Wednesday, 2015-09-23

*** ankita_w_ has joined #openstack-keystone		00:05
*** ankita_wagh has quit IRC		00:05
*** jerrygb_ has joined #openstack-keystone		00:05
*** annasort has joined #openstack-keystone		00:08
*** jerrygb_ has quit IRC		00:08
*** jerrygb has quit IRC		00:09
*** su_zhang has joined #openstack-keystone		00:13
*** Guest18166 is now known as dims_		00:17
*** su_zhang has quit IRC		00:18
*** RA has joined #openstack-keystone		00:19
*** RA is now known as Guest35886		00:19
*** _cjones_ has quit IRC		00:22
*** su_zhang has joined #openstack-keystone		00:22
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
lbragstad	dolphm: I saw that running devstack locally	00:24
dolphm	lbragstad: hrm	00:26
lbragstad	dolphm: i'm going to retry it with the stack user... it was running as the vagrant user (not sure why that would be a problem, but at this point i'm grabbing at straws)	00:26
dolphm	lbragstad: well it was definitely trying to use the vagrant user's home dir	00:27
lbragstad	dolphm: yeah	00:27
dolphm	i never do anything with devstack outside of stack	00:28
*** lhcheng_ has quit IRC		00:30
*** stevemar has joined #openstack-keystone		00:33
*** ChanServ sets mode: +v stevemar		00:33
*** exploreshaifali has quit IRC		00:33
*** stevemar has quit IRC		00:36
*** zzzeek has quit IRC		00:36
*** markvoelker has joined #openstack-keystone		00:40
*** geoffarnold has quit IRC		00:44
*** gyee has quit IRC		00:49
*** wwwjfy_ has joined #openstack-keystone		00:55
*** wwwjfy has quit IRC		00:55
*** EinstCrazy has joined #openstack-keystone		00:57
lbragstad	dolphm: i think the combination the me + devstack + tempest over the course of the last 12 hours has completely foobar'd this box...	00:58
* lbragstad rage quits to find food		00:58
dolphm	lbragstad: cattle!	01:03
*** stevemar has joined #openstack-keystone		01:11
*** ChanServ sets mode: +v stevemar		01:11
*** tonytan4ever has quit IRC		01:13
*** wwwjfy_ has quit IRC		01:17
*** ankita_w_ has quit IRC		01:19
*** ankita_wagh has joined #openstack-keystone		01:20
*** KarthikB has joined #openstack-keystone		01:21
*** su_zhang has quit IRC		01:24
*** ankita_wagh has quit IRC		01:24
*** woodster_ has quit IRC		01:39
*** jerrygb has joined #openstack-keystone		01:44
*** jerrygb has quit IRC		01:45
*** jerrygb has joined #openstack-keystone		01:45
*** ankita_wagh has joined #openstack-keystone		01:48
*** davechen has joined #openstack-keystone		01:49
*** richm has quit IRC		01:52
*** mylu has joined #openstack-keystone		01:55
*** doug-fish has joined #openstack-keystone		01:55
davechen	stevemar, dstanek: ping?	01:56
davechen	stevemar: are you okay if I revert it back to PS2 (https://review.openstack.org/#/c/224545/)	01:56
*** dims_ has quit IRC		01:57
*** dims_ has joined #openstack-keystone		01:57
*** kiranr has joined #openstack-keystone		02:01
*** dims_ has quit IRC		02:10
*** henrynash has quit IRC		02:10
*** henrynash has joined #openstack-keystone		02:10
*** ChanServ sets mode: +v henrynash		02:10
*** dims_ has joined #openstack-keystone		02:13
*** dims__ has joined #openstack-keystone		02:18
*** dims_ has quit IRC		02:18
*** darrenc is now known as darrenc_afk		02:21
*** dims__ has quit IRC		02:23
*** wwwjfy_ has joined #openstack-keystone		02:28
*** wwwjfy_ is now known as wwwjfy		02:30
*** mylu has quit IRC		02:30
*** mylu has joined #openstack-keystone		02:35
*** mylu has quit IRC		02:39
*** mylu has joined #openstack-keystone		02:39
*** dsirrine has quit IRC		02:43
*** dobson has quit IRC		02:47
*** ankita_wagh has quit IRC		02:48
*** darrenc_afk is now known as darrenc		02:49
*** dobson has joined #openstack-keystone		02:53
*** spandhe_ has joined #openstack-keystone		02:57
*** spandhe has quit IRC		02:58
*** spandhe_ is now known as spandhe		02:58
*** markvoelker has quit IRC		03:01
*** doug-fish has quit IRC		03:04
*** ankita_wagh has joined #openstack-keystone		03:08
*** boris-42 has quit IRC		03:09
openstackgerrit	Steve Martinelli proposed openstack/keystone: include expected_status in get/head/put/delete calls https://review.openstack.org/226613	03:10
openstackgerrit	Steve Martinelli proposed openstack/keystone: include expected_status in get/head/put/delete calls https://review.openstack.org/226613	03:12
*** david-lyle has joined #openstack-keystone		03:13
*** markvoelker has joined #openstack-keystone		03:16
*** KarthikB has quit IRC		03:17
*** su_zhang has joined #openstack-keystone		03:18
*** EinstCrazy has quit IRC		03:19
*** lhcheng has joined #openstack-keystone		03:24
*** ChanServ sets mode: +v lhcheng		03:24
*** ankita_wagh has quit IRC		03:40
*** spandhe has quit IRC		03:42
*** mylu has quit IRC		03:43
*** ankita_wagh has joined #openstack-keystone		03:43
*** mylu has joined #openstack-keystone		03:43
*** ayoung has quit IRC		03:45
*** dims_ has joined #openstack-keystone		03:47
*** mylu has quit IRC		03:48
*** geoffarnold has joined #openstack-keystone		03:54
*** dims_ has quit IRC		03:54
*** geoffarn_ has joined #openstack-keystone		03:55
*** Nirupama has joined #openstack-keystone		03:55
*** hrou has quit IRC		03:56
*** jerrygb has quit IRC		03:56
*** geoffarnold has quit IRC		03:58
*** geoffarn_ has quit IRC		04:07
openstackgerrit	Stanislaw Pitucha proposed openstack/pycadf: Event doc indentation issue https://review.openstack.org/226620	04:25
*** kiranr has quit IRC		04:32
stevemar	lhcheng: fixed up https://review.openstack.org/#/c/226232/	04:32
*** topol has quit IRC		04:37
lhcheng	stevemar: You're too fast. :) I haven't got the chance to test the changes, just took a first pass on the commit msg while looking at recent OSC opened bugs.	04:38
openstackgerrit	Steve Martinelli proposed openstack/keystone: include expected_status in get/head/put/delete calls https://review.openstack.org/226613	04:49
*** geoffarnold has joined #openstack-keystone		04:53
*** ankita_wagh has quit IRC		05:21
*** ankita_wagh has joined #openstack-keystone		05:22
*** spandhe has joined #openstack-keystone		05:22
*** lhcheng has quit IRC		05:29
*** doug-fish has joined #openstack-keystone		05:34
*** topol has joined #openstack-keystone		05:38
*** ChanServ sets mode: +v topol		05:38
*** doug-fish has quit IRC		05:39
*** topol has quit IRC		05:42
*** boris-42 has joined #openstack-keystone		05:47
openstackgerrit	Dave Chen proposed openstack/keystone: Deprecate local conf in paste-ini https://review.openstack.org/134124	05:49
*** dims_ has joined #openstack-keystone		05:50
openstackgerrit	Dave Chen proposed openstack/keystone: Deprecate local conf in paste-ini https://review.openstack.org/134124	05:52
openstackgerrit	Dave Chen proposed openstack/keystone: Add the missing parameter https://review.openstack.org/225177	05:52
*** su_zhang has quit IRC		05:54
*** kiran-r has joined #openstack-keystone		05:54
*** dims_ has quit IRC		05:55
*** ankita_w_ has joined #openstack-keystone		05:57
*** kiranr has joined #openstack-keystone		05:58
*** ankita_wagh has quit IRC		06:00
*** geoffarnold has quit IRC		06:00
*** kiran-r has quit IRC		06:02
*** kiranr has quit IRC		06:02
rajesht_	dolphm: you around ?	06:02
davechen	rajesht_: you properly won't catch him in this time.	06:03
rajesht_	davechen: thanks dave, could you please tell me when he will be available ?	06:04
davechen	rajesht_: some guys tell me he is located in texas.	06:06
rajesht_	davechen: in that case, I think he will get my msg when he will be available	06:07
davechen	rajesht_: hope so. :)	06:07
rajesht_	dolphm: could you please look at it https://review.openstack.org/#/c/210365/	06:07
rajesht_	davechen: thanks :)	06:07
*** jerrygb has joined #openstack-keystone		06:08
*** jerrygb has quit IRC		06:12
*** Guest35886 has quit IRC		06:18
stevemar	rajesht_: write a comment in the patch, and i'll ask him to follow up tomorrow	06:22
stevemar	dolphm: heads up for tomorrow ^	06:22
*** stevemar has quit IRC		06:23
rajesht_	stevemar: thanks steve :)	06:23
*** EinstCrazy has joined #openstack-keystone		06:32
rajesht_	stevemar: have a question regarding code cleanup issue https://bugs.launchpad.net/cinder/+bug/1259292	06:33
openstack	Launchpad bug 1259292 in Manila "Some tests use assertEqual(observed, expected) , the argument order is wrong" [Low,In progress] - Assigned to Yusuke Hayashi (hayashi-yusuke)	06:33
rajesht_	stevemar: there are several occurrences of assertDictEqual with wrong argument order	06:34
