Monday, 2015-11-30

*** openstack has joined #openstack-keystone14:13
*** openstack has quit IRC14:13
*** openstack has joined #openstack-keystone14:16
*** openstack has quit IRC14:16
*** openstack has joined #openstack-keystone14:21
*** openstack has quit IRC14:22
*** openstack has joined #openstack-keystone14:23
*** openstack has joined #openstack-keystone14:26
*** openstack has quit IRC14:26
*** openstack has joined #openstack-keystone14:35 [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support:
*** tjcocozz has quit IRC14:36
*** openstack has joined #openstack-keystone15:43
*** flaper87 has joined #openstack-keystone15:46
*** ayoung has quit IRC15:47
*** e0ne has joined #openstack-keystone15:48
*** topol has joined #openstack-keystone15:49
*** ChanServ sets mode: +v topol15:49
*** dims has joined #openstack-keystone15:49
*** roxanaghe has joined #openstack-keystone15:50
*** martinus__ has quit IRC15:50
openstackgerritAlexander Makarov proposed openstack/keystone: SQLAlchemy column type for materialized path
*** agireud has joined #openstack-keystone15:53
*** martinus__ has joined #openstack-keystone15:53
*** roxanaghe has quit IRC15:54
*** jistr has quit IRC15:57
*** jdennis has joined #openstack-keystone15:58
*** jasondotstar has joined #openstack-keystone15:58
*** richm has joined #openstack-keystone15:58
*** slberger has joined #openstack-keystone16:00
*** e0ne has quit IRC16:02
*** ayoung has joined #openstack-keystone16:03
*** ChanServ sets mode: +v ayoung16:03
*** gordc has joined #openstack-keystone16:05
*** btully has quit IRC16:05
*** btully has joined #openstack-keystone16:07
*** pnavarro has joined #openstack-keystone16:09
*** slberger has quit IRC16:09
*** EinstCrazy has quit IRC16:13
*** slberger has joined #openstack-keystone16:15
*** arif-ali_ has joined #openstack-keystone16:15
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path convenience wrapper
*** davechen has joined #openstack-keystone16:15
*** arif-ali has quit IRC16:15
*** openstackstatus has joined #openstack-keystone16:15
*** ChanServ sets mode: +v openstackstatus16:15
*** arif-ali_ is now known as arif-ali16:15
notmorganstevemar, jamielennox, ping re would like to get that landed before we do a release (which we should do this week)16:28
notmorganstevemar: also
notmorganayoung, dstanek, bknudson, would be also good to get eyes on so we can work with cleaning up the icky "mock things out" stuff projects like ceilometer is doing16:29
*** chlong has joined #openstack-keystone16:40
ayoungnotmorgan, I like easy ones like that16:44
notmorganayoung: :)16:44
openstackgerritFernando Diaz proposed openstack/keystone: Strengthen Mapping Validation in Federation Mappings
ayoungnotmorgan, why is fixture not in the test directory there?16:45
* ayoung thought there was a reason16:45
*** LukeHinds has quit IRC16:46
notmorganayoung: this isn't for tests in ksm16:47
notmorganayoung:  this is for other services to consume16:47
ayoungnotmorgan, notmorgan and it needs to be in the stable interface for that?16:47
notmorganayoung: yes it does16:47
notmorganbecause changes to that fixture will break anyone who is using it16:47
notmorganso if we changed the interface we could break all tests for everyone that is using it in their tests.16:48
ayoungnotmorgan, ++16:48
ayoungI thought I remembered something along those lines16:48
notmorganthe reason for that fixture is that ceilometer (and others) were mocking out the memcache interface (internal) for auth_token, and we changed it and broke them16:48
ayoungnotmorgan, do my specs need to be in /mitaka before Friday, or just approved?16:49
notmorganayoung: uhhh16:49
notmorganstevemar: ^ what ayoung asked16:49
ayoungnotmorgan, I'm going with "backlog is good enough"16:49
ayoungI fugure approved means approved to implement, in mitaka means "we're committed"16:49
ayoungand wiggle room always better16:50
notmorganayoung: i dunno :P I am only doing keystone-related work right now because either a) it's the unglamorous stuff that people need fixed or b) this is so much better than the way we were/are doing it and is affecting my PoC for sub-url mounted services16:50
ayoungnotmorgan, I was looking at HAProxy due to your post.  I am not certain what it means for security.  And by that, I mea strict two way, authentication16:51
ayoungI somehow suspect that using HAProxy is breaking TLS, and we only get away with it because we blindly trust something we shouldn't16:51
notmorganit doesn't really break TLS16:52
notmorganwe can proxy the SSL through if we *really* want to16:52
