Wednesday, 2016-03-09

« Tuesday, 2016-03-08 Index Thursday, 2016-03-10 »
*** sdake_ has joined #openstack-keystone00:02
*** sdake has quit IRC00:03
openstackgerrithenry-nash proposed openstack/keystone: Split out domain config driver and manager tests  https://review.openstack.org/29019500:04
*** alex_xu has quit IRC00:05
*** sdake has joined #openstack-keystone00:05
*** edmondsw has quit IRC00:06
*** alex_xu has joined #openstack-keystone00:07
*** sdake_ has quit IRC00:07
*** davechen_afk has quit IRC00:07
*** woodster_ has quit IRC00:09
*** woodster_ has joined #openstack-keystone00:10
*** gyee has joined #openstack-keystone00:10
*** ChanServ sets mode: +v gyee00:10
*** gyee has quit IRC00:11
*** doug-fish has joined #openstack-keystone00:11
*** gyee has joined #openstack-keystone00:15
*** ChanServ sets mode: +v gyee00:15
openstackgerrithenry-nash proposed openstack/keystone: Move role backend tests  https://review.openstack.org/29016700:21
*** fawadkhaliq has joined #openstack-keystone00:23
openstackgerritEric Brown proposed openstack/keystone: Explicitly exclude tests from bandit scan  https://review.openstack.org/29020100:29
*** browne has quit IRC00:33
*** fawadkhaliq has quit IRC00:35
*** tjcocozz has quit IRC00:37
*** bapalm has quit IRC00:37
*** sheel has joined #openstack-keystone00:39
gyeelbragstad, can you take another look whenever you have a chance? https://review.openstack.org/#/c/288816/00:42
patchbotgyee: patch 288816 - keystone (stable/liberty) - Return 404 instead of 401 for tokens w/o roles00:42
*** wxy has joined #openstack-keystone00:47
morgangyee: oh backport?00:52
gyeemorgan, yeah, since its API impact00:52
morgangyee: hmm... should be safe to 404 v 40100:52
morganit's not changing the error code classification00:53
morganheck a 500 -> 400 is probably an "ok" backport00:53
gyee500 to anything is better :-)00:53
*** tjcocozz has joined #openstack-keystone00:53
morgangyee: well no00:53
morgan500 -> 200 is probably wrong00:53
morgan:P00:54
gyeehah00:54
*** bapalm has joined #openstack-keystone00:54
morganand 500 -> 418 is never right00:54
morganunless you really are a teapot00:54
gyeeoh I love that one00:54
* morgan wants to use http 418 legitimately at some point00:54
morganand i want to use 402 in keystone: "Pay me to fix this bug"00:55
morgan:P00:55
gyeeransomware :-)00:55
*** harlowja has quit IRC00:55
*** ankita_wagh has quit IRC00:56
morgangyee: >.>00:56
morgangyee: http://www.google.com/teapot00:56
gyeelmao00:57
gyeehey its useful!00:57
morganclick the teapot!00:57
gyeewow00:57
morganright!00:57
morgan:)00:57
*** trown|outtypewww is now known as trown01:06
*** browne has joined #openstack-keystone01:08
*** sdake has quit IRC01:20
*** jasonsb has joined #openstack-keystone01:21
*** daemontool has joined #openstack-keystone01:37
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022301:38
*** tellesnobrega is now known as tellesnobrega_af01:39
openstackgerritMerged openstack/keystone: Minor edits to the configuration doc  https://review.openstack.org/28510501:39
*** fpatwa_ has joined #openstack-keystone01:40
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235801:42
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022301:44
*** fpatwa_ has quit IRC01:52
openstackgerritJamie Lennox proposed openstack/keystone: Add docs for additional bootstrap endpoint parameters  https://review.openstack.org/29022601:55
lbragstadbknudson thanks for all the reviews on the testing refactor - responded to your comment https://review.openstack.org/#/c/286909/301:56
patchbotlbragstad: patch 286909 - keystone - Refactor TestFernetTokenProvider trust-scoped tests01:56
*** lhcheng_ has quit IRC01:58
*** spandhe has quit IRC02:03
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022302:12
*** pushkaru has quit IRC02:14
openstackgerritSean Perry proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/13764002:16
*** doug-fish has quit IRC02:19
*** doug-fish has joined #openstack-keystone02:19
*** doug-fis_ has joined #openstack-keystone02:23
*** doug-fish has quit IRC02:24
*** doug-fis_ has quit IRC02:27
*** lhcheng has joined #openstack-keystone02:28
*** ChanServ sets mode: +v lhcheng02:28
*** doug-fish has joined #openstack-keystone02:29
*** sdake has joined #openstack-keystone02:33
*** doug-fish has quit IRC02:35
*** woodster_ has quit IRC02:37
*** dan_nguyen has quit IRC02:39
*** doug-fish has joined #openstack-keystone02:40
*** csoukup has joined #openstack-keystone02:43
*** doug-fish has quit IRC02:45
*** csoukup has quit IRC02:47
*** doug-fish has joined #openstack-keystone02:50
*** richm has quit IRC02:54
*** doug-fish has quit IRC02:55
*** tqtran has quit IRC03:00
*** gyee has quit IRC03:02
*** lhcheng has quit IRC03:24
*** ankita_wagh has joined #openstack-keystone03:25
*** dims has quit IRC03:25
*** markvoelker has joined #openstack-keystone03:30
*** csoukup has joined #openstack-keystone03:33
*** sdake has quit IRC03:37
*** sdake has joined #openstack-keystone03:43
*** csoukup has quit IRC03:45
*** fpatwa_ has joined #openstack-keystone03:53
*** jamielennox is now known as jamielennox|away03:54
*** fpatwa_ has quit IRC03:58
*** links has joined #openstack-keystone04:03
*** Soni has quit IRC04:11
*** fifieldt has joined #openstack-keystone04:47
*** furface has quit IRC04:48
*** furface has joined #openstack-keystone04:49
*** EinstCrazy has joined #openstack-keystone04:57
*** GB21 has joined #openstack-keystone05:02
stevemaranyone want to take a quick look at https://review.openstack.org/#/c/290029/1 ?05:09
patchbotstevemar: patch 290029 - keystone - Clarify virtualenv setup in developer docs05:09
morganstevemar: uh05:10
morganstevemar: what does that do?05:10
morganor what is the intention for that?05:10
stevemarmorgan: it doesn't run the tests, as the name suggests05:11
morganright05:11
morganwhy is that needed?05:11
morganvs ... .tox/py27? or.?05:11
morganor using virtualenv directly?05:11
* morgan stops asking05:11
stevemarmorgan: we just want to create the virtualenv05:12
morgani... i think it's wrong to wedge / document using tox created venvs for running keystone05:13
morganvs document using virtualenv command and not having the venv in .tox/05:13
morganbut...05:13
morganeh w/e, +2/+A05:13
morganit solves the problem.05:14
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Return default value for pkg_version if missing  https://review.openstack.org/22204205:14
*** fpatwa_ has joined #openstack-keystone05:19
*** sdake_ has joined #openstack-keystone05:24
*** sdake has quit IRC05:27
*** EinstCrazy has quit IRC05:28
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022305:28
*** henrynash has quit IRC05:29
stevemarhenrynash is being naughty, he's supposed to be on vacation05:29
openstackgerritSteve Martinelli proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/29018005:31
*** lhcheng_ has joined #openstack-keystone05:34
*** fpatwa_ has quit IRC05:36
*** spandhe has joined #openstack-keystone05:41
*** fawadkhaliq has joined #openstack-keystone05:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/29028406:03
*** Nirupama has joined #openstack-keystone06:03
*** rcernin has joined #openstack-keystone06:09
openstackgerritMerged openstack/keystone: Clarify virtualenv setup in developer docs  https://review.openstack.org/29002906:15
*** lhcheng has joined #openstack-keystone06:23
*** ChanServ sets mode: +v lhcheng06:23
*** lhcheng_ has quit IRC06:26
*** tyagiprince has joined #openstack-keystone06:26
tyagiprinceHey ayoung, @all, I have a question to which you are one of the person who can answer the best. I want multiple AD's to be integrated with keystone. what is the best tool around which can do so? Also let me know which one is the easiest to configure :)06:28
*** furface has quit IRC06:43
*** furface has joined #openstack-keystone06:47
*** chlong has quit IRC06:54
*** dave-mccowan has quit IRC07:02
bretonmultiple domains and domain-specific configs07:04
bretontyagiprince: ^07:04
