Friday, 2015-06-19

*** Raildo has quit IRC		00:02
*** samueldmq2 has joined #openstack-keystone		00:03
*** samueldmq2 has quit IRC		00:03
samueldmq	ayoung: hi, you around ?	00:04
samueldmq	ayoung: I suppose you saw the diagram in that wiki ? let me know what you think about tht approach :)	00:05
samueldmq	ayoung: whether you agree or not, and why	00:05
gyee	wtf's Oslo Guru Meditation? https://review.openstack.org/#/c/184172/	00:05
samueldmq	gyee: lol haha, I have no idea :)	00:07
gyee	samueldmq, funny naming though	00:08
samueldmq	gyee: ++	00:09
*** gyee has quit IRC		00:27
*** ankita_w_ has quit IRC		00:30
*** r-daneel has quit IRC		00:34
*** dims has joined #openstack-keystone		00:39
ayoung	samueldmq, yep, I'm here. WHere is the source for the diagram?	00:45
*** dims has quit IRC		00:47
*** dims has joined #openstack-keystone		00:47
samueldmq	ayoung: http://www2.lsd.ufcg.edu.br/~samuel/dynamic-policies-workflow.diag	00:49
samueldmq	ayoung: I thought I had sent it already	00:49
*** spandhe has joined #openstack-keystone		00:49
ayoung	samueldmq, maybe you did...didn't see it. Thnaks	00:49
samueldmq	ayoung: I saw there are some 'requests' from keystone to CMS, I think that is just formatting, you can understand the logic behind	00:50
samueldmq	ayoung: I think the descriptuons there are pretty accurate, you'll understand how I see	00:50
samueldmq	ayoung: let me know if you agree , etc :)	00:50
ayoung	samueldmq, hold on. Let me go through it and I'll understand better	00:50
samueldmq	ayoung: sure	00:52
*** zzzeek has joined #openstack-keystone		00:52
*** zzzeek has quit IRC		00:52
*** openstack has joined #openstack-keystone		00:54
*** markvoelker has joined #openstack-keystone		00:56
*** diazjf has joined #openstack-keystone		00:58
ayoung	samueldmq, it looks pretty close. One technical issue you had was that a return call, say from nova to the user needs to be written as user <- nova;	01:00
ayoung	samueldmq, I might break this up into threee diags	01:00
*** ankita_wagh has joined #openstack-keystone		01:01
*** markvoelker has quit IRC		01:02
samueldmq	ayoung: what would be the three diags ? I'd be happy to break that up	01:02
samueldmq	ayoung: glad to hear you like what is in there :)	01:02
*** kfox1111 has quit IRC		01:08
*** bknudson has joined #openstack-keystone		01:10
*** ChanServ sets mode: +v bknudson		01:10
*** charlesw has joined #openstack-keystone		01:11
*** ncoghlan has joined #openstack-keystone		01:11
*** ccrouch has quit IRC		01:14
samueldmq	ayoung: ah got it, instead of nova -> user : user <- nova	01:14
samueldmq	ayoung: ++	01:14
ayoung	samueldmq, yeah...the diag also expects that what ever you start with has a lifeline that lasts the whole diagram	01:18
samueldmq	ayoung: that's why it's weird with lifelines	01:20
samueldmq	ayoung: :)	01:20
samueldmq	ayoung: otherwise you agree on that direction for Liberty?	01:20
ayoung	samueldmq, its designed to show a single use case. The case where user and admin both ask things, but don't talk to each other is hard to represent	01:20
samueldmq	ayoung: or do you have any other concertn ? etc	01:20
ayoung	samueldmq, lets treat it as a good set of tools for guiding the discussion. It does not show everything	01:21
*** dsirrine has quit IRC		01:21
samueldmq	ayoung: not sure I follow	01:21
ayoung	samueldmq, let me do a touch more editing and put them into the Wiki	01:21
ayoung	and I'll explain at that point	01:22
samueldmq	ayoung: sure	01:23
*** ankita_wagh has quit IRC		01:29
*** ankita_wagh has joined #openstack-keystone		01:30
*** woodster_ has quit IRC		01:31
ayoung	samueldmq, https://wiki.openstack.org/wiki/DynamicPolicies#Workflows_-_Liberty_Scope	01:42
ayoung	the source for the diagrams are embedded in the files	01:42
ayoung	if you click on the image, you should see the source	01:42
ayoung	samueldmq, I don't think there is enough detail there yet. We need to discuss the relationship between the files shipped with Nova that are pre-exisitng on the system and the ones from dynamic policy.	01:44
*** _cjones_ has quit IRC		01:44
openstackgerrit	Brant Knudson proposed openstack/keystone: Document policy target for operation https://review.openstack.org/168521	01:49
*** fangzhou has quit IRC		01:49
*** vilobhmm1 has quit IRC		01:51
*** markvoelker has joined #openstack-keystone		01:57
*** tsufiev has quit IRC		02:01
samueldmq	ayoung: you mean what I am called the Defaults and Custom policies?	02:01
samueldmq	ayoung: Default is what is uploaded by the CMS at bootstrapping / when a service is updated	02:01
samueldmq	ayoung: Custom is what the admin changed (a kind of diff)	02:01
ayoung	samueldmq, drop the term default	02:02
ayoung	I think it is confusing	02:02
*** aix has quit IRC		02:02
samueldmq	ayoung: Base policy	02:02
samueldmq	?	02:02
ayoung	there is the policy.json from the remote service git repos	02:02
*** markvoelker has quit IRC		02:02
ayoung	the default policy was supposed to be the unified one...lets leave that out for now	02:02
samueldmq	ayoung: ok, can I call it Base policy? or something like that ?	02:05
samueldmq	ayoung: it should be the olicy.json shipped with the code	02:05
samueldmq	ayoung: which is uploaded/updated to keystone	02:05
ayoung	how about stock policy?	02:05
*** tsufiev has joined #openstack-keystone		02:06
samueldmq	ayoung: and when the admin changes that, i.e, puts something in the custom (the diff) he receives warnings (what nova wants!!)	02:06
ayoung	something like that, yeah	02:06
samueldmq	ayoung: oh great :)	02:06
*** davechen has joined #openstack-keystone		02:07
*** davechen1 has joined #openstack-keystone		02:10
*** davechen has quit IRC		02:12
openstackgerrit	Brant Knudson proposed openstack/keystone: Refactor extract function load_auth_method https://review.openstack.org/187004	02:15
openstackgerrit	Brant Knudson proposed openstack/keystone: Use stevedore for auth drivers https://review.openstack.org/182102	02:15
openstackgerrit	Brant Knudson proposed openstack/keystone: Update sample config file https://review.openstack.org/182138	02:15
openstackgerrit	Brant Knudson proposed openstack/keystone: Short names for auth plugins https://review.openstack.org/182107	02:15
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Unit tests catch deprecated function usage https://review.openstack.org/189145	02:21
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Switch from deprecated isotime https://review.openstack.org/189147	02:21
samueldmq	ayoung: the split you made looks great, very clear	02:23
samueldmq	ayoung: that single diagram was very big	02:23
*** tobe has joined #openstack-keystone		02:24
openstackgerrit	Brant Knudson proposed openstack/keystone-specs: Add side-by-side comparison of v2 and v3 APIs https://review.openstack.org/187027	02:25
*** kiran-r has joined #openstack-keystone		02:33
davechen1	dolphm: hi,	02:34
davechen1	dolphm: I saw your comment here: https://bugs.launchpad.net/keystone/+bug/1466116/comments/1	02:35
openstack	Launchpad bug 1466116 in Keystone "With using V3 cloud admin policy, domain admin cannot issue a token for the project in his domain" [Undecided,Incomplete] - Assigned to Dave Chen (wei-d-chen)	02:35
davechen1	dolphm: Do you mean we should set inherited = 1 then we that use will has access to the project?	02:35
*** marzif has quit IRC		02:36
*** ankita_wagh has quit IRC		02:39
*** cburgess has quit IRC		02:39
*** diazjf has quit IRC		02:40
*** cburgess has joined #openstack-keystone		02:44
davechen1	figure it out, just need enable os_inherit in the keystone.conf. :)	02:45
*** vilobhmm has joined #openstack-keystone		02:45
*** spandhe has quit IRC		02:45
*** jamielennox is now known as jamielennox\|away		02:46
*** jamielennox\|away is now known as jamielennox		02:53
*** stevemar has joined #openstack-keystone		03:01
*** ChanServ sets mode: +v stevemar		03:01
*** wuhg has joined #openstack-keystone		03:03
*** cburgess has quit IRC		03:04
*** ankita_wagh has joined #openstack-keystone		03:05
*** cburgess has joined #openstack-keystone		03:05
*** dims has quit IRC		03:06
*** cburgess has quit IRC		03:07
*** cburgess has joined #openstack-keystone		03:10
*** richm has quit IRC		03:18
*** stevemar has quit IRC		03:22
*** rm_work has quit IRC		03:25
*** stevemar has joined #openstack-keystone		03:26
*** ChanServ sets mode: +v stevemar		03:26
*** rm_work\|away has joined #openstack-keystone		03:31
*** rm_work\|away is now known as rm_work		03:31
*** rm_work has joined #openstack-keystone		03:31
*** charlesw has quit IRC		03:40
*** browne has joined #openstack-keystone		03:40
*** kiran-r has quit IRC		03:44
*** markvoelker has joined #openstack-keystone		03:46
*** markvoelker has quit IRC		03:51
*** htruta_ has quit IRC		03:55
*** rm_you has joined #openstack-keystone		04:37
*** _cjones_ has joined #openstack-keystone		04:45
*** markvoelker has joined #openstack-keystone		04:47
*** _cjones_ has quit IRC		04:49
*** markvoelker has quit IRC		04:51
openstackgerrit	Merged openstack/keystone-specs: Add side-by-side comparison of v2 and v3 APIs https://review.openstack.org/187027	04:59
*** boris-42 has quit IRC		05:12
*** rm_you has quit IRC		05:19
*** ankita_wagh has quit IRC		05:24
*** vilobhmm has quit IRC		05:28
*** belmoreira has joined #openstack-keystone		05:57
*** kiran-r has joined #openstack-keystone		06:02
*** Kennan2 has joined #openstack-keystone		06:07
*** Kennan has quit IRC		06:07
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/192983	06:09
*** stevemar has quit IRC		06:10
*** vilobhmm has joined #openstack-keystone		06:15
*** fangzhou has joined #openstack-keystone		06:16
*** ankita_wagh has joined #openstack-keystone		06:18
*** e0ne has joined #openstack-keystone		06:25
*** e0ne has quit IRC		06:31
*** ankita_wagh has quit IRC		06:35
*** markvoelker has joined #openstack-keystone		06:36
*** vilobhmm has quit IRC		06:38
*** vilobhmm has joined #openstack-keystone		06:39
*** markvoelker has quit IRC		06:40
*** vilobhmm has quit IRC		06:46
*** vilobhmm has joined #openstack-keystone		06:49
*** vilobhmm has quit IRC		07:01
*** henrynash has joined #openstack-keystone		07:01
*** ChanServ sets mode: +v henrynash		07:01
*** chlong has quit IRC		07:06
*** rlt_ has joined #openstack-keystone		07:06
*** ihrachyshka has joined #openstack-keystone		07:17
jamielennox	lifeless: my pycon-au proposal was always fairly generic, it's actually not that far off	07:22
lifeless	jamielennox: sure, I know.	07:27
lifeless	jamielennox: but that wouldn't be heckling you. And we do want it touched up please :)	07:27
jamielennox	lifeless: yea, no worries - i sat down to do it thinking it was going to be a PITA, but it's not that bad	07:28
*** ncoghlan has quit IRC		07:36
jamielennox	lifeless: done	07:47
*** fangzhou_ has joined #openstack-keystone		07:48
*** browne has quit IRC		07:49
*** fangzhou has quit IRC		07:49
*** fangzhou_ is now known as fangzhou		07:49
lifeless	cool thanks	07:58
*** jamielennox is now known as jamielennox\|away		08:00
*** pnavarro has joined #openstack-keystone		08:09
*** boris-42 has joined #openstack-keystone		08:17
*** e0ne has joined #openstack-keystone		08:18
*** rushiagr_away is now known as rushiagr		08:18
*** markvoelker has joined #openstack-keystone		08:25
*** afazekas has joined #openstack-keystone		08:25
*** e0ne has quit IRC		08:25
*** markvoelker has quit IRC		08:29
*** aix has joined #openstack-keystone		08:32
*** henrynash has quit IRC		08:45
*** viktors has quit IRC		09:03
*** e0ne has joined #openstack-keystone		09:28
*** tobe has quit IRC		09:28
*** jasondotstar has joined #openstack-keystone		09:41
*** Kennan2 is now known as Kennan		09:49
*** e0ne is now known as e0ne_		09:52
*** e0ne_ is now known as e0ne		09:54
openstackgerrit	Dave Chen proposed openstack/keystone: Remove redundant config https://review.openstack.org/193477	09:55
*** davechen1 has left #openstack-keystone		09:56
*** dims has joined #openstack-keystone		10:09
*** markvoelker has joined #openstack-keystone		10:13
*** markvoelker has quit IRC		10:18
*** fangzhou has quit IRC		10:20
*** fmarco76 has joined #openstack-keystone		10:21
*** fmarco76 has quit IRC		10:21
*** afazekas has quit IRC		10:44
*** fangzhou has joined #openstack-keystone		10:45
*** samueldmq has quit IRC		10:51
*** dims has quit IRC		10:57
*** vg_ has joined #openstack-keystone		11:00
vg_	Hello Community folksd	11:00
*** henrynash has joined #openstack-keystone		11:00
*** ChanServ sets mode: +v henrynash		11:00
vg_	I need help with the Identity service policy assignments	11:01
vg_	I have a very specific ques. for that	11:01
vg_	https://ask.openstack.org/en/question/68616/openstack-policy-enforcement-for-custom-role-project_admin/	11:02
*** samuel has joined #openstack-keystone		11:02
marekd	vg_: i suggest waiting for ayoung	11:02
marekd	he should be here soon	11:02
*** samuel has quit IRC		11:02
marekd	he is the policy master	11:03
marekd	as well as samuelmmq who apparently is not here now.	11:03
*** samuel has joined #openstack-keystone		11:03
*** samuel has quit IRC		11:03
*** samueldmq has joined #openstack-keystone		11:04
*** wuhg has quit IRC		11:04
vg_	thanks much <+marekd> I am eagerly waiting	11:04
vg_	<samuelmq> would you be able to help me on policy for keystone please	11:05
samueldmq	morning	11:05
marekd	samueldmq: vg_ has a question for ya	11:05
vg_	I posted it in ask ..https://ask.openstack.org/en/question/68616/openstack-policy-enforcement-for-custom-role-project_admin/	11:05
samueldmq	marekd: vg_ hi, sure	11:05
*** dims has joined #openstack-keystone		11:06
samueldmq	vg_: I'll be glad if I can help	11:06
vg_	I am defining the custom role policies , but even after modifying it , my changes are not getting reflected	11:06
vg_	thanks <samueldmq>	11:06
vg_	i am here if you need more elaboration on the ques. or use case	11:07
*** afazekas has joined #openstack-keystone		11:07
samueldmq	vg_: reading your message in the ML (once I get some coffee) :)	11:08
