Friday, 2015-08-14

« Thursday, 2015-08-13 Index Saturday, 2015-08-15 »
*** topol has quit IRC00:01
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for httpclient.USER_AGENT  https://review.openstack.org/20583300:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for Session.get_token()  https://review.openstack.org/20581700:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create HTTPClient without session  https://review.openstack.org/20583200:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Update deprecation text for Session properties  https://review.openstack.org/19151100:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create v2_0 Client without session  https://review.openstack.org/20582000:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create v3 Client without session  https://review.openstack.org/20582200:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for CredentialManager data argument  https://review.openstack.org/20582500:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate ServiceCatalog(region_name)  https://review.openstack.org/20580900:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for UserManager project argument  https://review.openstack.org/20582600:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate ServiceCatalog.get_urls() with no attr  https://review.openstack.org/20581000:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create Discover without session  https://review.openstack.org/20582900:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate use of cert and key  https://review.openstack.org/20581300:02
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for Session.construct()  https://review.openstack.org/20581200:02
*** stevemar has joined #openstack-keystone00:02
*** ChanServ sets mode: +v stevemar00:02
*** jamielennox is now known as jamielennox|away00:05
openstackgerritBrant Knudson proposed openstack/keystone: Remove deprecated methods from assignment.Manager  https://review.openstack.org/21017400:06
*** jamielennox|away is now known as jamielennox00:07
*** geoffarnold has quit IRC00:08
*** arunkant_ has left #openstack-keystone00:09
*** jamielennox is now known as jamielennox|away00:10
*** spandhe has quit IRC00:10
*** geoffarnold has joined #openstack-keystone00:17
*** mylu has joined #openstack-keystone00:21
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** jamiec has quit IRC00:23
*** charz has quit IRC00:28
*** ankita_w_ has joined #openstack-keystone00:28
*** jamiec has joined #openstack-keystone00:30
*** _cjones_ has quit IRC00:31
*** charz has joined #openstack-keystone00:32
*** ankita_wagh has quit IRC00:32
*** ankita_w_ has quit IRC00:32
openstackgerritMerged openstack/keystoneauth-saml2: Updated from global requirements  https://review.openstack.org/21089300:37
*** geoffarnold has quit IRC00:38
openstackgerritMerged openstack/keystoneauth-saml2: Activate pep8 check that _ is imported  https://review.openstack.org/20922700:38
*** mylu has quit IRC00:39
*** gildub has quit IRC00:50
*** markvoelker has joined #openstack-keystone00:51
*** markvoelker has quit IRC00:56
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/21274400:56
*** fangzhou has joined #openstack-keystone01:02
*** davechen has joined #openstack-keystone01:18
*** ankita_wagh has joined #openstack-keystone01:27
openstackgerritDave Chen proposed openstack/keystone: Improve a few random docstrings  https://review.openstack.org/21102301:43
*** markvoelker has joined #openstack-keystone01:43
*** browne has quit IRC01:48
*** markvoelker has quit IRC01:48
*** raildo-afk is now known as raildo01:52
*** narengan has joined #openstack-keystone02:01
*** fangzhou has quit IRC02:04
*** jamielennox|away is now known as jamielennox02:08
*** ankita_w_ has joined #openstack-keystone02:09
*** Ephur has quit IRC02:11
*** ankita_wagh has quit IRC02:13
*** ngupta has joined #openstack-keystone02:17
*** boris-42 has quit IRC02:20
*** topol has joined #openstack-keystone02:22
*** ChanServ sets mode: +v topol02:22
*** jasonsb has joined #openstack-keystone02:23
*** claudiub has quit IRC02:25
*** lhcheng has quit IRC02:27
*** gyee_500 has quit IRC02:29
*** samleon has quit IRC02:31
openstackgerritMerged openstack/keystone: Fix typo in doc-string  https://review.openstack.org/21188102:37
*** topol_ has joined #openstack-keystone02:37
*** ChanServ sets mode: +v topol_02:37
openstackgerritMerged openstack/keystone: Fix the misspelling  https://review.openstack.org/21187602:39
*** topol has quit IRC02:41
*** zzzeek has joined #openstack-keystone02:41
*** mylu has joined #openstack-keystone02:42
*** roxanaghe has quit IRC02:44
*** zzzeek has quit IRC02:48
*** hakimo has joined #openstack-keystone02:53
*** hakimo_ has quit IRC02:55
*** markvoelker has joined #openstack-keystone02:55
*** stevemar has quit IRC02:58
*** stevemar has joined #openstack-keystone02:59
*** ChanServ sets mode: +v stevemar02:59
*** piyanai has joined #openstack-keystone03:02
*** browne has joined #openstack-keystone03:09
*** topol_ has quit IRC03:14
*** mylu has quit IRC03:31
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy backend  https://review.openstack.org/21295703:33
*** raildo is now known as raildo-afk03:33
*** ngupta has quit IRC03:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Model: Create policy cache table  https://review.openstack.org/21167903:39
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Driver: Provide function to cache policies  https://review.openstack.org/21295903:39
morgan_404jamielennox: we need keystoneauth-saml2 to get sanitised for oslo deps too :(03:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Manager: Calculate validity and control caching  https://review.openstack.org/21296003:40
morgan_404Just saw the merge of _03:40
morgan_404All the i18n stuff needs to be dropped too03:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Controller: Calculate freshness in seconds  https://review.openstack.org/20969503:40
jamielennoxfrom saml2? i haven't looked03:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Application: Insert Cache-Control into response  https://review.openstack.org/21127103:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Controller: Calculate freshness in seconds  https://review.openstack.org/20969503:44
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Application: Insert Cache-Control into response  https://review.openstack.org/21127103:44
*** piyanai has quit IRC03:46
openstackgerritMorgan Fainberg proposed openstack/keystoneauth-saml2: Remove translation  https://review.openstack.org/21296403:51
*** richm has quit IRC03:51
*** lhcheng has joined #openstack-keystone03:55
*** ChanServ sets mode: +v lhcheng03:55
*** ankita_w_ has quit IRC03:57
*** ankita_wagh has joined #openstack-keystone03:58
*** jamielennox is now known as jamielennox|away04:02
*** ankita_wagh has quit IRC04:02
*** samueldmq has quit IRC04:08
*** ankita_wagh has joined #openstack-keystone04:09
*** Nirupama has joined #openstack-keystone04:18
*** markvoelker has quit IRC04:26
openstackgerritEric Brown proposed openstack/keystone: Utilize min and max of oslo.config  https://review.openstack.org/21237304:39
