Friday, 2016-09-30

*** robcresswell has quit IRC		00:04
*** arunkant has quit IRC		00:09
*** scarlisle has quit IRC		00:10
*** haplo37_ has quit IRC		00:14
*** haplo37_ has joined #openstack-keystone		00:16
*** markvoelker has joined #openstack-keystone		00:28
*** tonytan4ever has joined #openstack-keystone		00:35
*** tonytan4ever has quit IRC		00:41
*** gyee has quit IRC		00:59
*** ddieterly has joined #openstack-keystone		01:06
openstackgerrit	George Tian proposed openstack/keystone: Remove the no use arg https://review.openstack.org/379266	01:22
*** annp has joined #openstack-keystone		01:30
*** davechen has joined #openstack-keystone		01:35
*** iurygregory_ has quit IRC		01:35
*** ddieterly has quit IRC		01:41
rderose	what's up stevemar, lets push this one thru: https://review.openstack.org/#/c/375928/	01:54
rderose	:)	01:54
*** tonytan4ever has joined #openstack-keystone		02:00
*** jorge_munoz has quit IRC		02:33
*** jorge_munoz has joined #openstack-keystone		02:37
openstackgerrit	Dave Chen proposed openstack/keystone: Add foreign key to trust table https://review.openstack.org/368422	02:39
*** tonytan4ever has quit IRC		02:41
*** jorge_munoz has quit IRC		02:58
*** jorge_munoz has joined #openstack-keystone		02:58
stevemar	rderose: eh, still looking at it	03:03
stevemar	rderose: it seems wrong that those methods are not in the base	03:03
stevemar	ayoung: are you going to cherry-pick https://review.openstack.org/#/c/379887/ to mitaka as well? it'll have a shot of landing there	03:04
rderose	yeah, look at the base class for v8 and v9	03:04
rderose	https://review.openstack.org/#/c/375928/7/keystone/assignment/backends/base.py	03:04
ayoung	stevemar, yep. Was just running tox on it	03:04
*** david-lyle has quit IRC		03:04
stevemar	ayoung: just use the cherry-pick button :P	03:05
rderose	ln 156 and ln 283	03:05
stevemar	from the original patch, of course	03:05
stevemar	rderose: lookig...	03:05
ayoung	stevemar, since the other was a manual rebase, I wanted to see the unit tests run. But there you go	03:05
ayoung	https://review.openstack.org/#/c/379905/	03:05
stevemar	ayoung: mention "cherry-picked from 7df92f7b624500e24b71c4b2d516604e0edb52f2	03:06
ayoung	stevemar, BTW, I think I am going to request +2ability on stable. I've avoided it thus far, but it looks like my job is focusing far more on that.	03:06
rderose	stevemar: I believe AssignmentDriverV8 is only used to support driver versioning	03:06
stevemar	ayoung that's actually not my call, the stable team promotes people to stable, i can recommend you, but mattR and team have final say	03:07
ayoung	that is fine	03:07
stevemar	i'll poke mriedem in the morning then	03:07
ayoung	and I'll spend some time working on it before asking	03:07
stevemar	that would be appreciated	03:07
ayoung	nah, its ok. Let me show myself to be focused on it.	03:08
ayoung	stevemar, do any of our jobs in Zuul require more than one host? Or are the all single machine jobs?	03:09
stevemar	ayoung: all single machine	03:10
stevemar	ayoung: i left a comment on the one stable/mitaka patch, just a rebase issue, nothing major	03:10
openstackgerrit	George Tian proposed openstack/keystone: Remove the no use arg https://review.openstack.org/379266	03:16
*** aswadr_ has joined #openstack-keystone		03:23
davechen	ayoung: pls consider to remove the -2 on this one - https://review.openstack.org/#/c/368422/.	03:26
davechen	ayoung: iiuc, your concerns have been addressed, or pls let me know if there is any other things that need to be addressed.	03:26
ayoung	davechen, nope	03:26
davechen	ayoung: ;)	03:27
ayoung	davechen, unless we change the \general approach to Keystone, we are not going to do cross-backend constraints	03:27
ayoung	users could only be in one backend when I wrote trusts.	03:27
ayoung	The status today is very different	03:27
davechen	ayoung: the appoache have been totoally changed.	03:28
davechen	ayoung: in that review, only project is referenced.	03:28
ayoung	davechen, ah, not on a db def check...?	03:28
davechen	no user is touched	03:28
ayoung	looking	03:28
davechen	ayoung: yep	03:28
rderose	all users are in the sql backend now btw	03:28
davechen	only touch db for project.	03:28
davechen	refernce with project, i think that is make sense.	03:29
ayoung	davechen, you still doing fkeys?	03:29
stevemar	jamielennox: around?	03:29
davechen	rderose: the key is only for project-trust.	03:29
rderose	I see	03:29
ayoung	nope. -2 stands	03:29
davechen	ayoung: the key is only for project-trust.	03:29
davechen	ayoung: what's the reason behind? pls	03:30
ayoung	davechen, resource is different backend from assignment. I would allow wiggle room on an assignment-trust fkey, but even there, today it should not be allowed	03:30
ayoung	davechen, heh, ask henrynash why he felt the need to split assignment up into resource and assignment	03:31
ayoung	pretty sure your change would mess him up	03:31
ayoung	TBH, i would have accepted it if he had not done that	03:31
ayoung	your change that is	03:31
