Monday, 2015-10-19

*** roxanaghe has joined #openstack-keystone00:02
*** mjb has quit IRC00:04
*** roxanaghe has quit IRC00:06
*** mylu_ has joined #openstack-keystone00:14
*** mjb has joined #openstack-keystone00:16
*** mylu has quit IRC00:16
*** EinstCrazy has quit IRC00:21
*** wwwjfy has joined #openstack-keystone00:21
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
mordredjamielennox: ok. SO00:25
jamielennoxmordred: yup00:25
mordredjamielennox: python-neutronclient is the one I've gotten the furthest on (although I've got first steps on glance and nova ...)00:26
mordredjamielennox: and I've just discovered the fascinating world of the codebase that doesn't use keystone sessions00:26
jamielennoxyea, that's fun00:26
mordredjamielennox: can you think of any reason why the HTTPClient class shouldn't just create a ksa Session itself?00:27
jamielennoxespecially when they want you to keep compatibility with every non-used argument00:27
mordredjamielennox: well, I'm fine with having layers where old arguments get ignored - that I can do :)00:27
jamielennoxmordred: mostly it just became easier for compatibility, having that sort of join is what i did for keystoneclient and i ended up with deprecated arguments and all sorts of indirection to make all the old code keep working00:28
jamielennoxso i said if you pass session= then you are opting in to new behaviour and you can't use some things00:28
mordredah - yeah. totally00:28
jamielennoxlike pulling tokens out of authenticated clients and reusing stuff00:28
jamielennoxthe other one is that session auths as necessary and most of the time HTTPClient did it up front00:29
jamielennoxyou can make session do that, it just got confusing00:29
jamielennoxand one day it'll be a whole lot easier to say "ok, all this code is no longer supported" because they are two different things00:30
mordredthe thing I'm about to have to try to debug is:
mordredwhich is in the non-Session code patch00:31
mordredI'm _guessing_ it's because the auth url in clouds.yaml is a v3 endpoint00:31
mordredand without ksa, the discovery is going to do the wrong thing00:31
mordredand attempt to do v2 things with the v3 endpoint00:31
jamielennoxyea, that would do it00:32
jamielennoxi've been trying not to "fix" the old code too much, if it's broken then it's a good reason to use sessions where all this stuff works00:32
*** browne has quit IRC00:33
jamielennoxare they the only two functional tests of neutronclient?00:34
mordredI guess I've just got to look at the old codepath a little and figure out how the old code was feeding the right values into that codepath worked00:34
mordredno - there are others00:34
mordredthose are just the only two that fail (they're the only two that explicitly test the old HTTPClient codepath)00:34
jamielennoxi'm guessing you have to have os_client_config code in those tests anyway00:35
jamielennoxwould anyone care if you used a session for the test instead?00:35
mordredwell, this particular test is testing the non-session codepath :)00:35
jamielennoxit is.. but they aren't named like that is a goal00:35
jamielennoxtest_post_put_delele_network_StringException  test_list_network_StringException00:36
mordredLibraryHTTPClientTest is the class it's in00:36
mordredthey have those two tests00:36
mordredand they mixin them into a httpclient and a sessionclient test00:36
mordredso each path does both tests00:37
jamielennoxi think os-client-config is going to have a similar time as the sessions, it's just not a good idea to use the os-client-config params with the old way00:37
mordredI agree - although, right now I'm not sure why occ has different values than the functional_creds.conf00:37
mordredI mean, if I just use occ to pull the values out and then pass the 4 values into the constructor00:38
mordredI would expect it to be the same as the previous00:38
jamielennoxocc does v3 doesn't it?00:38
jamielennoxor maybe non-versioned00:38
mordredit does ksa discovery _if_ you use it to get an Auth00:38
*** jbell8 has joined #openstack-keystone00:38
jamielennoxso if you can override the HTTPClient case you can do like00:38
jamielennoxauth.get_endpoint(service_type=AUTH_INTERFACE, version=(2, 0))00:39
*** jbell8 has quit IRC00:39
jamielennoxand use that as the auth_url for those tests00:39
*** jbell8 has joined #openstack-keystone00:39
jamielennoxthat will discover on the auth_url rather than the identity endpoint in catalog00:40
jamielennoxi'm pretty sure we merged that one00:40
*** wwwjfy has quit IRC00:40
*** wwwjfy_ has joined #openstack-keystone00:40
*** mylu_ has quit IRC00:40
mordredhrm. interesting00:41
mordred(I'm also putting in a change to cat out some files so I can look at them in the logs - but I'm going to try your thing too ...)00:41
*** jasonsb has joined #openstack-keystone00:44
*** mylu has joined #openstack-keystone00:47
openstackgerritJamie Lennox proposed openstack/keystoneauth-saml2: Redirect on 303 in SAML plugin
*** dims_ has joined #openstack-keystone00:53
*** su_zhang has joined #openstack-keystone00:53
*** dimsum__ has quit IRC00:56
*** chlong has joined #openstack-keystone01:01
mordredjamielennox: is the URL that is in clouds.yaml  - was the one that was in functional_creds.conf01:02
*** roxanaghe has joined #openstack-keystone01:02
*** chlong has quit IRC01:03
jamielennoxyea, that makes sense01:03
*** dims_ has quit IRC01:03
mordredjamielennox: will auth.get_endpoint(service_type=ksa1.plugin.AUTH_INTERFACE, version=(2, 0)) get me ?01:03
jamielennoxi've been trying to exclude the version from devstack01:03
openstackgerritMerged openstack/keystoneauth-saml2: Standardize federated auth token scoping
jamielennoxit should get you :35357/v2.001:03
mordredand that'll be a working v2 endpoint then?01:03
jamielennoxit won't jump across public/internal ports01:04
jamielennoxyea, it'll be fine for what those tests are doing01:04
*** chlong has joined #openstack-keystone01:05
mordredjamielennox: I don't suppose there is a way to do that with ksc that makes any sense is there? because I've got one patch that just pulls from occ - and then one that moves to ksa01:05
mordredI could also collapse them if I need to01:05
*** chlong has quit IRC01:05
*** chlong_ has joined #openstack-keystone01:05
jamielennoxthat same function exists on ksc01:05
*** rdo has quit IRC01:05
*** chlong_ has quit IRC01:05
mordredah! I see what I can steal ... v2_auth_url = ks_discover.url_for('2.0')01:05
*** dimsum__ has joined #openstack-keystone01:05
jamielennoxnot much of the session/auth plugin stuff changes across ksa/ksc01:06
*** chlong has joined #openstack-keystone01:06
jamielennoxmordred: that will always expect an unversioned url though01:06
mordredas input?01:06
jamielennoxright, going to discover directly is asking it to perform on a specific url01:06
*** EinstCrazy has joined #openstack-keystone01:07
jamielennoxso it will work for changing /v2.0 -> /01:07
*** roxanaghe has quit IRC01:07
jamielennoxactually it might work anyway with a /v2.0 because if you discover on /v2.0 it will give you /v2.001:07
*** rdo has joined #openstack-keystone01:08
jamielennoxi'd go the get_endpoint route myself because it will trim the /v2.0 to / and discover on that, but either should work01:08
*** dimsum__ has quit IRC01:08
*** dimsum__ has joined #openstack-keystone01:08
mordredso - I'm going to do the get_endpoint route in the next patch01:08
mordredbecause I agree, it's a better route01:08
mordredjamielennox: then this for the ksa patch: yeah?01:12
jamielennoxmordred: there's no session passed to auth01:13
jamielennoxdoes OCC add the auth to session or not?01:13
mordredocc only gets an auth01:14
mordreddo I need a session for auth.get_endpoint()?01:14
jamielennoxyou pretty much need a session whenever you talk to the plugin directly01:14
jamielennoxmost of the time you attach the plugin to a session, then call the method on session which just passes itself as first argument01:15
mordredjamielennox: how do I give the auth a session?01:15
jamielennoxsession is the first param01:15
mordredauth.get_endpoint(session, service_type='identity', version=(2, 0))01:18
jamielennoxservice_type='identity' will mean get identity from the catalog, AUTH_INTERFACE will query on what you passed as auth_url01:18
jamielennoxin this case they're probably the same thing01:19
mordredk. I'll try: auth.get_endpoint(session, interface=keystoneauth1.plugin.AUTH_INTERFACE, version=(2, 0))01:19
*** davechen has joined #openstack-keystone01:21
mordredjamielennox: ok. I think I have it - just submitted two new patches - thanks for the help!01:27
mordred(now let's see if devstack agrees with me :) )01:27
jamielennoxnp, will see how they go later01:27
*** topol has joined #openstack-keystone01:28
*** ChanServ sets mode: +v topol01:28
*** topol has quit IRC01:29
*** andreykurilin has quit IRC01:33
*** andreykurilin has joined #openstack-keystone01:39
*** lhcheng has quit IRC01:42
*** browne has joined #openstack-keystone01:46
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make public the base loader classes
*** wwwjfy_ has quit IRC01:49
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make public the base loader classes