*** chlong has joined #openstack-keystone07:07
*** bjornar has quit IRC07:09
*** spandhe has quit IRC07:10
*** tomoiaga has joined #openstack-keystone07:15
*** fawadkhaliq has quit IRC07:28
*** eglute has quit IRC07:35
*** d34dh0r53 has quit IRC07:36
*** sigmavirus24_awa has quit IRC07:36
*** odyssey4me has quit IRC07:36
*** cloudnull has quit IRC07:38
*** GB21 has quit IRC07:41
*** odyssey4me has joined #openstack-keystone07:41
*** belmoreira has joined #openstack-keystone07:56
*** sdake_ is now known as sdake08:01
*** tyagiprince has quit IRC08:08
*** d0ugal has joined #openstack-keystone08:09
*** e0ne has joined #openstack-keystone08:10
*** ankita_wagh has quit IRC08:11
*** browne has quit IRC08:11
*** ankita_wagh has joined #openstack-keystone08:12
*** lhcheng_ has joined #openstack-keystone08:14
*** ankita_wagh has quit IRC08:16
*** lhcheng has quit IRC08:17
*** e0ne has quit IRC08:19
*** rk4n has joined #openstack-keystone08:22
*** wanghua has quit IRC08:24
*** fhubik has joined #openstack-keystone08:26
*** pece has joined #openstack-keystone08:31
*** josecastroleon has quit IRC08:32
*** lhcheng_ has quit IRC08:32
*** josecastroleon has joined #openstack-keystone08:33
*** rk4n has quit IRC08:36
*** tyagiprince has joined #openstack-keystone08:46
*** daemontool_ has joined #openstack-keystone08:47
*** openstackgerrit has quit IRC08:47
*** openstackgerrit has joined #openstack-keystone08:47
*** daemontool has quit IRC08:49
*** GB21 has joined #openstack-keystone08:52
*** doug-fish has joined #openstack-keystone08:52
*** tyagiprince has quit IRC08:53
*** tyagiprince has joined #openstack-keystone08:54
*** links has quit IRC08:55
*** doug-fish has quit IRC08:57
*** jaosorior has joined #openstack-keystone09:06
*** andreykurilin__ has joined #openstack-keystone09:10
*** chaitu has joined #openstack-keystone09:11
*** bapalm has quit IRC09:14
*** tjcocozz has quit IRC09:15
chaituHi all, Iam trying to create multiple domain in keystone, While running the following command "keystone-manage domain_config_upload --domain-name domain1".Following error occured http://paste.openstack.org/show/489787/09:16
*** jistr has joined #openstack-keystone09:19
stevemarchaitu: you can file a bug if you'd like09:20
*** d34dh0r53 has joined #openstack-keystone09:23
*** eglute has joined #openstack-keystone09:24
*** sigmavirus24_awa has joined #openstack-keystone09:24
*** cloudnull has joined #openstack-keystone09:26
*** mhickey_ has joined #openstack-keystone09:27
*** bapalm has joined #openstack-keystone09:27
chaitustevemar: how to make sure whether there is any errors in my side. How do i debug the issue.09:27
*** tjcocozz has joined #openstack-keystone09:31
*** furface has quit IRC09:32
*** furface has joined #openstack-keystone09:35
*** e0ne has joined #openstack-keystone09:51
stevemardstanek: thoughts on https://bugs.launchpad.net/keystone/+bug/1546834 when you get a chance09:53
openstackLaunchpad bug 1546834 in OpenStack Identity (keystone) " The deletion of an LDAP domain in keystone when write enabled should not clear the LDAP database" [Low,Triaged] - Assigned to Nisha Yadav (ynisha11)09:53
*** GB21 has quit IRC09:54
*** e0ne has quit IRC10:01
*** e0ne has joined #openstack-keystone10:04
*** bjornar has joined #openstack-keystone10:09
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient-kerberos: use keystoneauth instead of keystoneclient  https://review.openstack.org/29037410:11
*** rk4n has joined #openstack-keystone10:11
*** tyagiprince has quit IRC10:13
*** daemontool_ is now known as daemontool10:19
*** mvk has joined #openstack-keystone10:21
*** GB21 has joined #openstack-keystone10:24
*** rk4n has quit IRC10:34
Anticimexhmm, on a kilo keystone with saml2 idps, what do i need to restart to make it re-read rules.json (i.e. mapping file)?10:35
Anticimexi've tried both httpd and openstack-keystone, but it keeps the old mapping file10:35
Anticimexahh, i see, this file is input using openstackclient..10:36
*** rk4n has joined #openstack-keystone10:37
*** rk4n has quit IRC10:40
*** rk4n has joined #openstack-keystone10:40
marekdAnticimex: no, you don't have to restat server10:55
Anticimexi didn't set it up so i thought a static file is read, but we use that file as input to "openstack mapping set --rules /etc/keystone/rules.json $mappingname"10:59
Anticimexnow better :)10:59
Anticimexmarekd: thanks for confirming that11:00
marekdAnticimex: sure!11:00
*** GB21 has quit IRC11:03
*** dims has joined #openstack-keystone11:07
dstanekstevemar: my initial reaction is lol11:14
dstanekstevemar: i agree with your assessment about writable ldap being removed11:15
*** GB21 has joined #openstack-keystone11:17
*** doug-fish has joined #openstack-keystone11:17
*** doug-fish has quit IRC11:22
bretonchaitu: Group DEFAULT is not supported for domain specific configurations11:24
bretonchaitu: you need to remove group [DEFAULT] from your configs and leave there only ldap and identity11:25
*** pnavarro has joined #openstack-keystone11:25
breton*[ldap] and [identity]11:25
Anticimexmarekd: have you played with mapping federated users into hierachical projects?11:37
Anticimexmarekd: i.e. with the project permissions as part of the SAML2 entitlements?11:37
Anticimexour goal is to let the idp owners manage their project/group memberships themselves, via some registered entitlements in some fashion11:38
*** wxy has quit IRC11:39
*** chlong has quit IRC11:42
*** tyagiprince has joined #openstack-keystone11:44
Anticimexit's of course start to do 1st level customer projects (i.e. a customer, domain, has many projects), and perhaps even two-level in some semi-static mapping fashion.11:44
Anticimexbut ideally there would be a recursive:ish mapping thing, and some method of actually setting up these projects on the fly, as well11:45
Anticimexie upon first seeing the user logging in and the accompanied entitlements. would that perhaps be a job for a keystone middleware for example?11:45
*** links has joined #openstack-keystone11:48
*** GB21 has quit IRC11:50
*** fpatwa_ has joined #openstack-keystone11:59
*** jaosorior has quit IRC12:02
*** jaosorior has joined #openstack-keystone12:02
*** trown is now known as trown|commute12:03
*** GB21 has joined #openstack-keystone12:08
*** fpatwa_ has quit IRC12:09
*** chlong has joined #openstack-keystone12:14
*** EinstCrazy has joined #openstack-keystone12:15
*** mvk has quit IRC12:20
stevemardstanek: also, it was disabled already :)12:22
*** daemontool_ has joined #openstack-keystone12:23
*** toddnni_ has joined #openstack-keystone12:24
*** jdennis has quit IRC12:27
*** toddnni has quit IRC12:27
*** ryanpetrello has quit IRC12:27
*** chlong has quit IRC12:27
*** tristanC has quit IRC12:27
*** toddnni_ is now known as toddnni12:27
*** jdennis1 has joined #openstack-keystone12:27
*** jaosorior has quit IRC12:27
*** bapalm has quit IRC12:27
*** daemontool has quit IRC12:27
*** zeus has quit IRC12:27
*** jaosorior has joined #openstack-keystone12:27
*** tristanC has joined #openstack-keystone12:27
*** bapalm has joined #openstack-keystone12:27
*** daemontool_ is now known as daemontool12:29
*** zeus has joined #openstack-keystone12:30
*** GB21 has quit IRC12:30
*** zeus is now known as Guest864612:30
*** doug-fish has joined #openstack-keystone12:31
*** ryanpetrello has joined #openstack-keystone12:36
*** rodrigods has quit IRC12:37
*** rodrigods has joined #openstack-keystone12:37
*** chlong has joined #openstack-keystone12:40
*** doug-fish has quit IRC12:48
marekdAnticimex: no, i haven't yet12:51
*** mvk has joined #openstack-keystone12:51
*** pauloewerton has joined #openstack-keystone13:02
*** dims has quit IRC13:05
*** dims_ has joined #openstack-keystone13:05
*** markvoelker_ has joined #openstack-keystone13:08
*** gchung has joined #openstack-keystone13:09
*** petertr7_away is now known as petertr713:10
*** edmondsw has joined #openstack-keystone13:10
*** dims_ has quit IRC13:10
*** markvoelker has quit IRC13:11
*** dims has joined #openstack-keystone13:14
*** rbrady has joined #openstack-keystone13:14
*** jaosorior has quit IRC13:15
*** jaosorior has joined #openstack-keystone13:15
rbradyI'm trying to create Mistral actions that use their own keystone auth, using a token given as a param to get access to a keystone client.  Does this look right? http://paste.openstack.org/show/489731/13:16
