Tuesday, 2015-07-21

[00:02] *** mylu has quit IRC
[00:03] *** topol has joined #openstack-keystone
[00:03] *** ChanServ sets mode: +v topol
[00:03] *** mylu has joined #openstack-keystone
[00:06] <openstackgerrit> Merged openstack/keystone: Fix for LDAP filter on group search by name  https://review.openstack.org/194733
[00:07] *** topol has quit IRC
[00:08] <openstackgerrit> Henrique Truta proposed openstack/keystone: Change project name constraints  https://review.openstack.org/158372
[00:10] *** dims_ has joined #openstack-keystone
[00:15] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/202282
[00:15] *** amickus has quit IRC
[00:17] <openstackgerrit> Brant Knudson proposed openstack/keystone: test_base64utils works with py34  https://review.openstack.org/203853
[00:20] *** gyee has quit IRC
[00:22] *** chlong has joined #openstack-keystone
[00:23] *** tqtran-afk is now known as tqtran
[00:27] *** sigmavirus24_awa is now known as sigmavirus24
[00:32] *** adam_g has quit IRC
[00:33] *** piyanai has quit IRC
[00:34] *** Nakato_ is now known as Nakato
[00:40] *** btully has joined #openstack-keystone
[00:45] *** btully has quit IRC
[00:53] *** spandhe has quit IRC
[00:55] *** _cjones_ has quit IRC
[00:58] *** mylu has quit IRC
[01:00] *** mylu has joined #openstack-keystone
[01:04] <openstackgerrit> Brant Knudson proposed openstack/keystone: test_base64utils works with py34  https://review.openstack.org/203853
[01:04] <openstackgerrit> Brant Knudson proposed openstack/keystone: Fix pemutils for py34  https://review.openstack.org/203892
[01:06] <openstackgerrit> Merged openstack/keystone: Fix docstrings in contrib  https://review.openstack.org/203607
[01:08] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/202282
[01:13] <openstackgerrit> Brant Knudson proposed openstack/keystone: test_base64utils works with py34  https://review.openstack.org/203853
[01:13] <openstackgerrit> Brant Knudson proposed openstack/keystone: Fix pemutils for py34  https://review.openstack.org/203892
[01:16] <openstackgerrit> Merged openstack/keystone: Additional Fernet test coverage  https://review.openstack.org/192739
[01:17] *** tqtran has quit IRC
[01:17] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/202282
[01:19] <openstackgerrit> Brant Knudson proposed openstack/keystone: Fix test_utils for py34  https://review.openstack.org/203896
[01:20] *** mylu has quit IRC
[01:22] *** jiaxi has joined #openstack-keystone
[01:22] *** rm_work|away is now known as rm_work
[01:29] *** mestery has quit IRC
[01:29] *** bitblt has quit IRC
[01:38] *** ankita_w_ has quit IRC
[01:39] *** mylu has joined #openstack-keystone
[01:40] *** browne has quit IRC
[01:40] *** mylu has quit IRC
[01:42] *** jdandrea has quit IRC
[01:44] *** mylu has joined #openstack-keystone
[01:44] <jiaxi> Hello everyone
[01:47] *** jasonsb has quit IRC
[01:47] <jiaxi> Anyone here ?
[01:47] *** mylu has quit IRC
[01:47] <jiaxi> you need to wrap the string here with the _LW i18n helper.
[01:47] <jiaxi> What does this mean ?
[01:47] *** mylu has joined #openstack-keystone
[01:48] <jiaxi> What's _LW i18n helper ?
[01:48] <jamielennox> jiaxi: it's a translation thing
[01:48] <jamielennox> you import from oslo i18n
[01:48] <jiaxi> Oh. Thank you
[01:49] <jamielennox> if you do log.warning you need to do log.warning(_LW('your message')) so it can be translated
[01:50] <jiaxi> jamielennox, Thank you so much.
[01:52] *** stevemar has joined #openstack-keystone
[01:52] *** ChanServ sets mode: +v stevemar
[01:52] <openstackgerrit> ayoung proposed openstack/oslo.policy: Convert Exceptions to failures.  https://review.openstack.org/165908
[01:53] *** davechen has joined #openstack-keystone
[01:54] <openstackgerrit> Brant Knudson proposed openstack/keystone: Ensure database options registered for tests  https://review.openstack.org/203900
[02:00] *** davechen1 has joined #openstack-keystone
[02:00] *** ankita_wagh has joined #openstack-keystone
[02:02] *** davechen has quit IRC
[02:04] <openstackgerrit> Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/156870
[02:07] <openstackgerrit> Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/156870
[02:12] *** woodster_ has quit IRC
[02:13] <openstackgerrit> ayoung proposed openstack/keystone: Specify ID for Project or domain creation  https://review.openstack.org/203852
[02:14] <openstackgerrit> Merged openstack/keystonemiddleware: Fix rst  https://review.openstack.org/202659
[02:14] *** fangzhou has quit IRC
[02:18] *** browne has joined #openstack-keystone
[02:22] <jamielennox> so sick of pbr...
[02:24] *** ayoung has quit IRC
[02:27] <openstackgerrit> Merged openstack/keystonemiddleware: Refactor extract method for offline validation  https://review.openstack.org/188650
[02:28] <openstackgerrit> jiaxi proposed openstack/keystone: Suppressing the request when creating endpoint with invalid urls  https://review.openstack.org/200512
[02:28] *** chenhong has joined #openstack-keystone
[02:32] <openstackgerrit> jiaxi proposed openstack/keystone: Suppressing the request when creating endpoint with invalid urls  https://review.openstack.org/200512
[02:33] <jiaxi> Anyone who like to exchange review ?
[02:40] *** ankita_wagh has quit IRC
[02:48] <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Use UUID values in v3 test fixtures  https://review.openstack.org/168546
[02:52] *** hakimo_ has joined #openstack-keystone
[02:55] *** hakimo has quit IRC
[02:58] *** mylu has quit IRC
[02:58] *** jasonsb has joined #openstack-keystone
[03:09] *** dims_ has quit IRC
[03:09] *** dims_ has joined #openstack-keystone
[03:13] *** mylu has joined #openstack-keystone
[03:15] *** lhcheng has quit IRC
[03:19] *** richm has quit IRC
[03:24] *** lhcheng has joined #openstack-keystone
[03:24] *** ChanServ sets mode: +v lhcheng
[03:24] <stevemar> lhcheng: thanks :P
[03:24] <stevemar> i can't believe i didn't see that one...
[03:25] <lhcheng> stevemar: np :) I got curious about it too and started debugging.
[03:27] *** dims_ has quit IRC
[03:28] *** dims_ has joined #openstack-keystone
[03:31] <openstackgerrit> Steve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/195873
[03:32] *** krotscheck is now known as krotsche_vaca
[03:33] <stevemar> finally have that one passing tests
[03:33] <stevemar> that has not been the easiest of switches
[03:34] *** dims_ has quit IRC
[03:34] *** henriquetruta has quit IRC
[03:36] <openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/183377
[03:36] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Add .settings/ to .gitignore  https://review.openstack.org/203910
[03:39] *** ankita_wagh has joined #openstack-keystone
[03:41] *** chenhong1 has joined #openstack-keystone
[03:41] *** chenhong has quit IRC
[03:48] <openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/186988
[03:55] <openstackgerrit> Steve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/195873
[03:59] *** lhcheng has quit IRC
[04:01] <openstackgerrit> Steve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/195873
[04:06] *** dims_ has joined #openstack-keystone
[04:06] *** mylu has quit IRC
[04:07] <lbragstad> marekd: I'm able to get a federated unscoped token now with the current playbooks
[04:07] <lbragstad> marekd: https://github.com/lbragstad/keystone-deploy/tree/federation
[04:07] <lbragstad> marekd: I just pushed all my changes, including the ones you mentioned early
[04:07] *** mylu has joined #openstack-keystone
[04:09] <lbragstad> cc dstanek and dolphm - the latest commit of keystone-deploy's federation branch should give you k2k up to scoping a federated unscoped token (still need to work that part out)
[04:10] *** dims_ has quit IRC
[04:10] <lbragstad> a sample inventory might look something like http://cdn.pasteraw.com/mtntjattzpbt9165llj02g312mu8t4u - if you have two vms up
[04:11] *** chenhong1 has quit IRC
[04:11] <lbragstad> should be able to run the tests (nosetests test_federation_exercises.py) https://github.com/lbragstad/keystone-deploy/blob/federation/test_federation_exercises.py#L203 which is kind of an abomination at the moment
[04:12] *** chenhong has joined #openstack-keystone
[04:13] *** dims_ has joined #openstack-keystone
[04:13] *** davechen1 has quit IRC
[04:14] *** davechen has joined #openstack-keystone
[04:18] *** dims_ has quit IRC
[04:22] *** mylu has quit IRC
[04:22] *** ankita_wagh has quit IRC
[04:22] *** ankita_wagh has joined #openstack-keystone
[04:23] * jamielennox found his ssl bug :)
[04:27] *** dims_ has joined #openstack-keystone
[04:31] *** rm_work is now known as rm_work|away
[04:33] *** rm_work|away is now known as rm_work
[04:34] <davechen> stevemar: hi,
[04:35] <davechen> stevemar: Are you around? :)
[04:35] *** dims_ has quit IRC
[04:36] <davechen> stevemar: Just want to confirm with you, is this needed? (https://review.openstack.org/#/c/179767/)
[04:38] *** lhcheng has joined #openstack-keystone
[04:38] *** ChanServ sets mode: +v lhcheng
[04:39] *** btully has joined #openstack-keystone
[04:39] <davechen> I did some investigation, the referential integrity is either restricted in the driver layer or in the manager layer, there is no need to change the code logic but the restriction in the DB is not necessary.
[04:46] *** topol has joined #openstack-keystone
[04:46] *** ChanServ sets mode: +v topol
[04:50] *** bradjones has quit IRC
[04:52] *** bradjones has joined #openstack-keystone
[04:52] *** bradjones has quit IRC
[04:52] *** bradjones has joined #openstack-keystone
[04:54] *** topol has quit IRC
[04:55] *** topol has joined #openstack-keystone
[04:55] *** ChanServ sets mode: +v topol
[05:00] <openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/186988
[05:00] <openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/183377
[05:02] *** dims_ has joined #openstack-keystone
[05:02] <stevemar> davechen: hey hey
[05:03] <davechen> stevemar: hi,
[05:04] <stevemar> davechen: that patch has me confused because i thought we wanted to get rid of all the on_delete=CASCADE calls
[05:05] <davechen> stevemar: why we need to get rid of it? sorry, I didn't catch it
[05:05] <davechen> stevemar: does that mean we will drop all of the foreign keys in the SQL?
[05:06] *** ankita_wagh has quit IRC
[05:06] *** dims_ has quit IRC
[05:07] <stevemar> davechen: we can keep foreign keys, but we shouldn't enforce deletion with on_delete=CASCADE
[05:07] <stevemar> we should have the controller/manager perform two delete calls
[05:07] <davechen> stevemar: if we not enforce it, it will be `restrict` by default.
[05:08] <stevemar> one for the foreign key, and one for the original item
[05:08] <stevemar> davechen: why is restrict bad?
[05:08] <davechen> yes, I think the controller or manager has been cleaned. :)
[05:09] <davechen> stevemar: restrict is not bad, but it seems not necessary, since the logic has been enforced in manager layer or driver layer.
[05:09] <davechen> if we want to handle with SQL directly, the DB will refuse you to do it since it has been FK reference.
[05:09] *** topol has quit IRC
[05:10] *** ankita_wagh has joined #openstack-keystone
[05:10] <davechen> but I not sure if this is appropriate way to manage DB directly.
