Tuesday, 2016-01-12

*** shoutm has joined #openstack-keystone		00:00
*** jasonsb has joined #openstack-keystone		00:14
*** aginwala has quit IRC		00:18
*** shoutm has quit IRC		00:19
*** markvoelker has quit IRC		00:20
*** shoutm has joined #openstack-keystone		00:21
*** aginwala has joined #openstack-keystone		00:23
henrynash	htruta: hi	00:26
ayoung	henrynash, why are the patches only adding code? When you make keystone/resource/V8_backends/sql.py (+ 262) shouldn't the same number of Lines of code disappear from elsewhere?	00:37
*** ankita_wagh has quit IRC		00:38
henrynash	ayoung: that’s a copy of the river, moved to V8_backends, so we can test the new manager with an old driver….that code is only excuted as part of a test	00:38
henrynash	(river -> driver)	00:38
ayoung	henrynash, its a copy, right?	00:39
henrynash	ayoung: yes	00:39
*** dims_ has joined #openstack-keystone		00:39
ayoung	henrynash, shouldn't there be some sort of baseclass then>	00:39
ayoung	?	00:39
henrynash	ayoung: there is for the signatures in the manager, but not for the code	00:39
*** slberger has left #openstack-keystone		00:39
*** dims has quit IRC		00:40
ayoung	henrynash, I'm missing something	00:40
henrynash	ayoung: remember we are not promising to keep the V8 driver code around….we only promise to support the interface	00:41
henrynash	ayoung: we had this long debate in the IRC meeting on this	00:41
ayoung	henrynash, I know...just trying to restore it from long term memory as I do the review....	00:42
henrynash	ayoung: if it were not for needing to test teh interface, we would delete the V8 driver from the tree	00:42
henrynash	ayoung: the V9Assignment driver was done the same way (that has merged)	00:42
ayoung	henrynash, the v8 code you added is a copy of the existing unversioned driver, right?	00:43
henrynash	ayoung: correct	00:43
henrynash	ayoung: well, it was already versioned (V8), we just didn’t have any way of updating it!	00:43
henrynash	ayoung: in Liberty, the drivers got versioned as V8, but we didn’t hvae the plan in palce on how, exactly, we create a V9 and yets support the V8 interface	00:44
ayoung	henrynash, I'm just trying to figure out why it is necessary to copy instead of baseclass and then update only when we change	00:44
henrynash	ayoung: too complicated, I think	00:44
henrynash	ayoung: ‘cause we really want is an old V8 driver in its entirety	00:45
ayoung	henrynash, right. But V9 could subclass V8, no?	00:47
ayoung	I mean, uin theory	00:48
ayoung	we are chosing not to do that to make sure the code doens not vary unintentionally?	00:48
henrynash	ayoung: correct….we wanted just a time-shotted driver testing, and not trying to have code re-use	00:48
ayoung	henrynash, so we have to issue that any bug fixes in v9 need to be echoed in v8 and vice versa	00:49
henrynash	ayoung: (and yes, in theory we could to that)…although teh V9 driver is meant to subclass the V9 abstract class in teh manager	00:49
henrynash	ayoung: we don’t support the V8 driver in Mitaka	00:50
ayoung	henrynash, OK...with that in mind, I'll give the two driver reviews a look through	00:50
henrynash	ayoung: and in Liberty, there is no V9, so there’s always only one drievr (per relase) to fix	00:50
henrynash	ayoung: to be exaact, we don’t maintain the V8 driver code in Mitaka, we still support the V8 interface	00:51
*** shoutm_ has joined #openstack-keystone		00:51
*** shoutm has quit IRC		00:54
*** gyee has quit IRC		00:55
*** woodster_ has quit IRC		00:56
*** shoutm_ has quit IRC		00:58
*** shoutm has joined #openstack-keystone		01:03
*** oomichi has quit IRC		01:04
*** EinstCrazy has joined #openstack-keystone		01:05
*** EinstCrazy has quit IRC		01:06
*** EinstCrazy has joined #openstack-keystone		01:07
htruta	henrynash, hey, I have no idea why, but looks like this code here https://review.openstack.org/#/c/210600/42/keystone/tests/unit/test_backend.py is not passing in the wrapper	01:14
*** _cjones_ has quit IRC		01:16
henrynash	htruta: hmm, how odd…..sounds like we need a python guru to look at this…	01:18
stevemar	jamielennox: is this still valid: https://review.openstack.org/#/c/220509/ ?	01:19
stevemar	any takers for https://review.openstack.org/#/c/205440/16 ? henrynash jamielennox ayoung ?	01:20
henrynash	stevemar: looking	01:20
*** markvoelker has joined #openstack-keystone		01:21
jamielennox	stevemar: i guess it's still valid, though i don't know if it improves things much	01:21
jamielennox	stevemar: you don't use AuthTokenPlugin directly, it's constructed for you if you don't provide one yourself	01:21
*** ankita_wagh has joined #openstack-keystone		01:21
jamielennox	stevemar: so telling people that AuthTokenPlugin is deprecated probably isn't going to mean as much to them as the warning that's already there	01:22
*** ankita_wagh has quit IRC		01:22
jamielennox	maybe we should use the oslo_log deprecation method instead though	01:22
stevemar	jamielennox: dammit, wrong link	01:22
stevemar	jamielennox: i meant this one: https://review.openstack.org/#/c/222042/ sorry	01:23
stevemar	just trying to clean up old patches and push through ones that should be included in the next release	01:23
jamielennox	stevemar: oh - umm, i think we should merge it but it's an edge case	01:23
jamielennox	i was using auth_token directly without having it installed for testing and so the pkg_resources lookup failed	01:23
stevemar	jamielennox: if you're actively reviewing: https://review.openstack.org/#/c/258932/	01:23
jamielennox	done	01:24
*** markvoelker has quit IRC		01:25
*** markvoelker has joined #openstack-keystone		01:25
stevemar	jamielennox: you also have 2 patches that should either be targeted to KSA or may already be in KSA: https://review.openstack.org/#/c/148166/ and https://review.openstack.org/#/c/178024/	01:25
ayoung	stevemar, ... why would I want to? What benefit to the world does having that code in Keystone bring?	01:27
ayoung	Ugh...	01:28
ayoung	just ... more ec2 stuff. bleh	01:28
stevemar	ayoung: it's ec2 compat, we've done it before, we gotta maintain, it's not glamorous :(	01:29
stevemar	ayoung: good news is that the author uses existing code and sources it, yay	01:29
*** aginwala has quit IRC		01:30
*** ninag has quit IRC		01:30
ayoung	stevemar, yeah, yeah	01:31
ayoung	looks like henrynash got it...	01:31
ayoung	I'm still putting kids to bed	01:32
stevemar	ayoung: cheer up! you're gonna have bqq soon :)	01:32
stevemar	ayoung: rgr that, let the dad-ops begin	01:32
ayoung	stevemar, not I. Gonna be missing this midcycle	01:32
stevemar	ayoung: oh?	01:32
stevemar	:(	01:32
stevemar	thats 4 cores missing! :O	01:32
*** spzala has joined #openstack-keystone		01:33
notmorgan	stevemar: adam, myself, jamielennox and ?	01:35
stevemar	notmorgan: marekd	01:35
notmorgan	ouch,	01:36
notmorgan	ayoung: sorry for the -1 on the spec, but i think endpoint filtering should die. the sub-set of roles ++	01:36
*** spzala has quit IRC		01:38
htruta	jamielennox, was seeing some v2 removal related, and saw this patch you commented: https://review.openstack.org/#/c/221300/	01:42
htruta	jamielennox, do you more specifically remember why you had to abandon this patch of yours?	01:42
*** aginwala has joined #openstack-keystone		01:44
*** dims_ has quit IRC		01:48
*** dims has joined #openstack-keystone		01:48
jamielennox	htruta: i don't remember specifically on that one, there were some problems with things like create_userrc and functional testing expecting v2 arguments	01:49
jamielennox	htruta: at the moment though i think almost everything in devstack is v3	01:49
htruta	jamielennox, yes... I saw that the v3 only gate is passing in all the patches I've looked	01:50
*** EinstCrazy has quit IRC		01:50
*** EinstCrazy has joined #openstack-keystone		01:51
htruta	jamielennox, I had the impression that tempest really lacks this v3 integration	01:51
*** csoukup has joined #openstack-keystone		01:52
htruta	I wonder if it would make any difference to test the other services with a token of a project in a domain different than the default	01:52
jamielennox	htruta: no tempest is pretty good at testing this stuff	01:52
notmorgan	htruta: add things in tempest if needed	01:53
notmorgan	on that front	01:53
notmorgan	jamielennox: ++	01:53
jamielennox	it does it all in it's own way though because it wants to test independant of the existing libraries	01:53
notmorgan	and thats fine imo	01:54
notmorgan	esp. for this	01:54
htruta	jamielennox, notmorgan I see	01:54
notmorgan	also i don't know why someone would pick the nick "esp" on irc	01:54
notmorgan	:P	01:54
*** dims has quit IRC		01:54
htruta	notmorgan, jamielennox do all of the main services already support keystoneauth and sessions?	01:55
htruta	looks like sessions are really the way for easier integrations	01:56
notmorgan	htruta: neutron does, nova has a patch in flight	01:56
notmorgan	glance ... i think is next	01:56
jamielennox	htruta: server side or client?	01:56
jamielennox	all the clients except swift do	01:56
*** spandhe has quit IRC		01:56
notmorgan	well ksc.session	01:56
notmorgan	there are a lot that are not ksa.session yet	01:56
jamielennox	server side is a bit hit and miss	01:56
htruta	client side, I guess	01:57
*** aginwala has quit IRC		01:57
*** shoutm has quit IRC		01:58
*** csoukup has quit IRC		01:58
*** shoutm has joined #openstack-keystone		02:00
jamielennox	htruta: yea, so everything but swift has client support	02:00
notmorgan	oh reminds me i need to hack on swiftclient soon	02:00
htruta	notmorgan, jamielennox where do you think we can put some effort still in Mitaka, as the code is only going to be removed from Q?	02:00
notmorgan	i should be able to solve the session issue there pretty easily	02:00
jamielennox	notmorgan: haha - i've approached that like 3 or 4 times	02:00
jamielennox	notmorgan: but i am more of a purist than you i think	02:00
notmorgan	jamielennox: well the swift team is mostly on board	02:00
notmorgan	jamielennox: yeah i am more about "have support" then make it better	02:01
notmorgan	than "works perfectly"	02:01
*** EinstCra_ has joined #openstack-keystone		02:03
htruta	notmorgan, jamielennox I'll put a topic in tomorrow's meeting, ok?	02:03
ayoung	notmorgan, I was toying with splitting that spec anyway. Just that the two specs would be fairly similar. But I'm far more interested in the role portion than the endpoint part	02:03
lhcheng_	hello, are there known issue with using keystone v3 + ldap assignment in kilo?	02:04
notmorgan	ayoung: i'm -2 on the endpoint filtering because i think we should rip it out of keystone	02:05
notmorgan	ayoung: but i wont block it, i'll just -1 with the comment that i think it's not worth doing	02:05
notmorgan	ayoung: on the split that is	02:05
ayoung	notmorgan, why so harsh on the endpoint stuff?	02:05
*** dims has joined #openstack-keystone		02:06
*** EinstCra_ has quit IRC		02:06
*** EinstCrazy has quit IRC		02:06
*** davechen has joined #openstack-keystone		02:07
ayoung	notmorgan, I was planning on enforcing security via the endpoint; gyee and I had been working on the endpoint check in middleware	02:07
ayoung	needs this to be relevant	02:07
notmorgan	ayoung: i think it's not worth trying to wedge security into the catalog	02:07
notmorgan	ayoung: use proper roles if we want to enforce security. we have RBAC, the concept of "oh look in the catalog" is flawed	02:07
notmorgan	costs a lot of CPU and makes the catalogs effectively uncache-able	02:08
ayoung	notmorgan, well, tjhe catalog approach closer maps to what people use already with AD/Kerberos	02:08
notmorgan	so, lets use the things that we can enforce on very well :)	02:08
*** EinstCrazy has joined #openstack-keystone		02:08
notmorgan	sure. but we're not KRB5 or AD	02:08
notmorgan	:)	02:08
ayoung	We can do it with roles	02:08
ayoung	but...	02:08
ayoung	I'll admit that endpoint is pretty course grained	02:08
notmorgan	exatly	02:09
notmorgan	exactly	02:09
ayoung	notmorgan, I did have something more cacheable proposed at one point: https://review.openstack.org/#/c/160909/	02:09
notmorgan	i am a big fan of improving enforcement, but not adding alternate methods of enforcement. really be good at enforcement with roles :)	02:09
notmorgan	if that makes sense	02:09
ayoung	notmorgan, I'll chew it over. I can see two sides to that one. But I will split the spec	02:10
* notmorgan nods.		02:10
notmorgan	the subset of roles is absolutely something we should work towards anyway	02:10
jamielennox	notmorgan, ayoung, stevemar: question - what would ideally be in the credentials dict for policy enforcement	02:17
jamielennox	?	02:17
jamielennox	as of today i can only think user_id, project_id, roles	02:17
jamielennox	obviously service_roles, service_project_id in future	02:17
ayoung	jamielennox, heh...ideally not user_id	02:17
jamielennox	ayoung: yea, i can see that	02:18
ayoung	:)	02:18
jamielennox	i've put together an oslo.context patch that provides to_policy_dict instead of just to_dict so we remove all the RPC cruft from it	02:18
ayoung	jamielennox, I want role check in middleware, project check in code...	02:18
ayoung	jamielennox, sounds good	02:19
