Tuesday, 2015-09-15

*** btully has quit IRC00:01
*** mylu has quit IRC00:07
*** mylu has joined #openstack-keystone00:08
*** dsirrine has joined #openstack-keystone00:10
openstackgerritJamie Lennox proposed openstack/keystone: Reject rule if assertion type unset  https://review.openstack.org/21608800:26
*** roxanagh_ has joined #openstack-keystone00:26
jamielennoxmorgan, mordred: any concerns about: https://review.openstack.org/#/c/221738/00:26
openstackgerritHidekazu Nakamura proposed openstack/keystone: Update development environment set up doc  https://review.openstack.org/22302000:26
jamielennoxit'd be the same patch for keystoneauht00:27
mordredjamielennox: lgtm - let me check with jeblair00:31
*** roxanag__ has joined #openstack-keystone00:35
*** roxanagh_ has quit IRC00:35
morganjamielennox: no issues but will defer to mordred and jeblair00:41
morganjamielennox: I have another idea that can come later on00:41
jamielennoxi can't see any reason it'd be an issue, it just prevents multiple threads authenticating at the same time00:41
morganBut this is a good starting place00:41
jamielennoxso we can have auths from config shared across threads00:41
jamielennoxmorgan: oh?00:42
jamielennoxmorgan: also when you have a moment can you look at https://review.openstack.org/#/c/212341/ again - i want to get those auth_token reviews moving again00:42
morganYeah. A way to do an async "reauth" if it is still valid00:42
*** dsirrine has quit IRC00:42
morganSo a runner reauths but we don't block waiting on a reauth (optional)00:43
jamielennoxhmm, i had wondered about that because it will attempt to get a new token ~30 seconds before the old one expires00:43
morganThe lock is still needed00:43
jamielennoxor if invalidated immediately00:43
morganSo this is where to start00:43
jamielennoxyep, this would be required either way00:43
morganYep. So LGTM as long as no issues are flagged by jeblair or mordred00:44
*** samueldmq1 has joined #openstack-keystone00:44
*** samueldmq1 has quit IRC00:44
*** samueldmq has quit IRC00:44
*** samueldmq has joined #openstack-keystone00:45
*** tqtran has quit IRC00:46
openstackgerritLance Bragstad proposed openstack/keystone: Update federation router with missing call  https://review.openstack.org/22336100:47
mordredjamielennox: I don't think serializing those auths will be a problem for nodepool- we should not e auth-ing frequently and we certainly want to serialize if need be00:47
*** roxanag__ has quit IRC00:47
jamielennoxmordred: so the use case is like nova that using nova user to do certain calls00:48
jamielennoxat the moment it's a bit dodgy how that works00:48
*** dims_ has joined #openstack-keystone00:48
jamielennoxbut i want all greenlet threads to share the same token00:48
jamielennoxthis is the only way i can see to share that object and not have them trample each other00:48
mordredyeah - I think it's a great idea00:49
mordredfor those following along- jeblair thinks it looks fine and will not break nodepool00:52
*** btully has joined #openstack-keystone01:01
*** arahal_ has joined #openstack-keystone01:02
*** btully has quit IRC01:06
*** r-daneel has quit IRC01:06
*** _cjones_ has quit IRC01:06
*** arahal_ has quit IRC01:06
*** ankita_wagh has quit IRC01:07
*** roxanagh_ has joined #openstack-keystone01:12
*** roxanag__ has joined #openstack-keystone01:18
*** roxanagh_ has quit IRC01:18
*** roxanag__ has quit IRC01:19
*** ebalduf_ has quit IRC01:19
*** roxanagh_ has joined #openstack-keystone01:20
mfischstevemar: you here?01:20
stevemarmfisch: ahoy01:20
mfischstevemar: trying to figure out of the pycadf module will let me take the event back into an easier to deal with format01:21
mfischI was writing my own class to encapsulate the useful into01:21
*** roxanagh_ has quit IRC01:21
mfischI dont see a constructor that takes json inbound in the online docs tho01:22
*** roxanagh_ has joined #openstack-keystone01:22
*** jsavak has joined #openstack-keystone01:23
stevemarmfisch: hmm, its all json-y01:23
stevemarmfisch: i guess we never really thought of folks trying to extend it01:24
stevemarall pycadf has is the .to_dict() function for events01:24
stevemarmfisch: https://github.com/openstack/pycadf/blob/9c02245f42d544147e290d97b3cb1cac2d9028b0/pycadf/cadftype.py#L81-L8301:26
mfischIm missing something... ok let me look01:27
stevemaryou can output the event as a dictionary01:27
stevemarbut you can't create the event from a dictionary, if that's what you're asking01:27
stevemari'm assuming you want to take the existing event, make it a dictionary, modify it, and create an event again?01:27
mfischI just want to have it in a nice to use format01:28
mfischlike a python object01:28
mfischwhich I can do stuff with like01:28
mfisch"show me the name of the object on which the action was taken", if it's project.delete, the lookup is different than user.delete for example01:28
*** roxanagh_ has quit IRC01:29
mfischa class can encapsulate that logic01:29
*** roxanagh_ has joined #openstack-keystone01:29
mfischotherwise I have stuff like this01:29
mfischhost_agent = json_data['payload']['initiator']['host']['agent']01:29
mfischsounds like I'll just parse it myself01:29
*** urulama has quit IRC01:30
mfischthe format is pretty solid between event types right?01:30
stevemarohh, i see what you mean01:30
*** urulama has joined #openstack-keystone01:30
stevemarmfisch: yes, its very static01:30
mfischI'll paste this code after I work on it more01:31
stevemarmfisch: so all of that is a result of how the msg is put onto the mq01:31
*** sigmavirus24 is now known as sigmavirus24_awa01:31
stevemarmfisch: https://github.com/openstack/keystone/blob/da1d4936465a63c99df08bf0b3a6ad9c950b8bef/keystone/notifications.py#L722-L73501:31
mfischone thing my class can do is "tell me the name of the guy who did the thing"01:31
mfischno need to have that logic in 5 places01:31
stevemarwe create a pycadf object (event), and give it a whole bunch of properties; but to put it on the mq, its gotta be in a dict, so we have to call event.as_dict() and then add that to the event payload01:32
mfischwell if you ever add e = Event(message) let me know01:32
mfischthis kind of thing for example is useful to me too stevemar01:34
mfischtarget_type = target_type_uri.split('/')[-1:][0]01:34
mfischpreceeded by: target_type_uri = json_data['payload']['initiator']['target']['typeURI']01:34
*** roxanagh_ has quit IRC01:34
*** ankita_wagh has joined #openstack-keystone01:35
*** roxanagh_ has joined #openstack-keystone01:35
*** davechen has joined #openstack-keystone01:36
stevemarmfisch: once i see your code i'll understand whats going on, i'm not opposed to changing up pycadf to construct events based on other input01:38
stevemarpycadf has been static for a while now01:39
*** davechen1 has joined #openstack-keystone01:40
*** jecarey has joined #openstack-keystone01:40
*** dave-mccowan has quit IRC01:40
*** davechen has quit IRC01:42
*** roxanag__ has joined #openstack-keystone01:44
*** roxanagh_ has quit IRC01:44
*** lhcheng_ has joined #openstack-keystone01:45
*** lhcheng has quit IRC01:45
*** EinstCrazy has joined #openstack-keystone01:47
*** mylu_ has joined #openstack-keystone01:48
*** mylu has quit IRC01:51
*** roxanag__ has quit IRC01:55
*** roxanagh_ has joined #openstack-keystone01:55
*** roxanagh_ has quit IRC01:57
*** roxanagh_ has joined #openstack-keystone01:57
*** roxanagh_ has quit IRC02:01
*** roxanagh_ has joined #openstack-keystone02:01
*** jsavak has quit IRC02:04
*** ebalduf_ has joined #openstack-keystone02:08
*** ankita_wagh has quit IRC02:08
*** dims_ has quit IRC02:11
*** roxanagh_ has quit IRC02:12
*** roxanag__ has joined #openstack-keystone02:12
*** dave-mccowan has joined #openstack-keystone02:13
*** urulama has quit IRC02:16
*** urulama has joined #openstack-keystone02:16
mfischstevemar: thanks I'll post some code later02:17
*** dave-mccowan has quit IRC02:17
*** roxanag__ has quit IRC02:22
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/22200002:23
