Monday, 2016-08-15

*** roxanaghe has quit IRC00:00
*** su_zhang has joined #openstack-keystone00:22
*** tqtran has joined #openstack-keystone00:24
*** tqtran has quit IRC00:28
*** adrian_otto has joined #openstack-keystone01:12
*** su_zhang has quit IRC01:17
*** su_zhang has joined #openstack-keystone01:17
*** EinstCrazy has joined #openstack-keystone01:23
*** roxanaghe has joined #openstack-keystone01:25
*** roxanaghe has quit IRC01:29
*** adrian_otto1 has joined #openstack-keystone01:33
*** adrian_otto has quit IRC01:34
*** tonytan4ever has joined #openstack-keystone01:42
*** wangqun has joined #openstack-keystone01:46
*** tonytan4ever has quit IRC01:47
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting V3 OS-INHERIT APIs
*** su_zhang has quit IRC01:59
*** adrian_otto1 has quit IRC01:59
*** tonytan4ever has joined #openstack-keystone02:01
*** jamielennox is now known as jamielennox|away02:10
*** jamielennox|away is now known as jamielennox02:30
*** davechen has joined #openstack-keystone02:38
stevemarjamielennox: o/02:57
jamielennoxstevemar: hello02:57
stevemarjamielennox: take a quick look at a bug / fix?02:57
stevemarjamielennox: and the fix
openstackLaunchpad bug 1603038 in OpenStack Identity (keystone) "Execption on admin_token usage ValueError: Unrecognized " [Medium,In progress] - Assigned to Colleen Murphy (krinkle)02:58
jamielennoxoh, yea - i have that one open02:58
jamielennoxi'm not sure i like how the context_env works, it means it will only work with the admin_token middleware which is deprecated02:59
jamielennoxbut then so is CONF.keystone_authtoken.admin_token so maybe it doesn't matter03:00
stevemarjamielennox: it'll probably be pretty tough to get rid of the admin_token middleware in all honesty03:02
jamielennoxstevemar: how auth_token and admin_token fit together is a little bit funky already03:10
jamielennoxbut i don't think we can rely on that in non-keystone services03:11
stevemarrely on what ?03:11
jamielennoxoh, wait - i'm looking at keystone/middleware not keystonemiddleware03:12
stevemarjamielennox: you refactored it! :)03:13
jamielennoxyea, it all made sense at the time :p03:13
jamielennoxstevemar: +Aed - there might still be weird edge cases when using admin_token - but i'm pretty sure there has always been weird edge cases using admin_token03:31
stevemarjamielennox: totally03:40
*** tonytan4ever has quit IRC03:46
*** su_zhang has joined #openstack-keystone03:52
*** EinstCrazy has quit IRC03:53
*** chlong has joined #openstack-keystone04:21
*** tqtran has joined #openstack-keystone04:26
*** tqtran has quit IRC04:30
*** EinstCrazy has joined #openstack-keystone04:33
*** jaosorior has joined #openstack-keystone04:47
*** roxanaghe has joined #openstack-keystone04:49
*** roxanaghe has quit IRC04:52
*** EinstCrazy has quit IRC04:54
*** EinstCrazy has joined #openstack-keystone04:55
openstackgerritMerged openstack/keystone: Skip middleware request processing for admin token
*** EinstCrazy has quit IRC04:59
*** EinstCrazy has joined #openstack-keystone05:00
openstackgerritMerged openstack/keystone: Constraints are ready to be used for tox.ini
*** GB21 has joined #openstack-keystone05:21
*** rcernin has joined #openstack-keystone05:25
*** EinstCrazy has quit IRC05:26
*** EinstCrazy has joined #openstack-keystone05:27
*** EinstCra_ has joined #openstack-keystone05:30
*** EinstCrazy has quit IRC05:31
*** adriant has quit IRC05:40
*** rkrum has joined #openstack-keystone05:47
*** roxanaghe has joined #openstack-keystone05:52
*** roxanaghe has quit IRC05:57
*** agireud has quit IRC06:01
*** agireud has joined #openstack-keystone06:10
*** jmccrory is now known as jmccrory_away06:12
*** david-lyle has joined #openstack-keystone06:36
*** pcaruana has joined #openstack-keystone06:36
*** david-lyle_ has quit IRC06:39
*** tonytan4ever has joined #openstack-keystone06:47
*** belmoreira has joined #openstack-keystone06:48
*** tonytan4ever has quit IRC06:52
*** wangqun has quit IRC06:54
*** rkrum has quit IRC07:07
*** chlong has quit IRC07:08
*** chlong has joined #openstack-keystone07:25
*** su_zhang has quit IRC07:25
*** GB21 has quit IRC07:38
*** roxanaghe has joined #openstack-keystone07:41
*** roxanaghe has quit IRC07:45
*** wangqun has joined #openstack-keystone07:53
*** GB21 has joined #openstack-keystone07:53
*** Ephur has quit IRC07:57
*** wangqun has quit IRC07:59
*** zzzeek has quit IRC08:00
*** sdake has joined #openstack-keystone08:01
*** zzzeek has joined #openstack-keystone08:02
*** tonytan4ever has joined #openstack-keystone08:03
*** chlong has quit IRC08:07
*** tonytan4ever has quit IRC08:08
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c