rajesht_	stevemar: should I report separate bug for this change or can I submit against the above bug itself.	06:34
breton	I think you can submit against the above bug and use "Related-Bug: #1259292" in the commit message	06:37
openstack	bug 1259292 in Manila "Some tests use assertEqual(observed, expected) , the argument order is wrong" [Low,In progress] https://launchpad.net/bugs/1259292 - Assigned to Yusuke Hayashi (hayashi-yusuke)	06:37
rajesht_	breton: thanks	06:41
*** ParsectiX has quit IRC		06:50
*** kiranr has joined #openstack-keystone		06:51
*** browne has quit IRC		06:57
*** pnavarro has joined #openstack-keystone		07:02
*** rajesht__ has joined #openstack-keystone		07:10
*** rajesht_ has quit IRC		07:13
*** markvoelker has quit IRC		07:15
*** spandhe has quit IRC		07:15
*** stevemar has joined #openstack-keystone		07:23
*** ChanServ sets mode: +v stevemar		07:23
*** ankita_w_ has quit IRC		07:27
*** stevemar has quit IRC		07:27
*** jaosorior has joined #openstack-keystone		07:31
*** ankita_wagh has joined #openstack-keystone		07:51
*** dims_ has joined #openstack-keystone		07:52
*** dims_ has quit IRC		07:59
*** fhubik has joined #openstack-keystone		08:14
*** aix has joined #openstack-keystone		08:15
*** markvoelker has joined #openstack-keystone		08:15
openstackgerrit	Julia Varlamova proposed openstack/python-keystoneclient: Sync oslo-incubator common code https://review.openstack.org/226648	08:19
*** markvoelker has quit IRC		08:20
*** fhubik is now known as fhubik_brb		08:28
*** kiran-r has joined #openstack-keystone		08:29
*** ankita_wagh has quit IRC		08:30
*** katkapilatova has joined #openstack-keystone		08:30
*** fhubik_brb is now known as fhubik		08:33
*** kiran-r has quit IRC		08:34
*** kiran-r has joined #openstack-keystone		08:41
*** kiranr has quit IRC		09:02
openstackgerrit	henry-nash proposed openstack/keystone-specs: Support virtual roles https://review.openstack.org/226661	09:06
*** jerrygb has joined #openstack-keystone		09:08
*** dims_ has joined #openstack-keystone		09:11
openstackgerrit	henry-nash proposed openstack/keystone-specs: Support virtual roles https://review.openstack.org/226661	09:11
*** henrynash has quit IRC		09:12
*** jerrygb has quit IRC		09:13
*** kiranr has joined #openstack-keystone		09:15
*** e0ne has joined #openstack-keystone		09:15
*** fhubik is now known as fhubik_brb		09:18
*** stevemar has joined #openstack-keystone		09:25
*** ChanServ sets mode: +v stevemar		09:25
*** stevemar has quit IRC		09:28
*** fhubik_brb is now known as fhubik		09:29
*** fhubik is now known as fhubik_brb		09:39
*** dims_ has quit IRC		09:44
*** davechen has left #openstack-keystone		09:48
*** e0ne has quit IRC		09:49
*** e0ne has joined #openstack-keystone		09:50
*** lhcheng has joined #openstack-keystone		09:54
*** ChanServ sets mode: +v lhcheng		09:54
*** lhcheng has quit IRC		09:55
*** fhubik_brb is now known as fhubik		09:57
*** Kennan_Vacation has quit IRC		10:01
*** lhcheng has joined #openstack-keystone		10:02
*** ChanServ sets mode: +v lhcheng		10:02
*** Kennan_Vacation has joined #openstack-keystone		10:02
openstackgerrit	Rajesh Tailor proposed openstack/keystone: Fix order of arguments in assertEqual https://review.openstack.org/226677	10:03
*** fhubik is now known as fhubik_brb		10:07
*** dims_ has joined #openstack-keystone		10:09
*** kiran-r has quit IRC		10:10
*** urulama has quit IRC		10:12
*** urulama has joined #openstack-keystone		10:13
*** markvoelker has joined #openstack-keystone		10:17
*** markvoelker has quit IRC		10:21
*** lhcheng has quit IRC		10:28
*** abhishekk_ has joined #openstack-keystone		10:28
*** wwwjfy has quit IRC		10:33
*** lhcheng has joined #openstack-keystone		10:37
*** ChanServ sets mode: +v lhcheng		10:37
*** exploreshaifali has joined #openstack-keystone		10:51
*** EinstCrazy has quit IRC		10:51
*** kiran-r has joined #openstack-keystone		10:53
*** dsirrine has joined #openstack-keystone		10:57
*** aix has quit IRC		11:03
samueldmq	morning	11:03
openstackgerrit	David Stanek proposed openstack/keystone: Adds interface tests for timeutils https://review.openstack.org/226697	11:06
*** fhubik_brb is now known as fhubik		11:06
rajesht__	dolphm: you around ?	11:10
dstanek	rajesht__: it's a bit early for him.	11:10
rajesht__	dstanek: thanks for update	11:11
*** doug-fish has joined #openstack-keystone		11:11
openstackgerrit	Julien Danjou proposed openstack/keystone: wsgi: fix base_url finding https://review.openstack.org/226464	11:12
*** lhcheng has quit IRC		11:14
*** markvoelker has joined #openstack-keystone		11:17
*** markvoelker has quit IRC		11:22
openstackgerrit	Rajesh Tailor proposed openstack/keystone: Fix order of arguments in assertEqual https://review.openstack.org/226677	11:30
*** dsirrine has quit IRC		11:33
*** aix has joined #openstack-keystone		11:34
*** jerrygb has joined #openstack-keystone		11:35
*** Nirupama has quit IRC		11:36
*** gordc has joined #openstack-keystone		11:37
*** jerrygb has quit IRC		11:39
*** jerrygb has joined #openstack-keystone		11:48
*** EinstCrazy has joined #openstack-keystone		11:49
*** ParsectiX has joined #openstack-keystone		11:51
*** exploreshaifali has quit IRC		11:56
openstackgerrit	Merged openstack/oslo.policy: Use requests in http check instead of urllib https://review.openstack.org/226122	11:57
*** EinstCrazy has quit IRC		11:59
*** fhubik has quit IRC		12:04
*** EinstCrazy has joined #openstack-keystone		12:04
*** richm has joined #openstack-keystone		12:04
*** EinstCrazy has quit IRC		12:06
*** fhubik has joined #openstack-keystone		12:06
*** kiran-r has quit IRC		12:10
*** henrynash has joined #openstack-keystone		12:12
*** ChanServ sets mode: +v henrynash		12:12
*** henrynash has quit IRC		12:13
*** e0ne has quit IRC		12:13
*** pauloewerton has joined #openstack-keystone		12:14
*** ParsectiX has quit IRC		12:19
*** wwwjfy has joined #openstack-keystone		12:20
*** markvoelker has joined #openstack-keystone		12:20
*** kiranr has quit IRC		12:22
*** raildo-afk is now known as raildo		12:22
*** zzzeek has joined #openstack-keystone		12:28
*** wwwjfy has quit IRC		12:29
openstackgerrit	David Stanek proposed openstack/keystone: Declares expected_status in method signatures https://review.openstack.org/226744	12:29
openstackgerrit	David Stanek proposed openstack/keystone: Fixes the way v3_admin is called to match its def https://review.openstack.org/226745	12:29
openstackgerrit	David Stanek proposed openstack/keystone: Fixes v3_authenticate_token calls - no default https://review.openstack.org/226746	12:29
openstackgerrit	David Stanek proposed openstack/keystone: Uses constants for 5XX http status codes in tests https://review.openstack.org/226747	12:29
*** ankita_wagh has joined #openstack-keystone		12:30
*** edmondsw has joined #openstack-keystone		12:32
*** ankita_wagh has quit IRC		12:35
*** ParsectiX has joined #openstack-keystone		12:36
*** wwwjfy has joined #openstack-keystone		12:40
zigo	How come Keystone has setup_requires=['pbr>=1.8'] in its setup.py, when this is 1/ not in keystone requirements.txt 2/ not in global-requirements.txt ?!?	12:42
zigo	I mean ... WTF guys !!! :)	12:43
*** csoukup has joined #openstack-keystone		12:43
openstackgerrit	David Stanek proposed openstack/keystone: Adds interface tests for timeutils https://review.openstack.org/226697	12:45
*** csoukup has quit IRC		13:00
*** hrou has joined #openstack-keystone		13:01
dstanek	zigo: http://git.openstack.org/cgit/openstack/requirements/tree/setup.py#n28	13:01
*** kiran-r has joined #openstack-keystone		13:01
dstanek	zigo: wasn't us http://git.openstack.org/cgit/openstack/keystone/commit/?id=16ddc0a0754de263f33eba8f83a01db5c1e2f8d7	13:01
zigo	How come the proposal bot is doing this kind of silly patch?	13:03
*** lhcheng has joined #openstack-keystone		13:03
zigo	:(	13:03
*** ChanServ sets mode: +v lhcheng		13:03
dstanek	zigo: it's because it's in the g-r repo	13:03
zigo	dstanek: My point is, IT IS NOT !	13:03
dstanek	zigo: see my first link	13:03
zigo	python-pbr is >= 1.6 there.	13:03
zigo	Oh...	13:03
zigo	dstanek: So global-requirements.txt doesn't match the setup.py there... :(	13:04
zigo	Anyway, I'm packaging python-pbr 1.8 and I'll be done with that ! :)	13:04
dstanek	zigo: likely just a forgotten update	13:06
*** lhcheng has quit IRC		13:07
samueldmq	dolphm: dstanek ping, release notes	13:09
