Thursday, 2015-06-18

« Wednesday, 2015-06-17 Index Friday, 2015-06-19 »
*** spandhe has quit IRC00:06
*** zzzeek has quit IRC00:09
*** lhcheng has quit IRC00:11
*** gyee has quit IRC00:23
*** vilobhmm has quit IRC00:24
*** ncoghlan has joined #openstack-keystone00:24
*** jamielennox|away is now known as jamielennox00:35
*** jasondotstar has quit IRC00:39
*** kfox1111 has quit IRC00:43
*** dims has joined #openstack-keystone00:43
*** tqtran has quit IRC00:51
*** rdo has quit IRC00:52
*** rdo has joined #openstack-keystone00:54
*** jamielennox is now known as jamielennox|away01:00
*** lastops has joined #openstack-keystone01:05
*** jamielennox|away is now known as jamielennox01:08
*** lastops has quit IRC01:10
*** timsim has joined #openstack-keystone01:12
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967601:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081801:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094001:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081701:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094101:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081601:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Rename _LOG to log in auth_token middleware  https://review.openstack.org/19294801:15
jamielennoxdstanek: I reorganized the above a little bit, hopefully they are grouped in a way that is more logical and we can get some movement01:16
openstackgerritMerged openstack/python-keystoneclient: Removes unused debug logging code  https://review.openstack.org/18699401:18
openstackgerritMerged openstack/keystonemiddleware: Remove install_venv_common and fix typo in memorycache  https://review.openstack.org/18911301:19
*** roxanaghe has quit IRC01:19
*** Kennan has quit IRC01:22
*** Kennan has joined #openstack-keystone01:23
*** browne has quit IRC01:26
*** vilobhmm has joined #openstack-keystone01:29
*** fangzhou has quit IRC01:38
openstackgerritJamie Lennox proposed openstack/keystoneauth: Support discovery on the AUTH_INTERFACE  https://review.openstack.org/19164101:47
*** _cjones_ has quit IRC01:53
*** woodster_ has quit IRC02:01
openstackgerritMerged openstack/python-keystoneclient: Use python-six shim for assertRaisesRegex/p  https://review.openstack.org/18877402:12
*** browne has joined #openstack-keystone02:12
*** jamielennox is now known as jamielennox|away02:20
*** rushiagr_away is now known as rushiagr02:29
*** dims has quit IRC02:32
*** dims has joined #openstack-keystone02:33
*** dims has quit IRC02:41
*** fangzhou has joined #openstack-keystone02:46
*** spandhe has joined #openstack-keystone02:53
*** kiran-r has joined #openstack-keystone03:01
*** stevemar has joined #openstack-keystone03:01
*** ChanServ sets mode: +v stevemar03:01
*** kiran-r has quit IRC03:01
*** davechen has joined #openstack-keystone03:03
*** jamielennox|away is now known as jamielennox03:03
*** davechen1 has joined #openstack-keystone03:09
*** davechen has quit IRC03:12
*** arunkant__ has joined #openstack-keystone03:13
*** jamielennox is now known as jamielennox|away03:15
*** kiran-r has joined #openstack-keystone03:15
*** kiran-r has quit IRC03:15
*** kiran-r has joined #openstack-keystone03:15
*** fangzhou has quit IRC03:16
*** arunkant__ has quit IRC03:17
*** woodster_ has joined #openstack-keystone03:18
*** jamielennox|away is now known as jamielennox03:25
*** rushiagr is now known as rushiagr_away03:26
*** spandhe has quit IRC03:43
*** rushiagr_away is now known as rushiagr03:44
*** richm has quit IRC03:45
*** diazjf has joined #openstack-keystone03:46
*** rushiagr is now known as rushiagr_away03:47
*** tobe has joined #openstack-keystone03:49
*** jaosorior has joined #openstack-keystone03:57
*** kiran-r has quit IRC04:39
*** kiran-r has joined #openstack-keystone04:39
*** boris-42 has joined #openstack-keystone04:44
*** clayton has quit IRC04:50
*** vilobhmm has quit IRC04:56
*** dvorak has joined #openstack-keystone05:00
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285005:01
*** vilobhmm has joined #openstack-keystone05:02
stevemardiazjf, yay!05:03
diazjfwhoop thanks!05:05
morganfainbergjamielennox: not sure how we can break Oslo.config out of keystoneauth05:06
morganfainbergBut I think that is one of the last real hang ups.05:06
jamielennoxmorganfainberg: Oslo.config actually has very few deps05:06
jamielennoxi was thinking i can do it, it would essentially be a copy of the oslo.types or whatever package05:07
morganfainbergYeah, but do we really need it?05:07
jamielennoxmorganfainberg: i think i can get around it05:07
morganfainbergIf like to remove the last of the Oslo packages from ksa05:07
jamielennoxespecially with the split05:07
morganfainbergi'd*05:07
jamielennoxwith the split all the options are going to come from a different class and there will  be one helper method that redirects the old function of get_options to the one on the class05:08
jamielennoxso if it's going to be one method we would just need a function there that converts from whatever new option definition we come up with to the old oslo.config one05:08
jamielennoxwhich i guess we would need anyway for loading from config05:08
morganfainbergRight05:09
*** Kennan has quit IRC05:09
*** Kennan has joined #openstack-keystone05:10
jamielennoxi haven't gotten to what that option interface would look like yet05:10
morganfainbergAnd the accessinfo dict interface.05:11
morganfainbergThat one looks wrong somehow. Not sure why05:11
jamielennoxyea, i wasn't sure what to do there05:13
jamielennoxso to make it compatible with ksc (and probably just anyway) we would need to expose the whole token dict somehow05:13
morganfainbergIs there any way around that?05:16
morganfainbergAssuming we're going to have a ksc 2.0 for using keystoneauth.05:16
*** kiran-r has quit IRC05:17
morganfainbergAt this point I think... We are going to be safe-ish breaking compat with the stable branches.05:17
morganfainbergSeriously looking at dropping cli in ksc 2.0 as well.05:17
*** diazjf has quit IRC05:19
openstackgerritMerged openstack/keystone: Fix tests failing on slower system  https://review.openstack.org/19079005:21
*** jamielennox is now known as jamielennox|away05:23
*** jamielennox|away is now known as jamielennox05:26
jamielennoxmorganfainberg: what was the last thing I said? i'm having some connection issues today05:29
stevemarjamielennox, "so to make it compatible with ksc (and probably just anyway) we would need to expose the whole token dict somehow"05:31
jamielennoxand allow people to write to it from ksc05:31
jamielennox so i was coming up with some way of having like an overrides dict in the ksc object such that if it were set pull from there instead of going to super...05:31
jamielennoxi'm not sure it saves us much because there are still times when you may legitimately want to get access to the raw token dictionary05:32
stevemarmorganfainberg, drop it drop it drop it05:32
jamielennoxstevemar: which bit05:33
stevemarCLI from ksc05:34
stevemarjamielennox, you may have missed morganfainberg mention that05:34
jamielennoxoh - yea, i didn't see any convo after the last i said05:34
stevemarjamielennox, he wrote "Seriously looking at dropping cli in ksc 2.0 as well."05:35
jamielennoxoh, sure - do it05:35
jamielennoxmorganfainberg: why did we call the middleware release 2.0?05:35
morganfainbergRequirements update.05:35
morganfainbergMiddleware, ksc,05:35
morganfainbergEtc is all now released by the rel management team. Not the PtL05:36
jamielennoxbut 2.0?05:36
morganfainbergYep.05:36
morganfainbergAnd when we move to keystoneauth, we will have 3.005:36
jamielennoxlol, if they bump major version for every requirements update this is going to get crazy05:36
morganfainbergKeystone is moving to version 8.0.0 this cycle.05:36
jamielennoxyuk05:37
stevemaryeah, we'll be at 18 in no time05:37
jamielennoxinstead of 2015.205:37
jamielennox?05:37
morganfainbergWe're drastically changing the versioning. Ksa will be more sane.05:37
morganfainbergjamielennox: yep.05:37
stevemari dont mind keystone at 8.0.0, it only goes up 2 per year05:37
morganfainbergKsm should be 2x bumps a year as well.05:37
jamielennoxi like the year numbering schemes for things with fixed release schedules05:37
morganfainbergSince we are releasing in sync with the servers.05:38
jamielennoxnot sure how that plays with pypi though05:38
morganfainbergI'm letting rel05:38
morganfainbergManagement team handle that.05:38
*** chlong has quit IRC05:38
*** belmoreira has joined #openstack-keystone05:52
*** chlong has joined #openstack-keystone05:53
*** Kennan has quit IRC05:58
*** Kennan has joined #openstack-keystone06:01
*** vilobhmm1 has joined #openstack-keystone06:04
*** Kennan has quit IRC06:06
*** Kennan has joined #openstack-keystone06:06
*** vilobhmm has quit IRC06:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/19298306:09
*** spandhe has joined #openstack-keystone06:19
morganfainbergjamielennox: I almost want to say glance should stop using swift client.06:19
morganfainbergjamielennox: as a response to your email. Just stop using it if the team isn't putting effort into it.06:20
morganfainbergOstensibly the amount of actions glance needs to perform on swift is minimal.06:20
jamielennoxmorganfainberg: right, i essentially got started on doing exactly that because it's not a whole lot of effort on top of a session06:21
jamielennoxand the swiftclient interace is horrible06:21
morganfainbergYeah.06:21
jamielennoxmost of the functions have like headers= or querystring=06:21
morganfainbergSo I'm going to respond with that. Because e it just looks like the only option.06:21
jamielennoxexpecting users to construct what they want to pass through rather than deal with all there options06:21
jamielennoxhowever even doing that requires glance to figure out how they want to save their authentication options and deprecate the stupid http://user:tenant:password@auth_uri syntax06:22
jamielennoxso i figured i may as well send the email now06:22
jamielennoxmorganfainberg: i think it was paris where swift decided they were going to wait for SDK rather than do a v2 of their client, but in vancouver it was decided that SDK may not be suitable for service->service communication so we've got to figure something out06:23
morganfainbergWell I'll go out on the limb and say as much that we need to remove the dependence on swift client or swift client needs to grow session support.06:24
*** spandhe has quit IRC06:24
*** spandhe_ has joined #openstack-keystone06:24
morganfainbergI'll send that tonight / tomorrow.06:24
jamielennoxsounds good, it's the only one now, i got glanceclient merged the other day06:26
jamielennoxbut my god, you should read swiftclient - it's horrible06:28
jamielennoxmorganfainberg: oh - from earlier, are you meaning that we'll have to do a ksc 2 as soon as we merge ksa support so we should consider that feature branch to be 2.0?06:30
*** belmoreira has quit IRC06:31
jamielennoxbecause at the moment it's staying strictly compatible with the existing ksc06:31
*** kiran-r has joined #openstack-keystone06:34
*** jaosorior has quit IRC06:35
*** vilobhmm1 has quit IRC06:39
*** bjornar has quit IRC06:40
*** bjornar has joined #openstack-keystone06:43
morganfainbergYes06:46
morganfainbergWe should make it 2.006:46
jamielennoxincluding all the deprecations we want to do as part of that?06:48
jamielennoxbecause really there is no point in half of the compatibility stuff i'm doing then06:48
jamielennoxlike accessinfo in ksc can just disappear06:48
*** woodster_ has quit IRC06:51
*** krykowski has joined #openstack-keystone06:59
*** afazekas has joined #openstack-keystone07:00
*** stevemar has quit IRC07:02
*** spandhe_ has quit IRC07:03
*** e0ne has joined #openstack-keystone07:04
*** rlt_ has joined #openstack-keystone07:10
morganfainbergjamielennox: hm.07:13
morganfainberg*shrig* it's too late for me to think about that.07:13
morganfainbergSorry.07:13
* morganfainberg looks at the clock.07:13
jamielennoxmorganfainberg: no worries, but think about it because there's a lot of effort i'm putting into compatibility07:13
morganfainbergWe might need to two step it. Deprecation then gone.07:14
* morganfainberg does some terrible two step dance imitation.07:14
jamielennoxmorganfainberg: that's what i was expecting, just not major versions in between07:16
*** btully has quit IRC07:18
*** browne has quit IRC07:18
*** chlong has quit IRC07:18
*** btully has joined #openstack-keystone07:19
*** e0ne has quit IRC07:23
*** henrynash has joined #openstack-keystone07:34
*** ChanServ sets mode: +v henrynash07:34
evrardjpgood morning everyone07:46
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable listing of role assignments in a project hierarchy  https://review.openstack.org/18704507:47
*** boris-42 has quit IRC07:52
*** dguerri` is now known as dguerri08:15
*** viktors|afk is now known as viktors08:28
*** ncoghlan has quit IRC08:32
*** henrynash has quit IRC08:32
*** henrynash has joined #openstack-keystone08:33
*** ChanServ sets mode: +v henrynash08:33
*** tsufiev has quit IRC08:40
*** tsufiev has joined #openstack-keystone08:41
*** dims has joined #openstack-keystone08:44
*** e0ne has joined #openstack-keystone08:48
*** dims has quit IRC08:48
*** davechen1 has left #openstack-keystone08:56
*** e0ne is now known as e0ne_08:58
*** Nikkau has joined #openstack-keystone08:59
*** e0ne_ is now known as e0ne09:00
*** belmoreira has joined #openstack-keystone09:02
*** kiall has quit IRC09:35
*** Kiall has joined #openstack-keystone09:36
*** aix has joined #openstack-keystone09:37
*** henrynash has quit IRC09:48
*** jasondotstar has joined #openstack-keystone09:52
*** lucasagomes has joined #openstack-keystone09:55
lucasagomeshi, the last release of keystonemiddleware broke ironic's gate https://bugs.launchpad.net/ironic/+bug/146640509:55
openstackLaunchpad bug 1466405 in Ironic "broken ACL tests " [Undecided,New] - Assigned to Lucas Alvares Gomes (lucasagomes)09:55
lucasagomesany idea what specifically changed that broke us like that?09:56
lucasagomesit seems 403 ret code have changed to 401 in some cases09:56
*** e0ne is now known as e0ne_09:57
*** e0ne_ is now known as e0ne09:59
*** dims has joined #openstack-keystone10:00
lucasagomesapparently it has to do with https://review.openstack.org/#/c/17419610:08
