Monday, 2016-08-01

« Sunday, 2016-07-31 Index Tuesday, 2016-08-02 »
*** markvoelker has joined #openstack-keystone00:12
*** sdake has joined #openstack-keystone00:13
*** tonytan4ever has joined #openstack-keystone00:16
*** markvoelker has quit IRC00:17
openstackgerritAdrian Turjak proposed openstack/keystone-specs: Optional MFA via password + TOTP auth plugin  https://review.openstack.org/34511300:17
*** sdake has quit IRC00:17
*** tonytan4ever has quit IRC00:21
*** chlong has joined #openstack-keystone00:26
*** chlong has quit IRC00:30
openstackgerritAdrian Turjak proposed openstack/keystone: adding combined password and totp auth plugin  https://review.openstack.org/34342200:37
*** chlong has joined #openstack-keystone00:41
adriantsteavemar: do you want me to add an item about MFA to the meeting agenda?00:45
adriantstevemar^00:45
*** tqtran has joined #openstack-keystone00:46
*** tqtran has quit IRC00:51
stevemaradriant: sure00:53
stevemaradriant: over here: https://etherpad.openstack.org/p/keystone-weekly-meeting00:53
stevemaradriant: i was just gonna add something else there...00:54
*** julim has joined #openstack-keystone01:05
*** chlong has quit IRC01:10
*** markvoelker has joined #openstack-keystone01:13
*** spzala has quit IRC01:13
*** spzala has joined #openstack-keystone01:13
adriantstevemar: oh awesome, you've added it already. Thanks. :)01:13
stevemaradriant: ;)01:13
*** davechen has joined #openstack-keystone01:14
stevemaradriant: will you be able to attend and any questions?01:17
*** markvoelker has quit IRC01:17
adriantYep, the meeting is a convenient 6pm my time. :)01:17
*** tonytan4ever has joined #openstack-keystone01:18
*** spzala has quit IRC01:18
adriantstevemar: correction, not 6pm my time, but yes will attent. :)01:22
*** tonytan4ever has quit IRC01:22
*** chlong has joined #openstack-keystone01:23
*** chlong has quit IRC01:28
*** chlong has joined #openstack-keystone01:30
*** EinstCrazy has joined #openstack-keystone01:35
*** EinstCrazy has quit IRC01:38
*** EinstCrazy has joined #openstack-keystone01:38
*** spzala has joined #openstack-keystone01:50
*** spzala has quit IRC01:50
*** spzala has joined #openstack-keystone01:50
*** tangchen has joined #openstack-keystone01:58
stevemarlbragstad: can you confirm if https://bugs.launchpad.net/keystone/+bug/1433331 is resolved?02:41
openstackLaunchpad bug 1433331 in OpenStack Identity (keystone) "Collapse Fernet specific tests into test_v3_auth.py TestAuth" [Low,Triaged]02:41
*** tonytan4ever has joined #openstack-keystone02:52
*** NanKe has joined #openstack-keystone03:00
*** TxGVNN has joined #openstack-keystone03:03
*** roxanaghe has joined #openstack-keystone03:10
*** jamiec has quit IRC03:20
*** jamiec has joined #openstack-keystone03:21
*** spzala has quit IRC03:26
*** amitkqed has quit IRC03:38
openstackgerritMerged openstack/keystone: Add schema validation to v2 update tenant  https://review.openstack.org/34873803:38
*** amitkqed has joined #openstack-keystone03:38
*** tqtran has joined #openstack-keystone03:47
*** code-R_ has joined #openstack-keystone03:50
*** code-R has quit IRC03:50
*** tqtran has quit IRC03:52
*** roxanaghe has quit IRC03:54
*** chlong has quit IRC04:15
*** roxanaghe has joined #openstack-keystone04:19
*** jidar has quit IRC04:20
*** jidar has joined #openstack-keystone04:24
*** code-R has joined #openstack-keystone04:26
*** code-R_ has quit IRC04:28
*** davechen has quit IRC04:29
*** chlong has joined #openstack-keystone04:31
*** code-R has quit IRC05:01
*** code-R has joined #openstack-keystone05:01
*** code-R_ has joined #openstack-keystone05:09
*** code-R has quit IRC05:12
*** roxanaghe has quit IRC05:20
*** tonytan4ever has quit IRC05:25
*** spzala has joined #openstack-keystone05:26
*** spzala has quit IRC05:31
*** tqtran has joined #openstack-keystone05:49
*** tqtran has quit IRC05:53
*** brancal has joined #openstack-keystone06:02
*** code-R has joined #openstack-keystone06:12
*** code-R_ has quit IRC06:13
*** tqtran has joined #openstack-keystone06:20
*** roxanaghe has joined #openstack-keystone06:21
*** davechen has joined #openstack-keystone06:24
*** tqtran has quit IRC06:24
*** roxanaghe has quit IRC06:25
*** adriant has quit IRC06:26
*** tonytan4ever has joined #openstack-keystone06:26
*** zouyapeng has joined #openstack-keystone06:30
*** tonytan4ever has quit IRC06:31
*** zouyapeng has quit IRC06:33
*** zouyapeng has joined #openstack-keystone06:33
*** belmoreira has joined #openstack-keystone06:33
*** tesseract- has joined #openstack-keystone06:44
*** daemontool_ has joined #openstack-keystone06:53
*** gb21 has joined #openstack-keystone06:55
*** chlong has quit IRC06:59
*** gb21 is now known as GB2106:59
*** jpena|off has joined #openstack-keystone07:00
*** jpena|off is now known as jpena07:00
*** jed56 has joined #openstack-keystone07:04
*** chlong has joined #openstack-keystone07:11
*** tonytan4ever has joined #openstack-keystone07:27
*** code-R has quit IRC07:30
*** tonytan4ever has quit IRC07:32
*** chlong has quit IRC07:34
*** rha has joined #openstack-keystone07:42
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** jaosorior has joined #openstack-keystone08:03
*** roxanaghe has joined #openstack-keystone08:09
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** roxanaghe has quit IRC08:14
*** roxanaghe has joined #openstack-keystone09:00
*** brancal has quit IRC09:01
*** brancal has joined #openstack-keystone09:02
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: Improve authentication plugins documentation  https://review.openstack.org/34942309:03
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: Add missing class name to tuple of public objects  https://review.openstack.org/34942409:03
*** roxanaghe has quit IRC09:06
*** tangchen has quit IRC09:27
*** tonytan4ever has joined #openstack-keystone09:28
*** tonytan4ever has quit IRC09:33
*** spzala has joined #openstack-keystone09:45
*** tangchen has joined #openstack-keystone09:46
*** spzala has quit IRC09:49
*** rodrigods has quit IRC09:55
*** rodrigods has joined #openstack-keystone09:55
*** EinstCrazy has quit IRC10:23
*** tangchen has quit IRC10:25
*** NanKe has quit IRC10:35
*** TxGVNN has quit IRC10:36
*** NanKe has joined #openstack-keystone10:36
*** NanKe has quit IRC10:36
*** NanKe has joined #openstack-keystone10:39
*** NanKe has quit IRC10:40
*** NanKe has joined #openstack-keystone10:45
*** NanKe has quit IRC10:46
*** davechen has quit IRC10:47
*** NanKe has joined #openstack-keystone10:56
*** tangchen has joined #openstack-keystone11:14
*** edmondsw has joined #openstack-keystone11:40
*** pauloewerton has joined #openstack-keystone11:49
*** jpena is now known as jpena|lunch11:50
*** itisha has joined #openstack-keystone12:00
*** sdake_ has joined #openstack-keystone12:02
*** raildo has joined #openstack-keystone12:05
*** pnavarro has joined #openstack-keystone12:05
*** davechen has joined #openstack-keystone12:22
*** tangchen has quit IRC12:23
*** markvoelker has joined #openstack-keystone12:27
*** samueldmq has joined #openstack-keystone12:35
*** ChanServ sets mode: +v samueldmq12:35
samueldmqmorning keystone12:35
