Friday, 2016-02-12

*** su_zhang has quit IRC00:04
*** su_zhang has joined #openstack-keystone00:05
*** roxanaghe has joined #openstack-keystone00:08
*** jamielennox is now known as jamielennox|away00:10
*** doug-fis_ has joined #openstack-keystone00:10
*** su_zhang has quit IRC00:12
*** su_zhang has joined #openstack-keystone00:12
*** daemontool_ has joined #openstack-keystone00:14
*** doug-fish has quit IRC00:15
*** daemontool has quit IRC00:15
*** dan_nguyen has joined #openstack-keystone00:16
*** nekrodesk has joined #openstack-keystone00:19
*** nekrodesk has quit IRC00:19
*** nekrodesk has joined #openstack-keystone00:21
*** nekrodesk has quit IRC00:21
lbragstaddstanek yep - one sec00:21
*** shoutm_ has joined #openstack-keystone00:26
*** shoutm has quit IRC00:28
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857000:29
*** aginwala has quit IRC00:29
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916200:30
*** csoukup_ has quit IRC00:30
*** nekrodesk has joined #openstack-keystone00:32
*** aginwala has joined #openstack-keystone00:32
*** aginwala has quit IRC00:33
*** aginwala has joined #openstack-keystone00:33
*** diazjf1 has quit IRC00:34
*** jasonsb has joined #openstack-keystone00:39
*** browne has quit IRC00:50
*** browne has joined #openstack-keystone00:52
*** shoutm has joined #openstack-keystone00:52
*** shoutm_ has quit IRC00:53
*** shoutm has quit IRC01:00
*** shoutm has joined #openstack-keystone01:01
*** ayoung has joined #openstack-keystone01:02
*** ChanServ sets mode: +v ayoung01:02
*** lhcheng has quit IRC01:09
*** aginwala has quit IRC01:10
*** aginwala has joined #openstack-keystone01:14
*** aginwala has quit IRC01:15
*** aginwala has joined #openstack-keystone01:15
*** alex_xu_ has quit IRC01:17
*** hideme has quit IRC01:18
*** gildub has quit IRC01:18
*** gildub has joined #openstack-keystone01:18
*** gildub has quit IRC01:19
*** browne has quit IRC01:20
*** gyee has joined #openstack-keystone01:21
*** ChanServ sets mode: +v gyee01:21
*** su_zhang has quit IRC01:24
*** alex_xu has joined #openstack-keystone01:25
openstackgerritDavid Stanek proposed openstack/keystone: Adds warning when no domain configs were uploaded  https://review.openstack.org/21428701:25
openstackgerritDavid Stanek proposed openstack/keystone: Extracts logic for finding domain configs  https://review.openstack.org/27935201:25
openstackgerritDavid Stanek proposed openstack/keystone: Adds better logging to the domain config finder  https://review.openstack.org/27935301:25
openstackgerritDavid Stanek proposed openstack/keystone: WIP refactor domain config upload  https://review.openstack.org/27935401:25
dolphmbknudson_: yes on catalog01:26
dolphmstevemar: there's not much yet, and there probably won't be too much ever01:26
stevemardstanek: ty!01:27
*** browne has joined #openstack-keystone01:28
dstanekdid someone add a turbo charger to the gate?01:32
dstanekit's almost like someone went ahead and pressed the NOS button01:33
stevemardstanek: someone pushed the old turbo button on the server01:34
stevemardstanek: http://i.imgur.com/NMary6v.png01:34
*** jamielennox|away is now known as jamielennox01:34
stevemarpokes bknudson_01:37
stevemarbknudson_: i'm trying out your uwsgi patch, getting "-s/--socket option is missing and stdin is not a socket" problems01:37
stevemaromg uwsgi help output is so long, i think it's actually longer than osc's01:39
dstanekstevemar: i was thinking more like http://www.12voltguy.com/images/D/G61.JPG01:40
*** aginwala has quit IRC01:43
*** drjones has quit IRC01:44
*** aginwala has joined #openstack-keystone01:50
*** harlowja has quit IRC01:55
*** clenimar has joined #openstack-keystone01:57
*** edmondsw has quit IRC01:57
*** clenimar has quit IRC01:57
*** Guest47583 has quit IRC02:06
*** jbell8 has joined #openstack-keystone02:22
*** spandhe has quit IRC02:23
*** aginwala has quit IRC02:26
*** aginwala has joined #openstack-keystone02:30
*** r-daneel has quit IRC02:32
*** browne has quit IRC02:33
*** shoutm_ has joined #openstack-keystone02:47
*** diazjf has joined #openstack-keystone02:48
*** shoutm has quit IRC02:48
*** dave-mccowan has quit IRC02:54
*** aginwala has quit IRC02:57
*** jbell8 has quit IRC02:57
*** aginwala has joined #openstack-keystone03:00
*** diazjf has quit IRC03:01
*** aginwala has quit IRC03:02
*** mylu has quit IRC03:03
*** su_zhang has joined #openstack-keystone03:09
*** gyee has quit IRC03:09
*** dan_nguyen has quit IRC03:09
*** dims has quit IRC03:11
*** dims has joined #openstack-keystone03:11
*** nekrodesk has quit IRC03:13
*** andrewbogott has quit IRC03:15
*** andrewbogott has joined #openstack-keystone03:15
*** mylu has joined #openstack-keystone03:15
openstackgerritMerged openstack/keystone-specs: Change token method  https://review.openstack.org/27790803:17
*** doug-fis_ has quit IRC03:19
ayoungjamielennox, ok, so I have found that if I do not explicitly set OS_IDENTITY_API_VERSION, I can't run `openstack domain list`03:19
ayoungI can use a versions AUTH URL but need to specify the version.  Is that what you would expect?03:20
*** doug-fish has joined #openstack-keystone03:21
*** doug-fish has quit IRC03:21
stevemarayoung: that's expected behavior03:24
jamielennoxayoung: right, so consider the IDENTITY_API_VERSION independent of the auth plugin03:26
jamielennoxyou can use a v3 token to do v2 operations etc03:26
ayoungjamielennox, I did not specify an auth plugin03:27
ayoungI specified OS_PASSWORD03:27
ayoungI'm guessing that does it implicitly?03:27
stevemarayoung: is this bug still valid? https://bugs.launchpad.net/keystone/+bug/153976603:27
openstackLaunchpad bug 1539766 in OpenStack Identity (keystone) "trust redelegation allows trustee to create a trust (with impersonation set to true) from a redelegated trust (with impersonation set to false)" [High,In progress] - Assigned to Jorge Munoz (jorge-munoz)03:27
jamielennoxayoung: so OSC does a bunch of hacks depending on what you give it03:27
stevemaror did we decide that it's working as expected03:27
jamielennoxayoung: i think it's using the password plugin underneath so it's doing discovery on whatever url you give it03:27
jamielennoxso if you give it a /v2.0 url it will do v2 auth03:28
ayoungstevemar, gah...can't parse03:28
ayoungI gave it a versionless URL03:28
ayoungexport OS_AUTH_URL=http://192.0.2.18:5000/03:28
ayoungdoes it then use the service catalog?03:28
jamielennoxyep, so it'd do discovery and do the best it can03:28
jamielennoxayoung: no, GET $OS_AUTH_URL03:28
ayoungand we default to V2?03:28
stevemarjamielennox: let me know when you have a few minutes, wanted to chat about the keystone libraries03:29
jamielennoxayoung: OS_IDENTITY_API_VERSION defaults to "2"03:29
jamielennoxstevemar: sure03:29
jamielennoxstevemar: whenever03:29
stevemarjamielennox: wanted to go over the open changes and bugs of the libraries in preparation for mitaka-303:30
stevemarso... ksc open changes: https://review.openstack.org/#/q/project:openstack/python-keystoneclient+status:open03:30
ayoungOK03:30
jamielennoxooo, we +2ed deprecate session03:31
jamielennox+Aed03:31
ayoungYou're welcome03:31
*** dims has quit IRC03:31
ayoungdid I do that?03:31
ayoungI meant to, anyway03:31
stevemaroh samuel did03:31
*** links has joined #openstack-keystone03:32
stevemarhmm, jamielennox i thought we wanted to deprecate in newton03:32
*** csoukup has joined #openstack-keystone03:32
ayoungdeprecate early and often03:32
*** roxanaghe has quit IRC03:32
stevemarayoung: well, i'm thinking from the pov of a consuming service, we *just* got folks moved over to session03:33
jamielennoxi like it samueldmq, get the controversial stuff through :)03:33
stevemarnow they have to move over the auth03:33
jamielennoxstevemar: it's possibly going to raise some warnings in unexpected places03:33
ayoungI'm still wondering about the whole Puppet Nova V3 thing, why it worked before they moved to KSA but not after03:33
stevemarnovaclient and neutronclient moved over03:33
stevemarthose are the two big guys03:34
jamielennoxstevemar: i was thinking more about the things using like session.load_from_conf_options etc03:34
ayoungstevemar, looking at the trust bug you posted above looks like a valid bug, and a nasty one03:34
jamielennoxlike nova and neutron rather than the clients03:34
*** dave-mccowan has joined #openstack-keystone03:35
jamielennoxstevemar: regarding https://review.openstack.org/#/c/27802703:35
stevemarjamielennox: y, thoughts?03:36
jamielennoxstevemar: i think the best thing we can do there is not print non-str data, there have been versions of this patch before03:36
jamielennoxbut there are lots of subtle py2/py3 issues03:36
jamielennoxbut an example of binary data you might be posting would be an ISO image to glance03:36
jamielennoxand you're going to come across problems if you try to log it to disk03:36
jamielennoxi think we should do if headers.get('Content-Type') in ('application/json', 'text/html'): logger.debug(data)03:37
jamielennoxotherwise just don't log it03:38
stevemarjamielennox: i'm coming at all of these from a "is it going to mess things up late in the game" point of view03:38
stevemarif it's even a little contentious, and unnecessary, it's not getting in03:38
jamielennoxi don't think that one's dangerous, i just think people are trying to be too clever in maintaining behaviour03:38
stevemarah03:38
stevemaryeah, that's a lot of debug calls03:39
jamielennoxthe old behaviour's not that good, just fix it03:39
ayoungDoes anyone know how to use puppet-keystone to add a user without also setting up Keystone at the same time?03:39
stevemarayoung: puppet people will know03:39
jamielennoxno idea03:39
ayoungstevemar, You'd think so03:39
* stevemar looks at the tests of that patch03:40
ayoungI am really getting tired of puppet's spooky actions at a distance approach03:40
*** gildub has joined #openstack-keystone03:40
stevemarjamielennox: it looks safe03:40
stevemarjamielennox: i'm +203:41
openstackgerritMerged openstack/python-keystoneclient: Deprecate Session  https://review.openstack.org/25869203:41
