Tuesday, 2015-12-15

gyeestevemar, we are still verifying henrynash patches, but look promising so far00:01
*** pumaranikar has quit IRC00:01
*** zqfan_AFK has joined #openstack-keystone00:10
*** EinstCrazy has joined #openstack-keystone00:23
*** EinstCrazy has quit IRC00:25
*** gildub has quit IRC00:25
*** topol has quit IRC00:29
*** pgbridge has quit IRC00:30
*** r-daneel has quit IRC00:47
openstackgerritayoung proposed openstack/keystone: Add is_admin_project check to policy.json  https://review.openstack.org/25763600:55
*** markvoelker has joined #openstack-keystone00:56
*** EinstCrazy has joined #openstack-keystone00:58
openstackgerritayoung proposed openstack/keystone: Add is_admin_project check to policy.json  https://review.openstack.org/25763600:59
*** markvoelker has quit IRC01:01
*** jasonsb has quit IRC01:01
*** andreykurilin__ has quit IRC01:02
*** openstack has joined #openstack-keystone01:06
openstackgerritayoung proposed openstack/keystone: Updated Cloudsample  https://review.openstack.org/24072001:11
*** gyee has quit IRC01:17
*** yangyapeng has joined #openstack-keystone01:25
*** yangyapeng has quit IRC01:30
notmorganhuh no ayoung01:32
notmorganstevemar, bknudson, almost have a fully working suburl cloud01:32
notmorgangonna write up the configuration shortly, but this makes me happy01:33
stevemarnotmorgan: noice01:33
notmorganrunning into neutron issues01:33
notmorganbut meh01:33
notmorganhave some help from cburgess coming to get a basic neutron lined up01:33
notmorganstevemar: then we can actually explore support of a proper cookie [with some inter-server changes] for auth to the API endpoint01:34
notmorgani'd like to get devstack to support suburl deployments as well01:34
notmorgankrotscheck: ping ^ how does suburl (api.tempusfrangit.org/<service>) sound to you?01:35
notmorgankrotscheck: makes the cors stuff less important and we can do cooler things with auth :)01:35
*** markvoelker has joined #openstack-keystone01:37
stevemarbknudson: you thinking about making a "keystone-uwsgi-public.ini" file in keystone?02:09
jamielennoxstevemar, bknudson: i don't think we should support this upstream02:09
stevemarjamielennox: using uwsgi? why no?02:10
stevemarnot?02:10
jamielennoxi just think it's too much we have to test against02:10
*** aginwala has quit IRC02:10
jamielennoxi don't know if we should replicate all the testing02:11
openstackgerritThomas Hsiao proposed openstack/keystone: Validate domain for DB-based domain config. CRUD  https://review.openstack.org/25688902:11
*** aginwala has joined #openstack-keystone02:14
*** gissi has quit IRC02:14
*** csoukup has joined #openstack-keystone02:15
*** gissi has joined #openstack-keystone02:15
*** jasonsb has joined #openstack-keystone02:16
*** browne has quit IRC02:16
stevemardstanek: more comments and questions here about stable interface docs: https://etherpad.openstack.org/p/keystone-stable-interface-guidelines02:18
*** csoukup has quit IRC02:19
*** mtreinish has quit IRC02:20
*** mtreinish has joined #openstack-keystone02:20
stevemarnotmorgan: this might be of interest to you: https://review.openstack.org/#/c/193894/402:21
*** jasonsb has quit IRC02:21
dstanekstevemar: just updated with the answers02:21
*** fangxu has quit IRC02:22
*** iurygregory has quit IRC02:27
*** ericksonsantos has quit IRC02:28
*** ericksonsantos has joined #openstack-keystone02:29
*** iurygregory has joined #openstack-keystone02:29
openstackgerritMerged openstack/keystone: Changed the key repo validation to allow read only  https://review.openstack.org/25673602:44
notmorganstevemar: that is somewhat interesting02:45
notmorganstevemar: and def. in line with the stuff i'm working on02:45
notmorganstevemar: stupid neutron being hard to configure :P02:45
*** Guest65915 has quit IRC02:45
stevemari hear it is a pain02:45
notmorganjamielennox: uwsgi is a beast of config options02:45
notmorganjamielennox: but it is super useful for isolated eventlet-like testing02:46
notmorganjamielennox: i'd recommend supporting it, but honestly, I'm apathetic on the server side at the moment02:46
*** richm has quit IRC02:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605302:48
jamielennoxnotmorgan: i understand wanting something that launches a process to have a LB do the apache stuff02:48
jamielennoxbut uwsgi is not exactly easy02:49
notmorganjamielennox: uwsgi is actually pretty easy if you boil off the cruft we don't care about and treat it like eventlet.02:49
jamielennoxassuming we're still dumping eventlet02:49
jamielennoxwhy would we pick uwsgi over ~10 others02:49
notmorganif we aren't dumping eventlet in keystone, i am done with the server02:50
*** aginwala has quit IRC02:50
jamielennoxnotmorgan: it's dumped02:50
jamielennoxnotmorgan: but getting rid of it means that anything wsgi should be able to serve it02:50
notmorganso, uwsgi is nice because it provides a HTTP interface if needed02:50
jamielennoxlets just not bother02:50
*** aginwala has joined #openstack-keystone02:50
notmorganand can run on unix sockets02:50
notmorganactually02:51
notmorganhold up02:51
notmorgani wouldn't make a custom uwsgi ini02:51
jamielennoxhttp://wsgi.readthedocs.org/en/latest/servers.html02:51
notmorganyeah no02:51
notmorganlet's document any key things needed to run uwsgi in our docs02:52
notmorganwe can have devstack deploy uwsgi if we want02:52
notmorgan(not a bad idea)02:52
notmorganbut we don't need an ini in our tree02:52
jamielennoxlet's say *hand wave* wsgi02:52
notmorganand our wsgi app.py should work with almost any wsgi (file a bug if it doesnt) container02:52
jamielennoxi don't think we do anything that is mod_wsgi specific02:52
notmorganwe don't02:53
jamielennoxi'm happy for people to use uwsgi, lets document things like the environment variables that go into the application, and not support a specific wsgi server02:54
notmorganjamielennox: ++ that is good02:54
notmorganyeah if someone is proposing we support a uwsgi.ini -- NO.02:54
jamielennoxoo, another vital video to watch for onboarding02:54
jamielennoxnotmorgan: i think bknudson is proposing it to devstack, i don't think there is a keystone component to that02:54
jamielennoxi'm just not sure what point there is to the devstack support, who's going to run it to test02:55
notmorgansure and in devstack is fine02:55
notmorgani think we should move to uwsgi in devstack02:55
jamielennoxmeh - apache is fine02:55
jamielennoxdevstack should be what we suggest02:55
notmorganwell there is another reason for uwsgi02:56
jamielennoxand unless haproxy suddenly learnt how to do all the mod_auth_X then we still recommend apache as the container02:56
notmorganactually i would still use apache02:56
notmorganin all those cases02:56
notmorganspecifically for SSL offload02:56
*** woodster_ has quit IRC02:56
*** gildub has joined #openstack-keystone02:57
jamielennoxme too, but people have lots of opinions on this stuff02:57
*** fawadkhaliq has joined #openstack-keystone02:59
stevemarnotmorgan: btw https://review.openstack.org/#/c/257131/02:59
stevemarnotmorgan: and if you have a minute... https://review.openstack.org/#/c/256257/03:00
stevemari should really add tests for that though03:00
notmorganjamielennox: so my ideal world: [Internet] -> [tls(HAProxy + Auth_Token)] -> [[tls(Apache)] -> [uwsgi(service)]] [via unix socket]03:00