*** eandersson has joined #openstack-keystone10:09
*** pnavarro has joined #openstack-keystone10:16
*** aix has quit IRC10:21
samueldmqmorning !10:31
lucasagomesok the problem is because token cache keys are sha256 hashes10:33
samueldmqlucasagomes, hi morning10:34
samueldmqlucasagomes, I can find the change for you, just a cache10:34
*** tobe has quit IRC10:34
samueldmqjust a second I meant* oO10:34
lucasagomessamueldmq, yeah fixing it now in Ironic10:35
lucasagomeswe weren't using sha256 hashes for the token keys in Ironic10:35
lucasagomes(for our ACL tests)10:35
lucasagomesI'm updating the tests to check for hashs and non shash (to be compatible with ksmiddleware < 2.0.010:35
lucasagomes)*10:36
samueldmqlucasagomes, https://review.openstack.org/#/c/186971/10:36
samueldmqlucasagomes, why do you handle token keys at service level (ironic) ? you caching there as well (besides middleware) ?10:37
lucasagomessamueldmq, https://review.openstack.org/19305710:38
lucasagomessamueldmq, it's just ACL tests10:38
lucasagomesit was there before and the that change with the hash broke our gate. Maybe we shouldn't have those tests10:39
lucasagomesbut I don't know much about that bit... I'm just trying to unbroken the gate10:39
*** tobe has joined #openstack-keystone10:40
samueldmqlucasagomes, ACL tests are like functional tests ? where you run against a running ironic, with a middleware on it, et c?10:41
samueldmqlucasagomes, I've never heard this terminology :)10:42
samueldmqlucasagomes, and yes, fixing that is fair enough for now10:42
lucasagomessamueldmq, yup10:42
samueldmqlucasagomes, nice10:42
lucasagomesyeah I will fix it and then bring it up to the community whether we should drop it or not10:42
lucasagomesI don't wanna fix the gate by deleting the tests, I think it's unfair10:42
samueldmqlucasagomes, yes it is, fix that to have the gate working asap, then revisit if they're really needed10:43
lucasagomessamueldmq, yes, I think it sounds like a good approach10:44
lucasagomessamueldmq, thanks much!10:44
samueldmqlucasagomes, you're welcome, feel free to come again and ask any questions you have :)10:44
lucasagomessamueldmq, will do :-)10:45
samueldmqdstanek, morning10:48
samueldmqdstanek, I saw your message from yesterday10:49
samueldmqdstanek, 'Listing policies filtered by service endpoint URL' (https://review.openstack.org/#/c/186765/) should be abandoned in favor of 'Policy by URL' (https://review.openstack.org/#/c/192422/)10:50
*** e0ne is now known as e0ne_10:50
samueldmqdstanek, basically, an URL does not uniquely identify an endpoint, and then a policy10:50
samueldmqdstanek, we need a way to directly associate and retrieve policies on URLs, that's what that second spec proposes10:51
dstaneksamueldmq: did you see why comment on url there? why use url?10:51
samueldmqdstanek, on the second patch ?10:52
dstanekyes10:52
dstanekurl seems arbitrary10:53
samueldmqdstanek, looking ..10:54
dstaneki was jumping on the point made by Matthew Edmonds10:55
samueldmqdstanek, yes .. so, we need a way to, from the middleware placed on a service endpoint, fetch the policy for it10:56
samueldmqdstanek, so we're tied to service endpoints, right ? (at least this is the more granular we can go)10:57
samueldmqdstanek, yes can assign policies to endpoints, regions or services10:57
dstanekusing url is arbitrary though right? it could easily just be policy_id in the middleware config10:57
samueldmqdstanek, yes it could, but the endpoint policy extension assign policies to endpoints/regions/services, so we will be using that extension10:58
samueldmqdstanek, so we should be asking for something that comes from the endpoint ... the first option is the endpoint_id10:59
samueldmqdstanek, so far so good ?10:59
dstaneklooking at that extension now10:59
dstanekdoes that spec mention the extension or its relationship to the new functionality?11:00
*** e0ne_ has quit IRC11:00
*** btully has quit IRC11:00
samueldmqdstanek, I didn't fully read it .. will do today11:00
samueldmqdstanek, but that should mention ... show in what we are being based to implement that, so people can understand why we're going that way11:01
dstanekyes, that spec has no why11:02
*** btully has joined #openstack-keystone11:02
samueldmqdstanek, url is a property of endpoints, and morganfainberg argued that identifying by URL is better UX11:02
dstanekso why url and not endpoint id?11:02
samueldmqdstanek, yes that's where I am going now ..11:02
dstanekah, i see11:03
samueldmq:)11:03
samueldmqdstanek, CMS have URL  a priori11:03
samueldmqdstanek, see this for example https://wiki.openstack.org/wiki/DynamicPolicies#Overview_Solution_-_Liberty_Scope11:03
samueldmqdstanek, me and ayoung almost fully agreed on that scope diagram :)11:03
*** lucasagomes has left #openstack-keystone11:04
dstanekso which URL/endpoint do you use when the service is access from different ones?11:05
samueldmqsorry not sure I understood your question11:06
dstaneka service can theoretically be accessed from a number of endpoints all having different URLs - which one do you use in the config?11:07
dstanekthink Keystone's public vs. internal11:08
samueldmqdstanek, in devstack, glance has 3 enpoints all pointing to localhost:929211:08
dstanekexactly. so which url should be put into the config?11:08
samueldmqdstanek, in devstack they're all the same ... the config goes into the middleware section11:09
samueldmqdstanek, which is defined per endpoint11:09
*** tobe has quit IRC11:09
dstanekthe endpoint urls are all the same?11:09
samueldmqdstanek, in the case of devstack yes11:10
dstanekwell, what if they were not? which one do you use?11:10
samueldmqdstanek, you should not be using a policy per URL/ednpoint, but per region/service instead11:10
*** tobe has joined #openstack-keystone11:11
samueldmqdstanek, when you look for a policy for an endpoint, if there is no policy associated directly, it tries to find in its region -> service11:11
samueldmqdstanek, kindof inherited ..11:11
dstanekthe spec doesn't say anything about that11:12
dstanekso basically for services that have multiple endpoints like glance you should not be using this feature?11:12
samueldmqdstanek, that inherits from the endpoint policy extension as well, that should be mentioned11:12
samueldmqdstanek, should they be using different policies ? just because they have different interface types ?11:13
samueldmqdstanek, if this is a real-use case, we should still consider it11:13
dstanekit is if glance or any other service can have multiple URLs11:14
dstaneki think there needs to be guidance here11:14
samueldmqdstanek, if they have multiples URLs (1 for admin, 1 for public and 1 for internal), they can associate a policy per URL11:15
samueldmqdstanek, and set the right URL in each middleware11:15
dstanekand have multiple instances of that middleware in the same process?11:16
samueldmqdstanek, if you have the same process (different endpoint types) for all interfaces, shouldn't they be running in the same URL11:17
samueldmqdstanek, or should a process be expected to listen to different ports for those different interfaces ?11:18
openstackgerritCyril Roelandt proposed openstack/keystonemiddleware: Prevent a UnicodeDecodeError in the s3token middleware  https://review.openstack.org/17977711:18
dstaneki can easily run a service on 0.0.0.0:8080 and have a public name that points to haproxy (maybe that goes through a rate limiting service) and a private name that goes to a different haproxy. they both could point to that machine's IP:port11:20
dstaneki'm not saying the spec is wrong - i'm saying that it is incomplete if there are possible corner cases - it should talk about them11:22
dstaneki think the existing extension and using endpoint_id has the same issue11:22
samueldmqdstanek, got it11:23
samueldmqdstanek, so for your public URL you have a policy, and for your admin you have another11:23
samueldmqdstanek, which one should middleware fetch ?11:23
dstanekright, or if you only have one policy that both should use do you put it in there twice?11:24
samueldmqdstanek, we don't allow that today, if it is the same process, there is only one policy11:24
dstanekor it's possible that we say that we expect a deployer (and openstack services) to deploy a process per endpoint (except for Keystone?)11:25
*** tobe has quit IRC11:25
dstaneksamueldmq: right, and i don't think there is advice on which one to use. or explicit guidance to say it's an arbitrary decidion11:26
samueldmqdstanek, basically we have a policy per middleware, which is uniquely identified per URL11:26
samueldmqby*11:26
dstaneki almost feels like we should just be specifying a policy id in the config11:26
samueldmqdstanek, and what if I want to completely change a policy for an endpoint ?11:27
samueldmqdstanek, I change the config and restart ? that's not dinamyc at all11:27
samueldmqdstanek, as we have today, you'd need to simply change the policy-endpoint association11:28
dstanekyou could very easily use an intermediate id, but i'm assuming policy won't be changing that much11:29
samueldmqdstanek, yes but the solution is already in place for policy association11:30
samueldmqdstanek, you suggesting we should not use that extension at all ?11:30
samueldmqdstanek, anyway the extension add one level of indirection, you associate at the server and ask for the association with a key (endpoint id, url, whatever)11:30
*** aix has joined #openstack-keystone11:32
dstaneksamueldmq: i'm just saying the spec is incomplete11:33
samueldmqdstanek, I completely agree there are corner cases that need to be clarified11:33
samueldmqdstanek, ++11:33
dstanekso the middleware will be configured to know the region id, service id and endpoint url?11:33
samueldmqdstanek, just endpoint_url, if there is no policy to that url, it seeks on its corresponding service, then service11:34
samueldmqif that makes sense11:34
dstanekhow does the middleware know what service to lookup?11:34
samueldmqdstanek, endpoints with same URL should be in the same region, from the same service11:35
samueldmqdstanek, if this is not true, we may have another issue ^11:36
*** e0ne has joined #openstack-keystone11:36
dstanekwe definitely don't enforce that anywhere11:36
samueldmqdstanek, k, need to bring that in the discussion as well11:37
dstaneki don't know that the spec talks about that either region based or service based lookups by the URL11:37
samueldmqdstanek, too much work :(11:37
samueldmqdstanek, always thinking I could do better/quicker11:38
samueldmqdstanek, it doesn't, but I agree that logic is expected, since that's what happens when we use endpoint_id11:39
samueldmqdstanek, need to confirm that with adam/morgan11:39
dstanekis that true? i don't see that logic in the extension11:40
dstanekif you check by endpoint_id it will explicitly look for that. no fallback to service or region from what i can tell11:41
samueldmqdstanek, that's what someone told me .. I think it was gyee_ , I didnt't test it myself11:41
samueldmqdstanek, so I am probably making bad assumptions11:41
samueldmqdstanek, did you see those messages in the ML, where sdague pointed out an issue with unified policy approach ?11:42
dstanekis that from a while ago where he said nova had some stuff in code? or something more recent?11:43
dstanekactually right now if looks like you need the policy id and endpoint id to check the policy - feels dumb :-(11:45
*** jasondotstar has quit IRC11:46
samueldmqdstanek, that's from a while11:47
samueldmqdstanek, you can have the policy, it is an entity, you can check it using policy_id11:48
samueldmqdstanek, however the association is policy/endpoint ids11:48
samueldmqdstanek, basically, the issue wiht unifying  is: when any service change any API signature, that should be reflected in that separate repo/project (which owns the unified policy)11:50
samueldmqdstanek, that's just bad, and what about deployments running on master ? any commit changing api signature should have a depends-on commit on the unified poliyc ?11:50
dstanekyes, i did see that and he's got a great point11:53
samueldmqdstanek, yes .. what I want is to not do unified, at least for now11:53
samueldmqdstanek, that diagram I sent you earlier describes exactly how I see the workflow (https://wiki.openstack.org/wiki/DynamicPolicies#Overview_Solution_-_Liberty_Scope)11:54
dstanekon the other hand that is only about the included policy file right?11:54
*** btully has quit IRC11:54
dstanekso deployments running on master shouldn't be impacted11:55
dstanekit's really a developer thing - having to go to two different repos for a single API change11:55
samueldmqdstanek, yes, the unified should be always in sync with individual policies11:55
*** btully has joined #openstack-keystone11:55
samueldmqdstanek, if you're using dynamic policies, and the unified policy is not updated, the unified will replace your local updated policy (with let's say new api's)11:56
samueldmqdstanek, local policy files are replaced by what comes from the server (based on the unified policy)11:57
samueldmqdstanek, so the unified should necessarily be updated11:57
*** rushiagr_away is now known as rushiagr11:58
dstanekno, what i'm saying is that when a deployer follows master they likely have their own policy files and are not directly using the ones that come bundled anyway. so no matter what, when an API changes they have to change their version of a policy file.11:59
samueldmqdstanek, so they would be uploading their new policy to keystone, and just no using the unified11:59
samueldmqnot*11:59
samueldmqdstanek, however I saw morganfainberg and someone else talking about default policies (I think it was on nova yesterday) that lots of people use default policies12:01
dstanekif they are using unified policy they would have to update their version - if they are not they would have to update their policy12:01
dstanekno depends-on needed for deployer purposes12:01
dstanekyou're talking about defaults in code right?12:01
samueldmqdstanek, but unified policy is updated fro mthe repo12:02
samueldmqdstanek, and what if the policy coming from nova has 2 new api's , and the unified policy repo still doesn't reflect those api's12:02
*** henrynash has joined #openstack-keystone12:03
*** ChanServ sets mode: +v henrynash12:03
samueldmqdstanek, yes I am talking about the default policy.json shipped with the code12:03