*** dobson has quit IRC04:42
*** morgan_404 is now known as morgan_20404:42
*** morgan_204 is now known as morgan_20604:44
*** morgan_206 is now known as morgan_50304:45
*** shadower has quit IRC04:45
*** jamielennox|away is now known as jamielennox04:46
*** dobson has joined #openstack-keystone04:48
*** vivekd has joined #openstack-keystone04:49
*** ankita_wagh has quit IRC05:02
*** ankita_wagh has joined #openstack-keystone05:02
*** lhcheng has quit IRC05:03
*** ankita_w_ has joined #openstack-keystone05:04
*** ankita_wagh has quit IRC05:05
*** hrou has joined #openstack-keystone05:05
*** narengan has quit IRC05:05
*** boris-42 has joined #openstack-keystone05:06
*** ankita_w_ has quit IRC05:07
*** ankita_wagh has joined #openstack-keystone05:08
*** ankita_wagh has quit IRC05:12
*** topol has joined #openstack-keystone05:14
*** ChanServ sets mode: +v topol05:14
*** topol has quit IRC05:18
openstackgerritDave Chen proposed openstack/keystone: Hardens the validated decorator's implementation  https://review.openstack.org/20911405:32
openstackgerritDave Chen proposed openstack/keystone: Show helpful message when request body is not provided  https://review.openstack.org/19590305:32
*** chlong has quit IRC05:41
*** spandhe has joined #openstack-keystone05:43
*** chlong has joined #openstack-keystone05:44
*** ankita_wagh has joined #openstack-keystone05:45
*** fifieldt_ has quit IRC06:00
*** e0ne has joined #openstack-keystone06:08
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/21235906:08
*** yottatsa has joined #openstack-keystone06:18
*** hrou has quit IRC06:24
*** e0ne has quit IRC06:27
*** hrou has joined #openstack-keystone06:28
thervejamielennox, Regarding the devstack v3 changes, one thing I noticed which is bit surprising is that "openstack endpoint list" doesn't return anything anymore06:35
therveThat's somewhat annoying06:35
jamielennoxtherve: yea, it's annoying that the syntax changes between v2 and v306:41
thervejamielennox, What's the syntax change?06:41
jamielennoxand that's kind of the issue i'm worried about, if anyone is performing raw openstack X commands that expect it to hit a v2 endpoint and we change that flag it will break them06:41
jamielennoxdepends on the command, there are a number that change between v2 and v306:42
jamielennoxbeyond the need to add domain arguments to everything06:42
therveI guess in this case it would work if the command just used v3 by default06:42
therveWhich somewhat makes sense, I think06:42
jamielennoxin v2 an endpoint is a combination of a public/internal/admin url06:42
jamielennoxin v3 each of those is it's own endpoint06:42
jamielennoxso i'd need to check exactly what the difference is but there's a reason it displays them differently06:43
therveLooking at the code, it's missing a "legacy_endpoint_id"06:43
jamielennoxso that's a v2/v3 transition thing06:44
jamielennoxif you made the endpoint in v2 then all 3 would have the same id, in v3 it's 3 seperate ids06:44
jamielennoxthe legacy_endpoint_id is the id that is displayed in v206:45
therveRight, but devstack creates the endpoint for me, so I can't "make them in v2"06:46
*** vivekd has quit IRC06:46
jamielennoxin devstack we've moved it to v3, but puppet and plenty of other installers still do it with v206:48
jamielennoxand you can always use the openstack CLI to make more endpoints using the v2 api06:48
*** e0ne has joined #openstack-keystone06:51
*** hrou has quit IRC06:51
therveI guess what I'm saying is that the changes that already happened have been disruptive, so setting the default version to 3 may fix more issues than introducing new ones.06:53
jamielennoxtherve: right, this wouldn't be the first time i've broken everything with a change to devstack - and most of those were way smaller06:54
jamielennoxin the long term we need to do it06:54
jamielennoxnot so long term06:54
jamielennoxi just figure if i know it's going to be disruptive i want to make sure it's advertised well06:54
therveRight06:54
therveWell we've been dealing with v2/v3 crazyness in Heat for 3 years, so I'm happy v3 is pushed forward :)06:55
jamielennoxit's ridiculous that it's still an ongoing issue06:55
jamielennoxand the way new services are popping up it's like whack-a-mole trying to get everyone updated06:56
*** e0ne has quit IRC07:04
*** Navid_ has quit IRC07:11
openstackgerritRoman Bogorodskiy proposed openstack/python-keystoneclient: Avoid message concatenation in error path  https://review.openstack.org/15575807:14
*** jamielennox is now known as jamielennox|away07:17
openstackgerritRoman Bogorodskiy proposed openstack/python-keystoneclient: Avoid message concatenation in error path  https://review.openstack.org/15575807:23
*** afazekas_ has joined #openstack-keystone07:24
*** chlong has quit IRC07:36
*** chlong has joined #openstack-keystone07:39
*** ankita_wagh has quit IRC07:42
*** ankita_wagh has joined #openstack-keystone07:43
*** spandhe has quit IRC07:46
*** ankita_wagh has quit IRC07:47
*** yottatsa has quit IRC07:47
*** henrynash has quit IRC07:49
*** fhubik has joined #openstack-keystone07:53
*** stevemar has quit IRC07:58
openstackgerritMerged openstack/keystone: Remove "tenants" from user_attribute_ignore default  https://review.openstack.org/18902908:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/21302108:08
*** jistr has joined #openstack-keystone08:13
*** topol has joined #openstack-keystone08:16
*** ChanServ sets mode: +v topol08:16
*** topol has quit IRC08:21
*** davechen has left #openstack-keystone08:31
*** browne has quit IRC08:34
*** wanghua has joined #openstack-keystone08:37
wanghuahi all, is there a way to get a token that will not expire08:38
wanghuaanyone can help?08:38
*** claudiub has joined #openstack-keystone08:41
bretonwhy would you want that?08:59
*** katkapilatova has joined #openstack-keystone09:09
*** fhubik is now known as fhubik_afk09:11
*** fhubik_afk is now known as fhubik09:12
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/21305009:15
*** wanghua has quit IRC09:40
*** yottatsa has joined #openstack-keystone09:42
*** yottatsa has quit IRC10:00
*** fhubik is now known as fhubik_afk10:10
*** arif-ali has quit IRC10:19
*** fhubik_afk is now known as fhubik10:29
*** piyanai has joined #openstack-keystone10:29
*** rdo has quit IRC10:36
*** rdo has joined #openstack-keystone10:38
*** fhubik is now known as fhubik_afk10:38
*** arif-ali has joined #openstack-keystone10:40
*** rdo has quit IRC10:43
*** rdo has joined #openstack-keystone10:50
*** gabriel-bezerra has quit IRC10:54
*** rdo has quit IRC10:57
*** yottatsa has joined #openstack-keystone10:58
*** rdo has joined #openstack-keystone10:59
*** gabriel-bezerra has joined #openstack-keystone10:59
bretondoes keystone support pagination in `* list` operations?11:03
*** topol has joined #openstack-keystone11:08
*** ChanServ sets mode: +v topol11:08
*** fhubik_afk is now known as fhubik11:12
*** topol has quit IRC11:13
*** fhubik is now known as fhubik_afk11:13
openstackgerritPaweł Pamuła proposed openstack/keystone: IdP deletion triggers token invalidation  https://review.openstack.org/21310411:35
*** Kennan2 has joined #openstack-keystone11:36
*** Kennan has quit IRC11:37
*** afazekas_ has quit IRC11:47
*** henrynash has joined #openstack-keystone11:50
*** ChanServ sets mode: +v henrynash11:50
*** fhubik_afk is now known as fhubik11:51
*** shadower has joined #openstack-keystone11:56
*** shadower has quit IRC11:58
*** shadower has joined #openstack-keystone11:59
*** gordc has joined #openstack-keystone12:01
*** yottatsa has quit IRC12:05
*** katkapilatova has left #openstack-keystone12:11
*** henrynash has quit IRC12:13
*** raildo-afk is now known as raildo12:13
*** henrynash has joined #openstack-keystone12:14
*** ChanServ sets mode: +v henrynash12:14
*** markvoelker has joined #openstack-keystone12:21
htrutahenrynash: do you have a few minutes to talk about the is_domain patch?12:24
henrynashhtruta: suew12:24
henrynashsure12:24
