Wednesday, 2016-01-06

*** gyee has quit IRC00:07
*** gyee has joined #openstack-keystone00:14
*** ChanServ sets mode: +v gyee00:14
*** gyee has quit IRC00:24
*** henrynash has quit IRC00:24
*** harlowja_ has joined #openstack-keystone00:27
*** harlowja has quit IRC00:30
*** shoutm has quit IRC00:32
*** sripriya has quit IRC00:41
*** shaleh has quit IRC00:59
*** clayton has quit IRC01:17
*** EinstCrazy has joined #openstack-keystone01:17
*** clayton has joined #openstack-keystone01:18
*** davechen has joined #openstack-keystone01:19
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy SQL driver
*** _cjones_ has quit IRC01:24
*** clayton has quit IRC01:30
*** gyee has joined #openstack-keystone01:31
*** ChanServ sets mode: +v gyee01:31
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Be consistent in how we give error codes in the Identity spec
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes return usage in endpoint-policy
*** fangxu_ has joined #openstack-keystone01:33
samueldmqbknudson_: responded and sent a new version, let me know if this makes sense to you ^01:33
*** fangxu has quit IRC01:34
*** fangxu_ is now known as fangxu01:34
*** _zouyee has joined #openstack-keystone01:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy SQL driver
*** davechen1 has joined #openstack-keystone01:43
*** davechen has quit IRC01:46
*** davechen has joined #openstack-keystone01:48
*** davechen1 has quit IRC01:50
*** clayton has joined #openstack-keystone01:50
*** henrynash has joined #openstack-keystone01:58
*** ChanServ sets mode: +v henrynash01:58
stevemardstanek: need you to take a quick look at:
stevemarit is a hacking change and the author isn't groking how it's done02:04
*** henrynash has quit IRC02:14
*** davechen has quit IRC02:15
*** topol has joined #openstack-keystone02:44
*** ChanServ sets mode: +v topol02:44
*** topol has quit IRC02:48
*** dims has quit IRC02:59
*** browne has quit IRC03:02
*** browne has joined #openstack-keystone03:02
*** fangxu has quit IRC03:04
*** niusmallnan has joined #openstack-keystone03:07
*** niusmallnan has left #openstack-keystone03:09
*** fangxu has joined #openstack-keystone03:18
*** fangxu has quit IRC03:23
*** gyee has quit IRC03:30
*** woodster_ has quit IRC03:36
*** zqfan has joined #openstack-keystone03:40
*** links has joined #openstack-keystone03:51
*** richm has quit IRC03:53
*** browne has quit IRC04:08
*** PsionTheory has quit IRC04:13
*** oomichi has quit IRC04:49
*** Nirupama has joined #openstack-keystone05:07
*** fangxu has joined #openstack-keystone05:10
*** fawadkhaliq has joined #openstack-keystone05:17
*** Magesh has joined #openstack-keystone05:36
Mageshnow i configuring openstack liberty version05:36
Mageshwhen i restart httpd service i am getting error05:37
Magesherror mentioned below05:37
Magesh[root@controller ~]# systemctl restart httpd.service Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.05:37
MageshPlease help me05:37
Magesh[root@controller ~]# service httpd status05:38
MageshRedirecting to /bin/systemctl status  httpd.service httpd.service - The Apache HTTP Server    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)   Drop-In: /usr/lib/systemd/system/httpd.service.d            └─openstack-dashboard.conf    Active: failed (Result: exit-code) since Wed 2016-01-06 06:35:43 CET; 2min 21s ago   Process: 19294 ExecStartPre=/usr/bin/python /usr/share/openstack-dashboard/ c05:38
*** jrist has quit IRC05:39
Mageshwhen i restart httpd service i am getting error05:44
Mageshsystemctl restart httpd.service05:44
Mageshfailed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.05:45
*** jrist has joined #openstack-keystone05:51
openstackgerritMerged openstack/python-keystoneclient: Implements base classes for functional tests
*** henrynash has joined #openstack-keystone05:55
*** ChanServ sets mode: +v henrynash05:55
*** Magesh has quit IRC06:00
*** Magesh has joined #openstack-keystone06:02
Mageshwhen i restart httpd service getting error06:02
Magesh[root@controller ~]# systemctl restart httpd.service Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.06:02
openstackgerrithenry-nash proposed openstack/keystone-specs: Be consistent in how we give error codes in the Identity spec
Mageshhelp me06:14
Mageshnow i configuring openstack liberty06:15
Mageshwhen i restart httpd service getting error06:15
MageshJob for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.06:15
*** david-lyle_ has joined #openstack-keystone06:24
*** gwei3 has joined #openstack-keystone06:34
Mageshwhen i restart httpd service getting error06:38
MageshJob for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details06:39
Mageshin openstack liberty06:39
openstackgerritMerged openstack/keystone: Define paste entrypoints
*** chlong has quit IRC06:50
*** david-lyle_ has quit IRC06:56
*** belmoreira has joined #openstack-keystone06:59
*** gwei31 has joined #openstack-keystone07:00
*** gwei31 has quit IRC07:01
*** gwei3 has quit IRC07:01
*** Magesh has quit IRC07:07
*** shoutm has joined #openstack-keystone07:11
*** spandhe has joined #openstack-keystone07:20
*** e0ne has joined #openstack-keystone07:25
*** henrynash has quit IRC07:30
*** shoutm_ has joined #openstack-keystone07:30
*** shoutm has quit IRC07:33
*** henrynash has joined #openstack-keystone07:33
*** ChanServ sets mode: +v henrynash07:33
*** fawadkhaliq has quit IRC07:37
openstackgerrithenry-nash proposed openstack/keystone: Modify rules for domain specific role assignments
*** fawadkhaliq has joined #openstack-keystone07:40
*** magesh has joined #openstack-keystone07:41
mageshwhen restart httpd service getting error07:41
magesh[root@controller ~]# systemctl restart httpd.service memcached.service Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.07:42
openstackgerritMerged openstack/keystone: Do not use __builtin__ in python3
*** fawadkhaliq has quit IRC07:48
*** fawadkhaliq has joined #openstack-keystone07:49
*** spandhe has quit IRC08:02
*** chlong has joined #openstack-keystone08:11
openstackgerritMerged openstack/keystone: Use oslo_config PortOpt support
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
openstackgerrithenry-nash proposed openstack/keystone: Correct docstring for federation driver interface
*** shoutm_ has quit IRC08:29
openstackgerrithenry-nash proposed openstack/keystone: Correct docstring for federation driver interface
openstackgerrithenry-nash proposed openstack/keystone: Create V9 version of federation driver interface
*** shoutm has joined #openstack-keystone08:31
*** EinstCra_ has joined #openstack-keystone08:32
openstackgerrithenry-nash proposed openstack/keystone: Correct docstrings for federation driver interface
*** EinstCrazy has quit IRC08:35
*** shoutm has quit IRC08:40
*** fawadkhaliq has quit IRC08:46
*** henrynash has quit IRC08:49
openstackgerritReedip proposed openstack/pycadf: remove suport for py33
*** fawadkhaliq has joined #openstack-keystone08:56
*** fhubik has joined #openstack-keystone09:00
*** fhubik is now known as fhubik_brb09:05
*** fawadkhaliq has quit IRC09:07
openstackgerritMerged openstack/keystone: Config option for insecure responses
openstackgerritMerged openstack/keystone: Correct SecurityError with unicode args
