Thursday, 2016-08-18

« Wednesday, 2016-08-17 Index Friday, 2016-08-19 »
topol@here is the new Keystone logo available yet? Asking for a friend00:00
*** thumpba_ has joined #openstack-keystone00:03
bknudsonget that slack out of here!00:03
*** julim has quit IRC00:03
bknudsonhenrynash: I tried renaming the modules the migration worked.00:03
openstackgerritJamie Lennox proposed openstack/keystoneauth: Allow identity plugins to discover relative version urls  https://review.openstack.org/35680800:04
jamielennoxtopol: i think they were planning to show them off in barcelona - but i'm not sure where i got that impression from00:04
*** thumpba has quit IRC00:05
bknudsonstevemar probably has a shirt with the logo already00:05
topolbknudson whats the irc equivalent? I'm clearly old and confused.. mixing and matching across all these chat systems they make us use00:05
topoljamielennox thanks00:05
bknudsonthere is no irc equivalent to @here, luckily!00:05
topolHa Ha. bknudson you think you can hide00:05
bknudson@here review this!!!00:06
bknudsonnow!!!00:06
*** su_zhang has joined #openstack-keystone00:06
openstackgerritBrant Knudson proposed openstack/keystone: Add expand, data migration and contract logic to keystone-manage  https://review.openstack.org/34993900:10
henrynashbknudson: thanks for working the issues...was on a plane flight late afternoon, hence out of contact00:20
*** gyee_ has quit IRC00:21
*** ravelar has joined #openstack-keystone00:22
*** code-R_ has quit IRC00:22
*** sdake has joined #openstack-keystone00:35
*** roxanaghe has quit IRC00:42
*** wangqun has joined #openstack-keystone00:46
*** jamielennox is now known as jamielennox|away00:48
*** gus has joined #openstack-keystone00:48
*** itisha has quit IRC00:50
*** tqtran has quit IRC00:54
*** spzala has joined #openstack-keystone00:59
*** sdake has quit IRC00:59
*** adu has quit IRC01:00
*** sdake has joined #openstack-keystone01:02
*** spzala has quit IRC01:03
*** jamielennox|away is now known as jamielennox01:04
*** code-R has joined #openstack-keystone01:09
*** sdake has quit IRC01:11
*** spzala has joined #openstack-keystone01:15
*** chrichip has joined #openstack-keystone01:19
*** wangqun_ has joined #openstack-keystone01:21
*** su_zhang has quit IRC01:21
*** su_zhang has joined #openstack-keystone01:22
dolphmhenrynash: are you back home now?01:23
*** wangqun has quit IRC01:25
dstanektopol: go back to slack where you belong!01:26
*** su_zhang has quit IRC01:26
topoldstanek, I find that truly hurtful01:26
topoldstanek, was this hurtful atatck due to my snarky RG III comment?01:27
topolIf so... then I understand dstanek01:27
dstanektopol: no, i've learned to live with bad browns decisions01:27
dstaneki get to go tomorrow night to spend more money on beers that i probably should01:28
*** EinstCrazy has joined #openstack-keystone01:32
*** EinstCrazy has quit IRC01:32
*** EinstCra_ has joined #openstack-keystone01:33
topoldstanek AWESOME!!! Have fun!!!01:33
*** code-R has quit IRC01:37
*** spzala has quit IRC01:38
*** spzala has joined #openstack-keystone01:39
*** edmondsw has quit IRC01:40
*** hockeynut has joined #openstack-keystone01:41
*** Guest81529 has quit IRC01:42
*** spzala has quit IRC01:43
*** haplo37__ has joined #openstack-keystone01:50
*** tqtran has joined #openstack-keystone01:51
*** thumpba_ has quit IRC01:52
stevemaro/01:53
*** tqtran has quit IRC01:56
*** dikonoor has joined #openstack-keystone02:02
dolphmstevemar: go to bed02:02
stevemardolphm: :O02:02
stevemardolphm: k mom02:02
stevemar:)02:02
stevemardolphm: i took the evening off, went to play baseball02:02
stevemarand now watching olympics02:02
*** EinstCrazy has joined #openstack-keystone02:03
*** davechen has joined #openstack-keystone02:04
dstanekfor some definition of fun02:06
*** EinstCra_ has quit IRC02:07
stevemardstanek: heyo!02:07
dstanekoh man. that's what i get for using 'git add -p'02:07
dstanekstevemar: howdy02:08
stevemardstanek: ahoy partner02:09
openstackgerritDavid Stanek proposed openstack/keystone: Add test for revocation corner case in Fernet  https://review.openstack.org/35660702:09
dstanekthat's embarrassing :-(02:09
*** neophy has joined #openstack-keystone02:13
stevemardstanek: what did ya do?02:13
*** chrichip has quit IRC02:13
*** chrichip has joined #openstack-keystone02:15
dstanekstevemar: when i used 'git add -p' i forgot to add the import to the commit - i used -p so that i could avoid pulling in all of my logging02:17
stevemarah02:17
*** haplo37__ has quit IRC02:20
*** thumpba has joined #openstack-keystone02:23
*** EinstCra_ has joined #openstack-keystone02:27
*** EinstCrazy has quit IRC02:29
*** arunkant__ has joined #openstack-keystone02:36
*** arunkant_ has quit IRC02:39
*** eandersson_ has joined #openstack-keystone02:40
*** jamielennox is now known as jamielennox|away02:42
*** chrichip has quit IRC02:45
*** chrichip has joined #openstack-keystone02:47
*** eandersson_ has quit IRC02:47
*** spzala has joined #openstack-keystone03:00
*** julim has joined #openstack-keystone03:05
*** spzala has quit IRC03:05
*** hockeynut has quit IRC03:06
*** jamielennox|away is now known as jamielennox03:07
*** asettle has joined #openstack-keystone03:08
*** thumpba has quit IRC03:15
*** asettle has quit IRC03:16
*** julim has quit IRC03:19
openstackgerritMerged openstack/keystone: api-ref: Document domain specific roles  https://review.openstack.org/35616903:34
*** tonytan4ever has joined #openstack-keystone03:36
*** code-R has joined #openstack-keystone03:38
*** ravelar has quit IRC03:40
*** code-R has quit IRC03:43
*** links has joined #openstack-keystone03:45
*** code-R has joined #openstack-keystone03:47
*** vivek has joined #openstack-keystone03:49
*** vivek is now known as Guest8296703:49
*** code-R_ has joined #openstack-keystone03:50
Guest82967hi03:50
Guest82967does the wildcard * work with cors?03:50
Guest82967I know it is not recommended but in dev environment it will be useful...03:50
Guest82967i tried modifying the kestone.conf for the same but failed...03:52
*** code-R has quit IRC03:52
*** tqtran has joined #openstack-keystone03:52
*** tqtran has quit IRC03:56
*** spzala has joined #openstack-keystone04:01
*** code-R_ has quit IRC04:04
*** tonytan4ever has quit IRC04:05
*** spzala has quit IRC04:07
*** Trixboxer has quit IRC04:15
*** Guest82967 has quit IRC04:16
*** wangqun_ has quit IRC04:17
*** neophy has quit IRC04:19
*** wangqun has joined #openstack-keystone04:24
*** code-R has joined #openstack-keystone04:25
*** neophy has joined #openstack-keystone04:26
*** Trixboxer has joined #openstack-keystone04:28
*** marekd2 has joined #openstack-keystone04:29
*** marekd2 has quit IRC04:35
*** code-R has quit IRC04:38
*** Ephur has quit IRC04:38
*** code-R has joined #openstack-keystone04:38
*** su_zhang has joined #openstack-keystone04:42
*** dikonoor has quit IRC04:46
openstackgerritMerged openstack/keystone: Extracted common ldap setup and use in the filter tests  https://review.openstack.org/33406304:53
