Wednesday, 2016-02-10

bigjools: dstanek: how hard would it be to convert that stuff in ksfixtures to a standalone module that could go in oslotest? [00:18]
bigjools: or anywhere, if that's not appropriate [00:18]
openstackgerrit: Jorge Munoz proposed openstack/keystone: Fix trust chain/redelegation tests  https://review.openstack.org/278163 [00:31]
dstanek: bigjools: is any of it really usable beyond keystone? [00:34]
bigjools: dstanek: I'd certainly find it useful to make a fixture in rally [00:34]
bigjools: "make it and they will come" :) [00:35]
dstanek: bigjools: i can see making a fixture in rally, but i'm not sure about using ours [01:09]
bigjools: oh, any particular reason? [01:10]
openstackgerrit: David Stanek proposed openstack/keystone: Disable the ipv6 tests in py34  https://review.openstack.org/278147 [01:11]
openstackgerrit: David Stanek proposed openstack/keystone: Uses open context manager for templated catalogs  https://review.openstack.org/278053 [01:11]
openstackgerrit: David Stanek proposed openstack/keystone: Enables token_data_helper tests for Python3  https://review.openstack.org/278055 [01:11]
openstackgerrit: David Stanek proposed openstack/keystone: Stop using nose as a Python3 test runner  https://review.openstack.org/278054 [01:11]
dstanek: bigjools: i think they are pretty specific to the way we run tests. probably not all of them, but most of them [01:12]
bigjools: fair enough [01:12]
bigjools: I still think there's worth in a generic KeystoneFixture [01:13]
bigjools: could even be a separate project [01:13]
dstanek: bigjools: only if you make the unit tests a separate project, otherwise it wouldn't make sense [01:13]
dstanek: i think the only generic one we have is temporaryfile and we should probably push that upstream [01:14]
bigjools: not at all - for example https://pypi.python.org/pypi/rabbitfixture/0.3.6 [01:14]
dstanek: bigjools: that is designed to be used by project to mock out rabbit. we don't have that [01:15]
dstanek: our fixtures setup our database, cache, etc. [01:15]
bigjools: it's not mocking rabbit, it runs rabbit [01:15]
*** nekrodesk has joined #openstack-keystone [01:16]
bigjools: but I see why your particular fixture is no generic use [01:16]
*** diazjf has quit IRC [01:16]
bigjools: I'm just saying I see value in something like that rabbit fixture which runs up an actual instance [01:16]
dstanek: misspoke. i meant setup.  in keystone we are really doing our mocking/faking in fixtures [01:17]
*** gokrokve has quit IRC [01:17]
bigjools: ok [01:17]
dstanek: bigjools: it may be useful for things that depend on keystone [01:17]
bigjools: yes exactly :) [01:17]
openstackgerrit: guang-yee proposed openstack/keystone: Use the right driver to get limits  https://review.openstack.org/266989 [01:18]
bigjools: If i had more spare time I'd give it a go myself, but sadly 4 kids and a chronic health issue eat it all [01:18]
dstanek: bigjools: ouch. i'm sorry to hear that [01:19]
bigjools: I know, 4 kids right [01:20]
dstanek: bigjools: i have the same :-) [01:20]
bigjools: :) [01:20]
dstanek: bigjools: something like that would be terribly slow. what would you expect it to be used for? functional tests for other projects? [01:21]
bigjools: yes pretty much [01:22]
bigjools: it'll only be slow for setup [01:22]
bigjools: so you can just make a FixtureResource or something [01:22]
dstanek: bigjools: it would be slow for each test. the setup runs for every test method [01:23]
bigjools: not if it's a fixtureresource [01:23]
bigjools: they exist across tests [01:23]
bigjools: that's why we made the rabbitfixture, it's not quick to set up at all but if used as a resource it's great [01:24]
dstanek: so it would basically be slow across test classes right? [01:24]
bigjools: yes [01:24]
bigjools: you would have to group all tests that need it in as few test classes as possible [01:24]
dstanek: at that point is it better to have the test infrastructure setup an instance? [01:25]
bigjools: always a consideration, yes [01:25]
bigjools: there's tradeoffs [01:25]
dstanek: i'm trying to visualize what i would want to do if i needed this for some other project [01:27]
bigjools: I would absolutely start with a self-contained keystonefixture [01:28]
dstanek: bigjools: looking over the rabbit code now [01:28]
bigjools: which may consist of other fixtures [01:29]
dstanek: bigjools: it looks like that is just a regular fixture. what's the magic that makes it load once per class? [01:30]
bigjools: for the lazy: http://bazaar.launchpad.net/~lazr-developers/rabbitfixture/trunk/view/head:/rabbitfixture/server.py [01:30]
*** mylu has quit IRC [01:31]
dstanek: that's just doing the normal setUp. i'm assuming you would self.useFixture it in the test class setUp [01:31]
dstanek: hmmm...is it maybe caching the server process in a global? [01:32]
*** mylu has joined #openstack-keystone [01:35]
*** _cjones_ has quit IRC [01:36]
bigjools: dstanek: testresources.FixtureResource [01:36]
bigjools: you can use a fixture as a test resource [01:37]
dstanek: bigjools: how is that typically used? in a setUpClass? [01:38]
bigjools: dstanek: you define a class variable called 'resources', from memory [01:40]
bigjools: which defines class vars as fixtures [01:40]
bigjools: as long as you are using testtools.TestCase [01:42]
*** mylu has quit IRC [01:44]
dstanek: i just took a look at the testresources code. i've never seen FixtureResource used before. [01:45]
*** darrenc is now known as darrenc_afk [01:47]
bigjools: it's pretty neat [01:48]
stevemar: what the heck happened to our py34 tests :( [02:05]
notmorgan: stevemar: dstanek "fixed" it to be blacklist? [02:05]
dstanek: notmorgan: stevemar: no, eventlet 0.18.2 [02:05]
notmorgan: oh that [02:05]
stevemar: notmorgan: i don't think so, last merge was long ago [02:05]
notmorgan: pypi screwup [02:06]
notmorgan: can we ditch eventlet yet? ;) [02:06]
stevemar: dstanek: know if there's a patch to skip that? [02:06]
dstanek: https://review.openstack.org/#/c/278147/ [02:06]
notmorgan: they removed 0.18.1 from pypi [02:06]
notmorgan: that is the issue [02:06]
notmorgan: or an issue [02:06]
notmorgan: as well [02:06]
dstanek: 0.18.2 has a bug and g-r was updated [02:07]
notmorgan: wonderful [02:07]
dstanek: nova shit itself too https://review.openstack.org/277912 [02:07]
*** diazjf has joined #openstack-keystone [02:07]
notmorgan: yeah [02:07]
notmorgan: basically eventlet did stupid [02:07]
dstanek: if jenkins would give me some love then we can merge that in [02:08]
stevemar: dstanek: i think we'll just need to wait til that eventlet release is blocked in requirements [02:08]
notmorgan: yep [02:08]
*** aginwala has quit IRC [02:09]
stevemar: is there no patch up to block 0.18.1 and 0.18.2 yet [02:09]
stevemar: ? [02:09]
dstanek: stevemar: to my knowledge they are riding out 0.18.2 [02:11]
dstanek: stevemar: http://lists.openstack.org/pipermail/openstack-dev/2016-February/086180.html [02:13]
*** Ephur has quit IRC [02:13]
stevemar: dstanek: "riding things out" really? [02:13]
dstanek: stevemar: i don't think anyone else felt any pain, but i have no idea [02:14]
dstanek: i'd love to just stay on 0.17.4 where things "worked" [02:14]
dstanek: dims_: may know more [02:14]
dims_: stevemar : only reports i have so far is nova and keystone, nova fixed up their unit tests [02:15]
dims_: stevemar : my earlier suggestion was to skip tests tonight and request haypo for help in the AM since some of the eventlet/wsgi/py3 stuff was from him (in eventlet) [02:16]
stevemar: great, who gives a damn about keystone :] [02:16]
*** spandhe has quit IRC [02:16]
stevemar: eventlet support is deprecated, this just encourages us to remove it [02:16]
dstanek: my "fix" has about 45 mins left in the check queue and then it can be merged [02:16]
stevemar: dstanek: skip the ipv6 tests? [02:17]
dims_: stevemar : not true :) [02:17]
dstanek: dims_: true for us [02:17]
dims_: dstanek : why do you feel so? (want to understand) [02:17]
stevemar: feelin like the unwanted step child =\ [02:18]
dstanek: dims_: we've deprecated eventlet in keystone so it's on the roadmap to be deleted [02:18]
stevemar: dstanek: i just gotta fix 4 failing tests here: https://review.openstack.org/#/c/249486/ [02:18]
dims_: stevemar : if you feel we need to throw up a 0.18.2 block, please do! [02:19]
*** aginwala has joined #openstack-keystone [02:20]
dims_: stevemar : dstanek : before making any oslo release, i run py27 and py34 of oslo.* from master :) [02:20]
dims_: against keystone that is [02:20]
*** spandhe has joined #openstack-keystone [02:21]
stevemar: dims_: i'll see how stanek's fix goes, and will toss up a block of eventlet if we cant get around it [02:21]
dims_: stevemar : +1, if you have a bug, please point me to it as well [02:21]
dims_: i'll ping haypo when i wake up [02:22]
*** diazjf has quit IRC [02:22]
dstanek: stevemar: 40 mins left and already passed all of our unit tests...now just waiting on tempest and grenade tests [02:22]
*** diazjf has joined #openstack-keystone [02:23]
*** browne has quit IRC [02:24]
stevemar: dstanek: i'll +2/W it right away [02:25]
dstanek: i know it's an irrational fear, but i don't want to push any more code until that gets checked [02:32]
stevemar: dstanek: it's a bit irrational :) [02:54]
openstackgerrit: Tin Lam proposed openstack/keystone: H405 violations: multi line docstring summary not separated with an empty line  https://review.openstack.org/278190 [03:16]
stevemar: dstanek: my isp went down, did your tests pass locally? [03:38]
dstanek: stevemar: they passed jenkins too [03:38]
*** mylu has quit IRC [03:38]
dstanek: stevemar: https://review.openstack.org/#/c/278147/ [03:38]
stevemar: dstanek: +2 / +A [03:39]
jamielennox: notmorgan: https://review.openstack.org/#/c/268553/ [05:25]
openstackgerrit: Maho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/261188 [06:18]
openstackgerrit: Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/267449 [06:20]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/249486 [06:20]
*** jsheeren has joined #openstack-keystone [06:23]
*** aginwala has joined #openstack-keystone [06:23]
openstackgerrit: Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/267449 [06:40]
openstackgerrit: Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3)  https://review.openstack.org/267456 [06:46]
openstackgerrit: Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3)  https://review.openstack.org/267456 [07:08]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/249486 [07:21]
stevemar: that took way too long to unwind [07:21]
stevemar: bknudson_: ^ take a look if you can [07:22]
openstackgerrit: Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3/contrib)  https://review.openstack.org/268003 [07:26]
openstackgerrit: Kalaswan Datta proposed openstack/keystone: Clear the project ID from user information  https://review.openstack.org/277707 [07:57]
openstackgerrit: Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3/contrib)  https://review.openstack.org/268003 [07:57]
openstackgerrit: Merged openstack/keystone: Disable the ipv6 tests in py34  https://review.openstack.org/278147 [08:12]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/249486 [08:22]
openstackgerrit: Tony Wang proposed openstack/keystone: improve credential tests  https://review.openstack.org/265610 [11:40]