*** sdake has quit IRC08:15
*** tqtran has joined #openstack-keystone08:27
*** tqtran has quit IRC08:31
*** sdake has joined #openstack-keystone08:35
*** markvoelker has joined #openstack-keystone08:41
*** sdake has quit IRC08:43
*** markvoelker has quit IRC08:45
*** mvk has joined #openstack-keystone08:56
*** ktychkova has joined #openstack-keystone09:08
*** roxanaghe has joined #openstack-keystone09:29
*** roxanaghe has quit IRC09:33
*** jaosorior is now known as jaosorior_brb09:38
*** sdake has joined #openstack-keystone09:46
*** wangqun has joined #openstack-keystone09:57
*** amakarov_away is now known as amakarov10:00
*** tonytan4ever has joined #openstack-keystone10:04
*** wangqun has quit IRC10:05
*** tonytan4ever has quit IRC10:08
*** EinstCra_ has quit IRC10:20
*** asettle has joined #openstack-keystone10:25
*** jaosorior_brb is now known as jaosorior10:31
*** markvoelker has joined #openstack-keystone10:42
*** markvoelker has quit IRC10:47
*** roxanaghe has joined #openstack-keystone11:17
*** roxanaghe has quit IRC11:22
*** jaosorior has quit IRC11:34
*** jaosorior has joined #openstack-keystone11:35
*** asettle has quit IRC11:36
*** rodrigods has quit IRC11:38
*** rodrigods has joined #openstack-keystone11:38
*** asettle has joined #openstack-keystone11:50
*** sdake has quit IRC12:02
*** edmondsw has joined #openstack-keystone12:04
*** tonytan4ever has joined #openstack-keystone12:05
*** sdake has joined #openstack-keystone12:06
*** tonytan4ever has quit IRC12:09
*** sigmavirus|away is now known as sigmavirus12:10
*** asettle has quit IRC12:11
henrynashanyone know how tell test_sql_upgrade to run against other databases? Since we use oslo_db.test_base now, I assume is something like setting OS_TEST_DBAPI_ADMIN_CONNECTION...but can't seem to make that work...any ideas?12:12
*** tonytan4ever has joined #openstack-keystone12:13
*** roxanaghe has joined #openstack-keystone12:18
*** gordc has joined #openstack-keystone12:19
*** roxanaghe has quit IRC12:23
*** markvoelker has joined #openstack-keystone12:30
*** woodster_ has joined #openstack-keystone12:32
*** GB21 has quit IRC12:35
*** timss has joined #openstack-keystone12:35
*** sdake has quit IRC12:38
*** julim has joined #openstack-keystone12:44
*** raildo has joined #openstack-keystone12:46
*** rkrum has joined #openstack-keystone12:47
*** pauloewerton has joined #openstack-keystone12:50
*** amoralej|off has quit IRC12:50
*** amoralej has joined #openstack-keystone12:53
*** julim has quit IRC13:01
*** julim has joined #openstack-keystone13:05
*** davechen has left #openstack-keystone13:06
*** rkrum has quit IRC13:10
*** rkrum has joined #openstack-keystone13:11
*** rkrum has quit IRC13:16
*** asettle has joined #openstack-keystone13:17
dstanekhenrynash: in the past i have changed our database fixture13:19
bretonme too13:20
bretonfiguring out proper env variables was hard13:20
*** GB21 has joined #openstack-keystone13:24
lbragstadmorning keystone!13:25
*** woodburn has quit IRC13:29
raildolbragstad, morning :)13:29
*** belmoreira has quit IRC13:31
dolphmhenrynash: there's an environment variable, but the tests are currently broken according to dstanek13:33
*** tonytan4ever has quit IRC13:33
dstanekhenrynash: dolphm: yeah, i was having problem because of our root domain :-(13:34
openstackgerritDolph Mathews proposed openstack/keystone: Fix nits in PCI-DSS Minimum password age requirements
openstackgerritDolph Mathews proposed openstack/keystone: Fix nits in PCI-DSS Minimum password age requirements
*** GB21 has quit IRC13:41
dolphmdstanek: abandon in favor of request local caching?