dstanekwill that matter to a deployer? i doubt they are running directly from master for the policy so they'd have to add it by hand manually anyway12:03
samueldmqdstanek, the unified policy is not a c&p from individual policies12:04
samueldmqdstanek, we'd be working on consistency between common rules, etc12:04
dstanekbut it's a policy file and that means that a deployer can and probably should change it to make their environment12:04
samueldmqdstanek, or even rename 'default' rule from nova to 'compute:default', because each policy has its 'default' rule12:04
samueldmqdstanek, lots of people run on default policy12:05
samueldmqI don't think the unified effort is worth it, we can work on consistency between different polciies by educating people, and helping them to have a better policy12:06
samueldmqinstead adding another level of policy, unified, that can simply be not used at aall12:06
dstanekwhat is the driven behind unified policy? it seems that nobody else is asking for it12:07
samueldmqdstanek, exactly, I asked ayoung yesterday about what he is trying to solve with that12:07
samueldmqdstanek, so I could see if there is another way to solve that problem12:08
samueldmqdstanek, one of the motivation is 'role hierarchies'12:08
dstanekhow does it help with that?12:08
samueldmqdstanek, role:admin inherits from role:member12:08
samueldmqdstanek, you would be able to define the role hierarchy using the policy rules, and just once, since all policies are unified12:09
samueldmqdstanek, I have a different solution for that12:09
samueldmqdstanek, when asking for a policy for a given endpoint, you should be able to ask GET /policy/<endpoint_url> ? effective12:10
samueldmqusing effective, role hierarchies would be expanded12:10
samueldmq'compute:create_server':'role:member' would become 'compute:create_server':'role:member or role:admin'12:10
*** jasondotstar has joined #openstack-keystone12:10
samueldmqand you can use any role in the hierarchy directly in the assignments, without changing anything in the enforcement code12:11
dstaneksounds like you should write an alternative spec :-)12:11
samueldmqdstanek, oh looks like you liked that12:13
samueldmqdstanek, and then we don't touch inidividual policies for now, and can implement what is in that scope for L (in that wiki)12:13
samueldmq:-)12:13
samueldmqdstanek, I want to get dolphm's view on this, ayoung said me to talk to him, since he had the original idea about unified policy :)12:14
*** ihrachyshka has joined #openstack-keystone12:15
dstaneki like alternatives12:15
ihrachyshkaanyone looking into fixing grenade job that fails due to keystone with "ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option"?12:15
dstanekthe thing i really dislike about specs is that we don't ever get a clear description of the problem12:16
samueldmqdstanek, nice, ideally we should have an agreement internally (keystone) this week12:16
dstanekwe get lots of: 'problem description: we are missing my solution'12:16
dstanekihrachyshka: link?12:16
ihrachyshkahttp://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/apache/keystone.txt.gz#_2015-06-18_09_08_46_67587412:16
samueldmqdstanek, next week I'd like to get this in a cross-project again, since we are solving what we want + implementing nova requirements12:16
samueldmqdstanek, so they should be happy12:16
ihrachyshkadstanek, as per sdague, it's because keystone script is not upgraded by grenade12:17
samueldmqdstanek, next week I'd like to start a meeting for policies .. so we could iterate faster .. I'm really worried about timing12:17
ihrachyshkadstanek, see related thread: http://lists.openstack.org/pipermail/openstack-dev/2015-June/067147.html12:17
samueldmq++ <dstanek> we get lots of: 'problem description: we are missing my solution'12:17
dstanekihrachyshka: is there anything we can do about it?12:17
*** Nikkau has quit IRC12:18
ihrachyshkadstanek, not sure. I guess fixing it? :)12:18
ihrachyshkadstanek, it breaks other projects, like neutron12:18
dstanekfix grenade?12:18
dstaneksamueldmq: i should start being strict in the problem description section12:19
*** bknudson has joined #openstack-keystone12:20
*** ChanServ sets mode: +v bknudson12:20
ihrachyshkadstanek, hm, yes, fix grenade pieces relevant to keystone. I think it's expected from every project to take care of their pieces in devstack or grenade since project teams know better how their upgrade is expected to work. am I wrong on that?12:21
dstanekihrachyshka: no idea. i know nothing about grenade :-) i can take a look and let others know later12:21
samueldmqdstanek, we definitively need to improve how we write specs , put comments on hte problem descriptions, we need to educate ppl on that :)12:21
ihrachyshkadstanek, ok, thanks, please do.12:22
ihrachyshkaI'll report a bug too12:22
*** btully has quit IRC12:22
dstanekihrachyshka: is there docs on running grenade anywhere?12:23
*** btully has joined #openstack-keystone12:25
ihrachyshkadstanek, not sure, I'm not a qa guy. you may check .rst files for the project. it may be the case that it's easier to just upload and see whether it works.12:25
*** bknudson has quit IRC12:26
*** cdent has joined #openstack-keystone12:28
ihrachyshkadstanek, I don't have permissions. can you raise priority for https://bugs.launchpad.net/keystone/+bug/1466485 to Critical in keystone?12:30
openstackLaunchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Undecided,New]12:30
ihrachyshkain case you ask, since it's a gate failure, it is critical12:30
*** e0ne is now known as e0ne_12:32
ihrachyshkadstanek, I suspect that first, in devstack:lib/keystone, code that copies keystone.py should be moved into a separate function, and then reused from grenade. or better, the file should be just referenced from apache config without any copying involved12:36
ihrachyshkacode that copies files in devstack: http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/keystone#n16312:37
ihrachyshkahm, that said, the file was not changed in a while, so it may be something different...12:39
*** e0ne_ is now known as e0ne12:39
*** dims has quit IRC12:40
*** dims has joined #openstack-keystone12:41
*** jasondotstar has quit IRC12:42
*** bknudson has joined #openstack-keystone12:43
*** ChanServ sets mode: +v bknudson12:43
*** rushiagr is now known as rushiagr_away12:44
*** woodster_ has joined #openstack-keystone12:45
*** henrynash has quit IRC12:50
samueldmqayoung, hi12:52
dstanekihrachyshka: sure12:52
samueldmqayoung, I will try to get an agreement in unified vs not unified in keystone first (you, dolphm, morganfainberg, dstanek, and others)12:54
*** henrynash has joined #openstack-keystone12:54
*** ChanServ sets mode: +v henrynash12:54
samueldmqayoung, if we can't do that until next week, I will put both solutions in the roadmap as alternatives, and discuss in a cross-project view12:54
samueldmqayoung, I'll start the missing specs according to that wiki12:55
*** jasondotstar has joined #openstack-keystone12:55
samueldmqayoung, also, adding the spec for GET /policy/endpoint_url ? effective, as I described later (which solves role inheritance wihtout needing unified policy)12:55
samueldmqhenrynash, hi ! good morning12:56
samueldmqhenrynash, do you have a minute to about an idea on inherited roles (regarding where they are expanded, etc)12:57
samueldmq?12:57
*** henrynash has quit IRC13:00
samueldmq* henrynash has quit (Quit: henrynash) :(13:02
ayoungsamueldmq, tough start to the day, eh?13:03
ayoungsamueldmq, so,  no one responded about why to unify?13:03
samueldmqayoung, I'd say challenging13:03
samueldmqayoung, not yet, I am still not convinced that's worth it13:03
samueldmqayoung, :)13:04
ayoungsamueldmq, ok,  let's (for arguments sake only)  assume not...what does the process look like then?13:04
*** henrynash has joined #openstack-keystone13:04
*** ChanServ sets mode: +v henrynash13:04
ayoungsamueldmq, and henrynash is back, too13:04
samueldmqayoung, ok, without unified13:05
samueldmqayoung, it should be something like this https://wiki.openstack.org/wiki/DynamicPolicies#Overview_Solution_-_Liberty_Scope13:05
samueldmqayoung, (I still didn't update that diagram, sorry)13:05
ayoungNo problem oin the diagram13:05
samueldmqayoung, I am assuming step 3 is the default policy shipped with the nvoa code13:06
ayoungsamueldmq, so  lets take 2 use cases and map them out13:06
samueldmqayoung, ask me questions for things you think we don't solve that way13:06
ayoung1.  Initial install13:06
samueldmqayoung, sure13:06
*** henrynash has quit IRC13:06
ayoung2.  updating an existing install13:07
ayoungok...lets make 1.5 customizing policy13:07
samueldmqayoung, sure ...13:07
samueldmqayoung, can I give you the solution ?13:07
ayoungheh, you never programmed in Basic, did you...time to renumber our lines13:07
ayoung1. initial install13:07
samueldmqayoung, I got what you said13:07
ayoung2. Customize policy13:07
ayoung3. Update remote service with new policy13:08
*** henrynash has joined #openstack-keystone13:08
*** ChanServ sets mode: +v henrynash13:08
samueldmqayoung, sure, here I go13:08
ayoungsamueldmq, can you seq diag those?13:08
samueldmqayoung, sure13:08
ayoungok,  use the tool, and keep the diags themselves in git somewhere13:08
samueldmqayoung, that is in that diagram13:08
ayoungthe  source for them13:08
ayoungactually, does not need to be git, but....13:09
ayounghmmm, just make the source handy13:09
ayoungsamueldmq, but...that can wait....go on with what you were saying13:10
samueldmqayoung, ok, sure13:10
samueldmqayoung, can I say what I think now or you prefer to see the diagram directly?13:10
ayoungsamueldmq, so...I wonder if we need to expand this to cover more work flow.13:11
samueldmqayoung, to be more detailed , right ?13:11
ayoungI've been thinking in terms of step-by-step improvments to what we have in the repo, but that does not explain the benefit of the end product.13:11
ayoungREally need to explain both13:11
*** richm has joined #openstack-keystone13:12
ayoungOK  so,  in the overview I wrote last year,  I tried to order things based on the dependencies.  Lets rephrase what I said above to be:13:12
ayoungwe want to push the unified policy file as late in the dependency list as possible13:12
*** henrynash has quit IRC13:12
ayoungso...short term, we can get: fetch policy from Keystone13:12
samueldmqayoung, yes, so we can have a better agreement on that as we go13:12
ayounglets assume we only get that far...what does that imply?13:13
samueldmqayoung, yes, keeping the individual policies separete13:13
*** edmondsw has joined #openstack-keystone13:13
ayoungSomeone neeeds to upload the policy...and if Nova updates its defaults, we need to, somehow, factro that in13:13
samueldmqayoung, you may ask me: what did we do differently from what puppet could do, just distributing ?13:13
ayoungSo, Lets assume that Nova has a default set of rules laid down before it fetches from Keystone...in Git terms, we would rebase on top of that13:14
samueldmqayoung, ok13:14
ayoungNovas defaults are always root commit, and then we fetch the one from Keystone and lay it over the top.  If Nova updates, we wipe the cache,  lay down the one from nova, and update from keystone again13:14
samueldmqayoung, let me explain you how 1. 2. and 3. above would work imo13:14
ayoungany definitions made by the base policy are overwritten by the ones centralized.  This has high risk, as I see it13:15
ayoungbecause of the internal rules13:15
ayoungi.e.  operator  might redefine what is meant by "owner:" in keystone13:15
samueldmqayoung, no, keystone stores 2 versions per endpoint, one is the default as it is i nthe service (uploaded by the cms)13:15
ayoungso..alternative13:15
samueldmqayoung, and other which is the diff13:15
samueldmqayoung, when you upgrade a service, CMS updates the default policy on keystone13:16
samueldmqayoung, the diff (what you've customized) is kept13:16
ayoungif a new policy file is fetched from keystone, it completely replaces any rules that are on the installed system13:16
samueldmqayoung, and new APIs jsut get the default13:16
ayoungthe risk here, then, is that we have just removed any new rules added by the nova team13:16
*** charlesw has joined #openstack-keystone13:16
cdentanybody will to make an opinion on whether this https://bugs.launchpad.net/keystonemiddleware/+bug/1466499 is a keystonemiddleware or webob bug?13:16
openstackLaunchpad bug 1466499 in keystonemiddleware "Use of webob.Reponse in AuthProtocol middleware break content-type handling" [Undecided,New]13:16
samueldmqayoung, yes but when upgrade, CMS updates the default policy on keystone13:16
ayoungsamueldmq, even an up[date can't be automated13:17
ayoungwe need conflict resolution13:17
samueldmqayoung, CMS is expected to keep inidivdual policies in sync on keystone13:17
ayoungand, so we need conflict detection13:17
samueldmqayoung, upload and update when needed13:17
ayoungCMS is no magic bullet13:17
samueldmqayoung, and it doesn't need to13:17
samueldmqayoung, give me an example13:17
dstanekcdent: keystonemiddleware bug13:18
*** jasondotstar has quit IRC13:18
dstanekcdent: i'll comment on the bug13:18
cdentdstanek: so I shouldn't bother to report a bugon webob?13:18
ayoungsamueldmq, nova has a rule in their default file admin_or_owner.  They have a target compute:foo  = admin_or_owner.  admin_or_wonder depnds on a rule owner, which says that the user has the Member" role on the projec.t Operator has removed the Member role13:19
ayoungand update target compute:foo13:19
ayoungso that it is role:thingy13:19
samueldmqayoung, when a new API comes, it's defined in terms of default policy13:20
ayoungno a new target i\s define compute:bar = admin_or_owner.13:20
samueldmqayoung, the admin is supposed to customize it13:20
ayoungsamueldmq, yes, that is what I mean by conflioct resoution.  It can;'t be automated13:20
samueldmqayoung, that fails, because that API is based on the defaults, and he customized that13:20
samueldmqayoung, sure it can't13:20
samueldmqayoung, we fill out with the defaults13:21
ayoungthat is what the nova team does not want13:21
dstanekcdent: you probably can - they shouldn't add it if we don't need it, but i wouldn't be surprised if it were marked as won't fix because it would break backward compat13:21
samueldmqayoung, this problem is not related to our current work13:21
samueldmqayoung, it occrus today13:21
cdentroger dstanek, thanks13:21
