Tuesday, 2015-08-25

[00:00] <gyee> we are using a real LDAP server for the func tests right? like OpenLDAP?
[00:00] <morgan> we wont actually have to if we don't want
[00:00] <morgan> can use ldap_test library
[00:00] <morgan> we *can* use OpenLDAP
[00:01] *** rm_work is now known as rm_work|away
[00:01] <gyee> I have a script to automagically install OpenLDAP and populate it with some data
[00:01] <gyee> only works on Ubuntu though
[00:01] <morgan> with ldap_test you can do it all in python code
[00:01] *** _cjones_ has quit IRC
[00:01] <morgan> it's an in-mem LDAP spec server
[00:01] <morgan> it requires a jre, but that isn't the end of the world
[00:02] <gyee> I dunno man, ORCL's lawyers are ready to pounce :)
[00:02] <morgan> not my problem
[00:02] <morgan> :P
[00:02] <morgan> they can pounce on the upstream library
[00:02] <morgan> and we can pivot
[00:03] <morgan> since we're just using ldap-interface
[00:03] <gyee> hah, jre's not our problem
[00:04] <morgan> this is such a bs way of doing tests:
[00:05] <morgan>     def test_configurable_forbidden_create_existing_user(self):
[00:05] <morgan>         conf = self.get_config(CONF.identity.default_domain_id)
[00:05] <morgan>         conf.ldap.user_allow_create = False
[00:05] <morgan>         self.reload_backends(CONF.identity.default_domain_id)
[00:05] <morgan> do .setup then reload backends
[00:05] <morgan> rather than properly handling setup
[00:14] *** samueldmq has quit IRC
[00:14] <dstanek> gyee: !
[00:18] <gyee> dstanek, yes sir
[00:18] <dstanek> got time for some easy reviews?
[00:18] <gyee> sure
[00:19] <dstanek> https://review.openstack.org/#/c/214346/
[00:19] <dstanek> https://review.openstack.org/#/c/210478/
[00:20] <gyee> oh, my favorite tempDir, now I need to update the patch on keystonemiddleware
[00:20] <dstanek> i've got plenty more where that came from
[00:22] <dstanek> https://review.openstack.org/#/c/199343/
[00:27] <gyee> dstanek, for https://review.openstack.org/#/c/210478/5, can't we be a bit more forgiving?
[00:27] <gyee> like inspect the callback and ignore the self param?
[00:28] <dstanek> gyee: you mean allow unbound methods?
[00:28] <gyee> right
[00:28] <gyee> but I am fine with the error as well
[00:28] <dstanek> gyee: what would you pass in for self?
[00:29] <dstanek> also this is only a test showing the current behavior
[00:29] <dstanek> there was a small debate about whether or not it was possible and to win i wrote a test to show my position
[00:30] *** topol has quit IRC
[00:30] <gyee> k
[00:31] <gyee> dang it! colorizer used to be fun
[00:32] <gyee> oh well
[00:32] <dstanek> without some significant rework we don't know what instance to use anyway
[00:33] <dstanek> gyee: thx!
[00:33] *** topol has joined #openstack-keystone
[00:33] *** ChanServ sets mode: +v topol
[00:34] <gyee> dstanek, np
[00:38] *** lhcheng is now known as lhcheng_away
[00:39] <gyee> morgan, our LDAP group membership resolution code doesn't appear to support posixGroup. Would that be a bug or new feature?
[00:39] <morgan> uhmm
[00:39] <morgan> bug probably
[00:39] <gyee> k, let me file a bug and get it fixed
[00:39] <gyee> what about nested group resolution?
[00:40] *** mylu has quit IRC
[00:41] *** mylu has joined #openstack-keystone
[00:41] <morgan> gyee: uh
[00:41] <morgan> feature i would think
[00:42] <morgan> gyee, dstanek: going to have a fairly easy review going up soon
[00:42] <dstanek> morgan: i'll be here
[00:43] *** shoutm_ has joined #openstack-keystone
[00:43] <openstackgerrit> Morgan Fainberg proposed openstack/keystone: No More .reload_backends() or .reload_backend()  https://review.openstack.org/216473
[00:43] <morgan> ^^
[00:44] <morgan> better test isolation
[00:44] <morgan> no more "RELOAD THE THINGS" just to load a config option
[00:44] <morgan> it was sloppy at best
[00:45] *** mylu has quit IRC
[00:45] *** shoutm has quit IRC
[00:47] <gyee> much cleaner code
[00:47] <morgan> finally rid of that awful "reload backend" magic stuff with that patch
[00:48] <morgan> that should help limit the impact of moving away from the FakeLDAP to something that really validates ldap semantics
[00:48] <morgan> before we move to full functionaly
[00:49] <morgan> delete all the lines of code: +45, -71
[00:50] <morgan> ok not that many... but still
[00:51] <morgan> gyee:  also https://review.openstack.org/#/c/210087 and the follow up patch should be easy
[00:53] <gyee> k
[00:54] <dstanek> morgan: should you be doing something like what config_figure was doing so the test state gets reset?
[01:00] <dstanek> gyee: check out these two https://review.openstack.org/#/c/210087/
[01:01] <gyee> dstanek, yeah, looking at them, just trying to understand what you did there
[01:02] *** ankita_w_ has quit IRC
[01:02] *** ankita_wagh has joined #openstack-keystone
[01:02] <dstanek> gyee:  the _assert_backends was sorta funky
[01:03] *** shoutm_ has quit IRC
[01:07] <gyee> dstanek, clever, you are basically checking the entry point against what's being loaded?
[01:07] *** piyanai has joined #openstack-keystone
[01:07] *** ankita_wagh has quit IRC
[01:07] *** browne has quit IRC
[01:07] <gyee> dstanek, don't you need to check to make sure the domain-specific backend flag is enabled as well?
[01:07] *** geoffarnold is now known as geoffarnoldX
[01:08] *** shoutm has joined #openstack-keystone
[01:09] <dstanek> gyee: yes, exactly. i wanted to make sure that the loaded driver was correct. when i was hacking on tests i accidentally made all backends sql and the ldap tests were passing :-)
[01:09] <dstanek> gyee: no, i just assume your setup knows and will pass in a dict as the identity value
[01:10] <gyee> ah, you are using manager.domain_configs to get the driver name
[01:10] <gyee> should be fine
[01:12] <gyee> dstanek, https://review.openstack.org/#/c/210087/2/keystone/tests/unit/test_backend_ldap.py, line 106
[01:12] <gyee> , instead of %
[01:12] <gyee> :)
[01:12] <dstanek> gyee: that's only for logging :-P
[01:13] <gyee> oh k
[01:15] *** hrou has joined #openstack-keystone
[01:15] <dstanek> gyee: is this the thing you were talking about fixing?
[01:15] <dstanek> https://review.openstack.org/#/c/177661/27/keystonemiddleware/tests/unit/utils.py
[01:16] <gyee> dstanek, yes
[01:16] <gyee> I'll have to do the same there
[01:16] <openstackgerrit> Morgan Fainberg proposed openstack/keystoneauth: Keep a consistent logger name for keystoneauth  https://review.openstack.org/212602
[01:17] <morgan> ok lets see that moves us to a fixture...
[01:18] <morgan> and cleans up the "reload" thing...
[01:18] <morgan> hmmm...