openstackgerritMerged openstack/keystone: Removes duplicate ldap test setup  https://review.openstack.org/33406404:53
*** chrichip has quit IRC04:53
*** chrichip has joined #openstack-keystone04:53
*** code-R has quit IRC04:59
*** spzala has joined #openstack-keystone05:00
stevemarhenrynash: if you have time: https://review.openstack.org/#/c/350704/2 https://review.openstack.org/#/c/356596/1 and https://review.openstack.org/#/c/356597/1 are all blocking the caching work :)05:02
patchbotstevemar: patch 350704 - keystone - Make all token provider behave the same with trusts05:02
patchbotstevemar: patch 356596 - keystone - Removes a redundant test from FernetAuthWithTrust05:02
patchbotstevemar: patch 356597 - keystone - Removes use of freezegun in test_auth tests05:02
*** jaosorior has joined #openstack-keystone05:03
*** spzala has quit IRC05:06
*** tonytan4ever has joined #openstack-keystone05:06
*** tonytan4ever has quit IRC05:11
*** code-R has joined #openstack-keystone05:15
*** eandersson_ has joined #openstack-keystone05:24
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35687205:26
*** asettle has joined #openstack-keystone05:35
*** asettle has quit IRC05:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35687205:50
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/35692805:50
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/35692905:50
*** roxanaghe has joined #openstack-keystone05:55
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/35694005:56
*** roxanaghe has quit IRC05:59
*** spzala has joined #openstack-keystone06:03
*** dikonoor has joined #openstack-keystone06:05
*** code-R has quit IRC06:05
*** spzala has quit IRC06:07
*** eandersson_ has quit IRC06:07
*** code-R has joined #openstack-keystone06:08
*** neophy has quit IRC06:08
*** rcernin has joined #openstack-keystone06:12
*** code-R_ has joined #openstack-keystone06:34
*** code-R has quit IRC06:36
*** adriant has quit IRC06:52
*** pcaruana has joined #openstack-keystone06:52
*** code-R_ has quit IRC06:53
*** xek__ has quit IRC07:08
*** tesseract- has joined #openstack-keystone07:17
*** EinstCra_ has quit IRC07:18
*** EinstCrazy has joined #openstack-keystone07:34
*** rvba has joined #openstack-keystone07:40
*** rvba has quit IRC07:40
*** rvba has joined #openstack-keystone07:40
*** roxanaghe has joined #openstack-keystone07:43
*** roxanaghe has quit IRC07:47
*** tqtran has joined #openstack-keystone07:54
*** pnavarro has joined #openstack-keystone07:56
*** tqtran has quit IRC07:59
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:01
*** spzala has joined #openstack-keystone08:04
*** spzala has quit IRC08:08
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** EinstCra_ has joined #openstack-keystone08:21
*** EinstCrazy has quit IRC08:25
*** eandersson_ has joined #openstack-keystone08:26
*** su_zhang has quit IRC08:30
*** su_zhang has joined #openstack-keystone08:31
*** su_zhang has quit IRC08:35
*** jaosorior has quit IRC08:37
*** asettle has joined #openstack-keystone08:39
*** jdennis has quit IRC08:56
*** roxanaghe has joined #openstack-keystone08:58
*** jdennis has joined #openstack-keystone08:59
*** dkehn_ has quit IRC09:00
*** wangqun_ has joined #openstack-keystone09:03
*** spzala has joined #openstack-keystone09:04
*** wangqun has quit IRC09:05
*** d0ugal has quit IRC09:08
*** spzala has quit IRC09:09
*** d0ugal has joined #openstack-keystone09:12
*** d0ugal_ has joined #openstack-keystone09:17
*** d0ugal_ has quit IRC09:18
*** d0ugal_ has joined #openstack-keystone09:18
*** dkehn_ has joined #openstack-keystone09:19
*** d0ugal has quit IRC09:20
*** d0ugal_ has quit IRC09:20
*** d0ugal has joined #openstack-keystone09:20
*** roxanaghe has quit IRC09:21
*** EinstCrazy has joined #openstack-keystone09:28
*** mvk has quit IRC09:29
*** EinstCra_ has quit IRC09:32
openstackgerrithenry-nash proposed openstack/keystone: Add expand, data migration and contract logic to keystone-manage  https://review.openstack.org/34993909:39
*** jdennis1 has joined #openstack-keystone09:52
*** jdennis has quit IRC09:52
*** marekd2 has joined #openstack-keystone09:53
*** asettle has quit IRC09:55
*** asettle has joined #openstack-keystone09:55
*** d0ugal has quit IRC09:58
*** mvk has joined #openstack-keystone09:59
samueldmqmorning keystone10:01
samueldmqhenrynash: hi, where may I start reviewing this rolling upgrade thing10:02
samueldmq?10:02
bretonmorning10:04
*** d0ugal has joined #openstack-keystone10:04
*** mvk has quit IRC10:05
*** spzala has joined #openstack-keystone10:05
*** NishaYadav has joined #openstack-keystone10:07
NishaYadavo/10:07
NishaYadavsamueldmq, morning10:08
NishaYadavstevemar, morning, just saw your comments on the patches, thanks a lot :)10:09
*** spzala has quit IRC10:10
*** davechen has left #openstack-keystone10:15
*** mvk has joined #openstack-keystone10:20
*** NishaYadav has quit IRC10:20
*** nishaYadav has joined #openstack-keystone10:20
samueldmqnishaYadav: morning10:25
samueldmqnishaYadav: it would be nice to fix the docs for the EC2 entity10:28
samueldmqhttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/ec2.py#L1610:28
nishaYadavsamueldmq, sure, will do that in a follow up patch10:29
samueldmqnishaYadav: cool, the docs were wrong, so I was very confused on what was causing the failure10:30
samueldmqthanks to stevemar o/10:30
nishaYadav++ :)10:31
*** EinstCrazy has quit IRC10:32
*** code-R has joined #openstack-keystone10:33
*** code-R_ has joined #openstack-keystone10:40
*** code-R has quit IRC10:43
*** roxanaghe has joined #openstack-keystone10:45
*** roxanaghe has quit IRC10:50
*** amakarov_away is now known as amakarov10:53
*** code-R_ has quit IRC10:57
*** code-R has joined #openstack-keystone10:57
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Follow up patch for Improve docs for v3 ec2  https://review.openstack.org/35710610:58
nishaYadavsamueldmq, ^ please have a look10:59
samueldmqnishaYadav: reviewed11:02
nishaYadavsamueldmq, thanks11:05
*** spzala has joined #openstack-keystone11:06
*** neophy has joined #openstack-keystone11:08
*** neophy has quit IRC11:09
*** spzala has quit IRC11:11
*** spzala has joined #openstack-keystone11:23
*** spzala has quit IRC11:23
*** asettle has quit IRC11:25
*** asettle has joined #openstack-keystone11:26
*** GB21 has joined #openstack-keystone11:28
openstackgerritMerged openstack/python-keystoneclient: Add ec2 functional tests  https://review.openstack.org/35024511:29
