Friday, 2015-06-19

*** Raildo has quit IRC00:02
*** samueldmq2 has joined #openstack-keystone00:03
*** samueldmq2 has quit IRC00:03
samueldmqayoung: hi, you around ?00:04
samueldmqayoung: I suppose you saw the diagram in that wiki ? let me know what you think about tht approach :)00:05
samueldmqayoung: whether you agree or not, and why00:05
gyeewtf's Oslo Guru Meditation?
samueldmqgyee: lol haha, I have no idea :)00:07
gyeesamueldmq, funny naming though00:08
samueldmqgyee: ++00:09
*** gyee has quit IRC00:27
*** ankita_w_ has quit IRC00:30
*** r-daneel has quit IRC00:34
*** dims has joined #openstack-keystone00:39
ayoungsamueldmq, yep, I'm here.  WHere is the source for the diagram?00:45
*** dims has quit IRC00:47
*** dims has joined #openstack-keystone00:47
samueldmqayoung: I thought I had sent it already00:49
*** spandhe has joined #openstack-keystone00:49
ayoungsamueldmq, maybe you did...didn't see it.  Thnaks00:49
samueldmqayoung: I saw there are some 'requests' from keystone to CMS, I think that is just formatting, you can understand the logic behind00:50
samueldmqayoung: I think the descriptuons there are pretty accurate, you'll understand how I see00:50
samueldmqayoung: let me know if you agree , etc :)00:50
ayoungsamueldmq, hold on.  Let me go through it and I'll understand better00:50
samueldmqayoung: sure00:52
*** zzzeek has joined #openstack-keystone00:52
*** zzzeek has quit IRC00:52
*** openstack has joined #openstack-keystone00:54
*** markvoelker has joined #openstack-keystone00:56
*** diazjf has joined #openstack-keystone00:58
ayoungsamueldmq, it looks pretty close.  One technical issue you had was that a return call, say from nova to the user needs to be written  as   user <- nova;01:00
ayoungsamueldmq, I might break this up into threee diags01:00
*** ankita_wagh has joined #openstack-keystone01:01
*** markvoelker has quit IRC01:02
samueldmqayoung: what would be the three diags ? I'd be happy to break that up01:02
samueldmqayoung: glad to hear you like what is in there :)01:02
*** kfox1111 has quit IRC01:08
*** bknudson has joined #openstack-keystone01:10
*** ChanServ sets mode: +v bknudson01:10
*** charlesw has joined #openstack-keystone01:11
*** ncoghlan has joined #openstack-keystone01:11
*** ccrouch has quit IRC01:14
samueldmqayoung: ah got it, instead of nova -> user : user <- nova01:14
samueldmqayoung: ++01:14
ayoungsamueldmq, yeah...the diag also expects that what ever you start with has a lifeline that lasts the whole diagram01:18
samueldmqayoung: that's why it's weird with lifelines01:20
samueldmqayoung: :)01:20
samueldmqayoung: otherwise you agree on that direction for Liberty?01:20
ayoungsamueldmq, its designed to show a single use case.  The case where user and admin both ask things, but don't talk to each other is hard to represent01:20
samueldmqayoung: or do you have any other concertn ? etc01:20
ayoungsamueldmq, lets treat it as a good set of tools for guiding the discussion.  It does not show everything01:21
*** dsirrine has quit IRC01:21
samueldmqayoung: not sure I follow01:21
ayoungsamueldmq, let me do a touch more editing and put them into the Wiki01:21
ayoungand I'll explain at that point01:22
samueldmqayoung: sure01:23
*** ankita_wagh has quit IRC01:29
*** ankita_wagh has joined #openstack-keystone01:30
*** woodster_ has quit IRC01:31
ayoungthe source for the diagrams are embedded in the files01:42
ayoungif you click on the image, you should see the source01:42
ayoungsamueldmq, I don't think there is enough detail there yet.  We need to discuss the relationship between the files shipped with Nova that are pre-exisitng on the system and the ones from dynamic policy.01:44
*** _cjones_ has quit IRC01:44
openstackgerritBrant Knudson proposed openstack/keystone: Document policy target for operation
*** fangzhou has quit IRC01:49
*** vilobhmm1 has quit IRC01:51
*** markvoelker has joined #openstack-keystone01:57
*** tsufiev has quit IRC02:01
samueldmqayoung: you mean what I am called the Defaults and Custom policies?02:01
samueldmqayoung: Default is what is uploaded by the CMS at bootstrapping / when a service is updated02:01
samueldmqayoung: Custom is what the admin changed (a kind of diff)02:01
ayoungsamueldmq, drop the term default02:02
ayoungI think it is confusing02:02
*** aix has quit IRC02:02
samueldmqayoung: Base policy02:02
ayoungthere is the policy.json from the remote service git repos02:02
*** markvoelker has quit IRC02:02
ayoungthe default policy was supposed to be the unified one...lets leave that out for now02:02
samueldmqayoung: ok, can I call it Base policy? or something like that ?02:05
samueldmqayoung: it should be the olicy.json shipped with the code02:05
samueldmqayoung: which is uploaded/updated to keystone02:05
ayounghow about stock policy?02:05
*** tsufiev has joined #openstack-keystone02:06
samueldmqayoung: and when the admin changes that, i.e, puts something in the custom (the diff) he receives warnings (what nova wants!!)02:06
ayoungsomething like that, yeah02:06
samueldmqayoung: oh great :)02:06
*** davechen has joined #openstack-keystone02:07
*** davechen1 has joined #openstack-keystone02:10
*** davechen has quit IRC02:12
openstackgerritBrant Knudson proposed openstack/keystone: Refactor extract function load_auth_method
openstackgerritBrant Knudson proposed openstack/keystone: Use stevedore for auth drivers
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file
openstackgerritBrant Knudson proposed openstack/keystone: Short names for auth plugins
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Unit tests catch deprecated function usage
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Switch from deprecated isotime
samueldmqayoung: the split you made looks great, very clear02:23
samueldmqayoung: that single diagram was very big02:23
*** tobe has joined #openstack-keystone02:24
openstackgerritBrant Knudson proposed openstack/keystone-specs: Add side-by-side comparison of v2 and v3 APIs
*** kiran-r has joined #openstack-keystone02:33
davechen1dolphm: hi,02:34
davechen1dolphm: I saw your comment here:
openstackLaunchpad bug 1466116 in Keystone "With using V3 cloud admin policy, domain admin cannot issue a token for the project in his domain" [Undecided,Incomplete] - Assigned to Dave Chen (wei-d-chen)02:35
davechen1dolphm: Do you mean we should set inherited = 1 then we that use will has access to the project?02:35
*** marzif has quit IRC02:36
*** ankita_wagh has quit IRC02:39
*** cburgess has quit IRC02:39
*** diazjf has quit IRC02:40
*** cburgess has joined #openstack-keystone02:44
davechen1figure it out, just need enable os_inherit in the keystone.conf. :)02:45
*** vilobhmm has joined #openstack-keystone02:45
*** spandhe has quit IRC02:45
*** jamielennox is now known as jamielennox|away02:46
*** jamielennox|away is now known as jamielennox02:53
*** stevemar has joined #openstack-keystone03:01
*** ChanServ sets mode: +v stevemar03:01
*** wuhg has joined #openstack-keystone03:03
*** cburgess has quit IRC03:04
*** ankita_wagh has joined #openstack-keystone03:05
*** cburgess has joined #openstack-keystone03:05
*** dims has quit IRC03:06
*** cburgess has quit IRC03:07
*** cburgess has joined #openstack-keystone03:10
*** richm has quit IRC03:18
*** stevemar has quit IRC03:22
*** rm_work has quit IRC03:25
*** stevemar has joined #openstack-keystone03:26
*** ChanServ sets mode: +v stevemar03:26
*** rm_work|away has joined #openstack-keystone03:31
*** rm_work|away is now known as rm_work03:31
*** rm_work has joined #openstack-keystone03:31
*** charlesw has quit IRC03:40
*** browne has joined #openstack-keystone03:40
*** kiran-r has quit IRC03:44
*** markvoelker has joined #openstack-keystone03:46
*** markvoelker has quit IRC03:51
*** htruta_ has quit IRC03:55
*** rm_you has joined #openstack-keystone04:37
*** _cjones_ has joined #openstack-keystone04:45
*** markvoelker has joined #openstack-keystone04:47
*** _cjones_ has quit IRC04:49
*** markvoelker has quit IRC04:51
openstackgerritMerged openstack/keystone-specs: Add side-by-side comparison of v2 and v3 APIs
*** boris-42 has quit IRC05:12
*** rm_you has quit IRC05:19
*** ankita_wagh has quit IRC05:24
*** vilobhmm has quit IRC05:28
*** belmoreira has joined #openstack-keystone05:57
*** kiran-r has joined #openstack-keystone06:02
*** Kennan2 has joined #openstack-keystone06:07
*** Kennan has quit IRC06:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** stevemar has quit IRC06:10
*** vilobhmm has joined #openstack-keystone06:15
*** fangzhou has joined #openstack-keystone06:16
*** ankita_wagh has joined #openstack-keystone06:18
*** e0ne has joined #openstack-keystone06:25
*** e0ne has quit IRC06:31
*** ankita_wagh has quit IRC06:35
*** markvoelker has joined #openstack-keystone06:36
*** vilobhmm has quit IRC06:38
*** vilobhmm has joined #openstack-keystone06:39
*** markvoelker has quit IRC06:40
*** vilobhmm has quit IRC06:46
*** vilobhmm has joined #openstack-keystone06:49
*** vilobhmm has quit IRC07:01
*** henrynash has joined #openstack-keystone07:01
*** ChanServ sets mode: +v henrynash07:01
*** chlong has quit IRC07:06
*** rlt_ has joined #openstack-keystone07:06
*** ihrachyshka has joined #openstack-keystone07:17
jamielennoxlifeless: my pycon-au proposal was always fairly generic, it's actually not that far off07:22
lifelessjamielennox: sure, I know.07:27
lifelessjamielennox: but that wouldn't be heckling you. And we do want it touched up please :)07:27
jamielennoxlifeless: yea, no worries - i sat down to do it thinking it was going to be a PITA, but it's not that bad07:28
*** ncoghlan has quit IRC07:36
jamielennoxlifeless: done07:47
*** fangzhou_ has joined #openstack-keystone07:48
*** browne has quit IRC07:49
*** fangzhou has quit IRC07:49
*** fangzhou_ is now known as fangzhou07:49
lifelesscool thanks07:58
*** jamielennox is now known as jamielennox|away08:00
*** pnavarro has joined #openstack-keystone08:09
*** boris-42 has joined #openstack-keystone08:17
*** e0ne has joined #openstack-keystone08:18
*** rushiagr_away is now known as rushiagr08:18
*** markvoelker has joined #openstack-keystone08:25
*** afazekas has joined #openstack-keystone08:25
*** e0ne has quit IRC08:25
*** markvoelker has quit IRC08:29
*** aix has joined #openstack-keystone08:32
*** henrynash has quit IRC08:45
*** viktors has quit IRC09:03
*** e0ne has joined #openstack-keystone09:28
*** tobe has quit IRC09:28
*** jasondotstar has joined #openstack-keystone09:41
*** Kennan2 is now known as Kennan09:49
*** e0ne is now known as e0ne_09:52
*** e0ne_ is now known as e0ne09:54
openstackgerritDave Chen proposed openstack/keystone: Remove redundant config
*** davechen1 has left #openstack-keystone09:56
*** dims has joined #openstack-keystone10:09
*** markvoelker has joined #openstack-keystone10:13
*** markvoelker has quit IRC10:18
*** fangzhou has quit IRC10:20
*** fmarco76 has joined #openstack-keystone10:21
*** fmarco76 has quit IRC10:21
*** afazekas has quit IRC10:44
*** fangzhou has joined #openstack-keystone10:45
*** samueldmq has quit IRC10:51
*** dims has quit IRC10:57
*** vg_ has joined #openstack-keystone11:00
vg_Hello Community folksd11:00
*** henrynash has joined #openstack-keystone11:00
*** ChanServ sets mode: +v henrynash11:00
vg_I need help with the Identity service policy assignments11:01
vg_I have a very specific ques. for that11:01
*** samuel has joined #openstack-keystone11:02
marekdvg_: i suggest waiting for ayoung11:02
marekdhe should be here soon11:02
*** samuel has quit IRC11:02
marekdhe is the policy master11:03
marekdas well as samuelmmq who apparently is not here now.11:03
*** samuel has joined #openstack-keystone11:03
*** samuel has quit IRC11:03
*** samueldmq has joined #openstack-keystone11:04
*** wuhg has quit IRC11:04
vg_thanks much  <+marekd> I am eagerly waiting11:04
vg_<samuelmq> would you be able to help me on policy for keystone please11:05
marekdsamueldmq: vg_  has a question for ya11:05
vg_I posted it in ask ..
