Friday, 2016-01-08

*** lhcheng has joined #openstack-keystone		00:02
*** ChanServ sets mode: +v lhcheng		00:02
*** spandhe has joined #openstack-keystone		00:04
henrynash	htruta: hi	00:05
htruta	henrynash, hi.	00:05
htruta	had to rebase your patch... seems like I've done something wrong	00:05
henrynash	htruta: did you mean tyo just update the V9 resoruce driver patch and remove the depreaction warning	00:06
*** ayoung has quit IRC		00:06
henrynash	htruta: ah, yep, didn’t think you meant to do that!	00:07
htruta	henrynash, hehe... sorry, I'll fix it	00:07
henrynash	htruta: np!	00:07
*** arif-ali has quit IRC		00:12
notmorgan	stevemar: waiting on local pep8/py27 run for the stable/liberty revert	00:13
notmorgan	stevemar: kilo revert also proposed	00:13
notmorgan	stevemar: we may want some reno for it too.	00:14
notmorgan	can add that if you want it	00:15
htruta	henrynash, wow, the diff between two versions, which are not base is coll on the new UI	00:16
htruta	coo*	00:16
htruta	cool**	00:16
*** arif-ali has joined #openstack-keystone		00:20
*** dims has joined #openstack-keystone		00:22
stevemar	notmorgan: probs	00:25
notmorgan	stevemar: i'll add a reno patch for master soon.	00:26
*** jasonsb has joined #openstack-keystone		00:27
*** henrynash has quit IRC		00:27
openstackgerrit	Henrique Truta proposed openstack/keystone: Replace tenant for project in resource files https://review.openstack.org/248295	00:28
openstackgerrit	Henrique Truta proposed openstack/keystone: Create V9 version of resource driver interface https://review.openstack.org/262082	00:28
notmorgan	stevemar: https://review.openstack.org/#/c/265023/ stable/liberty	00:31
*** openstackgerrit has quit IRC		00:32
*** openstackgerrit has joined #openstack-keystone		00:32
roxanaghe	bknudson_, still around? for https://review.openstack.org/#/c/242512/ I still don't get it how that code in extras is hit. I can login with ADFS without hitting the ADFSPassword plugin	00:36
notmorgan	stevemar: https://review.openstack.org/#/q/topic:bug/1475762+status:open	00:36
*** oomichi has joined #openstack-keystone		00:38
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add release note for revert of c4723550aa95be403ff591dd132c9024549eff10 https://review.openstack.org/265024	00:43
notmorgan	stevemar: ^ reno	00:43
gyee	notmorgan, stevemar, I suggest you guys to double check with Swift before approving the revert, it may cause problems with cross-tenant ACLs with names only	00:49
gyee	https://github.com/openstack/swift/blob/master/swift/common/middleware/keystoneauth.py#L143	00:49
gyee	there are legacy stuff may break if we are not careful	00:49
samueldmq	notmorgan: this looks to be a serious regression on running clouds	00:49
notmorgan	gyee: hopefully not since that was the previous behavior before that fix	00:50
gyee	bknudson_, btw, roxanaghe was looking at the patch, we can't figure out how that code got exercised at all	00:50
notmorgan	gyee: this only changes that you can use ids to get a token	00:51
gyee	notmorgan, right, but they are using token data version to determine the domain	00:51
samueldmq	notmorgan: is there a bug open for that ?	00:51
gyee	I would suggest they sign off on those patches so we have CYA :-)	00:51
notmorgan	and unless they changed that in liberty	00:51
notmorgan	we don't care	00:51
notmorgan	in fact, we should be reverting to maintain compat	00:52
notmorgan	changed it post l3	00:52
notmorgan	gyee: it's been doing that according to the blame since 2014	00:52
notmorgan	so we should be fine reverting	00:52
notmorgan	but we'llk see what breaks anyway at least w/ devstack-isms and go from there	00:53
gyee	if we that, make sure they set allow_names_in_acls to False	00:53
notmorgan	fwiw https://github.com/openstack/swift/commit/49fa5b8fb467bb5900dda36da47d46d4c5882bb0 that doc line was updated in 2014	00:53
notmorgan	so, like i said, this is just restoring us to correct behavior	00:54
gyee	v2 APIs should not be domain-aware at all	00:54
notmorgan	gyee: no they shouldn't but this is breaking real deployments and we just need to maintain old behavior unfortunately	00:55
gyee	lhcheng, do you know of ADFSPassword plugin being used at all?	00:55
gyee	notmorgan, yeah, so as long as they are aware of it and OK with it, that's all I am saying	00:56
*** woodster_ has quit IRC		00:56
notmorgan	gyee: i am unhappy about needing to revert it :(	00:57
gyee	lhcheng, bknudson_, looking at django-auth, we can't figure out how ADFSPassword plugin is being utilized	00:57
*** slberger has left #openstack-keystone		00:58
lhcheng	gyee: CERN uses ADFS, don't know if they used the ADFSPassword plugin.	00:59
gyee	we are trying to validate bknudson_ patch, but can't figure out how to test it	00:59
gyee	with ADFS that is	00:59
lhcheng	gyee: django_openstack_auth doesn't use it.	00:59
gyee	then I don't understand who uses that code	01:00
lhcheng	gyee: https://github.com/openstack/keystoneauth/blob/6547b156e95b6a8ad7f9efe290cbe0a3349f4977/keystoneauth1/tests/unit/extras/saml2/examples/xml/ADFS_RequestSecurityTokenResponse.xml#L21	01:02
lhcheng	marekd might know :)	01:02
gyee	right, that's the part we are trying to validate	01:05
gyee	lemme do some mo code diving	01:06
*** _zouyee has joined #openstack-keystone		01:06
*** KarthikB has joined #openstack-keystone		01:09
*** lhcheng has quit IRC		01:10
*** EinstCrazy has joined #openstack-keystone		01:14
*** _cjones_ has quit IRC		01:40
openstackgerrit	Roxana Gherle proposed openstack/keystone: Allow '_' character in mapping_id value https://review.openstack.org/264937	01:43
openstackgerrit	Roxana Gherle proposed openstack/keystone: Allow '_' character in mapping_id value https://review.openstack.org/264937	01:46
*** shoutm_ has joined #openstack-keystone		01:49
*** shoutm has quit IRC		01:53
*** spzala has joined #openstack-keystone		01:55
*** ccard__ has quit IRC		01:56
*** spzala has quit IRC		01:59
*** spandhe has quit IRC		02:05
*** KarthikB has quit IRC		02:06
*** ccard__ has joined #openstack-keystone		02:07
*** pai15 has joined #openstack-keystone		02:09
*** csoukup has joined #openstack-keystone		02:23
*** shoutm_ has quit IRC		02:25
*** henrynash has joined #openstack-keystone		02:26
*** ChanServ sets mode: +v henrynash		02:26
*** shoutm has joined #openstack-keystone		02:26
*** richm has quit IRC		02:31
*** yangyapeng has joined #openstack-keystone		02:32
*** ayoung has joined #openstack-keystone		02:35
*** ChanServ sets mode: +v ayoung		02:35
*** jaosorior has quit IRC		02:35
*** jaosorior has joined #openstack-keystone		02:35
*** dims has quit IRC		02:36
*** jasonsb has quit IRC		02:44
*** jasonsb has joined #openstack-keystone		02:44
*** tqtran has quit IRC		02:47
*** tsymanczyk has joined #openstack-keystone		02:57
*** tsymanczyk is now known as Guest82944		02:57
*** Guest82944 has quit IRC		02:57
*** pai15 has quit IRC		02:58
*** gyee has quit IRC		03:04
*** henrynash has quit IRC		03:06
*** spandhe has joined #openstack-keystone		03:35
*** aginwala has joined #openstack-keystone		03:42
stevemar	jamielennox: this is so close: https://review.openstack.org/#/c/244440/7	03:57
jamielennox	stevemar: always the funny thing is that i had +A there for a bit, but it merge conflicted	03:57
jamielennox	stevemar: is my gerrit messed up or are bknudson_'s nits unrelated?	04:00
stevemar	jamielennox: i think your gerrit is messed up, they seem related to me	04:00
