Tuesday, 2016-06-28

<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Extract oslo_messaging specific audit tests  https://review.openstack.org/334296  [00:09]
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Refactor API tests to not run middleware  https://review.openstack.org/334294  [00:09]
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Use a test notifier to record notifications  https://review.openstack.org/334295  [00:09]
*** sdake has quit IRC  [00:15]
*** spzala has joined #openstack-keystone  [00:20]
*** julim has joined #openstack-keystone  [00:26]
*** gyee has quit IRC  [00:29]
*** dan_nguyen has joined #openstack-keystone  [00:39]
*** richm has quit IRC  [00:40]
*** julim has quit IRC  [00:52]
*** dan_nguyen has quit IRC  [00:59]
*** ddieterly has joined #openstack-keystone  [01:01]
*** tqtran has quit IRC  [01:01]
*** rcernin has quit IRC  [01:11]
*** fawadkhaliq has joined #openstack-keystone  [01:20]
*** fawadkhaliq has quit IRC  [01:24]
*** EinstCrazy has joined #openstack-keystone  [01:30]
*** ddieterly is now known as ddieterly[away]  [01:33]
*** ddieterly[away] is now known as ddieterly  [01:34]
*** davechen has joined #openstack-keystone  [01:37]
*** rderose has quit IRC  [01:38]
*** tqtran has joined #openstack-keystone  [01:59]
*** EinstCra_ has joined #openstack-keystone  [02:00]
*** spzala has quit IRC  [02:00]
*** spzala has joined #openstack-keystone  [02:00]
<openstackgerrit> Fangzhou Xu proposed openstack/keystone: Make getting token revocation list 9x faster on Mysql  https://review.openstack.org/283902  [02:00]
*** fawadkhaliq has joined #openstack-keystone  [02:01]
*** tqtran has quit IRC  [02:03]
*** EinstCrazy has quit IRC  [02:03]
*** spzala has quit IRC  [02:05]
*** fawadkhaliq has quit IRC  [02:05]
*** mwheckmann has joined #openstack-keystone  [02:06]
*** ddieterly has quit IRC  [02:08]
*** fawadkhaliq has joined #openstack-keystone  [02:22]
*** fawadkhaliq has quit IRC  [02:26]
*** GB21 has quit IRC  [02:26]
*** mtreinish has quit IRC  [02:36]
*** mtreinish has joined #openstack-keystone  [02:36]
*** chlong has quit IRC  [02:37]
*** woodburn has quit IRC  [02:37]
*** spzala has joined #openstack-keystone  [02:37]
*** woodburn has joined #openstack-keystone  [02:38]
*** iurygregory_ has quit IRC  [02:39]
*** sdake has joined #openstack-keystone  [02:40]
*** fawadkhaliq has joined #openstack-keystone  [02:43]
*** fawadkhaliq has quit IRC  [02:46]
*** chlong has joined #openstack-keystone  [02:50]
*** iurygregory_ has joined #openstack-keystone  [02:52]
*** sdake has quit IRC  [02:56]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Additional logging when authenticating  https://review.openstack.org/333490  [03:03]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Do not spam the log with uncritical stacktraces  https://review.openstack.org/334742  [03:03]
*** sheel has joined #openstack-keystone  [03:07]
*** sdake has joined #openstack-keystone  [03:08]
*** jorge_munoz has quit IRC  [03:10]
*** jorge_munoz has joined #openstack-keystone  [03:14]
*** iurygregory_ has quit IRC  [03:21]
*** sdake has quit IRC  [03:27]
*** woodster_ has quit IRC  [03:29]
*** davechen has quit IRC  [03:30]
*** links has joined #openstack-keystone  [03:50]
*** TxGVNN has joined #openstack-keystone  [03:54]
*** spzala has quit IRC  [03:57]
*** tqtran has joined #openstack-keystone  [04:01]
*** TxGVNN has quit IRC  [04:02]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [assignment] documentation  https://review.openstack.org/334667  [04:05]
*** tqtran has quit IRC  [04:06]
<openstackgerrit> Merged openstack/keystone: Improve keystone.conf [auth] documentation  https://review.openstack.org/334668  [04:29]
*** zqfan has joined #openstack-keystone  [04:33]
*** GB21 has joined #openstack-keystone  [04:40]
*** fawadkhaliq has joined #openstack-keystone  [04:46]
*** rcernin has joined #openstack-keystone  [04:47]
*** phalmos has joined #openstack-keystone  [04:49]
*** fawadkhaliq has quit IRC  [04:50]
<tonyb> stevemar: I hope you don't mind me doing the online edit thing  [04:54]
<stevemar> tonyb: not at all, did i muck something up? i was also using the online editor  [04:55]
<stevemar> tonyb: i was also replying to a mailing list post, so ... typo?  [04:55]
<stevemar> tonyb: doh, commit message lol  [04:56]
<tonyb> stevemar: the yaml was fine but the commit message still said 9.0.3  [04:56]
<stevemar> brain fart  [04:56]
<tonyb> stevemar: my instinct is that it'd take longer and waste your time to -1 and respin than to just edit it  [04:56]
<stevemar> tonyb: no worries, i do the same to patches i review  [04:57]
<stevemar> i don't mind one bit, for the exact reason you mention  [04:57]
<tonyb> stevemar: cool.  It's a kinda new workflow so I get nervous  [04:57]
*** spzala has joined #openstack-keystone  [04:57]
*** spzala has quit IRC  [05:05]
<notmorgan> it's been a quiet day eh stevemar  [05:10]
*** nisha_ has joined #openstack-keystone  [05:10]
<stevemar> notmorgan: everyday can be a quiet day if you ignore stuff  [05:11]
<notmorgan> stevemar: ignore stuff? nevar  [05:11]
*** phalmos has quit IRC  [05:12]
<openstackgerrit> Merged openstack/keystone: Do not spam the log with uncritical stacktraces  https://review.openstack.org/334742  [05:12]
<stevemar> notmorgan: feel like looking at a caching patch: https://review.openstack.org/#/c/328820/5 :P  [05:13]
<patchbot> stevemar: patch 328820 - keystone - Added cache for sql id mapping driver  [05:13]
*** M00nr41n has quit IRC  [05:13]
*** ayoung has quit IRC  [05:14]
<notmorgan> stevemar: uhm sure...  [05:15]
<notmorgan> stevemar: let me order some food...  [05:15]
<stevemar> dstanek: you lied! i asked if https://review.openstack.org/#/c/317169/ was related to fernet keys and you said it was related to totp  [05:15]
<patchbot> stevemar: patch 317169 - keystone - Support encryption of credentials in Keystone  [05:15]
<stevemar> dstanek: it's both1  [05:15]
<stevemar> !  [05:15]
<stevemar> notmorgan: sure thing big wig  [05:15]
<notmorgan> stevemar: bofh!  [05:16]
<notmorgan> i mean...  [05:16]
<notmorgan> stevemar: commented on caching patch  [05:32]
*** fawadkhaliq has joined #openstack-keystone  [05:34]
*** GB21 has quit IRC  [05:35]
*** fawadkhaliq has quit IRC  [05:36]
*** fawadk has joined #openstack-keystone  [05:36]
*** rcernin has quit IRC  [05:37]
*** GB21 has joined #openstack-keystone  [05:38]
*** nkinder has joined #openstack-keystone  [05:48]
*** davechen has joined #openstack-keystone  [05:50]
*** nkinder has quit IRC  [05:55]
*** markvoelker has quit IRC  [05:58]
*** mkoderer__ has joined #openstack-keystone  [06:01]
*** spzala has joined #openstack-keystone  [06:02]
*** GB21 has quit IRC  [06:05]
*** spzala has quit IRC  [06:06]
*** M00nr41n has joined #openstack-keystone  [06:07]
*** rcernin has joined #openstack-keystone  [06:09]
*** GB21 has joined #openstack-keystone  [06:16]
*** dan_nguyen has joined #openstack-keystone  [06:19]
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 roles  https://review.openstack.org/334546  [06:35]
*** lujinluo has joined #openstack-keystone  [06:40]
*** dan_nguyen has quit IRC  [06:40]
*** nisha_ has quit IRC  [06:40]
*** TxGVNN has joined #openstack-keystone  [06:42]
*** jamielennox is now known as jamielennox|away  [06:44]
*** pcaruana has joined #openstack-keystone  [06:46]
*** markvoelker has joined #openstack-keystone  [06:58]
*** tesseract- has joined #openstack-keystone  [06:59]
*** spzala has joined #openstack-keystone  [07:02]
*** daemontool has joined #openstack-keystone  [07:04]
*** markvoelker has quit IRC  [07:04]
*** mwheckmann has quit IRC  [07:05]
*** bjornar_ has joined #openstack-keystone  [07:07]
*** spzala has quit IRC  [07:07]
*** amoralej|off is now known as amoralej  [07:15]
*** bjornar_ has quit IRC  [07:19]
*** belmoreira has joined #openstack-keystone  [07:35]
<openstackgerrit> ChangBo Guo(gcb) proposed openstack/keystone: Config: no need to set default=None  https://review.openstack.org/334814  [07:42]
*** pnavarro has joined #openstack-keystone  [07:59]
*** markvoelker has joined #openstack-keystone  [08:00]
*** zzzeek has quit IRC  [08:00]
*** zzzeek has joined #openstack-keystone  [08:01]
*** spzala has joined #openstack-keystone  [08:03]
*** wangqun has joined #openstack-keystone  [08:04]
*** markvoelker has quit IRC  [08:04]
*** dmk0202 has joined #openstack-keystone  [08:06]
*** spzala has quit IRC  [08:08]
<openstackgerrit> henry-nash proposed openstack/keystone: Pass request back into wsgi render_reponse  https://review.openstack.org/330720  [08:08]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435  [08:10]
<openstackgerrit> henry-nash proposed openstack/keystone: WIP - Add framework for supporting microversions  https://review.openstack.org/330674  [08:16]
