Tuesday, 2016-01-12

*** shoutm has joined #openstack-keystone00:00
*** jasonsb has joined #openstack-keystone00:14
*** aginwala has quit IRC00:18
*** shoutm has quit IRC00:19
*** markvoelker has quit IRC00:20
*** shoutm has joined #openstack-keystone00:21
*** aginwala has joined #openstack-keystone00:23
henrynashhtruta: hi00:26
ayounghenrynash, why are the patches only adding code?  When you make keystone/resource/V8_backends/sql.py (+ 262) shouldn't the same number of Lines of code disappear from elsewhere?00:37
*** ankita_wagh has quit IRC00:38
henrynashayoung: that’s a copy of the river, moved to V8_backends, so we can test the new manager with an old driver….that code is only excuted as part of a test00:38
henrynash(river -> driver)00:38
ayounghenrynash, its a copy, right?00:39
henrynashayoung: yes00:39
*** dims_ has joined #openstack-keystone00:39
ayounghenrynash, shouldn't there be some sort of baseclass then>00:39
henrynashayoung: there is for the signatures in the manager, but not for the code00:39
*** slberger has left #openstack-keystone00:39
*** dims has quit IRC00:40
ayounghenrynash, I'm missing something00:40
henrynashayoung: remember we are not promising to keep the V8 driver code around….we only promise to support the interface00:41
henrynashayoung: we had this long debate in the IRC meeting on this00:41
ayounghenrynash, I know...just trying to restore it from long term memory as I do the review....00:42
henrynashayoung: if it were not for needing to test teh interface, we would delete the V8 driver from the tree00:42
henrynashayoung: the V9Assignment driver was done the same way (that has merged)00:42
ayounghenrynash, the v8 code you added is a copy of the existing unversioned driver, right?00:43
henrynashayoung: correct00:43
henrynashayoung: well, it was already versioned (V8), we just didn’t have any way of updating it!00:43
henrynashayoung: in Liberty, the drivers got versioned as V8, but we didn’t hvae the plan in palce on how, exactly, we  create a V9 and yets support the V8 interface00:44
ayounghenrynash, I'm just trying to figure out why it is necessary to copy instead of baseclass and then update only when we change00:44
henrynashayoung: too complicated, I think00:44
henrynashayoung: ‘cause we really want is an old V8 driver in its entirety00:45
ayounghenrynash, right.  But V9 could subclass V8, no?00:47
ayoungI mean, uin theory00:48
ayoungwe are chosing not to do that to make sure the code doens not vary unintentionally?00:48
henrynashayoung: correct….we wanted just a time-shotted driver testing, and not trying to have code re-use00:48
ayounghenrynash, so we have to issue that any bug fixes in v9 need to be echoed in v8  and vice versa00:49
henrynashayoung: (and yes, in theory we could to that)…although teh V9 driver is meant to subclass the V9 abstract class in teh manager00:49
henrynashayoung: we don’t support the V8 driver in Mitaka00:50
ayounghenrynash, OK...with that in mind, I'll give the two driver reviews a look through00:50
henrynashayoung: and in Liberty, there is no V9, so there’s always only one drievr (per relase) to fix00:50
henrynashayoung: to be exaact, we don’t maintain the V8 driver code in Mitaka, we still support the V8 interface00:51
*** shoutm_ has joined #openstack-keystone00:51
*** shoutm has quit IRC00:54
*** gyee has quit IRC00:55
*** woodster_ has quit IRC00:56
*** shoutm_ has quit IRC00:58
*** shoutm has joined #openstack-keystone01:03
*** oomichi has quit IRC01:04
*** EinstCrazy has joined #openstack-keystone01:05
*** EinstCrazy has quit IRC01:06
*** EinstCrazy has joined #openstack-keystone01:07
htrutahenrynash, hey, I have no idea why, but looks like this code here https://review.openstack.org/#/c/210600/42/keystone/tests/unit/test_backend.py is not passing in the wrapper01:14
*** _cjones_ has quit IRC01:16
henrynashhtruta: hmm, how odd…..sounds like we need a python guru to look at this…01:18
stevemarjamielennox: is this still valid: https://review.openstack.org/#/c/220509/ ?01:19
stevemarany takers for https://review.openstack.org/#/c/205440/16 ? henrynash jamielennox ayoung ?01:20
henrynashstevemar: looking01:20
*** markvoelker has joined #openstack-keystone01:21
jamielennoxstevemar: i guess it's still valid, though i don't know if it improves things much01:21
jamielennoxstevemar: you don't use AuthTokenPlugin directly, it's constructed for you if you don't provide one yourself01:21
*** ankita_wagh has joined #openstack-keystone01:21
jamielennoxstevemar: so telling people that AuthTokenPlugin is deprecated probably isn't going to mean as much to them as the warning that's already there01:22
*** ankita_wagh has quit IRC01:22
jamielennoxmaybe we should use the oslo_log deprecation method instead though01:22
stevemarjamielennox: dammit, wrong link01:22
stevemarjamielennox: i meant this one: https://review.openstack.org/#/c/222042/ sorry01:23
stevemarjust trying to clean up old patches and push through ones that should be included in the next release01:23
jamielennoxstevemar: oh - umm, i think we should merge it but it's an edge case01:23
jamielennoxi was using auth_token directly without having it installed for testing and so the pkg_resources lookup failed01:23
stevemarjamielennox: if you're actively reviewing: https://review.openstack.org/#/c/258932/01:23
*** markvoelker has quit IRC01:25
*** markvoelker has joined #openstack-keystone01:25
stevemarjamielennox: you also have 2 patches that should either be targeted to KSA or may already be in KSA: https://review.openstack.org/#/c/148166/ and https://review.openstack.org/#/c/178024/01:25
ayoungstevemar, ... why would I want to?  What benefit to the world does having that code in Keystone bring?01:27
ayoungjust ... more ec2 stuff. bleh01:28
stevemarayoung: it's ec2 compat, we've done it before, we gotta maintain, it's not glamorous :(01:29
stevemarayoung: good news is that the author uses existing code and sources it, yay01:29
*** aginwala has quit IRC01:30
*** ninag has quit IRC01:30
ayoungstevemar, yeah, yeah01:31
ayounglooks like henrynash got it...01:31
ayoungI'm still putting kids to bed01:32
stevemarayoung: cheer up! you're gonna have bqq soon :)01:32
stevemarayoung: rgr that, let the dad-ops begin01:32
ayoungstevemar, not I.  Gonna be missing this midcycle01:32
stevemarayoung: oh?01:32
stevemarthats 4 cores missing! :O01:32
*** spzala has joined #openstack-keystone01:33
notmorganstevemar: adam, myself, jamielennox and ?01:35
stevemarnotmorgan: marekd01:35
notmorganayoung: sorry for the -1 on the spec, but i think endpoint filtering should die. the sub-set of roles ++01:36
*** spzala has quit IRC01:38
htrutajamielennox, was seeing some v2 removal related, and saw this patch you commented: https://review.openstack.org/#/c/221300/01:42
htrutajamielennox, do you more specifically remember why you had to abandon this patch of yours?01:42
*** aginwala has joined #openstack-keystone01:44
*** dims_ has quit IRC01:48
*** dims has joined #openstack-keystone01:48
jamielennoxhtruta: i don't remember specifically on that one, there were some problems with things like create_userrc and functional testing expecting v2 arguments01:49
jamielennoxhtruta: at the moment though i think almost everything in devstack is v301:49
htrutajamielennox, yes... I saw that the v3 only gate is passing in all the patches I've looked01:50
*** EinstCrazy has quit IRC01:50
*** EinstCrazy has joined #openstack-keystone01:51
htrutajamielennox, I had the impression that tempest really lacks this v3 integration01:51
*** csoukup has joined #openstack-keystone01:52
htrutaI wonder if it would make any difference to test the other services with a token of a project in a domain different than the default01:52
jamielennoxhtruta: no tempest is pretty good at testing this stuff01:52
notmorganhtruta: add things in tempest if needed01:53
notmorganon that front01:53
notmorganjamielennox: ++01:53
jamielennoxit does it all in it's own way though because it wants to test independant of the existing libraries01:53
notmorganand thats fine imo01:54
notmorganesp. for this01:54
htrutajamielennox, notmorgan I see01:54
notmorganalso i don't know why someone would pick the nick "esp" on irc01:54
*** dims has quit IRC01:54
htrutanotmorgan, jamielennox do all of the main services already support keystoneauth and sessions?01:55
htrutalooks like sessions are really the way for easier integrations01:56
notmorganhtruta: neutron does, nova has a patch in flight01:56
notmorganglance ... i think is next01:56
jamielennoxhtruta: server side or client?01:56
jamielennoxall the clients except swift do01:56
*** spandhe has quit IRC01:56
notmorganwell ksc.session01:56
notmorganthere are a lot that are not ksa.session yet01:56
jamielennoxserver side is a bit hit and miss01:56
htrutaclient side, I guess01:57
*** aginwala has quit IRC01:57
*** shoutm has quit IRC01:58
*** csoukup has quit IRC01:58
*** shoutm has joined #openstack-keystone02:00
jamielennoxhtruta: yea, so everything but swift has client support02:00
notmorganoh reminds me i need to hack on swiftclient soon02:00
htrutanotmorgan, jamielennox where do you think we can put some effort still in Mitaka, as the code is only going to be removed from Q?02:00
notmorgani should be able to solve the session issue there pretty easily02:00
jamielennoxnotmorgan: haha - i've approached that like 3 or 4 times02:00
jamielennoxnotmorgan: but i am more of a purist than you i think02:00
notmorganjamielennox: well the swift team is mostly on board02:00
notmorganjamielennox: yeah i am more about "have support" then make it better02:01
notmorganthan "works perfectly"02:01
*** EinstCra_ has joined #openstack-keystone02:03
htrutanotmorgan, jamielennox I'll put a topic in tomorrow's meeting, ok?02:03
ayoungnotmorgan, I was toying with splitting that spec anyway.  Just that the two specs would be fairly similar.  But I'm far more interested in the role portion than the endpoint part02:03
lhcheng_hello, are there known issue with using keystone v3 + ldap assignment in kilo?02:04
notmorganayoung: i'm -2 on the endpoint filtering because i think we should rip it out of keystone02:05
notmorganayoung: but i wont block it, i'll just -1 with the comment that i think it's not worth doing02:05
notmorganayoung: on the split that is02:05
ayoungnotmorgan, why so harsh on the endpoint stuff?02:05
*** dims has joined #openstack-keystone02:06
*** EinstCra_ has quit IRC02:06
*** EinstCrazy has quit IRC02:06
*** davechen has joined #openstack-keystone02:07
ayoungnotmorgan, I was planning on enforcing security via the endpoint;  gyee and I had been working on the endpoint check in middleware02:07
ayoungneeds this to be relevant02:07
notmorganayoung: i think it's not worth trying to wedge security into the catalog02:07
notmorganayoung: use proper roles if we want to enforce security. we have RBAC, the concept of "oh look in the catalog" is flawed02:07
notmorgancosts a lot of CPU and makes the catalogs effectively uncache-able02:08
ayoungnotmorgan, well, tjhe catalog approach closer maps to what people use already with AD/Kerberos02:08
notmorganso, lets use the things that we can enforce on very well :)02:08
*** EinstCrazy has joined #openstack-keystone02:08
notmorgansure. but we're not KRB5 or AD02:08
ayoungWe can do it with roles02:08
ayoungI'll admit that endpoint is pretty course grained02:08
ayoungnotmorgan, I did have something more cacheable proposed at one point:  https://review.openstack.org/#/c/160909/02:09
notmorgani am a big fan of improving enforcement, but not adding alternate methods of enforcement. really be good at enforcement with roles :)02:09
notmorganif that makes sense02:09
ayoungnotmorgan, I'll chew it over.  I can see two sides to that one. But I will split the spec02:10
* notmorgan nods.02:10
notmorganthe subset of roles is absolutely something we should work towards anyway02:10
jamielennoxnotmorgan, ayoung, stevemar: question - what would ideally be in the credentials dict for policy enforcement02:17
jamielennoxas of today i can only think user_id, project_id, roles02:17
jamielennoxobviously service_roles, service_project_id in future02:17
ayoungjamielennox, heh...ideally not user_id02:17
jamielennoxayoung: yea, i can see that02:18
jamielennoxi've put together an oslo.context patch that provides to_policy_dict instead of just to_dict so we remove all the RPC cruft from it02:18
ayoungjamielennox, I want role check in middleware, project check in code...02:18
ayoungjamielennox, sounds good02:19
