Wednesday, 2015-05-13

« Tuesday, 2015-05-12 Index Thursday, 2015-05-14 »
dstanekdamn...it's not sqlalchemy migrate - it's us databasing wrong00:02
*** gordc has quit IRC00:03
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow searching a catalog on service or endpoint id  https://review.openstack.org/17466900:04
*** Raildo_ has joined #openstack-keystone00:05
*** markvoelker has joined #openstack-keystone00:06
*** chlong_ has joined #openstack-keystone00:20
lbragstaddstanek: :(00:22
lbragstaddstanek: what did we do?!00:22
morganfainberglbragstad: lots of things i'm sure00:26
*** david-lyle has quit IRC00:28
morganfainbergmordred: i am starting to agree with you... we (OpenStack) must hate our users... a lot00:29
Raildo_morganfainberg, thanks for you explaination :)00:29
Raildo_in the reseller patch00:29
*** lhcheng has quit IRC00:32
*** lhcheng has joined #openstack-keystone00:32
*** ChanServ sets mode: +v lhcheng00:32
*** lhcheng has quit IRC00:32
morganfainbergRaildo_, no problem00:35
*** leveldoc has quit IRC00:36
dstaneklbragstad: i haven't looked in detail yet, but from the error i think we have mutually-dependent foreign key constraints in federation00:37
dstanekwanted to eat dinner before i followed that rabbit hole00:37
lbragstaddstanek: that sounds like fun00:38
lbragstaddstanek: you made a comment about a code conversation we had yesterday? Wanted to follow up with you but I'll let you eat dinner first00:38
* lbragstad had a crazy afternoon 00:38
lbragstadI wasn't as prompt this afternoon responding00:38
openstackgerritJamie Lennox proposed openstack/keystoneauth: Reorder catalog exceptions  https://review.openstack.org/18250700:40
openstackgerritMerged openstack/python-keystoneclient: Removes temporary fix for doc generation  https://review.openstack.org/12166700:41
*** ankita_wagh has quit IRC00:43
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add a readme  https://review.openstack.org/18250800:44
dstaneklbragstad: oh, i was just wondering if you thought more about the code required to do a 0-downtime upgrade and how to manage it00:45
lbragstaddstanek: I did a few tests today00:46
lbragstadwithout downtime, I can fill you in on them00:46
dstaneklbragstad: you were able to survive deleting a column without code changes?00:47
lbragstadyeah00:47
dstaneklbragstad: how does the keystone not break when the column goes away?00:47
lbragstaddstanek: tl;dr I tested out the percona toolkit and did it that way, using TOI with galera,00:47
lbragstaddstanek: it creates a shadow table00:48
lbragstadwith the new schema00:48
dstanekand that remains until you rollout a new code release?00:48
lbragstadthen it sets up a trigger that allows all incoming writes to be propagated to the new table.00:48
lbragstadthen it start piecing all data from the old table to the new "shadow" table, once that's done, it renames them and deletes the old one00:49
dstanekbut you still have code that is trying to use the column that no longer exists00:49
lbragstaddstanek: that would be if you were going to delete a required table according to the application00:50
lbragstadthe application would have to be smart enough to handle both schema for a period of time while the migration is happening00:50
dstaneklbragstad: right, that's what i'm asking about :-P00:51
lbragstadahh00:51
lbragstadgotcha00:51
lbragstadI thought you were asking about how the database did it explicitly00:51
lbragstaddstanek: I'll still working through those pieces.00:51
dstanekmulti-phase release don't seem like they'd work well in this ecosystem00:51
lbragstadyeah00:51
jamielennoxmorganfainberg: i was talking with richm this morning and he said it would be good if we (keystone-core) and you specifically could lean on the puppet guys at summit and explain how important v3 auth in the puppet modules is00:52
morganfainbergsounds good00:52
jamielennoxprobably in general - not just summit00:52
dstaneklbragstad: i do think we'd need some community support to pull this off00:52
lbragstaddstanek: possibly00:52
*** browne has quit IRC00:53
dstanekotherwise we'd have to carry temporary patches that don't get reviewed by the core team00:53
lbragstaddstanek: the upstream migration scripts are great for documenting exactly what we need to do, but having an upgrade path that's more realistic would be awesome,00:53
lbragstad(but I also understand the overhead of that)00:54
*** rwsu has quit IRC00:54
dstaneklbragstad: what's more realistic?00:54
lbragstadhaving upstream migration that run in 0 downtime manner00:54
lbragstadmigrations*00:54
*** stevemar has joined #openstack-keystone00:54
*** ChanServ sets mode: +v stevemar00:54
*** Raildo__ has joined #openstack-keystone00:54
lbragstaddstanek: we got this little tid bit from jaypipes http://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/online-schema-changes.html00:54
dstanekthat's easy enough to do with migrations if we code and support a multiphase deploy00:55
*** _cjones_ has quit IRC00:55
lbragstaddstanek: do you suggest that we start coding migration paths that way?00:55
lbragstads/coding/reviewing/00:55
dstaneklbragstad: we should all probably discuss at the summit00:56
lbragstadthen we would have to have a rule in place for the "old schema" that is cleaned up every release00:56
lbragstad++00:56
lbragstadI agree00:56
lbragstadso I would assume it would be similar to how we remove deprecated cruft at the beginning of every release00:57
dstanekin a previous life we did live upgrades by doing them in several phases - deploy code that knows the migration will happen - migrate - deploy new code - last db migrate if needed00:58
