Wednesday, 2016-05-18

jamielennoxclenimar: where in the token did project is_domain end up?00:02
*** dan_nguyen has joined #openstack-keystone00:12
*** ninag has joined #openstack-keystone00:14
gyeenotmorgan, so we are going with pyldap instead of python3-ldap?00:16
gyeenice, just a drop in replacement00:17
notmorgangyee: initially00:18
openstackgerritRon De Rose proposed openstack/keystone: Move the revoke abstract base class out of core  https://review.openstack.org/31778400:18
gyeenotmorgan, gotcha, I still would like to use the python3-ldap discovery features to make life easier00:19
gyeeeventually00:19
notmorgangyee: the idea is pyldap gets us to py3 asap, ldap3 will be continued00:19
notmorgangyee: and likely will be easier to work with long term00:19
gyee++00:19
openstackgerritRon De Rose proposed openstack/keystone: Move the revoke abstract base class out of core  https://review.openstack.org/31778400:20
*** ninag has quit IRC00:21
openstackgerritMerged openstack/ldappool: Updated from global requirements  https://review.openstack.org/31698500:24
*** lhcheng has quit IRC00:32
*** diazjf has joined #openstack-keystone00:33
*** tqtran has quit IRC00:45
stevemarnotmorgan: catching up...00:53
openstackgerritMerged openstack/ldappool: Add py3 info to setup.cfg  https://review.openstack.org/31777400:55
notmorganpushing 2.0.0 of ldappool00:57
notmorganlets hope this goes "ok"00:57
notmorganstevemar: pushed00:58
notmorgan2.0.0 release of LDAPPool has been pushed.00:58
stevemarnoiiiice00:59
*** dan_nguyen has quit IRC00:59
notmorganstevemar: fyi all three of us can push tags for ldappool for now in case something is horked.00:59
stevemarhehe horked01:00
stevemarnotmorgan: what about pypi https://pypi.python.org/pypi/ldappool ? still shows 1.001:00
notmorganwaiting for publish01:00
stevemarah01:01
*** diazjf1 has joined #openstack-keystone01:12
*** diazjf has quit IRC01:15
stevemargyee: if you want... https://review.openstack.org/#/c/315362/ :)01:17
patchbotstevemar: patch 315362 - keystonemiddleware - remove old options from documentation01:17
stevemarnotmorgan: want to take a quick look at https://review.openstack.org/#/c/315359/ :)01:17
patchbotstevemar: patch 315359 - keystonemiddleware - generate sample config automatically01:18
openstackgerritguang-yee proposed openstack/keystone: default_project_id is a domain should result in unscoped token  https://review.openstack.org/31779201:21
*** EinstCrazy has joined #openstack-keystone01:21
notmorgangyee: ^ ?01:22
notmorgandhellmann: do you want to (as the release person) take over release for ldappool? i'm happy to continue it once we get 2.0.0 out01:24
notmorgandhellmann: but asking you in case you'd prefer that.01:24
*** anush has quit IRC01:25
stevemarnotmorgan: dhellmann: i think it would be an independent release01:28
notmorganstevemar: thats my thought, but figured i'd ask01:28
notmorganstevemar: it wont ever be looking for inclusion in big tent01:28
notmorgansince it's just a dependant lib01:28
notmorganbut we lean on it pretty heavily01:28
*** EinstCrazy has quit IRC01:33
*** iurygregory_ has joined #openstack-keystone01:35
*** EinstCrazy has joined #openstack-keystone01:37
*** EinstCrazy has quit IRC01:37
*** EinstCrazy has joined #openstack-keystone01:38
*** r-daneel has quit IRC01:42
ayoungnotmorgan, does that need a recheck?01:44
notmorganayoung: ?01:44
ayounghttps://review.openstack.org/#/c/317638/  notmorgan got a -2 from Jenkins01:44
ayoungWow, Jenkins got promoted01:44
patchbotayoung: patch 31763801:44
ayounggate-tempest-dsvm-postgres-full failed, looks spurious to me01:45
notmorganyeah a recheck01:45
-openstackstatus- NOTICE: Gerrit is about to be restarted to help with page timeouts01:46
*** raddaoui has quit IRC01:47
*** lhcheng has joined #openstack-keystone01:47
*** ChanServ sets mode: +v lhcheng01:47
*** lhcheng has quit IRC01:47
ayoungAnd Gerrit just choked01:48
*** lhcheng has joined #openstack-keystone01:48
*** ChanServ sets mode: +v lhcheng01:48
ayoung503 on 44301:48
notmorganstevemar: oops i failed at tagging ldappool correctly :(01:48
notmorganstevemar: doh01:48
notmorganstevemar: missed some details01:48
notmorganstevemar: next time.01:49
notmorganit just wont send the announcement email01:49
*** EinstCra_ has joined #openstack-keystone01:50
*** EinstCrazy has quit IRC01:50
*** EinstCra_ has quit IRC01:55
*** EinstCrazy has joined #openstack-keystone01:55
*** rderose has quit IRC01:56
*** EinstCra_ has joined #openstack-keystone01:57
*** EinstCrazy has quit IRC01:57
*** EinstCra_ has quit IRC01:58
*** EinstCrazy has joined #openstack-keystone01:58
*** EinstCrazy has quit IRC01:59
*** EinstCrazy has joined #openstack-keystone02:00
*** ninag has joined #openstack-keystone02:00
*** EinstCrazy has quit IRC02:05
*** EinstCrazy has joined #openstack-keystone02:05
*** ninag has quit IRC02:05
*** sdake has quit IRC02:06
*** sdake has joined #openstack-keystone02:12
*** EinstCrazy has quit IRC02:14
*** stingaci_ has quit IRC02:20
*** dan_nguyen has joined #openstack-keystone02:21
*** sdake has quit IRC02:22
*** EinstCrazy has joined #openstack-keystone02:24
*** EinstCra_ has joined #openstack-keystone02:31
*** rderose has joined #openstack-keystone02:33
*** EinstCrazy has quit IRC02:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31748302:35
openstackgerritOpenStack Proposal Bot proposed openstack/ldappool: Updated from global requirements  https://review.openstack.org/31780602:35
*** TxGVNN has joined #openstack-keystone02:36
openstackgerritRon De Rose proposed openstack/keystone: Move the revoke abstract base class out of core  https://review.openstack.org/31778402:38
*** rderose has quit IRC02:39
*** diazjf1 has quit IRC02:40
openstackgerritMerged openstack/keystonemiddleware: generate sample config automatically  https://review.openstack.org/31535902:43
*** dan_nguyen has left #openstack-keystone02:44
gyeenotmorgan, yeah, we need to straighten out project is domain stuff, especially for default_project_id02:46
notmorgangyee: we should stop storing that data on the user object in keystone02:46
openstackgerritMerged openstack/ldappool: Updated from global requirements  https://review.openstack.org/31780602:46
notmorgangyee: it's the wrong place for it02:46
gyeeI completely agree02:46
gyeebut till then, we need to fix this bug02:46
notmorganeh02:46
notmorgando we?02:47
notmorgani'd say just prevent them from setting it02:47
notmorgandon't let them set it and get a unscoped token02:47
gyeeright now, if you set it to a domain ID, you can't log into horizon02:47
notmorganprevent the setting in validation (400) altogether02:48
notmorganyou can't promote a project to a domain02:48
notmorganso, make it a validation thing02:48
gyeeoh!02:48
notmorgannot a "handle it when someone does something stupid"02:48
*** spandhe has quit IRC02:48
gyeebut we need to update the spec too right?02:48
notmorganpossibly?02:48
gyeek, I can change it to validate at user update/creation02:49
gyeethis bug was accidentally discovered by our QA :-)02:49
gyeeshe set it to a domain_id02:49
notmorganyeah validate on setting the property02:50
notmorganuser create/update02:50
notmorganraiding a 404 randomly like that is just weird02:50
notmorganraising*02:50
gyeek, let me update02:50
notmorganthis is def. a validate input deal instead :)02:50
gyeeyeah, right now we don't validate default_project_id at all02:51
notmorganand if this issue is in released code - we need to "fix" it (backported sql migration?)02:51
gyeetwo patches, one to fix input validation and the other to fix sql migration02:52
notmorgansure02:52
notmorganand make sure the SQL migration is backported/idempotent02:52
notmorganto mitaka (spacer) if this is like i said a bug in mitaka too02:52
gyeek, I'll look into it02:53
notmorgangyee: it should be straightforward.02:57
notmorgangyee: if this hasn't been released as a bug - i'll just say don't bother with the migration02:57
gyeek02:58
gyeenotmorgan, my only worry is would it break backward compat as there might be a case where default_project may not exist yet03:01
notmorgangyee: no, you misread what i said03:01
notmorgangyee: if it's a domain, fail validation03:01
notmorgandon't change anything else03:01
notmorganthat isn't incompat.03:01
gyeek, k, gotcha03:01
notmorganbecause it's an ID that isn't valid03:02
notmorganthough honestly, we should add validation there... yay microversions03:02
notmorganor some such03:02
*** lhcheng has quit IRC03:05
*** raddaoui has joined #openstack-keystone03:06
*** sdake has joined #openstack-keystone03:09
*** lhcheng has joined #openstack-keystone03:10
*** ChanServ sets mode: +v lhcheng03:10
*** lhcheng has quit IRC03:10
*** stingaci has joined #openstack-keystone03:11
*** lhcheng has joined #openstack-keystone03:11
*** ChanServ sets mode: +v lhcheng03:11
stevemarnotmorgan: gyee another trivial patch: https://review.openstack.org/#/c/315362/03:12
patchbotstevemar: patch 315362 - keystonemiddleware - remove old options from documentation03:12
* stevemar wants to reduce the amount of open patches he has03:12
*** agrebennikov has quit IRC03:12
*** lhcheng has quit IRC03:14
*** stingaci has quit IRC03:18
openstackgerritguang-yee proposed openstack/keystone: make sure default_project_id is not domain on user creation and update  https://review.openstack.org/31779203:19