openstackgerritMerged openstack/python-keystoneclient: Deprecate auth plugins from keystoneclient  https://review.openstack.org/25869303:42
stevemarjamielennox: the request id bits is a lot to look at right now, so skip that for now03:42
openstackgerritMerged openstack/python-keystoneclient: Deprecate adapter  https://review.openstack.org/25874203:42
ayoungmfisch, do you know how to use Keystone Puppet module in "apply" mode to add a user without also setting up Keystone, or destroying an existing install?03:42
stevemarjamielennox: what about https://review.openstack.org/#/c/254154/ ?03:42
stevemarjamielennox: all the ones older than feb 5 can wait and bit rot :)03:43
ayoungI have the same problem with the Apache module. I want to add the Federation information for /etc/httpd/  Added class('apache:') and the puppet apply wiped out all the old config03:44
stevemarjamielennox: err we need a release note for the deprecations03:45
*** browne has joined #openstack-keystone03:45
*** dan_nguyen has joined #openstack-keystone03:45
stevemari'll write something up03:46
jamielennoxstevemar: ok, +A03:46
*** woodster_ has quit IRC03:46
jamielennoxstevemar: for https://review.openstack.org/#/c/254154/ - what were they doing that they hit that?03:48
openstackgerritMerged openstack/keystonemiddleware: Remove except Exception handler  https://review.openstack.org/26855303:48
jamielennoxlike i get the problem - but why on earth would you have a character like that in a key value?03:48
stevemarjamielennox: that's what i asked (refer to my only comment)03:49
stevemarjamielennox: i'll make a release note and release ksc on monday, i don't anticipate any more work going into it for this release03:50
stevemarthis should give us runway in case something funky happens03:50
*** ebalduf has joined #openstack-keystone03:51
*** csoukup has quit IRC03:51
jamielennoxstevemar: ok, i put on a similar comment03:52
jamielennoxyea, i'm scared by all these request-id changes03:53
jamielennoxi've never seen someone pull off a complete across all clients change like that successfully03:53
stevemarjamielennox: yeah, i don't want to be the guinea pig03:54
stevemarthat can wait til N imo03:54
jamielennoxstevemar: what happens to revocations when PKI goes away?03:56
jamielennoxstevemar: see https://review.openstack.org/#/c/260196/4/keystoneclient/v3/tokens.py03:56
jamielennoxstevemar: also this should be fine: https://review.openstack.org/#/c/271120/03:57
*** nekrodesk has joined #openstack-keystone03:58
*** nekrodesk has quit IRC03:58
stevemarjamielennox: i'm not ready for the revoke one just yet03:59
stevemarthat one scares me03:59
*** Nirupama has joined #openstack-keystone03:59
stevemar+W on the endpoint override03:59
jamielennoxstevemar: i'm not looking for code, just conceptually - does it just go away?03:59
jamielennoxayoung: 603:59
jamielennoxayoung: ^03:59
ayoung6!04:00
ayoungreading04:00
ayoungjamielennox, " happens to revocations when PKI goes away?"04:00
jamielennoxayoung: yea04:00
ayoungjamielennox, OK, so the revocation list can go away, too04:00
ayoungthe events are used for fernet04:00
ayoungand we can drop 90% of them04:00
jamielennoxayoung: why do we care about publishing events for fernet?04:01
ayoungbecause instead of revoking upon, say, domain deactivate, we just won't mark those tokens as valid04:01
jamielennoxayoung: _publishing_04:01
ayoungjamielennox, password change, explicit token revoke.  Need to persist those04:01
ayoungno publishing required04:01
*** nekrodesk has joined #openstack-keystone04:01
ayoungonly used inside Keystone04:01
jamielennoxayoung: keystone will need to track events, but i don't see that we need to publish revocation events04:01
*** shoutm has joined #openstack-keystone04:01
ayoungright04:02
ayoungall that can stop04:02
jamielennoxsweet04:02
ayoungjamielennox, oh yes04:02
jamielennoxit just seems to remove so much pain for like 2 years i can't believe it just goes away04:02
jamielennoxi thought i was overlooking something04:02
ayoungjamielennox, we went a different direction04:02
ayoungPKI was going to do what we ended up doing with SAML for K2K04:03
ayoungOf course, K2K doesn't have revocations04:03
ayoungand PKI never should have either04:03
ayoungbut, whatever04:03
*** shoutm_ has quit IRC04:03
jamielennoxayoung: right - but that's not our fault :) the best part about standards04:03
ayoungI've learned a thing or two about delegation since then.  Best to check it live.04:03
ayoungAuthentication can be long lived, so long as the delegation check is synchronous04:04
jamielennoxok, i'm pretty sure auth_token middleware has been doing revocation wrong all along04:04
ayoungand you check delegation/authorization when the action occurs04:04
ayoungHeh04:04
ayoungalmost certainly04:04
openstackgerritMerged openstack/keystone: Enables token_data_helper tests for Python3  https://review.openstack.org/27805504:04
jamielennoxyep, cause we check and fetch revocations regardless of type or anything04:05
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: add release notes for deprecated auth bits  https://review.openstack.org/27937404:05
stevemarjamielennox: https://review.openstack.org/#/c/279374/04:05
stevemarjamielennox: anything in ksa you think are a must for mitaka? https://review.openstack.org/#/q/project:openstack/keystoneauth+status:open04:05
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947904:06
jamielennoxstevemar: nope, even the endpoint_override expansion is a nice-to-have04:06
stevemarjamielennox: yeah, not much went in since last release: https://github.com/openstack/keystoneauth/compare/2.2.0...master04:06
stevemarwould still be nice to have it out04:07
jamielennoxstevemar: yep - that doesn't mean you can't release04:07
jamielennoxstevemar: https://review.openstack.org/#/c/255661/ should be a safe change04:09
jamielennoxstevemar, ayoung: and i would really like https://review.openstack.org/#/c/267277/ to go in before a middleware release04:10
*** su_zhang has quit IRC04:11
stevemarjamielennox: what about https://review.openstack.org/#/c/220509/04:13
stevemarjamielennox: okay04:14
stevemarwe can get those in04:14
stevemarjamielennox: middleware has A LOT of commits04:14
jamielennoxstevemar: put a -1 on https://review.openstack.org/#/c/22050904:16
stevemarjamielennox: well, not a lot, but ... a lot of changes that could cause issues04:16
jamielennoxstevemar: we removed all my good issue changing commits04:17
jamielennoxissue causing04:17
stevemarjamielennox: bknudson_ -1'ed https://review.openstack.org/#/c/255661/04:18
jamielennoxstevemar: yep, but it was over the need for a bug number, i replied but it hasn't moved04:18
jamielennoxstevemar: i don't mind waiting for bknudson_ to clear it04:19
stevemaroh, meh04:19
*** dan_nguyen has quit IRC04:21
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/27890704:23
*** mylu has quit IRC04:24
openstackgerritTin Lam proposed openstack/keystone: Removing H405 violations from keystone  https://review.openstack.org/27819004:26
*** dave-mccowan has quit IRC04:28
openstackgerritMerged openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802704:37
openstackgerritMerged openstack/keystoneauth: Allow parameter expansion in endpoint_override  https://review.openstack.org/27112004:42
*** spandhe has joined #openstack-keystone04:45
*** mylu has joined #openstack-keystone04:48
jamielennoxstevemar: so stevemar about the OSC proposal - i'm not trying to remove things from the root namespace04:52
jamielennoxwell, not entirely04:52
openstackgerritayoung proposed openstack/keystone-specs: Dynamic RBAC Policy  https://review.openstack.org/27937904:57
*** jbell8 has joined #openstack-keystone04:58
*** mylu_ has joined #openstack-keystone05:05
*** jbell8 has joined #openstack-keystone05:08
*** browne has quit IRC05:08
*** browne has joined #openstack-keystone05:08
*** charz_ has quit IRC05:09
*** mylu has quit IRC05:09
*** pumaranikar has quit IRC05:09
*** ebalduf has quit IRC05:09
*** dtroyer has quit IRC05:09
*** comstud has quit IRC05:10
*** mgagne has quit IRC05:10
*** hockeynut has quit IRC05:10
*** roxanaghe has joined #openstack-keystone05:10
*** roxanaghe has quit IRC05:10
*** nekrodesk has quit IRC05:10
*** dtroyer has joined #openstack-keystone05:11
*** rm_work has quit IRC05:11
*** stevemar has quit IRC05:11
*** hughsaunders has quit IRC05:11
*** hockeynut has joined #openstack-keystone05:12
*** roxanaghe has joined #openstack-keystone05:12
*** pumaranikar has joined #openstack-keystone05:12
*** charz has joined #openstack-keystone05:12
*** mgagne has joined #openstack-keystone05:12
*** mgagne is now known as Guest368705:12
*** stevemar has joined #openstack-keystone05:13
*** ChanServ sets mode: +o stevemar05:14
*** hughsaunders has joined #openstack-keystone05:17
*** rm_work has joined #openstack-keystone05:18
*** comstud has joined #openstack-keystone05:18
*** chlong has quit IRC05:19
*** jaosorior has joined #openstack-keystone05:20
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Deprecate class AuthTokenPlugin properly  https://review.openstack.org/22050905:23
*** boris-42 has quit IRC05:24
*** vgridnev has joined #openstack-keystone05:24
*** su_zhang has joined #openstack-keystone05:25
*** aginwala has joined #openstack-keystone05:25
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: update deprecation message to indicate when deprecations were made  https://review.openstack.org/22050905:30
stevemarjamielennox: ^ if you're inclined05:31
*** chlong has joined #openstack-keystone05:33
*** shoutm has quit IRC05:39
*** chlong has quit IRC05:42
*** shoutm has joined #openstack-keystone05:45
*** roxanaghe has quit IRC05:48
openstackgerritMerged openstack/keystone: refactor: Remove unused test method  https://review.openstack.org/25555905:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947905:53
*** chlong has joined #openstack-keystone05:54
*** mylu_ has quit IRC05:57
*** aginwala has quit IRC06:01
*** mylu has joined #openstack-keystone06:01
*** mylu has quit IRC06:03
*** aginwala has joined #openstack-keystone06:04
*** jaosorior has quit IRC06:06
*** jaosorior has joined #openstack-keystone06:06
stevemarjamielennox: heads up: https://bugs.launchpad.net/keystonemiddleware/+bug/154248606:06
