Thursday, 2016-04-07

jamielennoxit won't give you the password plugin opts, it will just restore admin_user etc00:00
zigoAh, that I got it already with my (probably more ugly) patch.00:00
zigoI'd like to really have *all* options if possible.00:00
zigoAnd especially the new ones for v3password.00:01
zigoThese, I don't know how to have them. :(00:01
jamielennoxso you would have to edit the values returned in that list00:03
zigojamielennox: Don't you think it would make sense to have the v3password options showing by default?00:03
zigoThat's what we want our users to switch to, no?00:03
jamielennoxzigo: maybe - but is it confusing if they are there and people haven't set auth_type = v3password00:03
jamielennoxzigo: probably just password - it abstracts v2/v300:04
jamielennoxif we have auth_type unset and people see username and password etc options then they change all those values and then wonder why they don't work00:04
zigoWell, can't we set v3password as the default value?00:04
zigoI'd vote for it...00:05
jamielennoxzigo: this comes full circle because that would break everyone that hasn't set an auth_type already - which is why we are getting more aggressive deprecating the old options00:06
zigoHum...00:07
zigoI see.00:08
zigoI'll think about it! :P00:08
jamielennoxzigo: yea, i completely agree with everything - i'd love to have an easy way to define all this but we're in a bit of a bind00:08
zigoThough what we have right now is really not satisfying at all, that's for sure.00:08
zigooh, and yes, what neutron does creates a *very* confusing result, I can agree with that.00:09
zigoIt took me a while to understand what to do.00:09
jamielennoxzigo: this has been the problem with auth plugins all along, they're very flexible but it leaves you less of an obvious default00:10
jamielennoxwhat i did build in originally that has never really been used is auth_sections00:10
jamielennoxthis was the best we could come up with for doc as well00:11
zigoBTW, is everyone (ie: all services) already compatible with v3password auth?00:11
jamielennoxzigo: they should be, particularly if it's a plugin they won't notice the difference00:11
jamielennoxzigo: for auth_token everyone is00:11
zigoOk.00:12
jamielennoxbecause we control that00:12
zigoThanks a lot for all the explanations.00:12
jamielennoxzigo: no problem - if you can come up with a good solution i'd love to hear it00:12
jamielennoxi think auth_section is the best we can do00:13
zigojamielennox: I need to sleep on it, and think about it tomorrow when my CI runs successfully again! :)00:13
zigoI do like the idea, though we got to provide some working by default auth_section stuff.00:13
zigoI could add them manually at the packaging level too though...00:13
jamielennoxright, it would at least let you have a section like [keystonepassword] that you could auto fill with defaults00:13
zigo[auth_section_v3password]00:14
zigoSomething like that ...00:14
jamielennoxand then it becomes obvious in auth_token when you say auth_section = keystonepassword00:14
jamielennoxthat you are actually opting it to that type of auth00:14
zigoRight.00:14
jamielennoxobviously not perfect, but ...00:15
*** tqtran has quit IRC00:15
jamielennoxoo, i broke the gate again overnight :)00:15
*** spandhe_ has quit IRC00:15
*** pushkaru has quit IRC00:16
jamielennoxthis is why devstack won't merge my stuff00:16
zigo:)00:17
*** spandhe has joined #openstack-keystone00:17
zigoIf you never break the gate overnight, then you aren't really contributing upstream ! :)00:17
jamielennoxzigo: at least my overnight is everyone else's daytime00:18
zigojamielennox: Where do you live?00:19
jamielennoxzigo: sydney, austrlaia00:19
zigoNew zealand?00:19
jamielennoxzigo: sydney, australia00:19
zigoAh... close ! :)00:19
*** spandhe has quit IRC00:19
jamielennoxzigo: don't let them hear you say that00:19
*** henrynash has quit IRC00:19
jamielennoxit's like being confused for canadian00:19
zigojamielennox: I moved from China a year ago, I know what it feels like: they will never be able to get ahead of us! :P00:20
zigojamielennox: Anyway, I shall go sleep now, bye and thanks again.00:22
jamielennoxzigo: no problem - talk to you later00:22
*** pushkaru has joined #openstack-keystone00:25
stevemarjamielennox: you broke the gate?00:30
jamielennoxstevemar: devstack patch to remove /v2.0 from keystone endpoint00:30
stevemarhttps://review.openstack.org/#/c/285879/00:31
patchbotstevemar: patch 285879 - openstack-dev/devstack - Use unversioned keystone endpoints (MERGED)00:31
stevemari didn't realize there was fall out00:31
*** furface has quit IRC00:31
jamielennoxstevemar: https://review.openstack.org/#/c/302449/00:32
patchbotjamielennox: patch 302449 - openstack-dev/devstack - Revert "Use unversioned keystone endpoints" (MERGED)00:32
stevemarwomp womp00:32
*** furface has joined #openstack-keystone00:32
jamielennoxi don't know exactly what, but the tempest fix it depends-on is not in a released version00:32
*** pushkaru has quit IRC00:32
jamielennoxwhich is admittedly not good - but tempest is installed from source so i don't know why it was a problem00:32
stevemarohhh00:32
stevemarthats a bit weird00:33
stevemarunfortunate00:34
jamielennoxbased on comments they seem willing to redo it after a tempest release and version bump00:37
jamielennoxbut it doesn't help my case on getting devstack things merged )00:37
jamielennox:000:37
jamielennoxgah - :)00:37
jamielennoxhttps://review.openstack.org/#/c/302480/100:37
patchbotjamielennox: patch 302480 - openstack-dev/devstack - Revert "Revert "Use unversioned keystone endpoints""00:37
*** furface has quit IRC00:38
*** jrist has quit IRC00:39
*** furface has joined #openstack-keystone00:39
mtreinishjamielennox: I would have just pushed a release today to unblock things00:40
*** lhcheng has quit IRC00:40
mtreinishbut with the mitaka release tomorrowish it didn't make sense00:41
jamielennoxmtreinish: yea - people get funny about gate stuff, there are already 2 +2s on the revert revert so it's not a big deal00:41
jamielennoxit was always supposed to wait till newton00:41
*** jrist has joined #openstack-keystone00:42
*** browne has quit IRC00:47
*** dave-mcc_ has quit IRC00:51
*** spandhe has joined #openstack-keystone00:53
*** dave-mccowan has joined #openstack-keystone00:54
*** harlowja has quit IRC01:00
*** dan_nguyen has quit IRC01:02
*** dave-mccowan has quit IRC01:03
*** harlowja has joined #openstack-keystone01:03
dimsmtreinish : thanks for holding off :)01:08
*** diazjf has joined #openstack-keystone01:08
dimsjamielennox : all sorted out with zigo? :)01:08
jamielennoxdims: i think enough for now, there isn't a great solution so at least he is aware of the problem and can try and work something out from there01:09
dimsright thanks.01:09
dimsjust making sure we are on for release tomorrow :)01:09
*** agrebennikov has joined #openstack-keystone01:10
*** tqtran has joined #openstack-keystone01:11
*** diazjf has quit IRC01:12
*** tqtran has quit IRC01:16
*** agrebennikov has quit IRC01:20
*** sdake has quit IRC01:28
*** EinstCrazy has joined #openstack-keystone01:29
*** sdake has joined #openstack-keystone01:32
*** agrebennikov has joined #openstack-keystone01:32
*** stingaci has joined #openstack-keystone01:34
*** stingaci has quit IRC01:51
*** stingaci has joined #openstack-keystone01:51
*** zqfan has joined #openstack-keystone01:54
*** stingaci has quit IRC02:07
ayoungjamielennox, so...I think I merged @controller.filterprotected into @controller.protected. tox running now.02:15
*** browne has joined #openstack-keystone02:16
jamielennoxayoung: that's going to be fun to review02:17
jamielennoxayoung: i always thought the decorator there was the wrong approach02:17
jamielennoxit's too complex02:17
jamielennoxyou have to have the resource available to do any enforcement on it02:17
ayoungjamielennox, well it certainly is not simpler merged02:17
jamielennoxit should just be a method call,02:18
jamielennoxi did that when i attempted pecan, and then had a flag on the request object (cause it was thread local) to say it had had policy applied to make sure we didn't do anything dumb02:18
ayoungjamielennox, this is just a step02:18
jamielennoxthat's still the best way i can think of doing it, current system is way too complex + magic02:18
ayoungat least it is a single decorator02:19
ayoungtrying to get the guts out of that function02:19
ayoungso the decorator can go away02:19
*** sdake_ has joined #openstack-keystone02:20
jamielennoxit's a fun one02:20