jamielennox	and i'm struggling to think of why you want anything more than project_id and roles in the ability to enforce	02:19
jamielennox	keystone drops in the entire token	02:19
jamielennox	and maybe methods should be in there for 2FA	02:19
jamielennox	but i can't see any reason things like trust id should be in there	02:19
jamielennox	let alone any of the _names	02:19
notmorgan	jamielennox: domain_id.	02:23
notmorgan	otherwise thats covers it	02:23
notmorgan	2FA yes/no	02:23
notmorgan	if we add 2FA stuff	02:23
jamielennox	notmorgan: domain_id for keystone - i was thinking maybe project_domain_id for others	02:24
*** jbell8 has joined #openstack-keystone		02:24
jamielennox	i can't see user_domain_id being useful	02:24
notmorgan	jamielennox: project_domain_id and user_domain_id	02:24
notmorgan	user_domain_id might be useful for "user must be in X domain for admin"	02:24
notmorgan	or l3 CS type stuff	02:24
jamielennox	yea, ok	02:24
jamielennox	i don't think that information is even in oslo.context yet :( and my last patch caused problems because heats tests are wrong, but it would require backports into heat stable to get passed	02:25
notmorgan	i wouldn't backport anything to stable for this	02:26
notmorgan	tbh	02:26
notmorgan	only forward looking	02:26
jamielennox	no, my last patch was - "context.user doesn't make sense, let's forward that to context.user_id project_id etc so we can deprecate the old ones"	02:26
jamielennox	most projects do this anyway	02:26
notmorgan	oh	02:27
notmorgan	yeah i'd rever tthat then	02:27
jamielennox	heat apparently sometimes (at least in tests) uses context.user for name or some other field	02:27
notmorgan	i think context.user is not a terrible thing to hve	02:27
jamielennox	right call, annoying	02:27
notmorgan	it encapsulates the user data	02:27
notmorgan	and it's annoying	02:27
notmorgan	:(	02:27
jamielennox	notmorgan: in almost all cases it doesn't, it's just hte id	02:27
notmorgan	sure.	02:28
notmorgan	but it doesn't hurt us to encapsulate it	02:28
notmorgan	does it?	02:28
notmorgan	i mean, i wouldn't put all the user data in there	02:28
notmorgan	but i would keep the user data in context.user	02:28
notmorgan	vs. context.user_<thing>	02:28
notmorgan	same for scope long term	02:28
jamielennox	notmorgan: many services dont keep username arround, id is all we care about	02:29
notmorgan	yeah	02:31
*** ninag has joined #openstack-keystone		02:31
openstackgerrit	Merged openstack/python-keystoneclient: Removes MANIFEST.in as it is not needed explicitely by PBR https://review.openstack.org/258932	02:34
*** ninag has quit IRC		02:35
*** aginwala has joined #openstack-keystone		02:36
*** jbell8 has quit IRC		02:38
*** jbell8 has joined #openstack-keystone		02:39
openstackgerrit	ayoung proposed openstack/keystone: implied roles driver and manager https://review.openstack.org/264260	02:43
*** fawadkhaliq has joined #openstack-keystone		02:44
*** spzala has joined #openstack-keystone		02:46
*** spandhe has joined #openstack-keystone		02:47
openstackgerrit	Merged openstack/keystonemiddleware: Adding parse of protocol v4 of AWS auth to ec2_token https://review.openstack.org/205440	02:48
*** roxanagh_ has joined #openstack-keystone		02:57
ayoung	are the fernet tasks passing Tempest finally?	03:02
*** oomichi has joined #openstack-keystone		03:03
openstackgerrit	zhangguoqing proposed openstack/keystoneauth: Replace assertEqual(None, *) with assertIsNone in tests https://review.openstack.org/266118	03:07
*** aginwala has quit IRC		03:09
*** aginwala has joined #openstack-keystone		03:12
*** aginwala has quit IRC		03:16
*** spandhe_ has joined #openstack-keystone		03:16
*** spandhe has quit IRC		03:18
*** spandhe_ is now known as spandhe		03:18
*** spzala has quit IRC		03:19
*** spzala has joined #openstack-keystone		03:20
*** sigmavirus24_awa is now known as sigmavirus24		03:22
*** dims has quit IRC		03:24
*** spzala has quit IRC		03:25
*** jbell8 has quit IRC		03:27
*** doug-fish has joined #openstack-keystone		03:30
*** ccard_ has joined #openstack-keystone		03:31
*** EinstCrazy has quit IRC		03:33
*** EinstCrazy has joined #openstack-keystone		03:33
*** ccard__ has quit IRC		03:34
*** lhcheng has joined #openstack-keystone		03:35
*** ChanServ sets mode: +v lhcheng		03:35
ayoung	notmorgan, are you going to hold firm on opposing the "request a token with a subset of endpoints?" I can see where you are coming from, but...this is making things better, not worse that way	03:36
ayoung	the endpoint binding code that Gyee go in recently is kindof hamstrung without a way to limit the endpoints in the tokne	03:37
ayoung	notmorgan, and...I don;t see us completely getting rid of the service catalog, which is the only thing that would actively solve the problems you referred to in the review	03:37
notmorgan	ayoung: catalog is fine	03:38
notmorgan	ayoung: i just don't want to enforce/filter the catalog	03:38
*** lhcheng_ has quit IRC		03:38
ayoung	notmorgan, so this proposal does not need endpoint fgilter	03:39
ayoung	notmorgan, say you are uploading an image to glance, you don't need any other endpoints but glance in the token	03:39
ayoung	couple that with gyee's fix, and I think we have a pretty big reduction in attack service	03:40
ayoung	notmorgan, forget filtering, this is most likely going to be used with a single endpoint in the token for most calls	03:41
ayoung	its an opt in API; if the user does not request a subset of the endpoints, they get the default behavior	03:42
notmorgan	no benefit	03:44
notmorgan	just don't bother to futz w/ the catalog	03:45
openstackgerrit	ayoung proposed openstack/keystone-specs: Tokens with subsets of roles or endpoints https://review.openstack.org/186979	03:45
notmorgan	catalog should just be the catlaog	03:45
notmorgan	and left alone	03:45
ayoung	notmorgan, so you going to work out with gyee that you want to kill his "endpoint binding of tokens" because that is the other side of this	03:47
ayoung	notmorgan, https://review.openstack.org/#/c/177661/	03:48
*** shoutm_ has joined #openstack-keystone		03:49
notmorgan	ayoung: yep want to kill that	03:50
notmorgan	ayoung: i've been trying very hard not to -2 things	03:50
*** shoutm has quit IRC		03:51
ayoung	notmorgan, didn't see anything negative from you on those reviews. It caught me by surprise that you are set against this. I'm not certain we should do this with Roles, though.	03:51
notmorgan	just -1'd it	03:51
ayoung	notmorgan, that effectively stops it. Keystone doesn't tend to move past a -1 from a core	03:52
notmorgan	we move past -1 more often than other projects tbh	03:52
notmorgan	but that might be by fault	03:52
notmorgan	cause i'll +2/harass people over a -1	03:52
notmorgan	i also am open to movin back to a zero score for the right things	03:53
*** vivekd has joined #openstack-keystone		03:53
notmorgan	but honestly endpoint filtering is awful	03:53
notmorgan	and we can do better	03:54
ayoung	notmorgan, ok...this one is not going to happen in Mitaka anyway. I'll leave it be for now. We can discuss in the post rc1 timeframe what approach we want to take for 'N'	03:54
notmorgan	right	03:54
ayoung	I think this is different from filtering, TBH	03:54
notmorgan	eh	03:54
notmorgan	sortof	03:55
notmorgan	i don't think we shoul muck with the catalog at all	03:55
ayoung	I still think a token should be good for only one service, and a short period of time...	03:55
notmorgan	we should just use the raw catalog in all cases	03:55
notmorgan	catalog is discovery	03:55
notmorgan	period	03:55
notmorgan	don't muck with it	03:55
notmorgan	short period, limited roles, even roles that limit access to a specific service	03:55
notmorgan	yes	03:55
notmorgan	esp. if those are well defined roles that are opinionated and interoperable across deplyments	03:56
notmorgan	but i don't want to see us mucking with the catalog	03:56
notmorgan	if that makes sense	03:56
ayoung	notmorgan, the problem is it makes too much sense	03:56
ayoung	it brings up the urge I've surpressed to take the catalog as it exists now out behind the woodshed and give it the Old-Yeller treatment	03:57
notmorgan	nah, i think we can do this with other things w/o needing to muck with the catalog	03:57
notmorgan	even if we old yeller it	03:57
notmorgan	i want us to not muck around in there if we use it for discovery	03:57
*** doug-fish has quit IRC		03:58
notmorgan	if we make it something else, and discovery is separate i'll back away from my stance	03:58
ayoung	OK...I'll rewrite my spec as just roles. That at least allows the spec to be 1-1 with the impl	03:58
notmorgan	catalog should be inclusive (and well defined)	03:58
notmorgan	as it sits now	03:58
notmorgan	if we are enforcing on it i'd rather add a new "things i can talk to with this token" field	03:58
notmorgan	if that makes sense	03:58
*** shoutm has joined #openstack-keystone		03:59
notmorgan	so we can use the catalog as a definitive "this is what the endpoints for the cloud are" and know it's always the same	03:59
notmorgan	especially if the x-project spec for well defined catalog lands	03:59
*** shoutm_ has quit IRC		04:00
*** topol has joined #openstack-keystone		04:03
*** ChanServ sets mode: +v topol		04:03
openstackgerrit	ayoung proposed openstack/keystone-specs: Tokens with subsets of roles https://review.openstack.org/186979	04:04
*** topol has quit IRC		04:07
openstackgerrit	ayoung proposed openstack/keystone-specs: Tokens with subset of catalog https://review.openstack.org/266137	04:08
ayoung	notmorgan, that second one you will want to -1	04:08
notmorgan	right	04:09
notmorgan	i'll do that tomorrow ;)	04:09
notmorgan	i am too busy procrasinating cleanup post cooking to do that.	04:10
notmorgan	ayoung: and calling out topol on twitter for not having an IRC bouncer	04:11
ayoung	notmorgan, I'm a meatspace IRC bouncer	04:11
notmorgan	ayoung: you're on IRC enough that i don't notice	04:12
notmorgan	so...	04:13
notmorgan	but topol drops off a lot	04:13
*** spandhe has quit IRC		04:18
openstackgerrit	Merged openstack/keystone: Separate trust crud tests from trust auth tests https://review.openstack.org/265931	04:20
*** spzala has joined #openstack-keystone		04:20
*** spzala has quit IRC		04:25
*** links has joined #openstack-keystone		04:26
*** RA_ has joined #openstack-keystone		04:28
*** roxanagh_ has quit IRC		04:28
*** richm has quit IRC		04:49
*** fawadkhaliq has quit IRC		04:52
*** markvoelker has quit IRC		04:58
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/266151	05:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/266153	05:01
*** itlinux has joined #openstack-keystone		05:04
*** itlinux has quit IRC		05:04
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/266168	05:05
*** shoutm_ has joined #openstack-keystone		05:08
*** shoutm has quit IRC		05:08
*** aginwala has joined #openstack-keystone		05:09
*** fawadkhaliq has joined #openstack-keystone		05:15
*** sigmavirus24 is now known as sigmavirus24_awa		05:18
*** spzala has joined #openstack-keystone		05:22
*** EinstCra_ has joined #openstack-keystone		05:25
*** EinstCrazy has quit IRC		05:25
*** spzala has quit IRC		05:26
*** EinstCra_ has quit IRC		05:29
*** shoutm has joined #openstack-keystone		05:30
*** EinstCrazy has joined #openstack-keystone		05:30
*** aginwala has quit IRC		05:30
*** shoutm_ has quit IRC		05:32
*** aginwala has joined #openstack-keystone		05:32
stevemar	anyone wannt punt https://review.openstack.org/#/c/266118/1 through?	05:33
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Disable memory caching of tokens https://review.openstack.org/212345	05:34
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Don't cache signed tokens https://review.openstack.org/190941	05:35
*** vgridnev has joined #openstack-keystone		05:35
*** jaosorior has joined #openstack-keystone		05:47
*** Nirupama has joined #openstack-keystone		05:48
stevemar	thanks jamielennox	05:55
*** markvoelker has joined #openstack-keystone		05:59
*** shoutm has quit IRC		06:00
*** edmondsw has quit IRC		06:02
*** shoutm has joined #openstack-keystone		06:02
*** EinstCrazy has quit IRC		06:03
*** EinstCrazy has joined #openstack-keystone		06:03
openstackgerrit	venkatamahesh proposed openstack/keystone: Improvements in python condition code https://review.openstack.org/266203	06:05
*** markvoelker has quit IRC		06:06
openstackgerrit	Dave Chen proposed openstack/keystone: Relax the schema validation to accept empty request body https://review.openstack.org/237448	06:09
*** spzala has joined #openstack-keystone		06:23
*** aginwala_ has joined #openstack-keystone		06:26
*** shoutm has quit IRC		06:28
*** spzala has quit IRC		06:29
*** aginwala has quit IRC		06:30
*** aginwala_ has quit IRC		06:32
*** ninag has joined #openstack-keystone		06:33
*** shoutm has joined #openstack-keystone		06:34
*** ninag has quit IRC		06:38
*** EinstCrazy has quit IRC		06:39
*** EinstCrazy has joined #openstack-keystone		06:39
*** EinstCra_ has joined #openstack-keystone		06:45
*** EinstCrazy has quit IRC		06:45
*** jaosorior has quit IRC		06:48
*** fawadkhaliq has quit IRC		06:49
*** fawadkhaliq has joined #openstack-keystone		06:51
*** lhcheng has quit IRC		06:54
*** EinstCra_ has quit IRC		06:56
*** EinstCrazy has joined #openstack-keystone		06:57
*** EinstCrazy has quit IRC		06:57
*** EinstCrazy has joined #openstack-keystone		06:57
*** EinstCrazy has quit IRC		07:00
*** EinstCra_ has joined #openstack-keystone		07:00
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/266168	07:02