openstackLaunchpad bug 1542486 in OpenStack Compute (nova) "nova-compute stack traces with BadRequest: Specifying 'tenant_id' other than authenticated tenant in request requires admin privileges" [Undecided,Incomplete]06:06
openstackgerritMerged openstack/keystone: Deprecate admin_token_auth  https://review.openstack.org/27544306:06
*** jaosorior has quit IRC06:06
*** jaosorior has joined #openstack-keystone06:11
*** chlong has quit IRC06:11
stevemartjcocozz: i have a job for you tomorrow, fix this backport: https://review.openstack.org/#/c/265019/06:19
*** nekrodesk has joined #openstack-keystone06:24
*** nekrodesk has quit IRC06:24
*** aginwala has quit IRC06:25
stevemardstanek: easy one for bug squash day tomorrow: https://review.openstack.org/#/c/265797/06:26
stevemardstanek: another for tomorrow: https://review.openstack.org/#/c/275706/606:27
*** med_ has quit IRC06:28
*** jbell8 has quit IRC06:28
*** jbell8 has joined #openstack-keystone06:30
*** nekrodesk has joined #openstack-keystone06:30
*** nekrodesk has quit IRC06:30
*** lhcheng has joined #openstack-keystone06:33
*** ChanServ sets mode: +v lhcheng06:33
*** chlong has joined #openstack-keystone06:34
*** aginwala has joined #openstack-keystone06:35
*** nekrodesk has joined #openstack-keystone06:36
*** nekrodesk has quit IRC06:36
*** nekrodesk has joined #openstack-keystone06:39
*** nekrodesk has quit IRC06:39
*** nekrodesk has joined #openstack-keystone06:41
*** med_ has joined #openstack-keystone06:43
*** med_ is now known as Guest7650706:43
*** gildub has quit IRC06:55
*** su_zhang has quit IRC06:57
*** aginwala has quit IRC06:58
*** aginwala has joined #openstack-keystone07:00
*** boris-42 has joined #openstack-keystone07:02
*** chlong has quit IRC07:03
openstackgerritMerged openstack/keystonemiddleware: update deprecation message to indicate when deprecations were made  https://review.openstack.org/22050907:08
openstackgerritSteve Martinelli proposed openstack/pycadf: Add docstring validation  https://review.openstack.org/23025707:15
*** lhcheng_ has joined #openstack-keystone07:15
openstackgerritSteve Martinelli proposed openstack/pycadf: Add docstring validation  https://review.openstack.org/23025707:17
*** lhcheng has quit IRC07:17
*** jbell8 has quit IRC07:20
*** jbell8 has joined #openstack-keystone07:20
*** jbell8 has quit IRC07:23
*** jbell8 has joined #openstack-keystone07:23
*** jbell8 has quit IRC07:27
*** jbell8 has joined #openstack-keystone07:28
*** belmoreira has joined #openstack-keystone07:28
*** tomoiaga has joined #openstack-keystone07:30
*** henrynash has joined #openstack-keystone07:30
*** ChanServ sets mode: +v henrynash07:30
*** jbell8 has quit IRC07:30
*** jbell8 has joined #openstack-keystone07:31
tomoiagaI am writing a keystoneauth plugin and was wondering where I can find more info on what get_cache_id_elements is used for (it is explained a bit but I have some trouble understanding what type of caching the author refers to). Thank you!07:34
*** jbell8 has quit IRC07:34
*** jbell8 has joined #openstack-keystone07:35
*** jbell8 has quit IRC07:40
*** jbell8 has joined #openstack-keystone07:40
*** lhcheng_ has quit IRC07:47
*** su_zhang has joined #openstack-keystone07:49
*** spandhe has quit IRC07:52
*** vgridnev has quit IRC07:58
*** su_zhang has quit IRC08:11
*** aginwala has quit IRC08:17
*** pnavarro has joined #openstack-keystone08:19
*** nekrodesk has quit IRC08:21
*** aginwala has joined #openstack-keystone08:31
*** aginwala has quit IRC08:36
*** shoutm has quit IRC08:43
*** browne has quit IRC08:44
*** e0ne has joined #openstack-keystone08:49
*** vgridnev has joined #openstack-keystone08:50
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specifc roles  https://review.openstack.org/26207808:51
*** fhubik has joined #openstack-keystone08:54
openstackgerrithenry-nash proposed openstack/keystone: Modify implied roles to honor domain specific roles  https://review.openstack.org/26306408:56
*** pnavarro has quit IRC09:01
*** mhickey has joined #openstack-keystone09:07
*** mhickey has quit IRC09:08
*** mhickey has joined #openstack-keystone09:09
*** aginwala has joined #openstack-keystone09:14
openstackgerrithenry-nash proposed openstack/keystone: Modify rules for domain specific role assignments  https://review.openstack.org/26354909:16
*** aginwala has quit IRC09:18
*** mvk has joined #openstack-keystone09:25
openstackgerritMerged openstack/python-keystoneclient: add release notes for deprecated auth bits  https://review.openstack.org/27937409:25
*** nekrodesk has joined #openstack-keystone09:26
*** nekrodesk has quit IRC09:26
*** rvba has quit IRC09:26
*** rvba has joined #openstack-keystone09:27
*** rvba has quit IRC09:27
*** rvba has joined #openstack-keystone09:27
*** nekrodesk has joined #openstack-keystone09:29
*** nekrodesk has quit IRC09:29
*** nekrodesk has joined #openstack-keystone09:32
*** nekrodesk has quit IRC09:32
*** nekrodesk has joined #openstack-keystone09:33
*** nekrodesk has quit IRC09:33
*** nekrodesk has joined #openstack-keystone09:36
*** nekrodesk has quit IRC09:36
*** nekrodesk has joined #openstack-keystone09:39
*** nekrodesk has quit IRC09:39
*** nekrodesk has joined #openstack-keystone09:41
*** pnavarro has joined #openstack-keystone09:48
openstackgerritMerged openstack/keystone: Extracts logic for finding domain configs  https://review.openstack.org/27935209:54
*** pnavarro has quit IRC09:54
openstackgerritMerged openstack/keystone: Adds better logging to the domain config finder  https://review.openstack.org/27935309:55
*** mvk has quit IRC09:59
*** rudolfvriend has joined #openstack-keystone10:04
*** pnavarro has joined #openstack-keystone10:08
*** daemontool has joined #openstack-keystone10:28
*** daemontool_ has quit IRC10:31
*** openstackgerrit has quit IRC10:32
*** openstackgerrit has joined #openstack-keystone10:32
*** mvk has joined #openstack-keystone10:32
*** aginwala has joined #openstack-keystone10:35
jamielennoxtomoiaga: at the moment it's not really used for much at all10:39
jamielennoxbut it's referring to the elements of that plugin that make it unique10:39
*** aginwala has quit IRC10:40
*** pnavarro has quit IRC10:40
tomoiagajamielennox: thank you. I've created the function since it was "required" and I am using my own token cache. I am waiting for the possibility to serialize an entire accessInfo object :) Right now I access the ._data to cache the catalog and other details :)10:40
jamielennoxso if you hash all the elements in the get_cache_id_elements dictionary it will be unique and you can reuse an existing token if the elements are the same10:40
jamielennoxtomoiaga: it shouldn't be 'required', if you don't fill anything in it will return None and it's assumed you can't cache that plugin10:41
*** dims has joined #openstack-keystone10:41
jamielennoxbut yes, the intention is/was to add it to openstackclient so that it could reuse authentication across calls10:42
jamielennoxit's still planned but the transition from keystoneclient to keystoneauth is more difficult than expected10:42
jamielennoxthe functionality is all there though if you want to use it in your own application10:43
tomoiagajamielennox: yes, "required" may be too much. I thought I might use it to cache auth, I guess in the future it will be possible (it will be great :) ). Right now I have my own code.10:43
tomoiagajamielennox: I switched to keystoneauth for my project a few days ago. I had some small issues with the AccessInfo objects (it was a nice thing you guys documented the change)10:44
tomoiagajamielennox: keystoneauth and the session were great things so thank you for your work on this!10:46
jamielennoxtomoiaga: excellent! i'm glad it made things easier for you. and yes i thought that almost no-one would notice the accessinfo changes but it has caught a few people now10:47
jamielennoxlet me know of anything that doesn't work as you expect10:47
jamielennoxand particularly the caching as i thought it was going to get a lot of testing from OSC and as yet it hasn't10:48
jamielennox(i don't know anything that would be wrong just i was expecting it to be used a lot by now)10:48
tomoiagajamielennox: I'll look at it and try to implement it on my project. Until now I went with the lazy approach and saved the entire accessinfo in a request session. Worked well since it was a dict :)10:51
tomoiagaserializable dict that is10:51
jamielennoxtomoiaga: so get_cache_id gives you a unique hash value to the plugin state10:52
jamielennoxget_auth_state gives you a string and set_auth_state takes it back10:52
jamielennoxhttps://github.com/openstack/keystoneauth/blob/master/keystoneauth1/plugin.py#L201-L24610:52
jamielennoxthey call the cache_id_elements internally10:52
jamielennoxthat should be really easily combined to cache to either memcache or keyring or whatever you use10:53
jamielennoxthis is why there's no mention of what type of caching it will be - because it can be anything10:54
jamielennoxas per doc string you should only call get_auth_state/set_auth_state if get_cache_id gives you a non-none value10:55
*** josecastroleon has quit IRC10:56
jamielennoxand with that - goodnight10:58
tomoiagajamielennox: thank you very much! That helps a lot10:58
tomoiagajamielennox: have a good night!10:59
*** nekrodesk has quit IRC11:07
*** sileht has quit IRC11:20
*** Ephur has quit IRC11:24
*** alex_xu has quit IRC11:27
*** alex_xu has joined #openstack-keystone11:28
*** sileht has joined #openstack-keystone11:39
*** baffle___ is now known as baffle11:45
samueldmqjamielennox: stevemar: hey, it went through the gate11:49
samueldmqjamielennox: stevemar: my understanding was that we got more things moved over ksa and since Morgan removed his -1, it was time!11:50
*** aginwala has joined #openstack-keystone11:53
*** aginwala has quit IRC11:58
openstackgerritHenrique Truta proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128911:58
