Friday, 2015-05-01

*** emagana has quit IRC		00:08
*** Rockyg has quit IRC		00:14
morganfainberg	jamielennox: did a +2/+A run on a bunch of ksa stuff	00:23
morganfainberg	jamielennox: all the chopping block things is what i'm looking at atm	00:23
jamielennox	morganfainberg: excellent, thanks	00:23
jamielennox	yea, accessinfo and service catalog are really the only really old parts that are getting copied across and also the worst interfaces	00:23
jamielennox	at the moment i'm kind of trying for a reset	00:24
jamielennox	at the end of that review chain i remove the dict subclass - and i expect we may want it back at some point	00:24
morganfainberg	yeah i'm at that one	00:24
morganfainberg	going to let the others land before i +2/A that one	00:24
morganfainberg	but eh	00:24
morganfainberg	that one is just a bit more to look at	00:24
morganfainberg	but it looks sane	00:24
morganfainberg	at a glance	00:24
*** samueldmq has quit IRC		00:25
*** samueldmq has joined #openstack-keystone		00:25
jamielennox	morganfainberg: i've been trying to keep them small but at some point you need to make a big change	00:26
morganfainberg	the exceptions one is particularly big :P	00:26
jamielennox	ye	00:27
morganfainberg	ok just pushed through all but dict subclass and exceptions	00:27
jamielennox	the exceptions one i'm particularly keen on though	00:27
morganfainberg	yeah i just need to look more closely at it	00:27
jamielennox	having that out of oslo is going to be great	00:27
morganfainberg	it's not a rubber-stamp thing	00:27
morganfainberg	most of the others were super easy to +2/A because it was removing interfaces that we didn't need anymore	00:28
jamielennox	morganfainberg: want me to break up exceptions into smaller pieces?	00:29
morganfainberg	tbh: we probably could stop the neutron ds-gate for KSA until we do a release.	00:29
morganfainberg	jamielennox: nah	00:29
morganfainberg	jamielennox: i just need to spend more time looking at it than "oh yeah easy"	00:29
jamielennox	it's mostly just moving stuff around	00:29
morganfainberg	yep	00:29
jamielennox	but i did add like some new base classes - they won't make much difference to the API just organization change	00:30
morganfainberg	so i'd like to revisit ayoung's accessinfo change for KSA	00:30
jamielennox	yea	00:30
morganfainberg	if we're changing things... lets do it right.	00:30
ayoung	Konfederate States of Amerika!	00:30
morganfainberg	ayoung: told you i'd circle back on that changeset ;)	00:31
ayoung	morganfainberg, paciencia y fey	00:31
morganfainberg	ayoung: we might just include it as the KSA cut over.	00:31
morganfainberg	ayoung: since we're ripping things out of ksc changing over to KSA	00:31
ayoung	morganfainberg, sounds good to me	00:31
ayoung	need me to port it?	00:31
morganfainberg	ayoung: well we have jamielennox here. what any concerns with this change jamielennox ? anything we need to address with it	00:32
morganfainberg	before work is expended on moving it to the new repo	00:32
ayoung	morganfainberg, I think he needed to grok the follow on changes to AccessInfo and figure out if the approach would work for existing uses	00:32
morganfainberg	ayoung: right.	00:32
jamielennox	ayoung: and i have been fighting it out - i still think it's mostly unnecessary	00:32
ayoung	one moment, I need to report a bug,...you'll never belive what RDO packaging does with config....	00:32
morganfainberg	lhcheng: https://review.openstack.org/#/c/177428/ is going to need some love for sure [from lots of people]	00:33
ayoung	morganfainberg, you sell jamielennox on the concept. I'm gonna go bugzilla something	00:33
morganfainberg	jamielennox: so lets go over where you sit and what I see as needed afterwards.	00:33
morganfainberg	jamielennox: then we can find out where things should move towards (Target wise)	00:33
jamielennox	alright, so i understand the need for an interface but i have a number of concerns	00:34
morganfainberg	lhcheng: re - priorities that don't have clear owners yet	00:34
jamielennox	1. i see no need to include ways to marshal data in the client, AccessInfo already provides this for v2 and v3 tokens. I don't want to give people the functionality to build tokens from client and i'm not sure the new format buys us anything over accessinfo	00:35
jamielennox	2. I understand the strict Immutable etc stuff from a server side perspective, but it doesn't apply on client. If we get stuff we don't understand then we should make the best of it - it's really bad python form to start enforcing all this type checking, and again i don't want to be able to build a token	00:35
morganfainberg	jamielennox: see i disagree from the token standpoint here. we really should not be allowing random crap in tokens - strictly control what is there and available for anyone/thing to use	00:36
jamielennox	3. There is nothing additionally exposed that i see we want, and there is a whole heap of stuff like turning dictionaries into arrays by iterating over __dict__ that i just don't see the advantage of from client	00:37
morganfainberg	jamielennox: the "well you can just kindofgrab whatever" aspect has led to "Well we'll put it in the token" and knowing what part of the token things live in and what people expect/see is icky	00:37
jamielennox	morganfainberg: right, but that's a server side problem - i specifically don't want the ability to build a token from client (except the test fixture we have)	00:37
morganfainberg	jamielennox: sortof. it should be controlled on both sides.	00:37
morganfainberg	jamielennox: if someone gets something magical into the token body, it shouldn't "appear" from the client side just as much as it shouldn't happen server side	00:38
lhcheng	morganfainberg: cool, I can work on that. Will review the spec when I get home.	00:38
jamielennox	morganfainberg: AccessInfo is a completely read only interface, and now you merged that patch the user doesn't even have access to the underlying dictionary	00:38
morganfainberg	jamielennox: I also am concerned about having code duplicated (effectively)	00:39
morganfainberg	jamielennox: i'd like the same interface to be in server as it is in client, in server we also access/deal with data from the token	00:39
morganfainberg	lhcheng: awesome	00:39
jamielennox	morganfainberg: great i'd love that - i propsed https://review.openstack.org/#/c/178034/ when arguing with adam	00:40
morganfainberg	jamielennox: i also expect us to eventually decouple auth from CRUD APIs in keystone.	00:40
morganfainberg	jamielennox: so we may not be V2/V3 tokens we might be v2/v3/v4/v5/v10	00:40
jamielennox	morganfainberg: right, i think bringing in domain and project etc objects hurts that more than helps	00:40
morganfainberg	but that could be underlying implementation that changes... my concern is that the interface would again need to be changed to support that	00:41
ayoung	morganfainberg, jamielennox https://bugzilla.redhat.com/show_bug.cgi?id=1217663	00:41
openstack	bugzilla.redhat.com bug 1217663 in openstack-keystone "Overridden default for TOken Provider points to non-existent class" [Unspecified,New] - Assigned to nkinder	00:41
ayoung	le sigh	00:41
morganfainberg	since we didn't start from having that in mind.	00:41
morganfainberg	jamielennox: so - there are my reasons for wanting it to be all the same.	00:41
morganfainberg	ayoung: really?! really?? :(	00:42
ayoung	Really.	00:42
morganfainberg	ayoung: i do like that we can see RH bugzilla in irc like that though :P	00:42
ayoung	morganfainberg, I think it might be the IRC default for Bugzilla to go to RH	00:42
morganfainberg	ayoung: nope mozilla works too	00:42
ayoung	yeah...the big ones are all registered	00:42
morganfainberg	ayoung: among others. it knows the RH bugzilla's url and grabs it.	00:43
jamielennox	morganfainberg: i agree with wanting it the same, all i want in the client though is the read only portions of this code and i think it's easier to work with the interface i proposed in that review than the object one	00:43
ayoung	jamielennox, only for client	00:43
morganfainberg	jamielennox: so where does the marshalling code go? in server?	00:43
ayoung	for other code, no, it is not easier to work with, and even on the client, I'd argue we should be using straight python and not the dictionary interface	00:43
jamielennox	ayoung: ksc is not a dumping ground for keystone problems in the same way it's not a dumping ground for other services	00:43
morganfainberg	jamielennox: and now do we have some weird hybrid of locations to change things if we update?	00:43
jamielennox	that's what got us so screwed up last time	00:44
jamielennox	morganfainberg: yep, marshalling all goes on server side	00:44
morganfainberg	jamielennox: i'm fine with things being in logical places, as long as we are smart about it so we're not painting ourselves into a corner	00:44
ayoung	jamielennox, the KC code should be changed regardless. I take back that it is easier in the client...it is never more correct to use a dictionary when you have a true class model.	00:44
jamielennox	ayoung: ksa does not have a dictionary	00:45
ayoung	jamielennox, it has a thin wrapper aroujnd the parsed json an is used in most placed via the dictionary interface	00:45
jamielennox	it backs onto a given dictionary because we have to because that's what we get from a request	00:45
ayoung	this is not a dumping ground. All of our code is wrong. Havintg a strong domain model for marshalling on both sides of the wire just implies that it needs to be defined once and only once	00:46
ayoung	since KC is importated into Server, it needs to be at least in KC..and now we are splitting that, it needs to be in a place available to both client and server	00:46
morganfainberg	jamielennox: i'm still of the opinion a strongly defined class model is better.	00:47
ayoung	jamielennox, what if we change the marshalling format? What if we go to SAML everywhere?	00:47
ayoung	Or JWT	00:47
morganfainberg	jamielennox: mostly because it eliminates some magic of "well whats in the JSON"	00:47
ayoung	or...you name it	00:47
morganfainberg	ayoung: that was my point of decoupling auth.	00:47
ayoung	you don't tie your business logic to uyou marshalling format	00:47
jamielennox	ayoung: right i realize ksa is the logical place - however i'm not arguing the backing format, that's a big reason i wanted to remove the dict accessors from accessinfo	00:48
ayoung	morganfainberg, I am with you.	00:48
morganfainberg	ayoung: but w/o calling out changing the serialization format. forgot it.	00:48
ayoung	jamielennox, ah...can we get away with removing them?	00:48
morganfainberg	ayoung: yep.	00:48
morganfainberg	ayoung: we just did.	00:48
ayoung	that would be cool	00:48
morganfainberg	ayoung: for KSA	00:48
morganfainberg	ayoung: it is part of the conversion to KSA from KSC	00:49