htrutaas in here: https://review.openstack.org/#/c/212045/1/keystone/tests/unit/test_backend.py12:25
htrutahenrynash: do you agree with prohibiting the creation on controller layer and keeping the logic on manager12:26
htruta?12:26
henrynashhtruta: so preventing creation in controller while we build up the base underpinnings seems a good idea12:26
henrynashhtruta: but I really don’t want to see a test like this one….it is just so wroung12:27
htrutahenrynash: I see. I could change to the expected behavior at the final of the reseller chain and just remove the WIP after the honor operations one12:28
henrynashhtruta: yes, but this test will fail in the end since the data it is providing is conflicting12:28
*** petertr7_away is now known as petertr712:29
*** edmondsw has joined #openstack-keystone12:29
henrynashhtruta: the “add is_domain” patch isn’t a good enough “chunk” of functionaity if it reuires us to write tests that make no sense12:29
htrutahenrynash: I don't think so... putting the expected behaviour, with the parent_id = domain_id case as you pointed, it would be ok after the honor one12:30
*** yottatsa has joined #openstack-keystone12:30
henrynashhtruta: ah..fine, if you change the test, sure….but then if it isn’t going to pass in this patch, why is it here and not after the is_domain one12:31
htrutahenrynash: I get your point... another possibility is making the 'add is_domain' as small as ONLY adding the is_domain field, prohibiting the creation and and setting it to False12:31
henrynashhtruta: why isn’t it as simple as simply setting the right domain_id in the test?12:32
*** Nirupama has quit IRC12:32
htrutahenrynash: I could do that correct setting. and only remove the WIP decorator in the honor one12:32
henrynashhtruta: forgive me for bing dumb, but why won’t it pass in the is_domain patch?12:34
htrutahenrynash: because at that point, projects with is_domain=True don't act as domains yet12:34
htrutadomain_id is still pointing to domain table12:34
henrynashhtruta: right, got it12:35
*** yottatsa has quit IRC12:35
*** tjcocozz has joined #openstack-keystone12:35
henrynashhtruta: (thinking)12:36
*** yottatsa has joined #openstack-keystone12:36
htrutathat's why we've made a 'temporary behavior', setting the domain_id as it is12:36
htrutahenrynash: ^12:36
morgan_503Ooh i see a henrynash :)12:45
henrynashmorgan_503: hi12:45
henrynashhtruta: (still thinking!)12:45
morgan_503breton: not really. In some cases we did but it is problematic with ldap among other things. Filtering is recommended over pagination12:46
henrynashhtruta: it seems to me that we should be doing something like this:12:46
henrynashhtruta: a) first patch adds Is_domain to project but it has no special meaning…and in the same patch we stop it being set at the controller level12:47
*** yottatsa has quit IRC12:47
henrynashhtruta: b) we then slowly roll in the manger/backend fucntionality for is_domain12:47
henrynashhtruta: c) finally we unblock the controller12:48
*** yottatsa has joined #openstack-keystone12:49
*** doug-fish has joined #openstack-keystone12:49
henrynashhtruta: what seem odd in the current set up is that the sequence we do things doesn’t jive with how things will look eventually, so it’s very hard for a reviewer to udnerstand if (why?) things are being done the wya they are12:49
htrutahenrynash: I see12:51
htrutathis slow roll in functionality would be keeping it as nothing until the honor operations one.12:52
henrynashhtruta: I’m just checking we don’t call create_project from anywhere other than the standard controller12:52
*** yottatsa_ has joined #openstack-keystone12:53
henrynashhtruta: no, we’re good there12:53
*** yottatsa has quit IRC12:54
htrutahenrynash: nice12:55
henrynashhtruta: well, you could for instance, add all the logic on setting and checking domain id, project_id without the honors…it would only be checking against other projects (and ignoring existing domains, but that would be ok)12:55
htrutahenrynash: not sure if it is possible... the domain_id would point (in some cases) to an entity that's not really a domain12:56
htrutait would be really inconsistent12:57
htrutahenrynash: can't we agree that reseller is not valid without the honor one and, if the cut happens before it lands, we'd rollback the ones which were merged12:58
henrynashhtruta: maybe….but lots of other stuff is landing…..and I’d hate to roll back bits12:59
htrutayes.. but that would be necessary anyway... if we don't have the 'honor' one, the is_domain field would be useless12:59
henrynashhtruta: you may be right on the checks…I’d have thought it could be done, but I could easily be wrond!13:00
henrynashhtruta: but if is benign, then whu woudln’t we leave in there?13:00
henrynashhtruuta: no reason why some feature developments can’t span multiple release cycles13:00
*** fhubik is now known as fhubik_afk13:01
htrutahenrynash: hm. ok, then13:01
henrynashhtrutua: let;’s see how this goes…I’m as keen to get this in as you are…but we need others to be able to understnd and review without having to get as deep in the weeds as I have done13:02
htrutahenrynash: ok, then. so what are our next steps?13:03
htrutaputting the tests as wip, blocking creation in controller and keeping logic on manager is ok?13:03
henrynashhtruta: so let’s have a patch that just adds is_domain to the backend but it is not interpreded anywhere…and is block by the controller (in the was is_domain is block by for v2 calls anyway)13:04
henrynashhtruta: let’s get that in and then build on it13:05
*** fhubik_afk is now known as fhubik13:06
htrutahenrynash: ok. that would be the first patch of the chain, right?13:06
henrynashhtruta: yep13:07
henrynashhtruta: simple tests, just making sure you set it True/False via the manager13:07
henrynashhtruta: and a test that shows it’s not settable via teh controller (we have some of those already for v2 I asuspect)13:07
henrynashhtruta: v2 should fail as is, for v3 maybe we throw a not Implemented exception13:08
htrutahenrynash: ok, sir. seems right to me13:08
*** rodrigods has quit IRC13:13
henrynashhtruta: on idea…haven’t quite thought it through is you then add support for is_domain projects just as root projects, then honor domain operations on them…..and only then do you allow hierarchies of is_domain projects….it might be a simpler set of transitions13:14
henrynashhtruta: (one idea….)13:14
*** richm has joined #openstack-keystone13:16
morgan_503henrynash: pagination requests make me sad :(13:16
henrynashmorgan_503: yep, just saw that….I’m not sure how we do a better job at socializing this as you say…(other than getting rid of teh v2 api!!!)13:17
htrutahenrynash: hm... seems like a good way to go. That might got us smaller patches, but a bigger rework13:18
morgan_503Fix the api-ref site #113:18
*** jsavak has joined #openstack-keystone13:18
henrynashmorgan_503: yep13:18
morgan_503But i am *not* going to try and do docbook changes13:18
henrynashmorgan_503: yeah, we have a bit of gap here created by tool choices13:18
morgan_503Asking for that is afaiac unreasonable13:18
morgan_503Docbook makes me sad13:19
morgan_503And kill v213:19
morgan_503Honestly getting devstack to 100% v3 and putting everything useful in not the default domain should help ;)13:20
morgan_503*evil*13:20
henrynashmorgan_503:  yep…kill v2 !  Eeek, need to find power source….5% power left on laptop….I’ll be back in a while13:20
*** henrynash has quit IRC13:20
*** rodrigods has joined #openstack-keystone13:20
openstackgerritMerged openstack/keystone: Improve a few random docstrings  https://review.openstack.org/21102313:21
