Tuesday, 2016-09-20

*** itsuugo has quit IRC00:00
*** itsuugo has joined #openstack-keystone00:01
*** itsuugo has quit IRC00:06
*** itsuugo has joined #openstack-keystone00:07
*** guoshan has joined #openstack-keystone00:11
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for domain specific configs  https://review.openstack.org/36143500:14
*** jamielennox is now known as jamielennox|away00:14
*** itsuugo has quit IRC00:14
*** itsuugo has joined #openstack-keystone00:15
openstackgerritMerged openstack/keystone: add placeholder migrations for newton  https://review.openstack.org/37263900:22
*** markvoelker has joined #openstack-keystone00:29
*** esp has quit IRC00:30
*** roxanaghe has quit IRC00:30
*** adrian_otto has quit IRC00:33
*** bjolo__ has joined #openstack-keystone00:41
*** bjolo has quit IRC00:41
*** roxanaghe has joined #openstack-keystone00:43
*** asettle has joined #openstack-keystone00:47
*** browne has quit IRC00:48
*** itsuugo has quit IRC00:49
*** itsuugo has joined #openstack-keystone00:50
*** asettle has quit IRC00:52
*** guoshan has quit IRC00:52
*** esp has joined #openstack-keystone00:53
*** esp has quit IRC00:56
*** spzala has quit IRC01:02
*** itsuugo has quit IRC01:02
*** itsuugo has joined #openstack-keystone01:03
*** roxanaghe has quit IRC01:04
*** adriant has joined #openstack-keystone01:06
*** itsuugo has quit IRC01:13
*** itsuugo has joined #openstack-keystone01:14
*** Marcellin__ has quit IRC01:17
*** itsuugo has quit IRC01:19
*** itsuugo has joined #openstack-keystone01:20
*** guoshan has joined #openstack-keystone01:22
*** gagehugo has quit IRC01:26
*** davechen has joined #openstack-keystone01:31
*** itsuugo has quit IRC01:33
*** EinstCrazy has joined #openstack-keystone01:33
*** itsuugo has joined #openstack-keystone01:34
*** EinstCrazy has quit IRC01:37
*** itsuugo has quit IRC01:42
*** itsuugo has joined #openstack-keystone01:43
*** nkinder has joined #openstack-keystone01:43
*** dikonoor has joined #openstack-keystone01:47
*** itsuugo has quit IRC01:48
*** roxanaghe has joined #openstack-keystone01:48
*** itsuugo has joined #openstack-keystone01:48
*** roxanaghe has quit IRC01:52
*** itsuugo has quit IRC01:54
*** itsuugo has joined #openstack-keystone01:55
*** zhangjl has joined #openstack-keystone01:55
*** markvoelker has quit IRC02:02
*** markvoelker has joined #openstack-keystone02:02
openstackgerritHa Van Tu proposed openstack/keystone: Fix prameters names in Keystone API v2-ext  https://review.openstack.org/36861802:04
*** itsuugo has quit IRC02:05
*** itsuugo has joined #openstack-keystone02:06
*** sdake has quit IRC02:06
*** sdake has joined #openstack-keystone02:06
*** namnh has joined #openstack-keystone02:12
*** itsuugo has quit IRC02:12
*** itsuugo has joined #openstack-keystone02:13
*** roxanaghe has joined #openstack-keystone02:16
openstackgerritDave Chen proposed openstack/keystone: Handle the exception from creating request token properly  https://review.openstack.org/36108702:18
*** itsuugo has quit IRC02:18
*** sdake has quit IRC02:18
*** itsuugo has joined #openstack-keystone02:20
*** jamielennox|away is now known as jamielennox02:20
openstackgerritHa Van Tu proposed openstack/keystone: Refactor Keystone admin-endpoint API  https://review.openstack.org/36980802:21
*** itsuugo has quit IRC02:24
*** itsuugo has joined #openstack-keystone02:25
*** iurygregory_ has quit IRC02:25
openstackgerritHa Van Tu proposed openstack/keystone: Refactor Keystone admin-tenant API v2  https://review.openstack.org/36984902:29
openstackgerritHa Van Tu proposed openstack/keystone: Refactor Keystone admin-endpoint API  https://review.openstack.org/36980802:29
*** nkinder has quit IRC02:35
*** itsuugo has quit IRC02:38
stevemarcrinkle: o/02:39
stevemarcrinkle: apparently bluebox has a bunch of documentation for k2k http://ibm-blue-box-help.github.io/help-documentation/keystone/k2k-federation/?cm_mc_uid=15636869701514730367719&cm_mc_sid_50200000=147433642902:39
stevemari didn't know this02:39
*** roxanaghe has quit IRC02:40
*** itsuugo has joined #openstack-keystone02:41
*** davechen1 has joined #openstack-keystone02:48
*** nicolasbock has joined #openstack-keystone02:49
*** davechen has quit IRC02:51
*** itsuugo has quit IRC02:52
*** itsuugo has joined #openstack-keystone02:53
*** tqtran has quit IRC02:56
zhangjlhey stevemar02:56
zhangjli have some problem with keystone federation, could you help me ?02:56
*** woodster_ has quit IRC03:00
*** markvoelker has quit IRC03:02
*** markvoelker has joined #openstack-keystone03:02
*** spzala has joined #openstack-keystone03:02
*** david-lyle has quit IRC03:03
*** davechen has joined #openstack-keystone03:06
*** spzala has quit IRC03:07
*** itsuugo has quit IRC03:07
*** itsuugo has joined #openstack-keystone03:09
openstackgerritDave Chen proposed openstack/keystone: Fix for unindent warning in doc build  https://review.openstack.org/37279603:09
*** davechen1 has quit IRC03:09
*** gagehugo has joined #openstack-keystone03:12
stevemarzhangjl: sure, i'm off to bed soon, but let's chat, maybe someone else can jump in when i'm off03:21
zhangjli deployed keystone federation according to the http://docs.openstack.org/developer/keystone/federation/federated_identity.html and http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/03:25
zhangjlwhile, when i  test my keystone federation , i got some errors like follows:    File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 520, in post03:26
zhangjl        return self.request(url, 'POST', **kwargs)03:26
zhangjl    File "/usr/lib/python2.7/dist-packages/positional/__init__.py", line 94, in inner03:26
zhangjl        return func(*args, **kwargs)03:26
zhangjl    File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 420, in request03:26
zhangjl        raise exceptions.from_response(resp, method, url)03:26
zhangjl    keystoneauth1.exceptions.http.InternalServerError: Internal Server Error (HTTP 500)03:26
zhangjlthe detail is in the email with topic named [keystone]federation not working for me03:27
zhangjlcould you give me some advice03:28
stevemarzhangjl: i think rodrigo's blog is out of date by now03:31
zhangjlwhile, according to http://docs.openstack.org/developer/keystone/federation/federated_identity.html , the keystone federation still cannot work well...03:33
zhangjli have no idea about this question03:34
stevemarzhangjl: crinkle is trying to update some of the documentation for federation: https://review.openstack.org/#/c/371210/03:35
stevemarzhangjl: i think the very last change is helpful, around line 46003:35
zhangjlGreat!! I will try it later. Thanks for your help03:37
stevemarzhangjl: if you run into problems, leave comments in the review, maybe crinkle can add more docs :P03:38
zhangjlyes, i will do it03:38
zhangjlthank you  again03:38
*** tqtran has joined #openstack-keystone03:45
*** nicolasbock has quit IRC03:50
*** pnavarro has quit IRC03:51
*** guoshan has quit IRC03:55
*** itsuugo has quit IRC04:09
*** itsuugo has joined #openstack-keystone04:11
*** gagehugo has quit IRC04:13
*** itsuugo has quit IRC04:19
*** itsuugo has joined #openstack-keystone04:20
*** itsuugo has quit IRC04:25
*** itsuugo has joined #openstack-keystone04:27
*** itsuugo has quit IRC04:32
*** itsuugo has joined #openstack-keystone04:33
*** itsuugo has quit IRC04:38
*** itsuugo has joined #openstack-keystone04:39
*** dikonoor has quit IRC04:43
*** sdake has joined #openstack-keystone04:46
*** markvoelker has quit IRC04:46
*** dikonoor has joined #openstack-keystone04:48
*** tqtran has quit IRC04:49
*** tqtran has joined #openstack-keystone04:54
*** jaosorior has joined #openstack-keystone04:55
*** guoshan has joined #openstack-keystone04:56
*** GB21 has joined #openstack-keystone04:56
openstackgerritMerged openstack/keystone: Refactor Keystone admin-endpoint API  https://review.openstack.org/36980804:58