samueldmqmarekd: vg_ hi, sure11:05
*** dims has joined #openstack-keystone11:06
samueldmqvg_: I'll be glad if I can help11:06
vg_I am defining the custom role policies , but even after modifying it , my changes are not getting reflected11:06
vg_thanks <samueldmq>11:06
vg_i am here if you need more elaboration on the ques. or use case11:07
*** afazekas has joined #openstack-keystone11:07
samueldmqvg_: reading your message in the ML (once I get some coffee) :)11:08
vg_thanks no worries...11:08
openstackgerritMerged openstack/keystone: Imported Translations from Transifex
samueldmqvg_: on your third point in there .. when you say http://<openstack-server-ip>/identity/<project-id>/detail/11:11
samueldmqvg_: you're talking about horizon, right ?11:11
samueldmqvg_: k I got what you want11:13
samueldmqvg_: users are not owned by projects11:13
samueldmqvg_: so in project_id:%(, this second part will evaluate to None, and the whole rule fails11:14
samueldmqvg_: so you can't perform any action contaning that check11:14
samueldmqvg_: users are owned by domains11:15
samueldmqvg_: I'd suggest you to allow the domain_admin to manage users instead, and then check domain scope11:15
samueldmqvg_: so it should be something like : domain_id:%(, which means11:16
samueldmqvg_: the scope in the token (the first domain_id) must be equal to the target (user) domain id11:17
samueldmqvg_: adding role:domain_admin to that rule would mean that you allow, let's say, create_user for someone who has domain_admin role on a given domain and is trying to add users to the domain he/she admins11:18
samueldmqvg_: is that clear so far ?11:18
*** e0ne is now known as e0ne_11:19
vg_yea , the domain part is clear to me that users should be maintained by domain11:20
vg_I am trying to map a rule , is it like this ?11:20
vg_"Tenant_Admin": "role:domain_admin or rule: domain_id:%(",11:20
vg_"identity:create_user": "rule:admin_required or rule:Tenant_Admin",11:20
samueldmqvg_: makes sense, however Tenant_Admin could be called domain_admin :)11:20
samueldmqvg_: so with this, you need a user with a domain scoped token11:21
samueldmqvg_: (so the domain is in the token, its scope more specifically)11:22
samueldmqvg_: however Horizon does not understand/use domain scoped tokens11:22 would i show that up in Horizon dashboard11:23
vg_from the dashboard i fire up the API , which should be mapped to this rule for any user11:24
samueldmqvg_: I am not sure we could have a workaround that works the same for Horizon11:25
samueldmqhenrynash: morning, you around ? ^11:26
samueldmqvg_: at very least you could specify just the role11:27
samueldmqvg_: but in that case, one would be able to CRUD users in any domain (since we weren't doing scope checking)11:27
samueldmqvg_: and having 'domain_admin' or 'user_admin' role in a project sounds weird11:28
henrynashsamueldmq: hi11:28
*** markvoelker has joined #openstack-keystone11:29
*** e0ne_ has quit IRC11:29
vg_so i have the project_admin role created and in my keystone policy,json file i just added a role "Domain_Admin": "role:project_admin or rule: domain_id:%(",11:30
samueldmqhenrynash: vg_ wants to create a domain_admin role which defines whether one can CRUD users or not11:30
vg_<samueldmq> yes both doesn't make sense11:30
henrynashok, sur11:31
samueldmqhenrynash: I told him rules on the user CRUD should look like 'role:domain_admin or rule: domain_id:%('11:31
samueldmqhenrynash: however he wants to use that through Horizon, which does not understand domain scoped tokens11:31
samueldmqhenrynash: do you know any workaround that could provide similar behavior ?11:31
henrynashsamueldmq: I thought they started supporting domain tokens in Kilo, no?11:31
samueldmqhenrynash: I don't think so .. let me check11:32
henrynashsamueldmq: I though there was a patch to add that support…or so I heard11:32
vg_no even though their docs say it so , but I just stood up new kilo instance and it doesn't have that11:33
*** markvoelker has quit IRC11:34
samueldmqhenrynash: so it doesn't, just confirmed in #horizon11:36
henrynashsamueldmq: ouch11:37
samueldmqhenrynash: what I suggested him is to create 'user_admin' and assign this in a project, where the user can get a token11:37
samueldmqhenrynash: and we could at very least check the project's domain id matches the domain where you're trying to create the usre11:38
henrynashsamueldmq: yes, I have seen that done before11:38
samueldmqhenrynash: I think that's the best we can do without domain scoped tokens11:38
henrynashsamueldmq: I’m stunned that this didn’t yet get into Horizon11:38
samueldmqhenrynash: and as far as I can tell, they don't intend to11:39
samueldmqhenrynash: should domain-as-a-project be solving this somehow ? maybe ..11:39
*** jasondotstar has quit IRC11:43
henrynashsamueldmq: welll…that was the whole thing about have dual tokens!11:47
samueldmqhenrynash: we could even do that with a project scoped token .. for example11:49
samueldmqhenrynash: 'role:domain_admin and project_id:%('11:50
samueldmqhenrynash: if the project has is_domain=True, project_id:%( should match pretty fine :)11:51
vg_<samueldmq> so you suggest that i create new user with name "user_admin" assign it to project and then you are trying to get a token for this user (which we can get by simple curl call ) and then you want to check the domain of the project and match the domain_id?11:51
samueldmqvg_: first, one of your requirements is to managing users thorugh Horizon, right?11:52
*** boris-42 has quit IRC11:52
samueldmqvg_: I suggest you to create a role called 'user_admin' (which can be assigned to a user on a given project)11:53
samueldmqvg_: and yes, your last sentence is fine : 'check the domain of the project and match the domain_id'11:53
henrynashsamueldmq: interesting idea....11:55
samueldmqvg_: however not sure we can do this with our current policy capabilities (the way we define the roles)...11:55
samueldmqvg_: I am not sure you can define something like : project.domain_id:%(
vg_nopes I don't think project.domain_id would work11:57
samueldmqvg_: since that first part is what comes from the token, and we have only the project_id in there11:57
samueldmqvg_: and if you don't put any constraint on the scope, one with that role would be able to create users everywhere11:58
samueldmqhenrynash: yes that makes sense, it is a good idea, isn't it ? :)11:58
samueldmqhenrynash: keep that in mind and mull a bit on that, it may work pretty fine11:58
henrynashsamueldmq: you’re a genious11:59
henrynashand a genius11:59
samueldmqvg_: henrynash haha not that much :-)11:59
*** pc_m has joined #openstack-keystone11:59
samueldmqvg_: oops .. for you I wanted to say ... without scope checking , we're falling in bug #96869611:59
openstackbug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] - Assigned to Adam Young (ayoung)11:59
samueldmqayoung: cc ^ bug "9 6 8 6 9 6" :-)12:00
vg_i am not happy they missed the major functionality to have Horizon have this should be there asap12:00
vg_yes , i was just about to mention that12:00
samueldmqvg_: well there are alternatives way to solve that issue, one is as I just mentioned with henrynash12:00
samueldmqvg_: we are moving very well towards those directions in this cycle12:01
*** bknudson has quit IRC12:01
samueldmqvg_: we're working towards : v3 compability everywhere (v3 defines domains) + dynamic policies12:01
samueldmqvg_: where we will providing a much better way to define policies, with role inheritance, etc12:02
samueldmqvg_: and policy changes would occur via api, instead of requiring you to be using an out-of-band mechanism to update policy (the policy.json file)12:02
*** markvoelker has joined #openstack-keystone12:05
samueldmqhenrynash: this way we could even kill domain-scoped tokens, well, at least this is an idea to be considered12:07
samueldmqmorganfainberg, raildo, htruta cc ^12:08
*** e0ne has joined #openstack-keystone12:08
*** radez_g0n3 is now known as radez12:09
openstackgerrithenry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config
samueldmqhenrynash: and dynamic policies is moving ... ayoung and I had an agreement yesterday on the scope for L, we had some diagrams, roadmap at
samueldmqhenrynash: make sure to check it out once you have some time :)12:10
henrynashsamueldmq: well, we’d need to add the is_domain to the token…or support a “lookip” via the poliy rule12:11
samueldmqhenrynash: to make sure someone has role 'domain_admin' in the domain with id X instead of in the project with id X ?12:13
samueldmqhenrynash: we woudln't need if we unified assignments, which may have other implications thought12:13
henrynashsamuelmq: a (say) user create have just a domain ID (which will be the same as the project ID acting as the domain)….but for it to check that this project ID really is a domain, you’d want the is_domain to be in the token12:16
samueldmqhenrynash: sure, unless we had a kind of dual-scoped token, which could be implemented by just unifying the assignments12:17
samueldmqhenrynash: and providing the scope in the token as 'project' anyway12:17
samueldmqhenrynash: I think the guys here who are working with reseller are considering this possibility12:18
henrynashsamueldmq: that’s what I’m saying….we only have project scoped tokens, we just always include the is_domain=True/False maybe in every token….then it’s up the the poly rule to refer to it12:18
henrynashsamueldmq: I *think* this woud work :-)12:19
henrynashsamueldmq: to you want to write this up…or I’m happy to (and will credit you with the idea)12:21
htrutamorganfainberg has strongly rejected the is_domain on the token request12:22
htrutasamueldmq, henrynash ^12:22
henrynashhtruta: this isn’t in the request, it’s in the token that gets generated12:23
henrynashhtruta: morganfainberg & I have just agreed to disagree, but I respect his call to not do this on the request.12:23
henrynashhtruta: the token contents are different however….we’ll see later if he also has an issue with ths12:24
samueldmqhenrynash: I think we don't even need to put that in the token, if unifying assignments isn't an issue12:24
henrynashsamueldmq: that’s the bit I don’t follow…where does the polciy rule get is_domain from?12:25
samueldmqhenrynash: so if you request a project scoped token, and that has user_admin role, you should be able to manage users, making checks on the domain_id i nhte policy12:25
samueldmqhenrynash: that's whether we unify assignments or not, if we unify, you have a single entity (a project) that represents both the domain and the porject side12:25
*** bknudson has joined #openstack-keystone12:25
*** ChanServ sets mode: +v bknudson12:25
htrutawe discussed that yesterday, and morganfainberg gave us two options12:26
htruta1 - do not allow getting project scoped token to is_domain projects (at least not in liberty)12:26
*** fangzhou has quit IRC12:26
htruta2 - kill domain scoped tokens12:26
henrynashsamueldmq: not sure how that works….you do need in policy rules to make domain special somehow, or someone can make their own project special12:27
samueldmqhenrynash: that'd be aligned with 2. above (as htruta said)12:27
samueldmqhenrynash: oh wait12:27
henrynashI’m all for killing domain tokens12:27
samueldmqhenrynash: when you check 'project_id:%('12:28
samueldmqhenrynash: in let's say, create_user12:28
henrynashsamueldmq: we just look in the user entity12:28
henrynashsamueldmq: “target” here is a user entity12:29
samueldmqhenrynash: you indeed check that project_id is a domain , in the create_user in the controller, it will validate as a valid domain12:29
henrynashsamueldmq; yep…which is why I said it eitehr needs to be in the token12:29
samueldmqhenrynash: it already validates domains in the controller level12:30
henrynashsamueldmq: or we add some kind of lookup to teh policy support (which I don’t like)12:30
samueldmqhenrynash: where a domain is expected to be provided12:30
samueldmqhenrynash: controller/manager level12:30
henrynashsamueldmq:  I guess that’s true…..hmmm…but not sure if I like the split checks12:31
henrynashsamueldmq: it would be hard to know what you are limiting when writinga policy rule without knowing the code….12:32
samueldmqhenrynash: we already have that today, yes I agree that's a kinf of hacking12:32
samueldmqhenrynash: that is not very explicit/clear in the policy definition12:32
samueldmqhenrynash: but for sure an idea to be considered :)12:32
henrynashsamueldmq: Ok, let me take a crack at a quick blueprint for this!12:33
samueldmqhtruta: henrynash is 100% for killing domain scoped tokens ;)12:33
samueldmqhenrynash: nice, htruta and guys here will consider this as well, they are the right guys to be synchronizign with12:34
henrynashsamueldmq: good ideas, guys12:35
samueldmqayoung: I am updating that sequence diagrams to start with the right numbers (some of them start with action 14, etc)12:36
samueldmqayoung: let me know when you're available so we can talk more about details on that thing12:36
samueldmqayoung: and I am planning to start missing specs today, at least to have a first version12:37
ayoungsamueldmq, ok,  so question:  what happens to the stock policy when a dynamic policy is fetched?12:37
samueldmqayoung: since we've agreed on that workflow, let's define the specs, to have something very nicely defined by the end of next week12:37
samueldmqayoung: how does keystone generate the dynamic policy based on the stock policy ?12:38
ayoungsamueldmq, I think the two things we need up front are the Keystone API changes and the ability to fetch the policy from Auth token middleware12:38
ayounglets put that question aside12:38
samueldmqayoung: so keystone stores 1) stock policy and 2) custom policy (a kind of diff for what the admin has customized)12:38
ayoungwe can deal with that later, here is what I am thinking12:38