*** vgridnev has quit IRC		07:05
*** EinstCra_ has quit IRC		07:08
*** EinstCrazy has joined #openstack-keystone		07:08
*** jaosorior has joined #openstack-keystone		07:09
*** roxanagh_ has joined #openstack-keystone		07:16
openstackgerrit	venkatamahesh proposed openstack/keystone: Improvements for more effective code https://review.openstack.org/266203	07:22
*** spzala has joined #openstack-keystone		07:25
*** vgridnev has joined #openstack-keystone		07:35
*** EinstCra_ has joined #openstack-keystone		07:41
*** EinstCrazy has quit IRC		07:41
*** e0ne has joined #openstack-keystone		07:42
*** RA_ has quit IRC		07:43
*** vivekd_ has joined #openstack-keystone		07:49
openstackgerrit	Dave Chen proposed openstack/keystone: Enable `id`, `enabled` attributes filtering for list IdP API https://review.openstack.org/215041	07:50
*** vivekd has quit IRC		07:52
*** vivekd_ is now known as vivekd		07:52
*** belmoreira has joined #openstack-keystone		07:53
*** vgridnev has quit IRC		08:00
*** spzala has quit IRC		08:00
*** jistr has joined #openstack-keystone		08:06
*** jistr is now known as jistr\|doc		08:07
*** EinstCrazy has joined #openstack-keystone		08:07
*** EinstCra_ has quit IRC		08:07
*** jed56 has joined #openstack-keystone		08:08
*** EinstCrazy has quit IRC		08:12
*** EinstCrazy has joined #openstack-keystone		08:12
*** GB21 has joined #openstack-keystone		08:15
*** e0ne has quit IRC		08:16
*** pnavarro has joined #openstack-keystone		08:19
*** fawadkhaliq has quit IRC		08:22
*** fawadkhaliq has joined #openstack-keystone		08:22
*** spzala has joined #openstack-keystone		08:27
openstackgerrit	Merged openstack/keystonemiddleware: Disable memory caching of tokens https://review.openstack.org/212345	08:48
openstackgerrit	Merged openstack/keystonemiddleware: Don't cache signed tokens https://review.openstack.org/190941	08:49
*** vgridnev has joined #openstack-keystone		08:50
openstackgerrit	Maho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller https://review.openstack.org/261188	08:52
stevemar	yawns	08:52
stevemar	tomorrow, we release all the clients!	08:52
stevemar	or at least, propose patches and create release notes	08:53
*** spzala has quit IRC		08:55
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/266153	08:59
*** jistr\|doc has quit IRC		08:59
*** belmoreira has quit IRC		09:01
*** fhubik has joined #openstack-keystone		09:06
*** spzala has joined #openstack-keystone		09:09
*** daemontool has joined #openstack-keystone		09:11
*** spzala has quit IRC		09:14
*** openstackgerrit has quit IRC		09:17
*** openstackgerrit has joined #openstack-keystone		09:17
*** jistr has joined #openstack-keystone		09:20
*** mhickey has joined #openstack-keystone		09:23
*** fhubik is now known as fhubik_brb		09:27
*** aix has joined #openstack-keystone		09:37
*** e0ne has joined #openstack-keystone		09:48
*** fhubik_brb is now known as fhubik		09:50
*** clayton has quit IRC		09:51
*** fawadkhaliq has quit IRC		09:51
*** clayton has joined #openstack-keystone		09:51
*** fawadkhaliq has joined #openstack-keystone		09:52
*** sileht has quit IRC		09:52
*** davechen has left #openstack-keystone		09:55
*** EinstCrazy has quit IRC		09:57
*** fawadkhaliq has quit IRC		10:01
*** fawadkhaliq has joined #openstack-keystone		10:01
*** markvoelker has joined #openstack-keystone		10:02
*** sileht has joined #openstack-keystone		10:03
*** markvoelker has quit IRC		10:07
*** RA has joined #openstack-keystone		10:10
*** RA is now known as Guest69175		10:10
*** josecastroleon has joined #openstack-keystone		10:19
openstackgerrit	Merged openstack/keystoneauth: Replace assertEqual(None, *) with assertIsNone in tests https://review.openstack.org/266118	10:19
*** Guest69175 has quit IRC		10:25
*** aix has quit IRC		10:32
samueldmq	morning	10:35
samueldmq	stevemar: nice	10:35
*** shoutm_ has joined #openstack-keystone		10:45
*** shoutm has quit IRC		10:47
*** fawadkhaliq has quit IRC		10:52
*** aix has joined #openstack-keystone		10:53
*** jaosorior has quit IRC		10:55
*** jaosorior has joined #openstack-keystone		10:55
*** shoutm_ has quit IRC		10:56
*** dims has joined #openstack-keystone		11:05
*** roxanagh_ has quit IRC		11:05
*** shoutm has joined #openstack-keystone		11:07
*** spzala has joined #openstack-keystone		11:10
*** josecastroleon has quit IRC		11:13
*** spzala has quit IRC		11:15
*** vivekd has quit IRC		11:17
*** openstackgerrit has quit IRC		11:17
*** openstackgerrit has joined #openstack-keystone		11:17
*** fhubik is now known as fhubik_brb		11:19
openstackgerrit	Merged openstack/keystone: Create V9 version of federation driver interface https://review.openstack.org/262307	11:19
openstackgerrit	Xiaoyang Zhang proposed openstack/keystone: keystone bug test https://review.openstack.org/266303	11:29
*** zqfan has joined #openstack-keystone		11:33
*** vivekd has joined #openstack-keystone		11:40
*** vivekd has quit IRC		11:41
*** vivekd has joined #openstack-keystone		11:42
*** jaosorior has quit IRC		11:49
*** jaosorior has joined #openstack-keystone		11:50
*** fhubik_brb is now known as fhubik		11:52
*** vivekd has quit IRC		11:54
openstackgerrit	ting wang proposed openstack/keystone: Python3: replace dumps with dump_as_bytes https://review.openstack.org/266315	11:56
*** josecastroleon has joined #openstack-keystone		12:01
*** markvoelker has joined #openstack-keystone		12:03
*** fhubik is now known as fhubik_brb		12:04
*** peter-hamilton has joined #openstack-keystone		12:06
*** markvoelker has quit IRC		12:08
*** roxanagh_ has joined #openstack-keystone		12:09
*** vgridnev has quit IRC		12:10
*** josecastroleon has quit IRC		12:10
openstackgerrit	Henrique Truta proposed openstack/keystone: Create V9 version of resource driver interface https://review.openstack.org/262082	12:11
*** vgridnev has joined #openstack-keystone		12:11
*** josecastroleon has joined #openstack-keystone		12:11
*** spzala has joined #openstack-keystone		12:11
*** roxanagh_ has quit IRC		12:15
*** spzala has quit IRC		12:16
*** GB21 has quit IRC		12:21
*** qeelee has joined #openstack-keystone		12:21
*** pauloewerton has joined #openstack-keystone		12:21
*** _zouyee has joined #openstack-keystone		12:21
*** GB21 has joined #openstack-keystone		12:22
*** _zouyee has quit IRC		12:23
*** _zouyee has joined #openstack-keystone		12:23
_zouyee	hello	12:23
samueldmq	_zouyee: hi	12:23
*** shoutm_ has joined #openstack-keystone		12:26
*** shoutm has quit IRC		12:28
*** aix has quit IRC		12:29
*** vgridnev has quit IRC		12:30
*** shoutm_ has quit IRC		12:31
*** aix has joined #openstack-keystone		12:32
*** shoutm has joined #openstack-keystone		12:32
*** fhubik_brb is now known as fhubik		12:33
*** GB21 has quit IRC		12:37
*** iurygregory has joined #openstack-keystone		12:37
*** vgridnev has joined #openstack-keystone		12:41
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/266151	12:41
*** d0ugal has quit IRC		12:42
*** d0ugal has joined #openstack-keystone		12:43
*** d0ugal is now known as Guest58385		12:43
*** EinstCrazy has joined #openstack-keystone		12:45
*** Guest58385 is now known as d0ugal		12:45
*** d0ugal has quit IRC		12:45
*** d0ugal has joined #openstack-keystone		12:45
marekd	notmorgan: reading the IRC backlog - why would you think endpoint filtering should die?	12:45
marekd	roxanaghe: let me know when you are online	12:45
*** markvoelker has joined #openstack-keystone		13:04
*** fhubik is now known as fhubik_brb		13:05
*** davechen1 has joined #openstack-keystone		13:05
*** ninag has joined #openstack-keystone		13:06
*** fhubik_brb is now known as fhubik		13:09
openstackgerrit	Marek Denis proposed openstack/keystone: Add asserts for service providers https://review.openstack.org/265809	13:09
openstackgerrit	Marek Denis proposed openstack/keystone: Service Providers and Projects associations https://review.openstack.org/264854	13:09
*** roxanagh_ has joined #openstack-keystone		13:10
*** ninag has quit IRC		13:11
*** spzala has joined #openstack-keystone		13:12
*** _zouyee has quit IRC		13:13
*** roxanagh_ has quit IRC		13:15
*** markvoelker has quit IRC		13:15
*** spzala has quit IRC		13:17
*** davechen has joined #openstack-keystone		13:17
*** davechen1 has quit IRC		13:19
*** fhubik has quit IRC		13:19
*** oomichi is now known as oomichi_away		13:23
*** ninag has joined #openstack-keystone		13:24
*** fawadkhaliq has joined #openstack-keystone		13:28
*** Nirupama has quit IRC		13:30
*** shoutm has quit IRC		13:30
*** sigmavirus24_awa is now known as sigmavirus24		13:31
*** edmondsw has joined #openstack-keystone		13:32
*** fawadkhaliq has quit IRC		13:34
*** markvoelker has joined #openstack-keystone		13:35
*** _zouyee has joined #openstack-keystone		13:36
*** _zouyee has quit IRC		13:36
*** sigmavirus24 is now known as sigmavirus24_awa		13:40
*** dslev has joined #openstack-keystone		13:42
htruta	stevemar: the patch this was depending on was merged https://review.openstack.org/#/c/262082 and it was rebased. Can you +A it?	13:46
stevemar	htruta: looks like it's failing the legacy tests	13:46
stevemar	henrynash: around?	13:46
*** browne has joined #openstack-keystone		13:47
htruta	stevemar: ow... my bad. I'll submit it again	13:48
stevemar	htruta: i'm not sure why it's failing	13:48
stevemar	but i did just wake up :)	13:48
htruta	stevemar: that's why: https://review.openstack.org/#/c/262082/4..5/tox.ini	13:48
stevemar	d'oh, need a new line that starts with nosetests -v \	13:49
stevemar	htruta: commented	13:49
stevemar	thanks for rebasing :)	13:49
htruta	stevemar: yes... just running it locally and will submit in a sec	13:50
*** topol has joined #openstack-keystone		13:50
*** ChanServ sets mode: +v topol		13:50
stevemar	htruta: cool cool	13:50
stevemar	htruta: i wonder why henrynash called the federation driver api_v3.py instead of sql.py	13:50
stevemar	seems inconsistent	13:50
stevemar	topol: oh hey, look who signed on :O	13:51
*** topol has quit IRC		13:51
htruta	stevemar: true... that's odd	13:52
*** browne has quit IRC		13:52
openstackgerrit	Henrique Truta proposed openstack/keystone: Create V9 version of resource driver interface https://review.openstack.org/262082	13:52
*** shoutm has joined #openstack-keystone		13:52
*** _zouyee has joined #openstack-keystone		13:55
*** jbell8 has joined #openstack-keystone		13:56
*** qeelee has quit IRC		13:57
*** dslev has quit IRC		14:02
*** gordc has joined #openstack-keystone		14:04
*** richm has joined #openstack-keystone		14:10
*** topol has joined #openstack-keystone		14:16
*** ChanServ sets mode: +v topol		14:16
*** jsavak has joined #openstack-keystone		14:16
*** spzala has joined #openstack-keystone		14:17
davechen	stevemar: henry give his answer here - https://review.openstack.org/#/c/262307/3/keystone/tests/unit/backend/legacy_drivers/federation/V8/api_v3.py@4	14:17
stevemar	davechen: hmm, but it's in the "backends* folder	14:18
*** Ephur has quit IRC		14:19
*** Ephur has joined #openstack-keystone		14:20
*** Ephur has quit IRC		14:20
davechen	stevemar: seems like he means FederatedIdentityProviderTestsV8 is inherit from test_v3_federation instead of test_backend.py.	14:20
*** Ephur has joined #openstack-keystone		14:20
*** spzala has quit IRC		14:21
*** jsavak has quit IRC		14:21
davechen	s/test_backend.py/test_backend_sql. This is the difference I can see.	14:21
lbragstad	ayoung fernet is passing devstack - https://review.openstack.org/#/c/195780/	14:22
dolphm	lbragstad: \o/	14:22
lbragstad	ayoung I believe it has been for a while; but there were some comments about where we should switch the default	14:22
lbragstad	(keystone or devstack)	14:22
*** jsavak has joined #openstack-keystone		14:23
lbragstad	if we want to allow it to be the default in keystone - we will need a patch to set things up automatically (maybe I can work on that today)	14:23
dstanek	lbragstad: nice	14:24
lbragstad	dolphm ayoung - fyi https://review.openstack.org/#/c/266054/1	14:24
lbragstad	all the trust tests are separated into "trust behavior" and "trust crud"	14:25
openstackgerrit	David Stanek proposed openstack/keystone: Refactor test auth_plugin config into fixture https://review.openstack.org/266396	14:26
openstackgerrit	David Stanek proposed openstack/keystone: Reduce setup overhead in auth_plugin tests https://review.openstack.org/266397	14:26
openstackgerrit	David Stanek proposed openstack/keystone: Change the remaining conf setup to use the fixture https://review.openstack.org/266398	14:26
openstackgerrit	David Stanek proposed openstack/keystone: Limits config fixture usage to where it's needed https://review.openstack.org/266399	14:26
*** shoutm has quit IRC		14:26
ayoung	http://www.ansible.com/blog/ansible-2.0-launch YAY!	14:29
*** petertr7_away is now known as petertr7		14:30
ayoung	lbragstad, thanks for pointing that out. Looks like it is +Workflow now. Are you planning on taking over https://review.openstack.org/#/c/258650/	14:31