*** dikonoo has joined #openstack-keystone05:02
*** itsuugo has quit IRC05:03
*** dikonoor has quit IRC05:05
*** itsuugo has joined #openstack-keystone05:05
*** jaosorior has quit IRC05:09
*** jaosorior has joined #openstack-keystone05:09
crinklestevemar: awesome05:13
*** itsuugo has quit IRC05:14
*** itsuugo has joined #openstack-keystone05:15
*** dikonoor has joined #openstack-keystone05:16
*** dikonoo has quit IRC05:19
*** itsuugo has quit IRC05:20
*** itsuugo has joined #openstack-keystone05:22
*** aswadr_ has joined #openstack-keystone05:29
*** namnh has quit IRC05:38
*** namnh has joined #openstack-keystone05:38
*** richm has quit IRC05:39
*** markvoelker has joined #openstack-keystone05:47
*** itsuugo has quit IRC05:48
*** itsuugo has joined #openstack-keystone05:49
openstackgerritQiming Teng proposed openstack/keystone: Tweak api-ref doc for v3 users  https://review.openstack.org/36776705:51
*** markvoelker has quit IRC05:52
*** itsuugo has quit IRC05:54
*** itsuugo has joined #openstack-keystone05:55
*** dikonoor has quit IRC05:55
*** itsuugo has quit IRC06:02
openstackgerritQiming Teng proposed openstack/keystone: Tweak api-ref for v3 groups  https://review.openstack.org/36779306:02
*** itsuugo has joined #openstack-keystone06:03
*** itsuugo has quit IRC06:11
*** dikonoor has joined #openstack-keystone06:12
*** itsuugo has joined #openstack-keystone06:12
*** itsuugo has quit IRC06:17
*** EinstCrazy has joined #openstack-keystone06:18
*** itsuugo has joined #openstack-keystone06:19
davechenzhangjl: Here is how I setup K-K with the latest version,  some issues I hit and how it fixed hope it helps!  - http://blog.csdn.net/chenwei8280/article/details/4956096306:22
*** adriant has quit IRC06:27
zhangjli will try it later06:27
*** itsuugo has quit IRC06:31
*** itsuugo has joined #openstack-keystone06:32
*** itsuugo has quit IRC06:44
*** itsuugo has joined #openstack-keystone06:45
*** markvoelker has joined #openstack-keystone06:48
*** itsuugo has quit IRC06:50
*** itsuugo has joined #openstack-keystone06:50
*** pcaruana has joined #openstack-keystone06:50
*** markvoelker has quit IRC06:52
*** bjolo__ is now known as bjolo06:53
*** itsuugo has quit IRC06:59
*** tqtran has quit IRC07:00
*** itsuugo has joined #openstack-keystone07:00
*** itsuugo has quit IRC07:11
*** itsuugo has joined #openstack-keystone07:12
*** chlong has quit IRC07:14
*** namnh has quit IRC07:16
*** rcernin has joined #openstack-keystone07:19
*** itsuugo has quit IRC07:24
*** itsuugo has joined #openstack-keystone07:25
*** itsuugo has quit IRC07:30
*** itsuugo has joined #openstack-keystone07:31
*** jpena|off is now known as jpena07:36
*** amoralej|off is now known as amoralej07:38
openstackgerritMerged openstack/keystone: Refactor Keystone admin-tenant API v2  https://review.openstack.org/36984907:40
*** jgrassler has joined #openstack-keystone07:43
openstackgerritHa Van Tu proposed openstack/keystone: Refactor Keystone admin-tokens and admin-users v2  https://review.openstack.org/36988307:45
jgrasslerGood morning.07:48
*** markvoelker has joined #openstack-keystone07:49
jgrasslerWhat's the best way to list roles in a domain (or even better, retrieve a role in that domain by name if there's a mechanism for that)?07:49
jgrasslerkeystoneclient.v3.roles.RoleManager.list() does not appear to do the trick: it takes a `domain` argument07:49
jgrasslerbut only returns roles with domain=None.07:49
jgrasslerhttps://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/role.py#L241 appears to indicate it is deprecated, but is not really clear about what the correct way to go about it is.07:52
*** EinstCrazy has quit IRC07:53
*** markvoelker has quit IRC07:53
*** guoshan has quit IRC07:54
*** itsuugo has quit IRC07:54
*** guoshan has joined #openstack-keystone07:54
*** itsuugo has joined #openstack-keystone07:55
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** acoles_ is now known as acoles08:01
*** itsuugo has quit IRC08:02
*** itsuugo has joined #openstack-keystone08:03
*** zhangjl1 has joined #openstack-keystone08:10
*** jlwhite has quit IRC08:11
openstackgerritHa Van Tu proposed openstack/keystone: Fix prameters names in Keystone API v2-ext  https://review.openstack.org/36861808:12
*** zhangjl has quit IRC08:13
*** jlwhite has joined #openstack-keystone08:14
*** mvk has quit IRC08:25
*** bradjones has quit IRC08:33
*** asettle has joined #openstack-keystone08:35
*** bradjones has joined #openstack-keystone08:36
*** bradjones has quit IRC08:36
*** bradjones has joined #openstack-keystone08:36
*** itsuugo has quit IRC08:36
*** itsuugo has joined #openstack-keystone08:39
*** zhangjl1 has quit IRC08:45
*** zhangjl has joined #openstack-keystone08:45
*** markvoelker has joined #openstack-keystone08:50
*** markvoelker has quit IRC08:54
*** __vaishali__ has joined #openstack-keystone08:58
*** mvk has joined #openstack-keystone09:02
*** nk2527_ has joined #openstack-keystone09:04
*** nk2527 has quit IRC09:04
*** xenogear has quit IRC09:04
*** xenogear has joined #openstack-keystone09:04
*** itsuugo has quit IRC09:10
*** itsuugo has joined #openstack-keystone09:11
*** xenogear has quit IRC09:12
*** nk2527_ has quit IRC09:12
*** code-R has joined #openstack-keystone09:15
*** pjm6 has joined #openstack-keystone09:22
*** code-R_ has joined #openstack-keystone09:23
*** itsuugo has quit IRC09:24
*** itsuugo has joined #openstack-keystone09:26
*** code-R has quit IRC09:26
*** xenogear has joined #openstack-keystone09:29
openstackgerritHa Van Tu proposed openstack/keystone: Fix prameters names in Keystone API v2-ext  https://review.openstack.org/36861809:30
*** nk2527 has joined #openstack-keystone09:30
*** zhangjl has quit IRC09:40
*** itsuugo has quit IRC09:41
*** itsuugo has joined #openstack-keystone09:42
*** namnh has joined #openstack-keystone09:43
openstackgerritMerged openstack/keystone: Fix for unindent warning in doc build  https://review.openstack.org/37279609:45
*** freerunner has quit IRC09:52
*** freerunner has joined #openstack-keystone09:52
*** itsuugo has quit IRC10:00
*** itsuugo has joined #openstack-keystone10:01
*** guoshan has quit IRC10:05
*** richm1 has joined #openstack-keystone10:11
*** zhangjl has joined #openstack-keystone10:11
*** zhangjl has left #openstack-keystone10:12
*** davechen has left #openstack-keystone10:17
*** ntpttr has quit IRC10:31
*** nicolasbock has joined #openstack-keystone10:33
*** mvk has quit IRC10:33
*** mvk has joined #openstack-keystone10:35
*** jaosorior is now known as jaosorior_lunch10:37
*** __vaishali__ has quit IRC10:38
*** ntpttr has joined #openstack-keystone10:39
*** dikonoor has quit IRC10:39
*** rodrigods has quit IRC10:41
*** rodrigods has joined #openstack-keystone10:41
*** __vaishali__ has joined #openstack-keystone10:42
*** itsuugo has quit IRC10:47
*** itsuugo has joined #openstack-keystone10:48
*** dikonoor has joined #openstack-keystone10:53
*** itsuugo has quit IRC10:58
*** itsuugo has joined #openstack-keystone11:01
*** jaosorior_lunch is now known as jaosorior11:03
*** guoshan has joined #openstack-keystone11:06
*** code-R_ has quit IRC11:06
*** EinstCrazy has joined #openstack-keystone11:09
*** __vaishali__ has quit IRC11:10
*** code-R has joined #openstack-keystone11:11
*** __vaishali__ has joined #openstack-keystone11:13
*** itsuugo has quit IRC11:18
*** itsuugo has joined #openstack-keystone11:19
*** dikonoo has joined #openstack-keystone11:21
*** dikonoor has quit IRC11:22
*** dikonoo has quit IRC11:26
*** zhangjl has joined #openstack-keystone11:27
*** zhangjl has left #openstack-keystone11:29
*** code-R has quit IRC11:31
*** dikonoo has joined #openstack-keystone11:33
*** spzala has joined #openstack-keystone11:34
*** itsuugo has quit IRC11:37
*** itsuugo has joined #openstack-keystone11:38
*** raildo has joined #openstack-keystone11:38
*** code-R has joined #openstack-keystone11:40
*** jpena is now known as jpena|lunch11:44
*** guoshan has quit IRC11:44
*** guoshan has joined #openstack-keystone11:45
*** __vaishali__ has quit IRC11:47
jamielennoxstevemar: i think i'm going to try and sleep through tomorrows meeting, but if you don't have any volunteers remind me tomorrow and i'll look into the ksc gate11:52