*** mvk_ has quit IRC  [08:19]
*** raddaoui has quit IRC  [08:27]
*** daemontool has quit IRC  [08:40]
*** pnavarro has quit IRC  [08:49]
*** pnavarro has joined #openstack-keystone  [08:49]
*** mvk_ has joined #openstack-keystone  [08:51]
*** lujinluo has quit IRC  [08:57]
*** markvoelker has joined #openstack-keystone  [09:00]
*** davechen has left #openstack-keystone  [09:03]
*** jistr is now known as jistr|mtg  [09:04]
*** spzala has joined #openstack-keystone  [09:04]
*** markvoelker has quit IRC  [09:05]
*** spzala has quit IRC  [09:09]
*** GB21 has quit IRC  [09:31]
*** jistr|mtg is now known as jistr  [09:31]
*** david-lyle has quit IRC  [09:44]
*** david-lyle has joined #openstack-keystone  [09:46]
*** mvk_ has quit IRC  [09:48]
<openstackgerrit> Andreas Jaeger proposed openstack/python-keystoneclient: List system dependencies for running common tests  https://review.openstack.org/334886  [09:50]
*** GB21 has joined #openstack-keystone  [09:51]
*** henrynash has quit IRC  [09:53]
*** TxGVNN has quit IRC  [09:59]
*** markvoelker has joined #openstack-keystone  [10:01]
*** mvk_ has joined #openstack-keystone  [10:01]
*** spzala has joined #openstack-keystone  [10:05]
*** nisha_ has joined #openstack-keystone  [10:05]
*** markvoelker has quit IRC  [10:06]
*** spzala has quit IRC  [10:10]
<openstackgerrit> Merged openstack/python-keystoneclient: Follow up patch for Improve docs for v3 projects  https://review.openstack.org/334071  [10:13]
*** wangqun has quit IRC  [10:14]
*** bjornar_ has joined #openstack-keystone  [10:19]
*** itsuugo has joined #openstack-keystone  [10:20]
*** fawadk has quit IRC  [10:47]
*** daemontool has joined #openstack-keystone  [10:48]
*** spzala has joined #openstack-keystone  [10:53]
*** EinstCra_ has quit IRC  [10:57]
*** samueldmq has joined #openstack-keystone  [11:01]
*** ChanServ sets mode: +v samueldmq  [11:01]
<samueldmq> morning keystone  [11:02]
*** markvoelker has joined #openstack-keystone  [11:02]
*** markvoelker has quit IRC  [11:07]
<nisha_> samueldmq, good morning  [11:08]
*** nisha__ has joined #openstack-keystone  [11:11]
*** nisha_ has quit IRC  [11:14]
<samueldmq> nisha__: morning  [11:16]
*** amakarov_away is now known as amakarov  [11:18]
*** ddieterly has joined #openstack-keystone  [11:19]
*** nisha__ is now known as nisha_  [11:21]
<amakarov> samueldmq, g'day! please look at line 1067 in https://review.openstack.org/#/c/285521/25/keystone/tests/unit/test_sql_upgrade.py  [11:23]
<patchbot> amakarov: patch 285521 - keystone - Closure table for HMT  [11:23]
<amakarov> samueldmq, that's what my patch https://review.openstack.org/#/c/334568/ for  [11:23]
<patchbot> amakarov: patch 334568 - keystone - Allow test migration by module name  [11:23]
*** wanghua has quit IRC  [11:25]
*** fawadkhaliq has joined #openstack-keystone  [11:25]
*** gordc has joined #openstack-keystone  [11:30]
*** rodrigods has quit IRC  [11:32]
*** rodrigods has joined #openstack-keystone  [11:32]
<samueldmq> amakarov: kk will look  [11:35]
*** GB21 has quit IRC  [11:37]
*** GB21 has joined #openstack-keystone  [11:43]
*** gordc has quit IRC  [11:45]
*** raildo-afk is now known as raildo  [11:53]
*** sdake has joined #openstack-keystone  [11:58]
*** sdake_ has joined #openstack-keystone  [12:00]
*** sdake has quit IRC  [12:03]
*** fawadkhaliq has quit IRC  [12:04]
*** real56 has joined #openstack-keystone  [12:05]
*** raddaoui has joined #openstack-keystone  [12:08]
*** spzala has quit IRC  [12:08]
*** spzala has joined #openstack-keystone  [12:08]
*** amoralej is now known as amoralej|lunch  [12:09]
*** nisha_ has quit IRC  [12:11]
*** gordc has joined #openstack-keystone  [12:12]
*** spzala has quit IRC  [12:12]
*** GB21 has quit IRC  [12:14]
*** GB21 has joined #openstack-keystone  [12:18]
*** jamielennox|away is now known as jamielennox  [12:21]
<jamielennox> amakarov: are you going to the midcycle?  [12:21]
<amakarov> jamielennox, hi! no, I'm not going this time  [12:22]
*** ddieterly has quit IRC  [12:22]
<jamielennox> amakarov: ah, damn, i wanted to figure out where we differ on the reservations and the policy stuff  [12:22]
<amakarov> jamielennox, I think it can co-exist  [12:24]
*** markvoelker has joined #openstack-keystone  [12:24]
<jamielennox> amakarov: i think they can too - i was just thinking that reservations would largely solve the policy problem you're trying to solve as well  [12:25]
<amakarov> jamielennox, even more: policy on keystone side can work in parallel with existing model  [12:25]
<jamielennox> and i want to see if i was missing anything to rolling this all into one solution  [12:25]
<jamielennox> amakarov: i'll find some time to talk to you about it later, just wanted to see if it could be the midcycle  [12:27]
*** GB21 has quit IRC  [12:27]
<jamielennox> but i'm going to bed - meeting early tomorrow  [12:27]
*** fawadkhaliq has joined #openstack-keystone  [12:28]
*** daemontool has quit IRC  [12:28]
<amakarov> jamielennox, we can arrange hangout meeting or something like this  [12:28]
<jamielennox> ++  [12:28]
*** danpawlik has joined #openstack-keystone  [12:30]
<aloga> samueldmq: regarding your comment about the oidc scope in https://review.openstack.org/#/c/330463/  [12:30]
<patchbot> aloga: patch 330463 - keystoneauth - oidc: move scope into _OidcBase  [12:30]
<aloga> samueldmq: I already commented there, but if you want some clarification I'm here  [12:31]
<stevemar> o/  [12:31]
<aloga> samueldmq: the oidc scope is not related with the grant type, but with the claims that the auth server is returning  [12:31]
*** fawadkhaliq has quit IRC  [12:32]
<aloga> samueldmq: so this should work regardless of the grant_type  [12:32]
<aloga> samueldmq: *however* the specification states that an authN request sent to a server must contain (it is a required parameter) a scope  [12:33]
<aloga> samueldmq: and that scope MUST contain the "openid" scope value  [12:33]
<raildo> jamielennox: hey :) about our v2-v3 stuffs, I was thinking in send an email to the operators list, to ask if Ocata is a good deadline.  [12:33]
<aloga> samueldmq: so the code is wrong atm, since we're doing "scope='profile'" and it should be "scope='openid profile'" or "scope='profile'"  [12:34]
*** daemontool has joined #openstack-keystone  [12:36]
*** links has quit IRC  [12:40]
*** aloga has quit IRC  [12:40]
*** aloga has joined #openstack-keystone  [12:40]
<aloga> wow, a nice weechat crash  [12:40]
*** ddieterly has joined #openstack-keystone  [12:44]
*** pnavarro has quit IRC  [12:46]
*** amoralej|lunch is now known as amoralej  [12:47]
*** ddieterly has quit IRC  [12:49]
<openstackgerrit> Merged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/333448  [12:50]
*** spzala has joined #openstack-keystone  [12:51]
*** edmondsw has joined #openstack-keystone  [12:52]
*** links has joined #openstack-keystone  [12:53]
<shewless> Hi dstanek. Just thought I'd give you an update on my experience using ADFS as my IdP  [12:55]
*** shewless has quit IRC  [12:55]
*** shewless has joined #openstack-keystone  [12:55]
<shewless> Hi dstanek. Just thought I'd give you an update on my experience using ADFS as my IdP  [12:55]
<shewless> dstanek: Really the only difference I found is that microsoft forces "https" for the metadata and the consumer assertions. It'll support the port 5000 thing (for keystone) but you still have to enable SSL in apache for the virtual host 5000 and change local_settings.py to point to https:// v3 auth..  [12:56]
*** daemontool has quit IRC  [12:57]
<shewless> dstanek: just FYI  [12:57]
<shewless> dstanek: Otherwise shibboleth told me which attributes were being served up with ADFS and I just mapped them and it works  [12:57]
*** TxGVNN has joined #openstack-keystone  [13:00]
*** pauloewerton has joined #openstack-keystone  [13:03]
*** M00nr41n has quit IRC  [13:05]
*** jsavak has joined #openstack-keystone  [13:06]
<breton_> knikolla: i am thinking about https://review.openstack.org/#/c/320623/11/devstack/README.rst  [13:10]
<patchbot> breton_: patch 320623 - keystone - Devstack plugin for Federation  [13:10]
<openstackgerrit> Andreas Jaeger proposed openstack/python-keystoneclient: List system dependencies for running common tests  https://review.openstack.org/334886  [13:10]
<breton_> knikolla: so the main reason why we are doing this thing is to test federation in the gates  [13:10]
<dstanek> shewless: nice. that's good news. glad you were able to fight through it  [13:11]
<breton_> knikolla: the line i'm thinking about is "After the setup is done, register the federated Keystone service providers"  [13:11]
<breton_> knikolla: how should it be done in the gates?  [13:12]
*** daemontool has joined #openstack-keystone  [13:13]
*** nisha_ has joined #openstack-keystone  [13:13]
<breton_> knikolla: lets register sp in the plugin, reading SP_URL from the environment variables  [13:15]
*** sdake_ has quit IRC  [13:23]
*** EinstCrazy has joined #openstack-keystone  [13:23]
*** sdake has joined #openstack-keystone  [13:24]
*** jamielennox has quit IRC  [13:25]
*** daemontool has quit IRC  [13:25]
*** richm has joined #openstack-keystone  [13:26]
*** ddieterly has joined #openstack-keystone  [13:30]
*** henrynash has joined #openstack-keystone  [13:31]
*** ChanServ sets mode: +v henrynash  [13:31]
<samueldmq> aloga: hi  [13:34]
<samueldmq> aloga: "we're doing "scope='profile'" and it should be "scope='openid profile'""  [13:35]
<samueldmq> aloga: so is it wrong setting scope=profile as the default for all those 3 classes?  [13:35]
<samueldmq> stevemar: o/  [13:36]