gyeemiller time03:20
gyeeah I mean dinner time03:20
*** gyee has quit IRC03:20
*** links has joined #openstack-keystone03:26
notmorganstevemar: hehe03:27
notmorganstevemar: i'll do another review madness day soon03:27
*** dave-mccowan has quit IRC03:32
*** sdake_ has joined #openstack-keystone03:37
*** sdake has quit IRC03:40
notmorganstevemar: +303:44
*** richm has quit IRC03:47
*** lhcheng has joined #openstack-keystone03:47
*** ChanServ sets mode: +v lhcheng03:47
*** anush has joined #openstack-keystone03:48
stevemarnotmorgan: woo hoo03:55
*** sdake_ has quit IRC03:58
openstackgerritSteve Martinelli proposed openstack/keystone: reorganize mitaka release notes  https://review.openstack.org/31634203:58
*** anush has quit IRC04:05
openstackgerritSteve Martinelli proposed openstack/keystone: reorganize mitaka release notes  https://review.openstack.org/31634204:07
*** sdake has joined #openstack-keystone04:09
notmorganstevemar: i read that as "randomize ..."04:15
notmorganstevemar: i was like "uhhhhhhh really?!"04:15
openstackgerritColleen Murphy proposed openstack/keystone: Fix config path for running wsgi in developer mode  https://review.openstack.org/31782504:21
*** edtubill has joined #openstack-keystone04:27
openstackgerritMerged openstack/keystonemiddleware: remove old options from documentation  https://review.openstack.org/31536204:34
openstackgerritColleen Murphy proposed openstack/keystone: Fix config path for running wsgi in developer mode  https://review.openstack.org/31782504:42
*** samueldmq has quit IRC04:43
*** ksavich has quit IRC04:44
*** samueldmq has joined #openstack-keystone04:46
stevemarnotmorgan: hehe04:51
*** TxGVNN has quit IRC04:57
*** fawadkhaliq has joined #openstack-keystone04:57
*** rbridgeman has quit IRC05:00
*** furface has quit IRC05:00
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548705:01
*** edtubill has quit IRC05:02
*** ktychkova has joined #openstack-keystone05:07
*** EinstCra_ has quit IRC05:08
*** lupine_ has joined #openstack-keystone05:08
*** EinstCrazy has joined #openstack-keystone05:11
*** EinstCra_ has joined #openstack-keystone05:12
*** links has quit IRC05:12
*** lupine has quit IRC05:12
*** ericksonsantos has quit IRC05:12
*** ktychkova_ has quit IRC05:12
*** ericksonsantos has joined #openstack-keystone05:13
*** links has joined #openstack-keystone05:13
*** EinstCrazy has quit IRC05:15
*** edtubill has joined #openstack-keystone05:17
*** iurygregory_ has quit IRC05:20
*** edtubill has quit IRC05:21
*** edtubill has joined #openstack-keystone05:22
notmorganstevemar: are you open to the v3/auth -> /auth spec this cycle?05:23
*** sdake has quit IRC05:26
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118805:32
*** amrith is now known as _amrith_05:34
*** lhcheng has quit IRC05:40
*** rcernin has joined #openstack-keystone05:47
*** furface has joined #openstack-keystone05:56
*** henrynash has joined #openstack-keystone06:02
*** ChanServ sets mode: +v henrynash06:02
*** david-lyle has quit IRC06:05
*** jrist has quit IRC06:07
*** jbell8 has joined #openstack-keystone06:08
*** _amrith_ is now known as amrith06:09
*** jbell8 has quit IRC06:12
*** jbell8 has joined #openstack-keystone06:12
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744906:17
nareshtHi a;;06:20
nareshtall*06:20
nareshtHas anyone tried Keystone Google Federation?06:20
nareshtI am stuck here http://paste.openstack.org/show/497443/06:20
nareshtAny help is highly appreciated.06:20
nareshterror is "could not retrieve metadata from url: https://accounts.google.com/.well-known/openid-configuration"06:20
*** EinstCrazy has joined #openstack-keystone06:21
*** jrist has joined #openstack-keystone06:22
*** jrist has quit IRC06:22
*** jrist has joined #openstack-keystone06:22
*** edtubill has quit IRC06:22
*** edtubill has joined #openstack-keystone06:25
*** EinstCra_ has quit IRC06:25
*** edtubill has quit IRC06:30
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3)  https://review.openstack.org/26745606:30
openstackgerritRyosuke Mizuno proposed openstack/keystone: Add the validation rules when create token  https://review.openstack.org/31589406:36
openstackgerritSteve Martinelli proposed openstack/keystone: Use PyLDAP instead of python-ldap  https://review.openstack.org/31763806:38
openstackgerritSteve Martinelli proposed openstack/keystone: enable ldap tests for py3  https://review.openstack.org/31764406:40
*** rcernin has quit IRC06:47
*** _cjones_ has joined #openstack-keystone06:49
*** _cjones_ has quit IRC06:50
*** ozialien10 has quit IRC06:50
*** rcernin has joined #openstack-keystone06:51
*** belmoreira has joined #openstack-keystone07:01
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3/contrib)  https://review.openstack.org/26800307:26
*** jbell8 has quit IRC07:30
*** dmk0202 has joined #openstack-keystone07:35
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add release notes for return-request-id-to-caller  https://review.openstack.org/27664407:47
*** fawadkhaliq has quit IRC07:52
*** fawadkhaliq has joined #openstack-keystone07:52
*** jistr has joined #openstack-keystone07:54
*** daemontool has joined #openstack-keystone07:55
*** david-lyle has joined #openstack-keystone07:57
*** fawadkhaliq has quit IRC07:58
*** fawadkhaliq has joined #openstack-keystone07:58
*** fawadkhaliq has quit IRC07:58
*** fawadkhaliq has joined #openstack-keystone07:59
*** fawadkhaliq has quit IRC07:59
*** zzzeek has quit IRC08:00
*** fawadkhaliq has joined #openstack-keystone08:00
*** fawadkhaliq has quit IRC08:00
*** fawadkhaliq has joined #openstack-keystone08:01
*** zzzeek has joined #openstack-keystone08:01
*** fawadkhaliq has quit IRC08:01
*** fawadkhaliq has joined #openstack-keystone08:01
*** fawadkhaliq has quit IRC08:02
*** fawadkhaliq has joined #openstack-keystone08:02
*** fawadkhaliq has quit IRC08:02
*** fawadkhaliq has joined #openstack-keystone08:03
*** fawadkhaliq has quit IRC08:03
*** fawadkhaliq has joined #openstack-keystone08:04
*** fawadkhaliq has quit IRC08:04
*** fawadkhaliq has joined #openstack-keystone08:05
*** fawadkhaliq has quit IRC08:05
*** fawadkhaliq has joined #openstack-keystone08:06
*** fawadkhaliq has quit IRC08:06
*** fawadkhaliq has joined #openstack-keystone08:06
*** fawadkhaliq has quit IRC08:07
*** fawadkhaliq has joined #openstack-keystone08:08
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: Let OidcPassword accept scope parameters as kwargs  https://review.openstack.org/31789508:20
*** henrynash_ has joined #openstack-keystone08:40
*** ChanServ sets mode: +v henrynash_08:40
*** auggy_ has joined #openstack-keystone08:42
*** raddaoui_ has joined #openstack-keystone08:43
*** jraim_ has joined #openstack-keystone08:44
*** eglute_s has joined #openstack-keystone08:44
*** bapalm_ has joined #openstack-keystone08:44
*** lbragstad_ has joined #openstack-keystone08:44
*** hockeynut_afk has joined #openstack-keystone08:45
*** lupine has joined #openstack-keystone08:45
*** mhu1 has joined #openstack-keystone08:45
*** breton_ has joined #openstack-keystone08:45
*** furface has quit IRC08:45
*** auggy has quit IRC08:45
*** wasmum has quit IRC08:45
*** sigmavirus24_awa has quit IRC08:45
*** hockeynut has quit IRC08:45
*** mhu has quit IRC08:45
*** d34dh0r53 has quit IRC08:45
*** jraim has quit IRC08:45
*** med_ has quit IRC08:45
*** tpeoples has quit IRC08:45
*** BrAsS_mOnKeY has quit IRC08:45
*** bapalm has quit IRC08:45
*** cloudnull has quit IRC08:45
*** henrynash has quit IRC08:45
*** lupine_ has quit IRC08:45
*** raddaoui has quit IRC08:45
*** ramishra has quit IRC08:45
*** harbor2 has quit IRC08:45
*** odyssey4me has quit IRC08:45
*** briancurtin has quit IRC08:45
*** yarkot1 has quit IRC08:45
*** david_cu has quit IRC08:45
*** Kimmo_ has quit IRC08:45
*** eglute has quit IRC08:45
*** mgagne has quit IRC08:45
*** breton has quit IRC08:45
*** Nakato has quit IRC08:45
*** lbragstad has quit IRC08:45
*** evrardjp has quit IRC08:45
*** jamielennox has quit IRC08:45
*** vkmc has quit IRC08:45
*** Nakato has joined #openstack-keystone08:45
*** furface has joined #openstack-keystone08:45
*** med_ has joined #openstack-keystone08:45
*** d34dh0r53 has joined #openstack-keystone08:45
*** mgagne has joined #openstack-keystone08:45
*** vkmc has joined #openstack-keystone08:45
*** ramishra has joined #openstack-keystone08:45
*** ramishra has quit IRC08:45
*** mhu1 is now known as mhu08:45
*** med_ has quit IRC08:45
*** med_ has joined #openstack-keystone08:45
*** auggy_ is now known as auggy08:45
*** BrAsS_mO- has joined #openstack-keystone08:45
*** vkmc has quit IRC08:45
*** vkmc has joined #openstack-keystone08:45
*** yarkot1 has joined #openstack-keystone08:46
*** mgagne is now known as Guest9229208:46
*** furface has quit IRC08:46
*** furface has joined #openstack-keystone08:46
*** BrAsS_mO- has quit IRC08:46
*** BrAsS_mO- has joined #openstack-keystone08:46
*** odyssey4me has joined #openstack-keystone08:46
*** henrynash_ is now known as henrynash08:46
*** sigmavirus24_awa has joined #openstack-keystone08:46
*** raddaoui_ is now known as raddaoui08:46
*** evrardjp has joined #openstack-keystone08:46
*** jraim_ is now known as jraim08:47
*** serverascode has quit IRC08:47
*** mvk has joined #openstack-keystone08:49
*** cloudkiller has joined #openstack-keystone08:49
*** wxy has quit IRC08:49
*** raddaoui has quit IRC08:51
*** jaosorior has joined #openstack-keystone08:51
*** tpeoples has joined #openstack-keystone08:52
*** rm_work has quit IRC08:53
*** rm_work has joined #openstack-keystone08:54
*** jamielennox has joined #openstack-keystone08:55
*** ChanServ sets mode: +v jamielennox08:55
*** wasmum has joined #openstack-keystone08:57
*** daemontool_ has joined #openstack-keystone09:00
*** daemontool_ has quit IRC09:00
*** daemontool has quit IRC09:03
*** serverascode has joined #openstack-keystone09:03
*** wxy has joined #openstack-keystone09:03
*** briancurtin has joined #openstack-keystone09:05
openstackgerritJack Ning proposed openstack/keystone: Added cache for mapping of user to uuid  https://review.openstack.org/31730709:17
