Friday, 2016-05-13

*** rderose has quit IRC00:03
*** ayoung has joined #openstack-keystone00:20
*** ChanServ sets mode: +v ayoung00:20
*** tqtran has quit IRC00:22
*** rcernin has quit IRC00:24
*** markvoelker has joined #openstack-keystone00:27
*** dave-mccowan has joined #openstack-keystone00:27
*** catintheroof has quit IRC00:27
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/31576400:31
*** sdake has quit IRC00:33
*** woodburn1 has joined #openstack-keystone00:33
*** markvoelker has quit IRC00:34
*** dave-mccowan has quit IRC00:35
*** woodburn has quit IRC00:35
*** raddaoui has quit IRC00:37
*** openstackgerrit has quit IRC01:02
*** openstackgerrit has joined #openstack-keystone01:02
*** rbridgeman has joined #openstack-keystone01:09
*** chlong has joined #openstack-keystone01:13
*** dan_nguyen has quit IRC01:19
*** markvoelker has joined #openstack-keystone01:29
*** tonyb has joined #openstack-keystone01:29
tonybI'm playing catchup here but when did the keystone command go away?01:30
*** alex_xu_ has joined #openstack-keystone01:30
*** EinstCrazy has joined #openstack-keystone01:30
tonybtempest-lib on stable branches uses it so I either need to update tempest-lib or pin to an old enough version of python-keystoneclient01:31
*** chlong has quit IRC01:31
*** markvoelker has quit IRC01:34
dimstonyb : a few days ago01:35
tonybdims: with the 3.0.0 release?01:35
dimsy there was a big warning email to -dev list too01:36
* tonyb missed that thread :(01:36
dimstonyb http://markmail.org/message/uhke6kdmhpwuvjbs01:37
tonybdims: Thanks.01:37
morgantonyb: 3.0.001:39
morgantonyb: what dims said01:39
morgantonyb: but basically it's been deprecated for a looong time, openstackclient is the correct path forward.01:39
tonybmorgan: Thanks.01:39
morgantonyb: np, sorry this one caught you off guard :( - we tried to communicate it as loud as we could.01:40
tonybs/keystone/openstack identity/ ?01:40
morgantonyb: unfortunately, the openstackclient commands are quite different :(01:40
tonybmorgan: okay01:40
lbragstadtypically in the form of `openstack <entity> <operation>01:40
morgantonyb: it comes down to "keystoneclient" didn't do things the same way OSC did. OSC is standard across all things.01:40
lbragstad`01:40
morganlbragstad: in some cases. in others not even.01:41
tonybmorgan: I knew it was going away but I didn't realise it'd break the gate.01:41
morgantonyb: but what lbragstad said holds true *most* of the time.01:41
morgantonyb: /me nods.01:41
morgantonyb: sorry! :(01:41
tonybmorgan: no problem.01:41
morgantonyb: at least we've heard of exactly one place things broke now.. from you - this means we *almost* got it right.01:41
tonybmorgan: not cranky at all just trying to work out the way forward.01:42
morgantonyb: totally, you didn't come off cranky, still doesn't make me happy to hear we broke ya01:42
morgan*almost* right.01:42
morganso close.01:42
tonyb:)01:42
morganhehe01:42
*** roxanagh_ has joined #openstack-keystone01:44
*** EinstCra_ has joined #openstack-keystone01:44
*** EinstCrazy has quit IRC01:44
*** roxanagh_ has quit IRC01:44
*** EinstCra_ has quit IRC01:52
*** EinstCrazy has joined #openstack-keystone01:52
tonybIt doesn't look like it'll be too bad to fix01:53
* tonyb wanders off to test it ....01:53
*** EinstCrazy has quit IRC01:55
*** EinstCrazy has joined #openstack-keystone01:55
*** EinstCrazy has quit IRC01:56
stevemarmorgan thanks for answering tonyb's questions!01:57
*** EinstCrazy has joined #openstack-keystone01:57
morganstevemar: shhhh.01:57
*** morgan is now known as notmorgan01:57
stevemarmorgan: you're such a fountain of information01:57
* notmorgan is totally not morgan01:57
stevemarnotmorgan: i think folks should ask you all the questions01:58
notmorganheyyyy i'm not PTL anymore01:58
*** EinstCra_ has joined #openstack-keystone01:58
*** josecastroleon has joined #openstack-keystone02:00
notmorganstevemar: can we make someone else answer all the questions?02:00
notmorgan;)02:00
*** EinstCrazy has quit IRC02:01
*** EinstCrazy has joined #openstack-keystone02:02
*** josecastroleon has quit IRC02:02
tonybso I assume y'all will be ok with me capping python-keystoneclient <3.0.0 on stable/*02:03
notmorganyep02:03
notmorgani'm good with it02:03
notmorganand it makes *a lot* of sense to do so02:03
notmorganTonight the role of Steve Martinelli the PTL will be played by "notmorgan" :P02:04
*** EinstCra_ has quit IRC02:04
notmorgan>.>02:04
notmorgantonyb: in all seriousness though, capping makes sense for this02:04
tonyb:)02:04
tonybYeah it's a major release for a reason ....02:04
notmorganyep02:04
notmorganSemver and break things02:05
*** furface has quit IRC02:13
*** furface has joined #openstack-keystone02:13
*** iurygregory has quit IRC02:13
openstackgerritColleen Murphy proposed openstack/ldappool: Fix pool_full race condition  https://review.openstack.org/31583902:16
openstackgerritSteve Martinelli proposed openstack/ldappool: Raise an explicit BackendError on TLS failures  https://review.openstack.org/31584002:16
crinklestevemar: notmorgan ^02:16
notmorgancrinkle: ack.02:17
* crinkle learned about --until-failure today02:17
notmorgancrinkle: oooooh wait, is that a tox thing?02:17
crinklenotmorgan: ya02:17
crinkleor02:17
crinklemaybe a testr thing02:17
notmorganholy crap. that is useful.02:17
* notmorgan learned something awesome today.02:17
stevemarwait wait, i wanna learn02:17
crinkletox -epy27 -- --until-failure <--- run for a while until you're convinced 315839 works02:18
notmorganthat is fantastic.02:19
stevemarlol does it keep looping?02:19
stevemarcrinkle: ^02:19
crinklestevemar: ya02:19
stevemaryep02:20
stevemarjust tried02:20
stevemarhehe02:20
stevemari wonder if it failed in my env...02:20
stevemarop, yeah, it sure did02:20
stevemarnice02:20
stevemarcrinkle: nice, i pulled it down and it worked02:21
crinkleyay02:22
notmorgancrinkle: i always liked -- --failing02:23
notmorgancrinkle: but this so much better for chasing races down. i've been doing it the hard way :(02:23
lbragstadspeaking of races...02:23
lbragstadhttps://bugs.launchpad.net/keystone/+bug/1578866 fills me with hate02:24
openstackLaunchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,In progress] - Assigned to Lance Bragstad (lbragstad)02:24
notmorganlbragstad: round up!02:24
notmorganlbragstad: round tokens and events up? :P oh wait... that doesn't solve it either02:24
lbragstadi'm running all the same versions of mysql bits that devstack is and i can't seem to recreate it02:25
notmorganlbragstad: what version of mysql?02:25
lbragstad5.5.49-0ubuntu0.14.04.102:26
notmorganalso it is super edge-case racy02:26
lbragstadhttp://logs.openstack.org/30/314330/3/check/gate-tempest-dsvm-neutron-dvr/3d9272f/logs/dpkg-l.txt.gz02:26
*** EinstCrazy has quit IRC02:26
lbragstadit's racy but frequent enough to be a pain in the gate02:26
notmorganyep02:27
notmorganlbragstad: the real issue is that our tests do not mirror reality02:27
notmorganlbragstad: a token and password change in the same second is pretty narrow02:28
lbragstadnotmorgan agreed - but it's still a problem02:28
openstackgerritSteve Martinelli proposed openstack/ldappool: Use standard-library logging to record errors  https://review.openstack.org/31584402:28
notmorganlbragstad: i would be ok with forcing the rev. events to round up to the next second, but that likely is going to expose other issues02:28
lbragstadnotmorgan right02:28
notmorganlbragstad: frankly, this might actually be a sleep(1)02:29
lbragstadnotmorgan we already have one of those in the test02:29
notmorganlbragstad: if this is a tempest thing, it has to mirror what we support02:29
notmorganlbragstad: if it's in our unit tests, we can control the clock02:29
notmorganlbragstad: so since it's in tempest...02:30
*** markvoelker has joined #openstack-keystone02:30
stevemarnotmorgan: any brilliant idea how to make ldappool work with both pyldap and python-ldap?02:31
notmorganstevemar: at the same time?02:31
notmorganno.02:31
notmorganstevemar: to test it? yes, provide a test that explicitly overrides the library installed02:32
notmorganstevemar: (a different requirements.txt)02:32
notmorganstevemar: possibly we need to use "extras" and make one the default one ... another not default?02:32
*** EinstCrazy has joined #openstack-keystone02:33
*** markvoelker has quit IRC02:34
*** edtubill has quit IRC02:35
stevemarnotmorgan: if we swap out python-ldap for pyldap as the default, we're impacting a lot of folks that may upgrade their existing projects02:41
stevemarnotmorgan: OTOH, we could keep pyldap as an "extra", and specify that in keystone's requirements02:42
stevemarbut hmm... testing will be hard02:42
*** fangxu has quit IRC02:42
*** lhcheng_ has quit IRC02:57
notmorganstevemar: we'll need to see how an "extra" works as the default vs non-default02:58
notmorganmutual exclusive extra?02:58
notmorganstevemar: you know. lets just do pyldap for 2.0.0 and have a compat test job02:59
notmorganfor python-ldap02:59
notmorganhmm. actually i bet we can do some setuptools magic02:59
notmorganugh02:59
*** phalmos has joined #openstack-keystone03:01
stevemarnotmorgan: crinkle i posted 2 other changes: https://review.openstack.org/#/c/315844/ and https://review.openstack.org/#/c/315840/03:02
patchbotstevemar: patch 315844 - ldappool - Use standard-library logging to record errors03:02
patchbotstevemar: patch 315840 - ldappool - Raise an explicit BackendError on TLS failures03:02
stevemarthey are old pull requests03:02
*** phalmos_ has joined #openstack-keystone03:02
notmorganstevemar: not sure of the legalities...but you may want to set the author on those commits?03:03
notmorganto the original author03:03
notmorganof the PR03:03
stevemarnotmorgan: i was wondering that...03:03
notmorganalso commenting on the logging one.03:03
stevemarbut they wouldn't have signed the Openstack CLA?03:03
notmorganldappool doesn't require CLA03:03
notmorgani explicitly set it up to not.03:03
openstackgerritMerged openstack/ldappool: Fix pool_full race condition  https://review.openstack.org/31583903:04
notmorganstevemar: i would set the authors, the PRs could have been merged and then it'd be included here anyway03:05
notmorganthis way they at least get credit in the history03:05
stevemarah okay03:05
*** phalmos has quit IRC03:06
notmorganstevemar: you know how to set the author right? (some magic git invocation)03:06
stevemaryep03:06
notmorganokie03:06
notmorganalso look at the logging one.03:06
notmorgani think one of the debug statements should be .info03:06
openstackgerritSteve Martinelli proposed openstack/ldappool: Use standard-library logging to record errors  https://review.openstack.org/31584403:07
stevemarfixed one of them03:07
*** chlong has joined #openstack-keystone03:08
stevemarnotmorgan: hmm, kinda hard to find the author on this one: https://github.com/mozilla-services/ldappool/pull/303:10
notmorgani have a trick to find it03:10
stevemarnotmorgan: you have too many tricks03:12
notmorganstevemar: Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it>03:13
notmorganretrieved from https://github.com/lmctv/deform/commit/6ba3cef7380cee33f39beaba5d926522e7cde49d03:13
stevemarnotmorgan: probably should have PMed that :P03:13
notmorganstevemar: eh. *shrug*03:13
notmorganit's going into a git log03:13
notmorganit is public info on github03:13
notmorganif it was more than trivial to find i'd PM it03:14
openstackgerritSteve Martinelli proposed openstack/ldappool: Raise an explicit BackendError on TLS failures  https://review.openstack.org/31584003:14
stevemaranyway, ^03:14
openstackgerritRodrigo Duarte proposed openstack/keystone: Add protocols integration tests  https://review.openstack.org/30750803:14
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests  https://review.openstack.org/30544403:14
notmorganstevemar: sorry... -1 on that.. Tests?03:14