*** SheenaG has joined #openstack-keystone02:32
*** geoffarnoldX is now known as geoffarnold02:35
*** davechen has joined #openstack-keystone02:39
*** davechen1 has quit IRC02:41
*** jasonsb has joined #openstack-keystone02:43
*** jasonsb has quit IRC02:46
*** btully has joined #openstack-keystone02:49
*** btully has quit IRC02:54
*** Nirupama has joined #openstack-keystone02:56
*** gyee has quit IRC03:01
*** dims_ has joined #openstack-keystone03:12
*** SheenaG has quit IRC03:12
*** dave-mccowan has joined #openstack-keystone03:14
*** markvoelker has quit IRC03:15
*** dave-mccowan has quit IRC03:18
*** dims_ has quit IRC03:19
*** erhudy1 has quit IRC03:25
*** sigmavirus24_awa has quit IRC03:27
*** dtroyer has quit IRC03:27
*** eglute has quit IRC03:27
*** lbragstad has quit IRC03:27
*** mgagne has quit IRC03:28
*** dolphm has quit IRC03:28
*** hockeynut has quit IRC03:28
*** Guest60363 has quit IRC03:28
*** jacorob has quit IRC03:28
*** sudorandom has quit IRC03:28
*** rm_work has quit IRC03:28
*** comstud has quit IRC03:28
*** darrenc_ has joined #openstack-keystone03:29
*** gus has quit IRC03:29
*** darrenc has quit IRC03:29
*** doug-fish has joined #openstack-keystone03:29
*** sudorandom has joined #openstack-keystone03:30
*** dtroyer has joined #openstack-keystone03:30
*** jacorob has joined #openstack-keystone03:30
*** hockeynut has joined #openstack-keystone03:30
*** eglute has joined #openstack-keystone03:30
*** dolphm has joined #openstack-keystone03:30
*** lbragstad has joined #openstack-keystone03:30
*** comstud has joined #openstack-keystone03:30
*** rm_work has joined #openstack-keystone03:31
*** blewis has joined #openstack-keystone03:31
*** blewis is now known as Guest8235403:31
*** gus has joined #openstack-keystone03:31
*** mgagne has joined #openstack-keystone03:31
*** sigmavirus24_awa has joined #openstack-keystone03:32
*** doug-fish has quit IRC03:34
*** geoffarnold is now known as geoffarnoldX03:36
*** hockeynut has quit IRC03:39
*** sudorandom has quit IRC03:39
*** Guest82354 has quit IRC03:39
*** eglute has quit IRC03:39
*** lbragstad has quit IRC03:39
*** mgagne has quit IRC03:41
*** gus has quit IRC03:41
*** sigmavirus24_awa has quit IRC03:41
*** comstud has quit IRC03:41
*** rm_work has quit IRC03:41
*** dolphm has quit IRC03:41
*** dtroyer has quit IRC03:41
*** jacorob has quit IRC03:41
*** d34dh0r53 has quit IRC03:42
*** ankita_wagh has joined #openstack-keystone03:43
*** gus has joined #openstack-keystone03:44
*** doug-fish has joined #openstack-keystone03:44
*** roxanagh_ has joined #openstack-keystone03:48
*** doug-fish has quit IRC03:49
*** lhcheng_ has quit IRC03:49
*** lhcheng has joined #openstack-keystone03:49
*** ChanServ sets mode: +v lhcheng03:49
*** david-lyle has joined #openstack-keystone03:50
*** blewis_ has joined #openstack-keystone04:03
*** eglute has joined #openstack-keystone04:03
*** sudorandom has joined #openstack-keystone04:03
*** comstud has joined #openstack-keystone04:03
*** dolphm has joined #openstack-keystone04:03
*** jacorob has joined #openstack-keystone04:03
*** mgagne has joined #openstack-keystone04:03
*** hockeynut has joined #openstack-keystone04:03
*** rm_work has joined #openstack-keystone04:04
*** dtroyer has joined #openstack-keystone04:04
*** d34dh0r53 has joined #openstack-keystone04:04
*** lbragstad has joined #openstack-keystone04:04
*** sigmavirus24_awa has joined #openstack-keystone04:04
*** mylu_ has quit IRC04:05
*** mylu has joined #openstack-keystone04:05
*** dave-mccowan has joined #openstack-keystone04:15
*** markvoelker has joined #openstack-keystone04:15
*** dims_ has joined #openstack-keystone04:16
*** mylu has quit IRC04:17
*** dave-mccowan has quit IRC04:19
*** markvoelker has quit IRC04:21
*** darrenc_ is now known as darrenc04:21
*** dims_ has quit IRC04:22
*** btully has joined #openstack-keystone04:24
*** lhcheng has quit IRC04:30
*** stevemar has quit IRC04:34
*** stevemar has joined #openstack-keystone04:35
*** ChanServ sets mode: +v stevemar04:35
*** ankita_wagh has quit IRC04:40
*** ankita_wagh has joined #openstack-keystone04:40
*** ankita_wagh has quit IRC04:42
*** jecarey has quit IRC04:42
*** ankita_wagh has joined #openstack-keystone04:43
*** shoutm has quit IRC04:45
*** ebalduf_ has quit IRC04:45
*** shoutm has joined #openstack-keystone04:55
*** roxanagh_ has quit IRC05:12
*** dave-mccowan has joined #openstack-keystone05:16
*** doug-fish has joined #openstack-keystone05:17
*** dave-mccowan has quit IRC05:20
*** doug-fish has quit IRC05:21
*** ninag has joined #openstack-keystone05:24
*** ninag has quit IRC05:28
*** ankita_wagh has quit IRC05:31
*** richm has quit IRC05:37
*** shoutm has quit IRC05:45
*** shoutm has joined #openstack-keystone05:48
*** hrou has quit IRC05:50
*** henrynash has joined #openstack-keystone06:00
*** ChanServ sets mode: +v henrynash06:00
*** henrynash has quit IRC06:00
*** markvoelker has joined #openstack-keystone06:18
*** lhcheng has joined #openstack-keystone06:18
*** ChanServ sets mode: +v lhcheng06:18
*** woodster_ has quit IRC06:19
*** stevemar has quit IRC06:19
*** stevemar has joined #openstack-keystone06:21
*** ChanServ sets mode: +v stevemar06:21
*** markvoelker has quit IRC06:22
*** lhcheng has quit IRC06:23
*** ParsectiX has joined #openstack-keystone06:24
openstackgerritJamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins  https://review.openstack.org/22342906:25
stevemarjamielennox: hmmm? ^06:27
jamielennoxstevemar: you like?06:27
*** urulama has quit IRC06:28
stevemarjamielennox: its interesting06:28
*** lhcheng has joined #openstack-keystone06:29
*** ChanServ sets mode: +v lhcheng06:29
openstackgerritJamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins  https://review.openstack.org/22342906:30
openstackgerritJamie Lennox proposed openstack/keystoneauth: Move generic loading tests into loading folder  https://review.openstack.org/22343106:30
jamielennoxstevemar: there's been talk about something like it for a long time, it was just a bit harder with keystoneclient06:31
openstackgerritjaveme proposed openstack/python-keystoneclient: pass correct max_positional_arg 4 utils.positional  https://review.openstack.org/20785706:32
jamielennoxstevemar: it came up again so i just wanted to see what was required and see what people thought06:32
*** urulama has joined #openstack-keystone06:40
*** e0ne has joined #openstack-keystone06:40
openstackgerritJamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins  https://review.openstack.org/22342906:41
*** htruta has quit IRC06:44
*** e0ne has quit IRC06:44
*** mordred has quit IRC06:46
*** shadower has joined #openstack-keystone06:46
*** e0ne has joined #openstack-keystone06:48
*** htruta has joined #openstack-keystone06:48
*** mordred has joined #openstack-keystone06:49
*** btully has quit IRC06:57
*** henrynash has joined #openstack-keystone06:59
*** ChanServ sets mode: +v henrynash06:59
*** exploreshaifali has joined #openstack-keystone07:05
*** boris-42 has quit IRC07:10
*** e0ne has quit IRC07:10
*** pnavarro has joined #openstack-keystone07:17
mordredjamielennox: so, for DNS - that looks like it's going to look for an _openstack_keystone TXT record ... any chance we could also hav ean AUTH_HOST config value and have  the DNS look for _openstack_keystone.AUTH_HOST?07:25
mordredjamielennox: I actually had a cloud change their base keystone auth url on me yesterday - so one could imagine a world where public clouds could just set the txt record and update it if/when they need to move the base URL07:27
*** martinus__ has joined #openstack-keystone07:27
*** e0ne has joined #openstack-keystone07:31
*** shoutm_ has joined #openstack-keystone07:35
*** shoutm has quit IRC07:35
*** e0ne has quit IRC07:42
*** lhcheng has quit IRC07:44
*** e0ne has joined #openstack-keystone07:46
*** e0ne has quit IRC07:51
*** fhubik has joined #openstack-keystone07:54
*** sdake has quit IRC08:07
*** humble__ has joined #openstack-keystone08:10
humble__jamielennox: ping08:11
*** jistr has joined #openstack-keystone08:18
*** markvoelker has joined #openstack-keystone08:19
*** dims_ has joined #openstack-keystone08:20
*** markvoelker has quit IRC08:23
*** humble_ has joined #openstack-keystone08:24
*** henrynash has quit IRC08:24
*** humble__ has quit IRC08:28
openstackgerritDave Chen proposed openstack/keystonemiddleware: Unregister some configuration options after test  https://review.openstack.org/22291908:31
openstackgerritMerged openstack/keystoneauth: Identity plugin thread safety  https://review.openstack.org/22155108:37
*** humble__ has joined #openstack-keystone08:42
jamielennoxhumble_: pong08:45