*** trown|commute is now known as trown13:18
*** markvoelker_ has quit IRC13:20
*** richm has joined #openstack-keystone13:22
*** dave-mccowan has joined #openstack-keystone13:22
*** fhubik has quit IRC13:25
*** doug-fish has joined #openstack-keystone13:29
*** doug-fish has quit IRC13:31
*** doug-fish has joined #openstack-keystone13:32
*** tyagiprince has quit IRC13:32
edmondswrbrady, is this with mitaka?13:32
rbradyedmondsw: yes13:33
edmondswbecause keystoneclient is deprecated in mitaka... use keystoneauth113:33
rbradyedmondsw: I've been using http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html.  Is there a better set of docs I should be reading?13:34
edmondswand one sec, writing you a better example13:34
*** links has quit IRC13:35
*** markvoelker has joined #openstack-keystone13:39
edmondswrbrady, try this: http://paste.openstack.org/show/489836/13:40
edmondswreplace "rbrady_code" with whatever is appropriate there13:40
edmondswand it would be odd for the project ID to be "admin"... wouldn't it be a UUID?13:41
*** pkarikh has quit IRC13:41
*** amakarov has quit IRC13:41
*** tsufiev has quit IRC13:41
*** rk4n has quit IRC13:41
edmondswif you don't know the id, you may need to specify project_name and project_domain_name instead13:43
edmondswstevemar, someone should update http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html per above conversation13:44
*** fhubik has joined #openstack-keystone13:44
*** ninag has joined #openstack-keystone13:46
stevemaredmondsw: sounds like you're agreeing to fix it :)13:46
stevemaredmondsw: https://bugs.launchpad.net/python-keystoneclient/+bug/147052013:46
openstackLaunchpad bug 1470520 in python-keystoneclient "docs for sessions are out of date" [Low,Triaged]13:46
edmondswstevemar I would love to.. but if you wait for that, it'll probably be a while :)13:47
edmondswI'm under a huge pile right now13:47
stevemaredmondsw: i know that feel13:47
*** trown is now known as trown|brb13:50
rbradyedmondsw: success!  Thanks13:52
edmondswrbrady, awesome13:52
*** trown|brb is now known as trown13:52
*** henrynash has joined #openstack-keystone13:57
*** ChanServ sets mode: +v henrynash13:57
*** markvoelker has quit IRC13:58
*** tyagiprince has joined #openstack-keystone14:01
*** Nirupama has quit IRC14:02
*** daemontool_ has joined #openstack-keystone14:03
*** daemontool has quit IRC14:07
*** jaugustine has joined #openstack-keystone14:09
*** tyagiprince has quit IRC14:10
*** rk4n has joined #openstack-keystone14:13
*** amakarov has joined #openstack-keystone14:13
*** nkinder has joined #openstack-keystone14:14
*** pkarikh has joined #openstack-keystone14:16
*** tyagiprince has joined #openstack-keystone14:16
*** fifieldt has quit IRC14:16
*** tyagiprince has quit IRC14:18
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT  https://review.openstack.org/28552114:19
*** tyagiprince has joined #openstack-keystone14:19
*** tsufiev has joined #openstack-keystone14:23
openstackgerritBrant Knudson proposed openstack/keystone: Correct create_project driver versioning  https://review.openstack.org/28905814:24
*** nkinder has quit IRC14:36
openstackgerrithenry-nash proposed openstack/keystone: Split out domain config driver and manager tests  https://review.openstack.org/29019514:37
*** ninag has quit IRC14:38
lbragstadnonameentername one minor suggestion inline on https://review.openstack.org/#/c/290139/214:39
patchbotlbragstad: patch 290139 - keystone - v2 tokens validated on the v3 API are missing time...14:39
lbragstadnonameentername I pulled that down locally and it checks out14:40
*** ninag_ has joined #openstack-keystone14:41
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022314:45
*** knikolla has joined #openstack-keystone14:47
*** markvoelker has joined #openstack-keystone14:48
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022314:50
*** sdake_ has joined #openstack-keystone14:50
*** sdake has quit IRC14:53
*** frontrunner has joined #openstack-keystone14:55
*** jdennis1 has quit IRC14:56
*** jdennis has joined #openstack-keystone14:56
frontrunnerkeystone-manage bootstrap' is spitting out this...14:58
frontrunner2016-03-09 09:48:18.001 15650 INFO keystone.cmd.cli [req-94c9c18e-f663-4783-8ef1-ddbf16d344c6 - - - - -] Domain default already exists, skipping creation.14:58
frontrunner2016-03-09 09:48:18.005 15650 CRITICAL keystone [req-94c9c18e-f663-4783-8ef1-ddbf16d344c6 - - - - -] DomainNotFound: Could not find domain: default14:58
*** sdake has joined #openstack-keystone14:58
frontrunnerone line tells me domain 'default14:58
frontrunner'exists14:58
frontrunnerthe next line says it does not14:58
frontrunnerany suggestions anyone?14:59
*** sdake_ has quit IRC15:00
*** xek_ is now known as xek15:05
*** pushkaru has joined #openstack-keystone15:06
*** rk4n has quit IRC15:06
stevemarfrontrunner: what args did you pass in?15:07
*** BigWillie has joined #openstack-keystone15:08
*** sigmavirus24_awa is now known as sigmavirus2415:09
*** pushkaru has quit IRC15:14
*** rk4n has joined #openstack-keystone15:15
*** slberger has joined #openstack-keystone15:16
dstanekhtruta: i was doing other stuff and didn't get a chance to fix up that review any more15:18
*** pushkaru has joined #openstack-keystone15:19
*** tyagiprince has quit IRC15:19
*** phalmos has joined #openstack-keystone15:26
*** tomoiaga has quit IRC15:26
mfischayoung: have the LDAP terrorists already won?  https://github.com/SUSE-Cloud/keystone-hybrid-backend/issues/4215:28
openstackgerritAlexander Makarov proposed openstack/keystoneauth: Examples for kerberos and saml2 plugins  https://review.openstack.org/28866915:28
*** spzala has joined #openstack-keystone15:33
*** phalmos has quit IRC15:33
stevemarmfisch: ayoung -215:36
dstanekstevemar: thoughts on https://bugs.launchpad.net/keystone/+bug/1552795 ?15:37
openstackLaunchpad bug 1552795 in OpenStack Identity (keystone) "enhance notification for user events with user name" [Wishlist,In progress] - Assigned to Lance Bragstad (lbragstad)15:37
stevemardstanek: bug description looks legit, whats the issue15:38
dstanekmfisch: they'll only win if they merge! i don't care if terrorists build pipe bombs as long as they are blowing off their own hands15:38
lbragstaddstanek stevemar speaking of notifications! https://review.openstack.org/#/q/topic:bug/1552639 closes a bug15:38
stevemarisn't this a dupe?15:38
lbragstadstevemar we had two notification bugs opened within a day15:39
*** ninag_ has quit IRC15:39
lbragstadstevemar one was for not sending notifications on user/group assignments15:39
lbragstadwhich is fixed above ^15:39
dstanekstevemar: i don't think it's legit. there's comments in there from lbragstad, dolphm and i explaining why.15:39
stevemardstanek: lbragstad blah, i need to read it15:39
lbragstadstevemar "top to bottom, left to right..."15:39
*** ninag has joined #openstack-keystone15:40
*** ninag has quit IRC15:40
*** ninag has joined #openstack-keystone15:40
lbragstadstevemar the other bug was because username wasn't in the notification payload15:40
stevemarlbragstad: never!15:40
*** ninag has quit IRC15:40
*** sdake_ has joined #openstack-keystone15:41
*** sdake has quit IRC15:41
*** gchung is now known as gordc15:42
frontrunnerwhat is proper etiquette for replying to messages in this chat - do i reply via the general chat or do i reply via personal response?15:42
stevemarfrontrunner: general chat!15:43
stevemarfrontrunner: i just saw your PM :(15:43
frontrunner'openstack domain list' gives me different results with domains i create myself...15:43
frontrunner+----------------------------------+----------+---------+--------------------+15:43
frontrunner| ID                               | Name     | Enabled | Description        |15:43
frontrunner+----------------------------------+----------+---------+--------------------+15:43
frontrunner| d4aa83d0fe3d43d99e660b06c98c7b15 | default2 | True    |                    |15:43
frontrunner| default                          | Default  | True    | The default domain |15:43
frontrunner+----------------------------------+----------+---------+--------------------+15:43
frontrunnerthe openstack created default domain has an ID='default'15:43
frontrunnerwhile any domain i create has an ID of some hash15:43
frontrunnercould that be the issue?15:43
stevemarfrontrunner: logic is if the original person walks away (like i did), someone else can carry the conversation15:43
