Tuesday, 2016-08-23

*** david-lyle has joined #openstack-keystone		00:00
jamielennox	mordred, stevemar, dtroyer_zz: i think i like the UX of passing app_name, app_version, that makes more sense than asking the user to pass a list for user_agent, and then shade and osc-lib can just add themselves to additional_user_agent	00:00
dtroyer_zz	jamielennox: (catching up a bit) I don't have a strong need for a detailed user-agent, in my mind I would care about two things: knowing what is controlling the session layer (usually KSA now) and what is driving the REST routes and body. so in OSC that's KSA and the client lib/SDK.	00:01
dtroyer_zz	but I can handle adding each layer if that's what folks want on the toher end	00:01
*** david-lyle_ has joined #openstack-keystone		00:03
jamielennox	dtroyer_zz: for osc we would only need OSC and the client, it was when others start using osc_lib it'll be relevant	00:04
jamielennox	but whatever, the functionality can be there and if noone uses it it doesn't matter	00:04
dtroyer_zz	sure. what I am unsure of right now is how osc-lib's version is useful in the user-agent, very little of it is responsible for what comes out in the REST.	00:05
*** david-lyle has quit IRC		00:05
ayoung	IgorYozhikov, sounds like a regression, then.	00:06
jamielennox	oh - then ok. we don't worry about osc-lib then	00:06
jamielennox	i was mentally equating it to shade which is probably not true	00:06
dtroyer_zz	not so much today, and I'm not planning for it to grow command-specific stuff. it's purpose is to encapsulate the stuff for making CLIs and plugins using a project client or SDK	00:08
IgorYozhikov	ayoung, I'll try tomorrow with fresh installation and post the results	00:09
*** david-lyle_ has quit IRC		00:09
dtroyer_zz	IgorYozhikov: one thing to check is which plugin is being selected. run with —debug and look for a line early in the output 'Auth plugin XXXXXX selected'	00:10
dtroyer_zz	if its password, the problem is in our auto-detection of the —os-token and —os-url arguemnts overriding all else.	00:10
*** edtubill has joined #openstack-keystone		00:11
*** bigdogstl has joined #openstack-keystone		00:15
dtroyer_zz	try adding —os-auth-type token_endpoint to your command	00:16
*** sdake has joined #openstack-keystone		00:16
* dtroyer_zz mkaes note that those values should have dashes instead of underscores		00:16
*** bigdogstl has quit IRC		00:21
*** bigdogstl has joined #openstack-keystone		00:21
jamielennox	hmm, probably - i'm not sure how we would fix that, i'm not sure that token-endpoint = is valid in setup.cfg	00:21
dtroyer_zz	we convert all sorts of things back and forth, just need to do these too at the user-visible point	00:23
*** ravelar has joined #openstack-keystone		00:25
*** tonytan4ever has joined #openstack-keystone		00:25
*** ravelar has quit IRC		00:29
*** tonytan4ever has quit IRC		00:31
IgorYozhikov	dtroyer_zz, root@us16:~# openstack --os-token=ADMIN --os-url=http://127.0.0.1:35357/v3 --os-auth-type token_endpoint user list -f value -c Name	00:35
IgorYozhikov	admin	00:35
IgorYozhikov	thanx, will examine log files tomorrow - today :)	00:36
*** bigdogstl has quit IRC		00:37
IgorYozhikov	this is fresh packaged in deb pip freeze \| grep openstackclient	00:37
IgorYozhikov	python-openstackclient==3.0.0	00:37
IgorYozhikov	I packaged it locally	00:37
dtroyer_zz	we just did 3.0.1 a few hours ago	00:37
dtroyer_zz	also, os-client-config 1.20.1 is coming, if it isn't already, but (so far) isn't required to make things work	00:38
*** bigdogstl has joined #openstack-keystone		00:38
dtroyer_zz	ah, o-c-c 1.20.1 should be available now	00:39
IgorYozhikov	dtroyer_zz, updated via pip to 3.0.1 - works with --os-auth-type token_endpoint	00:39
dtroyer_zz	ok, good to know, you have a work-around and we have another bug	00:39
dtroyer_zz	would you mind making a new bug for this? it's a completely different code base from the one you found from a while back. tomorrow is fine if this is the end of your day	00:40
IgorYozhikov	it is 3.40am here O_o	00:40
IgorYozhikov	So I need to create a new one instead of https://bugs.launchpad.net/python-openstackclient/+bug/1615110	00:41
openstack	Launchpad bug 1615110 in python-openstackclient "Incorrect usage message" [Undecided,New]	00:41
IgorYozhikov	right?	00:41
*** bigdogstl has quit IRC		00:41
dtroyer_zz	yes please. it's due to a different issue	00:42
* dtroyer_zz is on a plane and didn't actually looka t that one, but I'm pretty sure this is new		00:42
*** bigdogstl has joined #openstack-keystone		00:43
IgorYozhikov	dtroyer_zz, ok, will do after sleep :)	00:43
dtroyer_zz	thanks	00:43
*** bigdogst_ has joined #openstack-keystone		00:47
*** bigdogstl has quit IRC		00:48
*** bigdogst_ has quit IRC		00:53
*** tqtran has quit IRC		00:56
*** code-R has joined #openstack-keystone		00:57
*** bigdogstl has joined #openstack-keystone		01:01
*** bigdogstl has quit IRC		01:06
*** sdake_ has joined #openstack-keystone		01:06
*** gyee has quit IRC		01:07
*** sdake has quit IRC		01:10
*** jamielennox is now known as jamielennox\|away		01:11
*** jamielennox\|away is now known as jamielennox		01:16
*** sdake_ has quit IRC		01:19
*** sdake has joined #openstack-keystone		01:22
*** su_zhang has quit IRC		01:26
jamielennox	anyone seen py.warnings [req-ea36bb61-38ad-4a12-bea2-2a0db5f50fe7 - - - - -] /usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/session.py:434: SAWarning: Session's state has been changed on a non-active transaction - this state will be discarded.	01:27
jamielennox	36 "Session's state has been changed on "	01:27
jamielennox	before?	01:27
jamielennox	seeing it on my own devstack	01:27
jamielennox	oh, nvm - restarting apache didn't help but restarting mysql did	01:29
*** wangqun has joined #openstack-keystone		01:31
*** davechen has joined #openstack-keystone		01:34
*** hockeynut has quit IRC		01:36
*** markvoelker has joined #openstack-keystone		01:44
*** markvoelker_ has joined #openstack-keystone		01:46
*** markvoelker has quit IRC		01:50
*** EinstCra_ has joined #openstack-keystone		02:01
*** EinstCra_ has quit IRC		02:17
*** EinstCra_ has joined #openstack-keystone		02:22
*** code-R_ has joined #openstack-keystone		02:28
*** code-R has quit IRC		02:31
*** EinstCra_ has quit IRC		02:39
*** roxanagh_ has joined #openstack-keystone		02:47
*** jamielennox is now known as jamielennox\|away		02:49
*** roxanagh_ has quit IRC		02:52
*** tqtran has joined #openstack-keystone		02:54
*** tqtran has quit IRC		03:00
*** jamielennox\|away is now known as jamielennox		03:06
*** ayoung has quit IRC		03:14
*** EinstCrazy has joined #openstack-keystone		03:24
*** bigdogstl has joined #openstack-keystone		03:31
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: Disables TCP_KEEPCNT when using Windows Subsystem for Linux https://review.openstack.org/357452	03:36
*** EinstCrazy has quit IRC		03:38
*** bigdogstl has quit IRC		03:41
*** bigdogstl has joined #openstack-keystone		03:44
*** dikonoor has joined #openstack-keystone		03:45
*** chrisshattuck has joined #openstack-keystone		03:47
*** roxanagh_ has joined #openstack-keystone		03:48
*** chrisshattuck has quit IRC		03:50
*** chrisshattuck has joined #openstack-keystone		03:51
*** roxanagh_ has quit IRC		03:52
*** gagehugo has quit IRC		03:53
*** chrisshattuck has quit IRC		04:03
*** chrisshattuck has joined #openstack-keystone		04:04
*** Jaison has joined #openstack-keystone		04:15
*** markvoelker has joined #openstack-keystone		04:21
*** markvoelker_ has quit IRC		04:22
*** chrisshattuck has quit IRC		04:24
*** chrisshattuck has joined #openstack-keystone		04:24
*** ravelar has joined #openstack-keystone		04:24
*** Jaison has quit IRC		04:24
*** jraju has joined #openstack-keystone		04:26
*** markvoelker has quit IRC		04:28
*** EinstCrazy has joined #openstack-keystone		04:30
*** su_zhang has joined #openstack-keystone		04:39
*** EinstCrazy has quit IRC		04:47
*** jamielennox is now known as jamielennox\|away		04:49
*** edtubill has quit IRC		04:50
*** bigdogstl has quit IRC		04:53
*** bigdogstl has joined #openstack-keystone		04:53
*** bigdogstl has quit IRC		04:56
*** bigdogstl has joined #openstack-keystone		04:56
*** tqtran has joined #openstack-keystone		04:57
*** bigdogstl has quit IRC		05:01
*** tqtran has quit IRC		05:01
*** roxanagh_ has joined #openstack-keystone		05:02
*** roxanagh_ has quit IRC		05:03
*** chrisshattuck has quit IRC		05:05
*** chrisshattuck has joined #openstack-keystone		05:06
*** jaosorior has joined #openstack-keystone		05:10
*** bigdogstl has joined #openstack-keystone		05:13
*** bigdogstl has quit IRC		05:17
*** sdake_ has joined #openstack-keystone		05:21
*** jamielennox\|away is now known as jamielennox		05:23
*** sdake has quit IRC		05:24
*** su_zhang has quit IRC		05:26
*** su_zhang has joined #openstack-keystone		05:26
*** markvoelker has joined #openstack-keystone		05:29
*** markvoelker has quit IRC		05:39
*** richm has quit IRC		05:40
*** sdake_ has quit IRC		05:41
*** roxanaghe has quit IRC		05:55
*** roxanaghe has joined #openstack-keystone		05:55
*** roxanagh_ has joined #openstack-keystone		06:04
*** gagehugo has joined #openstack-keystone		06:05
*** roxanagh_ has quit IRC		06:08
*** jamielennox is now known as jamielennox\|away		06:11
*** pcaruana has joined #openstack-keystone		06:14
*** woodster_ has quit IRC		06:19
*** chrisshattuck has quit IRC		06:29
*** EinstCrazy has joined #openstack-keystone		06:32
*** markvoelker has joined #openstack-keystone		06:36
*** jaugustine has quit IRC		06:38
*** EinstCrazy has quit IRC		06:38
*** markvoelker has quit IRC		06:42
*** EinstCra_ has joined #openstack-keystone		06:43
*** GB21 has joined #openstack-keystone		06:47
*** su_zhang has quit IRC		06:48
*** su_zhang has joined #openstack-keystone		06:48
adriant	this is probably a silly question, but where in keystone client is this api call: http://developer.openstack.org/api-ref/identity/v3/?expanded=#list-projects-for-user	06:50
*** su_zhang has quit IRC		06:52
openstackgerrit	Dave Chen proposed openstack/keystone: Fix credential update to ec2 type https://review.openstack.org/357950	06:58
*** tqtran has joined #openstack-keystone		06:59
*** EinstCra_ has quit IRC		07:01
*** tqtran has quit IRC		07:03
*** mdurrant_ has quit IRC		07:04
*** mdurrant_ has joined #openstack-keystone		07:04
*** EinstCrazy has joined #openstack-keystone		07:05
*** tesseract- has joined #openstack-keystone		07:18
*** EinstCrazy has quit IRC		07:24
*** EinstCrazy has joined #openstack-keystone		07:25
henrynash	adriant: do you mean the keystoneclient library or the keystoneclient cli?	07:29
*** asettle has joined #openstack-keystone		07:33
*** dikonoor has quit IRC		07:35
*** dikonoor has joined #openstack-keystone		07:36
*** EinstCra_ has joined #openstack-keystone		07:36
adriant	henrynash: client library, but mainly curious how exactly openstackclient calls it	07:38
adriant	as it seems to just use list directly, but according to the policy file that shouldn't work unless you're admin	07:38
*** markvoelker has joined #openstack-keystone		07:38
*** EinstCrazy has quit IRC		07:39
*** markvoelker has quit IRC		07:43
adriant	plus... openstackclient throws a fit when you pass a username rather than an id as it needs admin to parse that username to an id.	07:43
adriant	So to get user project list using the openstackclient you need to get your id by token issue and then use that.	07:44
*** GB21 has quit IRC		07:45
*** roxanagh_ has joined #openstack-keystone		07:52
*** adriant_ has joined #openstack-keystone		07:54
*** rcernin has quit IRC		07:56
*** roxanagh_ has quit IRC		07:56
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** openstackgerrit has quit IRC		08:03
*** openstackgerrit has joined #openstack-keystone		08:04
*** adriant_ has quit IRC		08:07
*** adriant__ has joined #openstack-keystone		08:11
*** markvoelker has joined #openstack-keystone		08:39
*** markvoelker has quit IRC		08:44
*** ravelar has quit IRC		08:50
*** adriant__ has quit IRC		08:53
IgorYozhikov	dtroyer_zz, as promised - https://bugs.launchpad.net/python-openstackclient/+bug/1615988	08:55
openstack	Launchpad bug 1615988 in python-openstackclient "[osclient v3.x.x]Default auth type is not detected in case when os-token and os-url is used " [Undecided,New]	08:55
*** code-R_ has quit IRC		08:56
henrynash	adriant: sorry, was afk for a while....so is the need to be able to list your own projects (i.e. the username is you), or to list the projects for another user?	09:06
*** code-R has joined #openstack-keystone		09:14
*** d0ugal has quit IRC		09:15
*** d0ugal has joined #openstack-keystone		09:16
openstackgerrit	zhufl proposed openstack/keystone: Remove unnecessary __init__ https://review.openstack.org/359063	09:17
*** willise has joined #openstack-keystone		09:31
*** willise has left #openstack-keystone		09:32
*** EinstCra_ is now known as EinstCrazy		09:36
*** roxanagh_ has joined #openstack-keystone		09:40
*** markvoelker has joined #openstack-keystone		09:40
*** markvoelker has quit IRC		09:44
*** roxanagh_ has quit IRC		09:45
*** dikonoor has quit IRC		09:51
*** dikonoor has joined #openstack-keystone		09:52
*** EinstCrazy has quit IRC		09:57
*** EinstCrazy has joined #openstack-keystone		09:57
*** EinstCra_ has joined #openstack-keystone		09:58
*** EinstCra_ is now known as EinstCrazy_		09:59
*** tqtran has joined #openstack-keystone		10:01
*** EinstCrazy has quit IRC		10:02
*** wangqun has quit IRC		10:03
*** code-R_ has joined #openstack-keystone		10:03
samueldmq	morning keystone	10:04
breton	samueldmq: o/	10:04
samueldmq	breton: hi	10:05
*** tqtran has quit IRC		10:05
*** code-R has quit IRC		10:06
*** richm has joined #openstack-keystone		10:07
*** EinstCrazy_ has quit IRC		10:28
*** ntpttr has quit IRC		10:30
*** ntpttr has joined #openstack-keystone		10:35
samueldmq	stevemar: keystonemiddleware release is proposed in patch 359106	10:43
samueldmq	stevemar: I am waiting on 357633 and 357452 to propose keystoneauth	10:43
samueldmq	patch 357633	10:43
samueldmq	change 357633	10:44
samueldmq	bot's broken	10:44
*** mnikolaenko_ has quit IRC		10:47
*** davechen has left #openstack-keystone		10:51
*** rodrigods has quit IRC		10:59
*** rodrigods has joined #openstack-keystone		10:59
*** sheel has joined #openstack-keystone		11:02
*** jpena is now known as jpena\|lunch		11:06
*** markvoelker has joined #openstack-keystone		11:09
*** ravelar has joined #openstack-keystone		11:18
*** markvoelker has quit IRC		11:20
openstackgerrit	Rodrigo Duarte proposed openstack/python-keystoneclient: Support domain-specific configuration management https://review.openstack.org/358770	11:22
*** ravelar has quit IRC		11:23
*** thiagolib has quit IRC		11:23
*** thiagolib has joined #openstack-keystone		11:24
*** roxanagh_ has joined #openstack-keystone		11:28
*** roxanagh_ has quit IRC		11:32
*** amakarov_away is now known as amakarov		11:36
amakarov	dstanek, I'm online	11:37
*** rcernin has joined #openstack-keystone		11:43
*** jaosorior has quit IRC		11:50
*** asettle has quit IRC		11:51
*** jaosorior has joined #openstack-keystone		11:51
*** wangqun has joined #openstack-keystone		11:51
*** lamt has joined #openstack-keystone		12:02
*** mordred has quit IRC		12:10
*** Gorian has quit IRC		12:12
*** Gorian has joined #openstack-keystone		12:12
*** mordred has joined #openstack-keystone		12:15
*** pauloewerton has joined #openstack-keystone		12:18
*** david_cu has joined #openstack-keystone		12:18
*** rcernin has quit IRC		12:23
*** rcernin has joined #openstack-keystone		12:28
*** jed56 has joined #openstack-keystone		12:31
*** nkinder has joined #openstack-keystone		12:31
*** edmondsw has joined #openstack-keystone		12:40
*** jpena\|lunch is now known as jpena		12:40
*** asettle has joined #openstack-keystone		12:40
dstanek	amakarov: heya	12:46
amakarov	dstanek, o/	12:55
dstanek	amakarov: i'm curious about your caching approach and how it compares to just hard dropping the keys like i am doing	12:56
*** chlong has quit IRC		12:56
*** woodster_ has joined #openstack-keystone		12:56
amakarov	dstanek, your case is faster: it doesn't care about timestamp checks	12:57
dstanek	amakarov: right, the two things that bother me about the timestamp approach is that it's possible for clock skew to be a problem and to drop invalidations	12:58
dstanek	unlikely that they would drop, but possible	12:58
amakarov	dstanek, but one thing still looks weird: dogpile.cache monkeypatching	12:58
*** guoshan has joined #openstack-keystone		12:59
dstanek	amakarov: i have three different implementations based off of your and zzzeek's suggestions	12:59
dstanek	i'd love to get support in dogpile for some of this stuff because i can't see how anyone could use dogpile without it	13:00
dstanek	amakarov: https://review.openstack.org/#/c/358826/1/keystone/common/cache/core.py	13:01
dstanek	i'm going to clean that one up since i think it's probably the best	13:01
dstanek	fix the pep8 and duplication issues, etc.	13:01
amakarov	dstanek, the last one?	13:02
*** tqtran has joined #openstack-keystone		13:03
dstanek	amakarov: yeah, uses a key mangler as zzzeek suggested and an invalidation strategy as you suggested	13:03
*** rcernin has quit IRC		13:03
amakarov	dstanek, I like this one	13:04