ayoungsamueldmq, true13:21
samueldmqayoung, if an admin gets a new policy and he has customized his own13:21
samueldmqayoung, he needs to see what new api's have been introduced13:21
samueldmqayoung, and adapt their rules13:21
*** Ctina_ has joined #openstack-keystone13:21
ayoungsamueldmq, but we are now working at odds with sean dague and the microversion approach13:21
ayoungand that will kill our ability to gain adoption13:22
samueldmqayoung, yes sure, but I think unified is not the solution for that, it's just adding a dependency we don't need (at least for now)13:22
ayoungsamueldmq, I need to work on something with a co-worker for a moment.13:22
samueldmqayoung, let's keep the paradigm in individual policies,13:22
samueldmqayoung, distribute them13:22
samueldmqayoung, and make it possible to policies be customized through the API13:23
ayoungsamueldmq, so...that is one reason I was thinking "split"13:23
ayoungwe could split policy up into 3 files13:23
ayoung1:  common rules13:23
ayoung2: roles foir targets13:23
ayoung3: scope for targets13:23
ayoungonly 2: is customizable by the projects13:24
ayoungcorrection13:24
samueldmqayoung, yes but you agree that all can come later, after having the mechanism for policy distribution/API for CRUD in place?13:24
ayoungonly 1 and 2: are customizable by the operators13:24
ayoung3: is set by the services13:24
ayoungsamueldmq, if we have a clear design in place, we can work on the ordering.  I am not certain13:25
ayoungI thik we need to focus on the design first13:25
*** ayoung is now known as ayoung-mtg13:25
samueldmqayoung-mtg, look at step 3 https://wiki.openstack.org/wiki/DynamicPolicies#Overview_Solution_-_Liberty_Scope13:25
samueldmqayoung-mtg, if we go unified, instead of uploading/updating a Default policy per endpoint13:25
samueldmqayoung-mtg, we'll be doing that once for everyone13:26
dstanekcdent: commented13:26
samueldmqayoung-mtg, that's all to go from separate to unified13:26
samueldmqayoung-mtg, that's where my diagram and yours differ13:26
*** edmondsw has quit IRC13:27
cdentdstanek: awesome, thanks13:27
dstanekcdent: once you create the webob issue you should add a comment with a link13:27
cdentdstanek: already done, in both directions13:27
*** csoukup has joined #openstack-keystone13:29
*** belmoreira has quit IRC13:30
*** richm has quit IRC13:30
*** dsirrine has joined #openstack-keystone13:32
*** fifieldt_ is now known as fifieldt13:36
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs  https://review.openstack.org/18702713:41
*** ayoung-mtg is now known as ayoung13:42
*** HT_sergio has joined #openstack-keystone13:42
*** charlesw has quit IRC13:43
*** richm has joined #openstack-keystone13:44
*** zzzeek has joined #openstack-keystone13:46
*** csoukup has quit IRC13:56
*** sigmavirus24_awa is now known as sigmavirus2413:57
*** jasondotstar has joined #openstack-keystone13:58
*** jasondotstar has quit IRC13:58
*** dsirrine has quit IRC14:00
*** charlesw has joined #openstack-keystone14:04
*** btully has quit IRC14:09
*** afazekas has quit IRC14:09
*** edmondsw has joined #openstack-keystone14:10
mfischdolphm: lbragstad: I'm using your benchmarks this morning against my staging environment, comparing to prod and while token creation with fernet is faster token validation is significantly slower14:10
mfischI didnt manage to get a before and after benchmark but I will have one when we do prod next week14:10
mfischWondering why I'm seeing such a bad result14:10
*** btully has joined #openstack-keystone14:10
lbragstadmfisch: what's your testing criteria look like?14:11
mfischI basically took dolph's benchmarks14:11
*** kr4zy has joined #openstack-keystone14:11
mfischI dont have a great apples to apples yet since these are different environments14:11
*** dsirrine has joined #openstack-keystone14:13
mfischlbragstad: once I upgrade production I'll have apples to apples to share14:13
*** stevemar has joined #openstack-keystone14:13
*** ChanServ sets mode: +v stevemar14:13
dstanekmfisch: have you tuned the number of rounds?14:13
mfischdstanek: no, I have not, how would one do that?14:15
*** btully has quit IRC14:15
lbragstadmfisch: that would be the crypt_strength in your configs14:16
lbragstadmfisch: it defaults to 40,000 rounds14:16
mfischthere it is14:17
mfischI was looking in the fernet section14:17
*** btully has joined #openstack-keystone14:17
dstaneksorry walked away...14:19
dstanekthat will significantly change the time it takes to run each key through the crypto14:20
dolphmmfisch: that's weird...14:20
mfischfor validation or for token creation?14:20
lbragstadI find the validation part weird14:21
dolphmmfisch: token and user creation14:21
mfischI will do a few more runs today14:21
mfischtoken creation is quicker14:21
dolphmmfisch: by how much?14:21
mfischbut this is a real cloud and so there is other stuff going on in it14:21
dolphmmfisch: and how much slower is token validation?14:21
mfischlemme post14:21
dolphmmfisch: what version of pypi/cryptography and python?14:22
mfischthis is token validation with UUID: Requests per second:    26.28 [#/sec] (mean), concurrent: 401.32 [#/sec] (mean)14:22
mfischwith fernet I get 6.x and 83 concurrent14:22
dolphmmfisch: also, what does your token backend look like for UUID? maybe it's just insanely fast already?14:22
dolphmwhoa14:22
*** thedodd has joined #openstack-keystone14:23
mfischthis is not the same cloud again but that staging cloud should have basically no load, it should be quicker14:23
dolphm6 / sec vs 26 / sec?14:23
mfischUUID backend is a inter-DC galera with an arbitrator14:23
mfischbut I'm not hitting the GSLB, I'm hitting a per DC LB so only local replication matters14:23
mfischwe have a master node that keystone prefers to read/write into14:24
*** btully has quit IRC14:24
*** btully has joined #openstack-keystone14:25
kr4zyHere is my detail Openstack Keystone Juno setup: https://gist.github.com/anonymous/e9881eda4dea4325a7fa. Line 33, is it possible to use a different value instead of CN for "who=CN=Unknown Name"?14:26
mfischdolphm: I'll do few more runs today and tomorrow and maybe email you some results14:27
dolphmmfisch: what about pypi/cryptography & python version?14:27
dstanekmfisch: have you tried to adjust the crypt_strength? i curious to know if that helps14:28
dolphmdstanek: that'll help token creation, but not validation14:28
mfischfernet creation is quicker as expected14:28
dstanekdolphm: crypto is not used for validation?14:28
dolphmdstanek: crypt strength is only used for creating & comparing password hashes14:29
dolphmdstanek: wiiiith... passlib? pypi/cryptography doesn't do rounds like that anywhere in fernet14:29
mfischpython 2.7.6-8 and I cannot find the cryptography library on here which is strange14:31
dstanekdolphm: i'll have to take a look at the code. if we encrypt/sign the token with a number of rounds then the decrypt/verify would also take that number of rounds right? unless we are not checking on validate14:31
*** jasondotstar has joined #openstack-keystone14:31
*** btully has quit IRC14:32
*** jasondot_ has joined #openstack-keystone14:32
*** henrynash has joined #openstack-keystone14:32
*** ChanServ sets mode: +v henrynash14:32
*** ninag has joined #openstack-keystone14:32
mfischdstanek: let me know what you find14:34
*** btully has joined #openstack-keystone14:34
*** kiran-r has quit IRC14:34
*** HT_sergio has quit IRC14:36
mfischdolphm: cryptography (0.8)14:37
*** e0ne is now known as e0ne_14:37
lbragstadmfisch: that looks right14:37
*** e0ne_ is now known as e0ne14:37
mfischlet me gather more data with a few more longer runs and get back to you guys14:37
mfischwe've already notified customers so this is happening regardless ;)14:38
mfischI need to step away am at a conference supposed to be paying attention14:38
dstanekdolphm: it looks like fernet token_formater uses self.unpack and that uses the crypto lib14:38
lbragstaddstanek: yeah, that's right14:41
dstaneklbragstad: that's why i would expect lowering the rounds to speed up the verification14:42
*** jasondotstar has quit IRC14:42
lbragstaddstanek: ++  that's were I noticed a speed up in our environment14:43
*** ihrachyshka has quit IRC14:43
morganfainbergmfisch: are you also caching anything?14:43
kr4zyHere is my detail Openstack Keystone Juno setup: https://gist.github.com/anonymous/e9881eda4dea4325a7fa. Line 33, is it possible to use a different value instead of CN for "who=CN=Unknown Name"?14:43
*** browne has joined #openstack-keystone14:46
*** diazjf has joined #openstack-keystone14:48
dstanekkr4zy: i don't know much about our LDAP driver, but i'm guessing that's a configurable value14:49
*** jasondotstar has joined #openstack-keystone14:49
dstanekkr4zy: you have two different examples one for LDAP and one for AD. are those from two different Keystone instances?14:50
kr4zydstanek: from one keystone instance.14:50
*** jasondotstar has quit IRC14:50
*** henrynash has quit IRC14:50
*** jasondot_ has quit IRC14:51
kr4zydstanek: I don't see an option in keystone.conf to configure he ldap driver14:51
dstanekkr4zy: two different drivers?14:51
*** jasondotstar has joined #openstack-keystone14:51
dstanekas-in domain config14:51
*** rdo has quit IRC14:52
*** rdo has joined #openstack-keystone14:54
dolphmmorganfainberg: mfisch: we didn't test without caching, but fernet needs to read a bunch from the db on validate, so caching will be important14:54
dolphmkr4zy: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L872-L118714:56
*** charlesw_ has joined #openstack-keystone14:58
*** charlesw has quit IRC14:59
*** charlesw_ is now known as charlesw14:59
*** e0ne has quit IRC15:04
*** HT_sergio has joined #openstack-keystone15:05
kr4zydstanek: keystone uses the ldap driver for both ldap and ad right?15:06
dstanekyep, you specify the user in your config. i'm assuming if you have 2 different users that you are using a domain config for something15:07
stevemarkr4zy, i believe so15:07
*** boris-42 has joined #openstack-keystone15:10
ayoungkr4zy, are you trying to do AD alongside straight LDAP in two different machines?15:11
kr4zyI am using AD only15:12
ayoungdolphm, I would set the expectations for Fernet to be:  handle distributed much more easily than uuid (no sync)  but slightly slower on each validate15:12
ayoungdolphm, the slightly slower  due to the number of DB reads15:12
kr4zyon one machine15:12
ayoungdolphm, and I don't think caching will buy you all that much there....but really, who cares?15:12
kr4zyI have two keystone config. One with ldap and one with ad that I switch around to compare15:12
ayoungTHe perf difference should be miniscule15:12
ayoungkr4zy, Ah, ok...so, are you using the SQL driver with a domain specific backend for LDAP, or are you using the LDAP driver directly for identity?15:13
kr4zyI am using sql for the assignment and ldap for the identity driver15:14
dstanekkr4zy: what LDAP user do you have in your config?15:15
dolphmmfisch: we also benchmarked an earlier implementation of fernet -- maybe it's worth re-running benchmarks with stable/kilo15:16
dolphmmfisch: but i still can't explain the magnitude of the performance decrease you're seeing15:16
kr4zyuser = CN=OpenstackKeystone,OU=Service Accounts,OU=Swift,OU=Applications,DC=adstg,DC=xxx,DC=com15:16
dolphmmfisch: nothing i'm aware of changed *that* much between what we benchmarked and stable/kilo15:17
*** rwsu has joined #openstack-keystone15:18
kr4zyI see in the logs that keystone makes two calls to ad to retrieve the users then it attempt to use the user's CN, specify in the env, to query ad. That's where it didn't work out15:19
kr4zybecause of the extra space in the CN15:20
kr4zyI think15:20
ayoungkr4zy, if ldapsearch allows it, I think the Python wrappers allow it15:21
kr4zyI want to understand if there's any option in the keystone.conf that would allow me to specify a specific value for keystone to use instead of the cn15:21
*** arunkant_ has quit IRC15:21
ayoungkr4zy, you want this for groups or for users?15:22
ayoungin either case, I think you can provide a query15:22
ayoungI know you can fro groups15:22
ayoungkr4zy, one thing about LDAP...it has lots of knobs and buttons15:23
ayoungkr4zy, did you specify user_filter in the ldap section?15:24
ayoungkr4zy, or group_filter?15:24
*** browne has quit IRC15:27
*** kfox1111 has joined #openstack-keystone15:30
*** spandhe has joined #openstack-keystone15:30
*** gyee has joined #openstack-keystone15:32
*** ChanServ sets mode: +v gyee15:32
kr4zyayoung: but are all the settings for ldap is handle in keystone.conf?15:34
ayoungkr4zy, yes, unless you do a domain specific backend.15:34
kfox1111ayoung: Is a project scoped token allowed to get a new token associated with a trust on the account, or must that use an unscoped token?15:35
ayoungkfox1111, it is today, yes15:35
kfox1111and forever?15:35
ayoungkfox1111, so, put ojn your security hat...the geernal rule is that you should beable to go from more general to more specific, but not the other way15:36
ayoungI'm not certain it would make sense to go from a scoped token to a trust scoped token...why would you want to?15:36
lbragstadjust out of curiosity, is anyone aware of any places that still have some availability in Boston for the meetup?15:38
kfox1111to save some steps. If I provided a scoped token from the nova metadata server to the vm, then the vm could use the service catalog as is, and acl's would work without an extra call to keystone.15:38
kfox1111with requiring unscoped tokens to go to trusts, I have to return unscoped tokens to the vm, so to talk to barbican, the vm get token workflow ends up authenticating with keystone twice. once from the metadata server to get the unscoped token, and once from the vm, unscoped to scoped.15:39
kr4zywhat does this message mean "REFERRAL: {'info': 'Referral:\nldap://xxxxx.com/ou=UserGroups,DC=xxxxx,DC=com', 'desc': 'Referral'}"15:40
kfox1111so I'm going to have to make a nova dummy project, return the unscoped token and dummy project name, then the vm's got to go and contact keystone using the token and the dummy project name and get a scoped one, get a new token and service catalog, and then it can talk to barbican.15:40
*** charlesw has quit IRC15:41
*** charlesw_ has joined #openstack-keystone15:41
*** charlesw_ is now known as charlesw15:41
kfox1111maybe that's just the best we can do.15:41