*** mylu has quit IRC02:00
*** mylu has joined #openstack-keystone02:00
*** roxanaghe has joined #openstack-keystone02:03
*** doug-fish has joined #openstack-keystone02:04
*** mylu has quit IRC02:04
*** mylu has joined #openstack-keystone02:05
*** doug-fi__ has joined #openstack-keystone02:06
*** doug-fis_ has quit IRC02:06
*** roxanaghe has quit IRC02:08
*** doug-fish has quit IRC02:09
*** su_zhang has quit IRC02:13
*** dimsum__ has quit IRC02:24
*** dimsum__ has joined #openstack-keystone02:24
openstackgerritDave Chen proposed openstack/keystone: test_backend_sql work with python34
davechendstanek: ping?02:26
davechendstanek: nose has gone from this patch -
davechendstanek: pls help to check it @ your convenience :)02:27
*** marzif has quit IRC02:27
*** topol has joined #openstack-keystone02:29
*** ChanServ sets mode: +v topol02:29
*** jbell8 has quit IRC02:39
*** wwwjfy has joined #openstack-keystone02:51
*** dimsum__ has quit IRC02:51
*** dimsum__ has joined #openstack-keystone02:51
openstackgerritJamie Lennox proposed openstack/keystoneauth-saml2: Redirect on 303 in SAML plugin
*** roxanaghe has joined #openstack-keystone03:04
*** ajaya has joined #openstack-keystone03:06
*** jamielennox has left #openstack-keystone03:07
*** davechen has quit IRC03:08
*** jamielennox has joined #openstack-keystone03:08
*** ChanServ sets mode: +v jamielennox03:08
*** topol has quit IRC03:08
*** topol has joined #openstack-keystone03:08
*** ChanServ sets mode: +v topol03:08
*** roxanaghe has quit IRC03:09
*** davechen has joined #openstack-keystone03:10
*** davechen1 has joined #openstack-keystone03:19
*** davechen has quit IRC03:21
*** dimsum__ has quit IRC03:30
*** lhcheng has joined #openstack-keystone03:30
*** ChanServ sets mode: +v lhcheng03:30
*** dimsum__ has joined #openstack-keystone03:31
*** dimsum__ has quit IRC03:31
*** dimsum__ has joined #openstack-keystone03:31
*** lhcheng has quit IRC03:36
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core
*** topol has quit IRC03:36
*** dimsum__ has quit IRC03:37
*** dimsum__ has joined #openstack-keystone03:38
*** links has joined #openstack-keystone03:41
*** mylu has quit IRC03:56
*** dimsum__ has quit IRC03:57
*** mylu has joined #openstack-keystone04:00
*** roxanaghe has joined #openstack-keystone04:05
*** ajaya has quit IRC04:07
*** roxanaghe has quit IRC04:09
*** spandhe has joined #openstack-keystone04:12
*** su_zhang has joined #openstack-keystone04:21
*** jamielennox is now known as jamielennox|away04:32
*** jamielennox|away is now known as jamielennox04:35
*** lhcheng has joined #openstack-keystone04:40
*** ChanServ sets mode: +v lhcheng04:40
*** jaosorior has joined #openstack-keystone04:46
stevemar_jamielennox: poke04:46
jamielennoxstevemar_: yea04:46
stevemar_jamielennox: anything else needed for ksa 1.2.0?04:46
stevemar_i'm trying to release ksa and osc tmrw04:47
stevemar_looking at,n,z i don't see anything super pressing04:47
jamielennoxstevemar_: yea, that's what i'm looking at, i added one or two more today but they're not blockers04:48
stevemar_jamielennox: coolio04:48
stevemar_will release the newest then04:49
stevemar_sha: 79104aa0fe51a7c729561c111010f6dcd77ff2ad04:49
jamielennoxstevemar_: looks right to me04:49
*** topol has joined #openstack-keystone04:51
*** ChanServ sets mode: +v topol04:51
*** stevemar_ has quit IRC04:51
*** mylu has quit IRC04:53
*** stevemar_ has joined #openstack-keystone04:53
*** ChanServ sets mode: +o stevemar_04:53
stevemar_jamielennox: if you're interested:
*** GB21 has quit IRC05:01
*** topol_ has joined #openstack-keystone05:01
*** ChanServ sets mode: +v topol_05:01
*** topol has quit IRC05:05
*** roxanaghe has joined #openstack-keystone05:06
*** ajaya has joined #openstack-keystone05:07
*** roxanaghe has quit IRC05:10
*** su_zhang has quit IRC05:11
*** florianf|away has quit IRC05:16
*** jbell8 has joined #openstack-keystone05:19
davechen1stevemar_: replied to your comments  -
davechen1stevemar_: pls let me know if i miss something, thanks!05:24
stevemar_davechen1: ah yeah, i missed the change at L4700... token_id.encode('utf-8'))05:24
*** Nirupama has joined #openstack-keystone05:24
*** davechen1 is now known as davechen05:24
stevemar_davechen: i think py3 does encoding automagically, so no UnicodeDecodeError is raised05:26
davechenand for the nose,  i am not trying to import nose anyway, just try to solve the issue caused by nose for python3.05:26
lifelessdavechen: do you still need nose?05:26
davechenstevemar_:  I think so, although i didn't ever dig into this but UnicodeDecodeError will not raise in python3 for this case.05:27
davechenlifeless: no, i am not05:27
davechenlifeless: but currently python3 testing does.05:27
lifelessdavechen: I meant 'does keystone testing of python3 ...' :)05:28
lifelessdavechen: anyhow05:28
davechenyes, we are trying to enable the testing of python3.05:28
lifelessstevemar_: python3 refuses to do any unicode('str' actually in python3)<->bytes conversions05:28
lifelessstevemar_: it's one of the major steps needed in porting05:28
davechenlifeless: a lot of work has been done by brant.05:29
lifelessdavechen: cool05:29
lifelessI know haypo used nose as a workaround when the files weren't all parseable by python305:29
lifelesswe could probably switch to a testr filter now easily enough05:30
lifelessdavechen: what's the issue nose is causing for you ?05:30
davechenlifeless: we have methods but not a testcase which include "test" as a part of the name of the method.05:30
davechenlifeless: so, nose assume they are testcase and try to execute them as a testcase.05:31
lifelessdavechen: ugh05:31
davecheni figured out two approaches to address them,05:32
lifelessso that nose command05:32
davechen1. use @nottest decorator05:32
lifelesscan easily be switched over to testr05:32
davechen2. update the name of the method.05:32
lifelessif you want to05:32
*** jaosorior has quit IRC05:32
*** jaosorior has joined #openstack-keystone05:32
davechenmaybe, some follow-up patches I think.05:32
lifelessthat would avoid the need to use either the decorator or change method names05:45
davechensure. :)05:46
davechenso, this is the third approach.05:47
*** dimsum__ has joined #openstack-keystone05:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** hidekazu has joined #openstack-keystone05:57
stevemar_oh no, our update config bot is dying :(05:58
stevemar_he seems to be a bit broken05:58
*** dimsum__ has quit IRC05:59
*** stevemar_ has quit IRC06:00
*** stevemar_ has joined #openstack-keystone06:01
*** ChanServ sets mode: +o stevemar_06:01
*** roxanaghe has joined #openstack-keystone06:02
*** roxanaghe has quit IRC06:02
*** stevemar_ has quit IRC06:04
*** topol_ has quit IRC06:06
*** topol has joined #openstack-keystone06:07
*** ChanServ sets mode: +v topol06:07
*** topol has quit IRC06:12
*** lsmola_ has joined #openstack-keystone06:16
*** ajaya has quit IRC06:20
openstackgerritDave Chen proposed openstack/keystone: Switch to use CA certificate for SAML signing
*** GB21 has joined #openstack-keystone06:27
*** boris-42 has joined #openstack-keystone06:28
*** jamielennox is now known as jamielennox|away06:33
*** ParsectiX has joined #openstack-keystone06:38
*** jaosorior has quit IRC06:42
*** jaosorior has joined #openstack-keystone06:42
*** yasu has joined #openstack-keystone06:45
*** jaosorior has quit IRC06:45
*** jaosorior has joined #openstack-keystone06:45
*** ajaya has joined #openstack-keystone06:46
*** jaosorior has quit IRC06:47
*** jaosorior has joined #openstack-keystone06:47
*** gildub has quit IRC06:53
*** dimsum__ has joined #openstack-keystone06:56
*** yasu has quit IRC06:58
*** yasu__ has joined #openstack-keystone06:58
*** roxanaghe has joined #openstack-keystone06:59
*** dimsum__ has quit IRC07:00
*** e0ne has joined #openstack-keystone07:01
*** roxanaghe has quit IRC07:04
openstackgerritZhiQiang Fan proposed openstack/python-keystoneclient: remove unused FakeLog class in test code
lifelessdavechen: ok so I had a poke at making the 3.4 stuff run with testr07:08
lifelessdavechen: problem is discovery - all the ldap tests try to load and fail07:08
*** markvoelker has quit IRC07:08
lifelessdavechen: It's possible to address that, but it's not a trivial change; I'm timing out on it, but may poke at it some more later in the week // on the plane07:08
davechenlifeless: great!07:09
davechenlifeless: btw, what do you mean the failure of ldap tests?07:09
davechenlifeless: afaik, it's not failed in keystone as far.07:10
lifelessdavechen: ldap isn't installable on python 3.407:10
lifelessdavechen: all the tests like keystone/tests/unit/ assume its importable07:10
lifelessdavechen: which means that rather than the tests being importable and then not run07:10
lifelessdavechen: they're erroring during discovery07:10
lifelessdavechen: let me commit my WIP and push it up and you can see what I mean easily07:11
davechenlifeless: get it, this file is not actually tested and not enabled for py3 testing.07:11
openstackgerritlifeless proposed openstack/keystone: WIP / DNM: don't use nose for Python 3.4 tests.