vg_	thanks no worries...	11:08
openstackgerrit	Merged openstack/keystone: Imported Translations from Transifex https://review.openstack.org/192983	11:10
samueldmq	vg_: on your third point in there .. when you say http://<openstack-server-ip>/identity/<project-id>/detail/	11:11
samueldmq	vg_: you're talking about horizon, right ?	11:11
vg_	yes	11:11
samueldmq	vg_: k I got what you want	11:13
samueldmq	vg_: users are not owned by projects	11:13
samueldmq	vg_: so in project_id:%(target.project.id)s, this second part will evaluate to None, and the whole rule fails	11:14
vg_	ok	11:14
samueldmq	vg_: so you can't perform any action contaning that check	11:14
samueldmq	vg_: users are owned by domains	11:15
samueldmq	vg_: I'd suggest you to allow the domain_admin to manage users instead, and then check domain scope	11:15
samueldmq	vg_: so it should be something like : domain_id:%(target.domain.id)s, which means	11:16
samueldmq	vg_: the scope in the token (the first domain_id) must be equal to the target (user) domain id	11:17
samueldmq	vg_: adding role:domain_admin to that rule would mean that you allow, let's say, create_user for someone who has domain_admin role on a given domain and is trying to add users to the domain he/she admins	11:18
samueldmq	vg_: is that clear so far ?	11:18
*** e0ne is now known as e0ne_		11:19
vg_	yea , the domain part is clear to me that users should be maintained by domain	11:20
vg_	I am trying to map a rule , is it like this ?	11:20
vg_	"Tenant_Admin": "role:domain_admin or rule: domain_id:%(target.domain.id)s",	11:20
vg_	"identity:create_user": "rule:admin_required or rule:Tenant_Admin",	11:20
samueldmq	vg_: makes sense, however Tenant_Admin could be called domain_admin :)	11:20
samueldmq	vg_: so with this, you need a user with a domain scoped token	11:21
samueldmq	vg_: (so the domain is in the token, its scope more specifically)	11:22
samueldmq	vg_: however Horizon does not understand/use domain scoped tokens	11:22
vg_	yes...how would i show that up in Horizon dashboard	11:23
vg_	from the dashboard i fire up the API , which should be mapped to this rule for any user	11:24
samueldmq	vg_: I am not sure we could have a workaround that works the same for Horizon	11:25
samueldmq	henrynash: morning, you around ? ^	11:26
samueldmq	vg_: at very least you could specify just the role	11:27
samueldmq	vg_: but in that case, one would be able to CRUD users in any domain (since we weren't doing scope checking)	11:27
samueldmq	vg_: and having 'domain_admin' or 'user_admin' role in a project sounds weird	11:28
henrynash	samueldmq: hi	11:28
*** markvoelker has joined #openstack-keystone		11:29
*** e0ne_ has quit IRC		11:29
vg_	so i have the project_admin role created and in my keystone policy,json file i just added a role "Domain_Admin": "role:project_admin or rule: domain_id:%(target.domain.id)s",	11:30
samueldmq	henrynash: vg_ wants to create a domain_admin role which defines whether one can CRUD users or not	11:30
vg_	<samueldmq> yes both doesn't make sense	11:30
vg_	yes	11:31
henrynash	ok, sur	11:31
henrynash	sure	11:31
samueldmq	henrynash: I told him rules on the user CRUD should look like 'role:domain_admin or rule: domain_id:%(target.domain.id)s'	11:31
samueldmq	henrynash: however he wants to use that through Horizon, which does not understand domain scoped tokens	11:31
samueldmq	henrynash: do you know any workaround that could provide similar behavior ?	11:31
henrynash	samueldmq: I thought they started supporting domain tokens in Kilo, no?	11:31
samueldmq	henrynash: I don't think so .. let me check	11:32
henrynash	samueldmq: I though there was a patch to add that support…or so I heard	11:32
vg_	no even though their docs say it so , but I just stood up new kilo instance and it doesn't have that	11:33
*** markvoelker has quit IRC		11:34
samueldmq	henrynash: so it doesn't, just confirmed in #horizon	11:36
henrynash	samueldmq: ouch	11:37
samueldmq	henrynash: what I suggested him is to create 'user_admin' and assign this in a project, where the user can get a token	11:37
samueldmq	henrynash: and we could at very least check the project's domain id matches the domain where you're trying to create the usre	11:38
henrynash	samueldmq: yes, I have seen that done before	11:38
samueldmq	henrynash: I think that's the best we can do without domain scoped tokens	11:38
henrynash	samueldmq: I’m stunned that this didn’t yet get into Horizon	11:38
samueldmq	henrynash: and as far as I can tell, they don't intend to	11:39
samueldmq	henrynash: should domain-as-a-project be solving this somehow ? maybe ..	11:39
*** jasondotstar has quit IRC		11:43
henrynash	samueldmq: welll…that was the whole thing about have dual tokens!	11:47
samueldmq	henrynash: we could even do that with a project scoped token .. for example	11:49
samueldmq	henrynash: 'role:domain_admin and project_id:%(target.domain.id)s'	11:50
samueldmq	henrynash: if the project has is_domain=True, project_id:%(target.domain.id)s should match pretty fine :)	11:51
vg_	<samueldmq> so you suggest that i create new user with name "user_admin" assign it to project and then you are trying to get a token for this user (which we can get by simple curl call ) and then you want to check the domain of the project and match the domain_id?	11:51
samueldmq	vg_: first, one of your requirements is to managing users thorugh Horizon, right?	11:52
*** boris-42 has quit IRC		11:52
vg_	yes	11:52
samueldmq	vg_: I suggest you to create a role called 'user_admin' (which can be assigned to a user on a given project)	11:53
samueldmq	vg_: and yes, your last sentence is fine : 'check the domain of the project and match the domain_id'	11:53
henrynash	samueldmq: interesting idea....	11:55
samueldmq	vg_: however not sure we can do this with our current policy capabilities (the way we define the roles)...	11:55
samueldmq	vg_: I am not sure you can define something like : project.domain_id:%(target.domain.id)s	11:56
vg_	nopes I don't think project.domain_id would work	11:57
samueldmq	vg_: since that first part is what comes from the token, and we have only the project_id in there	11:57
samueldmq	vg_: and if you don't put any constraint on the scope, one with that role would be able to create users everywhere	11:58
samueldmq	henrynash: yes that makes sense, it is a good idea, isn't it ? :)	11:58
samueldmq	henrynash: keep that in mind and mull a bit on that, it may work pretty fine	11:58
henrynash	samueldmq: you’re a genious	11:59
henrynash	and a genius	11:59
samueldmq	vg_: henrynash haha not that much :-)	11:59
*** pc_m has joined #openstack-keystone		11:59
samueldmq	vg_: oops .. for you I wanted to say ... without scope checking , we're falling in bug #968696	11:59
openstack	bug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)	11:59
samueldmq	ayoung: cc ^ bug "9 6 8 6 9 6" :-)	12:00
vg_	i am not happy they missed the major functionality to have Horizon have this feature....it should be there asap	12:00
vg_	yes , i was just about to mention that	12:00
samueldmq	vg_: well there are alternatives way to solve that issue, one is as I just mentioned with henrynash	12:00
samueldmq	vg_: we are moving very well towards those directions in this cycle	12:01
*** bknudson has quit IRC		12:01
samueldmq	vg_: we're working towards : v3 compability everywhere (v3 defines domains) + dynamic policies	12:01
samueldmq	vg_: where we will providing a much better way to define policies, with role inheritance, etc	12:02
samueldmq	vg_: and policy changes would occur via api, instead of requiring you to be using an out-of-band mechanism to update policy (the policy.json file)	12:02
*** markvoelker has joined #openstack-keystone		12:05
samueldmq	henrynash: this way we could even kill domain-scoped tokens, well, at least this is an idea to be considered	12:07
samueldmq	morganfainberg, raildo, htruta cc ^	12:08
*** e0ne has joined #openstack-keystone		12:08
*** radez_g0n3 is now known as radez		12:09
openstackgerrit	henry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config https://review.openstack.org/191976	12:09
samueldmq	henrynash: and dynamic policies is moving ... ayoung and I had an agreement yesterday on the scope for L, we had some diagrams, roadmap at https://wiki.openstack.org/wiki/DynamicPolicies	12:10
samueldmq	henrynash: make sure to check it out once you have some time :)	12:10
henrynash	samueldmq: well, we’d need to add the is_domain to the token…or support a “lookip” via the poliy rule	12:11
samueldmq	henrynash: to make sure someone has role 'domain_admin' in the domain with id X instead of in the project with id X ?	12:13
samueldmq	henrynash: we woudln't need if we unified assignments, which may have other implications thought	12:13
samueldmq	though*	12:13
henrynash	samuelmq: a (say) user create have just a domain ID (which will be the same as the project ID acting as the domain)….but for it to check that this project ID really is a domain, you’d want the is_domain to be in the token	12:16
samueldmq	henrynash: sure, unless we had a kind of dual-scoped token, which could be implemented by just unifying the assignments	12:17
samueldmq	henrynash: and providing the scope in the token as 'project' anyway	12:17
samueldmq	henrynash: I think the guys here who are working with reseller are considering this possibility	12:18
henrynash	samueldmq: that’s what I’m saying….we only have project scoped tokens, we just always include the is_domain=True/False maybe in every token….then it’s up the the poly rule to refer to it	12:18
henrynash	samueldmq: I think this woud work :-)	12:19
henrynash	samueldmq: to you want to write this up…or I’m happy to (and will credit you with the idea)	12:21
htruta	morganfainberg has strongly rejected the is_domain on the token request	12:22
htruta	samueldmq, henrynash ^	12:22
henrynash	htruta: this isn’t in the request, it’s in the token that gets generated	12:23
henrynash	htruta: morganfainberg & I have just agreed to disagree, but I respect his call to not do this on the request.	12:23
henrynash	htruta: the token contents are different however….we’ll see later if he also has an issue with ths	12:24
samueldmq	henrynash: I think we don't even need to put that in the token, if unifying assignments isn't an issue	12:24
henrynash	samueldmq: that’s the bit I don’t follow…where does the polciy rule get is_domain from?	12:25
samueldmq	henrynash: so if you request a project scoped token, and that has user_admin role, you should be able to manage users, making checks on the domain_id i nhte policy	12:25
samueldmq	henrynash: that's whether we unify assignments or not, if we unify, you have a single entity (a project) that represents both the domain and the porject side	12:25
*** bknudson has joined #openstack-keystone		12:25
*** ChanServ sets mode: +v bknudson		12:25
htruta	we discussed that yesterday, and morganfainberg gave us two options	12:26
htruta	1 - do not allow getting project scoped token to is_domain projects (at least not in liberty)	12:26
*** fangzhou has quit IRC		12:26
htruta	2 - kill domain scoped tokens	12:26
henrynash	samueldmq: not sure how that works….you do need in policy rules to make domain special somehow, or someone can make their own project special	12:27
samueldmq	henrynash: that'd be aligned with 2. above (as htruta said)	12:27
samueldmq	henrynash: oh wait	12:27
henrynash	I’m all for killing domain tokens	12:27
samueldmq	henrynash: when you check 'project_id:%(target.domain.id)s'	12:28
samueldmq	henrynash: in let's say, create_user	12:28
henrynash	samueldmq: we just look in the user entity	12:28
henrynash	samueldmq: “target” here is a user entity	12:29
samueldmq	henrynash: you indeed check that project_id is a domain , in the create_user in the controller, it will validate target.domain.id as a valid domain	12:29
henrynash	samueldmq; yep…which is why I said it eitehr needs to be in the token	12:29
samueldmq	henrynash: it already validates domains in the controller level	12:30
henrynash	samueldmq: or we add some kind of lookup to teh policy support (which I don’t like)	12:30
samueldmq	henrynash: where a domain is expected to be provided	12:30
samueldmq	henrynash: controller/manager level	12:30
henrynash	samueldmq: I guess that’s true…..hmmm…but not sure if I like the split checks	12:31
henrynash	samueldmq: it would be hard to know what you are limiting when writinga policy rule without knowing the code….	12:32
samueldmq	henrynash: we already have that today, yes I agree that's a kinf of hacking	12:32
samueldmq	henrynash: that is not very explicit/clear in the policy definition	12:32
samueldmq	henrynash: but for sure an idea to be considered :)	12:32
henrynash	samueldmq: Ok, let me take a crack at a quick blueprint for this!	12:33
samueldmq	htruta: henrynash is 100% for killing domain scoped tokens ;)	12:33
samueldmq	henrynash: nice, htruta and guys here will consider this as well, they are the right guys to be synchronizign with	12:34
samueldmq	thanks	12:34
henrynash	samueldmq: good ideas, guys	12:35
samueldmq	ayoung: I am updating that sequence diagrams to start with the right numbers (some of them start with action 14, etc)	12:36
samueldmq	ayoung: let me know when you're available so we can talk more about details on that thing	12:36
samueldmq	ayoung: and I am planning to start missing specs today, at least to have a first version	12:37
ayoung	samueldmq, ok, so question: what happens to the stock policy when a dynamic policy is fetched?	12:37
samueldmq	ayoung: since we've agreed on that workflow, let's define the specs, to have something very nicely defined by the end of next week	12:37
samueldmq	ayoung: how does keystone generate the dynamic policy based on the stock policy ?	12:38
ayoung	samueldmq, I think the two things we need up front are the Keystone API changes and the ability to fetch the policy from Auth token middleware	12:38