*** daemontool has joined #openstack-keystone09:18
*** mvk_ has joined #openstack-keystone09:24
*** mvk has quit IRC09:28
*** zqfan has joined #openstack-keystone09:36
*** cloudkiller is now known as cloudnull09:46
*** fawadkhaliq has quit IRC09:49
*** fawadkhaliq has joined #openstack-keystone09:50
nareshthi all09:53
nareshtwe are trying to do keystone to google federation09:54
nareshtwe are stuck at "ERROR keystone.federation.controllers [req-bdc799d5-910a-4d80-ad0d-91df148f116b - - - - -] http://x.x.x.x/dashboard/auth/websso/ is not a trusted dashboard host"09:56
nareshtPlease help us if anyone did this earlier09:56
*** markvoelker has joined #openstack-keystone09:56
*** markvoelker has quit IRC10:02
*** mou has joined #openstack-keystone10:03
*** EinstCrazy has quit IRC10:14
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: Remove unused parameters in OidcPassword methods  https://review.openstack.org/31796610:32
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: create an OidcBase class with common methods  https://review.openstack.org/31796710:32
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: add OpenidToken class to authenticate reusing an access token  https://review.openstack.org/31796810:32
*** Kimmo__ has joined #openstack-keystone10:39
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: Let OidcPassword accept scope parameters as kwargs  https://review.openstack.org/31789510:51
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: create an OidcBase class with common methods  https://review.openstack.org/31796710:52
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: Remove unused parameters in OidcPassword methods  https://review.openstack.org/31796610:52
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: add OpenidToken class to authenticate reusing an access token  https://review.openstack.org/31796810:52
*** henrynash has quit IRC10:59
*** GB21 has joined #openstack-keystone11:02
*** mancdaz has quit IRC11:09
*** mancdaz has joined #openstack-keystone11:09
*** vnogin has joined #openstack-keystone11:23
*** GB21 has quit IRC11:32
*** GB21 has joined #openstack-keystone11:33
*** julim has joined #openstack-keystone11:40
*** lupine has quit IRC11:40
*** lupine has joined #openstack-keystone11:40
*** mvk_ has quit IRC11:49
*** ninag has joined #openstack-keystone11:51
*** iurygregory_ has joined #openstack-keystone11:52
*** ninag has quit IRC11:57
*** rodrigods has quit IRC11:58
*** rodrigods has joined #openstack-keystone11:58
*** tellesnobrega is now known as tellesnobrega_af12:02
*** ChanServ sets mode: +v samueldmq12:05
*** sigmavirus24_awa is now known as sigmavirus2412:12
*** iurygregory_ has quit IRC12:14
*** fawadkhaliq has quit IRC12:17
*** fawadkhaliq has joined #openstack-keystone12:18
*** mvk_ has joined #openstack-keystone12:19
*** GB21 has quit IRC12:19
*** gordc has joined #openstack-keystone12:23
*** raildo-afk is now known as raildo12:28
*** links has quit IRC12:31
*** links has joined #openstack-keystone12:35
*** amrith is now known as _amrith_12:48
*** richm has joined #openstack-keystone12:52
*** daemontool has quit IRC12:52
*** gtop-323 has joined #openstack-keystone12:53
*** ninag has joined #openstack-keystone12:55
*** tellesnobrega_af is now known as tellesnobrega12:58
*** edmondsw has joined #openstack-keystone13:04
raildostevemar: ping, I'm so happy to see something like this happen https://review.openstack.org/#/c/257362/13:08
patchbotraildo: patch 257362 - neutron-specs - Moving to Keystone v3 API (MERGED)13:08
*** TxGVNN has joined #openstack-keystone13:12
raildocc jamielennox notmorgan ^13:14
*** pnavarro has joined #openstack-keystone13:14
*** links has quit IRC13:16
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: create an OidcBase class with common methods  https://review.openstack.org/31796713:19
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: add OidcToken class to authenticate reusing an access token  https://review.openstack.org/31796813:19
*** tellesnobrega is now known as tellesnobrega_af13:20
*** BjoernT has joined #openstack-keystone13:21
*** tellesnobrega_af is now known as tellesnobrega13:21
*** BjoernT is now known as Bjoern_zZzZzZzZ13:21
*** pauloewerton has joined #openstack-keystone13:21
*** anush has joined #openstack-keystone13:25
openstackgerritClenimar Filemon proposed openstack/keystoneauth: Add is_domain to keystoneauth token  https://review.openstack.org/28237713:30
*** tonytan4ever has joined #openstack-keystone13:31
*** Bjoern_zZzZzZzZ is now known as BjoernT13:37
lbragstad_ayoung  any word on the revocation tree patch?13:39
ayounglbragstad_, lots of words.  I have some really choice words,,,13:39
*** lbragstad_ is now known as lbragstad13:39
lbragstadayoung do you think it's possible to have something mergeable today?13:40
ayounglbragstad, No clue13:40
ayoungcan you figure out what went wrong with the other?13:40
ayounghttp://logs.openstack.org/52/311652/12/check/gate-tempest-dsvm-postgres-full/77bf29b/console.html13:40
lbragstadayoung the other?13:41
ayounglbragstad, My guess is something in the marshalling code for caching13:41
ayoungWTF I need to implement custom marshalling code when Python has perfectly acceptable Pickle is beyond me13:41
ayoungnotmorgan, why do we not use pickle for caching?13:42
mnaseri know i'm just hopping in this conversation but i'm wondering if it has to do with security => https://blog.nelhage.com/2011/03/exploiting-pickle/13:43
mnaserthat's a common reason why ive seen it avoided13:43
ayoungmnaser, nope13:45
ayoungthis is never done from an untrusted source, and what we are doing is no safer13:45
*** ametts has joined #openstack-keystone13:49
lbragstadayoung the failures on your latest patch look strange13:53
lbragstadi'm going to see if i can recreate it in devstack13:54
*** doug-fish has joined #openstack-keystone13:57
*** dave-mccowan has joined #openstack-keystone13:59
ayounglbragstad, I'm guessing it has to do with the dates, probably expires_at or revoked_at13:59
*** anush has quit IRC14:01
*** ninag has quit IRC14:02
*** raddaoui has joined #openstack-keystone14:02
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548714:04
*** ninag has joined #openstack-keystone14:04
*** rderose has joined #openstack-keystone14:04
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31748314:08
*** ninag has quit IRC14:09
*** links has joined #openstack-keystone14:10
*** ninag has joined #openstack-keystone14:12
*** sdake has joined #openstack-keystone14:14
*** pushkaru has joined #openstack-keystone14:16
*** jbell8 has joined #openstack-keystone14:16
*** doug-fis_ has joined #openstack-keystone14:19
knikollao/14:21
*** doug-fish has quit IRC14:21
*** Guest92292 is now known as mgagne14:25
*** mgagne has quit IRC14:25
*** mgagne has joined #openstack-keystone14:25
*** sdake has quit IRC14:26
*** sdake has joined #openstack-keystone14:27
*** daemontool has joined #openstack-keystone14:28
*** edtubill has joined #openstack-keystone14:32
*** ninag has quit IRC14:32
*** ninag has joined #openstack-keystone14:33
*** gagehugo has joined #openstack-keystone14:34
*** doug-fis_ has quit IRC14:35
*** ninag has quit IRC14:37
*** links has quit IRC14:39
*** sdake_ has joined #openstack-keystone14:42
*** phalmos has joined #openstack-keystone14:42
*** sdake has quit IRC14:43
*** timcline has joined #openstack-keystone14:47
ayounglbragstad, so the pre-cached version (Revision 9) passed, and the post-cached failed.  There are two possibilities I can think of14:48
ayoung1.  The caching itself is at fault14:48
ayoung2. the marshalling code is suspect14:49
ayoungI'm tempted to replace my code with pickle.14:49
lbragstadayoung i'm trying to reproduce it with http://logs.openstack.org/52/311652/12/check/gate-tempest-dsvm-neutron-full/f74b906/logs/reproduce.sh14:51
*** _amrith_ is now known as amrith14:53
*** raildo is now known as raildo-afk14:56
*** hockeynut_afk is now known as hockeynut14:56
ayoungnotmorgan, any reason to avoid pickle for the caching?14:58
*** jaosorior has quit IRC14:59
*** jaosorior has joined #openstack-keystone14:59
notmorganAsk bknudson14:59
notmorganMore in depth answer than I can type here ATM.15:00
bknudsonayoung: if you can overwrite the pickle data, you can get the application to do whatever you want15:00
bknudsonbecause it's essentially run as a python program15:00
ayoungbknudson, this is for the cache15:00