davechenlifeless: sure, that's great, thanks.07:11
davechenlifeless: significant update07:12
davechenlifeless: i think i need rebase my patch on that. :)07:13
lifelessdavechen: well, its a WIP - the nose approach is to not load those tests at all07:13
lifelessdavechen: but whatever works :)07:14
davechenlifeless: yeah.07:14
lifelessif keystone cores feel this approach is preferable, I'll happily run the remainder of it down to ground and get it working07:15
davechenhope so.07:16
davechenat least, I think dstanek like it more. :)07:16
*** fesp has joined #openstack-keystone07:18
*** e0ne has quit IRC07:20
*** spandhe has quit IRC07:23
*** chlong has quit IRC07:23
*** e0ne has joined #openstack-keystone07:24
*** lhcheng has quit IRC07:26
*** browne has quit IRC07:27
*** gildub has joined #openstack-keystone07:28
*** e0ne has quit IRC07:31
*** fesp has quit IRC07:36
*** ajaya has quit IRC07:43
*** fhubik has joined #openstack-keystone07:49
openstackgerritDave Chen proposed openstack/keystone: Deprecate local conf in paste-ini
*** roxanaghe has joined #openstack-keystone08:01
*** stevemar_ has joined #openstack-keystone08:02
*** ChanServ sets mode: +o stevemar_08:02
*** roxanaghe has quit IRC08:05
*** stevemar_ has quit IRC08:06
*** pnavarro has joined #openstack-keystone08:07
*** markvoelker has joined #openstack-keystone08:09
*** GB21 has quit IRC08:12
*** markvoelker has quit IRC08:14
openstackgerritMarek Denis proposed openstack/keystone: Move federation extension into keystone core
*** e0ne has joined #openstack-keystone08:16
*** jistr has joined #openstack-keystone08:17
*** jistr has quit IRC08:18
*** jistr has joined #openstack-keystone08:20
*** GB21 has joined #openstack-keystone08:21
*** e0ne has quit IRC08:29
*** fhubik is now known as fhubik_brb08:29
*** e0ne has joined #openstack-keystone08:33
*** e0ne has quit IRC08:35
*** marzif has joined #openstack-keystone08:37
*** fhubik_brb is now known as fhubik08:39
*** yasu__ has quit IRC08:41
*** ajaya has joined #openstack-keystone08:42
*** marzif has quit IRC08:45
*** dimsum__ has joined #openstack-keystone08:59
*** dimsum__ has quit IRC09:04
*** fhubik is now known as fhubik_brb09:04
*** openstack has joined #openstack-keystone09:17
*** fhubik is now known as fhubik_brb09:25
*** fhubik_brb is now known as fhubik09:28
openstackgerritMarek Denis proposed openstack/keystone: Federation Identity Provider functional tests
openstackgerritMarek Denis proposed openstack/keystone: Functional tests for federation mapping CRUD
openstackgerritMarek Denis proposed openstack/keystone: Functional tests for federation protocols CRUD
openstackgerritMarek Denis proposed openstack/keystone: Adds a base class for functional tests
*** GB21 has quit IRC09:39
*** marzif has joined #openstack-keystone09:51
*** Nirupama has quit IRC09:54
*** davechen has left #openstack-keystone09:55
*** ParsectiX has quit IRC09:58
*** jaosorior has quit IRC09:59
*** jaosorior has joined #openstack-keystone10:00
*** roxanaghe has joined #openstack-keystone10:01
*** stevemar_ has joined #openstack-keystone10:03
*** ChanServ sets mode: +o stevemar_10:03
*** roxanaghe has quit IRC10:05
*** stevemar_ has quit IRC10:06
*** dimsum__ has joined #openstack-keystone10:07
*** yasu has joined #openstack-keystone10:13
*** jbell8 has quit IRC10:24
*** jbell8 has joined #openstack-keystone10:25
*** akanksha_ has joined #openstack-keystone10:33
*** pnavarro is now known as pnavarro|mtg10:36
*** wwwjfy has quit IRC10:38
*** urulama has quit IRC10:39
*** urulama has joined #openstack-keystone10:39
*** weihan has joined #openstack-keystone10:39
openstackgerritHidekazu Nakamura proposed openstack/keystone: Adds sample data for policy.v3cloudsample.json
*** marzif has quit IRC10:46
*** Nirupama has joined #openstack-keystone10:48
*** ParsectiX has joined #openstack-keystone10:49
*** dimsum__ is now known as dims10:52
*** fhubik is now known as fhubik_brb10:54
*** roxanaghe has joined #openstack-keystone11:02
*** roxanaghe has quit IRC11:06
*** fhubik_brb is now known as fhubik11:08
*** marzif has joined #openstack-keystone11:14
*** ParsectiX has quit IRC11:15
*** fhubik is now known as fhubik_brb11:19
*** e0ne has quit IRC11:20
*** gordc has joined #openstack-keystone11:21
*** markvoelker has joined #openstack-keystone11:22
*** doug-fish has quit IRC11:22
*** fhubik_brb is now known as fhubik11:24
*** doug-fish has joined #openstack-keystone11:25
*** markvoelker has quit IRC11:27
*** Nirupama has quit IRC11:30
*** markvoelker has joined #openstack-keystone11:34
*** fhubik is now known as fhubik_brb11:34
*** ParsectiX has joined #openstack-keystone11:36
*** pnavarro|mtg is now known as pnavarro11:38
*** fhubik_brb is now known as fhubik11:42
*** amakarov_away is now known as amakarov11:43
*** mylu has joined #openstack-keystone11:45
*** krotscheck_ is now known as krotscheck11:48
*** pnavarro is now known as pnavarro|mtg11:50
*** pnavarro|mtg is now known as pnavarro|lunch11:50
*** wwwjfy has joined #openstack-keystone11:51
*** mylu has quit IRC11:52
*** ParsectiX has quit IRC11:53
*** fhubik is now known as fhubik_brb11:53
*** markvoelker has quit IRC12:02
*** roxanaghe has joined #openstack-keystone12:02
*** josecastroleon has joined #openstack-keystone12:03
*** stevemar_ has joined #openstack-keystone12:04
*** ChanServ sets mode: +o stevemar_12:04
*** davechen has joined #openstack-keystone12:05
*** roxanaghe has quit IRC12:07
*** stevemar_ has quit IRC12:07
*** yasu has quit IRC12:11
*** e0ne has joined #openstack-keystone12:12
*** fhubik_brb is now known as fhubik12:13
*** raildo-afk is now known as raildo12:21
*** weihan_ has joined #openstack-keystone12:25
*** weihan_ has quit IRC12:26
*** weihan has quit IRC12:26
*** jistr is now known as jistr|mtg12:26
*** weihan has joined #openstack-keystone12:26
*** weihan has quit IRC12:27
*** yasu has joined #openstack-keystone12:27
*** weihan has joined #openstack-keystone12:27
*** dims has quit IRC12:27
*** dims has joined #openstack-keystone12:28
*** topol has joined #openstack-keystone12:29
*** ChanServ sets mode: +v topol12:29
*** edmondsw has joined #openstack-keystone12:29
*** pauloewerton has joined #openstack-keystone12:30
*** weihan has quit IRC12:30
*** weihan has joined #openstack-keystone12:31
*** ParsectiX has joined #openstack-keystone12:34
*** weihan has quit IRC12:34
*** e0ne has quit IRC12:35
*** weihan has joined #openstack-keystone12:37
*** weihan has quit IRC12:37
*** weihan has joined #openstack-keystone12:38
*** dikonoor has joined #openstack-keystone12:41
*** yasu has quit IRC12:42
*** petertr7_away is now known as petertr712:43
*** davechen1 has joined #openstack-keystone12:45
*** ayoung has joined #openstack-keystone12:45
*** ChanServ sets mode: +v ayoung12:45
*** weihan has quit IRC12:46
*** davechen has quit IRC12:47
*** weihan has joined #openstack-keystone12:47
*** gildub has quit IRC12:48
*** nicodemos has joined #openstack-keystone12:50
*** marzif has quit IRC12:51
*** ajaya has quit IRC12:51
*** lhcheng has joined #openstack-keystone12:56
*** ChanServ sets mode: +v lhcheng12:56
*** jistr|mtg is now known as jistr12:59
*** ParsectiX has quit IRC13:00
*** jbell8 has quit IRC13:04
*** topol has quit IRC13:05
*** topol has joined #openstack-keystone13:06
*** ChanServ sets mode: +v topol13:06
*** petertr7 is now known as petertr7_away13:16
*** akanksha_ has quit IRC13:18
*** lhcheng has quit IRC13:20
*** petertr7_away is now known as petertr713:20
*** marzif has joined #openstack-keystone13:23
*** e0ne has joined #openstack-keystone13:24
*** topol has quit IRC13:25
*** davechen1 has left #openstack-keystone13:26
*** jsavak has joined #openstack-keystone13:26
*** marzif has quit IRC13:27
*** richm has joined #openstack-keystone13:28
*** marzif has joined #openstack-keystone13:30
*** ParsectiX has joined #openstack-keystone13:37
*** marzif has quit IRC13:42
*** links has quit IRC13:44
lbragstaddstanek i'm really liking
