Tuesday, 2015-06-30

*** lhcheng_ has quit IRC00:00
morganfainbergdstanek: ugh00:00
dstanekmorganfainberg: keystone.tests.unit.core does a rules.init()00:00
dstanektrying a quick patch...00:00
morganfainbergdstanek: ok00:00
*** pgbridge has quit IRC00:01
*** Rockyg has quit IRC00:05
*** tqtran-afk is now known as tqtran_00:07
*** tjones1 has joined #openstack-keystone00:08
dstanekmorganfainberg: welcome to the pile of crap00:11
*** dims has joined #openstack-keystone00:12
dstanekkeystone.tests.unit.core calls rules.init() on import - this is needed because it creates an oslo_policy Enforce object00:12
dstanekwe need this because it will register the options for the global config object00:12
morganfainbergdstanek: oi00:13
dstanekthe Enforcer object unfortunately uses the global conf in its init00:13
dstanekso i can reach in and register the options in the test class and then call rule.init() in a lazy way - but i think there is a fundamental design issue here00:14
morganfainbergif we break the enforcer model out00:14
morganfainbergand stop doing the rules "backend" thing00:14
*** chrisshattuck has quit IRC00:14
morganfainbergwe can hopefully solve this?00:14
dstaneki think it's a small change to oslo_policy to make this quite a bit nicer00:14
*** rm_work is now known as rm_work|away00:15
morganfainbergthis is back to the silly decorator enforcer model though00:15
morganfainbergif we built enforcers on init of the manager (and not using a global one) we would also solve this00:15
dstanekok, confirmed that the oslo.policy fix actually works00:16
dstanekmorganfainberg: yes, that is true too00:16
morganfainbergso i think we need to do either...00:17
morganfainbergoslo_policy fix, fix our enforcer model, or dirty hack00:18
*** tjones1 has quit IRC00:18
dstanekeven if i change enforcers to be created not at import time i still have the issue of needing to register the options00:20
dstanekfrom oslo_policy import opts; opts._register(CONF) - would have to be done in keystone.tests.unit.core00:21
dstanekstill sort of a hack because i have to call the private method00:21
morganfainbergsure00:21
*** navid__ has joined #openstack-keystone00:27
*** topol has quit IRC00:28
*** janonymous_ has quit IRC00:28
openstackgerritDavid Stanek proposed openstack/keystone: Umm...yeah. If this works I'll make a better msg  https://review.openstack.org/19691700:29
dstanekmorganfainberg: i bypass all the issues and just do the hack that we'd have to do anyway ^00:30
dstaneki think we need a more explicit (at least official way) to register the options00:30
*** boris-42 has joined #openstack-keystone00:30
dstanekmorganfainberg: if that works for you i'll fix up the commit message so that it's not just me rambling00:31
*** darrenc is now known as darrenc_afk00:31
*** topol has joined #openstack-keystone00:32
*** ChanServ sets mode: +v topol00:32
*** jsavak has quit IRC00:32
*** geoffarnold has quit IRC00:32
morganfainbergdstanek: ++00:41
morganfainbergdstanek: commented00:42
*** darrenc_afk is now known as darrenc00:44
morganfainbergdstanek: LGTM00:44
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081800:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094000:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094100:45
dstanekmorganfainberg: which permanent fix do you think we should be using?00:51
*** ankita_w_ has joined #openstack-keystone00:51
dstaneka keystone one or an oslo_policy one? or both?00:51
morganfainbergdstanek: i'm leaning towards 2: oslo needs to let us register opts00:51
morganfainbergand 2nd, initialize enforcers in a sane way00:51
morganfainbergthe second part is more important, but i think the ability to tell oslo "register these" is correct00:52
dstanekok, i'll submit some patches for those things too00:52
dstaneki wonder why it doesn't break in my old environment00:53
morganfainbergnot sure00:53
*** ankita_wagh has quit IRC00:54
morganfainbergdstanek: thanks00:56
*** _cjones_ has quit IRC00:56
dstanekit'll just have to wait until a little later tonight - almost 9pm and i haven't gone for a run yet00:57
*** ayoung has joined #openstack-keystone00:58
*** ChanServ sets mode: +v ayoung00:58
*** henrynash_ has joined #openstack-keystone01:05
*** ChanServ sets mode: +v henrynash_01:05
*** henrynash has quit IRC01:08
*** henrynash_ is now known as henrynash01:08
*** lhcheng has joined #openstack-keystone01:10
*** ChanServ sets mode: +v lhcheng01:10
*** ankita_w_ has quit IRC01:12
*** sigmavirus24 is now known as sigmavirus24_awa01:13
*** markvoelker has quit IRC01:19
*** markvoelker has joined #openstack-keystone01:19
*** markvoelker has quit IRC01:22
*** davechen has joined #openstack-keystone01:23
*** markvoelker has joined #openstack-keystone01:23
*** markvoelker has quit IRC01:23
*** markvoelker has joined #openstack-keystone01:24
*** lhcheng_ has joined #openstack-keystone01:26
*** lhcheng has quit IRC01:26
*** jasondotstar has quit IRC01:30
*** piyanai has joined #openstack-keystone01:30
*** davechen1 has joined #openstack-keystone01:31
*** davechen has quit IRC01:33
*** ankita_wagh has joined #openstack-keystone01:37
*** ankita_wagh has quit IRC01:38
*** timsim has joined #openstack-keystone01:38
*** timsim has left #openstack-keystone01:38
*** ankita_wagh has joined #openstack-keystone01:38
*** tobe has joined #openstack-keystone01:38
morganfainbergdstanek: np01:39
*** tobe has quit IRC01:39
*** davechen has joined #openstack-keystone01:41
*** davechen1 has quit IRC01:44
*** blewis` has quit IRC01:44
*** RichardRaseley has joined #openstack-keystone01:44
*** tqtran_ has quit IRC01:49
*** RichardRaseley has quit IRC01:50
*** gyee has quit IRC01:53
*** juvenn has joined #openstack-keystone02:01
*** lhcheng has joined #openstack-keystone02:02
*** ChanServ sets mode: +v lhcheng02:02
*** topol has quit IRC02:04
*** topol has joined #openstack-keystone02:04
*** ChanServ sets mode: +v topol02:04
*** lhcheng_ has quit IRC02:05
*** sigmavirus24_awa is now known as sigmavirus2402:05
openstackgerritDavid Stanek proposed openstack/keystone: Fixes issue testing with oslo_policy.Enforcer  https://review.openstack.org/19691702:06
*** ayoung has quit IRC02:07
*** chlong_ has joined #openstack-keystone02:08
*** ayoung has joined #openstack-keystone02:09
*** ChanServ sets mode: +v ayoung02:09
*** chlong__ has joined #openstack-keystone02:09
*** chlong_ has quit IRC02:13
*** tobe has joined #openstack-keystone02:16
*** spandhe has quit IRC02:24
*** spandhe has joined #openstack-keystone02:25
*** chlong_ has joined #openstack-keystone02:28
*** david8hu has quit IRC02:31
*** chlong__ has quit IRC02:31
*** david8hu has joined #openstack-keystone02:31
*** chlong has joined #openstack-keystone02:31
*** hrou has joined #openstack-keystone02:31
*** chlong_ has quit IRC02:34
*** navid__ has quit IRC02:34
*** stevemar has joined #openstack-keystone02:35
openstackgerritMerged openstack/keystonemiddleware: Switch from deprecated oslo_utils.timeutils.strtime  https://review.openstack.org/19686202:36
*** fangzhou has quit IRC02:38
mordredjamielennox: YES! that02:46
mordredjamielennox, morganfainberg: can I bribe someone to get that merged and do a ksc release?02:47
* mordred hands jamielennox a bunny rabbit02:47
morganfainbergmordred: which thing? and KSC release depends on release managers atm, can do it tomorrow02:47
* jamielennox is not sure what to do with a bunny rabbit - stew?02:47
morganfainbergmordred: i no longer can do any keystone releases02:47
stevemarjamielennox: i'll take it02:48
morganfainbergjamielennox: be warned... it might be https://www.youtube.com/watch?v=pmu5sRIizdw02:48
morganfainbergmordred: ^ you're not giving jamielennox one of those, are you?02:49
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081802:51
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094102:51
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Cleanup token_info setting  https://review.openstack.org/19693102:51
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate setting catalog on headers from others  https://review.openstack.org/19693202:51
mordredmorganfainberg: :)02:51
mordredmorganfainberg: https://review.openstack.org/#/c/16879202:51
morganfainbergmordred: +202:52
morganfainbergstevemar: , ^^02:53
stevemarmorganfainberg: hmmm02:58
*** richm has quit IRC02:58
*** davechen has quit IRC03:00
jamielennoxdamn, somewhere in all that i squashed 2 patches together and i've no idea how to untangle them03:02
*** davechen has joined #openstack-keystone03:03
*** davechen1 has joined #openstack-keystone03:07
*** piyanai has quit IRC03:08
stevemarzomg its hrou03:09
hrouIts stevemar !03:09
*** piyanai has joined #openstack-keystone03:09
*** davechen has quit IRC03:09
stevemarmorganfainberg: so hrou is starting up openstack dev, specifically swift03:09
stevemar(and he's known me for about 12 years :))03:10
hrouYep, throughout university, steve's a great guy !03:11
*** woodster_ has quit IRC03:11
stevemarlies lies lies03:16
stevemari just stole jamielennox's new rabbit, how nice could i be03:16
*** davechen has joined #openstack-keystone03:18
*** davechen1 has quit IRC03:20
*** juvenn has quit IRC03:24
*** lhcheng has quit IRC03:26
morganfainbergstevemar: oh hai and hrou oh hai03:26
*** markvoelker has quit IRC03:31
*** piyanai has quit IRC03:35
*** dims has quit IRC03:48
*** juvenn has joined #openstack-keystone03:53
*** _cjones_ has joined #openstack-keystone03:57
*** juvenn has left #openstack-keystone03:57
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reject user creation using admin_token.  https://review.openstack.org/19694203:58
*** dramakri has quit IRC03:59
*** _cjones_ has quit IRC04:02
*** juvenn has joined #openstack-keystone04:08
*** david-lyle has quit IRC04:13
*** david-lyle has joined #openstack-keystone04:14
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable listing of role assignments in a project hierarchy  https://review.openstack.org/18704504:14
*** ankita_w_ has joined #openstack-keystone04:15
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable listing of role assignments in a project hierarchy  https://review.openstack.org/18704504:17
*** hrou has quit IRC04:17
*** ankita_wagh has quit IRC04:19
*** ankita_w_ has quit IRC04:19
*** ankita_wagh has joined #openstack-keystone04:19
stevemarhenrynash: writing up specs, as usual04:22
henrynashstevemar: :-)04:22
henrynashheading out…speak later04:22
stevemark04:23
stevemardavechen: hey - thanks for reviewing the oslo.cache patch04:24
stevemardavechen: you found a huge gap in testing in oslo.cache that we sorted out today :)04:25
*** tobe has quit IRC04:31
*** hogepodge has quit IRC04:32
*** markvoelker has joined #openstack-keystone04:32
*** tobe has joined #openstack-keystone04:32
*** hogepodge has joined #openstack-keystone04:32
*** topol has quit IRC04:34
*** markvoelker has quit IRC04:36
*** sigmavirus24 is now known as sigmavirus24_awa04:39
*** juvenn has left #openstack-keystone04:51
*** kiran-r has joined #openstack-keystone04:52
*** rm_work|away is now known as rm_work04:52
*** kiran-r has quit IRC05:00
*** kiran-r has joined #openstack-keystone05:03
*** ankita_wagh has quit IRC05:05
*** stevemar has quit IRC05:05
*** stevemar has joined #openstack-keystone05:06
*** ankita_wagh has joined #openstack-keystone05:07
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate setting catalog on headers from others  https://review.openstack.org/19693205:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move common request processing to base class  https://review.openstack.org/18081805:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate parts of auth_token  https://review.openstack.org/19094005:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094105:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081605:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Temporarily disable the deprecations test failure  https://review.openstack.org/19694805:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add user_token and service_token to request  https://review.openstack.org/19694905:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add token_auth helper to request  https://review.openstack.org/19695005:09
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move enforcement and time validation to base class  https://review.openstack.org/19695105:09
*** pgbridge has joined #openstack-keystone05:14
*** ncoghlan has joined #openstack-keystone05:17
*** kiran-r has quit IRC05:17
*** kiran-r has joined #openstack-keystone05:18
*** pgbridge has quit IRC05:20
*** _kiran_ has joined #openstack-keystone05:23
*** kiran-r has quit IRC05:24
*** _kiran_ is now known as kiran-r05:27
*** spandhe has joined #openstack-keystone05:27
davechenstevemar: np, sir.05:32
*** spandhe_ has joined #openstack-keystone05:33
*** spandhe has quit IRC05:34
*** spandhe_ is now known as spandhe05:34
davechenstevemar: Actually, I am also learning a lot from the patches I reviewed.05:34
