Monday, 2015-12-14

*** markvoelker_ has quit IRC		00:10
*** gildub has joined #openstack-keystone		00:38
*** chlong has joined #openstack-keystone		00:48
*** jasonsb has joined #openstack-keystone		00:54
*** EinstCrazy has joined #openstack-keystone		00:55
notmorgan	jamielennox: so.	01:05
*** markvoelker has joined #openstack-keystone		01:10
*** markvoelker has quit IRC		01:15
jamielennox	notmorgan: yup	01:20
notmorgan	jamielennox: converting keystoneclient to use keystoneauth... it's a fairly sizable change it seems	01:20
jamielennox	notmorgan: it depends how much of a conversion you want to do	01:21
notmorgan	jamielennox: i'm looking to convert only keystoneclient CRUD stuff	01:22
notmorgan	don't care about session related things that we now consume from ksa	01:22
notmorgan	basically, leave the session stuff to be officially deprecated as soon as we can(ish)	01:22
notmorgan	[when all the clients and servers are using ksa]	01:22
jamielennox	notmorgan: so the rest of that stuff should just convert over more or less transparently	01:22
jamielennox	we did the exceptions change over	01:22
notmorgan	it looks like keystoneclient.discover and client?	01:23
notmorgan	and the rest relies on that?	01:23
jamielennox	oh, discover is pretty horrible	01:23
notmorgan	discover seems to have KSC specific magic in it	01:23
notmorgan	erm keystone*	01:23
notmorgan	yah	01:23
jamielennox	i don't really like how discover works at all	01:23
notmorgan	so, should i leave this for you to rewrite that?	01:24
jamielennox	notmorgan: it's horrible but i wasn't going to rewrite it atm - hasn't been a need	01:24
notmorgan	yeah	01:24
notmorgan	so just the base client and discover afaict	01:24
notmorgan	also: https://review.openstack.org/#/c/250669/ should be an easy +2/+A at this point	01:25
notmorgan	so we can be clear of the old-untested middleware	01:25
jamielennox	so that should be a fairly easy deprecation	01:25
jamielennox	i just thought we had to wait for another cycle	01:25
notmorgan	i don't think so.	01:26
notmorgan	it's been untested for a long time	01:26
notmorgan	stevemar: ^ cc	01:26
notmorgan	basically it's not really tested against a real system, it's probably borken	01:26
jamielennox	notmorgan: it's been very well publicised that the keystoneclient middleware is dead	01:27
jamielennox	i'd be fine to remove it now	01:28
notmorgan	exactly	01:28
notmorgan	toss a +2 on it and we hit steve to +A tomorrow?	01:28
* jamielennox hasn't had devstack work in like 5 days		01:28
notmorgan	jamielennox: it's working now better	01:28
jamielennox	something in tox/tempest	01:29
notmorgan	i've been shepherding thorugh mordred's patches for conversion to ksa	01:29
notmorgan	yeah tox 2.3.0 was/is broken	01:29
notmorgan	the nodes with it have been mostly (all?) squashed out	01:29
notmorgan	so it should be done at this point	01:29
notmorgan	we did land the nova's neutron options removal patch :)	01:30
jamielennox	is that really the only dependency we remove :(	01:34
jamielennox	webob can go	01:35
jamielennox	notmorgan: i +2ed it - we need to remove webob as well	01:38
notmorgan	sure will do as a followup	01:38
notmorgan	yeah it is.	01:39
notmorgan	sadly	01:39
jamielennox	notmorgan: done	01:40
notmorgan	jamielennox: ^	01:40
notmorgan	he	01:40
notmorgan	did we just both do it?	01:40
jamielennox	i don't see the bot messages	01:40
notmorgan	ahahaha	01:40
notmorgan	yeah	01:40
notmorgan	we both did	01:40
notmorgan	i'll abandon mine	01:40
jamielennox	i don't mind, pick one the other can approve	01:40
notmorgan	going with yours	01:41
jamielennox	did you have to hack up the neutron options patch?	01:42
notmorgan	nah. went through pretty easily	01:43
jamielennox	there's a fallback case	01:43
notmorgan	had to do extra requests_mock work	01:43
notmorgan	but it wasn't too bad	01:43
jamielennox	so you can do like nova_session options that fall back to generic session options	01:43
jamielennox	heat does that a lot	01:43
notmorgan	anyway.	01:44
notmorgan	need to circle up w/ nova team on the keystoneauth session conversion now	01:44
jamielennox	notmorgan: did you do that list?	01:44
notmorgan	hmm? which list?	01:44
jamielennox	ksa conversions	01:45
notmorgan	oh no.	01:45
notmorgan	need to bug mordred about that.	01:45
notmorgan	see which one of us is doing it	01:45
jamielennox	notmorgan: no worries, cause i can get back into that i just don't want to repeat work	01:45
notmorgan	lets get a list together tomorrow	01:45
notmorgan	and then you can hop in too	01:45
notmorgan	we can keep landing this stuff	01:45
notmorgan	with three of us working on it, we can likely land more	01:46
notmorgan	neutron is now fully using KSA, nova is close	01:46
notmorgan	and clients are starting to come together	01:47
notmorgan	there is a lot of OCC patches that need looks at for novaclient to be converted	01:47
*** markvoelker has joined #openstack-keystone		03:11
*** markvoelker has quit IRC		03:16
*** wanghua has joined #openstack-keystone		03:18
*** yuanxu has joined #openstack-keystone		03:31
*** yuanxu has quit IRC		03:40
mordred	they're all fairly small though	03:56
mordred	jamielennox: and no, I totallyy didn't work on that etherpad at all	04:01
