Tuesday, 2016-07-05

*** dgonzalez has quit IRC00:08
*** dgonzalez has joined #openstack-keystone00:15
*** code-R has quit IRC00:19
*** code-R has joined #openstack-keystone00:27
*** iurygregory_ has joined #openstack-keystone00:28
*** chrisshattuck has joined #openstack-keystone00:57
*** jamielennox is now known as jamielennox|away01:09
*** jamielennox|away is now known as jamielennox01:43
*** EinstCrazy has joined #openstack-keystone01:44
*** jamielennox is now known as jamielennox|away01:53
*** EinstCra_ has joined #openstack-keystone02:01
*** EinstCrazy has quit IRC02:02
*** code-R_ has joined #openstack-keystone02:02
*** code-R has quit IRC02:05
*** EinstCrazy has joined #openstack-keystone02:06
*** EinstCra_ has quit IRC02:07
*** wangqun has joined #openstack-keystone02:11
*** GB21 has joined #openstack-keystone02:25
*** davechen has joined #openstack-keystone02:35
*** GB21 has quit IRC02:43
*** jamielennox|away is now known as jamielennox02:43
*** chrisshattuck has quit IRC02:56
*** chrisshattuck has joined #openstack-keystone03:04
*** chrisshattuck has quit IRC03:05
*** chrisshattuck has joined #openstack-keystone03:06
*** rcernin has joined #openstack-keystone03:09
*** chrisshattuck has quit IRC03:10
*** chrisshattuck has joined #openstack-keystone03:10
*** code-R_ has quit IRC03:11
*** roxanagh_ has joined #openstack-keystone03:11
*** code-R has joined #openstack-keystone03:11
*** ravelar159 has joined #openstack-keystone03:19
*** davechen has quit IRC03:49
stevemarjamielennox: i was half way through reviewing that patch03:50
stevemarjamielennox: hmm03:50
stevemarjamielennox: OIDC isn't necessary for that bug, not under  "extra"03:50
*** iurygregory_ has quit IRC03:52
stevemarjamielennox: i wouldn't mind opening a SAML specific bug about the entry point, but i guess we can keep that one open03:52
*** chrisshattuck has quit IRC03:54
*** M00nr41n has joined #openstack-keystone03:56
*** GB21 has joined #openstack-keystone04:08
*** EinstCrazy has quit IRC04:12
*** ravelar159 has quit IRC04:13
*** roxanagh_ has quit IRC04:24
*** M00nr41n has quit IRC04:28
*** roxanagh_ has joined #openstack-keystone04:30
*** GB21 has quit IRC04:40
*** roxanagh_ has quit IRC04:40
*** roxanagh_ has joined #openstack-keystone04:43
*** ravelar159 has joined #openstack-keystone04:45
*** roxanagh_ has quit IRC04:47
*** ravelar159 has quit IRC04:49
jamielennoxgah, stupid dogpile value crap04:49
*** GB21 has joined #openstack-keystone04:58
stevemarjamielennox: http://i.imgur.com/8iVy7t6.jpg05:00
*** sheel has joined #openstack-keystone05:07
jamielennoxlol05:07
jamielennoxkind of a pile05:07
*** bj0rnar- has quit IRC05:08
jamielennoxjust spent most of the day on an auth_token oslo.cache conversion to realize that dogpile writes its own metadata to the value and so new values aren't compatible with old values05:08
jamielennoxevery time i try this it doesn't work right05:08
jamielennoxstevemar: would people accept a cache flush on auth_token update?05:09
*** bj0rnar has joined #openstack-keystone05:10
stevemarjamielennox: what do you mean by `on auth_token update`?05:12
jamielennoxstevemar: so dogpile.cache writes its own format to the cache, so if i go via it then all old cache values are dead05:14
jamielennoxstevemar: i'm pretty sure i can maintain config compatibility05:15
jamielennoxstevemar: but when you update keystonemiddleware all the existing values in cache would get ignored05:15
jamielennoxi'm guessing it's not worth it - but it's annoying as i thought i had this solved05:15
jamielennoxdamn, back later05:16
stevemarjamielennox: oh, you mean when they upgrade to a version of ksm that includes some change05:18
stevemarjamielennox: i think that (a cache flush) would be OK...05:18
stevemaryou're upgrading the whole cloud, it'll take a while05:19
*** code-R has quit IRC05:23
*** M00nr41n has joined #openstack-keystone05:24
stevemarsleep time05:28
openstackgerritMerged openstack/keystone: Refactoring: remove the duplicate method  https://review.openstack.org/33696305:37
*** code-R has joined #openstack-keystone05:39
*** ravelar159 has joined #openstack-keystone05:39
*** itisha has quit IRC05:40
*** roxanagh_ has joined #openstack-keystone05:44
*** ravelar159 has quit IRC05:45
*** itisha has joined #openstack-keystone05:47
*** roxanagh_ has quit IRC05:48
*** ravelar159 has joined #openstack-keystone05:52
openstackgerrityuyafei proposed openstack/python-keystoneclient: Add __ne__ built-in function  https://review.openstack.org/33743505:53
*** davechen has joined #openstack-keystone05:54
*** maestropandy has joined #openstack-keystone05:54
*** tonytan4ever has quit IRC05:55
*** code-R_ has joined #openstack-keystone05:56
*** code-R has quit IRC05:59
*** rcernin has quit IRC06:01
*** EinstCrazy has joined #openstack-keystone06:04
*** ravelar159 has quit IRC06:14
*** GB21 has quit IRC06:15
*** code-R_ has quit IRC06:19
*** code-R has joined #openstack-keystone06:20
*** maestropandy has quit IRC06:24
*** hogepodge has quit IRC06:25
*** hogepodge has joined #openstack-keystone06:27
*** maestropandy has joined #openstack-keystone06:28
*** ravelar159 has joined #openstack-keystone06:30
*** rcernin has joined #openstack-keystone06:32
*** roxanagh_ has joined #openstack-keystone06:44
*** pcaruana has joined #openstack-keystone06:46
*** roxanagh_ has quit IRC06:49
*** ravelar159 has quit IRC06:52
openstackgerritzhufl proposed openstack/keystone: Remove unused LOG  https://review.openstack.org/33746606:53
*** tonytan4ever has joined #openstack-keystone06:55
*** ravelar159 has joined #openstack-keystone07:00
*** tonytan4ever has quit IRC07:00
*** ravelar159 has quit IRC07:05
*** tesseract- has joined #openstack-keystone07:09
*** danpawlik has joined #openstack-keystone07:12
*** jpena|off is now known as jpena07:15
*** kevinbenton has quit IRC07:17
*** clenimar has quit IRC07:19
*** clenimar has joined #openstack-keystone07:20
*** kevinbenton has joined #openstack-keystone07:20
*** dancn` is now known as dancn07:23
*** dancn has quit IRC07:24
*** dancn has joined #openstack-keystone07:24
openstackgerrityuyafei proposed openstack/python-keystoneclient: Remove white space between print and ()  https://review.openstack.org/33749407:24
openstackgerritAtsushi SAKAI proposed openstack/keystone: [doc/api]Remove space within word  https://review.openstack.org/33750907:39
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000607:47
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class  https://review.openstack.org/33714007:47
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support  https://review.openstack.org/33046407:47
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument  https://review.openstack.org/33046507:47
openstackgerritMerged openstack/keystone: Handle catalog backends that don't support all functions.  https://review.openstack.org/33640007:49
*** chlong has quit IRC07:52
*** EinstCrazy has quit IRC07:53
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000607:53
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class  https://review.openstack.org/33714007:53
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support  https://review.openstack.org/33046407:53
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument  https://review.openstack.org/33046507:53
*** ravelar159 has joined #openstack-keystone07:54
*** EinstCrazy has joined #openstack-keystone07:56
*** ravelar159 has quit IRC07:59
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** tonytan4ever has joined #openstack-keystone08:03
*** chlong has joined #openstack-keystone08:04
*** tonytan4ever has quit IRC08:08
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class  https://review.openstack.org/33714008:11
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument  https://review.openstack.org/33046508:11
*** davechen has left #openstack-keystone08:15
*** pnavarro has joined #openstack-keystone08:22
*** wanghua has quit IRC08:25
*** rvba has joined #openstack-keystone08:27
*** rvba has quit IRC08:27
*** rvba has joined #openstack-keystone08:27
*** roxanagh_ has joined #openstack-keystone08:33
*** roxanagh_ has quit IRC08:37
*** yolanda has quit IRC08:41
*** yolanda has joined #openstack-keystone08:42
openstackgerrithenry-nash proposed openstack/keystone: Remove headers from context  https://review.openstack.org/33701608:44