*** jaosorior has joined #openstack-keystone05:38
*** ajayaa has joined #openstack-keystone05:39
*** chrisshattuck has joined #openstack-keystone05:40
*** hogepodge has quit IRC05:42
*** hogepodge has joined #openstack-keystone05:42
*** topol has joined #openstack-keystone05:46
*** ChanServ sets mode: +v topol05:46
stevemardavechen: good :) keep doing great reviews05:46
*** kiran-r has quit IRC05:46
bigjoolsanyone interested in a devstack extension that sets it up to use testshib as an IdP?05:49
stevemarbigjools: i think dstanek was working on that05:49
bigjoolsoh well I already did it :)05:50
davechenstevemar: ha, nice to see you are still online. :)05:50
stevemarbigjools: that's why you are BIG jools05:50
stevemardavechen: thats my secret, i'm always online05:50
bigjoolsstevemar: you will no doubt meet me in Tokyo and see why in person :)05:50
stevemarbigjools: i look forward to it!05:51
stevemarbigjools: got a patch or link for the shib stuff?05:51
bigjoolsnot presently - I just hacked it up on a custom devstack, I need to make a branch for upstream05:51
bigjoolsI confess I am not much of a bash coder so it's rather hacky :)05:52
stevemarbigjools: would you consider taking a look at dstanek's work? https://review.openstack.org/#/c/151310/05:52
bigjoolssure05:52
stevemaroh right - he did it using pysaml2 - not testshib05:52
*** browne has quit IRC05:53
*** rlt__ has quit IRC05:53
bigjoolsyeah just noticed05:54
bigjoolsmine's quite a lot simpler because of that05:54
davechenstevemar: Tokyo is not far from my Country, welcome to drop by, I would like to be  your tour guide.05:55
bigjoolsstevemar: actually mine is doing more than this, it's configuring the installed devstack to sign into testshib, which means mappings, groups, roles etc05:56
*** markvoelker has joined #openstack-keystone05:56
stevemardavechen: thanks for the offer, i just might take you up on it!05:57
stevemarbigjools: oh thats nice - code code code05:57
bigjools:)05:57
*** topol has quit IRC05:57
bigjoolsI'll throw it up tomorrow if I get time05:58
stevemarbigjools: sounds good05:58
*** browne has joined #openstack-keystone06:00
bigjoolsthere's no reason it can't work in addition to dstanek's, it just gets enabled as a separate service06:00
*** markvoelker has quit IRC06:01
*** mabrams has joined #openstack-keystone06:03
stevemarbigjools: davechen see you all some other time, sleep for me!06:05
*** stevemar has quit IRC06:05
*** stevemar has joined #openstack-keystone06:06
*** stevemar has quit IRC06:09
*** spandhe has quit IRC06:13
*** chrisshattuck has quit IRC06:13
*** lsmola has joined #openstack-keystone06:33
*** ajayaa_ has joined #openstack-keystone06:34
*** ajayaa has quit IRC06:34
ajayaa_jamielennox, stevemar, When I create a project using python-keystoneclient I get a warning saying "WARNING keystoneclient.utils [-] create takes at most 1 positional argument (3 given)"06:36
ajayaa_sounds like a bug to me.06:36
*** lhcheng has joined #openstack-keystone06:51
*** ChanServ sets mode: +v lhcheng06:51
*** belmoreira has joined #openstack-keystone06:52
*** browne has quit IRC06:52
*** juvenn has joined #openstack-keystone07:01
*** boris-42 has quit IRC07:02
*** dguerri` is now known as dguerri07:02
*** dguerri is now known as dguerri`07:07
marekdbigjools: i am very much interested in it :-)07:09
*** kiran-r has joined #openstack-keystone07:09
*** navid__ has joined #openstack-keystone07:12
*** juvenn has quit IRC07:13
*** juvenn has joined #openstack-keystone07:13
*** fhubik has joined #openstack-keystone07:19
openstackgerritDave Chen proposed openstack/keystone: Move resource related testcase into their own module  https://review.openstack.org/19544907:19
*** rlt_ has joined #openstack-keystone07:30
*** e0ne has joined #openstack-keystone07:33
*** chlong has quit IRC07:35
*** e0ne has quit IRC07:37
*** jistr has joined #openstack-keystone07:43
*** fhubik is now known as fhubik_afk07:44
*** lhcheng has quit IRC07:45
*** markvoelker has joined #openstack-keystone07:45
*** markvoelker has quit IRC07:50
*** rm_work is now known as rm_work|away07:53
*** rm_work|away is now known as rm_work07:54
*** fhubik_lunch has joined #openstack-keystone08:02
*** jistr has quit IRC08:03
*** fhubik_afk has quit IRC08:05
*** jaosorior has quit IRC08:06
*** fhubik_lunch has quit IRC08:07
*** fhubik_lunch has joined #openstack-keystone08:07
*** fhubik_lunch is now known as fhubik_afk08:07
*** stevemar has joined #openstack-keystone08:07
*** jistr has joined #openstack-keystone08:10
*** stevemar has quit IRC08:10
evrardjpgood morning everyone08:13
*** tobe has quit IRC08:17
*** ankita_wagh has quit IRC08:17
juvennevrardjp: good afternoon here ;)08:24
evrardjpclose to coming back home after a hard day of work, nice! ;)08:25
juvennevrardjp: are you familiar with keystoneclient.v3.client.Client?08:28
marekdrodrigods: ping pong.08:29
evrardjpjuvenn: not really, you have a question?08:29
juvennevradjp: I'm stuck at what params should I pass there?08:29
juvennClient(auth_url=auth_url, username=username, password=password)08:30
juvennit raises `eystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound`08:31
juvennwhen I do client.users.list()08:31
juvennbut if I provide additional `endpoint=…`, it'll raise `AuthorizationFailure: no valid auth is available`08:32
*** fhubik_afk is now known as fhubik_lunch08:33
juvennis that `endpoint=` arg required? I suppose there should be default one, if not provided.08:35
*** Kennan has quit IRC08:38
*** Kennan has joined #openstack-keystone08:38
*** alex_xu_ is now known as alex_xu08:38
juvennThe examples in official doc does not provide `endpoint=`, as a matter of fact. http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html#introduction,08:40
*** juvenn has quit IRC08:43
*** juvenn has joined #openstack-keystone08:45
-openstackstatus- NOTICE: OpenStack CI is down due to hard drive failures08:48
*** ChanServ changes topic to "OpenStack CI is down due to hard drive failures"08:48
*** bradjones has quit IRC08:55
*** ncoghlan has quit IRC08:56
*** bradjones has joined #openstack-keystone08:57
*** bradjones has quit IRC08:57
*** bradjones has joined #openstack-keystone08:57
*** e0ne has joined #openstack-keystone09:02
*** lufix has joined #openstack-keystone09:03
*** rlt_ has quit IRC09:09
*** dguerri` is now known as dguerri09:14
*** e0ne is now known as e0ne_09:15
*** e0ne_ has quit IRC09:26
*** fhubik_lunch is now known as fhubik_afk09:28
*** e0ne has joined #openstack-keystone09:29
*** markvoelker has joined #openstack-keystone09:34
*** fhubik_afk is now known as fhubik_lunch09:36
openstackgerritEnrique Garcia Navalon proposed openstack/python-keystoneclient: Added endpoint group filter manager methods  https://review.openstack.org/18265809:38
*** markvoelker has quit IRC09:39
openstackgerritDave Chen proposed openstack/keystone: Show friendly message when request body is not provided  https://review.openstack.org/19500109:46
*** aix has quit IRC09:46
*** davechen has left #openstack-keystone09:55
*** stevemar has joined #openstack-keystone09:56
*** stevemar has quit IRC10:00
*** fhubik_lunch is now known as fhubik_afk10:13
*** lufix has quit IRC10:15
*** fhubik_afk is now known as fhubik_lunch10:17
*** aix has joined #openstack-keystone10:17
*** e0ne is now known as e0ne_10:23
*** e0ne_ is now known as e0ne10:25
*** amaretskiy has joined #openstack-keystone10:26
amaretskiyHi all! could someone take a look at https://review.openstack.org/#/c/188457/ ? This patch adds a lot of rally scenarios to rally job10:27
*** fhubik_lunch is now known as fhubik_afk10:29
*** fhubik_afk is now known as fhubik_lunch10:33
*** henrynash has quit IRC10:34
*** ajayaa_ has quit IRC10:38
*** chlong has joined #openstack-keystone10:49
*** fhubik_lunch is now known as fhubik_afk10:52
*** ajayaa_ has joined #openstack-keystone10:54
*** piyanai has joined #openstack-keystone10:57
*** wendle has joined #openstack-keystone11:06
*** dims has joined #openstack-keystone11:07
*** amakarov_away is now known as amakarov11:12
marekdrodrigods: hello, sir.11:12
rodrigodsmarekd, hi sir11:13
*** wendle has quit IRC11:17
marekdi need some of your expertise on endpoint filtering, so it's enforced by a server, not a client, right? (i will start with silly questions)11:18
*** markvoelker has joined #openstack-keystone11:24
marekdrodrigods: ^^11:25
*** markvoelker has quit IRC11:29
*** radez is now known as radez_g0n311:36
*** stevemar has joined #openstack-keystone11:45
*** jaosorior has joined #openstack-keystone11:45
*** stevemar has quit IRC11:48
*** piyanai has quit IRC11:50
*** c_soukup has quit IRC11:55
*** radez_g0n3 is now known as radez11:58
*** fhubik_afk is now known as fhubik_lunch11:58
*** jistr is now known as jistr|class11:59
*** fhubik_lunch is now known as fhubik_afk11:59
*** markvoelker has joined #openstack-keystone12:02
rodrigodsmarekd, not expert :)12:04
rodrigodsbut it's enforced by the server12:04
samueldmqayoung: ping! morning, I have something to talk about with you12:06
samueldmqayoung: alternative to the caching strategy we talked last week ... just to make sure it makes sense12:06
samueldmqayoung: to put as an alternative solution in the spec12:06
*** jistr|class is now known as jistr12:07
samueldmqayoung: keystone server could control the policy 'releases' .., let me give you an example12:07
marekdrodrigods: cool12:08
marekdbtw, do we have anything interesting for a meeting today?12:08
marekdoh, we do..12:09
samueldmqayoung: keystone knows the policy for a given endpoint has max-age = 300, so each 300s it has a new policy to release to those endpoints (it is None at the beginning)12:09
samueldmqayoung: when an endpoint (even behind an haproxy) asks for that policy , keystone returns>12:09
rodrigodsmarekd, do we?12:09
samueldmqayoung: last released policy (can be None if there is no release yet) and:12:09
samueldmqayoung: must-revalidates; private; max-age = (300 - (time passed since last release))12:10
samueldmqmorganfainberg: cc ^12:10
*** markvoelker_ has joined #openstack-keystone12:11
samueldmqayoung: morganfainberg let me know whether this makes sense to you guys, it's basically the same approach, but keystone server controls the policy synchronization itself, instead of expecting the middleware to understand Not-Valid-Before12:11
marekdrodrigods: depends :-)12:11
marekdrodrigods: e.g. progress on ksa is interesting for me.12:11
*** navid__ has quit IRC12:12
*** markvoel_ has joined #openstack-keystone12:13
*** markvoelker has quit IRC12:13
*** belmoreira has quit IRC12:15
rodrigodsmarekd, ++12:16
*** juvenn has quit IRC12:17
*** markvoelker_ has quit IRC12:17
*** ajayaa_ has quit IRC12:31
*** gordc_afk is now known as gordc12:38
*** edmondsw has joined #openstack-keystone12:39
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742712:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185412:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376312:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593612:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837212:40
*** csoukup has joined #openstack-keystone12:44
*** rlt_ has joined #openstack-keystone12:47
*** bknudson has joined #openstack-keystone12:47
*** ChanServ sets mode: +v bknudson12:47
*** ayoung has quit IRC12:48
*** markvoel_ has quit IRC12:51
*** markvoelker_ has joined #openstack-keystone12:52
*** jsavak has joined #openstack-keystone12:52
*** bknudson has quit IRC12:54
*** bdossant has joined #openstack-keystone12:58
*** markvoelker_ has quit IRC13:02
*** markvoelker has joined #openstack-keystone13:02
*** markvoelker_ has joined #openstack-keystone13:03
*** hrou has joined #openstack-keystone13:05
*** markvoelker_ has quit IRC13:05
*** markvoelker_ has joined #openstack-keystone13:06
*** zzzeek has joined #openstack-keystone13:06
*** mylu has joined #openstack-keystone13:06
*** markvoelker has quit IRC13:07
*** piyanai has joined #openstack-keystone13:08
*** bknudson has joined #openstack-keystone13:10
*** ChanServ sets mode: +v bknudson13:10
*** jsavak has quit IRC13:13
*** jsavak has joined #openstack-keystone13:13
*** richm has joined #openstack-keystone13:14
*** mylu has quit IRC13:21
*** eandersson^ has joined #openstack-keystone13:25
*** eandersson^ has quit IRC13:26
*** e0ne is now known as e0ne_13:29
*** boris-42 has joined #openstack-keystone13:31
*** mylu has joined #openstack-keystone13:32
*** ajayaa_ has joined #openstack-keystone13:34
*** stevemar has joined #openstack-keystone13:34
*** htruta has joined #openstack-keystone13:35
hughsaundershi, I'm playing with federation. I have two keystones one as IDP, one as SP. I can get a SAML assertion from IDP keystone and use that to get a token, then scoped token from SP keystone. Is there any form of service catalog integration, so that when a user views the service catalog on IDP keystone, they can see the services from SP keystone? or will users have to discover service providers via the service provider objects, then go and13:37
hughsaunders query those SPs directly?13:37
