Friday, 2016-05-06

« Thursday, 2016-05-05 Index Saturday, 2016-05-07 »
*** rderose has quit IRC00:00
*** chlong has quit IRC00:05
*** spzala has joined #openstack-keystone00:06
ayoung ldapsearch -x -H ldap://ldap.corp.redhat.com -L -b 'dc=redhat,dc=com' 'sn=Fainberg' 'dn'00:08
ayoungdn: uid=mfainber,ou=users,dc=redhat,dc=com00:08
*** aginwala has quit IRC00:09
ayoungrodrigods, does that LDAP query work for you?00:10
rodrigodsayoung, lol was just trying myself00:10
ayoungldapsearch -x -H ldap://ldap.corp.redhat.com -L -b 'dc=redhat,dc=com' 'sn=Sousa' 'dn'00:10
ayoungdn: uid=rsousa,ou=users,dc=redhat,dc=com00:10
*** spzala has quit IRC00:11
ayoungNope that is not you00:11
ayoungdn: uid=rduartes,ou=users,dc=redhat,dc=com00:12
ayoung  I'm guesing00:12
*** aginwala has joined #openstack-keystone00:12
rodrigodsayoung, ldapsearch -x -H ldap://ldap.corp.redhat.com -L -b 'dc=redhat,dc=com' 'sn=Duarte Sousa' 'dn'00:12
ayoungI cheated...I did givenName=Rodrigo00:13
rodrigodslol00:13
ayoungrodrigods, and now I need to figure out our internal build system again to do a backport RPM....this time I'm putting it on my blog00:14
rodrigodsayoung, and i'm trying to figure out how to use one of the testing tools here00:14
*** edtubill has joined #openstack-keystone00:16
*** edtubill has quit IRC00:18
*** edtubill has joined #openstack-keystone00:19
*** timcline has joined #openstack-keystone00:22
*** timcline has quit IRC00:27
*** itlinux has quit IRC00:36
*** aginwala has quit IRC00:36
*** aginwala has joined #openstack-keystone00:40
*** pgbridge has quit IRC00:45
*** edtubill has quit IRC00:48
*** dgonzalez has quit IRC00:48
*** gangaec has quit IRC00:49
*** frickler has quit IRC00:49
*** frickler has joined #openstack-keystone00:50
*** dgonzalez has joined #openstack-keystone00:50
*** TxGVNN has joined #openstack-keystone00:54
*** furface has quit IRC00:59
*** edtubill has joined #openstack-keystone01:00
*** gyee has quit IRC01:03
*** stingaci has joined #openstack-keystone01:05
*** GB21 has quit IRC01:06
*** spzala has joined #openstack-keystone01:07
*** spzala has quit IRC01:12
*** edtubill has quit IRC01:16
*** haplo37 has joined #openstack-keystone01:18
*** timcline has joined #openstack-keystone01:23
*** dan_nguyen has quit IRC01:26
*** timcline has quit IRC01:27
*** chlong has joined #openstack-keystone01:31
*** spzala has joined #openstack-keystone01:33
*** EinstCrazy has joined #openstack-keystone01:34
*** stingaci has quit IRC01:37
*** EinstCra_ has joined #openstack-keystone02:06
*** woodster_ has quit IRC02:08
*** EinstCrazy has quit IRC02:09
*** tonytan4ever has quit IRC02:09
*** aginwala has quit IRC02:13
openstackgerritwangxiyuan proposed openstack/python-keystoneclient: Allow send null value in extra properties  https://review.openstack.org/29624602:13
*** edtubill has joined #openstack-keystone02:30
*** fangxu has quit IRC02:38
*** jasonsb has quit IRC02:48
*** jasonsb has joined #openstack-keystone02:48
*** furface has joined #openstack-keystone02:51
*** jorge_munoz has quit IRC02:56
*** edtubill has quit IRC02:56
*** stingaci has joined #openstack-keystone02:59
*** jorge_munoz has joined #openstack-keystone02:59
*** daemontool_ has quit IRC03:04
*** stingaci has quit IRC03:06
*** richm has quit IRC03:07
*** jasonsb has quit IRC03:16
*** itlinux has joined #openstack-keystone03:18
*** lhcheng has joined #openstack-keystone03:20
*** ChanServ sets mode: +v lhcheng03:20
*** markvoelker has quit IRC03:20
*** julim has quit IRC03:33
*** amit213 has quit IRC03:33
*** julim has joined #openstack-keystone03:33
*** amit213 has joined #openstack-keystone03:33
stevemarlbragstad: we're on the hot seat :O https://bugs.launchpad.net/keystone/+bug/157886603:38
openstackLaunchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed]03:38
*** dan_nguyen has joined #openstack-keystone03:38
ayoungstevemar, 1 second granularity in tokens is a PITA03:44
ayoungstevemar, 2 bytes.  That is what it would cost us to get subsecond granularity.03:45
*** jasonsb has joined #openstack-keystone03:52
*** spzala has quit IRC03:53
*** spzala has joined #openstack-keystone03:53
*** spzala has quit IRC03:58
*** rbridgeman_ has joined #openstack-keystone04:01
*** links has joined #openstack-keystone04:02
*** dan_nguyen has quit IRC04:13
*** markvoelker has joined #openstack-keystone04:21
*** dave-mcc_ has quit IRC04:26
*** markvoelker has quit IRC04:26
*** aginwala has joined #openstack-keystone04:28
*** rbridgeman_ has quit IRC04:36
*** spzala has joined #openstack-keystone04:54
*** GB21 has joined #openstack-keystone04:56
*** spzala has quit IRC04:59
*** GB21 has quit IRC05:02
*** spzala has joined #openstack-keystone05:02
*** GB21 has joined #openstack-keystone05:02
*** lhcheng has quit IRC05:07
*** spzala has quit IRC05:07
*** markvoelker has joined #openstack-keystone05:22
*** markvoelker has quit IRC05:26
*** GB21 has quit IRC05:33
*** lhcheng has joined #openstack-keystone05:38
*** ChanServ sets mode: +v lhcheng05:38
*** yolanda has joined #openstack-keystone05:55
*** furface has quit IRC06:02
*** spzala has joined #openstack-keystone06:03
*** jasonsb has quit IRC06:08
*** GB21 has joined #openstack-keystone06:08
*** jasonsb has joined #openstack-keystone06:08
*** spzala has quit IRC06:08
*** TxGVNN has quit IRC06:09
*** jasonsb has quit IRC06:13
*** jasonsb has joined #openstack-keystone06:16
*** lhcheng has quit IRC06:22
*** markvoelker has joined #openstack-keystone06:23
*** markvoelker has quit IRC06:27
*** browne has quit