*** sdake has quit IRC02:22
*** richm has quit IRC02:33
*** EinstCrazy has quit IRC02:35
*** lhcheng has joined #openstack-keystone02:35
*** ChanServ sets mode: +v lhcheng02:35
*** EinstCrazy has joined #openstack-keystone02:36
*** edmondsw has quit IRC02:36
*** agrebennikov has quit IRC02:41
openstackgerritayoung proposed openstack/keystone: enforcement logic refactored  https://review.openstack.org/27926302:52
ayoungsamueldmq, ^^ there ya go. How many lines did I make it?02:52
ayoungStill a net loss!02:53
stevemarayoung: by 6 ;)02:57
ayoungstevemar, yeah, it is mostly reshuffling, but the logic between the two decorators was so duplicated02:57
ayoungstevemar, the reason I wanted that one cleaned up is that I want to get the policy enforcement extractable, and possibly into the middleware so that the logic is roughly the same everywhere. But we have this wonky approach to fetching resources from the Database that won't work for the other services02:59
*** openstackstatus has quit IRC03:01
stevemaroh i do like the re-written form: @controller.protected(filters=['domain_id', 'enabled', 'name'])03:05
*** sdake_ has quit IRC03:06
stevemarayoung: one issue03:06
*** jasonsb has joined #openstack-keystone03:06
*** sdake has joined #openstack-keystone03:07
ayoungstevemar, yeah?03:11
openstackgerritayoung proposed openstack/keystone: enforcement logic refactored  https://review.openstack.org/27926303:13
*** sdake has quit IRC03:17
*** sdake has joined #openstack-keystone03:18
*** sdake has quit IRC03:28
*** lhcheng has quit IRC03:39
*** sheel has joined #openstack-keystone03:41
*** mylu has quit IRC03:45
*** Daviey has quit IRC03:50
*** Daviey has joined #openstack-keystone03:50
*** sekrit has quit IRC03:51
*** dave-mccowan has joined #openstack-keystone03:57
*** dave-mcc_ has joined #openstack-keystone03:58
*** dave-mccowan has quit IRC04:01
*** mylu has joined #openstack-keystone04:02
*** lhcheng has joined #openstack-keystone04:03
*** ChanServ sets mode: +v lhcheng04:03
*** sekrit has joined #openstack-keystone04:05
*** links has joined #openstack-keystone04:12
*** shoutm has joined #openstack-keystone04:15
*** Nirupama has joined #openstack-keystone04:28
*** dflorea has joined #openstack-keystone04:44
*** mylu has quit IRC04:45
*** GB21 has joined #openstack-keystone05:00
*** shoutm_ has joined #openstack-keystone05:00
*** shoutm has quit IRC05:03
*** jaosorior has joined #openstack-keystone05:13
*** ankur has quit IRC05:21
*** dflorea_ has joined #openstack-keystone05:26
*** dflorea has quit IRC05:28
*** shoutm_ has quit IRC05:36
*** shoutm has joined #openstack-keystone05:39
*** rcernin has joined #openstack-keystone05:45
*** dflorea_ has quit IRC06:07
*** GB21 has quit IRC06:12
*** GB21 has joined #openstack-keystone06:12
stevemarjamielennox: around?06:16
*** henrynash has joined #openstack-keystone06:16
*** ChanServ sets mode: +v henrynash06:16
jamielennoxstevemar: maybe06:16
stevemarjamielennox: question about kerberos06:17
stevemarjamielennox: why is there no entrypoint for it here: https://github.com/openstack/keystoneauth/blob/master/setup.cfg ?06:17
jamielennoxnope - not here06:17
stevemar:)06:17
jamielennoxstevemar: umm, i'm guessing it got forgotten?06:17
stevemarhow can i use kerberos via osc with auth type?06:18
jamielennoxthough that's weird06:18
stevemaris it because it's under "extras"?06:18
jamielennoxextras is just the things installed with keystoneauth[extras]06:19
jamielennoxextras is just the things installed with keystoneauth[kerberos]06:19
stevemaryep06:19
jamielennoxso same thing the saml plugin isn't there06:19
stevemarbut i'm wondering if it being optional is why we didn't create an entrypoint for it06:19
stevemarso, hows it supposed to be used?06:19
jamielennoxhmm06:19
stevemarif you can't load the options06:20
jamielennoxstevemar: it could be a problem06:20
jamielennoxhttps://github.com/openstack/keystoneauth/blob/master/keystoneauth1/extras/kerberos.py#L2506:20
stevemarjamielennox: even here we advertise it: https://github.com/openstack/python-keystoneclient-kerberos/blob/master/setup.cfg#L2506:20
jamielennoxrequests_kerberos is imported at the top of the file06:20
stevemarjamielennox: yes it is06:21
jamielennoxso if you were to iterate plugins, like how OSC does for example, then having an entrypoint would fail06:21
jamielennoxon the other hand, if you don't have an entry point there's just no way to use it via --os-auth-type06:21
stevemarjamielennox: we could try/except that06:21
stevemarright06:21
jamielennoxstevemar: could, but i think it should be a plugin thing06:21
jamielennoxstevemar: ok, that's bad06:22
jamielennoxstevemar: actually, there's no loader for it at all06:23
stevemarwhy no loader?06:24
jamielennoxi've no idea06:24
jamielennoxso the saml2 one never got made public06:25
jamielennoxi remember that because marek and i were arguing about how something would work06:25
jamielennoxhttps://github.com/openstack/keystoneauth/tree/master/keystoneauth1/extras06:25
*** pcaruana has joined #openstack-keystone06:26
*** GB21 has quit IRC06:26
stevemarseems like something we should resolve soon :\06:27
jamielennoxstevemar: so, it needs a loader to make it work, and we should fix it, but i haven't tested kerberos since i left redhat06:28
jamielennoxwe should probably ping ayoung and see if he's using the keystoneauth version or the keystoneclient one06:28
*** GB21 has joined #openstack-keystone06:28
stevemarthats not unsurprising :P06:28
stevemarprobably keystoneclient one, since the ksa can't be loaded :)06:28
jamielennoxstevemar: that would be my guess06:28
stevemarokay, someone emailed me about this lately, asking if he should open a bug06:29
stevemari'll tell him to do so06:29
jamielennoxyep06:29
stevemarjamielennox: i'll ask morgan to chime in, ksa is his baby too06:30
stevemarjamielennox: i wonder if this will be helpful: http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/ :)06:31
jamielennoxstevemar: everyone's a comedian06:31
stevemarjamielennox: <306:31
jamielennoxstevemar: but we had full on kerberized deployment scripts that included using auth_token middleware with kerberos auth - that's been ksa for a while now06:32
jamielennoxmaybe they just haven't been run for a while06:32
* stevemar shrugs06:32
stevemarbetter poke at people with red hats -- nkinder ayoung06:33
stevemaroff to bed, time to make the summit schedule tomorrow06:33
*** henrynash has quit IRC06:39
*** tqtran has joined #openstack-keystone06:43
*** GB21 has quit IRC06:44
*** GB21 has joined #openstack-keystone06:44
*** tesseract has joined #openstack-keystone06:45
*** tesseract is now known as Guest1287606:45
*** tqtran has quit IRC06:47
*** GB21 has quit IRC06:51
*** GB21 has joined #openstack-keystone06:54
*** woodster_ has quit IRC06:57
*** spandhe has quit IRC06:59
*** EinstCra_ has joined #openstack-keystone06:59
*** GB21 has quit IRC07:02
*** EinstCrazy has quit IRC07:02
*** GB21 has joined #openstack-keystone07:03
*** dave-mcc_ has quit IRC07:09
*** GB21 has quit IRC07:16
*** fhubik has joined #openstack-keystone07:23
*** GB21 has joined #openstack-keystone07:29
*** daemontool has joined #openstack-keystone07:32
*** GB21 has quit IRC07:37
*** jamielennox is now known as jamielennox|away07:45
*** lhcheng has quit IRC07:45
*** browne has quit IRC07:47
*** jaosorior has quit IRC07:47
*** jaosorior has joined #openstack-keystone07:47
*** henrynash has joined #openstack-keystone08:07
*** ChanServ sets mode: +v henrynash08:07
*** pnavarro has joined #openstack-keystone08:07
*** nkinder has quit IRC08:08
*** pnavarro has quit IRC08:13
*** nkinder has joined #openstack-keystone08:21
*** GB21 has joined #openstack-keystone08:26
*** openstackstatus has joined #openstack-keystone08:29
*** ChanServ sets mode: +v openstackstatus08:29
*** jistr has joined #openstack-keystone08:30
-openstackstatus- NOTICE: jobs depending on npm are now working again08:33
*** daemontool has quit IRC08:41
*** shoutm_ has joined #openstack-keystone08:43
*** shoutm has quit IRC08:46
*** e0ne has joined #openstack-keystone08:50
*** EinstCra_ is now known as EinstCrazy08:51
*** jaosorior has quit IRC08:59
*** jaosorior has joined #openstack-keystone09:00
*** fhubik has quit IRC09:07
*** fhubik has joined #openstack-keystone09:24
*** links has quit IRC09:31
*** alex_xu has quit IRC09:32
*** alex_xu has joined #openstack-keystone09:36
*** mvk has joined #openstack-keystone09:41
*** shoutm_ has quit IRC09:43
*** mkrcmari__ has quit IRC09:43
*** links has joined #openstack-keystone09:44
*** mvk_ has joined #openstack-keystone09:49
*** mvk has quit IRC09:53
*** mhickey has joined #openstack-keystone09:54
*** akanksha_ has joined #openstack-keystone10:01
*** shoutm has joined #openstack-keystone10:12
*** daemontool has joined #openstack-keystone10:22
*** GB21 has quit IRC10:28
*** EinstCrazy has quit IRC10:30
*** GB21 has joined #openstack-keystone10:31
*** fhubik has quit IRC10:34
*** mhickey has quit IRC10:35
*** links has quit IRC10:39
*** Guest12876 is now known as tesseract10:47
*** mvk_ has quit IRC10:47
*** tesseract is now known as Guest7403610:48
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/30062610:48