*** ravelar159 has joined #openstack-keystone08:48
*** code-R has quit IRC08:49
*** ravelar159 has quit IRC08:54
*** GB21 has joined #openstack-keystone08:54
*** nisha has joined #openstack-keystone08:57
*** EinstCrazy has quit IRC09:03
*** EinstCrazy has joined #openstack-keystone09:03
*** bjornar_ has joined #openstack-keystone09:09
*** EinstCra_ has joined #openstack-keystone09:20
*** yolanda has quit IRC09:21
*** yolanda has joined #openstack-keystone09:22
*** EinstCrazy has quit IRC09:23
*** maestropandy has quit IRC09:23
*** maestropandy has joined #openstack-keystone09:31
*** nisha has quit IRC09:35
*** nisha has joined #openstack-keystone09:36
*** ravelar159 has joined #openstack-keystone09:43
*** yolanda has quit IRC09:43
*** yolanda has joined #openstack-keystone09:45
*** ravelar159 has quit IRC09:47
*** EinstCrazy has joined #openstack-keystone10:02
*** wangqun has quit IRC10:03
*** EinstCra_ has quit IRC10:04
*** henrynash has quit IRC10:06
*** roxanagh_ has joined #openstack-keystone10:21
*** samueldmq has joined #openstack-keystone10:23
*** ChanServ sets mode: +v samueldmq10:23
samueldmqmorning keystone10:23
*** roxanagh_ has quit IRC10:25
*** ntpttr has quit IRC10:30
*** ntpttr has joined #openstack-keystone10:31
*** EinstCrazy has quit IRC10:33
*** ravelar159 has joined #openstack-keystone10:36
*** maestropandy has quit IRC10:36
*** dims has joined #openstack-keystone10:38
*** ravelar159 has quit IRC10:41
*** henrynash has joined #openstack-keystone10:42
*** ChanServ sets mode: +v henrynash10:42
*** itisha has quit IRC10:50
*** rodrigods has quit IRC10:51
*** rodrigods has joined #openstack-keystone10:51
*** yolanda has quit IRC10:52
*** itisha has joined #openstack-keystone10:52
*** yolanda has joined #openstack-keystone10:56
*** GB21 has quit IRC11:12
*** henrynash has quit IRC11:29
*** ravelar159 has joined #openstack-keystone11:30
*** GB21 has joined #openstack-keystone11:32
*** jed56 has joined #openstack-keystone11:33
*** ravelar159 has quit IRC11:35
*** yolanda has quit IRC11:35
*** nisha_ has joined #openstack-keystone11:38
*** henrynash has joined #openstack-keystone11:40
*** ChanServ sets mode: +v henrynash11:40
*** nisha has quit IRC11:40
*** gordc has joined #openstack-keystone11:44
*** henrynash has quit IRC11:44
samueldmqstevemar: all reviewed and on the gates11:47
nisha_hi stevemar11:48
nisha_samueldmq, am here11:49
openstackgerritShoham Peller proposed openstack/keystone: Fixed the query params in role_assignments  https://review.openstack.org/33763211:54
*** nisha_ has quit IRC11:57
*** nisha_ has joined #openstack-keystone11:57
dstaneksamueldmq: good morning12:00
samueldmqdstanek: morning12:00
*** tonytan4ever has joined #openstack-keystone12:04
*** raildo-afk is now known as raildo12:07
*** maestropandy has joined #openstack-keystone12:08
openstackgerritPuneet Arora proposed openstack/keystone: Fixed a Typo  https://review.openstack.org/33763612:08
*** roxanagh_ has joined #openstack-keystone12:09
*** tonytan4ever has quit IRC12:09
*** yolanda has joined #openstack-keystone12:11
*** chlong has quit IRC12:12
*** roxanagh_ has quit IRC12:13
openstackgerrityuyafei proposed openstack/python-keystoneclient: Remove print in tests.functional.v3.test_implied_roles  https://review.openstack.org/33749412:15
*** henrynash has joined #openstack-keystone12:18
*** ChanServ sets mode: +v henrynash12:18
*** openstackgerrit has quit IRC12:19
*** openstackgerrit has joined #openstack-keystone12:19
openstackgerritShoham Peller proposed openstack/keystone: Fixed the query params in role_assignments  https://review.openstack.org/33763212:19
*** jpena is now known as jpena|lunch12:21
*** henrynash has quit IRC12:22
*** ravelar159 has joined #openstack-keystone12:25
*** ravelar159 has quit IRC12:29
*** lamt has joined #openstack-keystone12:33
*** chlong has joined #openstack-keystone12:43
*** pauloewerton has joined #openstack-keystone12:48
*** henrynash has joined #openstack-keystone12:49
*** ChanServ sets mode: +v henrynash12:49
*** TxGVNN has joined #openstack-keystone12:49
*** henrynash has quit IRC12:55
*** jed56 has quit IRC12:55
*** mdavidson has quit IRC12:55
*** jed56 has joined #openstack-keystone12:57
openstackgerritSteve Martinelli proposed openstack/keystone: Docs: Fix the query params in role_assignments example  https://review.openstack.org/33763212:59
*** GB21 has quit IRC13:02
*** samueldmq has quit IRC13:04
*** julim has joined #openstack-keystone13:05
*** yolanda has quit IRC13:05
*** tonytan4ever has joined #openstack-keystone13:05
*** yolanda has joined #openstack-keystone13:07
*** samueldmq has joined #openstack-keystone13:09
*** ChanServ sets mode: +v samueldmq13:09
*** tonytan4ever has quit IRC13:10
*** ravelar159 has joined #openstack-keystone13:19
*** henrynash has joined #openstack-keystone13:19
*** ChanServ sets mode: +v henrynash13:19
*** ravelar159 has quit IRC13:23
*** sheel has quit IRC13:25
*** code-R has joined #openstack-keystone13:30
stevemarmorning samueldmq13:30
*** jpena|lunch is now known as jpena13:34
*** raildo has quit IRC13:34
*** code-R_ has joined #openstack-keystone13:34
*** raildo-afk has joined #openstack-keystone13:35
*** nisha_ has quit IRC13:35
*** raildo-afk is now known as raildo13:36
*** nisha_ has joined #openstack-keystone13:36
*** code-R has quit IRC13:37
*** links has joined #openstack-keystone13:38
*** pnavarro has quit IRC13:39
*** ravelar159 has joined #openstack-keystone13:42
*** ayoung has joined #openstack-keystone13:43
*** ChanServ sets mode: +v ayoung13:43
*** links has quit IRC13:45
*** jsavak has joined #openstack-keystone13:47
*** code-R has joined #openstack-keystone13:47
openstackgerritMerged openstack/keystone: generate separate index files for each api-ref  https://review.openstack.org/33736313:48
*** itisha has quit IRC13:50
*** code-R_ has quit IRC13:51
openstackgerritMerged openstack/keystone: move OAUTH1 API to extensions  https://review.openstack.org/33737313:53
openstackgerritMerged openstack/keystone: Add missing preamble for v3 and v3-ext  https://review.openstack.org/33737513:54
*** spzala has joined #openstack-keystone13:54
*** links has joined #openstack-keystone13:56
*** code-R_ has joined #openstack-keystone13:56
*** tonytan4ever has joined #openstack-keystone13:56
*** roxanagh_ has joined #openstack-keystone13:57
*** henrynash has quit IRC13:58
*** links has quit IRC13:59
*** code-R has quit IRC13:59
*** roxanagh_ has quit IRC14:01
samueldmqstevemar: o/14:01
samueldmqaloga: I assume this is not WIP anymore ? 33000614:02
samueldmqpatch 33000614:02
patchbotsamueldmq: https://review.openstack.org/#/c/330006/ - keystoneauth - WIP - oidc: fix OpenID Connect authorization code ...14:02
*** ravelar159 has quit IRC14:02
*** woodster_ has joined #openstack-keystone14:05
openstackgerrithenry-nash proposed openstack/keystone-specs: Add migration-complete step to keystone-manage  https://review.openstack.org/33768014:06
samueldmqayoung: notmorgan: hey, last time I remember I got fernet working in the gate was with that patch for linear search in revoke BUT without the cache14:06
samueldmqayoung: notmorgan: I am running a recheck in https://review.openstack.org/#/c/319497/ and expecting it to still fail14:07
patchbotsamueldmq: patch 319497 - keystone - DO NOT MERGE: Test fix for fernet race condition14:07
ayoungyep14:07
samueldmqhow should we proceed with that ?14:07
samueldmqayoung: hey14:07
*** jsavak has quit IRC14:07
samueldmqayoung: so.. it doesn't seem to work with that cache ... and we want fernet back as the default in devstack :(14:07
ayoungkill the cache14:08
ayounghell, just Kill Keystone14:08
raildoayoung, \m/14:08
dstaneksamueldmq: what's the issue?14:08
samueldmqdstanek: remember we had fernet as default token provider in devstack14:09
samueldmqdstanek: then the gates started failing intermittently14:09
dstanekit was a cache issue?14:10
samueldmqdstanek: I am getting you links ... but gerrit seems to be super slow14:10
samueldmqdstanek: ayoung proposed this https://review.openstack.org/#/c/311652/14:11