notmorganbut let me be clear, if HAProxy is talking TLS to the backends, and that is secure independant of user->service16:52
notmorganthat is also good.16:52
notmorganthe services requiring strict client certs isn't buying us a lot of security at the moment as long as the only ingress ot the services is via the HAProxy Balancer16:53
ayoungnotmorgan, yeah,  and that is something that no-one does, but we should require.  Otherwise, datacenters become like unclorinated public swimming pools16:53
notmorganand that is a fine restriction imo16:53
notmorganrequire TLS, don't require pass-through TLS16:53
ayoungnotmorgan, well, if HAProxy validates cerst (to include OCSP or CRL, which I'm guessing it does not) it would be fine....the more I learn about this stuff, the more I feel it is hopeless16:53
notmorganif you saw i am also looking at ways to do the token validate at the edge in HAProxy16:53
notmorganayoung: yes it can16:54
ayoungnotmorgan, don't focus on token validation16:54
notmorganayoung: you need to configure it to do so.16:54
ayoungits a mistake to pour more water into that boot16:54
ayoungwe need to authenticate on each call16:54
notmorganayoung: i 100% disagree16:54
ayoungwith a single HAProxy...16:54
ayoungwe can make it cheap16:54
ayoungyou just need to authenticate to HAProxy16:54
ayoungand that is only on the first call16:54
notmorganayoung: i still thing service-to-service is to be trusted16:55
notmorganayoung: oh yes, that is the goal.16:55
notmorgani'm providing a way to make HAProxy handle that seemlessly, so we can go to a simple OAuth method long term16:55
ayoungnotmorgan, Svc2Svc should be trusted for standard workflows.16:55
ayoungnotmorgan, so the issue I had was that HAProxy didn't seem to handle crypto-auth16:55
notmorgantoken auth just happens to be the PoC part, and if HAProxy can do the logic of KSM in the process, win16:55
ayoungeither Client Certs or Kerb16:55
notmorganayoung: yeah it can. :)16:55
*** lhcheng has joined #openstack-keystone16:56
*** ChanServ sets mode: +v lhcheng16:56
notmorgansome requires some embedded lua to do it.16:56
notmorganbut it can totally do it16:56
notmorganthe client cert is baseline16:56
notmorganunless you need to ask keystone questions16:56
*** swebb has quit IRC16:56
notmorgankrb5 is going to be some embeded code, but also doable16:56
ayoungnotmorgan, so, that is what I meant by "forget the tokens"  I think we need to push the "ask keystone questions" off from token vlaidation...something like this:16:57
ayoung1.  call to HA proxy gets authenticated16:57
ayoung2.  HA proxy adds the "I know who the user is , it is blah validated by foo"16:57
ayoungto the call to the service16:57
ayoungservice then calls keystone, like a token validation "foo/blah came in, looking for project X.  give me the access_info"16:57
notmorgani would like the services to never need to ask keystone16:59
ayoungnotmorgan think about that statement16:59
notmorganthe services should not need to ask keystone anything16:59
ayoungasking keystone is the only way to not get stale info16:59
notmorganwhat case are you trying to lock out of?17:00
notmorganlong running jobs with changing permissions middle of the task?17:00
ayounguser asks for a long running operation,  should check at time of access "is this still valid"17:00
notmorganheat, for example, would not be explicitly trusted17:00
notmorganonly at the time of issuance.17:00
ayoungnotmorgan, glance snapshot17:00
notmorgani say "make a snapshot"17:00
notmorganthat was trusted when requested, it should complete17:00
notmorgannot be checked every single step of the way17:00
*** lhcheng has quit IRC17:00
notmorganit was authorized when you started17:00
notmorganif you ask for another snapshot, ask again17:01
ayoungyeah, but you don't know at time of request that it is going to be requested17:01
notmorgancheck authorization17:01
ayoungyou don't find out until auth would have timed out17:01
notmorganno, that is the heat case.17:01
notmorganif i say make a snapshot, that is now17:01
ayoungthis is standard VM running stuff17:01
notmorganand it checked at request time17:01
notmorganif you're saying "make a snapshot in 20 mins" you're asking in 20 mins.17:01
ayoungyo uare saying that all operations need to be pre-authed?17:02
ayoungthat means you need to know a-=priori all possible code paths17:02
ayoungI'm fine with that, except that the other serives all make like whingy bsabies when I suggested it17:02
notmorganso, see here is where i am coming from17:02
notmorgani don't care if they whine17:02
notmorgani'm writing code for this to prove it out17:02
ayoungits more like "do a long upload, and then do something, and the long upload is to glance, and the do something is to swift."17:02