*** peter-hamilton has joined #openstack-keystone [11:49]
*** sinese_ has joined #openstack-keystone [11:49]
openstackgerrit: Dave Chen proposed openstack/keystone: TEST: PLS DON'T REVIEW ME  https://review.openstack.org/262364 [11:52]
samueldmq: morning all [11:58]
*** fhubik_brb is now known as fhubik [11:58]
samueldmq: lbragstad: is there something to be done in bug #1473567 yet? [11:58]
openstack: bug 1473567 in OpenStack Identity (keystone) "Fernet tokens fail tempest runs" [High,In progress] https://launchpad.net/bugs/1473567 - Assigned to Lance Bragstad (lbragstad) [11:58]
openstackgerrit: Michael Krotscheck proposed openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/241317 [12:20]
dstanek: any cores have a min? simple one to get through https://review.openstack.org/#/c/278053/ [12:36]
openstackgerrit: David Stanek proposed openstack/keystone: Enables token_data_helper tests for Python3  https://review.openstack.org/278055 [12:38]
openstackgerrit: David Stanek proposed openstack/keystone: Stop using nose as a Python3 test runner  https://review.openstack.org/278054 [12:38]
marekd: dstanek: done [13:28]
*** vgridnev has joined #openstack-keystone [13:28]
dstanek: marekd: thx! [13:31]
marekd: yw [13:31]
openstackgerrit: Marek Denis proposed openstack/keystone: Deprecate Saml2 auth plugin  https://review.openstack.org/275438 [13:47]
openstackgerrit: Michael Krotscheck proposed openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/241317 [14:00]
*** petertr7_away is now known as petertr7 [14:06]
*** roxanaghe has joined #openstack-keystone [14:06]
dstanek: grrrr... i can reproduce the failure here: https://review.openstack.org/#/c/278054/ [14:08]
*** roxanaghe has quit IRC [14:10]
marekd: dstanek: ooh [14:11]
marekd: what is this facadeengine for actually? [14:12]
*** jamie_h has joined #openstack-keystone [14:16]
jamie_h: is there a way to see the activity for a specific token based on its audit id? [14:17]
jamie_h: like a frontend API where you pass in the id [14:17]
marekd: jamie_h: like a lifecycle of the user? [14:17]
jamie_h: marekd: something like that. anything that can provide some kind of security auditing [14:18]
marekd: jamie_h: even if possible i'd say it's up to the service consuming CADF events [14:18]
marekd: so surely not keystone [14:18]
marekd: topol: or stevemar  may know a little bit more. [14:18]
jamie_h: keystone provides audit_ids for each token though, right? [14:18]
jamie_h: once those audit_ids have been issued, does it aggregate token activity according to the ID? [14:19]
marekd: jamie_h: i am not sure [14:19]
bknudson_: dstanek: when I removed /etc/keystone/policy.json the tests failed [14:30]
bknudson_: I think there's a bug for this already? [14:30]
dstanek: bknudson_: really? mine didn't [14:30]
bknudson_: I'll look into it some more... maybe it's looking elsewhere, too. [14:31]
bknudson_: also want to try on py27 [14:31]
dstanek: jamie_h: i don't think we record what is done with a token. we do issue CADF events though [14:32]
*** bill_az has joined #openstack-keystone [14:33]
jamie_h: dstanek: are those CADF events generated for activity on every openstack service or just keystone? [14:34]
dstanek: jamie_h: is there something specific you are trying to do? [14:34]
jamie_h: dstanek: security auditing [14:34]
dstanek: jamie_h: not sure which services emit events [14:34]
*** peter-hamilton has quit IRC [14:34]
bknudson_: as far as I know cadf is only on keystone. You'd have to ask the nova, etc., folks if they implemented it [14:34]
dstanek: bknudson_: ok, i got the failure now! [14:39]
bknudson_: dstanek: it fails the same way on py27 and py34, but some earlier test must be affecting it on py27 so it doesn't fail [14:40]
dims: dstanek : bknudson_ : stevemar : report back from eventlet-land, haypo is working on it https://github.com/eventlet/eventlet/issues/296 [14:40]
bknudson_: there must be a bug for this. [14:40]
dstanek: bknudson_: it only fails in isolation for me. should be a quick fix [14:41]
jamie_h: why was CADF events added if it wasn't guaranteed that other services would log user activity? [14:41]
bknudson_: dstanek: https://bugs.launchpad.net/keystone/+bug/1520383 [14:41]
openstack: Launchpad bug 1520383 in OpenStack Identity (keystone) "Tests that need policy.json can never find it if run in isolation" [Undecided,New] [14:41]
dstanek: bknudson_: thx. i just took it over [14:42]
bknudson_: dims: neat, thanks! [14:44]
lbragstad: samueldmq no - we should be passing tempest tests with fernet [14:44]
bknudson_: I assumed it was something keystone tests were doing wrong. [14:44]
lbragstad: samueldmq at least with those patches that have gone into tempest [14:44]
dstanek: dims: awesome [14:44]
dims: dstanek : hope you feel the love now :) [14:45]
dstanek: dims: :-) [14:49]
dstanek: bknudson_: for the record i am completely against globals [14:52]
bknudson_: dstanek: noted [14:57]
openstackgerrit: Brant Knudson proposed openstack/keystone: Switch to configless bandit  https://review.openstack.org/278136 [15:10]
*** vgridnev has joined #openstack-keystone [15:11]
openstackgerrit: Jorge Munoz proposed openstack/keystone: Fix trust chain/redelegation tests  https://review.openstack.org/278163 [15:11]
topol: jamie_h did you have questions on CADF? [15:16]
*** pnavarro has quit IRC [15:16]
* topol loving this irc bouncer stevemar and notmorgan got me for my birthday [15:16]
marekd: topol: he was not sure whether audit_id value is kept for all actions executed for a given token. [15:28]
topol: marekd define kept? [15:28]
topol: I think it is [15:28]
marekd: say i reuse token and do actions. will I get some common value for CADF events so I can later connect the points. [15:28]
marekd: and recreate user's actions [15:28]
marekd: topol: ^ [15:33]
topol: marekd across projects or just within Keystone? [15:34]
*** e0ne has quit IRC [15:34]
marekd: topol: within keystone. [15:34]
topol: marekd I'll double check with stevemar but I believe so [15:35]
marekd: topol: sure. thanks. [15:35]
marekd: jamie_h: ^^ [15:35]
topol: henrynash what does None:%(target.role.domain_id)s   mean in a policy file?  do we document the policy file syntax and semantics somewhere? [15:42]
openstackgerrit: ayoung proposed openstack/keystone-specs: Tokens with subset of catalog  https://review.openstack.org/266137 [16:03]
stevemar: bknudson_: any suggestions on what to do with the eventlet patch? [16:22]
stevemar: redefine them in keystone.conf? [16:22]
bknudson_: stevemar: probably easiest to leave the eventlet options that are substitutable around for now [16:23]
bknudson_: deprecate them in a separate patch [16:23]
bknudson_: I mean deprecate the substitution in a separate patch. [16:23]
bknudson_: I think we wanted to do this anyways [16:24]
bknudson_: might want to check what devstack uses. [16:24]
bknudson_topol: http://docs.openstack.org/developer/keystone/configuration.html#keystone-api-protection-with-role-based-access-control-rbac16:27
*** raildo-afk is now known as raildo16:29
topolbknudson,  Thanks! You always make my life easier.16:29
henrynashtopol: thx for comments on domain specific roles patches….the inability to add comments to a policy json file is a real pain….both bknudson and I have independently tried to fix this, and not been successful16:29
bknudson_henrynash: I'm going to see if it's easy to support yaml. yaml supports comments16:30
henrynashbknudson_: agreed…I think that is probably the right approach16:30
topolhenrynash, bknudson, I know.  And Im gonna review what bknudson just sent me.  My gut tells me your new domain_admin roles and rules would benefit from docs that specifically explain those new one16:31
topols16:31
henrynashtopol: agreed. no question.16:31
topolhenrynash, bknudson Im gonna play guinea pig and read what bknudson sent me and then see if I can decipher the new roles16:31
*** roxanaghe has joined #openstack-keystone16:31
henrynashtopol, bknudson_: alternatively (to yaml) I will write up a .rst that explains what our v3cloudsample defines as policy rules for each API….so someone can really understand what is going on (and can then adapt as needed)16:32
topolhenrynash,bknudson it was when I read domain_admin_matches_filter_on_list_domain_roles that is when I broke down and started crying :-)16:33
henrynashtopol: I know….i can’t resist the temptation to spell it out16:33
*** boris-42 has quit IRC16:33
bknudson_docs are good. might take a while to do the whole switch to yaml.16:34
topolhenrynah the .rst  that explains the v3cloudsample and focuses on the domain stuff would be a huge help.  I'm willing to remove my -1 with a promise to add that doc and reference it in the release note16:35
*** Ephur has joined #openstack-keystone16:35
topolhenrynash ^16:35
*** ninag has quit IRC16:35
*** ninag has joined #openstack-keystone16:36
henrynashtopol: I’ll do that anyway…although there are some doc changes I should add to the patch (e.g. add target.role.domain_id to configuration.rst where it talks about policy target attributes)16:36
*** vgridnev has quit IRC16:36
*** clenimar has joined #openstack-keystone16:36
*** jsavak has quit IRC16:36
topolhenrynash I do like your temptation to spell it out. It at least gave me some bread crumbs to decipher. So don't stop doing that16:37
*** jgriffith_away is now known as jgriffith16:37
henrynashtopol: after 34 years of spelling things out, unlikely to stop now :-)16:37
topolhenrynash, the rst enhancements will be a huge help.16:38
topolhenrynash, so_glad_to_hear_that_and_please_dont_change_on_my_account16:38
henrynashtopol: yep, I’ll add (If I can make gerrit work…which seems broken for me right now)16:38
topolhenrynash. Sounds great thanks16:39
henrynashtopol: not_on_your_life_boyoh16:39
openstackgerritBoris Bobrov proposed openstack/keystone: Use the right driver to get limits  https://review.openstack.org/26698916:39
*** doug-fish has quit IRC16:40
*** belmoreira has quit IRC16:41
*** doug-fish has joined #openstack-keystone16:41
*** clenimar has quit IRC16:41
*** jsavak has joined #openstack-keystone16:42
*** clenimar has joined #openstack-keystone16:43
*** doug-fish has quit IRC16:45
*** jbell8 has quit IRC16:46
*** browne has quit IRC16:47
*** jbell8 has joined #openstack-keystone16:47
openstackgerritBoris Bobrov proposed openstack/keystone: Use the right driver to get limits  https://review.openstack.org/26698916:49
*** doug-fish has joined #openstack-keystone16:51
*** pnavarro has quit IRC16:53
*** diazjf has joined #openstack-keystone16:53
*** fhubik has joined #openstack-keystone16:53
*** nekrodesk has quit IRC16:53
*** jamie_h has quit IRC16:54
openstackgerritBrant Knudson proposed openstack/oslo.policy: Support policy file in YAML  https://review.openstack.org/27851316:55
*** gyee has joined #openstack-keystone16:55
*** ChanServ sets mode: +v gyee16:55
*** sigmavirus24 is now known as sigmavirus24_awa16:55
*** sigmavirus24_awa is now known as sigmavirus2416:56
*** dikonoor has joined #openstack-keystone16:56
*** fhubik has quit IRC16:57
*** doug-fish has quit IRC16:57
*** _cjones_ has joined #openstack-keystone16:58
*** jaosorior_ has quit IRC16:58
*** spzala has quit IRC16:59
*** spzala has joined #openstack-keystone16:59
*** jaosorior_ has joined #openstack-keystone17:00
*** jsavak has quit IRC17:02
*** jsavak has joined #openstack-keystone17:02
ayounghenrynash, I started the day with the intention of reviewing your patches...17:03