samueldmqjamielennox: stevemar: also I agree with ayoung, why not deprecate ? ksa is stable so let's make the move :)11:58
*** pnavarro has joined #openstack-keystone12:02
*** dave-mccowan has joined #openstack-keystone12:08
*** links has quit IRC12:10
*** raildo-afk is now known as raildo12:11
*** vgridnev has quit IRC12:25
*** jbell8 has quit IRC12:34
*** jbell8 has joined #openstack-keystone12:35
*** aginwala has joined #openstack-keystone12:35
*** vgridnev has joined #openstack-keystone12:36
*** daemontool has quit IRC12:36
*** aginwala has quit IRC12:39
*** edmondsw has joined #openstack-keystone12:40
*** vgridnev has quit IRC12:41
*** jbell8 has quit IRC12:42
*** jbell8 has joined #openstack-keystone12:43
*** vgridnev has joined #openstack-keystone12:47
*** aginwala has joined #openstack-keystone12:48
*** daemontool has joined #openstack-keystone12:50
*** aginwala has quit IRC12:53
*** pnavarro has quit IRC13:09
*** mhickey has quit IRC13:12
samueldmqhtruta: just left a comment in 24414913:17
samueldmqhenrynash: there is unrelated code (for update) there13:17
samueldmqhenrynash: not you, but htruta :)13:17
samueldmqhtruta: it's all good other than that13:18
htrutasamueldmq: thanks. will look13:19
*** clenimar has joined #openstack-keystone13:19
henrynashsamueldmq: when you have a moment, take a look at https://review.openstack.org/#/c/264533/24 would be good to start getting some of this in13:27
*** alex_xu has quit IRC13:28
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358513:29
*** alex_xu has joined #openstack-keystone13:30
samueldmqhenrynash: looking now13:33
samueldmqhenrynash: so domain_id of is-domain projs is null13:33
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414913:36
htrutasamueldmq: just addressed one of your comments and replied to the other13:36
samueldmqhtruta: oh, you're correct13:38
*** ninag has joined #openstack-keystone13:40
*** aginwala has joined #openstack-keystone13:40
samueldmqhtruta: left another comment/question there, this time more interesting than a nit :)13:43
samueldmqhtruta: no vote, just want to think about that with you13:43
samueldmqhenrynash: ^ would be nice to see your view on it too13:43
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358513:44
*** aginwala has quit IRC13:44
*** petertr7_away is now known as petertr713:49
*** Nirupama has quit IRC13:50
*** vgridnev has quit IRC13:51
*** vgridnev has joined #openstack-keystone13:52
*** edmondsw has quit IRC13:53
htrutasamueldmq: in this case, as we already have all of the projects disabled, I don't think it'll be much harm doing that13:53
*** edmondsw has joined #openstack-keystone13:54
samueldmqhtruta: I think it's bad, if the delete_projects fail later for some reason, lots of things were deleted (assignments)13:59
samueldmqhtruta: and notifications were sent, making other systems using them understand the projects were deleted (when it's a lie)14:00
*** clayton has quit IRC14:00
samueldmqhtruta: we should be able to easily put that behavior after the delete, exactly as it was before, and do not change this behavior14:01
htrutasamueldmq: if we do that, the delete list will not be atomic, once we'll have to go through each project at a time14:01
htrutasamueldmq: If I already disabled all the projects, and tried to delete them, I don't think I'll care about the assignments any longer14:03
samueldmqhtruta: deleting projects + cleaning them up is not atomic anyways14:06
samueldmqhtruta: as they're 2 steps and may fail separately14:06
*** jaosorior has quit IRC14:06
*** jaosorior has joined #openstack-keystone14:06
samueldmqhtruta: in the old code there are 2 cleanups, things happening prior and after calling the driver to delete14:07
samueldmqhtruta: what I am proposing is to keep the behavior14:07
samueldmqfor prj in project_list:14:08
henrynashsamueldmq: at the manager and above level, yes, the domain_id of a project acting as a domain is null…but under the hood it actually points to the “root of all domains"14:08
samueldmq    self._INITIAL_cleanup_project(prj['id'], prj, initiator)14:08
samueldmqret = self.driver.delete_projects_from_ids(projects_ids)14:08
samueldmqfor prj in project_list:14:08
*** sshen has quit IRC14:08
samueldmq    self._cleanup_project_AFTER_DELETE(prj['id'], prj, initiator)14:08
samueldmqsomething like this14:08
samueldmqhenrynash: yes, nice14:08
samueldmqhenrynash: could we get your view on https://review.openstack.org/#/c/244149/29/keystone/resource/core.py ?14:09
henrynashsamueldmq: looking now14:09
*** jsavak has joined #openstack-keystone14:12
*** clayton- has joined #openstack-keystone14:12
*** daemontool has quit IRC14:16
htrutasamueldmq: I guess that would reduce the problem, but not eliminate it. If a fail occurs at the pre_cleanup, it'd already receive notifications to invalidate tokens14:17
htrutathinking about that, does it even make sense? since this project should already have been disabled?14:18
henrynashsamueldmq, htruta: I thought we supported cascade for update (of the enabled flag) and delete?14:19
htrutahenrynash: this patch does the delete cascade. there is another one doing the update14:20
henrynashhtruta: ah, ok14:20
samueldmqhtruta: maybe, but we should keep the current behavior14:20
samueldmqhtruta: and if it's broken, fix it as separate patch if needed14:21
samueldmqhenrynash: did you see my point there ?14:21
henrynashsamueldmq: of the cleanup before/after the delete?14:21
samueldmqhenrynash: yes, my point is that we keep the process exactly as it happens now14:22
samueldmqhenrynash: but do for multi-project14:23
henrynashsamueldmq: agreed14:23
*** petertr7 is now known as petertr7_away14:23
samueldmqhenrynash: nice, htruta  ^14:24
samueldmqhenrynash: btw, few questions regarding 26453314:24
henrynashsure14:24
samueldmqhenrynash: so, what if someone does GET /domains/<<special.thing>>14:24
henrynashsamueldmq: they should get not found14:25
henrynashsamueldmq: see line 38 of backends/sql.py14:25
samueldmqhenrynash: cool, same for get_projects_in_domain(<<special.thing>>)14:26
henrynashsamueldmq: yep14:26
samueldmqhenrynash: so there are a couple of methods to take care of it yet14:26
samueldmqhenrynash: will leave a comment in a minute14:27
henrynashsamueldmq: you could be right….14:27
htrutasamueldmq, henrynash: by "do for multi-project", you mean keeping the pre and post delete cleanup?14:27
*** dansmith is now known as superdan14:28
samueldmqhtruta: yes exactly how it happens, but with a for before and after14:29
samueldmqhtruta: and atomic multi-project deletion in the middle, see the code I pasted a few lines above14:29
htrutasamueldmq: ++14:29
*** knikolla has joined #openstack-keystone14:31
*** igornsa has joined #openstack-keystone14:31
henrynashsamueldmq: see the tests in test_backend_sql.py for hidden….I *thought* I caught them all14:31
samueldmqhenrynash: just left a review14:32
samueldmqhenrynash: most of the occurrences are especially in the wrapper, yes that's a lot of work in that wrapper14:32
samueldmqhenrynash: let me know if you agree14:32
*** sshen has joined #openstack-keystone14:37
henrynashsamueldmq: for the v8 wrapper….that driver won’t have the hidden rows…..so they won’t be found....14:38
samueldmqhenrynash: can't I apply the migration and keep using my version of v8 driver ?14:40
samueldmqhenrynash: I think that's the point of the wrapper isn't it ?14:40
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414914:40
htrutasamueldmq, henrynash: fixed ^14:40
*** daemontool has joined #openstack-keystone14:40
samueldmqhtruta: perfect, will run the tests :)14:41
*** pauloewerton has joined #openstack-keystone14:41
*** su_zhang has joined #openstack-keystone14:41
henrynashsamueldmq: no, we don’t support our V8 driver anymore (at M), we only support the V8 interface - and you are on your own with the migration…which does raise the issue of how we stop people getting themselves into trouble14:42
samueldmqhenrynash: so what's the point of modifying some methods in ResourceDriverV9 ?14:44
henrynashsamueldmq: the assumption is that if you have your own driver, it’s using its own tables (and maybe not SQL)…..but I am a bit worried how we stop a migration stamping all over their tables if they ARE using a modified version of our SQL tables….this is a more general issue outside of this patch14:44
samueldmqhenrynash: I meant V9ResourceWrapperForV8Driver14:44
samueldmqhenrynash: for example, why did we change create_project in V9ResourceWrapperForV8Driver ?14:45
samueldmqhenrynash: in their custom storage, they don't know about hidden_domain, why do we add this to new created projects ?14:46
henrynashsamueldmq: it's for the new domain_id field (of course) and the manager thinks the table has the attribute, but a v8 driver backend will not14:46
samueldmqhenrynash: if the old ones there don't even know about it ? (if they haven't applied migration)14:46
*** igornsa has quit IRC14:46
henrynashsamueldmq: sorry, I mean that domain_id can be none14:46
samueldmqhenrynash: okay so the only thing we want to support in the wrapper is the ability to create a project with domain_id = None14:47
henrynashsamueldmq: exactly (and decode it when we read etc.)14:48
samueldmqhenrynash: why do we want to do this ? do we need to ?14:48
openstackgerritBrant Knudson proposed openstack/keystone: Allow project_id in catalog substitutions  https://review.openstack.org/27957614:49
henrynashsamueldmq: we are changing the expected values of domain_id at the upgrade, and I can’t assume that old drivers know how to handle that14:49
samueldmqhenrynash: yes you might be correct, I will think more about it14:50
samueldmqhenrynash: I need to go afk for bit now, will be back in ~1 hour14:50
henrynashsamueldmq: I agree, it’s a bit subtle14:50
henrynashsamueldmq: ok14:50
samueldmqhenrynash: I will ping you later to discuss further, sorry14:51
*** clayton- is now known as clayton14:55
henrynashsamueldmq: no problem14:57
henrynashhtruta: so on the FK issue with the reverse project list….do you mean the delete_using_ids method in the backend has problems?14:59