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 tokens  https://review.openstack.org/35713611:37
nishaYadavsamueldmq, please have a look ^11:38
*** code-R has quit IRC11:38
*** code-R has joined #openstack-keystone11:38
*** haplo37__ has joined #openstack-keystone11:42
samueldmqnishaYadav: reviewed11:43
samueldmqnishaYadav: just a couple of minor suggestions ..11:43
nishaYadavsamueldmq, sure thanks :)11:43
*** su_zhang has joined #openstack-keystone11:43
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Follow up patch for Improve docs for v3 ec2  https://review.openstack.org/35710611:44
nishaYadavsamueldmq, did the changes to former patch11:44
*** roxanaghe has joined #openstack-keystone11:46
*** su_zhang has quit IRC11:48
*** code-R has quit IRC11:49
*** nishaYadav has quit IRC11:50
*** ayoung has quit IRC11:50
*** roxanaghe has quit IRC11:50
*** tqtran has joined #openstack-keystone11:56
*** jpena is now known as jpena|lunch12:00
*** tqtran has quit IRC12:00
*** code-R has joined #openstack-keystone12:03
*** amoralej is now known as amoralej|lunch12:08
*** woodster_ has joined #openstack-keystone12:10
*** edmondsw has joined #openstack-keystone12:15
*** haplo37__ has quit IRC12:21
*** wangqun_ has quit IRC12:21
*** mvk has quit IRC12:21
*** spzala has joined #openstack-keystone12:24
*** code-R has quit IRC12:24
*** pauloewerton has joined #openstack-keystone12:25
*** gordc has joined #openstack-keystone12:27
*** spzala has quit IRC12:29
*** asettle has quit IRC12:34
*** asettle has joined #openstack-keystone12:34
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/35694012:40
*** rodrigods has quit IRC12:48
*** rodrigods has joined #openstack-keystone12:48
*** julim has joined #openstack-keystone12:53
*** jpena|lunch is now known as jpena12:55
*** raildo has joined #openstack-keystone13:00
*** code-R has joined #openstack-keystone13:05
*** amoralej|lunch is now known as amoralej13:08
*** code-R_ has joined #openstack-keystone13:09
*** code-R has quit IRC13:13
*** links has quit IRC13:16
*** richm has joined #openstack-keystone13:17
*** thumpba has joined #openstack-keystone13:17
*** adu has joined #openstack-keystone13:19
*** ametts has joined #openstack-keystone13:20
dikonoordstanek: Hi,I have few queries around the shadow user blueprint13:28
dikonoordstanek:https://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/shadow-users-newton.html13:28
dikonoordstanek: First, the spec says -"Refactor user table into an identity table and a locally-managed password table. Migrate data from the user table to these new tables and ultimately remove the user table. Modify backend code to utilize the new tables."13:30
lbragstaddstanek rderose dolphm stevemar samueldmq after collecting my thoughts - I attempted to summarize yesterday's conversation here - https://review.openstack.org/#/c/354495/613:30
patchbotlbragstad: patch 354495 - keystone - Add conf to support credential encryption13:30
dikonoordstanek:dolphm: However, i don't see a table named "identity" at all13:31
dikonoordstanek:dolphm: Second, when I configure openstack with ldap, there are entries created in user , local_user and nonlocal_user table and lot of information seems to be duplicated across the tables.13:32
dikonoordstanek:dolphm:I read the mitaka and newton specs and I am not completely clear on why we have it this way.13:33
dikonooranyone else who might have the answers ?13:35
*** BigWillie has joined #openstack-keystone13:39
*** spzala has joined #openstack-keystone13:42
*** ezpz has joined #openstack-keystone13:42
openstackgerritMikhail Nikolaenko proposed openstack/keystone: [WIP] Move fernet utils to backend  https://review.openstack.org/35649913:43
dstanekdikonoor: there is no idenity table13:43
dstanekeven for ldap users there will be a record in the user table13:44
dikonoordstanek: and guess there will  be no identity table in future as well..13:44
dikonoordstanek: and user table will eventually go away?13:44
dstanekdikonoor: the user table will not be going away13:45
dstanekdikonoor: the second paragraph in the spec does a decent job of describing why we want this change13:47
dikonoordstanek: i will take a look at the code and get back. I am not sure I understand why we need entries in user, local and nonlocal tables13:47
dstanekyou shouldn't get records in all those tables for an ldap user13:49
*** BjoernT has joined #openstack-keystone13:49
dikonoordstanek: what are the tables that should be updated for a ldap user?13:50
dstanekdikonoor: although all users will have two records a user plus one of the other13:50
dstanekprobably user and nonlocal_User13:51
dikonoordstanek: well, thats what i thought it should be13:52
dstanekare you seeing something different?13:52
*** adu has quit IRC13:53
dikonoordstanek: i initially thought there would be entries in user , password and local_user table for sql users; user and nonlocal_user entries for ldap and custom drivers;13:53
dikonoorand entries in user and federated_user for federated users13:53
dikonoorbut i see entries in user, local_user and nonlocal_user for custom and ldap users; i haven't tried sql and federated users..13:54
samueldmqlbragstad: hi13:54
samueldmqlbragstad: why do we need 'database triggers that disables credential create or update' ?13:54
dikonoordstanek: and that's why I got confused. but if you say that's not expected, then let me try it again just so that i can confirm (and open a bug)13:55
samueldmqlbragstad: just create triggers to put the data in both columns, and both mitaka and newton code will work correctly13:55
lbragstadsamueldmq otherwise we run into an issue where the database triggers will copy incorrect data from one column to another13:55
lbragstadsamueldmq mitaka code won't understand encrypted data13:55
dstanekdikonoor: what you said is exactly what i expect to see13:55
lbragstadsamueldmq and if we want to provide sane default for keystone.conf out of the box - we should make it so newton code only understand encrypted data13:56
samueldmqlbragstad: and we don't want to put any logic in keystone13:56
samueldmqto duplicate the data13:56
samueldmqlbragstad: I agree with your comment there then13:56
dikonoordstanek: ok..thanks for confirming that..I will try and get back13:56
lbragstadsamueldmq the simplest resolution we found was for force a limited service outage for credentials during the upgrade13:57
lbragstadwas to force*13:57
*** edtubill has joined #openstack-keystone13:57
*** ayoung has joined #openstack-keystone13:57
*** ChanServ sets mode: +v ayoung13:57
lbragstadotherwise copying data back and forth started to become a nightmare13:57
*** itisha has joined #openstack-keystone13:57
openstackgerritEduardo Magalhães proposed openstack/python-keystoneclient: Fix no content return type doc  https://review.openstack.org/35723613:58
