Thursday, 2016-05-12

*** timcline has quit IRC00:01
*** dan_nguyen has quit IRC00:03
*** rbridgeman has quit IRC00:05
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf
*** jgriffith has quit IRC00:19
*** jsavak has quit IRC00:22
*** gyee has quit IRC00:36
*** fangxu has quit IRC00:42
*** lifeless has quit IRC00:46
*** lifeless has joined #openstack-keystone00:47
*** rcernin has quit IRC00:54
*** fangxu has joined #openstack-keystone00:54
*** timcline has joined #openstack-keystone00:58
*** timcline has quit IRC01:03
*** markvoelker_ has joined #openstack-keystone01:05
openstackgerritMerged openstack/keystonemiddleware: Return default value for pkg_version if missing
*** ozialien10 has quit IRC01:14
*** stingaci has quit IRC01:18
*** raddaoui has quit IRC01:27
*** TxGVNN has joined #openstack-keystone01:27
*** EinstCrazy has joined #openstack-keystone01:30
*** BjoernT has joined #openstack-keystone01:31
stevemarjamielennox: it has01:37
stevemarmorgan: awesome on
patchbotstevemar: patch 315267 - openstack-infra/project-config - Import ldappool into gerrit and setup project01:37
morganstevemar: yeah just needs some cleanup.01:38
openstackgerritSteve Martinelli proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements
*** tqtran has quit IRC01:48
*** markvoelker_ has quit IRC01:51
*** markvoelker has joined #openstack-keystone01:59
*** timcline has joined #openstack-keystone01:59
*** markvoelker_ has joined #openstack-keystone01:59
*** timcline has quit IRC02:03
*** markvoelker has quit IRC02:03
openstackgerritMerged openstack/keystone: Switch to use `new_domain_ref` for testcases
*** BjoernT has quit IRC02:13
*** zqfan has joined #openstack-keystone02:14
*** tonytan4ever has joined #openstack-keystone02:21
*** markvoelker_ has quit IRC02:31
*** spzala has quit IRC02:35
*** daemontool has quit IRC02:38
*** markvoelker_ has joined #openstack-keystone02:38
*** dan_nguyen has joined #openstack-keystone02:42
*** fangxu has quit IRC02:56
*** spzala has joined #openstack-keystone03:01
*** spzala has quit IRC03:05
*** lhcheng has quit IRC03:07
*** tonytan4ever has quit IRC03:08
*** markvoelker_ has quit IRC03:13
*** dan_nguyen has quit IRC03:13
*** stingaci has joined #openstack-keystone03:28
*** links has joined #openstack-keystone03:34
*** julim has joined #openstack-keystone03:40
*** richm has quit IRC03:45
*** furface has quit IRC03:52
*** furface has joined #openstack-keystone03:54
*** fangxu has joined #openstack-keystone03:58
*** EinstCrazy has quit IRC04:01
jamielennoxstevemar: any idea if these are legit failures?
patchbotjamielennox: patch 255686 - keystone - Make AuthContext depend on auth_token middleware04:02
jamielennoxhave you seen them elsewhere? it was definetly passing recently04:03
*** EinstCrazy has joined #openstack-keystone04:03
*** julim has quit IRC04:07
*** dan_nguyen has joined #openstack-keystone04:11
*** lhcheng has joined #openstack-keystone04:17
*** ChanServ sets mode: +v lhcheng04:17
*** lhcheng_ has joined #openstack-keystone04:23
*** pcaruana has joined #openstack-keystone04:25
*** lhcheng has quit IRC04:26
*** pcaruana has quit IRC04:32
*** fangxu has quit IRC04:34
*** dan_nguyen has quit IRC04:40
*** furface has quit IRC04:53
stevemarjamielennox: i think those are transient04:56
*** sdake has quit IRC04:57
jamielennoxstevemar: good - they look painful to debug04:58
*** spzala has joined #openstack-keystone05:01
stevemarjamielennox: ugh... a lot of things failed recently05:02
stevemara lot with: "test_roles_negative.RolesNegativeTestJSON"05:02
*** furface has joined #openstack-keystone05:07
*** spzala has quit IRC05:07
*** stingaci has quit IRC05:14
*** woodster_ has quit IRC05:18
*** lhcheng_ has quit IRC05:30
jamielennoxstevemar: oh, o, i'm seeing tests like tempest.api.identity.admin.v2.test_tenant_negative.TenantsNegativeTestJSON.test_update_non_existent_tenant throwing errors on random glance patches05:44
jamielennoxwhat have we done?05:44
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: WIP: generate sample config automatically
*** fangxu has joined #openstack-keystone05:46
lifelessjamielennox: changed something05:46
stevemarjamielennox: lifeless yep, we're on the hot seat05:47
stevemari'll look at it in a few minutes05:47
jamielennoxhas infra etc noticed? is the whole gate affected?05:48
stevemarprobably anyone running tempest, so yes05:48
stevemarhavent heard much from infra05:48
stevemarjamielennox: maybe ?05:49
jamielennoxstevemar: i thought that - but nothing is actually looking for that field in the token yet05:50
stevemarjamielennox: merged around when the errors started, and it is policy related05:50
jamielennoxunless adam's things merged?05:50
stevemarlet me dig into it in a few05:50
stevemarwhich adam's thing?05:50
stevemarhe hasn't merged anything in a few days05:50
jamielennoxhe had a policy change to start looking at is_admin_project - but i thought he was going to wait05:51
jamielennoxthe only reference to is_admin_project in keystone is the code that adds it to the token so i don't see that we could be enforcing anything on it05:52
jamielennoxstevemar: oh - "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)", in cloudsample05:53
*** furface has quit IRC05:53
jamielennoxdo we use that anywhere in gate?05:53
*** rcernin has joined #openstack-keystone05:54
*** furface has joined #openstack-keystone06:01
*** spzala has joined #openstack-keystone06:03
*** spzala has quit IRC06:07
jamielennoxits not - maybe coicidence06:08
*** naresht has joined #openstack-keystone06:09
*** lhcheng has joined #openstack-keystone06:11
*** ChanServ sets mode: +v lhcheng06:11
*** pcaruana has joined #openstack-keystone06:12
jamielennoxstevemar: so things are interesting as of about here:
*** furface has quit IRC06:16
jamielennoxstevemar: it really might just be transient06:23
jamielennoxand conincidence06:23
stevemarjamielennox: maybe more race conditions coming up by way of fernet tokens?06:23
jamielennoxstevemar: so i was thinking that with the log i linked - but if you look at the PIDs i don't think there's a problem there06:24
jamielennoxjust coincidence that apache handed off some new workers there?06:24
*** fangxu has quit IRC06:25
stevemarjamielennox: why do we list the options here:
stevemarif they are already in the section above?06:27
jamielennoxstevemar: no idea - those options are old06:27
stevemarjamielennox: if you're interested:
patchbotstevemar: patch 315359 - keystonemiddleware - WIP: generate sample config automatically06:28
jamielennoxlike http_handler06:28
jamielennoxyea, nice06:29
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: remove old options from documentation
stevemarjamielennox: this is what it looks like:
stevemarcompared to:
jamielennoxstevemar: we need to update some of the samples in that file as well06:30
stevemaryeah, s/keystone_authtoken/authtoken/06:30
*** furface has joined #openstack-keystone06:31
jamielennoxfor things like  Deprecated group/name - [DEFAULT]/memcache_servers we should figure out how to make that keystone_authtoken06:31