*** davechen has quit IRC12:40
*** julim has quit IRC12:40
*** NanKe has quit IRC12:42
*** sileht has quit IRC12:44
*** sileht has joined #openstack-keystone12:46
*** sdake_ is now known as sdake12:48
*** nishaYadav has joined #openstack-keystone12:49
*** jsavak has joined #openstack-keystone12:57
*** nisha_ has joined #openstack-keystone13:00
*** nisha__ has joined #openstack-keystone13:02
*** jpena|lunch is now known as jpena13:03
*** nishaYadav has quit IRC13:04
*** dikonoor has joined #openstack-keystone13:04
*** nisha_ has quit IRC13:05
*** dikonoor has quit IRC13:05
*** dikonoor has joined #openstack-keystone13:06
*** bill_az has joined #openstack-keystone13:06
*** nisha_ has joined #openstack-keystone13:08
*** TxGVNN has joined #openstack-keystone13:11
*** nisha__ has quit IRC13:12
*** spzala has joined #openstack-keystone13:14
*** tonytan4ever has joined #openstack-keystone13:15
*** nisha_ is now known as nishaYadav13:16
*** dave-mcc_ has quit IRC13:19
*** tonytan4ever has quit IRC13:19
*** dave-mccowan has joined #openstack-keystone13:19
*** dave-mccowan has quit IRC13:19
*** nishaYadav has quit IRC13:23
*** julim has joined #openstack-keystone13:24
*** nisha_ has joined #openstack-keystone13:25
*** nisha_ is now known as nishaYadav13:25
*** julim has quit IRC13:26
*** julim has joined #openstack-keystone13:28
*** tonytan4ever has joined #openstack-keystone13:34
*** ayoung has joined #openstack-keystone13:36
*** ChanServ sets mode: +v ayoung13:36
*** tonytan_brb has joined #openstack-keystone13:39
*** tonytan4ever has quit IRC13:41
dstaneksamueldmq: good morning13:41
*** ametts has joined #openstack-keystone13:41
*** nisha_ has joined #openstack-keystone13:44
*** richm has joined #openstack-keystone13:45
*** nisha__ has joined #openstack-keystone13:45
*** dave-mccowan has joined #openstack-keystone13:46
*** nishaYadav has quit IRC13:47
*** nishaYadav has joined #openstack-keystone13:48
*** nishaYadav is now known as Guest9976913:48
*** nisha_ has quit IRC13:49
lbragstadstevemar that should be closed - or fix committed. https://bugs.launchpad.net/keystone/+bug/143333113:49
openstackLaunchpad bug 1433331 in OpenStack Identity (keystone) "Collapse Fernet specific tests into test_v3_auth.py TestAuth" [Low,Fix committed]13:49
lbragstadstevemar I've updated it with a comment13:49
*** Guest99769 is now known as nisha_13:49
*** nisha__ has quit IRC13:49
*** thumpba has joined #openstack-keystone13:50
*** ametts has quit IRC13:51
*** samueldmq has quit IRC13:53
*** ametts has joined #openstack-keystone14:00
*** lamt_ has quit IRC14:03
*** raddaoui has quit IRC14:04
*** tpeoples has quit IRC14:04
*** thiagolib has quit IRC14:04
*** DuncanT has quit IRC14:04
*** jraim has quit IRC14:04
*** jed56 has quit IRC14:04
*** zhiyan has quit IRC14:04
*** auggy has quit IRC14:04
*** briancurtin has quit IRC14:04
*** boris-42 has quit IRC14:04
*** itisha has quit IRC14:04
*** serverascode has quit IRC14:04
*** code-R has joined #openstack-keystone14:05
*** code-R_ has joined #openstack-keystone14:06
*** slberger has joined #openstack-keystone14:08
lbragstadbreton it looks like you have a patch up to fix the caching problems I was seeing on Friday - https://review.openstack.org/#/c/327885/1314:09
patchbotlbragstad: patch 327885 - keystone - Fix cache invalidation14:09
*** code-R has quit IRC14:10
*** tangchen_ has joined #openstack-keystone14:10
*** ravelar159 has joined #openstack-keystone14:11
*** tonytan4ever has joined #openstack-keystone14:14
*** raddaoui has joined #openstack-keystone14:16
*** dave-mccowan has quit IRC14:16
*** roxanaghe has joined #openstack-keystone14:17
*** dave-mccowan has joined #openstack-keystone14:17
*** tonytan_brb has quit IRC14:17
*** itisha has joined #openstack-keystone14:18
*** boris-42 has joined #openstack-keystone14:18
*** DuncanT has joined #openstack-keystone14:18
*** briancurtin has joined #openstack-keystone14:18
*** jed56 has joined #openstack-keystone14:18
*** auggy has joined #openstack-keystone14:18
*** tpeoples has joined #openstack-keystone14:18
*** thiagolib has joined #openstack-keystone14:19
*** jraim has joined #openstack-keystone14:19
*** zhiyan has joined #openstack-keystone14:19
*** serverascode has joined #openstack-keystone14:19
*** lamt_ has joined #openstack-keystone14:20
*** roxanaghe has quit IRC14:21
bretonlbragstad: have you tried it?14:21
bretonlbragstad: we tried it with Samuel and afaik it didn't fix your issues14:22
bretonlbragstad: but i've updated it since then14:22
*** ravelar_159 has joined #openstack-keystone14:22
lbragstadbreton I'm testing it locally now14:22
*** ravelar159 has quit IRC14:22
lbragstadbreton it seems to have fixed the issue I was seeing on Friday14:22
lbragstadbreton https://bugs.launchpad.net/keystone/+bug/160755314:23
openstackLaunchpad bug 1607553 in OpenStack Identity (keystone) "Revocation event caching is broken across processes" [High,New]14:23
bretonlbragstad: review the patch then please14:24
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Lockout requirements  https://review.openstack.org/34007414:24
lbragstadbreton yep - working on it14:24
lbragstadbreton locally - the tempest.api.identity tests pass for me except for one (tempest.api.identity.admin.v3.test_users.UsersV3TestJSON.test_update_user_password)14:25
*** aastha has joined #openstack-keystone14:25
lbragstadthat one fails occasionally14:25
dstanekbreton: i'm a little worried that it is hooking into dogpile's internals that way. seems like a new concept that dogpile needs to grow14:26
*** chlong has joined #openstack-keystone14:26
bretondstanek: they already have it14:27
*** chlong is now known as chlong|gone14:27
dstanekbreton: have what?14:27
bretondstanek: custom region invalidation14:28
dstanekbreton: can't we use that then?14:29
dstaneki was thinking it needed a namespace concept which is what most people seem to think regions are14:29
*** jaosorior has quit IRC14:30
*** spedione|AWAY is now known as spedione14:30
*** slberger1 has joined #openstack-keystone14:30
*** slberger has quit IRC14:30
*** chlong|gone has quit IRC14:32
*** jaosorior has joined #openstack-keystone14:32
*** jorge_munoz has joined #openstack-keystone14:32
*** chlong|gone has joined #openstack-keystone14:33
*** chlong|gone is now known as chlong14:34
bretondstanek: 1. we need to backport it to mitaka 2. wait for new dogpile release 3. make oslo_cache support it14:35
lbragstadbreton with your patch I seem to get one or two tempest failures when running the entire tempest.api.identity suite14:35
*** michauds has joined #openstack-keystone14:35
bretonlbragstad: and without?14:35
dstanekbreton: exactly14:35
*** jorge_munoz_ has joined #openstack-keystone14:35
lbragstadbreton double checking14:35
bretondstanek: that's why we can't use it yet14:36
bretondstanek: https://gerrit.sqlalchemy.org/#/c/108/14:36
dstanekbreton: when could we..just need a new release?14:37
*** jorge_munoz has quit IRC14:37
*** jorge_munoz_ is now known as jorge_munoz14:37
*** tonytan4ever has quit IRC14:38
bretondstanek: we also need to backport it to mitaka. There won't be new release of dogpile.14:38
lbragstadbreton that would require bumping the version of dogpile in mitaka - right?14:38
*** hwcomcn has joined #openstack-keystone14:38
dstanekbreton: why not?14:38
*** hwcomcn has quit IRC14:39
bretondstanek: or we could bump the version of dogpile in mitaka, right. I am just not sure that we can do it for a bugfix.14:39
*** thumpba has quit IRC14:39
*** hwcomcn has joined #openstack-keystone14:39
lbragstadbreton that's exactly what I was wondering14:40
*** hwcomcn has quit IRC14:41
bretonbut using that new feature in dogpile cache sounds like a new feature for keystone14:41
bretonwhile there i propose a fix for what was there14:41
lbragstadbreton http://docs.openstack.org/project-team-guide/stable-branches.html#active-maintenance14:42
*** jdennis has joined #openstack-keystone14:42
lbragstadlooks like version bumping is a no-go in stable branches14:42