jamielennoxauth_token in haproxy03:02
jamielennoxinteresting03:02
jamielennoxbut why apache -> uwsgi03:02
openstackgerritThomas Hsiao proposed openstack/keystone: Validate domain for DB-based domain config. CRUD  https://review.openstack.org/25688903:08
*** jasonsb has joined #openstack-keystone03:11
notmorganbecause it allows fore restarting the services independent of apache03:17
notmorganfor*03:17
notmorganand uwsgi talks sockets among other tunables that gunicorn and the like does not03:17
notmorgan(gunicorn might do sockets)03:17
notmorganbut apache and nginx talk uwsgi protocol (not HTTP) to the server. it's a bit better overall03:17
notmorganand uwsgi plays MUCH better with venvs03:18
jamielennoxnotmorgan: i'm not convinced on the venv article03:19
notmorganmod_wsgi does not play well with venvs03:19
jamielennoxi mean i get it, and i don't like using docker as an answer to stuff, but docker03:19
notmorgansure.03:19
notmorganthe venv bit is just a nice-to-have03:19
*** topol has joined #openstack-keystone03:19
*** ChanServ sets mode: +v topol03:19
*** EinstCrazy has quit IRC03:20
* notmorgan is also not really sold on the whole docker running <keystone> for example03:20
notmorgani would like apache to talk unix socket uwsgi protocol03:20
notmorganrather than TCP HTTP03:20
*** browne has joined #openstack-keystone03:20
notmorganit also means we have clearer control over the data path - you can't circumvent as easily even on localhost the TLS / validating03:21
notmorganvalidation03:21
jamielennoxwell containing keystone might be a good reason for the haproxy managing mod_aux_x03:21
jamielennoxmod_wsgi daemon mode is a domain socket isn't it03:21
*** EinstCrazy has joined #openstack-keystone03:21
jamielennoxunix socket03:21
jamielennoxwhatever03:21
notmorganyou know it might be03:21
notmorganbut i very much want mod_wsgi out of the picture03:21
jamielennoxafaik you can't reboot it03:22
notmorganbeing able to restart services separate from apache is a win03:22
jamielennoxlike independent of apache - but meh03:22
notmorganor nginx03:22
notmorganyeah03:22
jamielennoxto my mind this is haproxy's problem03:22
notmorganmod_wsgi owns the process03:22
notmorganagain, not sold on apache owning that03:22
jamielennoxhaproxy -> apache (mod_wsgi) -> process03:22
notmorganbut in docker model sure03:22
jamielennoxrestart apache is fine because haproxy is doing that same handoff03:22
notmorganeh sortof03:23
notmorgandepends if you use docker or not03:23
notmorganin non-containerized world03:23
notmorgana restart of apache affects all SSL offloaded/TLS internal services on the box03:23
notmorganand a lot (LOT) of deployments use combined controllers03:23
jamielennoxwhat else are you running on the keystone box03:23
notmorganif we containerize the APIs it's less of an issue03:23
*** topol has quit IRC03:23
notmorganoh oh move keystone off?03:24
notmorgansure03:24
notmorganfrom a pure security standpoint that is nice03:24
*** aginwala has quit IRC03:24
notmorganthe way i'm running HA Proxy is 2 binds, internal and external03:24
notmorganexternal will do ATM offload03:25
notmorganinternal will do "are you really X service? ok pass authz through"03:25
*** yangyapeng has joined #openstack-keystone03:25
jamielennoxstill think that should just be dns, but ok03:26
notmorganfor what it is worth, HAProxy seems to do much better talking to keystone than the services do03:26
notmorganuhm. how does DNS provide validation ?03:26
notmorganservice -[client cert]->[HAproxy, so L7/non-port-based-access-works]->[other service]03:27
notmorganwas my thought03:27
*** aginwala has joined #openstack-keystone03:28
notmorganand HAProxy would just do client cert auth before passing the request on.03:28
notmorganprevents accidental traffic leaking (VLAN/VXLAN) from affecting changes03:28
notmorganmaybe i'm over thinking the internal security bit03:29
* notmorgan shrugs.03:29
notmorganHAProxy can also just do the same L7 stuff to make the catalog consistent for internal urls03:29
openstackgerritSteve Martinelli proposed openstack/keystone: fix up release notes, file deprecations under right title  https://review.openstack.org/25623503:29
stevemarnotmorgan: ^03:29
notmorganthat doesn't need to offload auth to keystone (can be done via ANYCAST if we wanted?)03:30
notmorganstevemar: uhm sure?03:31
stevemarnotmorgan: i just need someone to look at it :P03:31
stevemarand you're active atm03:31
notmorgandon't we have a reno job jenkins runs?03:31
stevemarnotmorgan: we do!03:31
*** pgbridge has joined #openstack-keystone03:33
*** ccard__ has quit IRC03:35
*** tsymanczyk has joined #openstack-keystone03:37
jamielennoxnotmorgan: not validation, just internal/external distinction03:37
*** tsymanczyk is now known as Guest1190503:37
notmorganjamielennox: sure.03:37
notmorganjamielennox: still needs L7 mangling03:38
notmorganbut sure, easy enough to DNS it up or use internal_url + dns03:38
jamielennoxnotmorgan: with auth plugins in the backends here we can do catalog however you setup the plugin03:40
notmorgansure03:40
notmorgani'd still use the catalog + L7 mangling to direct to <not-on-random-port> for service->service03:40
*** ccard__ has joined #openstack-keystone03:47
*** flwang1 has quit IRC03:49
*** david-lyle has quit IRC03:50
*** Guest11905 has quit IRC03:51
*** markvoelker has quit IRC03:52
*** aginwala has quit IRC03:53
*** aginwala has joined #openstack-keystone03:54
*** aginwala has quit IRC03:56
*** david-lyle has joined #openstack-keystone03:58
krotschecknotmorgan: Suburl is meh. I'm addressing the use case of N > 1 UI's hosted to meet different use cases.03:59
krotscheckNever assume there's only one UI.04:00
*** krotscheck is now known as krotscheck_vaca04:00
notmorgankrotscheck: hah i figured you'd respond when you got home04:00
notmorgan:P04:00
notmorgankrotscheck_vaca: i'll argue suburl with you at a different point. [this is not for dashboards]04:00
*** david-lyle has quit IRC04:01
*** david-lyle has joined #openstack-keystone04:02
*** links has joined #openstack-keystone04:07
*** boris-42_ has quit IRC04:13
*** tsymanczyk has joined #openstack-keystone04:18
*** tsymanczyk is now known as Guest5029104:18
*** openstackstatus has quit IRC04:24
*** openstack has joined #openstack-keystone04:24
*** openstackstatus has joined #openstack-keystone04:25
*** ChanServ sets mode: +v openstackstatus04:25
*** Guest50291 has quit IRC04:45
*** aginwala has joined #openstack-keystone04:49
*** markvoelker has joined #openstack-keystone04:53
*** markvoelker has quit IRC04:57
*** aginwala has quit IRC04:59
*** aginwala has joined #openstack-keystone05:24
*** Ephur has quit IRC05:33
*** dims has quit IRC05:41
openstackgerritguang-yee proposed openstack/keystone: Validate domain for DB-based domain config. CRUD  https://review.openstack.org/25688905:51
*** pgbridge has quit IRC05:58
*** Nirupama has joined #openstack-keystone05:58
*** roxanagh_ has joined #openstack-keystone05:59
*** rm_work has quit IRC05:59
*** tsymanczyk has joined #openstack-keystone06:00
openstackgerritMerged openstack/keystone: Verify that user is trustee only on issuing token  https://review.openstack.org/25747806:00
