Tuesday, 2016-04-05

ayoungagrebennikov, I just know that value is needed for ECP. I'd have to look in the client code to see how it is used...00:00
ayoungI can point you at the right place...one sec00:00
ayoungagrebennikov, I know at one time all the SAML stuff was moving to a separate repo, but I don't think that happened.00:02
ayoungagrebennikov, Ah00:02
ayoungagrebennikov, do you have that?00:02
ayoungOk...I need to go back into family mode00:03
agrebennikovwow.... seems I'll sink there))00:03
*** jasonsb has joined #openstack-keystone00:03
openstackgerritRodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree  https://review.openstack.org/30139800:03
rodrigodsayoung, stevemar, dstanek ^ boom!00:04
rodrigodsadded a topic to tomorrow's meeting about that00:04
ayoung+6794, -400:04
ayoungrodrigods, that is huge00:05
rodrigodsayoung, more than huge i'd say00:05
*** mylu has quit IRC00:05
ayoungrodrigods, reinforces that I want it in a separate repo. I wonder if we could do some git magic, like a subrepo00:05
*** henrynash has quit IRC00:06
rodrigodsayoung, that might work? never saw something like that in openstack though00:06
ayoungrodrigods, can't think about it right now,...but good work.00:06
rodrigodsayoung, it is just a migration and some docs/pep8 fixes :P00:07
rodrigodslet's see what ppl will think about it tomorrow00:07
*** mylu has joined #openstack-keystone00:09
*** markvoelker has quit IRC00:12
*** mylu has quit IRC00:14
*** markvoelker has joined #openstack-keystone00:16
*** pushkaru has joined #openstack-keystone00:19
*** mylu has joined #openstack-keystone00:26
*** phalmos has quit IRC00:38
*** jamielennox|away is now known as jamielennox00:41
dolphmjamielennox: o/ wanted to catch up with you on https://review.openstack.org/#/c/245629/00:47
patchbotdolphm: patch 245629 - openstack-specs - A common policy scenario across all projects00:47
*** lhcheng has quit IRC00:48
*** mylu has quit IRC00:48
jamielennoxdolphm: yea, i'm here00:49
jamielennoxdolphm: and i thought you would have opinions on that :000:49
dolphmjamielennox: well, i posted a pretty substantial revision and you squashed it with patchset 7 :P00:49
jamielennoxdolphm: basically i simplified the crap out of it to get it passed00:49
jamielennoxdolphm: i did?00:49
dolphmjamielennox: but it looks like your rev was substantial too00:50
dolphmjamielennox: yes - we both uploaded simplified versions00:50
agrebennikovayoung, so do I have to go bother steve with my issue? (sorry)00:50
dolphmjamielennox: i'm planning to combine both our efforts with another patchset, but didn't want to get started on that before you reviewed my changes as well00:50
jamielennoxdolphm: it's been sitting there for weeks untouched - we timed it well00:50
dolphmjamielennox: ++00:50
dolphmjamielennox: i proposed a cross-project session on the topic00:51
jamielennoxdolphm: yea, i was thinking of that as well00:51
dolphmjamielennox: nova has a similar cross-project spec up as well00:51
dolphmjamielennox: no worries, i put your name on the list of presenters or whatever :P00:51
jamielennoxdolphm: do you know the nova spec url?00:52
dolphmjamielennox: i can find it00:52
dolphmjamielennox: one sec00:52
dolphmjamielennox: https://review.openstack.org/#/c/290155/00:52
patchbotdolphm: patch 290155 - nova-specs - Embed policy defaults in code00:52
dolphmjamielennox: different solution, overlapping problem description00:53
jamielennoxdolphm: yea, not directly related but relevant. having read only the first paragraph or two it would seem to be an oslo.policy spec00:54
dolphmjamielennox: except, the intent is to have all services conform00:55
dolphmjamielennox: so it was discussed as a nova spec, and then proposed as a cross-project spec00:55
jamielennoxdolphm: ayoung and i have had discussions about something along this line as well00:55
jamielennoxpartially at the tokyo00:56
dolphmjamielennox: moving to conf, specifically?00:56
jamielennoxno, but separating what is and is not configurable policy00:56
jamielennoxlike project scoping is not something you should be able to unconfigure00:56
dolphmjamielennox: ++00:56
dolphmjamielennox: overall, moving things to conf is something i'm interested in thought experimenting with at least00:57
jamielennoxdolphm: yep, it seems to me a start of this would be to be able to generate the policy.json files in the same way we generate oslo.config files00:57
dolphmjamielennox: that was exactly johnthetubaguy's thought00:58
jamielennoxand then specify like an overlay config00:58
dolphmjamielennox: makes total sense to me00:58
dolphmjamielennox: and that's the spec lol00:58
jamielennoxoh, right00:58
jamielennoxwell then yes, that's a good cross-project thing to have i'd be interested in being a part of00:58
jamielennoxbut they should absolutely not be the same session00:59
dolphmjamielennox: so, the thought was to create a long-term, cross-project backlog spec for all our issues with policy, and then add these specific changes of direction as 'sub-tasks', so to speak00:59
*** sdake has joined #openstack-keystone00:59
*** mylu has joined #openstack-keystone00:59
dolphmjamielennox: it's a big topic, for sure, but i can't imagine we'll be able to accomplish more than a session's worth of policy in one cycle, so ... prioritize, have one session, and push hard on the result?01:00
*** mylu has quit IRC01:00
jamielennoxdolphm: at least my policy spec (i haven't read your update yet - multitasking poorly) is i'm hoping a fairly simple change that doesn't actually require code change01:01
jamielennoxit's a community thing or something01:01
jamielennoxbut then the only debate i'm aware of on the cross-project thing is you and me as to how far it should go01:02
jamielennoxeveryone else is on board other than wording01:02
*** mylu has joined #openstack-keystone01:02
dolphmjamielennox: well, we both worked to reduce the number of proposed roles01:02
dolphmjamielennox: but ended up with a different result01:02
jamielennoxso yea, i think the nova thing is the big push for next cycle01:02
dolphmjamielennox: i was hoping to sync up with you on that today as well01:02
*** mylu has quit IRC01:04
*** mylu has joined #openstack-keystone01:04
*** mylu has quit IRC01:08
jamielennoxdolphm: so just checking i haven't missed anything - the change in the patchset you uploaded is around using global_admin and global_observer and removing the capability roles01:09
dolphmjamielennox: pretty much01:09
dolphmjamielennox: i'm not 100% sold on renaming one of the two core roles we have, but i do like explicit01:10
jamielennoxdolphm: so i popped up on irc and was talking to people - when we first proposed this the is_admin_project stuff wasn't merged01:10
dolphmjamielennox: yeah, that's complicating it01:10
dolphmjamielennox: also 'cloud_admin' makes it complicated to implement in the v3 policy file01:10
jamielennoxif we assume that people configure is_admin_project (and that's difficult because i don't see how we do that in a backwards compatible way) it simplifies the project or global scoping of much of this01:11
*** mylu has joined #openstack-keystone01:15
*** mylu has quit IRC01:19
*** spandhe has quit IRC01:20
*** EinstCrazy has joined #openstack-keystone01:23
*** mylu has joined #openstack-keystone01:24
*** dan_nguyen has quit IRC01:26
*** pushkaru has quit IRC01:26
*** mylu has quit IRC01:35
*** jamielennox is now known as jamielennox|away01:41
*** jamielennox|away is now known as jamielennox01:44
*** wwriverrat has quit IRC01:47
*** wwriverrat has joined #openstack-keystone01:47
*** mylu has joined #openstack-keystone01:53
*** mylu has quit IRC01:55
*** pushkaru has joined #openstack-keystone01:56
*** mylu has joined #openstack-keystone01:57
*** mylu has quit IRC01:59
openstackgerritLi Yingjun proposed openstack/keystone: Fix KeyError when rename to a name is already in use  https://review.openstack.org/30141802:11
*** alex_xu has quit IRC02:13
*** alex_xu has joined #openstack-keystone02:16
*** EinstCra_ has joined #openstack-keystone02:17
*** raildo has quit IRC02:19
*** EinstCrazy has quit IRC02:20
*** pushkaru has quit IRC02:24
*** mylu has joined #openstack-keystone02:25
*** woodster_ has quit IRC02:37
*** mylu has quit IRC02:37
*** mylu has joined #openstack-keystone02:43
*** mylu has quit IRC02:44
*** nkinder has quit IRC02:48
*** nkinder has joined #openstack-keystone02:52
*** lhcheng has joined #openstack-keystone02:52
*** ChanServ sets mode: +v lhcheng02:52
*** spandhe has joined #openstack-keystone02:53
*** ankur has joined #openstack-keystone03:00
*** tqtran has quit IRC03:01
*** sdake has quit IRC03:02
*** kalaswan has joined #openstack-keystone03:03
*** fawadkhaliq has joined #openstack-keystone03:06
*** sekrit has joined #openstack-keystone03:11
*** fawadkhaliq has quit IRC03:12
*** EinstCra_ is now known as EinstCrazy03:12
*** fawadkhaliq has joined #openstack-keystone03:13
*** alex_xu has quit IRC03:18
*** alex_xu has joined #openstack-keystone03:20
*** woodster_ has joined #openstack-keystone03:21
*** fawadkhaliq has quit IRC03:21
*** fawadkhaliq has joined #openstack-keystone03:22
*** fawadkhaliq has quit IRC03:22
*** fawadkhaliq has joined #openstack-keystone03:22
*** agrebennikov has quit IRC03:24
ayoungdolphm, jamielennox I like what you are both proposing.  I think we are getting close.03:27
*** diazjf has joined #openstack-keystone03:28
jamielennoxayoung: yea, i think it's just figuring out the names and stuff now and how much we rely on the is_admin_project03:28
*** diazjf has quit IRC03:28
ayoungis_admin_project is going to be painful to merge in, acknowledged. I'm working right now with Tripleo to see what we can do with policy03:28
*** mylu has joined #openstack-keystone03:28
ayoungand puppet managed files03:28
ayoungI think it is going to be one of those transition things:03:29
ayoungwe get an alternative policy file, use that for an iteration or two, and then make it default, for each of the projects03:29
ayoungwhich is why your current effort is good;  better to do this once03:29
ayoungso is_admin_project and implied roles are tools to make this easier.03:29
ayoungUse them if they make sense..03:30
*** mylu has quit IRC03:30
*** spandhe_ has joined #openstack-keystone03:30
*** spandhe has quit IRC03:31
*** spandhe_ is now known as spandhe03:31
ayoungjamielennox, python question.  I'm trying to unify @controller.protected and @controller.filterprotected   http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n11003:34
ayoungand I'm trying to figure out how to get the params to be sane03:34
ayoungfilterprotected does:03:34
ayoung@controller.filterprotected('domain_id', 'enabled', 'name')03:34
jamielennoxayoung: yea, we are going to need some way per project to specify whether it should expect is_admin_project03:34
jamielennoxbecause we can't know ahead of time whether they are using that or not03:35
ayoungand the issue with @controller.protected is the callback03:35
ayounga named parameter always has to come before a *args param, right?03:35
ayoungso I can't do03:35
ayoungoh wait03:36
jamielennoxergh, i've attempted that cleanup before, it's not fun03:36
ayoungdef filterprotected(*filters, **callback):03:36