*** GB21 has quit IRC10:49
*** mhickey has joined #openstack-keystone10:50
*** GB21 has joined #openstack-keystone10:50
*** alex_xu has quit IRC10:55
*** links has joined #openstack-keystone10:56
*** alex_xu has joined #openstack-keystone10:57
*** shoutm has quit IRC11:02
*** henrynash has quit IRC11:13
*** mvk_ has joined #openstack-keystone11:16
DinaBelovamorgan dims - I've rechecked the authtoken middleware caching on Mitaka - so yes, that was affected by the same sporadic connection issue -> marking https://bugs.launchpad.net/keystone/+bug/1566857 as invalid11:16
openstackLaunchpad bug 1566857 in OpenStack Identity (keystone) "Keystone authtoken middleware seems to work wrong with memcached cache" [Undecided,Invalid]11:16
DinaBelovamorgan dims although I face local cache behaviour I do not expect :( All memoized (cached) values are got from the Memcache on my env - no local context cache is used. Technically I'm tracking if I reach https://github.com/openstack/keystone/blob/master/keystone/common/cache/_context_cache.py#L78-L80 - I'm adding these operations profiling to the trace - and I should jump here if local cache is used, but I see nothing :(11:21
DinaBelovamorgan please take a look if you'll have a moment today11:21
*** GB21 has quit IRC11:21
dimsDinaBelova : thanks for the update11:29
*** ksnihyr has joined #openstack-keystone11:32
ksnihyrHi, all! Can someone help me to work with keystonemiddleware? I want to retrieve the service catalog from a request to my API. I found this way: parse the X-Service-Catalog header. Is it the right way, or does a better one exist?11:36
*** alex_xu has quit IRC11:41
*** jhesketh has joined #openstack-keystone11:43
*** alex_xu has joined #openstack-keystone11:43
*** ChanServ changes topic to "mitaka-3 done, no more features (you missed your chance) until Newton | Tag bugs as rc-potential - fix more bugs! | https://launchpad.net/keystone/+milestone/mitaka-rc1"11:44
*** shoutm has joined #openstack-keystone11:44
*** GB21 has joined #openstack-keystone11:52
*** gordc has joined #openstack-keystone11:55
*** trown|outtypewww is now known as trown12:04
*** EinstCrazy has joined #openstack-keystone12:06
*** jhesketh has quit IRC12:07
*** jhesketh has joined #openstack-keystone12:07
*** GB21 has quit IRC12:16
*** raildo-afk is now known as raildo12:18
*** edmondsw has joined #openstack-keystone12:23
*** doug-fish has joined #openstack-keystone12:26
morganDinaBelova: I would need to see the trace point you're adding. I know that the local cache works when enabled, but remember it only is used if that specific http request makes the same call twice.12:32
morganDinaBelova: and what request you are using to test it12:32
DinaBelovamorgan - sure - I've created https://bugs.launchpad.net/keystone/+bug/1567403 just to share the information. I used server create for testing - the html is attached to the bug. I was wrapping https://github.com/openstack/keystone/blob/master/keystone/common/cache/_context_cache.py#L78-L80 to see if it was called12:34
openstackLaunchpad bug 1567403 in OpenStack Identity (keystone) "Local context cache seems to work unproperly" [Undecided,New]12:34
DinaBelovaI can see that get_domain  function was called twice per Keystone API call12:34
DinaBelovaand both times it went to Memcached12:35
morganAlso be very careful about wrapping the cache stuff12:35
DinaBelovamorgan - sure, for Memcache I was checking that https://bitbucket.org/zzzeek/dogpile.cache/src/c6913eb143b24b4a886124ff0da5c935ea34e3ac/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-617 was called12:35
ayoungstevemar, so last I tested this was last summer.  export OS_AUTH_TYPE=v3fedkerb12:35
DinaBelovato say that "it was value got from memcache"12:36
DinaBelovamorgan - if nothing was found in memcache NeedRegenerationException will be raised and then gen_value() triggered12:36
morganHow are you hooking into these things? Monkey patching?12:36
morganBecause you're examining some stuff pretty deep in the stack12:37
DinaBelovaI'm wrapping these lines with profiler.Trace() - https://github.com/openstack/osprofiler/blob/master/osprofiler/profiler.py#L31312:38
DinaBelovathat in fact sends notification on entering and notification on exit12:38
DinaBelovawith info about parent point in the tree, timestamp, etc.12:38
morganHow do you wrap the dogpile region line?12:39
DinaBelovaI have several stuff added12:39
DinaBelovaone moment12:39
morganOk12:39
*** shoutm has quit IRC12:39
*** Nirupama has quit IRC12:39
DinaBelovamorgan http://paste.openstack.org/show/493313/12:41
morganSo you are monkey patching it basically?12:42
*** doug-fish has quit IRC12:42
morganSupplying your own gen_value?12:42
DinaBelovaas fn_info_tuple I use info passed from cache_on_arguments12:42
DinaBelovait's not my own, I just wrap the line where self.backend.set(key, value) is called12:42
DinaBelovaand that's it12:42
*** doug-fish has joined #openstack-keystone12:42
DinaBelovamorgan yes12:43
morganDo NOT do that12:43
morganDon't monkey patch libraries12:43
DinaBelovamorgan I need this to see if the memcache was really called in the trace12:43
morganSorry no12:43
morganI mean I won't let that land12:44
DinaBelovaI'm not proposing to land it12:44
morganLet me explain. Sec12:44
morganOK.12:44
DinaBelovait's just for debug purposes12:44
morganPhew!12:44
morganSorry, you can see why I was worried then ^_^12:44
DinaBelova:D12:44
DinaBelovamorgan I'm not crazy :D12:45
DinaBelovaalthough I may look like12:45
morganHey, sometimes I have to check ;)12:45
DinaBelovaall modifications to dogpile/cache were ONLY for debug purposes12:45
DinaBelovaand that's it12:45
DinaBelovasorry for confusion :)12:45
morganAll good.12:45
DinaBelovajust to generate a bit more human-readable thing12:45
*** henrynash has joined #openstack-keystone12:46
*** ChanServ sets mode: +v henrynash12:46
DinaBelovaas I can trace almost everything from keystone, but not easily understand what function was memoized and with what args :( that's reachable only from dogpile code :(12:46
morganThe memoization stuff is not easy12:47
morganTo trace.12:47
DinaBelovaindeed12:47
DinaBelovatherefore all these stuff :(12:47
morganSo, the easiest way to check on the calls is using a dogpile proxy12:47
*** doug-fish has quit IRC12:47
*** sigmavirus24_awa is now known as sigmavirus2412:47
DinaBelovamorgan - I wanted to use it - even from your local thread context - but I won't be able to grab memoized function name, args, kwargs12:48
morganIf you look at how the request local cache is implemented, it actually is a proxy object that lives below the dogpile region.12:48
morganYou can stack proxies12:48
morganSo you could do region -> debug proxy -> request local -> debug proxy -> backend12:49
morganThe proxies are applied in order12:49
morganYou can also change the generate_key_fn to debug12:49
morganWhich does the hashing.12:50
DinaBelovamorgan ok, I can write this proxy and add as a specific debug proxy12:50
morganSo, it would output the fn, the args, etc12:50
DinaBelovamorgan ack12:50
morganYep12:50
DinaBelovamorgan - although still please take a look on what I've seen12:50
morganI will.12:50
morganIt will be a bit sporadic as I have meetings all day12:51
morganAt the very least, i'll be back to normal schedule tomorrow.12:51
DinaBelovamorgan I can clearly understand it, sir :)12:51
morganOK, need to get moving... Breakfast soon and need to check out of the hotel.12:53
*** doug-fish has joined #openstack-keystone12:54
DinaBelovamorgan good luck man :)12:55
*** doug-fis_ has joined #openstack-keystone12:56
*** richm has joined #openstack-keystone12:56
*** pnavarro has joined #openstack-keystone12:58
*** doug-fish has quit IRC12:59
*** rodrigods has quit IRC13:01
*** rodrigods has joined #openstack-keystone13:01
*** shoutm has joined #openstack-keystone13:01
*** pnavarro_ has joined #openstack-keystone13:03
*** henrynash has quit IRC13:04
*** henrynash has joined #openstack-keystone13:05
*** ChanServ sets mode: +v henrynash13:05
*** pnavarro has quit IRC13:06
*** mvk_ has quit IRC13:11
*** mvk has joined #openstack-keystone13:13
samueldmqayoung: nice, will look13:13