jamielennoxcause i'm pretty sure they never came out of [DEFAULT]06:32
jamielennox# Deprecated group/name - [DEFAULT]/auth_plugin certainly never did06:32
stevemarjamielennox: these options don't appear in the generated version06:35
stevemari'm assuming that's OK since thats the non-plugin way of doing things06:35
jamielennoxyep - that's what i meant by out of date06:36
stevemari should drop the WIP prefix then :)06:36
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: generate sample config automatically
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: remove old options from documentation
stevemarjamielennox: that failure is happening way too often to be transient06:40
jamielennoxstevemar: got stats?06:40
jamielennoxi just did a quick look through the projects i was seeing it in06:40
stevemarlemme hit up logstash06:40
jamielennoxbut i didn't look at like history06:40
*** belmoreira has joined #openstack-keystone06:44
stevemarjamielennox: 64 failures in 6 hours06:44
stevemargive or take06:45
*** furface has quit IRC06:45
jamielennoxwhich failure06:45
*** belmoreira has quit IRC06:45
stevemaractually, bad query...06:45
*** knikolla has quit IRC06:45
*** TxGVNN has quit IRC06:46
jamielennoxbut so is most recent run fails 13 tests06:47
jamielennox is one before - fails 406:47
*** knikolla has joined #openstack-keystone06:48
jamielennoxall in identity - but that sort of  variance can't be my patch06:48
openstackgerritJamie Lennox proposed openstack/keystone: GATE TEST - DO NOT MERGE
*** belmoreira has joined #openstack-keystone06:51
stevemarjamielennox: i dunno man, we haven't had much merge in a while06:52
*** jorge_munoz has quit IRC06:53
*** knikolla has quit IRC06:58
stevemarlogstash is taking quite a while to find the result of "query=project%3Aopenstack%2Fkeystone"06:58
*** sudorandom has quit IRC06:58
*** crinkle_ has joined #openstack-keystone06:59
openstackgerritRyosuke Mizuno proposed openstack/keystone: Disable user lists without a filter
*** nonameentername has quit IRC06:59
*** kfox1111 has quit IRC06:59
*** crinkle has quit IRC07:00
*** kfox1111 has joined #openstack-keystone07:00
*** crinkle_ is now known as crinkle07:00
jamielennoxso i don't see anyway to see jenkins last votes on keystone07:00
jamielennoxeverything sorts by updated which doesn't always help07:00
stevemaryeah, frustrating07:00
*** sudorandom has joined #openstack-keystone07:00
stevemarthat includes comments07:01
*** jorge_munoz has joined #openstack-keystone07:01
jamielennoxbut i think keystone gate is just broken, it doesn't look like anything has passed07:01
*** murali has joined #openstack-keystone07:01
muraliHello all07:01
stevemari agree07:01
*** knikolla has joined #openstack-keystone07:01
stevemarjamielennox: i hope we're not busting someone else07:01
*** nonameentername has joined #openstack-keystone07:02
stevemarnova has had successful merges07:02
jamielennoxSo Switch to use `new_domain_ref` for testcases was the last thing to merge07:02
*** murali has quit IRC07:02
jamielennox~5hours ago07:03
stevemarwhich was just a refactor for tests...07:03
*** jaosorior has joined #openstack-keystone07:03
*** itsmee has joined #openstack-keystone07:03
stevemarjamielennox: i'm going to propose a revert of your patch, just a gut feeling07:03
openstackgerritSteve Martinelli proposed openstack/keystone: Revert "Always add is_admin_project if admin project defined"
*** spzala has joined #openstack-keystone07:04
stevemarjamielennox: if it fails, we'll know it's not the culprit07:04
jamielennoxit's the only one i can see recently being an issue but i can't see why07:04
* stevemar shrugs07:04
stevemarauthz is weird07:04
stevemarjamielennox: if that patch unbreaks the gate, approve it ?07:04
stevemari am off to bed07:04
*** tesseract has joined #openstack-keystone07:05
jamielennoxyep, night07:05
*** furface has joined #openstack-keystone07:05
itsmeeCan anyone of you able to have a look at this query ?
stevemarjamielennox: night, sorry again to you and jane :P07:06
jamielennoxstevemar: she'll make you pay for it in barcelona07:06
stevemarruh roh07:06
jamielennoxitsmee: so i think your query is being denied by policy07:08
jamielennoxso openstack is configured to say you need the admin role to perform the operation07:08
itsmeeYes obviously07:08
*** spzala has quit IRC07:09
itsmeeBut I need to know the way to get the own tenant details07:09
jamielennoxwhich is strange because the default policy is "identity:get_project": "rule:admin_required or project_id:%("07:09
itsmeeEven though admin and non admin user07:09
*** tesseract has quit IRC07:09
jamielennoxwhich should allow you to fetch the project details of the current project07:09
itsmeeUsing liberty version of devstack07:10
jamielennoxso i don't know what request.user.tenant_id is because a user can be a member of multiple tenants and you will have to use the token scoped to the tenant you want to access it07:11
jamielennoxbut i don't know enough horizon to help there07:11
itsmee"identity:get_project": "rule:admin_required",07:11
itsmee    "identity:list_projects": "rule:admin_required",07:11
itsmee    "identity:list_user_projects": "rule:admin_or_owner",07:11
itsmee    "identity:get_project": "rule:admin_required",07:11
itsmee    "identity:list_projects": "rule:admin_required",07:11
itsmee    "identity:list_user_projects": "rule:admin_or_owner",07:11
itsmee    "identity:get_project": "rule:admin_required",07:11
itsmee    "identity:list_projects": "rule:admin_required",07:11
itsmee    "identity:list_user_projects": "rule:admin_or_owner",07:11
itsmeeOh Ok :(07:11
jamielennoxah - that's it07:12
itsmeeOk I will try to get help from horizon :)07:12
jamielennoxso if you change identity:get _project to the one i said it should work07:13
itsmeeOh ok will try that07:13
jamielennoxthen horizon has a way of parsing policy files to know whether it should attempt to make the call07:13
itsmeeYes you are correct07:15
itsmeeI will try what you suggested07:15
itsmeeSame error :(07:16
*** jed56 has joined #openstack-keystone07:19
*** daemontool has joined #openstack-keystone07:19
*** elfosardo has joined #openstack-keystone07:22
*** dmk0202 has joined #openstack-keystone07:40
*** gsilvis has quit IRC07:55
*** gsilvis has joined #openstack-keystone07:56
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:01
*** mvk_ has joined #openstack-keystone08:04
*** spzala has joined #openstack-keystone08:05
*** lhcheng_ has joined #openstack-keystone08:07
*** pnavarro has quit IRC08:07
*** mvk has quit IRC08:08
*** spzala has quit IRC08:10
*** jamielennox is now known as jamielennox|away08:10
*** lhcheng has quit IRC08:10
*** lhcheng_ has quit IRC08:18
*** mhickey has joined #openstack-keystone08:20
Anticimexwould it be difficult to issue oauth tokens from keystone that have e.g. configurable lifetime?08:35