ayoung	lets put that question aside	12:38
samueldmq	ayoung: so keystone stores 1) stock policy and 2) custom policy (a kind of diff for what the admin has customized)	12:38
ayoung	we can deal with that later, here is what I am thinking	12:38
samueldmq	ayoung: so it gets stock policy for that endpoint, and overrides with what is in the custom policy	12:39
ayoung	1. There is always a stock policy on the server, so that it can run even if Keystone has nothing for it	12:39
ayoung	we need that as a migration strategy if nothing else	12:39
samueldmq	ayoung: if the CMS has not uploaded a stock policy for an endpoint	12:39
samueldmq	ayoung: we fall bakc, and do not apply the dynamic policy mechanism	12:39
samueldmq	ayoung: the admin ccan't even customize, since there is nothing to be based on	12:40
ayoung	At start up, or upon first user request, the service requests a policy from keystone. Let's say keystone has something for it. Where does it go? Same directory as the stock policy? are they additive?	12:40
*** woodster_ has joined #openstack-keystone		12:40
samueldmq	ayoung: the CMS is expected to be uploading the policy which is shipped with the code as the stock policy	12:41
ayoung	Or, do we say it is all or nothing; either we use the stock policy, or we use the dynamic policy, not both together	12:41
ayoung	so, one thing we could do is this	12:41
*** raildo has joined #openstack-keystone		12:41
samueldmq	ayoung: so at very last, it would be overwriting it with itself	12:41
ayoung	upon start up, create a cache dir. copy the stock policy into cache. Then, upon fetch, we wipe out the cache	12:41
*** jasondotstar has joined #openstack-keystone		12:43
ayoung	samueldmq, so upon starting Nova, it could try to post its stock policy to Keystone	12:44
ayoung	and then we need to merge. How do we determine if the stock policy is new or not? I'm thinking SHA256 and Keystone tracks all the uploaded policy files.	12:45
*** dims has quit IRC		12:46
ayoung	samueldmq, when doing the certs for PKI, we had decided to wait until first request to fetch certs, as we did not want to rqure that the keystone server was up in order to start Nova. We'll have the same concern here, too	12:46
*** dims has joined #openstack-keystone		12:46
openstackgerrit	henry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config https://review.openstack.org/191976	12:47
samueldmq	ayoung: let me see if I understand	12:48
samueldmq	ayoung: you propose to have middleware uploading stock policy to keytone, instead of having the cms ?	12:48
samueldmq	ayoung: I think the idea on having the dynamic policy created based on the stock + what the amdin has customized is the key	12:49
samueldmq	ayoung: since when a service upgrades, cms only needs to update stock policy on keystone	12:50
samueldmq	ayoung: stcok policy can be associated to url, region or service, where we find hierarchically for a stock poliyc of a given endpoint	12:50
raildo	henrynash, ping, I totally agree with kill domain tokens, but I understand the other side, so imo, now in Liberty we can stay with don't allow getting project scoped token to is_domain-True, and in M we can discuss a better solution for that issue. What do you think?	12:59
samueldmq	raildo: so the option 5 ?	13:00
raildo	samueldmq, unfortunately :(	13:00
samueldmq	raildo: I think that may be a wise choice, since we introduce domain hierarchies, and have more time to think how to do it the best we can	13:00
samueldmq	raildo: not against having is-domain or any other option, but we would have more time to think about, as you said	13:01
samueldmq	raildo: I am with you on this point o/	13:01
openstackgerrit	henry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config https://review.openstack.org/191976	13:01
henrynash	raildo: let’s see…I’ll push for L !!	13:01
raildo	henrynash, haha	13:02
raildo	henrynash, so, what we have to do to convince the other guys?	13:02
samueldmq	henrynash: that's something great, however we can't do that when cores are 50% for and 50% against doing it now :)	13:03
samueldmq	raildo: ++	13:03
henrynash	raildo: my argument is….this (unless there’s a gremlin we haven’t thought of) will fix Horizon and everyone’s issuson domain tokens. We won’t kill them yet (you can still ask for one), but by inluding is_domain=True in the token it lets us write policy files that don’t need domain tokens	13:04
samueldmq	ayoung: do what I said above make sense ?	13:05
samueldmq	ayoung: that's related to the default policy thing, if no policy is specified for an endpoint	13:05
*** HenryG has quit IRC		13:05
*** HenryG has joined #openstack-keystone		13:05
samueldmq	ayoung: in that case, I believe we should step-back, and let the old mechanism in place (i.e do not touch /etc/nova/policy.json)	13:06
ayoung	samueldmq, it can be either CMS or Nova itself, depending. CMS is probably better workflow, less surprise	13:06
*** HenryG has quit IRC		13:06
samueldmq	ayoung: nova uploading would be thorugh something like /policy API	13:06
samueldmq	ayoung: but nothing says we cna't go for that in M if we decide	13:06
ayoung	so, when policy is fetched from Keystone, it will remove whatever is in the cache.	13:06
samueldmq	ayoung: CMS is better for now	13:07
ayoung	we start by populating the cache from stock	13:07
*** HenryG has joined #openstack-keystone		13:07
samueldmq	ayoung: exactly, it would be overwritting /etc/nova/policy.json	13:07
ayoung	that can happen at startup	13:07
raildo	henrynash, in the other way, we age kind of mix project and domain admin and this can be a mess... that is the main argument to doesn't kill domains tokens now.	13:07
samueldmq	ayoung: since stock on keystone is the same as that initially	13:07
ayoung	samueldmq, OK, I think we should create a sequence diagrams with the cache, and show the relationship between Auth token, the cache, Nova, and oslo.policy	13:08
raildo	henrynash, I want to do this, but I don't want to have 90% of core team hates me hahahaha	13:08
samueldmq	ayoung: ++ do you want to do so or can I grab that ?	13:09
vg_	<samueldmq> <+ayong> <HenryG> sorry i went for long meeting in here , can anyone of you please address this question here as well as to what we discussed above - https://ask.openstack.org/en/question/68616/openstack-policy-enforcement-for-custom-role-project_admin/	13:09
ayoung	samueldmq, take a first swipe at it, please	13:09
samueldmq	ayoung: I am available to do so, but I am ok if you want to	13:09
henrynash	raildo: that’s ok, 45% can hate you, and the other 45% can hate me….the it’s less than 505 each	13:09
samueldmq	ayoung: sure!	13:09
vg_	I will anyway try that policy changes as suggested	13:09
henrynash	(50% each)	13:09
ayoung	samueldmq, if you want to start with one of the existing diagrams, that may make sense, too	13:09
dstanek	ah, boy. talking hierarchies again	13:09
ayoung	or do it as a stand alone, either way	13:09
samueldmq	ayoung: that's exactly what I was thinking	13:10
samueldmq	ayoung: that's something that exists, but will contain more details	13:10
samueldmq	ayoung: ok will look what could be better	13:11
samueldmq	dstanek: that's part of the fun here :-)	13:11
marekd	boy, how do i run any osc command with existing token ?	13:16
*** richm has joined #openstack-keystone		13:16
marekd	OS_TOKEN=token openstack --os-auth-type v3token server list is correct?	13:16
dstanek	henrynash: i had a good discussion with htruta last night and i think i managed to confuse myself.	13:16
henrynash	dstanek: join the clud	13:17
henrynash	club	13:17
marekd	dstanek: what was it about ?	13:17
htruta	dstanek: lol	13:17
htruta	is that a good thing?	13:17
dstanek	htruta: no	13:17
dstanek	A<is_domain=True> is a domain obviously, but is also a project that is a child of that domain. Still blows my mind.	13:18
marekd	heh, what happens when you remove this project?	13:19
dstanek	marekd: you can't physically because it's the same database record	13:19
*** vg_ has quit IRC		13:20
marekd	dstanek: but logically you want it to appear in your project list.	13:20
marekd	or you don't ?	13:20
htruta	dstanek: it is a project. but it's not a child.	13:20
dstanek	marekd: if it holds resources like other projects (compute, etc) it would have to	13:20
htruta	it is a suoer-powerful project	13:20
htruta	super*	13:20
dstanek	htruta: but logically it acts as a child	13:20
dstanek	it i told you i had a project named A that was part of a domain A, would you know if it's is_domain=True?	13:24
dstanek	or like schrodinger's cat is it both until you check the box?	13:25
*** dguerri` is now known as dguerri		13:26
samueldmq	ayoung: would you be ok with adding those diagrams to the main wiki page itself	13:27
samueldmq	ayoung: so we don't need to open a new page to see the diagrams	13:27
htruta	dstanek: hah. you would have to be clearer. if you say that it's part of a domain, I'd say that it's is_domain=false	13:27
htruta	otherwise, it'll b both	13:28
dstanek	htruta: i'm not worried about the way to get tokens, i'm worried about how to explain what is actually happening	13:30
openstackgerrit	henry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain https://review.openstack.org/193543	13:31
openstackgerrit	henry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain https://review.openstack.org/193543	13:32
*** HT_sergio has joined #openstack-keystone		13:33
samueldmq	henrynash: "identity:create_user": "rule:admin_required and project_id:%(user.domain_id)s and is_domain:True" :-)	13:33
dstanek	henrynash: what is the actual difference between having a domain scoped token and a project scoped token with is_domain=True?	13:34
*** kiran-r has quit IRC		13:34
htruta	dstanek: you just need to say that you have powerful projects that hold users and regular projects that, as it works today, don't	13:34
henrynash	dstanek: nothing (in theory)…	13:34
*** charlesw has joined #openstack-keystone		13:35
henrynash	dtsanek: it’s just that you don’t need to understand domain tokens in order to get the later	13:35
dstanek	htruta: but now you have siblings with the same name! so confusing	13:35
henrynash	dtsanek: so (for instance), Horizon would just work	13:35
dstanek	henrynash: they'd have to change horizon to know enough about the domain concept to know when to ask for an is_domain=True though, right?	13:36
samueldmq	dstanek: unless we merge assignments and make the token work for both domain + project sides	13:37
samueldmq	dstanek: but I am nt sure about the implications of merging assignments, just seeing the possibility	13:37
dstanek	samueldmq: i don't get that. to get around the ambiguity we've created they would have to know to ask for an is_domain=True token at least some of the time, but i would guess all of the time	13:39
*** dguerri is now known as dguerri`		13:40
samueldmq	dstanek: requesting a token on a project which has is_domain -> True would always return a token with is_domain = True, meaning you could act as a domain orproject with that token	13:42
samueldmq	dstanek: kind of dual scoped token, that was being proposed by the guys here	13:42
dstanek	samueldmq: but you'll have to specify is_domain=True in the token request because of the ambiguity	13:42
samueldmq	dstanek: k I got your point, you don't want a token to act as both project and domain	13:44
samueldmq	ayoung: btw, talking to morganfainberg a few days ago, he suggested to make the policy fetch in its own middleware	13:44
dstanek	samueldmq: ++	13:44
samueldmq	ayoung: i.e, a separate filter from auth_tokne	13:44
ayoung	samueldmq, nope	13:44
ayoung	samueldmq, it is going to go along with gyee_ 's code for endpoint binding	13:44
ayoung	he's going to need it , too	13:44
*** dguerri` is now known as dguerri		13:45
samueldmq	ayoung: I'd be for splitting both :(	13:45
samueldmq	ayoung: auth_token should be only about tokens	13:45
ayoung	so, since he insisted that gyee_ 's goes into ATM, policy fetch goes there too. We can't do a check before a fetch	13:45
samueldmq	ayoung: auth_TOKEN :(	13:45
samueldmq	ayoung: who said we couldn't put the policy filter on top of auth_token	13:46
samueldmq	ayoung: instead of running after it ?	13:46
samueldmq	:-)	13:46
samueldmq	ayoung: that's an independent task	13:46
ayoung	its all Keystone work	13:47
*** henrynash has quit IRC		13:47
ayoung	making each service update pipelines is no more viable for Policy fetch than for endpoint binding	13:47
marekd	rodrigods: FYI, i am playing with our k2k auth plugin and it happens to work	13:47
samueldmq	ayoung: k if you guys want me to write that on auth_token, I will hapilly do that	13:47
samueldmq	ayoung: I really don't want to struggle on that point	13:48
marekd	i have small problems with scoping the token, but i think this might actually be a problem with server.	13:48
samueldmq	ayoung: already ahving enough fun with the roadmap/scope ;)	13:48
samueldmq	ayoung: oh that's a great point, so it'd require services updating their pipelines ..	13:48
*** henrynash has joined #openstack-keystone		13:48
*** ChanServ sets mode: +v henrynash		13:48
*** dims is now known as dimsum__		13:57
*** jdennis has quit IRC		14:00
*** morgan has quit IRC		14:02
*** morgan has joined #openstack-keystone		14:03
*** morgan is now known as Guest93126		14:03
*** pballand has quit IRC		14:04
*** f13o has joined #openstack-keystone		14:05
*** morganfainberg is now known as morgan-devserver		14:06
*** morgan-devserver is now known as CaptainMorgan		14:08
*** ihrachyshka has quit IRC		14:09
*** sigmavirus24_awa is now known as sigmavirus24		14:12
*** stevemar has joined #openstack-keystone		14:24
*** ChanServ sets mode: +v stevemar		14:24
CaptainMorgan	ayoung: samueldmq: fwiw, the policy fetch and cache is going to be the hard part. Especially with multiple worker processes (mod_wsgi). This is cache coherency...it is not easy to do right.	14:25
ayoung	CaptainMorgan, Is that Army Captain or Navy Captain?	14:27