notmorganstevemar: if not possible or not reasonable, +203:15
stevemarnotmorgan: probably should have a test, just haven't looked into it yet03:16
notmorganstevemar: also, yay ldappool becoming a thing.03:17
notmorganthat is usable again03:17
stevemar:)03:17
notmorganso... we have one more major issue with py2303:18
notmorganpy3*03:18
notmorgan... python-memcached03:18
notmorganis STILL a trainwreck03:18
notmorganmaybe we make the default for keystone (and recommendation) pylibmc?03:18
*** agrebennikov has quit IRC03:20
stevemardidn't realize there was a big issue there03:20
notmorganyeah.. it "loads" but doesn't work03:20
*** pushkaru has joined #openstack-keystone03:21
tonybAre you thinking to switch out python-memcached or only use pylibmc on python_version>3.0 ?03:22
stevemartonyb: thats the thought03:25
stevemarlooking at http://sendapatch.se/projects/pylibmc/ -- it seems to be a drop-in replacement, almost?03:25
stevemartonyb: i think on either python version would be nice03:25
tonybstevemar: if it's better maintained then doing the full switch would be the best approach, but that impacts {'requirement': <Requirement('python-memcached>=1.56')>, 'used_by': set(['openstack/keystone', 'openstack/keystonemiddleware', 'openstack/designate', 'openstack/oslo.cache', 'openstack/zaqar'])}03:26
tonybso you'd probably want buy-in / help for the non keystone side03:26
tonyband doing it early in newton would be best :)03:27
stevemaroooof oslo.cache, that'll be a toughie03:27
stevemartonyb: for sure03:27
notmorgantonyb: pylibmc in newton would be the target03:27
* tonyb probably isn't saying anything surprising03:27
stevemar*early* newton03:27
notmorganstevemar: oslo.cache isn't an issue really03:27
notmorgantbh03:27
notmorganno one really uses that part but us (keystone)03:27
notmorganbut pylibmc is likely the best option03:27
notmorganbmemcache is... weird03:27
notmorgantonyb: ^ cc (correct me if i'm wrong)03:28
tonybnotmorgan: ISTR patches for nova but they may not have landed03:28
notmorgantonyb: oh nice. but still not the worst thing to use pylibmc if we can do it seamlessly03:28
stevemartonyb: i don't think they ever landed03:28
notmorgantonyb: but i think nova isn't landing those yet03:28
tonybokay that's probably fine then03:29
stevemari dont see where zaqar is using it03:30
notmorgansec03:30
tonybThis is the kind of thing that the 'requirements' team should be able to help with but it doesn't exist yet :(03:30
stevemartonyb: mind if i start the convo on the ML?03:30
jamielennoxi thought oslo.cache was going to let us punt these decisions?03:31
*** markvoelker has joined #openstack-keystone03:31
tonybstevemar: go nuts!03:31
notmorgankeystone, zaqar, nova imports it, ceilometer does, heat, kolla, fuel03:31
notmorgananyway.03:31
notmorganwe can make devstack use pylibmc for keystone03:31
notmorganand in unit tests it doesn't matter03:32
notmorganand we can document use pylibmc03:33
stevemartonyb: notmorgan i don't see how zaqar uses it: http://codesearch.openstack.org/?q=memcache&i=nope&files=&repos=zaqar03:33
notmorganstevemar: they are importing it.03:34
notmorganstevemar: and doing things with it03:34
notmorgani assume that means they are using it03:34
tonybstevemar: it's possible it's a left over from before they used oslo.cache03:34
stevemarnotmorgan: i don't see an import statement there03:34
notmorganoh hah are they "import zaqar.cache as oslo_cache" facepalm03:35
*** markvoelker has quit IRC03:35
notmorganstevemar: in zaqar.common.cache03:35
notmorganfrom oslo_cache import core03:36
notmorganand zaqar.common.decorator03:36
notmorganthey default to conf.cache.backend = 'dogpile.cache.memory'... oh man i need to go poke at flaper8703:36
notmorganabout that03:36
tonybAny chance y'all can drop a +1 on https://review.openstack.org/#/q/I6f31ece2c7b6290abd219f5bf2236718e9bd53f2,n,z ?03:36
stevemarwuuut03:36
stevemartonyb: about that, i commented on the bug, can we not backport https://github.com/openstack/python-novaclient/commit/d133a664ae19385ded69ee416f04f6243c26285e ?03:37
notmorgantonyb: done.03:37
notmorganstevemar: ... i don't want to rebase this https://review.openstack.org/#/c/271948/ :(03:38
patchbotnotmorgan: patch 271948 - keystone - Deprecate keystone.common.kvs03:38
tonybstevemar: I'll look but it looked like several places in the tests they were shelling out to keystone commands rather than using the keystoneclient module03:40
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate keystone.common.kvs  https://review.openstack.org/27194803:41
stevemarnotmorgan: the rebase button worked *shrugs*03:41
notmorganstevemar: cool?03:41
notmorganstevemar: still needs reno or something... i think03:42
stevemarnotmorgan: oh yeah03:42
openstackgerritSteve Martinelli proposed openstack/ldappool: Use standard-library logging to record errors  https://review.openstack.org/31584403:45
*** tqtran has joined #openstack-keystone03:47
*** tqtran has quit IRC03:48
*** pushkaru has quit IRC03:52
*** jamielennox is now known as jamielennox|away03:58
openstackgerritMerged openstack/ldappool: Use standard-library logging to record errors  https://review.openstack.org/31584404:02
*** jamielennox|away is now known as jamielennox04:03
jamielennoxmore than you wanted to know about ldap ...04:04
*** phalmos_ has quit IRC04:05
*** ayoung has quit IRC04:07
*** lhcheng has joined #openstack-keystone04:11
*** ChanServ sets mode: +v lhcheng04:11
*** edtubill has joined #openstack-keystone04:16
*** links has joined #openstack-keystone04:23
*** doug-fish has joined #openstack-keystone04:25
jamielennoxnotmorgan, stevemar: so i'm trying to write up this spec for service token passing user headers rather than user token04:26
jamielennoxand i just want reassuring there's not a security problem here04:27
jamielennoxbecause it seems like if you have service role you can do whatever you like as anyone04:27
notmorganjamielennox: there isn't04:27
notmorgannot anymore than any other thing with bearer tokens04:27
notmorganmake it an option to disable04:27
notmorgan*shrug*04:28
jamielennoxyea, i'm going to write it up anyway04:28
jamielennoxalso it looks like it would make sense to make a function that validates both04:28
notmorganbut in short we want to move away from "pass user authz" between services and need that validation04:28
notmorganeh04:28
notmorganno04:28
jamielennoxbecause it seems stupid to validate your user service auth token04:28
notmorganmake it an either or.04:28
jamielennoxand then immediately use it again to validate the user headers04:28
notmorgandon't revalidate user authz if the service->service thing is in place04:28
jamielennoxrather than pass the service token + user headers and get back a reply with both04:28
notmorganmake someone ask for that04:28
notmorgani really don't want to make it a "must have both" unless there is a damn good reason04:29
notmorgani think it's better if we push to "validate on the edge"04:29
jamielennoxso must have both is how we know that we can trust the X-User etc04:29
*** doug-fish has quit IRC04:29
jamielennoxwe don't just blindly trust those headers04:29
notmorganno trust those headers if the role XXXX is on the service token04:30
notmorganbut i wouldn't make it validate both04:30
notmorganif you pass a service token and a user token... ????04:30
notmorgani'd always defer to service token and then know if header XXXX is trusted04:31
*** markvoelker has joined #openstack-keystone04:31
jamielennoxbut we want the joint ownership for many things04:33
notmorganyou still rely on the user authz04:33
notmorganand data04:33
openstackgerritSteve Martinelli proposed openstack/ldappool: make ldappool py3 compatible  https://review.openstack.org/31572804:33
notmorganjust don't need to validate the user token04:33
jamielennoxwe need to pass the user headers to keystone04:33
notmorgannope04:33
jamielennoxoh04:34
notmorganif it is validated at the edge04:34
jamielennoxergh - i know where you're going04:34
notmorganuser -> service04:34
notmorganit's good.04:34
notmorgan:)04:34
jamielennoxwe had discussed to only pass essentially the fernet data around04:35
jamielennoxthen have keystone rebuild that info04:35
jamielennoxrather than pass the entire env around04:35
notmorganpass the minimal data around04:35
notmorganbut i'd rather avoid asking keystone each step04:35
notmorganif that makes sense?04:35
jamielennoxso we need to validate service token anyway04:36
notmorganroles also don't really matter04:36
notmorganjust validate the service token04:36
notmorganbut it saves a dual token validate04:36
jamielennoxso my thing is - combine it into one04:36
jamielennoxvalidate the service token and user headers in one go04:36
jamielennoxresp={'service': {...}, 'user': {...}}04:37
notmorganif we're doing that lets force that to be on moving auth to /AUTH04:37
*** markvoelker has quit IRC04:37
notmorganand make it a type of auth validation04:37
notmorgani don't want to wedge it into v304:37
jamielennoxi'd be happy to put it somewhere new04:37
notmorgani think next week i'm gonna hack the auth change04:37
notmorgan :(04:37
jamielennoxbut i want to make at least the keystone part of this doable this cycle04:38
jamielennoxi've got a few changes up for context stuff04:38
notmorganyeah04:38
jamielennoxstill haven't figured out messaging04:38
notmorganand they're pretty good.04:38
jamielennoxso all that is going to take a while04:38
notmorganjust need to land/message them04:38
notmorganso i think /AUTH plus wire /v3/auth up to /auth04:38
notmorganwe win04:38
notmorganand make ksa smart04:38
jamielennoxbut i semi promised it to nova at summit so i need to do it now04:39
jamielennoxwe can do that, just add 'auth': '/auth' or something to GET /04:40
jamielennoxall the generic passwords should hit / first for information anyway04:40
jamielennoxso we just build that into discovery04:40
jamielennoxi've always wanted to do more with the / response - like what auth plugins are enabled, what extensions etc04:40
* notmorgan nods04:41
notmorganwell def. ping me on any of those reviews04:41
jamielennoxanyway - unified response?04:41
jamielennoxvalidate service token and user headers in one?04:42
openstackgerritSteve Martinelli proposed openstack/ldappool: use standard docstring convention for parameters  https://review.openstack.org/31587904:45
jamielennoxit's been a while since i looked at fernet's formatting - oh god04:47
openstackgerritSteve Martinelli proposed openstack/ldappool: use standard docstring convention for parameters  https://review.openstack.org/31587904:57
*** itsmee has quit IRC05:04
*** sdake has joined #openstack-keystone05:05
*** itsme_ has joined #openstack-keystone05:07
itsme_Hello all05:08
*** hoonetorg has quit IRC05:11
*** jaosorior has joined #openstack-keystone05:21
*** hoonetorg has joined #openstack-keystone05:24
*** sdake has quit IRC05:26
*** edtubill has quit IRC05:27
*** sdake has joined #openstack-keystone05:28
*** chlong has quit IRC05:29
*** markvoelker has joined #openstack-keystone05:32
*** rbridgeman has quit IRC05:33
*** edtubill has joined #openstack-keystone05:33
*** sdake has quit IRC05:33
jamielennoxstevemar: why does everything with oauth have admin_required for policy?05:34
*** markvoelker has quit IRC05:37
stevemarjamielennox: because thats what i copy and pasted 3 years ago when i didn't know any better05:38
stevemarjamielennox: also, your change really doesn't want to merge05:38
jamielennoxstevemar: god damn it, again05:38
jamielennox?05:38
stevemarjamielennox: i recheck'ed05:38
jamielennoxstevemar: i want to do some testing with that in early in the cycle05:39
jamielennoxmerge damnit!05:39
jamielennoxstevemar: have you ever heard of anyone using oauth? at least the request token stuff should be < admin05:40
jamielennoxi think05:40
jamielennoxit doesn't seem like anyone "owns" a consumer05:41