lbragstadthat's awesome info13:47
*** exploreshaifali has joined #openstack-keystone13:47
*** marzif has joined #openstack-keystone13:48
dstaneki was going to add a graph of gerrit data (reviews pushed, etc), but wasn't sure about the value13:49
krotscheckThis might seem like a stupid question, but does keystone use keystonemiddleware?13:49
lbragstaddstanek ++ even just an active number of bugs open would be good too13:50
*** pnavarro|lunch is now known as pnavarro13:50
dstanekkrotscheck: yes, but not necessarily the same as the other projects13:50
*** nate_gone is now known as njohnston13:50
dstaneklbragstad: yeah, i wasn't sure how to easily get that retroactively.13:51
lbragstaddstanek are you scraping launchpad using their api?13:51
dstaneklbragstad: yes13:51
dstaneklbragstad: counting the "won't fix", "invalid", "expired" and "fix released" is a good indicator of how many bugs were handled and don't need any more work13:52
lbragstaddstanek I think i used something like -
dstanekyou could add "opinion" in there, but i haven't seen any of those ever on this project13:53
dstaneklbragstad: sorta13:53
lbragstadbut that is to get "New", "Confirmed", "Triaged", and "In Progress"13:53
dstaneki'll publish my script to github today13:53
lbragstaddstanek cool, I'd like to check it out13:54
*** sigmavirus24_awa is now known as sigmavirus2413:55
*** weihan has quit IRC13:55
*** pumaranikar has joined #openstack-keystone13:58
*** roxanaghe has joined #openstack-keystone14:04
*** stevemar_ has joined #openstack-keystone14:04
*** ChanServ sets mode: +o stevemar_14:04
*** tonytan4ever has joined #openstack-keystone14:06
lbragstadstevemar_ ! -
lbragstadstevemar_ i had to remember to give that to you14:06
*** ParsectiX has quit IRC14:07
*** stevemar_ has quit IRC14:08
*** roxanaghe has quit IRC14:09
*** diazjf has joined #openstack-keystone14:09
*** marzif has quit IRC14:10
*** marzif has joined #openstack-keystone14:10
*** EinstCrazy has quit IRC14:12
*** zz_john5223 is now known as john522314:13
*** marzif has quit IRC14:14
*** csoukup has joined #openstack-keystone14:14
*** marzif has joined #openstack-keystone14:14
*** rderose has joined #openstack-keystone14:16
*** links has joined #openstack-keystone14:26
*** timcline has joined #openstack-keystone14:33
*** stevemar_ has joined #openstack-keystone14:34
*** ChanServ sets mode: +o stevemar_14:34
*** browne has joined #openstack-keystone14:35
*** links has quit IRC14:35
*** weihan has joined #openstack-keystone14:37
*** marzif has quit IRC14:38
*** marzif has joined #openstack-keystone14:39
dstanekstevemar_: hey14:39
*** EinstCrazy has joined #openstack-keystone14:40
lbragstadstevemar_ mornin'14:40
*** weihan has quit IRC14:40
*** chlong has joined #openstack-keystone14:40
bretontoo many talks at the summit14:41
*** weihan has joined #openstack-keystone14:41
bretonI checked 5 talks and they are at the same time14:41
bretonso hard to choose.14:41
*** slberger has joined #openstack-keystone14:41
*** jaosorior has quit IRC14:42
*** jaosorior has joined #openstack-keystone14:43
*** pgbridge has joined #openstack-keystone14:44
*** jaosorior has quit IRC14:52
*** jaosorior has joined #openstack-keystone14:52
htrutabreton: looks like they've put the same amount of 4 day talks in 314:53
*** petertr7 is now known as petertr7_away14:54
*** rderose has quit IRC14:55
*** rderose has joined #openstack-keystone14:56
dstanekbreton: just fork when you get to tokyo, but don't forget to join before you leave14:57
*** su_zhang has joined #openstack-keystone14:59
*** petertr7_away is now known as petertr715:00
*** su_zhang has quit IRC15:00
*** su_zhang has joined #openstack-keystone15:01
stevemar_dstanek: or a time machine15:02
*** jbell8 has joined #openstack-keystone15:02
*** roxanaghe has joined #openstack-keystone15:05
*** fhubik is now known as fhubik_brb15:07
*** fhubik_brb is now known as fhubik15:09
*** fhubik is now known as fhubik_brb15:09
*** roxanaghe has quit IRC15:11
*** ajaya has joined #openstack-keystone15:16
*** roxanaghe has joined #openstack-keystone15:21
*** dikonoor has quit IRC15:22
*** jbell8 has quit IRC15:22
*** akanksha_ has joined #openstack-keystone15:22
*** phalmos has joined #openstack-keystone15:22
*** jbell8 has joined #openstack-keystone15:23
*** urulama has quit IRC15:23
*** urulama has joined #openstack-keystone15:24
*** fhubik_brb is now known as fhubik15:26
*** josecastroleon has quit IRC15:26
*** ankurgupta has joined #openstack-keystone15:27
*** jbell8 has quit IRC15:30
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation migration
*** marzif has quit IRC15:34
*** marzif has joined #openstack-keystone15:35
*** nicodemos has left #openstack-keystone15:37
*** roxanaghe has quit IRC15:38
*** phalmos has quit IRC15:41
*** marzif has quit IRC15:42
*** marzif has joined #openstack-keystone15:42
*** jbell8 has joined #openstack-keystone15:42
*** ajaya has quit IRC15:44
*** phalmos has joined #openstack-keystone15:45
*** aix has quit IRC15:46
*** pnavarro is now known as pnavarro|off15:46
ayoungstevemar_, so I just posted a further revision of my thinking on Admin. It's on the mailing list, and also here:
openstackgerritSteve Martinelli proposed openstack/keystone: Move federation extension into keystone core
ayoung"The Service Catalog is a Domain"15:53
*** gyee has joined #openstack-keystone15:57
*** ChanServ sets mode: +v gyee15:57
*** e0ne has quit IRC15:57
*** jbell8 has quit IRC15:59
*** jbell8 has joined #openstack-keystone16:00
*** haneef__ has quit IRC16:00
*** petertr7 is now known as petertr7_away16:00
*** su_zhang has quit IRC16:01
ayoungWhat the actual?  Deny Everybody?16:02
*** roxanaghe has joined #openstack-keystone16:02
marekdstevemar_: would be happy to see answer to my question and get you +216:03
amakarovayoung, good day! I've described delegation and made some patches to, please take a look if you don't mind16:04
ayoungamakarov, Don't mind if I do....16:04
openstackgerritMichael Krotscheck proposed openstack/keystone: Moved CORS Middleware from application to paste.ini
amakarovayoung, am I playing Yoda? :)16:05
ayoungamakarov, amakarov Look as good you will not when 900 years you reach!16:06
ayoungamakarov, Other contributors: None?  Hey now!@16:06
*** roxanaghe has quit IRC16:06
lbragstaddolphm browne  rebased and resolved the merge conflicts -
amakarovayoung, may I enlist you? ;)16:07
ayoungamakarov, I don't enlist.  I'm an officer.16:07
ayoungYou may Commission me.16:07
ayounglbragstad, when a Fernet token comes in to Keystone for validation, you need to expand out the data anyway.  Won't most revocation events be filtered out; if a role is unassigned, or a domain deactivated, the token will be invalid, right?16:09
*** SpamapS_ is now known as SpamapS16:09
amakarovayoung, that differs from my experience: in our army one gets commissioned if he is disabled or has some serious health problems: he goes home then :D16:10
stevemar_marekd: yo16:10
ayoungamakarov, that is "De-commissioned"16:10
*** SpamapS has quit IRC16:10
*** SpamapS has joined #openstack-keystone16:10
lbragstadayoung the fernet token will be expanded into its component parts, then all that information is passed to get_token_data(). After that it will check the token reference against the revocation events16:11
ayounglbragstad, I'm thinking we can seriously decomplexify revocation events16:11
ayoungit might also have a pretty good performance impact.16:12