CaptainMorgan	Pirate captain	14:27
ayoung	So...Navy	14:27
*** r-daneel has joined #openstack-keystone		14:27
CaptainMorgan	Rum running pirate captain. :P	14:27
CaptainMorgan	Sure.	14:28
samueldmq	CaptainMorgan: haha	14:28
samueldmq	CaptainMorgan: don't we solve a similar problem with certificates (or something else) ?	14:28
*** archers has joined #openstack-keystone		14:29
*** stevemar is now known as stevedoor		14:29
CaptainMorgan	samueldmq: sortof we store them to disk and load them every time.	14:29
CaptainMorgan	Policy is harder because they change more often. And almost no one uses pki tokens.	14:29
samueldmq	CaptainMorgan: and yes, finally we are in agreement, I am working on a couple of new diagrams and will pin g you later to get you view	14:30
CaptainMorgan	We also don't refectory certs	14:30
CaptainMorgan	Refetch*	14:30
CaptainMorgan	Unless the cache on disk is removed.	14:30
CaptainMorgan	Now imagine running multiple nova api behind ha proxy on separate machines.	14:31
samueldmq	CaptainMorgan: let me understand the issue	14:31
CaptainMorgan	Then cache coherency becomes a real headache, as all the policies need to be in sync.	14:31
samueldmq	CaptainMorgan: separate machines mean differetn URLs, right?	14:31
*** josecastroleon has quit IRC		14:31
CaptainMorgan	You can't have some workers for an endpoint with different policy files.	14:31
samueldmq	CaptainMorgan: or is the proxy URL the endpoint URL,	14:32
breton	what's the problem with cache coherence if we use multiple memcaches?	14:32
CaptainMorgan	No, you can have separate machines behind ha proxy meaning same url	14:32
samueldmq	CaptainMorgan: HMMM ;; so updating policy should be an atomic operation through different machines	14:32
CaptainMorgan	breton: forcing the use of memcache is one option.	14:32
breton	CaptainMorgan: s/memcache/redis/	14:32
CaptainMorgan	samueldmq: it has to be atomic for all api processes for a given endpoint.	14:33
CaptainMorgan	This is a hard problem. It always will be a hard problem.	14:33
samueldmq	CaptainMorgan: great sentence, captain	14:33
* samueldmq is going to have lunch, back in a bit		14:33
CaptainMorgan	breton: sure that is an option, it likely means we will see a slow adoption of dynamic policy. I'm not opposed to it though.	14:34
breton	hm, ok.	14:34
*** jasondotstar has quit IRC		14:35
samueldmq	CaptainMorgan: if policy was stored into db prior to policy.json file, this problem should be solved	14:35
CaptainMorgan	Doesn't matter how you cut it, it is adding either a lot of developer overhead or a lot of operator overhead.	14:35
CaptainMorgan	samueldmq: how?	14:35
samueldmq	CaptainMorgan: I mean, db coherency/replication would take care of the hard part for us	14:35
CaptainMorgan	How? You can't wave hands and say db solves it :P	14:35
* samueldmq waves hands		14:36
breton	also, /me hit all the caveats of per-domain config and openldap and using v3 in juno	14:36
samueldmq	CaptainMorgan: services would need to store their policies into their dbs	14:36
samueldmq	CaptainMorgan: this solves, but not sure this is the best soltuion/can be adopted	14:36
CaptainMorgan	samueldmq: unlikely to fly. The services own their dbs. Keystone owns the policy and fetcher.	14:36
CaptainMorgan	Also the db then has to be queried on every request for policy updates.	14:37
breton	there is not enough docs about domains	14:37
samueldmq	CaptainMorgan: ok	14:37
*** jasondotstar has joined #openstack-keystone		14:37
samueldmq	CaptainMorgan: tell me ...	14:37
CaptainMorgan	breton: you should bug henrynash about that too.	14:37
samueldmq	CaptainMorgan: how to admins update a policy when they have multiple machines representing a single endpoint ?	14:37
samueldmq	CaptainMorgan: how to they update N policies atomically ? we should solve this similarly	14:38
CaptainMorgan	samueldmq: they use cms and restart the endpoint sorry have a small window of an outage.	14:38
CaptainMorgan	With auto updates across nodes and processes you have less control of when this happens.	14:38
CaptainMorgan	A lot less control.	14:39
samueldmq	CaptainMorgan: that's an interesting challenge, captain, I will mull on it a bit more	14:40
* samueldmq 's gonna have lunch		14:40
*** charlesw has quit IRC		14:43
*** dguerri is now known as dguerri`		14:44
samueldmq	CaptainMorgan: each process behind the proxy has its own middleware, right ?	14:45
*** charlesw has joined #openstack-keystone		14:45
samueldmq	CaptainMorgan: so each middleware is in charge of fetching/updating the cache of the policy for its service	14:47
samueldmq	CaptainMorgan: so updating isn't an issue, but the time window between middlwares updating their policies	14:47
samueldmq	CaptainMorgan: is that right ?	14:47
*** dvorak is now known as clayton		14:49
*** archers has quit IRC		14:50
*** dguerri` is now known as dguerri		14:50
*** spandhe has joined #openstack-keystone		14:51
*** f13o has quit IRC		14:53
dstanek	anyone have any thoughts on this: https://bugs.launchpad.net/keystone/+bug/1466893	14:53
openstack	Launchpad bug 1466893 in Keystone "Keystone wsgi will not start after upgrade on neutron grenade jobs some times" [Critical,New]	14:53
*** f13o has joined #openstack-keystone		14:54
stevedoor	dstanek, don't use neutron	14:56
bknudson	dstanek: is the first error "Target WSGI script '/var/www/keystone/admin' cannot be loaded as Python module." causing the next error?	14:56
bknudson	or is it really one error message?	14:56
samueldmq	henrynash: @david-lyle \| samueldmq: there is a set of patches to support domain-scoped tokens, but they have not merge yet	14:56
samueldmq	henrynash: @david-lyle \| https://review.openstack.org/#/c/141153/ and https://review.openstack.org/#/c/148082/	14:57
stevedoor	maybe it's the monkey patching?	14:57
bknudson	I wonder what /var/www/keystone/admin looks like ... if it's normal or not?	14:57
dstanek	bknudson: it's the kilo version	14:57
bknudson	you can look at it?	14:58
dstanek	no, but i asked sdague	14:58
*** diazjf has joined #openstack-keystone		14:58
charlesw	Hi folks, we have a swift cluster using keystone PKI token to authN. The token expiration time is 8h. In swift's keystone middleware config, the default revocation_cache_time is 10 (seconds), and token_cache_time is 300 (s). Sometimes we saw in swift proxy-server.error log: WARNING:swift:Fetch revocation list failed, fallback to online validation WARNING:swift:Authorization failed for...	14:58
charlesw	...token. Seems like the service user's token becomes invalid quickly even though exp time is 8h. We see 401 errors frequently when fetching revocation_list from keystone server which cause re-authentication for the service user to retry to fetch revocation_list. We also see GET / call to keystone server right after the re-authentication. Keystone server uses memcached to store revocation...	14:58
charlesw	...list. Any clues?	14:58
charlesw		14:58
*** Ephur has joined #openstack-keystone		14:59
dstanek	bknudson: i think that "could not be loaded" is part of the exception below it	14:59
bknudson	dstanek: it looks like the startup worked in several cases but then one of them fails	15:00
bknudson	there's lots of "Deprecated: direct import of driver is deprecated as of Liberty in favor of entrypoints and may be removed in N." so it's running the new code already	15:01
*** charlesw_ has joined #openstack-keystone		15:01
dstanek	yeah, i don't quite get it	15:01
marekd	rodrigods: ping.	15:01
dstanek	it's kilo wsgi running against master code	15:01
rodrigods	marekd, hi	15:01
bknudson	dstanek: http://logs.openstack.org/19/193519/2/check/check-grenade-dsvm-neutron/e0a1dbe/logs/apache/keystone.txt.gz#_2015-06-19_13_35_48_117594	15:01
dstanek	it seems like configure() is called twice, but i can't see how that could be	15:02
bknudson	here's another similar failure	15:02
bknudson	but it's not configure, it's can't import ec2.	15:02
*** rushiagr is now known as rushiagr_away		15:02
dstanek	that's interesting - missing deps?	15:02
marekd	stevedoor: rodrigods: do you agree that after we scope federated token, the groups should also be present in user['OS-FEDERATION']['group_ids'] ?	15:02
*** zzzeek has joined #openstack-keystone		15:03
stevedoor	marekd, isn't that what we do now?	15:03
bknudson	dstanek: it doesn't look like it's really on startup. Apache just starts a new worker whenever it feels like it.	15:03
*** charlesw has quit IRC		15:03
*** charlesw_ is now known as charlesw		15:03
marekd	stevedoor: i just need confirmation...	15:04
marekd	because i also think we do that.	15:04
*** browne has joined #openstack-keystone		15:04
stevedoor	marekd, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L533-L566	15:05
stevedoor	y we do	15:05
rodrigods	marekd, yep, but just not sure if they are already there too	15:05
stevedoor	marekd, we do it for unscoped only i think	15:05
marekd	stevedoor: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L558-L566we don't....	15:05
bknudson	dstanek: keystone is started with L code at around 13:33:16 and this failure occurs at 13:35:56	15:05
marekd	stevedoor: if we scope the project the groups are not added, just roles.	15:06
stevedoor	wait...	15:06
rodrigods	marekd, stevedoor maybe a bit confusing displaying groups that don't have role_assignment in the project/domain of the token scope?	15:06
bknudson	dstanek: it's like maybe mod_wsgi isn't cleaning up after itself properly	15:06
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816	15:06
stevedoor	marekd, right, after a scoping its just the roles	15:06
bknudson	dstanek: one obvious workaround is to catch the exception	15:06
marekd	stevedoor: which basically means you cannot rescope from existing token... ?	15:07
stevedoor	marekd, explain that more please	15:08
*** belmoreira has quit IRC		15:08
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816	15:08
*** amakarov_away is now known as amakarov		15:09
marekd	stevedoor: wait, once I have a normal token, and a user exists in the backend, how does he rescope the token (to different project). Is it even possible?	15:09
marekd	stevedoor: actually i don't understand why would we even put roles in OS-FEDERATION ?	15:09
marekd	rodrigods: ^^	15:10
marekd	in the token['user'][OS-FEDERATION']	15:10
dstanek	bknudson: i guess it would be possible to get a dirty process from apache, but that seems unlikely	15:10
stevedoor	marekd, we don't put roles in user.os-federation, we put it at the top level	15:11
dstanek	bknudson: according to sdague then happens mostly on neutron jobs and ever then it isn't all of the time	15:11
dstanek	so why is neutron different?	15:11
*** henrynash has quit IRC		15:11
marekd	stevedoor: ah, ok	15:11
dstanek	charlesw: so you are seeing your service user's tokens expiring too quickly?	15:12
stevedoor	marekd, i'm not sure the user can rescope the token?	15:12
marekd	stevedoor: stevedoor you are right, my bad.	15:12
marekd	stevedoor: shall we put groups in the scoped tokens too ?	15:13
charlesw	@dstanek: yes. It's strange. Swift client's token seems fine though.	15:13
dstanek	charlesw: is there something in the revocation list maybe saying that it was invalidated?	15:14
*** jsavak has joined #openstack-keystone		15:14
pc_m	stevedoor: hi. Do you have time for some questions? morganfainberg pointed me your way.	15:15
rodrigods	marekd, I'm worried about the semantics of having groups in a scoped token (groups that don't have role assignment in the token scope)	15:15
marekd	rodrigods: it's about your identity	15:15
marekd	rodrigods: it's all you get ,as an ephemeral user.	15:16
bknudson	dstanek: neutron jobs might drive more token creation	15:16
bknudson	more communication with keystone	15:16
bknudson	and more concurrency	15:16
rodrigods	marekd, but the identity in a scoped token is a "targeted" identity IMHO	15:16
david8hu	samueldmq, ayoung, CaptainMorgan, The sequence diagram step 8 from the wiki calls for overriding of default policy with custom policy. Is there a plan to provide an API to indicate default verses custom policy? I assume not, so it should be a policy orverriding a previous policy already in the db. The previous policy does not need to be the default policy that originally shiped with each service. It could a policy tha	15:16
david8hu	t already overriden the default policy, and service simply overrides it with an update.	15:16
marekd	rodrigods: can we rescope scoped token today?	15:17
dstanek	bknudson: in your example i'm wondering what sys.module['keystoneclient'] actually is	15:17
rodrigods	marekd, I believe we can	15:17
*** Zanatoz has joined #openstack-keystone		15:17
bknudson	dstanek: example?	15:17
stevedoor	pc_m, whats up	15:18
pc_m	stevedoor: I'm doing some researching/investigating and would like to know if/how to support the scenario I have.	15:19
charlesw	@dstanek, the revocation list fetching failed with 401 error. Could it be the service user's token is revoked? It has to re-authN and re-fetch the revocation list.	15:20
stevedoor	pc_m, what's your scenario look like?	15:20
*** jlibosva has joined #openstack-keystone		15:20
bknudson	dstanek: https://bugzilla.redhat.com/show_bug.cgi?id=677735#c14 ?	15:20
openstack	bugzilla.redhat.com bug 677735 in z_other "Pulp process becomes unresponsive after a few days" [High,Closed: currentrelease] - Assigned to jslagle	15:20
bknudson	that's pretty old	15:21
pc_m	stevedoor: Essentially an AWS Direct Connect scenario, where user Joe, wants to give Sally (someone external to OpenStack) authorization to perform some Neutron commands, like add a subset/network, set a GW IP, etc.	15:21
jlibosva	hi, we have issue on gate in grenade job with Neutron. I'm not very familiar with keystone logs, is there anybody willing to help me to understand?	15:21
dstanek	bknudson: well, it python thinks that keystoneclient.contrib.ec2 doens't exist maybe in got the wrong module in the import pth or something	15:21
pc_m	morganfainberg suggested OAuth1.1. Would that work?	15:22