IRC06:29
*** fawadkhaliq has joined #openstack-keystone06:31
*** haplo37 has quit IRC06:38
*** yolanda has quit IRC06:46
*** yolanda has joined #openstack-keystone06:47
*** fangxu has joined #openstack-keystone06:51
*** kfox1111 has quit IRC06:53
*** yolanda has quit IRC07:02
*** spzala has joined #openstack-keystone07:04
*** permalac has joined #openstack-keystone07:06
*** yolanda has joined #openstack-keystone07:06
*** spzala has quit IRC07:10
*** aginwala has quit IRC07:13
*** aginwala has joined #openstack-keystone07:14
*** fawadkhaliq has quit IRC07:14
*** itlinux has quit IRC07:14
*** yolanda has quit IRC07:21
*** ankur has joined #openstack-keystone07:22
*** markvoelker has joined #openstack-keystone07:23
*** markvoelker has quit IRC07:28
*** yolanda has joined #openstack-keystone07:32
*** fawadkhaliq has joined #openstack-keystone07:33
*** TxGVNN has joined #openstack-keystone07:33
*** openstackstatus has quit IRC07:38
*** openstackstatus has joined #openstack-keystone07:39
*** ChanServ sets mode: +v openstackstatus07:39
*** henrynash has joined #openstack-keystone07:43
*** ChanServ sets mode: +v henrynash07:43
*** GB21 has quit IRC07:44
*** daemontool has joined #openstack-keystone07:53
*** chlong has quit IRC07:54
*** henrynash has quit IRC07:57
*** nkinder has quit IRC07:59
*** zzzeek has quit IRC08:00
*** TxGVNN has quit IRC08:02
*** TxGVNN has joined #openstack-keystone08:02
*** zzzeek has joined #openstack-keystone08:02
*** mkrcmari__ has joined #openstack-keystone08:05
*** spzala has joined #openstack-keystone08:07
*** andrewbogott_ has joined #openstack-keystone08:08
*** mvk_ has quit IRC08:08
*** dmk0202 has joined #openstack-keystone08:08
*** andrewbogott has quit IRC08:09
*** andrewbogott_ is now known as andrewbogott08:09
*** spzala has quit IRC08:11
*** TxGVNN has quit IRC08:14
*** mhickey has joined #openstack-keystone08:23
*** pnavarro has joined #openstack-keystone08:27
*** aginwala has quit IRC08:28
*** jaosorior has joined #openstack-keystone08:32
*** jistr has joined #openstack-keystone08:32
*** nkinder has joined #openstack-keystone08:33
*** pcaruana has joined #openstack-keystone08:36
*** GB21 has joined #openstack-keystone08:37
*** mkrcmari__ has quit IRC08:43
*** henrynash has joined #openstack-keystone08:49
*** ChanServ sets mode: +v henrynash08:49
*** jorge_munoz has quit IRC08:49
*** jorge_munoz has joined #openstack-keystone08:52
*** henrynash has quit IRC08:54
*** henrynash_ has joined #openstack-keystone08:54
*** ChanServ sets mode: +v henrynash_08:54
*** fawadkhaliq has quit IRC08:54
*** fhubik has joined #openstack-keystone08:55
*** tesseract has joined #openstack-keystone08:56
*** tesseract is now known as Guest4293008:56
*** EinstCra_ has quit IRC08:59
*** EinstCrazy has joined #openstack-keystone09:00
*** TxGVNN has joined #openstack-keystone09:00
*** alex_xu has quit IRC09:03
*** alex_xu has joined #openstack-keystone09:05
*** spzala has joined #openstack-keystone09:08
*** spzala has quit IRC09:13
*** henrynash_ has quit IRC09:14
*** mkrcmari__ has joined #openstack-keystone09:28
*** mhickey has quit IRC09:47
*** jaosorior is now known as jaosorior_lunch09:59
*** mhickey has joined #openstack-keystone10:02
*** ekarlso has quit IRC10:08
*** spzala has joined #openstack-keystone10:09
*** spzala has quit IRC10:14
*** fangxu has quit IRC10:14
*** fangxu has joined #openstack-keystone10:15
*** haplo37 has joined #openstack-keystone10:16
*** dims has quit IRC10:20
*** GB21 has quit IRC10:21
*** pnavarro has quit IRC10:24
*** markvoelker has joined #openstack-keystone10:26
openstackgerritDivya K Konoor proposed openstack/keystone: Honor ldap_filter on filtered user list  https://review.openstack.org/31212610:28
*** markvoelker has quit IRC10:30
samueldmqmorning10:36
*** fhubik has quit IRC10:43
*** EinstCrazy has quit IRC10:50
andreafmorning10:54
andreafI'm working on extending tempest to support domain scoped and unscoped tokens (it only supports project scoped ones atm) - and I would like to have some reviews / feedback from keystone folks as well: https://review.openstack.org/#/q/status:open+project:openstack/tempest+branch:master+topic:domain_scoped_tokens10:56
*** dmk0202 has quit IRC10:57
*** dmk0202 has joined #openstack-keystone10:57
*** dims has joined #openstack-keystone11:02
openstackgerritGyorgy Szombathelyi proposed openstack/keystone: Enhance federation group mapping validation  https://review.openstack.org/31350211:06
*** mhickey has quit IRC11:07
openstackgerritGyorgy Szombathelyi proposed openstack/keystone: Enhance federation group mapping validation  https://review.openstack.org/31350411:08
*** spzala has joined #openstack-keystone11:10
*** jaosorior_lunch has quit IRC11:11
*** jaosorior_lunch has joined #openstack-keystone11:12
*** jaosorior_lunch is now known as jaosorior11:12
*** spzala has quit IRC11:15
*** pnavarro has joined #openstack-keystone11:16
*** mhickey has joined #openstack-keystone11:20
*** lhcheng has joined #openstack-keystone11:24
*** ChanServ sets mode: +v lhcheng11:24
*** haplo37 has quit IRC11:25
*** haplo37 has joined #openstack-keystone11:26
*** markvoelker has joined #openstack-keystone11:27
*** GB21 has joined #openstack-keystone11:27
*** markvoelker has quit IRC11:31
*** GB21 has quit IRC11:34
*** GB21 has joined #openstack-keystone11:39
*** alex_xu has quit IRC11:42
*** yolanda has quit IRC11:43
*** GB21 has quit IRC11:44
*** alex_xu has joined #openstack-keystone11:47
*** GB21 has joined #openstack-keystone11:48
*** yolanda has joined #openstack-keystone11:48
*** spzala has joined #openstack-keystone12:11
*** raildo-afk is now known as raildo12:13
*** markvoelker has joined #openstack-keystone12:14
*** rderose has joined #openstack-keystone12:16
*** spzala has quit IRC12:16
*** ekarlso has joined #openstack-keystone12:19
*** GB21 has quit IRC12:20
*** gordc has joined #openstack-keystone12:21
*** alex_xu has quit IRC12:22
*** alex_xu has joined #openstack-keystone12:25
*** lhcheng has quit IRC12:26
*** rodrigods has quit IRC12:29
*** rodrigods has joined #openstack-keystone12:29
*** david_cu has joined #openstack-keystone12:32
*** ninag has joined #openstack-keystone12:39
rderoseedtubill: regarding PCI, I agree with Steve's table changes; probably need a created_by column as well12:41
