Thursday, 2016-09-08

*** spzala has quit IRC00:00
rderosebreton: setting a datetime default has been a nightmare00:00
rderosebreton: more than you know, believe me00:00
*** spzala has joined #openstack-keystone00:00
*** spzala has quit IRC00:00
breton< Define the column with a DEFAULT clause that specifies a constant default value.00:00
*** spzala has joined #openstack-keystone00:01
rderosebreton: yeah, try to do that with sqlalchemy that will support all of our supported databases and all of the different db versions00:01
*** spzala has quit IRC00:01
*** spzala has joined #openstack-keystone00:01
rderosebreton: I think I'm just going to remove the server_default00:02
bretonrderose: i tried, doesn't help00:02
rderosebreton: really?00:02
rderosebreton: if you remove the server_default, it still automatically gets set?00:02
bretonrderose: yep. I stupidly edited keystone/common/sql/contract_repo/versions/ and the bug is still there.00:03
rderosebreton: how did you edit it?00:03
*** spzala has quit IRC00:04
breton+                                )00:04
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
bretonrderose: i know this won't go to upstream, but for testing it is fine, since the tests recreate the db each time from scratch00:05
openstackgerritEric Brown proposed openstack/keystone: Add missing sections in configuration doc
rderosebreton: I mean, you'd have to let it set it initially and then at the end remove it like so: password.c.created_at.alter(server_default='')00:06
rderosebreton: but it sounds, it's just that it's a timestamp column?00:06
bretonrderose: yep00:07
rderosebreton: dam!!!00:07
bretonwhy is created_at timestamp and expires_at datetime?00:08
bretonwhy is there is this difference in types?00:08
rderosebreton: because mysql 5.5 datetime doesn't support server_default00:09
rderosebreton: timestamp does; was recommended by zzzeek00:09
bretonwhy keystone/common/sql/contract_repo/versions/ doesn't get executed when the tests are run?00:10
rderoseit should00:11
bretonactually even
rderosebreton: the test still fail, but is the created_at date automatically getting updated with the change?00:14
rderosebreton: so when column changes, does the created_at change like before?00:15
bretonrderose: yep, the behaviour is still like in the bugreport00:17
rderosebreton: hmm...00:18
rderosebreton: I'll have to research this some more then00:19
*** esp has quit IRC00:19
bretonrderose: the problem is that is not executed in tests00:20
bretonrderose: at all00:20
rderosebreton: it has to be, otherwise it would be datetime column and not timestamp00:21
rderosebreton: right, aren't you seeing that the column is a timestamp00:21
rderosebreton: when you run the tests00:21
bretonrderose: not sure. I didn't try to differ them in tests, i just observed the different in the code00:25
rderosebreton: so why do you think it's not being executed?00:26
*** adrian_otto has quit IRC00:26
*** iurygregory_ has quit IRC00:26
bretonrderose: i inserted "assert False" to upgrade(). It was supposed to fail everything. It hasn't.00:29
*** harlowja has joined #openstack-keystone00:29
samueldmqlbragstad: see my comment in
openstackgerritEric Brown proposed openstack/keystone: Updates configuration doc with latest changes
samueldmqlbragstad: looks like a valid failure00:30
*** roxanaghe has quit IRC00:30
rderosebreton: I need some coffee :)00:30
bretonrderose: the tests succeeds even if i make this absolute SyntaxError:
rderosebreton: how about IRONMAN?00:31
rderosewill that work?00:31
bretonrderose: meh, batman was better :p00:31
*** topol_ has joined #openstack-keystone00:31
*** ChanServ sets mode: +v topol_00:31
bretonnot the last one though.00:31
bretonok, now i really need to go to sleep.00:32
rderosebreton: yeah, thanks again00:32
rderosebreton: I'll keep working on this00:32
rderosebreton: touch base with you tomorrow00:33
*** tqtran has quit IRC00:39
*** ddieterly has joined #openstack-keystone00:44
*** esp has joined #openstack-keystone00:48
*** spzala has joined #openstack-keystone00:48
*** gyee_ has quit IRC00:48
*** chlong has quit IRC01:03
*** davechen has joined #openstack-keystone01:20
*** javis has quit IRC01:26
*** sdake has joined #openstack-keystone01:32
*** wangqun has joined #openstack-keystone01:35
*** ddieterly has quit IRC01:35
*** tqtran has joined #openstack-keystone01:36
*** tqtran has quit IRC01:40
*** openstack has joined #openstack-keystone01:42
*** ddieterly has joined #openstack-keystone01:42
*** ddieterly has quit IRC01:46
*** asettle has joined #openstack-keystone01:47
*** asettle has quit IRC01:51
stevemarrderose: uh oh02:03
stevemarbreton: thanks for the find, great bug02:03
rderosestevemar: tell me about it :)02:03
rderosestevemar: I think I have a solution02:04
rderosestevemar: chatted with zzzeek02:04
rderosestevemar: testing it out now02:04
stevemarrderose: cool cool, i think amakarov reported a similar bug02:04
rderosestevemar: should have an updated patch soon:
*** spzala has quit IRC02:04
*** spzala has joined #openstack-keystone02:05
*** ddieterly has joined #openstack-keystone02:06
*** spzala has quit IRC02:07
*** spzala has joined #openstack-keystone02:07
*** chlong has joined #openstack-keystone02:19
*** ddieterly has quit IRC02:19
*** ddieterly has joined #openstack-keystone02:22
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: Switch fernet to be the default token provider.
*** spzala has quit IRC02:33
*** spzala has joined #openstack-keystone02:33
*** spzala has quit IRC02:35
*** spzala has joined #openstack-keystone02:35
*** ddieterly has quit IRC02:41
dstanekstevemar: are we OK to break backward compat for the bug?