jamielennoxand i'm struggling to think of why you want anything more than project_id and roles in the ability to enforce02:19
jamielennoxkeystone drops in the entire token02:19
jamielennoxand maybe methods should be in there for 2FA02:19
jamielennoxbut i can't see any reason things like trust id should be in there02:19
jamielennoxlet alone any of the _names02:19
notmorganjamielennox: domain_id.02:23
notmorganotherwise thats covers it02:23
notmorgan2FA yes/no02:23
notmorganif we add 2FA stuff02:23
jamielennoxnotmorgan: domain_id for keystone - i was thinking maybe project_domain_id for others02:24
*** jbell8 has joined #openstack-keystone02:24
jamielennoxi can't see user_domain_id being useful02:24
notmorganjamielennox: project_domain_id and user_domain_id02:24
notmorganuser_domain_id might be useful for "user must be in X domain for admin"02:24
notmorganor l3 CS type stuff02:24
jamielennoxyea, ok02:24
jamielennoxi don't think that information is even in oslo.context yet :( and my last patch caused problems because heats tests are wrong, but it would require backports into heat stable to get passed02:25
notmorgani wouldn't backport anything to stable for this02:26
notmorganonly forward looking02:26
jamielennoxno, my last patch was - "context.user doesn't make sense, let's forward that to context.user_id project_id etc so we can deprecate the old ones"02:26
jamielennoxmost projects do this anyway02:26
notmorganyeah i'd rever tthat then02:27
jamielennoxheat apparently sometimes (at least in tests) uses context.user for name or some other field02:27
notmorgani think context.user is not a terrible thing to hve02:27
jamielennoxright call, annoying02:27
notmorganit encapsulates the user data02:27
notmorganand it's annoying02:27
jamielennoxnotmorgan: in almost all cases it doesn't, it's just hte id02:27
notmorganbut it doesn't hurt us to encapsulate it02:28
notmorgandoes it?02:28
notmorgani mean, i wouldn't put all the user data in there02:28
notmorganbut i would keep the user data in context.user02:28
notmorganvs. context.user_<thing>02:28
notmorgansame for scope long term02:28
jamielennoxnotmorgan: many services dont keep username arround, id is all we care about02:29
*** ninag has joined #openstack-keystone02:31
openstackgerritMerged openstack/python-keystoneclient: Removes MANIFEST.in as it is not needed explicitely by PBR  https://review.openstack.org/25893202:34
*** ninag has quit IRC02:35
*** aginwala has joined #openstack-keystone02:36
*** jbell8 has quit IRC02:38
*** jbell8 has joined #openstack-keystone02:39
openstackgerritayoung proposed openstack/keystone: implied roles driver and manager  https://review.openstack.org/26426002:43
*** fawadkhaliq has joined #openstack-keystone02:44
*** spzala has joined #openstack-keystone02:46
*** spandhe has joined #openstack-keystone02:47
openstackgerritMerged openstack/keystonemiddleware: Adding parse of protocol v4 of AWS auth to ec2_token  https://review.openstack.org/20544002:48
*** roxanagh_ has joined #openstack-keystone02:57
ayoungare the fernet tasks passing Tempest finally?03:02
*** oomichi has joined #openstack-keystone03:03
openstackgerritzhangguoqing proposed openstack/keystoneauth: Replace assertEqual(None, *) with assertIsNone in tests  https://review.openstack.org/26611803:07
*** aginwala has quit IRC03:09
*** aginwala has joined #openstack-keystone03:12
*** aginwala has quit IRC03:16
*** spandhe_ has joined #openstack-keystone03:16
*** spandhe has quit IRC03:18
*** spandhe_ is now known as spandhe03:18
*** spzala has quit IRC03:19
*** spzala has joined #openstack-keystone03:20
*** sigmavirus24_awa is now known as sigmavirus2403:22
*** dims has quit IRC03:24
*** spzala has quit IRC03:25
*** jbell8 has quit IRC03:27
*** doug-fish has joined #openstack-keystone03:30
*** ccard_ has joined #openstack-keystone03:31
*** EinstCrazy has quit IRC03:33
*** EinstCrazy has joined #openstack-keystone03:33
*** ccard__ has quit IRC03:34
*** lhcheng has joined #openstack-keystone03:35
*** ChanServ sets mode: +v lhcheng03:35
ayoungnotmorgan, are you going to hold firm on opposing the "request a token with a subset of endpoints?"  I can see where you are coming from, but...this is making things better, not worse that way03:36
ayoungthe endpoint binding code that Gyee go in recently is kindof hamstrung without a way to limit the endpoints in the tokne03:37
ayoungnotmorgan, and...I don;t see us completely getting rid of the service catalog, which is the only thing that would actively solve the problems you referred to in the review03:37
notmorganayoung: catalog is fine03:38
notmorganayoung: i just don't want to enforce/filter the catalog03:38
*** lhcheng_ has quit IRC03:38
ayoungnotmorgan, so this proposal does not need endpoint fgilter03:39
ayoungnotmorgan, say you are uploading an image to glance, you don't need any other endpoints but glance in the token03:39
ayoungcouple that with gyee's fix, and I think we have a pretty big reduction in attack service03:40
ayoungnotmorgan, forget filtering, this is most likely going to be used with a single endpoint in the token for most calls03:41
ayoungits an opt in API;  if the user does not request a subset of the endpoints, they get the default behavior03:42
notmorganno benefit03:44
notmorganjust don't bother to futz w/ the catalog03:45
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subsets of roles or endpoints  https://review.openstack.org/18697903:45
notmorgancatalog should just be the catlaog03:45
notmorganand left alone03:45
ayoungnotmorgan, so you going to work out with gyee that you want to kill his "endpoint binding of tokens" because that is the other side of this03:47
ayoungnotmorgan, https://review.openstack.org/#/c/177661/03:48
*** shoutm_ has joined #openstack-keystone03:49
notmorganayoung: yep want to kill that03:50
notmorganayoung: i've been trying very hard not to -2 things03:50
*** shoutm has quit IRC03:51
ayoungnotmorgan, didn't see anything negative from you on those reviews.  It caught me by surprise that you are set against this.  I'm not certain we should do this with Roles, though.03:51
notmorganjust -1'd it03:51
ayoungnotmorgan, that effectively stops it.  Keystone doesn't tend to move past a -1 from a core03:52
notmorganwe move past -1 more often than other projects tbh03:52
notmorganbut that might be by fault03:52
notmorgancause i'll +2/harass people over a -103:52
notmorgani also am open to movin back to a zero score for the right things03:53
*** vivekd has joined #openstack-keystone03:53
notmorganbut honestly endpoint filtering is awful03:53
notmorganand we can do better03:54
ayoungnotmorgan, ok...this one is not going to happen in Mitaka anyway.  I'll leave it be for now. We can discuss in the post rc1 timeframe what approach we want to take for 'N'03:54
ayoungI think this is different from filtering, TBH03:54
notmorgani don't think we shoul muck with the catalog at all03:55
ayoungI still think a token should be good for only one service, and a short period of time...03:55
notmorganwe should just use the raw catalog in all cases03:55
notmorgancatalog is discovery03:55
notmorgandon't muck with it03:55
notmorganshort period, limited roles, even roles that limit access to a specific service03:55
notmorganesp. if those are well defined roles that are opinionated and interoperable across deplyments03:56
notmorganbut i don't want to see us mucking with the catalog03:56
notmorganif that makes sense03:56
ayoungnotmorgan, the problem is it makes too much sense03:56
ayoungit brings up the urge I've surpressed to take the catalog as it exists now out behind the woodshed and give it the Old-Yeller treatment03:57
notmorgannah, i think we can do this with other things w/o needing to muck with the catalog03:57
notmorganeven if we old yeller it03:57
notmorgani want us to not muck around in there if we use it for discovery03:57
*** doug-fish has quit IRC03:58
notmorganif we make it something else, and discovery is separate i'll back away from my stance03:58
ayoungOK...I'll rewrite my spec as just roles.  That at least allows the spec to be 1-1 with the impl03:58
notmorgancatalog should be inclusive (and well defined)03:58
notmorganas it sits now03:58
notmorganif we are enforcing on it i'd rather add a new "things i can talk to with this token" field03:58
notmorganif that makes sense03:58
*** shoutm has joined #openstack-keystone03:59
notmorganso we can use the catalog as a definitive "this is what the endpoints for the cloud are" and know it's always the same03:59
notmorganespecially if the x-project spec for well defined catalog lands03:59
*** shoutm_ has quit IRC04:00
*** topol has joined #openstack-keystone04:03
*** ChanServ sets mode: +v topol04:03
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subsets of roles  https://review.openstack.org/18697904:04
*** topol has quit IRC04:07
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subset of catalog  https://review.openstack.org/26613704:08
ayoungnotmorgan, that second one you will want to -104:08
notmorgani'll do that tomorrow ;)04:09
notmorgani am too busy procrasinating cleanup post cooking to do that.04:10
notmorganayoung: and calling out topol on twitter for not having an IRC bouncer04:11
ayoungnotmorgan, I'm a meatspace IRC bouncer04:11
notmorganayoung: you're on IRC enough that i don't notice04:12
notmorganbut topol drops off a lot04:13
*** spandhe has quit IRC04:18
openstackgerritMerged openstack/keystone: Separate trust crud tests from trust auth tests  https://review.openstack.org/26593104:20
*** spzala has joined #openstack-keystone04:20
*** spzala has quit IRC04:25
*** links has joined #openstack-keystone04:26
*** RA_ has joined #openstack-keystone04:28
*** roxanagh_ has quit IRC04:28
*** richm has quit IRC04:49
*** fawadkhaliq has quit IRC04:52
*** markvoelker has quit IRC04:58
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/26615105:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/26615305:01
*** itlinux has joined #openstack-keystone05:04
*** itlinux has quit IRC05:04
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/26616805:05
*** shoutm_ has joined #openstack-keystone05:08
*** shoutm has quit IRC05:08
*** aginwala has joined #openstack-keystone05:09
*** fawadkhaliq has joined #openstack-keystone05:15
*** sigmavirus24 is now known as sigmavirus24_awa05:18
*** spzala has joined #openstack-keystone05:22
*** EinstCra_ has joined #openstack-keystone05:25
*** EinstCrazy has quit IRC05:25
*** spzala has quit IRC05:26
*** EinstCra_ has quit IRC05:29
*** shoutm has joined #openstack-keystone05:30
*** EinstCrazy has joined #openstack-keystone05:30
*** aginwala has quit IRC05:30
*** shoutm_ has quit IRC05:32
*** aginwala has joined #openstack-keystone05:32
stevemaranyone wannt punt https://review.openstack.org/#/c/266118/1 through?05:33
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Disable memory caching of tokens  https://review.openstack.org/21234505:34
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094105:35
*** vgridnev has joined #openstack-keystone05:35
*** jaosorior has joined #openstack-keystone05:47
*** Nirupama has joined #openstack-keystone05:48
stevemarthanks jamielennox05:55
*** markvoelker has joined #openstack-keystone05:59
*** shoutm has quit IRC06:00
*** edmondsw has quit IRC06:02
*** shoutm has joined #openstack-keystone06:02
*** EinstCrazy has quit IRC06:03
*** EinstCrazy has joined #openstack-keystone06:03
openstackgerritvenkatamahesh proposed openstack/keystone: Improvements in python condition code  https://review.openstack.org/26620306:05
*** markvoelker has quit IRC06:06
openstackgerritDave Chen proposed openstack/keystone: Relax the schema validation to accept empty request body  https://review.openstack.org/23744806:09
*** spzala has joined #openstack-keystone06:23
*** aginwala_ has joined #openstack-keystone06:26
*** shoutm has quit IRC06:28
*** spzala has quit IRC06:29
*** aginwala has quit IRC06:30
*** aginwala_ has quit IRC06:32
*** ninag has joined #openstack-keystone06:33
*** shoutm has joined #openstack-keystone06:34
*** ninag has quit IRC06:38
*** EinstCrazy has quit IRC06:39
*** EinstCrazy has joined #openstack-keystone06:39
*** EinstCra_ has joined #openstack-keystone06:45
*** EinstCrazy has quit IRC06:45
*** jaosorior has quit IRC06:48
*** fawadkhaliq has quit IRC06:49
*** fawadkhaliq has joined #openstack-keystone06:51
*** lhcheng has quit IRC06:54
*** EinstCra_ has quit IRC06:56
*** EinstCrazy has joined #openstack-keystone06:57
*** EinstCrazy has quit IRC06:57
*** EinstCrazy has joined #openstack-keystone06:57
*** EinstCrazy has quit IRC07:00
*** EinstCra_ has joined #openstack-keystone07:00
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/26616807:02
