Thursday, 2016-05-19

gyeeno need00:00
notmorganope00:01
*** pushkaru has quit IRC00:01
notmorgannope00:01
notmorganstill fails in the same way00:01
notmorganthe test is *really* opaque00:01
gyeewth? it works on python-openstackclient00:01
notmorganthis is failing with a 401 in our unit test00:01
notmorganpasses py27 just fine.. something is wonky00:02
*** lhcheng_ has quit IRC00:02
notmorganour unit test is bad.00:02
notmorganis what it looks like00:02
notmorganbut i don't know how it is bad... or if something in keystone server is erroring silently00:02
notmorganbecause i love our opaque restfultestcase00:02
notmorgangyee: this is the failure: http://paste.openstack.org/show/497630/00:03
notmorganand all 4 fail in the same way00:03
notmorganeach time00:03
*** jamielennox is now known as jamielennox|away00:04
*** jamielennox|away is now known as jamielennox00:04
notmorgani'm guessing it's an issue in _generate_totp_passcode00:05
notmorgannot working right00:05
* notmorgan sighs.00:05
*** diazjf has quit IRC00:05
*** ddieterly has joined #openstack-keystone00:06
gyeelet me try it locally00:06
notmorgani am guessing in py3 totp.py is doing something different00:07
*** gyee has quit IRC00:08
*** gyee has joined #openstack-keystone00:08
*** ChanServ sets mode: +v gyee00:08
*** harlowja_ has joined #openstack-keystone00:11
*** furface has joined #openstack-keystone00:13
*** sdake has quit IRC00:13
*** markvoelker has quit IRC00:13
*** harlowja has quit IRC00:15
dstanekgyee: notmorgan: what are you guys trying to do with that craziness?00:16
notmorgandstanek: trying to fix the last 4 tests so test_v3_auth is py3-able00:17
*** iurygregory_ has joined #openstack-keystone00:17
notmorgandstanek: http://paste.openstack.org/show/497630/ is the failure00:17
notmorgandstanek: https://review.openstack.org/#/c/318381/1 is the current state, 4 failures in00:17
patchbotnotmorgan: patch 318381 - keystone - Enable py3 tests for test_v3_auth00:17
notmorgankeystone.tests.unit.test_v3_auth.TestAuthTOTP00:17
*** iurygregory has quit IRC00:18
notmorgandstanek: also tried with blob = base64.b32encode(os.urandom(20)).decode('utf-8')00:20
notmorganinstead of the wacky encode/decode thing00:20
notmorganand it fails in the same way00:20
dstaneknotmorgan: do you have a traceback of what's happening in the service?00:20
notmorgannope00:21
notmorganno traceback as far as i know00:21
notmorgan55345200:21
dstaneknotmorgan: running the tests now00:26
*** raddaoui has quit IRC00:27
*** rderose has joined #openstack-keystone00:30
notmorgandstanek: ++00:32
gyeedstanek, I am also running the tests00:33
gyeetaking a long time00:33
*** gyee has quit IRC00:34
notmorgandstanek: oh i ... uh think this might be an issue in the detection of the success case00:34
notmorganbecause i see a token being issued00:34
notmorganbut still getting a 401 response00:34
*** gyee has joined #openstack-keystone00:34
*** ChanServ sets mode: +v gyee00:34
*** stingaci has joined #openstack-keystone00:35
*** julim has joined #openstack-keystone00:35
dstanekgyee: notmorgan: you guys probably already figured this out but, python setup.py testr --testr-args="--subunit keystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_username_and_domain_id" | subunit-trace -f will run just a single test00:40
notmorgandstanek: i've just been using source .tox/.... and python -m testtools.run <test>00:42
notmorgandstanek: since it's the same env as tox runs that way00:42
gyeedstanek, nice! did tox used to be able to run a single test?00:43
dstanekgyee: yes, but i hacked it for the py34 tests. once we get them all working we can put it back the way it was00:44
gyeelike tox -e py34 keystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_username_and_domain_id00:44
dstanekyou can still run single tests on py27 though00:44
gyeeI see00:44
*** sigmavirus24 is now known as sigmavirus24_awa00:45
*** stingaci has quit IRC00:45
*** julim has quit IRC00:49
gyeedstanek, I got import error with the above command00:51
*** ninag has joined #openstack-keystone00:57
openstackgerritClenimar Filemon proposed openstack/keystoneauth: Add is_domain to keystoneauth token  https://review.openstack.org/28237700:59
*** ninag has quit IRC01:02
*** rderose has quit IRC01:07
*** spzala has joined #openstack-keystone01:08
*** spzala has quit IRC01:08
*** spzala has joined #openstack-keystone01:08
*** lhcheng has joined #openstack-keystone01:12
*** ChanServ sets mode: +v lhcheng01:12
ayoungsamueldmq, notmorgan https://review.openstack.org/#/c/311652/  passes when I strip out the caching.01:13
patchbotayoung: patch 311652 - keystone - Replace revoke tree with linear search01:13
ayoungnotmorgan, how can we make progress here?01:13
*** roxanaghe has joined #openstack-keystone01:24
*** doug-fish has joined #openstack-keystone01:24
notmorganayoung: i'll poke at the caching stuff01:24
notmorganayoung: and see what we can do about it/01:24
notmorganayoung: but if we don't pass with caching, it tells me we're making some really bad assumptions because the invalidates are as expected.01:25
notmorganayoung: my guess is we're assuming you can look up the event list multiple times in a given request.01:25
ayoungnotmorgan, that is probably the case in a validate01:25
ayoungservice token gets one lookup01:25
*** EinstCrazy has joined #openstack-keystone01:26
ayoungthen the token it is validating gets the second01:26
ayoungnotmorgan, should we drive on to the database solution?01:26
*** roxanaghe has quit IRC01:29
*** doug-fish has quit IRC01:29
notmorganayoung: probably01:31
notmorganayoung: we can do it incrementally.01:31
notmorganwe probably still want caching01:31
notmorgandstanek: any joy on those tests?01:31
dstaneknotmorgan: certainly, but no fix just yet01:31
ayoungnotmorgan, caching makes sense.  if it is on a per token basis, then asking for data for the same token a second time goes to cache01:32
*** ddieterly is now known as ddieterly[away]01:32
dstanekso _to_content_type in keystone/tests/unit/rest.py takes the passcode from b'338484' to [34, 45, 56, ..]01:32
ayoungnever need to worry about invalidating01:32
*** ddieterly[away] has quit IRC01:32
dstaneknotmorgan: i think maybe our generate totp should just not return bytes, but i don't have the time to check yet01:33
notmorgandstanek: yeah its... ugh01:33
notmorgandstanek: i'll poke at that next01:34
notmorganthanks01:34
notmorganayoung: uhm............. sure?01:34
ayoungnotmorgan, can we merge the cacheless version, to get things working, and then drive on with optimizations?01:34
ayoungit gives a better baseline01:34
*** skoude has quit IRC01:36
*** skoude has joined #openstack-keystone01:37
notmorganayoung: if you prove it fixes the race01:44
notmorganayoung: otherwise i'd like to figure out where the race is first01:47
notmorgandstanek: sigh01:59
notmorgandstanek: yep... we can't return bytes from totp generate01:59
notmorganFFFFFFfffffffff01:59
notmorganfixes the bug01:59
*** EinstCra_ has joined #openstack-keystone02:00
*** ngupta has joined #openstack-keystone02:00
*** EinstCrazy has quit IRC02:03
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 tests for test_v3_auth  https://review.openstack.org/31838102:03
notmorgan^ dstanek 3/402:03
*** tqtran has quit IRC02:09
*** tqtran has joined #openstack-keystone02:18
jamielennoxnotmorgan: so how do i write a tc letter?02:19
notmorganjamielennox: a tc what?02:20
jamielennoxnotmorgan: "it's no longer the gate's problem if you don't default to keystone v3 in ocata"02:20
notmorganoh.. uhm02:20
notmorgan..... there is a way to do this02:21
*** lhcheng has quit IRC02:22
notmorganjamielennox: sorry brain is ... braining02:23
jamielennoxnotmorgan: i'm not in a rush to write it :p02:23
notmorganjamielennox: but in short send a message to the dev mailing list, tagged with [tc], explaining the stuff02:23
notmorganjamielennox: and then propose a resolution to the governance directory (prob reference the resolution review in the email)02:23
jamielennoxoh - that's all, i figured there'd at least be a template02:23
notmorganand be ready to show up at a TC meeting to discuss02:23