dstanekevery time we changed schemas it was a big deal - even adding tables and columns00:58
*** Raildo_ has quit IRC00:58
*** ayoung has joined #openstack-keystone00:59
*** ChanServ sets mode: +v ayoung00:59
openstackgerritSam Leong proposed openstack/keystone-specs: Light-weight Keystone to Keystone Federation  https://review.openstack.org/18251300:59
*** erickson has joined #openstack-keystone00:59
lbragstaddstanek: I could see that...00:59
lbragstaddstanek: you'd like to see the application be smart enough to just deal with it, which would mean more flexibility for the migrations overall, right?01:00
*** alexsyip has quit IRC01:00
*** ericksonfgds has quit IRC01:00
dstaneklbragstad: at least that's the way i've done it in the past; i don't know how you can get around that when doing certain kinds of migrations01:01
lbragstaddstanek: let alone complicated ones01:01
lbragstaddstanek: the percona toolkit for galera only supports certain operations, other things it just doesn't know how to deal with01:02
*** greghaynes has joined #openstack-keystone01:02
*** bknudson has joined #openstack-keystone01:07
*** ChanServ sets mode: +v bknudson01:07
openstackgerritJulian Edwards proposed openstack/keystone: Improve websso documentation.  https://review.openstack.org/18178201:07
*** samleon has quit IRC01:13
stevemarnkinder, thanks for making all those changes to the slide deck01:20
nkinderstevemar: Sure.  I'm on a roll with making diagrams :)01:21
nkinderstevemar: I like the changes you've made.  It's shaping up nicely.01:21
*** lhcheng has joined #openstack-keystone01:25
*** ChanServ sets mode: +v lhcheng01:25
stevemarnkinder, i'm pretty much 99% done the presentation i have with bknudson, and now i'm reviewing ours (while watching the flash)01:28
stevemarthen comes the one i have to do with marekd ....01:29
stevemarwhich is the most behind01:29
nkinderstevemar: cool.  I'm going to add multiple slides to show the federation flow step by step01:29
dstanekstevemar: which talk are you guys doing?01:29
nkinderstevemar: also want to do a set for the Horizon SSO stuff01:29
nkinderdstanek: me and stevemar? Advanced authentication methods.01:30
dstaneknkinder: what are you using for the diagrams?01:30
nkinderdstanek: inkscape01:30
nkinderI like to produce in SVGs for nice scaling01:30
dstaneknkinder: cool, i'll have to add that to my schedule01:30
stevemarnkinder, yeah, i think you had those in the one you did last summit01:31
*** lhcheng_ has joined #openstack-keystone01:31
dstaneknkinder: i've never really tried it; installed it, but looked too scary01:31
nkinderdstanek: it's pretty cool, but has a bit of a learning curve01:32
nkinderI did some logo work with it for the Dogtag project to learn it01:32
stevemarnkinder, you want the SSO pictures to be staggered like yours? or you want the actual keystone -> horizon -> whatever flow in boxes ?01:33
*** lhcheng has quit IRC01:34
*** Raildo_ has joined #openstack-keystone01:35
nkinderstevemar: I was thinking of using the multiple slides approach to show each step01:35
nkinderoh, you mean the boxes that show the architecture?01:35
nkindernot really sure yet01:35
stevemaryeah, boxes that show component or just screen caps :)01:35
stevemarcould show both side by side ;)01:36
nkinderboth are nice actually01:36
nkinder"here's how it looks", then "here's how it works"01:36
stevemaralright, i'll get that done before snoozing01:36
*** Raildo__ has quit IRC01:39
*** Raildo_ has quit IRC01:39
*** topol has joined #openstack-keystone01:40
*** ChanServ sets mode: +v topol01:40
*** topol has quit IRC01:40
*** mestery has quit IRC01:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling  https://review.openstack.org/18038501:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env  https://review.openstack.org/17420201:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function  https://review.openstack.org/17420101:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Base use webob  https://review.openstack.org/17420001:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building  https://review.openstack.org/17419901:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move project included validation  https://review.openstack.org/17419801:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking  https://review.openstack.org/17419701:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache  https://review.openstack.org/17419601:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Cleanup token hashes generated by cache  https://review.openstack.org/17419401:46
*** zzzeek has quit IRC01:47
*** erickson has quit IRC01:47
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling  https://review.openstack.org/18038502:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env  https://review.openstack.org/17420202:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function  https://review.openstack.org/17420102:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Base use webob  https://review.openstack.org/17420002:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building  https://review.openstack.org/17419902:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move project included validation  https://review.openstack.org/17419802:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking  https://review.openstack.org/17419702:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache  https://review.openstack.org/17419602:04
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Cleanup token hashes generated by cache  https://review.openstack.org/17419402:04
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin  https://review.openstack.org/13857502:08