stevemar	i think the big one is fixing the licence, cause #lawyers	04:01
jamielennox	it seems like code i changed, but gerrit isn't showing it as changed from the original	04:01
stevemar	oh, actually, you are right	04:01
stevemar	not sure why he wrote thta	04:01
stevemar	commented	04:02
dstanek	jamielennox: stevemar: i was just looking at that code	04:03
dstanek	copyright is borked :-)	04:03
jamielennox	dstanek: i've no idea how i did that	04:03
jamielennox	dstanek: there are pros and cons to vim, sometimes you accidently hit a key and it makes a giant change to your file you don't notice	04:04
dstanek	been there	04:04
openstackgerrit	Jamie Lennox proposed openstack/keystone: Perform middleware tests with webtest https://review.openstack.org/244440	04:05
openstackgerrit	Jamie Lennox proposed openstack/keystone: Make AuthContext depend on auth_token middleware https://review.openstack.org/255686	04:05
*** edmondsw has quit IRC		04:05
*** tsymanczyk has joined #openstack-keystone		04:07
*** tsymanczyk is now known as Guest89247		04:08
*** aginwala has quit IRC		04:11
*** Guest89247 has quit IRC		04:12
openstackgerrit	Merged openstack/keystone: Change LOG.warn to LOG.warning https://review.openstack.org/263113	04:16
openstackgerrit	melissaml proposed openstack/keystone: Wrong usage of "an" https://review.openstack.org/265066	04:19
openstackgerrit	Merged openstack/keystone: Adds a hacking check looking for Logger.warn usage https://review.openstack.org/264334	04:20
openstackgerrit	Merged openstack/keystone: Fixes hacking logger test cases to use same base https://review.openstack.org/264335	04:20
ayoung	http://phys.org/news/2016-01-evidence-bad.html Suggests that our current code review system is broken. Since we insist on all the -1s going away before we merge code.	04:25
*** tobe has joined #openstack-keystone		04:25
*** tobe has quit IRC		04:26
*** links has joined #openstack-keystone		04:27
*** KarthikB has joined #openstack-keystone		04:35
*** markvoelker has quit IRC		04:38
*** aginwala has joined #openstack-keystone		04:38
*** flwang has quit IRC		04:42
*** aginwala has quit IRC		04:42
*** flwang1 has joined #openstack-keystone		04:46
openstackgerrit	Henrique Truta proposed openstack/keystone: Restricting domain_id update https://review.openstack.org/207218	04:56
*** jamielennox is now known as jamielennox\|away		05:27
*** fawadkhaliq has joined #openstack-keystone		05:32
*** spandhe has quit IRC		05:35
*** jaosorior has quit IRC		05:47
*** dave-mccowan has quit IRC		05:49
*** henrynash has joined #openstack-keystone		05:58
*** GB21 has joined #openstack-keystone		05:58
*** ChanServ sets mode: +v henrynash		05:58
*** sigmavirus24_awa is now known as sigmavirus24		06:03
*** sigmavirus24 is now known as sigmavirus24_awa		06:05
*** toddnni_ has joined #openstack-keystone		06:08
*** toddnni has quit IRC		06:09
*** toddnni_ is now known as toddnni		06:09
*** mgagne has quit IRC		06:09
*** andreaf has quit IRC		06:09
*** spzala has joined #openstack-keystone		06:10
*** dtroyer has quit IRC		06:11
*** vgridnev has joined #openstack-keystone		06:13
*** markvoelker has joined #openstack-keystone		06:13
*** spzala has quit IRC		06:15
*** mgagne has joined #openstack-keystone		06:16
*** mgagne is now known as Guest41804		06:16
*** andreaf has joined #openstack-keystone		06:17
*** dtroyer has joined #openstack-keystone		06:17
*** _cjones_ has joined #openstack-keystone		06:17
*** markvoelker has quit IRC		06:18
*** _cjones_ has quit IRC		06:19
*** _cjones_ has joined #openstack-keystone		06:19
*** KarthikB has quit IRC		06:19
*** vgridnev has quit IRC		06:20
*** jaosorior has joined #openstack-keystone		06:21
*** aginwala has joined #openstack-keystone		06:29
*** EinstCrazy has quit IRC		06:37
*** aginwala has quit IRC		06:38
openstackgerrit	Ankit Agrawal proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	06:38
*** aginwala has joined #openstack-keystone		06:39
*** rdo has quit IRC		06:44
*** rdo has joined #openstack-keystone		06:46
*** aginwala has quit IRC		06:50
*** _cjones_ has quit IRC		06:51
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/264426	06:51
*** rdo has quit IRC		06:54
*** rdo has joined #openstack-keystone		06:56
*** itlinux has joined #openstack-keystone		06:58
*** zqfan has joined #openstack-keystone		07:02
*** shoutm has quit IRC		07:02
*** henrynash has quit IRC		07:03
*** aginwala has joined #openstack-keystone		07:06
*** shoutm has joined #openstack-keystone		07:12
*** aginwala_ has joined #openstack-keystone		07:13
*** itlinux has quit IRC		07:14
*** itlinux has joined #openstack-keystone		07:15
*** itlinux has quit IRC		07:16
*** aginwala has quit IRC		07:16
*** belmoreira has joined #openstack-keystone		07:26
*** aginwala has joined #openstack-keystone		07:27
*** aginwala_ has quit IRC		07:30
*** aginwala has quit IRC		07:31
*** aginwala has joined #openstack-keystone		07:34
*** GB21 has quit IRC		07:39
*** EinstCrazy has joined #openstack-keystone		07:49
*** aginwala has quit IRC		07:52
*** aginwala has joined #openstack-keystone		07:55
*** csoukup has quit IRC		07:55
*** oomichi has quit IRC		07:56
*** GB21 has joined #openstack-keystone		08:00
*** aginwala_ has joined #openstack-keystone		08:02
*** fawadkhaliq has quit IRC		08:04
*** ankit_ag has joined #openstack-keystone		08:05
*** aginwala has quit IRC		08:06
openstackgerrit	Merged openstack/keystone: Expose defect in users_in_group, groups_for_user exact filters https://review.openstack.org/264779	08:12
openstackgerrit	Merged openstack/keystone: Fix users in group and groups for user exact filters https://review.openstack.org/263158	08:14
*** oomichi has joined #openstack-keystone		08:14
*** markvoelker has joined #openstack-keystone		08:15
*** jaosorior has quit IRC		08:16
*** jaosorior has joined #openstack-keystone		08:16
*** markvoelker has quit IRC		08:19
*** jistr has joined #openstack-keystone		08:24
marekd	dolphm: around now	08:26
*** aginwala_ has quit IRC		08:29
*** spzala has joined #openstack-keystone		08:33
*** GB21 has quit IRC		08:37
*** spzala has quit IRC		08:38
*** fhubik has joined #openstack-keystone		08:54
*** GB21 has joined #openstack-keystone		08:55
openstackgerrit	Merged openstack/keystone: De-duplicate fernet payload tests https://review.openstack.org/230193	08:58
*** browne has quit IRC		09:04
openstackgerrit	Andreas Jaeger proposed openstack/keystone: Merge pep8 and bandit test environments https://review.openstack.org/261993	09:07
openstackgerrit	Andreas Jaeger proposed openstack/keystone: Merge pep8 and bandit test environments https://review.openstack.org/265148	09:11
*** dstanek has quit IRC		09:16
*** dstanek has joined #openstack-keystone		09:18
*** ChanServ sets mode: +v dstanek		09:18
*** mhickey has joined #openstack-keystone		09:23
*** BobBall has joined #openstack-keystone		09:46
*** fawadkhaliq has joined #openstack-keystone		09:56
BobBall	I'm confused with v2 vs v3 when using keystone_authtoken - could someone help? http://paste.openstack.org/show/483306/ glance-api and glance-registry are both configured with auth_uri=.../v3 and auth_version=v3.0, however keystoneclient.auth.identity.v2 is making the authentication requests!	09:56
BobBall	I suspect I'm missing something very obvious here, but I'm really confused	09:57