patchbotdolphm: patch 183189 - keystone - WIP: reduce redundant get_user calls13:43
dstanekdolphm: i'll take a deeper look in a bit, but my first reaction is to keep it. local caching is a hack13:44
dolphmdstanek: i don't disagree, but i wonder if it's worth the effort13:44
dolphmdstanek: it'd be great if request context lazily loaded things like that13:45
*** belmoreira has joined #openstack-keystone13:50
*** chlong has joined #openstack-keystone13:52
*** ayoung has joined #openstack-keystone13:55
*** ChanServ sets mode: +v ayoung13:55
openstackgerritAlexander Ignatyev proposed openstack/keystone: Support new osprofiler API
*** dims has quit IRC13:59
*** adrian_otto has joined #openstack-keystone14:01
*** dims has joined #openstack-keystone14:05
*** roxanaghe has joined #openstack-keystone14:06
*** GB21 has joined #openstack-keystone14:07
*** su_zhang has joined #openstack-keystone14:08
*** roxanaghe has quit IRC14:10
*** sdake has joined #openstack-keystone14:10
*** adrian_otto has quit IRC14:13
*** adrian_otto has joined #openstack-keystone14:15
*** ezpz has joined #openstack-keystone14:19
*** adrian_otto has quit IRC14:20
*** tonytan4ever has joined #openstack-keystone14:23
*** ravelar has joined #openstack-keystone14:24
*** ametts has joined #openstack-keystone14:26
openstackgerritRon De Rose proposed openstack/keystone: Create rolling upgrades migration repos
*** tqtran has joined #openstack-keystone14:30
*** pcaruana has quit IRC14:30
*** spedione|AWAY is now known as spedione14:31
*** tqtran has quit IRC14:34
openstackgerritRon De Rose proposed openstack/keystone: Create rolling upgrades migration repos
*** jdennis1 has quit IRC14:45
*** slberger has joined #openstack-keystone14:45
henrynashrderose, davechen: I must admit I am getting confused as to why everyone else is proposing patches up for rolling upgrades....I have had the series of patches up for weeks....14:47
*** sdake has quit IRC14:48
rderosehenrynash: creating a patch with the 3 repos (expand, migrate, contract), do you have a patch that has this approach?14:50
openstackgerritRon De Rose proposed openstack/keystone: WIP - Create rolling upgrades migration repos
henrynashrderose: no, mine ahs two - and I have argued why we should not have a repo for --migrate, and I still don't think we should. Anyway, I don't this the way round it is to basically bypass someone else's patches14:51
rderosehenrynash: Okay, I'll look at your patches again and if duplicate (or close), I'll abandon this one. I don't want to step on your toes, but would argue for the 3 repos approach.14:55
henrynashrderose: how would you to migrate 1000 rows at a time, with traditional repo approach?14:56
*** michauds has joined #openstack-keystone14:56
rderosehenrynash: batch them and you would be in migration phase longer14:57
henrynashrderose: if we had a million rows to migrate, if we did it in one go we might lock up the database and cause denial of service for a while14:57
rderosehenrynash: you could batch the million rows, right?14:58
rderoseso are you arguing having an expand and contract repo, but not a migrate?14:58
henrynashrderose: yep, but usually the batch size is determined by the operator by calling (something like): keystone-manage db_sync -- migrate --delta 100014:59
henrynashrderose: not proposing we support that yet (but this is what some of the other projects do)14:59
openstackgerritBoris Bobrov proposed openstack/keystone: [wip] Add prepare_ldap command
*** spzala has joined #openstack-keystone15:01
rderosehenrynash: okay, makes sense. and we currently support batching, right?  why couldn't we support this within a new migrate repo?15:03
henrynashrderose: not quite sure what you mean in terms of supporting batching mean in regaular sql commands? We have an optional limit, but not sure about batching15:04
*** su_zhang has quit IRC15:05
*** rcernin has quit IRC15:06
*** jdennis has joined #openstack-keystone15:10
*** mvk has quit IRC15:10
henrynashdstanek: hi15:11
openstackgerritMerged openstack/keystone-specs: Simplify manage-migration spec by introducing database triggers