lbragstadayoung if you create an assignment on a project, get a scoped token for that project, then remove the assignment on that project, the validation of that token will return 40116:12
stevemar_marekd: answered, but don't +2 yet, i still need to make some tweaks :)16:12
lbragstadayoung I believe we have test cases that test that for fernet16:12
ayounglbragstad, right.  But the real information is in the token validation response16:13
ayoungso, if you have a token with one role on a project, and that role gets revoked, the user would have no roles on the project16:13
stevemar_bknudson: i answered most of your questions here: not sure what to do about the last one16:13
ayoungsame return code16:13
ayoungOn the other hand, if a user had two roles, and only one was removed, the token validation response would be 200 but only have a single role on it16:14
lbragstadayoung if the role you have on the project is removed and you go to validate your token, you'll get a 40116:14
lbragstadoh, i see what you're saying16:14
ayounglbragstad, yeah....16:14
amakarovayoung, tell me please, what is the correct thing to state in "Other contributors" in the spec?16:14
ayounglbragstad, I wrote Revocation Events assuming remote validation16:14
lbragstadayoung i thought you were only talking about a single role assignment16:15
ayoungamakarov, at least me:  Adam Young ayoung@redhat.com16:15
ayoungamakarov, anyone else involved can tell you themselves16:15
ayounglbragstad, so the need for in-process revocation events drops significantly16:15
*** su_zhang has joined #openstack-keystone16:16
ayoungif we are always validating against current data, all we need to really check is for password change-type events, where the token is a proxy for authentication16:16
lbragstadayoung this would technically still return a list of roles that you have on the project -
ayounglbragstad, right.  So we would need to make clear that a validation would always return the current list, not the list at the time of token issue16:17
lbragstadayoung yep16:17
ayoungI think it would simplify a lot.16:17
lbragstadayoung I think that is different than the uuid model?16:17
lbragstadayoung with uuid tokens we persist the entire reference to the database and then validate based on that (i think?)16:18
ayounglbragstad, not  really. With UUID, we serialize the auth data for performance sake, but we could serialize just the fernet subset of it, and then use common logic16:18
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Unified delegation spec
ayoungSo we could make it work16:18
*** spandhe has joined #openstack-keystone16:18
ayoungAgain, simplify, and better code16:19
lbragstadayoung by rebuilding the reference for each validation?16:19
lbragstadinstead of relying on possibly stale data?16:19
ayounglbragstad, exactly16:20
lbragstadayoung that makes sense, but i think that's where we took a performance hit16:21
lbragstadwith fernet anyway16:21
lbragstadbut we have patches up to mitigate some of that16:21
ayounglbragstad, rebuilding the references?16:21
lbragstadayoung yes16:21
ayounglbragstad, well, we'll need to solve it anyway.16:21
lbragstadayoung ++16:21
ayounglbragstad, looking16:22
lbragstadayoung see the performance improvements noted in the commit messages16:22
ayoung validation requests by 7.5%:16:22
ayounglbragstad, you didn't report a validation speed up on 215715.  Did you not see one, or was it unmeasured?16:23
lbragstadayoung we did see an improvement in
lbragstadayoung it was around 28%16:23
*** spandhe has quit IRC16:24
ayounglbragstad, just the commit message only mentions creation.  I think that would be true, too, for validation16:24
lbragstadayoung yeah16:25
*** jistr has quit IRC16:26
*** jbell8_ has joined #openstack-keystone16:26
*** richm has quit IRC16:27
*** lifeless has quit IRC16:28
*** jbell8 has quit IRC16:28
*** crinkle has quit IRC16:29
*** crinkle has joined #openstack-keystone16:29
*** chlong has quit IRC16:29
*** alex_xu has quit IRC16:29
*** chmouel has quit IRC16:29
*** jrist has quit IRC16:29
ayounglbragstad, I'm willing to +2 both of those as is.16:30
ayoungand I did16:30
*** lifeless has joined #openstack-keystone16:30
*** su_zhang has quit IRC16:32
*** weihan has quit IRC16:33
lbragstadayoung thank you sir!16:34
*** chmouel has joined #openstack-keystone16:34
ayounglbragstad, Maybe on the Flight to Tokyo I'll take some time to see what it would take to implement UUID in terms of Fernet16:35
*** alex_xu has joined #openstack-keystone16:35
*** ajaya has joined #openstack-keystone16:35
ayoungit would only use the internal format, not the whole spec, I think16:35
ayoungUnless you want to take it?16:35
ayounglbragstad, and, in fact, we could do the same thing with PKI tokens. All online validations get the same treatment16:36
lbragstadayoung I want to say morgan had some ideas on that, too?16:37
lbragstadayoung he has some ideas that tie together all the bits for consolidating all the common parts of the different token paths.16:40
lbragstad(if that makes sense?)16:41
ayounglbragstad, Yeah, it makes sense.16:41
*** chlong has joined #openstack-keystone16:42
*** richm has joined #openstack-keystone16:42
*** tonytan4ever has quit IRC16:42
*** tqtran has joined #openstack-keystone16:42
*** jrist has joined #openstack-keystone16:42
*** jrist has joined #openstack-keystone16:42
*** tsymanczyk has joined #openstack-keystone16:45
*** exploreshaifali has quit IRC16:45
*** tsymanczyk is now known as Guest586916:45
lbragstadayoung i think it would be beneficial to sit down and go through that with morgan though16:45
ayounglbragstad, absolutely.  Just wanted to give you some lead time to think it through prior to Tokyo16:46
lbragstadayoung ++16:46
*** e0ne has joined #openstack-keystone16:47
*** tsymancz1k has joined #openstack-keystone16:47
*** e0ne has quit IRC16:47
*** e0ne has joined #openstack-keystone16:48
*** jasonsb has quit IRC16:49
*** Ephur has joined #openstack-keystone16:50
*** fhubik has quit IRC16:50
*** petertr7_away is now known as petertr716:52
*** marzif has quit IRC16:53
*** marzif has joined #openstack-keystone16:56
*** kiran-r has joined #openstack-keystone16:56
*** tonytan4ever has joined #openstack-keystone16:57
*** jbell8_ has quit IRC16:58
*** mfisch` is now known as mfisch16:59
*** mfisch is now known as Guest2794716:59
*** kiranr has joined #openstack-keystone17:00
*** Guest27947 is now known as mfisch17:00
*** mfisch has quit IRC17:00
*** mfisch has joined #openstack-keystone17:00
*** Satya_ has joined #openstack-keystone17:00
Satya_Hi All17:01
*** openstackgerrit has quit IRC17:01
Satya_i am just figuring out is there any way i can integrate keystone with docker for tenant management and user management?17:01
*** openstackgerrit has joined #openstack-keystone17:02
*** kiran-r has quit IRC17:02
*** jaosorior has quit IRC17:03
*** lsmola_ has quit IRC17:04
*** jlvillal has joined #openstack-keystone17:05
*** petertr7 is now known as petertr7_away17:07
*** phalmos has quit IRC17:09
*** lhcheng has joined #openstack-keystone17:09
*** ChanServ sets mode: +v lhcheng17:09
*** browne has quit IRC17:10
*** lhcheng_ has joined #openstack-keystone17:11
*** rderose has quit IRC17:13
*** lhcheng has quit IRC17:14
*** rderose has joined #openstack-keystone17:14
Satya_any help?17:15
*** josecastroleon has joined #openstack-keystone17:15
*** spandhe has joined #openstack-keystone17:19
stevemar_Satya_: not sure anyone has tried that yet17:22
openstackgerritHenrique Truta proposed openstack/keystone: Improves domain name case sensitivity tests
gyeestevemar_, can you please take a peek at my response whenever you have a chance?