notmorganlook at other resolutions02:24
notmorganwould be what i'd do02:24
stevemarnotmorgan: i think bknudson wanted to swap the uwsgi job for a proper apache+mod_proxy_uwsgi job02:26
notmorganstevemar: fair enough02:26
stevemarnotmorgan: cause the uwsgi job just runs uwsgi instead of apache, and it's a poor excuse for a web server02:26
*** tqtran has quit IRC02:26
notmorganyah02:27
notmorganok02:27
*** ngupta has quit IRC02:29
jamielennoxlooking at past resolutions v3 default doesn't really seem to be at the same point02:30
*** BjoernT has joined #openstack-keystone02:32
notmorganjamielennox: write something up!02:32
jamielennoxnotmorgan: i'm trying my best to avoid it02:32
*** links has joined #openstack-keystone02:35
jamielennoxgoing for lunch instead02:37
openstackgerritMerged openstack/keystone: Make AuthContext depend on auth_token middleware  https://review.openstack.org/25568602:38
notmorganlol02:39
*** BjoernT has quit IRC02:39
*** otaciliofl has joined #openstack-keystone02:42
*** spzala has quit IRC02:43
*** spzala has joined #openstack-keystone02:43
*** spzala has quit IRC02:44
*** spzala has joined #openstack-keystone02:44
*** woodster_ has quit IRC02:48
*** EinstCra_ has quit IRC02:58
*** EinstCrazy has joined #openstack-keystone02:59
*** spzala has quit IRC03:03
*** adu has joined #openstack-keystone03:04
*** TxGVNN has joined #openstack-keystone03:06
*** ozialien10 has quit IRC03:18
*** ozialien10 has joined #openstack-keystone03:19
*** tqtran has joined #openstack-keystone03:23
*** lhcheng has joined #openstack-keystone03:25
*** ChanServ sets mode: +v lhcheng03:25
*** tqtran has quit IRC03:27
*** edtubill has joined #openstack-keystone03:29
jamielennoxholy crap that merged03:32
jamielennoxi wonder if it broke anything03:32
*** lhcheng_ has joined #openstack-keystone03:33
*** lhcheng has quit IRC03:36
*** richm has quit IRC03:43
stevemarnotmorgan: ah https://review.openstack.org/#/c/312061/ and https://review.openstack.org/#/c/318381/ are the same thing03:48
patchbotstevemar: patch 312061 - keystone - Port test_v3_auth unit test to Python 303:48
patchbotstevemar: patch 318381 - keystone - Enable py3 tests for test_v3_auth03:48
notmorganstevemar: feel free to kill either one03:49
notmorganstevemar: but i was just stacking up all the changes to get there03:49
stevemaryeah, looking at both03:49
notmorganstevemar: btw... oauth1... :(03:49
stevemarnotmorgan: ruh roh03:49
stevemaroh no, is the damn lib not py3?!03:49
notmorganit's an uuuuuugly p3 port03:49
notmorganno not the lib03:50
stevemarphew03:50
notmorganour code is icky03:50
stevemarugly i can deal with03:50
notmorganlots of icky03:50
stevemaryou mean *my* code03:50
notmorganfixing py3 issues nets a tonne of notification bugs03:50
stevemarit's only community code when it's pretty03:50
notmorgannope. not even your code03:50
notmorganthings built on your code post facto03:50
stevemarif it's ugly, "who wrote this?!'03:50
notmorganso fwiw, my patch is a bit more surgical now than the previous on03:51
notmorganone*03:52
notmorganand i'm really hoping to solve the oauth1 tests soon03:52
notmorgancause then we can update our classifiers to be py3403:52
notmorgan:)03:52
notmorganwe're so very close03:52
adupy3 is great it's py2 that's ugly03:55
aduI use py2 at work, so I would know03:56
*** edtubill has quit IRC04:00
*** links has quit IRC04:00
*** chlong has joined #openstack-keystone04:04
*** ninag has joined #openstack-keystone04:06
openstackgerritTony Breeds proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843504:06
jamielennoxtonyb: did something go wrong? ^04:08
*** edtubill has joined #openstack-keystone04:08
tonybjamielennox: No04:08
tonybjamielennox: dims runs a bunch of test jobs out of cron to sniff test that u-c updates "work"04:09
tonybjamielennox: keystone wasn't in that list so ... now it is :)04:09
tonybjamielennox: basically ignore that thing04:09
jamielennoxah, ok - i was just a bit concerned about the last merge, thought it might have broken something04:09
*** ninag has quit IRC04:10
tonybjamielennox: it could take a while to see if it breaks.04:10
tonybjamielennox: good to be worried :)04:10
*** links has joined #openstack-keystone04:16
*** can8dnSix has joined #openstack-keystone04:21
*** iurygregory_ has quit IRC04:24
*** adu has quit IRC04:29
*** adu has joined #openstack-keystone04:29
*** darosale has joined #openstack-keystone04:35
*** adu has quit IRC04:43
notmorganstevemar: *sigh* '2016-05-19T03:19:02.901847Z' != '2016-05-19T03:19:02.901846Z'04:45
notmorganstevemar: REALLY!?!04:45
notmorganstevemar: :(04:45
stevemarnotmorgan: that's what https://review.openstack.org/#/c/312061/ was addressing04:45
patchbotstevemar: patch 312061 - keystone - Port test_v3_auth unit test to Python 304:45
notmorgan1 microsecond off.04:45
notmorgan1 effing microsecond.04:45
stevemarnotmorgan: there is also, as lbragstad said, a function called "closeEnoughForGovernmentWork" :)04:45
notmorganyeah we should use that04:46
notmorgancause... seriously04:46
*** GB21 has joined #openstack-keystone04:46
notmorgani don't even know how we managed to 1 microsecond drift there04:47
stevemar"assertCloseEnoughForGovernmentWork"04:47
stevemarwe use it in a few spots already04:47
stevemarnotmorgan: oh also, troveclient, designateclient and heatclient are now using ksa \o/04:47
notmorganthat is below the level of cpu slices04:48
*** GB21 has quit IRC04:51
notmorganstevemar: i am going to simply recheck that failure05:04
notmorganthat is a cosmic ray level event05:04
notmorganit is the first time i legitimately feel that way05:04
notmorgan'2016-05-19T03:19:02.901847Z' != '2016-05-19T03:19:02.901846Z' 1 microsecond?! really05:04
notmorganmaybe with terahertz cpu... or electron migration05:05
*** bkero has joined #openstack-keystone05:05
notmorganbkero: can totally appreciate it05:06
*** GB21 has joined #openstack-keystone05:06
stevemarnotmorgan: it's your doom :)05:07
*** doug-fish has joined #openstack-keystone05:11
*** can8dnSix has quit IRC05:12
*** doug-fish has quit IRC05:15
*** chlong has quit IRC05:17
notmorganstevemar: impossible05:18
*** roxanaghe has joined #openstack-keystone05:18
bkeroinconceivable<Vizzini>05:20
bkero</Vizzini>05:20
*** roxanaghe has quit IRC05:20
*** tqtran has joined #openstack-keystone05:24
stevemarbkero: ++05:25
jamielennoxstevemar: what's the likelihood people are subclassing our controllers outside of keystone?05:26
jamielennoxdo we consider those apis public05:26
stevemarjamielennox: probably low05:27
jamielennoxso if i replace context with a request object so long as it works in keystone i'm good ?05:27
stevemarjamielennox: yeah, technically it's all public, but i would assume it's unlikely05:27
*** markvoelker has joined #openstack-keystone05:27
stevemarjamielennox: you had to pick something that affects *all* controllers05:28
*** tqtran has quit IRC05:28
stevemarjamielennox: whats the gain we get from switching?05:28
jamielennoxit's bugged me since the beginning, and it's somewhat relaxing05:28
jamielennoxi want to start using real oslo.context and stuff throughout keystone05:29
jamielennoxrather than our botched together dictionary05:29
jamielennoxs/relaxing/cathartic05:30
stevemarjamielennox: safest bet would be to toss up a patch and send a note to ops05:30
stevemartry and pitch it a bit better, other than `cathartic`05:31
stevemar:)05:31
*** chlong has joined #openstack-keystone05:31
*** rderose has joined #openstack-keystone05:31
stevemargo for `consistency between projects`, that always wins people over!05:31
*** rderose has quit IRC05:31
stevemarotherwise, folks will just roll their eyes "devs gonna dev"05:31
notmorganso stevemar, the issue with oauth1 tests is... pretty deep :(05:32
stevemarwhen they just want stability05:32
stevemargdi05:32
*** naresht has quit IRC05:32
*** markvoelker has quit IRC05:34
stevemarnotmorgan: what are you seeing?05:36
*** GB21 has quit IRC05:37
*** stingaci has joined #openstack-keystone05:37
notmorganstevemar: just a mess05:37
notmorganstevemar: i fix one thing and it spawns notification errors05:38