[01:28] <gyee> dstanek, actually I want tempfile, not TempDir
[01:28] <gyee> doesn't appear fixtures have TempFile
[01:29] <gyee> anyway, dinner bell ringing, kids singing, time to card out
[02:43] <openstackgerrit> Lin Hua Cheng proposed openstack/python-keystoneclient: Use region_id filter for List Endpoints  https://review.openstack.org/216501
[03:16] <openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Fix v2 plugin loaders to not have V2 prefix  https://review.openstack.org/216510
[03:16] <openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Fix plugin loading tests  https://review.openstack.org/216511
[03:16] <openstackgerrit> Jamie Lennox proposed openstack/keystoneauth: Remove plugin.load_from_conf_options and argparse  https://review.openstack.org/216512
[03:16] <jamielennox> morgan: ugh ^
[03:16] <morgan> Yes
[03:24] *** links has joined #openstack-keystone
[03:31] *** asd112z has quit IRC
[03:35] <openstackgerrit> Merged openstack/keystoneauth: Keep a consistent logger name for keystoneauth  https://review.openstack.org/212602
[04:11] <openstackgerrit> Lin Hua Cheng proposed openstack/python-keystoneclient: Use region_id filter for List Endpoints  https://review.openstack.org/216501
[04:15] *** mylu has quit IRC
[04:15] *** mylu has joined #openstack-keystone
[04:20] *** mylu has quit IRC
[04:23] *** stevemar has joined #openstack-keystone
[04:23] *** ChanServ sets mode: +v stevemar
[04:28] <morgan> jamielennox: i hope we can land 1.0 of ksa this week.
[04:36] <jamielennox> morgan: what's left on the list?
[04:37] *** abhirc has quit IRC
[04:38] *** abhirc has joined #openstack-keystone
[04:42] *** abhirc has quit IRC
[04:45] <morgan> The ones you just posted and if any of the -1 ones we want.
[04:45] <morgan> But the list is short.
[05:12] <davechen> lhcheng: ping?
[05:12] <lhcheng> davechen: pong
[05:13] <davechen> lhcheng: why the kwargs is region=region_id in your patch (https://review.openstack.org/#/c/216501)?
[05:13] <morgan> lhcheng: oh hai!
[05:13] <davechen> lhcheng: is that should be region_id=region_id
[05:13] <davechen> ?
[05:14] <lhcheng> morgan: hello!
[05:14] <lhcheng> morgan: just watch the openstack seattle video, good job!
[05:14] <morgan> lhcheng: up late eh?
[05:14] <morgan> Glad you liked it!
[05:14] <lhcheng> morgan: we now have a "flock" :)
[05:14] <morgan> It was a fun talk to give.
[05:15] <lhcheng> morgan: glad to talk non-keystone some time? :P
[05:15] <morgan> Going to try and clean it up a little and use it again at a couple confs.
[05:15] <davechen> lhcheng, morgan: where is the link?
[05:15] <morgan> Sec
[05:15] <morgan> https://m.youtube.com/watch?v=VpVOlwW2l5w
[05:16] <morgan> lhcheng: yah.
[05:16] <lhcheng> davechen: ah, I didn't want to change the interface of the list() method
[05:16] <morgan> Going to compress it down for a lightning talk for one of the conferences.
[05:16] <lhcheng> region is already used by OSC
[05:16] <davechen> morgan: cool, you looks so young. :)
[05:17] <lhcheng> davechen: ++
[05:17] <morgan> davechen: im only 34! ;) (soon 35)
[05:17] <davechen> morgan: where is your beard?
[05:17] * lhcheng almost didn't recognize morgan in ops midcycle
[05:17] <morgan> Lost it :P
[05:17] <morgan> Got bored of having one for ~10yrs
[05:17] <lhcheng> davechen: yeah, I was looking for the beard
[05:17] <davechen> morgan: looks more handsome. :)
[05:18] <morgan> lhcheng: also no glasses (RIP)
[05:18] <morgan> Though i have glasses again now.
[05:18] <morgan> Also finally
[05:19] <morgan> Moving to NYC
[05:19] <morgan> in the next couple
[05:19] <openstackgerrit> Jamie Lennox proposed openstack/keystone: Reject rule if assertion type unset  https://review.openstack.org/216088
[05:19] <morgan> Months :)
[05:19] <lhcheng> woah, nice! :D
[05:19] <lhcheng> morgan: how's your training going?
[05:19] <morgan> lhcheng: post ptl itll pick up
[05:19] <morgan> Took the day off due to migraine yesterday :(
[05:20] <lhcheng> cool, but... where would you  bike in NYC?
[05:20] <morgan> That and new bike will be ready tomorrow.
[05:20] <lhcheng> central park seems too small
[05:20] <morgan> All over. Nyc is a seriously bike friendly city
[05:20] <morgan> Have a bike path around all of manhattan
[05:21] <morgan> Also can ride out the length of long island (100mi each way)
[05:21] <lhcheng> ah there you go :)
[05:21] <lhcheng> perfect
[05:21] <morgan> Yah. Plus buying a trainer
[05:21] <morgan> So can "ride" during the winter.
[05:21] <davechen> Nyc means New York?
[05:22] <morgan> davechen: nyc = new york city
[05:22] <lhcheng> ugh..  winter is coming.. :)
[05:22] <morgan> Vs new york state
[05:22] <morgan> lhcheng: no game of thrones jokes :P
[05:22] *** Ephur has joined #openstack-keystone
[05:23] <morgan> Also.. Do you even notice winter has happened in SV?
[05:23] <lhcheng> morgan: not last season, there weren't much snow in Tahoe.
[05:23] <morgan> Yah i know :(
[05:26] <davechen> lhcheng: i meant in your testcase, is that should be ...expected_query=expected_query, region_id=region_id?
[05:26] <davechen> lhcheng: region id is the filter passed into keystone server, right?
[05:28] *** ankita_w_ has quit IRC
[05:29] <lhcheng> expected_query is the query passed to keystone,  the second one is the argument pass to the list() method.
[05:30] * lhcheng had to dig into the test_list() code to figure that out.
[05:30] <lhcheng> davechen: ^
[05:31] <davechen> lhcheng: yes, I agree, but I am doubt that your second argument is correct.
[05:32] *** asd112z has joined #openstack-keystone
[05:33] <davechen> lhcheng: I think it should be the filter passed into the keystone server, (https://github.com/openstack/keystone/blob/master/keystone/catalog/controllers.py#L318-L319)
[05:33] <davechen> the code you just modified.
[05:33] <stevemar> morgan: hurry up and get to the good time zone
[05:36] *** yottatsa has joined #openstack-keystone
[05:37] <openstackgerrit> Merged openstack/keystoneauth: Fix v2 plugin loaders to not have V2 prefix  https://review.openstack.org/216510
[05:38] <jamielennox> stevemar: as you're here i put a test on https://review.openstack.org/#/c/216088/
[05:38] <jamielennox> i'd like marekd to review as well, but it would get me out of a spot if we could merge it quickly
[05:40] *** henrynash has joined #openstack-keystone
[05:40] *** ChanServ sets mode: +v henrynash
[05:42] *** ankita_wagh has joined #openstack-keystone
[05:45] <lhcheng> davechen: the test I have is correct, the reason is 'region=region_id' is used here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/unit/v3/utils.py#L268
[05:45] <jamielennox> lhcheng: what are we discussing?
[05:45] <lhcheng> davechen: while the expected_query is used here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/unit/v3/utils.py#L268
[05:46] <lhcheng> jamielennox: this patch: https://review.openstack.org/#/c/216501/ :)
[05:46] <lhcheng> jamielennox: you can review it too if you get the chance
[05:47] <jamielennox> hmm
[05:47] <jamielennox> lhcheng: that may be an issue, because for  most people passing region= i'd expect that to be region_name and not region_id
[05:48] <davechen> lhcheng: thanks you. :)
[05:48] *** ajayaa has joined #openstack-keystone
[05:49] <lhcheng> jamielennox: hmm the old one didn't work, we didn't support a region filter in the List Endpoints API
[05:49] <davechen> lhcheng: your two link is identical.
[05:49] <jamielennox> lhcheng: lol/:(
[05:50] <lhcheng> davechen: sorry :P - while the expected_query is used here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/unit/v3/utils.py#L273-L275
[05:51] <davechen> lhcheng: I was thing that filter_kwargs passed in self.manager.list(**filter_kwargs) is just the filter we use, but I am not sure now, I will debug into it and see how it works.