notmorganif it goes nowhere i still can gather operator support17:03
notmorganbut i'm done "talking about" the plans and doing the "code talks" method17:03
ayoungnotmorgan, I trust you will get it long as it supports existing use cases17:03
notmorganayoung: the major change is that i am planning to make anything that is core-service to another core service just pass through the auth-headers17:03
ayoungnotmorgan, good luck.  I gave up on that approach once I got to a  full page of abandoinded code reviews17:03
*** jaosorior has quit IRC17:03
*** rdo_ has quit IRC17:03
notmorganayoung: the exception is like heat or something that works on staged tasks17:04
notmorganit always asks before performing an action as that *may* have changed (they are discreet actions)17:04
ayoungnotmorgan, heh, solve the Nova to other core services case first and I'll be happy17:04
notmorganayoung: that is part of what this is aiming towards.17:04
notmorganbut the 1st step is correcting the bug [yes like 1] in nova so glance can be sub-url mounted17:05
ayoungnotmorgan, this is all going to be via keystoneauth, right?17:05
notmorganayoung: anything the clients use17:05
ayoungum...was that a yes or a no?17:05
notmorganwell auth in the edge [for my purposes] can't be KSA17:05
notmorganbecause we don't run python at the edge17:06
notmorganbut inside the services yes.17:06
notmorganit will be KSA and/or a patch to ksc.session when this mode is enabled [prob. out-of-tree]17:06
notmorganbut ksa will receive first tier support for handling this in the right way(s)17:07
ayoungnotmorgan, define "at the edge" if can, please?17:08
notmorganayoung: at the edge: the ingress point before the services.17:09
notmorganso, HAProxy in my example17:09
ayoungnotmorgan, HAProxy coming in, then....and going out?17:09
notmorganayoung: correct. HAProxy is the gateway to the services here17:09
ayoungnotmorgan, so, HAProxy has to work with whatever you do, but the calling out from the other services will still be via keystoneauth.17:10
notmorganayoung: long term, i want to use "internal" interface for svc->svc17:10
notmorganayoung: yes, it would just route though a similar balancer [maybe without the heavier handed auth checking]17:10
ayoungnotmorgan, agreed, although x509 clientless works fine there, too17:10
notmorganayoung: ksa would just be smart enough to bundle the auth stuff up that is needed to do svc->svc17:11
ayoungnotmorgan, I think we're on the same page17:11
notmorganand the x509 or whatever covers the "are you really a trusted service"17:11
notmorganbut haproxy can do all the stuff we are talking about and then some.17:12
notmorganayoung: but it isn't the only thing that can do it.17:12
notmorganayoung: just very convienent way to. and it addresses the "eventlet" problem [mostly]17:12
ayoungnotmorgan, its part of the RDO solution, so an HAProxy approach works for me17:12
*** pnavarro has quit IRC17:13
*** mfedosin has quit IRC17:13
notmorgani have a working devstack with everything [except novnc] sub-url mounted (cause i just didn't care]17:13
*** EinstCrazy has joined #openstack-keystone17:14
ayoungnotmorgan, heh...websockets is its own kind of crazy17:14
*** pnavarro has joined #openstack-keystone17:15
*** lhcheng has joined #openstack-keystone17:15
*** ChanServ sets mode: +v lhcheng17:15
*** boris-42_ has quit IRC17:15
notmorganayoung: it is, but it still will work :)17:16
notmorganayoung: but it's more digging into things than i am willing to do for the first few steps17:16
notmorgani'm almost to the point where I legitimately need a lab of nodes [not enough space to use VMs] to proove this out17:17
ayoungnotmorgan, did you stray from  ?  Cuz if you did, please update with the rationale, when you have a chance.17:17
notmorganayoung: i am17:17
notmorganayoung: i disagree with some of those choices17:17
notmorgannotably /identity/main17:18
notmorganand identity/admin17:18
ayoungnotmorgan, look at when I wrote that....17:18
notmorganbut i think the rest are all in line17:18
notmorganbasically, i am doing /identity/(v2.0|v3)17:18
notmorganno distinction17:18
notmorganand that is the only real change to what you wrote17:18
ayoungcool.  And, FWIW, I am totally cool with ditching /main and /admin, as well you might guess17:18
notmorganand i am going to make the auth_url in my POC actually 100% separate17:19
ayoungnotmorgan, this is why we should not allow productive coders to be PTL17:19
ayounglook at how much more wea re getting out of you now.17:19
notmorganuh. i am doing very little work in keystone :P17:19