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Fix no content return type doc  https://review.openstack.org/35723614:00
samueldmqnotmorgan: hey14:04
*** EinstCrazy has joined #openstack-keystone14:04
samueldmqnotmorgan: do you have anything for https://blueprints.launchpad.net/keystone/+spec/serviceid-binding-with-role-definition ?14:04
samueldmqnonameentername: there is a commet from you there, as it was supposed to be updated with something after the kilo summit14:04
samueldmqnonameentername: not you, notmorgan  ^14:04
samueldmqnotmorgan: I think that bp is not valid anymore14:04
*** arunkant__ has quit IRC14:07
*** edtubill has quit IRC14:10
*** edtubill has joined #openstack-keystone14:17
*** asettle has quit IRC14:20
*** edtubill has quit IRC14:20
*** asettle has joined #openstack-keystone14:21
*** asettle has quit IRC14:21
*** asettle has joined #openstack-keystone14:21
*** edtubill has joined #openstack-keystone14:24
*** ravelar has joined #openstack-keystone14:25
*** edtubill has quit IRC14:27
samueldmqrderose: hi14:28
*** haplo37__ has joined #openstack-keystone14:28
samueldmqrderose: can you look at my comment in 351749 ?14:28
rderosesamueldmq: hey14:28
rderosesure14:28
samueldmqrderose: hey :)14:28
*** ravelar has quit IRC14:28
samueldmqrderose: I think that's ready to go14:28
samueldmqrderose: looks like that and 343314 are the last ones14:29
*** gagehugo_ has joined #openstack-keystone14:29
*** ravelar has joined #openstack-keystone14:29
rderosesamueldmq: yeah, it's definitely a more descriptive name14:30
rderosesamueldmq: let me change it14:30
ayoungrderose, samueldmq what is burning and needs my attention?  I've been slacking on reviews, and you guys have been cranking14:30
rderoseayoung: how about: https://review.openstack.org/#/c/343314/14:31
patchbotrderose: patch 343314 - keystone - PCI-DSS Minimum password age requirements14:31
ayoungrderose, how long was password_change_limit_per_day  in there?14:33
rderoseayoung: not long, we just added it in Newton14:34
ayoungSo safe to replace14:34
rderoseayoung: yes14:34
*** edtubill has joined #openstack-keystone14:34
rderoseayoung: yeah, that feature was never implemented, was just the initial idea14:34
ayoung++14:34
*** jed56 has quit IRC14:35
*** jdennis has joined #openstack-keystone14:35
ayoungrderose, I thought passwords were going into their own table now?14:35
ayoung user_ref = session.query(model.User).get(user_id)14:35
ayoungstill in the user?14:35
*** jdennis1 has quit IRC14:35
rderoseayoung: they are14:35
rderoseayoung: the user model includes a password ref list14:36
rderoseayoung: so user -> local_user -> password14:36
ayoungrderose, sql alchemy doing the join?14:36
rderoseayoung: yes14:36
ayoungrderose, do you ahve a test that ensures that everything works if the min age is not set?14:37
rderoseayoung: yes14:37
ayoungwhich one?14:37
rderosehttps://review.openstack.org/#/c/343314/50/keystone/tests/unit/test_v3_identity.py14:38
patchbotrderose: patch 343314 - keystone - PCI-DSS Minimum password age requirements14:38
rderoseayoung: ^14:38
ayoungrderose, lookin14:38
ayoungtest_admin_password_reset_with_min_password_age_enabled14:38
rderoseayoung: sorry, misread14:38
ayoungtest_changing_password_with_min_password_age(14:38
rderoseayoung: everything still works when min age is disabled?14:39
ayoungrderose, I am trying to confirm we won't break people that do not have a value set here14:39
samueldmqrderose: ayoung  brb gotta pick up kid at school14:39
rderoseayoung: it's disabled by default14:39
*** su_zhang has joined #openstack-keystone14:39
ayoungrderose, probably still should be explicitly tested.14:39
*** spedione|AWAY is now known as spedione14:39
ayoungrderose, its probably OK as is, but look through and find another test that implicitly tests it, would you?14:40
rderoseayoung: test_changing_password_with_min_password_age does disable and then tests change_password14:41
rderoseayoung: in test_v3_identity.py14:41
*** edtubill has quit IRC14:41
*** d0ugal has quit IRC14:41
ayoungrderose, +2 from me14:42
ayounglooks well reviewed and thought out14:42
rderoseayoung: sweet!  thanks :)14:43
*** edtubill has joined #openstack-keystone14:44
rderoseayoung: Glad to finally have your input on some of the PCI. I know you've been meaning to weight in, but have been busy.  Thanks.14:45
ayoungrderose, any others?14:45
rderoseayoung: for PCI, no. all of the others have been merged14:46
*** edtubill has quit IRC14:47
*** jaugustine has quit IRC14:47
*** edtubill has joined #openstack-keystone14:47
*** xenogear has quit IRC14:47
*** d0ugal has joined #openstack-keystone14:48
*** d0ugal has quit IRC14:48
*** d0ugal has joined #openstack-keystone14:48
*** nk2527_ has quit IRC14:49
*** gagehugo has quit IRC14:49
openstackgerritRon De Rose proposed openstack/keystone: Password expires ignore user list  https://review.openstack.org/35174914:51
*** dmellado|off is now known as dmellado14:52
*** tonytan4ever has joined #openstack-keystone14:57
rderoseayoung: ^ this one is not PCI, but related14:57
*** edtubill has quit IRC14:58
samueldmq rderose: oh 343314 is gating already14:59
*** edtubill has joined #openstack-keystone14:59
samueldmqrderose: so the bp will be considered implemented after 351749?15:00
*** michauds has joined #openstack-keystone15:00
rderosesamueldmq: yeah, hallelooya!15:00
rderosesamueldmq: however, 351749 is not PCI, however stevemar tied it to the blueprint15:01
ayoungrderose, +2A15:01
rderosesamueldmq: 343314 is really the last PCI patch, 351749 is just the icing on the cake :)15:02
rderoseayoung: sweet!15:02
*** xenogear has joined #openstack-keystone15:02
samueldmqrderose: changed https://blueprints.launchpad.net/keystone/+spec/pci-dss to implemented15:03
samueldmqrderose: well done!15:03
*** hockeynut has joined #openstack-keystone15:04
rderosesamueldmq: thanks!  appreciate your reviews :)  glad to finally have this off my plate15:04
samueldmq\o/15:05
samueldmq#success keystone is now pci-dss compliant15:05
openstackstatussamueldmq: Added success to Success page15:05
*** EinstCrazy has quit IRC15:05
*** d0ugal has quit IRC15:09
*** edtubill has quit IRC15:09
bknudsonsure it is.15:12
openstackgerritMerged openstack/python-keystoneclient: Follow up patch for Improve docs for v3 ec2  https://review.openstack.org/35710615:14
*** edtubill has joined #openstack-keystone15:15
stevemaro/15:15
stevemarrderose: i consider it critical :P15:16
rderosestevemar: cool15:17
samueldmqwell, not 100% compliant :p15:17
samueldmqstevemar: o/15:17
bknudsonyou need to pay someone to declare your solution compliant. That's the racket.15:18