*** grantbow has quit IRC		04:02
*** wolsen_ is now known as wolsen		04:12
*** Guest45133 is now known as jgriffith		04:12
*** aginwala has joined #openstack-keystone		04:19
*** dims has joined #openstack-keystone		04:20
*** fawadkhaliq has joined #openstack-keystone		04:29
*** pumaranikar has joined #openstack-keystone		04:32
*** topol has joined #openstack-keystone		04:34
*** ChanServ sets mode: +v topol		04:34
*** wasmum has quit IRC		04:36
*** mgagne has quit IRC		04:36
*** mgagne has joined #openstack-keystone		04:37
*** mgagne is now known as Guest73233		04:37
*** topol has quit IRC		04:39
*** wasmum has joined #openstack-keystone		04:42
*** ig0r_ has quit IRC		04:50
*** ig0r_ has joined #openstack-keystone		04:55
*** pumaranikar has quit IRC		04:55
stevemar	notmorgan: i totally forgot that keystone CLI had a "bootstrap" command: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/bootstrap/shell.py#L17-L40	05:05
*** markvoelker has joined #openstack-keystone		05:12
stevemar	jamielennox: do we need to deprecate all the plugins/sessions/auth stuff for keystoneclient, or has that already been done?	05:14
*** markvoelker has quit IRC		05:17
*** aginwala has quit IRC		05:26
*** jrist has quit IRC		05:36
*** jrist has joined #openstack-keystone		05:38
*** jrist has quit IRC		05:38
*** jrist has joined #openstack-keystone		05:38
stevemar	jamielennox: got one for ya: https://review.openstack.org/#/c/257131/	05:44
*** dims has quit IRC		05:53
*** Nirupama has joined #openstack-keystone		05:58
*** ig0r_ has quit IRC		06:12
*** alexvictorchan has joined #openstack-keystone		06:18
*** zqfan_AFK has joined #openstack-keystone		06:23
*** jimbaker` has quit IRC		06:25
*** yuanxu has joined #openstack-keystone		06:29
*** yuanxu_ has joined #openstack-keystone		06:31
*** yuanxu has quit IRC		06:32
*** yuanxu_ has quit IRC		06:32
*** gildub has quit IRC		06:49
stevemar	mordred: why is occ using code from keystoneclient.openstack.common.apiclient :O	06:49
stevemar	err, wrong occ, https://github.com/openstack/os-cloud-config	06:51
*** sudorandom has quit IRC		06:59
*** mjb has quit IRC		07:00
*** rcernin has joined #openstack-keystone		07:02
stevemar	jamielennox: around?	07:04
*** mjb has joined #openstack-keystone		07:05
*** openstackstatus has joined #openstack-keystone		07:05
*** ChanServ sets mode: +v openstackstatus		07:05
*** boris-42_ has joined #openstack-keystone		07:09
*** openstackgerrit has joined #openstack-keystone		07:10
*** jamielennox is now known as jamielennox\|away		07:12
*** markvoelker has joined #openstack-keystone		07:13
*** markvoelker has quit IRC		07:17
notmorgan	stevemar: ksc.bootstrap should die with the ksc cli	07:24
stevemar	notmorgan: it should	07:26
stevemar	notmorgan: doh, it looks like some places still use keystoneclient.middleware: http://codesearch.openstack.org/?q=from%20keystoneclient.middleware&i=nope&files=&repos=	07:33
*** sudorandom has joined #openstack-keystone		07:33
notmorgan	clearly we have gaps in testing then. there is no way that works right	07:34
notmorgan	lets spin some changeds for those before release then	07:35
*** dims has joined #openstack-keystone		07:39
*** rha has joined #openstack-keystone		07:40
*** rha has joined #openstack-keystone		07:40
*** alexvictorchan has quit IRC		07:45
*** chlong has quit IRC		07:46
stevemar	notmorgan: yeah, i'm doing that now	07:46
*** pnavarro has joined #openstack-keystone		08:01
*** pnavarro has quit IRC		08:07
*** joseppc has quit IRC		08:10
*** joseppc has joined #openstack-keystone		08:19
openstackgerrit	henry-nash proposed openstack/keystone: Support url safe restriction on new projects and domains https://review.openstack.org/256986	08:27
*** fawadkhaliq has quit IRC		08:30
*** fawadkhaliq has joined #openstack-keystone		08:31
*** fawadkhaliq has quit IRC		08:31
*** fawadkhaliq has joined #openstack-keystone		08:32
*** fhubik has joined #openstack-keystone		08:43
*** spandhe has quit IRC		08:46
*** dancn has joined #openstack-keystone		08:46
*** spandhe has joined #openstack-keystone		08:47
*** fhubik is now known as fhubik_brb		08:48
*** fawadkhaliq has quit IRC		08:49
*** fawadkhaliq has joined #openstack-keystone		08:49
*** fhubik_brb is now known as fhubik		08:53
openstackgerrit	henry-nash proposed openstack/keystone: Support url safe restriction on new projects and domains https://review.openstack.org/256986	08:57
*** fhubik is now known as fhubik_brb		09:00
stevemar	henrynash: thanks for the work :)	09:01
henrynash	stevemar: just keep swimming, just keep swimming....	09:02
stevemar	aint that the truth	09:02
stevemar	henrynash: hoping to wake up in time for our call!	09:02
stevemar	henrynash: or is it canceled with all the other holiday stuff?	09:02
henrynash	so Tammy and co wanted to present teh RTC stuff…but have had conflicting reports as to whether they will have it ready….if it’s ready, I’ll keep the call, if not, I’ll cancel	09:03
stevemar	henrynash: hmm, nate and i already spoke about that stuff last week for a solid hour	09:04
stevemar	he gave me the low down	09:04
henrynash	ok	09:05
*** marekd has joined #openstack-keystone		09:05
*** ChanServ sets mode: +v marekd		09:05
*** fhubik_brb is now known as fhubik		09:06
stevemar	henrynash: anywho, i'll show up	09:06
henrynash	if hear soft snoring, I’ll know who it is....	09:07
*** spandhe has quit IRC		09:08
stevemar	henrynash: oh it ain't soft	09:11
*** jistr has joined #openstack-keystone		09:12
henrynash	:-)	09:12