[05:51] <davechen> s/thing/thinking
[05:51] *** asd112z has quit IRC
[05:55] <openstackgerrit> Merged openstack/keystone: Refactor: use fixtures.TempDir more  https://review.openstack.org/214346
[05:57] *** links has quit IRC
[05:58] *** exploreshaifali has joined #openstack-keystone
[05:58] <lhcheng> jamielennox: about the IdP specific websso, not sure if we can get it into DOA in time. I think the release team prefer to lock the requirements two weeks before the end of milestone to stabilize.
[05:59] <jamielennox> lhcheng: damn, that'd be a shame - as a library it can't go in a new version and still make L
[05:59] <jamielennox> then again, i'm almost just tempted to leave it till next cycle
[05:59] <jamielennox> it's not much code change, but i haven't managed to even get a full environment up to give it a proper test yet
[06:00] *** links has joined #openstack-keystone
[06:01] *** jaosorior has joined #openstack-keystone
[06:01] <lhcheng> jamielennox: yup, my setup is using google oidc, have to figure out how to add another IdP (which is easy to setup)
[06:03] <davechen> lhcheng: just put a comment on that patch, correct me pls.
[07:07] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/214509
[07:07] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/213894
[07:31] <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Allow specifying a region name to auth_token  https://review.openstack.org/216579
[07:32] <openstackgerrit> Merged openstack/keystone: Remove all traces of oslo incubator  https://review.openstack.org/199343
[07:35] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/214509
[08:11] <openstackgerrit> Merged openstack/keystone: Adds backend check to setup of LDAP tests  https://review.openstack.org/210087
[08:11] <openstackgerrit> Merged openstack/keystone: Creates a fixture representing as LDAP database  https://review.openstack.org/210088
[11:53] <openstackgerrit> Marek Denis proposed openstack/keystone: Fernet payloads for federated scoped tokens.  https://review.openstack.org/202176
[12:09] <samueldmq> morning
[12:52] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/214509
[12:54] *** doug-fish has joined #openstack-keystone
[12:58] <openstackgerrit> Dolph Mathews proposed openstack/keystone: Show that unscoped tokens are revoked when deleting role assignments  https://review.openstack.org/216391
[12:58] <openstackgerrit> Dolph Mathews proposed openstack/keystone: Handle tokens created and quickly revoked with insufficient timestamp precision  https://review.openstack.org/216236
[12:59] <openstackgerrit> Dolph Mathews proposed openstack/keystone: Do not revoke all of a user's tokens when a role assignment is deleted  https://review.openstack.org/216367
[13:28] <marekd> dolphm: Hi. I am curious what's your opinion on https://review.openstack.org/#/c/215221/5/keystone/auth/plugins/mapped.py esp the "avoid double encoding bit".
[13:28] *** btully has joined #openstack-keystone
[13:29] *** hrou has joined #openstack-keystone
[13:29] *** doug-fi__ has quit IRC
[13:29] *** thiagop has joined #openstack-keystone
[13:30] <openstackgerrit> Lance Bragstad proposed openstack/keystone: Refactor: rename Fernet's unscoped federated payload  https://review.openstack.org/202190
[13:31] <dolphm> marekd: i'd much rather have consistency -- but why do usernames need to be URL safe?
[13:31] <openstackgerrit> Lance Bragstad proposed openstack/keystone: Refactor: Provider._rebuild_federated_info()  https://review.openstack.org/208872
[13:31] <dolphm> marekd: oh, user IDs. i'm blind.
[13:31] <marekd> dolphm: ++ user_id
[13:31] <dolphm> marekd: why would they already be quoted?
[13:32] <marekd> dolphm: you may pass it from assertion.
[13:32] <marekd> maybe some idp issues urlencoded stuff.
[13:32] <dolphm> marekd: maybe? or they do
[13:32] <marekd> maybe
[13:32] *** btully has quit IRC
[13:33] <dolphm> marekd: i'd rather wait for a bug report to verify the "maybe" then
[13:33] <dolphm> marekd: so, assume they're never encoded
[13:33] <marekd> dolphm: hm, o
[13:33] <marekd> ok
[13:33] <marekd> so i am going to rework this patch
[13:33] <dolphm> marekd: and then *always* encode what we're given to ensure it's URL safe
[13:33] <marekd> dolphm: sure
[13:34] <marekd> dolphm: thanks
[13:40] <openstackgerrit> Marek Denis proposed openstack/keystone: Ensure ephemeral user's user_id is url-safe  https://review.openstack.org/215221
[13:40] <openstackgerrit> Marek Denis proposed openstack/keystone: Fernet payloads for federated scoped tokens.  https://review.openstack.org/202176
[13:54] <dolphm> there's no way to filter a gerrit query to remove changes where you've already reviewed the latest patchset, is there?
[13:58] *** ngupta has joined #openstack-keystone
[14:00] *** petertr7 is now known as petertr7_away
[14:02] <lbragstad> dolphm: doesn't next-review do that for you?
[14:04] <dolphm> lbragstad: it does, but i'm poking at gerrit directly
[14:05] <dolphm> lbragstad: http://cdn.pasteraw.com/oke3hfa4pjipkkr0l0j3wasbtnavars
[14:08] *** iurygregory has joined #openstack-keystone
[14:11] *** btully has joined #openstack-keystone
[14:11] *** tonytan4ever has joined #openstack-keystone
[14:12] <lbragstad> dolphm: oh, interesting...
[14:12] <lbragstad> that's a good question.
[14:12] <openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/213894
[14:13] *** petertr7_away is now known as petertr7
[14:13] <openstackgerrit> David Stanek proposed openstack/keystone: Adds a notification testcase for unbound methods  https://review.openstack.org/210478
[14:13] *** piyanai has joined #openstack-keystone
[14:15] *** mpmsimo has quit IRC
[14:16] *** raildo is now known as raildo-afk
[14:16] *** mpmsimo has joined #openstack-keystone
[14:17] *** raildo-afk is now known as raildo
[14:18] <dstanek> dolphm: try "NOT label:Code-Review<=-1,self NOT label:Code-Review>=1,self NOT owner:self"
[14:19] <dolphm> dstanek: ooooh
[14:20] <dolphm> dstanek: holy crap, thanks
[14:20] <dstanek> dolphm: np, it's a part of my dashboard
[14:21] <dstanek> http://bit.ly/dstanek-review
[14:21] *** annasort_ has joined #openstack-keystone
[14:21] <lbragstad> dstanek: wow, nice
[14:22] <dstanek> some queries in there are not perfect, but i've been gradually making them better
[14:23] <dolphm> dstanek: foreach just applies to all of them?
[14:23] <dstanek> yes
[14:24] *** annasort has quit IRC
[14:24] *** annasort_ is now known as annasort
[14:24] <dstanek> i need to write down what i'm doing there so others can benefit
[14:25] <dolphm> dstanek: i'm going to dissect your queries
[14:27] <marekd> dstanek: definitely
[14:27] <dstanek> dolphm: i can do you +1000 better - http://paste.openstack.org/show/427105/
[14:27] <dstanek> using http://git.openstack.org/cgit/stackforge/gerrit-dash-creator/
[14:27] <dstanek> openstack already has an answer for everything
[14:28] <dolphm> dstanek: don't you have to upload that to gerrit?
[14:28] *** bknudson has joined #openstack-keystone
[14:28] *** ChanServ sets mode: +v bknudson
[14:29] <dstanek> dolphm: no, it creates the URL out of the INI
[14:29] <dstanek> then i just created a bit.ly for mine
[14:30] *** annasort has quit IRC
[14:31] <dstanek> dolphm: i just ran this: .tox/py27/bin/gerrit-dash-creator --template-directory=templates/ dashboards/dstanek.dash
[14:39] <dolphm> dstanek: can you search by dependencies?