*** mvk has joined #openstack-keystone15:19
*** michauds has quit IRC15:19
*** arunkant_ has joined #openstack-keystone15:21
*** rcernin has quit IRC15:22
lbragstadbknudson believe it or not - I will take donations to say your solution is compliant15:22
lbragstad:)15:22
lbragstadfor two donations I'll even say it's "super certified"15:23
samueldmqhehe15:23
*** d0ugal has joined #openstack-keystone15:24
*** su_zhang has quit IRC15:28
*** sdake_ has joined #openstack-keystone15:29
*** su_zhang has joined #openstack-keystone15:29
samueldmqrderose: can you reply dolph's comment in 35174915:33
samueldmq?15:33
*** su_zhang has quit IRC15:33
dolphmsamueldmq: we've already discussed it outside of gerrit - i just wanted to file my objection for the record15:34
samueldmqdolphm: k, I will let that proceed to the gate then15:34
*** jaugustine has joined #openstack-keystone15:37
*** nk2527 has joined #openstack-keystone15:41
*** gagehugo has joined #openstack-keystone15:47
stevemarbreton: new "ldap_populate" today? :)15:49
*** mvk has quit IRC15:50
*** gagehugo_ has quit IRC15:51
*** michauds has joined #openstack-keystone15:52
*** edtubill has quit IRC15:53
*** edtubill has joined #openstack-keystone15:55
stevemari'll let henrynash address the comments here: https://review.openstack.org/#/c/349939/2415:57
patchbotstevemar: patch 349939 - keystone - Add expand, data migration and contract logic to k...15:57
*** tqtran has joined #openstack-keystone15:57
mfischcrinkle: stevemar: Crinkle's patch has my personal blessing15:58
mfischI told you it would work15:58
mfisch;)15:58
mfischthanks for the fix15:58
*** tonytan4ever has quit IRC16:00
*** edtubill has quit IRC16:01
*** tonytan4ever has joined #openstack-keystone16:01
dolphmmfisch: \o/16:02
*** tqtran has quit IRC16:02
mfischI think you should be sure your upgrade tests include caching16:03
mfischfernet implies caching IMHO16:03
mfischas I think 3 wise men once said at a Summit talk16:03
stevemarmfisch: most of our upgrade tests are unit tests16:04
stevemarand its hard to do caching+unit tests16:04
stevemarregardless16:04
stevemarthank you for the verification16:04
stevemaryou are an indispensable resource for the keystone team !16:04
dstanekstevemar: ++16:05
stevemarayoung: i'm going to bump "views" to O -- reasoning is in the patch16:05
ayoungstevemar, works16:05
dolphmmfisch: i'm hoping that we'll have a voting job via openstack-ansible that actually does a multi-node rolling upgrade with caching & fernet at some point (hopefully by end of year)16:05
ayoungstevemar, so, on the "token expiration" solution from the midcycle, Ithink it needs the is_admin_project fix first16:06
mfischthat would be cool16:06
stevemarayoung: i spoke with jamie about bumping the job last night, he is cool with it16:06
ayoungwe want one project to say "I will accept expired user tokens along with tokens from a nother service iff  they have Role R on the admin project"16:06
stevemarayoung: we gotta fix all the services first?16:06
notmorganbknudson: ++ on your response to the #success16:06
ayoungso, for example, glance will accept it if the service token has the Nova role16:07
ayoungstevemar, that fix is pretty close, actuallly16:07
ayoungstevemar, jamielennox has fixes in for most services.  I just bugged Neutron and Cinder on the mailing list16:07
ayounglooks like Cue also needs some prodding16:07
ayoungI think the rest are done16:08
dstanekdolphm: is anyone working on that already?16:08
stevemarayoung: oh nice16:09
stevemarayoung: i haven't been tracking that one much16:09
dolphmdstanek: my understanding is that it's on the roadmap for the OSIC QE team, but i'd also like to see some investment from the regular OSA community16:09
stevemargood to hear16:09
ayoungstevemar, I am trying to think along the lines of "how do we integrate 3rd party services into the workload"16:09
*** gyee has joined #openstack-keystone16:09
ayoungstevemar, we've done a lot of talking about trusted services like nova nad glance16:10
dstanekdolphm: nice. that will be great to have16:10
ayoungbut I am starting to think all of the *aaS services are ina different class16:10
ayoungso if a workflow engine calls into Sahara which calls Heat, and each is run by a different Org, we want to be able to let them all do their thing16:10
ayoungthe part I don't like is we have no way to tell a user "here is what you need to delegate to this service"16:11
ayoungits all or nothing, and that is just yucky. ...to use a technical term16:11
ayoungI would love to have a pattern likethis:16:11
dolphmdstanek: sorry, osic ops, not QE16:12
ayoung1.  If a user sends no token, or an expired token, to an API,they get back a 401.16:12
ayoung2.  They then get a token with scope but no roles, or a simple role like "just query"16:12
ayoungThey then get back another 401, but this time with "here is the role I require"16:12
ayoungbascially, how OAUTH does things16:12
ayoungUser then goes and gets a token with that role, and sends it to the service, and now they get the 20016:13
*** Ephur has joined #openstack-keystone16:13
*** gagehugo_ has joined #openstack-keystone16:14
openstackgerritDolph Mathews proposed openstack/keystone: Add rolling upgrade documentation  https://review.openstack.org/35079316:15
*** nishaYadav has joined #openstack-keystone16:15
bretonstevemar: mapping_populate16:16
*** roxanaghe has joined #openstack-keystone16:16
bretonstevemar: today, yes16:16
openstackgerritMerged openstack/keystonemiddleware: Use AccessInfo in UserAuthPlugin instead of custom  https://review.openstack.org/33871416:16
*** sdake_ has quit IRC16:16
*** ametts has quit IRC16:16
odyssey4medolphm dstanek yep, once N3 is done we've got a guy who'll be largely focused on doing just that - with support from the rest of us... we're very keen to have the rolling upgrade test in place for NEwton's release16:17
dolphmodyssey4me: =D16:19
stevemarbreton: ah yeah, mapping_populate16:19
*** ametts has joined #openstack-keystone16:21
*** michauds has quit IRC16:25
*** gagehugo_ has quit IRC16:26
*** tesseract- has quit IRC16:26
openstackgerritBoris Bobrov proposed openstack/keystone: Add mapping_populate command  https://review.openstack.org/34302816:27
openstackgerritSteve Martinelli proposed openstack/keystone: Add domain check in domain-specific role implication  https://review.openstack.org/35126416:33
stevemarsomeone (ayoung) want to look at ^ it involves a bug as well, but i think it'll break trusts, there is one failing test16:35
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 tokens  https://review.openstack.org/35713616:35
stevemarbreton: nice16:37
*** thumpba_ has joined #openstack-keystone16:37
*** thumpba has quit IRC16:39
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/35692916:40