ayoungso in that case...what happens if someone calls03:36
jamielennoxi don't **callback is weird there03:37
ayoungthere would be nothing in *filters, right?03:37
jamielennox**callback doesn't mean callback=XXX03:37
jamielennoxor i've never seen it used like that03:37
ayoungright it is like03:37
ayoungcallback['callback'] = _check_user_and_group_protection03:38
ayoungcan I do03:38
ayoung@controller.protected(callback=None, *filters)  ?03:39
*** links has joined #openstack-keystone03:39
ayounghow about03:40
ayoungdef filterprotected(*filters, callback=None):03:40
ayoungthat should be OK, no?03:40
ayounginvalid syntax03:41
ayoungthe thing is, we don't actually have any combination of filterprotected and callback.  I'm guessing henry put that in for completeness03:41
ayoungI'm so damn close here...and I want to go to bed but finish this first03:42
jamielennoxno, not in py203:43
jamielennoxyou pretty much have to do *args, **kwargs and then interpret it manually03:43
ayoungjamielennox, I think this is a better approach:  def filterprotected(filters=None, callback=None):   and then convert the calls to filterprotected(filters=[one,two,three])03:43
jamielennoxalthough positional() might give you something there03:43
ayoungwhat do you think of ^^03:43
jamielennoxi think it's fine03:44
ayoungOK..let me do that.  That unifies the interface03:44
*** prosun has joined #openstack-keystone03:46
*** dan_nguyen has joined #openstack-keystone03:47
*** alex_xu has quit IRC03:58
*** tqtran has joined #openstack-keystone03:59
*** alex_xu has joined #openstack-keystone04:01
*** tqtran has quit IRC04:03
prosunHow can I change my keystone configuration to use Identity API version  V2.0?  I am using devstack. I updated  IDENTITY_API_VERSION:-2.0 from 3 in my openrc file (i was using version 3). I then source the openrc file (using command source openrc admin admin).   I was expecting that it changes my local environment variable OS_IDENTITY_API_VERSION to 2.0. and by default use V2.0.  But it does not.   Anything else I need to04:05
*** dave-mccowan has quit IRC04:07
openstackgerritayoung proposed openstack/keystone: Extract enforcement logic to its own method  https://review.openstack.org/27926304:09
*** dan_nguyen has quit IRC04:11
*** wwriverrat has quit IRC04:15
*** Nirupama has joined #openstack-keystone04:19
jamielennoxprosun: what variables does that end up setting?04:31
jamielennoxlike: env | grep OS_04:31
*** mylu has joined #openstack-keystone04:37
*** spandhe has quit IRC04:41
stevemarprosun: if you are source'ing openrc at the end, you are likely over-riding the work you did setting your version to 204:42
* stevemar waves at jamielennox: 04:42
*** spandhe has joined #openstack-keystone04:42
jamielennoxstevemar: howdy04:43
jamielennoxstevemar: hey - you think anyone uses the ENV cache thing in auth_token?04:43
jamielennoxsomething something swift right?04:44
notmynamewhat's the ENV cache thing? is that where we use the cache callback in the wsgi env?04:45
notmynameIIRC keystone middleware uses one if it's provided already04:45
stevemarnotmyname: jamielennox: yeah, not entirely what you're referring to, link?04:46
stevemarthis thing? https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_cache.py#L42-L5104:47
*** GB21 has joined #openstack-keystone04:49
*** spzala has quit IRC04:49
*** GB21 has quit IRC04:53
*** mylu has quit IRC05:00
*** tqtran has joined #openstack-keystone05:00
*** tqtran has quit IRC05:04
*** dave-mccowan has joined #openstack-keystone05:05
*** dave-mcc_ has joined #openstack-keystone05:07
*** mylu has joined #openstack-keystone05:07
*** dave-mccowan has quit IRC05:10
*** GB21 has joined #openstack-keystone05:12
*** rk4n has joined #openstack-keystone05:22
*** rk4n has quit IRC05:23
*** rk4n has joined #openstack-keystone05:24
*** jamielennox is now known as jamielennox|away05:27
*** rk4n has quit IRC05:29
*** markvoelker has quit IRC05:30
*** mylu has quit IRC05:31
*** dave-mcc_ has quit IRC05:31
*** richm has quit IRC05:35
*** EinstCra_ has joined #openstack-keystone05:38
*** EinstCrazy has quit IRC05:41
*** spzala has joined #openstack-keystone05:50
*** rcernin has joined #openstack-keystone05:51
*** spzala has quit IRC05:56
*** furface has quit IRC05:56
*** josecastroleon has joined #openstack-keystone06:00
*** fawadkhaliq has quit IRC06:02
*** vgridnev has joined #openstack-keystone06:08
*** lhcheng has quit IRC06:10
*** rdo has quit IRC06:12
*** spandhe has quit IRC06:12
morganstevemar: oh huh06:15
morganwhoa i see notmyname in this channel06:15
*** henrynash has joined #openstack-keystone06:18
*** ChanServ sets mode: +v henrynash06:18
*** henrynash has quit IRC06:29
*** henrynash has joined #openstack-keystone06:30
*** ChanServ sets mode: +v henrynash06:30
*** markvoelker has joined #openstack-keystone06:31
*** furface has joined #openstack-keystone06:40
*** naresht has joined #openstack-keystone06:43
*** vgridnev has quit IRC06:47
*** spzala has joined #openstack-keystone06:52
*** GB21 has quit IRC06:56
*** spzala has quit IRC06:56
*** henrynash has quit IRC07:02
*** markvoelker has quit IRC07:06
*** jaosorior has joined #openstack-keystone07:21
openstackgerritLi Yingjun proposed openstack/keystone: Fix KeyError when rename to a name is already in use  https://review.openstack.org/30141807:29
openstackgerritLi Yingjun proposed openstack/keystone: Fix KeyError when rename to a name is already in use  https://review.openstack.org/30141807:33
*** pcaruana has joined #openstack-keystone07:37
*** sheel has joined #openstack-keystone07:38
*** lhcheng has joined #openstack-keystone07:43
*** ChanServ sets mode: +v lhcheng07:43
*** jistr has joined #openstack-keystone07:44
*** jaosorior has quit IRC07:46
*** jaosorior has joined #openstack-keystone07:47
*** spzala has joined #openstack-keystone07:53
*** furface has quit IRC07:54
*** lhcheng has quit IRC07:54
*** furface has joined #openstack-keystone07:56
*** spzala has quit IRC07:57
*** tqtran has joined #openstack-keystone08:01
*** jistr has quit IRC08:01
*** jistr has joined #openstack-keystone08:01
*** markvoelker has joined #openstack-keystone08:02
*** GB21 has joined #openstack-keystone08:05
*** tqtran has quit IRC08:05
*** mvk_ has quit IRC08:19
*** daemontool has joined #openstack-keystone08:31
*** nisha_ has joined #openstack-keystone08:34
*** markvoelker has quit IRC08:35
*** chlong has quit IRC08:35
*** nisha_ has quit IRC08:36
*** e0ne has joined #openstack-keystone08:37
bretonbug 1566188 looks to me as invalid08:38
openstackbug 1566188 in OpenStack Identity (keystone) "keystone client reports 500 error if database service is not running" [Undecided,New] https://launchpad.net/bugs/1566188 - Assigned to Mark (rocky-asdf)08:38
*** rdo has joined #openstack-keystone08:38
*** mvk_ has joined #openstack-keystone08:45
*** spzala has joined #openstack-keystone08:54
*** kalaswan has quit IRC08:55
*** furface has quit IRC08:56
*** woodster_ has quit IRC08:57
*** spzala has quit IRC09:00
*** rk4n has joined #openstack-keystone09:03
*** rk4n has quit IRC09:07
*** rk4n has joined #openstack-keystone09:12
*** rk4n has quit IRC09:13
*** GB21 has quit IRC09:15
*** EinstCrazy has joined #openstack-keystone09:23
*** EinstCra_ has quit IRC09:26
*** GB21 has joined #openstack-keystone09:32
*** markvoelker has joined #openstack-keystone09:32
*** GB21 has quit IRC09:56
*** spzala has joined #openstack-keystone09:58
*** spzala has quit IRC10:03
*** markvoelker has quit IRC10:06
*** rk4n has joined #openstack-keystone10:08
*** richm has joined #openstack-keystone10:08
*** EinstCrazy has quit IRC10:14
*** EinstCrazy has joined #openstack-keystone10:14
*** EinstCrazy has quit IRC10:18
*** rk4n has quit IRC10:21
*** jsheeren has joined #openstack-keystone10:23
bretonyay, https://review.openstack.org/#/c/292894/10:29
patchbotbreton: patch 292894 - openstack-infra/project-config - Changing gate on devstack identity v3 only voting (MERGED)10:29
*** spzala has joined #openstack-keystone10:59
*** sdake has joined #openstack-keystone11:00
*** furface has joined #openstack-keystone11:03
*** markvoelker has joined #openstack-keystone11:03
*** spzala has quit IRC11:04
*** tellesnobrega is now known as tellesnobrega_af11:16
*** jsheeren has quit IRC11:17
*** rk4n has joined #openstack-keystone11:25
*** rk4n has quit IRC11:29
*** rodrigods has quit IRC11:32
*** rodrigods has joined #openstack-keystone11:32
*** rk4n has joined #openstack-keystone11:35
*** trown|outtypewww is now known as trown11:35
*** markvoelker has quit IRC11:35
*** mvk_ has quit IRC11:35
*** rk4n has quit IRC11:41
*** rk4n has joined #openstack-keystone11:47
*** mvk_ has joined #openstack-keystone11:48
*** raildo-afk is now known as raildo11:54
*** sdake_ has joined #openstack-keystone11:54
*** sdake has quit IRC11:55
*** spzala has joined #openstack-keystone12:00
*** spzala has quit IRC12:06
*** rk4n has quit IRC12:10
*** rk4n has joined #openstack-keystone12:11
*** Nirupama has quit IRC12:15
*** rk4n has quit IRC12:16
morganOh nice ^12:16
*** EinstCrazy has joined #openstack-keystone12:20
*** markvoelker has joined #openstack-keystone12:26
*** rk4n has joined #openstack-keystone12:32
*** edmondsw has joined #openstack-keystone12:35
*** ankur has quit IRC12:41
*** gordc has joined #openstack-keystone12:46
openstackgerritRodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree  https://review.openstack.org/30139812:53
*** rk4n has quit IRC12:55
samueldmqdstanek: bknudson: rodrigods: I wonder if such tests ^ could be rewritten in an agnostic way12:56
samueldmqso that we could use them for both tempest and our local functional tests12:56
samueldmqmuch easier now they will be under /keystone12:56
*** rk4n has joined #openstack-keystone12:56
edmondswis there any way to have policy.json check that a query param was NOT specified?12:56
*** sdake_ has quit IRC12:57
samueldmqedmondsw: I think so, let me check12:57
dstaneksamueldmq: maybe, but i'd almost rather see v3 tests move there and only run them through tempest and leave the unit tests to keystone12:57
edmondswsamueldmq thanks!12:57
dstanektoo many ways to do the same thing is confusing12:57
rodrigodssamueldmq, dstanek correct... the tests are only run via tempest12:58
samueldmqedmondsw: yes there is https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L68-L7212:58
rodrigodsyou can't run them using "only" keystone12:58
edmondswsamueldmq I don't think that'll do what I'm looking for12:58
samueldmqdstanek: I agree, but I thought we had an agreement at some point to make it possible to run the tests locally too12:59
samueldmqrodrigods: ^12:59
dstaneksamueldmq: why can't you run tempest test locally?12:59
samueldmqdstanek: is it possible to run those tests against keystone using tox ?13:00
edmondswsamueldmq I want to check that someone didn't specify a domain_id query param... and "not domain_id:%(domain_id)s" wouldn't do that... I assume I can't just say "not domain_id" but maybe I can?13:00
rodrigodssamueldmq, dstanek they are all integration13:00
rodrigodsneed a running cloud/devstack to run them13:00
dstaneksamueldmq: not sure, but to me that's not really all that useful. i just want the tests.13:01