jamielennoxmordred: what's the use case? i was thinking that not adding extra flags to an auth plugin was good08:45
mordredjamielennox: 2 use cases08:45
jamielennoxa while ago i had a proposal for default_domain as well - a domain used in v3 but dropped in v2 and i was thinking that was a candidate for DNS as well08:46
*** acc has joined #openstack-keystone08:46
*** humble_ has quit IRC08:46
mordredjamielennox: a) I have 9 cloud accounts, _openstack_keystone without a domain attached is likely never going to be set for me BUT08:46
humble__jamielennox: I want to put keystone.token_auth in context, but it can not be serialized by oslo.messaging.08:47
jamielennoxright - but this is DNS so likely propogating within a corporate environment where i really only want one entry08:47
jamielennoxhumble__: yea :(08:47
mordredjamielennox: b) I know the domain of eachof the cloud providers - so I'd love to just be able to say "cloud=hpcloud.com" "cloud=citycloud.net" "cloud=auro.net"08:47
*** e0ne has joined #openstack-keystone08:48
mordredwhich is well known, easy to guess and not likely to change08:48
jamielennoxhumble__: that is the major problem with it at the moment. I was hoping to get some auth_token fixes made and then test it in keystone but that's taken a really long time to pass08:48
jamielennoxhumble__: also oslo.context has changed since last i looked at it and i need to rewrite the integration there - i was hoping the context would be based on the plugin but it might have to be the other way around08:48
mordredinstead, I have to say "auth_url=https://region-b.geo-1.identity.hpcloudsvc.com:35357/v2.0" "cloud=https://identity1.citycloud.com:5000/v3/" "cloud=https://api.van1.auro.io:5000/v2.0"08:48
mordredwhic his just all insane08:49
mordredjamielennox: totally. your thing is awesome for corporate environments08:49
humble__jamielennox: Is there a way I can use now?08:49
mordredalso - auro really did change their keystone aurl_url recently08:49
*** fhubik has quit IRC08:49
mordredand the hard part about that is that you can only learn what's up by logging in to the provider web dashboard, which you likely never use otherwise08:50
jamielennoxhumble__: not really, there is some stuff i did in nova, and somewhere else that i've forgotten, that built a custom plugin from the context just for that service08:50
jamielennoxhumble__: so you can replicate that, but there is nothing that provides a helper for using that actual plugin08:51
openstackgerritDave Chen proposed openstack/keystonemiddleware: Unregister some configuration options after test  https://review.openstack.org/22291908:51
jamielennoxmordred: so my DNS knowledge is fairly average - but why would my DNS server want to register half a dozen cloud entry points rather than use something like OCC?08:52
jamielennoxAFAIK txt is not something that propogates around the internet like that08:52
*** dims_ has quit IRC08:53
*** stevemar has quit IRC09:04
*** exploreshaifali has quit IRC09:04
*** acc has quit IRC09:08
*** aix has quit IRC09:09
mordredjamielennox: it totally is09:11
mordredjamielennox: this is actually how jabber works09:11
mordredjamielennox: you say "I want to connect in an XMPP session to mordred@inaugust.com" and the jabber client looks up a set of known DNS entries on top of the inaugust.com domain09:12
mordredjamielennox: I mean, you should use OCC - but also, if you just want to connect to citycloud, you shouldn't really need to go digging through their dashboard to learn that the url is https://identity1.citycloud.com:5000/v3/09:13
jamielennoxI guess it really is no different to MX or any of the others09:13
mordred(in fact..):09:14
mordred_xmpp-server._tcp   IN   SRV    5 0 5269 scylla.inaugust.com.09:14
mordred_xmpp-client._tcp   IN   SRV    5 0 5222 scylla.inaugust.com.09:14
mordred_jabber._tcp        IN   SRV    5 0 5269 scylla.inaugust.com.09:14
mordredthere are the XMPP records to make inaugust.com behave like a well-behaved XMPP server09:14
*** davechen has left #openstack-keystone09:16
mordredjamielennox: to be clear, I think the dns patch is great and should not block on this - just talking about next steps - don't want perfect to get in the way of good09:16
jamielennoxso i only see A and RRSIG which looks like some sort of key/sig09:17
*** urulama has quit IRC09:17
*** urulama has joined #openstack-keystone09:17
*** fhubik has joined #openstack-keystone09:19
jamielennoxmordred: right - and i honestly think the corp is an easier/more important solve at the moment, but i just want to make sure one doesn't get in the way of another09:19
*** markvoelker has joined #openstack-keystone09:19
*** katkapilatova has joined #openstack-keystone09:24
*** markvoelker has quit IRC09:24
*** katkapilatova has left #openstack-keystone09:24
*** katkapilatova has joined #openstack-keystone09:27
*** ParsectiX has quit IRC09:35
*** ParsectiX has joined #openstack-keystone09:36
*** bradjones|away has quit IRC09:47
*** bradjones has joined #openstack-keystone09:49
*** bradjones has quit IRC09:49
*** bradjones has joined #openstack-keystone09:49
*** dims_ has joined #openstack-keystone09:52
*** dims_ has quit IRC09:57
*** aix has joined #openstack-keystone09:57
*** stevemar has joined #openstack-keystone10:04
*** ChanServ sets mode: +v stevemar10:04
*** richm has joined #openstack-keystone10:06
*** stevemar has quit IRC10:08
*** chlong has quit IRC10:09
*** chlong has joined #openstack-keystone10:11
openstackgerritMerged openstack/keystone: Update federation router with missing call  https://review.openstack.org/22336110:22
*** flwang has quit IRC10:31
*** flwang has joined #openstack-keystone10:32
*** humble_ has joined #openstack-keystone10:37
*** shoutm_ has quit IRC10:40
*** humble__ has quit IRC10:41
*** shoutm has joined #openstack-keystone10:41
*** dims_ has joined #openstack-keystone10:44
openstackgerritAlexander Makarov proposed openstack/keystone: Check datetime string to validate is a string  https://review.openstack.org/22322810:49
openstackgerritMerged openstack/keystoneauth: Move generic loading tests into loading folder  https://review.openstack.org/22343110:56
*** shoutm has quit IRC11:05
*** pnavarro is now known as pnavarro|lunch11:13
*** shoutm has joined #openstack-keystone11:14
*** EinstCrazy has quit IRC11:15
*** markvoelker has joined #openstack-keystone11:20
*** e0ne has quit IRC11:22
*** markvoelker has quit IRC11:25
*** sdake has joined #openstack-keystone11:25
*** dsirrine has joined #openstack-keystone11:27
*** sdake_ has joined #openstack-keystone11:31
*** sdake has quit IRC11:31
*** pnavarro|lunch has quit IRC11:32
*** gordc has joined #openstack-keystone11:34
*** Nirupama has quit IRC11:35
*** EinstCrazy has joined #openstack-keystone11:39
*** dsirrine has quit IRC11:40
*** pnavarro|lunch has joined #openstack-keystone11:51
*** stevemar has joined #openstack-keystone12:06
*** ChanServ sets mode: +v stevemar12:06
*** nicodemos has joined #openstack-keystone12:07
*** henrynash has joined #openstack-keystone12:08
*** ChanServ sets mode: +v henrynash12:08
*** stevemar has quit IRC12:09
*** EinstCrazy has quit IRC12:13
*** markvoelker has joined #openstack-keystone12:19
*** nicodemos has quit IRC12:24
*** shoutm has quit IRC12:24
*** raildo-afk is now known as raildo12:25
*** sdake_ has quit IRC12:30
*** SheenaG has joined #openstack-keystone12:31
*** pnavarro|lunch is now known as pnavarro12:36
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764712:36
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687712:36
openstackgerritLance Bragstad proposed openstack/keystone: Additional documentation for services  https://review.openstack.org/21118412:41
*** richm has quit IRC12:43
*** humble_ has quit IRC12:44
*** doug-fish has joined #openstack-keystone12:47
*** edmondsw has joined #openstack-keystone12:47
*** thiagop has quit IRC12:47
*** flaper87 has joined #openstack-keystone12:56
*** richm has joined #openstack-keystone12:57
*** flaper87 has left #openstack-keystone12:57
*** amakarov_away is now known as amakarov12:59
*** fhubik is now known as fhubik_brb12:59
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/21521212:59
amakarovlbragstad, hi! Help me please: how to issue a Fernet token using curl? I'm getting it truncated in X-Subject-Token13:00