notmorganstevemar: it's ... blah05:38
notmorganso close :(05:38
notmorganmost recent: AssertionError: Notification not sent.05:38
notmorgan33 of them05:39
notmorgani am wondering if the library is an issue :(05:39
notmorganstevemar: oauthlib claims 3.4 compat05:40
notmorganso.. prob. not a lib error05:40
stevemarnotmorgan: post the patch as WIP?05:41
notmorganmebee05:41
notmorganbleh05:41
openstackgerritMorgan Fainberg proposed openstack/keystone: WIP - Py3 oauth tests  https://review.openstack.org/31845105:42
notmorganstevemar: ^05:44
notmorganls05:44
*** lhcheng has joined #openstack-keystone05:44
*** ChanServ sets mode: +v lhcheng05:44
notmorganstevemar: i figure whoever finishes the py3 changes gets to propose the classifier change05:45
stevemarnotmorgan: haha05:45
*** lhcheng_ has quit IRC05:45
stevemarthat's why you are gunning for it!05:45
notmorganstevemar: nah, i want to make it easy for someone else to.05:45
notmorganstevemar: anyone else. it's a big change :)05:45
stevemarnotmorgan: i dunno, dstanek does have a claim to the py3 throne too05:45
notmorgani actually hope someone picks up the oauth patchset05:45
stevemarnotmorgan: maybe we can bribe haypo05:46
notmorganstevemar: ooh05:46
notmorgangood idea05:46
stevemari mean beg, or bribe, whatever he wants05:46
stevemarcomes with the territory or the rebase shield05:46
stevemarof*05:47
*** edtubill has quit IRC05:54
*** gyee has quit IRC05:56
*** fawadkhaliq has joined #openstack-keystone05:57
*** doug-fish has joined #openstack-keystone05:57
*** furface has quit IRC06:00
*** doug-fish has quit IRC06:01
*** chlong has quit IRC06:05
*** rcernin has joined #openstack-keystone06:13
*** GB21 has joined #openstack-keystone06:14
*** chlong has joined #openstack-keystone06:22
*** cloudpuppy has quit IRC06:29
*** TxGVNN has quit IRC06:32
*** lhcheng has quit IRC06:39
*** darosale has quit IRC06:44
*** belmoreira has joined #openstack-keystone06:45
*** EinstCrazy has quit IRC06:51
*** EinstCrazy has joined #openstack-keystone06:52
*** chlong has quit IRC06:54
*** EinstCrazy has quit IRC06:54
*** EinstCrazy has joined #openstack-keystone06:56
*** EinstCrazy has quit IRC06:57
*** TxGVNN has joined #openstack-keystone06:58
*** pnavarro has joined #openstack-keystone06:58
*** EinstCrazy has joined #openstack-keystone06:58
*** jaosorior has quit IRC06:59
*** jaosorior has joined #openstack-keystone07:00
*** EinstCrazy has quit IRC07:00
*** TxGVNN has quit IRC07:00
*** EinstCrazy has joined #openstack-keystone07:01
*** furface has joined #openstack-keystone07:04
jamielennoxgah, that one's a bit ugly https://review.openstack.org/#/c/318349/2/keystone/token/providers/fernet/token_formatters.py07:07
patchbotjamielennox: patch 318349 - keystone - Enable py3 testing for Fernet token provider07:07
jamielennoxstevemar: it's no longer cathartic - our tests suck so bad07:10
*** pnavarro has quit IRC07:15
stevemarjamielennox: good, i've successfully convinced you to not do it07:23
jamielennoxnot sure about that07:23
stevemardammit07:28
*** ninag has joined #openstack-keystone07:32
zigoIs it correct to say that users should be using "keystone-manage token_flush" only if [token]/provider is set to uuid?07:36
zigoOr is it useful in other cases?07:36
*** ninag has quit IRC07:37
zigoI've got some report of unhappy users of fernet tokens that want me to remove the cron job of the Debian package, which is why I'm asking.07:37
stevemarzigo: only useful for uuid really07:37
zigoOk.07:37
zigostevemar: Is it deprecated?07:37
zigo(I've been told that...)07:37
zigostevemar: Or still useful?07:37
stevemarzigo: nope07:37
zigoOk, thanks a lot.07:37
stevemarzigo: definitely not deprecated07:37
zigoFYI, I'm about to do:07:37
zigo        PROVIDER=$(grep -E '^[ \t]*provider[ \t]*=' /etc/keystone/keystone.conf)07:37
zigo        if [ -n "${PROVIDER}" ] ; then07:37
zigo                PROVIDER=$(grep -E '^[ \t]*provider[ \t]*=' /etc/keystone/keystone.conf | sed -e 's/[ \t]*provider[ \t]*=//' | awk '{print $1}')07:37
zigo                if [ "${PROVIDER}" = "uuid" ] ; then07:37
zigo                        su -c '/usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' keystone07:37
zigo                fi07:38
zigo        fi07:38
zigoOh, I'm forgetting the default value ... :P07:38
zigoBut you got the idea, I believe.07:38
*** fawadkhaliq has quit IRC07:39
*** fawadkhaliq has joined #openstack-keystone07:39
stevemarnotmorgan: do we still persist/store tokens for fernet (if and only if they are v2 tokens)?07:39
stevemarzigo: let me double check i am giving you all the right info!07:40
stevemari seem to remember now a case where we still persist tokens even if fernet is selected07:41
zigostevemar: At least, for fernet tokens, the script fails and trace dumps, which is problematic in production (ie: our monitoring tool is reporting it...).07:41
stevemarouch07:41
zigostevemar: https://bugs.launchpad.net/fuel/+bug/152032107:42
openstackLaunchpad bug 1520321 in Fuel for OpenStack "keystone-manage token_flush command fails" [Low,Fix released] - Assigned to Max Yatsenko (myatsenko)07:42
stevemari wonder why it would fail07:42
zigoWell, it should gracefully fail, instead of just raising a Python error.07:43
stevemarinteresting07:44
zigoIMO, best would be to just output a nice warning in a single line, and exit.07:45
stevemarso when packaging, you used to always set up the hourly job regardless of the token provider07:45
stevemarbut now (as you pasted) it'll depend if uuid07:45
zigoRight, because I didn't know.07:45
zigoWell, now, the cron job stays, but it will check for the config, yes.07:45
stevemarcool cool07:45
zigohttp://paste.openstack.org/show/497648/ <--- My current version.07:46
zigoI'd prefer to always call keystone-manage, and have *it* to know better than me.07:46
zigoThough, as it just crashes and fills-up the log, I can't anymore.07:46
stevemarzigo: it may just be that we didn't anticipate this command running with fernet and it went untested. mind if i open that bug against keystone07:47
stevemarwe could fail silently or return nothing07:47
zigoThanks ! :)07:47
stevemarsounds easy enough to implement, unless some of the fernet guys (lbragstad and dolphm) are against it for some reason07:48
zigoIn any case, for this kind of issues, we have 4 groups of people interacting (ie: upstream, package maintainers, puppet team, monitoring guys and ops), so communication on what we shall do is important! :)07:48
*** dmk0202 has joined #openstack-keystone07:50
stevemarzigo: yep!07:51
stevemarzigo: question for you, somewhat related07:51
stevemarzigo: fernet as the default token provider, yes or no?07:52
stevemaras a packager, your thoughts...07:52
zigoWell, do we have to, at some point, generate keys and such, to make it work?07:53
stevemari know you it when a user is able to just install the package and get going07:53
zigoI don't mind having it the default, but then if I need to generate keys in the postinst, I need to get the doc on how to do it.07:53
zigoHow does that work?07:54
stevemarzigo: fine with me. i can get you the docs.07:54
stevemarzigo: for an all-in-one deployment it should just be 2 additional keystone-manage commands07:54
zigoCool ! :)07:55
*** GB21 has quit IRC07:55
zigoThen I'm ok with it as default.07:55
stevemarzigo: i'll add it to the list!07:55
zigoJust the latest CVE scares me a bit.07:55
stevemarthe audit id one?07:55
zigoYes.07:55
zigoAre Fernet tokens mature enough?07:55
stevemaryeah, that one is unfortunate.07:56
stevemarwe only discovered it after we made it the default07:56
stevemari think so. we kicked the tires for a few releases now, and we wouldn't have found it without making it the default in devstack07:56
*** EinstCra_ has joined #openstack-keystone07:57
zigoFair enough.07:57
stevemarzigo: not sure if you have access to the bug, but someone confirmed it is not an issue in liberty07:58
stevemarwe will backport the fix to mitaka07:59
zigoI have access to the bug (it's disclosed, and anyway, I am in the embargo list), and there's already a backport to Mitaka.07:59
