Monday, 2015-08-24

*** Kennan2 is now known as Kennan00:02
*** topol has joined #openstack-keystone00:03
*** ChanServ sets mode: +v topol00:03
*** topol has quit IRC00:08
*** vmbrasseur has quit IRC00:10
*** vmb is now known as vmbrasseur00:10
*** shadower49 has quit IRC00:23
*** shadower49 has joined #openstack-keystone00:23
*** RA_ has joined #openstack-keystone00:42
*** bknudson has joined #openstack-keystone00:49
*** ChanServ sets mode: +v bknudson00:49
*** mylu has quit IRC00:52
*** mylu has joined #openstack-keystone01:05
*** mylu has quit IRC01:17
*** diegows has quit IRC01:30
*** mylu has joined #openstack-keystone01:31
*** ngupta has joined #openstack-keystone01:34
*** abhirc has joined #openstack-keystone01:43
*** piyanai has quit IRC01:44
*** sigmavirus24_awa is now known as sigmavirus2401:48
*** davechen has joined #openstack-keystone01:50
*** Kennan has quit IRC02:02
*** Kennan has joined #openstack-keystone02:02
*** lhcheng has joined #openstack-keystone02:05
*** ChanServ sets mode: +v lhcheng02:05
*** jamielennox is now known as jamielennox|away02:20
*** abhirc has quit IRC02:23
*** jamielennox|away is now known as jamielennox02:32
*** mylu has quit IRC02:32
*** topol has joined #openstack-keystone02:35
*** ChanServ sets mode: +v topol02:35
*** topol has quit IRC02:39
*** ngupta has quit IRC02:47
*** hakimo has joined #openstack-keystone02:52
*** hakimo_ has quit IRC02:55
*** sigmavirus24 is now known as sigmavirus24_awa03:20
*** gordc has joined #openstack-keystone03:26
*** dikonoor has joined #openstack-keystone03:28
*** openstackgerrit has quit IRC03:31
*** openstackgerrit has joined #openstack-keystone03:32
openstackgerritJamie Lennox proposed openstack/keystone: Reject rule if assertion type unset
*** ankita_wagh has joined #openstack-keystone03:54
*** gordc has quit IRC03:56
*** lhcheng has quit IRC04:21
*** sigmavirus24_awa is now known as sigmavirus2404:23
*** sigmavirus24 is now known as sigmavirus24_awa04:34
openstackgerritEric Brown proposed openstack/keystone: Use min and max on IntOpt option types
*** hrou has quit IRC05:02
*** kiran-r has joined #openstack-keystone05:10
*** geoffarnold has joined #openstack-keystone05:11
*** geoffarnold has quit IRC05:15
*** geoffarnold has joined #openstack-keystone05:21
*** urulama has joined #openstack-keystone05:27
*** ankita_wagh has quit IRC05:41
*** ankita_wagh has joined #openstack-keystone05:41
*** henrynash has joined #openstack-keystone05:47
*** ChanServ sets mode: +v henrynash05:47
*** jamielennox is now known as jamielennox|away05:47
*** henrynash has quit IRC05:55
*** henrynash has joined #openstack-keystone05:58
*** ChanServ sets mode: +v henrynash05:58
*** stevemar has joined #openstack-keystone06:02
*** ChanServ sets mode: +v stevemar06:02
*** dikonoor has quit IRC06:04
stevemari wonder if jamielennox|away is truly away06:07
*** urulama has quit IRC06:08
*** urulama has joined #openstack-keystone06:09
*** henrynash has quit IRC06:09
*** lsmola has joined #openstack-keystone06:11
*** Nirupama has joined #openstack-keystone06:18
*** geoffarnold is now known as geoffarnoldX06:21
*** _kiran_ has joined #openstack-keystone06:25
*** kiran-r has quit IRC06:27
*** geoffarnoldX is now known as geoffarnold06:27
*** geoffarnold is now known as geoffarnoldX06:29
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core
openstackgerritDave Chen proposed openstack/keystone: Move endpoint filter into keystone core
*** stevemar has quit IRC06:53
*** fhubik has joined #openstack-keystone07:02
*** ankita_wagh has quit IRC07:05
*** RA_ has quit IRC07:09
*** _kiran_ has quit IRC07:17
*** rajesht has joined #openstack-keystone07:24
rajeshthi cores,07:24
rajeshtneed one more +2 on patch
*** paulose has joined #openstack-keystone07:32
paulosehi is it a good practice to add users to admin role07:32
*** henrynash has joined #openstack-keystone07:43
*** ChanServ sets mode: +v henrynash07:43
tobasco_can i run keystone in apache with and without ssl at the same time?07:44
tobasco_i cannot get keystone ssl to work with ceilometer for example, im thinking about applying the ssl cert on the haproxy load balancer infront of keystone instead07:44
*** yottatsa has joined #openstack-keystone07:50
openstackgerritMarek Denis proposed openstack/keystone: Ensure ephemeral user's user_id is url-safe
openstackgerritMarek Denis proposed openstack/keystone: Respect federated user name in tokens.
*** pnavarro has joined #openstack-keystone07:59
*** yottatsa has quit IRC08:08
*** fhubik is now known as fhubik_brb08:09
*** paulose has quit IRC08:13
*** yottatsa has joined #openstack-keystone08:15
*** jistr has joined #openstack-keystone08:17
*** yottatsa has quit IRC08:23
*** yottatsa has joined #openstack-keystone08:25
*** urulama has quit IRC08:26
*** urulama has joined #openstack-keystone08:27
*** fhubik_brb is now known as fhubik08:31
*** yottatsa has quit IRC08:39
*** jistr has quit IRC08:45
*** jistr has joined #openstack-keystone08:47
*** shadower49 is now known as shadower08:48
*** henrynash has quit IRC08:50
*** pnavarro is now known as pnavarro|mtg08:55
openstackgerritMerged openstack/keystoneauth: Clean up exception messages
*** jistr has quit IRC09:08
*** amakarov has joined #openstack-keystone09:15
*** katkapilatova has joined #openstack-keystone09:20
*** aix has joined #openstack-keystone09:20
*** lhinds has joined #openstack-keystone09:20
*** lhinds has quit IRC09:21
*** pnavarro|mtg is now known as pnavarro09:21
*** claudiub has joined #openstack-keystone09:23
*** rajesht_ has joined #openstack-keystone09:34
*** rajesht has quit IRC09:34
*** e0ne has joined #openstack-keystone09:51
*** davechen has left #openstack-keystone09:53
openstackgerritMerged openstack/keystone: Stop using deprecated assignment manager methods
*** yottatsa has joined #openstack-keystone10:06
*** e0ne has quit IRC10:08
openstackgerritMerged openstack/keystone: Remove deprecated methods from assignment.Manager
*** Kennan has quit IRC10:09
*** Kennan has joined #openstack-keystone10:10
*** fhubik is now known as fhubik_brb10:13
*** aix has quit IRC10:15
*** yottatsa has quit IRC10:18
*** e0ne has joined #openstack-keystone10:18
*** yottatsa has joined #openstack-keystone10:19
*** urulama has quit IRC10:31
*** marzif has joined #openstack-keystone10:31
*** urulama has joined #openstack-keystone10:31
*** ekarlso has quit IRC10:32
*** ekarlso has joined #openstack-keystone10:32
*** e0ne has quit IRC10:40
*** aix has joined #openstack-keystone10:48
*** jamielennox|away has quit IRC10:50
*** mhu has quit IRC10:51
*** jistr has joined #openstack-keystone10:52
*** nzeer has quit IRC10:54
*** Guest7770 has quit IRC10:55
*** jacorob has quit IRC10:55
*** eglute has quit IRC10:55
*** lbragstad has quit IRC10:55
*** jacorob has joined #openstack-keystone10:55
*** ctracey has quit IRC10:55
*** mhu has joined #openstack-keystone10:56
*** sudorandom has quit IRC10:56
*** blewis has joined #openstack-keystone10:56
*** akscram has quit IRC10:56
*** dikonoo has joined #openstack-keystone10:56
*** dikonoor has joined #openstack-keystone10:56
*** dikonoo has quit IRC10:56
*** blewis is now known as Guest546910:56
*** vmbrasseur has quit IRC10:56
*** ctracey has joined #openstack-keystone10:58
*** sudorandom has joined #openstack-keystone11:01
*** vmbrasseur has joined #openstack-keystone11:01
*** lbragstad has joined #openstack-keystone11:02
*** eglute has joined #openstack-keystone11:02
*** nzeer has joined #openstack-keystone11:02
*** akscram has joined #openstack-keystone11:03
*** jamielennox|away has joined #openstack-keystone11:04
*** jamielennox|away is now known as jamielennox11:04
*** ChanServ sets mode: +v jamielennox11:04
*** samueldmq has joined #openstack-keystone11:10
*** abhirc has joined #openstack-keystone11:18
*** jaosorior has joined #openstack-keystone11:19
*** fhubik_brb is now known as fhubik11:22
*** topol has joined #openstack-keystone11:23
*** ChanServ sets mode: +v topol11:23
*** Nirupama has quit IRC11:27
*** topol has quit IRC11:28
samueldmqany information we need to pass down to the service (from middleware) is done via env vars, right ?11:29
*** gordc has joined #openstack-keystone11:43
*** rajesht_ has quit IRC12:06
*** shoutm has joined #openstack-keystone12:07
*** markvoelker_ has quit IRC12:10
*** piyanai has joined #openstack-keystone12:14
*** urulama has quit IRC12:15
*** raildo-afk is now known as raildo12:15
*** urulama has joined #openstack-keystone12:15
claudiubhello, any keystone folks can look at this bug fix?
