Wednesday, 2016-09-21

*** itsuugo has joined #openstack-keystone00:00
*** jamielennox is now known as jamielennox|away00:00
*** itsuugo has quit IRC00:05
*** itsuugo has joined #openstack-keystone00:06
*** itsuugo has quit IRC00:11
*** itsuugo has joined #openstack-keystone00:11
*** Alexey_Abashkin_ has quit IRC00:13
*** jamielennox|away is now known as jamielennox00:14
*** Alexey_Abashkin_ has joined #openstack-keystone00:14
*** Marcellin__ has quit IRC00:17
*** Alexey_Abashkin_ has quit IRC00:18
*** BjoernT has quit IRC00:20
*** adrian_otto has quit IRC00:21
*** tqtran has quit IRC00:25
stevemarbreton: rgr00:25
*** itsuugo has quit IRC00:27
*** itsuugo has joined #openstack-keystone00:27
lbragstadrodrigods did we revert the round down issue?00:28
lbragstador patch?00:28
rodrigodslbragstad, not yet00:28
rodrigodsfixed locally for me but not upstream00:28
lbragstadwhat tests is it impacting?00:29
rodrigodsksc functional ones00:29
lbragstadwhat if we take the same approach to the tempest tests and add waits?00:29
rodrigodslbragstad, maybe? not sure00:30
rodrigodsi'm not convinced that it is the real issue since the tests didn't pass with the revert commit00:31
rodrigodsthey only pass locally for me00:31
lbragstadif we revert the microsecond rounding patch we're going to see race conditions with tempest again00:31
*** Alexey_Abashkin_ has joined #openstack-keystone00:32
rodrigodslbragstad, see https://review.openstack.org/#/c/373555/100:32
openstackgerritRichard Avelar proposed openstack/keystone: Change python code revocation search to sql  https://review.openstack.org/35937100:34
*** itsuugo has quit IRC00:39
lbragstadrodrigods interesting... did it fail the recheck00:39
rodrigodslbragstad, the recheck is still running00:40
*** itsuugo has joined #openstack-keystone00:40
stevemarso the reality of this is that rounding of microseconds shouldn't cause an issue in real deployments00:41
stevemari'd be okay with using wait() here00:41
rodrigodslbragstad, stevemar locally https://paste.fedoraproject.org/431719/14744185/raw/00:43
stevemarrodrigods: i wonder if the issue is that because the token timestamp is rounded down, the token isn't even valid yet? not that it's expired00:44
rodrigodsstevemar, good point00:44
*** roxanaghe has quit IRC00:45
stevemarlbragstad: did that rounding change impact the issued_at field too?00:45
lbragstadthe revocation event is still not catching it00:45
lbragstadyeah - i believe so00:45
lbragstadsorry - i'm multi-task00:45
lbragstadtasking*00:45
lbragstadtrying to figure out if there is a doc meeting00:46
stevemarlbragstad: there isn't one today00:46
stevemarit was on the ML00:46
stevemar(the cancelation)00:46
lbragstadoh - my google calendar is out of date then00:47
rodrigodsstevemar, failed again http://logs.openstack.org/55/373555/1/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/93f57ab/testr_results.html.gz00:48
*** tonytan4ever has joined #openstack-keystone00:48
rodrigodslocally, 100% success00:48
lbragstadso - it must be in addition to something else?00:50
stevemarrodrigods: i think we need to drop in some wait()s00:50
openstackgerritRodrigo Duarte proposed openstack/keystonemiddleware: DO NOT MERGE: test commit  https://review.openstack.org/37357000:51
rodrigodssince i can't reproduce locally ^00:51
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/36143500:51
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: Check functional tests  https://review.openstack.org/37355500:52
*** tonytan4ever has quit IRC00:52
*** itsuugo has quit IRC00:54
*** itsuugo has joined #openstack-keystone00:55
*** itsuugo has quit IRC01:03
*** itsuugo has joined #openstack-keystone01:05
*** zhangjl has joined #openstack-keystone01:11
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: test  https://review.openstack.org/37357801:12
*** roxanaghe has joined #openstack-keystone01:13
*** itsuugo has quit IRC01:14
stevemarcrinkle: o/01:14
*** itsuugo has joined #openstack-keystone01:15
*** sdake_ has joined #openstack-keystone01:19
*** sdake has quit IRC01:21
*** davechen has joined #openstack-keystone01:22
*** zouyapeng has quit IRC01:25
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: test  https://review.openstack.org/37357801:30
stevemarrodrigods: you got lucky and the functional tests passed01:31
*** roxanaghe has quit IRC01:33
*** roxanaghe has joined #openstack-keystone01:34
*** guoshan has joined #openstack-keystone01:34
*** itsuugo has quit IRC01:36
*** itsuugo has joined #openstack-keystone01:37
*** roxanaghe has quit IRC01:39
rodrigodsstevemar, just because the log01:40
rodrigodsi bet01:41
*** itsuugo has quit IRC01:46
*** itsuugo has joined #openstack-keystone01:47
*** tonytan4ever has joined #openstack-keystone01:49
*** roxanaghe has joined #openstack-keystone01:52
ayoungjamielennox, got some data for you as far as how much work we need to do for reworking policy01:53
ayounghttp://adam.younglogic.com/2016/09/distinct-rbac-policy-rules/01:53
*** tonytan4ever has quit IRC01:54
*** itsuugo has quit IRC01:55
*** itsuugo has joined #openstack-keystone01:56
*** itsuugo has quit IRC02:06
*** itsuugo has joined #openstack-keystone02:07
jamielennoxayoung: that's pretty cool02:10
jamielennoxayoung: not sure if we can use that to determine which need to be is_admin_project02:10
jamielennoxayoung: but it's a good indication that we should have some global things defined across all projects, though i don't know how to do that02:10
*** itsuugo has quit IRC02:12
*** itsuugo has joined #openstack-keystone02:12
ayoungjamielennox, so long as we don't touch default, I think we can make it work02:13
ayoungwhat I should do is generate the complete set of rules from that, with something like identity:default for each of the individual files, then find a way to make that stick02:14
ayoungI'm not really looking for a unified policy file, either.  I just need to be able to customize roles used upon deployment.  That seems to require system wide scanning of policy02:15
*** roxanaghe has quit IRC02:18
*** roxanaghe has joined #openstack-keystone02:18
*** itsuugo has quit IRC02:19
*** itsuugo has joined #openstack-keystone02:21
*** roxanaghe has quit IRC02:23
*** tonytan4ever has joined #openstack-keystone02:23
*** gagehugo has quit IRC02:24
rodrigodsstevemar, passed again02:24
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: Check functional tests  https://review.openstack.org/37355502:25
*** itsuugo has quit IRC02:36
*** itsuugo has joined #openstack-keystone02:37
*** nicolasbock has quit IRC02:41
*** itsuugo has quit IRC02:45
*** itsuugo has joined #openstack-keystone02:47
*** roxanaghe has joined #openstack-keystone02:50
*** itsuugo has quit IRC02:58
*** roxanaghe has quit IRC02:59
*** roxanaghe has joined #openstack-keystone03:00
*** itsuugo has joined #openstack-keystone03:00
*** xiaoyang has quit IRC03:02
*** david-lyle has quit IRC03:04
*** roxanaghe has quit IRC03:04
*** itsuugo has quit IRC03:05
stevemarrodrigods: bah03:06
jamielennoxstevemar, rodrigods: so it is something happening on the keystone side?03:06
*** itsuugo has joined #openstack-keystone03:06
stevemarjamielennox: sorta, is there a way to make the request sleep before issuing it or something03:07
stevemarjamielennox: i think the rounding definitely affected it03:07
jamielennoxdefine easy03:08
stevemarbut i'm not sure why03:08
jamielennoxyou can put a time.sleep in the request() function03:08
jamielennoxbut there's no like hook or existing param that would do it for you03:08
stevemarjamielennox: any way to add it to here? https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/functional/v3/client_fixtures.py03:08
stevemaron the flip side, if someone has a script like this, they'll be hitting timeouts all over the place too03:09
jamielennoxyou think it's because the auth and the op are happening in the same second?03:10
stevemarjamielennox: that's my hypothesis03:10
jamielennoxdidn't we fix that with a >= to > change or something03:10
jamielennoxso if things are rounded to the same second then that's still ok03:10
stevemarjamielennox: https://github.com/openstack/keystone/commit/301b6a7bc770830485937f0b9927a26e2e5ec8c803:10
stevemaror even the same millisecond?03:11
jamielennoxstevemar: if this is true you should be able to replicate locally03:11
jamielennoxstart your own keystone, run func tests or just something that does a fast auth then op and put prints everywhere03:12
jamielennoxoh, so i think it's going to be using keystoneauth for the comm as well03:13
jamielennoxbecause it's doing os_client_config03:13
stevemarit's using os-client-config?03:13
stevemareh, the easy solution for me is to revert the rounding work03:14
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/36143503:15