*** doug-fish has joined #openstack-keystone15:01
*** dave-mccowan has quit IRC15:01
*** pushkaru has joined #openstack-keystone15:02
*** jbell8 has quit IRC15:02
openstackgerritSteve Martinelli proposed openstack/pycadf: Add docstring validation  https://review.openstack.org/23025715:03
openstackgerritBrant Knudson proposed openstack/keystone: Allow project_id in catalog substitutions  https://review.openstack.org/27957615:04
stevemarnice patch bknudson_ ^15:08
bknudson_stevemar: should have been a 1 line change but that substitution code is copy-pasted all over.15:09
bknudson_still on my list of things to do15:09
*** gordc has joined #openstack-keystone15:13
*** jbell8 has joined #openstack-keystone15:13
*** jaosorior has quit IRC15:13
*** jaosorior has joined #openstack-keystone15:14
*** dave-mccowan has joined #openstack-keystone15:17
*** doug-fish has quit IRC15:21
*** doug-fish has joined #openstack-keystone15:22
*** fhubik has quit IRC15:27
*** nkinder has joined #openstack-keystone15:28
*** phalmos has joined #openstack-keystone15:31
*** belmoreira has quit IRC15:35
*** mjblack has joined #openstack-keystone15:38
*** tomoiaga has quit IRC15:39
*** rudolfvriend has quit IRC15:41
*** slberger has joined #openstack-keystone15:41
*** petertr7_away is now known as petertr715:45
*** sigmavirus24_awa is now known as sigmavirus2415:48
*** phalmos has quit IRC15:49
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490115:52
*** aginwala has joined #openstack-keystone15:54
*** aginwala has quit IRC15:58
*** phalmos has joined #openstack-keystone15:59
htrutahenrynash: not exactly. That method is only supposed to traverse the list and delete one by one. I gave the Manager the responsibility of passing the proper list16:08
samueldmqhenrynash: so should an upgraded keystone (with a v8 driver) support the creation of is_domain projects ?16:16
samueldmqhenrynash: what if we just didn't allow it ? perhaps that would make sense too16:16
*** phalmos has quit IRC16:20
*** tsymanczyk has joined #openstack-keystone16:22
*** tsymanczyk is now known as Guest6533316:22
*** roxanaghe has joined #openstack-keystone16:22
*** links has joined #openstack-keystone16:23
*** phalmos has joined #openstack-keystone16:24
*** e0ne has quit IRC16:24
arunkantstevemar : hi..any suggestion to deal with audit middleware issue. https://bugs.launchpad.net/keystonemiddleware/+bug/154484016:27
openstackLaunchpad bug 1544840 in keystonemiddleware "Audit Middleware driver config issue with Nova, Neutron" [Undecided,New]16:27
henrynashsamueldmq: I don’t see how we can without supporting two managers….since the Mitaka manager expects to be able to store domains as projects….and the goal of our wrapper is that the manager level shouldn’t have to have separate code paths for current and deprecated driver interfaces16:36
*** browne has joined #openstack-keystone16:36
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857016:37
*** araji has joined #openstack-keystone16:37
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916216:39
*** woodster_ has joined #openstack-keystone16:39
*** spzala has joined #openstack-keystone16:45
*** jaosorior has quit IRC16:48
mjblacknot sure if this is the right place to ask, I'm trying to figure out how to do saml authentication with keystone and the cli client, can the openstack cli client do saml authentication?16:48
*** su_zhang has quit IRC16:56
*** spandhe has joined #openstack-keystone16:56
*** vgridnev has quit IRC16:57
stevemararunkant: i saw that last night and didn't really know what the issue was16:58
openstackgerrithenry-nash proposed openstack/keystone: Allow project domain_id to be nullable at the manager level  https://review.openstack.org/26453317:00
openstackgerrithenry-nash proposed openstack/keystone: Verify project unique constraints for projects acting as domains  https://review.openstack.org/15837217:00
arunkantstevemar: The issue is around services which are already using oslo messaging notification capabilities like neutron.  They use 'messaging' as driver.17:00
arunkantstevemar: If someone wants to use 'log' as notification driver for auditing events, it causes problems..as now audit log file will also have neutron regular events logged in log file17:01
*** haneef_ has joined #openstack-keystone17:03
arunkantstevemar : The reason is that audit middleware is using common oslo messaging configuration17:04
*** jaosorior has joined #openstack-keystone17:04
openstackgerrithenry-nash proposed openstack/keystone: Add tests in preparation of projects acting as a domain  https://review.openstack.org/27236917:04
arunkantstevemar: Does it make sense?17:05
openstackgerrithenry-nash proposed openstack/keystone: Add is_domain filter to v3 list_projects  https://review.openstack.org/15839817:05
samueldmqhenrynash: simply not supporting domain as projects at all in v8 drivers ?17:05
openstackgerrithenry-nash proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128917:05
stevemararunkant: something like this: http://paste.openstack.org/show/486851/17:05
henrynashsamueldmq: but what would the manager code look like?17:05
samueldmqhenrynash: as it is today17:05
samueldmqhenrynash: only the driver would handle domain_key17:06
stevemararunkant: so you're saying we can't have two separate mechanisms for notification events17:06
henrynashsamueldmq: we don’t have duplicate managers…we only have the “new” manager….that’s the point of the wrapper17:06
stevemargordc: quickie https://review.openstack.org/#/c/230257/17:07
gordcstevemar: done17:07
gordc... awkward transaction without context17:08
arunkantstevemar: we can configure two notification drivers..'messaging' and 'log' as MultiOpt conf property ..but then notifications are sent to both which makes them useless from auditing context.17:08
henrynashsamueldmq: I guess you could write a wrapper that split projects as a domain out to the domain table again!17:08
henrynashsamueldmq: ouch!17:08
samueldmqhenrynash: if the mitaka manager has a v8 (liberty?) driver, it can't create a project with domain_id = Null17:08
henrynashsamueldmq: so how will it create a domain?17:09
arunkantstevemar: It will be ideal if audit middleware can have its own configuration to specify notification driver.17:09
openstackgerritClenimar Sousa proposed openstack/keystone: Avoid wrong deletion of domain assignments  https://review.openstack.org/27570617:10
stevemararunkant: i don't know how possible this is, let's see what dhellmann or dims thinks?17:10
* stevemar pokes dims and/or dhellmann 17:10
*** dan_nguyen has joined #openstack-keystone17:10
henrynashsamueldmq: I gotta head out for a bit…..we can discuss later, but I think our options are a) as I have coded it, or b) the wrapper has to do the inverse and turn all project API requests for projects as a domain back to the domain table.17:11
dimsnotification driver is for the whole service i think17:11
dimsin mitaka we at least separated out the rpc and notification drivers17:12
henrynashsamueldmq: and I’m not sure I fancy b) !!!!!17:12
*** henrynash has quit IRC17:12
*** clenimar has quit IRC17:12
*** mvk has quit IRC17:12
stevemardims: so, would it be possible to have the notification driver be one thing for the nova events, and another for the keystone audit stuff?17:13
arunkantstevemar, dims: Yes as it uses DEFAULT or oslo_messaging_notifications config values. If there is separate config ..then audit middleware can use instance of that driver only17:13
stevemarsince they need to be defined in the same file...17:13
dimsstevemar : not currently, always possible :) it's just code17:14
stevemararunkant: sounds like you have a fix in mind?17:14
*** gyee has joined #openstack-keystone17:14
*** ChanServ sets mode: +v gyee17:14
arunkantstevemar: Yes...I can make a quick patch to show the fix.17:14
*** pgbridge has quit IRC17:15
*** _cjones_ has joined #openstack-keystone17:16
*** openstackgerrit has quit IRC17:17
*** openstackgerrit has joined #openstack-keystone17:17
arunkantstevemar: Will add patch today and add you as reviewer.17:17
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916217:19
*** browne has quit IRC17:20
*** mylu has joined #openstack-keystone17:24
*** aginwala has joined #openstack-keystone17:25
*** mylu has quit IRC17:34
*** jsavak has quit IRC17:34
*** jsavak has joined #openstack-keystone17:35
*** pgbridge has joined #openstack-keystone17:38
*** aginwala has quit IRC17:39
samueldmqhtruta: is clenimar around ?17:41
htrutasamueldmq: not anymore. Why?17:41
samueldmqhtruta: was going to ask if he ran the tests for 27570617:42
*** jaosorior has quit IRC17:44
*** spzala has quit IRC17:45
*** mylu has joined #openstack-keystone17:48
openstackgerritJohn Dennis proposed openstack/keystone: Convert assignment.root_role config option to list of strings  https://review.openstack.org/27970317:49
htrutasamueldmq: I believe he has run them. Anyway, you can +A the patch, jenkins will recheck again if it fails17:50
*** jbell8 has quit IRC17:52
*** Guest65333 has quit IRC17:58
*** jasonsb has quit IRC17:58
*** links has quit IRC17:58
ayoungsamueldmq, https://review.openstack.org/#/c/279703/  is a trivial one17:59
*** browne has joined #openstack-keystone17:59
ayoungAlready!17:59
*** mylu has quit IRC18:02
*** mylu has joined #openstack-keystone18:05
*** su_zhang has joined #openstack-keystone18:06
*** jsavak has quit IRC18:06
stevemarayoung: yay for jdennis18:06
*** jsavak has joined #openstack-keystone18:07
ayoungstevemar, yeah, he's back focused on Keystone.18:09
ayoungspecifically Federation stuff for now.18:09
stevemarayoung: awesome, the more the merrier18:09
dolphmNice!18:10
*** petertr7 is now known as petertr7_away18:11
*** aginwala has joined #openstack-keystone18:12
*** lhcheng has joined #openstack-keystone18:15
*** ChanServ sets mode: +v lhcheng18:15
*** jbell8 has joined #openstack-keystone18:16
*** tsymanczyk has joined #openstack-keystone18:17
*** tsymanczyk is now known as Guest7700418:17
*** gordc has quit IRC18:19
htrutastevemar: will we break the world even more if we change this: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L182 ?18:20