amakarov	dstanek, why do you add "this should last forever" everywhere? :)	13:05
dstanek	amakarov: those are reminders for me to make sure the cache expiration for the region won't apply to those keys	13:06
*** tqtran has quit IRC		13:07
amakarov	dstanek, I'm curios: why use uuid4 everytime and not just random? Lower chance of collision?	13:11
*** chlong has joined #openstack-keystone		13:12
*** wangqun has quit IRC		13:14
dstanek	amakarov: no particular reason. doing a 'random.randint(0, sys.maxint)' would probably be faster, but i was using uuid in the tests already	13:14
dstanek	the chance of collision is so tiny because it's only comparing a few random bits of data, unlike our database that has 10s of 1000s of rows	13:16
*** roxanagh_ has joined #openstack-keystone		13:16
dstanek	the biggest chance of collision is if the same random number comes up as a past one where there is still some old data cached	13:17
amakarov	dstanek, I'll be happy to support this patch once you deal with Jenkins :) I like it.	13:19
*** roxanagh_ has quit IRC		13:21
*** julim has joined #openstack-keystone		13:21
dstanek	amakarov: i actually think the monkey patching wasn't useful anyway. it was a holdover from before i created a keystone specific create_region()	13:22
amakarov	dstanek, ++	13:23
*** bigdogstl has joined #openstack-keystone		13:24
*** david-lyle has joined #openstack-keystone		13:24
*** tonytan4ever has joined #openstack-keystone		13:24
*** gagehugo_ has joined #openstack-keystone		13:32
*** gagehugo has quit IRC		13:32
*** gagehugo_ has quit IRC		13:32
*** gagehugo has joined #openstack-keystone		13:33
*** sdake has joined #openstack-keystone		13:36
*** sheel has quit IRC		13:36
*** sdake_ has joined #openstack-keystone		13:37
*** jraju has quit IRC		13:40
*** sdake has quit IRC		13:41
*** ayoung has joined #openstack-keystone		13:42
*** ChanServ sets mode: +v ayoung		13:42
*** bigdogstl has quit IRC		13:43
*** ravelar has joined #openstack-keystone		13:46
*** eandersson_ has quit IRC		13:47
*** raildo has joined #openstack-keystone		13:51
*** tonytan4ever has quit IRC		13:56
*** eandersson has joined #openstack-keystone		13:56
*** guoshan has quit IRC		13:57
*** bigdogstl has joined #openstack-keystone		13:57
*** tqtran has joined #openstack-keystone		14:02
*** bigdogstl has quit IRC		14:02
*** pcaruana has quit IRC		14:02
*** david-lyle has quit IRC		14:04
*** tonytan4ever has joined #openstack-keystone		14:08
*** ddieterly has joined #openstack-keystone		14:12
*** code-R has joined #openstack-keystone		14:14
*** code-R_ has quit IRC		14:14
stevemar	o/	14:16
*** pcaruana has joined #openstack-keystone		14:17
*** edtubill has joined #openstack-keystone		14:17
lbragstad	o/	14:18
openstackgerrit	Ron De Rose proposed openstack/keystone: Relax the requirement for mappings to result in group memberships https://review.openstack.org/358111	14:20
openstackgerrit	Merged openstack/keystoneauth: Disables TCP_KEEPCNT when using Windows Subsystem for Linux https://review.openstack.org/357452	14:22
*** ravelar has quit IRC		14:28
*** ravelar has joined #openstack-keystone		14:28
*** david-lyle has joined #openstack-keystone		14:28
*** adam_g has quit IRC		14:29
*** spedione\|AWAY is now known as spedione		14:30
*** jaosorior is now known as jaosorior_away		14:32
dstanek	well me too! o/	14:33
*** adam_g has joined #openstack-keystone		14:34
*** adam_g has quit IRC		14:34
*** adam_g has joined #openstack-keystone		14:34
*** sdake_ has quit IRC		14:35
stevemar	dstanek: :O	14:36
*** vern has quit IRC		14:36
stevemar	samueldmq: ^ you're all clear to release keystoneauth	14:36
*** ezpz has joined #openstack-keystone		14:39
*** jaugustine has joined #openstack-keystone		14:39
samueldmq	stevemar: hi	14:39
samueldmq	stevemar: don't we want https://review.openstack.org/#/c/357633/ in too ?	14:39
samueldmq	stevemar: crinkle left a question there I don't have an answer to, I think it is a standard but I am not 100% sure	14:40
*** sdake has joined #openstack-keystone		14:41
stevemar	samueldmq: ideally we want that in, but it's tuesday; jamie has to answer that and won't come online until late afternoon, and that is too late to release in the day; and i'd rather not until wednesday	14:42
stevemar	samueldmq: no reason to rush and merge it, we've lived without it, and will continue to live without it :)	14:42
samueldmq	stevemar: yes, it should be fine, that's not critical	14:42
samueldmq	stevemar: ++	14:42
amakarov	stevemar, greetings! I've fixed tests and answered questions here: https://review.openstack.org/#/c/309146/ Would you please take a look again?	14:47
stevemar	amakarov: will do!	14:48
*** tqtran has quit IRC		14:49
*** bigdogstl has joined #openstack-keystone		14:52
openstackgerrit	Merged openstack/keystone: Shadowing a nonlocal_user incorrectly creates a local_user https://review.openstack.org/357979	14:54
*** slberger has joined #openstack-keystone		14:54
*** david-lyle has quit IRC		14:54
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: [WIP] Move fernet utils to backend https://review.openstack.org/356499	14:56
*** bigdogstl has quit IRC		14:57
*** hockeynut has joined #openstack-keystone		14:58
*** code-R_ has joined #openstack-keystone		14:58
crinkle	samueldmq: stevemar I didn't mean to hold up a release, I was just curious about it	15:00
*** code-R has quit IRC		15:01
*** vern has joined #openstack-keystone		15:03
samueldmq	crinkle: that's a good question you left in the review	15:04
samueldmq	crinkle: there is no rush to have that in this release, as stevemar said	15:04
samueldmq	release is proposed already https://review.openstack.org/#/c/359261	15:04
samueldmq	:)	15:05
*** edtubill has quit IRC		15:07
AlexOughton	Hey stevemar samueldmq and anyone else involved: Thanks for helping clean up my submission for the TCP_KEEPCNT thing and getting that pushed through! :-)	15:15
openstackgerrit	Dolph Mathews proposed openstack/keystone: Doc fix: "keystone-manage upgrade" is not a thing https://review.openstack.org/359281	15:18
dolphm	quick doc fix for rolling upgrades! ^	15:19
SamYaple	well let this one slide dolphm	15:22
SamYaple	just this once	15:22
openstackgerrit	Dolph Mathews proposed openstack/keystone: Doc fix: license rendered in published doc https://review.openstack.org/359284	15:22
*** david-lyle has joined #openstack-keystone		15:23
openstackgerrit	Tobias Diaz proposed openstack/python-keystoneclient: Catch MemoryError when logging huge responses Closes-bug: 1616105 https://review.openstack.org/359292	15:28
openstack	bug 1616105 in python-keystoneclient "Request of large files raises a MemoryError due to logging" [Undecided,In progress] https://launchpad.net/bugs/1616105 - Assigned to Tobias Diaz (int-0)	15:28
samueldmq	AlexOughton: hey, you're welcome	15:31
*** david-lyle has quit IRC		15:33
openstackgerrit	Dolph Mathews proposed openstack/keystone: Doc fix: license rendered in published doc https://review.openstack.org/359284	15:35
EmilienM	stevemar: hey !	15:36
EmilienM	what is supposed to do https://review.openstack.org/358969 ?	15:36
stevemar	EmilienM: hey	15:36
stevemar	EmilienM: just making sure that you guys aren't gonna break if we change the upper-constraints to 3.0.1	15:36
EmilienM	our CI relies on packaging (RDO or UCA), so depends-on won't work between puppet-* and python projects, except Tempest.	15:36
EmilienM	it is not something we can test	15:36
stevemar	EmilienM: :(	15:36
EmilienM	but, you can ask on #rdo, we have a mechanism to test it super easily	15:37
EmilienM	in RDO Ci	15:37
stevemar	ah	15:43
stevemar	dolphm: but "upgrade" is better than "db_sync" :P	15:44
stevemar	we clearly need an alias	15:44
*** code-R_ has quit IRC		15:45
*** code-R has joined #openstack-keystone		15:46
*** tesseract- has quit IRC		15:46
*** bigdogstl has joined #openstack-keystone		15:46
*** dikonoor has quit IRC		15:49
*** ddieterly is now known as ddieterly[away]		15:50
*** bigdogstl has quit IRC		15:53
*** ddieterly[away] is now known as ddieterly		15:54
*** pcaruana has quit IRC		15:56
*** nishaYadav has joined #openstack-keystone		15:58
nishaYadav	o/	15:58
*** jaosorior_away is now known as jaosorior		16:00
*** david-lyle has joined #openstack-keystone		16:01
*** Ephur has joined #openstack-keystone		16:02
*** gyee has joined #openstack-keystone		16:03
stevemar	edmondsw: is https://bugs.launchpad.net/python-openstackclient/+bug/1616104 related to the 3.0.1 release, or just in general	16:03
openstack	Launchpad bug 1616104 in python-openstackclient "openstack user list --project <p> not showing effective assignments" [Undecided,New]	16:04