openstackgerritLance Bragstad proposed openstack/keystone: Add documentation for configuring IdP WebSSO  https://review.openstack.org/21835313:04
openstackgerritLance Bragstad proposed openstack/keystone: Ensure token validation works irrespective of padding  https://review.openstack.org/22178613:05
lbragstadamakarov: you should be able to get a token using curl, but inspecting the headers13:06
*** ninag has joined #openstack-keystone13:06
lbragstadamakarov: what's the curl call you're making?13:06
*** ninag has quit IRC13:06
amakarovcurl -i -H "Content-Type: application/json"   -d '13:06
amakarov{ "auth": {13:06
amakarov    "identity": {13:06
amakarov      "methods": ["password"],13:06
amakarov      "password": {13:06
amakarov        "user": {13:06
amakarov          "name": "admin",13:06
amakarov          "domain": { "id": "default" },13:06
amakarov          "password": "admin"13:06
amakarov        }13:06
amakarov      }13:06
amakarov    }13:06
amakarov  }13:06
*** ayoung has joined #openstack-keystone13:07
*** ChanServ sets mode: +v ayoung13:07
amakarovlbragstad, ^13:07
lbragstadamakarov: what's the response you're getting (try using http://pasteraw.com/ )13:07
lbragstadamakarov: and then just post the link13:07
lbragstadamakarov: looks like it's working...13:08
*** tdurakov_ has quit IRC13:09
lbragstadlooks like it's an unscoped token response..13:09
amakarovlbragstad, yes, but token is shorter than it should be )13:09
lbragstadwhich is consistent with the request13:09
lbragstadamakarov: how so?13:09
lbragstadamakarov: see if you can decrypt it and inspect the contents...13:10
amakarovlbragstad, doing that13:10
lbragstadamakarov: you can use https://github.com/lbragstad/fernet-inspector if it helps13:10
lbragstadamakarov: http://cdn.pasteraw.com/fsq4fmye4b6sphj41xjc261dzn9a7e013:11
*** thiagop has joined #openstack-keystone13:12
*** hrou has joined #openstack-keystone13:12
amakarovlbragstad, http://cdn.pasteraw.com/hv4acrpdlndhth57byqt4c5ihvqa8bb13:16
amakarovlbragstad, I presume, given that it was decoded, the token is valid13:16
lbragstadamakarov: yep, at least according to the Fernet spec13:17
lbragstadamakarov: you can try passing it back to keystone and validate it13:17
amakarovlbragstad, ok, thanks13:17
lbragstadamakarov: it shouldn't have an issue decrypting it13:17
lbragstadamakarov: fernet unscoped tokens have a little less in their payloads so the typically end up being a bit smaller than project or domain scoped fernet tokens.13:18
amakarovlbragstad, it looks like I've mistaken it for scoped one13:18
*** jecarey has joined #openstack-keystone13:19
*** dims_ has quit IRC13:21
*** dims_ has joined #openstack-keystone13:22
amakarovlbragstad, thank you! Getting a scoped token works as it should - my mistake13:24
lbragstadamakarov: no problem! glad it worked!13:26
*** jsavak has joined #openstack-keystone13:32
openstackgerritMerged openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/19231913:33
*** btully has joined #openstack-keystone13:44
*** nicodemos has joined #openstack-keystone13:49
*** ninag has joined #openstack-keystone13:57
*** ParsectiX has quit IRC14:06
*** phalmos has joined #openstack-keystone14:06
*** lsmola has quit IRC14:06
*** stevemar has joined #openstack-keystone14:06
*** ChanServ sets mode: +v stevemar14:06
*** stevemar has quit IRC14:10
*** gabriel-bezerra has quit IRC14:11
openstackgerritDave Chen proposed openstack/keystonemiddleware: update middlewarearchitecture.rst  https://review.openstack.org/21916214:11
*** gabriel-bezerra has joined #openstack-keystone14:11
*** sigmavirus24_awa is now known as sigmavirus2414:13
openstackgerritDave Chen proposed openstack/keystonemiddleware: Configuration is outdated  https://review.openstack.org/22054514:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/22200014:15
*** SheenaG has quit IRC14:15
*** exploreshaifali has joined #openstack-keystone14:17
*** slberger has joined #openstack-keystone14:18
*** david-lyle has quit IRC14:20
dstaneklbragstad: do you know if fernet works ok in devstack? i have to assume it does, but i don't want to go down that path right now if there are known issues14:32
lbragstaddstanek: the only issues we are hitting are the ones with tempest14:36
lbragstaddstanek: which are side-effects of sub-second precision14:36
lbragstaddstanek: which are shown here - https://review.openstack.org/#/c/195780/14:36
dstaneklbragstad: perfect. i'll update my setup then to start using fernet.14:36
lbragstaddstanek: and documented here - https://bugs.launchpad.net/keystone/+bug/147356714:38
openstackLaunchpad bug 1473567 in Keystone "Fernet tokens fail tempest runs" [High,Triaged]14:38
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: auth_token tests use clean config  https://review.openstack.org/22333814:38
*** gabriel-bezerra has quit IRC14:40
*** dsirrine has joined #openstack-keystone14:40
*** dsirrine has quit IRC14:44
morganOh Steve is offline14:45
morganWas going to bug him14:45
*** katkapilatova has left #openstack-keystone14:45
morganIf we want new client, middleware, pycadf, or any other lib releases we need to cut them by tomorrow14:47
morganPlease check them over. I will be putting in the requests for this tonight14:47
morganI'll comment on this at the meeting as well14:47
bknudsonwe need new olso.policy.14:48
bknudsonmorgan: 0.11.114:48
bknudsonmorgan: are we going to need another keystoneclient release after translations get updated?14:49
bknudsonassuming translations get updated14:49
bknudsonkeystonemiddleware doesn't need a release14:50
morganDunno on ksc14:50
morganPolicy will go out with the Oslo batches14:50
morganKSM has 1-2 new patches that we might as well grab but aren't needed14:51
morganKeystoneauth I need to bug mordred and jamielennox14:51
morganReleases of libraries14:52
mordredlibraries are neat14:52
morganHave to go out for tomorrow. So keystoneauth14:52
*** geoffarnoldX is now known as geoffarnold14:52
morganDo we need a 1.0.1 for the loading fixes etc?14:52
bknudsonkeystoneauth has a bug fix.14:52
*** fhubik_brb is now known as fhubik14:53
morganbknudson: ok so we do need 1.0.114:53
bknudsonpersonally I'd like to see a freeze on keystoneauth dev until something starts using it as is14:53
bknudsone.g., keystonemiddleware14:53
bknudsonthen we can gate on it14:53
morganThere are a couple fixes that will come over from ksc. But I'm going to freeze ksc session work too14:54
morganOnce those 1 or 2 land14:54
morganksc session will be frozen after the next release of keystoneclient14:54
*** shoutm has joined #openstack-keystone14:54
*** phalmos has quit IRC14:54
*** pnavarro is now known as pnavarro|off14:55
*** stevemar has joined #openstack-keystone14:56
*** ChanServ sets mode: +v stevemar14:56
*** zzzeek has joined #openstack-keystone14:56
*** phalmos has joined #openstack-keystone14:59
*** gabriel-bezerra has joined #openstack-keystone15:07
*** csoukup has joined #openstack-keystone15:07
openstackgerritKonstantin Maximov proposed openstack/keystone: Add test for domains list filtering and limiting  https://review.openstack.org/20745615:09
*** flaper87 has joined #openstack-keystone15:09
flaper87Greetings. Does this look ok? https://github.com/openstack/python-glanceclient/blob/master/glanceclient/shell.py#L482-L48915:10
flaper87is domain_name or domain_id required when using the project_name ?15:10
bknudsonflaper87: yes15:10
flaper87bknudson: danke :)15:10
bknudsonflaper87: why doesn't tenant_name require domain?15:11
bknudsondoes it use v2 instead?15:11
henrynashflaper87: why doens’t tenant need a domain spec as well?15:11
*** fhubik is now known as fhubik_brb15:12
flaper87well, that's the quesiton  I was about to ask to you :)15:12
flaper87I guess that line is not really ok15:12
flaper87bknudson: henrynash thanks folks15:12
bknudsontenant is just another name for project so there should just be a translation15:12
*** roxanaghe has quit IRC15:13
flaper87bknudson: yup, I know that and I would expect the requirements to be the same15:13
*** david-lyle has joined #openstack-keystone15:13
flaper87(hence my questions)15:14
*** jorge_munoz has quit IRC15:16
bknudsonalso, you should deprecate your CLI and use openstack unified CLI instead.15:16
*** shoutm has quit IRC15:17
flaper87bknudson: one step at a time15:17
flaper87but yeah15:17
