Tuesday, 2016-10-04

« Monday, 2016-10-03 Index Wednesday, 2016-10-05 »
*** spzala has quit IRC00:03
*** markvoelker has joined #openstack-keystone00:29
*** adrian_otto has quit IRC00:29
*** markvoelker has quit IRC00:34
*** nkinder has quit IRC00:40
*** adu has quit IRC00:41
*** chris_hultin|AWA is now known as chris_hultin00:44
*** tqtran has quit IRC00:46
*** GB21 has joined #openstack-keystone00:46
*** adu has joined #openstack-keystone00:49
*** adrian_otto has joined #openstack-keystone00:49
*** adrian_otto has quit IRC00:52
*** nkinder has joined #openstack-keystone00:52
*** adrian_otto has joined #openstack-keystone00:53
*** markvoelker has joined #openstack-keystone00:54
*** chris_hultin is now known as chris_hultin|AWA00:54
*** chris_hultin|AWA is now known as chris_hultin00:55
*** adrian_otto has quit IRC00:56
*** adrian_otto has joined #openstack-keystone00:58
*** spzala has joined #openstack-keystone00:59
*** adrian_otto has quit IRC00:59
openstackgerritMerged openstack/keystone-specs: Mapping shadow users into projects and roles  https://review.openstack.org/32405501:00
*** spzala has quit IRC01:04
*** prashanth has joined #openstack-keystone01:06
*** adrian_otto has joined #openstack-keystone01:13
*** adrian_otto has quit IRC01:16
*** adrian_otto has joined #openstack-keystone01:16
*** adrian_otto has quit IRC01:22
*** adrian_otto has joined #openstack-keystone01:26
*** adrian_otto has quit IRC01:27
*** adrian_otto has joined #openstack-keystone01:29
*** adrian_otto has quit IRC01:32
*** adu has quit IRC01:33
openstackgerritJamie Lennox proposed openstack/keystone-specs: Allow retrieving an expired token  https://review.openstack.org/38136101:35
jamielennoxstevemar: ^01:36
*** adu has joined #openstack-keystone01:37
*** chris_hultin is now known as chris_hultin|AWA01:40
*** namnh has joined #openstack-keystone01:40
*** adrian_otto has joined #openstack-keystone01:48
*** adrian_otto has quit IRC01:51
*** adrian_otto has joined #openstack-keystone01:52
*** spzala has joined #openstack-keystone01:54
*** adrian_otto has quit IRC01:55
*** spzala has quit IRC01:59
*** spzala has joined #openstack-keystone02:10
stevemarthanks jamielennox, you're the best <302:10
jamielennoxstevemar: i think i have usable code02:11
jamielennoxthough i haven't messed with the other services yet, just testing valdiation directly02:11
jamielennoxi have a question02:11
jamielennoxhttps://review.openstack.org/#/c/379034/ and  https://review.openstack.org/#/c/379035/ - can i do that?02:12
jamielennoxstevemar: for all reasonable cases i don't think anyone but keystone has overriden auth_token middleware02:12
jamielennoxhowever it's technically a backwards incompatible change02:12
jamielennoxand for example if a kyestone without that fix was using a keystonemiddleware with it there would be an error02:13
*** prashanth has quit IRC02:16
*** david-lyle has joined #openstack-keystone02:25
EmilienMstevemar: would you accept a patch like this for keystone CI ? https://review.openstack.org/#/c/381322/02:33
stevemarEmilienM: "This job is non-voting" -- good with me02:35
EmilienMcool02:36
*** ravelar has quit IRC02:37
*** david-lyle has quit IRC02:38
EmilienMstevemar: i'm trying to retrospect in my brain what projects 'broke' the most for us in tripleo, and where we could run our CI jobs to give interesting feedback02:39
stevemarEmilienM: we definitely broke you enough to warrant the job :)02:40
stevemarEmilienM: osc too?02:40
EmilienMstevemar: oh yeah02:40
EmilienMstevemar: I'm not blaming any project, just trying to reduce feedback loop02:41
stevemartotally understand02:41
EmilienMi just think a combination of devstack + other things could be interesting02:41
*** tqtran has joined #openstack-keystone02:43
*** adu has quit IRC02:45
*** tqtran has quit IRC02:48
*** david-lyle has joined #openstack-keystone02:49
*** david-lyle has quit IRC02:55
*** trananhkma has joined #openstack-keystone02:57
*** tqtran has joined #openstack-keystone03:02
*** dikonoor has joined #openstack-keystone03:03
*** tqtran has quit IRC03:06
*** links has joined #openstack-keystone03:10
stevemarjamielennox: to answer your question, i don't know03:14