jamielennoxdoes someone want to kick off https://review.openstack.org/#/c/180945/ and https://review.openstack.org/#/c/180688/02:09
jamielennoxit's a client oslo-incubator sync with a patch to some doc strings, it's the last of us using the oslo. syntax02:10
*** erickson has joined #openstack-keystone02:11
*** browne has joined #openstack-keystone02:17
*** ankita_wagh has joined #openstack-keystone02:19
*** zzzeek has joined #openstack-keystone02:26
*** zzzeek has quit IRC02:26
*** darrenc is now known as darrenc_afk02:40
*** gyee has quit IRC02:47
*** jimbaker has quit IRC02:52
*** jimbaker has joined #openstack-keystone02:56
*** wpf has quit IRC02:56
*** jimbaker has quit IRC02:56
*** jimbaker has joined #openstack-keystone02:56
*** chlong has quit IRC03:05
*** erickson has quit IRC03:10
stevemarnkinder, can i get some of the svg source files that you've been using for the block diagrams?03:15
stevemarhopefully i can figure it out quickly :P03:15
*** richm has quit IRC03:16
*** darrenc_afk is now known as darrenc03:17
*** dims_ has quit IRC03:18
*** links has joined #openstack-keystone03:30
morganfainbergOh hai.03:40
*** trey has quit IRC03:43
*** trey has joined #openstack-keystone03:45
stevemarmorganfainberg, o/03:46
*** david-lyle has joined #openstack-keystone03:48
*** chlong_ has quit IRC03:52
*** sigmavirus24 is now known as sigmavirus24_awa04:06
*** dims has joined #openstack-keystone04:18
*** dims has quit IRC04:25
nkinderstevemar: sure, I'll e-mail them to you.  I have them all in one big svg file.04:41
stevemaryahoo04:44
stevemarnkinder, now to learn how to edit svgs :P04:44
nkinderstevemar: I use inkscape04:45
stevemarnkinder, i saw you mention that earlier, i already have it installed04:45
nkindercool04:45
nkinderif you have questions, let me know04:46
nkindermost of the diagrams I have are grouped objects.  You can select a group and copy paste the whole thing to mess around with one of them.04:46
stevemarinteresting setup04:47
nkinderThere's an "ungroup" menu option so you can break it apart and move individual parts of the diagram around (or modify them)04:47
nkinderYou can select an individual item even when grouped with ctrl-click04:47
*** lhcheng_ has quit IRC04:47
nkinderthat's pretty handy so you're not always ungrouping/re-grouping04:48
*** lhcheng has joined #openstack-keystone04:48
stevemarnkinder, how can i extend the layout?04:48
*** ChanServ sets mode: +v lhcheng04:48
stevemaroh i guess just zoom out a bit more04:48
nkinderjust copy/paste one of the digarams and drag it over to the side04:49
nkinderyoucan expand as far as you want04:49
* stevemar is learning04:49
stevemaryep, i noticed it was a silly question :)04:49
nkinderwhen you want to create a png, you select the group you want and choose "export bitmap"04:49
*** josecastroleon has joined #openstack-keystone04:53
stevemarnkinder, cool04:54
stevemarthe "user" icon in the sso case is really a browser right?04:54
nkinderstevemar: on the image you edited, we still want it to be a token for the second and third line04:54
nkinderyeah, user == browser is fine I think04:54
stevemaruh04:54
stevemarcopy pasta04:55
stevemarmy bad04:55
nkinderyou made all 3 images the id :)04:55
* stevemar head meets desk04:55
*** josecastroleon has quit IRC04:55
*** markvoelker has quit IRC04:58
*** markvoelker has joined #openstack-keystone05:06
*** arunkant has quit IRC05:11
*** hemna_ has joined #openstack-keystone05:13
*** stevemar2 has joined #openstack-keystone05:14
*** ChanServ sets mode: +v stevemar205:14
*** gsilvis_ has joined #openstack-keystone05:14
*** ir2ivps8 has quit IRC05:15
stevemar2nkinder, did you get that last msg? i was disconnected05:15
*** bboese_ has joined #openstack-keystone05:20
*** chlong has joined #openstack-keystone05:23
*** stevemar has quit IRC05:26
*** hemna has quit IRC05:26
*** anteaya has quit IRC05:26
*** gsilvis has quit IRC05:26
*** bboese has quit IRC05:27
*** anteaya has joined #openstack-keystone05:29
*** arunkant has joined #openstack-keystone05:32
*** chlong has quit IRC05:34
*** ir2ivps8 has joined #openstack-keystone05:34
stevemar2marekd, i see you browsing the slides...05:39
*** lhcheng has quit IRC05:39
marekdstevemar2: hey, i just logged in, so maybe my browser tab got activated.05:39
marekdstevemar2: anything particular you want me to take a look at?05:40
stevemar2marekd, oh haha05:40
stevemar2nope05:40
stevemar2it can wait til our meeting05:40
marekdit's 1pm edt which happens to be 5pm utc, right?05:40
*** arunkant has quit IRC05:41
marekdstevemar2: ^^05:43
stevemar2marekd, i believe so05:44
stevemar2it's 1:44 for me now, and 5:44am utc05:44
marekdallright05:45
*** kiranr has joined #openstack-keystone05:45
*** chlong has joined #openstack-keystone05:48
*** josecastroleon has joined #openstack-keystone05:50
*** dims has joined #openstack-keystone06:01
*** kiranr is now known as kiran-r06:04
*** dims has quit IRC06:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/17933106:08
*** mabrams has joined #openstack-keystone06:08
*** stevemar2 is now known as stevemar06:10
stevemarnkinder, i cleaned up our MFA slide06:11
*** afazekas_ has joined #openstack-keystone06:11
stevemarnuke x509 if you want06:11
stevemarand... the "token auth" seems a bit bare06:11
stevemarother than that... i think we're looking good06:11
*** chlong has quit IRC06:24
stevemarmorganfainberg, nkinder marekd i'm out, keep keystone safe while i'm gone06:24
marekdgood night, sir06:25
*** chlong has joined #openstack-keystone06:27
stevemarsigning off sir.   o\06:38
*** ankita_wagh has quit IRC06:41
*** stevemar has quit IRC06:43
marekdbigjools: here?06:44