*** jsavak has quit IRC17:32
*** pnavarro|off has quit IRC17:33
*** jsavak has joined #openstack-keystone17:33
*** jasonsb has joined #openstack-keystone17:39
*** kiranr has quit IRC17:40
*** jbell8 has joined #openstack-keystone17:46
*** josecastroleon has quit IRC17:46
*** jasonsb has quit IRC17:47
bretonwhat's the problem with our current /v3/policies? Is it used by anybody?17:47
*** marzif has quit IRC17:48
*** marzif has joined #openstack-keystone17:48
*** josecastroleon has joined #openstack-keystone17:50
bretonit looks to me like poor man's redis17:50
*** browne has joined #openstack-keystone17:56
lbragstadis it just me or does the Wednesday of the summit seem a little light in the morning?18:00
lbragstaddoes anyone have some good sessions going on Wednesday morning?18:00
*** markvoelker has joined #openstack-keystone18:03
*** markvoelker has quit IRC18:05
bknudson"Software should only work with Unicode strings internally, decoding the input data as soon as possible and encoding the output only at the end." --
bknudsonmaybe we should do this in keystone18:06
stevemar_gyee: i shall sir18:06
bknudsonalthough in keystone case the output is also unicode18:06
stevemar_ayoung: i like what you're doing with policy18:06
lbragstadbknudson we output unicode?18:06
gyeearigato stevemar_ son18:07
stevemar_ayoung: it's been a lot of effort and i think we're all finally understanding the problem you're trying to solve18:07
stevemar_and thanks for bending and meeting us all half way18:07
bretonlbragstad: yep, almost nothing there18:07
bknudsonlbragstad: you know, that's a good question. unicode in JSON isn't pretty... maybe it's UTF-8?18:07
stevemar_gyee: +1 for mentioning bat flip18:08
bknudsonlbragstad: "A string is a sequence of zero or more Unicode characters" according to
gyeelbragstad, those keystone sessions are fantastical18:08
lbragstadbknudson whats the types in the header?18:08
gyeekeynote I mean18:08
*** rderose has quit IRC18:08
*** diazjf has quit IRC18:08
lbragstadgyee breton impromptu keystone working group? hallway session?18:09
gyeelbragstad, ++18:09
breton++ :)18:10
lbragstadgyee breton  that's actually a pretty good slice of time to work on something18:10
lbragstadI don't have anything on my calendar (yet!) until 2 pm18:11
bknudsonlbragstad: looks like headers are limited to ascii18:11
lbragstadbknudson ah, that makes sense18:11
bknudsonso unicode for headers is pushing it.18:11
lbragstadbknudson I remember there being a difference in between the type of a string pulled out of a header and the type of a string pulled out of a request body.18:11
bknudsonlet's just convert them all to unicode and deal with unicode internally18:12
lbragstadthat was a bug we hit with fernet between v2.0 and v318:12
lbragstadbknudson I'd be fine with that18:12
bretonlbragstad: there is, I hope to hear some of deployers' pains.18:12
lbragstadat least we'd be consistent internally18:12
bknudsonright, there's a difference between what's allowed in X-Auth-Token and "token" data in auth request.18:12
lbragstadbreton nice, I'll add that one18:13
lbragstadbknudson so, all the ways we take input from a client would be through the headers (v3 tokens) and request bodies, right?18:14
gyeebreton, nice one18:14
bknudsonwell, we get input from the config file, too.18:14
lbragstadgyee breton  we could still work on something in the morning?18:14
lbragstadbknudson oh, right... duh18:14
gyeelbragstad, only if I don't have any hangovers from the booth crawl18:15
bretonyep, from 9am18:15
bknudsonand potentially from command line18:15
lbragstadgyee does that classify as a blocker?18:15
lbragstadcommand line should be translated to request body by the client, right?18:15
lbragstadunless you're talking about keystone-manage18:15
stevemar_bknudson: lbragstad headers are ascii only18:16
bknudsonlbragstad: y, keystone-manage and keystone-all I guess18:16
bknudsone.g., keystone-manage --config <what is this?>18:16
bknudsonand logs, not sure if that's unicode18:17
lbragstadbknudson i think that would be whatever argparse uses?18:17
bknudsonapparently on windows the encoding of filenames depends on a config option18:17
gyeebknudson, can oslo.config handle unicode filename?18:20
dstanekbknudson: the unicode strings internally is what i've been trying to push for18:20
bknudsongyee: I don't know... I don't know if it can handle unicode contents of files either.18:21
dstanekbytes generally are only for the boundaries when you are talking about strings18:21
*** josecastroleon has quit IRC18:21
bknudsonI'm just going to stick a bunch of assert isinstance(token_id, unicode) all over.18:21
dstanekbknudson: what are you trying to do?18:22
*** devlaps has joined #openstack-keystone18:22
bknudsondstanek: see -- I added a bunch of comments like "this is a str"18:22
bknudsonbut it shouldn't be a str, should be unicode18:23
gyeebknudson, can we do the conversion at the middleware filter? the same way we do xml-json conversion before?18:23
gyeethen internally, we can assume a single encoding18:24
bknudson"Since Python 3.0, the language features a str type that contain Unicode characters," -- so apparently str in py3 is unicode on py218:24
lbragstadgyee will we be able to do the conversion for all input methods?18:24
lbragstads/conversion/conversion in middleware/18:24
bknudsongyee: sure, I just need to change every test since they don't all go through the pipeline18:24
gyeelbragstad, sure if everything is coming in via API18:24
dstanekbknudson: i started similar work a while back18:24
bknudsondstanek: y, that looks familiar18:25
dstanekthe module should be considered a boundary i think18:25
bknudsoncontroller should be responsible for conversion18:25
*** jasonsb has joined #openstack-keystone18:26
bknudson(or even a middleware per gyee's comment)18:26
dstanekinstead of checking types i'd rather the functions just work with text and convert to bytes18:26
lbragstaddstanek the would be a boundary for non-persistent tokens for sure18:26
bknudsondstanek: what do you mean by text? it's got to be either str or unicode18:26
lbragstadsince that's the hand off point for whatever crypto method you're using, but what about uuid providers?18:26
dstanektext is unicode18:27
bknudsonbytes for the encryption?18:27
dstanekor basically six.text_type18:27
bknudsonsix.text_type would make things a little easier18:28
lbragstadwe already use that through places of keystone18:28
dstanekbknudson: i don't think we should be checking the type though. the functions should take either text or bytes and then return either strings or bytes; anything else should be an error18:29
bknudsonwe shouldn't have to use it except in specific places where we're taking in strings... and all over in the tests!18:29
dstaneki'm actually working on some py3 tests now.18:29
bknudsondstanek: right, and by text you mean six.text_type18:30
*** pumaranikar has quit IRC18:30
dstanekbknudson: yes18:30
bknudsonwe don't have to have our internal functions support both str and unicode18:30
*** Satya_ has quit IRC18:30
bknudsonas in, all our tests are broken since they pass '' rather than six.text_type('')18:30
dstaneku'some string' is much nicer than six.text_type('some string')18:32
bknudsonalso, from what I can tell oslo.cache doesn't support unicode keys, so that's all broken18:32
dstanekbknudson: that's what i'm fixing now the mangling stuff18:33
dstaneki'm currently stuck in rebase hell18:33
bknudsondstanek: all the cache stuff moved to oslo.cache18:33
*** jsavak has quit IRC18:34
*** roxanaghe has joined #openstack-keystone18:34
dstanekbknudson: yep18:34
lbragstadyeah, that was a fun rebase18:34
*** jsavak has joined #openstack-keystone18:35
*** mylu has joined #openstack-keystone18:35
openstackgerritTom Cocozzello proposed openstack/keystone: Fix docstring
bknudsonisinstance(u'', six.text_type) == True on python 318:36
*** petertr7_away is now known as petertr718:38
*** diazjf has joined #openstack-keystone18:39
*** jlvillal_ has joined #openstack-keystone18:40
*** phalmos has joined #openstack-keystone18:44
dstanekthat should be true everywhere18:44
*** Guest3686 is now known as mgagne18:45
*** mgagne has joined #openstack-keystone18:45
openstackgerritTom Cocozzello proposed openstack/keystonemiddleware: Define entry points for filter factories for Paste Deployment
*** jasonsb has quit IRC18:50
*** mylu has quit IRC18:53
bknudsondstanek: you're right, it's True on py2 also18:55
*** pumaranikar has joined #openstack-keystone18:56
*** mylu has joined #openstack-keystone18:56
*** boris-42 has quit IRC18:58
dstanekbknudson: b'' should be str in 2 and bytes in 318:59
dstanekmakes life easy18:59
bknudsonI don't think we have too many binary strings, but I'll look out for it.18:59
bknudsonbinary literals18:59
dstaneki've had to make that change for the wsgi tests and a few other things19:00
*** jsavak has quit IRC19:00
samueldmqI wonder why there are those type differences between python 2 and 319:00