dstanek	jlibosva: that's probably the issue we are talking about now	15:22
bknudson	dstanek: oh, y, I didn't notice it was keystoneclient and not keystone	15:22
pc_m	stevedoor: We don't want to give Sally, Joe's auth credentials.	15:22
jlibosva	dstanek: can you give me tl;dr?	15:22
jlibosva	I just joined channel	15:22
stevedoor	pc_m, and you dont want to give sally her own credentials?	15:23
dstanek	jlibosva: we are looking into https://bugs.launchpad.net/keystone/+bug/1466893	15:23
openstack	Launchpad bug 1466485 in Keystone "duplicate for #1466893 keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Confirmed]	15:23
jlibosva	dstanek: thanks!	15:23
jlibosva	dstanek: yep, thats it! :)	15:23
bknudson	dstanek: the documentation for mod_wsgi doesn't expire confidence: https://modwsgi.readthedocs.org/en/master/#status	15:23
pc_m	stevedoor: Not sure. Sally would be an Internet Provider, for example.	15:23
bknudson	https://modwsgi.readthedocs.org/en/master/_images/dead-parrot.jpg	15:23
stevedoor	pc_m, then i think the oauth module is what you want	15:23
pc_m	stevedoor: I did see a link from morganfeinberg on OAuth, some questions for you on that...	15:24
stevedoor	pc_m, it essentially enables an openstack user to delegate a role on a project to an external party	15:24
pc_m	stevedoor: Yeah, that is what I'm looking for.	15:24
stevedoor	pc_m, sure (leaving for lunch in ~ 15 minutes) - but fire away	15:24
pc_m	stevedoor: I'll try to be quick...	15:25
stevedoor	pc_m, meh, there's always email :)	15:25
pc_m	stevedoor: What release supports OAuth?	15:25
stevedoor	oh it's been there for a while, grizzly/havana?	15:25
pc_m	stevedoor: I can do that, can you PM me your email?	15:25
stevedoor	done	15:26
*** pballand has joined #openstack-keystone		15:26
pc_m	stevedoor: thanks! Let me shoot you an email.	15:26
*** jasondotstar has quit IRC		15:26
stevedoor	pc_m, cool cool	15:26
bknudson	dstanek: I guess they switched to https://bugs.launchpad.net/grenade/+bug/1466485	15:26
openstack	Launchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Confirmed]	15:26
dstanek	bknudson: yeah, i mentioned in -qa this morning that the bug was already reported	15:27
*** jasondotstar has joined #openstack-keystone		15:28
dstanek	bknudson: the example you found was using ksc 1.3.1 which i'm assuming has that module	15:29
*** edmondsw has joined #openstack-keystone		15:30
*** vilobhmm has joined #openstack-keystone		15:31
bknudson	dstanek: it just randomly switches from one version of ksc to another?	15:31
dstanek	do you see it using a different version?	15:32
bknudson	or does apache report that error if it's been running for a while and an exception escapes?	15:32
*** pnavarro has quit IRC		15:32
bknudson	dstanek: I don't see it using a different version, but why is the error reported only once and not every time?	15:32
*** browne has quit IRC		15:33
bknudson	or does apache only report the error on startup?	15:33
dstanek	not sure. i would expect apache to report that for each process	15:34
bknudson	dstanek: !!! -- http://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/apache/keystone.txt.gz#_2015-06-18_09_08_31_715671	15:35
bknudson	??	15:35
bknudson	this is just random	15:35
bknudson	I guess it's back to eventlet since mod_wsgi is such a turd	15:35
dstanek	whoa...something is getting seriously messed up	15:36
bknudson	maybe there's some docs that indicate we're doing something totally wrong	15:36
stevedoor	bknudson, from oslo_utils import excutils	15:36
*** jsavak has quit IRC		15:37
stevedoor	maybe it's a library issue?	15:37
*** Lactem has joined #openstack-keystone		15:37
Lactem	Hey @dolphm.	15:37
dstanek	stevedoor: probably not in all of the libs	15:37
*** jsavak has joined #openstack-keystone		15:38
*** _cjones_ has joined #openstack-keystone		15:38
dstanek	bknudson: could there be some stevedore recursion in there?	15:38
bknudson	dstanek: why would it only happen once and not every time?	15:39
dstanek	the line before the error indicates that something is loading by the full class path, but the traceback show stevedore loading stuff	15:39
* bknudson thought dstanek was going to fix all this dependency stuff.		15:40
*** vilobhmm has quit IRC		15:40
dstanek	i don't think this is a dependency issue :-P	15:40
dstanek	and you guys keep slowing down my patches!	15:41
bknudson	I guess we could add a LOG.debug so we know what driver is being loaded.	15:43
Lactem	Is dolphm around at this time of day usually?	15:44
dstanek	Lactem: sometimes	15:44
dstanek	Lactem: need help?	15:44
bknudson	I'm going to keep trolling through the mod_wsgi docs in case it says we're doing something wrong.	15:46
dstanek	bknudson: i'll add some debugs to maybe help us catch the issue	15:46
bknudson	dstanek: a log in httpd/keystone.py saying that it's calling "application = wsgi_server.initialize_application(name)" would help, too	15:47
*** kfox1111 has joined #openstack-keystone		15:47
bknudson	in case it's getting called multiple times in the same process	15:47
bknudson	because that's something that we wouldn't be expecting	15:47
dstanek	bknudson: that would have to be back ported to kilo	15:48
bknudson	dstanek: maybe... but the logs where it fails are in L	15:48
openstackgerrit	ayoung proposed openstack/keystone-specs: certmonger https://review.openstack.org/134099	15:48
dstanek	bknudson: it's L version of keystone but the wsgi script installed from kilo	15:48
bknudson	whaaa?	15:49
bknudson	there's no diff in that file for L -> k	15:49
bknudson	it changed from J in K	15:50
bknudson	http://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py?h=stable%2Fkilo	15:50
bknudson	it's only 1 line of code, so not the most complicated	15:50
*** marzif has joined #openstack-keystone		15:50
bknudson	I'm not sure if you can call log function in httpd/keystone.py since logging wouldn't be configured yet	15:51
*** kiran-r has joined #openstack-keystone		15:51
*** marzif has quit IRC		15:51
dstanek	bknudson: that i'm not sure about. but we would have to backport - not saying that's hard, just that it has to be done	15:51
Lactem	dstanek: Kind of. We were going to pick up from yesterday.	15:52
dstanek	Lactem: what troubles are you running into?	15:52
*** marzif has joined #openstack-keystone		15:52
Lactem	I'm not really sure what he was saying. https://bugs.launchpad.net/keystone/+bug/1098564 http://pastebin.com/D16WXLEV	15:55
openstack	Launchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Incomplete]	15:55
Lactem	He told me to use keystone catalog and give him the output. It's in the pastebin.	15:56
CaptainMorgan	charlesw: what version of middleware are you running? My guess is 1.0.0	15:56
CaptainMorgan	charlesw: that version has issues and Ubuntu and other distributions have not updated.	15:56
dstanek	Lactem: are you seeing the log statements when you run the tests?	15:56
bknudson	dstanek: have you heard of mod_wsgi express? https://pypi.python.org/pypi/mod_wsgi	15:56
Lactem	I don't think so. He said neither of them are there.	15:57
*** charlesw_ has joined #openstack-keystone		15:57
bknudson	I don't have mod_wsgi express installed on my system for some reason.	15:57
dstanek	bknudson: nope, but that's kinda neat	15:58
CaptainMorgan	samueldmq: each process has its own middleware running (instance). So all of them in an Apache group...or behind a single ha proxy must have policy updated at the same time.	15:58
*** jlibosva has quit IRC		15:58
dstanek	Lactem: i think he was giving you hints on where to debug	15:58
*** belmoreira has joined #openstack-keystone		15:58
bknudson	dstanek: looks like it just stands up a private apache instance.	15:58
*** marzif has quit IRC		15:58
dstanek	that's a cool idea for testing	15:59
CaptainMorgan	samueldmq: or some requests can break erroneously (or succeed). Basically the entire group of processes behind an endpoint url must be updated atomically	15:59
*** charlesw has quit IRC		15:59
bknudson	I think I'd rather use a lighter-weight container.. nginx or something	15:59
*** charlesw_ is now known as charlesw		15:59
CaptainMorgan	david8hu: not sure.	15:59
dstanek	i prefer nginx -> gunicorn -> application	15:59
CaptainMorgan	dstanek: I like uwsgi these days	16:00
bknudson	we should do that	16:00
bknudson	rather than mess around with apache	16:00
CaptainMorgan	bknudson: for?	16:00
dstanek	bknudson: we still have to support apache for federation afaik	16:01
*** RichardRaseley has joined #openstack-keystone		16:01
dstanek	apache giveth and apache sucketh	16:01
CaptainMorgan	Apache has a better set of modules	16:01
bknudson	apache -> gunicorn	16:01
bknudson	forward the headers	16:01
CaptainMorgan	bknudson: don't know how well that works. But Apache supports uwsgi pretty well	16:01
dstanek	that's easy enough, but i'm not sure how that plays with the other modules	16:01
CaptainMorgan	Haven't tried unicorn with Apache	16:02
*** vilobhmm has joined #openstack-keystone		16:02
bknudson	it's just reverse proxy	16:02
CaptainMorgan	I also am generally not a fan of gunicorn. But that is a separate concern	16:02
*** RichardRaseley has quit IRC		16:03
*** RichardRaseley has joined #openstack-keystone		16:03
*** RichardRaseley has quit IRC		16:03
CaptainMorgan	Personal bias.	16:03
CaptainMorgan	No real reason not to use it here.	16:04
bknudson	must have been attacked by a unicorn	16:04
CaptainMorgan	Nah, just a pain in the ass in the past with lots of weird crashes	16:04
CaptainMorgan	Like I said, strictly a personal bias.	16:04
*** RichardRaseley has joined #openstack-keystone		16:04
bknudson	that's what we're seeing with keystone in apache mod_wsgi	16:04
CaptainMorgan	mod_wsgi has very tightly controlled requirements	16:05
CaptainMorgan	And none of these will easily show when we break	16:05
CaptainMorgan	When something goes wrong the errors and traces are not intuitive unless you're already past the wsgi loading	16:06
CaptainMorgan	It's always been that way, always will be.	16:06
CaptainMorgan	And you can't call log from the keystone.py file.	16:07
bknudson	that's a real downer.	16:07
CaptainMorgan	That error looks like a bad library ^^^ btw.	16:08
CaptainMorgan	The one that sparked this convo	16:08
dstanek	CaptainMorgan: which library? seems arbitrary	16:08
bknudson	we've seen errors from oslo.config, keystoneclient, and oslo.utils	16:09
CaptainMorgan	dstanek: not sure. But also re,ember these wsgi wrappers will occasionally spawn a new worker and kill old workers. So if it has worked for a while and then suddenly breaks, I look at "what did you install between now and then"	16:09
openstackgerrit	David Stanek proposed openstack/keystone: Adds some debugging statements https://review.openstack.org/193619	16:09
CaptainMorgan	Whenever an install of a lib is done that could affect Apache/wsgi a restart is needed.	16:09
dstanek	bknudson: i was thinking something like that. what other logging would be useful?	16:10
bknudson	maybe it's worth checking the grenade logs and see if it's installing stuff.	16:10
*** e0ne has quit IRC		16:10
bknudson	odd but possible.	16:10
dstanek	well, maybe not so odd	16:10
dstanek	it's upgrading keystone from K->L	16:11
CaptainMorgan	Ok so this is likely oslo_utils	16:11
dstanek	maybe the error happens before it restarts apache	16:11
CaptainMorgan	The oslo config error is because you hit an error before.	16:11
CaptainMorgan	And the conf object already has things loaded.	16:11
samueldmq	CaptainMorgan: k so as each process has its own middleware, they will all be updated with the new policy, for sure	16:12
CaptainMorgan	So reregistering opts causes subsequent errors.	16:12
samueldmq	CaptainMorgan: the concern is that they all need to be atomic	16:12
bknudson	stupid global variables!	16:12
dstanek	so an apache worker restarts during the keystone upgrade and the deps would be all out of whack	16:12
CaptainMorgan	samueldmq: yes they need to be atomic across all of them.	16:12
samueldmq	CaptainMorgan: and what windows we could consider them as being atomic ..	16:12
bknudson	that does make some sense. apache would discard the application	16:12
CaptainMorgan	dstanek: yep. Possibly.	16:12
bknudson	and in both cases they happened in pairs.	16:13
CaptainMorgan	bknudson: yep. Ignore the oslo_config error it's a red herring here	16:13
bknudson	not sure what we'd do about it?	16:13
samueldmq	CaptainMorgan: sure, they would be updated in the first incoming request where timeout has been reached ..	16:13
bknudson	catch the exception in initializing and reset somehow?	16:13
*** ankita_wagh has joined #openstack-keystone		16:13
bknudson	there might be all sorts of global state that's messed up.	16:14
bknudson	drivers half-loaded	16:14
CaptainMorgan	bknudson: this isn't something you can reset out of.	16:14
CaptainMorgan	This is a broken workflow in grenade	16:14
samueldmq	CaptainMorgan: but if timeouts may be reached in different timings in different processes .. or we shouldn't consider this	16:14
bknudson	maybe just need to restart apache again at end of upgrading	16:14
*** gyee has joined #openstack-keystone		16:14
*** ChanServ sets mode: +v gyee		16:14
bknudson	if that's not happening already	16:14
samueldmq	CaptainMorgan: (I am assuming you can talk about this subject at the same time as well :))	16:14
CaptainMorgan	You cannot live upgrade keystone or mod_wsgi - it needs a restart.	16:15
CaptainMorgan	samueldmq: that is the issue of cache coherency. You need all the processes to update at the same time. Not at different times. The timeout must be synchronized	16:15
bknudson	ok, time to check out grenade	16:15
CaptainMorgan	samueldmq: this is the hardest part of this update for policy. And honestly why I think the central policy stuff cannot make it this cycle at this point. Scaffolding for it will happen. Centralization and consumption from keystone likely won't	16:16
bknudson	http://git.openstack.org/cgit/openstack-dev/grenade/tree/projects -- doesn't bode well	16:16