*** e0ne has joined #openstack-keystone18:20
*** jsavak has quit IRC18:22
*** mhickey has joined #openstack-keystone18:24
*** aginwala has quit IRC18:24
*** openstack has joined #openstack-keystone18:24
*** jsavak has joined #openstack-keystone18:25
*** aginwala has joined #openstack-keystone18:28
samueldmqayoung: looking18:33
ayoungsamueldmq, you've already reviewed.  Thanks18:34
samueldmqayoung: yeah :)18:34
*** aginwala has quit IRC18:35
openstackgerritSean Perry proposed openstack/keystonemiddleware: argparse expects a list not a dictionary  https://review.openstack.org/27971818:35
samueldmqhtruta: you updating 244149 ? should be an easy approval after addressing tjcocozz 's comments18:36
*** aginwala has joined #openstack-keystone18:37
htrutasamueldmq: ow. haven't seen it. will fix it18:38
htrutastevemar: will treat this as a long term goal. For a while, I'll try to make some v3 service tokens by default.18:40
stevemarhtruta: ++18:40
stevemardstanek: around for squashing some bugs18:40
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916218:40
htrutastevemar: have you (or anyone else) tackled something out of the v3 only etherpad?18:40
dstanekstevemar: sure, send me some links boss. i'm a little slow today though.18:41
stevemarhtruta: not yet, been focused on mitaka-3 for now18:43
stevemardstanek: hmm18:43
htrutastevemar: nice. thanks18:43
*** e0ne has quit IRC18:44
htrutatjcocozz: are you around?18:44
stevemardstanek: oh, the ones i wanted to send are now gating18:44
htrutasamueldmq: just answered tjcocozz 's comments. I guess you're good to go there18:46
*** openstackgerrit has quit IRC18:47
*** openstackgerrit has joined #openstack-keystone18:47
openstackgerritSteve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles  https://review.openstack.org/27731918:47
stevemardstanek: ^18:47
tjcocozzhtruta, hey18:47
htrutatjcocozz: just answered your comments in 244149. Please, take a look18:48
stevemardstanek: oh right, this one too: https://review.openstack.org/#/c/265797/18:48
* tjcocozz is looking now18:48
tjcocozzhtruta, that test is calling update_project not delete_project18:49
htrutatjcocozz: it first disables, but then it calls the delete in L343618:49
tjcocozzhtruta, for some reason i didn't see that. thanks for pointing that out.  so where is the forbiddenaction in update_project tested?18:52
htrutatjcocozz: update_project does not raise exception. It successfully disables project2. The problem is that I can't delete the root_project, once project1 is enabled18:53
tjcocozzhtruta, on line 327 in resource/core.py18:53
*** mylu has quit IRC18:53
htrutatjcocozz: we are not cascadely updating. It is a simple update of project2, which has no children18:54
*** mylu has joined #openstack-keystone18:55
tjcocozzhtruta, sorry i think i may be asking the wrong thing.   I think there should be a test for https://review.openstack.org/#/c/244149/30/keystone/resource/core.py18:56
*** mhickey has quit IRC18:56
tjcocozzhtruta, my first comment in the above link18:57
htrutatjcocozz: we are keeping the same behavior as before. the method was just refactored. The test already existed (test_disable_hierarchical_not_leaf_project)18:59
gyeestevemar, would you be mad at me if I tag this one for backport to liberty? https://bugs.launchpad.net/keystone/+bug/153587819:00
openstackLaunchpad bug 1535878 in OpenStack Identity (keystone) "A user with a role on a project should be able to issue a GET /project call" [Medium,Fix released] - Assigned to Ajaya Agrawal (ajayaa)19:00
tjcocozzhtruta, cool! oh i see what you're doing now.  thanks for pointing that out.  let me take a look at the test but i think this will be good to go19:00
htrutatjcocozz: cool!19:00
*** Guest77004 has quit IRC19:03
stevemargyee: yes19:05
stevemargyee: it's mostly a change in the json file, the deployer can change that to their liking19:06
stevemargyee: i don't see the point, but feel free to convince me :)19:06
bknudson_I wrote up a spec for supporting YAML in oslo.policy -- https://review.openstack.org/#/c/279725/19:07
bknudson_I don't know if we use oslo specs for oslo.policy or keystone-specs.19:07
stevemarbknudson_: it's mostly the keystone team that looks at the patches, so i said keystone-specs19:08
stevemarbknudson_: poke for https://review.openstack.org/#/c/279718/19:08
*** mhickey has joined #openstack-keystone19:10
gyeestevemar, alrighty, I am fine with deployer customization on this one19:10
*** Ephur has joined #openstack-keystone19:16
*** petertr7_away is now known as petertr719:17
*** araji has left #openstack-keystone19:20
*** aginwala has quit IRC19:22
*** jdennis has quit IRC19:22
*** jdennis has joined #openstack-keystone19:23
*** vgridnev has joined #openstack-keystone19:27
*** jdennis has quit IRC19:30
*** jsavak has quit IRC19:30
*** esp has joined #openstack-keystone19:33
*** aginwala has joined #openstack-keystone19:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947919:37
*** esp has quit IRC19:40
*** jsavak has joined #openstack-keystone19:40
*** jdennis has joined #openstack-keystone19:43
openstackgerritBrant Knudson proposed openstack/keystone-specs: oslo.policy file in YAML  https://review.openstack.org/27974819:43
samueldmqayoung: stevemar: https://review.openstack.org/#/c/244149/19:44
samueldmqeasy one19:44
*** mylu has quit IRC19:44
bknudson_samueldmq: potentially long-running operations like this are scary19:45
*** mylu has joined #openstack-keystone19:45
*** edmondsw has quit IRC19:46
samueldmqhtruta: only an improvement in tests here: 24358419:47
ayoungsamueldmq, +2A19:48
stevemarbknudson_: true19:48
ayoungHMT FTW19:48
samueldmqbknudson_: stevemar: hierarchy height is limited in config19:48
stevemarbknudson_: it's kinda expected with a "cascade" option19:48
samueldmqbknudson_: stevemar: default is 5 iirc19:48
stevemar++19:48
stevemartrue day19:48
samueldmqstevemar: ++19:48
stevemardat19:49
bknudson_the height is limited but the width isn't19:49
stevemarbknudson_: hey, did you see my comments about the uwsgi patch?19:50
bknudson_stevemar: which?19:50
ayoungsamueldmq, https://review.openstack.org/#/c/279379/  radical reworking of Dynamic Policy.   I took your name off, since this is a new approach, but, I suspect, knowing you, it will end up getting added again.  This, though, I think is a palatable approach.  We should prep this for the summit19:50
* stevemar really wants uwsgi so we can rip out eventlet19:50
ayoungstevemar, just for testing?19:50
stevemarbknudson_: hmm, i couldn't get it to complete a devstack run with the config you have posted19:50
bknudson_stevemar: oh, right. I was getting failures locally too.19:51
bknudson_wasn't sure what the deal was.19:51
stevemarayoung: yes, we can't remove eventlet until we prove it can run with something else19:51
*** alex_xu has quit IRC19:51
bknudson_seems like uwsgi should default to values that work!19:51
openstackgerritJohn Dennis proposed openstack/keystone: Convert assignment.root_role config option to list of strings  https://review.openstack.org/27970319:52
ayoungwe use a lite server in IPA...19:52
ayounglet me see what it is19:52
*** browne has quit IRC19:52
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947919:52
ayoungstevemar, it was the paste server19:52
ayoungfrom paste import httpserver19:53
stevemarayoung: take a quick look at https://review.openstack.org/#/c/277319/ too please :)19:53
ayoungstevemar, will do19:53
*** mylu has quit IRC19:53
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947919:53
stevemarbknudson_: so, i had to add "iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi plugins python" to even get it to respond to a request19:53
*** alex_xu has joined #openstack-keystone19:54
ayoungstevemar, so shouldn't that be a WIP test?19:54
bknudson_stevemar: oh, wow. why would you have to have a "python" plugin for a python library like uwsgi.19:54
stevemarand then it died upon the first request, cause the buffer-size is only 4096 by default19:54
stevemarayoung: adding @wip makes it pass no?19:55
stevemarrather, skip?19:55
ayoungstevemar, yes, but just do it for the failing part19:55
ayoungtest_trust_expands_implied_roles19:55
ayoungstevemar, the way you have it, it passes19:55
stevemarayoung: it does19:56
ayoungI think WIP means :run it but expect it to fail, right dstanek ?19:56
samueldmqayoung: looking19:56
stevemarayoung: i'll add it19:56
dstanekayoung: yep19:57
ayoungstevemar, I've been deep in Puppet land. Trying to figure out how to enable Federation.  The puppet providers right now are K2K specific.  And I don't think they support mapping or protocol19:58
ayoungDo we need Mapping or Protocol for K2K?19:58
stevemarayoung: give me 1 minute to add wip19:58
stevemarayoung: yep19:58
ayoungIf not, I can claim that the existing provider does not work and change its intention19:58
ayoungFederation should be straight federation, and K2K should be its own19:59
*** aginwala has quit IRC20:00
openstackgerritMerged openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893120:01
*** aginwala has joined #openstack-keystone20:02
*** aginwala has quit IRC20:03
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916220:04
ayoungjdennis, thanks.  Looks good20:04
*** aginwala has joined #openstack-keystone20:07
*** aginwala has quit IRC20:12
*** aginwala has joined #openstack-keystone20:13
samueldmqayoung: stevemar: you working on 1543318 ?20:14
samueldmqbug #154331820:14
openstackbug 1543318 in OpenStack Identity (keystone) "Token for trust does not expand implied roles" [Medium,New] https://launchpad.net/bugs/1543318 - Assigned to Adam Young (ayoung)20:14
stevemarsamueldmq: yes20:15
stevemarposting in 1 second20:15
samueldmqstevemar: perfect20:15
ayoungstevemar, Um...cool.  Glad I was not working on that20:15
ayoungOr are you just working on the test?20:16
raildostevemar: 1 mississippi, 2 mississippi...20:16
openstackgerritSteve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles  https://review.openstack.org/27731920:16
stevemarayoung: just the test20:16
ayoungstevemar, OK20:16
stevemarayoung: you got the bug, you talked about this 2 days ago :)20:16