zigoI'm currently building the package and will upload after it passes all unit tests.07:59
stevemaryay, i just saw that it was merged07:59
*** zzzeek has quit IRC08:00
*** EinstCrazy has quit IRC08:00
stevemarnow if someone can approve my mitaka releases, i would be happy: https://review.openstack.org/#/c/317839/ :)08:00
patchbotstevemar: patch 317839 - releases - release keystone server and libraries for mitaka08:00
stevemarholy heck it's 4am, i need to sleep08:01
*** zzzeek has joined #openstack-keystone08:02
*** jamielennox is now known as jamielennox|away08:05
*** cheran has quit IRC08:09
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** vnogin has joined #openstack-keystone08:10
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: Let OidcPassword accept scope parameters as kwargs  https://review.openstack.org/31789508:14
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: Let OidcPassword accept scope parameters as kwargs  https://review.openstack.org/31789508:17
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: create an OidcBase class with common methods  https://review.openstack.org/31796708:18
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: Remove unused parameters in OidcPassword methods  https://review.openstack.org/31796608:18
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: add OidcToken class to authenticate reusing an access token  https://review.openstack.org/31796808:18
*** pnavarro has joined #openstack-keystone08:19
*** daemontool has joined #openstack-keystone08:21
*** GB21 has joined #openstack-keystone08:21
*** ozialien10 has quit IRC08:27
*** ozialien10 has joined #openstack-keystone08:27
*** jistr has joined #openstack-keystone08:30
*** EinstCrazy has joined #openstack-keystone08:38
*** EinstCra_ has quit IRC08:40
openstackgerritMerged openstack/keystone: Enable py3 for credential tests  https://review.openstack.org/31834108:42
openstackgerritAlfredo Moralejo proposed openstack/keystone: Add .mo files to MANIFEST.in  https://review.openstack.org/31852709:18
*** fawadkhaliq has quit IRC09:24
*** fawadkhaliq has joined #openstack-keystone09:24
*** GB21 has quit IRC09:30
*** zqfan has joined #openstack-keystone09:30
*** EinstCrazy has quit IRC09:36
*** EinstCrazy has joined #openstack-keystone09:36
*** ericksonsantos has quit IRC09:46
*** clenimar has quit IRC09:47
*** clenimar has joined #openstack-keystone09:49
*** ericksonsantos has joined #openstack-keystone09:49
*** EinstCrazy has quit IRC09:51
*** rk4n has joined #openstack-keystone09:55
*** GB21 has joined #openstack-keystone09:59
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843510:00
*** porunov has joined #openstack-keystone10:01
*** mvk_ has quit IRC10:15
*** d0ugal has quit IRC10:24
*** d0ugal has joined #openstack-keystone10:28
*** d0ugal has quit IRC10:31
*** d0ugal has joined #openstack-keystone10:31
*** danielh has quit IRC10:35
*** mou has joined #openstack-keystone10:36
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: create an OidcBase class with common methods  https://review.openstack.org/31796710:37
openstackgerritAlvaro Lopez Garcia proposed openstack/python-keystoneclient: oidc: add OidcToken class to authenticate reusing an access token  https://review.openstack.org/31796810:37
*** mvk_ has joined #openstack-keystone10:50
*** jamielennox|away is now known as jamielennox11:03
*** tellesnobrega is now known as tellesnobrega_af11:10
*** rk4n has quit IRC11:18
*** rodrigods has quit IRC11:20
*** rodrigods has joined #openstack-keystone11:20
*** iurygregory has joined #openstack-keystone11:26
*** porunov has quit IRC11:27
*** doug-fish has joined #openstack-keystone11:28
*** doug-fish has quit IRC11:29
*** fawadkhaliq has quit IRC11:30
*** ninag has joined #openstack-keystone11:34
*** ninag has quit IRC11:38
*** gordc has joined #openstack-keystone11:41
openstackgerritMikhail Nikolaenko proposed openstack/keystone: Added app for policy enforcement  https://review.openstack.org/31752911:46
*** ddieterly has joined #openstack-keystone12:03
*** rk4n has joined #openstack-keystone12:05
*** jistr has quit IRC12:08
openstackgerrithenry-nash proposed openstack/keystone-specs: Support hierarchical project naming  https://review.openstack.org/31860512:12
*** TxGVNN has joined #openstack-keystone12:13
*** amrith is now known as _amrith_12:14
*** raildo-afk is now known as raildo12:15
openstackgerrithenry-nash proposed openstack/keystone-specs: Support hierarchical project naming  https://review.openstack.org/31860512:16
*** raildo has left #openstack-keystone12:16
*** markvoelker has joined #openstack-keystone12:16
*** raildo has joined #openstack-keystone12:17
*** rk4n has quit IRC12:17
*** rk4n has joined #openstack-keystone12:18
*** markvoelker has quit IRC12:21
*** markvoelker has joined #openstack-keystone12:24
*** GB21 has quit IRC12:24
*** ddieterly is now known as ddieterly[away]12:25
*** jistr has joined #openstack-keystone12:28
*** edmondsw has joined #openstack-keystone12:28
*** jistr is now known as jistr|bbl12:28
*** stingaci has quit IRC12:31
*** julim has joined #openstack-keystone12:34
*** links has quit IRC12:36
*** tellesnobrega_af is now known as tellesnobrega12:37
*** ninag has joined #openstack-keystone12:38
*** markvoelker has quit IRC12:41
*** markvoelker has joined #openstack-keystone12:42
*** ninag has quit IRC12:43
*** markvoelker_ has joined #openstack-keystone12:46
*** ninag_ has joined #openstack-keystone12:47
*** ddieterly[away] is now known as ddieterly12:48
*** markvoelker_ has quit IRC12:48
*** markvoelker_ has joined #openstack-keystone12:49
*** markvoelker has quit IRC12:50
*** markvoelker_ has quit IRC12:55
*** markvoelker has joined #openstack-keystone12:55
*** ddieterly has quit IRC12:57
*** richm has joined #openstack-keystone13:01
lbragstadsamueldmq ping13:06
openstackgerritAlfredo Moralejo proposed openstack/keystone: Add .mo files to MANIFEST.in  https://review.openstack.org/31852713:09
*** markvoelker_ has joined #openstack-keystone13:12
*** markvoelker_ has quit IRC13:12
*** dave-mccowan has joined #openstack-keystone13:12
*** markvoelker_ has joined #openstack-keystone13:12
openstackgerritJamie Lennox proposed openstack/keystone: Replace context building with a request object  https://review.openstack.org/31865713:15
openstackgerritJamie Lennox proposed openstack/keystone: Pass a request to controllers instead of a context  https://review.openstack.org/31865813:15
jamielennoxstevemar: present for you ^13:15
*** markvoelker has quit IRC13:15
*** pauloewerton has joined #openstack-keystone13:16
*** rk4n_ has joined #openstack-keystone13:25
*** rk4n has quit IRC13:26
*** ngupta has joined #openstack-keystone13:31
*** mou has quit IRC13:31
*** mou has joined #openstack-keystone13:32
*** ddieterly has joined #openstack-keystone13:32
*** BigWillie has joined #openstack-keystone13:37
knikollao/ morning keystone!13:40
openstackgerritAlfredo Moralejo proposed openstack/keystone: Add .mo files to MANIFEST.in  https://review.openstack.org/31852713:41
*** markvoelker_ has quit IRC13:44
*** ddieterly is now known as ddieterly[away]13:45
*** tellesnobrega is now known as tellesnobrega_af13:46
*** ddieterly[away] is now known as ddieterly13:52
*** ametts has joined #openstack-keystone13:52
*** gagehugo has joined #openstack-keystone13:53
*** belmoreira has quit IRC13:55
*** belmoreira has joined #openstack-keystone13:55
dstanekgood morning knikolla13:57
*** mou has quit IRC13:57
*** mou has joined #openstack-keystone13:57
*** ngupta has quit IRC14:00
*** jistr|bbl is now known as jistr14:00
*** ngupta has joined #openstack-keystone14:01
knikollamorning dstanek. since you’re here i have a few questions about devstack plugins for k2k, if you don’t mind.14:01
*** ninag_ has quit IRC14:02
*** woodster_ has joined #openstack-keystone14:02
*** ngupta_ has joined #openstack-keystone14:03
*** darosale has joined #openstack-keystone14:03
*** ninag has joined #openstack-keystone14:03
dstanekknikolla: i don't think i'd be helpful for that, but you should ask away for when someone that is familiar with it is in here14:04