*** itisha has quit IRC16:40
*** code-R_ has quit IRC16:41
*** sdake has joined #openstack-keystone16:43
openstackgerritMerged openstack/keystone: PCI-DSS Minimum password age requirements  https://review.openstack.org/34331416:43
*** nisha_ has joined #openstack-keystone16:45
*** nishaYadav has quit IRC16:45
*** nisha_ is now known as nishaYadav16:45
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/35692816:48
*** ravelar1 has joined #openstack-keystone16:51
*** ravelar has quit IRC16:51
*** ankur-gupta-f has joined #openstack-keystone16:52
*** d34dh0r53 is now known as RichardLongus16:52
*** eandersson_ has quit IRC16:54
*** nisha_ has joined #openstack-keystone16:56
*** dikonoor has quit IRC16:57
*** asettle has quit IRC16:58
*** RichardLongus is now known as d34dh0r5316:58
*** asettle has joined #openstack-keystone16:58
*** ravelar1 is now known as ravelar16:59
*** nishaYadav has quit IRC16:59
*** su_zhang has joined #openstack-keystone17:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35687217:01
*** asettle has quit IRC17:03
*** tonytan_brb has joined #openstack-keystone17:04
*** nisha_ is now known as nishaYadav17:04
*** su_zhang has quit IRC17:06
*** tonytan4ever has quit IRC17:06
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/35694017:07
*** su_zhang has joined #openstack-keystone17:07
*** marekd2 has quit IRC17:11
*** marekd2 has joined #openstack-keystone17:12
*** marekd2 has quit IRC17:17
*** marekd2 has joined #openstack-keystone17:17
*** Ephur has quit IRC17:18
*** marekd2_ has joined #openstack-keystone17:19
*** marekd2 has quit IRC17:22
*** Gorian|work has joined #openstack-keystone17:23
*** marekd2_ has quit IRC17:23
*** tonytan_brb is now known as tonytan4ever17:25
*** gyee has quit IRC17:28
openstackgerritLance Bragstad proposed openstack/keystone: Make KeyRepository shareable  https://review.openstack.org/35605317:29
openstackgerritLance Bragstad proposed openstack/keystone: Add conf to support credential encryption  https://review.openstack.org/35449517:30
openstackgerritLance Bragstad proposed openstack/keystone: Add key_hash and encrypted_blob to credential table  https://review.openstack.org/35561817:30
openstackgerritLance Bragstad proposed openstack/keystone: Add create and update methods to credential Manager  https://review.openstack.org/35505617:30
openstackgerritLance Bragstad proposed openstack/keystone: Create a fernet credential provider  https://review.openstack.org/35449617:30
*** ravelar has quit IRC17:32
lbragstaddolphm still working on the migration pieces - but i rebased on the rest of the henrynash's work17:33
lbragstadgoing to break for lunch17:33
*** nisha_ has joined #openstack-keystone17:33
dolphmlbragstad: have you dug into writing triggers or anything yet?17:33
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Reuse Domain and Project resouce definitions  https://review.openstack.org/35736717:35
samueldmqstevemar: ^17:35
samueldmqstevemar: this fixes what is making 356041 fail17:36
*** nishaYadav has quit IRC17:36
samueldmqI am not sure we could simply get off of those classes and just re-use the exisitng ones in projects.py and doamins.py17:37
samueldmqstevemar: because the Project and Domain classes in auth.py are public symbols17:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add auth functional tests  https://review.openstack.org/35604117:37
*** tqtran has joined #openstack-keystone17:39
*** hockeynut has quit IRC17:44
*** nisha_ is now known as nishaYadav17:51
*** rcernin has joined #openstack-keystone17:51
*** amakarov is now known as amakarov_away17:52
stevemarsamueldmq: good question17:57
*** nisha_ has joined #openstack-keystone18:00
*** nisha__ has joined #openstack-keystone18:02
*** nishaYadav has quit IRC18:04
*** nisha_ has quit IRC18:06
*** nisha__ is now known as nishaYadav18:07
nishaYadavI am trying to make an object of class:`keystoneclient.access.AccessInfo`. Can anyone please help me proceed?18:11
nishaYadavsamueldmq, can you please help with this ^18:14
*** ravelar has joined #openstack-keystone18:15
nishaYadavI see this in the doc,  def factory(cls, resp=None, body=None, region_name=None, auth_token=None, **kwargs):18:18
nishaYadavBut don't know what to pass in cls18:18
samueldmqnishaYadav: why do you need to create a AccessInfo? is it for the token stuff ?18:20
nishaYadavYeah, I am writing the token functional tests, so for the revoke_token test18:22
nishaYadavsamueldmq, any other way around?18:22
bknudsonverify_token will return an accessinfo18:23
bknudsonalso, there's probably a function to get the access info when authenticating, or a way to get the accessinfo for the session token?18:23
bknudsonthe cls argument is provided by the python interpreter.18:27
stevemardhellmann: poke18:27
* dhellmann grunts18:27
stevemardhellmann: regarding https://review.openstack.org/#/c/357214/1 why is it such a short release?18:28
patchbotstevemar: patch 357214 - releases - proposed ocata schedule18:28
stevemardhellmann: i suppose we could talk in -release...18:28
dhellmannstevemar : yeah18:28
*** spedione is now known as spedione|AWAY18:28
samueldmqbknudson: nice, thanks for the tips, I will try that with nishaYadav18:28
nishaYadavbknudson, thanks a lot  :)18:29
*** hockeynut has joined #openstack-keystone18:36
*** ayoung has quit IRC18:37
*** michauds has joined #openstack-keystone18:38
*** nisha_ has joined #openstack-keystone18:40
*** nisha__ has joined #openstack-keystone18:43
*** nishaYadav has quit IRC18:44
*** su_zhang has quit IRC18:44
*** nisha__ is now known as nishaYadav18:44
*** nisha_ has quit IRC18:46
openstackgerritMerged openstack/python-keystoneclient: Fix no content return type doc  https://review.openstack.org/35723618:47
*** catintheroof has joined #openstack-keystone18:49
bknudsonwhen we change the recommendataion for a config change we wind up changing it in probably 7 or 8 repos.18:51
bknudsone.g., keystone config help text & doc, devstack, but then also ansible, (and for me, ursula and arrrsula)18:52
lbragstaddolphm not yet18:52
bknudsonwould be interesting if we could somehow have the recommended config in the keystone repo somehow (or in a single other repo that the deployers could use)18:53
lbragstaddolphm that's what i'm going to look into once I collapse https://review.openstack.org/#/c/317169/33 into https://review.openstack.org/#/c/355618/718:53
patchbotlbragstad: patch 317169 - keystone - Implement encryption of credentials at rest18:53
patchbotlbragstad: patch 355618 - keystone - Add key_hash and encrypted_blob to credential table18:53
*** gagehugo_ has joined #openstack-keystone18:53
*** gagehugo has quit IRC18:54
*** gagehugo_ has quit IRC18:54
*** gagehugo has joined #openstack-keystone18:54
openstackgerritMerged openstack/keystone: Add dummy domain_id column to cached role  https://review.openstack.org/34754318:55