patchbotsamueldmq: patch 311652 - keystone - Replace revoke tree with linear search (MERGED)14:11
samueldmqdstanek: which had caching disabled in a given version, then my test (patch 319497) passed in all the gates14:11
patchbotsamueldmq: https://review.openstack.org/#/c/319497/ - keystone - DO NOT MERGE: Test fix for fernet race condition14:11
samueldmqso I think the issue is fernet + that cache14:11
ayoungif you revoke something, you need to make sure the cache is invalidated, or you don't end up actually revoking14:12
*** code-R has joined #openstack-keystone14:13
ayoungand the cache invalidation probably needs to complete before the return from the revoke call, or you will have a race condition14:13
dstanekayoung: ++ revoke *needs* to remove the token from cache14:14
*** permalac has quit IRC14:14
ayoungI'm coming around to notmorgan 's way of thinking that a revoke check should be a sql query14:14
ayoungdstanek, not sure it is the token cache that is the problem.  it is the revoke event cache that needs to  be invalidated,14:15
*** nisha_ has quit IRC14:15
*** code-R_ has quit IRC14:15
*** nisha has joined #openstack-keystone14:15
samueldmqayoung: is there a possibility that reqA (invalidate token) and reqB (try something with that token) arrive at almost the same time14:15
samueldmqbut reqA returns later than reqB ?14:15
ayoungsamueldmq, not from a meaningful test14:16
stevemarsamueldmq: nisha can you start referencing this bug in the commit message that fixes the docstrings in keystoneclient? https://bugs.launchpad.net/python-keystoneclient/+bug/133076914:16
openstackLaunchpad bug 1330769 in python-keystoneclient "docstrings are inadequate" [Wishlist,In progress] - Assigned to Brant Knudson (blk-u)14:16
ayoungsamueldmq, the test itself is a single thread14:16
ayoungeven if the requests are handled by separate threads in Keystone, they should still be serialized by the test14:17
samueldmqayoung: ah you're correct14:17
ayoungwhat is failing?14:18
samueldmqayoung: in the test ?14:18
ayoungsamueldmq, in the gate14:18
samueldmqayoung: a revoked token is still valid after DELETE /tokens14:18
samueldmqwell, a token that is supposed to be revoked...14:19
samueldmqayoung: e.g http://logs.openstack.org/97/319497/1/check/gate-tempest-dsvm-full/25b34ec/console.html.gz#_2016-05-25_13_02_33_25514:20
*** dmellado has quit IRC14:21
samueldmqayoung: and see the test https://github.com/openstack/tempest/blob/ebcc070dc5e23a649a2c5875b1917f8bf8809ef4/tempest/api/identity/admin/v2/test_users_negative.py#L83-L9914:21
*** dmellado has joined #openstack-keystone14:21
ayounghow come that does not show up in http://git.openstack.org/cgit/openstack/tempest/tree/tempest/api/identity/v214:22
dstaneksamueldmq: this traceback is a little scary. i didn't read the test itself, but i'm assuming they tried to create a user and didn't specify a token; http://logs.openstack.org/97/319497/1/check/gate-tempest-dsvm-full/25b34ec/console.html.gz#_2016-05-25_13_02_33_25614:22
ayoungv2.test_users_negative14:22
ayoungis this a branch?   An old branch?14:22
ayoungadmin...missed that14:23
samueldmqdstanek: yes, see https://github.com/openstack/tempest/blob/ebcc070dc5e23a649a2c5875b1917f8bf8809ef4/tempest/api/identity/admin/v2/test_users_negative.py#L83-L9914:23
samueldmqdstanek: it actually tries an invalid token (revoked)14:23
ayounghttp://git.openstack.org/cgit/openstack/tempest/tree/tempest/api/identity/admin/v2/test_users_negative.py#n8514:23
dstanekok, so bad test name :-(14:23
samueldmqdstanek: ++14:24
*** sheel has joined #openstack-keystone14:24
samueldmqayoung: yes that's a better link :)14:24
ayoungOK, that is not "without a token" but rather with "recently revoked v2 token"14:24
samueldmqayoung: the same actually, nvm14:24
samueldmqayoung: exactly, which happens to still be valid14:24
ayoungsamueldmq, there was a race condition in posting the link14:25
samueldmqhehe14:25
ayoungok, so that hits...14:25
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/routers.py#n4114:26
ayoungright?14:26
ayoung  V2 delete?14:26
samueldmqyes14:26
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py#n45714:26
*** richm has joined #openstack-keystone14:26
ayoungno cache yet...14:26
samueldmqayoung: then http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py#n45214:27
ayoungpretty sure we can remove termie's comment14:27
ayoungthis stuff is not moving to middleware14:27
ayoungself.token_provider_api.revoke_token(token_id)14:28
samueldmqayoung: yes, this http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n43914:28
ayoungsamueldmq, so is this running with fernet that fails?14:29
samueldmqayoung: yes14:29
*** darosale has joined #openstack-keystone14:29
ayoungso should be the call to14:29
ayoung            self.revoke_api.revoke_by_audit_id(token_ref.audit_id)14:29
ayoungthat actually has some effect14:29
*** dmellado has quit IRC14:29
dstaneksamueldmq: ayoung: just trying to catch up and look at the code at the same time. if we delete a token i don't see how it gets out of the cache that validate uses14:30
*** dmellado has joined #openstack-keystone14:30
ayoungdstanek, neither do I14:30
ayoungdstanek, that is what I am just realizing14:30
dstanekayoung: so i was right earlier!14:31
samueldmqdstanek: ayoung: validate_non_persistent_token ?14:31
samueldmqor maybe even _validate_token14:31
dstanekif we have the token id we just need to remove it from the cache of those 3 methods14:31
*** spzala has quit IRC14:31
ayoungdstanek, I'm also realizing I don't like a lot of the checks we make that, if triggered, would result in us not recording the revoke event14:31
*** spzala has joined #openstack-keystone14:32
samueldmqbut if that's it, why does it only fail with fernet ?14:32
ayoungsamueldmq, fernet is the "non persisted" option14:33
openstackgerritMerged openstack/python-keystoneclient: Remove print in tests.functional.v3.test_implied_roles  https://review.openstack.org/33749414:33
dstaneksamueldmq: there are three validate methods using the MEMOIZE decorator in there. probably have to clear them all14:33
*** pnavarro has joined #openstack-keystone14:33
samueldmqoh wait, validate_v2_token calls validate_non_persistent_token directly14:33
*** sigmavirus_away is now known as sigmavirus14:33
*** sigmavirus is now known as bops14:33
ayoungotherwise we end up editing the token record and that gets updated in the cache14:34
*** darosale has quit IRC14:34
*** bops is now known as sigmavirus14:34
samueldmqsame for v3 ... yes, that seems to be the cache of validate_non_persistent_token ?14:34
bretonlots of bug mail from Steve14:35
dstanekbreton: he's like a nagging wife sometimes :-)14:35
openstackgerritMerged openstack/keystone: [doc/api]Remove space within word  https://review.openstack.org/33750914:36
*** spzala has quit IRC14:36
samueldmqdstanek: ayoung: see http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n42114:37
samueldmq# This method isn't actually called in the case of non-persistent14:37
samueldmq        # tokens, but we include the invalidation in case this ever changes14:37
samueldmq        # in the future.14:37
ayoungsamueldmq, right14:37
samueldmqayoung: dstanek: that's why I had this https://review.openstack.org/#/c/316991/14:37
patchbotsamueldmq: patch 316991 - keystone - Invalidate token cache after token delete14:37
samueldmqto make cache invalidation happen for fernet too14:37
ayoungI think a call to that line needs to be at the bottom of14:37
ayoungdelete_tokens14:38
*** tonytan4ever has quit IRC14:39
dstaneksamueldmq: what calls that?14:39
samueldmqayoung: that's basically what I am doing in that patch, placing the invalidate call at revoke_token14:39
dstanekayoung: ++14:39
*** tonytan4ever has joined #openstack-keystone14:39
samueldmqdstanek: previously it was just the persistence layer14:39
ayoungso why is that one failing?14:40
samueldmqin that patch I want the token provider to call it after a token revoke14:40
samueldmqso it's executed regardless of token type (persistent or not)14:40
ayoung keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_unscoped_token14:40
ayoungkeystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user_and_tenant14:40