*** spzala has quit IRC02:50
stevemardstanek: i think domain specific roles are still experimental02:51
stevemardoubtful that we've documented that anywhere, but they've only hung around for one release02:51
*** spzala has joined #openstack-keystone02:51
stevemardstanek: plus, as you mentioned, it results in a bug anyway02:51
dstanekstevemar: coolio, just checking before I +A02:51
stevemardstanek: you good02:51
dstanekstevemar: you good too02:51
stevemarheading out, early night, little one is waking up02:52
dstanekstevemar: have a good night02:53
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a nit in a comment
*** spzala has quit IRC02:55
*** chrisshattuck has joined #openstack-keystone03:14
openstackgerritRon De Rose proposed openstack/keystone: Return password_expires_at during auth
openstackgerritRon De Rose proposed openstack/keystone: Return password_expires_at during auth
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
*** chrisshattuck has quit IRC03:23
*** chrisshattuck has joined #openstack-keystone03:23
rderoseFor my migration script need to check if mysql 5.6.5. I can check for mysql (if == 'mysql'), but does anyone know how to check the version?03:24
rderoseengine.version doesn't work03:24
*** fangxu has quit IRC03:29
openstackgerritNguyen Phuong An proposed openstack/keystone: [api-ref] Remove parameters unused in keystone v2
openstackgerritMerged openstack/keystone: Project domain must match role domain for assignment
*** GB21 has joined #openstack-keystone04:05
*** esp has quit IRC04:12
*** code-R has joined #openstack-keystone04:19
*** links has joined #openstack-keystone04:28
*** markvoelker has quit IRC04:30
*** markvoelker has joined #openstack-keystone04:31
*** GB21 has quit IRC04:35
*** dikonoor has joined #openstack-keystone04:39
*** woodster_ has quit IRC04:39
*** can8dnSix has joined #openstack-keystone04:40
*** esp has joined #openstack-keystone04:42
openstackgerritNguyen Phuong An proposed openstack/keystone: [api-ref] Remove parameters unused in keystone v2
*** GB21 has joined #openstack-keystone04:51
openstackgerritRon De Rose proposed openstack/keystone: Return password_expires_at during auth
*** dikonoor has quit IRC04:54
*** dikonoor has joined #openstack-keystone04:56
*** sdake has quit IRC04:56
*** code-R_ has joined #openstack-keystone04:57
*** sdake has joined #openstack-keystone05:00
*** code-R has quit IRC05:00
openstackgerritMerged openstack/keystone: Fixes a nit in a comment
*** code-R_ has quit IRC05:08
*** can8dnSix has quit IRC05:10
*** jaosorior has joined #openstack-keystone05:10
*** chlong has quit IRC05:14
*** GB21 has quit IRC05:14
*** chrisshattuck has quit IRC05:20
*** GB21 has joined #openstack-keystone05:27
*** spzala has joined #openstack-keystone05:27
*** ChanServ sets mode: +v henrynash05:30
*** chlong has joined #openstack-keystone05:30
*** links has quit IRC05:31
*** spzala has quit IRC05:31
*** cnf has quit IRC05:32
*** dikonoor has quit IRC05:33
*** roxanaghe has joined #openstack-keystone05:37
*** tqtran has joined #openstack-keystone05:38
*** esp has quit IRC05:38
*** richm has quit IRC05:40
*** tqtran has quit IRC05:42
*** roxanaghe has quit IRC05:46
*** links has joined #openstack-keystone05:46
*** code-R has joined #openstack-keystone05:47
*** dikonoor has joined #openstack-keystone05:48
*** hoangcx has joined #openstack-keystone05:50
*** swamireddy1 has joined #openstack-keystone05:50
*** code-R_ has joined #openstack-keystone05:55
*** sdake_ has joined #openstack-keystone05:56
*** code-R has quit IRC05:57
*** sdake has quit IRC05:58
*** code-R_ has quit IRC06:00
*** dikonoor has quit IRC06:03
*** annp has joined #openstack-keystone06:04
*** chlong has quit IRC06:13
*** gagehugo has joined #openstack-keystone06:22
*** hoonetorg has quit IRC06:25
*** chlong has joined #openstack-keystone06:26
openstackgerritNguyen Phuong An proposed openstack/keystone: [api-ref] Correct response code status
*** topol_ has quit IRC06:43
*** tonytan4ever has quit IRC06:49
*** jpena|away is now known as jpena|off06:52
*** swamireddy1 has quit IRC06:57
*** hoangcx has quit IRC06:57
*** tesseract- has joined #openstack-keystone07:04
*** maestropandy has joined #openstack-keystone07:25
*** maestropandy has left #openstack-keystone07:25
*** jed56 has joined #openstack-keystone07:33
*** openstackgerrit has quit IRC07:33
*** openstackgerrit has joined #openstack-keystone07:34
bretonrderose: wait, the problem is not with server_default07:38
bretonrderose: the problem is that migration scripts do not run in tests07:39
*** tqtran has joined #openstack-keystone07:39
*** cnf has joined #openstack-keystone07:40
*** topol_ has joined #openstack-keystone07:43
*** ChanServ sets mode: +v topol_07:43
*** tqtran has quit IRC07:43
*** topol_ has quit IRC07:49
*** tonytan4ever has joined #openstack-keystone07:50
*** chlong has quit IRC07:52
*** jpena|off is now known as jpena07:54
*** tonytan4ever has quit IRC07:54
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** maestropandy has joined #openstack-keystone08:00
*** adriant has quit IRC08:06
*** maestropandy has left #openstack-keystone08:15
*** sdake_ is now known as sdake08:17
*** dikonoor has joined #openstack-keystone08:24
*** cnf has quit IRC08:27
*** cnf has joined #openstack-keystone08:28
wangqunHi all, I meet a bug when I set quota for a project. I am using kilo version of keystone.08:32
wangqunwhen I run the following command.08:33
wangqunopenstack --debug quota set --volumes 20 623051a1ce4f417ea5b99e2bedca5e3908:33
wangqunIt will show the error.08:34
wangqunFile "/usr/local/lib/python2.7/dist-packages/openstackclient/common/", line 124, in take_action08:34
wangqun    **volume_kwargs)08:34
wangqun  File "/usr/local/lib/python2.7/dist-packages/cinderclient/v1/", line 47, in update08:34
wangqun    result = self._update('/os-quota-sets/%s' % (tenant_id), body)08:34
wangqunI don't know how to fix the problem.08:34
*** joerch has joined #openstack-keystone08:34
wangqunCan anyone help me?08:35
*** jaosorior is now known as jaosorior_lunch08:40
*** asettle has joined #openstack-keystone08:40
bretonwangqun: please post the full traceback to paste.openstack.org08:41
wangqunbreton:Thanks. I will do it.08:42
*** namnh has joined #openstack-keystone08:45
openstackgerritLu lei proposed openstack/keystone: Repalce six.iterXXX(aaa) with aaa.XXX()