*** guoshan has quit IRC11:54
*** itsuugo has quit IRC11:54
*** guoshan has joined #openstack-keystone11:55
*** GB21 has quit IRC11:55
*** itsuugo has joined #openstack-keystone11:56
*** xiaoyang has joined #openstack-keystone11:58
xiaoyanghow to use redis?11:58
*** namnh has quit IRC11:59
*** mvk has quit IRC12:00
*** mvk has joined #openstack-keystone12:04
*** itsuugo has quit IRC12:06
*** itsuugo has joined #openstack-keystone12:07
*** namnh has joined #openstack-keystone12:08
*** vaishali has joined #openstack-keystone12:08
*** marekd2 has joined #openstack-keystone12:08
*** nkinder has joined #openstack-keystone12:09
dstanekxiaoyang: what do you mean?12:10
raildojamielennox, ping, are you around?12:10
raildojamielennox, about the v3-gate issue on neutron12:11
jamielennoxraildo: briefly, was just unlocking some stuff before bed12:11
*** edmondsw has joined #openstack-keystone12:12
raildojamielennox, so have good night, we can talk when you wake up :) it's not urgent12:12
jamielennoxthat's ok - hit me12:12
* dstanek ducks as raildo winds up12:13
raildodstanek, haha12:13
raildojamielennox, so, I kind of find the issue: https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/swift/connection_manager.py#L147-L15912:13
raildothe problem is an error when glance try to find the swift endpoint using keystone v312:13
jamielennoxraildo: ew, yea, i've seen the glance/swift connection before - that's worse than i remember12:13
jamielennoxso i mean the parameters to that are right12:15
jamielennoxit's just not many things need to extract the url like that12:15
raildojamielennox, yes... I'm investigating know if we needed swift in the previous job, and why this only breaks now, since this job is running for almost a year12:15
jamielennoxraildo: i'm guessing it's probably a config change12:16
jamielennoxraildo: something that the glance/swift people put into devstack without actually thinking about keystone v312:16
raildojamiec, in march, we had this change on this code: https://github.com/openstack/glance_store/commit/fb77cb73c5daa9f78dbf13d9c943c91f92ba029812:16
raildojamielennox, ^12:17
jamielennoxraildo: that doesn't make much sense12:18
jamielennoxthat function should work regardless of version12:18
raildojamielennox, ++12:18
raildojamielennox, we should be using session here?12:18
jamielennoxraildo: well, always - but for some of these projects it's like banging your head against a wall12:19
jamielennoxi found particularly with the glance_store library to fix it properly would mean changing their plugin api12:19
raildojamielennox, yes, I have this patch to make glance use session: https://review.openstack.org/#/c/324100/12:20
raildojamielennox, but it's almost impossible to make this right :(12:20
*** asettle has quit IRC12:21
raildojamielennox, ok, I'll take a look deeper and see what we can do. thanks for your time, sir12:21
raildohave a good night :)12:21
*** asettle has joined #openstack-keystone12:21
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848812:22
*** markvoelker has joined #openstack-keystone12:24
jamielennoxraildo: yea, i have looked at glance before and it would require an almost complete rewrite of that internal client layer they have12:26
jamielennoxraildo: which they might even accept - i just don't want to do that12:26
*** asettle has quit IRC12:26
raildojamielennox, agreed, they talk about keystone v1 on that...12:26
jamielennoxraildo: i am not spending as much time upstream at the moment but i will help out on this stuff hoewver i can12:27
jamielennoxraildo: yea, swift talks about v1 as well, they made a plugin12:27
raildojamielennox, I appreciate that12:27
jamielennoxlike ok - why?12:27
*** spzala has quit IRC12:28
raildojamielennox, we need just remove it, not add more complexity on this code12:29
jamielennoxyea, but people are really unhappy when you try and replace their http layer12:29
jamielennoxit's crap - but it's been consistently crap for the last 3 years12:29
*** ayoung has quit IRC12:30
*** amoralej is now known as amoralej|lunch12:30
raildojamielennox, better definition ever!12:31
jamielennoxanyway, i support just patching glance to do v3password for now, it'd be better to do the whole plugin loading thing but we just need to keep v3 working and default12:32
jamielennoxif you see a way to transition it properly over to keystoneauth i'll definetly chip in and help12:32
jamielennoxand i don't see anything that saves us from swiftclient12:32
jamielennoxi've tried a few times12:33
*** guoshan has quit IRC12:34
*** mvk has quit IRC12:45
*** mvk has joined #openstack-keystone12:46
*** jpena|lunch is now known as jpena12:46
*** guoshan has joined #openstack-keystone12:49
*** asettle has joined #openstack-keystone12:55
*** david-lyle has joined #openstack-keystone12:56
*** wasmum has quit IRC12:58
*** markd__ has joined #openstack-keystone13:07
*** markd__ has quit IRC13:08
*** jaosorior has quit IRC13:09
*** jaosorior has joined #openstack-keystone13:10
*** spzala has joined #openstack-keystone13:11
*** spzala has quit IRC13:11
*** spzala has joined #openstack-keystone13:11
*** breton has quit IRC13:12
*** sdake has quit IRC13:17
*** namnh has quit IRC13:17
*** breton has joined #openstack-keystone13:20
*** amoralej|lunch is now known as amoralej13:29
*** avozza has joined #openstack-keystone13:31
*** acoles has quit IRC13:32
*** openstackstatus has joined #openstack-keystone13:36
*** ChanServ sets mode: +v openstackstatus13:36
*** vaishali has quit IRC13:37
*** r-daneel has joined #openstack-keystone13:38
*** guoshan has quit IRC13:41
*** guoshan has joined #openstack-keystone13:43
-openstackstatus- NOTICE: OpenStack Infra now has a Twitter bot, follow it at https://twitter.com/openstackinfra13:43
edmondswstevemar any idea why the last keystonemiddleware release on openstack-announce was 4.0.0 when github shows we're up to 4.9.0?13:47
stevemaredmondsw: link?13:47
stevemaredmondsw: that makes no sense13:47
edmondswtry to find a newer one13:47
edmondswthat's the latest I can find13:47
edmondswstevemar looking at the content of that announce, it says "Changes in keystonemiddleware 3.0.0..4.0.0"13:48
edmondswmakes me think we're only announcing major versions?13:48
*** sdake has joined #openstack-keystone13:49
stevemaroh thats from december of last year13:49
edmondswI was trying to find when 4.9.0 was released, and... well, I'm not sure where to look since it wasn't announced13:50
*** guoshan has quit IRC13:53
stevemaredmondsw: lemme see13:53
edmondswty sir13:53
stevemaredmondsw: https://github.com/openstack/releases/blob/master/deliverables/newton/keystonemiddleware.yaml#L413:54
stevemartheres your issue13:54
stevemaredmondsw: http://lists.openstack.org/pipermail/openstack-dev/2016-August/thread.html13:54
edmondswyep... that's wrong, though, isn't it? Shouldn't these go on openstack-announce?13:55
*** spilla has joined #openstack-keystone13:55
stevemaredmondsw: ksc is going to announce, but ksm and ksa are going to -dev13:56
*** gagehugo has joined #openstack-keystone13:56
stevemardhellmann: whats the correct behaviour here? ^13:57
*** guoshan has joined #openstack-keystone13:57
dhellmannstevemar : projects consumed by deployers or end users should send to -announce, others to -dev13:57
dhellmannstevemar : http://git.openstack.org/cgit/openstack/releases/tree/README.rst#n19513:58
knikollamorning o/13:59
*** pauloewerton has joined #openstack-keystone13:59
*** markvoelker has quit IRC14:02
*** bjolo is now known as bjolo_afk14:02
lbragstaddstanek ping14:03
dstaneklbragstad: pong14:03
lbragstaddstanek have a minute to visit about https://review.openstack.org/#/c/372655/114:03