*** vgridnev has quit IRC07:05
*** EinstCra_ has quit IRC07:08
*** EinstCrazy has joined #openstack-keystone07:08
*** jaosorior has joined #openstack-keystone07:09
*** roxanagh_ has joined #openstack-keystone07:16
openstackgerritvenkatamahesh proposed openstack/keystone: Improvements for more effective code  https://review.openstack.org/26620307:22
*** spzala has joined #openstack-keystone07:25
*** vgridnev has joined #openstack-keystone07:35
*** EinstCra_ has joined #openstack-keystone07:41
*** EinstCrazy has quit IRC07:41
*** e0ne has joined #openstack-keystone07:42
*** RA_ has quit IRC07:43
*** vivekd_ has joined #openstack-keystone07:49
openstackgerritDave Chen proposed openstack/keystone: Enable `id`, `enabled` attributes filtering for list IdP API  https://review.openstack.org/21504107:50
*** vivekd has quit IRC07:52
*** vivekd_ is now known as vivekd07:52
*** belmoreira has joined #openstack-keystone07:53
*** vgridnev has quit IRC08:00
*** spzala has quit IRC08:00
*** jistr has joined #openstack-keystone08:06
*** jistr is now known as jistr|doc08:07
*** EinstCrazy has joined #openstack-keystone08:07
*** EinstCra_ has quit IRC08:07
*** jed56 has joined #openstack-keystone08:08
*** EinstCrazy has quit IRC08:12
*** EinstCrazy has joined #openstack-keystone08:12
*** GB21 has joined #openstack-keystone08:15
*** e0ne has quit IRC08:16
*** pnavarro has joined #openstack-keystone08:19
*** fawadkhaliq has quit IRC08:22
*** fawadkhaliq has joined #openstack-keystone08:22
*** spzala has joined #openstack-keystone08:27
openstackgerritMerged openstack/keystonemiddleware: Disable memory caching of tokens  https://review.openstack.org/21234508:48
openstackgerritMerged openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094108:49
*** vgridnev has joined #openstack-keystone08:50
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118808:52
stevemartomorrow, we release all the clients!08:52
stevemaror at least, propose patches and create release notes08:53
*** spzala has quit IRC08:55
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/26615308:59
*** jistr|doc has quit IRC08:59
*** belmoreira has quit IRC09:01
*** fhubik has joined #openstack-keystone09:06
*** spzala has joined #openstack-keystone09:09
*** daemontool has joined #openstack-keystone09:11
*** spzala has quit IRC09:14
*** openstackgerrit has quit IRC09:17
*** openstackgerrit has joined #openstack-keystone09:17
*** jistr has joined #openstack-keystone09:20
*** mhickey has joined #openstack-keystone09:23
*** fhubik is now known as fhubik_brb09:27
*** aix has joined #openstack-keystone09:37
*** e0ne has joined #openstack-keystone09:48
*** fhubik_brb is now known as fhubik09:50
*** clayton has quit IRC09:51
*** fawadkhaliq has quit IRC09:51
*** clayton has joined #openstack-keystone09:51
*** fawadkhaliq has joined #openstack-keystone09:52
*** sileht has quit IRC09:52
*** davechen has left #openstack-keystone09:55
*** EinstCrazy has quit IRC09:57
*** fawadkhaliq has quit IRC10:01
*** fawadkhaliq has joined #openstack-keystone10:01
*** markvoelker has joined #openstack-keystone10:02
*** sileht has joined #openstack-keystone10:03
*** markvoelker has quit IRC10:07
*** RA has joined #openstack-keystone10:10
*** RA is now known as Guest6917510:10
*** josecastroleon has joined #openstack-keystone10:19
openstackgerritMerged openstack/keystoneauth: Replace assertEqual(None, *) with assertIsNone in tests  https://review.openstack.org/26611810:19
*** Guest69175 has quit IRC10:25
*** aix has quit IRC10:32
samueldmqstevemar: nice10:35
*** shoutm_ has joined #openstack-keystone10:45
*** shoutm has quit IRC10:47
*** fawadkhaliq has quit IRC10:52
*** aix has joined #openstack-keystone10:53
*** jaosorior has quit IRC10:55
*** jaosorior has joined #openstack-keystone10:55
*** shoutm_ has quit IRC10:56
*** dims has joined #openstack-keystone11:05
*** roxanagh_ has quit IRC11:05
*** shoutm has joined #openstack-keystone11:07
*** spzala has joined #openstack-keystone11:10
*** josecastroleon has quit IRC11:13
*** spzala has quit IRC11:15
*** vivekd has quit IRC11:17
*** openstackgerrit has quit IRC11:17
*** openstackgerrit has joined #openstack-keystone11:17
*** fhubik is now known as fhubik_brb11:19
openstackgerritMerged openstack/keystone: Create V9 version of federation driver interface  https://review.openstack.org/26230711:19
openstackgerritXiaoyang Zhang proposed openstack/keystone: keystone bug test  https://review.openstack.org/26630311:29
*** zqfan has joined #openstack-keystone11:33
*** vivekd has joined #openstack-keystone11:40
*** vivekd has quit IRC11:41
*** vivekd has joined #openstack-keystone11:42
*** jaosorior has quit IRC11:49
*** jaosorior has joined #openstack-keystone11:50
*** fhubik_brb is now known as fhubik11:52
*** vivekd has quit IRC11:54
openstackgerritting wang proposed openstack/keystone: Python3: replace dumps with dump_as_bytes  https://review.openstack.org/26631511:56
*** josecastroleon has joined #openstack-keystone12:01
*** markvoelker has joined #openstack-keystone12:03
*** fhubik is now known as fhubik_brb12:04
*** peter-hamilton has joined #openstack-keystone12:06
*** markvoelker has quit IRC12:08
*** roxanagh_ has joined #openstack-keystone12:09
*** vgridnev has quit IRC12:10
*** josecastroleon has quit IRC12:10
openstackgerritHenrique Truta proposed openstack/keystone: Create V9 version of resource driver interface  https://review.openstack.org/26208212:11
*** vgridnev has joined #openstack-keystone12:11
*** josecastroleon has joined #openstack-keystone12:11
*** spzala has joined #openstack-keystone12:11
*** roxanagh_ has quit IRC12:15
*** spzala has quit IRC12:16
*** GB21 has quit IRC12:21
*** qeelee has joined #openstack-keystone12:21
*** pauloewerton has joined #openstack-keystone12:21
*** _zouyee has joined #openstack-keystone12:21
*** GB21 has joined #openstack-keystone12:22
*** _zouyee has quit IRC12:23
*** _zouyee has joined #openstack-keystone12:23
samueldmq_zouyee: hi12:23
*** shoutm_ has joined #openstack-keystone12:26
*** shoutm has quit IRC12:28
*** aix has quit IRC12:29
*** vgridnev has quit IRC12:30
*** shoutm_ has quit IRC12:31
*** aix has joined #openstack-keystone12:32
*** shoutm has joined #openstack-keystone12:32
*** fhubik_brb is now known as fhubik12:33
*** GB21 has quit IRC12:37
*** iurygregory has joined #openstack-keystone12:37
*** vgridnev has joined #openstack-keystone12:41
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/26615112:41
*** d0ugal has quit IRC12:42
*** d0ugal has joined #openstack-keystone12:43
*** d0ugal is now known as Guest5838512:43
*** EinstCrazy has joined #openstack-keystone12:45
*** Guest58385 is now known as d0ugal12:45
*** d0ugal has quit IRC12:45
*** d0ugal has joined #openstack-keystone12:45
marekdnotmorgan: reading the IRC backlog - why would you think endpoint filtering should die?12:45
marekdroxanaghe: let me know when you are online12:45
*** markvoelker has joined #openstack-keystone13:04
*** fhubik is now known as fhubik_brb13:05
*** davechen1 has joined #openstack-keystone13:05
*** ninag has joined #openstack-keystone13:06
*** fhubik_brb is now known as fhubik13:09
openstackgerritMarek Denis proposed openstack/keystone: Add asserts for service providers  https://review.openstack.org/26580913:09
openstackgerritMarek Denis proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485413:09
*** roxanagh_ has joined #openstack-keystone13:10
*** ninag has quit IRC13:11
*** spzala has joined #openstack-keystone13:12
*** _zouyee has quit IRC13:13
*** roxanagh_ has quit IRC13:15
*** markvoelker has quit IRC13:15
*** spzala has quit IRC13:17
*** davechen has joined #openstack-keystone13:17
*** davechen1 has quit IRC13:19
*** fhubik has quit IRC13:19
*** oomichi is now known as oomichi_away13:23
*** ninag has joined #openstack-keystone13:24
*** fawadkhaliq has joined #openstack-keystone13:28
*** Nirupama has quit IRC13:30
*** shoutm has quit IRC13:30
*** sigmavirus24_awa is now known as sigmavirus2413:31
*** edmondsw has joined #openstack-keystone13:32
*** fawadkhaliq has quit IRC13:34
*** markvoelker has joined #openstack-keystone13:35
*** _zouyee has joined #openstack-keystone13:36
*** _zouyee has quit IRC13:36
*** sigmavirus24 is now known as sigmavirus24_awa13:40
*** dslev has joined #openstack-keystone13:42
htrutastevemar: the patch this was depending on was merged https://review.openstack.org/#/c/262082 and it was rebased. Can you +A it?13:46
stevemarhtruta: looks like it's failing the legacy tests13:46
stevemarhenrynash: around?13:46
*** browne has joined #openstack-keystone13:47
htrutastevemar: ow... my bad. I'll submit it again13:48
stevemarhtruta: i'm not sure why it's failing13:48
stevemarbut i did just wake up :)13:48
htrutastevemar: that's why: https://review.openstack.org/#/c/262082/4..5/tox.ini13:48
stevemard'oh, need a new line that starts with nosetests -v \13:49
stevemarhtruta: commented13:49
stevemarthanks for rebasing :)13:49
htrutastevemar: yes... just running it locally and will submit in a sec13:50
*** topol has joined #openstack-keystone13:50
*** ChanServ sets mode: +v topol13:50
stevemarhtruta: cool cool13:50
stevemarhtruta: i wonder why henrynash called the federation driver api_v3.py instead of sql.py13:50
stevemarseems inconsistent13:50
stevemartopol: oh hey, look who signed on :O13:51
*** topol has quit IRC13:51
htrutastevemar: true... that's odd13:52
*** browne has quit IRC13:52
openstackgerritHenrique Truta proposed openstack/keystone: Create V9 version of resource driver interface  https://review.openstack.org/26208213:52
*** shoutm has joined #openstack-keystone13:52
*** _zouyee has joined #openstack-keystone13:55
*** jbell8 has joined #openstack-keystone13:56
*** qeelee has quit IRC13:57
*** dslev has quit IRC14:02
*** gordc has joined #openstack-keystone14:04
*** richm has joined #openstack-keystone14:10
*** topol has joined #openstack-keystone14:16
*** ChanServ sets mode: +v topol14:16
*** jsavak has joined #openstack-keystone14:16
*** spzala has joined #openstack-keystone14:17
davechenstevemar: henry give his answer here - https://review.openstack.org/#/c/262307/3/keystone/tests/unit/backend/legacy_drivers/federation/V8/api_v3.py@414:17
stevemardavechen: hmm, but it's in the "backends* folder14:18
*** Ephur has quit IRC14:19
*** Ephur has joined #openstack-keystone14:20
*** Ephur has quit IRC14:20
davechenstevemar: seems like he means FederatedIdentityProviderTestsV8 is inherit from test_v3_federation instead of test_backend.py.14:20
*** Ephur has joined #openstack-keystone14:20
*** spzala has quit IRC14:21
*** jsavak has quit IRC14:21
davechens/test_backend.py/test_backend_sql. This is the difference I can see.14:21
lbragstadayoung fernet is passing devstack - https://review.openstack.org/#/c/195780/14:22
dolphmlbragstad: \o/14:22
lbragstadayoung I believe it has been for a while; but there were some comments about *where* we should switch the default14:22
lbragstad(keystone or devstack)14:22
*** jsavak has joined #openstack-keystone14:23
lbragstadif we want to allow it to be the default in keystone - we will need a patch to set things up automatically (maybe I can work on that today)14:23
dstaneklbragstad: nice14:24
lbragstaddolphm ayoung - fyi https://review.openstack.org/#/c/266054/114:24
lbragstadall the trust tests are separated into "trust behavior" and "trust crud"14:25
openstackgerritDavid Stanek proposed openstack/keystone: Refactor test auth_plugin config into fixture  https://review.openstack.org/26639614:26
openstackgerritDavid Stanek proposed openstack/keystone: Reduce setup overhead in auth_plugin tests  https://review.openstack.org/26639714:26
openstackgerritDavid Stanek proposed openstack/keystone: Change the remaining conf setup to use the fixture  https://review.openstack.org/26639814:26
openstackgerritDavid Stanek proposed openstack/keystone: Limits config fixture usage to where it's needed  https://review.openstack.org/26639914:26
*** shoutm has quit IRC14:26
ayounghttp://www.ansible.com/blog/ansible-2.0-launch   YAY!14:29
*** petertr7_away is now known as petertr714:30
ayounglbragstad, thanks for pointing that out.  Looks like it is +Workflow now.  Are you planning on taking over https://review.openstack.org/#/c/258650/14:31
ayounglbragstad, I was assuming that was mostly test fixes, so if you are already fixing the tests, you can rebase that and see it get closer and closer to working14:32