*** jistr has joined #openstack-keystone08:35
*** GB21 has joined #openstack-keystone08:47
*** jamie_h has quit IRC08:49
*** chaithu has joined #openstack-keystone08:56
*** pcaruana is now known as pcaruana|afk|09:01
openstackgerritMerged openstack/keystone: Add set_config_defaults() call to tests
*** openstackgerrit has quit IRC09:04
*** openstackgerrit has joined #openstack-keystone09:04
*** mvk_ has quit IRC09:04
*** spzala has joined #openstack-keystone09:06
*** spzala has quit IRC09:11
*** GB21 has quit IRC09:16
*** GB21 has joined #openstack-keystone09:33
*** mvk_ has joined #openstack-keystone09:35
*** mhickey has quit IRC09:36
*** mhickey has joined #openstack-keystone09:40
*** __zouyee has joined #openstack-keystone09:55
*** __zouyee has quit IRC10:00
*** TxGVNN has joined #openstack-keystone10:02
*** GB21 has quit IRC10:08
openstackgerrityolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results
*** GB21 has joined #openstack-keystone10:25
*** EinstCrazy has quit IRC10:30
*** EinstCrazy has joined #openstack-keystone10:31
*** EinstCrazy has quit IRC10:35
*** TxGVNN has quit IRC10:37
*** chaithu has quit IRC10:38
*** naresht has quit IRC10:38
*** josecastroleon has quit IRC10:47
*** josecastroleon has joined #openstack-keystone10:55
*** GB21 has quit IRC10:56
*** GB21 has joined #openstack-keystone11:00
*** tellesnobrega is now known as tellesnobrega_af11:06
*** spzala has joined #openstack-keystone11:07
*** spzala has quit IRC11:12
*** julim has joined #openstack-keystone11:22
*** jaosorior has quit IRC11:28
*** jaosorior has joined #openstack-keystone11:29
*** gordc has joined #openstack-keystone11:31
*** ninag has joined #openstack-keystone11:59
openstackgerrityolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results
openstackgerrityolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results
*** ninag has quit IRC12:05
*** spzala has joined #openstack-keystone12:08
*** raildo-afk is now known as raildo12:10
*** spzala has quit IRC12:12
*** rodrigods has quit IRC12:15
*** rodrigods has joined #openstack-keystone12:16
*** pauloewerton has joined #openstack-keystone12:16
*** julim has quit IRC12:28
*** GB21 has quit IRC12:31
*** ninag has joined #openstack-keystone12:38
*** ninag has quit IRC12:38
*** ninag has joined #openstack-keystone12:38
*** julim has joined #openstack-keystone12:57
*** pcaruana|afk| is now known as pcaruana13:01
*** edmondsw has joined #openstack-keystone13:04
openstackgerrithenry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain
*** josecastroleon has quit IRC13:07
*** spzala has joined #openstack-keystone13:09
*** josecastroleon has joined #openstack-keystone13:09
*** jsavak has joined #openstack-keystone13:11
*** nalind has joined #openstack-keystone13:11
*** rderose has joined #openstack-keystone13:13
*** spzala has quit IRC13:13
*** rderose has quit IRC13:14
*** rderose_ has joined #openstack-keystone13:14
*** links has quit IRC13:14
*** jsavak has quit IRC13:16
*** spzala has joined #openstack-keystone13:16
*** jsavak has joined #openstack-keystone13:16
openstackgerrithenry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain
openstackgerrithenry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain
rodrigodshenrynash, almost a conversation in the review :P ^13:26
henrynashrodigods: ha113:26
henrynashrodigods: still not right, still twealing it13:27
rodrigodshenrynash, yeah, think it should be clear about the cases where the parent is a regular project or not13:27
rodrigodsthe parent_id vs domain_id cases13:27
kfox1111in v3 validate token, how do you know if the user is_admin?13:28
*** sigmavirus24_awa is now known as sigmavirus2413:28
rodrigodskfox1111, from the user roles13:28
henrynashrodigods: ok, let me try again!13:28
kfox1111so admin shows up as a role on all projects, even though it may not be explicitly?13:29
kfox1111like is_admin was?13:29
rodrigodskfox1111, hmm i might not understood your question than13:30
kfox1111ok. let me try and ask a different way. :)13:30
kfox1111in v2 verify token, if the user is a cloud admin, there is an is_admin flag set. the poplicy can be written to allow any cloud admin to do things.13:31
kfox1111they don't have to be a role=admin on the teproject.13:31
kfox1111is there a way to get that info from the v3 validate token api?13:31
rodrigodsfor v3, the cloud_admin must have the correct role in the is_admin_project13:32
kfox1111right. so what field, in the validate token do I use to determine if that was the case?13:32
rodrigodskfox1111, the role vs the scope of the token (project), then keystone verifies if the project is the is_admin_project13:33
kfox1111is it the same? I didn't see any is_admin code in that code except in v2.13:33
rodrigodsthat's my guess, didn't implement and review the code13:33
rodrigodshenrynash may be able to give more details ^13:33
kfox1111hmm... k.13:33
kfox1111I'm working on hooking up kubernetes to keystone. its go code, so I'm having to do stuff myself.13:34
kfox1111and I was hoping to get is_admin working, so that admins can administer the k8s clusters launched by users.13:35
*** ramishra has quit IRC13:35
dstanekmeta2-5~meta2-5~/b 2613:35
henrynashkfox1111: so I think we are trying not to use is_admin in v313:35
dstanek^ serry13:35
kfox1111hmm.. ok.13:36
kfox1111well, we already put our admins on all tenants we create with an admin role. I guess we can do an implied role admin -> member and I think it would work that way too.13:37
rodrigodsdstanek, lol13:37
*** ramishra has joined #openstack-keystone13:38
henrynashkfox1111: yep, that shoudl work…13:39
samueldmqdstanek: configuring weechat ? :-)13:39
openstackgerrithenry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain
*** BjoernT has joined #openstack-keystone13:43
*** wanghua has quit IRC13:44
*** erhudy has joined #openstack-keystone13:47
dstaneksamueldmq: no, some key combination on this dump mac keystone prints that mapping in weechat. not sure what i keep pressing yet13:48
*** BjoernT has quit IRC13:49
samueldmqdstanek: hehe13:55
openstackgerrithenry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain
*** pushkaru has joined #openstack-keystone13:59
*** belmoreira has quit IRC13:59
*** mhickey has quit IRC14:03
*** sdake has joined #openstack-keystone14:05
openstackgerrithenry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain
*** roxanaghe has joined #openstack-keystone14:10
*** doug-fish has joined #openstack-keystone14:11
*** roxanaghe has quit IRC14:13
*** d0ugal has quit IRC14:14
*** roxanaghe has joined #openstack-keystone14:14
*** d0ugal has joined #openstack-keystone14:16
*** mhickey has joined #openstack-keystone14:17
*** roxanaghe has quit IRC14:19
*** d0ugal has quit IRC14:23
*** josecastroleon has quit IRC14:23
*** flaper87 has quit IRC14:24
*** josecastroleon has joined #openstack-keystone14:24
*** ksavich has quit IRC14:25
*** ksavich has joined #openstack-keystone14:26
*** josecastroleon has quit IRC14:26
*** flaper87 has joined #openstack-keystone14:27
*** flaper87 has quit IRC14:27
*** flaper87 has joined #openstack-keystone14:27
*** mou1 has quit IRC14:28
*** mou has joined #openstack-keystone14:29
morganstevemar: about to finish cleanup on import for ldappool. hope to land that soon.14:33