*** EinstCrazy has quit IRC		10:04
*** markvoelker has joined #openstack-keystone		10:15
*** markvoelker has quit IRC		10:20
*** jaosorior has quit IRC		10:37
*** jaosorior has joined #openstack-keystone		10:38
*** csoukup has joined #openstack-keystone		10:52
*** csoukup has quit IRC		10:56
*** daemontool has joined #openstack-keystone		10:58
openstackgerrit	Maho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller https://review.openstack.org/261188	10:58
*** fawadkhaliq has quit IRC		11:05
*** fawadkhaliq has joined #openstack-keystone		11:05
*** _zouyee has quit IRC		11:09
*** dims has joined #openstack-keystone		11:09
samueldmq	morning keystoners	11:09
samueldmq	BobBall: hi	11:10
samueldmq	BobBall: have you restarted the service after updating the configuration?	11:10
BobBall	And the VM they are running on :)	11:11
BobBall	The paste shows that auth.identity.v2 is using a v3 API	11:11
BobBall	URI I mean	11:11
samueldmq	BobBall: devstack ?	11:11
BobBall	No; Mirantis OpenStack	11:12
samueldmq	BobBall: yes something is weird, and it actually tried v2 URL then v3	11:15
samueldmq	BobBall: keystoneclient.auth.identity.v2 making v2.0 requests and keystoneclient.session using the v3 uri	11:15
*** yangyapeng has quit IRC		11:16
BobBall	Any ideas why it might do that? (even if it's not a way to fix it) because I'm very confused about the whole thing tbh :D	11:17
samueldmq	BobBall: is it working ?	11:19
BobBall	no :/	11:19
samueldmq	BobBall: could you reproduce the same using devstack?	11:20
BobBall	Hang on - you saying that the logs suggest it tries a v3 auth against a v3 url?	11:20
BobBall	I'd assumed it didn't try that since there was no reference to identity.v3	11:20
BobBall	If it tries a v3 auth then the problem might just be that the v3 auth itself is broken in my setup. I don't expect v2 to work, but I assumed from the above that v3 was not being attempted, just v2 with the v3 URI?	11:21
samueldmq	BobBall: yes maybe	11:21
samueldmq	BobBall: I see it trying v3 auth, then v2 auth ... v3 auth again then v2	11:21
samueldmq	BobBall: also it might be worth it to test against devstack, just to make sure it's working	11:22
samueldmq	BobBall: and test v3 auth manually on your keystone	11:22
BobBall	Awesome. Then I'll assume that I've just not got the right settings for the v3 auth plugin somehow or somewhere and v3 auth is working fine	11:22
BobBall	v3 auth works in 95% of scenarious	11:23
BobBall	scenarios*	11:23
BobBall	This is only failing for glance_store using swift	11:23
BobBall	Sorry for my misunderstanding of the logs - if I'd realised that v3 was actually being attempted correctly I would have dug into the auth earlier	11:24
samueldmq	BobBall: no problem, welcome	11:24
samueldmq	BobBall: let us know if you've got it working, or if you need help	11:25
*** fawadkhaliq has quit IRC		11:25
BobBall	Will do!	11:25
*** fawadkhaliq has joined #openstack-keystone		11:25
*** shoutm has quit IRC		11:30
*** _zouyee has joined #openstack-keystone		11:48
breton_	BobBall: which version of MOS is it?	11:51
BobBall	7 but with modifications to use keystone v3 by default, so it's not a standard thing for anyone :)	11:52
breton_	BobBall: could you please do `curl https://public.fuel.local:5000` and post the output?	11:53
breton_	or curl http://192.168.10.2:5000/	11:54
BobBall	{"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "https://public.fuel.local:5000/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}	11:56
*** markvoelker has joined #openstack-keystone		12:01
breton_	BobBall: https://bugs.launchpad.net/keystone/+bug/1438469	12:04
openstack	Launchpad bug 1438469 in keystonemiddleware "auth_version config not used" [Undecided,Incomplete]	12:04
breton_	stevemar: ^	12:04
*** markvoelker has quit IRC		12:06
*** raildo-afk is now known as raildo		12:16
*** EinstCrazy has joined #openstack-keystone		12:18
*** lhcheng has joined #openstack-keystone		12:23
*** ChanServ sets mode: +v lhcheng		12:23
*** GB21 has quit IRC		12:23
*** EinstCrazy has quit IRC		12:28
*** dims_ has joined #openstack-keystone		12:40
*** dims has quit IRC		12:41
*** markvoelker has joined #openstack-keystone		12:45
samueldmq	dstanek: hi, you around ?	12:45
*** EinstCrazy has joined #openstack-keystone		12:49
*** fawadkhaliq has quit IRC		12:50
*** EinstCrazy has quit IRC		12:52
*** EinstCrazy has joined #openstack-keystone		12:54
*** fawadkhaliq has joined #openstack-keystone		12:55
openstackgerrit	Paulo Ewerton Gomes Fragoso proposed openstack/keystone: API support for project cascade update https://review.openstack.org/243585	13:14
*** dims_ has quit IRC		13:16
*** links has quit IRC		13:25
*** dims has joined #openstack-keystone		13:26
*** ankit_ag has quit IRC		13:27
openstackgerrit	Grzegorz Grasza (xek) proposed openstack/keystone: Online schema migration documentation https://review.openstack.org/265252	13:33
*** edmondsw has joined #openstack-keystone		13:35
*** EinstCrazy has quit IRC		13:38
openstackgerrit	Henrique Truta proposed openstack/keystone: API support for project cascade delete https://review.openstack.org/244248	13:40
openstackgerrit	Henrique Truta proposed openstack/keystone: Manager support for project delete cascade https://review.openstack.org/244149	13:40
openstackgerrit	Henrique Truta proposed openstack/keystone: Add backend support for deleting a projects list https://review.openstack.org/245916	13:40
*** sigmavirus24_awa is now known as sigmavirus24		13:46
*** sileht has quit IRC		13:46
*** sileht has joined #openstack-keystone		13:48
*** annasort has joined #openstack-keystone		13:50
*** gordc has joined #openstack-keystone		13:50
*** e0ne has joined #openstack-keystone		13:52
openstackgerrit	Paulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade update https://review.openstack.org/243584	13:53
openstackgerrit	Grzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking cross-version migrations compatibility https://review.openstack.org/241603	13:54
openstackgerrit	Grzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking cross-version migrations compatibility https://review.openstack.org/241603	13:57
*** jaosorior has quit IRC		14:02
*** richm has joined #openstack-keystone		14:02
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Improve Development Environment Docs https://review.openstack.org/246400	14:09
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Improve Development Environment Docs https://review.openstack.org/246400	14:10
*** dave-mccowan has joined #openstack-keystone		14:13
*** GB21 has joined #openstack-keystone		14:13
samueldmq	okay, time to review and get used to new gerrit interface :)	14:14
openstackgerrit	Henrique Truta proposed openstack/keystone: Improves domain name case sensitivity tests https://review.openstack.org/236103	14:16
*** spzala has joined #openstack-keystone		14:18
*** jsavak has joined #openstack-keystone		14:30
*** KarthikB has joined #openstack-keystone		14:31
*** Eva-i has joined #openstack-keystone		14:35
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Improve Conflict error message in IdP creation https://review.openstack.org/265279	14:41
*** magalhaes has joined #openstack-keystone		14:46
magalhaes	Hi there	14:46
magalhaes	anyone here has used keystone to keystone federation? In order to connect an private cloud openstack to an openstack located in the public cloud?	14:47