*** guoshan has quit IRC14:03
stevemaredmondsw: sounds like middleware, auth and client should all go to announce :\14:05
dstaneklbragstad: sure14:06
*** shaynek has joined #openstack-keystone14:06
*** lamt has joined #openstack-keystone14:07
lbragstaddstanek so I think I got most of the sql errors I was seeing squared away14:07
lbragstaddstanek the failures that looked like this - http://cdn.pasteraw.com/6ewowxka9jp92sok44x2kfqlagqqecl14:08
lbragstadso now there are only a couple failures left - 4 are kvs related and one it trust related that I can probably fix14:08
shaynekHi all, could anyone please help me to answer the question in this bug: https://bugs.launchpad.net/python-keystoneclient/+bug/150837414:09
openstackLaunchpad bug 1508374 in python-keystoneclient "using session construct client will miss service_catalog property" [Medium,In progress] - Assigned to Mikhail Nikolaenko (mnikolaenko)14:09
*** markvoelker has joined #openstack-keystone14:09
*** sdake_ has joined #openstack-keystone14:09
lbragstadthe kvs ones are failing because we actually trying to create things in the backend prior to the test14:09
lbragstaddstanek which is here - https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/token/test_backends.py#L463-L47314:09
lbragstaddstanek you can see that the _create_test_data method is only creating dummy values but never actually creating entities in the backend14:10
lbragstadwhich is why my patch was failing because it tries to rebuild the token from scratch14:11
*** sdake has quit IRC14:11
lbragstadso - I guess my question is does the TokenCacheInvalidation test class make sense anymore since it's pretty similar to test_auth.py14:12
*** woodster_ has joined #openstack-keystone14:12
dstaneklbragstad: i'd be happy just create the real data in the test methods and getting rid of that14:14
dstaneklbragstad: unless there is a lot of test methods to be changed. then there should be a new test class with common setup14:14
lbragstaddstanek right now that only consists of a few tests14:14
lbragstadbut it's run against a bunch of backends14:14
dstaneklbragstad: that class definitely needs to be fixed or replaced now that we need the real data in the backends14:14
*** ayoung has joined #openstack-keystone14:15
*** ChanServ sets mode: +v ayoung14:15
*** rob_d has joined #openstack-keystone14:15
lbragstaddstanek right - we were able to write it like that before because the uuid provider never validated any of that information14:15
lbragstaddstanek but we apparently run these tests against kvs, too14:16
lbragstadand those fail because we can't really write to them14:16
dstaneklbragstad: why not?14:16
dstanekwhat kvs is left?14:16
lbragstaddstanek http://cdn.pasteraw.com/onfbtt5dfccdv4t08dezf06kiqxyznz14:16
lbragstadactually - here is the entire list but you can ignore the sql failures since I already fixed those http://logs.openstack.org/55/372655/1/check/gate-keystone-python27-db-ubuntu-xenial/15d3627/testr_results.html.gz14:17
dstaneklbragstad: so can't find default domain is weird. is that not created by the common setup?14:18
lbragstaddstanek from somewhere in this chain it should be https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/test_backend_sql.py#L5114:20
rob_d...a sys admin is trying WebSSO on Mitaka (works great), having problems with retrieving role assignments in services like murano+sahara.. ok to patch keystone with https://review.openstack.org/#/c/284943/63 ? thanks all14:20
rodrigodsstevemar, did the last recheck today as last attempt of something be wonky in the infra14:20
rodrigodsstevemar, will try to run them locally to check what's going on14:21
stevemarrodrigods: cool, it was an announcement for everyone on the team, but you and i have been rechecking ;)14:21
edmondswstevemar, so followup question... any idea when the next release of keystonemiddleware will be?14:22
rodrigodsstevemar, sure :)14:22
stevemaredmondsw: i'm tempted to say the release announcements are correct as-is :(14:22
stevemaredmondsw: i didn't think anything merged that was significant enough to release?14:22
dstaneklbragstad: have you been able to figure out why the domain isn't being created?14:22
stevemaredmondsw: i think maybe 2 or 3 things merged?14:22
lbragstaddstanek I haven't14:23
edmondswstevemar I'm specifically waiting on the translation enablement, though I doubt things have actually been translated anyway14:23
lbragstaddstanek but the error surprised me because it was at first buried in sql errors before I fixed them and I didn't think we supported kvs anymore14:23
edmondswstevemar, but you think announcing ksm and ksa to dev is correct now?14:23
stevemaredmondsw: https://github.com/openstack/keystonemiddleware/compare/4.9.0...master yeah, divyas change is the only one14:24
*** spedione|AWAY is now known as spedione14:24
edmondswmaybe ksm, but ksa is consumed by end users, surely14:24
stevemaredmondsw: i mean, i could release it, but do you mind waiting til we have more in the release?14:25
edmondswno, I don't mind waiting, just wondered what the plan was14:25
*** Guest14517 is now known as med_14:26
*** med_ has quit IRC14:26
*** med_ has joined #openstack-keystone14:26
*** adrian_otto has joined #openstack-keystone14:26
*** chrisshattuck has joined #openstack-keystone14:30
stevemaredmondsw: i think jamielennox has a few more patches he wants to land, so i'll wait for those to merge, if anything i'll release if it's more than 4-6 weeks has gone by14:31
edmondswsounds good, tx14:31
*** BjoernT has joined #openstack-keystone14:33
*** spedione is now known as spedione|AWAY14:34
stevemaredmondsw: back to the -dev or -announce thing14:35
stevemaredmondsw: i can see an argument for both...14:35
*** ravelar has joined #openstack-keystone14:36
edmondswksm is probably just openstack-dev... I think that makes sense14:36
stevemaredmondsw: you were looking for ksm in -announce :)14:36
edmondswyeah... I didn't realize we split some things into openstack-dev until dhellman's explanation above... which makes sense, I guess14:37
edmondswso I won't argue that14:37
edmondswbut you said ksa is also going to openstack-dev, and that seems wrong14:37
*** afred312 has quit IRC14:37
edmondswan enduser would need ksa to script to our APIs14:37
*** jaugustine has joined #openstack-keystone14:38
*** acoles has joined #openstack-keystone14:40
stevemaredmondsw: i would think ksm should go to announce to then14:40
stevemarthe upgrade changes that ksm and ksa have are impactful for the end users, than dev i would think14:41
edmondswyour call14:41
*** adrian_otto has quit IRC14:48
*** chrisshattuck has quit IRC14:49
*** shaynek has quit IRC14:52
*** slberger has joined #openstack-keystone14:55
*** adrian_otto has joined #openstack-keystone14:56
*** adrian_otto has quit IRC14:57
*** edtubill has joined #openstack-keystone14:57
*** spedione|AWAY is now known as spedione14:58
*** dikonoo has quit IRC14:59
*** chrisshattuck has joined #openstack-keystone14:59
stevemaredmondsw: i don't think it's *my* call :P15:01
edmondswwell, it's probably not mine :P15:02
*** slberger has quit IRC15:02
mfischstevemar: dstanek so far so good in my virtual environment over night, deploying to lab environment in about an hour15:02
mfischwill let you kno15:02
*** slberger has joined #openstack-keystone15:03
*** nk2527 has quit IRC15:05
edmondswstevemar, ask mfisch what he thinks... there's a deployer / end-user for you :)15:05
mfischso whats the question?15:06
edmondswwhether keystonemiddleware and keystoneauth should be announced on openstack-dev or openstack-announce15:06
edmondswopenstack-dev is where internal things are announced, whereas things that deployers / end-users care about should be announced on openstack-announce15:07
dstanekmfisch: great, thanks15:07
*** avozza has quit IRC15:09
mfischedmondsw: personally its fine to get them but I also dont care15:09