edmondsw	stevemar found in 2.6.0, haven't tried 3.0.0 yet	16:04
edmondsw	stevemar hadn't even realized yet that there was a 3.0.1... wasn't 3.0.0 just yesterday? what caused the respin so fast?	16:05
stevemar	edmondsw: 3.0.0 didn't work lol	16:05
edmondsw	great...	16:05
stevemar	edmondsw: we were caught between os-client-config releases	16:05
stevemar	its all good now :P	16:05
stevemar	edmondsw: but we shuffled things around for listing role assignments	16:06
edmondsw	stevemar, ok, so I'll have to try again on 3.0.1 once I can get that setup... probably not today	16:07
*** michauds has joined #openstack-keystone		16:08
*** pcaruana has joined #openstack-keystone		16:09
*** nkinder has quit IRC		16:11
stevemar	anyone want to look at https://review.openstack.org/#/c/343028/ ? i've reviewed it a few times now, it's one of our last blueprints	16:14
stevemar	crinkle dolphm samueldmq edmondsw ^	16:14
stevemar	rderose: ^	16:15
edmondsw	stevemar I'll try to look this afternoon	16:17
*** code-R has quit IRC		16:18
*** jaosorior has quit IRC		16:18
* crinkle looks		16:19
*** bigdogstl has joined #openstack-keystone		16:23
rderose	stevemar: looking...	16:25
*** bigdogstl has quit IRC		16:27
*** chrisshattuck has joined #openstack-keystone		16:29
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	16:29
dolphm	stevemar: +2/+A	16:30
lbragstad	dolphm did the mysql trigger - curious for feedback on it	16:30
samueldmq	stevemar: will do	16:30
lbragstad	still looking into the equivalent trigger for sqlite and postgresql	16:30
dolphm	lbragstad: link?	16:30
samueldmq	stevemar: too late, approved :-)	16:30
lbragstad	dolphm https://review.openstack.org/#/c/355618/	16:30
dstanek	amakarov: i got rid of the comment you mentioned earlier by creating a region just for invalidation keys	16:31
lbragstad	dolphm I responded to all comments on patchset 11 and fixed most of them in the latest patch	16:31
dolphm	lbragstad: it's the UPDATE case that needs to be conditional - not BEFORE INSERT (which the old triggers were good for)	16:31
dolphm	lbragstad: but the conditional looks correct for the BEFORE UPDATE case	16:32
lbragstad	dolphm cool - updating	16:32
dolphm	lbragstad: so, you'll need 6 triggers total	16:33
dolphm	lbragstad: and don't forget to tear down the second trigger in contract	16:33
*** nishaYadav has quit IRC		16:33
dolphm	lbragstad: ... and in a BEFORE UPDATE, you'll also have both a NEW. and an OLD. to deal with	16:33
dolphm	lbragstad: BEFORE UPDATE only has a NEW row	16:33
edmondsw	stevemar dolphm I think the release notes still need work there	16:34
lbragstad	dolphm we only care if NEW.key_hash and NEW.encrypted_blob are populated though, right?	16:34
edmondsw	I mean https://review.openstack.org/#/c/343028	16:35
*** woodburn has quit IRC		16:36
edmondsw	breton ^	16:37
dolphm	lbragstad: before the migration, only blob will be populated, right?	16:37
*** BjoernT has joined #openstack-keystone		16:38
dolphm	lbragstad: and the old release will only try to populate blob	16:38
dolphm	lbragstad: the new release will only try to populate encrypted_blob	16:38
dolphm	lbragstad: (and key hash)	16:38
dolphm	lbragstad: both of which are operations you need to detect and block	16:38
lbragstad	yes	16:38
*** jraju has joined #openstack-keystone		16:38
dolphm	lbragstad: but you need to allow the --migrate process to run, which will be setting encrypted_blob and key_hash on rows where the blob already exists	16:38
dolphm	lbragstad: using UPDATE	16:38
dolphm	lbragstad: whereas nothing will be INSERTing, so you can block all of those	16:39
dolphm	lbragstad: so, the complex trigger (BEFORE UPDATE) will basically be checking to see if this is --migrate running, and if so, allow it, else signal	16:39
*** jraju has quit IRC		16:39
*** ravelar has quit IRC		16:40
dolphm	stevemar: still going to be AFK for the meeting?	16:40
*** ravelar has joined #openstack-keystone		16:40
lbragstad	dolphm the migrate process will always populate key_hash and encrypted_blob	16:40
lbragstad	if key_hash or encrypted_blob are null then signal	16:41
breton	edmondsw: dolphm: thanks, i've wf-1 the change	16:41
dolphm	lbragstad: then you'd be allowing the legacy app to keep writing :-/	16:41
* breton spoiled wf+1		16:41
edmondsw	breton sorry... and thanks	16:42
dolphm	breton: edmondsw: oops, sorry, i only reviewed the diff between 12 and 13	16:42
lbragstad	dolphm the legacy app defaults key_hash to null if it's not populated	16:42
lbragstad	ah - nevermind... i see	16:43
dolphm	lbragstad: oh, sorry, then you'll be allowing newton app to write	16:43
dolphm	lbragstad: and mitaka won't be able to read it	16:43
dolphm	lbragstad: this is totally not confusing at all.	16:43
lbragstad	what happens if encrypted_blob isn't supplied to a schema that doesn't allow it to be nullable?	16:43
lbragstad	https://review.openstack.org/#/c/355618/12/keystone/credential/backends/sql.py	16:44
dolphm	lbragstad: that line doesn't matter because you're actually defining it to be nullable here https://review.openstack.org/#/c/355618/12/keystone/common/sql/expand_repo/versions/002_add_key_hash_and_encrypted_blob_to_credential.py	16:44
dolphm	lbragstad: so, your model does not match the actual schema	16:45
dolphm	lbragstad: unless you do an alter column in the contract -- which we could allow, i think	16:45
dolphm	lbragstad: but only in mysql and postgres	16:45
lbragstad	hmm	16:46
*** asettle has quit IRC		16:48
*** asettle has joined #openstack-keystone		16:49
openstackgerrit	Boris Bobrov proposed openstack/keystone: Add mapping_populate command https://review.openstack.org/343028	16:49
*** asettle has joined #openstack-keystone		16:49
*** awayne has quit IRC		16:49
*** asettle has quit IRC		16:50
*** amakarov is now known as amakarov_away		16:50
*** ctracey has quit IRC		16:53
*** ctracey has joined #openstack-keystone		16:54
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	16:54
*** woodburn has joined #openstack-keystone		16:55
*** jed56 has quit IRC		16:55
*** nishaYadav has joined #openstack-keystone		16:56
lbragstad	going to grab lunch quick	16:57
*** chrisshattuck has quit IRC		16:58
*** nkinder has joined #openstack-keystone		17:05
*** Guest25180 is now known as med_		17:06
*** med_ has joined #openstack-keystone		17:06
*** med_ is now known as medberry		17:06
*** Gorian\|work has joined #openstack-keystone		17:06
*** medberry is now known as med_		17:06
*** ddieterly is now known as ddieterly[away]		17:10
*** bigdogstl has joined #openstack-keystone		17:15
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Filter data when deserializing RevokeEvents https://review.openstack.org/358872	17:17
*** jrist has quit IRC		17:18
*** bigdogstl has quit IRC		17:20
*** jaugustine_ has joined #openstack-keystone		17:26
*** jaugustine has quit IRC		17:27
*** jaugustine_ is now known as jaugustine		17:27
*** gagehugo_ has joined #openstack-keystone		17:27
*** su_zhang has joined #openstack-keystone		17:29
*** hockeynut has quit IRC		17:33
*** tqtran has joined #openstack-keystone		17:35
openstackgerrit	ayoung proposed openstack/keystone-specs: Flag to bypass expiry and revocation check on token validation https://review.openstack.org/358131	17:36
*** tqtran has quit IRC		17:39
*** code-R has joined #openstack-keystone		17:42
*** code-R_ has joined #openstack-keystone		17:44
*** Ephur has quit IRC		17:45
openstackgerrit	David Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions https://review.openstack.org/349704	17:46
*** jrist has joined #openstack-keystone		17:46
*** code-R has quit IRC		17:47
*** nishaYadav has quit IRC		17:48
*** nisha_ has joined #openstack-keystone		17:48
*** su_zhang has quit IRC		17:51
*** bigdogstl has joined #openstack-keystone		17:51
*** su_zhang has joined #openstack-keystone		17:51
*** zhugaoxiao has joined #openstack-keystone		17:53
*** Administrator__ has quit IRC		17:55
*** bigdogstl has quit IRC		17:58
dolphm	bknudson: bandit should be downvoting lbragstad's patch for potential SQL injection vulnerability around L90 https://review.openstack.org/#/c/355618/14/keystone/common/sql/expand_repo/versions/002_add_key_hash_and_encrypted_blob_to_credential.py,unified	17:59
dolphm	bknudson: something we're going to have to be super careful about now that we're writing more manual SQL	18:00
henrynash	dolphm, bknudson: I did write some SQL injection detection code a while back...	18:00