*** flaper87 has left #openstack-keystone15:18
*** jorge_munoz has joined #openstack-keystone15:19
*** e0ne has joined #openstack-keystone15:20
*** fhubik_brb is now known as fhubik15:24
*** roxanaghe has joined #openstack-keystone15:27
morganstevemar, ayoung: FYI once the PTL election is over I am delegating the rest of the release stuff to whomever wins. Choose wisely if you would like to continue to run for PTL.15:28
ayoungmorgan, care to share your notebook on these tasks?15:29
*** flaper87 has joined #openstack-keystone15:29
*** shadower has quit IRC15:30
morganayoung: notebook? It is mostly talking with relmanagement and taking care of the rc bugs and babysitting the gate15:30
morganAnd managing the rc milestone(s)15:30
morganFinally, it is writing release notes15:31
ayoungmorgan, might I request that you gather your thoughts on said issues to hand them off....15:31
ayoungflaper87, hey...15:31
morgan^^ there you have the thoughts ;)15:31
ayoungmorgan is ROAD.15:31
ayoungflaper87, so I think you can get all of the values you need from the AUTH plugin15:32
henrynashdo we have a sensible way to check from our RESTful unit tests (e.g. test_v3_identity)  if the keystone “server” issues a deprecation warning?15:32
*** exploreshaifali has quit IRC15:32
flaper87ayoung: is that keystoneauth1 ?15:32
ayoungflaper87, um...it will be, but still in keystoneclient for now15:33
flaper87ayoung: gotcha15:33
bknudsonhenrynash: should be able to attach a Mock to whatever is called to indicate deprecation and then verify it was invoked.15:33
ayoungflaper87, what are you trying to do?15:34
flaper87ayoung: this is how it's currently done: https://github.com/openstack/python-glanceclient/blob/master/glanceclient/shell.py#L40615:34
flaper87ayoung: not much really, just found that while fixing a different thing15:34
flaper87and thought I'd fix that as well15:34
*** boris-42 has joined #openstack-keystone15:35
ayoungso you were mixinfg the user and project domains?15:35
ayoungoh...you are detecting that the domain was set for at least one....15:36
ayoungso,  default domain is a bad name15:36
ayoungit really is just supposed to be default for V215:36
henrynashbknudson: …yep that was what I was trying to do…maybe I’not got it quite right..let me experiement further15:36
flaper87ayoung: lemme rephrase that. I was looking at something that had nothing to do with auth and then I realized that we require domain_id or domain_name to be set if project_name is used15:36
ayoungif you specify V3...it should be V3 for both.15:36
ayoungyeah...so that should be explicitly OS_PROJECT_DOMAIN_[ID|NAME]15:36
ayoungflaper87, and...we don't give you a good qay to query the domain ID, so if you've been using V2, but now you need V3 due to an assignment in another domain, you have to work for it15:37
ayoungflaper87, I realize it is hard for you to overlap with jamielennox in Australia, but I think you would benefit from a short conversation with him about auth plugins here.  You are doing things that tie us to the Password Auth approach, and we are quickly moving beyond that.15:38
flaper87ayoung: I think jamielennox was one of the last to touch that keystone code (or similar)15:40
flaper87ayoung: but yeah, I pinged him earlier today and he wasn't around15:40
flaper87ayoung: I'll keep pinging him and seek for a path forward from this current state15:40
ayoungflaper87, you are in Italy now, right?  He'll be around for the Keystone meeting at 2 US Easter, in a bout 2 hours.15:41
ayoungflaper87, but I'll be happy to proxy your concerns on this.  However, what bknudson said about moving to the common CLI is your best bet.  I'd just leave it brokn and focus efforts there15:41
ayoungI think that glance is pretty well working with common, no?15:42
flaper87ayoung: feel free to proxy my concerns if I'm not around15:43
flaper87while I'd like to move to the common CLI, I think we need some other prios for now. Lets see what Mitaka brings15:43
flaper87ayoung: thanks for the support :)15:44
flaper87but yeah, I agree moving to common would be better15:44
*** pece has joined #openstack-keystone15:44
*** roxanaghe has quit IRC15:45
*** ebalduf has joined #openstack-keystone15:47
*** gyee has joined #openstack-keystone15:53
*** ChanServ sets mode: +v gyee15:53
*** geoffarnold is now known as geoffarnoldX15:53
*** fhubik is now known as fhubik_brb15:54
*** richm has quit IRC15:59
*** ankita_wagh has joined #openstack-keystone16:01
openstackgerritBrant Knudson proposed openstack/keystone: Document httpd for accept on /identity, /identity_admin  https://review.openstack.org/19576616:01
*** fhubik_brb is now known as fhubik16:05
*** diazjf has joined #openstack-keystone16:10
*** richm has joined #openstack-keystone16:13
*** geoffarnoldX is now known as geoffarnold16:14
*** phalmos has quit IRC16:14
stevemarbknudson: why :443/identiity and /identity_admin16:16
stevemarwhy do we need /identity_admin at all?16:17
bknudsonstevemar: for v2.16:17
stevemarscrew v2!16:17
stevemarand whats your reason for :443?16:18
*** richm has quit IRC16:18
bknudsonstevemar: 443 is the default port for https16:18
gyeenothing on the meeting agenda today? no meeting then?16:19
*** _cjones_ has joined #openstack-keystone16:20
*** richm has joined #openstack-keystone16:20
*** fhubik has quit IRC16:22
*** jistr has quit IRC16:24
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: auth_token tests use clean config  https://review.openstack.org/22333816:24
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Remove unused group parameter from tests  https://review.openstack.org/22367916:24
morgangyee: there is a meeting16:24
morganHave some relmngment stuff to go over16:24
gyeemorgan, sounds good16:26
*** lhcheng has joined #openstack-keystone16:26
*** ChanServ sets mode: +v lhcheng16:26
stevemarbknudson: true true16:27
*** ninag has quit IRC16:27
*** sdake has joined #openstack-keystone16:28
morganThere agenda updated16:30
*** sdake_ has joined #openstack-keystone16:31
gyeedo mo morgan son16:31
*** sdake has quit IRC16:35
*** aix has quit IRC16:39
ayoungstevemar, he's right16:40
ayounghttps://wiki.openstack.org/wiki/URLs#Keystone  stevemar16:40
*** GheRivero has joined #openstack-keystone16:41
stevemarayoung: aye, bknudson is rarely wrong, i was just trying to extract all the information out16:41
ayoungstevemar, look at the date on that Wiki16:41
ayoungI wrote that when Keystone was me, dolphm and Joe Heck.16:41
ayoungman this is a long-view project16:42
stevemarayoung: oooof16:42
stevemarneeds buy-in from all projects16:42
stevemarbut definitely possible16:43
dolphmstevemar: bknudson: both are :443 though, right?16:44
*** mylu has joined #openstack-keystone16:44
*** annasort has joined #openstack-keystone16:44
stevemardolphm: i assume so16:44
stevemarwhy wouldn't v2 be https16:44
dolphmjust a sanity check16:44
*** fifieldt_ has quit IRC16:49
ayoungstevemar, so the thing to keep in mind is that if you do 443 all on the same hostname, they have to be in the same web server.  Mixing eventlet and HTTPD on 443 won't wokr.  THe Eventlet story is priamrity some other TLS termination16:50
*** mylu has quit IRC16:50
ayoungSo, if you have an all-in-one install, and both Nova and Keystone are on the same machine, one can't run on 44316:51
dolphmso you front them both with a real HTTPS terminator16:51
ayoungNow, I think we could resurrect the Nova-in-HTTPD approach.  I origianlly followed a rackspace article when doing the Keystone stuff that was arouind running  nOva in HTTPD16:51
dolphmand leave the developer solutions to the dev boxes16:51
ayoungdolphm, that is also an option, but the terminator has to support the authentication, too16:52
ayoungand most don't do Kerberos or X509.  THis is not a devloper-centric solution.  It is a different deployment profile than I think you guys are doing, but very common in the internal cloud world16:52
*** edtubill has joined #openstack-keystone16:53
morganayoung: I should have docs up for uwsgi soonish (for review) which helps the all-in-one webserver16:53
morganIt's been slow due to other things.16:53
ayoungmorgan, cool.16:53
gyeeayoung, you're right, take stunnel for example, it does not pass down the x.509 information16:54
morganMod_proxy and uwsgi for horizon, keystone, etc all independent is a nice setup16:54
morganSince you can configure Apache once and/or graceful with a fast reload16:54