[05:10] <stevemar> davechen: i think what morganfainberg is worried about is that if someone is using a non-SQL backend (mongo) to store this, then the FKs may not be deleted
[05:11] *** sigmavirus24 is now known as sigmavirus24_awa
[05:11] <davechen> stevemar: yep, I cleared all of the entities in the keystone, all of them is enforced either in the manager layer or in the driver layer.
[05:14] <stevemar> davechen: right, that's what i thought - so what's the point of 195873 ? it looks like it's introducing a new one?
[05:14] <stevemar> s/195873/179767
[05:14] <stevemar> sorry
[05:14] <stevemar> it's late :)
[05:14] <davechen> stevemar: have a rest, sir
[05:15] <stevemar> davechen: nah, lets talk about https://review.openstack.org/#/c/179767 - i haven't been reviewing as much as i should
[05:16] <davechen> stevemar: just couple of mins
[05:17] <davechen> the point of that patch is just some clean up, it not introduce a new one.
[05:17] <stevemar> davechen: sure, so what am I not understanding :)
[05:18] <davechen> stevemar: the patch has a long history.
[05:18] <davechen> it's from one of your comment from kilo :)
[05:19] *** chenhong1 has joined #openstack-keystone
[05:19] <openstackgerrit> Steve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/195873
[05:19] <davechen> stevemar: it's not a big deal, update it will let end user to update the DB without complain from the DB.
[05:19] <davechen> stevemar: and it should okay if we just keep it as is.
[05:20] *** chenhong has quit IRC
[05:20] <davechen> davechen: let me think if there is anything more we should do, if no, we can close the BP as implemented :)
[05:20] <stevemar> davechen: is there a bug / error when the DB is updated now?
[05:21] <davechen> /think/check
[05:21] <stevemar> davechen: think works too :)
[05:21] *** spandhe has joined #openstack-keystone
[05:21] <davechen> stevemar: ah, just in case that there is no one disagree we could manage DB.
[05:21] <davechen> :)
[05:22] <davechen> but I don't think so.
[05:22] *** dims_ has joined #openstack-keystone
[05:22] <davechen> stevemar: you should take a break, have a good  dream. :)
[05:23] *** topol has joined #openstack-keystone
[05:23] *** ChanServ sets mode: +v topol
[05:24] *** spandhe_ has joined #openstack-keystone
[05:26] *** spandhe has quit IRC
[05:26] *** spandhe_ is now known as spandhe
[05:26] *** dims_ has quit IRC
[05:27] *** topol has quit IRC
[05:27] *** topol has joined #openstack-keystone
[05:27] *** ChanServ sets mode: +v topol
[05:31] <stevemar> davechen: thanks boss! leave comments in the patch / email if you want to chat about it
[05:31] <davechen> stevemar:you are kidding me :)
[05:33] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Clean up docs before creating new ones  https://review.openstack.org/203925
[05:36] *** dims_ has joined #openstack-keystone
[05:38] *** topol has quit IRC
[05:38] *** markvoelker has quit IRC
[05:41] *** dims_ has quit IRC
[05:44] *** davechen has quit IRC
[05:44] *** markvoelker has joined #openstack-keystone
[05:45] *** davechen has joined #openstack-keystone
[05:50] *** spandhe has quit IRC
[05:53] *** spandhe has joined #openstack-keystone
[05:55] *** topol has joined #openstack-keystone
[05:55] *** ChanServ sets mode: +v topol
[05:56] *** topol has quit IRC
[05:57] *** topol has joined #openstack-keystone
[05:57] *** ChanServ sets mode: +v topol
[05:58] <jiaxi> Anyone here ?
[05:58] <jiaxi> openstack trust create error .
[05:59] *** topol has quit IRC
[05:59] *** hrou has quit IRC
[06:01] *** Kennan has quit IRC
[06:01] <marekd> lbragstad: so, did keystone-idp work?
[06:02] *** Kennan has joined #openstack-keystone
[06:03] *** topol has joined #openstack-keystone
[06:03] *** ChanServ sets mode: +v topol
[06:03] *** topol has quit IRC
[06:03] *** topol has joined #openstack-keystone
[06:03] *** ChanServ sets mode: +v topol
[06:03] *** stevemar has quit IRC
[06:08] *** topol has quit IRC
[06:13] <openstackgerrit> Deepti Ramakrishna proposed openstack/keystone: Reuse token_ref fetched in AuthContextMiddleware.  https://review.openstack.org/190863
[06:16] <jiaxi> stevemar, openstack trust create error .  did you fix it ?
[06:17] <lhcheng> jiaxi: what is the error?
[06:17] <jiaxi> I remember that you submitted a  patch set to fix it
[06:17] <jiaxi> ERROR: openstack No user with a name or ID of '4dd2389e79bd4154869a67ee1b237f2a' exists.
[06:17] <jiaxi> lhcheng: openstack trust create --project 824f8b8c6ad24855b07b88766d90786c --role 26ea0ce38b6f4ce4bcf03151db2927c4 4dd2389e79bd4154869a67ee1b237f2a f1553dd09afd44d2af178dbc2847e0ff
[06:17] <jiaxi> the cmd
[06:18] <jiaxi> lhcheng: Error info say 4dd2389e79bd4154869a67ee1b237f2a didn't exist
[06:18] <jiaxi> That's terrible. Because it exist...
[06:19] <lhcheng> jiaxi: I think stevemar's patch should fix it, can you try it?
[06:19] <lhcheng> jiaxi: https://review.openstack.org/#/c/200646/5
[06:20] <jiaxi> OK
[06:21] *** dims_ has joined #openstack-keystone
[06:21] <jiaxi> lhcheng, but it works fine some days ago. His patch didn't merge yet.
[06:22] <lhcheng> jiaxi:  you can still pull the patch to test it though. :)
[06:22] <jiaxi> okay
[06:23] <jiaxi> lhcheng,  Li hua Cheng  https://review.openstack.org/#/c/203312/
[06:23] <jiaxi> Help me review my little patch set https://review.openstack.org/#/c/203312/
[06:24] <jiaxi> Thank you
[06:24] <jiaxi> lhcheng,You are chinese?
[06:25] *** dims_ has quit IRC
[06:29] <lhcheng> jiaxi: my devstack got broken atm, don't have a way to test the patch
[06:29] <lhcheng> jiaxi: yeah, but I don't speak mandarin :P
[06:30] <lhcheng> jiaxi: will look at it when my env gets going again
[06:30] *** bradjones has quit IRC
[06:30] <jiaxi> devstack broken ?   test which patch ?
[06:30] <jiaxi> lhcheng: test which patch ?
[06:30] <lhcheng> jiaxi: your patch
[06:31] <jiaxi> can use quota set to test
[06:31] *** pnavarro has joined #openstack-keystone
[06:31] <jiaxi> lhcheng: you can use openstack cmd to test
[06:32] <lhcheng> jiaxi: i know, but my devstack is not running
[06:32] <jiaxi> lhcheng,jenkins has tested it with devstack
[06:32] *** bradjones has joined #openstack-keystone
[06:32] *** bradjones has quit IRC
[06:32] *** bradjones has joined #openstack-keystone
[06:33] <jiaxi> lhcheng, restart, cut off some service.
[06:34] <jiaxi> lhcheng, I give you  a local.conf
[06:34] <jiaxi> lhcheng: [[local|localrc]] HOST_IP=10.250.6.52 FIXED_RANGE=10.24.0.0/24 NETWORK_GATEWAY=10.24.0.1 LOGDAYS=1 LOGDIR=$DEST/logs LOGFILE=$LOGDIR/stack.sh.log SCREEN_LOGDIR=$LOGDIR/screen ADMIN_PASSWORD=quiet DATABASE_PASSWORD=$ADMIN_PASSWORD RABBIT_PASSWORD=$ADMIN_PASSWORD SERVICE_PASSWORD=$ADMIN_PASSWORD SERVICE_TOKEN=a682f596-76f3-11e3-b3b2-e716f9080d50
[06:34] <marekd> lol, i bet lhcheng will be able to use this local file, esp with 10/8 subnet....
[06:35] <jiaxi> lhcheng: use this mini one.   Then ./stack.sh.   Then  devstack will run happily.
[06:35] <lhcheng> jiaxi: my conf is at the minimum atm, I don't think the conf will help
[06:36] <jiaxi> what's the error info ?
[06:36] <jiaxi> lhcheng, what's error report ?
[06:36] <lhcheng> jiaxi: it is just broken now, will look at it tom
[06:36] <jiaxi> I have install devstack and reinstall devstack for many times.
[06:37] <lhcheng> jiaxi: something with cannot import "from openstack_requirements import project"
[06:38] <lhcheng> jiaxi: okay, added a comment on your patch. It doesn't have a test on it.
[06:38] <jiaxi> miss file ? unstack.sh clean.sh   then, download a new devstack from github.
[06:39] <jiaxi> lhcheng, fix add some test to reproduce the problem  ???
[06:40] <jiaxi> lhcheng, this issue is for cmd. 100% can reproduce.
[06:40] <jiaxi> lhcheng,  what do you mean by 'ix add some test to reproduce the problem'
[06:41] <jiaxi> lhcheng,  what do you mean by 'fix add some test to reproduce the problem'
[06:42] <lhcheng> jiaxi: I meant add some unit test
[06:42] <lhcheng> jiaxi: thanks for the advice, will try to fix the  devstack tom
[06:43] <davechen> lhcheng: what's your time? lin :)
[06:43] <lhcheng> 11:40pm
[06:44] <davechen> lhcheng: terrible!
[06:44] <davechen> lhcheng: it's too late.
[06:44] <lhcheng> davechen: just wrapping up some stuff
[06:45] <jiaxi> lhcheng: You are not chinese ?
[06:45] <davechen> lhcheng: not easy life for SE, hope you clean those up.
[06:45] <davechen> jiaxi: lin is living in USA.
[06:46] <lhcheng> jiaxi: did a refresh on devstack repo, that seems to do the trick. hit a different problem now. thanks
[06:46] <lhcheng> davechen: what's SE?
[06:46] <marekd> soft eng
[06:46] <marekd> ?
[06:46] <davechen> marekd: yep.
[06:46] <jiaxi> davechen: what's SE ?
[06:46] *** pnavarro has quit IRC
[06:46] <davechen> soft eng.
[06:47] <davechen> not easy for all of us. :)
[06:47] *** ankita_wagh has quit IRC
[06:47] <jiaxi> lhcheng, What's the new problem ?
[06:48] *** browne has quit IRC
[06:48] <lhcheng> davechen: lol
[06:48] <lhcheng> jiaxi: failed on osc role add, I'll figure it out tom
[06:49] <lhcheng> okay, I'm logging off
[06:49] <lhcheng> davechen just reminded me how late it is
[06:49] <lhcheng> :P
[06:49] *** spandhe has quit IRC
[06:49] <davechen> lhcheng: good dreaming.