bknudson	keystone is first in the list	16:16
samueldmq	CaptainMorgan: k got it, that must be in the spec as well ;)	16:17
CaptainMorgan	bknudson: grenade makes the assumption that pip install does 100% the right thing.	16:17
CaptainMorgan	bknudson: so likely something has stomped on keystone's deps somehow. Also mod_wsgi the way we have it configured doesn't load the worker until the first request.	16:18
CaptainMorgan	So Apache might restart fine and explode down the line	16:18
bknudson	not loading the worker until the request what made me think we'd be safe	16:18
dstanek	it looks like grenade shuts down keystone, does the upgrade and then restarts it	16:18
bknudson	since it wouldn't make requests until grenade is all done?	16:18
CaptainMorgan	bknudson: it may make some requests before. Requests will trickle in as services are started	16:19
bknudson	although maybe it does make requests during upgrade... checking service catalog	16:19
CaptainMorgan	Due to middleware, etc catalog.	16:19
*** spandhe has quit IRC		16:19
Lactem	dstanek: I thought he was saying that this bug might not require code changes / it's not really a bug.	16:19
* CaptainMorgan is on a mobile device, so just talking about the stuff I know - not actually debugging it atm.		16:19
dstanek	Lactem: i read that as him giving hints for where you can look to see if that's the case	16:20
*** kiran-r has quit IRC		16:21
dstanek	i don't understand where the grenade pip-freeze.txt comes from	16:22
dstanek	log clearly show upgrade installs ksk 1.6.0 http://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/grenade.sh.txt.gz#_2015-06-18_09_05_35_228	16:23
dstanek	pip-freeze.txt says 1.3.1 http://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/pip-freeze.txt.gz	16:23
CaptainMorgan	Awesome.	16:23
CaptainMorgan	:(	16:23
CaptainMorgan	Well when was pip-freeze run. Pre or post upgrade.	16:24
CaptainMorgan	That might be a pre upgrade.	16:24
*** RichardRaseley has quit IRC		16:24
CaptainMorgan	From devstack	16:24
bknudson	devstack got support for running services in venv... seems like that would help?	16:25
CaptainMorgan	bknudson: venv and mod_wsgi might have some oddities... Might.	16:25
dolphm	bknudson: lbragstad: \o/ checking out the token provider manager w/ stevedore patch... https://review.openstack.org/#/c/166543/17/keystone/token/provider.py,unified	16:25
lbragstad	bknudson: I have a question	16:25
CaptainMorgan	But other services in venv - yes.	16:25
lbragstad	bknudson: ^ what dolphm said	16:25
*** RichardRaseley has joined #openstack-keystone		16:26
dolphm	bknudson: lbragstad: does the driver namespace restrict 3rd parties from providing entry points into custom drivers?	16:26
CaptainMorgan	dolphm: no, you can place a driver in any namespace via entry points.	16:26
lbragstad	dolphm: bknudson if the only thing I plan on doing is extending the BaseProvider https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L459	16:26
dolphm	CaptainMorgan: that's what i thought, but ... what does the driver_namespace do then?	16:27
CaptainMorgan	The idea is you are looking in that namespace for the short name	16:27
CaptainMorgan	So if someone calls a module for neutron "password" it is t found for keystone	16:27
CaptainMorgan	For example.	16:27
dolphm	so the third party package would specify a keystone.token.provider entrypoint as well? https://github.com/openstack/keystone/blob/master/setup.cfg#L110-L111	16:28
CaptainMorgan	Yep	16:28
dolphm	oh ok	16:28
dolphm	easy enough	16:28
lbragstad	jsut as an entrypoint	16:28
lbragstad	hmm	16:28
CaptainMorgan	Yeah, it's meant to make it easy :)	16:28
*** raildo has quit IRC		16:29
CaptainMorgan	Now... I have no idea what happens if someone specifies a driver name already used	16:29
*** dguerri is now known as dguerri`		16:29
dolphm	CaptainMorgan: like, provides another 'uuid' entrypoint?	16:30
*** raildo has joined #openstack-keystone		16:30
dolphm	i'd hope that setuptools or something would puke early	16:31
*** RichardRaseley has quit IRC		16:31
*** RichardRaseley has joined #openstack-keystone		16:31
*** RichardRaseley has quit IRC		16:32
*** kiran-r has joined #openstack-keystone		16:32
dstanek	dolphm: i believe it does is you dupe the name	16:32
CaptainMorgan	dolphm: i hope so too, but i haven't tried it	16:33
dolphm	maybe not let you install that package at all? :D	16:33
dolphm	that'd be like installing two packages with the same name	16:33
dolphm	into site-packages	16:33
*** jsavak has quit IRC		16:33
lbragstad	CaptainMorgan: dolphm so that seemed to work (i.e. it didn't puke)	16:34
CaptainMorgan	New way to troll people:, provide conflicting entry points in some common used library	16:34
*** BrAsS_mOnKeY has quit IRC		16:34
dolphm	lbragstad: sweet	16:34
CaptainMorgan	Make lots of people cry	16:34
CaptainMorgan	???	16:34
CaptainMorgan	Profit	16:34
CaptainMorgan	shiftyeyes	16:35
Lactem	Hi dolphm.	16:35
dolphm	Lactem: o/	16:36
Lactem	\o	16:36
*** ChanServ sets mode: +o CaptainMorgan		16:37
CaptainMorgan	o/	16:37
CaptainMorgan	\o	16:37
CaptainMorgan	\o/	16:37
*** rm_work is now known as rm_work\|away		16:37
*** diazjf has quit IRC		16:38
CaptainMorgan	(>^_^)>	16:38
dstanek	hi fives all around! o/\o	16:38
CaptainMorgan	(╯°□°）╯︵ ┻━┻	16:39
*** edmondsw has quit IRC		16:39
samueldmq	haha Friday is fun	16:40
*** diazjf has joined #openstack-keystone		16:40
Lactem	Sorry to have another problem... I'm trying tools/with_venv.sh bin/keystone-all and getting an error message similar to https://bugs.launchpad.net/mos/+bug/1397518 (ImportError: No module named oslo).	16:40
openstack	Launchpad bug 1397518 in Mirantis OpenStack "python-oslo.concurrency requires python-retrying" [Critical,Fix committed] - Assigned to Max Yatsenko (myatsenko)	16:40
dstanek	see that's PTL rage! going from fun hi fives to flipping tables	16:40
samueldmq	dstanek: hehe	16:41
*** browne has joined #openstack-keystone		16:42
Lactem	Yeah there's no oslo for me. Is there a link to install it or does it not work like that?	16:44
samueldmq	david8hu: hi, sorry for the late answer	16:44
samueldmq	david8hu: yes a deployer can configure its CMS to upload an already customized policy where is expected to be the default (we're now calling it stock policy)	16:44
*** dguerri` is now known as dguerri		16:45
samueldmq	david8hu: however he won't be following the documented behavior :)	16:45
samueldmq	david8hu: so that will be taken as the truth, even if he's lying to us	16:45
*** dguerri is now known as dguerri`		16:46
samueldmq	david8hu: in the future, if we provided a /policy API in each service, this could be solved, but we aren't goign to that directiom	16:46
dstanek	Lactem: i would expect the venv created by with_venv to have it installed. how did you check to see if it's installed?	16:46
samueldmq	david8hu: at least for now, we can revisit that later .. I think it's a suggestion from nova gusy	16:46
samueldmq	david8hu: guys*	16:46
*** jsavak has joined #openstack-keystone		16:48
dolphm	Lactem: uhh, i don't use tools/with_venv.sh myself... have you used tox to run tests?	16:49
samueldmq	Auth	16:49
*** f13o has quit IRC		16:49
Lactem	No sorry I'm not familiar with tox.	16:49
Lactem	I'm trying to re-set it up following http://docs.openstack.org/developer/keystone/developing.html and the tutorial directly before that. @dolphm	16:50
dstanek	tox will allow you to run the unit tests	16:51
*** ankita_wagh has quit IRC		16:51
Lactem	I'm still trying to do this setup.	16:51
Lactem	I think I may have skipped these steps yesterday, so my testing might not be accurate.	16:51
dstanek	you don't need the setup to run the unit tests	16:51
dolphm	Lactem: which branch are you working with, master?	16:51
Lactem	Yes.	16:51
Lactem	http://docs.openstack.org/developer/keystone/setup.html So you're saying I can skip that page?	16:52
dolphm	Lactem: we should maybe update those docs with what we actually do nowadays	16:52
Lactem	That would be a good idea. :P	16:53
dolphm	Lactem: can you `pip install tox` ?	16:53
dstanek	if you have a checkout then run 'tox -e py27' to run the unit tests	16:53
Lactem	Okay.	16:53
*** BrAsS_mOnKeY has joined #openstack-keystone		16:53
dolphm	Lactem: they're not entirely innaccurate, just maybe not today's best practices	16:53
*** rm_work\|away is now known as rm_work		16:53
dstanek	there may be system libraries that need to be installed	16:53
Lactem	I should be in sudo su stack, correct?	16:53
dolphm	oh, this is devstack!	16:53
Lactem	Yes.	16:53
Lactem	I was told to use devstack.	16:54
dolphm	that's fair	16:54
*** thedodd has joined #openstack-keystone		16:54
dolphm	i'm also an outcast because i raaaarely use devstack	16:54
dolphm	outcast/outlier	16:54
Lactem	Oh.	16:54
Lactem	What do you use and is it easier?	16:54
dstanek	Lactem: devstack already setups up a working instance of keystone - this is the way i usually develop	16:54
dolphm	dstanek: i was going to suggest `tox -e py27` and then `.tox/py27/bin/keystone-all` ..	16:54
dstanek	dolphm: yep, exactly	16:55
Lactem	I actually did that before and it got stuck for a while. I just exited.	16:55
dstanek	Lactem: i don't think it gets too much easier than devstack for starting out	16:55
Lactem	py27 installdeps: -r/opt/stack/keystone/requirements.txt, -r/opt/stack/keystone/test-requirements.txt	16:55
Lactem	It was stuck on that.	16:55
*** raildo has quit IRC		16:55
dstanek	can your VM talk to the outside world?	16:56
Lactem	Probably?	16:56
dolphm	ping -c 1 google.com ?	16:56
Lactem	I mean I can put stuff on Google Drive and have the VM download from there if that's what you mean.	16:56
*** raildo has joined #openstack-keystone		16:56
Lactem	Yeah the ping works just fine.	16:56
dstanek	try running tox again then	16:57
dolphm	after running `tox -e py27` successfully, then `source .tox/py27/bin/activate` will get you into a python 2.7 virtualenv containing just keystone	16:57
Lactem	Is tox -e py27 supposed to take a really long time?	16:57
dolphm	Lactem: it runs thousands of tests	16:58
*** bradjones has quit IRC		16:58
dstanek	yes, a good amount of time	16:58
dolphm	Lactem: and installs lots of packages right off the bat. but it should give you decent feedback once the tests start	16:58
Lactem	It keeps getting stuck on the second line. I'll just wait a while.	16:58
dolphm	Lactem: it's probably downloading all of pypi	16:58
dstanek	Lactem: how long to you normally wait?	16:58
*** bradjones has joined #openstack-keystone		16:58
*** bradjones has quit IRC		16:58
*** bradjones has joined #openstack-keystone		16:58
dolphm	Lactem: (exagerration) it's downloading all the packages specified by requirements.txt and test-requirements.txt	16:59
dolphm	Lactem: stuck on "py27 installdeps" ?	17:00
Lactem	It's moving on now.	17:00
*** RichardRaseley has joined #openstack-keystone		17:03
*** belmoreira has quit IRC		17:03
samueldmq	ayoung: I am updating the diagrams by putting more details	17:06
samueldmq	ayoung: see the first I just updated, and let me know if it looks good	17:06
samueldmq	ayoung: http://tinyurl.com/p5f9ljx	17:06
*** bradjones has quit IRC		17:11
*** bradjones has joined #openstack-keystone		17:12
*** bradjones has quit IRC		17:12
*** bradjones has joined #openstack-keystone		17:12
Lactem	dolphm: It's all done with py27.	17:15
Lactem	Now I do source .tox/py27/bin/activate?	17:15
dolphm	Lactem: yeah, try that	17:15
Lactem	Done.	17:15
Lactem	(py27)stack@Ubuntu64:~/keystone$	17:16
Lactem	Now I'm in that.	17:16
dolphm	Lactem: can you run `keystone-all` directly?	17:16
Lactem	tools/with_venv.sh bin/keystone-all Like that, right?	17:16
Lactem	That still gives me the problem with "No module named oslo found."	17:17
dolphm	Lactem: no, just `keystone-all` directly	17:17
dolphm	Lactem: you should be in a virtualenv (py27) where keystone is installed	17:17
Lactem	Yes.	17:18
Lactem	I don't see any keystone-all in ls.	17:18
dolphm	Lactem: keystone-all would be in .tox/py27/bin	17:18
Lactem	I'm in /opt/stack/keystone	17:18
Lactem	.	17:18
Lactem	(py27)stack@Ubuntu64:~/keystone$ pwd	17:18
dolphm	but .tox/py27/bin should already be in your path	17:18
*** ankita_wagh has joined #openstack-keystone		17:19
Lactem	(py27)stack@Ubuntu64:~/keystone$ pwd	17:19
*** ankita_wagh has quit IRC		17:19
Lactem	shows: /opt/stack/keystone	17:19
*** ankita_wagh has joined #openstack-keystone		17:19
*** spandhe has joined #openstack-keystone		17:19
dolphm	Lactem: what does `which keystone-all` show?	17:20
Lactem	shows: /opt/stack/keystone/.tox/py27/bin/keystone-all	17:20
Lactem	Looks good, right?	17:20
dolphm	Lactem: so keystone-all is already available, and you don't have to use tools/with_venv.sh because you're already in a venv containing keystone	17:20
dolphm	Lactem: yep! just run `keystone-all` now, and you should see it startup	17:21
Lactem	http://pastebin.com/RmTuFyyx	17:21
Lactem	That's my traceback.	17:21
Lactem	(from keystone-all)	17:21
dolphm	keystone==2014.2.4.dev5 ?!	17:22
*** ankita_wagh has quit IRC		17:22
dolphm	dstanek: any ideas? ^	17:22
*** ankita_wagh has joined #openstack-keystone		17:22
Lactem	I may have screwed up the setup and missed a step or something?	17:22
*** jsavak has quit IRC		17:23
*** jsavak has joined #openstack-keystone		17:23
dolphm	Lactem: tox should take care of all the setup for you	17:23
dolphm	Lactem: tox -e py27 ran successfully, right?	17:24
dolphm	Lactem: tests passed at the end, etc	17:24
Lactem	I think it was failing before or something. I used sudo tox -e py27. Is that bad?	17:24
Lactem	It worked, though: py27: commands succeeded	17:24
Lactem	congratulations :)	17:24
dolphm	Lactem: oh, don't use sudo	17:25
Lactem	Should I redo it without sudo? I don't see how that would change anything since it was successful.	17:25
dolphm	Lactem: to recover, i'd do sudo rm -rf /opt/stack/keystone/.tox/	17:25
dolphm	Lactem: and then just `tox -e py27`	17:25