rderoseedtubill: as an approach, we could probably come up with the db design to satisfy all of the requirements and then divide the work up by PCI number12:44
rderoseedtubill: let me know what you think12:44
*** ayoung has quit IRC12:48
*** alejandrito has joined #openstack-keystone12:52
alejandritoHi! one quick question, did anyone has experience making this work ? http://docs.openstack.org/developer/keystone/auth-totp.html12:53
*** mhickey has quit IRC12:57
*** sdake has joined #openstack-keystone13:00
*** EinstCrazy has joined #openstack-keystone13:02
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200613:02
*** yolanda has quit IRC13:02
*** haplo37 has quit IRC13:03
*** Srushti has quit IRC13:06
*** yolanda has joined #openstack-keystone13:07
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers  https://review.openstack.org/21295713:10
*** pauloewerton has joined #openstack-keystone13:10
*** jsavak has joined #openstack-keystone13:12
*** spzala has joined #openstack-keystone13:12
samueldmqrderose: you're quick13:15
samueldmq:)13:15
rderosesamuelmq: started early this morning, feeling much better today13:17
rderose:)13:17
*** spzala has quit IRC13:17
*** lhcheng has joined #openstack-keystone13:19
*** ChanServ sets mode: +v lhcheng13:19
samueldmqrderose: nice13:19
*** pcaruana has quit IRC13:25
*** lhcheng has quit IRC13:25
*** lhcheng has joined #openstack-keystone13:25
*** ChanServ sets mode: +v lhcheng13:25
*** ankur has quit IRC13:27
*** tonytan4ever has joined #openstack-keystone13:28
dstanekalejandrito: i had it working to test13:32
dstanekwith google authenticator13:32
*** BigWillie has joined #openstack-keystone13:34
*** lhcheng has quit IRC13:45
dstanekrderose: is there a PCI patch already?13:45
*** timcline has joined #openstack-keystone13:46
*** sigmavirus24_awa is now known as sigmavirus2413:48
rderosedstanek: no, only a spec I believe13:49
alejandritoguys, do you think would be easy to backport the TOTP auth plugin to liberty ?13:50
alejandritodstanek, ^13:50
samueldmqalejandrito: upstream? we don't backport features13:51
*** csoukup has joined #openstack-keystone13:51
alejandritosamueldmq, ok, so, if i want to implement TOTP on a productive liberty cloud, what would be the best way to do it ?13:52
dstanekalejandrito: you can probably just take the code and wrap it up in it's own Python package13:53
*** lhcheng has joined #openstack-keystone13:54
*** ChanServ sets mode: +v lhcheng13:54
rderosedstanek: but in the etherpad link, steve has some notes about table changes (re: PCI stuff)13:55
dstanekrderose: do you have the link handy?13:55
*** edmondsw has joined #openstack-keystone13:55
*** timcline has quit IRC13:56
*** timcline has joined #openstack-keystone13:56
rderosedstanek: https://etherpad.openstack.org/p/keystone-newton-pci-dss13:58
dstanekrderose: thanks13:58
*** lhcheng has quit IRC13:58
rderosedstanek: see under "work to be done"13:58
*** lhcheng has joined #openstack-keystone13:58
*** ChanServ sets mode: +v lhcheng13:58
*** sdake_ has joined #openstack-keystone14:00
*** ametts has joined #openstack-keystone14:00
alejandritodstanek, samueldmq cant i just take totp.py and put it into liberty's plugins dir ?14:01
dstanekalejandrito: probably, but that's not very repeatable. if that's something you can manage then you can see if it works14:02
*** pauloewerton has quit IRC14:03
*** sdake has quit IRC14:04
*** pauloewerton has joined #openstack-keystone14:05
alejandritodstanek, thx ^_^14:05
*** alejandrito has quit IRC14:05
*** catintheroof has joined #openstack-keystone14:05
*** ayoung has joined #openstack-keystone14:07
*** ChanServ sets mode: +v ayoung14:07
*** ramishra has quit IRC14:07
*** ramishra has joined #openstack-keystone14:07
*** spzala has joined #openstack-keystone14:14
*** catintheroof has quit IRC14:15
-openstackstatus- NOTICE: Zuul is currently recovering from a large number of changes, it will take a few hours until your job is processed. Please have patience and enjoy a great weekend!14:15
bknudsonI blame monasca-analytics.14:16
*** links has quit IRC14:17
rodrigodslol14:17
*** spzala has quit IRC14:18
*** r-daneel has joined #openstack-keystone14:26
*** catintheroof has joined #openstack-keystone14:27
*** spzala has joined #openstack-keystone14:28
*** EinstCrazy has quit IRC14:30
andrewbogottI am running aground on keystoneclient.exceptions.BadRequest: Expecting to find domain in project14:30
andrewbogottI remember the easy fix (explicitly set domain=default) but it isn't helping14:30
*** slberger has joined #openstack-keystone14:31
andrewbogottCan anyone help me debug?  This is with kilo14:31
*** dave-mccowan has joined #openstack-keystone14:35
ayoungandrewbogott, I can.14:35