samueldmqedmondsw: maybe, worth it to try13:01
*** spzala has joined #openstack-keystone13:01
dstaneksamueldmq: my opinion on how to do this has been shifting as the QA group has been adding tools to make it easier13:01
samueldmqedmondsw: just be careful, I don't remember exactly if the query param comes in the first domain_id or in %(domain_id)s13:02
rodrigodsyes... they continue to be "tempest tests", but they are located in the interested components13:02
rodrigodsthe main idea is like: to not run keystone crud tests in nova13:02
samueldmqokay, looks like what's in my mind is some old idea13:02
samueldmqalthough it would be lovely if we could run them locally using tox :)13:03
rodrigodssamueldmq, it may be possible though, but need some work to make it happen (like... setting up an env before the run)13:04
rodrigodsbut there is something that can improve a lot keystone testing, that is requiring the integration test as we currently require the unit ones13:05
rodrigodssince the tests are in our tree13:05
edmondswsamueldmq, hey, "not domain_id" actually did work... tx!13:05
samueldmqedmondsw: nice! glad to know, welcome13:05
samueldmqrodrigods: yes, lots of things will be improved now13:06
samueldmqas now we're the ones taking care of them13:06
samueldmqI mean, it is under our repository :13:06
*** pauloewerton has joined #openstack-keystone13:07
samueldmqbknudson: dstanek: have you heard about bindep?13:07
*** spzala has quit IRC13:07
rodrigodssamueldmq, ++13:08
samueldmq#link https://github.com/openstack-infra/bindep13:08
samueldmqit takes care of installing system dependencies13:08
samueldmqthe idea is that we have an other-requirements.txt file specifying such requirements13:09
samueldmqand then : `sudo [apt-get | yum] install $(bindep -b)`13:09
samueldmqit's an openstack tool, which makes set up environments go smoothly13:10
edmondswsamueldmq, well, I take that back... I don't think it's working after all13:10
samueldmqedmondsw: :(13:10
edmondswjust always passes13:10
samueldmqedmondsw: what exactly do you want to do ?13:11
*** mkoderer__ has joined #openstack-keystone13:24
*** wanghua has joined #openstack-keystone13:24
*** mnaser has joined #openstack-keystone13:24
*** raginbajin has joined #openstack-keystone13:24
*** haneef has joined #openstack-keystone13:24
*** zhiyan has joined #openstack-keystone13:24
*** toddnni has joined #openstack-keystone13:24
*** rha has joined #openstack-keystone13:24
*** sigmavirus24_awa has joined #openstack-keystone13:24
*** jasondotstar has joined #openstack-keystone13:24
*** mfisch has joined #openstack-keystone13:24
*** adam_g has joined #openstack-keystone13:24
*** wolfe.freenode.net sets mode: +ovv stevemar dstanek bknudson13:24
*** kfox1111 has joined #openstack-keystone13:24
*** ryanpetrello has joined #openstack-keystone13:24
*** gsilvis_ has joined #openstack-keystone13:24
*** hockeynut has joined #openstack-keystone13:24
*** Nakato has joined #openstack-keystone13:24
*** lifeless has joined #openstack-keystone13:24
*** pumaranikar has joined #openstack-keystone13:24
*** martinus__ has joined #openstack-keystone13:24
*** lmiccini has joined #openstack-keystone13:24
*** amakarov has joined #openstack-keystone13:24
*** flaper87 has joined #openstack-keystone13:24
*** afazekas has joined #openstack-keystone13:24
*** ctracey has joined #openstack-keystone13:24
*** DuncanT has joined #openstack-keystone13:24
*** clayton has joined #openstack-keystone13:24
*** smurke has joined #openstack-keystone13:24
*** odyssey4me has joined #openstack-keystone13:24
*** hughsaunders has joined #openstack-keystone13:24
*** brad[] has joined #openstack-keystone13:24
*** dobson has joined #openstack-keystone13:24
*** tristanC has joined #openstack-keystone13:24
*** zeus has joined #openstack-keystone13:24
*** dancn has joined #openstack-keystone13:24
*** dolphm has joined #openstack-keystone13:24
*** mordred has joined #openstack-keystone13:24
*** dansmith has joined #openstack-keystone13:24
*** rmstar has joined #openstack-keystone13:24
*** ekarlso- has joined #openstack-keystone13:24
*** boris-42 has joined #openstack-keystone13:24
*** yarkot has joined #openstack-keystone13:24
*** BAKfr has joined #openstack-keystone13:24
*** _fortis has joined #openstack-keystone13:24
*** huats_ has joined #openstack-keystone13:24
*** andreaf has joined #openstack-keystone13:24
*** lbragstad has joined #openstack-keystone13:24
*** raildo has joined #openstack-keystone13:24
*** bradjones has joined #openstack-keystone13:24
*** lupine has joined #openstack-keystone13:24
*** anteaya has joined #openstack-keystone13:24
*** ianw has joined #openstack-keystone13:24
*** johnthetubaguy has joined #openstack-keystone13:24
*** trown has joined #openstack-keystone13:24
*** lunarlamp has joined #openstack-keystone13:24
*** timburke has joined #openstack-keystone13:24
*** EmilienM has joined #openstack-keystone13:24
*** wolfe.freenode.net sets mode: +o dolphm13:24
*** andreykurilin__ has joined #openstack-keystone13:24
*** trey has joined #openstack-keystone13:24
*** gerhardqux has joined #openstack-keystone13:24
*** med_ has joined #openstack-keystone13:24
*** kragniz has joined #openstack-keystone13:24
*** DinaBelova has joined #openstack-keystone13:24
*** wolsen has joined #openstack-keystone13:24
*** frickler has joined #openstack-keystone13:24
*** Dave has joined #openstack-keystone13:24
*** breton has joined #openstack-keystone13:24
*** john5223 has joined #openstack-keystone13:24
*** briancurtin has joined #openstack-keystone13:24
*** navidp has joined #openstack-keystone13:24
*** errr has joined #openstack-keystone13:24
*** SpamapS has joined #openstack-keystone13:24
*** kevinbenton has joined #openstack-keystone13:24
*** crinkle has joined #openstack-keystone13:24
*** skoude has joined #openstack-keystone13:24
*** boltR has joined #openstack-keystone13:24
*** opilotte- has joined #openstack-keystone13:24
*** zigo has joined #openstack-keystone13:24
*** mc_nair has joined #openstack-keystone13:24
*** x58 has joined #openstack-keystone13:24
*** jidar has joined #openstack-keystone13:24
*** tellesnobrega_af has joined #openstack-keystone13:24
*** morgan has joined #openstack-keystone13:24
*** SamYaple has joined #openstack-keystone13:24
*** freerunner has joined #openstack-keystone13:24
*** htruta has joined #openstack-keystone13:24
*** sshen has joined #openstack-keystone13:24
*** ChanServ has joined #openstack-keystone13:24
*** wolfe.freenode.net sets mode: +oo morgan ChanServ13:24
*** jraim has quit IRC13:24
*** jraim has joined #openstack-keystone13:24
* breton shrugs13:24
*** openstackstatus has quit IRC13:24
*** mgagne_ has quit IRC13:24
*** mgagne_ has joined #openstack-keystone13:24
bretonmaybe this is the wrong place to add my tests13:24
breton(and a bunch of not my tests should be moved out of there too)13:25
bretonlooks like it.13:26
*** openstackstatus has joined #openstack-keystone13:26
*** ChanServ sets mode: +v openstackstatus13:26
*** agireud has joined #openstack-keystone13:27
*** ericksonsantos has joined #openstack-keystone13:28
dstanekbreton: which ones?13:28
*** ayoung has joined #openstack-keystone13:29
*** ChanServ sets mode: +v ayoung13:29
*** cloudnull has joined #openstack-keystone13:29
bretondstanek: test_shadow_federated_user. I will propose a patch to move it.13:29
*** edmondsw has joined #openstack-keystone13:29
dstanekbreton: why should it be moved?13:30
*** jsavak has joined #openstack-keystone13:31
bretondstanek: because all tests there are REST tests13:31
bretondstanek: and test_shadow_federated_user tests the manager13:31
dstanekbreton: yep, those should definitely be moved :-) feel free to add me to the review so i can star it13:32
*** mylu has joined #openstack-keystone13:33
rodrigodsdstanek, btw... are you in favor of this patch: https://review.openstack.org/#/c/301398/13:33
patchbotrodrigods: patch 301398 - keystone - Migrate tempest tests into keystone tree13:33
*** tqtran has joined #openstack-keystone13:33
rodrigodsthis seems to be common direction among the projects13:34
dstanekrodrigods: is that what was discussed in the QA meeting 2 weeks ago?13:34
rodrigodsdstanek, yes13:35
*** links has quit IRC13:35
rodrigodsnext step is to have this merged: https://review.openstack.org/#/c/298696/13:35
patchbotrodrigods: patch 298696 - openstack-infra/project-config - Enable non-voting keystone tempest plugin tests13:35
rodrigodsobserve its stability, make it voting and remove keystone API tests from tempest tree13:36
*** rk4n has quit IRC13:36
dstanekrodrigods: then yes i'm for it, i haven't looked at your specific patch just yet13:37
rodrigodsdstanek, np, thanks13:37
rodrigodsi added a topic for today's meeting to check other opinions as well13:37
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/30062613:37
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/30076413:37
*** tqtran has quit IRC13:38
*** rk4n has joined #openstack-keystone13:38
*** jsavak has quit IRC13:41
*** sheel has quit IRC13:41
*** jsavak has joined #openstack-keystone13:42
*** ametts has joined #openstack-keystone13:42
*** spzala has quit IRC13:43
*** anush_ has joined #openstack-keystone13:45
*** rderose has joined #openstack-keystone13:46
*** gordc has quit IRC13:50
openstackgerritRodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree  https://review.openstack.org/30139813:53
*** sigmavirus24_awa is now known as sigmavirus2413:56
*** gordc has joined #openstack-keystone13:57
*** rk4n has quit IRC13:57
openstackgerritRodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree  https://review.openstack.org/30139813:58
*** spzala has joined #openstack-keystone13:58
*** rk4n has joined #openstack-keystone14:01
*** pushkaru has joined #openstack-keystone14:02
*** BlackDex_ is now known as BlackDex14:02
openstackgerritRodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree  https://review.openstack.org/30139814:03
*** knikolla has joined #openstack-keystone14:03
*** pushkaru has quit IRC14:04
*** pushkaru has joined #openstack-keystone14:04
*** jsavak has quit IRC14:08
*** slberger has joined #openstack-keystone14:08
*** jsavak has joined #openstack-keystone14:09
samueldmqdo we have tests for the abstract drivers ? (not the ones using the apis, just the drivers instead)14:12
samueldmqI wrote some of those tests in patch 212957 and patch 21200614:12
patchbotsamueldmq: https://review.openstack.org/#/c/212957/ - keystone - Create unit tests for the policy drivers14:12
patchbotsamueldmq: https://review.openstack.org/#/c/212006/ - keystone - Create unit tests for endpoint policy drivers14:12
samueldmqI wonder where I should place them14:13
*** rderose has quit IRC14:13
*** mylu has quit IRC14:13
*** mylu has joined #openstack-keystone14:14
*** sdake has joined #openstack-keystone14:15
*** mylu has quit IRC14:18
morgandstanek: in tests caching is on by default. If the test is failing with caching on, the code is not cache compatible (failing to invalidate, etc)14:21
morganbreton: ^cv14:21
morganOr the test is making a bad assumption14:21
morganBut we only cache @memoize decorated functions14:22
dstanekmorgan: that's super odd for unit tests14:22