[06:49] <lhcheng> davechen: thanks! catch you later
[06:49] <lhcheng> enjoy the rest of the day
[06:50] <davechen> lhcheng: I will, thanks. :)
[06:56] *** dims_ has joined #openstack-keystone
[07:00] *** dims_ has quit IRC
[07:04] *** stevemar has joined #openstack-keystone
[07:04] *** ChanServ sets mode: +v stevemar
[07:04] *** ankita_wagh has joined #openstack-keystone
[07:08] *** stevemar has quit IRC
[07:10] *** rletrocquer has joined #openstack-keystone
[07:23] *** amirosh has joined #openstack-keystone
[07:24] *** afazekas_ has joined #openstack-keystone
[07:26] *** ParsectiX has joined #openstack-keystone
[07:30] *** losingle has joined #openstack-keystone
[07:32] *** amirosh_ has joined #openstack-keystone
[07:34] *** btully has quit IRC
[07:36] *** amirosh has quit IRC
[07:37] *** dims_ has joined #openstack-keystone
[07:41] *** dims_ has quit IRC
[07:42] *** belmoreira has joined #openstack-keystone
[07:48] *** fhubik has joined #openstack-keystone
[07:49] *** topol has joined #openstack-keystone
[07:49] *** ChanServ sets mode: +v topol
[07:52] *** losingle has quit IRC
[07:52] *** belmoreira has quit IRC
[07:52] *** lhcheng has quit IRC
[07:54] *** topol has quit IRC
[07:55] *** jistr has joined #openstack-keystone
[08:04] *** chlong has quit IRC
[08:06] *** ankita_wagh has quit IRC
[08:07] *** cinerama has quit IRC
[08:10] <jiaxi> The unit test of openstack is too different from the unit test of keystone.
[08:12] *** cinerama has joined #openstack-keystone
[08:14] <openstackgerrit> Ren Qiaowei proposed openstack/keystone: Add necessary executable permission  https://review.openstack.org/203966
[08:17] <openstackgerrit> Marek Denis proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/192850
[08:25] *** pnavarro has joined #openstack-keystone
[08:30] <breton> good morning keystone
[08:31] *** dims_ has joined #openstack-keystone
[08:32] *** henrynash has quit IRC
[08:33] *** cinerama has quit IRC
[08:34] *** henrynash has joined #openstack-keystone
[08:34] *** ChanServ sets mode: +v henrynash
[08:34] *** cinerama has joined #openstack-keystone
[08:36] *** dims_ has quit IRC
[08:40] *** henrynash has quit IRC
[08:43] *** aix has joined #openstack-keystone
[08:46] *** dims_ has joined #openstack-keystone
[08:51] *** dims_ has quit IRC
[08:53] *** stevemar has joined #openstack-keystone
[08:53] *** ChanServ sets mode: +v stevemar
[08:57] *** stevemar has quit IRC
[08:58] *** aix has quit IRC
[09:02] *** henrynash has joined #openstack-keystone
[09:02] *** ChanServ sets mode: +v henrynash
[09:08] *** piyanai has joined #openstack-keystone
[09:12] *** henrynash has quit IRC
[09:15] *** e0ne has joined #openstack-keystone
[09:21] *** geoffarn_ has joined #openstack-keystone
[09:24] *** geoffarnold has quit IRC
[09:26] *** dims_ has joined #openstack-keystone
[09:28] *** aix has joined #openstack-keystone
[09:29] *** amick has joined #openstack-keystone
[09:31] *** dims_ has quit IRC
[09:33] <openstackgerrit> Dave Chen proposed openstack/keystone: Remove unused code in domain config checking  https://review.openstack.org/194057
[09:34] *** ParsectiX has quit IRC
[09:36] *** dims_ has joined #openstack-keystone
[09:40] *** dims_ has quit IRC
[09:40] *** piyanai has quit IRC
[09:41] *** lhcheng has joined #openstack-keystone
[09:41] *** ChanServ sets mode: +v lhcheng
[09:46] *** lhcheng has quit IRC
[09:47] *** davechen has left #openstack-keystone
[09:51] <openstackgerrit> Marek Denis proposed openstack/keystoneauth-saml2: Depend on keystoneauth  https://review.openstack.org/186854
[09:51] *** topol has joined #openstack-keystone
[09:51] *** ChanServ sets mode: +v topol
[09:55] *** ParsectiX has joined #openstack-keystone
[09:56] *** amick has left #openstack-keystone
[09:56] *** topol has quit IRC
[09:58] *** amickus has joined #openstack-keystone
[10:02] *** boris-42 has quit IRC
[10:02] *** Kennan has quit IRC
[10:03] *** Kennan has joined #openstack-keystone
[10:03] *** pnavarro has quit IRC
[10:04] *** amirosh has joined #openstack-keystone
[10:04] *** aix has quit IRC
[10:06] *** amirosh_ has quit IRC
[10:10] *** fhubik is now known as fhubik_afk
[10:13] *** fhubik_afk is now known as fhubik
[10:15] <openstackgerrit> Marek Denis proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/203142
[10:15] *** aix has joined #openstack-keystone
[10:16] *** dims_ has joined #openstack-keystone
[10:18] *** pnavarro has joined #openstack-keystone
[10:19] *** ParsectiX has quit IRC
[10:25] *** chmouel_ is now known as chmouel
[10:31] *** amirosh_ has joined #openstack-keystone
[10:33] *** amirosh has quit IRC
[10:34] *** chenhong1 has quit IRC
[10:41] *** _afazekas has joined #openstack-keystone
[10:41] *** jiaxi has quit IRC
[10:42] *** stevemar has joined #openstack-keystone
[10:42] *** ChanServ sets mode: +v stevemar
[10:42] <samueldmq> morning
[10:45] *** afazekas has quit IRC
[10:47] *** stevemar has quit IRC
[10:47] *** ParsectiX has joined #openstack-keystone
[10:48] *** fhubik has quit IRC
[10:49] *** amirosh_ has quit IRC
[11:16] *** fhubik has joined #openstack-keystone
[11:19] *** fhubik is now known as fhubik_afk
[11:30] *** lhcheng has joined #openstack-keystone
[11:30] *** ChanServ sets mode: +v lhcheng
[11:35] *** lhcheng has quit IRC
[11:47] *** dsirrine has joined #openstack-keystone
[11:55] *** lhcheng has joined #openstack-keystone
[11:55] *** ChanServ sets mode: +v lhcheng
[11:56] *** fhubik_afk is now known as fhubik
[11:59] *** lhcheng has quit IRC
[12:01] *** uvirtbot has quit IRC
[12:04] *** uvirtbot has joined #openstack-keystone
[12:06] *** gordc has joined #openstack-keystone
[12:07] *** ankita_wagh has joined #openstack-keystone
[12:09] *** dims_ has quit IRC
[12:11] *** ankita_wagh has quit IRC
[12:13] <samueldmq> morganfainberg: good morning
[12:14] <samueldmq> morganfainberg: there is something wrong with that solution to get the endpoint id from URL
[12:14] <dstanek> samueldmq: i think morganfainberg is still sleeping :-)
[12:14] <samueldmq> dstanek: I just called him to see if someone else like you were available
[12:14] <samueldmq> dstanek: it was a trap
[12:15] <dstanek> samueldmq: please leave your message at the beep...
[12:15] <samueldmq> dstanek: just kidding :) but I would appreciate if you have some minutes
[12:15] <samueldmq> dstanek: hehe
[12:15] <dstanek> samueldmq: what's up?
[12:16] *** jiaxi has joined #openstack-keystone
[12:16] <samueldmq> dstanek: so ...
[12:16] <samueldmq> dstanek: we fetch policy + do endpoint enforcement (gyee's work) based on the endpoint_id
[12:16] <samueldmq> dstanek: which would be discovered by URL, so far so good, right?
[12:17] <samueldmq> dstanek: i) it is not endpoint_id, it'd be endpoint_IDS, since a URL can match multiple ids
[12:18] <samueldmq> dstanek: ii) for gyee's work, he needs all the ids for that service process ... I mean, if we just specify http://nova.com and that maps to (public,admin) ids
[12:18] *** chlong has joined #openstack-keystone
[12:18] <samueldmq> dstanek: we would need to get the internal id somehow, which would be by the URL http://10.10.2.65
[12:19] <samueldmq> dstanek: so that would need to be multiple URLs, to discover multiple IDS, I think this is just getting very complex , and bad :(
[12:23] *** raildo has joined #openstack-keystone
[12:23] <jiaxi> I think david is sleeping..
[12:25] <dstanek> samueldmq: sorry walked away to grab breakfast...reading up
[12:25] <samueldmq> dstanek: did you already grab breakfast ? wow, take your time :)
[12:25] <jiaxi> morning in US ?
[12:25] <dstanek> 8:25am where i am and 5:25 on the other coast
[12:26] <dstanek> samueldmq: is it actually possible to hit an endpoint and have it result in multiple IDs for enforcement?
[12:27] <samueldmq> dstanek: just 1 hour earlier than where I am :) that's why I bug you that often
[12:27] <samueldmq> dstanek: you mean to fetch the endpoint ids list ? or to do the endpoint enforcement ?
[12:28] <jiaxi> If I want to understand keystone thoroughly,  What's the best and most effective way ?
[12:28] <dstanek> samueldmq: to do the enforcement
[12:29] <dstanek> jiaxi: reading the code to get a feel for the structure is probably a really great step and then i'd go to the identity docs and openstack setup tutorials
[12:29] <samueldmq> dstanek: today we can't do that, but that's the work gyee is involved, and I confirmed with him yesterday it's needed the whole list of endpoint ids (regardless the interface type)
[12:29] <samueldmq> dstanek: so the endpoint id can be checked against the service catalog properly
[12:30] <dstanek> samueldmq: ok, your point (ii) confused me.
[12:30] <samueldmq> dstanek: ok let me clarify
[12:30] <samueldmq> dstanek: we need all the endpoint_ids that represent that service process
[12:31] <dstanek> samueldmq: gyee is basically running into the problem i was calling out earlier (what URL to use)
[12:31] <samueldmq> dstanek: let's say 3 ids (internal, public, admin)
[12:31] *** stevemar has joined #openstack-keystone
[12:31] *** ChanServ sets mode: +v stevemar
[12:31] <samueldmq> dstanek: we possibly can't discover those 3 ids from a single URL
[12:32] <samueldmq> dstanek: yeah I think that's basically the problem you called out earlier
[12:32] <samueldmq> dstanek: so to discover those 3 ids, we would need, let's say 2 url, the first discover (public,admin) ids and the second discovers (internal) id
[12:32] <samueldmq> dstanek: if that makes sense ..
[12:33] <dstanek> samueldmq: you could get a list of endpoints for a service right?
[12:33] <dstanek> samueldmq: also this makes my catalog in DNS much harder
[12:33] <samueldmq> dstanek: for a service type yes, but there could be too much service endpoints for, let's say, 'nova'
[12:34] *** stevemar has quit IRC
[12:41] <dstanek> samueldmq: too many for what? i don't see getting a large list of URLs as the problem. the problem i see is know which of the URLs are actually handled by that instance of a service (but maybe that doesn't matter)
[12:45] <dstanek> jiaxi: you should try to respond to each comment in a review to let reviewers know that something was done or that you disagree with a comment
[12:45] <dstanek> jiaxi: that's another reason why reviews don't get attention. if i have a list of 100 reviews and i can't tell if my comments were addressed i'll skip and move on.
[12:45] <jiaxi> I have responded ...
[12:46] <jiaxi> dstanek, I update my code according to all your comment.
[12:46] <dstanek> jiaxi: you should respond to each comment. a few times i made a comment and you posted a review without addressing them. how should i know when to look?
[12:48] <jiaxi> dstanek, I will remember in my note and mind.
[12:50] <jiaxi> dstanek:  All responded one by one   https://review.openstack.org/#/c/200512/
[12:50] <jiaxi> I didn't tell a lie.
[12:51] *** piyanai has joined #openstack-keystone
[12:51] <jiaxi> dstanek: patch set 16, all responded.