ayoungroad to hell and all that17:03
henrynashayoung: :-)17:04
ayounghenrynash, policy question17:04
*** spzala has quit IRC17:04
henrynashayoung: just about to post a new version of the CRUD for domain specific roles17:04
henrynashayoung: sure, shorrt17:04
ayoungwhen creing a DSR, are we going to have a different policy check than an impolied role17:04
henrynashshoot (even)17:04
ayoung?17:04
ayoungwhen creating a DSR, are we going to have a different policy check than an implied role?17:04
henrynashayoung: for the creation of the role or assigning it?17:05
ayoungcreation17:05
ayounghenrynash, DSR should be more permissive17:05
ayoungan implied role is a global admin thing, but a DSR should be a scope check for the right role on the domain.17:05
henrynashayoung: so a domain_admin can create a DSR (in their domain), while they cannot create a global roe17:05
henrynashrole17:05
ayounghenrynash, that is what I was looking for.  Can you point me at the logic for that?17:06
*** pnavarro has joined #openstack-keystone17:06
henrynashayoung: it’s those funky policy rules…17:06
henrynashayoung: let me get you the patch hold on17:06
henrynashayoung: https://review.openstack.org/#/c/262078/1617:07
*** e0ne has quit IRC17:08
*** spandhe has joined #openstack-keystone17:08
bretongyee: sorry for taking it so long. I've uploaded patch with tests17:08
gyeebreton, no worries, but looks like you overwritten some of my changes in patch #217:10
gyeebreton, for example, the hints are created after the list limit, that won't work, you have to create it prior17:11
openstackgerrithenry-nash proposed openstack/keystone: Add CRUD support for domain specific roles  https://review.openstack.org/26187017:12
*** daemontool has quit IRC17:13
ayounghenrynash, what do you think of the idea of making those two different policy checks?17:13
bretongyee: they are not created after list limit17:13
bretongyee: list_users doesn't always limit17:14
henrynashayoung: hmm, interesting idea….17:14
henrynashayoung: thinking17:14
bretongyee: it limits only when hints are passed with set list_limit17:14
ayounghenrynash, yeah, they are fundamentally different paths.  The policy itself should be separated, so you can't mess it up in the dynamic side17:14
bretongyee: before my patch limits were set before everything, in a decorator17:14
*** nkinder has quit IRC17:15
bretongyee: now before everything, except domain info fetching17:15
henrynashayoung: let me look at that, don’t *think* i have any objection to that….and would make the policy rules simpler for wure17:15
henrynashsure17:15
*** vgridnev has joined #openstack-keystone17:16
ayounghenrynash, thanks.17:16
bretongyee: if no hints are passed, users should not be limited, regardless of values in config17:17
gyeebreton, https://review.openstack.org/#/c/266989/4/keystone/identity/core.py, line 820 on the right, you return if hints is not created17:17
openstackgerritDavid Stanek proposed openstack/keystone: Moves policy setup into a fixture.  https://review.openstack.org/27852817:17
*** pushkaru has joined #openstack-keystone17:18
dstanekbigjools: ^ a new fixture to solve your bug!17:18
gyeebreton, line 902, hints are created after17:18
gyeethat won't work17:18
dstanekstevemar: bknudson_: ^ that fixes the policy.json bug that we are seeing in py3417:18
bretongyee: right, because hints must always exist. Sometimes they are empty.17:18
bretonif you call _set_list_limit_in_hints after creating hints in core.py, users will always be limited17:19
bretoneven when you call identity_api.list_users() without any arguments17:19
bretonwhich is not what we want to happen17:19
henrynashayoung: what would be the argument for having separate paths for global vs dom specific crud, but common path for assigning global vs domain specific roles17:19
*** aginwala has joined #openstack-keystone17:20
ayounghenrynash, assigning is scoped to the project always17:20
ayoungdefining an implied role is a global operation17:20
ayoungdefining a DSR is a scoped operation17:20
gyeebreton, you don't set the limit till its configured right? so it doesn't matter if hints exist or not17:20
lbragstadstevemar when making a reno - we only commit what we are changing. right?17:20
bretongyee: list_users must return truncated response only if hints were passed from the controller17:21
stevemardstanek: i thought davechen had a fix for this17:21
lbragstadstevemar as in - i shouldn't have to worry about the prelude section?17:21
bretongyee: in all other cases it should be the full list17:21
henrynashayoung: ok, I see the distinction you are making….17:21
bretongyee: controller creates hints17:21
*** dan_nguyen has joined #openstack-keystone17:21
ayounghenrynash, so I want to avoid having an accidental elevation of privs17:21
stevemarlbragstad: yeah, don't fill in prelude, it formats terribly17:21
lbragstadstevemar for the trust reno - i should only change "fixes"17:21
stevemarlbragstad: whats the change?17:22
dstanekstevemar: maybe? not on the bug though17:22
bretongyee: that's what I emulate in tests -- a call from controller17:22
lbragstadstevemar https://review.openstack.org/#/c/274850/517:22
ayounghenrynash, if I could assign a DSR from Dom1 to a user on a project in Dom2, we'd have the same risk;  it's the coupling of the namespace to assignment that makes it safe17:22
* breton afk for 30 minutes17:22
henrynashayoung: that does mean we have to have 5 new paths for domain specific roles crud, I assume17:22
ayounghenrynash, I would say instead to make it policy enforcement points17:23
gyeebreton, let me go over the code again, I don't think we should truncate if limit is not set17:23
stevemarlbragstad: i'd go with the "other" section, it's not a "fix"17:23
ayoungthe crud can be the same path17:23
lbragstadstevemar ok17:23
henrynashayoung;: same API, sure17:23
lbragstadstevemar an I can remove everything else17:23
lbragstad?17:23
*** _cjones_ has quit IRC17:23
ayounghenrynash, chew it over, but I think it is the right distinction17:23
henrynashayoung: ok, thx17:23
ayounghenrynash, I'll comment on the review so we have a record17:24
henrynashayoung: great17:24
ayounghenrynash, I am 2/3 of the way through https://review.openstack.org/#/c/261870/1817:25
stevemarlbragstad: yep17:25
ayounghenrynash, but is 19 coming?17:25
dstanekstevemar: he doesn't have any related open reviews17:26
henrynashayoung: I uploaded a new patch for samuels comments (it’s already up there), no functional changes, mainly (reasonable) test nits etc.17:26
ayounghenrynash, OK17:26
*** _cjones_ has joined #openstack-keystone17:27
raildolbragstad: ping, about what was discussed yesterday related to fernet+v2+trust. Is there anything that I can help? btw I intend to dig into this bug: https://bugs.launchpad.net/keystone/+bug/153379417:27
openstackLaunchpad bug 1533794 in OpenStack Identity (keystone) "Fernet v2 token response doesn't match v2 uuid token responses" [Medium,Triaged]17:27
*** browne has joined #openstack-keystone17:27
*** aginwala has quit IRC17:27
*** jaosorior_ has quit IRC17:28
openstackgerritDavid Stanek proposed openstack/keystone: Enables token_data_helper tests for Python3  https://review.openstack.org/27805517:28
openstackgerritDavid Stanek proposed openstack/keystone: Stop using nose as a Python3 test runner  https://review.openstack.org/27805417:29
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865017:29
*** doug-fish has joined #openstack-keystone17:29
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778117:29
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for trusts in v2.0  https://review.openstack.org/27485017:29
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v2_token()  https://review.openstack.org/27485117:29
lbragstadraildo ^17:29
*** nekrodesk has joined #openstack-keystone17:30
*** nekrodesk has quit IRC17:30
*** mylu has joined #openstack-keystone17:31
ayounghenrynash, do you need the override for list roles, or can we just replace the original list_roles with the logic in your wrapper?  Why do we need to keep the original?17:31
ayounghttps://review.openstack.org/#/c/261870/19/keystone/assignment/controllers.py17:31
henrynashayoung: because (in this version) you need to set up the domain id filter BEFORE you call policy enforcement17:32
ayounghenrynash, So if we modified the policy check decorator it would have the same effect?17:33
henrynashayoung: sure17:33
ayoungsomething like17:33
ayounghenrynash, I think that would be cleaner.  I don't like messing around with the logic in the routers17:33
ayoungBut I understand why you are.17:33
ayounglet me look at it for a few more minutes.17:33
henrynashayoung: there are a few places we do that17:33
ayoungmodify the decorator?17:34
*** nekrodesk has joined #openstack-keystone17:34
*** nekrodesk has quit IRC17:34
henrynashayoung: no, have to have a wrapper to get code executed before we call the method we have a policy rule on17:34
*** dolphm_ has joined #openstack-keystone17:34
ayounghenrynash, So..that is fine, but we've not done it in the router before.  Why in the router now?17:35
henrynashayoung: the changes in the router were just to make it easy to allow us to use the standard router mappings for v3 while overriding one method…the alternative was to remove using the v3router and insert all the routes manually…which seemed worse17:36
ayoungAh17:37
*** lhcheng has joined #openstack-keystone17:37
*** ChanServ sets mode: +v lhcheng17:37
*** mhickey has quit IRC17:37
henrynashayoung: so there is no specific logic added to the router, just the ability to rename a method for a given action (from the standard list_<entity>, get_<entity> etc.)17:38
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802717:38
*** rk4n has joined #openstack-keystone17:39
*** boris-42 has joined #openstack-keystone17:39
ayounghenrynash, right. This makes sense, but I wonder if the patterns of "here is how you do it for global versus scoped" is something we want to generalize17:39
ayoungWe don't allow nested domains, so we wouldn't have it there17:39
*** nekrodesk has joined #openstack-keystone17:40
*** nekrodesk has quit IRC17:40
raildolbragstad: you're the guy!17:40
ayoungI could see maybe for catalog filter17:40
ayounglbragstad, did you see the responses on trusts V2 on the mailing list?17:40
raildolbragstad: do you have some tips related to the other bug? Anything to help me to start on it?17:40
henrynashayoung: well, the specifics of this wrapper are just to allow the default of only returning global roles if you don’t provide a filter (for backward compatibility reasons)17:40
ayounglbragstad, what would it take to continue to honor it?17:40
henrynashayoung: but as a general point, maybe there are cases17:41
ayounghenrynash, right. And it is not horrible17:41
henrynashayoung: for instance, I think we will need domain specific mapping rules17:41
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865017:41
henrynashayoung: (not in mitaka)17:41
ayoungbut since we are talking about splitting the policy enforcement along these lines now anyway, perhaps should address it now17:42
lbragstadayoung we'd have to introduce trust support for v2.0 fernet tokens17:42
ayounglbragstad, could that be done in a follow on patch?17:42
ayounglbragstad, ie: we know we broke it, but we are adding it back?17:42