*** dancn has quit IRC		09:12
*** dancn has joined #openstack-keystone		09:12
*** markvoelker has joined #openstack-keystone		09:14
*** dancn is now known as localbip		09:16
*** rm_you has joined #openstack-keystone		09:17
*** markvoelker has quit IRC		09:18
*** localbip has quit IRC		09:18
*** dancn has joined #openstack-keystone		09:19
*** dancn has quit IRC		09:19
*** dancn has joined #openstack-keystone		09:20
*** jrist has quit IRC		09:26
*** Guest58914 is now known as BobBall		09:26
*** fhubik is now known as fhubik_brb		09:27
*** jrist has joined #openstack-keystone		09:30
*** jrist has quit IRC		09:30
*** jrist has joined #openstack-keystone		09:30
*** roxanaghe has joined #openstack-keystone		09:35
*** aix has joined #openstack-keystone		09:36
*** topol has joined #openstack-keystone		09:37
*** ChanServ sets mode: +v topol		09:37
*** mhickey has joined #openstack-keystone		09:37
*** vgridnev has joined #openstack-keystone		09:38
*** ig0r_ has joined #openstack-keystone		09:39
*** topol has quit IRC		09:41
*** dancn has quit IRC		09:45
*** fhubik_brb is now known as fhubik		09:46
*** jrist has quit IRC		09:46
*** jrist has joined #openstack-keystone		09:47
*** henrynash has quit IRC		09:49
*** roxanaghe has quit IRC		09:51
*** vgridnev has quit IRC		09:55
*** vgridnev has joined #openstack-keystone		09:56
*** jrist has quit IRC		09:57
*** jrist has joined #openstack-keystone		09:59
*** jrist has quit IRC		09:59
*** jrist has joined #openstack-keystone		09:59
*** fawadkhaliq has quit IRC		10:05
openstackgerrit	javeme proposed openstack/python-keystoneclient: remove the default arguments "{}" https://review.openstack.org/254175	10:05
*** zeus` has quit IRC		10:23
*** fawadkhaliq has joined #openstack-keystone		10:25
*** rcernin has quit IRC		10:25
breton	lbragstad: a script to reproduce the bug with trusts and fernet: http://paste.openstack.org/show/481789/	10:35
*** dancn has joined #openstack-keystone		10:45
*** dancn has quit IRC		10:55
*** dancn has joined #openstack-keystone		10:55
*** yuanxu has joined #openstack-keystone		10:55
*** yuanxu has quit IRC		10:56
*** e0ne has joined #openstack-keystone		11:05
*** fhubik is now known as fhubik_brb		11:06
*** dims has quit IRC		11:13
*** EinstCrazy has quit IRC		11:22
openstackgerrit	Marek Denis proposed openstack/keystone: Adds a base class for functional tests https://review.openstack.org/203142	11:25
*** chlong has joined #openstack-keystone		11:39
*** EinstCrazy has joined #openstack-keystone		11:44
*** vgridnev has quit IRC		11:49
*** raildo-afk is now known as raildo		12:10
*** aix has quit IRC		12:12
*** doug-fish has joined #openstack-keystone		12:23
*** doug-fish has quit IRC		12:34
*** vgridnev has joined #openstack-keystone		12:34
*** doug-fish has joined #openstack-keystone		12:39
*** vgridnev_ has joined #openstack-keystone		12:39
*** vgridnev has quit IRC		12:39
*** gordc has joined #openstack-keystone		12:44
*** markvoelker has joined #openstack-keystone		12:45
*** dims has joined #openstack-keystone		12:48
*** markvoelker has quit IRC		12:49
*** vgridnev_ has quit IRC		12:50
*** vgridnev_ has joined #openstack-keystone		12:54
*** aix has joined #openstack-keystone		12:55
*** vgridnev_ has quit IRC		13:05
*** vgridnev has joined #openstack-keystone		13:05
*** joseppc has quit IRC		13:13
*** henrynash has joined #openstack-keystone		13:24
*** ChanServ sets mode: +v henrynash		13:24
*** Nirupama has quit IRC		13:27
mordred	stevemar: it's not?	13:30
*** fhubik_brb is now known as fhubik		13:33
*** BobBall has quit IRC		13:39
*** fhubik is now known as fhubik_brb		13:46
*** jaosorior has joined #openstack-keystone		13:47
*** fhubik_brb is now known as fhubik		13:47
*** pumaranikar has joined #openstack-keystone		13:53
*** topol has joined #openstack-keystone		13:54
*** ChanServ sets mode: +v topol		13:54
*** dslevin_ has joined #openstack-keystone		13:55
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation driver interface https://review.openstack.org/209600	13:56
*** zeus has joined #openstack-keystone		13:57
*** gordc has quit IRC		13:57
*** zeus is now known as Guest83257		13:57
*** Guest83257 is now known as zeus-		13:58
*** zeus- is now known as zeus`		13:58
*** richm has joined #openstack-keystone		14:02
*** andreykurilin__ has joined #openstack-keystone		14:05
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation manager skeleton https://review.openstack.org/253124	14:09
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation manager skeleton https://review.openstack.org/253124	14:10
*** dims has quit IRC		14:11
*** gordc has joined #openstack-keystone		14:12
*** dims has joined #openstack-keystone		14:19
openstackgerrit	henry-nash proposed openstack/keystone: WIP: Add support for strict url safe option on new projects and domains https://review.openstack.org/257376	14:25
*** dims has quit IRC		14:28
openstackgerrit	Alexander Makarov proposed openstack/keystone: Trust manager using unified delegation https://review.openstack.org/257378	14:28
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation manager skeleton https://review.openstack.org/253124	14:29
*** dims has joined #openstack-keystone		14:30
openstackgerrit	henry-nash proposed openstack/keystone: WIP: Add support for strict url safe option on new projects and domains https://review.openstack.org/257376	14:30
*** pumaranikar has quit IRC		14:32
openstackgerrit	Henrique Truta proposed openstack/keystone: Tests for projects acting as domains https://review.openstack.org/211219	14:42
openstackgerrit	Henrique Truta proposed openstack/keystone: Projects acting as domains https://review.openstack.org/231289	14:42
openstackgerrit	Henrique Truta proposed openstack/keystone: Removes project.domain_id FK https://review.openstack.org/233274	14:42