*** afazekas has joined #openstack-keystone15:42
*** arunkant_ has joined #openstack-keystone15:45
ayoungkfox1111, I'm still processing15:47
ayounglbragstad, besides the Dorm?15:47
*** ErickCharles has joined #openstack-keystone15:48
dstaneklbragstad: last i looked our travel tool showed a few15:48
*** belmoreira has joined #openstack-keystone15:49
*** afazekas has quit IRC15:50
*** pnavarro has quit IRC15:52
*** ducttape_ has joined #openstack-keystone15:53
ducttape_I have a question, related to fernet tokens:  In horizon (with the mysql UUID tokens), you might change your own permissions for a project - and it could invalidate your token.   It seems like fernet works a bit differently ?15:56
ayoungkr4zy, I have no idea15:56
ayoungducttape_, not exactly...but we got a little better in handling those things with revocation events15:57
ayoungwith uuid, you could actually enable revocation events as well, and then they would behave the same, but the default for UUID tokens is to revoke-by-id15:58
ayoungkfox1111, I'm still thinking it through.  I know I come across as trying to make your life difficult, but I assure, that is not my intention...just a side effect15:58
ayoungrichm, can you answer kr4zy 's question there?  I know too little LDAP to be useful here15:59
kfox1111ayoung: I understand. I want to ensure this thing's secure and future proof.16:00
kfox1111I also really need it in liberty. :/16:00
*** jasondotstar is now known as jasondotstar|afk16:01
kfox1111so if its not perfect, but can be perfected in m+ without breaking things, I'm all for that.16:01
ayoungkfox1111, yeah...16:01
ayoungkfox1111, so Nova is going to be a proxy for tokens from the VM?16:01
*** afazekas has joined #openstack-keystone16:01
*** ninag has quit IRC16:01
ayoungkfox1111, a VM will ask the metadata server for a token, and that will trigger a call to keystone to get it?16:02
kfox1111I was thinking nova would only proxy the inital requiest to keystone to get the unscoped token.16:02
kfox1111but if a project scoped token is required to talk to barbican to use acl's, then the vm's got to talk to keystone and get a scoped one first.16:02
kfox1111correct.16:02
ayoungkfox1111, hmmm.  Maybe that is not the right idea.  Maybe Nova should only hand over scoped tokens,  scoped down to what they are targetted to do.16:02
kfox1111that could work, but I'm a bit worried then the nova api will have to chaise the keystone one.16:03
ayounglimits the damage that can be done.16:03
*** jasondotstar has joined #openstack-keystone16:03
*** HT_sergio has quit IRC16:03
kfox1111you add service scoped or different trust flags, nova's gota change too.16:03
ayoungkfox1111, so what if it does...Keystone tokens are already chatty...I was trying to fix that in the past, but have given up on it16:03
ayoungdon't prematurely optimize16:03
kfox1111fair enough.16:04
ayoungkfox1111, is it easy to write metadata plugins?16:04
kfox1111yup. got a prototype of the metadata server handing back keystone tokens to the vm already. :)16:04
kfox1111took less then 4 hours to get working.16:04
ayoungkfox1111, so you can always send the project ID in a token request.  No need to get a scoped token first.  So lets set the project ID as a parameter to the plugin16:05
kfox1111will take more work since we're switching things to the barbican ca workflow.16:05
*** _cjones_ has joined #openstack-keystone16:05
ayoungkfox1111, I like this....I need to think it through, but there is something very powerful you are starting here16:05
*** jamie_h has joined #openstack-keystone16:05
ayoungwe havea chain of trust, we want to make sure we can follow it16:06
kfox1111yeah.16:06
kfox1111so, here's one detail still to resolve....16:06
ayounguser kicks off vm...nova now has the knowledge of the vm...if the vm needs to do something, nova provides access to that...16:06
*** _cjones_ has quit IRC16:06
*** _cjones_ has joined #openstack-keystone16:06
jamie_hhow do you change the token expiration in v3? I edited the expiration key in [token] section of keystone.conf, and restarted the "key" and "key-access" screens. nothing happened16:06
ayoungthe question is how to configure things between nova and keystone...its kindof like an implicit trust16:06
ayoungjamie_h, wrong value16:06
ayoungkey and key-access?16:07
kfox1111ayoung: exactly. thats what the spec was changed to say recently.16:07
*** afazekas has quit IRC16:07
kfox1111using a new liberty feature to allow nova+barbican to act as an identity provider16:07
jamie_hayoung the "expiration" value has this comment "# Amount of time a token should remain valid (in seconds). (integer value)". does this not control expiration time?16:08
ayoung'expiration'16:08
ayoungah..ok, not the key stuff16:08
ayoungjamie_h, yes, that is the right value16:08
*** HT_sergio has joined #openstack-keystone16:08
jamie_h"key" and "key-access" are the screens in devstack running keystone services16:08
ayoungjamie_h, if you hit keystone with curl, you can see all the values in the token body, including expiration16:08
ayoungah..I see16:08
ayoungjamie_h, so keystone runs in httpd16:09
jamie_hayoung yes, but it's giving me tokens that have a millisecond expiry time16:09
ayoungto restart httpd, run the  equivalent ofo sudo service httpd restart16:09
jamie_hI basically uncommented the keystone.conf line so it's 3600 - but restarting services isn't picking it up in devstack16:09
ayoungjamie_h, devstack is running with Keystone in httpd, right?16:09
kfox1111so... barbican needs a scoped token to allow acl's to work. its not going to actually ever use the project info though.16:10
kfox1111keystone needs a user to be a member of a project in order to get a scoped token.16:11
jamie_hayoung I don't know. I tried `sudo service apache2 restart`, revoked the token and generated it again - still the same expiry16:11
kfox1111so should the users nova hands out have a dummy "nova-user" project or something that they always get added to,16:11
ayoungjamie_h, maybe you changed th wrong config file?16:11
ayounggah...too many directions at once!16:11
kfox1111and the vm can rely on getting the unscoped token and ask it to be scoped to that dummy project so it can get a service catalog and talk to services that support acl's?16:12
*** kr4zy_ has joined #openstack-keystone16:12
dstanekjamie_h: 'ps -ef | grep keystone' to see if it is running as keystone-all16:12
ayoungkfox1111, why not a barbican project?16:12
kfox1111why create a project for nova instance users for barbican and zaqar for example?16:12
kfox1111when it relay's no real permissions?16:12
ayoungkfox1111, ... but you are on the right.  Let's not create an explicit project16:13
kfox1111its there simply because you don't want to allow an unscoped token to pass to that service.16:13
kfox1111yeah.16:13
kfox1111I think the identity provider thing of nova+barbican thingy could do that part.16:13
ayoungjust that the nova user needs to be able to authenticate to keystone to get a token on behalf of a user...and that should be some sort of federation setup...we could use X509 for that16:13
kfox1111maybe...16:13
jamie_hdstanek I don't see `keystone-all`. I see a few processes tailing the logs for /var/log/apache2/keystone.log and /var/log/apache2/keystone_access.log16:13
ayoungor even something else...16:13
kfox1111ayoung: thats the plan. see the spec.16:14
kfox1111specifically:  http://specs.openstack.org/openstack/keystone-specs/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.html16:14
ayoungkfox1111, ok...need to get lucnh and run an errand...I think I like where this is headed16:14
dstanekjamie_h: yep, then you are running under apache. so you are getting new tokens generated with the wrong timeout?16:14
ayoungwe could possibly treat token for token exahcnes as another form of federation.16:14
kfox1111ayoung: Cool. thanks for helping flesh this out. :)16:14
jamie_hdstanek the expiries are ridiculously short, like 1 millisecond16:14
ayoungactually...it could be like K2K16:14
jamie_hand it seems to be ignoring the keystone.conf `expiration` value16:14
ayoungjamie_h, when you start, it should dump the config into the log file16:15
ayoungI think it ieven shows where it is reading the config from16:15
dstanekjamie_h: what config are you editing? the one is /etc?16:15
ayoungand see what values are set there..you might need to turn on debugging16:15
kfox1111ayoung: I thought I saw somehwere that sayd nova specs had to be in by the 21st.16:15
kfox1111so we're quickly running out of time on approving the spec though.16:15
ayoungkfox1111, maybe we can do this out of the scope of Nova proper.16:16
kfox1111I'm not tied really heavly to the details, more the concept at this point.16:16
*** ihrachyshka has joined #openstack-keystone16:16
ayoung3rd party metadata plugin?16:16
richmkr4zy: A referral is like a redirect16:16
kfox1111well, I'm afraid it requires direct modification to the metadata server.16:16
ayoungmeh16:16
jamie_hah, I think it's working now. thanks all! :)16:16
kfox1111the plugin mechanism caches things, so wouldn't work. :/16:16
ayoungI need to head out.16:16
*** ayoung is now known as ayoung-afk16:16
kfox1111ok.16:16
*** rushiagr_away is now known as rushiagr16:16
*** kr4zy_ has quit IRC16:16
dstanekjamie_h: what was the problem?16:16
*** kr4zy_ has joined #openstack-keystone16:17
*** kr4zy has quit IRC16:17
richmkr4zy: Can you paste your keystone ldap config to http://paste.openstack.org/, with your sensitive information obscured?16:17
jamie_hno problem - I wasn't reading the hour value properly. restarting value picked up the right expiration16:18
dstanekjamie_h: ah, ok. cool16:19
*** afazekas has joined #openstack-keystone16:20
*** aix has quit IRC16:20
*** vilobhmm has joined #openstack-keystone16:20
*** vilobhmm1 has joined #openstack-keystone16:22
*** openstackgerrit has quit IRC16:22
*** openstackgerrit has joined #openstack-keystone16:23
*** vilobhmm has quit IRC16:25
*** jasondotstar has quit IRC16:25
*** browne has joined #openstack-keystone16:26
sigmavirus24dolphm: ping16:30
*** gsilvis has quit IRC16:30
*** charlesw_ has joined #openstack-keystone16:30
*** afazekas has quit IRC16:30
*** ninag has joined #openstack-keystone16:31
sigmavirus24alternatively if you're around lbragstad, ping16:31
*** charlesw has quit IRC16:31
lbragstadsigmavirus24: o/16:31
*** charlesw_ is now known as charlesw16:31
lbragstadsigmavirus24: what can I help with?16:31
*** jasondotstar|afk is now known as jasondotstar16:33
sigmavirus24so dolphm mentioned that if I re-run keystone-manage fernet_setup --keystone-user... --keystone-group... that it should rotate the keys in the configured key repository but I'm not seeing that behaviour16:33
sigmavirus24Am I missing something?16:34
dolphmsigmavirus24: o/16:34
sigmavirus24\o16:34
lbragstadsigmavirus24: s/fernet_setup/fernet_rotate/16:34
sigmavirus24Ahh16:34
dolphmsigmavirus24: no, the behavior i was describing was something that cloudnull described ansible implementing16:34
dstanekshouldn't it be fernet_rotate?16:34
lbragstadsigmavirus24: fernet_setup will init a repo for you and rotate *once*16:35
sigmavirus24Yeah that makes more sense16:35
sigmavirus24Those are the bits I was missing16:35
dolphmfernet_setup -> fernet_rotate -> fernet_rotate -> fernet_rotate -> fernet_rotate16:35
* sigmavirus24 was also missing it in keystone-manage's -h16:35
sigmavirus24thanks all16:35
sigmavirus24sorry for the noise16:35
*** ninag has quit IRC16:35
dolphmsigmavirus24: is it not in --help?16:35
sigmavirus24it is but my eyes were missing it for some reason16:36
lbragstaddolphm: sigmavirus24 it was when keystone/bin/keystone-manage was still around16:36
*** ninag has joined #openstack-keystone16:36
sigmavirus24it is16:36
* sigmavirus24 just needs better eyes16:36
sigmavirus24or more coffe16:36
sigmavirus24*coffee16:36
dolphmalways coffee16:36
lbragstadsigmavirus24: ++ more coffee16:36
sigmavirus24coffee is bae16:36
*** gsilvis has joined #openstack-keystone16:37
*** Ctina__ has joined #openstack-keystone16:37
*** samueldmq has quit IRC16:37
*** samueldmq has joined #openstack-keystone16:38
*** afazekas has joined #openstack-keystone16:39
dolphm--sigmavirus2416:40
*** vilobhmm1 has quit IRC16:40
* sigmavirus24 is good at killing conversations16:40
sigmavirus24c-c-c-c-c-convo killer16:40
*** Ctina_ has quit IRC16:40
dolphmsigmavirus24++16:42
sigmavirus24really? I was expecting another --16:43
*** HT_sergio has quit IRC16:44
*** jasondotstar is now known as jasondotstar|afk16:44
*** ErickCharles has quit IRC16:45
*** jasondotstar|afk is now known as jasondotstar16:46
*** afazekas has quit IRC16:46
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285016:46
*** jasondotstar is now known as jasondotstar|afk16:46
*** afazekas has joined #openstack-keystone16:49
diazjf***sigmavirus24 coffee is bae16:49
sigmavirus24diazjf: it is16:49
*** RichardRaseley has joined #openstack-keystone16:51
*** kiran-r has joined #openstack-keystone16:51
*** jasondotstar|afk is now known as jasondotstar16:53
dolphmdstanek: what's the issue with keystone here? it sounds like something is wrong with the deploy config to me, but i'm not sure what https://bugs.launchpad.net/grenade/+bug/146648516:53
openstackLaunchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Confirmed]16:53
*** jasondotstar is now known as jasondotstar|afk16:53
dstanekdolphm: i'm trying to reproduce it now - this is based on the thread from sdague about keystone breaking one of the upgrade tenants by having some code that potentially needs to be copied after an upgrade (the wsgi handlers)16:55
*** eandersson has quit IRC16:55
dolphmdstanek: the example httpd/ stuff?16:56
dstanekyes16:57
*** ducttape_ has quit IRC16:57
dolphmdstanek: i really don't consider that to be part of keystone itself... it should be managed separately by the deploy tool16:57
dstanekthere was some discussion in here a few days ago about this becoming a problem soon16:57
dolphmit's handy as a canonical reference, but not much more16:57
bknudsonit must be http://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py16:57
dolphmbknudson: right. normally the deploy tool would own that file because that's the non-paste way to build your WSGI application stack16:58
bknudsonquestion might be why copy it... should be able to reference it wherever it is16:58