*** stevemar has quit IRC13:37
*** blewis has joined #openstack-keystone13:38
*** e0ne_ has quit IRC13:39
samueldmqmorganfainberg: ayoung I added a topic to the meeting today to talk to people about 'Current Status and Scope for Liberty' in Dynamic Policies13:39
samueldmqmorganfainberg: ayoung I included your names, since the decisions we have today are based on conversations including both of you13:40
*** sigmavirus24_awa is now known as sigmavirus2413:40
*** stevemar has joined #openstack-keystone13:42
*** blewis has quit IRC13:42
stevemarmfisch: around?13:43
*** ayoung has joined #openstack-keystone13:43
*** ChanServ sets mode: +v ayoung13:43
*** e0ne has joined #openstack-keystone13:46
rodrigodshughsaunders, we can't access the SP catalog in the IdP, only after request the scoped token from the SP (as you described)13:50
hughsaundersrodrigods: thanks, so just to confirm, users will have to discover federated resources via the service provider objects, not the service catalog?13:52
hughsaundersalso are there any plans for service catalog integration?13:52
rodrigodshughsaunders, yes13:52
rodrigodsabout the second point, not that I'm aware of13:53
*** jsavak has quit IRC13:53
hughsaundersrodrigods: thanks, also thanks for your great blog post, was really helpful in getting it set up :)13:53
rodrigodshughsaunders, np! thanks :)13:53
*** fhubik_afk is now known as fhubik_lunch13:54
lbragstaddstanek: o/ quick question for you13:56
dstaneklbragstad: fire away13:56
lbragstaddstanek: when you're dev'ing on keystone, do you ever run the keystone process by invoking keystone/cmd/all.py manually?13:56
*** jsavak has joined #openstack-keystone13:57
lbragstadas the entry point, versus doing keystone-all?13:57
dstaneklbragstad: i only use keystone-all - since it is installed with 'develop' it invokes that code13:58
*** bdossant_ has joined #openstack-keystone13:58
lbragstaddstanek: ah, so you just use setup.py and install with develop13:58
*** bdossant has quit IRC13:59
dstaneklbragstad: i think tox is doing that by default too13:59
lbragstadok, that makes sense13:59
dstaneki run it with the full path '.tox/py27/bin/keystone-all' so that i don't get the system one13:59
lbragstadoh, nice14:00
*** jecarey has joined #openstack-keystone14:00
*** dims has quit IRC14:01
*** belmoreira has joined #openstack-keystone14:01
marekdbreton: hi, are you going to re-vote https://review.openstack.org/#/c/193703/2 based on disq in the comments?14:01
*** dims has joined #openstack-keystone14:01
*** kiran-r has quit IRC14:02
*** mabrams has quit IRC14:04
*** browne has joined #openstack-keystone14:05
*** jsavak has quit IRC14:07
*** fhubik_lunch is now known as fhubik14:10
*** jsavak has joined #openstack-keystone14:10
*** topol has joined #openstack-keystone14:13
*** ChanServ sets mode: +v topol14:14
*** bdossant_ has quit IRC14:14
marekdbknudson: Hi. I left a question in https://review.openstack.org/#/c/195335/1/doc/source/developing.rst . Would you care answering it ?14:17
samueldmqmarekd: I think what he's saying there is: you submit a patch that highlights the current behavior (which is wrong)14:19
samueldmqmarekd: if a function returns 4 and it should return 5, you could either:14:19
*** blewis has joined #openstack-keystone14:19
samueldmqmarekd: add a test asserting it returns 5 and then add @wip14:19
samueldmqmarekd: or add a test asserting it returns 4, but leave a comment, for example, saying it's passing with wrong behavior14:20
samueldmqmarekd: both need to be changed once the behavior is fixed in the server, by i) removing the wip or ii) fixing the asserted return from 4 to 514:20
*** r-daneel has joined #openstack-keystone14:20
stevemarmfisch: ping14:20
amakarovayoung, hi! I know I'm a bit late: is there a dorm suite still available?14:21
*** fhubik is now known as fhubik_afk14:25
bretonmarekd: after today's meeting14:28
*** blewis` has joined #openstack-keystone14:29
bretonmarekd: there is "Review policy update" topic from bknudson. If we decide to leave use of @wip to developer, I'll be happy to +114:29
ayoungamakarov, I'll ask.  Probably14:30
ayoungamakarov, if there is, will you take it?14:30
openstackgerritChenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains  https://review.openstack.org/18789914:31
*** blewis has quit IRC14:32
amakarovayoung, yes14:34
amakarovayoung, thank you and look here please :) https://review.openstack.org/#/c/141854/14:35
amakarovI've addressed your comments14:35
marekdbreton: the link provided is about sth else.14:38
ayoungamakarov, +214:39
amakarovayoung, _\m/14:39
*** jsavak has quit IRC14:41
*** blewis` has quit IRC14:41
*** HT_sergio has joined #openstack-keystone14:43
*** jsavak has joined #openstack-keystone14:44
*** rushiagr_away is now known as rushiagr14:45
*** jsavak has quit IRC14:47
*** pgbridge has joined #openstack-keystone14:51
*** jsavak has joined #openstack-keystone14:53
*** ChanServ changes topic to "Review Specs and Code | Milestone 1 for Liberty is ~June 23 | MidCycle July 15, 16, 17 in Boston"14:53
-openstackstatus- NOTICE: The log volume was repaired and brought back online at 14:00 UTC. Log links today from before that time may be missing, and changes should be rechecked if fresh job logs are desired for them.14:53
marekdrodrigods: hm, i started to wonder whether we should call the attribute openstack_user_domain here is: you submit a patch that highlight the current behavior (which is wrong)14:54
openstackgerritMerged openstack/keystone: Update MANIFEST.in  https://review.openstack.org/19532714:54
marekd16:19 < samueldmq> marekd: if a function returns 4 and it should return 5, you could either:14:54
marekdrodrigods: eh, sorry14:55
*** e0ne is now known as e0ne_14:55
marekdrodrigods: https://review.openstack.org/#/c/181007/1/keystone/contrib/federation/idp.py i am starting to wonder whether this should be openstack_user_domain or openstack_user_domain_name14:55
*** piyanai has quit IRC14:55
marekdstevemar: ^^14:55
stevemarmarekd: hmm14:56
marekdotherwise it *may* be confusing for ppl at the beginning.14:56
rodrigodsmarekd, stevemar, following the pattern of "openstack_project"14:56
*** diazjf has joined #openstack-keystone14:56
rodrigodsit should be "openstack_user_domain"14:56
rodrigodsotherwise, we need to add "_name" to everything14:56
*** hrou has quit IRC14:56
marekdstevemar: you agree?14:56
*** piyanai has joined #openstack-keystone14:57
*** hrou has joined #openstack-keystone14:57
marekdstevemar: oh i noticed your +1 there14:57
rodrigodsmarekd, the L version is already merged14:58
*** jsavak has quit IRC14:58
*** e0ne_ is now known as e0ne14:58
*** jsavak has joined #openstack-keystone14:58
*** e0ne is now known as e0ne_14:59
marekdyep, i confess i hadn't noticed it was for kilo at the beginning :-)14:59
*** e0ne_ is now known as e0ne14:59
marekdanyway, i am not the one to decide whether it will be merged or not, so i can only show my opinion by giving it a +115:00
rodrigodsmarekd, sure15:00
stevemarmarekd: same15:00
diazjfmarekd, stevemar, can you guys finish reviewing https://review.openstack.org/#/c/192850/ think it's ready to be merged. thanks15:01
marekddiazjf: ok, i am looking right now.15:01
stevemardiazjf: aye aye captn15:01
diazjfmarekd, stevemar, thanks guys!!15:01
stevemarmight be cleaner to put these under federation, but that's a small move15:02
*** piyanai has quit IRC15:02
*** jsavak has quit IRC15:03
openstackgerritRodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185415:03
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376315:03
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593615:03
marekddiazjf: i have few comments, going to add them now.15:07
marekdotherwise it looks pretty neat.15:07
*** aix has quit IRC15:09
*** eandersson has quit IRC15:12
diazjfmarekd, stevemar, perfect, I'll touch it up once I see the comments and maybe move the link to http://docs.openstack.org/developer/keystone/configure_federation.html mapping section? let me know what you think?15:13
openstackgerritEnrique Garcia Navalon proposed openstack/python-keystoneclient: Added endpoint group filter manager methods  https://review.openstack.org/18265815:13
*** jasondotstar has joined #openstack-keystone15:15
*** kiran-r has joined #openstack-keystone15:16
*** belmoreira has quit IRC15:17
*** dramakri has joined #openstack-keystone15:21
*** dramakri has left #openstack-keystone15:21
*** belmoreira has joined #openstack-keystone15:21
*** aix has joined #openstack-keystone15:24
*** bradjones has quit IRC15:30
*** slberger has joined #openstack-keystone15:32
*** bradjones has joined #openstack-keystone15:32
*** bradjones has quit IRC15:32
*** bradjones has joined #openstack-keystone15:32
*** ankita_wagh has joined #openstack-keystone15:32
*** kiran-r has quit IRC15:35
openstackgerritMerged openstack/keystonemiddleware: Refactor certificate fetch functions  https://review.openstack.org/17946015:36
*** anhhuynhx has joined #openstack-keystone15:41
*** aix has quit IRC15:48
*** geoffarnold has joined #openstack-keystone15:48
*** kiran-r has joined #openstack-keystone15:49
*** belmoreira has quit IRC15:50
*** kiran-r has quit IRC15:51
*** _cjones_ has joined #openstack-keystone15:52
*** jasondotstar has quit IRC15:52
*** mrutkows has joined #openstack-keystone15:54
*** aix has joined #openstack-keystone16:00
morganfainberglbragstad: if you have a few minutes, i could use some eyes on https://review.openstack.org/#/c/196548/116:00
*** jistr has quit IRC16:01
morganfainberglbragstad: see if i'm doing something insane16:01
*** aix has quit IRC16:01
*** ngupta has quit IRC16:02
*** kiran-r has joined #openstack-keystone16:02
marekddiazjf: still reviewing your patch.16:03
marekddiazjf: this shows me we should simplify mapping language16:03
marekdas even I had to look to the code to make sure I was right and there are some nested rules.16:03
*** chenhong has joined #openstack-keystone16:03
*** jasondotstar has joined #openstack-keystone16:06
*** fhubik_afk is now known as fhubik16:07
* marekd added 19 comments to the patchset - feeling like bknudson.16:07
marekdbknudson: stevemar: Can I ask for a review here: https://review.openstack.org/#/c/192671/ ?16:10
*** piyanai has joined #openstack-keystone16:14
*** kiran-r has quit IRC16:15
*** navid__ has joined #openstack-keystone16:15
lbragstadmorganfainberg: awesome, will do16:16
morganfainberglbragstad: and we need to correct the stupid around microseconds in the maintain expiry16:16
morganfainberglbragstad: but that is easy16:16
morganfainberglbragstad: will hopefully do that today16:16
lbragstadmorganfainberg: that would make life so much easier16:17
anhhuynhxCan someone please take a look at this bug https://bugs.launchpad.net/keystone/+bug/1460492 and clarify what is meant by "list by user_id and credential type (a required field) so that i only get back my EC2 credentials"?16:18
openstackLaunchpad bug 1460492 in Keystone "List credentials by type" [Wishlist,Triaged] - Assigned to Anh Huynh (anhx-huynh)16:18
lbragstadmorganfainberg: going to food quick16:18
morganfainberglbragstad: so the microsecond stupid will only be fixed in your test16:18
morganfainberglbragstad: btw16:18
morganfainberglbragstad: we can't fix it in the token because PKI tokens collide then16:18
lbragstadmorganfainberg: ok16:18
samueldmqmorganfainberg's doing some coding exercise :)16:18
morganfainbergif PKI tokens die, microseconds can mostly be dropped16:18
*** mylu has quit IRC16:19
morganfainbergsamueldmq: i'm playing janitor16:19
morganfainbergsamueldmq: and cleaning up messes16:19
samueldmqmorganfainberg: which looks great :-)16:19
*** mylu has joined #openstack-keystone16:20
*** HT_sergio has quit IRC16:20
stevemarmarekd: reading16:20
chenhongdstanek: I replied to your question in https://review.openstack.org/#/c/187899/ . Could you take a look at it?16:21
*** e0ne is now known as e0ne_16:23
dstanekchenhong: if that's the case i think you should move that function16:24
*** fhubik has quit IRC16:24
*** mylu has quit IRC16:24
*** piyanai_ has joined #openstack-keystone16:24
*** ankita_wagh has quit IRC16:25
*** ankita_wagh has joined #openstack-keystone16:26
chenhongdstanek: Do you mean move 'test_v3_assignment._build_role_assignment_***'  to one superclass?16:27
*** piyanai has quit IRC16:28
dstaneknot a super class, but a utility module16:28
*** piyanai_ is now known as piyanai16:28
*** jkomg has joined #openstack-keystone16:28
morganfainbergmordred: https://review.openstack.org/#/c/168792/ +A once that lands i'll bug release management to release for you16:29
*** dontalton has joined #openstack-keystone16:29
chenhongdstanek: I agree with you and I do have a plan to do that. But it's not good to do more than one thing in one change.16:29
samueldmqdstanek: ++16:30
*** jk|osx has joined #openstack-keystone16:30
samueldmqchenhong: you can do that in a preparation patch, i.e move that to a utility module, and in your patch, just import that16:30