samueldmqayoung: I haven't taken a deeper look (at least not recently)14:41
ayoungkeystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_user14:41
ayoung keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_scoped_token_by_id14:41
samueldmqayoung: but it looks like tests were calling the persistence layer and expecting the cache to be revoked ?14:41
ayoungI'm seeing a pattern14:41
dstaneksamueldmq: if our persistence layer is clearing the cache then we are just doing it wrong14:41
dstanekthat is super sad actually :-(14:41
*** nisha has quit IRC14:42
samueldmqdstanek: yes, that's happening... which means fernet doesn't invalidate validate cache at all :(14:42
samueldmqI can't remember why I thought that wasn't the main issue anymore at the time14:43
*** ddieterly has joined #openstack-keystone14:43
samueldmqlet's see if 319497 breaks; then I can rebase it on 316991 and see what happens14:43
*** itisha has joined #openstack-keystone14:43
*** haneef has quit IRC14:43
ayoung2a7db0e3 (Samuel de Medeiros Queiroz 2016-03-04 14:16:31 -0300 534)     def test_delete_scoped_token_by_id(self):14:44
ayoungbut that looks like it was a refactoring14:44
ayounghenrynash_ did it14:46
ayoungnope it was notmorgan !14:46
ayoungI take that back.  It was henrynash_14:47
ayounggit show 07a080d314:47
*** raildo is now known as raildo-afk14:47
*** raildo-afk is now known as raildo14:47
samueldmqayoung: yes, it's bypassing the provider by calling self.token_provider_api._persistence.delete_tokens14:49
samueldmqayoung: I just need to fix the tests to call the token_provider itself14:50
samueldmqayoung: dstanek: I remember someone told me that it doesn't matter at the end because the revocation events should revoke the token14:51
samueldmqeven if validate_token returned success14:51
samueldmqquestion is whether revoke logic has always been broken, and properly invalidating the cache was doing the work :-)14:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Invalidate token cache after token delete  https://review.openstack.org/31699114:56
samueldmqayoung: or simply call it too in the provider ^14:56
samueldmqlet's see how that goes14:56
samueldmqbrb14:56
samueldmqdstanek: ^ you too :)14:56
*** code-R has quit IRC14:58
*** timcline has joined #openstack-keystone14:59
*** spzala has joined #openstack-keystone15:00
*** code-R has joined #openstack-keystone15:01
*** KevinE has joined #openstack-keystone15:01
*** KevinE_ has joined #openstack-keystone15:02
*** phalmos has joined #openstack-keystone15:03
*** ddieterly is now known as ddieterly[away]15:05
*** KevinE has quit IRC15:05
*** chrisshattuck has joined #openstack-keystone15:06
*** code-R has quit IRC15:06
*** diazjf has joined #openstack-keystone15:06
*** danpawlik has quit IRC15:07
bretonoh how i love cache issues15:10
bretonfixed a cache issue and found 3 in tests15:11
*** roxanagh_ has joined #openstack-keystone15:11
*** BjoernT has joined #openstack-keystone15:13
*** roxanagh_ has quit IRC15:16
openstackgerritMerged openstack/keystone: Fixed a Typo  https://review.openstack.org/33763615:24
openstackgerritMerged openstack/keystone: Remove unused LOG  https://review.openstack.org/33746615:25
openstackgerritMerged openstack/keystone: Docs: Fix the query params in role_assignments example  https://review.openstack.org/33763215:26
*** yolanda has quit IRC15:28
*** yolanda has joined #openstack-keystone15:30
*** openstackgerrit has quit IRC15:33
*** openstackgerrit has joined #openstack-keystone15:33
*** jed56 has quit IRC15:35
*** ddieterly[away] is now known as ddieterly15:36
*** code-R has joined #openstack-keystone15:37
*** haneef_ has quit IRC15:37
*** maestropandy has quit IRC15:38
*** harlowja has joined #openstack-keystone15:40
*** code-R_ has joined #openstack-keystone15:42
*** code-R has quit IRC15:45
*** gyee has joined #openstack-keystone15:45
*** ChanServ sets mode: +v gyee15:45
*** TxGVNN has quit IRC15:48
*** fangxu has quit IRC15:53
*** yolanda has quit IRC15:55
*** yolanda has joined #openstack-keystone15:56
*** spzala has quit IRC16:01
*** sdake has joined #openstack-keystone16:06
*** spzala has joined #openstack-keystone16:07
*** henrynash has joined #openstack-keystone16:08
*** ChanServ sets mode: +v henrynash16:08
henrynash_ayoung: what did I break?16:08
ayounghenrynash_, just common sense16:08
ayounghenrynash_, heh...the issue is that the tests for revocation16:09
*** spzala has quit IRC16:09
ayounghitting the sql backend was then checking for revocations16:09
*** spzala has joined #openstack-keystone16:09
ayoung which does not make sense in a non-persisted-token-world16:09
henrynash_ayoung: hmm, oops16:09
ayounghenrynash_, samueldmq is working on getting around that.  Be willing to provide feedback on the reviews where we might have to yank the tests,16:10
ayoungsurprised it took this long to trip over those assumptions16:11
*** sdake has quit IRC16:11
henrynash_ok16:11
*** roxanagh_ has joined #openstack-keystone16:12
henrynash_so I have a dumb question (which I should know the answer to, but clearly do not): if you upgrade keystone (say Liberty to Mitaka), does it automatically run (the equivalent of) a db_sync to migrate the DB or is that always a manual step (as an aside, can’t find any documentation on upgrading keystone in our docs)…16:12
*** adu has joined #openstack-keystone16:14
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: DO NOT MERGE: Test fix for fernet race condition  https://review.openstack.org/31949716:16
*** roxanagh_ has quit IRC16:16
ayounghenrynash_, no automatice16:16
ayoungs16:16
samueldmqayoung: dstanek: henrynash: ^added depends-on the patch that does explicit revocation for fernet ^16:17
ayoungno automatic migration.  You need to explicitly run it,  and therein lies a problem16:17
samueldmqlet's hear what jenkins sats16:17
samueldmqsays16:17
henrynash_ayoung: ah, ok….that explains why I can’t find any code that does that!16:17
ayoungsamueldmq, there is no code in that commit16:17
ayoungjust docs16:17
samueldmqthat's just to test the gate16:17
samueldmqayoung: it depends on a devstack change that enables fernet, and on my cache change16:18
samueldmqayoung: it doesn't matter what that patch actually does, just want to run the gates16:18
*** nisha has joined #openstack-keystone16:21
*** bjornar_ has quit IRC16:22
openstackgerrithenry-nash proposed openstack/keystone-specs: Add migration-complete step to keystone-manage  https://review.openstack.org/33768016:24
openstackgerrithenry-nash proposed openstack/keystone-specs: Add migration-complete step to keystone-manage  https://review.openstack.org/33768016:24
openstackgerritBoris Bobrov proposed openstack/keystone: Fix cache invalidation  https://review.openstack.org/32788516:26
*** code-R_ has quit IRC16:27
*** code-R has joined #openstack-keystone16:27
*** yolanda has quit IRC16:28
*** spzala has quit IRC16:30
*** yolanda has joined #openstack-keystone16:31
*** rcernin has quit IRC16:31
*** spzala has joined #openstack-keystone16:33
*** tesseract- has quit IRC16:33
*** pcaruana has quit IRC16:33
*** hogepodge has quit IRC16:34
bretonhow do we set id for @decorators.idempotent_id ?16:37
bretonjust copypasting from uuid4() or somehow else?16:37
*** spzala has quit IRC16:37
dstanekbreton: what is decorators.idempotent_id?16:38
bretondstanek: it is used in keystone_tempest_plugin/tests/api/identity/v3/test_identity_providers.py for example: https://github.com/openstack/keystone/blob/master/keystone_tempest_plugin/tests/api/identity/v3/test_identity_providers.py#L4916:40
bretonit seems that there is a tool for that, http://docs.openstack.org/developer/tempest/HACKING.html#test-identification-with-idempotent-id16:40
*** hogepodge has joined #openstack-keystone16:41
*** KevinE_ has quit IRC16:42
*** tonytan_brb has joined #openstack-keystone16:44
*** KevinE has joined #openstack-keystone16:45
*** tonytan4ever has quit IRC16:46
rodrigodsbreton, check-uuid --fix16:47
rodrigodsyou pass the package you want to fix16:47
rodrigodsbreton, check-uuid --fix keystone_tempest_plugin (if you are trying to fix some tests there)16:47
bretonrodrigods: oh, since you are here, i have more questions16:49