gyeeone drawback with apache, though more like a minor annoyance, is that it can dynamically reload the server cert during a switch over16:55
morganAlso uwsgi can run isolated like eventlet16:55
morganWith even just a single worker16:55
ayounggyee, gyee can or can'16:55
gyeeit mean it can't16:55
morganSo same tool chain for all of it16:55
morgangyee: this is what graceful reloads are for16:55
ayoungThought that is what you meant.  Yeah, in general, Apache's pain is that it is so static16:55
gyeefock I can't type today!16:55
ayoungsame issue with adding new authentication methods for Federation16:56
morganUnless cert is compromised16:56
gyeeyeah, if Apache can dynamically reload stuff it would be awesome16:56
morganayoung: same answer re: graceful. But we need to get process management for the wsgi apps out of Apache itself for it to work16:56
morganOtherwise the graceful is a loooooooong process16:57
morganAww rain stopped :(16:57
ayoungmorgan, So...had a thought you might like.  I need to do a proof of concept, but I think I can make Federation work with the existing Keystone User database ana Basic-Auth using mod_auth_dbm16:57
morganayoung: always has been an option16:58
ayoungmorgan, well, I know it should work for an unscoped token.  THe question is what to do about groups16:58
morganThe downside is somethings want a user_get (a habit we need to break)16:58
ayoungmod_lookup_identity should, in the future support it16:58
morganGroups we keep in keystone for now16:58
morganIterate on it16:59
ayoungbut we could, I think, use federation to get an unscoped token, and then token-token for scoped using a DB lookup16:59
ayoungmorgan, my thought is it gets toward what you wanted with auth being out of the version code...16:59
morganAlso I asked for a question to go on the user survey re: using keystone for user management16:59
morganAnd what deployers are really doing / why they are doing it16:59
morganSo we have real feedback17:00
gyeethey are using keystone for user management?17:00
morganYes. People are17:00
morganSo we need to know really why the choice was made17:00
*** pnavarro|off has quit IRC17:01
gyeeyeah, I am curious if they have to deal with any compliance at all17:01
morganThen we can solve those cases. My guess is shipping freeipa as the default in devstack solves 99% of it17:01
gyeesince we don't even have basic password policy support17:01
morgangyee: people hack things up.17:01
morganAssume they walk the line of compliance17:02
*** diazjf has quit IRC17:02
morganBecause you know that isnt hard to do17:02
morganIts hard to do it right and in a way that makes it easy17:02
morganBut it isnt hard to hack something in to cya17:02
morganThat makes operator life later suck17:03
*** diazjf has joined #openstack-keystone17:03
morganAnyway ask for that. Asked for real feedback on centralization of policy17:03
morganAnd one or two other things17:03
morganSo we have clear priorities17:03
morganAnd views via the foundation17:03
morganayoung: ^^ figured you'd like that17:04
*** GheRivero has left #openstack-keystone17:04
ayoungmorgan, one disconnect between Keystone and FreeIPA (LDAP RFCs really) is that to add a human user you need frist and last name17:04
morganDoesnt mean it isnt important if it doesnt get the level of response expected, just see where deployers/operators are17:05
ayoungbut...for service users, we are acutally just using a service principal.17:05
morganayoung: service, nova17:05
morganLots of users with the surname "service"17:05
ayoungmorgan, we have a demo of this we'll be showing in TOkyo.17:05
ayoungWe need to figure out a way to map domains to service users for Heat.17:06
morganAlso may want to line out how horizon shouldnt/should manage users with freeipa (once you demo it)17:06
morganvia a spec17:06
morganFuture looking of course :)17:06
*** mylu has joined #openstack-keystone17:09
ayoungI could see a morgan One possibility is that we add an IPA backend for Identity.  If we can do "First Last" as optional fields for Keystone it would map a little cleaner17:09
morganThings to consider17:10
gyeeayoung, FreeIPA works on ubunut now right?17:10
*** diazjf has quit IRC17:10
ayounggyee, yes17:10
* gyee add freeipa poc to his todo list17:10
ayounggyee: give me a shout when you get to it17:12
gyeeayoung, sure will do, I'll try to do my homework before Tokyo17:12
*** ankita_wagh has quit IRC17:13
*** ayoung has quit IRC17:17
*** ninag has joined #openstack-keystone17:21
*** jorge_munoz has quit IRC17:25
*** ankita_wagh has joined #openstack-keystone17:25
*** mylu_ has joined #openstack-keystone17:29
dstanekso, this is weird. when i ./stack.sh on F22 it seems to uninstall python-tox and then it fails17:29
*** mylu has quit IRC17:32
*** phalmos has joined #openstack-keystone17:32
*** ayoung has joined #openstack-keystone17:32
*** ChanServ sets mode: +v ayoung17:32
*** sdake_ is now known as sdake17:33
*** ParsectiX has joined #openstack-keystone17:35
*** mylu_ has quit IRC17:36
*** sdake_ has joined #openstack-keystone17:41
*** haneef has joined #openstack-keystone17:42
*** phalmos has quit IRC17:43
*** sdake has quit IRC17:44
*** tsymancz1k is now known as tsymanczyk17:45
*** jdandrea has joined #openstack-keystone17:45
bknudsondolphm: you can configure httpd with the handler for any path on any port you want ... so it's got https://host/identity_admin handled by admin.py and https://host/identity handled by main.py17:45
bknudsonand you could do the same with /compute and /image or whatever17:46
jdandreaCan someone please point me toward info that differentiates between _member_ and user roles (as I'm now seeing user show up in kilo installs)?17:46
bknudsonjdandrea: keystone doesn't do anything special with "user" roles, or any roles other than _member_17:49
jdandreabknudson: Thanks. I wasn't sure where those came from.17:49
bknudsonwe don't stop admins from creating roles, so could be anyone17:50
jdandreabknudson: Ah, I will check with the admins then. (I don't think they knew either ... yipe.)17:50
*** phalmos has joined #openstack-keystone17:53
gyeejdandrea, we automagically create the _member_ when you use V2 API to add user to tenant/project, https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L22317:54
*** e0ne has quit IRC17:54
jdandreagyee: Sounds good. I need to find who made that 'user' role on our end. :)17:55
gyeeyeah time to make CADF work for you :)17:57
*** jsavak has quit IRC17:58
*** spandhe has joined #openstack-keystone17:58
*** jorge_munoz has joined #openstack-keystone18:00
*** jsavak has joined #openstack-keystone18:00
morgan... stupid client disconnected18:03
*** pece has quit IRC18:03
*** ninag has quit IRC18:05
*** ninag has joined #openstack-keystone18:06
*** ninag has quit IRC18:11
*** gordc has quit IRC18:11
*** gordc has joined #openstack-keystone18:12
openstackgerritvenkatamahesh proposed openstack/keystone: Removed the extra http:// from JSON schema link  https://review.openstack.org/21731918:14
*** jsavak has quit IRC18:17
*** jsavak has joined #openstack-keystone18:17
*** tonytan4ever has joined #openstack-keystone18:17
*** ankita_wagh has quit IRC18:19
*** phalmos has quit IRC18:20
*** exploreshaifali has joined #openstack-keystone18:20
*** ankita_wagh has joined #openstack-keystone18:22
jamielennoxbknudson: https://review.openstack.org/#/c/223338/ is not very nice, but if you think that's best i'm ok18:27
jamielennoxmy only other thought was to mock it or something18:27
jamielennoxstupid oslo_config18:27
bknudsonjamielennox: I don't think there's a nice way to do it without a lot of rewriting18:28
bknudsonand I think we should rewrite it.18:28
bknudsonbut that's going to be more work just to fix the bug.18:28
*** e0ne has joined #openstack-keystone18:29
jamielennoxbknudson: yea, I had ideas to rewrite this part after all those outstanding reviews had passed18:29
jamielennoxtry and fix the glance passes CONF issue18:30
jamielennoxbut not today18:30
*** phalmos has joined #openstack-keystone18:31
bknudsonwe've still got the memcache part in oslo-incubator that uses global conf18:31
jamielennoxbknudson: you might want to flip the ordering of those two patches rather than risk the other failing in gate18:31
bknudsonand auth_token registers global conf18:31
bknudsonso we need to fix thos.18:31