*** petertr7_away is now known as petertr7		14:47
*** doug-fish has joined #openstack-keystone		14:50
*** iurygregory has quit IRC		14:52
Eva-i	Hello. Is it possible to gather keystone auth token from web browser like this https://github.com/openstack/zaqar/blob/master/examples/websocket.html#L101? Seems like this javascript code was working in the past, but now Keystone server doesn't allow cross-origin requests.	14:54
*** fawadkhaliq has quit IRC		14:54
*** fawadkhaliq has joined #openstack-keystone		14:54
*** fawadkhaliq has quit IRC		14:55
Eva-i	In Firefox web browser the error looks like this on attempt to get auth token from Keystone: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5000/v3/auth/tokens. (Reason: CORS header 'Access-Control-Allow-Origin' missing)."	15:00
*** vgridnev has joined #openstack-keystone		15:01
*** topol has joined #openstack-keystone		15:02
*** ChanServ sets mode: +v topol		15:02
*** iurygregory has joined #openstack-keystone		15:03
*** mhickey has quit IRC		15:04
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877	15:09
*** browne has joined #openstack-keystone		15:09
*** peter-hamilton has joined #openstack-keystone		15:14
*** peter-hamilton has quit IRC		15:18
*** mhickey has joined #openstack-keystone		15:18
*** csoukup has joined #openstack-keystone		15:19
*** petertr7 is now known as petertr7_away		15:19
*** fawadkhaliq has joined #openstack-keystone		15:23
*** dansmith is now known as superdan		15:23
*** petertr7_away is now known as petertr7		15:24
*** timcline has joined #openstack-keystone		15:26
*** breitz has quit IRC		15:30
*** breitz has joined #openstack-keystone		15:31
lbragstad	dolphm strange gerrit UI question for you, or anyone else who uses the gerrit-dash-creator. I have reviews that are "In Progress" meaning they aren't -1'd or failing Jenkins, yet they still show up as "Need Attention".. seems to only happen with the new gerrit UI.	15:40
lbragstad	has anyone else's gerrit dashboard behaved differently after the update?	15:41
*** e0ne has quit IRC		15:42
lbragstad	cc dstanek ^	15:43
*** links has joined #openstack-keystone		15:47
*** slberger has joined #openstack-keystone		15:48
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/264426	15:51
openstackgerrit	Merged openstack/keystone: Perform middleware tests with webtest https://review.openstack.org/244440	15:52
*** spzala_ has joined #openstack-keystone		15:53
*** spzala has quit IRC		15:55
*** ninag has joined #openstack-keystone		15:56
openstackgerrit	Marek Denis proposed openstack/keystone: Service Providers and Projects associations https://review.openstack.org/264854	15:58
*** fawadkhaliq has quit IRC		16:01
*** jsavak has quit IRC		16:02
*** timcline has quit IRC		16:03
*** tonytan4ever has joined #openstack-keystone		16:03
*** jsavak has joined #openstack-keystone		16:05
*** mhickey has quit IRC		16:06
*** henrynash has joined #openstack-keystone		16:07
*** ChanServ sets mode: +v henrynash		16:07
dstanek	lbragstad: i've not really noticed that yet. i've mostly moved to trello for managing reviews	16:09
*** zigo has quit IRC		16:09
bknudson_	dstanek: what does your trello board look like?	16:10
*** zigo has joined #openstack-keystone		16:10
*** belmoreira has quit IRC		16:10
lbragstad	dstanek alright - oh well... it's not a blocker, just annoying	16:11
lbragstad	and i was curious if anyone else noticed it	16:11
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	16:11
*** petertr7 is now known as petertr7_away		16:11
*** lhcheng has quit IRC		16:12
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	16:13
lbragstad	dstanek it's bug day - anything in particular you need me to review yet?	16:14
*** daemontool has quit IRC		16:15
dstanek	lbragstad: nope, i'm just starting to figure out what reviews i want to look at	16:15
lbragstad	FYI to everyone else - if you want we have an etherpad going per usual for the bug day - https://etherpad.openstack.org/p/keystone-office-hours	16:15
*** petertr7_away is now known as petertr7		16:17
*** mhickey has joined #openstack-keystone		16:18
*** henrynash has quit IRC		16:18
dstanek	bknudson_: https://trello.com/b/kAcLdBiq/openstack	16:19
dstanek	bknudson_: i'm still working out what my workflow will be, but the only thing i do manually is move a card into "In Progress" - the app does everything else for me	16:20
marekd	dstanek: it's not correlated with gerrit, is it?	16:21
*** jdennis1 has quit IRC		16:21
bknudson_	nothing is in progress	16:21
bknudson_	must be nice	16:21
marekd	your votes will not impact cards' status	16:21
dstanek	bknudson_: that because i'm going through and staring the reviews i want to look at :-)	16:21
dstanek	marekd: the data comes from gerrit	16:21
*** GB21 has quit IRC		16:21
marekd	dstanek: how?	16:22
dstanek	marekd: https://github.com/dstanek/os-trello	16:22
*** KarthikB has quit IRC		16:23
*** jdennis has joined #openstack-keystone		16:24
marekd	dstanek: thx	16:24
dstanek	marekd: np	16:24
*** dims has quit IRC		16:25
dstanek	marekd: it gets starred reviews from gerrit and watches/assigned bugs from launchpad - specs are coming this weekend	16:26
*** dims has joined #openstack-keystone		16:26
*** ninag has quit IRC		16:26
*** jbell8 has joined #openstack-keystone		16:26
*** tonytan4ever has quit IRC		16:27
*** links has quit IRC		16:27
*** jsavak has quit IRC		16:31
openstackgerrit	Marek Denis proposed openstack/keystone: Service Providers and Projects associations https://review.openstack.org/264854	16:31
*** jsavak has joined #openstack-keystone		16:32
*** jistr has quit IRC		16:33
*** _zouyee has quit IRC		16:37
*** tonytan4ever has joined #openstack-keystone		16:40
*** gyee has joined #openstack-keystone		16:40
*** ChanServ sets mode: +v gyee		16:40
*** fawadkhaliq has joined #openstack-keystone		16:48
openstackgerrit	Navid Pustchi proposed openstack/keystone: Delete checks for default domain delete https://review.openstack.org/264342	16:48
*** phalmos has joined #openstack-keystone		16:54
openstackgerrit	Brant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling https://review.openstack.org/198931	16:56
*** KarthikB has joined #openstack-keystone		16:58
*** rderose has joined #openstack-keystone		17:00
openstackgerrit	Brant Knudson proposed openstack/keystone: Use assertIn to check if collection contains value https://review.openstack.org/264959	17:02
*** jsavak has quit IRC		17:03
*** fhubik has quit IRC		17:03
*** henrynash has joined #openstack-keystone		17:04
*** ChanServ sets mode: +v henrynash		17:04
*** _cjones_ has joined #openstack-keystone		17:05
*** _cjones_ has quit IRC		17:06
*** _cjones_ has joined #openstack-keystone		17:06
*** jsavak has joined #openstack-keystone		17:06
stevemar	dstanek: office hours have started, yes?	17:16
dstanek	stevemar: i've been here for a while :-)	17:17
stevemar	dstanek: any "drop-in"?	17:17
*** GB21 has joined #openstack-keystone		17:17
dstanek	stevemar: how do you feel about https://review.openstack.org/#/c/253273/27 and its bug https://bugs.launchpad.net/keystone/+bug/1524030	17:18
openstack	Launchpad bug 1524030 in OpenStack Identity (keystone) "Reduce revocation events for performance improvement" [Medium,In progress] - Assigned to Jorge Munoz (jorge-munoz)	17:18
dstanek	stevemar: nobody ever drops in :-)	17:18
stevemar	dstanek: :(	17:18
stevemar	dstanek: there have been a few attempts at speeding up revocation events	17:18
samueldmq	henrynash: hi	17:19
henrynash	samueldmq: hi	17:20
dstanek	stevemar: i'm wondering if special casing the disabling events gives enough of a benefit for breaking up the code like that	17:20