jamielennox	what i'm arguing is the interface and i'm quite happy to have that flat rather than do a bunch of marshalling around	00:49
ayoung	morganfainberg, I thought the other projects might depend on that format	00:49
morganfainberg	ayoung: when we move to usign KSA, we fix that if they are	00:49
morganfainberg	because that is wrong.	00:49
morganfainberg	and we're now providing a good interface for them to use	00:49
morganfainberg	that can even be statically analyzed	00:49
jamielennox	i'm stuck with the majority of the AccessInfo structure - that's just how it is, but in general it's not bad once you remove the dict	00:49
morganfainberg	vs. "uhh things in a dict"	00:49
jamielennox	looking at https://review.openstack.org/#/c/178034/1/keystoneclient/access.py	00:50
ayoung	morganfainberg, so...do we need this: https://review.openstack.org/#/c/160134/9	00:50
*** _cjones_ has quit IRC		00:50
morganfainberg	ayoung: we probably need to put the marshalling code at least in server	00:50
morganfainberg	ayoung: what i don't like is assuming json was the transport. but honestly we own KSA	00:50
jamielennox	i've already got for example auth_ref.project_domain_id this feels like i'm going to get auth_ref.project.domain.id and i see no benefit in that over the original	00:50
ayoung	morganfainberg, that is not marshalling code. The patch I linked to is the adapter for using the AccessInfo model in the dictionary form	00:50
morganfainberg	we could change the underlying impl as needed.	00:50
jamielennox	and i need to maintain the old interface so i'm going to be maintaining all those links	00:51
morganfainberg	ayoung: oh uh we will move to the KSA one	00:51
morganfainberg	ayoung: so check w/ jamielennox on if we need that code	00:51
ayoung	morganfainberg, hold on...let me clarify what I did	00:51
ayoung	1 I wrote the model a stand alone patch . 2 I modified the tests so that they would pass with both the old and new access info. 3 I modifeidthe esxisting access info useage to be based on the model	00:52
ayoung	that is the safeest way to go, and I'd like to keep something like that	00:52
ayoung	the existing access info is our contract	00:52
ayoung	as jamielennox points out, we can't break that due to backwards compat issues, at least not yet	00:53
morganfainberg	ayoung: oh i see what you're doing	00:53
morganfainberg	yeah we likely will still need that	00:53
morganfainberg	or somthing similar	00:53
ayoung	so, if we move the model to ksa, we should probably m ove this too, otherwise we have a libraray sync issue	00:53
ayoung	I'd rather get it in to KC before we split	00:53
ayoung	even if it never gets released	00:53
ayoung	but so we can test the hell out of it	00:54
morganfainberg	jamielennox: we might not land a single one of these changes..	00:54
morganfainberg	jamielennox: tempest might be borked	00:54
jamielennox	yea, i saw the first one failed on tempest	00:54
jamielennox	which we're not in :p	00:54
ayoung	jamielennox, this needs to happen. While domain is slightly annoying to have as an object, we have two domains per token, and we could conceivably have more. IAs an extensible model, it is the right approach. same thing with project. If we were ever forcved to support mutliple projects on one token, my approach would support that. And it onluy changes implementation, not interface.	00:56
jamielennox	so let's step back a little bit, i agree with "it would be nice to have a unified model" but the current reason we _need_ a unified model is because of the revocation events that defines its own models	00:56
ayoung	jamielennox, and policy	00:57
jamielennox	ayoung: the model would have exactly the same problem, you'd need to add a list in there somehow	00:57
ayoung	Keystone server has code that is worse for enforcing policyh	00:57
jamielennox	adding a new accessor for a new object is no harder than adding new properties for the same thing	00:57
jamielennox	right and policy that was going to be my next question - what else	00:58
jamielennox	do we need a model for?	00:58
ayoung	tokenless operations	00:58
morganfainberg	honestly most objects we have will need one	00:58
morganfainberg	because we eventually are going to decouple backends from the in-memory representations	00:58
jamielennox	also remember this is only because we don't have a way for keysotne to consume auth_token middleware yet	00:59
morganfainberg	it's the only way to support rolling upgrades w/ a single datastor	00:59
ayoung	policy is the big one, though. I plan on using policy for endpoint bindings and token constraints	00:59
ayoung	jamielennox, this is a prereq to server consume keystonemiddleware	00:59
ayoung	having a unified accss info, it, I mean.	00:59
jamielennox	ayoung: that assumption could also be satisfied by keystone using the new AccessInfo object	01:00
jamielennox	ie the one in ksa	01:00
jamielennox	or the existing AccessInfo object and just ignoring the dict bit	01:00
ayoung	jamielennox, yes, any format could be made to work.	01:01
jamielennox	ayoung: so can we use the one we already have please?	01:01
ayoung	jamielennox, the one we have on the client is not good code. It is the wrong abstraction to start from	01:01
ayoung	there is a reason I made an object modle and a builder	01:02
ayoung	because that pattern is the most useful and extensible for all implementations	01:02
ayoung	the server side is much more complex	01:02
ayoung	for example, we did not have a good means to convert a v2 token to b34 format or the reverse	01:02
ayoung	wiuth a cannonical format we can do that	01:03
ayoung	v2->cannonical ->v3	01:03
morganfainberg	jamielennox: ^^ that is the other point / reason for the object model	01:03
ayoung	v3->v2 is doabble assuming the token fits constraints	01:03
morganfainberg	v3->v2 has bitten us quite a few times	01:03
morganfainberg	actually	01:03
morganfainberg	and vice-versa	01:03
morganfainberg	extra data leaking into the token	01:03
jamielennox	ayoung: i completely get that, but you could implement all that on the server side, satisfy https://review.openstack.org/#/c/178034/1/keystoneclient/access.py interface and i don't need to maintain two implementations of the same thing on client	01:04
jamielennox	policy, revoke functions are just written against that interface	01:04
jamielennox	i have no reason to do v3->v2 or vice-versa functionality in client	01:05
morganfainberg	jamielennox: don't we already do some of that for SC parsing?	01:05
morganfainberg	or has that code all disappeared	01:06
jamielennox	i agree with all your points on this stuff - right up to the point where i want to give all this to every consumer of ksc	01:06
morganfainberg	jamielennox: i don't see why someone who is consuming KSA wouldn't want to do data marshalling for v2->v3	01:07
jamielennox	morganfainberg: in auth_token i have to convert a v3 catalog to a v2 catalog because not doing so breaks compatibility, that's just a porely defined interface	01:07
morganfainberg	what if their app needs v3?	01:07
morganfainberg	this is meant to be used outside of ksm too	01:07
jamielennox	why would a user need to change token formats?	01:07
morganfainberg	we tell them to go ask keystone for the v3 version of the data	01:07
morganfainberg	jamielennox: because their app understands one version of data	01:07
morganfainberg	so why not give them the cannonical version?	01:07
jamielennox	this is the point of AccessInfo, it abstracts the differences	01:08
*** browne has quit IRC		01:08
ayoung	jamielennox, and you will not have two implementations. I ported access info to use the model. One implementation	01:08
ayoung	that is what https://review.openstack.org/#/c/160134/9 is all about	01:08
morganfainberg	jamielennox: the issue i see is you're asking us to support 2 versions	01:08
morganfainberg	jamielennox: whats in ksa and what is in server	01:08
jamielennox	morganfainberg: the alternative is client supporting 2 versions - and more people get pissed off when we change that interface	01:09
*** alexsyip has quit IRC		01:09
jamielennox	looking at for example: https://review.openstack.org/#/c/160134/9/keystoneclient/access.py all the way down there are things like:	01:10
morganfainberg	jamielennox: or we shim layer it, convert the clients over and put a deprecated message in saying "this isn't used by openstack proper, use new interface" like many libs do	01:10
morganfainberg	and document the "old way" as deprecated at the get-go [just no warning messages until we have people / clients /etc converted]	01:10
jamielennox	@property	01:10
jamielennox	def expires(self):	01:10
jamielennox	return self.token.expires_at.value	01:10
ayoung	morganfainberg, there might be a problem with that patch. I thought the neutron error was spurous, but it is sticking around in rechecks. I wonder if neutron modifies the dictionanry	01:11
morganfainberg	ayoung: there is also a potential issue with pbr and tempestlib	01:11
morganfainberg	fyi	01:11
ayoung	morganfainberg, yep	01:11
jamielennox	that could just as easily exist on the server side and have things written against the AccessInfo properties	01:11
jamielennox	if anything self.token.expires_at is much more bound to the v3 format than auth_ref.expires is	01:13
morganfainberg	jamielennox: so let me distil my 3 reasons for this (in order of priority as i see it): 1) V2/V3 is making broad assumptions on incoming data. I want to see us support more than this-very-specific-format-of-json-data, 2) I don't want 2 implementations of a model that we need to work with, 3) The object model is much better for static analysis/introspection than scrping things out of json (and less likely to be carrying cruft	01:14
morganfainberg	around because it slipped through).	01:14
morganfainberg	the well defined interfaces, etc seem to be a non-contentious part	01:14
morganfainberg	so i left that out.	01:14
morganfainberg	and part 1 is because looking forward, we will have new types of auth that wont be tied to V3-crud-interface [so to speak]	01:15
jamielennox	I agree with all this, but you seem to be under the assumption that AccessInfo is a token model	01:16
jamielennox	it's not it's an interface with multiple implementations	01:16
morganfainberg	jamielennox: if it looks like a duck... quacks like a duck... it's clearly a platypus	01:16
ayoung	jamielennox, AccessInfo is the good name. A token is a pointer to AccessInfo	01:17
jamielennox	i agree the implementations sucked but we've just got rid of the dict accessors - so it's purely an interface	01:17
ayoung	jamielennox, you don'	01:17
morganfainberg	or would a dropbear be more correct? shiftyeyes	01:17
*** bknudson has joined #openstack-keystone		01:17
*** ChanServ sets mode: +v bknudson		01:17
ayoung	jamielennox, you don't want to make an interface around a domain model	01:17
ayoung	the domain model is the contract, not an abstraction	01:17
jamielennox	dropbear was the name of first redhat openstack deployment	01:17
morganfainberg	haha	01:17