samueldmqayoung: so it gets stock policy for that endpoint, and overrides with what is in the custom policy12:39
ayoung1.  There is always a stock policy on the server, so that it can run even if Keystone has nothing for it12:39
ayoungwe need that as a migration strategy if nothing else12:39
samueldmqayoung: if the CMS has not uploaded a stock policy for an endpoint12:39
samueldmqayoung: we fall bakc, and do not apply the dynamic policy mechanism12:39
samueldmqayoung: the admin ccan't even customize, since there is nothing to be based on12:40
ayoungAt start up, or upon first user request,  the service requests a policy from keystone.  Let's say keystone has something for it.  Where does it go?  Same directory as the stock policy?  are they additive?12:40
*** woodster_ has joined #openstack-keystone12:40
samueldmqayoung: the CMS is expected to be uploading the policy which is shipped with the code as the stock policy12:41
ayoungOr, do we say it is all or nothing;  either we use the stock policy, or we use the dynamic policy, not both together12:41
ayoungso, one thing we could do is this12:41
*** raildo has joined #openstack-keystone12:41
samueldmqayoung: so at very last, it would be overwriting it with itself12:41
ayoungupon start up, create a cache dir.  copy the stock policy into cache.  Then, upon fetch, we wipe out the cache12:41
*** jasondotstar has joined #openstack-keystone12:43
ayoungsamueldmq, so upon starting Nova, it could try to post its stock policy to Keystone12:44
ayoungand then we need to merge.  How do we determine if the stock policy is new or not?  I'm thinking SHA256 and Keystone tracks all the uploaded policy files.12:45
*** dims has quit IRC12:46
ayoungsamueldmq, when doing the certs for PKI, we had decided to wait until first request to fetch certs, as we did not want to rqure that the keystone server was up in order to start Nova.  We'll have the same concern here, too12:46
*** dims has joined #openstack-keystone12:46
openstackgerrithenry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config
samueldmqayoung: let me see if I understand12:48
samueldmqayoung: you propose to have middleware uploading stock policy to keytone, instead of having the cms ?12:48
samueldmqayoung: I think the idea on having the dynamic policy created based on the stock + what the amdin has customized is the key12:49
samueldmqayoung: since when a service upgrades, cms only needs to update stock policy on keystone12:50
samueldmqayoung: stcok policy can be associated to url, region or service, where we find hierarchically for a stock poliyc of a given endpoint12:50
raildohenrynash, ping, I totally agree with kill domain tokens,  but I understand the other side, so imo, now in Liberty we can stay with don't allow getting project scoped token to is_domain-True, and in M we can discuss a better solution for that issue. What do you think?12:59
samueldmqraildo: so the option 5 ?13:00
raildosamueldmq, unfortunately :(13:00
samueldmqraildo: I think that may be a wise choice, since we introduce domain hierarchies, and have more time to think how to do it the best we can13:00
samueldmqraildo: not against having is-domain or any other option, but we would have more time to think about, as you said13:01
samueldmqraildo: I am with you on this point o/13:01
openstackgerrithenry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config
henrynashraildo: let’s see…I’ll push for L !!13:01
raildohenrynash, haha13:02
raildohenrynash, so, what we have to do to convince the other guys?13:02
samueldmqhenrynash: that's something great, however we can't do that when cores are 50% for and 50% against doing it now :)13:03
samueldmqraildo: ++13:03
henrynashraildo: my argument is….this (unless there’s a gremlin we haven’t thought of) will fix Horizon and everyone’s issuson domain tokens. We won’t kill them yet (you can still ask for one), but by inluding is_domain=True in the token it lets us write policy files that don’t need domain tokens13:04
samueldmqayoung: do what I said above make sense ?13:05
samueldmqayoung: that's related to the default policy thing, if no policy is specified for an endpoint13:05
*** HenryG has quit IRC13:05
*** HenryG has joined #openstack-keystone13:05
samueldmqayoung: in that case, I believe we should step-back, and let the old mechanism in place (i.e do not touch /etc/nova/policy.json)13:06
ayoungsamueldmq, it can be either CMS or Nova itself, depending.  CMS is probably better workflow, less surprise13:06
*** HenryG has quit IRC13:06
samueldmqayoung: nova uploading would be thorugh something like /policy API13:06
samueldmqayoung: but nothing says we cna't go for that in M if we decide13:06
ayoungso, when policy is fetched from Keystone, it will remove whatever is in the cache.13:06
samueldmqayoung: CMS is better for now13:07
ayoungwe start by populating the cache from stock13:07
*** HenryG has joined #openstack-keystone13:07
samueldmqayoung: exactly, it would be overwritting /etc/nova/policy.json13:07
ayoungthat *can* happen at startup13:07
raildohenrynash, in the other way, we age kind of mix project and domain admin and this can be a mess... that is the main argument to doesn't kill domains tokens now.13:07
samueldmqayoung: since stock on keystone is the same as that initially13:07
ayoungsamueldmq, OK,  I think we should create a sequence diagrams with the cache, and show the relationship between Auth token, the cache, Nova, and oslo.policy13:08
raildohenrynash, I want to do this, but I don't want to have 90% of core team hates me  hahahaha13:08
samueldmqayoung: ++ do you want to do so or can I grab that ?13:09
vg_<samueldmq> <+ayong> <HenryG> sorry i went for long meeting in here , can anyone of you please address this question here as well as to what we discussed above -
ayoungsamueldmq, take a first swipe at it, please13:09
samueldmqayoung: I am available to do so, but I am ok if you want to13:09
henrynashraildo: that’s ok, 45% can hate you, and the other 45% can hate me….the it’s less than 505 each13:09
samueldmqayoung: sure!13:09
vg_I will anyway try that policy changes as suggested13:09
henrynash(50% each)13:09
ayoungsamueldmq, if you want to start with one of the existing diagrams, that may make sense,  too13:09
dstanekah, boy. talking hierarchies again13:09
ayoungor do it as a stand alone, either way13:09
samueldmqayoung: that's exactly what I was thinking13:10
samueldmqayoung: that's something that exists, but will contain more details13:10
samueldmqayoung: ok will look what could be better13:11
samueldmqdstanek: that's part of the fun here :-)13:11
marekdboy, how do i run any osc command with existing token ?13:16
*** richm has joined #openstack-keystone13:16
marekdOS_TOKEN=token openstack --os-auth-type v3token server list   is correct?13:16
dstanekhenrynash: i had a good discussion with htruta last night and i think i managed to confuse myself.13:16
henrynashdstanek: join the clud13:17
marekddstanek: what was it about ?13:17
htrutadstanek: lol13:17
htrutais that a good thing?13:17
dstanekhtruta: no13:17
dstanekA<is_domain=True> is a domain obviously, but is also a project that is a child of that domain. Still blows my mind.13:18
marekdheh, what happens when you remove this project?13:19
dstanekmarekd: you can't physically because it's the same database record13:19
*** vg_ has quit IRC13:20
marekddstanek: but logically you want it to appear in your project list.13:20
marekdor you don't ?13:20
htrutadstanek: it is a project. but it's not a child.13:20
dstanekmarekd: if it holds resources like other projects (compute, etc) it would have to13:20
htrutait is a suoer-powerful project13:20
dstanekhtruta: but logically it acts as a child13:20
dstanekit i told you i had a project named A that was part of a domain A, would you know if it's is_domain=True?13:24
dstanekor like schrodinger's cat is it both until you check the box?13:25
*** dguerri` is now known as dguerri13:26
samueldmqayoung: would you be ok with adding those diagrams to the main wiki page itself13:27
samueldmqayoung: so we don't need to open a new page to see the diagrams13:27
htrutadstanek: hah. you would have to be clearer. if you say that it's part of a domain, I'd say that it's is_domain=false13:27
htrutaotherwise, it'll b both13:28
dstanekhtruta: i'm not worried about the way to get tokens, i'm worried about how to explain what is actually happening13:30
openstackgerrithenry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain
openstackgerrithenry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain
*** HT_sergio has joined #openstack-keystone13:33
samueldmqhenrynash: "identity:create_user": "rule:admin_required and project_id:%(user.domain_id)s and is_domain:True" :-)13:33
dstanekhenrynash: what is the actual difference between having a domain scoped token and a project scoped token with is_domain=True?13:34
*** kiran-r has quit IRC13:34
htrutadstanek: you just need to say that you have powerful projects that hold users and regular projects that, as it works today, don't13:34
henrynashdstanek: nothing (in theory)…13:34
*** charlesw has joined #openstack-keystone13:35
henrynashdtsanek: it’s just that you don’t need to understand domain tokens in order to get the later13:35
dstanekhtruta: but now you have siblings with the same name! so confusing13:35
henrynashdtsanek: so (for instance), Horizon would just *work*13:35
dstanekhenrynash: they'd have to change horizon to know enough about the domain concept to know when to ask for an is_domain=True though, right?13:36
samueldmqdstanek: unless we merge assignments and make the token work for both domain + project sides13:37
samueldmqdstanek: but I am nt sure about the implications of merging assignments, just seeing the possibility13:37
dstaneksamueldmq: i don't get that. to get around the ambiguity we've created they would have to know to ask for an is_domain=True token at least some of the time, but i would guess all of the time13:39
*** dguerri is now known as dguerri`13:40
samueldmqdstanek: requesting a token on a project which has is_domain -> True would always return a token with is_domain = True, meaning you could act as a domain orproject with that token13:42
samueldmqdstanek: kind of dual scoped token, that was being proposed by the guys here13:42
dstaneksamueldmq: but you'll have to specify is_domain=True in the token request because of the ambiguity13:42
samueldmqdstanek: k I got your point, you don't want a token to act as both project and domain13:44
samueldmqayoung: btw, talking to morganfainberg a few days ago, he suggested to make the policy fetch in its own middleware13:44
dstaneksamueldmq: ++13:44
samueldmqayoung: i.e, a separate filter from auth_tokne13:44
ayoungsamueldmq, nope13:44
ayoungsamueldmq, it is going to go along with gyee_ 's code for endpoint binding13:44
ayounghe's going to need it , too13:44
*** dguerri` is now known as dguerri13:45
samueldmqayoung: I'd be for splitting both :(13:45
samueldmqayoung: auth_token should be only about tokens13:45
ayoungso, since he insisted that gyee_ 's goes into ATM, policy fetch goes there too.  We can't do a check  before a fetch13:45
samueldmqayoung: auth_TOKEN :(13:45
samueldmqayoung: who said we couldn't put the policy filter on top of auth_token13:46
samueldmqayoung: instead of running after it ?13:46
samueldmqayoung: that's an independent task13:46
ayoungits all Keystone work13:47
*** henrynash has quit IRC13:47
ayoungmaking each service update pipelines is no more viable for Policy fetch than for endpoint binding13:47
marekdrodrigods: FYI, i am playing with our k2k auth plugin and it happens to work13:47
samueldmqayoung: k if you guys want me to write that on auth_token, I will hapilly do that13:47
samueldmqayoung: I really don't want to struggle on that point13:48
marekdi have small problems with scoping the token, but i think this might actually be a problem with server.13:48
samueldmqayoung: already ahving enough fun with the roadmap/scope ;)13:48
samueldmqayoung: oh that's a great point, so it'd require services updating their pipelines ..13:48
*** henrynash has joined #openstack-keystone13:48
*** ChanServ sets mode: +v henrynash13:48
*** dims is now known as dimsum__13:57
*** jdennis has quit IRC14:00
*** morgan has quit IRC14:02
*** morgan has joined #openstack-keystone14:03
*** morgan is now known as Guest9312614:03
*** pballand has quit IRC14:04
*** f13o has joined #openstack-keystone14:05
*** morganfainberg is now known as morgan-devserver14:06
*** morgan-devserver is now known as CaptainMorgan14:08
*** ihrachyshka has quit IRC14:09
*** sigmavirus24_awa is now known as sigmavirus2414:12
*** stevemar has joined #openstack-keystone14:24
*** ChanServ sets mode: +v stevemar14:24
CaptainMorganayoung: samueldmq: fwiw, the policy fetch and cache is going to be the hard part. Especially with multiple worker processes (mod_wsgi). This is cache is not easy to do right.14:25
ayoungCaptainMorgan, Is that Army Captain or Navy Captain?14:27
CaptainMorganPirate captain14:27
*** r-daneel has joined #openstack-keystone14:27
CaptainMorganRum running pirate captain. :P14:27
samueldmqCaptainMorgan: haha14:28
samueldmqCaptainMorgan: don't we solve a similar problem with certificates (or something else) ?14:28
*** archers has joined #openstack-keystone14:29
*** stevemar is now known as stevedoor14:29
CaptainMorgansamueldmq: sortof we store them to disk and load them every time.14:29
CaptainMorganPolicy is harder because they change more often. And almost no one uses pki tokens.14:29
samueldmqCaptainMorgan: and yes, finally we are in agreement, I am working on a couple of new diagrams and will pin g you later to get you view14:30
CaptainMorganWe also don't refectory certs14:30
CaptainMorganUnless the cache on disk is removed.14:30
CaptainMorganNow imagine running multiple nova api behind ha proxy on separate machines.14:31