*** su_zhang has quit IRC		18:00
*** su_zhang has joined #openstack-keystone		18:01
*** jamielennox\|away is now known as jamielennox		18:01
*** su_zhang has quit IRC		18:01
*** su_zhang has joined #openstack-keystone		18:02
*** su_zhang has quit IRC		18:02
*** su_zhang has joined #openstack-keystone		18:02
*** nisha_ has quit IRC		18:03
*** shaleh has joined #openstack-keystone		18:06
*** nishaYadav has joined #openstack-keystone		18:06
*** nishaYadav has quit IRC		18:10
openstackgerrit	Richard Avelar proposed openstack/keystone: POC sql query revoked tokens https://review.openstack.org/359371	18:12
*** hockeynut has joined #openstack-keystone		18:13
*** nishaYadav has joined #openstack-keystone		18:13
*** Ephur has joined #openstack-keystone		18:17
lbragstad	henrynash ping to see if you have time to talk about the rolling upgrade testing stuff after the meeting?	18:21
openstackgerrit	ayoung proposed openstack/keystone: Modify sql banned operations for each of the new repos https://review.openstack.org/358723	18:21
*** su_zhang has quit IRC		18:41
*** su_zhang has joined #openstack-keystone		18:41
*** code-R_ has quit IRC		18:41
*** code-R has joined #openstack-keystone		18:42
*** ddieterly[away] is now known as ddieterly		18:44
jamielennox	so why are we doing DB triggers now?	18:51
henrynash	lbragstad: you shouldn't do self.upgrade(self.max_version) in your test, but you should do self.upgrade(2)	18:51
*** amakarov has joined #openstack-keystone		18:51
jamielennox	i thought DB triggers were outside our ability with cross sql requirements	18:51
lbragstad	henrynash got it - the interesting part it that it doesn't fail my test	18:51
lbragstad	henrynash it fails here - https://github.com/openstack/keystone/blob/0cd732b2b0d3e18cbdbceecf66a83cd378c27717/keystone/tests/unit/test_sql_banned_operations.py#L211	18:52
*** su_zhang has quit IRC		18:52
henrynash	lbragstad: well, since you are 2 then max_version is 2, so you are OK...but as soon as we add a 3rd, your test might be wroung	18:52
ayoung	dolphm, so, I'll add the grace period as part of that review.	18:52
ayoung	the spec review, that is	18:52
henrynash	lbragstad: but that's not why your is failing	18:52
* lbragstad henrynash this is the specific failure - http://cdn.pasteraw.com/6zaqyxiupmfikpeqbzn86wwicgqcni3		18:53
lbragstad	which looks like it fails because the credential table isn't created	18:53
henrynash	lbragstad: ah!!	18:56
henrynash	lbragstad: this is failing in sql_banned_operations...not sql_upgrade....	18:56
lbragstad	henrynash yep!	18:56
henrynash	lbragstad: that ISN'T fixed in master yet....	18:56
lbragstad	henrynash is that fixed somewhere in https://review.openstack.org/#/c/358723/1/keystone/tests/unit/test_sql_banned_operations.py ?	18:57
henrynash	lbragstad: rebase on https://review.openstack.org/#/c/358723/1	18:57
henrynash	lbragstad: yep, that ensures the early repos are migrated up first	18:57
henrynash	lbragstad: sorry, hadn't twiged that it was sql_banned_operations that was failing	18:58
samueldmq	ah, just as a note	18:58
jamielennox	shaleh: i jumped ahead and did the user-agent change: https://review.openstack.org/#/c/357633/	18:58
*** markvoelker has joined #openstack-keystone		18:58
samueldmq	keystonemiddleware and keystoneauth have been released today	18:58
samueldmq	dolphm: ^	18:58
lbragstad	henrynash ok - that makes sense	18:58
jamielennox	oh, damn - i was hoping to get that usre_agent patch in a next release	18:59
samueldmq	and 1 minutes left	18:59
samueldmq	minute	18:59
jamielennox	samueldmq: we're not in a meeting :p	18:59
samueldmq	oh	18:59
breton	lol	18:59
* samueldmq facepalm		18:59
* samueldmq goes afk		18:59
dolphm	samueldmq: you're excused	19:01
*** markvoelker has quit IRC		19:01
shaleh	jamielennox: thanks. blah. Work and stuff.	19:02
shaleh	jamielennox: I had made it to about half of the unit testing and got pulled away	19:03
*** tqtran has joined #openstack-keystone		19:04
*** ddieterly is now known as ddieterly[away]		19:04
jamielennox	shaleh: no worries, turns out i wanted something like that for another reason and so didn't think you'd mind	19:04
jamielennox	i was hoping to get it in that last ksa release though to start pushing people towards it	19:04
openstackgerrit	henry-nash proposed openstack/keystone: Update developer docs for new rolling upgrade repos https://review.openstack.org/359383	19:05
*** code-R has quit IRC		19:07
openstackgerrit	henry-nash proposed openstack/keystone: Update developer docs for new rolling upgrade repos https://review.openstack.org/359383	19:07
jamielennox	why are we using database triggers now?	19:08
jamielennox	why isn't https://review.openstack.org/#/c/357789/3/keystone/common/sql/expand_repo/versions/002_mysql_upgrade.sql a code fix, a migration and a default	19:09
rodrigods	jamielennox, had the same question when i saw it	19:09
jamielennox	we've alwas considered triggers outside the cross-sql platform we support	19:10
lbragstad	henrynash sweet - in order to cleanly rebase on your patch I had to rebase it	19:11
henrynash	lbragstad: ok, thx	19:11
lbragstad	henrynash mind if I push a new patch set?	19:11
henrynash	lbragstad: go for it	19:11
lbragstad	henrynash for https://review.openstack.org/#/c/358723/2	19:11
openstackgerrit	Lance Bragstad proposed openstack/keystone: Modify sql banned operations for each of the new repos https://review.openstack.org/358723	19:11
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	19:11
*** tonytan_brb has joined #openstack-keystone		19:11
henrynash	jamielennox, rodrigods: so on https://review.openstack.org/#/c/357789/3 I did originally write it without triggers, but dolphm, redrose were keen that we keep to strict use of the three new phases	19:12
openstackgerrit	henry-nash proposed openstack/keystone: Fix issue of password created_at being left as nullable https://review.openstack.org/357789	19:13
*** spzala has joined #openstack-keystone		19:13
shaleh	jamielennox: looks a lot like my code. I saved the generated user_agent on self so it did not need to be examined on every request.	19:13
jamielennox	henrynash: to me this is where we have to do if db_version>X also set a timestamp on the query	19:14
*** tonytan4ever has quit IRC		19:14
jamielennox	roll code, migrate data, add default	19:14
jamielennox	or just do it in migrate if you can do a default and NULL column, i don't think you an	19:15
henrynash	jamielennox: agreed....although th problem of the original patch was rderose couldn't find a way of having a common server default for the date that worked across all three DBs	19:15
jamielennox	shaleh: i save the user_agent on self, just i don't generate it till first needed	19:17
henrynash	jamielennox: ...and (almost) every migration from now on will have triggers anyway...so we better get used to them	19:18
*** nishaYadav has quit IRC		19:18
jamielennox	why will every migration have triggers?	19:18
*** nishaYadav has joined #openstack-keystone		19:18
jamielennox	shouldn't sqlalchemy-migrate handle the common DEFAULT=NOW()	19:19
jamielennox	and sqlalchemy handle parsing a datetime	19:19
shaleh	triggers? triggers do not play nice with multi-master Galera right?	19:19
notmorgan	mordred: ^ cc sql trigger talking is scaring me.	19:19
henrynash	jamielennox: ..cause that's how rolling upgrades are implemented as per dolphm's simplificaiton	19:19
jamielennox	to me triggers are that magic you invoke only when you have one running database you understand completely	19:20
shaleh	jamielennox: in request() you set 'user_agent = headers.setdefault()' instead of 'self.user_agent = headers.setdefault()'	19:20
rderose	jamielennox: it should have, but doesn't work for alter table	19:20
rderose	jamielennox: works when create table	19:20
*** pcaruana has quit IRC		19:20
mordred	notmorgan: I didn't do it	19:21
jamielennox	shaleh: oh, yea, i save the generated portion, but request() will be used by many different clients so i can't save the entire user_agent string because it will change	19:21
* mordred scans backscroll		19:21
*** nishaYadav has quit IRC		19:21
notmorgan	mordred: no.. but you can say "sql + triggers" and appropriate response to said "thing"	19:21
rderose	jamielennox henrynash: triggers seem to be the most common way to deal with rolling upgrades	19:21
mordred	notmorgan: yah. don't do triggers	19:21
jamielennox	rderose: is that a sqlalchemy migrate bug? i think openstack owns that	19:21
notmorgan	cause everytime someone brings up triggers... it scares me.	19:21
shaleh	jamielennox: I am a little confused then. What is the difference between "app" and "client" here?	19:21
notmorgan	^ keystone folks, see what mordred said, trust him on that.	19:21
jamielennox	shaleh: app=nova, client=glanceclient	19:22
shaleh	rderose: we took over sqlalchemy-migrate	19:22
notmorgan	do not do triggers	19:22
mordred	notmorgan: what is the use case people are wanting to solve with them?	19:22