*** ninag_ has joined #openstack-keystone14:05
*** ngupta has quit IRC14:05
knikolladstanek: sure, so i made https://github.com/knikolla/devstack-plugin-k2k-idp and https://github.com/knikolla/devstack-plugin-k2k-sp and just wanted to know if 2 separate plugins is the way to do it, or not.14:06
*** ninag has quit IRC14:07
*** rderose has joined #openstack-keystone14:08
rodrigodsknikolla, hmm we are going to put everything under keystone/devstack, right?14:08
rodrigodscan we execute two plugins? i think we can?14:09
knikollarodrigods: yes, you can execute as many as you want. but not from the same repo.14:10
knikollarodrigods: so if we want it in keystone/devstack, there can only be one plugin there.14:11
rodrigodsknikolla, really? why is that?14:11
knikollarodrigods: that’s my understanding of the devstack plugin architecture. you point it to a repo and it searches for devstack/plugin.sh and runs it.14:12
dstanekknikolla: this seems like something to bring up at the QA meeting today :-)14:12
dstanekwhat is the case for making it multiple plugins?14:12
*** edtubill has joined #openstack-keystone14:13
*** pauloewerton has quit IRC14:13
rodrigodsknikolla, hmm got it14:13
*** pauloewerton has joined #openstack-keystone14:13
knikolladstanek: based on the etherpad from the design summit, we’re gonna have all kinds of plugins, ad/ldap, federation, k2k. so making them work nicely with a single plugin, i’m not sure about that.14:14
knikollahttps://etherpad.openstack.org/p/newton-keystone-testing14:14
knikolladstanek: actually nevermind about ad/ldap as it’s already built in devstack.14:15
dstanekknikolla: we could do a single plugin and control what components are setup using env vars14:15
rodrigodsdstanek, ++14:15
knikolladstanek: sure, i planned on giving it a try. i split them into two since it was easier to debug.14:16
rodrigodsknikolla, besides that, i'm really glad to see stuff evolving on this side14:16
dstanekjust like how you setup services in devstack we could have KEY_PLUGIN_COMPONENTS="sp,idp,awesome"14:16
*** edtubill has quit IRC14:17
rodrigodswe could even have flavors for each component14:17
rodrigodssp_mod_mellon, sp_mod_shib14:17
knikollarodrigods: dstanek: that sounds good to me.14:18
knikollaalso i’m not sure why there is a bullet point in the etherpad for federation, and a separate one for k2k. isn’t the sp the same in both cases.14:19
rodrigodsknikolla, i think it is14:19
knikollaor is this a scenario with some other idp instead of keystone14:19
rodrigodswe have the "regular" federation scenario too14:19
*** _amrith_ is now known as amrith14:20
dstanekright, it's about scenarios and not necessarily plugins14:20
knikollarodrigods: dstanek: right, also k2k uses saml/ecp whereas some other idp might use something else. got it.14:21
openstackgerrityolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results  https://review.openstack.org/31113314:21
knikollai’ll need to sync up with breton_ if we’re going to go the single plugin route.14:21
*** belmoreira has quit IRC14:27
*** fawadkhaliq has joined #openstack-keystone14:29
*** ninag_ has quit IRC14:32
*** fawadkhaliq has quit IRC14:33
*** pushkaru has joined #openstack-keystone14:34
stevemarmorning knikolla!14:34
knikollamorning stevemar! :)14:35
*** belmoreira has joined #openstack-keystone14:38
stevemarknikolla: feeling ambitious? https://review.openstack.org/#/c/318451/ :)14:38
patchbotstevemar: patch 318451 - keystone - WIP - Py3 oauth tests14:38
lbragstadonly two modules left!14:38
knikollastevemar: sure! i’ll give it a go!14:40
knikollastevemar: is that the last thing blacklisted?14:40
stevemarknikolla: hmm? blacklisted?14:41
knikollastevemar: as in tests-py3-blacklist.txt14:41
stevemarknikolla: the blacklist are tests that don't run in py3 gate job14:41
stevemarknikolla: the oauth tests are on the blacklist, this patch is trying to remove them14:42
stevemarknikolla: but notmorgan can't seem to crack it, and is looking for help :P14:42
knikollastevemar: i know, i understand what the patch is trying to do. i was just curious if after the pyldap thing his was the only thing left to remove from the py3 blacklist.14:43
knikollathis*14:43
knikollabut i see there are a few others :P14:43
*** sdake_ has joined #openstack-keystone14:44
stevemarknikolla: yep! 2 last changes :)14:45
*** raddaoui has joined #openstack-keystone14:47
*** tellesnobrega_af is now known as tellesnobrega14:47
*** TxGVNN has quit IRC14:47
*** sigmavirus24_awa is now known as sigmavirus2414:48
*** tellesnobrega is now known as tellesnobrega_af14:49
*** tellesnobrega_af is now known as tellesnobrega14:49
*** tonytan4ever has joined #openstack-keystone14:49
*** timcline has joined #openstack-keystone14:49
*** otaciliofl has quit IRC14:52
*** rk4n_ has quit IRC14:52
raildostevemar: look how beautiful this is: https://github.com/openstack/glance/blob/master/glance/common/auth.py#L121-L125 :P14:52
stevemarraildo: :(14:52
*** edtubill has joined #openstack-keystone14:53
openstackgerritMerged openstack/keystone: Enable py3 testing for Fernet token provider  https://review.openstack.org/31834914:53
*** fesp has joined #openstack-keystone14:53
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261114:55
*** julim has quit IRC14:56
*** julim has joined #openstack-keystone14:56
*** ninag_ has joined #openstack-keystone14:56
*** jaosorior has quit IRC14:59
*** jaosorior has joined #openstack-keystone15:00
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548715:01
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261115:01
*** ddieterly is now known as ddieterly[away]15:01
*** ddieterly[away] is now known as ddieterly15:01
*** alaski has joined #openstack-keystone15:02
*** jaosorior has quit IRC15:03
*** diazjf has joined #openstack-keystone15:03
*** jaosorior has joined #openstack-keystone15:03
*** diazjf1 has joined #openstack-keystone15:07
*** spzala has joined #openstack-keystone15:08
*** jaosorior has quit IRC15:10
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548715:10
*** doug-fish has joined #openstack-keystone15:10
*** diazjf has quit IRC15:10
*** links has joined #openstack-keystone15:11
*** tellesnobrega is now known as tellesnobrega_af15:11
*** doug-fish has quit IRC15:12
*** alex_xu has quit IRC15:13
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: Remove unused parameters in _OidcBase  https://review.openstack.org/31873215:14
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: DRY when obtaining a keystone token  https://review.openstack.org/31873315:14
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: DRY when obtaining an access token  https://review.openstack.org/31873415:14
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix typo in docstring  https://review.openstack.org/31873515:14
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix typo in docstring  https://review.openstack.org/31873515:16
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: DRY when obtaining an access token  https://review.openstack.org/31873415:16
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: DRY when obtaining a keystone token  https://review.openstack.org/31873315:16
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: Remove unused parameters in _OidcBase  https://review.openstack.org/31873215:16
*** doug-fish has joined #openstack-keystone15:20
knikollai’m starting to regret moving back to os x for development. damn tox and python dependencies!15:20
*** ninag_ has quit IRC15:21
*** TxGVNN has joined #openstack-keystone15:24
*** fawadkhaliq has joined #openstack-keystone15:24
stevemarknikolla: hehe15:25
*** links has quit IRC15:26
knikollastevemar: vagrant with synced folders to the rescue!15:28
*** belmoreira has quit IRC15:28
*** dmk0202 has quit IRC15:33
stevemar\o/15:36
*** ninag has joined #openstack-keystone15:37
openstackgerritSteve Martinelli proposed openstack/keystone: Pass a request to controllers instead of a context  https://review.openstack.org/31865815:40
*** darosale has quit IRC15:41
henrynashraildo, samueldmq: ping15:48