ayoungits internal to our code base completely15:01
bknudsonif you can ensure that nobody can inject into the cache then that's totally safe.15:01
ayoungsame is true of messagepack or Json, so not a concern here15:01
ayoungnotmorgan, ^^  I'm going with Pickle.  Reduces the LOC15:01
bknudsonjson doesn't allow running arbitrary code15:01
*** tonytan4ever has quit IRC15:01
ayoungGAh15:02
ayoungbreaks other things...15:02
bknudsonlooks like messagepack is also safe15:02
*** jistr is now known as jistr|mtg15:02
*** rderose has quit IRC15:03
*** tellesnobrega is now known as tellesnobrega_af15:03
*** fawadkhaliq has quit IRC15:04
samueldmqayoung: lbragstad: what are those _RevokeEventHandler and _ResponseCacheProxy ?15:08
ayoungsamueldmq, majik15:08
samueldmqayoung: you think this is making that patch fail somehow ? ^15:08
ayoungblackest majik15:08
ayoungsamueldmq, yep15:08
notmorganayoung: basically don't use pickle. we should be using json where we can15:08
*** jbell8 has quit IRC15:08
*** woodster_ has joined #openstack-keystone15:08
notmorganif we can't use json, we should fix it so we can15:08
ayoungnotmorgan, I think pickle is the more correct tool here15:09
ayoungit keeps us from having to one off business logic etc15:09
notmorganayoung: if pickle is "correct" use msgpack15:09
notmorganis my stance on it15:09
ayoungnotmorgan, no, msgpack means writing our own code15:10
ayoungthat is not correct15:10
*** diazjf has joined #openstack-keystone15:10
ayounglet python do python15:10
*** ninag has joined #openstack-keystone15:10
notmorgani am against using pickle at any point because of how the serialization and deserialization works.15:11
*** doug-fish has joined #openstack-keystone15:11
ayoungnotmorgan, explain15:11
*** iurygregory_ has joined #openstack-keystone15:11
notmorgani am not willing to explain to people why pickle is used and that it really is not insecure15:12
notmorganplain and simple, it's flagged as a security risk when code is audited15:12
ayoungnotmorgan, oy vey15:12
notmorganand i wont support adding code in that i am going to need to explain this when asked.15:12
notmorgani wont block it. just don't expect a +2 (or a +1) from me on it.15:13
ayoungnotmorgan, well, let me start by seeing if it gets through the tests. That alone will be diagnostic15:13
notmorganthe fix for json is about 7 lines of code.15:14
*** ninag has quit IRC15:14
notmorganif you do it the "quick" way15:14
notmorganand maybe 100 if we stop assuming datetime objects15:14
notmorgan1 few hundred - which is reasonable (we re-hydrate datetime in a lot of places). We could be consistent15:15
notmorganand make sure we aren't acting on datetime objects like we do.15:15
*** iurygregory_ has quit IRC15:15
*** jbell8 has joined #openstack-keystone15:17
*** doug-fish has quit IRC15:17
*** ninag has joined #openstack-keystone15:18
notmorganayoung: though once we move to a direct SQL query - this all becomes a non-issue15:18
ayoungnotmorgan, I notice a lot of the Royal We and a "you" in there.15:19
*** jistr|mtg is now known as jistr15:19
notmorganayoung: we = keystone.15:19
ayoungOY VEY!15:20
ayoungits right in Pep 815:20
ayoungWTF people15:21
ayoung>> Issue: [B301:blacklist] Pickle library appears to be in use, possible security issue.15:21
ayoung   Severity: Medium   Confidence: High15:21
ayoung   Location: keystone/common/cache/_context_cache.py:3815:21
notmorganbandit15:21
notmorgannot pep815:21
notmorganpep8 is just the job15:21
*** ninag has quit IRC15:21
*** ninag has joined #openstack-keystone15:21
ayoungits the pep8 job that is complaining15:22
notmorganyes15:23
ayoungas in tox -e pep815:23
notmorganpep8 job runs bandit15:23
rodrigodslol15:23
*** fawadkhaliq has joined #openstack-keystone15:23
notmorganbandit is an openstack tool15:23
*** fawadkhaliq has quit IRC15:23
ayoungand marshall triggers it too.15:23
stevemarthe pep8 job runs both flake8 and bandit15:23
lbragstadhttps://github.com/openstack/keystone/blob/master/tox.ini#L5415:23
*** stingaci has joined #openstack-keystone15:24
ayoungTHIS IS CACHING CODE!  WE CONTROL ALL SIDES!  AN APP DEVELOPER SHOULD NOT BE WRITING THIS!15:24
ayoungFFS15:24
*** rcernin has quit IRC15:24
*** doug-fis_ has joined #openstack-keystone15:25
ayoungDear Python.  You have let me down. Sincerely, Adam.15:25
samueldmqayoung: hehe15:25
*** doug-fis_ has quit IRC15:25
samueldmqlol15:25
ayoungsamueldmq, you laugh at me?  You fix the damn code.15:25
*** doug-fis_ has joined #openstack-keystone15:25
notmorganayoung: you can always "# nosec" it15:25
samueldmqayoung: I just found 'Dear Python.  You have let me down. Sincerely, Adam.' funny15:26
notmorganthe fact that python-memcache uses pickle implicitly is also an issue15:26
samueldmqayoung: not thinking you trying to fix the code funny15:26
notmorganbecause we don't control all sides there15:26
ayoungsamueldmq, I never wanted to do revocations at all, and somehow I am in the critical path here writing revocation code instead of what I am supposed to do, which is again not even what I should be writing15:27
openstackgerritSteve Martinelli proposed openstack/keystone: enable ldap tests for py2  https://review.openstack.org/31764415:27
ayoungnotmorgan, what is # nosec?15:27
lbragstadayoung it's like #noqa but for security things15:27
notmorganwhat lbragstad said15:27
ayoungjust put at the end of the line?15:27
lbragstadessentially15:27
samueldmqayoung: let me know how I can help, and I will do it15:28
ayoungsamueldmq, right now, it looks like I have a path.15:28
*** Guest88617 has joined #openstack-keystone15:28
ayoungIf this marshalling thing is still messed up, we'll split up the work15:28
Guest88617If anyone knows about the OS_INTERFACE variable and how it works in Rally, I really can't figure it out. Someone posted it in a question specifically here: https://answers.launchpad.net/rally/+question/293670 but there are no responses15:28
openstackgerritayoung proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165215:30
ayoungsamueldmq, let's see if ^^ passes the tempest checks. If it does, the issue was my marshalling code.  If it does not, it's likely cache invalidation type issues.15:30
samueldmqayoung: nice, let me know15:31
ayoungsamueldmq, nope. You keep an eye on it. I have to go work on WebSSO integration for Tripleo15:31
samueldmqayoung: what's the "marshalling" code?15:31
notmorganayoung: my guess is the issue was specific in tree building15:31
ayoungnotmorgan, not this case.  This was a problem with my patch failing tempest15:31
samueldmqayoung: (I was talking one line before)15:31
notmorganayoung: no no i mean the race15:31
ayoungnotmorgan, I hope so15:31
notmorganayoung: the issue that the linear search should fix.15:32
stevemaramrith: *poke*15:32
ayoungnotmorgan, my concern is that maybe there are multiple levels of problem15:32
ayoungcaching being one of them,15:32
stevemaramrith: what deprecations warnings do you want to add to: https://review.openstack.org/#/c/290971/15:32
patchbotstevemar: patch 290971 - python-troveclient - switch to keystoneauth15:32
ayoungLike, the tree was bad, but also an event won't get into the cache when it should.15:32
*** belmoreira has quit IRC15:32
ayoungWe should not have problems with tokens being incorrectly revoked unless it is time check based, though15:33
*** fawadkhaliq has joined #openstack-keystone15:34
notmorganayoung: i don't think it was an event missing from the cache -- except that the tree itself was built wrong15:36
notmorganayoung: and "not caching" the tree wouldn't fix that.15:36
*** dmk0202 has quit IRC15:37
*** dmk0202 has joined #openstack-keystone15:37
samueldmqnotmorgan: ayoung: if we think the caching is wrong, why not fix the code by removing the tree without caching it15:37
ayoungnotmorgan, so the latest errors are "revoked when they should not be" errors, which leads me to suspect my marshalling code.  If that does not fix it, I am going to guess it is due to time issues, meaning the same thing that samueldmq and lbragstad have been tracking down15:37
samueldmqthen we work in caching in a followup patch?15:37
notmorganayoung: second level resolution with "really fast tests"15:38
ayoungsamueldmq, it means that each token validation will hit the database to pull in the list15:38
notmorganis a clear issue15:38
notmorganso we get racy-issues somewhere along the way15:38
notmorganand we need to handle that.15:39
ayoungI wonder if we can't somehow drop all revocations.15:40
ayoungLike...if we track last password changed time, we could drop those...15:40
ayoungexcept that the tokens have the damn 1 second granularity so would not fix.15:40
notmorganpick a rounding direction for invalidations.15:41
notmorgandocument it, make sure tests aren't dumb15:41
ayoungThe whole, revoke and immediately reissue work flow is a test-only issue15:41
notmorganayoung: pretty much15:41
amrithstevemar, one second15:42
amrithhave to get a release out15:42
notmorganayoung: the tests are silly and don't mirror reality at all15:42
notmorganayoung: my answer is we should be fixing the tests not keystone.15:42
notmorganbut ... that doesn't tend to go over well "why are you sleeping in this test"15:42
*** ninag has quit IRC15:43
* notmorgan does not think this is a keystone issue in any real world scenario.15:43