bretongood morning, keystone06:47
marekdhello06:47
morganfainbergbreton: zzz good evening ;)06:47
*** smallbig has left #openstack-keystone06:49
bretonit's interesting how keystone is tackled around the clock06:49
morganfainbergbreton: maybe... or it's cause we're just cool like that :P06:50
*** kiranr has joined #openstack-keystone06:54
*** fifieldt has joined #openstack-keystone06:56
*** fifieldt has quit IRC06:56
*** kiran-r has quit IRC06:57
*** kiranr has quit IRC07:02
*** kiranr has joined #openstack-keystone07:02
*** lufix has joined #openstack-keystone07:05
*** kiranr is now known as kiran-r07:16
kiran-rbreton morganfainberg Hi!07:23
kiran-rbreton morganfainberg I have a multi node deployment, When I try to use keystone client from an external VM, it gets token through publicURL but further operations are done through adminURL which is unreachable. Is there a way to make keystone use publicURL for all operations??07:28
*** arunkant has joined #openstack-keystone07:43
*** jistr has joined #openstack-keystone07:49
*** dguerri is now known as _dguerri07:52
*** _dguerri is now known as dguerri07:52
ccardI have been trying to get keystone running as a wsgi app using TLS under Apache in our OpenStack installation (juno), and I thought I had it all working, but although the v2.0 api appears to work, I can't get the v3 api to work any more.07:52
morganfainbergkiran-r: for v2 public and admin urls have separate capabilities. the public url (iirc) is mostly just auth07:53
morganfainbergkiran-r: with v3 the API pipelines are the same.07:53
ccardIf I do a simple /v3/tokens request using curl I get HTTP 500 back, and in the keystone log I see the message like this: 2015-05-13 07:15:43.801 23432 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:27007:54
*** browne has quit IRC07:54
morganfainbergkiran-r: i highly recommend using v3 where possible and likely you need the admin url available for all CRUD actions anyway on v207:54
morganfainbergccard: do you have X-Auth-Token header (and if you're doing a validate of a token) x-subject-token headers set?07:55
morganfainbergccard: x-auth-token is the token for authorization (can I perform an action), x-subject-token is the token you're validating *or* revoking in the case of a DELETE07:56
morganfainberghowever, the 500 is odd, you should see a 4xx response if those are missing.07:56
ccardmorganfainberg: I get the same error if I run "openstack domain list"07:56
openstackgerritxu-haiwei proposed openstack/keystonemiddleware: Change auth_url to identity_uri  https://review.openstack.org/18256207:57
morganfainbergccard: are you using the admin_token or a real user?07:57
ccardI was just trying to narrow down the issue by running a curl command (taken from http://docs.openstack.org/developer/keystone/api_curl_examples.html)07:57
morganfainbergccard: admin_token is kind of voodoo/magic and should only be used for bootstrapping07:57
ccardI have OS_USERNAME=admin and OS_PASSWORD=<admin password>07:58
morganfainbergccard: unfortunately i don't think i can debug much atm - it is almost 1am here and i'm falling asleep.07:59
ccardThe openstack domain list command worked when keystone was configured to run as an eventlet, all I've changed is moving it to Apache wsgi and adding ssl certs and https endpoints07:59
morganfainbergccard: you might have an issue with the wsgi script permissions07:59
ccardbut v2.0 api works fine07:59
morganfainbergapache is *very* picky about the permissions of the scripts that it is executing07:59
morganfainbergccard: unfortunately like i said, i'm exaughsted and don't think i can debug much else via IRC atm. (sorry)08:00
morganfainbergif it was a bit earlier i might have a bit more steam08:00
ccardmorganfainberg: np08:00
morganfainberg ccard: i'd look to make sure you don't have some erroneous json typo and/or make sure apache isn't erroring itself somewhere08:01
morganfainbergthat error looks likeeither x-auth-token or x-subject-token header is missing08:01
morganfainbergbut the 500 error is a bit weird.08:02
morganfainbergthere should be some east-coasters awake in a few hours. and a fresh pair of eyes might see something i am nt seeing08:02
ccardYes, the error message implies x-auth-token is missing, but surely that's the client's job to put in the request.08:02
morganfainbergccard: well depends on lots of things. the client should08:03
morganfainbergbut it could be doing something silly :P08:03
morganfainbergccard: best of luck and it's 4am east coast, so might have some luck when the east coasters start rolling in08:03
morganfainbergshould be sooner vs later08:04
ccardthe only difference the client would see is that the keystone endpoint is now https08:04
ccardok08:04
morganfainbergif east coast types can't help i'll be back in ~6-8 hrs likely08:04
morganfainbergsorry i'm not more help right now08:05
ccardnp08:05
morganfainberggood luck in either case - hopefully we can get it resolved for you :)08:05
morganfainbergs/et it/help get it08:05
bretonbtw I am aware of that issue with keystoneclient08:09
bretonmorganfainberg: the issue there is that publicurl and adminurl point to different ips,  http://172.16.0.2:5000/v2.0  and http://192.168.0.1:35357/v2.0  for example. And 192.xxx is not reachable outside the deployment08:16
bretonand calls like 'tenant-list' call adminurl08:17
bretonand I can't find that logic in ksc08:18
*** e0ne has joined #openstack-keystone08:25
*** e0ne has quit IRC08:28
*** jaosorior has joined #openstack-keystone08:28
*** e0ne has joined #openstack-keystone08:30
*** e0ne has quit IRC08:31
openstackgerritdarren-wang proposed openstack/keystone: Closes-Bug: #1454531 Change-Id: I01af5376505f49c3c7c1906b7bc9511adb114632  https://review.openstack.org/18256908:40