*** itsuugo has quit IRC03:23
*** itsuugo has joined #openstack-keystone03:25
*** itsuugo has quit IRC03:29
*** itsuugo has joined #openstack-keystone03:31
*** dikonoor has joined #openstack-keystone03:33
*** itsuugo has quit IRC03:36
*** itsuugo has joined #openstack-keystone03:36
*** iurygregory_ has quit IRC03:37
*** itsuugo has quit IRC03:41
*** guoshan_ has joined #openstack-keystone03:41
*** guoshan has quit IRC03:41
*** itsuugo has joined #openstack-keystone03:42
*** sdake_ has quit IRC03:42
*** itsuugo has quit IRC03:51
*** itsuugo has joined #openstack-keystone03:52
*** guoshan_ has quit IRC03:52
*** itsuugo has quit IRC03:59
*** davechen has quit IRC03:59
*** davechen has joined #openstack-keystone03:59
*** itsuugo has joined #openstack-keystone04:01
*** lamt has quit IRC04:01
*** markvoelker has quit IRC04:03
*** itsuugo has quit IRC04:05
*** itsuugo has joined #openstack-keystone04:06
*** markvoelker has joined #openstack-keystone04:10
*** itsuugo has quit IRC04:11
*** itsuugo has joined #openstack-keystone04:12
*** itsuugo has quit IRC04:17
*** itsuugo has joined #openstack-keystone04:18
*** itsuugo has quit IRC04:23
*** itsuugo has joined #openstack-keystone04:24
*** fangxu has joined #openstack-keystone04:26
*** fangxu has quit IRC04:27
*** itsuugo has quit IRC04:29
*** itsuugo has joined #openstack-keystone04:30
*** vaishali_ has joined #openstack-keystone04:34
stevemarjamielennox: poke04:35
jamielennoxumph04:35
stevemarjamielennox: what's with the syntax in https://review.openstack.org/#/c/336971/4/keystonemiddleware/tests/unit/audit/test_audit_middleware.py04:35
stevemarself.create_simple_middleware()(req)04:35
stevemaris that some secret python i don't know?04:35
jamielennoxstevemar: definitely04:35
jamielennoxstevemar: it's just a wrapper that is returning a middleware object, then calling that object with a request04:36
jamielennoxsame as04:36
jamielennoxmiddleware = self.create_simple_middleware()04:36
jamielennoxmiddleware(req)04:36
stevemaroooohhh i see it04:36
jamielennoxmiddleware.__call__(req)04:36
stevemaryeah, that's04:36
stevemarnot pretty04:36
stevemari guess you don't want to do:04:37
stevemarmiddleware = self.create_simple_middleware()04:37
stevemarmiddleware(req)04:37
stevemarsave that 1 line ;)04:37
jamielennoxi could, depends if you think it makes a difference04:37
jamielennoxi think i fix it in a later review04:37
jamielennoxi wrap it in an app thing04:38
jamielennoxso you call middleware.get(...) instead of creating a request04:38
jamielennoxhttps://review.openstack.org/#/c/336972/404:38
jamielennoxbut those audit tests are a bit of a shambles so i wanted to be really careful working through them04:39
stevemargotcha04:39
stevemari do find it a bit confusing04:39
*** itsuugo has quit IRC04:45
*** itsuugo has joined #openstack-keystone04:46
*** jaosorior has joined #openstack-keystone04:50
*** itsuugo has quit IRC04:51
*** itsuugo has joined #openstack-keystone04:53
*** guoshan has joined #openstack-keystone04:53
*** code-R has joined #openstack-keystone04:56
*** sc68cal_ has joined #openstack-keystone05:09
*** woodster_ has quit IRC05:10
*** jaosorior has quit IRC05:10
*** jaosorior has joined #openstack-keystone05:11
*** sc68cal has quit IRC05:11
*** itsuugo has quit IRC05:12
*** itsuugo has joined #openstack-keystone05:12
*** asettle has joined #openstack-keystone05:20
*** tqtran has joined #openstack-keystone05:25
*** itsuugo has quit IRC05:26
*** itsuugo has joined #openstack-keystone05:27
*** asettle has quit IRC05:28
*** tqtran has quit IRC05:30
openstackgerritQiming Teng proposed openstack/keystone: Tweak status code in api-ref doc for v3 users  https://review.openstack.org/36776705:32
*** itsuugo has quit IRC05:32
*** itsuugo has joined #openstack-keystone05:33
*** adriant has quit IRC05:35
openstackgerritQiming Teng proposed openstack/keystone: Reorder APIs in api-ref doc for v3 users  https://review.openstack.org/37366005:36
*** lamt has joined #openstack-keystone05:39
*** richm1 has quit IRC05:40
*** code-R has quit IRC05:51
*** tqtran has joined #openstack-keystone05:53
*** itsuugo has quit IRC05:53
*** itsuugo has joined #openstack-keystone05:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/37367805:58
*** code-R has joined #openstack-keystone05:58
*** itsuugo has quit IRC05:59
*** itsuugo has joined #openstack-keystone06:01
*** markvoelker has quit IRC06:01
*** markvoelker has joined #openstack-keystone06:03
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/37368606:03
*** itsuugo has quit IRC06:05
*** itsuugo has joined #openstack-keystone06:07
*** rcernin has joined #openstack-keystone06:07
*** code-R_ has joined #openstack-keystone06:09
*** markvoelker has quit IRC06:11
*** code-R has quit IRC06:12
*** tonytan4ever has quit IRC06:14
*** itsuugo has quit IRC06:17
*** itsuugo has joined #openstack-keystone06:18
*** namnh has joined #openstack-keystone06:25
*** itsuugo has quit IRC06:25
*** itsuugo has joined #openstack-keystone06:27
openstackgerritDave Chen proposed openstack/keystone: Handle the exception from creating access token properly  https://review.openstack.org/35979506:30
openstackgerritDave Chen proposed openstack/keystone: Handle the exception from creating access token properly  https://review.openstack.org/35979506:35
*** itsuugo has quit IRC06:37
*** itsuugo has joined #openstack-keystone06:38
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/37375006:42
*** itsuugo has quit IRC06:43
*** code-R_ has quit IRC06:45
*** itsuugo has joined #openstack-keystone06:45
*** itsuugo has quit IRC07:02
*** namnh has quit IRC07:02
*** itsuugo has joined #openstack-keystone07:03
*** namnh has joined #openstack-keystone07:03
*** itsuugo has quit IRC07:10
*** markvoelker has joined #openstack-keystone07:11
*** itsuugo has joined #openstack-keystone07:12
*** pcaruana has joined #openstack-keystone07:13
*** markvoelker has quit IRC07:16
*** vaishali_ has quit IRC07:18
*** tqtran has quit IRC07:19
*** jpena|off is now known as jpena07:19
*** Alexey_Abashkin_ has quit IRC07:20
*** AlexeyAbashkin has joined #openstack-keystone07:23
*** itsuugo has quit IRC07:25
*** itsuugo has joined #openstack-keystone07:27
*** itsuugo has quit IRC07:33
*** itsuugo has joined #openstack-keystone07:35
*** pnavarro has joined #openstack-keystone07:35
*** code-R has joined #openstack-keystone07:37
openstackgerritNanke_Liu (lnk) proposed openstack/keystonemiddleware: Replace 'MagicMock' with 'Mock'  https://review.openstack.org/37382607:41
*** amoralej|off is now known as amoralej07:43
*** tonytan4ever has joined #openstack-keystone07:44
*** code-R has quit IRC07:46
*** vaishali has joined #openstack-keystone07:47
*** tonytan4ever has quit IRC07:50
*** vaishali has quit IRC07:51
*** pnavarro has quit IRC07:53
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** code-R has joined #openstack-keystone08:02
*** vaishali has joined #openstack-keystone08:04
*** pnavarro has joined #openstack-keystone08:04
*** itsuugo has quit IRC08:04
*** itsuugo has joined #openstack-keystone08:05
*** vaishali has quit IRC08:08
*** code-R has quit IRC08:11
*** marekd2 has joined #openstack-keystone08:15
*** pnavarro has quit IRC08:27
*** jaosorior is now known as jaosorior_brb08:28
*** vaishali has joined #openstack-keystone08:28
*** vaishali has quit IRC08:33
bretondammit08:33
breton20 mails about that stupid "Never use MagicMock"08:34
*** pnavarro has joined #openstack-keystone08:38
jamielennoxyea, i hate those big launchpad bugs that then tell you every time a new project is subscribed/unsubscribed/fixed and not interesting08:39
*** asettle has joined #openstack-keystone08:45
*** vaishali_ has joined #openstack-keystone08:46
*** pnavarro has quit IRC08:57
*** mvk has quit IRC09:00
*** pnavarro has joined #openstack-keystone09:02
*** acoles_ is now known as acoles09:02
*** pnavarro has quit IRC09:13
*** itsuugo has quit IRC09:16
*** itsuugo has joined #openstack-keystone09:17
*** pnavarro has joined #openstack-keystone09:22
*** itsuugo has quit IRC09:22
*** itsuugo has joined #openstack-keystone09:23
*** code-R has joined #openstack-keystone09:30
*** mvk has joined #openstack-keystone09:31
*** code-R_ has joined #openstack-keystone09:31
*** pnavarro has quit IRC09:34
*** itsuugo has quit IRC09:34
*** code-R has quit IRC09:34
*** itsuugo has joined #openstack-keystone09:35
openstackgerritDave Chen proposed openstack/keystone: Handle the exception from creating request token properly  https://review.openstack.org/36108709:38
*** pnavarro has joined #openstack-keystone09:48
*** pnavarro has quit IRC09:53
alogastevemar: as promised https://review.openstack.org/#/c/373983/10:00
*** rdo_ has quit IRC10:02
*** rdo_ has joined #openstack-keystone10:04
*** richm has joined #openstack-keystone10:10
openstackgerritAlvaro Lopez Garcia proposed openstack/keystone-specs: OpenID Connect improved support  https://review.openstack.org/37398310:17