*** geoffarnoldX is now known as geoffarnold12:16
*** markvoelker has joined #openstack-keystone12:17
*** geoffarnold is now known as geoffarnoldX12:19
*** markvoelker has quit IRC12:19
*** markvoelker has joined #openstack-keystone12:20
*** piyanai has quit IRC12:20
*** markvoelker has quit IRC12:20
*** diegows has joined #openstack-keystone12:20
*** diegows has quit IRC12:21
*** abhirc has quit IRC12:22
*** vivekd has joined #openstack-keystone12:23
*** markvoelker has joined #openstack-keystone12:25
silehtdolphm, hi, perhaps you can take a look to I have fixed your remarks, thx12:25
*** daemontool__ has joined #openstack-keystone12:27
openstackgerritDolph Mathews proposed openstack/keystone: Handle tokens created and quickly revoked with insufficient timestamp precision
*** piyanai has joined #openstack-keystone12:27
*** daemontool_ has quit IRC12:29
*** edmondsw has joined #openstack-keystone12:31
*** jistr has quit IRC12:31
*** jistr has joined #openstack-keystone12:33
*** petertr7_away is now known as petertr712:37
*** doug-fish has joined #openstack-keystone12:48
*** bknudson has left #openstack-keystone12:50
marekddolphm: Hi. Anychances for revisiting ? There were mostly nits, so should be easy to re-evaluate. And I would like to have this patch soon in master as I have a few chaines of patches depending on this one.12:55
marekddolphm: another questions - so whenever we add new 'field' to the fernet payload, it will take some space no matter whether it's set or not, right?12:56
dolphmmarekd: ++12:57
dolphmmarekd: and yes to your question12:57
dolphmmarekd: it'll add at least a byte12:57
marekdah, that's still better rather than 4bytes as we expect uuids to be 4 bytes.12:58
dolphmmarekd: but because of the block cipher, may or may not impact the fernet token size *immediately* (but will impact us later on)12:58
marekddolphm: i am thinking about this limit of 255 bytes12:58
*** dsirrine has quit IRC12:58
marekdif we mix project_id and user name we might break the limit.12:59
*** yottatsa has quit IRC12:59
dolphmmarekd: especially if those aren't uuids12:59
marekdproject_id is typically uuid12:59
*** annasort has joined #openstack-keystone13:00
marekdfor the names - i am thinking whether some set of good practces "don't set username" will help.13:00
dolphmmarekd: don't set username in the mapping?13:01
marekddolphm: yes, if you don't set username it will take user_id value.13:01
marekdor simply "mind that username must go to fernet payoad and this can hit your performance"13:01
dolphmmarekd: do we really need to support separate usernames then?13:01
marekddolphm: separate name and id ?13:02
dolphmmarekd: yes13:02
dolphmmarekd: token size is not just performance, it's a user experience compromise... in this case, we're trading one UX issue for another (usernames available to OS vs smaller tokens)13:02
marekddolphm: given that we allow users to set user_name and this may be different from user_id we would break this rule in fernet.13:03
marekddolphm: our engines will fill username if they are missing, and this will be pretty much equal to user_id13:04
marekdthe problem is if you need user_id to be and name something nicer13:04
dolphmmarekd: but why would people *need* that?13:04
marekddolphm: I don't know - a service provider wants to be able to show "Dolph Mathews" in the dashboard rather that your e-mail address ? Now, while there mifht be lots of Dolphs we can assume there is only Or worse...what if you identify users (user_id) by some random uuid known only to your IdP.13:06
*** yottatsa has joined #openstack-keystone13:07
marekd"Hello uu452123fhsdfsdF" doesn't sound nice.13:07
dolphmmarekd: so, don't show a user "name" in horizon at all then13:07
marekdi am good with that.13:07
marekddolphm: the question is whether we can break the logic and stop supporting name in the mapping rules.13:09
marekdand build it from given id.13:09
*** yottatsa has quit IRC13:09
dolphmmarekd: that will be difficult, but it sounds like we should have that conversation with horizon folks and other federation stakeholders13:10
marekdwill ask today during my weekly meeting what my folks think about it.13:10
dolphmmarekd: my username has very little value to me beyond being an input to authentication... as an output of authentication, it's useless!13:11
*** hrou has joined #openstack-keystone13:11
marekdyeah, yet username is a required users's field.13:12
*** dims has joined #openstack-keystone13:12
samueldmqlbragstad, hey, are you around ?13:13
dolphmmarekd: well that made sense when the only auth method in keystone was username + password :)13:15
marekddolphm: uh, looks like bigger movement in OpenStack.13:17
marekdnot sure if I should push for squeezing name in the fernet payload.13:17
*** jsavak has joined #openstack-keystone13:17
marekddolphm: nevertheless i think those are more important: and later
*** curioswati has joined #openstack-keystone13:18
marekdas those are kind of blockers.13:18
*** yottatsa has joined #openstack-keystone13:18
*** richm has joined #openstack-keystone13:19
curioswatiHello I am a newbie and want to contribute to keystone. I looked for low hanging fruits and found one to work on. Can anyone tell me how should I begin? I am totally new to openstack.13:20
*** dsirrine has joined #openstack-keystone13:20
*** csoukup has joined #openstack-keystone13:21
*** eglute has quit IRC13:21
*** jecarey has joined #openstack-keystone13:21
samueldmqdstanek, morning, need some advice on dealing with files in python :)13:22
dstaneksamueldmq: ?13:22
*** d34dh0r53 has quit IRC13:22
*** sigmavirus24_awa has quit IRC13:22
*** dolphm has quit IRC13:22
samueldmqdstanek, if I have a single file to write to, and I have different evenlet processes, taht will eventually fail, right ?13:23
samueldmqdstanek, see david's comment there13:23
marekdsamueldmq: what are evenlet processes?13:23
*** dims has quit IRC13:23
*** e0ne has joined #openstack-keystone13:23
samueldmqmarekd, evenlet thread, I think that's what I meant13:23
dstaneksamueldmq: that's a good question. i think you could run into trouble yes13:25
samueldmqdstanek, soo.. if I try to open the file, and if it fails because it's already occupied, I give up13:25
*** jamielennox has quit IRC13:26
*** nicodemos has joined #openstack-keystone13:26
samueldmqdstanek, wouldn't that be a valid mechanism to allow only a policy request per endpoint to keystone13:26
dstaneksamueldmq: it won't fail unless you do a lock of some sort13:26
marekdsamueldmq: who will stop you from opening file twice?13:26
marekdos ?13:26
*** jecarey has quit IRC13:26
dstaneksamueldmq: have you woked with file locks before?13:27
*** sigmavirus24_awa has joined #openstack-keystone13:27
*** doug-fish has quit IRC13:27
samueldmqmarekd, I thought os would block that, but as dstack said, we need a lock13:27
samueldmqdstanek, yes, but not in python13:27
samueldmqdstanek, have we ever used that in our keystone code ?13:27
dstaneksamueldmq: then you'll want to do the same thing13:28
*** doug-fish has joined #openstack-keystone13:28
dstaneksamueldmq: no, because generally we don't write to files13:28
samueldmqdstanek, ok13:28
*** eglute has joined #openstack-keystone13:28
*** bapalm_ has joined #openstack-keystone13:28
samueldmqdstanek, so if we do a lock, you agree we avoid multiple requests to keystone per endpoint ? :-)13:28
*** thiagop has joined #openstack-keystone13:29
*** d34dh0r53 has joined #openstack-keystone13:29
dstaneksamueldmq: also you'll want to use the file context manager so the file handle is always properly closes13:29
samueldmqdstanek, using 'with' ?13:29
dstaneksamueldmq: how would that avoid it?13:29
*** doug-fis_ has joined #openstack-keystone13:29
*** curioswati has left #openstack-keystone13:30
*** zzzeek has joined #openstack-keystone13:30
samueldmqdstanek, so .. there is a single file to be written to, right ? if it has a lock, only an eventlet trhead will open it, the others will fail13:30
samueldmqdstanek, oh wait, does each eventlet thread will have its own ksclient instance ?13:31
*** doug-fi__ has joined #openstack-keystone13:31
*** links has joined #openstack-keystone13:31
samueldmqdstanek, 'will each eventlet thread have its own ksclient instance?' is better english :-)13:31
dstaneki think that you should catch the (i think) IOError when you try to obtain the exclusive lock and just don't write to the file.13:32
*** yottatsa has quit IRC13:32
*** doug-fish has quit IRC13:32
*** jecarey has joined #openstack-keystone13:32
dstanekyou have the option then of returning "old" policy if you can safely read it from somewhere or just hitting Keystone for it13:32
dstanek]i don't think you should fail the request13:32
*** doug-fish has joined #openstack-keystone13:33
*** dolphm has joined #openstack-keystone13:33
*** yottatsa has joined #openstack-keystone13:33
*** doug-fis_ has quit IRC13:34
*** doug-fish has quit IRC13:34
samueldmqdstanek, sure, if for a given evenlet thread it fails to open, just give up of updating the policy (don't reject the request, just continue without updating policy)13:34
*** doug-fish has joined #openstack-keystone13:34
samueldmqdstanek, that maybe because another thread's alreaady updating the policy13:34
dstaneksamueldmq: at the point where you are writing you have already hit Keystone right?13:35
samueldmqdstanek, so we avoid N calls to keystone when the policy expires, where N is the number of evenelt threads13:35
*** doug-fi__ has quit IRC13:36
dstaneksamueldmq: so you will acquire the lock before hitting keystone?13:36
samueldmqdstanek, yes13:36
*** petertr7 is now known as petertr7_away13:36
samueldmqdstanek, that's the idea13:37
dstaneksamueldmq: so that would be in the Keystone code right?13:40
*** piyanai has quit IRC13:41
samueldmqdstanek, ksmiddleware, who writes to the file13:41
*** bknudson has joined #openstack-keystone13:41
*** ChanServ sets mode: +v bknudson13:41
samueldmqdstanek, as the file containing the dynamic-policy is written locally, in order to be read later at enforcement time13:41