*** shoutm has joined #openstack-keystone09:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** jistr has joined #openstack-keystone09:17
*** mhickey has joined #openstack-keystone09:19
*** aix has joined #openstack-keystone09:23
*** fawadkhaliq has joined #openstack-keystone09:35
*** fawadkhaliq has quit IRC09:36
*** fhubik_brb is now known as fhubik09:38
*** EinstCra_ has quit IRC09:40
*** EinstCrazy has joined #openstack-keystone09:42
*** fawadkhaliq has joined #openstack-keystone09:43
*** fhubik is now known as fhubik_brb09:45
*** _zouyee has quit IRC09:46
*** EinstCrazy has quit IRC10:04
*** shoutm has quit IRC10:05
*** fawadkhaliq has quit IRC10:09
*** fhubik_brb is now known as fhubik10:17
*** shoutm has joined #openstack-keystone10:24
*** fawadkhaliq has joined #openstack-keystone10:44
*** fawadkhaliq has quit IRC10:45
*** dims has joined #openstack-keystone10:47
*** fhubik is now known as fhubik_brb10:48
*** fawadkhaliq has joined #openstack-keystone10:54
*** mhickey has quit IRC10:56
*** fawadkhaliq has quit IRC10:56
*** _zouyee has joined #openstack-keystone10:57
*** fhubik_brb is now known as fhubik11:03
*** GB21 has joined #openstack-keystone11:07
*** fawadkhaliq has joined #openstack-keystone11:10
*** lhcheng has joined #openstack-keystone11:19
*** ChanServ sets mode: +v lhcheng11:19
*** fawadkhaliq has quit IRC11:24
*** fhubik is now known as fhubik_brb11:45
*** mhickey has joined #openstack-keystone11:46
*** Magesh_ has joined #openstack-keystone11:49
Magesh_when i restarting httpd service getting error11:49
Magesh_[root@controller ~]# systemctl start httpd.service Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.11:50
*** doug-fish has joined #openstack-keystone11:59
*** lhcheng has quit IRC12:16
*** lhcheng has joined #openstack-keystone12:17
*** ChanServ sets mode: +v lhcheng12:17
*** pauloewerton has joined #openstack-keystone12:19
*** kashyap has joined #openstack-keystone12:21
*** lhcheng has quit IRC12:21
*** ktychkova has quit IRC12:22
*** GB21 has quit IRC12:22
kashyapHi folks, stumbled across this yak, while trying to do another test - with today's Git, does anyone else see these kind of Keystone errors when setting up DevStack? --
openstackLaunchpad bug 1490950 in devstack " on master fails during creation some Keystone roles" [Undecided,New]12:23
kashyapAs I noted in comment#5, it's still reproducible despite upgrading python-openstackclient, and re-doing it.12:24
*** gordc has joined #openstack-keystone12:26
*** fawadkhaliq has joined #openstack-keystone12:38
*** fawadkhaliq has quit IRC12:39
*** fawadkhaliq has joined #openstack-keystone12:39
*** EinstCrazy has joined #openstack-keystone12:53
*** fhubik_brb is now known as fhubik13:01
dimskashyap : i bet you will see some issues in keystone's logs (i've seen some VersionConflict errors when library versions are mismatched)13:06
kashyapdims: I did look at the log, but it was mostly about CLI parsing errors13:08
kashyapdims: But, I can't claim I've deeply investigated the log - so I'll look at it closely13:09
*** EinstCrazy has quit IRC13:09
kashyapdims: Duh, you're right - "ContextualVersionConflict: (urllib3 1.14 (/usr/lib/python2.7/site-packages), Requirement.parse('urllib3==1.13.1'), set(['requests']))13:11
*** EinstCrazy has joined #openstack-keystone13:11
*** EinstCrazy has quit IRC13:12
*** martinus__ has quit IRC13:13
*** martinus__ has joined #openstack-keystone13:15
dimskashyap : can you get me a paste with the traceback and a few more lines before this happens?13:15
dimsoops...pretty please :)13:15
kashyap1 sec, torn between several SSH sessions13:15
kashyapIt has complete log, didn't trim it I'm afraid.13:17
dimskashyap : so typically i go to /opt/stack/keystone and do a pip install of the requirements.txt when i run into this13:18
dimsand then try a restart13:19
dims"pip install -U -r requirements.txt"13:19
kashyapdims: Okay, let me try that.  Yeah, probably I should make a habit of it13:19
dimsthrow in a sudo depending on your environment13:19
*** dslev has joined #openstack-keystone13:22
dstanekstevemar: ok, looking now13:23
kashyapYeah, I normally place everything under ~/src13:23
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/python-keystoneclient: Handle EmptyCatalog exception in list federated projects
*** Nirupama has quit IRC13:29
*** links has quit IRC13:32
*** edmondsw has joined #openstack-keystone13:34
*** magesh has quit IRC13:38
*** Magesh_ has quit IRC13:38
*** lhinds has joined #openstack-keystone13:38
*** dslev has quit IRC13:38
*** topol has joined #openstack-keystone13:39
*** ChanServ sets mode: +v topol13:39
*** topol has quit IRC13:42
*** dave-mccowan has joined #openstack-keystone13:45
*** thiagop has joined #openstack-keystone13:49
*** ninag has joined #openstack-keystone14:02
*** petertr7_away is now known as petertr714:05
*** richm has joined #openstack-keystone14:08
*** ayoung has joined #openstack-keystone14:11
*** ChanServ sets mode: +v ayoung14:11
*** richm has quit IRC14:12
*** dslevin_ has joined #openstack-keystone14:12
*** links has joined #openstack-keystone14:22
*** richm has joined #openstack-keystone14:24
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/python-keystoneclient: Handle EmptyCatalog exception in list federated projects
*** links has quit IRC14:28
*** jsavak has joined #openstack-keystone14:32
*** jsavak has quit IRC14:32
*** jsavak has joined #openstack-keystone14:33
*** jbell8 has joined #openstack-keystone14:37
*** gordc has quit IRC14:37
*** kashyap has left #openstack-keystone14:46
openstackgerritMerged openstack/oslo.policy: Add string format rendering to RoleCheck.__call__()
*** gordc has joined #openstack-keystone14:55
*** sigmavirus24_awa is now known as sigmavirus2414:59
*** phalmos has joined #openstack-keystone15:02
*** thiagop is now known as thiagop-lunch15:03
*** _zouyee has quit IRC15:07
dolphmlbragstad: you asked me about one of davechen's comments the other day - this review is also related if you're still interested
*** lhcheng has joined #openstack-keystone15:19
*** ChanServ sets mode: +v lhcheng15:19
lbragstaddolphm I did see that, I will be sure to review it today15:19
*** timcline has joined #openstack-keystone15:25
*** petertr7 is now known as petertr7_away15:28
*** breitz has quit IRC15:30
*** lhinds has quit IRC15:30
*** breitz has joined #openstack-keystone15:30
*** lhinds has joined #openstack-keystone15:30
*** petertr7_away is now known as petertr715:35
*** tonytan4ever has joined #openstack-keystone15:40
*** lhcheng_ has joined #openstack-keystone15:48
*** KarthikB has joined #openstack-keystone15:48
openstackgerritMerged openstack/keystone-specs: Clarify project hierarchy and parent usage within the API
*** lhcheng has quit IRC15:51
*** slberger has joined #openstack-keystone15:54
*** topol has joined #openstack-keystone15:56
*** ChanServ sets mode: +v topol15:57
*** phalmos has quit IRC16:02
*** jsavak has quit IRC16:04
*** fangxu has quit IRC16:06
*** lhinds has quit IRC16:06
*** jsavak has joined #openstack-keystone16:08
*** slberger1 has joined #openstack-keystone16:10
*** kfox1111 has left #openstack-keystone16:11
*** slberger has quit IRC16:12
*** vgridnev has joined #openstack-keystone16:13
*** Qiang has joined #openstack-keystone16:16
*** belmoreira has quit IRC16:18
*** shoutm has quit IRC16:23
*** Qiang has quit IRC16:24
*** qiangw has joined #openstack-keystone16:25
*** qiangw has left #openstack-keystone16:25
*** fhubik is now known as fhubik_brb16:31
*** fhubik_brb is now known as fhubik16:33
*** dslevin_ has quit IRC16:34
*** diazjf has joined #openstack-keystone16:37
openstackgerritMerged openstack/pycadf: Put py34 first in the env order of tox