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	14:42
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600	14:42
*** markvoelker has joined #openstack-keystone		14:43
*** petertr7_away is now known as petertr7		14:44
openstackgerrit	Marek Denis proposed openstack/keystone: Adds a base class for functional tests https://review.openstack.org/203142	14:47
*** jimbaker has joined #openstack-keystone		14:48
*** jimbaker has quit IRC		14:48
*** jimbaker has joined #openstack-keystone		14:48
*** zqfan_AFK has quit IRC		14:51
*** henrynash has quit IRC		14:59
*** henrynash has joined #openstack-keystone		15:00
*** ChanServ sets mode: +v henrynash		15:00
*** ig0r_ has quit IRC		15:04
*** sigmavirus24_awa is now known as sigmavirus24		15:05
dolphm	breton: do we have an existing place in the test suite for that?	15:08
*** pumaranikar has joined #openstack-keystone		15:15
*** davechen has joined #openstack-keystone		15:17
*** EinstCrazy has quit IRC		15:18
breton	dolphm: I could not figure out	15:27
*** breitz has quit IRC		15:27
*** breitz has joined #openstack-keystone		15:28
breton	we have like several places where tokens are tested	15:28
breton	and I couldn't figure out where this test should be	15:28
* breton is still debugging		15:29
openstackgerrit	Alexander Makarov proposed openstack/keystone: Trust manager using unified delegation https://review.openstack.org/257378	15:29
*** timcline has joined #openstack-keystone		15:30
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation manager skeleton https://review.openstack.org/253124	15:31
*** dslevin_ has quit IRC		15:36
*** fhubik is now known as fhubik_brb		15:37
*** fhubik_brb is now known as fhubik		15:37
*** superdan is now known as dansmith		15:38
*** flwang1 has joined #openstack-keystone		15:40
*** slberger1 has joined #openstack-keystone		15:41
*** fhubik is now known as fhubik_brb		15:42
*** r-daneel has joined #openstack-keystone		15:43
*** fhubik_brb is now known as fhubik		15:43
*** jorge_munoz has quit IRC		15:43
*** _d34dh0r53_ is now known as d34dh0r53		15:47
*** pgbridge has joined #openstack-keystone		15:50
*** fhubik is now known as fhubik_brb		15:50
*** Ephur has joined #openstack-keystone		15:51
*** fhubik_brb is now known as fhubik		15:53
*** topol has quit IRC		15:53
*** petertr7 is now known as petertr7_away		15:54
*** vgridnev has quit IRC		15:54
*** jorge_munoz has joined #openstack-keystone		15:56
*** tonytan4ever has joined #openstack-keystone		15:56
*** fhubik has quit IRC		15:56
*** 21WAAGP61 has quit IRC		15:57
*** davechen1 has joined #openstack-keystone		15:57
*** andreaf_ has joined #openstack-keystone		15:57
*** spandhe has joined #openstack-keystone		15:58
*** petertr7_away is now known as petertr7		15:58
*** davechen has quit IRC		15:59
*** jistr has quit IRC		16:03
openstackgerrit	Grzegorz Grasza (xek) proposed openstack/keystone: WIP Refactor use of oslo.db.sqlalchemy.session.EngineFacade https://review.openstack.org/257458	16:08
*** spandhe_ has joined #openstack-keystone		16:09
*** spandhe has quit IRC		16:10
*** spandhe_ is now known as spandhe		16:10
*** tonytan4ever has quit IRC		16:11
*** petertr7 is now known as petertr7_away		16:12
*** inc0 has joined #openstack-keystone		16:17
inc0	hey guys, quick question	16:17
inc0	I'm writting upgrade playbook for keystone	16:17
inc0	and way I want to do it is to do schema migration and after that restart ks one service at the time	16:18
inc0	but since you are apache backed - will that work?	16:18
inc0	also can I SIGHUP ks to reload db connections?	16:19
stevemar	inc0: should just need to restart apache	16:20
inc0	stevemar, thing is, I don't want to restart all the services at same time	16:20
stevemar	inc0: upgrade databases using keystone-manage then restart apache	16:20
inc0	this causes downtime, and it's downtime for every other service	16:20
stevemar	inc0: only keystone and horizon should be running on apache	16:21
inc0	stevemar, but everything talks to ks for auth...so if ks is down auth is down and openstack control plane is down	16:21
*** andreaf has quit IRC		16:21
*** andreaf_ is now known as andreaf		16:21
inc0	thats why i want to avoid it at all cost	16:21
stevemar	inc0: yep... i think that's a known issue	16:22
inc0	well, I think part of it can be avoided	16:23
inc0	hence my question, can ks really support rolling upgrades	16:23
*** tonytan4ever has joined #openstack-keystone		16:24
*** EinstCrazy has joined #openstack-keystone		16:25
stevemar	inc0: we can have no downtown for database migrations, that's possible	16:27
inc0	ok, so I make migration, db is new	16:28
inc0	will old services keep working?	16:28
*** csoukup has joined #openstack-keystone		16:28
stevemar	inc0: that's the plan going forward, we are http://specs.openstack.org/openstack/keystone-specs/specs/mitaka/online-schema-migration.html	16:29
stevemar	inc0: apache restart will always be needed	16:29
inc0	ok...but if I have 3 ks running on 3 nodes	16:29
inc0	if I restart one at the time, I don't have downtime then	16:30
stevemar	inc0: oh, you're assuming you are load balanced or something	16:31
inc0	yes, ofc	16:32
inc0	question tho, if I can do this safely? or should I first SIGHUP all the processes to reload db connections and only then I can safely do rolling upgrae?	16:32
*** EinstCrazy has quit IRC		16:32
stevemar	inc0: i'm not clear on what the best practices are, you could drop an email to the operators mailing list to get feedback on what other folks are doing (or join #openstack-operators)	16:37