samueldmq	henrynash: this bp may be considered implemented	17:21
samueldmq	henrynash: https://blueprints.launchpad.net/keystone/+spec/assignment-manager-cleanup	17:21
samueldmq	henrynash: I think the lat patches were the ones you submitted to re-use list_role_assignments	17:21
samueldmq	henrynash: do you agree?	17:21
lbragstad	dstanek we might be able to justify the trust + fernet thing as a separate bug?	17:23
*** roxanagh_ has joined #openstack-keystone		17:23
lbragstad	since it's something that is inconsistent between token providers	17:23
dstanek	lbragstad: if it's not correct behavior it should definitely be a separate bug	17:23
lbragstad	is mfisch around?	17:23
henrynash	samueldmq: so I have one more i the series I am working on….which allows the federation calls (e.g. list_projects_for_groups) to use list_role_assignments	17:24
lbragstad	dstanek I believe this patch is the result of some conversations at the summit	17:24
lbragstad	between jorge_munoz and dolphm IIRC	17:24
henrynash	samueldmq: which I will get in for M2	17:24
*** e0ne has joined #openstack-keystone		17:25
*** fawadkhaliq has quit IRC		17:26
*** fawadkhaliq has joined #openstack-keystone		17:26
*** rderose has quit IRC		17:27
samueldmq	henrynash: have you posted them up for review already?	17:27
*** superdan has quit IRC		17:27
*** dansmith has joined #openstack-keystone		17:27
lbragstad	dstanek and I want to say that mfisch had some input around the volume of revocation events	17:27
henrynash	samueldmq: not the last one yet, it’s mainly done - I need to rebase it and tidy it up…I’ll try and do that over the weekend and post early next week	17:27
lbragstad	dstanek I believe that he saw token validation times tank as the table grew, which is what helped spark the discussion at the summit	17:28
dstanek	lbragstad: according to mfisch's blog post on the subject the logouts from horizon (and something else) have the greatest number of evernt	17:28
samueldmq	henrynash: sure sir, please let me know, looking forward to review it	17:28
lbragstad	dstanek yeah, that sounds right	17:28
lbragstad	dstanek it was something that created tons of revocation events,	17:28
lbragstad	and that scaled up with token validations	17:28
dstanek	lbragstad: the real question is can we do something different in the algorithm for deleting old events? maybe limiting the deletes in a effort to stop table locking	17:29
lbragstad	dstanek at the summit we had a discussion around which revocation checks we could eliminate	17:29
lbragstad	dstanek we chose to remove the check for domain and project membership	17:29
dstanek	lbragstad: maybe i'll do some hacking on that over the weekend - but eliminating a very small percentage of the overall events may not be worth it	17:29
lbragstad	dstanek when you remove a user from a project or domain, a revocation event is stored to	17:29
*** GB21 has quit IRC		17:30
lbragstad	dstanek that behavior is something that we get for free with fernet because we rebuild the user/project and user/domain relationships on token validation - so there is no need for a revocation event	17:30
*** dansmith is now known as superdan		17:31
lbragstad	dstanek I want to say that we narrowed it down to a list of revocation events that we must keep - i'll try and dig those up	17:31
dstanek	lbragstad: i'm going to try to fix up https://review.openstack.org/#/c/127433/19 to get it through	17:31
lbragstad	dstanek related to bullet 1.3 here - https://etherpad.openstack.org/p/keystone-mitaka-summit-tokens	17:33
*** ninag has joined #openstack-keystone		17:34
lbragstad	ayoung was also a part of the conversation	17:35
lbragstad	ayoung question for you - do you remember what revocation events we wanted to keep?	17:35
*** diazjf has joined #openstack-keystone		17:37
*** jsavak has quit IRC		17:38
*** jsavak has joined #openstack-keystone		17:38
openstackgerrit	Navid Pustchi proposed openstack/keystone: Disallow disabling the default domain https://review.openstack.org/260067	17:40
*** timcline has joined #openstack-keystone		17:40
lbragstad	dstanek opened a new bug - https://bugs.launchpad.net/keystone/+bug/1532280	17:43
openstack	Launchpad bug 1532280 in OpenStack Identity (keystone) "Fernet trust token is still valid when user's domain is disabled." [Undecided,New]	17:43
lbragstad	cc jorge_munoz ^	17:43
dstanek	lbragstad: i need to try to setup a test environment to run the benchmark	17:44
notmorgan	stevemar: not sure why the reverts are failing gate. They worked.locally	17:44
notmorgan	stevemar: will poke at them again shortly	17:44
*** mhickey has quit IRC		17:45
*** magalhaes has quit IRC		17:47
mfisch	stevemar: is admin_token_auth the filter for the service token?	17:51
mfisch	if so I'm curious why it's enabled in the public endpoint by default, calls using it to that endpoint don't seem to work, but its in the pipeline	17:51
*** spandhe has joined #openstack-keystone		17:53
openstackgerrit	Roxana Gherle proposed openstack/keystone: Allow '_' character in mapping_id value https://review.openstack.org/264937	17:54
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	17:57
*** spandhe has quit IRC		17:58
*** doug-fis_ has joined #openstack-keystone		17:58
*** doug-fis_ has quit IRC		17:58
*** doug-fis_ has joined #openstack-keystone		17:59
*** jbell8 has quit IRC		18:00
*** lhcheng has joined #openstack-keystone		18:00
*** ChanServ sets mode: +v lhcheng		18:00
*** e0ne has quit IRC		18:01
*** doug-fish has quit IRC		18:01
*** dims_ has joined #openstack-keystone		18:02
*** Madkiss_ has joined #openstack-keystone		18:03
*** Madkiss has quit IRC		18:03
*** henrynash has quit IRC		18:03
*** doug-fis_ has quit IRC		18:03
*** jbell8 has joined #openstack-keystone		18:04
*** dims has quit IRC		18:05
*** lhcheng has quit IRC		18:05
*** doug-fish has joined #openstack-keystone		18:12
*** doug-fish has quit IRC		18:16
*** jasonsb has quit IRC		18:20
*** spandhe has joined #openstack-keystone		18:24
*** timcline_ has joined #openstack-keystone		18:30
*** timcline has quit IRC		18:30
notmorgan	mfisch: no it is meant for bootstrapping	18:33
notmorgan	mfisch: it is a static token that is "admin" but has nothing else going one	18:34
notmorgan	on*	18:34
notmorgan	mfisch: so basically "i'm an admin, do things and trust me"	18:34
notmorgan	mfisch: we're trying to deprecate it. hence the addition of keystone-manage bootstrap	18:34
notmorgan	mfisch: in a real deployment you should not have admin_token in the pipeline at all once bootstrap is complete	18:35
stevemar	mfisch: what notmorgan said, it's what validates the "ADMIN_TOKEN" in keystone.conf	18:36
notmorgan	stevemar: i'm not getting py27 failures locally. WTF.	18:37
notmorgan	stevemar: in this revert.	18:37
stevemar	lol	18:38
* notmorgan waits maybe not hit it yet.		18:38
stevemar	thats gonna be a joy to dbeug	18:38
*** ninag has quit IRC		18:38
notmorgan	i know i ran these full tests locally and got a pass which is why i'm baffled	18:39
notmorgan	just did a clean master checkout/cherry-pick	18:39
notmorgan	and a new TOX env	18:39
notmorgan	so.	18:39
notmorgan	also our tests are slow :()	18:39
*** RichardRaseley has joined #openstack-keystone		18:41
mfisch	notmorgan: for bootstrapping though shouldnt it only need to be in the admin pipeline by default and not the public one?	18:41
*** pgbridge has joined #openstack-keystone		18:41
mfisch	that was my real question	18:41