*** diazjf has joined #openstack-keystone15:27
*** su_zhang has joined #openstack-keystone15:31
*** edtubill has joined #openstack-keystone15:33
*** belmoreira has quit IRC15:38
*** edtubill has quit IRC15:40
*** edtubill has joined #openstack-keystone15:40
*** diazjf has left #openstack-keystone15:40
*** haplo37__ has joined #openstack-keystone15:41
*** asettle has quit IRC15:46
*** asettle has joined #openstack-keystone15:47
*** asettle has quit IRC15:53
*** asettle has joined #openstack-keystone15:54
henrynashdstanek, dolphm: are you sure that teh overrides in backend_sql.conf are still honored? Wasn't that codde stripped out of test_sql_upgrade when it was converted to use oslo_db test_base?16:01
*** arunkant_ has joined #openstack-keystone16:01
*** BjoernT has joined #openstack-keystone16:02
dstanekhenrynash: no, but in a few minutes i can switch gears and try to help figure it out16:02
*** adrian_otto has joined #openstack-keystone16:02
dstaneklunching/dealing with cable guy right now16:02
henrynashdstaneK: ok, thks!16:02
henrynashdstanek :-)16:02
*** GB21 has quit IRC16:05
*** tqtran has joined #openstack-keystone16:08
*** dims has quit IRC16:10
*** gyee has joined #openstack-keystone16:12
*** Ephur has joined #openstack-keystone16:18
*** su_zhang has quit IRC16:21
*** spedione is now known as spedione|AWAY16:25
*** ametts_ has joined #openstack-keystone16:28
*** hockeynut has joined #openstack-keystone16:28
*** ametts has quit IRC16:30
*** dkehn_ has quit IRC16:31
*** tqtran has quit IRC16:31
*** tqtran has joined #openstack-keystone16:40
*** dims has joined #openstack-keystone16:42
*** tqtran has quit IRC16:44
*** dims has quit IRC16:47
*** esp has joined #openstack-keystone16:47
*** dkehn has joined #openstack-keystone16:48
*** roxanaghe has joined #openstack-keystone16:48
*** spedione|AWAY is now known as spedione16:49
*** dims has joined #openstack-keystone16:53
henrynashdstanek: fyi, have made progress on ping me when you are back on16:54
*** adrian_otto has quit IRC16:54
*** tonytan4ever has quit IRC16:54
*** GB21 has joined #openstack-keystone16:55
*** adrian_otto has joined #openstack-keystone16:57
*** slberger has quit IRC16:58
*** sdake has joined #openstack-keystone17:00
*** slberger has joined #openstack-keystone17:01
*** ravelar1 has joined #openstack-keystone17:05
*** ravelar has quit IRC17:05
*** jaosorior has quit IRC17:06
*** esp has quit IRC17:06
*** Ephur has quit IRC17:07
*** harlowja has joined #openstack-keystone17:08
stevemarhenrynash: rderose you guys like stepping on each others toes today eh ;)17:09
rderosestevemar: ;)17:09
stevemarrderose: i think henrynash had first dibs on the patches, let's let him finish it up :)17:09
stevemarreviewing is *just* as important!!!17:09
rderosestevemar: agree, I've abandon my patch for now17:10
stevemarrderose: :)17:10
rderosestevemar henrynash: will add my comments to the latest patch17:10
stevemarglad to hear i didn't need to pass around the peace stick17:10
stevemari've named it lucille17:10
rderosestevemar: why lucille?17:11
stevemarrderose: you need to read the walking dead17:11
*** esp has joined #openstack-keystone17:13
*** asettle has quit IRC17:15
*** su_zhang has joined #openstack-keystone17:17
*** Ephur has joined #openstack-keystone17:19
*** Ephur has quit IRC17:20
*** tqtran has joined #openstack-keystone17:21
*** su_zhang has quit IRC17:21
*** su_zhang has joined #openstack-keystone17:22
*** ayoung has quit IRC17:25
*** asettle has joined #openstack-keystone17:26
*** tqtran has quit IRC17:29
*** adrian_otto1 has joined #openstack-keystone17:31
*** tqtran has joined #openstack-keystone17:32
*** Gorian|work has joined #openstack-keystone17:34
*** adrian_otto has quit IRC17:35
*** iurygregory has quit IRC17:36
*** rcernin has joined #openstack-keystone17:37
openstackgerritMerged openstack/keystone: api-ref: Correcting V3 OS-INHERIT APIs
*** Ephur has joined #openstack-keystone17:39
*** edtubill has quit IRC17:40
*** ayoung has joined #openstack-keystone17:41
*** ChanServ sets mode: +v ayoung17:41
*** tonytan4ever has joined #openstack-keystone17:45
*** iurygregory has joined #openstack-keystone17:53
dstanekhenrynash: back17:53
*** GB21 has quit IRC17:56
*** Ephur has quit IRC18:04
*** Ephur has joined #openstack-keystone18:06
*** Ephur has quit IRC18:08
*** Ephur has joined #openstack-keystone18:08
stevemarwhoa wheres bknudson18:08
*** bknudson has joined #openstack-keystone18:21
*** ChanServ sets mode: +v bknudson18:21
*** Ephur has quit IRC18:25
*** Ephur has joined #openstack-keystone18:26
*** manous has joined #openstack-keystone18:27
manousplease how can i solve this issue
manousin shell i can list everything18:28