*** dims has quit IRC		16:42
openstackgerrit	Boris Bobrov proposed openstack/keystone: Verify that user is trustee only on issuing token https://review.openstack.org/257478	16:46
*** e0ne has quit IRC		16:48
dolphm	is gerrit dog slow today for anyone else?	16:49
notmorgan	dolphm: yes	16:49
notmorgan	dolphm: -infra is looking into it	16:49
bknudson	dolphm: every once in a while gerrit slows down and they reboot it	16:49
*** jmccrory has quit IRC		16:53
*** gyee has joined #openstack-keystone		16:53
*** ChanServ sets mode: +v gyee		16:53
openstackgerrit	Henrique Truta proposed openstack/keystone: Constraint to prevent duplicates endpoints https://review.openstack.org/134095	16:54
dstanek	bknudson: java.....	16:54
bknudson	there's no memory leaks in java!	16:54
openstackgerrit	Alexander Makarov proposed openstack/keystone: Trust manager using unified delegation https://review.openstack.org/257378	16:54
dstanek	that's what the call JVM memory management sir	16:54
*** jmccrory has joined #openstack-keystone		16:55
*** topol has joined #openstack-keystone		16:55
*** ChanServ sets mode: +v topol		16:55
*** breitz has quit IRC		16:56
*** breitz has joined #openstack-keystone		16:56
*** rderose has joined #openstack-keystone		16:56
*** diazjf has joined #openstack-keystone		16:59
*** topol has quit IRC		16:59
*** ccard__ has joined #openstack-keystone		17:00
*** davechen1 is now known as davechen		17:01
*** ccard_ has quit IRC		17:02
*** pwp has joined #openstack-keystone		17:03
stevemar	dstanek: ba dum tsst!	17:05
*** thiagop has joined #openstack-keystone		17:11
openstackgerrit	Boris Bobrov proposed openstack/keystone: Verify that user is trustee only on issuing token https://review.openstack.org/257478	17:12
*** rderose has quit IRC		17:13
breton	could someone set importance of bug 1524849 please?	17:14
openstack	bug 1524849 in OpenStack Identity (keystone) "Cannot use trusts with fernet tokens" [Undecided,In progress] https://launchpad.net/bugs/1524849 - Assigned to Boris Bobrov (bbobrov)	17:14
breton	dolphm: (found a place for a test btw)	17:14
dolphm	breton: awesome! and triaged.	17:15
dolphm	breton: i'll review the patch today	17:15
breton	it turns out that a lot of components already use trusts	17:16
breton	murano, sahara do. Glance has a patch to start using them.	17:17
*** aginwala has joined #openstack-keystone		17:18
bknudson	breton: how do they know what roles to use in the trust?	17:18
breton	bknudson: I have no idea	17:19
odyssey4me	hi all, I'm trying to work on configuring an environment with the hybrid ldap/sql back-end, which seems like it should be there but doesn't seem to be working... I'm probably missing something	17:19
odyssey4me	can anyone guide me to an appropriate configuration?	17:20
*** openstackstatus has quit IRC		17:20
*** openstackstatus has joined #openstack-keystone		17:22
*** ChanServ sets mode: +v openstackstatus		17:22
breton	bknudson: https://review.openstack.org/#/c/241986/17/glance/api/v2/image_data.py they take roles from token	17:22
bknudson	breton: y, so they're not using trusts to limit roles they're using it to extend the token expiration	17:24
bknudson	:(	17:24
bknudson	I'm surprised we allow creating a trust with the same roles. what's the point?	17:27
breton	bknudson: yep. We discussed it at the summit, and they should not do what they're doing.	17:29
*** pwp has quit IRC		17:31
*** petertr7_away is now known as petertr7		17:31
*** tpeoples has joined #openstack-keystone		17:31
*** raies has joined #openstack-keystone		17:32
raies	hi anyone arround	17:32
*** e0ne has joined #openstack-keystone		17:34
raies	I started deploying icehouse manualy	17:34
*** doug-fish has quit IRC		17:35
breton	icehouse? Oh.	17:35
raies	I I reached keystone installation, I wanted to set backend as ldap	17:35
*** doug-fish has joined #openstack-keystone		17:35
raies	As per current doc I set backend as identity and assignment also	17:35
raies	After that I don't know hw to proceed with user/role/tenant/ creation and al further steps	17:36
raies	as in sql based backend	17:36
raies	How to proceed with this ?	17:36
raies	I was folowing this doc for ldap setting - http://docs.openstack.org/admin-guide-cloud/keystone_integrate_identity_backend_ldap.html	17:39
*** doug-fish has quit IRC		17:40
*** tonytan4ever has quit IRC		17:40
*** aix has quit IRC		17:42
raies	any help on above ?	17:45
*** mhickey has quit IRC		17:49
stevemar	breton: how does https://review.openstack.org/#/c/257478/2 fix the fernet issue?	17:51
stevemar	breton: can you update the commit message on how it fixes it, it's not immediately clear on how it does	17:52
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: remove the default arguments "{}" https://review.openstack.org/254175	17:59
stevemar	dolphm: punt this one throgh https://review.openstack.org/#/c/254175/	18:00
dolphm	stevemar: +A	18:00
stevemar	dolphm: nod	18:04
stevemar	dolphm: maybe you can answer my question from above?	18:04
stevemar	dolphm: how does https://review.openstack.org/#/c/257478/2 solve the bug?	18:05
*** petertr7 is now known as petertr7_away		18:06
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation manager skeleton https://review.openstack.org/253124	18:09
dolphm	stevemar: all i know is the test makes sense, and fernet must hit that check in the new code path but not the old one because trust + impersonation + fernet test fails without the fix	18:10