*** doug-fis_ has joined #openstack-keystone18:32
bknudsonjamielennox: I was worried I'd have to flip the order... I'll work on that after the meeting18:32
jamielennoxbknudson: yes, and we can still register options to global conf, but provide a function (like oslo_conf already does) to register options against any CONF and pass a CONF in18:32
jamielennoxthe oslo-incubator part is removed in the memcache patches i've already got up18:33
*** doug-fish has quit IRC18:33
jamielennoxno, apparently someone else was working on that, i killed the memorycache altogether18:33
jamielennoxwe shouldn't be caching tokens on the process18:34
*** ayoung has quit IRC18:34
*** ayoung has joined #openstack-keystone18:34
*** ChanServ sets mode: +v ayoung18:34
henrynashanyone want to do teh honors on: https://review.openstack.org/#/c/154485/ - nice to get the last of these in before RC118:34
ayounghenrynash, looking18:35
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Remove unused group parameter from tests  https://review.openstack.org/22367918:37
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: auth_token tests use clean config  https://review.openstack.org/22333818:37
*** e0ne has quit IRC18:38
bknudsonswapped the order of those 2 ^18:38
ayounghenrynash, so, I understand creating nested projects and users ,but why is it creating roles?   https://review.openstack.org/#/c/154485/18:39
henrynashayoung: a specific test, or the helper?18:39
ayoungthe helper.... henrynash  I think I get it18:40
ayounghenrynash, when I see...18:40
ayoung'assignments': [{'user': 0, 'role': 0, 'project': 0},18:40
ayoungthat is assiging newly created user 0 newly created role 0 or newly created projecrt 0 for the test,  right?18:40
henrynashthis patch builds on all the earlier ones that introduced the concepts18:41
ayounghenrynash, so...they are not so much test plans as fixtures, right?18:41
*** ParsectiX has quit IRC18:41
ayoungThis does not say what passes or fails, just what the db should have at the start of the run18:41
ayoungand everything is still created with uuidgen for names and ids.18:42
*** doug-fis_ has quit IRC18:42
*** ParsectiX has joined #openstack-keystone18:42
henrynashayoung: well, teh plan is a dict, and when you “execute the plan” it crates the users, roles, projecst you requetsed, followed by the assinments, followed by the tests you defined18:42
*** doug-fish has joined #openstack-keystone18:42
ayoungI was still reading...I see18:43
gyeelike linear algebra :)18:44
ayounghmmm.  henrynash I both love and hate it18:44
henrynashyep, me too…but it’s super easy to write tetsts18:44
ayoungI love the idea, just .... worried it might not be clear to people that come along after us to maintina18:44
ayoungbut...its elegant18:44
*** doug-fis_ has joined #openstack-keystone18:44
henrynashayoung: yep, agreed….whcih is why if you read teh full test helper, there is a pretty comprehensie doc string to describe it all18:45
ayoungit feels like it should be up one level, you know?  Like we are doing something in the tests that should be handled by the framework18:45
*** pnavarro|off has joined #openstack-keystone18:45
*** exploreshaifali has quit IRC18:45
ayounghenrynash, I think I'm in favor..just adjusting my thinking18:45
*** sdake_ is now known as sdake18:45
henrynashayuong: so this was discussed in the BP for this….(remeber this is the last patch out of 6 or 7 that implementedthe BP)…and the general agreement was keep it as a bisic dict so we execute fast (basically directed for loops, essentially)18:46
*** doug-fish has quit IRC18:47
ayounghenrynash, yeah, I have been in a cave.  This is cool18:48
*** phalmos has quit IRC18:48
henrynashcave’s can be ccol too!18:48
ayounghenrynash, +2A18:49
openstackgerritAlexander Makarov proposed openstack/keystone: Return default domain for admin  https://review.openstack.org/22375218:49
henrynashayoung: thx18:49
*** doug-fis_ has quit IRC18:51
*** ParsectiX has quit IRC18:52
*** e0ne has joined #openstack-keystone18:53
*** nicodemos has quit IRC18:53
*** doug-fish has joined #openstack-keystone18:55
*** doug-fish has quit IRC18:55
*** doug-fish has joined #openstack-keystone18:55
*** pnavarro|off has quit IRC18:56
*** diazjf has joined #openstack-keystone18:56
*** jecarey has quit IRC18:59
*** doug-fis_ has joined #openstack-keystone19:00
*** doug-fis_ has quit IRC19:00
*** doug-fis_ has joined #openstack-keystone19:00
jamielennoxmorgan: how did we go with a v2 branch for ksc?19:00
*** henrynash has quit IRC19:01
*** doug-fish has quit IRC19:03
*** phalmos has joined #openstack-keystone19:04
*** gyee has quit IRC19:05
*** tonytan4ever has quit IRC19:07
*** mylu has joined #openstack-keystone19:07
morganjamielennox: the answer was "don't do that"19:08
*** henrynash has joined #openstack-keystone19:08
*** ChanServ sets mode: +v henrynash19:08
morganjamielennox: wait for liberty branch to happen and make master v219:09
morganfor mitaka19:09
jamielennoxmorgan: that's going to be difficult19:09
morganfeel free to talk to dhellmann and explain the difficulty19:09
morganso we can change that up19:09
morganyou can explain better than I can19:10
*** ninag has joined #openstack-keystone19:10
*** nicodemos has joined #openstack-keystone19:10
*** henrynash has quit IRC19:11
*** ninag_ has joined #openstack-keystone19:11
jamielennoxwell, we're breaking compatibility...19:11
morganyep but we could propose the break and then go play "fix everyone"19:11
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate setting catalog on headers from others  https://review.openstack.org/19693219:11
morganthen land it19:11
jamielennoxi don't know how requirements is going to handle this anyway19:12
*** mylu has quit IRC19:13
*** ninag has quit IRC19:14
morganrequirements branch stable just like everything else does19:14
morganliberty will be stable/liberty for keystoneclient19:15
*** ninag_ has quit IRC19:16
*** fhubik has joined #openstack-keystone19:16
*** ninag has joined #openstack-keystone19:16
*** ankita_wagh has quit IRC19:16
*** fhubik has quit IRC19:17
jamielennoxso we need to update everybody before we can actually cut a release of 2.0, that's going to be fun19:18
*** jecarey has joined #openstack-keystone19:20
openstackgerritJamie Lennox proposed openstack/keystoneauth: Support DNS lookup for generic plugins  https://review.openstack.org/22342919:20
jdandreabknudson: I checked with folks on our end regarding user. They added it by following the steps here: http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-users.html ... but I wonder why create a user role if there's already a _member_ role? (Unless they have distinct purposes.)19:22
openstackgerritAlexander Makarov proposed openstack/keystone: Return default domain for admin  https://review.openstack.org/22375219:26
bknudsonjdandrea: I don't know who writes those docs... we've got a couple of people on our team to work on it now so I can tell them about it.19:26
bknudsonjdandrea: "As an example, this guide creates the         demo project and user."19:27
bknudsonjdandrea: maybe they were thinking this was required and not an example?19:27
jdandreabknudson: I'm going to ask. They say the docs specifically advise to change "_member_" to "user" ... hmmmmm.19:27
* jdandrea is dubious.19:27
bknudsonjdandrea: you can configure the role that's used for v2: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n4119:28
bknudsonso if you'd rather use a role name "user" than _member_, go ahead19:28
jdandreabknudson: Ah, and that id maps to, say, _member_.19:28
*** ebalduf has quit IRC19:36
bknudsonmaybe somebody else can look at https://review.openstack.org/#/c/155758/ and see if they agree with my comments...19:36
bknudsonif so I'll go in and fix it.19:36
bknudsonlooked at it more closely and now I think it's correct. https://review.openstack.org/#/c/155758/19:39
*** jsavak has quit IRC19:42
*** geoffarnold is now known as geoffarnoldX19:44
bknudsonjamielennox: how was this all incorrect? https://review.openstack.org/#/c/207857/19:44
jamielennoxbknudson: depends on your definition of correct19:45
jamielennoxbknudson: taking for example https://review.openstack.org/#/c/207857/4/keystoneclient/v3/credentials.py19:45
jamielennoxpassing 1 there is fine, it just makes user and type required keyword arguments19:46