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add OidcAccessToken class to authenticate reusing an access token  https://review.openstack.org/31875015:49
samueldmqhenrynash: pong15:49
henrynashsamueldmq: not sure if you have seen https://review.openstack.org/#/c/318605/ yet….the next iteration in the attempt to allow duplicate project names...15:50
patchbothenrynash: patch 318605 - keystone-specs - Support hierarchical project naming15:50
henrynashsamueldmq: my real question is whether (once we have microversioning), this should be controlled by a config switch…or just on all the time?15:51
henrynashsamueldmq: if it’s controlled by a config switch, then you need a way of interrogating whether full names are in use or not, even after you are taking the microversion….which seems silly15:52
samueldmqhenrynash: ok so the idea is to make a non-backward compatible change15:52
samueldmqhenrynash: and be allowed to do that by using microversions15:52
henrynashsamueldmq: well, I think there is no way of making this change and it be backward compatible....15:52
samueldmqhenrynash: agreed15:52
samueldmqhenrynash: for microversions I believe you will need to specify the version when calling the ndpoinet15:53
samueldmqendpoint*15:53
henrynashsamueldmq: so yes, you ONLY get any of this if you have requested (at least) version 3.7 (or whatever the next one is)15:53
samueldmqhenrynash: it's gonna be 4.0, can't be 3.x if it's backward incompatible15:53
henrynashsamueldmq: why can’t we have a 3.X microversion?15:54
notmorganstevemar: i don't know how we're getting microsecond differences...15:54
samueldmqhenrynash: you can, but afaik if you create a backward incompatible change, you need to turn the big number15:54
henrynashsamueldmq: but isn’t that the point of a microversion?15:55
henrynashsamueldmq: you only get the new change if you ask for it15:55
samueldmqhenrynash: I think you're correct https://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/api-microversions.html#versioning15:56
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548715:56
samueldmqhenrynash: but it says "X will only be changed if a significant backwards incompatible API change is made which affects the API as whole. That is, something that is only very very rarely incremented."15:57
samueldmqhenrynash: anyways, that can be figured out later :)15:57
samueldmqhenrynash: is there an effort to support microversions this cycle ?15:58
henrynashsamueldmq: yes15:58
henrynashsamueldmq: ayoung has a spec for it (although not very complete yet)15:58
ayounghenrynash, microversion spec? Feel free to take it/modify16:00
henrynashsamueldmq: I *think*, to avoid confusing, if we implement the hierarchical naming, then it would just be on all the time (from that microversion on)16:00
henrynashayoung: will do….reading up a bit about it16:00
samueldmqhenrynash: ok, I had discussed about this with jamielennox at the summit and we came to a conclusion that it looks like it's still maturing and we could wait a bit more until adopt it16:00
samueldmqhenrynash: however if we have a need for it, why not16:00
*** sdake_ is now known as sdake16:01
samueldmqhenrynash: exactly, no config option16:01
henrynashsamueldmq: ++16:01
samueldmqhenrynash: from version x.y on, that's the way a name is represented16:01
henrynashsamueldmq: I might introduce a new attribute (leafname ?) so that a client could do operations like create project without having to construct a full name from the tree16:02
henrynashsamueldmq: again, only available in that version of the api onwards16:02
*** julim has quit IRC16:02
samueldmqhenrynash: so you want a new attribute to be added to projects so that it represents its hierarchy?16:03
samueldmqhenrynash: vs modifying the project 'name' attribute ?16:04
*** rcernin has quit IRC16:04
henrynashsamueldmq: well we could do it that way, but I’m suggesting the opposite - name is the full path, but so that you can create project without having to construct the path (since you already can give a parent ID)…maybe it would be nice to have a leaf name?16:05
henrynashsamueldmq: it seems odd to specify parent_id and full name?  If you provide name (which is a full path now) you won’t need to specify parentID…..but that means you always have to construct the full path to create a project16:07
*** darosale has joined #openstack-keystone16:07
henrynashsamueldmq: I’ll propose it in the API spec, then we can argue over it!16:07
samueldmqhenrynash: maybe if you specify parent_id then project 'name' can be either way?16:07
raildohenrynash: hey16:08
henrynashsamueldmq: ah, nice…if parent_id then the name is relative to that……..16:08
samueldmqhenrynash: yes16:08
samueldmqhenrynash: can be, if you specify full name it may also work16:09
henrynashsamueldmq: ah, but then when you read the project back name is not what you specified in the create….(it’s a full path now)…which maybe is a bit confusing?16:09
samueldmqhenrynash: since it's easy to get the leaf name from that16:09
samueldmqhenrynash: maybe16:10
samueldmqhenrynash: let's put all that in the spec and see what others think about it too16:11
*** fawadkhaliq has quit IRC16:11
*** ninag has quit IRC16:11
henrynashsamueldmq: yep16:11
*** ninag has joined #openstack-keystone16:12
raildo-- for config option ++ for create project with full path and no parent_id16:16
*** ninag has quit IRC16:16
raildoit's something similar with we made for domain_id16:16
raildowhen you can infer the domain_id from parent_id16:17
*** agrebennikov has joined #openstack-keystone16:25
*** ninag has joined #openstack-keystone16:26
*** tonytan4ever has quit IRC16:28
*** fesp has quit IRC16:29
*** tonytan4ever has joined #openstack-keystone16:33
stevemardoes anyone know this alvaro lopez dude? https://review.openstack.org/#/c/318750/ ?16:33
patchbotstevemar: patch 318750 - keystoneauth - oidc: add OidcAccessToken class to authenticate re...16:33
stevemarhe is crushing it for all the openid connect patches16:33
samueldmqstevemar: ++16:34
*** lhcheng has joined #openstack-keystone16:35
*** ChanServ sets mode: +v lhcheng16:35
stevemarsamueldmq: ah, his nick is aloga16:35
*** tellesnobrega_af is now known as tellesnobrega16:35
*** ninag has quit IRC16:35
*** ninag has joined #openstack-keystone16:36
*** ninag has quit IRC16:36
*** gagehugo has left #openstack-keystone16:36
*** ninag has joined #openstack-keystone16:36
*** roxanaghe has joined #openstack-keystone16:37
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add policy registration and authorize method  https://review.openstack.org/31314116:40
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add sample file generation script and helper methods  https://review.openstack.org/31424416:40
*** ninag has quit IRC16:41
henrynashraildo: ++16:42
*** jbell8 has joined #openstack-keystone16:44
*** fawadkhaliq has joined #openstack-keystone16:46
*** edtubill has quit IRC16:48
openstackgerrithenry-nash proposed openstack/keystone-specs: Support hierarchical project naming  https://review.openstack.org/31860516:48
stevemaranyone want to review this patch chain for openid connect slight refactoring? i've already given it a +2: https://review.openstack.org/#/c/318732/216:49
patchbotstevemar: patch 318732 - keystoneauth - oidc: Remove unused parameters in _OidcBase16:49
stevemarit's just straight refactoring, no special openid connect knowledge needed!16:49
stevemar(there are 4 patches in the chain)16:49
samueldmqstevemar: will look now16:49
*** tqtran has joined #openstack-keystone16:50
*** doug-fish has quit IRC16:50
*** doug-fish has joined #openstack-keystone16:51
*** mvk_ has quit IRC16:51
*** pnavarro has quit IRC16:54
*** ninag has joined #openstack-keystone16:54
*** doug-fis_ has joined #openstack-keystone16:54
*** doug-fish has quit IRC16:55
stevemarsamueldmq: danke!16:56
*** r-daneel has joined #openstack-keystone16:58
samueldmqstevemar: in the case of change 318750, you suggested to open a bug..16:58
samueldmqstevemar: should be a wishlist thing, right?16:58
*** ninag has quit IRC16:59
*** doug-fis_ has quit IRC16:59
*** doug-fish has joined #openstack-keystone16:59
stevemarsamueldmq: yeah, its a request for enhancement17:00