notmorgan	mordred: does it really matter? it involves orm/migrations/zero downtime upgrades iirc.	19:22
shaleh	modred, notmorgan: rain the -2's	19:22
notmorgan	mordred: but.. does it really matter with an ORM?	19:22
jamielennox	shaleh: the client part of that particularly will change as nova talks to differnt services	19:23
rderose	jamielennox shaleh: cool	19:23
notmorgan	mordred: my answer is the same: RUN AWAY, RUN AWAY	19:23
mordred	notmorgan: yeah. not really - a sideband process is gonna work much better forhow all of our stuff is organized	19:23
shaleh	jamielennox: ah. right. I remember us talking about that now.	19:23
mordred	notmorgan: also, I want to say nova already has a pretty good story for this, so whatever they're doing is likely what keystone should do	19:24
*** ddieterly[away] is now known as ddieterly		19:24
notmorgan	mordred: there are some wider concerns with keystone that we've run into (edge cases) but generally I agree.	19:24
notmorgan	shaleh: sql triggers are going to def. be worthy of me dreding up a -2 :)	19:25
notmorgan	dredging(	19:25
dstanek	mordred: notmorgan: the idea behind triggers was to give us a nice migration path that is near 100% uptime without having to drag along too much code	19:25
notmorgan	god... i can't type	19:25
dstanek	mordred: notmorgan: allows us to add transition logic to an N-1 release after the fact	19:26
notmorgan	dstanek: there are so many issue with triggers. if you run a DB and tightly control all aspects it might work.	19:26
notmorgan	dstanek: but we support an ORM. and many DB backends (many = more than MySQL), + galera in the mix. it is going to be rough going to make sure it all works	19:26
jamielennox	alright, well i feel like i've kicked this hornets nest in the right direction but i want to catch some more sleep before the sun comes up	19:27
dstanek	i think the plan was to support just MySQL and Postgres at this point	19:27
*** gyee has quit IRC		19:27
jamielennox	but i'm very skeptical that triggers are the right way to do this when we don't control the db	19:27
notmorgan	right. that is going to make your life hard.	19:27
henrynash	notmorgan, dstanek: we only install them temporarily between the expand and contract phases of an upgrade	19:28
dstanek	henrynash: exactly	19:28
dstanek	it allows for incremental migration of data while everything is up and running	19:28
lbragstad	dstanek and sqlite until your patch goes through	19:28
jamielennox	that should be something we test for in our code	19:28
notmorgan	henrynash: you should talk more in depth with mordred about that - really. Triggers result in tears in my experience.	19:28
jamielennox	we are going to need that abstraction layer of if db_version X in our backends	19:28
*** hockeynut has quit IRC		19:28
dstanek	lbragstad: i think we'll always need our unit tests to run in sqlite	19:28
henrynash	jamielennox: that is the alternative	19:29
lbragstad	dstanek so that makes sqlite, mysql, and postgres, right?	19:29
notmorgan	this is a case, that as much as I dislike it, I am going to advocate: Carry code that does the work with the schema intelligently	19:29
bknudson	there's a library for that abstraction layer - oslo.versionedobjects	19:29
mordred	notmorgan: ++	19:29
jamielennox	bknudson: there's not a lot of documentation for that last i checked	19:30
mordred	managing the trigger definitions and ddl in SQL for each backend is going to be clunky and different - whereas doing it closer to the model/orm layer will keep it in the DB language already being used	19:30
notmorgan	do not lean on SQL backends because it will end in tears because something will be subtly different between MySQL, Postgres, and Oh hi i used <other engine not supported bug it used to work> user	19:30
notmorgan	mordred: ++	19:30
dstanek	bknudson: that's terrible from what i've seen	19:30
bknudson	jamielennox: the code is the documentation!	19:30
bknudson	http://docs.openstack.org/developer/oslo.versionedobjects/	19:30
notmorgan	you're going to end up writing DDL specific triggers... might as well drop the ORM and write DDL specific SQL then for better optimisation	19:30
jamielennox	bknudson: particularly if i want to use it for something other than RPC, it appears if i'm using it i will understand it already	19:31
notmorgan	which case, sure, go for it :)	19:31
dstanek	that may be because there's no docs and/or that we always use our own libs in strange ways	19:31
mordred	now - if the proposal was also to replace the ORM layer with completely hand-written SQL for all of the things, then I would think it would make more sense, since SQL itself would be a fundamental part of the approach - and in that case, I'd also suggest completely dropping support for sqlite and postgres anyway since nobody uses either	19:31
mordred	notmorgan: wow. jinx	19:31
notmorgan	mordred: yep, 100%	19:31
notmorgan	mordred: haha! :) we do occasionally think alike.	19:31
jamielennox	bknudson: i am coming to the same conclusion as last time i looked at versionedobjects. oslo = a place for nova to dump out whatever works for them	19:33
bknudson	other projects must be using oslo.versionedobjects...	19:34
notmorgan	bknudson: i think cinder is or is moving that way	19:34
jamielennox	it's very geared towards RPC, i don't think we'd want it for DB version abstraction	19:35
dstanek	bknudson: i still don't get how versionedobjects helps here. isn't is an abstraction over object definitions for RPC?	19:35
bknudson	maybe keystone should have a conductor process like nova?	19:35
jamielennox	bknudson: no	19:36
dstanek	bknudson: -2 :-P over architecture for the sake of over architecture	19:36
jamielennox	all keystones can talk directly to the DB	19:36
jamielennox	the code we'd have in the conductor can just live in the keystone	19:36
jamielennox	anyway, -2 to a conductor, -1 to triggers, -1 to oslo.versionedobjects, +2 to more sleep, back later	19:38
dstanek	jamielennox: good night	19:39
*** su_zhang has joined #openstack-keystone		19:41
*** Ephur has quit IRC		19:44
*** su_zhang has quit IRC		19:46
*** asettle has joined #openstack-keystone		19:53
*** markvoelker has joined #openstack-keystone		19:57
*** ddieterly is now known as ddieterly[away]		19:58
*** asettle has quit IRC		19:58
*** woodburn has left #openstack-keystone		19:59
notmorgan	.	19:59
*** slberger has quit IRC		20:02
*** su_zhang has joined #openstack-keystone		20:08
*** edmondsw has quit IRC		20:13
*** haplo37__ has joined #openstack-keystone		20:14
*** slberger has joined #openstack-keystone		20:20
*** ddieterly[away] is now known as ddieterly		20:21
*** amakarov has quit IRC		20:26
*** hockeynut has joined #openstack-keystone		20:27
*** sigmavirus is now known as sigmavirus\|away		20:29
*** aswadr_ has quit IRC		20:31
*** itisha has joined #openstack-keystone		20:33
*** gyee has joined #openstack-keystone		20:37
*** ChanServ sets mode: +v gyee		20:37
*** nkinder has quit IRC		20:40
*** chrisshattuck has joined #openstack-keystone		20:40
*** slberger has quit IRC		20:43
stevemar	o/	20:44
breton	\o	20:45
stevemar	uhh... what i miss?	20:45
breton	meeting	20:45
stevemar	no more triggers? wat.	20:45
breton	stevemar: welcome to 2017, where have you been	20:46
*** raildo has quit IRC		20:46
stevemar	breton: dammit i was gone for a day!	20:47
stevemar	http://e.lvme.me/tgc2a3l.jpg	20:47
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add mapping_populate command https://review.openstack.org/343028	20:52
*** markvoelker has quit IRC		20:52
*** woodburn has joined #openstack-keystone		20:53
*** slberger has joined #openstack-keystone		20:56
*** su_zhang has quit IRC		20:59
*** ezpz has quit IRC		20:59
*** su_zhang_ has joined #openstack-keystone		21:01
*** tonytan_brb has quit IRC		21:01
*** asettle has joined #openstack-keystone		21:02
notmorgan	stevemar: triggers in SQL are simply a bad idea	21:06
notmorgan	stevemar: you're going to be writing per-engine DDL code and at that point might as well drop the ORM	21:06
stevemar	notmorgan: we're only writing per-engine code because sqlalchemry doesn't handle this afaik	21:07
notmorgan	stevemar:right, simply don't do it	21:07
stevemar	we could drop sqlite from our trigger support	21:07
notmorgan	stevemar: and also will be different for PGSQL from MySQL	21:07
notmorgan	and galera works ... oddly with triggers	21:07
stevemar	right, we'll have unit tests for postgres and mysql, the unit tests will test on both now	21:08
stevemar	granted galera is untested	21:08
notmorgan	the reason SQL-A doesn't support this is because it's is hard(tm) and engine specific	21:08