*** pnavarro has joined #openstack-keystone  [13:39]
*** daemontool has joined #openstack-keystone  [13:41]
*** timcline has joined #openstack-keystone  [13:41]
*** ddieterly is now known as ddieterly[away]  [13:41]
*** henrynash has quit IRC  [13:42]
*** timcline has quit IRC  [13:42]
*** fifieldt has joined #openstack-keystone  [13:43]
*** timcline has joined #openstack-keystone  [13:43]
*** henrynash has joined #openstack-keystone  [13:44]
*** ChanServ sets mode: +v henrynash  [13:44]
<openstackgerrit> Merged openstack/keystone: Config: no need to set default=None  https://review.openstack.org/334814  [13:45]
*** ddieterly[away] is now known as ddieterly  [13:48]
*** ayoung has joined #openstack-keystone  [13:52]
*** ChanServ sets mode: +v ayoung  [13:52]
*** rderose has joined #openstack-keystone  [13:53]
<knikolla> breton_: hi  [13:53]
*** mwheckmann has joined #openstack-keystone  [13:55]
<knikolla> breton_: that step can be easily included in devstack.sh as part of the automation, it can as easily be included in the shell script which runs stack.sh after it runs stack.sh  [13:56]
<rderose> breton_: regarding concrete role assignments, what do you mean all tests passed after you removed that particular line.  All that line should do is remove the duplicates.  [13:56]
<knikolla> breton_: i just left it outside because it's the only step in the Identity Provider setup that requires knowledge about the service providers. So it kind of made the install more flexible.  [13:56]
*** ametts has joined #openstack-keystone  [13:57]
<knikolla> breton_: have you got the plugin working with generic federation?  [13:57]
<rderose> breton_: what test didn't pass?  [13:57]
<breton_> knikolla: almost, i will push it today or tomorrow  [13:59]
<knikolla> breton_: i'm fine with having the registration step as part of the plugin.  [14:00]
<knikolla> breton_: cool.  [14:00]
<breton_> rderose: 5 mins  [14:01]
<rderose> breton_: cool  [14:01]
*** rderose_ has joined #openstack-keystone  [14:04]
*** woodster_ has joined #openstack-keystone  [14:05]
<rodrigods> knikolla, breton_, can you check the setup here https://review.openstack.org/#/c/324769/8/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py  [14:06]
<patchbot> rodrigods: patch 324769 - keystone - WIP: Federated authentication via ECP functional t...  [14:06]
<rodrigods> knikolla, breton_, so the plugin provides the necessary configs  [14:06]
<rodrigods> I tried to reduce the number of configs needed as much as possible  [14:06]
*** rderose has quit IRC  [14:07]
<breton_> rodrigods: lets stop using word "plugin" and use either "devstack plugin" or "tempest plugin"  [14:07]
<rodrigods> breton_, sure, "devstack plugin"  [14:08]
<rodrigods> provides the needed configs for the "tempest plugin"  [14:08]
*** KevinE has joined #openstack-keystone  [14:09]
<knikolla> rodrigods: looking  [14:09]
<knikolla> rodrigods: btw, did you also include the k2k tests to your review?  [14:09]
<rodrigods> knikolla, not yet, the k2k tests should be in a follow up patch anyway  [14:10]
<breton_> knikolla: that's the issue: i removed that line and tests still pass  [14:10]
<breton_> knikolla: wrong hl, sorru  [14:10]
<breton_> rderose_: that's the issue: i removed that line and tests still pass  [14:10]
<breton_> *sorry, dammit  [14:11]
<breton_> fat fingers today  [14:11]
<knikolla> breton_: no worries  [14:11]
<rderose_> breton_: oh, I see  [14:11]
<rderose_> breton_: that's just because the tests are introducing any duplicates  [14:12]
<rodrigods> breton_, rderose_, removing the line and having the tests passing is not an issue  [14:12]
<rderose_> * are not  [14:12]
<lbragstad> dstanek https://review.openstack.org/#/c/334061/4  [14:12]
<patchbot> lbragstad: patch 334061 - keystone - Group test_backend_ldap skips for readability  [14:12]
<lbragstad> dstanek I left a comment there  [14:12]
<breton_> rodrigods: yes it is. It indicates lack of test.  [14:12]
<lbragstad> dstanek and removed my -1  [14:12]
<rodrigods> rderose_, maybe add a test to check that are no duplicates  [14:12]
<rodrigods> breton_, is not a "functional" issue  [14:13]
*** KevinE has quit IRC  [14:13]
*** BjoernT has joined #openstack-keystone  [14:13]
<rodrigods> breton_, or wait...  [14:13]
<rodrigods> it is  [14:13]
<rodrigods> since it is the return of an API  [14:13]
<dstanek> lbragstad: nice. working through those other tests now  [14:14]
<lbragstad> dstanek if the goal is to approach consolidating/refactoring those tests in pieces because there are so many of them, i'm fine with that  [14:14]
<lbragstad> i just wanted to make sure we weren't forgetting about those tests  [14:14]
<dstanek> some of them override tests defined in the test_backend_ldap module and not from the general test modules  [14:14]
<samueldmq> dstanek: I couldn't understand why test_list_projects_filtered_and_limited could be removed from the skip list, and still pass  [14:14]
<lbragstad> ah  [14:14]
<samueldmq> dstanek: since we don't even support resource LDAP anymore :(  [14:14]
<knikolla> rodrigods: looked at the tempest test, the info is available as env variables  [14:14]
<rderose_> rodrigods breton_: you want a test for that one line to show that duplicates were removed?  [14:14]
<dstanek> samueldmq: :-) magic  [14:14]
<dstanek> some of those test use SQL backends for certain things  [14:15]
<knikolla> rodrigods: one question, you're registering the idp in the test?  [14:15]
<lbragstad> dstanek that's fun  [14:15]
<samueldmq> dstanek: I guess it's running against SQL, which make me think the setup is wrong ?  [14:15]
<dstanek> this all started as a way for me to understand the LDAP code better  [14:15]
<samueldmq> dstanek: or the tests are in the wrong place, and shouldn't be inherited by LDAP setup  [14:15]
<dstanek> samueldmq: no, we setup SQL on purpose there for some of the tests  [14:16]
<samueldmq> dstanek: agreed, but we don't need to test test_list_projects_filtered_and_limited there again I guess  [14:16]
<rodrigods> rderose_, yeah, should have a test with duplicates in groups/users assignments and check the return don't have duplicates  [14:16]
<rderose_> rodrigods: okay, on it  [14:16]
<rodrigods> knikolla, via env vars? it needs to write to tempest conf somehow  [14:16]
<samueldmq> dstanek: I mean, I suspect the same test is running against SQL several times (with slightly different setups, but all using SQL)  [14:16]
<stevemar> back in an hour or two  [14:17]
<dstanek> samueldmq: maybe. the issue right now is that we subclass all the tests and run them against different setups. i want to fix this over time, incrementally  [14:17]
<rodrigods> knikolla, i have a review that does that, just a sec  [14:17]
<breton_> rderose_: yep  [14:17]
<ayoung> Why do we not have a simple CLI for actually seeing the auth data in the token?  [14:17]
<dstanek> we are running the same tests over and over again in there  [14:17]
<ayoung> Its like this #1 thing needed for debugging auth problems  [14:17]
<samueldmq> dstanek: ++  [14:17]
<breton_> ayoung: because nobody wrote it  [14:17]
<knikolla> rodrigods: the tempest.conf can be templated from the env vars, a simple script with sed should work  [14:17]
<samueldmq> dstanek: while we just need to run specific subsets when the setup change  [14:18]
<ayoung> breton_, used to be in the debug output.  Someone hid it.  [14:18]
<rodrigods> knikolla, sure, i mean, devstack already have something that does that  [14:18]
<dstanek> samueldmq: something like that  [14:18]
<knikolla> rodrigods: i asked because the devstack plugin registers the identity provider after setting up shibboleth.  [14:18]
<lbragstad> dstanek how come subclassing the tests and running them with different tests is an issue?  [14:18]
<rodrigods> knikolla, https://review.openstack.org/#/c/293497/6/lib/tempest  [14:18]
<patchbot> rodrigods: patch 293497 - openstack-dev/devstack - Tempest: add a Keystone reseller feature flag  [14:18]
<lbragstad> running them with different setups*  [14:18]
<rodrigods> knikolla, think it should be created/removed by the test  [14:18]
<samueldmq> dstanek: ok, given we will keep improving that .. I am fine with running that test (again) for that setup :)  [14:18]
*** nisha_ has quit IRC  [14:19]
<openstackgerrit> Boris Bobrov proposed openstack/keystone: Line removed, tests pass  https://review.openstack.org/335061  [14:19]
<samueldmq> lbragstad: you fine with that patch right ?  [14:19]
<dstanek> lbragstad: the issue is that the same tests run multiple times when the setup is not meaningful to them  [14:19]
<samueldmq> exactly  [14:19]
<lbragstad> dstanek but we do that kind of stuff with all the token providers  [14:20]
<rodrigods> knikolla, we might want more elaborated scenarios, so depending on the setup made by the "devstack plugin" can be tricky  [14:20]
<knikolla> rodrigods: so the devstack plugin should handle only shibboleth and dependencies? i can make that configurable  [14:20]
<dstanek> lbragstad: if we are then it's likely useless, but i'd have to look deeper to see the value  [14:20]
<knikolla> rodrigods: if SKIP_REGISTRATION (or something), don't register, just do shibboleth  [14:20]