*** tqtran has joined #openstack-keystone10:17
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: Check functional tests  https://review.openstack.org/37400310:18
*** tqtran has quit IRC10:21
*** itsuugo has quit IRC10:21
*** itsuugo has joined #openstack-keystone10:23
*** vaishali_ has quit IRC10:25
*** itsuugo has quit IRC10:33
*** itsuugo has joined #openstack-keystone10:34
openstackgerritAlexander Makarov proposed openstack/keystone: Verbose 401/403 debug responses  https://review.openstack.org/37243310:40
*** nicolasbock has joined #openstack-keystone10:41
*** pnavarro has joined #openstack-keystone10:41
*** vaishali_ has joined #openstack-keystone10:41
*** itsuugo has quit IRC10:41
*** itsuugo has joined #openstack-keystone10:43
*** tonytan4ever has joined #openstack-keystone10:46
*** tonytan4ever has quit IRC10:52
*** code-R_ has quit IRC10:56
*** code-R has joined #openstack-keystone10:56
openstackgerritRodrigo Duarte proposed openstack/keystonemiddleware: DO NOT MERGE: test commit  https://review.openstack.org/37357010:58
*** itsuugo has quit IRC10:58
*** itsuugo has joined #openstack-keystone11:00
*** pnavarro has quit IRC11:00
*** zhangjl has quit IRC11:05
*** namnh has quit IRC11:07
openstackgerritRodrigo Duarte proposed openstack/keystonemiddleware: DO NOT MERGE: test commit  https://review.openstack.org/37357011:07
openstackgerritDave Chen proposed openstack/keystone: Consolidate the common code into one method  https://review.openstack.org/37404311:16
openstackgerritDave Chen proposed openstack/keystone: Handle the exception from creating access token properly  https://review.openstack.org/35979511:18
*** pnavarro has joined #openstack-keystone11:18
davechenrodrigods: ^^11:19
davechenrodrigods: btw, thanks for the review and comments!11:19
rodrigodsdavechen, np! :)11:23
*** jed56 has quit IRC11:25
*** davechen has left #openstack-keystone11:26
*** jaosorior_brb is now known as jaosorior11:28
*** itsuugo has quit IRC11:28
*** itsuugo has joined #openstack-keystone11:29
*** daemontool has joined #openstack-keystone11:39
*** itsuugo has quit IRC11:39
*** itsuugo has joined #openstack-keystone11:40
*** woodster_ has joined #openstack-keystone11:40
*** code-R_ has joined #openstack-keystone11:42
*** code-R has quit IRC11:45
*** edmondsw has joined #openstack-keystone11:49
*** itsuugo has quit IRC11:52
*** itsuugo has joined #openstack-keystone11:53
*** jpena is now known as jpena|lunch11:57
*** lamt has quit IRC11:58
*** rodrigods has quit IRC11:59
*** rodrigods has joined #openstack-keystone11:59
*** pnavarro has quit IRC12:04
*** nk2527 has joined #openstack-keystone12:09
openstackgerritChangBo Guo(gcb) proposed openstack/oslo.policy: Trivial: Don't need restrict export of class  https://review.openstack.org/37410212:21
*** pauloewerton has joined #openstack-keystone12:26
*** lamt has joined #openstack-keystone12:29
*** itsuugo has quit IRC12:30
*** lamt has quit IRC12:31
*** lamt has joined #openstack-keystone12:32
*** itsuugo has joined #openstack-keystone12:32
*** markvoelker has joined #openstack-keystone12:33
*** guoshan has quit IRC12:33
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848812:44
*** amoralej is now known as amoralej|lunch12:44
*** itsuugo has quit IRC12:55
*** david-lyle has joined #openstack-keystone12:56
*** itsuugo has joined #openstack-keystone12:57
*** vaishali_ has quit IRC12:58
*** acoles is now known as acoles_12:58
*** jpena|lunch is now known as jpena13:00
*** jaosorior has quit IRC13:10
*** jaosorior has joined #openstack-keystone13:11
*** pnavarro has joined #openstack-keystone13:21
stevemarjamielennox: breton you can mute the bug mail13:22
*** stevemar changes topic to "Summit Brainstorm: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm | Meeting Agenda https://etherpad.openstack.org/p/keystone-weekly-meeting | Newton retrospective: https://etherpad.openstack.org/p/keystone-newton-retrospective"13:30
stevemarPSA for keystone devs: add content to the summit etherpad: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm -- dolphm ayoung bknudson jamielennox dstanek marekd samueldmq rodrigods13:31
rodrigodsthanks stevemar13:32
*** code-R_ has quit IRC13:34
*** code-R has joined #openstack-keystone13:36
*** amoralej|lunch is now known as amoralej13:36
rodrigodsstevemar, think i know the issue in ksc tests, just don't know yet how it is related to rounding down13:46
*** lamt has quit IRC13:47
*** spzala has joined #openstack-keystone13:47
ayoungstevemar, will do13:50
*** jrist has quit IRC13:52
dstanekstevemar: do you really like the idea of having invalid settings by default?13:52
dstanekre:idp sso stuff13:52
bretonwhat is psa?13:52
*** tonytan4ever has joined #openstack-keystone13:52
dstanekbreton: public service announcement13:52
*** asettle has quit IRC13:54
*** pnavarro has quit IRC13:54
*** asettle has joined #openstack-keystone13:55
rodrigodsdstanek, stevemar, lbragstad, so... think our ksc functional tests relied on a bug to work most of the time13:56
rodrigodsand... the rounding down patch fixes that bug13:56
lbragstadrodrigods lol13:57
rodrigodsbreaking our ksc functional tests :)13:57
dstanekrodrigods: nice13:57
*** lifeless has quit IRC13:57
lbragstadrodrigods is this supposed to be good news?13:57
dstanekrodrigods: can we fix it so it doesn't rely on the bug?13:57
rodrigodslbragstad, i guess?13:57
rodrigodsdstanek, i think so, replying to stevemar's ML list email13:57
rodrigodswith more details13:57
*** r-daneel has joined #openstack-keystone13:58
*** sdake has joined #openstack-keystone13:59
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver  https://review.openstack.org/29131813:59
*** lifeless has joined #openstack-keystone13:59
openstackgerritAlexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager  https://review.openstack.org/36073513:59
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation trust driver  https://review.openstack.org/29187113:59
rodrigodslbragstad, dstanek, stevemar replied (ML thread is "gate-keystoneclient-dsvm-functional-ubuntu-xenial is broken")13:59
*** sdake has quit IRC13:59
openstackgerritAlexander Makarov proposed openstack/keystone: OAuth1 driver for unified delegation  https://review.openstack.org/37096514:00
*** sdake has joined #openstack-keystone14:00
*** acoles_ is now known as acoles14:03
rodrigodslbragstad, dstanek, the ksc functional are pretty good tests because they create lots of race condition scenarios14:05
rodrigodsit is a feature bug :)14:05
*** jrist has joined #openstack-keystone14:07
*** spedione|AWAY is now known as spedione14:10
*** dikonoor has quit IRC14:18
*** tqtran has joined #openstack-keystone14:19
*** tqtran has quit IRC14:23
*** slberger has joined #openstack-keystone14:23
*** gagehugo has joined #openstack-keystone14:25
*** mfisch has quit IRC14:28
stevemarrodrigods: hehe14:29
*** edtubill has joined #openstack-keystone14:30
*** edtubill has quit IRC14:30
*** edtubill has joined #openstack-keystone14:31
rodrigodsstevemar, https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/functional/v3/test_auth.py14:32
*** jed56 has joined #openstack-keystone14:32
*** mfisch has joined #openstack-keystone14:32
rodrigodsthese test14:32
*** mfisch has quit IRC14:32
*** mfisch has joined #openstack-keystone14:32
rodrigodstests*, that create the race condition14:32
*** acoles is now known as acoles_14:40
*** ravelar has joined #openstack-keystone14:41
*** LamT_ has quit IRC14:41
*** daemontool_ has joined #openstack-keystone14:41
rodrigodsstevemar, dstanek, lbragstad: https://review.openstack.org/#/c/374211/14:42
*** daemontool has quit IRC14:44
dstanekrodrigods: so this has been a problem for 5 weeks?14:47
dstaneki thought it was only the last few days14:47
rodrigodsdstanek, was uncovered by lbragstad commit14:47
dstanekrodrigods: ah14:47
*** ddieterly has joined #openstack-keystone14:48
dstanekrodrigods: +2 from me14:48
bretonrodrigods: nice14:49
*** acoles_ is now known as acoles14:49
rodrigodsthanks dstanek14:49
rodrigodsbreton, ++ was a nice one to debug :)14:50
*** EinstCrazy has joined #openstack-keystone14:52
*** slberger1 has joined #openstack-keystone14:56
*** EinstCrazy has quit IRC14:56
dstanekrodrigods: do we still need your other revert?14:57
rodrigodsdstanek, no14:57
*** slberger has quit IRC14:58
bknudsonI tried running with https://review.openstack.org/#/c/359371/15 and token validation is a lot faster.14:58
*** daemontool_ has quit IRC14:58
dstanekrodrigods: actually it looks like you have a few reverts14:58
rodrigodsdstanek, only the ksc is required as per the last discoveries14:59
*** openstack has joined #openstack-keystone14:59
stevemarrodrigods: that's good news :)14:59