ayoungnotmorgan, the fernet granularity of 1 second breaks our pre-existing contract.  And somehow that has become my problem to solve.  I feel like Lando here.15:43
notmorganayoung: fix tempest instead15:43
ayoungnotmorgan, Fix like you would fix a dog?15:43
notmorganayoung: and no it didn't really break the contract fwiw, we just were much less likely to hit it.15:44
notmorganayoung: across multi nodes etc, microsecond was *still* absolutely prone to this15:44
notmorganbut testing isn't multi node.15:44
ayoungthe contract (implicit admittedly) was that we could revoke a token, immediately issue a new one, and it would be valid15:44
notmorganayoung: that wasn't a valid assumption15:44
notmorganayoung: tests just assumed it because they could get away with it15:44
ayoungit was. Its just not now15:45
notmorganno.15:45
notmorganin multi-node environments, the datetime object was based on localtime15:45
ayoungthe whole thing is a sculpture made out of bandaids15:45
notmorgannot based on $centralized_time$15:45
notmorganso you could easily within ntp limits run into this issue15:45
notmorgannot even considering our standard "drift" acceptance15:45
notmorganthe only place this assumption works is in AIO deployments15:46
notmorganit's the only place it has *ever* worked15:46
ayoungyep15:46
notmorganso that points to the test being wrong15:46
notmorgannot keystone15:46
ayoungguess what kind of deployments I work with almost exclusively?15:46
notmorganso we should make the test smarter15:46
notmorgannot "fix" keystone15:46
notmorgan(getting rid of the tree is orthogonal)15:47
ayoungnotmorgan, time granularity aside I think I want to get away from a revocation event table15:47
notmorgan(and still a massive improvement)15:47
ayoungthe only kind we must persist are explicit revocation by ID15:47
ayoungand I bet we could do that and passwords with a single value15:47
notmorganayoung: we need to track when $item$ was disabled/deleted15:47
notmorganas well15:47
notmorgandomains, projects, users15:48
ayoungnotmorgan, yes, but we already have that data15:48
notmorganno we don't15:48
notmorgannot for delete15:48
notmorgannot for disable in most15:48
notmorganwe don't store it15:48
ayoungwe only need to track the current state15:48
ayoungnot a time15:48
ayoungif A is disabled when a token referencing A is validated, the token is invalid15:48
ayoungre-enable, and the token is now valid15:49
notmorganoh wait i'm still thinking events consumed outside keystone15:49
notmorgannvm15:49
amrithstevemar, hello15:49
samueldmqayoung: notmorgan patch 31637015:49
patchbotsamueldmq: https://review.openstack.org/#/c/316370/ - keystone - DO NOT MERGE: local in-process cache per request15:49
* notmorgan does want to point out that uuid tokens still make me sad because validation paths are wildly different and can't be merged in15:49
amrithstevemar, want to add warnings about os-tenant-name and os-tenant-id15:50
amrithin favor of os-project-name and os-project-id15:50
samueldmqthat single run alone doesn't mean anything, but tests passed; it *could* a mix of things, as ayoung suspect15:50
samueldmqs15:50
*** dmk0202 has quit IRC15:51
*** tonytan4ever has joined #openstack-keystone15:53
*** ninag has joined #openstack-keystone15:54
*** henrynash has joined #openstack-keystone15:57
*** ChanServ sets mode: +v henrynash15:57
*** ninag has quit IRC15:58
*** ninag has joined #openstack-keystone15:58
*** jistr has quit IRC16:00
*** agrebennikov has joined #openstack-keystone16:00
*** phalmos has quit IRC16:01
*** edtubill has quit IRC16:02
*** phalmos has joined #openstack-keystone16:02
*** raildo-afk is now known as raildo16:03
*** ninag has quit IRC16:04
*** ninag has joined #openstack-keystone16:04
notmorganstevemar: https://review.openstack.org/#/c/317644/3 py2?16:05
patchbotnotmorgan: patch 317644 - keystone - enable ldap tests for py216:05
notmorganstevemar: also... 4 test suites that aren't py3 friendly... woot16:06
openstackgerritSteve Martinelli proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31748316:07
openstackgerritSteve Martinelli proposed openstack/keystone: enable ldap tests for py3  https://review.openstack.org/31764416:07
stevemarnotmorgan: i rearranged things16:08
stevemarthe proposal bot change was going to conflict16:08
stevemarand yeah, my bad with calling it py2 :P16:08
*** ninag has quit IRC16:09
notmorganstevemar: hehe it was mostly the py2 thing ;)16:09
*** ninag has joined #openstack-keystone16:10
stevemaramrith: i wonder if keystoneauth already emits deprecations for you...16:11
*** mou has quit IRC16:11
stevemari guess not16:12
amrithstevemar, it does not16:12
stevemarhmm okay16:13
stevemaryou could do it in a separate patch :P16:13
amriththe nova sample I was following did it16:13
amrithI was going to check and do similar16:13
amrithanother patch for that?16:13
stevemaramrith: up to you, it's your repo :)16:14
*** edtubill has joined #openstack-keystone16:15
*** ninag has quit IRC16:15
amrithhmm, maybe I get an ATC pass16:16
amriththat would be nice16:17
lbragstadayoung so what's the motive behind using marshal versus messagepackutils?16:19
ayounglbragstad, not writing custom code versus writing custom marshalling code.16:19
ayoungmarshall knows how to save and restore standard python types16:20
ayounglbragstad, it properly converts an object to a stream of bytes and back16:20
lbragstadayoung I logged the data before and after passing it to msgpackutils and the data looked fine16:20
ayoungand, since that was one of the potential causes, using the marshall approach removes it from the test16:21
*** vnogin has quit IRC16:22
*** afred312 has joined #openstack-keystone16:23
*** gyee has joined #openstack-keystone16:25
*** ChanServ sets mode: +v gyee16:25
*** Guest88617 is now known as help16:26
*** help is now known as Kevin16:26
*** ninag has joined #openstack-keystone16:27
*** Kevin is now known as KevinE16:27
edtubillDoes anyone know the status of this patch? https://review.openstack.org/#/c/159910/ Also, I was wondering if django_openstack_auth is owned by the horizon or the keystone team?16:27
patchbotedtubill: patch 159910 - django_openstack_auth - K2K federation16:27
*** raildo is now known as raildo-afk16:30
*** raildo-afk is now known as raildo16:30
*** sdake_ has quit IRC16:31
dstanekedtubill: it's a horizon thing16:31
*** sdake has joined #openstack-keystone16:31
edtubilldstanek: thx16:31
*** spzala has joined #openstack-keystone16:33
ayoungedtubill, if you want it, add in the unit tests he's asking for16:33
david-lyleedtubill: apparently I was thrown on that grenade, but I haven't had time to look yet. If you have the cycles, feel free :)16:33
*** ninag has quit IRC16:34
*** ninag has joined #openstack-keystone16:34
edtubillayoung, david-lyle: thx, I just need to find out now if I have cycles...16:35
*** ngupta_ has joined #openstack-keystone16:37
*** lhcheng has joined #openstack-keystone16:38
*** ChanServ sets mode: +v lhcheng16:38
*** tellesnobrega_af is now known as tellesnobrega16:38
lbragstadnotmorgan what's the purpose behind _RevokeEventHandler ?16:38
notmorganuhm. in ayoung 's code?16:38
lbragstadnotmorgan just in general16:38
notmorganlbragstad: to serialize revoke events with msgpack16:38
lbragstadbefore and after putting and pulling them from the cache right?16:38
notmorganlbragstad: yeah in the local request cache16:39
lbragstadnotmorgan what about the _registry.frozen = True and .frozen = False stuff?16:39
*** ninag has quit IRC16:40
lbragstadso when _context_cache is imported - we unfreeze the registry and make it mutable, then we freeze it agin16:41
edtubilldavid-lyle: so is that the way that the horizon/keystone team would want to support k2k federation? Like if I were to do it, would I get a -2 because of some other competing idea?16:41
lbragstadagain*16:41
*** jbell8 has quit IRC16:43
*** amrith is now known as _amrith_16:45
*** ninag has joined #openstack-keystone16:47
david-lyleedtubill: that was someone's implementation. If you have a better idea, I'm certainly open to hearing it out. Storing a ton of unscoped tokens on the session is not ideal, IMO. and combining all the regions in one list will be confusing to the end user16:47
edtubilldavid-lyle: I would have to think about if there is a better way, I know that one of the problems with that patch was that I had to be sure to use the cache session backend type instead of signed cookies because the session variables were too big to fit in a cookie on the browser.16:50
*** fawadkhaliq has quit IRC16:50
*** fawadkhaliq has joined #openstack-keystone16:51
*** ninag has quit IRC16:52
*** ninag has joined #openstack-keystone16:52
*** ninag has quit IRC16:52
*** ninag has joined #openstack-keystone16:53
david-lyleedtubill: that's generally true though16:53
edtubillI also wanted to ask if anyone here knew if there were any future plans to make keystone support saml2 websso when it is being used as an idp? or if the majority opinion was not to implement that ever.16:54
*** fawadkhaliq has quit IRC16:55
*** ninag has quit IRC16:55
*** ninag has joined #openstack-keystone16:55
*** diazjf has quit IRC16:58
*** ninag has quit IRC17:00
*** henrynash has quit IRC17:00
*** lhcheng_ has joined #openstack-keystone17:01
*** lhcheng has quit IRC17:01
*** roxanaghe has joined #openstack-keystone17:01
*** ninag has joined #openstack-keystone17:02
*** stingaci has quit IRC17:06
*** tonytan4ever has quit IRC17:08
openstackgerritMerged openstack/keystone: Move the revoke abstract base class out of core  https://review.openstack.org/31778417:09