*** aix has quit IRC14:33
lbragstadayoung ah - I can. I was just trolling gerrit looking for that patch14:33
lbragstadayoung let me pull your patch down and see what happens when I run it locally14:33
ayounglbragstad, I was looking to seee if I could find the summary in the log file14:33
*** aix has joined #openstack-keystone14:33
ayoung - Failed: 29014:34
lbragstadhmmm - http://logs.openstack.org/50/258650/1/check/gate-keystone-python27/4a701de/testr_results.html.gz14:34
ayoungValueError: badly formed hexadecimal UUID string  seems to be a common error...let's see14:34
ayoungFile "keystone/token/providers/fernet/token_formatters.py", line 308, in convert_uuid_hex_to_bytes14:35
ayoung2015-12-16 21:29:22.027 |         uuid_obj = uuid.UUID(uuid_string)14:35
lbragstadi'm seeing a lot of "Key repository not found" errors14:35
ayounglbragstad  yeah, that is not surprising, too.14:36
*** davechen has left #openstack-keystone14:36
ayoungWe need to set up the Key repo once at the start of the run and have it there, reusable, for all tests in the run, I think.14:37
ayoungMake that the norm instead of the exception14:37
*** _zouyee has quit IRC14:37
*** _zouyee has joined #openstack-keystone14:38
ayounglbragstad, I'll leave that patch to you, but shout at any point if you get stuck or need something on it.14:38
*** dslev has joined #openstack-keystone14:39
*** timcline has joined #openstack-keystone14:39
lbragstadayoung agreed - let me see if i can get the key repository stuff figured out. I think that will fix a lot of the issues14:39
*** jaosorior has quit IRC14:40
*** shoutm has joined #openstack-keystone14:45
*** spzala has joined #openstack-keystone14:45
*** woodster_ has joined #openstack-keystone14:46
*** timcline has quit IRC14:46
*** dslev has quit IRC14:49
*** links has quit IRC14:50
*** topol has quit IRC14:55
*** topol has joined #openstack-keystone14:55
*** ChanServ sets mode: +v topol14:55
*** jsavak has quit IRC14:56
*** roxanagh_ has joined #openstack-keystone14:56
odyssey4meI have a question around making use of multiple identity back-ends, in this case specifying the default domain configuration in /etc/keystone/domains/keystone.Default.conf14:57
*** dslev has joined #openstack-keystone14:58
odyssey4meI'm using an sql back-end, but I want all domain configurations to be done in the same way - ie using the multiple domain back-end with conf files in /etc/keystone/domains/14:58
odyssey4methis allows someone to easily do sql or ldap identity back-ends14:58
odyssey4methe trouble I'm having is to determine what the content of the file should be for an sql back-end14:58
odyssey4meright now I have the two sections - 'identity' (containing 'driver = sql'), and an 'sql' section with no content14:59
odyssey4meshould the sql section have content, and if so - what content?15:00
*** topol has quit IRC15:00
odyssey4meit seems to work without content - I'm just trying to determine whether it could contain content to indicate that the domain in question could be referring to a totally different database if the deployer so chooses15:01
*** roxanagh_ has quit IRC15:01
*** doug-fish has joined #openstack-keystone15:02
stevemarodyssey4me: you're gonna make me look up and see if we actually support multiple SQL backends eh15:03
odyssey4mestevemar you know it :)15:03
stevemarhenrynash: ^^15:03
*** jrist has quit IRC15:03
odyssey4mehahahaha, delegated!15:03
stevemarodyssey4me: maybe it needs a [database] section and not [sql]15:05
anteayabknudson_: stable meeting15:05
stevemarso you can specify a db connection15:05
ayoungodyssey4me, so...I'd say that the default domain should be in SQL, and not in a domain specific backend15:05
ayoungthere was some work to make it happen, but, I would not see any advantage to putting SQL domains in a DSBE file.15:06
stevemarayoung: odyssey4me i assumed the default domain was in SQL, but odyssey4me wants multiple SQL backends15:06
ayoungstevemar, I'm not certain that has been tested15:06
ayoungIt would be awesome if it worked.  Let's see what got committed15:07
dstanekstevemar: i didn't think that you could do that15:07
dstanekstevemar: which database connection would our drivers use and when? i thought we just weren't architected for that yet15:08
ayoungso..no, as far as I can tell, all that is supporetd is putting the domain specific backend configs into SQL, not what you are lookin for15:08
ayoungdstanek, that is my understanding as well15:08
samueldmqjamielennox: you around ? about adapter deprecation on ksclient15:08
odyssey4meok, so only one sql back-end is ever supported at this stage... and its details must be put into keystone.conf instead of in a DSBE file15:09
*** GB21 has joined #openstack-keystone15:09
*** petertr7 is now known as petertr7_away15:10
dstanekodyssey4me: yes. afiak we only support a single database connection15:11
samueldmqdstanek: ++15:12
odyssey4meso there is no way that a secondary domain could be configured to be in a database that's different to the default domain and other config15:12
*** jrist has joined #openstack-keystone15:15
*** jrist has quit IRC15:16
*** jrist has joined #openstack-keystone15:16
*** dave-mccowan has joined #openstack-keystone15:17
dstanekodyssey4me: that is my understanding15:17
*** petertr7_away is now known as petertr715:18
odyssey4meok, so the DSBE files are for LDAP (or other drivers) only15:18
*** dave-mcc_ has joined #openstack-keystone15:19
odyssey4meand if someone is configuring the default domain in LDAP - should that be done in keystone.conf, or in a DSBE?15:20
*** lhcheng has joined #openstack-keystone15:22
*** ChanServ sets mode: +v lhcheng15:22
*** dave-mccowan has quit IRC15:22
*** jsavak has joined #openstack-keystone15:25
ayoungodyssey4me, in DSBE15:25
ayoungodyssey4me, I would do it like this:15:25
ayoungmake SQL the identity profiover in the main config file15:26
ayoungcrearte a DSBE for LDAP15:26
ayoungmake the LDAP domain the default domain15:26
ayoungodyssey4me, along these lines  http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/15:26
odyssey4meayoung ok, so it's pretty much either or when it comes to the default domain15:28
odyssey4meI saw some old posts around a 'hybrid' concept where a domain could use both... does that exist?15:28
ayoungodyssey4me, more correct to say that it is either/or for the identity backend15:28
ayoungodyssey4me, nope15:28
*** BobBall has left #openstack-keystone15:29
ayoungnever supported15:29
odyssey4meok, good - thanks for the confirmation15:29
*** jbell8 has quit IRC15:30
odyssey4meas always, guys & gals, you rock :) your responsiveness is appreciated15:30
*** breitz has quit IRC15:32
*** breitz has joined #openstack-keystone15:32
lbragstadayoung cut the tests in half - pushing a new patch15:37
ayounglbragstad, the test time?  Excellent15:38
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865015:38
lbragstadayoung 149 failures15:38
lbragstadayoung i have a feeling they are oauth related15:38
*** timcline has joined #openstack-keystone15:39
stevemarlbragstad: ruh roh15:39
lbragstadstevemar ayoung - http://cdn.pasteraw.com/b5plpttlsmxjwrjl9nb41izxcyczwuf15:39
stevemarlbragstad: fernet and oauth errors?15:40
ayounglbragstad, feels like something is expecting a UUID string and getting a Fernet token instead15:41
stevemartjcocozz: feel like backporting much stuff? :P15:42
tjcocozzyeah whats up?15:43
stevemartjcocozz: https://review.openstack.org/#/q/I483bc57bd38eb81a0905bcaf94e4ea82604919d6,n,z landed in master, but needs to be in liberty and kilo as well. the liberty one is failing tests too :\15:43
stevemarit's actually, the other half the of fix to which you've backported for the server side15:44
tjcocozzstevemar, just want to finish this review quick.  I will give it a try15:44
xeklbragstad, Hi, I proposed documentation about online schema migration at https://review.openstack.org/#/c/265252/, can you take a look?15:44
stevemartjcocozz: i see bknudson_ has taught you the fine art of backporting15:44
tjcocozzstevemar, lets see if it paid off :-)15:45
bknudson_tjcocozz figured that out himself15:45
tjcocozzbknudson_, i didn't know about the '-X' in git reivew though15:46
ayounglbragstad, Um  I think the issue is here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/token_formatters.py#n43415:46
ayoungthe test is probably using a non uuid user_id, and the Fernet provider is barfing on it.  Fernet cannot assume UUID for User_id, as many LDAP installs need to use a string;  no place to store the UUID15:47
*** topol has joined #openstack-keystone15:48
*** ChanServ sets mode: +v topol15:48
xeklbragstad, I'm also working to propose a patch for https://bugs.launchpad.net/keystone/+bug/1524124 in accordance with these guidelines15:48
openstackLaunchpad bug 1524124 in OpenStack Identity (keystone) "unscalable database schema design" [Undecided,New] - Assigned to Grzegorz Grasza (xek)15:48
ayounglbragstad, we could probably change the UUID-to-bytes call to a try block and, on this failure, base64 encode15:48
lbragstadayoung yeah, i thought we did that already?15:54
lbragstadxek sure thing15:55
dstaneknotmorgan: did you ever make progress on using ldap3?15:55
dstaneklbragstad: ayoung: i had a patch a while ago trying to fix the bytes issues in fernet https://review.openstack.org/#/c/207526/15:57
bknudson_lbragstad: I'm in the castle now, for the ossg meetup15:58
*** fawadkhaliq has joined #openstack-keystone15:58
lbragstadbknudson_ what?! I assume you guys are going to break for lunch?15:59
*** phalmos has joined #openstack-keystone15:59
bknudson_lbragstad: yep, at noon15:59
bknudson_I think they're going to bring in lunch16:00
lbragstadbknudson_ awesome!16:00
ayoungdstanek, that looks like it should come back to life16:00
dstanekayoung: i can revive it. i'm reviving some other python3 stuff now16:01
ayoungdstanek, ++16:01
lbragstadayoung i think that stuff was fixed with - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L314-L32716:02
lbragstadayoung browne was the one to do that I think - https://github.com/openstack/keystone/commit/794e1510cc91fbe0277e291bc2cabdfba478bef316:03
lbragstadayoung so i'm not completely sure why we hit that issue with oauth16:04
ayounglbragstad, I think it is not oauth16:04
ayoungI think it is usierd id...let me confirm16:04
lbragstadayoung it looks like the domain id?16:05
*** gokrokve has joined #openstack-keystone16:05
lbragstadayoung - http://cdn.pasteraw.com/jm2t11vxf9qj3bib6qm97cxaxycx0cl16:06
*** aix has quit IRC16:07
*** slberger has joined #openstack-keystone16:07
lbragstadayoung - i think i have an idea of what is going on16:10
lbragstadayoung the token formatter tries to convert the domain_id to bytes - and it fails with a ValueError.16:10
*** vgridnev has quit IRC16:11
lbragstadthe b_domain_id is then only assigned the domain_id *iff* the domain_id matches what is in the configuration16:11
lbragstadif not - the exception is reraised16:11
ayounglbragstad, I'm trying to catch it with rpdb...16:12
ayounglbragstad, I think it is failing on userid16:13
openstackgerritSteve Martinelli proposed openstack/keystoneauth: add release notes for ksa 2.2.0  https://review.openstack.org/26645616:14
*** fawadkhaliq has quit IRC16:14
stevemarmordred: notmorgan dolphm bknudson_ ^ gonna need helps with release notes, tagging new releases today16:15
ayounglbragstad, nah, you are right it is domain16:15
ayoungI'll let youtackle it..I have to run16:16
*** ayoung has quit IRC16:16
*** shoutm has quit IRC16:17
*** sigmavirus24_awa is now known as sigmavirus2416:18
*** GB21 has quit IRC16:24
*** EinstCrazy has quit IRC16:28
*** josecastroleon has quit IRC16:31
*** lhcheng has quit IRC16:34
*** jamielennox is now known as jamielennox|away16:37
*** petertr7 is now known as petertr7_away16:41
*** petertr7_away is now known as petertr716:42
*** jsavak has quit IRC16:44
*** hockeynut_afk is now known as hockeynut16:45
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: create release notes for ksm 4.1.0  https://review.openstack.org/26647416:47
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: add release notes for ksc 2.1.0  https://review.openstack.org/26646616:47
*** browne has joined #openstack-keystone16:47
*** fawadkhaliq has joined #openstack-keystone16:49
stevemarlooking for volunteers to review release notes :O https://review.openstack.org/#/q/topic:mitaka-2-keystone-libs16:51