openstackgerritvenkatamahesh proposed openstack/keystonemiddleware: Added the home-page value with openstack.org  https://review.openstack.org/22378419:46
jamielennoxwhich i always like19:46
jamielennoxalmost everyone does/should do that anyway because otherwise you really can't tell what's happening19:46
bknudsonthe submitter is saying that it was wrong because we forgot to take the self parameter into account19:47
*** ankita_wagh has joined #openstack-keystone19:47
jamielennoxbknudson: no that's not right19:47
bknudsonmaybe clearer error message would help19:48
openstackgerritAlexander Makarov proposed openstack/keystone: Check datetime string to validate is a string  https://review.openstack.org/22322819:48
*** jecarey_ has joined #openstack-keystone19:48
*** topol has joined #openstack-keystone19:49
*** ChanServ sets mode: +v topol19:49
*** geoffarnoldX is now known as geoffarnold19:49
*** ebalduf has joined #openstack-keystone19:50
*** devlaps has joined #openstack-keystone19:51
*** jecarey has quit IRC19:51
*** jsavak has joined #openstack-keystone19:52
*** mylu has joined #openstack-keystone19:55
*** doug-fis_ has quit IRC19:57
*** jorge_munoz has quit IRC19:57
*** ebalduf has quit IRC19:58
*** doug-fish has joined #openstack-keystone19:58
*** doug-fish has quit IRC20:02
*** nicodemos has quit IRC20:03
*** gyee has joined #openstack-keystone20:08
*** ChanServ sets mode: +v gyee20:08
*** henrynash has joined #openstack-keystone20:09
*** ChanServ sets mode: +v henrynash20:09
*** jorge_munoz has joined #openstack-keystone20:09
*** doug-fish has joined #openstack-keystone20:10
bknudsonI guess it's a waste of time to review middleware patches since they're going to be hard to get merged since unit tests are failing all the time20:11
*** ankita_wagh has quit IRC20:22
*** mylu has quit IRC20:23
*** mylu has joined #openstack-keystone20:25
*** mylu has quit IRC20:27
*** mylu has joined #openstack-keystone20:27
*** ParsectiX has joined #openstack-keystone20:28
*** ankita_wagh has joined #openstack-keystone20:28
*** ParsectiX has quit IRC20:28
*** shadower has joined #openstack-keystone20:29
*** mylu has quit IRC20:31
*** mylu has joined #openstack-keystone20:32
*** jsavak has quit IRC20:34
*** jsavak has joined #openstack-keystone20:35
*** mylu has quit IRC20:38
*** mylu has joined #openstack-keystone20:38
*** mylu has quit IRC20:39
*** mylu has joined #openstack-keystone20:39
jdandreabknudson: I've been given the specific page that references changing OPENSTACK_KEYSTONE_DEFAULT_ROLE to user: http://docs.openstack.org/kilo/install-guide/install/apt/content/install_dashboard.html20:41
jdandreabknudson: ... so it's not the default role but it's the default for *Horizon* (plus now we see where it comes from).20:41
*** mylu has quit IRC20:41
jdandreabknudson: Although it's documented as a default role for users created via the dashboard.20:42
bknudsonjdandrea: I guess horizon or anybody can tell people to create roles. keystone will accept any string you throw at it for a role name20:42
jdandreabknudson: *nodnod*20:43
bknudsonI wonder why they decided on user.20:43
jdandreabknudson: Exactly what I'm wondering. Why not use _member_?20:44
jdandreaFolks are confused on this end: "Do I use _member_ or user?" That sort of thing.20:44
bknudsonnote that we'll eventually remove keystone dealing with the _member_ role.20:45
bknudsononce we get rid of v2.20:45
*** mylu has joined #openstack-keystone20:45
jdandreabknudson: Ah, good to know, tx.20:45
*** mylu has quit IRC20:46
*** mylu has joined #openstack-keystone20:47
*** mylu_ has joined #openstack-keystone20:51
*** mylu has quit IRC20:51
*** pgbridge has quit IRC20:56
*** jsavak has quit IRC20:56
*** hrou has quit IRC20:59
*** hrou has joined #openstack-keystone20:59
openstackgerritMerged openstack/python-keystoneclient: Identity plugin thread safety  https://review.openstack.org/22173821:01
*** raildo is now known as raildo-afk21:03
*** thiagop has quit IRC21:03
*** mylu_ has quit IRC21:06
jamielennoxbknudson: can you have a look at https://review.openstack.org/#/c/217450/ as it needs a keystone-stable-core21:07
*** csoukup has quit IRC21:07
bknudsonwill do21:08
*** mylu has joined #openstack-keystone21:08
*** mylu has quit IRC21:09
*** mylu has joined #openstack-keystone21:10
*** mylu has quit IRC21:10
*** mylu has joined #openstack-keystone21:10
*** mylu has quit IRC21:12
*** mylu has joined #openstack-keystone21:12
*** henrynash has quit IRC21:28
*** stevemar has quit IRC21:30
*** urulama has quit IRC21:31
*** urulama has joined #openstack-keystone21:31
*** richm has quit IRC21:38
*** topol has quit IRC21:39
*** topol has joined #openstack-keystone21:39
*** ChanServ sets mode: +v topol21:39
*** diazjf has quit IRC21:42
*** mylu has quit IRC21:43
*** mylu has joined #openstack-keystone21:43
*** jorge_munoz has quit IRC21:46
*** ebalduf has joined #openstack-keystone21:46
*** ebalduf has quit IRC21:47
*** phalmos has quit IRC21:47
*** edmondsw has quit IRC21:54
*** richm has joined #openstack-keystone21:55
*** csoukup has joined #openstack-keystone21:56
*** csoukup has quit IRC21:57
*** ninag has quit IRC21:57
*** ninag has joined #openstack-keystone21:58
dolphmjdandrea: "user" is a very strange default. the precedent before keystone adopted "_member_" was "Member", but keystone had reason to force people to have a role, so we created a new one.21:59
dolphm"_member_" was chosen because no one would ever create such a hideous role name21:59
*** edtubill has left #openstack-keystone22:00
*** diazjf has joined #openstack-keystone22:00
*** ayoung has quit IRC22:01
*** doug-fish has quit IRC22:01
*** doug-fish has joined #openstack-keystone22:02
*** ninag has quit IRC22:02
*** hrou has quit IRC22:03
*** _hrou_ has joined #openstack-keystone22:03
*** lhcheng_ has joined #openstack-keystone22:04
*** lhcheng has quit IRC22:07
dolphmmorgan: bknudson: thoughts on the backportability of https://review.openstack.org/#/c/202176/ ?22:08
bknudsondolphm: if this only affects fernet tokens then go ahead. they're experimental22:08
dolphmit's an interesting case because it doesn't technically expose a new API (and if it does, it's an API that's only internally consumable in keystone) and fixes an important feature22:08
morganshould be fine22:08
dolphmbknudson: morgan: i'll propose it now then22:08
*** gordc has quit IRC22:16
*** roxanaghe has joined #openstack-keystone22:22
*** mylu has quit IRC22:25
*** mylu has joined #openstack-keystone22:27
*** Ephur has quit IRC22:31
*** jecarey_ has quit IRC22:31
*** slberger has left #openstack-keystone22:31
*** geoffarnold is now known as geoffarnoldX22:36
*** lhcheng_ has quit IRC22:37
*** erhudy1 has joined #openstack-keystone22:37
*** ninag has joined #openstack-keystone22:40
*** lhcheng has joined #openstack-keystone22:40
*** ChanServ sets mode: +v lhcheng22:40
*** doug-fish has quit IRC22:43
*** ninag has quit IRC22:44
*** darrenc is now known as darrenc_afk22:52
*** aix has joined #openstack-keystone22:52
*** diazjf has quit IRC22:55
*** sdake has quit IRC22:56
*** r-daneel has joined #openstack-keystone22:57
*** zzzeek has quit IRC22:59
*** ankita_wagh has quit IRC23:03
dolphmmorgan: bknudson: https://review.openstack.org/#/c/223863/23:05
*** darrenc_afk is now known as darrenc23:06
*** e0ne has quit IRC23:09
*** markvoelker has quit IRC23:10
*** e0ne has joined #openstack-keystone23:13
*** openstackgerrit has quit IRC23:16
*** david-lyle has quit IRC23:17
*** openstackgerrit has joined #openstack-keystone23:17
*** geoffarnoldX is now known as geoffarnold23:21
*** ankita_wagh has joined #openstack-keystone23:22
*** mylu has quit IRC23:23
*** mylu has joined #openstack-keystone23:23
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/22200023:26
*** e0ne has quit IRC23:26
openstackgerritMerged openstack/keystone: Update man pages with liberty version and dates  https://review.openstack.org/22323823:28
morganYAY global reqs is working again23:29
*** _hrou_ has quit IRC23:33
*** mylu has quit IRC23:43
*** diazjf has joined #openstack-keystone23:47
*** aix has quit IRC23:53
*** markvoelker has joined #openstack-keystone23:56
openstackgerritMorgan Fainberg proposed openstack/keystone: Removed the extra http:// from JSON schema link  https://review.openstack.org/21731923:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!