mfischunless there's some major bug I need to be fixed15:10
mfischwe don't upgrade middleware generally, its part of a holisitic service, like neutron or nova15:10
stevemarmfisch: you track both -announce and the [release] tag in -dev? i assume?15:10
mfischI think only announce15:10
mfischfor dev I track keystone, trove, and puppet15:11
mfischand maybe 1-2 others15:11
*** roxanaghe has joined #openstack-keystone15:22
*** slberger has quit IRC15:32
ayoungstevemar, checkout the new nova default policy file.  It looks like this15:34
stevemarayoung: they've had it like that for a while i thought?15:34
stevemarayoung: ever since they landed the one that alaski worked on, to generate it from code15:35
*** tung_doan has joined #openstack-keystone15:35
*** slberger has joined #openstack-keystone15:35
ayoungstevemar, yeah, but I only just looked at it.  And now everyone that customizes policy has to go and look for the tool to generate the default rules.  SHould have at least put a comment in there how to do that.15:35
stevemarayoung: yay for json and not allowing comments :)15:36
stevemarayoung: https://github.com/openstack/nova/blob/master/tox.ini#L60-L6115:36
stevemarthey treat it like they do the sample config file15:36
stevemarreasonable defaults, and if you want to customize, generate the file and tweak it15:36
stevemari don't know if i agree with that, but it's what they've decided15:37
bknudsonI was supposed to add support for yaml policy files but got reassigned so didn't work on it.15:37
*** roxanaghe has quit IRC15:37
ayoungstevemar, "comment" : "to generate the rulesfile run the command oslopolicy-policy-generator --namespace nova --output-file policy.json"  is valid json15:38
stevemarayoung: true15:39
stevemarayoung: propose it :)15:39
ayoungstevemar, I alrayd have afull page of rejected reviews.  Not going to add to it until I do some house keeping15:39
stevemardo no nova peeps hang out in keystone?15:40
stevemarmr<tab> fail, sd<tab> fail15:40
*** jaosorior has quit IRC15:40
ayoungstevemar, I already talked with the nova guys about it.  They are the ones that gave me the policy gen commands.15:43
ayoungright now I am just trying to figure out a plan to manage policy dynamically so we can, eventually, get to a sane policy approach across the services15:44
bknudsonkeystone just works so other devs haven't felt the need to join15:44
stevemarbknudson: that's not the opinion of some folks :P15:44
*** ezpz_ has joined #openstack-keystone15:49
*** ezpz_ is now known as ezpz15:49
*** EinstCrazy has quit IRC15:50
lbragstadshould https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/test_v3_trust.py#L243 be the inverse?15:53
*** adrian_otto has joined #openstack-keystone15:54
*** mvk has quit IRC15:55
*** Marcellin__ has joined #openstack-keystone15:58
*** gyee has joined #openstack-keystone15:58
*** roxanaghe has joined #openstack-keystone16:03
*** code-R has quit IRC16:05
*** code-R has joined #openstack-keystone16:06
*** code-R has quit IRC16:07
*** roxanaghe has quit IRC16:08
*** browne has joined #openstack-keystone16:08
*** marekd2 has quit IRC16:16
*** marekd2 has joined #openstack-keystone16:16
*** marekd2_ has joined #openstack-keystone16:19
*** marekd2 has quit IRC16:19
*** marekd2_ has quit IRC16:20
*** avozza has joined #openstack-keystone16:23
openstackgerritLance Bragstad proposed openstack/keystone: Ensure all v2.0 tokens are validated the same way  https://review.openstack.org/37265516:24
openstackgerritLance Bragstad proposed openstack/keystone: Make sure all v3 tokens are validated the same way  https://review.openstack.org/37108316:24
lbragstaddstanek dolphm y'all were right - just needed to populate the data for the kvs tests ^16:24
rodrigodsanyone has a fresh devstack deployment handy?16:24
rodrigodsi want to confirm something16:24
rderoserodrigods: how fresh?16:25
rderoserodrigods: mine's yesterday16:25
rodrigodsrderose, hmm should be good enough16:25
rodrigodsrderose, can you try https://adam.younglogic.com/2013/09/keystone-v3-api-examples/ ?16:25
rodrigodsrderose, get a token like that, and then fetch the domains list16:25
rderosesure, give me a few16:26
rderoserodrigods: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}16:32
rodrigodsrderose, same here16:32
rodrigodsrderose, i guess we have a bug16:32
rderosehmm... yeah16:32
rodrigodsstevemar, ^ the reason ksc tests are failing16:32
dstaneklbragstad: if you can limit the data created to only what you actually use in the tests16:33
*** code-R has joined #openstack-keystone16:35
lbragstaddstanek ah - good point16:36
lbragstadi think there the only thing that matters is that a default domain exists16:36
*** code-R_ has joined #openstack-keystone16:36
*** code-R has quit IRC16:40
lbragstaddstanek actually - it looks like load_fixtures creates everything we need, so I should be able to reuse most of that instead16:41
*** asettle has quit IRC16:41
*** asettle has joined #openstack-keystone16:42
rderoserodrigods: sorry, put in the wrong password16:43
rderoserodrigods: this did work16:43
rderoserodrigods: actually...16:44
rderosehold on16:44
rderoserodrigods: nope, confirmed doesn't work: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}16:45
rodrigodsrderose, here i've did ". openrc admin admin", then 'openstack token issue' and it worked16:46
*** asettle has quit IRC16:47
rderosecurl -si -H"X-Auth-Token:9880b87020fd4a14920779aea80c3ec3" -H "Content-type: application/json" http://localhost:35357/v3/domains16:47
rderoserodrigods: ^ okay, this worked16:48
*** ravelar has quit IRC16:48
rodrigodsrderose, so the error was in the syntax after all :)16:48
rderoseyeah, looks like it :)16:49
*** ravelar has joined #openstack-keystone16:52
*** gyee_ has joined #openstack-keystone16:53
*** roxanaghe has joined #openstack-keystone16:53
*** mvk has joined #openstack-keystone16:55
*** rcernin has quit IRC16:55
*** ravelar has quit IRC16:55
*** EinstCrazy has joined #openstack-keystone16:56
*** adrian_otto has quit IRC16:56
*** gyee has quit IRC16:57
*** itsuugo has quit IRC17:02
*** BjoernT has quit IRC17:02
*** itsuugo has joined #openstack-keystone17:03
*** tung_doan has quit IRC17:04
*** jpena is now known as jpena|off17:06
*** pcaruana has quit IRC17:14
*** amoralej is now known as amoralej|off17:17
openstackgerritLance Bragstad proposed openstack/keystone: Ensure all v2.0 tokens are validated the same way  https://review.openstack.org/37265517:17
*** gagehugo has quit IRC17:19
*** gagehugo has joined #openstack-keystone17:20
lbragstaddstanek cleaned up by using the existing data that's created by load_fixtures instead of creating new stuff ^17:26
*** gyee_ has quit IRC17:28
rodrigodsdstanek, hmm think something is odd in the cache17:34
dstanekrodrigods: ?17:34
rodrigodsdstanek, to delete a domain we need to disable it first and sometimes the deletion fails because the domains was still enabled17:34
rodrigodsbut not really17:35
rodrigodsit has been disabled first17:35
dstanekinternal checks like that should not be using cached data. sounds like a bug17:35
*** code-R_ has quit IRC17:36
*** itsuugo has quit IRC17:36
rodrigodsdstanek, pasting the logs here17:37
rodrigodsdstanek, http://paste.openstack.org/raw/582290/17:38
*** itsuugo has joined #openstack-keystone17:38
openstackgerritMerged openstack/keystone: Fix prameters names in Keystone API v2-ext  https://review.openstack.org/36861817:40
rodrigodsdstanek, the error is also intermittent, sometimes the error is due authorization not being granted, i think it is related to cache too17:40
dstanekrodrigods: so the 'delete_domain' manager method gets the domain directly from the driver - so it is not getting cached data17:41
*** acoles is now known as acoles_17:42
*** shaleh has joined #openstack-keystone17:43
rodrigodsdstanek, yeah, saw that... cache was the first guess when i saw the logs17:44