openstackgerritMerged openstack/pycadf: remove suport for py33
openstackgerritayoung proposed openstack/keystone: Implied Roles API
openstackgerritayoung proposed openstack/keystone: SQL migrations for implied roles
openstackgerritayoung proposed openstack/keystone: backend for implied roles
*** dslevin_ has joined #openstack-keystone16:44
*** _cjones_ has joined #openstack-keystone16:47
*** dslevin_ has quit IRC16:49
*** fhubik has quit IRC16:51
dtroyer_zzstevemar: I need a bit of refresh re DevStack and Identity v3… do you know if we still run jobs using v2 anywhere?16:52
stevemardtroyer_zz: i believe it's all v3 nowadays16:56
openstackgerritMerged openstack/keystone-specs: Be consistent in how we give error codes in the Identity spec
*** gyee has joined #openstack-keystone16:58
*** ChanServ sets mode: +v gyee16:58
stevemardolphm: keystoneauth for liberty has been busted for a while16:59
dolphmstevemar: yeah, i've heard complaints17:00
dtroyer_zzcoolness, thanks stevemar17:00
stevemardolphm: i was going to look at it next week, i think it's got to with how other libraries are using it in the dsvm setup17:02
stevemardtroyer_zz: v2 APIs will still work17:07
stevemarauth and crud17:07
stevemardtroyer_zz: but the way we setup devstack, and the scripts only call v3 APIs to set everything up17:08
*** phalmos has joined #openstack-keystone17:08
*** henrynash has joined #openstack-keystone17:10
*** ChanServ sets mode: +v henrynash17:10
*** jgriffith is now known as jgriffith_away17:15
dtroyer_zzthat's my concern, whether DevStack still needs to support v2 itself (not starting it, but using it)17:16
dtroyer_zzI've seen some reviews come in with v3 hard-coded17:16
dtroyer_zzif we can properly start and test v2 but only uses v3, I'm happy-ish17:17
dtroyer_zz(modulo hard-codin ickyness)17:17
ayounghenrynash, I split the patch17:21
ayoungI only added you as co-author on the API piece.  Is that accurate?17:22
henrynashayoung: yep, just saw that….17:22
ayounghenrynash, and it is not to be stingy with credit, just want you to be able to +2 more of it17:22
henrynashayoung: I think that’s fair (although, I added a tiny bit to the controller to interpret the role_id in the indirect and a new test in test_assignment to check for it… maybe if we are being strict….)17:23
henrynashayoung: didn’t suspect stingyness at all!17:23
ayounghenrynash, that is all in the API section of the split patches17:24
henrynashayoung: in deed17:24
henrynash(as well as indeed)17:24
bknudson_one of you can +2 since you're both cores.17:25
bknudson_as long as you both agree on the changes17:25
ayoungsamueldmq, care to look at those:  you origianlly suggested the split17:25
ayoung  is the first one/ migration17:26
*** jgriffith_away is now known as jgriffith17:30
openstackgerritHarshada Mangesh Kakad proposed openstack/keystone: Fixing the deprecated library function.
lbragstaddstanek it's nice to have you back from vacation!17:31
*** e0ne has quit IRC17:32
dstaneklbragstad: good to be back!17:32
lbragstaddstanek planning on a bug day Friday?17:32
*** ninag has quit IRC17:33
*** ninag has joined #openstack-keystone17:33
dstanekabsolutely...i need to update the etherpad17:34
lbragstaddstanek sweet... this one right?
stevemarbug bash, bug smash, bug crash17:36
dstaneklbragstad: oh, wait no17:36
lbragstaddstanek do you have a different etherpad?17:36
lbragstaddstanek oh...17:37
lbragstadi thought that was just information about the process17:37
*** ninag_ has joined #openstack-keystone17:37
stevemarcan someone explain the magic behind:
lbragstaddo we want to track bugs and progress in there too (weekly)?17:37
lbragstadstevemar we should performance test that...17:38
stevemar"For Mysql, (valid, expires) key is better than (expires, valid) for getting token revocation list query"17:38
*** ninag has quit IRC17:38
stevemarlbragstad: the commit message says he tested it with a million records17:38
*** jbell8 has quit IRC17:38
stevemari am just wondering why it's better to do one way instead of the other17:38
lbragstadstevemar ah17:39
lbragstaddstanek should we collapse those two etherpads into one?17:39
henrynashayoung: on implied roles, I think you put me co-author on the API one…most of my code is in the backend one17:39
ayounghenrynash, ah...right17:40
*** ninag_ has quit IRC17:40
ayoungOK I'll add you to both17:40
*** ninag has joined #openstack-keystone17:40
henrynashayoung: probably the most accurate17:40
dstaneklbragstad: i wouldn't have a problem with that17:41
lbragstaddstanek want to use the office hours one or the bug-bash one?17:41
openstackgerritayoung proposed openstack/keystone: backend for implied roles
dstaneklbragstad: i'll let you pick :-)17:42
stevemaris it cause it's easier to check boolean then date, instead of date then boolean?17:44
stevemarlbragstad: ^17:44
*** ninag has quit IRC17:44
openstackgerritTom Cocozzello proposed openstack/python-keystoneclient: WIP set up incude names for list role assignments
stevemardolphm: you too since you are active today:
*** jistr has quit IRC17:45
lbragstadstevemar I'm not entirely sure, but whatever the case, I think it needs to be added as a comment explaining the reasoning.17:45
*** shaleh has joined #openstack-keystone17:45
ayounghenrynash, I'd like to get the migration merged, even if the others malinger.  With there being several migrations all trying to claim the same number, it is going to be the cause of most of the rebasing17:47
*** ninag has joined #openstack-keystone17:48
openstackgerritMerged openstack/python-keystoneclient: Wrong usage of "a/an"
lbragstadjorge_munoz do you remember if we ever opened a bug for deprecating the use of 'CONF.is_domain_immutable'?17:49
lbragstadcc - dolphm ^17:49
lbragstadjorge_munoz I remember us having that as an action item from a conversation we had, I can't remember if the bug was ever opened though.17:49
*** RichardRaseley has joined #openstack-keystone17:50
RichardRaseleyCan anyone point me to a good resource on getting started developing against OpenStack Keystone in Python?17:50
lbragstadRichardRaseley is a good place to start if you haven't read it already17:51
RichardRaseleyI've got a Kilo cloud and am working on some tooling against it. At this time it is basic user / role / project management[17:51
lbragstadRichardRaseley along with -
shalehRichardRaseley: you mean using python-keystonelient lib for your own apps?17:51
RichardRaseleylbragstad: Thank you.17:51
RichardRaseleyshaleh: Yes, I am just going to develop a simple user / role / project management script.17:51
lbragstadRichardRaseley that information can be specific to keystone development.17:51
lbragstadRichardRaseley which might not be exactly what you need (sorry, I jumped to gun in answering your question)17:52
*** ninag has quit IRC17:52
shalehRichardRaseley: Jamie Lennox and a few of the other devs have nice blogs with short examples. Also, I find just loading up the lib in thr interpreter and experimenting to be a good way to learn.17:52
*** ninag has joined #openstack-keystone17:53
lbragstadRichardRaseley for a script you can use the openstack client17:53