dstaneksamueldmq: :-) right, sorry. i meant just no oslo code.13:41
samueldmqdstanek, yes, called by ksmiddleware13:42
samueldmqdstanek, wait... actually that code belonds to oslo, since the file writes are handled there, i.e we use oslo to update_dynamic_policy13:42
samueldmqdstanek, but we can revisit that if you think it isn't the appropriate pleace13:43
*** jamielennox|away has joined #openstack-keystone13:43
*** doug-fish has quit IRC13:43
dstaneksamueldmq: that's what i said above ^  you'll still hit keystone and will just be locked out of writing the file13:43
*** jamielennox|away is now known as jamielennox13:43
*** ChanServ sets mode: +v jamielennox13:43
*** doug-fish has joined #openstack-keystone13:43
samueldmqdstanek, hm, so the code to open/write to the file would need to live at middleware13:44
*** topol has joined #openstack-keystone13:46
*** ChanServ sets mode: +v topol13:46
dstaneksamueldmq: if you want to prevent multiple keystone hits then yes, but you still have the possibility of a race condition so i don't know how safe it is13:47
*** diazjf has joined #openstack-keystone13:47
samueldmqdstanek, even if using atomic locks etc, we can have race conditions ?13:47
*** doug-fish has quit IRC13:48
samueldmqdstanek, actually there will alway be race condition, as they are all competing for opening the file, but the fact is that only 1 will open it, and if we use an atomic lock we can guarantee that13:48
dstaneksamueldmq: sure, for the writes you won't have a race13:49
dstaneksamueldmq: but you are expecting to be able to read the file while the lock is holding right?13:49
*** geoffarnoldX is now known as geoffarnold13:50
*** doug-fish has joined #openstack-keystone13:50
samueldmqdstanek, we write to a common temp file, and then atomically rename it ot the one we read13:50
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin for hierarchical models
samueldmqdstanek, so I think that shouldnt be an issue13:51
*** dims_ has joined #openstack-keystone13:52
samueldmqbknudson, did we cover all your topics in the last meeting ? I am going to update that page, so making sure I am not leaving something that was uncovered ..13:53
bknudsonsamueldmq: just clear it out13:54
samueldmqbknudson, thanks13:54
bknudsonI can add things to it again if I want to cover it.13:54
*** yottatsa has quit IRC13:55
dstaneksamueldmq: i'm not sure you are correct. if thread A opens the file, thread B replaces the file and the thread A goes to read....what do you expect to happen?13:56
*** petertr7_away is now known as petertr713:57
samueldmqdstanek, so thread A could even read a half old and a half updated .13:57
samueldmqdstanek, right ?13:57
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin for hierarchical models
dstaneksamueldmq: i don't think it can ever get a half written file because of how unix file semantics works (unless they move happens between two different file systems13:59
*** ngupta has joined #openstack-keystone13:59
dstaneksamueldmq: i think in general the reader will be OK, I just don't know if that's a unix guarantee13:59
*** boris-42 has joined #openstack-keystone14:00
*** yottatsa has joined #openstack-keystone14:00
samueldmqdstanek, so I need to check that case where A is reading and B is writting atomically (moving the tmp file) at the same time14:01
samueldmqdstanek, you know someone in the community I could check that with ?14:01
dstaneksamueldmq: i  think we need to find out what happens14:01
dstaneksamueldmq: maybe start with -infra?14:02
*** pnavarro has quit IRC14:02
samueldmqdstanek, yes :)14:04
dstaneksamueldmq: also we'll have to note that the tmp file and the policy file must be on the same file system14:04
samueldmqdstanek, also.. how does eventlet work ? does it creates multiple instantiations of the service or does it share the same instance?14:05
samueldmqdstanek, more specifically, would multiple evenlet threads share the same ksclient ?14:05
*** henrynash has joined #openstack-keystone14:06
*** ChanServ sets mode: +v henrynash14:06
samueldmqdstanek, about the tmp file, yes, we look at where the policy file is, and create a tmp in the same dir :)14:06
dstaneksamueldmq: i don't think they share everything, but i'm not entirely sure which things are shared and which are not14:06
dstaneksamueldmq: we'll also have to be very careful here since we are introducing a new attack vector14:07
samueldmqdstanek, yes because they will need to share the same .tmp file, maybe we just get hte policy file and add a .tmp at the end14:07
samueldmqdstanek, yes, but it's basically the same of having attacker updating the policy file directly, isn't it ?14:08
*** jamielennox has quit IRC14:08
dstaneksamueldmq: yes and no. we don't do that right now so it doesn't matter. in the API where they are uploading a policy we know it's coming and can take proper action. in the new case we have to be careful that we can't be tricked on *any* request to write a policy14:09
*** jamielennox|away has joined #openstack-keystone14:10
*** jamielennox|away is now known as jamielennox14:11
*** ChanServ sets mode: +v jamielennox14:11
*** marzif has quit IRC14:11
*** marzif has joined #openstack-keystone14:12
dstaneksamueldmq: so it looks like once the file is opened for read that we should be OK. it sounds like the file handle remains active and the file isn't actually deleted until it's closed. it's just that you can no longer see it through the filesystem.14:13
openstackgerritNikita Konovalov proposed openstack/python-keystoneclient: Fix logging of binary contentent in request
samueldmqdstanek, yeah, you looking at infra ?14:14
samueldmqso we're safe from that -)14:14
dstaneksamueldmq: reading now...14:16
dstaneksamueldmq: excellent. i had to look it up in one of my old unix books14:17
*** narengan has joined #openstack-keystone14:17
*** nkinder has joined #openstack-keystone14:19
samueldmqdstanek, nice, we just confirmed then, thanks for looking at it as well14:19
openstackgerritBoris Bobrov proposed openstack/keystone: Prevent exception due to missing id of LDAP entity
openstackgerritBoris Bobrov proposed openstack/keystone: Expose exception due to missing id of LDAP entity
marekdsamueldmq: so is a eventlet green thread is one posix process/thread ?14:20
*** petertr7 is now known as petertr7_away14:20
*** bknudson has quit IRC14:21
dstanekmarekd: no, eventlet is cooperative real threads afaik14:21
samueldmqdstanek, if we wanted to keep the file writing logic at oslo.policy, would it make sense to you to do something like (at ksmiddlewre): 1) oslo.lock_policy_file 2) ksclient.get_policy_from_keystone 3) oslo.write_policy_and_release14:21
*** markvoelker has quit IRC14:21
openstackgerritBoris Bobrov proposed openstack/keystone: Prevent exception due to missing id of LDAP entity
openstackgerritBoris Bobrov proposed openstack/keystone: Expose exception due to missing id of LDAP entity
samueldmqdstanek, just to leave the file handling at oslo .. if that makes more sense14:22
*** markvoelker has joined #openstack-keystone14:22
marekddstanek: so actaly if you open the file in one green thread, read n bytes, and start reading file in another green thread it will start from n+1'th byte?14:22
marekdas internally this is one posix process/thread etc etc14:23
dstaneksamueldmq: my biggest concern there is that we'll have to be careful to unlock the file in a timely manner. if we use the context manager i think it's less of a concern14:23
dstanekmarekd: no, ideally you'd have opened the file twice. once in each green "thread"14:23
*** shoutm has quit IRC14:24
marekddstanek: a, it will give two fds14:24
dstanekmarekd: the way i think of it (which may not be entirely technically accurate) is that eventlet has a list of "threads" which are really just objects. each time one of the objects call IO bound methods (and other things) it moves down the list and give another object the chance to execute14:25
dstanekmarekd: yes, same as opening the file twice14:25
samueldmqdstanek, something like with lock(file):14:25
marekdfrom open(2):                       │16:25:20        +dstanek | marekd: the way i think of it (which may not be entirely           │ breton_14:25
*** petertr7_away is now known as petertr714:25
marekdEach  open(2)  of  a  file  creates a new open file description;14:26
marekd       thus, there may be multiple open file descriptions corresponding14:26
marekd       to a file inode.14:26
dstanekmarekd: exactly14:26
* samueldmq is reading up14:26
samueldmqnice :)14:27
*** jasonsb has quit IRC14:27
dstaneksamueldmq: sure, i don't know what the new fangled way to do it is. in the past i've used fcntl (a stdlib module) to do this soft of thing14:27
openstackgerritAlexander Makarov proposed openstack/keystone: Make application initialization a critical section
dstaneksamueldmq: fcntl(f.fileno(), fcntl.LOCK_EX|fcntl.LOCK_NB) -- or something like that14:28
*** yottatsa has quit IRC14:28
*** yottatsa has joined #openstack-keystone14:29
*** tonytan4ever has joined #openstack-keystone14:29
samueldmqdstanek, I am still digesting , looking at the fcntl module14:29
*** narengan has quit IRC14:29
*** narengan has joined #openstack-keystone14:30
*** shoutm has joined #openstack-keystone14:30
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model
dstaneksamueldmq: fcntl.lockf :-)14:30
samueldmqdstanek, hm, so this does exactly the locking thing14:31
*** ngupta has quit IRC14:31
*** diazjf has quit IRC14:31
samueldmqdstanek, yeah, "lockf - apply, test or remove a POSIX lock on an open file "14:31
dstaneksamueldmq: actually flock is the right thing memory isn't so great in my advanced age14:31
dstaneksamueldmq: yes, that is using system calls to lock the file14:31
samueldmqdstanek, advanced age ? that made me laugh :-)14:32
*** jecarey has quit IRC14:33
dstaneki think it may be breakfast time14:34