*** code-R has joined #openstack-keystone09:00
*** code-R_ has joined #openstack-keystone09:02
*** maestropandy has joined #openstack-keystone09:03
*** code-R has quit IRC09:05
*** pnavarro has joined #openstack-keystone09:18
*** NishaYadav has joined #openstack-keystone09:19
*** nisha_ has joined #openstack-keystone09:19
*** nisha_ has quit IRC09:20
*** asettle has quit IRC09:23
*** asettle has joined #openstack-keystone09:23
*** davechen has left #openstack-keystone09:34
*** asettle has joined #openstack-keystone09:41
*** mvk has quit IRC09:43
*** spzala has joined #openstack-keystone09:52
*** namnh has quit IRC09:54
*** spzala has quit IRC09:56
*** annp has quit IRC09:59
*** GB21 has quit IRC10:05
*** richm has joined #openstack-keystone10:08
*** GB21 has joined #openstack-keystone10:11
*** mvk has joined #openstack-keystone10:13
*** nisha_ has joined #openstack-keystone10:14
*** NishaYadav has quit IRC10:17
*** NishaYadav has joined #openstack-keystone10:27
*** NishaYadav is now known as Guest354610:28
*** nisha__ has joined #openstack-keystone10:30
*** nisha_ has quit IRC10:31
*** Guest3546 has quit IRC10:33
*** tqtran has joined #openstack-keystone10:42
*** wangqun has quit IRC10:46
*** tqtran has quit IRC10:46
*** dikonoor has quit IRC10:53
*** amakarov_away is now known as amakarov10:55
*** jpena is now known as jpena|lunch10:59
openstackgerritLu lei proposed openstack/keystone: Replace six iteration methods with standard ones
*** nisha__ has quit IRC11:13
*** maestropandy has quit IRC11:19
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model
*** dikonoor has joined #openstack-keystone11:23
*** dikonoor has quit IRC11:28
*** dikonoor has joined #openstack-keystone11:29
*** dikonoor has quit IRC11:40
*** tonytan4ever has joined #openstack-keystone11:51
*** links has quit IRC11:52
*** jaosorior_lunch is now known as jaosorior11:56
*** tonytan4ever has quit IRC11:56
openstackgerritSteve Martinelli proposed openstack/keystone: [api-ref] Correct response code status
*** shaleh_ has joined #openstack-keystone12:09
*** shaleh has quit IRC12:12
*** raildo has joined #openstack-keystone12:17
*** jpena|lunch is now known as jpena12:21
*** pauloewerton has joined #openstack-keystone12:26
bretoni think i don't understand something12:26
bretondo we run the migrations in tests setup?12:27
bretonor we just create all the tables separately?12:27
*** EinstCrazy has joined #openstack-keystone12:31
*** su_zhang has joined #openstack-keystone12:36
*** GB21 has quit IRC12:36
*** shaleh has joined #openstack-keystone12:37
bretonit seems that we don't run migrations at all and it's ok12:37
bretonbecause of
bretonso bug 1621449 is probably invalid :(12:39
openstackbug 1621449 in OpenStack Identity (keystone) "Unit tests run on old db schema" [High,Confirmed]
*** shaleh_ has quit IRC12:39
*** maestropandy has joined #openstack-keystone12:46
*** jaosorior has quit IRC12:51
*** jaosorior has joined #openstack-keystone12:51
stevemarbreton: there should be a test that upgrades all the way in test_sql_migrate12:53
*** dikonoor has joined #openstack-keystone12:54
*** maestropandy has quit IRC12:54
bretonstevemar: there is such test, yes12:56
bretonstevemar: but for other, non-upgrade tests, the tables are created not with migrations12:56
bretonstevemar: but with metadata.create_all()12:57
*** maestropandy has joined #openstack-keystone13:00
*** spzala has joined #openstack-keystone13:06
*** tonytan4ever has joined #openstack-keystone13:07
amakarovbreton, I assume it's for speed, unit tests don't care about migrations - those are for other things13:10
*** tonytan4ever has quit IRC13:12
*** jraju has joined #openstack-keystone13:12
*** tonytan4ever has joined #openstack-keystone13:14
*** su_zhang has quit IRC13:16
*** su_zhang has joined #openstack-keystone13:16
*** su_zhang_ has joined #openstack-keystone13:20
*** sdake_ has joined #openstack-keystone13:20
lbragstadsamueldmq checking13:20
*** su_zhang has quit IRC13:20
*** sdake has quit IRC13:22
*** aloga_ has joined #openstack-keystone13:24
openstackgerritBoris Bobrov proposed openstack/keystone: Syncronize Password model with the migrated schema
bretonrderose: ^13:25
lbragstadsamueldmq stevemar interesting - looks like keystone-manage fernet_setup only runs when fernet is the default in Devstack
*** ddieterly has joined #openstack-keystone13:27
*** topol_ has joined #openstack-keystone13:28
*** ChanServ sets mode: +v topol_13:28
*** topol_ has quit IRC13:29
openstackgerritMikhail Nikolaenko proposed openstack/keystone: [WIP] Move fernet utils to backend
*** ddieterly has quit IRC13:31
*** xenogear has quit IRC13:34
lbragstadsamueldmq stevemar  it looks like the still isn't a fernet-keys repository during the grenade run -
openstackgerritLance Bragstad proposed openstack/keystone: WIP: Switch fernet to be the default token provider.
*** woodster_ has joined #openstack-keystone13:45
*** joerch has quit IRC13:48
*** spzala has quit IRC13:49
stevemarlbragstad: dagnabbit13:50
*** xenogear has joined #openstack-keystone13:50
*** spzala has joined #openstack-keystone13:50
lbragstadstevemar i wonder if it is because keystone-manage fernet_setup isn't run on the upgrade (?)13:50
*** Administrator_ has joined #openstack-keystone13:51
stevemarlbragstad: i didn't think so, but i saw your grenade patch, let's see what happens13:51
*** gagehugo_ has joined #openstack-keystone13:51
stevemarlbragstad: i don't think we have enough runway to make fernet the default in newton13:51
*** gagehugo has quit IRC13:51
*** gagehugo_ has quit IRC13:51
lbragstadstevemar agreed - just testing it13:52
*** gagehugo has joined #openstack-keystone13:52
lbragstadstevemar if that passes - i'll mark everything with a -2 or a wip until we open for ocata and we will land it first thing then?13:52
lbragstadwhich would mean reproposing the grenade patch to from-newton13:52
lbragstadinstead of from-mitaka13:52
*** zhugaoxiao has quit IRC13:54
*** spzala has quit IRC13:55
lbragstadit would be nice to confidently merge first thing in Ocata, though13:56
lbragstadstevemar what about the null key for credential encryption - are we going to bring up the FFE in next weeks meeting?13:58
*** topol_ has joined #openstack-keystone13:59
*** ChanServ sets mode: +v topol_13:59
*** chrisshattuck has joined #openstack-keystone14:00
samueldmqlbragstad: so that's a devstack thing right?14:01
samueldmqlbragstad: that needs to run fernet_setup when keystone config is set to fernet ?14:01
lbragstadsamueldmq which part?14:01
lbragstadsamueldmq well - the only failure in the most recent run was grenade related14:02
lbragstadso upgrade testing14:02
*** ddieterly has joined #openstack-keystone14:02
lbragstadand when you look at the logs from the failure - keystone doesn't have a fernet-keys directory in /etc/14:02
lbragstadso i'm curious if that was the problem14:02
samueldmqlbragstad: seems to be related14:03
lbragstadsamueldmq dstanek just found this -
lbragstadwhich is exactly the problem14:03
lbragstadlooks like keystone is throwing a 500 during version discovery14:03
lbragstadso - that grenade patch *should* fix it14:04
samueldmqlbragstad: what patch ? you have a link ?14:04
*** chrisshattuck has quit IRC14:05
openstackgerritMerged openstack/keystone: Introduce null key for credential encryption
lbragstad^ i have dependent on ^14:05
openstackgerritMerged openstack/keystone: Log warning if null key is used for encryption
openstackgerritMerged openstack/keystone: Add docs for the null key
openstackgerritMerged openstack/keystone: [api-ref] Correct response code status