*** itsuugo has quit IRC17:45
*** itsuugo has joined #openstack-keystone17:46
*** tqtran has joined #openstack-keystone17:47
*** asettle has joined #openstack-keystone17:49
shalehdstanek, rodrigods: have you hammered out an understanding regarding my review 339558?17:50
rodrigodsshaleh, dstanek one sec17:52
rodrigodsshaleh, dstanek changed the score, not approving since i still think that would be better doing something as suggested17:53
shalehrodrigods: why? explicit versus implicit is a tenant of Python coding. Hiding the assert buries the test.17:53
rodrigodsshaleh, "hiding" was a suggestion to not redo the setup in test_put()17:54
shalehBut why are you opposed to the explicit, specific set up of the implied role?17:55
*** nk2527 has joined #openstack-keystone17:55
rodrigodsshaleh, we do something similar in ksc functional tests, the difference is that we redo the setup in the test for the create action17:55
shalehThe truly common things like roles and users are being done in setUp()17:55
shalehtrue. But as dstanek pointed out, the attempt at being overly DRY is leading to wasted code which slows down the test suite.17:57
dstanekrodrigods: hopefully you won't be dissapointed, but i have been and have plans to continue making our tests more like this17:57
shalehWhen C derives from B derives from A and all of the setUp()s are creating things there is wasted effort17:58
rodrigodsdstanek, i saw some of the changes in this direction17:58
rodrigodsdstanek, i really like them, but it is exactly the same call in the setup for this test and i don't think we use inheritance there17:59
openstackgerritAndrew Laski proposed openstack/oslo.policy: Perform basic checks on policy definitions  https://review.openstack.org/37349117:59
*** adrian_otto has joined #openstack-keystone18:04
*** adrian_otto has quit IRC18:08
*** acoles_ is now known as acoles18:12
*** code-R has joined #openstack-keystone18:13
*** code-R has quit IRC18:14
*** chrisshattuck has quit IRC18:16
*** aswadr_ has quit IRC18:22
*** NishaYadav has joined #openstack-keystone18:22
*** NishaYadav is now known as Guest2943618:22
*** Guest29436 has quit IRC18:25
*** nisha_ has joined #openstack-keystone18:25
*** asettle has quit IRC18:25
*** ravelar has joined #openstack-keystone18:28
*** adrian_otto has joined #openstack-keystone18:35
*** acoles is now known as acoles_18:40
*** itsuugo has quit IRC18:49
*** sdake_ is now known as sdake18:50
*** itsuugo has joined #openstack-keystone18:51
*** chrisshattuck has joined #openstack-keystone18:52
openstackgerritAlexander Makarov proposed openstack/keystone: Verbose 401/403 debug responses  https://review.openstack.org/37243318:59
*** markvoelker has quit IRC19:03
dstanekrodrigods: a wise man once said, "setting up something for failure works now, but eventually fails"19:03
dstanekrodrigods: besides i'd just have to clean it up in my next round of test fixes19:03
shaleh339558 now needs a final +A. Does someone have time to kick it?19:05
rodrigodsdstanek, ++19:05
*** markvoelker has joined #openstack-keystone19:07
*** shaleh is now known as shaleh|away19:07
knikollaso, what will be the new scope of the service providers change? what i got out from the meeting is that there is a desire to also remove the sp information from the catalog in the token.19:07
knikollaalongside all the client changes that that will require.19:08
*** itsuugo has quit IRC19:12
*** nisha_ has quit IRC19:13
*** itsuugo has joined #openstack-keystone19:14
*** gagehugo has quit IRC19:17
*** gagehugo has joined #openstack-keystone19:18
*** itsuugo has quit IRC19:28
*** itsuugo has joined #openstack-keystone19:29
*** mfisch has quit IRC19:32
*** mfisch has joined #openstack-keystone19:33
*** mfisch has quit IRC19:33
*** mfisch has joined #openstack-keystone19:33
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848819:33
*** itsuugo has quit IRC19:36
*** shaleh|away is now known as shaleh19:37
*** itsuugo has joined #openstack-keystone19:37
*** itsuugo has quit IRC19:44
*** itsuugo has joined #openstack-keystone19:45
*** avozza has quit IRC19:50
*** slberger has quit IRC19:54
*** slberger has joined #openstack-keystone19:55
*** EinstCrazy has quit IRC19:56
*** itsuugo has quit IRC20:01
*** adrian_otto has quit IRC20:02
*** itsuugo has joined #openstack-keystone20:03
openstackgerritRichard Avelar proposed openstack/keystone: POC sql query revoked tokens  https://review.openstack.org/35937120:04
*** mdurrant has joined #openstack-keystone20:04
*** nk2527 has quit IRC20:05
openstackgerritSamuel Pilla proposed openstack/keystone: Domain included for role in list_role_assignment  https://review.openstack.org/37351620:08
*** ravelar has quit IRC20:13
dstanekknikolla: i would think that first we create a usable API to get the information and then fix clients to start using it from there instead of the catalog and then deprecated the entries in the catalog20:15
dstanekthey probably have to stay in the catalog for quite some time unless we use a config option or something to remove them20:16
knikolladstanek: sure.20:16
knikolladstanek: would the api be of the form OS-EXT?20:16
dstaneki personally don't like that extension style of APIs. i'd rather it just be a first class API like anything else.20:17
nicolasbockHi! I am trying to understand domains in keystone. From the Security Guide for example I read that 'Domains are high-level containers for projects, users and groups'20:18
nicolasbockHow should I interpret that statement?20:18
nicolasbockAre domains a superclass of projects?20:18
nicolasbockI mean, is there a hierarchy in which domains are at the top, and projects live underneath them?20:19
dstaneknicolasbock: more or less yes20:19
knikolladstanek: what relation would it have to /v3/OS-FEDERATION/service_providers?20:19
nicolasbockdstanek, then does the 'Default' domain have any special meaning?20:19
nicolasbockor is it hierarchically speaking equivalent to other domains20:20
dstaneknicolasbock: it's used by v2 because that version is not API aware20:20
dstaneksometimes admin users/projects are put there (maybe because it's easy)20:20
nicolasbockdstanek, but in the database, the default domain doesn't have a standard id20:21
dstanekknikolla: that's a good question... without worrying too much about the URL i think you should document what APIs we need20:21
dstaneknicolasbock: it can be configured so that keystone knows what it is20:22
bknudsonthe default domain is used for v2 operations20:22
dstaneknicolasbock: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n934 'default' is the default20:22
bknudsonif you're not using v2 then there's no need for a default domain.20:22
knikolladstanek: yep, i'll do that20:23
dstanekbknudson: that's a good point. it has no special meaning in v320:23
nicolasbockbknudson, dstanek, so in the case of v3, the domains are all hierarchically equal20:23
nicolasbockand I could put the service users in a domain other than Default20:24
bknudsonyou can put service users in a domain other than the default.20:24
nicolasbockv2 doesn't understand domains, right?20:26
*** chrisshattuck has quit IRC20:26
bknudsonright, domains is a v3 concept20:26
nicolasbockwhich means that if I want to support v2 and v3, I need to make the default domain the one in which my users live20:26
bknudsonthat's right.20:27
stevemarfinally back20:27
nicolasbockok, thanks, I think things are a little clearer now :)20:27
stevemardstanek: thanks for covering20:27
stevemardstanek: whats with the TA for the VMT thing?20:28
dstanekstevemar: ma pleasure20:28
nicolasbockbknudson, one more question: Suppose I want to change the default domain: Is that just a matter of setting 'default_domain_id'?20:28
bknudsonnicolasbock: as far as keystone is concerned, that's all you need to do.20:29
dstaneknicolasbock: if you have existing resouces in a domain that is currently the default things might now work as expected20:29
nicolasbockbknudson, you  mean for v2 users?20:29