*** gagehugo_ has joined #openstack-keystone18:56
*** fifieldt has quit IRC19:06
stevemarbknudson: i think i already asked you, but https://bugs.launchpad.net/keystone/+bug/1609566 -- anything new on that one?19:06
openstackLaunchpad bug 1609566 in OpenStack Identity (keystone) "500 error from revocation event deserialize" [Medium,In progress] - Assigned to Brant Knudson (blk-u)19:06
stevemarshould i bump it from newton-319:06
bknudsonstevemar: still looking into it.19:07
bknudsonI'm trying to create it using our internal dev process, so having to learn that.19:07
*** spedione|AWAY is now known as spedione19:09
stevemarbknudson: okay, i can hold keep it targeted for a bit19:09
stevemarbut if we're not able to recreate it consistently, buuuump19:09
*** spedione is now known as spedione|AWAY19:09
*** spedione|AWAY is now known as spedione19:10
bknudsonit keeps happening in our psr (perf test) environment, I just haven't been able to figure out how to recreate in my dev environment19:10
*** julim has quit IRC19:13
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Follow up patch for Add ec2 functional tests  https://review.openstack.org/35742019:14
openstackgerritMerged openstack/keystone: Password expires ignore user list  https://review.openstack.org/35174919:14
*** julim has joined #openstack-keystone19:14
*** gagehugo has quit IRC19:14
openstackgerritMerged openstack/keystone: Tidy up for late-breaking review comments on keystone-manage  https://review.openstack.org/35615819:14
*** fifieldt has joined #openstack-keystone19:17
*** thumpba_ has quit IRC19:29
stevemardolphm: thanks for reviews the patches that lead up to the caching fix19:30
dolphmstevemar: ++19:31
stevemardstanek: let me and dolphm know when you're all ready for the cache fix19:31
stevemardstanek: breton liked the latest incarnation of it19:31
*** su_zhang has joined #openstack-keystone19:32
dstanekstevemar: i'm writing some tests for it now :-) - the code itself hasn't changed, but it's only hand tested19:32
dolphmdstanek: sounds artisanal19:33
dstanekdolphm: gently hand crafted by a caring developer19:33
dolphmdstanek: Hipster+Workflow+119:33
*** dgonzalez has quit IRC19:34
dstanekyours now for the low price of 2(+2)+A!19:34
*** su_zhang has quit IRC19:36
samueldmqstevemar: replied your question in 35736719:38
samueldmqit would be nice to get someone else's view on it ^19:39
samueldmqand possibly a low priced  +2+A19:39
*** thumpba has joined #openstack-keystone19:39
*** dgonzalez has joined #openstack-keystone19:45
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add tokens functional tests  https://review.openstack.org/35743519:48
nishaYadavsamueldmq, ^ the link, thanks :)19:49
*** nishaYadav has quit IRC19:52
samueldmqthanks19:53
samueldmqdolphm: henrynash: for the rolling upgrades, do we still have the concept of only making additive changes to the schema?19:53
samueldmqand then things can only be removed in the N+1 release?19:53
samueldmqwhat I am thinking is that the contract step can remove things19:54
samueldmqthen we don't need to wait for N+119:54
dolphmsamueldmq: only in the expand repo19:55
dolphmsamueldmq: Each of the three new repos has it's own set of banned and whitelisted operations. You shouldn't be able to drop tables, columns, indexes, or triggers in the expand or data migration repos. You shouldn't be able to create tables, columns, indexes, or triggers in the data migration or contraction repos. You shouldn't be able to UPDATE or DELETE data in the expand or contract repos.19:55
samueldmqdolphm: perfect19:55
samueldmqthanks19:55
*** ezpz has quit IRC19:58
*** su_zhang has joined #openstack-keystone20:01
*** su_zhang has quit IRC20:01
*** su_zhang has joined #openstack-keystone20:01
dolphmbknudson: i see you renamed the migrations in each repo of henrynash's patch, but you didn't say why... i'm assuming that somehow fixed the issue you were debugging last night?20:02
dolphmbknudson: or is it the fact that you made them all no-op's that somehow fixed it?20:02
bknudsondolphm: should have just been a rename. It fixed the issue I was debugging last night.20:03
bknudsonI wasn't trying to make noops20:03
dolphmbknudson: can i ask how?20:03
bknudsondolphm: hang on I have a meeting.20:03
dolphmbknudson: oh, the no-op thing was henry, after you20:04
dolphmbknudson: no worries20:04
*** thumpba has quit IRC20:04
*** GB21 has quit IRC20:04
bknudsondolphm: see http://paste.openstack.org/show/560282/ -- sqlalchemy-migrate caches objects (singleton-style) and for some reason it was getting the wrong instance!20:08
bknudsondidn't look into it enough to figure out why, just figured if I changed the key it wouldn't get confused.20:09
*** ayoung has joined #openstack-keystone20:09
*** ChanServ sets mode: +v ayoung20:09
dolphmbknudson: oh, wow20:10
dolphmbknudson: maybe it should key off repo + migrate module name20:11
*** gyee has joined #openstack-keystone20:11
*** ChanServ sets mode: +v gyee20:11
bknudsonI don't understand how it gets confused, the key has the whole path: '/opt/stack/keystone/keystone/common/sql/expand_repo/versions/001_make_password_create_at_non_nullable.py'20:12
bknudsonso there shouldn't be any way for that to match '/opt/stack/keystone/keystone/common/sql/contract_repo/versions/001_make_password_create_at_non_nullable.py'20:13
dolphmbknudson: bah, you're right20:13
*** afred312_ has joined #openstack-keystone20:23
*** BigWillie has quit IRC20:24
dstaneki'm not sure why rally hates me so much20:24
*** afred312 has quit IRC20:24
openstackgerritAlexander Oughton proposed openstack/keystoneauth: Disables setting of TCP_KEEPCNT when running under the Windows Subsystem for Linux.  https://review.openstack.org/35745220:25
openstackgerritAlexander Oughton proposed openstack/keystoneauth: Disables setting of TCP_KEEPCNT when running under the Windows Subsystem for Linux.  https://review.openstack.org/35745220:30
dolphmdstanek: tests keep passing?20:37
dstanekdolphm: yeah. going to try to setup two faster nodes that share a db.20:37
dolphmdstanek: need bare metal?20:38
dstanekdolphm: not sure yet. it's hard to tell if it's a speed thing, a concurrency thing, etc.20:38
dstanekdolphm: if this doesn't work i'll let you know20:39
dolphmdstanek: ack20:39
*** pnavarro has quit IRC20:40
dstanekdolphm: i'm doing a few thing concurrently, but unfortunately humans can fork. cooperative multitasking sucks.20:40
stevemardolphm: do you plan on running the script amakarov wrote to validate pre-caching tokens works?20:48
*** AlexOughton has joined #openstack-keystone20:49
stevemardolphm: what are we waiting for with https://review.openstack.org/#/c/349939/24 ? theres a lot of back and forth and i'm not sure henry has a to-do?20:50