*** daemontool has quit IRC13:17
*** shoutm has quit IRC13:18
*** doug-fis_ has quit IRC13:23
*** shoutm has joined #openstack-keystone13:25
morganDinaBelova: thnx13:27
DinaBelovamorgan btw generate_key_fn is defined in dogpile in fact13:28
*** daemontool has joined #openstack-keystone13:28
DinaBelovaand the only place it's wrapped is oslo.cache that's still lib13:28
morganIt is. You can override it via config or via Oslo.cache13:28
morganConfig = dogpile config13:28
morganSo you can provide your own with debug logic13:28
morganKnowing the fn, args, etc13:29
DinaBelovaoh ,interesting13:29
DinaBelovathanks13:29
morgan^_^13:29
DinaBelovamorgan - sorry, can you point me to the dogpile or oslo.config config option where I should change it?13:36
*** jsavak has joined #openstack-keystone13:36
*** roxanaghe has joined #openstack-keystone13:37
*** rderose has joined #openstack-keystone13:37
*** pauloewerton has joined #openstack-keystone13:39
*** roxanaghe has quit IRC13:41
*** links has quit IRC13:46
*** rderose has quit IRC13:47
*** woodburn1 has joined #openstack-keystone13:49
*** rderose has joined #openstack-keystone13:49
*** woodburn has quit IRC13:50
*** ametts has joined #openstack-keystone13:56
ayounglbragstad, so, something looks really wrong with Fernet tokens and role assignment removal14:03
lbragstadayoung ?14:04
lbragstadayoung wrapping up some emails but go ahead14:04
ayounglbragstad, I've been looking at the failure on the WIP default for14:04
ayoungkeystone.tests.unit.test_v3_auth.TestFernetTokenAPIs.test_domain_scoped_token_is_invalid_after_deleting_grant14:04
ayoungand...its now what I thought it was14:04
ayounglbragstad, I thought it was a case of there being a role left behind, so a token that was valid with 2 roles would end up being valid with only one role14:05
ayounglet me link to the code14:05
ayounglbragstad, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_auth.py#n29114:06
ayounglbragstad, so I added in a call to validate the token and dump the contents...14:07
ayounglet me paste what I get14:07
*** sdake has joined #openstack-keystone14:07
ayounghttp://paste.openstack.org/show/493339/14:07
ayounglbragstad, scary part is 'roles': [{'id': '8a3c606c65824abaaa3e25fc09bbfe69', 'name': 'admin'}],14:08
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Add API Change Tutorial  https://review.openstack.org/30278914:08
ayounglbragstad, It only happens when the role is removed. I've tried a couple probes like this:14:08
samueldmqayoung: stevemar: dstanek: bknudson ^ still wip, but certainly a good thing to have14:08
ayoung1. Change the user up front. self.user = self.create_user14:09
ayoungthat fails outright...which is strange14:09
*** slberger has joined #openstack-keystone14:09
ayoung2. fetch a token prior to doing the role assignment. That gets a 40. which is what it should get14:10
*** knikolla has joined #openstack-keystone14:10
ayoung3.  Try dropping the admin role from the user.  User does not have the admin role14:10
ayoungso, it looks like, in the fernet case, dropping the grant is sticking an admin role on the validation14:10
ayoungBut....this only happens on the WIP....14:11
ayoungwhich means that it probably is from the WIP changes...14:11
lbragstadhuh14:12
lbragstadweird14:12
*** sdake has quit IRC14:12
lbragstadayoung when test_domain_scoped_token_is_invalid_after_deleting_grant fails14:12
lbragstadhow does it fail?14:13
lbragstadayoung does it fail because http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_auth.py#n304 isn't true?14:13
ayounglbragstad, so, just verified it runs, and runs correctly before my patch.  So it is something I am doing14:13
lbragstadoh14:13
ayounglbragstad, that is correct14:13
raildolbragstad: https://review.openstack.org/#/c/258650/30/keystone/assignment/core.py14:13
patchbotraildo: patch 258650 - keystone - [WIP]Make fernet default token provider14:13
lbragstadso it shouldn't be able to validate that token because the role assignment/grant has been removed14:14
lbragstadgot it14:14
ayounglbragstad, but I think that in the existing code, Fernet is not tested with revocation events?14:14
raildolbragstad: I tried to skip the revocation event, but the tokens still valid on this case14:14
lbragstadayoung we wouldn't need a revocation event in that case would we? Since we're rebuilding the auth context?14:14
lbragstador rebuilding the role assignments rather?14:14
ayounglbragstad, right. It should be tested only against existing role assignments, and, since there are none, it should fail14:15
lbragstadayoung yeah - that makes sense14:15
lbragstadso the question is - why is it still getting role assignments?14:16
lbragstadright?14:16
*** mylu has joined #openstack-keystone14:17
openstackgerritDina Belova proposed openstack/keystone: Add DB operations tracing  https://review.openstack.org/29453514:18
openstackgerritDina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone  https://review.openstack.org/10336814:18
openstackgerritDina Belova proposed openstack/keystone: Add cache profiling  https://review.openstack.org/30279914:18
lbragstadthis actually sounds cache related14:18
raildolbragstad: I have this feeling too14:19
lbragstadraildo but ayoung did say that it is only occurring in the patch14:19
lbragstadraildo so we might be doing something in patch 258650 and not invalidating a cache14:20
patchbotlbragstad: https://review.openstack.org/#/c/258650/ - keystone - [WIP]Make fernet default token provider14:20
ayounglbragstad, I'm going to start putting some debugging into the verification path. It's kind of a pain to do with RPDB though14:20
openstackgerritDina Belova proposed openstack/keystone: [WIP] Add cache profiling  https://review.openstack.org/30279914:20
lbragstadayoung you're going to start debugging self.token_provider_api.validate_token ?14:21
raildolbragstad: if you remove the "if self.token_provider_api._needs_persistence" on this file, you will get a forbidden for every request that you make after delete a grant14:21
lbragstadayoung self.token_provider_api.validate_token is your starting point?14:21
*** sdake has joined #openstack-keystone14:21
ayounglbragstad, yep14:21
raildolbragstad: ayoung I'm thinking that it is some error related to this code: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L443-L45514:22
ayounglbragstad, ok, wait, this might be easier to debug than I thought14:22
ayoungdoes not need to go through the web layer14:22
openstackgerritDina Belova proposed openstack/keystone: [WIP] Add cache profiling  https://review.openstack.org/30279914:22
lbragstadayoung right14:22
ayoungraildo, let me debug...I'll look14:22
lbragstadayoung you could walk it down from https://github.com/openstack/keystone/blob/d0d38bec290cfe07092fd090ccbe09160b6d314d/keystone/token/provider.py#L20414:22
*** stingaci has joined #openstack-keystone14:23
*** pnavarro_ has quit IRC14:25
*** pnavarro_ has joined #openstack-keystone14:28
*** stingaci has quit IRC14:28
dimsstevemar : folks : this still good? https://review.openstack.org/#/c/299593/14:34
patchbotdims: patch 299593 - requirements - Update keystoneclient lower bound14:34
*** mylu has quit IRC14:37
openstackgerritMerged openstack/keystone: Merge tag '9.0.0'  https://review.openstack.org/30256714:41
*** mylu has joined #openstack-keystone14:42
dstanek/  2814:43
dstanekyeah, typing with one hand14:44
*** stingaci has joined #openstack-keystone14:46
dimsstevemar dstanek : this still good to release? https://review.openstack.org/#/c/300965/14:46
patchbotdims: patch 300965 - releases - release keystoneauth 2.5.014:46
*** ametts has quit IRC14:48
*** ametts has joined #openstack-keystone14:49
*** david_cu has joined #openstack-keystone14:51
*** david_cu has quit IRC14:52
*** stingaci has quit IRC14:52
lbragstadare we not using sched for the summit schedule?14:52
*** david_cu has joined #openstack-keystone14:52
*** timcline has joined #openstack-keystone14:52
*** sigmavirus24 is now known as sigmavirus24_awa14:55
*** sigmavirus24_awa is now known as sigmavirus2414:55
*** david_cu_ has joined #openstack-keystone14:55
openstackgerritRon De Rose proposed openstack/keystone: Move the resource abstract base class out of core  https://review.openstack.org/30282614:56
*** david_cu has quit IRC14:57
*** ametts has quit IRC14:57
*** ametts has joined #openstack-keystone14:58
*** woodster_ has joined #openstack-keystone15:00
*** david_cu_ has quit IRC15:00
ayoungok,  so the assigned role *is* admin15:00
ayoungand that is the case for the master path15:00