*** hwcomcn has joined #openstack-keystone14:42
dstanekbreton: can we do the hack only for a backport and do the right thing in master then?14:43
lbragstadbackports have to be merged into master prior to landing in a stable branch i though..14:43
lbragstadthought*14:43
bretondstanek: technically yes. Not sure about the policies though.14:44
*** tonytan4ever has joined #openstack-keystone14:44
dstaneklbragstad: they do, *i think*, but i don't feel comfortable with a hack like this unless there is a clear path to remove it14:44
bretondstanek: hack like this was there long before my patch14:44
bretondstanek: it just didn't work :)14:45
dstanekit's very possible that a dogpile release will completely break this and thus break some people using older releases14:45
*** thumpba has joined #openstack-keystone14:45
dstanekbreton: yes, i know. it was a mistake then too14:45
bretonyep14:45
lbragstadi believe we talked about this at the austin mid-cycle14:45
*** gagehugo has joined #openstack-keystone14:46
dstaneki really wish we could say we only use memcache for caching and just use that directly14:46
lbragstadyeah - that would be nice in this case14:47
dstaneki actually started down that path a little to make some of our things easier to cache14:47
dstanekmaybe i'll throw up a review and see what people thing14:47
dstanekthink*14:47
bretonwow14:47
bretonin fact, the new dogpile release *will* break https://review.openstack.org/#/c/327885/14:48
patchbotbreton: patch 327885 - keystone - Fix cache invalidation14:48
*** thiagolib has quit IRC14:48
dstanekbreton: fantastic :-)14:48
*** sto has joined #openstack-keystone14:49
*** clenimar has quit IRC14:49
bretonsounds like a good thing to discuss tomorrow14:50
lbragstadbreton ++14:50
*** clenimar has joined #openstack-keystone14:51
*** tonytan_brb has joined #openstack-keystone14:51
*** thiagolib has joined #openstack-keystone14:52
*** hwcomcn_ has joined #openstack-keystone14:52
*** dikonoor has quit IRC14:52
*** diazjf has joined #openstack-keystone14:53
*** tonytan4ever has quit IRC14:54
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to create service in v2  https://review.openstack.org/34696214:55
*** hwcomcn has quit IRC14:55
*** nk2527 has quit IRC14:58
*** code-R_ has quit IRC14:59
*** gagehugo has quit IRC14:59
*** jistr is now known as jistr|call15:00
*** jaugustine has quit IRC15:00
*** mvk has quit IRC15:04
*** slberger1 has quit IRC15:07
lbragstadbreton I'm running the tempest tests repeatedly to get an average number of failures against master and with your patch (i'll update the bug when I have those averages)15:08
*** gagehugo has joined #openstack-keystone15:08
*** dave-mccowan has quit IRC15:09
*** jaosorior is now known as jaosorior_lunch15:09
*** slberger has joined #openstack-keystone15:09
bretonlbragstad: thank you15:09
*** jistr|call is now known as jistr15:12
*** clenimar has quit IRC15:13
*** pgbridge has joined #openstack-keystone15:13
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Lockout requirements  https://review.openstack.org/34007415:13
*** samueldmq has joined #openstack-keystone15:13
*** ChanServ sets mode: +v samueldmq15:13
samueldmqdstanek: o/15:13
*** pauloewerton has quit IRC15:13
*** dave-mccowan has joined #openstack-keystone15:13
*** jaugustine has joined #openstack-keystone15:15
*** ericksonsantos has quit IRC15:15
dstanekhey samueldmq15:15
*** dave-mccowan has quit IRC15:16
*** mrhillsman has joined #openstack-keystone15:19
*** raildo has quit IRC15:23
*** diazjf has quit IRC15:23
*** gagehugo_ has joined #openstack-keystone15:24
*** iurygregory has quit IRC15:24
samueldmqdstanek: so this week I am 100% back.. fully recovered and have finished a couple of things I had to do :)15:28
samueldmqtrying to get my virtualbox working with 64-bit vms15:30
*** ericksonsantos has joined #openstack-keystone15:30
*** clenimar has joined #openstack-keystone15:31
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to create service in v2  https://review.openstack.org/34696215:31
*** pauloewerton has joined #openstack-keystone15:31
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Lockout requirements  https://review.openstack.org/34007415:31
*** iurygregory has joined #openstack-keystone15:32
*** code-R has joined #openstack-keystone15:32
*** raildo has joined #openstack-keystone15:32
*** nk2527 has joined #openstack-keystone15:33
openstackgerritSteve Martinelli proposed openstack/keystone: [api] add blurb about experimental status  https://review.openstack.org/34794715:34
*** code-R_ has joined #openstack-keystone15:34
*** sdake has quit IRC15:34
*** belmoreira has quit IRC15:36
*** nisha_ is now known as nishaYadav15:36
*** code-R has quit IRC15:38
samueldmqstevemar: you around ?15:38
stevemarsamueldmq: technically no, but whats up?15:38
samueldmqstevemar: about the federation docs on their own files ...15:39
samueldmqstevemar: will just leave a comment in the review, anyways I am fine with your proposal15:39
*** diazjf has joined #openstack-keystone15:40
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Lockout requirements  https://review.openstack.org/34007415:40
*** danpawlik has quit IRC15:42
*** dave-mccowan has joined #openstack-keystone15:43
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Improve authentication plugins documentation  https://review.openstack.org/34942315:52
*** narengan has joined #openstack-keystone15:52
*** nithya has joined #openstack-keystone15:54
*** nithya has quit IRC15:54
lbragstadbreton dstanek https://bugs.launchpad.net/keystone/+bug/1607553/comments/515:55
openstackLaunchpad bug 1607553 in OpenStack Identity (keystone) "Revocation event caching is broken across processes" [High,New]15:56
bretonlbragstad: what tests fail in both cases? Are they the same from one run to another?15:58
lbragstadbreton no - they are random15:58
*** jistr is now known as jistr|biab16:01
bretonlbragstad: could you please post a list of tests that failed with my patch? I'll try to reproduce it manually16:01
dstaneklbragstad: that's really odd that it lowers the average like that16:01
lbragstadbreton sure - doing another run now16:01
lbragstaddstanek very16:01
* lbragstad breton these are the two the failed on my last run with your patch - http://cdn.pasteraw.com/5f44o8epievtqtfw3jy733f6qt5iyrc16:03
*** Guest15832 is now known as redrobot16:04
bretontest_list_user_roles_request_without_token16:04
bretonhuh16:04
*** ayoung has quit IRC16:06
lbragstadtempest.api.identity.admin.v2.test_roles_negative.RolesNegativeTestJSON.test_list_user_roles_request_without_token and tempest.api.identity.admin.v3.test_users.UsersV3TestJSON.test_update_user_password failed16:06
lbragstadlooks like test_list_user_roles_request_without_token failed because the token was validated successfully instead of raising a 40116:07
*** markvoelker has quit IRC16:09
lbragstadbut it looks like the failure in test_users.UsersV3TestJSON.test_update_user_password was because the token was considered invalid by keystone.. even though it should have been considered valid16:10
*** jaosorior_lunch has quit IRC16:11
*** jaosorior has joined #openstack-keystone16:12
*** tesseract- has quit IRC16:14
*** ravelar_159 is now known as ravelar16:17
*** hwcomcn_ has quit IRC16:21
*** ayoung has joined #openstack-keystone16:21
*** ChanServ sets mode: +v ayoung16:21
*** diazjf has quit IRC16:24
*** TxGVNN has quit IRC16:25
*** diazjf has joined #openstack-keystone16:25
*** arunkant has quit IRC16:26
*** ntpttr has quit IRC16:28
*** arunkant has joined #openstack-keystone16:31
*** julim has quit IRC16:34
*** julim has joined #openstack-keystone16:36
breton2016-08-01 19:30:28.635230 2016-08-01 19:30:28.635 13651 DEBUG oslo.cache.core [req-46f294c8-0e8f-40c0-b40f-d1328e33b80d - - - - -] CACHE_SET: Key: "'1921523d6734d44e88ed58dfc76ef681a36b8e9b'" Value: "([<keystone.models.revoke_model.RevokeEvent object at 0x7f3fc8418910>, <keystone.models.revoke_model.RevokeEvent object at 0x7f3fc8418950>], {'v': 1, 'ct': 1470069028.634853})" set /home/breton/.vi16:40