stevemarwe* talked20:17
ayoungstevemar, yeah.  It's not a huge change to make it work20:17
stevemaryeah, but i figured you would know faster than i would20:17
samueldmqayoung: I don't understand why trust backend isn't simply using the assignment backend to get the roles20:19
bknudson_unittest has expected failure support built-in https://docs.python.org/2/library/unittest.html#unittest.expectedFailure20:19
ayoungsamueldmq, it has its own list of roles20:19
ayoungsamueldmq, the trust has an explicit subset of the roles for the end user20:19
bknudson_unfortunately it doesn't support a descriptive message20:20
ayoungand I was debating whether to make all roles in a trust explicit or not20:20
samueldmqbknudson_: yes, ours support a description20:20
ayoungbut I think implied role expansion is the correct approach20:20
ayoungsay you take member and make it into two roles, reader and writer, and then make memn20:20
ayoungmember imply those two roles20:20
bknudson_but it properly reports that the test was expected to fail (rather than that the test passed)20:21
ayoungif you had a trust that included member in the past, it would break in the future once you split the roles (and policy)20:21
samueldmqayoung: yes, trusts should work the same20:21
samueldmqayoung: that's only about relegation, not about how roles are expanded, etc20:21
ayoungSo,  I need the "expand implied roles" function to be called for each role in the trust20:21
*** edmondsw has joined #openstack-keystone20:21
samueldmqbknudson_: is it a function? otherwise we could inherit from it ?20:22
openstackgerritMerged openstack/keystone: Avoid wrong deletion of domain assignments  https://review.openstack.org/27570620:22
samueldmqbknudson_: or perhaps re-use it somehow in our implementation20:22
ayoungwe put it in the assignment controller, which is separate from where the trusts roles are expanded20:22
bknudson_samueldmq: it's a decorator. I tried to see if I could re-use it but it was too complicated20:22
samueldmqbknudson_: ++20:22
samueldmqayoung: why do trusts maintain its own list of roles ?20:23
ayoungsamueldmq, because trusts are a delegation mechanism, designed to allow a user to delegate subset of their roles20:23
samueldmqayoung: yes and that could rely on the assignment backend for knowing what the roles really are20:24
samueldmqayoung: what a role X in a project Y really means (project and group expansion, implied roles, etc)20:25
ayoungsamueldmq, so the logic right now (pre implied roles is)20:26
ayoungget the list of roles from the trust20:26
ayoungensure that the user still has those roles assigned20:26
ayoungadd them to the token20:26
ayoungand I was trying to think how to do that efficiently20:27
*** tsymanczyk has joined #openstack-keystone20:28
samueldmqayoung:  why do the trust contain roles at all?20:28
*** tsymanczyk is now known as Guest766720:28
ayoungsamueldmq, I am going to make you answer that20:28
ayoungyou tell me20:29
samueldmqayoung: the trust should be just the "confidence" user A has on user B on project X, hmm, with a initial set of roles20:29
ayoung" with a initial set of roles"20:29
samueldmqayoung: that set of roles need to be effective when user B get a token20:29
samueldmqayoung: yes20:29
ayoungsamueldmq, so If I have both admin and member, I only want a trust to have the member role20:30
samueldmqayoung: how does trust work with inherited roles ?20:30
ayounginherited roles will be expanded20:30
samueldmqayoung: in the trust backend ?20:30
ayoungI could see an option to not do that, but I think that would never get used20:30
samueldmqayoung: so it's duplicating the logic if so, while it should be just using:20:30
ayoungnah, we'll expand the roles when creating a token20:30
ayoungsamueldmq, the current expansion is done on "list roles for user on project"20:31
samueldmqayoung: k, I need to look at the code .. sorry I need to run to be a dad for a bit :)20:31
samueldmqayoung: will be back in a bit20:31
ayoungsamueldmq, NP.20:31
ayoungI'll try to make it work20:31
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/common.py#n404  right there.  Need to expand before the check20:33
*** daemontool has quit IRC20:33
*** daemontool has joined #openstack-keystone20:33
*** daemontool has quit IRC20:34
stevemarbknudson_: i should mention that my suggested changes to uwsgi got me to almost done with the keystone setup20:34
*** Guest3687 is now known as mgagne20:34
stevemarbknudson_: it kept crapping out on me, and timing out requests20:35
*** mgagne has quit IRC20:35
*** mgagne has joined #openstack-keystone20:35
bknudson_stevemar: uwsgi is a turd20:35
*** daemontool has joined #openstack-keystone20:35
stevemarbknudson_: then why are we suggesting it as an alternative to eventlet :(20:35
bknudson_Maybe somebody has figured out how to get it to work?20:35
bknudson_there sure are a lot of config options.20:35
bknudson_maybe gunicorn is better?20:38
bknudson_how hard is it to write a web server that doesn't time out and fail all the time?20:38
stevemarbknudson_: apparently very difficult20:38
stevemarbknudson_: i guess that's why everyone sticks to apache :)20:38
bknudson_apache has it figured out!20:38
stevemarwe should totes use it for keystone20:39
bknudson_we could start another apache instance. kind of heavyweight20:39
stevemar bknudson_ let's use iHS20:39
bknudson_stevemar: websphere20:40
stevemarbknudson_: IHS should be more than good enough: https://en.wikipedia.org/wiki/IBM_HTTP_Server20:41
bknudson_at least they based it on httpd rather than uwsgi20:41
bknudson_stevemar: I ran it and this time it gets: openstack endpoint list --service identity --interface public --region RegionOne -c ID -f value -> Unable to establish connection to http://192.168.122.239:35357/v3/services?type=identity20:45
bknudson_`openstack service create identity --name keystone '--description=Keystone Identity Service' -f value -c id` happened first and this worked20:45
bknudson_so not sure why it can't connect for the next operation.20:45
stevemarthanks jdennis20:45
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947920:46
stevemarbknudson_: mine failed in the same spot20:46
bknudson_maybe it's not so random after all.20:46
stevemaror... wait, mine got a bit farther along20:46
bknudson_ah, it is totally random20:46
stevemarlet me try again20:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947920:47
*** dave-mccowan has quit IRC20:48
bknudson_every once in a while it says -- Failed to contact the endpoint at http://192.168.122.239:35357/v2.0 for discovery. Fallback to using that endpoint as the base url.20:48
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947920:49
stevemarbknudson_: it works for me when i have enabled_services=key,rabbit,sql,horizon20:52
stevemarit is up and running, and responding to requests20:53
bknudson_stevemar: my keystone always starts but then some requests fail randomly20:53
stevemarbknudson_: y, which is why i thought increasing buffer_size would help :(20:53
bknudson_stevemar: I think it's correct to increase buffer_size since the headers can get pretty big (e.g., for pki)20:54
stevemaryep20:54
stevemargonna try keystone+horizon+swift20:55
*** henrynash has joined #openstack-keystone20:56
*** ChanServ sets mode: +v henrynash20:56
*** aginwala has quit IRC20:57
stevemarbknudson_: it's almost as if the requests are lagging?20:57
stevemarget_or_add_group_project_role:L960:   openstack role add 44501ab6faff420e960335e7ffefb938 --group f7785a9993994462b34547ac70b38f5d --project ee8637c3725045e1abc209f5b18c589c20:58
stevemarNo project with a name or ID of 'ee8637c3725045e1abc209f5b18c589c' exists.20:58
stevemarbut...20:58
stevemaraccording to mysql... ee8637c3725045e1abc209f5b18c589c | demo               | {}    |20:58
bknudson_the server must be saying that it doesn't exist?20:58
bknudson_so how would the server not be able to find it?20:58
stevemaryep20:58
stevemarthat's why i think there's some lag going on20:59
*** aginwala has joined #openstack-keystone20:59
stevemari know they are async requests, but *shrug*20:59
henrynashayoung, samueldmq: how are we feeling about https://review.openstack.org/#/c/262078/18 ? If we like this pattern, I still think we should do it manually like this for now, maybe refactor to use a router class or direct call to enforce later21:00
ayounghenrynash, that is my feeling21:00
bknudson_stevemar: I'm able to recreate using openstack CLI but not with a simple curl...21:00
*** raildo is now known as raildo-afk21:00
bknudson_probably has to do with multiple requests coming in.21:00
ayounghenrynash, has everything up to that merged? I better get a move on21:00
bknudson_e.g., for discovery and get token.21:01
stevemarbknudson_: yeah, i think so21:01
*** ericksonsantos has quit IRC21:01
stevemarayoung: slacking, pfft21:01
stevemar:]21:01
ayoungstevemar, oh yeah21:01
stevemari kid, i kid21:02
henrynashayoung: yep, that’s next in line21:02
ayounghenrynash, just realized instead of method_template=None):  you could have done  method_template='%s'):  but I don't think I would suggest it21:03
henrynashayoung: did consider that…but I know some folks don't like default literals21:03
ayounghenrynash, still looking but I think it looks fine so far21:04
stevemarbknudson_: nothing obvious here: http://uwsgi-docs.readthedocs.org/en/latest/ThingsToKnow.html21:04
ayounghenrynash, so...can we agree to clean up the cloudsample file in the future, so that it is clear where the role section is on each rule?21:05
ayoungI'm not going to insist on it for this patch  but I think your verbosity got away from you there21:05
ayounghenrynash, what I would like to see is reusable rules for matching scope, for admin over ride, and then on each line:21:06
ayoungsay21:06
henrynashayoung: i’m certainly open for suggestions on a better way21:07
bknudson_stevemar: at least I'm able to recreate this pretty easily now, just openstack user list and it fails every once in a while.21:07
bknudson_I'll mess with config options and see if anything helps. maybe no threads or something21:07