openstackgerritBrant Knudson proposed openstack/keystone: Convert policy to yaml  https://review.openstack.org/27854217:43
*** jed56 has quit IRC17:43
*** nkinder has joined #openstack-keystone17:43
*** nekrodesk has joined #openstack-keystone17:44
*** nekrodesk has quit IRC17:44
lbragstadayoung I was going on the consensus of the comments in the review17:44
lbragstadayoung and it seemed like people were fine removing that from v2.017:44
ayounglbragstad, yeah.  I am willing to drive on with this approach, provided we can unfuck ourselves later17:44
ayoungsorry, technical term17:44
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802717:45
lbragstadayoung so you want to remove support for using trusts against v2.0 and then re-add it back in?17:45
ayounglbragstad, yes I do17:45
henrynashayoung: should that be un or de ?17:45
ayounghenrynash, it should be unde17:45
ayoungantidis17:45
ayounglbragstad, I just want the risk mitigation laid out17:45
ayoungif we have broken everyone, how bad is it to add back in?17:46
ayoungonce we have fernet the default17:46
ayoungor should we just bite the bullet and do that now17:46
*** nekrodesk has joined #openstack-keystone17:47
*** nekrodesk has quit IRC17:47
*** ChanServ sets mode: +o dolphm_17:47
lbragstadayoung that's why i brought it up in the meeting yesterday17:48
*** ninag has quit IRC17:48
ayounglbragstad, yes, but getting a new feature in needs to be done pre M317:48
ayoungA bug fix can be done after17:48
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802717:49
krotscheckIs it possible to get another core review pass on https://review.openstack.org/#/c/241317/ ? I've answered all the questions and made requested changes (and it's passing the gate, whee!)17:51
*** roxanaghe has quit IRC17:52
*** rcernin has joined #openstack-keystone17:52
lbragstadayoung it would take refactoring to allow trusts back into fernet17:52
lbragstadand testing17:53
ayounglbragstad, in V3 how does Fernet handle trusts?17:53
*** nekrodesk has joined #openstack-keystone17:53
lbragstadit packs the trust id into the token17:53
lbragstadand handles it as an explicit trust scoped token17:54
*** petertr7 is now known as petertr7_away17:54
samueldmqhenrynash: hi17:56
samueldmqhenrynash: left a couple of review on the domain-roles thing17:56
henrynashsamueldmq: hi17:56
samueldmqhenrynash: it's looking pretty good, just a few things to adjust/nits :)17:56
samueldmqhenrynash: should be an easy approval17:56
henrynashsamueldmq: i fixed up a bunch of the ones you mentioned….was there more on top, or just those17:56
*** aginwala has joined #openstack-keystone17:57
henrynashsamueldmq: I think we do need the controller wrapper, see me reply to yours17:57
*** mvk has quit IRC17:59
*** dolphm has quit IRC17:59
*** dolphm_ is now known as dolphm17:59
stevemarsamueldmq: easy approval? sign me up18:00
*** Guest53252 has quit IRC18:01
samueldmqstevemar: domain-roles is pretty good already :)18:01
*** tsymanczyk has joined #openstack-keystone18:01
samueldmqhenrynash: looking at your reply18:02
stevemarsamueldmq: obviously, it's henry nash!18:02
*** tsymanczyk has quit IRC18:02
stevemar:P18:02
henrynashstevemar: I’ll pay you later18:02
ayounglbragstad, and how does Fernet handle V2 ?18:03
samueldmqstevemar: ++18:03
*** nkinder has quit IRC18:03
*** aginwala has quit IRC18:06
*** richm has quit IRC18:06
*** jaosorior has quit IRC18:09
*** pnavarro has quit IRC18:09
*** itlinux has quit IRC18:11
openstackgerritSteve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948618:13
stevemarhenrynash: i accept payment in check or cash18:13
stevemarbknudson_: ^ fixed it up, kept the options18:14
*** aginwala has joined #openstack-keystone18:14
henrynashstevemar: a checked shirt on its way18:14
*** mylu has quit IRC18:16
*** tsymanczyk has joined #openstack-keystone18:16
*** mylu has joined #openstack-keystone18:17
*** tsymanczyk is now known as Guest5238518:17
*** e0ne has joined #openstack-keystone18:20
samueldmqhenrynash: so, about that domain_id=None filter18:24
henrynashsamueldmq: indeed…18:24
samueldmqhenrynash: hmm, I think I just got your point18:24
henrynashsamueldmq: the key is you have to do it BEFORE you do the policy check…since the policy check may want to look at the filter18:24
samueldmqhenrynash: if I don't provide a filter for attribute_x, it doesn't mean that attribute_x=None would have the same result18:25
samueldmqhenrynash: it actually would filter on attribute_x where it corresponds to None18:25
lbragstadayoung  it tells you to go to v3 if you want to get a trust scoped token18:25
henrynashsamueldmq: yes, it would filter on that (and return only global roles)18:25
lbragstadayoung https://github.com/openstack/keystone/blob/7a0874f6f69852584061fa384f75dfb0d5f1c229/keystone/token/providers/fernet/core.py#L165-L16818:25
*** spzala has joined #openstack-keystone18:26
*** igornsa_ has joined #openstack-keystone18:26
samueldmqhenrynash: so /roles and /roles?domain_id=None are equivalent18:26
samueldmq?18:26
henrynashsamueldmq: yes18:27
henrynashi.e. global roles by default, for backward compatibility18:27
samueldmqhenrynash: if we returned both, it didn't mean we weren't backwards compatible18:28
*** mylu has quit IRC18:28
samueldmqhenrynash: because there were no domain-specific roles before ...18:28
henrynashsamueldmq: indeed, and the name of a domain specific role may be the same as an existing global role, so we want clients to have to ask explicitly and hence know how to handle the results18:29
samueldmqhenrynash: fair point18:31
lbragstadraildo to get a start on https://bugs.launchpad.net/keystone/+bug/1533794 I think we need to consolidate the fernet and uuid token providers18:31
openstackLaunchpad bug 1533794 in OpenStack Identity (keystone) "Fernet v2 token response doesn't match v2 uuid token responses" [Medium,Triaged]18:31
lbragstadraildo once that is done, there is less room for data creep18:31
samueldmqhenrynash: perhaps domain-specific roles could have their names prepended with domain_name18:31
lbragstadbetween token providers18:31
*** su_zhang has joined #openstack-keystone18:31
raildolbragstad: makes sense18:31
samueldmqhenrynash: I think you have thought about all this, I am just making sure :)18:31
henrynashsamueldmq: they could, but from a domain admin point of view that would suck!18:31
*** spzala has quit IRC18:32
henrynashsamueldmq: since they can ONLY create dsrs in their own domain18:32
samueldmqso they only can /roles?domain_id=xx18:32
*** spzala has joined #openstack-keystone18:32
ayounglbragstad, OK, walk me through it.  I really don't see what the problem is here.18:32
samueldmqthe only difference would be that a cloud admin would be able to see all the roles in the cloud18:32
lbragstadayoung I'm not seeing your email18:32
samueldmqhenrynash: perhaps another special call for that if we need it in the future ?18:33
ayounglbragstad, ?18:33
ayounga particular one, or any?18:33
lbragstadayoung ah - I misread your message18:33
lbragstadnevermind18:33
henrynashsamueldmq: yes cloud admin can see them all18:33
samueldmqhenrynash: like ?include_domain_specific_roles_yes_it_is_too_big_for_a_query_param18:33
samueldmqhenrynash: but not in a single call right ?18:33
henrynashsamueldmq: or maybe a longer parameter if we can think of one18:34
ayounglbragstad, the fernet payload holds the version of the token?18:34
samueldmqhenrynash: anyway, cloud admin isn't supposed to manage domain roles18:34
henrynashsamueldmq: not in the usual case, no18:35
samueldmqhenrynash: he takes care of global roles, and each domain_admin creates his own abstractions that maps better for their domain18:35
henrynashsamueldmq: yep18:35
lbragstadayoung no18:35
lbragstadayoung the fernet payload just holds things about the token18:35
ayounglbragstad, then why would calling validate V2 with a trust ID be a problem?18:35
lbragstadayoung it doesn't know if the token was v2 or v318:35
ayounglbragstad, I know. It just knows that a trust was in there, right?18:36
lbragstadayoung yes18:36
ayoungbut if we call validate on the v2 api, and there is a trustid in the token, why is this a problem?18:37
lbragstadayoung let me code it up quick and post for review18:37
ayoungOK18:37
*** spzala has quit IRC18:37
*** aginwala has quit IRC18:39
samueldmqhenrynash: +2'ed , only left a comment regarding a new test case that could be added18:39
samueldmqhenrynash: but shoudn't block the change18:39
*** pnavarro has joined #openstack-keystone18:39
henrynashsamueldmq: thx…happy to come back in and add more tests…..18:41
*** aginwala has joined #openstack-keystone18:42
samueldmqhenrynash: :)18:43
*** jsavak has quit IRC18:44
ayounghenrynash, so...should create DSR  be a different API call?  It does not feel like it should.18:44
ayoungBut the policy should be different18:44
ayoungand the wrapper seems strange18:44
henrynashayoung: agreed…same API call18:44
ayoungok, so long as we can split the policy itself, we can always refactor the internals18:44
ayoungit's a controller, and the API for that is private18:45
henrynashayoung: IF we want to give them the separate policy endpoints, then need a kind of wrapper for each API, which checks to see if it is a domain specific role…and if so calls one policy endpoint method, if not a different one18:45
henrynashI’m modifying the follow on patch (that changes the policy file) to try this out…will post it and see what we think18:46
samueldmqhtruta: raildo: hey, what's missing for reseller phase 1 ?18:46
samueldmqhtruta: raildo: I still see it as an open bp targeted to m3 https://blueprints.launchpad.net/keystone/+spec/reseller18:47
*** pnavarro has quit IRC18:47
henrynashayoung: so I think the base patch is OK as is - if we go the separate policy endpoint route in the follow on patch, then I’ll be modifying the list_wrapper18:48
ayounghenrynash, works for me18:48
samueldmqhenrynash: btw, looks like we need a docimpact tag there ?18:49
henrynashsamueldmq: yep, agreed18:49
samueldmqhenrynash: since all docs referring to roles need to be clear on global roles vs dsr18:49
bknudson_dstanek: there's several references to rules.reset(), e.g., in test_v3_protection18:50
dstanekbknudson_: hmmm...let's see18:51
bknudson_keystone/tests/unit/rest.py18:51
bknudson_keystone/tests/unit/test_policy.py18:51
bknudson_maybe could pass in the policy file name to config_overrides()18:51
*** petertr7_away is now known as petertr718:52
*** roxanaghe has joined #openstack-keystone18:53
bknudson_or could save the fixture and provide a method to switch to a different policy18:53
ayounghenrynash, +2A on https://review.openstack.org/#/c/261870/1918:53
henrynashayoung: thx18:53
bknudson_seems like we should be defaulting to policy.v3cloudsample.json at some point18:53
ayoungbknudson_, once you finish porting it to yaml18:54
*** mylu has joined #openstack-keystone18:54
ayoungthen we can do policy.yml with the new rules18:54
ayoungcan put a note that policy.json is old and deprecated18:54
samueldmqhenrynash: ayoung: nice, domain-roles approved ! :)18:55
bknudson_ayoung: good idea18:55
henrynash(does little rain dance)18:55
samueldmqhehe18:55
ayoungsamueldmq, yeah, but we really do need to split the policy for DSR from global18:55
dstanekbknudson_: what do you think is better. defining a class variable POLICY_FILE and override in that class or add a method to the fixture to load/reset?18:55