dstanekpython 3 moved to the java model where strings are text and there is a real binary type19:01
dstanekin py2 strings were binary because they were always binary and they added a unicode type19:01
openstackgerritTom Cocozzello proposed openstack/keystonemiddleware: Define entry points for filter factories for Paste Deployment
dstaneksamueldmq: ^19:02
*** jasonsb has joined #openstack-keystone19:03
*** jsavak has joined #openstack-keystone19:03
samueldmqdstanek: kk19:04
samueldmqdstanek: also, there are some differences in builtin methods, like print("") and print "", right?19:05
dstaneksamueldmq: yes, print is actually a function in 319:06
*** roxanagh_ has joined #openstack-keystone19:07
dstaneksamueldmq: they added some future stuff to help with py3 things19:07
*** roxanagh_ has quit IRC19:11
samueldmqdstanek: nice, do you recommend any good books on python ? like learning it deeply19:14
ayoungstevemar_, I think I can use Henrynash's split of assignment from resource to implement this.19:14
samueldmqayoung: hey, what's up ?19:15
ayoungsamueldmq, did you see the latest?19:15
samueldmqayoung: no19:16
samueldmqayoung: just saw stevemar_ said he likes what you're doing with policies :p19:16
*** ChanServ sets mode: +o dolphm19:19
samueldmqayoung: hmm ... looking at it19:19
samueldmqayoung: we could simply take the actual admin as global admin, and add new project_admin, domain_admin roles to our policies ?19:20
*** tonytan4ever has quit IRC19:20
dstaneki'm not sure why kvs does so much dogpile stuff19:20
ayoungsamueldmq, I think so.19:22
ayoungsamueldmq, then again, it might not make sense to split admin off of the thing it is assigned to19:22
ayoungadmin on project would, here, mean something different from admin on domain, or on endpoint19:23
ayoungBut more specific roles could be very useful19:23
samueldmqayoung: yeah but I think splitting it off in the naming is helpful too19:23
samueldmqayoung: as it provides clarity19:23
ayoungsamueldmq, true.  I kind of like "manager" for new roles going forward, especially for a project role that involves assigning other users to the project19:24
samueldmqayoung: project_manager ? domain_manager?19:24
ayoungsamueldmq, I also think quota is going to be different, as that really needs to be controlled by  a role outside the project19:24
ayoungsamueldmq, yes, and also storage, network, etc.19:25
samueldmqayoung: storage_manager is indeed a project manager (only on that project), but only delegated storage-y things19:26
*** su_zhang has joined #openstack-keystone19:27
ayoungsamueldmq, maybe...need to think it through.  I was thinking more that storage manager is like admin, but just for storage stuff,  across swift, cinder, and glance....we can afford a few cycles on that one, though19:28
samueldmqayoung: yes, I agree, but it is like global admin ? or project-scoped admin ?19:29
ayoungsamueldmq, heh...I think I was slipping back to thinking about implied roles...punt on it for now19:29
*** tonytan4ever has joined #openstack-keystone19:30
ayoungfor now, I think we make admin work as people currently understand it, with admin-on-endpoint explicit as opposed to assumed19:30
bknudsonayoung: ?19:32
ayoungbknudson, yep.  that is pretty much it.19:34
ayoungbknudson, but instead of making it a new scope on a token (which has problems) we make the catalog its own domain, and scope tokens to services-as-projects19:35
*** petertr7 is now known as petertr7_away19:35
*** marzif has quit IRC19:36
bknudsonayoung: so to create a service you create a project?19:37
*** marzif has joined #openstack-keystone19:37
*** woodster_ has joined #openstack-keystone19:37
bknudsonhow is that going to work with nova?19:37
ayoungbknudson, I don't think so.  I think that when you create a service or endpoint, you implicitly create a project19:37
bknudsonoh, you're saying this is only for some kind of "service admin" role19:37
ayoungbknudson, we treat the catalog as a read-only backend for "resources"19:37
*** petertr7_away is now known as petertr719:38
ayoungbknudson, so when you create an endpoint with id "FEEDBABACAFE000"  you get a project with project_id  "FEEDBABACAFE000"  in the "catalog" domain19:38
bknudsonwhich you can scope a token to19:38
bknudsonand assign roles on19:38
ayoungbknudson, yeah19:39
bknudsonthen what do I use it for? give it to nova?19:39
ayoungbknudson, by keeping it as a project, you don't change the clients19:39
ayoungbknudson, ok, on nova you can then use it to scope a token for "admin" actions like add a hypervisor19:39
ayoungbut also like deleting a vm for a project that was deleted  but the notification got missed19:39
bknudsonhow does nova handle this? changes to policy.json or hardcoded or what?19:40
ayoungIn Keystone, we can use it to scope operations to the Keystone server, like creating new domains or uploading policy files19:40
bknudsonwe've got cloudpolicy.json already that controls that19:40
ayoungbknudson, I think we can do some magic in the policy enforcement, but maybe an explicit change to "is_admin"19:40
ayoungbknudson, but that needs to be edited, which is a tooling problem19:41
bknudsonhow do you do it without editing?19:41
openstackgerritTom Cocozzello proposed openstack/keystonemiddleware: Define entry points for filter factories for Paste Deployment
*** mylu has quit IRC19:43
*** ajaya has quit IRC19:45
*** ankurgupta has quit IRC19:45
*** ankurgupta has joined #openstack-keystone19:46
*** marzif has quit IRC19:46
*** ankurgupta has left #openstack-keystone19:48
*** amakarov is now known as amakarov_away19:49
*** exploreshaifali has joined #openstack-keystone19:50
*** pumaranikar has quit IRC19:52
*** pumaranikar has joined #openstack-keystone19:52
pauloewertonhey guys, reviews for the patch would be highly appreciated. seems it is the only one being maintained atm in the feature/keystoneauth_integration branch for keystoneclient20:03
*** su_zhang has quit IRC20:04
*** roxanagh_ has joined #openstack-keystone20:08
*** maxabidi has joined #openstack-keystone20:10
ayoungpauloewerton, oooh. I'll look20:12
openstackgerritBrant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet padding for python 3
openstackgerritBrant Knudson proposed openstack/keystone: Fix key_repository_signature method for python3
*** roxanagh_ has quit IRC20:12
htrutabknudson: quick question about your comment here:
htrutain this case, should we just raise an error or remove the duplicate entries?20:13
bknudsonhtruta: I think an error should be raised.20:14
bknudsonI don't know how you could remove duplicate entries safely.20:14
htrutabknudson: that's what I was thinking20:14
*** Guest5869 has quit IRC20:15
*** tsymancz1k has quit IRC20:15
*** urulama has quit IRC20:15
pauloewertonayoung, nice, thx!20:15
*** urulama has joined #openstack-keystone20:15
*** dims_ has joined #openstack-keystone20:16
htrutabknudson:  I'll add the test. thanks20:16
*** maxabidi has quit IRC20:17
*** akanksha_ has quit IRC20:18
*** dims has quit IRC20:19
*** e0ne has quit IRC20:20
*** Ephur has quit IRC20:31
openstackgerritayoung proposed openstack/keystone-specs: Unified delegation spec
ayoungamakarov_away, just cleaned up some language20:36
openstackgerritBrant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet padding for python 3
openstackgerritBrant Knudson proposed openstack/keystone: Fix key_repository_signature method for python3
*** gordc has quit IRC20:38
openstackgerritBrant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet padding for python 3
openstackgerritBrant Knudson proposed openstack/keystone: Fix key_repository_signature method for python3
openstackgerritHenrique Truta proposed openstack/keystone: Constraint to prevent duplicates endpoints
*** hidekazu has quit IRC20:45
*** Ephur has joined #openstack-keystone20:49
*** tsymancz1k has joined #openstack-keystone20:52
openstackgerritHenrique Truta proposed openstack/keystone: Tests for subprojects acting as domains
openstackgerritHenrique Truta proposed openstack/keystone: Sub projects acting as domains
*** petertr7 is now known as petertr7_away20:54
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references
*** su_zhang has joined #openstack-keystone20:54
*** jlvillal_ has quit IRC20:57
*** urulama has quit IRC20:58
*** pauloewerton has quit IRC20:58
*** urulama has joined #openstack-keystone20:58
*** jlvillal_ has joined #openstack-keystone20:58
*** jsavak has quit IRC20:59
*** spandhe has quit IRC21:00
openstackgerritHenrique Truta proposed openstack/keystone: Bye Bye Domain Table
*** jsavak has joined #openstack-keystone21:01
*** spandhe has joined #openstack-keystone21:01
*** jlvillal_ has quit IRC21:02
*** jsavak has quit IRC21:07
*** tsymancz1k has quit IRC21:07
openstackgerritRon De Rose proposed openstack/keystone: Remove endpoint policy extensions that should be part of main keystone