*** tsymanczyk is now known as Guest983706:01
openstackgerritguang-yee proposed openstack/keystone: Validate domain for DB-based domain config. CRUD  https://review.openstack.org/25688906:01
*** Guest95273 has quit IRC06:06
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327306:09
*** btully has joined #openstack-keystone06:10
openstackgerritKen'ichi Ohmichi proposed openstack/keystone: Enable os_inherit of Keystone v3 API  https://review.openstack.org/25758006:10
openstackgerritKen'ichi Ohmichi proposed openstack/keystone: Add inherited to ldap list_domain_ids_for_user()  https://review.openstack.org/25768206:10
*** rm_work has joined #openstack-keystone06:22
*** aginwala has quit IRC06:27
*** Guest9837 has quit IRC06:28
*** aginwala has joined #openstack-keystone06:30
*** vgridnev has joined #openstack-keystone06:37
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605306:50
*** markvoelker has joined #openstack-keystone06:54
*** tsymanczyk has joined #openstack-keystone06:55
*** tsymanczyk is now known as Guest5206606:55
*** dims has joined #openstack-keystone06:56
stevemarjamielennox: you would know better than i... are the auth plugins and session code deprecated in KSC yet?06:57
stevemaror are we waiting for more KSA adoption06:57
stevemarprobably that06:57
jamielennoxstevemar: they're not marked as such06:57
jamielennoxstevemar: we can probably do it now06:57
jamielennoxi don't think there is anything else we are waiting for06:58
stevemarhmm OK06:58
stevemari'll add it to the meeting06:58
*** markvoelker has quit IRC06:58
stevemarmaybe some sucker, i mean awesome person will do it06:58
stevemarjamielennox: if you're bored during orientation: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/deprecated-as-of-mitaka,n,z07:02
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/25555307:25
*** dims has quit IRC07:26
*** roxanagh_ has quit IRC07:26
openstackgerritMerged openstack/keystone: Add Trusts unique constraint to remove duplicates  https://review.openstack.org/23911407:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605307:30
*** Guest52066 has quit IRC07:32
*** fangxu has joined #openstack-keystone07:34
*** tsymanczyk has joined #openstack-keystone07:36
*** tsymanczyk is now known as Guest6382807:37
*** Guest63828 has quit IRC07:43
*** dims_ has joined #openstack-keystone07:45
*** urulama has joined #openstack-keystone07:48
*** dims_ has quit IRC08:01
*** aginwala has quit IRC08:07
*** vgridnev has quit IRC08:07
*** dims_ has joined #openstack-keystone08:09
*** fangxu has quit IRC08:11
*** btully has quit IRC08:12
*** agireud has joined #openstack-keystone08:17
*** browne has quit IRC08:18
*** vgridnev has joined #openstack-keystone08:23
*** agireud has quit IRC08:24
*** roxanagh_ has joined #openstack-keystone08:27
*** roxanagh_ has quit IRC08:31
*** pnavarro has joined #openstack-keystone08:31
*** agireud has joined #openstack-keystone08:31
*** dims_ has quit IRC08:41
*** tsymanczyk has joined #openstack-keystone08:43
*** tsymanczyk is now known as Guest966408:43
openstackgerritKen'ichi Ohmichi proposed openstack/keystone: Enable os_inherit of Keystone v3 API  https://review.openstack.org/25758008:50
openstackgerritKen'ichi Ohmichi proposed openstack/keystone: Enable os_inherit of Keystone v3 API  https://review.openstack.org/25758008:52
*** oomichi has joined #openstack-keystone08:55
*** markvoelker has joined #openstack-keystone08:55
*** vgridnev has quit IRC08:55
*** jistr has joined #openstack-keystone08:56
*** markvoelker has quit IRC08:59
*** fhubik has joined #openstack-keystone08:59
*** Guest9664 has quit IRC09:03
*** tsymancz1k has joined #openstack-keystone09:04
*** dims has joined #openstack-keystone09:21
*** mhickey has joined #openstack-keystone09:25
*** roxanagh_ has joined #openstack-keystone09:28
*** roxanagh_ has quit IRC09:32
*** roxanaghe has quit IRC09:33
*** lhcheng has joined #openstack-keystone09:41
*** ChanServ sets mode: +v lhcheng09:41
*** openstackgerrit has quit IRC09:47
*** openstackgerrit has joined #openstack-keystone09:47
*** e0ne has joined #openstack-keystone09:48
*** agireud has quit IRC09:49
*** agireud has joined #openstack-keystone09:52
*** wanghua has quit IRC09:53
*** fhubik has quit IRC09:59
*** e0ne has quit IRC09:59
*** agireud has quit IRC09:59
*** roxanaghe has joined #openstack-keystone10:00
*** e0ne has joined #openstack-keystone10:00
openstackgerritMerged openstack/keystone: Add API route for list role assignments for tree  https://review.openstack.org/22045210:01
*** aix has joined #openstack-keystone10:01
*** vgridnev has joined #openstack-keystone10:05
*** roxanaghe has quit IRC10:06
*** agireud has joined #openstack-keystone10:09
*** miguelgrinberg has quit IRC10:20
openstackgerritShu Muto proposed openstack/python-keystoneclient-kerberos: Drop py33 support  https://review.openstack.org/25780710:22
*** agireud has quit IRC10:22
*** aix has quit IRC10:26
*** wanghua has joined #openstack-keystone10:27
*** aix has joined #openstack-keystone10:28
*** agireud has joined #openstack-keystone10:28
*** zqfan_AFK has quit IRC10:31
*** openstackgerrit has quit IRC10:32
bretonAlthough it is already fixed, could someone triage https://bugs.launchpad.net/keystone/+bug/1525219 please?10:32
openstackLaunchpad bug 1525219 in OpenStack Identity (keystone) "Trust-scoped user requests failed while using fernet tokens" [Undecided,Fix committed] - Assigned to Boris Bobrov (bbobrov)10:32
*** openstackgerrit has joined #openstack-keystone10:32
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605310:33
*** agireud has quit IRC10:34
*** fhubik has joined #openstack-keystone10:34
*** fhubik is now known as fhubik_brb10:34
*** fhubik_brb is now known as fhubik10:35
*** gildub has quit IRC10:46
*** fhubik is now known as fhubik_brb10:48
*** agireud has joined #openstack-keystone10:48
*** yangyapeng has quit IRC10:52
*** EinstCrazy has quit IRC10:54
*** markvoelker has joined #openstack-keystone10:55
*** markvoelker has quit IRC11:00
*** fhubik_brb is now known as fhubik11:00
*** roxanaghe has joined #openstack-keystone11:03
*** tsymancz1k has quit IRC11:07
*** roxanaghe has quit IRC11:08
*** lhcheng_ has joined #openstack-keystone11:11
*** lhcheng has quit IRC11:13
*** dims has quit IRC11:15
*** EinstCrazy has joined #openstack-keystone11:18
*** ig0r_ has quit IRC11:20
*** lhcheng_ has quit IRC11:20
*** lhcheng_ has joined #openstack-keystone11:21
*** lhcheng has joined #openstack-keystone11:22
*** ChanServ sets mode: +v lhcheng11:22
*** lhcheng_ has quit IRC11:25
*** sborkows has joined #openstack-keystone11:31
*** fhubik has quit IRC11:47
*** fhubik has joined #openstack-keystone11:50
*** roxanaghe has joined #openstack-keystone12:05
*** roxanaghe has quit IRC12:09
*** fawadkhaliq has quit IRC12:13
*** fawadkhaliq has joined #openstack-keystone12:21
*** tsymanczyk has joined #openstack-keystone12:22
*** tsymanczyk is now known as Guest2339712:23
*** fawadkhaliq has quit IRC12:23
*** fawadkhaliq has joined #openstack-keystone12:23
*** fhubik_ has joined #openstack-keystone12:25
*** fhubik_ is now known as fhubik_brb12:25
*** fhubik has quit IRC12:28
*** urulama has quit IRC12:34
*** urulama has joined #openstack-keystone12:34
*** EinstCrazy has quit IRC12:35
*** doug-fish has joined #openstack-keystone12:35
*** EinstCrazy has joined #openstack-keystone12:36
*** dims has joined #openstack-keystone12:39
*** markvoelker has joined #openstack-keystone12:41
*** pnavarro has quit IRC12:45
*** gordc has joined #openstack-keystone12:45
*** markvoelker has quit IRC12:46
*** dims has quit IRC12:51
*** fawadkhaliq has quit IRC13:03
*** oomichi has quit IRC13:03
*** markvoelker has joined #openstack-keystone13:04
*** roxanaghe has joined #openstack-keystone13:06
*** links has quit IRC13:09
*** mkoderer_ has quit IRC13:11
*** roxanaghe has quit IRC13:12
*** mkoderer has joined #openstack-keystone13:13
openstackgerritnandal proposed openstack/keystone: Removed Unused variable request  https://review.openstack.org/25788713:15