samueldmqayoung: separate entries in the policy file ?18:55
ayoungsamueldmq, yes18:56
samueldmqayoung: like it was 2 APIs?18:56
dstanekbknudson_: adding the method to the fixture just means the policy setup happens twice18:56
*** aginwala has quit IRC18:56
samueldmqlike 2 endpoints ?18:56
ayoungsamueldmq, global needs one policy, DSR a separate policy18:56
bknudson_dstanek: I'm pretty sure it was happening already that the policy setup happens twice.18:56
ayoungto make it clear that you should not let a domain admin write global policy,18:56
bknudson_dstanek: do we have any tests that set the policy just for the test and not for all the tests in the class?18:57
samueldmqayoung: yeah I know, global roles are managed by cloud admin18:57
samueldmqayoung: domain admins map global roles as they want18:57
dstanekbknudson_: it shouldn't with this change, generally speaking.18:57
dstanekbknudson_: not that i know of18:57
ayoungsamueldmq, so we'll get that split in a follow on patch18:57
bknudson_dstanek: a class variable makes sense then. we can always change it.18:57
samueldmqayoung: how would that be in the policy ? something like identity:list_roles and identity:list_domain_roles ?18:58
htrutasamueldmq: we miss code reviews18:58
ayoungsamueldmq, I don't care for list18:58
samueldmqhtruta: so here I am18:58
ayoungI care for create and modify18:58
ayoungbut yes18:58
samueldmqayoung: hm, can't we control by checking the provided entity contains a domain_id18:58
samueldmqayoung: like create_role:domain_admin and role.domain_id18:59
ayoungsamueldmq, it makes the policy quite complex. And since we want policy to be editable, it makes it fragile18:59
samueldmqayoung: so put part of that in the code?18:59
samueldmqayoung: but we don't do that so far right ?18:59
htrutasamueldmq: the 3 first patches of the chain are good to go, henrynash has made a lot of work at them. And the other ones need some rebase18:59
*** su_zhang has quit IRC18:59
*** aginwala has joined #openstack-keystone19:00
samueldmqhtruta: could you provide me a link?19:00
ayoungsamueldmq, right now, we are OK since we don't really have a fix for 968696 in the default anyway19:00
*** aginwala has quit IRC19:00
htrutasamueldmq: sure. you can start from this one: https://review.openstack.org/#/c/264533/2319:00
samueldmqhtruta: k I will look at them after project tree disable/delete19:01
*** petertr7 is now known as petertr7_away19:01
htrutasamueldmq: awesome19:01
*** doug-fis_ has joined #openstack-keystone19:02
*** nekrodesk has quit IRC19:04
*** daemontool has joined #openstack-keystone19:04
*** doug-fi__ has joined #openstack-keystone19:04
*** igornsa_ has quit IRC19:04
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802719:04
*** aginwala has joined #openstack-keystone19:05
*** doug-fish has quit IRC19:05
*** doug-fis_ has quit IRC19:06
*** henrynash has quit IRC19:07
dstanekbknudson_: what do you think about a pattern like: http://paste.openstack.org/show/486612/19:07
*** spzala has joined #openstack-keystone19:07
*** jsavak has joined #openstack-keystone19:08
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857019:08
*** doug-fi__ has quit IRC19:09
*** c_soukup has joined #openstack-keystone19:09
*** spzala has quit IRC19:09
*** spzala has joined #openstack-keystone19:09
openstackgerritayoung proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778119:10
*** mylu_ has joined #openstack-keystone19:11
openstackgerritayoung proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865019:13
*** csoukup has quit IRC19:13
ayounglbragstad, just cleaned up the commit messages.19:13
lbragstadayoung thanks19:13
ayounglbragstad, please make sure you do a git review -d before making any more changes to keep the edits.19:14
*** mylu has quit IRC19:15
*** aginwala has quit IRC19:16
*** aginwala has joined #openstack-keystone19:17
*** mylu_ has quit IRC19:19
*** c_soukup has quit IRC19:19
openstackgerritHenrique Truta proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591619:20
htrutasamueldmq, stevemar: just addressed your comments in here ^19:21
*** mylu has joined #openstack-keystone19:21
samueldmqhtruta: thanks19:23
samueldmqkrotscheck: hi, about https://review.openstack.org/#/c/24131719:23
*** mylu has quit IRC19:23
samueldmqkrotscheck: why aren't the headers for tokenless auth needed anymore19:23
samueldmq?19:23
samueldmqkrotscheck: just saw they were removed from patchset 9 to 1019:24
*** mylu has joined #openstack-keystone19:24
*** su_zhang has joined #openstack-keystone19:25
*** csoukup has joined #openstack-keystone19:26
*** mylu has quit IRC19:27
krotschecksamueldmq: I was under the impression, from the discussion on PS8, that they were headers added by the keystone middleware once a token had been parsed. Ergo, not actually part of the external API.19:28
*** petertr7_away is now known as petertr719:28
*** nekrodesk has joined #openstack-keystone19:28
*** nekrodesk has quit IRC19:28
*** jasonsb has quit IRC19:28
*** jsavak has quit IRC19:28
*** jasonsb has joined #openstack-keystone19:29
*** mylu has joined #openstack-keystone19:30
*** mylu has quit IRC19:31
samueldmqkrotscheck: so not something coming from the clients and that needed to be added to latent_allow_headers and latent_expose_headers19:32
samueldmqkrotscheck: I need to check that19:32
krotscheckYep19:32
krotscheckThat was my assumption, anyway19:32
samueldmqgyee: hi, I have a question about tokenless auth19:33
*** jsavak has joined #openstack-keystone19:33
krotscheckGiven that x509 authentication is a public standard, and the bits I removed were custom headers19:33
samueldmqgyee: (I am assuming you are aware of how that works :))19:33
gyeesamueldmq, sure, I'll try :)19:34
samueldmqkrotscheck: yes, but I thought the user needed to pass the headers himself, as to provide the needed info to authenticate19:34
*** jasonsb has quit IRC19:34
samueldmqgyee: these headers https://github.com/openstack/keystone/blob/af399474b2e67b023225a8abffe8933af40c1548/doc/source/configure_tokenless_x509.rst#scope-information19:34
gyeeright, we need the headers to convey the scope information19:35
samueldmqgyee: are they provided by the user right ?19:35
gyeecorrect19:35
krotscheckReally?19:35
samueldmqgyee: perfect, and x509 certs is just about the way we encrypt/decrypt the info19:35
*** mylu has joined #openstack-keystone19:35
krotscheckTokenless auth isn't a W3C spec, it's all done via X-?? headers?19:35
gyeethe cert conveys identity while the headers convey the scope19:36
samueldmqkrotscheck: we need that info to a user get a token, so I understand x509 is just about identity security19:36
*** jorge_munoz1 has quit IRC19:37
*** mylu has quit IRC19:37
samueldmqgyee: exactly, so the certs avoid username/password, but we still need info to where scope to19:37
samueldmqkrotscheck: ^19:37
gyeethat was done with other auth mechanisms in mind (i.e. kerberos)19:37
krotscheckoookay19:37
krotscheckAlright, I'll add them back in19:37
gyeekrotscheck, why not make them configurable?19:38
*** daemontool has quit IRC19:38
krotscheckgyee: They are.19:38
gyeegreat!19:38
krotscheckgyee: You can add them manually in keystone.conf.19:38
krotscheckgyee: This is just to make sure that an operator doesn't have to know to add those.19:38
gyeenice, I like it19:38
krotscheckI'll do it in a separate patch so we can argue whether it makes sense to include them. Will that work samueldmq ?19:39
gyeesounds like a plan19:39
*** nekrodesk has joined #openstack-keystone19:40
krotscheckgyee: Just to clarify: Those headers are incoming only, the API doesn't return them, yes?19:40
samueldmqkrotscheck: add the headers in a follow-on patch ? or just make them configurable ,19:40
samueldmq?19:40
krotschecksamueldmq: Followup patch19:41
gyeekrotscheck, yes, incoming only19:41
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust chain/redelegation tests  https://review.openstack.org/27816319:41
openstackgerritMichael Krotscheck proposed openstack/keystone: Added tokenless auth headers to CORS middleware  https://review.openstack.org/27858019:42
krotscheckgyee, samueldmq ^^19:42
gyeethank, will take a look19:42
gyeethanks19:42
samueldmqkrotscheck: works for me19:42
*** mylu has joined #openstack-keystone19:42
*** doug-fish has joined #openstack-keystone19:43
*** jbell8 has quit IRC19:43
*** mylu has quit IRC19:43
*** jbell8 has joined #openstack-keystone19:45
samueldmqtjcocozz: about https://review.openstack.org/#/c/24131719:45
*** dikonoor has quit IRC19:45
samueldmqtjcocozz: krotscheck is now addressing tokenless auth headers in a followup patch https://review.openstack.org/#/c/27858019:45
samueldmqtjcocozz: that's why I changed my score there19:46
ayounggyee, so this will work for you: https://review.openstack.org/#/c/266137/  in general?  I thought you wanted a shared token cache?19:46
krotschecktjcocozz: I also commented with a temporary way of enabling those headers.19:46
ayoungOh wait19:46
ayoungwrong patch19:47
tjcocozzkrotscheck, awesome! I will set up a devstack with your new patch.19:47
tjcocozzsamueldmq, ^^19:47
krotscheckAnd, well, the reason I added a new patch is because the gate is rather full right now19:47
krotscheckAnyway19:47
* krotscheck shifts into daycare mode.19:47
*** krotscheck is now known as krotscheck_dcm19:47
gyeeayoung, you mean the endpoint checking at the server side? that definitely will work for me19:47
samueldmqtjcocozz: nice, make sure to review -d the followup patch, so you get the same as it was in patchset 919:48
ayounggyee,OK19:48
ayoungthat is great19:48
krotscheck_dcmI'll get any questions you have, just might respond to them in a delayed manner.19:48
ayoungwe can work with that19:48
samueldmqtjcocozz: that's great you test it :)19:48
gyeeayoung, I love that proposal because 1) we don't have to change the catalog; and 2) no middleware needed19:48
ayoungit is far more efficient, I think.  But it will be problematic if people share the cache between services19:48
samueldmqtjcocozz: thanks for doing so19:48
tjcocozzsamueldmq, there should be a dependency in his commit message19:48
ayoungI need to see if that will screw up all-in-one deploys19:48
ayounggyee, but, I think its ok19:49
tjcocozzsamueldmq, i think he is offline now.19:49
gyeeayoung, I don't think its a problem, this is no different from how we cache invalid tokens today19:49
gyeeayoung, it will work, thanks for putting together the spec19:49
ayounggyee, if we go with finer grained policy, the two things will be complementary19:49
openstackgerritMerged openstack/keystone: Uses open context manager for templated catalogs  https://review.openstack.org/27805319:49
ayounggyee, it was based on a convo with morgan19:49
ayounghis -1 was looking out for you, but it was his idea, too19:49
gyeethat's good, I think we have a path forward19:50
ayounggyee, do we have a "default filter" for catalog?19:50
gyeewe don't deprecate the APIs to setup the endpoint-project relationship and we do the enforcement at the server side during token validation19:50
samueldmqtjcocozz: the commits are dependant already aren't they ?19:50
ayounga way to say "this is what people get by default that is not the entire catalog"?19:51
gyeeayoung, agreed, that's what we have now I think19:51
samueldmqtjcocozz: https://review.openstack.org/#/c/278580 's parent is 55b056fa9e5d776b00b666ca74fa56461f2b4dfc19:52
gyeelike either allow all or deny all if project-endpoint relationship doesn't exist19:52