[14:41] *** petertr7 is now known as petertr7_away
[14:41] *** afaranha has joined #openstack-keystone
[14:41] *** afaranha has left #openstack-keystone
[14:42] *** petertr7_away is now known as petertr7
[14:42] <lbragstad> dstanek: re; http://paste.openstack.org/show/427105/ -- there isn't a way to add a dashboard is there?
[14:42] *** topol has joined #openstack-keystone
[14:42] *** ChanServ sets mode: +v topol
[14:43] *** links has joined #openstack-keystone
[14:44] <lbragstad> dstanek: nvm, figured it out
[14:44] <dstanek> lbragstad: add a dashboard?
[14:45] <dstanek> dolphm: search for reviews based on the dependent review?
claudiubhi. Can anyone please review this bugfix? https://review.openstack.org/#/c/211686/14:59
*** zzzeek has joined #openstack-keystone14:59
*** lhcheng has joined #openstack-keystone15:00
*** ChanServ sets mode: +v lhcheng15:00
*** vivekd has joined #openstack-keystone15:00
*** nicodemos has quit IRC15:03
morganDont think so15:04
*** thedodd has joined #openstack-keystone15:04
morgandolphm: ^ (my response was to you)15:05
morganclaudiub: that will also need to be proposed to keystoneauth15:06
dolphmdstanek: like, search for reviews with no parent review, or which ultimately depend on a specific change-id15:07
*** vivekd has quit IRC15:07
*** annasort has joined #openstack-keystone15:09
breton_dstanek: where do you put it?15:11
breton_I mean, the config15:12
*** lhcheng has quit IRC15:12
*** dave-mcc_ has quit IRC15:12
*** annasort_ has joined #openstack-keystone15:12
breton_oh, got it, nevermind15:13
*** annasort has quit IRC15:14
*** annasort_ is now known as annasort15:14
openstackgerritDave Chen proposed openstack/keystone: Refactor: Don't hard code the error code  https://review.openstack.org/19862315:16
dstanekclaudiub: is that true that you can't launch Windows instances? why is ksc running in Windows in that case?15:20
*** rm_work is now known as rm_work|away15:24
*** dave-mcc_ has joined #openstack-keystone15:26
claudiubdstanek: can't launch hyper-v instances, yes. It tries to use neutron client to fetch network related info. and it needs to authenticate first: http://paste.openstack.org/show/tUb4rXXtmV9Nafw10GzL/15:27
lbragstadmorgan: since the SPFE was granted, should we merge this in? https://review.openstack.org/#/c/199339/15:27
morganSure15:27
lbragstadmorgan: cool I'll let you pull the trigger since I uploaded a couple patches15:28
claudiubdstanek: it seems that just having that patch, nova-compute continues to work properly and instances are spawned correctly.15:28
morganlbragstad: please reference the vote (link to it in the comment) and go ahead and +a it15:28
*** amg__ has joined #openstack-keystone15:29
dstanekclaudiub: interesting. what's actually running on the windows machine?15:30
claudiubdstanek: hm, can you be more specific? we run nova-compute, neutron-hyperv-agent and ceilometer-agent-compute, if that's what you want to know15:30
amg__Has anyone had success using Heat with an AD ident service in Keystone? Running into issues with Kilo on Cent7. Keep getting the error: "ERROR (heat-keystone-setup-domain:124) User 'cs-os-users' is not authorized to perform this operation, please try with other OS_USERNAME setting."15:31
amg__I'm using a user that has admin level privs.15:31
claudiubdstanek: needed for Hyper-V compute nodes, in order to deploy Hyper-V instances.15:31
amg__But no joy15:31
claudiubdstanek: as for packages, the dependencies those projects need, defined in their requirements.txt15:32
dstanekclaudiub: there is something running on Windows that is using keystoneclient. i'm wondering what that is15:32
claudiubdstanek: nova-compute15:33
dstanekclaudiub: i didn't realize that it could run on Windows15:33
amg__There was some issue with the previous version of the heat-keystone-setup-domain but they supposedly resolved it and pushed it out. I'm thinking that there is something going awry when the user (even though the privs are right) tries to auth and the MySQL assignment DB isn't playing along.15:34
claudiubdstanek: well, hyper-v has been in nova for a few years..15:34
amg__I'd like to avoid it, but it's been suggested that multiple backends might fix this? Not sure that's the direction I want to go, but if we must...15:34
openstackgerritMerged openstack/keystone-specs: IDP specific websso  https://review.openstack.org/19933915:35
dstanekclaudiub: i'm just surprised that nova doesn't call it out with a trove classifier15:35
claudiubdstanek: well, i don't think that can change on the nova side any time soon, since it's very close to freeze.15:37
dstanekclaudiub: i'm not saying to change nova. the classifiers are how you advertise support for a platform15:38
*** mpmsimo has quit IRC15:39
claudiubdstanek: ah, I see what you mean15:39
claudiubdstanek: yeah, it might be a good idea to update that in the future15:40
*** amg__ has quit IRC15:42
*** lsmola has quit IRC15:44
*** links has quit IRC15:44
*** mpmsimo has joined #openstack-keystone15:44
dstanekclaudiub: so basically the problem with sigmavirus24's suggestion is that requests uses socket.setsockopt instead of sock.ioctl?15:49
sigmavirus24dstanek: yeah, I'm working on a way to allow people to use ioctl in urllib315:49
sigmavirus24That said, it won't be ready in time for that patch to land15:50
sigmavirus24Which means windows consumers get wildly different (although functional) behaviour15:50
dstaneksigmavirus24: i'm OK with that since we don't advertise official Windows support :-)15:50
*** vivekd has joined #openstack-keystone15:52
sigmavirus24dstanek: warning, by accepting patches to fix something on a platform, you're implicitly supporting it15:52
sigmavirus24Which translates into official support =P15:52
dstaneksigmavirus24: by wildly different .... it's just using the TCP defaults for the Windows installation right?15:52
claudiubdstanek: yeah, for SIO_KEEPALIVE_VALS, sock.ioctl must be used. And yeah, I'd say it's better to have it working, rather than not at all.15:52
sigmavirus24Right which will be much much longer15:52
sigmavirus24Still it will hang for less than forever15:53
sigmavirus24But it'll hang for probably on the order of hours15:53
sigmavirus24dstanek: if only I had a way of not having to spend all my free time working on fixes for things upstream of openstack15:53
dstaneksigmavirus24: i thought you loved it!15:54
dstaneki'm actually surprised that we don't have other broken things on windows15:54
dstanekmorgan, dolphm: what has been the traditional level of support for running clients on Windows? i've never seen anyone ask about it until this bug15:56
morganCygwin i think15:56
morganBut not sure.15:56
*** piyanai has quit IRC15:57
morganI assume things mostly work15:57
claudiubcygwin is quite inefficient...15:57
*** petertr7 is now known as petertr7_away15:58
morganEven without cygwin. Mostly work. But i haven't heard a lot about this being run on windows directly without cygwin15:58
dstanekmorgan: likely because ksc doesn't work15:59
*** doug-fish has quit IRC15:59
morganSure15:59
*** pnavarro has quit IRC16:00
*** dikonoor has quit IRC16:00
*** doug-fish has joined #openstack-keystone16:01
*** _cjones_ has joined #openstack-keystone16:03
*** djc_ has joined #openstack-keystone16:03
dstanekclaudiub: i'm going to leave it at a medium since nobody else has complained about it, which seems weird if we broke an official hypervisor implementation16:04
djc_Has anyone used dual identity backends for keystone? AD and mysql?16:04
*** amg__ has joined #openstack-keystone16:04
dstanekclaudiub: besides you have a patch that you have to convince people to approve. at this point the priority doesn't much matter16:05