edmondsw	dstanek, please see my replies to your comments on https://review.openstack.org/#/c/217373/	13:09
openstackgerrit	Julien Danjou proposed openstack/keystone: eventlet: handle system that misses TCP_KEEPIDLE https://review.openstack.org/226773	13:10
*** jaosorior has quit IRC		13:10
samueldmq	dolphm: dstanek I updated the etherpad, and I'd like to check with you if things are okay like that, so I can generate the release notes	13:10
samueldmq	https://etherpad.openstack.org/p/keystone-liberty-release-notes	13:10
dstanek	edmondsw: i really don't think those things are tested. coverage report shows the first case isn't hit and it i remove the added binascii.Error the tests still pass	13:11
*** jecarey has joined #openstack-keystone		13:11
edmondsw	dstanek py27 tests will pass without binascii... but py34 fails	13:12
edmondsw	did you only try py27?	13:12
edmondsw	not sure how the coverage report could miss the first case being hit... definitely is...	13:12
dstanek	edmondsw: yes, because that's what matters. does the error not happen in 27?	13:12
edmondsw	no... only py34	13:12
edmondsw	that is there to handle a py34 case	13:13
openstackgerrit	Julien Danjou proposed openstack/keystone: wsgi: fix base_url finding https://review.openstack.org/226464	13:14
edmondsw	oh, on the first case... yeah, the coverage is right, now I realize I did check for RevocationListError in the other except block	13:14
edmondsw	so I'll go add a test for that one	13:14
edmondsw	let me know if you have trouble with any of the other replies... are we good on the binascii one?	13:15
*** thiagop has joined #openstack-keystone		13:16
edmondsw	dstanek ^	13:17
dstanek	edmondsw: i just replied on the review	13:17
edmondsw	tx	13:17
dstanek	edmondsw: i'm not understanding why we turn an UnauthorizedError and make it a ServiceError	13:18
edmondsw	it's a configuration issue... you've misconfigured your service	13:18
*** jsavak has joined #openstack-keystone		13:18
edmondsw	dstanek: the service has to be able to authenticate to keystone before it can ask keystone whether the token it has is valid or not.	13:19
edmondsw	dstanek: if it can't auth to keystone, then it can't even ask that question... so no way of knowing whether the token is valid or not	13:19
dstanek	edmondsw: if that's the case then the msg isn't very helpful :-(	13:20
dstanek	...and why would we have a retry for an unauthorized?	13:20
*** dims_ has quit IRC		13:21
dstanek	i would have expected that code to be in the HttpError block	13:21
*** dims_ has joined #openstack-keystone		13:21
dstanek	bknudson: very strange ^	13:22
edmondsw	dstanek, I didn't add the retry, that was there before, so I'm not sure... seemed risky to pull it out. I agree it looks odd, though	13:22
*** jsavak has quit IRC		13:23
edmondsw	I can raise the ServiceError there with a nicer message, and separately in the other case with the existing message	13:23
*** jsavak has joined #openstack-keystone		13:23
edmondsw	also something I didn't do, but whatever... if I'm in there...	13:23
dstanek	edmondsw: that addressed by comment about moving the exception. one has already added an exit with this patch	13:25
*** urulama has quit IRC		13:26
*** stevemar has joined #openstack-keystone		13:26
*** ChanServ sets mode: +v stevemar		13:26
*** urulama has joined #openstack-keystone		13:26
edmondsw	dstanek, didn't follow that last comment	13:26
dstanek	s/ed by/es my/ - where i was asking to move up the exception	13:27
edmondsw	right	13:28
dstanek	htruta: you around?	13:28
*** stevemar has quit IRC		13:29
samueldmq	where does keystone-manage live now ? I see a note it is no longer at /bin	13:30
samueldmq	bknudson: ping ^	13:30
*** dsirrine has joined #openstack-keystone		13:33
raildo	dstanek: he will be online in a few minutes :)	13:33
dstanek	samueldmq in keystone.cmd	13:33
lbragstad	samueldmq: the keystone-manage command is setup as an entry point through setup.cfg	13:33
htruta	dstanek: hi.	13:34
dstanek	raildo: thx	13:34
dstanek	htruta: hi	13:34
htruta	raildo is a good secretary	13:34
raildo	¬¬	13:34
dstanek	htruta: i'm looking at https://review.openstack.org/#/c/155260/4 and i'm not sure that it addresses the bug	13:34
dstanek	i was going to setup a test scenario, but haven't gotten around to it yet	13:34
samueldmq	dstanek: lbragstad okay, how can I put it in the upgrade notes ? any suggestion?	13:35
samueldmq	:-)	13:35
*** bradjones has quit IRC		13:35
dstanek	it's only changing the message and not the exception thrown....and the message that's being changes isn't the one that gets shown anyway	13:35
lbragstad	samueldmq: I think that should be transparent to a deployer, since they'll have to install keystone	13:36
lbragstad	regardless	13:36
samueldmq	lbragstad: aah, cool then :)	13:36
samueldmq	lbragstad: better this way	13:36
dstanek	samueldmq: you can say that it's distributed as a setuptools entrypoint and that there is no deployer impact	13:36
lbragstad	yeah, that would work	13:36
dstanek	the only impact is if a deployer tries to debug :-)	13:37
htruta	dstanek: hm... got it	13:37
*** abhishekk_ has quit IRC		13:37
htruta	dstanek: I've just analysed the message itself, haven't realized that it wasn't the right place	13:37
bknudson	samueldmq: it's installed when you do pip install of keystone	13:38
bknudson	it goes where pip decides to put it.	13:38
bknudson	should be the same place as keystone-all	13:38
dstanek	htruta: ok, i thought you knew something that i didn't. i won't bother trying to test unless the author comes back and says I'm wrong :-)	13:39
htruta	dstanek: nope, you were much deeper on that than me, you're right :)	13:39
samueldmq	bknudson: okay, thanks, I was wondering if needed to put that in the release notes	13:41
samueldmq	bknudson: but no, since this change has no impact in endusers/deployers	13:41
*** lsmola has quit IRC		13:41
bknudson	samueldmq: there should be no effect on deployers	13:41
samueldmq	bknudson: ++	13:42
bknudson	on my system the pip install puts keystone-manage in /usr/local/bin/keystone-manage	13:42
bknudson	keystone keystone-all keystone-manage keystone-wsgi-admin keystone-wsgi-public	13:42
bknudson	are all in /usr/local/bin	13:42
samueldmq	bknudson: nice, thanks for sharing :)	13:45
*** lsmola has joined #openstack-keystone		13:50
*** e0ne has joined #openstack-keystone		13:51
opilotte	somebody can help me with this build error? http://logs.openstack.org/81/210581/11/check/gate-keystone-python34/f3c6c72/console.html	13:51
*** stevemar has joined #openstack-keystone		13:55
*** ChanServ sets mode: +v stevemar		13:55
*** su_zhang has joined #openstack-keystone		13:55
bknudson	opilotte: looks like your .coveragerc is out of date	13:58
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Use the correct import for range https://review.openstack.org/226801	14:00
*** ParsectiX has quit IRC		14:01
*** jsavak has quit IRC		14:02
*** jerrygb has quit IRC		14:03
*** diazjf has joined #openstack-keystone		14:03
samueldmq	okay, I've submitted a version of the release notes in the wiki	14:04
samueldmq	https://wiki.openstack.org/wiki/ReleaseNotes/Liberty#OpenStack_Identity_.28Keystone.29	14:04
stevemar	dstanek: cool patches dude	14:04
samueldmq	I kept a note there saying it's being drafted in the etherpad until we get that version reviewed by core-reviewers :)	14:04
samueldmq	dolphm, morgan, bknudson, dstanek, jamielennox, stevemar cc ^	14:05
*** csoukup has joined #openstack-keystone		14:06
*** jerrygb has joined #openstack-keystone		14:07
*** exploreshaifali has joined #openstack-keystone		14:08
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements https://review.openstack.org/226807	14:10
openstackgerrit	Dave Chen proposed openstack/keystone: Deprecate local conf in paste-ini https://review.openstack.org/134124	14:19
openstackgerrit	Dave Chen proposed openstack/keystone: Add the missing parameter https://review.openstack.org/225177	14:20
*** phalmos has joined #openstack-keystone		14:20
*** browne has joined #openstack-keystone		14:22
*** KarthikB has joined #openstack-keystone		14:23
openstackgerrit	Matthew Edmonds proposed openstack/keystonemiddleware: only make token invalid when it really is https://review.openstack.org/217373	14:27