*** edtubill has quit IRC05:41
jamielennoxbut i almost think it should be unprotected and assume that oauth will validate the consumer key05:41
jamielennox  i was trying to clean some of this up for a blog post - but i can't see how anyone could reasonably use it05:42
jamielennoxyep, authorize_request_token requires admin - so this is broken for essentially everyone05:45
*** fangxu has joined #openstack-keystone05:46
openstackgerritRyosuke Mizuno proposed openstack/keystone: Add the validation rules when create token  https://review.openstack.org/31589405:48
*** edtubill has joined #openstack-keystone05:48
*** rcernin has joined #openstack-keystone05:50
*** edtubill has quit IRC05:50
*** edtubill has joined #openstack-keystone05:54
*** jamielennox is now known as jamielennox|away05:56
*** jamielennox|away is now known as jamielennox06:10
*** fangxu_ has joined #openstack-keystone06:15
*** fangxu has quit IRC06:15
*** fangxu_ is now known as fangxu06:15
stevemarjamielennox: just the rule by default?06:17
*** woodster_ has quit IRC06:18
stevemarjamielennox: if the policy rule was changed, would it be less broken?06:18
*** fangxu has quit IRC06:21
*** lhcheng has quit IRC06:28
*** furface has quit IRC06:29
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate keystone.common.kvs  https://review.openstack.org/27194806:30
jamielennoxthe mechanism works, it's not going to give me the subcredentials that dolphm suggested, but it's actually a much better idea for the likes of heat06:33
jamielennoxstevemar: so i think create_consumer is right as admin06:33
*** markvoelker has joined #openstack-keystone06:33
jamielennoxbut i think the rest of it can be just member, and maybe validate that the project you have permissions in the project you authorize (but that should be checked anyway)06:34
jamielennoxactually for everything overcloud like heat it's completely right, i'm just not sure how we would deal with consumer keys06:36
*** markvoelker has quit IRC06:38
jamielennoxstevemar: maybe request_token should be service06:42
jamielennoxmaybe access_token as well, but if they're protected by the consumer secret then so long as you're careful with that distribution it should be the same thing06:43
*** ninag has joined #openstack-keystone06:51
*** tesseract has joined #openstack-keystone06:56
*** ninag has quit IRC06:56
openstackgerritMerged openstack/keystone-specs: Improve example of project acting as a domain  https://review.openstack.org/31554406:57
stevemarjamielennox: service meaning the service role?07:01
*** edtubill has quit IRC07:05
jamielennoxstevemar: yep07:18
jamielennoxstevemar: sorry, notifications playing up07:18
*** fawadkhaliq has joined #openstack-keystone07:20
stevemarnp07:23
jamielennoxso there's a bunch of stuff missing from policy - which i can't quite remember if it defaults to any role or admin only07:29
jamielennoxthis is way too sensitive for past 5 on a friday07:30
*** chaithu has joined #openstack-keystone07:30
*** markvoelker has joined #openstack-keystone07:34
stevemarjamielennox: ++07:36
stevemarroll out, have a good one07:36
stevemarjamielennox: http://img.izismile.com/img/img7/20141015/1000/daily_gifdump_719_13.gif07:38
*** markvoelker has quit IRC07:39
*** pnavarro has joined #openstack-keystone07:42
*** frickler has quit IRC07:54
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:02
*** rha has joined #openstack-keystone08:04
*** nkinder has quit IRC08:06
*** josecastroleon has joined #openstack-keystone08:10
stevemartonyb: finally sent that pylibmc note to the mailing list \o/08:14
stevemari need to sleep08:15
stevemarjamielennox: have a good weekend08:15
tonybstevemar: yes you do!08:15
stevemar:)08:15
tonybstevemar: I was surprised that you were awake enough to comment on my squashed backport08:15
jamielennoxstevemar: yea, i'm supposed to be done - it's gotta be late08:15
stevemarmy body lives east coast, but my mind is clearly a fan of pacific time08:15
tonyb:)08:16
stevemar*yawn* see y'all in a few hours :)08:16
*** lhcheng has joined #openstack-keystone08:17
*** ChanServ sets mode: +v lhcheng08:17
*** jorge_munoz has quit IRC08:19
*** ozialien10 has joined #openstack-keystone08:20
*** lhcheng has quit IRC08:22
*** alex_xu_ has quit IRC08:33
*** ramishra has quit IRC08:34
*** markvoelker has joined #openstack-keystone08:35
*** fhubik has joined #openstack-keystone08:36
*** alex_xu has joined #openstack-keystone08:37
*** markvoelker has quit IRC08:39
*** mhickey has joined #openstack-keystone08:42
*** jistr has joined #openstack-keystone08:46
*** frickler has joined #openstack-keystone08:47
chaithuHi All09:06
chaithuWe are trying to do Keystone to Keystone Federation. We configured one keystone as Service Provider and other keystone as Identity Provider09:07
chaithuWe got unscoped token but we are facing issue when trying to access federated projects list through the unscoped token.09:08
chaithuHere is the log from sp http://paste.openstack.org/show/497014/09:09
chaithuAny help is highly appreciated.09:09
*** dmk0202 has joined #openstack-keystone09:09
chaithuThis is the blog we are following http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/09:09
samueldmqmorning09:13
*** nkinder has joined #openstack-keystone09:17
*** henrynash has quit IRC09:18
*** mvk has joined #openstack-keystone09:25
*** markvoelker has joined #openstack-keystone09:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Add API Change Tutorial  https://review.openstack.org/30278909:37
*** markvoelker has quit IRC09:40
*** ninag has joined #openstack-keystone09:51
*** ninag has quit IRC09:56
chaithuWe got scoped token, but we are getting an error when we are trying to single sign on. Here is the error http://paste.openstack.org/show/497022/09:58
*** TxGVNN has joined #openstack-keystone10:00
*** EinstCrazy has quit IRC10:02
*** mhickey has quit IRC10:09
*** d0ugal has quit IRC10:20
*** d0ugal has joined #openstack-keystone10:21
chaithuWe are trying to do Keystone to Keystone Federation. We configured one keystone as Service Provider and other keystone as Identity Provider10:23
chaithuWe got scoped token, but we are getting an error when we are trying to single sign on. Here is the error http://paste.openstack.org/show/497022/10:23
chaithuThis is how we are doing single sign on http://paste.openstack.org/show/497032/10:24
chaithuDid anyone try this before ?10:24
chaithuDid anyone try this before ?10:25
*** lhcheng has joined #openstack-keystone10:31
*** ChanServ sets mode: +v lhcheng10:31
samueldmqchaithu: morning10:33
samueldmqchaithu: most of us are USA-based; so expect people to show up in the next few hours10:33
samueldmqchaithu: I don't have experience with k2k, maybe rodrigods may help you10:34
chaithuOh.... Thank you for info :)10:34
samueldmqyw10:34
*** lhcheng has quit IRC10:36
chaithusamueldmq: Yes, I have hope10:36
*** markvoelker has joined #openstack-keystone10:36
*** markvoelker has quit IRC10:41
*** josecastroleon has quit IRC10:43
*** itsme_ has quit IRC11:14
*** NikitaKonovalov has joined #openstack-keystone11:16
NikitaKonovalovHi, I've got a question about trusts behavior. If the trustor user is deleted will the trustee be able to get a token with a trust issued earlier?11:18
*** mvk has quit IRC11:19
NikitaKonovalovdoes impersonation flag matter in this case?11:21
*** jaosorior has quit IRC11:30
*** jaosorior has joined #openstack-keystone11:30
rodrigodschaithu, hi... you mean web sso?11:31
chaithuYes11:32
chaithurodrigods: remote-ids missing here  http://paste.openstack.org/show/497049/11:32
rodrigodsso why are you trying via CLI? you should try via horizon11:33
rodrigods?11:33
chaithurodrigods: even from horizon same error too11:33
rodrigodschaithu, k2k, right? We can't do k2k websso using what is upstream yet11:34
rodrigodsit is doable, but with some customization11:34
chaithurodrigods: Should we set remote-ids like this https://keystone.idp/v3/OS-FEDERATION/saml2/idp_111:34
rodrigodschaithu, this is to improve the security (a must do, actually)11:35
rodrigodsbut for k2k websso, we need further work on horizon and keystoneclient11:35
chaithuWe did some customization to horizon settings http://docs.openstack.org/developer/keystone/federation/websso.html#setup-web-single-sign-on-sso11:36
*** josecastroleon has joined #openstack-keystone11:37
chaithuis that remote-ids correct ?11:37
*** markvoelker has joined #openstack-keystone11:37
rodrigodschaithu, what I mean is: you can't do k2k federation using websso with the current code upstream. You need custom code added. Websso is only possible with "regular" federation -> using an IdP that is not keystone11:38
chaithuOh understand11:39
chaithurodrigods: I have question then with the scoped token what do we do ?11:40
*** markvoelker has quit IRC11:42
rodrigodschaithu, from the point you have an openstack token, you can use the openstack resources11:47
*** mvk has joined #openstack-keystone11:49
*** rodrigods has quit IRC11:52
*** rodrigods has joined #openstack-keystone11:52
chaithurodrigods: We are unable to access openstack resources. Do we need to role add group federated to admin  ?12:07
chaithurodrigods: http://paste.openstack.org/show/497052/12:08
rodrigodschaithu, that depends what you are trying to do and also on the policy files. That particular request (list users) is admin only12:09
rodrigodschaithu, https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L49 or https://github.com/openstack/keystone/blob/master/etc/policy.json#L4512:10
*** links has quit IRC12:14
*** ninag has joined #openstack-keystone12:16
*** BrAsS_mOnKeY has quit IRC12:16
*** darrenc_ has joined #openstack-keystone12:17
*** darrenc has quit IRC12:17
*** belmoreira has joined #openstack-keystone12:21
*** belmoreira has quit IRC12:21
*** raildo-afk is now known as raildo12:22
*** BrAsS_mOnKeY has joined #openstack-keystone12:22
*** darrenc_ is now known as darrenc12:22
*** henrynash has joined #openstack-keystone12:25
*** ChanServ sets mode: +v henrynash12:25
chaithurodrigods: Thanks a lot rodrigods :) . Now we are able to access resources. I missed to add admin role to federated group.12:33
*** markvoelker has joined #openstack-keystone12:38
*** iurygregory has joined #openstack-keystone12:41
*** rcernin_ has joined #openstack-keystone12:42
*** rcernin has quit IRC12:42
*** markvoelker has quit IRC12:43
*** edtubill has joined #openstack-keystone12:45
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200612:48
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200612:50
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200612:54
*** phalmos has joined #openstack-keystone12:55
*** edtubill has quit IRC12:59
*** ayoung has joined #openstack-keystone13:00
*** ChanServ sets mode: +v ayoung13:00
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers  https://review.openstack.org/21295713:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200613:04
*** doug-fis_ has joined #openstack-keystone13:10
*** pnavarro has quit IRC13:11
*** doug-fis_ has quit IRC13:11
*** doug-fis_ has joined #openstack-keystone13:11
*** sdake has joined #openstack-keystone13:14
openstackgerritMerged openstack/keystone: switch to tempest instead of deprecated tempest-lib  https://review.openstack.org/31190113:15
*** rcernin_ has quit IRC13:16
*** dave-mccowan has joined #openstack-keystone13:16
*** timcline has joined #openstack-keystone13:19
*** fawadkhaliq has quit IRC13:20
*** fawadkhaliq has joined #openstack-keystone13:20
*** edtubill has joined #openstack-keystone13:20
*** timcline has quit IRC13:21
*** odyssey4me has quit IRC13:21
*** odyssey4me has joined #openstack-keystone13:21
*** timcline has joined #openstack-keystone13:22
*** fawadkhaliq has quit IRC13:25
*** rcernin has joined #openstack-keystone13:27
*** spzala has joined #openstack-keystone13:33
*** edtubill has quit IRC13:34
*** markvoelker has joined #openstack-keystone13:39
*** jsavak has joined #openstack-keystone13:40
*** fhubik has quit IRC13:42
*** openstack has joined #openstack-keystone13:43
*** markvoelker has quit IRC13:44
*** openstack has joined #openstack-keystone13:44
chaithuHi Stevemar13:52