RichardRaseleylbragstad: Yeah, that seems to be good info on setting up a development environment and the like, but I am looking for something to get me started at the code level, e.g here's how you auth, here's how you query users, etc.17:53
lbragstadRichardRaseley ++ to what shaleh said, too17:53
RichardRaseleylbragstad: So you would suggest I just shell out from my python code?17:53
openstackgerritSteve Martinelli proposed openstack/keystone: Remove redundant check after enforcing schema validation
lbragstadRichardRaseley dolphm also has a simple script that bootstraps a keystone deployment using keystoneclient, that might be helpful for you to reference (as a start)17:54
shalehRichardRaseley: if you are used to REST, check out the API specs here:
RichardRaseleyFor someone getting started, would you recommend use of the python libraries or interacting with the API through REST? The former would seem a bit clearer?17:54
stevemardolphm: i re-added the tests here: they pass locally, i think they were duplicates, but we can remove them in another patch17:55
shalehRichardRaseley: essentially you auth by making a Session. Then you call bits of the API using the Session object. The curve is not very steep.17:55
lbragstadRichardRaseley in the long term, using the libraries would be beneficial17:56
RichardRaseleyOK, I will poke at it from that direction. Thanks!17:56
RichardRaseleyThank you both, shaleh and lbragstad.17:56
lbragstadRichardRaseley np, good luck!17:56
shalehRichardRaseley: np17:57
*** ninag has quit IRC17:57
*** ninag has joined #openstack-keystone17:58
*** ninag has quit IRC18:02
*** roxanaghe has joined #openstack-keystone18:03
*** phalmos has quit IRC18:03
*** phalmos has joined #openstack-keystone18:09
*** petertr7 is now known as petertr7_away18:13
*** ninag has joined #openstack-keystone18:13
*** jsavak has quit IRC18:14
*** jsavak has joined #openstack-keystone18:14
*** ninag_ has joined #openstack-keystone18:14
*** ninag__ has joined #openstack-keystone18:16
*** mhickey has quit IRC18:16
*** ninag has quit IRC18:17
bretongyee: yep, I am still working on that bug18:18
bretongyee: sorry for long radiosilence on it18:18
*** ninag_ has quit IRC18:18
openstackgerritMerged openstack/python-keystoneclient: Docstring: Mark optional parameter as optional.
openstackgerritAyush Garg proposed openstack/keystone: Update warn with warning for logging
*** PsionTheory has joined #openstack-keystone18:24
*** rdo has quit IRC18:26
stevemarlunch time!18:27
gyeebreton, np, I was about to write code :)18:27
*** rdo has joined #openstack-keystone18:28
RichardRaseleylbragstad and shaleh: All of the python examples I am seeing are using `keystoneclient`. Is that what I should be doing, or should I use `openstackclient`?18:29
shalehRichardRaseley: 'keystoneclient' is provided by python-keystoneclient pip package. Yes, use that for a 100% Python experience. no need to shell out.18:29
*** jsavak has quit IRC18:30
shalehRichardRaseley: what release of OpenStack are you targeting currently?18:30
RichardRaseleyshaleh: OK, so the 'keystoneclient is deprecated' warning from people is more about using from the CLI vs. development.18:30
RichardRaseleyshaleh: Juno18:30
shalehRichardRaseley: yes. The 'keystoneclient' CLI is deprecated. But it is also the name of the Python lib :-)18:31
RichardRaseleyAh, OK18:32
shalehin Juno I think keystoneclient CLI is your best bet though.18:32
shalehRichardRaseley: all of the other OpenStack services use python-keystoneclient to talk to keystone. If you grep around for it in their code you will see good examples of authenticating.18:33
RichardRaseleyshaleh: OK, thank you!18:33
shalehRichardRaseley: I just barely saw kilo, so unfortunately my knowledge of juno is mostly from tribal wisdom.18:34
*** spandhe has joined #openstack-keystone18:38
*** jsavak has joined #openstack-keystone18:40
*** jbell8 has joined #openstack-keystone18:43
*** e0ne has joined #openstack-keystone18:44
notmorganlbragstad: we didn't have a bug for deprecating that but iirc we did it18:44
notmorganayoung: this should be an easy +2/+A and closes the loop a but more on keystone-manage bootstrap18:46
ayoungnotmorgan, trade you one for one18:46
notmorganayoung: depending on how complex and if it's server18:46
notmorganayoung: :P18:46
ayoungnotmorgan,  but henrynash  already undermined me18:47
ayoungare we even insiting on tests for migrations anymore?18:48
notmorganayoung: we do.18:48
notmorganayoung: but mostly it's with data manipulation18:48
ayoungthis seemed to be simplicity itself.18:49
notmorganusually the migration comes with code that exercises it18:49
notmorganthis one is doing some manipulation of data [creating Fkeys] and should have a simple test to ensure it's created correctly18:50
*** fawadkhaliq has quit IRC18:50
notmorganor... like i said, code to exercise it vs. just putting in a schema. [follow ups that can merge at the same time is also good]18:50
ayoungnotmorgan, this was a split...and it is this kind of confusion that made me resist doing the split18:51
openstackgerritayoung proposed openstack/keystone: SQL migrations for implied roles
notmorganayoung: i think adding that into the commit message would make it easier to see18:55
notmorganayoung: then18:55
notmorganayoung: :)18:55
*** alejandrito has joined #openstack-keystone18:56
RichardRaseleyI am attempting to write a pretty basic script to manipulate users / roles / projects in Keystone. My first test was this ( which fails with a keystoneauth1.exceptions.auth_plugins.MissingAuthPlugin: An auth plugin is required to determine endpoint URL.18:57
openstackgerritayoung proposed openstack/keystone: SQL migrations for implied roles
*** browne has joined #openstack-keystone18:57
ayoungnotmorgan, henrynash there ya go.18:58
notmorganayoung: ++18:58
RichardRaseleyIt is not clear to me (in my example above) if I can use the client object directly, or if I have to use it via a session?19:00
lbragstadRichardRaseley can you try using the v3 client?19:01
bknudson_you pass the session to the client19:01
shalehlbragstad: Juno19:01
RichardRaseleySorry, I am on Kilo19:01
shalehRichardRaseley: ah, that is a little more pleasant :-)19:02
RichardRaseleyshaleh: Good. =]19:02
RichardRaseleySo I first create a session as outlined here: ?19:02
bknudson_and it's also here
bknudson_unfortunately, it's a little out of date -- sessions are now in keystoneauth and not in keystoneclient19:04
*** kfox1111 has joined #openstack-keystone19:04
RichardRaseleyWow, this is pretty confusing for someone just getting started.19:04
*** tonytan4ever has quit IRC19:04
kfox1111I'm seeing maybe a bug in keystone client... can someone have alook at this stack trace?19:05
shalehRichardRaseley: it actually follows common Python REST API access practices19:05
RichardRaseleySo is there a canonical example for Kilo that I can reference that is up to date?19:05
RichardRaseleyshaleh: I don't know what that means in regard to me wanting to write a simple script, all I know is it is quite confusing for me.19:05
RichardRaseleybknudson_: So I need to use keystoneauth? Is that a separate python package? Part of keystone client?19:06
bknudson_you can continue to use keystoneclient sessions so the docs still work.19:06