*** Nirupama has quit IRC13:17
*** henrynash_ has quit IRC13:21
*** raildo-afk is now known as raildo13:22
*** petertr7_away has quit IRC13:23
*** petertr7_away has joined #openstack-keystone13:24
*** petertr7_away is now known as petertr713:24
*** breitz has quit IRC13:31
*** breitz has joined #openstack-keystone13:32
*** e0ne has quit IRC13:34
*** e0ne has joined #openstack-keystone13:35
*** petertr7 has quit IRC13:38
*** petertr7_away has joined #openstack-keystone13:43
*** petertr7_away is now known as petertr713:43
*** martinus__ has quit IRC13:45
*** martinus__ has joined #openstack-keystone13:49
*** opilotte_ has quit IRC13:50
*** links has joined #openstack-keystone13:51
*** aix has quit IRC13:52
*** opilotte_ has joined #openstack-keystone13:57
*** fawadkhaliq has joined #openstack-keystone14:00
openstackgerritMerged openstack/keystone: Updated Cloudsample  https://review.openstack.org/24072014:01
*** rcernin has joined #openstack-keystone14:02
*** aix has joined #openstack-keystone14:05
*** roxanaghe has joined #openstack-keystone14:07
*** richm has joined #openstack-keystone14:09
*** e0ne has quit IRC14:12
*** roxanaghe has quit IRC14:14
*** csoukup has joined #openstack-keystone14:16
*** fhubik_brb is now known as fhubik_14:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605314:19
*** pnavarro has joined #openstack-keystone14:21
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995814:24
*** edmondsw has joined #openstack-keystone14:24
*** edmondsw has quit IRC14:28
*** topol has joined #openstack-keystone14:29
*** ChanServ sets mode: +v topol14:29
*** topol has quit IRC14:30
*** dims has joined #openstack-keystone14:34
bretonso14:36
bretonAdam gets the 968696 t-shirt?14:36
amakarovbreton, this time it can be a scarf across the neck :)14:37
bretonbug 96869614:38
openstackbug 968696 in neutron ""admin"-ness not properly scoped" [Undecided,Triaged] https://launchpad.net/bugs/96869614:38
bretonoh, ok, only for keystone.14:38
*** fawadkhaliq has quit IRC14:39
amakarovbreton, maybe a baseball bat with the inscription then14:39
*** dslevin_ has quit IRC14:42
*** pumaranikar has joined #openstack-keystone14:57
*** links has quit IRC14:58
*** alex_xu has quit IRC14:58
*** links has joined #openstack-keystone14:59
*** pumaranikar has quit IRC14:59
*** pumaranikar has joined #openstack-keystone15:00
*** dims has quit IRC15:00
*** inc0 has quit IRC15:00
*** alex_xu has joined #openstack-keystone15:04
*** aix has quit IRC15:09
*** aix has joined #openstack-keystone15:09
*** topol has joined #openstack-keystone15:10
*** ChanServ sets mode: +v topol15:10
*** roxanaghe has joined #openstack-keystone15:10
*** boris-42_ has joined #openstack-keystone15:12
*** e0ne has joined #openstack-keystone15:12
*** sigmavirus24_awa is now known as sigmavirus2415:14
*** roxanaghe has quit IRC15:15
*** davechen has joined #openstack-keystone15:19
*** timcline has joined #openstack-keystone15:20
*** vgridnev has quit IRC15:26
*** btully has joined #openstack-keystone15:28
*** slberger has joined #openstack-keystone15:29
*** doug-fish has quit IRC15:30
*** tonytan4ever has joined #openstack-keystone15:51
*** fhubik_ is now known as fhubik_brb15:51
*** kairat has joined #openstack-keystone15:55
*** fhubik_brb is now known as fhubik_15:58
*** rcernin has quit IRC15:58
*** mfedosin has joined #openstack-keystone15:59
*** raorn has joined #openstack-keystone15:59
kairatstevemar, ping16:00
*** sborkows has quit IRC16:02
kairatstevemar, if you have some time could you please help us (glance) with questions regarding keystoneauth module (https://review.openstack.org/#/c/241986/15/glance/common/trust_auth.py)16:02
*** jaosorior has joined #openstack-keystone16:03
kairatit seems that there is no way to load trust-scoped auth_plugin when using this module16:03
*** diazjf has joined #openstack-keystone16:07
stevemarkairat: sure, i saw that request yesterday and forgot about it16:10
stevemarkairat: i was working with mfedosin on it earlier16:10
*** roxanaghe has joined #openstack-keystone16:11
stevemarif any other keystoners want to take a look, they are welcome to: https://review.openstack.org/#/c/241986/ cc jamielennox dstanek bknudson lhcheng dolphm16:11
stevemarwe can help our glance peers :)16:11
bknudsonwhy does glance need to use trusts?16:14
kairatbecause glance has registry16:14
kairatit requires authorization16:14
bknudsonthe user sends you a token, use that.16:15
bknudsonor get your own token16:15
*** roxanaghe has quit IRC16:15
mfedosinbknudson: after image upload user token may expire16:15
bknudsonI don't think this was the reason that trusts were added.16:16
bknudsonwe discussed some other possible solutions at the summit ...16:16
bknudsonnot sure what happened to the implementation. I guess people got busy with other things.16:16
mfedosinI know about service tokens16:16
mfedosinbut it's not a solution in current implementation16:17
bknudsonthe solutions that were discussed were to allow extending the token lifetime, or allowing use of an expired token (given a service token)16:17
mfedosinbecause we can't get original user info with expired token16:18
bknudsonright, using the service token is going to require changes in keystone16:19
mfedosinand trusts considered to be the only one solution until service tokens will be improved16:19
mfedosinwe mentioned this in our spec16:19
bknudsonok, but now you're having problems with trusts, so apparently that requires improvements, too.16:20
*** topol has quit IRC16:21
*** pnavarro has quit IRC16:21
mfedosinthe improvements are obvious16:21
mfedosinwe just need an ability to load a session with trust16:22
*** pgbridge has joined #openstack-keystone16:22
mfedosinwe can implement a workaround in glance for it, but it's better to do in keystoneauth, I think16:22
bknudsonI agree keystoneauth is the right place for it.16:23
stevemarmfedosin: bknudson what's the trouble with using trusts?16:32
mfedosinstevemar: it's in keystoneauth loading module16:33
mfedosinwe can't load a session from config and provide a trust_id there16:34
*** fhubik_ is now known as fhubik_brb16:36
*** browne has joined #openstack-keystone16:37
stevemarmfedosin: uh oh - did you submit a patch to ksa? or not sure what to fix there?16:37
mfedosinstevemar: not yet16:38
mfedosinthis exception is raised in this case https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3/base.py#L158-L16116:38
mfedosinsorry, this one https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/base.py#L134-L13716:39