<rodrigods> knikolla, i think so, as minimum as possible so the rest is done by the test setup  [14:20]
<dstanek> lbragstad: a lot of this is case-by-case  [14:20]
<lbragstad> dstanek for example, we have a class with all of our token api behavior then we inherit that test class and run it against uuid, pki, pkiz, fernet...  [14:21]
<knikolla> rodrigods: i'm ok with that. will work on it.  [14:21]
<samueldmq> dstanek: agreed, I think for token providers it makes more sense  [14:21]
<dstanek> lbragstad: that is fine  [14:21]
<samueldmq> lbragstad: that's right  [14:21]
*** gagehugo has joined #openstack-keystone  [14:21]
<lbragstad> dstanek it sounded like you were against that pattern?  [14:21]
<rodrigods> knikolla, cool, some more elaborated scenarios can be: create/delete idp and try to use the token of it - so depending on the environment is not ideal  [14:21]
<dstanek> lbragstad: in this case we have a class that has all identity, assignment and resource tests cases together and runs them over and over  [14:21]
<knikolla> rodrigods: right, yeah. that makes complete sense.  [14:22]
<dstanek> lbragstad: if the setup doesn't change how we expect the tests to work then it may not be worth keeping them  [14:22]
<lbragstad> dstanek ah - so the setup is the same?  [14:22]
<samueldmq> lbragstad: issue there is that, let's say we have a test that runs against project SQL, then we run it with keystone using only sql, identity LDAP and resource backend SQL, and so on  [14:23]
*** ravelar159 has joined #openstack-keystone  [14:23]
<dstanek> lbragstad: yes. we setup identity in different ways, so we don't always have to run the resource tests, for instance  [14:23]
<samueldmq> but that's all the same for that test's purpose: resource sql  [14:23]
<bknudson_> we are running a lot of backend tests 6 times which is useless.  [14:23]
<lbragstad> got it  [14:24]
<lbragstad> ok - i'm good with that then  [14:24]
<bknudson_> I started working on it a little with https://review.openstack.org/#/c/283822/  [14:24]
<patchbot> bknudson_: patch 283822 - keystone - Move resource manager tests out of test_backend  [14:24]
<bknudson_> but haven't had time to finish it up  [14:24]
<dstanek> lbragstad: samueldmq: i have one more stash related to that module that i want to get out of my stash list  [14:25]
<samueldmq> bknudson_: nice, I remember to have split test_v3_identity, which was huge  [14:25]
<dstanek> bknudson_: i've been doing some similar work. was able to cut the runtime of test_backend_ldap in half  [14:25]
<samueldmq> bknudson_: but there is also a need to split test_backend  [14:25]
<lbragstad> samueldmq stevemar so I will go ahead and get dstanek's first patch geting  [14:25]
<lbragstad> gating*  [14:25]
<bknudson_> the test time has gotten too long.  [14:26]
<lbragstad> samueldmq dstanek this one https://review.openstack.org/#/c/334061/4  [14:26]
<patchbot> lbragstad: patch 334061 - keystone - Group test_backend_ldap skips for readability  [14:26]
<bknudson_> but then I'm running the opportunistic sql tests.  [14:26]
<samueldmq> lbragstad: sure, just +2ed  [14:26]
*** M00nr41n has joined #openstack-keystone  [14:27]
<openstackgerrit> Andreas Jaeger proposed openstack/python-keystoneclient: List system dependencies for running common tests  https://review.openstack.org/334886  [14:29]
*** tonytan4ever has joined #openstack-keystone14:30
dstanekbknudson_: my goal was to get my local full test runtimes down about 50%. i was able to get it down 40% so far. just have to submit the rest of the stashed changes14:32
*** darosale has joined #openstack-keystone14:32
*** nisha_ has joined #openstack-keystone14:33
*** ravelar159 has quit IRC14:35
*** jamielennox has joined #openstack-keystone14:36
*** ChanServ sets mode: +v jamielennox14:36
*** aloga_ has joined #openstack-keystone14:36
*** aloga_ has quit IRC14:36
bknudson_dstanek: how did you get the runtime down?14:36
ayoungI really want to gut the LDAP code14:37
*** ravelar159 has joined #openstack-keystone14:37
bknudson_we should push to having the web server handle the LDAP.14:38
bknudson_this is what people are using already so it has to work.14:38
*** links has quit IRC14:38
*** diazjf has joined #openstack-keystone14:38
*** aloga_ has joined #openstack-keystone14:39
ayoungbknudson_, looked in to it14:40
*** nkinder has joined #openstack-keystone14:40
ayoungthe mod_auth_ldap code is too static14:40
ayoungit is just "yes or no" for a given URL14:40
*** diazjf1 has joined #openstack-keystone14:40
ayoungneed mod_lookup_identity for the way we need14:40
bknudson_right, for the v3/auth/tokens URL14:40
ayoungbut that is SSSD based14:40
*** EinstCrazy has quit IRC14:40
ayoungbknudson_, it does not pass through the groups14:41
ayoungmod_auth_ldap does not pass through the groups14:41
ayoungits why we ended up writing mod_lookup_id14:41
bknudson_oh... that would cause problems for us.14:41
bknudson_so apache auth handlers can pass groups, but the ldap one doesn't?14:41
ayoungbknudson_, mod_lookup_identity and mod_authn_saml  pass groups.  X509 Client cert passes generic attributes, which can work as groups.  mod_auth_sql and mod_authLdap do the group mathcing in the apache layer, but do not pass them on14:42
bknudson_weird14:43
ayoungbknudson_, https://www.freeipa.org/page/Environment_Variables is a pretty good overview of what provides what14:43
*** ravelar159 has quit IRC14:43
*** diazjf has quit IRC14:43
ayounghttps://www.freeipa.org/page/Environment_Variables#LDAP_authentication is the LDAP constraints14:43
ayoungHmmmm14:44
ayoung"Attributes can be specified in the AuthLDAPURL value such that those values are set as environment variables of the form "AUTHENTICATE_", so any arbitrary list of values may be provided. "14:44
ayoungbknudson_, that sounds promising14:44
*** ravelar159 has joined #openstack-keystone14:44
ayoungwe could do a mapping like we do for X509 tokenless.14:45
ayounginstead of REMOTE_GROUPS we would get AUTHENTICATE_GROUPS  but it should work14:45
*** KevinE has joined #openstack-keystone14:46
*** timcline has quit IRC14:46
*** timcline has joined #openstack-keystone14:47
*** slberger has joined #openstack-keystone14:48
bknudson_"Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to useĀ uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using. All attributes listed will be put into the environment with an AUTHENTICATE_ prefix for use by other modules."14:48
bknudson_So I guess you could specify multiple attributes and only the first would be used but they'd all go into AUTHENTICATE_ vars14:48
*** EinstCrazy has joined #openstack-keystone14:48
lbragstadravelar159 o/14:48
*** krotscheck_dcm is now known as krotscheck14:48
bknudson_Not sure that you could put "groups" in there14:49
bknudson_maybe another attribute that can be mapped to groups like dept or something.14:49
ayounggroups use show up in an attributes "assigned_groups"14:50
ayoungbknudson_, I'm not certain mod_authz_ldap is maintained anymore, either14:51
ayoungdocs I found are Centos 514:51
*** timcline has quit IRC14:51
ayoungah,  not it merged main14:51
ayounghttps://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html14:51
bknudson_that's what I was looking at14:51
ayoungbknudson_, yeah, I was confusing myself.  I was initially looking at the 2.0 docs, but the URL is different14:53
bknudson_mod_auth_ldap (without the nz) went to old docs14:53
ayoungbknudson_, so, this whole mess drove the approach in our group.  Its why we use SSSD for everything14:54
ayoungit means you don't need to configure this for each individual service.14:54
*** EinstCrazy has quit IRC14:54
dstanekrderose_: can you ping me when you push that patch with the added test?14:55
*** EinstCrazy has joined #openstack-keystone14:55
*** timcline has joined #openstack-keystone14:55
rderose_dstanek: sure14:55
*** dan_nguyen has joined #openstack-keystone14:58
dstanekbknudson_: what's the point of this test? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_backend_ldap.py#n93014:58
dstanekbknudson_: later that test is skipped in a different setup saying that it only works with fakeldap14:58
*** ravelar159 has quit IRC14:59
bknudson_good question... I don't remember off the top of my head what that was about. Maybe checking that DN handling code works.15:02
*** itisha has joined #openstack-keystone15:02
*** slberger1 has joined #openstack-keystone15:04
*** slberger has quit IRC15:04
*** nkinder has quit IRC15:07
dstanekbknudson_: i'll leave that one in the stash for now then :-)15:08
*** M00nr41n has quit IRC15:08
*** M00nr41n has joined #openstack-keystone15:10
*** diazjf1 has quit IRC15:12
*** jistr is now known as jistr|mtg15:13
*** M00nr41n has quit IRC15:14
*** M00nr41n has joined #openstack-keystone15:20
*** fawadkhaliq has joined #openstack-keystone15:20
*** M00nr41n has quit IRC15:24
*** fawadkhaliq has quit IRC15:25
shewlessdstanek: only 1 thing remains I think.  Right now my idp admin is sharing the "UPN" which is username@email.com.  Is there a way to strip off the @email.com part in the mapping?  Keystone barfs on the @ sign.15:26