samueldmqchenhong: that's my suggestion, not sure dstanek agrees or has better advice :-)16:31
*** piyanai has quit IRC16:31
diazjfmarekd, stevemar, thanks for all the feedback. I'll work on updating this tonight.16:31
dstaneksamueldmq: no, i think that's a good thing to do16:31
*** jkomg has quit IRC16:33
*** jk|osx is now known as jkomg16:33
samueldmqdstanek: nice :) chenhong ^16:33
*** e0ne_ has quit IRC16:34
*** piyanai has joined #openstack-keystone16:34
*** kiran-r has joined #openstack-keystone16:34
samueldmqmorganfainberg: ayoung when middleware asks with IMS, Keystone server could return only the part of the Dynamic Policy that has changed since then16:36
*** jasondotstar has quit IRC16:36
chenhongsamueldmq: dstanek: So, you mean I should add this utility module firstly and then using it in the testcases?16:36
*** e0ne has joined #openstack-keystone16:36
samueldmqmorganfainberg: ayoung  this would be a great performance improvement in the cases there are a lot of customized rules16:36
*** piyanai has quit IRC16:36
morganfainbergsamueldmq: no that is not how an IMS check works16:36
samueldmqchenhong: yes, you can make the patches dependent16:37
dstanekchenhong: yes, maybe just add the shared function to keystone.tests.unit.utils for now?16:37
morganfainbergsamueldmq: IMS is "return the entire document" or "not modified"16:37
*** jasondotstar has joined #openstack-keystone16:37
*** HT_sergio has joined #openstack-keystone16:37
morganfainbergsamueldmq: you would want a non-IMS check - but this isn't a lot of data, why should we try and over optimise16:38
morganfainbergsamueldmq: use the first rule of optimisation: don't16:38
morganfainbergsamueldmq: optimise if it is an issue16:38
samueldmqmorganfainberg: k, but that could be a potential improvement, since if you ask IMS, you implicitly are aware of what was defined in that time16:38
samueldmqmorganfainberg: but I agree16:38
morganfainbergbut more important, don't break HTTP spec16:38
samueldmqmorganfainberg: yes, completely agree16:38
samueldmqmorganfainberg: did you see my messages earlier today ? we can manage the synchronization complexity all in the keystone server16:39
*** Ephur has joined #openstack-keystone16:39
samueldmqmorganfainberg: I am writing all that in the specs (on the fetch at middleware right now)16:39
ayoungsamueldmq, I don't think it is worth it, at least not up front16:39
samueldmqmorganfainberg: and *everything* I am writing is very based on HTTP spec :-)16:40
samueldmqvery/completely16:40
ayoungI would be really surprised if the performance improvement was needed16:40
samueldmqayoung: sure, that's what we just discussed :-) let's start simple16:40
chenhongdstanek: Yes, I'm going to do it now.16:40
samueldmqayoung: and optimize if someone needs it16:40
ayoungsamueldmq, so,  what is far more likely as a stage 2 (or 3 or 4) is project specific policy16:41
ayoungand...I don't have a way to distribute that right now16:41
samueldmqayoung: maybe, but we have a lot of things to do before make that happen16:41
samueldmqayoung: exactly :)16:41
openstackgerritTheodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url  https://review.openstack.org/19688316:41
ayoungthat is one reason I kind of want the IDs to be a hash, as it will help the case where two things want a policy file, and they actually have identical ones16:41
anhhuynhxdoes credential type mean a role like admin and such?16:43
anhhuynhxor credential type means things like access keys or secret keys?16:44
*** lufix has joined #openstack-keystone16:46
*** piyanai has joined #openstack-keystone16:48
stevemarnow if i only knew what jason's irc nick is...16:49
stevemarjkomg seems like an appropriate name :)16:49
jkomgstevemar: :D16:49
jkomgjkennedy is registered and taken, alas16:50
*** mylu has joined #openstack-keystone16:50
stevemarah damn that other jkennedy16:50
*** openstackgerrit has quit IRC16:50
*** openstackgerrit has joined #openstack-keystone16:51
*** roxanaghe has joined #openstack-keystone16:51
*** HT_sergio has quit IRC16:51
jkomgalways another jkennedy16:53
*** piyanai has quit IRC16:54
*** lufix has quit IRC16:54
*** anhhuynhx has quit IRC16:56
morganfainbergtopol:16:57
morganfainberghttps://review.openstack.org/#/c/195347/ should be a nobrainer16:57
*** geoffarnold has quit IRC16:58
*** geoffarnold has joined #openstack-keystone16:58
*** jasondotstar has quit IRC16:59
*** kiran-r has quit IRC17:02
*** jasondotstar has joined #openstack-keystone17:03
*** ankita_wagh has quit IRC17:03
*** kiran-r has joined #openstack-keystone17:03
*** piyanai has joined #openstack-keystone17:04
*** e0ne has quit IRC17:05
*** jlvillal has joined #openstack-keystone17:05
*** mylu has quit IRC17:06
*** lhcheng has joined #openstack-keystone17:07
*** ChanServ sets mode: +v lhcheng17:07
miguelgrinbergmarekd: are you around for a question on SSO metadata for federation?17:07
*** samueldmq has quit IRC17:08
*** mylu has joined #openstack-keystone17:08
*** samueldmq has joined #openstack-keystone17:08
*** lhcheng_ has joined #openstack-keystone17:08
*** mylu has quit IRC17:10
openstackgerritChenhong Liu proposed openstack/keystone: Centralizing build_role_assignment_* functions  https://review.openstack.org/19718417:11
*** lhcheng has quit IRC17:11
chenhongdstanek: Can you review this new change, https://review.openstack.org/#/c/197184/ ?17:12
dstanekchenhong: sure, i'll add it to my list17:13
chenhongdstanek: thanks. I make the previous one depend on this new patch17:14
*** jasondotstar has quit IRC17:15
*** piyanai has quit IRC17:17
*** ankita_wagh has joined #openstack-keystone17:19
*** jsavak has joined #openstack-keystone17:20
*** richm has quit IRC17:21
*** amaretskiy has quit IRC17:21
roxanaghedstanek, for https://review.openstack.org/#/c/180769/ -> I think 'project' should be 'unknown' (as per my last comment). do you mind if I upload a new patch to change that?17:21
*** ngupta has joined #openstack-keystone17:22
roxanagheI want to move that patch forward, since it's been sitting silently there for too long :)17:22
*** kiran-r has quit IRC17:22
*** dguerri is now known as dguerri`17:25
*** jasondotstar has joined #openstack-keystone17:25
*** htruta_ has joined #openstack-keystone17:25
*** mylu has joined #openstack-keystone17:27
topolmorganfainberg. Done!17:32
morganfainbergtopol: told ya that'd be an easy one17:32
topol:-)17:32
*** jsavak has quit IRC17:33
*** jsavak has joined #openstack-keystone17:35
openstackgerritMerged openstack/keystone-specs: Cleanup and removal of StrictABC requirement  https://review.openstack.org/19534717:36
myluHi guys I am trying to set up K2K federation in kilo with devstack I'm confused about the difference between port 5000 and 35357. when should I use which? Thanks in advance!17:36
*** navid__ has quit IRC17:36
*** richm has joined #openstack-keystone17:37
*** kiran-r has joined #openstack-keystone17:37
myluI'm following rodrigods' tutorial (http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/)17:37
marekdmiguelgrinberg: hi, i am here.17:38
stevemarmylu: just port 500017:39
miguelgrinbergmarekd: Hi, I'm trying to implement keystone-to-keystone federation for the os-ansible-deployment project17:39
miguelgrinbergmarekd: have the ECP workflow working perfectly, but I'm stuck on getting Horizon to work17:39
*** diazjf has quit IRC17:40
rodrigodsmiguelgrinberg, K2K isn't available for Horizon yet17:40
rodrigods(just the regular Federation)17:40
miguelgrinbergoh, so I can't have a Horizon authenticating to a Keystone IdP yet?17:40
marekdmiguelgrinberg: not with k2k.17:41
rodrigodsmiguelgrinberg, there is a WIP for it: https://review.openstack.org/#/c/159910/17:41
*** rlt_ has quit IRC17:41
*** tqtran has joined #openstack-keystone17:41
stevemarmorganfainberg: might be a bit late for the keystone meeting17:42
morganfainbergnp17:42
marekdmiguelgrinberg: the problem is keystoneclient not handling multiple tokens at once.17:42
marekdmiguelgrinberg: it's a longer transition process....17:42
*** dramakri has joined #openstack-keystone17:42
miguelgrinbergmarekd: okay, but I seem to be having a more basic problem, though now it may be pointless to discuss it since clearly I won't be able to get this working anyway17:43
mylustevemar: Even for the auth_url when trying to create SP in IdP? rodrigods' blog says the auth_url should be the protocol url in SP which is using 35357 tho..(maybe I did something wrong when I create the protocol)17:43
*** jecarey has quit IRC17:43
stevemarmylu: the auth url should be 500017:43
marekdmylu: port is unrelated in this case, really 5000 is enough17:44
marekdmiguelgrinberg: what's your problem then?17:44
mylustevemar: cool thanks17:44
miguelgrinbergmarekd: this is where you generate the SSO metadata, which uses a URI binding: https://github.com/openstack/keystone/blame/8bb63620b4d9ec71b0a60ed705938103d7d3c2c2/keystone/contrib/federation/idp.py#L49017:44
miguelgrinbergmarekd: and this is where shibboleth looks for bindings: https://github.com/craigpg/shibboleth-sp2/blob/f62a7996e195a9c026f3f8cb0e9086594b7f8515/shibsp/handler/impl/SAML2SessionInitiator.cpp#L164-L16517:44
openstackgerritChenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains  https://review.openstack.org/18789917:45
miguelgrinbergmarekd: it looks for a few binding types, but not the URI type that Keystone generates in the IdP metadata17:45
*** kiran-r has quit IRC17:45
marekdmiguelgrinberg: are you talking now about ECP or websso flow?17:45
*** mgarza_ has joined #openstack-keystone17:46
miguelgrinbergmarekd: this is websso flow17:46
miguelgrinbergsorry if I didn't make myself clear before17:46
marekdmiguelgrinberg: no problem.17:46
miguelgrinbergECP flow works fine for me17:46
chenhongdstanek: I'm already done with the first change, please review it again. https://review.openstack.org/#/c/187899/917:47
* kfox1111 beats his head on the desk.17:48
marekdmiguelgrinberg: ok, can you file a bug and assign it to me? I don't think we will fix this immediately, because we don't support k2k w/ websso flow, but we can mark it as wishlist.17:48
kfox1111securely getting a secret to an instance so it can get secrets is hard. especially when there are so many different types of instances. :/17:48
miguelgrinbergmarekd: yep, certainly will. Thanks!17:49
kfox1111and barbican only seems to support async certificate creation. which means I really need an authentication channel that can be used repeatedly for a while.17:49
*** lsmola has quit IRC17:49
marekdmiguelgrinberg: you can examine a WIP rodrigods posted and see if it makes any use for you.17:50
kfox1111implying I need an instance cert that is needed to be able to fetch the keystone cert. :/17:50
rm_workkfox1111: we were looking at anchor for ephemeral synchronously created certs for this purpose in Octavia17:50
rm_workmight fit your use-case?17:50
kfox1111interesting.17:50
kfox1111did you end up using it?17:50
rm_worknot yet17:51
kfox1111think it will work?17:51
rm_workwe're still using a local implementation based on openSSL17:51
rm_workbut I think it'll work17:51
openstackgerritMerged openstack/python-keystoneclient: Support /auth routes for list projects and domains  https://review.openstack.org/16879217:52
kfox1111I was kind of thinking maybe the instance creates its own self signed cert, contacts the instance user service with the cert and says handshake me... then after the instance proves it is who it says it is, it can use its own cert to talk to just the instance user service to fetch the keystone certificate until it's ready. then once it is retrieved the cert is no longer trusted.17:52
rm_workseems like ephemeral certs would be ok for that17:53
rm_workour case needed to throw away the ephemeral piece17:53
rm_workwhich made using Anchor an odd choice :P but I was still planning to try17:53
miguelgrinbergmarekd: that patch may be useful later, but at this point I'm stuck at the very beginning of the flow with this shibboleth problem, the redirect from horizon to the websso endpoint fails auth17:53
kfox1111yeah. seems like overkill to centralize the service though. since each vm would then need a way to securely get the ephemeral cert and we're all the way back around.17:54
marekdmiguelgrinberg: for the clarity, we are still talking k2k ?17:55
kfox1111in wsgi, can you programmatically hook a url pattern to a CA?17:55
*** jecarey has joined #openstack-keystone17:56
*** chenhong has quit IRC17:56
miguelgrinbergmarekd: still k2k, that's all I'm doing. We are also working on ADFS as an IdP, but I have personally not worked on that.17:56
kfox1111like /v1/auth/getcert/<instanceuuid> will look up the ca associated with the instanceuuid in a db, and then ensure only that ca's allowed that endpoint?17:56
*** chlong has quit IRC17:56
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Fetch and Cache  https://review.openstack.org/13465517:56
marekdmiguelgrinberg: we support ADFS, and we use it at CERN with success.17:57