*** openstack has joined #openstack-keystone13:52
chaithuStevemar: Hi Stevemar. What is sso-demo.test.ibmcloud.com here https://gist.github.com/stevemart/4b41bd5437048a7fdfab What you are referring. Could you please tell us  ?13:53
samueldmqlbragstad: do you have any news about failing jobs after fernet was made default?13:53
*** markvoelker has joined #openstack-keystone13:55
samueldmqlbragstad: http://logs.openstack.org/31/197331/21/check/gate-tempest-dsvm-full/7342a5a/console.html#_2016-05-13_13_26_40_08613:55
lbragstadsamueldmq I've been working on it for a few days13:56
lbragstadhttps://bugs.launchpad.net/keystone/+bug/157886613:56
samueldmqlbragstad: have you verified that the deleted token is the same used in the next request ?13:57
samueldmqlbragstad: for example: https://github.com/openstack/tempest/blob/16863a1b4b16b53c3a73813d5dc6c3122f2d8cbc/tempest/api/identity/admin/v2/test_roles_negative.py#L41-L4613:57
samueldmqlbragstad: token in L45 is the same that is revoked in L4413:58
*** ninag has quit IRC13:58
openstackLaunchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,In progress] - Assigned to Lance Bragstad (lbragstad)13:58
samueldmqlbragstad: this is test_list_roles_request_without_token (another test), and it's failing sometimes as well :/13:58
lbragstadsamueldmq yeah - that makes sense13:59
lbragstadsamueldmq are you saying the test is wrong?13:59
samueldmqlbragstad: I don't think so, otherwise it would be failing 100% of the time13:59
samueldmq:(13:59
lbragstadsamueldmq right13:59
samueldmqlbragstad: but yes, I was wondering that, but doesn't make sense14:00
*** ninag has joined #openstack-keystone14:00
samueldmqlbragstad: what do you think is causing the issue ?14:00
samueldmqlbragstad: is it always related to revocations ?14:00
lbragstadsamueldmq I'm not quite sure anymore..14:00
lbragstadI have a strong feeling that it is related to second precision14:01
lbragstadbut we've accounted for that in the tempest tests14:01
samueldmqlbragstad: fernet tokens don't have subsecond precision at all right ?14:02
lbragstadsamueldmq right - that's why we have some time.sleep(1) statements in tempest14:02
*** ninag has quit IRC14:03
samueldmqlbragstad: so token validation check does: IF user_token.expiry > now(): fail14:03
*** ninag has joined #openstack-keystone14:04
*** ametts has joined #openstack-keystone14:04
samueldmqlbragstad: is that right?14:04
lbragstadsamueldmq yes - but I think it's the opposite14:04
lbragstadif token.expires < now(): fail14:04
samueldmqlbragstad: if we changed > by >= that should be fixed14:05
lbragstadsamueldmq i'm not sure it's related to token expiration14:05
samueldmqlbragstad: and the current second would be taken into account, which does make sense to me14:05
lbragstadsamueldmq i have a feeling it's the issued_at time of the token and issued_before time of the revocation event14:05
samueldmqlbragstad: it's explicit revocation ?14:05
samueldmqlbragstad: yes, when we check for validity of the token against the revocation event14:06
samueldmqlbragstad: we need to include the current second, something like that I was saying14:06
samueldmqthe comparison should be >= vs > (same applies to <= and < if that's the case)14:07
*** ninag has quit IRC14:08
*** gordc has joined #openstack-keystone14:08
samueldmqlbragstad: makes sense ?14:09
*** EinstCrazy has joined #openstack-keystone14:09
lbragstadsamueldmq we do14:09
lbragstadsamueldmq for example14:09
lbragstadif we get a token at 9:10:12.000001 which is rolling into the threshold of a new second, the token issued_at time will be 9:10:12.00000014:10
*** ninag has joined #openstack-keystone14:11
*** ninag has quit IRC14:11
lbragstadwhen we search the revocation events - we compare it to the issued_before time of the revocation event with a less than or equal to statement.14:11
lbragstadhttps://github.com/openstack/keystone/blob/0f579aa362f021b17f7c2931ffca309e395bd51f/keystone/models/revoke_model.py#L22314:12
lbragstadso - if we revoke our token at 9:10:12.000524 and get a new token at 9:10:12.00982714:13
samueldmqlbragstad: ok14:13
samueldmqlbragstad: https://github.com/openstack/keystone/blob/0f579aa362f021b17f7c2931ffca309e395bd51f/keystone/models/revoke_model.py#L22514:13
lbragstadthe token we *just* got would still be revoked14:13
samueldmqlbragstad: may this be happening ?14:13
lbragstadhence the time.sleep(1)s in tempest14:13
lbragstadsamueldmq what do you mean?14:14
samueldmqlbragstad: what happens if 'issued_at' is not in the token data?14:15
samueldmqlbragstad: it isn't a required field, and is_revoked would return False14:17
samueldmqlbragstad: https://github.com/openstack/keystone/blob/0f579aa362f021b17f7c2931ffca309e395bd51f/keystone/models/revoke_model.py#L247-L25214:17
samueldmqlbragstad: however not sure this is the case for those failures14:17
*** sigmavirus24_awa is now known as sigmavirus2414:19
*** jaosorior has quit IRC14:19
*** links has joined #openstack-keystone14:19
openstackgerritDolph Mathews proposed openstack/keystone: Add feature support matrix to documentation  https://review.openstack.org/31611814:20
openstackgerrithenry-nash proposed openstack/keystone: Drop the (unused) domain table  https://review.openstack.org/31611914:20
*** edtubill has joined #openstack-keystone14:23
lbragstadyeah - issued_at should always be passed into the revoke api I believe14:24
lbragstadI can't think of a case where it wouldn't be14:24
lbragstadsamueldmq do you have any thoughts on https://bugs.launchpad.net/keystone/+bug/1578866/comments/1114:25
openstackLaunchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,In progress] - Assigned to Lance Bragstad (lbragstad)14:25
lbragstad?14:25
*** dan_nguyen has joined #openstack-keystone14:25
samueldmqlbragstad: if I do DELETE v3/tokens/abc12314:26
samueldmqlbragstad: what does the revocation event look like?14:26
* samueldmq 's looking14:26
*** d0ugal has quit IRC14:29
*** links has quit IRC14:29
lbragstadsamueldmq this is an example of what the revocation events look like in sql http://cdn.pasteraw.com/5x9hfswrfn0g91kmrf2wzdn7j2uxace14:29
samueldmqlbragstad: that can be a possibility14:29
samueldmqlbragstad: the other is that our revocation code is wrong ? (very unlikely?)14:29
*** EinstCrazy has quit IRC14:30
lbragstadsamueldmq possibly14:30
samueldmqlbragstad: so something must match before comparing issued_before14:30
*** d0ugal has joined #openstack-keystone14:30
lbragstadsamueldmq the part that throws me is that if the logic in the revocation api were wrong we would hopefully be seeing more consistent failures14:31
*** EinstCrazy has joined #openstack-keystone14:32
samueldmqlbragstad: ++14:32
samueldmqlbragstad: look at this failure http://paste.openstack.org/show/OBUGE3Ep7SBerrPiO81l/14:32
samueldmqlbragstad: search for 13:16:1814:32
*** jorge_munoz has joined #openstack-keystone14:32
lbragstadsamueldmq i see 8 occurrences14:33
samueldmqlbragstad: don't look at the ones logged by tempest14:33
samueldmqlbragstad: overall you can see 3 blocks of log14:33
lbragstadsamueldmq "issued_at": "2016-05-13T13:16:18.000000Z"14:33
samueldmqlbragstad: the first is POST /tokens at  13:16:1814:34
samueldmqlbragstad: the second is DELETE /tokens at 13:16:1814:34
samueldmqlbragstad: the third is GET /roles and keystone still says it's 13:16:18 at its time14:34
lbragstadsamueldmq and that third GET shouldn't work14:36
*** jorge_munoz has quit IRC14:36
*** jorge_munoz has joined #openstack-keystone14:36
samueldmqlbragstad: exactly, because token should be invalid14:36
lbragstadsamueldmq yup14:37
samueldmqlbragstad: and that's not related to user changing password, so yes it's indeed an issue with the revocation events + token revocations14:37
lbragstadsamueldmq that's what i'm thinking14:37
samueldmqnothing specific to password change workflow14:38
*** can8dnSix has joined #openstack-keystone14:38
*** d0ugal has quit IRC14:38
lbragstadright - but something that is still requires the revocation API14:38
*** gyee_ has joined #openstack-keystone14:38
*** gyee has quit IRC14:39
openstackgerritMichael Bayer proposed openstack/keystone: Don't set None for ldap.OPT_X_TLS_CACERTFILE  https://review.openstack.org/31612914:40
*** ksavich has quit IRC14:42
samueldmqlbragstad: tell me, when we do the revoke check in https://github.com/openstack/keystone/blob/0f579aa362f021b17f7c2931ffca309e395bd51f/keystone/models/revoke_model.py#L22314:44
samueldmqlbragstad: are we comparing the time strings14:44
samueldmq?14:44
lbragstadsamueldmq i can double check14:45
*** mou has quit IRC14:48
*** mou has joined #openstack-keystone14:49
samueldmqlbragstad: I am asking because sometimes I see "2016-05-13T13:16:18Z", and sometimes I see "2016-05-13T13:16:18.000000Z"14:49
samueldmqlbragstad: and:14:49
lbragstadsamueldmq for what keys?14:49
*** jorge_munoz_ has joined #openstack-keystone14:49
lbragstad"2016-05-13T13:16:18.000000Z" should be the token data's issued_at time14:49
samueldmqlbragstad: always with the subsecond precision right?14:50
samueldmqlbragstad: even if it is always 0 for fernet14:50
*** jorge_munoz__ has joined #openstack-keystone14:50
lbragstadsamueldmq should be14:51
samueldmqlbragstad: yes, should be, see:14:51
samueldmq>>> "2016-05-13T13:16:18.000000Z" >= "2016-05-13T13:16:18.000000Z"14:51
samueldmqTrue14:51
samueldmq>>> "2016-05-13T13:16:18.000000Z" >= "2016-05-13T13:16:18Z"14:51
samueldmqFalse14:51
lbragstad....14:51
lbragstadwtf14:51
lbragstadreally?!14:51
lbragstadok - so... how would that be a race condition?14:52
edmondswayoung, I've got a customer who mentioned using cn as the user password attribute with LDAP because "i want to use for authentication kerberos"... does that make sense? will it work?14:52
*** jorge_munoz has quit IRC14:53
*** jorge_munoz__ is now known as jorge_munoz14:53
*** slberger has joined #openstack-keystone14:53
samueldmqlbragstad: if the token was generated exactly at 13:16:18 (0 subseconds) and keystone showed it without the .00000014:53
samueldmq?14:53
*** jorge_munoz_ has quit IRC14:54
openstackgerritMerged openstack/keystone: Move the federation abstract base class out of core  https://review.openstack.org/31413714:54
lbragstadsamueldmq but... sql can truncate the revocation datetimes14:54
*** BjoernT has joined #openstack-keystone14:54
lbragstadso if something was revoked at 9:10:12.093452 it would be stored as 9:10:1214:55
samueldmqlbragstad: so it's always stored without subsecond precision anyways14:56
lbragstadsamueldmq but - that can change depending on the version of sql you're using14:56
samueldmqlbragstad: I'd need to do some testing and see how dates are handled in token generation / revocation events14:57
lbragstadsome versions of sql will truncate extra precision from the datetime object14:57
lbragstadand some will perform rounding based on the precision14:57
samueldmqlbragstad: we'd need to debug the revocation engine, and see what's coming from sql14:58
lbragstadsamueldmq dropping some log statements in it now14:58
samueldmqlbragstad: nice, bad part of it is that we can't make our patches fail :(14:58
*** BAKfr has quit IRC14:59
samueldmqlbragstad: would we be allowed to merge some temporary logging in keystone ? so we can debug this issue ?14:59
lbragstadsamueldmq possibly - dstanek was talking about that yesterday15:00
lbragstadthe revocation api doesn't have much for logging15:00
samueldmqbecause it would be too verbosing right ? :/15:00
samueldmqverbose*15:01
*** ninag has joined #openstack-keystone15:01
*** ninag has quit IRC15:01
*** woodster_ has joined #openstack-keystone15:01
lbragstadsamueldmq probably15:01