notmorganand don't expect to be coming back actually.17:19
ayoungso long as the overall story gets better, I am OK with that17:19
* stevemar is wondering how to take that17:19
notmorgani'll stick on the KSA stuff but i'm seriously considering stepping down as keystone-core but staying on as ksa-core17:20
ayoungstevemar, we give you one rotation, then we need you back on real stuff17:20
ayoungstevemar, I say next time we make topol take it.17:20
stevemari'm make a mess of things no matter where i am17:20
*** jorge_munoz has quit IRC17:21
*** EinstCrazy has quit IRC17:21
*** ChanServ sets mode: +o dolphm17:22
*** davechen1 has joined #openstack-keystone17:24
*** davechen has quit IRC17:26
*** Guest23729 is now known as zeus17:27
*** lhcheng_ has joined #openstack-keystone17:27
*** zeus has quit IRC17:27
*** zeus has joined #openstack-keystone17:27
*** gyee has joined #openstack-keystone17:28
*** ChanServ sets mode: +v gyee17:28
topolayoung, notmorgan you actually trust me enough to want to hand me something???17:28
ayoungstevemar, topol ever heard of the Peter principle?17:29
ayoungtopol, Or did you ever read the part in the Hitchhiker's trilogy explaining why Zaphod Bebblebrox was made Predident of the Galaxy?17:29
topolayoung I live it :-)17:29
notmorgantopol: HEY don't loop me into this :P I stayed out of that comment for a reason.17:29
*** rdo has joined #openstack-keystone17:29
topolnotmorgan :-)17:29
*** swebb has joined #openstack-keystone17:30
*** lhcheng has quit IRC17:30
openstackgerritLance Bragstad proposed openstack/keystone: Use assertDictEqual instead of assertEqualPolicies
notmorganayoung: feedback on is of course welcome17:36
ayoungnotmorgan, betamax?  Someone was feeling retro17:36
ayoungnotmorgan, WTF is a BetaMax interface?17:37
notmorganayoung: betamax is basically record requests session17:38
notmorganand then you can use that exact recording in a replay for testing17:38
notmorganit is based on requests-mock17:38
ayoungnotmorgan, vcr " Record your test suite's HTTP interactions and replay them during future test runs for fast, deterministic, accurate tests.17:39
ayoungwe need that in the review somewhere, either in the commit, or in the doc, or a bug link or something17:39
notmorganso the plan here is to use this and record interactions with "real" clouds.17:39
notmorganand then OCC can replay that and make sure there isn't regression when things are added to OCC's feature set17:39
ayoungjst throwing a new technology in there to someone like me that is not paying too much attention to the discussion makes it hard to review17:39
notmorganayoung: but we're pushing the fixture/interface down to ksa level since it belongs at the low level rather than in the consuming projects [the basic support that is]17:40
ayoungnotmorgan, that approach to testing can be fragile.17:40
ayoung"record/replay" that is17:40
notmorganit is only one set of functional tests17:40
ayoungits agood "get started" approach,17:40
notmorganbut it is needed for things like OCC17:41
notmorganbecause occ and then shade have cloud-specific code paths17:41
*** tjcocozz has quit IRC17:41
ayoungare go going to hold up a checking if it breaks a Betamax based test?17:41
notmorganso we need to be sure that they don't break when *we* make a change. if it breaks because the cloud changes, we can re-record and go from there.17:41
notmorganayoung: in OCC and Shade? probably17:42
notmorganfor the specified code paths17:42
notmorganbecause they are there to support cloud-specific deployment configs17:42
*** tjcocozz has joined #openstack-keystone17:43
notmorganwill KSA ever be held up because betamax? no.. unless you break the betamax interface in ksa (itself)17:43
notmorganbut not because we have pre-recorded anything17:43
*** edmondsw has joined #openstack-keystone17:44
ayoungWe are getting fucking code review commens on the numer of spaces after a period.  Berke Brehed was right17:44
notmorganwe are?17:45
ayoungI am17:45
ayoungin the help sttrings for config17:45
htrutahey stevemar, should I mark this as deprecated-of-mitaka ?17:45
notmorganayoung: if there was no other reason for the -1 i'd call it out, but i'd classify those as nits, and could be ignored if there were no other issues with the patch17:47
*** davechen has joined #openstack-keystone17:48
ayoungnotmorgan, its just noise17:48
ayoungnotmorgan, but I've had three people jump on that17:48
notmorganif that is the only reason they are -1, i'd call it out as "great but this isn't worth the re-spin re-review time"17:49
notmorganif they have other concerns, i'm fine with those comments17:49
* notmorgan shrugs17:49