*** fawadkhaliq has joined #openstack-keystone19:06
bknudson_but it's preferred to use keystoneauth. keystoneauth is a separate python package (actually it's keystoneauth1)19:06
kfox1111the strange thing is, it looks like a session pool http connection isn't tryign to be reestablished? is this a bug?19:07
*** jbell8 has quit IRC19:07
*** petertr7_away is now known as petertr719:08
*** fawadkhaliq has quit IRC19:13
*** edmondsw has quit IRC19:14
*** jbell8 has joined #openstack-keystone19:14
*** tonytan4ever has joined #openstack-keystone19:15
*** edmondsw has joined #openstack-keystone19:17
*** harlowja_ has quit IRC19:18
*** harlowja has joined #openstack-keystone19:19
openstackgerritMerged openstack/keystone: Reject user creation using admin token without domain
openstackgerritMerged openstack/keystone: Updating sample configuration file
*** pece has joined #openstack-keystone19:26
kfox1111anyone see that kind of behavior out of keystoneclient?19:27
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
lbragstaddolphm dstanek would you think that closes bug 1489061 ?19:31
openstackbug 1489061 in OpenStack Identity (keystone) "fernet token validation is slow" [Medium,Confirmed] - Assigned to Grzegorz Grasza (xek)19:31
dolphmlbragstad: it's certainly a Partial-Bug at least19:31
dolphmlbragstad: maybe close it manually with a benchmark to demonstrate?19:31
dolphmwhenever we have time for that :P19:32
dolphmlbragstad: oh i did benchmark it.19:32
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
lbragstaddolphm so, partial or closes?19:33
dolphmlbragstad: from the last profile i did, this was the biggest time sink. the second biggest time sink was listing federated service providers - which marekd was looking into awhile back. i never saw a patch come from that.19:33
lbragstadi'll update the commit message19:33
dolphmlbragstad: just do Partial for now19:33
lbragstaddolphm I don't remember a patch for that19:33
*** lhcheng_ has quit IRC19:33
dolphmlbragstad: i don't either, i wrote a blog post to help him profile keystone himself19:33
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments
lbragstadediting commit messages through the new gerrit ui is strange...19:34
bknudson_editing anything through the new gerrit is strange19:36
bknudson_or you could just say the new gerrit ui is strange.19:36
bknudson_searching is strange19:36
bknudson_copy-paste is strange19:36
bknudson_empty lines are displayed taller19:37
bknudson_scrolling is strange19:38
bknudson_typing comments is strange19:38
*** fangxu has joined #openstack-keystone19:39
* dolphm Today's featured rant brought to you by bknudson_ .19:40
tjcocozznow that we are talking about the ui are the dependencies are listed under 'related changes' tab?19:40
dolphmtjcocozz: yes19:40
tjcocozzdolphm, thank you19:40
*** e0ne has quit IRC19:47
stevemardolphm: thanks for all the reviews today19:47
*** vgridnev has quit IRC19:48
stevemarsearching with the new gerrit ui is definitely strange19:49
*** pece has quit IRC19:50
stevemardolphm: the liberty branch for keystoneauth fails here:
lbragstaddstanek I updated with a bunch of links to patches that close existing bugs - feel free to remove but hopefully it's a start for friday19:55
dstaneklbragstad: nice, thx!19:56
openstackgerritLance Bragstad proposed openstack/keystone: Replace DateTime with BigInteger for Revocation Events
lbragstaddstanek np19:56
dolphmhas anyone seen this i_ convention before? i'm not sure what to google def process_request(i_self, *i_args, **i_kwargs):19:58
openstackgerritDavid Stanek proposed openstack/keystone: Change LOG.warn to LOG.warning
openstackgerritDavid Stanek proposed openstack/keystone: Adds a hacking check looking for Logger.warn usage
openstackgerritDavid Stanek proposed openstack/keystone: Fixes hacking logger test cases to use same base
stevemardolphm: sounds like soemthing out of java19:59
dstanekdolphm: yuck. where are you seeing that?19:59
dolphm,unified L7119:59
dolphmdstanek: stevemar: ^19:59
dstanekdolphm: he's probably doing to so he does't mask the values from the closure20:00
dolphmdstanek: ah, so it's like "inline" or something?20:01
dstanekalthough he's not using them so it doesn't really matter...i'm guessing that i_ means inner_20:01
dolphminner, yeah20:01
htrutahenrynash: regarding your comment here:
htrutahenrynash: I thought it would make sense if we only allowed passing domain_id=None for is_domain=True projects... if we pass it to projects with is_domain=False, we raise an error20:05
*** jsavak has quit IRC20:05
stevemardolphm: more stable branch stuff;
stevemaroh wait, that one isn't as easy, since it's not a cherry pick20:06
*** thiagop-lunch is now known as thiagop20:07
*** fangxu has quit IRC20:07
bretondolphm: I think it's just a throwaway variables20:07
bretonI've seen people using _ as such variable20:07
henrynashhtruta: yep…and maybe you override the leagcy test for to expect an NotImplemented error?20:08
htrutahenrynash: makes sense20:08
dolphmbreton: _ in the interpreter has a different meaning though. i prefer _throwaway_variables_to_simply_be_prefixed_by_underscores20:08
bknudson_dolphm: he can't use self since self is referring to the containing class20:09
bknudson_I think "i" is short for "inner"20:10
bretondolphm: suggests to used `_'20:12
*** woodster_ has joined #openstack-keystone20:12
bknudson_ doesn't seem to be much of an improvement to me.20:14
bknudson_I guess it's needed for the follow-on20:14
*** jasonsb has quit IRC20:15
*** pkarikh has quit IRC20:21
*** belmoreira has joined #openstack-keystone20:22
RichardRaseleyI am working on a basic python script to do some user / role / project management against Keystone. When using `openstacclient` on the CLI, I am able to execute commands successfully. When trying to script the same operation I receive an error. Here is a paste which contains (1) my env variables, CLI commands, python script, and traceback error.
RichardRaseleyAny insight would be greatly appreciated.20:22
*** pkarikh has joined #openstack-keystone20:25
*** nkinder has quit IRC20:26
stevemarRichardRaseley: use "username" instead of "user_id" on line 2920:26
*** nkinder has joined #openstack-keystone20:26
stevemarand add the argument "project_domain_name" to v3.Password as well20:26
stevemaryour user_id is most likely not "richard_raseley" :)20:26
RichardRaseleystevemar: Thank you. Can you expand on project_domain_name vs. user_domain_name?20:27
stevemarRichardRaseley: both project and user should be domain-scoped20:27
stevemarprojects, users, and groups are all collected under a single domain, to allow for duplicate user names and such20:28
*** e0ne has joined #openstack-keystone20:28
stevemarso you have to specify, the user isn't just richard and the project isn't just openstack20:28
stevemarthe user is: richard@default_domain and the project is: openstack@default_domain20:28
stevemarin the case of another domain, say domainB, you could have: richard@domainB working on project openstack@domainB20:29
*** e0ne has quit IRC20:29
RichardRaseleystevemar: Oh, OK - I haven't seen that in any of the docs I've been trying to follow.20:29
RichardRaseleyLet me check that out.20:29
stevemargive it a whirl20:29
*** jsavak has joined #openstack-keystone20:29
tjcocozzstevemar, should auth_url be at port 5000 or 35357?20:30
stevemarbknudson_: dolphm any ideas on why liberty is failing to build for keystoneauth?