*** phalmos has quit IRC15:02
*** jsavak has quit IRC15:02
*** BAKfr has joined #openstack-keystone15:02
*** jsavak has joined #openstack-keystone15:02
*** ninag_ has joined #openstack-keystone15:03
lbragstadsamueldmq my diff of the logging i'm adding http://cdn.pasteraw.com/hpertp6wqfbtmc160owayzodpqjd62315:03
*** phalmos has joined #openstack-keystone15:03
samueldmqlbragstad: maybe logging all the token data is more useful ?15:05
samueldmqlbragstad: so that we can identify what token is being checked15:05
*** d0ugal has joined #openstack-keystone15:05
*** julim has quit IRC15:05
samueldmqlbragstad: I will apply this and run the test test_list_roles_request_without_token so many times that it will need to fail sometime15:05
samueldmqheheh15:05
lbragstadsamueldmq ha - we already tried that15:06
lbragstadsamueldmq looks like they are compared as datetime objects15:07
lbragstad2016-05-13 15:03:31.862 1946 INFO keystone.models.revoke_model [req-97f4542a-f634-4f02-ada1-d4c9a601d12b - - - - -] revoke_map.issued_before: datetime.datetime(2016, 5, 13, 15, 3, 30)15:07
lbragstad2016-05-13 15:03:31.862 1946 INFO keystone.models.revoke_model [req-97f4542a-f634-4f02-ada1-d4c9a601d12b - - - - -] token_data.issued_at: datetime.datetime(2016, 5, 13, 15, 3, 30)15:07
*** jsavak has quit IRC15:07
*** julim has joined #openstack-keystone15:08
lbragstadhttp://cdn.pasteraw.com/sytc6xrjsnytufmzi5erthorld6jyo715:08
samueldmqlbragstad: yep15:12
ayoungedmondsw, password?15:12
ayoungit does not make sense to me.  password should not be readable, so I would think that would break no matter what.15:12
edmondswayoung, yeah, I couldn't figure what they might be thinking, but thought maybe I was missing something15:13
ayoungWe had a way to do Kerberos with LDAP with the same general setup as a simple bind15:13
*** dmk0202 has quit IRC15:13
*** rha has quit IRC15:13
edmondswayoung, how? I've not worked with kerberos before15:14
mfischdolphm: ready15:14
ayoungedmondsw, if they want to do Kerberos, front the /auth section with mod_auth_kerb or mod_auth_gssapi and set the auth method to kerberos15:14
ayoungI have not tested it in a while, it might well have bitrotted, but I don't think so15:14
*** rha has joined #openstack-keystone15:14
*** rha has quit IRC15:14
ayoungedmondsw, you need to have the kerberos auth plugin15:14
*** haplo37 has joined #openstack-keystone15:14
ayoungwe had that in a separate repo,  keystoneclient-kerberos.  Which might be an issue with keystoneauth1 now.15:15
*** rha has joined #openstack-keystone15:15
*** rha has quit IRC15:15
*** rha has joined #openstack-keystone15:15
ayoungedmondsw, http://adam.younglogic.com/2014/07/kerberos-for-horizon-and-keystone/  is the last step.  Let me find an earlier15:15
*** chaithu has quit IRC15:16
ayounghttp://adam.younglogic.com/2014/05/keystoneclient-s4u2proxy/15:16
mfischdstanek: also here15:16
*** pnavarro has joined #openstack-keystone15:16
ayoungedmondsw, but to be honest, I like the combo of Kerberos and LDAP via SSSD.15:16
dstanekmfisch: k15:17
ayounghttp://adam.younglogic.com/2015/03/key-fed-lookup-redux/15:17
*** openstackgerrit has quit IRC15:17
*** openstackgerrit has joined #openstack-keystone15:17
ayoungedmondsw,  jamielennox and did a proof of concept for that last summer, albeit using FreeIPA as the Kerb backend, and it worked quite well.15:18
ayounghttps://github.com/admiyo/rippowam/tree/master/roles/packstack/tasks15:18
*** rha has quit IRC15:19
edmondswayoung, tx, I'll do some reading15:20
ayoungedmondsw, ++15:20
*** rha has joined #openstack-keystone15:21
*** rha has quit IRC15:21
*** rha has joined #openstack-keystone15:21
*** edtubill has quit IRC15:24
*** edtubill has joined #openstack-keystone15:24
*** henrynash has quit IRC15:26
*** spzala has quit IRC15:27
*** roxanagh_ has joined #openstack-keystone15:28
*** phalmos_ has joined #openstack-keystone15:29
*** phalmos has quit IRC15:32
openstackgerritElvin Tubillara proposed openstack/keystone: Config changes to support PCI-DSS  https://review.openstack.org/31467915:32
samueldmqlbragstad: have you applied those LOGs to your local deploy?15:32
*** ericksonsantos has joined #openstack-keystone15:33
lbragstadsamueldmq yeah - i have a local devstack with tempest + keystone15:33
samueldmqlbragstad: are you logging all the token data?15:33
lbragstadsamueldmq not yet15:33
lbragstadI can modify it though15:33
samueldmqlbragstad: could you do a DELETE token and then GET /something15:33
samueldmqso we can see what it looks like ?15:34
samueldmqlbragstad: please log all the token data and all the revoke_map if possible15:34
*** jsavak has joined #openstack-keystone15:34
lbragstadsamueldmq ok15:34
samueldmqlbragstad: I am thinking of writing some unittests15:34
samueldmqlbragstad: to test the revocation engine behavior15:34
*** tonytan4ever has joined #openstack-keystone15:37
lbragstadsamueldmq http://cdn.pasteraw.com/k2weyf0z12vptw5w6glxzd1vekb4wm915:38
lbragstadwith this diff http://cdn.pasteraw.com/oytc7i7y88qji5cd2zig2g2ur7skibl15:38
*** roxanagh_ has quit IRC15:40
samueldmqlbragstad: thanks15:40
*** yarkot has quit IRC15:43
*** haplo37 has quit IRC15:47
*** henrynash has joined #openstack-keystone15:52
*** ChanServ sets mode: +v henrynash15:52
openstackgerrithenry-nash proposed openstack/keystone: Drop the (unused) domain table  https://review.openstack.org/31611915:54
*** GB21 has joined #openstack-keystone15:55
*** tesseract has quit IRC15:56
*** EinstCrazy has quit IRC15:56
*** gyee_ has quit IRC15:56
*** spzala has joined #openstack-keystone15:58
*** spzala_ has joined #openstack-keystone15:59
*** jsavak has quit IRC16:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31617016:02
*** gyee has joined #openstack-keystone16:02
*** ChanServ sets mode: +v gyee16:02
*** spzala has quit IRC16:02
*** rcernin has quit IRC16:02
*** jsavak has joined #openstack-keystone16:02
*** eandersson has quit IRC16:03
lbragstadsamueldmq not seeing much in those logs16:04
lbragstadsamueldmq well - not much interesting stuff16:04
*** spzala_ has quit IRC16:04
lbragstadit does look like issued_at and issued_before are both datetime objects when they are compared16:04
*** lhcheng has joined #openstack-keystone16:11
*** ChanServ sets mode: +v lhcheng16:11
*** rbridgeman has joined #openstack-keystone16:11
*** spzala has joined #openstack-keystone16:11
*** GB21 has quit IRC16:15
*** spzala has quit IRC16:16
*** roxanagh_ has joined #openstack-keystone16:17
*** markvoelker has quit IRC16:18
samueldmqlbragstad: yes, same here16:18
*** josecastroleon has quit IRC16:20
dolphmlbragstad: what were the edge cases that fernet didn't *originally* support? or what didn't it support previous to mitaka, anyway?16:20
lbragstaddolphm wrt subsecond accuracy?16:21
dolphmlbragstad: i'm just thinking API operations16:21
dolphmlbragstad: like, you couldn't get a fernet token using an oauth access token, right?16:21
lbragstaddolphm yeah, oauth was one16:22
lbragstadtrusts on v2.0 were another16:22
*** agrebennikov has joined #openstack-keystone16:22
lbragstadusing bind16:22
dolphmlbragstad: federation was an issue in kilo16:22
*** markvoelker has joined #openstack-keystone16:22
dolphmooh, bind16:22
dolphmand we still don't support that in master, right?16:22
lbragstadright16:23
lbragstadbind has never made it into the token payload16:23
lbragstadbecause it can technically be unbound16:23
*** spzala has joined #openstack-keystone16:23
samueldmqlbragstad: http://paste.openstack.org/show/497105/ I can't even revoke my own fernet token with my fernet token here in my devstack16:23
openstackgerritDolph Mathews proposed openstack/keystone: Add feature support matrix to documentation  https://review.openstack.org/31611816:26
lbragstadsamueldmq that's strange16:26
lbragstadsamueldmq dolphm I can confirm that with my devstack the sql backend is truncating datetimes for revocation events, not rounding them16:27
lbragstadrevocation event before going into sql  {'user_id': u'ca2c5cb035b8443ba79c9560d938dd00', 'issued_before': '2016-05-13T16:12:10.745395Z'}16:27
*** spzala has quit IRC16:27
lbragstaddata in sql after the revocation event is persisted - | 2292 | ca2c5cb035b8443ba79c9560d938dd00 | 2016-05-13 16:12:10 | 2016-05-13 16:12:10 |16:28
dolphmlbragstad: on mysql version what?16:30
lbragstad5.5.49-0ubuntu0.14.04.116:30
lbragstaddolphm which is the same one used by devstack16:30
samueldmqtokens keep being valid is the issue right ?16:31
agrebennikovhey ayoung, you have any idea why in v3 I cannot set my id for a project, while in v2 I could do it?16:31
samueldmqso revocation events always happen *after* token issue in our scenario16:31
samueldmqrounding vs truncating shouldn't matter in this case16:31
samueldmqlbragstad: ^16:31
lbragstadyeah - if it rounded up I think it would only benefit us16:31
samueldmqexactly16:32
lbragstadsince the expression is issued_before >= issued_at16:32
lbragstadhttps://github.com/openstack/keystone/blob/0f579aa362f021b17f7c2931ffca309e395bd51f/keystone/models/revoke_model.py#L22316:32
lbragstadregardless - our app should be handling time correctly so we're not prone to that kind of stuff anyway16:32
lbragstador -16:32
lbragstadour app should be handling time such that we aren't prone to differences in backends16:33
lbragstadi.e. removing microsecond precision before storing the revocation event16:33
*** spzala has joined #openstack-keystone16:35
*** sdake_ has joined #openstack-keystone16:36
lbragstaddolphm samueldmq actually16:36
lbragstaddolphm samueldmq does this sound crazy?16:37
lbragstadin keystone when a user changes their password we send a notification to handle the revocation event16:37
dolphmsamueldmq: "set my id for a project" ?16:37
lbragstadcould it be that the validation of the "revoked" token is beating the queue to keystone?16:38
*** spzala has quit IRC16:39
*** sdake has quit IRC16:39
*** mvk has quit IRC16:41
samueldmqdolphm: what's that?16:41
dolphmsamueldmq: i'm quoting you, wondering what you're referring to16:41
samueldmqlbragstad: keep in mind it's happening for other cases too, like explicitly deleting a token16:42
dolphmlbragstad: i doubt it16:42
*** jistr has quit IRC16:42
lbragstadsamueldmq right - but for fernet we have to rely on the revocation api for everything16:42
dolphmsamueldmq: with fernet?16:42
dolphmlbragstad: ++16:42
samueldmqdolphm: yes16:43
samueldmqdolphm: I didn't remember to say that ? lol16:43
samueldmqdolphm: for example (failing with explicit token delete)16:43
samueldmqhttp://logs.openstack.org/31/197331/21/check/gate-tempest-dsvm-full/7342a5a/console.html#_2016-05-13_13_26_40_08616:43
dolphmsamueldmq: that produces a revocation event, just like changing your password16:43
samueldmqdolphm: exactly, so it's nothing to do with the password change specifically16:44
*** raddaoui has joined #openstack-keystone16:44
*** daemontool_ has joined #openstack-keystone16:45
lbragstadi'm standing up a new devstack and i'm going to run with http://logs.openstack.org/30/314330/3/check/gate-tempest-dsvm-neutron-dvr/3d9272f/logs/reproduce.sh16:45
*** spzala has joined #openstack-keystone16:47
*** daemontool has quit IRC16:48
*** josecastroleon has joined #openstack-keystone16:49
*** spzala has quit IRC16:51
lbragstaddolphm samueldmq ping me your public keys if you want to poke at it16:52
*** roxanagh_ has quit IRC16:52
*** sdake_ has quit IRC16:54
*** tpeoples has quit IRC16:56
*** nikhil has quit IRC16:56
*** auggy has quit IRC16:56
*** jed56 has quit IRC16:56
*** spzala has joined #openstack-keystone16:59
*** catintheroof has joined #openstack-keystone16:59
*** catintheroof has quit IRC17:00
*** catintheroof has joined #openstack-keystone17:00
*** spzala has quit IRC17:03
samueldmqlbragstad: I can't reproduce the error even with a bash script17:05