manousbut in horizon i have error18:28
*** neophy has joined #openstack-keystone18:33
*** ayoung has quit IRC18:37
*** tqtran has quit IRC18:39
*** asettle has quit IRC18:41
*** rcernin has quit IRC18:42
stevemarhenrynash: around?18:46
*** spzala has quit IRC18:48
*** spzala has joined #openstack-keystone18:48
*** tqtran has joined #openstack-keystone18:49
*** haplo37__ has quit IRC18:50
*** spzala has quit IRC18:51
*** hockeynut has quit IRC18:51
*** spzala has joined #openstack-keystone18:52
*** su_zhang has quit IRC18:56
*** itisha has joined #openstack-keystone18:58
*** tqtran has quit IRC18:59
henrynashstevemar: hi19:03
*** haplo37__ has joined #openstack-keystone19:04
henrynashdstanek: so I don't think backend_sql is read anymore for test_sql_upgrade....I managed to make it work using the env var OS_TEST_DBAPI_ADMIN_CONNECTION which is ready be oslo_db19:04
*** fifieldt has quit IRC19:07
*** edtubill has joined #openstack-keystone19:08
*** haplo37__ has quit IRC19:10
*** tqtran has joined #openstack-keystone19:12
stevemarhenrynash: do you remember what the heck we decided on the topic of  "can domain scoped roles imply global roles?"19:13
stevemarhenrynash: way back when designing DSR19:13
*** ametts_ has quit IRC19:13
patchbotstevemar: patch 351264 - keystone - Add domain check in domain-specific role implication19:13
henrynashstevemar: so a dsr needs to be able to imply a global role (or they would be useless, since only global roles exist in policy files)19:15
henrynashstevemar: a dsr from one domain probably shouldn't be able to imply a dsr in another domain19:15
*** asettle has joined #openstack-keystone19:16
henrynashstevemar: (at least even I am not sure I want to try and write the keystonepolicy rule that would check such an action)19:16
henrynashstevemar: you probably don't want a global role implying a dsr....can't really see the use case for that, and it would be confusing I suspect19:17
*** ametts_ has joined #openstack-keystone19:18
*** fifieldt has joined #openstack-keystone19:18
*** ametts_ has quit IRC19:18
*** roxanaghe has quit IRC19:18
*** asettle has quit IRC19:19
*** ametts has joined #openstack-keystone19:19
*** haplo37__ has joined #openstack-keystone19:22
*** Nisha has joined #openstack-keystone19:24
*** Nisha is now known as Guest3533519:24
*** Guest35335 is now known as nishaYadav19:25
*** nishaYadav is now known as Guest1445119:25
*** Guest14451 is now known as nisha_19:26
*** nisha_ is now known as nisha__19:26
*** su_zhang has joined #openstack-keystone19:26
*** asettle has joined #openstack-keystone19:29
*** slberger has quit IRC19:31
*** asettle has quit IRC19:31
*** adrian_otto1 has quit IRC19:31
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest
*** su_zhang has quit IRC19:34
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest
openstackgerritLance Bragstad proposed openstack/keystone: Add key_hash column to credential table
*** tonytan4ever has quit IRC19:41
dstanekhenrynash: perfect, i'll give that a try too then19:46
*** ayoung has joined #openstack-keystone19:48
*** ChanServ sets mode: +v ayoung19:48
*** nisha_ has joined #openstack-keystone19:50
*** nisha__ has quit IRC19:51
*** nisha_ has quit IRC19:51
*** nisha_ has joined #openstack-keystone19:52
henrynashstevemar: ping19:52
stevemarhenrynash: pong19:52
openstackgerrithenry-nash proposed openstack/keystone: POC of data migration using database triggers
henrynashstevemar: so i was under (maybe a false) impression taht we supported a two cycle upgrade (i.e. we would support Liberty->Newton in one leap) that your understanding?19:55
stevemarhenrynash: that has been the case for a while now19:57
henrynashstevemar: dolphm^19:57
dolphmstevemar: when did that become true?19:58
*** tonytan4ever has joined #openstack-keystone19:58
stevemarit may not have been written down, but i think that's been the unwritten rule the ops have expected19:58
bknudsonI didn't think we ever supported going directly from L->N19:58
dolphmstevemar: unwritten?19:59
dolphmgrenade does not test that case as far as i know19:59
stevemarhey i'm happy to be wrong here19:59
*** ravelar1 has quit IRC20:00
stevemarour schema migrations put an upper limit on 220:00
dolphmstevemar: for maintenance purposes20:01
stevemari asked in -operators20:01
dolphmstevemar: that should really not imply that we support skipping releases as a viable upgrade path20:01