morganIt was needed at the time/still is or people write cache incompatible code14:23
morganWe would need to run tests twice, with/without cache14:23
morganIt was safer to run with cache, as that is the harder case, without cache it is noop, basically invalidates don't matter14:24
morganBut this is also because our unit tests aren't really unit tests14:24
*** mylu has joined #openstack-keystone14:25
morganThey are more "functional"14:25
dstanekunit tests shouldn't be testing caching. that's very strange because changing fixture won't change the returned data?14:25
rodrigodswhat are the keystone* ppl that have experience in creating gate jobs?14:25
morganrodrigods: Brant, myself, Steve, Dolph, and jamielennox|away . not sure who else for sure. But I am sure there are more.14:26
dstanekmorgan: maybe in our v3 tests i can see caching being on, but not for unit tests14:26
rodrigodsmorgan, thanks, will add you to https://review.openstack.org/#/c/298696/14:26
patchbotrodrigods: patch 298696 - openstack-infra/project-config - Enable non-voting keystone tempest plugin tests14:26
bretonmorgan: we have "get-or-create" functions. Is it ok that they are cached?14:26
*** tellesnobrega_af is now known as tellesnobrega14:27
knikolladstanek, are you still working on this? https://review.openstack.org/#/c/151310/14:27
patchbotknikolla: patch 151310 - keystone - adds a devstack plugin for running a pysaml2 IdP14:27
morgandstanek: iirc we have caching defaulted to on in our tests. At least we did.14:27
morganbreton: it should be OK. Doesn't mean it is correct to be cached.14:28
morganAs dstanek is highlighting.14:28
dstanekknikolla: sorta, before my vacation i was experimenting with another way to do it14:28
dstanekknikolla: did you have an interest in that?14:29
*** naresht has quit IRC14:29
*** rk4n has quit IRC14:29
rodrigodsdstanek, another possibility for these tests is to add the infra and run them using our tempest plugins14:31
dstanekrodrigods: what tests?14:31
rodrigodsdstanek, federation related14:32
knikolladstanek, yeah. we want to setup a federation gate.14:32
rodrigodsknikolla, ^ talking about that?14:32
knikollarodrigods, yeah14:32
dstanekrodrigods: those reviews are to setup the infra14:33
dstanekknikolla: i don't think the pysaml idp was working all that well14:33
dstanekdefinitely not a good long term thing14:33
dstanekbut it was cheap and easy14:33
rodrigodsdstanek, i know... but the federation gate idea is to have something definitive using the recommended tools14:34
rodrigodslike shib and mellon14:34
rodrigodsand for gate jobs, it is to run the tests using the tempest code14:34
dstanekrodrigods: i'm fine with that14:35
rodrigodsdstanek, knikolla cool, we just need to sync the efforts :)14:35
knikolladstanek, rodrigods: wanna start an etherpad?14:36
rodrigodsknikolla, ++14:36
rodrigodsknikolla, going to Austin? this is something we can discuss there too14:36
rodrigodsdstanek, you are going, right?14:37
knikollarodrigods, yeah, i'll be there.14:37
dstanekyes, i'll be there14:37
*** _d34dh0r53_ is now known as d34dh0r5314:39
knikollarodrigods, dstanek: https://etherpad.openstack.org/p/Keystone-Federation-Testing14:40
knikollai'm all new to this etherpad thing14:40
rodrigodswe can add this link to keystone's etherpad too14:41
rodrigodsthe summit etherpad i mean, let me try to find it14:41
*** Don_Nalezyty has joined #openstack-keystone14:42
knikollarodrigods, https://etherpad.openstack.org/p/keystone-newton-summit-brainstorm14:42
rodrigodsknikolla, thanks14:43
*** spandhe has joined #openstack-keystone14:45
knikollamylu, ping14:46
myluknikolla: ?14:46
*** sheel has joined #openstack-keystone14:49
*** rderose has joined #openstack-keystone14:53
*** sdake_ has joined #openstack-keystone14:54
*** josecastroleon has quit IRC14:54
*** mylu has quit IRC14:57
*** sdake has quit IRC14:57
*** ametts has quit IRC15:00
*** mkoderer__ has quit IRC15:02
*** mylu has joined #openstack-keystone15:03
*** pcaruana has quit IRC15:06
*** tellesnobrega is now known as tellesnobrega_af15:06
*** markvoelker has quit IRC15:12
*** markvoelker has joined #openstack-keystone15:13
*** ametts has joined #openstack-keystone15:14
*** phalmos has joined #openstack-keystone15:14
*** links has joined #openstack-keystone15:14
*** mkoderer__ has joined #openstack-keystone15:15
prosunjamielennox|away: I am checking for the OS_IDENTITY_API_VERSION and OS_AUTH_URL variables (using env command)15:17
*** diazjf has joined #openstack-keystone15:18
*** rderose has quit IRC15:19
*** david_cu has joined #openstack-keystone15:22
stevemarbreton: still online?15:23
stevemarthis bug looks nasty: https://bugs.launchpad.net/keystone/+bug/156628215:23
openstackLaunchpad bug 1566282 in OpenStack Identity (keystone) "Returning federated user fails to authenticate with HTTP 500" [Undecided,New] - Assigned to Boris Bobrov (bbobrov)15:23
*** links has quit IRC15:25
prosunstevemar: what would be the right order of using Identity API 2.0?  I tried editing the openrc file (updating export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}) then restarting the keystone service (by restarting apache server)15:26
*** dave-mccowan has joined #openstack-keystone15:27
*** sdake_ has quit IRC15:27
*** sdake has joined #openstack-keystone15:27
stevemarprosun: no need to restart apache, just edit your RC file and source it15:27
prosunstevemar: okay.15:29
*** anush_ has quit IRC15:30
*** mvk_ has quit IRC15:37
*** rk4n has joined #openstack-keystone15:39
*** tellesnobrega_af is now known as tellesnobrega15:41
bretonstevemar: yes15:42
bretonstevemar: i am working on that bug now15:42
morganstevemar: looks like https://review.openstack.org/#/c/103368/48 is mostly ready to go15:42
patchbotmorgan: patch 103368 - keystone - Integrate OSprofiler in Keystone15:42
morganstevemar: FYI.15:42
morganhaven't finished the full review, but it's at the point where they've solved all the issues and we just need to decide to land/not land (before net merge conflict)15:43
morganso if we want osprofiler... we should land it15:43
*** sigmavirus24 is now known as sigmavirus24_awa15:43
*** sigmavirus24_awa is now known as sigmavirus2415:43
*** rk4n has quit IRC15:44
*** daemontool has quit IRC15:45
*** jaosorior has quit IRC15:46
*** rk4n has joined #openstack-keystone15:47
*** jaosorior has joined #openstack-keystone15:47
*** csoukup has joined #openstack-keystone15:49
*** spandhe has quit IRC15:52
bknudsonthe keystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_multiple_users test fails randomly15:54
stevemarbknudson: yay15:57
stevemarbknudson: whats the error when it fails?15:57
bknudsonstevemar: webtest.app.AppError: Bad response: 401 Unauthorized (not 201)16:00
openstackgerritBoris Bobrov proposed openstack/keystone: Update federated user display name with shadow_users_api  https://review.openstack.org/30179516:01
*** tellesnobrega is now known as tellesnobrega_af16:02
bknudsonif I put a sleep() in the test it fails. So I assume it's a timing error.16:03
bknudsonjust bad luck getting a code right before it expires16:03
*** lhcheng has joined #openstack-keystone16:03
*** ChanServ sets mode: +v lhcheng16:03
*** dan_nguyen has joined #openstack-keystone16:05
*** rderose has joined #openstack-keystone16:06
stevemartime to evaluate if https://review.openstack.org/#/c/301795/ is an RC blocker \o/16:11
patchbotstevemar: patch 301795 - keystone - Update federated user display name with shadow_use...16:11
ayoungsamueldmq, so close16:11
openstackgerritayoung proposed openstack/keystone: Extract enforcement logic to its own method  https://review.openstack.org/27926316:12
*** mvk_ has joined #openstack-keystone16:14
ayoungonce more with feeling16:14
openstackgerritayoung proposed openstack/keystone: Extract enforcement logic to its own method  https://review.openstack.org/27926316:15
*** tellesnobrega_af is now known as tellesnobrega16:17
*** mylu has quit IRC16:18
ayoungsamueldmq, so ^^ still is not quite there.  Need to unify the two decorators, and I could not quite get that16:19
*** woodburn has quit IRC16:20
*** fawadkhaliq has joined #openstack-keystone16:21
*** fawadkhaliq has quit IRC16:22
*** jasonsb has quit IRC16:22
*** agrebennikov has joined #openstack-keystone16:24
agrebennikovstevemar, if you have time today - could you please guide me a little bit through groups usage in case of federation?16:25
agrebennikovyesterday we discussed it with ayoung and it seems there are very few people in the world who really use it16:26
stevemaragrebennikov: sure16:26
stevemaragrebennikov: yep, that's certainly the case16:26
agrebennikovstevemar, :) are you aware of anybody actually?16:26
stevemaragrebennikov: there are definitely a few places using it16:27
agrebennikovmarekd in CERN?16:27
stevemaragrebennikov: more than just him :)16:27
agrebennikovdo you personally have practical experience?16:27
*** dflorea has joined #openstack-keystone16:28
stevemari've set it up a few times16:28
stevemarhaven't in a while :(16:28
agrebennikovas a POC as usually? ;)16:28
*** woodburn has joined #openstack-keystone16:28
agrebennikovI mean like almost everybody is doing it16:28
*** spandhe has joined #openstack-keystone16:28
stevemaryeah, my experience is as a PoC16:29
*** jaugustine has joined #openstack-keystone16:29
agrebennikov"lets create a local group and assign it to the tenant. now map all federated users to this local group. done"16:29
*** rderose has quit IRC16:29
agrebennikovstevemar, so my question now is - what is the proper way of manipulating with remote groups and assignments in general16:29
agrebennikovin case of federation16:29
*** wxy has quit IRC16:30
*** anush_ has joined #openstack-keystone16:30
agrebennikovbecause how it looks to me right now - all remote groups should be always replicated to the local system16:30
*** dflorea_ has joined #openstack-keystone16:30
*** rderose has joined #openstack-keystone16:30
agrebennikovin order to assign them to the projects16:30
*** dflorea has quit IRC16:30
agrebennikovstevemar, right?16:30
stevemaragrebennikov: initially that was the thinking yes, but we're slowly decoupling that16:31
agrebennikovstevemar, things like shadow users?16:32
stevemaragrebennikov: i guess you want every federated user to have their own tenant/project?16:32
agrebennikovstevemar, groups actually16:32
agrebennikovusers don't make any sense16:32
agrebennikovbut usually in production we advise users to manipulate with groups16:32
stevemaragrebennikov: oh? i had a request to do that at the user level16:32
agrebennikovstevemar, how do you then share tenants?16:33
agrebennikovstevemar, there is almost 0 real customers who are willing to do the same job twice16:33
agrebennikovstevemar, everybody wants to add the user to the group (remotely) in order to allow the access16:34
stevemaragrebennikov: the use case i was being described asked for each user to have their own project, i think they were trying to have a public cloud use case16:34
agrebennikovstevemar, that's why when you guys decided to remove ldap assignments......16:34
agrebennikovwe were EXTREMELLYYYYYY disappointed16:34
agrebennikovstevemar, yes, for the public it makes kind of sense16:35