*** M00nr41n has joined #openstack-keystone15:29
*** jsavak has quit IRC15:30
*** belmoreira has quit IRC15:31
dstaneki need some naming help... i created an alternative method for skipTest and called it skip_test_in_subclass. this method makes sure that if you are explicitly skipping a test because it won't work in a subclass that the method actually exists15:32
*** danpawlik has quit IRC15:32
dstanekthis is because the ldap backend tests were skipping stuff that had long since been removed15:32
dstanekso...what is the right name for this?15:32
*** jistr|mtg is now known as jistr15:32
*** slberger1 has quit IRC15:35
*** TxGVNN has quit IRC15:36
bknudson_in Java you can mark a method with @overrides , so might want to pick that15:38
*** jsavak has joined #openstack-keystone15:38
bknudson_skip_test_overrides ?15:38
*** slberger has joined #openstack-keystone15:38
*** alex_xu has quit IRC15:40
*** darosale has quit IRC15:41
*** dmk0202 has quit IRC15:42
*** SamYaple has joined #openstack-keystone15:42
openstackgerritMerged openstack/keystone: Group test_backend_ldap skips for readability  https://review.openstack.org/33406115:43
*** alex_xu has joined #openstack-keystone15:44
*** diazjf has joined #openstack-keystone15:45
*** nisha__ has joined #openstack-keystone15:46
*** diazjf has quit IRC15:47
*** diazjf has joined #openstack-keystone15:47
*** browne has joined #openstack-keystone15:49
*** ddieterly is now known as ddieterly[away]15:49
*** pnavarro has quit IRC15:49
dstanekbknudson_: i'd be fine with that15:50
*** nisha_ has quit IRC15:50
*** darosale has joined #openstack-keystone15:53
*** sdake_ has joined #openstack-keystone15:54
*** tesseract- has quit IRC15:56
*** sdake has quit IRC15:57
*** daemontool_ has joined #openstack-keystone16:00
*** ddieterly[away] is now known as ddieterly16:02
*** aloga_ has quit IRC16:03
*** dan_nguyen has quit IRC16:03
*** daemontool has quit IRC16:03
*** nisha__ is now known as nisha_16:05
*** gyee has joined #openstack-keystone16:17
*** ChanServ sets mode: +v gyee16:17
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add role functional tests  https://review.openstack.org/33511816:21
nisha_samueldmq, please have a look when you get time ^16:24
*** timcline has quit IRC16:24
*** timcline has joined #openstack-keystone16:25
*** nisha_ has quit IRC16:28
*** timcline has quit IRC16:29
*** nisha_ has joined #openstack-keystone16:29
*** EinstCrazy has quit IRC16:32
*** zqfan has quit IRC16:33
*** daemontool_ has quit IRC16:35
*** bjornar_ has quit IRC16:36
*** nisha_ has quit IRC16:37
*** tonytan4ever has quit IRC16:39
*** permalac has joined #openstack-keystone16:43
*** permalac_ has quit IRC16:45
*** dulek has quit IRC16:49
*** pcaruana has quit IRC16:49
*** rcernin has quit IRC16:51
*** timcline has joined #openstack-keystone16:52
*** dan_nguyen has joined #openstack-keystone16:53
*** jed56 has quit IRC16:55
*** tonytan4ever has joined #openstack-keystone16:56
*** timcline has quit IRC16:57
*** timcline has joined #openstack-keystone16:57
*** tqtran has joined #openstack-keystone16:59
*** aloga_ has joined #openstack-keystone17:01
*** timcline has quit IRC17:01
*** gyee has quit IRC17:03
*** henrynash has quit IRC17:05
roxanaghebknudson_, or dolphm  could you approve this stable/mitaka backport https://review.openstack.org/#/c/332956/ ?17:06
patchbotroxanaghe: patch 332956 - keystone (stable/mitaka) - /services?name=<name> API fails when using list_limit17:06
roxanaghebknudson_, dolphm it has too many +1s and not enough +2s :)17:06
*** fawadkhaliq has joined #openstack-keystone17:07
openstackgerritFangzhou Xu proposed openstack/keystone: Make getting token revocation list 9x faster on Mysql  https://review.openstack.org/28390217:07
*** fangxu has joined #openstack-keystone17:08
mfischis there some magic needed to delete an endpoint? The call tells me that the endpoint isn't found although it's clearly listed17:11
samueldmqmfisch: there shouldn't be17:12
samueldmqmfisch: trying to delete gives you an error ?17:12
shewlessHello.. I've got SSO working.. I'm wondering if there is a way to skip the horizon landing page.. the one that allows you to click "connect"17:12
mfischopenstack endpoint show 775fa420984048beb30b264a5b2c158d  works17:12
mfischopenstack endpoint delete 775fa420984048beb30b264a5b2c158d17:12
mfischCould not find endpoint: 775fa420984048beb30b264a5b2c158d (HTTP 404) (Request-ID: req-5f251426-18c6-4eb1-9293-5789123db828)17:13
mfischnothing much in the lgos17:13
mfischlogs17:13
shewlessthat would be good.. in local_settings.py I see SSO_CHOICES but the comment says to leave "local credentials"17:13
samueldmqmfisch: it may be a bug in the endpoint_api cache (perhaps that endpoint is still cached ?)17:13
*** aloga_ has quit IRC17:13
samueldmqmfisch: or is it giving 404 from the very first time you run delete ?17:14
*** diazjf has quit IRC17:14
mfischits still in the db17:14
mfischcolleague did the first delete but I think it failed too17:14
mfischand its still in the db like I mentioned17:14
samueldmqmfisch: using v2 or v3 ?17:14
dstanekmfisch: anything in the logs?17:14
mfischnot much but I just quiesced the rest of the cluster to zoom in a bit, so give me a sc17:15
mfischsec17:15
mfischdstanek: nothing really just this " Could not find endpoint: 775fa420984048beb30b264a5b2c158d"17:17
mfischlet me turn on debug17:18
samueldmqmfisch: dstanek: looks like if the endpoint was created in v3 and is being deleted with v2 it won't work ?17:18
samueldmqsee https://github.com/openstack/keystone/blob/master/keystone/catalog/controllers.py#L186-L19917:18
mfischoh maybe this17:18
mfischDeprecated: delete_endpoint of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q.17:18
mfischthats it17:18
mfischits a v3 endpoint17:18
* mfisch shakes fist17:19
mfisch thanks guys17:19
*** ddieterly is now known as ddieterly[away]17:19
dstaneksamueldmq: yes, this is true17:19
samueldmqwe got it17:19
*** hoonetorg has quit IRC17:19
EmilienMhey, I found something weird with latest openstackclient (running trunk) and keystone17:19
EmilienMhttp://logs.openstack.org/52/334852/1/check/gate-puppet-openstack-integration-3-scenario001-tempest-centos-7/014af3f/console.html#_2016-06-28_09_09_13_99212817:19
samueldmqmfisch: thanks for reporting it17:19
EmilienMConflict occurred attempting to store user - Duplicate Entry (HTTP 409)17:19
samueldmqdstanek: is this documented behavior ?  (v3 endpoint can't be deleted in v2)17:19
dstaneksamueldmq: i think so, but not sure where17:20
mfischsamueldmq: yeah kinda17:20
*** timcline has joined #openstack-keystone17:20
mfischthere's some weirdness with v2/v3 endpoints17:20
*** timcline has quit IRC17:20
samueldmqmfisch: ++ in the migration we create 3 v3 endpoints for 1 v2 endpoint, and the former's ID is stored as legacy_endpoint_id17:21
*** timcline has joined #openstack-keystone17:21
mfischyep17:21
mfischall mine are v3 endpoints17:21
mfischin this environment anyway17:21
samueldmqnice17:22
samueldmqEmilienM: yes that's weird, looks like it's conflicting when creating a new user17:22
samueldmqEmilienM: perhaps unique constraints are being violated ? let me check into the code17:23
mfischsamueldmq: it used to be that endpoint list didnt work with v2 api and v3 endpoints, but that seems to work now17:23
EmilienMsamueldmq: it's something in osclient probably, that merged the last 20 days17:23
mfischEmilienM: can you repro with curl?17:23
mfisch--debug will show it17:23
EmilienMmfisch: it's in puppet ci17:23
EmilienMyeah, we can trick provider17:24
EmilienMoh in fact it's not idempotent17:24
mfischthats no bueno17:25
mfischis user list failing?17:25
EmilienMhttp://logs.openstack.org/52/334852/1/check/gate-puppet-openstack-integration-3-scenario001-tempest-centos-7/014af3f/console.html#_2016-06-28_09_06_18_09355117:25
EmilienMit's failing during second puppet run17:25
EmilienMso openstackclient tries to create the user again while it already exists17:25
samueldmqmaybe user creation is called twice with the pair ('domain_id', 'name')17:26
samueldmqthat is expected to be unique17:26
dstanekEmilienM: the puppet module isn't idempotent?17:26
samueldmqEmilienM: is it always failing ? or is it intermittent ?17:26
EmilienMdstanek: it currently is17:27
EmilienMdstanek: when using openstackclient latest tag17:27
EmilienMbut when using trunk, it's not17:27
EmilienMsamueldmq: always.17:27
EmilienMsamueldmq: at second puppet run17:27
EmilienMso when admin user already exist17:27
EmilienMlet me dig puppet17:27
stevemarEmilienM: that seems correct to me17:27
dstanekEmilienM: openstackclient isn't idempotent17:27
samueldmqEmilienM: so it makes sense to be in the second run17:27
samueldmqEmilienM: it may be trying to recreate the user17:28
stevemarEmilienM: we have an argument --or-show, which makes it idempotent (kinda)17:28
stevemarEmilienM: where it'll return the user if a conflict is caught17:28
*** imcsk8 has joined #openstack-keystone17:28
EmilienMright, we check here https://github.com/openstack/puppet-keystone/blob/master/lib/puppet/provider/keystone_user/openstack.rb#L8317:29
*** jpena has joined #openstack-keystone17:30
*** julim has joined #openstack-keystone17:30
EmilienMand https://github.com/openstack/puppet-keystone/blob/master/lib/puppet/provider/keystone.rb#L16317:30