[12:51] <dstanek> jiaxi: ok
[12:52] <jiaxi> I think that my code looks good this time.
lbragstadmarekd: things work, but I'm getting a 401 when I try to get a list of projects using a federated unscoped token, per raildo's write up12:55
lbragstadmarekd: specifically https://github.com/lbragstad/keystone-deploy/blob/federation/test_federation_exercises.py#L209-L21212:55
samueldmqdstanek: back12:57
*** pawel_ has joined #openstack-keystone12:58
samueldmqdstanek: basically, if we setup it as : endpoint_urls=http://nova.com:9292,http://10.10.2.16:929212:58
marekdlbragstad: sorry i didn't look into it as you eventually didn't answer whether it worked or not...12:59
samueldmqdstanek: it would work, because the former would discover (public,admin) endpoint ids, and the latter would discover (internal)12:59
samueldmqdstanek: we are considering just one URL so far, and that opens a hole in the solution12:59
*** piyanai has quit IRC13:00
lbragstadmarekd: no worries13:00
lbragstadmarekd: just got into the office13:00
dstaneksamueldmq: that's not really discovery is you hard code the URLs in the config13:00
samueldmqdstanek: hmm, so when you come with http://nova.com:9292 I discover the ids for it13:01
samueldmqdstanek: if you come with http://10.10.2.16:9292 I discover the ids for it13:01
samueldmqdstanek: and I store all the ids representing me (as a service process)13:01
lbragstadmorganfainberg: do you still want this proposed for stable? https://review.openstack.org/#/c/186376/ -- if so, I'll send out an exception on the mailing list13:02
dstaneksamueldmq: what is 10.10.2.16 isn't in the catalog?13:02
samueldmqdstanek: yes it is, representing the internal interface13:03
marekdlbragstad: let me look slightly later.13:03
marekdlbragstad: wanted to finish something.13:03
samueldmqdstanek: and nova.com would represent the public,admin interfaces13:03
lbragstadmarekd: no problem13:03
dstaneksamueldmq: what if i hit it with a url that isn't in the catalog? which is entirely possible13:04
jiaxianyone want to exchange a review ?  https://review.openstack.org/#/c/200512/13:05
samueldmqdstanek: that would fail .. I think that's gyee work, making sure you the endpoint ids in the token match the ids where you try to access13:05
samueldmqdstanek: if I got a token, I am supposed to access to the urls in my service catalog13:05
samueldmqdstanek: is that right ?13:05
dstaneksamueldmq: i'll have to see how gyee is handling having a service that has multiple endpoints13:06
samueldmqdstanek: I think I got your point, if I have access to that service process, but I am using a different URL from the ones in my catalog13:07
*** bradjones has quit IRC13:07
samueldmqdstanek: I will have access denied, because endpoint id by my url won't happen13:07
dstaneksamueldmq: right, deployers can do all sorts of crazy things with proxies13:07
samueldmqdstanek: even though I effectively should have access to that service process13:07
samueldmqdstanek: hmm, that's a good point actually13:08
*** bradjones has joined #openstack-keystone13:08
*** bradjones has quit IRC13:08
*** bradjones has joined #openstack-keystone13:08
samueldmqdstanek: and based on their crazy things, only they know what they do, and then making themselves put the endpoint_ids in the middleware config would be safe13:08
samueldmqdstanek: (putting UX aside) this is what would work pretty fine13:09
*** jdandrea has joined #openstack-keystone13:11
samueldmqmorganfainberg: cc ^13:12
dstaneksamueldmq: so if we are to put restrictions like this on deployments we should document it pretty well13:12
raildolbragstad: I don't know what it is, but if it's wrong, it's not my fault :P13:13
samueldmqdstanek: the problem isn't new deployment, but running ones which would break if try to use those features :(13:13
lbragstadraildo: ;)13:13
dstanekoh, good a brand new devstack and the py34 unit test won't run!13:13
*** jsavak has joined #openstack-keystone13:16
*** markvoelker has quit IRC13:17
openstackgerritDave Chen proposed openstack/keystone: Avoid the hard coding of admin token  https://review.openstack.org/20354613:17
*** hrou has joined #openstack-keystone13:18
*** piyanai has joined #openstack-keystone13:19
*** bknudson has joined #openstack-keystone13:20
*** ChanServ sets mode: +v bknudson13:20
*** bdossant has joined #openstack-keystone13:20
jiaxihttps://review.openstack.org/#/c/200512/13:23
jiaxiGood man ,  top coder. Help me to review my patch set.13:24
*** mylu has joined #openstack-keystone13:24
marekddstanek: ever tried to run functional tests and pdb at the same time? :-)13:27
*** mylu has quit IRC13:39
samueldmqmorganfainberg: when I see all those things, I want to fix that endpoint model .. and I wonder if that is worth it :(13:42
samueldmqmorganfainberg: so I start thinking of Consul13:42
dstanekmarekd: nope :-)13:42
*** rm_work is now known as rm_work|away13:46
*** piyanai has quit IRC13:48
samueldmqis there a way to make services register themselves ? if they did, they would know their ids :)13:48
samueldmqdstanek: cc ^13:48
*** henrynash has joined #openstack-keystone13:48
*** ChanServ sets mode: +v henrynash13:48
marekdsamueldmq: what was consul ?13:49
*** edmondsw has joined #openstack-keystone13:49
samueldmqmarekd: catalog management https://www.consul.io/docs/agent/http/catalog.html13:49
samueldmqmarekd: so services would register themselves, etc13:50
marekdsamueldmq: it's openstackkindofthing ?13:50
pawel_hi. could anyone explain me this thing: I use python client to access keystone and at this point I can list users, etc. Now, I'm using api function tokens.revoke_token. I can see a new entry in the revocation_event table in the database. I would suspect that if I delete this entry from revocation_event table, I would be able to use the token in python client but it's not the case. Could anyone explain what is happening beh13:50
marekddstanek, morganfainberg ^^13:51
*** stevemar has joined #openstack-keystone13:51
*** ChanServ sets mode: +v stevemar13:51
*** topol has joined #openstack-keystone13:52
*** ChanServ sets mode: +v topol13:52
*** kiran-r has joined #openstack-keystone13:52
*** mylu has joined #openstack-keystone13:53
*** dims_ has joined #openstack-keystone13:53
samueldmqmarekd: dunno, morgan was trying to figure out more about it at the midcycle (I think)13:54
samueldmqmarekd: I think we can do endpoint self registering at ksmiddleware level within our current openstack code (no need of external libs like consul)13:55
samueldmqmarekd: however I don't know what's better13:55
bknudsondstanek: ever use py-notify or axel?13:57
*** jsavak has quit IRC13:57
bknudsonor another eventing system13:57
*** jsavak has joined #openstack-keystone13:57
bretonhttp://varlamov.me/2015/usaput6/29.jpg -- that's in front of the whitehouse13:57
* bknudson wonders why keystone implements its own13:57
marekdbknudson: any ideas for pawel_ problem? (read up)13:57
bretonwhy does she hate us?13:57
*** piyanai has joined #openstack-keystone13:58
stevemarbreton: probably because bknudson -1'ed her13:58
bknudsonI put that sign there... -1ing keystone.13:59
samueldmqstevemar: ++ ahaha13:59
bknudsonneeds work13:59
raildostevemar: lol13:59
dstanekbknudson: i have used py-notify and blinker (and the ones builtin to web frameworks)13:59
*** bdossant has quit IRC13:59
bknudsondstanek: does flask have a built-in eventing?13:59
dstanekbknudson: i tried replacing notifications with blinker, but it ended up being almost the same amount of code13:59
dstanekbknudson: no13:59
*** bdossant has joined #openstack-keystone14:00
dstanekbknudson: although now that i've ripped DI out of notifications that may no longer be the case14:00
bknudsondstanek: y, it might be easier now.14:00
*** hrou has quit IRC14:00
morganfainbergsamueldmq: consul does clustering and handles the communication. I dont like reinventing the wheel doing it ourselves.14:02
morganfainbergsamueldmq: if we are doing self registration, etc, lets use software that has solved the hard problems.14:03
dstanekbknudson: i could try again and see what it comes out as14:03
morganfainbergdstanek: worth reducing our custom code if we can. :)14:04
*** mestery has joined #openstack-keystone14:04
*** amickus has quit IRC14:04
*** bknudson has quit IRC14:05
openstackgerritMarek Denis proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/20314214:07
openstackgerritMarek Denis proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/20314214:07
*** fangzhou has joined #openstack-keystone14:07
openstackgerrithenry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config  https://review.openstack.org/19197614:08
openstackgerritMarek Denis proposed openstack/keystone: Federation Identity Provider functional tests  https://review.openstack.org/20325814:10
dstanekmorganfainberg: i'll spike it for an hour today and see what i come up with14:10
*** richm has joined #openstack-keystone14:11
openstackgerrithenry-nash proposed openstack/keystone: Remove unused code in domain config checking  https://review.openstack.org/19405714:13
*** hrou has joined #openstack-keystone14:16
*** sigmavirus24_awa is now known as sigmavirus2414:16
openstackgerrithenry-nash proposed openstack/keystone: Remove unused code in domain config checking  https://review.openstack.org/19405714:16
*** ayoung has joined #openstack-keystone14:23
*** ChanServ sets mode: +v ayoung14:23
lbragstadraildo: quick question on your federation writeup. Did you have any initial issues with client.fed_token_id returning 401 when you use it to list projects?14:25
*** browne has joined #openstack-keystone14:27
marekddstanek: i think we should esuse most of the existing helper functions for functional test suite.14:27
marekdotherwise loads of code will be copy/pasta14:28
marekds/esuse/reuse14:28
*** jsavak has quit IRC14:28
*** alex_xu has quit IRC14:29
*** jecarey has joined #openstack-keystone14:30
*** david-lyle has quit IRC14:30
*** alex_xu has joined #openstack-keystone14:31
marekdlbragstad: any credentials i can use to login to your sp keystone?14:31
marekdlbragstad: i am interested in how mapping looks like for instance.14:31
*** jsavak has joined #openstack-keystone14:32
jiaxistevemar: Hello, are you here14:32
jiaxi?14:32
raildolbragstad: i think that you want to talk with rodrigods, not with me =P14:33
raildolbragstad: he is the federation guy14:33
*** fhubik is now known as fhubik_afk14:33
lbragstadraildo: ah, yes, you're right... sorry about that!14:33
raildolbragstad: np :)14:33
jiaxiThis bug can be fixed with only one line14:34
jiaxiShould I add unit test ?14:34
jiaxihttps://review.openstack.org/#/c/203312/14:34
rodrigodslbragstad, hmm don't remember having issues at that step14:35
*** jsavak has quit IRC14:36
*** fangzhou has quit IRC14:36
*** jsavak has joined #openstack-keystone14:37
dstanekmarekd: what helper functions?14:39
dstanekjiaxi: yes14:40
jiaxiThe whole test for /common/quota.py  will be 100s line.14:41
jiaxiat least14:41
stevemarjiaxi: yes, i'm around14:41
*** dguerri` is now known as dguerri14:42
jiaxistevemar, david  The unit test of openstackclient  is  terrible different from keystone14:42
jiaxiI feel the unit test of openstackclient is too difficult.14:42
*** piyanai has quit IRC14:42
dstanekjiaxi: i don't doubt it's different, but i think it should be done. without it may be hard to evaluate that there was really a problem and that the fix actually fixes it14:43