samueldmqdstanek, so looks like there is some coding to be done :)14:34
samueldmqdstanek, bon apetit14:34
*** narengan has quit IRC14:34
*** alejandrito has joined #openstack-keystone14:37
*** jecarey has joined #openstack-keystone14:40
*** bapalm_ has quit IRC14:41
*** diazjf has joined #openstack-keystone14:42
*** jecarey has quit IRC14:44
*** pgbridge has quit IRC14:44
*** bapalm- has joined #openstack-keystone14:45
htrutais anyone else having problems on running keystone tests?14:48
htrutatox gives me "Double requirement given"14:48
*** pgbridge has joined #openstack-keystone14:49
*** yottatsa has quit IRC14:51
*** fhubik is now known as fhubik_brb14:51
*** yottatsa has joined #openstack-keystone14:51
*** fhubik_brb is now known as fhubik14:52
*** jecarey has joined #openstack-keystone14:57
krotscheckDoes keystone make use of any nonbasic http headers?14:58
krotscheckmorganfainberg: Which ones?14:59
krotscheckANything else?14:59
dolphmkrotscheck: and X-Subject-Token14:59
krotscheckAwesome, thanks14:59
morganfainbergUmm... Maybe one more14:59
*** shoutm has quit IRC15:00
dolphmmorganfainberg: i can't think of any that are used externally15:00
*** jecarey_ has joined #openstack-keystone15:00
*** jecarey_ has quit IRC15:00
*** jecarey has quit IRC15:00
morganfainbergdolphm: yeah15:00
*** jecarey has joined #openstack-keystone15:00
samueldmqmorganfainberg, Cache-Control ?15:00
morganfainbergsamueldmq: that is http spec15:00
samueldmqif that's non-basic15:00
dolphmkrotscheck: ignore the ones that are "new in version 3.4 -- those aren't used outside keystone
morganfainbergAt this point15:01
samueldmqmorganfainberg, k got it15:01
dolphmmorganfainberg: those really shouldn't be documented as part of that spec, at all15:01
krotscheckThe list considered basic is "Accept, Accept-language, Content-type, cache-control, content-language, expires, last-modified, pragma"15:01
*** geoffarnold is now known as geoffarnoldX15:01
*** mpmsimo has joined #openstack-keystone15:01
morganfainbergdolphm: fair enough15:01
dolphmmorganfainberg: i take that back -- they're all used for tokenless authz?15:02
morganfainbergdolphm: oooh yah maybe15:02
dolphmmorganfainberg: against keystone?15:02
dolphmmorganfainberg: or auth_token?15:02
krotscheckOk, so I'd like to add some middleware to keystone, and from the number of headers y'all have it makes a bit more sense to do it in code rather than in paste.ini15:03
morganfainbergHmm. Keystone15:03
* krotscheck has specs and docs and things for the curious.15:03
*** mpmsimo1 has joined #openstack-keystone15:03
morganfainbergAuth token doesn't use the token less stuff yet (ever?)15:03
krotscheckMy question is: Where would that live?15:03
openstackgerritAndrey Pavlov proposed openstack/keystone: Add S3 signature v4 checking
morganfainbergkrotscheck: don't do it in paste-ini ... Even if we had no other headers15:04
krotscheckmorganfainberg: Is there a single magic place where I can add it then?15:04
* krotscheck is grepping through code right now to try to understand how the app is set up.15:05
morganfainbergDepends what are they?15:05
morganfainbergAnd are they sent out or consumed by keystone?15:05
morganfainbergOr both15:05
*** narengan has joined #openstack-keystone15:05
*** mpmsimo has quit IRC15:06
morganfainbergOk I don't know pecan15:06
dolphmkrotscheck: "from the number of headers y'all have it makes a bit more sense to do it in code rather than in paste.ini" what does this mean?15:06
samueldmqhenrynash, dolphm fyi: change #208609 now contains tests as you guys asked for it (in its parent change)15:06
samueldmqand should be very easy to review/merge, given that the change is very simple15:07
morganfainbergDoes that mean cors headers are sent on our requests or consumed by keystone there? (I assume the former based on how cors works)15:07
morganfainbergdolphm: it means he isn't wedging things into our paste pipeline15:07
*** mpmsimo1 has quit IRC15:08
krotscheckdolphm: The TL/DR version is that there's a middleware that permits breaking the browser sandbox, but it needs to have a list of nonstandard headers explicitly provided to it. You can do that in paste.ini, or in oslo.confg, however the nature of oslo_middleware and oslo-config-generator is that you can't make App-specific properties show up in generated config files. Which leaves me with two things: 1- custom documentation for every single15:08
krotscheckAPI, or 2- tell the middleware which custom headers are being used.15:08
krotscheckmorganfainberg: Sortof. The "Allow headers" field is "Here's a header that the client is permitted to send to us". The "expose headers" field is "Here's a list of headers that the client is permitted to read on our response.15:09
dolphmkrotscheck: 3) change the nature of oslo-config-generator ?15:09
morganfainbergHmm.. Not sure where to put that atm...15:11
krotscheckdolphm... and then propagate the new config markup to all the projects?15:11
dolphmkrotscheck: i don't know -- where/how would you test keystone running with CORS?15:12
* morganfainberg wants to see paste die. But I know that isn't reasonable.15:12
krotscheckdolphm: Well, the middleware itself is pretty hardcore tested already. The way I'd add tests to keystone is to add header checks to make sure no new added headers sneak in without our knowledge.15:12
krotscheckmorganfainberg: Well, I see pasteinit pointing at all the generators in the
morganfainbergYes. We are working to collapse that into a single thing15:13
morganfainbergThey way we have it sucks :(15:14
krotscheckmorganfainberg: Is that likely to happen before feature freeze?15:14
krotscheckOk, lemme rephrase that. Is that likely to happen _this week_?15:14
krotscheckBecause feature freeze.15:14
morganfainbergAnd that isn't impacted by ff15:14
krotscheckOk, so what's your recommended approach?15:14
*** piyanai has joined #openstack-keystone15:15
krotscheckNote: I can use paste.ini things, but that requires a ton more documentation and is less testable.15:15
krotscheckAnd if I have to do that for every service in openstack there's no way I'm going to get it done before feature freeze.15:15
morganfainbergI am unsure how you can place in Oslo middleware except in paste until we are off our awful wsgi code15:15
morganfainbergI would look to see if you can put it in the base stuff15:16
morganfainbergAs low15:16
morganfainbergLevel as possible15:16
morganfainbergThat way as long as it is tested we can worry about carrying that forward as we move away from the icky paste stuff15:17
morganfainbergkrotscheck: in here
morganfainbergIn render response15:19
morganfainbergIs my guess15:19
*** urulama has quit IRC15:20
*** urulama has joined #openstack-keystone15:20
*** geoffarnoldX is now known as geoffarnold15:22
*** fhubik has quit IRC15:27
*** geoffarnold has quit IRC15:28
*** jsavak has quit IRC15:30
*** jsavak has joined #openstack-keystone15:31
*** narengan has quit IRC15:31
*** narengan has joined #openstack-keystone15:32
*** jasonsb has joined #openstack-keystone15:35
*** jistr has quit IRC15:35
*** dims__ has joined #openstack-keystone15:36
*** tellesnobrega has quit IRC15:37
*** david-ly_ is now known as david-lyle15:38
*** jistr has joined #openstack-keystone15:38
*** jsavak has quit IRC15:39
*** dims_ has quit IRC15:39
*** jsavak has joined #openstack-keystone15:40
*** raildo is now known as raildo-afk15:42
*** raildo-afk is now known as raildo15:42
*** e0ne has quit IRC15:42
*** tellesnobrega has joined #openstack-keystone15:43
*** e0ne has joined #openstack-keystone15:44
*** lhcheng has joined #openstack-keystone15:47
*** ChanServ sets mode: +v lhcheng15:47
*** doug-fish has quit IRC15:49
*** doug-fish has joined #openstack-keystone15:49
openstackgerritOlivier Pilotte proposed openstack/keystone-specs: Accepts Group IDs from the IdP without domain
*** alejandrito has quit IRC15:53
*** doug-fish has quit IRC15:54
*** gyee has joined #openstack-keystone15:54
*** ChanServ sets mode: +v gyee15:54
*** petertr7 is now known as petertr7_away15:56
*** katkapilatova has left #openstack-keystone15:57
*** yottatsa has quit IRC15:58
*** ngupta has joined #openstack-keystone15:58
*** yottatsa has joined #openstack-keystone16:00
*** geoffarnold has joined #openstack-keystone16:01
*** bknudson has joined #openstack-keystone16:01
*** ChanServ sets mode: +v bknudson16:01
*** doug-fish has joined #openstack-keystone16:05
*** links has quit IRC16:08
*** mpmsimo has joined #openstack-keystone16:08
*** urulama has quit IRC16:11
*** urulama has joined #openstack-keystone16:12
*** __dstanek__ has joined #openstack-keystone16:12
*** mpmsimo has quit IRC16:12
*** dims__ has quit IRC16:12
*** jistr has quit IRC16:13
*** dims has joined #openstack-keystone16:13
__dstanek__as my son says, "everything is awesome!"16:13
*** dims is now known as dims__16:13
*** marzif has quit IRC16:18
*** _cjones_ has joined #openstack-keystone16:19
samueldmq__dstanek__, ++16:20
samueldmqgyee, ping - need to check some requirements on policies with you, as youre the stackholder for this atm  :-)16:20
*** narengan has quit IRC16:24
*** BAKfr has quit IRC16:25
*** BAKfr has joined #openstack-keystone16:26
*** doug-fish has quit IRC16:31
*** doug-fish has joined #openstack-keystone16:31
*** jsavak has quit IRC16:34
*** narengan has joined #openstack-keystone16:34
*** jsavak has joined #openstack-keystone16:38
gyeesamueldmq, sure, let me email16:41
*** jsavak has quit IRC16:42
samueldmqgyee, k ping me when you're available :-)16:42
*** dims__ has quit IRC16:43
*** jsavak has joined #openstack-keystone16:43
*** tonytan4ever has quit IRC16:45
*** dims__ has joined #openstack-keystone16:45
*** lhcheng has quit IRC16:52
*** ankita_wagh has joined #openstack-keystone16:53
*** piyanai has quit IRC16:54
*** tonytan4ever has joined #openstack-keystone16:55
*** urulama is now known as urulama__16:56
*** diegows has joined #openstack-keystone17:00
dims____dstanek__: morganfainberg: or other policy folks... please bless this review?