frontrunnerok, thanks15:44
stevemarfrontrunner: i'd delete "d4aa83d0fe3d43d99e660b06c98c7b15"15:44
frontrunnerthat was just a test15:44
stevemarfrontrunner: keystone-manage boostrap is atomic, so it shouldn't create duplicates15:44
frontrunneri am trying to create the 'default' domain and it does not seem to work15:45
frontrunnerperhaps because the ID is a hash and not the text 'default'15:45
*** browne has joined #openstack-keystone15:45
frontrunnercan i create a domain with an ID of some string value?15:46
stevemarfrontrunner: you shouldn't need to create the default domain, the bootstrap should do that for you15:46
*** ninag has joined #openstack-keystone15:46
stevemarfrontrunner: if you're running off of master branch, then here's an example of something you can do: https://review.openstack.org/#/c/289669/1/lib/keystone15:47
patchbotstevemar: patch 289669 - openstack-dev/devstack - Use extended keystone-manage bootstrap parameters15:47
frontrunneryes, the bootstrap does, but i am trying to recreate what it does in order to debug something else15:47
stevemarkeystone-manage bootstrap --bootstrap-username admin --bootstrap-password secretadmin --bootstrap-project-name admin --bootstrap-role-name admin --bootstrap-service-name keystone --bootstrap-region-id RegionOne --bootstrap-admin-url http://127.0.0.1:35357/v3 --bootstrap-public-url http://127.0.0.1:5000/v3 --bootstrap-internal-url http://127.0.0.1:5000/v315:47
stevemarfrontrunner: ahhh15:48
stevemarfrontrunner: this is what it does: https://github.com/openstack/keystone/blob/2445d24efacd4c5f96174b3bf1028bf5770f7bab/keystone/cmd/cli.py#L162-L34315:48
lbragstaddstanek do you have a link to the "current open keystone bugs"?15:49
*** jorge_munoz has joined #openstack-keystone15:49
lbragstaddstanek this is the one that you use - right? https://goo.gl/rYZADQ15:50
dstaneklbragstad: i have been using two...15:51
frontrunnerok, i derive from what you sent that i can not create a domain with an ID="my own name"15:51
dstaneklbragstad: the default search minus the fix-committed http://bit.ly/1nwwzVT15:51
*** phalmos has joined #openstack-keystone15:52
*** jorge_munoz_ has joined #openstack-keystone15:52
dstaneklbragstad: bugs that i almost definitely have patches http://bit.ly/1M6G30n15:52
frontrunnerwhere is this derived: CONF.identity.default_domain_id15:52
stevemarfrontrunner: correct! IDs are UUID15:52
stevemarfrontrunner: only the default domain is handled in a special way15:53
frontrunnerok15:53
*** jorge_munoz has quit IRC15:54
*** jorge_munoz_ is now known as jorge_munoz15:54
frontrunnerthat renders that test unfeasible15:54
*** EinstCrazy has quit IRC15:56
dstanekfrontrunner: what are you trying to test?15:56
frontrunnerthe true problem i am trying to get past is installing from git whereby part of my bash relies in fedora pack commands 'yum install...' and part from 'pip install' and part from 'git clone...'  these all land me in package management hell with issues like: "cpio: rename"15:59
htrutadstanek: I saw that you put it as WIP. submit your progress if you want, and I guess I can finish it today15:59
dstanekhtruta: i have nothing new for that review. if you want it go for it. i'll ask before i do any more work. the merge conflicts on that one were enough for the day :-)16:00
htrutadstanek: nice! thanks16:01
dstanekhtruta: no, thank you!16:01
frontrunneris there an source install philosophy that I am missing such as: if i use git clone then i can't use "yum install..." for any other openstack installs?16:02
openstackgerritDavid Stanek proposed openstack/keystone: Remove foreign assignments when deleting a domain  https://review.openstack.org/12743316:02
*** zzzeek has quit IRC16:03
*** nkinder has joined #openstack-keystone16:03
dstaneksuper easy review ^ already have +2+A and just needed a tweak16:03
*** zzzeek has joined #openstack-keystone16:04
lbragstaddstanek does that need a release note?16:08
lbragstadsaying that assignments are cleaned up?16:08
stevemarlbragstad: nah16:09
lbragstadok16:09
stevemarlbragstad: we don't need to advertise EVERYTHING16:09
stevemarlbragstad: there's no new config option16:09
*** nkinder has quit IRC16:10
dstanekstevemar: lbragstad: ++ although it does change the driver signature16:10
dstaneklbragstad: just commented on https://review.openstack.org/#/c/287977/2 with a question16:11
patchbotdstanek: patch 287977 - keystone - Add ability to send notifications for actors16:11
ayoungmfisch, yes, the terrorists have won16:11
morganstevemar: ADVERTISE IT ALL!16:12
morgan:P16:12
stevemarmorgan: go back to bed!16:12
morganstevemar: it's 8am here16:12
ayoungmfisch, we have enough people requesting it that we need to at least code review it and be able to speak honestly around it16:12
dstanek#action morgan to write release notes for all commits that don't already have them16:12
morgan#action flake on dstanek's action, leaving it to dstanek to complete16:12
* dstanek is sad16:13
morgandstanek: :P16:13
ayoungmfisch, It also allows me to start working on an approach to wean people off the Hybrid driver and onto something supportable16:13
morganayoung: which hybrid driver?16:13
ayoungmorgan, https://github.com/SUSE-Cloud/keystone-hybrid-backend/16:14
morganoh oh16:14
morganthat... ick16:14
ayoungmorgan, its essentially a V2 crutch at this point16:14
morganyeah16:14
*** sdake has joined #openstack-keystone16:14
morganit's the same thing i wrote back in essex for metacloud16:14
morganbasically16:14
ayoungmorgan, maybe if I had been less hard headed a few years ago it would have been the norm in Keystone16:14
morganeh.16:15
morganmaybe not.16:15
*** sdake_ has quit IRC16:15
ayoungmorgan, the issue is that people in the LDAP domain have all these scripts that are V2 specific. I need a way to transition them cleanly to V316:15
ayoungand having the code that they are working with be outside the tree means that, well, it can do anything.16:16
lbragstaddstanek ah - that comment makes sense, i can either incorporate it into that patch or do it in a follow on.16:16
lbragstaddstanek preference?16:16
morganshrug.16:16
*** sdake_ has joined #openstack-keystone16:17
mfischayoung: also I have to rehack this driver each time we release, and I'd love a transition plan16:18
mfischayoung: I'd love to get rid of this and switch to domains but I think it might be painful16:18
ayoungmfisch, can you own this effort?  I am happy to guide?16:18
mfischI wonder if the SuSe guy would, they havent taken many of my patches16:18
mfischIm glad to help but probably not until after the summit16:18
*** sdake has quit IRC16:19
*** BigWillie has quit IRC16:20
*** sdake_ is now known as sdake16:21
*** roxanagh_ has joined #openstack-keystone16:21
ayoungmfisch, that is fine. And, screw SuSE.  If they don't play, we can deal with it ourselves.16:21
mfischayoung: isnt there a path to just dump this completely and use domains?16:22
ayoungmfisch, how?16:22
mfischservice domain for mysql and ldap domain for users16:22
ayoungmfisch, its the V2 scripts that are the problem, though16:23
ayoungso...yes, but16:23
ayoungwe need to make sure all of the services use V3 first, I guess16:23
mfisch=116:24
mfisch+1!16:24
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: WIP: Add users functional tests  https://review.openstack.org/28930616:24
samueldmqI'd like to discuss something on how we do functional tests in ksclient16:24
samueldmqdstanek: stevemar: bknudson: hi ^16:25
samueldmq(anyone else willing to discuss it is welcome too)16:25
bknudsonsamueldmq: what's up? I'm around16:26
samueldmqbknudson: if you look at my patch above, I have written a test (test_create_user)16:26
samueldmqbknudson: I am already using the resources provided by devstack: 'default' domain and 'demo' project16:26
samueldmqbknudson: but I am not sure this is the right way to go, because those tests should be able to run against any installation16:27
ayoungmfisch, how do you configure your Nova servers?  What do you use? Puppet?16:27
bknudsonsamueldmq: not every deployment that we want to run these tests on is going to support creating users16:27
mfischayoung: yessir16:27
samueldmqbknudson: my idea was that we created our own test scenario to run tests on16:27