mfedosinI will try to fix it tomorrow16:40
*** flwang1 has joined #openstack-keystone16:41
stevemarmfedosin: what's the issue with that?16:46
stevemarit should be either domain or project or trust16:46
mfedosinwhen we load a session from config, project_id is there. if we additionally provide trust_id, then keystoneauth loads both and after any call we get this exception16:48
mfedosinstevemar: there should be a way not to load project_id if trust_id is provided16:49
stevemarmfedosin: no sir16:50
stevemarmfedosin: i thought i mentioned this in an earlier review16:50
stevemarwhere you were re-using the client with the same args16:50
*** roxanaghe has joined #openstack-keystone16:50
*** fhubik_brb is now known as fhubik_16:50
*** rderose has joined #openstack-keystone16:52
mfedosinstevemar: please look here: https://review.openstack.org/#/c/241986/17/glance/common/trust_auth.py lines #46-5316:55
mfedosinis there any way to do thing like on the line 36?16:56
stevemarmfedosin: hmm, you're not passing in the project id16:56
stevemari wonder why it's complaining16:56
mfedosinno, there it works16:57
mfedosinbut if we do trustee_auth = conf.load_from_conf_options(CONF, 'keystone_authtoken', trust_id=trust_id) it fails with the exception16:59
*** david-lyle has quit IRC17:02
*** gyee has joined #openstack-keystone17:03
*** ChanServ sets mode: +v gyee17:03
*** tonytan4ever has quit IRC17:04
*** HoloIRCUser2 has joined #openstack-keystone17:06
*** HoloIRCUser2 has quit IRC17:11
*** HoloIRCUser2 has joined #openstack-keystone17:12
*** david-lyle has joined #openstack-keystone17:12
*** raies has joined #openstack-keystone17:14
*** rderose has quit IRC17:15
*** HoloIRCUser2 has quit IRC17:15
*** fhubik_ is now known as fhubik_brb17:18
stevemarmfedosin: yep, that i expect, since you are passing in project stuff in that line17:18
*** e0ne has quit IRC17:19
raieshi17:21
raiesI wanted to make keystone identity backend as ldap17:22
raiesThis is single node setup17:22
*** vgridnev has joined #openstack-keystone17:25
raiesI created a file - openstack.ldif17:25
raiesopenstack.ldif dn: ou=Groups,dc=domain,dc=tld objectClass: top objectClass: organizationalUnit ou: groups dn: ou=Users,dc=domain,dc=tld objectClass: top objectClass: organizationalUnit ou: users dn: ou=Roles,dc=domain,dc=tld objectClass: top objectClass: organizationalUnit ou: roles dn: ou=Projects,dc=domain,dc=tld objectClass: top objectClass: organizationalUnit ou: projects17:26
raiesIn keystone.conf -17:26
raies[identity] driver=keystone.identity.backends.ldap.Identity    [assignment] driver=keystone.assignment.backends.sql.Assignment    [ldap] ### Flags with "###" are not required in case only identity in ldap url=ldaps://locahost user='cn=admin,dc=domain,dc=tld' password=admin suffix='dc=domain,dc=tld' ###use_dumb_member=true ###dumb_member='cn=dumb,dc=domain,dc=tld' user_tree_dn='ou=Users,dc=domain,dc=tld' user_mail_attribute=17:27
raiesunder default section of keystone.conf -17:27
raies[DEFAULT] admin_token=password  admin_workers = 2 max_token_size = 16384 debug = True admin_bind_host = 192.168.1.3 member_role_name = _member_ member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab17:27
raiesAfter these settings when I run keystone user-list17:28
*** lhcheng_ has joined #openstack-keystone17:28
raiesI can not see any service user17:28
raiesuser list is empty17:28
*** topol has joined #openstack-keystone17:29
*** ChanServ sets mode: +v topol17:29
*** petertr7 is now known as petertr7_away17:30
raiesAlso when I tried to create new user using keystone client, following error comes -17:30
raies"An unexpected error prevented the server from fulfilling your request. {'desc': 'No such object', 'matched': 'dc=openstack,dc=org'} (HTTP 500)"17:30
raiesany help on this ?17:30
raieshow to correctly configure ldap with keystone ? and how to ensure service users using ldap ?17:31
*** lhcheng has quit IRC17:31
stevemarraies: you really don't want to use a single LDAP backend for all identities17:31
stevemarwe won't be supporting write operations to LDAP in the future (create/update/delete)17:31
stevemarraies: check out how to enable multi domain support17:32
raiesstevemar: ok fine17:33
raiesstevemar: I will check it out17:33
stevemarraies: there's a lot of info online: http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers - http://richmegginson.livejournal.com/25846.html and https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/17:34
*** topol has quit IRC17:34
raiesstevemar: But I am playing with icehouse and wanted to set single domain ldap backend for icehouse17:34
*** pnavarro has joined #openstack-keystone17:35
raiesstevemar: As per my understanding, keystone user-list must reflect at least service users, after setting backend as ldap17:37
raiesBut I am not sure of it17:37
*** doug-fish has joined #openstack-keystone17:37
*** doug-fish has quit IRC17:37
*** sigmavirus24 is now known as sigmavirus24_awa17:38
raiesIn my case I have set assignment as sql and identity as ldap17:38
*** doug-fish has joined #openstack-keystone17:38
raiesAlthough service users are already there in cloud but keystone user-list does not reflect it. Output of user-list is blank17:39
*** david8hu has joined #openstack-keystone17:39
*** markvoelker_ has joined #openstack-keystone17:40
*** markvoelker has quit IRC17:41
*** fhubik_brb is now known as fhubik_17:42
*** RichardRaseley has joined #openstack-keystone17:42
*** tonytan4ever has joined #openstack-keystone17:45
stevemarraies: why are you using icehouse? we don't even support it any longer :(17:45
raiesI am working with a project where I need to make real like env17:46
raiesand real env is icehouse17:46
raiesicehouse + ldap backend17:46
raiesSo I wanted to make a real like env. Thus I can work on this17:46
*** markvoelker_ has quit IRC17:47
raildostevemar: ping, I'm wondering, how the API v2.0 deprecation will impact other services, like any service that can't authenticate with API v3...17:48
raildostevemar: something like https://bugs.launchpad.net/ironic/+bug/149477617:48
openstackLaunchpad bug 1494776 in Ironic "Ironic API fails when keystone /v2.0 pipeline is disabled" [High,Confirmed] - Assigned to Pavlo Shchelokovskyy (pshchelo)17:48
raildostevemar: or https://bugs.launchpad.net/openstack-ansible/+bug/150927217:48
openstackLaunchpad bug 1509272 in openstack-ansible " Set Keystone endpoints to be v3 by default" [Low,Confirmed] - Assigned to RPC Documentation (rpcdocs)17:48
stevemarraildo: they need to get on board :)17:49
stevemarraildo: they'll receive deprecation warnings for 2 years before they are broken17:49
raildostevemar: sure.. and I want to help it :)17:49
*** markvoelker has joined #openstack-keystone17:49
stevemarraildo: i'm sure they will appreciate the help!17:50
raildoon keystone side, we don't need to do anything more, right?17:50
*** links has quit IRC17:50
stevemarraildo: dont think so17:50
odyssey4mestevemar raies heat, glance, nova, cinder, horizon, neutron, swift are all ok as at Liberty release17:50
*** browne has quit IRC17:51
raildostevemar: great :)17:51
odyssey4mesorry, meant to include raildo17:51
raildoodyssey4me: np17:51
odyssey4mewe (OpenStack-Ansible) gate test on Keystone v3 API only from Liberty onward17:51