*** tonytan4ever has joined #openstack-keystone		14:28
*** henrynash has joined #openstack-keystone		14:29
*** ChanServ sets mode: +v henrynash		14:29
*** slberger has joined #openstack-keystone		14:30
*** jorge_munoz has joined #openstack-keystone		14:31
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata https://review.openstack.org/226825	14:33
*** jaosorior has joined #openstack-keystone		14:33
openstackgerrit	henry-nash proposed openstack/keystone-specs: Support virtual roles https://review.openstack.org/226661	14:35
*** jecarey has left #openstack-keystone		14:37
bknudson	what do we want to do with new features that are experimental in the release notes?	14:37
bknudson	samueldmq: ^	14:38
*** geoffarnold has joined #openstack-keystone		14:38
bknudson	I think they should go in a separate section from "Key New Features"	14:38
*** kiran-r has quit IRC		14:39
*** stevemar has quit IRC		14:40
*** r-daneel has joined #openstack-keystone		14:43
*** exploreshaifali has quit IRC		14:44
*** stevemar has joined #openstack-keystone		14:46
*** ChanServ sets mode: +v stevemar		14:46
stevemar	bknudson: good call	14:48
bknudson	stevemar: you'd prefer a separate section?	14:49
stevemar	bknudson: yeah, i think so	14:49
*** kiranr has joined #openstack-keystone		14:50
*** wwwjfy has quit IRC		14:50
bknudson	I'll move them around in the etherpad then	14:50
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Deprecate httpd/keystone.py https://review.openstack.org/221975	14:54
*** phalmos has quit IRC		14:56
*** kiran-r has joined #openstack-keystone		14:56
*** kiran-r has quit IRC		14:58
*** wwwjfy has joined #openstack-keystone		14:58
*** phalmos has joined #openstack-keystone		15:01
*** alextricity has joined #openstack-keystone		15:02
openstackgerrit	Merged openstack/pycadf: Event doc indentation issue https://review.openstack.org/226620	15:04
*** katkapilatova has quit IRC		15:06
samueldmq	bknudson: I'd suggest adding a tag at the beggining/ending of the line: (experimental)	15:07
*** katkapilatova has joined #openstack-keystone		15:07
samueldmq	bknudson: we could also create a new section, I am okay with both	15:07
samueldmq	bknudson: wht do you think ?	15:07
bknudson	samueldmq: I prefer a separate section.	15:08
bknudson	since I think we would prefer less description for an experimental feature. They'll have to read the developer docs to figure it out.	15:09
samueldmq	bknudson: okay, makes sense to me	15:09
samueldmq	bknudson: great updates in the etherpad, we can evolve there to update the wiki later	15:10
samueldmq	bknudson: I had updated in the wiki since I considered that a good 'version' from what I could see from the bug/blueprint lists	15:11
alextricity	Hey Keystone! I'm looking for someone to help me with my federated keystone setup.	15:13
alextricity	I just put in the OpenID RP apache module	15:13
*** phalmos has quit IRC		15:13
alextricity	what is the best way to test this?	15:13
alextricity	Can I use Google Sign-In as my Provider?	15:14
*** katkapilatova has left #openstack-keystone		15:14
alextricity	stevemar: You wouldn't happen to know about this would you? :)	15:15
*** jorge_munoz has quit IRC		15:18
*** henrynash has quit IRC		15:19
*** phalmos has joined #openstack-keystone		15:19
*** akanksha_ has joined #openstack-keystone		15:20
*** jorge_munoz has joined #openstack-keystone		15:20
*** woodster_ has joined #openstack-keystone		15:21
*** dsirrine has quit IRC		15:22
slberger	alextricity, it should be fairly easy to set up google as your identity provider	15:24
*** doug-fish has quit IRC		15:24
alextricity	slberger: I'm trying to work though it now. I think I found a good reference for doing this:	15:24
alextricity	https://developers.google.com/identity/protocols/OpenIDConnect	15:24
*** roxanagh_ has joined #openstack-keystone		15:25
alextricity	Any others would definitely help though!	15:25
alextricity	I'm assuming Google won't send requests to an endpoint with out a public CA cert	15:25
alextricity	But I don't know that yet	15:26
slberger	alextricity, that looks like a pretty good resource	15:26
alextricity	is a self-signed cert sufficient?	15:26
alextricity	s/requests/responses	15:26
*** tonytan4ever has quit IRC		15:26
slberger	alextricity, I have never run into any issues with the certs	15:26
*** tonytan4ever has joined #openstack-keystone		15:28
diazjf	alextricity, I worked on it with stevemar, Writting up a blog on it, should be done by Monday, hopefully. Not hard to setup at all.	15:29
diazjf	Just ask me if you need any help	15:30
alextricity	diazjf: Thanks :) Will do!	15:30
alextricity	diazjf: Could I get a link to the blog :)	15:31
alextricity	or..where it will be when its finished rather	15:31
*** alejandrito has joined #openstack-keystone		15:33
*** browne has quit IRC		15:35
*** tonytan4ever has quit IRC		15:38
*** topol has joined #openstack-keystone		15:40
*** ChanServ sets mode: +v topol		15:40
*** browne has joined #openstack-keystone		15:41
gordc	are pki tokens dead?	15:44
bknudson	gordc: pki tokens are still supported and haven't been deprecated yet	15:44
gordc	bknudson: kk, was hoping to just kill pki related bug. :(	15:45
*** topol has quit IRC		15:45
*** roxanagh_ has quit IRC		15:45
stevemar	gordc: in M :)	15:46
*** e0ne has quit IRC		15:47
stevemar	alextricity: yo	15:48
stevemar	alextricity: so theres a few things to consider here	15:48
*** e0ne has joined #openstack-keystone		15:48
stevemar	alextricity: for SSO through horizon, its pretty easy to set up, and well documented in keystone docs	15:48
stevemar	and is kinda written up here: https://gist.github.com/stevemart/4b41bd5437048a7fdfab	15:49
stevemar	alextricity: through a CLI is more difficult	15:49
*** su_zhang has quit IRC		15:50
*** su_zhang has joined #openstack-keystone		15:51
stevemar	alextricity: through CLI - we only have 1 openID connect plugin so far https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/oidc.py	15:51
stevemar	and that one only supports the 'pasword credential owner flow'	15:51
stevemar	which google disables	15:51
*** _cjones_ has joined #openstack-keystone		15:52
*** roxanagh_ has joined #openstack-keystone		15:52
diazjf	alextricity, just message me on this chat on Monday and I'll let you know.	15:52
*** _cjones_ has quit IRC		15:52
*** _cjones_ has joined #openstack-keystone		15:52
alextricity	stevemar: diazjf: okay great! I'll read up on these and ask if I have any questions! Thanks guys	15:53
stevemar	alextricity: the other option is using the 'authorization code' option from the CLI, its not merged yet though :(	15:54
stevemar	diazjf: you should review! https://review.openstack.org/#/c/224993/	15:54
*** urulama has quit IRC		15:55
*** su_zhang has quit IRC		15:56
*** urulama has joined #openstack-keystone		15:56
*** sdake has joined #openstack-keystone		15:57
diazjf	stevemar, gotcha I'll take a look a little later today	15:58
*** ayoung has joined #openstack-keystone		16:00
*** ChanServ sets mode: +v ayoung		16:00
*** jaosorior has quit IRC		16:01
*** jaosorior has joined #openstack-keystone		16:02
*** roxanagh_ has quit IRC		16:04
*** sdake has quit IRC		16:04
dstanek	stevemar: thx	16:05
*** roxanagh_ has joined #openstack-keystone		16:05
*** sdake_ has joined #openstack-keystone		16:07
alextricity	stevemar: Will I have to change the RedirectURI and LocationMatch to work with version 1.3? Or can I use the 1.2 version still?	16:08
alextricity	http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#web-single-sign-on-authentication	16:08
*** jsavak has joined #openstack-keystone		16:08
alextricity	Your using the 1.2 version in your one-shoter	16:08
stevemar	alextricity: depends on your version of keystone that you're running	16:08
* alextricity checks		16:09
edmondsw	dstanek, your comments should be addressed now in https://review.openstack.org/#/c/217373/	16:09
stevemar	alextricity: if you're using liberty, you can use either, if you're using kilo or older, it can only be the first example (the 1.2 one)	16:09
dstanek	edmondsw: great, i'll take a look	16:10
edmondsw	tx	16:10
*** sdake has joined #openstack-keystone		16:11
*** jsavak has quit IRC		16:13
openstackgerrit	Brant Knudson proposed openstack/keystone: Cleanup _build_federated_info https://review.openstack.org/220658	16:14
*** sdake_ has quit IRC		16:14
*** doug-fish has joined #openstack-keystone		16:14
alextricity	stevemar: What version number am I looking at here? The version of the federation extenstion?	16:16
alextricity	extension*	16:16