EmilienMwe show openstack user show to determine if it's already here17:30
EmilienMbut with latest osclient, it seems like it returns false so it tries to create it again17:31
*** jsavak has quit IRC17:32
stevemarEmilienM: hmm, maybe of the keystoneauth conversion? it'll toss up keystoneauth1.NotFound instead of keystoneclient.NotFound17:32
*** jsavak has joined #openstack-keystone17:33
SamYapleif i set an inherited role on a domain, will the project inherit that role as well since domains are projects in mitaka?17:35
samueldmqSamYaple: good question... henrynash_ ^17:37
*** d0ugal has quit IRC17:37
*** d0ugal has joined #openstack-keystone17:37
*** d0ugal has quit IRC17:37
*** d0ugal has joined #openstack-keystone17:37
samueldmqSamYaple: I'd expect that if you pass domain_id when creating the inherited role, it won't be applied to the current node17:37
EmilienMstevemar: I wonder if https://review.openstack.org/#/c/311206/ caused our issue17:37
patchbotEmilienM: patch 311206 - python-openstackclient - Use resource id when name given for identity show (MERGED)17:37
samueldmqSamYaple: however if you use project_id it will17:37
openstackgerritAlexander Makarov proposed openstack/keystone: Performance oriented functional test for HMT  https://review.openstack.org/33514417:38
samueldmqSamYaple: this way backwards compat is kept17:38
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT  https://review.openstack.org/28552117:38
stevemarEmilienM: hmm, that only impact `os user show`17:39
EmilienMstevemar: yes, and we use user show to determine is whether or not user exist in our puppet catalog17:39
EmilienMso maybe it returns false, and puppet tries to create it and fails before user actually exist already17:40
SamYaplesamueldmq: i think youre right. i just did a test and a user with a domain role wont allow me to get a token scoped for a project17:40
*** fawadkhaliq has quit IRC17:40
samueldmqSamYaple: cool17:40
EmilienMstevemar: we're investigating our puppet provider now, I'll let you know progress17:41
EmilienMstevemar, samueldmq: thx folks17:41
*** d0ugal has quit IRC17:41
samueldmqEmilienM: you're welcome, thanks for reporting17:41
*** d0ugal has joined #openstack-keystone17:42
*** d0ugal has quit IRC17:42
*** d0ugal has joined #openstack-keystone17:42
SamYapleI am attempting to create a policy rule that says if user has 'domainadmin' role in domain the user can list all the projects in that domain. its... not working well.17:43
SamYapleI have this "role:domainadmin and domain_id:%(token.domain.id)s"17:43
SamYaplebut i think the list_projects doesnt pass target information. havent confirmed that17:43
*** rcernin has joined #openstack-keystone17:45
*** mvk_ has quit IRC17:45
amoralejEmilienM, jpena discovered something interesting17:50
EmilienMamoralej: what?17:50
amoralejif you do  openstack user show admin it works fine17:50
amoralejbut if you do  "openstack user show admin --domain Default" it fails17:50
EmilienMthe warning might screw our parsing up17:50
EmilienMoh?17:50
EmilienMnice17:50
amoralejCommandError: No user with a name or ID of '454ad1c743e24edcad846d1118837cac' exists.17:50
EmilienMit sounds super related to https://review.openstack.org/#/c/311206/17:51
patchbotEmilienM: patch 311206 - python-openstackclient - Use resource id when name given for identity show (MERGED)17:51
EmilienMstevemar: hey it's us again17:51
amoralejand that seems to be related with a strange log in apache in your jobs17:51
rodrigodsamoralej, EmilienM what is the user domain?17:51
amoralej::1 - - [28/Jun/2016:09:09:11 +0000] "GET /v3/users?domain_id=default&name=cc754e6a839742c3a3d07c523f5afce1 HTTP/1.1" 200 149 "-"17:51
amoralejdefault17:51
EmilienMdefault17:51
rodrigodsthat name is incorrect17:52
EmilienMhow's that? It worked until now17:52
amoralejEmilienM, let me try with a version before https://review.openstack.org/#/c/311206/17:52
patchbotamoralej: patch 311206 - python-openstackclient - Use resource id when name given for identity show (MERGED)17:52
EmilienMamoralej: yeah or just revert the patch locally ^17:53
rodrigodsEmilienM, taking a look in osc code, think "user_str" is the ID, not the name17:53
rodrigodsand it is passing the wrong argument to the utils.find_resource17:53
*** jaugustine has joined #openstack-keystone17:54
amoralejbut what surprised me is that in my environment, i don't reproduce it with keystone_user resource17:55
*** diazjf has joined #openstack-keystone17:57
stevemarEmilienM: damn, that sucks17:58
stevemarEmilienM: keystone meeting in 2 minutes, i may not reply17:59
EmilienMstevemar: ack17:59
*** jorge_munoz_ has joined #openstack-keystone18:00
stevemarmeeting reminder ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, jorge_munoz, knikolla, lbragstad, lhcheng, marekd, MaxPC, morgan, nkinder, notmorgan, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tjcocozz, tsymanczyk, topol, vivekd, wanghong, xek18:00
*** jsavak has quit IRC18:01
amoralejEmilienM, it's confirmed, https://review.openstack.org/#/c/311206/ broke openstack user show admin --domain Default18:02
patchbotamoralej: patch 311206 - python-openstackclient - Use resource id when name given for identity show (MERGED)18:02
amoralejbut not for all users,18:02
*** jpena is now known as jpena|off18:02
*** jorge_munoz has quit IRC18:03
*** jorge_munoz_ is now known as jorge_munoz18:03
*** gyee has joined #openstack-keystone18:08
*** ChanServ sets mode: +v gyee18:08
*** henrynash has joined #openstack-keystone18:09
*** ChanServ sets mode: +v henrynash18:09
*** bjornar_ has joined #openstack-keystone18:09
*** ddieterly[away] is now known as ddieterly18:11
*** real56 has quit IRC18:14
*** ddieterly is now known as ddieterly[away]18:15
*** dan_nguyen has quit IRC18:18
*** jsavak has joined #openstack-keystone18:20
*** mvk_ has joined #openstack-keystone18:20
*** pcaruana has joined #openstack-keystone18:25
*** mvk_ has quit IRC18:26
raildojamielennox: hey :) about our v2-v3 stuffs, I was thinking in send an email to the operators list, to ask if Ocata is a good deadline. what do you think?18:28
jamielennoxraildo: damn i still haven't written that :) umm, i don't think that operators are our target - mostly who we're interested here are developers because we want to move the gate forward18:29
jamielennoxwe're not going to be able to actually deprecate v3 for a while18:29
raildojamielennox: sure18:29
jamielennoxat the moment the plan is just to move the gate forward18:29
*** PsionTheory has joined #openstack-keystone18:29
raildojamielennox: so, everything that you need, just ping me :D18:30
raildojamielennox: I updated the etherpad https://etherpad.openstack.org/p/v3-only-devstack18:31
raildojamielennox: we only have a few jobs to fix/test right now18:31
*** rderose has joined #openstack-keystone18:33
*** rderose_ has quit IRC18:34
*** pauloewerton has quit IRC18:37
*** ddieterly[away] is now known as ddieterly18:37
*** ravelar159 has joined #openstack-keystone18:39
*** PsionTheory has quit IRC18:39
*** pauloewerton has joined #openstack-keystone18:41
*** amoralej is now known as amoralej|lunch18:42
*** amoralej|lunch is now known as amoralej|off18:43
openstackgerritJamie Lennox proposed openstack/keystone: Use request.params instead of context['query_string']  https://review.openstack.org/33082218:47
lbragstadravelar159 are you in #osic ?18:48
ayounggyee, https://copr.fedorainfracloud.org/coprs/admiyo/18:49
gyeeayoung, good! we need to figure out getting it into devstack18:49
*** mvk has joined #openstack-keystone18:49
ayounggyee, ++18:50
ayounggyee, and Tripleo, I think18:50
gyeeindeed18:51
ayounggyee, so, yeah, first up is adding Anchor to devstack, and I think we do it in the core repo.18:51
*** mvk has quit IRC18:52
gyeeayoung, yeah, that part should be pretty trivial18:52
gyeeI just need to find some time to do it18:52
openstackgerritSteve Martinelli proposed openstack/keystone: Migrate identity /v2-ext docs from api-ref repo  https://review.openstack.org/32230118:52
openstackgerritSteve Martinelli proposed openstack/keystone: Migrate identity /v2 docs from api-ref repo  https://review.openstack.org/32217318:52
openstackgerritSteve Martinelli proposed openstack/keystone: Migrate identity /v2-admin docs from api-ref repo  https://review.openstack.org/32224718:53
openstackgerritSteve Martinelli proposed openstack/keystone: Migrate identity /v2-ext docs from api-ref repo  https://review.openstack.org/32230118:53
openstackgerritDolph Mathews proposed openstack/keystone: Migrate identity /v3-ext docs from api-ref repo  https://review.openstack.org/32213118:53
*** sheel has quit IRC18:55
*** fifieldt has quit IRC19:01
ayoungnotmorgan, I'd like troubleshooting to be less formal than Gerrit reviews, and more open to Operator contribs19:01
stevemarnotmorgan: hmm, i like the idea of a repo to hold everything... install guides, faq, moved blogs19:01
notmorganso ayoung i've long thought we should have people who make cool blog posts also propose officially docs (if they are like a howto) for federation19:01
notmorganayoung: so we don't need to do the search always for "who wrote this when"19:02
notmorgani see the troubleshooting guide being exactly in that category19:02