bretonrtualenvs/keystone/local/lib/python2.7/site-packages/oslo_cache/core.py:8716:41
bretonugh16:41
bretonCACHE_SET: Key: "'1921523d6734d44e88ed58dfc76ef681a36b8e9b'" Value: "([<keystone.models.revoke_model.RevokeEvent object at 0x7f3fc8418910>, <keystone.models.revoke_model.RevokeEvent object at 0x7f3fc8418950>], {'v': 1, 'ct': 1470069028.634853})"16:41
bretonwhat are these reprs in value?16:42
bretonhow do we cache objects?16:44
bretonsomething seems wrong here16:45
*** Gorian_ has joined #openstack-keystone16:45
bretonlbragstad:16:46
*** tesseract- has joined #openstack-keystone16:46
bretonhow are non-serializable objects cached?16:46
* breton will get back to tackling it in 3h16:47
samueldmqbreton: you suspect the revoke cache issues are related to how they're being cached internally in dogpile ?16:47
*** pnavarro has quit IRC16:47
samueldmqbreton: ah you went afk, ttyl16:47
*** daemontool__ has joined #openstack-keystone16:48
*** jistr|biab is now known as jistr16:49
*** narengan has quit IRC16:52
*** daemontool_ has quit IRC16:52
openstackgerritMerged openstack/keystoneauth: Add missing class name to tuple of public objects  https://review.openstack.org/34942416:53
*** narengan has joined #openstack-keystone16:53
*** tesseract- has quit IRC16:54
*** Gorian_ has quit IRC16:54
*** Gorian_ has joined #openstack-keystone16:54
*** gyee has joined #openstack-keystone16:55
*** ChanServ sets mode: +v gyee16:55
*** iurygregory has quit IRC16:58
*** tesseract- has joined #openstack-keystone16:58
*** tesseract- has quit IRC16:58
*** gyee_ has joined #openstack-keystone16:59
*** ChanServ sets mode: +v gyee_16:59
*** gyee has quit IRC16:59
*** gyee_ has quit IRC16:59
*** gyee has joined #openstack-keystone17:00
*** ChanServ sets mode: +v gyee17:00
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to create user v2  https://review.openstack.org/34853117:01
*** jpena is now known as jpena|off17:02
*** TxGVNN has joined #openstack-keystone17:02
*** sdake has joined #openstack-keystone17:02
*** clenimar has quit IRC17:03
*** markvoelker has joined #openstack-keystone17:05
*** gagehugo has quit IRC17:06
*** slberger has quit IRC17:09
*** pauloewerton has quit IRC17:10
*** pauloewerton has joined #openstack-keystone17:11
*** ayoung has quit IRC17:11
*** slberger has joined #openstack-keystone17:12
*** roxanaghe has joined #openstack-keystone17:14
*** ericksonsantos has quit IRC17:14
stevemarlbragstad: you opened a bug about revocation being broken everywhere17:17
*** sdake has quit IRC17:17
dstanekbreton: objects are pickled before they are put in cache17:18
*** pauloewerton has quit IRC17:18
*** TxGVNN has quit IRC17:20
lbragstadstevemar only in multi-process setups17:20
*** raildo has quit IRC17:20
lbragstadstevemar https://bugs.launchpad.net/keystone/+bug/160755317:20
openstackLaunchpad bug 1607553 in OpenStack Identity (keystone) "Revocation event caching is broken across processes" [High,New]17:20
stevemarlbragstad: which is every setup :)17:20
lbragstadstevemar one would think so17:21
*** clenimar has joined #openstack-keystone17:21
*** iurygregory has joined #openstack-keystone17:21
samueldmqlbragstad: even for other token formats ?17:21
lbragstadstevemar we seem to be narrowing it down to not having the ability to invalidate regions across multiple processes17:21
lbragstadsamueldmq the uuid token provider doesn't rely on revocation events - so it might be short-circuiting that check17:22
*** raildo has joined #openstack-keystone17:22
*** ericksonsantos has joined #openstack-keystone17:22
samueldmqlbragstad: makes sense, that's what I thought > it's been broken for a while, but somehow it may be short-circuiting17:23
samueldmqso ppl didn4t make a harm yet17:23
*** ayoung has joined #openstack-keystone17:23
*** ChanServ sets mode: +v ayoung17:23
*** pauloewerton has joined #openstack-keystone17:24
*** spzala has quit IRC17:24
*** julim has quit IRC17:24
samueldmqlbragstad: so the plan now is to discover what's going on in the cache internals?17:26
harlowjastevemar sort of found answer, having some internal discussion around identity, and ..., will drag the folks internally in here for more questions (if any)17:26
lbragstadsamueldmq well - I ended up finding that it was most likely an issue with not being able to invalidate cache regions across processes17:27
lbragstadsamueldmq and dstanek pointed me to a patch that breton had up that is suppose to fix it17:27
samueldmqlbragstad: hmm, the dvsm install is multiprocess?17:27
lbragstadsamueldmq devstack deploys keystone with 5 processes with 1 thread each17:27
samueldmqlbragstad: what patch? let's test it in the gate17:27
samueldmqadding that depends-on thing17:27
lbragstadsamueldmq I tested it locally17:28
samueldmqlbragstad: and ...17:28
lbragstadsamueldmq I posted my findings here - https://bugs.launchpad.net/keystone/+bug/160755317:28
openstackLaunchpad bug 1607553 in OpenStack Identity (keystone) "Revocation event caching is broken across processes" [High,New]17:28
samueldmqlbragstad: did it work?17:28
lbragstadsamueldmq not completely17:28
lbragstadbut it seemed to be better17:28
lbragstad(not sure how that works)17:28
lbragstadif we're invalidating the cache region for revocation events every time we add a new revocation event, that should take care of the problem17:29
*** brancal has quit IRC17:31
dstanekthat patch won't fix races...just the fact that our caching is broken17:31
lbragstaddstanek with that patch - i'm not sure how a race condition is still possible17:32
lbragstadin tempest17:32
dstanekwhy not? what do you theorize is happening17:33
dstanekcache races frequently happen with multiple processes17:33
lbragstaddstanek i'm not sure17:34
lbragstaddstanek but if we walk through https://github.com/openstack/tempest/blob/5ba5d648f613822f5fe39bccece72f5f74103113/tempest/api/identity/admin/v3/test_tokens.py#L4917:34
lbragstadthat test fails without breton's (and sometimes without it)17:34
lbragstadline 48 issues a client request to delete subject_token17:35
lbragstadwhich will be handled by a process in keystone, and tempest won't execute the next command until a 204 return code has been returned from keystone17:35
lbragstadso at that point we can assume that keystone has persisted a revocation event17:35
dstaneklbragstad: do you have a tempest config i could scam so i can try to reproduce?17:36
lbragstadand as a result - it should have invalidated the revocation cache17:36
lbragstaddstanek sure - my config is just devstack master17:36
lbragstadthen I switched keystone token.provider = fernet17:36
lbragstadand I was able to recreate the issue on keystone master17:37
dstaneklbragstad: i have a clean devstack...let me see...17:37
*** diazjf has quit IRC17:40
lbragstaddstanek i built keystone locally on commit - 8a669fabad6591175db72de314af9931a8f26bb417:42
lbragstaddstanek and ran ./run_tempest.sh tempest.api.identity.admin.v3.test_tokens17:42
dstaneklbragstad: how often does it fail?17:47
*** thumpba has quit IRC17:48
*** jaosorior has quit IRC17:49
*** thumpba has joined #openstack-keystone17:49
lbragstaddstanek with fernet enabled and without breton's patch it fails about 70% of the time form e17:49