ayoungandrewbogott, V2 vs v3?14:35
andrewbogottayoung: 3, in theory, although maybe I have that messed up somehow14:36
andrewbogotthere's a code snippet:14:36
andrewbogotthttps://phabricator.wikimedia.org/P301014:36
andrewbogottI just now added the user_domain_name='default' bit, to no avail14:36
ayoungandrewbogott, OK, then, yes, you need an explict USER_DOMAIN_ID (or NAME) and PROJECT_DOMAIN_ID (or name) in the environment14:36
ayoungandrewbogott, Tenant?  Really14:37
ayoungand I thought we were friends.14:37
andrewbogottMy environment says...14:37
andrewbogotthttps://www.irccloud.com/pastebin/dwNZi9IT/14:37
bknudsonthe default domain name is Default14:37
bknudsonnot default14:37
bknudsonthe default domain id is default14:37
ayoungandrewbogott, yeah, but not sure that the env is used when calling the Python API the way that you do14:38
ayoung​ tenant_name=project) is not sufficient.14:38
andrewbogottso now I have user_domain_name='Default' in the above code...14:39
ayoungbut also what bknudson said is going to burn you after.  I think the missing param in the code is what is giving you that error. It is the client checking it, and the error for default vs Default would ceom back from the server14:40
ayoungandrewbogott, can you load that in from a config file?  Much cleaner to switch that way.  I have an example...14:40
*** edtubill has joined #openstack-keystone14:41
andrewbogottok!  What I needed was...14:41
andrewbogott        user_domain_id='default',14:41
andrewbogott        project_domain_id='default',14:41
andrewbogottthat gets me through14:41
andrewbogottHere's where you tell me that in newer versions of generic.Password those args have a default value of 'default' by default...14:42
bknudsonyour app should prefer to use the domain names. going forward we'll hope to not be setting the default domain ID (it'll be a random UUID)14:43
*** clenimar has quit IRC14:43
ayoungandrewbogott, https://github.com/admiyo/ossipee/blob/master/ossipee-inventory.py#L914:43
andrewbogottThat's "in future versions you'll be rewriting all your scripts again" which is not the same thing :)14:43
andrewbogottBut, ok!  I will keep an eye out.14:44
ayoungandrewbogott, in the future you will be using Ansible, but that is not the same thing14:44
ayoungandrewbogott, but what he is saying is change your current script to use the name of the domain, which is Default not default14:44
ayoungsame for project14:44
andrewbogottbknudson: so, I should set _name='Default' rather than _id='default' yes?14:44
andrewbogottI will try14:44
ayoungthe IDs are for internal use, and the names are for humans14:44
bknudsonandrewbogott: yes.14:44
*** dan_nguyen has joined #openstack-keystone14:45
andrewbogottok, that seems to work too14:45
ayoungthink of the IDs like pointers in C.  You have references to them, but you shouldn't do pointer math14:45
andrewbogottyeah, makes sense14:45
andrewbogottok, thanks all!14:45
*** clenimar has joined #openstack-keystone14:45
ayoungandrewbogott, another happy customer.14:46
-openstackstatus- NOTICE: Zuul has been restarted. As a results, we only preserved patches in the gate queue. Be sure to recheck your patches in gerrit if needed.14:46
*** itlinux has joined #openstack-keystone14:46
ayoungbknudson, I know your availability is getting limited.  Would really like your eyes on https://review.openstack.org/#/c/311652/  as I think that is going to make a lot of other things easier to debug over time, to include the Fernet timeout isues14:48
patchbotayoung: patch 311652 - keystone - Replace revoke tree with linear search14:48
bknudsonayoung: I'll add it to my list.14:48
ayoungbknudson, thanks.  The check code has lived in the test_revoke file  alongside the  tree, as a sanity check.  So I have a pretty high degree of confidence that it accepts and rejects the samethings that the existing code does.14:49
*** itlinux has quit IRC14:51
*** navidp has joined #openstack-keystone14:53
openstackgerritNavid Pustchi proposed openstack/keystonemiddleware: Fix D400 PEP257 violation  https://review.openstack.org/31305214:54
*** sdake_ has quit IRC14:57
*** andrewbogott has quit IRC14:58
*** andrewbogott has joined #openstack-keystone14:58
*** jorge_munoz_ has joined #openstack-keystone14:58
*** jorge_munoz has quit IRC14:59
*** jorge_munoz_ is now known as jorge_munoz14:59
*** haplo37 has joined #openstack-keystone14:59
*** jaosorior has quit IRC15:02
*** Guest42930 has quit IRC15:05
*** dan_nguyen has quit IRC15:05
*** david-lyle has joined #openstack-keystone15:06
*** jaugustine has joined #openstack-keystone15:07
*** diazjf has joined #openstack-keystone15:09
*** diazjf1 has joined #openstack-keystone15:11
*** diazjf has quit IRC15:13
*** sdake has joined #openstack-keystone15:16
*** itlinux has joined #openstack-keystone15:22
*** pushkaru has joined #openstack-keystone15:26
lbragstadstevemar bknudson standing up a tempest/devstack node to see if I can recreate https://bugs.launchpad.net/keystone/+bug/157886615:30
openstackLaunchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed]15:30
lbragstadstevemar bknudson let me know if you want your ssh keys on there15:30
bknudsonlbragstad: ok, thanks. I'll try to recreate it with a test, too.15:30
*** pnavarro has quit IRC15:31
lbragstadcc dolphm dstanek ^15:32
*** sdake has quit IRC15:32
lbragstadlooks like https://review.openstack.org/#/c/311761/ just failed because of the negative role tests...15:32
patchbotlbragstad: patch 311761 - requirements - Require Babel>=2.3.415:32