*** browne has joined #openstack-keystone13:24
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/21302113:26
*** piyanai has quit IRC13:26
*** fifieldt has joined #openstack-keystone13:30
*** gordc has quit IRC13:32
dstanekmorgan_503: docbook is evil13:33
morgan_503dstanek: ++13:33
*** yottatsa_ has quit IRC13:39
*** ngupta has joined #openstack-keystone13:42
dstanekuggg.... i have so may reviews thats need tending to. may garden look awful13:46
dstanekand patches13:46
*** tellesnobrega is now known as tellesnobrega_af13:47
*** ayoung has joined #openstack-keystone13:50
*** ChanServ sets mode: +v ayoung13:50
*** petertr7 is now known as petertr7_away13:58
*** petertr7_away is now known as petertr714:00
*** jecarey has joined #openstack-keystone14:02
raildon14:04
raildowrong window =S14:05
*** gordc has joined #openstack-keystone14:05
*** jsavak has quit IRC14:05
*** jsavak has joined #openstack-keystone14:06
*** hrou has joined #openstack-keystone14:13
*** topol has joined #openstack-keystone14:15
*** ChanServ sets mode: +v topol14:15
*** chlong has quit IRC14:19
ayoungdstanek, new machine.  Now when I run tox I get :14:23
ayoung$ . .tox/py27/bin/activate14:23
ayoung(py27)[ayoung@ayoung541 keystone]$ pip install ldap14:23
ayoungYou are using pip version 6.0.8, however version 7.1.0 is available.14:23
ayoungYou should consider upgrading via the 'pip install --upgrade pip' command.14:23
ayoungCollecting ldap14:23
ayoung  Could not find any downloads that satisfy the requirement ldap14:23
ayoung  No distributions at all found for ldap14:23
ayoungI did run that command, to upgrade pip....14:23
dstanekayoung: i don't think it's ldap14:23
*** sigmavirus24_awa is now known as sigmavirus2414:23
dstanekayoung: try python-ldap14:24
ayoungdstanek, what specifies that?14:24
ayoungAh...why is it in setup.cfg instead of requirements?14:25
*** fhubik has quit IRC14:26
dstanekayoung: it's now setup as an optiona dep14:27
*** browne has quit IRC14:27
dstanekayoung: if you look in the tox.ini is specifies that it wan't to use it14:27
dstanekayoung: doing it this way allows people to specify in the pip command to install keystone with the ldap dependencies14:28
*** vivekd has joined #openstack-keystone14:30
ayoungdstanek, I was trying to run tox -r.  That should work out of the box and it doesn't.14:30
dstanekayoung: it didn't get the ldap deps?14:31
dstanekayoung: you may need to update pbr then14:31
ayoungat this point, I don't care about LDAP, but if we need it for the tests to run, it should be installed by defulat.14:31
dstanekoutside of the venv14:31
ayoungok,  I've upgrade pip directly, which is also something we really should not ask people to do, is it against the basics of platform management...but ignoring that14:32
ayoungdstanek, isn't pbr only needed inside the venv?14:32
dstanekayoung: no, it handles all of the build stuff around creating the venv14:33
dstanekthe extras support was a recent change in pbr to catch up with the standard Python tooling14:33
ayoungpython-pbr-0.10.8-1.fc22.noarch14:33
dstaneki'm running 1.1.114:34
ayoungdstanek, OK, so to do this right, we probably should run a copr with upgraded pbr and pip.  Let me see if someone built them already14:35
dstanekayoung: what's a copr?14:35
*** geoffarnold has joined #openstack-keystone14:35
ayounghttps://copr.fedoraproject.org/14:35
ayoungdstanek, and apevec built a 1.3 version of pbr...let me grab that14:36
dstanekayoung: oh, neat. i've only recently transitioned to fedora so i'm still finding lots of new toys14:37
ayoungdstanek, yeah...coprs have filled a big vacancy in development process14:37
ayoungdstanek, http://koji.fedoraproject.org/koji/buildinfo?buildID=66908514:37
ayoungand14:39
ayounghttp://koji.fedoraproject.org/koji/buildinfo?buildID=666288  dstanek for pip14:39
*** geoffarnold has quit IRC14:39
vivekdayoung: dstanek: hi, i'm new to keystone development and openstack. the topic in this channel says 'feature freeze is rapidly approaching'. what is the feature freeze date? are these important dates documented somewhere for keystone?14:39
ayoungvivekd, we make them up at random14:40
ayoungvivekd, seriosly, though, we are in a 3 milestone process, and we just passed milestone 2.  Liberty 3 is coming up at the end of the month-ish14:40
ayoungI'll see if I can find an offical sched14:41
*** geoffarnold has joined #openstack-keystone14:41
vivekdayoung: that will help...thank u!14:41
dstanekliberty schedule: https://wiki.openstack.org/wiki/Liberty_Release_Schedule14:42
ayounghttps://wiki.openstack.org/wiki/Liberty_Release_Schedule14:42
ayoungdamn14:42
vivekddstanek: thank u!14:43
*** alejandrito has joined #openstack-keystone14:44
ayoungdstanek, http://paste.openstack.org/show/414370/14:44
ayoung$ pip --version14:44
ayoungpip 7.1.0 from /usr/lib/python2.7/site-packages (python 2.7)14:44
ayoungrebasing...14:45
dstanekayoung: hmm and that's after installing the new pbr at the system level?14:45
ayoungdstanek, I think I rsynced my old repo, not afresh clone of keystone.. trying again14:46
ayoungnope, same thing14:46
ayoungdstanek, so the line  py27 installdeps: -r/opt/stack/keystone/requirements.txt, -r/opt/stack/keystone/test-requirements.txt, .[ldap]14:47
ayoungthat is done inside the venv,right?14:47
dstanekyes14:47
*** ngupta has quit IRC14:47
ayoungdstanek, gonna comment out the ldap part of setup.cfg and see where if goes14:48
ayoungsame thing...14:48
ayoungweeeeird14:48
*** phalmos has joined #openstack-keystone14:48
dstanekayoung: hmmm...this is what i get http://paste.openstack.org/show/414410/14:48
ayoungdstanek, and in tox.ini.....14:49
dstaneki'm also using tox version 2.1.114:49
ayoungdstanek, no RPM built for that yet....14:50
dstanekyour output is strange because it looks like pbr still doesn't understand the extras syntax14:50
lbragstaddstanek: have you ever used yaprt?14:52
vivekdayoung: dstanek: lbragstad: gate-keystone-python34 had failed on my first keystone patch. when i tried to reproduce it locally by running 'tox -e py34', test didn't run due to a dependency problem. it was fixed when i did 'sudo apt-get install python3-dev'. is there a place where i can document this so that it could be useful for other developers?14:53
*** zzzeek has joined #openstack-keystone14:54
ayoungvivekd, same kind of issues I am running in to.  We don't do decent distro specific docs for developers14:54
*** r-daneel has joined #openstack-keystone14:55
*** piyanai has joined #openstack-keystone14:55
dstaneklbragstad: never heard of it14:59
vivekdayoung: oh ok. i see that tox already does some requirement installations internally. isn't it possible to handle this as part of that?14:59
lbragstaddstanek: ok, just curious14:59
ayoungvivekd, so, devstack does this, but the upstream projects themselves don't15:00
ayoungdstanek, we proabaly need something like that for the functional testing15:00
dstaneklbragstad: interesting...that's Kevin's thing15:00
ayounggrab the files/packages from devstack....15:00
dstanekayoung: and do what with them?15:00
lbragstaddstanek: yeah, i'm tinkering with it a bit15:00
ayoungdstanek, install them.  Like I'm doing with the tox, pip etc15:00
dstanekayoung: instead of using devstack?15:01
*** jsavak has quit IRC15:01
*** jsavak has joined #openstack-keystone15:01
ayoungdstanek, this is just...cool:  https://fedoraproject.org/wiki/Package_maintenance_guide?rd=Using_Fedora_GIT15:01