lbragstadfor me*17:49
dstaneklbragstad: i wasn't patient enough i guess17:50
lbragstaddstanek do you have caching enabled for revocation events?17:50
*** yeeg has joined #openstack-keystone17:50
*** gyee has quit IRC17:50
*** yeeg has quit IRC17:50
*** yeeg has joined #openstack-keystone17:51
*** yeeg has quit IRC17:51
*** gyee has joined #openstack-keystone17:52
*** spzala has joined #openstack-keystone17:52
dstaneklbragstad: yeah, i can get it to fail now17:53
*** markvoelker_ has joined #openstack-keystone17:53
*** markvoelker has quit IRC17:53
stevemarharlowja: okay, keep us posted if you can17:54
lbragstaddstanek the error should look something like this - http://cdn.pasteraw.com/psy3io1qmf4jrt0x06i8n5baizuotq917:56
*** narengan has quit IRC17:58
harlowjastevemar sure17:59
dstaneklbragstad: it's impossible to look at the keystone log and see what's happening....tons of other stuff in there, i'm assuming from setup/teardown18:01
lbragstaddstanek i recreated the issue and documented the logs http://cdn.pasteraw.com/ms750ntgl1nv00z6a16jfew5jft23ml18:02
lbragstaddstanek this is the testing output http://cdn.pasteraw.com/67vnkdoo4n07f2xsqyruv6qlj9fi0xc18:02
lbragstaddstanek from there I mapped the token ID that was revoke through the logs to the cache id18:02
*** narengan1 has joined #openstack-keystone18:04
*** julim has joined #openstack-keystone18:10
stevemarbreton: what's up with "Validating trust-scoped tokens with v2.0 API"18:10
stevemaranyone have an opinion on https://review.openstack.org/#/c/347543/4 ? seems kinda hacky?18:11
patchbotstevemar: patch 347543 - keystone - Add dummy domain_id column to cached role18:11
stevemardstanek: lbragstad dolphm samueldmq anyone want to take a look at: https://review.openstack.org/#/c/344924/ ?18:16
patchbotstevemar: patch 344924 - keystone - Retry revocation on MySQL deadlock18:16
stevemari'm trying to triage a few of the bugs we have18:16
*** slberger has quit IRC18:18
stevemarcrinkle: did you -1 W this patch because of the test comment? https://review.openstack.org/#/c/344496/218:19
patchbotstevemar: patch 344496 - keystone - Skip middleware request processing for admin token18:19
dstanekstevemar: probably in a few....looking at the cache issue now18:20
crinklestevemar: yes18:21
stevemarcrinkle: not sure what to do about a test there...18:21
*** brancal has joined #openstack-keystone18:23
*** permalac has joined #openstack-keystone18:23
crinklestevemar: yeah me either18:23
stevemarcrinkle: I tried it out and it stopped blowing up for me, i'm happy with it18:24
lbragstaddstanek i'm finishing up a call quick and then i should be able to walk through it with you if you want to debug it on Google or something like that?18:25
*** spzala_ has joined #openstack-keystone18:27
*** ayoung has quit IRC18:30
*** nishaYadav has quit IRC18:31
*** spzala has quit IRC18:31
stevemarcrinkle: you can set it to 0 workflow, i dont know how to create a test for this easily18:32
stevemarmaybe jamielennox|away has an idea18:32
crinklestevemar: i think maybe if i can capture logging in keystone/tests/unit/test_middleware.py i can use that18:34
crinklebut it's not working so far18:34
*** brancal has quit IRC18:35
openstackgerritMerged openstack/keystone: Move Identity Provider API to its own file  https://review.openstack.org/34900918:36
openstackgerritMerged openstack/keystone: refactor idp to its own file  https://review.openstack.org/34921818:37
*** brancal has joined #openstack-keystone18:37
*** markvoelker_ has quit IRC18:38
*** markvoelker has joined #openstack-keystone18:39
*** markvoelker has quit IRC18:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/34963818:41
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/34964818:47
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/33344918:47
*** samueldmq has quit IRC18:47
*** GB21 has quit IRC18:54
*** doug-fish has joined #openstack-keystone18:55
*** jmlowe has joined #openstack-keystone19:00
*** jsavak has quit IRC19:02
*** jsavak has joined #openstack-keystone19:03
*** cheran has joined #openstack-keystone19:04
*** spzala_ has quit IRC19:05
*** cheran has quit IRC19:05
lbragstaddstanek want to sync on the caching thing?19:06
*** fifieldt has quit IRC19:07
jmloweQuick question about federation and mapping, is that really true about only doing group based role assignments?19:07
*** spzala has joined #openstack-keystone19:09
stevemarjmlowe: sorta? the mapping must result in a group (for now, see https://bugs.launchpad.net/keystone/+bug/1601929 )19:09
openstackLaunchpad bug 1601929 in OpenStack Identity (keystone) "Relax the requirement for mappings to result in group memberships" [Medium,Triaged] - Assigned to Ron De Rose (ronald-de-rose)19:09
jmloweIf I'm mapping all the federated users to local users wouldn't that be how they get their roles?19:09
jmlowestevemar: ah, ok, seemed a bit odd since you could be mapped to a local user19:10
jmlowestevemar: do you think that will hit in Newton?19:10
stevemarjmlowe: hopeful!19:11
stevemarjmlowe: do you use the mapping to map to local users?19:11
jmlowestevemar: just in the planning stages19:11
stevemarjmlowe: not sure if you're aware, but there was work to shadow all federated users to the user table19:11
stevemarso they'll have IDs and such, you should be able to assign them roles19:12
stevemarthis work landed in mitaka i think19:12
*** spzala has quit IRC19:13
stevemarrodrigods: are we ever going to expose these APIs: https://blueprints.launchpad.net/keystone/+spec/project-tree-deletion :)19:13
jmlowestevemar: One more question, can I do a per user mapping?  ie remote_user_a -> local_user_a, remote_user_c -> local_user_b19:13
stevemarjmlowe: yeah, it's pretty flexible, you should be able to do that19:14
*** harlowja has quit IRC19:14
bretonstevemar: we can issue a trust-scoped token but cannot validate it in v2.019:14
bretonstevemar: why?19:14
dstaneklbragstad: i think breton's patch fixes the caching issue, but i doubt it solves all of your troubles.19:15
bretonlbragstad: what about uuid? Do they have failures with my patch?19:15
dstaneklbragstad: that test almost always fails without the patch and it hasn't failed with the patch yet19:15
*** diazjf has joined #openstack-keystone19:15
lbragstaddstanek what if you run the whole test suite?19:15
*** harlowja has joined #openstack-keystone19:15
lbragstadtempest.api.identity ?19:16
dstaneklbragstad: i'll try that in a sec...running against my patch now19:16
lbragstadbreton let me check quick - I wouldn't think UUID would have issues with that patch19:16
stevemarbreton: if you obtained a trust then you can use v3, why go around using v2?19:16
*** sdake has joined #openstack-keystone19:18
bretonstevemar: because i obtained it using v219:18
*** fifieldt has joined #openstack-keystone19:18
bretondstanek: > objects are pickled before they are put in cache19:18
bretondstanek: i've grepped through dogpile cache and it seems that objects are pickled only for backends "file" and "memory"19:19
stevemarbreton: trusts are v3 only, how did you get one using v2?19:19
bretondstanek: also redis19:19
dstanekbreton: the memcache library does the pickling19:20
*** slberger has joined #openstack-keystone19:21
bretonstevemar: keystone/tests/unit/test_auth.py, test_create_trust_impersonation for example19:22
jmloweso big fat list with every remote user mapped to their corresponding local user is ok19:23
lbragstadbreton I ran the tempest identity suite against your patch and uuid without any failures.19:23