jamielennox	always hated they changed that	01:17
ayoung	I thought it just died under its own weight? It was a good name.	01:18
morganfainberg	too bad we long since passed the 'D' release of OpenStack and it wasn't in Aus.	01:18
morganfainberg	diablo is fine... dropbear would have been better	01:18
ayoung	Or B. I'd want to call that Bunyip	01:18
ayoung	Maybe S in Sidney?	01:18
jamielennox	ayoung: that's when 3 or 4 other internal clouds got brought up with better funding	01:18
jamielennox	next asia is 2 years, so that might be about right	01:19
*** richm has quit IRC		01:19
jamielennox	nah - i can't count	01:19
ayoung	morganfainberg, have you seen http://c2.com/cgi/wiki?StringlyTyped	01:19
morganfainberg	jamielennox: anyway so my view is that this is really a model - even if we are in denial about it	01:19
jamielennox	morganfainberg: what is a model?	01:20
ayoung	t is the 20th letter of the alphabet. J is 10. I have that much memorized. I think.	01:20
jamielennox	AccessInfo is not a model	01:20
morganfainberg	jamielennox: what is being provided via KSA	01:20
ayoung	yes it is	01:20
ayoung	it is the primary reason for keystone to exist	01:20
*** richm has joined #openstack-keystone		01:20
ayoung	Users and Domains and ROles and all that crap exists so we can make access control decisions	01:20
morganfainberg	what is on the wire just happens to be the dehydrated form of the object - this is no different than the nova RPC.	01:21
morganfainberg	we just happened to use json	01:21
jamielennox	it's an interface with a bunch of implementaions and if saml or some other format comes along then there is no reason we wouldn't write another implementation of it	01:21
morganfainberg	vs. the object model they used.	01:21
ayoung	no saml is marshalling	01:21
ayoung	we would parse saml to Accessinfo	01:21
ayoung	just another builder	01:21
morganfainberg	ok anyway i need to go to the gym	01:22
morganfainberg	back in a couple hours	01:22
ayoung	just the fact that we had / have test code that checks the Version of the AccessInfo shows we have a leaky abstraction	01:22
openstackgerrit	Merged openstack/keystonemiddleware: Deprecate auth_token authentication https://review.openstack.org/127066	01:22
jamielennox	if when creating AccessInfo i extracted everything out of the dictionary, and stored them as attributes rather than did it at @property time would that make a difference?	01:23
jamielennox	other than being a bunch of additional work	01:23
*** darrenc is now known as darrenc_afk		01:23
morganfainberg	jamielennox: all chopping-block looks like it'll merge	01:24
ayoung	jamielennox, if you started down that path, eventually you would end up with the model I coded	01:24
morganfainberg	we might just have been unlucky w/ the utils change	01:24
morganfainberg	jamielennox: and re: accessinfo - i've voiced my stance and i'll chat more when back from the gym	01:24
morganfainberg	if you're still around	01:24
ayoung	jamielennox, your flat format would work until we need to enumerate something. The service catalog is already not flat	01:24
ayoung	my code allows us to share logic between the domain object for the user and the one for the project...maybe that means very little	01:25
ayoung	but if you think how it is composed on the server side, first you fgo to the id backend and get the user, then you go get the roles, then the catalog...it makes sense to have them as separate objects	01:25
ayoung	and, from a parsing perspective, it is easier as well	01:26
ayoung	each of the objects is a contract. Only morph the objects themselves through their methods...usually the objects will be treateed as immutable	01:26
jamielennox	the service catalog is already an object for exactly this reason and the same could apply to any additional properties	01:32
*** darrenc_afk is now known as darrenc		01:34
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient https://review.openstack.org/144248	01:34
ayoung	jamielennox, OK...lets assume two changes hit us. One, a token can have multiple users. Two, a token can have multiple projects. THere are still a default fro each, but also an array. The default user would be a pointer to token.users[0] and the default project would be pointer to tokens.projects[0]. Nothing else would have to change. If it is flat, we need to rearchitect it. And that will break code that is assumin	01:41
ayoung	g things will be flat, or make it that you work with the default objects in a different way from the non default	01:41
jamielennox	ayoung: it would require we made a new auth_ref.users that returned a list, i agree - but the same defaults apply for the flat as does the nested accessors	01:43
jamielennox	and, it does not mean that i can actually get rid of the existing property either way	01:43
jamielennox	besides if we want to play that game what happens if we allow multiple scopes - then we're all screwed	01:48
ayoung	jamielennox, so...I have to admit, I am kind of surprised by your resistance. We have a goal of using the same code to represent the object on both sides of the wire. To you disagree with that goal?	01:56
jamielennox	maybe	01:57
samueldmq	morganfainberg, finally I am testing the keystone v3 only against tempest	01:57
samueldmq	morganfainberg, I was having issues in my vs due to nested virt	01:57
samueldmq	morganfainberg, I solved this by setting LIBVIRT_TYPE=qemu in my devstack	01:58
samueldmq	morganfainberg, tomorrow I will update you with the results of tempest execution	01:58
samueldmq	jamielennox, cc ^	01:58
jamielennox	samueldmq: nice, what's that involve? running the tempest keystone v3 tests only or having v2 disabled for the whole devstack?	01:59
samueldmq	jamielennox, the second one, v2 disabled for the whole openstack	02:00
samueldmq	clarkb helped me today to figure out what was wrong with my env :)	02:01
jamielennox	awesome! is this to allow us to test what still relies on v2 by seeing what fails? i'll be very surprised if tempest passes	02:01
samueldmq	jamielennox, yeah, it is	02:02
samueldmq	jamielennox, I will set tempest to use v3 auth tokens to make calls to services	02:02
samueldmq	jamielennox, and disable v2	02:03
samueldmq	jamielennox, actually tempest is OK by just setting tempest to use v3 auth tokens (without disabling v2)	02:03
samueldmq	jamielennox, but I think some services may be validating v3 tokens in the v2 api (I think it is possible, if we're using the default domain)	02:04
samueldmq	jamielennox, I will let you know as soon as I have some results	02:04
jamielennox	samueldmq: it is and they doe	02:04
jamielennox	do	02:04
samueldmq	nice, so disabling v2 will actually tell us if there is something missing	02:05
jamielennox	yep	02:05
samueldmq	jamielennox, great I will let you know	02:05
jamielennox	samueldmq: can you see https://trello.com/b/5qivasNp/keystone-v3	02:05
*** topol has quit IRC		02:06
samueldmq	jamielennox, looking	02:06
samueldmq	jamielennox, how did you get those known issues ? testing manually ?	02:07
jamielennox	samueldmq: yep	02:07
jamielennox	i've done a few tempest patches as well	02:07
jamielennox	and devstack to disable v3 and start running commands	02:07
jamielennox	it's by no means exhaustive like tempest will give	02:07
ayoung	samueldmq, good work	02:08
samueldmq	ayoung, thanks, but actually I am just testing the great work jamielennox has been doing around v3 support	02:08
* jamielennox blushes		02:09
samueldmq	jamielennox, ++ agree	02:09
samueldmq	hehe !:)	02:09
jamielennox	samueldmq: anyway if you find specific things that are v2 only add them to that board and feel free to take on anything you want	02:10
jamielennox	but that's my current list for doing v3 everywhere	02:10
samueldmq	jamielennox, nice, I will also try to help you by doing the remaining work	02:11
samueldmq	jamielennox, I was hoping we could have them working by the summit	02:11
jamielennox	the biggest blocker i know at the moment is glanceclient and swiftclient, i've got patches up for glanceclient and i've got WIP patches for nova etc to use updated glanceclient	02:11
samueldmq	jamielennox, it would be amazing	02:11
samueldmq	jamielennox, hmm, so tempest should fail .. after failing, we could apply your patches and re-run it	02:12
jamielennox	samueldmq: i'll be honest i'm hoping for liberty and that will still be hard	02:12
samueldmq	jamielennox, hmmm ... iirc, I ran smoke tests and they passed	02:12
samueldmq	jamielennox, I need to recheck	02:12
samueldmq	jamielennox, smoke tests is a smaller set of 'basic' tests for each service ..	02:13
samueldmq	jamielennox, let's just not speculate, tomorrow we'll know :)	02:13
samueldmq	jamielennox, after testing it manually, I am planning to submit the experimental gate jobs	02:14
jamielennox	samueldmq: that would be useful	02:14
openstackgerrit	guang-yee proposed openstack/keystonemiddleware: enforce endpoint constraint https://review.openstack.org/177661	02:15
*** gyee has quit IRC		02:15
openstackgerrit	guang-yee proposed openstack/keystonemiddleware: enforce endpoint constraint https://review.openstack.org/177661	02:18
*** lhcheng has quit IRC		02:26
openstackgerrit	Merged openstack/keystoneauth: Rename _discover module https://review.openstack.org/178911	02:29
ayoung	jamielennox, ok, so let's start there. I need a unified way to enforce policy	02:31
ayoung	that has to be the same everywhere	02:31
jamielennox	ayoung: that does not require a mode, that requires a standard interface - which are related but different concepts	02:32
ayoung	jamielennox, I need three things to match	02:32
ayoung	1. the data from token in all the remote services	02:33
ayoung	2. a token in keystone	02:33
ayoung	3. tokenless operations	02:33
ayoung	I don't want to have to work to keep them in sync	02:33
ayoung	I want to work with a single set of objects.	02:33
ayoung	anything that varies from that is going to introduce complexity and instability	02:35
ayoung	and this code has been held up for a long time. A lot is backlogged behind it.	02:35
ayoung	revocation events need a unified access info. I've been trying to get that code into a single place, clean, for about a year now	02:36
jamielennox	ayoung: i'm playing around with how i would write a model and i find myself coming back to having the AccessInfo as the driver	02:50
jamielennox	ignoring catalog - which is not handled very well in either approach	02:50
jamielennox	i could easily create a model from an AccessInfo	02:52
jamielennox	I could easily write a new AccessInfo called like ModelAccessInfo that bridges the gap	02:52
ayoung	jamielennox, what do you define AccessInfo to be?	02:53
jamielennox	So i need AccessInfo to be about 10 @properties otherwise the whole auth plugin system fails, and i don't see any way i can get around that compatibility	02:54
jamielennox	that's what i was showing in the other review	02:55