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/httpd/wsgi-keystone.conf has /var/www/cgi-bin/keystone/main16:58
bknudsonoh, I guess you have to rename it.16:59
dstanekbknudson: that's exactly what i was saying :-) our docs, i believe, say to copy it16:59
bknudsonname = os.path.basename(__file__) -- that's the prob16:59
dstanekwell, in any case i can't get grenade to actually run17:00
bknudsonwe might be better off having admin and public copies of that file rather than using __file__17:00
bknudsonit's small enough17:00
bknudsonthen you could ref it from anywhere17:00
*** belmoreira has quit IRC17:01
dstanekbknudson: the problem i what file to you reference? it will be different on different distros17:01
dolphmbknudson: if that's the case, then put them into the keystone package so they can be imported and deployed into real wsgi.py files17:01
bknudsonnice17:01
bknudsonwait, why's it different?17:01
dolphmbknudson: because it should be owned by the deploy tool!17:01
dolphmmaybe they wrap it with middleware, change the application name, etc17:02
morganfainbergbknudson, dolphm: there are also much stricter permission issues with mod_wsgi and how it can run than "just source" from the pythonpath17:02
bknudsonputting it in the keystone package makes sense17:02
morganfainbergwe could *potentially* make what is copied a very very very very basic stub that imports from the python path17:03
*** Lactem has joined #openstack-keystone17:03
morganfainbergso zero logic17:03
*** krykowski has quit IRC17:03
morganfainbergbut in the python package afair wont work17:03
dolphmbknudson: we don't expose actual wsgi application objects anywhere in keystone, so i'd be in favor of that17:03
morganfainbergbecause of apache wsgi limits17:03
dstanekmorganfainberg: that's basically what it is now17:03
*** jasondotstar|afk has quit IRC17:03
morganfainbergdstanek: the break is because we moved the code from it in juno17:03
morganfainbergerm kilo17:04
morganfainbergso upgrade doesn't work17:04
morganfainbergif we backport shuffling that code into the keystone package and similarly make it do nothing in the wsgi module17:04
morganfainbergthe upgrade would work17:04
LactemIf I'm attempting to make a branch for myself in order to test code, could I just use https://github.com/openstack/keystone? It looks like that is behind https://git.openstack.org/cgit/openstack/keystone/ in commits, but I can't clone the latter.17:04
*** diazjf has quit IRC17:05
morganfainbergLactem: https://github.com/openstack/keystone/commit/6b274951828955f65d35eb2fb9092f15d15a7bd7 is the same as http://git.openstack.org/cgit/openstack/keystone/commit/?id=6b274951828955f65d35eb2fb9092f15d15a7bd717:05
morganfainbergLactem: you would clone from https://git.openstack.org/openstack/keystone (not the lack of cgit)17:06
LactemOkay thanks.17:06
morganfainbergdstanek: so i don't think we can make this strictly part of the python package. but we can eliminate the issue17:06
morganfainbergor at least really mitigate it17:07
LactemAlso is there a guide on how to test my new branch of Keystone once I make it? I assume I would use git clone <url> like in http://docs.openstack.org/developer/keystone/setup.html, but instead use my branch for the url?17:07
dstanekmorganfainberg: when you say 'make it do nothing in the wsgi module' are you talking about http/keystone.py or keystone/server/wsgi.py?17:10
morganfainbergdstanek: http/keystone.py17:10
morganfainbergdstanek: if that has no logic, the upgrade could work w/o needing to re-copy things17:11
morganfainbergthe issue is juno->Kilo we moved the logic17:11
morganfainbergand the juno wsgi can't work with kilo17:11
dstanekmorganfainberg: that side steps the issue so grenade is happy. what about people upgrading their existing installations?17:11
morganfainbergdstanek: again, if the wsgi file doesn't change, the upgrade is easy17:12
morganfainbergthis is only really an issue with pip upgrades17:12
morganfainbergdistributions will put wsgi files in sane places17:12
*** vilobhmm has joined #openstack-keystone17:12
morganfainbergbut as long as we don't move the import location the wsgi file relies on, even a pip upgrade would work17:13
morganfainbergand i'm ok saying "this cannot move"17:13
*** vilobhmm1 has joined #openstack-keystone17:14
dstanekmorganfainberg: i guess i'm confused. what, if anything, can be do here? the only think i can see is making kilo work using the old wsgi stub17:16
morganfainbergdstanek: we could move the logic for juno17:16
morganfainbergbackport the basic shuffle of code17:16
morganfainbergi don't think it's going to be possible to make kilo work with the old stub17:16
*** vilobhmm has quit IRC17:16
morganfainbergand we document "hey if you aren't on juno X.Y.Z, copy this when upgrading"17:17
*** ihrachyshka has quit IRC17:17
morganfainbergit would solve the gate issue, and solve future pip upgrades.17:17
morganfainbergagain packagers/distributions will do what they're going to do anyway17:17
*** cdent has quit IRC17:17
dstanekso basically make grenade happy17:18
morganfainbergdstanek: yep17:18
morganfainbergwe take a long hard look at that wsgi stub in kilo17:18
morganfainbergmake sure it's really doing *nothing*17:18
morganfainbergand is py3 compat17:18
dstanekhopefully it's just the one commit - ea8845a48f3def7a53407aadc14d45bf0609cc7d17:18
morganfainbergthen we backport the same kind of shuffle to juno17:18
morganfainbergi don't want to be fighting this again next cycle17:18
dstanekok, back it figuring out why grenade doesn't work for me :-(17:19
dstanekmorganfainberg: i think the current version is as minimal as you can get17:19
*** jasondotstar has joined #openstack-keystone17:20
morganfainbergdstanek: i think we could avoid the os.path.basename17:20
morganfainbergbut that should be compat across versions17:20
morganfainbergso yeah17:20
dstanekalthough is still breaks their upgrade tenant17:20
*** jasondotstar is now known as jasondotstar|afk17:20
morganfainberg?17:20
*** jasondotstar|afk is now known as jasondotstar17:20
dstanek"New code should need nothing more than 'db migrations'" - http://git.openstack.org/cgit/openstack-dev/grenade/tree/README.rst17:21
*** fangzhou has joined #openstack-keystone17:21
*** cdent has joined #openstack-keystone17:21
morganfainbergwe are making that the case if we backport the shuffle of code17:21
morganfainbergnew code is contained strictly in the keystone package17:22
morganfainbergand db migrations are what are needed17:22
morganfainberggrenade doesn't need to get smarter about upgradeing the wsgi file17:23
morganfainbergsince it becomes a fairly (100%?) static file that shouldnt change across releases17:23
dstanekyeah, until it's not - which is what i fear17:24
*** cdent has quit IRC17:24
dstanekin genade horizon seems to use the django.wsgi right out of their project17:25
*** jasondotstar is now known as jasondotstar|afk17:26
morganfainbergreally it's no better or worse17:27
morganfainberghttps://github.com/openstack-dev/devstack/blob/master/files/apache-horizon.template#L217:27
morganfainbergdevstack mangles and assumes where this exists17:27
morganfainbergthe assumption that a pip upgrade is all that is needed for a wsgi app is a bad assumption17:28
morganfainbergthere is more than python things involved here17:28
morganfainbergwe can't say "it can only ever be a python thing"17:28
dstanekmorganfainberg: yeah, i agree. like dolphm said, it's really a deployment tool issue.17:28
morganfainbergso, i'm going to go out on a limb and say we need to solve this in grenade - and convince them that pip install is not sufficient17:29
morganfainbergwith cinder also looking at wsgi installs17:29
*** jasondotstar|afk is now known as jasondotstar17:29
morganfainbergand every api leaning (slowly) that way17:29
morganfainbergi don't think we want broad assumptions like that17:29
*** dguerri is now known as dguerri`17:30
morganfainbergno sane deployer is going to point apache at $PYTHON_PATH/site-packages/<app>/wsgi/<app>.wsgi.py17:30
* morganfainberg believes devstack should represent a basic level of common sense17:30
morganfainbergbut i might lose that argument17:30
dstanekhaha17:31
dstaneki hope not17:31
bknudsonis somebody supposed to merge master with the feature/keystoneauth_integration branch?17:42
*** kiran-r has quit IRC17:42
*** rushiagr is now known as rushiagr_away17:49
dolphmbknudson: to update the feature branch?17:49
bknudsondolphm: yes, to keep the feature branch in sync with master17:50
*** openstackgerrit has quit IRC17:50
bknudsonaccording to -infra, nobody has merge authority so nobody can do it.17:51
*** openstackgerrit has joined #openstack-keystone17:51
*** jasondot_ has joined #openstack-keystone17:51
*** marzif has joined #openstack-keystone17:52
*** jasondot_ has quit IRC17:53
*** kr4zy_ has quit IRC18:02
*** henrynash has joined #openstack-keystone18:03
*** ChanServ sets mode: +v henrynash18:03
*** kr4zy has joined #openstack-keystone18:04
*** jasondotstar is now known as jasondotstar|afk18:07
*** afazekas has quit IRC18:08
*** HT_sergio has joined #openstack-keystone18:12
*** yottatsa has joined #openstack-keystone18:13
*** roxanaghe has joined #openstack-keystone18:13
*** samueldmq2 has joined #openstack-keystone18:14
*** samueldmq__ has joined #openstack-keystone18:15
*** jasondotstar|afk is now known as jasondotstar18:15
*** jasondotstar is now known as jasondotstar|afk18:15
*** yottatsa has quit IRC18:16
*** samueldmq has quit IRC18:17
*** samueldmq2 has quit IRC18:18
*** jamie_h has quit IRC18:19
LactemCould anyone help direct me where to find the file in which commands are handled in Keystone? I'm specifically looking for keystone endpoint-create and delete. (Sorry. I'm good with Java, but not so much Python and this API yet.)18:21
dstanekLactem: that's in python-keystoneclient, but will be removed in favor of python-openstackclient18:21
*** samueldmq2 has joined #openstack-keystone18:22
LactemI'm actually trying to work on this bug since I'm a beginner to OpenStack (it doesn't look too hard): https://bugs.launchpad.net/keystone/+bug/1098564. @dolphm commented on it before.18:22
openstackLaunchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Confirmed]18:22
Lactemdstanek: So that command is being removed entirely? It needs an equivalent to still be used in cmd line, right?18:22
dstanekLactem: the command-line portion of it is being removed in favor of the openstackclient - the functionality will remain18:23
LactemHmm.18:23
*** samueldmq has joined #openstack-keystone18:23
LactemWhat if people need to use command line, though? Is it not going to still be an option?18:24
dstanekso it looks like you want the server side of the logic anyway - at least according to that bug18:24
LactemYes.18:24
LactemBut I don't know where the command is being handled.18:24
dstanekkeystone.catalog handles managing endpoints18:25
LactemFixing this bug should contribute to python-openstackclient, too, right, since it's functionality?18:25
dstanekyou'll find a controllers module in there that is the starting point for the work flow18:25
LactemOkay thank you. I'll read through that code.18:25
*** samueldmq__ has quit IRC18:25
dstanekrouters will show you how the url maps to the controller18:25
dstanekthe controller will mostly use a driver that you'll find in the backends package18:26
*** samueldmq2 has quit IRC18:26
LactemThank you very much.18:26
dstaneknp18:27
*** jasondotstar|afk has quit IRC18:27
*** rlt_ has quit IRC18:29
*** samueldmq2 has joined #openstack-keystone18:30
*** Ctina__ has quit IRC18:34
*** samueldmq has quit IRC18:34
*** marzif has quit IRC18:37
*** samueldmq__ has joined #openstack-keystone18:38
*** thedodd has quit IRC18:38
*** charlesw_ has joined #openstack-keystone18:38
*** charlesw has quit IRC18:39
*** charlesw_ is now known as charlesw18:39
*** samueldmq has joined #openstack-keystone18:39
*** marzif has joined #openstack-keystone18:40
*** samueldmq2 has quit IRC18:42
*** samueldmq__ has quit IRC18:42
*** samueldmq2 has joined #openstack-keystone18:44
*** samueldmq__ has joined #openstack-keystone18:44
*** henrynash has quit IRC18:45
*** kfox1111 has quit IRC18:47
*** marzif has quit IRC18:47
*** samueldmq has quit IRC18:47
*** samueldmq2 has quit IRC18:48
*** samueldmq has joined #openstack-keystone18:48
*** henrynash has joined #openstack-keystone18:50
*** ChanServ sets mode: +v henrynash18:50
*** kfox1111 has joined #openstack-keystone18:51
*** samueldmq__ has quit IRC18:51
*** samueldmq2 has joined #openstack-keystone18:51
*** spandhe has quit IRC18:54
*** samueldmq__ has joined #openstack-keystone18:54
*** samueldmq has quit IRC18:55
*** samueldmq has joined #openstack-keystone18:55
*** samueldmq2 has quit IRC18:57
*** samueldmq2 has joined #openstack-keystone18:57
*** samueldmq__ has quit IRC18:58
samueldmq2Oh, looks like I've been disconnecting too many times :(18:59
*** samueldmq has quit IRC19:00
*** samueldmq2 is now known as samueldmq19:00
dstaneksamueldmq: just a bit :-)19:00
*** samueldmq2 has joined #openstack-keystone19:01
*** jasondotstar has joined #openstack-keystone19:01
*** jasondot_ has joined #openstack-keystone19:01
*** jasondotstar has quit IRC19:02
*** diazjf has joined #openstack-keystone19:02
*** samueldmq has quit IRC19:05
*** samueldmq2 has quit IRC19:05
*** jasondot_ is now known as jasondotstar|afk19:07
morganfainbergdolphm: Swype keyboard for iOS has gotten way better.19:15
* morganfainberg is amazed19:15
morganfainbergIt mostly just works19:15
*** fangzhou_ has joined #openstack-keystone19:16
*** fangzhou has quit IRC19:16
*** fangzhou_ is now known as fangzhou19:16
morganfainbergbknudson: huh we should fix the merge authority for the feature branch then19:18
dolphm*reinstalling*19:18
morganfainbergDolphm: It doesn't do the autocorrect as much. You have to select from the prediction bar.19:19
dolphmthat sounds like a fantastic change19:19
dolphmi have autocorrect turned off completely with the regular keyboard. i'd rather type garbage than something i didn't intend at all19:20
morganfainbergdolphm: i also have the full access turned off so i am not getting the"new trending words " feature atm19:20
morganfainbergBut it does seem to really do quite a good job. The spacing is a little different than the default keyboard so normal typing is a bit slower for me atm19:21
morganfainbergBut not a lot slower19:22