*** chrisshattuck has joined #openstack-keystone14:05
stevemarlbragstad: the null key is merged, it was a bug, no need for an ffe14:06
lbragstadstevemar what about an ffe for credential encryption?14:06
stevemarlbragstad: *granted*14:06
lbragstadayoung ping - want me to abandon since the null key stuff merged?14:07
lbragstadstevemar sweet14:07
stevemarlbragstad: it's just a formality tbh14:07
openstackgerritMikhail Nikolaenko proposed openstack/keystone: [WIP] Add sql backend for fernet keys
samueldmqlbragstad: stevemar's stamp on it!14:07
ayounglbragstad, yes, please14:07
ayounglbragstad, I got it14:07
lbragstadayoung sorry - just did it14:07
lbragstadayoung i think EmilienM's stuff was in the process of merging - but hopefully there aren't any more upgrade issues14:08
ayounglbragstad, Shhh...I still want that in...14:08
lbragstadayoung ++14:09
*** topol_ has quit IRC14:10
*** sdake has joined #openstack-keystone14:10
*** sdake_ has quit IRC14:12
*** gagehugo_ has joined #openstack-keystone14:13
*** su_zhang_ has quit IRC14:13
*** su_zhang has joined #openstack-keystone14:13
*** EinstCrazy has quit IRC14:15
*** su_zhang has quit IRC14:18
*** EinstCrazy has joined #openstack-keystone14:19
*** jaugustine has joined #openstack-keystone14:20
rderosebreton: adding the server_default to the model is not going to fix the error14:26
rderosebreton: mysql versions below 5.6.5 will still update the timestamp when any column in the row is updated14:28
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver
openstackgerritAlexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation trust driver
rderosebreton: I'm going back to the drawing board on this one and I think, just going to propose that we manually fix this in the contract repo with a simple (not ideal) approach14:29
rderoseamakarov: is this still a bug:
openstackLaunchpad bug 1620764 in OpenStack Identity (keystone) "migration test fails on table addition" [Undecided,New] - Assigned to Ron De Rose (ronald-de-rose)14:30
rderoseamakarov: did you see my comments?14:30
amakarovrderose, yes, and followed the example you provided14:30
lbragstadstevemar samueldmq dstanek looks like the grenade patch makes pass14:31
amakarovrderose, that created even more questions :)14:31
rderoseamakarov: haha of course14:31
rderoseamakarov: it just gets more complicated huh14:31
rderoseamakarov: oh, and it looks like your patch passed the gate14:32
amakarovrderose, I've removed empty migrations14:32
amakarovrderose, so what if I need those migrations? I don't understand how this thing works and why it failed! :)14:33
rderoseamakarov: oh, was that it?  because you had empty migrations in contract and migrate?14:33
rderoseamakarov: ah, let me dig into that14:33
rderoseamakarov: can you update the bug description?14:33
amakarovrderose, of course14:34
rderoseamakarov: cool14:34
*** rodrigods has quit IRC14:35
*** rodrigods has joined #openstack-keystone14:35
bretonrderose: ok. But the patch works for me. Could you please -1 it with your concerns?14:35
lbragstaddstanek this is interesting -
lbragstadthat's from stevemar's patch to make fernet default in devstack14:36
*** scarab_ has joined #openstack-keystone14:38
rderosebreton: in talking with zzzeek for mysql 5.6.4 and older will set current_timestamp onupdate, which is what we saw.  For these older versions, he suggests using "server_default="CURRENT_TIMESTAMP()"14:39
bretonrderose: also, my mysql version is 5.5.50-0+deb8u1 and it works for me14:39
rderosebreton: the column is not getting updated like before?14:39
bretonrderose: yes, the column is not getting updated like before.14:40
rderosebreton: what the #$@#%14:40
rderosebreton: what about the UTC problem?  that's still an issue, right?14:40
bretonrderose: nope. Everything works for me.14:41
*** EinstCrazy has quit IRC14:41
rderosebreton: how is that possible, is not UTC?14:42
bretonrderose: that's why closes-bug, not partial-bug.14:42
bretonrderose: no idea :)14:42
*** mvk has quit IRC14:42
rderosebreton: I just don't trust it now and afraid that different versions of mysql will fail14:43
*** ravelar has joined #openstack-keystone14:43
bretonrderose: ok. I will test it on an older version now14:43
rderosebreton: cool14:43
*** michauds has joined #openstack-keystone14:43
openstackgerritayoung proposed openstack/keystone-specs: Flag to bypass expiry and revocation check on token validation
bretonrderose: sorry, but the oldest i can test on my localhost is 5.5.47-0, from debian oldstable.14:47
bretonrderose: even ubuntu 12.04 has 5.5.5014:48
rderosebreton: hmm...14:48
rderosebreton: this is just hard to explain, especially the UTC issue.  If you set the db to UTC+4, should set the default created_at accordingly14:49
rderosebreton: for existing passwords14:49
rderosebreton: that should still be a problem14:50
bretonrderose: i am in utc+3, and everything in the db is in UTC14:50
rderosebreton: actually, it does now. because our tests don't have existing passwords, right?14:51
rderosebreton: the server_default would only kick in for old passwords14:51
rderosebreton: so I think that would still be a problem14:52
bretonrderose: don't know14:52
rderosebreton: we need a test for that14:52
bretonrderose: yep. Let me write one for it.14:52
*** dikonoor has quit IRC14:52
rderosebreton: and I really don't trust that the onupdate will not be a problem for all versions...  have to get zzzeek's input on why that is working for you14:52
rderosebreton: have a meeting at the top of the hour, let me know what you find out14:53
*** jraju has quit IRC14:59
ayoungWow....we do a lot of Business logic in the auth controller. How did we let that happen?15:00
ayoungI wonder if what we really should have is an auth Manager.15:01
ayoungI'm thinking through the "long lived token" thing15:01
*** ddieterly has quit IRC15:01
*** aloga_ has quit IRC15:02
ayoungand so we need a call that returns the data associated with a token. The auth_data, as it is called throughout the middleware.15:02
ayoungI think that this is a variation on the auth call, with a flag that says "ignore revocation and expiry" as I put in the spec15:03
ayoungwe have revocations in a separate backend from tokens.  And we call into that from the auth controller15:04
ayoungseems that, instead, we should have the auth controller (HTTP specific logic) call into the auth manager (business logic) that calls the token persistance layer to get the data, and then checks expiry and revocation15:05
ayoungthis is the pipeline we dioscussed in San Antonio during a midcycle several years ago15:06
rderoseamakarov: you never created empty migration scripts for data_migrate and contract?15:09
amakarovtried it15:10
*** scarab_ has quit IRC15:10
rderoseamakarov: which patch set?15:11
amakarovrderose, tests didn't pass15:12
*** su_zhang has joined #openstack-keystone15:12
rderoseamakarov: okay, looking now15:12
bretonrderose: although i am writing a test15:16
bretonrderose: it is probably unrelated to my issue15:16
bretonrderose: because my issue happens only in unittests15:16