*** ninag has joined #openstack-keystone		18:41
notmorgan	mfisch: admin and public don't really matter	18:41
notmorgan	that is a bad v2 artifact	18:41
notmorgan	i always recommend making them the same	18:42
notmorgan	in mitaka it shouldn't matter anymore since we've compressed the routers entries into 1 entry basically you get "keystone"	18:42
notmorgan	at least i think we compressed them down to 1 entry	18:42
* notmorgan thinks samueldmq did that		18:42
*** petertr7 is now known as petertr7_away		18:43
RichardRaseley	I am having some issues assigning roles via keystoneclient in Python. As I understand, we should be able to do a `keystone.roles.grant(self, user, group, domain, project, os_inherit_extension_inherited, **kwargs)`. I am not familiar with what 'group' would be in this context. Could someone advise?	18:44
*** ninag has quit IRC		18:44
*** ninag has joined #openstack-keystone		18:44
*** ninag has quit IRC		18:45
raildo	RichardRaseley: a group of users	18:45
notmorgan	stevemar: ugh something changed since i wrote this patch	18:45
notmorgan	stevemar: :(	18:45
RichardRaseley	raildo: I am used to using the user, role, and project constructs. A 'group' in what context?	18:45
notmorgan	or... some other subtle thing. i HATE our tests they are bloody impossible to debug cause they error with HTTP errors.	18:45
raildo	RichardRaseley: you can great a group, add users on this group, when you grant a role for this group, all the users inside this group will have this role	18:46
notmorgan	and don't catpture the real log	18:46
raildo	RichardRaseley: would be group, role, project (the users inside this group will have this role on that project)	18:46
RichardRaseley	raildo: When were groups introduced?	18:47
notmorgan	stevemar: basically we're fialing in an opaque way now . fantastic :(	18:47
notmorgan	stevemar: "need auth to validate a token" getting a 401	18:47
notmorgan	this passed when i wrote the patch	18:47
RichardRaseley	raildo: I have an LDAP backend, and doing an `openstack group list` shows my LDAP groups. Nice.	18:48
raildo	RichardRaseley: Havana: https://wiki.openstack.org/wiki/ReleaseNotes/Havana#Domains.2C_Groups.2C_and_More:_Identity_API_v3_Support	18:48
RichardRaseley	raildo: Anyhow, for my purposes I am assigning access to a specific individual, so I thought I could pass `None` for the group, but it didn't seem to like that. Let me find the error.	18:49
*** aginwala has joined #openstack-keystone		18:49
*** rderose has joined #openstack-keystone		18:50
*** itlinux has joined #openstack-keystone		18:53
baffle	RichardRaseley: I've used Groups since Havana..	18:57
RichardRaseley	baffle: I believe you. =]	18:58
*** aginwala has quit IRC		18:58
notmorgan	stevemar: found it. ayoung did more cleanup that locked down default domain. we're protecting ourselves in like 5 places against this since we fixed that bug	19:01
notmorgan	stevemar: undoing ayoung's fixes as well now	19:02
notmorgan	stevemar: this is not a pretty revert :(	19:02
*** RichardRaseley has quit IRC		19:03
*** jsavak has quit IRC		19:03
*** tonytan4ever has quit IRC		19:05
*** Ephur has joined #openstack-keystone		19:08
*** fawadkhaliq has quit IRC		19:08
notmorgan	ayoung: ugh we rolled up so many fixed across so many patches to prevent issuing tokens for users outside of the default domain via v2 auth api. =(	19:09
notmorgan	also i noticed we are using 401s instead of 404s for validate	19:11
ayoung	notmorgan, when did we do that? It ws like, 3 years ago, IIRC	19:11
notmorgan	this is a huge mess	19:11
notmorgan	ayoung: nope we fixed the bug in liberty and backported it	19:11
*** jasonsb has joined #openstack-keystone		19:11
notmorgan	ayoung: and people relied on it in production	19:11
notmorgan	using project-id user-id to auth	19:11
ayoung	Yay!	19:11
notmorgan	ayoung: also you started raising 401s for token not-validated	19:12
notmorgan	vs. 404	19:13
notmorgan	which will cause middleware token churn	19:13
*** rdo has quit IRC		19:13
notmorgan	this has become quite the rabbithole	19:13
* notmorgan wonders if we can skip the trust token intermix outside of default domain.		19:13
bknudson_	lbragstad: answered your question in https://review.openstack.org/#/c/258141/4	19:14
bknudson_	I'll admit it's still strange	19:14
ayoung	notmorgan, check the bug on the 401 vs 404...	19:14
*** aginwala has joined #openstack-keystone		19:14
ayoung	there was a reason for that, and I think it was middleware churn	19:15
notmorgan	ayoung: yeah. the 404 is correct, 401 seems to have sneaked back in	19:15
notmorgan	ayoung: in some of our refactoring	19:15
ayoung	notmorgan, what commits were those? I was not doing cleanup for cleanups sake.	19:17
notmorgan	this one was actually in 2013	19:17
notmorgan	but we started calling the method in another cleanup	19:17
notmorgan	so we fail in weird ways	19:17
notmorgan	basically you did fix A, we did fix b, c, d, e and f, and now call functions from fix a	19:17
notmorgan	and BOOM	19:18
notmorgan	so i think i'm just going to exempt non-trust tokens	19:18
*** timcline_ has quit IRC		19:19
*** bradjones has quit IRC		19:19
notmorgan	for sanity/ease of solving the real issue and then i think we need to start expanding our execptions to not just be "Unauthorized" but "TokenValidationFailed" so this confusion stops between what exception to use when raising out and converting to a web-error	19:19
*** bradjones has joined #openstack-keystone		19:19
*** bradjones has quit IRC		19:19
*** bradjones has joined #openstack-keystone		19:19
*** timcline has joined #openstack-keystone		19:19
*** rderose has quit IRC		19:20
*** itlinux has quit IRC		19:20
*** browne has quit IRC		19:22
*** bradjones has quit IRC		19:27
*** bradjones has joined #openstack-keystone		19:28
*** bradjones has quit IRC		19:28
*** bradjones has joined #openstack-keystone		19:28
*** tonytan4ever has joined #openstack-keystone		19:30
*** timcline_ has joined #openstack-keystone		19:36
*** aginwala has quit IRC		19:37
ayoung	notmorgan, "exempt non-trust tokens" from what?	19:38
notmorgan	ayoung: the revert	19:38
notmorgan	ayoung: so you can again get a v2 token for a user in non-default domain. the fix we had broke behavior people relied on	19:39
notmorgan	so we have to undo that fix	19:39
notmorgan	you can use user_id, and tenant_id to get a v2 token for non-v2 project or user	19:39
*** petertr7_away is now known as petertr7		19:39
notmorgan	it's crappy, but maintaining behavior that real deployments use is important...	19:40
ayoung	"v2 token for a user in non-default domain" So long as it is requested by userid, that should b OK	19:40
notmorgan	yeah	19:40
notmorgan	thats the idea	19:40
*** timcline has quit IRC		19:40
ayoung	the only issue is that username is not guarnateed to be unique across domains	19:40
notmorgan	and i'm leaving trusts being locked out.	19:40
ayoung	why exempt trusts?	19:40
ayoung	I bet that breaks something	19:40
notmorgan	because they already didn't work afaict	19:40
ayoung	hmmmm	19:40
notmorgan	this is a very narrow edge case	19:40
*** aginwala has joined #openstack-keystone		19:40
notmorgan	we had a bug that fixed it	19:40
ayoung	notmorgan, I'll take your word	19:41
notmorgan	in liberty for general tokens. i am trying to keep the revert as narrow as i can	19:41
ayoung	what was the commit that broke everything?	19:41
notmorgan	a combination of like 3-5 of them	19:41