openstackgerrit	Dave Chen proposed openstack/keystone: Refactor: Join multiple criteria together https://review.openstack.org/133135	02:56
ayoung	jamielennox, so...we need to maintain that. But I see that as the historical. Why do you think that should drive the design	02:56
jamielennox	AccessInfo is a set of properties you are supposed to define in subclasses, we currently have AccessInfoV2 and AccessInfoV3 - but you are never supposed to query the difference between those two objects	02:56
ayoung	I'd split that statement:	02:56
ayoung	AccessInfo is a set of properties.	02:57
ayoung	THe fact that we subclass is an implementation detail.	02:57
jamielennox	ok	02:57
jamielennox	that's far	02:57
jamielennox	fair	02:57
ayoung	So long as we are consistent in providing those properties, we should be compatible.	02:58
jamielennox	right	02:58
ayoung	OK. So our requirements so far: don't change the accessinfo contract. Make the data look the same wherever policy or revocation events are enforced. So far so good?	02:59
jamielennox	yep	02:59
ayoung	OK. Now, here are some other requirements. We need to be able to convert from V2 to V3 tokens. Hopefully that is a short term issue.	03:00
ayoung	On the server side, we need to be able to reconsitute the access info for a user either from a token or from an X509 cert	03:01
ayoung	and then this needs to pass policy	03:01
jamielennox	ayoung: no we don't need to convert	03:01
ayoung	jamielennox, in the token provider we do	03:01
*** wwwjfy has joined #openstack-keystone		03:01
jamielennox	ayoung: not a client problem	03:02
ayoung	if we pass in a v2 token to the v3 api, we should be passing back a v3 format	03:02
ayoung	I didn;'t say on client	03:02
ayoung	I meant project wide	03:02
ayoung	we have the long standing blueprint for cleaning up the token creation process.	03:03
jamielennox	on the server side it is ridiculous that you need to convert between - i completely agree with that, this should be a model and v2/v3 are views on the model	03:03
jamielennox	as are saml etc	03:03
ayoung	jamielennox, ok. So now you understand where I was coming from when I started this effort.	03:03
jamielennox	absolutely	03:04
jamielennox	this was the driving force behind all that pecan stuff i did before atlanta	03:04
jamielennox	i want to turn keystone into a proper model / view setup	03:04
jamielennox	well model/controller i guess	03:04
ayoung	ah. I saw that you refreshed those patches. I took a quick look but hadnt' finished reviewing	03:04
ayoung	M-V-C? Yeah. I'm with you there	03:04
jamielennox	pecan's not all that good at what we want to do - but it's the only approved one from TC AFAIK	03:05
openstackgerrit	Dave Chen proposed openstack/keystone: Refactor: Join multiple criteria together https://review.openstack.org/133135	03:05
jamielennox	and i want to get rid of the home grown one	03:05
jamielennox	i agree, i argued that stuff for a long time	03:05
jamielennox	still do	03:05
ayoung	jamielennox, so your objection is limited to it moving into the client?	03:06
jamielennox	yes, essentially	03:06
*** richm has quit IRC		03:07
ayoung	But if you add up everything we said above, can you see why I would want to have it in the client?	03:07
jamielennox	i can absolutely see why you want it in client, but spin your perspective and explain why I would want it in client - what does it buy the client?	03:07
jamielennox	rule of thumb - it needs to be reused in at least 3 places to be useful to be in a library	03:08
ayoung	jamielennox, well, here are the three places	03:08
ayoung	1. keystone server	03:08
ayoung	2. Remote services like Nova	03:08
ayoung	3. Horizon	03:09
jamielennox	nova - why?	03:09
ayoung	policy enforcement	03:09
ayoung	horizon does the reverse...reads a token and figures out what to show based on policy	03:09
jamielennox	those are both things they do today	03:09
ayoung	jamielennox, but every service has its own view of policy.	03:10
ayoung	We want the common policy file..or at least common rules	03:10
jamielennox	i agree	03:11
ayoung	so I don;'t want subtle differences in how they interpret policy due to each having its own model	03:11
jamielennox	again i agree - this is your saviour: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_user_plugin.py	03:11
ayoung	that doesn't cover the Serve cases of building the token from the backend. So I still have two	03:12
jamielennox	no - that's 1	03:13
jamielennox	:)	03:13
ayoung	no, to use that, I would need to convert from the Python model to a dictionary	03:13
ayoung	and...that is an abstract base class, so I can still have differences in how it is implemented.	03:13
jamielennox	ayoung: so in that user plugin i very explicitly hid access to the AccessInfo because i didn't want people getting confused by the dict methods	03:14
jamielennox	the user plugin has 2 _TokenData objects, one for the X-Auth-Token and one for the X-Service-Token	03:15
jamielennox	_TokenData is a _very strictly_ read only format that gives you information about the token	03:15
ayoung	That is fine. Not a hard abstraction to cover	03:15
ayoung	so is mine	03:15
jamielennox	my plan was to have oslo.policy construct a dictionary from those two _TokenData objects	03:16
ayoung	it is the builder that lets you morph it, but you don't do any reading until it is all done and built	03:16
jamielennox	because oslo.policy requires a dict	03:16
jamielennox	i thought that better that having a .to_policy_dict() on the plugin	03:16
jamielennox	this is what we talked about 6 moths ago when i said i want keystone team to handle both the supply and enforcement of policy	03:18
ayoung	so..I plan on using these classes in the other parts of Keystone. Identity will create a User object. Assignment will create Role objects. And so on	03:18
ayoung	there are elements of that in the code already	03:18
jamielennox	all the service should ever need to do is pass through the _UserPlugin object and then the object that want to enforce upon	03:18
ayoung	then to create a token, you create a builder, and the directory gets the objects from each of the backends, and when it is done, build, and you get the model version of the AccessInfo	03:19
*** davechen has joined #openstack-keystone		03:19
ayoung	then a dictionary is a wrapper around that.	03:19
ayoung	and that operates like your code	03:19
ayoung	we're not that far apart, I'm just driving it by the server use cases	03:20
ayoung	which are the more complex	03:20
jamielennox	I'm not doubting it's a good model - your justifications are all keystone server cases	03:20
ayoung	jamielennox, the client can use the same model classes	03:20
ayoung	when you do openstack project list, it should internally be a list of the project objects from the model	03:21
ayoung	same with domains, groups, roles, role assignments, and so on	03:21
ayoung	one set of objects for the core domain model	03:21
ayoung	ensuring consistency	03:21
jamielennox	i think you bring in more complexity there than you save	03:21
jamielennox	the requirements are too different	03:21
ayoung	nah	03:23
ayoung	it means that you alwasy have the same object everywhere. That was the intention of keystone/common/model in the first opkace	03:24
morganfainberg	jamielennox: confirmed failures for tempestlib fixed recheckking choppingblock	03:24
jamielennox	note that i want that plugin to replace context as well which is the point of https://review.openstack.org/#/c/167181/ which even though it is in merge conflict is still unreviewed as are the two underlying patches	03:24
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/models.py	03:24
jamielennox	ayoung: that's kind of cool - ok we could use that	03:25
*** fifieldt has joined #openstack-keystone		03:25
ayoung	jamielennox, wuh?	03:25
*** lhcheng has joined #openstack-keystone		03:25
*** ChanServ sets mode: +v lhcheng		03:25
ayoung	jamielennox, but we don't. We do this instead...	03:26
jamielennox	ayoung: but those are really trivial classes	03:26
jamielennox	i mean they're more of a template than a model	03:26
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n27	03:26
ayoung	they are keys	03:27
jamielennox	ayoung: July 3, 2013: https://review.openstack.org/#/c/35462/2 - i'm with you buddy i get the advantages of common models	03:28
ayoung	jamielennox, yes, but you coded it backwards	03:29
ayoung	the model does not depend on the API. It is the other way around	03:29
jamielennox	that model doesn't depend on the api	03:30
jamielennox	the controller converts from api to model and back	03:30
ayoung	https://review.openstack.org/#/c/35462/2/keystone/credential/credential.py,cm	03:30
jamielennox	the model is an abstraction of the self.credential_api to make it object orientated	03:31
ayoung	jamielennox, ok...we need to have a serious design discussion about this. We both want the same things.	03:31
ayoung	Just have different approachees to get there	03:31
ayoung	the SQL code is the culprit	03:31
ayoung	it combines the python object you get from the DB with the code to fetch it	03:31
ayoung	these need to be split	03:32
*** zzzeek has quit IRC		03:32
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n27	03:32
jamielennox	absolutely, i would have much prefered to write that so the SQL code depended on the model - you're right that part is backwards, but it was unfeasible at that time, my goal was once everything had a model we could invert it	03:32
ayoung	and this is why I really did not support the KSL rewrite. That is when that code was introduced.	03:33
ayoung	and I've been living with it ever since	03:33
ayoung	BUNGEE!	03:33
ayoung	I in I am making a lot of changes I gone!!!!!	03:33
jamielennox	i wanted to do the same thing with either pecan or falcon, i was just going to do it slower	03:34
jamielennox	and probably not disapear	03:34
ayoung	so lets start by getting the domain model right. And the client code is the most dilligent in testing things.	03:35
ayoung	Heh. No you have proven your tenacity	03:35
jamielennox	can't believe that code was 2 years ago, if i'd stuck it out then we might have a model based system already	03:36
lifeless	now I want a millenium falcon with keystone server built-in	03:36
ayoung	This time we will. We have a consensus	03:36
morganfainberg	lifeless: uhm.	03:36
ayoung	lifeless, we're home.	03:36
morganfainberg	lifeless: ok!	03:36
lifeless	morganfainberg: because it would be model based :)	03:36
*** josecastroleon has joined #openstack-keystone		03:36
lifeless	(boom tish, and apologies for the side-track)	03:37
morganfainberg	lifeless: i was going to opt for camelot (but it's a silly place) instead	03:37
ayoung	This new learning astounds me sir morganfainberg .	03:37
lifeless	my daughter is watching a bubble guppies episode with knights right now...	03:38
lifeless	my brain is... melting :)	03:38
ayoung	lifeless, my kids are asleep...thankfully so	03:38
*** dims has quit IRC		03:38
morganfainberg	https://www.youtube.com/watch?v=1Npo0cmp-VY	03:38