openstackgerritayoung proposed openstack/keystone-specs: Federated Query APIs  https://review.openstack.org/31360415:33
ayoungrderose, ^^ is for you.  It does not have the API changes yet.15:33
*** dmk0202 has quit IRC15:33
bknudsonlbragstad: I've tried the scenario locally and I get token invalid (even without the sleep after changing password)15:33
bknudsonso I'm going to put this in a loop and see if it ever happens.15:33
lbragstadhmmm15:34
lbragstadbknudson so you haven't been able to recreate it with keystone, devstack, and tempest on master?15:34
*** dmk0202 has joined #openstack-keystone15:34
bknudsonlbragstad: I'm just starting up master keystone in devstack. Not using tempest.15:35
rderoseayoung: okay, looking now15:35
bknudsonI'm too lazy to figure out tempest config15:35
lbragstadbknudson oh - got it15:35
ayoungbknudson, lbragstad I really suspect that simplifying the revoke path will make these easier to debug.  I think that is what is rejecting tokens15:36
*** catintheroof has quit IRC15:36
ayounglbragstad, so please look at https://review.openstack.org/#/c/311652/15:36
lbragstadayoung in the case we are seeing it's *not* rejecting a token and it should be15:36
patchbotayoung: patch 311652 - keystone - Replace revoke tree with linear search15:36
ayounglbragstad, also easier to debug with the above code15:36
bknudsonif I can recreate then it'll be easy enough to apply the patch and see if it helps15:37
lbragstad++15:38
*** dmk0202 has quit IRC15:39
*** jsavak has quit IRC15:42
*** TxGVNN has quit IRC15:43
dstanekmorgan: have you done anything for https://bugs.launchpad.net/keystone/+bug/1572341 yet?15:44
openstackLaunchpad bug 1572341 in OpenStack Identity (keystone) "Failed migration 90 -> 91 Can't DROP 'ixu_user_name_domain_id'" [High,Triaged]15:44
*** dave-mccowan has quit IRC15:50
rderoseayoung: at first glance, the spec good; describes problem and exactly what we discussed at the summit15:52
rderoseayoung: I'll review more closely later and add my comments, but I like it!15:53
lbragstadbknudson I'm running tempest.api.identity.v2.test_users in a loop until it fails with latest keystone, devstack, and tempest15:53
lbragstadbknudson my keystone sha 7a18200ff6fb80a2408dbbe3172fe73dfb13366c15:53
lbragstadmy devstack sha 8d27280f3e845841e78acf659a7e8b605122517e15:53
ayoungrderose, cool.  I would suggest that the next thing you do is try to do the API portion of the spec review, as that will flush out some more gremlins15:53
ayoungand it will let you think through implementaiton15:53
rderoseayoung: sounds good15:54
*** jsavak has joined #openstack-keystone15:55
morgandstanek: nope.15:55
navidpdstanek, it seems the error is with memcache https://bugs.launchpad.net/keystone/+bug/128775715:59
openstackLaunchpad bug 1287757 in OpenStack Identity (keystone) kilo "Optimization: Don't prune events on every get" [High,Fix released] - Assigned to Morgan Fainberg (mdrnstm)15:59
navidpdstanek, the pooled memchached token is not updating in time, causing the tree to be rebuilt16:00
navidpdstanek, what is your suggestion?16:00
lbragstadbknudson I'm at 60 consecutive tempest runs of tempest.api.identity.v2.test_users.IdentityUsersTest.test_user_update_own_password without a failure16:01
*** dan_nguyen has joined #openstack-keystone16:02
bknudsonlbragstad: this is strange.16:03
lbragstadbknudson I wonder if it only fails when the revocation table gets super bloated?16:03
*** yolanda has quit IRC16:03
lbragstadbknudson i'm now at 80 consecutive runs and I have 700 revocation events stored in the revocation table16:04
stevemarsamueldmq: want to take a quick look at https://review.openstack.org/#/c/313052/316:04
patchbotstevemar: patch 313052 - keystonemiddleware - Fix D400 PEP257 violation16:04
bknudsonlbragstad: does the tempest test still have the sleep(1) in it? Try removing the sleep16:05
lbragstadbknudson yeah - tempest has the sleep in it still16:05
*** aginwala has joined #openstack-keystone16:06
*** roxanaghe has joined #openstack-keystone16:07
*** johnthetubaguy has quit IRC16:08
*** johnthetubaguy has joined #openstack-keystone16:08
dstaneknavidp: that causes the tree to be rebuilt?16:09
lbragstadbknudson I do see the test execution time getting slower and slower16:10
*** dmellado is now known as dmellado|off16:10
navidpyes and as well as other nodes accept the token while it is invalidated on the other node,16:10
navidpdstanek, base on this ocmment which i dont know if it is valid https://bugs.launchpad.net/keystone/+bug/1503312/comments/2416:10
openstackLaunchpad bug 1503312 in OpenStack Identity (keystone) "Optimization: Don't rebuild revoke-tree in each validate-token call" [Medium,In progress]16:10
dstaneknavidp: so not related to that other bug?16:12
*** roxanaghe has quit IRC16:12
dstaneknavidp: do you know where the rebuild is invoked?16:12
navidpdstanek, there is two patches uploaded which is not updated recently and their approach is to invalidate the revocation tree16:13
navidpdstanek, this is must be an issue with backend = keystone.cache.memcache_pool for the revocation tree16:14
dstaneknavidp: ok, i'll take a look at bug in a big. i curious to know what is actually happening so that we can determine if it is a bug16:15
*** sdake has joined #openstack-keystone16:15
navidpdstanek, I will try to test it and see if I get the same issue16:16