bknudsonnicolasbock: if you change the default_domain_id then v2 ops are going to look there for users and stuff.20:30
nicolasbockbknudson, ok, that makes sense.20:30
nicolasbockbknudson, thanks so much for all your help!20:30
bknudsonno problem20:30
dstaneknicolasbock: bknudson: right so users might not be able to login anymore through v220:30
nicolasbockdstanek, thanks, so I just have to convince everyone to switch to v3 :)20:30
dstaneknicolasbock: ++20:31
dstanekbreaking v2.0 will likely do that :-)20:31
dstanek(or get you fired)20:31
nicolasbockdstanek, very subtle :)20:31
nicolasbockI'll blame it on upstream :)20:31
dstanekhappy to help :-)20:32
*** spilla has quit IRC20:33
*** roxanaghe has quit IRC20:39
*** roxanaghe has joined #openstack-keystone20:40
*** slberger has quit IRC20:44
stevemardstanek: TA == threat analysis20:45
bretonstevemar: flu got me since Thu, so i don't have patches to backport. Tomorrow maybe.20:45
stevemarbreton: get better soon, let me know sooner rather than later, i want to cut a new version this week20:46
bretonstevemar: will do20:47
*** asettle has joined #openstack-keystone20:49
*** roxanaghe has quit IRC20:52
*** spedione is now known as spedione|AWAY20:52
*** slberger has joined #openstack-keystone20:52
*** roxanaghe has joined #openstack-keystone20:52
dstanekstevemar: i have to read the docs a little and come up with a task list for getting all of our projects managed under the VMT20:55
*** LamT_ has joined #openstack-keystone20:55
*** roxanaghe has quit IRC20:57
stevemardstanek: okay, is this a cross-project initiative, or mandated by someone / something ?  :)20:57
stevemardstanek: let me know if we're stretching you too thin, with reviews and vmt, and other bits20:57
dstanekstevemar: i just want to get the list of tasks together. then i'm hoping to get others to help out :-)20:59
stevemardstanek: ಠ_ಠ21:01
stevemarlbragstad: don't worry about the bug from the meeting today, i already verified it doesn't happen in master21:02
*** gagehugo has quit IRC21:02
lbragstadstevemar ah21:02
stevemarlbragstad: looks like a misconfiguration21:02
lbragstadstevemar sounds good - I was just starting a devstack build21:02
lbragstadstevemar so it will probably be closed then?21:03
*** gagehugo has joined #openstack-keystone21:03
*** jaugustine has quit IRC21:03
lbragstador marked as invalid?21:03
stevemarlbragstad: probably, its open against nova atm21:03
mfischstevemar: about 8 hours in and no issues21:04
*** gyee has joined #openstack-keystone21:04
*** ChanServ sets mode: +v gyee21:04
*** lamt has quit IRC21:05
stevemarmfisch: i'm guessing it would have happened by now?21:06
mfischit should have yeah, Im off tomorrow but will look again on thu21:06
mfischby then for sure21:06
stevemarmfisch: if that patch also fixed the v2 catalog in v3 token bug, i'd be sooooo happy21:07
mfischno KeyErrors in any logs in my lab in the last 3 days21:07
mfischi know before we had thousands21:07
stevemarmfisch: stupid question, but you re-enabled caching right? :)21:07
stevemarmfisch: just making sure :)21:08
mfischmemcache up to #3 memory user now21:08
mfischSTAT bytes 22759440521:08
mfischSTAT curr_items 1615021:08
mfischSTAT total_items 2047921:08
bknudsonmight as well use all the memory otherwise it's wasted21:08
mfischI cap it at 10% because its a pig21:09
*** ezpz has quit IRC21:09
*** browne has quit IRC21:09
*** pauloewerton has quit IRC21:10
bknudsonWhat do you think about changing keystone so that user invalidations don't go in the events list, but instead we check if the user is still valid?21:10
bknudsonSeems like it would be a pretty easy change (except for the issue of supporting old keystones)21:11
*** roxanaghe has joined #openstack-keystone21:11
bknudsonanother idea - take advantage of "last_fetch" in revocation event listing somehow. The server would have to save the revocation events (maybe in memcache)21:12
mfischdisabling the user is the first thing we'd do if someone was hax0ring us21:14
mfischtoken validation would be 2nd or 3rd21:14
bknudsonunfortunately, might be hard since we have an api to get the revocation events...21:15
*** browne has joined #openstack-keystone21:22
*** browne has quit IRC21:24
bknudsonmfisch: do you see a significant slowdown when there are some revocation events?21:27
mfischyes, I have21:28
bknudsonever look into it?21:29
mfischwell there was ML discussion with adam about it21:29
bknudsonI've been looking into it for a couple of days to see what's causing it.21:29
lbragstadbknudson the slow down when the revocation event table grows?21:29
bknudsonlbragstad: yes.21:30
lbragstadbknudson after hearing some of the results from ravelar's work - it seems like the revocation check being in python isn't helping anything21:31
bknudsonlbragstad: why is having the revocation check in python a problem?21:32
bknudsonHere's an example timing: revoke.sql list_events: 0:00:00.211991 for 2050 - q:0:00:00.17836921:33
bknudsonso list_events takes .212s , where the query takes .178 of that21:33
lbragstadbknudson ravelar was working on a POC to push the check in to sql21:33
*** adriant has joined #openstack-keystone21:34
bknudsonso token validation is going to take at least .212s , which is way too slow.21:34
lbragstadso instead of asking the backend for a list of revocation events and comparing them one by one in python - he was making it so that we would ask sql if there were any revocation records that matched these token values21:34
bknudsonnow, for some reason the call to list_events actually takes .324s21:35
bknudsonlbragstad: that might be faster... would have to measure it.21:35
lbragstadbknudson i thought he did - but i'd have to ask him21:35
bknudsonlbragstad: in the meantime, we could, stop putting user revocations into revocation event table.21:35
lbragstadeither way - it sounds like you two were working on something very similar21:36
lbragstadbknudson stop putting user revcoations in the revocation table/21:36
bknudsonlbragstad: btw - moving the event query into sql would make it impossible to cache.21:36
lbragstadlike - stop storing use revocation events period?21:36
lbragstadfor users?21:37
bknudsonlbragstad: right, for user revocation events go to the identity manager to check if the user is disabled.21:37
bknudsonI guess that wouldn't catch password changes?21:37
lbragstadbknudson yeah - that's the tricky one21:37
bknudsonwe'd have to still have revocation events for password changes.21:37
bknudsonbut for user disable / delete wouldn't need an event.21:38
lbragstadchange password is one of the rare places were we need a revocation event21:38
lbragstadbknudson right - i have a couple patches up that might help with that, too21:38
bknudsonanother option is to take advantage of the last_fetch parameter.21:38
bknudsonso in memcache would store the revocation event list + last_fetch21:38
bknudsonand then the sql query would do last_fetch from there21:39
bknudsonand then update memcache with the new list + fetch time21:39
bknudsonwould have to prune the list.21:39
bknudsonthat should be pretty fast.21:40
lbragstadyeah - i'd be curious to see taht21:40
dstanek bknudson lbragstad: an SQL solution should be faster for large datasets21:43
*** edtubill has quit IRC21:43
*** spzala has quit IRC21:43
bknudsondstanek: serialization / deserialization seems to be taking a lot of the time, and that's only to going to grow with the # of events.21:44
lbragstadwe should also trim some events21:44
bknudsoneven if memcache is used there's going to be a lot of serdes.21:45
bknudsonso maybe losing memcache isn't a big deal.21:45
dstaneklbragstad: my worry with trimming events is that we have an api for them21:45
*** edmondsw has quit IRC21:46
bknudsonmaybe we need a config option or something. :(21:46
lbragstadmoar config options...21:46
bknudsonwhich disables the API21:46
lbragstadi thought revocation events were internal only21:46