*** yottatsa has joined #openstack-keystone15:02
*** petertr7 is now known as petertr7_away15:06
*** ngupta has joined #openstack-keystone15:08
*** narengan has joined #openstack-keystone15:09
*** jsavak has quit IRC15:11
*** jsavak has joined #openstack-keystone15:12
*** lsmola has quit IRC15:13
*** tjcocozz_ has joined #openstack-keystone15:14
*** henrynash has joined #openstack-keystone15:14
*** ChanServ sets mode: +v henrynash15:14
henrynashbknudson: ping15:15
*** HT_sergio has joined #openstack-keystone15:16
dstanekayoung: are you any closer to having a work env?15:16
ayoungdstanek, nah...looks like I need ldap to build ...so I'm working on getting tox 2.1.1 as an RPM15:16
henrynashayoung: you having problems with the ldap chanegs to tox, setup etc.?15:16
ayounghenrynash, yep15:17
henrynashayoung: me too, struggling most of the day to make it work15:17
ayounghenrynash, what platform you building on ?15:17
henrynashayoung: ubuntu15:17
henrynashayoung: there must be something (lots probaby) that I don’t understand about how this all hangs together….15:18
ayounghenrynash, I just update to tox 2.1.1...let's see if that makes a differnece15:18
ayounghenrynash, it seems to be happier...still waiting, though15:20
henrynashdstanek: here’s what I don’t understadn.. I upgrade pbr and pip,,,,but when it builds a new py27 virtual env it complains my pbr/pip are out of date and not the ones I have installed…..15:20
ayounghenrynash, I'm seeing similar things.  I think something is getting cached inthe keystone dir.  I'm run git clean -xdf and rerunning...15:21
ayounghenrynash, tox --version ?15:22
henrynashayoung: was on 1.9.1…just upgrading it now15:22
ayounghenrynash, that seems to be the secret.  I need to build a 2.1.1 RPM15:22
henrynashayoung: ah, ok..fingers crossed15:22
*** henrynash has quit IRC15:25
dstanekayoung: so you're good now? i just use 'sudo pip install ...' instead of using system packages15:28
*** esp has left #openstack-keystone15:28
dstaneki'm actually surprised that tox would need to be updated15:28
ayoungdstanek, so, yeah, I did a pip install --upgrade for tox and it worked, so I'm finidhing up on getting an upgraded tox package built for fedora15:28
ayoungtrying to be a good citizen, but also keep from polluting this laptop too badly with non-packaged executables15:29
*** jistr is now known as jistr|mtg15:29
*** sigmavirus24 is now known as sigmavirus24_awa15:30
*** openstackgerrit has quit IRC15:31
*** openstackgerrit has joined #openstack-keystone15:32
*** sigmavirus24_awa is now known as sigmavirus2415:33
*** esp has joined #openstack-keystone15:36
dstanekayoung: not in a VM?15:37
*** vivekd has quit IRC15:44
*** ayoung has quit IRC15:48
*** piyanai has quit IRC15:49
*** browne has joined #openstack-keystone15:53
*** piyanai has joined #openstack-keystone15:56
*** jistr|mtg is now known as jistr16:03
*** woodster_ has joined #openstack-keystone16:04
openstackgerritDavid Stanek proposed openstack/keystone: Hardens the validated decorator's implementation  https://review.openstack.org/20911416:10
*** ankita_wagh has joined #openstack-keystone16:10
*** jasonsb has quit IRC16:15
*** yottatsa has quit IRC16:23
*** piyanai has quit IRC16:31
*** spandhe has joined #openstack-keystone16:31
*** jistr has quit IRC16:32
*** yottatsa has joined #openstack-keystone16:35
*** spandhe has quit IRC16:35
*** spandhe_ has joined #openstack-keystone16:35
*** petertr7_away is now known as petertr716:36
*** gyee has joined #openstack-keystone16:37
*** ChanServ sets mode: +v gyee16:37
*** adrian_otto has joined #openstack-keystone16:40
*** jecarey has quit IRC16:42
dolphmis tox suddenly smart enough to know that you're testing a different branch? i swear it just rebuilt my environment correctly without me doing anything16:45
*** ankita_wagh has quit IRC16:45
*** ankita_wagh has joined #openstack-keystone16:46
*** stevemar has joined #openstack-keystone16:46
*** ChanServ sets mode: +v stevemar16:46
*** piyanai has joined #openstack-keystone16:48
*** stevemar has quit IRC16:49
*** ankita_wagh has quit IRC16:50
*** narengan_ has joined #openstack-keystone16:51
dstanekdolphm: with no -r flag?16:51
dstanekdolphm: i do think it checks installed deps against requests deps now - which is annoying because it takes much longer just to start the tests now16:52
*** vivekd has joined #openstack-keystone16:54
*** narengan has quit IRC16:54
*** atiwari has joined #openstack-keystone16:56
*** afaranha has joined #openstack-keystone16:56
*** afaranha has left #openstack-keystone16:56
*** lhcheng has joined #openstack-keystone17:00
*** ChanServ sets mode: +v lhcheng17:00
*** _cjones_ has joined #openstack-keystone17:00
*** ayoung has joined #openstack-keystone17:00
*** ChanServ sets mode: +v ayoung17:00
dolphmdstanek: that would explain the slowdown...17:01
dolphmdstanek: there's got to be a way to make that faster ... pip freeze is quite fast17:02
dolphmdstanek: (but yes, with no -r)17:02
dstanekdolphm: pip freeze is just listing - i think tox is now resolving the dep tree to make sure the venv matches17:02
dstanekmaybe there is a switch to turn it off17:03
dstaneki just run tests by hand now and only use tox to create the venv17:03
dolphmdstanek: ah17:03
dolphmdstanek: yeah, i should do the same. do you use nose?17:03
*** Kennan2 has quit IRC17:05
*** tjcocozz has quit IRC17:05
*** tjcocozz_ has quit IRC17:06
dolphmdstanek: or, i guess testr17:06
dstanekno i just use testr :-(  actually i use our tools/pretty_tox.sh script17:06
*** samleon has joined #openstack-keystone17:06
*** Navid_ has joined #openstack-keystone17:07
*** lhcheng_ has joined #openstack-keystone17:07
*** lhcheng has quit IRC17:09
*** jasonsb has joined #openstack-keystone17:11
*** phalmos has quit IRC17:12
*** jasonsb has quit IRC17:12
*** jasonsb has joined #openstack-keystone17:13
*** ankita_wagh has joined #openstack-keystone17:14
dolphmdstanek: any idea why would this fail with "IOError: [Errno 11] Resource temporarily unavailable" from multiprocessing? $ n .tox/py27/bin/nosetests --processes=217:16
*** david-lyle is now known as cbrown17:17
*** hrou has quit IRC17:17
*** stevemar has joined #openstack-keystone17:19
*** ChanServ sets mode: +v stevemar17:19
*** Kennan has joined #openstack-keystone17:21
*** hrou has joined #openstack-keystone17:23
*** roxanaghe has joined #openstack-keystone17:28
*** piyanai has quit IRC17:29
*** piyanai has joined #openstack-keystone17:33
*** hrou has quit IRC17:41
*** lhcheng_ has quit IRC17:45
*** lhcheng has joined #openstack-keystone17:45
*** ChanServ sets mode: +v lhcheng17:45
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/21327317:49
*** boris-42 has quit IRC17:50
*** Ephur has joined #openstack-keystone17:51
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/21327317:54
htrutadstanek: ^ look how cool. the "add is_domain field" patch that only adds the is_domain field17:54
htrutawho could ever think about that?17:55
*** henrynash has joined #openstack-keystone17:55
*** ChanServ sets mode: +v henrynash17:55
*** tjcocozz_ has joined #openstack-keystone17:56
*** tjcocozz has joined #openstack-keystone17:56
*** samueldmq has joined #openstack-keystone17:58
raildohtruta: you're a genius17:58
lhchenghtruta: how is that different from the other patch? :) https://review.openstack.org/#/c/157427/17:59
lhchengis this is_domain-lite ?17:59
htrutaraildo: I appreciate that18:00
htrutalhcheng: this one only adds the field. it does not touch some other stuff like domain_id and parent_id18:00
htrutawe are spliting this one18:01
*** yottatsa has quit IRC18:01
lhchenghtruta: I see18:01
lhchenghtruta: cool, that will make it easier to review18:02
htrutahenrynash: https://review.openstack.org/#/c/213273/18:02
henrynashhruta: great…will look in a bit18:03