*** spzala has joined #openstack-keystone15:16
lbragstadsamueldmq these must be the revocation caching issues you were referencing -
rderosebreton: true15:16
bretonrderose: and not in reallife15:16
rderosebreton: not real life?15:16
bretonrderose: well, outside of unit tests :)15:17
rderosebreton: yeah, okay15:17
bretonrderose: so the test probably will go to another patchset.15:17
breton*to another patch15:17
*** sdake_ has joined #openstack-keystone15:21
*** sdake has quit IRC15:22
bretonrderose: after migration UTC gets inserted.15:23
rderosebreton: yeah, agree15:24
bretonrderose: so actually inserts UTC15:25
rderosebreton: wow, not according to the docs15:26
bretonrderose: or maybe something else works, not
rderosebreton: maybe...15:27
bretonrderose: i am not sure how to test it though. Because the gates are in UTC afaik.15:28
bretonrderose: and we need to emulate non-UTC environment15:28
rderosebreton: yeah15:28
bretonand i don't know how to do that15:28
*** javis has joined #openstack-keystone15:30
samueldmqlbragstad: yes15:32
lbragstadhah - it looks specific to the change password tests15:33
lbragstadfor both v2.0 and v315:33
samueldmqlbragstad: maybe not ... wait let me see15:33
bretonlbragstad: that's the one we are now working on15:33
samueldmqlbragstad: hmm15:33
bretonlbragstad: with rderose15:33
lbragstadcc dstanek ^15:33
lbragstadbreton the fernet default revocation caching issues?15:33
samueldmqlbragstad: is there a known reason for that bug ?15:33
bretonlbragstad: nope, password change15:34
samueldmqlbragstad:  in that case (the link you posted) it's failing to validate the token15:34
lbragstadbreton bug report?15:34
samueldmqlbragstad: the revocation issue I was looking at was the opposite15:34
samueldmqlbragstad: the token was expected to be revoked, but was still valid15:35
lbragstadsamueldmq this time it is suppose to be valid but it isn't15:35
bretonlbragstad:, but the root cause is fixed in
openstackLaunchpad bug 1621200 in OpenStack Identity (keystone) "MySQLOpportunisticIdentityDriverTestCase.test_change_password fails in UTC+N timezone" [Undecided,In progress] - Assigned to Boris Bobrov (bbobrov)15:36
*** esp has joined #openstack-keystone15:38
samueldmqlbragstad: hmm, if the other tests are not failing ....15:39
samueldmqlbragstad: I'd assume dstanek's patch actually fixed the issue we used to see15:39
lbragstadsamueldmq i would assume it at least fixed some of them15:39
*** thiagolib has joined #openstack-keystone15:41
dstaneki fix bug15:41
lbragstadbut - i wonder why we seem to still be having issues with password tests?15:42
*** browne has joined #openstack-keystone15:44
*** topol_ has joined #openstack-keystone15:49
*** ChanServ sets mode: +v topol_15:49
*** roxanaghe has joined #openstack-keystone15:50
*** topol_ has quit IRC15:50
*** maestropandy has quit IRC15:55
*** BjoernT has joined #openstack-keystone15:57
*** su_zhang has quit IRC16:02
*** su_zhang has joined #openstack-keystone16:03
*** su_zhang has quit IRC16:07
*** ravelar has quit IRC16:12
*** ravelar has joined #openstack-keystone16:13
*** woodburn has left #openstack-keystone16:16
*** woodburn has joined #openstack-keystone16:17
*** tesseract- has quit IRC16:21
*** cher75 has joined #openstack-keystone16:28
*** ametts has joined #openstack-keystone16:32
*** ravelar has quit IRC16:33
*** ravelar has joined #openstack-keystone16:33
bretonguys, what about out microversions spec? Will it be implemented in N?16:38
bretonor in O?16:38
*** spzala has quit IRC16:39
*** spzala has joined #openstack-keystone16:40
*** gyee_ has joined #openstack-keystone16:40
*** clenimar has joined #openstack-keystone16:43
*** spzala has quit IRC16:44
*** cher75 has quit IRC16:45
openstackgerritSteve Martinelli proposed openstack/keystone: New notes on advanced upgrade/fallback for cluster
*** spzala has joined #openstack-keystone16:46
*** code-R_ has quit IRC16:47
stevemarbreton: to be implemented when we need it16:49
*** spzala has quit IRC16:50
*** arunkant__ has joined #openstack-keystone16:55
*** spzala has joined #openstack-keystone16:57
*** jaosorior has quit IRC17:01
*** spzala has quit IRC17:02
*** Gorian has quit IRC17:03
*** ezpz has quit IRC17:03
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Support domain-specific configuration management
stevemarlbragstad: want to take a quick look at
*** spzala has joined #openstack-keystone17:09
*** slberger has joined #openstack-keystone17:09
lbragstadstevemar yeah17:12
*** adrian_otto has joined #openstack-keystone17:12
*** spzala has quit IRC17:14
*** su_zhang has joined #openstack-keystone17:15
*** fangxu has joined #openstack-keystone17:19
*** marekd2 has joined #openstack-keystone17:20
*** jpena is now known as jpena|off17:21
*** marekd2 has quit IRC17:21
*** joerch has joined #openstack-keystone17:21
*** spzala has joined #openstack-keystone17:25
*** spzala has quit IRC17:29
*** michauds has quit IRC17:30
*** spzala has joined #openstack-keystone17:31
*** spzala has quit IRC17:35
*** code-R has joined #openstack-keystone17:35
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
*** code-R_ has joined #openstack-keystone17:38
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
*** code-R has quit IRC17:42
*** spzala has joined #openstack-keystone17:42
notmorganayoung: it's amazing how much logic is there. however, it's is the only place we really broke the "business logic below the controller" thing17:43
ayoungnotmorgan, yeah...I was puzzling through it. I think it is because a lot of it is HTTP specific for authentication17:43
notmorganrderose: gratz on core... also "sucker" ;) now you have to review things!17:44
ayoungwe really should split authN and authZ up more clearly17:44
notmorganayoung: pretty much, basically that logic really does belong (most of the http stuff) in the controller17:44
notmorganthe token things are isolated to the token manager... some authz stuff could be shuffled17:44
rderosenotmorgan: thanks man!  yeah, got find time to do reviews :)17:44
ayoungjust looking through the plugins, you see it is all HTTP specific header operations17:44
ayoungnotmorgan, with the exception of Password, which should be Basic Auth, dagnabit17:45
*** adrian_otto has quit IRC17:45
notmorganayoung: nope, DIGEST ;)17:45
notmorganayoung: but same thing ;)17:45
*** tqtran has joined #openstack-keystone17:46
notmorganit's sad when SoCal has been nicer weather than PDX in the last few days i've been here vs. when I was home17:46
*** spzala has quit IRC17:47
notmorgan(SoCal desertish areas, let alone ocean locations)17:47
*** spzala has joined #openstack-keystone17:48
ayoungnotmorgan, I should write up a spec for that17:50
bknudsonseems like the controller should be pulling the headers out to make them available17:50
ayoungbknudson, I thought that, but, it really is not a protocol agnostic17:52
notmorganayoung: wouldn't hurt, but my guess is that spec could wait - the setup we have now is in need or refinement not an overhaul like some other things17:52