samueldmqCaptainMorgan: let me understand the issue14:31
CaptainMorganThen cache coherency becomes a real headache, as all the policies need to be in sync.14:31
samueldmqCaptainMorgan: separate machines mean differetn URLs, right?14:31
*** josecastroleon has quit IRC14:31
CaptainMorganYou can't have some workers for an endpoint with different policy files.14:31
samueldmqCaptainMorgan: or is the proxy URL the endpoint URL,14:32
bretonwhat's the problem with cache coherence if we use multiple memcaches?14:32
CaptainMorganNo, you can have separate machines behind ha proxy meaning same url14:32
samueldmqCaptainMorgan: HMMM ;; so updating policy should be an atomic operation through different machines14:32
CaptainMorganbreton: forcing the use of memcache is one option.14:32
bretonCaptainMorgan: s/memcache/redis/14:32
CaptainMorgansamueldmq: it has to be atomic for all api processes for a given endpoint.14:33
CaptainMorganThis is a hard problem. It always will be a hard problem.14:33
samueldmqCaptainMorgan: great sentence, captain14:33
* samueldmq is going to have lunch, back in a bit14:33
CaptainMorganbreton: sure that is an option, it likely means we will see a slow adoption of dynamic policy. I'm not opposed to it though.14:34
bretonhm, ok.14:34
*** jasondotstar has quit IRC14:35
samueldmqCaptainMorgan: if policy was stored into db prior to policy.json file, this problem should be solved14:35
CaptainMorganDoesn't matter how you cut it, it is adding either a lot of developer overhead or a lot of operator overhead.14:35
CaptainMorgansamueldmq: how?14:35
samueldmqCaptainMorgan: I mean, db coherency/replication would take care of the hard part for us14:35
CaptainMorganHow? You can't wave hands and say db solves it :P14:35
* samueldmq waves hands14:36
bretonalso, /me hit all the caveats of per-domain config and openldap and using v3 in juno14:36
samueldmqCaptainMorgan: services would need to store their policies into their dbs14:36
samueldmqCaptainMorgan: this solves, but not sure this is the best soltuion/can be adopted14:36
CaptainMorgansamueldmq: unlikely to fly. The services own their dbs. Keystone owns the policy and fetcher.14:36
CaptainMorganAlso the db then has to be queried on every request for policy updates.14:37
bretonthere is not enough docs about domains14:37
samueldmqCaptainMorgan: ok14:37
*** jasondotstar has joined #openstack-keystone14:37
samueldmqCaptainMorgan: tell me ...14:37
CaptainMorganbreton: you should bug henrynash about that too.14:37
samueldmqCaptainMorgan: how to admins update a policy when they have multiple machines representing a single endpoint ?14:37
samueldmqCaptainMorgan: how to they update N policies atomically ? we should solve this similarly14:38
CaptainMorgansamueldmq: they use cms and restart the endpoint sorry have a small window of an outage.14:38
CaptainMorganWith auto updates across nodes and processes you have less control of when this happens.14:38
CaptainMorganA lot less control.14:39
samueldmqCaptainMorgan: that's an interesting challenge, captain, I will mull on it a bit more14:40
* samueldmq 's gonna have lunch14:40
*** charlesw has quit IRC14:43
*** dguerri is now known as dguerri`14:44
samueldmqCaptainMorgan: each process behind the proxy has its own middleware, right ?14:45
*** charlesw has joined #openstack-keystone14:45
samueldmqCaptainMorgan: so each middleware is in charge of fetching/updating the cache of the policy for its service14:47
samueldmqCaptainMorgan: so updating isn't an issue, but the time window between middlwares updating their policies14:47
samueldmqCaptainMorgan: is that right ?14:47
*** dvorak is now known as clayton14:49
*** archers has quit IRC14:50
*** dguerri` is now known as dguerri14:50
*** spandhe has joined #openstack-keystone14:51
*** f13o has quit IRC14:53
dstanekanyone have any thoughts on this:
openstackLaunchpad bug 1466893 in Keystone "Keystone wsgi will not start after upgrade on neutron grenade jobs some times" [Critical,New]14:53
*** f13o has joined #openstack-keystone14:54
stevedoordstanek, don't use neutron14:56
bknudsondstanek: is the first error "Target WSGI script '/var/www/keystone/admin' cannot be loaded as Python module." causing the next error?14:56
bknudsonor is it really one error message?14:56
samueldmqhenrynash: @david-lyle | samueldmq: there is a set of patches to support domain-scoped tokens, but they have not merge yet14:56
samueldmqhenrynash:  @david-lyle | and
stevedoormaybe it's the monkey patching?14:57
bknudsonI wonder what /var/www/keystone/admin looks like ... if it's normal or not?14:57
dstanekbknudson: it's the kilo version14:57
bknudsonyou can look at it?14:58
dstanekno, but i asked sdague14:58
*** diazjf has joined #openstack-keystone14:58
charleswHi folks, we have a swift cluster using keystone PKI token to authN. The token expiration time is 8h. In swift's keystone middleware config, the default revocation_cache_time is 10 (seconds), and token_cache_time is 300 (s). Sometimes we saw in swift proxy-server.error log: WARNING:swift:Fetch revocation list failed, fallback to online validation   WARNING:swift:Authorization failed for...14:58
charlesw...token. Seems like the service user's token becomes invalid quickly even though exp time is 8h. We see 401 errors frequently when fetching revocation_list from keystone server which cause re-authentication for the service user to retry to fetch revocation_list. We also see GET / call to keystone server right after the re-authentication. Keystone server uses memcached to store revocation...14:58
charlesw...list. Any clues?14:58
*** Ephur has joined #openstack-keystone14:59
dstanekbknudson: i think that "could not be loaded" is part of the exception below it14:59
bknudsondstanek: it looks like the startup worked in several cases but then one of them fails15:00
bknudsonthere's lots of "Deprecated: direct import of driver is deprecated as of Liberty in favor of entrypoints and may be removed in N." so it's running the new code already15:01
*** charlesw_ has joined #openstack-keystone15:01
dstanekyeah, i don't quite get it15:01
marekdrodrigods: ping.15:01
dstanekit's kilo wsgi running against master code15:01
rodrigodsmarekd, hi15:01
dstanekit seems like configure() is called twice, but i can't see how that could be15:02
bknudsonhere's another similar failure15:02
bknudsonbut it's not configure, it's can't import ec2.15:02
*** rushiagr is now known as rushiagr_away15:02
dstanekthat's interesting - missing deps?15:02
marekdstevedoor: rodrigods: do you agree that after we scope federated token, the groups should also be present in user['OS-FEDERATION']['group_ids'] ?15:02
*** zzzeek has joined #openstack-keystone15:03
stevedoormarekd, isn't that what we do now?15:03
bknudsondstanek: it doesn't look like it's really on startup. Apache just starts a new worker whenever it feels like it.15:03
*** charlesw has quit IRC15:03
*** charlesw_ is now known as charlesw15:03
marekdstevedoor: i just need confirmation...15:04
marekdbecause i also think we do that.15:04
*** browne has joined #openstack-keystone15:04
stevedoory we do15:05
rodrigodsmarekd, yep, but just not sure if they are already there too15:05
stevedoormarekd, we do it for unscoped only i think15:05
marekdstevedoor: don't....15:05
bknudsondstanek: keystone is started with L code at around 13:33:16 and this failure occurs at 13:35:5615:05
marekdstevedoor: if we scope the project the groups are not added, just roles.15:06
rodrigodsmarekd, stevedoor maybe a bit confusing displaying groups that don't have role_assignment in the project/domain of the token scope?15:06
bknudsondstanek: it's like maybe mod_wsgi isn't cleaning up after itself properly15:06
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Unified delegation spec
stevedoormarekd, right, after a scoping its just the roles15:06
bknudsondstanek: one obvious workaround is to catch the exception15:06
marekdstevedoor: which basically means you cannot rescope from existing token... ?15:07
stevedoormarekd, explain that more please15:08
*** belmoreira has quit IRC15:08
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Unified delegation spec
*** amakarov_away is now known as amakarov15:09
marekdstevedoor: wait, once I have a normal token, and a user exists in the backend, how does he rescope the token (to different project). Is it even possible?15:09
marekdstevedoor: actually i don't understand why would we even put roles in OS-FEDERATION ?15:09
marekdrodrigods: ^^15:10
marekdin the token['user'][OS-FEDERATION']15:10
dstanekbknudson: i guess it would be possible to get a dirty process from apache, but that seems unlikely15:10
stevedoormarekd, we don't put roles in user.os-federation, we put it at the top level15:11
dstanekbknudson: according to sdague then happens mostly on neutron jobs and ever then it isn't all of the time15:11
dstanekso why is neutron different?15:11
*** henrynash has quit IRC15:11
marekdstevedoor: ah, ok15:11
dstanekcharlesw: so you are seeing your service user's tokens expiring too quickly?15:12
stevedoormarekd, i'm not sure the user can rescope the token?15:12
marekdstevedoor: stevedoor you are right, my bad.15:12
marekdstevedoor: shall we put groups in the scoped tokens too ?15:13
charlesw@dstanek: yes. It's strange. Swift client's token seems fine though.15:13
dstanekcharlesw: is there something in the revocation list maybe saying that it was invalidated?15:14
*** jsavak has joined #openstack-keystone15:14
pc_mstevedoor: hi. Do you have time for some questions? morganfainberg pointed me your way.15:15
rodrigodsmarekd, I'm worried about the semantics of having groups in a scoped token (groups that don't have role assignment in the token scope)15:15
marekdrodrigods: it's about your identity15:15
marekdrodrigods: it's all you get ,as an ephemeral user.15:16
bknudsondstanek: neutron jobs might drive more token creation15:16
bknudsonmore communication with keystone15:16
bknudsonand more concurrency15:16
rodrigodsmarekd, but the identity in a scoped token is a "targeted" identity IMHO15:16
david8husamueldmq, ayoung, CaptainMorgan, The sequence diagram step 8 from the wiki calls for overriding of default policy with custom policy.  Is there a plan to provide an API to indicate default verses custom policy?  I assume not, so it should be a policy orverriding a previous policy already in the db.  The previous policy does not need to be the default policy that originally shiped with each service.  It could a policy tha15:16
david8hut already overriden the default policy, and service simply overrides it with an update.15:16
marekdrodrigods: can we rescope scoped token today?15:17
dstanekbknudson: in your example i'm wondering what sys.module['keystoneclient'] actually is15:17
rodrigodsmarekd, I believe we can15:17
*** Zanatoz has joined #openstack-keystone15:17
bknudsondstanek: example?15:17
stevedoorpc_m, whats up15:18
pc_mstevedoor: I'm doing some researching/investigating and would like to know if/how to support the scenario I have.15:19
charlesw@dstanek, the revocation list fetching failed with 401 error. Could it be the service user's token is revoked? It has to re-authN and re-fetch the revocation list.15:20
stevedoorpc_m, what's your scenario look like?15:20
*** jlibosva has joined #openstack-keystone15:20
bknudsondstanek: ?15:20 bug 677735 in z_other "Pulp process becomes unresponsive after a few days" [High,Closed: currentrelease] - Assigned to jslagle15:20
bknudsonthat's pretty old15:21
pc_mstevedoor: Essentially an AWS Direct Connect scenario, where user Joe, wants to give Sally (someone external to OpenStack) authorization to perform some Neutron commands, like add a subset/network, set a GW IP, etc.15:21
jlibosvahi, we have issue on gate in grenade job with Neutron. I'm not very familiar with keystone logs, is there anybody willing to help me to understand?15:21
dstanekbknudson: well, it python thinks that keystoneclient.contrib.ec2 doens't exist maybe in got the wrong module in the import pth or something15:21
pc_mmorganfainberg suggested OAuth1.1. Would that work?15:22
dstanekjlibosva: that's probably the issue we are talking about now15:22
bknudsondstanek: oh, y, I didn't notice it was keystoneclient and not keystone15:22
pc_mstevedoor: We don't want to give Sally, Joe's auth credentials.15:22
jlibosvadstanek: can you give me tl;dr?15:22
jlibosvaI just joined channel15:22
stevedoorpc_m, and you dont want to give sally her own credentials?15:23
dstanekjlibosva: we are looking into
openstackLaunchpad bug 1466485 in Keystone "duplicate for #1466893 keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Confirmed]15:23
jlibosvadstanek: thanks!15:23
jlibosvadstanek: yep, thats it! :)15:23
bknudsondstanek: the documentation for mod_wsgi doesn't expire confidence:
pc_mstevedoor: Not sure. Sally would be an Internet Provider, for example.15:23
stevedoorpc_m, then i think the oauth module is what you want15:23
pc_mstevedoor: I did see a link from morganfeinberg on OAuth, some questions for you on that...15:24
stevedoorpc_m, it essentially enables an openstack user to delegate a role on a project to an external party15:24
pc_mstevedoor: Yeah, that is what I'm looking for.15:24
stevedoorpc_m, sure (leaving for lunch in ~ 15 minutes) - but fire away15:24
pc_mstevedoor: I'll try to be quick...15:25
stevedoorpc_m, meh, there's always email :)15:25
pc_mstevedoor: What release supports OAuth?15:25
stevedooroh it's been there for a while, grizzly/havana?15:25
pc_mstevedoor: I can do that, can you PM me your email?15:25
*** pballand has joined #openstack-keystone15:26
pc_mstevedoor: thanks! Let me shoot you an email.15:26
*** jasondotstar has quit IRC15:26
stevedoorpc_m, cool cool15:26
bknudsondstanek: I guess they switched to
openstackLaunchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Confirmed]15:26