*** hogepodge has quit IRC16:50
rodrigodsbreton, cool, ask away16:50
bretonrodrigods: why do we need keystone_tempest_plugin/services/identity/clients.py:Federation and all the methods there? Are they used by something?16:50
rodrigodsbreton, they are for the federation API clients16:50
rodrigodstoo much code in common16:50
bretonrodrigods: nevermind, see where they are used already16:50
bretonrodrigods: so that code basically reimplements keystoneclient, but more lightweight?16:51
rodrigodsbreton, yeah... the idea in tempest is to not call the python clients16:51
*** jpena is now known as jpena|off16:51
bretonrodrigods: cool. So to implement code to work with catalog i need to subclass clients.Identity and implement my methods there?16:52
rodrigodsbreton, yeah, basically :)16:53
rodrigodsbreton, remember to keep them as simple as possible, just JSON parsing16:53
* rodrigods is glad someone else is adding integration tests :)16:53
bretonrodrigods: suppose i want to run test_identity_provider_create. What do i need to do that?16:55
rodrigodsbreton, install/config tempest / execute the tests via "tox -e all-plugin -- keystone"16:56
rodrigodsoops, tox -e all-plugin -- test_identity_provider_create16:56
rodrigodsor... you can use testr: testr run test_identity_provider_create16:56
bretonrodrigods: so basically perform steps from http://docs.openstack.org/developer/tempest/overview.html#quickstart and tox -e all-plugin -- test_identity_provider_create?16:57
rodrigodsbreton, you don't need a "tempest init", just pip install tempest, create a tempest.conf inside tempest/etc and you should be fine16:58
rodrigodsbreton, if you are using devstack, it is already done for you16:59
rodrigodsbreton, you just need to run the tests16:59
*** diazjf has quit IRC16:59
*** adu has quit IRC17:00
bretonrodrigods: got it, thanks17:00
*** spzala has joined #openstack-keystone17:02
*** spzala has quit IRC17:02
*** ayoung has quit IRC17:02
*** hogepodge has joined #openstack-keystone17:02
samueldmqis anyone here familiar with CORS ?17:04
*** permalac has joined #openstack-keystone17:09
*** yolanda has quit IRC17:09
xeksamueldmq, I did a simple "allow all" configuration a while ago17:10
samueldmqxek: nice, I have a quick question about it17:11
samueldmqxek: if I have 2 servers: 1 for serving pages and another for the REST API17:12
samueldmqxek: when my browser gets a page and that page tries to access the REST API that fails17:12
samueldmqxek: that's a CORS issue right ?17:12
*** adu has joined #openstack-keystone17:13
xeksamueldmq, may be... check for the "Access-Control-Allow-Origin" header, it also needs to return this header when queried with http OPTIONS command17:13
bretonrodrigods: how does tempest know my identity service url?17:14
samueldmqxek: who should set, let's say, 'Access-Control-Allow-Origin: *' ?17:14
rodrigodsbreton, a config at tempest.conf17:14
samueldmqxek: the server serving the pages?17:14
samueldmqxek: or the server with REST API?17:14
xeksamueldmq, the api service17:14
*** tqtran has joined #openstack-keystone17:14
bretonrodrigods: http://paste.openstack.org/show/526046/ this is my tempest.conf. Should i add anything there?17:15
samueldmqxek: if I am understanding correctly it should be the server serving the pages, to tell the browser to trust the other server with APIs17:15
samueldmqxek: isn't this right ?17:15
bretonrodrigods: that's not devstack17:15
rodrigodsbreton, yep, let me show you an example17:15
bretonrodrigods: found it at http://docs.openstack.org/developer/tempest/configuration.html#tempest-configuration, but would love to see yours17:16
xeksamueldmq, I'm pretty certain it's the api service - it controls whether it is safe to call it from other pages17:16
*** rcernin has joined #openstack-keystone17:17
*** hogepodge has quit IRC17:17
bretonrodrigods: oh, it already was in etc.17:17
rodrigodsbreton, http://paste.openstack.org/show/526048/17:17
rodrigodsbreton, cool17:18
samueldmqxek: hmm, I thought the interface should specify to the browser that it's safe to ask something from the API server17:18
samueldmqxek: rather than the API server saying to browser, hey it's okay to call me17:18
bretonrodrigods: perfect, thanks17:18
*** ddieterly is now known as ddieterly[away]17:19
xeksamueldmq, that way a hacker could build a page that calls any other site, maybe with the users credentials with which they logged in17:20
samueldmqxek: on the other way, what if the page is modified locally to call an untrusted API?17:22
*** mdavidson has joined #openstack-keystone17:23
*** hogepodge has joined #openstack-keystone17:23
xeksamueldmq, there will be a javascript error when using the xmlhttprequest api17:23
*** adu has quit IRC17:24
*** spzala has joined #openstack-keystone17:24
bretonrodrigods: what directory should i run "tox -e all-plugins -- keystone" in?17:24
rodrigodsbreton, tempest root17:24
rodrigodsbreton, you can also run testr init; testr run keystone17:25
xeksamueldmq, but you may still do a POST to an external page, which is sometimes used (also by hackers) to do cross-site scripting17:25
samueldmqxek: hmm, interesting17:25
samueldmqxek: the page came from server1 and is on user's browser17:25
samueldmqxek: page wants to make GET /v3/users on server2 (API server)17:26
samueldmqxek: then server2 must specify that it allows receiving requests from cross origin ? is that right ?17:26
xeksamueldmq, the absence of the header will prevent the script from reading the response17:27
xeksamueldmq, in case of a post, it would first do an OPTIONS query, and only if the OPTIONS query returns a proper header, it will do a real POST17:28
samueldmqxek: so the request to server2 (API) comes with an info saying the request originally came from a page that was originated on server117:28
samueldmqxek: something like that ..17:28
bretonrodrigods: how do i run it from tempest root if i installed tempest from pip? :)17:28
*** hogepodge has quit IRC17:28
xeksamueldmq, not sure about other methods, but probably they follow the same scenario, that modifying queries first do an OPTIONS query17:28
bretonrodrigods: or i shouldn't do it? :)17:29
xeksamueldmq, no, the header contains the info what is allowed, and the browser decides17:29
rodrigodsbreton, ah... then you need to create a "cloud"17:32
rodrigodsbreton, like described in the link you pasted above17:32
*** fangxu has joined #openstack-keystone17:32
*** tonytan_brb has quit IRC17:34
*** fangxu has quit IRC17:34
*** bjornar_ has joined #openstack-keystone17:35
stevemarsamueldmq: added you to https://review.openstack.org/#/c/337805/117:35
patchbotstevemar: patch 337805 - api-site - use in-tree docs for identity APIs17:35
stevemarsamueldmq: please take a look17:35
*** hogepodge has joined #openstack-keystone17:36
*** nisha_ has joined #openstack-keystone17:36
*** nisha has quit IRC17:40
*** gagehugo has joined #openstack-keystone17:40
samueldmqstevemar: looking at https://review.openstack.org/#/c/337805/1/www/static/.htaccess17:42
patchbotsamueldmq: patch 337805 - api-site - use in-tree docs for identity APIs17:42
samueldmqstevemar: first URL gets redirected to second one, right ?17:42
*** bjornar_ has quit IRC17:44
*** gagehugo has quit IRC17:47
*** gagehugo has joined #openstack-keystone17:50
*** shaleh has joined #openstack-keystone17:53
*** jaugustine has joined #openstack-keystone17:55
*** hogepodge has quit IRC17:55
stevemarmeeting time!17:59
stevemartime to jump over to -meeting! ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, jorge_munoz, knikolla, lbragstad, lhcheng, marekd, MaxPC, morgan, nkinder, notmorgan, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tjcocozz, tsymanczyk, topol, vivekd, wanghong, xek17:59
samueldmqdstanek: patch 319497 just failed, even depending on the other patch that invalidates the cache :(18:10
patchbotsamueldmq: https://review.openstack.org/#/c/319497/ - keystone - DO NOT MERGE: Test fix for fernet race condition18:10
dstaneksamueldmq: hmmm....that's not good18:10
*** adu has joined #openstack-keystone18:13
-openstackstatus- NOTICE: Job instability resulting from a block storage connectivity error on mirror.iad.rax.openstack.org has been corrected; jobs running in rax-iad should be more reliable again.18:14