ayoung	davechen, personally, I did not see the need to have them in separate backends, but not only did he feel strongly enough to write it, he convinced the whole team to go along with it. Its part of our architecture that a backend like identity, resource, etc be a self containerd unit. Almost like a true microservice	03:33
jamielennox	stevemar: hmm?	03:34
ayoung	davechen, can you work around that, and do the cleanup using only python API calls?	03:34
ayoung	jamielennox, hey what do I need to look for in a service to see if it is doing the right thing with context and policy? I told devananda I would confirm that ironic was OK	03:35
davechen	ayoung: okay, tbh, I cannot catch it, not quite understand this has any thing about the split of resource/assignment	03:35
jamielennox	ayoung: heh - i'm actually messing with ironic right now	03:35
ayoung	jamielennox, on policy?	03:35
jamielennox	ayoung: yea, and fixing context	03:35
davechen	ayoung: that could be, just like what i did for user/trust cleanup stuff.	03:36
ayoung	davechen, sorry to give you the run around there. I thought I was clear on the first review. Would not have let you flounder. When I -2, it means something, and I try not to do it to be annpying.	03:36
ayoung	davechen, that would be the right approach	03:37
davechen	ayoung: maybe i missed, i just catch your idea of keeping of project-trust reference there, but cleanup user/trust by the API calls in your first review.	03:38
davechen	ayoung: i need ask henrynash more details about this.	03:38
ayoung	davechen, yeah, the same is true for any cross backend calls. Work through the managers	03:39
davechen	ayoung: gotcha. thanks!	03:40
ayoung	it also means you execute any business logic that we have there.	03:40
ayoung	davechen, get something without the database changes up there and I'llremove the -2	03:40
davechen	ayoung: sure.	03:41
davechen	ayoung: actually, i am also concerned about the change will impact rolling upgrade somehow.	03:42
*** ddieterly has joined #openstack-keystone		03:44
*** ddieterly has quit IRC		03:45
openstackgerrit	George Tian proposed openstack/keystone: Remove the no use arg (auth=None) https://review.openstack.org/379234	03:50
jamielennox	ayoung: https://review.openstack.org/379919 is the first one	03:52
jamielennox	then we just need to do another one that uses to_policy_values which is mostly find and replace	03:52
ayoung	jamielennox, can you put more into these commit messages, specifically referenceing bug 968696 as to why these cahnges are necessary?	03:54
openstack	bug 968696 in Glance ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Sharat Sharma (sharat-sharma)	03:54
jamielennox	actually it should be tagged bug 1602081 as thats what the others have been	03:56
openstack	bug 1602081 in OpenStack Identity (keystone) "Use oslo.context's policy dict" [High,In progress] https://launchpad.net/bugs/1602081 - Assigned to Jamie Lennox (jamielennox)	03:56
ayoung	does that block 968696? If not, then it should	03:56
jamielennox	it's definitely mentioned in the bug report, i don't know if there's an explicit block	03:56
jamielennox	or really how you do that in launchpad	03:56
ayoung	Yeah, "blocks" might be a bugzillism	03:57
*** tonytan4ever has joined #openstack-keystone		03:57
jamielennox	you used to be able to chain together blueprints, but i've not seen it in bugs	03:57
ayoung	1602981 just doesn't roll off the fingers or tongue the same way...harder to memorize. I'lll link to it the other way	03:58
jamielennox	yea, i konw	03:58
jamielennox	was worth having an independant tracking bug though	03:58
*** links has joined #openstack-keystone		03:58
*** markvoelker has quit IRC		04:01
*** tonytan4ever has quit IRC		04:02
ayoung	yeah, very good. I see Keystone is lagging	04:04
ayoung	what do we need to do there?	04:04
jamielennox	ayoung: https://review.openstack.org/#/c/371856/ will give us basic is_admin_project support	04:05
jamielennox	actually making keystone use contexts properly is a longer thing which probably needs views next	04:06
ayoung	sure	04:07
ayoung	Keystone actually already worked to support is_admin_project, just in a way that differed from all the other projects. And thus, would have different policy, which would mess up a lot of people	04:08
jamielennox	so keysotne's policy is going to be the hardest to fix because today we dump the whole token into policy and people can use whatever they like from it	04:11
stevemar	jamielennox: this chain needs a rebase: https://review.openstack.org/#/c/334295/	04:12
jamielennox	oh>	04:12
jamielennox	ok, i can have a look	04:13
jamielennox	there are a couple of patches i have that still have a block from newton	04:13
jamielennox	and a couple i want to progress	04:13
jamielennox	ayoung: can you look at https://review.openstack.org/#/c/359642/2	04:14
jamielennox	stevemar: then https://review.openstack.org/#/c/359653/2 needs the block removed	04:14
jamielennox	then https://review.openstack.org/#/c/359506/ doesn't look important but i kind of need it	04:15
stevemar	jamielennox: oh thanks for reminding me -- actually, i want to release ksa/ksm/ksc on mondy	04:15