*** bjornar has quit IRC16:27
bknudsonyou should read a config file to figure out the domain and projects to use16:27
ayoungmfisch, OK, so we need a way to use that to migrate from V2 to V3 for the configuration to talk to Keystone16:27
mfischchange params, restart service?16:28
mfischis there more?16:28
samueldmqbknudson: yes, so there should be a config file telling how to run the tests ...16:28
samueldmqbknudson: like create_users=False would skip that test, for example16:28
bknudsonsamueldmq: right, like devstack creates for tempest. Maybe our tests should read the tempest config?16:28
morganmfisch: thats mostly it.16:29
bknudsonor, just put these tests in tempest16:29
morganmfisch: or it should be it.16:29
bknudsonwhy duplicate the effort?16:29
mfischthats pretty much puppet's #1 function16:29
ayoungmfisch, set the domain...and figuring out what domain to use.  Splitting it off of the default.  I think that is the hard part.16:29
mfischayoung: yes, I was just thinking only of the v3 switch16:30
mfischthe domains is more work16:30
samueldmqbknudson: afaik tempest uses its own client to make requests16:30
samueldmqbknudson: we need to have tests for individual clients too, tempest only tests the HTTP APIs16:30
ayoungmfisch, then, there is the fact that the LDAP users might have scripted v3 to explicirtly say OS_DOMAIN_ID=default16:30
ayoungso...need to think through it, soup to nuts16:30
bknudsonsamueldmq: tempest is testing keystone, not keystoneclient, so they use their own client. They can't have tests for keystoneclient?16:30
mfischyep16:31
mfischI've had not much luck selling my boss on ditching this driver unfortunately16:31
mfischneed to get cycles from the scheduler16:31
bknudsonsamueldmq: I guess it makes sense they don't want to test keystoneclient. At least try to share the config somehow.16:31
samueldmqbknudson: I don't thnk they want to test clients16:32
samueldmqbknudson: yes, but the config has much more than we need16:32
samueldmqbknudson: but I will take a deeper look16:32
*** shaleh has joined #openstack-keystone16:33
*** dims has quit IRC16:33
bknudsonsamueldmq: well, either way the tests need to be customizable to the deployment16:33
samueldmqbknudson: completely agreed16:34
ayoungmfisch, If we can make the change at the Service configuration level, it should be easier.  It might require some magic to duplicate role assignments between two domains for a while.16:35
mfischwe may have some changes in our theory about how we deal with non-openstack service accounts, so not like nova16:35
mfischbut like the account for "Adam's Team CI account"16:35
mfischright now those are in mysql16:35
mfischbut we may push those to LDAP so we can tie to an employee16:36
*** nkinder has joined #openstack-keystone16:36
*** arunkant has joined #openstack-keystone16:36
ayoungmfisch, I think that there is a risk there.  Those should be service accounts, not real users16:36
mfischayoung: is this something we can cover in autsin too?16:36
mfischpreferably with alcohol and bbq16:37
ayoungunified delegation probably should address exactly that use case16:37
ayoungmfisch, and music.  Don't forget the music16:37
mfischyes16:38
mfischyou play sax, I'll take notes16:38
*** gyee has joined #openstack-keystone16:39
*** ChanServ sets mode: +v gyee16:39
ayoungmfisch, that too.16:39
ayoungmfisch, lets try to have a plan going in to Austin, though.  Treat the Summit as a time to polish and refine, as well as get consensus16:40
*** trown has quit IRC16:41
*** dims has joined #openstack-keystone16:44
henrynashbknudson: ping16:45
*** fhubik has quit IRC16:45
bknudsonhenrynash: what's up?16:45
henrynashbknudson: just wanted to chat about our respective commenst on the resource driver...16:46
*** rderose has joined #openstack-keystone16:46
henrynashbknudson: so “resource” has two, independant, drivers - resource and domain_config16:46
bknudsonhenrynash: I'm checking to see if there's a foreign key in the domain config16:46
henrynashbknudson: (whcih would indeed scupper my argument!)16:47
bknudsonhenrynash: there isn't one in http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/config_backends/sql.py#n1916:48
henrynashbknudson: I didn’t think so….16:48
bknudsonso there shouldn't be any need to have the domain_id exist in the resource backend in order to have it in the domain_config backend16:49
henrynashbknudson: ahhh, right - I’m with you16:49
*** e0ne has quit IRC16:50
bknudsonyou do for the manager tests because the manager checks16:50
bknudsonI assume the manager checks... that's what we usually do16:50
henrynashbknudson: right, so for the driver tests we can just use a uuid for domain_id16:50
bknudsonhenrynash: yes, just use any old id16:51
henrynashbknudson: ok…will fix up, thx16:51
bknudsonthe value has to be valid for the drivers16:51
*** belmoreira has quit IRC16:52
*** wolsen has quit IRC16:52
*** wolsen has joined #openstack-keystone16:52
*** browne has quit IRC16:53
*** trown has joined #openstack-keystone16:53
lbragstaddstanek responded https://review.openstack.org/#/c/287977/216:55
patchbotlbragstad: patch 287977 - keystone - Add ability to send notifications for actors16:55
*** jaosorior has quit IRC16:55
lbragstadand added - https://review.openstack.org/#/c/290666/116:55
patchbotlbragstad: patch 290666 - keystone - Clarify actor operation for notifications16:55
*** EinstCrazy has joined #openstack-keystone16:56
*** tellesnobrega_af is now known as tellesnobrega17:00
*** tyagiprince has joined #openstack-keystone17:01
*** rk4n has quit IRC17:02
dstaneklbragstad: is there any chance that this will be backported and the followup patch lost?17:02
*** fawadkhaliq has joined #openstack-keystone17:03
*** EinstCrazy has quit IRC17:03
*** fawadkhaliq has quit IRC17:03
lbragstaddstanek I don't think we will be backporting https://review.openstack.org/#/c/287857/4 but that's up to stevemar - the bug isn't tagged with backport potential17:04
patchbotlbragstad: patch 287857 - keystone - Add notifications to user/group membership17:04
bknudsonlbragstad: you can backport whatever you want to17:04
bknudsondoesn't need to be tagged as backport potential17:05
lbragstadbknudson dstanek I can backport it - up to your guys17:05
lbragstadyou*17:05
*** daemontool has joined #openstack-keystone17:05
*** dan_nguyen has joined #openstack-keystone17:06
dstaneklbragstad: no i just mean that if they are separate and someone wants that backported their notification format would be incorrect without the follow up17:06
*** BigWillie has joined #openstack-keystone17:06
*** jistr has quit IRC17:06
*** daemontool_ has quit IRC17:07
openstackgerritMerged openstack/keystone: Correct create_project driver versioning  https://review.openstack.org/28905817:08
*** rk4n has joined #openstack-keystone17:08
*** rcernin has quit IRC17:09
lbragstaddstanek I don't think it would be incorrect - is just a better name for the key17:09
*** fawadkhaliq has joined #openstack-keystone17:10
dstaneklbragstad: but any consumers would later have to be rewritten to use the new key17:10
lbragstaddstanek ah - yes17:10
openstackgerritMerged openstack/keystone: Validate v2 fernet token returns extra attributes  https://review.openstack.org/28961817:11
*** rk4n has quit IRC17:11
*** rk4n has joined #openstack-keystone17:12
*** browne has joined #openstack-keystone17:18
openstackgerritLance Bragstad proposed openstack/keystone: Add ability to send notifications for actors  https://review.openstack.org/28797717:19
lbragstaddstanek fixed17:20
openstackgerritLance Bragstad proposed openstack/keystone: Add notifications to user/group membership  https://review.openstack.org/28785717:20
dstaneklbragstad: wasn't it discussed somewhere that we'd attach the full entity for things like deletions?17:20
*** bjornar has joined #openstack-keystone17:20
lbragstaddstanek i'm not sure if it was discussed - we still only provide the ID of the resource that was deleted and the resource type17:21
dstaneklbragstad: hmm, ok. maybe i can find that somewhere...17:21
lbragstaddstanek why?17:21
openstackgerritMerged openstack/keystone: v2 tokens validated on the v3 API are missing timezones  https://review.openstack.org/29013917:21
lbragstadmaybe dolphm knows ^?17:21
dstaneklbragstad: gyee commented on that bug from earlier17:22