*** _cjones_ has joined #openstack-keystone16:53
*** tonytan4ever has joined #openstack-keystone16:54
*** jsavak has joined #openstack-keystone16:54
*** bradjones has quit IRC16:55
*** _zouyee has quit IRC16:55
*** rderose has joined #openstack-keystone16:56
*** bradjones has joined #openstack-keystone16:58
*** bradjones has quit IRC16:58
*** bradjones has joined #openstack-keystone16:58
*** _cjones_ has quit IRC16:58
*** _cjones_ has joined #openstack-keystone16:58
*** spzala has quit IRC16:59
*** spzala has joined #openstack-keystone17:00
*** dslev has quit IRC17:01
*** gyee has joined #openstack-keystone17:01
*** ChanServ sets mode: +v gyee17:01
*** lhcheng has joined #openstack-keystone17:02
*** ChanServ sets mode: +v lhcheng17:02
*** spzala has quit IRC17:04
*** vgridnev has joined #openstack-keystone17:06
*** fawadkhaliq has quit IRC17:07
*** mhickey has quit IRC17:13
*** rderose has quit IRC17:15
*** jbell8 has joined #openstack-keystone17:16
*** daemontool has quit IRC17:22
*** gokrokve has quit IRC17:22
*** fawadkhaliq has joined #openstack-keystone17:29
*** zqfan has quit IRC17:31
bknudson_stevemar: https://review.openstack.org/#/c/266474/ is failing locally17:32
bknudson_/opt/stack/keystonemiddleware/releasenotes/source/unreleased.rst:3: WARNING: Duplicate explicit target name: "bug 1490804".17:32
openstackbug 1490804 in OpenStack Security Advisory "PKI Token Revocation Bypass (CVE-2015-7546)" [Undecided,Confirmed] https://launchpad.net/bugs/149080417:32
*** petertr7 is now known as petertr7_away17:37
roxanaghemarekd: ping17:42
*** e0ne has quit IRC17:42
*** tonytan4ever has quit IRC17:51
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424817:54
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414917:54
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591617:54
*** jasonsb has quit IRC17:56
*** rderose has joined #openstack-keystone18:00
*** jistr has quit IRC18:03
marekdroxanaghe: so i am here18:04
marekdhowever, may be disconneced18:04
*** shaleh has joined #openstack-keystone18:04
*** dave-mcc_ has quit IRC18:04
roxanaghehey marekd, so you saw my question from yesterday?18:05
*** ankita_wagh has joined #openstack-keystone18:06
roxanaghemarekd, I've been trying to help testing that ADFSPlugin patch to remove lxml dependency, I'm almost able to test it all through but not quite there18:06
marekdroxanaghe: and od patch wors fine?18:07
marekdi mean, default code from the keystoneauth lib18:08
roxanaghemarekd, no - without the patch - it doesn't work either18:08
roxanagheI got a weird ADFS error :(18:09
marekdso i'd first suggest try to make it work with default code (i think gyee even confirmed it worked)18:09
marekdi don't know what is that error meaning18:09
marekddon't you have some adfs folks out there?18:10
*** jsavak has quit IRC18:10
gyeemarekd, you mean the famous Dr Watson error dialog? :)18:10
marekdgyee: i don't know what dialog :-)18:11
gyeeI haven't had a chance to look into the ADFS stuff yet18:11
roxanaghemarekd, gyee hah I'll try to dig in some more into that error or search for an ADFS friend18:14
marekdroxanaghe: MS support is your friend :-)18:14
marekdbut they are...friends you can buy18:14
roxanaghemarekd, right :) I can also give a try to your kerberos script see what we get on our env18:16
openstackgerritIan Cordasco proposed openstack/oslo.policy: Add oslopolicy-checker command-line tool  https://review.openstack.org/17097818:16
marekdroxanaghe: if you have access to a totally dev adfs env that would be coo18:16
marekddisable tls/ssl18:16
marekdand try if it works18:16
marekdbut just keep in mind that also this request body must have host filled18:17
marekdsomewhere in the <mustUnderstand tag>18:17
gyeemarekd, ADFS login form is customizable right?18:18
*** jbell8_ has joined #openstack-keystone18:18
marekdthis login webpage?18:19
marekddunno, but i guess so.18:19
gyeeanyways, roxanaghe, lets do some heavy debugging later in the afternoon18:20
roxanaghemarekd, ok I'll give it a try today. Yes, figuring out the correct urls was a bit of a struggle, I could put up a patch to improve the code doc in ADFSPlugin18:20
roxanaghegyee yayy :)18:20
*** tonytan4ever has joined #openstack-keystone18:20
*** jbell8 has quit IRC18:21
marekdroxanaghe: thanks18:24
marekdroxanaghe: feel free to use thishttps://github.com/zaccone/pyadfsclient/blob/master/README.md18:25
roxanaghemarekd, that's good. thanks18:26
gyeemarekd, sure will do, thanks!18:26
*** jaosorior has joined #openstack-keystone18:27
marekdgyee: roxanaghe if you can give access to your dev adfs instances for ppl fromout of hpe i could use one18:28
*** rderose has quit IRC18:32
*** rderose has joined #openstack-keystone18:32
*** e0ne has joined #openstack-keystone18:35
gyeeraildo, yeah, I haven't enable trove yet18:35
roxanaghemarekd I'll have to ask around how that works. the current one is accessible only through VPN18:35
raildogyee: right18:35
marekdroxanaghe: aha18:36
notmorganhenrynash: after meeting need to ask you about the @filterprotected decorator, i'm tring to unwind that and the callbacks atm18:36
*** jasonsb has joined #openstack-keystone18:39
*** fawadkhaliq has quit IRC18:42
*** jsavak has joined #openstack-keystone18:48
*** petertr7_away is now known as petertr718:52
*** ayoung has joined #openstack-keystone18:52
*** ChanServ sets mode: +v ayoung18:52
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: add release notes for ksc 2.1.0  https://review.openstack.org/26646618:55
openstackgerritDavid Stanek proposed openstack/keystone: Reduce setup overhead in auth_plugin tests  https://review.openstack.org/26639718:59
openstackgerritDavid Stanek proposed openstack/keystone: Refactor test auth_plugin config into fixture  https://review.openstack.org/26639618:59
openstackgerritDavid Stanek proposed openstack/keystone: Limits config fixture usage to where it's needed  https://review.openstack.org/26639918:59
openstackgerritDavid Stanek proposed openstack/keystone: Change the remaining conf setup to use the fixture  https://review.openstack.org/26639818:59
*** jaosorior has quit IRC19:00
*** daemontool has joined #openstack-keystone19:00
gyeelets talk it over at the mid-cycle19:00
ayoungnotmorgan, it would not be different based on scope19:00
*** jaosorior has joined #openstack-keystone19:00
ayounggyee, I wonm't be there19:00
gyeeayoung, I saw you name on the list19:00
stevemari'll be sending out an email to midcycle attendees, if you know someone who wants to come and is not on the list https://wiki.openstack.org/wiki/Sprints/KeystoneMitakaSprint#Registration -- let me know!19:00
gyeethought you changed your mind19:00
ayounggyee, nah, the issue is medical.19:01
ayounggyee, I can't make it.19:01
notmorgangyee: it unsure if i'll be at the midcycle19:01
gyeeayoung, no worries, health is wealth19:01
stevemargyee: i added ayoung's name to the list last week, to make sure he had a spot19:01
stevemarbut i'll be removing it now19:01
notmorgani am looking into it.19:01
notmorganbut no guarantees19:01
notmorgangyee, ayoung: so if we want to bind endpoints i am fine with adding a list, i just want the catalog blob to not change. if that makes sense19:02
stevemarnotmorgan: do what you can19:02
ayoungnotmorgan, so...the only thing that will differ with this (my) spec is that, if you ask for a specific endpoint, it will only add that endpoint to the catalog.  I think it is safe to say that if the token would not have that endpoint without it being in the request, it would not be alloed to request it;  would be a 40319:02
*** jbell8_ has quit IRC19:02
ayoungnotmorgan, it would be smaller ,but the endpoint value in the catalog would be unchanged19:02
notmorganagain i am against changing the content of the catalog based on authetc19:02
*** jbell8 has joined #openstack-keystone19:03
notmorganthe catalog content shouldn't change.19:03
ayoungnotmorgan, Well, we can work with that constraint, but it is strange.19:03
gyeeyou can enforce endpoint binding without the proper endpoints19:04
ayounggyee, we could do it in a separate section of the token from the catalog if he insists19:04
gyeeunless you want to stick an extra field in the tokne19:04
ayoungI have to run....back in 1/2 hour19:04
gyeelike allowed_endpoints or something19:04
gyeethat would make the token even bigger19:04
*** breton_ is now known as breton19:05
notmorgangyee: that is what i'm saying, do enforcement in a specific place in the token if you need it.19:05
gyeeif we are going this far, might as well make service catalog a separate service instead19:05
notmorgangyee: it probably should be19:05
*** spzala has joined #openstack-keystone19:05
gyeenormorgan, yeah, probably a better way19:05
notmorganit should not be embeded in the token at all, but that is something i'm working on long term19:05
gyeeI am totally OK with it being a separate service19:05
samueldmqconsul ?19:06
notmorganso in short, i'm just saying "don't change the catalog content" if you want this enforcement make it an enforcement block so we can expand/change as needed19:06
lbragstadstevemar thanks for the review on https://review.openstack.org/#/c/266052/ - I completely agree.19:06
*** aginwala has joined #openstack-keystone19:06
notmorgannot be locking more into the catalog as it is, because it needs work and will change with the x-proect spec to standardize it19:06
lbragstadstevemar I think jorge_munoz wants to take a stab at making the setup stuff more efficient19:06
stevemarlbragstad: ah okay19:07
gyeewe need a way to control what service to expose based on auth scope, so we'll need to figure out a solution19:07
notmorganso use an enforcement section, heck, we can be smart about it19:07
notmorgan{ enforcement: { region: { id: X, alloed: false }}19:08
notmorganif you want to get really granular19:08
*** martinus__ has quit IRC19:08
*** ayoung has quit IRC19:08
notmorganbut i don't want to see the catalog content changing.19:08
*** rderose has quit IRC19:09
notmorganbecause it's backing us further into a corner/locking us more into how the catalog works now and makes it harder to re-think the catalog [things in progress already] than today19:09
samueldmqnotmorgan: ++19:10
gyeeI think its essentially we need to be able to control what to expose19:10
notmorganI'm not convinced that is a real concern19:10
*** diegows has joined #openstack-keystone19:10
notmorgansamueldmq: anyway - so it looks like we've compressed down a bunch of things into a single paste entry?19:12
notmorgansamueldmq: and you did some of that work?19:12
notmorgansamueldmq: just checking on that status because i like that direction19:12
gyeegotta run, I'll catch you guys later19:13
*** gyee has quit IRC19:13
stevemarnotmorgan: can you address dolphm's concern here: https://review.openstack.org/#/c/265023/ (2nd last comment)19:14
samueldmqnotmorgan: hmm, frankly not sure I did that :-)19:14
samueldmqnotmorgan: single paste entry for v2 and v3 ?19:14
*** diegows has quit IRC19:15
lbragstadnotmorgan question for you on default domain behavior with fernet when you have a minute19:17
*** aginwala has quit IRC19:17
notmorganstevemar: commented on dolph's comment19:18
notmorganstevemar: the removed tests are not valid when we revert this change19:18
notmorgansamueldmq: routers for v3 into an entry in the paste pipeline19:19
notmorgansamueldmq: was the "make extensions default" stuff i think19:19
notmorganlbragstad: ask away19:19
samueldmqnotmorgan: sorry I didn't do that, I think stevemar did19:20
notmorganstevemar: the tests explicitly test that intermix doesn't work outside default domain. you can't revert the change and keep the tests.19:20
samueldmqnotmorgan: but I am able to help if there is something else to be done19:20
notmorgansamueldmq: ah your name was on the commit that made the change.19:20
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: create release notes for ksm 4.1.0  https://review.openstack.org/26647419:20
notmorgansamueldmq: but sure.19:20
notmorganstevemar: and it's at least 2 reported deployments now not just one.19:20
lbragstaddo you remember why we did this - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L375-L38219:20
notmorganlbragstad: ldap19:21
notmorganlbragstad: i think19:21
lbragstadnotmorgan right19:21
lbragstadnotmorgan but we only do it for the default domain it19:21
notmorgandefault domain ID is "default"19:21
notmorgannot UUID.hex19:21
notmorganthis is converting to uuid.bytes19:21
notmorganif possible19:21
notmorgancan't make "default" into uuid.bytes19:21
notmorganit was to reduce the token size19:21
*** itlinux has joined #openstack-keystone19:21
notmorganwhere possible19:22