dstanekbknudson: yeah, i mentioned in -qa this morning that the bug was already reported15:27
*** jasondotstar has joined #openstack-keystone15:28
dstanekbknudson: the example you found was using ksc 1.3.1 which i'm assuming has that module15:29
*** edmondsw has joined #openstack-keystone15:30
*** vilobhmm has joined #openstack-keystone15:31
bknudsondstanek: it just randomly switches from one version of ksc to another?15:31
dstanekdo you see it using a different version?15:32
bknudsonor does apache report that error if it's been running for a while and an exception escapes?15:32
*** pnavarro has quit IRC15:32
bknudsondstanek: I don't see it using a different version, but why is the error reported only once and not every time?15:32
*** browne has quit IRC15:33
bknudsonor does apache only report the error on startup?15:33
dstaneknot sure. i would expect apache to report that for each process15:34
bknudsondstanek: !!! --
bknudsonthis is just random15:35
bknudsonI guess it's back to eventlet since mod_wsgi is such a turd15:35
dstanekwhoa...something is getting seriously messed up15:36
bknudsonmaybe there's some docs that indicate we're doing something totally wrong15:36
stevedoorbknudson, from oslo_utils import excutils15:36
*** jsavak has quit IRC15:37
stevedoormaybe it's a library issue?15:37
*** Lactem has joined #openstack-keystone15:37
LactemHey @dolphm.15:37
dstanekstevedoor: probably not in all of the libs15:37
*** jsavak has joined #openstack-keystone15:38
*** _cjones_ has joined #openstack-keystone15:38
dstanekbknudson: could there be some stevedore recursion in there?15:38
bknudsondstanek: why would it only happen once and not every time?15:39
dstanekthe line before the error indicates that something is loading by the full class path, but the traceback show stevedore loading stuff15:39
* bknudson thought dstanek was going to fix all this dependency stuff.15:40
*** vilobhmm has quit IRC15:40
dstaneki don't think this is a dependency issue :-P15:40
dstanekand you guys keep slowing down my patches!15:41
bknudsonI guess we could add a LOG.debug so we know what driver is being loaded.15:43
LactemIs dolphm around at this time of day usually?15:44
dstanekLactem: sometimes15:44
dstanekLactem: need help?15:44
bknudsonI'm going to keep trolling through the mod_wsgi docs in case it says we're doing something wrong.15:46
dstanekbknudson: i'll add some debugs to maybe help us catch the issue15:46
bknudsondstanek: a log in httpd/ saying that it's calling "application = wsgi_server.initialize_application(name)" would help, too15:47
*** kfox1111 has joined #openstack-keystone15:47
bknudsonin case it's getting called multiple times in the same process15:47
bknudsonbecause that's something that we wouldn't be expecting15:47
dstanekbknudson: that would have to be back ported to kilo15:48
bknudsondstanek: maybe... but the logs where it fails are in L15:48
openstackgerritayoung proposed openstack/keystone-specs: certmonger
dstanekbknudson: it's L version of keystone but the wsgi script installed from kilo15:48
bknudsonthere's no diff in that file for L -> k15:49
bknudsonit changed from J in K15:50
bknudsonit's only 1 line of code, so not the most complicated15:50
*** marzif has joined #openstack-keystone15:50
bknudsonI'm not sure if you can call log function in httpd/ since logging wouldn't be configured yet15:51
*** kiran-r has joined #openstack-keystone15:51
*** marzif has quit IRC15:51
dstanekbknudson: that i'm not sure about. but we would have to backport - not saying that's hard, just that it has to be done15:51
Lactemdstanek: Kind of. We were going to pick up from yesterday.15:52
dstanekLactem: what troubles are you running into?15:52
*** marzif has joined #openstack-keystone15:52
LactemI'm not really sure what he was saying.
openstackLaunchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Incomplete]15:55
LactemHe told me to use keystone catalog and give him the output. It's in the pastebin.15:56
CaptainMorgancharlesw: what version of middleware are you running? My guess is 1.0.015:56
CaptainMorgancharlesw: that version has issues and Ubuntu and other distributions have not updated.15:56
dstanekLactem: are you seeing the log statements when you run the tests?15:56
bknudsondstanek: have you heard of mod_wsgi express?
LactemI don't think so. He said neither of them are there.15:57
*** charlesw_ has joined #openstack-keystone15:57
bknudsonI don't have mod_wsgi express installed on my system for some reason.15:57
dstanekbknudson: nope, but that's kinda neat15:58
CaptainMorgansamueldmq: each process has its own middleware running (instance). So all of them in an Apache group...or behind a single ha proxy must have policy updated at the same time.15:58
*** jlibosva has quit IRC15:58
dstanekLactem: i think he was giving you hints on where to debug15:58
*** belmoreira has joined #openstack-keystone15:58
bknudsondstanek: looks like it just stands up a private apache instance.15:58
*** marzif has quit IRC15:58
dstanekthat's a cool idea for testing15:59
CaptainMorgansamueldmq: or some requests can break erroneously (or succeed). Basically the entire group of processes behind an endpoint url must be updated atomically15:59
*** charlesw has quit IRC15:59
bknudsonI think I'd rather use a lighter-weight container.. nginx or something15:59
*** charlesw_ is now known as charlesw15:59
CaptainMorgandavid8hu: not sure.15:59
dstaneki prefer nginx -> gunicorn -> application15:59
CaptainMorgandstanek: I like uwsgi these days16:00
bknudsonwe should do that16:00
bknudsonrather than mess around with apache16:00
CaptainMorganbknudson: for?16:00
dstanekbknudson: we still have to support apache for federation afaik16:01
*** RichardRaseley has joined #openstack-keystone16:01
dstanekapache giveth and apache sucketh16:01
CaptainMorganApache has a better set of modules16:01
bknudsonapache -> gunicorn16:01
bknudsonforward the headers16:01
CaptainMorganbknudson: don't know how well that works. But Apache supports uwsgi pretty well16:01
dstanekthat's easy enough, but i'm not sure how that plays with the other modules16:01
CaptainMorganHaven't tried unicorn with Apache16:02
*** vilobhmm has joined #openstack-keystone16:02
bknudsonit's just reverse proxy16:02
CaptainMorganI also am generally not a fan of gunicorn. But that is a separate concern16:02
*** RichardRaseley has quit IRC16:03
*** RichardRaseley has joined #openstack-keystone16:03
*** RichardRaseley has quit IRC16:03
CaptainMorganPersonal bias.16:03
CaptainMorganNo real reason not to use it here.16:04
bknudsonmust have been attacked by a unicorn16:04
CaptainMorganNah, just a pain in the ass in the past with lots of weird crashes16:04
CaptainMorganLike I said, strictly a personal bias.16:04
*** RichardRaseley has joined #openstack-keystone16:04
bknudsonthat's what we're seeing with keystone in apache mod_wsgi16:04
CaptainMorganmod_wsgi has very tightly controlled requirements16:05
CaptainMorganAnd none of these will easily show when we break16:05
CaptainMorganWhen something goes wrong the errors and traces are not intuitive unless you're already past the wsgi loading16:06
CaptainMorganIt's always been that way, always will be.16:06
CaptainMorganAnd you can't call log from the file.16:07
bknudsonthat's a real downer.16:07
CaptainMorganThat error looks like a bad library ^^^ btw.16:08
CaptainMorganThe one that sparked this convo16:08
dstanekCaptainMorgan: which library? seems arbitrary16:08
bknudsonwe've seen errors from oslo.config, keystoneclient, and oslo.utils16:09
CaptainMorgandstanek: not sure. But also re,ember these wsgi wrappers will occasionally spawn a new worker and kill old workers. So if it has worked for a while and then suddenly breaks, I look at "what did you install between now and then"16:09
openstackgerritDavid Stanek proposed openstack/keystone: Adds some debugging statements
CaptainMorganWhenever an install of a lib is done that could affect Apache/wsgi a restart is needed.16:09
dstanekbknudson: i was thinking something like that. what other logging would be useful?16:10
bknudsonmaybe it's worth checking the grenade logs and see if it's installing stuff.16:10
*** e0ne has quit IRC16:10
bknudsonodd but possible.16:10
dstanekwell, maybe not so odd16:10
dstanekit's upgrading keystone from K->L16:11
CaptainMorganOk so this is likely oslo_utils16:11
dstanekmaybe the error happens before it restarts apache16:11
CaptainMorganThe oslo config error is because you hit an error before.16:11
CaptainMorganAnd the conf object already has things loaded.16:11
samueldmqCaptainMorgan: k so as each process has its own middleware, they will all be updated with the new policy, for sure16:12
CaptainMorganSo reregistering opts causes subsequent errors.16:12
samueldmqCaptainMorgan: the concern is that they all need to be atomic16:12
bknudsonstupid global variables!16:12
dstanekso an apache worker restarts during the keystone upgrade and the deps would be all out of whack16:12
CaptainMorgansamueldmq: yes they need to be atomic across all of them.16:12
samueldmqCaptainMorgan: and what windows we could consider them as being atomic ..16:12
bknudsonthat does make some sense. apache would discard the application16:12
CaptainMorgandstanek: yep. Possibly.16:12
bknudsonand in both cases they happened in pairs.16:13
CaptainMorganbknudson: yep. Ignore the oslo_config error it's a red herring here16:13
bknudsonnot sure what we'd do about it?16:13
samueldmqCaptainMorgan: sure, they would be updated in the first incoming request where timeout has been reached ..16:13
bknudsoncatch the exception in initializing and reset somehow?16:13
*** ankita_wagh has joined #openstack-keystone16:13
bknudsonthere might be all sorts of global state that's messed up.16:14
bknudsondrivers half-loaded16:14
CaptainMorganbknudson: this isn't something you can reset out of.16:14
CaptainMorganThis is a broken workflow in grenade16:14
samueldmqCaptainMorgan: but if timeouts may be reached in different timings in different processes .. or we shouldn't consider this16:14
bknudsonmaybe just need to restart apache again at end of upgrading16:14
*** gyee has joined #openstack-keystone16:14
*** ChanServ sets mode: +v gyee16:14
bknudsonif that's not happening already16:14
samueldmqCaptainMorgan: (I am assuming you can talk about this subject at the same time as well :))16:14
CaptainMorganYou cannot live upgrade keystone or mod_wsgi - it needs a restart.16:15
CaptainMorgansamueldmq: that is the issue of cache coherency. You need all the processes to update at the same time. Not at different times. The timeout must be synchronized16:15
bknudsonok, time to check out grenade16:15
CaptainMorgansamueldmq: this *is* the hardest part of this update for policy. And honestly why I think the central policy stuff cannot make it this cycle at this point. Scaffolding for it will happen. Centralization and consumption from keystone likely won't16:16
bknudson -- doesn't bode well16:16
bknudsonkeystone is first in the list16:16
samueldmqCaptainMorgan: k got it, that must be in the spec as well ;)16:17
CaptainMorganbknudson: grenade makes the assumption that pip install does 100% the right thing.16:17
CaptainMorganbknudson: so likely something has stomped on keystone's deps somehow.  Also mod_wsgi the way we have it configured doesn't load the worker until the first request.16:18
CaptainMorganSo Apache might restart fine and explode down the line16:18
bknudsonnot loading the worker until the request what made me think we'd be safe16:18
dstanekit looks like grenade shuts down keystone, does the upgrade and then restarts it16:18
bknudsonsince it wouldn't make requests until grenade is all done?16:18
CaptainMorganbknudson: it may make some requests before. Requests will trickle in as services are started16:19
bknudsonalthough maybe it does make requests during upgrade... checking service catalog16:19
CaptainMorganDue to middleware, etc catalog.16:19
*** spandhe has quit IRC16:19
Lactemdstanek: I thought he was saying that this bug might not require code changes / it's not really a bug.16:19
* CaptainMorgan is on a mobile device, so just talking about the stuff I know - not actually debugging it atm.16:19
dstanekLactem: i read that as him giving hints for where you can look to see if that's the case16:20
*** kiran-r has quit IRC16:21
dstaneki don't understand where the grenade pip-freeze.txt comes from16:22
dstaneklog clearly show upgrade installs ksk 1.6.0
dstanekpip-freeze.txt says 1.3.1
CaptainMorganWell when was pip-freeze run. Pre or post upgrade.16:24
CaptainMorganThat might be a pre upgrade.16:24
*** RichardRaseley has quit IRC16:24
CaptainMorganFrom devstack16:24
bknudsondevstack got support for running services in venv... seems like that would help?16:25
CaptainMorganbknudson: venv and mod_wsgi might have some oddities... Might.16:25
dolphmbknudson: lbragstad: \o/ checking out the token provider manager w/ stevedore patch...,unified16:25
lbragstadbknudson: I have a question16:25
CaptainMorganBut other services in venv - yes.16:25
lbragstadbknudson: ^ what dolphm said16:25
*** RichardRaseley has joined #openstack-keystone16:26
dolphmbknudson: lbragstad: does the driver namespace restrict 3rd parties from providing entry points into custom drivers?16:26
CaptainMorgandolphm: no, you can place a driver in any namespace via entry points.16:26
lbragstaddolphm: bknudson *if* the only thing I plan on doing is extending the BaseProvider
dolphmCaptainMorgan: that's what i thought, but ... what does the driver_namespace do then?16:27
CaptainMorganThe idea is you are looking in that namespace for the short name16:27
CaptainMorganSo if someone calls a module for neutron "password" it is t found for keystone16:27
CaptainMorganFor example.16:27
dolphmso the third party package would specify a keystone.token.provider entrypoint as well?