stevemar	jamielennox: i'd rather release new versions first, then merge those	04:17
jamielennox	stevemar: ok, that last one i would like in though	04:17
jamielennox	359506	04:18
*** EinstCrazy has joined #openstack-keystone		04:19
*** sdake_ has joined #openstack-keystone		04:42
*** sdake has quit IRC		04:46
*** ddieterly has joined #openstack-keystone		04:47
*** EinstCrazy has quit IRC		04:47
*** haplo37_ has quit IRC		04:49
*** haplo37_ has joined #openstack-keystone		04:51
*** ddieterly has quit IRC		04:52
*** adriant has quit IRC		04:53
*** GB21 has joined #openstack-keystone		04:57
*** tonytan4ever has joined #openstack-keystone		04:58
*** vaishali has joined #openstack-keystone		04:58
*** markvoelker has joined #openstack-keystone		05:02
*** GB21 has quit IRC		05:02
*** tonytan4ever has quit IRC		05:03
*** vaishali has quit IRC		05:04
*** markvoelker has quit IRC		05:07
*** GB21 has joined #openstack-keystone		05:15
*** sdake_ has quit IRC		05:19
*** vaishali has joined #openstack-keystone		05:20
stevemar	jamielennox: gonna ask for your eyes on https://review.openstack.org/#/c/375730/4 and https://review.openstack.org/#/c/378001/2	05:21
stevemar	i'm super paranoid about messing around with the list returned content	05:21
jamielennox	whoa, what	05:21
*** code-R has joined #openstack-keystone		05:22
*** code-R_ has joined #openstack-keystone		05:23
*** code-R has quit IRC		05:27
openstackgerrit	Steve Martinelli proposed openstack/keystone: create release notes for removed functionality https://review.openstack.org/375914	05:39
*** richm has quit IRC		05:39
*** jaosorior has joined #openstack-keystone		05:40
davechen	stevemar: thanks for the update!	05:40
stevemar	davechen: np ;)	05:41
*** code-R_ has quit IRC		05:43
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Use the mocking fixture in notifier tests https://review.openstack.org/334295	05:43
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Extract oslo_messaging specific audit tests https://review.openstack.org/334296	05:44
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Use oslo_messaging conf fixture https://review.openstack.org/336970	05:45
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Refactor audit tests to use create_middleware https://review.openstack.org/336971	05:45
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: Return and use an app wherever possible https://review.openstack.org/336972	05:45
stevemar	jamielennox: rebased for ya ^	05:45
stevemar	ayoung: take a look at that chain (the first three) if you can	05:46
breton	morning keystone	05:47
stevemar	breton: i think you mean good night ( ͡° ͜ʖ ͡°)	05:48
jamielennox	stevemar: oh, i wasn't in a hurry because i didn't think you were going to include them anyway	05:49
jamielennox	stevemar: so thanks	05:49
stevemar	jamielennox: i changed my mind after looking at the delta between ksm master and last release -- not much went in at all	05:50
stevemar	jamielennox: mehhh https://github.com/openstack/keystonemiddleware/compare/4.9.0...master	05:50
jamielennox	stevemar: yea, we froze for a fair while and its only just opened again	05:50
stevemar	jamielennox: did we freeze it? or did it.freeze.us...	05:51
jamielennox	stevemar: bed time?	05:51
stevemar	yep	05:52
*** bjolo has joined #openstack-keystone		05:54
openstackgerrit	ChangBo Guo(gcb) proposed openstack/oslo.policy: Trivial: Don't need restrict export of class https://review.openstack.org/374102	05:55
*** sdake has joined #openstack-keystone		05:59
*** rcernin has joined #openstack-keystone		06:07
*** tonytan4ever has joined #openstack-keystone		06:29
*** tonytan4ever has quit IRC		06:34
*** sdake has quit IRC		06:35
*** sdake has joined #openstack-keystone		06:35
*** pcaruana has joined #openstack-keystone		06:39
*** jaosorior has quit IRC		06:40
*** vaishali has quit IRC		06:53
*** GB21 has quit IRC		06:53
*** pnavarro has joined #openstack-keystone		07:02
*** markvoelker has joined #openstack-keystone		07:03
*** vaishali has joined #openstack-keystone		07:04
*** GB21 has joined #openstack-keystone		07:06
*** markvoelker has quit IRC		07:07
*** rkrum has joined #openstack-keystone		07:10
*** jamielennox is now known as jamielennox\|away		07:23
*** david_cu has joined #openstack-keystone		07:24
*** coolias has joined #openstack-keystone		07:33
*** sdake_ has joined #openstack-keystone		07:34
*** sdake has quit IRC		07:37
*** rkrum has quit IRC		07:38
*** EinstCrazy has joined #openstack-keystone		07:43
*** ayoung has quit IRC		07:47
*** coolias has quit IRC		07:49
*** EinstCrazy has quit IRC		07:52
*** ayoung has joined #openstack-keystone		07:53
*** ChanServ sets mode: +v ayoung		07:53
*** namnh has joined #openstack-keystone		07:56
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** ayoung has quit IRC		08:00