*** dguerri is now known as dguerri`14:43
jiaxistevemar:  maybe, I fix the bug.  The other person add unit test who have interest ?14:44
lbragstadtests should go in the same patch..14:44
dstaneki agree. if you are not interested in providing the tests someone may pick up the patch and work on it.14:45
jiaxidstanek: It's a little hard for me. I will listen to you. I will add the unit test tomorrow14:45
stevemarjiaxi: add one test for now? if it's exceptionally difficult we can skip it, but try adding one test for now14:46
dstanekjiaxi: if you disagree stevemar, dtroyer_zz could probably provide better guidance for that particular project14:47
*** topol has quit IRC14:47
jiaxihttps://review.openstack.org/#/c/200512/  please have a look at my patch set . Thank you...14:47
dstanekjiaxi: have my comments been addressed?14:48
jiaxidstanek: of course14:49
*** jsavak has quit IRC14:49
jiaxistevemar: I will add . It's deep night in China.14:49
*** bdossant has quit IRC14:50
jiaxistevemar: I will try to add unit test for all the common/quota.py.14:50
*** kiran-r has quit IRC14:51
*** bdossant has joined #openstack-keystone14:51
dstanekjiaxi: just focus on the specific case you are fixing14:51
*** fhubik_afk is now known as fhubik14:52
jiaxidstanek:  Okay.    https://review.openstack.org/#/c/200512/  This patch looks good now.14:53
*** btully has joined #openstack-keystone14:54
stevemardstanek: that patch is looking much better14:54
*** jsavak has joined #openstack-keystone14:55
dstanekstevemar: yeah, it's on my list :-)14:57
stevemarlbragstad: the patch is only for v2.014:57
lbragstadstevemar: right, but should we care about that behavior in v3?14:58
stevemarlbragstad: probably14:58
dstaneksince v2 is dead i would want to make sure v3 is taken care of14:59
lbragstaddstanek: ++14:59
*** jsavak has quit IRC15:00
jiaxiI will do it in v315:01
*** jsavak has joined #openstack-keystone15:01
jiaxiIn next fix15:01
lbragstadif you want it to be done in a separate patch, I'm fine with that. But if they go in separately, we should open a bug for the v3 side so it's not lost15:02
jiaxiI will do it now15:02
jiaxilbragstad : thank you15:03
lbragstadjiaxi: np15:03
*** hrou has quit IRC15:04
*** gus_ has joined #openstack-keystone15:06
*** afazekas_ has quit IRC15:08
lbragstadrodrigods: the auth_url that you use in your tests is the auth_url of the idp, right?15:08
*** kiran-r has joined #openstack-keystone15:09
*** edmondsw has quit IRC15:09
*** chlong has quit IRC15:09
*** jamiec has quit IRC15:09
*** gus has quit IRC15:09
*** jamielennox has quit IRC15:09
*** rm_work|away has quit IRC15:09
*** hogepodge has quit IRC15:09
*** flwang has quit IRC15:09
*** sudorandom has quit IRC15:09
*** bdossant has quit IRC15:10
jiaxihttps://bugs.launchpad.net/keystone/+bug/147672015:14
openstackLaunchpad bug 1476720 in Keystone "Openstack endpoint create with invalid url should be suppressed" [Undecided,New]15:14
*** bknudson has joined #openstack-keystone15:15
*** ChanServ sets mode: +v bknudson15:15
*** edmondsw has joined #openstack-keystone15:16
*** chlong has joined #openstack-keystone15:16
*** zzzeek has joined #openstack-keystone15:16
*** kiran-r has quit IRC15:16
*** jiaxi has quit IRC15:17
*** ParsectiX has quit IRC15:18
*** flwang has joined #openstack-keystone15:19
*** diazjf has joined #openstack-keystone15:19
pawel_ayoung: Could you explain me the following thing: I use python client to access keystone and at this point I can list users, etc. Now, I'm using api function tokens.revoke_token. I can see a new entry in the revocation_event table in the database. I would suspect that if I delete this entry from revocation_event table, I would be able to use the token in python client but it's not the case. It's worth noting that I have a15:22
ayoungpawel_, depends on if you have revoke by ID set or not.  If you do revoke by ID, then the revocation events are not used.15:23
*** afazekas has joined #openstack-keystone15:25
*** bdossant has joined #openstack-keystone15:26
pawel_ayoung: I did sth like: client.tokens.get_revoked("3b5d..."). Could you give me some hints where to start investigating what happens there?15:27
*** bdossant has quit IRC15:28
*** bdossant has joined #openstack-keystone15:35
*** jsavak has quit IRC15:35
*** hrou has joined #openstack-keystone15:36
*** david-lyle has joined #openstack-keystone15:38
*** jsavak has joined #openstack-keystone15:39
ayoungpawel_, config file.  See if you have revoke_by_id enabled15:42
rodrigodslbragstad, SP15:43
*** pnavarro_ has joined #openstack-keystone15:43
*** jsavak has quit IRC15:43
*** jsavak has joined #openstack-keystone15:44
pawel_ayoung: I have commented it out, so I guess it's true by default15:44
*** pnavarro has quit IRC15:47
marekdrodrigods: in your blog post15:51
marekdwhy do you add role assign between group and domain and later scope to a project?15:51
marekdsome inherited roles comes to the game here?15:51
rodrigodsmarekd, for the mapping to work, right?15:51
rodrigodsdon't remember the example in the top of my head15:52
marekdmapping, role assignments , everything.15:52
marekdrodrigods: it's here: http://rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/ :-)15:52
rodrigodsmarekd, hmm I think the intent was to have a inherited role assignment15:53
marekdrodrigods: that's what i thought.15:54
marekdrodrigods: so maybe you could change it and either specify that, or just create role assignment between group and project?15:54
marekdi suggest latter15:54
marekdso we don't confuse ppl even more.15:54
*** jasonsb has quit IRC15:56
rodrigodsmarekd, ++ will update the example15:57
marekdrodrigods: thanks15:57
rodrigodsmarekd, print('\nGrant role Member to group1 in domain1')16:00
rodrigodsclient.roles.grant(role1, group=group1, domain=domain1, os_inherit_extension_inherited=True)16:00
*** jistr has quit IRC16:04
*** jsavak has quit IRC16:04
*** jsavak has joined #openstack-keystone16:04
*** fhubik is now known as fhubik_afk16:05
*** gyee has joined #openstack-keystone16:08
*** ChanServ sets mode: +v gyee16:08
*** pnavarro_ has quit IRC16:12
*** _cjones_ has joined #openstack-keystone16:13
*** _cjones_ has quit IRC16:13
*** _cjones_ has joined #openstack-keystone16:14
*** dguerri` is now known as dguerri16:17
*** bknudson has quit IRC16:18
*** _cjones_ has quit IRC16:20
*** bdossant has quit IRC16:20
*** _cjones_ has joined #openstack-keystone16:24
*** bknudson has joined #openstack-keystone16:25
*** ChanServ sets mode: +v bknudson16:25
stevemarbknudson: poke16:25
bknudsonstevemar: what's up?16:25
bknudsonI can't find the nova meetup16:25
*** mgarza has joined #openstack-keystone16:25
bknudsonit's supposed to be around here somewhere.16:26
stevemarbknudson: finally got most of the tests passing, but can't seem to get the last few going, mind taking a look at the changes in keystone.tests ?16:26
stevemarhttps://review.openstack.org/#/c/195873/16:26
stevemarbknudson: ask mattR where he's hulking out16:26
stevemarbknudson: did we set up the nova midcycle in a closet?16:26
lbragstadstevemar: I bet the hulk can jump from rochester to canada, watch out!16:27
stevemarlbragstad: not like it's all that far16:27
bknudsonstevemar: you're getting all sorts of errors16:27
samueldmqayoung: hi, I've an interesting question to you :)16:27
raildobknudson: I only see this information about nova meetup: Where: IBM - 3605 US-52, Rochester, MN 5590116:28
stevemarbknudson: pretty sure this is what's screwing me over: https://review.openstack.org/#/c/195873/20/keystone/tests/unit/ksfixtures/cache.py16:28
stevemarbknudson: that change to cache.REGION really hurt :P16:28
stevemarraildo: that's where bknudson is every day!16:28
*** jlvillal has quit IRC16:29
raildostevemar: ops :P16:29
samueldmqayoung: our work must be synchronized with gyee's one, right ? what if I use an URL that is not even registered in keystone ? how does endpoint id discovery work ?16:29
samueldmqayoung: so the request will be rejected ? even if it had the right catalog, etc but the unknown URL was used ?16:30
raildois there a 9 3/4 door? :P16:30
*** jlvillal has joined #openstack-keystone16:32
bknudsonstevemar: does the test need to create a new region every time?16:33
bknudsonbecause oslo.cache doesn't provide a way to create a new region16:33
bknudsonthe tests are probably using the wrong region then16:34
bknudsonyour decorators would still be referencing the old global cache region16:34
*** david-lyle has quit IRC16:34
*** dguerri is now known as dguerri`16:34
*** diazjf has quit IRC16:38
*** bknudson has quit IRC16:39
*** dguerri` is now known as dguerri16:39
*** amick has joined #openstack-keystone16:40
*** roxanaghe has joined #openstack-keystone16:41
samueldmqgyee: hey you around ?16:41
ayoungsamueldmq, so if there were no endpoint_id set, it probably should get rejected if you can't map to a known endpoint id16:42
samueldmqayoung: so that would be rejected, and that maybe weird, isn't it ?16:42
ayoungyou are saying "enforce policy on this" but not providing enough information to enforce policy...default to deny16:42
ayoungsamueldmq, using dynamic policy thus has to be opt-in16:42
ayoungits what happens when this stuff is not clearly thought out at the start16:43
samueldmqayoung: so you enabled dynamic policy but didn't configure properly .. it's your fault16:43
samueldmqayoung: something like that ..16:43
ayoungyep16:43
samueldmqayoung: could endpoint enforcement from gyee by done by url ?16:43
samueldmqayoung: be done*16:43
ayoungsamueldmq, we just need to provide sufficient logging to make it clear what is happening, which is why I think we want the URL resolution in middleware....although I could see us doing the URL resolution in the server, and just returning a clear error message16:44
ayoungeither way16:44
ayoungsamueldmq, I don't think so,  I think it should probably be done by endpoint id, but I'm flexible there16:44
samueldmqayoung: so you look at the url from the request, and at the urls in token's catalog, right ?16:44
*** lhcheng has joined #openstack-keystone16:45
*** ChanServ sets mode: +v lhcheng16:45
*** e0ne has quit IRC16:45
samueldmqayoung: "who am I ? I am represented by any url who have came to me, I don't know why, but if it arrived to me, it's me" :)16:45
*** fhubik_afk is now known as fhubik16:45
samueldmqayoung: I think that sounds sane16:45
ayoungsamueldmq, heh.16:46
ayoungNot sure I am the right arbiter for what is "Sane" anymore16:46
samueldmqayoung: haha16:46
samueldmqayoung: I think gyee's work as well can be based on that ... just look at the url from the request and look at the catalog16:47
*** dguerri is now known as dguerri`16:47
samueldmqayoung: that should be all for his work16:47
ayoungsamueldmq, URL is probably the right abstraction for binding.16:47
*** bknudson has joined #openstack-keystone16:47
*** ChanServ sets mode: +v bknudson16:47
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587316:47
samueldmqayoung: although we should allow requests coming with a different URL, but with valid catalogs16:47
samueldmqayoung: seriously, I need more eyes on those things :(16:48
*** david-lyle has joined #openstack-keystone16:48
bknudsonThere's a lot more people at the nova meetup.16:49
bknudsontoo many16:49
samueldmqayoung: btw, the config in middleware should be endpoint_URLS16:49
*** browne has quit IRC16:49
samueldmqayoung: i.e multiple URLs, right ?16:49
samueldmqayoung: so we can get all the ids from different interfaces (and probably different urls)16:49