samueldmqtjcocozz: which is https://review.openstack.org/#/c/24131719:52
*** jorge_munoz1 has joined #openstack-keystone19:52
samueldmqtjcocozz: I don't know other way to look at dependency tree in the new gerrit ui19:52
samueldmq:(19:52
* tjcocozz is looking now19:53
*** su_zhang has quit IRC19:53
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subset of catalog  https://review.openstack.org/26613719:55
tjcocozzsamueldmq, it is very confusing how it is set up now.  I think you're right, he set up the dependencies correctly.19:55
*** rk4n has quit IRC19:55
*** doug-fish has quit IRC19:55
*** jbell8 has quit IRC19:55
roxanaghelhcheng, you here? I have a question about the keystone url used by horizon for websso authentication19:56
*** jbell8 has joined #openstack-keystone19:56
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subset of catalog  https://review.openstack.org/26613719:57
roxanaghelhcheng, in fact it's more like a proposal - I would like to have an OPENSTACK_WEBSSO_KEYSTONE_URL config setting19:57
*** jgriffith is now known as jgriffith_away19:57
ayounggyee, Feel free to take that spec and run with it19:57
gyeeayoung, sure will do19:57
ayounggyee, what did you mean by <endpoint_filter> though, in the request?19:57
ayoungWe don't want to have to edit the remote config files19:57
samueldmqtjcocozz: yes, I really don't like the way the dependencies are shown there :/19:58
ayoungso I was figuring the service would figure out its Hostname and port and send those to keystone19:58
ayoungbased on requests that come in, or a config option19:58
gyeeayoung, its the same filter we support at the client side19:58
ayoungthat was what we had agreed on in the past, so what would the filter look like?19:58
tjcocozzsamueldmq, maybe the next release of gerrit19:59
gyee?server=xyz,region=abc,interface=public19:59
*** jbell8 has quit IRC19:59
gyeesame set of filters supported by the Session I think19:59
ayounggyee, OK.  Can you modify the api in that spec to show that?20:00
*** jbell8 has joined #openstack-keystone20:00
gyeeayoung, yes, on my todo list20:00
ayoungexcellent20:00
samueldmqtjcocozz: yeah, I am crossing my fingers20:00
*** aginwala has quit IRC20:01
*** mylu has joined #openstack-keystone20:01
*** AJaeger has joined #openstack-keystone20:02
lhchenghey roxanaghe20:02
*** doug-fish has joined #openstack-keystone20:02
*** aginwala has joined #openstack-keystone20:03
roxanaghehey lhcheng20:03
*** aginwala has quit IRC20:03
*** aginwala has joined #openstack-keystone20:04
lhchengif we have OPENSTACK_WEBSSO_KEYSTONE_URL, we can only make WEBSSO to work with one endpoint20:05
roxanaghelhcheng, so I want to put up a patch in Horizon to add a config setting OPENSTACK_WEBSSO_KEYSTONE_URL because in our environments we use an internal VIP to communicate with Keystone for the keystone credentials authentication but that does not work for websso20:06
openstackgerritAndreas Jaeger proposed openstack/keystone: Make pep8 *the* linting interface  https://review.openstack.org/27859120:07
roxanaghelhcheng, can you expand on that?20:07
AJaegerkeystone cores, I'm sorry: We have to go back to pep8 since that's the documented requested interface ^20:07
stevemarAJaeger: :( its all good20:07
* AJaeger just made a bit of work for himself ;(20:08
bknudson_I was starting to wonder when everyone else would switch to linters.20:08
*** daemontool has joined #openstack-keystone20:08
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414920:08
AJaegerbknudson_: I learned today what it means to switch everyone - and that's more than I can chew right now ;(20:09
lhchengroxanaghe: hmm let me think about that, can I get back to you later?20:09
bknudson_AJaeger: how about switch the infra jobs to pep8 and then just remove linters?20:09
bknudson_rather than 2 commits in keystone20:09
AJaegerbknudson_: good idea - we left pep8 in...20:10
AJaegerthanks, will do...20:10
*** haneef has joined #openstack-keystone20:10
stevemarAJaeger: do we need to split pep8 back into pep8 and bandit?20:10
roxanaghelhcheng, sure20:10
AJaegerstevemar: not at all, pep8 and linters have the same meaning - general linting20:12
dstanekAJaeger: that's unfortunate20:13
AJaegerdstanek: if somebody wants to change the PTI and all official projects, then go for it - but I figured out what I started and cannot finish that.20:14
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857020:15
AJaeger https://review.openstack.org/278593  is the infra change20:16
*** doug-fish has quit IRC20:18
openstackgerritAndreas Jaeger proposed openstack/keystonemiddleware: Make pep8 *the* linting interface  https://review.openstack.org/27859920:18
openstackgerritAndreas Jaeger proposed openstack/keystone: Make pep8 *the* linting interface  https://review.openstack.org/27859120:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947920:19
*** doug-fish has joined #openstack-keystone20:20
openstackgerritAndreas Jaeger proposed openstack/python-keystoneclient: Make pep8 *the* linting interface  https://review.openstack.org/27860220:21
AJaegerstevemar: could you +1 the infra change 278593 , please?20:21
*** jgriffith_away is now known as jgriffith20:22
*** dave-mcc_ has joined #openstack-keystone20:22
*** dave-mccowan has quit IRC20:22
*** dave-mccowan has joined #openstack-keystone20:23
*** dolphm has quit IRC20:24
*** dave-mcc_ has quit IRC20:26
haneefstevemar:  What is the purpose of user-deleted audit event?. It has user-id,  but the user is gone from db, No way to figure out who got deleted20:27
*** su_zhang has joined #openstack-keystone20:27
stevemarhaneef: i thought we added username and domain name?20:29
stevemarAJaeger: done20:30
haneefstevemar: Thanks let me check once again20:31
AJaegerthanks, stevemar20:31
*** jsavak has quit IRC20:32
*** su_zhang has quit IRC20:32
*** e0ne has quit IRC20:32
lbragstadayoung do trusts not use revocation events?20:33
*** jsavak has joined #openstack-keystone20:33
*** dims has quit IRC20:34
*** fawadkhaliq has quit IRC20:34
*** mhickey has joined #openstack-keystone20:34
ayounglbragstad, um...I think you are missing something in there20:34
ayoungtrusts are used to create a token20:34
ayoungif the trust goes away, the token is invalid20:34
stevemarhaneef: it's entirely possible they don't include name, i'm going from memory20:34
ayounglbragstad, I thought there was a revoke by trust ID in there?20:34
lbragstadayoung hmm20:35
*** dims has joined #openstack-keystone20:35
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/revoke/model.py#n21  first one20:35
lbragstadayoung http://cdn.pasteraw.com/gkk9xzi7commrfvrp9bp7ig3lryx6oz20:35
ayounglbragstad, now, we can remove that, if we check the existence of the trust upon validation instead20:35
lbragstadayoung that second test is failing for me20:36
lbragstadtest_delete_trust_revokes_token20:36
ayounglbragstad, I wonder if the problem is the matching of the code20:36
ayoungthe trustID in the v2 token?20:36
ayounglbragstad, but, really, the check should be done inside the code anyway, and not in revoke evetns20:36
ayoungevents20:36
ayoungwe can drop most of those20:37
ayoungfile it as a bug and assign to me, with that code attached20:37
gyeestevemar, looking at the code, I don't see where we populate the user domain and user name in CADF20:38
stevemargyee: do we do that for project name and project domain name?20:39
*** gokrokve has quit IRC20:40
stevemargyee: i was getting confused with the initiator's project id and domain id20:41
gyeestevemar, doesn't look like it, I am going by the code at this point, haven't setup the transport to actually look at it20:41
gyeewe have info for the initiator20:41
*** nekrodesk has quit IRC20:41
stevemargyee: so, we're going to have the same problem for all the delete operations20:42
gyeestevemar, afraid so20:42
stevemargyee: at the manager level,where the notification kicks off, we just have the ID20:42
*** petertr7 is now known as petertr7_away20:42
gyeestevemar, I think we talked about this awhile back, we actually do need a resource life-cycle management framework20:43
gyeelike be able to transition from deleted to purged state20:43
gyeedeleted does not wipe it from DB, but merely marking it as deleted20:44
gyeepurge will do the actual deletion so we can preserve the data according to data retention policy20:44
stevemargyee: i could dig that... a config option that says "purge_on_delete=true/false", and maybe a keystone-manage call to actually purge all items20:45
gyeeright, that's work20:45
*** jgriffith is now known as jgriffith_away20:45
*** gildub has joined #openstack-keystone20:46
stevemargyee: so for the immediate case, you need to know the name of user/project you deleted eh20:46
stevemarcan't you look it up, based on the ID from when it was created?20:46
gyeestevemar, we need to be able to generate a report on what's being deleted20:47
lbragstadayoung the original test is this - https://github.com/openstack/keystone/blob/ed67079d2b20811b551d78cc1aa72305f8278777/keystone/tests/unit/test_auth.py#L1150-L116520:47
*** AJaeger has left #openstack-keystone20:47
stevemarzigo: around to talk about eventlet in keystone?20:47
lbragstadayoung which looks like delete_trust does something to clean up old tokens in the backend20:48
stevemargyee: we could fetch from the DB before deleting, so we can get the name20:48
gyeealternative would be to look it up from the backup, assuming creation was done since the last backup20:48
raildolbragstad: we are missing a check regarding federation_token and v2_token... in the current code, this line is called: https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L23120:48
raildolbragstad: and then will test this: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L65920:49
raildolbragstad: we are not calling this on the fernet case here: https://review.openstack.org/#/c/274851/6/keystone/token/provider.py20:50
* dims peeks at dstanek's reviews from yesterday20:50
dimsstevemar : bknudson_ : dstanek : looks like https://review.openstack.org/#/c/278054/ and https://review.openstack.org/#/c/278528/ are ready and would help me unblock my periodic job (against oslo.* master)20:51
bknudson_I don't think https://review.openstack.org/#/c/278528/1 is ready20:52
bknudson_dstanek: were you working on https://review.openstack.org/#/c/278528/1 ?20:52
lbragstadraildo I don't think we need the check there20:52
dimsbknudson_ : ah, i saw all green and a +220:52
lbragstadraildo the validate_non_persistent_token() method assumes a v3 token20:53
*** e0ne has joined #openstack-keystone20:53
raildolbragstad: so, there is some tests that wait a 404 but actually it a 200 https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_federation.py#L241420:53
lbragstadraildo we actually end up calling v2_token_data_helper.v3_to_v2_token(v3_token_ref)20:53
*** petertr7_away is now known as petertr720:53
dstanekbknudson_: i have some changes that get rid of all of the policy stuff. right now it passed 27 and the 34 tests are running. it could be a followup if that's desired20:53
bknudson_dstanek: how long do the py34 tests take to run?20:53
raildolbragstad: so, we need change this tests to validate with v3?20:54
*** jbell8 has quit IRC20:54
openstackgerritSteve Martinelli proposed openstack/keystone: Make pep8 *the* linting interface  https://review.openstack.org/27859120:54