lbragstaddolphm dstanek i got my patch in tempest to fail with added logging
patchbotlbragstad: patch 314330 - tempest - Do not merge - add logging for bug 157886614:35
openstackbug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed]
*** sdake has quit IRC14:35
*** links has joined #openstack-keystone14:36
*** GB21 has joined #openstack-keystone14:36
*** raddaoui has joined #openstack-keystone14:41
*** GB21 has quit IRC14:42
morgandstanek: going to bug you for a hacking change soon (review) to make sure we don't ever add oslo namespaced stuff to ldappool. will ping you when ready14:46
*** timcline has joined #openstack-keystone14:47
*** phalmos has joined #openstack-keystone14:51
*** tonytan4ever has joined #openstack-keystone14:51
bknudsonwe're doing something wrong if we're developing libraries that other projects are prohibited to use.14:56
morganbknudson: oslo is terrible to include in things outside of openstack14:57
morganbknudson: i wouldn't include any oslo libs in a library we adopt14:57
morganbknudson: oslo is ok for openstack specific things, but it adds a lot of things we shouldn't force on others.14:57
*** marekd has joined #openstack-keystone14:58
*** ChanServ sets mode: +v marekd14:58
morganbknudson: and since we're adopting ldappool, i view it in that category.14:58
morganconverting to PBR is about as far as i want to go compared to other things14:58
*** thiagolib has quit IRC15:01
*** mhickey has quit IRC15:01
*** josecastroleon has joined #openstack-keystone15:03
bknudsonPBR TTR15:04
bknudson(to the rescue)15:04
*** haplo37 has joined #openstack-keystone15:04
*** jaugustine has joined #openstack-keystone15:05
*** agrebennikov has joined #openstack-keystone15:07
*** agrebennikov has quit IRC15:11
dstanekmorgan: sounds good15:13
dstaneklbragstad: nice15:13
*** edtubill has joined #openstack-keystone15:14
*** mhickey has joined #openstack-keystone15:15
lbragstaddstanek yeah - trying to multi-task and putting the events in order15:15
*** sdake has joined #openstack-keystone15:17
*** d0ugal has joined #openstack-keystone15:17
*** dan_nguyen has joined #openstack-keystone15:19
*** catintheroof has joined #openstack-keystone15:26
*** catintheroof has quit IRC15:27
*** catintheroof has joined #openstack-keystone15:29
*** links has quit IRC15:32
*** spzala has quit IRC15:34
*** dmk0202 has quit IRC15:35
*** dmk0202 has joined #openstack-keystone15:36
rodrigodsbknudson, dstanek, lbragstad: have some time to take another look at ?15:41
patchbotrodrigods: patch 302299 - keystone - Add identity providers integration tests15:41
*** josecastroleon has quit IRC15:48
*** GB21 has joined #openstack-keystone15:49
*** josecastroleon has joined #openstack-keystone15:54
*** ninag has quit IRC15:59
*** spzala has joined #openstack-keystone16:00
*** doug-fis_ has joined #openstack-keystone16:01
*** doug-fi__ has joined #openstack-keystone16:03
*** doug-fish has quit IRC16:05
*** doug-fis_ has quit IRC16:06
*** jaosorior has quit IRC16:06
*** doug-fi__ has quit IRC16:08
*** rbridgeman has joined #openstack-keystone16:08
*** GB21 has quit IRC16:09
openstackgerritElvin Tubillara proposed openstack/keystone: Config changes to support PCI-DSS
*** sdake has quit IRC16:13
*** mkoderer__ has quit IRC16:14
*** dmk0202 has quit IRC16:15
*** dan_nguyen has quit IRC16:18
*** d0ugal has quit IRC16:20
*** d0ugal has joined #openstack-keystone16:21
*** josecastroleon has quit IRC16:24
*** gb21 has joined #openstack-keystone16:24
*** tellesnobrega_af is now known as tellesnobrega16:27
*** d0ugal has quit IRC16:27
morganstevemar: and ready for initial import - we'll apply the outstanding PRs and the fixes from you and crinkle once it is in gerrit16:27
patchbotmorgan: patch 315267 - openstack-infra/project-config - Import ldappool into gerrit and setup project16:27
*** mkoderer__ has joined #openstack-keystone16:28
morganstevemar, crinkle: let me know if i missed something insane when prepping that repo (if you have a few moments)16:28
stevemarmorgan: it'll also need a requirements.txt, but yeah16:29
morganstevemar: did you look at ?16:30
*** spzala has quit IRC16:30
stevemarmorgan: only at the 1st of the PRs, give me 1 sec :)16:31
morganstevemar: since i'm importing from my fork of he repo16:32
stevemarmorgan: looks fantastic16:32
stevemarwe can iterate on it from this point on16:32
morganand it passes pep8/py27.16:33
stevemarmorgan: anyway to give a non-voting py34 job?16:34
morganstevemar: lets add that after import.16:35
*** agrebennikov has joined #openstack-keystone16:35
stevemarmorgan: okie dokie16:35
stevemarmorgan: does the license in ldappool init have to change?16:35
morganstevemar: nope. we're keeping MPL16:35
morganstevemar: just easier16:36
*** spzala has joined #openstack-keystone16:36
morganwe'll need to add a proper license file, and then we'll need to get RTFD working for it16:36
morganall doable post import16:36
stevemarPackage Index Owner: mdrnstm, tarek16:36
stevemarPackage Index Maintainer: openstackci16:36
stevemarmorgan want to take a quick peek at
patchbotstevemar: patch 315359 - keystonemiddleware - generate sample config automatically16:38
*** lhcheng has joined #openstack-keystone16:39
*** ChanServ sets mode: +v lhcheng16:39
*** spzala has quit IRC16:40
*** d0ugal has joined #openstack-keystone16:42
stevemarrderose_: o/16:42
*** doug-fish has joined #openstack-keystone16:43
*** TxGVNN has joined #openstack-keystone16:44
*** fangxu has joined #openstack-keystone16:44
*** josecastroleon has joined #openstack-keystone16:45
*** arunkant_ has joined #openstack-keystone16:45
rderose_stevemar: o/16:45
rderose_stevemar: what's up?16:46
stevemarrderose_: still wondering about what the migration story will be for pci16:47
*** gyee has joined #openstack-keystone16:47
*** ChanServ sets mode: +v gyee16:47
*** doug-fish has quit IRC16:48
*** spzala has joined #openstack-keystone16:48
rderose_stevemar: okay, what are you thinking?16:48
stevemarrderose_: if i upgrade to N, these options will now have a default value of 90 days before lock out, and as a deployers, i didn't want this feature... in 90 days, i'll have locked out users :P16:48
morganstevemar: will look.16:49
morganstevemar: might be when i land in PDX though16:49
*** sdake has joined #openstack-keystone16:49
stevemarmorgan: stop traveling so much16:49
*** alex_xu has quit IRC16:49
morganstevemar: TRYING TO GET HOME!16:49
rderose_well, we can make default value to be none, so that you have to purposely opt in16:50
rderose_stevemar: ^16:50
stevemarrderose_: right, which is kinda wonky UX16:50
rderose_stevemar: hmm...16:50
stevemarthe all or nothing switch isn't nice if someone doesn't want to rotate passwords, but just wants stronger password support16:51