stevemarIIRC most operators will choose to jump 2 releases, but do their db upgrades one at a time20:01
bknudsonAnybody know why we have a "PooledMemachedBackend" --
bknudsondoes it give better performance?20:02
dolphmstevemar: whether it'd be nice to support or not is not the question -- it's a question of whether it's a viable, supported, tested, and documented upgrade path20:02
dolphmstevemar: and AFAIK we've never had the infrastructure resources to make the investment, much less project-level support20:03
*** sigmavirus is now known as sigmavirus|away20:03
henrynashdolphm, stevemar: I absolutely don't think we should try and support a rolling upgrade across 2 releases, I think the question is whether we still support the "offline" (I.e. naked db_sync) across 2 releases20:04
stevemarbknudson: supposedly20:05
dolphmhenrynash: we can't say we support it unless we can test it, and it's not tested20:05
stevemarhenrynash: dolphm what does the governance tag say20:05
stevemar and
stevemarlooks like we're in the clear henrynash20:06
dolphmN-1 to N20:06
stevemaronly n-120:06
stevemarhenrynash: no testing, no docs, no nada :)20:06
stevemarn-1 it is!20:06
* stevemar *applies PTL stamp*20:07
*** ravelar has joined #openstack-keystone20:07
*** su_zhang has joined #openstack-keystone20:08
*** nisha_ has quit IRC20:08
henrynashstevemar: even for a non rolling upgrade? (just checking)20:08
stevemarhenrynash: especially for that, we don't even had it implemented yet :)20:09
stevemarlets get folks rolling 1 release at a time20:09
henrynashstevemar: no, i was say for the NON rolling upgrade (i.e. what we have today)20:09
stevemarerr, can't read20:09
stevemaryes, even for non-rolling, good ol fashioned offline upgrade, we never wrote anywhere that n-2 will work20:10
stevemarhenrynash: i think *we* (IBM) used to have that policy for ICM/ICO which is why you and I are getting confused20:10
henrynashok, we shall make so, captain20:10
henrynashdolphm: simplifcation patch will be done by end of day!20:11
*** nisha_ has joined #openstack-keystone20:11
stevemar15:59 stevemar: what is the expectation for upgrading? jumping 2 releases? (k->m)20:11
stevemar16:00 stevemar: or just single releases20:11
stevemar16:03 jproulx: stevemar:  just single releases, though seems many people are doing (k->l->m) in more or less one go.  I'm working on testing it for my site now.  From what I understand at least for nova you really ahve to go through Liberty because of the way the do lazy migration of DB entries (though I don't think you need to stay at L for any period of time, but as I said I'm in the middle of testing this so not20:11
stevemar 100% sure yet)20:11
*** slberger has joined #openstack-keystone20:11
stevemarhenrynash: as i said, i think folks will upgrade many releases in one maintenance window, but will upgrade dbs one at a time20:12
dolphmstevemar: right, some deployers do multiple upgrades within a maintenance period, but it still takes 3 code bases20:13
dolphmhenrynash: awesome!20:13
dolphmhenrynash: poke me when you have a revision? happy to review it ASAP20:14
*** neophy has quit IRC20:14
stevemar16:14 stevemar: jproulx: but the expectation is that DB schemas can only be ugpraded N-1 to N right?20:14
stevemar16:14 jproulx: That's the official expectation yes.20:14
dolphmall accurate20:15
henrynashdolphm: separate issue: do we use a repo for the migration phase....the reason I did not do that in my patch was to allow migration in batches...i.e. if we had to migrate 1 million rows, then doing it in one go might cause a denial of service to other users of the database...most other projects support batching, e.g. to do 1000 rows you might execute keystone-manage db_sync --migrate --delta 100020:24
*** cargonza has joined #openstack-keystone20:24
dolphmhenrynash: i'd say yes to a separate repo for data migrations, but that's not the reasoning i'd use20:25
samueldmqwhat does a token KVS backend buy us ?20:25
dolphmsamueldmq: backing tokens to memcache and mongo20:25
openstackgerritTin Lam proposed openstack/keystone: api-ref: Document implied roles API
crinkleshould i propose only to stable/mitaka or propose it in master and leave a TODO to remove it?20:26
patchbotcrinkle: patch 347543 - keystone - Add dummy domain_id column to cached role20:26