*** woodster_ has joined #openstack-keystone16:16
*** frontrunner has joined #openstack-keystone16:21
*** agrebennikov has joined #openstack-keystone16:22
*** rbridgeman has joined #openstack-keystone16:24
lbragstadbknudson interesting... if you look through all the traces here http://logstash.openstack.org/#/dashboard/file/logstash.json?query=message:%5C%22testtools.matchers._impl.MismatchError:%20%26lt%3Bbound%20method%20V3TokenClient.auth%20of%20%26lt%3Btempest.lib.services.identity.v3.token_client.V3TokenClient%5C%22%20AND%20tags:%5C%22console%5C%22%20AND%20voting:1&from=10d16:26
*** catintheroof has joined #openstack-keystone16:27
lbragstadyou only see v3 tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_user_update_own_password fail16:27
lbragstadthe v2 version of that same test always passes - tempest.api.identity.v2.test_users.IdentityUsersTest.test_user_update_own_password [1.937001s] ... ok16:27
lbragstadwhich is what I'm testing16:27
bknudsonoh, I've been testing using v3 apis.16:28
*** mtreinish has quit IRC16:28
lbragstadbknudson gotcha16:28
bknudsonI'll try switching to v2.16:29
bknudsonthe bug says v2, but you're saying it's v3 that's failing?16:29
*** jidar has quit IRC16:29
lbragstadbknudson yeah - I can't get it to fail on v2.016:30
lbragstadbknudson and i'm up to 222 consecutive runs16:31
bknudsonmy tests hasn't failed after 775. my test should keep working for 60 minutes when the admin token expires.16:32
lbragstadI do notice severe performance degradation once there are about 1500 rows in the revocation_events table16:34
*** mtreinish has joined #openstack-keystone16:35
openstackgerritNavid Pustchi proposed openstack/keystonemiddleware: Fix D204 PEP257 violation and enable D301 and D209  https://review.openstack.org/31363616:35
*** jsavak has quit IRC16:36
openstackgerritNavid Pustchi proposed openstack/keystonemiddleware: Fix D204 PEP257 violation and enable D301 and D209  https://review.openstack.org/31363616:36
*** jidar has joined #openstack-keystone16:39
*** dmk0202 has joined #openstack-keystone16:40
*** sdake_ has joined #openstack-keystone16:42
*** sdake has quit IRC16:45
*** aginwala has quit IRC16:46
*** jsavak has joined #openstack-keystone16:46
lbragstadbknudson I can't really seem to get the v3 version of that test to fail either..16:51
lbragstadbknudson i'm just going to loop the identity tests and run it until something blows up16:51
*** gyee has joined #openstack-keystone16:52
*** ChanServ sets mode: +v gyee16:52
*** dmk0202 has quit IRC16:55
*** roxanaghe has joined #openstack-keystone16:57
*** dmk0202 has joined #openstack-keystone16:57
*** dmk0202 has quit IRC17:01
*** roxanaghe has quit IRC17:06
*** jistr has quit IRC17:07
*** lupine has quit IRC17:09
*** jasonsb has quit IRC17:11
*** jasonsb has joined #openstack-keystone17:12
*** roxanaghe has joined #openstack-keystone17:12
*** jsavak has quit IRC17:16
*** jasonsb has quit IRC17:17
*** dave-mccowan has joined #openstack-keystone17:17
*** haplo37 has quit IRC17:18
bknudsonlbragstad: my test ran until the admin token expired, so wasn't able to recreate after 2092 iteration17:23
*** fangxu has quit IRC17:25
*** aginwala has joined #openstack-keystone17:28
*** roxanaghe has quit IRC17:29
*** roxanaghe has joined #openstack-keystone17:29
*** spzala has quit IRC17:32
*** spzala has joined #openstack-keystone17:32
*** spzala has quit IRC17:37
*** aginwala has quit IRC17:37
*** jsavak has joined #openstack-keystone17:39
*** lupine has joined #openstack-keystone17:40
*** lupine has quit IRC17:41
*** lupine has joined #openstack-keystone17:41
*** lupine_ has joined #openstack-keystone17:41
*** lupine_ has quit IRC17:41
*** jsavak has quit IRC17:45
*** yolanda has joined #openstack-keystone17:46
*** jsavak has joined #openstack-keystone17:46
*** aginwala has joined #openstack-keystone17:47
*** gagehugo has joined #openstack-keystone17:50
*** yolanda has quit IRC17:54
*** navidp has quit IRC17:54
*** yarkot1 has quit IRC17:57
*** sdake_ is now known as sdake17:57
lbragstadbknudson I've ran the entire tempest.api.identity test suite for over an hour consecutively and I can't recreate18:01
*** lupine has quit IRC18:01
lbragstadside note - each test is taking about 7 seconds to run because of how many revocation events are being stored18:02
*** lupine has joined #openstack-keystone18:02
*** lupine has quit IRC18:02
*** lupine has joined #openstack-keystone18:02
dstaneklbragstad: ouch18:06
lbragstaddstanek yeah - keystone is dog slow18:06
lbragstaddstanek bknudson maybe it doesn't happen as a result of the revocation table bloating?18:07
*** yarkot1 has joined #openstack-keystone18:07
bknudsonwhy would revocation table bloating cause tokens to remain valid?18:07
lbragstadbknudson no idea18:08
lbragstadjust wasn't going to rule it out18:08
*** fangxu has joined #openstack-keystone18:11
lbragstaddolphm were you ever able to get https://github.com/openstack/tempest/blob/master/tempest/api/identity/admin/v2/test_roles_negative.py to fail?18:18
*** pushkaru has quit IRC18:20
*** tonytan4ever has quit IRC18:22
*** BigWillie has quit IRC18:24
*** BigWillie has joined #openstack-keystone18:26
*** lamt has joined #openstack-keystone18:27
*** pushkaru has joined #openstack-keystone18:29
*** sdake_ has joined #openstack-keystone18:31
openstackgerritMerged openstack/keystonemiddleware: Fix D400 PEP257 violation  https://review.openstack.org/31305218:33
*** sdake has quit IRC18:33
*** stingaci has joined #openstack-keystone18:34
*** navidp has joined #openstack-keystone18:36
*** gordc has quit IRC18:36
*** catintheroof has quit IRC18:41
stevemarbknudson: you believe fungi and dims, they want to remove ldap on us?! those anarchists18:44