*** andrewbogott has quit IRC		08:02
*** andrewbogott has joined #openstack-keystone		08:02
*** coolias has joined #openstack-keystone		08:15
*** vaishali has quit IRC		08:20
*** sdake_ has quit IRC		08:23
*** ChanServ sets mode: +v marekd		08:26
*** vaishali has joined #openstack-keystone		08:32
*** vaishali has quit IRC		08:54
*** vaishali has joined #openstack-keystone		08:55
*** markvoelker has joined #openstack-keystone		09:04
*** markvoelker has quit IRC		09:08
*** code-R has joined #openstack-keystone		09:20
*** code-R_ has joined #openstack-keystone		09:22
*** code-R has quit IRC		09:24
*** robcresswell has joined #openstack-keystone		09:25
*** asettle has joined #openstack-keystone		09:29
*** vaishali has quit IRC		10:07
*** richm has joined #openstack-keystone		10:08
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/380092	10:17
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/380093	10:17
*** GB21 has quit IRC		10:19
*** vaishali has joined #openstack-keystone		10:19
*** davechen has quit IRC		10:21
*** davechen has joined #openstack-keystone		10:22
*** coolias has quit IRC		10:23
*** annp has quit IRC		10:24
*** coolias has joined #openstack-keystone		10:24
*** GB21 has joined #openstack-keystone		10:25
*** davechen has left #openstack-keystone		10:29
*** mvk has quit IRC		10:30
*** tonytan4ever has joined #openstack-keystone		10:31
breton	stevemar: yep, https://review.openstack.org/#/c/369618/ terribly killed performance.	10:33
*** tonytan4ever has quit IRC		10:35
*** nicolasbock has joined #openstack-keystone		10:43
*** denismakogon has joined #openstack-keystone		10:53
denismakogon	Hello, guys, may someone who	10:54
denismakogon	who's familiar with implementation of new backend drivers to answer few questions regarding bringing new one(of course downstream)	10:54
*** coolias has quit IRC		10:55
*** mvk has joined #openstack-keystone		11:00
*** pjm6 has quit IRC		11:04
*** namnh has quit IRC		11:09
*** pjm6 has joined #openstack-keystone		11:13
*** bjolo has quit IRC		11:27
*** bjolo has joined #openstack-keystone		11:27
*** artmr has joined #openstack-keystone		11:37
*** tlbr has quit IRC		11:43
*** tonytan4ever has joined #openstack-keystone		11:46
*** akrzos has quit IRC		11:50
*** tlbr has joined #openstack-keystone		11:50
*** tonytan4ever has quit IRC		11:51
*** akrzos has joined #openstack-keystone		11:56
*** akrzos has quit IRC		12:03
*** raildo has joined #openstack-keystone		12:05
*** rob_d___ has quit IRC		12:05
*** akrzos has joined #openstack-keystone		12:10
*** amoralej is now known as amoralej\|lunch		12:14
*** GB21 has quit IRC		12:19
*** edmondsw has joined #openstack-keystone		12:21
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs https://review.openstack.org/378001	12:31
lbragstad	o/	12:48
lbragstad	happy friday!	12:48
*** markvoelker has joined #openstack-keystone		12:52
*** links has quit IRC		12:56
*** david-lyle has joined #openstack-keystone		12:57
*** vaishali has quit IRC		12:57
dstanek	lbragstad: indeed	12:57
*** sdake has joined #openstack-keystone		13:04
breton	lbragstad: hey. Does keystone-performance bot still work?	13:04
lbragstad	breton let me check	13:06
lbragstad	I might have to kick it	13:06
breton	lbragstad: can i run it on already merged review?	13:06
lbragstad	breton i need to refactor it bad - so i can spend today on that	13:06
breton	lbragstad: that would be great	13:07
lbragstad	breton thanks for the reminder	13:07
stevemar	breton: ugh....	13:13
stevemar	breton: file a bug, attach logs, let's see what we can do	13:13
breton	stevemar: there are no logs related to it	13:13
breton	stevemar: it even bypasses oslo.cache debug proxy	13:13
breton	stevemar: i think i have a solution though. Will run tempest on it soon.	13:14
stevemar	breton: that sounds promising	13:14
*** denismakogon has quit IRC		13:21
*** amoralej\|lunch is now known as amoralej		13:22
lbragstad	stevemar i followed up on your concern here - https://review.openstack.org/#/c/371083/	13:26
*** tonytan4ever has joined #openstack-keystone		13:34
lbragstad	dolphm do you have strong opinions on putting the token version in the fernet payload?	13:40
dolphm	lbragstad: like v2 or v3?	13:40
lbragstad	dolphm yeah	13:41
lbragstad	dolphm the only reason i ask is because i'm trying to refactor the token provider api. currently - with the patches that i have in review, the token provider validates v2.0, v3 and non persistent tokens the same.	13:45
dolphm	lbragstad: why would it need to be in the payload?	13:45
lbragstad	it will get what ever information it needs, and reconstructs the token at validation time, but part of the problem is that we have a validate_token method in the provider that takes a token and validates it regardless of the version	13:46
lbragstad	it can determine the version of the token based on what the token looks like when it's pulled out of the backend	13:46
lbragstad	in the case of persistent formats	13:47
lbragstad	so - if we were to maintain that validate_token() behavior with non-persistent tokens, the problem is that we don't really know what version to format the token as (?)	13:47
*** adrian_otto has joined #openstack-keystone		13:48
bknudson	lbragstad: tokens are returned at a version ... tokens don't have a version	14:00
*** rodrigods has quit IRC		14:00
breton	do we have tests for context cache?	14:00