stevemaragrebennikov: it was deprecated for a year and we sent out multiple notices... we didn't hear anything :\16:35
agrebennikovbut we are still in a private cloud, aren't we? ;)16:35
stevemaranyway, different argument16:35
agrebennikovstevemar, this is why this time in Austin I'll definitely visit your gang and tell you a couple of words regarding real usecases)))16:35
*** anush_ has quit IRC16:35
stevemaragrebennikov: would love it16:36
agrebennikovstevemar, wanted to do it last year..... didn't happen16:36
agrebennikovstevemar, so per groups16:37
stevemaragrebennikov: i guess your issue is you don't want to create the groups in keystone16:37
agrebennikovstevemar, for sure16:37
agrebennikovnobody wants it16:37
stevemaragrebennikov: cause, for the mapping, you don't need to specify the groups, there is a shortcut you can do if you give them the same name as the remote groups16:38
agrebennikovstevemar, but in this case it will say "no such group"16:39
*** anush_ has joined #openstack-keystone16:39
stevemaragrebennikov: yes, unless you have them created on the keystone side16:40
*** nisha has joined #openstack-keystone16:40
stevemaragrebennikov: this is basically one of the main issues we have in federated identity, we need to translate properties from one side to the other16:41
stevemaragrebennikov: are you familiar with the shadow user work that was done in mitaka?16:41
agrebennikovstevemar, not very deep telling the truth16:42
dolphmis there not a sched.org page for the summit schedule?16:42
*** mhickey has joined #openstack-keystone16:42
dolphmall i can find is https://www.openstack.org/summit/austin-2016/summit-schedule/16:42
agrebennikovhow I understand it - they are just transferred to the mysql16:43
agrebennikovon the first auth attempt16:43
*** trown is now known as trown|lunch16:43
agrebennikovkind of16:43
stevemaragrebennikov: basically, yes16:45
stevemaragrebennikov: if a federated user comes in, we store a copy of the user in mysql with attributes like their identity provider and name16:46
stevemaragrebennikov: i am wondering if we need a similar mechanism for groups, where we store all the groups a federated user comes in with, this would reduce the need for creating the groups remotely16:47
agrebennikovstevemar, right, but this is what probably cannot be applied to the groups16:47
raildodolphm: you can create your schedule on this link, but I think we don't have sched.org this time :(16:47
stevemaragrebennikov: why do you say that?16:48
agrebennikovstevemar, per groups - I'd prefer to store all them based on the filter16:48
agrebennikovsince the admin may want to assign the group Before the user comes in))16:48
bretonstevemar: this would mean that the user will get unauthorized first time he comes16:49
*** diazjf has quit IRC16:50
stevemarhmm, nasty problem16:51
bretonstevemar: i wonder where operators expect assignments to come from in the case where there are neither groups nor users16:51
agrebennikovstevemar, not even first. The workflow will be ugly: 1. user tries to authorize, fails (but the group comes in); 2. admin assigns the group; 3. user authorizes successfully16:51
stevemarbreton: we had an operator say their user had no groups, that wasn't fun16:52
stevemarscratch that idea then :P16:52
agrebennikovstevemar, so yes, we need groups before16:53
* breton thinks about fortress16:53
stevemarback in a bit16:53
bretonstill won't work for cases where all identity is in okta/3rd-party-idp16:54
*** dflorea_ has quit IRC16:57
nishahey all :)16:58
*** tellesnobrega is now known as tellesnobrega_af16:59
*** dflorea has joined #openstack-keystone17:00
*** mhickey has quit IRC17:02
samueldmqayoung: cool, looking17:03
*** dflorea has quit IRC17:04
samueldmqyay nisha, congrats on getting a devstack machine working quickly :)17:05
samueldmq(for keystone client functional tests)17:05
nishasamueldmq, thanks :)17:06
*** StefanPaetowJisc has joined #openstack-keystone17:07
*** jsavak has quit IRC17:08
*** sdake_ has joined #openstack-keystone17:10
samueldmqayoung: do we really need to change that filters=[] thing at that commit ?17:10
ayoungsamueldmq, see how that makes the signatures of the two decorators the same?17:10
ayoungsamueldmq, the goal is to drop filterprotected and merge it into protected17:10
*** sdake has quit IRC17:10
ayoungfilterprotected doesn't do everything that filter does yet17:11
*** nisha_ has joined #openstack-keystone17:11
*** EinstCrazy has quit IRC17:11
ayoungsamueldmq, so the next thing I did was replaced the body of filterprotected with the body of protected...and that is where things fell apart17:12
*** zqfan has quit IRC17:12
*** nisha has quit IRC17:14
notmynamemorgan: yeah, I was working on some keystone/swift interactions with timburke, and we had questions. so instead of just join/part all the time, I never left :-)17:18
morgannotmyname: hehe17:19
morgannotmyname: welcome! :)17:19
*** tellesnobrega_af is now known as tellesnobrega17:20
notmynamemorgan: of course, this also means you need to stick with "morgan" ;-)17:20
*** morgan is now known as notnotmyname17:21
notnotmynamenotmyname: :P17:21
*** notnotmyname is now known as morgan17:21
*** pgreg has joined #openstack-keystone17:21
morgannotmyname: it's kindof 50/50 depends on netsplits. i end up switching between morgan/notmorgan :P17:22
morganstevemar: i might/mightnot be at the meeting today.17:23
morganstevemar: will be on an airplane around that time17:23
*** browne has joined #openstack-keystone17:24
*** jistr has quit IRC17:24
stevemarmorgan: rgr17:27
*** tellesnobrega is now known as tellesnobrega_af17:33
*** tellesnobrega_af is now known as tellesnobrega17:33
*** jsavak has joined #openstack-keystone17:34
*** tellesnobrega is now known as tellesnobrega_af17:34
*** nisha_ has quit IRC17:34
*** tellesnobrega_af is now known as tellesnobrega17:35
*** rderose has quit IRC17:37
*** tqtran has joined #openstack-keystone17:37
morganstevemar: anything on the agenda o17:37
morganI should toss $0.02 on now?17:38
*** rderose has joined #openstack-keystone17:38
*** nisha has joined #openstack-keystone17:38
*** dflorea has joined #openstack-keystone17:40
samueldmqbknudson: in tests/unit/identity17:40
samueldmqbknudson: what's the difference between test_backends and test_core ,17:41
*** jsavak has quit IRC17:41
bknudsontest_backends contains tests for classes in keystone/identity/backends.py, test_core contains tests for classes in keystone/identity/core.py17:41
bknudsonthat's how it should be anyways17:41
*** jsavak has joined #openstack-keystone17:42
*** dflorea has quit IRC17:42
samueldmqbknudson: test_backends still use the core.py code (resource_api, identity_api, etc)17:44
*** dflorea has joined #openstack-keystone17:44
samueldmqbknudson: wouldn't it be better to only use drivers (backends) code when testing them ?17:44
bknudsonthe keystone test structure is really crappy17:45
samueldmqlet's fix it17:45
bknudsonI'm trying.17:45
stevemarmorgan: there is something on the agenda...17:46
samueldmqbknudson: for example, patch 21200617:46
patchbotsamueldmq: https://review.openstack.org/#/c/212006/ - keystone - Create unit tests for endpoint policy drivers17:46
dstanekbknudson: i just want to be able to infer where tests are located by the filename17:46
samueldmqbknudson: it contains tests for the endpoint policy backends, and it only uses the drivers, not the APIs17:46
stevemarmorgan: just tests, rodrigods made the change to the agenda17:46
morganstevemar: oh the code of conduct thing too.17:46
*** mylu has joined #openstack-keystone17:46
bknudsonsamueldmq: added it to my list17:46
stevemarmorgan: ayoung and i can speak to that17:47
ayoungadded it to the agenda already17:47
samueldmqbknudson: thanks, that needs an update, probably should be in test_backends.py17:47
morganI'll try and be there for that.17:47
samueldmqbknudson: I will do that, then you will get it updated when it reaches the top of your queue :)17:47
bknudsonsamueldmq: here's my attempt at identity driver tests -- https://review.openstack.org/#/c/291950/17:48
patchbotbknudson: patch 291950 - keystone - Define identity interface - easy cases17:48
bknudsonsamueldmq: note that it can also test against live databases (mysql and postgresql)17:48
samueldmqbknudson: cool, that's what I was talking about17:49
samueldmqbknudson: testing the driver's interface17:50
*** dflorea has quit IRC17:50
*** nisha_ has joined #openstack-keystone17:51
*** dflorea has joined #openstack-keystone17:52
*** nisha has quit IRC17:55
*** dflorea has quit IRC17:56
*** dflorea has joined #openstack-keystone17:57
*** shaleh has joined #openstack-keystone17:57
*** dflorea has quit IRC17:58
*** jsavak has quit IRC17:59
*** jsavak has joined #openstack-keystone17:59
*** dflorea has joined #openstack-keystone18:02
*** trown|lunch is now known as trown18:02
*** dflorea has quit IRC18:03
*** dflorea has joined #openstack-keystone18:03
*** timcline has joined #openstack-keystone18:04
*** mylu has quit IRC18:05
*** jsavak has quit IRC18:06
*** jsavak has joined #openstack-keystone18:06
*** e0ne has quit IRC18:10
*** nisha_ is now known as nisha18:12
*** diazjf has joined #openstack-keystone18:12
nishasamueldmq, I added the line in local.conf file and ran ./stack.sh again successfully18:14
nishasamueldmq, what can I do next? :)18:14
samueldmqnisha: great18:14
samueldmqnisha: go to your python-keystoneclient dir18:15
samueldmqnisha: and download https://review.openstack.org/#/c/289306/18:15
patchbotsamueldmq: patch 289306 - python-keystoneclient - Add users functional tests18:15
*** pushkaru has quit IRC18:15
nishasamueldmq, yeah sure! doing it18:16
nishasamueldmq, where is it located ? sorry it doesn't show up on doing ls -a in devstack dir18:18
samueldmqnisha: it's at the same level as devstack is18:19
samueldmqnisha: should be ~/python-keystoneclient18:19
*** pgreg has quit IRC18:22
nishasamueldmq, I think I did something wrong earlier, have a look please http://paste.openstack.org/show/493047/18:24
*** dflorea has quit IRC18:26
*** pushkaru has joined #openstack-keystone18:27
*** StefanPaetowJisc has quit IRC18:29
samueldmqnisha: did you create the user called stack ?18:31
*** StefanPaetowJisc has joined #openstack-keystone18:32
*** StefanPaetowJisc has left #openstack-keystone18:33
*** dflorea has joined #openstack-keystone18:33
*** jsavak has quit IRC18:33
*** jsavak has joined #openstack-keystone18:34
*** dflorea has quit IRC18:38
nishasamueldmq, yes i did18:38
*** stingaci has joined #openstack-keystone18:39
nishausing $ groupadd stack and $ useradd -g stack -s /bin/bash -d /opt/stack -m stack18:39
*** dflorea has joined #openstack-keystone18:39
samueldmqnisha: I normally log in with that user18:39
samueldmqnisha: and run ./stack.sh with it18:39
samueldmqnisha: python-keystoneclient should be in stack's home18:40
nishahow should I log in ? can you tell that part again please18:40
*** rcernin has quit IRC18:41
samueldmqnisha: like you login as nisha18:42
samueldmqnisha: are you connecting via ssh ?18:43
samueldmqnisha: is it a virtual machine ?18:43
*** dflorea has quit IRC18:44
*** Don_Nalezyty has quit IRC18:44
nishaYes, i am using an ubuntu vm18:44