lbragstadstevemar i think breton means that he can get a trust scoped token using v2.019:23
lbragstadnot that he can create a trust on v2.019:23
stevemarjmlowe: you'll have a hell of a time maintaining that, but it should be OK19:23
bretonlbragstad: ++19:24
stevemarlbragstad: ah i follow....19:24
stevemarlbragstad: just the HEAD request to validate?19:24
*** KevinE has joined #openstack-keystone19:24
jmloweI have a whole bunch of users from xsede.org, I'm using auth.globus.org with openid connect, and I'll need to map them all to possibly different usernames at tacc.utexas.edu19:25
jmloweonly a tiny fraction know their credentials at tacc.utexas.edu but everybody knows their xsede.org credentials and everything should be setup for openid connect via globus auth19:26
jmloweI can programmatically get all of the mappings19:26
stevemarjmlowe: sounds like it should be fun times19:27
stevemarjmlowe: we're very interested in hearing feedback from folks using federation19:27
lbragstaddstanek is your patch up for review?19:27
stevemarjmlowe: so please keep us looped in, even if your experience is shitty, we can improve that19:28
stevemaramakarov: dolphm: i don't remember this being approved https://blueprints.launchpad.net/keystone/+spec/pre-cache-tokens does it have a spec?19:28
jmlowestevemar: another project I have is to create a central xsede.org keystone then federate with other project members running openstack, Bridges https://www.psc.edu/index.php/bridges-approach and Jetstream-cloud.org being the first two19:29
*** ametts has quit IRC19:30
jmloweWhere can I read up on the shadowing of federated users?19:31
lbragstaddstanek I notice that breton's patch fixes tempest.api.identity.admin.v3.test_tokens but I seems to get race conditions running the entire suite19:32
lbragstaddstanek i'll see if I can recreate another example19:33
*** KevinE has quit IRC19:35
*** ametts has joined #openstack-keystone19:36
*** diazjf has quit IRC19:36
dstaneklbragstad: not up yet, still getting it to work19:37
lbragstaddstanek cool19:37
*** KevinE has joined #openstack-keystone19:37
*** diazjf has joined #openstack-keystone19:37
stevemarjmlowe: heres what we did in mitaka: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/mitaka/shadow-users.html and what we are doing for newton: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/shadow-users-newton.html19:41
*** KevinE has quit IRC19:41
*** KevinE has joined #openstack-keystone19:42
*** jsavak has quit IRC19:43
*** spzala has joined #openstack-keystone19:43
*** jsavak has joined #openstack-keystone19:44
*** spzala has quit IRC19:44
*** spzala has joined #openstack-keystone19:44
lbragstaddstanek breton here is another example of a test that fails with breton's patch - looks like a race condition19:45
lbragstadhttp://cdn.pasteraw.com/q11n0xcvg9z7ot55so31yqwqrr4d9n419:45
*** spzala has quit IRC19:45
lbragstadI think the race it between when the revocation event cache region is invalidated and when the next call hits keystone19:46
jmlowestevemar: ok one more question, the mapping as it stands today in Mitaka could be remote_user — (keystone mapping) — > local_group -> role ?19:48
lbragstadwell - more specifically, a race between when the revocation event cache region is invalidated across processes and when the next call hits keystone19:48
stevemarjmlowe: right, the remote_user will get a role via the local group (you can assign groups many roles), or you can assign the user an individual role (this may be in newton only...)19:49
bretonlbragstad: why does it happen only on fernet?19:49
lbragstadbreton I would think that it only happens with fernet because uuid and the other tokens formats don't rely on the revocation api19:50
lbragstads/don't rely/don't rely heavily/19:50
jmloweyou can map remote_user to local_user but the roles won't be applied until Newton? just want to make sure I'm really clear on this so I can present capabilities on a timeline to decision makers19:51
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to update user v2  https://review.openstack.org/34502219:52
*** ametts has quit IRC19:55
lbragstadbreton for example; when you have uuid enabled and a user changes their password, the user's tokens are actually pruned from the database https://github.com/openstack/keystone/blob/8a8f070bc0714d5bd2c3594dcd8b458ac688be61/keystone/identity/core.py#L97919:56
*** spzala has joined #openstack-keystone19:56
*** ametts has joined #openstack-keystone20:00
stevemardstanek: take a look at this one and re-assess please: https://bugs.launchpad.net/keystone/+bug/137693720:01
openstackLaunchpad bug 1376937 in OpenStack Identity (keystone) "No way to prevent duplicates in endpoints" [Medium,In progress] - Assigned to David Stanek (dstanek)20:01
*** jsavak has quit IRC20:01
*** narengan1 has quit IRC20:02
*** jsavak has joined #openstack-keystone20:02
*** KevinE has quit IRC20:08
dstanekstevemar: sure20:09
*** spzala has quit IRC20:12
*** spzala has joined #openstack-keystone20:13
bretonstevemar: i am actually keeping an eye on https://bugs.launchpad.net/bugs/152024420:17
openstackLaunchpad bug 1520244 in python-keystoneclient "flag "truncated" in responses to list operations is not supported" [Medium,Triaged]20:17
*** spzala has quit IRC20:17
bretonstevemar: we decided that i wait for other patch, adding request-id to ksc20:18
stevemarbreton: ah, there was bound to be some false comments, it's a script i run20:19
bretonok20:21
*** jorge_munoz has quit IRC20:22
*** narengan has joined #openstack-keystone20:22
stevemarbreton: hadn't run it in a while, ended up unassigning all of these: http://paste.openstack.org/show/545197/ :|20:23
bretona lot :(20:24
*** ayoung has joined #openstack-keystone20:26
*** ChanServ sets mode: +v ayoung20:26
openstackgerritGage Hugo proposed openstack/keystone: Added postgresql libs to developer docs  https://review.openstack.org/34968820:26
openstackgerritSteve Martinelli proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327320:33
*** spzala has joined #openstack-keystone20:36
*** ametts has quit IRC20:36
*** slberger has quit IRC20:37
*** ametts has joined #openstack-keystone20:38
openstackgerritSteve Martinelli proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327320:38
*** slberger has joined #openstack-keystone20:39
openstackgerritSteve Martinelli proposed openstack/keystone: Reduce revoke events for disabled domains and projects.  https://review.openstack.org/25327320:39
*** spzala has quit IRC20:41
dstaneklbragstad: one of the fernet tests keep tripping me up20:43
lbragstaddstanek which one?20:43
dstanekkeystone.tests.unit.test_auth.FernetAuthWithTrust.test_trust_get_token_fails_if_trustee_disabled20:44
dstanekrunning the full test suite again to see if that's the only one20:44
lbragstaddstanek this one? https://github.com/openstack/keystone/blob/be88c0b7be4e891e7846ded85a3a289c72c5443c/keystone/tests/unit/test_auth.py#L134420:46
dstaneklbragstad: yes20:46
lbragstaddstanek how is it failing?20:46
lbragstadwhat do you have enabled?20:47
lbragstaddstanek or are you just running the unit tests?20:47
dstaneklbragstad: i've made some changes to how the cache key is generated and it doesn't seem to like it20:47
dstaneklbragstad: it's just the unit tests right now20:47
lbragstaddstanek paste20:47
lbragstad?20:47
stevemarayoung: please revisit https://bugs.launchpad.net/keystone/+bug/1268751 and mark as invalid if you think so20:48
openstackLaunchpad bug 1268751 in OpenStack Identity (keystone) "Potential token revocation abuse via group membership" [Low,Triaged]20:48