dimsLOL18:44
bknudsonstevemar: y, nice try.18:44
fungildap is dead, long live nis/yp18:45
bknudsonplease kill ldap18:45
lbragstadayoung around?18:45
bknudsonit's not even RESTful18:45
ayounglbragstad, yep18:46
openstackgerritMerged openstack/keystonemiddleware: Fix D204 PEP257 violation and enable D301 and D209  https://review.openstack.org/31363618:46
fungimay it REST in peace18:46
lbragstadayoung want to go through your patch for revocation events?18:46
ayounglbragstad, sure18:46
lbragstadayoung I have some questions18:46
ayoungfire awy18:46
lbragstadayoung so - with your patch, we no longer have a tree, right?18:46
*** mkrcmari__ has quit IRC18:46
lbragstadbut a flattened list18:47
ayounglbragstad, correct, it is a list, and we do an exhaustive search from oldest to newest event18:47
lbragstadok - so we have a list of events (formally the tree) and some attributes from a token18:47
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Credential Encryption  https://review.openstack.org/28495018:47
ayounglbragstad, yeah.  The old tree code maintained the list as well, and used the same events as the nodes of the tree.18:48
ayoungit only used the list for adding new events and cleaning up expired.  It was another vestige of assuming we needed to do this in middleware18:48
lbragstadayoung so if we match some of the token attributes to an event in the list, we have a match right?18:48
ayounglbragstad, right.  If The event says "all tokens for project P are revoked" and the token has proejct P in the user or scope section, it is revoked18:49
ayoungactually, no project in the user section....change hat to domain and it still holds true though18:50
lbragstadayoung ok - so if we have a match we exit early18:50
ayoungright18:50
lbragstadok18:50
ayoungso the normal case, where a token is valid goes through the whole list18:50
ayounglbragstad, which is why I want the follow on change to reduce the number of revokation events to a minimum18:50
lbragstadright18:50
ayoungfor example, if a user or project is disabled, we don't want to look for an event for that, we want to look at the identty or resource backends to find that out18:51
lbragstadyeah - we get that for free today with rebuilding the authorization context18:51
lbragstadon validation18:51
ayoungrevoke events should be reserved for things that can't otherwise be deduced: password changes, explicit token revocations18:51
ayounglbragstad, just realize the PCIS effort might even get us the password change one18:51
ayounglbragstad, also, I don't want to change the code very much on this patch, just port over what has been working in the test directory. Any additional cleanup can be proposed after, with deep scruitiny18:53
ayoungcomment changes are OK18:53
*** GB21 has joined #openstack-keystone18:54
lbragstadayoung ok - I ran a subset of the identity tempest api tests on keystone master to get an idea of how long it was taking. I'm going to do the same with your patch18:54
lbragstadin a minute18:54
lbragstadhttp://cdn.pasteraw.com/5jdvrgi9iusd3wqltg6m1bb0t7g7ngw18:55
rodrigodswhy only v2 tests?18:55
lbragstadrodrigods I just picked a set of tests18:55
lbragstadrodrigods and i was trying to get those to expose a transient we've been seeing the gate recently18:56
rodrigodsok18:56
ayounglbragstad, comparing with tree vs with list?18:56
lbragstadayoung yeah - since i have things setup anyway18:56
rodrigodsneed to run both 30 times heh18:56
rodrigodsmaster student feelings18:56
ayounglbragstad, looking for failures or looking for timeing data?  Or both?18:56
lbragstadboth18:56
lbragstadmore so the timing18:56
ayoungrodrigods, you are starting to think like QE.  I love it18:56
ayounglbragstad, awesome.  Let me know what you find.18:57
rodrigodsayoung, really? heh18:57
ayounglbragstad, even if the tree is slightly faster on checking (which I doubt) I suspect that the overall will be faster when we remove the spurious events18:57
*** aginwala has quit IRC19:03
*** tonytan4ever has joined #openstack-keystone19:07
*** dave-mccowan has quit IRC19:09
*** aginwala has joined #openstack-keystone19:09
*** navidp has quit IRC19:13
*** gordc has joined #openstack-keystone19:17
lbragstadayoung is the removal of spurious events as subsequent patch?19:17
lbragstads/as/a/19:18
*** roxanaghe has quit IRC19:18
*** aginwala has quit IRC19:20
*** sdake has joined #openstack-keystone19:24
*** dave-mccowan has joined #openstack-keystone19:25
*** sdake has quit IRC19:25
*** rcernin has joined #openstack-keystone19:26
ayounglbragstad, yes, and I need to rewrite it19:26
lbragstadayoung so - we do see a slight performance increase with your patch http://cdn.pasteraw.com/1uu3nqyf9lxffxbk7ap44mo0pe5xh0b19:26
lbragstadcompared to http://cdn.pasteraw.com/5jdvrgi9iusd3wqltg6m1bb0t7g7ngw19:26
*** sdake_ has quit IRC19:26
ayounglbragstad, good.  It was not by itself meant as a performance increase, but glad to know it is not making things worse19:27
lbragstadright19:27
*** mkrcmari__ has joined #openstack-keystone19:31
*** spzala has joined #openstack-keystone19:34
*** edtubill has quit IRC19:34
stevemaranyone know what TZ haypo is in?19:35
tristanCstevemar: he should be UTC+119:36
*** edtubill has joined #openstack-keystone19:37
*** spzala has quit IRC19:39
openstackgerritayoung proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165219:41