ayoung	20 minutes to midnight, and I squandered my grownup time arguing on IRC	03:38
ayoung	Though we're tough and able. Quite in de fa ti gable.	03:39
*** stevemar has joined #openstack-keystone		03:39
*** ChanServ sets mode: +v stevemar		03:39
*** josecastroleon has quit IRC		03:39
jamielennox	right - i've got pretty much nothing done today	03:39
jamielennox	ayoung, morganfainberg: so could this be solved by making keystone consume auth_token somehow?	03:41
jamielennox	because everything you're asking for i haev a solution for every other service	03:41
jamielennox	and i've been pushing it for a while	03:42
ayoung	jamielennox, if we push this into keystoneauth, then I think we are there	03:42
jamielennox	using auth_token or the common solutions	03:43
ayoung	jamielennox, so, yes, the whoe goal of this excercize has been to get keystone to consume keystonemiddleware, as that is where we are targetting the policy enforcement as well	03:47
ayoung	and we are targetting having middleware use the client for its operations, so it should be handing over one of the common objects when validating a token	03:48
jamielennox	ayoung: it seems like you're fighting backwards then	03:48
jamielennox	everything you're talking about already uses AccessInfo	03:49
ayoung	and I maintained the access info interface for just that reason	03:49
jamielennox	right, but the other solution was for the server to implement the accessinfo interfaces	03:49
jamielennox	and we're back to 3 hours ago....	03:49
*** _cjones_ has joined #openstack-keystone		03:50
ayoung	and its bed time	03:53
jamielennox	ayoung: night	03:55
*** _cjones_ has quit IRC		03:55
jamielennox	morganfainberg: have you looked at the reaosn those reviews are failing? is infra on it? is it known?	03:56
morganfainberg	jamielennox: was an issue with tempestlib	03:56
morganfainberg	should be resolved	03:56
jamielennox	ok - i'll go through and recheck them	03:56
morganfainberg	jamielennox: already did	03:56
jamielennox	o - thanks	03:56
stevemar	morganfainberg, when is the hackathon?	03:58
morganfainberg	stevemar: email will be sent tomorrow but plan is July 15, 16, 17	03:58
stevemar	k	03:58
stevemar	just need to input it in the calendar	03:58
morganfainberg	and i checked. doesn't look like we have a holiday around then	03:59
morganfainberg	:P	03:59
stevemar	\o/	03:59
*** fifieldt has quit IRC		03:59
*** samueldmq has quit IRC		03:59
*** tqtran has joined #openstack-keystone		04:00
*** topol has joined #openstack-keystone		04:07
*** ChanServ sets mode: +v topol		04:07
*** tqtran has quit IRC		04:14
morganfainberg	oh look it's a topol	04:22
topol	morganfainberg, sorry I have been traveling :-(	04:24
morganfainberg	topol: lies - you're not sorry :)	04:24
*** topol has quit IRC		04:34
*** dims has joined #openstack-keystone		04:39
*** dims has quit IRC		04:45
stevemar	morganfainberg, as quickly as he appears, he then disappears	04:55
stevemar	the ways of the ninja	04:55
morganfainberg	Hah.	04:55
*** winggundamth has joined #openstack-keystone		04:56
winggundamth	hi everybody. I having problem on openstack --insecure COMMAND after follow Kilo install-guide but try to make https self signed instead of normal one	05:01
winggundamth	SSLError: SSL exception connecting to https://identity.example.com/v3/auth/tokens	05:03
winggundamth	full verbose and debug here http://paste.openstack.org/show/214185/	05:03
winggundamth	is it related to this bug? https://bugs.launchpad.net/python-openstackclient/+bug/1447704	05:04
openstack	Launchpad bug 1447704 in python-openstackclient "token issue fails for keystone v2 if OS_PROJECT_DOMAIN_NAME or OS_USER_DOMAIN_NAME are set" [Low,Triaged] - Assigned to Dean Troyer (dtroyer)	05:04
stevemar	winggundamth, they don't seem related	05:06
winggundamth	how about this one? https://bugs.launchpad.net/python-openstackclient/+bug/1447784	05:07
openstack	Launchpad bug 1447784 in python-openstackclient "--insecure is ignored if OS_CACERT env var is set" [Low,Confirmed]	05:07
winggundamth	just wonder SSL error that I got. Is it happens because of self signed?	05:08
stevemar	winggundamth, same thing - i don't think that error is related either, that bug is fairly harmless	05:10
stevemar	winggundamth, try using keystoneclient? the old CLI.	05:10
stevemar	keystone user-list --insecure and see if that works	05:10
winggundamth	let me try it	05:10
openstackgerrit	Dave Chen proposed openstack/keystone: Refactor: Join multiple criteria together https://review.openstack.org/133135	05:13
*** henrynash has quit IRC		05:13
*** henrynash has joined #openstack-keystone		05:13
*** ChanServ sets mode: +v henrynash		05:13
winggundamth	stevemar: http://paste.openstack.org/show/214196/ it shows no error but still don't list the user	05:16
winggundamth	but user doesn't list maybe another problem	05:17
winggundamth	oh. it listed now. I forget to put OS_TENANT_NAME var	05:18
winggundamth	stevemar: so I think it's the openstack bug that doesn't respect --insecure right?	05:19
stevemar	winggundamth, gah	05:19
stevemar	okay, i guess we really need to fix the osc bug	05:20
stevemar	can you comment on the bug? and say it's impacting you	05:20
stevemar	it helps to remind us to be less lazy	05:20
winggundamth	nice :)	05:20
winggundamth	sure I'll do it now	05:20
winggundamth	which bug that you want me to comment. both?	05:21
stevemar	yeah, mention that you had to resort tot he using the old keystone CLI, that'll raise the priority	05:21
stevemar	umm	05:21
stevemar	the one that says it ignores --insecure	05:21
winggundamth	ok sure	05:21
openstackgerrit	Merged openstack/keystoneauth: Remove cli functions from utils https://review.openstack.org/178922	05:21
openstackgerrit	Merged openstack/keystoneauth: Remove management_url from AccessInfo https://review.openstack.org/178912	05:25
*** henrynash has quit IRC		05:27
winggundamth	stevemar: this is done. https://bugs.launchpad.net/python-openstackclient/+bug/1447784/comments/4	05:27
openstack	Launchpad bug 1447784 in python-openstackclient "--insecure is ignored if OS_CACERT env var is set" [Low,Confirmed]	05:27
*** henrynash has joined #openstack-keystone		05:27
*** ChanServ sets mode: +v henrynash		05:27
winggundamth	never heard you guys lazy before lol	05:27
winggundamth	another question. https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/kilo-staging when the new kilo build that's not rc1 coming on this? will the openstackclient build is 1.1.0 too? because I got nova sth deprecated warning so that I have to manual install with pip	05:31
*** emagana has joined #openstack-keystone		05:31
stevemar	winggundamth, hmm, that one i'm not sure about	05:33
winggundamth	ok thanks. hope I can write python in some day so could help you guys :)	05:38
stevemar	winggundamth, that parts not hard :)	05:40
stevemar	winggundamth, docs, bugs, specs, code, translations ... everything helps	05:40
winggundamth	trying to hack your code right now so at least override insecure to all case lol	05:41
*** markvoelker has quit IRC		05:48
*** emagana has quit IRC		05:48
*** browne has joined #openstack-keystone		05:58
winggundamth	surprise me that openstackclient 1.2.0 just out	06:00
winggundamth	while I see only 1.1.0 in launchpad	06:00
winggundamth	https://pypi.python.org/pypi/python-openstackclient/1.2.0	06:01
*** lhcheng has quit IRC		06:01
stevemar	winggundamth, yep, came out today	06:01
stevemar	winggundamth, the debian/ubuntu packagers are usually a bit behind	06:02
stevemar	maybe if we can fix the insecure bug then we can release a 1.2.1 client for you	06:02
*** emagana has joined #openstack-keystone		06:03
*** rm_work\|away is now known as rm_work		06:05
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/179331	06:06
*** emagana has quit IRC		06:09
*** emagana has joined #openstack-keystone		06:10
*** emagana has quit IRC		06:14
*** chlong has quit IRC		06:21
*** _cjones_ has joined #openstack-keystone		06:25
*** _cjones_ has quit IRC		06:25
*** _cjones_ has joined #openstack-keystone		06:26
*** chlong has joined #openstack-keystone		06:35
*** davechen has left #openstack-keystone		06:57
*** chlong has quit IRC		07:02
*** _cjones_ has quit IRC		07:04
*** lhcheng has joined #openstack-keystone		07:08
*** ChanServ sets mode: +v lhcheng		07:08
*** lhcheng has quit IRC		07:10
*** lhcheng has joined #openstack-keystone		07:11
*** ChanServ sets mode: +v lhcheng		07:11
*** stevemar has quit IRC		07:20
*** chlong has joined #openstack-keystone		07:26
*** browne has quit IRC		07:34
*** chlong has quit IRC		07:37
*** henrynash_ has joined #openstack-keystone		07:37
*** ChanServ sets mode: +v henrynash_		07:37
*** henrynash has quit IRC		07:39
*** henrynash has joined #openstack-keystone		07:42
*** ChanServ sets mode: +v henrynash		07:42
*** henrynash_ has quit IRC		07:42
*** henrynash_ has joined #openstack-keystone		07:46
*** ChanServ sets mode: +v henrynash_		07:46
*** henrynash has quit IRC		07:47
*** henrynash has joined #openstack-keystone		07:48
*** ChanServ sets mode: +v henrynash		07:48
*** chlong has joined #openstack-keystone		07:49
*** henrynash_ has quit IRC		07:50
*** ncoghlan has quit IRC		07:52
*** henrynash_ has joined #openstack-keystone		07:52
*** ChanServ sets mode: +v henrynash_		07:52
*** henrynash has quit IRC		07:53
*** chlong has quit IRC		07:53
*** chlong has joined #openstack-keystone		07:55
*** henrynash has joined #openstack-keystone		07:55
*** ChanServ sets mode: +v henrynash		07:55
*** henrynash_ has quit IRC		07:57
openstackgerrit	Merged openstack/keystoneauth: Remove auth_url property from AccessInfo https://review.openstack.org/178913	08:00
openstackgerrit	Merged openstack/keystoneauth: Remove region_name from catalog https://review.openstack.org/178914	08:00
openstackgerrit	Merged openstack/keystoneauth: Remove the AccessInfo Factory https://review.openstack.org/178915	08:00
openstackgerrit	Merged openstack/keystoneauth: Remove region_name from service catalog https://review.openstack.org/178916	08:01
*** chlong has quit IRC		08:01
*** henrynash_ has joined #openstack-keystone		08:04
*** ChanServ sets mode: +v henrynash_		08:04
*** henrynash has quit IRC		08:06
*** henrynash has joined #openstack-keystone		08:08
*** ChanServ sets mode: +v henrynash		08:08
*** henrynash_ has quit IRC		08:09
*** henrynash_ has joined #openstack-keystone		08:12
*** ChanServ sets mode: +v henrynash_		08:12
*** henrynash has quit IRC		08:13
*** henrynash_ is now known as henrynash		08:13
*** boris-42 has joined #openstack-keystone		08:13
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/178426	08:15