samueldmqlbragstad: http://paste.openstack.org/show/497108/ run under 1 sec, and it always work as expected17:05
lbragstadsamueldmq yeah - bknudson and i both saw the same thing17:06
*** jsavak has quit IRC17:07
openstackgerritDolph Mathews proposed openstack/keystone: Add feature support matrix to documentation  https://review.openstack.org/31611817:07
*** jsavak has joined #openstack-keystone17:07
samueldmqlbragstad: I'd like to see logs showing X-Auth-Token in the succeeding request is the same as the revoked one17:08
samueldmqlbragstad: so we'd be sure the issue is within keystone17:08
samueldmqlbragstad: tempest deletes self.client.token, but what happens if it changes that value by a valid token somehow before the next request17:09
lbragstadsamueldmq jordanP had a patch up to add more logging17:09
lbragstadspecifically for that case17:09
lbragstadhttps://review.openstack.org/#/c/314121/17:10
patchbotlbragstad: patch 314121 - tempest - WIP : also log Auth-Token17:10
samueldmqlbragstad: in the password test, specifically, it does something like: revoke self.client.token and use self.users_client in the next request17:10
openstackgerrithenry-nash proposed openstack/keystone: Drop the (unused) domain table  https://review.openstack.org/31611917:10
samueldmqlbragstad: what's the guarantee self.client.token is always equal to self.users_client.token ?17:10
*** spzala has joined #openstack-keystone17:10
samueldmqlbragstad: what I mean is that it can be a race condition within tempest tests, maybe unlikely to happen, but how can we (keystone side) be sure of that?17:11
lbragstadsamueldmq I'd have to dig around in the tempest code to answer that one17:11
lbragstadbut if it wasn't - it wouldn't be a race condition, would it?17:11
samueldmqlbragstad: not sure, it would be something like tempest replacing the revoked token with another very quickly17:13
lbragstadhmm - that seems like it would either fail all the time or not at all?17:13
samueldmqlbragstad: like having a tokenpool and getting another token from there17:13
samueldmqlbragstad: not sure, that's very unlikely to happen, but we need to start from the beginning, and make sure it isn't anything related to tempest17:14
samueldmqbefore crazily digging into keystone17:14
samueldmqand it's something none of us got to reproduce, not even once17:14
samueldmq:(17:14
lbragstadsamueldmq yeah - that makes sense17:14
*** spzala has quit IRC17:14
lbragstadbut that's why i'm trying to do it with devstack and tempest17:15
lbragstadwhich should technically reproduce it17:15
lbragstadwhich makes me think it might be something that environmental between the two environments17:15
samueldmqI tried running tempest tests, but maybe it's a bit slower running that test in isolation, with all the setup, etc17:15
samueldmqlbragstad: jordanP has a "wip do not merge" patch, I think we should merge something, and then expect someone to break17:17
*** roxanagh_ has joined #openstack-keystone17:17
samueldmqrather than rechecking and expecting that specific patch to fail17:17
*** josecastroleon has quit IRC17:19
*** tonytan4ever has quit IRC17:19
*** can8dnSix has quit IRC17:19
arunkantstevemar, dstanek: anyone to do review on this..https://review.openstack.org/#/c/279828/ .17:20
patchbotarunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...17:20
*** tpeoples has joined #openstack-keystone17:25
*** gordc has quit IRC17:27
samueldmqlbragstad: dolphm: if I mark a patch as workflow-1, jenkins will still run jobs on it right?17:29
*** jed56 has joined #openstack-keystone17:29
lbragstadsamueldmq yes - it should17:29
dolphmsamueldmq: absolutely17:30
dolphmsamueldmq: it won't merge though, even with another WF+117:30
samueldmqlbragstad: dolphm thanks, gonna try something17:30
*** auggy has joined #openstack-keystone17:30
samueldmqdolphm: nice17:30
*** gordc has joined #openstack-keystone17:37
*** jsavak has quit IRC17:39
*** nikhil_ has joined #openstack-keystone17:39
*** nikhil_ is now known as Guest5308917:40
*** mvk has joined #openstack-keystone17:43
*** josecastroleon has joined #openstack-keystone17:44
*** spzala has joined #openstack-keystone17:44
samueldmqlbragstad: https://review.openstack.org/#/q/topic:token-revocation-issue17:45
samueldmqdolphm: ^17:46
samueldmqhopefully we can catch a failing gate in one of those17:46
*** henrynash has quit IRC17:46
lbragstadsamueldmq why remove the X-Auth-Token?17:47
lbragstadsamueldmq isn't that what you wanted to know?17:47
samueldmqlbragstad: I am removing the part that omitted ait17:47
samueldmqit*17:47
lbragstadoh - right17:48
lbragstadnvm17:48
dolphmlbragstad: other way around17:48
samueldmq:)17:48
samueldmqwe could also add some keystone logging17:48
dolphmsamueldmq: that's awesome17:48
*** mvk_ has joined #openstack-keystone17:48
samueldmqand add a Depends_On on those patches17:48
samueldmqlbragstad: dolphm ^ so we could really track everything is going on when it fails17:49
samueldmqboth tempest and keystone sides17:49
dolphmsamueldmq: ping the tempest channel - that's a lot of reviews17:49
samueldmqdolphm: yes, I left a question to mtreinish there, but submitted without a response, I will leave a message there17:50
samueldmqthanks for the heads up17:50
*** mkrcmari__ has joined #openstack-keystone17:50
*** roxanagh_ has quit IRC17:50
*** lhcheng has quit IRC17:51
*** mvk has quit IRC17:52
samueldmqdone17:52
*** dan_nguyen has quit IRC17:52
*** spzala has quit IRC17:52
*** ksavich has joined #openstack-keystone17:52
dolphmsamueldmq: instead of IGNORE, DO NOT MERGE  would make it more clear who should do the ignoring. otherwise, well done lol17:52
*** roxanagh_ has joined #openstack-keystone17:52
*** mvk has joined #openstack-keystone17:53
openstackgerritMerged openstack/keystone: Deprecate keystone.common.kvs  https://review.openstack.org/27194817:53
*** mvk_ has quit IRC17:53
samueldmqdolphm: does changing commit message restart jenkins jobs ?17:55
dolphmsamueldmq: no, i think jenkins recognizes that as trivial17:55
*** mkrcmari__ has quit IRC17:55
*** stingaci has joined #openstack-keystone17:56
samueldmqdolphm: nice, I will change the title in the next 'recheck', so I don't cause a flood in qa again right now17:56
samueldmqo/17:56
notmorganuhm. iirc commit message changes do re-run check jobs17:57
notmorganyou don't lose (in most cases) the review scores.17:57
dolphmhrm17:58
dolphmtest it with one17:58
*** mvk_ has joined #openstack-keystone17:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31617018:02
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: morgan and dolphm, let's see if this re-runs jobs  https://review.openstack.org/21295718:02
samueldmqit was notmorgan, actually18:02
notmorganlol18:02
*** mvk has quit IRC18:02
samueldmqand yes, it does lol18:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers  https://review.openstack.org/21295718:03
samueldmqfixing it ^ o/18:03
samueldmqyep, I see jobs starting for the new patchsets in zuul.o.o18:05
samueldmqanyways18:05
samueldmqlbragstad: do you have a patch up with logs everywhere around revocation events + token validation18:05
samueldmqlbragstad: so we can post it X times and wait for one to fail :) and change 197331 did18:06
samueldmqas*18:06
lbragstadsamueldmq I don't18:07
samueldmqlbragstad: k I will create one18:07
lbragstadI started working on a patch yesterday to make all datetime formats in keystone truncate microsecond precision18:07
samueldmqlbragstad: nice, maybe useful depending on the issue18:10
*** josecastroleon has quit IRC18:11
samueldmqlbragstad: but for now we just need to understand what the heck is going on lol18:11
lbragstadyeah - something we might move forward with regardless18:11
lbragstadyeah - exactly18:11
*** ninag_ has quit IRC18:11
*** ninag has joined #openstack-keystone18:12
*** doug-fish has joined #openstack-keystone18:12
*** doug-fi__ has joined #openstack-keystone18:15
*** mkrcmari__ has joined #openstack-keystone18:15
*** tonytan4ever has joined #openstack-keystone18:15
*** doug-fis_ has quit IRC18:15
*** doug-fish has quit IRC18:17
*** spandhe has joined #openstack-keystone18:17
*** doug-fi__ has quit IRC18:18
*** spzala has joined #openstack-keystone18:18
*** mvk_ has quit IRC18:19
*** dan_nguyen has joined #openstack-keystone18:19
*** sdake has joined #openstack-keystone18:20
*** josecastroleon has joined #openstack-keystone18:20
*** spzala has quit IRC18:20
*** spzala has joined #openstack-keystone18:21
*** ninag has quit IRC18:21
*** doug-fish has joined #openstack-keystone18:23
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982818:25
*** sdake_ has joined #openstack-keystone18:26
stevemararunkant: nice patch, gyee: ^ feel free to kick it off18:26
gyeestevemar, thank you Sir!18:26
arunkantstevemar and gyee: thanks18:26
*** sdake has quit IRC18:28
stevemarayoung: can you review https://review.openstack.org/#/c/311203/2 edmondsw is poking 968696 again :)18:29
patchbotstevemar: patch 311203 - keystone - admin gets is_admin_project by default18:29
samueldmqlbragstad: you still around ?18:31
lbragstadsamueldmq yep18:31
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31623818:31
samueldmqlbragstad: could you test ^ in your install ?18:31
lbragstadsamueldmq yeah18:31
lbragstadfirst node is trashed, i'm rebuilding18:31
samueldmqlbragstad: kk18:33
lbragstadsamueldmq thoughts? https://review.openstack.org/#/c/316238/118:37
patchbotlbragstad: patch 316238 - keystone - DO NOT MERGE: LOG revocation mechanism18:37
*** mkrcmari__ has quit IRC18:39
*** ninag has joined #openstack-keystone18:39
*** mkrcmari__ has joined #openstack-keystone18:39
*** ninag has quit IRC18:42
*** ayoung has quit IRC18:42
*** ninag has joined #openstack-keystone18:43
bknudsonwhy can't we merge logging fixes?18:43
*** ninag has quit IRC18:44
*** roxanagh_ has quit IRC18:44
*** ninag has joined #openstack-keystone18:44
*** TxGVNN has quit IRC18:45
*** ninag has quit IRC18:47
*** roxanagh_ has joined #openstack-keystone18:48
stevemarthis change really doesn't want to merge: https://review.openstack.org/#/c/255686/818:49
patchbotstevemar: patch 255686 - keystone - Make AuthContext depend on auth_token middleware18:49
samueldmqlbragstad: why not, will add that too18:49
*** josecastroleon has quit IRC18:50
samueldmqbknudson: we can, but not sure if doing at that level wouldn't be too verbose18:50
samueldmqlbragstad: were you able to run that patch ? or not yet?18:51
bknudsonif it's needed to fix this problem then it's not too verbose.18:51
*** doug-fish has quit IRC18:51
lbragstadsamueldmq not yet - still reproducing the environment for devstack18:51
*** doug-fish has joined #openstack-keystone18:52
*** mhickey has joined #openstack-keystone18:52
*** sdake_ has quit IRC18:52
*** doug-fish has quit IRC18:53
*** sdake has joined #openstack-keystone18:53
*** sdake has quit IRC18:53
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31623818:54
samueldmqlbragstad: ^ updated, I also added depends-on that tempest change, so we can get both logs18:54
lbragstadsamueldmq sweet - i'll pull that one18:54
*** doug-fish has joined #openstack-keystone18:54
*** ninag_ has joined #openstack-keystone18:55
*** doug-fish has quit IRC18:59
samueldmqlbragstad: what log do you see those info ?19:00
samueldmqlbragstad: I am looking at /var/log/apache2/keystone.log in my devstack19:00
lbragstadsamueldmq https://review.openstack.org/#/c/316238/219:00
patchbotlbragstad: patch 316238 - keystone - DO NOT MERGE: LOG revocation mechanism19:00
*** doug-fish has joined #openstack-keystone19:02
lbragstadsamueldmq i got a syntax error with the patch19:03
lbragstadsamueldmq here is my diff19:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31623819:03
samueldmqlbragstad:  ^19:03
*** mvk_ has joined #openstack-keystone19:03
lbragstadsamueldmq http://cdn.pasteraw.com/httod9dtcszzf7gole5ava8053myb4a19:03