samueldmqayoung: morganfainberg ^ going to the keystone server one (post-meeting) :)17:57
miguelgrinbergmarekd: but it does not work from Horizon due to the token problem that rodrigods is working on his patch, correct?17:58
samueldmqayoung: I've put myself as primary assignee as I already have patches for that17:58
marekdmiguelgrinberg: ADFS is not K2K at all....17:58
samueldmqayoung: https://review.openstack.org/#/c/188561/ ... btw, which is now in merge conflict :(17:58
*** fangzhou has joined #openstack-keystone17:58
*** shaleh has joined #openstack-keystone17:58
miguelgrinbergmarekd: okay, I see. The token issue is specific to K2K.17:58
*** e0ne has joined #openstack-keystone17:58
marekdmiguelgrinberg: let me put this way: Keystone-SP + some 1-st class IdP like ADFS, Shibboleth_idp will work for ya via cli (based on SAML ECP) and websso.17:58
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Switch from deprecated oslo_utils.timeutils.strtime  https://review.openstack.org/19685317:58
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Unit tests catch deprecated function usage  https://review.openstack.org/18914517:58
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Switch from deprecated isotime  https://review.openstack.org/18914717:58
marekdmiguelgrinberg: what we *don't* have is K2K with Horizon.17:59
samueldmqit's time ! :-)17:59
miguelgrinbergmarekd: got it. I've only been doing K2K, but good to know we'll be able to get ADFS going at least.17:59
marekdmiguelgrinberg: we will all go to openstack-meeting for our weekly meeting, so i will be slower in response for next hour.18:00
marekdmiguelgrinberg: feel invited to the meeting if you fancy18:00
*** jsavak has quit IRC18:01
miguelgrinbergmarekd: thanks18:01
*** henrynash has joined #openstack-keystone18:01
*** ChanServ sets mode: +v henrynash18:01
marekdmiguelgrinberg: also note that Keystone-idp is not a fully fledged SAML IdP18:01
marekdso no redirects at this moment.18:01
*** mylu has quit IRC18:01
*** mylu has joined #openstack-keystone18:02
marekdmiguelgrinberg: so, i'd imagine an auth plugin in horizon must simply work as K2K auth plugin in keystoneauth - swap the local token for SAML assertion, go to the remote SP, get token, scope and start using....18:02
marekdmiguelgrinberg: it will not be "yet another websso workflow" with all those HTTP 302 calls etc.18:03
marekdthere is K2K plugin that works, so i would expect django_openstack_auth to work in a similar manner.18:03
marekdmiguelgrinberg: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/auth/identity/v3/k2k.py18:04
*** e0ne is now known as e0ne_18:04
*** ankita_w_ has joined #openstack-keystone18:05
marekddavid8hu: sitting next to gyee?18:05
marekdtell him i think there is a way to get rid of stickiness on HaProxy balancing load to Shibboleth service providers :P18:06
miguelgrinbergmarekd: I have seen the K2K plugin, it was actually very helpful in understanding how everything works.18:06
*** geoffarnold has quit IRC18:06
marekdmiguelgrinberg: OK18:06
*** ankita_w_ has quit IRC18:06
marekd:-)18:06
*** ankita_w_ has joined #openstack-keystone18:06
*** e0ne_ is now known as e0ne18:07
*** ankita_wagh has quit IRC18:08
miguelgrinbergmarekd: but we'll want to wait for upstream support for Horizon K2K, or help with the effort18:08
*** ajayaa_ has quit IRC18:08
marekdmiguelgrinberg: well, feel free to work on a prototype and get back to the community.18:09
marekdit's fine we may want to merge it and everybody will be happy.18:10
marekdif it's fine [...]18:10
*** diazjf has joined #openstack-keystone18:13
lbragstadbknudson: morganfainberg oslo.policy and oslo.cache have been added to our weekly report http://keystone-weekly-bug-report.tempusfrangit.org/weekly-bug-reports/keystone-weekly-bug-report.html18:13
*** ericksonsantos has joined #openstack-keystone18:14
*** tellesnobrega_ has joined #openstack-keystone18:15
*** anhhuynx has joined #openstack-keystone18:15
*** e0ne is now known as e0ne_18:18
*** rushiagr is now known as rushiagr_away18:18
*** tellesnobrega_ has quit IRC18:20
kfox1111well... Actually, the randomly generated string I use for authenticating the vm can continue to be used.... that should work... just gotta store it.18:20
*** e0ne_ is now known as e0ne18:23
*** gyee has joined #openstack-keystone18:24
*** ChanServ sets mode: +v gyee18:24
*** htruta_ has quit IRC18:26
*** jasondotstar has quit IRC18:27
myluHi guys, I see this error when I try to do assertion exchange for federation "2015-06-30 18:24:22 WARN Shibboleth.SSO.SAML2 [2]: no metadata found, can't establish identity of issuer (http://128.52.181.124:5000/v3/OS-FEDERATION/saml2/idp)" But I do have MetadataProvider set up in shibboleth2.xml...18:29
*** topol has quit IRC18:30
marekdmylu: how exactly is it set?18:30
*** topol has joined #openstack-keystone18:30
*** ChanServ sets mode: +v topol18:30
mylumarekd: <MetadataProvider type="XML" uri="https://128.52.181.124:5000/v3/OS-FEDERATION/saml2/metadata"/>18:31
*** ngupta has quit IRC18:32
marekdmylu: you have https here...18:33
marekdis it correct?18:33
marekdlog says 'http' on the other hand.18:34
myluohhhhh!18:34
mylulet me try it that's so silly18:34
marekdmylu: make sure you can access that link via curl, browser whatever...18:34
marekdand then paste to the config.18:34
*** ankita_wagh has joined #openstack-keystone18:38
*** ankita_w_ has quit IRC18:39
mylumarekd: shibboleth log still says no metadata found, but its something different this time. I tried curl "http://128.52.181.124:5000/v3/OS-FEDERATION/saml2/metadata", it worked18:41
mylushibboleth log says "building MetadataProvider of type XML" and then no metadata found..18:42
morganfainbergyeesh boston hotels are priiiiicy18:42
mylu"2015-06-30 18:35:43 INFO Shibboleth.Application : building MetadataProvider of type XML"18:42
marekdmylu: what's in the shibboleth2.xml ?18:43
marekd<MetadataProvider>18:43
openstackgerritJason Obrien proposed openstack/keystone: Removed all mentions of keystone-all from installing.rst and developing.rst docs.  https://review.openstack.org/19722518:43
mylu"2015-06-30 18:35:43 WARN OpenSAML.MessageDecoder.SAML2 [3]: no metadata found, can't establish identity of issuer (http://128.52.181.124:5000/v3/OS-FEDERATION/saml2/idp"18:43
mylumarekd: yes18:44
marekdmylu: i am asking "what is in the shibboleth2.xml?"18:44
mylumarekd: "<MetadataProvider type="XML" uri="http://128.52.181.124:5000/v3/OS-FEDERATION/saml2/metadata"/>"18:44
marekdand entityId ?18:45
marekdis it equal to the value configured in keystone-idp in keystone.conf ?18:45
mylumarekd: ohhh wait the entity id was in https18:45
mylulet me change it to http and try again thanks a lot!18:45
*** geoffarnold has joined #openstack-keystone18:46
miguelgrinbergmarekd: bug filed: https://bugs.launchpad.net/keystone/+bug/147020518:47
openstackLaunchpad bug 1470205 in Keystone "Keystone IdP SAML metadata insufficient for websso flow" [Undecided,New]18:47
marekdmiguelgrinberg: ok, thanks.18:51
*** jasondotstar has joined #openstack-keystone18:55
samueldmqo/18:59
*** browne has quit IRC19:00
samueldmqso whether creating a separate middleware or not can be decided with a #vote next meeting19:00
samueldmqmorganfainberg: ^19:00
morganfainbergsure.19:00
samueldmqwhen we'll have all the specs updated, people will have had a chance to get familiar19:01
samueldmqand FFE email already sent19:01
marekdjamielennox: can you remind me what was the link to your change where you changed gate jobs to not fail on missing requirements (ksa) ?19:01
samueldmq(it only left the keystone server one to be updated though :))19:01
henrynashany cores want to take a quick look at https://review.openstack.org/#/c/187045/ which is looking for approval…19:02
jamielennoxmarekd: https://review.openstack.org/#/c/186228/19:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate setting catalog on headers from others  https://review.openstack.org/19693219:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add user_token and service_token to request  https://review.openstack.org/19694919:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add token_auth helper to request  https://review.openstack.org/19695019:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move enforcement and time validation to base class  https://review.openstack.org/19695119:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move common request processing to base class  https://review.openstack.org/18081819:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate parts of auth_token  https://review.openstack.org/19094019:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094119:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081619:02
morganfainbergreminder for those who are in the US (and for those not) - July 4th is observed on Friday19:02
morganfainberggo out and enjoy yourself if you're having the day off.19:03
morganfainbergif you're not in the US - sorry, it's going to be very very quiet :P19:03
raildo:(19:03
jamielennoxoh - that's happening again19:03
morganfainbergyeah the whole us holiday in the middle of our summer thing19:04
samueldmqhenrynash: hi19:04
marekdjamielennox: hmm, so what shall i specify wrt this patch: https://review.openstack.org/#/c/190631/ keystoneauth_integration too ?19:04
samueldmqhenrynash: not core but want to talk about that :)19:04
morganfainbergjamielennox: it doesn't quite make up for the complete lack of vacation policy/sanity the us has.19:04
henrynashsamueldmq: hi19:04
jamielennoxmorganfainberg: it's more i always forget that it's on and wonder why no-one is around19:04
samueldmqhenrynash: so the idea is to list role assignments starting from a parent project19:05
samueldmqhenrynash: how does that relate to effective ?19:05
henrynashsamueldmq: yes19:05
*** ChanServ changes topic to "US Independence Day is observed 7/3 (Friday) - expect it to be quiet while people are out."19:05
morganfainbergjamielennox: ^ :P19:05
henrynashsamueldmq: so I think it is a valid call with and without effective19:05
ayounghenrynash, looking19:06
henrynash(Henry off to sulk on 7/3 since we lost that one….)19:06
jamielennoxlol19:06
*** ChanServ changes topic to "| Review Code, Specs, Etc | Keystone MidCycle 15, 16, 17 | US Independence Day is observed 7/3 (Friday)"19:06
samueldmqhenrynash: hmm, so that's about considering *direct* assignments on the root and subproject19:06
samueldmqhenrynash: applying effective or not is optional19:07
henrynashsamueldmq: yes19:07
morganfainbergwe're going to be at the midcycle during the openstack 5th birthday party19:07
ayounghenrynash, did the question of reseller come up with that, and the answer is : "if the roles no longer apply, you get nothing, s it just works." I suspect?19:07
morganfainbergjamielennox: travel for pyconau is set. need to do hotel-y-things19:07
samueldmqhenrynash: k makes sense19:07
jamielennoxmorganfainberg: oh right, when are you coming in19:07
morganfainbergjamielennox: how is the transportation in town? as in... taxi, uber, etc?19:07
samueldmqhenrynash: I am sorry for not updating the list role assignments refactoring yet19:08
jamielennoxalthough not sure if i can come up early anyway19:08
henrynashayoung: when you say “if the roles no longer apply”….what do you mean…there is an opaque boundary19:08
samueldmqhenrynash: dstanek asked for a split on that patch19:08
morganfainbergjamielennox: i'm landing the 31th of july and leaving on uh... the following friday?19:08
morganfainbergaug 819:08
samueldmqhenrynash: I will run with that ..19:08
jamielennoxuber is around but i've never tried it from the airport19:08
morganfainbergjamielennox: i can do taxis19:08
jamielennoxthe airport train is pretty good so i normally just do that - but that's when i'm paying19:08
samueldmqhenrynash: having the refactored code will be better to the one who will implement that spec + to me (so I won't need to refactor it again)19:08
samueldmqhenrynash: if that makes sense ..19:09
morganfainbergjamielennox: i just want to avoid renting a car and dealing with international driving in general if the city isn't too bad to navigate19:09
henrynashsamueldmq: abso-bloody-lutely (to quote Dame Helen Mirren)19:09
jamielennoxit's pretty easy to get around the city, depends what you want to do in terms of whether a hire is worth it19:09
samueldmqmorganfainberg: LA should be a small city19:09
jamielennoxbut fair warning hiring cars here is more expensive19:09
samueldmqmorganfainberg: so that's ok I think :p019:09
samueldmq:)19:09
morganfainbergjamielennox: eh19:10
morganfainbergjamielennox: if it's needed for business stuffs... it's fine19:10
*** geoffarnold has quit IRC19:10
*** henrynash has quit IRC19:10
samueldmqhenrynash: haha :)19:10
samueldmqoops 'henrynash has quit' :(19:10
*** ankita_wagh has quit IRC19:11
* morganfainberg has quit.19:11
morganfainberg>.>19:11
morganfainberg<.<19:11
*** dguerri` is now known as dguerri19:11
morganfainbergdo you believe it?19:11
*** ankita_wagh has joined #openstack-keystone19:11
samueldmqbye19:11