*** piyanai has joined #openstack-keystone17:00
morganfainbergHi. Will look as soon as I order breakfast17:00
dims__thanks morganfainberg17:01
openstackgerritHenrique Truta proposed openstack/keystone: Tests for projects acting as domains
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains
openstackgerritHenrique Truta proposed openstack/keystone: Unit tests for is_domain field in project's table
openstackgerritHenrique Truta proposed openstack/keystone: Replicate domain info in projects table
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name
dstanekmorganfainberg: i may beat you to it17:02
morganfainbergdstanek: hehe17:02
*** topol has quit IRC17:04
* dims__ ready to be the referee17:04
*** mpmsimo has joined #openstack-keystone17:05
openstackgerritOlivier Pilotte proposed openstack/keystone-specs: Accepts Group IDs from the IdP without domain
*** roxanaghe has joined #openstack-keystone17:08
*** doug-fish has quit IRC17:08
*** doug-fish has joined #openstack-keystone17:09
*** mpmsimo has quit IRC17:09
morganfainbergdims__: photo finish!!17:10
dims__thanks to both of you17:11
*** marzif has joined #openstack-keystone17:12
* morganfainberg tags dstanek in for the next review17:12
*** doug-fish has quit IRC17:13
*** mylu has joined #openstack-keystone17:13
*** jecarey has quit IRC17:14
dstanekmorganfainberg: sure17:15
morganfainbergdstanek: any hope of getting flask-y things this cycle?17:15
morganfainbergdolphm: I totally am going to try roasting my own coffee. I expect it to be awful :P17:16
morganfainbergBut I'm going to send you some :P17:16
*** dsirrine has quit IRC17:17
dstanekmorganfainberg: i think partially yes, i was working on breaking up a couple more patches yesterday. i've been changing lots of infrastructural things like wsgi to test things all working17:17
*** marzif has quit IRC17:17
dstanekmorganfainberg: that sounds like a lot of work17:18
morganfainbergYah. It does.17:18
openstackgerritMerged openstack/keystonemiddleware: Allow to use oslo.config without global CONF
morganfainbergAlso if you have a few i'd like a full review of keystoneauth17:19
morganfainbergAnything that looks awful.17:19
morganfainbergI want to get it into g-r17:19
morganfainbergBut we need 1.0 for that17:19
openstackgerritHenrique Truta proposed openstack/keystone: Some fixes in the is_domain field creation
*** petertr7_away is now known as petertr717:20
*** aix has quit IRC17:20
*** samleon has joined #openstack-keystone17:22
*** urulama__ has quit IRC17:23
*** urulama__ has joined #openstack-keystone17:24
*** ankita_wagh has quit IRC17:24
morganfainbergmordred jamielennox: just approved the backlog of ksa patches17:25
morganfainbergI want to wind down dev if at all possible for 1.0 before the end of the week.17:25
mordredmorganfainberg: woot!17:25
morganfainbergUnless we really have missed on things.17:25
morganfainbergSo look at -1 Jenkins etc patches and les see if we want them17:25
morganfainbergAnd I'll poke jamielennox later today to see if we need to land anything else specific17:26
morganfainbergAnd try and corral some keystone-cores to full review ksa117:27
*** diegows has quit IRC17:29
*** lhcheng has joined #openstack-keystone17:31
*** ChanServ sets mode: +v lhcheng17:31
openstackgerritDavid Stanek proposed openstack/keystone: Stops using deprecated assignment manager methods
*** alextricity has joined #openstack-keystone17:33
dstanekhtruta: i don't know when to review all that stuff. it's still changing so frequently17:33
*** mylu has quit IRC17:34
*** mylu has joined #openstack-keystone17:35
*** dsirrine has joined #openstack-keystone17:35
*** mylu has quit IRC17:36
*** piyanai has quit IRC17:36
*** mylu has joined #openstack-keystone17:36
dstanekquick one:
*** dikonoor has quit IRC17:40
*** ankita_wagh has joined #openstack-keystone17:43
morganfainbergIt is amazing how much better I can see with glasses :P17:44
krotscheckmorganfainberg: All this stuff in seems... vendored?17:44
htrutadstanek: it was just a rebase... I was having merge problems17:45
morganfainbergkrotscheck: it is somewhat. But that is where we manage the requests. Once we move to flask that goes away17:45
htrutadstanek: this one is a very good start :D17:45
morganfainbergkrotscheck: so that is where I would place it to be processed on every request and it will get ported over to $better_thing once we ditch this custom framework thing17:46
krotscheckmorganfainberg: I... have a slightly different proposal?17:47
krotscheckI have zero idea if itll work17:47
morganfainbergSure. If it involves paste im going to cry17:47
morganfainbergJust FYI17:47
krotscheckIt sortof involves paste.17:47
* morganfainberg cries17:47
morganfainbergSee what you did?17:48
krotscheckBut really just creates a uniform app factory17:48
*** doug-fish has joined #openstack-keystone17:48
*** __dstanek__ has quit IRC17:48
morganfainbergYeah I don't want to add anything to the paste pipeline people might remove / break by accident17:48
*** browne has joined #openstack-keystone17:48
morganfainbergWe have enough issues with that as is17:48
morganfainbergIf that makes sense?17:48
morganfainbergI am hoping we get it down to keystone is a single entry and covers all the things (our APIs are not optional and cannot be turned off)17:49
krotscheckmorganfainberg: I'm currently looking at what glance does.17:51
krotscheckAnd I think it might be adaptable.17:51
krotscheckThe paste.ini is here:
krotscheckAnd the root_app_factory referecned is here:
*** dsirrine has quit IRC17:52
*** Ephur has joined #openstack-keystone17:53
krotscheckBut looking at that, and your comments, the work necessary to make that a thing might be too impactful17:53
morganfainbergI would be much happier if this change involved zero paste-ini changes17:53
*** csoukup has quit IRC17:53
krotscheckOk, well, can you provide me with a more specific approach than *hand wavey* somewhere in that vendored package that may be overwritten by a vendoring update?17:53
morganfainbergIf there is no other good way ill accept paste-ini. But i'd rather not let deployers screw this bit up by accident/on purpose17:53
*** jasonsb_ has joined #openstack-keystone17:54
*** Ephur has quit IRC17:54
morganfainbergIf you put it in render_response and add a test to ensure it is there17:54
*** mylu has quit IRC17:54
*** jasonsb has quit IRC17:54
*** mylu has joined #openstack-keystone17:54
morganfainbergThe censoring bits are going away and we have carried thst for a long time without direct updates / copy paste17:55
krotscheckThat's... not actually a place I can add middleware.17:55
krotscheckLike, where's the _app_ created.17:55
krotscheckI see these "ComposingRouter" things17:55
morganfainbergThis as real middleware sucks :(17:55
morganfainbergBut uhhh17:55
morganfainbergIf it is17:55
krotscheckBut those don't extend Application17:55
krotscheckWhich seems to be the thing we want17:55
morganfainbergHmm let me17:56
morganfainbergFind the base application thing17:56
* morganfainberg dislikes middleware unless it is legitimately optional.17:56
morganfainbergIf not having this would break the world if probably should be baked in17:57
morganfainbergBut i get why it is done this way17:57
krotscheckI just found a thing called initialize_application()17:57
krotscheckIs that a thing?17:57
morganfainbergMaybe? Im on my phone trying to finish late breakfast :P17:57
dstanekkrotscheck: what do you mean by is that a thing?17:58
morganfainbergThat is where we have our app factories17:58
*** mylu has quit IRC17:59
krotscheckOk, so all apps that are created go through there?17:59
*** jecarey has joined #openstack-keystone17:59
*** rm_work is now known as rm_work|away18:00
morganfainbergAnd in you have "Application"18:00
morganfainbergThat extends base application18:00
*** mylu has joined #openstack-keystone18:00
dstanekkrotscheck: that is called in our httpd handler18:00
krotscheckOk, sec. I think that's what I need, lemme apply the thing and run the tests and then I'll come back with questions.18:01
dstanekkrotscheck: ComposingRouter and ComposableRouter won't be around for too much longer18:01
dstaneki was actually hoping to delete all of common.wsgi, but that's probably not in the cards for this cycle18:02
*** piyanai has joined #openstack-keystone18:02
*** mylu has quit IRC18:02
krotscheckCool, one last question. The X-Project-* headers and X-Domain-* headers - are those defined in constants somewhere?18:02
*** mylu has joined #openstack-keystone18:04
krotscheckI lied.18:04
krotscheckGET/PUT/POST/DELETE... any other HTTP methods in use?18:04
dstanek options if we do that sort of thing18:05
*** dsirrine has joined #openstack-keystone18:15
*** piyanai has quit IRC18:16
openstackgerritDolph Mathews proposed openstack/keystone: Handle tokens created and quickly revoked with insufficient timestamp precision
openstackgerritDolph Mathews proposed openstack/keystone: Do not revoke all of a user's tokens when a role assignment is deleted
*** bapalm- is now known as bapalm_18:19
*** ankita_w_ has joined #openstack-keystone18:27
*** piyanai has joined #openstack-keystone18:28
*** ankita_wagh has quit IRC18:30
openstackgerritMerged openstack/keystoneauth: Rename the actual plugin class to AdminToken
*** jasonsb_ has quit IRC18:31
*** piyanai has quit IRC18:31
openstackgerritMerged openstack/keystoneauth: Port in the argument scrubbing from OCC
*** Guest1060 has quit IRC18:34
*** piyanai has joined #openstack-keystone18:34
*** piyanai has quit IRC18:35
openstackgerritMerged openstack/oslo.policy: Overwrite option should not cause policy file reloading
*** tsymanczyk has joined #openstack-keystone18:44
*** tsymanczyk is now known as Guest7994318:44
*** rm_work|away is now known as rm_work18:48
*** geoffarnold is now known as geoffarnoldX18:49
*** geoffarnoldX is now known as geoffarnold18:49
openstackgerritMerged openstack/keystoneauth: Move session loading into loading module
*** piyanai has joined #openstack-keystone18:51
*** narengan has quit IRC18:58
*** jasonsb has joined #openstack-keystone18:59
*** narengan has joined #openstack-keystone18:59
*** narengan has quit IRC18:59
*** ankita_wagh has joined #openstack-keystone18:59
*** ankita_w_ has quit IRC19:03
*** e0ne has quit IRC19:04
*** jsavak has quit IRC19:05
*** vivekd has quit IRC19:05
*** jsavak has joined #openstack-keystone19:07
krotscheckFun fact - the flavor of openssl available on my osx box does not permit me to pass all the keystone tests.19:08
* krotscheck doesn't always test his code, but when he does, he does it in gerrit19:08
*** vivekd has joined #openstack-keystone19:08
openstackgerritMichael Krotscheck proposed openstack/keystone: Added CORS support to Keystone
alextricityIs Adam Young in the house?19:14
alextricityAnybody know his handle?19:15
samueldmqalextricity, it's ayoung, but he's not in the channel atm19:16
alextricitysamueldmq: Thanks. I was looking for someone to answer some questions about multi-domain backends.19:17
samueldmqalextricity, you can just ask here, someone else may have the answers you're looking for19:18
alextricityI'm getting some strange errors on my environment19:18
samueldmqgyee, basically, in the regard of policies, I need to know i) what inconsistency is acceptable for hp-cloud and ii) the probability you guys will deploy this solution in L :)19:19
morganfainbergkrotscheck: we don't support OS X as a target for these reasons19:19
alextricityDoes anybody know if the service users still use the sql identity driver?19:19
morganfainbergkrotscheck: we used to, but it just became more and more painful to support19:19