openstackgerrit	Alexander Makarov proposed openstack/keystone: Trust manager using unified delegation https://review.openstack.org/257378	18:11
openstackgerrit	Alexander Makarov proposed openstack/keystone: Trust manager using unified delegation https://review.openstack.org/257378	18:11
*** andreykurilin__ has quit IRC		18:12
*** aginwala has quit IRC		18:20
*** aginwala has joined #openstack-keystone		18:20
openstackgerrit	Fernando Diaz proposed openstack/keystone: Opt-out certain Keystone Notifications https://review.openstack.org/253780	18:22
*** timcline has quit IRC		18:23
*** thiagop has quit IRC		18:27
breton	ah	18:30
breton	will add description now	18:30
stevemar	breton: thanks boss!	18:31
*** vgridnev has joined #openstack-keystone		18:31
*** flwang1 has quit IRC		18:34
*** browne has joined #openstack-keystone		18:36
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment manager using unified delegation https://review.openstack.org/257378	18:38
*** ig0r_ has joined #openstack-keystone		18:39
openstackgerrit	Alexander Makarov proposed openstack/keystone: Trust manager using unified delegation https://review.openstack.org/257378	18:40
*** aginwala has quit IRC		18:41
*** david-lyle_ has joined #openstack-keystone		18:42
*** raies has quit IRC		18:42
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment manager using unified delegation https://review.openstack.org/257527	18:42
*** spandhe has quit IRC		18:43
*** david-lyle has quit IRC		18:45
*** timcline has joined #openstack-keystone		18:47
*** gordc has quit IRC		18:48
*** dslevin_ has joined #openstack-keystone		18:48
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation model https://review.openstack.org/208488	18:55
*** doug-fish has joined #openstack-keystone		18:55
*** aginwala has joined #openstack-keystone		18:57
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation migration https://review.openstack.org/237047	18:57
*** agireud has joined #openstack-keystone		18:57
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation migration https://review.openstack.org/237047	19:00
*** doug-fish has quit IRC		19:00
*** doug-fish has joined #openstack-keystone		19:01
*** doug-fis_ has joined #openstack-keystone		19:03
*** gordc has joined #openstack-keystone		19:03
*** doug-fis_ has quit IRC		19:04
*** doug-fis_ has joined #openstack-keystone		19:04
*** gordc has quit IRC		19:04
*** doug-fish has quit IRC		19:05
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/256520	19:07
*** tonytan4ever has joined #openstack-keystone		19:09
*** gordc has joined #openstack-keystone		19:10
*** diazjf has quit IRC		19:15
*** alex_xu has quit IRC		19:15
*** alex_xu has joined #openstack-keystone		19:16
*** pwp has joined #openstack-keystone		19:18
*** EinstCrazy has joined #openstack-keystone		19:18
*** fawadkhaliq has quit IRC		19:23
*** diazjf has joined #openstack-keystone		19:23
*** roxanaghe has joined #openstack-keystone		19:24
*** EinstCrazy has quit IRC		19:25
*** woodster_ has joined #openstack-keystone		19:26
*** topol has joined #openstack-keystone		19:26
*** ChanServ sets mode: +v topol		19:26
*** petertr7_away is now known as petertr7		19:27
openstackgerrit	Boris Bobrov proposed openstack/keystone: Verify that user is trustee only on issuing token https://review.openstack.org/257478	19:27
openstackgerrit	Dan Nguyen proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call https://review.openstack.org/188184	19:30
*** gwei3 has joined #openstack-keystone		19:32
*** fangxu has joined #openstack-keystone		19:32
*** gsilvis has quit IRC		19:32
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment manager using unified delegation https://review.openstack.org/257527	19:33
openstackgerrit	Tom Cocozzello proposed openstack/keystone: List assignments with names https://review.openstack.org/249958	19:37
*** petertr7 is now known as petertr7_away		19:38
*** gsilvis has joined #openstack-keystone		19:39
openstackgerrit	werner mendizabal proposed openstack/keystone-specs: Multifactor Authentication https://review.openstack.org/130376	19:41
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment manager using unified delegation https://review.openstack.org/257527	19:42
*** gwei3 has quit IRC		19:43
*** gwei3 has joined #openstack-keystone		19:43
*** tonytan4ever has quit IRC		19:43
openstackgerrit	ayoung proposed openstack/keystone-specs: Service Catalog Subsets by ID https://review.openstack.org/160909	19:44
*** albertom has quit IRC		19:45
*** gwei3 has quit IRC		19:45
*** maxabidi has joined #openstack-keystone		19:50
*** e0ne has quit IRC		19:51
*** pwp has quit IRC		19:51
*** e0ne has joined #openstack-keystone		19:52
*** albertom has joined #openstack-keystone		19:52
*** rderose has joined #openstack-keystone		19:53
*** rderose has quit IRC		19:55
*** rderose has joined #openstack-keystone		19:55
notmorgan	stevemar: gonna take a swing at making devstack use the new bootstrap commands I think	19:58
*** tonytan4ever has joined #openstack-keystone		20:04
stevemar	notmorgan: do it up	20:06
crinkle	notmorgan: i'm trying to test out the bootstrap thing, and it seems to work but trying to use it to do things like list or create users returns "The service catalog is empty."	20:07
crinkle	notmorgan: what am I doing wrong?	20:07
*** david-lyle_ has quit IRC		20:10
*** david-lyle has joined #openstack-keystone		20:12
notmorgan	crinkle: so that bootstrap just creates an initial user	20:15
notmorgan	crinkle: so you need to still do the explicit endpoint setting after auth for the rest of things like endpoint	20:15