openstackgerrit	Brant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context https://review.openstack.org/213792	16:16
openstackgerrit	Brant Knudson proposed openstack/keystone: More info in RequestContext https://review.openstack.org/213595	16:17
*** amit213 has quit IRC		16:17
*** phalmos has quit IRC		16:17
alextricity	stevemar: Because I see here I'm running keystone (8.0.0.0b3)	16:17
*** amit213 has joined #openstack-keystone		16:18
alextricity	keystoneauth1 (1.1.0)	16:18
stevemar	alextricity: use the shorter redirect URL, just in case	16:19
*** roxanagh_ has quit IRC		16:23
*** roxanagh_ has joined #openstack-keystone		16:24
*** jaosorior has quit IRC		16:28
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/226807	16:29
*** gyee has joined #openstack-keystone		16:29
*** ChanServ sets mode: +v gyee		16:29
*** kiran-r has joined #openstack-keystone		16:31
openstackgerrit	Tony Wang proposed openstack/keystone: Show v3 endpoints in v2 endpoint list https://review.openstack.org/215870	16:36
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable try_except_pass Bandit test https://review.openstack.org/225738	16:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable subprocess_without_shell_equals_true Bandit test https://review.openstack.org/225692	16:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable Bandit 0.13.2 tests https://review.openstack.org/225347	16:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable hardcoded_bind_all_interfaces Bandit test https://review.openstack.org/225690	16:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable password_config_option_not_marked_secret Bandit test https://review.openstack.org/225691	16:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Update bandit blacklist_calls config https://review.openstack.org/225327	16:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Update bandit blacklist_imports config https://review.openstack.org/225341	16:37
*** nicodemos has joined #openstack-keystone		16:41
*** topol has joined #openstack-keystone		16:47
*** ChanServ sets mode: +v topol		16:47
*** henrynash has joined #openstack-keystone		16:48
*** ChanServ sets mode: +v henrynash		16:48
openstackgerrit	Eric Brown proposed openstack/keystone: Handle 16-char non-uuid user IDs in payload https://review.openstack.org/226121	16:49
*** ankita_wagh has joined #openstack-keystone		16:51
openstackgerrit	Dolph Mathews proposed openstack/keystone: Rename v3_authenticate_token() to v3_create_token() https://review.openstack.org/226881	16:53
*** aix has quit IRC		16:53
*** tonytan4ever has joined #openstack-keystone		16:55
*** tonytan_brb has joined #openstack-keystone		16:56
*** exploreshaifali has joined #openstack-keystone		16:57
browne	dolphm: on https://review.openstack.org/#/c/226121/, were you suggesting a new conf option? if so, i think that would be a little strange to rely on a deployer to set it correctly to avoid a bug. alternatively, the convert_uuid could only be used when using sql identity backend	16:57
dolphm	browne: i was, but only as a thought experiment. i'm not sure it's a good idea myself	16:59
dolphm	browne: making it conditional based on the identity driver is probably more reliable	16:59
*** tonytan4ever has quit IRC		16:59
dolphm	browne: but you'd have to check to see if the driver is an instance of our own driver, to match deployments who have extended the default driver	17:00
dolphm	browne: .... which leads me back to a separate conf option :P	17:00
*** kiran-r has quit IRC		17:00
browne	dolphm: ugh, sounds gross to put knowledge of the identity drivers in the token backend	17:00
*** tonytan_brb has quit IRC		17:01
dolphm	browne: 100% agree.	17:01
*** fhubik is now known as fhubik_brb		17:01
dolphm	lbragstad: have you seen this bug? ^	17:02
lbragstad	dolphm: browne yeah, that would make sense	17:03
*** su_zhang has joined #openstack-keystone		17:03
browne	the other fun thing about this bug is that it only exists in py27.	17:04
dolphm	browne: ooh, that's interesting. is there a py34 implementation of UUID that we could backport?	17:04
*** henrynash has quit IRC		17:04
lbragstad	actually, how are we hitting that...	17:04
lbragstad	because we use this - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L417	17:04
dolphm	lbragstad: that's the problem, actually	17:05
browne	dolphm: so in py3.x bytes and str are different. py27 they are not	17:05
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L337-L349	17:05
lbragstad	hmm	17:05
dolphm	lbragstad: we successfully decode things that look like they were UUID, but never were	17:05
dolphm	lbragstad: so we get a user not found with the decoded result	17:05
browne	so py34 can assert the string is actually a byte array	17:05
dolphm	lbragstad: .... because it wasn't encoded at all	17:05
lbragstad	dolphm: how can we successfully decode it when it wasn;t uuid in the first place?	17:06
dolphm	lbragstad: luck	17:07
dolphm	lbragstad: look at browne's test cases	17:07
browne	lbragstad: because any 16 char str is a valid uuid as far as UUID is concerned	17:07
lbragstad	...	17:08
dolphm	browne: as long as it's 0-9A-F, though, right?	17:08
browne	… when you pass using bytes=…	17:08
lbragstad	hmm interesting...	17:08
*** jorge_munoz has quit IRC		17:08
browne	lbragstad: yeah, its real easy to duplicate using just the UUID module	17:09
lbragstad	right, so as long as you pass some "ID value" as 0-9 and a-f in bytes...	17:09
browne	lbragstad: that's true when using uuid.UUID(uuid_string)	17:10
browne	which does fail for 16 char non-uuids	17:11
lbragstad	so, making that conditional based on the context of the identity backend is a solution	17:11
bknudson	I don't think a config option is a terrible idea	17:12
lbragstad	if you're using the ldap identity backend, keystone can safely encode or decode user IDs?	17:12
*** kiranr has quit IRC		17:12
lbragstad	because that is separate user management	17:12
bknudson	or maybe it's based on if you're using ldap identity	17:12
*** ankita_wagh has quit IRC		17:12
browne	lbragstad: all that matters is whether the user_id is a uuid or not	17:12
lbragstad	bknudson: a separate config option to attempt packing as bytes?	17:12
*** ankita_wagh has joined #openstack-keystone		17:12
browne	technically you can have a uuid using ldap	17:12
lbragstad	true	17:12
lbragstad	I think I like bknudson's config idea...	17:13
dolphm	>>> uuid.UUID(bytes='DeadFacedBeefDad')	17:13
dolphm	UUID('44656164-4661-6365-6442-656566446164')	17:13
lbragstad	we can add a config option to let the deployer choose to compress user ids to bytes	17:13
lbragstad	if they have the ability to do so	17:13
*** pnavarro has quit IRC		17:14
dolphm	lbragstad: that was my first thought. but default it to enable or disable?	17:14
lbragstad	if not, they can still use fernet tokens but they get a bit bigger	17:14
browne	lbragstad: yeah, probably the best option	17:14
dolphm	lbragstad: if you default it to enable, they have to disable it to avoid a bug, as browne pointed out.	17:14
lbragstad	right	17:14
dolphm	lbragstad: if you default it to disable, then deployers have to opt-in to get smaller tokens.	17:14
lbragstad	I would consider it a performance gain	17:14
lbragstad	i'd say the second case is safer?	17:14
lbragstad	worst case in the second case is the token is a bit bigger	17:15
dolphm	lbragstad: safer but i dislike both lol	17:15
dolphm	lbragstad: a bit?!	17:15
lbragstad	just a bit :)	17:15
lbragstad	16 will turn to 32.. so	17:15
*** e0ne has quit IRC		17:16
lbragstad	twice as big depending on how many id strings are in the token.. .	17:16
browne	most are probably using ldap anyway	17:16
dolphm	lbragstad: holy crap i think there's a significant waste of space here already	17:17
lbragstad	?	17:17
browne	if user_id had a type of UUID, then another solution would be to check instanceof. but that probably causes tons of changes	17:18
lbragstad	dolphm: in the payload?	17:18
dolphm	lbragstad: yeah, testing to make sure i'm not crazy, one min.	17:19
*** diazjf has quit IRC		17:19
lbragstad	browne: http://cdn.pasteraw.com/klxyo3k5t3mwn1yegkwowhtfzsovhat	17:19
lbragstad	browne: is that what you mean?	17:20
browne	lbragstad: yeah, i'm suggesting t= uuid.uuid4(), not t= uuid.uuid4().hex	17:20
lbragstad	browne: oh...	17:21
*** su_zhang_ has joined #openstack-keystone		17:21
*** su_zhang has quit IRC		17:21
lbragstad	yeah that would work, but I'm not sure we'd be able to make that change?	17:21