*** spandhe has joined #openstack-keystone17:50
*** davechen1 has quit IRC17:50
raildostevemar: ping, quickly question (ML email about deprecating features) you said that the code will keep for at least four releases, on this part, are you talk about the hole v2.0 API or only the authentication routes?17:51
*** ayoung has quit IRC17:57
openstackgerritMerged openstack/keystoneauth: Add argparse registration from Adapter objects
stevemarraildo: reply to the ML with that and i'll reply ;)18:07
raildostevemar: sure :)18:07
notmorganstevemar: i am also against calling it 2.0 of ksa18:07
notmorganstevemar: like... massively against it18:07
stevemarraildo: the answer is: we'll keep the whole of v2.0 CRUD routes around for 4 releases, and the authentication routes for longer (indefinitely) cc dolphm notmorgan18:07
stevemarnotmorgan: py26 support dropped, so we have to do a major bump18:08
notmorganstevemar: ugh18:08
notmorganstevemar: i am not happy about that at all18:08
notmorganstevemar: btw18:08
notmorganat all.18:08
raildostevemar: that was I thought, thanks18:09
notmorganstevemar: but -1 on your release request until we get at least updated hashes to the most recent merge (preferably)18:09
notmorganstevemar: the major version bump for droppy py26 is really crappy still.18:09
stevemardhellmann: ^ thoughts?18:10
*** harlowja has joined #openstack-keystone18:10
openstackgerritMerged openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
notmorganbut i'm fine if we *have* to18:10
stevemarnotmorgan: yeah, let me know what hash you want and i'll update it18:10
stevemaror you update it, whatevsss18:10
notmorganstevemar: commented in the review and also ^ the ksm one18:10
notmorganthat just landed18:10
*** chlong has quit IRC18:10
dhellmannstevemar , notmorgan : yeah, dropping support for a whole deployment platform is a major version change18:11
*** edmondsw has quit IRC18:11
dhellmannyou're declaring a backwards-incompatible change18:11
notmorganstill super crappy for KSA since i don't think we had any 26 specific code.18:11
notmorganand no one who used ksa was 26 dependant afaik18:11
notmorganbut meh.18:11
stevemardhellmann: that's true, we didn't have py26 specific code18:12
notmorgani wont make too much of a stink. just very displeased with that part of the change.18:12
dhellmannit's not about your code, it's about the declaration of support18:12
stevemarnotmorgan: you're saying to not release ksm?18:12
stevemardhellmann: true true18:12
notmorganstevemar: just include the new fixture in the release (that just merged)18:12
notmorganstevemar: thats all.18:12
stevemarroger roger18:13
stevemargotcha, the auth token fixture18:13
notmorganstevemar: yah.18:13
stevemarnotmorgan: cool beans18:13
notmorganseems like it's silly not to drop that in cause it landed :)18:13
notmorganstevemar: but the ksa from_argparse is the more important thing to incliude in the release18:14
notmorganstevemar: that is holding up client fixes18:14
notmorganand OCC fixes18:14
notmorgani kinda want to see land... but...18:16
notmorganit can wait until m218:16
*** zeus has quit IRC18:17
*** rm_work has quit IRC18:17
*** odyssey4me has quit IRC18:19
*** swebb has quit IRC18:19
*** EinstCrazy has joined #openstack-keystone18:21
*** zeus has joined #openstack-keystone18:22
*** zeus is now known as Guest2158818:22
*** rm_work has joined #openstack-keystone18:22
*** Guest21588 is now known as zeus`18:23
*** Guest83268 has quit IRC18:23
*** reed has quit IRC18:24
*** EinstCrazy has quit IRC18:25
*** odyssey4me has joined #openstack-keystone18:25
*** chlong has joined #openstack-keystone18:26
stevemarnotmorgan: i want it to land too :(18:27
*** crinkle has quit IRC18:27
stevemartheres no reason the two of us can't review it now?!18:27
*** petertr7 is now known as petertr7_away18:27
*** mgagne has joined #openstack-keystone18:28
*** mgagne is now known as Guest6345318:28
*** doug-fish has quit IRC18:28
*** reed has joined #openstack-keystone18:28
notmorganstevemar: I can rubber stamp it now. But real review on a couple hours?18:29
*** crinkle has joined #openstack-keystone18:29
stevemarwe don't have to force it18:29
*** swebb has joined #openstack-keystone18:30
openstackgerritPriti Desai proposed openstack/keystone: Fix for listing role assignments by project admin
*** aginwala has joined #openstack-keystone18:31
*** lhcheng_ has quit IRC18:32
stevemarnotmorgan: bump for review:
*** shaleh has joined #openstack-keystone18:36
*** hogepodge has joined #openstack-keystone18:37
*** jistr has joined #openstack-keystone18:37
*** Guest63453 has quit IRC18:38
*** Guest63453 has joined #openstack-keystone18:38
*** Guest63453 is now known as mgagne18:39
*** davechen1 has joined #openstack-keystone18:40
*** davechen has quit IRC18:41
*** mfedosin has joined #openstack-keystone18:44
stevemarbknudson: notmorgan dolphm if i could get reviews on these before M1: << adding release notes for keystone libs18:44
*** diegoadolfo__ has joined #openstack-keystone18:45
shalehsamueldmq: hey, please look at the comments I made to yours on the project_ref review and consider turning that -1 into a +1.18:51
*** pnavarro has quit IRC18:54
*** pnavarro has joined #openstack-keystone18:58
*** tyagiprince has joined #openstack-keystone18:58
*** pnavarro has quit IRC19:02
*** aginwala has quit IRC19:02
*** sripriya has joined #openstack-keystone19:03
*** sileht has quit IRC19:05
*** aginwala has joined #openstack-keystone19:07
*** jaosorior has joined #openstack-keystone19:08
*** tyagiprince has quit IRC19:10
*** tyagiprince has joined #openstack-keystone19:10
*** btully has quit IRC19:10
*** btully has joined #openstack-keystone19:11
*** jaosorior has quit IRC19:15
*** petertr7_away is now known as petertr719:18
*** mancdaz has quit IRC19:20
*** xek has quit IRC19:21
*** mancdaz has joined #openstack-keystone19:22
*** aginwala is now known as aginwala8719:24
*** aginwala87 is now known as aginwala19:24
*** mkoderer has quit IRC19:26
*** davechen has joined #openstack-keystone19:26
*** tyagiprince has quit IRC19:27
*** aginwala has quit IRC19:27
*** c_soukup has joined #openstack-keystone19:28
*** lhcheng has joined #openstack-keystone19:29
*** ChanServ sets mode: +v lhcheng19:29
*** mkoderer has joined #openstack-keystone19:29
*** davechen1 has quit IRC19:29
openstackgerritAlexander Makarov proposed openstack/keystone: Use path hybrid property in query filtering
openstackgerritSean Perry proposed openstack/keystone: Use unit.new_project_ref consistently
*** csoukup has quit IRC19:32
*** petertr7 is now known as petertr7_away19:33
*** diazjf has left #openstack-keystone19:36
*** petertr7_away is now known as petertr719:42
*** aginwala has joined #openstack-keystone19:43
raildostevemar: Do you know when will be the next release for keystoneclient?19:44
stevemarraildo: soon, before M1 ends20:06
stevemarraildo: i've proposed updates here:
*** c_soukup has quit IRC20:06
raildostevemar: great, I'll take a look20:07
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Remove hardcoded endpoint filter for update password
stevemarraildo: i'm just waiting on this change to merge ^20:10
bknudsonstevemar: is gating20:10
stevemarthanks bknudson, much appreciated20:10
bknudson needs another +220:10
bknudson(from non-ibm)20:11
raildostevemar: so it will be really soon :)20:11
stevemarnotmorgan: dolphm lbragstad dstanek ^ ?20:11
*** mserngawy_ has joined #openstack-keystone20:11
stevemarraildo: yes, the intention is to release ksc/ksm/ksa tomorrow (early in the week)20:11
stevemari wonder if i need to stagger those releases20:12
shalehgyee is back too20:12
stevemarmeh, shouldn't need to20:12
stevemargyee: finall!20:12
dstanekstevemar: release notes!20:12
lbragstadstevemar looking20:12
stevemardstanek: yeah, libraries need them too :(20:13
stevemarbrb, making tea20:13
dstanekstevemar: running tox now and i'll +2 when it completes20:13
*** doug-fish has joined #openstack-keystone20:14
*** ayoung has joined #openstack-keystone20:18
*** ChanServ sets mode: +v ayoung20:18
*** martinus__ has quit IRC20:21
stevemarjust a heads up that ksm/ksc/ksa are all going to receive major version bumps this time around because we are removing py26 support20:22
stevemardstanek: lhcheng ayoung gyee lbragstad dolphm: just a heads up that ksm/ksc/ksa are all going to receive major version bumps this time around because we are removing py26 support20:22
*** martinus__ has joined #openstack-keystone20:22
dolphmstevemar: ++20:22
ayoungstevemar, good20:22
dstanekstevemar: it's about time!20:22
*** NM has quit IRC20:24
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Deprecating API v2.0
* ayoung ready to remove py27 support, too20:27
*** jistr has quit IRC20:27
raildoayoung: haha20:28
shalehayoung: beyond string annoyance, 27 is largely 3x already20:28
*** shaleh is now known as shaleh|away20:29
bknudsonif we didn't have py27 support in keystone you couldn't run it at all.20:30
*** mfedosin has quit IRC20:31
*** adelia has joined #openstack-keystone20:31
gyeestevemar, awesome!20:32
stevemarbknudson: maybe that's ayoung's plan20:32
ayoungI'm ready to deprecate Keystone20:32
gyeeayoung,whatever you are drinking, I want some :)20:33
ayounggyee, Coffee.20:33