samueldmqlbragstad: nice, I just fixed it, and used %r everywhere19:03
samueldmq:)19:03
lbragstadsamueldmq awesome, thanks!19:04
samueldmqlbragstad: could you try http://paste.openstack.org/show/497121/ locally?19:05
samueldmqlbragstad: tokenv2-request.json is like http://paste.openstack.org/show/497122/19:05
samueldmqthis reproduces the behavior of a test that failed19:06
lbragstadsamueldmq was that with devstack?19:06
*** mkrcmari__ has quit IRC19:06
*** roxanagh_ has quit IRC19:06
*** daemontool_ has quit IRC19:06
samueldmqlbragstad: yes, but I changed the passwords to be admin everywhere19:07
samueldmqlbragstad: you just need to change what's in tokenv2-request.json19:07
samueldmqto match your user's creds19:07
lbragstadok19:07
lbragstadsamueldmq what's jq?19:09
samueldmqah, it's used to parse json :)19:10
samueldmqjust sudo apt-get install jq19:10
*** roxanagh_ has joined #openstack-keystone19:11
lbragstadsamueldmq can you get it to happen consistently with that script?19:11
samueldmqyep19:11
lbragstadsamueldmq http://cdn.pasteraw.com/mvrlv5r6nofj68l2uw82idrfnn4mbtd19:12
samueldmqlbragstad: that's consistent, isn't it ?19:12
*** dan_nguyen has quit IRC19:12
lbragstadsamueldmq but that's the expected behavior right?19:13
lbragstadget a token, request the roles, revoked the token, request roles and get a 401 ?19:13
lbragstadthat's what *should* happen19:13
samueldmqlbragstad: http://paste.openstack.org/show/497123/19:13
samueldmqlbragstad: exactly, that's what should happen all the time :)19:14
lbragstadoh - I thought you meant you were able to recreate what tempest was seeing19:15
lbragstadwhere the last 401 is actually a valid set of roles19:15
*** stingaci has quit IRC19:15
samueldmqlbragstad: no, not that easy :p19:15
samueldmqlbragstad: just wanted you to run that and see the logs19:15
lbragstadunfortunately!19:15
samueldmqlbragstad: to see if we're logging all the info we will need19:16
samueldmqto debug19:16
samueldmq:)19:16
*** pnavarro has quit IRC19:17
*** yarkot has joined #openstack-keystone19:17
lbragstadsamueldmq here19:18
lbragstadis a snippet from the keystone logs http://cdn.pasteraw.com/8uxeevbgpw8kgqo8ud2epdzcc8ibcbm19:18
lbragstadsamueldmq with your patch19:18
*** phalmos_ has quit IRC19:19
samueldmqlbragstad: have you applied the latest patchset ?19:20
samueldmqlbragstad: it's weird I don't see any logging from the sql driver19:20
lbragstadyeah - i think so19:20
samueldmq'Persisting revocation event: ...'19:20
*** roxanagh_ has quit IRC19:21
lbragstad2016-05-13 19:16:33.805 2957 DEBUG keystone.revoke.backends.sql [req-a0060f29-3b25-4259-9841-1a47ba975b65 89b214449d25408eb24a3ef9cc59a0e4 c649855d3c85494ab5fea2bec4cf64f4 - default default] Persisting revocation event: {'issued_before'19:21
lbragstad: '2016-05-13T19:16:33.805141Z', 'audit_id': u'YXmiQxZwS4qYIz4eZGyM1Q'} revoke /opt/stack/keystone/keystone/revoke/backends/sql.py:9919:21
samueldmqlbragstad: ok, let me post that patch several times :B19:24
samueldmqand let's wait, and discover what's going on19:24
samueldmqo/19:25
lbragstadsamueldmq sounds good19:25
openstackgerritMerged openstack/keystone-specs: Add note about service provider fields  https://review.openstack.org/30347119:25
*** ayoung has joined #openstack-keystone19:30
*** ChanServ sets mode: +v ayoung19:30
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31624819:33
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625019:34
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625119:35
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625319:35
*** stingaci has joined #openstack-keystone19:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625419:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625519:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625619:37
samueldmqthere we go!19:37
lbragstadsamueldmq hopefully we get something19:43
*** tonytan4ever has quit IRC19:43
samueldmqlbragstad: in one of those for tempest, I can see at least one failed in gate-tempest-dsvm-neutron-full19:44
samueldmqlbragstad: but I don't have access to the logs yet :(19:44
samueldmqlbragstad: look 316227 in zuul.o.o19:44
lbragstadhttps://review.openstack.org/#/c/316227/19:44
patchbotlbragstad: patch 316227 - tempest - IGNORE: Log X-Auth-Token19:44
samueldmqlbragstad: it doesn't show in the patch yet, you need to go to zuul.openstack.org and use 316227 as a filter19:45
lbragstadsamueldmq so - you think this might somehow be related to how tempest clients get tokens?19:46
*** neophy has joined #openstack-keystone19:47
samueldmqlbragstad: maybe, we will see :)19:47
samueldmqlbragstad: if not, our keystone changes will help on understanding what we're doing wrong19:48
openstackgerritMerged openstack/keystone-specs: keystone-manage doctor  https://review.openstack.org/31030919:55
*** roxanagh_ has joined #openstack-keystone19:58
samueldmqlbragstad: I have something from tempest run20:00
lbragstadsamueldmq  ?20:00
samueldmqlbragstad: and looks like it isn't their fault20:00
lbragstaddo you have the logs?20:00
samueldmqlbragstad: http://logs.openstack.org/27/316227/1/check/gate-tempest-dsvm-neutron-full/fef7c51/console.html#_2016-05-13_19_40_18_99620:00
*** dan_nguyen has joined #openstack-keystone20:00
*** tonytan4ever has joined #openstack-keystone20:01
samueldmqlbragstad: look for gAAAAABXNiVwu_S6NLq3H2ZiJkh7P17eymY_rDnyQtxDU6bUrRBlauTukXg32kHfcUQnmXM7CbgZKl7bnD3-4OgH_S9uZ4GzjycM4cE6wlx3GrIc0tdrRricGrGh8wwMys6G-pk6J7i3R9JTQsndB8miFrGa69rlAVzjdhiJewK03U67PmV_tJ420:01
samueldmqoops sorry didn't need to be the full token20:01
samueldmqlbragstad: specially here http://logs.openstack.org/27/316227/1/check/gate-tempest-dsvm-neutron-full/fef7c51/console.html#_2016-05-13_19_40_19_03920:01
samueldmqlbragstad: when it does the DELETE token request20:02
samueldmqlbragstad: then it gets 204 from keystone20:02
samueldmqlbragstad: and just after tried to delete a token from a user in a given project (with the revoked token passed in request headers)20:02
samueldmqlbragstad: and it succeeds20:02
samueldmqwith 20420:02
*** dmk0202 has joined #openstack-keystone20:03
lbragstadso that was this guy - specifically20:07
lbragstadhttps://github.com/openstack/tempest/blob/master/tempest/api/identity/admin/v2/test_roles_negative.py#L183-L19620:07
samueldmqlbragstad: yes, L192 revokes the token that is used in L19320:08
samueldmqlbragstad: and is being accepted by the server20:08
*** med_ has quit IRC20:09
*** roxanagh_ has quit IRC20:09
samueldmqlbragstad: now we need to wait for keystone patches to have their jobs finished20:10
samueldmqlbragstad: and hopefully catch something as well20:10
lbragstadok - so we know tempest is using the right token20:11
samueldmqlbragstad: yep20:11
lbragstadwhich makes sense because if something was wrong there it would probably be a lot more frequent20:11
lbragstads/it/the failures/20:11
samueldmqlbragstad: yep, that makes sense, but we needed to make this sure :)20:12
*** fangxu has joined #openstack-keystone20:12
samueldmqthen move a step forward in the investigation20:12
*** raildo is now known as raildo-afk20:13
*** spandhe has quit IRC20:14
*** roxanagh_ has joined #openstack-keystone20:17
*** edmondsw has quit IRC20:18
*** dmk0202 has quit IRC20:22
*** mvk_ has quit IRC20:22
*** timcline has quit IRC20:23
*** timcline has joined #openstack-keystone20:25
*** wrightspace has joined #openstack-keystone20:27
*** roxanagh_ has quit IRC20:27
*** roxanagh_ has joined #openstack-keystone20:34
*** sheel has quit IRC20:35
*** ametts has quit IRC20:36
lbragstadsamueldmq it's not looking good for the home team20:41
lbragstadmost of the keystone patches with revocation logging are passing20:41
*** roxanagh_ has quit IRC20:42
*** roxanagh_ has joined #openstack-keystone20:45
lbragstadsamueldmq ooo! https://review.openstack.org/#/c/316253/20:45
patchbotlbragstad: patch 316253 - keystone - DO NOT MERGE: LOG revocation mechanism20:45
samueldmqlbragstad: yes!20:45
samueldmqlbragstad: let's look into it, let me find the logs20:46
lbragstadI don't think I'll ever be this happy about a gate failure again20:46
lupineYOU CAN'T TELL ME WHAT TO DO20:46
* lupine merges20:46
*** daemontool has joined #openstack-keystone20:46
samueldmqlbragstad: hahahahah same here o/20:47
lbragstadsamueldmq i can't get to the logs yet20:47
*** gordc has quit IRC20:47
samueldmqlbragstad: http://logs.openstack.org/53/316253/1/check/gate-tempest-dsvm-postgres-full/c9a6d63/console.html20:48
samueldmqlbragstad: we can't get to them through zuul anymore20:48
samueldmqlbragstad: you need to go to http://logs.openstack.org and the pattern is (2 last digits of change)/(full change)20:49
samueldmqeg. http://logs.openstack.org/53/31625320:49
samueldmq:)20:49
*** wrightspace has quit IRC20:49
lbragstadsamueldmq https://github.com/openstack/tempest/blob/master/tempest/api/identity/admin/v3/test_tokens.py#L4720:49
lbragstadthat is what's failing this time20:50
samueldmqlbragstad: nice, test is very clear about what it is dong20:50
samueldmqdoing20:50
lbragstadyeah20:50
*** neophy has quit IRC20:50
samueldmqlbragstad: I can see openstack request id req-6cbc3296-612b-4963-84fa-db2240e13ff820:51
samueldmqlbragstad: in the main log, let's look for something in the keystone logs20:51
samueldmqlbragstad: http://logs.openstack.org/53/316253/1/check/gate-tempest-dsvm-postgres-full/c9a6d63/logs/apache/keystone.txt.gz20:52
*** daemontool has quit IRC20:52
samueldmqlbragstad: log is too big, still loading20:54
lbragstadsamueldmq use wget and parse it locally20:54
samueldmqlbragstad: 'adding revocation event' logged TOOOO MANY times20:54
samueldmqlbragstad: hey man you're smart :D20:54
lbragstadsamueldmq i've been riding the struggle bus all week20:55
*** doug-fis_ has joined #openstack-keystone20:55
*** doug-fis_ has quit IRC20:55
samueldmqlbragstad: ahahha20:55
samueldmqlbragstad: 50mb and downloading20:55
samueldmqwow20:56
samueldmq120mb20:56
*** mhickey has quit IRC20:57
*** doug-fish has quit IRC20:58
samueldmqlbragstad: there shouldn't be TOO many revocation events20:59
samueldmqlbragstad: maybe something is wrong20:59
*** slberger1 has joined #openstack-keystone21:02
*** neophy has joined #openstack-keystone21:02
*** slberger has quit IRC21:03
lbragstadsamueldmq so here https://github.com/openstack/tempest/blob/master/tempest/api/identity/admin/v3/test_tokens.py#L4121:05
lbragstadthat's validating the user's fresh token21:05
lbragstadand I think that is logged by your revocation stuff at line 310074 in the logs21:05
samueldmqlbragstad: why do you think it is in that line ?21:06
lbragstadthat token's issued_at time 'issued_at': datetime.datetime(2016, 5, 13, 20, 22, 57)21:06
lbragstadsamueldmq just walking through the test21:06
samueldmqlbragstad: I am still trying to find myself in all those 'adding revocation event'21:06
*** raddaoui has quit IRC21:07
*** iurygregory has quit IRC21:09
lbragstadsamueldmq at line 310525 the token in the test is logged in the revocation backend.21:11
lbragstadPersisting revocation event: {'issued_before': '2016-05-13T20:22:57.765732Z', 'audit_id': u'1cQdglCCS4qZhEY359h4cw'}21:11
samueldmqlbragstad: L310538 it does the get token21:13
samueldmqlbragstad: that shouldn't be allowed21:13
lbragstadthe token was issued at 'issued_at': datetime.datetime(2016, 5, 13, 20, 22, 57)21:15
*** ninag_ has quit IRC21:15
*** ninag has joined #openstack-keystone21:16
samueldmqlbragstad: agreed21:16
lbragstadsamueldmq so line 310541 is the line that should have invalidated that token21:17
samueldmqlbragstad: if you look for datetime.datetime(2016, 5, 13, 20, 22, 57)21:18
samueldmqlbragstad: you will find many "Checking token against revocation tree"21:18
lbragstadyeah21:18
samueldmqlbragstad: but there is NO "Comparing token against revoke map"21:18
lbragstadi find that weird too21:19