samueldmqmorganfainberg: hi <.<19:13
*** e0ne is now known as e0ne_19:14
samueldmqoops 'morganfainberg has quit' :(19:14
*** jorge_munoz has quit IRC19:14
*** morganfainberg has left #openstack-keystone19:14
*** morganfainberg has joined #openstack-keystone19:14
*** ChanServ sets mode: +v morganfainberg19:14
samueldmqhe took that seriously19:14
samueldmq16:15:30       samueldmq | he took that seriously19:14
*** e0ne_ is now known as e0ne19:15
*** dguerri is now known as dguerri`19:15
jamielennoxmorganfainberg: my current thought for the federation stuff at pycon is: live demo :)19:15
morganfainbergfun19:16
morganfainbergmy current thought on the future of keystone is... uhhh i need to go get food before thinking about this19:16
jamielennoxmorganfainberg: do you know anyone that could get me some helion vms that i could do it on?19:16
jamielennoxi don't want to fight with VPNs as well as demo gods19:16
morganfainbergjamielennox: uhm... you mean public cloud? or you mean something just in isolation [devstack-y], or?19:17
jamielennoxmorganfainberg: atm i was thinking at least 2 public, maybe 319:17
*** yottatsa has joined #openstack-keystone19:17
*** mgarza_ has quit IRC19:18
morganfainbergjamielennox: so.. you'd use the VMs as ... a devstack/isolated deploy19:18
anhhuynxjamielennox: would you please take a look at this bug https://bugs.launchpad.net/keystone/+bug/1460492 and clarify something for me?19:18
openstackLaunchpad bug 1460492 in Keystone "List credentials by type" [Wishlist,Triaged] - Assigned to Anh Huynh (anhx-huynh)19:18
morganfainbergor you wanted to use a public cloud with federated auth19:18
morganfainbergto spin up VMs?19:18
jamielennoxi was going to take packstack rather than devstack19:18
morganfainbergcause that second one is a lot of work [having done this in the past]19:18
morganfainbergi can probably get you a vm or two though19:18
jamielennoxand then IPA/ipsilon for saml19:18
morganfainbergah ok19:18
morganfainbergyeah i can probably do that19:19
morganfainbergi need to spin up my cloud account anyway19:19
jamielennoxnot sure yet if it's worth splitting the IPA/ipsilon machines for demo purposes19:19
yottatsahi everybody!19:19
*** mylu has quit IRC19:19
morganfainbergso we can piggyback this demo on that.19:19
*** jorge_munoz has joined #openstack-keystone19:19
jamielennoxmorganfainberg: i called it 'practical' federation for some reason19:19
morganfainbergi called mine something stupidly boring19:19
morganfainberglike "the future of identity in openstack (keystone)"19:20
*** piyanai has joined #openstack-keystone19:20
*** jorge_munoz has quit IRC19:20
* yottatsa just benchmarked fernet and it's REALLY great thing19:21
dstanekhmmm...i didn't know this, but apparently we shouldn't be using the config fixture to set any library config values anymore19:21
jamielennoxbut i was thinking if i had most of it ready i could pretty much start from scratch and configure a mapping, do the httpd config etc19:21
*** dramakri has quit IRC19:22
jamielennoxgo through the steps etc19:22
jamielennoxnever having done a demo presentation like that /me thinks - how hard can it be?19:22
*** mylu has joined #openstack-keystone19:22
jamielennoxanhhuynx: i'm not ignoring you, just reading through the bug19:22
yottatsahere is a question: is slave_connection in keystone really used anywhere?19:22
anhhuynxjamielennox: thank you :)19:23
*** jorge_munoz has joined #openstack-keystone19:23
*** geoffarnold has joined #openstack-keystone19:23
morganfainbergdstanek: ? so... how do we handle that?19:23
morganfainbergdstanek: this seems like we've got a gap.19:23
dstanekmorganfainberg: talking about it now in #openstack-oslo19:23
* morganfainberg goes to get lunch.19:23
yottatsagrep -r use_slave . | wc -l19:24
yottatsa019:24
kfox1111morganfainberg: just added some light reading for you to eat lunch by. ;)19:24
kfox1111just took a stab at coming up with an initial implementation that covers everything in the problem description.19:24
*** piyanai has quit IRC19:25
*** jsavak has joined #openstack-keystone19:26
yottatsaI can't find any blueprint about it, should I make new?19:26
jamielennoxanhhuynx: i replied on the bug - does that make more sense?19:30
*** rm_work is now known as rm_work|away19:31
*** rm_work|away is now known as rm_work19:33
*** crc32 has joined #openstack-keystone19:33
anhhuynxjamielennox: thank you Jamie, I'll keep working on this with the new information.19:33
jamielennoxanhhuynx: np - bug me if you have any more questions, i'm happy to step you through what will be required19:35
jamielennoxanhhuynx: however i'm based in Australia so this is the only day of the week i'm around at this time, but mostly people around here are friendly19:35
openstackgerritJason Obrien proposed openstack/keystone: Updated files for Keystone startup  https://review.openstack.org/19722519:36
*** jorge_munoz has quit IRC19:37
dstanekgyee: the short answer to your question on https://review.openstack.org/#/c/196917/ is no. the move to oslo_policy broke running tests by name19:38
*** dramakri has joined #openstack-keystone19:39
anhhuynxjamielennox: Would you please advise me on how to start with this? It appears that I have been going about this the wrong way, and I have no idea how to even use the v3 keystone API. If you don't mind can you point me to some reading materials?19:40
bretonbtw19:42
bretonI was able to use fernet tokens with juno openstack and kilo keystone19:43
breton(well, and kilo middleware and client)19:43
*** shaleh has quit IRC19:43
jamielennoxanhhuynx: hmm reading material for keystone v3...19:43
bretoneverything was good except with horizon. There is a bug in juno which is fixed in kilo19:44
jamielennoxanhhuynx: so i guess there are multiple ways to interact and it depends what you are looking for19:46
jamielennoxanhhuynx: so keystone provides a REST API for how to interact with it which is defined https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst19:46
dramakrianhhuynx: some simple v3 api examples from ayoung's blog - http://adam.younglogic.com/2013/09/keystone-v3-api-examples/19:46
jamielennoxanhhuynx: to communicate with that you can use curl or whatever you like that talks http19:47
anhhuynxThank you very much!19:47
*** tqtran is now known as tqtran-afk19:47
jamielennoxwe provide keystoneclient which is a python library that provides a way to talk python and have the library make calls for you19:47
jamielennoxdocumentation is a bit scarce but: http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html19:48
jamielennoxthen openstack client is an application that you can call from the command line which consumes keystoneclient internally19:48
*** jsavak has quit IRC19:49
jamielennoxso i guess it depends how you want to use it19:50
jamielennoxanhhuynx: regarding how you go about implementing it, first you would need to update the identity-api-v3 document above to add a new type parameter to the list credentials19:51
*** Rockyg has joined #openstack-keystone19:51
jamielennoxthen you need to add it to keystone itself so that when type= is passed it filters the results19:51
jamielennoxthen add it to keystoneclient and maybe openstackclient19:52
anhhuynxjamielennox: Isn't the identity-api-v3 document above just documentation?19:54
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Fetch and Cache  https://review.openstack.org/13465519:54
anhhuynxWould updating it change anything?19:54
jamielennoxanhhuynx: we consider that doc to be the complete list of what keystone can do and it's where we nitpick over the high level change19:55
jamielennoxso no, changing it won't actually do anything but people won't let you merge the keystone review until the spec change has been approved19:55
anhhuynxOk, so if I want to add any functionality I better be documenting it?19:55
jamielennoxin this case it's really unlikely anyone will say no to the change so you can absolutely work on all of this in parallel19:56
*** shaleh has joined #openstack-keystone19:56
jamielennoxyep, if it's part of the public API it has to exist in that doc19:56
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19648519:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/19725419:57
*** browne has joined #openstack-keystone19:58
anhhuynxjamielennox: Thank you for the help! I'll try to mull over all the information.19:58
jamielennoxanhhuynx: np - and as mentioned come back and ask if you have questions19:59
*** arunkant has joined #openstack-keystone19:59
*** topol has quit IRC19:59
*** amakarov is now known as amakarov_away20:01
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements  https://review.openstack.org/19727020:02
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/19727720:03
*** ankita_w_ has joined #openstack-keystone20:03
*** shaleh has quit IRC20:03
*** ankita_w_ has quit IRC20:03
*** shaleh has joined #openstack-keystone20:03
*** jorge_munoz has joined #openstack-keystone20:04
*** ankita_w_ has joined #openstack-keystone20:04
*** jasondotstar has quit IRC20:05
*** ankita_wagh has quit IRC20:07
*** gokrokve has joined #openstack-keystone20:10
lbragstadmorganfainberg: following back up the on the token expiry fix20:15
*** mrutkows has quit IRC20:15
lbragstadmorganfainberg: I had to run when you were starting to explain it20:15
lbragstadmorganfainberg: you were saying that it should only be included in the tests?20:16
morganfainberglbragstad: we should just squash microseconds for the test. We unfortunately can't squash microseconds with pki tokens.20:16
morganfainbergActually.. We might be able to now.20:17
lbragstadmorganfainberg: you mean this tests? https://review.openstack.org/#/c/196475/2/keystone/tests/unit/test_v2.py20:17
morganfainbergWth audit Ida20:17
lbragstads/tests/tests/20:17
morganfainbergIds*20:17
morganfainberglet me get food.20:17
lbragstadmorganfainberg: ok, ping me when you're ready20:17
morganfainbergI'm getting breakfast/lunch at 1pm20:17
morganfainberg:P20:17
lbragstadmorganfainberg: I'm just stepping through the chain of patches you have up for it20:18
*** yottatsa has quit IRC20:20
*** yottatsa has joined #openstack-keystone20:21
*** henrynash has joined #openstack-keystone20:23
*** ChanServ sets mode: +v henrynash20:23
*** piyanai has joined #openstack-keystone20:24
*** mgarza has joined #openstack-keystone20:31
*** e0ne has quit IRC20:35
*** piyanai has quit IRC20:38
*** amit213 has quit IRC20:44
*** amit213 has joined #openstack-keystone20:44
*** amit213 has quit IRC20:44
*** fangzhou has quit IRC20:44
*** jaosorior has quit IRC20:46
*** yottatsa has quit IRC20:46
*** Ephur has quit IRC20:50
*** Ephur has joined #openstack-keystone20:54
openstackgerritJason Obrien proposed openstack/keystone: Updated docs for Keystone startup  https://review.openstack.org/19722520:54
*** Ephur_ has joined #openstack-keystone20:55
*** radez is now known as radez_g0n320:58
*** stevemar has quit IRC20:58
*** Ephur has quit IRC20:59
gyeedstanek, so even the policy tests depends on Rule.init()?21:02
*** jorge_munoz has quit IRC21:02
openstackgerritJason Obrien proposed openstack/keystone: Updated docs for Keystone startup  https://review.openstack.org/19722521:02
dstanekgyee: i really don't know what depends on that, but the fact that we are doing it is what breaks us21:03
*** jorge_munoz has joined #openstack-keystone21:03
dstanekmorganfainberg: so it appears that what i want to do (add oslo_policy.opts.register) isn't in line with the vision of oslo21:04
gyeedstanek, yeah, for one thing, you are calling an internal API :)21:04
*** piyanai has joined #openstack-keystone21:04
gyeelet me dig into that a bit more, I think all you have to do is initialize CONF21:05
gyeeand oslo will scan for the policy.json automatically21:05
dstanekmorganfainberg: the problem is that you can't do what they want yet - Doug is trying to give the config fixture a set_default() method so that the projects are not directly tied to config options21:05
dstanekmorganfainberg: i don't see how that is really beneficial, but we're going to discuss it more tomorrow21:06
dstanekgyee: yes, you have to get the oslo.policy options registered21:06
morganfainberg...ok21:06
dstanekgyee: are you thinking that you shouldn't have to register the options?21:07
gyeeyou should21:07
gyeewhat I am saying is that you first need to initialize CONF21:07
gyeeglobal CONF21:07
gyeeand oslo will take care of the rest21:07
dstanekgyee: that's already happening - the problem is that oslo.policy options are not being registered21:08
gyeethen how does test_v3_protection work without your changes?21:08
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/19733121:08
gyeethose tests are overriding the default policy.json location21:09
dstanekgyee: see https://bugs.launchpad.net/oslo.policy/+bug/147018321:09
openstackLaunchpad bug 1470183 in oslo.policy "We need a way to register oslo.policy's options" [Undecided,Confirmed] - Assigned to David Stanek (dstanek)21:09