*** Lactem has quit IRC19:22
dolphmmorganfainberg: is new trending words like things you've added to your local dictionary, or like new pronouns invented on twitter today?19:22
morganfainbergI assume intertube based words.19:22
*** uschreiber_ has joined #openstack-keystone19:23
morganfainbergIt seems to learn what I type. It also asks if I want to add any words to the dictionary when it doesn't know / can't predict anything based on what you're typing.19:23
morganfainbergS/you're/i'm19:24
*** thedodd has joined #openstack-keystone19:25
dolphmhow do you make it learn new words? swyping "riverwalk" results in "riverbank" everytime, but i don't see a way to tell it something different19:25
morganfainbergdolphm: my guess is type it multiple times.19:25
*** uschreiber_ has quit IRC19:25
dolphmOH - you have to type it without swyping at all19:26
dolphmand THEN it'll appear in the suggestion list, you hit it, and it'll ask if you want it to learn that word19:26
morganfainbergYeah Swype can't guess things it doesn't know.19:26
*** roxanaghe has quit IRC19:27
*** jasondotstar|afk is now known as jasondot_19:27
*** jasondot_ is now known as jasondotstar|afk19:27
*** jasondotstar|afk has quit IRC19:27
dolphmWell yeah, but I'd expect a better UX to teach our new words though19:27
morganfainbergOh crap I may have to uninstall it. It just suggested dynasty as the logical prediction after duck.:p19:28
dolphms/our/it/19:28
dolphmrofl19:28
morganfainbergYeah the learn UX has some glaring gaps still.19:29
morganfainbergBut overall the keyboard is much much better than before.19:29
morganfainbergOoh. https://www.python.org/dev/peps/pep-0447/19:33
morganfainbergThat's cool.19:33
morganfainbergAlso. https://www.python.org/dev/peps/pep-0484/19:34
*** jasondotstar has joined #openstack-keystone19:36
morganfainbergdolphm: found an issue with Swype. No way to hide the keyboard.19:38
morganfainbergOr... Hmm19:38
morganfainbergNvm19:38
dstanektype hints will be interesting19:38
dstaneklots of talk about that at pycon this year19:39
*** samueldmq has joined #openstack-keystone19:43
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs  https://review.openstack.org/18702719:44
*** ninag has quit IRC19:45
*** samueldmq2 has joined #openstack-keystone19:46
*** r-daneel has joined #openstack-keystone19:47
*** jasondotstar is now known as jasondotstar|afk19:47
*** samueldmq has quit IRC19:49
*** samueldmq2 has quit IRC19:50
*** jasondotstar|afk is now known as jasondotstar19:52
*** belmoreira has joined #openstack-keystone19:58
*** diazjf has quit IRC20:02
*** ankita_wagh has joined #openstack-keystone20:05
*** jasondotstar is now known as jasondotstar|afk20:06
*** jasondotstar|afk is now known as jasondotstar20:06
*** jasondotstar is now known as jasondotstar|afk20:06
bknudsonlet's just use java20:07
dstaneksounds like those crusty old guys that use to say, "let's just use cobol"20:08
bknudsonpython seems to be looking for things to do.20:08
*** charlesw_ has joined #openstack-keystone20:08
*** jasondotstar|afk is now known as jasondotstar20:08
bknudsonjust call it done20:08
dstanekwe haven't even gotten to the 4.0 rewrite yet!20:08
morganfainberghtruta: so the only concern i have with only requiring the hierarchy in a name conflict remains20:09
*** charlesw has quit IRC20:09
*** charlesw_ is now known as charlesw20:09
morganfainberghtruta: you're going to break people when renames happen. in cases that worked even minutes/seconds before20:09
morganfainberghtruta: I am thinking the only real solution is never issue a domain scope token again20:10
*** kr4zy has quit IRC20:10
*** kr4zy has joined #openstack-keystone20:10
morganfainberghtruta: i don't think without redesigning the HMT stuff we are going to back ourselves out of this corner20:10
morganfainbergraildo, rodrigods,  cc ^^20:11
morganfainbergis there a reason we even need domain scope in reality? or can we really just drop domain scoped tokens and allow extra actions to occur on "is_domain" projects.20:11
morganfainbergalso, at any reasonable depth of project hierarchy we don't have compatibility issues.20:11
*** kr4zy has quit IRC20:12
*** kr4zy has joined #openstack-keystone20:14
*** samueldmq has joined #openstack-keystone20:14
samueldmqayoung-afk: good news20:14
*** ayoung-afk is now known as ayoung20:14
ayoungsamueldmq, I like hearing good news20:15
samueldmqayoung: https://wiki.openstack.org/wiki/DynamicPolicies#Workflows_-_Liberty_Scope20:15
samueldmqayoung:what you asked me earlier :)20:15
*** samueldmq2 has joined #openstack-keystone20:15
samueldmq2ayoung: the sequence diagram (I used the tool you suggested, and put more details)20:15
ayoungsamueldmq, there is something wonky with your diagram, though.  Where is the source?20:16
*** samueldmq has quit IRC20:16
ayoungsamueldmq2, I see at least one place where Keystone is calling into the CMS.  I assume that is just an artifact of trial and error.20:17
*** samueldmq2 has quit IRC20:17
htrutamorganfainberg: why are we breaking people after renaming?20:18
*** kr4zy has quit IRC20:18
*** samueldmq2 has joined #openstack-keystone20:18
morganfainberghtruta: so what happens is project is in a hierarchy20:18
samueldmq2ayoung, my connection is too bad today, sorry20:18
samueldmq2ayoung, http://www2.lsd.ufcg.edu.br/~samuel/dynamic-policies-workflow.diag20:18
morganfainberghtruta: that has no conflict, then you rename it's parent (which is allowed)20:19
samueldmq2ayoung, there is the source ^20:19
morganfainberghtruta and now there is a conflict, now the auth request fails - and it was 100% valid/working before20:19
morganfainberghtruta: or someone drops a project with a name conflict under it20:19
samueldmq2ayoung, I generated that diagram using the python tool though, it couldn't be generated online since it's big, hehe20:19
morganfainberghtruta: basically there isn't a consistent "this will work" interface people can program to. You always need to pass the hierarchy or are at risk of having random failures in the future. in short, we should always require the hierarchy -- it means there isn't a chance something will break because of an action of another user.20:20
htrutamorganfainberg: that renaming issue will always happen, unless I use project_id... so, I do not understand how always passing the hierarchy will solve it20:21
htrutathat's something the child projects will always be depending on the parents20:22
morganfainberghtruta: the issue is a rename of a child could *also* break it20:22
morganfainbergthe interface is basically saying "requesting things like X will work, until they don't then you need to do Y", so the logical conclusion is always do Y.20:23
morganfainbergwhy not just make that the norm20:23
htrutamorganfainberg: got it20:23
htrutamorganfainberg: then, considering that we'll do Y (always requiring the hierarchy), how won't we break every single deploy that makes the request by name?20:24
htrutaproject name20:24
morganfainberghtruta: we *can* make it so that in a hierarchy you need the hierarchy passed. outside of a hierarchy you just do things as you would normally20:25
morganfainbergno one is broken that way20:25
morganfainbergright?20:25
morganfainbergand i *think* we said where project.is_domain=True, you never issue a project scoped token for anyway, right?20:26
* morganfainberg can't remember the result of that conversation20:26
*** samueldmq2 has quit IRC20:27
raildomorganfainberg, in fact, we want to provide a project scoped token to project.is_domain=True20:27
morganfainbergoh ok so never a domain_scoped token20:27
morganfainberg?20:27
morganfainbergor still possible to get either/or20:27
htrutamorganfainberg: we wanted both of them20:27
* morganfainberg isn't sure this is a good idea20:27
htrutaeither20:27
morganfainbergnot sure what the benefit of the domain scope really is.20:27
htrutanot both, not dual20:27
htrutaI've heard someone say that they don't want to mix the capabilities of a domain admin and project admin20:28
morganfainbergwould it make it easier if domain scope just went away?20:28
morganfainbergwho said that?20:28
* morganfainberg looks at ayoung (just a guess)20:28
htrutaI don't think domain scoped token is a problem for us, at all20:28
htrutaguess it was gyee20:28
morganfainbergwe could (initially) only ever allow domain scoped tokens for the domains as we do today20:29
morganfainbergand loosen that restriction down the line20:29
gyee\o20:29
raildomorganfainberg, if a domain_admin will do the same actions with a project scoped token then before, I'm ok with this.20:29
gyeewe mix domain and project admin, there will be trouble20:29
morganfainberggyee: then lets not allow project admins on domains for now20:29
gyeeabsolutely20:30
morganfainberglets not try and boil the ocean and solve every issue20:30
morganfainbergraildo, ^^20:30
morganfainbergwe can circle up on that after - it narrows the complexity of potential issues down a lot20:30
* morganfainberg is seeing a lot of landmines around reseller atm20:30
morganfainbergand i don't want us to step in them.20:30
* gyee let morganfainberg walk in front of him20:31
htrutamorganfainberg: so, you are suggesting that we don't allow is_domain projects to get project scoped tokens?20:32
htrutaat least, not in Liberty20:32
morganfainberghtruta: yes.20:32
morganfainberghtruta: it's a simple if-check and it can allow us to be more directed about avoiding edge cases while opening up reseller20:32
*** aix has joined #openstack-keystone20:33
*** samueldmq has joined #openstack-keystone20:33
morganfainberghtruta: with a resource that can be both project and domain (but not at the same time in a authz scope) we open a lot of strange edge cases we need to evaluate20:33
samueldmqdstanek: I think I am good now ... no more issues with connection :)20:33
gyeefirst bug you are going to see will be "elevated privilege" if we allow project admin to get a domin admin token or vice versa :)20:34
samueldmqdstanek: connected to the laboratory and set up tmux + irssi20:34
samueldmqayoung: I am back, sorry I was having issues with my connection20:34
htrutagyee: the idea wasn't that... the assignments would remain separated20:34
morganfainberghtruta: lets totally dodge that for the moment20:35
htrutamorganfainberg: isn't this approach making it difficult to set quotas in reseller?20:35
raildomorganfainberg, imo, it will limit a lot the reseller usability, since we can set quotas to a project.is_domain=True, without provide a project scoped token.20:35
raildowe can't*20:36
morganfainbergraildo: i'm honestly worried reseller is going to be rife with CVEs at the moment20:36
*** pnavarro has joined #openstack-keystone20:36
morganfainbergi would rather solve the quota on a domain issue than deal with 5 new priv escalation issues20:36
morganfainbergthis is personal preference20:36
gyeemorganfainberg, ++20:37
morganfainbergi know it sucks to make other projects domain aware20:38
htrutamorganfainberg: I think no one outside of keystone wants domains20:38
morganfainbergbut either that *or* we do away with domain scope 100%20:38
morganfainbergand we commit to fixing the mix/priv issues20:38
raildomorganfainberg, I see your point, I'm just tough that behaviour(provide project scoped token) will be normal, and really useful in a future...20:38
morganfainbergi don't think we want either/or20:38
morganfainbergthe resource acting as either a domain or project is what worries me, because it opens a lot of edge cases20:39
htrutais henrynash around?20:39
morganfainbergif we pick one side or the other - we can focus on making it correct that way20:39
morganfainbergi don't have a strong opinion which side, just that having a mish-mash scares me20:39
*** HT_sergio has quit IRC20:39
morganfainbergi know gyee would rather have the clear separation, but i think we can address the problems if we make everything project only20:40
raildomorganfainberg, I prefer work to deprecated domain scoped token :P20:40
raildodeprecate*20:40
morganfainbergraildo: i'd not deprecate domain scope, i'd make it just disappear.20:40
raildo++20:40
htrutaI was really liking the idea of domains being a powerful project, once we won't need to put domains in other services20:40
morganfainbergno longer issued, make keystone handle project scope correctly in the project.is_domain=True case20:40
morganfainberghtruta: i think that if we want domains to be a special powerful class of object, we need other services aware of them20:41
morganfainbergit's not something we can isolate to keystone20:41
morganfainbergotherwise it's "that weird thing keystone does, and isn't that useful in most cases"20:41
morganfainbergif that makes sense.20:41
*** marzif has joined #openstack-keystone20:41
gyeedomain is a keystone only concept, other services don't care about it20:42
morganfainberggyee: it either needs to be supported by other services (quota, etc for hierarchy reasons)20:43
morganfainbergor .. it needs to go away20:43
morganfainbergi don't think there is a good middleground here20:43
gyeeit offer a great deal of value for multitenancy and resource isolation20:44
lbragstaddstanek: question for you on some database fixture stuff https://github.com/openstack/keystone/commit/01b0f4cd7da5773e2a8d865a181899ff5b856ff220:44
morganfainberggyee: so it can't be just a keystone concept then20:44
morganfainbergor it shouldn't be20:44
lbragstadbecause of this line (https://github.com/openstack/keystone/commit/01b0f4cd7da5773e2a8d865a181899ff5b856ff2#diff-c5219e3fcf442ecbfa092ae7d06e6908R105) the test database will be dropped after the tests run, right?20:45
dstanekeither way other services will have to know about domains; the question i have is should they be aware of domains that act as projects too20:45
*** belmoreira has quit IRC20:45
morganfainbergdstanek: if we squash all scopes to project - it means other services just need to learn what an is_domain flag is vs. learning what a domain scope is20:45
morganfainbergi think that is a lower barrier20:45
raildoI agree that we need to extend the domain concept to other services, maybe think in some use cases and do a cross project session in the next summit to discuss this20:45
gyeeso what do they do with domains?20:45
morganfainbergbut... if we need the separation20:45
gyeefor quota management?20:45
htrutabut having them as projects might make it easier20:45