rderose_stevemar: I guess I think we should have a reasonable default value; not necessarily PCI compliant16:51
stevemarrderose_: I guess None default for each, and we can recommend options16:51
stevemarlet me see what other projects do16:51
rderose_stevemar: I'm okay with that16:51
stevemarrderose_: just keep that in mind :P16:51
*** spzala has quit IRC16:52
*** woodster_ has joined #openstack-keystone16:52
*** alex_xu has joined #openstack-keystone16:52
rderose_stevemar: okay, will do.  thx16:52
stevemarrderose_: if we stick with None defaults, theres going to be a lot of "if CONF.constraint.blah: "16:53
lbragstaddstanek dolphm here is a snippet of the log from
patchbotlbragstad: patch 314330 - tempest - Do not merge - add logging for bug 157886616:54
openstackbug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed]
rderose_stevemar: sure, but we have to support none, whether it's default or not16:54
*** elfosardo has quit IRC16:56
*** mkoderer__ has quit IRC16:57
rderose_heading to lunch...16:58
*** rderose_ has quit IRC16:58
*** spzala has joined #openstack-keystone17:00
*** TxGVNN has quit IRC17:00
*** mhickey has quit IRC17:01
*** mvk_ has quit IRC17:04
*** mkoderer__ has joined #openstack-keystone17:04
*** spzala has quit IRC17:04
dstaneklbragstad: that's failing on the check that old tokens won't work, right?17:07
lbragstaddstanek it's failing the test because the test expects the token to be invalid (404), but instead keystone validates it successfully17:08
lbragstadwhich fails the assertion17:08
dstaneklbragstad: but it should be invalid because the password was this a revocation issue of some sort?17:08
kfox1111can token validation work with pki tokens too?17:09
kfox1111so you can always just use remote validation?17:09
lbragstaddstanek right - the token should be invalid but it's failing this assertion
lbragstaddstanek i have a feeling it is related17:09
lbragstaddstanek but the weird part is that it's transient17:09
lbragstadand very "racey"17:10
lbragstadwhich is why i attempted to add timestamps to various client operations in tempest to see if the race was there (i.e. the token validation was faster than the token revocation from a client perspective)17:10
dstaneklbragstad: what is that time.sleep there? the token should be invalid because of the password reset and not the timestamp17:11
lbragstaddstanek that's because fernet is only precise to the second17:11
dstaneklbragstad: right, but why would that come into play with this test?17:11
lbragstaddstanek *and* revocation events are stored in sql, meaning that event.issued_before is also truncated to only be second precise17:11
*** spzala has joined #openstack-keystone17:11
lbragstadso - in keystone, when we hit that case we bail saying it's an invalid token17:12
lbragstadso - if we get a token that has an issued_at time as the same second as the revocation events issued_before time, then we err on the side of security and say it's an invalid token17:13
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf
lbragstadeither though you may have changed your password at 10:52:15.02 and got a new token at 10:52:15.0517:13
*** stingaci has joined #openstack-keystone17:13
dstaneklbragstad: the logging doesn't seem to have the issued_before gate logged17:14
*** josecastroleon has quit IRC17:15
lbragstaddstanek not that I can tell - my patch only logs the before and after when a client did a particular thing17:15
lbragstadlike - the user is going to change their password (timestamp) -> request is sent -> user has changed their password (timestamp + x)17:15
lbragstaddstanek but this is interesting
lbragstad^ that is the keystone access log from the failed test17:16
*** spzala has quit IRC17:16
lbragstaddstanek you should be able to search for '14aee731a93845d8ac34b9e8403e659b' - that is the user id of the user in the test that failed17:16
*** roxanaghe has joined #openstack-keystone17:18
*** fangxu has quit IRC17:20
*** doug-fish has joined #openstack-keystone17:22
*** doug-fish has quit IRC17:23
*** spzala has joined #openstack-keystone17:23
*** jaugustine has quit IRC17:23
*** doug-fish has joined #openstack-keystone17:24
*** jistr has quit IRC17:24
dstaneklbragstad: i think we need logging in keystone where we do that comparison. i can't find it in
*** doug-fish has quit IRC17:28
*** spzala has quit IRC17:28
lbragstaddstanek since keystone errors on the side of security when a token issued_at and a revocations issued_before are too close17:28
lbragstadthe only thing I can think of is that the revocation is taking too long17:29
lbragstadand the validation is getting to keystone before the revocation is stored17:29
dstaneklbragstad: debug logging around that revocation would be very helpful if we don't already have it17:29
lbragstaddstanek I'll have to check - but i'm not seeing any sort of revocation logging through tempest17:31
*** fangxu has joined #openstack-keystone17:32
dstaneklbragstad: it logs in debug mode because i'm seeing tons and tons of logging17:32
dstanekb 2617:32
dstaneki'm terrible at thiis17:32
*** gb21 has quit IRC17:33
*** d0ugal has quit IRC17:34
*** julim has quit IRC17:35
*** gyee has quit IRC17:35
*** NellyK has joined #openstack-keystone17:36
*** spzala has joined #openstack-keystone17:37
*** alex_xu has quit IRC17:38
*** rdo has quit IRC17:38
*** rderose has joined #openstack-keystone17:40
*** spzala has quit IRC17:41
*** markvoelker has joined #openstack-keystone17:41
*** ninag has joined #openstack-keystone17:46
*** rdo has joined #openstack-keystone17:46
*** ninag has quit IRC17:46
*** doug-fis_ has joined #openstack-keystone17:48
*** ninag has joined #openstack-keystone17:48
*** spzala has joined #openstack-keystone17:49
*** stingaci has quit IRC17:50
samueldmqayoung: hey17:50
samueldmqayoung: could you take a look at patch 302789 again ?17:50
patchbotsamueldmq: - keystone - Add API Change Tutorial17:50
samueldmqcc stevemar morgan ^17:50
*** ninag_ has joined #openstack-keystone17:50
*** stingaci has joined #openstack-keystone17:50
stevemarAPI change tutorial...17:51
samueldmqstevemar: sounds a good idea ? :)17:51
ayoungsamueldmq, will do17:52
samueldmqayoung: thanks17:52
*** d0ugal has joined #openstack-keystone17:52
*** ninag has quit IRC17:53
*** NellyK has quit IRC17:53
*** spzala has quit IRC17:53
*** spzala has joined #openstack-keystone17:54
*** doug-fis_ has quit IRC17:54
lbragstaddolphm not sure if you see all the conversation up there ^17:57
*** tqtran has joined #openstack-keystone17:58
dolphmlbragstad: actually, i don't -- i'm not using znc properly today17:58
lbragstaddolphm ah - ok17:58
dolphmshould i go read eavesdrop?17:58
*** pcaruana has quit IRC17:58
lbragstaddolphm naw - i'll walk through it again17:59
lbragstad(hopefully it helps?)17:59
dolphmif it hurts, try again17:59
dolphm-doctor topol18:00
lbragstaddolphm so in keystone, when we compare token data against revocation events, if a revocation event's issued_before time is greater than *or* equal too the token's issued_at time, we consider it revoked18:00