samueldmqnisha: you connect to it with something like: 'ssh nisha@x.x.x.x' right ?18:46
nishahmm, I did that long back, yup18:48
nishasamueldmq, when I ran ./stack.sh command it completed after saying The default users are: admin and demo and it gave me a password18:50
nishasamueldmq, should i be using that here to login18:50
samueldmqnisha: no, I am talking about log in in the vm, not log in in the cloud18:52
samueldmqnisha: when you created stack user, you created its home18:52
samueldmqnisha: look at /opt/stack18:52
nishasamueldmq, hmm okay18:52
*** AJaeger has joined #openstack-keystone18:52
samueldmqnisha: and see if python-keystoneclient is in there18:52
AJaegerkeystone team, I fear your mitaka branch is broken, have a look at https://review.openstack.org/300953 - the keystone-coverage-db job is failing there.18:53
nishasamueldmq, yup it is there18:53
AJaegerkeystone team,should the job run on that branch at all?18:53
stevemarAJaeger: looking18:54
*** phalmos has quit IRC18:54
samueldmqnisha: cool, you should go there and download that patch18:54
nishasamueldmq, alright! thanks18:54
AJaegerthanks, stevemar. Might be an unrelated issue as well, I couldn't figure it out ;(18:54
samueldmqnisha: do a 'ls -l' there and see if it belongs to nisha or stack user18:54
samueldmqnisha: if stack, you can switch to that user with 'su stack'18:55
knikollaroxanaghe, yes, but not until we have a way to mock ldap.18:55
samueldmq(if it still doesn't have a password, create it with 'sudo passwd stack')18:55
samueldmqnisha:  ^18:55
*** e0ne has joined #openstack-keystone18:55
roxanagheknikolla, I was looking at the existing fakeldap and I think it could be refactored a little bit to be suitable for ldap3 mocking as well18:56
stevemarAJaeger: this is weird: http://logs.openstack.org/53/300953/1/check/keystone-coverage-db/3c59c4a/console.html#_2016-04-04_12_07_05_46018:56
stevemarAJaeger: there was a 25 minute gap with no logging18:56
AJaegerstevemar: argh ;(18:56
stevemarAJaeger: timeout?18:56
roxanaghebknudson, ayoung any opinion on refactoring fakeldap to suit ldap3 mocking as well?18:57
AJaegerstevemar: might be - let's recheck again?18:57
stevemarAJaeger: done18:57
morganAJaeger: that is a weird one18:57
morganroxanaghe: I wish it was easier to just mock at the socket level for LDAP data.18:58
ayoungroxanaghe, you really want me to take that on, don't you?18:58
morganSince I am on a plane all tomorrow I might see if it is possible.18:59
roxanagheayoung, nop18:59
ayoungmorgan, and some form of in-memory LDAP server written in Python that could respond18:59
morganThen we could test any LDAP server18:59
nishasamueldmq, it belongs to nisha user not stack user18:59
morganayoung: yeah. I was thinking something like betamax that can record real transactions and then replay them.18:59
ayoungroxanaghe, have you made a stab at it yet? What kind of issues would there be?18:59
samueldmqnisha: ok so just keep using nisha :)19:00
morganOr similar.19:00
samueldmqnisha: go in there and download the patch19:00
*** AJaeger has left #openstack-keystone19:00
stevemarbreton: for https://review.openstack.org/#/c/301795/1 does it happen regardless of user name change? cc dolphm19:01
patchbotstevemar: patch 301795 - keystone - Update federated user display name with shadow_use...19:01
nishasamueldmq, will do that !19:01
knikollastevemar, rodrigods want to add this to the meeting next week? https://etherpad.openstack.org/p/Keystone-Federation-Testing19:03
stevemarknikolla: sure, you know how to update the agenda?19:03
rodrigodsknikolla, sure, if we figure out the steps :)19:03
roxanagheayoung, no unmanageable issues yet, fakeldap uses a dictionary underneath so should work for another ldap lib in theory19:03
knikollastevemar, i think i can figure that out19:04
*** e0ne has quit IRC19:05
ayoungroxanaghe, If you can port fake as is, I think it is the surest path forward.  We can also plan on replacing fake in the future with a better mocking tool if we discover it, but let's assume that we are stuck with fake19:05
stevemarknikolla: i have the utmost belief that you can!19:05
morganWe are stuck with fakeldap for now.19:05
morganayoung: unless we write a tool.19:05
knikollastevemar, if OpenID allowed me to login though, i just get a blank page19:05
stevemarknikolla: :)19:05
stevemarknikolla: as a heads up, there is a security question now when you save your changes, it's at the top of the page19:06
ayoungmorgan, So I just got my tftp server working in Rust.  Maybe I could adapt that?19:06
ayoungit's read only19:06
morganNah. I'd look at a real socket mock for our unit tests instead of running another server -- if it is really a unit test19:07
morganVs functional.19:07
samueldmqnisha: after you do that, just run 'tox -e functional' inside python-keystoneclient19:07
samueldmqnisha: and functional tests will run against the cloud devstack created :)19:08
nishasamueldmq, okay sir :)19:08
openstackgerritDolph Mathews proposed openstack/keystone: Update federated user display name with shadow_users_api  https://review.openstack.org/30179519:09
*** stingaci has quit IRC19:10
dolphmstevemar: rderose: ^19:11
rderosedolphm: just saw your latest patch19:11
dolphmstevemar: rderose: i added some assertions to the tests, and was surprised that they didn't pass19:11
knikollaayoung, morgan, removing the fake part, could i theoretically run the unit tests as functional tests?19:12
dolphmstevemar: rderose: i would have just left a code review, but given this is potentially a last minute RC blocker19:12
knikollafor ldap19:12
*** stingaci has joined #openstack-keystone19:12
rderosedolphm: let me see where it's failing19:12
rodrigodsbknudson, dstanek, ayoung, stevemar, are you in -qa?19:13
dstanekrodrigods: yes19:13
rodrigodsmtreinish has some thoughts about the keystone tempest plugin19:13
bretonstevemar: yes, regardless19:13
stevemarbreton: damn19:13
stevemarbreton: new patch btw: https://review.openstack.org/#/c/301795/2/keystone/tests/unit/test_v3_identity.py19:14
patchbotstevemar: patch 301795 - keystone - Update federated user display name with shadow_use...19:14
stevemarrodrigods: i'm a bit occupied with the rc bug atm, i'll have to settle with reading the scrollback in -qa19:14
bretonstevemar: this is the another bug dolphm is talking about19:15
bretonstevemar: and it deserves a separate bugreport19:15
*** rderose_ has joined #openstack-keystone19:15
bknudsonrodrigods: I am in qa19:16
rodrigodsstevemar, np, think we are covered with bknudson and dstanek :)19:16
*** rderose has quit IRC19:16
bretonCode Review - Error19:16
bretonServer Unavailable19:17
*** ametts has quit IRC19:17
*** stingaci_ has joined #openstack-keystone19:17
*** e0ne has joined #openstack-keystone19:18
dolphmbreton: so, handle my comment in a separate bug report?19:18
*** stingaci has quit IRC19:18
stevemarbreton: dolphm: not updating the display name is a much lower priority bug and not an rc blocker19:18
dolphmstevemar: ++19:19
bretondolphm: agreed. Will file now19:19
stevemarbreton: want to file... thanks! :)19:19
stevemardolphm: update the patch with the new bug number and let's land this sucker19:20
stevemarrderose_: are you good with the patch? you are mr. shadow user19:20
dolphmi like that19:20
rderose_stevemar: yes19:20
stevemarwe have a game plan19:20
rderose_dolphm: :)19:21
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Credential Encryption  https://review.openstack.org/28495019:21
dolphmbreton: still fails on the third call as well, for me19:21
rderose_stevemar dolphm: just trying to figure out the separate issue dolph uncovered19:21
bretondolphm: oh.19:21
dolphmbreton: i added a third call http://cdn.pasteraw.com/fvpvbj9pjjunfczjgetwcmihhzzs3s919:22
dolphmbreton: and the failure: http://cdn.pasteraw.com/n14dwccymednh6euzqdysfp4bcohjt419:22
stevemardolphm: the ID changes if the user logs in 3 times?19:23
stevemaroh that's the name, just a UUID, duh19:24
dolphmstevemar: right19:25
stevemarbreton: file that bug :P19:25
bretondolphm: is it even correct after the first call?19:25
dolphmbreton: let me double check that19:25
stevemarbreton: we just need a number for now, to write in the patch19:25
dolphmbreton: oh, i already had an assertion to test exactly that, so yes19:26
*** phalmos has joined #openstack-keystone19:26
stevemarit's going to take a few hours to make this merge in master and stable/mitaka19:28
dolphmbreton: stevemar: i left a +2 and a comment - i have to run to a dentist appointment and i'll be back shortly19:28
stevemarthen release19:29
stevemardolphm: thanks19:29
bretonstevemar: https://bugs.launchpad.net/keystone/+bug/156649419:29
openstackLaunchpad bug 1566494 in OpenStack Identity (keystone) "Federated user's name is not updated if changed in idp" [Undecided,New]19:29
*** jsavak has quit IRC19:29
*** jsavak has joined #openstack-keystone19:29
*** clenimar has joined #openstack-keystone19:31
*** ametts has joined #openstack-keystone19:31
*** sdake_ has quit IRC19:31
*** gordc has quit IRC19:33
*** nisha has quit IRC19:34
*** e0ne has quit IRC19:35
stevemardolphm:  rderose_ breton okay, merging...19:36
rderose_stevemar: I'm okay, but working on the new issue...19:37
openstackgerritBrant Knudson proposed openstack/keystone: Fix totp test fails randomly  https://review.openstack.org/30188119:37
*** jsavak has quit IRC19:37
*** stingaci_ has quit IRC19:38
*** dflorea has joined #openstack-keystone19:38
stevemarbreton: ?19:39
bretonstevemar: we shall have to fix the tests before backporting19:39
bretonif we are not going to backport that display_name issue19:39
bretonotherwise ok19:39
stevemarbreton: the tests are passing in jenkins, we can backport the display name issue in the next mitaka release19:40
*** sdake has joined #openstack-keystone19:40
stevemarbreton: the display_name fix will land in, does that make sense?19:42
*** david_cu has quit IRC19:42
*** dflorea has quit IRC19:43
*** sdake has quit IRC19:44
*** sdake has joined #openstack-keystone19:46
*** jaosorior has quit IRC19:54
bknudsonrodrigods: btw, thanks for actually proposing tempest tests for keystone function19:54
*** gordc has joined #openstack-keystone19:54
rodrigodsbknudson, np... i really want to close the feature/tests gap here19:54
rodrigodsi still think that having them in our tree is valuable, but i'm fine with whatever conclusion you make :)19:55
bknudsonrodrigods: I can sure see why you'd propose moving tests to keystone if you're abandoning useful tests in tempest.19:57
rodrigodsyeah :(19:58
*** sdake_ has joined #openstack-keystone19:58
mtreinishrodrigods: I never said all testing should exclusively happen in tempest. You should have in tree tests too, it's about making a testing pyramid19:59
mtreinishI just said doing it via a tempest plugin in-tree wasn't what I viewed as a good approach19:59
rodrigodsmtreinish, sure, and will ping you a lot whenever such doubts happen :)19:59
rodrigodshave to leave here, will be back in a hour or so19:59
*** diazjf has quit IRC20:00
*** david_cu has joined #openstack-keystone20:00
*** jsavak has joined #openstack-keystone20:00
*** sdake has quit IRC20:01
ayoungmtreinish,  Do you have a rule of thumb about what tests should be in tempest versus what should be in Keystone?20:03