*** rodrigods has joined #openstack-keystone		14:00
bknudson	you can get a token using v2 and then validate that token using v3	14:00
lbragstad	bknudson kind of... right now they have a version according to the model	14:00
bknudson	then the model is incorrect	14:00
lbragstad	right - but we rely on it in various parts of keystone	14:01
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/380093	14:01
bknudson	where?	14:01
lbragstad	i'm trying to figure out the best way to simplify the token provider	14:01
*** adrian_otto has quit IRC		14:04
lbragstad	bknudson for example - https://github.com/openstack/keystone/blob/83b5da9132362cf0ba03c5b104f29a5e7482c61b/keystone/models/token_model.py#L100	14:05
bknudson	lbragstad: that's based on the data in the token	14:05
bknudson	if 'access' in token_data: it's v2, otherwise v3	14:06
breton	looks like we don't have tests for context cache.	14:06
lbragstad	bknudson right - but the model is associating a version to the object, right?	14:06
bknudson	it's associating a version with the representation of the token_data	14:07
bknudson	if the model only saw token_data with v3 contents then you could throw away the v2 branches.	14:08
bknudson	that class is there so that keystone code doesn't have to care about the version	14:08
lbragstad	yeah - that makes sense	14:08
bknudson	I mean doesn't have to care about whether token_data is v2 or v3	14:09
bknudson	so one way to clean up keystone code would be to make sure that KeystoneToken never saw v2 token_data.	14:09
bknudson	and then get rid of the v2 code.	14:10
bknudson	in KeystoneToken	14:10
lbragstad	hmm - yeah, that would work	14:10
*** ktychkova has quit IRC		14:10
bknudson	fernet provider should never give v2 token data?	14:11
bknudson	uuid would because that's what stored in the db.	14:11
*** gagehugo has joined #openstack-keystone		14:11
bknudson	I assume... if you get a v2 token using uuid does the database store a v2 token?	14:12
lbragstad	right - but I'm trying to change all that so when a token is validated keystone pulls the things it needs from the reference and rebuilds a v3 token reference	14:12
lbragstad	if we get rid of the v2 branches in the token model - we would have to move things like https://github.com/openstack/keystone/blob/83b5da9132362cf0ba03c5b104f29a5e7482c61b/keystone/models/token_model.py#L158 somewhere else	14:12
lbragstad	actually this - https://github.com/openstack/keystone/blob/83b5da9132362cf0ba03c5b104f29a5e7482c61b/keystone/models/token_model.py#L158	14:13
bknudson	I think that error checking code is there for completeness.	14:13
*** antwash has left #openstack-keystone		14:13
lbragstad	well - it's kind of like a type of validation, right?	14:13
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" find() calls by globally unique IDs https://review.openstack.org/375730	14:14
bknudson	it would be a bug in keystone if we ever hit that line.	14:14
lbragstad	if you have a v2 token and translate it to a model and ask for the model.domain_name you'll get a NotImplemented error	14:14
bknudson	if you had a v2 token then self.version is V2 so NotImplementedError would be raised.	14:15
lbragstad	yep	14:16
bknudson	If you have a v3 token that's not domain scoped then what is domain_name supposed to do?	14:16
bknudson	does it raise UnexpectedError?	14:17
bknudson	maybe you're supposed to check .domain_scoped first?	14:17
lbragstad	bknudson yeah - that's another good question	14:19
*** bjolo has quit IRC		14:21
lbragstad	what would we do in this case - https://github.com/openstack/keystone/blob/83b5da9132362cf0ba03c5b104f29a5e7482c61b/keystone/auth/plugins/token.py#L38	14:22
lbragstad	the validate_token method gives you back a token version based on what the token looks like	14:23
*** ravelar has joined #openstack-keystone		14:23
lbragstad	the response has the ability to be a v3 formatted response or a v2 formatted response	14:23
lbragstad	depending on the token that was passed in	14:24
bknudson	what's it used for? My opinion is that validate_token should only return a canonical token (call it v3 if you want)	14:25
*** woodburn has quit IRC		14:25
bknudson	lbragstad: if https://github.com/openstack/keystone/blob/83b5da9132362cf0ba03c5b104f29a5e7482c61b/keystone/auth/plugins/token.py#L38 returned a v3 token would anything break?	14:26
bknudson	I mean "always returned a v3 token"	14:26
lbragstad	bknudson i changed it to validate_v3_token - testing it now	14:27
bknudson	also, should say "always returned v3 token data"	14:27
bknudson	validate_token might have to convert v2 data to v3 data	14:28
lbragstad	bknudson you mean the other way around?	14:29
lbragstad	validate_token should always call validate_v3_token and convert the v3 response to a v2 response when needed?	14:29
bknudson	lbragstad: well, that will have to happen, too. to handle v2 requests	14:30
bknudson	lbragstad: but if the uuid table has v2 data in it then validate_token needs to read in v2 data and convert it to v3 data to be returned	14:30