samueldmqlbragstad: so it's why it's not being revoked, it isn't actually compared with data to revoke it21:19
lbragstadhmm21:19
lbragstadso how would that be a race condition though?21:19
samueldmqno idea21:20
*** ninag has quit IRC21:20
*** tonytan4ever has quit IRC21:21
lbragstadsamueldmq ah21:21
lbragstadsamueldmq that's because LOG.debug('Comparing token against revoke map') is only logged when not names21:22
samueldmqlbragstad: but that should be the case at some point ? shouldn't it ? the call to that function is recursive21:22
lbragstadso if something is matched before that check we don't log that bit21:22
samueldmqlbragstad: hmm21:22
lbragstadsamueldmq I guess we only log it if we are comparing dates (issued_before, issued_at)21:23
samueldmqlbragstad: I should be logging that outside that if21:24
samueldmqurrrgh21:24
samueldmqlbragstad: but why it didn't get to compare the dates ?21:25
*** ninag has joined #openstack-keystone21:25
samueldmqlbragstad: why did it consider the token valid before reaching that code,21:25
lbragstadit might have matched on the audit_id21:25
samueldmq?21:25
samueldmqlbragstad: matching the audit_id would make it valid ?21:25
lbragstadsamueldmq i'm not entirely sure but we can revoke by audit id21:26
samueldmqregardless the revocation event' 'issued_before'21:26
lbragstadand that's what we have to do when we revoke a fernet token21:26
*** markvoelker has quit IRC21:26
samueldmqlbragstad: but it's exactly the opposite, it's not being revoked at all21:26
lbragstadright21:26
samueldmqlbragstad: without reaching the end of recursion21:26
lbragstadwhich is strange... because if that's true it's a race condition that doesn't have anything to do with time (that we know of)?21:26
*** ninag_ has joined #openstack-keystone21:27
*** stingaci has quit IRC21:27
*** roxanagh_ has quit IRC21:27
*** ninag has quit IRC21:30
*** ninag_ has quit IRC21:32
*** roxanagh_ has joined #openstack-keystone21:32
samueldmqlbragstad: we need more data21:33
samueldmqlbragstad: we need to see what is happening inside each call to _search21:34
lbragstad++21:34
samueldmqlbragstad: so we will be able to understand why it's stopping at some point and thinking the token is valid21:34
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31623821:37
samueldmqlbragstad: ^21:37
samueldmqlbragstad: let's think about any other info we could need21:38
lbragstadsamueldmq that will log tons of stuff but that's fine21:38
lbragstadthat's what we need21:38
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31624821:40
openstackgerritLance Bragstad proposed openstack/keystone: Avoid datetime rounding issues  https://review.openstack.org/31573521:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625021:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625121:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625321:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625421:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625521:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625621:42
samueldmqlbragstad: okay, let's hope it's gonna fail again21:42
openstackgerritLance Bragstad proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31623821:42
lbragstadsamueldmq ^21:42
* samueldmq nods21:43
* samueldmq goes to update all them again21:43
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31624821:44
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625021:45
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625121:45
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625321:46
*** ninag has joined #openstack-keystone21:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625421:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625521:47
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625621:47
samueldmqlbragstad: how long did the last one take ?21:47
lbragstad45 minutes?21:48
samueldmqlbragstad: hmm, looking at 316238 the results took 1:20 h to get posted in the change21:49
samueldmq:/21:49
samueldmqlet's wait and see21:49
*** roxanagh_ has quit IRC21:50
*** ninag has quit IRC21:50
*** dmk0202 has joined #openstack-keystone21:53
*** roxanagh_ has joined #openstack-keystone21:53
*** henrynash has joined #openstack-keystone21:55
*** ChanServ sets mode: +v henrynash21:55
*** woodster_ has quit IRC21:58
*** daemontool has joined #openstack-keystone21:59
*** slberger1 has left #openstack-keystone22:01
*** dmk0202 has quit IRC22:06
*** edtubill has quit IRC22:15
*** markvoelker has joined #openstack-keystone22:27
*** sheel has joined #openstack-keystone22:29
*** alex_xu has quit IRC22:30
*** daemontool has quit IRC22:31
*** markvoelker has quit IRC22:31
*** timcline has quit IRC22:33
*** alex_xu has joined #openstack-keystone22:33
*** dan_nguyen has quit IRC22:39
samueldmqlbragstad: most of them are passing this time :(22:39
lbragstadsamueldmq looks like https://review.openstack.org/#/c/316238/ is going to fail22:40
patchbotlbragstad: patch 316238 - keystone - DO NOT MERGE: LOG revocation mechanism22:40
samueldmqlbragstad: it's taking so long in gate-tempest-dsvm-full22:40
* samueldmq thinks lbragstad owns a 60 inches monitor, and can actually see all of them in real time22:41
lbragstadha - i wish22:41
openstackgerritMerged openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982822:41
*** neophy has quit IRC22:41
openstackgerritguang-yee proposed openstack/keystoneauth: Support TOTP auth plugin  https://review.openstack.org/28108622:41
notmorgansamueldmq: but what if i want to merge it!?22:42
notmorgansamueldmq: fwiw, you should stick a -2 on that if you really don't want it to merge and/or WIP it.22:42
notmorgansamueldmq: just as a safety thing... -2 prevents merge for sure.22:42
*** agrebennikov has quit IRC22:42
samueldmqnotmorgan: ok, these are going to be my first -2's22:43
notmorganlol22:44
lbragstadme too22:44
notmorganneed to issue -2s at some point!22:44
notmorganmight as well be froe your own patches.22:44
samueldmqeven though I don't expect a core to merge something with DO NOT MERGE!!!!22:44
lbragstadi haven't issued a -2 yet22:44
samueldmqcores are expected to read things before merging22:44
samueldmqhehe22:44
jamielennoxread? all the things?22:45
jamielennoxughh22:45
notmorgansamueldmq: i don't either but it falls into the category of "i'd -2 it if it was my patch"22:45
notmorgannot that you actually need to22:45
notmorganjamielennox: yah i know right?! i just +2/+A everything22:45
jamielennoxnotmorgan: i have a badge and everything22:45
lbragstadfilgtm22:45
notmorganjamielennox: ++22:45
samueldmqjamielennox: at least the commit messages lol22:46
notmorganlbragstad: my motto22:46
samueldmqnotmorgan: you can't anymore, not these22:46
* notmorgan doesn't have the pin anymore :(22:46
notmorganlost...22:46
lbragstadsamueldmq logs are up http://logs.openstack.org/38/316238/5/check/gate-tempest-dsvm-neutron-full/c49c786/22:46
samueldmqlbragstad: which change ? 316238 passed :/22:47
lbragstad316238,522:48
lbragstadfailed gate-tempest-dsvm-neutron-full22:48
lbragstadah damn22:49
lbragstadit failed because of something else22:49
*** catintheroof has quit IRC22:49
samueldmqlbragstad: yes, all of them passed22:49
samueldmqif I wished them all to pass, they'd fail22:50
samueldmqfor sure22:50
lbragstadah22:50
samueldmqlbragstad: I have another approach22:50
samueldmqlbragstad: tempest patches failed 6 out of 822:50
samueldmqlbragstad: I will remove the depends-on from keystone patches, and put on tempest ones22:50
samueldmqlbragstad: makes sense?22:50
lbragstadyeah - that works22:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31623822:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31624822:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625022:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625122:52
*** spzala has quit IRC22:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625322:53
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625422:53
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625522:53
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: LOG revocation mechanism  https://review.openstack.org/31625622:53
lbragstadis anyone here really familiar with the _next_level_keys() method?22:58
*** woodster_ has joined #openstack-keystone22:58
samueldmqlbragstad: yeah we will need to understand all that revocation logic23:01
samueldmqin order to be able to debug23:01
lbragstadsamueldmq i'm not sure i understand the logic in the _next_level_keys() method... for one, it returns values not keys i think23:01
lbragstadwell - it *yields* values not keys23:03
*** stingaci has joined #openstack-keystone23:04
*** stingaci has quit IRC23:04
*** stingaci has joined #openstack-keystone23:04
samueldmqlbragstad: looks like it returns the corresponding value inside token data?23:04
samueldmqlbragstad: "Generate keys based on current field name and token data."23:05
lbragstadthis is weird23:06
lbragstadwe get into _search() right23:07
lbragstadand we have a list of things to check for23:07
samueldmqlbragstad: yeah, it should be written in a way we could understand :p23:07
lbragstadwe call _next_level_keys()23:07
lbragstadwhich will return a generator that's evoked by the for loop23:07
samueldmqlbragstad: that's right23:08
samueldmqlbragstad: I don't even know how the tree is structured :/23:08
lbragstadthe first yield is just '*'23:08
lbragstadwhich i'm assuming is a "match all the things" thing23:08
lbragstadbecause it would be yielded as key (which is actually a value)23:09
lbragstadto me, a key in this sense would be something like user_id23:09
lbragstadand uuid.uuid4().hex would be the value23:09
lbragstadbut w/e23:09
samueldmqlbragstad: hmm, I think I understand something now23:09
lbragstadanywho23:09
lbragstadwe get into the for loop23:09
samueldmqlbragstad: "Each node is a hashtable of key=value combinations from revocation events."23:09
samueldmqlbragstad: the for loop iterates through key=value available from the token23:10
*** stingaci_ has joined #openstack-keystone23:10
samueldmqlbragstad: and see if that exists in the tree (if exists, should be revoked)23:10
lbragstadbut _search is recursive23:11
samueldmqtoken with user=X arrives, then it will look recursively in the tree for user_id=X23:12
*** stingac__ has joined #openstack-keystone23:12
*** stingaci has quit IRC23:13
samueldmqlbragstad: I just don't quite get how the tree is structured23:13
lbragstadhopefully the logging shows it23:14
*** stingaci_ has quit IRC23:15
samueldmqlbragstad: ++ let's just wait for the logs23:16
samueldmqlbragstad: man, I can't wait to find out what the heck is going on23:16
lbragstadyeah23:16
lbragstadthis tree is terrible23:17
samueldmqlbragstad: (and I've only been debugging this today VS your whole week lol)23:17
lbragstadrevocation is already hard23:17
samueldmqlbragstad: and that tree makes things harder23:17
*** roxanagh_ has quit IRC23:17
*** roxanagh_ has joined #openstack-keystone23:18
*** ekarlso has quit IRC23:23
*** dan_nguyen has joined #openstack-keystone23:24
*** BjoernT has quit IRC23:27
*** markvoelker has joined #openstack-keystone23:28
*** roxanagh_ has quit IRC23:28
*** roxanagh_ has joined #openstack-keystone23:30
*** stingac__ has quit IRC23:32
*** markvoelker has quit IRC23:32
*** roxanagh_ has quit IRC23:32
*** ekarlso has joined #openstack-keystone23:32
*** dan_nguyen has quit IRC23:36
samueldmqlbragstad: http://logs.openstack.org/56/316256/4/check/gate-tempest-dsvm-postgres-full/6956621/console.html#_2016-05-13_23_39_15_61823:44
samueldmq!!!23:44
openstacksamueldmq: Error: "!!" is not a valid command.23:44
samueldmqlol23:44
samueldmq773 MB log file : http://logs.openstack.org/56/316256/4/check/gate-tempest-dsvm-postgres-full/6956621/logs/apache/keystone.txt.gz23:48
samueldmqnot bad23:48
*** gyee has quit IRC23:49
*** dan_nguyen has joined #openstack-keystone23:53
lbragstadsamueldmq that's huge..23:55