*** yarkot has joined #openstack-keystone19:22
notmorganuuid.bytes is 16bytes, uuid.hex is 3219:22
lbragstadbut if you have another domain that isn't uuid.byte compatible, it will blow up19:22
notmorganyou should never have that19:22
notmorganunless you changed the DB directly19:22
lbragstadwhich i think is causing a bunch of the tests to fail in keystone's switch to making fernet the default19:22
notmorganour tests may be wrong.19:22
notmorgani am near certain we assert domain ids should laways be uuid except "default"19:23
lbragstadnotmorgan - https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_protection.py#L563-L57619:23
*** aginwala has joined #openstack-keystone19:23
notmorganlbragstad: that looks like incorrect setup something a real deployment couldn't do19:24
lbragstadnotmorgan https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_protection.py#L60819:24
lbragstadnotmorgan ah, it bypasses the controller layer19:24
notmorgansamueldmq: i'll look more into it shortly19:24
*** yarkot has quit IRC19:25
samueldmqnotmorgan: what's the change ? maybe I did and just forgot about it :(19:25
samueldmqnotmorgan: k let me know if you need a hand19:25
lbragstadnotmorgan so - should we refactor those tests to not be doing that? open a bug I assume?19:25
notmorganlbragstad: yeah.19:25
notmorganlbragstad: we also might want to push the "assign_unique_id" to the manager layer19:26
lbragstadnotmorgan yeah - that seems like business logic to me19:26
*** jaosorior has quit IRC19:31
*** jaosorior has joined #openstack-keystone19:32
lbragstadnotmorgan https://bugs.launchpad.net/keystone/+bug/153333019:32
openstackLaunchpad bug 1533330 in OpenStack Identity (keystone) "Some protection test cases have incorrect domain id setup" [Undecided,New]19:32
notmorganlbragstad: ++19:34
*** dave-mccowan has joined #openstack-keystone19:36
*** jbell8 has quit IRC19:37
sigmavirus24stevemar: for the oslo.policy CLI, just a blueprint is enough or is a spec needed also?19:40
*** ayoung has joined #openstack-keystone19:41
*** ChanServ sets mode: +v ayoung19:41
notmorgansigmavirus24: i don't think a spec is needed for that19:41
notmorganbut defer to sigmavirus2419:41
notmorganserm stevemar19:41
*** jasonsb has quit IRC19:42
sigmavirus24I'm just trying to clear out the oslo.policy queue19:42
navidpquestion about keystoneauth1 and keystoneclient authentication19:48
*** jasonsb has joined #openstack-keystone19:49
ayoungnotmorgan, am I correct in understanding that your concern about the endpoint-binding aspect of the token  is that it will change the service catalog, which will then mess up caching?19:51
*** Karthik__ has joined #openstack-keystone19:53
ayoungnotmorgan, if that is the case...I think we can work with that.19:53
*** rderose has joined #openstack-keystone19:54
*** ankita_wagh has quit IRC19:55
navidpkeystoneauth https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/token_endpoint.py19:55
navidpget_options method how to get that19:56
*** aginwala has quit IRC19:57
*** pai15 has joined #openstack-keystone19:58
*** rderose has quit IRC19:58
notmorganayoung: not just caching but also means that you [end user] gets differet views into the deployment for discoverability depending on internal things19:59
ayoungnotmorgan, Right.  I see what you are getting at.20:00
notmorganayoung: i think we should add an enforcement or binding section/re-use20:00
ayoungnotmorgan, So, for this to work right, it should really be a separate field, and an endpoint_id only20:00
notmorganand we can do all this in a way that also doesn't lock us into the way catalog works today20:00
notmorgancause we're in the middle of re-thinking that as is20:00
ayoungnotmorgan, so, with the "request a role" I was planning on saying that a user can only request a single role.  That increases the size of the token (thinking fernet and signing) by a single field.  We would want the samething here.20:01
ayoungIt would be wonderful if we had a shorthand way of treating an endpoint as a role....20:01
ayoungand of being able to compose those shorthand IDs on the fly20:02
*** aginwala has joined #openstack-keystone20:02
notmorganayoung: sure.20:02
ayoungnotmorgan  I really need to walk through a whole use case, from start to finish, and diagram it out, to show what should happen where.  It would start with a user getting a scoped token today, but really, we should split the  "give me catalog for my projects" reuqest that an end user needs to know form "let me call this remote service"20:03
ayoungmainly because I don;t want tokens being used in more than one hop20:04
ayoungso a token should never be usable for more than one endpoint20:04
ayounghaving catalog in the token is actually making it easier to do bad things20:04
notmorganayoung: well i want to make it so you auth an action at the edge and never need to revisit - aka boot an instance20:05
notmorganyou're allowed to do that20:05
notmorgandoesn't matter the subsequent service requests20:05
notmorgantalk to glance, swift, etc.20:05
notmorganthat is a lot of what i'm working on in my POC20:05
ayoungare you doing "nova can always talk to glance to download an image ,does not need a token" in that POC?20:05
notmorganthat is the long term plan20:06
notmorganit's the next step. i need to pull apart KSM to make that more possible20:06
*** aginwala has quit IRC20:12
navidpanybody can help me with keystoneauth1???20:13
navidpin keystoneclient https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/token_endpoint.py#L43-L54 you can get list of options, do you have similar thing in keystoneauth https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/token_endpoint.py20:14
*** aginwala has joined #openstack-keystone20:15
openstackgerrithenry-nash proposed openstack/keystone: Fix incorrect signature in federation legacy V8 wrapper  https://review.openstack.org/26655920:20
*** dslev has joined #openstack-keystone20:22
*** dslev has quit IRC20:25
*** aginwala has quit IRC20:26
*** aginwala has joined #openstack-keystone20:26
*** Karthik__ has quit IRC20:27
*** KarthikB_ has joined #openstack-keystone20:27
*** jsavak has quit IRC20:28
*** tonytan4ever has quit IRC20:28
*** KarthikB_ has quit IRC20:28
*** KarthikB_ has joined #openstack-keystone20:28
notmorgannavidp: there is a way to get the options for the plugins, sec. let me find that for you20:29
*** jsavak has joined #openstack-keystone20:29
navidpnotmorgan, thank you sir20:30
notmorgannavidp: i think it's part of keystoneauth1.loading20:31
notmorganthe token_endpoint one is... a bit weird20:31
notmorgantoken_endpoint i think is not really used int he same way20:32
notmorgannavidp: sorry trying to switch contexts back to keystoneauth20:32
navidpnotmorgan, no i think it is due to loading change from keystoneclient to keystoneauth20:32
*** topolznc has joined #openstack-keystone20:33
topolznctopol: test20:33
notmorgannavidp: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/_plugins/admin_token.py that is the one you're looking for20:33
notmorgantopolznc: oh hi20:33
topolznctopol: just working out some tweaks, no thanks to that jerk stevemar20:33
notmorgannavidp: or the normal token endpoing if you want to auth with a normal token mechanism20:34
navidpnotmorgan, isnt that admin_token20:34
notmorgannavidp: s/endpoing/plugin20:34
notmorgannavidp: token_endpoint is not a super useful thing and isn't exposed as a plugin via setup.cfg20:34
notmorganso it's not really a plugin in keystoneauth20:34
notmorganadmin_token replicates the functionality20:35
navidpnotmorgan, thanks i try it, see if it works, thanks again20:35
* notmorgan nods20:35
ayoungdstanek, which of these is preferred:20:38
ayoung        role_dics = dict((role_ref['id'], role_ref) for role_ref in self.role_api.list_roles())20:38
ayoung        role_dics = {role_ref['id']: role_ref for role_ref in self.role_api.list_roles()}20:38
dstanekayoung: the second20:38
ayoungdstanek, I guessed that, but...why?20:38
*** tonytan4ever has joined #openstack-keystone20:39
dstanekayoung: i think it's mainly because the literal syntax is cleaner than using the dict constructor. someone once said it was also faster, but i never bothered to verify20:39
notmorganayoung: dict() constructor is expensive20:39
notmorganand literal syntax [except sets] is easier to read20:40
notmorgandon't ever literal constructor sets though... cause it's the same as a dict just w/o the keys: value20:40
lbragstadis anyone else getting this issue on master with nosetests? http://cdn.pasteraw.com/ej2dnmpohzcmiqjmh8bcbpc2bow4w3g20:40
ayoungdstanek, I'm about to post an updated patch that uses it.  When I have it, I would appreciate you looking.  I'll ping you20:40
dstanekayoung: sure20:40
notmorganlbragstad: new venv?20:40
dstaneklbragstad: no, i'm not getting that20:41
lbragstadnotmorgan no20:41
dstaneklbragstad: is that master with no changes?20:41
notmorganlbragstad: might have stale dep.20:41
*** aginwala has quit IRC20:41
lbragstaddstanek this is the only thing i changed - http://cdn.pasteraw.com/e5udadv4wu5jv7x3zmvkecf2v9vyzyh20:41
lbragstadwhich should be unrelated20:41
lbragstadit doesn't fail with tox - so maybe it's a venv issue?20:42
notmorganor just inadvertant ick20:42
dstaneklbragstad: oh actually your using nose with 2.7. i never do that20:42
lbragstaddstanek ah - i just wanted to use a break point in those tests so I could figure out what was going on20:43
lbragstaddstanek i typically do that with nose and ipdb20:43
lbragstaddstanek which i tried doing here but it broke - resulting in the above paste20:43
lbragstadjust curious if anyone else had issues with that20:44
*** jaosorior has quit IRC20:44
dstaneklbragstad: odd20:46
lbragstaddstanek what - how i debug tests? :)20:47
dstanekno, the error20:47
*** cburgess_ has quit IRC20:48
*** cburgess has joined #openstack-keystone20:48
*** topol has quit IRC20:48
dstaneklbragstad: it's an order of operations thing. that code really need to import it like 'from keystone.tests.unit import utils'20:49
lbragstaddstanek let me try that quick20:50
lbragstaddstanek doing it in a python shell with that environment active works with the way you just described20:50
dstanekwhen running through tox it's automatically added to sys.modules by test_utils.py20:50
dstaneki think the import should be added and the 'unit.' should be removed from the decorator call20:51
lbragstaddstanek weird20:51
stevemartopolznc: ping20:51
topolzncstevemar Hi20:51
lbragstadso that worked20:52
*** topolznc is now known as topol20:52
*** topol is now known as Guest4533520:52
*** daemontool has quit IRC20:52
openstackgerritLance Bragstad proposed openstack/keystone: Fix import order in test_v3_protection.py  https://review.openstack.org/26657020:54
openstackgerritLance Bragstad proposed openstack/keystone: Fix admin domain in test_v3_protection.py  https://review.openstack.org/26657120:54
lbragstaddstanek ^ the first patch fixes the issue - the second patch is still wip for fixing bug 1533330 (which needs to get fixed before ayoung's fernet default switch patch will pass all the tests..20:55
openstackbug 1533330 in OpenStack Identity (keystone) "Some protection test cases have incorrect domain id setup" [Undecided,In progress] https://launchpad.net/bugs/1533330 - Assigned to Lance Bragstad (lbragstad)20:55
*** mhickey has joined #openstack-keystone20:56
*** raildo is now known as raildo-afk20:57
*** Guest45335 is now known as topol_20:57
*** topol_ is now known as Guest1258120:58
*** Guest12581 is now known as topol220:58
dstaneklbragstad: reviewed :-)20:59
dstaneklbragstad: i suggested a more detailed commit message20:59
stevemartopol2: poke20:59
*** jsavak has quit IRC20:59
topol2stevemar hi20:59
dstanektopol2: irc is hard20:59
notmorgantopol2: shady topol2 huh?21:00
notmorgani mean.. WHOARE YOU?!21:00
ayounglbragstad, +2A on the first one.  Feel free to consider that sticky21:00
notmorgan :P21:00
ayoungthe second one makes sense in breaking the tests21:00
lbragstaddstanek ++ thanks!21:00
*** jsavak has joined #openstack-keystone21:00
stevemartopol2: this should appear in your buffer21:00
ayoungtopol2, lookup the ghost command for IRC21:01
openstackgerritLance Bragstad proposed openstack/keystone: Fix import order in test_v3_protection.py  https://review.openstack.org/26657021:03
lbragstaddstanek ayoung attempted to commit message better ^21:04
openstackgerrithenry-nash proposed openstack/keystone: Fix incorrect signature in federation legacy V8 wrapper  https://review.openstack.org/26655921:04