notmorgan	and service creation	20:15
*** raildo is now known as raildo-afk		20:15
notmorgan	crinkle: i'll spin up quick example of it here in a moment.	20:16
crinkle	notmorgan: so I still need to use the auth token to create an endpoint and service?	20:19
notmorgan	crinkle: you'll need to do an explciit endpoint auth, will be easier to show give me a moment	20:20
crinkle	notmorgan: sure	20:20
*** dslevin_ has quit IRC		20:21
stevemar	crinkle: so in the current install docs, when you first setup keystone, you gotta setup endpoints and services using the admin_token right?	20:22
notmorgan	stevemar: today that is how it is done	20:22
stevemar	notmorgan: that's why i wrote 'current install docs'!	20:22
stevemar	crinkle: if you boostrap, you should have an admin user that is capable of creating the endpoints and services, in lieu of using the admin_token, the deployer could just use the newly made admin user	20:23
*** rderose has quit IRC		20:25
crinkle	stevemar: I think I need to see notmorgan's example, because the only way I know to create an endpoint is with --os-token/--os-url or --os-password/--os-auth-url, one requires the token and one requires an endpoint already be created	20:27
stevemar	crinkle: damn! and i was so proud of my wording	20:27
crinkle	stevemar: sorry :)	20:27
stevemar	crinkle: we'll wait for notmorgan :)	20:27
stevemar	i think, in the end, this means we can remove auth_token from the pipeline by default	20:28
*** flwang1 has joined #openstack-keystone		20:28
*** dims has joined #openstack-keystone		20:29
dstanek	stevemar: notmorgan: that would be very nice and make some of my test setup scripts more readable	20:31
stevemar	dstanek: aye aye	20:31
stevemar	dstanek: but we need a way to get the IDs, otherwise scripts will still be a PITA	20:32
*** fangxu has quit IRC		20:32
crinkle	notmorgan: stevemar oh! i can do openstack token issue with the admin user and then i have what i need :)	20:32
dstanek	crinkle: right, you'll have an admin that you can use to do normal keystone operations including all the bootstrap stuff	20:33
notmorgan	crinkle: that is what i was going to be doing	20:34
notmorgan	crinkle: so.. yes	20:34
crinkle	cool, it's clicking now	20:34
crinkle	notmorgan: ty	20:34
*** Guest68185 has quit IRC		20:35
*** timcline has quit IRC		20:39
*** timcline has joined #openstack-keystone		20:40
henrynash	dstanek, stevemar, notmorgan: relatively simple refactoring to reuse existing code, that would be nice to get in: https://review.openstack.org/#/c/242513/	20:42
notmorgan	i think i'll have a fully working sub-url mounted openstack today	20:44
notmorgan	wheeeeee	20:44
* notmorgan has to fix some nova things.		20:44
notmorgan	but it's close	20:44
bknudson	related devstack change: https://review.openstack.org/#/c/193894/	20:48
bknudson	notmorgan: were you updating devstack?	20:48
stevemar	crinkle: \o/	20:49
stevemar	henrynash: looking!	20:49
henrynash	stevemar: thx	20:49
stevemar	bknudson: henrynash we need to establish guidelines on stable ABI interfaces	20:49
bknudson	stevemar: let's do it!	20:50
stevemar	bknudson: rm -rf stable_interfaces	20:50
stevemar	fixed!	20:50
henrynash	stevemar: guidelines beyond the hoops we jump though to suppoer the old driver interface?	20:51
stevemar	bknudson: henrynash https://etherpad.openstack.org/p/keystone-stable-interface-guidelines	20:52
dstanek	henrynash: legacy code is terrible :-(	20:52
notmorgan	bknudson: uhm i was planning on taking a swing at making devstack use keystone-manage bootstrap	20:52
notmorgan	bknudson: but... otherwise no changes planned	20:52
dstanek	stevemar: i have some refinements to the docs that i started to make. i could probably finish them today.	20:53
notmorgan	more eyes on https://review.openstack.org/#/c/255599/ would be useful if that is the direction we want to go	20:53
bknudson	notmorgan: do we want devstack to use path-mounted services?	20:53
notmorgan	bknudson: oh, ideally yes	20:53
stevemar	dstanek: oh sure, i just started to jot ideas here: https://etherpad.openstack.org/p/keystone-stable-interface-guidelines	20:53
notmorgan	bknudson: but i need a fully working POC first	20:53
notmorgan	bknudson: i'm close.	20:53
henrynash	stevemar: btw, how to I add tox - elegacy_drivers to jenkins?	20:53
stevemar	henrynash: we probably need a new job for it,	20:55
notmorgan	stevemar: we would need a new job	20:56
stevemar	henrynash: let me do that for you, you have enough things	20:56
henrynash	stevemar: ok, thanks :-)	20:57
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment manager using unified delegation https://review.openstack.org/257527	20:57
henrynash	stevemarL: add me as reviewer, since I’d like to know how to do it	20:57
stevemar	sure	20:57
*** gordc has quit IRC		20:58
*** henrynash has quit IRC		20:59
*** henrynash_ has joined #openstack-keystone		20:59
*** ChanServ sets mode: +v henrynash_		20:59
*** david-lyle has quit IRC		21:01
*** harlowja has quit IRC		21:04
stevemar	henrynash_: https://review.openstack.org/#/c/257566/	21:05
*** aginwala has quit IRC		21:06
*** harlowja has joined #openstack-keystone		21:07
*** david-lyle has joined #openstack-keystone		21:07
henrynash_	stevemar: what does the branch: ^(?!stable/(kilo\|liberty).*$ part mean in layout.yaml?	21:07
bknudson	henrynash_: keeps the job from running on stable branches	21:08
bknudson	the job would fail since there's no tox target for it on the old branches	21:08
henrynash_	stevemar: ah, right, got it! thx	21:08