Lactem	Thanks. This will take a while. I'll tell you what happens.	17:26
dolphm	Lactem: but i have no idea what the consequences of running tox as a superuser would be -- does your regular user even have permission to utilize the resulting environment correctly? i'd guess not	17:26
Lactem	Yeah it failed.	17:27
dolphm	Lactem: tox -e py27 did?	17:27
Lactem	Yep. No perms. That's why I did sudo before probably.	17:27
Lactem	${PYTHON:-python} -m subunit.run discover -t ./ ./keystone/tests --list	17:27
Lactem	(13, 'Permission denied')	17:27
dolphm	Lactem: there's no other error feedback?	17:27
dolphm	Lactem: (lesson: be super skeptical before you prefix anything with sudo in the future!)	17:28
Lactem	http://pastebin.com/03kZPaBd	17:28
Lactem	Okay.	17:28
*** diegows has joined #openstack-keystone		17:29
dolphm	Lactem: i'm trying to think through what would have been created without useable permissions that's not in .tox/ ....	17:29
Lactem	Those were my errors.	17:29
Lactem	Okay.	17:29
dolphm	Lactem: considering we live in a VM-happy world, how long would it take you to blow away your devstack VM and create a new one? :)	17:30
dolphm	Lactem: why problem solve when you can start from a known good state? :P	17:31
*** HT_sergio has quit IRC		17:31
dolphm	Lactem: what does `ls -la $HOME/.pip_download_cache` look like?	17:32
Lactem	ls: cannot access /opt/stack/.pip_download_cache: No such file or directory	17:32
Lactem	I could restart. It would probably take about an hour.	17:33
dolphm	or maybe ls -la $PIP_DOWNLOAD_CACHE	17:33
Lactem	http://pastebin.com/ULvaB8eF	17:33
dolphm	Lactem: ooh, there we go (that's your keystone dir, btw)	17:34
dolphm	Lactem: delete everything there owned by root	17:34
samueldmq	CaptainMorgan: what if we defined a small timeout for policies, and cache would be checked on keystone against a hash	17:34
dolphm	Lactem: `rm -rf keystone.egg-info .testrepository .venv`	17:34
Lactem	I know how to delete. :P	17:34
samueldmq	CaptainMorgan: I mean, each policy has its hash, and when the small timeout expires, we check policy validity against keystone using that hash	17:35
dolphm	Lactem: i'm not saying you don't :)	17:35
*** tqtran has joined #openstack-keystone		17:35
dolphm	Lactem: it was likely hte .testrepository that your normal user couldn't touch	17:35
Lactem	Alright done.	17:35
samueldmq	CaptainMorgan: I think that's the same issue as tokens, where we want to stop revoking and set timeouts that make more sense	17:35
dolphm	Lactem: so, try `tox -e py27` once more	17:36
*** diazjf has quit IRC		17:36
CaptainMorgan	samueldmq: you will end up with some requests failing or succeeding incorrectly and you don't have control of the windows like you do with a cms deploy	17:36
Lactem	http://pastebin.com/UxxYzJCG	17:36
Lactem	I think this is because I deleted those directories and it needs those.	17:37
CaptainMorgan	You can't hope for the best here, this is one we need to actually solve correctly, short timeouts are not viable on their own.	17:37
samueldmq	CaptainMorgan: do you have any direction on a good approach to solve this ?	17:37
samueldmq	CaptainMorgan: so my mind could start thinking on that direction	17:38
CaptainMorgan	Not this week I don't	17:38
CaptainMorgan	:P	17:38
samueldmq	CaptainMorgan: tell your mind to find something next week, so I can put in the spec	17:38
CaptainMorgan	There are a lot of pitfalls around this.	17:38
*** e0ne has joined #openstack-keystone		17:38
CaptainMorgan	I can throw ideas out but it doesn't mean they are good.	17:38
samueldmq	CaptainMorgan: go ahead :)	17:39
samueldmq	CaptainMorgan: you have been touched this issue more times than me, I am sure	17:39
dolphm	Lactem: try `tox -r -e py27`	17:39
dolphm	Lactem: which will rebuild .tox/py27/	17:39
samueldmq	CaptainMorgan: (I've never had this in practice)	17:39
CaptainMorgan	This is something we likely need to defer until the mid cycle for, unfortunately. Without a whiteboard and more than irc (mumble won't help here either) I can design a solution.	17:40
samueldmq	CaptainMorgan: ok so sounds like I plan	17:40
CaptainMorgan	I've dealt with this before. It just plain is hard to do.	17:40
samueldmq	CaptainMorgan: we implement the simple solution (where incoherency is accepted by timeout slice of time)	17:40
samueldmq	CaptainMorgan: and we define something better in the midcycle	17:41
CaptainMorgan	Let me be clear, we can't ask anyone to deploy it with out solve this.	17:41
CaptainMorgan	It is better to tell them to use cms and not centralize it because they have control of the windows of potential outages.	17:42
samueldmq	CaptainMorgan: k so I will make sure we have the first implementation before midcycle (I've a demo already)	17:42
samueldmq	CaptainMorgan: so we have the rest of the cycle to improve it, so more chacnes to get it done	17:42
* CaptainMorgan would rather see focus on the other changes needed tbh		17:42
Lactem	dolphm: I'm going to take a break while this runs and be back in maybe 10 minutes.	17:42
samueldmq	CaptainMorgan: dealing with microversions in oslo.policy ?	17:42
CaptainMorgan	That is a huge one	17:43
samueldmq	CaptainMorgan: sure, but we need to define the scope (already did with ayoung) I am just putting more details	17:43
samueldmq	CaptainMorgan: before asking you to take a look	17:43
CaptainMorgan	And the way that gets dealt with could change how we do centralization.	17:43
samueldmq	CaptainMorgan: ok I need to investigate that, and see how we'll be addressing it	17:43
CaptainMorgan	Because if we centralize policy and then to deal with microversions we have to redesign the centralization... A lot of throw away work.	17:44
CaptainMorgan	Cache coherency of the policy within an endpoint is the last piece otherwise you're really at risk of redesigning the caching.	17:45
*** amakarov is now known as amakarov_away		17:45
CaptainMorgan	The saying: I have one problem, and I use caching to solve it. Now I have two problems.	17:45
CaptainMorgan	It isn't far off.	17:45
CaptainMorgan	Caching is always hard to do correctly.	17:46
samueldmq	CaptainMorgan: the biggest benefit of centralizing is the APIs we provide to define better policies, which should be orthogonal to dealing with microversions	17:46
samueldmq	CaptainMorgan: not sure, I need to visit that subject deeply	17:46
CaptainMorgan	samueldmq: just expect you're going to have to throw away the centralization and redesign it if you treat it as orthogonal.	17:47
CaptainMorgan	If it wasn't a distributed system, it would be a lot easier.	17:47
samueldmq	CaptainMorgan: maybe, as I said, I am not sure, need to understand deeply how we're going to deal with microversions	17:47
ayoung	CaptainMorgan, Are you suggesting we never cache data from Keystone?	17:48
CaptainMorgan	ayoung: I'm saying address the issues around dealing with the policy variances at the endpoint, then design caching around that.	17:48
CaptainMorgan	ayoung: don't design centralization and caching then try and wedge in the other work, because there is a significant risk you'll need to redesign the caching	17:48
ayoung	CaptainMorgan, so you think we should drop centralizing the policy? You seem to have been implying that lately without outright saying it	17:49
CaptainMorgan	No. Just focus on making sure all the other bits are in order before centralizing	17:50
samueldmq	CaptainMorgan: ok, we're finishing the first bit you asked : roadmap + scope for L	17:51
samueldmq	CaptainMorgan: I will study that microversion stuff and then have somehting in the roadmap, with priority	17:52
CaptainMorgan	E.g. How are microversions in the ApIS handled, the base line policy work (if any is needed), then how you source policy and ensure all processes (potentially across physically different services) pick up the policy at once.	17:52
samueldmq	ayoung: makes sense? ^	17:52
CaptainMorgan	Just ensuring you aren't designing a system that no one can use because cms deployment give control over when potential outages/inconsistent policy responses happen.	17:52
CaptainMorgan	Or wasting a lot of effort on designing a caching system for this that doesn't work for the use-case.	17:53
*** marzif has joined #openstack-keystone		17:53
samueldmq	ayoung: I want to update the diagrams, but https://wiki.openstack.org/wiki/File:Dynamic-policies-install.png	17:54
CaptainMorgan	If you want to invert this, order go for it, but I'm betting there will be a lot of redesign along the way - and a lot of throw away code.	17:54
samueldmq	ayoung: says me 'You cannot overwrite this file.'	17:54
* CaptainMorgan is really pointing out the traps here having been down this road 4 or 5 times in previous projects / companies.		17:56
*** jasondotstar has quit IRC		17:56
samueldmq	CaptainMorgan: k I will study this next week, and see how it fits better in our planned roadmap/scope	17:56
samueldmq	:)	17:56
CaptainMorgan	Ayoung: Notice I'm not -1 or -2 any of this.	17:56
bknudson	dolphm: the driver_namespace matches the string in setup.cfg http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg#n110	17:56
CaptainMorgan	ayoung: I'm really just trying to save you headaches down the line / total rewrites :(	17:57
bknudson	if you have your own driver you'll have to call it something different than the existing ones	17:57
dolphm	bknudson: thanks, i think we got it straighted out! the config lbragstad was running was not as i thought, so i was lead to believe the implementation was behaving oddly	17:57
bknudson	so if I wanted to have my own token provider I'd call it bknudsons_driver or something.	17:57
openstackgerrit	Eric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc https://review.openstack.org/193663	17:58
Lactem	dolphm: tox works	17:59
*** jdennis has joined #openstack-keystone		17:59
*** jasondotstar has joined #openstack-keystone		17:59
*** jasondot_ has joined #openstack-keystone		17:59
ayoung	CaptainMorgan, doesn't really seem to matter, Sean has checked out of the conversation, and without him, driving microversions, I don't think we are going anywhere.	18:01
dolphm	Lactem: try running keystone again!	18:03
*** ninag has joined #openstack-keystone		18:04
Lactem	Type keystone-all?	18:04
dolphm	Lactem: if you're in the .tox/py27 venv already, yes	18:04
Lactem	It says (py27) in front of my command thing, so I assume I am. Here goes...	18:04
*** jith_ has quit IRC		18:05
*** Rockyg has joined #openstack-keystone		18:05
Lactem	http://pastebin.com/f0vjyzSS	18:05
Lactem	:(	18:05
*** diazjf has joined #openstack-keystone		18:07
dolphm	Lactem: what is your `git log -n 1` ?	18:08
Lactem	@dolphm	18:08
Lactem	sry	18:08
Lactem	http://pastebin.com/6m810cPB	18:09
Lactem	This should be up-to-date. I just made this VM yesterday afternoon.	18:09
*** arunkant has quit IRC		18:10
*** jasondotstar has quit IRC		18:10
Lactem	dolphm: Wouldn't installing "The 'requests!=2.4.0,<=2.2.1,>=2.1.0' distribution" fix it?	18:14
dolphm	Lactem: possibly, but you'll likely just run into another, similar issue. i'm trying to reproduce now.	18:16
dolphm	Lactem: if you created this VM yesterday, why is the latest commit 2 weeks old?	18:17
CaptainMorgan	ayoung: ill see what i can do.about wrangling sean back into the convo	18:17
dolphm	Lactem: oh sorry, that's a merge	18:17
Lactem	I'm using vagrant and devstack by the way.	18:17
dolphm	Lactem: i'm running this now from the same commit SHA as you: `tox -r -e py27 ; n source .tox/py27/bin/activate ; keystone-all`	18:18
*** marzif has quit IRC		18:18
Lactem	Umm.	18:18
Lactem	I never did the source.	18:18
Lactem	Could that be the problem?	18:18
samueldmq	CaptainMorgan: sure, talking to him is the next step to see things in nova side, once we've agreed internally on that wiki :)	18:19
Lactem	I went straight from tox -r -e py27 to keystone-all.	18:19
samueldmq	CaptainMorgan: and yes, please get him back into the convo	18:19
dolphm	Lactem: this is stable/juno! 2014.2.4	18:19
dolphm	that explains the weird version string earlier; you're not even close to master	18:19
Lactem	Why would that be?	18:20
Lactem	Do I need to run git clone?	18:20
Lactem	I thought it automatically did that when vagrant first set this all up.	18:20
dolphm	Lactem: did you install devstack yourself?	18:20
Lactem	Yeah.	18:20
Lactem	Well I think so.	18:20
Lactem	I got a virtual box.	18:20
dolphm	Lactem: did you follow these instructions? http://docs.openstack.org/developer/devstack/	18:21
Lactem	No.	18:21
Lactem	I don't see anything with vagrant in there. I'm using vagrant.	18:21
*** rlt_ has quit IRC		18:23
bknudson	dstanek: stevedoor: I marked https://bugs.launchpad.net/grenade/+bug/1466485 as incomplete for keystone based on what we've seen.	18:23
openstack	Launchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Incomplete]	18:23
Lactem	I can try following that tutorial now, but I think I would have to re-make my machine.	18:23
Lactem	I'm hoping to avoid doing that again.	18:23
bknudson	cattle not pets!	18:23
dolphm	Lactem: have a link to where you got the vagrant init from?	18:24
dolphm	bknudson: even if he nukes it, he'll be back to square one with a stable/juno devstack box ..	18:24
bknudson	you do need to check out the right branch of devstack	18:25
Lactem	I was given a vagrant.tgz and a box.	18:25
Lactem	It's a private download in Google Drive.	18:26
*** HT_sergio has joined #openstack-keystone		18:27
Lactem	http://pastebin.com/RU3ie9ve That's what I had.	18:27
dolphm	bknudson: is it possible to switch and restack gracefully?	18:27
Lactem	For me I can use vagrant suspend and then vagrant up again to restart, but that's not technically a restart I guess. I believe there's vagrant restart, but I've never tried it.	18:28
bknudson	dolphm: I don't switch around to really old devstacks ever. I keep a separate vm.	18:28
dolphm	Lactem: i find it odd that they stuck you with juno	18:28
bknudson	it might work	18:28
Lactem	I'm sure I can switch.	18:28
Lactem	Is it the vagrant or the box that I need to change?	18:29