dstanekbknudson_: hopefully just a few minutes more. until the nose fix they run serially ]20:54
lbragstadraildo the v3_to_v2_token() method here should check for invalid cases https://review.openstack.org/#/c/274851/6/keystone/token/providers/common.py20:54
*** jbell8 has joined #openstack-keystone20:54
lbragstadraildo if a v3 federated token is passed in for example20:54
lbragstadit should fail20:55
lbragstadraildo we might also have issues in our tests with timing too. Those would be caused by the subsecond issues with fernet and mysql20:55
lbragstadraildo notmorgan has ways to fix that20:56
navidpjamielennox, o/20:56
dstanekstevemar: the Depends-on will ignore the +A until the other project's fix is merged, right?20:56
raildolbragstad: I remember that you had mentioned that before20:56
stevemardstanek: yes20:56
dstaneklbragstad: i love that our tests run *so fast* that is causes us problems. usually the opposite is true20:57
openstackgerritJorge Munoz proposed openstack/keystone: Consolidate trust tests into a single class  https://review.openstack.org/27862820:57
dstanekstevemar: cool, thx20:57
lbragstaddstanek right20:57
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Trying py27/34 with oslo-master  https://review.openstack.org/27764820:57
*** aginwala has quit IRC20:58
ayounglbragstad, at a minimum it should still be doing revoke_by_trust_id too, though20:59
raildolbragstad: so, when we got a v2 token we convert in a v3 token, following this v2_token_data_helper.v3_to_v2_token(v3_token_ref) method. So, on the tests that are using a v2 token, and it is not expected to be converted to a v3 token, what should we do?21:00
openstackgerritDavid Stanek proposed openstack/keystone: Moves policy setup into a fixture.  https://review.openstack.org/27852821:00
raildolbragstad: change the expected return?21:01
*** dolphm has joined #openstack-keystone21:01
*** ChanServ sets mode: +o dolphm21:01
dstanekbknudson_: a bit more complicated now. you're welcome! ^21:01
lbragstadraildo we should be expecting that v3_to_v2_token throws an exception21:01
*** jorge_munoz1 has left #openstack-keystone21:02
raildolbragstad: got it :) thanks for the explanation21:02
lbragstadraildo np21:03
*** c_soukup has joined #openstack-keystone21:03
raildolbragstad: so, I suggest add this on the v3_to_v2_token https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L619-L62221:04
raildolbragstad: since v2 doesn't support federation on this context21:04
*** sinese_ has quit IRC21:04
lbragstadraildo yeah - that would make sense21:04
bknudson_dstanek: the test code sure was working hard to use the policy file.21:06
*** csoukup has quit IRC21:06
*** daemontool has quit IRC21:07
*** jorge_munoz2 has joined #openstack-keystone21:08
*** dolphm has quit IRC21:08
*** jorge_munoz2 has quit IRC21:08
*** aginwala has joined #openstack-keystone21:08
*** dolphm has joined #openstack-keystone21:08
*** ChanServ sets mode: +o dolphm21:08
raildolbragstad: I can add a comment about it on the patch, or if you agree with this case I can send a patch set21:09
*** e0ne has quit IRC21:09
lbragstadraildo on https://review.openstack.org/#/c/258650/22 ?21:10
lbragstadraildo which patch?21:10
raildolbragstad:  this is more related to this patch: https://review.openstack.org/#/c/274851, but it was already merged21:12
raildolbragstad: I can send in the https://review.openstack.org/#/c/258650/2221:12
lbragstadraildo  you can make it a separate patch if you want21:13
jamielennoxnavidp: morning21:13
navidpjamielennox, morning21:13
raildolbragstad: but I have to make "Make fernet default token provider" depends for this patch =/21:13
raildosince the tests on it that are breaking...21:14
navidpjamielennox, have a question about plugin loading in ksa vs ksc21:14
*** jsavak has quit IRC21:15
jamielennoxsure21:15
*** daemontool has joined #openstack-keystone21:15
lbragstadraildo if you want to incorporate your change into https://review.openstack.org/#/c/258650/18 would you be able to address dolphm's comment too?21:15
lbragstadraildo i just saw them come through and I don't want them to get lost in revisions21:16
dolphmoutdated link ^21:16
navidpjamielennox, this is how i load plugins for options list https://review.openstack.org/#/c/276350/6/openstackclient/api/auth.py21:16
dolphmhttps://review.openstack.org/#/c/258650/21:16
lbragstaddolphm thanks21:16
raildolbragstad: great, so I'll do that :)21:16
samueldmqlbragstad: left a comment on https://review.openstack.org/#/c/274850/21:16
samueldmqlbragstad: let me know if that makes sense so I can submit a quick fix ?21:17
*** jsavak has joined #openstack-keystone21:18
raildosamueldmq: he already fixed it: https://review.openstack.org/#/c/258650/19..2121:18
navidpjamielennox, for token-endpoint get this error http://paste.openstack.org/show/486626/21:18
lbragstadsamueldmq sure21:18
navidpjamielennox, what is plugin loading process in keystoneauth21:19
samueldmqraildo: the release note ,21:19
samueldmq?21:19
raildosamueldmq: https://review.openstack.org/#/c/258650/19..21/releasenotes/notes/make-fernet-the-default-token-provider-5060d445e2ebf1bd.yaml21:20
*** nekrodesk has joined #openstack-keystone21:21
*** nekrodesk has quit IRC21:21
samueldmqraildo: I am talking about another thing21:22
samueldmqraildo:21:23
samueldmqRemove support for trusts in v2.021:23
samueldmqraildo: see my comment in https://review.openstack.org/#/c/27485021:23
jamielennoxnavidp: so for whatever reason we renamed token_endpoint to admin_token in keystoneauth21:25
jamielennoxit otherwise clashed with some stuff that OSC had21:25
jamielennoxnavidp: i don't think there is a token_endpoint plugin registered in the keystoneauth entry point21:25
raildosamueldmq: I'm looking and there is just a "as noticed by Dave, this needs a release note"  that why I sent the link, but np we can add something related to this :)21:26
jamielennoxand i don't want OSC to provide one/any21:26
*** aginwala has quit IRC21:27
navidpjamielennox, if i understand correctly, we should drop token_endpoint in osc in favor of ksa token_endpoint21:27
jamielennoxnavidp: also you shouldn't need to use the entrypoint directly, keystoneauth1.loading has get_available_plugin_loaders() that will return you everything on the system21:28
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Trying py27/34 with oslo-master  https://review.openstack.org/27764821:28
*** gildub has quit IRC21:28
*** gildub has joined #openstack-keystone21:28
jamielennoxnavidp: ah, so https://review.openstack.org/#/c/276350/6/setup.cfg is where it is finding token_endpoint21:29
*** jgriffith_away is now known as jgriffith21:29
jamielennoxnavidp: if possible (it's possible but a bit of reorganization) i don't want OSC to provide any keystoneauth plugins21:29
jamielennoxit shouldn't need them21:30
*** nekrodesk has joined #openstack-keystone21:30
jamielennoxand by publishing them like that they become available to every other user on the system21:30
*** pushkaru has quit IRC21:30
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fix release note of removal of v2.0 trusts support  https://review.openstack.org/27864721:31
*** su_zhang has joined #openstack-keystone21:31
stevemargyee: do we need X-User-ID, and X-User-Name here too? https://review.openstack.org/#/c/278580/121:31
navidpjamielennox, no password or token plugins in osc, interesting, doesn't it cause inconsistency?21:32
stevemargyee: nevermind, according to http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html#scope-information we don't21:32
jamielennoxnavidp: i don't think they should need to provide their own at all, but if you do for consistency you can create the plugin directly21:33
jamielennoxthere's no reason to use setuptools and entrypoints when you know exactly the thing you want to instantiate21:33
jamielennoxjust create the class21:33
jamielennoxthat way they can use it without being able to do things like nova --auth-type osc_password21:34
samueldmqstevemar: lbragstad: raildo: https://review.openstack.org/#/c/278647/21:34
* samueldmq : brb21:35
*** su_zhang has quit IRC21:35
bknudson_suhani gupta is a nut.21:36
raildolol21:36
*** clenimar_ has joined #openstack-keystone21:38
navidpjamielennox, ok21:38
navidpjamielennox, thanks21:38
*** csoukup_ has joined #openstack-keystone21:39
*** phalmos_ has joined #openstack-keystone21:39
*** dave-mcc_ has joined #openstack-keystone21:39
*** bknudson has joined #openstack-keystone21:40
*** ChanServ sets mode: +v bknudson21:40
*** nonameentername has joined #openstack-keystone21:40
*** BAKfr_ has joined #openstack-keystone21:41
*** charz_ has joined #openstack-keystone21:41
*** crinkle_ has joined #openstack-keystone21:41
lbragstaddolphm with https://review.openstack.org/#/c/274850/6 we can also remove/refactor all of https://github.com/openstack/keystone/blob/ed67079d2b20811b551d78cc1aa72305f8278777/keystone/tests/unit/test_auth.py#L844-L1278 too - right?21:42
*** skoude has joined #openstack-keystone21:43
*** Dave_____ has joined #openstack-keystone21:43
*** spzala_ has joined #openstack-keystone21:44
*** smcginni1 has joined #openstack-keystone21:44
*** wolsen has joined #openstack-keystone21:44
*** aginwala has joined #openstack-keystone21:44
*** bill_az_ has joined #openstack-keystone21:44
*** aginwala has quit IRC21:45
*** aginwala has joined #openstack-keystone21:46
*** crinkle has quit IRC21:47
*** crinkle_ is now known as crinkle21:47
*** raildo is now known as raildo-afk21:47
dolphmjamielennox: "i don't think they should need to provide their own at all" you mean OSC can instantiate its own plugins?21:47
*** bknudson has quit IRC21:48
*** c_soukup has quit IRC21:48
*** dave-mccowan has quit IRC21:48
*** spzala has quit IRC21:48
*** phalmos has quit IRC21:48
*** bill_az has quit IRC21:48
*** jgriffith has quit IRC21:48
*** BAKfr has quit IRC21:48
*** miguelgrinberg has quit IRC21:48
*** wolsen_ has quit IRC21:48
*** Dave has quit IRC21:48
*** smcginnis has quit IRC21:48
*** jrist has quit IRC21:48
*** charz has quit IRC21:48
*** bknudson_ has quit IRC21:48
*** _nonameentername has quit IRC21:48
*** skoude_ has quit IRC21:48
*** dhellmann has quit IRC21:48
*** ramishra has quit IRC21:48
*** mariusv has quit IRC21:48
*** yarkot has quit IRC21:48
*** hockeynut has quit IRC21:48
*** zeus has quit IRC21:48
*** BAKfr_ is now known as BAKfr21:48
*** miguelgrinberg_ has joined #openstack-keystone21:48
*** nekrodesk has quit IRC21:48
*** miguelgrinberg_ is now known as miguelgrinberg21:48
*** bknudson has joined #openstack-keystone21:49
*** ChanServ sets mode: +v bknudson21:49
*** zeus has joined #openstack-keystone21:49
*** hockeynut has joined #openstack-keystone21:49
*** yarkot has joined #openstack-keystone21:49
*** dhellmann has joined #openstack-keystone21:49
*** zeus is now known as Guest5749721:49
dolphmjamielennox: navidp: so, deprecate the existing plugins in OSC, leaving the entrypoints alone for now. ensure OSC is using keystoneauth plugin instead of its own. and eventually remove the plugins from OSC?21:49
*** mhickey has quit IRC21:50
*** jgriffith has joined #openstack-keystone21:51
dolphmjamielennox: no one should be using OSC's auth plugins besides itself, right?21:51
stevemardolphm: correct21:52
stevemarbknudson: ++21:52
dolphmstevemar: jamielennox: bknudson: navidp: so remove the entry points immediately or leave them alone and deprecate the plugins for now?21:52