openstackgerritRon De Rose proposed openstack/keystone: Move the assignment abstract base class out of core  https://review.openstack.org/29963515:01
*** Guest74036 has quit IRC15:10
*** stingaci has joined #openstack-keystone15:12
*** real56 has joined #openstack-keystone15:13
*** ksnihyr has quit IRC15:16
*** anush_ has joined #openstack-keystone15:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/30062615:22
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/30285515:22
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/30076415:22
*** shoutm has quit IRC15:22
*** alex_xu has quit IRC15:25
*** stevemar changes topic to "MITAKA is released! Thanks to everyone that contributed!"15:28
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/30288115:28
*** alex_xu has joined #openstack-keystone15:29
*** david_cu has joined #openstack-keystone15:29
jdandreaIs there any way to call TokenManager.validate() and have the client use the publicurl and not the adminurl?15:29
jdandrea(using an admin user token to create the client, ofc.)15:30
*** arunkant_ has joined #openstack-keystone15:30
*** agrebennikov has joined #openstack-keystone15:30
bknudsonjdandrea: the interface is specified on the session -- http://docs.openstack.org/developer/keystoneauth/using-sessions.html#service-discovery15:32
*** jsavak has quit IRC15:35
*** links has joined #openstack-keystone15:36
jdandreabknudson: Oh! Thank you. I think I am a bit clueless on the session aspect (though I use it).15:36
*** EinstCrazy has quit IRC15:36
jdandreabknudson So, if I understand correctly, I can limit the interface to public and then it will default to that?15:36
bknudsonjdandrea: you'll have to try it. I'm just going off the docs15:37
jdandreabknudson *nods*15:37
jdandreabknudson ... and that is using session.get, not the higher level TokenManager.validate() or authenticate() calls. Hmm. Maybe I can't then.15:39
bknudsonjdandrea: you create the Client with the session, then you use client.tokens.validate() ??15:40
*** jsavak has joined #openstack-keystone15:40
jdandreabknudson: Yes, I do that now, but when I create Session I can't give it an endpoint filter. http://paste.openstack.org/show/493356/15:42
*** GB21 has joined #openstack-keystone15:42
bknudsonoh, the endpoint_filter is on the get()... hmm15:43
jdandreabknudson: Oh! Check out the next to last paragraph in the Service Discovery section on that link:15:43
*** spzala has joined #openstack-keystone15:43
jdandrea"For example the keystoneauth1.token_endpoint.Token plugin (which is used when you want to always use a specific endpoint and token combination) will always return the same endpoint regardless of the parameters to endpoint_filter"15:43
* jdandrea makes "sad trombone" noise15:43
jdandreaOr I misread it.15:44
bknudsonif you're using the token plugin you set the url when you create that plugin.15:44
bknudsonso if you create the token plugin with the public endpoint it will use that.15:44
jdandreabknudson I think I misread. I'm calling client.tokens.validate() ... is that the token plugin though?15:45
bknudsonno, that's not the token plugin.15:45
jdandreaOk. Then I'm confused. Trying to figure it out from the docs but I'm not succeeding yet.15:46
*** roxanaghe has joined #openstack-keystone15:46
jdandreaI need to figure out how to use keystoneauth1.token_endpoint.Token then, since I want to use a specific endpoint/token combo ... and THEN I call client.tokens.validate()?15:47
*** jaosorior has quit IRC15:47
bknudsonyou can do that... seems like there would be a way to tell keystoneclient which end point you want to use.15:47
*** jaosorior has joined #openstack-keystone15:47
*** jsavak has quit IRC15:47
jdandreabknudson: Right. Seems like. It's difficult trying to figure out what that is though. :/ Looking at source and trying to tease it apart now.15:48
* jdandrea longs to find sample code somewhere15:48
*** jsavak has joined #openstack-keystone15:48
*** links has quit IRC15:48
* jdandrea finds http://docs.openstack.org/developer/keystoneauth/authentication-plugins.html ...15:48
jdandreaGaah, v2 has no sample code. (Using a cluster without v3 at the moment.)15:49
jdandreabknudson: Wait! I'm using v2.Password already (vs. v2.Token). Maybe I can filter it in there.15:50
bknudsondoes keystoneclient even provide validate tokens on v2 client? I haven't even tried keeping the v2 docs up to date.15:51
*** browne has joined #openstack-keystone15:53
*** pcaruana has quit IRC15:53
jdandreabknudson: Not sure (there's a "validate" token?). I just want to validate a token and get info, using a client that was authenticated with a user bearing the admin role.15:54
jdandreaI can do a GET on http://controller:5000/v2.0/tokens/AUTH_TOKEN (with X-Auth-Token set to the token of someone with the admin role) and I do get info back.15:55
bknudsonyou might wind up just calling .get('/v2.0/tokens/...') on the session anyways.15:55
*** henrynash has quit IRC15:55
jdandreaBut when I use the library it fails because it forces adminurl, and our adminurls are on a private network that I can't reach. Yet publicurl works (same for nova, etc.). Hmm.15:55
bknudsonah, I did add it: https://github.com/openstack/python-keystoneclient/blame/master/keystoneclient/v2_0/tokens.py#L7815:56
bknudsonprobably so that authtoken could use it.15:56
jdandreabknudson: Yup. That's what I tried!15:56
*** stingaci has quit IRC15:56
jdandreaIf I try that it goes through adminurl and (for me) fails. If I do a direct GET (no client library use) using publicurl it succeeds.15:56
jdandreaSo I'm trying to still use the client library but not have it go through adminurl.15:57
bknudsonjdandrea: one of the arguments to the Client should be the interface16:01
jdandreabknudson: Ah. I'm just passing the session. Looking at the source ...16:01
*** ametts has quit IRC16:01
bknudsonhttps://github.com/openstack/python-keystoneclient/blame/master/keystoneclient/httpclient.py#L22716:01
*** jasonsb has quit IRC16:02
* jdandrea jaw drop16:03
*** jasonsb has joined #openstack-keystone16:03
jdandreabknudson: I swear, "The More You Know" *whooosh* ... that seems to have done it (I hope). Thank you! Trying it.16:03
bknudsonneat16:03
*** dave-mccowan has joined #openstack-keystone16:03
jdandrea:-o16:05
jdandreaI think it worked! Thank you! (If there's a doc page for this, my apologies. I failed to find it.)16:06
bknudsonhttp://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#keystoneclient.v3.client.Client doesn't include interface as a parameter.16:07
*** e0ne has quit IRC16:08
jdandreaAhh.16:08
*** e0ne has joined #openstack-keystone16:09
jdandreabknudson That's also v3 though.16:10
bknudsonright, I don't care about v216:11
jdandreabknudson: Granted, but I do (stuck with it here for a bit yet, *sighs*).16:11
jdandreaOr is v2 EOL'ed? Please. Give me ammo. :)16:11
bknudsonv2 has security issues that can't be fixed... specifically the token is passed in the URL which is typically logged by web servers16:13
* jdandrea nods16:13
jdandreaThat's a good reason.16:13
*** jsavak has quit IRC16:14
*** ksnihyr has joined #openstack-keystone16:14
*** jsavak has joined #openstack-keystone16:14
ayoungraildo, lbragstad yep, it's caching.  I don't think we should cache token validations16:17
*** ametts has joined #openstack-keystone16:17
lbragstadguh16:17
raildoayoung: this sounds like a big impact on tests...16:17
*** mhickey has quit IRC16:17
raildoon the performance16:18
bknudsontoken validation is what deployers want cached due to the performance.16:18
raildobknudson: that was what I thought16:18
*** mylu has quit IRC16:19
*** mylu has joined #openstack-keystone16:20
*** stingaci has joined #openstack-keystone16:21
ayounglbragstad, Well, it can either be fast or correct.  Which do you want?16:22
*** lhcheng has joined #openstack-keystone16:22
*** ChanServ sets mode: +v lhcheng16:22
*** anush_ has quit IRC16:23
*** anush_ has joined #openstack-keystone16:24
*** trown is now known as trown|lunch16:24
openstackgerritRon De Rose proposed openstack/keystone: Move the resource abstract base class out of core  https://review.openstack.org/30282616:25
raildoayoung: can we invalidate the cache only when we delete a grant (or when we call a revocation event)? this could solve our problem?16:28
ayoungraildo, most likely.  Let me get the tests to run correctly first and then we'll optimize16:28
ayoungraildo, going to have to broadly invalidate on most delete actions, I think16:29
*** jsavak has quit IRC16:29
*** jsavak has joined #openstack-keystone16:29
ayoungthat might be OK, though.  I suspect that deletes are rare, and will just cause a quick blip in perf in the real world.   That should work.16:29