ayoungthe only part that really is protocol agnostic is external, which lets APache do essentially that17:52
*** spzala has quit IRC17:52
ayoungnotmorgan, I would really like to get all of the methods stuff gone, and do it all in apache modules.17:53
ayoungThen again, I would like to spend my time on Keystone, and I can't17:53
notmorganayoung: like i said, refinement not overhaul ;)17:53
notmorganalso don't forget uwsgi may be used behind nginx17:53
notmorganso be aware it can't be "apache specific" but i'm sure you're already thinking that17:54
ayoungnotmorgan, but, to the heart of the matter,  I need to get someone to code the "ignore expiration and revocation"17:54
ayoungnotmorgan, right..whatever is passed in to mapping.17:54
*** LamT_ has joined #openstack-keystone17:54
notmorganayoung: i can commit to the rev event fixes and cleanup.... but sorry i'm punting on jumping on that grenade ;)17:54
ayoungnotmorgan, nah, I want to give it to an outreachy intern anyway17:55
ayoungOr do it myself17:55
* notmorgan nods.17:55
*** su_zhang has quit IRC17:55
notmorganif i was more involved with keystone I'd probably just write a bunch of code for lingering specs.17:55
notmorganbut as I'm not...17:55
ayoungI'm just gonna write specs and hope to get others to implement17:56
* notmorgan looks at the clock and decides another coffee this early is a bad plan(tm)17:57
* ayoung looks at clock and realized lunch time is fast receding17:59
notmorganayoung: yeah damn east coast time :P18:01
* notmorgan is going to grab lunch in ~30m18:01
notmorganso your lunch is waaaaay late18:01
notmorgandstanek: I reviewed it again because I'm a rebel18:02
*** chrisshattuck has quit IRC18:02
notmorganayoung: re, isn't ?noexpire a validate call?18:06
notmorganayoung: that isn't part of the POST.18:06
notmorganayoung: it's a GET, unless you are flagging the token itself as non-expiring (sounds dangerous)18:06
*** gyee_ has quit IRC18:06
*** wasmum has quit IRC18:06
dstaneknotmorgan: rebel without or with a cause?18:07
notmorgandstanek: without a clue18:07
ayoungnotmorgan, yes it is a GET call18:07
notmorganayoung: ok i'll comment there. i was worried i was confused18:07
ayoungyou are saying "ignore expiration and revocation on this call"18:07
dstaneknotmorgan: right there with you18:07
ayoungshould not change the state of the token, but will return successfully even if the token is revoked or expired18:07
*** spzala has joined #openstack-keystone18:09
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
*** spzala has quit IRC18:14
notmorganayoung: commented18:15
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
notmorganayoung: -1 for the POST vs GET, and a bunch of nits/comments on the spec itself, but nothing critical18:15
ayoungnotmorgan, thanks.  It seems like the keystone server changes should be minimal for this. It is mostly a change in the way one service talks to another18:15
notmorganayoung: overall, looks good except for GET vs POST18:15
ayoungnotmorgan, the big thing is going to be, when nova calls glance, it needs to send the service token along with the users token18:16
notmorganayoung: yeah18:16
ayoungwe already have support for that, right?18:16
notmorganwe ... well sortof18:16
notmorgancode change in nova might be needed18:16
ayoungwas hoping it could be in config and client instead18:16
notmorganksa does not have that baked in (yet) iirc18:17
notmorganksa+middleware. it was one of the things I was hoping to use via an auth plugin18:17
notmorganbut it should be a trivial auth plugin update to make it happen18:17
notmorganand then nova config vs code change (now that I think about it)18:17
* notmorgan runs off for lunching18:17
* notmorgan is back until lunch actually happens.18:24
*** sdake_ is now known as sdake18:27
notmorganstevemar: we can remove that option now, right?18:28
notmorganstevemar: since we don't have eventlet18:28
*** michauds has joined #openstack-keystone18:33
*** su_zhang has joined #openstack-keystone18:33
*** spzala has joined #openstack-keystone18:33
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
*** gagehugo has quit IRC18:44
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
* stevemar waves to notmorgan18:45
stevemarnotmorgan: i suppose we could remove that option, i completely forgot about it18:45
*** gagehugo has joined #openstack-keystone18:45
stevemarcause it's not bundled with the regular options18:45
openstackgerritMerged openstack/keystone: Replace six iteration methods with standard ones
*** su_zhang has quit IRC18:47
stevemarnotmorgan: i imagine we could remove the pydev-debug-host options too18:49
notmorganthose we probably want to keep18:49
stevemarnotmorgan: gonna push a patch or want me to do it?18:50
notmorganstevemar: i can when I get home next week18:51
notmorgancan't really do it until then18:51
notmorganlost the cord for my laptop's power supply18:51
*** scarlisle has joined #openstack-keystone18:51
stevemarnotmorgan: hehe18:51
notmorganso, no laptop with a charge atm =/18:51
stevemarnotmorgan: that's unfortunate18:51
*** david-lyle has quit IRC18:53
notmorganstevemar: and ~1000mi from home.18:53
*** david-lyle has joined #openstack-keystone18:53
openstackgerritDoug Hellmann proposed openstack/keystone: standardize release note page ordering
stevemarlbragstad: i had the same questions about the "tests" in mfisch's docs19:01
lbragstadstevemar yeah - just curious if we want to be more explicit there/19:01
stevemarlbragstad: i am just trying to get it merged :)19:02
openstackgerritSteve Martinelli proposed openstack/keystone: New notes on advanced upgrade/fallback for cluster
stevemarlbragstad: i changed the Keystone -> keystone stuff19:03
lbragstadstevemar sweet19:03
stevemari don't know what to add for tests and i don't agree with your first and other change :P19:03
lbragstadstevemar gotcha19:03
lbragstadyeah - that was more of a minor comment19:04
lbragstadif we can figure out what we want to do about the phrasing of tests, i'm good with it19:04
*** amakarov is now known as amakarov_away19:08
*** pnavarro has quit IRC19:19
lbragstadsamueldmq have you looked at the test_user_update_own_password tests recently?19:22
lbragstadin tempest?19:23
stevemarlbragstad: i'm not sure what to write for tests19:24
lbragstadstevemar you could just replace it with a statement saying to confirm keystone it up and running properly19:27
lbragstad(really ambiguous, but...)19:27
lbragstadhow they do that is up to them19:27
lbragstadit could be through tests or manually, etc...19:27
stevemarlbragstad: i'm cool with that, want me to propose the wording?19:27
lbragstadstevemar sure - i'm sifting tempest stuff right now19:27
*** su_zhang has joined #openstack-keystone19:33
*** chrisshattuck has joined #openstack-keystone19:34
*** adrian_otto has joined #openstack-keystone19:34
*** fangxu has quit IRC19:35
*** su_zhang has quit IRC19:38
openstackgerritLance Bragstad proposed openstack/keystone: WIP: Switch fernet to be the default token provider.