*** tonytan4ever has joined #openstack-keystone18:15
*** ddieterly[away] is now known as ddieterly18:16
*** ayoung has joined #openstack-keystone18:16
*** ChanServ sets mode: +v ayoung18:16
*** adu has quit IRC18:20
*** spzala has quit IRC18:21
*** hogepodge has joined #openstack-keystone18:26
*** diazjf has joined #openstack-keystone18:27
*** pnavarro has quit IRC18:30
*** diazjf has quit IRC18:31
*** diazjf has joined #openstack-keystone18:34
*** diazjf has quit IRC18:40
*** thiagolib has joined #openstack-keystone18:45
*** code-R has quit IRC18:50
*** hogepodge has quit IRC18:53
*** diazjf has joined #openstack-keystone18:54
*** bjornar_ has joined #openstack-keystone18:55
*** diazjf has quit IRC18:57
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 services  https://review.openstack.org/33727418:57
*** gagehugo has quit IRC18:58
*** M00nr41n has quit IRC18:58
*** M00nr41n has joined #openstack-keystone19:00
*** diazjf has joined #openstack-keystone19:00
stevemarkeystoners, assemble again!19:00
*** hogepodge has joined #openstack-keystone19:00
ayounghenrynash, so, I was thinking that migrations would need to run in two steps19:00
henrynashayoung: that’s kind of what the spec says19:01
stevemarhenrynash: include any references to how nova claims they will do it19:01
ayounghenrynash, I was thinking of it in terms of a state machine19:01
henrynashstevemar: will do19:01
stevemarthis one seems like a slam dunk though19:01
dolphmhenrynash: ayoung: ++19:01
ayounghenrynash, so we have two conflicting approaches.  We do upgrades from major release to major release only19:01
ayoungMitaka to Newton for example19:01
ayoungbut then others track master19:01
ayoungand "migrations complete" would, I think, make it hard to handle both cases.  I think we need to discuss things a little more granularly19:02
henrynashayoung: hmm, I agree19:02
jamielennoxhenrynash: i feel like we're still missing a code layer that can deal with 2 different versions of the database though right?19:02
shalehjamielennox: pretty much19:02
ayounghenrynash, so...remember back when I wanted each extension to have its own migration?  It was thinking along these lines:19:03
ayoungwhen we add a feature, we want to touch as little code as possible19:03
henrynashayoung: I was too, but I don't think one db can be controlled by two different version repos19:03
dolphmhenrynash: ayoung: if we had a read-only mode for keystone, where it knew it wasn't allowed to accept write requests, we could workaround a lot of issues like this. so, limited functionality while we can maintain "zero downtime"19:03
ayoungdolphm, I think that might be a useful tool, and address some of the issues, but not all19:03
shalehdolphm: yeah, that has come up a bit lately and would be a great idea.19:03
henrynashayoung: and we, for instance, add new attributes to existing tables in the main repo in a migration19:03
dolphmshaleh: do you know if that approach would work for other services?19:04
henrynashayoung: I need to go offline for a bit. I’ll be back on later19:04
ayoungdolphm, however...if we split revocations into a separate db backend, and said "read only for all but revocations" we would be in a better place19:04
jamielennoxdolphm: tables are all still locked for reading when doing a migration with table changes right? so it wouldn't continue to just work19:04
dolphmshaleh: it only makes sense for us (to me) because we have fernet19:04
ayoungdolphm, so...take that idea one step further19:04
dstanekdolphm: shadow users makes read-only mode a little harder now19:04
dolphmdstanek: ++19:04
shalehdolphm: even without Fernet, in the UUID case we could validate but not create tokens.19:04
dolphmshaleh: right, but we can do our entire auth lifecycle without writing if you're using fernet19:05
dolphmso, zero downtime for our primary use case19:05
ayoungdolphm, thought experiment here (not seriously proposing)  if we were to split Keystone up into separate microservices, such that id, assignment, policy, auth, revoke ran on separate servers, and we had to migrate each individually19:05
dstanekdolphm: when you auth (depending on the type of user) we will do a write19:05
shalehdolphm: true.19:05
ayoungand yet maintain 100% uptime19:05
ayoungwe would have separate migrations on each server for both code and database19:05
shalehdolphm: as for other services I think it would be a challenge but there is a minimal case for many/most of them for read-only.19:06
dstanekdolphm: aren't we doing some kind of last activity in addition to the last auth?19:06
shalehdolphm: I think Nova would be a challenge.19:06
ayoungwhat if we had separate sql repos for each, or if we used alembic which, IIUC, does a dependency tree for sql migrations?19:06
shalehI have to head to the office now. Laters all.19:07
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add service functional tests  https://review.openstack.org/33735119:07
ayoungshaleh, wait19:07
ayoungshaleh, are you going to finish the OSC work for implied roles?19:07
*** jaugustine has quit IRC19:07
ayoungor should I grab it back19:07
*** code-R has joined #openstack-keystone19:07
shalehayoung: grab it back if you need it now. Sorry, I was being bounced around on issues at work for a bit.19:07
dolphmdstanek: yes, but you could sacrifice that functionality during an upgrade19:08
ayoungshaleh, NP...just needed to know19:08
dstanekdolphm: i don19:08
dstanekt think it's impossible, just that it's going to litter our code with checks for the 'is_read_only'. so we'll have to come up with a way to do it right19:09
ayoungdolphm, OK, so my whole rant against nested/hmt in domains...it was based on the work you are addressing for auto-provisioning.  If we need to sync two trees, somehow, we need to be able to treat the project-under-domain as a namespace.  That is really what I think is broken, and I don't know how to make it work with the existing restrictions19:11
*** clenimar has quit IRC19:12
dolphmayoung: "if we need to sync two trees" - why would you need to sync more than a group of projects under a single parent at a time?19:12
*** shaleh has quit IRC19:13
*** bjornar_ has quit IRC19:13
notmorgandolphm: ++19:17
ayoungdolphm, K2K19:19
ayoungJohn comes from BU,  Mary from Northeastern19:19
*** julim has quit IRC19:19
ayoungthey both come into the project at MIT19:19
ayoungboth have a project called "test"19:20
ayoungnow, whichone gets there first would get a project called test19:20
dolphmayoung: so map them into separate parent projects to avoid that, right?19:20
notmorgandolphm: well domains. but yes.19:22
dolphmnotmorgan: i hesitated on which term to use, but yes, a project acting as a domain at the very least19:22
ayoungnotmorgan, domains are a keystone concept19:22
ayoungquota is not19:22
ayoungwe've made a special kind of hell for admins here19:22
ayoungor...we find a way to work both projects into the same domain19:23
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 policies  https://review.openstack.org/33782919:23
ayoungand then we don't get lynched19:24
dolphmayoung: if they're coming in from different IdP's, I'd like to map them into separate domains19:24
ayoungcuz it would probably take until the Boston summit for the lynchmob to find us, and I don't want to be lynched at home19:24
ayoungdolphm, but they are coming out of the same quota.19:24
ayoungneed to be in a single tree somehow19:24
notmorgani don't see mapping multiple idps to a single domain as viable in the current way keystone works?19:25
dolphmayoung: so, two projects acting as domains under the same parent domain, where the quota actually is set?19:25
*** sheel has quit IRC19:25
notmorgandidn't we say idps need to be mapped uniquely to domains?19:26
ayoungdolphm, as I said, a special hell for admins19:26
*** hogepodge has quit IRC19:27
*** slberger has joined #openstack-keystone19:27
dstanekayoung: how would 2 different users with two different projects be under the same quota?19:28
ayoungdstanek, you mean to say we should not allow this?19:28
dstanekayoung: no, i don't understand the usecase19:29
*** hogepodge has joined #openstack-keystone19:29
dstanekayoung: just trying to follow along19:29