dolphmoh ok16:28
dolphmeasy enough16:28
lbragstadjsut as an entrypoint16:28
CaptainMorganYeah, it's meant to make it easy :)16:28
*** raildo has quit IRC16:29
CaptainMorganNow... I have no idea what happens if someone specifies a driver name already used16:29
*** dguerri is now known as dguerri`16:29
dolphmCaptainMorgan: like, provides another 'uuid' entrypoint?16:30
*** raildo has joined #openstack-keystone16:30
dolphmi'd hope that setuptools or something would puke early16:31
*** RichardRaseley has quit IRC16:31
*** RichardRaseley has joined #openstack-keystone16:31
*** RichardRaseley has quit IRC16:32
*** kiran-r has joined #openstack-keystone16:32
dstanekdolphm: i believe it does is you dupe the name16:32
CaptainMorgandolphm: i hope so too, but i haven't tried it16:33
dolphmmaybe not let you install that package at all? :D16:33
dolphmthat'd be like installing two packages with the same name16:33
dolphminto site-packages16:33
*** jsavak has quit IRC16:33
lbragstadCaptainMorgan: dolphm so that seemed to work (i.e. it didn't puke)16:34
CaptainMorganNew way to troll people:, provide conflicting entry points in some common used library16:34
*** BrAsS_mOnKeY has quit IRC16:34
dolphmlbragstad: sweet16:34
CaptainMorganMake lots of people cry16:34
LactemHi dolphm.16:35
dolphmLactem: o/16:36
*** ChanServ sets mode: +o CaptainMorgan16:37
*** rm_work is now known as rm_work|away16:37
*** diazjf has quit IRC16:38
dstanekhi fives all around!  o/\o16:38
CaptainMorgan (╯°□°)╯︵ ┻━┻16:39
*** edmondsw has quit IRC16:39
samueldmqhaha Friday is fun16:40
*** diazjf has joined #openstack-keystone16:40
LactemSorry to have another problem... I'm trying tools/ bin/keystone-all and getting an error message similar to (ImportError: No module named oslo).16:40
openstackLaunchpad bug 1397518 in Mirantis OpenStack "python-oslo.concurrency requires python-retrying" [Critical,Fix committed] - Assigned to Max Yatsenko (myatsenko)16:40
dstaneksee that's PTL rage! going from fun hi fives to flipping tables16:40
samueldmqdstanek: hehe16:41
*** browne has joined #openstack-keystone16:42
LactemYeah there's no oslo for me. Is there a link to install it or does it not work like that?16:44
samueldmqdavid8hu: hi, sorry for the late answer16:44
samueldmqdavid8hu: yes a deployer can configure its CMS to upload an already customized policy where is expected to be the default (we're now calling it stock policy)16:44
*** dguerri` is now known as dguerri16:45
samueldmqdavid8hu: however he won't be following the documented behavior :)16:45
samueldmqdavid8hu: so that will be taken as the truth, even if he's lying to us16:45
*** dguerri is now known as dguerri`16:46
samueldmqdavid8hu: in the future, if we provided a /policy API in each service, this could be solved, but we aren't goign to that directiom16:46
dstanekLactem: i would expect the venv created by with_venv to have it installed. how did you check to see if it's installed?16:46
samueldmqdavid8hu: at least for now, we can revisit that later .. I think it's a suggestion from nova gusy16:46
samueldmqdavid8hu: guys*16:46
*** jsavak has joined #openstack-keystone16:48
dolphmLactem: uhh, i don't use tools/ myself... have you used tox to run tests?16:49
*** f13o has quit IRC16:49
LactemNo sorry I'm not familiar with tox.16:49
LactemI'm trying to re-set it up following and the tutorial directly before that. @dolphm16:50
dstanektox will allow you to run the unit tests16:51
*** ankita_wagh has quit IRC16:51
LactemI'm still trying to do this setup.16:51
LactemI think I may have skipped these steps yesterday, so my testing might not be accurate.16:51
dstanekyou don't need the setup to run the unit tests16:51
dolphmLactem: which branch are you working with, master?16:51
Lactem So you're saying I can skip that page?16:52
dolphmLactem: we should maybe update those docs with what we *actually* do nowadays16:52
LactemThat would be a good idea. :P16:53
dolphmLactem: can you `pip install tox` ?16:53
dstanekif you have a checkout then run 'tox -e py27' to run the unit tests16:53
*** BrAsS_mOnKeY has joined #openstack-keystone16:53
dolphmLactem: they're not entirely innaccurate, just maybe not today's best practices16:53
*** rm_work|away is now known as rm_work16:53
dstanekthere may be system libraries that need to be installed16:53
LactemI should be in sudo su stack, correct?16:53
dolphmoh, this is devstack!16:53
LactemI was told to use devstack.16:54
dolphmthat's fair16:54
*** thedodd has joined #openstack-keystone16:54
dolphmi'm also an outcast because i raaaarely use devstack16:54
LactemWhat do you use and is it easier?16:54
dstanekLactem: devstack already setups up a working instance of keystone - this is the way i usually develop16:54
dolphmdstanek: i was going to suggest `tox -e py27` and then `.tox/py27/bin/keystone-all` ..16:54
dstanekdolphm: yep, exactly16:55
LactemI actually did that before and it got stuck for a while. I just exited.16:55
dstanekLactem: i don't think it gets too much easier than devstack for starting out16:55
Lactempy27 installdeps: -r/opt/stack/keystone/requirements.txt, -r/opt/stack/keystone/test-requirements.txt16:55
Lactem It was stuck on that.16:55
*** raildo has quit IRC16:55
dstanekcan your VM talk to the outside world?16:56
dolphmping -c 1 ?16:56
LactemI mean I can put stuff on Google Drive and have the VM download from there if that's what you mean.16:56
*** raildo has joined #openstack-keystone16:56
LactemYeah the ping works just fine.16:56
dstanektry running tox again then16:57
dolphmafter running `tox -e py27` successfully, then `source .tox/py27/bin/activate` will get you into a python 2.7 virtualenv containing just keystone16:57
LactemIs tox -e py27 supposed to take a really long time?16:57
dolphmLactem: it runs thousands of tests16:58
*** bradjones has quit IRC16:58
dstanekyes, a good amount of time16:58
dolphmLactem: and installs lots of packages right off the bat. but it should give you decent feedback once the tests start16:58
LactemIt keeps getting stuck on the second line. I'll just wait a while.16:58
dolphmLactem: it's probably downloading all of pypi16:58
dstanekLactem: how long to you normally wait?16:58
*** bradjones has joined #openstack-keystone16:58
*** bradjones has quit IRC16:58
*** bradjones has joined #openstack-keystone16:58
dolphmLactem: (exagerration) it's downloading all the packages specified by requirements.txt and test-requirements.txt16:59
dolphmLactem: stuck on "py27 installdeps" ?17:00
LactemIt's moving on now.17:00
*** RichardRaseley has joined #openstack-keystone17:03
*** belmoreira has quit IRC17:03
samueldmqayoung: I am updating the diagrams by putting more details17:06
samueldmqayoung: see the first I just updated, and let me know if it looks good17:06
*** bradjones has quit IRC17:11
*** bradjones has joined #openstack-keystone17:12
*** bradjones has quit IRC17:12
*** bradjones has joined #openstack-keystone17:12
Lactemdolphm: It's all done with py27.17:15
LactemNow I do source .tox/py27/bin/activate?17:15
dolphmLactem: yeah, try that17:15
LactemNow I'm in that.17:16
dolphmLactem: can you run `keystone-all` directly?17:16
Lactemtools/ bin/keystone-all Like that, right?17:16
LactemThat still gives me the problem with "No module named oslo found."17:17
dolphmLactem: no, just `keystone-all` directly17:17
dolphmLactem: you should be in a virtualenv (py27) where keystone is installed17:17
LactemI don't see any keystone-all in ls.17:18
dolphmLactem: keystone-all would be in .tox/py27/bin17:18
LactemI'm in /opt/stack/keystone17:18
Lactem(py27)stack@Ubuntu64:~/keystone$ pwd17:18
dolphmbut .tox/py27/bin should already be in your path17:18
*** ankita_wagh has joined #openstack-keystone17:19
Lactem(py27)stack@Ubuntu64:~/keystone$ pwd17:19
*** ankita_wagh has quit IRC17:19
Lactemshows: /opt/stack/keystone17:19
*** ankita_wagh has joined #openstack-keystone17:19
*** spandhe has joined #openstack-keystone17:19
dolphmLactem: what does `which keystone-all` show?17:20
Lactemshows: /opt/stack/keystone/.tox/py27/bin/keystone-all17:20
LactemLooks good, right?17:20
dolphmLactem: so keystone-all is already available, and you don't have to use tools/ because you're already in a venv containing keystone17:20
dolphmLactem: yep! just run `keystone-all` now, and you should see it startup17:21
LactemThat's my traceback.17:21
Lactem(from keystone-all)17:21
dolphmkeystone==2014.2.4.dev5 ?!17:22
*** ankita_wagh has quit IRC17:22
dolphmdstanek: any ideas? ^17:22
*** ankita_wagh has joined #openstack-keystone17:22
LactemI may have screwed up the setup and missed a step or something?17:22
*** jsavak has quit IRC17:23
*** jsavak has joined #openstack-keystone17:23
dolphmLactem: tox should take care of all the setup for you17:23
dolphmLactem: tox -e py27 ran successfully, right?17:24
dolphmLactem: tests passed at the end, etc17:24
LactemI think it was failing before or something. I used sudo tox -e py27. Is that bad?17:24
LactemIt worked, though:   py27: commands succeeded17:24
Lactem  congratulations :)17:24
dolphmLactem: oh, don't use sudo17:25
LactemShould I redo it without sudo? I don't see how that would change anything since it was successful.17:25
dolphmLactem: to recover, i'd do sudo rm -rf /opt/stack/keystone/.tox/17:25
dolphmLactem: and then just `tox -e py27`17:25
LactemThanks. This will take a while. I'll tell you what happens.17:26
dolphmLactem: but i have no idea what the consequences of running tox as a superuser would be -- does your regular user even have permission to utilize the resulting environment correctly? i'd guess not17:26
LactemYeah it failed.17:27
dolphmLactem: tox -e py27 did?17:27
LactemYep. No perms. That's why I did sudo before probably.17:27
Lactem${PYTHON:-python} -m discover -t ./ ./keystone/tests --list17:27
Lactem(13, 'Permission denied')17:27
dolphmLactem: there's no other error feedback?17:27
dolphmLactem: (lesson: be super skeptical before you prefix anything with sudo in the future!)17:28
*** diegows has joined #openstack-keystone17:29
dolphmLactem: i'm trying to think through what would have been created without useable permissions that's not in .tox/ ....17:29
LactemThose were my errors.17:29
dolphmLactem: considering we live in a VM-happy world, how long would it take you to blow away your devstack VM and create a new one? :)17:30
dolphmLactem: why problem solve when you can start from a known good state? :P17:31