openstackbug 1454531 in Keystone "list_user_projects() can't get filtered by 'domain_id'." [Undecided,In progress] https://launchpad.net/bugs/1454531 - Assigned to DWang (darren-wang)08:40
openstackgerritVictor Stinner proposed openstack/python-keystoneclient: Remove discover and iso8601 dependencies  https://review.openstack.org/17768708:43
openstackgerritdarren-wang proposed openstack/keystone: Adding 'domain_id' filter to list_user_projects()  https://review.openstack.org/18256908:45
*** josecastroleon has quit IRC08:50
*** ericksonfgds has joined #openstack-keystone08:52
*** josecastroleon has joined #openstack-keystone08:54
*** ericksonfgds has quit IRC09:20
*** e0ne has joined #openstack-keystone09:22
*** fhubik has joined #openstack-keystone09:30
*** dims has joined #openstack-keystone09:35
*** e0ne is now known as e0ne_09:36
*** e0ne_ is now known as e0ne09:38
*** dims has quit IRC09:40
*** dims has joined #openstack-keystone10:01
*** mabrams has quit IRC10:06
*** jamielennox is now known as jamielennox|away10:08
*** fhubik is now known as fhubik_afk10:16
*** fhubik_afk is now known as fhubik10:22
*** e0ne is now known as e0ne_10:25
*** avozza has quit IRC10:25
*** josecastroleon1 has joined #openstack-keystone10:25
*** darrenc has quit IRC10:25
*** gus has quit IRC10:25
*** e0ne_ is now known as e0ne10:26
*** darrenc has joined #openstack-keystone10:27
*** breton has quit IRC10:27
*** josecastroleon has quit IRC10:28
*** breton has joined #openstack-keystone10:29
*** mhu has quit IRC10:29
*** josecastroleon1 has quit IRC10:29
*** LarsHau has quit IRC10:30
*** mhu has joined #openstack-keystone10:31
*** grantbow has quit IRC10:31
*** grantbow has joined #openstack-keystone10:32
*** zz_avozza has joined #openstack-keystone10:32
*** EmilienM has quit IRC10:33
*** zz_avozza is now known as avozza10:33
*** ekarlso has quit IRC10:33
*** gus has joined #openstack-keystone10:33
*** EmilienM has joined #openstack-keystone10:35
*** LarsHau has joined #openstack-keystone10:37
samueldmqmorning10:39
*** e0ne is now known as e0ne_10:39
*** e0ne_ is now known as e0ne10:40
*** ekarlso has joined #openstack-keystone10:41
*** dhague has joined #openstack-keystone10:44
*** ekarlso has quit IRC10:45
*** ekarlso has joined #openstack-keystone10:45
*** Trozz has quit IRC10:58
*** Trozz has joined #openstack-keystone11:05
*** e0ne is now known as e0ne_11:26
*** josecastroleon has joined #openstack-keystone11:36
dstaneksamueldmq: that it is11:36
*** fhubik is now known as fhubik_afk11:39
samueldmqdstanek, hey, what's up :-)11:45
dstaneksamueldmq: not much11:52
*** kiran-r has quit IRC11:55
*** e0ne_ is now known as e0ne12:08
*** aix has joined #openstack-keystone12:13
*** trey has quit IRC12:15
*** fhubik_afk is now known as fhubik12:15
*** trey has joined #openstack-keystone12:16
openstackgerritDavid Stanek proposed openstack/keystone: Removes temporary fix for doc generation  https://review.openstack.org/18264312:22
*** gordc has joined #openstack-keystone12:25
*** lmtaylor has joined #openstack-keystone12:26
*** amakarov_away is now known as amakarov12:37
*** bknudson has quit IRC12:40
*** mestery has joined #openstack-keystone12:44
*** mflobo has left #openstack-keystone12:44
*** mflobo1 has joined #openstack-keystone12:48
*** mflobo1 has left #openstack-keystone12:48
*** kiran-r has joined #openstack-keystone12:51
openstackgerritEnrique Garcia Navalon proposed openstack/python-keystoneclient: Added endpoint group filter manager methods. Following spec defined at: https://github.com/openstack-attic/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-ep-filter-ext.md  https://review.openstack.org/18265813:02
*** richm has joined #openstack-keystone13:10
*** radez_g0n3 is now known as radez13:19
*** jsavak has joined #openstack-keystone13:20
*** nkinder has quit IRC13:24
bretonImportError: No module named pbr_json on debian jessie13:28
bretonany suggestions what it can be?13:28
openstackgerritEnrique Garcia Navalon proposed openstack/python-keystoneclient: Added endpoint group filter manager methods  https://review.openstack.org/18265813:30
bretonhttps://bugs.launchpad.net/pbr/+bug/1324784 oh well13:31
openstackLaunchpad bug 1324784 in PBR "TypeError: dist must be a Distribution instance" [Undecided,Fix released]13:31
*** richm has quit IRC13:34
*** sigmavirus24_awa is now known as sigmavirus2413:37
openstackgerritBoris Bobrov proposed openstack/keystone: alembic initial support  https://review.openstack.org/15005713:40
openstackgerritBoris Bobrov proposed openstack/keystone: Use migration_cli for db migrations  https://review.openstack.org/14754813:40
*** mattfarina has joined #openstack-keystone13:40
openstackgerritEnrique Garcia Navalon proposed openstack/python-keystoneclient: Added endpoint group filter manager methods  https://review.openstack.org/18265813:43
samueldmqmorganfainberg, jamielennox|away already updated the patch for identity v3 jobs .. see https://review.openstack.org/#/c/179663/13:44
*** bjornar has quit IRC13:46
*** richm has joined #openstack-keystone13:48
*** links has quit IRC13:48
*** kairat_kushaev has joined #openstack-keystone13:51
kairat_kushaevHi guys! I noticed keystone is using dogpile for caching operations. Have you noticed any drawbacks of using dogpile in Keystone?13:52
kairat_kushaevI am asking because we would like to implement caching using  dogpile.13:53
kairat_kushaevI reviewed the solution in keystone and it seems ok but maybe someone faces with some issues that we can avoid in Heat.13:54