morganfainbergkrotscheck: you can brew update openssl...but still doesn't solve everything19:19
*** jsavak has quit IRC19:19
morganfainbergalextricity: ayoung is adam's IRC nick, but I think he's officially on vacation19:20
*** jsavak has joined #openstack-keystone19:22
*** afaranha has joined #openstack-keystone19:23
*** afaranha has left #openstack-keystone19:23
openstackgerritDolph Mathews proposed openstack/keystone: Test that unscoped tokens are revoked when deleting role assignments
*** petertr7 is now known as petertr7_away19:25
krotscheckmorganfainberg: Bah, why can you not submit to apple?19:27
morganfainbergkrotscheck: because they don't use / support the F/LOSS libraries19:28
morganfainbergthey have moved to their own libs for things like LDAP and SSL19:28
krotscheckmorganfainberg: SUBMIT!19:28
morganfainbergnot worth the headache19:28
openstackgerritDolph Mathews proposed openstack/keystone: Do not revoke all of a user's tokens when a role assignment is deleted
openstackgerritDolph Mathews proposed openstack/keystone: Handle tokens created and quickly revoked with insufficient timestamp precision
krotscheckmorganfainberg: The ghost of Steve Jobs Commands you!19:28
morganfainbergeasier to say "keystone doesn't support OS X"19:28
* morganfainberg hands the Ghost of Steve Jobs a vagrant file19:28
*** petertr7_away is now known as petertr719:29
*** urulama__ has quit IRC19:29
*** urulama__ has joined #openstack-keystone19:30
openstackgerritHenrique Truta proposed openstack/keystone: Honor domain operations in project table
*** Ephur has joined #openstack-keystone19:46
*** piyanai has quit IRC19:53
*** nicodemos has quit IRC19:57
*** jsavak has quit IRC19:57
*** thiagop has quit IRC20:01
*** exploreshaifali has joined #openstack-keystone20:04
morganfainbergdstanek: wow. our FakeLDAP thing is just awful20:05
* morganfainberg was trying to convert it to a fixture20:05
morganfainbergbut we do really weird things to support the "LiveLDAP" tests20:05
morganfainbergwhich really... don't do a heck of a lot20:05
dstanekmorganfainberg: yeah, i tried too20:07
dstaneki ran out of interest :-)20:07
morganfainbergI'm going to rip apart the external config file crap and remove it20:08
morganfainbergLDAPLive should move under functional anyway20:08
dstaneki think the problem i ran into was all of the reloading of data - that's why i was trying to do it20:08
morganfainbergso I'm content to move those there in the process20:08
morganfainbergah yeah I got rid of that with the python-ldap-test thing20:09
morganfainbergturned that into a fixture20:09
morganfainbergand bonus: we get real LDAP enforcement rather than "ooopse we don't really validate this is LDAP-y-things"20:09
morganfainbergthe down side... you need a java runtime for unit tests20:09
morganfainbergbut I'm not wholly upset by that20:09
morganfainbergso i think the steps are: 1) Move LiveTests to "functional"20:10
morganfainberg2) Rip out config files on disks as "unit tests"20:10
morganfainberg3) make test-ldap thing a fixture20:10
*** thiagop has joined #openstack-keystone20:10
dolphmmorganfainberg: fakeldap has been a mess since day 1 :(20:11
morganfainbergthat is the fixture I am working with atm20:11
morganfainbergdstanek, dolphm, ^ cc20:11
*** piyanai has joined #openstack-keystone20:11
*** Guest79943 has quit IRC20:12
*** exploreshaifali has quit IRC20:13
*** vivekd has quit IRC20:14
dstanekmorganfainberg: actually i did push this
dstanekit's rather sad really that i have some much in motion that i can't remember what i've pushed20:15
*** tonytan4ever has quit IRC20:15
morganfainbergi really want to stop pretending a dict is a sufficient representation of LDAP20:16
openstackgerritMerged openstack/keystoneauth: Do not log binary data during debug
morganfainbergI guess I could use your thing and just magically make it disappear behind the scenes and use the python-ldap-test20:17
morganfainbergbut ugh.20:17
*** yottatsa has quit IRC20:17
*** pnavarro has joined #openstack-keystone20:17
*** tsymanczyk has joined #openstack-keystone20:22
*** tsymanczyk is now known as Guest7651920:23
*** jerrygb has joined #openstack-keystone20:33
*** jerrygb is now known as test0rz20:34
*** test0rz is now known as asd112z20:34
*** jasonsb_ has joined #openstack-keystone20:36
*** jasonsb has quit IRC20:36
*** woodster_ has joined #openstack-keystone20:37
openstackgerritAndrey Pavlov proposed openstack/keystone: Add S3 signature v4 checking
*** jsavak has joined #openstack-keystone20:38
*** petertr7 is now known as petertr7_away20:42
dstanekmorganfainberg: what is your feeling on the stable interface stuff? have you been watching the implementations?20:42
morganfainbergi haven't really clearly been watching it20:42
morganfainbergwas on my list for this week to circle up on20:42
dstanekmorganfainberg: right not it's unfortunately just a "slightly" smarted ABCMeta in that if only enforces method names, but does allow you to have versions of that20:45
edmondswI recently saw 6 unexplained "Authorization failed for token" errors spread over almost 5 minutes in cinder and nova. They apparently came from keystonemiddleware/auth_token/ (not the one). The first was a few seconds after keystone restarted. During that restart, the httpd logs show a couple /v2.0/tokens/revoked calls getting 500 errors. Could that be causing this? keystonemiddleware no longer trus20:45
edmondswting tokens because it couldn't tell what had been revoked?20:45
morganfainbergdstanek: yeah20:45
*** tonytan4ever has joined #openstack-keystone20:45
*** mylu has quit IRC20:46
dstanekmorganfainberg: i hacked this together in response to the existing review:
*** mylu has joined #openstack-keystone20:46
*** fangzhou has joined #openstack-keystone20:47
dolphmedmondsw: what's the backtrace?20:49
dolphmedmondsw: but yes, 500's from keystone will crop up as 401's to the end user20:50
edmondswcan't find a trace for the 50020:50
dolphmedmondsw: if you find a log, be sure to open a bug against keystone20:50
edmondswand debug logging wasn't on, so it didn't print a trace for the 401s20:50
dolphmedmondsw: ah, i assumed you were referring to a devstack run. 500's aren't ever by design though, bug reports much appreciated!20:51
edmondswyeah... if i can figure it out I'll open\20:51
dolphmedmondsw: thanks!20:52
morganfainbergdstanek: so that is better. i dumped out the requirement for strictabc because it wasn't going to really fly in the timeline - i'm ok with somehting like this20:52
edmondswthe only way I know about the 500s was from httpd logs... nothing at all in the keystone logs there, which seems odd20:53
dstanekmorganfainberg: take a look at the initial review when you have a few. the author was thinking of only supporting 1 version back and providing code that would make the old version act like the new one.20:54
dstanekmorganfainberg: i don't know that it's necessarily a good thing to do that20:54
morganfainbergyeah no we can't do that20:54
morganfainbergit has to be *all versions*20:54
morganfainberguntil we deprecate the version explicitly20:54
morganfainbergbut yes code needs ot make the old version behave like the new20:55
dstanekmorganfainberg: how can it? if we add a new method there is often no good way to add the behavior20:57
morganfainbergif we are breaking compatibility we are breaking our contract20:57
morganfainbergwe are setting a contract on the backend driver interface20:57
dstanekso how would you safely add a method?20:57
morganfainbergeither we deprecate the functionality and move slowly towards new or we do conversion logic20:57
morganfainbergyou make an effort to not need to. if you really need to, the new method can't impact old versions running20:58
morganfainbergthe minimum would be a 2-cycle interface contract.20:58
dstanekso then it needs to be optional in most cases and we'd look for it an raise a warning if we don't find it20:58
morganfainbergthe reality is we should not be leaking backend implementation details to the end users20:59
morganfainbergwe've really made no effort to define interfaces here. If cinder can do it, we can.20:59
morganfainbergthe manager has a ton of logic in it to do things as needed20:59
morganfainbergso we can lift the business logic up until we can be assured all drivers have the support.21:00
dstanekthe example we were working through is a driver that has '.list()' and we add a new '.list_by_name()' the implementation to implement list_by_name would table scan and do Python side filtering...which is no good21:00
morganfainbergbut that would be the solution for the interim if the backend driver doesn't have .list_by_name21:00
dstaneki'll have to look at what cinder is doing21:00
morganfainbergthey just don't change the contract21:00
morganfainbergsame with neutron21:00
morganfainbergour usecases aren't that complex we can just commit to a contract.21:01
dstanekwhile that's technically true, you broke a large production implementation depending on table side a frequency of use21:01
morganfainbergthey should move to the new version with optimised .list_by_name - the difference is we *dont* break the deployer completly every single time we update21:02
dstanekto me this method stuff is mostly useless since we will know what methods are changing - it's really the inputs and outputs that will help the driver writers21:02
morganfainbergi've heard more people bitch about the endless interface changes21:03
*** jsavak has quit IRC21:03
morganfainbergwe should either a) not support pluggable backends outside of in-tree drivers21:03
morganfainbergor b) commit to a contract21:03
morganfainbergwe're already not doing a21:03
*** AndroUser2 has joined #openstack-keystone21:03
*** jsavak has joined #openstack-keystone21:03
morganfainbergwe have deployers that have to chase our interface changes with nearly every commit21:03
dstanekwhat are we changing so much?21:04
morganfainbergevery release all of our driver interfaces seem to change/move/etc21:04
morganfainbergbecause people want $new_shiny_feature21:04
dstanekthe complaints i have heard are that's it's nearly impossible to write a driver because you have to figure out what dictionary comes back when21:04
*** ankita_w_ has joined #openstack-keystone21:04
morganfainbergit's both21:04
morganfainbergwhat dict comes back and that once you figure that out, next cycle it changes21:05
dstanekand that we've removed keys thinking they were "implementation details"21:05
morganfainbergso we should commit to a clear interface for our drivers just like we do for the REST API21:05
dstanekfor new features i'd rather see them optional for a release and then we don't have too worry too much21:05
morganfainbergexcept we're leaking to the end users then21:05
gyeeso I can spend more time on the beach instead of refactoring the mongo driver :)21:05
morganfainbergwhich is incorrect21:05
morganfainbergwe should be ensuring that the end user needs to know zero about the differences between backend implementations21:06
dstanekgyee: yeah, so what sort of issues have you been running into?21:06
gyeedstanek, public cloud is running Keystone with mongo driver21:06
*** piyanai has quit IRC21:06
*** ankita_wagh has quit IRC21:07
morganfainbergif that means we have a very crappy in-memory version of the list_by_name when the driver doesn't support it, the deployer may 403 it, but we don't break the user's expectation -- no 501 "oh this isn't implemented" or worse, 40421:07
gyeeits seem everything we pull we have to fix the driver because some of the interface's been moved around21:07