*** geoffarn_ has quit IRC16:49
samueldmqayoung: sounds correct ?16:50
bknudsonI'm afraid they're going to ask me about dynamic policies16:50
samueldmqayoung: cc ^16:50
ayoungbknudson, I'm here for now to field questions16:50
gyeesamueldmq, yes, reading16:50
bknudsonayoung: great16:50
ayoungbknudson, but only until 2:3016:50
ayoungbknudson, where is it?16:51
gyeesamueldmq, endpoint constraint should work with url as well16:51
bknudsonayoung: I see you posted your presentation16:51
ayoungbknudson, yep16:51
bknudsonayoung: it's here in rochester, mn16:51
gyeeit basically match the flatten catalog16:51
gyeewhatever's in there16:51
samueldmqgyee: nice, so no need to lookup the server, just look at the url from the request + catalog16:51
stevemarbknudson: why are you late?16:51
samueldmqgyee: agree ?16:51
bknudsonstevemar: I work.16:51
ayounggyee, yeah,  binding should work with either, but the endpoint needs to know which URLs to look for when enforcing policy16:51
gyeesamueldmq, it can lookup anything in the catalog :)16:51
bknudsonstevemar: I don't get to just decide what I want to do.16:52
ayoungthe fact that one server can match multiple endpoints is really kindof yucky16:52
gyeeservice, region, url, endpoint_id, etc16:52
ayoungsamueldmq, OK,  slight change of topic:16:52
samueldmqgyee: nice, but ...16:52
gyeeayoung, its just a rule someone need to create16:52
ayoungneed to kill global admin16:52
samueldmqgyee: what if one uses another url that is not registered in keystone ?16:52
ayoungsamueldmq, DENY16:52
samueldmqgyee: the service can be reached and the token is valid16:52
samueldmqayoung: is that acceptable ?16:52
samueldmqdstanek: cc ^16:52
gyeesamueldmq, ayoung's right, if its not in the catalog, deny access16:53
ayoungsamueldmq, it is correct.16:53
samueldmqok then, I just want to listen to you guys16:53
samueldmqI have no experience with deployments ;(16:53
samueldmqI mean real deployments16:53
gyeeusing oslo policy to enforce endpoint binding is awesome16:53
samueldmqthat was a concern from dstanek earlier today16:53
ayoungsamueldmq, ok,  so with the patch I posted yesterday, we can scratch off the last lingering reasons to have global admin for anything that can be project scoped;16:53
ayoungwe can recreate a delete project16:53
gyeenext step, enhance oslo policy to allow partial matches16:53
samueldmqgyee: it's already doing the policy overlay (under review, spec approved)16:54
samueldmqgyee: it just needs to do the endpoint binding enforcement16:54
ayoungthe real question is what to do about things that are not scoped to projects...cells and hypervisors in Nova,  and Roles, Policy etc in Keystone16:54
samueldmqayoung: nice go ahead16:54
ayoungso, in Keystone,  we should probably scope EVERYTHING16:54
samueldmqayoung: maybe that should be everywhere16:55
bknudsoneveryone has name tags here.16:55
ayoungwe make a root domain, and everything is in some subordinate of the root domain16:55
ayoungbknudson, dare you to write Puddin' Tame on yours16:55
ayoungsamueldmq, https://review.openstack.org/#/c/203852/  BTW,  you should look at16:55
ayoungsamueldmq, I think is "should" be everywhere, but that is a huge barrier...we need something we can shim on top of the current deployment to make things work16:56
*** diazjf has joined #openstack-keystone16:56
ayoungI was wondering if "scoped to endpoint"  would confuse people, especially with gyee's work;  a way of saying a token is for admin tasks on an endpoint...I don't love the idea, and it would be an API change in Keystone.16:57
ayoungwe could treat regions, services, and endpoints all as a sort of project16:57
ayoungand allow anything to be scoped under there...it would work nicely with the namespaced roles that henrynash was pushing for16:58
gyeeayoung, scoped to an endpoint is opposite of my work16:58
samueldmqayoung: I don't like the idea, maybe I don't have the right usecase16:58
ayounggyee, I know, that is why I was worried about confusion16:58
samueldmqayoung: scoping endpoints already has its api, that's the endpoint_filtering thing16:58
samueldmqthat's my understanding16:58
ayoungsamueldmq, use case is "create hypervisor"16:59
ayoungor "upload policy"16:59
ayoungthis is "do something that is specific to this endpoint"16:59
ayoungnot to a resource inside a project16:59
*** jsavak has quit IRC16:59
ayounghow do we implicit scope all the calls that are out there now16:59
samueldmqayoung: so get a token to an endpoint ?16:59
samueldmqayoung: like scoped to an endpoint16:59
ayoungsamueldmq, you tried writing a global policy file.  Imagine you wanted to say "no global admin" in that...how would you scope calls to create_cell or something17:00
ayoungsamueldmq, yeah;  scoped to the implicit admin_project for that endpoint17:00
ayoungand...something we can do without requiring the end users edit their policy files17:01
*** jasonsb has joined #openstack-keystone17:01
samueldmqayoung: actually we can create a role called endpoint_admin and assign it in the (domain?)17:01
ayoungsomething to replace is_admin....17:01
ayoungassign it in what domain?  There is no domain or project, yet...17:01
samueldmqayoung: so for the policy crud we only do RBAC check, i.e check for role:endpoint_admin17:01
ayoungright...we need to fix that17:01
ayoungsamueldmq, but fixing it in Keystone is easy.  Fixing it in all the other endpoints out there is hard17:02
gyeebknudson, who do we need to blackmail to merge your py3 fixes?17:02
samueldmqayoung: would you be ok with simply enforcing the endpoint constraint by the URL from the request against the catalog (no request to keystone)?17:02
samueldmqayoung: errr, I meant gyee ^17:02
ayoungsamueldmq, so gyee 's constraint say "this token can only be used on this endpoint" but what I am looking for is "this token is scoped to perform administrative operations on this endpoint"17:03
samueldmqayoung: yes I agree, there are too many things to be fixed in policy17:03
ayoungok...let's assume we can inject the endpoint id into the policy check...somehow17:03
*** jsavak has joined #openstack-keystone17:03
ayoungwe still need a scope that makes sense17:03
ayoungwhat if...we say each endpoint is implicitly a project...or at least acts like one17:04
gyeeayoung, it would be hard to separate out the "administrative operations" from other operations right?17:04
ayoungtreat it as a custom resource backend17:04
gyeehow would you distinguish them?17:04
ayounggyee, so this would require a change on the projects stock policy files.17:04
bknudsonthere's a lack of understanding of hierarchical multitenancy here.17:05
gyeebut admin operations are deployment-specific right? the scope of admin may be different from deployment to deployment17:05
ayounghttp://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n21917:05
bknudsondo we have any presentations?17:05
ayoungbknudson, improvise.  Find a white board and a marker, get someone to record and presto---instant presentation17:06
gyeehah17:06
gyeebetter than powerpoint17:07
bknudsonI would have to guess since I don't know what it looks like in the token17:07
bknudsonplus it seems to be in progress17:07
samueldmqayoung: just left a review on 20385217:08
gyees/pro/di/17:08
samueldmqayoung: sounds good overall, just some small comments17:08
ayoungsamueldmq, thanks.  One thing that it makes me convinced of, however, is that we need to avoid "magic" project ids that mean something.  We could not, say, make the root domain always have an id of "1"17:09
samueldmqraildo: htruta ^ do you have a presentation on HMT to let bknudson show it in nova meetup?17:10
*** htruta_ has joined #openstack-keystone17:10
*** spandhe has joined #openstack-keystone17:10
raildosamueldmq: I have some presentations in the google drive, I can share with him17:11
raildobknudson: samueldmq or the post blog http://raildo.me/hierarchical-multitenancy-in-openstack/17:11
samueldmqbknudson: raildo thanks ^17:11
stevemarbknudson should rebel against the man, and decide his own work17:11
samueldmqayoung: I understand your usecase and that makes sense ... but let's solve that as a separate thing :)17:11
samueldmqayoung: we already have too much to deal with, and that is an independent thing17:12
samueldmqayoung: if that makes sense to you17:12
ayoungsamueldmq, so,  the whole dynamic policy thing hinges on scoping everything, as that will kill global admin and solve 96869617:12
ayoungits actually the more important problem to solve17:12
ayoungdynamic was the only way I could see to solve it in the past17:12
samueldmqayoung: so why are we even doing the distribution now ?17:12
samueldmq:(17:12
ayoungsamueldmq, because the distribution might be the only solution17:13
ayoungI'm still kindof convinced that to be the case17:13
ayoungbut if we can get something that works by modifying the stock policies...we will actually speed up the adoption of dynamic17:13
samueldmqayoung: k17:14
bknudsonraildo: thanks17:14
ayoungsamueldmq, this is how these things work;  you realize there is a problem..you push at it, break it down to smaller problems...expose the softer and harder aspects to solve.17:14
samueldmqayoung: btw, why don't we just get the policy by url ? endpoint enforcement by url, etc ?17:14
*** ankita_wagh has joined #openstack-keystone17:14
samueldmqayoung: we don't even need the ids ..17:14
bknudsondoes the token contain the project hierarchy?17:14
samueldmqayoung: that sounds like circles in my mind17:14
bknudsonhow is nova supposed to use it?17:14
ayoungsamueldmq,  heh...I'd tend to agree, but the existing tooling is all build around ids17:15
ayoungbknudson, token does not17:15
ayoungbknudson, nova has a shadow copy of it17:15
ayoungraildo, htruta how does the HMT hierarchy get synced to nova?17:15
samueldmqbknudson: ayoung it needs to ask keystone for the hierarchy I suppose, that's how quota guys are doing17:15
samueldmqericksonsantos: ^ right ?17:16
ericksonsantossamueldmq, yes17:16
bknudsonauth_token middleware fetches the hierarchy?17:16
ericksonsantosbknudson, for now it is the service17:16
bknudsonthe token doesn't even know if the project is in a hierarchy, so if you're not using it you still pay the overhead?17:17
raildoayoung: the nova needs to request the hierarchy in the keystone client17:17
ayoungbknudson, is it in every call?17:17
rodrigodsGET /projects?subtree_as_ids or ?parents_as_ids17:17
ericksonsantosayoung, yes, it would be better if we have this info already in the token17:18
raildoayoung: there is a patch to do this: https://review.openstack.org/#/c/200941/2/nova/quota.py17:18
ayoungericksonsantos, heh...that is a lot of payload in each token17:18
ayoungshould be fetched and cached...17:18
ayoungwe need a general purpose caching strategy...but I'm not going to write it yet17:19
rodrigodsthe hierarchy with ids17:19
rodrigodsisn't too much information17:19
ericksonsantosrodrigods, ++17:19
rodrigodsand we could use the ?nocatalog approach17:19
rodrigods(but... that's for M)17:19
dstanekrodrigods: it is if you need it in the token17:20
*** lsmola has quit IRC17:20
rodrigodsdstanek, why? it is not even close to the overhead caused by the service catalog (in an average case)17:20
bknudsonrodrigods: I agree, doesn't seem like having 2-5 ids in the token is that much.17:21
dstanekrodrigods: i don't think anyone would let an arbitrarily long lists of IDs get into fernet tokens17:21
samueldmqdstanek: you mean like .. request a token with hierarchical info if you're going to perform hierarchical operations (quotas updates?)17:21