*** markvoelker has quit IRC13:59
raildokairat_kushaev, I have had a little issue, because the dogpile can't store kwargs. you can see morganfainberg 's comment about this here: https://review.openstack.org/#/c/158372/51/keystone/resource/core.py14:00
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837214:02
kairat_kushaevraildo: Thanks.14:03
kairat_kushaevmorganfainberg: Hello, could you please help with the questions below?14:05
*** mabrams has joined #openstack-keystone14:05
kairat_kushaevmorganfainberg: sorry, above14:05
*** bknudson has joined #openstack-keystone14:15
*** ChanServ sets mode: +v bknudson14:15
*** nkinder has joined #openstack-keystone14:17
*** afazekas has joined #openstack-keystone14:29
ayoungmorganfainberg, http://interactive.blockdiag.com14:29
*** chlong has quit IRC14:30
*** bdossant has joined #openstack-keystone14:31
*** stevemar has joined #openstack-keystone14:32
*** ChanServ sets mode: +v stevemar14:32
*** lmtaylor has quit IRC14:36
*** bdossant has quit IRC14:36
openstackgerritEnrique Garcia Navalon proposed openstack/python-keystoneclient: Added endpoint group filter manager methods  https://review.openstack.org/18265814:42
*** mestery has quit IRC14:44
*** fhubik has quit IRC14:48
*** blewis has joined #openstack-keystone14:49
*** e0ne is now known as e0ne_14:50
*** e0ne_ is now known as e0ne14:52
*** hemna_ is now known as hemna14:53
*** josecastroleon has quit IRC14:57
*** lmtaylor1 has joined #openstack-keystone15:01
*** e0ne is now known as e0ne_15:02
morganfainbergayoung: that's cool.15:08
*** blewis has quit IRC15:09
ayoungmorganfainberg, yep.  Although I think I am still going to use the tikz UML generation in Latex for my presentation15:09
ayoungthe block diagrams don't seem to want to work as object/class diagrams15:10
*** blewis has joined #openstack-keystone15:11
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376315:15
*** dims has quit IRC15:15
*** dims has joined #openstack-keystone15:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839815:17
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418015:18
*** blewis has quit IRC15:18
*** jistr is now known as jistr|mtg15:19
stevemarmorganfainberg, i was confused by your comment about the keystone logo change15:21
morganfainbergstevemar: just a silly add a "remote Idp" thing.15:21
morganfainbergSince it is "using federation" :p15:22
morganfainbergTotally superfluous and random.15:22
stevemari'm okay with that :P15:22
*** afazekas_ has quit IRC15:24
*** afazekas has quit IRC15:24
*** jistr|mtg is now known as jistr15:29
*** browne has joined #openstack-keystone15:34
*** _cjones_ has joined #openstack-keystone15:39
*** lhcheng has joined #openstack-keystone15:40
*** ChanServ sets mode: +v lhcheng15:40
amakarovayoung, hi! Help me please with a question about policies in keystone: we still have to edit policy.json manually or it can be somehow managed through API?15:41
ayoungamakarov, manual for now15:42
*** e0ne_ is now known as e0ne15:43
*** gyee has joined #openstack-keystone15:44
*** ChanServ sets mode: +v gyee15:44
amakarovayoung, oh... thanks. Is there any spec/bp or discussion on the summit maybe?15:44
ayoungjust a couple15:44
ayoungamakarov, http://openstacksummitmay2015vancouver.sched.org/event/14f4c5993e34b0f6a10c810510abbd7315:44
*** _cjones_ has quit IRC15:44
*** _cjones_ has joined #openstack-keystone15:45
*** kiran-r has quit IRC15:54
*** alexsyip has joined #openstack-keystone16:07
*** rwsu has joined #openstack-keystone16:13
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376316:17
*** Akshik has joined #openstack-keystone16:23
*** jistr has quit IRC16:25
*** edmondsw has joined #openstack-keystone16:26
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs  https://review.openstack.org/18275216:42
*** browne has quit IRC16:51
*** samleon has joined #openstack-keystone16:58
marekd /msg stevemar i think i need swiss number again :/17:01
raildolbragstad, about your first comment in https://review.openstack.org/#/c/165936/21/keystone/resource/core.py17:01
raildowhat would be the best way to do this schema checking without the clean?17:01
stevemarmorganfainberg, join up!17:02
morganfainbergBut....17:02
* morganfainberg gets computer out.17:03
stevemarmorganfainberg, you just need a phone17:03
morganfainbergPhone is dead. Needed computer to charge it.17:03
*** topol has joined #openstack-keystone17:04
*** ChanServ sets mode: +v topol17:04
*** zzzeek has joined #openstack-keystone17:06
openstackgerritMin Song proposed openstack/keystone: Use single connection in get_all function  https://review.openstack.org/18024717:15
*** ankita_wagh has joined #openstack-keystone17:18
*** harlowja has quit IRC17:20
*** harlowja has joined #openstack-keystone17:20
openstackgerritMin Song proposed openstack/keystone: Use single connection in get_all function  https://review.openstack.org/18024717:21
*** samleon has quit IRC17:30
*** samleon has joined #openstack-keystone17:31
*** browne has joined #openstack-keystone17:33
*** Akshik has quit IRC17:34
*** Akshik has joined #openstack-keystone17:35
*** belmoreira has joined #openstack-keystone17:41
*** belmoreira has quit IRC17:43
*** dguerri is now known as _dguerri17:46
raildolbragstad, i get yout point here, but I don't know how to check because I don't know if we need to check this here, since this is already validate before https://review.openstack.org/#/c/165936/21/keystone/resource/core.py17:49
dolphmraildo: he'll be afk until tomorrow, so i guess reply in the review?17:50
raildodolphm, ok, thanks.17:51
*** dhague has quit IRC17:56
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418017:57