gyeethat's during the time when we move assignment, identity, and resource drivers around21:07
gyeeevery upstream pull was an adventure21:07
gyeeI made the mistake of not having a 3rd CI21:08
gyeeand have it voting21:08
dstanekgyee: besides moving assignment->resouce what sort of breaking changes did we make?21:09
morganfainberga lot of driver becomes dumber, manager smarter21:09
morganfainbergnew args21:09
morganfainbergremoved args21:09
gyeewhat he said ^^^21:09
morganfainbergdriver smarter manager dumber21:09
morganfainbergthings move21:09
morganfainbergsome of it is to make drivers behave similarly21:09
gyeelike why am I getting a 500 Internal Error after an upstream pull21:10
morganfainbergwe can make the docs better, but it doesn't really solve the issue21:10
dstanekwhile i agree with everything that was just said the method existence isn't any of that21:11
morganfainbergif we claim to support out-of-tree drivers at all, we should be committing to a contract on the driver interface21:11
gyeemorganfainberg, maybe we need a 3rd CI?21:11
dstaneka better approach may be to have contract tests that shouldn't be changed21:11
morganfainbergs/claim to support/allow21:11
gyeedstanek, yes21:12
morganfainbergsame net effect21:12
morganfainbergyou still need to support changing versions21:12
dstanekwhen we break a contract now we fix the broken tests - maybe need tests that can't change21:12
morganfainbergof the contract21:12
morganfainbergso the point was we support some layer of backwards compat as needed21:12
morganfainbergmoving to the new driver interface version removes the compat layer21:12
dstanekwhy isn't that a manager/driver thing? if you add an arg is needs to be optional, kind of thing21:13
gyeedstanek, you mean the tests will be under openstack/keystone-compatibility repo?21:13
morganfainbergdstanek: because things aren't just easy to make "optional"21:13
morganfainbergdstanek: also how do you know if a driver can take new <optional arg>21:14
morganfainbergor worse adding the "find_by_name" api21:14
dstaneki just worry that if we write naive implementations it'll be worse21:14
morganfainbergdo we just 501 it?21:14
morganfainbergwe have done a very very poor job of ensuring we take care of the end users [I don21:15
morganfainbergt care about deployers at the moment]21:15
dstanekmorganfainberg: that's the more interesting problem. writing something that looks and the signatures and other things (i've been calling that inputs/outputs)21:15
morganfainbergend users matter more. not needing to know that cloud X doesn't support $feature$ because the driver interface is old21:15
morganfainbergis crappy21:15
gyeearen't the params part of the signature?21:15
morganfainbergeven though it is running the same version of keystone21:15
morganfainberg(9.0 for example)21:16
morganfainbergif someone upgrades to keystone 9.0 and doesn't update driver interfaces to the new contract, there should be warnings and we should have a naieve implementation21:16
morganfainbergbut it doesn't break the end user [403 aside, since access to a API is independent in this argument]21:17
alextricityHello. I'm using AD for my keystone domain backend, but I get this message everytime:21:17
alextricity{"error": {"message": "User c113a4c78586ad32cde81aaa8596d6aa4aa92cd1f9c84b0114e76a7f25b96970 has no access to project 25eb9bc982494c2486f2c8159f830d29 (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}21:17
alextricityHas anybody seen this?21:17
gyeemorganfainberg, what's the process to create out-of-tree driver?21:17
morganfainberggyee: what do you mean?21:17
morganfainbergyou already did it21:17
gyeelike folk?21:17
morganfainbergyou'd base it on the correct version'd base class.21:17
gyeeI mean where do I stash the code?21:18
morganfainberggyee: wherever you want21:18
gyeealrighty then21:18
morganfainbergbase class would convey version.21:18
morganfainbergso if you were 3 versions behind (example):21:18
dstanekso, are we defining now breaking as "will work in a test environment"?21:18
morganfainbergdstanek: will result in the same output [test environment or prod, not being specific]21:19
gyeealextricity, means your user have no role assignment on the given project21:19
dstanekuntil a naive implementation locks the table and nothing works21:20
morganfainbergif you use the API, so if the new api is "find by name" we will find by name - in memory if needed21:20
morganfainbergdstanek: this is at the manager layer so it might stream a lot of data.21:20
*** hrou has quit IRC21:20
*** mylu has quit IRC21:21
*** mylu has joined #openstack-keystone21:21
dstanekwhat about a case where we change the driver API for an existing REST API call that uses a non-performant naive implemenation21:21
gyeedstanek, I don't understand21:22
dstanekgyee: this is what we were arguing against last week. the Compatibilizer idea. writing a naive implementation of a new driver method21:24
gyeedstanek, but we have the hints param21:25
dstanekmorganfainberg: i can do a dynamic subclass implementation in my meta class that will allow for naive implementations, but i'm not sure how that would work21:25
dstaneks/how/how well/21:26
gyeethe hints convey the information about what the backend is capable of21:26
*** gordc has quit IRC21:26
dstanekmorganfainberg: my original thought was to have versioned classes and pick the parent dynamically, but after thinking through the implications i stopped21:26
*** raildo is now known as raildo-afk21:27
dstanekgyee: so what if a new driver was added? what do we do?21:27
dstanekgyee: s/driver/driver method/21:28
gyeedstanek, emit a warning21:28
gyeeand bump the version number up21:29
dstanekgyee: and provide a naive implementation for older versions?21:29
dstanekmorganfainberg: is saying we should; i don't know that it can work21:30
dstanekmorganfainberg: where in cinder are they versioning drivers?21:30
gyeewe can't, we don't know what the native driver is capable of21:30
*** diegows has joined #openstack-keystone21:33
*** samueldmq has quit IRC21:33
gyeedstanek, that's how we ended up with this LDAP performance problem, see
openstackLaunchpad bug 1417189 in python-keystoneclient "Keystone v2 list users by name should be supported to avoid potential performance problem" [Undecided,In progress] - Assigned to rajiv (rajiv-kumar)21:35
*** Guest76519 has quit IRC21:35
*** piyanai has joined #openstack-keystone21:35
gyeedstanek, our identity driver used to do that, fetch all the users and do linear search in process21:36
*** tsymanczyk has joined #openstack-keystone21:36
gyeefor lookup by name21:36 that where the example came from?21:38
*** thiagop has quit IRC21:39
*** pnavarro has quit IRC21:39
*** AndroUser2 has quit IRC21:39
*** geoffarnold has quit IRC21:41
*** ngupta_ has joined #openstack-keystone21:45
*** abhirc has joined #openstack-keystone21:47
*** samueldmq has joined #openstack-keystone21:47
*** abhirc has quit IRC21:47
*** abhirc has joined #openstack-keystone21:48
morganfainberggyee: i disagree21:48
morganfainbergThe naive implementation *if the native driver doesnt have* the support is fine21:49
morganfainbergBut if you are on the same driver interfaces no naive impl21:49
morganfainberggyee, dstanek: the naive impl would only be if you were on version 4 of the interface and keystone used version 521:50
morganfainbergif you are on the same (max) interface keystone supports it is assumed your driver would have a native (or internally naive) implementation to use21:50
morganfainbergthe naive impl would only be in the conversion classes not baked in always21:51
morganfainbergso 4->5 might have find_by_name implementatio21:51
morganfainbergif you upgraded to being based in version 5, you would support it natively in the driver/backend21:52
*** ankita_wagh has joined #openstack-keystone21:53
morganfainbergthat being said we should pretty much *not* be adding/removing too much from the driver interfaces21:53
*** ankita___ has joined #openstack-keystone21:53
*** ankita_w_ has quit IRC21:56
gyeemorganfainberg, so you are fine with fetching 4000 records and do linear search? :)21:56
morganfainberggyee: only if you when upgrading keystone didn't update your backend driver to match the new interface21:56
morganfainbergand didn't listen to the warnings when you did UAT21:57
morganfainbergsaying you should upgrade/update your driver21:57
*** ankita_wagh has quit IRC21:57
morganfainbergif you just leave your driver impl on $previous_version you get the basic implementation that is provided to make sure the drivers work21:58
*** jsavak has quit IRC21:58
morganfainbergi will argue that the linear search is a relatively less-likely issue. most will be "convert string arg X to list Y" in the case of passing a list of memcache servers21:58
morganfainbergfor example21:58
gyeemorganfainberg, sure, in theory we only need these from the drivers create(), get(id), delete(id), and update(id)21:59
morganfainbergso if we add find_by_name as the new interface. your old driver doesn't do find_by_name, we do it in the conversion object21:59
gyeethe rest can be done above (performance aside)21:59
morganfainbergif you move to the new interface you implenment it natively22:00
morganfainbergif you continue with the old interface the driver continues to work but has performance implications22:00
morganfainbergand warnings are thrown "heyyyyy you should update to the new contract"22:00
gyeein BOLD :)22:00
morganfainbergbut if you're on the brand-new shiny interface contract, you should have no naive implementations that aren't baked into the driver itself (nothing above the driver)22:01
morganfainbergbesides normal manager logic22:01
morganfainbergand we maintain a 2-cycle interface contract22:01
gyeesure, I can live with that22:02
morganfainbergif you don't update your interface within 1 yr... seriously?22:02
morganfainbergnow... when do we increment the interface versions? each change? once a cycle?22:02
morganfainbergi don't know.22:02
morganfainbergeach change becomes a bit painful22:02
morganfainbergmaybe each milestone?22:02
*** pgbridge has quit IRC22:03
morganfainbergif you chase faster than that we can only do so much22:03
gyeewe need to bump it whenever we introduce new interface right?22:03
morganfainberglike i said, don't have a clear viewon that22:03
morganfainbergthe only concern i have with *every* change is that we end up with a large number of layers22:04
morganfainbergwith compat code possibly22:04
morganfainbergI would be ok with bundling the changes once per milestone22:05
morganfainbergevery 1.5 months is a fine window22:05
morganfainbergwe just indicate to those writing drivers what the increment timeline is.22:05
morganfainbergthat way they know when to update their drivers22:06
*** piyanai has quit IRC22:06
morganfainbergmilestone is cut, next change is a version bump on the driver that is affected22:06
gyeeactually once per release is fine22:06
morganfainbergor at feature freeze we lock the interfaces22:07
morganfainbergno more driver changes.22:07
gyeetreat it like public APIs22:07
morganfainbergthen once the next cycle opens, drivers get a new version when/if they are changed22:07
*** diazjf has left #openstack-keystone22:07
gyeewhat if no driver interface changes for a given release? we maintain the same version right?22:10
morganfainbergno change = no version change22:10
*** ankita___ has quit IRC22:11
gyeek, make sense22:11
*** ankita_wagh has joined #openstack-keystone22:11
lbragstad ls22:14
* lbragstad fails22:15
*** ngupta has quit IRC22:15
samueldmqlbragstad, I know well what it is hehe22:15