*** smcginni1 is now known as smcginnis21:52
*** clenimar_ has quit IRC21:53
dolphmlbragstad: that all looks like it's testing v2?21:53
lbragstaddolphm yeah21:53
dolphmnavidp: https://github.com/openstack/oslo.log/blob/master/oslo_log/versionutils.py#L5221:53
dolphmlbragstad: then yeah - remove it in the same patch? how do those tests still pass21:53
lbragstaddolphm i have a follow on patch coming...21:54
dolphmlbragstad: should it be one patch?21:54
stevemarbknudson: that account has now been disabled21:54
dolphmlbragstad: ah, that's already +A'd21:54
*** jrist has joined #openstack-keystone21:54
jamielennoxdolphm: so the plugin loader is just an indirect way of creating the plugin class right21:55
lbragstadayoung https://review.openstack.org/#/c/278693/121:55
lbragstadayoung that's what I came up with21:56
jamielennoxdolphm: so OSC is providing an osc_password plugin in setup.cfg which keeps compatibility with its old options21:56
ayounglbragstad, good.  I think that, so long as we have a WIP we can move ahead21:56
ayoungI'll look it over21:56
*** ramishra has joined #openstack-keystone21:56
dolphmjamielennox: so osc_password != any other password plugin in ksa or ksc21:56
ayoungjamielennox, It looks like the Nova folks panicked something over the change to KSA21:56
jamielennoxdolphm: but the way it does it is to load_from_argparse('osc_password'). if you're not taking that string from the user it may as well just call OscPassword(...) directly21:56
ayoungis that what you are discussing?21:57
lbragstadayoung dolphm i'm going to propose another patch to remove issuing v2 trust scoped tokens and refactor the tests21:57
ayoungjamielennox, cuz it led to this https://review.openstack.org/27849021:57
jamielennoxit can absolutely provide its own plugin if it needs to handle the arguments, i'm just saying there's no reason for it to be an entrypoint21:57
ayounglbragstad, do what you need.  You have my support.  I'll review what you post21:57
dolphmjamielennox: ah, gotcha.21:58
jamielennoxayoung: i haven't seen any problems regarding the nova/ksa change yet21:58
*** vgridnev has quit IRC21:58
ayoungjamielennox, https://github.com/openstack/puppet-nova/commit/d09868a59c451932d67c66101b725182d7066a1421:58
ayoungthey did that21:58
dolphmjamielennox: so then - can OSC use KSA plugins today?21:58
ayoungjamielennox, and hardcoded the plugin to the v3 version21:58
jamielennoxdolphm: it can't yet, the entrypoint namespaces were purposefully changed between ksc and ksa so you can't get them confused21:59
jamielennoxso OSC is looking for ksc plugins specifically21:59
jamielennoxayoung: interesting - but as i understood it it was always going to be a bit of a problem for puppet and auth plugins22:00
*** aginwala has quit IRC22:01
jamielennoxayoung: because say you substitute 'kerberos' there for 'v3password' puppet wouldn't know the parameters that the kerberos plugin accepted22:01
jamielennoxin ansible's case (and i don't think OSA has done this) i think you can just take a hash of auth values22:02
jamielennoxand just with_dict those into the config file22:02
jamielennoxbut i don't know if there's the equivalent in puppet22:02
*** mylu has quit IRC22:06
*** rcernin has quit IRC22:07
*** phalmos_ has quit IRC22:08
*** petertr7 is now known as petertr7_away22:08
ayoungjamielennox, so, are they doing the right thing then?22:09
jamielennoxayoung: it seems that nova is doing the right thing, i don't know enough puppet to know if there is a better way to handle that22:09
ayoungOK22:09
ayoungI have a todo in the patch22:09
jamielennoxayoung: i know richm and i had spoken about it and he was going to look into the problem22:09
jamielennoxi don't know if he got anywhere with it22:10
*** Guest15678 has joined #openstack-keystone22:10
*** jbell8 has quit IRC22:12
*** jbell8 has joined #openstack-keystone22:12
*** daemontool has quit IRC22:13
openstackgerritSteve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles  https://review.openstack.org/27731922:16
*** boris-42_ has joined #openstack-keystone22:17
*** petertr7z has joined #openstack-keystone22:18
*** petertr7z is now known as petertr722:18
*** bknudson_ has joined #openstack-keystone22:19
*** ChanServ sets mode: +v bknudson_22:19
*** bknudson_ has quit IRC22:19
openstackgerritJorge Munoz proposed openstack/keystone: Move redelegated_trust_id out of extras  https://review.openstack.org/27647422:20
*** bknudson_ has joined #openstack-keystone22:20
*** ChanServ sets mode: +v bknudson_22:20
*** henrynash has joined #openstack-keystone22:20
*** ChanServ sets mode: +v henrynash22:20
*** woodster__ has joined #openstack-keystone22:22
*** chlong_ has joined #openstack-keystone22:22
*** boris-42 has quit IRC22:22
*** petertr7_away has quit IRC22:22
*** dhellmann has quit IRC22:22
*** bknudson has quit IRC22:22
*** chlong has quit IRC22:22
*** woodster_ has quit IRC22:22
*** dhellmann has joined #openstack-keystone22:23
*** woodster__ is now known as woodster_22:23
*** boris-42_ is now known as boris-4222:24
*** nekrodesk has joined #openstack-keystone22:26
*** henrynash has quit IRC22:30
*** su_zhang has joined #openstack-keystone22:30
*** aginwala has joined #openstack-keystone22:31
*** aginwala has quit IRC22:32
*** aginwala has joined #openstack-keystone22:32
*** diazjf has quit IRC22:34
lbragstadayoung this wasn't v2 specific was it?22:38
lbragstadhttps://github.com/openstack/keystone/blob/ed67079d2b20811b551d78cc1aa72305f8278777/keystone/tests/unit/test_auth.py#L1140-L114822:38
*** lhcheng has quit IRC22:40
*** mylu has joined #openstack-keystone22:42
*** aginwala has quit IRC22:44
*** jgriffith is now known as jgriffith_away22:46
*** mylu has quit IRC22:48
*** alex_xu has quit IRC22:52
*** sigmavirus24 is now known as sigmavirus24_awa22:53
*** alex_xu has joined #openstack-keystone22:55
*** mylu has joined #openstack-keystone22:57
*** doug-fish has quit IRC22:59
*** aginwala has joined #openstack-keystone23:00
*** doug-fish has joined #openstack-keystone23:00
*** aginwala has quit IRC23:01
*** aginwala has joined #openstack-keystone23:01
*** jgriffith_away is now known as jgriffith23:02
lbragstadayoung i just hooked https://github.com/openstack/keystone/blob/ed67079d2b20811b551d78cc1aa72305f8278777/keystone/tests/unit/test_auth.py#L1140-L1148 up using v3 and it has an inconsistent behavior with v223:05
*** doug-fish has quit IRC23:05
lbragstadayoung not sure how you want to handle these http://cdn.pasteraw.com/e3hadt7pdw6mq2fxv0r4n4w2ffurbs923:05
*** lhcheng has joined #openstack-keystone23:06
*** ChanServ sets mode: +v lhcheng23:06
*** doug-fis_ has joined #openstack-keystone23:08
openstackgerritBrant Knudson proposed openstack/keystone: Deprecate admin_token_auth  https://review.openstack.org/27544323:10
*** doug-fis_ has quit IRC23:10
*** doug-fis_ has joined #openstack-keystone23:11
ayounglbragstad, was it allowing you to create a trust using a trust?  And redelegation was not set?23:11
lbragstadayoung no - one gives me an Unauthorized and another gives me a Forbidden23:11
ayounglbragstad, It sounds like one is on token validation and the other is on the operation.  What does the V3 API spec say it should be?23:12
ayoungForbidden  right?23:12
lbragstadv2.0 was giving me Unauthorized23:13
lbragstadv3 was giving me a Forbidden23:13
ayounglbragstad, I think the v3 response is more correct23:13
ayoungand I suspect that the error handling is irrelevant23:14
ayoungit's going to be ! Success.23:14
ayoungSo, while it is a risk, I suspect you want to make v2 return Forbidden23:14
ayoungand, if that is what you want to do, because it cleans up the code, do it23:14
*** daemontool has joined #openstack-keystone23:15
lbragstadok23:16
ayounglbragstad, normally I would say "don't change the return code" but I assume you want to change it so that the same code is executed for both?23:16
*** mylu has quit IRC23:16
lbragstadayoung i'm putting together a patch to remove support for getting v2.0 trust-scoped tokens23:16
lbragstadwhich is exactly the opposite of the patch I did earlier23:17
lbragstadthat way we can look at them23:17
*** mylu has joined #openstack-keystone23:19
*** mylu has quit IRC23:21
*** mylu has joined #openstack-keystone23:21
*** mylu has quit IRC23:23
*** mylu has joined #openstack-keystone23:24
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fix default LDAP attribute for user name  https://review.openstack.org/27879123:25
samueldmqayoung: stevemar: ^ is this something we can/want to do ?23:25
ayoungsamueldmq, massive breakage23:26
samueldmqayoung: yeah, that's what I expected23:26
ayoungsamueldmq, TBH, I suspect you could make that happen23:26
*** roxanaghe has quit IRC23:26
bknudson_we're using cn for the user ID attribute.23:26
ayoungmost people doing LDAP would explicitly set that field.  I'd almost be more prone to drop the defaults and complain23:27
bknudson_so I don't think it would work to use cn for both the ID and the name... what happens if you update the name?23:27
ayoungbknudson_, LDAP is read only.  That could happen on you anyway23:27
ayoungif you go to the LDAP backend and change the UID or the CN or any other field that Keystone was using, Keystone will show the change23:28
ayoungin the Case of the userid field, it would mean that the user lost all their resources23:28
samueldmqand I suspect changing defaults on *config* files shouldn't break people ?23:28
samueldmqdeployers are expected to customize/adapt config files according to their deployments/needs23:29
bknudson_if ldap is read-only why do we have http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap.py#n103 ?23:29
samueldmqthat's the same of updating policy, isn't it ,23:29
bknudson_it's deprecated, but that doesn't mean you can't continue using it23:29
bknudson_changing defaults of config files breaks people23:30
samueldmqbknudson_: aren't deployers supposed to analyze and merge upstream configs with theirs ?23:31
*** roxanaghe has joined #openstack-keystone23:31
samueldmqor is it that lots of people just run on defaults anyways ?23:31
bknudson_they did, and if they used the defaults they break when the default changes.23:32
*** doug-fis_ has quit IRC23:33
*** edmondsw has joined #openstack-keystone23:34
samueldmqayoung: bknudson_: so looks like it'd be better to just update our configuration.rst docs23:35
ayoungsamueldmq, the norm is that LDAP is read only.  I think we said we were deprecating writable LDAP23:35
ayoungit really does not suit anyone23:36
bknudson_the docs might be more accurate.23:36
bknudson_hopefully the docs say to not use writable ldap23:39
*** gordc has quit IRC23:41
openstackgerritBrant Knudson proposed openstack/oslo.policy: Support policy file in YAML  https://review.openstack.org/27851323:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fix configuration docs for username LDAP attribute  https://review.openstack.org/27879123:43
samueldmqbknudson_: ayoung: fixing docs (I think it's the best thing to do for now) ^23:44
ayoungsamueldmq, ++23:44
*** chlong_ has quit IRC23:46
*** mylu has quit IRC23:47
*** csoukup_ has quit IRC23:50
*** aginwala has quit IRC23:50
*** aginwala has joined #openstack-keystone23:51
bigjoolshey guys, devstack sets up catalog urls with v3 at the end, should that be fixed?23:54
*** spzala_ has quit IRC23:54
*** spzala has joined #openstack-keystone23:55