*** jbell8 has joined #openstack-keystone17:11
*** ninag has quit IRC17:11
*** ninag has joined #openstack-keystone17:15
*** daemontool has quit IRC17:15
*** ninag_ has joined #openstack-keystone17:16
*** ninag has quit IRC17:20
*** ninag_ has quit IRC17:20
*** stingaci has joined #openstack-keystone17:22
*** rderose has joined #openstack-keystone17:28
*** _amrith_ is now known as amrith17:32
openstackgerritSteve Martinelli proposed openstack/keystone: reorganize mitaka release notes  https://review.openstack.org/31634217:33
*** pnavarro has quit IRC17:36
*** mvk_ has quit IRC17:37
*** stingaci has quit IRC17:39
*** ninag has joined #openstack-keystone17:40
*** tqtran has joined #openstack-keystone17:43
*** spzala has quit IRC17:43
*** spzala has joined #openstack-keystone17:43
*** ninag has quit IRC17:45
*** ninag has joined #openstack-keystone17:46
dstanekanyone know how to use osc to delete role assignments? is only listing implemented?17:51
raildodstanek: openstack role remove17:53
samueldmqraildo: ++17:53
samueldmqall the CRUD is available17:54
raildoand with inherited flag too :D17:54
raildodstanek: http://docs.openstack.org/cli-reference/openstack.html#openstack-role-remove17:54
dstanekraildo: that removes a role though right? not just an assignment17:54
dstanekoh, wait....17:55
raildo"Remove role from domain/project : user/group"17:55
*** stingaci has joined #openstack-keystone17:55
dstanekraildo: i didn't realize that there was also a delete that deleted the role17:56
dstaneksince there is a 'role assignment list' i was looking for a 'role assignment remove' - yay for consistency!17:57
raildodstanek: yep, there is a role delete to delete the role, and a role remove to delete the assignment17:57
raildolol17:57
raildodstanek: ++ for improve this name/docs17:57
dstanekraildo: thx!17:58
raildodstanek: np17:58
*** BjoernT is now known as Bjoern_zZzZzZzZ17:58
dstaneki would have spent 30 minutes digging through the code just to find this info17:58
raildodstanek: now you can use this time to do code review (or take a coffee) :)17:59
dstanek..nap time..18:00
raildohaha18:00
*** Bjoern_zZzZzZzZ is now known as BjoernT18:04
*** jdennis has joined #openstack-keystone18:05
*** jdennis1 has quit IRC18:05
*** rderose has quit IRC18:06
*** stingaci has quit IRC18:07
*** TxGVNN has quit IRC18:07
stevemardstanek: we're going to do a 3.0.0 for OSC soon, if you have opinions on the naming, let dtroyer know! the topic of role assignment vs role add / remove has come up before, but no conclusion!18:08
dstanekstevemar: maybe a patch will help the discussion :-)18:09
stevemar:)18:10
stevemardstanek: fwiw, henry has already stumbled onto the land mine a bit here: https://review.openstack.org/#/c/311460/18:10
patchbotstevemar: patch 311460 - python-openstackclient - Add assignment list to v2 identity and deprecate a...18:10
*** darosale has joined #openstack-keystone18:13
dstanekstevemar: oh, nice. i'll dig into that once i'm done hacking up my k2k setup18:15
*** doug-fish has joined #openstack-keystone18:16
*** doug-fish has quit IRC18:17
*** doug-fish has joined #openstack-keystone18:17
*** tonytan4ever has joined #openstack-keystone18:18
*** doug-fis_ has quit IRC18:20
notmorganstevemar: ooh can we break things in 3.0.0 of OSC ? (Just kidding!!)18:20
redrobotohai keystone friends.  I'm looking for docs showing the proper use of keystoneauth18:24
redrobotanyone have a link handy?18:24
*** amit213 has quit IRC18:24
dstanekredrobot: what are you trying to do exactly?18:27
dstanekredrobot: maybe this will help? http://docs.openstack.org/developer/keystoneauth/using-sessions.html18:27
*** amit213 has joined #openstack-keystone18:27
redrobotdstanek trying to migrate python-barbianclient from using python-keystoneclient sessions to using keystoneauth instead18:27
notmorganredrobot: woooooot18:27
notmorganredrobot: we have some of those docs!18:27
raildoredrobot: so, i recommend this link http://docs.openstack.org/developer/keystoneauth/migrating.html18:28
*** diazjf has joined #openstack-keystone18:28
dstanekraildo: ++18:28
redrobotraildo that looks like what I'm looking for18:28
notmorganraildo: ++18:28
redrobotthanks folks!  I'll be back if I run into any troubles18:28
notmorganraildo: beat me to it.18:28
rm_workhey, anyone aware of keystone changes that might have merged in the last day or two that could be breaking our keystone requests in devstack (for octavia/lbaas)?18:28
rm_worksince at least yesterday we're getting broken gate runs with a 40418:29
notmorganrm_work: uhm. that is a big question18:29
rm_workpossibly earlier18:29
notmorganrm_work: what is the error?18:29
rm_workhttp://logs.openstack.org/10/314410/5/check/gate-neutron-lbaasv2-dsvm-scenario/c008b65/logs/screen-o-cw.txt.gz18:29
raildoredrobot: btw, I recommend take a look on this patch https://review.openstack.org/#/c/304812/18:29
patchbotraildo: patch 304812 - python-monascaclient - Adding keystoneauth sessions support18:29
dstanekrm_work: what's the error?18:29
raildoredrobot: some guys made similar work in other services18:29
redrobotraildo will do!  thanks again18:29
rm_worksee the wall of red in there18:29
rm_workit traces down to a keystone request made inside of a session in neutron client18:29
rm_workwherein it gets a 40418:29
raildoredrobot: np :) good luck!18:29
rm_workthere's not much that is useful (at least to me) for that requestid in the keystone logs :/18:30
notmorganrm_work: nothing i know specifically would have affected that.18:30
notmorganrm_work: but... i mean..18:30
notmorganclearly there is an issue18:30
rm_workyeah, was just curious if something major and obviously possibly breaking might have merged18:30
raildorm_work: I guess it was a devstack change related to fernet18:30
rm_workif not, i'll just have to go head down and debug it18:30
notmorganrm_work: nothing major and obvious afaik18:30
raildoit was reverted18:31
notmorganraildo: ah18:31
notmorganrm_work: ^18:31
notmorganthat probably18:31
rm_workthe only log line for keystone is something about certs18:31
dstanekrm_work: that'a a 404 talking to neutron?18:31
raildohttps://review.openstack.org/#/c/318116/18:31
patchbotraildo: patch 318116 - openstack-dev/devstack - Revert "Switch fernet to be the default token prov... (MERGED)18:31
*** sdake_ has joined #openstack-keystone18:31
rm_workdstanek: no, 404 from keystone request, inside neutron client when trying to use the session18:31
rm_workraildo: that looks... possibly likely18:31
rm_workok and it was reverted18:32
rm_workas of *recently*18:32
dstanekoh, strange: from the keystone log 127.0.0.1 - - [18/May/2016:00:15:45 +0000] "POST /v3/v2.0/tokens HTTP/1.1" 404 93 "-" "keystoneauth1/2.6.0 python-requests/2.10.0 CPython/2.7.6" 5660(us)18:32
dstanek/v3/v2.0?18:32
rm_workhmmmmmm i didn't see that18:32
rm_workwhich log is that in?18:33
dstanekhttp://logs.openstack.org/10/314410/5/check/gate-neutron-lbaasv2-dsvm-scenario/c008b65/logs/apache/keystone_access.txt.gz18:33
*** sdake has quit IRC18:33
dstanekmaybe a bad endpoint for discovery or broken logic if we are still doing the url manipulation18:33
raildodstanek: well, this is really odd18:34
rm_workoh yeah that's very weird18:34
rm_workman how did you even pick that out, lol18:34
raildodstanek: an your eagle's eyes18:34
rm_workmy eyes still glaze over it and i KNOW it's there18:34
notmorganrm_work: dstanek is just that good.18:34
dstaneklol18:35
notmorganrm_work: there is a reason we keep him around ;)18:35
raildonotmorgan: haha18:35
rm_workso yeah that'd account for the 40418:35
notmorgandstanek: I'm feeling a py3 win landing here soon. we're close.18:36
notmorgandstanek: so close18:36
rm_worklet me see where I define the keystone URL18:36
dstanekunless you really want version 2 or the version 3 api!18:36
notmorgandstanek: then we're really just dependant libraries we don't test in unit tests away18:36
rm_workoh, no, this is totally a problem in OUR config18:36
rm_worksomething broke badly18:36
rm_workbut we haven't merged anything new so i don't know HOW18:36
rm_worksomething in our devstack plugin is somehow setting that in OUR config18:36
notmorganrm_work: magic.18:36
dstanekrm_work: did something in devstack change?18:36
rm_workbut it didn't used to18:36
notmorganrm_work: black magic18:36
rm_workprobably dstanek18:37
rm_workauth_uri = http://127.0.0.1:35357/v3/v2.018:37
rm_worklol18:37
rm_workin octavia's config18:37
notmorganrm_work: thats epic18:37
rm_workgotta track down how our plugin does that18:37
raildorm_work: notmorgan http://www.reactiongifs.com/r/mgc.gif18:37
rm_worki bet a trailing slash changed18:37
rm_workthanks for the spot dstanek :P18:38
dstanekrm_work: yw18:38
*** roxanaghe has quit IRC18:40
rm_workiniset $OCTAVIA_CONF keystone_authtoken auth_uri ${KEYSTONE_AUTH_URI}/v2.018:41
rm_worklooks like somehow the main var for keystone auth uri changed18:41
rm_workwe were just dumbly appending18:41
rm_workassuming it was a baseURI18:42
raildorm_work: hardcoded v2 :( we are trying to remove this kind of v2 usage18:42