*** henrynash has quit IRC19:02
ayoungnotmorgan, is this a dagger I see before me?19:02
ayoungheh19:02
*** sdake has joined #openstack-keystone19:02
*** sdake_ has quit IRC19:03
ayoungI kindof want it to be like the Ask openstack site19:03
notmorganayoung: :) i would start with the troubleshooting doc here. adding a repo and publishing isn't terrifying.19:03
ayounghttps://ask.openstack.org/en/questions/  but with more like Stack overflow operations19:03
notmorganayoung: contribute more to ask.openstack?19:03
ayoungnotmorgan, I do all the time.. but It seems to lack organization19:03
jamielennoxayoung: maybe we can get an anonymous ask.o.o account and just feed you the softball questions19:03
ayoungwe have a keystone tag19:03
notmorganjamielennox: lol19:04
ayoungwe need more structure than that19:04
notmorganso stack overflow isn't exactly organised..19:04
ayoungjamielennox, hell, I want to post all the questions I get in PM IRC and email19:04
ayoungnotmorgan, agreed19:04
ayoungnotmorgan, its really a wiki I want19:04
ayoungcross linking19:04
ayounghave a troubleshooting page with a list of questions19:04
ayoungclick on the link that is closest...19:05
*** aloga_ has joined #openstack-keystone19:05
notmorganso i think if we want an official doc, we should just get it in a repo - wikis have... well look at wiki.o.o conversations19:05
jamielennoxso whilst that was a joke, i think in future when you help someone you should make them post it to ask.o.o and help them there so it can be referred to next time19:05
notmorganand the spam issues.19:05
ayoungnotmorgan, I don't want an official doc so much as I want a living doc19:05
* jamielennox goes back to bed19:05
notmorganayoung: openstack has issues with spammers at this point since we page-rank well. it has to have some level of control - or just be ask.o.o19:06
lbragstadjamielennox o/19:06
ayoungever try to search ask.o.o?19:06
ayoungsearch the Keystone tag and I get  1,141 questions19:07
*** spzala has quit IRC19:07
ayoungnotmorgan, is that why the wiki is shut down?19:07
notmorgani think you're going to find the troubleshooting doc in a repo is going to be the easiest19:07
*** spzala has joined #openstack-keystone19:07
notmorganayoung: it isn't shutdown, it is locked down a lot more, no new accounts, weird captcha questions, and still getting spam19:07
ayoungnotmorgan, that is what I meant...the no-new-accounts19:08
notmorganyep19:08
notmorganwe have had massive spam issues, 1000s of pages a day19:08
notmorganetc19:08
ayoungWhat is the platform for Ask.o.o?19:08
notmorgansome custom code [php] i think.19:08
notmorganit's iirc managed by the foundation.19:09
*** amakarov is now known as amakarov_away19:09
notmorganmaybe it's askbot?19:10
notmorganhttps://github.com/ASKBOT19:10
notmorganhttp://askbot.org/en/questions/19:11
*** aloga_ has quit IRC19:12
*** spzala has quit IRC19:12
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494319:13
ayoungHeh...lots of unanswered questions there, too19:13
rderosestevemar rodrigods dstanek: added a test to test for domain duplicates ^19:14
rodrigodsrderose, awesome, will take a look back tonight19:14
rderoserodrigods: cool, thx19:15
*** tonytan4ever has quit IRC19:15
*** fifieldt has joined #openstack-keystone19:16
*** sdake_ has joined #openstack-keystone19:16
*** sdake has quit IRC19:20
*** dan_nguyen has joined #openstack-keystone19:21
stevemarayoung: i think putting it in keystone proper right now is easiest19:23
*** tonytan4ever has joined #openstack-keystone19:24
*** gyee has quit IRC19:25
ayoungstevemar, maybe19:28
ayoungstevemar, depends on if it should be part of a larger openstack troubleshooting effort19:28
stevemarayoung: it's easy enough to put a redirect in our docs if we move to a larger repo19:28
ayoungso many things start with "keystone is broken" and it ends up being a config to talk to keystone that is broken19:29
ayoungstevemar, how do people submit new questions19:29
ayoungits the wrong place.19:29
ayoungits keystone server, client, middleware, cli, horizon19:29
ayoungbut...I'll chew on it.19:30
*** ayoung has quit IRC19:35
*** raddaoui has quit IRC19:37
*** aloga_ has joined #openstack-keystone19:38
*** ametts has quit IRC19:40
stevemarsamueldmq: any link to the patch on making the api-ref use keystone instead of openstack-manuals?19:42
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844719:45
*** hoonetorg has joined #openstack-keystone19:54
EmilienMstevemar: I have to leave now but we found out that https://review.openstack.org/#/c/311206 was the root cause19:56
*** ametts has joined #openstack-keystone19:56
EmilienMit causes issue when user show with a default domain it returns 119:56
*** bjornar_ has quit IRC19:57
EmilienMI need to leave now but I'll give details later, feel free to look if you see something wrong19:57
* EmilienM afk19:57
stevemarEmilienM: ack19:57
stevemaralso leaving for a few19:57
openstackgerritJoao Targino proposed openstack/python-keystoneclient: Update README to comply with Identity V3  https://review.openstack.org/33521020:00
*** ddieterly is now known as ddieterly[away]20:00
*** jsavak has quit IRC20:01
*** jsavak has joined #openstack-keystone20:02
*** ntpttr has joined #openstack-keystone20:02
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Use extras for oslo.messaging dependency  https://review.openstack.org/27440020:02
*** jaugustine has quit IRC20:04
*** jorge_munoz has quit IRC20:04
*** slberger1 has joined #openstack-keystone20:04
*** spzala has joined #openstack-keystone20:05
*** jorge_munoz has joined #openstack-keystone20:05
*** slberger has quit IRC20:05
openstackgerritSteve Martinelli proposed openstack/keystone: Line removed, tests pass  https://review.openstack.org/33506120:06
*** ravelar159 has quit IRC20:08
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Update README to comply with Identity V3  https://review.openstack.org/33521020:08
*** ddieterly[away] is now known as ddieterly20:24
*** ayoung has joined #openstack-keystone20:29
*** ChanServ sets mode: +v ayoung20:29
*** jorge_munoz_ has joined #openstack-keystone20:32
*** jorge_munoz has quit IRC20:32
*** jorge_munoz_ is now known as jorge_munoz20:32
*** lucas___ has joined #openstack-keystone20:36
*** jbell8 has joined #openstack-keystone20:36
*** gyee has joined #openstack-keystone20:39
*** ChanServ sets mode: +v gyee20:39
*** ddieterly is now known as ddieterly[away]20:40
*** ddieterly[away] is now known as ddieterly20:40
mfischlbragstad: FYI from my tester: https://bugs.launchpad.net/keystone/+bug/159707720:45
openstackLaunchpad bug 1597077 in OpenStack Identity (keystone) "Mitaka token 'expires' padding differs between POST and GET/HEAD on Fernet tokens" [Undecided,New]20:45
mfischthats minor I believe20:45
bknudson_Probably fixed with https://review.openstack.org/#/c/332493/20:46
patchbotbknudson_: patch 332493 - keystone - Correct use of isotime20:46
lbragstadbknudson_ oh - good point20:47
*** ametts has quit IRC20:49
*** slberger1 has quit IRC20:49
*** samueldmq has quit IRC20:51
*** samueldmq has joined #openstack-keystone20:52
*** ChanServ sets mode: +v samueldmq20:52
*** lucas___ has quit IRC21:01
*** sdake has joined #openstack-keystone21:01
*** rderose has quit IRC21:02
*** slberger has joined #openstack-keystone21:03
*** jsavak has quit IRC21:03
*** jsavak has joined #openstack-keystone21:04
*** sdake_ has quit IRC21:04
*** lucas___ has joined #openstack-keystone21:04
*** lucas___ has quit IRC21:06
*** lucas____ has joined #openstack-keystone21:06
*** lucas____ has quit IRC21:10
*** dmk0202 has joined #openstack-keystone21:11
*** vgridnev_ has joined #openstack-keystone21:12
*** lucas___ has joined #openstack-keystone21:17
*** harlowja has quit IRC21:19
*** chrisshattuck has joined #openstack-keystone21:22
*** lucas___ has quit IRC21:22
ayoungnotmorgan, stevemar http://docs.openstack.org/developer/keystone/  is generated from git keystone/docs.  Right?  How often?21:22
notmorganayoung: uhm.21:23
notmorganayoung: every commit21:24
ayoungWhen,...did we split config out?  I totally missed that21:25
ayoungI like, but it means I have a lot of dead links...21:25
*** gagehugo has quit IRC21:26
notmorganayoung: hmm? into docs?21:26
notmorganayoung: earlier this cycle.21:26
ayoungnotmorgan, yeah...could not have been that long ago21:27
notmorganayoung: next step is to delete the sample config from the git repo21:27
notmorgansince it's pretty much out of date now/not maintained21:27
*** ravelar159 has joined #openstack-keystone21:28
*** samueldmq has quit IRC21:29
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove the sample config from the git tree  https://review.openstack.org/33523621:29
*** ddieterly is now known as ddieterly[away]21:31
*** ravelar_159 has joined #openstack-keystone21:32
*** fangxu has quit IRC21:32
*** ravelar159 has quit IRC21:35
*** pauloewerton has quit IRC21:36
*** ravelar_159 has quit IRC21:37
*** jsavak has quit IRC21:38
*** fangxu has joined #openstack-keystone21:39
*** sdake has quit IRC21:39
*** dmk0202 has quit IRC21:42
*** jsavak has joined #openstack-keystone21:47
ntpttrayoung: hey, I see your name in this code so maybe you can help me answer this :). Is there a way to tell if a project is 'admin project' when you just get the project object itself, or is that info just stored in the token here? https://github.com/openstack/keystone/blob/d9c6b50a3ae514e640fa13a344e59fe3649ee0ef/keystone/token/providers/common.py#L269-L28521:49