*** HT_sergio has quit IRC17:31
dolphmLactem: what does `ls -la $HOME/.pip_download_cache` look like?17:32
Lactemls: cannot access /opt/stack/.pip_download_cache: No such file or directory17:32
LactemI could restart. It would probably take about an hour.17:33
dolphmor maybe ls -la $PIP_DOWNLOAD_CACHE17:33
dolphmLactem: ooh, there we go (that's your keystone dir, btw)17:34
dolphmLactem: delete everything there owned by root17:34
samueldmqCaptainMorgan: what if we defined a small timeout for policies, and cache would be checked on keystone against a hash17:34
dolphmLactem: `rm -rf keystone.egg-info .testrepository .venv`17:34
LactemI know how to delete. :P17:34
samueldmqCaptainMorgan: I mean, each policy has its hash, and when the small timeout expires, we check policy validity against keystone using that hash17:35
dolphmLactem: i'm not saying you don't :)17:35
*** tqtran has joined #openstack-keystone17:35
dolphmLactem: it was likely hte .testrepository that your normal user couldn't touch17:35
LactemAlright done.17:35
samueldmqCaptainMorgan: I think that's the same issue as tokens, where we want to stop revoking and set timeouts that make more sense17:35
dolphmLactem: so, try `tox -e py27` once more17:36
*** diazjf has quit IRC17:36
CaptainMorgansamueldmq: you will end up with some requests failing or succeeding incorrectly and you don't have control of the windows like you do with a cms deploy17:36
LactemI think this is because I deleted those directories and it needs those.17:37
CaptainMorganYou can't hope for the best here, this is one we need to actually solve correctly, short timeouts are not viable on their own.17:37
samueldmqCaptainMorgan: do you have any direction on a good approach to solve this ?17:37
samueldmqCaptainMorgan: so my mind could start thinking on that direction17:38
CaptainMorganNot this week I don't17:38
samueldmqCaptainMorgan: tell your mind to find something next week, so I can put in the spec17:38
CaptainMorganThere are a lot of pitfalls around this.17:38
*** e0ne has joined #openstack-keystone17:38
CaptainMorganI can throw ideas out but it doesn't mean they are good.17:38
samueldmqCaptainMorgan: go ahead :)17:39
samueldmqCaptainMorgan: you have been touched this issue more times than me, I am sure17:39
dolphmLactem: try `tox -r -e py27`17:39
dolphmLactem: which will rebuild .tox/py27/17:39
samueldmqCaptainMorgan: (I've never had this in practice)17:39
CaptainMorganThis is something we likely need to defer until the mid cycle for, unfortunately. Without a whiteboard and more than irc (mumble won't help here either) I can design a solution.17:40
samueldmqCaptainMorgan: ok so sounds like I plan17:40
CaptainMorganI've dealt with this before.  It just plain is hard to do.17:40
samueldmqCaptainMorgan: we implement the simple solution (where incoherency is accepted by timeout slice of time)17:40
samueldmqCaptainMorgan: and we define something better in the midcycle17:41
CaptainMorganLet me be clear, we can't ask anyone to deploy it with out solve this.17:41
CaptainMorganIt is better to tell them to use cms and not centralize it because they have control of the windows of potential outages.17:42
samueldmqCaptainMorgan: k so I will make sure we have the first implementation before midcycle (I've a demo already)17:42
samueldmqCaptainMorgan: so we have the rest of the cycle to improve it, so more chacnes to get it done17:42
* CaptainMorgan would rather see focus on the other changes needed tbh17:42
Lactemdolphm: I'm going to take a break while this runs and be back in maybe 10 minutes.17:42
samueldmqCaptainMorgan: dealing with microversions in oslo.policy ?17:42
CaptainMorganThat is a huge one17:43
samueldmqCaptainMorgan: sure, but we need to define the scope (already did with ayoung) I am just putting more details17:43
samueldmqCaptainMorgan: before asking you to take a look17:43
CaptainMorganAnd the way that gets dealt with could change how we do centralization.17:43
samueldmqCaptainMorgan: ok I need to investigate that, and see how we'll be addressing it17:43
CaptainMorganBecause if we centralize policy and then to deal with microversions we have to redesign the centralization... A lot of throw away work.17:44
CaptainMorganCache coherency of the policy within an endpoint is the last piece otherwise you're really at risk of redesigning the caching.17:45
*** amakarov is now known as amakarov_away17:45
CaptainMorganThe saying: I have one problem, and I use caching to solve it. Now I have two problems.17:45
CaptainMorganIt isn't far off.17:45
CaptainMorganCaching is always hard to do correctly.17:46
samueldmqCaptainMorgan: the biggest benefit of centralizing is the APIs we provide to define better policies, which should be orthogonal to dealing with microversions17:46
samueldmqCaptainMorgan: not sure, I need to visit that subject deeply17:46
CaptainMorgansamueldmq: just expect you're going to have to throw away the centralization and redesign it if you treat it as orthogonal.17:47
CaptainMorganIf it wasn't a distributed system, it would be a lot easier.17:47
samueldmqCaptainMorgan: maybe, as I said, I am not sure, need to understand deeply how we're going to deal with microversions17:47
ayoungCaptainMorgan,  Are you suggesting we never cache data from Keystone?17:48
CaptainMorganayoung: I'm saying address the issues around dealing with the policy variances at the endpoint, then design caching around that.17:48
CaptainMorganayoung: don't design centralization and caching then try and wedge in the other work, because there is a significant risk you'll need to redesign the caching17:48
ayoungCaptainMorgan, so you think we should drop centralizing the policy?  You seem to have been implying that lately without outright saying it17:49
CaptainMorganNo. Just focus on making sure all the other bits are in order before centralizing17:50
samueldmqCaptainMorgan: ok, we're finishing the first bit you asked : roadmap + scope for L17:51
samueldmqCaptainMorgan: I will study that microversion stuff and then have somehting in the roadmap, with priority17:52
CaptainMorganE.g. How are microversions in the ApIS handled, the base line policy work (if any is needed), then how you source policy and ensure all processes (potentially across physically different services) pick up the policy at once.17:52
samueldmqayoung: makes sense? ^17:52
CaptainMorganJust ensuring you aren't designing a system that no one can use because cms deployment give control over when potential outages/inconsistent policy responses happen.17:52
CaptainMorganOr wasting a lot of effort on designing a caching system for this that doesn't work for the use-case.17:53
*** marzif has joined #openstack-keystone17:53
samueldmqayoung: I want to update the diagrams, but
CaptainMorganIf you want to invert this, order go for it, but I'm betting there will be a lot of redesign along the way - and a lot of throw away code.17:54
samueldmqayoung: says me 'You cannot overwrite this file.'17:54
* CaptainMorgan is really pointing out the traps here having been down this road 4 or 5 times in previous projects / companies.17:56
*** jasondotstar has quit IRC17:56
samueldmqCaptainMorgan: k I will study this next week, and see how it fits better in our planned roadmap/scope17:56
CaptainMorganAyoung: Notice I'm not -1 or -2 any of this.17:56
bknudsondolphm: the driver_namespace matches the string in setup.cfg
CaptainMorganayoung: I'm really just trying to save you headaches down the line / total rewrites :(17:57
bknudsonif you have your own driver you'll have to call it something different than the existing ones17:57
dolphmbknudson: thanks, i think we got it straighted out! the config lbragstad was running was not as i thought, so i was lead to believe the implementation was behaving oddly17:57
bknudsonso if I wanted to have my own token provider I'd call it bknudsons_driver or something.17:57
openstackgerritEric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc
Lactemdolphm: tox works17:59
*** jdennis has joined #openstack-keystone17:59
*** jasondotstar has joined #openstack-keystone17:59
*** jasondot_ has joined #openstack-keystone17:59
ayoungCaptainMorgan, doesn't really seem to matter,  Sean has checked out of the conversation, and without him, driving microversions, I don't think we are going anywhere.18:01
dolphmLactem: try running keystone again!18:03
*** ninag has joined #openstack-keystone18:04
LactemType keystone-all?18:04
dolphmLactem: if you're in the .tox/py27 venv already, yes18:04
LactemIt says (py27) in front of my command thing, so I assume I am. Here goes...18:04
*** jith_ has quit IRC18:05
*** Rockyg has joined #openstack-keystone18:05
*** diazjf has joined #openstack-keystone18:07
dolphmLactem: what is your `git log -n 1` ?18:08
LactemThis should be up-to-date. I just made this VM yesterday afternoon.18:09
*** arunkant has quit IRC18:10
*** jasondotstar has quit IRC18:10
Lactemdolphm: Wouldn't installing "The 'requests!=2.4.0,<=2.2.1,>=2.1.0' distribution" fix it?18:14
dolphmLactem: possibly, but you'll likely just run into another, similar issue. i'm trying to reproduce now.18:16
dolphmLactem: if you created this VM yesterday, why is the latest commit 2 weeks old?18:17
CaptainMorganayoung: ill see what i can do.about wrangling sean back into the convo18:17
dolphmLactem: oh sorry, that's a merge18:17
LactemI'm using vagrant and devstack by the way.18:17
dolphmLactem: i'm running this now from the same commit SHA as you: `tox -r -e py27 ; n source .tox/py27/bin/activate ; keystone-all`18:18
*** marzif has quit IRC18:18
LactemI never did the source.18:18
LactemCould that be the problem?18:18
samueldmqCaptainMorgan: sure, talking to him is the next step to see things in nova side, once we've agreed internally on that wiki :)18:19
LactemI went straight from tox -r -e py27 to keystone-all.18:19
samueldmqCaptainMorgan: and yes, please get him back into the convo18:19
dolphmLactem: this is stable/juno! 2014.2.418:19
dolphmthat explains the weird version string earlier; you're not even close to master18:19
LactemWhy would that be?18:20
LactemDo I need to run git clone?18:20
LactemI thought it automatically did that when vagrant first set this all up.18:20
dolphmLactem: did you install devstack yourself?18:20
LactemWell I think so.18:20
LactemI got a virtual box.18:20
dolphmLactem: did you follow these instructions?