rm_workyeah :/18:43
rm_workour request doesn't work right with v3 yet apparently18:43
rm_worki tried just changing it to v3 in config and no dice18:43
rm_workneed to dig further to figure that out18:43
raildorm_work: I saw a (amazing) spec about v3 migration on neutron18:43
raildorm_work: ++ for it18:43
rm_workyeah this is within neutronclient so i don't think it's something octavia can worry about :/18:44
rm_workbut not sure18:44
rm_workI don't think we provide the session18:44
rm_workerr18:44
rm_workrather, we do provide the session, but how it's used isn't up to us18:44
raildogot it18:44
dstanekrm_work:  you change the v2.0 to v3?18:45
rm_workdstanek: yes18:45
rm_worktried that FIRST actually18:45
dstanekwouldn't that give you /v3/v3?18:45
rm_workno18:45
rm_worki mean18:45
rm_workwhen i change it to JUST /v2.018:45
rm_workit doesn't append v3 to it18:46
dstanekah, ok.18:46
rm_workjust wondering when devstack changed $KEYSTONE_AUTH_URI to include /v3 instead of being a true base URL18:48
rm_workbecause that is what broke us18:48
rm_worki mean, we don't "hardcode" v2.0 in our actual code -- just for the default config in our devstack plugin18:49
rm_worki guess you could call that hardcoding but I don't18:49
dstanekrm_work: i think that's an old thing18:50
rm_workit can't be, because this worked last week18:50
rm_worklet me double-check that our devstack plugin didn't change this week <_<18:50
dstanekrm_work: i think this is it https://github.com/openstack-dev/devstack/blob/b74e01c34de76cb451f80d2f1ac1c4ccac1bb7e4/lib/keystone#L110 (from 2014)18:51
rm_worklol18:51
rm_workwell IDKWTF :P18:51
rm_workour devstack plugin has done this since we started18:52
dstaneklol, no idea :-(18:52
rm_workso I am thoroughly baffled by however devstack's black magic was making this work before and not now :P18:52
rm_workgoing to put in code to strip /v3 from the URL I guess in the meantime <_<18:52
rodrigodsdstanek, bknudson, lbragstad, stevemar: review request https://review.openstack.org/#/c/294165/ :) please take a look whenever you have some time18:56
patchbotrodrigods: patch 294165 - tempest - Add identity providers tests18:56
rodrigodsoops, wrong patch: https://review.openstack.org/#/c/302299/18:56
patchbotrodrigods: patch 302299 - keystone - Add identity providers integration tests18:56
*** cheran has joined #openstack-keystone18:59
*** pnavarro has joined #openstack-keystone18:59
*** agireud has quit IRC19:04
rm_workso do you guys cry when you see something like https://review.openstack.org/#/c/318290/1/devstack/plugin.sh or is that acceptable?19:05
patchbotrm_work: patch 318290 - octavia - Fix keystone auth url in devstack plugin19:05
hoonetorghi19:07
hoonetorgmy endpoint url's for keystone stuff are already v319:07
hoonetorgbut i did not upgrade policy.json to v319:07
raildorm_work: well... doesn't sounds right, but I don't know a better way to do this19:08
hoonetorgi've seen in diff that there are quite a few differences between policy.json v2 and v319:08
hoonetorgbut i could not see any problems until now19:09
hoonetorgI only have default domain until now.19:09
raildohoonetorg: are you calling the policy.json v3, this policy? https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json19:09
hoonetorgraildo: yes19:10
hoonetorgi only forgot to update19:10
hoonetorgbut no problems now, can that be?19:10
raildohoonetorg: it's just an example on how can you use better v3 stuffs like, domains19:10
*** doug-fish has quit IRC19:10
raildohoonetorg: but doesn't have any problem keep using the other policy19:11
hoonetorgraildo: thx, so keeping old policy.json is OK?19:11
stevemarnotmorgan: want to take a quick look at https://review.openstack.org/#/c/312061/19:11
patchbotstevemar: patch 312061 - keystone - Port test_v3_auth unit test to Python 319:11
stevemardstanek: we are SO close to py3 compat :O19:12
stevemarthe ldap stuff cleans up all these: https://review.openstack.org/#/c/317644/4/tests-py3-blacklist.txt19:12
patchbotstevemar: patch 317644 - keystone - enable ldap tests for py319:12
raildohoonetorg: be ok, is relative :P  it works...19:12
stevemardstanek: just fernet, credential and oauth need to be fixed \o/19:13
hoonetorgwhen i replace it, what are necessary steps to do19:13
hoonetorgis restarting keystone enough19:13
hoonetorgor db_sync required too?19:13
*** doug-fish has joined #openstack-keystone19:13
raildohoonetorg: you don't need to change anything, every request is enforced on the policy again19:14
hoonetorgraildo: thx, can i still access via token and /v2 -url when using policy.json v3 (my deployment tool - saltstack - only supports v2)19:15
*** rderose has joined #openstack-keystone19:15
raildohoonetorg: I don't see any problem on it19:16
hoonetorgk19:16
hoonetorgperfect19:16
hoonetorgthat was a great help raildo - will try NOW19:16
raildohoonetorg: good luck :)19:16
openstackgerritMerged openstack/keystone: Use PyLDAP instead of python-ldap  https://review.openstack.org/31763819:17
*** doug-fish has quit IRC19:18
*** sdake_ has quit IRC19:23
*** timcline has quit IRC19:26
*** timcline has joined #openstack-keystone19:27
*** agireud has joined #openstack-keystone19:30
*** pnavarro has quit IRC19:31
*** rk4n has joined #openstack-keystone19:36
*** rk4n has quit IRC19:37
*** doug-fish has joined #openstack-keystone19:40
*** ninag has quit IRC19:41
*** stingaci has joined #openstack-keystone19:41
stevemardstanek: gyee dolphm ayoung any takers on this patch: https://review.openstack.org/#/c/317644/ :)19:42
patchbotstevemar: patch 317644 - keystone - enable ldap tests for py319:42
ayoungstevemar, +2A19:43
*** doug-fish has quit IRC19:44
*** ninag has joined #openstack-keystone19:45
ayoungsamueldmq, lbragstad looks like my last attempt failed spectacularly.  I'm going to revert to the one before it that used messagepack19:45
*** diazjf has quit IRC19:46
samueldmqayoung: looking19:46
samueldmqayoung: yep, "ValueError: unmarshallable object"19:47
*** diazjf has joined #openstack-keystone19:47
*** sdake has joined #openstack-keystone19:49
ayoungnotmorgan, what would happen if we accepted "Replace revoke tree with linear search"  with no caching enabled?19:49
samueldmqayoung: that's what I suggested (if it works without cache), then we keep working to re-enable it ?19:49
samueldmqnot sure this is necessary tho, since fernet has already been reverted as default :(19:50
ayoungsamueldmq, yeah, I'm not usually allowed to be practical19:50
samueldmqayoung: hehe agree, that's more practical19:50
ayoungusually I have to be purist and have the spirit beaten out of me to get a patch in19:50
samueldmqayoung: we solve the big issue then optimize19:50
*** fawadkhaliq has joined #openstack-keystone19:54
*** jbell8 has quit IRC19:54
*** fawadkhaliq has quit IRC19:54
*** fawadkhaliq has joined #openstack-keystone19:55
*** woodburn has joined #openstack-keystone19:55
openstackgerritayoung proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165219:56
*** doug-fish has joined #openstack-keystone19:59
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716920:02
*** rderose has quit IRC20:07
*** tonytan4ever has quit IRC20:08
*** KevinE has quit IRC20:08
*** ametts has quit IRC20:13
*** diazjf has quit IRC20:13
*** fawadkhaliq has quit IRC20:15
hoonetorgraildo: for things like "openstack user list" i know need someone with role "cloud_admin" ?20:18
hoonetorghow to create such a guy? :)20:18
dstanekrm_work: i cry all the time :-(20:18
dstanekstevemar: so close to tests passing. i'll be interested in seeing if we can actually properly deal with unicode throughout the stack20:20
*** diazjf has joined #openstack-keystone20:20
hoonetorgraildo: ^^^ i switched policy.json from v2 to v3 now20:20
raildohoonetorg: we have a couple of different permissions between the policy.json and v3cloudsample20:20
dstanekhoonetorg: create a user and create a role assignment for them?20:21
rm_workdstanek / raildo lol well, yeah I guess that's what we're going with for now :P20:21
raildohoonetorg: we suggest have the cloud_admin in a different domain for the other users20:21
*** ninag has quit IRC20:21
raildoso we can avoid the 'global admin' issues20:21
dstanekhoonetorg: are you working on a dev/test cloud or a production cloud?20:22
hoonetorgtest cloud20:22
hoonetorgno trouble :)20:22
dstanekjust checking :-)20:22
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31832020:23
hoonetorgbut change should go into prod soon20:23
samueldmqtest cloud, no trouble, oh wait, where's my test cloud ?20:23
samueldmq:)20:23
hoonetorgsamueldmq: lol20:24
raildohoonetorg: so, looking into the policy file https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L320:24
raildohoonetorg: cloud admin will be the guy with admin role, and this user was created in the cloud_admin_domain20:25
*** roxanaghe has joined #openstack-keystone20:26
hoonetorgraildo: so i must create an cloud_admin_domain and this shouldn't be the default domain?20:26
hoonetorglike "openstack domain create cloud_admin" ?20:27
*** ninag has joined #openstack-keystone20:27
raildoyes, and you change this line, for this domain_id20:27
raildohoonetorg:  and grant the admin role for this user, as dstanek said before20:28
hoonetorgk20:28