amg__good question djc_16:05
claudiubdstanek: it's because it's broken on the current master. When Liberty will be released / stable, there will be many more users for it16:05
amg__It seems I've never found much on it, but never really looked that hard.16:05
dstanekclaudiub: they weren't using ksc before?16:05
amg__Anyone have a good doc for multiple ident services for keystone?16:05
claudiubdstanek: and then there will be more complaints. :)16:06
claudiubdstanek: ksc?16:06
claudiubkeystone client?16:06
dstanekclayton: yes16:06
dstanekit would seem that any release using the newest version would fail16:06
claudiubyeah, it was, but I think those socket options are new16:06
*** mylu has joined #openstack-keystone16:06
claudiubdstanek: https://github.com/openstack/python-keystoneclient/blob/stable/kilo/keystoneclient/session.py#L852 this is in stable/kilo16:08
*** aix has quit IRC16:08
claudiubdstanek: only TCP_NODELAY and SO_KEEPALIVE are there, which are fine16:08
*** marzif has quit IRC16:12
*** vivekd has quit IRC16:16
*** djc_ has quit IRC16:17
*** jistr has quit IRC16:17
*** tellesnobrega_af is now known as tellesnobrega16:18
*** tonytan4ever has quit IRC16:20
*** e0ne has quit IRC16:20
*** amg__ has quit IRC16:20
*** mylu has quit IRC16:22
*** vivekd has joined #openstack-keystone16:25
*** tonytan4ever has joined #openstack-keystone16:26
*** exploreshaifali has joined #openstack-keystone16:27
*** marzif has joined #openstack-keystone16:28
*** fhubik is now known as fhubik_brb16:30
*** mylu has joined #openstack-keystone16:31
*** fhubik_brb is now known as fhubik16:32
*** urulama has quit IRC16:33
*** urulama has joined #openstack-keystone16:34
*** jdennis has quit IRC16:41
*** __TheDodd__ has joined #openstack-keystone16:42
*** gyee has joined #openstack-keystone16:43
*** ChanServ sets mode: +v gyee16:43
*** thedodd has quit IRC16:43
*** fhubik has quit IRC16:43
*** ankita_wagh has joined #openstack-keystone16:45
alextricitySo i was trying to set up keystone with AD, and used the service token to update assignments and such. But now i'm getting:16:51
alextricityERROR: openstack An unexpected error prevented the server from fulfilling your request: badly formed hexadecimal UUID string (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-e1469ab5-9d7a-4edd-9507-b69c5afde644)16:51
alextricityAnybody seen this?16:51
ekarlsois authlib in soon ?16:51
*** csoukup has joined #openstack-keystone16:52
*** ankita_w_ has joined #openstack-keystone16:55
*** roxanaghe has joined #openstack-keystone16:56
*** ankita_wagh has quit IRC16:58
*** errr has joined #openstack-keystone16:58
*** piyanai has joined #openstack-keystone17:00
raildon17:01
*** josdotso has joined #openstack-keystone17:06
josdotsoIn Kilo, using federation, does user mapping mean that a trusted foreign user need not have a user record in the local Keystone/mysql?17:07
josdotsoOr is there a user record inserted locally whenever a truster user accesses a foreign Openstack?17:08
*** e0ne has joined #openstack-keystone17:08
josdotso*inserted at the foreign system whenever...17:09
josdotsoRe: http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/17:10
*** mestery has quit IRC17:14
*** djc_ has joined #openstack-keystone17:15
*** jaosorior has quit IRC17:15
djc_is it possible to have a hybrid identity backend for keystone (AD & mysql)?17:15
morgandjc_: what do you mean by hybrid?17:16
morganjosdotso: in kilo you can have either a local record or an ephemeral user that federation maps to17:17
josdotsomorgan: thanks!17:17
morganjosdotso: it depends on which method you prefer17:17
dstanekbrowne: i think you want to take off a 0 there17:17
morganAnd it is based on the mapping rules.17:17
djc_morgan: we were using AD as the backend to keystone. This worked until we tried to install and configure heat orchestration. Heat does not play well with AD. We changed the backend to mysql and were able to complete the installation. Would it be possible to have service accounts like heat, glance nova in mysql and user accounts in AD?17:17
openstackgerritEric Brown proposed openstack/keystone: Use min and max on IntOpt option types  https://review.openstack.org/21237317:18
morgandjc_: yes. That is the per-domain-backends17:18
*** lhcheng has joined #openstack-keystone17:18
*** ChanServ sets mode: +v lhcheng17:18
morgandjc_: the idea is that you put the service users in one domain (sql) and the non-service users in another domain (backed by AD)17:18
morganThis does require using keystone v3 however17:19
djc_morgan: is there any documentation on this you could point me towards? I've been googling to no avail. Maybe using wrong search terms.17:19
brownedstanek: so 100000 instead of 1000000?17:19
*** petertr7_away is now known as petertr717:20
dstanekbrowne: yeah, 9 seconds is way too long for a single operation like that17:20
morgandjc_: there is but i'll need to find it. In our docs (configuration) look for per-domain identity17:20
brownedstanek: 1000000 is about 0m1.918s.  100000 is 0m0.335s17:20
djc_morgan: and this would be in the keystone.conf file correct?17:21
dstanekbrowne: actually i read it wrong....but i still think 100k17:21
morgandjc_:  here is a great post on it http://www.ibm.com/developerworks/cloud/library/cl-configure-keystone-ldap-and-active-directory/index.html17:21
morganThat post is written by henrynash. He wrote the code for per-domain backends17:21
*** doug-fish has quit IRC17:21
brownedstanek: sure i can make 100k17:22
dstanekdolphm, lbragstad: didn't you guys have some performance numbers based on the number of rounds for fernet?17:22
djc_morgan: thanks. I really appreciate it. I will read the post.17:22
lbragstaddstanek: yeah, it was buried in a review from long long ago17:22
morgandjc_: and http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers is our internal docs17:22
morganRounds for fernet?17:22
djc_morgan: Even better. Thanks.17:23
morganFernet iirc doesnt use "rounds" directly17:23
lbragstaddstanek: are you referring to the password crypt strength?17:23
morgandjc_: the blog post will be more in depth17:23
dstaneklbragstad: yes17:23
morgandstanek: fernet doesnt use rounds like the password hashing does.17:23
*** mestery has joined #openstack-keystone17:23
morganSince fernet is a signature and real encryption not one way hashing17:24
dstanekmorgan: when we were bench marking fernet we were tuning the # of rounds to get performance statistics17:25
morganRounds are strictly password afaik17:25
morganIt can affect how fast password validation is17:26
dolphmdstanek: yeah, not for fernet, it was just password hashing on auth17:26
morganBut the crypt strength in the keystone.conf has nothing to do with the fernet token itself17:26
*** mpmsimo has quit IRC17:27
dolphmfernet crypt "strength" is fixed at 128-bit AES CBC17:27
*** jecarey has quit IRC17:29
dstanekright... mistype ... i meant when we were looking into performance when fernet was being implemented ... it wasn't a fernet issue, but i think that's when we found it17:29
morgandolphm: ++17:30
dstaneki want to check out the numbers and compare them to browne's. if we are going to advertise a max rounds, i don't want it to be unusable17:32
*** jasonsb has quit IRC17:33
lbragstaddstanek: https://github.com/openstack/keystone/commit/67e0ba5ee2108731050e26f7b4dd6c8d3dab118d17:33
lbragstadI think that was the one17:33
*** jasonsb has joined #openstack-keystone17:34
lbragstaddstanek: https://review.openstack.org/#/c/165295/17:34
*** piyanai has quit IRC17:35
dstaneklbragstad: that's it. thx17:37