rodrigodsdstanek, will abandon the other ones when the ksc revert proves that works14:59
stevemarrodrigods: no need to revert keystone patches !15:00
rodrigodsstevemar, ++15:00
stevemarrodrigods: sure, abandon the others15:00
*** slberger1 has quit IRC15:02
*** slberger has joined #openstack-keystone15:04
bretonhttp://bikeshed.com/ (hit reload a couple of times if you dislike background color)15:07
breton(or https://shed.bike/ for almost-plain-text)15:08
openstackgerritAndrew Laski proposed openstack/oslo.policy: Update docs on policy sample generator  https://review.openstack.org/37423215:10
*** ddieterly is now known as ddieterly[away]15:12
*** ddieterly[away] is now known as ddieterly15:12
*** lamt has joined #openstack-keystone15:15
openstackgerritDavid Stanek proposed openstack/keystone: Fix formatting strings in LOG.warning  https://review.openstack.org/36188215:17
*** gagehugo has quit IRC15:19
openstackgerritDavid Stanek proposed openstack/keystone: Fix formatting strings in LOG.debug  https://review.openstack.org/36189515:23
lbragstadbknudson nice!15:23
dstanek^ i wanted to get those out of my queue forever15:24
*** EinstCrazy has joined #openstack-keystone15:24
*** EinstCrazy has quit IRC15:26
*** EinstCrazy has joined #openstack-keystone15:27
ravelarbknudson thanks for the feedback! :) been trying to get some views on this15:27
openstackgerritLance Bragstad proposed openstack/keystone: One validate method to rule them all...  https://review.openstack.org/37424315:28
bknudsonravelar: the commit message says it's a work in progress15:28
ravelarbknudson I updated it one more time since then, the commit message should be changed since 15?15:29
*** ddieterly is now known as ddieterly[away]15:30
*** mvk has quit IRC15:31
*** gagehugo has joined #openstack-keystone15:32
stevemardolphm: https://review.openstack.org/#/c/374245/1 for mitaka15:33
stevemarthanks breton for backporting15:33
*** slberger has quit IRC15:34
*** ddieterly[away] is now known as ddieterly15:34
*** slberger has joined #openstack-keystone15:35
bretonstevemar: wait, that's still probably wip, too early to +2. The tests will fail, and if they won't then it's pure luck and they will on recheck.15:36
stevemarbreton: sad15:36
stevemarbreton: do you have any other patches you want to backport?15:36
stevemarbreton: otherwise i will ask to release the new mitaka today15:36
*** edtubill has quit IRC15:37
dolphmlbragstad: ^15:37
*** edtubill has joined #openstack-keystone15:37
lbragstaddolphm ?15:38
*** jaosorior has quit IRC15:39
openstackgerritAndrew Laski proposed openstack/oslo.policy: Perform basic checks on policy definitions  https://review.openstack.org/37349115:39
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add optional exception for check_rules  https://review.openstack.org/37425115:39
dolphmlbragstad: your patch is being backported15:39
bretonstevemar: no, can't think of any. I need to leave for 3-4 hours, but after that i will finish 374245 and i think we're good.15:42
bknudsonravelar: I think the slow part of revocation event handling is reading and deserializing the data.15:42
bretonbut if anyone wants to get https://review.openstack.org/#/c/374245/ in earlier, feel free to poke it15:46
*** d0ugal has quit IRC15:48
*** d0ugal has joined #openstack-keystone15:49
*** gagehugo has quit IRC15:51
*** itsuugo has quit IRC15:53
*** gagehugo has joined #openstack-keystone15:54
*** itsuugo has joined #openstack-keystone15:55
*** EinstCrazy has quit IRC15:59
*** roxanaghe has joined #openstack-keystone16:00
ravelarbknudson you're probably right, another assignment I am currently looking into is dropping some of the unnecessary columns from the rev event list to clean this up a bit. Right now there are a number of possibilities for an entry in revocation table16:02
bknudsonravelar: we have talked about removing project_id and domain_id and check the state of the object instead.16:03
*** rcernin has quit IRC16:03
bknudsoncan also drop role_id, trust_id, consumer_id, access_token_id.16:04
ravelaryes, lbragstad brought me up to speed with his patches which may be able to do that. That would make a big difference since domain_id is one of the things that have multiple token_data fields matched to one revocation column16:04
*** chianingwang has quit IRC16:04
*** chianingwang has joined #openstack-keystone16:04
bknudsonwell, it all depends on how they're using the cloud. Not sure how many domain revocations are happening anyways.16:05
ravelarbknudson, just saw your other comments on the patch, will do them right away :)16:05
bknudsonwhat does the typical query look like?16:05
bknudsonLet me take a look.16:05
*** gyee has joined #openstack-keystone16:07
*** vkmc is now known as vkmc|afk16:14
bknudsonHere's what my token_data looks like: http://paste.openstack.org/show/582424/16:14
bknudsonso the query is always going to have all the filters set.16:15
bknudsoneven when they don't matter (like access_token_id is null)16:15
*** pcaruana has quit IRC16:15
*** pcaruana has joined #openstack-keystone16:17
ravelarbknudson are you saying that token_data should remove None values and the query should only check the revocation event table for what isn't None in token_data?16:18
bknudsonravelar: seems like it.16:19
bknudsonat least, don't need to do both is_(None) and == value when value is None16:19
ravelarbknudson, in one of my previous patches I implemented this but the problem was multiple tox tests failed because the current method is doing that. I just wasn't sure if that was the implementation we didn't want to get rid of16:20
bknudsonravelar: I was planning to look at the current method...16:21
bknudsonfor some reason the commit message didn't say that it was re-implementing something.16:21
ravelarthe current method keeps none values of token_data so that if a revocation column has a column set and the token_data has it None then it fails16:21
ravelarbknudson ah, sorry16:21
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Test that v3fedkerb plugin loads  https://review.openstack.org/36801716:21
*** ddieterly is now known as ddieterly[away]16:22
*** edtubill has quit IRC16:22
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Fix parameters for Kerberos Auth Plugin  https://review.openstack.org/36828816:23
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Test that v3fedkerb plugin loads  https://review.openstack.org/36801716:23
*** edtubill has joined #openstack-keystone16:23
ravelarbknudson but basically if you look at matches inside the revoke/backend/sql.py file it shows how it is still comparing all of revocation columns to all of token_data and so if something is in revocation column that isn't there in the corresponding token_data field then it short circuits as false. So it really only makes sure that a revocation event field that is None is not looked into, not the other way around. I am unsure how important16:24
ravelarthis is and if we could change this to only match what the token gives us instead of the other way around.16:24
ravelarbknudson ooops I meant matches inside models/revoke_model.py16:25
*** ddieterly[away] is now known as ddieterly16:25
bknudsonravelar: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/revoke_model.py#n151 ?16:26
ravelarbknudson yes that's the one :)16:26
bknudsonsince there are 2 parts of code that do the same thing and need to be kept in sync there should be cross-referencing between them.16:27
bknudsonor, maybe revoke_model.matches isn't used anymore so should be removed.16:27
openstackgerritMerged openstack/keystone: Give domain admin rights to domain specific implied roles  https://review.openstack.org/33955816:29
ravelarbknudson yeah, I was thinking of just removing them since the first part of the POC was to see if it did improve performance and now that it does, the next step is having it replace the old method16:29
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: delete python bytecode including pyo before every test run  https://review.openstack.org/37132416:29
*** spzala has quit IRC16:30
*** spzala has joined #openstack-keystone16:31
bknudsonravelar: it makes sense that performance is improved since from what I saw there was so much time spent deserializing the events... maybe there's a more efficient way to deserialize that would be a better solution16:31
bknudsonfor example if it was a list of dicts rather than a list of objects.16:31
bknudsonand then if we cached the events.16:32
bknudsonalso, would be interesting if we could avoid a tablescan but I don't think that's going to be possible... need to check for the token audit_id and that's random.16:33
ravelarbknudson I was looking into indexing and caching, you definitely have a good point there16:34