openstackgerritArun Kant proposed openstack/pycadf: Adding barbican specific base resources.  https://review.openstack.org/21002318:05
*** browne has quit IRC18:05
*** yottatsa has joined #openstack-keystone18:07
*** jecarey has joined #openstack-keystone18:10
*** woodster_ has quit IRC18:10
*** ankita_w_ has joined #openstack-keystone18:17
*** stevemar has quit IRC18:19
*** ankita_wagh has quit IRC18:21
*** samueldmq has quit IRC18:24
*** roxanaghe_ has joined #openstack-keystone18:29
ayounghenrynash, did updating tox work for you, too?18:30
henrynashayoung: I think it might…then I ran out of disk space on my VM!!! just trying to fix that18:31
henrynashayoung: did it work for you?18:31
dstanekdolphm: i've not seen that before, but i had other issues with nose and our tests so i just stopped using it18:31
*** roxanaghe has quit IRC18:31
ayounghenrynash, yes18:31
henrynashayoung: great…I’m pretty sure mine will work too once I give it the breathing room18:31
ayounghenrynash, it fails pretty quickly without:  tox < 2 does not understand the directive to install ldap18:32
*** yottatsa has quit IRC18:32
henrynashayoung: yep18:33
*** ayoung has quit IRC18:41
*** stevemar has joined #openstack-keystone18:42
*** ChanServ sets mode: +v stevemar18:42
dstanekhmmm....i just switched to the new gerrit UI and i can't figure out how to leave a comments anymore18:43
dstaneki should have looked for just one more minute! it's now at the top of the page18:44
*** browne has joined #openstack-keystone18:48
*** phalmos has joined #openstack-keystone18:55
*** browne has quit IRC18:57
*** ankita_wagh has joined #openstack-keystone18:57
*** browne has joined #openstack-keystone18:58
*** ankita_w_ has quit IRC19:01
*** jsavak has quit IRC19:02
*** jsavak has joined #openstack-keystone19:05
dstaneklbragstad: i see you also started reviewing https://review.openstack.org/#/c/155758/5 . are you seeing what i am seeing?19:12
lbragstaddstanek: I just reviewed it to get eyes on it, I haven't recreated it locally at all19:14
dstaneklbragstad: ok, i'm not going to waste much time on it and just let the submitter prove it works :-)19:14
lbragstaddstanek: yeah, i didn't try doing anything locally with it, it was just the next victim in my next-review list :)19:15
*** jsavak has quit IRC19:17
*** jsavak has joined #openstack-keystone19:17
*** HT_sergio has quit IRC19:17
morgan_503"Doesnt ldap just work like sql?!"19:21
morgan_503... No ...19:22
* morgan_503 wants to kill keystone user management APIs so badly.19:22
*** stevemar has quit IRC19:22
*** stevemar has joined #openstack-keystone19:23
*** ChanServ sets mode: +v stevemar19:23
morgan_503henrynash: could i trouble you to respond to that thread as well. I dont see how we can solve their needs without supplying implementation specific differences / awfulness. I'm happy to take the fall here but I am completely against pagination in identity v319:24
henrynashmorgan_503: will do19:24
morgan_503I just think people assume it is easy to paginate ldap like you paginate sql19:24
*** boris-42 has joined #openstack-keystone19:24
morgan_503Which js absolutely not the case.19:24
morgan_503Needing to know every user who has access via keystone's APIs is silly (who could have a role) but asking about role assignments isnt.19:27
*** stevemar has quit IRC19:28
*** ayoung has joined #openstack-keystone19:28
*** ChanServ sets mode: +v ayoung19:28
vivekdmorgan_503: hi morgan fainberg19:30
vivekdmorgan_503: i couldn't find a blueprint corresponding to the spec @ http://specs.openstack.org/openstack/keystone-specs/specs/liberty/stable-driver-interfaces.html so i created one @ https://blueprints.launchpad.net/keystone/+spec/stable-driver-interfaces19:30
vivekdmorgan_503: could u please review it?19:30
morgan_503Nod. I aksed gyee to look at that19:30
morgan_503As well.19:30
*** tjcocozz_ has quit IRC19:31
*** tjcocozz has quit IRC19:31
gyeemorgan_503, vivekd, yeah, will review patch 4 later today19:31
gyeeon my todo list19:31
*** stevemar has joined #openstack-keystone19:32
*** ChanServ sets mode: +v stevemar19:32
vivekdmorgan_503: oh ok. gyee reviewed my gerrit patch. but the blueprint is still not approved hence asked u19:32
vivekdok gyee19:33
stevemarmorgan_503: we all want to kill it19:33
gyeebp should be there19:33
gyeestevemar, kill what? stable driver interface?19:33
*** ankita_wagh has quit IRC19:34
stevemargyee: no, user managment api19:34
dstanekstevemar: oh, damn. i thought docker19:34
gyeestevemar, replace it with what? ask devstack/jenkins19:34
*** ankita_wagh has joined #openstack-keystone19:34
stevemardstanek: docker too19:34
stevemargyee: x509 tokenless auth and federated identity?19:35
gyeeyay!19:35
stevemarjust rip out all /users calls19:35
* gyee in euphoria19:35
stevemarone day, one day19:36
stevemarspeaking of which, i should go back to that patch19:36
morgan_503stevemar: feel free to jump into that thread too.19:38
*** ankita_wagh has quit IRC19:38
stevemarmorgan_503: i spoke with gyee and cbrown on irc #openstack-horizon19:39
stevemarthe thing is, i'm actually not opposed to pagination, they just haven't convinced me it won't break19:39
stevemarpaging through 400K results (ibm ldap) is nuts19:40
*** ngupta has quit IRC19:42
gyeestevemar, nah, you never going to see 400k returned19:44
gyeenetwork socket would timed out long before19:44
gyeelooking at the LDAP spec, it doesn't not require to hold the connection, just the session cookie in order to paginate19:46
*** yottatsa has joined #openstack-keystone19:47
*** browne has quit IRC19:47
gyeeI am guess we can convey it as a 'marker'?19:47
gyeewill need to cook up some code to test it out19:47
*** piyanai has quit IRC19:54
*** piyanai has joined #openstack-keystone19:55
*** yottatsa has quit IRC19:57
*** stevemar_ has joined #openstack-keystone19:58
*** ChanServ sets mode: +v stevemar_19:58
vivekdgyee: didn't get you. you meant you will approve the bp as well?19:58
gyeevivekd, the spec has been approved, that's all we need to move forward19:59
gyeeyour code implements the bp19:59
vivekdgyee: ok20:00
*** stevemar has quit IRC20:00
*** doug-fis_ has joined #openstack-keystone20:02
*** jsavak has quit IRC20:03
gyeespec is linked to the bp, and bp is used for release tracking20:04
gyeeat least that's how I understood it20:04
*** alejandrito has quit IRC20:04
*** jsavak has joined #openstack-keystone20:04
*** doug-fish has left #openstack-keystone20:05
*** petertr7 is now known as petertr7_away20:05
vivekdgyee: ok. i read here(http://docs.openstack.org/infra/manual/developers.html#automated-testing) that the bp should be in approved state.20:12
vivekdgyee: point #7 at the above URL reads "If the change implements a feature, it should reference a blueprint. The blueprint should be approved before the change is merged."20:12
stevemar_gyee: right, but ibm's ldap has 400K entries (probably more), you really want to paginate through ALL of them? to create an index?20:12
*** woodster_ has joined #openstack-keystone20:13
*** ayoung has quit IRC20:15
*** doug-fis_ is now known as doug-fish20:16
*** esp has left #openstack-keystone20:19
*** esp has joined #openstack-keystone20:21
*** geaaru has joined #openstack-keystone20:21
*** jecarey has quit IRC20:25
*** ankita_wagh has joined #openstack-keystone20:26
*** bknudson has quit IRC20:27
*** gordc has quit IRC20:28
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K  https://review.openstack.org/20758520:31
*** browne has joined #openstack-keystone20:34
morgan_503gyee: spec != ldap awful python library20:34