*** itisha has quit IRC21:50
*** aloga_ has quit IRC21:50
ayoungntpttr, it is majik21:51
ayoungntpttr, what version of Keystone are you running?21:51
ntpttrayoung: 3 - I'm trying to work out this bug in cinder hierarchical quota showing https://bugs.launchpad.net/cinder/+bug/159704521:51
openstackLaunchpad bug 1597045 in Cinder "Admin cannot show/set quotas in projects where they are not a member or in hierarchy" [Undecided,New] - Assigned to Nate Potter (ntpttr)21:51
ntpttrayoung: basically I think we want the 'admin' project for a domain to be able to view and set quotas for all the users in that domain, but right now that's not what's happening21:52
ntpttrso if there was an easy way to tell if a project was the admin project, that would probably be a good way to fix that. Right now it's checking to see if the target project is in the subtree of the context project, but the admin project doesn't always have all the other projects in a domain in its subtree21:53
ntpttrI'm not too familiar w/ keystone, so this is blowing my mind a bit :)21:53
*** darosale has quit IRC21:54
ayoungntpttr, 3 is a keystone API version. Which version of the Keystone server are you running with?  Master?  Mitaka?21:54
ntpttrayoung: I'm using a fresh devstack, does that default to 2 or 3? The person who reported the bug is running mitaka I believe21:55
ntpttroops I understand your question, it's master21:55
ayoungntpttr, OK.  every keystone server has v2 and a v3 api support21:55
ayoungfrom Cinder's perspective, I think the question might be this:21:56
*** jbell8 has quit IRC21:56
ayoung"certain tokens are supposed to be used by administrators to fix things across all of cinder.  When we get one of those, it might not match the project for the quota.  How do we tell?"21:57
*** ddieterly[away] is now known as ddieterly21:57
ayoungntpttr, ah....more than that, now that I read the bug report21:58
*** spzala has quit IRC21:58
ayoungntpttr, where did you see my name in the code, out of curiosity?  I wasn't doing the hierarchical stuff...but...21:58
*** spzala has joined #openstack-keystone21:58
*** vgridnev_ has quit IRC21:59
ayoungntpttr, you need henrynash_ raildo or someone that has worked on the hierarchical stuff.21:59
ayoungraildo in particular is our quota guru21:59
ntpttrayoung: well I was talking to dolphm about this, and he suggested figuring out if the project has admin scope for the project based on is_admin_project in the token, and mentioned you might know about that I think. Your nick is in the code for this docstring https://github.com/openstack/keystone/blob/d9c6b50a3ae514e640fa13a344e59fe3649ee0ef/keystone/token/providers/common.py#L269-L27421:59
ayoungas far as "admin token" we are working on making it easier to specify a token as "admin in the admin project"  which went in to Keystone last release, but is not exposed in oslo-context yet22:00
*** diazjf has quit IRC22:00
ayoungntpttr, he's  right22:00
ayoungthe reviews for that are still pending...22:00
ayounghttps://review.openstack.org/#/c/331374/  that merged22:01
patchbotayoung: patch 331374 - keystonemiddleware - Pass X_IS_ADMIN_PROJECT header from auth_token (MERGED)22:01
ayoungntpttr, so...you should be able to check for that header22:01
ntpttrayoung: ah cool, does that header exist whenever any request to keystone is made?22:02
ayoungntpttr, that is not the question you need to ask22:03
*** spzala has quit IRC22:03
ayoungntpttr, the question is "does cinder have access to that header after the token is validated " and the answer should be "yes"22:03
ayoungthe header is created by keystonemiddleware22:03
ayoungntpttr, so, any token validation response has the data in it to generate that header, but not every web server out there would generate it...but you don't care, right?22:04
*** fangxu has quit IRC22:04
ntpttrayoung: I don't think so? What I do know is that we're making the request to get the project here based on the project ID from a keystone client that we generate with our context, is there a way to get that info out of the data there? https://github.com/openstack/cinder/blob/master/cinder/quota_utils.py#L106-L10822:06
ntpttrayoung: thanks for your help btw, sorry I'm pretty green with the keystone stuff22:06
ayoungntpttr, you should have it cinder by that point22:06
ayoungntpttr, test it out22:07
ayoungyou have a devstack setup?22:07
ayoungthere are a few config options to look at...22:07
ntpttrayoung: yeah I do, I was just walking through the code there in pdb after making a quota show request as admin22:08
ayoungntpttr, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/resource.py#n5022:08
ayoungand22:08
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/resource.py#n5622:08
ayoungif you set those, then only tokens from those projects should have the  X_IS_ADMIN_PROJECT header22:09
ntpttrayoung: ah okay, I need to manually put those in keystone.conf? does devstack not set up an admin project by default?22:10
ayoungntpttr, not yet22:10
ntpttrayoung: this is the response I was getting before when the get was called, I don't see the header so that's probably because those options aren't there http://paste.openstack.org/show/523841/22:10
ayoungntpttr, so jamielennox took this effort over from me.  I did not sync up with him as far as the state.  He's probably asleep right now22:10
ayoungI had an approach that we were going to take, but he was going for something different, and there might still be a missing piece.  I'd sync with him when he is back22:11
ayounghe's in Australia, and was up early for the Keystone meeting, so...a few more hours probably22:11
ntpttrayoung: gotcha, thanks. It looks like devstack actually has set up those values22:12
ntpttrhttp://paste.openstack.org/show/523845/22:12
ayoungYay!22:12
*** ddieterly is now known as ddieterly[away]22:12
*** ddieterly[away] is now known as ddieterly22:12
ayoungntpttr, I've been lost in Tripleo land this release..it's been kicking my tuchas22:12
*** ddieterly has quit IRC22:13
ntpttrayoung: good luck!22:14
ayoungntpttr, too late22:14
ntpttrthanks for your time22:14
*** jbell8 has joined #openstack-keystone22:16
*** harlowja has joined #openstack-keystone22:16
*** harlowja has quit IRC22:23
*** lucas___ has joined #openstack-keystone22:24
*** jsavak has quit IRC22:28
*** lucas___ has quit IRC22:28
*** gordc has quit IRC22:38
*** BjoernT has quit IRC22:40
*** jorge_munoz has quit IRC22:41
*** tonytan4ever has quit IRC22:45
*** KevinE has quit IRC22:46
*** ddieterly has joined #openstack-keystone22:48
*** ddieterly is now known as ddieterly[away]22:49
*** mwheckmann has quit IRC22:49
*** ddieterly[away] has quit IRC22:52
*** fangxu has joined #openstack-keystone22:56
*** dan_nguyen has quit IRC22:57
*** lucas__ has joined #openstack-keystone22:58
*** jbell8 has quit IRC22:58
*** spzala has joined #openstack-keystone22:59
*** lucas___ has joined #openstack-keystone22:59
openstackgerritMerged openstack/python-keystoneclient: Update README to comply with Identity V3  https://review.openstack.org/33521023:00
*** lucas____ has joined #openstack-keystone23:02
*** lucas___ has quit IRC23:03
*** lucas__ has quit IRC23:03
*** rcernin has quit IRC23:03
*** lucas__ has joined #openstack-keystone23:03
*** spzala has quit IRC23:04
*** lucas___ has joined #openstack-keystone23:05
*** lucas____ has quit IRC23:06
*** lucas____ has joined #openstack-keystone23:07
*** lucas__ has quit IRC23:08
*** lucas___ has quit IRC23:09
*** lucas____ has quit IRC23:11
*** BjoernT has joined #openstack-keystone23:12
*** harlowja has joined #openstack-keystone23:12
*** BjoernT has quit IRC23:17
*** slberger has left #openstack-keystone23:18
*** tonytan4ever has joined #openstack-keystone23:22
*** timcline has quit IRC23:22
*** tonytan4ever has quit IRC23:27
*** rderose has joined #openstack-keystone23:31
rderoserodrigods: you're killing me, gooooooooodnesssss23:32
rderoserodrigods: :)23:32
jamielennoxayoung, ntpttr: hmm? yea, slept in23:47
jamielennoxrderose: hey, i'm looking at your inactive users DSS, it has a database write on every activate. How do i not do that?23:50
rderosejamielennox: it sets last_active_at on every authentication if you have the "disable_user_account_days_inactive" config set23:52
rderosejamielennox: if "disable_user_account_days_inactive" is set to none, it won't do the database write23:53
jamielennoxrderose: oh, you put it in the sql_backend. i was expecting it in the controller/manager and not seeing it23:54
rderosejamielennox: yeah, this feature is only supported via the sql backend identity23:55
jamielennoxi guess it has to go there to make the enabled  property work like that23:56
*** roxanaghe has quit IRC23:56
jamielennoxok, thanks23:56
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Use extras for oslo.messaging dependency  https://review.openstack.org/27440023:56
*** ddieterly has joined #openstack-keystone23:57
rderosejamielennox: np23:57