*** edtubill has quit IRC19:43
*** ninag has quit IRC19:47
openstackgerritColleen Murphy proposed openstack/keystoneauth: Expose allow paramters URL discovery in adapter  https://review.openstack.org/30965019:51
*** pauloewerton has quit IRC19:59
*** dmk0202 has joined #openstack-keystone20:05
*** aginwala has joined #openstack-keystone20:07
*** navidp has joined #openstack-keystone20:07
*** mvk_ has joined #openstack-keystone20:08
*** mkrcmari__ has quit IRC20:12
*** aginwala has quit IRC20:17
openstackgerritLance Bragstad proposed openstack/keystone: Separate protocol schema  https://review.openstack.org/30808820:22
*** navidp has quit IRC20:25
*** GB21 has quit IRC20:27
stevemartristanC: ah thanks, i'll try him on monday20:28
*** GB21 has joined #openstack-keystone20:30
*** BigWillie has quit IRC20:30
*** openstackgerrit has quit IRC20:32
*** openstackgerrit has joined #openstack-keystone20:32
openstackgerritLance Bragstad proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165220:34
*** spzala has joined #openstack-keystone20:35
*** jsavak has quit IRC20:39
*** spzala has quit IRC20:40
*** jsavak has joined #openstack-keystone20:40
*** gordc has quit IRC20:44
morgano/20:47
* morgan is lurking now and semi-paying attention.20:47
bknudsonmorgan-redhat20:47
morganbknudson: haha20:48
bknudsonmorgan: what do they have you doing there?20:48
bknudsonkeystone reviews I hope.20:48
morganbknudson: going to be writing code for zuul/nodepool as my primary job20:48
morganbknudson: but i'll still be doing work on keystone.20:48
morganauth is kindofimportant for nodepool and we have lots of work to still do to make openstack auth sotry better20:48
bknudsonmake openstack auth great again.20:49
morganbknudson: it was "never" great before. it was only passible (tries to kill the "make X great" meme in openstack)20:49
bknudsonthe meme will be over in november20:50
morganbknudson: i hope it stops sooner :(20:50
*** gagehugo has quit IRC20:53
*** jsavak has quit IRC20:58
*** dmk0202 has quit IRC20:58
*** lamt has quit IRC20:58
*** jaugustine has quit IRC20:59
*** agrebennikov has quit IRC21:00
*** raildo is now known as raildo-afk21:01
*** iurygregory has quit IRC21:05
*** roxanaghe has joined #openstack-keystone21:18
*** ayoung has quit IRC21:20
*** roxanaghe has quit IRC21:20
*** roxanaghe has joined #openstack-keystone21:22
*** ametts has quit IRC21:24
*** timcline has quit IRC21:26
*** spzala has joined #openstack-keystone21:36
*** sigmavirus24 is now known as sigmavirus24_awa21:38
*** aginwala has joined #openstack-keystone21:38
*** aginwala has quit IRC21:40
*** spzala has quit IRC21:41
*** timcline has joined #openstack-keystone21:42
*** aginwala has joined #openstack-keystone21:44
*** timcline has quit IRC21:45
*** timcline has joined #openstack-keystone21:46
*** ozialien10 has joined #openstack-keystone21:51
*** timcline has quit IRC21:52
openstackgerritRon De Rose proposed openstack/keystone: Move the catalog abstract base class and common code out of core  https://review.openstack.org/30923821:58
*** ayoung has joined #openstack-keystone22:16
*** ChanServ sets mode: +v ayoung22:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31373122:17
*** navidp has joined #openstack-keystone22:19
rodrigodslbragstad, ayoung, ^ cool! the performance thing22:20
rodrigodsi wonder if stuff hasn't been compared before introducing the revoke tree22:20
*** tonytan4ever has quit IRC22:24
*** lhcheng has quit IRC22:27
*** csoukup has quit IRC22:29
*** slberger has left #openstack-keystone22:30
openstackgerritMerged openstack/keystone: Move the resource abstract base class out of core  https://review.openstack.org/30282622:32
*** roxanaghe has quit IRC22:33
*** david-lyle has quit IRC22:35
*** david-lyle has joined #openstack-keystone22:37
*** spzala has joined #openstack-keystone22:37
*** spzala has quit IRC22:42
*** sdake has joined #openstack-keystone22:45
*** markvoelker has quit IRC22:47
*** sdake_ has joined #openstack-keystone22:48
*** markvoelker has joined #openstack-keystone22:48
*** sdake has quit IRC22:50
samueldmqstevemar: hey, sorry was afk; it was looking neat22:50
*** r-daneel has quit IRC22:52
*** sdake has joined #openstack-keystone22:55
*** sdake_ has quit IRC22:56
*** sdake has quit IRC23:05
*** roxanaghe has joined #openstack-keystone23:09
*** rderose has quit IRC23:09
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Improve docs for v3 users  https://review.openstack.org/30579623:11
*** aginwala has quit IRC23:12
*** daemontool has quit IRC23:12
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add users functional tests  https://review.openstack.org/28930623:12
openstackgerritMatthew Edmonds proposed openstack/keystone: Honor ldap_filter on filtered user list  https://review.openstack.org/31212623:21
*** lhcheng has joined #openstack-keystone23:24
*** ChanServ sets mode: +v lhcheng23:24
*** sheel has quit IRC23:25
*** rbridgeman has quit IRC23:26
*** richm has joined #openstack-keystone23:33
*** sdake has joined #openstack-keystone23:34
*** edmondsw has quit IRC23:34
*** sdake_ has joined #openstack-keystone23:37
*** richm has quit IRC23:38
*** fangxu has quit IRC23:38
*** sdake has quit IRC23:38
*** fangxu has joined #openstack-keystone23:38
*** spzala has joined #openstack-keystone23:38
*** lhcheng_ has joined #openstack-keystone23:41
*** spzala has quit IRC23:43
*** lhcheng has quit IRC23:44
*** woodster_ has quit IRC23:48
*** gyee has quit IRC23:53
*** stingaci has quit IRC23:59
« Thursday, 2016-05-05 Index Saturday, 2016-05-07 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!