dolphm	lbragstad: i appear to be wrong and/or we're only wasting a single byte	17:21
lbragstad	browne: that would be the ideal fix however	17:21
browne	yeah, probably would cause a ripple of huge number of changes everywhere. i think user_id is assumed to be a string	17:21
*** urulama has quit IRC		17:21
*** urulama has joined #openstack-keystone		17:22
bknudson	if it's a useful change, go ahead	17:22
dolphm	browne: user_id is definitely a string, but we can do whatever we need to inside fernet.... but i don't follow what you're suggesting?	17:22
lbragstad	dolphm: browne if the id came from ldap, we can't convert 1234567890abcdef to a uuid class, because we hit the same issue	17:23
browne	dolphm: i'm suggesting the type is uuid.UUID, not str. and for other non-uuid user_ids it would be string or whatever	17:23
dolphm	browne: ah you mean passing around one of two completely different types as a user ID within keystone?	17:24
browne	lbragstad: using a uuid in ldap is probably incredibly rare, although possible. yes, that case can't really be identified well	17:24
browne	dolphm: yeah, not a simple thing	17:25
*** raildo is now known as raildo-afk		17:25
dolphm	lbragstad: tl;dr i think we could have saved a byte if msgpack.packb() knew how to pack unsigned long ints but it refuses	17:25
dolphm	msgpack.exceptions.PackValueError: Integer value out of range	17:25
lbragstad	dolphm: oh, interesting...	17:27
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix typo in config help https://review.openstack.org/226888	17:28
dolphm	lbragstad: we could have used uuid.uuid4().int instead of bytes and this would have been trivial to distinguish	17:28
dolphm	lbragstad: well, i take that back. that wouldn't have solved the bug.	17:28
lbragstad	dolphm: can we change it?	17:28
*** lhcheng has joined #openstack-keystone		17:31
*** ChanServ sets mode: +v lhcheng		17:31
*** spandhe has joined #openstack-keystone		17:32
*** su_zhang_ has quit IRC		17:35
*** su_zhang has joined #openstack-keystone		17:35
*** topol has quit IRC		17:38
*** raildo-afk is now known as raildo		17:41
*** phalmos has joined #openstack-keystone		17:41
alextricity	stevemar: So I don't need to set up SSL at all for this?	17:48
alextricity	I would imagine that SSL would need to be set up for horizon and keystone	17:48
dolphm	stevemar: +1 do be secure	17:49
dolphm	alextricity: ^	17:49
odyssey4me	alextricity yeah, ssl is only an absolutely requirement when your IdP is ADFS as it refuses to trust an SP that doesn't present via SSL :)	17:51
alextricity	Hmmm..interesting. Thanks odyssey4me dolphm	17:52
odyssey4me	for production, you would want to use SSL for any publically presented identity authentication/authorization	17:53
odyssey4me	that seems to be a rather obvious statement to make :)	17:53
alextricity	But it's always good to throw that out there!	17:53
alextricity	People tend to forget..	17:53
*** kiran-r has joined #openstack-keystone		17:54
*** e0ne has joined #openstack-keystone		17:56
*** henrynash has joined #openstack-keystone		17:57
*** ChanServ sets mode: +v henrynash		17:57
bknudson	doc fix could use keystone support: https://review.openstack.org/226901	17:59
henrynash	morgan: we need to revert (or modify items from version 3.5 to 3.5) a bunch of changes to the Identity API spec (e.g. I think all buit the last two items listed as changes for 3,5)!	18:02
henrynash	morgan: since these blueprints never landed	18:03
morgan	henrynash: huh? Oh sure	18:03
bknudson	they're part of the spec but keystone doesn't need to implement it.	18:03
henrynash	morgan: yep	18:03
henrynash	morgan, bknudson: mayeb we just mark them as 3.6	18:03
bknudson	does keystone say that it support 3.5?	18:04
henrynash	bknudson: intersteding question…not sure where we say that…but normally the version of teh spec is tied to a relasee (and 3.5 = :Liberty)	18:04
henrynash	sory, neet to go offline for a bit, be back on later….happy to make these changesif we agree	18:05
*** mylu has joined #openstack-keystone		18:05
morgan	Propose them. - we cab have the discussion in gerrit	18:05
henrynash	ok, will do	18:05
*** henrynash has quit IRC		18:05
*** doug-fis_ has joined #openstack-keystone		18:05
*** e0ne has quit IRC		18:06
*** doug-fi__ has joined #openstack-keystone		18:06
*** doug-f___ has joined #openstack-keystone		18:08
*** doug-fish has quit IRC		18:08
*** urulama has quit IRC		18:08
*** urulama has joined #openstack-keystone		18:09
*** doug-fish has joined #openstack-keystone		18:09
*** doug-fis_ has quit IRC		18:10
*** doug-fis_ has joined #openstack-keystone		18:11
*** su_zhang has quit IRC		18:11
*** doug-fi__ has quit IRC		18:11
*** su_zhang has joined #openstack-keystone		18:11
*** doug-f___ has quit IRC		18:13
*** e0ne has joined #openstack-keystone		18:13
*** ankita_wagh has quit IRC		18:13
*** doug-fish has quit IRC		18:14
*** ankita_wagh has joined #openstack-keystone		18:14
*** diazjf has joined #openstack-keystone		18:17
openstackgerrit	Merged openstack/keystone: Use the correct import for range https://review.openstack.org/226801	18:21
dstanek	dolphm: what are your thoughts on https://review.openstack.org/#/c/226697/ ?	18:21
*** jorge_munoz has joined #openstack-keystone		18:23
*** phalmos has quit IRC		18:23
stevemar	alextricity: odyssey4me dolphm yeah, SSL is recommended, but i was just playing around and not using it, and thus set the SSLVerift options to false	18:26
*** dims__ has joined #openstack-keystone		18:28
dolphm	dstanek: i'm not opposed. that second test is the sort of negative test that i value. what happens when we pass it a null value or an empty string? etc. i wouldn't be surprised to see timeutils silently pass back a null value as well	18:28
dstanek	dolphm: we can add tests for whatever part of the interface that we want. the benefit to doing it this way is that the intent is clear. having an extra assert in another test may work, but it's not as clear why it's there so will likely be removed in a future refactoring	18:30
dolphm	dstanek: ++	18:31
*** dims_ has quit IRC		18:31
dstanek	dolphm: the other benefit is that these tests are super simple and fast	18:32
*** aix has joined #openstack-keystone		18:33
*** kiran-r has quit IRC		18:33
alextricity	stevemar: diazjf Is the authorized redirect URI in the google dev console the same one I configured in the apache module config?	18:34
dstanek	ok, tired of looking at a glowing screen - might be time for a run	18:34
lbragstad	dstanek: nice, have fun	18:34
stevemar	alextricity: yes sir	18:35
*** topol has joined #openstack-keystone		18:36
*** ChanServ sets mode: +v topol		18:36
alextricity	stevemar: They don't take public IPs though. Any other way around that aside from using a legit domain?	18:36
*** phalmos has joined #openstack-keystone		18:36
stevemar	alextricity: i was just using localhost:5000	18:39
*** topol has quit IRC		18:40
alextricity	stevemar: hmm..i guess that would work. that means that uri is processed locally, right?	18:43
alextricity	I'm just trying to understand it all XD	18:43
*** e0ne has quit IRC		18:49
*** phalmos has quit IRC		18:49
*** su_zhang has quit IRC		18:51
*** dsirrine has joined #openstack-keystone		18:58
mfisch	stevemar: deployed the CADF consumer today to dev running in a container	18:59
lbragstad	dolphm: fwiw, i got everything in tempest.api.identity.v3 and tempest.api.identity.admin.v3 to pass with - http://cdn.pasteraw.com/6k893vbt6i5kpnvpjjjayjxs5n1ncxu	18:59
mfisch	stevemar: when its gets to prod I'll let you know the message rate	18:59
stevemar	mfisch: cool cool	19:03
stevemar	mfisch: would the chattiness be a factor even if you don't listen to those events?	19:03
mfisch	well as it turns out I need the chatty ones	19:04
mfisch	I'm logging 4 things for now	19:04
mfisch	but this is very much iterative, I especially need to see how much space these logs take	19:04
*** mylu has quit IRC		19:10
*** mylu has joined #openstack-keystone		19:10
*** phalmos has joined #openstack-keystone		19:12
*** e0ne has joined #openstack-keystone		19:12
edmondsw	bknudson, should this retry be moved down into the HttpError block? https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L220	19:14