bknudsonyou can configure the size of the hierarchy in keystone17:21
bknudsonhow about a /v3/auth/project_hierarchy?17:22
rodrigodsI believe it makes sense to discuss something for M17:22
rodrigodsand today... nova needs to request the hierarchy via  GET /projects?subtree_as_ids or ?parents_as_ids17:23
ayoungI think the real question is "why does nova need to know the hierarchy"17:23
*** aix has quit IRC17:23
ayoungI suspect that having it in middleware is the wrong levle\17:23
ayounglevel17:23
ayounghierarchy should be mostly an authorization tool, and only necessary for Nova on the Quota calls17:24
ayoungwho really owns the hierarchy?17:24
rodrigodsa parent owns its subtree17:24
bknudsonis that all hmt will ever be used for?17:24
ericksonsantosand Cinder17:24
bknudsonquotas?17:24
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Fetch and Cache  https://review.openstack.org/13465517:24
rodrigodsbknudson, there is the delete/update hierarchy side as well (in keystone)17:24
rodrigodsbut mostly quotas, I believe17:25
raildobknudson: for now, i believe so...17:25
samueldmqbknudson: maybe it's the only application we see today for HMT on other services17:26
samueldmqbknudson: keystone side there are N advantages, like project organization, etc17:26
bknudsonso on keystone we've got role assignments that are inherited?17:27
samueldmqbknudson: maybe limiting an image to be seen across a certain hierarchy in the future ?17:27
*** piyanai has joined #openstack-keystone17:27
samueldmqbknudson: yes, we already had them from domains, and now it's possible to have inherited role assignments on projects17:27
ayoungthere are requests to be able to list all resources in a project and subordinate projects17:28
raildobknudson: yes, we can inherit a role assignment in a parent project to a subhierarchy17:28
*** mylu has quit IRC17:28
bknudsonok, I can probably describe this to nova folks and make it clear how it works17:28
raildobknudson: thanks!17:29
bknudsonso one question they brought up17:29
bknudsonthe change was removing the check that token.project_id matches URL project_id17:29
bknudsonis that check now supposed to check all the projects up the hierarchy?17:29
raildobknudson: we are working to not remove this check...17:29
bknudsontoken.project_hierarchy matches URL project_id ?17:29
*** mylu has joined #openstack-keystone17:30
raildobknudson: we are trying to create a solution to use a target project17:30
raildobknudson: and we can verify if this project is a subproject for the project in the token17:30
bknudsonnova meetup group doesn't go out to fancy lunches17:30
*** mylu has quit IRC17:32
*** mylu has joined #openstack-keystone17:32
raildoCan you ask the nova folks if they like this solution? it's very similar to other cases in nova.17:33
raildobknudson: ^17:33
bknudsonraildo: what17:34
bknudsonwhat's the other cases?17:34
raildobknudson: like: /v2/{tenant_id}/os-quota-sets/{tenant_id}17:34
raildothe second {tenant_id} is the target project17:34
raildowe want to do the same to update quota to a subproject17:34
bknudsoninteresting. I'll try to steal some time to do a quick pres.17:35
bknudsonmight be tomorrow17:35
raildobknudson: thanks a lot17:35
*** browne has joined #openstack-keystone17:36
dstanekraildo: do those checks against the target tenant_id happen on the client side?17:36
*** jsavak has quit IRC17:36
bknudsonis there policy support for hierarchical tenants?17:37
bknudsonmaybe all the quota stuff is happening after policy17:37
*** jsavak has joined #openstack-keystone17:37
rodrigodsdstanek, nova requests the base project hierarchy and checks if the target project is there17:38
ayoungsamueldmq, what if we said that every endpoint, service, and region was a project, nested via HMT.  Then, to perform an admin action, you request a token scoped to the project-for-the-endpoint17:39
ayoungthey happen to have the same id...17:39
dstanekrodrigods: that URL "/v2/{tenant_id}/os-quota-sets/{tenant_id}" is that a keystone URL or nova URL?17:39
ayoungif you have a role on the region, you get it for the endpoints in the region via the HMT rules17:39
rodrigodsdsirrine, nova URL17:39
ericksonsantosdstanek, i think it is a nova URL17:40
samueldmqbknudson: for now there are no hierarchical checks in the policy (like checking parents etc) if that's your question17:40
ayoungand we use the same mechanism we are using for dynamic policy/endpoint binding  to check the scope.17:40
samueldmqayoung: well .. so I could create an instance in a service ? so a nova instance on glance service17:40
dstanekericksonsantos: ok, then i am much more comfortable with it...i didn't want nova to be parsing keystone urls to find a tenant_id17:40
samueldmqayoung: that sounds crazy17:40
ayoungsamueldmq, it would be just another project17:40
dstaneksamueldmq: so crazy it just may work or so crazy that ayoung needs to find a hobby?17:41
samueldmqayoung: I think this is going to be very confusing :(17:41
ayoungjust that an additional class of resources would be acceptable for only that project17:41
ayoung"anything that manages resources is a proejct"17:41
ayoung"anything that manages resources is a project"17:41
raildobknudson: the project_id check happen here: https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L804 to every nova api call17:41
bknudsonso you want to support setting the quotas for groups of projects?17:41
*** pnavarro_ has joined #openstack-keystone17:42
samueldmqdstanek: prefer to not answer hehe :) ayoung has too many ideas to completely change the world o/17:42
samueldmqayoung: what if there were role assignments to endpoints ?17:42
bknudsonwhat's the new API for setting quota on group of projects?17:42
*** btully has quit IRC17:43
samueldmqayoung: to perform management operations on that endpoint ? is there a case for service/region ?17:43
samueldmqayoung: maybe just endpoint ..17:43
rodrigodsbknudson, don't think so17:43
raildobknudson: it's to a subproject... for each call17:43
rodrigodsjust in a single project per request17:43
*** rletrocquer has quit IRC17:44
bknudsonthe project and all its children17:44
bknudsonright/17:44
bknudsonright/17:44
bknudsonright?17:44
ericksonsantosbknudson, yes17:44
raildobknudson: yes17:44
bknudsonso it's on the enforcing side that you need to know the hierarchy.17:45
bknudsonthe bookkeeping17:45
ericksonsantosbknudson, yes17:45
rodrigodsbknudson, yes17:45
raildobknudson: you're ready to implement hmt + reseller with us \o/17:46
*** fangzhou has joined #openstack-keystone17:46
ayoungsamueldmq, service /region would be just for role assignments.  You would still get a token specific to the project for the endpoint you want to talk to directly17:46
bknudsonso one of the changes was removing the check for target project_id == token project_id ; why does that need to happen?17:46
*** diazjf has quit IRC17:47
*** piyanai has quit IRC17:47
raildobknudson: if this new call, we don't need to change this17:47
bknudsonsince you can set the quota on the project17:47
samueldmqayoung: I was saying tokens scoped to endpoints .. so that means to perform management operations on that endpoint17:47
ayoungsamueldmq, you are correct17:47
samueldmqayoung: things puppet would do (as policy fetch ? )17:47
ayoungsamueldmq, only operations via and API17:47
ayoungsamueldmq, only operations via an API17:48
samueldmqayoung: so the way I was proposing it would be to explicitly request a token scoped to an endpoint, and have role assignments to it, etc17:48
samueldmqayoung: in the future17:48
samueldmqayoung: yes only via API (controlled by the policy, and then using the endpoint scoped token)17:48
*** bitblt has joined #openstack-keystone17:48
raildowith the current API call for quota, we can only change the quota to the project in the context, we can't update quota to another project17:48
raildobknudson: so, that's why we want to add the "target project" in the api call, and you will be able to update the quota to a subproject17:49
raildowith a token scoped to a parent project17:49
ayoungsamueldmq, "this token can only be used on this endpoint"  is different from "this token can only be used for administrative actions on this endpoint"  gyee is working on the first, I want to get to the second17:49
raildobknudson: and without removing this check17:50
bknudsonI thought the API was /v2/{tenant_id}/osquota-sets/{tenant_id}17:50
bknudsonso you can set the quota for a different project17:50
*** mylu has quit IRC17:50
raildobknudson: it's just an example, we want to do something similar to this17:51
*** bitblt has quit IRC17:51
raildolet me find the current call17:51
bknudsonif you remove that check are you adding the check for project hierarchy elsewhere?17:51
samueldmqayoung: yeah gyee is working on ensuring the tokens are used in the place they are supposed to17:51
*** bitblt has joined #openstack-keystone17:51
rodrigodscurrently it is /v2.1/os-quota-sets/{tenant_id} (in nova)17:51
*** amakarov_away is now known as amakarov17:51
samueldmqayoung: you want tokens to perform administrative operations they're supposed to17:51
raildobknudson: no, we will not change the check17:52
samueldmqayoung: using that first, of course17:52
openstackgerrithenry-nash proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720217:52
raildobknudson: at first we thought of removing this check, but after rethinking the design, we decided to create a new api call to update a subproject (/v2.1/os-quota-sets/{project_id}/target/{subproject_id})17:53
bknudsonraildo: the new API sounds safer17:54
raildobknudson: so, we don't need to change any nova check (or in other service)17:54
rodrigodsbknudson, ++17:54
raildobknudson: ++17:54
*** geoffarnold has joined #openstack-keystone17:54
*** markvoelker has joined #openstack-keystone17:55
bknudsonbut also means you're going to need new API for every HMT operation ?17:55
henrynashsamueldmq: I fixed up a few comments etc. in https://review.openstack.org/13720217:55
samueldmqhenrynash: just saw .. feel free to change L817 in assignment/core.py17:55
samueldmqhenrynash: the use of f() as a function, I agree that's confusing17:55
samueldmqhenrynash: thanks very much!17:55
raildobknudson: I don't think so... the problem here, is in the quota actions, I need to handle with a project that is not my project scoped token17:56
rodrigodsbknudson, that is not only for HMT17:56
raildorodrigods: yes, it happens with other operations in nova, and other services like cinder17:57
stevemarlast minute reminder to add to the keystone meeting agenda https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting17:57
*** bitblt has quit IRC17:58
henrynashstevemar: already sneaked one in….17:58
*** bitblt has joined #openstack-keystone17:58
openstackgerrithenry-nash proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720217:58
gyeesamueldmq, ayoung, and yeah, my patch is now officially depending on bknudson's py3 patches17:59
dstaneki'm not going to be in my office for the whole meeting, but i'm going to try to keep up17:59
henrynashsamueldmq: done!17:59
gyeecause jenkins is broken right now for keystonemiddleware17:59
ayoungwe meeting today?17:59
stevemaryep17:59
*** mylu has joined #openstack-keystone17:59
ericksonsantosraildo, yes, in cinder we have to pass the ID for the tenant for which we want to show, update, or delete quotas.17:59
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687018:00