ayoung	lbragstad, I was assuming that was mostly test fixes, so if you are already fixing the tests, you can rebase that and see it get closer and closer to working	14:32
*** aix has quit IRC		14:33
lbragstad	ayoung ah - I can. I was just trolling gerrit looking for that patch	14:33
lbragstad	ayoung let me pull your patch down and see what happens when I run it locally	14:33
ayoung	lbragstad, I was looking to seee if I could find the summary in the log file	14:33
*** aix has joined #openstack-keystone		14:33
ayoung	- Failed: 290	14:34
lbragstad	hmmm - http://logs.openstack.org/50/258650/1/check/gate-keystone-python27/4a701de/testr_results.html.gz	14:34
ayoung	ValueError: badly formed hexadecimal UUID string seems to be a common error...let's see	14:34
ayoung	File "keystone/token/providers/fernet/token_formatters.py", line 308, in convert_uuid_hex_to_bytes	14:35
ayoung	2015-12-16 21:29:22.027 \| uuid_obj = uuid.UUID(uuid_string)	14:35
lbragstad	i'm seeing a lot of "Key repository not found" errors	14:35
ayoung	lbragstad yeah, that is not surprising, too.	14:36
*** davechen has left #openstack-keystone		14:36
ayoung	We need to set up the Key repo once at the start of the run and have it there, reusable, for all tests in the run, I think.	14:37
ayoung	Make that the norm instead of the exception	14:37
*** _zouyee has quit IRC		14:37
*** _zouyee has joined #openstack-keystone		14:38
ayoung	lbragstad, I'll leave that patch to you, but shout at any point if you get stuck or need something on it.	14:38
*** dslev has joined #openstack-keystone		14:39
*** timcline has joined #openstack-keystone		14:39
lbragstad	ayoung agreed - let me see if i can get the key repository stuff figured out. I think that will fix a lot of the issues	14:39
ayoung	++	14:39
*** jaosorior has quit IRC		14:40
*** shoutm has joined #openstack-keystone		14:45
*** spzala has joined #openstack-keystone		14:45
*** woodster_ has joined #openstack-keystone		14:46
*** timcline has quit IRC		14:46
*** dslev has quit IRC		14:49
*** links has quit IRC		14:50
*** topol has quit IRC		14:55
*** topol has joined #openstack-keystone		14:55
*** ChanServ sets mode: +v topol		14:55
*** jsavak has quit IRC		14:56
*** roxanagh_ has joined #openstack-keystone		14:56
odyssey4me	I have a question around making use of multiple identity back-ends, in this case specifying the default domain configuration in /etc/keystone/domains/keystone.Default.conf	14:57
*** dslev has joined #openstack-keystone		14:58
odyssey4me	I'm using an sql back-end, but I want all domain configurations to be done in the same way - ie using the multiple domain back-end with conf files in /etc/keystone/domains/	14:58
odyssey4me	this allows someone to easily do sql or ldap identity back-ends	14:58
odyssey4me	the trouble I'm having is to determine what the content of the file should be for an sql back-end	14:58
odyssey4me	right now I have the two sections - 'identity' (containing 'driver = sql'), and an 'sql' section with no content	14:59
odyssey4me	should the sql section have content, and if so - what content?	15:00
*** topol has quit IRC		15:00
odyssey4me	it seems to work without content - I'm just trying to determine whether it could contain content to indicate that the domain in question could be referring to a totally different database if the deployer so chooses	15:01
*** roxanagh_ has quit IRC		15:01
*** doug-fish has joined #openstack-keystone		15:02
stevemar	odyssey4me: you're gonna make me look up and see if we actually support multiple SQL backends eh	15:03
odyssey4me	stevemar you know it :)	15:03
stevemar	henrynash: ^^	15:03
*** jrist has quit IRC		15:03
odyssey4me	hahahaha, delegated!	15:03
stevemar	odyssey4me: maybe it needs a [database] section and not [sql]	15:05
anteaya	bknudson_: stable meeting	15:05
stevemar	so you can specify a db connection	15:05
ayoung	odyssey4me, so...I'd say that the default domain should be in SQL, and not in a domain specific backend	15:05
ayoung	there was some work to make it happen, but, I would not see any advantage to putting SQL domains in a DSBE file.	15:06
stevemar	ayoung: odyssey4me i assumed the default domain was in SQL, but odyssey4me wants multiple SQL backends	15:06
ayoung	stevemar, I'm not certain that has been tested	15:06
ayoung	It would be awesome if it worked. Let's see what got committed	15:07
dstanek	stevemar: i didn't think that you could do that	15:07
dstanek	stevemar: which database connection would our drivers use and when? i thought we just weren't architected for that yet	15:08
ayoung	so..no, as far as I can tell, all that is supporetd is putting the domain specific backend configs into SQL, not what you are lookin for	15:08
ayoung	dstanek, that is my understanding as well	15:08
samueldmq	jamielennox: you around ? about adapter deprecation on ksclient	15:08
odyssey4me	ok, so only one sql back-end is ever supported at this stage... and its details must be put into keystone.conf instead of in a DSBE file	15:09
*** GB21 has joined #openstack-keystone		15:09
*** petertr7 is now known as petertr7_away		15:10
dstanek	odyssey4me: yes. afiak we only support a single database connection	15:11
samueldmq	dstanek: ++	15:12
odyssey4me	so there is no way that a secondary domain could be configured to be in a database that's different to the default domain and other config	15:12
*** jrist has joined #openstack-keystone		15:15
*** jrist has quit IRC		15:16
*** jrist has joined #openstack-keystone		15:16
*** dave-mccowan has joined #openstack-keystone		15:17
dstanek	odyssey4me: that is my understanding	15:17
*** petertr7_away is now known as petertr7		15:18
odyssey4me	ok, so the DSBE files are for LDAP (or other drivers) only	15:18
*** dave-mcc_ has joined #openstack-keystone		15:19
odyssey4me	and if someone is configuring the default domain in LDAP - should that be done in keystone.conf, or in a DSBE?	15:20
*** lhcheng has joined #openstack-keystone		15:22
*** ChanServ sets mode: +v lhcheng		15:22
*** dave-mccowan has quit IRC		15:22
*** jsavak has joined #openstack-keystone		15:25
ayoung	odyssey4me, in DSBE	15:25
ayoung	odyssey4me, I would do it like this:	15:25
ayoung	make SQL the identity profiover in the main config file	15:26
ayoung	crearte a DSBE for LDAP	15:26
ayoung	make the LDAP domain the default domain	15:26
ayoung	odyssey4me, along these lines http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/	15:26
odyssey4me	ayoung ok, so it's pretty much either or when it comes to the default domain	15:28
odyssey4me	I saw some old posts around a 'hybrid' concept where a domain could use both... does that exist?	15:28
ayoung	odyssey4me, more correct to say that it is either/or for the identity backend	15:28
ayoung	odyssey4me, nope	15:28
*** BobBall has left #openstack-keystone		15:29
ayoung	never supported	15:29
odyssey4me	ok, good - thanks for the confirmation	15:29
*** jbell8 has quit IRC		15:30
odyssey4me	as always, guys & gals, you rock :) your responsiveness is appreciated	15:30
*** breitz has quit IRC		15:32
*** breitz has joined #openstack-keystone		15:32
lbragstad	ayoung cut the tests in half - pushing a new patch	15:37
ayoung	lbragstad, the test time? Excellent	15:38
openstackgerrit	Lance Bragstad proposed openstack/keystone: Make fernet default token provider https://review.openstack.org/258650	15:38
lbragstad	ayoung 149 failures	15:38
lbragstad	ayoung i have a feeling they are oauth related	15:38
ayoung	interesting	15:38
*** timcline has joined #openstack-keystone		15:39
stevemar	lbragstad: ruh roh	15:39
lbragstad	stevemar ayoung - http://cdn.pasteraw.com/b5plpttlsmxjwrjl9nb41izxcyczwuf	15:39
stevemar	lbragstad: fernet and oauth errors?	15:40
ayoung	lbragstad, feels like something is expecting a UUID string and getting a Fernet token instead	15:41
stevemar	tjcocozz: feel like backporting much stuff? :P	15:42
tjcocozz	yeah whats up?	15:43
stevemar	tjcocozz: https://review.openstack.org/#/q/I483bc57bd38eb81a0905bcaf94e4ea82604919d6,n,z landed in master, but needs to be in liberty and kilo as well. the liberty one is failing tests too :\	15:43
stevemar	it's actually, the other half the of fix to which you've backported for the server side	15:44
tjcocozz	stevemar, just want to finish this review quick. I will give it a try	15:44
xek	lbragstad, Hi, I proposed documentation about online schema migration at https://review.openstack.org/#/c/265252/, can you take a look?	15:44
stevemar	tjcocozz: i see bknudson_ has taught you the fine art of backporting	15:44
tjcocozz	stevemar, lets see if it paid off :-)	15:45
bknudson_	tjcocozz figured that out himself	15:45
tjcocozz	bknudson_, i didn't know about the '-X' in git reivew though	15:46
ayoung	lbragstad, Um I think the issue is here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/token_formatters.py#n434	15:46
ayoung	the test is probably using a non uuid user_id, and the Fernet provider is barfing on it. Fernet cannot assume UUID for User_id, as many LDAP installs need to use a string; no place to store the UUID	15:47
*** topol has joined #openstack-keystone		15:48
*** ChanServ sets mode: +v topol		15:48
xek	lbragstad, I'm also working to propose a patch for https://bugs.launchpad.net/keystone/+bug/1524124 in accordance with these guidelines	15:48
openstack	Launchpad bug 1524124 in OpenStack Identity (keystone) "unscalable database schema design" [Undecided,New] - Assigned to Grzegorz Grasza (xek)	15:48
ayoung	lbragstad, we could probably change the UUID-to-bytes call to a try block and, on this failure, base64 encode	15:48
lbragstad	ayoung yeah, i thought we did that already?	15:54
lbragstad	xek sure thing	15:55
dstanek	notmorgan: did you ever make progress on using ldap3?	15:55
dstanek	lbragstad: ayoung: i had a patch a while ago trying to fix the bytes issues in fernet https://review.openstack.org/#/c/207526/	15:57
bknudson_	lbragstad: I'm in the castle now, for the ossg meetup	15:58
*** fawadkhaliq has joined #openstack-keystone		15:58
lbragstad	bknudson_ what?! I assume you guys are going to break for lunch?	15:59
*** phalmos has joined #openstack-keystone		15:59
bknudson_	lbragstad: yep, at noon	15:59
bknudson_	I think they're going to bring in lunch	16:00
lbragstad	bknudson_ awesome!	16:00
ayoung	dstanek, that looks like it should come back to life	16:00
dstanek	ayoung: i can revive it. i'm reviving some other python3 stuff now	16:01
ayoung	dstanek, ++	16:01
lbragstad	ayoung i think that stuff was fixed with - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L314-L327	16:02
lbragstad	ayoung browne was the one to do that I think - https://github.com/openstack/keystone/commit/794e1510cc91fbe0277e291bc2cabdfba478bef3	16:03
lbragstad	ayoung so i'm not completely sure why we hit that issue with oauth	16:04
ayoung	lbragstad, I think it is not oauth	16:04
ayoung	I think it is usierd id...let me confirm	16:04
lbragstad	ayoung it looks like the domain id?	16:05
*** gokrokve has joined #openstack-keystone		16:05
lbragstad	ayoung - http://cdn.pasteraw.com/jm2t11vxf9qj3bib6qm97cxaxycx0cl	16:06
*** aix has quit IRC		16:07
*** slberger has joined #openstack-keystone		16:07
lbragstad	ayoung - i think i have an idea of what is going on	16:10
lbragstad	ayoung the token formatter tries to convert the domain_id to bytes - and it fails with a ValueError.	16:10
*** vgridnev has quit IRC		16:11
lbragstad	the b_domain_id is then only assigned the domain_id iff the domain_id matches what is in the configuration	16:11
lbragstad	if not - the exception is reraised	16:11
ayoung	lbragstad, I'm trying to catch it with rpdb...	16:12
ayoung	lbragstad, I think it is failing on userid	16:13
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: add release notes for ksa 2.2.0 https://review.openstack.org/266456	16:14
*** fawadkhaliq has quit IRC		16:14
stevemar	mordred: notmorgan dolphm bknudson_ ^ gonna need helps with release notes, tagging new releases today	16:15
ayoung	lbragstad, nah, you are right it is domain	16:15
ayoung	I'll let youtackle it..I have to run	16:16
*** ayoung has quit IRC		16:16
*** shoutm has quit IRC		16:17
*** sigmavirus24_awa is now known as sigmavirus24		16:18
*** GB21 has quit IRC		16:24
*** EinstCrazy has quit IRC		16:28
*** josecastroleon has quit IRC		16:31
*** lhcheng has quit IRC		16:34
*** jamielennox is now known as jamielennox\|away		16:37
*** petertr7 is now known as petertr7_away		16:41
*** petertr7_away is now known as petertr7		16:42
*** jsavak has quit IRC		16:44
*** hockeynut_afk is now known as hockeynut		16:45
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: create release notes for ksm 4.1.0 https://review.openstack.org/266474	16:47
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: add release notes for ksc 2.1.0 https://review.openstack.org/266466	16:47
*** browne has joined #openstack-keystone		16:47
*** fawadkhaliq has joined #openstack-keystone		16:49
stevemar	looking for volunteers to review release notes :O https://review.openstack.org/#/q/topic:mitaka-2-keystone-libs	16:51