*** mylu has quit IRC		19:14
*** exploreshaifali has quit IRC		19:15
*** mylu has joined #openstack-keystone		19:16
*** dsirrine has quit IRC		19:19
*** tonytan4ever has joined #openstack-keystone		19:22
*** phalmos has quit IRC		19:22
*** mylu has quit IRC		19:22
*** mylu has joined #openstack-keystone		19:23
dolphm	dstanek: abandon? revive? https://review.openstack.org/#/c/183189/	19:23
*** urulama has quit IRC		19:24
dstanek	dolphm: that's on the list of things i have been playing with. I can update it later with what I've got so far	19:24
*** mylu_ has joined #openstack-keystone		19:24
*** urulama has joined #openstack-keystone		19:24
*** mylu has quit IRC		19:24
*** dims__ has quit IRC		19:24
*** e0ne has quit IRC		19:24
*** dims_ has joined #openstack-keystone		19:25
dolphm	dstanek: cool	19:26
*** phalmos has joined #openstack-keystone		19:31
dolphm	lbragstad: same question: abandon or revive? https://review.openstack.org/#/c/167832/	19:32
*** dsirrine has joined #openstack-keystone		19:35
lbragstad	dolphm: I'd like to get that landed, but morgan made a point that it would probably be easier to refactor the tests after the token_provider api is cleaned up	19:36
dolphm	lbragstad: which hasn't happened	19:36
lbragstad	dolphm: yeah, i'll abandon for now	19:37
dolphm	lbragstad: either way	19:37
lbragstad	and dig it up later if we want to revisit it	19:37
dolphm	lbragstad: cool	19:37
bknudson	edmondsw: do you think it should retry if it gets unauthorized? wouldn't that only happen if the password was wrong (or however the auth was done)	19:37
bknudson	you don't want to retry for invalid token, right?	19:37
edmondsw	bknudson, that's my point... I don't think it makes sense where it is today	19:37
bknudson	this might be something that never made much sense	19:37
bknudson	the suggestion to retry in the case of HttpError makes more sense, I guess.	19:38
edmondsw	ok, so I'll throw up a commit for moving that... dstanek also thought this was odd, so with at least 3 of us on the same page...	19:38
*** mylu_ has quit IRC		19:38
dolphm	i can't think of a reason why it would retry on 401 without at least doing something in between to try and get a different result	19:39
*** mylu has joined #openstack-keystone		19:39
dolphm	nor should it issue a warning there, but that's a different problem	19:39
*** mylu has quit IRC		19:40
edmondsw	dolphm, why no warning? it's essentially telling you keystone_authtoken config section is wrong, right?	19:40
dolphm	edmondsw: +1 to moving it into the next except block. i'd also be curious if there were any clues in the git history, but i think that code has been moved around a lot so that might be too difficult to be worth the effort	19:40
*** tjcocozz_ has joined #openstack-keystone		19:41
dolphm	edmondsw: it's failing to validate a user token, not it's own token. that 401 is expected behavior under any number of circumstances, and never a surprise to the operator	19:41
bknudson	it did move around a couple times.	19:41
dolphm	oh wait, that might be a lie. i forgot about 401 vs 404 on this call...	19:42
edmondsw	dolphm, I don't think that's right... I think the failure to validate the user token is the NotFound, and this is exactly when it fails to auth itself	19:42
bknudson	not being able to auth as the service user seems like something to tell the operator about	19:43
dolphm	edmondsw: ah, so in a 401 condition, i actually think the retry is appropriate there! middleware's own token may have expired, and it's up to the _request_strategy implementation to refresh itself, and for this code to try again	19:43
dolphm	although perhaps that behavior should be built into _auth_strategy.verify_token() rather than being handled here	19:44
dolphm	edmondsw: anyway, the retry seems appropriate to me, even if the responsibility is in the wrong scope, but i think the same retry strategy should apply to the HttpError block	19:45
edmondsw	you're saying it might be a token-expired problem, as opposed to a credentials-no-good problem... if that's possible here, I agree, a retry does make sense	19:45
dolphm	edmondsw: yes	19:45
*** tjcocozz_ has quit IRC		19:46
edmondsw	so instead of move it to HttpError, copy it to HttpError	19:46
bknudson	it's not too useful to retry with the same token	19:46
dolphm	bknudson: if retry is False, i'd log a warning only then	19:46
dolphm	bknudson: i'm assuming _request_strategy will get a new one in between?	19:46
edmondsw	+1 on moving the warning to when retry is False	19:46
bknudson	I'd think that would be up to the session to get a new token.	19:46
bknudson	and I think it does that automatically when it can	19:47
dolphm	bknudson: sure, would that happen in between retries here?	19:47
bknudson	shouldn't require a retry, it'll retry by itself	19:47
dolphm	bknudson: so we'll never hit the retry on an expired token?	19:47
dolphm	edmondsw: can you add some inline comments about when these except blocks are expected to be hit? :)	19:47
edmondsw	dolphm: once we figure that out :)	19:48
bknudson	dolphm: right, if the token was expired then the session would try to get a new token, and you'd get the auth failure then.	19:48
bknudson	or you'd get a fresh token and then it would have worked and not auth failure	19:48
*** su_zhang has joined #openstack-keystone		19:48
bknudson	that assumes I know how sessions and the auth plugins work, but I think that's the point of some of the code in auth tokens... let's see if I can find it.	19:49
bknudson	auth plugins, not tokens	19:49
bknudson	there's an auth plugin for token auth that's using the admin token where that won't retry	19:50
bknudson	here's some code: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/session.py#n388	19:51
bknudson	^ shows that the session will try to get a new token on a request.	19:53
*** roxanagh_ has quit IRC		19:54
*** roxanagh_ has joined #openstack-keystone		19:54
bknudson	here's auth_token's special plugin: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_auth.py#n87 -- looks like it's able to re-fetch the token if you do username / password	19:54
*** gordc_ has joined #openstack-keystone		19:57
*** gordc_ is now known as guestblahasdfafa		19:58
*** guestblahasdfafa has quit IRC		19:58
*** pnavarro has joined #openstack-keystone		19:58
*** mylu has joined #openstack-keystone		19:59
*** mylu has quit IRC		20:01
*** mylu has joined #openstack-keystone		20:02
*** ankita_wagh has quit IRC		20:03
*** ankita_wagh has joined #openstack-keystone		20:03
edmondsw	bknudson, if there's just one plugin that doesn't retry, then we need to keep the retry here, no?	20:05
edmondsw	well, if it was just an admin_token case... retry there won't help because the admin_token won't have changed	20:06
*** mylu has quit IRC		20:06
bknudson	then change the plugin to retry.	20:07
bknudson	actually, it might retry, just retries with the same token	20:07
*** jorge_munoz has quit IRC		20:08
*** stevemar has quit IRC		20:11
*** stevemar has joined #openstack-keystone		20:11
*** ChanServ sets mode: +v stevemar		20:11
*** stevemar has quit IRC		20:13
openstackgerrit	Brant Knudson proposed openstack/keystone: Move development environment setup instructions to standard location https://review.openstack.org/226974	20:18
*** roxanagh_ has quit IRC		20:19
*** sdake_ has joined #openstack-keystone		20:22
*** nicodemos has quit IRC		20:23
*** roxanagh_ has joined #openstack-keystone		20:25
*** sdake has quit IRC		20:25
*** mylu has joined #openstack-keystone		20:27
*** roxanagh_ has quit IRC		20:27
*** ankita_w_ has joined #openstack-keystone		20:29
*** ankita_wagh has quit IRC		20:29
*** mylu has quit IRC		20:33
*** jorge_munoz has joined #openstack-keystone		20:34
*** mylu has joined #openstack-keystone		20:35
*** mylu has quit IRC		20:38
*** mylu has joined #openstack-keystone		20:39
*** mylu has quit IRC		20:43
*** su_zhang_ has joined #openstack-keystone		20:45
*** su_zhang has quit IRC		20:45
*** su_zhang_ has quit IRC		20:45
*** ankita_w_ has quit IRC		20:45
*** su_zhang has joined #openstack-keystone		20:45
*** ankita_wagh has joined #openstack-keystone		20:46
*** su_zhang has quit IRC		20:50
*** su_zhang has joined #openstack-keystone		20:51
*** raildo is now known as raildo-afk		20:53
*** sigmavirus24_awa has quit IRC		20:54
*** d34dh0r53 has quit IRC		20:55
*** d34dh0r53 has joined #openstack-keystone		20:55
*** eglute has quit IRC		20:55
*** eglute has joined #openstack-keystone		20:55
*** ankita_wagh has quit IRC		20:55
*** ankita_wagh has joined #openstack-keystone		20:56
*** thiagop has quit IRC		20:57
*** sigmavirus24_awa has joined #openstack-keystone		20:57
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct comment to not be driver-specific https://review.openstack.org/226992	20:58