stevemarjamielennox: i'm weary about it03:14
jamielennoxstevemar: yea, me too03:14
jamielennoxstevemar: it just seems a lot of work for little gain to work around it03:14
stevemarjamielennox: you never got back to me -- whats the change for?03:15
jamielennoxoh, yea, it's in service of fetching expired tokens03:15
jamielennoxi need to pass allow_expired=True through to fetch_token03:15
jamielennoxbut if i do that without fixing the keystone override then its going to be a call error03:16
stevemarjamielennox: overriding foo(x, **kwargs) with just foo(x) causes an error right?03:18
stevemarhmm03:18
jamielennoxstevemar: no03:18
jamielennoxstevemar: having the base class call fetch_token(self, token_id, allow_expired=True) when keystone only has fetch_token(self, token_id) is going to be an error03:18
stevemarjamielennox: looks like "cloudcafe" overrides it: http://codesearch.openstack.org/?q=fetch_token&i=nope&files=&repos=03:20
stevemareh, not really03:20
openstackgerritRon De Rose proposed openstack/keystone: Remove password history validation from admin password resets  https://review.openstack.org/37903003:21
jamielennoxstevemar: yea, no they just use the same function name03:21
stevemarjamielennox: yeah, i realized that when i didn't see ksm in their reqs03:21
jamielennoxso i mean it's still a problem because it'll cross keystone releases03:22
stevemarjamielennox: that's OK03:23
stevemarjamielennox: we can have Newton capped at 4.9.z03:24
stevemarjamielennox: for O we can bump the minimum constraints to 4.10.003:24
stevemarNewton will just get cherry-picked changes03:24
stevemar(this is all keystonemiddleware i'm talking about)03:25
stevemarjamielennox: would inspecting the method signature help at all?03:25
jamielennoxstevemar: there's a few ways we can do it, we can inspect from above03:25
jamielennoxstevemar: we can put a bool on the class to say it accepts the new options03:26
stevemartry to use the newer sign but fall back if it's not there03:26
stevemarjamielennox: yeah, we did that in OSC03:26
stevemarnot pretty03:26
jamielennoxi think you're catching typeerror if you catch the args03:26
jamielennoxreally that's probably the best way03:27
jamielennoxit's not pretty but safest and we'd only need to carry it a cycle or so03:27
*** spzala has quit IRC03:27
stevemaryep03:28
jamielennoxbah, alright, i knew this i just didn't want to03:29
stevemarjamielennox: sorry bud, we can make it one cycle deprecation03:31
*** nicolasbock has quit IRC03:38
*** GB21 has quit IRC03:39
openstackgerritKanika Singh proposed openstack/keystone: Role Assignment was reporting incorrect Inheritance when --names was used. Reason: Dictionary was missing the inheritance key value pair. Hence added elif condition to check for inherited property and add it in the dictionary. Closes bug: #1625230  https://review.openstack.org/38097303:42
openstackbug 1625230 in OpenStack Identity (keystone) "Role Assignment Incorrectly Reports Inheritance when --name is Used" [Medium,Confirmed] https://launchpad.net/bugs/1625230 - Assigned to Kanika Singh (kanikasingh-1490)03:42
*** agireud has quit IRC03:44
openstackgerritJamie Lennox proposed openstack/keystone: Don't validate token expiry in the persistence backend  https://review.openstack.org/38138003:46
*** agireud has joined #openstack-keystone03:46
stevemarjamielennox: create a bp for the work and start referencing it in commit messages and topics please03:58
stevemarjamielennox: not sure if you want to create a new one or re-use https://blueprints.launchpad.net/keystone/+spec/session-extendable-tokens or https://blueprints.launchpad.net/keystone/+spec/trusted-tokens03:59
*** GB21 has joined #openstack-keystone04:23
openstackgerritJamie Lennox proposed openstack/keystone-specs: Allow retrieving an expired token  https://review.openstack.org/38136104:25
*** denismakogon__ has joined #openstack-keystone04:26
openstackgerritJamie Lennox proposed openstack/keystone: Don't validate token expiry in the persistence backend  https://review.openstack.org/38138004:28
*** lamt has quit IRC04:31
*** prashanth has joined #openstack-keystone04:34
*** adriant has quit IRC04:35
*** woodster_ has quit IRC04:40
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Specify that unknown arguments can be passed to fetch_token  https://review.openstack.org/37903404:48