*** RichardRaseley has joined #openstack-keystone20:34
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Deprecating API v2.0
*** aginwala has quit IRC20:39
*** navid_ has quit IRC20:39
*** aginwala has joined #openstack-keystone20:42
*** EinstCrazy has joined #openstack-keystone20:42
*** c_soukup has joined #openstack-keystone20:45
stevemarmfisch`: poke20:46
*** EinstCrazy has quit IRC20:47
*** doug-fish has quit IRC20:51
*** belmoreira has joined #openstack-keystone20:53
*** raildo is now known as raildo-afk20:53
*** dims_ has joined #openstack-keystone20:53
*** doug-fish has joined #openstack-keystone20:54
*** doug-fis_ has joined #openstack-keystone20:55
*** dims has quit IRC20:56
*** mfisch` has quit IRC20:56
*** mfisch has joined #openstack-keystone20:57
*** mfisch is now known as Guest715020:57
*** doug-fi__ has joined #openstack-keystone20:57
*** pauloewerton has quit IRC20:57
*** doug-fish has quit IRC20:58
openstackgerritDave Chen proposed openstack/keystonemiddleware: Configuration is outdated
*** doug-fis_ has quit IRC21:00
*** Guest7150 has quit IRC21:01
*** doug-fi__ has quit IRC21:02
bretonstevemar: I will work on memcache_pool patches tomorrow21:02
*** aginwala has quit IRC21:02
bretonstevemar: althought that patch really can be abandoned, memcache_pool still doesn't work21:02
*** dims_ has quit IRC21:03
stevemarbreton:  :(21:03
*** lhcheng has quit IRC21:03
*** doug-fish has joined #openstack-keystone21:04
*** doug-fish has quit IRC21:09
*** aginwala has joined #openstack-keystone21:13
*** diazjf has joined #openstack-keystone21:14
*** dims has joined #openstack-keystone21:14
*** rdo has quit IRC21:18
*** raildo-afk is now known as raildo21:19
*** aginwala has quit IRC21:19
davechenbreton: I don't know how to contradict you, acutally, I agree with you at some points.21:23
openstackgerritMerged openstack/keystonemiddleware: Add release notes for keystonemiddleware
davechenbreton: let's just wait to see if there is any comments from jamielennox or marekd who filed the bug.21:24
*** rdo has joined #openstack-keystone21:26
*** topol has quit IRC21:26
*** doug-fish has joined #openstack-keystone21:32
bretondavechen: ok, I agree. I am not strictly against the change, just have some concerns.21:33
*** doug-fis_ has joined #openstack-keystone21:35
*** doug-fis_ has quit IRC21:35
*** doug-fis_ has joined #openstack-keystone21:35
*** doug-fish has quit IRC21:37
*** aginwala has joined #openstack-keystone21:37
*** opilotte has quit IRC21:38
*** opilotte has joined #openstack-keystone21:38
davechenbreton: your comments is great! so I checked bunches of websites and didn't find any exceptions that can assist the change. :)21:41
*** navid_ has joined #openstack-keystone21:42
*** dims_ has joined #openstack-keystone21:42
openstackgerritMerged openstack/keystoneauth: Add release notes for keystoneauth
*** dims has quit IRC21:43
*** mfisch has joined #openstack-keystone21:48
*** mfisch has quit IRC21:48
*** mfisch has joined #openstack-keystone21:48
*** jasonsb has quit IRC21:48
*** aginwala has quit IRC21:49
*** petertr7 is now known as petertr7_away21:55
*** andrewbogott has quit IRC21:56
*** andrewbogott has joined #openstack-keystone21:56
ayoungOK....what is the rationale for not being able to deprecate V2 Auth?21:58
shaleh|away1) non python users 2) lots of existing users 3) ease of upgrade21:59
*** aginwala has joined #openstack-keystone21:59
shaleh|awaynot exactly in that order21:59
*** shaleh|away is now known as shaleh21:59
shalehas I recall from the summit21:59
shaleh(not my list)22:00
ayoungshaleh, I'm looking at the Etherpad and ... well, I just don't get it22:00
*** navid_ has quit IRC22:00
ayoungI think we are wrong.  I see no reason V2 Auth needs to stick around22:00
*** navid_ has joined #openstack-keystone22:00
shalehayoung: as usual, talk to morded. He is a major proponent.22:01
shalehother people felt that breaking v2 style auth would cause lots of strife with existing users/customers22:02
shalehI seem to recall bknudson or lbragstad being in that crowd22:03
bknudsonI'm fine with deprecating v2 auth22:03
shalehstevemar would suggest dropping v2, be reminded by somebody of xyz and then agree that at least v2 auth needed to live on22:03
shalehbknudson: sorry if I am not remembering correctly22:04
*** csoukup_ has joined #openstack-keystone22:04
shalehbknudson: I was still learning names and voices during some of these conversations22:04
bknudsonI think it was dolphm that had an issue with deprecating v2 auth22:04
shalehbknudson: yeah, that sounds plausible22:04
shalehbknudson: I was getting you and him mixed up the first day22:04