*** topol has joined #openstack-keystone22:17
*** ChanServ sets mode: +v topol22:17
*** henrynash has quit IRC22:23
edmondswdolphm, tracked down the problem I was asking about earlier... opened
openstackLaunchpad bug 1488267 in keystonemiddleware "auth_token middleware reporting valid token as invalid" [Undecided,New]22:23
*** tonytan4ever has quit IRC22:23
*** hrou has joined #openstack-keystone22:24
*** asd112z has quit IRC22:25
*** mylu has quit IRC22:25
*** mylu has joined #openstack-keystone22:26
*** topol has quit IRC22:28
*** topol has joined #openstack-keystone22:29
*** ChanServ sets mode: +v topol22:29
*** shoutm has joined #openstack-keystone22:32
*** ankita_w_ has joined #openstack-keystone22:33
*** bknudson has quit IRC22:33
*** topol has quit IRC22:33
*** doug-fish has quit IRC22:34
*** doug-fish has joined #openstack-keystone22:34
*** ankita_wagh has quit IRC22:36
*** jecarey has quit IRC22:37
*** doug-fis_ has joined #openstack-keystone22:37
*** roxanaghe has quit IRC22:38
*** geoffarnold has joined #openstack-keystone22:38
*** doug-fish has quit IRC22:38
*** jecarey has joined #openstack-keystone22:39
*** jasonsb_ has quit IRC22:40
*** tsufiev has quit IRC22:41
*** doug-fish has joined #openstack-keystone22:41
*** doug-fis_ has quit IRC22:42
*** geoffarnold has quit IRC22:42
*** hrou has quit IRC22:44
*** diegows has quit IRC22:45
*** geoffarnold has joined #openstack-keystone22:45
*** jaosorior has quit IRC22:45
*** doug-fish has quit IRC22:46
*** tsufiev has joined #openstack-keystone22:46
*** mylu has quit IRC22:52
*** jecarey has quit IRC22:54
*** edmondsw has quit IRC22:57
*** mylu has joined #openstack-keystone23:03
*** zzzeek has quit IRC23:10
*** claudiub has quit IRC23:12
dstanekmorganfainberg: gyee: my thought is that we'd version for each release23:12
gyeeeven without interface changes for a given release?23:13
dstanekgyee: i don't see why not23:15
dstanekthen you are really saying this is a Liberty driver23:15
gyeedstanek, if we do that, we are forcing 3rd party driver to update the version23:16
*** dims_ has joined #openstack-keystone23:16
gyeeunless we internally maintaining compatibility base on interface matching, not by version number23:16
gyeeremove the +1 version check in the code23:17
dstanekmorganfainberg: i'm fine with what you were saying before, i just disagree with what we are calling it. if we provide a naive implementation that forces someone to write to the new interface anyway then it's no better then just being up front and saying that we broke backward compat.23:18
*** dims__ has quit IRC23:18
dstanekgyee: in my mind each driver interface know what versions it is; i'll hack up a demo23:18
morganfainbergthen we simply stop changing the driver interface - i mean that is my end goal23:18
morganfainbergstop changing the driver interfaces23:19
dstanekmorganfainberg: ++23:19
morganfainbergwe have almost no reason to be changing driver interfaces at this point23:19
morganfainbergthe fact that we are indicates we aren't thinking about the design23:19
*** mylu has quit IRC23:19
*** dims__ has joined #openstack-keystone23:19
*** mylu has joined #openstack-keystone23:20
morganfainbergthe long/short is we need a contract there regardless23:20
morganfainbergand a cycle-to-cycle change is *not* a contract23:20
*** mylu has quit IRC23:20
gyeewe need a contract23:20
morganfainbergthis has to be at least as stable as our REST API23:20
gyeespit on the palm and seal it!23:20
*** mylu has joined #openstack-keystone23:21
*** dims_ has quit IRC23:21
*** Ephur has quit IRC23:22
dstanekdoesn't our rest API change during master development?23:22
dstanekor once we commit we are locked in?23:22
gyeedstanek, we look API spec by M1 I think23:23
*** topol has joined #openstack-keystone23:24
*** ChanServ sets mode: +v topol23:24
dstanekthat's the theory23:24
*** tsymanczyk is now known as Guest8862223:26
*** Guest88622 is now known as tsymanczyk23:27
morganfainbergand if we are supporting external plugins it needs to be more stable than our rest api23:32
morganfainbergthe issue is we should really be changing the backend interfaces so infrequently that it is a major ordeal if something has to be changed out23:33
morganfainbergor even added at this point23:33
dstanekhow stable are you thinking? i'm trying to think through implementation and that's the biggest variable in a design23:33
morganfainbergwhich is why i was advocating fro the naive implementation23:33
gyeehow does neutron solved this problem, they have a tone of 3rd party drivers23:33
morganfainbergthey don't change their interface23:33
morganfainbergi mean that is it23:33
gyeeoh :)23:33
morganfainbergthey comitted to a contract23:33
morganfainbergand stuck with it23:33
*** doug-fish has joined #openstack-keystone23:34
gyeeI mean do they do any enforcements23:34
morganfainbergchanging that interface is a *big* deal23:34
morganfainbergyes, 3rd party CI would break23:34
morganfainbergor 1st party ci would break23:34
morganfainbergI was willing to give us wiggle room to progress the API with the compat layer23:34
*** EmilienM has quit IRC23:34
morganfainberga naive implementation is not the end of the world... and the "big" issue implementations are really going to be far and few between23:35
morganfainbergminor changes such as updating args will be more the norm23:35
gyeeyeah I agree23:35
dstanekthen if that's the case it should be easy for us to support 1 class per supported version right?23:36
morganfainbergagain part of the goal is never to leak implementation details to the end user23:36
morganfainbergso if we are not comitting to a contract fine. but if we are we need to supply compat for when we have to hcnage it. that is all23:36
*** EmilienM has joined #openstack-keystone23:36
morganfainbergdstanek: sure. 1 class = 1 version23:37
morganfainbergif you support 2 versions, 2 classes23:37
*** stevephone has joined #openstack-keystone23:37
morganfainbergbut the APIs to the end user (the person consuming OpenStack ?Keystone Rest API) can't return different things23:37
dstanekhow do you feel about the third-party driver subclassing a versioned class instead of Driver?23:37
morganfainbergso version 9 of keystone says get_user_by_name is supported, anything loaded by version 9 of keystone should support that [even if it's naive implemented]23:38
*** woodster_ has quit IRC23:38
*** doug-fish has quit IRC23:38
morganfainbergi'd expect them to be subclassing the version they are built on23:38
morganfainbergrather than *base* Driver23:38
morganfainbergthey'd use DriverV22 for example23:38
*** woodster_ has joined #openstack-keystone23:38
morganfainbergand that tells us what the underlying implementation will support (if they don't adhere to that, we can't help)23:39
dstanekthen really there is no work to be done...except for the hard part of making sure the interface is correct23:39
morganfainbergwell we also have to support backwards compat with regards to the rest api.23:39
morganfainbergif the driver doesn't support .get_by_name either we are breaking our user Rest contract or our driver contract23:40
dstanekhow fine grained should the versioning be?23:40
morganfainbergor we have a compat layer that does the naive conversion23:40
morganfainbergi'm ok with versioning on the driver being once per cycle or once per milestone23:40
morganfainbergnot any faster than once per milestone23:40
dstanekonce per milestone seems more natural to me23:41
morganfainbergif someone is chasing master, they know there is extra work to be done23:41
morganfainbergand i'm fine saddling them with that23:41
*** morganfainberg is now known as morgan23:42
* gyee likes to chase master23:42
dstanekok, so we're saying the same thing there. i thought that you were saying that once per cycle was not enough23:42
gyeelatest (and greatest)23:42
dstanekgyee: then you deserve the pain23:42
morgandstanek: ++23:42
gyeeno pain, no gain23:42
dstanekno pain, no complain23:42
dstanekso back to what i really care about then....i'm pretty sure that our own in-tree drivers return different data23:42
morgandstanek: no once per cycle would be fine. if nothing changes you don't *have* to change it23:42
morgandstanek: that is part of this initiative. fix that while we are at it23:43
dstaneki was going to hack typist up to check dict keys, but i just haven't done that yet23:43
morganwe're comitting to a contract23:43
morganso we go commit to the contract -- for ourselves too23:43
*** stevephone has quit IRC23:43
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint
morganand if gyee is a masochist... we let him be a masochist23:43
morganbut i somehow think he'll start syncing about as often as once a milestone if the contract changes at most once per milestone :P23:44
morganor the contract definition :P23:44
gyeeI wasn't kidding, we did sync per milestone during the K2K stuff23:44
morganhopefully with the added pain of changing the interfaces people will be more selective of running roughshod over the interface definitions as they make minor adjustments23:45
gyeekey is how fast can you do hotfix :)23:45
dstanek....and not create new problems23:46
morgani can't belive our tests are so unisolated23:47
morganthe moment you say use cleanUp to remove the backends you get magical conflicts *everywhere*23:47
morganthis is just awful stuff23:47
dstanekso right now: ":param dict user: a user object"23:48
morganthe per-domain backend is just awful in our testing harnesses23:48
dstaneki was thinking: ":param keystone.identity.schema.user user: a user object"23:48
dstanekand then validate against the schema23:48
* morgan sighs...23:49
morganno you can't just say ".reset ldap"23:49
gyeedstanek, yes23:49
* morgan yells at whoever implemented that23:49
gyeemorgan, you are using FakeLDAP?23:49
morgantrying to remove FakeLDAP23:49
dstanekgyee: typist only runs at test time, but at least it's something23:49
morganmove to something that enforces real LDAP semantics but still is in-mem23:50
gyeedstanek, I like the idea, I mean we can just reuse the JSON schema check right?23:50
dstanekgyee: maybe the create ones23:51
gyeemorgan, btw, I've been messing around with python3-ldap, and I LIKE IT!23:51
morgangyee: ldap3 you mean23:51
morgan[they renamed it]23:52
morganbut yeah it's good23:52
gyeenow I can even do discovery with DsaInfo23:52
gyeeschema discovery23:52
gyeemakes configuration much much easier23:52
gyeewe can cut down a lot of mapping stuff23:52
morgannot completely23:53
morganwow fakeldap is a trainwreck23:54
morganoh i see.. .reload_backends()23:55
morganWHY IS THIS A THING23:55
gyeethat's enough for me to skip most of the configuration we have today23:56
morgangyee: except it isn't23:56
morganbecause people configure things wackily23:56
*** jasonsb has joined #openstack-keystone23:56
gyeesure, in that case, they'll have to overwrite23:56
gyeebut for standard schema, that'll save a lot of work23:57
morganoh of course.. because we just use random crap in our configs too because FakeLDAP just accepted it23:57
* morgan glares.23:57
gyeeFakeLDAP is just a dict23:57
morganit's worse that not testing the LDAP code from what I can tell23:57
morganthe .reload_backends and the just assuming the ldap roots exist are just awful23:58
gyeemorgan, why even waste time on it, lets do func test instead23:58
morgangyee: because we need to clean this up to make func tests work23:58
morgannot calling .reload_backends will make porting to func test better23:58
morganor it's basically rewriting a mess of tests to just hit parity23:59
morganfor the funsies of rewriting test code23:59

Generated by 2.14.0 by Marius Gedminas - find it at!