notmorgan	that refactored for fernet tokens	19:41
notmorgan	and then closed a hole	19:41
notmorgan	this is a hand rolled revert	19:41
notmorgan	because so much changed between when the fixes landed and when liberty shipped	19:42
notmorgan	https://review.openstack.org/#/c/208069/	19:42
notmorgan	that was the final "break things" commit	19:42
notmorgan	but this is a rabbithole	19:42
ayoung	notmorgan, so the ones I made were the commits back in 2013, nothing recent?	19:43
notmorgan	yeah, we just started calling .assert_default_domain in new ways	19:43
*** fawadkhaliq has joined #openstack-keystone		19:43
notmorgan	so - your fixes/cleanup from 2013 is also "fixing" this bug in some cases	19:43
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Revert "Validate domain ownership for v2 tokens" https://review.openstack.org/265002	19:44
notmorgan	stevemar: ^ that should pass py27 now	19:44
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Revert "Validate domain ownership for v2 tokens" https://review.openstack.org/265002	19:45
*** timcline_ has quit IRC		19:46
stevemar	notmorgan: thanks boss sauce	19:47
*** rdo has joined #openstack-keystone		19:47
*** timcline has joined #openstack-keystone		19:47
stevemar	notmorgan: poke: https://review.openstack.org/#/c/259730/	19:48
*** timcline has quit IRC		19:49
*** timcline_ has joined #openstack-keystone		19:49
*** lhcheng has joined #openstack-keystone		19:49
*** ChanServ sets mode: +v lhcheng		19:49
*** jbell8 has quit IRC		19:50
notmorgan	stevemar: working on stable/liberty revert now	19:50
notmorgan	and then kilo then i'll get to that review	19:51
stevemar	kk, nvm	19:51
notmorgan	these hand-rolled reverts are unfun	19:51
*** diazjf has quit IRC		19:51
stevemar	mmhmm	19:52
*** lhcheng has quit IRC		19:54
*** jsavak has joined #openstack-keystone		19:57
*** aginwala has quit IRC		20:03
*** aginwala has joined #openstack-keystone		20:05
*** timcline_ has quit IRC		20:05
*** timcline has joined #openstack-keystone		20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add release note for revert of c4723550aa95be403ff591dd132c9024549eff10 https://review.openstack.org/265024	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Revert "Validate domain ownership for v2 tokens" https://review.openstack.org/265002	20:07
*** lhcheng has joined #openstack-keystone		20:14
*** ChanServ sets mode: +v lhcheng		20:14
openstackgerrit	ayoung proposed openstack/keystone: SQL migrations for implied roles https://review.openstack.org/264259	20:16
ayoung	were hotels posted for the Austin Summit yet?	20:17
*** fawadkhaliq has quit IRC		20:17
*** fawadkhaliq has joined #openstack-keystone		20:18
tjcocozz	I am having trouble debugging in py34 anyone have any tips on how to have the code stop at a breakpoint?	20:19
*** lhcheng has quit IRC		20:19
*** jsavak has quit IRC		20:21
*** jsavak has joined #openstack-keystone		20:21
*** fawadkhaliq has quit IRC		20:22
notmorgan	ayoung: yes	20:25
bknudson_	tjcocozz: nosetests -s	20:26
ayoung	notmorgan, thanks	20:26
tjcocozz	ha i havn't tried the -s, thank you bknudson_ it worked!	20:27
lbragstad	ayoung i have a trust question	20:28
ayoung	lbragstad, I have trust issues	20:28
lbragstad	ayoung touche	20:28
lbragstad	ayoung is there any reason why this shouldn't work - http://cdn.pasteraw.com/5pbraajahsqrhl5qagn4xkyu1tppje9	20:29
lbragstad	the creation of the trust fails	20:29
lbragstad	with 403 - saying the user isn't allowed to create the trust, but I don't see why not	20:29
ayoung	lbragstad, r = self.post('/OS-TRUST/trusts', body={'trust': trust_ref}) fails?	20:30
lbragstad	ayoung yep	20:30
* lbragstad grabs the trace		20:30
lbragstad	ayoung http://cdn.pasteraw.com/l7b4cwmwe964lhzgeg3zi24rnknbm7w	20:31
lbragstad	ayoung I double checked things through the self.assignment_api in the tests and the trustor has the self.role assigned to the new project (that should work, right?)	20:31
ayoung	You are not authorized to perform the requested action: identity:create_trust looks like an RBAC problem. What is the policy rule in effect?	20:32
lbragstad	ayoung the policy loaded is the default one stored in /home/lancebragstad/projects/keystone/etc/policy.json	20:32
lbragstad	so, whatever we keep in source?	20:32
*** lhcheng has joined #openstack-keystone		20:32
*** ChanServ sets mode: +v lhcheng		20:32
lbragstad	ayoung - https://github.com/openstack/keystone/blob/master/etc/policy.json#L99	20:33
ayoung	"user_id:%(trust.trustor_user_id)s",	20:33
lbragstad	ayoung yep	20:33
lbragstad	is that not right for what I'm trying to do?	20:34
ayoung	lbragstad, wrong user making the call, then	20:34
lbragstad	ayoung oh...	20:34
ayoung	lbragstad, what user makes the call r = self.post('/OS-TRUST/trusts', body={'trust': trust_ref})	20:34
lbragstad	ayoung I'm not sure - checking	20:34
lbragstad	I wonder if that is self.user	20:34
ayoung	lbragstad, I think you need to get an explicit token for that user, and use it to make the call instead of the default. I think you are right that it is self.user	20:35
lbragstad	because in other examples - self.user is used as the trustor and it seems to work fine	20:35
lbragstad	ayoung let me try that quick	20:35
*** diazjf has joined #openstack-keystone		20:36
*** Daviey has joined #openstack-keystone		20:38
*** henrynash has joined #openstack-keystone		20:41
*** ChanServ sets mode: +v henrynash		20:41
notmorgan	stevemar: -1 on the doc but because we need to explain how to get the admin token now with openstack token issue i think	20:41
notmorgan	stevemar: otherwise looks good.	20:42
notmorgan	stevemar: can't use username/password until there is a keystone catalog entry	20:42
*** lhcheng_ has joined #openstack-keystone		20:42
notmorgan	at least afaik	20:42
stevemar	s/the admin token/any token	20:42
notmorgan	stevemar: yes. get the token for the user just created	20:42
notmorgan	because bootstrap doesn't return that since it doesn't actually have a running keystone	20:42
notmorgan	do you want me to toss in a way to output (JSON?) for the created/not-created[idempotent] user/role/etc	20:43
notmorgan	or are we good with it as is for now?	20:43
htruta	bknudson_: are you around?	20:44
bknudson_	seems broken that you can't use username/password just because there's no catalog entry	20:44
bknudson_	htruta: yes	20:44
*** lhcheng has quit IRC		20:44
htruta	bknudson_: regarding this comment here: https://review.openstack.org/#/c/134095/14/keystone/catalog/core.py is moving this logic to the sql backend ok?	20:45
htruta	catching the DBDuplicateEntry there and raise the Conflict	20:45
bknudson_	htruta: I guess so. I can't think of a better way	20:46
notmorgan	bknudson_: also your eyes on the revert for master would be welcome	20:46
notmorgan	bknudson_: since it's hand-rolled due to $oh-god-so-much-changed$	20:46
notmorgan	bknudson_: i want to make sure it's not going to cause us other issues down the line.	20:47
ayoung	henrynash, why do you feel the need to prepend the work Implement to your patches?	20:47
ayoung	Or my patches in this case?	20:47
*** aginwala has quit IRC		20:47
htruta	bknudson_: ok, just wondered if it really was a backend responsibility, but couldn't find a better way either. thanks	20:47
henrynash	ayoung: in the commit comment?	20:48
ayoung	Yeah	20:48
ayoung	henrynash, I just ask cuz it keeps messing me up searching for my patches	20:48
ayoung	I like to keep the titles succinct	20:48