raildoayoung: agreed16:29
raildobknudson: what do you think?16:30
*** david_cu has quit IRC16:30
jdandreabknudson: Thank you so much, again, that saves me a ton of headache, you have no idea.16:30
htrutaayoung: that's what I thought too. Grant deletes don't seem to happen very often16:30
*** stingaci has quit IRC16:31
*** pnavarro_ has quit IRC16:34
*** mylu has quit IRC16:36
*** spandhe has joined #openstack-keystone16:36
*** david-lyle has quit IRC16:36
*** browne has quit IRC16:37
bknudsonraildo: invalidate the cache works. That's what the customer would have to do.16:37
bknudsony, if it's on the same server and it requires cache invalidation then make that part of the flow16:38
*** spzala has quit IRC16:38
ayoungraildo, looking like that is the same problem with the trust tests16:38
*** spzala has joined #openstack-keystone16:39
*** stingaci has joined #openstack-keystone16:39
ayoungraildo, I'll get the tests to pass, and leave the caching code in but commented out, and I'll resubmit it.  You can work on re-introducing the caching after that.  Deal?16:39
raildoayoung: deal :)16:40
ayoungremoving the caching exposes a couple places where we need to raise different exceptions16:40
ayoungso this should get that covered16:40
ayoungmostly converting not authorized to not found16:40
*** mylu has joined #openstack-keystone16:42
*** e0ne has quit IRC16:42
*** spzala has quit IRC16:43
*** daemontool has quit IRC16:44
*** dflorea has joined #openstack-keystone16:45
*** spzala has joined #openstack-keystone16:45
*** fhubik has joined #openstack-keystone16:46
*** stingaci has quit IRC16:46
*** spzala has quit IRC16:47
*** spzala has joined #openstack-keystone16:48
*** stingaci has joined #openstack-keystone16:48
*** rcernin has quit IRC16:52
*** spzala has quit IRC16:53
*** stingaci has quit IRC16:54
*** real56 has quit IRC17:00
*** jistr has quit IRC17:01
*** mylu has quit IRC17:02
*** fhubik has quit IRC17:02
*** zqfan has quit IRC17:02
*** mylu has joined #openstack-keystone17:03
*** stingaci has joined #openstack-keystone17:04
*** david-lyle has joined #openstack-keystone17:06
*** ametts has quit IRC17:07
*** pcaruana has joined #openstack-keystone17:08
*** david-lyle has quit IRC17:11
lbragstadayoung  I opt for correct17:12
ayounglbragstad, I think we can make it work.  We'll just have to be more aggressive on cache invalidations.  But those should be rare enough that they don't impact performance17:13
*** jasonsb has quit IRC17:13
lbragstadayoung I opt for performance because i think we went the cached route originally17:14
lbragstadayoung if i recall gyee's TODO right17:14
*** stingaci has quit IRC17:15
ayoungrunning tox now.  I knocked out a few of the errors by making the tests just check for keystone.exception.Error.  It is within the API, and it probably maps to the same thing when done via the validation API anyway, just a difference of what the provider returns on a uuid vs fernet failure17:16
lbragstadayoung cool17:16
*** david-lyle has joined #openstack-keystone17:17
*** spzala has joined #openstack-keystone17:17
*** stingaci has joined #openstack-keystone17:18
*** ametts has joined #openstack-keystone17:20
dstanekhmmm.... i thought the VM i setup yesterday was correctly configured for federation. turns out it is not. more fun in my future...17:21
*** browne has joined #openstack-keystone17:21
ayoungdstanek, Shibboleth?17:21
*** spzala has quit IRC17:22
dstanekayoung: yeah17:22
ayoungdstanek, wouldn't happen to be an RDO or RH install would it?17:22
*** stingaci has quit IRC17:23
dstanekayoung: i'm using fedora for this vm. been trying to do that more and more lately17:23
*** david-lyle has quit IRC17:23
ayoungdstanek, ah, cool.  We're supposed to confirm Shib with RH OSP .  Actually, I think rodrigods tagged for that17:24
*** trown|lunch is now known as trown17:24
*** akanksha_ has quit IRC17:27
ayoungraildo, - Failed: 6 still working17:31
*** dflorea has quit IRC17:32
*** anush_ has quit IRC17:32
*** anush_ has joined #openstack-keystone17:33
*** rcernin has joined #openstack-keystone17:33
*** tqtran has joined #openstack-keystone17:33
*** spzala has joined #openstack-keystone17:35
*** stingaci has joined #openstack-keystone17:35
openstackgerritRon De Rose proposed openstack/keystone: Move the resource abstract base class out of core  https://review.openstack.org/30282617:37
*** spzala has quit IRC17:39
rodrigodsayoung, dstanek, exactly :)17:39
*** pnavarro_ has joined #openstack-keystone17:43
*** dflorea has joined #openstack-keystone17:43
*** timcline has quit IRC17:43
*** timcline has joined #openstack-keystone17:44
*** mvk has quit IRC17:45
*** timcline has quit IRC17:49
*** richm has quit IRC17:49
*** anush_ has quit IRC17:50
*** spzala has joined #openstack-keystone17:50
*** anush_ has joined #openstack-keystone17:50
*** aginwala has joined #openstack-keystone17:52
*** e0ne has joined #openstack-keystone17:53
*** david-lyle has joined #openstack-keystone17:56
*** david-lyle has quit IRC17:56
*** dflorea has quit IRC17:56
amakarovmorgan, greetings!17:56
amakarovI've tried splitting abstract interface into client and server17:57
amakarovHere's what I've got: https://gist.github.com/x-eye/7d667415db77fa024fac68285829230517:57
*** david-lyle has joined #openstack-keystone17:58
*** pushkaru has joined #openstack-keystone17:58
amakarovit's definitely possible17:58
*** dflorea has joined #openstack-keystone17:59
*** jsavak has quit IRC18:01
*** diazjf has joined #openstack-keystone18:02
*** anush_ has quit IRC18:02
*** jsavak has joined #openstack-keystone18:02
*** e0ne has quit IRC18:03
*** richm has joined #openstack-keystone18:05
*** real56 has joined #openstack-keystone18:05
*** david_cu has joined #openstack-keystone18:06
*** timcline has joined #openstack-keystone18:09
*** richm has quit IRC18:10
*** timcline has quit IRC18:10
*** timcline has joined #openstack-keystone18:10
*** aginwala has quit IRC18:10
*** e0ne has joined #openstack-keystone18:13
dstanekamakarov: what are you trying to do?18:13
*** e0ne has quit IRC18:14
*** diazjf has quit IRC18:14
*** aginwala has joined #openstack-keystone18:14
*** aginwala has quit IRC18:16
tjcocozzbknudson, now that experimental gate job is in.  all i need to do is leave a comment on a patch of "check experimental" to run it? Do i add the job name?18:19
*** anush_ has joined #openstack-keystone18:19
bknudsontjcocozz: y, pick a proposed review and check experimental it.18:19
bknudsonthat will run all the experimental jobs18:20
tjcocozzbknudson, done! Just wanted to double check, because it was just merged in this morning.18:20
*** diazjf has joined #openstack-keystone18:23
*** richm has joined #openstack-keystone18:24
*** sdake_ has joined #openstack-keystone18:26
*** doug-fish has joined #openstack-keystone18:26
*** sdake has quit IRC18:26
*** dflorea has quit IRC18:27
amakarovdstanek, last summer I heard an idea to move drivers away from managers and use network to communicate between them. Reading through my federation presentation I've noticed old os-cli didn't have support for some bits. So I wanted to try to do something that will remove the need to track client-server match18:28
*** lhcheng_ has joined #openstack-keystone18:28
edmondswif I've got an auth plugin instance, how do I check the expiration date for its token?18:28
dstanekamakarov: communicate between the server manager instances and the server driver instances? or something else?18:29
amakarovdstanek, in particular18:29
amakarovthis is just a general idea18:30
dstanekamakarov: what is the benefit in doing that?18:30
*** lhcheng has quit IRC18:30
amakarovdstanek, you declare an interface, implement it and it gets split to client and server part automatically thus ideally matching each other18:31
dstanekamakarov: what do you mean gets split to the client?18:31
*** lhcheng has joined #openstack-keystone18:31
*** ChanServ sets mode: +v lhcheng18:31
amakarovit may even remove the need in client library18:31
*** lhcheng_ has quit IRC18:32
amakarovdstanek, look at the client_factory()18:32
dstanekso you basically want code on demand? like flash or activex for the browser18:33
amakarovdstanek, it produces the Client class able to call everything declared in the interface18:33
amakarovdstanek, something like that, maybe18:33
dstanekamakarov: so who owns the code that knows the differences in the18:34
dstanekAPI? the user of the client?18:34
amakarovdstanek, the server part, I think18:35
*** lhcheng has quit IRC18:35
amakarovthough you still need to import it in the client side18:35