dolphmsigmavirus24: should building a wheel instead of an egg affect entry points somehow?20:41
sigmavirus24entry-points no20:41
dolphmlbragstad: ^20:41
sigmavirus24well maybe20:41
sigmavirus24eggs are weird20:41
sigmavirus24and old20:41
sigmavirus24and crufty20:41
sigmavirus24but probably not20:41
sigmavirus24at least I think tarballs used to create eggs when installed by pip20:42
sigmavirus24and they never broke for flake8 between eggs and wheels20:42
morgan_503I was wrong on the connection needing to be kept... But if there is ever an error you have to start the whole pagination again20:42
morgan_503Ldap sucks at pagination20:42
morgan_503And again, order is not guaranteed20:42
morgan_503gyee: ^20:42
morgan_503And going backwards doesnt seem possible20:43
dolphmvivekd: that might be outdated since the introduction of specs? we approve and merge specs... i'm not aware of anyone ever using the "Approved" flag on blueprints for anything20:43
morgan_503Its only forward paging20:43
lbragstadsigmavirus24: if I have a setup.cfg that lists dependency_links on a git repository (versioned at a specific git sha), and I build the wheel, shouldn't the git repo (project's) dependencies be installed?20:43
morgan_503What a trainwreck20:43
vivekdoh ok dolphm20:44
lbragstadsigmavirus24: s/setup.cfg/setup.py/ sorry20:44
vivekddolphm: thanks for the clarification20:45
dolphmlbragstad: can you import the project in dependency_links? (is that keystone?)20:45
gyeemorgan_503, stevemar, I am not saying LDAP pagination not suck :)20:45
gyeejust trying to figure out if that's even possible20:45
sigmavirus24lbragstad: hm20:46
lbragstaddolphm: it is keystone20:46
sigmavirus24dependency_links I'm not entirely certain about20:46
morgan_503gyee: so forward paging only, each connection has a maximum number of xookies allowed. Cookies seem tied to the connection itself20:46
morgan_503As per rfc.20:46
morgan_503A deleted cookie or error means start the whole thing from page 120:46
*** phalmos has quit IRC20:46
lbragstadsigmavirus24: doing something like https://github.com/dstanek/typist/blob/master/setup.py#L29-L30 with a git+ line in the requirements.txt file blows up on processing20:46
* morgan_503 is reading the rfc20:46
sigmavirus24lbragstad: http://stackoverflow.com/a/13587734/1953283 looks relevant20:47
morgan_503I dont want to support this ever20:47
sigmavirus24oh lbragstad that's not dependency_links20:47
sigmavirus24heh20:47
sigmavirus24that's interesting20:47
dolphmmorgan_503: keystone-manage cookie_flush20:47
morgan_503It isnt "ldap paging sucks" it is "this is not meant to be used for pagination in a web app, it is strictly meant to be used to get larger data sets than server max"20:47
lbragstadsigmavirus24: I need to build wheels better20:47
morgan_503dolphm: lol.20:48
lbragstadsigmavirus24: I'm pretty new to the whole thing, so I'm very open to suggestions20:48
gyeemorgan_503, yeah, if its tied to connection, then that would truly suck20:48
morgan_503I think it is based on the rfc.20:48
morgan_503This is not rest-api friendly at all20:48
gyeeyou looking at RFC 2696?20:48
morgan_503Yeah. And the AD inplementation docs20:49
morgan_503Which give a lot of detail20:49
morgan_503Since microsoft wrote that rfc...20:49
morgan_503The tl;dr is: pagination logic like you would do in SQL is just not doable in ldap20:50
*** yottatsa has joined #openstack-keystone20:50
openstackgerritHenrique Truta proposed openstack/keystone: Unit tests for is_domain field in project's table  https://review.openstack.org/21204520:50
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/21327320:50
dolphmmorgan_503: ++20:51
openstackgerritTimothy Symanczyk proposed openstack/keystone: Remove redundant rule:cloud_admin from list_role_assignment rule in sample v3 policy file.  https://review.openstack.org/21333820:51
morgan_503And if you do write the code for it... Youll be very unhappy once the results get beyond a couple pages20:51
dolphmmorgan_503: you mean in 6 months when someone else realizes there's still no pagination and asks this same question again..?20:52
*** yottatsa has quit IRC20:52
morgan_503When in 6 months they raise the wuestion why keystone locks up when someone uses pagination to list users (if this were implemented) or why there are tons of connections to their ldap server...20:53
morgan_503Or why going to page 50 from 51 causes socket timeouts20:53
*** raildo is now known as raildo-afk20:53
morgan_503Or takes forever20:53
gyeeso how does ldappool support this then? obviously it will have to implement session affinity20:53
morgan_503Dont release the connection back to the pool if you are using it20:54
morgan_503That is how b20:54
morgan_503:P20:54
gyeethat doesn't sound right20:54
morgan_503If you are paging through a series, you are typically not dropping the connection back to the pool20:54
gyeeanyway, argument is mood if we don't support ldap back for identity anymore20:55
morgan_503Remember paging in ldap is meant for getting more results than server max. Not meant to be a sql-style offset paging20:55
morgan_503Uh. I never said we would get rid of ldap backends. I just said keystone should t manage the users ;)20:56
morgan_503Long term moving to purely federated users would be awesome20:56
morgan_503But that is a loooooong way out20:56
morgan_503Ldap assignment is dead next cycle20:56
gyeeso we should still support listing ldap users, just that they are immutable from Keystone API20:57
morgan_503I would say no20:57
morgan_503List active assignments (and associated users)20:57
morgan_503Or search for a user20:57
morgan_503But not a pure "list"20:58
morgan_503Of all potential users20:58
gyeewow20:58
gyeewhat if we have 500 active assignments?20:58
gyeereturn them all in one shot20:58
morgan_503Assignments are managed not in ldap20:58
morgan_503Assignments can be paginated in a sane way20:58
morgan_503We no longer have ldap assignment after liberty20:59
morgan_503And user ids are sortable in that wuery20:59
morgan_503Just dont ask me for every user that keystone could allow an assignment to. It might be 300k objects even though only 20 have active assignments21:00
morgan_503The other 299980 users cant access the opensrack cloud anyway21:00
morgan_503Assuming a unique user per assignment21:00
morgan_503So we can require pagination support in assignment. Just not identity21:01
morgan_503It is a difference of what you are using to lookup the data. And what data you want21:01
*** stevemar_ has quit IRC21:01
gyeesure, if we don't *manage* identity, then I don't see a case for listing them21:02
morgan_503And we dont want to manage identity21:02
*** stevemar has joined #openstack-keystone21:02
*** ChanServ sets mode: +v stevemar21:02
morgan_503Its why identity api is not defcore designated21:02
gyeehear ya21:02
morgan_503Most deployments only use sql for service accounta21:02
morgan_503And with x509 that can go away too21:02
morgan_503In theory21:03
gyeewe need a default IdP in devstack/jenkins to test stuff still21:03
morgan_503In most cases (both public and private) users will be managed by an external system21:03
gyeemake sense21:04
morgan_503That is fine. That is devstack's concern to setup. It could be an ldap server with an ldif loaded21:04
morgan_503And each service that needs a user could easily do that. Or it's just a wrapper to ldapadd ;)21:04
morgan_503devstack is the easy case21:04
gyeeyeah, standing up with some users is pretty trivial21:05
gyeestanding up ldap21:05
openstackgerritVivek Dhayaal proposed openstack/keystone: EndpointFilter driver doesnt inherit its interface  https://review.openstack.org/21334221:05