henrynash	ayoung: I just think it helps reviews understand what’s in a patch (especiiay when an overall bp is spread over several patches)	20:48
lhcheng_	htruta: I did the same thing in this patch: https://review.openstack.org/#/c/265279/	20:49
ayoung	henrynash, dstanek BTW https://review.openstack.org/#/c/264259/5..6/keystone/common/sql/migrate_repo/versions/087_implied_roles.py I removed the spurious comment and resubbmited, since it failed grenade	20:49
htruta	lhcheng_: nice! will base on that	20:50
ayoung	henrynash, I'd rather you not add extra words to the top commit line. When doing a git log, words like implement etc don't help with searches. Cleaning up the messages themselves, OTOH, is greatly appreciated	20:51
henrynash	ayoung: Ok, for the commit line, i’ll keep succinct :-)	20:51
ayoung	thanks, henrynash . Was your last commit just a rebase other than that?	20:52
henrynash	ayoung: and not change it agian, promise, scouts-honor etc.	20:52
henrynash	ayoung: the very last one added some new tests	20:52
henrynash	in test_backend.py	20:52
ayoung	OK. looking	20:53
henrynash	ayoung: actually, sorry, the VERY last change was a pur rebase	20:53
henrynash	ayoung: patch 7 added the tetss	20:53
ayoung	henrynash, it is a two level tree, why do you think three>	20:53
ayoung	?	20:53
ayoung	DoH	20:54
* ayoung sorry		20:54
henrynash	ayoung: my misguided thoughts I can never decide if you should call it two or three level	20:54
ayoung	I was counting the relationships. Your way makes much mores sense	20:54
ayoung	henrynash, I really like that last test: test_role_assignments_inherited_implied_roles	20:56
henrynash	ayoung: yeah, thought we had to do something like that…that was one of the new ones I added in patch 7	20:57
openstackgerrit	ayoung proposed openstack/keystone: Implement manager and backend changes for implied roles https://review.openstack.org/264260	20:57
ayoung	minor typo...edited on the page. I like that feature	20:57
*** daemontool has joined #openstack-keystone		20:59
stevemar	its not too shabby	21:00
henrynash	ayuong: thx	21:00
stevemar	notmorgan: meh	21:01
stevemar	notmorgan: we do need a way to output stuff for config tools like puppet	21:01
notmorgan	stevemar: yeah.	21:01
*** aginwala has joined #openstack-keystone		21:04
*** pauloewerton has quit IRC		21:08
*** timcline_ has joined #openstack-keystone		21:11
*** timcline has quit IRC		21:12
*** jbell8 has joined #openstack-keystone		21:14
*** raildo is now known as raildo-afk		21:17
*** edmondsw has quit IRC		21:17
*** aginwala has quit IRC		21:17
*** RichardRaseley has joined #openstack-keystone		21:21
*** aginwala has joined #openstack-keystone		21:22
RichardRaseley	Hello. I am having some issues assigning roles using python-keystoneclient. Here is my existing code, please forgive any amateurish mistakes: http://paste.openstack.org/show/483350/	21:22
RichardRaseley	The code can be found in the `openstack_assign_role` function.	21:23
*** jsavak has quit IRC		21:24
*** topol has quit IRC		21:24
*** daemontool has quit IRC		21:27
*** phalmos has quit IRC		21:28
*** daemontool has joined #openstack-keystone		21:32
*** roxanagh_ has quit IRC		21:32
RichardRaseley	I seem to be getting a ' No handlers could be found for logger "keystoneclient.utils" ' in the above-mentioned script. I am not sure what is causing this or how to remedy it, any help would be appreciated.	21:39
*** diazjf has quit IRC		21:39
*** roxanagh_ has joined #openstack-keystone		21:40
openstackgerrit	Lance Bragstad proposed openstack/keystone: Expose bug with fernet and trusts https://review.openstack.org/265455	21:43
lbragstad	ayoung pushed my wip for now - i'll dig back into it	21:43
*** aginwala has quit IRC		21:44
*** slberger has quit IRC		21:45
*** aginwala has joined #openstack-keystone		21:48
openstackgerrit	Merged openstack/keystone: Wrong usage of "an" https://review.openstack.org/265066	21:54
*** slberger has joined #openstack-keystone		21:55
openstackgerrit	Merged openstack/keystone: Correct DN/encoding in test https://review.openstack.org/260731	21:56
*** jsavak has joined #openstack-keystone		22:02
*** jsavak has quit IRC		22:06
*** jsavak has joined #openstack-keystone		22:08
*** jbell8 has quit IRC		22:09
RichardRaseley	Is this (http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#keystoneclient.v3.roles.RoleManager.list) expecting the project ID? Doesn't seem to like the name.	22:12
*** timcline_ has quit IRC		22:29
*** timcline has joined #openstack-keystone		22:29
*** timcline_ has joined #openstack-keystone		22:31
*** timcline has quit IRC		22:34
*** petertr7 is now known as petertr7_away		22:34
lhcheng_	RichardRaseley: should be passing IDs. Even for the role.grant() call, it should be passing role_id not name (_member_)	22:36
*** aginwala has quit IRC		22:39
RichardRaseley	ihcheng_: OK	22:41
RichardRaseley	Thanks	22:41
*** aginwala has joined #openstack-keystone		22:43
*** roxanagh_ has quit IRC		22:44
*** RichardRaseley has quit IRC		22:44
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	22:45
tjcocozz	bknudson_, Do these comments make more senese ^^	22:47
*** diazjf has joined #openstack-keystone		22:47
bknudson_	tjcocozz: yes.	22:49
tjcocozz	bknudson_, awesome. test_middleware.py is tricky to debug. The stack trace didn't start at the test i was running, so it took me almost all day to fill in the gaps.	22:51
*** roxanagh_ has joined #openstack-keystone		22:51
*** lhcheng_ has quit IRC		22:51
openstackgerrit	Brant Knudson proposed openstack/keystone: Escape DN in enabled query https://review.openstack.org/262334	22:54
openstackgerrit	Brant Knudson proposed openstack/keystone: Test enabled emulation with special user_tree_dn https://review.openstack.org/265462	22:54
*** timcline_ has quit IRC		22:54
*** jsavak has quit IRC		22:58
*** slberger has left #openstack-keystone		22:58
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	22:59
*** roxanagh_ has quit IRC		23:01
openstackgerrit	Merged openstack/keystone: Reference driver methods through the Manager https://review.openstack.org/264958	23:02
tjcocozz	bknudson_, running py34 now. hopefully the right patch will be up shortly	23:02
*** diazjf has quit IRC		23:02
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	23:04
openstackgerrit	Tom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type https://review.openstack.org/261253	23:06
*** roxanagh_ has joined #openstack-keystone		23:07
*** phalmos has joined #openstack-keystone		23:07
*** sigmavirus24 is now known as sigmavirus24_awa		23:13
*** lhcheng has joined #openstack-keystone		23:13
*** ChanServ sets mode: +v lhcheng		23:13
*** aginwala has quit IRC		23:13
*** csoukup has quit IRC		23:16
*** roxanagh_ has quit IRC		23:18
*** jbell8 has joined #openstack-keystone		23:18
*** tonytan4ever has quit IRC		23:19
*** roxanagh_ has joined #openstack-keystone		23:21
*** vgridnev has quit IRC		23:22
*** aginwala has joined #openstack-keystone		23:22
*** slberger has joined #openstack-keystone		23:30
*** KarthikB has quit IRC		23:33
*** jasonsb has quit IRC		23:44
*** gordc has quit IRC		23:47
*** itlinux has joined #openstack-keystone		23:47
*** annasort has quit IRC		23:53
*** pgbridge has quit IRC		23:55
notmorgan	tjcocozz: welcome to crappy tests :(	23:58
notmorgan	we have a lot of them	23:58
*** topol has joined #openstack-keystone		23:59
*** ChanServ sets mode: +v topol		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!