odyssey4meonly Aodh and Ceilometer are still a little funky17:52
*** urulama has quit IRC17:52
*** pnavarro has quit IRC17:52
*** urulama has joined #openstack-keystone17:52
odyssey4meCeilometer merged https://review.openstack.org/237537 recently, getting on board the v3 API17:53
raildoodyssey4me: awesome :)17:53
samueldmqodyssey4me: raildo: in addition, devstack has a v3 only gate17:55
samueldmqsee gate-tempest-dsvm-neutron-identity-v3-only-full in any devstack change17:55
samueldmqe.g https://review.openstack.org/#/c/255898/17:56
*** rderose has joined #openstack-keystone17:56
*** vgridnev has quit IRC17:58
*** HoloIRCUser1 has joined #openstack-keystone17:59
stevemarpoke for meeting: ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rodrigods, roxanaghe, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub, rderose, samleon, xek, MaxPC, tjcocozz17:59
dolphm\o/17:59
*** lhcheng_ is now known as lhcheng17:59
*** ChanServ sets mode: +v lhcheng17:59
*** mhickey has quit IRC18:00
roxanagheo/18:00
*** HoloIRCUser1 is now known as TomCocozz18:00
navidpo/18:00
*** henrynash has joined #openstack-keystone18:02
*** ChanServ sets mode: +v henrynash18:02
*** fhubik_ is now known as fhubik_brb18:02
*** e0ne has joined #openstack-keystone18:04
*** tonytan4ever has quit IRC18:08
*** fhubik_brb is now known as fhubik_18:10
navidpjoin #openstack-meeting18:11
*** flwang1 has quit IRC18:11
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/25648618:12
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/25804018:13
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/25804118:13
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/25805218:16
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/25805918:16
*** diazjf has quit IRC18:17
*** Alexander has joined #openstack-keystone18:18
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: WIP Refactor use of oslo.db.sqlalchemy.session.EngineFacade  https://review.openstack.org/25745818:18
*** Alexander is now known as amakarov_18:19
*** jistr has quit IRC18:22
*** TomCocozz has quit IRC18:23
*** aginwala has joined #openstack-keystone18:23
*** mfedosin has quit IRC18:27
*** topol has joined #openstack-keystone18:27
*** ChanServ sets mode: +v topol18:27
*** sigmavirus24_awa is now known as sigmavirus2418:31
openstackgerritMerged openstack/keystone: Validate domain for DB-based domain config. CRUD  https://review.openstack.org/25688918:34
*** iurygregory has quit IRC18:36
*** ericksonsantos has quit IRC18:36
*** browne has joined #openstack-keystone18:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/25648618:39
*** aginwala has quit IRC18:40
*** aginwala has joined #openstack-keystone18:40
*** fhubik_ is now known as fhubik_brb18:42
*** Guest73233 is now known as mgagne18:42
*** fhubik_brb is now known as fhubik_18:42
*** mgagne is now known as Guest7643418:42
*** browne has quit IRC18:43
*** browne has joined #openstack-keystone18:43
*** dims has joined #openstack-keystone18:45
*** raildo is now known as raildo-afk18:48
*** harlowja_ has quit IRC18:49
*** harlowja has joined #openstack-keystone18:50
*** aginwala has quit IRC18:50
*** browne has quit IRC18:50
*** aginwala has joined #openstack-keystone18:52
gyeebknudson, https://review.openstack.org/226464, devstack is broken even without this patch18:59
*** aix has quit IRC18:59
*** rderose has quit IRC18:59
gyeeif you set your public_endpoint to http://host:5000/identity19:00
gyeeI just verified it in devstack even without that patch19:00
bknudsonI don't set public_endpoint to http://host:5000/identity , I'd set it to http://host/identity19:00
*** raies has quit IRC19:01
bknudsonand I agree devstack is broken since it's not setting public_endpoint when it should be... I've got a patch up for that.19:01
gyeebknudson, same thing19:01
gyeeI set it to http://host/identity19:02
gyeesame result, got /identity/identity19:02
gyeeso it's already broken without that patch19:02
bknudsonoh, let me try it.19:02
henrynashdstanek: if you do look at https://review.openstack.org/#/c/242513/ feel free to +2/A it if you think it is OK19:02
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/25605319:03
bknudsongyee: that's not what happens for me, I get "href": "http://192.168.122.239/identity/v3/"19:03
gyeebknudson, that's latest devstack?19:04
dstanekhenrynash: you're next on my board - https://trello.com/b/kAcLdBiq/openstack19:04
bknudsongyee: yes, devstack is up to date19:04
bknudsonand keystone19:04
gyeethat's weird, let me do a fresh clone19:05
bknudsonI set public_endpoint = http://192.168.122.239/identity and admin_endpoint = http://192.168.122.239/identity_admin in keystone.conf19:06
bknudsongyee: here's the devstack patch (it worked earlier)19:06
bknudsonhttps://review.openstack.org/#/c/193894/19:06
gyeebknudson, ah, ok, I can reproduce it now19:07
gyeebknudson, I was using a special branch :)19:08
bknudsongood to know keystone isn't totally broken19:08
gyeelet me pull that patch and try again19:10
stevemargyee: "special"19:10
stevemargyee: everything about you is special19:10
gyeestevemar, I was doing some experimentation19:11
gyeestevemar, lol19:11
henrynashdstaneK; that’s nice19:12
stevemaralso btw, there are some blueprints targeted to mitaka-2 that have not yet been started! :) https://launchpad.net/keystone/+milestone/mitaka-2 - looking at you dolphm (shadow users), henrynash (DSR and domain config defaults) and rodrigods (filtering SPs)19:12
henrynashdstanek: trello, that is19:12
stevemarhenrynash: i'll cut you some slack since you have like 18 blueprints19:13
dstanekhenrynash: it's a work in progress19:13
henrynashstevemar: under control (ish)19:13
stevemarbut as a heads up - have code up for review before mitaka-2 ends, or it's gonna get the boot!19:13
stevemarit can land in mitaka-3, but have something up!19:14
gyeeand demo it in mid-cycle :)19:15
*** fangxu has joined #openstack-keystone19:19
*** browne has joined #openstack-keystone19:20
stevemargyee: now we're talking19:22
stevemaryay new keystone patches should have a job for legacy drivers19:22
*** jaosorior has quit IRC19:23
*** henrynash has quit IRC19:24
*** vgridnev has joined #openstack-keystone19:24
rodrigodsstevemar: :( maybe marekd and/or iurygregory can take care of it (filtering SPs)?19:26
bknudsonstevemar: I proposed a couple of changes to -infra for keystone testing.19:26
bknudsonwhich I guess they have to work before anyone's going to merge them.19:27
openstackgerritFangzhou Xu proposed openstack/keystone: Make getting token revocation list 9x faster on Mysql  https://review.openstack.org/23960819:28
*** browne has quit IRC19:29
*** browne has joined #openstack-keystone19:30
*** browne has quit IRC19:32
*** openstackgerrit has quit IRC19:32
*** browne has joined #openstack-keystone19:32
*** openstackgerrit has joined #openstack-keystone19:32
*** browne has quit IRC19:33
*** browne has joined #openstack-keystone19:33
*** e0ne has quit IRC19:34
*** e0ne_ has joined #openstack-keystone19:35
*** browne has quit IRC19:35
*** browne has joined #openstack-keystone19:36
*** henrynash has joined #openstack-keystone19:37
*** ChanServ sets mode: +v henrynash19:37
*** flwang1 has joined #openstack-keystone19:40
stevemarbknudson: those are the ones you cc'ed me on for eventlet and such? i haven't had a chance to look at them yet19:41