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct docstrings https://review.openstack.org/226996	21:03
*** hrou has quit IRC		21:04
*** diazjf has quit IRC		21:16
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix use of TokenNotFound https://review.openstack.org/227004	21:23
*** chris_19 has joined #openstack-keystone		21:23
*** topol has joined #openstack-keystone		21:23
*** ChanServ sets mode: +v topol		21:23
morgan	oh i should probably do the un -2 thing now	21:23
chris_19	I have a caching question	21:23
chris_19	In the keystone.conf, what's the difference between the [cache]/memcache_servers setting and the [memcache]/servers setting?	21:24
*** roxanagh_ has joined #openstack-keystone		21:24
morgan	chris_19: the [memcache] server settings is a general setting used for the token memcache backend. The cache backend (used to, but may not anymore) fall back to [memcache]/servers if it is unset in the [cache] section	21:27
morgan	chris_19: in short, it allows you to use two different memcache backends, one for caching of real data and one for the Token storage backend (please do not use memcahce for the token backend)	21:27
chris_19	hmmm. ok	21:27
*** topol has quit IRC		21:28
morgan	chris_19: caching is for things like SQL/domain/etc	21:28
chris_19	So, [cache] = real data and [memcache] = token backend (which you say don't use)	21:29
morgan	cache is for caching things like results of the SQL queries internally	21:30
chris_19	right	21:30
morgan	to help offload stuff like ".get_user(<christ_19's_user_id>)	21:30
morgan	:)	21:30
chris_19	thanks. that helps	21:32
morgan	:)	21:32
morgan	sure thing	21:32
*** pnavarro has quit IRC		21:34
*** doug-fis_ has quit IRC		21:35
openstackgerrit	Dolph Mathews proposed openstack/keystone: Issue revocation events for the previous second https://review.openstack.org/227015	21:35
morgan	dolphm: that was kindof the direction I'd want to go all things considered	21:37
morgan	dolphm: ^	21:37
*** henrynash has joined #openstack-keystone		21:37
*** ChanServ sets mode: +v henrynash		21:37
morgan	though it may still fail tempest	21:37
morgan	because we do [ISSUE TOKENS SO FAST OMG] in some scenarios	21:38
dolphm	morgan: lol yeah. it fails miserably against keystone, but i might just be doing the math in the wrong spot	21:44
dolphm	morgan: will keep playing / feel free to suggest changes	21:44
morgan	will do.	21:44
morgan	the keystone tests are easy... the tempest part is where I'm worried	21:45
dolphm	morgan: trying a similar patch with time.sleep(1) now for the sake of sanity before debugging the failures in the patch above	21:45
dolphm	morgan: right	21:45
morgan	dolphm: use mock vs. sleep(1) in the final case	21:45
dolphm	morgan: this would fix it from tempest's perspective, in theory	21:45
morgan	tempest we should fix the tempest tests too	21:45
dolphm	morgan: atm, i'm actually sleeping in the revocation model, not the tests	21:45
dolphm	morgan: lance has a two line patch to fix tempest, using sleep, but tempest folks obviously no likey	21:46
dolphm	and we can't advance keystone's clock from the client side lol	21:46
openstackgerrit	henry-nash proposed openstack/keystone-specs: Align API spec for Liberty (3.5) with the changes that merged https://review.openstack.org/227023	21:47
morgan	dolphm: ooh. hm.	21:47
morgan	dolphm: I'll take a closer look at how fernet does these things as well soon. maybe we can play a game and always issue a token for now()+1second	21:48
morgan	which should absolutely work as expected	21:48
morgan	in all cases [with a minor massage of our internal testing]	21:49
openstackgerrit	henry-nash proposed openstack/keystone-specs: Align API spec for Liberty (3.5) with the changes that merged https://review.openstack.org/227023	21:49
*** mjb has quit IRC		21:50
*** mjb has joined #openstack-keystone		21:50
dolphm	morgan: auditors will love that :D	21:50
morgan	dolphm: I don't think they will care as much since we know "revoke" is as of "now" and all tokens after "now" should be valid	21:51
morgan	hell, they give us a pass on bearer tokens	21:51
morgan	and seriously 1s resolution is well within acceptable clock drift	21:52
dolphm	morgan: just discovered that the best part about putting a time.sleep(1) in the revocation model itself is that ALLLLL the tests take waaaaaaaaay longer	21:53
morgan	as much as I wish we could rely on RTC everywhere	21:53
morgan	dolphm: hah yeah =/	21:53
morgan	dolphm: with mock.patch(time.time, return time.time()+1): issue_token	21:56
morgan	:P	21:56
dolphm	i smell mock as a service	21:58
morgan	dolphm: woo ;)	21:59
*** sdake_ has quit IRC		21:59
*** pauloewerton has quit IRC		22:02
*** flaper87 has quit IRC		22:03
*** fhubik_brb has quit IRC		22:04
*** tsymancz2k has quit IRC		22:04
openstackgerrit	Dolph Mathews proposed openstack/keystone: Slow keystone waaaaaaay down https://review.openstack.org/227030	22:04
dolphm	morgan: ^	22:04
dolphm	needs +2's plz	22:04
morgan	dolphm: sadly that probably wont work too well.. apache model and all that. :P	22:05
*** telemonster has quit IRC		22:05
morgan	only will slow down one of the workers tokens issued concurrently still broken :(	22:05
*** hrou has joined #openstack-keystone		22:06
*** telemonster has joined #openstack-keystone		22:06
dolphm	morgan: slows the unit test suite down by 1266% for stability	22:07
*** flaper87 has joined #openstack-keystone		22:07
*** slberger has left #openstack-keystone		22:08
*** tsymancz2k has joined #openstack-keystone		22:09
*** stevemar has joined #openstack-keystone		22:13
*** ChanServ sets mode: +v stevemar		22:13
*** geoffarnold has quit IRC		22:13
*** mylu has joined #openstack-keystone		22:14
*** KarthikB has quit IRC		22:14
*** stevemar has quit IRC		22:15
*** openstackgerrit has quit IRC		22:16
*** openstackgerrit has joined #openstack-keystone		22:17
*** _cjones_ has quit IRC		22:17
*** _cjones_ has joined #openstack-keystone		22:17
*** henrynash has quit IRC		22:19
*** mestery has quit IRC		22:21
*** mestery has joined #openstack-keystone		22:22
openstackgerrit	Dolph Mathews proposed openstack/keystone: Issue revocation events in the future and in the past, or something https://review.openstack.org/227034	22:23
openstackgerrit	Dolph Mathews proposed openstack/keystone: Issue revocation events in the future and in the past, or something https://review.openstack.org/227034	22:23
*** gordc has quit IRC		22:26
morgan	dolphm: your commit messages are getting funnier and funnier	22:30
*** jorge_munoz has quit IRC		22:31
*** csoukup has quit IRC		22:32
*** jamielennox is now known as jamielennox\|away		22:35
*** su_zhang has quit IRC		22:35
*** su_zhang has joined #openstack-keystone		22:35
*** alejandrito has quit IRC		22:36
*** dims__ has joined #openstack-keystone		22:43
*** dims_ has quit IRC		22:46
*** su_zhang has quit IRC		22:46
*** su_zhang has joined #openstack-keystone		22:46
*** lhcheng has quit IRC		22:52
*** jerrygb has quit IRC		22:55
*** akanksha_ has quit IRC		22:58
*** geoffarnold has joined #openstack-keystone		22:59
*** geoffarn_ has joined #openstack-keystone		23:00
*** geoffarnold has quit IRC		23:03
*** tonytan4ever has quit IRC		23:09
*** geoffarn_ is now known as geoffarnoldX		23:10
*** stevemar has joined #openstack-keystone		23:13
*** ChanServ sets mode: +v stevemar		23:13
*** geoffarnoldX is now known as geoffarn_		23:13
*** lhcheng has joined #openstack-keystone		23:16
*** ChanServ sets mode: +v lhcheng		23:16
*** urulama has quit IRC		23:20
*** lhcheng_ has joined #openstack-keystone		23:20
*** urulama has joined #openstack-keystone		23:22
*** lhcheng has quit IRC		23:22
*** mylu has quit IRC		23:24
*** mylu has joined #openstack-keystone		23:25
*** geoffarn_ is now known as geoffarnoldX		23:25
*** geoffarnoldX is now known as geoffarn_		23:25
*** mylu has quit IRC		23:29
*** geoffarn_ has quit IRC		23:32
*** phalmos has quit IRC		23:39
*** _hrou_ has joined #openstack-keystone		23:46
*** hrou has quit IRC		23:49
*** jamielennox\|away is now known as jamielennox		23:52

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!