*** pauloewerton has quit IRC21:05
*** topol2 is now known as topol_21:06
*** dave-mccowan has quit IRC21:06
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261421:07
*** ChanServ sets mode: +v topol_21:07
*** dave-mccowan has joined #openstack-keystone21:07
ayoungdstanek, on ^^ there are two things I'd like your eyes on21:07
*** topol_ is now known as topol21:07
ayounghttps://review.openstack.org/#/c/242614/43/keystone/tests/unit/test_v3_assignment.py  lines 2243 and 2244 I create arrays to do an "in" check right below it21:08
ayoungis there a better way?  Some way to avoid the interim collection21:08
ayoungdstanek, the other place is21:08
ayounghttps://review.openstack.org/#/c/242614/43/keystone/assignment/controllers.py  line 374 where I create the dict to lookup the role by id later in the function21:09
ayoungjust comment on the reviews either pro or con on the whether these are pythonic...21:09
ayoungand with that, I have to run again21:09
*** jsavak has quit IRC21:10
*** jsavak has joined #openstack-keystone21:10
*** tsymanczyk has quit IRC21:11
*** sigmavirus24 is now known as sigmavirus24_awa21:12
*** jsavak has quit IRC21:12
*** sigmavirus24_awa is now known as sigmavirus2421:13
openstackgerrithenry-nash proposed openstack/keystone: Correct docstrings for federation driver interface  https://review.openstack.org/26406821:14
*** ayoung has quit IRC21:14
*** spandhe has joined #openstack-keystone21:16
topolnotmorgan dstanek I am happy to inform you that you may send me irc messages 7 days a week and 24 hours a day and I will now receive them.21:20
*** jsavak has joined #openstack-keystone21:20
notmorgantopol: oh good :)21:20
dstanektopol: did IBM give you an assistant?21:21
topoldstanek feel free to tell me sunday at 3am how great the browns are. notmorgan feel free to tell me how you burned that chicken dish at 2am Monday21:21
notmorgantopol: maybe21:21
topolstevebot did me a huge solid getting me a bounce castle for my birthday21:21
dstanektopol: i'm sorry to tell you that the browns are currently under construction. estimated completion is around 2035.21:22
stevemardstanek: assistants that setup ZNC? that's a good assistant21:22
topoldstanek, notmorgan so I may not respond right away but please know your messages will be responded to in the order they are received21:23
*** timcline has quit IRC21:23
notmorgantopol: i expect a FILO queue not FIFO21:23
stevemardstanek: notmorgan release notes please :) https://review.openstack.org/#/c/266466/  https://review.openstack.org/#/c/266456/ and https://review.openstack.org/#/c/266474/ so i can propose new libs :)21:23
stevemaror i may just drop the PTL hammer and push them through21:24
notmorganstevemar: you should21:24
stevemarnotmorgan: i was thinking i should...21:24
notmorgani mean. i'm looking at them, but this is a case that even as a non-ptl i'd just push them if they look good21:24
stevemarnon-critical and doc related21:24
stevemari don't want folks to think i don't play by the rules :O21:24
notmorganand blocking release21:25
notmorganstevemar: there.21:26
stevemarnotmorgan: <321:26
notmorganstevemar: you're playing by the rules. i may not be :P21:26
notmorganbut there ya go21:26
*** tsymanczyk has joined #openstack-keystone21:26
notmorganwe should really look into possibly making RENO changes not run the full battery of gate jobs if we can21:26
*** tsymanczyk is now known as Guest3071621:26
stevemarnotmorgan: its not so bad with libs, they gate quickly because they are not part of integrated queue21:27
notmorganstevemar: aye21:27
*** Guest30716 has quit IRC21:30
*** aginwala has joined #openstack-keystone21:31
henrynashstevemar: on release notes, I’m never clear whether you should put anything in the first section..I kind of did in the first few ones…but not sure how well they read when they are combined together…..21:33
stevemarhenrynash: they read horribly when combined together21:34
stevemarhenrynash: i avoid the prelude section21:34
henrynashstevemar: agreed…that’s what I’m doing now21:34
henrynashstevemar: feel free to pull out the two V9 driver lines I added21:35
*** jsavak has quit IRC21:35
stevemarhenrynash: before mitaka ends i'll clean it all up21:35
henrynash...if you are doing a generl update….21:35
henrynashor I’ll put up a ptch to strip them out21:35
stevemaryou can do so, i'll punt it through21:35
henrynashstevemar: oh, seprate subject, just notcied we never put through this minor update to the spec on url safe names….https://review.openstack.org/#/c/253104/21:36
openstackgerritIan Cordasco proposed openstack/oslo.policy: Add oslopolicy-checker command-line tool  https://review.openstack.org/17097821:36
henrynashstevemar: we’ve implemented it as this additonal patch specifies, so should probably merge that spec change21:37
*** jbell8 has joined #openstack-keystone21:37
openstackgerritSteve Martinelli proposed openstack/keystone: Adds an explicit utils import in test_v3_protection.py  https://review.openstack.org/26657021:38
*** avarner has joined #openstack-keystone21:38
stevemarlbragstad: noooo i updated the patch too21:38
*** timcline has joined #openstack-keystone21:38
stevemarhenrynash: !!21:38
avarnerDoes anyone know how to set a project's parent_id from the command line?21:38
stevemarhenrynash: done21:38
henrynashsteevmar: thx21:38
stevemarbknudson_: if you are around for stable patches: https://review.openstack.org/#/c/266045/ and https://review.openstack.org/#/c/266022/21:40
lbragstadstevemar works for me21:40
bknudson_stevemar: not sure I can +2 patches that I authored.21:41
stevemarlbragstad: i don't work for you :O21:41
stevemarbknudson_: give them a +1?21:41
lbragstadstevemar troll21:41
stevemarlbragstad: buahaha21:41
openstackgerrithenry-nash proposed openstack/keystone: Tidy up release notes for V9 drivers  https://review.openstack.org/26658121:41
lbragstaddstanek there must be some more weird test magic in https://review.openstack.org/#/c/266571/121:42
*** pai15 has quit IRC21:43
stevemarhenrynash: are you happy with the status of the legacy tests job?21:43
lbragstadtechnically, it was creating an 'admin_domain' and *all* the tests in test_v3_protection.py passed. As soon as you update it to use a normal domain - tests fail with 403s21:43
*** pai15 has joined #openstack-keystone21:43
lbragstadthis makes me feel like that is some hardcoded wonkiness going on somewhere...21:43
lbragstadbut I can't find it21:43
stevemarhenrynash: can we make it voting? i think it's catching real errors and succeeded when it should21:43
henrynashstevemar: i.e. should we make them gating?21:43
stevemarhenrynash: yes21:44
openstackgerritMerged openstack/keystone-specs: Redefine url-safe requirements for names to tolerate unicode  https://review.openstack.org/25310421:44
openstackgerritIan Cordasco proposed openstack/oslo.policy: Add oslopolicy-checker command-line tool  https://review.openstack.org/17097821:44
*** gyee has joined #openstack-keystone21:44
*** ChanServ sets mode: +v gyee21:44
sigmavirus24stevemar: ^ Added a blueprint21:44
henrynashstevemar: yes, we should - I saw them catch two errors in different patches already…and no false errors21:44
stevemarhenrynash: wonderbar!21:44
henrynashstevemar: in fact, I have been adding to them: see: https://review.openstack.org/#/c/266559/21:46
*** tsymanczyk has joined #openstack-keystone21:46
*** tsymanczyk is now known as Guest9771021:47
stevemarhenrynash: nice21:47
*** petertr7 is now known as petertr7_away21:47
stevemarhenrynash: if you want to vote: https://review.openstack.org/#/c/266582/21:47
*** pai15 has quit IRC21:47
henrynashstevemar: done21:47
stevemarsigmavirus24: thank yee21:48
sigmavirus24stevemar: always happy to help21:48
stevemarsigmavirus24: wanna help s'more? https://review.openstack.org/#/c/261801/21:49
lbragstadnotmorgan it looks like we hardcode admin_domain_id in our policy file?21:49
dstaneklbragstad: why do you say that?21:49
notmorganlbragstad: probably at the moment:(21:50
sigmavirus24stevemar: I promise not to git-blame that code21:50
lbragstaddstanek notmorgan - https://github.com/openstack/keystone/blob/ae87c03813fa0a1bfcd9d690817c8d45ee76fcb1/etc/policy.v3cloudsample.json#L321:50
stevemarsigmavirus24: :)21:50
lbragstadthe very last bit21:50
henrynashlbragstad: so it’s a placeholder….a dployment is meant to replaces that with teh ACTUAL domain id of teh domain tehy are belssing as the admin domain21:50
dstaneklbragstad: is the test really doing anything as admin? it looks more like it's creating a domain that just happens to have admin in the name21:50
stevemarsigmavirus24: there was a weird effort to make all the exceptions common and in oslo incubator21:50
lbragstaddstanek it's creating a domain with 'admin_domain_id' as the domain id21:51
lbragstadwhich is hard coded to the policy file21:51
henrynashdstanek, lbragstad: so that as users with a domain scoped token to that domain has cloud admin status21:51
lbragstadhenrynash so, that's what determines if someone is a "cloud admin"21:51
dstaneklbragstad: does it do anything that would trigger that rule?21:51
lbragstaddstanek the v3 protection tests have assertions to check that the cloud admin can in fact do whatever21:52
henrynashlbragstad: if they have a domain scoped token to the domain_id that matches the rule in the policy file21:52
henrynashlbragstad: which in a real deployment, the policy file would have been modifed to patch in the REAL domain id of whatever domain the deployer had chosen21:53
lbragstadhenrynash dstanek what is happening now, which my patch, is that i'm not using 'admin_domain_id' as the domain id (https://review.openstack.org/#/c/266571/1/keystone/tests/unit/test_v3_protection.py)21:53
*** spzala has quit IRC21:53
stevemarsigmavirus24: thanks for all the iterations21:53
lbragstadand because I changed that, the tests fail because the policy file still considers the admin_domain_id to be the right one.21:54
*** spzala has joined #openstack-keystone21:54
henrynashlbragstad, dstanek: now this pre-dates the new “admin-project/admin-domain” stuff that ayong has added….and we should switch these tests over to use that21:54
*** pai15 has joined #openstack-keystone21:55
lbragstadhenrynash is there a way to override the config in the tests?21:55
henrynashlbragstad, dstanek: I think he has only done the admin-project part (it’s part of that same rule in the policy file now)21:55
lbragstadso the I can set "admin_domain_id" to be self.admin_domain['id']21:55
henrynashlbragstad: you’d need to overide the policy file, which is the thing this test is testing!21:56
*** belmoreira has joined #openstack-keystone21:56
dstaneklbragstad: when i make your change i get a bunch of 403 errors21:56
henrynashlbragstad: but the new adminproject/admindomain stuff is the way to go - and is designed to get away from having to have the domain_id patched in the polciy file21:56
lbragstaddstanek ++ yep, that'21:56
lbragstadwhat i get21:56
lbragstadhenrynash gotcha21:56
dstanekthat's what you would expect right?21:57
*** pai15 has quit IRC21:57
*** petertr7_away is now known as petertr721:57
*** pai15 has joined #openstack-keystone21:57
lbragstaddstanek I'm not sure; part of me thinks it would be the intended behavior but the other part of me thinks we're testing things we keep making changes to21:58
lbragstadi'm not sure which one is right21:58
*** spzala has quit IRC21:58
henrynashlbragstad: do you need to fix this test now? I need to check if admain added the admindomain part of his spec (not sure he did)…it may be waiting for teh projects acting as a domain….21:59
lbragstadhenrynash the only reason i started digging into this was because 'admin_domain_id' was getting into the fernet provider and failing here - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L375-L38222:00
lbragstadhenrynash because 'admin_domain_id' isn't 'default'22:00
lbragstadwhich is why the exception is raised again22:00
*** jsavak has joined #openstack-keystone22:00
*** pai15 has quit IRC22:00
*** ayoung has joined #openstack-keystone22:00
*** ChanServ sets mode: +v ayoung22:00
henrynashlbragstad: ah22:00
lbragstadso, I thought it was just a matter or replacing 'admin_domain_id' with uuid.uuid4().hex22:00
* lbragstad was wrong22:00
*** pai15 has joined #openstack-keystone22:00
henrynashlbragstad: :-)22:00
*** pai15 has quit IRC22:00
lbragstadhenrynash suggestions? (you seem to be much more familiar with this than i am)22:01
henrynashlbragstad: I’ll try and dig in later today to find out how far we are away from switching to the new admindmain stuff22:01