*** aginwala has quit IRC19:41
stevemarbut they are on my list19:41
bknudsonstevemar: yes19:41
*** jaosorior has joined #openstack-keystone19:41
stevemarbknudson: cool, i'll look at them soon19:42
*** e0ne_ has quit IRC19:42
*** aginwala has joined #openstack-keystone19:44
*** tonytan4ever has joined #openstack-keystone19:52
*** gyee has quit IRC19:54
*** vgridnev has quit IRC19:55
*** roxanaghe has quit IRC19:59
dolphmstevemar: what's the mitaka 2 deadline?20:10
*** fhubik has joined #openstack-keystone20:11
stevemardolphm: http://docs.openstack.org/releases/schedules/mitaka.html20:11
stevemardolphm: the last day to propose code for a spec that is landing in mitaka is jan16-2220:12
*** urulama has quit IRC20:12
stevemardolphm: *before* the midcycle ;)20:12
*** fhubik has quit IRC20:12
*** jaosorior has quit IRC20:12
*** urulama has joined #openstack-keystone20:12
*** e0ne has joined #openstack-keystone20:13
*** e0ne_ has joined #openstack-keystone20:15
*** e0ne has quit IRC20:16
*** fangxu has quit IRC20:17
*** mfedosin has joined #openstack-keystone20:23
*** Ephur has joined #openstack-keystone20:23
*** aginwala has quit IRC20:35
*** pumarani- has joined #openstack-keystone20:38
*** aginwala has joined #openstack-keystone20:38
*** lhcheng has quit IRC20:39
*** rm_you has quit IRC20:43
*** lhcheng has joined #openstack-keystone20:45
*** ChanServ sets mode: +v lhcheng20:45
*** lhcheng has quit IRC20:46
openstackgerritBrant Knudson proposed openstack/keystone: Add audit IDs to revocation events  https://review.openstack.org/25814120:48
openstackgerritBrant Knudson proposed openstack/keystone: Add audit IDs to revocation events  https://review.openstack.org/25814120:48
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Verify audit_id when available  https://review.openstack.org/25814320:49
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Verify audit_id when available  https://review.openstack.org/25814320:49
*** phalmos has joined #openstack-keystone20:53
openstackgerritTom Cocozzello proposed openstack/keystone: WORK IN PROGRESS!!!!! List assignments with names  https://review.openstack.org/24995820:53
*** dslev has joined #openstack-keystone20:57
notmorganstevemar: i wasn't aware we ever wanted PBR to be a runtime requirement for libraries...20:58
*** doug-fish has quit IRC20:58
*** e0ne_ has quit IRC20:59
*** fangxu has joined #openstack-keystone20:59
*** gyee has joined #openstack-keystone21:01
*** ChanServ sets mode: +v gyee21:01
*** timcline has quit IRC21:04
*** jaosorior has joined #openstack-keystone21:11
*** jaosorior has quit IRC21:11
*** jaosorior has joined #openstack-keystone21:11
*** topol has quit IRC21:13
*** flwang1 has quit IRC21:16
stevemarnotmorgan: link?21:17
*** sigmavirus24 is now known as sigmavirus24_awa21:17
*** sigmavirus24_awa is now known as sigmavirus2421:17
stevemartjcocozz: so you're saying its a work in progress?21:18
*** timcline has joined #openstack-keystone21:21
*** doug-fish has joined #openstack-keystone21:25
*** doug-fish has quit IRC21:29
*** e0ne has joined #openstack-keystone21:30
*** amakarov_ has quit IRC21:31
*** flwang1 has joined #openstack-keystone21:31
*** aginwala has quit IRC21:31
*** Guest76434 is now known as mgagne21:33
*** mgagne is now known as Guest16021:34
*** Guest160 has quit IRC21:34
*** Guest160 has joined #openstack-keystone21:34
*** Guest160 is now known as mgagne21:35
*** jaosorior has quit IRC21:41
*** timcline has quit IRC21:44
*** mfedosin has quit IRC21:49
*** lhcheng has joined #openstack-keystone21:50
*** ChanServ sets mode: +v lhcheng21:50
notmorganstevemar: uhmm keystoneauth RFC agent string21:51
notmorganstevemar: need to find the review again, sorry it got lost in a tab21:51
notmorganhttps://review.openstack.org/#/c/256002/21:52
notmorganstevemar: ^21:52
*** petertr7_away is now known as petertr721:56
*** andreykurilin__ has joined #openstack-keystone21:57
*** david-lyle has quit IRC21:58
*** doug-fish has joined #openstack-keystone21:58
*** david-lyle has joined #openstack-keystone22:00
stevemarnotmorgan: -1 it!22:08
notmorganstevemar: i don't know if it's something we want/not-want22:09
notmorganstevemar: it was more of a "is this correct?"22:09
stevemareither way, pbr isn't listed in requirements22:09
notmorganah22:09
stevemari wasn't sure either :\22:09
stevemarthanks notmorgan22:10
stevemaryou're the best22:10
*** rcernin has joined #openstack-keystone22:16
*** aginwala has joined #openstack-keystone22:19
openstackgerritDan Nguyen proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call  https://review.openstack.org/18818422:19
briancurtinstevemar: so should i put it in the requirements file, or is there a different way to get the version?22:21
*** doug-fish has quit IRC22:22
stevemarbriancurtin: i legitimately don't know if :)22:23
briancurtinfwiw, a quick look around shows o-c-c and swiftclient do the same pbr thing, though swiftclient makes a first attempt to use pkg_resources22:25
briancurtinoh, so does keystoneclient22:27
stevemarbriancurtin: whats the sdk do?22:27
stevemaryou guys just use pbr22:27
stevemarhmm22:27
briancurtinthe same as what those + the ksa review. what i entered in that ksa review was pulled straight from SDK22:28
stevemargotcha22:28
stevemari just wanted to step back and pause/question before going forward22:28
briancurtinmakes sense22:28
stevemarbut we do need pbr in requirements.txt at a minimum22:28
*** timcline has joined #openstack-keystone22:29
*** timcline has quit IRC22:29
stevemari'll let jamielennox and mordred chime in too: https://review.openstack.org/#/c/256002/ maybe they have another opinion22:29
briancurtinif the others on the review are ok with that approach solving the problem, i’ll add it to requirements22:29
*** timcline has joined #openstack-keystone22:29
stevemardo it up22:30
*** gildub has joined #openstack-keystone22:32
*** e0ne has quit IRC22:32
stevemaranyone want to push through an easy review? https://review.openstack.org/#/c/257131/22:35
openstackgerritBrian Curtin proposed openstack/keystoneauth: Provide a RFC 7231 compliant user agent string  https://review.openstack.org/25600222:38
*** dslev has quit IRC22:39
*** ericksonsantos has joined #openstack-keystone22:42
*** iurygregory has joined #openstack-keystone22:42
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: remove venv bits from tools  https://review.openstack.org/25817522:42
*** timcline has quit IRC22:44
openstackgerritBrian Curtin proposed openstack/keystoneauth: Provide a RFC 7231 compliant user agent string  https://review.openstack.org/25600222:45
*** dslev_ has joined #openstack-keystone22:47
jamielennoxstevemar, briancurtin: i'm happy with the concept22:49
jamielennoxlifeless: regarding https://review.openstack.org/#/c/256002/ - do we need the pbr dependency there?22:49
*** phalmos has quit IRC22:51
jamielennoxstevemar: i'd like to get https://review.openstack.org/#/c/253972/ through if you can have a look22:52
*** iurygregory has quit IRC22:53
*** iurygregory has joined #openstack-keystone22:53
notmorganmordred: https://review.openstack.org/256002 not sure if this is right. again, thinking PBR isn't really meant to be runtime like this22:54