dolphmhenrynash: we should definitely be better about migrating smaller amount of data at a time, but that can be done in each individual data migration (batching smaller number of updates together, rather than doing an entire table, regardless of size)20:26
samueldmqdolphm: thanks. I am looking at change 34804020:27
dolphmhenrynash: i don't think the caller should have to do anything to get that behavior ... in other words, --migrate should never DoS the db, or lock it for extended periods20:27
samueldmqdolphm: "What is the utility of keeping KVS at all in a world where we are using multiple processes?"20:27
*** tonytan4ever has quit IRC20:27
samueldmqthis was one of the comments left there, I found it interesting and can't have an answer20:28
dolphmsamueldmq: kvs for token persistence is perhaps a bit special compared to the other backends (where i'm not sure anyone has used it in production besides HP)20:29
dolphmdstanek: cc ^20:29
dstanekdolphm: do they actually use it in production?20:29
samueldmqdolphm: thanks for looking at it20:29
henrynashdolphm: I would think it hard for a repo migration to provide the optimal batching....I was imagining we would want to call migrate multiple times....or pass it some batch size that was appropraiet for the customers db in question, how much it is loaded etc.....i.e. how much db bandwidth do they want to use up for migration20:30
*** sdake has quit IRC20:32
henrynashdolphm: (in fact it is actually a mute question for Newton...there are no data migrations!!)20:32
dolphmdstanek: they *did*20:40
dolphmhenrynash: that's true for the moment :P20:42
dolphmhenrynash: maybe that should be a permanent part of oslo.db? [db] data_migration_batch_size = 100 # for example20:44
*** adrian_otto has joined #openstack-keystone20:44
*** tonytan4ever has joined #openstack-keystone20:45
*** raildo has quit IRC20:54
bretonstevemar: regarding
openstackLaunchpad bug 1590779 in oslo.cache "Cache region invalidation works for local CacheRegion object only" [Undecided,In progress] - Assigned to Alexander Makarov (amakarov)20:55
*** roxanaghe has joined #openstack-keystone20:55
stevemarbreton: hmm, yes?20:55
bretonstevemar: i think it should be brought back to confirmed20:55
stevemarbreton: brought back?20:55
bretonstevemar: even if it will be fixed in oslo.cache, we shall probably have to enable it from keystone20:55
stevemarbreton: oh the bug state20:55
bretonstevemar: i am now working on ldap things, bug after that i want to tackle that bug20:56
stevemarbreton: if oslo.cache accepts the backport, and releases a stable version, we'll get it for free20:56
stevemarbreton: if you want it "confirmed" for tracking purposes, i can do that20:56
stevemarbreton: but i'm not wrong in saying we have nothing to do with the fix, right?20:57
bretonstevemar: if oslo.cache accepts the fix, it will not become automatically enabled for keystone20:57
stevemarbreton: why not?20:57
*** sdake has joined #openstack-keystone20:57
stevemarbreton: i was going to ping you about this earlier when i did the triage, but i assumed you were offline, good thing we're having the conversation now20:58
bretonstevemar: because i think it's bad to enable cross-region invalidation in oslo.cache by default making all openstack project use it20:58
bretonstevemar: it might be only our weird ways of using it20:59
bretonstevemar: the patch to oslo.cache ( is in a very early stage and who knows what it becomes after discussion21:00
patchbotbreton: patch 354831 - oslo.cache - Store cache invalidation timestamps on region backend21:00
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add credential functional tests
nisha_samueldmq, rodrigods please have a look when you get time :)21:00
bretonstevemar: and we have not yet figured out what dstanek has, because his patch was interesting21:01
bretonstevemar: and if dstanek's patch won't work, i want to come up with a solution (what a nice name for a hack, eh?) that would work with both versions of dogpile.cache21:02
dstanekbreton: i can't imagine anyone would not want it to properly invalidate21:02
dstanekbreton: why would it not work?21:02
bretondstanek: i don't know. Is it ready for review?21:03
*** haplo37__ has quit IRC21:03
*** julim has quit IRC21:03
dstanekbreton: i'll jump over to it and make sure it is. i'm pretty sure i got things working OK on friday21:04
bretondstanek: got it. Last time i checked it before Friday, so sorry if i'm not on the track21:05