morganfainberggyee: quota, image management, swift bucket collections, barbican shared secrets across all projects20:46
morganfainberggyee: etc20:46
gyeeI thought we are centralize quota management in Keystone at one point20:46
morganfainbergno20:46
morganfainbergno20:46
morganfainbergand no20:46
morganfainbergplease no20:46
raildohaha20:46
*** charlesw has quit IRC20:46
htrutalol20:46
morganfainbergoh god no20:46
gyeewow, 5 nos20:46
raildokeep calm and no quotas in keystone20:47
*** kr4zy has joined #openstack-keystone20:47
morganfainbergraildo: ++20:47
*** henrynash has quit IRC20:47
*** stevemar has quit IRC20:48
raildook, I'm sad but we will remove project scoped token to project.is_domain=True20:48
morganfainbergraildo: so like i said, i don't really mind if we go the otherway20:48
morganfainbergyou just need to help me sway gyee 's view on it20:49
* morganfainberg would prefer to make "domain scope" [being an explicit scope] disappear20:49
raildoi will think more about this. If we don't find a way to do this in Liberty, i'll come back in M with a solution20:49
morganfainbergbut i get that we have to pick what is achievable.20:49
gyeeif we can make it work without privilege bleedover20:49
morganfainberggyee: if we commit to no explicit domain scope, i think we can20:50
*** Lactem has joined #openstack-keystone20:50
morganfainbergif we allow for a resource to be domain and/or project20:50
morganfainbergwe're going to run into lots of edge cases20:50
LactemIs there a guide somewhere that explains how to do unit tests on Keystone?20:50
morganfainbergi'd rather commit to clear cut target case.20:50
LactemI edited a .py file on my computer and need to test it on the vm.20:50
morganfainbergLactem: so we us tox, i typically rune "tox -epy27"20:51
*** pnavarro has quit IRC20:51
morganfainbergLactem in the keystone directory20:51
morganfainbergLactem: that will make a venv and build all the dependencies for you and then run the unit tests20:51
LactemHow will I tell it to use my new file instead of the old?20:51
morganfainbergLactem: if you updated a file in-place, it will test the file20:51
morganfainbergit tests what is in that directory20:51
morganfainbergif you're adding a new file, you need to write specific tests to make sure the new module is tested (aka if it's a driver)20:52
LactemBut you see my directory that I edited is in my actual computer. I have the actual Keystone running in a VM.20:52
LactemI just edited a file. It's not new.20:52
morganfainbergLactem: so unit tests are run local to the tox command20:52
morganfainbergif you're looking to do a functional/does this api work like i expect test20:52
gyeemorganfainberg, raildo, can you update the spec? I need to think it through20:52
LactemOkay so I can just run tox in my vagrant directory?20:53
morganfainbergyou'd need to upload your new file to the VM20:53
LactemYeah okay so how do I do that?20:53
morganfainbergLactem: i don't know enough about your setup.20:53
morganfainbergLactem: i do my development on linux these days20:53
morganfainbergso i just run tox locally20:53
LactemI'm running Ubuntu.20:53
morganfainbergor i upload the whole (scp?) keystone project to a vm20:53
raildogyee, sure, we will do this asap :)20:53
morganfainbergthen run tests in the vm20:53
LactemOkay so I have to get the edited file to my VM.20:54
morganfainberggyee: i'm trying to make it so you don't have to think about it three different ways man ;)20:54
LactemHow would I go about that? Sorry for my noob questions.20:54
morganfainbergLactem: you can scp the keystone directory to your VM.20:54
morganfainbergi have no idea how vagrant works these days since i don't use it20:54
htrutamorganfainberg: so, those beautiful things about passing the hierarchy are going to M ?20:54
dstanekLactem: why don't you just edit directly on the VM?20:54
htrutaand we'll keep project names unique in domains (not in parents)20:54
morganfainberghtruta: we probably still need it.20:55
morganfainbergdstanek: ++20:55
morganfainberghtruta: depends which way the spec is updated (all project scope, or domain's can't be project scope)20:55
*** ankita_w_ has joined #openstack-keystone20:56
Lactemdstanek: Because I'm not that experienced with Linux and would screw up trying to edit code from inside a VM.20:56
bknudsonLactem: there's an #openstack-101 channel for new contributors20:56
dstanekwhen you get a project scoped token you'll still pass in the domain to use right?20:56
htrutadstanek: yes20:56
LactemI'm just here because I'm working on a Keystone bug.20:56
dstanekwhy is the Project<is_domain=True>'s domain itself?20:57
htrutadstanek: because it is a domain20:57
dstanekLactem: that's the beauty of VMs. if you mess it up too badly you can recreate20:57
LactemI don't know how to do it, though, since I'm in SSH.20:58
LactemI kind of need a GUI like Sublime to edit Python code.20:58
dstanekLactem: nano?20:58
dstanekLactem: also with virtualbox you can mount the directory from the VM to your machine20:58
htrutaLactem: or vim20:59
*** ankita_wagh has quit IRC20:59
*** e0ne has joined #openstack-keystone20:59
LactemI don't like vim.20:59
LactemI think I'll try the mounting, though. Thanks.21:00
bknudsonI tried mounting from my host system and it wound up being a disaster.21:00
*** jamielennox is now known as jamielennox|away21:01
bknudsonI tried using sshfs21:02
bknudsonI forget what the issues were.21:02
*** marzif has quit IRC21:03
kfox111123'rds cutoff day for the instance users spec. Please +1 or raise issues now.21:03
*** pnavarro has joined #openstack-keystone21:03
dstaneklbragstad: yes, i think so21:05
*** raildo has quit IRC21:06
lbragstaddstanek: gotcha, I was attempting to load a test database with specific data but i would fail most of the tests because they can't access assumed values in the database (like the default domain)21:06
dstaneklbragstad: using the fixture?21:07
lbragstaddstanek: yeah21:07
*** jamielennox|away is now known as jamielennox21:09
dstaneklbragstad: do you have an example i can look at? i have to run for a bit, but i'll be back on later21:10
lbragstaddstanek: yeah, I'll see if I can get one together and ping it to you21:11
dstaneklbragstad: perfect21:11
lbragstadit might be a bit though21:11
morganfainbergkfox1111: please link the spec for review.21:12
morganfainbergkeystone-core, please review kfox1111's nova spec.21:12
gyeeon it21:13
*** diazjf has joined #openstack-keystone21:15
*** Xurong has quit IRC21:15
*** Xurong has joined #openstack-keystone21:15
*** Xurong has quit IRC21:16
*** Xurong has joined #openstack-keystone21:16
*** openstack_ has joined #openstack-keystone21:17
*** openstack__ has joined #openstack-keystone21:18
*** openstack__ has quit IRC21:18
*** openstack__ has joined #openstack-keystone21:19
*** openstack__ has quit IRC21:19
*** openstack__ has joined #openstack-keystone21:20
*** openstack__ has quit IRC21:20
*** Xurong has quit IRC21:21
*** kfox1111 is now known as kfox1111_afk21:22
*** htruta_ has joined #openstack-keystone21:23
*** openstack_ has quit IRC21:23
*** fangzhou has quit IRC21:25
*** ankita_wagh has joined #openstack-keystone21:32
*** ankita_w_ has quit IRC21:35
*** timburke has joined #openstack-keystone21:38
bknudsonwhat do you think about deprecating the sizelimit middleware in the keystone paste pipeline?21:40
bknudsonif you're running in apache you should use apache's functionality for this21:40
bknudsonnot sure how we would code that up other than to remove it from the default pipeline21:40
bknudsonfrom the sample21:40
bknudsonI'll just make a blueprint and propose the patch21:44
*** pnavarro has quit IRC21:45
bigjoolsgood morning, 'stoners21:46
*** fangzhou has joined #openstack-keystone21:50
*** Raildo has joined #openstack-keystone21:50
morganfainbergbknudson: i think that is fine to do21:50
morganfainbergbknudson: as long as we document the alternative and how to configure it21:50
bknudsonI'll fill in the bp so we can write up some release notes.21:51
openstackgerritMerged openstack/keystone: Update version for Liberty  https://review.openstack.org/19240521:52
bknudsonversion 8!21:52
bknudsonwe're going backwards21:52
*** bknudson has quit IRC21:54
Lactemhttps://bugs.launchpad.net/keystone/+bug/1098564/comments/3 Could anyone take a quick look at that please? I think I did this correctly, but I'm not 100% sure since the bug was already confirmed. It wasn't a problem when I did it this way, though.21:54
openstackLaunchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Confirmed]21:54
LactemYou also commented on this bug two years ago @dolphm.21:57
*** kr4zy has quit IRC22:00
*** browne has quit IRC22:01
*** browne has joined #openstack-keystone22:02
*** diazjf has quit IRC22:03
*** zzzeek has quit IRC22:03
*** trey has joined #openstack-keystone22:04
dolphmLactem: looking22:06
dolphmLactem: ooh, this bug is familiar22:07
dolphmLactem: what's the output of your `keystone catalog` now?22:07
dolphmLactem: i'm hoping the broken endpoint is actually supressed from that output?22:07
*** Lactem has quit IRC22:15
*** Lactem has joined #openstack-keystone22:15
dolphmLactem: https://bugs.launchpad.net/keystone/+bug/1098564/comments/422:16
openstackLaunchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Incomplete]22:16
LactemHey.22:16
LactemSorry I left. My computer froze.22:16
dolphmLactem: no worries, did you get my messages from the last few minutes?22:17
LactemThanks for the reply! That was fast.22:17
LactemI just saw you link me your comment, but that's it.22:17
dolphmLactem: http://cdn.pasteraw.com/qdvz8p6s7smjx7qfe789h4h8vh5pmnj22:17
dolphmLactem: as a sanity check, add both an invalid/broken endpoint AND a valid endpoint, and then verify your `keystone catalog` only contains the good one22:18
dolphmand hopefully there's a warning in the server logs about the presence of a malformed endpoint22:18
LactemOkay. I may have to restart the vm and it might take a while since I crashed.22:18
dolphmno worries22:19
*** __TheDodd__ has joined #openstack-keystone22:23
*** thedodd has quit IRC22:27
*** diazjf has joined #openstack-keystone22:27
*** ankita_w_ has joined #openstack-keystone22:29
*** e0ne has quit IRC22:31
*** ankita_wagh has quit IRC22:32
*** browne has quit IRC22:32
*** edmondsw has quit IRC22:43
lifelessjamielennox: ping. nag. you know what i want :)22:44
lifelessmorganfainberg: also have you updated your talk ? I haven't logged into cross check yet.22:44
*** crinkle has quit IRC22:44
*** browne has joined #openstack-keystone22:44
*** sigmavirus24 is now known as sigmavirus24_awa22:44
Lactemdolphm: I have to completely remake the VM. After it's ready, you want me to try doing the stuff I did in my post and then tell you what keystone catalog says?22:45
*** RichardRaseley has quit IRC22:46
morganfainberglifeless: on my list to do today/tomorrow22:46
*** jasondotstar has quit IRC22:46
*** RichardRaseley has joined #openstack-keystone22:46
lifelessmorganfainberg: please. Its much easier for me to heckle jamielennox when your one is done.22:46
morganfainbergLol22:47
*** telemonster has quit IRC22:47
morganfainbergWill do what I can tonight22:48
*** telemonster has joined #openstack-keystone22:48
morganfainbergSo you can heckle jamielennox more22:48
LactemSo is this a job for all of you?22:49
lifelessthank you!22:49
LactemOr hobby?22:49
morganfainbergLactem: my full time job is OpenStack22:49
*** nkinder has quit IRC22:49
LactemCool.22:49
LactemI'm an intern. This is my first week.22:50
morganfainbergMost of us who are constantly active here are employed to work on OpenStack or open source22:50
LactemI figured.22:50
morganfainberg:)22:50
*** jdennis has quit IRC22:51
morganfainbergHappy to have you join us:)22:51
LactemHaha thanks. I'm happy to join, although it's not a paid internship, so I'm not really "employed."22:51
*** boris-42 has quit IRC22:52
*** jdennis has joined #openstack-keystone22:53
*** browne has quit IRC22:55
*** openstackgerrit has quit IRC22:55
*** markvoelker_ has quit IRC22:55
*** ericksonsantos has quit IRC22:55
*** tellesnobrega has quit IRC22:55
*** ngupta has quit IRC22:55
*** EmilienM has quit IRC22:55
*** nkinder has joined #openstack-keystone22:57
*** dims_ has joined #openstack-keystone23:01
*** dims has quit IRC23:04
*** crinkle has joined #openstack-keystone23:06
*** openstackgerrit has joined #openstack-keystone23:06
*** markvoelker_ has joined #openstack-keystone23:06
*** ericksonsantos has joined #openstack-keystone23:06
*** tellesnobrega has joined #openstack-keystone23:06
*** ngupta has joined #openstack-keystone23:06
*** EmilienM has joined #openstack-keystone23:06
*** diazjf has quit IRC23:07
*** marzif has joined #openstack-keystone23:10
*** __TheDodd__ has quit IRC23:12
*** arunkant_ has quit IRC23:16
morganfainbergwhere is stevemar when you need him :P23:23
*** markvoelker_ has quit IRC23:26
*** boris-42 has joined #openstack-keystone23:28
dstanekmorganfainberg: how often does that happen :-P23:28
morganfainbergdstanek: what?23:28
morganfainbergsteve being offline?23:28
* morganfainberg doesn't know23:29
dstanekno....needing him :-)23:29
*** kfox1111_afk is now known as kfox111123:30
morganfainberghah23:31
dstanekmorganfainberg: where are you this week?23:34
morganfainbergIn Pasadena23:35
morganfainbergSo home23:35
*** RichardRaseley has quit IRC23:37
dstanekoh, nice23:38
*** chlong has joined #openstack-keystone23:47
*** RichardRaseley has joined #openstack-keystone23:48
*** RichardRaseley has quit IRC23:48
*** dims_ has quit IRC23:53
*** RichardRaseley has joined #openstack-keystone23:54
Lactemdolphm: I finally did it. I'm pasting the log now.23:55
Lactemhttp://pastebin.com/D16WXLEV @dolphm23:56
dolphmLactem: awesome! looking23:56
dolphmLactem: welcome, btw!23:56
dolphmLactem: who's your internship with?23:56
LactemThanks.23:56
LactemIntel23:56
LactemIt's my first week.23:56
LactemI'm actually about to go since it's almost 5.23:56
*** RichardRaseley has quit IRC23:57
lbragstadLactem: congrats on the internship :)23:57
dolphmLactem: eek, your "good" endpoint (860843c8c6984cec8f5ae1bd2d4808ef) isn't returned by keystone catalog either23:57
dolphmLactem: let's pick this up tomorrow? ping me whenever you have time23:57
LactemAlright.23:57
LactemThanks see you tomorrow.23:57
*** Lactem has quit IRC23:58
« Wednesday, 2015-06-17 Index Friday, 2015-06-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!