stevemarjamielennox: o/22:54
*** dstanek has quit IRC22:56
stevemarjamielennox: done22:56
*** dstanek has joined #openstack-keystone22:56
*** ChanServ sets mode: +v dstanek22:56
stevemarjamielennox: swap for review: https://review.openstack.org/#/c/258175/22:56
notmorganbriancurtin: i'm wondering if we can do a 1-time on setup thing instead of calling to PBR for version each time22:56
jamielennoxeasy22:57
jamielennoxstevemar: also https://review.openstack.org/#/c/255691/22:58
jamielennoxneed that to make the auth_token in middleware bits public22:58
*** petertr7 is now known as petertr7_away22:59
*** tonytan4ever has quit IRC23:00
lifelessjamielennox: yes23:00
lifelessjamielennox: (why is that even a question)23:00
*** david-lyle has quit IRC23:01
jamielennoxlifeless: right - if we do it via pbr we need that, this came up a while ago and i thought pbr wasn't supposed to be a runtime dep23:01
jamielennoxthat we should do that sort of version discovery via setuptools23:01
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: remove CLI from keystoneclient  https://review.openstack.org/25818123:01
lifelesspbr is totally a runtime dep23:01
*** david-lyle has joined #openstack-keystone23:01
lifelessits also a build time dep - the only one we allow23:01
lifelessif you do it via pkg_resources, be sure to add in the calls to git to handle uninstalled trees23:02
lifeless(oh, and dep on pkg_resources, since you'll be using that) - glwt :)23:02
lifelesssorry for the snark... this keeps coming up and I don't know how to kill the meme23:02
lifelessI mean - we document it, its in g-r, its in cookiecutter.23:03
jamielennoxok, i don't remember where it came up that we shouldn't be using it at runtime but that's ok with me23:03
lifelessthe redhat distro folk23:04
lifelesswho have repeatedly said 'its a problem' on the -dev list, but have not to the best of my knowledge yet filed a bug or detailed description of the problem23:04
lifelesshave pushed that concept23:04
jamielennoxthey used to hack it out in rpm - but last i looked they'd stopped doing that23:04
kfox1111do you have to do anything in liberty keystone to get ec2 compatability?23:04
lifelessseparately there was a performance thing where it was implicated in slow CLI startup23:04
kfox1111We recently switched our keystone to liberty version, and just now realized heat cfn service isn't working.23:05
*** fangxu_ has joined #openstack-keystone23:05
*** fangxu has quit IRC23:05
*** fangxu_ is now known as fangxu23:05
lifelessbut we couldn't reproduce and that's gone quiet - but it shouldn't ever be slow (unless you're running from-git-without-installing), which is not a common case! [and even then, it should only read history to the last tag, so not much work)23:05
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: move hacking to tests folder  https://review.openstack.org/25818323:06
*** dstanek has quit IRC23:06
*** aginwala has quit IRC23:07
jamielennoxlifeless: ok, well that's an easy dependency to add then, thanks23:07
*** dstanek has joined #openstack-keystone23:07
*** ChanServ sets mode: +v dstanek23:07
*** aginwala has joined #openstack-keystone23:07
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: move hacking to tests folder  https://review.openstack.org/25818323:08
stevemarjamielennox: got another one for you ^23:08
jamielennoxstevemar: that works?23:09
jamielennoxstevemar: ok, works for me then23:09
stevemarjamielennox: why do you sound surprised?23:10
davechenstevemar: do you know what's client or what's service currently using full auth flow?23:10
jamielennoxstevemar: hacking has been in the base folder for everything - i thought there must be a reason23:10
stevemarnope https://github.com/openstack/keystone/tree/master/keystone/tests/hacking23:10
stevemardavechen: not clear on what you mean?23:10
davechenstevemar:  i was thinking it using this router to get all of the projects. - https://github.com/openstack/keystone/blob/master/keystone/resource/routers.py#L28-L3123:10
stevemardavechen: do i have an example?23:11
davechenstevemar: the decorator you are using "v2_auth_deprecated" for this method "get_projects_for_token"23:11
openstackgerritayoung proposed openstack/keystone-specs: Bootstrap  https://review.openstack.org/25663423:11
*** urulama has quit IRC23:12
davechenstevemar: i just want to see if there is any service or client still using full auth flow23:12
lifelessjamielennox: EPARSE: pbr is an easy dep to add? <- is what you meant?23:12
stevemardavechen: ohhh, there wouldn't be one in an openstack repo23:12
*** urulama has joined #openstack-keystone23:12
davechenlooks like all of them combined into one step23:12
davechenand it's not using this one - https://github.com/openstack/keystone/blob/master/keystone/resource/routers.py#L28-L31?23:12
jamielennoxlifeless: right, we've been trying to keep keystoneauth really light weight, absolutely minimal dependencies and argue about if we need them at all23:13
stevemardavechen: i'm just thinking in case a user has their own home-made CLI/script that just uses rest calls23:13
kfox1111any known problems with kilo heat-api-cfn and liberty keystone?23:13
jamielennoxlifeless: PBR should cause too many problems getting through23:13
stevemarkfox1111: not to my knowledge :(23:13
jamielennoxlifeless: s/should/shouldn't23:13
davechenstevemar: okay, that's not surprise i didn't see it anywhere, thanks!23:14
kfox1111k. I'll keep digging. thanks.23:14
*** sigmavirus24 is now known as sigmavirus24_awa23:15
lifelessjamielennox: cool23:15
notmorganlifeless: ftr, i'm fine with PBR being runtime but it's the endless cycle of remembering complaints about it23:17
lifelessnotmorgan: yah23:17
notmorganlifeless: last time i stared at it, it was just a build-time thing that caused no complaints. so rather be sure before landing a dep on it at runtime especially in keystoneauth :)23:17
lifelessnotmorgan: I blame mordred for sucking me into it23:18
*** rcernin has quit IRC23:20
*** flwang1 has quit IRC23:21
openstackgerritJohn Dewey proposed openstack/keystone: Correct developer documentation on venv creation  https://review.openstack.org/25818823:21
*** e0ne has joined #openstack-keystone23:21
*** gordc has quit IRC23:23
*** shaleh has joined #openstack-keystone23:29
*** errr has quit IRC23:30
*** csoukup has quit IRC23:30
jamielennoxstevemar: so if i stick a debtcollector.remove on Session am i going to break tests for everyone23:30
jamielennoxstevemar: do you know if it's somehow limited to only throwing errors within its own test cases?23:30
*** errr has joined #openstack-keystone23:31
*** david-lyle_ has joined #openstack-keystone23:33
*** david-lyle has quit IRC23:36
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/25804023:44
jamielennoxstevemar, notmorgan: what do we think about passing https://review.openstack.org/#/c/117089/ before doing the session deprecation23:44
jamielennoxit would isolate things a bit better23:44
jamielennox(it's also my oldest open review)23:46
*** oomichi has joined #openstack-keystone23:47
*** errr has quit IRC23:49
*** gildub has quit IRC23:49
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/25805923:50
*** jasonsb has quit IRC23:55
*** jasonsb has joined #openstack-keystone23:58
*** chlong has quit IRC23:59