*** _cjones_ has joined #openstack-keystone		16:53
*** tonytan4ever has joined #openstack-keystone		16:54
*** jsavak has joined #openstack-keystone		16:54
*** bradjones has quit IRC		16:55
*** _zouyee has quit IRC		16:55
*** rderose has joined #openstack-keystone		16:56
*** bradjones has joined #openstack-keystone		16:58
*** bradjones has quit IRC		16:58
*** bradjones has joined #openstack-keystone		16:58
*** _cjones_ has quit IRC		16:58
*** _cjones_ has joined #openstack-keystone		16:58
*** spzala has quit IRC		16:59
*** spzala has joined #openstack-keystone		17:00
*** dslev has quit IRC		17:01
*** gyee has joined #openstack-keystone		17:01
*** ChanServ sets mode: +v gyee		17:01
*** lhcheng has joined #openstack-keystone		17:02
*** ChanServ sets mode: +v lhcheng		17:02
*** spzala has quit IRC		17:04
*** vgridnev has joined #openstack-keystone		17:06
*** fawadkhaliq has quit IRC		17:07
*** mhickey has quit IRC		17:13
*** rderose has quit IRC		17:15
*** jbell8 has joined #openstack-keystone		17:16
*** daemontool has quit IRC		17:22
*** gokrokve has quit IRC		17:22
*** fawadkhaliq has joined #openstack-keystone		17:29
*** zqfan has quit IRC		17:31
bknudson_	stevemar: https://review.openstack.org/#/c/266474/ is failing locally	17:32
bknudson_	/opt/stack/keystonemiddleware/releasenotes/source/unreleased.rst:3: WARNING: Duplicate explicit target name: "bug 1490804".	17:32
openstack	bug 1490804 in OpenStack Security Advisory "PKI Token Revocation Bypass (CVE-2015-7546)" [Undecided,Confirmed] https://launchpad.net/bugs/1490804	17:32
*** petertr7 is now known as petertr7_away		17:37
roxanaghe	marekd: ping	17:42
*** e0ne has quit IRC		17:42
*** tonytan4ever has quit IRC		17:51
openstackgerrit	Paulo Ewerton Gomes Fragoso proposed openstack/keystone: API support for project cascade delete https://review.openstack.org/244248	17:54
openstackgerrit	Paulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade delete https://review.openstack.org/244149	17:54
openstackgerrit	Paulo Ewerton Gomes Fragoso proposed openstack/keystone: Add backend support for deleting a projects list https://review.openstack.org/245916	17:54
*** jasonsb has quit IRC		17:56
*** rderose has joined #openstack-keystone		18:00
*** jistr has quit IRC		18:03
marekd	roxanaghe: so i am here	18:04
marekd	however, may be disconneced	18:04
*** shaleh has joined #openstack-keystone		18:04
*** dave-mcc_ has quit IRC		18:04
roxanaghe	hey marekd, so you saw my question from yesterday?	18:05
*** ankita_wagh has joined #openstack-keystone		18:06
roxanaghe	marekd, I've been trying to help testing that ADFSPlugin patch to remove lxml dependency, I'm almost able to test it all through but not quite there	18:06
marekd	roxanaghe: and od patch wors fine?	18:07
marekd	works	18:07
marekd	i mean, default code from the keystoneauth lib	18:08
roxanaghe	marekd, no - without the patch - it doesn't work either	18:08
roxanaghe	I got a weird ADFS error :(	18:09
marekd	so i'd first suggest try to make it work with default code (i think gyee even confirmed it worked)	18:09
marekd	i don't know what is that error meaning	18:09
marekd	don't you have some adfs folks out there?	18:10
*** jsavak has quit IRC		18:10
gyee	marekd, you mean the famous Dr Watson error dialog? :)	18:10
marekd	gyee: i don't know what dialog :-)	18:11
gyee	I haven't had a chance to look into the ADFS stuff yet	18:11
roxanaghe	marekd, gyee hah I'll try to dig in some more into that error or search for an ADFS friend	18:14
marekd	roxanaghe: MS support is your friend :-)	18:14
marekd	but they are...friends you can buy	18:14
roxanaghe	marekd, right :) I can also give a try to your kerberos script see what we get on our env	18:16
openstackgerrit	Ian Cordasco proposed openstack/oslo.policy: Add oslopolicy-checker command-line tool https://review.openstack.org/170978	18:16
marekd	roxanaghe: if you have access to a totally dev adfs env that would be coo	18:16
marekd	disable tls/ssl	18:16
marekd	and try if it works	18:16
marekd	but just keep in mind that also this request body must have host filled	18:17
marekd	somewhere in the <mustUnderstand tag>	18:17
marekd	<mustUnderstand>	18:17
gyee	marekd, ADFS login form is customizable right?	18:18
*** jbell8_ has joined #openstack-keystone		18:18
marekd	this login webpage?	18:19
marekd	dunno, but i guess so.	18:19
gyee	anyways, roxanaghe, lets do some heavy debugging later in the afternoon	18:20
roxanaghe	marekd, ok I'll give it a try today. Yes, figuring out the correct urls was a bit of a struggle, I could put up a patch to improve the code doc in ADFSPlugin	18:20
roxanaghe	gyee yayy :)	18:20
*** tonytan4ever has joined #openstack-keystone		18:20
*** jbell8 has quit IRC		18:21
marekd	roxanaghe: thanks	18:24
marekd	roxanaghe: feel free to use thishttps://github.com/zaccone/pyadfsclient/blob/master/README.md	18:25
marekd	https://github.com/zaccone/pyadfsclient/blob/master/README.md	18:25
roxanaghe	marekd, that's good. thanks	18:26
gyee	marekd, sure will do, thanks!	18:26
*** jaosorior has joined #openstack-keystone		18:27
marekd	thanks	18:28
marekd	gyee: roxanaghe if you can give access to your dev adfs instances for ppl fromout of hpe i could use one	18:28
*** rderose has quit IRC		18:32
*** rderose has joined #openstack-keystone		18:32
*** e0ne has joined #openstack-keystone		18:35
gyee	raildo, yeah, I haven't enable trove yet	18:35
roxanaghe	marekd I'll have to ask around how that works. the current one is accessible only through VPN	18:35
raildo	gyee: right	18:35
marekd	roxanaghe: aha	18:36
notmorgan	henrynash: after meeting need to ask you about the @filterprotected decorator, i'm tring to unwind that and the callbacks atm	18:36
*** jasonsb has joined #openstack-keystone		18:39
*** fawadkhaliq has quit IRC		18:42
*** jsavak has joined #openstack-keystone		18:48
*** petertr7_away is now known as petertr7		18:52
*** ayoung has joined #openstack-keystone		18:52
*** ChanServ sets mode: +v ayoung		18:52
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: add release notes for ksc 2.1.0 https://review.openstack.org/266466	18:55
openstackgerrit	David Stanek proposed openstack/keystone: Reduce setup overhead in auth_plugin tests https://review.openstack.org/266397	18:59
openstackgerrit	David Stanek proposed openstack/keystone: Refactor test auth_plugin config into fixture https://review.openstack.org/266396	18:59
openstackgerrit	David Stanek proposed openstack/keystone: Limits config fixture usage to where it's needed https://review.openstack.org/266399	18:59
openstackgerrit	David Stanek proposed openstack/keystone: Change the remaining conf setup to use the fixture https://review.openstack.org/266398	18:59
*** jaosorior has quit IRC		19:00
*** daemontool has joined #openstack-keystone		19:00
gyee	lets talk it over at the mid-cycle	19:00
ayoung	notmorgan, it would not be different based on scope	19:00
*** jaosorior has joined #openstack-keystone		19:00
ayoung	gyee, I wonm't be there	19:00
gyee	ayoung, I saw you name on the list	19:00
stevemar	i'll be sending out an email to midcycle attendees, if you know someone who wants to come and is not on the list https://wiki.openstack.org/wiki/Sprints/KeystoneMitakaSprint#Registration -- let me know!	19:00
gyee	thought you changed your mind	19:00
ayoung	gyee, nah, the issue is medical.	19:01
ayoung	gyee, I can't make it.	19:01
notmorgan	gyee: it unsure if i'll be at the midcycle	19:01
gyee	ayoung, no worries, health is wealth	19:01
stevemar	gyee: i added ayoung's name to the list last week, to make sure he had a spot	19:01
stevemar	but i'll be removing it now	19:01
notmorgan	i am looking into it.	19:01
notmorgan	but no guarantees	19:01
notmorgan	gyee, ayoung: so if we want to bind endpoints i am fine with adding a list, i just want the catalog blob to not change. if that makes sense	19:02
stevemar	notmorgan: do what you can	19:02
ayoung	notmorgan, so...the only thing that will differ with this (my) spec is that, if you ask for a specific endpoint, it will only add that endpoint to the catalog. I think it is safe to say that if the token would not have that endpoint without it being in the request, it would not be alloed to request it; would be a 403	19:02
*** jbell8_ has quit IRC		19:02
ayoung	notmorgan, it would be smaller ,but the endpoint value in the catalog would be unchanged	19:02
notmorgan	again i am against changing the content of the catalog based on authetc	19:02
*** jbell8 has joined #openstack-keystone		19:03
notmorgan	the catalog content shouldn't change.	19:03
ayoung	notmorgan, Well, we can work with that constraint, but it is strange.	19:03
gyee	you can enforce endpoint binding without the proper endpoints	19:04
gyee	can't	19:04
ayoung	gyee, we could do it in a separate section of the token from the catalog if he insists	19:04
gyee	unless you want to stick an extra field in the tokne	19:04
ayoung	I have to run....back in 1/2 hour	19:04
gyee	like allowed_endpoints or something	19:04
gyee	that would make the token even bigger	19:04
*** breton_ is now known as breton		19:05
notmorgan	gyee: that is what i'm saying, do enforcement in a specific place in the token if you need it.	19:05
gyee	if we are going this far, might as well make service catalog a separate service instead	19:05
notmorgan	gyee: it probably should be	19:05
*** spzala has joined #openstack-keystone		19:05
gyee	normorgan, yeah, probably a better way	19:05
notmorgan	it should not be embeded in the token at all, but that is something i'm working on long term	19:05
gyee	I am totally OK with it being a separate service	19:05
samueldmq	consul ?	19:06
notmorgan	so in short, i'm just saying "don't change the catalog content" if you want this enforcement make it an enforcement block so we can expand/change as needed	19:06
lbragstad	stevemar thanks for the review on https://review.openstack.org/#/c/266052/ - I completely agree.	19:06
*** aginwala has joined #openstack-keystone		19:06
notmorgan	not be locking more into the catalog as it is, because it needs work and will change with the x-proect spec to standardize it	19:06
lbragstad	stevemar I think jorge_munoz wants to take a stab at making the setup stuff more efficient	19:06
stevemar	lbragstad: ah okay	19:07
gyee	we need a way to control what service to expose based on auth scope, so we'll need to figure out a solution	19:07
notmorgan	so use an enforcement section, heck, we can be smart about it	19:07
notmorgan	{ enforcement: { region: { id: X, alloed: false }}	19:08
notmorgan	if you want to get really granular	19:08
*** martinus__ has quit IRC		19:08
*** ayoung has quit IRC		19:08
notmorgan	but i don't want to see the catalog content changing.	19:08
*** rderose has quit IRC		19:09
notmorgan	because it's backing us further into a corner/locking us more into how the catalog works now and makes it harder to re-think the catalog [things in progress already] than today	19:09
samueldmq	notmorgan: ++	19:10
gyee	I think its essentially we need to be able to control what to expose	19:10
notmorgan	I'm not convinced that is a real concern	19:10
*** diegows has joined #openstack-keystone		19:10
notmorgan	samueldmq: anyway - so it looks like we've compressed down a bunch of things into a single paste entry?	19:12
notmorgan	samueldmq: and you did some of that work?	19:12
notmorgan	samueldmq: just checking on that status because i like that direction	19:12
gyee	gotta run, I'll catch you guys later	19:13
*** gyee has quit IRC		19:13
stevemar	notmorgan: can you address dolphm's concern here: https://review.openstack.org/#/c/265023/ (2nd last comment)	19:14
samueldmq	notmorgan: hmm, frankly not sure I did that :-)	19:14
samueldmq	notmorgan: single paste entry for v2 and v3 ?	19:14
*** diegows has quit IRC		19:15
lbragstad	notmorgan question for you on default domain behavior with fernet when you have a minute	19:17
*** aginwala has quit IRC		19:17
notmorgan	stevemar: commented on dolph's comment	19:18
notmorgan	stevemar: the removed tests are not valid when we revert this change	19:18
notmorgan	samueldmq: routers for v3 into an entry in the paste pipeline	19:19
notmorgan	samueldmq: was the "make extensions default" stuff i think	19:19
notmorgan	lbragstad: ask away	19:19
samueldmq	notmorgan: sorry I didn't do that, I think stevemar did	19:20
notmorgan	stevemar: the tests explicitly test that intermix doesn't work outside default domain. you can't revert the change and keep the tests.	19:20
samueldmq	notmorgan: but I am able to help if there is something else to be done	19:20
notmorgan	samueldmq: ah your name was on the commit that made the change.	19:20
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: create release notes for ksm 4.1.0 https://review.openstack.org/266474	19:20
notmorgan	samueldmq: but sure.	19:20
notmorgan	stevemar: and it's at least 2 reported deployments now not just one.	19:20
lbragstad	do you remember why we did this - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L375-L382	19:20
notmorgan	lbragstad: ldap	19:21
notmorgan	lbragstad: i think	19:21
lbragstad	notmorgan right	19:21
notmorgan	oh	19:21
notmorgan	oh	19:21
notmorgan	no	19:21
lbragstad	notmorgan but we only do it for the default domain it	19:21
lbragstad	id*	19:21
notmorgan	default domain ID is "default"	19:21
lbragstad	right	19:21
notmorgan	not UUID.hex	19:21
notmorgan	this is converting to uuid.bytes	19:21