ayoungdstanek, I set up an organizational project on  RAX.  It's paid for by me.  I pull together people from different regions to work there19:29
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 policies  https://review.openstack.org/33782919:29
ayoungits all out of my quota19:30
dstanekayoung: i can see a project quota on a project that both users are using....just in your example it seems that there a two different projects19:30
ayoungpeople do their work at home, and then sync it up to rax19:30
ayoungdstanek, project is the unit of security and info hiding in Openstack19:30
dstanekayoung: i guess what i don't get is "now, whichone gets there first would get a project called test"19:30
ayoungso two team members each have a hierarchy of stuff they are working on, and want to share with each other19:31
dstanekthat seems unrelated to quota19:31
*** gyee has quit IRC19:31
ayoungdstanek, each has a project called "wordpress" that they want to share with other members of the team19:31
ayoungdstanek, quota is simply "who pays for it"19:33
ayoungif the resource is paid for by a user ,they need to be able to create subprojects underneath that and divvy out access to other people19:34
*** nisha_ has quit IRC19:36
openstackgerritDavid Stanek proposed openstack/python-keystoneclient: WIP: Response objects from Manager methods  https://review.openstack.org/32991319:36
openstackgerritDavid Stanek proposed openstack/python-keystoneclient: Use the adapter instead of the client in tests  https://review.openstack.org/33783519:36
dstanekayoung: yeah, i get all that. i wasn't getting how it's a rebuttal to dolphm's point19:37
*** nisha_ has joined #openstack-keystone19:37
*** spzala has joined #openstack-keystone19:39
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add policy functional tests  https://review.openstack.org/33783619:39
*** ddieterly is now known as ddieterly[away]19:40
ayoungdstanek, my point is that we can't inflict domains on the other projects.  We need to make projects nestable, and the project name needs to act as a namespace.  Something that dolphm and notmorgan had said is too risky to allow.  I argue that the alternative, trying to allow nesting anywhere else, will confuse people even more greatly than this.  To gyee's point in the meeting that we needed namespacing...sure...we just19:41
ayoung didn't need a different namespace object (domain) from what we already had (tenant) and introducing it really does not make things at all clearer.19:41
ayoungThe namespace should be a single hierarchy19:41
ayounglike URLS, or like the filesystem in an OS19:42
stevemarbreton: "lots of bug mail from Steve" :)19:42
stevemargotta smash those old bugs19:42
*** hogepodge has quit IRC19:43
*** hogepodge has joined #openstack-keystone19:44
*** nisha_ has quit IRC19:44
*** julim has joined #openstack-keystone19:45
dstanekayoung: i agree. that's why i like nested domains instead of projects. but i do realize that nobody outside of keystone understands domains19:46
dstanekayoung: i think of domains like directories and projects like files19:46
ayoungdstanek, projects are like directories and resources are like files19:46
ayoungdomains are like mountpoints19:47
dstanekthe problem i have with that and our current HMT impl is 'is_domain'19:47
dstaneki find it terrible because it's the exact opposite of refactoring and makes me sad19:47
*** roxanagh_ has joined #openstack-keystone19:48
dstanekmaybe that wouldn't have happened if there was only nested projects...but i don't know19:48
raildodstanek, ++ I think the problem with is_domain is only this feature it's not enough, we need to extend it to provide subproject with is_domain, and the quota for domain, to this change make sense19:50
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 policies  https://review.openstack.org/33782919:51
*** roxanagh_ has quit IRC19:52
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 services  https://review.openstack.org/33727419:55
dstanekraildo: i think the fact that we have a boolean value at all is bad19:55
dstanekyou wouldn't have a single object represent a user and a group19:56
raildodstanek, yes, that's why on the first phase we made at this way, focus in remove the domain concept after that, and only have one single 'project' object19:57
*** toddnni has joined #openstack-keystone19:58
dstanekwill a project behave differently if it's a domain w/ users vs. a project of resources?19:58
raildodstanek, no, it will be always a project, but sometimes can have a plus feature on it.19:58
raildodstanek, when you need this feature (be a namespace), you can enable it19:59
dstanekwhat is a 'plus feature'?19:59
raildodstanek, provide reseller for example, if need it, you can make project is_domain and handle with user, if you don't need, you can create just a regular project and handle only with resources20:00
dstanekraildo: that's my point. those should be two distinct objects in code20:01
*** sheel has joined #openstack-keystone20:01
raildoI'm not saying it is the best solution, but hmt and reseller it is a huge change and it was not easy everyone happy20:02
raildodstanek, the problem was, have one kind of object in single hierarchy20:03
raildo(only project hierarchy)20:03
raildoor have two kinds of objects in a single hierarchy20:03
raildodomain -> domain -> project -> project20:03
*** ddieterly[away] is now known as ddieterly20:03
raildowe choose keep with one single object, adding this flag20:04
raildoand after that, try to remove domains concept20:04
raildosince, every other service works with project20:04
dstanekbut even if domains no longer exist you would need the is_domain to deal with behavior differences right?20:05
stevemarthis change is hilarious: https://review.openstack.org/#/c/337808/20:05
patchbotstevemar: patch 337808 - api-site - remove identity APIs20:05
stevemar+0, -4789220:05
stevemargotta pad my stackalytics stats20:06
raildodstanek, hum.. kind of, I think we can think in a better (and small) change to improve this point20:06
*** diazjf has quit IRC20:08
raildostevemar, the top8 LOC changes on stackalytics have 47k, you will have 42K only on this change :P20:09
stevemarbuahahaha20:09
stevemari probably have a handful only now20:09
stevemari haven't written any code \o/20:09
raildostevemar, lol20:09
raildohow to crack stackalytics, by stevemar20:10
*** bjornar_ has joined #openstack-keystone20:16
samueldmqstevemar: that change is great20:23
samueldmq:)20:23
*** samueldmq has quit IRC20:24
*** spzala has quit IRC20:28
*** spzala has joined #openstack-keystone20:29
*** hogepodge has quit IRC20:29
*** hogepodge has joined #openstack-keystone20:31
*** maestropandy has joined #openstack-keystone20:31
*** spzala has quit IRC20:34
*** raildo is now known as raildo-afk20:44
*** hogepodge has quit IRC20:45
*** hogepodge has joined #openstack-keystone20:47
*** spzala has joined #openstack-keystone20:49
ayoungcrud...I need hotel reservations. what hotel for midcycle again?20:53
*** gyee has joined #openstack-keystone20:55
*** ChanServ sets mode: +v gyee20:55
*** chrisshattuck has quit IRC20:59
openstackgerritMerged openstack/keystone: Fixes hacking's handling of log hints  https://review.openstack.org/33670820:59
*** chrisshattuck has joined #openstack-keystone21:07
*** hogepodge has quit IRC21:09
*** tonytan4ever has quit IRC21:09
*** diazjf has joined #openstack-keystone21:11
*** hogepodge has joined #openstack-keystone21:14
stevemarayoung: i'm at an awful one near the airport21:21
stevemargonna be driving in everyday21:21
stevemarmaybe topol will be the chauffeur21:21
ayoungstevemar, who else is there?  We have a quorum21:22
*** pauloewerton has quit IRC21:22
stevemarayoung: i think it's just us schmucks from ibm that are stuck at the airport hotel21:25
ayoungstevemar, that is 5 pax though21:25
ayoungyou, topol, henrynash bknudson_ jamielennox right?21:25
stevemarayoung: probably21:26
ayoungwhich hotel?21:27
stevemarayoung: https://goo.gl/maps/q4yeMa5hckz21:27
stevemarayoung: the nice thing is, there's transit that goes to the office consistently21:28
*** phalmos has quit IRC21:29
stevemardolphm: dstanek lbragstad gyee which hotel are you guys at?21:30