*** kiran-r has quit IRC		18:29
bknudson	git checkout master in devstack and ./stack	18:29
*** jdennis has quit IRC		18:29
bknudson	probably want to ./unstack first	18:29
Lactem	Okay so I made a new folder and used git clone (like in that tutorial). There's no ./stack there.	18:30
dolphm	Lactem: the vagrant image must have contained either devstack pre-installed at stable/juno, or came configured to install stable/juno	18:30
bknudson	stack.sh	18:30
bknudson	it's in devstack directory	18:30
Lactem	Wait no there is.	18:30
Lactem	Sorry I misspelled it.	18:30
dolphm	Lactem: you shouldn't need to clone devstack again	18:30
Lactem	I don't ever remember typing git clone <link> for devstack.	18:31
dolphm	that was probably part of the vagrant image	18:31
bknudson	there might be an option to tell it to re-clone all the repos	18:31
bknudson	otherwise you'll have to go through all your repos and check them out to master, too	18:31
dolphm	if you had, then you would have had to go out of your way to use a 7 month old release!	18:31
bknudson	they're in /opt/stack/*	18:31
dolphm	bknudson: well that's no fun	18:31
dolphm	bknudson: surely there's something in an rc file?	18:32
bknudson	I've got a script that updates all the repos ;)	18:32
*** jasondotstar has joined #openstack-keystone		18:32
Lactem	So I should vagrant up again and run an update script that's in /opt/stack?	18:32
*** jsavak has quit IRC		18:33
*** jsavak has joined #openstack-keystone		18:33
bknudson	looks like the option is RECLONE in localrc	18:33
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Token request after Reseller https://review.openstack.org/192495	18:34
raildo	CaptainMorgan, dstanek, gyee ^	18:36
Lactem	What's the name of the update script? There are just all of the project folders in /opt/stack.	18:36
bknudson	actually, looks like you can just delete all the dirs in /opt/stack, then devstack should reclone	18:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Document policy target for operation https://review.openstack.org/168521	18:38
*** diegows has quit IRC		18:39
Lactem	So what's the link to clone all of the projects?	18:39
Lactem	Or do I need to clone each one individually?	18:39
bknudson	run ./stack.sh and that will clone	18:39
*** stevedoor has quit IRC		18:40
Lactem	I don't see any stack.sh anymore, though.	18:41
Lactem	Oh okay the one in /home/stack/devstack.	18:41
Lactem	Okay I'll do it. I'm pretty sure that's what it did automatically to install the outdated stuff last time, though.	18:42
samueldmq	CaptainMorgan: ayoung I just updated the wiki https://wiki.openstack.org/wiki/DynamicPolicies	18:42
samueldmq	CaptainMorgan: ayoung activity diagrams are very detailed now, Roadmap is defined and Liberty scope is set (and agreed with ayoung for now)	18:43
dolphm	bknudson: where is stackrc / whatever specifies the branches everything should use?	18:45
Lactem	I'll just let this stack.sh run. ttyl	18:45
dolphm	bknudson: or is that just built into devstack's stable/juno branch?	18:45
bknudson	dolphm: if you check out devstack stable/juno it will use stable/juno for the repos	18:46
dolphm	bknudson: cool	18:48
dolphm	Lactem: ^	18:48
Lactem	Yeah I think it's just going to re-install the same stuff that was already installed.	18:49
Lactem	How do I check out a different version?	18:49
ayoung	samueldmq, I'll look in a bit	18:49
samueldmq	ayoung: sure, great!	18:50
*** diegows has joined #openstack-keystone		18:51
*** diegows has quit IRC		18:52
*** jasondotstar has quit IRC		19:01
charlesw	CaptainMorgan, dstanek and folks: my token expiring before expiration time happens in keystone middleware frequently. I'm using keystone middleware 1.5 on ubuntu trusty. The token is not in revocation list. Any clues?	19:05
openstackgerrit	Brant Knudson proposed openstack/keystone: Sanitize passwords in debug log on user create https://review.openstack.org/193695	19:19
*** bradjones has quit IRC		19:20
*** bradjones has joined #openstack-keystone		19:22
*** bradjones has quit IRC		19:22
*** bradjones has joined #openstack-keystone		19:22
*** ninag has quit IRC		19:25
dolphm	bknudson: thanks ^	19:25
bknudson	I should be able to create a test.	19:25
bknudson	actually, I'm surprised dolphm doesn't have a test already.	19:26
dolphm	bknudson: ;)	19:26
dolphm	bknudson: speaking of: https://review.openstack.org/#/c/192782/ i didn't +A because i wrote the test coverage	19:27
dolphm	and we're all at rackspace, i suppose	19:27
bknudson	dolphm: I did get to that one when I was reviewing a couple days ago.	19:27
*** csoukup has joined #openstack-keystone		19:29
bknudson	I meant I didn't get to that one	19:33
bknudson	there were too many other old reviews that had a +2	19:33
*** rdo has quit IRC		19:35
bknudson	This test is going to be awesome	19:36
*** ihrachyshka has joined #openstack-keystone		19:36
bknudson	hint: https://github.com/testing-cabal/fixtures/blob/master/fixtures/_fixtures/logger.py#L65	19:37
*** rdo has joined #openstack-keystone		19:37
*** jasondotstar has joined #openstack-keystone		19:37
*** jasondotstar has quit IRC		19:38
*** pc_m has quit IRC		19:38
*** jsavak has quit IRC		19:39
*** jsavak has joined #openstack-keystone		19:39
openstackgerrit	Brant Knudson proposed openstack/keystone: Sanitize passwords in debug log on user create https://review.openstack.org/193695	19:42
openstackgerrit	Brant Knudson proposed openstack/keystone: Add test showing password logged https://review.openstack.org/193703	19:42
*** HT_sergio has quit IRC		19:44
*** jasondotstar has joined #openstack-keystone		19:46
*** jasondotstar has quit IRC		19:47
*** marzif has joined #openstack-keystone		19:49
*** jsavak has quit IRC		19:50
*** jasondotstar has joined #openstack-keystone		19:54
Lactem	dolphm:./stack.sh had some errors at the end, but it appears to have finished.	19:57
*** belmoreira has joined #openstack-keystone		19:57
david8hu	samueldmq, ayoung, One of my teamates is going to help out on dynamic policy as well. I do not see her on IRC at the moment. We now have one additional help :)	19:57
*** boris-42 has joined #openstack-keystone		20:04
*** stevemar has joined #openstack-keystone		20:07
*** ChanServ sets mode: +v stevemar		20:07
Lactem	dolphm: Okay I'm just doing vagrant destroy and vagrant up again. It's going to take a while.	20:08
*** gabriel-bezerra has quit IRC		20:11
*** e0ne has quit IRC		20:11
openstackgerrit	Fernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations https://review.openstack.org/192850	20:12
stevemar	diazjf, \o/	20:13
stevemar	diazjf, i'll review it soon! it's open in a chrome tab.... just reviewing other stuff atm :)	20:14
*** dan is now known as Guest87808		20:14
*** marzif has quit IRC		20:14
*** dan_ has joined #openstack-keystone		20:14
*** belmoreira has quit IRC		20:14
*** dan_ is now known as Guest96299		20:14
*** roxanaghe has joined #openstack-keystone		20:15
dolphm	Lactem: does intel want you to do any development against master?	20:17
*** gabriel-bezerra has joined #openstack-keystone		20:19
openstackgerrit	Brant Knudson proposed openstack/keystone: Mask passwords in debug log on user password operations https://review.openstack.org/193695	20:22
openstackgerrit	Brant Knudson proposed openstack/keystone: Add test showing password logged https://review.openstack.org/193703	20:22
*** HT_sergio has joined #openstack-keystone		20:24
*** roxanaghe has quit IRC		20:24
Lactem	dolphm: The goal is to successfully submit some patches.	20:27
Lactem	That's why I'm working on that easy bug. It might not even need a patch. idk	20:27
*** ankita_w_ has joined #openstack-keystone		20:28
*** marzif has joined #openstack-keystone		20:30
*** ankita_wagh has quit IRC		20:32
*** ankita_wagh has joined #openstack-keystone		20:34
diazjf	stevemar thanks	20:36
diazjf	just running into some issues with validation	20:36
*** ankita_w_ has quit IRC		20:37
diazjf	posted them on the patch	20:37
stevemar	diazjf, run `tox -e docs` to check for validation before submitting ;)	20:37
diazjf	nice thanks	20:37
diazjf	meant json validation using cli :-/	20:37
*** jasondotstar has quit IRC		20:37
*** marzif has quit IRC		20:38
*** CaptainMorgan is now known as morgan		20:41
*** ankita_wagh has quit IRC		20:41
*** ankita_wagh has joined #openstack-keystone		20:42
morgan	stevemar: thanks for taking with the person this morning about oauth	20:44
stevemar	morgan, np, have to reply still :P	20:45
morgan	Right	20:45
samueldmq	david8hu: that's great, thanks! glad to hear :)	20:47
*** ihrachyshka has quit IRC		20:47
*** iurygregory has quit IRC		20:51
*** marzif has joined #openstack-keystone		20:51
*** raildo has quit IRC		20:53
dolphm	Lactem: you definitely want to get onto master then	20:56
dolphm	Lactem: we won't accept patches to older branches unless they're backports from master, or there's a really good reason they can't go into master first	20:57
*** marzif has quit IRC		21:00
openstackgerrit	Eric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc https://review.openstack.org/193663	21:02
Lactem	I don't know why it wouldn't be on master by default.	21:03
openstackgerrit	Fernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations https://review.openstack.org/192850	21:05
Lactem	dolphm: Any ideas on how I would make it use master branch? It looks like it's getting everything from the most recent git branch.	21:06
*** rushiagr_away is now known as rushiagr		21:08
openstackgerrit	Eric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc https://review.openstack.org/193663	21:10
dstanek	Lactem: 'git checkout master' will make your working copy use the master branch - what branch are you on?	21:10
*** radez is now known as radez_g0n3		21:14
*** charlesw has quit IRC		21:15
*** bradjones has quit IRC		21:20
Lactem	It says I'm already on master.	21:22
Lactem	@ dstanek	21:22
*** bradjones has joined #openstack-keystone		21:22
*** bradjones has quit IRC		21:22
*** bradjones has joined #openstack-keystone		21:22
Lactem	How can I check the version?	21:22
dstanek	that's good then. what made you think that you were not?	21:23
Lactem	Dolph said my version is juno or something like that. It's from 2014.	21:23
Lactem	Wait which directory do I git checkout master from?	21:23
Lactem	In keystone it says it's up to date with master.	21:24
dstanek	you can run the checkout from anywhere in your local copy of the code	21:25
*** htruta_ has joined #openstack-keystone		21:25
*** diazjf has quit IRC		21:27
*** HT_sergio has quit IRC		21:29
*** tqtran is now known as tqtran_afk		21:29
*** Rockyg has quit IRC		21:30
*** gabriel-bezerra has quit IRC		21:34
*** csoukup has quit IRC		21:35
openstackgerrit	Brant Knudson proposed openstack/keystone: Switch to oslo.service https://review.openstack.org/193732	21:37
bknudson	+6, -1118	21:37
bknudson	^ that's how it should be.	21:37
*** tqtran_afk is now known as tqtran		21:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Switch to oslo.service https://review.openstack.org/193732	21:48
openstackgerrit	Brant Knudson proposed openstack/keystone: Remove unused requirements https://review.openstack.org/193734	21:48
openstackgerrit	Brant Knudson proposed openstack/keystone: Switch to oslo.service https://review.openstack.org/193732	21:49
*** stevemar has quit IRC		21:52
bknudson	this is weird -- requirements update breaks keystone -- https://review.openstack.org/#/c/190405/7	21:56
*** HT_sergio has joined #openstack-keystone		21:58
*** marzif has joined #openstack-keystone		21:58
*** rushiagr is now known as rushiagr_away		22:01
*** ankita_wagh has quit IRC		22:02
*** pballand has quit IRC		22:06
*** marzif has quit IRC		22:10
*** henriquetruta has joined #openstack-keystone		22:11
*** ankita_wagh has joined #openstack-keystone		22:13
openstackgerrit	Brant Knudson proposed openstack/keystone: Updated from global requirements https://review.openstack.org/190405	22:13
openstackgerrit	Brant Knudson proposed openstack/keystone: Don't try to drop FK constraints for sqlite https://review.openstack.org/193741	22:13
*** RichardRaseley has quit IRC		22:14
*** htruta_ has quit IRC		22:15
*** ankita_wagh has quit IRC		22:16
*** dimsum__ has quit IRC		22:19
*** dimsum__ has joined #openstack-keystone		22:20
openstackgerrit	Brant Knudson proposed openstack/keystone: Don't try to drop FK constraints for sqlite https://review.openstack.org/193741	22:23
openstackgerrit	Brant Knudson proposed openstack/keystone: Updated from global requirements https://review.openstack.org/190405	22:23
*** HT_sergio has quit IRC		22:26
*** Lactem has quit IRC		22:30
*** bknudson has quit IRC		22:30
*** jasondot_ has quit IRC		22:32
*** dimsum__ has quit IRC		22:32
*** marzif has joined #openstack-keystone		22:33
*** david8hu has quit IRC		22:37
*** gyee has quit IRC		22:39
*** browne has quit IRC		22:42
*** henrynash has joined #openstack-keystone		22:51
*** ChanServ sets mode: +v henrynash		22:51
*** zzzeek has quit IRC		22:58
*** zzzeek has joined #openstack-keystone		23:01
*** ankita_wagh has joined #openstack-keystone		23:03
*** bigjools has quit IRC		23:05
*** zigo has quit IRC		23:05
*** marzif has quit IRC		23:06
*** zigo has joined #openstack-keystone		23:07
*** bigjools has joined #openstack-keystone		23:08
*** thedodd has quit IRC		23:08
*** zzzeek has quit IRC		23:15
*** henriquetruta has quit IRC		23:20
*** telemonster has quit IRC		23:22
*** telemonster has joined #openstack-keystone		23:22
*** vilobhmm has quit IRC		23:23
*** arif-ali has quit IRC		23:26
*** arif-ali has joined #openstack-keystone		23:29
*** HT_sergio has joined #openstack-keystone		23:30
*** henriquetruta has joined #openstack-keystone		23:33
*** henriquetruta has quit IRC		23:39
*** hogepodge has quit IRC		23:45
*** hemna_ has joined #openstack-keystone		23:52
*** browne has joined #openstack-keystone		23:52
*** hemna has quit IRC		23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!