*** edtubill has joined #openstack-keystone17:00
stevemardoesn't need a spec or blueprint, just a bug so we have a record of it17:01
samueldmqstevemar: nice; do we also use release notes in ksa?17:01
samueldmqstevemar: agreed17:01
*** ninag_ has joined #openstack-keystone17:02
stevemarsamueldmq: o yeh! ++17:03
stevemarsamueldmq: that is definitely release note worthy17:03
*** doug-fish has quit IRC17:04
stevemarsamueldmq: if you are +2 otherwise, want me to add in the release note and bug, and we can merge it?17:04
*** ninag_ has quit IRC17:05
samueldmqstevemar: wfm17:05
*** ninag has joined #openstack-keystone17:05
*** julim has joined #openstack-keystone17:10
samueldmqstevemar: see latest comment there too17:11
*** doug-fish has joined #openstack-keystone17:11
*** doug-fish has quit IRC17:11
*** doug-fish has joined #openstack-keystone17:12
*** ddieterly is now known as ddieterly[away]17:12
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700717:14
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428417:17
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700717:19
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700717:19
*** mou has quit IRC17:20
*** mou has joined #openstack-keystone17:20
*** mou has quit IRC17:22
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700717:24
*** ksatrimed has joined #openstack-keystone17:27
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261117:27
*** stingaci has joined #openstack-keystone17:29
*** stingaci has quit IRC17:29
*** fawadkhaliq has quit IRC17:33
*** pnavarro has joined #openstack-keystone17:34
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700717:37
*** ddieterly[away] is now known as ddieterly17:39
*** pnavarro has quit IRC17:39
*** jbell8 has quit IRC17:39
*** r-daneel has quit IRC17:44
*** tonytan4ever has quit IRC17:45
*** pushkaru has quit IRC17:47
*** daemontool has quit IRC17:47
*** pnavarro has joined #openstack-keystone17:52
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261117:54
*** ksatrimed has quit IRC17:56
*** jbell8 has joined #openstack-keystone17:56
*** tonytan4ever has joined #openstack-keystone17:57
*** ddieterly is now known as ddieterly[away]18:02
*** darosale has quit IRC18:03
*** darosale has joined #openstack-keystone18:04
*** cheran has joined #openstack-keystone18:04
openstackgerritMerged openstack/keystoneauth: oidc: Remove unused parameters in _OidcBase  https://review.openstack.org/31873218:04
ayoungsamueldmq, can you confirm that https://review.openstack.org/#/c/311652/  does/does not fix the test race conditions?  It has no caching18:07
patchbotayoung: patch 311652 - keystone - Replace revoke tree with linear search18:07
*** notmorgan has quit IRC18:11
*** ninag has quit IRC18:15
*** doug-fis_ has joined #openstack-keystone18:16
*** ninag has joined #openstack-keystone18:16
*** TxGVNN has quit IRC18:16
*** ninag has quit IRC18:17
*** ninag has joined #openstack-keystone18:18
*** doug-fish has quit IRC18:19
openstackgerritMerged openstack/keystoneauth: oidc: DRY when obtaining a keystone token  https://review.openstack.org/31873318:21
*** jbell8 has quit IRC18:22
*** ninag has quit IRC18:24
*** ninag has joined #openstack-keystone18:25
openstackgerritMerged openstack/keystoneauth: oidc: DRY when obtaining an access token  https://review.openstack.org/31873418:25
*** notmorgan has joined #openstack-keystone18:26
*** dmellado has quit IRC18:26
*** nonameentername has quit IRC18:26
*** kfox1111 has quit IRC18:26
*** crinkle has quit IRC18:26
*** lifeless has quit IRC18:26
*** Daviey has quit IRC18:26
*** mfisch has quit IRC18:26
*** kfox1111 has joined #openstack-keystone18:26
*** nonameentername has joined #openstack-keystone18:26
*** Daviey has joined #openstack-keystone18:26
*** lifeless has joined #openstack-keystone18:26
*** crinkle has joined #openstack-keystone18:26
*** mfisch has joined #openstack-keystone18:27
*** mfisch is now known as Guest7626818:27
*** dmellado has joined #openstack-keystone18:27
*** ninag has quit IRC18:27
*** ninag has joined #openstack-keystone18:28
openstackgerritMerged openstack/keystoneauth: oidc: fix typo in docstring  https://review.openstack.org/31873518:28
*** jbell8 has joined #openstack-keystone18:30
*** andrewbogott has quit IRC18:31
*** zhiyan has quit IRC18:31
*** andrewbogott has joined #openstack-keystone18:34
*** zhiyan has joined #openstack-keystone18:34
*** ninag has quit IRC18:42
*** jistr has quit IRC18:43
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31832018:43
*** rcernin has joined #openstack-keystone18:47
*** andrewbogott has quit IRC18:51
*** andrewbogott has joined #openstack-keystone18:51
*** pnavarro has quit IRC18:55
*** alaski has left #openstack-keystone18:56
*** doug-fis_ has quit IRC18:58
*** ninag has joined #openstack-keystone19:01
*** ddieterly[away] has quit IRC19:02
*** pushkaru has joined #openstack-keystone19:04
*** doug-fish has joined #openstack-keystone19:09
*** henrynash has quit IRC19:11
*** rderose has quit IRC19:11
*** ddieterly has joined #openstack-keystone19:26
*** jbell8 has quit IRC19:27
*** Guest76268 is now known as mfisch19:30
*** jbell8 has joined #openstack-keystone19:30
*** mfisch has quit IRC19:30
*** mfisch has joined #openstack-keystone19:30
*** stingaci has joined #openstack-keystone19:34
*** ninag has quit IRC19:37
*** ninag has joined #openstack-keystone19:38
*** BjoernT has joined #openstack-keystone19:40
*** ninag has quit IRC19:42
*** harbor2 has joined #openstack-keystone19:43
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716919:45
*** ngupta_ has quit IRC19:48
*** ddieterly is now known as ddieterly[away]19:51
*** pushkaru has quit IRC19:53
*** ngupta_ has joined #openstack-keystone19:53
*** rderose has joined #openstack-keystone20:01
*** gyee has joined #openstack-keystone20:02
*** ChanServ sets mode: +v gyee20:02
rderosedstanek: regarding the PCI config settings, do we want to be PCI compliant by default?  I'm just concerned about existing deployments having to go change a bunch of settings.20:02
rderosedstanek: and the other issue would be that every time PCI change their standards, we'll have to go change our defaults to match20:03
dstanekrderose: yeah, we probably can't for backward compatibility, but i wish we could20:03
stevemardstanek: definitely can't be by default20:03
dstanekwe should provide some documented guidance for how to be compliant20:04
rderosedstanek, stevemar: we could, but I think most settings should be relaxed by default20:04
rderosedstanek stevemar: for example, passwords shouldn't expire by default.  agree?20:06
*** ddieterly[away] is now known as ddieterly20:06
rderosedstanek stevemar: but for folks that want to be PCI compliant (which can vary between operators), they'll have some options20:08
*** amrith is now known as _amrith_20:09
*** pushkaru has joined #openstack-keystone20:11
dstanekrderose: yeah, i agree that most should be relaxed by default. but we should definitely create a new doc with configuration information20:13
stevemardstanek: rderose we can definitely give a blurb in the docs at recommended settings/values20:13
stevemarbut yeah, they unfortunately all have to be off or 0 by default20:14
rderosedstanek stevemar: sounds good20:14
stevemarin the help we could write something like "It is recommended to set this to X. The default value of 0 indicates this compliance check is not enabled"20:14
stevemarrderose: ^ in the help of the config option20:15
*** doug-fish has quit IRC20:15
dstaneki think we need a separate doc defining how we see PCI in addition to configuration20:15
*** markvoelker has joined #openstack-keystone20:15
dstaneklike locked vs. disabled, etc.20:15
stevemardstanek: fo sho20:15
rderosestevemar dstanek: I think we should shy away from telling folks how to be PCI compliant, only because this is going to change over time.  Instead, we should just provide the functionality and then they can set the configuration to be PCI compliant20:17
rderosestevemar dstanek: some PCI compliant things are subjective and how operators implement PCI could vary between organizations20:18