*** e0ne is now known as e0ne_18:00
stevemarmorganfainberg, feel free to drop18:01
stevemarits past 218:01
*** mabrams has quit IRC18:01
*** mflobo has joined #openstack-keystone18:04
*** e0ne_ is now known as e0ne18:04
*** e0ne has quit IRC18:06
marekdrodrigods: still connected ?18:12
rodrigodsmarekd, phone hung up18:14
*** Akshik has quit IRC18:15
*** gokrokve has joined #openstack-keystone18:16
dstanekdolphm: i was hoping that the hashing algorithm was implemented in Python and we could speed it up in C, but it looks like it's already C18:22
dolphmdstanek: are you looking at a profile of auth?18:23
dstanekdolphm: yes, of a single request to get a token from a password18:23
dolphmdstanek: can you paste it?18:24
dstanekdolphm: http://paste.openstack.org/show/222044/18:25
openstackgerritDavid Stanek proposed openstack/keystone: Order routes so most frequent requests are first  https://review.openstack.org/18278118:25
dstanekdolphm: ^ that gave me a 2-10% speed bump for an auth request, but at the expense of others18:26
dolphmoh wow18:26
dstanekymmv....the speedup on a faster VM might be much less18:26
dstanekdolphm: i'm experimenting with several other things including a rounds change.18:27
*** mflobo has quit IRC18:28
openstackgerritMin Song proposed openstack/keystone: Use single connection in get_all function  https://review.openstack.org/18024718:28
*** mflobo has joined #openstack-keystone18:33
dolphmdstanek: have a profile after minimizing the number of rounds?18:33
*** mflobo has left #openstack-keystone18:34
dolphmdstanek: should have lbragstad deploy http://docs.repoze.org/profile/18:38
*** e0ne has joined #openstack-keystone18:45
*** aix has quit IRC18:47
*** ankita_wagh has quit IRC18:48
*** jaosorior has quit IRC18:52
*** yapeng has joined #openstack-keystone18:54
*** ankita_wagh has joined #openstack-keystone18:56
*** _dguerri is now known as dguerri18:59
stevemarnkinder, use bluejeans?19:00
nkinderstevemar: yep, joining now19:00
*** palendae has left #openstack-keystone19:01
*** yapeng has quit IRC19:02
bretondstanek: wow. I thought there are regexps and it the order is not significant19:05
breton> The problem is that routes uses one, yes one, huge regex for19:05
breton> dispatching19:05
bretonI mean, regexp is an automaton and it can be reduced to the minimum.19:08
*** Rockyg_ has joined #openstack-keystone19:12
dstanekbreton: yes, i had issues with routes at my last job19:14
*** achudnovets has joined #openstack-keystone19:14
dstanekdolphm: that profile was after the routes change was applied19:16
*** achudnovets has quit IRC19:19
*** belmoreira has joined #openstack-keystone19:32
*** e0ne has quit IRC19:32
*** belmoreira has quit IRC19:33
*** e0ne has joined #openstack-keystone19:33
dolphmdstanek: repoze won't make the datas http://162.242.172.215:35357/v3/__profile__19:36
dstanekdolphm: i'm using my own19:36
dolphmdstanek: you're own what?19:37
dstanekdolphm: http://paste.openstack.org/show/222096/19:38
dstanekit drops to a single file, but that could be easily changed19:38
dolphmdstanek: ah19:39
bretonmaybe we should use Rally for benchmarks19:39
*** packet has joined #openstack-keystone19:40
dstanektoo much of a pain for what i am doing and dolphm's are based on Rackspace's reality; not sure how easy it is to muck with Rally19:40
bretondstanek: http://logs.openstack.org/35/133135/20/check/gate-rally-dsvm-keystone/0fb6153/rally-plot/results.html.gz -- before your patch19:42
bretondstanek: http://logs.openstack.org/81/182781/1/check/gate-rally-dsvm-keystone/43b31d8/rally-plot/results.html.gz -- with the patch19:42
dstanekwow, that's a pretty big difference19:43
*** e0ne has quit IRC19:43
dstaneki'm hacking together a quick change to use pecan's dispatching just to see if it's better19:43
*** stevemar has quit IRC19:44
bretonand I'll try launching one of rally's tests via gates to see how it goes19:45
openstackgerritMin Song proposed openstack/keystone: Use single connection in get_all function  https://review.openstack.org/18024719:45
*** turul_ has quit IRC19:45
*** turul_ has joined #openstack-keystone19:46
dolphmdata! http://162.242.172.215:35357/v3/__profile__19:46
dstanekdolphm: if you have it not strip_dirs it's a little easier to see where the files come from19:48
dstanekdolphm: reducing rounds made a pretty big difference19:49
dolphmdstanek: it makes such a big difference that we actually got a vulnerability report once which said 40,000 was high enough to be vulnerable to a DoS19:50
dolphmdstanek: =)19:50
dstanekhaha19:50
*** Rockyg_ has quit IRC19:59
*** e0ne has joined #openstack-keystone19:59
*** Rockyg has joined #openstack-keystone20:01
*** mattfarina has quit IRC20:09
openstackgerritBoris Bobrov proposed openstack/keystone: Test before dstanek's patch  https://review.openstack.org/18281920:10
dolphmlbragstad: i sent you a couple TODO items that we discussed earlier today ^20:11
lbragstaddolphm: yep, reading them now20:11
raildobreton, that is a weird name for a patch :P20:11
dolphmlbragstad: why is the deploy broken at the moment?20:11
dolphmlbragstad: locust is getting 404's on GET /v3/auth/tokens20:12
lbragstadraildo: regarding the jsonschema comment, as long as we can prove that it's always validated prior with jsonschema, I think that'd be ok20:12
*** amakarov is now known as amakarov_away20:12
lbragstadraildo: it's just weird to be using clean.py20:12
lbragstaddolphm: checking it out20:12
lbragstadnot sure what happend.20:12
bretonraildo: meh, it's just to see what rally gonna say20:12
raildolbragstad, right :) thanks for that20:13
openstackgerritBoris Bobrov proposed openstack/keystone: after dstanek's patch  https://review.openstack.org/18282320:13