morgan_503Even providing a simple shell script to add users if someone is playing with devstack as a "test openstack" thing21:05
*** jasonsb has quit IRC21:05
morgan_503In fact i'd probably say freeipa would be a good choice by default21:06
morgan_503It has a ui to add users and an api for it21:06
*** jasonsb has joined #openstack-keystone21:06
gyeesure21:06
morgan_503And it does a better job of managing it all.21:06
*** stevemar has quit IRC21:06
morgan_503And has password complexity support etc21:07
morgan_503And *it* can list the users / paginate21:08
gyeemorgan_503, sounds like Horizon folks owe you beer, for removing identity management :)21:08
morgan_503:P21:08
morgan_503That is where i want things to go tbh21:08
* morgan_503 shrugs21:08
gyeek man, I need to head for the woods with the kids21:09
morgan_503jamielennox|away: do you want me to take a crack at fixing caching in ksm?21:09
*** zzzeek has quit IRC21:09
gyeey'all have a good weekend21:09
morgan_503gyee: see ya on... Monday? Or tuesday.21:09
*** gyee has quit IRC21:09
vivekdgyee: happy weekend21:09
*** ayoung has joined #openstack-keystone21:10
*** ChanServ sets mode: +v ayoung21:10
*** jsavak has quit IRC21:10
*** jsavak has joined #openstack-keystone21:11
*** vivekd has quit IRC21:16
*** cbrown is now known as david-lyle21:20
*** jerrygb has joined #openstack-keystone21:23
*** adrian_otto has quit IRC21:29
*** jerrygb has quit IRC21:30
*** geaaru has quit IRC21:32
*** jsavak has quit IRC21:32
*** jsavak has joined #openstack-keystone21:33
openstackgerritDoug Fish proposed openstack/keystoneauth: Update k2k plugin with related code comments  https://review.openstack.org/20967121:34
*** doug-fish has quit IRC21:35
*** narengan_ has quit IRC21:36
*** bknudson has joined #openstack-keystone21:37
*** ChanServ sets mode: +v bknudson21:37
*** piyanai has quit IRC21:37
*** piyanai has joined #openstack-keystone21:39
*** lhinds has joined #openstack-keystone21:43
*** lhinds has left #openstack-keystone21:45
*** lhinds has joined #openstack-keystone21:45
*** ankita_w_ has joined #openstack-keystone21:46
*** lhinds has left #openstack-keystone21:47
*** jsavak has quit IRC21:49
*** ankita_wagh has quit IRC21:49
*** mylu has joined #openstack-keystone21:57
*** piyanai has quit IRC21:57
*** adrian_otto has joined #openstack-keystone21:59
*** mylu has quit IRC22:02
*** mylu has joined #openstack-keystone22:09
*** markvoelker has quit IRC22:15
openstackgerritLin Hua Cheng proposed openstack/keystone-specs: Add region_id filter in List Endpoints API  https://review.openstack.org/21335622:17
*** ankita_wagh has joined #openstack-keystone22:27
*** mylu has quit IRC22:28
*** stevemar has joined #openstack-keystone22:29
*** ChanServ sets mode: +v stevemar22:29
*** ankita_w_ has quit IRC22:30
*** stevemar has quit IRC22:33
*** lhcheng has quit IRC22:33
*** lhcheng has joined #openstack-keystone22:33
*** ChanServ sets mode: +v lhcheng22:33
openstackgerritTimothy Symanczyk proposed openstack/keystone: Simplify rule in sample v3 policy file  https://review.openstack.org/21333822:34
*** ankita_w_ has joined #openstack-keystone22:42
*** ankita_wagh has quit IRC22:42
*** ankita_wagh has joined #openstack-keystone22:44
*** ankita_w_ has quit IRC22:44
*** ngupta has joined #openstack-keystone22:46
*** edmondsw has quit IRC22:51
*** stevemar has joined #openstack-keystone22:51
*** ChanServ sets mode: +v stevemar22:51
*** ngupta has quit IRC22:52
* morgan_503 22:53
* morgan_503 goes back to lurk mode22:53
* morgan_503 might need22:53
morgan_503Taco or burritos for dinner ;)22:54
*** topol has quit IRC22:54
*** jasonsb has quit IRC22:56
*** pgbridge has quit IRC22:59
*** r-daneel has quit IRC23:01
*** atiwari1 has joined #openstack-keystone23:04
*** mylu has joined #openstack-keystone23:06
*** atiwari has quit IRC23:06
*** pgbridge has joined #openstack-keystone23:08
openstackgerritBrant Knudson proposed openstack/keystone: Remove deprecated methods from assignment.Manager  https://review.openstack.org/21017423:08
openstackgerritBrant Knudson proposed openstack/keystone: Stop using deprecated assignment manager methods  https://review.openstack.org/21337123:08
*** topol has joined #openstack-keystone23:10
*** ChanServ sets mode: +v topol23:10
mordredjamielennox|away: so - auth plugins and osc23:12
mordredI'm trying to figure out the right thing to do interface-wise23:12
mordredbecause people are starting to write playbooks with this code23:13
mordredI'm not thrilled about aligning to the OSC interface as a temporary measure to pass the gate23:13
mordredbecause that means we'll be encoding the OSC interface as what people should use in their shade core or ansible playbooks23:13
mordredand that's weird23:14
*** topol has quit IRC23:15
*** sigmavirus24 is now known as sigmavirus24_awa23:20
*** lhcheng has quit IRC23:22
*** ankita_wagh has quit IRC23:22
*** jasonsb has joined #openstack-keystone23:22
*** ankita_wagh has joined #openstack-keystone23:23
*** gordc has joined #openstack-keystone23:24
*** gordc has quit IRC23:24
*** ankita_wagh has quit IRC23:27
*** jasonsb has quit IRC23:28
openstackgerritBrant Knudson proposed openstack/keystone: Fix logging in federation/idp.py  https://review.openstack.org/20304723:28
openstackgerritBrant Knudson proposed openstack/keystone: Enhance tests for saml2 signing exception logging  https://review.openstack.org/21284523:28
*** lhcheng has joined #openstack-keystone23:29
*** ChanServ sets mode: +v lhcheng23:29
mordredjamielennox|away: what if we called the currently-unexposed Token(base.BaseAuthPlugin) plugin "admin_token" instead of "token_endpoint" ?23:30
mordredjamielennox|away: it seems the primary use case for its existence is for admin token23:30
mordredand for other token re-use v2/token and v3/token are the more appropriate plugins to use23:30
mordredperhaps that woudl be a way out of the current confusion?23:31
mordred(and also should make it clear that you're really unlikely to be wanting to use this auth plugin for other things)23:31
mordredmorgan_503: ^^ thoughts?23:31
*** markvoelker has joined #openstack-keystone23:31
openstackgerritBrant Knudson proposed openstack/keystone: Fix logging in federation/idp.py  https://review.openstack.org/20304723:31
openstackgerritBrant Knudson proposed openstack/keystone: Enhance tests for saml2 signing exception logging  https://review.openstack.org/21284523:31
morgan_503mordred: that seems reasonable23:32
mordredjamielennox|away: if we do that, then I think supporting token_endpoint in the way you did in your OCC patch is a fine choice23:32
*** spandhe_ has quit IRC23:32
mordredbecause then we're essentially ceeding that name to OSC23:32
mordredmorgan_503: yay!23:33
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/21302123:33
*** samleon has quit IRC23:33
*** roxanaghe_ has quit IRC23:33
*** mylu has quit IRC23:34
*** mylu has joined #openstack-keystone23:35
*** markvoelker has quit IRC23:35
openstackgerritMonty Taylor proposed openstack/python-keystoneclient: Expose token_endpoint.Token as admin_token  https://review.openstack.org/21337623:38
mordredmorgan_503, jamielennox|away: ^^23:38
*** adrian_otto has quit IRC23:42
mordredalso https://review.openstack.org/#/c/212428/23:42
*** adrian_otto has joined #openstack-keystone23:42
openstackgerritHaneef Ali proposed openstack/keystone: Return correct URL in /v3 version response  https://review.openstack.org/21337923:52
*** stevemar has quit IRC23:56
« Thursday, 2015-08-13 Index Saturday, 2015-08-15 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!