*** ngupta_ has quit IRC20:29
hoonetorgand the default value for the domain_id:admin_domain_id is really cloud_admin ?20:29
*** ametts has joined #openstack-keystone20:30
hoonetorgor can it be any name? can it be changed?20:30
raildohoonetorg: you have to change this for the cloud_domain_id...20:32
raildohoonetorg: so, after create this new domain, the domain_id is 123, you must change this for domain_id:12320:33
hoonetorgah, so i must edit the policy.json file, is that right?20:34
*** huats_ has quit IRC20:36
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/31748320:38
*** rderose has joined #openstack-keystone20:38
raildohoonetorg: yeap20:40
hoonetorgthx20:41
hoonetorggot it20:41
*** ngupta_ has joined #openstack-keystone20:46
*** raildo is now known as raildo-afk20:49
openstackgerritMerged openstack/keystone: enable ldap tests for py3  https://review.openstack.org/31764420:49
*** ninag has quit IRC21:01
*** pauloewerton has quit IRC21:03
dstanekwoot ^21:06
*** ametts has quit IRC21:07
notmorgandstanek: oh just wait i'm cleaning up the last 4 test cases now21:10
notmorgandstanek: for py3 unless someone else has beaten me to it over lunch21:10
dstaneknotmorgan: nice21:12
dstanekis there really no way using ksc to get a project by name?21:12
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 for credential tests  https://review.openstack.org/31834121:12
notmorgandstanek: no we don't have a good API for it.21:12
*** spzala has quit IRC21:13
dstaneknotmorgan: :-( that's not cool21:13
*** spzala has joined #openstack-keystone21:13
*** ninag has joined #openstack-keystone21:15
dstaneki really wish federation was more cookie cutter. we could have 100s of implementations all using different attributes and mappings. so it's much harder for the uninitiated21:17
*** spzala has quit IRC21:18
*** ayoung has quit IRC21:18
*** ayoung has joined #openstack-keystone21:18
*** ChanServ sets mode: +v ayoung21:18
*** spzala has joined #openstack-keystone21:22
notmorganuhm21:22
notmorgan...21:22
notmorgandstanek: so... i found an issue21:22
notmorgandstanek: python 2: urllib.parse.parse_qs returns a dict with text-type keys21:23
*** dave-mccowan has quit IRC21:23
notmorgandstanek: python 3: urllib.parse.parse_qs returns a dict with byte-string type keys21:23
notmorganerm, sorry both are byte string21:23
notmorganbut in py3 dict[b'key'] != dict['key']21:23
*** darosale has quit IRC21:24
dstaneknotmorgan: really?21:24
notmorgandstanek: yep21:24
dstanekwe can just use bytes to look into the dict right?21:25
notmorganwe can.. but...21:25
notmorgani mean.. really?21:25
dstanekit's a pain, but it makes sense21:25
notmorgan{'test': 'omg2', b'test': 'omg'}21:25
notmorganthat is ... silly21:25
notmorgansure it makes sense but... SILLY21:25
dstaneknotmorgan: you just have to strategically add some 'b's :-P21:26
notmorgani can fix our tests...21:26
notmorganit might actually be an issue with our tests21:26
notmorganbut... ugh.21:26
dstanekit's the price you pay to be awesome21:28
*** woodburn has quit IRC21:28
*** rderose has quit IRC21:30
*** doug-fish has quit IRC21:30
*** gagehugo has quit IRC21:32
*** BjoernT is now known as Bjoern_zZzZzZzZ21:33
*** edtubill has quit IRC21:33
*** Bjoern_zZzZzZzZ is now known as BjoernT21:46
*** rderose has joined #openstack-keystone21:47
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 testing for Fernet token provider  https://review.openstack.org/31834921:49
notmorgandstanek: 2/421:50
*** diazjf has quit IRC21:50
*** markvoelker has joined #openstack-keystone21:51
notmorganstevemar: lets make uwsgi job voting now?21:52
*** markvoelker has quit IRC21:52
*** markvoelker has joined #openstack-keystone21:53
*** phalmos has quit IRC21:54
*** gtop-323 has quit IRC21:55
*** ozialien10 has joined #openstack-keystone22:03
*** julim has quit IRC22:04
*** henrynash has joined #openstack-keystone22:14
*** ChanServ sets mode: +v henrynash22:14
hoonetorgraildo-afk: openstack user list always gives me You are not authorized to perform the requested action: identity:list_users22:20
*** ngupta_ has quit IRC22:21
*** harlowja has quit IRC22:22
hoonetorgi tried with domain_id:<id of newly created admin_domain> and user admin_domain which has role admin and is in project admin in domain admin_domain and with domain_id:default, admin user which is role admin and project admin.22:22
*** rderose has quit IRC22:22
hoonetorgno chance22:22
hoonetorgdstanek ^^^22:23
hoonetorghow to debug???22:23
hoonetorgpolicy.json v322:23
*** gordc has quit IRC22:25
*** timcline has quit IRC22:27
*** ddieterly has joined #openstack-keystone22:28
*** roxanaghe has quit IRC22:31
*** edmondsw has quit IRC22:32
*** roxanaghe has joined #openstack-keystone22:34
*** mvk_ has joined #openstack-keystone22:34
*** ddieterly is now known as ddieterly[away]22:41
*** ninag has quit IRC22:45
*** ninag has joined #openstack-keystone22:45
*** ninag has quit IRC22:50
*** jaosorior has quit IRC22:58
*** jaosorior has joined #openstack-keystone22:59
*** harlowja has joined #openstack-keystone23:00
*** jamielennox is now known as jamielennox|away23:04
*** ddieterly[away] is now known as ddieterly23:05
*** markvoelker_ has joined #openstack-keystone23:05
*** markvoelker_ has quit IRC23:05
*** markvoelker_ has joined #openstack-keystone23:06
*** markvoelker has quit IRC23:09
*** BjoernT has quit IRC23:09
*** ddieterly has quit IRC23:12
notmorgandstanek: almost done with test_v3_auth. woo23:12
notmorgandstanek: oauth1 is going to be the challenging one23:12
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 for credential tests  https://review.openstack.org/31834123:13
*** agrebennikov has quit IRC23:14
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 testing for Fernet token provider  https://review.openstack.org/31834923:14
*** spzala has quit IRC23:15
*** spzala has joined #openstack-keystone23:16
*** spzala has quit IRC23:21
notmorgangyee: the totp test code is awful :(23:41
notmorgangyee: it's so not py3 friendly23:42
*** stingaci has quit IRC23:43
gyeenotmorgan, looking23:44
notmorgangyee: sec.23:46
*** stingaci has joined #openstack-keystone23:46
gyeenotmorgan, I thought I've commented on that utf-8 encoding in one of the reviews23:47
notmorgangyee: http://paste.openstack.org/show/497628/23:47
notmorganthe code is really opaque and hard to debug.23:47
notmorganeven with pdb23:47
notmorgangyee: blob = base64.b32encode(uuid.uuid4().hex.encode('utf-8')).decode('utf-8').rstrip('=') this gets us past string type errors23:47
notmorganand the value is the same on the other end (checked) if your input uuid is the same23:48
notmorganmaybe i need to re-encode again?23:48
*** pushkaru has quit IRC23:48
*** pushkaru has joined #openstack-keystone23:48
notmorganoh gah. nope.23:49
notmorgangyee: btw, this is the only issue keeping us from having all but oauth1 tests py3 compat23:49
notmorgani can publish the current state of changes if that helps23:50
*** pushkaru has quit IRC23:50
*** pushkaru has joined #openstack-keystone23:51
*** jamielennox|away is now known as jamielennox23:51
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 tests for test_v3_auth  https://review.openstack.org/31838123:51
notmorgangyee: ^ current pass, we need to fix the TOTP test to not fail, and we're good on that23:51
gyeewhich totp tests failed?23:52
notmorgansec, getting the list23:52
notmorgankeystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_username_and_domain_id23:52
*** zqfan has quit IRC23:53
notmorgankeystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_multiple_users23:53
notmorgankeystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_multiple_credentials23:53
notmorgankeystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_an_invalid_passcode_with_no_user_credentials23:53
notmorganthose 423:53
notmorganthey pass under py2.723:53
notmorganas is23:53
notmorgan(in that patchset)23:53
*** markvoelker has joined #openstack-keystone23:53
*** furface has quit IRC23:54
*** doug-fish has joined #openstack-keystone23:54
*** roxanaghe has quit IRC23:54
gyeetotp creds need to be base32 encoded23:54
notmorganright.23:55
notmorgan        blob = base64.b32encode(uuid.uuid4().hex.encode('utf-8')).decode('utf-8').rstrip('=')23:55
*** stingaci has quit IRC23:55
notmorganthat is b32encoded23:55
gyeeyikes23:55
gyeemaybe we can use random bytes instead of uuid23:56
*** pushkaru has quit IRC23:56
gyeeone sec23:56
notmorganthe only difference is the string encode/decode for py3 text vs binary_type things23:56
*** pushkaru has joined #openstack-keystone23:56
notmorgangyee: tried, same error23:56
notmorgani tried uuid.uuid4().bytes23:56
notmorganstill need to decode for rstrip()23:56
*** markvoelker_ has quit IRC23:56
notmorganbut with .bytes the string is wildly different/shorter than with .hex23:56
notmorganout the other end of b32encode23:56
*** diazjf has joined #openstack-keystone23:58
*** doug-fish has quit IRC23:58
gyeebase64.b32encode(os.urandom(20)).decode('utf-8')23:58
gyeenotmorgan, ^^^23:58
gyeethat's what I have in my other patch to make it pass py323:59
notmorganok let me try that23:59
gyeehttps://review.openstack.org/#/c/279854/15/openstackclient/tests/identity/v3/test_credential.py23:59
patchbotgyee: patch 279854 - python-openstackclient - Support TOTP credential23:59
notmorganno rstrip?23:59