dstanekamakarov: someone on the client side will have to know what methods/properties are available18:35
bknudsonI was looking at swagger for a while -- https://review.openstack.org/#/c/287499/ -- you can generate a client from the swagger file.18:36
patchbotbknudson: patch 287499 - keystone - WIP - Generate swagger18:36
*** lhcheng has joined #openstack-keystone18:36
*** ChanServ sets mode: +v lhcheng18:36
dstanekbknudson: sorry, but i have my own swagger18:36
amakarovdstanek, they will know it the same way they know it now: from the import18:36
bknudsonit's actually OpenAPI now, I guess.18:37
*** pnavarro_ has quit IRC18:37
* amakarov googling OpenAPI18:37
dstanekamakarov: as a developer i install ksc 1.2.3 and i know what its interfaces are. in the code-on-demand how will i know?18:38
*** timcline has quit IRC18:38
amakarovyou have to import the interface class18:38
bknudsondstanek: how do you know what the interfaces are?18:38
*** jsavak has quit IRC18:38
amakarovin our case it looks like dragging entire keystone into...18:38
amakarovhmm18:38
dstanekbknudson: docs :-)18:39
dstanekamakarov: so you still have to have a client that matches up with server capabilities?18:39
*** real56 has quit IRC18:39
dstanekinterfaces for new/removed things, etc.18:39
bknudsonhe he18:39
bknudsontry to figure out how to create a user from the docs: http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#keystoneclient.v3.users.UserManager.create18:39
*** jsavak has joined #openstack-keystone18:40
dstanekbknudson: sheesh... haven't you heard of 'code as documentation' :-P18:40
bknudsonoh, that's what you meant by docs.18:40
bknudsonthe code actually does have the args... I think the positional decorator is causing the docs to not see the right docs.18:41
amakarovdstanek, that thing I don't clearly understand... new/removed things18:41
amakarovthe idea is if it changes in the server it changes on the client that very moment18:42
*** spzala has quit IRC18:42
*** real56 has joined #openstack-keystone18:42
amakarovbecause server implements the interface and client just turns it into a proxy18:42
*** aginwala has joined #openstack-keystone18:43
raildoayoung: \o/18:44
*** spzala has joined #openstack-keystone18:44
amakarovdstanek, I understand the situation when some 3-rd party app has tons of code relying on a function that gets removed, then it sticks to the old version - as usual...18:45
*** stingaci has quit IRC18:45
ayoungraildo, looks like Fernet V2 tokens and trusts are still not working together18:45
dstanekamakarov: so working code would be broken when we remove something?18:45
dstanekit's the same situation as with clients known to work with certain server versions18:46
amakarovdstanek, indeed... how is this handled now?18:46
dstanekwe actually do REST wrong on the client side18:46
raildoayoung: maybe we need to depend on this patch: https://review.openstack.org/#/c/278693/ ?18:47
patchbotraildo: patch 278693 - keystone - Make fernet support trust auth against v2.018:47
amakarovdstanek, faking a response of raising something?18:47
dstanekamakarov: if we add or change something it may require a new client to see that. not sure how often we do removals that would impact the client18:47
ayoungraildo, oh..I forget we hadn't merged that18:47
ayoungyep...need that first18:47
amakarovdstanek, I think it's a corner case and can be handled in my concept the very same way18:48
raildoayoung: ok18:48
dstanekamakarov: my biggest fear in doing code on demand is that it would make us that much further from anyone using the REST API18:48
*** stingaci has joined #openstack-keystone18:48
ayounglbragstad, you planning on getting back to  https://review.openstack.org/#/c/278693/  soon?18:49
patchbotayoung: patch 278693 - keystone - Make fernet support trust auth against v2.018:49
amakarovdstanek, tbh I don't have a clear vision of how to implement REST here :) I'm exposing function calls thus I use RPC18:49
*** dflorea has joined #openstack-keystone18:49
*** aginwala has quit IRC18:50
ayoungraildo, I don't think we need to revoke anything, so long as we validate token exists at validation.18:50
ayoungLet me try that./...18:50
ayoungthat one might still be tripping on the caching issues18:50
amakarovayoung, o/18:50
*** spzala_ has joined #openstack-keystone18:50
raildoayoung: if we don't revoke anything, we have to rotate the fernet key?18:51
ayoungraildo, nope18:52
ayoungno relation between those two things18:52
raildoayoung: ok, so we just neet revalidate the related tokens?18:52
amakarovayoung, please review my unified delegation patches when you have some time18:52
raildoneed*18:52
ayoungamakarov, will do18:52
dstanekamakarov: exactly :-) RPC isn't scalable in the same way that REST is. but you were really not doing RPC, but rather dynamically splitting out the client18:53
*** real56 has quit IRC18:53
*** spzala has quit IRC18:53
ayoungraildo, yes, specifically, that the trust is valid18:53
*** spzala has joined #openstack-keystone18:53
raildoayoung: got it18:53
ayoungraildo, I might be able to merge the heart of that patch into the big one, and see if it works...18:53
ayoungneed to make sure the v2 tokens get tagged as trust tokens18:53
*** dflorea has quit IRC18:53
amakarovdstanek, right, that code can be called RPC only conceptually ))18:53
raildoayoung: ++18:54
*** jsavak has quit IRC18:54
lbragstadayoung do we need that to land before the "make fernet default" patch?18:55
*** spzala_ has quit IRC18:55
*** roxanaghe has quit IRC18:56
ayounglbragstad, I think so, and there might be a need to deal with the caching at the same time18:57
*** spzala has quit IRC18:57
*** jsavak has joined #openstack-keystone18:57
ayounglbragstad, the fact that it passed 27 is heartening18:57
*** aginwala has joined #openstack-keystone18:57
lbragstadayoung ++18:57
ayounglbragstad, raildo I'm going to rebase that one and see where that gets us18:57
*** e0ne has joined #openstack-keystone19:00
*** GB21 has quit IRC19:03
*** pushkaru has quit IRC19:03
*** aginwala has quit IRC19:05
*** diazjf has quit IRC19:07
*** diazjf has joined #openstack-keystone19:08
*** david-lyle_ has joined #openstack-keystone19:13
*** roxanaghe has joined #openstack-keystone19:15
*** spzala has joined #openstack-keystone19:15
*** david-lyle has quit IRC19:15
*** real56 has joined #openstack-keystone19:16
*** sigmavirus24 is now known as sigmavirus24_awa19:17
*** aginwala has joined #openstack-keystone19:17
*** david-lyle_ has quit IRC19:19
*** diazjf1 has joined #openstack-keystone19:20
*** pushkaru has joined #openstack-keystone19:21
*** diazjf has quit IRC19:23
*** diazjf1 has quit IRC19:24
*** jaosorior has quit IRC19:27
openstackgerritayoung proposed openstack/keystone: Make fernet support trust auth against v2.0  https://review.openstack.org/27869319:29
ayounglbragstad, raildo hmmm...seems broken still19:29
*** david-lyle has joined #openstack-keystone19:29
lbragstadayoung wasn't all the py27 tests passing?19:29
ayounglbragstad, yeah, but not after rebase19:29
ayounglbragstad, maybe I messed up the rebase, but I think I put everything in the same place s19:30
ayounglbragstad, actually, it looks way too different to be correct19:30
ayoungcare to take a swipe at the rebase?19:31
*** david-lyle has quit IRC19:31
*** david-lyle has joined #openstack-keystone19:31
lbragstadayoung was the latest version you pushed the rebase? ^19:32
ayounglbragstad, yep.  but the tests might have been poorly merged19:32
*** mvk has joined #openstack-keystone19:32
ayounglbragstad, feel free to take it from the top...a few things have changed in the test file since your last successful run19:33
lbragstadayoung ok - i'll take a peek at it19:34
ayoungthanks19:34
*** mvk_ has joined #openstack-keystone19:35
*** mylu has quit IRC19:35
lbragstadayoung thank you19:36
*** david-lyle has quit IRC19:37
*** mylu has joined #openstack-keystone19:38
*** mvk has quit IRC19:39
*** aginwala has quit IRC19:45
*** alex_xu has quit IRC19:54
*** rderose has quit IRC19:55
*** alex_xu has joined #openstack-keystone19:55
*** rderose has joined #openstack-keystone19:55
ayoungraildo, lbragstad so I think I have those changes in the fernet default tree already.  Necessary but not sufficient19:58
*** real56 has quit IRC19:58
ayounglbragstad, what I was seeing was that when reconstituting a v2 token that was built from a trust, it did not have the trust ID inside19:58
*** anush_ has quit IRC19:58
raildoayoung: I suggest putting in the commit message or in any other place, what we have to do to finish this patch, just to make this clear for everybody19:59