notmorgan	if possible	19:21
notmorgan	can't make "default" into uuid.bytes	19:21
lbragstad	yep	19:21
notmorgan	it was to reduce the token size	19:21
*** itlinux has joined #openstack-keystone		19:21
notmorgan	where possible	19:22
*** yarkot has joined #openstack-keystone		19:22
notmorgan	uuid.bytes is 16bytes, uuid.hex is 32	19:22
lbragstad	but if you have another domain that isn't uuid.byte compatible, it will blow up	19:22
notmorgan	you should never have that	19:22
notmorgan	unless you changed the DB directly	19:22
lbragstad	which i think is causing a bunch of the tests to fail in keystone's switch to making fernet the default	19:22
notmorgan	our tests may be wrong.	19:22
notmorgan	i am near certain we assert domain ids should laways be uuid except "default"	19:23
lbragstad	notmorgan - https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_protection.py#L563-L576	19:23
notmorgan	https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L131	19:23
*** aginwala has joined #openstack-keystone		19:23
notmorgan	lbragstad: that looks like incorrect setup something a real deployment couldn't do	19:24
lbragstad	notmorgan https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_protection.py#L608	19:24
notmorgan	yep	19:24
lbragstad	notmorgan ah, it bypasses the controller layer	19:24
notmorgan	yar	19:24
lbragstad	hmmm	19:24
notmorgan	samueldmq: i'll look more into it shortly	19:24
*** yarkot has quit IRC		19:25
samueldmq	notmorgan: what's the change ? maybe I did and just forgot about it :(	19:25
samueldmq	notmorgan: k let me know if you need a hand	19:25
lbragstad	notmorgan so - should we refactor those tests to not be doing that? open a bug I assume?	19:25
notmorgan	lbragstad: yeah.	19:25
notmorgan	lbragstad: we also might want to push the "assign_unique_id" to the manager layer	19:26
lbragstad	notmorgan yeah - that seems like business logic to me	19:26
*** jaosorior has quit IRC		19:31
*** jaosorior has joined #openstack-keystone		19:32
lbragstad	notmorgan https://bugs.launchpad.net/keystone/+bug/1533330	19:32
openstack	Launchpad bug 1533330 in OpenStack Identity (keystone) "Some protection test cases have incorrect domain id setup" [Undecided,New]	19:32
notmorgan	lbragstad: ++	19:34
*** dave-mccowan has joined #openstack-keystone		19:36
*** jbell8 has quit IRC		19:37
sigmavirus24	stevemar: for the oslo.policy CLI, just a blueprint is enough or is a spec needed also?	19:40
*** ayoung has joined #openstack-keystone		19:41
*** ChanServ sets mode: +v ayoung		19:41
notmorgan	sigmavirus24: i don't think a spec is needed for that	19:41
notmorgan	imo	19:41
notmorgan	but defer to sigmavirus24	19:41
notmorgan	serm stevemar	19:41
*** jasonsb has quit IRC		19:42
sigmavirus24	heh	19:42
sigmavirus24	I'm just trying to clear out the oslo.policy queue	19:42
navidp	question about keystoneauth1 and keystoneclient authentication	19:48
*** jasonsb has joined #openstack-keystone		19:49
ayoung	notmorgan, am I correct in understanding that your concern about the endpoint-binding aspect of the token is that it will change the service catalog, which will then mess up caching?	19:51
*** Karthik__ has joined #openstack-keystone		19:53
ayoung	notmorgan, if that is the case...I think we can work with that.	19:53
*** rderose has joined #openstack-keystone		19:54
*** ankita_wagh has quit IRC		19:55
navidp	keystoneauth https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/token_endpoint.py	19:55
navidp	get_options method how to get that	19:56
*** aginwala has quit IRC		19:57
*** pai15 has joined #openstack-keystone		19:58
*** rderose has quit IRC		19:58
notmorgan	ayoung: not just caching but also means that you [end user] gets differet views into the deployment for discoverability depending on internal things	19:59
ayoung	notmorgan, Right. I see what you are getting at.	20:00
notmorgan	ayoung: i think we should add an enforcement or binding section/re-use	20:00
ayoung	notmorgan, So, for this to work right, it should really be a separate field, and an endpoint_id only	20:00
notmorgan	and we can do all this in a way that also doesn't lock us into the way catalog works today	20:00
notmorgan	cause we're in the middle of re-thinking that as is	20:00
ayoung	notmorgan, so, with the "request a role" I was planning on saying that a user can only request a single role. That increases the size of the token (thinking fernet and signing) by a single field. We would want the samething here.	20:01
ayoung	It would be wonderful if we had a shorthand way of treating an endpoint as a role....	20:01
ayoung	and of being able to compose those shorthand IDs on the fly	20:02
*** aginwala has joined #openstack-keystone		20:02
notmorgan	ayoung: sure.	20:02
ayoung	notmorgan I really need to walk through a whole use case, from start to finish, and diagram it out, to show what should happen where. It would start with a user getting a scoped token today, but really, we should split the "give me catalog for my projects" reuqest that an end user needs to know form "let me call this remote service"	20:03
ayoung	mainly because I don;t want tokens being used in more than one hop	20:04
ayoung	so a token should never be usable for more than one endpoint	20:04
ayoung	having catalog in the token is actually making it easier to do bad things	20:04
notmorgan	ayoung: well i want to make it so you auth an action at the edge and never need to revisit - aka boot an instance	20:05
notmorgan	you're allowed to do that	20:05
ayoung	Exactly!	20:05
notmorgan	doesn't matter the subsequent service requests	20:05
notmorgan	talk to glance, swift, etc.	20:05
notmorgan	that is a lot of what i'm working on in my POC	20:05
ayoung	are you doing "nova can always talk to glance to download an image ,does not need a token" in that POC?	20:05
notmorgan	that is the long term plan	20:06
notmorgan	it's the next step. i need to pull apart KSM to make that more possible	20:06
*** aginwala has quit IRC		20:12
navidp	anybody can help me with keystoneauth1???	20:13
navidp	in keystoneclient https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/token_endpoint.py#L43-L54 you can get list of options, do you have similar thing in keystoneauth https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/token_endpoint.py	20:14
*** aginwala has joined #openstack-keystone		20:15
openstackgerrit	henry-nash proposed openstack/keystone: Fix incorrect signature in federation legacy V8 wrapper https://review.openstack.org/266559	20:20
*** dslev has joined #openstack-keystone		20:22
*** dslev has quit IRC		20:25
*** aginwala has quit IRC		20:26
*** aginwala has joined #openstack-keystone		20:26
*** Karthik__ has quit IRC		20:27
*** KarthikB_ has joined #openstack-keystone		20:27
*** jsavak has quit IRC		20:28
*** tonytan4ever has quit IRC		20:28
*** KarthikB_ has quit IRC		20:28
*** KarthikB_ has joined #openstack-keystone		20:28
notmorgan	navidp: there is a way to get the options for the plugins, sec. let me find that for you	20:29
*** jsavak has joined #openstack-keystone		20:29
navidp	notmorgan, thank you sir	20:30
notmorgan	navidp: i think it's part of keystoneauth1.loading	20:31
notmorgan	the token_endpoint one is... a bit weird	20:31
notmorgan	token_endpoint i think is not really used int he same way	20:32
notmorgan	navidp: sorry trying to switch contexts back to keystoneauth	20:32
navidp	notmorgan, no i think it is due to loading change from keystoneclient to keystoneauth	20:32
*** topolznc has joined #openstack-keystone		20:33
topolznc	topol: test	20:33
notmorgan	navidp: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/_plugins/admin_token.py that is the one you're looking for	20:33
notmorgan	topolznc: oh hi	20:33
topolznc	topol: just working out some tweaks, no thanks to that jerk stevemar	20:33
notmorgan	navidp: or the normal token endpoing if you want to auth with a normal token mechanism	20:34
navidp	notmorgan, isnt that admin_token	20:34
notmorgan	navidp: s/endpoing/plugin	20:34
notmorgan	navidp: token_endpoint is not a super useful thing and isn't exposed as a plugin via setup.cfg	20:34
notmorgan	so it's not really a plugin in keystoneauth	20:34
notmorgan	admin_token replicates the functionality	20:35
navidp	notmorgan, thanks i try it, see if it works, thanks again	20:35
* notmorgan nods		20:35
ayoung	dstanek, which of these is preferred:	20:38
ayoung	role_dics = dict((role_ref['id'], role_ref) for role_ref in self.role_api.list_roles())	20:38
ayoung	role_dics = {role_ref['id']: role_ref for role_ref in self.role_api.list_roles()}	20:38
dstanek	ayoung: the second	20:38
ayoung	dstanek, I guessed that, but...why?	20:38
*** tonytan4ever has joined #openstack-keystone		20:39
dstanek	ayoung: i think it's mainly because the literal syntax is cleaner than using the dict constructor. someone once said it was also faster, but i never bothered to verify	20:39
notmorgan	ayoung: dict() constructor is expensive	20:39
notmorgan	and literal syntax [except sets] is easier to read	20:40
notmorgan	don't ever literal constructor sets though... cause it's the same as a dict just w/o the keys: value	20:40
lbragstad	is anyone else getting this issue on master with nosetests? http://cdn.pasteraw.com/ej2dnmpohzcmiqjmh8bcbpc2bow4w3g	20:40
ayoung	dstanek, I'm about to post an updated patch that uses it. When I have it, I would appreciate you looking. I'll ping you	20:40
dstanek	ayoung: sure	20:40
notmorgan	lbragstad: new venv?	20:40
dstanek	lbragstad: no, i'm not getting that	20:41
lbragstad	notmorgan no	20:41
dstanek	lbragstad: is that master with no changes?	20:41
notmorgan	lbragstad: might have stale dep.	20:41
*** aginwala has quit IRC		20:41
lbragstad	dstanek this is the only thing i changed - http://cdn.pasteraw.com/e5udadv4wu5jv7x3zmvkecf2v9vyzyh	20:41
lbragstad	which should be unrelated	20:41
lbragstad	it doesn't fail with tox - so maybe it's a venv issue?	20:42
notmorgan	or just inadvertant ick	20:42
dstanek	lbragstad: oh actually your using nose with 2.7. i never do that	20:42
lbragstad	dstanek ah - i just wanted to use a break point in those tests so I could figure out what was going on	20:43
lbragstad	dstanek i typically do that with nose and ipdb	20:43
lbragstad	dstanek which i tried doing here but it broke - resulting in the above paste	20:43
lbragstad	just curious if anyone else had issues with that	20:44
*** jaosorior has quit IRC		20:44
dstanek	lbragstad: odd	20:46
lbragstad	dstanek what - how i debug tests? :)	20:47
dstanek	no, the error	20:47
*** cburgess_ has quit IRC		20:48
*** cburgess has joined #openstack-keystone		20:48
*** topol has quit IRC		20:48
dstanek	lbragstad: it's an order of operations thing. that code really need to import it like 'from keystone.tests.unit import utils'	20:49
lbragstad	dstanek let me try that quick	20:50
lbragstad	dstanek doing it in a python shell with that environment active works with the way you just described	20:50
dstanek	when running through tox it's automatically added to sys.modules by test_utils.py	20:50
dstanek	i think the import should be added and the 'unit.' should be removed from the decorator call	20:51
lbragstad	dstanek weird	20:51
stevemar	topolznc: ping	20:51
topolznc	stevemar Hi	20:51
lbragstad	so that worked	20:52
*** topolznc is now known as topol		20:52
*** topol is now known as Guest45335		20:52
*** daemontool has quit IRC		20:52
openstackgerrit	Lance Bragstad proposed openstack/keystone: Fix import order in test_v3_protection.py https://review.openstack.org/266570	20:54
openstackgerrit	Lance Bragstad proposed openstack/keystone: Fix admin domain in test_v3_protection.py https://review.openstack.org/266571	20:54
lbragstad	dstanek ^ the first patch fixes the issue - the second patch is still wip for fixing bug 1533330 (which needs to get fixed before ayoung's fernet default switch patch will pass all the tests..	20:55
openstack	bug 1533330 in OpenStack Identity (keystone) "Some protection test cases have incorrect domain id setup" [Undecided,In progress] https://launchpad.net/bugs/1533330 - Assigned to Lance Bragstad (lbragstad)	20:55
*** mhickey has joined #openstack-keystone		20:56
*** raildo is now known as raildo-afk		20:57
*** Guest45335 is now known as topol_		20:57
*** topol_ is now known as Guest12581		20:58
*** Guest12581 is now known as topol2		20:58
dstanek	lbragstad: reviewed :-)	20:59
dstanek	lbragstad: i suggested a more detailed commit message	20:59
stevemar	topol2: poke	20:59
*** jsavak has quit IRC		20:59
topol2	stevemar hi	20:59
dstanek	topol2: irc is hard	20:59
notmorgan	topol2: shady topol2 huh?	21:00
notmorgan	i mean.. WHOARE YOU?!	21:00
ayoung	lbragstad, +2A on the first one. Feel free to consider that sticky	21:00
notmorgan	:P	21:00
ayoung	the second one makes sense in breaking the tests	21:00
lbragstad	dstanek ++ thanks!	21:00
*** jsavak has joined #openstack-keystone		21:00
stevemar	topol2: this should appear in your buffer	21:00
ayoung	topol2, lookup the ghost command for IRC	21:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Fix import order in test_v3_protection.py https://review.openstack.org/266570	21:03
lbragstad	dstanek ayoung attempted to commit message better ^	21:04