*** henrynash_ has joined #openstack-keystone		08:16
*** ChanServ sets mode: +v henrynash_		08:16
*** henrynash has quit IRC		08:18
*** henrynash_ is now known as henrynash		08:18
*** chlong has joined #openstack-keystone		08:18
*** winggundamth has quit IRC		08:38
*** chlong has quit IRC		08:40
*** e0ne has joined #openstack-keystone		08:55
*** e0ne has quit IRC		08:58
*** henrynash_ has joined #openstack-keystone		09:07
*** ChanServ sets mode: +v henrynash_		09:07
*** henrynash has quit IRC		09:08
*** henrynash_ is now known as henrynash		09:08
*** henrynash_ has joined #openstack-keystone		09:27
*** ChanServ sets mode: +v henrynash_		09:27
*** henrynash has quit IRC		09:28
*** henrynash_ is now known as henrynash		09:28
*** markvoelker has joined #openstack-keystone		09:29
*** lhcheng has quit IRC		09:41
*** dguerri is now known as _dguerri		09:57
*** topol has joined #openstack-keystone		09:59
*** ChanServ sets mode: +v topol		09:59
*** _dguerri is now known as dguerri		10:00
*** mflobo has quit IRC		10:00
*** josecastroleon has joined #openstack-keystone		10:09
*** topol has quit IRC		10:10
*** mflobo has joined #openstack-keystone		10:14
*** chlong has joined #openstack-keystone		10:14
*** ayoung has quit IRC		10:25
*** ayoung has joined #openstack-keystone		10:37
*** ChanServ sets mode: +v ayoung		10:37
*** josecastroleon has quit IRC		10:37
openstackgerrit	David Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver https://review.openstack.org/167675	10:45
*** chlong has quit IRC		11:01
*** chlong has joined #openstack-keystone		11:04
*** dguerri is now known as _dguerri		11:15
*** chlong has quit IRC		11:15
openstackgerrit	David Charles Kennedy proposed openstack/keystone: Service with no endpoints should not be in catalog https://review.openstack.org/176383	11:21
*** _dguerri is now known as dguerri		11:21
*** markvoelker has quit IRC		11:30
openstackgerrit	David Charles Kennedy proposed openstack/keystonemiddleware: Enforce endpoint constraint https://review.openstack.org/177661	11:42
*** ctina_ has joined #openstack-keystone		11:50
*** markvoelker has joined #openstack-keystone		12:01
*** markvoelker has quit IRC		12:06
*** markvoelker has joined #openstack-keystone		12:12
*** jlbhshluekg has joined #openstack-keystone		12:16
jlbhshluekg	.	12:16
jlbhshluekg	did usa intelligence supply isis with weapons like they did with al-qaeda to justify creating wars?	12:16
jlbhshluekg	did usa excute the creative mess in the middle east like they said they will, does the creative mess include explosions with uncertain responsibles to create wars?	12:16
jlbhshluekg	plz, send my qs to help limiting usa & israel aggression against others& may then lessen number of people killed in the middle east.	12:16
jlbhshluekg	.did usa intelligence supply isis with weapons like they did with al-qaeda to justify creating wars?	12:16
*** jlbhshluekg has quit IRC		12:16
*** jlbhshluekg has joined #openstack-keystone		12:16
*** jlbhshluekg has joined #openstack-keystone		12:17
*** jlbhshluekg has left #openstack-keystone		12:17
*** henrynash_ has joined #openstack-keystone		12:29
*** ChanServ sets mode: +v henrynash_		12:29
*** henrynash has quit IRC		12:31
*** henrynash_ is now known as henrynash		12:31
*** davidckennedy has joined #openstack-keystone		12:38
*** richm1 has joined #openstack-keystone		12:46
davidckennedy	Anybody have any clue why jenkins applies -1 when all tests show SUCCESS? See - https://review.openstack.org/#/c/177661/	12:47
bknudson	davidckennedy: http://logs.openstack.org/61/177661/9/check/gate-keystonemiddleware-requirements/80f9ee4/	12:51
*** zzzeek has joined #openstack-keystone		12:53
lbragstad	marekd: do you want me to create another blueprint for this guy? https://review.openstack.org/#/c/132122/	12:55
lbragstad	cc morganfainberg ^	12:56
lbragstad	and register it to https://github.com/openstack/keystone-specs/blob/master/specs/juno/keystone-api-validation.rst	12:56
openstackgerrit	Lance Bragstad proposed openstack/keystone: Switch the token provider to use strict_abc https://review.openstack.org/149411	13:03
openstackgerrit	Lance Bragstad proposed openstack/keystone: StrictABC Implementation https://review.openstack.org/148354	13:03
*** afaranha has quit IRC		13:06
*** iamjarvo_ has joined #openstack-keystone		13:07
*** mattfarina has joined #openstack-keystone		13:10
*** iamjarvo_ has quit IRC		13:11
*** richm1 is now known as richm		13:16
*** sigmavirus24_awa is now known as sigmavirus24		13:28
*** dims has joined #openstack-keystone		13:30
*** joesavak has joined #openstack-keystone		13:33
*** wwwjfy_ has joined #openstack-keystone		13:38
*** wwwjfy has quit IRC		13:38
*** packet has joined #openstack-keystone		13:39
*** zzzeek has quit IRC		13:42
*** henrynash has quit IRC		13:43
*** henrynash has joined #openstack-keystone		13:44
*** ChanServ sets mode: +v henrynash		13:44
davidckennedy	bknudson I got it.	13:44
davidckennedy	It's the oslo.config version specified in the requirements, but why that causes, er, nothing to go wrong I don't know.	13:46
*** packet has quit IRC		13:48
*** henrynash has quit IRC		13:49
*** packet has joined #openstack-keystone		13:49
*** henrynash has joined #openstack-keystone		13:49
*** ChanServ sets mode: +v henrynash		13:49
openstackgerrit	David Charles Kennedy proposed openstack/keystonemiddleware: Enforce endpoint constraint https://review.openstack.org/177661	13:49
*** openstackgerrit has quit IRC		13:51
*** wwwjfy_ has quit IRC		13:51
*** wwwjfy has joined #openstack-keystone		13:51
*** openstackgerrit has joined #openstack-keystone		13:52
marekd	lbragstad: i think morganfainberg and bknudson are better to ask here. Code submits without existing and active bps were always subject to -1 so i think this situation is somehow similar.	13:57
bknudson	lbragstad: nobody's going to stop you from creating a blueprint.	13:57
lbragstad	bknudson: marekd ok, I'll create one for it	13:58
marekd	lbragstad: sure, and then i will be happy to positively vote on the code patch!	13:58
marekd	or rather +A	13:59
marekd	lbragstad: let me know when it's ready	13:59
lbragstad	marekd: ++ will do	13:59
marekd	lbragstad: thanks	13:59
*** gordc has joined #openstack-keystone		14:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement validation on the Identity V3 API https://review.openstack.org/132122	14:03
lbragstad	marekd: bknudson ^	14:03
*** samueldmq has joined #openstack-keystone		14:03
marekd	voted!	14:04
*** iamjarvo has joined #openstack-keystone		14:04
*** iamjarvo has quit IRC		14:05
*** iamjarvo has joined #openstack-keystone		14:05
bknudson	lbragstad: marekd: morganfainberg: I approved the blueprint.. I'm assuming this is ok since there are 4 cores involved already.	14:09
lbragstad	bknudson: works for me	14:09
lbragstad	marekd: thanks!	14:10
bknudson	is there other validation work going on this release?	14:10
lbragstad	bknudson: not that I am aware of	14:10
*** markvoelker has quit IRC		14:10
lbragstad	bknudson: to the best of my knowledge, the identity api was the only validation that didn't make it into Juno.	14:10
bknudson	lbragstad: you can finally report that this is completed in your pbc results	14:10
lbragstad	bknudson: \o/	14:10
lbragstad	bknudson: finally!	14:11
morganfainberg	bknudson: ++	14:11
*** markvoelker_ has joined #openstack-keystone		14:14
*** samueldmq has quit IRC		14:15
*** markvoel_ has joined #openstack-keystone		14:15
*** henrynash_ has joined #openstack-keystone		14:16
*** ChanServ sets mode: +v henrynash_		14:16
*** samueldmq has joined #openstack-keystone		14:16
*** henrynash has quit IRC		14:16
*** henrynash_ is now known as henrynash		14:16
*** markvoelker_ has quit IRC		14:19
samueldmq	bknudson, lbragstad are you talking about the schema validations ?	14:29
samueldmq	I 've added an idea to that brainstorming etherpad	14:29
samueldmq	<samueldmq> basically we could enforce FKs by adding them at keystone/common/models.py an then would enforce them at manager level with annotations	14:29
lbragstad	samueldmq: around schema validation?	14:29
samueldmq	(looks like I am having connection issues)	14:29
bknudson	this is validation of inputs using JSONSchema	14:29
samueldmq	lbragstad, this one I described ? ^ (fks validation)	14:30
bknudson	we have a security-related initiative here and one of the requirements is input validation.	14:30
samueldmq	lbragstad, could be done using schemas ?	14:30
ayoung	samueldmq, don't count on keystone/common/models.py	14:31
ayoung	that is going to get replaced by unified accessinfo	14:31
ayoung	jdennis, you live!	14:31
ayoung	how are the new digs?	14:31
ayoung	jdennis, I realize you are digging out from under rought 3.5Ge (that is Giga-emails)	14:32
*** stevemar has joined #openstack-keystone		14:47
*** ChanServ sets mode: +v stevemar		14:47
ayoung	lifeless, someone was taking pictures of your bedroom: http://nerdist.com/the-best-bedrooms-have-a-millennium-falcon-cockpit/	14:49
*** dims is now known as dimsum__		14:58
jdennis	ayoung: yes, I'm alive, exhausted, and connected. Trying to catch up, 5,000 emails to wade through, if there is something important to draw my attention to please do, especially interested in where we stand with the ECP work	15:03
*** emagana has joined #openstack-keystone		15:05
samueldmq	ayoung, maybe approve this (https://review.openstack.org/#/c/177413/) ?	15:06
bknudson	samueldmq: approving doesn't do much good since it depends on another review that isn't approved	15:07
samueldmq	bknudson, oh sure, didnt pay attention on the chain , thx	15:07
*** emagana has quit IRC		15:09
*** dimsum__ has quit IRC		15:31
*** henrynash_ has joined #openstack-keystone		15:31
*** ChanServ sets mode: +v henrynash_		15:31
*** dimsum__ has joined #openstack-keystone		15:31
*** henrynash has quit IRC		15:33
*** henrynash_ is now known as henrynash		15:33
*** iamjarvo has quit IRC		15:38
*** gyee has joined #openstack-keystone		15:42
*** ChanServ sets mode: +v gyee		15:42
openstackgerrit	Arvind Tiwari proposed openstack/keystone-specs: spec for cloud namespaces https://review.openstack.org/179412	15:47
*** iamjarvo has joined #openstack-keystone		15:48
*** lhcheng has joined #openstack-keystone		15:51
*** ChanServ sets mode: +v lhcheng		15:51
*** henrynash has quit IRC		15:52
openstackgerrit	Merged openstack/keystone-specs: Deprecations https://review.openstack.org/153881	15:54
*** zzzeek has joined #openstack-keystone		15:58
*** henrynash has joined #openstack-keystone		16:01
*** ChanServ sets mode: +v henrynash		16:01
*** browne has joined #openstack-keystone		16:04
openstackgerrit	Merged openstack/keystone-specs: Add spec for 'stable keystone driver interfaces' https://review.openstack.org/177428	16:06
*** henrynash_ has joined #openstack-keystone		16:11
*** ChanServ sets mode: +v henrynash_		16:11
*** henrynash has quit IRC		16:12
*** henrynash_ is now known as henrynash		16:12
stevemar	lbragstad, yesssss laance	16:12
stevemar	this patch has bit-rotted https://review.openstack.org/#/c/154370/	16:12
stevemar	this guy and his downgrades	16:12
lbragstad	stevemar: yeah, doesn't look like its been touched in a while	16:13