bknudson	so validate_token reads a token from the token table it needs to convert it to v3 data	14:30
*** chris_hultin\|AWA is now known as chris_hultin		14:31
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Clean up for readability https://review.openstack.org/380343	14:31
bknudson	and then potentially back to v2 data as you've mentioned	14:31
lbragstad	yeah - that's essentially what I started trying to refactor but I kept getting hung up	14:31
lbragstad	doesn't look like we use self.token_provider_api.validate_token that much - http://cdn.pasteraw.com/n9xs80ivrv91ei50a7ygzgzvalqjd9b	14:32
bknudson	every use of it you have to wonder what the point of it is	14:32
lbragstad	well - here for example it looks like we use it because we don't know what version the token might be https://github.com/openstack/keystone/blob/83b5da9132362cf0ba03c5b104f29a5e7482c61b/keystone/common/controller.py#L136	14:34
bknudson	sure, but now the code using it doesn't know what version the token was either.	14:34
lbragstad	bknudson should it care?	14:34
lbragstad	or does it just want to know that the token is valid?	14:35
bknudson	so in this case it's used to fill in the auth data	14:35
bknudson	so you could write a policy file that references the fields in the token	14:35
bknudson	oh, it doesn't actually put the token data in the auth data.	14:36
bknudson	extracts a few bits.	14:36
bknudson	so the code using validate_token doesn't care if it's a v2 token or v3 token.	14:36
bknudson	so could just as well have done validate_v3_token, right?	14:36
lbragstad	it uses token_ref.user_id and tries to use token_ref.user_domain_id	14:37
*** david-lyle has quit IRC		14:37
openstackgerrit	Lance Bragstad proposed openstack/keystone: WIP: Use validate_v3_token instead of validate_token https://review.openstack.org/380349	14:37
bknudson	does validate_v3_token fail if the token was a v2 token?	14:37
bknudson	I assume it doesn't	14:37
*** david-lyle has joined #openstack-keystone		14:38
lbragstad	bknudson well ^ that passed for me locally	14:38
*** haplo37_ has quit IRC		14:45
*** lamt has joined #openstack-keystone		14:45
*** SamYaple has quit IRC		14:46
*** SamYaple has joined #openstack-keystone		14:46
openstackgerrit	Lance Bragstad proposed openstack/keystone: WIP: Use validate_v3_token instead of validate_token https://review.openstack.org/380349	14:46
lbragstad	bknudson ^ that did, too	14:47
*** adrian_otto has joined #openstack-keystone		14:48
*** haplo37_ has joined #openstack-keystone		14:48
bknudson	lbragstad: seems like the only thing that should use validate_v2_token is when the v2 validate token api.	14:48
lbragstad	bknudson even that could use validate_v3_token and just use the v2 token data helpers to convert the response	14:49
bknudson	lbragstad: that would be cool.	14:49
bknudson	then you can get rid of validate_v2_token, and replace validate_token with validate_v3_token.	14:50
bknudson	easy	14:50
lbragstad	easy he says	14:50
*** adrian_otto has quit IRC		14:50
*** GB21 has joined #openstack-keystone		14:54
*** jorge_munoz has quit IRC		14:55
*** jorge_munoz has joined #openstack-keystone		14:57
*** woodburn has joined #openstack-keystone		15:00
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/380092	15:04
*** browne has joined #openstack-keystone		15:08
openstackgerrit	Eric Brown proposed openstack/keystone: Remove the unused doc files https://review.openstack.org/379857	15:09
*** phalmos has joined #openstack-keystone		15:15
*** antwash has joined #openstack-keystone		15:19
*** phalmos has quit IRC		15:19
*** phalmos has joined #openstack-keystone		15:19
*** phalmos has quit IRC		15:22
openstackgerrit	Boris Bobrov proposed openstack/keystone: Cache region_id to avoid lookup in memcache https://review.openstack.org/380376	15:24
stevemar	lbragstad: when you are bknudson, everything is easy	15:25
lbragstad	stevemar i know, right?	15:25
stevemar	lbragstad: it's hard being that great	15:25
openstackgerrit	Boris Bobrov proposed openstack/keystone: Cache region_id to avoid lookup in memcache https://review.openstack.org/380376	15:25
lbragstad	it's hard making everything so easy	15:26
stevemar	lbragstad: if you have a quick second: https://review.openstack.org/#/c/379857/2	15:26
breton	:( i usually run make	15:27
stevemar	breton: really?!	15:27
stevemar	breton: just: tox -e docs	15:27
lbragstad	breton any specific reason to run make?	15:28
*** adrian_otto has joined #openstack-keystone		15:28
breton	stevemar: lbragstad: i just expect it to be in all docs. And run it in non-openstack projects.	15:30
breton	so it's a habit	15:31
lbragstad	ah	15:31
*** code-R_ has quit IRC		15:37
*** slberger has joined #openstack-keystone		15:39
*** mvk has quit IRC		15:39
stevemar	breton: are you opposed to removing it?	15:46
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" find() calls by globally unique IDs https://review.openstack.org/375730	15:47
stevemar	browne: commented on https://review.openstack.org/#/c/379857/2	15:48
browne	yep, saw that. i'll leave the Makefile.	15:49
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	15:51