openstackgerrit	henry-nash proposed openstack/keystone: Fix incorrect signature in federation legacy V8 wrapper https://review.openstack.org/266559	21:04
*** pauloewerton has quit IRC		21:05
*** topol2 is now known as topol_		21:06
*** dave-mccowan has quit IRC		21:06
openstackgerrit	ayoung proposed openstack/keystone: Implied Roles API https://review.openstack.org/242614	21:07
*** ChanServ sets mode: +v topol_		21:07
*** dave-mccowan has joined #openstack-keystone		21:07
ayoung	dstanek, on ^^ there are two things I'd like your eyes on	21:07
*** topol_ is now known as topol		21:07
ayoung	https://review.openstack.org/#/c/242614/43/keystone/tests/unit/test_v3_assignment.py lines 2243 and 2244 I create arrays to do an "in" check right below it	21:08
ayoung	is there a better way? Some way to avoid the interim collection	21:08
ayoung	dstanek, the other place is	21:08
ayoung	https://review.openstack.org/#/c/242614/43/keystone/assignment/controllers.py line 374 where I create the dict to lookup the role by id later in the function	21:09
ayoung	just comment on the reviews either pro or con on the whether these are pythonic...	21:09
ayoung	and with that, I have to run again	21:09
*** jsavak has quit IRC		21:10
*** jsavak has joined #openstack-keystone		21:10
*** tsymanczyk has quit IRC		21:11
*** sigmavirus24 is now known as sigmavirus24_awa		21:12
*** jsavak has quit IRC		21:12
*** sigmavirus24_awa is now known as sigmavirus24		21:13
openstackgerrit	henry-nash proposed openstack/keystone: Correct docstrings for federation driver interface https://review.openstack.org/264068	21:14
*** ayoung has quit IRC		21:14
*** spandhe has joined #openstack-keystone		21:16
topol	notmorgan dstanek I am happy to inform you that you may send me irc messages 7 days a week and 24 hours a day and I will now receive them.	21:20
*** jsavak has joined #openstack-keystone		21:20
notmorgan	topol: oh good :)	21:20
dstanek	topol: did IBM give you an assistant?	21:21
topol	dstanek feel free to tell me sunday at 3am how great the browns are. notmorgan feel free to tell me how you burned that chicken dish at 2am Monday	21:21
notmorgan	topol: maybe	21:21
topol	stevebot did me a huge solid getting me a bounce castle for my birthday	21:21
topol	^stevemar	21:21
dstanek	topol: i'm sorry to tell you that the browns are currently under construction. estimated completion is around 2035.	21:22
stevemar	dstanek: assistants that setup ZNC? that's a good assistant	21:22
topol	dstanek, notmorgan so I may not respond right away but please know your messages will be responded to in the order they are received	21:23
*** timcline has quit IRC		21:23
notmorgan	topol: i expect a FILO queue not FIFO	21:23
stevemar	dstanek: notmorgan release notes please :) https://review.openstack.org/#/c/266466/ https://review.openstack.org/#/c/266456/ and https://review.openstack.org/#/c/266474/ so i can propose new libs :)	21:23
stevemar	or i may just drop the PTL hammer and push them through	21:24
notmorgan	stevemar: you should	21:24
stevemar	notmorgan: i was thinking i should...	21:24
notmorgan	i mean. i'm looking at them, but this is a case that even as a non-ptl i'd just push them if they look good	21:24
stevemar	non-critical and doc related	21:24
stevemar	i don't want folks to think i don't play by the rules :O	21:24
notmorgan	and blocking release	21:25
notmorgan	stevemar: there.	21:26
stevemar	notmorgan: <3	21:26
notmorgan	stevemar: you're playing by the rules. i may not be :P	21:26
notmorgan	but there ya go	21:26
*** tsymanczyk has joined #openstack-keystone		21:26
notmorgan	we should really look into possibly making RENO changes not run the full battery of gate jobs if we can	21:26
*** tsymanczyk is now known as Guest30716		21:26
stevemar	notmorgan: its not so bad with libs, they gate quickly because they are not part of integrated queue	21:27
notmorgan	stevemar: aye	21:27
*** Guest30716 has quit IRC		21:30
*** aginwala has joined #openstack-keystone		21:31
henrynash	stevemar: on release notes, I’m never clear whether you should put anything in the first section..I kind of did in the first few ones…but not sure how well they read when they are combined together…..	21:33
stevemar	henrynash: they read horribly when combined together	21:34
stevemar	henrynash: i avoid the prelude section	21:34
notmorgan	same	21:34
henrynash	stevemar: agreed…that’s what I’m doing now	21:34
henrynash	stevemar: feel free to pull out the two V9 driver lines I added	21:35
*** jsavak has quit IRC		21:35
stevemar	henrynash: before mitaka ends i'll clean it all up	21:35
henrynash	...if you are doing a generl update….	21:35
henrynash	or I’ll put up a ptch to strip them out	21:35
stevemar	you can do so, i'll punt it through	21:35
henrynash	ok	21:36
henrynash	stevemar: oh, seprate subject, just notcied we never put through this minor update to the spec on url safe names….https://review.openstack.org/#/c/253104/	21:36
openstackgerrit	Ian Cordasco proposed openstack/oslo.policy: Add oslopolicy-checker command-line tool https://review.openstack.org/170978	21:36
henrynash	stevemar: we’ve implemented it as this additonal patch specifies, so should probably merge that spec change	21:37
*** jbell8 has joined #openstack-keystone		21:37
openstackgerrit	Steve Martinelli proposed openstack/keystone: Adds an explicit utils import in test_v3_protection.py https://review.openstack.org/266570	21:38
*** avarner has joined #openstack-keystone		21:38
stevemar	lbragstad: noooo i updated the patch too	21:38
avarner	Hello	21:38
*** timcline has joined #openstack-keystone		21:38
stevemar	henrynash: !!	21:38
avarner	Does anyone know how to set a project's parent_id from the command line?	21:38
stevemar	henrynash: done	21:38
henrynash	steevmar: thx	21:38
stevemar	bknudson_: if you are around for stable patches: https://review.openstack.org/#/c/266045/ and https://review.openstack.org/#/c/266022/	21:40
lbragstad	stevemar works for me	21:40
lbragstad	:)	21:40
bknudson_	stevemar: not sure I can +2 patches that I authored.	21:41
stevemar	lbragstad: i don't work for you :O	21:41
stevemar	bknudson_: give them a +1?	21:41
lbragstad	stevemar troll	21:41
stevemar	lbragstad: buahaha	21:41
openstackgerrit	henry-nash proposed openstack/keystone: Tidy up release notes for V9 drivers https://review.openstack.org/266581	21:41
lbragstad	dstanek there must be some more weird test magic in https://review.openstack.org/#/c/266571/1	21:42
*** pai15 has quit IRC		21:43
stevemar	henrynash: are you happy with the status of the legacy tests job?	21:43
lbragstad	technically, it was creating an 'admin_domain' and all the tests in test_v3_protection.py passed. As soon as you update it to use a normal domain - tests fail with 403s	21:43
*** pai15 has joined #openstack-keystone		21:43
lbragstad	this makes me feel like that is some hardcoded wonkiness going on somewhere...	21:43
lbragstad	but I can't find it	21:43
stevemar	henrynash: can we make it voting? i think it's catching real errors and succeeded when it should	21:43
henrynash	stevemar: i.e. should we make them gating?	21:43
stevemar	henrynash: yes	21:44
openstackgerrit	Merged openstack/keystone-specs: Redefine url-safe requirements for names to tolerate unicode https://review.openstack.org/253104	21:44
openstackgerrit	Ian Cordasco proposed openstack/oslo.policy: Add oslopolicy-checker command-line tool https://review.openstack.org/170978	21:44
*** gyee has joined #openstack-keystone		21:44
*** ChanServ sets mode: +v gyee		21:44
sigmavirus24	stevemar: ^ Added a blueprint	21:44
henrynash	stevemar: yes, we should - I saw them catch two errors in different patches already…and no false errors	21:44
stevemar	henrynash: wonderbar!	21:44
henrynash	stevemar: in fact, I have been adding to them: see: https://review.openstack.org/#/c/266559/	21:46
*** tsymanczyk has joined #openstack-keystone		21:46
*** tsymanczyk is now known as Guest97710		21:47
stevemar	henrynash: nice	21:47
*** petertr7 is now known as petertr7_away		21:47
stevemar	henrynash: if you want to vote: https://review.openstack.org/#/c/266582/	21:47
*** pai15 has quit IRC		21:47
henrynash	stevemar: done	21:47
stevemar	yay	21:48
stevemar	sigmavirus24: thank yee	21:48
sigmavirus24	stevemar: always happy to help	21:48
stevemar	sigmavirus24: wanna help s'more? https://review.openstack.org/#/c/261801/	21:49
lbragstad	notmorgan it looks like we hardcode admin_domain_id in our policy file?	21:49
dstanek	lbragstad: why do you say that?	21:49
notmorgan	lbragstad: probably at the moment:(	21:50
sigmavirus24	stevemar: I promise not to git-blame that code	21:50
lbragstad	dstanek notmorgan - https://github.com/openstack/keystone/blob/ae87c03813fa0a1bfcd9d690817c8d45ee76fcb1/etc/policy.v3cloudsample.json#L3	21:50
stevemar	sigmavirus24: :)	21:50
lbragstad	the very last bit	21:50
henrynash	lbragstad: so it’s a placeholder….a dployment is meant to replaces that with teh ACTUAL domain id of teh domain tehy are belssing as the admin domain	21:50
dstanek	lbragstad: is the test really doing anything as admin? it looks more like it's creating a domain that just happens to have admin in the name	21:50
stevemar	sigmavirus24: there was a weird effort to make all the exceptions common and in oslo incubator	21:50
lbragstad	dstanek it's creating a domain with 'admin_domain_id' as the domain id	21:51
lbragstad	which is hard coded to the policy file	21:51
henrynash	dstanek, lbragstad: so that as users with a domain scoped token to that domain has cloud admin status	21:51
lbragstad	henrynash so, that's what determines if someone is a "cloud admin"	21:51
dstanek	lbragstad: does it do anything that would trigger that rule?	21:51
lbragstad	dstanek the v3 protection tests have assertions to check that the cloud admin can in fact do whatever	21:52
henrynash	lbragstad: if they have a domain scoped token to the domain_id that matches the rule in the policy file	21:52
henrynash	lbragstad: which in a real deployment, the policy file would have been modifed to patch in the REAL domain id of whatever domain the deployer had chosen	21:53
lbragstad	henrynash dstanek what is happening now, which my patch, is that i'm not using 'admin_domain_id' as the domain id (https://review.openstack.org/#/c/266571/1/keystone/tests/unit/test_v3_protection.py)	21:53
*** spzala has quit IRC		21:53
stevemar	sigmavirus24: thanks for all the iterations	21:53
lbragstad	and because I changed that, the tests fail because the policy file still considers the admin_domain_id to be the right one.	21:54
*** spzala has joined #openstack-keystone		21:54
henrynash	lbragstad, dstanek: now this pre-dates the new “admin-project/admin-domain” stuff that ayong has added….and we should switch these tests over to use that	21:54
*** pai15 has joined #openstack-keystone		21:55
lbragstad	henrynash is there a way to override the config in the tests?	21:55
henrynash	lbragstad, dstanek: I think he has only done the admin-project part (it’s part of that same rule in the policy file now)	21:55
lbragstad	so the I can set "admin_domain_id" to be self.admin_domain['id']	21:55
lbragstad	s/the/that/	21:55
henrynash	lbragstad: you’d need to overide the policy file, which is the thing this test is testing!	21:56
*** belmoreira has joined #openstack-keystone		21:56
dstanek	lbragstad: when i make your change i get a bunch of 403 errors	21:56
henrynash	lbragstad: but the new adminproject/admindomain stuff is the way to go - and is designed to get away from having to have the domain_id patched in the polciy file	21:56
lbragstad	dstanek ++ yep, that'	21:56
lbragstad	what i get	21:56
lbragstad	henrynash gotcha	21:56
dstanek	that's what you would expect right?	21:57
*** pai15 has quit IRC		21:57
*** petertr7_away is now known as petertr7		21:57
*** pai15 has joined #openstack-keystone		21:57
lbragstad	dstanek I'm not sure; part of me thinks it would be the intended behavior but the other part of me thinks we're testing things we keep making changes to	21:58
lbragstad	i'm not sure which one is right	21:58
*** spzala has quit IRC		21:58
dstanek	both?	21:58
henrynash	lbragstad: do you need to fix this test now? I need to check if admain added the admindomain part of his spec (not sure he did)…it may be waiting for teh projects acting as a domain….	21:59
lbragstad	henrynash the only reason i started digging into this was because 'admin_domain_id' was getting into the fernet provider and failing here - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L375-L382	22:00
lbragstad	henrynash because 'admin_domain_id' isn't 'default'	22:00
lbragstad	which is why the exception is raised again	22:00
*** jsavak has joined #openstack-keystone		22:00
*** pai15 has quit IRC		22:00
*** ayoung has joined #openstack-keystone		22:00
*** ChanServ sets mode: +v ayoung		22:00
henrynash	lbragstad: ah	22:00
lbragstad	so, I thought it was just a matter or replacing 'admin_domain_id' with uuid.uuid4().hex	22:00
* lbragstad was wrong		22:00
*** pai15 has joined #openstack-keystone		22:00
henrynash	lbragstad: :-)	22:00
*** pai15 has quit IRC		22:00
lbragstad	henrynash suggestions? (you seem to be much more familiar with this than i am)	22:01