*** davidckennedy has quit IRC		16:13
ayoung	jdennis, ok, so here is where we stand. Your last message implied we were doing IdP initiated only. marked (in Europe so home for the weekend I assume) disagreed. We ened to figure out what to do too get the keystone client talking ECP to get a token	16:16
bknudson	https://review.openstack.org/#/c/162765/ -- easy one has +2	16:17
*** wwwjfy has quit IRC		16:18
bknudson	ayoung: https://review.openstack.org/#/c/144248/ -- the auth_token to use keystoneclient change you +2d earlier. I made a change based on jamielennox's feedback.	16:20
ayoung	bknudson, looking	16:20
ayoung	bknudson, just this, right https://review.openstack.org/#/c/144248/11..12/keystonemiddleware/auth_token/_auth.py,cm	16:20
*** wwwjfy has joined #openstack-keystone		16:20
bknudson	ayoung: yes, he asked to use the discover API	16:21
ayoung	I think that is the better approach, yes	16:21
ayoung	+A	16:22
bknudson	ayoung: thanks! progress! liberty!	16:22
ayoung	equality! fraternity!	16:22
*** iamjarvo has quit IRC		16:23
*** gokrokve has joined #openstack-keystone		16:25
*** gokrokve has quit IRC		16:26
*** gokrokve has joined #openstack-keystone		16:27
*** alexsyip has joined #openstack-keystone		16:33
*** iamjarvo has joined #openstack-keystone		16:47
*** henrynash has quit IRC		16:47
*** gokrokve has quit IRC		16:51
*** HenryG is now known as floccinaucinihil		16:54
*** floccinaucinihil is now known as HenryThe8th		16:55
*** emagana has joined #openstack-keystone		16:59
*** markvoel_ has quit IRC		16:59
*** markvoelker has joined #openstack-keystone		17:00
*** _cjones_ has joined #openstack-keystone		17:00
*** _cjones_ has quit IRC		17:00
*** _cjones_ has joined #openstack-keystone		17:00
*** josecastroleon has joined #openstack-keystone		17:06
samueldmq	jamielennox, morganfainberg I have good news on the keystone v3 only tempest run	17:10
morganfainberg	samueldmq: it mostly just works?	17:10
morganfainberg	:)	17:10
samueldmq	- Passed: 881	17:11
samueldmq	- Skipped: 158	17:11
samueldmq	- Expected Fail: 0	17:11
samueldmq	- Unexpected Success: 0	17:11
samueldmq	- Failed: 9	17:11
stevemar	samueldmq, you didn't get injured when it blew up?	17:11
morganfainberg	not bad	17:11
samueldmq	stevemar, no hehe	17:11
stevemar	not bad at all	17:11
samueldmq	morganfainberg, and this time v2.0 is disabled, for sure :)	17:12
morganfainberg	great	17:12
samueldmq	my current env is:	17:12
morganfainberg	samueldmq: i'll push up a WIP review to devstack for the changes to get v3-only setup going	17:12
morganfainberg	samueldmq: today	17:12
*** josecastroleon has quit IRC		17:12
samueldmq	i) disabled v2 in keystone	17:12
samueldmq	ii) enabled tempest to use v3 tokens	17:12
samueldmq	iii) skipped tempest tests on specific keystone tests of v2 api ( the tests on api.idenity. etc, not the tests for other services)	17:13
samueldmq	iv) enabled horizon to use v3 auth	17:13
lbragstad	stevemar: devstack shrapnel can be dangerous...	17:14
samueldmq	morganfainberg, as I executed several times until get this working, I'll unstack/stack to ensure nothing was left in the databases	17:15
stevemar	lbragstad, lethal	17:15
samueldmq	morganfainberg, and any type of trash left is causing tests to fail	17:15
samueldmq	morganfainberg, however I still need to enable swift and neutron, I am just using the default devstack conf so far	17:16
samueldmq	stevemar, cc ^	17:16
stevemar	i'm not sure if swift will cause you issues	17:18
*** gokrokve has joined #openstack-keystone		17:18
stevemar	neutron might not	17:18
morganfainberg	heat will	17:18
stevemar	morganfainberg, why heat?	17:18
samueldmq	stevemar, god bless your thoughts, I hope too!	17:18
morganfainberg	at least i think it will	17:18
morganfainberg	does some v2 things still	17:19
*** gokrokve_ has joined #openstack-keystone		17:20
samueldmq	morganfainberg, hmm, will test it as well	17:20
samueldmq	however I think if we get it working with the core services by the summit it would be amazing	17:21
david-lyle	morganfainberg: more complicated than that for horizon	17:21
samueldmq	I will start working on the gate job (actually I started, but I couldn"t commit a code which I didnt test manually)	17:21
*** gokrokve has quit IRC		17:22
*** gokrokv__ has joined #openstack-keystone		17:22
david-lyle	need a session store other than signed cookies due to token size of k v3	17:22
david-lyle	that's why we haven't moved yet	17:22
*** gokrokve_ has quit IRC		17:22
david-lyle	we've debated memcached and sqlite as options	17:22
david-lyle	in memory cache is also an option	17:23
david-lyle	not a very good solution in general, but fastest bandaid	17:23
*** samleon has joined #openstack-keystone		17:25
morganfainberg	david-lyle: this is because the SC is giant?	17:25
david-lyle	yes	17:25
morganfainberg	david-lyle: not because the token data itself is bad - but when you couple the SC in ... icky	17:25
morganfainberg	maybe we need horizon to be able to grab a complete view of the SC and cache it for a period	17:25
david-lyle	which lhcheng is also looking at independently	17:25
morganfainberg	independant of the session?	17:25
samueldmq	morganfainberg, cache it on horizon ? and transmit only ids on the token	17:26
gyee	uh, endpoint filtering?	17:26
morganfainberg	then we can distil down the SC in the token to something usable / small	17:26
morganfainberg	david-lyle: not sure how a state like that in a django app would look though	17:26
david-lyle	he's looking at storing it on the request not the session	17:26
samueldmq	yeah, just the service ids in the token's catalog, and horizon cahes the whole list	17:26
morganfainberg	ah	17:26
openstackgerrit	Merged openstack/keystone: Fixes tests to use the config fixture https://review.openstack.org/162765	17:27
david-lyle	but would require more keystone API calls to retrieve the catalog	17:27
gyee	david-lyle, ajax it!	17:27
samueldmq	david-lyle, yeah but we can do it, right morganfainberg	17:27
david-lyle	eventually a more complete solution, but this is middle ground	17:28
samueldmq	david-lyle, ++	17:28
*** meera has joined #openstack-keystone		17:29
gyee	morganfainberg, see if you like this approach https://review.openstack.org/#/c/177661/	17:29
gyee	endpoint constraint enforcement using oslo policy, like we talked about last week	17:29
morganfainberg	nice	17:30
morganfainberg	will look post coffee	17:30
samueldmq	dstanek, why ldappool does not work with python 3 ?	17:30
morganfainberg	samueldmq: nope	17:30
samueldmq	bknudson, any thought s ? ^	17:30
morganfainberg	samueldmq: python-ldap doesn't either	17:30
morganfainberg	samueldmq: we need to move to ldap3 library, and re-implement the pool from ldappool	17:30
gyee	but python3 can do both	17:30
morganfainberg	it's not a lot of work	17:30
gyee	I mean python3 ldap	17:30
samueldmq	morganfainberg, hmm .. so it's because those incompatibilities with zip(), range() and othess?	17:30
morganfainberg	samueldmq: no just python-ldap doesn't do it	17:31
morganfainberg	gyee: ldap3 is the new name of the python3 ldap lib	17:31
samueldmq	morganfainberg, k, we have this in our roadmap?	17:31
morganfainberg	samueldmq: yep	17:31
samueldmq	morganfainberg, brainstorming list, etc	17:31
morganfainberg	samueldmq: we have a spec on the backlog for this i think	17:31
samueldmq	morganfainberg, nice, just to not forget about it	17:31
morganfainberg	just need to move it to liberty	17:31
gyee	yeah we need some work to transition over to ldap3	17:32
samueldmq	morganfainberg, ++ will look	17:32
gyee	shouldn't be that bad	17:32
* samueldmq is happy to be in review mode again		17:32
lhcheng	morganfainberg: been tinkering with DOA yesterday, and was able to shrink the size of data stored in horizon session	17:33
gyee	I remember we had to dance around unicode in our ldap logic, hopefully ldap3 support them natively	17:34
lhcheng	morganfainberg: stopped storing service catalog in the session and I got this improvements	17:34
lhcheng	morganfainberg: Keystone V2: 30% decrease, Keystone V3: 44% decrease	17:34
openstackgerrit	Merged openstack/keystonemiddleware: Change auth_token to use keystoneclient https://review.openstack.org/144248	17:34
morganfainberg	lhcheng: decrease in performance or size?	17:39
samueldmq	do we have an experimental gate-keystone-python3 ?	17:39
lhcheng	morganfainberg: size	17:39
morganfainberg	lhcheng: not bad	17:39
morganfainberg	samueldmq: maybe.	17:39
morganfainberg	samueldmq: might need to check we used to.	17:39
samueldmq	morganfainberg, looking at a patch chain of python3 from dstanek	17:40
morganfainberg	lhcheng: and the 66% is fairly static data, some environments will have massive SCs and might see 80+% decrease	17:40
lhcheng	morganfainberg: the downside is just an extra keystone call per page reload, which should not be significant for keystone	17:40
samueldmq	morganfainberg, would be great if we could run with 'check experimental'	17:40
morganfainberg	lhcheng: i'd like to see that able to be cached	17:40
morganfainberg	lhcheng: as a config option. if someone uses memcache, let them enable it to be cached	17:40
morganfainberg	lhcheng: if it isn't in memcache, fetch.	17:41
morganfainberg	lhcheng: should be a good middle-ground/easy-ish solution	17:41
morganfainberg	lhcheng: and address the extra call to keystone per page reload concern for real deployments	17:41
morganfainberg	since most use / have caching infrastructure	17:41
lhcheng	morganfainberg: likely some more data can be stripped down from the session, I just removed service catalog as of now.	17:42
morganfainberg	lhcheng: lets just start with that and get the SC cachable.	17:42
morganfainberg	lhcheng: we can look at other data as future optimisations	17:43
lhcheng	morganfainberg: I am thinking the first pass could be just always get from keystone, then the memcache comes as enhancement.	17:43
morganfainberg	lhcheng: yep, i just would like to see that 2nd pass (caching) bit land in liberty if at all possible	17:46
morganfainberg	lhcheng: knowing the operators, that would be a concern we can head off at the pass. optional, but a nice add on	17:46
lhcheng	yeah, should be easy	17:46
morganfainberg	and not a huge ask :)	17:46
lhcheng	morganfainberg: agreed	17:46
* morganfainberg submits another talk to PyConAU about Keystone.		17:47
openstackgerrit	Brant Knudson proposed openstack/keystone: Implement validation on the Identity V3 API https://review.openstack.org/132122	17:47
morganfainberg	lhcheng: btw: stable driver interfaces landed in backlog	17:49
morganfainberg	lhcheng: we need to move it to liberty now and flesh out a couple details in the spec	17:49
morganfainberg	lhcheng: if you wouldn't mind taking a look at the spec and we'll figure out who all is going to be on the hook for any specifics at the summit	17:50
lhcheng	morganfainberg: sure, will do.	17:50
*** wwwjfy has quit IRC		17:52
lhcheng	morganfainberg: brb, have to go to meeting.	17:53