*** thiagolib has quit IRC20:48
ayoungstevemar, my comment from 2016-03-02: stands20:49
stevemarayoung: if we're not going to fix it when we should say so rather than letting it stand as open for 1000 days20:49
lbragstaddstanek is it failing intermittently or every time?20:51
dstaneklbragstad: everytime...need to figure out if it's all auth20:52
dstaneknot helpful but http://paste.openstack.org/show/545201/20:52
lbragstadhmm - so that should be a 40320:53
lbragstadaccording to the test20:53
lbragstaddstanek do you have a diff of your patch?20:54
*** diazjf has quit IRC20:57
openstackgerritDolph Mathews proposed openstack/keystone: Introduce read-only mode for the database  https://review.openstack.org/34970020:59
stevemardolphm: around a sec?20:59
dolphmrderose: henrynash: ^21:00
dolphmstevemar: o/21:00
*** jsavak has quit IRC21:00
stevemardolphm: regarding https://bugs.launchpad.net/keystone/+bug/1077282 ... what was the reasoning behind removing all the kvs stuff ?21:00
openstackLaunchpad bug 1077282 in OpenStack Identity (keystone) "Remove KVS Backend" [Wishlist,Triaged]21:00
stevemarjust to get rid of it in favor of sql?21:00
dstaneklbragstad: yeah, jas21:00
dstanekstevemar: it's not good for read environments21:01
bretondstanek: actually i ran into that test too21:01
bretondstanek: keystone.tests.unit.test_auth.FernetAuthWithTrust.test_trust_get_token_fails_if_trustee_disabled failed with my patch too, but then stopped21:01
stevemardstanek: OK, i get that it's a sub optimal data store21:01
dstanekbreton: at the midcycle i created a region subclass that does magic key generation to solve the invalidation problem21:02
stevemari'm just wondering how to untangle the last of it from the token stuff: https://github.com/openstack/keystone/search?l=python&q=kvs&utf8=%E2%9C%9321:02
dstanekstevemar: it's actually completely broken now that we use apache. each process would get a separate kvs data store21:02
stevemaras until we remove keystone/token/persistence/backends/memcache.py  we can't accomplish that bug21:02
dolphmdstanek: the 'kvs' drivers are really entry points for dogpile now though, right? so you can point keystone at mongo21:03
dolphmwhich is what HP did21:03
dolphmbut they don't do that anymore, so as gyee suggested at the midcycle, no one seems to need that support anymore21:03
dstaneki don't think we actually have kvs drivers for anything21:04
dstaneki think the base class is just subclassed for some reason, but it's been too long21:04
*** mvk has joined #openstack-keystone21:04
dstanekbreton: i'm going to steal your REGION.name idea :-) locally i've fixed oslo.cache21:05
*** raildo has quit IRC21:06
openstackgerrithenry-nash proposed openstack/keystone: Add the migration phase status table  https://review.openstack.org/34970321:06
openstackgerritDavid Stanek proposed openstack/keystone: WIP: region namespace POC for cache invalidation  https://review.openstack.org/34970421:07
dstaneklbragstad: breton: ^ midcycle hack21:07
lbragstaddstanek sweet - checking it out21:07
lbragstaddstanek is that what is failing the Fernet test?21:07
lbragstadfor you locally?21:07
*** diazjf has joined #openstack-keystone21:08
dstaneklbragstad: yeah, but i'm not convinced it's that test.... feels like out auth is broken in some way21:08
stevemari feel like marking https://bugs.launchpad.net/keystone/+bug/1180136 as "Opinion" at this point / cc dstanek21:09
openstackLaunchpad bug 1180136 in OpenStack Identity (keystone) "Dependency injection framework is constructing the object first and then injecting the dependency which is incorrect" [Wishlist,Triaged]21:09
*** brancal has quit IRC21:09
lbragstaddstanek dogpile.cache.CacheRegion and dogpile.cache.region.CacheRegion are the same class, right?21:10
lbragstaddstanek just digging through the dogpile code and that's what I'm seeing21:10
dstanekstevemar: yeah, i mostly fixed that already. just a few things that still need to be cleaned up21:10
stevemardstanek: mark it as fix released and cite what needs to be fixed.21:10
dstanekstevemar: i'll take a look at it21:10
ayoungstevemar, we are waiting for Fernet and revocation events to remove the form of revocation that would cause it.  THe bug stands, but I am not going to fix it.  Feel free to close Won't Fix if it bothers you that much, but otherwise, close it when the actual change is committed.  Its ok for the bug to stay there  until then, as documentation should anyone come across this21:11
dstanekstevemar: i think the issue with the dup endpoints is that we don't really know what to create a unique key on and as notmorgan noted, this would technically break backward compatibility21:13
stevemardstanek: it totally would21:13
stevemari will mark it as such21:13
rderosedolphm: looking...21:13
dstanekstevemar: doing to mark is a wontfix?21:14
stevemardstanek: already did21:15
stevemarsorry about all the bug requests -- i'm ramping up for newton-3 and trying to take a look at all the keystone bugs that need some love21:15
dstanekstevemar: abandoned that patch21:15
dstanekmore bug loving the better21:15
notmorgandstanek: hmm? i saw my name21:17
notmorganoh backwards compat things21:17
*** GB21 has joined #openstack-keystone21:17
notmorganhehe yeah don't break backwards compat plz21:17
*** pauloewerton has quit IRC21:17
dstaneknotmorgan: we were talking about the bug where someone wanted to add a constraint to endpoints21:17
notmorganyah21:17
notmorgani mean, it would be GREAT if we found a way to do it21:18
notmorganbut... backwards compat (eeeuuuwww) makes it hard21:18
*** diazjf1 has joined #openstack-keystone21:19
*** sdake has quit IRC21:20
*** nk2527 has quit IRC21:22
*** jaugustine has quit IRC21:23
*** gagehugo_ has quit IRC21:23
*** diazjf has quit IRC21:23
*** nk2527 has joined #openstack-keystone21:24
*** gagehugo has joined #openstack-keystone21:28
lbragstaddstanek I seem to get two different test failures with https://review.openstack.org/#/c/349704/121:30
patchbotlbragstad: patch 349704 - keystone - WIP: region namespace POC for cache invalidation21:30
lbragstadone that fails consistently is keystone.tests.unit.test_v3_assignment.AssignmentTestCase.test_get_head_role_assignments21:31
lbragstadthe other that fails sometimes is keystone.tests.unit.test_auth.FernetAuthWithTrust.test_trust_get_token_fails_if_trustee_disabled21:31
dstaneklbragstad: that is also failing for me....a little scarry21:31
lbragstaddstanek so you're seeing both of those fail too21:31
*** gagehugo_ has joined #openstack-keystone21:33
*** barclaac has quit IRC21:35
*** barclaac has joined #openstack-keystone21:35
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: Improve authentication plugins documentation  https://review.openstack.org/34942321:39
*** jaugustine has joined #openstack-keystone21:41
*** narengan has quit IRC21:43
lbragstaddstanek for some reason http://cdn.pasteraw.com/1xlbs7c4d1radscl4gc6kpzyftbfqu2 fixes keystone.tests.unit.test_v3_assignment.AssignmentTestCase.test_get_head_role_assignments for me locally21:44
*** jamielennox|away is now known as jamielennox21:48
openstackgerritMerged openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/33344921:52
*** tonytan4ever has joined #openstack-keystone21:54
*** ametts has quit IRC21:56
*** tonytan_brb has quit IRC21:57
openstackgerrithenry-nash proposed openstack/keystone: WIP Add support for rolling upgrades to keystone-manage  https://review.openstack.org/34971621:57