lbragstadstevemar do you know if tony wang is on irc?20:30
dolphmcloudnull: ^20:30
stevemartjcocozz: doesn't matter for most cases, but 5000 is the ideal one20:30
*** e0ne has joined #openstack-keystone20:30
bknudson_stevemar: let me get through this review and I'll take a look.20:30
lbragstadstevemar just curious if he had a follow on patch for -
stevemarbknudson_: the review is a proposal bot change :)20:31
stevemarlbragstad: i have no idea who he is :)20:31
stevemarlbragstad: what was the follow on patch supposed to address?20:31
lbragstadstevemar stuff like you're comment here -
stevemarlbragstad: ohh20:32
stevemari tried to do that, and then couldn't get it working20:32
stevemarit wasn't critical enough for me to change my vote though20:32
openstackgerritNavid Pustchi proposed openstack/keystone: Delete checks for default domain delete
RichardRaseleystevemar: OK, I now have as follows:
lbragstadstevemar I don't think it's enough to -1 but I was curious if a follow on was floating around somewhere.20:32
stevemarlbragstad: nope, i went and got distracted with other stuff20:33
stevemarRichardRaseley: any luck?20:33
*** e0ne has quit IRC20:33
*** vgridnev has joined #openstack-keystone20:33
stevemarRichardRaseley: oh, don't worry about actually adding the @ sign in your code, that was for illustrative purposes!20:33
stevemarthe v3.Password plugin does all that logic for you, just supply the username, password, project, and what domain it's all in.20:34
stevemarsorry is i steered you wrong20:34
RichardRaseleystevemar: Oh, that's OK. Let me clean that up and try.20:34
bknudson_stevemar: I could swear we've seen the issue in before.20:34
stevemarRichardRaseley: yeah, just chop off the "@default_domain" thing, that was just me trying to illustrate, apparently not well!20:35
stevemarbknudson_: yeah right?20:36
RichardRaseleystevemar: That got me what I was hoping for, thank you.20:36
stevemarRichardRaseley: yippie20:36
openstackgerritNavid Pustchi proposed openstack/keystone: Delete checks for default domain delete
*** jsavak has quit IRC20:37
stevemarbknudson_: it is installing the latest ksm, 4.0.020:37
stevemarand oslo.config20:37
dstanekbknudson_: wasn't that an issue with using a newer version of oslo.config?20:37
bknudson_the change was in keystoneauth, right.20:38
*** jsavak has joined #openstack-keystone20:38
stevemarstable/liberty of ksa20:38
stevemardstanek: if that's the case, we'll have to cap it20:38
stevemardims ^^20:38
*** mhickey has joined #openstack-keystone20:38
bknudson_we've got this change:
*** fpatwa has joined #openstack-keystone20:41
bknudson_change in keystonemiddleware:
dstanekbknudson_: ah right, those things were removed at some point20:42
*** dtroyer_zz has quit IRC20:43
bknudson_stevemar: so it's using latest keystonemiddleware with old keystoneauth seems a little odd.20:44
bknudson_I thought we didn't even release keystoneauth in L.20:45
*** dtroyer has joined #openstack-keystone20:45
fpatwaI am trying to setup keystone with AD as backend using the Read-Only LDAP option (multi domain support) - I have it setup and as 'admin' user in sql can view the users in AD specific domain, but am not sure how to assign a role to domain admin user which is in AD20:45
fpatwaWhen I try it using the 'admin' user in sql I get Authorizatiion failure error20:46
openstackgerritMerged openstack/keystone: Make `bootstrap` idempotent
fpatwaI would appreciate if anyone can provide any pointers - Thanks! - Farhan20:49
RichardRaseleystevemar: follow-up. If I want to wrap my keystone code in a try / except block, what is the correct way for me to capture the relevant errors? For example, in my ldap code I have `except ldap.LDAPError, e: ...` is there a similar 'class' (if that is the right term) of object to ldap.LDAPError?20:49
openstackgerritMerged openstack/keystoneauth: Change LOG.warn to LOG.warning
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** zqfan has quit IRC20:51
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name
dolphmRichardRaseley: firstly, use "ldap.LDAPError as e" not "ldap.LDAPError, e"20:54
dolphmRichardRaseley: the comma is from py25, and in newer versions of python, looks like you're also trying to catch an exception named "e"20:56
htrutahenrynash: hey, I was also thinking of splitting this one: 1 that makes project.domain_id nullable (that's pretty much your code) and the constraint changing itself. Makes sense?20:56
dolphmRichardRaseley: i'm also trying to figure out quite what you're asking for..20:57
dolphmRichardRaseley: ldap.LDAPError *is* probably a class, and you're catching an instance of it20:57
dolphmRichardRaseley: well not probably, it *is*20:58
*** david-lyle_ has joined #openstack-keystone20:59
*** david-lyle_ has quit IRC20:59
stevemarbknudson_: i think we released an alpha of ksa20:59
bknudson_I'll keep looking into it.. might be able to recreate by using old ksa with new middleware.20:59
stevemarbknudson_: maybe backport mordred's change20:59
bknudson_might need to add some workaround logic (or backport something)21:00
mordredstevemar: what did I do?21:00
stevemarmordred: broke everything!21:00
stevemarmordred: so liberty of ksa is not building:
stevemarmordred: here's the error:
stevemarmordred: i'm wondering if backporting will fix it21:01
bknudson_ohh, looks good.21:02
mordredso - yes21:02
openstackgerritMerged openstack/keystone: Wrong usage of "an"
bknudson_LOL because I just pointed at as a guess.21:03
*** raildo has left #openstack-keystone21:03
bknudson_sometimes you get lucky21:04
stevemarbknudson_: backports are cheap, i went ahead and cherry picked21:04
*** pauloewerton has quit IRC21:04
openstackgerritMerged openstack/keystone: fix reuse of variables
openstackgerritMerged openstack/keystone: Add return value
openstackgerritMerged openstack/keystone: Verify that attribute `enabled` equals True
openstackgerritMerged openstack/keystoneauth: Add betamax to test-requirements.txt
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** fangxu has joined #openstack-keystone21:08
*** spzala has joined #openstack-keystone21:08
lbragstadnavidp stevemar dolphm bknudson_ gyee breton around?21:08
openstackgerritMerged openstack/python-keystoneclient: Change default endpoint for Keystone v3 to public
lbragstadwant to see if we can come to a quick conclusion on what means to us21:09
openstackLaunchpad bug 1522616 in OpenStack Identity (keystone) "It's possible to disable the default domain through domain update API" [Medium,In progress] - Assigned to Navid Pustchi (npustchi)21:09
lbragstadsince navidp has some fixes up already21:09
gyeelbragstad, yes sir21:10
*** jbell8 has quit IRC21:10
lbragstaddo we think it's a bug?21:10
gyeeI don't think so21:10
lbragstadthe only reason why I opened it was because we don't allow that behavior when deleting the default domain, but it is possible to achieve the same end result by disabling it21:11
gyeethere's nothing special about the domain21:11
RichardRaseleydolphm: Just seeing your replies no2w.21:11
lbragstadgyee i agree21:11
lbragstadgyee i'm more or less talking about how we take a lot of precaution when deleting a domain but we don't take *any* when disabling it21:11
gyeeyou have to be a cloud admin to be able to disable a domain21:12
RichardRaseleydolphm: My intent is to gracefully capture any errors generated by my keystone code, and present those to the user.21:12
lbragstadand both actions result in the same thing21:12
RichardRaseleyThanks for the `as e` tip.21:12
bretonwhy would we take any precautions?21:12
dolphmRichardRaseley: what exceptions are you expecting?21:12
lbragstadbreton that predates me i think21:12
bretondisabling is a precaution by itself, isn't it?21:12
dolphmRichardRaseley: and i assume this is in Keystone itself?21:12
RichardRaseleydolphm: That's a hard question.21:12