lhcheng	morganfainberg: will ping you later to follow-up on that.	17:53
morganfainberg	lhcheng: no worries	17:53
morganfainberg	i'm about to run for a bit today	17:53
morganfainberg	so, whenever	17:53
lhcheng	morganfainberg: okay :)	17:53
openstackgerrit	Merged openstack/keystoneauth: Base Documentation changes https://review.openstack.org/179298	17:57
*** packet has quit IRC		17:59
*** spandhe has joined #openstack-keystone		17:59
*** dguerri is now known as _dguerri		18:01
*** packet has joined #openstack-keystone		18:05
*** samueldmq_ has joined #openstack-keystone		18:11
*** samueldmq has quit IRC		18:11
*** toddnni has joined #openstack-keystone		18:20
*** packet has quit IRC		18:23
*** e0ne has joined #openstack-keystone		18:27
*** samueldmq_ is now known as samueldmq		18:29
gyee	pacman in 8!	18:31
gyee	sheet wrong window	18:31
*** _cjones_ has quit IRC		18:32
bknudson	gyee is up for anything!	18:33
gyee	bknudson, sorry I was talking to my bookie on a wrong channel	18:34
bknudson	you know it's fixed	18:35
lhcheng	gyee: lol	18:35
*** iamjarvo has quit IRC		18:37
morganfainberg	ayoung: ping - physics dept at BU right?	18:38
ayoung	morganfainberg, sort of	18:38
ayoung	the MOC is housed in the Physics dept. but the meetup will be near there, probably not in that building itself	18:38
morganfainberg	Eh I'll just say BU	18:38
morganfainberg	This is just the preliminary email "save the date thing"	18:39
ayoung	Yes, BU, main Campus is probably the right granularity	18:39
morganfainberg	MOC is multi <some Things> cloud?	18:39
ayoung	I don't know if they have any non main campii	18:39
ayoung	Massachusetts Open Cloud	18:39
morganfainberg	Ok cool.	18:39
ayoung	http://www.bu.edu/hic/research/massachusetts-open-cloud/	18:39
lifeless	ayoung: not but wow I wish	18:40
ayoung	lifeless, yours probably looks more like Tatooine	18:40
bknudson	does MOC run openstack?	18:40
ayoung	bknudson, yes	18:41
ayoung	bknudson, the guy that kicked it off (this guy http://www.bu.edu/cci/okrieg/) Built vCloud at VMware, and then turned his sights on doing something more open	18:42
ayoung	openstack is the basis for what they are pushing, and, in return, they are feeding some interesting ideas in to Keystone et alles.	18:42
ayoung	bknudson, he's one of you guys...long time IBMer	18:43
bknudson	I see that on the profile... was in research	18:44
morganfainberg	ayoung: email sent. 15, 16, 17.	18:45
morganfainberg	ayoung: I'll start working on hotels and other things like food next week / week after so we have stuff all lined up right after the summit if not before.	18:46
*** lhcheng has quit IRC		18:46
ayoung	morganfainberg, sounds good. Let me know when you are ready to plan, won't overload you with details now.	18:47
*** lhcheng_ has joined #openstack-keystone		18:47
morganfainberg	Yeah. I want to wait till after next week due to summit planning stuff.	18:47
morganfainberg	Ok off to lunch. Bbiab	18:47
*** iamjarvo has joined #openstack-keystone		18:50
*** iamjarvo has quit IRC		18:50
*** iamjarvo has joined #openstack-keystone		18:50
openstackgerrit	Merged openstack/keystoneauth: Cannot retrieve a token from service catalog https://review.openstack.org/178917	18:56
*** omkarjoshi has joined #openstack-keystone		18:57
openstackgerrit	Merged openstack/keystoneauth: Don't save version into the dictionary https://review.openstack.org/178918	18:58
*** e0ne has quit IRC		19:02
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor certificate fetch functions https://review.openstack.org/179460	19:03
*** ankita_wagh has joined #openstack-keystone		19:03
*** lhcheng_ is now known as lhcheng		19:05
*** ChanServ sets mode: +v lhcheng		19:05
openstackgerrit	Merged openstack/keystoneauth: Remove the factory from service catalog https://review.openstack.org/178919	19:06
*** emagana has quit IRC		19:10
*** emagana has joined #openstack-keystone		19:13
*** _cjones_ has joined #openstack-keystone		19:18
*** ankita_wagh has quit IRC		19:24
*** ankita_wagh has joined #openstack-keystone		19:25
*** ankita_wagh has quit IRC		19:29
openstackgerrit	Doug Hellmann proposed openstack/pycadf: Remove run_cross_tests.sh https://review.openstack.org/179481	19:40
*** ctina_ has quit IRC		19:43
*** samueldmq has quit IRC		19:47
*** HenryThe8th has quit IRC		19:50
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo https://review.openstack.org/179486	19:51
bknudson	ayoung: you might find this interesting ^ (WIP)	19:52
*** HenryG has joined #openstack-keystone		19:54
*** HenryG has quit IRC		19:55
*** HenryG has joined #openstack-keystone		19:56
*** spandhe has quit IRC		20:03
*** HenryG has quit IRC		20:16
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/179495	20:17
*** emagana has quit IRC		20:21
*** HenryG has joined #openstack-keystone		20:21
*** emagana has joined #openstack-keystone		20:23
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/178426	20:23
ayoung	bknudson, you are right, I find it interesting	20:32
*** emagana has quit IRC		20:32
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo https://review.openstack.org/179486	20:34
*** samleon has quit IRC		20:34
*** samleon has joined #openstack-keystone		20:34
*** samleon has quit IRC		20:35
*** _dguerri is now known as dguerri		20:38
openstackgerrit	Merged openstack/keystoneauth: Make ServiceCatalog take an actual catalog https://review.openstack.org/178920	20:44
*** lhcheng has quit IRC		20:45
*** lhcheng has joined #openstack-keystone		20:46
*** ChanServ sets mode: +v lhcheng		20:46
*** lhcheng has quit IRC		20:46
*** dguerri is now known as _dguerri		20:47
*** lhcheng has joined #openstack-keystone		20:49
*** ChanServ sets mode: +v lhcheng		20:49
openstackgerrit	Merged openstack/keystoneauth: AccessInfo is not a dict https://review.openstack.org/178921	20:50
*** _dguerri is now known as dguerri		20:54
*** spandhe has joined #openstack-keystone		20:58
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo https://review.openstack.org/179486	20:59
*** emagana has joined #openstack-keystone		21:06
*** mattfarina has quit IRC		21:07
*** ajayaa has joined #openstack-keystone		21:07
*** joesavak has quit IRC		21:10
*** sharky1 has joined #openstack-keystone		21:10
*** sharky1 has left #openstack-keystone		21:12
*** packet has joined #openstack-keystone		21:13
*** iamjarvo has quit IRC		21:15
morganfainberg	allo	21:16
*** Ephur has joined #openstack-keystone		21:16
*** meera has quit IRC		21:16
*** boris-42 has quit IRC		21:18
*** browne has quit IRC		21:21
*** iamjarvo has joined #openstack-keystone		21:21
*** iamjarvo has quit IRC		21:21
*** iamjarvo has joined #openstack-keystone		21:22
*** packet has quit IRC		21:23
sigmavirus24	o/ morganfainberg	21:28
*** emagana has quit IRC		21:28
*** iamjarvo has quit IRC		21:28
*** emagana has joined #openstack-keystone		21:31
*** stevemar has quit IRC		21:49
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo https://review.openstack.org/179486	21:49
*** gordc has quit IRC		21:53
*** dimsum__ has quit IRC		21:56
morganfainberg	bknudson: you interested in keystone +2 powers for stable?	21:56
morganfainberg	bknudson: i'd like to add one more keystone core to stable maint for keystone	21:56
*** dimsum__ has joined #openstack-keystone		21:56
bknudson	morganfainberg: sure.	21:56
morganfainberg	bknudson: mostly because i think you know all the stable policy stuff having dealt with oslo and other things	21:57
morganfainberg	bknudson: so less explaining :)	21:57
morganfainberg	bknudson: and well.. python robot!	21:57
morganfainberg	:)	21:57
morganfainberg	bknudson: cool i'll add you	21:57
bknudson	stable reviews are easy	21:57
morganfainberg	bknudson: yeah i just feel like a bottleneck with them atm or i write them and then need to find other stable folks to +2	21:58
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Don't return default for domain in v2 accessinfo https://review.openstack.org/179522	22:10
*** harlowja has joined #openstack-keystone		22:17
jamielennox	morganfainberg: do you have a script you were using for ksa for bringing across files from ksc?	22:18
morganfainberg	jamielennox: it requires merge commits to do now.	22:18
morganfainberg	jamielennox: and that gets icky	22:19
morganfainberg	jamielennox: sort-of.	22:19
morganfainberg	jamielennox: it was a combination of by-hand and a script to filter-branch	22:19
jamielennox	there's a couple of test files i think you missed, should i just c&p and propose them again?	22:19
morganfainberg	jamielennox: just c&p	22:19
jamielennox	ok	22:19
morganfainberg	jamielennox: it is a lot less headache, we got most of the history we care about	22:19
*** emagana has quit IRC		22:21
morganfainberg	jamielennox: feel free to +A the default domain change ^^ when jenkins passes	22:23
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Copy missed test_fixtures from keystoneclient https://review.openstack.org/179525	22:26
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Add endpoint and service ids to fixtures https://review.openstack.org/179526	22:26
*** sigmavirus24 is now known as sigmavirus24_awa		22:29
*** ajayaa has quit IRC		22:30
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: validate_token returns AccessInfo https://review.openstack.org/179486	22:35
morganfainberg	bknudson: you are now keystone-stable-maint	22:35
morganfainberg	bknudson: make sure you've 2x checked stable-maint policies etc. not that they are crazy or not mostly common sense	22:36
morganfainberg	bknudson: and now i can be less bottle-neck on keystone stable stuff	22:36
morganfainberg	bknudson: and the whole reason - your +1 here https://review.openstack.org/#/c/178293/ can become a +2	22:36
morganfainberg	(whole reason this topic started)	22:37
bknudson	morganfainberg: y, +2	22:37
*** emagana has joined #openstack-keystone		22:38
mtreinish	morganfainberg: now that he +2'd it do you want me to remove him from the group :)	22:38
morganfainberg	haha no	22:38
bknudson	that's going to be a lot of mailing list traffic	22:39
*** atiwari has joined #openstack-keystone		22:43
*** packet has joined #openstack-keystone		22:47
*** omkarjoshi has quit IRC		22:48
*** markvoelker has quit IRC		22:48
*** packet has quit IRC		22:56
*** gokrokv__ has quit IRC		22:58
*** ankita_wagh has joined #openstack-keystone		23:02
*** omkarjoshi has joined #openstack-keystone		23:15
*** boris-42 has joined #openstack-keystone		23:18
*** lhcheng has quit IRC		23:26
*** lhcheng has joined #openstack-keystone		23:27
*** ChanServ sets mode: +v lhcheng		23:27
*** wwwjfy has joined #openstack-keystone		23:27
*** alexsyip has quit IRC		23:33
*** browne has joined #openstack-keystone		23:34
*** gyee has quit IRC		23:35
*** josecastroleon has joined #openstack-keystone		23:41
*** josecastroleon has quit IRC		23:44
*** emagana has quit IRC		23:52

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!