*** KevinE has joined #openstack-keystone21:58
openstackgerritColleen Murphy proposed openstack/keystone: Skip middleware request processing for admin token  https://review.openstack.org/34449621:58
*** KevinE has quit IRC21:59
*** jcalcote has joined #openstack-keystone21:59
jcalcoteI just installed newton keystone from canonical's cloud archive project on Ubuntu 16.04. It installs fine, but whenever I send it a curl command (e.g., curl http://localhost:5000/v2) I get back a 500 internal server error and the keystone log in /etc/apache2 shows a python stack trace - ImportError: no module named access22:01
dstanekjcalcote: can you paste the traceback into paste.openstack.org?22:02
jcalcoteSure - http://paste.openstack.org/show/545212/22:03
jcalcoteGoogle indicates a couple of other folks have seen this in the past with basically no resolution.22:04
dstanekjcalcote: can you also paste you keystone-paste.ini? it looks like an issue with dynamically loading something22:05
*** KevinE has joined #openstack-keystone22:05
*** KevinE has quit IRC22:05
jcalcotehttp://paste.openstack.org/show/545213/22:06
*** KevinE has joined #openstack-keystone22:06
*** GB21 has quit IRC22:07
*** diazjf1 has quit IRC22:07
lbragstadjcalcote it looks like your paste.ini file is looking for keystone.contrib.access22:07
jcalcoteoh yes - this makes sense - one of the few hits on google indicated a problem with contrib stuff - I just didn't follow what he was trying to say22:08
jcalcote... and it turns out keystone.contrib.access is not installed. Wonder where to get that?22:12
*** ravelar has quit IRC22:12
*** sdake has joined #openstack-keystone22:13
dstanekjcalcote: i think what was actually removed22:13
lbragstaddstanek jcalcote yeah - that's what I'm thinking22:14
dstanekjcalcote: https://review.openstack.org/#/c/125703/ removed a long, long time ago22:14
lbragstadI am looking for the commit22:14
lbragstadand.... dstanek beat me to it22:14
patchbotdstanek: patch 125703 - keystone - remove deprecated access log middleware (MERGED)22:14
jcalcotedstanek - thanks - looks like a cloud archive bug then - they need to update their paste-ini file for their package. In the mean time, I don't know paste very well - can someone tell me how to clean up my paste ini file properly?22:14
lbragstadhah - we must have just removed the entry point22:15
dstanekjcalcote: remove access_log from your pipelines22:15
jcalcotek - thanks a log guys22:15
dstanekand probably the [filter:access_log] section just to be complete22:15
*** slberger has left #openstack-keystone22:21
openstackgerritGage Hugo proposed openstack/keystone: Add schema validation to create user v2  https://review.openstack.org/34853122:27
jcalcotedstanik, lbragstad: thanks for the help - I had to remove the paste filters named: access, xml_body, sizelimiter before I could finally get rid of the 500 errors and get back something reasonable from the base keystone endpoint in curl.22:31
jcalcotekinda weird no one else is noticing this...22:31
*** spedione is now known as spedione|AWAY22:32
*** ravelar has joined #openstack-keystone22:33
jamielennoxstevemar: so roxanaghe was going to have a look at the ADFS plugin - last i heard it didn't work22:34
jamielennoxstevemar: so i'm not sure there's any point to giving it an entrypoint until then22:34
roxanaghejamielennox, stevemar right, right now I'm testing the saml2 plugin and that doesn't work for me yet. for the adfs plugin I didn't try it recently but at least I found out why we need a separate one for ADFS: that's because ADFS doesn't support ECP, which is used in the saml2 plugin22:37
*** spzala has joined #openstack-keystone22:41
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/34963822:42
*** spzala has quit IRC22:47
*** r-daneel has joined #openstack-keystone22:47
*** thumpba has quit IRC22:51
*** thumpba has joined #openstack-keystone22:51
jamielennoxroxanaghe: yea, i think that's the conclusion we came to at the midcycle, adfs had to do some form submission work and we're not sure how standard that form it22:53
jamielennoxis22:53
*** thumpba has quit IRC22:55
jamielennoxroxanaghe: if you need a hand with setting up the env let me know, it's been a little while but i remember most of it22:56
roxanaghejamielennox, for saml2 or adfs?22:56
jamielennoxsaml2 mainly, i haven't done adfs22:57
roxanaghejamielennox, I was able to setup a so-called testshib IDP - it's a test IDP provided by Shibboleth, I can use it via Horizon WebSSo but not via CLI22:59
roxanaghejamielennox, I get this type of error: https://github.com/kennethreitz/requests/issues/2364 I'm trying to see why, since it works well using a Web REST client23:01
*** sdake has quit IRC23:01
jamielennoxroxanaghe: mostly i've seen that when you make a mistake with SSL23:02
jamielennoxeither you have a https:// url without SSL configured or vice versa23:02
*** sdake has joined #openstack-keystone23:03
roxanaghehm, let me verify that, thanks!23:04
jamielennoxcrinkle: i don't understand your comment on https://review.openstack.org/#/c/344496/3/keystone/tests/unit/test_middleware.py23:06
patchbotjamielennox: patch 344496 - keystone - Skip middleware request processing for admin token23:06
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/34964823:06
*** tonytan4ever has quit IRC23:07
crinklejamielennox: the request environment variable is getting transformed from 'openstack.context' to 'HTTP_OPENSTACK.CONTEXT' so the test I wrote fails, still trying to figure it out23:09
jamielennoxcrinkle: ah, ok - so that'll be because of the difference between environment and headers in wsgi23:10
jamielennoxwsgi protocol passes everything around as an environment dict which contains a lot more than headers23:11
jamielennoxthings that are actually headers are prefixed with HTTP_ and uppercased23:11
jamielennoxso when you do request.headers['name'] it actually does request.environ['HTTP_NAME']23:11
jamielennoxcrinkle: i think you need to pass those as extra_environ= to make that work23:12
crinklejamielennox: aha let me try that23:12
*** Gorian_ has quit IRC23:15
*** thumpba has joined #openstack-keystone23:25
*** ravelar has quit IRC23:29
*** sdake has quit IRC23:31
*** edmondsw has quit IRC23:40
*** sdake has joined #openstack-keystone23:40
*** code-R_ has quit IRC23:45
*** ravelar159 has joined #openstack-keystone23:45
*** spzala has joined #openstack-keystone23:47
stevemarahh extra_environ23:47
jamielennoxstevemar: is that ahh in realization or satisfaction?23:49
stevemarjamielennox: more of a: "ohhh right, that's what was needed"23:50
jamielennoxrealization23:51
openstackgerritJamie Lennox proposed openstack/keystone: Move audit initiator creation to request  https://review.openstack.org/34265823:55
* notmorgan sighs.23:56
notmorgani really need people to stop asking me keystone questions in private23:56
stevemarnotmorgan: haha23:56
notmorganthis is causing me a lot of headaches trying to not swap contexts23:56
stevemarjust ignore them23:57
notmorgani just lost 4hrs of digging through code because of the context switch23:57
stevemargive us names!23:57
stevemarpublicly shame!23:57
notmorganno, i told them to stop asking me these things in private23:57
stevemarthats usually the best option23:57
notmorganbut it doesn't take a lot to swap the context23:57
notmorganbecause this code is not straight forward23:57
notmorganwhereas keystone is.23:57
notmorganso, you know how frustrating code can be where it's easy to just lose your spot =/23:58
*** spzala has quit IRC23:58
*** spzala has joined #openstack-keystone23:58
« Sunday, 2016-07-31 Index Tuesday, 2016-08-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!