topoldolphm, yes Im here18:00
lbragstadtopol sweet - you can help, too!18:00
topollbragstad, anything for oyu18:01
dolphmlbragstad: right18:01
lbragstaddolphm topol make sense?18:01
lbragstadso - in the keystone + fernet + devstack case18:01
dolphmrevocation events apply to tokens issued in the past18:01
lbragstadkeystone tokens are only going to have second precision when it comes to issued_at18:02
lbragstadso - if you get a token at 10:52:25.000004, your token response is going to say 10:52:25.00000018:02
dolphmand when we create a revocation event, is the limited-precision timestamp truncated, rounded up/down, or is it up to the db?18:02
lbragstaddolphm I *think* it is rounded down18:03
dolphmby python or by the db?18:03
lbragstaddolphm in some cases python -
ayoungsamueldmq, responded.  I like it.  Tried to make some constructive additions18:04
lbragstadbut that's the expires_at18:05
*** doug-fish has joined #openstack-keystone18:05
*** dave-mccowan has quit IRC18:05
dolphmlbragstad: hmm, why don't we do the same for other timestamps?18:06
dolphmlbragstad: what ends up in the db for those values?18:06
lbragstaddolphm i'm not entirely sure18:06
dolphmlbragstad: if we're comparing two timestamps with different levels of precision, then you have an opportunity for a race condition18:07
dolphmlbragstad: or even if the precision was manipulated in different ways (rounding vs truncating)18:08
*** d0ugal has quit IRC18:08
*** doug-fis_ has joined #openstack-keystone18:08
*** rcernin has quit IRC18:09
lbragstaddolphm I think the is_revoked login in keystone was written to assume second precision18:09
lbragstadfor example, if a token's issued_at time is equal to a revocation events issued_before time, we error on the side of security and say that the token is revoked18:10
*** doug-fish has quit IRC18:10
ayounglbragstad, it needs to be a second granularity either way.  But I also think that we can reduce the number of revoke events18:11
ayounglbragstad, I am working through this change18:11
patchbotayoung: patch 285134 - keystone - WIP Remove unneeded revocation events18:11
ayoungI have made a little progress, but getting hung up on the Federation tokens18:12
ayoungI have a Tripleo task I need to finish first, and some hotfix patches for RPMs I should be doing, and then get back to that18:12
topollbragstad, dolphm is it possible to add a second to the revocation issued_before time to ensure rounding errors can't have an impact/18:12
*** doug-fis_ has quit IRC18:13
*** ninag_ has quit IRC18:13
*** jistr has joined #openstack-keystone18:15
*** lhcheng has quit IRC18:15
*** jistr is now known as jistr|afk18:15
*** ninag has joined #openstack-keystone18:15
*** stingaci has quit IRC18:15
samueldmqayoung: nice, thanks for the comments, I will update it accordingly18:16
dolphmtopol: i tried several variations of that a few months back - and i was only met with even more test failures18:16
ayoungsamueldmq, thanks18:16
*** julim has joined #openstack-keystone18:17
topoldolphm, ugggh18:17
dolphmlbragstad: if you write microsecond precision to mysql 5.5, it'll silently truncate everything beyond seconds18:17
lbragstaddolphm yeah - that sounds familiar18:18
*** openstackgerrit has quit IRC18:18
dolphmlbragstad: OH, that example shows it rounding UP!18:18
lbragstadyes it is...18:18
*** openstackgerrit has joined #openstack-keystone18:18
*** markvoelker_ has joined #openstack-keystone18:19
dolphmlbragstad: should we ask mike?18:19
lbragstaddolphm i'm trying to find out which version of mysql my patch ran against18:20
lbragstaddolphm and yes18:20
dolphmlbragstad: i'd bet he's got a general pattern that he recommends to avoid that behavior - or maybe there's something we can turn on in sqlalchemy to have it blow up if we give it too much precision18:20
lbragstaddolphm or we can patch keystone to always truncate - like fernet does18:20
lbragstador round down18:21
*** markvoelker has quit IRC18:22
dolphmzzzeek: we're experiencing a race condition, likely due to a loss of precision of timestamps somewhere between our app, sqlalchemy, the db, and when they're later compared to totally different timestamps. we're happy to just have second-level precision, but is there a way to have sqlalchemy throw a backtrace if we give it more precision that the db is expecting / capable of handling accurately?18:22
zzzeekdolphm: yes you'd want to intercept the data at the type level18:23
zzzeekdolphm: examples of that knid of thing:
zzzeekdolphm: also you can, when you look into doing the comparison, render a SQL expression like a CAST or similar that ensures both sides of the expression are of the same precision18:25
clenimarhi there18:25
clenimaris admin_url param deprecated?18:25
dolphmzzzeek: perfect, thanks! we'll have to play with that recipe18:26
dolphmclenimar: only in that it's only relevant to the v2 API, and the v2 API itself is basically deprecated. we still support other services have admin URLs in the service catalog, however18:27
dolphmlbragstad: we could use something like that recipe above to ensure all timestamps end up exactly the same before hitting the db18:29
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add __str__ to PolicyOpt
clenimarthank you, dolphm18:29
lbragstaddolphm yeah - that makes sense18:30
lbragstaddolphm where would be a good place for that to live in keystone?18:30
*** erhudy has quit IRC18:31
*** BjoernT has joined #openstack-keystone18:33
*** belmoreira has joined #openstack-keystone18:34
*** ninag has quit IRC18:35
*** ninag has joined #openstack-keystone18:35
*** ninag has quit IRC18:35
lbragstaddolphm sweet - looks like we do this already with JsonBlobs18:35
*** ninag has joined #openstack-keystone18:36
*** spzala has quit IRC18:38
*** rderose has quit IRC18:38
*** ninag has quit IRC18:39
*** rderose has joined #openstack-keystone18:40
*** stingaci has joined #openstack-keystone18:40
*** BjoernT has quit IRC18:42
*** spzala has joined #openstack-keystone18:44
*** sdake has quit IRC18:44
dolphmlbragstad: so, i assume that means we'll have to swap a bunch of model definitions with this new, wrapped class?18:45
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements
*** ninag has joined #openstack-keystone18:46
lbragstaddolphm yep18:46
*** dmk0202 has joined #openstack-keystone18:47
*** spzala has quit IRC18:48
dolphmlbragstad: still can't reproduce outside of the gate, right?18:50
lbragstaddolphm right18:50
lbragstaddolphm so maybe i'm using a different version of mysql that truncates and the gate is using something else?18:50
dolphmlbragstad: that means that even if we implement a new column type just to see if it fixes the issue, we'll have to merge it just to see if it works :-/18:50
dolphmlbragstad: what version of mysql are you on?18:51
*** ninag has quit IRC18:51
lbragstaddolphm I nuked the devstack box that I was using - I can setup again though18:51