openstackgerrit	Eric Brown proposed openstack/keystone: Remove the unused sdx doc files https://review.openstack.org/379857	15:52
breton	browne: stevemar: thank you	15:53
*** woodster_ has joined #openstack-keystone		15:53
browne	breton: np	15:53
openstackgerrit	Lance Bragstad proposed openstack/keystone: WIP: Use validate_v3_token instead of validate_token https://review.openstack.org/380349	15:57
*** asettle has quit IRC		16:00
*** code-R has joined #openstack-keystone		16:00
*** lamt has quit IRC		16:02
stevemar	browne: you can report bugs with six at: https://bitbucket.org/gutworth/six	16:03
*** slberger has quit IRC		16:03
*** nk2527 has quit IRC		16:03
browne	stevemar: yep, i'm in the process of doing just that	16:03
stevemar	;)	16:04
openstackgerrit	Ron De Rose proposed openstack/keystone: Move revocation logic to SQL https://review.openstack.org/359371	16:06
*** itisha has joined #openstack-keystone		16:06
*** slberger has joined #openstack-keystone		16:07
*** rcernin has quit IRC		16:08
stevemar	thanks browne	16:09
stevemar	breton: are you waiting for more comments / reviews for https://review.openstack.org/#/c/339294/ ?	16:12
*** code-R_ has joined #openstack-keystone		16:14
*** code-R has quit IRC		16:16
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs https://review.openstack.org/378001	16:17
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs https://review.openstack.org/378001	16:23
*** slberger has quit IRC		16:33
*** slberger has joined #openstack-keystone		16:37
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs https://review.openstack.org/378001	16:43
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" find() calls by globally unique IDs https://review.openstack.org/375730	16:45
openstackgerrit	Merged openstack/keystone: Remove the no use arg (auth=None) https://review.openstack.org/379234	16:54
*** rakhmerov__ is now known as rakhmerov		16:55
breton	stevemar: yes, i am waiting for henrynash to comment	16:56
breton	stevemar: actually, to change his -1 to +1, because his concern was about lack of tests, which i addressed	16:56
breton	(or to +2)	16:56
stevemar	breton: ah comment on the patch reminding him :P	16:59
openstackgerrit	Boris Bobrov proposed openstack/keystone: Cache region_id to avoid lookup in memcache https://review.openstack.org/380376	17:00
*** gyee has joined #openstack-keystone		17:02
*** nicolasbock has quit IRC		17:12
*** GB21 has quit IRC		17:15
*** mvk has joined #openstack-keystone		17:23
*** nicolasbock has joined #openstack-keystone		17:23
openstackgerrit	Arthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs https://review.openstack.org/378001	17:29
*** amoralej is now known as amoralej\|off		17:31
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	17:32
*** tqtran has joined #openstack-keystone		17:32
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	17:33
openstackgerrit	Ron De Rose proposed openstack/keystone: Move revocation logic to SQL https://review.openstack.org/359371	17:34
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	17:38
openstackgerrit	Ron De Rose proposed openstack/keystone: Move revocation logic to SQL https://review.openstack.org/359371	17:38
*** cheran75 has joined #openstack-keystone		18:04
*** adrian_otto has quit IRC		18:11
*** pnavarro has quit IRC		18:11
*** adrian_otto has joined #openstack-keystone		18:14
*** itisha has quit IRC		18:21
*** nkinder has joined #openstack-keystone		18:25
*** breton has quit IRC		18:38
*** rdo has quit IRC		18:39
*** rdo has joined #openstack-keystone		18:41
*** lamt has joined #openstack-keystone		18:44
*** breton has joined #openstack-keystone		18:46
*** aswadr_ has quit IRC		18:52
stevemar	such a quiet day today	18:59
stevemar	i guess everyone is off watching luke cage	18:59
lbragstad	?	18:59
stevemar	lbragstad: the channel is pretty quiet	19:06
lbragstad	who's luke cage?	19:06
stevemar	lbragstad: marvel's latest netflix show	19:07
lbragstad	ooo	19:07
lbragstad	i'm still trying to get caught up with Longmire	19:08
stevemar	lbragstad: you need to do different kinds of marathons, less running, more tv	19:10
*** nkinder has quit IRC		19:10
lbragstad	stevemar I literally make it about 10 minutes into the show and i'm passed out	19:11
lbragstad	not because it's boring either	19:11
stevemar	lbragstad: you should get that checked out	19:11
lbragstad	stevemar i need a prescription for more coffee	19:12
*** pnavarro has joined #openstack-keystone		19:13
*** openstackgerrit has quit IRC		19:18
*** openstackgerrit has joined #openstack-keystone		19:18
dolphm	stevemar: ++	19:30
*** slberger1 has joined #openstack-keystone		19:31
*** slberger has quit IRC		19:31
morgan	i want to drink coffee.... :(	19:33
stevemar	morgan: i suggest you drink this coffee	19:34
morgan	can't	19:35
morgan	another couple days... and i'll be free and clear	19:35
stevemar	morgan: i'm just picturing tyrone biggums	19:38
lbragstad	i am so close I can smell it - http://cdn.pasteraw.com/qgpol3l25vh120m3owfbvqyl51b3caw	19:41