dolphmthe answer is B17:22
lbragstad4217:22
dstanek$1000 on B please17:22
stevemarlbragstad: it's always 4217:22
*** daemontool_ has joined #openstack-keystone17:22
dolphmdstanek: we have definitely discussed that in the past - but what's the point if you can mutate the object to something unrecognizable and then delete it?17:23
dolphmif you care, you need real data auditing17:23
*** daemontool has quit IRC17:23
browneHi bknudson, where are you at with the bandit changes for keystonemiddleware?  I see a bunch of patches in WIP.17:23
stevemarlbragstad: wasn't intending to backport https://review.openstack.org/#/c/287857/4 - seems kinda featurey and not buggy17:23
patchbotstevemar: patch 287857 - keystone - Add notifications to user/group membership17:23
lbragstadstevemar yeah - that's kinda what I was thinking17:23
dstanekdolphm: that's true. in the old ticketing system i worked on we stored new=entity and old=entity for updates.17:24
bknudsonbrowne: I was working on them for a while and then I stopped working on them since I figured we'd switch to configless. Reviewers kept commenting on issues with the sample config.17:24
lbragstaddstanek dolphm explained the shadow thing to me yesterday and it made sense17:24
bknudsonbrowne: if you've got time to work on it go ahead17:24
stevemarbrowne: sounds like you're volunteering :)17:24
lbragstadbrowne you've just been volun-told17:25
brownebknudson: yeah, want to switch it to configless.17:25
openstackgerrithenry-nash proposed openstack/keystone: Split out domain config driver and manager tests  https://review.openstack.org/29019517:25
brownelbragstad: haha, like that17:25
openstackgerritMerged openstack/keystone: Explicitly exclude tests from bandit scan  https://review.openstack.org/29020117:26
dolphmany thoughts on my last comment here? apparently e.message is deprecated in py26, but i struggled to find any mention of it after that https://bugs.launchpad.net/keystoneauth/+bug/153436317:27
openstackLaunchpad bug 1534363 in keystoneauth "message doesn't set properly on ClientException" [Medium,In progress] - Assigned to Tin Lam (tl3438)17:27
dolphmpy27 seems to support e.args instead of .message -- which is printed by __str__()17:28
*** tyagiprince1 has joined #openstack-keystone17:29
openstackgerrithenry-nash proposed openstack/keystone: Split out domain config driver and manager tests  https://review.openstack.org/29019517:32
*** tyagiprince has quit IRC17:33
*** tyagiprince1 is now known as tyagiprince17:33
openstackgerritMerged openstack/keystone: Move domain config backend tests  https://review.openstack.org/29003817:35
dstanekdolphm: yeah, e.message is gone in Python317:36
openstackgerritDavid Stanek proposed openstack/keystoneauth: WIP: interesting idea  https://review.openstack.org/29071917:40
dstanekdolphm: ^17:40
dstanekthat's what i think it should be17:40
openstackgerritEric Brown proposed openstack/keystonemiddleware: Remove bandit.yaml in favor of defaults  https://review.openstack.org/26711617:44
*** tyagiprince has quit IRC17:44
*** spandhe has joined #openstack-keystone17:45
*** mhickey_ has quit IRC17:46
openstackgerritEric Brown proposed openstack/keystonemiddleware: Remove bandit.yaml in favor of defaults  https://review.openstack.org/26711617:46
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022317:47
*** slberger has quit IRC17:49
*** nkinder has quit IRC17:51
*** rk4n has quit IRC17:53
zigodolphm: Hi there. I've had a discussion in this channel about the admin_token_auth being removed from the default Keystone pipeline, but having a look, it doesn't seem to be the case. Do you know if that was reverted, somehow?17:55
*** petertr7 is now known as petertr7_away18:00
dstanekzigo: i thought it wasn't going to be removed from the paste pipeline until it's removed in O, but morgan would know the deets18:03
morganit was put back in18:04
zigomorgan: Ah, thanks! :)18:04
morganand not removed.18:04
morganuntil O ot whatever18:04
zigomorgan: When trying to bootstrap my first admin user, I get:18:04
zigoCreating tenants... No domain with a name or ID of 'default' exists.18:04
zigomorgan: The "default" domain isn't there by default? :)18:05
zigomorgan: How do I even list the domains when I don't have a working admin user?18:05
zigo(yes, I know, I *will* use the keystone bootstrap stuff, I just want to unstuck everything before I write things correctly...)18:06
*** ankita_wagh has joined #openstack-keystone18:09
zigoThe domain table has some kind of weird content...18:09
zigoIn Mitaka b2, I had:18:09
zigomysql> SELECT * FROM domain;18:10
zigo+---------+---------+---------+-----------------------------------------------------------------------------------------+18:10
zigo| id      | name    | enabled | extra                                                                                   |18:10
zigo+---------+---------+---------+-----------------------------------------------------------------------------------------+18:10
zigo| default | Default |       1 | {"description": "Owns users and tenants (i.e. projects) available on Identity API v2."} |18:10
*** daemontool__ has joined #openstack-keystone18:10
zigoNow, instead, I get:18:10
zigomysql> SELECT * FROM domain;18:10
zigo+--------------------------+--------------------------+---------+-------+18:10
zigo| id                       | name                     | enabled | extra |18:10
zigo+--------------------------+--------------------------+---------+-------+18:10
zigo| <<keystone.domain.root>> | <<keystone.domain.root>> |       0 | {}    |18:10
zigoIs this normal?18:10
zigomorgan: ^18:10
*** spzala has quit IRC18:11
*** sdake has quit IRC18:11
*** spzala has joined #openstack-keystone18:11
stevemarbknudson: you should be able to ditch the bandit patches in keystonemiddleware now18:13
*** daemontool_ has quit IRC18:13
zigoOh, I see... Looks like I can't do without "keystone-manage bootstrap" these days, right?18:14
stevemarzigo: keystone-manage bootstrap is the prefered way18:15
stevemarzigo: but118:15
stevemarzigo: BUT!18:15
stevemarzigo: you can go ahead and use the admin_token like you used to18:15
stevemarcreate the endpoint, user, etc..18:16
*** ankita_wagh has quit IRC18:16
zigostevemar: Well, it doesn't work, because the "default" domain isn't there then.18:16
*** daemontool__ has quit IRC18:16
stevemarkeystone will create a default domain if it doesn't detect one18:16
zigostevemar: It just failed on me because of that.18:16
*** spzala has quit IRC18:16
stevemarzigo: what did you try to do?18:17
zigostevemar: Let me show you...18:17
zigostevemar: http://anonscm.debian.org/cgit/openstack/keystone.git/tree/debian/keystone.postinst.in <--- This is what the Debian package does automatically *IF* you ask it to do so (by default it does nothing).18:18
zigoThis way, "apt-get install keystone" is enough to have a working Keystone install.18:18
zigostevemar: It failed in the keystone_create_admin_tenant if I didn't run keystone-manage bootstrap.18:19
morganzigo: you know i disagree with apt-get install setting up anything in the db,18:19
zigomorgan: It's off by default...18:19
morganzigo: a package trying to be that smart is doing it wrong imo.18:19
stevemarmorgan: he did say IF :)18:19
zigomorgan: Do you think I18:19
zigomorgan: Do you think I'm dumb ? :)18:20
morgananyway18:20
morganuse of bootstrap would be ideal18:20
morganfwiw18:20
zigoThere's dbconfig-common to setup dbs, and it's supposed to "do the right thing" (tm). That's the standard interface in Debian for it, so I don't see why not, especially if it's off by default. Plus I use all of that with preseed so that everything gets installed automatically in my CI, without the need to interact with anything puppet, so it's *very* useful.18:21
*** jaosorior has joined #openstack-keystone18:21
zigomorgan: Will do.18:21
zigoThanks guys.18:21
morganzigo: it might be an edge case18:21
*** jasonsb has quit IRC18:22
morganzigo: as well. where the default domain doesn't get created in some cases. should be confirmed18:22
zigomorgan: I just thought I'd delay fixing the postinst to do the correct thing after everything else was working in Mitaka, but it looks like I'm going to work on this first ! :)18:22