lbragstadsamueldmq I don't think the latest failures with the fernet patch are due to revocation caching19:43
lbragstaddstanek ^19:43
dstaneklbragstad: errors in caching again?19:43
lbragstadi don't think so19:44
lbragstadsamueldmq ^19:44
lbragstaddstanek samueldmq checkout the three failures here -
samueldmqlbragstad: I've not looked at the test recently19:45
samueldmqlbragstad: the failure there is different than what I used to see19:45
samueldmqlbragstad: as we talked earlier, it's now failing because it doesn't find the token .. and it was the opposite at that time19:46
lbragstaddstanek samueldmq it is returning a 40419:46
lbragstadsamueldmq right - but dstanek beat caching into submission19:46
lbragstaddstanek samueldmq and now we get a 40419:46
lbragstadin this method
lbragstadwhich is trying to change a password and authenticate19:47
lbragstad(probably within the same second)19:47
lbragstadwhich means it could be hitting the revocation check (and the revocation events are working properly)19:47
*** code-R_ has quit IRC19:47
samueldmqlbragstad: hmm so maybe it was relying in the wrong behavior before ?19:49
samueldmqit is failing for other token formats too ?19:49
samueldmqor only fernet19:49
lbragstadI assume only fernet19:49
dstaneklbragstad: yeah, that would be problematic if it were in the same second19:49
dstanekwhy would this problem only appear with fernet though? if it's a revocation issue19:49
*** sdake_ has joined #openstack-keystone19:50
lbragstadbecuase fernet is granular to the second?19:50
* lbragstad dstanek that doesn't explain why this test fails though -
*** sdake has quit IRC19:52
*** slberger has quit IRC19:53
dstaneklbragstad: is that actually a fernet thing or a revocation thing?19:54
dstaneklbragstad: or are uuids only to the minute?19:55
*** slberger has joined #openstack-keystone19:55
lbragstaddstanek uuids are microsecond19:56
lbragstaddstanek the second precision with fernet is because of the spec19:56
bknudsonthere was an issue with revocation events because some version of mysql only had second-level granularity too19:56
dstaneklbragstad: ah, right19:57
dstaneki hate it when all the things are broken19:57
lbragstaddstanek ++19:58
lbragstadso i can see why tempest.api.identity.v2.test_users.IdentityUsersTest.test_user_update_own_password and tempest.api.identity.v3.test_users.IdentityUsersTest.test_user_update_own_password fail that way because the have the _restore_password method19:59
mtreinishbknudson: heh, it's most versions of mysql19:59
lbragstadbut tempest.api.identity.admin.v3.test_users.UsersV3TestJSON.test_update_user_password does not20:00
bknudsonI don't remember when that changed in mysql20:00
mtreinishbknudson: looking at it was a thing starting in 5.6.420:00
mtreinishat least for time, datetime, timestamp columns20:01
mtreinishI had to deal with that in subunit2sql at one point too20:01
bknudsonmtreinish: because it changed or because it was truncating?20:02
mtreinishbecause it was truncating on the infra server20:03
mtreinishI ended up just splitting the microseconds into a separate integer column20:03
mtreinishand gluing the pieces together in python20:04
bknudsondoes openstack say what version of mysql is supported?20:06
mtreinishThat's a good question, I don't think so. At least I've never seen it documented anywhere explicitly20:08
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
bknudsonI assume it's higher than 120:10
*** su_zhang has joined #openstack-keystone20:10
*** su_zhang has quit IRC20:18
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
*** asettle has quit IRC20:19
*** asettle has joined #openstack-keystone20:21
*** su_zhang has joined #openstack-keystone20:23
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
openstackgerritSteve Martinelli proposed openstack/keystone: New notes on advanced upgrade/fallback for cluster
*** asettle has quit IRC20:25
stevemarlbragstad: updated
openstackgerritRichard Avelar proposed openstack/keystone: POC sql query revoked tokens
*** su_zhang has quit IRC20:32
samueldmqlbragstad: back20:32
*** ravelar has quit IRC20:32
rderosestevemar: just saw your comment regarding password_expires_at20:34
*** fangxu has joined #openstack-keystone20:35
rderosestevemar: password_expires_at will be returned now for all users (SQL, LDAP...)20:35
lbragstadsamueldmq o/20:35
samueldmqlbragstad: did you get what's going on ?20:35
rderosestevemar: and in order for it to be useful, it needs to be returned in auth20:35
rderosestevemar: not changing the auth API, it includes the user object20:35
lbragstadsamueldmq partially - just kinda stepping through it with dstanek20:36
stevemarrderose: whats it return for ldap and federated users?20:36
samueldmqlbragstad: need help ?20:36
rderosejust returns password_expires_at: None20:36
stevemari see20:36
samueldmqlbragstad: let me know if you need a couple of extra eyes20:36
lbragstadsamueldmq so apparently 3 tests failed in the last run20:36
rderosestevemar: the horizon team is adding a new dialog window for this20:36
stevemarrderose: why would you need it as part of the auth request?20:37
lbragstadsamueldmq i think i understand why two of them failed20:37
stevemarthat wasn't in the commit message :)20:37
rderosestevemar: auth response20:37
lbragstadsamueldmq but i'm trying to figure out why failed20:37
rderosestevemar: true20:37
stevemarrderose: new dialog window eh20:37
stevemarrderose: any way we can bump this to O?20:37
rderosestevemar: yeah, saying it's time to change your password, 7 days left or something20:37
rderosestevemar: we could, but it's such a small change :)20:38
stevemarthat ones a bit dicey, i don't like playing around with auth so late in the game20:38
david-lylestevemar: we won't consume until O20:38
rderosestevemar: well, there you go :)20:38
stevemardavid-lyle: o/20:38
stevemardavid-lyle: thanks for confirming20:39
stevemarrderose: we cool?20:39
samueldmqlbragstad: hmm, that test failed in both v2 and v320:39
rderosestevemar: we cool!20:39
stevemar*fist bump*20:39
samueldmqlbragstad: it is present in both test suites in tempest20:39
rderosestevemar :)20:39
lbragstadsamueldmq i don't think so20:39
lbragstadsamueldmq  tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_user_update_own_password and tempest.api.identity.v2.test_users.IdentityV2UsersTest.test_user_update_own_password20:40