bknudsonif there's a lot of events it's going to wind up putting load on the server since has to read this table all the time..16:34
*** adrian_otto1 has joined #openstack-keystone16:34
ravelarbknudson on a handful of columns?16:35
bknudsonravelar: y, at least the rows don't have a lot of bytes in them, so lots of rows in a page.16:35
ravelarbknudson how many events would actually put a noticeable load? Since revocation list is constantly cleaned up as well16:36
bknudsonconsider what happens if you've got a million rows16:36
*** jplopezgu_ is now known as jlopezgu16:36
*** spzala has quit IRC16:37
bknudsonthen every time a token is validated it does this query twice (once for the auth token and once for the subject token)16:37
ravelarbknudson a database normally deals with millions of rows?16:37
bknudsonravelar: I've worked with databases that contained millions of rows.16:37
ravelarbknudson I mean, I definitely see where you are going with this. Wouldn't adding indexes to issued_before or something along those lines help?16:38
*** gagehugo has quit IRC16:38
bknudsonwe already have an index on revoked_at http://git.openstack.org/cgit/openstack/keystone/tree/keystone/revoke/backends/sql.py#n3616:39
openstackgerritSteve Martinelli proposed openstack/keystone: Revert "Allow compatibility with keystonemiddleware 4.0.0"  https://review.openstack.org/37428416:39
bknudsonprobably because of the last_fetch filter in list_events.16:39
openstackgerritSteve Martinelli proposed openstack/keystone: Revert "Allow compatibility with keystonemiddleware 4.0.0"  https://review.openstack.org/37428416:40
ravelarbknudson ahh, but list_events is no longer used with this new method since it doesnt need to convert db entries to dicts for matches anymore16:40
ravelarbknudson also I am interested in what you mentioned earlier about dicts rather than object. Could you explain? I didn't fully understand16:40
bknudsonravelar: first, when list_events is done all the rows are converted to RevocationEvent objects...16:41
bknudsonalso, when you do list_events it checks memcache to get the events, too.16:41
bknudsonso then it has to get the binary data from memcache and rebuild a list of RevocationEvent objects16:42
stevemarravelar: btw, can you check the bugs with the tag "revoke" and see if your patch will close any? https://bugs.launchpad.net/keystone/+bugs?field.tag=revoke -- if it does, then add Closes-Bug: 123456 to the commit message16:42
openstackbug 123456 in xine-lib (Ubuntu) "podcast crashes amarok" [Undecided,Fix released] https://launchpad.net/bugs/12345616:42
ravelarbknudson but list_events only got called with the old implementation in check_token?16:42
ravelarstevemar sure, will look into that :)16:43
bknudsonravelar: yes, that's the problem with the current implementation.16:43
*** lamt has quit IRC16:43
ravelarbknudson ahh, okay ha. I misunderstood. I thought you were referring to mine16:43
bknudsonravelar: the potential problem with the new implementation is that the database server has more work to do.16:43
ravelarbknudson gotcha16:44
bknudsonthis is what SpamapS brought up in patch set 3.16:44
stevemarravelar: i think it could close bug 1511775, bug 1524030, bug 1609566 and bug 159080516:44
openstackbug 1511775 in OpenStack Identity (keystone) "Revoking a role revokes the unscoped token for a user" [Medium,Triaged] https://launchpad.net/bugs/151177516:44
openstackbug 1524030 in OpenStack Identity (keystone) "Reduce revocation events for performance improvement" [Medium,In progress] https://launchpad.net/bugs/1524030 - Assigned to Richard (csravelar)16:44
openstackbug 1609566 in OpenStack Identity (keystone) "500 error from revocation event deserialize" [Medium,In progress] https://launchpad.net/bugs/1609566 - Assigned to Morgan Fainberg (mdrnstm)16:44
openstackbug 1590805 in OpenStack Identity (keystone) "Revoking "admin" role from a group invalidates domain admin's token" [Low,New] https://launchpad.net/bugs/159080516:44
bknudsonI don't see any way that indexes would improve much... other than I'd expect issued_before to help.16:44
stevemarmaybe not the last one...16:45
ravelarbknudson yeah, the other columns wouldn't make much use of indexes other than the one mentioned16:45
bknudsonravelar: I'm surprised that revoked_at isn't used in the new is_revoked.16:46
bknudsonmaybe because those rows should have been pruned out anyways?16:46
*** spzala has joined #openstack-keystone16:46
*** adrian_otto1 has quit IRC16:49
*** edtubill has quit IRC16:51
ravelarbknudson, hmm I believed I missed it before as it being indexed already. But having the query do something like query = session.query(RevocationEvent).order_by(RevocationEvent.revoked_at)16:52
ravelarbknudson prior would make it more likely that it finds a match earlier if at all, correct?16:53
* SpamapS stirs16:53
*** lamt has joined #openstack-keystone16:57
*** ngupta has joined #openstack-keystone16:59
dstanek /b 2817:03
*** marekd2 has quit IRC17:05
*** marekd2 has joined #openstack-keystone17:06
*** code-R has quit IRC17:09
*** marekd2 has quit IRC17:10
*** jpena is now known as jpena|off17:14
*** marekd2 has joined #openstack-keystone17:17
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/37367817:20
openstackgerritMerged openstack/python-keystoneclient: Revert "Add auth functional tests"  https://review.openstack.org/37421117:20
*** marekd2 has quit IRC17:21
*** thebloggu has joined #openstack-keystone17:22
*** itsuugo has quit IRC17:22
*** itsuugo has joined #openstack-keystone17:23
*** rob_d has quit IRC17:24
openstackgerritRichard Avelar proposed openstack/keystone: Change python code revocation search to sql  https://review.openstack.org/35937117:29
*** ddieterly is now known as ddieterly[away]17:32
*** jed56 has quit IRC17:35
*** ravelar has quit IRC17:37
bknudsonravelar: I forgot about the order by revoked_at... I think the point of that is that the events are supposed to be used in that order so that a tree could be made.17:40
*** ravelar has joined #openstack-keystone17:44
*** haplo37__ has joined #openstack-keystone17:45
*** Dave has quit IRC17:45
bknudsonSpamapS: I've been looking into the performance problem with revocation events this week.17:46
bknudsonand was able to actually test out https://review.openstack.org/#/c/359371/ -- results were excellent in vagrant.17:47
SpamapSbknudson: how's the database query thing looking?17:47
*** amoralej is now known as amoralej|off17:47
bknudsonSpamapS: I think the actual problem that we see with the code as it is is that keystone needs to spend so much time deserializing values (from either the DB or from memcache)17:47
bknudsonreading the binary "list of RevocationEvent" as binary from memcache and converting it into python objects17:48
*** amoralej|off is now known as amoralej17:49
bknudsonbut this is something I can look into more.17:49
bknudsonI wanted to try out the sql query to see if that improved things since that was easier to do, and it is a lot faster.17:49
bknudsonthe sql query itself is not pretty, and I doubt that an index would help, other than an index on issued_before since that's in the query: and1.append(RevocationEvent.issued_before >= value)17:50
*** Dave____ has joined #openstack-keystone17:51
bknudsonSpamapS: the code in https://review.openstack.org/#/c/359371/16/keystone/revoke/backends/sql.py makes it look like the query would typically not contain a lot, but as it turns out token_data always has all the fields.17:51
bknudsonso for example, or1 will always have 3 or_s appended.17:52
*** acoles is now known as acoles_17:57
*** wajdi has joined #openstack-keystone17:57
*** amoralej is now known as amoralej|off18:02
*** itsuugo has quit IRC18:11
*** vkmc|afk is now known as vkmc18:12
*** itsuugo has joined #openstack-keystone18:13
*** ngupta has quit IRC18:13
wajdiHi folks!18:13
*** ngupta has joined #openstack-keystone18:14
*** tonytan4ever has quit IRC18:14
*** tonytan4ever has joined #openstack-keystone18:15
SpamapSbknudson: I wonder if msgpack serialization would help much.18:15
wajdiIf I am logged in as an admin, and I want to provide a user temporary access to a tenant. What would be the best/acceptable approach to tackle this?18:16
bknudsonSpamapS: That's a good idea. I'd have to do measurements to know. It's pickled now.18:18
bknudsonis it easy to switch to msgpack?18:18
SpamapSbknudson: anyway, with all those OR's... one thing to look at is possibly using UNION18:18
*** edtubill has joined #openstack-keystone18:18
SpamapSbecause that way you can use multiple indexes18:18
SpamapSAnother possibility is to maintain materialized views.18:19
SpamapSMost fun is if you expect mostly empty results, you can do a query in parallel per OR clause18:20