*** dslevin_ has joined #openstack-keystone		21:09
openstackgerrit	Merged openstack/python-keystoneclient: remove the default arguments "{}" https://review.openstack.org/254175	21:10
*** tsymanczyk has joined #openstack-keystone		21:10
*** tsymanczyk is now known as Guest65915		21:10
*** harlowja_ has joined #openstack-keystone		21:11
stevemar	henrynash_: easy as 1-2-3!	21:11
henrynash_	cue that song…so-re-mi	21:12
*** david-lyle has quit IRC		21:12
henrynash_	do-re-mi even	21:12
*** harlowja has quit IRC		21:13
*** andreykurilin__ has joined #openstack-keystone		21:13
*** jamielennox\|away is now known as jamielennox		21:17
anteaya	henrynash_: I'm happy with 257566 now	21:19
anteaya	henrynash_: you ask good questions	21:19
*** e0ne has quit IRC		21:20
*** gordc has joined #openstack-keystone		21:20
henrynash_	anteya: good	21:21
*** e0ne has joined #openstack-keystone		21:23
*** aginwala has joined #openstack-keystone		21:23
*** alex_xu has quit IRC		21:25
*** alex_xu has joined #openstack-keystone		21:27
dstanek	henrynash_: what was that refactoring review you wanted me to take a look at? i just blew up my trello board so i lost priority ordering	21:35
henrynash_	dstanek: https://review.openstack.org/#/c/242513/ thanks	21:38
dstanek	henrynash_: thx	21:38
*** e0ne has quit IRC		21:40
*** fangxu has joined #openstack-keystone		21:43
openstackgerrit	Dave Chen proposed openstack/keystone: Update `developing.rst` to remove extensions stuff https://review.openstack.org/257573	21:45
*** alex_xu has quit IRC		21:45
davechen	stevemar: fyi, i did something in devstack to remove the support for keystone extensions - https://review.openstack.org/#/c/257548/	21:47
*** alex_xu has joined #openstack-keystone		21:48
openstackgerrit	Dan Nguyen proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call https://review.openstack.org/188184	21:50
stevemar	thanks davechen, i'll look soon	21:51
*** chlong has quit IRC		21:51
*** petertr7_away is now known as petertr7		21:53
davechen	stevemar: i am not asking for review, keep your eyes on something important, just a heads up. :)	21:56
*** opilotte_ has quit IRC		22:04
*** opilotte_ has joined #openstack-keystone		22:05
*** timcline has quit IRC		22:07
*** opilotte_ has quit IRC		22:09
*** opilotte_ has joined #openstack-keystone		22:11
*** aginwala has quit IRC		22:14
*** jasonsb has quit IRC		22:16
openstackgerrit	Ken'ichi Ohmichi proposed openstack/keystone: Enable os_inherit of Keystone v3 API https://review.openstack.org/257580	22:16
*** aginwala has joined #openstack-keystone		22:22
*** gildub has joined #openstack-keystone		22:26
*** petertr7 is now known as petertr7_away		22:26
*** rdo has quit IRC		22:28
*** rdo has joined #openstack-keystone		22:30
*** EinstCrazy has joined #openstack-keystone		22:36
*** lhcheng has joined #openstack-keystone		22:36
*** ChanServ sets mode: +v lhcheng		22:36
*** vgridnev has quit IRC		22:38
*** david-lyle has joined #openstack-keystone		22:39
*** tonytan4ever has quit IRC		22:40
*** EinstCrazy has quit IRC		22:42
*** jasonsb has joined #openstack-keystone		22:45
*** lhcheng has quit IRC		22:46
*** lhcheng has joined #openstack-keystone		22:46
*** ChanServ sets mode: +v lhcheng		22:46
*** agireud has quit IRC		22:50
*** diazjf has quit IRC		22:51
*** lhcheng has quit IRC		22:51
*** jamielennox is now known as jamielennox\|away		23:01
stevemar	henrynash_: your patches for using the assignment table were wonderful to review!	23:01
*** jamielennox\|away is now known as jamielennox		23:01
openstackgerrit	Jorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects. https://review.openstack.org/253273	23:03
openstackgerrit	Jorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects. https://review.openstack.org/253273	23:03
*** chlong has joined #openstack-keystone		23:05
*** gordc has quit IRC		23:09
openstackgerrit	Dan Nguyen proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call https://review.openstack.org/188184	23:15
*** doug-fis_ has quit IRC		23:18
*** doug-fish has joined #openstack-keystone		23:18
*** csoukup has quit IRC		23:19
*** doug-fis_ has joined #openstack-keystone		23:20
*** doug-fis_ has quit IRC		23:21
*** doug-fis_ has joined #openstack-keystone		23:22
*** jasonsb has quit IRC		23:22
*** sigmavirus24 is now known as sigmavirus24_awa		23:22
*** doug-fish has quit IRC		23:23
*** davechen has left #openstack-keystone		23:24
*** pumaranikar has quit IRC		23:31
*** pumaranikar has joined #openstack-keystone		23:32
*** jasonsb has joined #openstack-keystone		23:34
stevemar	gyee: is this patch resolved? https://bugs.launchpad.net/keystone/+bug/1437407	23:38
openstack	Launchpad bug 1437407 in OpenStack Identity (keystone) "With using V3 cloud admin policy, domain admin unable to list role assignment for projects in his domain" [Medium,In progress] - Assigned to Guang Yee (guang-yee)	23:38
*** pumaranikar has quit IRC		23:39
*** jasonsb has quit IRC		23:39
openstackgerrit	ayoung proposed openstack/keystone: Updated Cloudsample https://review.openstack.org/240720	23:39
*** jasonsb has joined #openstack-keystone		23:41
*** doug-fis_ has quit IRC		23:43
*** maxabidi has quit IRC		23:44
*** aginwala has quit IRC		23:51
*** slberger1 has left #openstack-keystone		23:52
*** aginwala has joined #openstack-keystone		23:54
*** pumaranikar has joined #openstack-keystone		23:54
*** markvoelker has quit IRC		23:55
*** jaosorior has quit IRC		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!