gyeelbragstad, you mean disable-before-deletion feature?21:13
RichardRaseleydolphm: I am developing a script to interact with Keystone.21:13
dolphmRichardRaseley: it should be easy - what exceptions does the code you're calling document as possible exceptions it could raise?21:13
RichardRaseleydolphm: I have absolutely no idea how to determine that.21:13
gyeethat was done to mitigate some performance limitations I think21:14
lbragstadgyee right, we can't explicitly delete without disabling first, but that only applies to the default domain defined in the CONF.21:14
lbragstadlink -
RichardRaseleydolphm: I am going to be listing / adding / deleting users / roles / projects21:14
lbragstadwe protect against deleteing the default domain, but we don't protect against disabling it. which results in the same behavior21:15
bretonhenrynash wrote that warning21:15
lbragstadbreton yes21:15
bretonhenrynash: why shouldn't we delete or disable the default domain?21:16
navidpgyee, If you are cloud admin in default domain and disable default domain, cloud admin can not enable it agian, i think that causes issues.21:16
bretonor did he21:17
gyeecloud admin doesn't have to come from default domain21:17
lbragstadI think it's a question of how much rope we want to be able to give people21:17
gyeewe should remove that check21:17
gyeeI thought we drew that line a long time ago21:17
*** kragniz is now known as {^-^}21:17
lbragstadwe either remove the check and then warn people saying "hey, this could be really bad if you disable to delete this... you've been warned"21:18
*** {^-^} is now known as Guest4635321:18
*** Guest46353 is now known as kragniz21:18
lbragstador we can make disabling it consistent with the behavior of delete21:18
lbragstadeither one works for me21:19
lbragstadjust wanted to get the discussion rolling since navidp has some time and patches invested into it21:19
dolphmRichardRaseley: what python call are you making, exactly?21:19
gyeeI think we should remove that check21:19
lbragstadgyee ok, so question21:19
lbragstadgyee would that have to go through a deprecation cycle?21:19
RichardRaseleydolphm: Thanks for taking time with what must seem like a really simple problem.21:20
dolphmRichardRaseley: it's a very broad problem :)21:20
*** alejandrito has quit IRC21:20
gyeelbragstad, I am not sure, stevemar's call I guess21:21
lbragstadgyee agreed21:21
gyeethough I don't know if its an documented external-facing feature21:21
gyeeif not, we can just remove it21:21
RichardRaseleydolphm: My code isn't complete yet, but I will be calling the users.{create,list,show), project.{create,list,show}, and roles.{create,list,show} (and whatever is required to assign roles)21:21
dolphmRichardRaseley: using keystoneclient?21:22
RichardRaseleydolphm: Yes21:22
lbragstadnavidp thoughts?21:23
dolphmRichardRaseley: so, you can catch keystoneclient.exceptions.ClientException to catch everything from keystoneclient, since all of our exceptions extend that21:23
RichardRaseleydolphm: OK, that is really helpful.21:24
*** lhcheng has joined #openstack-keystone21:24
*** ChanServ sets mode: +v lhcheng21:24
navidpgyee, why a cloud admin can disable or delete default domain as long as it is default domain, not that it is special more as it breaks consistency21:24
lbragstadgotta run to a quick meeting, i'll read the scroll back once i'm done21:24
gyeelbragstad, nomorgan added bootstrap commands to keystone-manage21:24
gyeeif needed, we can enhance to enable cloud admin domain21:25
*** jsavak has quit IRC21:25
openstackgerritayoung proposed openstack/keystone: SQL migrations for implied roles
gyeenavidp, default domain was created to facilitate v2 to v3 migration only21:25
gyeethere's nothing special about it21:25
*** jsavak has joined #openstack-keystone21:25
gyeecloud admin domain is configurable and it cloud be any domain21:25
bretonthat feel when there were no reviews for 3 weeks and then I get 100+ notifications about reviews in two days21:27
RichardRaseleydolphm: OK, thank you.21:27
dolphmbreton: sorry21:27
*** lhcheng_ has joined #openstack-keystone21:27
gyeebreton, its review seaon again :)21:27
stevemarbreton: :)21:28
navidpgyee, ok then :)21:28
openstackgerritayoung proposed openstack/keystone: backend for implied roles
openstackgerritayoung proposed openstack/keystone: Implied Roles API
stevemarbreton: i can confirm that as PTL, that feeling is awesome21:28
*** belmoreira has quit IRC21:29
*** jsavak has quit IRC21:31
*** lhcheng has quit IRC21:31
*** jsavak has joined #openstack-keystone21:31
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support
bknudson_there's something way off with the sample config file updater.21:45
*** dave-mccowan has quit IRC21:47
*** timcline has quit IRC21:47
lbragstadgyee just curious, but why was the default domain protected from being deleted then?21:50
*** timcline has joined #openstack-keystone21:50
gyeelbragstad, it shouldn't21:52
gyeedon't remember why we did that, but it shouldn't receive any special treatments21:52
samueldmqayoung: sure will look21:52
samueldmqayoung: sorry for the delay, holiday here today :)21:53
ayoungsamueldmq, thanks21:53
lbragstadgyee hm, ok. navidp we should follow up with henrynash when he is online21:53
ayounglbragstad, you can;'t run without default domain21:53
ayoungeverything would break21:53
lbragstadayoung but the same is true if you disable the default domain, right?21:54
lbragstadayoung and we don't protect against that21:54
bknudson_if deleting the default domain would break anything then we should fix that21:54
ayoungbut disable is reversable21:54
ayoungdelete is forever21:54
ayoungpretty sure you can re-enable a domain with a service token21:54
bknudson_not make it so you can't delete it21:54
lbragstadayoung it's only reversible if you have a recovery plan, like a second domain somewhere21:55
ayoungbknudson_, we are:  we are deprecating V221:55
gyeewe should implement this in bootstrap21:55
gyeekeystone-manage enable_cloud_admin or something21:55
ayounggyee, pretty sure it is done now in bootstrap21:55
*** vgridnev has quit IRC21:55
*** RichardRaseley has quit IRC21:55
dstaneklbragstad: gyee: this is why commit messages should be 'why' and not 'what' :-P21:55
gyeeayoung, ++21:55
ayounggyee, just did a review for bootstrap to be idempotent.  So if domain is deleted, it would be recreated21:56
gyeedstanek, amen brother!21:56
lbragstaddstanek ++21:56
ayoungnotmorgan wrote that21:56
gyeewe're good then21:56
bknudson_default domain is created by migration21:56
gyeeso is __member__ role21:57
lbragstadbknudson_ is right -
bknudson_I hope nobody deletes the member role21:58
*** jsavak has quit IRC21:58
gyeeit'll get magikally recreated21:59
gyeeno worries21:59
dstanekgyee: what recreates it?22:00
lbragstadit doesn't look like it's in the migration22:00
henrynashnavidp: hi…questions on default domain?22:02
*** ninag__ has quit IRC22:02
navidphenrynash, hi22:02
dstanekgyee: wow, crazy. i didn't know we did that22:02
lbragstadgyee interesting...22:03
lbragstadi didn't know that either22:03
navidphenrynash, is it possible to disable or delete default domain and cause no issues in keystone?22:03
*** ninag has joined #openstack-keystone22:03
gyeedstanek, that wasn't even an atomic operation either22:03
gyeethere are two separate transactions there22:04
henrynashnavidp: that *should* be possible, within certain restictions22:04
*** dtroyer has quit IRC22:04
*** DuncanT has quit IRC22:04
*** bradjones has quit IRC22:04
*** diazjf has quit IRC22:04
henrynashnavidp: e.g. be careful if you are using ldap22:04
*** bradjones has joined #openstack-keystone22:04
*** bradjones has quit IRC22:04
*** bradjones has joined #openstack-keystone22:04
*** diazjf has joined #openstack-keystone22:04
lbragstadhenrynash why do we have the "certain restrictions" part?22:05