notmorgan	more so than the other DDL specific stuff	21:08
notmorgan	really, don't do it. see mordred's comments, if there is something you should just trust mordred on, it's SQL things.	21:09
notmorgan	triggers will result in tears.	21:09
stevemar	rumor has it he knows some sql stuff n things	21:09
notmorgan	yeah	21:09
notmorgan	writing the code in python vs in SQL engine really is going to be more maintainable and more consistent	21:10
notmorgan	as much as it's "write our own code" vs lean on the DB engine to do it	21:10
mordred	I mean ... I can be convinced if support for not-mysql was totally dropped and aLL database code was migrated to raw SQL	21:11
mordred	becaue then you could actually do good database queries and stuff	21:11
mordred	but people aren't going to do that	21:11
notmorgan	mordred: i stop short of that because... i mean that kindof is antithetical to the current approach.	21:11
mordred	so I think sticking the head into the hole halfway in this case is a great way to wind up with multiple pieces of head	21:11
mordred	notmorgan: it is	21:11
stevemar	mordred: what do you recommend then? use versioned objects?	21:11
stevemar	(boarding soon)	21:12
notmorgan	stevemar: it is the current option used in openstack.	21:12
mordred	yah - which I believe is what nova is doing with oslo.db right?	21:12
notmorgan	it would be an option	21:12
bknudson	might be better to switch to redis	21:12
notmorgan	bknudson: mongo	21:12
notmorgan	bknudson: document based storage	21:12
bknudson	notmorgan: y, if you want to be webscale.	21:12
*** julim has quit IRC		21:12
notmorgan	bknudson: you saw where I was going with this	21:12
stevemar	but i'd like to continue the conversation, since it would mean reverting patches	21:12
notmorgan	stevemar: dear god we landed triggers?	21:13
stevemar	no	21:13
notmorgan	phew	21:13
stevemar	notmorgan: just some of the stuff surrounding it: https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:master+topic:bp/manage-migration	21:13
stevemar	new keystone-manage db_sync options	21:14
henrynash	modred, notmorgan: I must admit I don't follow the argument of "if you use triggers for a temporary upgrade phase to only copy data between two schemas, then you might as well drop the sue or orm for keystone"	21:14
notmorgan	stevemar: you can still do the work.	21:14
notmorgan	henrynash: it's triggers themselves are BAD.	21:14
notmorgan	henrynash: not the concept	21:14
notmorgan	henrynash: the triggers are going to make life miserable	21:14
notmorgan	henrynash: and unreliable across engines and a LOT of work.	21:14
stevemar	notmorgan: i think we need better evidence other than "its bad" and "life miserable"	21:15
notmorgan	henrynash: it would be easier to keep the tempoary support code in python.	21:15
*** david-lyle has quit IRC		21:15
notmorgan	stevemar: so, the long and the short comes down to this: you are going to write per-DDL code that is very domain specific and almost guaranteed to be untestable in newton in any clustered environment	21:16
henrynash	notmorgan: which was strongly argued against by others (dolphm, dstanek, lbragstad)...	21:16
*** spzala has quit IRC		21:16
notmorgan	stevemar: in openstack, if it is untested, it is broken	21:16
notmorgan	this is clear in our history	21:16
*** spzala has joined #openstack-keystone		21:17
notmorgan	and this is something that can't be wrong or you destroy openstack deployments	21:17
notmorgan	code in python is testable without clusters and can be more generic	21:17
henrynash	notmorgan: what testing on clustered environments do we do today in opesntack?	21:17
*** ddieterly is now known as ddieterly[away]		21:17
*** ddieterly[away] is now known as ddieterly		21:17
stevemar	but our unit tests now run postgres and mysql now -- and henry added tests	21:17
notmorgan	henrynash: none, but we don't need to.	21:17
stevemar	(is coming off as antagonistic, but doesn't mean to)	21:18
notmorgan	henrynash: since the DB engin is simpl store+replicate	21:18
notmorgan	in DDL specific code you need to increase testing espeically when it comes to "automatic actions"	21:18
*** david-lyle has joined #openstack-keystone		21:18
notmorgan	if SQL-A isn't doing it/testing it i worry about our ability to test it/do it	21:18
henrynash	notmorgan: why?	21:18
notmorgan	because the engine gets weird with replicating these things in general. There is no commonly documented "this doesn't work" in galera, but it's not a widely used case and we are VERY lax in specifying versions of <DB engine> we support	21:19
notmorgan	basically we treat the DB engine as a simple "store data" box. we do not test beyond that	21:20
notmorgan	this is extremely worrysome when you start leaning on advanced features (triggers are advanced) in the DB engine	21:20
notmorgan	if SQL-A had an abstraction for it that was more concise and tested, I'd be less worried.	21:21
notmorgan	this REALLY feels like taking aim at foot and pulling the trigger (pun not intended) hoping that blanks are loaded.	21:21
*** spzala has quit IRC		21:21
notmorgan	the other question is who is writing the DDL specific code?	21:21
henrynash	notmorgan: so far me and lbragstad	21:22
*** pauloewerton has quit IRC		21:22
notmorgan	let me step back..	21:22
notmorgan	whjy are we talking triggers instead of python code?	21:22
notmorgan	this feels like the whole "cause it's cool" and/or "because we can fire/forget it"	21:23
notmorgan	which is IMO not true (either thing)	21:23
henrynash	notmorgan: because other cores would not support rolling upgrades with RW support by relying on versions objects	21:23
openstackgerrit	ayoung proposed openstack/python-keystoneclient: Update README to include creating a session from a config file. https://review.openstack.org/359434	21:24
notmorgan	because versioned objects suck? or because something else/	21:24
henrynash	notmorgan: I have been dragged somewhat kicking (and quietly screaming) into this...having origionally written the whole upgrade process to rely on versioned oonects	21:24
mordred	I mean, that's how the nova team has been working with the ops community for solving this problem ... I think it would be exceptionally weird for keystone to just make a new weird thing, no?	21:25
henrynash	(objects)	21:25
ayoung	(car cdr)	21:25
notmorgan	mordred: thats part of it. i don't think versioned objects are great, but having worked with triggers in MySQL, NDB, MSSQL, and Oracle it only ever seemed to work reliably/well in Oracle and MSSQL	21:26
mordred	I mean, I'm not a core, but this is solved in openstack, I have no idea why a whole new (and exceedingly brittle) solution would be written from scratch	21:26
ayoung	Work fine in Postgresql	21:26
mordred	notmorgan: yes. exactly	21:26
mordred	ayoung: literally nobody uses postgres with openstack	21:26
mordred	is has been dropped from the gate for a bunch of projects	21:26
notmorgan	unless you are in very very very clear control of the DB and know all the limitations of the triggers across MySQL/NDB backendsd	21:26
notmorgan	and versions	21:26
mordred	so we're talking about mysql	21:26
notmorgan	mordred: by literally you mean figuratively, i know 1 deployer does... because he complained on the ML about a bug ;)	21:27
ayoung	mordred, pretty sure we were just talking DB. Pretty sure no one runs Openstack on NDB and very few on Oracle or MSSQL either	21:27
notmorgan	mordred: /me stops snarking about literally	21:27
mordred	notmorgan: by literally I mean literally and do not care about statistical outliers	21:27
bknudson	we have a bug saying mysql is 10x slower at something.	21:27
notmorgan	mordred: heheh	21:27
henrynash	modred, notmorgan: i have no partiular axe to bear....just that we must have RW rolling upgrade support	21:27
mordred	ayoung: yes. I agree with that	21:27
ayoung	Never been impressed by MySQL. Used to have an interview question "Why chose PostgreSQL over MySQL..."	21:28
mordred	sigh	21:28
mordred	so.	21:28
ayoung	heh	21:28
mordred	let's not do THAT conversation	21:28
mordred	because it has literlaly no positive outcome for postgres	21:28
henrynash	modred, notmorgan: and since I have now written patches to support both types or RW....just want to see one of them stick!	21:28
notmorgan	ayoung: because you have reasons to do so. and there are reasons and uses.	21:28
mordred	given that every super large anything on a database runs on mysql	21:28
ayoung	that was years ago. THe reasons have long since been addressed	21:28
notmorgan	ayoung: but shrug different choices for different things.	21:28
ayoung	mordred, um, no. Every super large anything on a databaseruns either Oracle or DB2.	21:29