*** gyee has quit IRC18:20
bknudsonthe rows are actually pretty short, and we could make them shorter by dropping a bunch of cols from the table. (we could check the status of the project directly rather than have an event for it (same for other object types))18:20
*** Marcellin__ has joined #openstack-keystone18:20
*** gyee has joined #openstack-keystone18:20
SpamapSbknudson: it's easy to switch to msgpack yes, you'd need to inject something in the keys so you don't confuse the json deserializers, but it's the same basic mode of operation.18:21
bknudsondo you know if other openstack projects use msgpack for caching (or msgpack in general)18:22
SpamapSprivsep I think18:22
SpamapSfor talking over a local socket, not caching18:22
SpamapSIt also saves quite a bit of cache space, which can be important sometimes.18:23
openstackgerritMerged openstack/keystone: Handle the exception from creating access token properly  https://review.openstack.org/35979518:24
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/37375018:24
*** ngupta has quit IRC18:29
*** ngupta has joined #openstack-keystone18:29
*** rcernin has joined #openstack-keystone18:30
openstackgerritSteve Martinelli proposed openstack/keystone: Handle the exception from creating request token properly  https://review.openstack.org/36108718:35
openstackgerritSteve Martinelli proposed openstack/keystone: Consolidate the common code into one method  https://review.openstack.org/37404318:35
*** sdake has quit IRC18:39
stevemaranyone available to remove the bandaid we had in the newton release for keystonemiddleware <4.2.0 -- https://review.openstack.org/#/c/374284/218:40
*** itsuugo has quit IRC18:42
*** esp has joined #openstack-keystone18:43
*** itsuugo has joined #openstack-keystone18:44
openstackgerritSteve Martinelli proposed openstack/keystone: Revert "Allow compatibility with keystonemiddleware 4.0.0"  https://review.openstack.org/37428418:44
stevemarbknudson: done18:44
*** tqtran has joined #openstack-keystone18:47
*** Dave____ has quit IRC18:48
*** ig0r_ has joined #openstack-keystone18:50
*** ddieterly[away] is now known as ddieterly18:50
*** Dave has joined #openstack-keystone18:50
*** ngupta_ has joined #openstack-keystone18:56
*** sdake has joined #openstack-keystone18:56
*** asettle has quit IRC18:58
*** ngupta has quit IRC18:59
*** srobert has joined #openstack-keystone18:59
*** ngupta_ has quit IRC19:00
*** thebloggu has quit IRC19:04
*** ddieterly is now known as ddieterly[away]19:06
*** itsuugo has quit IRC19:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/37433419:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/37433519:07
*** gagehugo has joined #openstack-keystone19:07
*** itsuugo has joined #openstack-keystone19:08
openstackgerritMerged openstack/keystone: Fix formatting strings in LOG.debug  https://review.openstack.org/36189519:12
*** catintheroof has joined #openstack-keystone19:12
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/37433819:12
bknudsonlbragstad: do we still need this code? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/revoke_model.py#n28119:14
bknudsongiven https://review.openstack.org/#/c/368244/19:15
lbragstadbknudson i'm not sure - i just know we make sure it doesn't have microsecond precision outside of 00000019:15
bknudsonlbragstad: the code in the revocation events is taking the token timestamp and setting microsec to 0... but all tokens should already be 0?19:16
lbragstadbknudson I believe so19:17
*** ddieterly[away] is now known as ddieterly19:19
*** roxanaghe has quit IRC19:21
*** ngupta has joined #openstack-keystone19:25
*** ddieterly is now known as ddieterly[away]19:30
*** roxanaghe has joined #openstack-keystone19:33
*** roxanaghe has quit IRC19:34
openstackgerritMerged openstack/python-keystoneclient: Minor docstring fix in mappings.py  https://review.openstack.org/35869819:34
*** ddieterly[away] is now known as ddieterly19:37
stevemarrderose: you can +2 and +W a patch at the same time :P19:37
stevemarrderose: doesn't have to be 2 actions :)19:37
*** mfisch has quit IRC19:37
rderosestevemar: got it ;)19:37
bretonstevemar: the big problem with backporting round down patch is that a lot of tests don't expect it. We use freezegun for it in N, but can't do it for Mitaka.19:38
rderosestevemar: is it too late to add PCI release notes?19:38
stevemarrderose: nope, do it up19:39
stevemarrderose: actually...19:39
stevemarrderose: i think that ship has sailed :(19:39
rderose:)19:39
bretonstevemar: the workaround for tests would be to sleep(), but it doesn't sound good.19:39
stevemarrderose: docs would help though!19:40
rderosestevemar: on it!19:40
stevemarbreton: why does sleep not sound good?19:40
openstackgerritMerged openstack/python-keystoneclient: Import module instead of object  https://review.openstack.org/36946919:40
*** tonytan_brb has joined #openstack-keystone19:41
openstackgerritRichard Avelar proposed openstack/keystone: Change python code revocation search to sql  https://review.openstack.org/35937119:41
bretonstevemar: ~10 tests need it. Is adding 10 seconds to unit tests ok?19:41
stevemarbreton: should be fine, the unit tests are pretty speedy19:43
bretonstevemar: ok then, will push a new patch soon19:43
bknudsonplease don't add sleeps to unit tests.19:43
breton:)19:44
bknudsonthis is why we have freezegun and mocking19:44
*** tonytan4ever has quit IRC19:44
bretonbknudson: what do you suggest to do in Mitaka? Mock?19:44
bknudsonbreton: yes. Let's not do something stupid in master because of a problem in mitaka.19:45
bretonbknudson: the stupid will be done in Mitaka only19:45
bknudsonthat's fine.19:45
bretonbknudson: master already does the smart way19:45
bretonand mitaka cannot into smart way19:45
bknudsonwere you going to put sleep in mitaka only? I'm fine with that.19:46
bretonbknudson: yes. Good.19:46
*** artmr has joined #openstack-keystone19:52
*** gyee_ has joined #openstack-keystone19:55
*** gyee has quit IRC19:55
stevemarbknudson: yes, i wasn't suggesting to put stupid into master. just mitaka since freezegun doesn't exist there yet19:56
bknudsonsome master tests are strangely slow already... wonder if there isn't a sleep in there somewhere.19:56
stevemarlbragstad rderose dolphm breton: i did an analysis on what is left to complete based on the blueprints that landed in newton, they are at the end of the etherpad here: https://etherpad.openstack.org/p/keystone-newton-retrospective20:00
bretonwhile the tests are running...20:00
stevemarlbragstad rderose dolphm breton would love to get your opinion on these things20:00
bretonhow does rounding down affect tempest?20:01
stevemarbreton: it didn't ?20:02
bretonstevemar: i don't know, i am just asking20:03
stevemarbreton: ah yeah, it didn't :)20:03
bretoni mean, we have to use freezegun in unittests20:03
bretonwhy we don't need to use sleeps in tempest?20:03
stevemarbreton: it affected the keystoneclient functional tests, but that was cause the functional tests weren't quite correct20:03
lbragstadbreton in the process of making fernet the default we were hitting an issue where tokens would/or wouldn't be invalidated because the revocation event had microsecond precision and the tokens didn't20:04
lbragstadbreton and apparently on ubuntu 16.04 mysql will round up instead of truncating20:05
lbragstads/mysql/mysql or sqlalchemy/20:05
lbragstadbreton which is different behavior than what we've seen in the past with mysql20:06
lbragstad(where extra datetime precision will be truncated before being shoved into mysql)20:06
*** artmr has quit IRC20:07
*** catintheroof has quit IRC20:08
bretonlbragstad: stevemar: for example, in https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_assignment.py#L331 we tick to 1 second 2 times. Is skipping a second required in tempest?20:09
lbragstadbreton i think in the tempest scenario we don't have complete system control of the clock across all processes(?)20:09
lbragstadsomeone would have to fact check me on that20:10
*** _cjones_ has joined #openstack-keystone20:10
bretonlbragstad: i understand that, but do we need to add sleep(1s) to the scenarios?20:10
lbragstadbreton the whole reason for the sleeps is because the underlying implementation of fernet (in the cryptography library) doesn't support microsecond precision20:11
lbragstadfor fernet, the token issued at time is generated by the fernet library20:11
lbragstadwhich uses time.time() but converts it to an int()20:12
lbragstadremoving all subsecond precision20:12
bretonok, i'll try to explain another way20:12
bretonsuppose i am a test writer20:13
bretonand i want to implement test_token_revoked_once_group_role_grant_revoked in tempest20:13
bretoni create a grant using curl, add user to group, get a token, validate it, delete grant, try to validate again20:14
lbragstadthat token will be considered revoked20:14