morganzigo: but def. move to use bootstrap if you can in general, it's what devstack does and ideally this is the general way going forward.18:22
zigoDoing so right now.18:23
*** slberger has joined #openstack-keystone18:23
zigo(as I just tried manually, and it worked...)18:23
morganzigo: if you can isolate a case where default domain isn't created automatically - it's worth filing a bug on it.18:23
morganzigo: and worth us fixing - before mitaka ships - we claim to support automatic creation of the default domain18:24
*** nkinder has joined #openstack-keystone18:24
zigoWell, install Keystone, run db_sync, then attempt to do:18:25
zigoopenstack --os-token ${AUTH_TOKEN} --os-url=http://127.0.0.1:35357/v3/ --os-domain-name default --os-identity-api-version=3 project create --or-show $ADMIN_TENANT_NAME --domain default --description "Default Debian admin project"18:25
morganstevemar, bknudson: ^18:25
*** spzala has joined #openstack-keystone18:25
zigoIt may have failed a bit later, let me make sure...18:25
bknudsononly if v2 is used does it create a default domain18:26
bknudsonbecause that's what the default domain is for - v2 users18:26
morganbknudson: so in this case zigo needs to create the default domain if not using bootstrap18:26
morganbknudson: if he's using it.18:26
morganok18:26
morganthat is fine18:26
bknudsoncreate a domain. Call it default if you want18:26
morganbknudson: ++18:26
morganzigo: so instead of converting to bootstrap, just add the domain create call, but i still recommend bootstrap if possible18:27
* zigo moves to use keystone-manage bootstrap anyway18:27
openstackgerritDoug Hellmann proposed openstack/python-keystoneclient: Update reno for stable/mitaka  https://review.openstack.org/29075918:27
*** mvk has quit IRC18:27
morganzigo: ok cool. just figured we'd offer the small amount of work.18:27
morganzigo: anyway.18:27
morganzigo: cheers18:28
zigoI very much prefer the bootstrap way, because I don't have to pass a password in the command line, which would be a security issue (it is right now...).18:28
zigoThanks a lot guys, you're really super helpful.18:28
*** e0ne has joined #openstack-keystone18:29
*** tyagiprince has joined #openstack-keystone18:38
ayoungIt is 80 degress here in Massachusetts.18:40
bknudsonCentigrade?18:41
stevemarbknudson: thatd be interesting18:42
*** pece has quit IRC18:42
ayoungIt is warmer outside my house than inside18:43
bknudsonstraight to the ac18:43
ayoungbknudson, I guess that is about 25 degrees Centigrade18:43
ayoungJust opened the majority of the windows in my house18:43
bknudsonit was warm here yesterday and then today it cools off18:44
*** dims has quit IRC18:44
*** dims has joined #openstack-keystone18:46
sigmavirus24For interested parties, I'm going to be speaking about keystoneauth's betamax feature and betamax for the OpenStack NYC Bugsmash event: https://twitter.com/sigmavirus24/status/707629010323308544 The talk will be live-streamed over Hangouts on Air18:46
sigmavirus24psst morgan what made you add the BetamaxFixture btw?18:47
morgansigmavirus24: because we wanted to record public cloud/clouds that are in OCC18:47
morganand be able to replay the responses for unit tests18:47
sigmavirus24:)18:47
morganmaking sure we don't regress/break real installs18:47
morganit hasn't gotten there yet, but that was the reasoning for adding it to ksa18:48
sigmavirus24morgan: I know why I'd use the fixture, just wasn't sure what made you choose betamax really :)18:48
morganthe fixture was a good way to handle that recording also so we can do recording elegantly - the option was betamax or crazy requests-mock stuff18:48
sigmavirus24Cool18:48
morganfigured betamax did most of what we wanted already, so yay18:48
morganwhy reinvent the wheel18:49
sigmavirus24Thanks :)18:49
morgansigmavirus24: sure thing18:49
openstackgerritJorge Munoz proposed openstack/keystone: Rename v2 token schema used for validation  https://review.openstack.org/29076818:52
*** sdake has joined #openstack-keystone18:57
*** petertr7_away is now known as petertr718:57
*** ninag has quit IRC18:58
*** ninag has joined #openstack-keystone18:59
*** markvoelker has quit IRC19:01
openstackgerritJorge Munoz proposed openstack/keystone: Rename v2 token schema used for validation  https://review.openstack.org/29076819:02
*** markvoelker has joined #openstack-keystone19:03
*** ninag has quit IRC19:03
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/29064519:03
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848819:05
*** trown is now known as trown|lunch19:05
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation driver interface  https://review.openstack.org/20960019:06
*** petertr7 is now known as petertr7_away19:07
openstackgerritJorge Munoz proposed openstack/keystone: Rename v2 token schema used for validation  https://review.openstack.org/29076819:08
lbragstadjorge_munoz https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:refactor-tests19:09
shalehstevemar, lbragstad you all around to talk about the migrate_repo review?19:12
*** andreykurilin__ has quit IRC19:13
*** boris-42 has quit IRC19:14
*** tqtran has joined #openstack-keystone19:15
openstackgerritJorge Munoz proposed openstack/keystone: Consolidate TestTrustRedelegation and TestTrustAuth tests  https://review.openstack.org/28044719:15
*** markvoelker has quit IRC19:17
*** markvoelker has joined #openstack-keystone19:18
*** doug-fis_ has joined #openstack-keystone19:19
*** doug-fis_ is now known as doug-fish_19:20
krotscheckmorgan: Hey, is there a spec somewhere that describes how keystone is deprecating the v2 api (headers, etc)? Trove is in a similar situation.19:21
*** doug-fish has quit IRC19:21
*** gordc has quit IRC19:22
*** tyagiprince has quit IRC19:26
*** sdake_ has joined #openstack-keystone19:30
*** sdake has quit IRC19:32
*** jed56 has quit IRC19:33
*** mvk has joined #openstack-keystone19:39
*** petertr7_away is now known as petertr719:40
*** ninag has joined #openstack-keystone19:40
*** lhcheng has joined #openstack-keystone19:40
*** ChanServ sets mode: +v lhcheng19:40
*** ninag_ has joined #openstack-keystone19:42
*** ninag has quit IRC19:44
*** tyagiprince has joined #openstack-keystone19:45
tjcocozzbknudson, it looks like the warnerrors functionality is going to come back https://review.openstack.org/#/c/229951/19:46
patchbottjcocozz: patch 229951 - openstack-dev/pbr - Restore warnerrors behavior19:46
*** woodster_ has joined #openstack-keystone19:47
bknudsontjcocozz: that's going to cause everything to break again! he he19:47
*** pushkaru has quit IRC19:48
*** pushkaru has joined #openstack-keystone19:48
*** sigmavirus24 is now known as sigmavirus24_awa19:48
tjcocozzbknudson, yeah, just checked and it hasn't been running since Apr 719:49
openstackgerritDolph Mathews proposed openstack/keystone: Add PKIZ coverage to trust tests  https://review.openstack.org/29081319:52
*** BigWillie has quit IRC19:54
*** doug-fish has joined #openstack-keystone19:55
*** doug-fish_ has quit IRC19:55
*** tyagiprince has quit IRC19:59
*** pauloewerton has quit IRC20:02
*** jaosorior has quit IRC20:02
*** gordc has joined #openstack-keystone20:02
*** jaosorior has joined #openstack-keystone20:03
*** tyagiprince has joined #openstack-keystone20:04
morgankrotscheck: uhmmmmmmmmm20:06
morgankrotscheck: ask stevemar, dolphm, bknudson, and dstanek20:07
bknudsonkrotscheck: we're just having use of the v2 apis log a deprecation warning20:08
*** gyee has quit IRC20:08
*** pushkaru has quit IRC20:09
*** pumarani__ has joined #openstack-keystone20:09
*** nkinder has quit IRC20:11
*** daemontool has joined #openstack-keystone20:14
dolphmstevemar: WTF does NOT_REGISTERED mean in the jenkins job? https://review.openstack.org/#/c/290768/20:17
patchbotdolphm: patch 290768 - keystone - Rename v2 token schema used for validation20:17
dolphmjorge_munoz: ^20:20
*** sdake has joined #openstack-keystone20:21
dolphmkrotscheck: the clients log warnings client-side, the API should be advertised as deprecated on the root endpoint at some point (i think the status is still "stable" for us), and the servers log usage as deprecation warnings20:21
krotscheckdolphm: Thanks :)20:22
*** mewald has joined #openstack-keystone20:22
morgandolphm: "not registered" is a jenkins issue i think, the job is in zuul but not registered with jenkins to run20:23