bknudsonhas it been deprecated long enough that we can drop it? We'd need a V4.21:46
bknudsonno, there's an api for revocation events -- auth_token middleware was supposed to use it.21:47
lbragstadrevocation *lists* have an api21:47
*** adu has joined #openstack-keystone21:47
dstanekbknudson: i wouldn't start out using memcached for revocation data. i'm curious to see what the speedup is to just filter data on the DB side21:47
lbragstadoh ...21:47
bknudsonthat's why there's a last_fetch time.21:47
stevemarbknudson: i believe lbragstad is correct, the only API for revocation stuff is listing events21:54
*** lamt has joined #openstack-keystone21:56
bknudsonidentity v4 here we come!21:59
bknudsonMaybe avelar's change works well enough I can try it out.22:00
*** roxanaghe has quit IRC22:08
*** roxanaghe has joined #openstack-keystone22:09
*** asettle has quit IRC22:14
bretonthe whole thing ^ sounds complex22:15
bretonmaybe we could just store password id in a token22:15
*** iurygregory_ has joined #openstack-keystone22:15
bretonit will take just sizeof(int) bytes in unencrypted token22:17
*** itsuugo has quit IRC22:20
*** itsuugo has joined #openstack-keystone22:21
*** hoonetorg has quit IRC22:24
*** slberger has left #openstack-keystone22:24
*** roxanaghe has quit IRC22:27
*** r-daneel has quit IRC22:34
*** roxanaghe has joined #openstack-keystone22:45
*** gyee has quit IRC22:47
*** ravelar has joined #openstack-keystone22:48
*** itsuugo has quit IRC22:49
rodrigodslbragstad, there? i think the round down change is the issue :(22:49
rodrigodsundid it here and the tests are passing22:50
*** itsuugo has joined #openstack-keystone22:50
rodrigodsdstanek, stevemar ^22:51
*** nkinder has quit IRC22:52
*** ravelar has quit IRC22:53
*** roxanaghe has quit IRC22:55
*** hoonetorg has joined #openstack-keystone22:56
stevemarrodrigods: ruh roh22:58
*** tonytan4ever has quit IRC22:58
rodrigodsstevemar, Depends-On runs with the correct code of the other repo, right?22:58
stevemarrodrigods: yep22:58
*** roxanaghe has joined #openstack-keystone22:59
stevemarrodrigods: propose a revert of Iaee0ec8c7acd512b9d93096ce8306a2952061c7a and add a Depends-On to the new commit id22:59
rodrigodsstevemar, cool, so I'll revert them and send a test commit to ksc to prove the tests are working22:59
jamielennoxdstanek, stevemar: it would be good to have https://review.openstack.org/#/c/371856/ in the release23:00
stevemarjamielennox: in the newton release?23:00
stevemarjamielennox: why's that?23:00
bretonthat's funny how we cannot win these round down issues for... a year?23:01
openstackgerritRodrigo Duarte proposed openstack/keystone: Revert "Add unit tests for isotime()"  https://review.openstack.org/37355323:02
openstackgerritRodrigo Duarte proposed openstack/keystone: Revert "Consistently round down timestamps"  https://review.openstack.org/37355423:02
*** hoonetorg has quit IRC23:02
stevemarbreton: seems like it!23:02
*** markvoelker has quit IRC23:03
*** markvoelker has joined #openstack-keystone23:03
jamielennoxstevemar: this is the is_admin_project one we talked about the other day23:03
stevemarjamielennox: y, i know, but why must it go into newton?23:04
jamielennoxkeystone being about the only project (and probably the most useful project) that doesn't do any form of is_admin_project in policy checking23:04
jamielennoxwell it would give us the functionality across (i think) all the core services23:05
jamielennoxhowever i'm not particularly bound by release cycles any more so if it sliips it doesn't bother me too much23:05
*** adu has quit IRC23:05
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: Check functional tests  https://review.openstack.org/37355523:05
rodrigodsstevemar, ^23:05
jamielennoxbased on talking other day it seemed you were ok with the late inclusion so i wanted to make sure to keep pushing it23:05
*** tonytan4ever has joined #openstack-keystone23:06
stevemarjamielennox: i meant i was OK with the patch in general, including it in rc2 - ehhhh23:06
stevemarjamielennox: last thing i want it an issue like what rodrigods is working on now :(23:07
stevemarjamielennox: include keystone in the bug report? https://bugs.launchpad.net/neutron/+bug/160208123:08
openstackLaunchpad bug 1602081 in neutron "Use oslo.context's policy dict" [High,In progress] - Assigned to Jamie Lennox (jamielennox)23:08
rodrigodsstevemar, let's start requiring functional tests for such changes23:10
rodrigodsideally at ksc, because we go through the whole stack23:10
jamielennoxrodrigods: did you find the problem for ksc?23:12
rodrigodsjamielennox, i hope so23:12
rodrigodsjamielennox, at least, the tests are passing locally23:13
jamielennoxwhat happened?23:13
rodrigodsjamielennox, https://review.openstack.org/#/c/373554/23:13
*** adrian_otto has joined #openstack-keystone23:15
rodrigodsjamielennox, submitted https://review.openstack.org/#/c/373555/ to verify the fix upstream23:16
rodrigodsstevemar, what about add the ksc functional tests job to keystone?23:17
rodrigods(and other repos)23:17
*** itsuugo has quit IRC23:18
jamielennoxrodrigods: that's weird, will_expire_soon is fairly lenient, the only thing i can see it being a problem for is maybe auth_token checks but if it's just rounding it shouldn't matter23:18
*** itsuugo has joined #openstack-keystone23:18
*** hoonetorg has joined #openstack-keystone23:19
rodrigodsjamielennox, that was my guess, what i know is that it fails here https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L348-L35123:20
rodrigodsbecause "Invalid user token" appears in the log23:21
*** itsuugo has quit IRC23:23
*** itsuugo has joined #openstack-keystone23:24
stevemarrodrigods: still failing23:25
rodrigodsstevemar, yeah... but they pass locally23:25
rodrigodshow can i be sure they have run considering the keystone change?23:25
stevemarrodrigods: it looks like it did here: http://status.openstack.org/zuul/23:26
rodrigodsstevemar, right23:27
stevemarrodrigods: http://logs.openstack.org/55/373555/1/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/c4617f3/logs/devstacklog.txt.gz#_2016-09-20_23_10_00_98423:28
rodrigodslet me do more testing23:28
stevemarrodrigods: right next to keystone:install_keystone:55623:28
stevemarrodrigods: fwiw, it looks like less tests are failing now23:28
stevemarrodrigods: now it's only test_domains (it tries to delete before disabling)23:29
*** hoonetorg has quit IRC23:29
rodrigodsstevemar, this issue happens sometimes here23:29
stevemarrodrigods: and now update_role_domain and list_roles are both failing23:29
rodrigodsstevemar, it is because the "disable" action is the one that has the "invalid" token23:29
stevemarrodrigods: yeah, depends on where it's run, some tests are failing more than others: http://logs.openstack.org/69/369469/1/gate/gate-keystoneclient-dsvm-functional-ubuntu-xenial/99ed136/testr_results.html.gz and http://logs.openstack.org/24/371324/1/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/4ad8dac/testr_results.html.gz23:31
*** hoonetorg has joined #openstack-keystone23:31
stevemarrodrigods: also the tokens expire in 1 hr23:35
stevemarthe rounding patch only affecting things in the microsecond range23:35
stevemardinner time23:36
*** BjoernT has joined #openstack-keystone23:37
jamielennoxrodrigods: so if it's failing there i'd be more inclined to blame keystone's validate23:37
jamielennoxrodrigods: but in which case it would  be affecting more than just keystoneclient's tests23:37
bretonthe thing we are discussing now would be one my candidates for mitaka btw23:39
*** ravelar has joined #openstack-keystone23:45
*** ravelar has quit IRC23:45
*** Alexey_Abashkin_ has joined #openstack-keystone23:45
*** Alexey_Abashkin has quit IRC23:46
*** tonytan4ever has quit IRC23:47
*** itsuugo has quit IRC23:58
rodrigodsstevemar, recreating my devstack, hopefully more logs can help23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!