*** notmyname has quit IRC22:05
dolphmbknudson: ++ deprecation is okay, but it'll need to be supported for a *long* time22:05
dolphmand there are things we can do to reduce the maintenance cost in the mean time22:06
dolphmlike, implement it as translation middleware on top of the v3 app22:06
shalehdolphm: right, thanks I remember that being suggested22:06
bknudsondolphm: that's what I was thinking too, that we deprecate it even if we're not going to remove it. just so that keystone complains about it.22:06
*** c_soukup has quit IRC22:06
*** notmyname has joined #openstack-keystone22:06
dolphmat startup?22:07
*** markvoelker has joined #openstack-keystone22:07
bknudson(but that's not what I thought we agreed to at the summit)22:07
bknudsonkeystone would log the deprecation warning when it's used.22:07
shalehright, it could not interfere with the user.22:07
bknudsonwhen a /v2/auth/tokens request comes in it'll log warning22:07
openstackgerritMerged openstack/keystonemiddleware: Add domain and trust details to user plugin
shalehayoung: agree, the etherpad is not clear22:08
lbragstadshaleh ahh, it this regarding the deprecation session in tokyo?22:12
dolphmbknudson: hopefully only on the first call!22:13
bknudsondolphm: that's how the deprecated warning is supposed to work.22:14
dolphmbknudson: ++ wasn't sure if you were implying otherwise22:14
*** csoukup_ has quit IRC22:16
ayoungso, the issue with automatically translating V2 to V3 is that we have no way of querying the default domain id or name22:20
ayoungthat was one reason for:  "Query Config from Web UI "22:20
ayoungprobably the main one22:20
notmorganOMG HI dolphm !22:21
* notmorgan goes back to the corner now22:21
*** roxanaghe has joined #openstack-keystone22:24
*** mancdaz has quit IRC22:26
*** csoukup_ has joined #openstack-keystone22:27
dolphmnotmorgan: OMG HI22:27
dolphmstevemar: why is ksm 2.4.x and 3.0.x not on pypi?22:27
notmorgandolphm: we have ksm 3.0?22:28
stevemarnotmorgan: we do22:28
dolphmthere appear to be tags for 2.4.0 2.4.1 and 3.0.022:28
*** mancdaz has joined #openstack-keystone22:28
dolphmbut none are on pypi22:28
dolphmand they break stable/liberty22:28
notmorgandolphm: maybe 3.0 was just tagged and delay in pushing to pypi?22:28
notmorgan2.4 no clue22:28
notmorganoh no22:28
stevemardolphm: i asked dstufft about this in #pypa-dev22:29
stevemardolphm: join me there?22:29
stevemardolphm: but that was all before US turkey day22:29
*** davechen has left #openstack-keystone22:31
*** jasonsb has joined #openstack-keystone22:36
*** jasonsb has quit IRC22:37
*** fangxu has joined #openstack-keystone22:37
*** adelia_ has joined #openstack-keystone22:37
*** jasonsb has joined #openstack-keystone22:37
*** adelia has quit IRC22:41
*** btully has quit IRC22:41
*** tjcocozz has quit IRC22:41
*** tjcocozz has joined #openstack-keystone22:42
*** adelia_ has quit IRC22:42
*** btully has joined #openstack-keystone22:43
*** doug-fis_ has quit IRC22:44
*** doug-fish has joined #openstack-keystone22:44
*** doug-fish has quit IRC22:49
*** doug-fish has joined #openstack-keystone22:49
*** doug-fis_ has joined #openstack-keystone22:50
shalehlbragstad: yes, that was what we were talking about22:52
*** navid_ has quit IRC22:53
*** doug-fish has quit IRC22:54
*** diazjf has quit IRC22:54
*** doug-fis_ has quit IRC22:55
*** dims has joined #openstack-keystone23:02
*** doug-fish has joined #openstack-keystone23:03
*** dims_ has quit IRC23:03
*** aginwala_ has joined #openstack-keystone23:06
*** doug-fish has quit IRC23:07
*** aginwala has quit IRC23:10
*** breitz has quit IRC23:15
*** breitz has joined #openstack-keystone23:15
*** Ephur has quit IRC23:20
ayoungbknudson,,cm  when say "There should also be a test that shows that the authenticate response has is_admin_project=..." do you mean the token validation response?23:21
bknudsonayoung: there's already code that checks the token validation (GET /auth/tokens) response23:21
bknudsonthere isn't code that checks the auth response POST /auth/tokens23:21
ayoungbknudson, you mean test the response from the initial self.get_requested_token?23:22
bknudsonayoung: yes23:22
openstackgerritMerged openstack/python-keystoneclient: Remove hardcoded endpoint filter for update password
*** gordc has quit IRC23:39
*** jerrygb has quit IRC23:39
*** jerrygb has joined #openstack-keystone23:39
*** Ephur has joined #openstack-keystone23:44
*** RichardRaseley has quit IRC23:54
*** RichardRaseley has joined #openstack-keystone23:56
*** slberger has left #openstack-keystone23:56
*** miyagishi_t has joined #openstack-keystone23:58

Generated by 2.14.0 by Marius Gedminas - find it at!