henrynash	lbragstad: I’ll try and dig in later today to find out how far we are away from switching to the new admindmain stuff	22:01
lbragstad	henrynash i did open this - https://bugs.launchpad.net/keystone/+bug/1533330	22:01
openstack	Launchpad bug 1533330 in OpenStack Identity (keystone) "Some protection test cases have incorrect domain id setup" [Undecided,In progress] - Assigned to Lance Bragstad (lbragstad)	22:01
*** spzala has joined #openstack-keystone		22:01
lbragstad	henrynash which might not be relevant given this discussion?	22:02
henrynash	lbragstad: yep, saw that…I think I commented on it	22:02
lbragstad	or maybe it is relevant but it just needs to be closed with a different blueprint (or something)	22:02
henrynash	lbragstad: so we could re-write the test now, so that cloud admin is a project scoped token to the (already supported) admin project….I haven’t looked at that…I’d be happy to do that later today	22:02
openstackgerrit	Ian Cordasco proposed openstack/oslo.policy: Run docs testenv by default with tox https://review.openstack.org/266591	22:03
lbragstad	henrynash let me double check that we don't have something similar to this in the project part of the token provider	22:03
henrynash	ok	22:03
lbragstad	henrynash i don't think we do - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L424	22:03
lbragstad	henrynash so that might be possibility	22:04
lbragstad	henrynash i could also try adding 'admin_domain_id ' to be a special case in the Domain scoped token class	22:04
*** mhickey has quit IRC		22:05
*** aginwala has quit IRC		22:06
henrynash	lbragstad: pretty yuk, that…	22:06
henrynash	lbragstad: let me fix the test for you….can’t do it till late today…	22:07
henrynash	lbragstad: I think I know how (and if not, then we have implemented admin project wrong)	22:08
lbragstad	henrynash sweet! I like that better	22:09
avarner	Are hierarchical projects broken?	22:09
*** jasonsb has quit IRC		22:10
avarner	Keystone seems to have no way to set or query a project's parent_id	22:10
jorge_munoz	ayoung: Hi, I have been trying to refactor some of the trust test cases on patch https://review.openstack.org/#/c/266052 and on the setuo for Trust	22:10
ayoung	jorge_munoz, you are not the only one	22:10
ayoung	jorge_munoz, someone else just posted a refactroing of the trust cases. look in gerrit	22:11
lhcheng	avarner: moving project to another parent project is not supported.	22:11
avarner	Can I create a project under a parent?	22:11
lhcheng	avarner: yes, it should work. you need keystone v3.	22:11
*** petertr7 is now known as petertr7_away		22:11
*** vgridnev has quit IRC		22:12
*** chris_19 has joined #openstack-keystone		22:12
*** jbell8 has quit IRC		22:12
avarner	lhcheng, do you know the command line syntax?	22:12
avarner	I'm trying: keystone --os-identity-api-version 3.6 tenant-create --name my_tenant_1 --description 'aaaa' --parent-id 1234	22:13
lhcheng	avarner: you need to use openstackclient	22:13
lbragstad	ayoung yeah, that was my patch - jorge_munoz is working on one of the dependency ones of the one that merged this morning	22:13
jorge_munoz	In the setup for TrustAPIBehavior, a trust is create with allow_redelegation=True but has a comment above states that no redelegation should be allowed. I just want to make sure that I’m not missing something.	22:13
ayoung	jorge_munoz, git blame those, to make sure they came on the same commit, and look at the reviews	22:14
*** dims has quit IRC		22:15
lhcheng	avarner: 'openstack project create --parent <parent> <project_name>'	22:16
*** jamielennox\|away is now known as jamielennox		22:17
avarner	lhcheng, thanks, I must have an old version	22:19
jorge_munoz	ayoung: So this was written by Alexander Makarov and tested as doing chain redelegations. The comment might just be incorrect. Just to be sure setting redelefation to False will not allow a user to create a new trust with a trusted token, right?	22:20
lbragstad	ayoung jorge_munoz looks like it was all in the same commit - https://github.com/openstack/keystone/commit/0b89e8b2a414ac1c5b0c32974fbf741bd775c1c0	22:20
chris_19	question about identity endpoints in the service catalog, running Liberty: does it matter if they end in :5000, :5000/v2.0, or :5000/v3? Is there a best practice?	22:21
lbragstad	ayoung jorge_munoz here is the original commit - https://review.openstack.org/#/c/126897/	22:21
*** ayoung has quit IRC		22:23
chris_19	Changing them definitely affects the way the clients and libraries work.	22:25
*** peter-hamilton has quit IRC		22:25
*** aginwala has joined #openstack-keystone		22:28
*** ankita_wagh has joined #openstack-keystone		22:29
tjcocozz	pint stevemar	22:30
tjcocozz	ping ^^	22:30
*** gordc has quit IRC		22:32
avarner	How can I determine what version of keystone is installed?	22:32
chris_19	Look at the folder installed in site-packages	22:33
lbragstad	dstanek did you mean 'assignment' here instead of 'notifications'? https://review.openstack.org/#/c/215715/16/keystone/identity/core.py	22:34
tjcocozz	avarner, for me it shows up in 'pip list'	22:36
dstanek	no, i think we can get rid of some of the x-subsystem stuff using notifications	22:36
*** belmoreira has quit IRC		22:36
dstanek	lbragstad: a better example is https://review.openstack.org/#/c/215715/16/keystone/resource/core.py	22:36
chris_19	you could also try:	22:37
chris_19	>>> import pbr.version	22:37
chris_19	>>> print pbr.version.VersionInfo('keystone').version_string()	22:37
dstanek	lbragstad: so the resource subsystem has to know when the assignment subsystem thinks something is invalid	22:37
lbragstad	dstanek oh - nevermind... i mis-read your comment	22:37
dstanek	lbragstad: if would be nice to have all of the assignment related to together	22:37
dstanek	lbragstad: food for thought	22:38
* dstanek is going to grab some dinner		22:38
avarner	tjcocozz, looks like I have 9.0.0.dev304 - can I tell which version of the API that corresponds to?	22:38
lbragstad	dstanek so the assignment/core.py module could contain all the cache specific stuff and then a call back can be added to resource/core.py	22:38
stevemar	tjcocozz: whaddup	22:38
tjcocozz	stevemar, just 1 sec	22:38
stevemar	tjcocozz: of course tommy j	22:39
avarner	I need API version 3.4 or later	22:39
avarner	Unfortunately, keystone API documentation has no dates in it	22:39
tjcocozz	avarner, should it be in the tox.ini for what version of the client is needed	22:39
dstanek	lbragstad: resource wouldn't have any callback. it would just send a notification that something happened and assignment would listen for it	22:39
avarner	tjcocozz, not client version, API version	22:39
dstanek	lbragstad: i can come up with an example a little later tonight	22:39
avarner	I need API 3.4 support in the keystone service	22:40
tjcocozz	stevemar, i am trying to backport https://review.openstack.org/#/c/258143/ for some reason the file auth_token/__init__.py has been changed so much i don't think it is possible	22:40
stevemar	tjcocozz: ouch	22:41
*** timcline has quit IRC		22:41
stevemar	bknudson_: should we still backport the server fixes if we can't backport the middleware ones?	22:41
tjcocozz	stevemar, what do you recommend??	22:41
bknudson_	stevemar: well, the bug isn't fixed if we don't backport both	22:41
tjcocozz	this is for kilo btw ^^	22:42
stevemar	bknudson_: yep, that's what i figured	22:42
stevemar	bknudson_: tjcocozz okay let's see why we can't backport the fix	22:42
stevemar	its these here: https://review.openstack.org/#/q/I483bc57bd38eb81a0905bcaf94e4ea82604919d6,n,z	22:43
navidp	jamielennox, keystone auth question	22:43
jamielennox	navidp: yep	22:43
stevemar	tjcocozz: you having trouble with kilo or liberty?	22:43
tjcocozz	stevemar, kilo.... the liberty patch is gold :-)	22:43
navidp	jamielennox, ok i will look to make sure he is not working on it	22:44
navidp	jamielennox, do you know get_options method in https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v2.py#L40-L49	22:44
jamielennox	navidp:	22:44
jamielennox	yep	22:44
stevemar	tjcocozz: oh okay	22:44
navidp	jamielennox, how can you get options for keystoneauth ??	22:45
jamielennox	so that part has moved over to loading	22:45
tjcocozz	stevemar, i am going to leave the office. Good luck!	22:45
jamielennox	navidp: there's some details here; https://github.com/openstack/keystoneauth/blob/master/doc/source/migrating.rst	22:46
lbragstad	dstanek sounds good! thanks	22:46
stevemar	tjcocozz: see ya	22:46
stevemar	bknudson_: does it make a difference if i cherry pick from master as opposed to liberty?	22:46
navidp	jamielennox, how the plugins are loading versus ksc?	22:46
navidp	jamielennox, in keystoneauth	22:47
bknudson_	stevemar: if you had to make changes to resolve conflicts during the backport then you'll want to pick from L since then there should be fewer or no conflicts	22:47
*** chris_19 has left #openstack-keystone		22:48
avarner	When was identity API version 3.4 support released?	22:48
avarner	This should be a really easy, obvious questions	22:48
avarner	But openstack's documentation says nothing about it	22:48
*** chris_19 has joined #openstack-keystone		22:49
navidp	jamielennox, i looked into this document, what i am trying to fiugre out is how authentication is different in keystoneauth vs keystoneclient	22:49
jamielennox	navidp: the auth part is no different, it's the process of loading the plugins that has changed	22:51
*** chris_19 has quit IRC		22:51
jamielennox	navidp: previously there was a get_options classmethod on the plugin itself. this lets there be only one way to load the actual plugin	22:51
navidp	jamielennox, is there any documents explaing that or any cliffhangers you can direct me to ??	22:51
jamielennox	instead now we have a loading object that refers to a plugin so you could have many loaders per plugin	22:52
*** chris_19 has joined #openstack-keystone		22:52
navidp	jamielennox, I see that most of places get_options are gone.	22:52
*** chris_19 has left #openstack-keystone		22:52
jamielennox	navidp: yes, they've moved onto the loaders eg	22:53
jamielennox	https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/_plugins/identity/v3.py#L18	22:53
*** chris_19 has joined #openstack-keystone		22:54
*** avarner has left #openstack-keystone		22:55
*** KarthikB_ has quit IRC		22:55
navidp	so i ahould use loader to load and leave get_options out of it, now get_options has some other functionality, right	22:55
*** KarthikB_ has joined #openstack-keystone		22:56
navidp	for example how can i get_options_list like in ksc ??	22:56
navidp	jamielennox, for example how can i get_options_list like in ksc ??	22:56
*** chris_19 has left #openstack-keystone		22:58
stevemar	bknudson_: gonna ask you for a set of eyes in a few minutes	22:59
stevemar	i think i managed to backport the patch...	22:59
*** aginwala has quit IRC		23:00
*** KarthikB_ has quit IRC		23:00
*** sigmavirus24 is now known as sigmavirus24_awa		23:01
*** KarthikB_ has joined #openstack-keystone		23:02
*** tonytan4ever has quit IRC		23:04
*** aginwala has joined #openstack-keystone		23:05
jamielennox	navidp: http://docs.openstack.org/developer/keystoneauth/api/keystoneauth1.loading.html#keystoneauth1.loading.base.get_plugin_options	23:06
jamielennox	would give you the ksa.loading.Opts	23:06
jamielennox	http://docs.openstack.org/developer/keystoneauth/api/keystoneauth1.loading.html#keystoneauth1.loading.conf.get_plugin_conf_options is the oslo.config opts	23:07
jamielennox	but they are both in loading/__init__ with a better name	23:07
*** KarthikB_ has quit IRC		23:07
navidp	jamielennox, thanks	23:10
openstackgerrit	Merged openstack/python-keystoneclient: add release notes for ksc 2.1.0 https://review.openstack.org/266466	23:12
openstackgerrit	Merged openstack/keystoneauth: add release notes for ksa 2.2.0 https://review.openstack.org/266456	23:12
*** dave-mccowan has quit IRC		23:15
stevemar	tjcocozz: bknudson_ https://review.openstack.org/#/c/266607/	23:16
stevemar	had to modify the test just a tad, diff PS1 and PS2 to see what i did	23:16
bknudson_	this must be where we switched the tests to use webtest.	23:18
*** aginwala has quit IRC		23:20
*** e0ne has quit IRC		23:26
*** browne has quit IRC		23:29
*** aginwala has joined #openstack-keystone		23:32
*** spzala has quit IRC		23:35
*** spzala has joined #openstack-keystone		23:36
*** KarthikB_ has joined #openstack-keystone		23:36
*** sigmavirus24_awa is now known as sigmavirus24		23:38
*** Karthik__ has joined #openstack-keystone		23:38
*** spzala has quit IRC		23:40
*** KarthikB_ has quit IRC		23:41
*** Karthik__ has quit IRC		23:43
*** spzala has joined #openstack-keystone		23:43
*** spzala has joined #openstack-keystone		23:44
*** sigmavirus24 is now known as sigmavirus24_awa		23:47
*** sigmavirus24_awa is now known as sigmavirus24		23:48
*** spzala has quit IRC		23:48
*** oomichi_away is now known as oomichi		23:49
*** ninag has quit IRC		23:50
*** ninag has joined #openstack-keystone		23:51
*** ninag has quit IRC		23:51
*** phalmos has quit IRC		23:52
*** spzala has joined #openstack-keystone		23:56
*** bjornar1 has quit IRC		23:58
*** shoutm has joined #openstack-keystone		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!