gyeestevemar, I am staying at my home21:31
stevemargyee: got room for a few more? :)21:31
gyee1 hr commute to Cisco so I'll be up early21:31
stevemargyee: are shalel and roxanaghe joining us ? :)21:31
ayounghmmm 300+ night  not gonna work21:31
gyeestevemar, yes21:31
ayoungI might end up bunking with gyee21:32
stevemargyee: \o/21:32
stevemar300/night?!21:32
gyeelet me put up my house on airbnb21:32
notmorgancburgess: ping - please coordinate with stevemar21:33
*** diazjf has quit IRC21:33
notmorgancburgess: re midcycle, I may/may not make it.21:33
stevemarcburgess: o/21:33
notmorgansince i have travel on either side of it already21:33
*** diazjf has joined #openstack-keystone21:34
stevemarcburgess: i have no idea what i have to coordinate with you on, but i'm here to help!21:34
notmorganstevemar, cburgess: just final location / other details21:34
notmorganrooms, etc21:34
cburgessnotmorgan stevemar Right21:34
cburgessnotmorgan stevemar I will follow-up on the final details this week and get them to you stevemar21:34
stevemarcburgess: works for me :)21:35
ayoungWOw...air BnB21:35
cburgessstevemar What does the count stand at right now?21:35
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716921:35
notmorgancburgess: uhmmm.21:35
stevemarcburgess: https://docs.google.com/spreadsheets/d/1qTupqEyYwXnNnO-sW0kRhh-I9hvpPHA7QAuewXnw6AA/edit 28, if you include the tentatives21:36
cburgessstevemar Thanks21:36
cburgessstevemar Is 30 a good final number we can lock in?21:36
stevemarcburgess: i'd say so21:36
*** roxanagh_ has joined #openstack-keystone21:36
stevemarcburgess: we've never had more than 3021:36
cburgessstevemar OK I see 19 confirmed and 8 tentative21:36
stevemarit's already -1, lin cheng won't attend21:37
notmorgan35 initial limit was because bay area opened a few doors for more folks21:37
cburgessstevemar OK great. Let me get with the people doing the setup and confirm the details. I will probably need some info from each attendee ahead of time to pre-create the network access passes for them. I'll let you know what I end up needing.21:37
notmorganbut 30 is safe.21:37
stevemarjamielennox: you attending midcycle?21:37
notmorganesp at this point21:37
notmorganstevemar: he said he was unlikely to21:37
notmorgani think in the meeting today21:37
stevemarcburgess: sounds good21:37
stevemarcburgess: i can get you that info quickly (probably)21:38
cburgessstevemar Great. Let me find out what info I need.21:38
stevemarcburgess: the biggest issue is making sure we all have wifi access :D21:38
cburgessstevemar Yup. That's why I want to pre-create the account. Should help eliminate some of the bottleneck.21:39
notmorganstevemar: it will require MAC Address, Social Security Number (sorry if you're not a US citizen), Bank Account Number, Mother's maiden name, passport-style photograph, encryption keys (private), and finally your left leg. ( :P )21:39
openstackgerritShawn Berger proposed openstack/keystone: Added name to duplicate entry error message.  https://review.openstack.org/33789221:39
notmorgancburgess: ^ sound about right? hehe21:39
notmorganj/k21:39
stevemar:)21:39
notmorgan^_^21:39
cburgessLOL21:39
cburgessWe aren't *that* bad.21:39
stevemarbreton: you are not attending? :(21:39
*** roxanagh_ has quit IRC21:41
*** ddieterly is now known as ddieterly[away]21:42
stevemarbreton: do i need to find dims and talk to him21:42
*** sigmavirus is now known as sigmavirus_away21:42
*** diazjf has quit IRC21:43
*** tonytan4ever has joined #openstack-keystone21:49
bretonstevemar: the midcycle? Nope, sorry. But i'll be happy to participate if you do something like Hangouts or other conferencing21:59
*** ddieterly[away] is now known as ddieterly22:06
*** KevinE has quit IRC22:07
ayounggyee, 36 minutes dublin to SJO without traffic. How long think it will take when you do this during the mid cycle?22:07
*** BjoernT has quit IRC22:11
*** ddieterly is now known as ddieterly[away]22:11
dstanekstevemar: don't remember :-) checking now22:14
openstackgerritMerged openstack/keystone: Use skip_test_overrides everywhere we feature skip  https://review.openstack.org/33671822:14
dstanekstevemar: hyatt regency santa clara22:17
*** ddieterly[away] is now known as ddieterly22:17
*** adu has joined #openstack-keystone22:18
*** timcline has quit IRC22:21
*** timcline has joined #openstack-keystone22:22
stevemarbreton: i'll see what we can arrange22:26
stevemarayoung: dstanek at hyatt regency santa clara22:26
*** timcline has quit IRC22:26
ayoungstevemar, any sort of code to get the price down?22:26
ayoung$381 USD22:27
ayoungFull prepayment required, non-refundable, no date changes.22:27
ayounggoes up from there22:27
stevemarnot that i know of22:28
*** spzala has quit IRC22:29
*** maestropandy has quit IRC22:29
*** spzala has joined #openstack-keystone22:30
*** spzala has quit IRC22:34
*** ddieterly is now known as ddieterly[away]22:36
*** ddieterly[away] has quit IRC22:36
*** sheel has quit IRC22:45
dstanekayoung: is that per night?22:46
dstaneki'm almost 100% sure that dolph and lance are both at that hotel22:47
dstanekayoung: i booked it at 259 per night for 3 nights22:48
*** timcline has joined #openstack-keystone22:52
*** timcline has quit IRC22:57
*** gordc has quit IRC22:59
*** itisha has quit IRC23:00
*** adu has quit IRC23:05
*** spzala has joined #openstack-keystone23:08
*** spzala has quit IRC23:08
*** spzala has joined #openstack-keystone23:09
*** spzala has quit IRC23:14
*** BjoernT has joined #openstack-keystone23:14
*** rcernin has quit IRC23:18
*** chrisshattuck has quit IRC23:18
*** code-R has quit IRC23:19
*** BjoernT has quit IRC23:19
gyeeayoung, with 680s traffic, that's at least 1 hour one way commute between 7-10am23:21
ayounggyee, that is what I figured.  You going to come in early or something?23:21
gyeeyou staying in my backyard? :-)23:22
ayounggyee, I don't think so.  Don't like the commute options23:22
gyeeayoung, the hotels are a lot cheaper in Dublin, I can carpool with you23:23
gyeelet me check23:23
ayounggyee, I honestly think I would rather crash on your couch than take a hotel in Dublin23:23
gyeeI can check with the wife23:24
*** roxanagh_ has joined #openstack-keystone23:24
gyeehttps://www.google.com/?gws_rd=ssl#q=hotel%20dublin%20ca&tbs=ls:-1,lf_hd:-1,lf_maxhp:-1,lf_maxhpitems:100-125-150-225,lf_maxhpcur:USD,lf_msr:-1,lf_hc:-1,lf_ha:0,lf_haitems:1023,lf:1,lf_ui:6&hotel_dates=2016-07-17,2016-07-18&rflfq=1&rlha=1&rlla=0&rllag=37700223,-121917975,1489&tbm=lcl&rldimm=13317741092652517230&rlfi=hd:2016-07-17%2C2016-07-18;si:1261390845042946143423:24
gyeesorry23:25
gyeehttp://doubletree3.hilton.com/en/hotels/california/doubletree-by-hilton-hotel-pleasanton-at-the-club-PLEPCDT/index.html23:25
gyeethis one is right next to Club Sport23:25
ayoungMaybe I can stay in my old Company bay in Camp Parks23:25
ayoungIHG Army Hotels Camp Parks23:25
gyeecamp parks is 5 minutes from my house23:25
gyeeright next to santa rita county jail too23:26
gyeethough it mostly house female prisoner these days23:27
ayoungI am no longer in the National Guard.  I am not allowed on base.  Think I'll opt out of the Jail option, too23:27
gyeeI can see them working out in the yard every time I pass by23:27
rodrigodsgyee, will have your own orange is the new black?23:28
rodrigodsyou have*23:28
rodrigodshave no idea why i typed "will"23:29
gyeehahah23:29
*** roxanagh_ has quit IRC23:29
*** breton has quit IRC23:32
*** permalac has quit IRC23:35
*** tonytan4ever has quit IRC23:41
openstackgerritMerged openstack/python-keystoneclient: Improve docs for v3 services  https://review.openstack.org/33727423:42
jamielennoxstevemar: yep, i'm coming - and in that airport hotel23:44
*** breton has joined #openstack-keystone23:45
*** slberger has left #openstack-keystone23:46
jamielennoxnotmorgan: so oslo.cache took all the dict and memorypool code from keystonemiddleware - but dogpile.cache wraps it in a tuple with some metadata dict so it's not compatible23:47
jamielennoxnotmorgan: so it's nice that it took it but it's basically useless :(23:47
jamielennoxcause it's not going to be compatible with old entries23:47
*** spzala has joined #openstack-keystone23:57