dolphmlbragstad: 5.6.3 to 5.6.4 is the magic version barrier with support for subsecond precision changed radically18:52
dolphmmysql 5.6.3 vs 5.6.418:52
lbragstadlocally i have 5.6.25-0ubuntu0.15.04.118:59
*** rderose_ has joined #openstack-keystone18:59
*** lhcheng has joined #openstack-keystone19:01
*** ChanServ sets mode: +v lhcheng19:01
*** lhcheng_ has joined #openstack-keystone19:02
*** lhcheng has quit IRC19:02
*** d0ugal has joined #openstack-keystone19:02
*** rderose has quit IRC19:03
*** slberger has joined #openstack-keystone19:03
openstackgerritMerged openstack/keystone: Move the assignment abstract base class out of core
*** spzala has joined #openstack-keystone19:10
*** spzala has quit IRC19:11
*** spzala has joined #openstack-keystone19:11
samueldmqayoung: about your comment in
patchbotsamueldmq: patch 302789 - keystone - Add API Change Tutorial19:14
samueldmqayoung: what is ""19:14
ayoungsamueldmq, yes?19:14
samueldmqalso edit the API doc in (path..) to show the effect of the new change, and make sure you bump the version number etc.19:14
samueldmqoops ^19:15
samueldmqin yours first comment19:15
samueldmqyour* (arrgh)19:15
stevemarmorgan: looks like we need a .gitreview file in ldappool :)19:17
morganPropose it stevemar:) I'll get the core group setup as soon as I am home.19:18
openstackgerritMatthew Edmonds proposed openstack/keystone: admin gets is_admin_project by default
stevemarmorgan: but... i can't push new patches until a .gitreview file exists :O19:19
morganstevemar: propose a patch with gitreview.19:19
morganThen it works!19:19
stevemardidn't know that19:19
samueldmqpropose a pull request ?19:19
morganWith the .gitreview file.19:20
morganSince it just looks locally for it.19:20
morganI expect this next version should be 2.0 fwiw stevemar19:20
openstackgerritSteve Martinelli proposed openstack/ldappool: make ldappool py3 compatible
stevemarmorgan: oh for sure19:21
morganSince we are adding py319:21
stevemarwe'll be switching the main requirement19:21
morganMake it work with both19:21
morganIf possible.19:21
morganI mean, it should be possible.19:21
openstackgerritSteve Martinelli proposed openstack/ldappool: additional files to ignore in .gitignore
openstackgerritSteve Martinelli proposed openstack/ldappool: add .gitreview
openstackgerritSteve Martinelli proposed openstack/ldappool: additional files to ignore in .gitignore
openstackgerritSteve Martinelli proposed openstack/ldappool: make ldappool py3 compatible
*** rderose has joined #openstack-keystone19:28
*** r-daneel has joined #openstack-keystone19:28
openstackgerritLance Bragstad proposed openstack/keystone: Avoid datetime rounding issues
*** rderose_ has quit IRC19:31
stevemarmorgan: want to push through? it just adds the necessary .gitreview file19:32
patchbotstevemar: patch 315731 - ldappool - add .gitreview19:32
stevemarmorgan: i'm not sure it can work with both python-ldap and pyldap, they are installed in the same namespace19:32
morganAhh ok19:32
morganThat's fine. We might want a separate test job for python-ldap19:33
*** rderose has quit IRC19:33
*** rderose has joined #openstack-keystone19:34
*** fangxu has quit IRC19:34
openstackgerritMonty Taylor proposed openstack/ldappool: Add gitreview file
openstackgerritMonty Taylor proposed openstack/ldappool: Fix license in
openstackgerrithenry-nash proposed openstack/keystone: Create V9 driver for identity backend
morganmordred: stevemar beat you to the .gitreview file ;)19:37
*** ninag has joined #openstack-keystone19:38
stevemarmorgan: you added HP boilerplate to
stevemarmordred: ^19:38
morganstevemar: i did not.19:38
stevemar"Copyright (c) 2013 Hewlett-Packard Development Company, L.P."19:38
*** ninag has quit IRC19:41
morganstevemar: it's i think in the cookiecutter repo like that19:42
*** ninag has joined #openstack-keystone19:42
morganstevemar: ok who should be on the hook for ldappool?19:42
morganstevemar: you, me? all of keystone-core?19:42
stevemarmorgan: obviously just crinkle :P19:43
stevemarmorgan: i dunno, any volunteers?19:43
morgandone, though i'm totally letting her blame you.19:43
stevemaranyone who has touched it at all?19:43
morganok anyway you and crinkle added to core on ldappool now19:43
stevemaryee haw19:44
* crinkle swims in ldap pools19:44
morgancrinkle: be careful, i hear they're poluted.19:44
*** ninag has quit IRC19:45
morganyou both are also in the -release group. we'll get the release things worked out later (once 2.0.0 with the changes rolls out)19:46
morganbut we can make keystone py3...ish now! :)19:46
morgan(don't look at the memcache thing)19:46
morganhm.. where is gyee.19:49
morganstevemar: i'll send out a "are you going to keystone midcycle" thing tomorrow19:50
morganstevemar: so we can get real numbers19:50
morganstevemar: google form good? or ... wiki?19:50
stevemarmorgan: docs job failed :(19:50
* morgan leans towards form19:51
stevemargoogle form19:51
morganstevemar: which docs job?19:51
stevemarmorgan: ldappool19:51
morganuhm... there... shouldn't be a docs job in gate?19:51
morganor you mean you ran tox -edocs19:52
*** jistr|afk has quit IRC19:52
morganoh crud. forgot docs was part of the template19:52
morganuhm. going to make it no-op for the moment.19:52
*** belmoreira has quit IRC19:54
stevemarmorgan: i can cook up a working docs change as part of git review19:54
*** rbridgeman has quit IRC19:54
morganstevemar: if you want to.19:55
morganstevemar: i have RTFD integration on my short list for it too19:55
*** pauloewerton has quit IRC19:55
morganstevemar: either way wfm19:57
stevemarmorgan: let me run all the jobs now and make sure it works19:57
stevemarmay be a new patch19:57
*** josecastroleon has joined #openstack-keystone20:02
openstackgerritSteve Martinelli proposed openstack/ldappool: add .gitreview and fix ldappool gate
stevemarmorgan: OK, *now* it should be good20:03
*** rbridgeman has joined #openstack-keystone20:04
morganstevemar: okie20:07
openstackgerritMorgan Fainberg proposed openstack/ldappool: Fix license in
lbragstaddolphm dstanek started working on the mysql datetime fix -
patchbotlbragstad: patch 315735 - keystone - Avoid datetime rounding issues20:14
lbragstadbut I think i'm going to have to fix the bigger timestamp problem20:15
*** martinus__ has quit IRC20:15
dolphmlbragstad: bigger?20:15
morganstevemar: oh.. should probably spin up the bug pages and such for ldappool20:16
* morgan does this20:16
*** belmoreira has joined #openstack-keystone20:16
*** spzala_ has joined #openstack-keystone20:16
*** martinus__ has joined #openstack-keystone20:18
*** spzala has quit IRC20:18
lbragstaddolphm i think some of the token formats return different precision than others20:19
lbragstadand that might vary from v2 to v320:20
*** ayoung has quit IRC20:20
dolphmlbragstad: the v2 vs v3 thing is definitely true. we added microsecond precision in v3, but it'd be API compatible to store second-level precision as long as we return .00000Z20:20