bretoneverything happens in less than a second20:15
lbragstadyep20:15
bretonwill the test work correctly within this second?20:15
lbragstadwell - you would want to make sure the token you got in step 3 is revoked20:16
lbragstadbut you'll also want to make sure you wait to get into the threshold of a new second20:16
lbragstadto test authentication again20:16
lbragstadif you test authentication within the second the revocation event was stored you'll always get a 40120:16
*** ravelar has quit IRC20:16
lbragstad(which should be the same behavior as attempted to authenticate with a group you're not in)20:17
*** ezpz has joined #openstack-keystone20:17
bretonso if i don't make sure to wait to get into the new second, the test will fail20:18
bretonbecause i think in mirantis we are now hitting this with tempest :(20:19
lbragstadpossibly - another part of that is that tempest will attempt to get a new token when auth is cleared or reset20:19
lbragstadso if that is done within the same second as a revocation event - the new token will fail20:19
bknudsonkeystone doesn't make any assurance that a token that you just got will be valid20:20
bknudsonso a test that relies on that will be incorrect20:20
bretonbknudson: which token is valid then?20:20
bknudsonthe only way to tell if a token is valid is to use it.20:21
bknudsonand it either works or it doesn't.20:21
bknudsonif the token is invalid then get a new one and try again.20:21
bknudsonIt is strange that keystone would return a token that it should know is invalid.20:22
*** ravelar has joined #openstack-keystone20:24
*** wajdi has quit IRC20:25
bretonok, i think i got it. Thank you!20:26
bretonso if stored revocation time == stored token created time, than this token passes, right? And with rounded down datetimes it happens with mysql too?20:29
breton*then20:30
lbragstadbreton if the revocation event's issued_before time is the same as the token's issued_at time, keystone will err on the side of security and revoke the token20:34
lbragstadso if you get a token at 10:43.234562 and change your password at 10:43.240000, keystone will consider that token revoked20:35
lbragstadif you attempt to get another token at 10:43.500000 keystone will still consider that token revoked because it was issued within the same second as the revocation event20:35
lbragstadeven though it was issued just *slightly* afterwards20:35
lbragstadthis is where having to roll into the threshold of a new second matters20:36
bretondo we run tempest on fernet?20:38
lbragstadbreton devstack has support for fernet but we haven't made the switch ye20:38
lbragstadyet*20:38
stevemarbreton: theres a devstack patch to switch to fernet, not merged yet, it has run tempest tests20:38
lbragstadand it all passes20:39
bretonwe run tempest on fernet and some things dont pass, each time different. Maybe for $mitaka reasons.20:41
*** ddieterly is now known as ddieterly[away]20:41
*** gyee_ has quit IRC20:44
edtubillHi, I'm trying to get a federated user to do admin things like list projects -can someone help me? I can only get this to work if I set federated_domain_name=Default in keystone.conf. But if that is set during `keystone-manage bootstrap` I get an error during the creation of the Default domain.20:45
edtubillBy "list projects" I mean listing them in horizon20:45
bretonedtubill: what release is it?20:45
edtubillbreton: mitaka20:46
bretonedtubill: have you tried putting your user into a group that has admin role on Default domain?20:48
bretonactually i don't know how Horizon does this...20:48
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/36143520:50
edtubillbreton: I have an admin role on a project for the group, let me try the domain.20:50
edtubillbreton: I tried adding the admin role for the default domain on a group and still no luck :/20:54
*** roxanaghe has joined #openstack-keystone20:54
stevemaranyone want to take on removing PKI and write support for LDAP :)20:59
stevemarand/or20:59
stevemarhehe20:59
stevemarunwinding that mess is going to take a loooong time20:59
bretonedtubill: you should figure out how Horizon tries to fetch list of projects. In Mitaka, projects are stored in domains and in your case they probably are in Default domain. I don't know how Horizon does things when you are in domain A and you want to list things in domain B. Maybe #openstack-horizon know this :)21:00
bretonstevemar: i'd like to do the pki stuff21:00
stevemarbreton: sure, good choice ;)21:01
david-lylehttps://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/plugin/base.py#L8621:01
knikolladefine: write support for LDAP21:01
stevemarbreton: i think it's the more manageable one21:01
stevemarknikolla: delete/create/update for user/group21:01
stevemarthey are both slated to be removed in O21:01
knikollaoh remove those, right21:01
edtubill@breton: thx for the help, I'm gonna to also check if a federated Admin user has the same issues on the CLI.21:06
*** ddieterly[away] is now known as ddieterly21:07
stevemarknikolla: regarding https://review.openstack.org/#/c/320623/ -- whats holding that one up from becoming non-WIP21:07
stevemarknikolla: anything I can help with? do you need a new infra job?21:08
knikollastevemar: there is a todo in the commit message saying it needs more testing.21:08
knikollastevemar: running stack.sh with many possible values takes a long time and it's a boring job21:09
stevemar:)21:09
*** pauloewerton has quit IRC21:09
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/37433821:10
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/37433521:12
* stevemar pokes dolphm to look at https://review.openstack.org/#/c/374245/ for stable 21:12
bretonhow can test_list_users_filtered_by_funny_name fail in https://review.openstack.org/#/c/374245/21:13
stevemarbreton: thats funny21:14
stevemarbreton: at least test_revoked_token_in_list is a real failure21:14
stevemarnot sure why you are getting 401s for other tests21:15
bretonstevemar: already fixed that one. But how could test_list_users_filtered_by_funny_name fail?21:15
stevemarbreton: no idea21:15
knikollastevemar: for the devstack plugin, i'll give it a few more spins this week, remove the WIP, and add it to next  weeks agenda. sounds good?21:15
stevemarknikolla: sounds fantastic21:16
bretonpdb it is then!21:16
stevemarbreton: feeling better today?21:16
*** itsuugo has quit IRC21:16
* stevemar forgot he had a tea and now it's called21:17
stevemarcold*21:17
bretonstevemar: yep!21:17
stevemarbreton: great 2 hear21:17
*** itsuugo has joined #openstack-keystone21:17
bretonaaaand it passes with pdb.21:18
knikollastevemar: btw, i'll take the remove ldap write support. i should be able to devote more time to keystone in this ocata cycle.21:20
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/37433421:20
*** rcernin has quit IRC21:24
*** wasmum has joined #openstack-keystone21:24
stevemarbreton: recheck :)21:25
stevemarknikolla: sounds good, i took a hack at it on a flight... if i find that change, want me to post it?21:25
stevemarknikolla: it probably needs work to make the tests pass21:25
stevemari dont remember if i stashed the change or not21:26
*** ngupta has quit IRC21:29
*** ngupta has joined #openstack-keystone21:30
*** itsuugo has quit IRC21:31
bknudsonI added timing of the memcache call when doing validate_token: http://paste.openstack.org/show/582470/21:31
bknudsonfunny thing is, here the memcache calls takes longer than the sql call.21:31
*** itsuugo has joined #openstack-keystone21:32
bknudsonstill hard to tell if the memcache call takes a long time because of reading data or parsing it...21:32
*** ngupta has quit IRC21:35
*** ngupta has joined #openstack-keystone21:36
*** edmondsw has quit IRC21:40
*** itsuugo has quit IRC21:42
*** itsuugo has joined #openstack-keystone21:42
*** esp has quit IRC21:43
*** esp has joined #openstack-keystone21:43
*** ig0r_ has quit IRC21:45
bknudsonI'm not seeing an obvious way to get the time to deserialize... putting a timer in msgpackutils.py.loads() winds up logging so much... I think it's recursive.21:50
*** itsuugo has quit IRC21:55
*** haplo37__ has quit IRC21:55
*** itsuugo has joined #openstack-keystone21:56
*** roxanaghe has quit IRC21:56
*** roxanaghe has joined #openstack-keystone21:56
*** edtubill has quit IRC21:59
*** ezpz has quit IRC22:00
*** itsuugo has quit IRC22:01
*** srobert has quit IRC22:01
*** itsuugo has joined #openstack-keystone22:02
*** ddieterly is now known as ddieterly[away]22:03
knikollastevemar: sounds great. ping me if you find it.22:05
*** spedione is now known as spedione|AWAY22:08
stevemardolphm: sorry about the false alarm22:09
*** ravelar has quit IRC22:09
dolphmstevemar: p.s. i'll be out tomorrow afternoon through next tuesday22:10