ayoung"identity:get_domain_role": "rule:admin_override or (rule:domain_matches and role:domain_admin)"21:07
ayounghenrynash, although, I would settle for getting this through first: https://review.openstack.org/#/c/279379/21:08
ayoungThat is the split RBAC from scope thing21:08
henrynashayoung: :-)21:08
stevemarbknudson_: ++21:09
henrynashayoung: will study over the weekend21:09
ayounghenrynash, so if we do that, then the policy files can pretty much stay as is21:09
ayounghenrynash, tear it apart, please21:09
*** pauloewerton has quit IRC21:12
stevemarbknudson_: there are a few suggestions here: http://stackoverflow.com/questions/14962289/bad-django-uwsgi-performance21:12
*** jbell8 has quit IRC21:14
*** petertr7 is now known as petertr7_away21:15
*** petertr7_away is now known as petertr721:16
stevemarayoung: samueldmq poke for https://review.openstack.org/#/c/277319/21:17
ayoungstevemar, was just messing with that now21:17
ayoungit had a rebase issue with henrynash 's patch on Domain specific21:18
stevemarayoung: should be cleared up now, jenkins just +1ed me21:18
ayoungstevemar, the WIP made that happen21:18
ayoungexpand out the diff21:18
ayoungit was added to the wrong test21:18
ayoungit's under class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):  now21:19
ayoungmove the test above line 258321:19
stevemaroh doh!21:19
ayoungstevemar, also, you left it as 1 and not checking that all the roles were in the token, but I'll get that when I fix21:20
ayoungyours passes as is right now, but it should not21:20
stevemarayoung: yeah, the @wip skips the test21:20
ayoungstevemar, I was going to suggest a different check:21:20
ayoungbut I'll do that when I fix the test. for now, just remove the line21:21
ayoungself.assertEqual(self.role_list[0]['id'], token['roles'][0]['id'])21:21
ayoungas that assumes the roles will be in the same order21:21
ayoungand bump21:21
ayoungself.assertThat(token['roles'], matchers.HasLength(1))  to self.assertThat(token['roles'], matchers.HasLength(3))21:21
ayoungor better yet21:21
ayoungself.assertThat(token['roles'], matchers.HasLength(len( self.role_list)))21:21
stevemar++21:23
stevemarrunning pep8...21:23
openstackgerritSteve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles  https://review.openstack.org/27731921:25
stevemarayoung: there we go, in the right section this time :)21:25
*** jorge_munoz has joined #openstack-keystone21:28
*** mhickey has quit IRC21:28
*** aginwala has quit IRC21:31
ayoungstevemar, OK,  added two more lines to the check.  It's a two way confirmation that the lists match.  Comment one out, and the test will pass today21:33
ayoungProbably should be an equals, though21:33
ayoungstevemar, meh. it's ok as is..I will change the test when I fix21:33
*** rodrigods has quit IRC21:34
*** rodrigods has joined #openstack-keystone21:34
*** jsavak has quit IRC21:34
stevemarayoung: \o/21:35
stevemarhenrynash: want to take a quick peek at that one? ^21:35
stevemarhenrynash: we'll have one less bug and ayoung and work on the actual fix21:35
*** jsavak has joined #openstack-keystone21:35
-openstackstatus- NOTICE: The infrastructure team is taking gerrit offline for maintenance this afternoon, beginning at 22:00 utc. We should have it back online around 23:00 utc. http://lists.openstack.org/pipermail/openstack-dev/2016-February/086195.html21:46
openstackgerritMerged openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414921:53
*** aginwala has joined #openstack-keystone21:54
*** jorge_munoz has quit IRC21:55
openstackgerritMerged openstack/keystone: Convert assignment.root_role config option to list of strings  https://review.openstack.org/27970321:55
*** jorge_munoz has joined #openstack-keystone21:56
*** jorge_munoz has quit IRC21:56
*** daemontool has quit IRC21:58
*** knikolla has quit IRC21:58
stevemarlbragstad: around?22:02
lbragstadstevemar o/22:02
stevemarlbragstad: i'm not smart, and i'm also very lazy. what was the result of the trust discussion from tuesday's meeting?22:03
stevemarlbragstad: i wanted to clean up any patches/bugs that jorge hasn't yet22:03
lbragstadstevemar this was essentially the direction https://review.openstack.org/#/c/274850/22:04
lbragstadwhich merged - but that's only part of it22:04
stevemarlbragstad: right22:04
stevemarlbragstad: what about the bit with redelegation and impersonation22:04
lbragstadstevemar that only removes support for "validating" trust-scoped tokens against v222:04
lbragstadstevemar oh...22:04
stevemari meant that part :)22:04
lbragstadjorge_munoz worked that out with amakarov_away22:04
-openstackstatus- NOTICE: Gerrit is offline for maintenance until 23:00 utc22:04
*** ChanServ changes topic to "Gerrit is offline for maintenance until 23:00 utc"22:04
stevemarnot the fernet part22:04
stevemarlbragstad: what was the outcome o_O22:05
lbragstadstevemar the outcome was that we need to actually define what the behavior is that we want out of trusts22:05
lbragstadstevemar so i started https://etherpad.openstack.org/p/keystone-trust-behavior for people to start jotting down use-cases and behaviors22:06
*** browne has joined #openstack-keystone22:06
*** phalmos has quit IRC22:08
stevemarlbragstad: blargh22:10
lbragstadstevemar sorry22:10
lbragstad:)22:10
stevemarlbragstad: i guess none are mitaka-3 blockers22:10
*** jsavak has quit IRC22:10
*** petertr7 is now known as petertr7_away22:10
lbragstadstevemar not that I am aware of - but i know it was brought up because of the revocation event stuff (that's what led jorge_munoz down the trust rabbit hole initially)22:11
stevemarlbragstad: i've got 2 open right now https://bugs.launchpad.net/keystone/+bug/1539766 and https://bugs.launchpad.net/keystone/+bug/153862622:11
openstackLaunchpad bug 1539766 in OpenStack Identity (keystone) "trust redelegation allows trustee to create a trust (with impersonation set to true) from a redelegated trust (with impersonation set to false)" [High,In progress] - Assigned to Jorge Munoz (jorge-munoz)22:11
openstackLaunchpad bug 1538626 in OpenStack Identity (keystone) "Fix trust test cases for redelegation and add test for impersonation" [Low,In progress] - Assigned to Jorge Munoz (jorge-munoz)22:11
lbragstadstevemar those make sense22:11
*** lhcheng has quit IRC22:14
*** lhcheng has joined #openstack-keystone22:15
*** ChanServ sets mode: +v lhcheng22:15
bknudson_stevemar: I think I figured it out. Adding  add-header "Connection: close"  seems to help. Tells the client not to try to re-use the connection or something.22:19
bknudson_there was a mention of it here: https://github.com/TechEmpower/FrameworkBenchmarks/issues/11422:20
*** lhcheng has quit IRC22:20
bknudson_I'd post it to gerrit but...22:20
*** vgridnev has quit IRC22:21
stevemarbknudson_: is that added to CLI only, or to the ini file?22:21
bknudson_stevemar: I put it in the ini file. the ini file and uwsgi cmd line options are equivalent22:22
stevemarbknudson_: just "connection = close"22:22
stevemaror add-header = "connection: close"22:22
bknudson_add-header = Connection: close22:22
stevemarotay22:22
bknudson_I'm also going to add some other options: thunder-lock = true22:23
bknudson_master = true22:23
stevemarbknudson_: just cause it sounds cool?22:23
bknudson_enable-threads = true22:23
stevemarTHUNDER LOCK ENGAGE!22:23
bknudson_stevemar: y, just because it sounds cool22:23
bknudson_it has to do with thundering herd problem when you have multiple listeners on a socket.22:24
bknudson_not that it's going to be a big deal when there's only a few threads.22:24
bknudson_"Uwsgi is not a "frontend" HTTP server. Keep-alive support is weak." -- y, uwsgi is a turd.22:25
bknudson_eventually we'll be able to make apache the frontend and have it talk uwsgi protocol to this uwsgi process.22:25
bknudson_and we'll probably go that way pretty soon, I just thought it would be easier to have uwsgi do http at first.22:26
stevemarbknudson_: giving it a whirl now22:29
*** RichardRaseley has joined #openstack-keystone22:32
bknudson_I'm kicking myself for not using gunicorn22:34
*** roxanaghe has quit IRC22:35
stevemarbknudson_: ++, that seems to be the option that was needed22:36
bknudson_ok. I'll post it up when gerrit is back.22:36
stevemarbknudson_: it's still early... we can switch to gunicorn22:37
stevemaror both22:37
bknudson_I'll post it as a follow-on22:37
stevemarbknudson_: ++22:37
stevemarbknudson_: the point is to move away from eventlet and toward real http servers22:37
*** aginwala has quit IRC22:38
stevemarif we can support apache/gunicorn/uwsgi, then i'm all for it22:38
*** aginwala has joined #openstack-keystone22:42
*** edmondsw has quit IRC22:43
*** mylu has joined #openstack-keystone22:48
*** lhcheng has joined #openstack-keystone22:57
*** ChanServ sets mode: +v lhcheng22:57
*** richm has joined #openstack-keystone22:58
*** RichardRaseley has quit IRC23:04
-openstackstatus- NOTICE: Gerrit is offline for maintenance, ETA updated to 23:30 utc23:05
*** ChanServ changes topic to "Gerrit is offline for maintenance, ETA updated to 23:30 utc"23:06
*** aginwala has quit IRC23:13
*** roxanaghe has joined #openstack-keystone23:14
ayoungstevemar, well, I have a fix for the implied roles in the trust token, but I can't post to gerrit as it is down23:17
*** aginwala has joined #openstack-keystone23:19
*** sigmavirus24 is now known as sigmavirus24_awa23:22
ayounghttps://mariadb.com/blog/recent-release-mariadb-10111-contains-two-new-authentication-plugins23:27
*** pushkaru has quit IRC23:39
*** pushkaru has joined #openstack-keystone23:40
-openstackstatus- NOTICE: Gerrit is offline for maintenance, ETA updated to 23:59 utc23:40
*** ChanServ changes topic to "Gerrit is offline for maintenance, ETA updated to 23:59 utc"23:40
*** pushkaru has quit IRC23:41
*** pushkaru has joined #openstack-keystone23:41
*** markvoelker has quit IRC23:41
*** lhcheng has quit IRC23:46
*** richm has quit IRC23:46
*** lhcheng has joined #openstack-keystone23:47
*** ChanServ sets mode: +v lhcheng23:47
*** richm has joined #openstack-keystone23:49
*** slberger has left #openstack-keystone23:54
*** pushkaru has quit IRC23:58