mtreinishayoung: mriedem quoted some of my thoughts on that on the ML (well talking about nova) here: http://lists.openstack.org/pipermail/openstack-dev/2015-October/078025.html20:05
*** mylu has joined #openstack-keystone20:05
ayoungmtreinish, reading20:05
mtreinishit's a convenient link when that question gets asked :)20:05
*** csoukup has quit IRC20:06
mtreinishthat quote is more or less the biggest thought in my head when I'm debating whether something belongs in tempest20:06
*** tqtran has quit IRC20:06
*** pushkaru has quit IRC20:06
ayoungmtreinish, So, Keystone is kind of the highest point on the hill.  It all rolls downhill from there.20:07
*** pushkaru has joined #openstack-keystone20:08
ayoungSo, we have things that call into Keystone, Keystone does not call into anything else in OpenStack, with the exception of notifications20:08
ayoungWe have a need for LDAP and real MySQL tests20:08
ayoungAnd Federation20:08
dstanekayoung: except for k2k or federation tests20:08
mtreinishayoung: right, which makes keystone a bit different for some things with that nova example20:09
ayoungdstanek, K2K is still Keystone.  Doesn't need any other services. And Federation is outside of OpenStack, too; so, right.20:09
mtreinishand personally because of its importance as the base req in openstack I'm more open to adding keystone tests to tempest20:09
ayoungmtreinish, we have a simple echo server that we can use to test things like middleware and we have the client and auth code that we should be testing against a live server20:09
dstanekayoung: outside of openstack sure. i was thinking outside of the SUT20:10
ayoungSo where do we draw the line?20:10
ayoungdstanek, right...I agree with you. I was making a different distinction.  We change, we might break nova.  But OpenLDAP does not care if they break us.20:10
mtreinishayoung: I think the fundamental question is flawed. Duplication here isn't a bad thing, you should be asking what do we want in tempest (given the external testing and stuff I mentioned in that link)20:11
ayoungIf Notifications changed, or oslo-* in general, it might break us20:11
mtreinishbut you should strive to have in tree testing that covers everything20:11
mtreinishthe whole testing pyramid I was mentioning before20:11
mtreinishyou don't need devstack to spin up a working keystone, have lower level tests in tree that spin up a keystone with different backends and do requests20:12
bknudsonthe pyramid is the most powerful shape20:12
mtreinish(look at nova's api tests neutron's full stack, etc)20:12
ayoungmtreinish, yeah, but you have to watch out for those danged stargates20:12
lbragstadbknudson it's a super shape20:12
*** sdake_ has quit IRC20:12
mtreinishayoung: just call the asgard in that case :)20:12
*** sdake has joined #openstack-keystone20:13
ayoungSo it is still not clear to me what we consider contract. We have a pretty strict contract with the Keystone API (especially v3) that we assume must continue to be honored20:14
ayoungthat is the token issue validation part, but much more, it is all the admin for Keystone20:15
ayoungcreate user, assign role, set policy20:15
ayoungIf we change that, the only thing that will notice is Horizon.20:15
*** spzala has quit IRC20:15
ayoungnova, glance just care about token issue and validation20:15
ayoungNow, personally, I've wanted to have better functional testing in Keystone for a while, so I am happy to take on the whole kit-and-caboodle20:16
ayoungbut now the question is "who should be able to approve test changes?"20:16
*** david_cu has quit IRC20:17
ayoungare we treating Tempest as the "other accountant" for a double set of books?20:17
ayoungor do we trust the Keystone code review process to be stringent enough?20:17
mtreinishayoung: double book accounting is a good analogy (I've used it before for describing this)20:18
ayoungOne reason I would like the Keystone tests to be in a separate repo, even if it is managed by the Keystone team is that it makes changes to test a deliberate, and separate, step from changing code.20:18
mtreinishayoung: right, that's one of the advantages of doing it in tempest20:18
mtreinishI know we've more than a few breaking api changes in keystone because of that20:19
ayoungmtreinish, well, I've also seen Tempest tests that lock us into decisions that are not what Keystone is committed to supporting.20:22
ayoungLike, just because we create a domain called "default" does not mean that there needs to be one.20:22
ayoungAnd from an "understand the system" perspective, we can do so much more in depth testing of keystone service than the Tempest team can, and it makes more sense for Keystone folks to review the test plans.20:23
ayoungNow, you might suggest that we come over to tempest land to review.20:23
mtreinishayoung: a bit of both actually. I just was pushing for you to have in-tree tests that are more exhaustive and also have tests in tempest (which lock you hard)20:24
mtreinishand for tempest stuff I know I bug keystone core people if I'm unsure of something20:25
*** dflorea has joined #openstack-keystone20:25
*** stingaci has joined #openstack-keystone20:26
mtreinishfwiw, the domain support in tempest is kinda a mess. Just ask jamielennox|away he was playing with it for a while :)20:26
*** david_cu has joined #openstack-keystone20:26
*** david-lyle_ has joined #openstack-keystone20:28
*** david-lyle has quit IRC20:29
*** david-lyle_ is now known as david-lyle20:29
knikollastevemar, well, apparently they don't allow new accounts in the wiki so I can't edit it.20:32
*** mylu has quit IRC20:32
*** vgridnev_ has joined #openstack-keystone20:32
mtreinishknikolla: the wiki is being pretty heavily spammed right now, so they've locked it down and also added a really annoying captcha20:33
*** david_cu has quit IRC20:33
mtreinishthere's a longish thread on the -infra ML about it20:33
knikollamtreinish, yeah, i asked on infra about that.20:34
*** tqtran has joined #openstack-keystone20:34
*** stingaci_ has joined #openstack-keystone20:39
*** stingaci has quit IRC20:39
*** vgridnev_ has quit IRC20:42
*** mylu has joined #openstack-keystone20:43
*** dflorea has quit IRC20:44
*** sheel has quit IRC20:47
*** diazjf has joined #openstack-keystone20:47
*** jamielennox|away is now known as jamielennox20:49
*** dflorea has joined #openstack-keystone20:51
*** stingaci_ has quit IRC20:52
*** raildo is now known as raildo-afk20:54
*** ChanServ sets mode: +v topol_20:55
*** topol_ is now known as topol20:55
lbragstadbreton have a couple free minutes to check the response to https://review.openstack.org/#/c/294305/ ?20:59
patchbotlbragstad: patch 294305 - keystone - Moved name formatting (clean) out of the driver20:59
*** trown is now known as trown|outtypewww20:59
*** stingaci has joined #openstack-keystone21:00
*** vgridnev_ has joined #openstack-keystone21:01
*** pauloewerton has quit IRC21:03
*** darrenc_ is now known as darrenc21:05
bretonlbragstad: in 1h, sorry for long silence21:05
lbragstadbreton no worries - just a friendly reminder :)21:06
*** lhcheng has quit IRC21:06
*** jaugustine has quit IRC21:07
*** dflorea has quit IRC21:09
*** dflorea has joined #openstack-keystone21:09
*** lhcheng has joined #openstack-keystone21:11
*** ChanServ sets mode: +v lhcheng21:11
*** knikolla has quit IRC21:20
*** david_cu has joined #openstack-keystone21:20
*** dflorea has quit IRC21:21
mfischstevemar: hey PTL, question for you. Why don't I see CVE or OSSN references in the git commit logs? That would be useful21:21
mfischmaybe a good reason...21:22
*** dflorea has joined #openstack-keystone21:22
*** dflorea has quit IRC21:23
*** stingaci has quit IRC21:24
*** rk4n has quit IRC21:26
*** mylu has quit IRC21:26
*** pushkaru has quit IRC21:26
*** diazjf has quit IRC21:27
*** rk4n has joined #openstack-keystone21:30
*** sdake_ has joined #openstack-keystone21:30
*** diazjf has joined #openstack-keystone21:30
*** sdake has quit IRC21:33
*** mylu has joined #openstack-keystone21:36
*** sdake_ has quit IRC21:37
*** sdake has joined #openstack-keystone21:38
*** sdake has quit IRC21:39
*** knikolla has joined #openstack-keystone21:39
openstackgerritMerged openstack/keystone: Update federated user display name with shadow_users_api  https://review.openstack.org/30179521:41
*** dflorea has joined #openstack-keystone21:46
*** rk4n has quit IRC21:46
*** anush_ has quit IRC21:46
*** clayton has quit IRC21:47
*** clayton has joined #openstack-keystone21:47
*** tjcocozz has quit IRC21:48
*** jdandrea has joined #openstack-keystone21:48
*** tjcocozz has joined #openstack-keystone21:49
*** mylu_ has joined #openstack-keystone21:49
*** mylu has quit IRC21:50
dolphmmfisch: the fixes are landed before the OSSN goes out21:50
dolphmmfisch: there should be a CVE reference available, but then there'd be a race between "hey, this commit references a CVE i can't read, and there's no OSSN published?!"21:51
*** dave-mccowan has quit IRC21:55
*** jsavak has quit IRC21:55
*** david_cu has quit IRC21:55
*** david_cu has joined #openstack-keystone21:56
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982821:57
*** mylu_ has quit IRC21:57
rodrigodsayoung, dstanek, bknudson, are we going to move the keystone tempest plugin thing forward?22:00
*** diazjf has quit IRC22:00
*** dflorea has quit IRC22:00
*** david_cu has quit IRC22:01
ayoungrodrigods, I thought we had agreed that we were.  Is it still not clear?  Is there some other point that I missed?22:01
*** sigmavirus24 is now known as sigmavirus24_awa22:01
rodrigodsayoung, after the whole discussion today in -qa i wasn't sure anymore :)22:02
bknudsonwe can always undo whatever we do in this space so might as well go ahead. We shouldn't get blocked waiting on a summit discussion22:02
ayoungrodrigods, I don't think it fundamentally changed anything .22:02
ayoungrodrigods, what bknudson just said22:02
*** dave-mccowan has joined #openstack-keystone22:02
*** slberger has left #openstack-keystone22:02
*** dflorea has joined #openstack-keystone22:02
ayoungrodrigods, so what you are really asking is for me to approve your 7K line patch?22:03
bknudsonone of the problems with summits is things get blocked for weeks in advance22:03
rodrigodsbknudson, ayoung, good, i just need the cores blessing :P22:03
*** mylu has joined #openstack-keystone22:03
rodrigodsayoung, nope, i want to write some new tests asap, and would be nice to know where to target them22:04
bknudsonnew tests should be targeted to tempest anyways22:04
*** dflorea has quit IRC22:04
bknudsonif they don't want it then we'll put it in keystone22:04
ayoungrodrigods, what tests.  I am not certain I agree with bknudson on Tempest first22:05
rodrigodsbknudson, yeah... it is just matter of who is going to review them i suppose22:05
ayoungI think Keystone first22:05
rodrigodsayoung, federation CRUD: idps, mappings, sps, protocols22:06
ayoungWe can always add tests.22:06
ayoungYeah, start with Keystone, and, if Tempest wants them, they can grab them22:06
bknudsonI can review changes in tempest.22:06