*** itsuugo has quit IRC22:10
*** itsuugo has joined #openstack-keystone22:10
bknudsonwe're going to have to dock your pay22:11
*** adriant has joined #openstack-keystone22:12
*** timburke has quit IRC22:16
*** ravelar has joined #openstack-keystone22:16
*** timburke has joined #openstack-keystone22:16
*** spzala has quit IRC22:20
*** lamt has quit IRC22:20
*** adrian_otto has joined #openstack-keystone22:20
*** spzala has joined #openstack-keystone22:20
*** ddieterly[away] is now known as ddieterly22:21
*** itsuugo has quit IRC22:21
*** ngupta has quit IRC22:23
*** ngupta has joined #openstack-keystone22:23
*** itsuugo has joined #openstack-keystone22:23
*** spzala has quit IRC22:25
*** adrian_otto has quit IRC22:25
*** ngupta has quit IRC22:28
*** slberger has left #openstack-keystone22:28
*** adrian_otto has joined #openstack-keystone22:28
openstackgerritRon De Rose proposed openstack/keystone: Add docs for PCI-DSS  https://review.openstack.org/37442222:31
openstackgerritRon De Rose proposed openstack/keystone: Add docs for PCI-DSS  https://review.openstack.org/37442222:32
stevemarbknudson: do you mind looking at the backport then? https://review.openstack.org/#/c/374245/22:32
stevemarbknudson: hopefully you don't find an issue with the original :(22:32
bknudsonstevemar: I'll add it to my list22:33
stevemarbknudson: how long is the list now?22:33
bknudsonI don't have much reason to care about stable anymore since we run off master.22:33
stevemarbknudson: i can remove you as a stable reviewer if you'd like? :P22:34
bknudsonmaybe I can get back to more upstream work in the near future.22:34
bretonstevemar: still too early to review. Tests fail on second-third run, so i fix them when they do, and use gates to catch them faster22:38
*** ddieterly has quit IRC22:40
*** markvoelker has quit IRC22:43
openstackgerritMerged openstack/keystone: Handle the exception from creating request token properly  https://review.openstack.org/36108722:45
openstackgerritMerged openstack/keystone: Consolidate the common code into one method  https://review.openstack.org/37404322:45
stevemarbreton: dang, tough one to backport22:46
bretonstevemar: actually i figured it out22:46
bretonstevemar: i just need to put sleep() everywhere where it's tick() in master22:47
stevemarbreton: that makes sense22:47
*** adrian_otto has quit IRC22:47
*** ngupta has joined #openstack-keystone22:50
*** itsuugo has quit IRC22:51
*** itsuugo has joined #openstack-keystone22:52
*** roxanaghe has quit IRC22:54
*** itsuugo has quit IRC22:57
*** _cjones_ has quit IRC22:57
*** itsuugo has joined #openstack-keystone22:58
bretonstevemar: ok, now it's good to review. All unit tests passed, functional are in progress.22:58
stevemaryeehaw22:59
stevemarbknudson: you too, if possible, otherwise i can ask notmorgan :)23:00
stevemarthanks for the hard work breton23:00
*** itsuugo has quit IRC23:02
*** mvk has joined #openstack-keystone23:04
*** jamielennox is now known as jamielennox|away23:04
*** itsuugo has joined #openstack-keystone23:04
*** asettle has joined #openstack-keystone23:04
stevemarbreton: i'm going to mark this as invalid: https://bugs.launchpad.net/keystone/+bug/1624109 do you agree?23:05
openstackLaunchpad bug 1624109 in OpenStack Identity (keystone) "keystone-manage fernet_setup fails silently" [Undecided,New]23:05
*** roxanaghe has joined #openstack-keystone23:07
stevemarbreton: hehe, if we backport the rounding fix, we'll have to backport the functional test fix too (remove auth tests)23:07
*** asettle has quit IRC23:09
bretonstevemar: yes, please mark as invalid23:09
*** itsuugo has quit IRC23:10
bretonstevemar: right. Will do now.23:10
*** hoonetorg has quit IRC23:10
stevemarbreton: no worries, i can do that, i left comments on your patch23:10
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/37433823:11
*** itsuugo has joined #openstack-keystone23:11
*** ngupta has quit IRC23:13
stevemarbreton: ah, actually we won't need to backport the ksc functional test fix -- the failing tests aren't there ;)23:13
*** roxanaghe has quit IRC23:13
*** ngupta has joined #openstack-keystone23:13
bretonstevemar: do we need to backport them to stable/newton?23:15
*** itsuugo has quit IRC23:16
*** itsuugo has joined #openstack-keystone23:17
*** Marcellin__ has quit IRC23:17
*** ngupta has quit IRC23:18
*** roxanaghe has joined #openstack-keystone23:19
*** itsuugo has quit IRC23:22
*** itsuugo has joined #openstack-keystone23:22
stevemarbreton: probably...23:25
bknudsonthis is somewhat interesting: http://paste.openstack.org/show/582483/23:26
bknudson1st call for list_events goes to the db23:26
bknudson2nd goes to memcache23:26
bknudson3rd uses context cache23:26
bknudsonwhy didn't the 2nd one use the context cache?23:27
bretonis this from some patch? where do you see this?23:27
bknudsonbreton: this is using master keystone. I added timing statements23:27
stevemarbreton: let's see if https://review.openstack.org/#/c/374445/ fails23:29
openstackgerritRichard Avelar proposed openstack/keystone: Change python code revocation search to sql  https://review.openstack.org/35937123:29
bknudsonmaybe the request context gets reset.23:31
*** itsuugo has quit IRC23:32
*** itsuugo has joined #openstack-keystone23:34
* stevemar needs food23:36
*** jamielennox|away is now known as jamielennox23:43
*** lamt has joined #openstack-keystone23:43
*** markvoelker has joined #openstack-keystone23:44
jamielennoxhowdy keystone, is everything broken today?23:44
jamielennoxrodrigods: great job on the ksc functional tests23:44
*** itsuugo has quit IRC23:46
stevemarjamielennox: things are less broken today23:47
stevemarjamielennox: can you punt https://review.openstack.org/#/c/374284/ through?23:47
*** itsuugo has joined #openstack-keystone23:47
*** lamt has quit IRC23:47
stevemarjamielennox: also, etherpads to fill in: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm and https://etherpad.openstack.org/p/keystone-newton-retrospective23:48
jamielennoxstevemar: that got merged?23:48
jamielennoxstevemar: oh, no this is for the ocata release right?23:48
stevemarright23:48
stevemarthe bandaid went into newton23:48
*** markvoelker has quit IRC23:49
jamielennoxok so master is open again?23:49
stevemarjamielennox: wide open23:49
jamielennoxwoohoo23:49
stevemarjamielennox: please don't blow things up23:49
jamielennoxwhaaa, i wouldn't... well.. i have... but23:49
jamielennoxbut it means i can start looking at the context changes again23:50
bknudsonthe RequestContext doesn't actually last the whole request23:52
bknudsonone gets created when the token is validated and some stuff is read from cache23:52
bknudsonthen another one gets created by keystone/middleware/auth.py(166)fill_context() which replaces the first one23:53
jamielennoxbknudson: what is the first one created before middleware/auth?23:53
jamielennoxthe only time i can think that might happen twice is the jsonhome stuff which loops you through the wsgi stack again23:53
jamielennox(which we should either fix or remove)23:53
bknudsonjamielennox: it's created here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/cache/_context_cache.py#n3723:54
jamielennoxalso i _hate_ that oslo.context as a library decided that it was ok to save itself to thread local on __init__ and don't trust it at all23:54
bknudsonkeystone is getting stuff from the cache... probably to validate the token23:54
jamielennoxgah, ok, why is it doing that?23:55
*** itsuugo has quit IRC23:55
bknudsonthe first context is created by a call to /home/vagrant/keystone/keystone/middleware/auth.py(58)fetch_token()23:55
jamielennoxso get_current() should/might work23:56
*** itsuugo has joined #openstack-keystone23:56
bknudsonfill_context creates a new RequestContext() so it's going to replace the one that was created earlier23:56
jamielennoxit's very unlikely that get_current returns None - however it may return the context from the last request if you call it incorrectly23:57
bknudsonit'll be None the first time in the thread.23:57
bknudsonI hope23:57
jamielennoxyep23:57
jamielennoxbut middleware/auth should be resetting RequestContext because that is basically the entrypoint for all requests into keystone23:58
bknudsonit's doing "return oslo_context.get_current() or oslo_context.RequestContext()" and "oslo_context/context.py(114)__init__()"23:58
bknudsonso I assume get_current() there returned None23:58
jamielennoxright, but as much as i hate get_current this must be called after middleware/auth and so the context it fetches should be correct right?23:59
bknudsony, but it's throwing away the little bit of work that happened23:59
bknudsonand it's not a little bit of work either... getting the list of revocation events takes most of the time of validation23:59
bknudsonfor some reason there are 3 calls to list_events on token validate23:59