lbragstadboth failed but I think that is because they were doing an authenticate within the same second as a password change20:40
samueldmqdstanek: the v3 test has a sleep in there20:45
samueldmqlbragstad: ^20:45
lbragstadsamueldmq yep ]20:45
samueldmqlbragstad: so it can't be happening in the same second ?20:45
lbragstadsamueldmq right20:45
lbragstadsamueldmq that's the part that's confusing me20:45
stevemarlbragstad: i don't know what you want me to change in the upgrade doc :\20:45
stevemaroh, the title?20:46
lbragstadstevemar yeah20:46
lbragstadsamueldmq and it passes this time -
stevemarlbragstad: hmm, then it'll be the same name as another section 2 below20:47
stevemarlbragstad:  how about i break it up into single node deployment vs cluster20:47
samueldmqlbragstad: so it's intermittent :(20:47
lbragstadstevemar there's already a 'Upgrading with minimal downtime' section?20:48
samueldmqlbragstad: we should be able to add logs to keystone, and add a depends-on20:48
samueldmqlbragstad: to gather more information on why it's returning 40420:48
stevemarlbragstad: bah i can't read20:50
stevemarlbragstad: can you also quickly review and it's dependent patch20:51
openstackgerritSteve Martinelli proposed openstack/keystone: New notes on advanced upgrade/fallback for cluster
lbragstadsamueldmq yeah - not sure but it could be hitting the revocation event somehow20:51
samueldmqlbragstad: I can't see how because the revocation event includes a timestamp20:52
samueldmqlbragstad: and the test sleeps for 1 second20:52
lbragstadstevemar are we addressing breton's comment here - ?20:52
stevemarlbragstad: you mean browne's :)20:52
lbragstadsamueldmq true - what else could make that 404 though?20:53
stevemarlbragstad: no, i don't want to waste resources for a whitespace change that jenkins didn't fail :P20:53
samueldmqlbragstad: dunno need to take a better look20:53
lbragstadstevemar yep (sorry for the rogue ping breton)20:53
samueldmqlbragstad: it's a GET token, right ?20:53
lbragstadsamueldmq yeah - a show token which i think is a GET /v3/auth/tokens20:53
samueldmqlbragstad: kk20:54
stevemarsamueldmq: with the token you want to show passed in as X-Subject-Token20:55
samueldmqstevemar: and it's returned as x-subject-token too ?20:55
stevemari do believe so, i'd have to check the API20:55
stevemaruse x-auth-token for *your* token20:56
samueldmqstevemar: nvm, it's passed as x-subject-token, yes20:56
samueldmqstevemar: ++20:56
lbragstadsamueldmq stevemar
samueldmqstevemar: token to perform -> x-auth-token20:56
samueldmqtoken to validate -> subject20:56
*** mvk has joined #openstack-keystone20:58
*** harlowja_ has joined #openstack-keystone20:59
*** harlowja has quit IRC21:00
*** raildo has quit IRC21:01
*** fangxu has quit IRC21:01
*** su_zhang has joined #openstack-keystone21:03
*** javis has quit IRC21:03
*** fangxu has joined #openstack-keystone21:07
*** su_zhang has quit IRC21:08
*** pauloewerton has quit IRC21:14
*** shaleh has quit IRC21:16
*** ametts has quit IRC21:19
*** tonytan4ever has quit IRC21:27
*** ametts has joined #openstack-keystone21:31
lbragstaddstanek we don't still use itertools for iterating over dictionaries do we?21:38
lbragstadfrom six?21:38
*** adrian_otto has quit IRC21:40
*** javis has joined #openstack-keystone21:44
*** su_zhang has joined #openstack-keystone21:53
*** ametts has quit IRC21:57
*** javis has quit IRC22:01
*** fangxu has quit IRC22:04
dolphmcan someone give this a push? it's an entirely automated patch
dolphmtox -e genconfig22:06
dolphmlbragstad: i believe there were a bunch of new features in itertools in 2.7, so we used six there mostly for 2.6 <-> 2.7 compatibility, which we don't care about anymore22:07
samueldmqdolphm: done22:08
dolphmsamueldmq: thanks!22:08
samueldmqdolphm: anytime22:08
*** chrisshattuck has quit IRC22:10
*** tristanC has quit IRC22:12
*** fangxu has joined #openstack-keystone22:13
*** slberger has left #openstack-keystone22:13
*** tristanC has joined #openstack-keystone22:13
*** michauds has quit IRC22:14
*** BjoernT has quit IRC22:17
*** harlowja has joined #openstack-keystone22:18
openstackgerritRon De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
*** harlowja_ has quit IRC22:22
*** mvk has quit IRC22:23
stevemardolphm: thanks for the reviews22:25
stevemardolphm and samueldmq there are a few reviews out there by dhellmann that are ready to be merged22:26
samueldmqstevemar: will look now22:26
*** tonytan4ever has joined #openstack-keystone22:28
samueldmqstevemar: dhellmann: all approved22:30
*** ntpttr has quit IRC22:31
*** su_zhang has quit IRC22:31
*** ntpttr has joined #openstack-keystone22:31
*** tonytan4ever has quit IRC22:33
*** sdake has joined #openstack-keystone22:34
*** sdake_ has quit IRC22:36
*** mvk has joined #openstack-keystone22:37
*** BjoernT has joined #openstack-keystone22:42
*** spzala has quit IRC22:48
*** spzala has joined #openstack-keystone22:49
*** adriant has joined #openstack-keystone22:50
*** spzala has quit IRC22:53
*** sdake has quit IRC22:59
*** BjoernT has quit IRC23:01
openstackgerritMerged openstack/keystone: New notes on advanced upgrade/fallback for cluster
*** gagehugo has quit IRC23:05
openstackgerritMerged openstack/keystone: Update sample keystone.conf for Newton
*** adrian_otto has joined #openstack-keystone23:16
ayoungnotmorgan, Using the kerberos authentication plugin requires installation of additional23:17
ayoungpackages. These can be installed with::23:17
ayoung    $ pip install keystoneauth1[kerberos]23:17
ayoungwe have an RPM for  keystoneauth123:18
openstackgerritMerged openstack/keystone: standardize release note page ordering
*** asettle has joined #openstack-keystone23:22
*** ntpttr has quit IRC23:23
*** markvoelker has quit IRC23:25
*** ntpttr has joined #openstack-keystone23:28
*** asettle has quit IRC23:30
*** javis has joined #openstack-keystone23:31
openstackgerritMerged openstack/keystonemiddleware: standardize release note page ordering
openstackgerritMerged openstack/keystoneauth: standardize release note page ordering
*** shoutm has joined #openstack-keystone23:43
dstaneklbragstad: what do you need itertools for?23:44
*** shoutm has quit IRC23:46
*** BjoernT has joined #openstack-keystone23:52

Generated by 2.14.0 by Marius Gedminas - find it at!