dolphmbreton: rally uses cprofile too, right?20:13
bretondolphm: as far as I know, they just make http requests and measure real time.20:14
dolphmbreton: the graphs it produces look like cprofile output converted into html20:15
lbragstaddolphm: redeploying the cluster20:15
dolphmlbragstad: how long is that going to take?20:16
dstanekdolphm: i don't think rally does any kind of profining20:16
dstanekor profiling even20:16
lbragstaddolphm: it's just the app nodes, so 10 - 15 minutes?20:16
lbragstaddolphm: where do you want me to deploy this middleware?20:18
*** mattfarina has joined #openstack-keystone20:19
dolphmlbragstad: http://cdn.pasteraw.com/kjuywuxgrqenus642z798k7f9nhmmvb20:19
dolphmlbragstad: i added a [filter:profile_v3] and added 3 filters to the beginning of [pipeline:api_v3]20:20
lbragstaddolphm: cool, got it20:20
dolphmlbragstad: add tags to all your plays so you can just do --tags=config next time to skip all the package installs and whatnot20:31
lbragstadok20:32
lbragstaddolphm: for some reason, the patch it's getting deployed from gerrit20:32
dolphmlbragstad: ?20:32
lbragstadssh to any of the app nodes and check the keystone repo20:33
dolphmlbragstad: gerrit is the upstream repo?20:34
lbragstadyeah20:34
dolphmlbragstad: that's correct - that's how it's able to deploy patches directly20:34
*** ankita_wagh has quit IRC20:35
lbragstadusing refspec20:35
*** ankita_wagh has joined #openstack-keystone20:35
*** nkinder has quit IRC20:37
*** ankita_wagh has quit IRC20:40
*** ankita_wagh has joined #openstack-keystone20:47
*** belmoreira has joined #openstack-keystone20:49
*** radez is now known as radez_g0n320:52
*** jorge_munoz_ has joined #openstack-keystone21:04
*** jorge_munoz has quit IRC21:09
*** amaurymedeiros has quit IRC21:09
*** ekarlso has quit IRC21:09
*** larsks has quit IRC21:09
*** wolsen has quit IRC21:09
*** haneef has quit IRC21:09
*** samueldmq has quit IRC21:09
*** jdennis has quit IRC21:09
*** greghaynes has quit IRC21:09
*** jorge_munoz_ is now known as jorge_munoz21:09
*** samueldmq has joined #openstack-keystone21:10
*** amaurymedeiros has joined #openstack-keystone21:10
*** amaurymedeiros has quit IRC21:10
*** amaurymedeiros has joined #openstack-keystone21:10
*** wolsen has joined #openstack-keystone21:10
*** greghayn1 has joined #openstack-keystone21:10
*** ekarlso has joined #openstack-keystone21:10
*** larsks has joined #openstack-keystone21:11
*** jdennis has joined #openstack-keystone21:11
*** haneef has joined #openstack-keystone21:11
*** gokrokve has quit IRC21:20
*** gokrokve has joined #openstack-keystone21:21
*** gokrokve has quit IRC21:25
*** gokrokve has joined #openstack-keystone21:29
*** greghayn1 is now known as greghaynes21:29
*** gokrokve has quit IRC21:45
*** gokrokve has joined #openstack-keystone21:45
*** gokrokve has quit IRC21:50
*** belmoreira has quit IRC21:54
*** lmtaylor1 has quit IRC21:54
*** gordc has quit IRC22:06
*** topol has quit IRC22:10
*** gokrokve has joined #openstack-keystone22:11
bknudsoncheck out this marshmallow library -- http://marshmallow.readthedocs.org/en/latest/22:11
bknudsonobject serializer / deserializer22:11
bknudsonwe could use that in the controllers22:12
bknudsonand start working with objects rather than dicts22:12
*** zzzeek has quit IRC22:17
gyeewhat's the advantage?22:17
*** nkinder has joined #openstack-keystone22:18
bknudsonwe already have to deal with objects with the sqlalchemy models22:18
bknudsonwe should be able to re-use those models22:18
bknudsonkeystone would be about 5 lines of code22:19
*** jsavak has quit IRC22:19
*** jamielennox|away is now known as jamielennox22:19
*** bknudson has quit IRC22:20
*** Ephur has joined #openstack-keystone22:20
gyeeoh I see what you mean :)22:24
gyeedo it!22:25
*** mattfarina has quit IRC22:27
*** ankita_wagh has quit IRC22:27
*** e0ne has quit IRC22:28
*** Rockyg has quit IRC22:33
*** ekarlso has quit IRC22:34
*** ekarlso has joined #openstack-keystone22:34
gyeewow, 6 roundtrips for "openstack role add", that doesn't look right22:36
*** mattfarina has joined #openstack-keystone22:36
-openstackstatus- NOTICE: Gerrit and Zuul are going offline for reboots to fix a security vulnerability.22:39
*** ChanServ changes topic to "Gerrit and Zuul are going offline for reboots to fix a security vulnerability."22:39
*** dims_ has joined #openstack-keystone22:40
*** mattfarina has quit IRC22:40
*** dims has quit IRC22:41
*** dims has joined #openstack-keystone22:43
*** dims_ has quit IRC22:47
*** openstackgerrit has quit IRC22:47
*** mattfarina has joined #openstack-keystone22:48
*** openstackgerrit has joined #openstack-keystone22:49
*** Raildo_ has joined #openstack-keystone22:53
*** ChanServ changes topic to "Liberty Development Open | Review Liberty Specs | See you at the summit!"22:57
-openstackstatus- NOTICE: Gerrit and Zuul are back online.22:57
*** ericksonfgds has joined #openstack-keystone22:58
*** ankita_wagh has joined #openstack-keystone23:00
*** Rockyg has joined #openstack-keystone23:07
*** gokrokve has quit IRC23:13
*** gokrokve has joined #openstack-keystone23:14
*** gokrokve has quit IRC23:15
*** mattfarina has quit IRC23:28
*** mattfarina has joined #openstack-keystone23:32
*** mattfarina has quit IRC23:34
*** mattfarina has joined #openstack-keystone23:37
*** mattfarina has quit IRC23:39
*** Raildo_ has quit IRC23:44
*** bknudson has joined #openstack-keystone23:51
*** ChanServ sets mode: +v bknudson23:51
*** ankita_wagh has quit IRC23:54
*** ericksonfgds has quit IRC23:55
*** _cjones_ has quit IRC23:56
« Tuesday, 2015-05-12 Index Thursday, 2015-05-14 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!