henrynashnavidp: don’t use a bunch of teh v2 apis22:05
gyeeit is also possible to forgot to lock your doors at night and point the gun at your foot22:05
lbragstadhenrynash is what we are talking about22:05
openstackLaunchpad bug 1522616 in OpenStack Identity (keystone) "It's possible to disable the default domain through domain update API" [Medium,In progress] - Assigned to Navid Pustchi (npustchi)22:05
bknudson_I get an exception whenever I point the gun at my foot.22:05
navidphenrynash, should we restrict that ?22:05
gyeebknudson_, oh you just make my day22:06
lbragstadbknudson_ you'll end up with a 50322:06
henrynashnavidp: I think we should all the disablement of the default domain22:06
bknudson_lbragstad: probably 410 Gone22:07
lbragstadbknudson_ lol22:07
henrynashnavidp: now a bunch of things *should* stop working if you do that….e.g. if I autenticate via v2, it shoudl fail22:07
dstanekbknudson_: 410 Gone22:07
*** ninag has quit IRC22:07
bknudson_he he22:08
dstanekbknudson_: arrrg. you beat me to it22:08
navidphenrynash, so it is logical to disallow dosabling or deleteing default domain ?22:09
henrynashnavidp: no, I am saying we should allow those things22:09
henrynashnavidp: I think for now, not allowing youto delete the default domain is probably sensible22:10
*** dtroyer has joined #openstack-keystone22:10
*** mhickey has quit IRC22:10
henrynashnavidp: since disabling achieves the same effect from a “things stop working” point of view….and someone deleting the dfault domain by mistake could be seriously catastrophic22:11
henrynashnavidp: but you should definitely be able to disable it……22:11
henrynashnavidp: one issue would be if cloud admin is defined as having admin on the default domain (or a project within the default domain), I’m not sure how you could un-disable it…so we may have to add those checks22:12
henrynashnavidp: or add an option to keystone-manage to re-enable it22:13
*** petertr7 is now known as petertr7_away22:13
navidphenrynash, so for now disabling, then add an option to re-enable it, satisfies?22:14
lbragstadright now you can re-enable it but you have to do it via another domain22:16
henrynashnavidp: in the end, as was stated by someone, installations using the default domain should be the exception to the rule, but we’ll take a while to get there22:16
samueldmqdstanek: thanks for cleaning up the patch (abandoning)22:17
dstaneksamueldmq: my pleasure :-)22:17
*** DuncanT has joined #openstack-keystone22:17
navidphenrynash, ok then fair.22:17
*** shoutm has joined #openstack-keystone22:18
samueldmqbknudson_: hi22:18
henrynashlbragstad: if you are usin the v3cloudsample, then you have to be either cloud admin or domain admin  of the domain in question (and have a token to prove it)… that’s the issue if cloud admin is defined as having admin on the default domain (or a project within it)….you could never get a token on it22:18
bknudson_samueldmq: what's up?22:18
samueldmqbknudson_: do you think it is worth it to keep/merge those 2 patches for sql driver tests of endpoint policy and policy backends ?22:18
bknudson_stevemar: I was able to recreate the stable keystoneauth issue in vm. set up a venv with glance and pip install -U "keystoneauth1<1.2.0"22:18
samueldmqbknudson_: and
samueldmqbknudson_: or do you think we don't need them and just need to test the backends themselves (managers)22:19
bknudson_samueldmq: backends aren't managers. There should be tests for the backends and tests for the managers.22:20
bknudson_don't mix them22:20
samueldmqbknudson_: yes I know22:20
samueldmqbknudson_: sorry yes I confused in my setence22:20
samueldmqbknudson_: I am actually creating tests for the sql backends22:20
samueldmqbknudson_: I was asking because of your comment here
samueldmqbknudson_: if it was something specific to that test or relating to all those tests I wrote22:21
bknudson_if we're testing the interface is correct, then the test should be for the interface and then run all the same tests for all the implementations22:21
bknudson_sorry, should say : if we're testing that the driver implements the interface correctly, ...22:22
*** dims has quit IRC22:22
samueldmqbknudson_: agreed22:23
bknudson_as in, if all the drivers need to work the same then put the test in PolicyBase and then have a SqlPolicy(PolicyBase)22:23
lbragstadhenrynash right, if you have a keystone deployment with one domain and you decide to disable it,22:23
lbragstadhenrynash you can't really do anything else22:24
lbragstadhenrynash which is where you are suggesting the use of keystone-manage to re-enable it?22:24
bknudson_samueldmq: so shouldn't have all these tests in a PolicyBase ?22:24
bknudson_there's nothing specific to the SQL implementation as far as I can tell22:25
*** tonytan4ever has quit IRC22:26
samueldmqbknudson_: that's true, but for now it only has the sql backend22:26
openstackgerritMerged openstack/python-keystoneclient: Fix Resource.__eq__ mismatch semantics of object equal
samueldmqbknudson_: how different would be SqlPolicy(PolicyBase) and TestSqlPolicy(PolicyBase)22:26
bknudson_if we write it generic then somebody writing their own policy driver can use it to validate their implementation22:27
samueldmqbknudson_: but I am getting what you're saying, other backends supporting ldap and sql would already benefit from this22:27
samueldmqbknudson_: hmm, that's true, I was only thinking about our in-tree code22:27
samueldmqbknudson_: 100% agreed22:27
bknudson_There might not be any difference in SqlPolicy vs PolicyBase, other than setting up the SQL backend in setUp (which should be a fixture, but maybe it's not)22:28
bknudson_ideally the test wouldn't call self.driver.create_policy() in setUp, but would instead do SQL commands.22:29
bknudson_otherwise if we break create_policy then all the tests would stop working22:29
samueldmqbknudson_: so not using the driver itself for creating the test scenario22:33
samueldmqbknudson_: got your point22:33
bknudson_samueldmq: yep22:33
samueldmqdstanek: wait, was that yourself who abandoed that change ? or do you also have a bot for that work?22:35
samueldmqdstanek: I am asking because you(r bot) was pretty quick :-)22:36
samueldmqgyee: fixing a FIXME note from you here
samueldmqgyee: would be great to get your view on it22:38
gyeesamueldmq, thanks, looking22:38
samueldmqgyee: thanks :)22:39
*** timcline has quit IRC22:40
openstackgerritMerged openstack/python-keystoneclient: Remove "deprecated" internal method
*** phalmos has quit IRC22:41
*** tonytan4ever has joined #openstack-keystone22:45
*** KarthikB has quit IRC22:49
*** dims has joined #openstack-keystone22:53
openstackgerritMerged openstack/python-keystoneclient: Replace textwrap with fast standard code
shalehlbragstad: you around?23:00
openstackgerritMerged openstack/python-keystoneclient: Deprecated tox -downloadcache option removed
*** dims has quit IRC23:04
*** tonytan4ever has quit IRC23:07
*** diazjf has quit IRC23:12
*** topol has quit IRC23:18
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
*** henrynash has quit IRC23:20
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** henrynash has joined #openstack-keystone23:23
*** ChanServ sets mode: +v henrynash23:23
*** sigmavirus24 is now known as sigmavirus24_awa23:25
*** woodster_ has quit IRC23:26
*** dims_ has joined #openstack-keystone23:29
*** dave-mccowan has joined #openstack-keystone23:31
*** dims_ has quit IRC23:34
*** dims_ has joined #openstack-keystone23:36
openstackgerritEric Brown proposed openstack/keystone: Set deprecated_reason on deprecated options
*** gordc has quit IRC23:52
*** shaleh has quit IRC23:54
*** slberger1 has left #openstack-keystone23:55
*** itlinux has joined #openstack-keystone23:55
*** spzala has quit IRC23:57
*** oomichi has joined #openstack-keystone23:59

Generated by 2.14.0 by Marius Gedminas - find it at!