*** markvoelker has quit IRC20:20
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add OidcAccessToken class to authenticate reusing an access token  https://review.openstack.org/31875020:20
*** ayoung has quit IRC20:24
openstackgerritSteve Martinelli proposed openstack/keystoneauth: oidc: add OidcAccessToken class to authenticate reusing an access token  https://review.openstack.org/31875020:24
stevemarany takers on https://review.openstack.org/#/c/318750/3 ^ it's pretty slick20:25
patchbotstevemar: patch 318750 - keystoneauth - oidc: add OidcAccessToken class to authenticate re...20:25
*** xenthree3 has joined #openstack-keystone20:29
*** xenthree3 has left #openstack-keystone20:29
*** ddieterly is now known as ddieterly[away]20:30
*** daemontool has joined #openstack-keystone20:32
dstanekrderose: i agree about specific values, but there is a lot more to the docs than that20:34
*** doug-fish has joined #openstack-keystone20:38
*** ninag has joined #openstack-keystone20:39
*** dmk0202 has joined #openstack-keystone20:39
*** tqtran has quit IRC20:40
*** julim has quit IRC20:42
*** julim has joined #openstack-keystone20:42
*** doug-fish has quit IRC20:43
rderosedstanek: yeah, this is just a small subset20:43
*** doug-fish has joined #openstack-keystone20:43
rderosedstanek: eventually PCI out-of-the-box though :)20:44
dstanekrderose: subset?20:44
rderosedstanek: we'll keep adding to it20:44
rderosedstanek: this is only a handful of standards for PCI20:44
rderosedstanek: as you said, a lot more to the docs20:44
openstackgerritMerged openstack/oslo.policy: Add policy registration and authorize method  https://review.openstack.org/31314120:47
dstanekrderose: for the docs we need to define anything specific to Keystone for PCI - so what is a disabled user and how do they get re-enabled (and things like that)20:47
dstanekstevemar: osc code seems weird20:47
*** tonytan4ever has quit IRC20:51
*** zqfan has quit IRC20:53
*** BigWillie has quit IRC20:58
*** tqtran has joined #openstack-keystone21:00
*** ddieterly[away] is now known as ddieterly21:00
*** raildo is now known as raildo-afk21:10
notmorganstevemar: ok so i think i'll pull in victor's assertTimeStampEquals21:11
notmorganand co-author him on the patch21:11
notmorganthat sound good?21:11
*** ninag has quit IRC21:14
*** ngupta_ has quit IRC21:15
*** rderose has quit IRC21:19
*** julim has quit IRC21:20
*** dmk0202 has quit IRC21:22
*** pauloewerton has quit IRC21:26
*** pushkaru has quit IRC21:27
*** jbell8 has quit IRC21:29
*** edtubill has quit IRC21:33
*** chrisshattuck has joined #openstack-keystone21:35
*** rderose has joined #openstack-keystone21:37
*** doug-fish has quit IRC21:38
*** sdake has quit IRC21:39
*** jbell8 has joined #openstack-keystone21:42
*** jbell8 has quit IRC21:44
*** doug-fish has joined #openstack-keystone21:44
*** jbell8 has joined #openstack-keystone21:47
*** doug-fish has quit IRC21:49
dstaneknotmorgan: sounds greeeaaat.21:49
*** doug-fish has joined #openstack-keystone21:50
*** doug-fish has quit IRC21:54
openstackgerritguang-yee proposed openstack/keystone: make sure default_project_id is not domain on user creation and update  https://review.openstack.org/31779221:56
*** daemontool has quit IRC21:57
*** darosale has quit IRC22:04
*** edmondsw has quit IRC22:06
*** ddieterly is now known as ddieterly[away]22:07
*** ayoung has joined #openstack-keystone22:08
*** ChanServ sets mode: +v ayoung22:08
*** jbell8 has quit IRC22:09
*** rderose has quit IRC22:13
*** shaleh has joined #openstack-keystone22:13
notmorgandstanek: lol22:15
*** rderose has joined #openstack-keystone22:18
*** sigmavirus24 is now known as sigmavirus24_awa22:20
*** rcernin has quit IRC22:23
*** markvoelker has joined #openstack-keystone22:27
*** markvoelker has quit IRC22:29
*** ddieterly[away] is now known as ddieterly22:29
*** markvoelker has joined #openstack-keystone22:29
*** sdake has joined #openstack-keystone22:30
*** ngupta has joined #openstack-keystone22:32
*** ninag has joined #openstack-keystone22:38
*** ninag has quit IRC22:41
*** doug-fish has joined #openstack-keystone22:44
*** doug-fish has quit IRC22:44
*** sdake has quit IRC22:45
*** ddieterly has quit IRC22:51
*** diazjf1 has quit IRC22:54
*** josecastroleon has quit IRC22:54
*** chrisshattuck has quit IRC22:55
*** markvoelker has quit IRC22:58
*** timcline has quit IRC22:59
openstackgerritRon De Rose proposed openstack/keystone: Config changes to support PCI-DSS  https://review.openstack.org/31467923:01
openstackgerritRon De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/31467923:02
*** yolanda has quit IRC23:03
*** ametts has quit IRC23:04
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:04
*** sdake has joined #openstack-keystone23:04
*** ngupta has quit IRC23:05
*** yolanda has joined #openstack-keystone23:05
*** dan_nguyen has joined #openstack-keystone23:06
*** ngupta has joined #openstack-keystone23:08
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 tests for test_v3_auth  https://review.openstack.org/31838123:11
notmorganstevemar: ^23:11
notmorgandstanek: ^23:11
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:14
*** sdake has quit IRC23:14
*** sdake has joined #openstack-keystone23:15
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:15
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700723:16
openstackgerritRon De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/31467923:20
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:20
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700723:20
*** sdake has quit IRC23:21
*** ayoung has quit IRC23:22
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:25
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700723:26
*** gordc has quit IRC23:26
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements  https://review.openstack.org/31700723:27
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:29
notmorgandstanek, gyee, stevemar: https://review.openstack.org/#/c/318381/3 this just passed the py27/34 tests and the previous version passed everything else. should be good to land today23:31
patchbotnotmorgan: patch 318381 - keystone - Enable py3 tests for test_v3_auth23:31
notmorgan(or looks like it's passing 34)23:31
gyeenotmorgan, nice! I was looking at the timestamp failure23:32
gyeethere was a second difference, not subsecond23:32
*** jbell8 has joined #openstack-keystone23:32
notmorgangyee: every test i saw was subsecond difference23:32
*** jbell8 has quit IRC23:33
notmorgangyee: ran it a few hundred times here.23:33
gyeethat's good23:33
notmorgangyee: sigh and it failed again23:33
notmorganour tests suck23:33
gyeebtw, is python-openstackclient master broken?23:34
notmorgangyee: another  '2016-05-20T00:28:48.523130Z' != '2016-05-20T00:28:48.523129Z'" subsecond failure23:34
gyeeI keep getting "TypeError: Message objects do not support addition."23:34
notmorgansigh.. missed one23:34
openstackgerritMorgan Fainberg proposed openstack/keystone: Enable py3 tests for test_v3_auth  https://review.openstack.org/31838123:36
notmorgangyee: dunno23:36
bkeronotmorgan: \o/23:36
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:36
*** BjoernT has quit IRC23:37
openstackgerritJamie Lennox proposed openstack/keystone: Pass a request to controllers instead of a context  https://review.openstack.org/31865823:37
gyeestevemar, dtroyer, https://bugs.launchpad.net/python-openstackclient/+bug/157578723:40
openstackLaunchpad bug 1575787 in python-openstackclient "i18n Error for message objects concatenation" [Undecided,In progress] - Assigned to Madhu Mohan Nelemane (mmohan-9)23:40
gyeeI also got the same problem23:40
*** zqfan has joined #openstack-keystone23:41
*** chrisshattuck has joined #openstack-keystone23:49
*** ayoung has joined #openstack-keystone23:49
*** ChanServ sets mode: +v ayoung23:49
*** jamielennox is now known as jamielennox|away23:49
*** sdake has joined #openstack-keystone23:52
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428423:54
*** iurygregory_ has joined #openstack-keystone23:58