*** ajayaa has quit IRC17:37
*** jasonsb has quit IRC17:38
*** mylu has quit IRC17:38
dstanekbrowne: ^ check out those links for why 40k was too high17:39
brownedstanek: ok, i'll take a look17:39
*** exploreshaifali has quit IRC17:40
*** mylu has joined #openstack-keystone17:44
*** djc_ has quit IRC17:48
*** piyanai has joined #openstack-keystone17:51
samueldmqhmm, lbragstad just updated the meeting page, needed to do a rebase -i17:53
samueldmq:)17:53
*** urulama has quit IRC17:54
vivekddstanek: hi17:54
lbragstadsamueldmq: oh really? conflict?17:54
lbragstadsamueldmq: sorry about that17:54
vivekddstanek last week you had said that you would bring up the stable driver interfaces in today's meeting but i see that you have not added it in the agenda @ https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting17:54
*** urulama has joined #openstack-keystone17:55
brownedstanek: is 100k a fair max?  that allows for growth in speed of cpus in the future.  40k was too high for a default if i read correctly, but not necessarily as a max17:56
samueldmqlbragstad, haha np, just because I updated the whole agenda (due to indentation)17:56
*** ngupta has quit IRC17:56
samueldmqvivekd, hi, feel free to do so, anyone can add topics to the agenda17:57
samueldmqvivekd, just to let you know :)17:57
*** tqtran has joined #openstack-keystone17:57
openstackgerritEric Brown proposed openstack/keystone: Use min and max on IntOpt option types  https://review.openstack.org/21237317:58
vivekdsamueldmq: ok. but it was dstanek who wanted to discuss. is it ok if i add it on his behalf?17:58
dstanekvivekd: hi. did i say i would do that?17:58
*** samleon has quit IRC17:58
dstanekvivekd: we had a good discussion on in yesterday in irc so it may not be necessary anymore17:58
*** henrynash has joined #openstack-keystone17:59
*** ChanServ sets mode: +v henrynash17:59
*** mpmsimo has joined #openstack-keystone18:00
vivekdyes dstanek18:00
vivekddstanek: ok18:00
*** doug-fish has joined #openstack-keystone18:01
*** mpmsimo has quit IRC18:03
*** mpmsimo has joined #openstack-keystone18:03
josdotsoWould it be possible to create a broker Keystone (tier a) with Federated trusts to a tier (b) that already has external trusts to another tier (c)?  Such that the broker tier (a) contains no users, but maps users from the all of tier c, via b? :)18:06
*** browne has quit IRC18:06
*** ngupta has joined #openstack-keystone18:07
*** amg__ has joined #openstack-keystone18:10
*** piyanai has quit IRC18:10
*** marzif has quit IRC18:11
*** jasonsb has joined #openstack-keystone18:12
*** tonytan4ever has quit IRC18:14
*** urulama_ has joined #openstack-keystone18:14
*** ksavich has joined #openstack-keystone18:15
*** lhcheng_ has joined #openstack-keystone18:15
*** _sigmavirus24 has joined #openstack-keystone18:16
*** lhcheng has quit IRC18:17
*** urulama has quit IRC18:17
*** sigmavirus24 has quit IRC18:17
*** Qlawy has quit IRC18:17
*** Qlawy has joined #openstack-keystone18:18
*** Qlawy has joined #openstack-keystone18:18
*** _sigmavirus24 is now known as sigmavirus2418:20
*** sigmavirus24 has joined #openstack-keystone18:20
*** doug-fish has quit IRC18:23
*** jecarey has joined #openstack-keystone18:27
*** doug-fish has joined #openstack-keystone18:29
*** tonytan4ever has joined #openstack-keystone18:31
*** jsavak has quit IRC18:40
*** henrynash has quit IRC18:42
dstanekif you can subvert the TLS cert then you can subvert the policy signing cert!18:42
lhcheng_that's a good argument18:43
morganjosdotso: i am not sure i can parse that question... But possibly?18:45
josdotsomorgan: sorry for the confusion.  I guess it's keystone trusting keystone trusting keystone18:45
morganKeystone can federate to other keystones ... So likely but i havent tried it.18:45
morganIt would mean a lot of sso-handoff-auth to get from b to c18:46
morganAuth with b, sso auth to a, sso auth to c18:46
josdotsoThanks for your help.  That makes sense to me.18:47
gyeedstanek, its not just about TLS, its about checking to make sure the file downloaded is the same as the one at the server, that's all18:48
dstanekgyee: what's the case where it won't be?18:49
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687018:49
*** csoukup has quit IRC18:51
lhcheng_gyee: have you heard back from security guys if we want pycadf notifications for ^18:52
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687018:52
*** jasonsb has quit IRC18:52
*** marzif has joined #openstack-keystone18:52
*** jasonsb has joined #openstack-keystone18:53
*** mylu has quit IRC18:53
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687018:53
*** urulama_ has quit IRC18:54
*** urulama has joined #openstack-keystone18:54
openstackgerritRoxana Gherle proposed openstack/python-keystoneclient: Deprecate default admin endpoint type for v3 client  https://review.openstack.org/18520018:54
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687018:56
gyeelhcheng_, yes, we need CADF on auth, but my understanding is that mapping validation already produces CADF, no?18:57
roxanaghebknudson, for the "default endpoint type switched to public" patch did you suggest adding that to feature/keystoneauth_integration branch or somewhere else?18:57
gyeedstanek, dunno, you never downloaded anything corrupted before?18:57
*** spandhe has joined #openstack-keystone18:58
roxanaghebknudson, this is the review that I uploaded https://review.openstack.org/#/c/215261/, but dstanek was asking if it's the right place..18:58
bknudsonroxanaghe: the feature branch is the right place since that will be ksc 2.018:58
roxanaghebknudson, ok thx18:58
*** mylu has joined #openstack-keystone19:02
lhcheng_gyee: idk if mapping emits a pycadf notification, I don't recall seeing a pycadf resource related to mapping validation19:03
gyeelhcheung_, k, in that case, we need to add it19:05
*** mylu has quit IRC19:05
*** mylu has joined #openstack-keystone19:06
raildomaybe we I think that we can approve this19:07
raildomaybe we can approve this patch* https://review.openstack.org/#/c/189366/19:07
lhcheng_gyee: I'll check with stevemar when I catch him online.19:08
*** lhcheng_ is now known as lhcheng_away19:08
*** ksavich has quit IRC19:16
*** claudiub has quit IRC19:16
*** tqtran has quit IRC19:21
*** jlk has joined #openstack-keystone19:21
*** jasonsb has quit IRC19:21
jlkhey all, I'm in need of tracing through keystonemiddleware, and how it interacts with python requests. I've got a bug where when I supply a certs file requests barfs on it, and I'd like to trace through that. (this is through swift proxy too). Are there any helpful hints for making this work, because I can't seem to get it to either use pdb or epdb to get me an interactive session19:22
*** rm_work|away is now known as rm_work19:23
*** jdennis has joined #openstack-keystone19:23
gyeejlk, what do you mean "barfs on it"?19:25
*** ngupta has quit IRC19:25
gyeeopenssl cli is your best friend in debugging SSL issues19:25
*** dims__ has quit IRC19:25
jlkyeah, I think I'm going to have to go there, but requests is reporting an error of no such file when referencing the cert19:26
*** dims has joined #openstack-keystone19:26
jlkwell, crap something just changed, hold.19:26
*** exploreshaifali has joined #openstack-keystone19:27
*** rm_work is now known as rm_work|away19:27
*** jdennis has quit IRC19:28
*** csoukup has joined #openstack-keystone19:29
dstanekjlk: can you make a small testcase outside of middleware to debug?19:32
jlkI'm trying19:32
dstanekjlk: also i've used rpdb against keystone so i'm assuming it would work against swift19:34