*** mylu has quit IRC21:10
*** arunkant_ has joined #openstack-keystone21:10
dstanekgyee: it's an order of operations issue21:11
*** jdandrea has joined #openstack-keystone21:12
dstanekgyee: try running this: tox -e py27 -- test_v3_protection21:13
gyeedstanek, k21:13
dstanekgyee: nm that example won't work for you :-(21:13
*** arunkant has quit IRC21:14
dstanekgyee: i had my env setup to better debug this nonsense21:14
gyeedstanek, sorry  I need to run for another meeting, will try after I get back21:14
*** piyanai has quit IRC21:15
*** ankita_w_ has quit IRC21:15
lbragstadmorganfainberg: I think I found something strange with trusts and fernet21:16
*** ankita_wagh has joined #openstack-keystone21:16
lbragstadI can't quite wrap my head around it21:16
anhhuynxjamielennox: so Jamie, I was looking at: https://github.com/openstack/keystone/blob/master/keystone/credential/controllers.py#L84-L9021:16
*** HT_sergio has joined #openstack-keystone21:16
morganfainberglbragstad: not surprising.21:16
lbragstadmorganfainberg: I have this patch up, https://review.openstack.org/#/c/196774/21:16
lbragstadmorganfainberg: which is pretty straight forward21:17
anhhuynxjamielennox: Do you think that by adding @controller.filterprotected('type') I would be going down the right path?21:17
dstanekgyee: the simple answer for why those work is for each of those tests the global enforcer is recreated letting the new config value work21:17
morganfainbergYeah21:17
dstanekgyee: it only works because the options have previously been registered21:17
lbragstadI'm just passing the respective data from token_data to token_formatter.create_token21:17
lbragstadin _get_token_id21:17
dstanekgyee: you could argue that my patch "could" just call rules.reset() at the beginning of each test, but that just seems like wasted cpu21:18
lbragstadmorganfainberg: so that I can eliminate the fernet.core.py:Provider.issue_v3_token method21:18
morganfainbergYou will likely still need to squash binds21:18
morganfainbergBut it should squash binds and then call super21:18
morganfainbergNothing else.21:18
morganfainbergSo effectively eliminated.21:18
lbragstadbut, when keystone goes to validate that token, the user_id doesn't match the trustee_id and it throws a 403 https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L433-L43521:19
morganfainbergYeah. I was fighting that in the v2 ones.21:19
morganfainbergThe end of my patch chain.21:19
lbragstadmorganfainberg: do you think it's something wrong with _populate_user() ? https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L27021:20
morganfainbergNo the failure is before that.21:20
lbragstadbecause I'm pulling that dict in _get_token_id21:21
lbragstadsee line 208 here https://review.openstack.org/#/c/196774/4/keystone/token/providers/fernet/core.py21:21
*** HT_sergio has quit IRC21:21
morganfainbergIs called. The trustee has already been replaced with the trustor Is the issue21:21
lbragstadwhy is that?21:21
lbragstadoh... https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L28421:22
morganfainbergNot sure. But it fails in the data formatter21:22
* lbragstad sigh21:22
morganfainberglbragstad: this was my hell this weekend.21:22
lbragstad:(21:22
morganfainbergBut I was looking at the v2 side. Same icky issues.21:22
lbragstadI don't understand why that's there21:22
morganfainbergBecause impersonation makes the auth the trustor. Not the trustee with the roles from the trustor21:23
morganfainbergImpersonation is broken. Horribly (as a concept). But we have it and people use it.21:23
jamielennoxanhhuynx: that would be the first step and make keystone actually accept the type flag21:25
jamielennoxanhhuynx: i think you would need to modify the driver hints as well and the DB call so that when you query the database you do so based on that type21:25
jamielennoxanhhuynx: but yes - you're in the right place21:26
lbragstadbut we make an assertion https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L43421:26
anhhuynxjamielennox: Thank you Jamie.21:26
lbragstadmorganfainberg: so, apparently using trusts that have impersonation set to False works21:29
morganfainbergYeah.21:29
morganfainbergIt's impersonation that is a train wreck to deal with.21:30
*** BrAsS_mO- has quit IRC21:34
*** hrou_ has joined #openstack-keystone21:36
*** hrou has quit IRC21:36
*** fifieldt has quit IRC21:39
*** ayoung has quit IRC21:39
*** tqtran-afk is now known as tqtran21:39
*** jsavak has joined #openstack-keystone21:41
*** ngupta has joined #openstack-keystone21:43
openstackgerritTheodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url  https://review.openstack.org/19688321:43
jdandreaClue needed with AuthN using Kilo and keystone v3, suspecting pilot error. (I checked with the #openstack channel but couldn't crack the case.) http://paste.openstack.org/show/329750/21:44
*** jsavak has quit IRC21:45
*** edmondsw has quit IRC21:46
morganfainberglbragstad: anyway... yeah maybe we need to make the data provider the only thing that does impersonation swap/check21:48
openstackgerritVictor Morales proposed openstack/keystone: Integrate OSprofiler in Keystone  https://review.openstack.org/10336821:48
morganfainberglbragstad: instead of trying to do it way up in the issue code21:48
bknudsonjdandrea: there's docs for how to use sessions -- http://docs.openstack.org/developer/python-keystoneclient/using-sessions.html21:48
morganfainberglbragstad: this is only an issue with validate calling back through afaict21:48
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v3_token()  https://review.openstack.org/19677421:49
lbragstadmorganfainberg: new patch with better fixes21:49
*** shaleh has quit IRC21:49
lbragstadi.e. the trust stuff and getting federation to work21:49
morganfainbergi'll rebase through my chain as well soon21:49
jdandreabknudson: Thanks! Confused though. Not sure how seeing that error would lead me to know to use sessions? Also, does that mean the example is out of date at http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#module-keystoneclient.v3.client ?21:49
morganfainberglbragstad: you'll still need issue_v3_token but just to raise out on bound tokens21:50
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687721:50
bknudsonjdandrea: that sample code is out of date.21:50
morganfainberglbragstad: def issue_v3_token(....): if bind: raise else: return super()21:50
jdandreabknudson: Ah, ok, thanks.21:50
morganfainberglbragstad: unless fernet now supports binds21:50
lbragstadmorganfainberg: no, all token providers have a _supports_bind property that returns True or False21:51
*** jsavak has joined #openstack-keystone21:51
*** BrAsS_mOnKeY has joined #openstack-keystone21:51
*** BrAsS_mOnKeY has quit IRC21:51
*** fifieldt has joined #openstack-keystone21:51
lbragstadhttps://review.openstack.org/#/c/196774/5/keystone/token/providers/common.py21:51
lbragstadmorganfainberg: ^21:51
morganfainberglbragstad: cool21:51
morganfainberglbragstad: much better...21:52
lbragstadmorganfainberg: if that's what you're thinking?21:52
morganfainbergyeah21:52
morganfainbergi'd like to move more to a capability list21:52
morganfainbergvs. endlessly growing @properties21:52
morganfainbergor such21:52
lbragstadmorganfainberg: yeah, I liked that with the non-persistence stuff21:52
morganfainbergbut that can happen down the line21:52
*** henrynash has quit IRC21:52
morganfainbergso get_provider_capabilities() => ['needs_persistence', 'binds', 'trusts', '...']21:53
morganfainbergor some such21:53
morganfainbergbut that is a refactor that should come later21:53
lbragstadmorganfainberg: oh, that's an interesting idea21:53
morganfainbergthis cleanup fernet stuff likely needs to be backported to kilo21:53
morganfainbergso we should do this without that level of re-structure21:54
lbragstadagreed,21:54
lbragstadswitching to something like a capabilities list shouldn't be too bad later on, it's all the prereq work to get there that seems to be the fun part :)21:54
*** BrAsS_mOnKeY has joined #openstack-keystone21:55
*** BrAsS_mOnKeY has quit IRC21:55
openstackgerritJason Obrien proposed openstack/keystone: Updated docs for Keystone startup  https://review.openstack.org/19722521:56
brownelbragstad: so i think i ran into a similar issue yesterday when trying to use fernet tokens.  http://paste.openstack.org/show/329764/21:56
*** csoukup has quit IRC21:57
*** BrAsS_mOnKeY has joined #openstack-keystone21:57
*** jecarey has quit IRC21:57
brownein this code path it seems to expect the user_id to be a UUID, which its not because I'm using LDAP21:57
*** BrAsS_mOnKeY has quit IRC21:57
lbragstadbrowne: I already have a fix for you :) https://review.openstack.org/#/c/186376/21:57
brownelbragstad: oh nice!21:57
lbragstadbrowne: that has already landed in master21:58
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L33421:58
lbragstadbut hasn't done so in stable/kilo21:58
browneyep, i was using stable/kilo21:58
*** BrAsS_mOnKeY has joined #openstack-keystone21:59
*** BrAsS_mOnKeY has quit IRC21:59
morganfainbergjamielennox: you here?21:59
jamielennoxmorganfainberg: yea21:59
morganfainbergjamielennox: what is the likelihood of session [in Auth_Token] passing down the right thing to the internal service->service requests22:00
morganfainbergandddddd forcing a service token to be there (if possible)22:00
jamielennoxmorganfainberg: done and released?22:00
morganfainbergoh sweet22:00
morganfainbergSWEET22:00
jamielennoxoh wait22:00
*** diazjf has left #openstack-keystone22:00
jamielennoxi may be over confident on the service token22:00
*** BrAsS_mOnKeY has joined #openstack-keystone22:00
morganfainberghehe22:01
bknudsonI don't think we approved the spec for that yet22:01
jamielennoxhttps://review.openstack.org/#/c/193422/22:01
morganfainbergi want to start really making all services that are expecting [nova] -> [<thing>] type action to use the service token22:01
*** BrAsS_mOnKeY has quit IRC22:01
morganfainbergbecause....22:01
morganfainberguh...22:01
morganfainbergif we do that we have a way out from under the bearer tokens from [user] -> [API]22:01
jamielennoxyea, it turns out i reached too far with the X-OpenStack-Request-ID thing22:01
jamielennoxthey'll come find us when they figure out what they want there22:01
jamielennoxso what's missing there is serialization22:02
morganfainbergsince auth_token then can validate authz and pass on a confirmed authz in the request + service token22:02
jamielennoxauth_token passes it down, it needs to be passed from n-api -> n-* (i can't remember which one does the work)22:02
bknudsonjamielennox: here's the request ID spec now -- https://review.openstack.org/#/c/156508/22:02
morganfainbergwe can do cooler things... and then we can support *gaaaaasssssp* signed requests instead of bearer tokens along side bearer tokens22:02
morganfainbergand i think lots of people would be very happy with that22:02
bknudsonit doesn't even mention logging, it's just how to get it from the client libs22:03
*** BrAsS_mOnKeY has joined #openstack-keystone22:03
morganfainberg[it just means nova->glance is implicitly trusted, as long as you say "hey i validated this authz for the user here it is"22:03
* morganfainberg tries and kills bearer tokens from user->service22:03
jamielennoxbknudson: it's sooo broken22:03
bknudsonI'd expect client certs would be the way to go for nova->glance22:03
*** jsavak has quit IRC22:03
morganfainbergbknudson: that is the long term goal22:04
jamielennoxmorganfainberg: bearer tokens can work we just need to fix auth_token22:04
jamielennoxand get service tokens gong22:04
jamielennoxgoing22:04
morganfainbergbknudson: but we have to do it in steps, support different authn/authz between user and service vs service and service22:04
jamielennoxcinder.get_previous_request_id()22:04
morganfainbergbknudson: then we can work / iterate on either of those separately22:04
jamielennoxwtf - how do they expect that to work22:04
bknudsonjamielennox: thread-local storage22:04
morganfainbergbknudson: yay thread-local :(22:04
*** BrAsS_mOnKeY has joined #openstack-keystone22:04
jamielennoxbknudson: you're kidding22:04
morganfainberg¬_¬22:05
morganfainbergjamielennox: i don't think he is22:05
jamielennox    cinder = client.Client('2', 'demo', 'admin', 'demo',6322:05
jamielennox                           'http://21.12.4.342:5000/v2.0')22:05
jamielennoxthat's lovely - how do they think that's going to work with sessions ?22:05
jamielennox- oh yea, i remember somebody talking about auth plugins....22:05
jamielennoxWe are proposing to add 'get_previous_request_id()' method in python-clients,4422:06
jamielennoxpython-openstackclient and python-openstacksdk to return request id to the4522:06
jamielennoxuser.4622:06
jamielennox22:06
jamielennoxlol to anyone who thinks they can add a method to every client22:06
bknudsonjamielennox: I suggested that they add a way to register a callback function, and if they're going to do that then put it on the session instead22:06