*** spedione is now known as chris_hultin21:06
*** spzala has quit IRC21:07
*** spzala has joined #openstack-keystone21:07
*** sdake has quit IRC21:08
*** adrian_otto has quit IRC21:12
*** spzala has quit IRC21:13
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 ec2
nisha_samueldmq, rodrigods, thanks for suggestions, updated this too ^21:15
*** tqtran has quit IRC21:15
rodrigodsnisha_, think you found a bug21:17
*** sdake has joined #openstack-keystone21:17
rodrigodsthat's good!21:17
nisha_rodrigods, in the credential tests? update one?21:17
rodrigodsnisha_, yep21:17
rodrigodsjust confirmed by taking a look in the code21:17
*** pauloewerton has quit IRC21:18
*** haplo37__ has joined #openstack-keystone21:18
nisha_samueldmq, suggested trying to update it by passing project=None for ec2 type credential, even then the tests didn't fail21:18
*** mvk has joined #openstack-keystone21:19
samueldmqI guess this is because None values get cut off when updaitng21:20
nisha_rodrigods, samueldmq thanks :)21:20
*** nisha_ has quit IRC21:24
*** adrian_otto has joined #openstack-keystone21:27
*** chris_hultin is now known as spedione|AWAY21:27
*** edtubill has quit IRC21:28
*** ametts has quit IRC21:28
*** adrian_otto has quit IRC21:34
*** sdake has quit IRC21:39
*** edtubill has joined #openstack-keystone21:41
openstackgerritBilly Olsen proposed openstack/keystone: Maintain ordered list for KVS token persistence
*** adrian_otto has joined #openstack-keystone21:51
*** sdake has joined #openstack-keystone21:54
*** tqtran has joined #openstack-keystone21:55
*** harlowja has quit IRC21:55
*** tonytan4ever has quit IRC21:57
*** tqtran has quit IRC22:00
*** gordc has quit IRC22:00
*** tqtran has joined #openstack-keystone22:08
*** edtubill has quit IRC22:10
*** haplo37__ has quit IRC22:15
*** tqtran has quit IRC22:15
*** tqtran has joined #openstack-keystone22:16
*** jistr has quit IRC22:18
*** jistr has joined #openstack-keystone22:19
*** sdake has quit IRC22:20
*** hockeynut has joined #openstack-keystone22:29
*** slberger has left #openstack-keystone22:30
*** sdake has joined #openstack-keystone22:35
*** edmondsw has quit IRC22:51
openstackgerrithenry-nash proposed openstack/keystone: Add support for rolling upgrades to keystone-manage
*** sdake has quit IRC22:57
*** tonytan4ever has joined #openstack-keystone22:58
*** michauds has quit IRC23:02
*** tonytan4ever has quit IRC23:03
*** asettle has joined #openstack-keystone23:04
*** markvoelker has quit IRC23:06
*** asettle has quit IRC23:09
*** BjoernT has quit IRC23:13
*** ezpz has quit IRC23:18
*** manous has quit IRC23:18
openstackgerritMerged openstack/keystone: Remove the redundant verification in OAuth1 authorization
openstackgerritSteve Martinelli proposed openstack/keystone: Move fernet utils into keystone/common/
*** gyee has quit IRC23:30
openstackgerritSteve Martinelli proposed openstack/keystone: Make a FernetUtils class
openstackgerritSteve Martinelli proposed openstack/keystone: Pass key_repository and max_active_keys to FernetUtils
openstackgerritSteve Martinelli proposed openstack/keystone: Add credential encryption exception
bretonthat refactoring23:31
bretonmnikolaenko: ^ please rebase on master, new things are merged23:33
stevemarbreton: yeah, refactoring stuff n' things23:34
stevemarbreton: lbragstad is picking up the "encrypting credentials" blueprint and it involved moving fernet around23:34
stevemarcause they want to re-use fernet keys23:35
stevemarthe refactoring was already +2'ed by samueldmq, i just added the BP to the commit message and pushed through (I had +2ed originally)23:35
bretonstevemar: cool. I and mnikolaenko are working on
*** harlowja has joined #openstack-keystone23:36
bretonfor O, obviously23:36
stevemarbreton: ++23:38
*** Gorian|work has quit IRC23:38
openstackgerrithenry-nash proposed openstack/keystone: Add data migration and contract schema logic to keystone-manage
*** hockeynut has quit IRC23:43
*** gyee has joined #openstack-keystone23:49
openstackgerrithenry-nash proposed openstack/keystone: POC of data migration using database triggers
henrynashdolphm, rderose: new patches up for rolling upgrades23:50
rderosehenrynash: cool, I'll take a look. thanks.23:51
henrynashrderose: thx23:54
*** Ephur has quit IRC23:58
*** esp has left #openstack-keystone23:59

Generated by 2.14.0 by Marius Gedminas - find it at!