bknudsonI feel like we were meeting all last week.18:00
ericksonsantosmaybe nova has to do that too18:00
raildoericksonsantos: ++18:00
lbragstadbknudson: ++18:00
lbragstadweek long meetings!18:00
dstanekbknudson: that was just an excuse for fancy lunches18:00
samueldmqhenrynash: thanks ! :)18:00
henrynashwe want more meetings…we live for them...18:00
*** piyanai has joined #openstack-keystone18:02
*** boris-42 has joined #openstack-keystone18:02
*** mylu has quit IRC18:06
*** jsavak has quit IRC18:07
*** jsavak has joined #openstack-keystone18:08
*** mylu has joined #openstack-keystone18:09
openstackgerritRichard Megginson proposed openstack/keystone: add federation docs for mod_auth_mellon  https://review.openstack.org/19808318:10
*** fhubik has quit IRC18:10
*** rm_work|away has joined #openstack-keystone18:12
*** rm_work|away is now known as rm_work18:12
*** rm_work has quit IRC18:12
*** rm_work has joined #openstack-keystone18:12
*** sudorandom has joined #openstack-keystone18:13
*** jamielennox has joined #openstack-keystone18:15
*** ChanServ sets mode: +v jamielennox18:15
*** htruta_ has quit IRC18:16
*** jamielennox is now known as jamielennox|away18:16
*** TheIntern has joined #openstack-keystone18:17
*** btully has joined #openstack-keystone18:19
*** diazjf has joined #openstack-keystone18:19
*** david-lyle has quit IRC18:21
*** jamielennox|away is now known as jamielennox18:23
bknudsonthey're doing a google hangout here for remote participant18:23
*** btully has quit IRC18:23
*** ayoung has quit IRC18:36
*** piyanai has quit IRC18:37
*** hogepodge has joined #openstack-keystone18:38
*** piyanai has joined #openstack-keystone18:42
*** piyanai has quit IRC18:42
*** amick has quit IRC18:44
*** mylu has quit IRC18:45
*** mylu has joined #openstack-keystone18:51
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Unified delegation spec  https://review.openstack.org/18981618:52
*** mylu has quit IRC18:52
*** jecarey has quit IRC18:57
marekdrodrigods: raildo samueldmq: wasn't your colleague working on puppet module for federation?18:59
samueldmqiurygregory: cc ^18:59
gyeewho signed up for devstack k2k work last week? I can't seem to remember19:00
dolphmlbragstad: ^ ?19:00
iurygregoryhi marekd i'm creating a module for puppet keystone =)19:00
*** geoffarnold has quit IRC19:00
samueldmqgyee: I'll implement the getting endpoint_ids from url by looking up the catalog19:01
gyeesamueldmq, sounds good19:01
samueldmqgyee: as we kind of agreed on that already at midcycle (*I think*)19:01
morganfainbergdstanek: so let's plan a meeting so we can plan meetings19:02
morganfainbergdstanek: easy, right?19:02
gyeetongue twister19:03
dstanekmorganfainberg: what's wrong with that?19:03
*** mylu has joined #openstack-keystone19:03
morganfainbergdstanek: noooooothhhhhinnnng19:03
samueldmqmorganfainberg: sounds good, we should send a ml message to schedule that first19:03
*** tsymancz1k has left #openstack-keystone19:03
*** e0ne has joined #openstack-keystone19:04
*** bknudson has quit IRC19:06
lbragstadgyee: dolphm o/19:10
gyeelbragstad, sorry I have to run, let's chat about getting k2k to devstack later19:11
*** gyee has quit IRC19:11
lbragstadI don't think I signed up for anything, but marek did just help me figure out the last couple kinks in deploying K2K from source with ansible19:11
lbragstadaww.... he left...19:11
dolphmit's bedtime for him!19:12
*** TheIntern has quit IRC19:13
*** ankita_wagh has quit IRC19:14
*** amit213 has quit IRC19:14
lbragstaddolphm: ^ I did get ansible to deploy k2k federation in one shot, sets up the sp and idp then the test_federation_exercises.py confirms you can get a SAML assertion, unscoped federated token, and then scope it19:14
*** amit213 has joined #openstack-keystone19:14
lbragstaddolphm: need to clean it up, a lot... but it works19:14
dolphmlbragstad: badass19:15
*** geoffarnold has joined #openstack-keystone19:15
lbragstadvery..19:15
* lbragstad is ready for beers19:15
* lbragstad owes marekd plenty of beers 19:15
*** mylu has quit IRC19:20
*** TheIntern has joined #openstack-keystone19:20
*** mylu has joined #openstack-keystone19:21
*** pawel__ has joined #openstack-keystone19:21
*** mylu has quit IRC19:22
*** tsymanczyk has joined #openstack-keystone19:24
*** mylu has joined #openstack-keystone19:24
*** jecarey has joined #openstack-keystone19:26
*** david-lyle has joined #openstack-keystone19:34
*** tsymanczyk is now known as Guest930219:34
*** piyanai has joined #openstack-keystone19:38
*** jecarey_ has joined #openstack-keystone19:40
*** mylu has quit IRC19:45
*** ayoung has joined #openstack-keystone19:47
*** ChanServ sets mode: +v ayoung19:47
*** mylu has joined #openstack-keystone19:47
openstackgerritSteve Martinelli proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587319:48
*** thedodd has joined #openstack-keystone19:50
*** stevemar has quit IRC19:51
*** jsavak has quit IRC19:52
*** jecarey_ has quit IRC19:54
*** jecarey has quit IRC19:54
*** jecarey has joined #openstack-keystone19:54
*** piyanai has quit IRC19:55
samueldmqayoung: so we get the endpoint_ids based on the requested URL (from wsgi) and in the token's catalog19:55
*** piyanai has joined #openstack-keystone19:55
samueldmqayoung: I saw you abandoned your 'endpoint_ids from url' change19:56
*** pnavarro_ has quit IRC19:57
*** pawel__ has quit IRC19:57
*** pauloewerton has joined #openstack-keystone19:58
samueldmqhenrynash: you around ?19:58
*** bitblt has quit IRC19:58
samueldmqhenrynash: oh nvm, I thought your -1 in change #199844 was due to the midcycle decision19:59
samueldmqhenrynash: which is what I am trying to learn more from :)19:59
*** lmtaylor1 has joined #openstack-keystone20:02
*** lmtaylor1 has left #openstack-keystone20:02
*** Guest9302 has left #openstack-keystone20:02
*** e0ne has quit IRC20:02
*** tsymanczyk_ has joined #openstack-keystone20:03
ayoungsamueldmq, I think I made it -1 WIP20:03
ayoungsamueldmq, and...meeting20:03
*** mylu has quit IRC20:03
samueldmqayoung: I'd like to see what the solution to resolve ids from urls would look like20:04
samueldmqayoung: as will be my next implementation step20:04
samueldmqayoung: I mean the details ... what get from the catalog/server, etc. I know the general direction20:04
*** ayoung is now known as ayoung-mtg20:04
ayoung-mtgsamueldmq, short answer...same approach, just calculated in the client, not server...we can do either20:05
samueldmqayoung-mtg: yeah, but we can't get the whole list of ids from the client (based on the catalog, which may not contain all the endpoint ids)20:06
samueldmqayoung-mtg: and the policy may be associated with the missing endpoint_id20:06
samueldmqayoung-mtg: so we need to go to the server anyhow20:06
*** btully has joined #openstack-keystone20:07
*** btully has quit IRC20:12
samueldmqdoes regions own services ? or do service have regions ?20:13
samueldmqs/does/do20:13
*** jsavak has joined #openstack-keystone20:14
*** TheIntern has quit IRC20:18
*** ankita_wagh has joined #openstack-keystone20:24
*** e0ne has joined #openstack-keystone20:27
*** jsavak has quit IRC20:27
*** jsavak has joined #openstack-keystone20:28
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystoneauth: Fix service_type default value in url_for method  https://review.openstack.org/20425320:29
*** amick has joined #openstack-keystone20:35
*** _cjones_ has quit IRC20:38
*** _cjones_ has joined #openstack-keystone20:38
*** piyanai has quit IRC20:39
morganfainbergayoung-mtg: fyi- deferred, but by next week - comments or accept or comments and accept.20:40
ayoung-mtgmorganfainberg, thanks.20:40
morganfainbergayoung-mtg: since no one said deny.20:40
*** piyanai has joined #openstack-keystone20:45
*** e0ne has quit IRC20:48
*** diazjf has left #openstack-keystone20:51
*** stevemar has joined #openstack-keystone20:52
*** ChanServ sets mode: +v stevemar20:52
*** amick has left #openstack-keystone20:53
*** amick has joined #openstack-keystone20:54
*** amick is now known as amickus20:55
*** diazjf has joined #openstack-keystone20:55
*** stevemar has quit IRC20:55
samueldmqmorganfainberg: http://paste.openstack.org/show/397098/20:56
*** tsymanczyk_ is now known as tsymanczyk20:58
*** raildo has quit IRC20:58
*** diazjf has quit IRC20:59
*** piyanai has quit IRC21:04
*** e0ne has joined #openstack-keystone21:14
*** diazjf has joined #openstack-keystone21:15
*** e0ne has quit IRC21:15
*** e0ne has joined #openstack-keystone21:16
*** ayoung-mtg is now known as ayoung21:20
ayoungsamueldmq, if the catalog does not have enough information in it to determine the endpoint id,  DENY21:21
*** amakarov is now known as amakarov_away21:21
ayoungsamueldmq, http://paste.openstack.org/show/397098/  looks right on21:21
henrynashsamueldmq: sorry, missed your question from earlier?21:24
*** stevemar has joined #openstack-keystone21:25
*** ChanServ sets mode: +v stevemar21:25
ayoungsamueldmq, I think I have a solution21:28
ayoungthe authtoken section of the conf file has21:28
ayoungadmin_tenant_name = service21:28
ayoungnow, that is v2,  and v3 would have domain in there as well21:28
ayoungso...we can scope the tokens for cell and hypervisors etc to that21:28
ayoungsamueldmq, the real issue is whether the config is available to enforce policy.  I think it is21:29
*** jecarey has quit IRC21:30
*** e0ne has quit IRC21:33
*** dguerri` is now known as dguerri21:37
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062421:40
*** dguerri is now known as dguerri`21:41
*** jsavak has quit IRC21:43
*** piyanai has joined #openstack-keystone21:44
*** stevemar has quit IRC21:48
*** pauloewerton has quit IRC21:48
*** stevemar has joined #openstack-keystone21:48
*** ChanServ sets mode: +v stevemar21:48
*** piyanai has quit IRC21:53
*** diazjf has quit IRC21:53
*** henrynash has quit IRC21:54
*** btully has joined #openstack-keystone21:55
*** sigmavirus24 is now known as sigmavirus24_awa21:57
*** mestery has quit IRC22:00
*** btully has quit IRC22:00
*** kragniz has quit IRC22:01
*** piyanai has joined #openstack-keystone22:01
*** dims_ has quit IRC22:01
*** kragniz has joined #openstack-keystone22:02
*** roxanaghe has quit IRC22:02
*** diazjf has joined #openstack-keystone22:02
*** dsirrine has quit IRC22:07
*** edmondsw has quit IRC22:07
*** dsirrine has joined #openstack-keystone22:09
*** odyssey4me has quit IRC22:11
*** odyssey4me has joined #openstack-keystone22:14
*** piyanai_ has joined #openstack-keystone22:22
*** piyanai has quit IRC22:23
*** piyanai_ is now known as piyanai22:23
*** mgarza has quit IRC22:24
*** gordc has quit IRC22:33
*** piyanai has quit IRC22:53
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/20430023:13
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/19725423:13
*** thedodd has quit IRC23:13
*** thedodd has joined #openstack-keystone23:14
*** thedodd has quit IRC23:18
*** stevemar has quit IRC23:20
*** stevemar has joined #openstack-keystone23:21
*** ChanServ sets mode: +v stevemar23:21
*** boris-42 has quit IRC23:22
*** stevemar has quit IRC23:25
*** david-lyle has quit IRC23:28
*** diazjf has quit IRC23:32
*** shaleh has joined #openstack-keystone23:48
*** jiaxi has joined #openstack-keystone23:48
jiaxidstanek,23:50
jiaxidstanek, are you here ?23:50
*** ankita_wagh has quit IRC23:50
*** ctracey has quit IRC23:53
*** gyee has joined #openstack-keystone23:54
*** ChanServ sets mode: +v gyee23:54
*** ctracey has joined #openstack-keystone23:55
*** ankita_wagh has joined #openstack-keystone23:55