jlkugh, finally got it to start up again.19:34
jlkhttps://gist.github.com/j2sol/d190eab86f9499aef6d9  is the error I get19:35
jlkthe file exists, the swift user is able to read it19:35
jlkI'm not sure what options to openssl command line would be appropriate to validate its format19:35
*** jasonsb has joined #openstack-keystone19:36
gyeelooks like it doesn't like the double quotes in the path19:37
*** jdennis has joined #openstack-keystone19:37
gyee'"..."'19:37
jlk.....19:37
dstanekmarekd: you still hanging out in here?19:38
gyee[Errno bad ca_certs: '"/etc/ssl/certs/ca-certificates.crt"']19:38
gyee[('system library', 'fopen', 'No such file or directory'),19:38
jlkyeah I can't believe I overlooked the quotes.19:38
jlkholy crap that was it.  That's so silly19:38
dstanekjlk: you seem to have extra doubles19:38
gyeeyeah, it happens :)19:39
* dstanek is always late to the party19:39
jlkno, the config file only has single doubles.19:39
jlkI took out all quotes and it works19:39
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism  https://review.openstack.org/21685119:41
jlkchanging config in this way makes it work:  cafile = "/etc/ssl/certs/ca-certificates.crt"  -> cafile = /etc/ssl/certs/ca-certificates.crt19:41
gyeefood time19:42
*** gyee has quit IRC19:42
*** greystart has quit IRC19:43
*** ankita_w_ has quit IRC19:43
openstackgerritDavid Stanek proposed openstack/keystone: Ensure ephemeral user's user_id is url-safe  https://review.openstack.org/21522119:43
jlkFeels like something that's kinda broken in either keystone middleware config parsing, or swift parsing of those options sending them to keystone middleware.19:44
dstanek^ federation review that should be ready to merge!19:44
*** marzif_ has joined #openstack-keystone19:44
*** marzif has quit IRC19:46
*** ankita_wagh has joined #openstack-keystone19:47
*** samueldmq has quit IRC19:48
*** ngupta has joined #openstack-keystone19:50
*** ngupta has quit IRC19:52
*** ngupta has joined #openstack-keystone19:52
*** dtroyer has joined #openstack-keystone19:55
*** jasonsb has quit IRC20:02
*** jasonsb has joined #openstack-keystone20:03
*** browne has joined #openstack-keystone20:05
*** tonytan4ever has quit IRC20:06
*** petertr7 is now known as petertr7_away20:11
*** mylu has quit IRC20:17
*** exploreshaifali has quit IRC20:17
*** amg__ has quit IRC20:18
openstackgerritLance Bragstad proposed openstack/keystone: Additional documentation for services  https://review.openstack.org/21118420:18
*** mylu has joined #openstack-keystone20:19
*** mpmsimo has quit IRC20:25
*** mpmsimo has joined #openstack-keystone20:26
*** tqtran has joined #openstack-keystone20:32
*** ngupta has quit IRC20:33
*** lhcheng_away is now known as lhcheng20:34
*** ChanServ sets mode: +v lhcheng20:34
*** ngupta has joined #openstack-keystone20:34
morganjlk: it's a config processor but since swift loads in from paste-ini (iirc) there is little we can do20:34
morganjlk: if they loaded with oslo.config it is a bit easier20:34
*** e0ne has quit IRC20:35
*** gyee has joined #openstack-keystone20:41
*** ChanServ sets mode: +v gyee20:41
*** ngupta__ has joined #openstack-keystone20:44
openstackgerritMerged openstack/keystone: Update Httpd configuration docs for sites-available/enabled  https://review.openstack.org/20802520:44
*** henrynash has joined #openstack-keystone20:45
*** ChanServ sets mode: +v henrynash20:45
openstackgerritMorgan Fainberg proposed openstack/keystone: No More .reload_backends() or .reload_backend()  https://review.openstack.org/21647320:45
*** henrynash has quit IRC20:51
*** samleon has joined #openstack-keystone20:57
*** pnavarro has joined #openstack-keystone20:58
*** thiagop has quit IRC20:59
*** josdotso has quit IRC21:00
*** raildo is now known as raildo-afk21:03
*** tqtran has quit IRC21:06
*** pnavarro has quit IRC21:06
*** geoffarnold is now known as geoffarnoldX21:09
*** geoffarnoldX is now known as geoffarnold21:09
*** geoffarnold is now known as geoffarnoldX21:09
*** doug-fish has quit IRC21:12
morgandstanek: I cc'd you on an email re summit space, please let me know if it looks out of whack21:13
morgandstanek: i'll bug stevemar about it as well when he's back21:13
*** hrou has quit IRC21:14
*** doug-fish has joined #openstack-keystone21:16
*** doug-fis_ has joined #openstack-keystone21:17
*** jecarey has quit IRC21:18
*** doug-fis_ has quit IRC21:18
*** doug-fis_ has joined #openstack-keystone21:19
*** doug-fish has quit IRC21:20
*** dave-mcc_ has quit IRC21:21
*** jecarey has joined #openstack-keystone21:21
*** pnavarro has joined #openstack-keystone21:23
*** exploreshaifali has joined #openstack-keystone21:26
jlkmorgan: thanks. I'll see if I can chase up a bug to file on the swift side.21:33
morganjlk: you wont win that argument21:33
morganswift doesn't use oslo_* packages21:33
jlkdepends on who I argue with21:33
jlkif they don't use them, then it's certainly a bug in their own parser21:34
morganwell except this is parsed out of paste-ini i think21:34
jlkif not a bug in the parser, then a bug in the documentation for their config files.21:34
morganwhich is a paste-ism21:34
morgannot really a bug21:34
morganjust the way paste pulls the item in, if it has quotes, it has quotes (literal) and when converted to a string it maintains the quotes21:34
morgannow a bug in documentation, sure21:35
*** pnavarro has quit IRC21:36
jlkfurther fun, they embed their own keystone middleware it seems.21:37
*** mylu has quit IRC21:37
*** urulama has quit IRC21:38
*** urulama has joined #openstack-keystone21:38
*** annasort has quit IRC21:39
jlkwell they have it, but don't necessarily use it21:41
*** bknudson has quit IRC21:42
*** mylu has joined #openstack-keystone21:44
*** ngupta has quit IRC21:44
*** ngupta__ has quit IRC21:44
*** doug-fis_ has quit IRC21:44
*** tonytan4ever has joined #openstack-keystone21:47
*** e0ne has joined #openstack-keystone21:48
*** diazjf has left #openstack-keystone21:49
*** jecarey has quit IRC21:50
*** claudiub has joined #openstack-keystone21:57
*** geoffarnoldX is now known as geoffarnold21:57
*** pgbridge has quit IRC21:57
*** samueldmq has joined #openstack-keystone21:58
*** edmondsw has quit IRC21:58
openstackgerritMerged openstack/keystoneauth: Fix plugin loading tests  https://review.openstack.org/21651121:59
*** mpmsimo has left #openstack-keystone22:00
morganjlk: yah22:01
*** lhcheng has quit IRC22:01
openstackgerritClaudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager  https://review.openstack.org/21168622:07
*** aix has joined #openstack-keystone22:07
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952422:09
morgandstanek: any value in enforcing .load_backends is called only ones?22:14
morganonce*22:14
morgandstanek: load_fixtures should be for sure only called once.22:15
*** e0ne has quit IRC22:16
openstackgerritTerry Howe proposed openstack/keystoneauth: Raise exception for v2 with domain scope  https://review.openstack.org/21688322:17
*** lhcheng has joined #openstack-keystone22:20
*** ChanServ sets mode: +v lhcheng22:20
*** mylu has quit IRC22:20
*** a2hill has joined #openstack-keystone22:21
*** a2hill has left #openstack-keystone22:23
openstackgerritMerged openstack/keystone-specs: fix a simple typo "ì" -> "i"  https://review.openstack.org/21544422:25
morganreally we had an ì in the specs :P22:25
morganheheh22:26
jlkcute.22:28
jlkmorgan: almost as fun as finding languages in which "tolower" and "toupper" have ambiguous meaning, and can crash software.22:28
morganjlk: SIGSEGV22:28
dstanekmorgan: if it stops the stupid, then it's a good idea22:28