*** anush_ has joined #openstack-keystone20:00
raildoayoung: maybe reply that email about the fernet token progress20:00
*** ametts has quit IRC20:01
jdandreaDoes anyone out there restrict their adminurl endpoints to private networks (separate from publicurl endpoints)? I can reach our publicurl endpoints but not our adminurl ones, and it's really tripping me up.20:03
*** diazjf has joined #openstack-keystone20:05
*** diazjf1 has joined #openstack-keystone20:06
*** diazjf2 has joined #openstack-keystone20:07
*** mkrcmari__ has joined #openstack-keystone20:07
openstackgerritayoung proposed openstack/keystone: [WIP]Make fernet default token provider  https://review.openstack.org/25865020:09
ayoungraildo, about 6 failures still20:09
*** mvk_ has quit IRC20:10
*** diazjf1 has quit IRC20:10
raildoayoung: thanks sir!20:10
*** diazjf has quit IRC20:11
*** dflorea has joined #openstack-keystone20:11
*** aginwala has joined #openstack-keystone20:11
*** agrebennikov has quit IRC20:13
*** jed56 has quit IRC20:13
*** dflorea has quit IRC20:14
*** dflorea has joined #openstack-keystone20:15
*** dflorea has quit IRC20:16
*** dflorea has joined #openstack-keystone20:16
*** ametts has joined #openstack-keystone20:17
*** ayoung has quit IRC20:18
*** stingaci has quit IRC20:19
*** sdake_ is now known as sdake20:23
*** diazjf has joined #openstack-keystone20:27
*** diazjf1 has joined #openstack-keystone20:28
*** dflorea has quit IRC20:29
*** aginwala has quit IRC20:30
*** diazjf2 has quit IRC20:31
*** dflorea has joined #openstack-keystone20:31
*** diazjf has quit IRC20:32
*** timcline has joined #openstack-keystone20:32
*** aginwala has joined #openstack-keystone20:40
*** spzala has quit IRC20:40
*** ametts has quit IRC20:41
*** ericksonsantos has joined #openstack-keystone20:41
*** mvk_ has joined #openstack-keystone20:46
*** mkrcmari__ has quit IRC20:50
*** mkrcmari__ has joined #openstack-keystone20:50
*** diazjf1 has quit IRC20:50
*** diazjf1 has joined #openstack-keystone20:51
*** dflorea has quit IRC20:52
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/30285520:53
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/30076420:53
*** mvk_ has quit IRC20:54
*** mylu has quit IRC20:54
*** mylu has joined #openstack-keystone20:54
*** aginwala has quit IRC20:55
*** stingaci has joined #openstack-keystone20:55
*** mvk_ has joined #openstack-keystone20:55
*** aginwala has joined #openstack-keystone20:56
*** david-lyle has joined #openstack-keystone20:56
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/30288120:57
*** dflorea has joined #openstack-keystone 20:58
*** rderose has quit IRC 20:58
*** mkrcmari__ has quit IRC 20:59
*** rderose has joined #openstack-keystone 21:00
*** dflorea has quit IRC 21:01
*** dflorea has joined #openstack-keystone 21:01
*** pcaruana has quit IRC 21:01
*** dflorea has quit IRC 21:03
*** mylu has quit IRC 21:04
*** e0ne has quit IRC 21:04
*** dflorea has joined #openstack-keystone 21:05
*** trown is now known as trown|outtypewww 21:06
*** dflorea has quit IRC 21:07
*** dflorea has joined #openstack-keystone 21:08
*** ksnihyr has quit IRC 21:09
*** ksnihyr has joined #openstack-keystone 21:10
*** diazjf1 has quit IRC 21:11
*** diazjf has joined #openstack-keystone 21:11
*** raildo is now known as raildo-afk 21:11
*** e0ne has joined #openstack-keystone 21:11
*** dflorea has quit IRC 21:12
*** agrebennikov has joined #openstack-keystone 21:12
*** ksnihyr has quit IRC 21:14
*** diazjf has quit IRC 21:15
openstackgerrit Samuel de Medeiros Queiroz proposed openstack/keystone: Add API Change Tutorial  https://review.openstack.org/302789 21:15
samueldmq yeah, now an initial version that makes sense 21:15
samueldmq goal of this is to help new contributors to get familiar with the code base 21:15
samueldmq and how API changes happen here 21:15
*** e0ne has quit IRC 21:18
*** mylu has joined #openstack-keystone 21:19
*** diazjf has joined #openstack-keystone 21:19
*** mylu has quit IRC 21:20
*** rderose has quit IRC 21:21
*** rderose has joined #openstack-keystone 21:22
*** jsavak has quit IRC 21:22
*** jsavak has joined #openstack-keystone 21:23
*** lhcheng has quit IRC 21:23
*** mylu has joined #openstack-keystone 21:24
*** diazjf has quit IRC 21:26
*** mylu has quit IRC 21:29
*** ayoung has joined #openstack-keystone 21:32
*** ChanServ sets mode: +v ayoung 21:32
openstackgerrit Tim Burke proposed openstack/keystonemiddleware: Have s3_token accept identity_uri config option  https://review.openstack.org/294835 21:44
*** timcline has quit IRC 21:45
*** timcline has joined #openstack-keystone 21:45
*** stingaci has quit IRC 21:46
openstackgerrit Merged openstack/pycadf: Updated from global requirements  https://review.openstack.org/302992 21:48
*** timcline has quit IRC 21:50
*** rderose has quit IRC 21:51
*** rderose has joined #openstack-keystone 21:51
*** mylu has joined #openstack-keystone 21:52
*** pauloewerton has quit IRC 21:54
roxanaghe ayoung, knikolla: hey there, I think I found a way to mock the ldap3 calls at the socket level inside the ldap3 library (for our unit testing purposes) 21:56
roxanaghe ayoung, knikolla here's my first stab at it: https://github.com/roxanagherle/ldap3/blob/master/ldap3/strategy/mockSync.py 21:56
lbragstad dolphm mfisch want to have a meeting for our talk soon? 21:57
knikolla roxanaghe, awesome! 21:59
*** david_cu has quit IRC 22:00
*** slberger has left #openstack-keystone 22:01
*** ayoung has quit IRC 22:01
roxanaghe knikolla also, I was wondering if we really want to have write operations implemented or just test the read operations based on a configurable mock setup 22:05
*** dave-mccowan has quit IRC 22:06
*** stingaci has joined #openstack-keystone 22:06
knikolla roxanaghe, that is a very good point. i would hope that a configurable setup would remove the need for write operations at all. 22:07
openstackgerrit Merged openstack/keystone: Bandit test results  https://review.openstack.org/299373 22:07
*** david_cu has joined #openstack-keystone 22:08
*** mylu has quit IRC 22:08
*** pushkaru has quit IRC 22:08
roxanaghe knikolla, that would make my life easier as well 22:09
*** ksnihyr has joined #openstack-keystone 22:10
knikolla roxanaghe, agreed. 22:12
*** david_cu has quit IRC 22:12
knikolla roxanaghe, good work! 22:15
*** ksnihyr has quit IRC 22:15
*** stingaci has quit IRC 22:16
roxanaghe knikolla, thx! 22:17
*** stingaci has joined #openstack-keystone 22:17
*** dave-mccowan has joined #openstack-keystone 22:18
*** knikolla has quit IRC 22:19
*** doug-fish has quit IRC 22:23
*** ayoung has joined #openstack-keystone 22:26
*** ChanServ sets mode: +v ayoung 22:26
*** timcline has joined #openstack-keystone 22:27
*** aginwala has quit IRC 22:28
*** aginwala has joined #openstack-keystone 22:28
*** rcernin has quit IRC 22:29
*** aginwala_ has joined #openstack-keystone 22:31
*** aginwala has quit IRC 22:32
*** rderose has quit IRC 22:32
*** diazjf has joined #openstack-keystone 22:41
*** lhcheng has joined #openstack-keystone 22:42
*** ChanServ sets mode: +v lhcheng 22:42
*** pumarani- has joined #openstack-keystone 22:42
*** aginwala_ has quit IRC 22:43
*** timcline has quit IRC 22:44
*** timcline has joined #openstack-keystone 22:44
*** gordc has quit IRC 22:46
*** daemontool has joined #openstack-keystone 22:48
*** timcline has quit IRC 22:49
*** mylu has joined #openstack-keystone 22:52
*** aginwala has joined #openstack-keystone 22:53
*** sdake has quit IRC 22:54
*** aginwala has quit IRC 22:56
*** sdake has joined #openstack-keystone 22:58
*** aginwala has joined #openstack-keystone 23:00
*** ksnihyr has joined #openstack-keystone 23:11
*** sdake has quit IRC 23:12
*** jsavak has quit IRC 23:13
*** aginwala has quit IRC 23:13
*** aginwala has joined #openstack-keystone 23:13
*** dflorea has joined #openstack-keystone 23:15
*** ksnihyr has quit IRC 23:17
*** aginwala has quit IRC 23:17
*** aginwala has joined #openstack-keystone 23:20
*** henrynash has joined #openstack-keystone 23:21
*** ChanServ sets mode: +v henrynash 23:21
openstackgerrit Merged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/302985 23:22
*** pumarani- has quit IRC 23:22
*** ayoung has quit IRC 23:26
*** diazjf has quit IRC 23:26
*** tqtran has quit IRC 23:27
*** markvoelker has quit IRC 23:29
*** arunkant_ has quit IRC 23:32
*** jamielennox|away is now known as jamielennox 23:36
*** stingaci has quit IRC 23:37
*** mylu has quit IRC 23:38
*** diazjf has joined #openstack-keystone 23:40
*** anush_ has quit IRC 23:43
*** mylu has joined #openstack-keystone 23:45
*** roxanaghe has quit IRC 23:50
*** markvoelker has joined #openstack-keystone 23:59