morgan	snorting code is bad for your health lbragstad	19:43
lbragstad	i just can't help it	19:43
*** flwang1 has quit IRC		19:59
rderose	going to grab some lunch...	20:05
*** artmr has quit IRC		20:05
*** denismakogon_ has joined #openstack-keystone		20:07
*** flwang has joined #openstack-keystone		20:15
breton	oh my, bug 1629446	20:17
openstack	bug 1629446 in OpenStack Identity (keystone) "500 when a user logins in using federation" [Undecided,New] https://launchpad.net/bugs/1629446	20:17
openstackgerrit	Merged openstack/ldappool: Updated from global requirements https://review.openstack.org/380569	20:21
dstanek	i'm testing some federation stuff and wanted to test on fedora...how in the heck do you install mod_shib on fedora?	20:28
*** code-R_ has quit IRC		20:32
openstackgerrit	Eric Brown proposed openstack/keystone: Use httplib constants for http status codes https://review.openstack.org/379855	20:35
stevemar	breton: 1629446 scared me at first	20:39
stevemar	breton: then i realized its only after removed from group	20:39
stevemar	breton: folks need to put less scary titles in their bug report	20:40
stevemar	dstanek: https://tuakiri.ac.nz/confluence/display/Tuakiri/Installing+Shibboleth+2.x+SP+on+RedHat+based+Linux#InstallingShibboleth2.xSPonRedHatbasedLinux-Installation ?	20:41
dstanek	stevemar: yeah, i've found the repos, but i'm not sure which one to install	20:42
stevemar	rderose: available soon-ish? or wrapping up for the day?	20:43
dstanek	stevemar: actually some fedora guys gave me the best advice. just install centos instead of fedora to test it out	20:46
stevemar	dstanek: and there ya go	20:49
*** raildo has quit IRC		20:55
*** denismakogon_ has quit IRC		20:56
openstackgerrit	ayoung proposed openstack/keystone: WIP Remove unneeded revocation events https://review.openstack.org/285134	21:13
stevemar	rodrigods: rderose: i think https://review.openstack.org/#/c/375928/ is ready now :)	21:17
*** edmondsw has quit IRC		21:17
*** esp has joined #openstack-keystone		21:17
*** sdake has quit IRC		21:19
*** slberger1 has quit IRC		21:22
*** sdake has joined #openstack-keystone		21:25
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/380568	21:29
*** pnavarro has quit IRC		21:30
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/380567	21:35
rderose	ayoung: you there?	21:37
rderose	stevemar: ++	21:38
*** gagehugo has quit IRC		21:41
*** sdake has quit IRC		21:45
*** sdake has joined #openstack-keystone		21:46
openstackgerrit	Lance Bragstad proposed openstack/keystone: WIP: Remove validate_v2_token() method https://review.openstack.org/380663	21:56
openstackgerrit	Lance Bragstad proposed openstack/keystone: WIP: Simplify the KeystoneToken model https://review.openstack.org/380664	21:56
openstackgerrit	Boris Bobrov proposed openstack/keystone: Wrap invalidation region to context-local cache https://review.openstack.org/380376	21:56
*** jamielennox\|away is now known as jamielennox		21:59
*** sdake has quit IRC		21:59
*** slberger has joined #openstack-keystone		22:12
*** slberger has quit IRC		22:24
*** gyee has quit IRC		22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone: WIP: One validate method to rule them all... https://review.openstack.org/374243	22:32
lbragstad	muahahahaha ^	22:33
lbragstad	jamielennox i did a different approach that led to some refactoring of the token model ^	22:34
*** ravelar has quit IRC		22:36
*** slberger has joined #openstack-keystone		22:40
jamielennox	lbragstad: i'll have to have a closer look later, however, awesome	22:43
jamielennox	so looks like you just always deal with a v3 model and convert to v2 where required	22:43
jamielennox	cause the other thing i never understood is why we needed to cache all of these validation methods differently	22:44
*** slberger has left #openstack-keystone		22:45
jamielennox	validate_token takes id - and just cache that instead of once per v2/v3/non-persistent etc	22:45
jamielennox	so yay to a single sensible function	22:45
openstackgerrit	Eric Brown proposed openstack/keystone: Fix for py35 http response status codes https://review.openstack.org/379855	22:48
*** thiagolib has quit IRC		22:48
lbragstad	jamielennox right	22:54
lbragstad	default to always using v3	22:54
lbragstad	and where we need a v2 token - just translate it	22:55
lbragstad	it also isolates all validation logic to a single method in keystone/token/providers/common.py	22:55
lbragstad	for both non-persistent and persistent formats	22:55
lbragstad	next step would be to refactor the v3 version out of the model and make it so the model is version agnostic?	22:56
lbragstad	and instead of making the model inherit from a dict it could just be an object and accept sane kwargs versus a dict of token_data (?)	22:57
openstackgerrit	Eric Brown proposed openstack/keystone: Fix for py35 http response status codes https://review.openstack.org/379855	23:12
*** sdake has joined #openstack-keystone		23:29
*** iurygregory_ has joined #openstack-keystone		23:31
*** ravelar has joined #openstack-keystone		23:35

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!