morgandstanek: load_fixtures... putting a simple enforce in so it is only ever called once... 1780 failed tests22:29
morganall ldap22:29
morganbecause ... it was easier to just reload/re-populate things than split tests apart22:29
morgandstanek: at least it is easy to fix. just ... ugh.22:29
morganonce this is done it'll be easier to not need a "clean" LDAP for functional tests22:29
*** tonytan4ever has quit IRC22:29
dstanekmorgan: yeah, some tests do it accidentally since their setup does it and some parent's too... others explicitly do it22:29
morganthis is more explicit22:30
morgan"load things like you normally one, then muck with configs, then reload things"22:30
* morgan wonders why it isn't "muck with configs then load stuff in"22:30
morganI think I'm going to add a couple calls to enforce .config_overrides is called once22:30
morgan(and is always called)22:30
morganand i am debating if load_fixtures should always be called or not22:31
*** mylu has joined #openstack-keystone22:31
*** samleon has quit IRC22:32
*** csoukup has quit IRC22:32
openstackgerritgordon chung proposed openstack/keystonemiddleware: use the same context across a request  https://review.openstack.org/21688922:35
dstanekmorgan: extracurricular activities https://pypi.python.org/pypi/tox-run-command22:39
morganooo22:39
dstanekwas trying to make a better version of with_venv.sh that integrates better with our dev tools22:42
gyeedstanek, morgan, https://review.openstack.org/#/c/209524/22:42
gyeejust want to make sure we are on the same page22:43
*** tqtran has joined #openstack-keystone22:43
dstanekgyee: not really. i like the idea of just having a subclass per version22:44
dstanekwe can deprecate classes, remove them when they are unsupported, etc22:45
gyeedstanek, you mean Compatiblizer?22:45
morgandstanek: yes subclass per version22:46
gyeeyou mean like Kilodriver, LibertyDriver, etc?22:46
morgangyee: use numbers but yes.22:46
morganbecause if liberty doesn't change the interface22:47
morganwe don't need to increment22:47
morganfor example22:47
gyeesome some subclass may just be a "pass" if there are no new interfaces22:47
dstanekgyee: yep, like morgan said, with numbers22:47
dstanekno magic meta classes needed22:47
gyeelike Driver12, Driver13,22:47
dstanekgyee: ++ yep, then it's explicit that there are no changes22:48
dstanekok, gotta run. be back in a hour22:48
morgandstanek: i would argue if there are no changes, don't increment/make a new class22:48
*** spandhe_ has joined #openstack-keystone22:48
gyeemorgan, like the way we handle sql migration?22:49
morganbasically yes22:49
*** spandhe has quit IRC22:49
*** spandhe_ is now known as spandhe22:49
morganif you make a change create the new driver22:49
gyeek22:49
morganif we lock the interface at the milestone, then after the <marker> we would create a new interface *if* a change occurs22:50
gyeek22:50
gyeevivekd, ^^^22:50
*** dsirrine has quit IRC22:50
openstackgerritMorgan Fainberg proposed openstack/keystone: No More .reload_backends() or .reload_backend()  https://review.openstack.org/21647322:53
openstackgerritMorgan Fainberg proposed openstack/keystone: Enforce .config_overrides is called exactly once  https://review.openstack.org/21689222:53
morganARGH22:53
morganwhy did it do that...22:53
* morgan glares angrily at git-review22:55
gyeedependency fail? :)22:55
*** asd112z has quit IRC22:59
*** shoutm has joined #openstack-keystone23:01
vivekdgyee: subclassing is ok whenever we create a new interface.23:02
vivekdgyee: but we want to warn the user when he's running an older driver implementation against a newer interface.23:02
vivekdgyee: the metaclass serves that purpose23:02
gyeevivekd, you can do it with subclass too right?23:03
gyeejust check the parent to see which version it is implementing23:03
*** dsirrine has joined #openstack-keystone23:03
vivekdgyee: that parent check logic again has to be placed inside a metaclass na?23:04
*** __TheDodd__ has quit IRC23:08
gyeevivekd, actually, you don't have to do parent check at all23:08
vivekdgyee: say we've driver11, 12, interfaces and "driver11impl" implementing driver11 interface.23:08
gyeeas each class would still define INTERFACE_VERSION23:08
gyeeso your code still works23:08
vivekdgyee: inside metaclass we can check that driver11impl is not implementing the latest(driver12) and so warn the user23:10
vivekdgyee: ok23:10
openstackgerritMerged openstack/python-keystoneclient: Deprecate ServiceCatalog.get_urls() with no attr  https://review.openstack.org/20581023:12
gyeevivekd, if I understand morgan and dstanek correctly, it's a small change from your current patch23:13
gyeesomething like23:13
gyeeclass Driver12(Driver):23:13
gyee    interface_version = manager.LIBERTY23:13
vivekdgyee: ok. u mean this Driver12 class needs to be added in all core.py files containing Driver interfaces?23:15
gyeevivekd, right23:16
gyeeand have the backends implement that class23:17
*** gordc has quit IRC23:17
gyeeinterface23:17
*** mylu has quit IRC23:17
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for Session.construct()  https://review.openstack.org/20581223:17
openstackgerritMerged openstack/python-keystoneclient: Deprecate use of cert and key  https://review.openstack.org/20581323:18
*** mylu has joined #openstack-keystone23:18
vivekdgyee: ok then shall i add those two lines in all core.py files and modify all implementations to inherit this new class Driver12 and resubmit the patch now?23:20
vivekdgyee: will u be available to review it now?23:21
gyeevivekd, right23:21
gyeemorgan, dstanek, does that sound right?23:21
*** mylu has quit IRC23:22
*** bitblt has joined #openstack-keystone23:28
*** bitblt has quit IRC23:28
*** mylu has joined #openstack-keystone23:29
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for Session.get_token()  https://review.openstack.org/20581723:29
*** marzif_ has quit IRC23:29
openstackgerritMerged openstack/python-keystoneclient: Deprecate create v2_0 Client without session  https://review.openstack.org/20582023:31
openstackgerritMerged openstack/python-keystoneclient: Deprecate create v3 Client without session  https://review.openstack.org/20582223:32
*** mylu has quit IRC23:33
*** vivekd_ has joined #openstack-keystone23:35
*** vivekd has quit IRC23:36
*** vivekd_ is now known as vivekd23:36
*** annasort has joined #openstack-keystone23:40
*** annasort has quit IRC23:41
*** zzzeek has quit IRC23:45
*** zzzeek has joined #openstack-keystone23:49
*** dave-mccowan has joined #openstack-keystone23:49
dstanekmorgan: gyee: vivekd: i have to read up, but the reason i like 1 version per release (even if no changes are made) is that it makes it very easy for developers to know what the current version is23:50
dstanekit's not 5 for identity, 2 for assignment and 10 for tokens23:50
gyeedstanek, that's fine23:50
gyeeno disagreement here23:50
dstanekgyee: vivekd: it's much easier than what you are thinking. a driver subclasses identity.DriverV1, when DriverV2 is published we add the deprecated decorator to DriverV1.__init__23:53
*** zzzeek has quit IRC23:53
gyeedstanek, but you don't want to deprecate if no new interfaces are added right?23:54
dstanekgyee: then you just make the decision for that driver not to deprecate it. it can be done driver by driver.23:56
gyeedstanek, yeah, makes sense23:56
gyeethat way, we don't need to do any version check23:56
gyeegreat idea!23:56
dstanekit's very simple and takes advantage of what we are already doing so there is less to learn23:57
dstaneki'll document some of my thoughts and push up a review23:58
gyeedstanek, ++23:58
dstanekneed to get some of these other patches mergeable first23:58