patchbotstevemar: patch 349939 - keystone - Add expand, data migration and contract logic to k...20:50
dolphmstevemar: i withdrew my +2 for this https://review.openstack.org/#/c/349939/24/keystone/common/sql/migration_helpers.py@19520:53
patchbotdolphm: patch 349939 - keystone - Add expand, data migration and contract logic to k...20:53
stevemardolphm: _sync_common_repo() is run in the expand_schema?20:54
dolphmstevemar: if you're upgrading from mitaka, checkout newton up to this patch, and run db_sync, you won't get any of the legacy migrations at all20:54
stevemardolphm: line221?20:55
dolphmstevemar: oh, i missed that...20:55
dolphmstevemar: hmm20:55
stevemarreplied20:55
dolphmi guess that works for now20:55
dolphmstevemar: i'd like to put some stronger checks around the version numbers of each repo before we run any migrations20:55
stevemardolphm: *shrugs* i can change it to be more explicit and run _sync_common_repo() first before expand20:55
dolphmstevemar: can tweak that then20:55
lbragstadis anyone here familiar enough with https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_credential.py#L36-L49 to explain it's use?20:55
dolphmstevemar: +220:56
*** spzala has quit IRC20:56
dolphmlbragstad: not really, but i can try20:56
stevemardolphm: now 6 patches are approved lol20:57
openstackgerritAlexander Oughton proposed openstack/keystoneauth: Disables setting of TCP_KEEPCNT when running under the Windows Subsystem for Linux.  https://review.openstack.org/35745220:57
dolphmlbragstad: i've never had to work with the ec2 api other than as a reviewer20:57
lbragstaddolphm it seems that we are able to pass strings and dicts as blobs20:57
dolphmstevemar: gate'em!20:57
stevemaryee yee20:57
dolphmlbragstad: yeah, a dict should not be accepted as blob20:57
lbragstaddolphm just curious because the initial implementation of encrypted credentials expects blobs to be strings20:58
dolphmlbragstad: true...20:58
lbragstadand the fernet stuff blew up on it - so i started digging and found that surprising20:58
lbragstadbut - i've never used the ec2 stuff either :)20:58
dolphmlbragstad: i've totally forgotten about this. we still support storing dictionaries in that column? do we do json.dumps and json.loads on it somewhere?20:59
*** raildo has quit IRC20:59
stevemari guess i can mark the rolling upgrade bp as complete, the bug can stay open21:01
dolphmlbragstad: this is kind of an iffy test https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_credential.py#L326-L33121:01
dolphmstevemar: did you approve the docs?21:01
stevemardolphm: yes, i did21:01
dolphmstevemar: then Implemented!21:02
stevemar:]21:02
dolphmstevemar: i can file some additional bugs on the tests i'd like to see, to keep deployers from shooting themselves in the foot21:02
stevemardolphm: i just remembered that rderose owes me PCI docs21:02
dolphmstevemar: and ensure the repos are implemented correctly21:02
stevemardolphm: that would be nice21:02
*** julim has quit IRC21:04
*** dolphm has left #openstack-keystone21:04
*** dolphm has joined #openstack-keystone21:04
*** ChanServ sets mode: +o dolphm21:04
stevemarsomeone is actually running keystoneauth with "windows subsystem for linux" https://review.openstack.org/#/c/357452/3/keystoneauth1/session.py21:05
patchbotstevemar: patch 357452 - keystoneauth - Disables setting of TCP_KEEPCNT when running under...21:05
stevemarthe whole bash on windows thing21:05
dolphmi thought that was a poorly timed april fool's joke21:06
stevemari suppose not21:07
*** hockeynut has quit IRC21:12
lbragstaddolphm hmm21:12
lbragstaddolphm should i just check if the blob is a dict in the credential manager and convert it to a string if it is?21:13
lbragstadbefore encrypting it?21:13
*** catintheroof has quit IRC21:21
*** ravelar has quit IRC21:22
lbragstadactually - that's weird because how do you tell if you need to convert a blob back to a dict when you're reading it?21:24
*** edmondsw has quit IRC21:25
lbragstaddolphm I wonder if that is something that was handled with the sql.JsonBlob type?21:28
*** roxanaghe has quit IRC21:33
*** pauloewerton has quit IRC21:34
stevemardolphm: oh if you have a minute: https://review.openstack.org/#/c/357415/ should be easy, it's a clean cherry pick to fix the upgrade issue with cached tokens21:35
patchbotstevemar: patch 357415 - keystone (stable/mitaka) - Add dummy domain_id column to cached role21:35
*** awayne has joined #openstack-keystone21:35
*** BjoernT has quit IRC21:56
*** gordc has quit IRC22:02
*** julim has joined #openstack-keystone22:19
*** su_zhang has quit IRC22:23
*** asettle has joined #openstack-keystone22:24
*** su_zhang has joined #openstack-keystone22:29
*** ntpttr has quit IRC22:31
*** asettle has quit IRC22:32
*** su_zhang has quit IRC22:33
*** ntpttr has joined #openstack-keystone22:36
*** su_zhang has joined #openstack-keystone22:38
*** tonytan4ever has quit IRC22:47
*** spedione is now known as spedione|AWAY22:47
openstackgerritBoris Bobrov proposed openstack/keystone: Add mapping_populate command  https://review.openstack.org/34302822:48
openstackgerritBoris Bobrov proposed openstack/keystone: Add mapping_populate command  https://review.openstack.org/34302822:50
*** ametts has quit IRC22:51
*** haplo37__ has quit IRC23:03
*** michauds has quit IRC23:07
*** sdake_ has joined #openstack-keystone23:12
*** sdake has quit IRC23:13
*** chlong has quit IRC23:20
openstackgerritMerged openstack/keystone: Make all token provider behave the same with trusts  https://review.openstack.org/35070423:25
openstackgerritMerged openstack/keystone: Removes a redundant test from FernetAuthWithTrust  https://review.openstack.org/35659623:25
openstackgerritMerged openstack/keystone: Removes use of freezegun in test_auth tests  https://review.openstack.org/35659723:25
*** Guest36352 has joined #openstack-keystone23:30
*** Guest36352 has quit IRC23:31
*** rcernin has quit IRC23:32
*** adriant has joined #openstack-keystone23:34
*** lamt_ has joined #openstack-keystone23:34
*** jaugustine has quit IRC23:40
*** xenogear has quit IRC23:40
*** nk2527 has quit IRC23:41
*** gagehugo_ has quit IRC23:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35687223:44
*** Gorian|work has quit IRC23:45
*** tonytan4ever has joined #openstack-keystone23:47
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/35694023:49
*** tonytan4ever has quit IRC23:53
*** gagehugo has joined #openstack-keystone23:53
*** ravelar has joined #openstack-keystone23:55
*** nk2527 has joined #openstack-keystone23:57
*** ravelar has quit IRC23:59
« Wednesday, 2016-08-17 Index Friday, 2016-08-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!