*** stingaci has joined #openstack-keystone22:06
*** dflorea has joined #openstack-keystone22:06
ayoungless overhead, and more subject matter expertise in Keystone.  bknudson can review, but I won't see them there22:06
ayoungI think we should treat Tempest as a "promotion" of a functional test.22:07
ayoung"we want this one to stand the test of time..."22:07
rodrigodsayoung, yeah! that was my thinking too22:07
*** dflorea has quit IRC22:07
ayoungwhereas in Keystone it is "we want to make sure this works now"22:07
bretonlbragstad: /me shrugs22:08
bretonlbragstad: now i would ask to de-duplicate the bugreport, because now there are 2 issues in 1 report22:08
bretonone about the behavior, another about cleaning up the code22:09
*** dflorea has joined #openstack-keystone22:09
*** vgridnev_ has quit IRC22:09
rodrigodsayoung, bknudson, btw, regarding https://review.openstack.org/#/c/301398/, we don't import from tempest.services, we need to copy22:09
patchbotrodrigods: patch 301398 - keystone - Migrate tempest tests into keystone tree22:09
ayoungrodrigods, that is the Tempest Client?22:10
bretonlbragstad: +1d22:11
knikollaayoung, can you give an example of what would be enough as a functional test, and what would need to be in tempest to stand the test of time?22:11
ayoungknikolla, No I can't.  I've been trying to frame that in my head for a while now.22:11
*** mylu has quit IRC22:11
ayoungknikolla, LDAP would not be "test of time"22:11
ayoungLDAP is backend, and that should be able to vary22:11
bretoni guess the worst part is setup of functional tests22:12
*** dflorea has quit IRC22:12
knikollaayoung, in a generic way, not only for LDAP. I think we need to define a clear dividing line.22:12
bknudsonbeing able to get a token and validate a token22:12
ayoungbreton, right, which is part of the reason we don't have an LDAP functional test yet22:12
bretonthere was a patch by dstanek22:13
ayoungknikolla, so, we put tests into Keystone, and it's up to Tempest to steal them from us.22:13
bretonwith devstack setup with help of plugins22:13
*** mylu has joined #openstack-keystone22:13
bretoni am actually planning to restore it22:13
*** browne has quit IRC22:14
*** dflorea has joined #openstack-keystone22:14
bknudsonit should be pretty easy to have a tempest ldap job in keystone22:15
bknudsonsince devstack already supports it22:15
bknudsonbut then, I also thought it would be easy to have a tempest fernet job.22:16
morganyou know it's nice being home...22:16
* morgan waves at folks.22:16
bretonbknudson: are there examples how to add such jobs with special config? What to read about it?22:16
rodrigodsbreton, this is a really common doubt22:17
rodrigodsi have it myself22:17
*** timcline has quit IRC22:17
bknudsonbreton: https://review.openstack.org/#/c/264991/ might be a good example22:18
patchbotbknudson: patch 264991 - openstack-infra/project-config - Keystone-only uwsgi job (MERGED)22:18
bknudsonit sets some devstack options22:18
*** timcline has joined #openstack-keystone22:18
bknudsonnot sure how you would enable ldap service, but couldn't be too hard.22:18
bretonok, so i googled before22:19
bretonbut only now ran into https://wiki.openstack.org/wiki/Neutron/FunctionalGateSetup22:19
*** gordc has quit IRC22:19
rodrigodsbknudson, ^ that's the part i don't know22:19
rodrigodsand adding new dsvms types might need extra resources?22:19
rodrigodsnot sure22:19
bknudsoninfra might complain that we've got too many jobs.22:20
bknudsonwe could probably combine some if we get too many.22:20
bknudsonfor example, make the uwsgi job that we're already running use ldap22:20
rodrigodshmm true22:20
dstanekbknudson: it should be as simple as setting a few more variables to setup ldap22:21
*** dflorea has quit IRC22:21
knikollawould devstack in that case install and configure a real LDAP server?22:22
bretonin neutron example above they do things by setting shell variables22:22
dstanekknikolla: yes, it can do that now22:23
*** timcline has quit IRC22:23
bretonknikolla: yes22:23
ayoungI tricked topol into doing LDAP in Devstack years ago.22:23
ayoungit's like MySQL. You add it to the list of services...let's see it is22:24
bknudsonhe wanted to do it22:24
ayoungdefault are ENABLED_SERVICES=key,n-api,n-cpu,n-net,n-cond,n-sch,n-novnc,n-crt,n-cauth,g-api,g-reg,c-sch,c-api,c-vol,horizon,rabbit,tempest,mysql,dstat22:24
ayoungI think you can just add ldap to that list22:25
knikollaayoung, yeah, i remember doing that, adding ldap to the list worked, my emphasis was on *real* ldap server.22:25
bknudsonyou'll need to add ldap to the list and also set the passwords22:25
bknudsonopenldap burn!!22:25
ayoungI would not set   # set ``KEYSTONE_IDENTITY_BACKEND`` to ``ldap``22:26
*** jamielennox is now known as jamielennox|away22:26
ayounginstead, create a domain, and use a domain specific backend22:26
bknudsonI don't think devstack supports that setup22:27
ayoungbknudson, you can do it after the fact22:27
dstanekknikolla: this is my template from ansible http://paste.openstack.org/show/493087/22:27
ayoungbknudson, need to do something like this:  http://adam.younglogic.com/2016/03/v3fromv2/  and then use the V3 API22:27
dstanekayoung: i always set KEYSTONE_IDENTITY_BACKEND to ldap22:28
bknudsonkeystone.rc -- is that like clouds.yaml?22:28
dstanekbknudson: keystone.rc?22:28
bknudsondstanek: regarding http://adam.younglogic.com/2016/03/v3fromv2/22:29
knikollaayoung, https://github.com/knikolla/ansible-k2k/blob/master/roles/devstack/scripts/modify_rcfile.sh22:29
*** dflorea has joined #openstack-keystone22:29
dstanekbknudson: that's the first i've seen of that :-)22:30
bknudsonseems like every deployer creates a shell script to source.22:30
bknudsonsomeday they'll switch to clouds.yaml.22:31
knikollabknudson, i've never worked with a cloud.yaml file before, interestingly enough.22:31
bknudsonknikolla: you're missing out. It's awesome.22:32
bknudsondevstack updates clouds.yaml22:32
dstanekknikolla: you should convert. much better experience.22:32
*** mylu has quit IRC22:33
knikollabknudson, dstanek: probably will.22:33
*** dflorea has quit IRC22:34
*** woodster_ has joined #openstack-keystone22:34
bknudsondstanek: you use ansible to drive devstack?22:35
knikollaansible is awesome22:36
dstanekbknudson: i've been working on publishing my stuff, but there are still too many *nsfw* comments and passwords22:36
dstaneki use ansible to setup my macbook air and dell laptops22:36
* breton thinks about moving to guix for these kind of things22:38
*** mylu has joined #openstack-keystone22:41
dstanekbreton: isn't guix an alternative package manager? iirc it's not a configuration management system22:41
*** dflorea has joined #openstack-keystone22:42
*** mylu has quit IRC22:42
*** Ephur has quit IRC22:44
openstackgerritMerged openstack/keystone: remove endpoint_policy from contrib  https://review.openstack.org/29481622:50
*** knikolla has quit IRC22:52
*** mylu has joined #openstack-keystone22:53
*** mylu has quit IRC22:57
*** ametts has quit IRC22:58
*** knikolla has joined #openstack-keystone23:04
*** mylu has joined #openstack-keystone23:04
ayoungknikolla, you need domains too23:08
knikollaayoung, btw, what is the correct way to integrate an existing software (not part of openstack) so that it can use keystone for authentication?23:11
ayoungknikolla, don't23:11
ayoungkeystone is dumb23:11
ayoungintegrate directly with the IdP instead23:11
knikollaayoung, we have different services which need a common way to auth. Using keystone and having it use an LDAP backed would save us the need to write auth logic for each one.23:13
ayoungknikolla, use Kerberos off LDAP instead23:13
ayoungor use X509 Client auth23:13
ayoungor Use SAML23:14
ayoungknikolla, with FreeIPA, I would recommend Kerberos, and mod_lookup_identity as the baseline23:14
knikollaayoung, i'll investigate those.23:16
ayoungknikolla, I have blog posts that might help23:16
knikollaayoung, hmmm. so in that case apache would talk with FreeIPA instead of the application?23:19
ayoungknikolla, yep.  You can always fall back to direct LDAP,23:19
ayoungbut then you end up dealing with LDAP configuration on all of the remote systems23:20
ayoungand mod_auth_ldap is pretty static23:20
*** stingaci has quit IRC23:21
knikollaayoung, i see, similar to how mod_shib understands saml.23:21
ayoungknikolla, the idea is that SSSD is a daemon designed to register the system with FreeIPA and manage system identity, so you don't reimplement in each application23:22
*** phalmos has quit IRC23:22
ayoungit lets you unify ssh, X509 and other access control type things all together.  And DNS23:22
*** sdake has joined #openstack-keystone23:23
*** jamielennox|away is now known as jamielennox23:23
knikollaayoung, and in the simplest possible case that would reduce federation between the different applications to having the same FreeIPA.23:24
ayoungknikolla, so, Federation is a little different. For Federation, you need to figure out what protocols to support.  Ideally, yeah, you would leave all the decisions about that to FreeIPA, but I don't think that is practical.  For our stuff, we are using mod_mellon for SAML23:26
ayoungThe way CERN went is that they use ADFS.  Then everything is SAML23:26
ayoungand their ADFS server converts third party saml to CERN specific saml23:26
ayoungknikolla, if you go to http://openstack.cern.ch/  you get redirected to https://login.cern.ch/adfs  and from there you have the ability to login in many different service providers23:27
ayounger, make that identity Providers23:27
knikollaayoung, all the different ways you can do authentication are fascinating.23:29
ayoungknikolla, so, Ideally, yeah, I would like to see something in Keystone or Horizon play that role, but we don't have it right now, and no real plans to make it happen.  We could, potentially, do something like that with the K2K code we have, but Keystone thus far has done no UI23:29
ayoungknikolla, so, another team here at Red Hat is on the JBoss side, and they have a product that I am working on testing the Federation with as well. It's called Keycloak.  They did OpenID Connect first, and now we are helping them close the gap on SAML23:30
ayoungIt has a lot of features, but I don't really know it that well yet23:30
knikollaayoung, that looks interesting. will look into that.23:32
knikollaayoung, alongside convincing people that integrating keystone into our service is not a good idea.23:36
ayoungknikolla, Keystone should never have been. The idea of a bearer token providing a proxy to both authentication and authorization is a bad pattern23:37
knikollaayoung, There still is a place for keystone. At least as a service catalog, authorization service.23:38
knikollaayoung, but seeing the mod_lookup_identity post i got the same insight.23:38
knikollaayoung, do you have any books to recommend on the topic of identity patterns?23:40
*** mylu has quit IRC23:43
*** dflorea has quit IRC23:44
*** mylu has joined #openstack-keystone23:49
*** jamielennox is now known as jamielennox|away23:51
*** sdake_ has joined #openstack-keystone23:53
*** stingaci has joined #openstack-keystone23:54
*** sdake has quit IRC23:56
*** dflorea has joined #openstack-keystone23:58
*** jamielennox|away is now known as jamielennox23:59