lbragstadI think that's what we're going to have to do20:21
morganstevemar: created.20:23
*** rbridgeman_ has joined #openstack-keystone20:23
mordredmorgan: oh. piddle. let me abaondon/rebase away from my gitreview patch20:24
*** rcernin has joined #openstack-keystone20:24
openstackgerritMonty Taylor proposed openstack/ldappool: Fix license in
morganmordred: i already rebased :P20:25
morganmordred: but okie.20:25
morganmordred: or i think i did? ... *shrugs*20:26
mordred(I had some things piled up in buffers from plane landing)20:26
morganah yesh20:26
*** rbridgeman has quit IRC20:26
morganstevemar: oooh got a test failure happening20:27
morganstevemar: =/20:27
stevemarmorgan: yeah :\20:27
morgan(this worked in devstack^wlocally)20:27
stevemarran fine locally....20:27
morganmight be concurrency?20:27
stevemarmorgan: its a racey test20:27
stevemarmorgan: it does call threading20:28
morganwe should fix that20:28
stevemaryeah its all kinds of racy20:29
morganoh boy.20:30
morganwell, code needs cleanup. so do tests20:30
*** josecastroleon has quit IRC20:32
*** belmoreira has quit IRC20:34
*** ericksonsantos has quit IRC20:35
*** ninag has joined #openstack-keystone20:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** raildo is now known as raildo-afk20:41
*** gyee has joined #openstack-keystone20:44
*** ChanServ sets mode: +v gyee20:44
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests
openstackgerritSteve Martinelli proposed openstack/ldappool: add .gitreview and fix ldappool gate
openstackgerritSteve Martinelli proposed openstack/ldappool: Fix license in
openstackgerritSteve Martinelli proposed openstack/ldappool: additional files to ignore in .gitignore
openstackgerritSteve Martinelli proposed openstack/ldappool: make ldappool py3 compatible
*** fangxu has joined #openstack-keystone21:00
*** pushkaru has quit IRC21:00
*** sdake has joined #openstack-keystone21:04
*** yolanda has quit IRC21:04
arunkant_rodrigods, Thanks for review on  . I have answered your last comment. In short, it was verified against devstack deployment. Please check21:04
*** yolanda has joined #openstack-keystone21:04
rodrigodsarunkant_, awesome, thanks for that21:05
rodrigodswill check in a minute21:05
*** spzala_ has quit IRC21:06
rodrigodsarunkant, hmm great, somehow i've missed that21:07
rodrigodslooks good :)21:07
stevemarmorgan: gotta head out, but the ldappool gate should be fixed21:07
morganok watching the gate21:07
lbragstaddolphm if mysql rounded up in the storage of the revocation events - that would only help us, right?21:11
*** xek has quit IRC21:11
lbragstaddolphm if a user gets a fernet token at 10:52:25.000002, fernet will store it as 10:52:25.00000021:12
openstackgerritMerged openstack/ldappool: add .gitreview and fix ldappool gate
*** pushkaru has joined #openstack-keystone21:12
openstackgerritMerged openstack/ldappool: Fix license in
*** xek has joined #openstack-keystone21:12
lbragstadif a user changes their password at 10:52:25.005000 and it's stored in sql as 10:52:26, would that still be caught in the revocation api?21:13
lbragstadbecause the token's issued_at time would be 10:52:25.000000 and the revocation event's issued_before time would be 10:52:26.00000021:14
openstackgerritMerged openstack/ldappool: additional files to ignore in .gitignore
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Add API Change Tutorial
*** nalind has quit IRC21:24
*** sdake_ has joined #openstack-keystone21:24
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add users functional tests
*** haplo37 has quit IRC21:28
*** sdake has quit IRC21:28
*** sdake has joined #openstack-keystone21:31
*** sdake_ has quit IRC21:32
*** ametts has quit IRC21:33
*** doug-fish has joined #openstack-keystone21:43
openstackgerritMerged openstack/keystone: Add mapping validation tests
*** gordc has quit IRC21:45
*** doug-fish has quit IRC21:48
*** mou has quit IRC21:50
*** ninag has quit IRC21:50
*** mou has joined #openstack-keystone21:50
*** pushkaru has quit IRC21:52
*** sigmavirus24 is now known as sigmavirus24_awa22:00
*** dmk0202 has quit IRC22:00
*** jsavak has quit IRC22:09
*** edtubill has quit IRC22:09
morganstevemar, crinkle: do we want to make ldappool adhere to global requirements? it is not currently doing so.22:10
crinklemorgan: i would think so? it has to be installable with keystone22:12
morganwill fix that22:12
morgancrinkle: i just bounced the py3 fix for ldappool out of the gate, will get pyldap in g-r and make it gate on g-r things before re-approving.22:13
*** phalmos has quit IRC22:15
*** timcline has quit IRC22:15
*** stingaci has quit IRC22:22
*** stingaci has joined #openstack-keystone22:22
*** pushkaru has joined #openstack-keystone22:22
*** jamielennox|away is now known as jamielennox22:24
*** ayoung has joined #openstack-keystone22:25
*** ChanServ sets mode: +v ayoung22:25
*** markvoelker_ has quit IRC22:25
*** edtubill has joined #openstack-keystone22:27
openstackgerritMorgan Fainberg proposed openstack/ldappool: make ldappool py3 compatible
morgancrinkle: ^ ok needs a re +2 when you have a few moments to confirm it looks correct still. :) thnx22:28
crinklemorgan: done22:30
*** dave-mccowan has joined #openstack-keystone22:34
*** dave-mcc_ has joined #openstack-keystone22:36
lbragstaddolphm  I have a devstack setup with the same exact mysql versions of everything - trying to recreate locally22:39
*** dave-mccowan has quit IRC22:40
*** dan_nguyen has joined #openstack-keystone22:41
*** pushkaru has quit IRC22:46
jamielennoxdo we know what's happening with the gate, are the problems from yesterday still a thing?22:48
lbragstadjamielennox yes22:48
jamielennoxis it a timing thing?22:50
lbragstadjamielennox it has to be..22:50
openstackLaunchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,In progress] - Assigned to Lance Bragstad (lbragstad)22:50
jamielennoxyea, i saw that autorecheck had tagged it as that22:51
lbragstadjamielennox check my last comment22:51
*** ninag has joined #openstack-keystone22:52
*** spzala has joined #openstack-keystone22:52
*** rbridgeman_ has quit IRC22:53
jamielennoxyea, that makes sense - it's not the failure i was looking at22:56
*** ninag has quit IRC22:57
lbragstadjamielennox oh - different failure?22:57
jamielennoxyep it was in the tempest negative tenant tests, but i can't remember where it came from22:57
jamielennoxwhich i thought was the same timing issue, but it looks like it was coming from test setup22:58
*** spzala has quit IRC23:02
*** ayoung has quit IRC23:03
*** dave-mcc_ has quit IRC23:06
*** slberger has left #openstack-keystone23:07
*** tonytan4ever has quit IRC23:09
lbragstadjamielennox yeah - i'm not sure where this timing issue is coming from anymore23:16
*** markvoelker has joined #openstack-keystone23:26
*** r-daneel has quit IRC23:27
*** markvoelker has quit IRC23:31
*** chlong has quit IRC23:35
*** stingaci has quit IRC23:38
*** arunkant_ has quit IRC23:48

Generated by 2.14.0 by Marius Gedminas - find it at!