notmorgan	henrynash: i dislike versioned objects, i would generally +2 it with the current architecture of openstack	21:29
mordred	but whether or not mysql or postgres are better or worse is irrelevant. the predominant deployment choice for openstakc is by a MASSIVE margin mysql	21:29
mordred	ayoung: not even close	21:29
ayoung	mordred, yep	21:29
mordred	ayoung: google. facebook. twitter.	21:29
ayoung	mordred, some day Oravle will die	21:29
mordred	mysql	21:29
ayoung	Oracle	21:29
notmorgan	henrynash: i would be inclined to -2 triggers with the current architecture of openstack and complexity introduced with many versions of the DB engines/types/etc	21:29
mordred	oracle is used for backoffice toys	21:29
mordred	it is NOT used for LARGE things	21:30
mordred	that is 100% dominated by mysql and has been for years	21:30
ayoung	mordred, may those words become more and more true all the time. Been burnt by Oracle so many times in the past	21:30
notmorgan	henrynash: if that helps where I am coming from. in-python code is much much much better suited for our current architecture and lax requirement specifications	21:30
*** spedione is now known as spedione\|AWAY		21:30
notmorgan	henrynash: and we can't really be more strict (easily) without breaking whole deployment models of shared resources ooooor drastically increase testing to cover multiuple versions better.	21:31
*** hockeynut has quit IRC		21:31
notmorgan	henrynash: and i fall back to "if it isn't tested, it's broken" which becomes even more prevalent with advanced DB engine features	21:31
ayoung	Kinda not happy with the Triggers approach myself, but was still mulling. Glad to see it is not just me being a purist	21:31
bknudson	one concern I have with the nova approach is that I don't think that they have even done the "cleanup" stage	21:33
mordred	then the nova approach should be improved	21:33
mordred	making operators lives harder by introducing a second approach will be welcomed by noone	21:33
notmorgan	henrynash, stevemar: Bbut that is the level of what i can convey here, and it is based upon talks w/ mordred and anecdoctal experience/personal. so	21:33
henrynash	notmorgan: I also prefer not writing DB specific code, but with others -2ing the other approach, we are between a rock and hard place	21:34
bknudson	doing the same thing as nova in keystone has been -2?	21:34
henrynash	bknudson: yes	21:34
bknudson	:(	21:34
mordred	that seems very odd	21:34
bknudson	we better watch out we'll get kicked out of openstack.	21:35
notmorgan	henrynash: this is where the case I make is "the people in the community who grok SQL better than I do (and most everyone else) say this is the wrong approach, please reconsider the -2 on the approach that matches (as distateful as it is) the way other projects are approaching it"	21:35
mordred	nova has been trailblazing in this area	21:35
mordred	and I believe the expectatoin from the operators is that other projects will catch up with the work nova has been doing	21:35
henrynash	modred: and I origional proposed and we approved a spec around it	21:35
mordred	I do not believe the operators expect that each project will attempt to solve this from scratch	21:35
notmorgan	i may not like nova's approach. I think it is accepted by the community and operators	21:35
mordred	notmorgan: ++	21:35
notmorgan	and fills the needs for our architecture in openstack	21:36
henrynash	modred, notmorgan: but others would not support the implementation that this implied	21:36
mordred	henrynash: I believe that is/was the right thing to do	21:36
notmorgan	mordred: this sounds like something the TC needs to really mandate a direction on.	21:36
notmorgan	"	21:36
notmorgan	"rolling updates will conform roughly to X,Y,Z"	21:37
notmorgan	not mandating rolling updates are needed, just "use oslo" type mandate	21:37
notmorgan	(ignoring swift, obv)	21:37
mordred	notmorgan: well, honestly, it sounds like communication/education is sorely needed	21:37
notmorgan	mordred: probably.	21:37
mordred	because I find it hard to believe that keystone cores would -2 such an approach when presented with the informatoin that the approach has bene developed hand in hand with our operator community over the last 2 years	21:38
mordred	so I can only imagine that they are not aware of that	21:38
notmorgan	but the place i'd start is the above quoted thing... basically leaning to the folks who know SQL and how it works under the hood + oepnstacks' architecture say triggers are not a good idea (for a number of reasons)	21:39
*** su_zhang_ has quit IRC		21:42
*** su_zhang has joined #openstack-keystone		21:42
*** sdake has quit IRC		21:45
*** asettle has quit IRC		21:45
*** sdake has joined #openstack-keystone		21:45
*** sdake has quit IRC		21:45
bknudson	I wonder what the reason was for the rejection of the nova approach? Because we didn't want oslo.versionedobjects?	21:46
*** sdake has joined #openstack-keystone		21:46
bknudson	Maybe oslo.versionedobjects isn't a requirement.	21:46
notmorgan	bknudson: ++	21:50
notmorgan	bknudson: both things good to know	21:50
*** chrisshattuck has quit IRC		21:51
*** spzala has joined #openstack-keystone		21:53
Gorian\|work	wow! People talk in here!	21:56
*** atod has joined #openstack-keystone		21:57
*** ddieterly is now known as ddieterly[away]		21:57
*** tonytan4ever has joined #openstack-keystone		22:02
notmorgan	Gorian\|work: we got kicked out of openstack-dev at one point because we talk too much :P	22:04
Gorian\|work	haha, wow	22:04
Gorian\|work	I hardly ever see activity in the OpenStack channels	22:04
notmorgan	Gorian\|work: -nova, -infra, -cinder, and -keystone i know get decent chatter	22:05
notmorgan	and -meeting (obviously)	22:05
Gorian\|work	infra?	22:05
notmorgan	channel that discusses all the things related to the openstack infrastructure	22:06
notmorgan	gerrit, zuul, nodepool, etc	22:06
notmorgan	(operating it for penstack)	22:06
Gorian\|work	oh cool	22:06
notmorgan	#openstack-infra (that is)	22:06
notmorgan	the -<name> is just shorthand :)	22:06
*** tonytan4ever has quit IRC		22:07
Gorian\|work	yeah, I gathered that :P	22:07
Gorian\|work	who are you by the way? Since you aren't morgan	22:07
Gorian\|work	you can't just identify yourself by who you aren't!	22:07
rodrigods	stevemar, around?	22:07
notmorgan	i am also morgan	22:07
notmorgan	hm.	22:08
Gorian\|work	what? How does that work?!	22:08
notmorgan	.	22:08
notmorgan	hehe	22:08
notmorgan	i camp on both names ;)	22:09
notmorgan	but irc is being cranky and not letting me change nicks	22:09
*** ddieterly[away] is now known as ddieterly		22:09
notmorgan	shrug	22:09
*** notmorgan is now known as morganfainberg		22:09
Gorian\|work	awww, that sucks	22:09
*** morganfainberg is now known as morgan		22:09
morgan	there we go	22:10
*** slberger has left #openstack-keystone		22:10
morgan	someone tries to login with my account because it's "morgan" about 200 times a day	22:10
morgan	due to a badly configured thunderbird client	22:10
morgan	but it is mine muhahahahaha	22:11
* morgan laughs evilly		22:11
*** morgan is now known as notmorgan		22:11
* notmorgan cackles manaiacally		22:12
*** gagehugo has quit IRC		22:20
*** ayoung has quit IRC		22:27
*** ddieterly is now known as ddieterly[away]		22:31
*** baffle has quit IRC		22:34
*** michauds has quit IRC		22:36
*** ddieterly[away] has quit IRC		22:36
*** shaleh has quit IRC		22:41
*** sdake has quit IRC		22:44
*** sdake has joined #openstack-keystone		22:44
*** spzala has quit IRC		22:48
*** baffle has joined #openstack-keystone		22:48
*** BjoernT has quit IRC		22:49
*** spzala has joined #openstack-keystone		23:00
*** chlong has quit IRC		23:03
*** tonytan4ever has joined #openstack-keystone		23:03
*** spzala has quit IRC		23:05
*** tonytan4ever has quit IRC		23:08
*** iurygregory_ has joined #openstack-keystone		23:08
*** ddieterly has joined #openstack-keystone		23:10
*** ddieterly is now known as ddieterly[away]		23:11
*** ddieterly[away] is now known as ddieterly		23:13
*** esp has joined #openstack-keystone		23:14
notmorgan	yay i have real internet again	23:17
*** erhudy has quit IRC		23:22
*** bigdogstl has joined #openstack-keystone		23:25
*** Gorian\|work has quit IRC		23:25
*** bigdogstl has quit IRC		23:29
*** spzala has joined #openstack-keystone		23:34
*** spzala has quit IRC		23:39
*** eandersson_ has joined #openstack-keystone		23:40
*** eandersson has quit IRC		23:43
*** bigdogstl has joined #openstack-keystone		23:45
*** bigdogstl has quit IRC		23:50
*** spzala has joined #openstack-keystone		23:56
*** cheran has joined #openstack-keystone		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!