morgandolphm: i think20:23
dolphmmorgan: weird, so just recheck?20:23
*** sdake_ has quit IRC20:23
morgandolphm: well, if it passed previously, yes, if no, then look at the infra config to make sure it's properly setup20:23
*** pumarani__ has quit IRC20:25
*** pumarani__ has joined #openstack-keystone20:25
mewaldI am using Keystone V3 with multiple domains which works fine with the "openstack" client (for example, openstack user list etc) But the "keystone" client fails to run like this https://gist.github.com/mewald1/b897b1adb26fbf499b78 This is what the environment looks like: https://gist.github.com/mewald1/88c52a8431cf22a5d76920:26
*** trown|lunch is now known as trown20:27
*** tellesnobrega is now known as tellesnobrega_af20:30
*** tyagiprince has quit IRC20:33
openstackgerritSean Perry proposed openstack/keystone: Migrate_repo init version helper  https://review.openstack.org/13764020:33
lbragstaddolphm https://review.openstack.org/#/c/244871/6/doc/admin-guide-cloud/source/keystone_tokens.rst20:36
patchbotlbragstad: patch 244871 - openstack-manuals - Add documentation for keystone tokens (MERGED)20:36
lbragstaddolphm https://review.openstack.org/#/q/status:merged+project:openstack/openstack-manuals+branch:master+topic:add-tokens-doc20:36
*** tellesnobrega_af is now known as tellesnobrega20:39
lbragstaddolphm http://docs.openstack.org/admin-guide-cloud/keystone_tokens.html20:40
morganmewald: the keystoneclient cli does not work with v320:41
openstackgerritRon De Rose proposed openstack/keystone: Add auto-increment int primary key to revoke.backends.sql  https://review.openstack.org/29084120:45
*** doug-fish has quit IRC20:49
*** Ephur has joined #openstack-keystone20:49
*** tsufiev has left #openstack-keystone20:50
*** e0ne has quit IRC20:53
*** tqtran has quit IRC20:54
*** tqtran has joined #openstack-keystone20:55
openstackgerritMerged openstack/keystoneauth: Swap the order of username deprecation  https://review.openstack.org/28775420:55
*** pumarani__ has quit IRC20:57
*** pushkaru has joined #openstack-keystone20:57
*** sigmavirus24_awa is now known as sigmavirus2420:58
*** petertr7 is now known as petertr7_away21:00
*** rderose has quit IRC21:02
*** pushkaru has quit IRC21:02
*** pushkaru has joined #openstack-keystone21:02
lbragstaddolphm I got the same thing here - https://review.openstack.org/#/q/topic:bug/155263921:03
lbragstadgate-keystone-tox-db-legacy_driversNOT_REGISTERED21:04
* lbragstad has absolutely no idea what that is21:04
*** dims has quit IRC21:05
openstackgerrithenry-nash proposed openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022321:14
*** mewald has quit IRC21:18
*** markvoelker has quit IRC21:20
*** doug-fish has joined #openstack-keystone21:25
*** trown is now known as trown|outtypewww21:25
*** sheel has quit IRC21:27
*** dims has joined #openstack-keystone21:37
*** pnavarro has quit IRC21:38
*** sdake has quit IRC21:44
*** SDub has joined #openstack-keystone21:45
*** gyee has joined #openstack-keystone21:51
*** ChanServ sets mode: +v gyee21:51
*** rk4n has joined #openstack-keystone21:52
SDubAnyone know how to configure keystone to use TLS for public and admin endpoints?21:53
*** dims has quit IRC21:56
*** dims has joined #openstack-keystone21:58
*** slberger has quit IRC22:01
*** ninag_ has quit IRC22:05
zigomorgan: stevemar: When I do "openstack token issue", I get as a reply:22:09
zigo__init__() got an unexpected keyword argument 'token'22:09
zigoWhat's going on? :(22:09
zigo"openstack help" does show token as a possible command ...22:10
morganthats... weird22:10
morganlike... that shouldn't happen22:10
*** knikolla has quit IRC22:10
zigoRight...22:11
zigomorgan: http://paste.openstack.org/show/489913/22:13
morganstevemar: ^22:14
*** gordc has quit IRC22:16
*** phalmos has quit IRC22:19
*** jaugustine has quit IRC22:19
zigoI'm trying to upgrade OSC and KSC to latest version released a few days ago, see what happens.22:19
zigo(I was fairly up-to-date already...)22:19
*** david-lyle has quit IRC22:19
*** dave-mccowan has quit IRC22:20
*** david-lyle has joined #openstack-keystone22:20
shalehodd. Why is a token being passed to the Password plugin?22:21
*** mewald has joined #openstack-keystone22:21
morganshaleh: yeah it seems... wrong22:22
shalehalso, notice it is doing IDENTITTY_API_VERSION=3 but calling a /v2.0 api22:23
shalehmight be part of the issue22:23
*** jorge_munoz has left #openstack-keystone22:24
morganoh huh22:25
morganthat is likely an issue22:25
zigoAh...22:25
*** mewald has quit IRC22:26
zigoIt used to work very well for Liberty to do that.22:26
shalehzigo: why is 'token' defined here when calling 'token issue'?22:26
shalehleft over variable?22:27
zigoshaleh: I'm not sure what you mean.22:27
morganshaleh: maybe22:27
shalehzigo: can you paste the output of 'env' from the same shell. If that is called by a script, add it as a line just above the call to OSC.22:28
shalehzigo: obviously mask out anything we should not see22:28
*** dims has quit IRC22:29
zigoshaleh: Oh, I see what was wrong ! :)22:30
zigomorgan: shaleh: My bad, I was playing with export OS_TOKEN to avoid passing it on the command line, and an old one was there when trying to do "openstack token issue" again.22:31
zigoSo, it's my fault, though a nicer error message would have been nice ! :P22:31
shalehzigo: agreed. Check if there is an open bug and if not please open one.22:31
* zigo does that22:32
zigoshaleh: Against KSC, right?22:32
shalehzigo: OSC I think. It should have sanitized the inputs.22:32
zigoOk.22:32
shalehKSC was totally correct to complain about a token being passed into the Password plugin.22:33
*** roxanagh_ has quit IRC22:33
shalehzigo: thank you for the bug report. Now someone else won't have the same experience.22:34
*** pushkaru has quit IRC22:34
zigo:)22:34
*** dave-mccowan has joined #openstack-keystone22:34
shalehzigo: do mind the setting of IDENTITY_API_VERSION=3 but calling a /v2.0 api. This might bite you at some point.22:34
zigoshaleh: Shout this to the documentation people, that's what they advise to do. And by the way, for Liberty, this is what worked best, for some reason ...22:35
zigoshaleh: Hopefully, with everyone migrating to v3, we wont need it anymore.22:36
shalehzigo: link please.22:36
zigoshaleh: somewhere in docs.openstack.org -> install guide22:36
zigo(for Liberty)22:36
zigoThat's what I reproduced for my own Debian packaging CI, and it worked very well.22:36
shalehzigo: luck and the hard work of the Open Stack team22:37
zigo:)22:38
zigohttps://bugs.launchpad.net/python-openstackclient/+bug/155536622:42
openstackLaunchpad bug 1555366 in python-openstackclient "OSC should check if OS_TOKEN is set when performing a "token issue" command" [Undecided,New]22:42
shalehzigo: excellent22:42
*** henrynash has quit IRC22:43
zigoAh no...22:44
zigoIt looks like OS_TOKEN doesn't even work :(22:44
zigoI mean export OS_TOKEN.22:44
zigoOr does it?22:44
*** dims has joined #openstack-keystone22:44
shalehzigo: try --os-token22:44
zigoshaleh: The point is, I don't want to push it to the command line.22:45
shalehzigo: I know. Prove it works with --os-token. Then try it as a variable. Makes debugging easier :-)22:45
zigo(ie: that'd be leaking a token in /proc, visible to any user doing "ps auxf")22:45
zigoOk.22:45
shalehzigo: in theory the code treats --os-foo and OS_FOO the same22:46
stevemarzigo: dupe of https://bugs.launchpad.net/devstack/+bug/1549095 ?22:51
openstackLaunchpad bug 1549095 in Ironic "devstack fails while running Ironic grenade job: init__() got an unexpected keyword argument 'token'" [High,In progress] - Assigned to John L. Villalovos (happycamp)22:51
*** browne has quit IRC22:55
ctraceyfor those federation folks...any thought given to supporting OR logic in remote mappings?22:57
ctraceyright now all the remote mappings need to be true for the mapping to occur22:58
*** bjornar has quit IRC23:01
openstackgerritColleen Murphy proposed openstack/keystone: Update developer docs for bootstrap command  https://review.openstack.org/29089723:01
*** lunarlamp is now known as mariusv23:01
« Tuesday, 2016-03-08 Index Thursday, 2016-03-10 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!