*** BrAsS_mOnKeY has joined #openstack-keystone22:06
*** Lactem has joined #openstack-keystone22:06
bknudsonas long as all the requests go through the session they'll get the callbacks22:06
*** BrAsS_mOnKeY has quit IRC22:06
jamielennoxbknudson: why would you want to thread local this stuff? why wouldn't you just retrieve it from the response22:07
jamielennoxhmm, guess you would need to change every response for that22:07
bknudsonjamielennox: you don't have access to the response.22:07
*** gokrokve has quit IRC22:07
bknudsonyou might be able to do something like response=cinder.list() ; cinder.get_request_id(response)22:08
bknudsonand use a weakref dict22:08
jamielennoxurgh22:09
jamielennoxwhatever22:09
*** gordc is now known as gordc_afk22:09
jamielennoxif we fix auth people can break their clients in all sorts of dumb ways22:09
Lactemdstanek: You've been reviewing a patch of mine. Thanks for that. For some reason Jenkins keeps failing epy27. This also fails when I run tox on my local machine. I use git reset to test epy27 before my commit, and got the same errors. Thus, it's not failing for anything caused by my patch. What should I do? https://review.openstack.org/#/c/196883/22:09
Lactemhttp://logs.openstack.org/83/196883/1/check/gate-keystone-python27/48daa2e/22:09
jamielennoxmorganfainberg: https://review.openstack.org/#/c/167181/ is the serialization patch, it's WIP at the moment because i've no idea how it's going to integrate into oslo.context22:10
morganfainbergjamielennox: ah22:10
dstanekLactem: rebase your patch on top of master22:10
jamielennoxmorganfainberg: it's somewhere on my list of priorities22:10
dstanekthat issue has already been fixed22:10
morganfainbergjamielennox: right22:10
Lactemdstanek: Thanks.22:11
dstanekLactem: my pleasure22:11
LactemWait.22:11
LactemHmm. It says it's already up to date when I try git rebase.22:11
*** hrou_ has quit IRC22:11
jamielennoxmorganfainberg: feel free to take that and experiment, my most recent concern was i'm not sure oslo.context really wants us to package a full AccessInfo object * 2 tokens and the user plugin is fairly bound to the concept of an AccessInfo22:11
Lactem"Current branch master is up to date."22:12
LactemMaybe I should fetch first?22:12
jamielennoxmorganfainberg: We could either change UserPlugin so that it pulls the variables it needs at __init__ and therefore make serialization easier22:12
*** Rockyg has quit IRC22:12
morganfainbergjamielennox: that is the direction i think we need to go22:12
jamielennoxor we could try and sanitize the AccessInfo somehow22:12
morganfainbergjamielennox: rather than sanitizing AccessInfo22:12
openstackgerritDavid Stanek proposed openstack/keystone: Add test case for deleting endpoint with space in url  https://review.openstack.org/19688322:12
jamielennoxmorganfainberg: i think that is the last comment i made on the patch when i WIPed it22:13
morganfainbergjamielennox: easier to say "we grab X, Y, Z" than "we mangle this thing to make it work.. except when we miss something"22:13
morganfainbergi'd rather just be explicit22:13
jamielennoxyep, you would need multiple constructors, but whatever22:13
morganfainbergexplicit at least gives developers a target22:13
jamielennoxif we get it right we can have helpers handle the plugin->context->plugin bit22:13
morganfainbergand it is less likely to move out from under them because a sanitization change22:14
morganfainbergjamielennox: ++22:14
morganfainbergyes22:14
jamielennoxi just don't want to make it so that we have to have nova package all these contexts themselves22:14
morganfainbergand they shouldn't have to22:14
morganfainbergi'd say we're doing it wrong if we make them do that22:14
openstackgerritJason Obrien proposed openstack/keystone: Updated docs for Keystone startup  https://review.openstack.org/19722522:14
jamielennoxi was thinking we could have auth_token depend on oslo.context and maybe we could even provide a BaseContext from there rather than have people go to oslo.context directly22:14
morganfainbergmaybe22:15
jamielennoxas in just now thinking rather than i've given that a lot of thought22:15
morganfainbergit could work22:15
jamielennoxmorganfainberg: please do experiment with that i have no solid ideas just that i want to take as much responsibility off the services as possible22:16
jamielennoxmorganfainberg: got to go out for a bit, back in like 30 minutes22:16
* morganfainberg is finishing up a couple things then has to also head out to make it to dinner place (yay traffic)22:16
dstaneki wish i could make a -1 sticky so i didn't have to -2 things22:16
LactemUh oh. What are you -2ing?22:17
morganfainbergdstanek: if it's serious enough that it needs to be sticky -- a -2 is probably correct22:17
bknudsonit's probably something I did.22:18
dstanekmorganfainberg: nah, i just want to make sure my -1 is considered. the doc review above just bothers me and i don't want to -2 a new contributor while they are actively doing development22:18
*** dims_ has joined #openstack-keystone22:19
Lactemdstanek: https://review.openstack.org/#/c/197225/ That one?22:19
bknudsondstanek: that one probably should be -222:19
dstanekthat's the one22:20
LactemErm. What's wrong with that?22:20
dstaneklet devstack document devstack :-)22:20
bknudsondevstack should be reading our documentation for how to deploy it not the other way around22:21
*** ankita_w_ has joined #openstack-keystone22:21
bknudsonotherwise we'll be stuck in a loop22:21
*** dims has quit IRC22:22
dstanekbknudson: yes, exactly. now nobody will know!22:22
LactemOh. I know the patch submitter irl.22:22
LactemWe're all new.22:22
*** gokrokve has joined #openstack-keystone22:22
dstanekLactem: that's why i didn't want to -222:23
*** yottatsa has joined #openstack-keystone22:23
Lactemdstanek: I don't see what you're saying on my patch, though. "I just pushed a new patchset up that appears to show that there is definitely a bug in there." I'm not seeing anything different in your new patchset than in the one right before it.22:23
dstanekLactem: the diff - https://review.openstack.org/#/c/196883/3..4/keystone/tests/unit/test_v3_catalog.py22:24
LactemThat's what I'm looking at.22:24
*** ankita_wagh has quit IRC22:24
dstanekLactem: the test as it was writting wasn't saving the url with the space into the database - so the test did nothing22:24
dstaneks/writting/written/22:25
Lactemdstanek: Is there a sample or a unit test example that would show me how to write it into the database?22:25
*** bknudson has quit IRC22:26
yottatsaDoes anybody know where slave_connection was introduced?22:26
dstanekLactem: i just pushed it :-) if you modify the ref before doing the POST it will get into the database22:27
LactemOhh.22:27
LactemI was wondering why it was moved. Thank you.22:27
dstanekLactem: the original code created a ref, POSTed it to keystone and then modified it locally22:27
*** jsavak has joined #openstack-keystone22:28
LactemI see.22:28
*** ayoung has joined #openstack-keystone22:29
*** ChanServ sets mode: +v ayoung22:29
*** ninag has joined #openstack-keystone22:36
*** shaleh has joined #openstack-keystone22:36
*** dontalton has quit IRC22:37
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19648522:39
Lactemdstanek: You're not stealing this bug from me, are you? The bug page put you down under "assigned to." Mind if I change that back to me?22:40
LactemBy the way this makes an error even if there's no space in tenant_id.22:41
*** ayoung has quit IRC22:41
morganfainbergLactem: the assigned to changes automatically22:42
morganfainbergLactem: based upon who pushes the patch. you still get credit for the patch because you're the "author" in git22:42
*** jsavak has quit IRC22:42
morganfainbergLactem: it's just how our tooling and how gerrit -> launchpad works22:42
LactemOkay so once I make the final patch, it will switch the assignee back. Cool.22:43
*** jsavak has joined #openstack-keystone22:43
*** gokrokve has quit IRC22:44
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/19727722:45
*** dhellmann has joined #openstack-keystone22:46
*** slberger has quit IRC22:46
yottatsaI'd just implemented slave_connection initial support for keystone. Should I write a spec? Or I can start from blueprint? https://blueprints.launchpad.net/keystone/+spec/keystone-slaveification22:46
*** slberger has joined #openstack-keystone22:46
*** slberger has left #openstack-keystone22:47
dstanekLactem: yeah, or you can assign it back if you like. i don't intend to work on it at all, i just wanted to correct the test.22:51
dstanekyottatsa: a spec is probably the right thing for that22:52
dstanekyottatsa: that blueprint is really sparse on the details that the spec template will make you think about22:53
yottatsadstanek, thank you22:54
*** jsavak has quit IRC22:54
yottatsadstanek, which directory I should use? kilo or liberty?22:59
dstanekyottatsa: liberty. kilo has already happened23:00
yottatsagot it23:00
*** dims_ has quit IRC23:01
dstanekyottatsa: actually probably backlog, now that i think about it - don't think we are approving any liberty specs at this time23:01
dstanekthe deadline was last week iirc23:01
morganfainbergdstanek: we aren't unless there is a proposal freeze exception granted23:05
morganfainbergdstanek: which we're open to - I really don't want everything piled into milestone-3 again23:05
*** markvoelker_ has quit IRC23:06
dstanekhaha, isn't that how we make sure we're busy?23:06
sigmavirus24morganfainberg: isn't that just Good Release Planning™?23:07
sigmavirus24s/Good/Glance/23:07
*** ninag has quit IRC23:08
*** hrou has joined #openstack-keystone23:09
dstaneksigmavirus24: is Glance practicing Fire-drill Driven Development?23:09
sigmavirus24That was Kilo at least23:09
sigmavirus24I don't think we merged a single blueprint before m-323:09
sigmavirus24And even then, we merged 2 big ones as FFEs23:09
sigmavirus24(CIS - Now openstack/searchlight, Artifacts)23:10
*** shaleh has quit IRC23:10
morganfainbergsigmavirus24: i dunno... thats my view, but i might be in the minority23:11
morganfainbergsigmavirus24: just today i get a lot more say in that stuff being PTL ;)23:11
sigmavirus24Doesn't PTL stand for "Petty Tyrant and Liar"23:12
* sigmavirus24 ducks23:12
dstanek"party through liberty"23:13
*** jsavak has joined #openstack-keystone23:13
kfox1111no, I'd say the ptl's job is pretty hard. I wouldn't consider it a party. ;)23:14
*** mgarza has quit IRC23:15
*** mgarza_ has joined #openstack-keystone23:15
*** mgarza_ has quit IRC23:16
*** zzzeek has quit IRC23:18
*** BrAsS_mOnKeY has joined #openstack-keystone23:20
openstackgerritMerged openstack/pycadf: Updated from global requirements  https://review.openstack.org/19727023:21
*** jkomg has quit IRC23:22
morganfainbergsigmavirus24: nah PTL stands for Please Try Later23:23
morganfainbergusually involving a -1 or -2.23:23
sigmavirus24"Future unclear. Please try again later"23:23
morganfainbergsigmavirus24: -1, Nope, Please Try Later23:23
sigmavirus24So you're a glorified Magic 8 ball?23:23
morganfainbergsigmavirus24: oh you're giving me too much credit23:24
morganfainbergi only have 2 answers23:24
morganfainberg-1 and -223:24
*** jsavak has quit IRC23:24
sigmavirus24That was me in the Kilo cycle23:24
sigmavirus24My +/- ratio was something like 60% in glance23:24
morganfainbergi use a magic 8 ball to determine which answer to give.23:24
LactemIs there a way to print debug messages in a test case without using assertEqual, which will break the execution there?23:25
morganfainbergdon't ask how it works, it's a secret to everybody23:25
* morganfainberg even got a LoZ reference in there! wheeeeee.23:25
* morganfainberg might be a little loopy today23:25
*** shaleh has joined #openstack-keystone23:26
LactemUsing print doesn't seem to work. Is there a different way to log messages when using tox?23:26
*** roxanaghe has quit IRC23:27
*** jsavak has joined #openstack-keystone23:27
*** fangzhou has joined #openstack-keystone23:28
*** shaleh has quit IRC23:32
openstackgerritTheodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url  https://review.openstack.org/19688323:34
Lactem: D23:34
LactemI'll just leave that and go off for the day.23:34
*** jsavak has quit IRC23:35
dstanekLactem: are you trying to print during a broken test or a successful test?23:36
*** Lactem has quit IRC23:36
anhhuynxare there any credential types other than ec2?23:39
*** dims has joined #openstack-keystone23:45
*** dims has quit IRC23:46
*** anhhuynx has quit IRC23:47
*** markvoelker has joined #openstack-keystone23:47
*** dramakri has left #openstack-keystone23:50
browneanhhuynx: the openstack client does have a cert credential type23:50
brownehttps://github.com/openstack/python-openstackclient/blob/56163aa7bc7ab1ea98b94611158dbe2df727069a/openstackclient/identity/v3/credential.py#L4523:50
*** zzzeek has joined #openstack-keystone23:55
*** htruta_ has joined #openstack-keystone23:57
*** ianbrown has joined #openstack-keystone23:57
*** dsirrine_ has quit IRC23:59