LactemI don't see anything with vagrant in there. I'm using vagrant.18:21
*** rlt_ has quit IRC18:23
bknudsondstanek: stevedoor: I marked as incomplete for keystone based on what we've seen.18:23
openstackLaunchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Incomplete]18:23
LactemI can try following that tutorial now, but I think I would have to re-make my machine.18:23
LactemI'm hoping to avoid doing that again.18:23
bknudsoncattle not pets!18:23
dolphmLactem: have a link to where you got the vagrant init from?18:24
dolphmbknudson: even if he nukes it, he'll be back to square one with a stable/juno devstack box ..18:24
bknudsonyou do need to check out the right branch of devstack18:25
LactemI was given a vagrant.tgz and a box.18:25
LactemIt's a private download in Google Drive.18:26
*** HT_sergio has joined #openstack-keystone18:27
Lactem That's what I had.18:27
dolphmbknudson: is it possible to switch and restack gracefully?18:27
LactemFor me I can use vagrant suspend and then vagrant up again to restart, but that's not technically a restart I guess. I believe there's vagrant restart, but I've never tried it.18:28
bknudsondolphm: I don't switch around to really old devstacks ever. I keep a separate vm.18:28
dolphmLactem: i find it odd that they stuck you with juno18:28
bknudsonit might work18:28
LactemI'm sure I can switch.18:28
LactemIs it the vagrant or the box that I need to change?18:29
*** kiran-r has quit IRC18:29
bknudsongit checkout master in devstack and ./stack18:29
*** jdennis has quit IRC18:29
bknudsonprobably want to ./unstack first18:29
LactemOkay so I made a new folder and used git clone (like in that tutorial). There's no ./stack there.18:30
dolphmLactem: the vagrant image must have contained either devstack pre-installed at stable/juno, or came configured to install stable/juno18:30
bknudsonit's in devstack directory18:30
LactemWait no there is.18:30
LactemSorry I misspelled it.18:30
dolphmLactem: you shouldn't need to clone devstack again18:30
LactemI don't ever remember typing git clone <link> for devstack.18:31
dolphmthat was probably part of the vagrant image18:31
bknudsonthere might be an option to tell it to re-clone all the repos18:31
bknudsonotherwise you'll have to go through all your repos and check them out to master, too18:31
dolphmif you had, then you would have had to go out of your way to use a 7 month old release!18:31
bknudsonthey're in /opt/stack/*18:31
dolphmbknudson: well that's no fun18:31
dolphmbknudson: surely there's something in an rc file?18:32
bknudsonI've got a script that updates all the repos ;)18:32
*** jasondotstar has joined #openstack-keystone18:32
LactemSo I should vagrant up again and run an update script that's in /opt/stack?18:32
*** jsavak has quit IRC18:33
*** jsavak has joined #openstack-keystone18:33
bknudsonlooks like the option is RECLONE in localrc18:33
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Token request after Reseller
raildoCaptainMorgan, dstanek, gyee ^18:36
LactemWhat's the name of the update script? There are just all of the project folders in /opt/stack.18:36
bknudsonactually, looks like you can just delete all the dirs in /opt/stack, then devstack should reclone18:38
openstackgerritBrant Knudson proposed openstack/keystone: Document policy target for operation
*** diegows has quit IRC18:39
LactemSo what's the link to clone all of the projects?18:39
LactemOr do I need to clone each one individually?18:39
bknudsonrun ./ and that will clone18:39
*** stevedoor has quit IRC18:40
LactemI don't see any anymore, though.18:41
LactemOh okay the one in /home/stack/devstack.18:41
LactemOkay I'll do it. I'm pretty sure that's what it did automatically to install the outdated stuff last time, though.18:42
samueldmqCaptainMorgan: ayoung I just updated the wiki
samueldmqCaptainMorgan: ayoung activity diagrams are very detailed now, Roadmap is defined and Liberty scope is set (and agreed with ayoung for now)18:43
dolphmbknudson: where is stackrc / whatever specifies the branches everything should use?18:45
LactemI'll just let this run. ttyl18:45
dolphmbknudson: or is that just built into devstack's stable/juno branch?18:45
bknudsondolphm: if you check out devstack stable/juno it will use stable/juno for the repos18:46
dolphmbknudson: cool18:48
dolphmLactem: ^18:48
LactemYeah I think it's just going to re-install the same stuff that was already installed.18:49
LactemHow do I check out a different version?18:49
ayoungsamueldmq, I'll look in a bit18:49
samueldmqayoung: sure, great!18:50
*** diegows has joined #openstack-keystone18:51
*** diegows has quit IRC18:52
*** jasondotstar has quit IRC19:01
charleswCaptainMorgan, dstanek and folks: my token expiring before expiration time happens in keystone middleware frequently. I'm using keystone middleware 1.5 on ubuntu trusty. The token is not in revocation list. Any clues?19:05
openstackgerritBrant Knudson proposed openstack/keystone: Sanitize passwords in debug log on user create
*** bradjones has quit IRC19:20
*** bradjones has joined #openstack-keystone19:22
*** bradjones has quit IRC19:22
*** bradjones has joined #openstack-keystone19:22
*** ninag has quit IRC19:25
dolphmbknudson: thanks ^19:25
bknudsonI should be able to create a test.19:25
bknudsonactually, I'm surprised dolphm doesn't have a test already.19:26
dolphmbknudson: ;)19:26
dolphmbknudson: speaking of: i didn't +A because i wrote the test coverage19:27
dolphmand we're all at rackspace, i suppose19:27
bknudsondolphm: I did get to that one when I was reviewing a couple days ago.19:27
*** csoukup has joined #openstack-keystone19:29
bknudsonI meant I didn't get to that one19:33
bknudsonthere were too many other old reviews that had a +219:33
*** rdo has quit IRC19:35
bknudsonThis test is going to be awesome19:36
*** ihrachyshka has joined #openstack-keystone19:36
*** rdo has joined #openstack-keystone19:37
*** jasondotstar has joined #openstack-keystone19:37
*** jasondotstar has quit IRC19:38
*** pc_m has quit IRC19:38
*** jsavak has quit IRC19:39
*** jsavak has joined #openstack-keystone19:39
openstackgerritBrant Knudson proposed openstack/keystone: Sanitize passwords in debug log on user create
openstackgerritBrant Knudson proposed openstack/keystone: Add test showing password logged
*** HT_sergio has quit IRC19:44
*** jasondotstar has joined #openstack-keystone19:46
*** jasondotstar has quit IRC19:47
*** marzif has joined #openstack-keystone19:49
*** jsavak has quit IRC19:50
*** jasondotstar has joined #openstack-keystone19:54
Lactemdolphm:./ had some errors at the end, but it appears to have finished.19:57
*** belmoreira has joined #openstack-keystone19:57
david8husamueldmq, ayoung, One of my teamates is going to help out on dynamic policy as well.  I do not see her on IRC at the moment.  We now have one additional help :)19:57
*** boris-42 has joined #openstack-keystone20:04
*** stevemar has joined #openstack-keystone20:07
*** ChanServ sets mode: +v stevemar20:07
Lactemdolphm: Okay I'm just doing vagrant destroy and vagrant up again. It's going to take a while.20:08
*** gabriel-bezerra has quit IRC20:11
*** e0ne has quit IRC20:11
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations
stevemardiazjf, \o/20:13
stevemardiazjf, i'll review it soon! it's open in a chrome tab.... just reviewing other stuff atm :)20:14
*** dan is now known as Guest8780820:14
*** marzif has quit IRC20:14
*** dan_ has joined #openstack-keystone20:14
*** belmoreira has quit IRC20:14
*** dan_ is now known as Guest9629920:14
*** roxanaghe has joined #openstack-keystone20:15
dolphmLactem: does intel want you to do any development against master?20:17
*** gabriel-bezerra has joined #openstack-keystone20:19
openstackgerritBrant Knudson proposed openstack/keystone: Mask passwords in debug log on user password operations
openstackgerritBrant Knudson proposed openstack/keystone: Add test showing password logged
*** HT_sergio has joined #openstack-keystone20:24
*** roxanaghe has quit IRC20:24
Lactemdolphm: The goal is to successfully submit some patches.20:27
LactemThat's why I'm working on that easy bug. It might not even need a patch. idk20:27
*** ankita_w_ has joined #openstack-keystone20:28
*** marzif has joined #openstack-keystone20:30
*** ankita_wagh has quit IRC20:32
*** ankita_wagh has joined #openstack-keystone20:34
diazjfstevemar thanks20:36
diazjfjust running into some issues with validation20:36
*** ankita_w_ has quit IRC20:37
diazjfposted them on the patch20:37
stevemardiazjf, run `tox -e docs` to check for validation before submitting ;)20:37
diazjfnice thanks20:37
diazjfmeant json validation using cli :-/20:37
*** jasondotstar has quit IRC20:37
*** marzif has quit IRC20:38
*** CaptainMorgan is now known as morgan20:41
*** ankita_wagh has quit IRC20:41
*** ankita_wagh has joined #openstack-keystone20:42
morganstevemar: thanks for taking with the person this morning about oauth20:44
stevemarmorgan, np, have to reply still :P20:45
samueldmqdavid8hu: that's great, thanks! glad to hear :)20:47
*** ihrachyshka has quit IRC20:47
*** iurygregory has quit IRC20:51
*** marzif has joined #openstack-keystone20:51
*** raildo has quit IRC20:53
dolphmLactem: you definitely want to get onto master then20:56
dolphmLactem: we won't accept patches to older branches unless they're backports from master, or there's a *really* good reason they can't go into master first20:57
*** marzif has quit IRC21:00
openstackgerritEric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc
LactemI don't know why it wouldn't be on master by default.21:03
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations
Lactemdolphm: Any ideas on how I would make it use master branch? It looks like it's getting everything from the most recent git branch.21:06
*** rushiagr_away is now known as rushiagr21:08
openstackgerritEric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc
dstanekLactem: 'git checkout master' will make your working copy use the master branch - what branch are you on?21:10
*** radez is now known as radez_g0n321:14
*** charlesw has quit IRC21:15
*** bradjones has quit IRC21:20
LactemIt says I'm already on master.21:22
Lactem@ dstanek21:22
*** bradjones has joined #openstack-keystone21:22
*** bradjones has quit IRC21:22
*** bradjones has joined #openstack-keystone21:22
LactemHow can I check the version?21:22
dstanekthat's good then. what made you think that you were not?21:23
LactemDolph said my version is juno or something like that. It's from 2014.21:23
LactemWait which directory do I git checkout master from?21:23
LactemIn keystone it says it's up to date with master.21:24
dstanekyou can run the checkout from anywhere in your local copy of the code21:25
*** htruta_ has joined #openstack-keystone21:25
*** diazjf has quit IRC21:27
*** HT_sergio has quit IRC21:29
*** tqtran is now known as tqtran_afk21:29
*** Rockyg has quit IRC21:30
*** gabriel-bezerra has quit IRC21:34
*** csoukup has quit IRC21:35
openstackgerritBrant Knudson proposed openstack/keystone: Switch to oslo.service
bknudson+6, -111821:37
bknudson^ that's how it should be.21:37
*** tqtran_afk is now known as tqtran21:38
openstackgerritBrant Knudson proposed openstack/keystone: Switch to oslo.service
openstackgerritBrant Knudson proposed openstack/keystone: Remove unused requirements
openstackgerritBrant Knudson proposed openstack/keystone: Switch to oslo.service
*** stevemar has quit IRC21:52
bknudsonthis is weird -- requirements update breaks keystone --
*** HT_sergio has joined #openstack-keystone21:58
*** marzif has joined #openstack-keystone21:58
*** rushiagr is now known as rushiagr_away22:01
*** ankita_wagh has quit IRC22:02
*** pballand has quit IRC22:06
*** marzif has quit IRC22:10
*** henriquetruta has joined #openstack-keystone22:11
*** ankita_wagh has joined #openstack-keystone22:13
openstackgerritBrant Knudson proposed openstack/keystone: Updated from global requirements
openstackgerritBrant Knudson proposed openstack/keystone: Don't try to drop FK constraints for sqlite
*** RichardRaseley has quit IRC22:14
*** htruta_ has quit IRC22:15
*** ankita_wagh has quit IRC22:16
*** dimsum__ has quit IRC22:19
*** dimsum__ has joined #openstack-keystone22:20
openstackgerritBrant Knudson proposed openstack/keystone: Don't try to drop FK constraints for sqlite
openstackgerritBrant Knudson proposed openstack/keystone: Updated from global requirements
*** HT_sergio has quit IRC22:26
*** Lactem has quit IRC22:30
*** bknudson has quit IRC22:30
*** jasondot_ has quit IRC22:32
*** dimsum__ has quit IRC22:32
*** marzif has joined #openstack-keystone22:33
*** david8hu has quit IRC22:37
*** gyee has quit IRC22:39
*** browne has quit IRC22:42
*** henrynash has joined #openstack-keystone22:51
*** ChanServ sets mode: +v henrynash22:51
*** zzzeek has quit IRC22:58
*** zzzeek has joined #openstack-keystone23:01
*** ankita_wagh has joined #openstack-keystone23:03
*** bigjools has quit IRC23:05
*** zigo has quit IRC23:05
*** marzif has quit IRC23:06
*** zigo has joined #openstack-keystone23:07
*** bigjools has joined #openstack-keystone23:08
*** thedodd has quit IRC23:08
*** zzzeek has quit IRC23:15
*** henriquetruta has quit IRC23:20
*** telemonster has quit IRC23:22
*** telemonster has joined #openstack-keystone23:22
*** vilobhmm has quit IRC23:23
*** arif-ali has quit IRC23:26
*** arif-ali has joined #openstack-keystone23:29
*** HT_sergio has joined #openstack-keystone23:30
*** henriquetruta has joined #openstack-keystone23:33
*** henriquetruta has quit IRC23:39
*** hogepodge has quit IRC23:45
*** hemna_ has joined #openstack-keystone23:52
*** browne has joined #openstack-keystone23:52
*** hemna has quit IRC23:53

Generated by 2.14.0 by Marius Gedminas - find it at!