*** jsavak has joined #openstack-keystone21:08
*** roxanagh_ has joined #openstack-keystone21:10
*** e0ne has joined #openstack-keystone21:11
*** roxanagh_ has quit IRC21:14
*** tsymancz1k has joined #openstack-keystone21:14
*** haneef has joined #openstack-keystone21:16
*** raildo is now known as raildo-afk21:17
*** e0ne has quit IRC21:20
*** jbell8 has quit IRC21:20
openstackgerritBrant Knudson proposed openstack/keystone: Refactor test use of new_*_ref
*** stevemar_ has quit IRC21:22
*** stevemar_ has joined #openstack-keystone21:22
*** ChanServ sets mode: +o stevemar_21:22
*** stevemar_ has quit IRC21:22
*** stevemar_ has joined #openstack-keystone21:23
*** ChanServ sets mode: +o stevemar_21:23
*** spandhe has quit IRC21:30
*** spandhe has joined #openstack-keystone21:32
dstanekwow, still 2260 unicode related test errors :-(21:35
openstackgerritBrant Knudson proposed openstack/keystone: Merge keystone.config info keystone.common.config
*** njohnston is now known as nate_gone21:36
bknudsondstanek: because of caching?21:38
dstanekno, i've been working on making a unicode center and bytey outside - lots of fun21:42
openstackgerritDavid Stanek proposed openstack/keystone: Adds already passing tests to py34 run
openstackgerritDavid Stanek proposed openstack/keystone: Fixes kvs cache key mangling issue for Py3
dstanekthat addresses the kvs caching stuff21:43
*** timcline has quit IRC21:45
*** tonytan4ever has quit IRC21:49
*** diazjf has left #openstack-keystone21:50
*** tsymanczyk has joined #openstack-keystone21:51
*** tsymanczyk is now known as Guest7825321:51
*** phalmos has quit IRC21:53
*** slberger has left #openstack-keystone21:53
*** markvoelker has joined #openstack-keystone22:00
*** sigmavirus24 is now known as sigmavirus24_awa22:01
*** alex_xu has quit IRC22:04
*** jsavak has quit IRC22:04
*** alex_xu has joined #openstack-keystone22:05
*** urulama_ has joined #openstack-keystone22:06
*** jbell8 has joined #openstack-keystone22:06
*** pumaranikar has quit IRC22:08
*** urulama has quit IRC22:09
*** roxanagh_ has joined #openstack-keystone22:10
*** jbell8 has quit IRC22:12
*** exploreshaifali has quit IRC22:14
*** thiagop has quit IRC22:14
*** jbell8 has joined #openstack-keystone22:14
*** dims_ has quit IRC22:15
*** roxanagh_ has quit IRC22:17
*** jbell8 has quit IRC22:19
*** su_zhang has quit IRC22:25
*** jamielennox|away is now known as jamielennox22:26
*** csoukup has quit IRC22:47
jamielennoxmorgan or ayoung: is an easy +A22:54
ayoungjamielennox, did you originally write the BP for service/endpoint scoped tokens?22:55
jamielennoxi don't think so22:55
*** su_zhang has joined #openstack-keystone22:55
jamielennoxalso it seems there should be an ABAC thing there22:56
jamielennoxthat doesn't look right22:56
jamielennoxthe admin rbac22:56
*** markvoelker has quit IRC22:57
ayoungjamielennox,  I was dolphs and you responded first22:58
ayoungUnscoped == service scoped for the keystone server that issued it seems ... maybe right?22:58
jamielennoxit's a better way of looking at unscoped tokens, it just doesn't necessarily imply any roles23:00
openstackgerritMerged openstack/keystoneauth-saml2: Redirect on 303 in SAML plugin
*** su_zhang has quit IRC23:02
ayoungjamielennox, no argument there.  It just doesn't really map to how we use them today. Unscoped is certainly limited to Keystone only, but it would not be the same as a domain scoped token.  And, if we do the endpoint scoped role assignments , it kind of implies that the user has some role on the endpoint23:02
jamielennoxright, well it doesn't map because we don't really have the concept of a service scoped token23:03
ayoungAlthough I guess that anyone with an active account in Keystone has an implied role on Keystone?23:03
jamielennoxwell you have the role that lets you list things you're a member of23:03
ayoungsort of like _member_ in that they can list their own data?23:03
ayoungI can accept that explanation23:03
jamielennoxstill there feels like an admin-rbac solution that would be better here23:04
jamielennoxseparate management roles from usage roles23:04
jamielennoxit's just kind of complex23:04
ayoungjamielennox, what about the rest of my thought process.  Where the service catalog becomes a read-only "resource" backend for  single domain23:05
jamielennoxwas that in the review?23:05
ayoungpartially I'm trying to be pragmatic23:05
ayoungjamielennox, nah, posted to the mailing list earlier today23:05
ayoungblog posted it, too23:05
jamielennoxoh, haven't seen that yet23:05
ayoungyou know most of can cut to...23:06
ayoung"All of these constraints drive toward a solution where we link the admin project to the existing endpoint ids. "23:06
*** su_zhang has joined #openstack-keystone23:08
jamielennoxno i think that's going the wrong way23:09
jamielennoxMake regions, services, and endpoints projects23:10
jamielennoxi think i understand the rationale, but you're trying to squeeze a complex problem into our limited role system23:10
jamielennoxand maybe we should just make the role system less limited23:10
ayoungjamielennox, you have a counter-proposal?23:11
ayoungAnd, might I add, one that we can implement within the openstack development process?23:11
jamielennoxno, but at the moment i'm thinking that projects shouldn't be the top level23:11
jamielennoxi don't know if that means domains23:12
ayoungjamielennox, you do realize that a response like that "no, but I have no alternative" is very frustrating to hear.23:12
jamielennoxespecially as we just essentially ripped those out23:12
jamielennoxi do23:12
ayoungAnd the reason this has been broken for so long23:12
ayoungSo...I'm willing to make something work, but I need a positive direction to head23:12
jamielennoxand given the token formats specify one scope per token we are going to have to have a situation where you can scope to more than either a project or domain23:13
ayoungI do like the idea (on its own) of the project hierarchy for a domain coming from a source other than the main SQL-resources table, like we do with identity23:13
jamielennoxdo we even talk about domains any more?23:13
*** roxanagh_ has joined #openstack-keystone23:14
jamielennoxdomains had some useful properties that i'm not sure we retain with the merging into projects23:14
ayoungthey are still there, and Henrynash just went crazy getting DB config for them working23:14
jamielennoxright, but that's because we assume idp == domain23:14
ayoungjamielennox, but, "project" or even "tenant" is not really any different than saying "label" link in an SELinux sort of way23:15
jamielennoxit's kind of an authn/authz problem, and i'm thinking of z23:15
ayoungso saying that "labels" can come from the catalog does feel consistent to me.23:15
ayoungrole assignments would stay in the assignments backend.23:16
ayoungSo...we create a special domain, call it the catalog domain23:16
ayoungEverything inside the service catalog then maps to a project23:16
ayoungthe Ids are the same23:16
ayoungso endpoint_id == project_id23:16
jamielennoxyou're trying really hard not to create a new concept23:16
jamielennoxwhat happens when someone gets confused and tries to launch a vm in that project23:17
ayoungjamielennox, it lets the client keep working, and does not break the remote services23:17
ayoungI thought of that.  Really, launching  a VM should be a separate role from admin anyway23:17
ayoungthe easy case to catch is if you get a token for nova. The endpointid == project id, and the policy in nova could filter it out23:18
jamielennoxso we're in to domain specific policy to make sure no one does anything project-y in the project23:18
ayoungwhen you get a token scoped to any catalog project, the only endpoint you get is that endpoint.23:18
ayoungso we could it with the endpoint binding of the tokens, too23:18
ayoungAnd, really, only admins could make that mistake23:19
ayoungperhaps we also make sure they have a quota of 0?23:19
ayoungLaunching a vm in one would really not break anything, would it?23:19
jamielennoxso that's a lot of runtime enforcement to make this work23:20
*** roxanagh_ has quit IRC23:20
jamielennoxnote because it appears i forgot to say earlier: that's a pretty cool hack, i'm just wary of putting hacks in such fundamental places23:20
ayoungjamielennox, that is a lot of runtime enforcement to catch a minor case that I think is kind of minimally worth worrying about.23:21
ayoungIt just lets the clients work as is today, and Horizon, too.  I'm not 100% against adding "endpoint" as a scope for tokens to report.23:21
*** topol has joined #openstack-keystone23:22
*** ChanServ sets mode: +v topol23:22
*** mylu has joined #openstack-keystone23:26
*** tsymancz1k has quit IRC23:27
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements
*** tsymancz1k has joined #openstack-keystone23:32
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
*** jbell8 has joined #openstack-keystone23:33
*** mylu has quit IRC23:34
*** mylu has joined #openstack-keystone23:35
*** spandhe has quit IRC23:53