lbragstadhenrynash i did open this - https://bugs.launchpad.net/keystone/+bug/153333022:01
openstackLaunchpad bug 1533330 in OpenStack Identity (keystone) "Some protection test cases have incorrect domain id setup" [Undecided,In progress] - Assigned to Lance Bragstad (lbragstad)22:01
*** spzala has joined #openstack-keystone22:01
lbragstadhenrynash which might not be relevant given this discussion?22:02
henrynashlbragstad: yep, saw that…I think I commented on it22:02
lbragstador maybe it is relevant but it just needs to be closed with a different blueprint (or something)22:02
henrynashlbragstad: so we could re-write the test now, so that cloud admin is a project scoped token to the (already supported) admin project….I haven’t looked at that…I’d be happy to do that later today22:02
openstackgerritIan Cordasco proposed openstack/oslo.policy: Run docs testenv by default with tox  https://review.openstack.org/26659122:03
lbragstadhenrynash let me double check that we don't have something similar to this in the project part of the token provider22:03
lbragstadhenrynash i don't think we do - https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L42422:03
lbragstadhenrynash so that might be possibility22:04
lbragstadhenrynash i could also try adding 'admin_domain_id ' to be a special case in the Domain scoped token class22:04
*** mhickey has quit IRC22:05
*** aginwala has quit IRC22:06
henrynashlbragstad: pretty yuk, that…22:06
henrynashlbragstad: let me fix the test for you….can’t do it till late today…22:07
henrynashlbragstad: I think I know how (and if not, then we have implemented admin project wrong)22:08
lbragstadhenrynash sweet! I like that better22:09
avarnerAre hierarchical projects broken?22:09
*** jasonsb has quit IRC22:10
avarnerKeystone seems to have no way to set or query a project's parent_id22:10
jorge_munozayoung: Hi, I have been trying to refactor some of the trust test cases on patch https://review.openstack.org/#/c/266052 and on the setuo for Trust22:10
ayoungjorge_munoz, you are not the only one22:10
ayoungjorge_munoz, someone else just posted a refactroing of the trust cases.  look in gerrit22:11
lhchengavarner: moving project to another parent project is not supported.22:11
avarnerCan I create a project under a parent?22:11
lhchengavarner: yes, it should work. you need keystone v3.22:11
*** petertr7 is now known as petertr7_away22:11
*** vgridnev has quit IRC22:12
*** chris_19 has joined #openstack-keystone22:12
*** jbell8 has quit IRC22:12
avarnerlhcheng, do you know the command line syntax?22:12
avarnerI'm trying: keystone --os-identity-api-version 3.6 tenant-create --name my_tenant_1 --description 'aaaa' --parent-id 123422:13
lhchengavarner: you need to use openstackclient22:13
lbragstadayoung yeah, that was my patch - jorge_munoz is working on one of the dependency ones of the one that merged this morning22:13
jorge_munozIn the setup for TrustAPIBehavior, a trust is create with allow_redelegation=True but has a comment above states that no redelegation should be allowed. I just want to make sure that I’m not missing something.22:13
ayoungjorge_munoz, git blame those, to make sure they came on the same commit, and look at the reviews22:14
*** dims has quit IRC22:15
lhchengavarner: 'openstack project create --parent <parent> <project_name>'22:16
*** jamielennox|away is now known as jamielennox22:17
avarnerlhcheng, thanks, I must have an old version22:19
jorge_munozayoung: So this was written by Alexander Makarov and tested as doing chain redelegations. The comment might just be incorrect. Just to be sure setting redelefation to False will not allow a user to create a new trust with a trusted token, right?22:20
lbragstadayoung jorge_munoz looks like it was all in the same commit - https://github.com/openstack/keystone/commit/0b89e8b2a414ac1c5b0c32974fbf741bd775c1c022:20
chris_19question about identity endpoints in the service catalog, running Liberty: does it matter if they end in :5000, :5000/v2.0, or :5000/v3? Is there a best practice?22:21
lbragstadayoung jorge_munoz here is the original commit - https://review.openstack.org/#/c/126897/22:21
*** ayoung has quit IRC22:23
chris_19Changing them definitely affects the way the clients and libraries work.22:25
*** peter-hamilton has quit IRC22:25
*** aginwala has joined #openstack-keystone22:28
*** ankita_wagh has joined #openstack-keystone22:29
tjcocozzpint stevemar22:30
tjcocozzping ^^22:30
*** gordc has quit IRC22:32
avarnerHow can I determine what version of keystone is installed?22:32
chris_19Look at the folder installed in site-packages22:33
lbragstaddstanek did you mean 'assignment' here instead of 'notifications'? https://review.openstack.org/#/c/215715/16/keystone/identity/core.py22:34
tjcocozzavarner, for me it shows up in 'pip list'22:36
dstanekno, i think we can get rid of some of the x-subsystem stuff using notifications22:36
*** belmoreira has quit IRC22:36
dstaneklbragstad: a better example is https://review.openstack.org/#/c/215715/16/keystone/resource/core.py22:36
chris_19you could also try:22:37
chris_19>>> import pbr.version22:37
chris_19>>> print pbr.version.VersionInfo('keystone').version_string()22:37
dstaneklbragstad: so the resource subsystem has to know when the assignment subsystem thinks something is invalid22:37
lbragstaddstanek oh - nevermind... i mis-read your comment22:37
dstaneklbragstad: if would be nice to have all of the assignment related to together22:37
dstaneklbragstad: food for thought22:38
* dstanek is going to grab some dinner22:38
avarnertjcocozz, looks like I have 9.0.0.dev304 - can I tell which version of the API that corresponds to?22:38
lbragstaddstanek so the assignment/core.py module could contain all the cache specific stuff and then a call back can be added to resource/core.py22:38
stevemartjcocozz: whaddup22:38
tjcocozzstevemar, just 1 sec22:38
stevemartjcocozz: of course tommy j22:39
avarnerI need API version 3.4 or later22:39
avarnerUnfortunately, keystone API documentation has no dates in it22:39
tjcocozzavarner, should it be in the tox.ini for what version of the client is needed22:39
dstaneklbragstad: resource wouldn't have any callback. it would just send a notification that something happened and assignment would listen for it22:39
avarnertjcocozz, not client version, API version22:39
dstaneklbragstad: i can come up with an example a little later tonight22:39
avarnerI need API 3.4 support in the keystone service22:40
tjcocozzstevemar, i am trying to backport https://review.openstack.org/#/c/258143/ for some reason the file auth_token/__init__.py has been changed so much i don't think it is possible22:40
stevemartjcocozz: ouch22:41
*** timcline has quit IRC22:41
stevemarbknudson_: should we still backport the server fixes if we can't backport the middleware ones?22:41
tjcocozzstevemar, what do you recommend??22:41
bknudson_stevemar: well, the bug isn't fixed if we don't backport both22:41
tjcocozzthis is for kilo btw ^^22:42
stevemarbknudson_: yep, that's what i figured22:42
stevemarbknudson_: tjcocozz okay let's see why we can't backport the fix22:42
stevemarits these here: https://review.openstack.org/#/q/I483bc57bd38eb81a0905bcaf94e4ea82604919d6,n,z22:43
navidpjamielennox, keystone auth question22:43
jamielennoxnavidp: yep22:43
stevemartjcocozz: you having trouble with kilo or liberty?22:43
tjcocozzstevemar, kilo.... the liberty patch is gold :-)22:43
navidpjamielennox, ok i will look to make sure he is not working on it22:44
navidpjamielennox, do you know get_options method in https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v2.py#L40-L4922:44
stevemartjcocozz: oh okay22:44
navidpjamielennox, how can you get options for keystoneauth ??22:45
jamielennoxso that part has moved over to loading22:45
tjcocozzstevemar, i am going to leave the office.  Good luck!22:45
jamielennoxnavidp: there's some details here; https://github.com/openstack/keystoneauth/blob/master/doc/source/migrating.rst22:46
lbragstaddstanek sounds good! thanks22:46
stevemartjcocozz: see ya22:46
stevemarbknudson_: does it make a difference if i cherry pick from master as opposed to liberty?22:46
navidpjamielennox, how the plugins are loading versus ksc?22:46
navidpjamielennox, in keystoneauth22:47
bknudson_stevemar: if you had to make changes to resolve conflicts during the backport then you'll want to pick from L since then there should be fewer or no conflicts22:47
*** chris_19 has left #openstack-keystone22:48
avarnerWhen was identity API version 3.4 support released?22:48
avarnerThis should be a really easy, obvious questions22:48
avarnerBut openstack's documentation says nothing about it22:48
*** chris_19 has joined #openstack-keystone22:49
navidpjamielennox, i looked into this document, what i am trying to fiugre out is how authentication is different in keystoneauth vs keystoneclient22:49
jamielennoxnavidp: the auth part is no different, it's the process of loading the plugins that has changed22:51
*** chris_19 has quit IRC22:51
jamielennoxnavidp: previously there was a get_options classmethod on the plugin itself. this lets there be only one way to load the actual plugin22:51
navidpjamielennox, is there any documents explaing that or any cliffhangers you can direct me to ??22:51
jamielennoxinstead now we have a loading object that refers to a plugin so you could have many loaders per plugin22:52
*** chris_19 has joined #openstack-keystone22:52
navidpjamielennox, I see that most of places get_options are gone.22:52
*** chris_19 has left #openstack-keystone22:52
jamielennoxnavidp: yes, they've moved onto the loaders eg22:53
*** chris_19 has joined #openstack-keystone22:54
*** avarner has left #openstack-keystone22:55
*** KarthikB_ has quit IRC22:55
navidpso i ahould use loader to load and leave get_options out of it, now get_options has some other functionality, right22:55
*** KarthikB_ has joined #openstack-keystone22:56
navidpfor example how can i get_options_list like in ksc ??22:56
navidpjamielennox,  for example how can i get_options_list like in ksc ??22:56
*** chris_19 has left #openstack-keystone22:58
stevemarbknudson_: gonna ask you for a set of eyes in a few minutes22:59
stevemari think i managed to backport the patch...22:59
*** aginwala has quit IRC23:00
*** KarthikB_ has quit IRC23:00
*** sigmavirus24 is now known as sigmavirus24_awa23:01
*** KarthikB_ has joined #openstack-keystone23:02
*** tonytan4ever has quit IRC23:04
*** aginwala has joined #openstack-keystone23:05
jamielennoxnavidp: http://docs.openstack.org/developer/keystoneauth/api/keystoneauth1.loading.html#keystoneauth1.loading.base.get_plugin_options23:06
jamielennoxwould give you the ksa.loading.Opts23:06
jamielennoxhttp://docs.openstack.org/developer/keystoneauth/api/keystoneauth1.loading.html#keystoneauth1.loading.conf.get_plugin_conf_options is the oslo.config opts23:07
jamielennoxbut they are both in loading/__init__ with a better name23:07
*** KarthikB_ has quit IRC23:07
navidpjamielennox, thanks23:10
openstackgerritMerged openstack/python-keystoneclient: add release notes for ksc 2.1.0  https://review.openstack.org/26646623:12
openstackgerritMerged openstack/keystoneauth: add release notes for ksa 2.2.0  https://review.openstack.org/26645623:12
*** dave-mccowan has quit IRC23:15
stevemartjcocozz: bknudson_ https://review.openstack.org/#/c/266607/23:16
stevemarhad to modify the test just a tad, diff PS1 and PS2 to see what i did23:16
bknudson_this must be where we switched the tests to use webtest.23:18
*** aginwala has quit IRC23:20
*** e0ne has quit IRC23:26
*** browne has quit IRC23:29
*** aginwala has joined #openstack-keystone23:32
*** spzala has quit IRC23:35
*** spzala has joined #openstack-keystone23:36
*** KarthikB_ has joined #openstack-keystone23:36
*** sigmavirus24_awa is now known as sigmavirus2423:38
*** Karthik__ has joined #openstack-keystone23:38
*** spzala has quit IRC23:40
*** KarthikB_ has quit IRC23:41
*** Karthik__ has quit IRC23:43
*** spzala has joined #openstack-keystone23:43
*** spzala has joined #openstack-keystone23:44
*** sigmavirus24 is now known as sigmavirus24_awa23:47
*** sigmavirus24_awa is now known as sigmavirus2423:48
*** spzala has quit IRC23:48
*** oomichi_away is now known as oomichi23:49
*** ninag has quit IRC23:50
*** ninag has joined #openstack-keystone23:51
*** ninag has quit IRC23:51
*** phalmos has quit IRC23:52
*** spzala has joined #openstack-keystone23:56
*** bjornar1 has quit IRC23:58
*** shoutm has joined #openstack-keystone23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!