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Specify that unknown arguments can be passed to fetch_token  https://review.openstack.org/37903404:49
openstackgerritJamie Lennox proposed openstack/keystone: Ignore unknown arguments to fetch_token  https://review.openstack.org/37903504:53
*** denismakogon__ has quit IRC04:56
openstackgerritJamie Lennox proposed openstack/keystoneauth: Implement caching for the generic plugins.  https://review.openstack.org/35950605:02
openstackgerritJamie Lennox proposed openstack/keystone-specs: Allow retrieving an expired token  https://review.openstack.org/38136105:11
*** denismakogon__ has joined #openstack-keystone05:18
*** vaishali has joined #openstack-keystone05:19
*** spzala has joined #openstack-keystone05:28
*** agireud has quit IRC05:31
*** spzala has quit IRC05:32
*** agireud has joined #openstack-keystone05:33
*** richm has quit IRC05:40
*** dikonoor has quit IRC05:42
*** GB21 has quit IRC05:46
*** vaishali has quit IRC05:46
*** jaosorior has joined #openstack-keystone05:46
*** flaper87 has joined #openstack-keystone05:49
*** flaper87 has quit IRC05:49
*** flaper87 has joined #openstack-keystone05:49
*** code-R has joined #openstack-keystone05:51
bretonmorning, folks05:53
*** adrian_otto has joined #openstack-keystone05:53
*** code-R_ has joined #openstack-keystone05:55
*** code-R has quit IRC05:58
*** GB21 has joined #openstack-keystone06:01
*** vaishali has joined #openstack-keystone06:02
trananhkmaHi keystone-er :)06:03
trananhkmaI tried to rolling upgrade Keystone from Mitaka to Newton. My model has 3 Controller nodes.06:03
trananhkmaAfter upgrade Controller1 successfully, I have an issuse with keystone, it raise that "KeyError: 'is_domain'" everytime when request is handling by Controller1. Full log here: http://paste.openstack.org/show/584107/06:03
trananhkmaI think the problem is that V2 api conflicted with V3 api.06:04
trananhkmaAfter I upgraded all 3 nodes to Newton, this error never occur again06:04
trananhkmaHow can I prevent this error during upgrade process? Does anyone have suggestion for me? Thanks06:04
*** tqtran has joined #openstack-keystone06:05
*** annp has joined #openstack-keystone06:06
*** GB21 has quit IRC06:07
*** GB21 has joined #openstack-keystone06:08
*** vaishali_ has joined #openstack-keystone06:08
*** tqtran has quit IRC06:10
*** vaishali has quit IRC06:12
*** vaishali_ has quit IRC06:14
*** dikonoor has joined #openstack-keystone06:14
*** vaishali_ has joined #openstack-keystone06:27
*** tqtran has joined #openstack-keystone06:31
*** tqtran has quit IRC06:35
*** tqtran has joined #openstack-keystone06:38
*** code-R_ has quit IRC06:40
*** code-R has joined #openstack-keystone06:41
*** rcernin has joined #openstack-keystone06:43
*** adrian_otto has quit IRC06:45
*** dikonoor has quit IRC06:45
*** adrian_otto has joined #openstack-keystone06:48
*** agireud has quit IRC06:50
*** agireud has joined #openstack-keystone06:51
*** tesseract- has joined #openstack-keystone06:52
*** vaishali_ has quit IRC06:52
*** agireud has quit IRC06:56
*** pnavarro has joined #openstack-keystone06:58
*** dikonoor has joined #openstack-keystone06:58
*** agireud has joined #openstack-keystone06:59
*** agireud has quit IRC07:02
*** denismakogon__ has quit IRC07:03
*** denismakogon__ has joined #openstack-keystone07:04
*** agireud has joined #openstack-keystone07:08
*** code-R_ has joined #openstack-keystone07:15
*** adrian_otto1 has joined #openstack-keystone07:16
*** code-R has quit IRC07:18
*** adrian_otto has quit IRC07:19
*** markvoelker has quit IRC07:24
*** adrian_otto1 has quit IRC07:37
*** adrian_otto has joined #openstack-keystone07:38
*** adrian_otto has quit IRC07:46
*** adrian_otto has joined #openstack-keystone07:49
*** adrian_otto has quit IRC07:50
*** jistr has joined #openstack-keystone07:57
*** zzzeek has quit IRC08:00
*** jed56 has joined #openstack-keystone08:00
*** zzzeek has joined #openstack-keystone08:01
*** amoralej|off is now known as amoralej08:03
*** tqtran has quit IRC08:09
*** code-R_ has quit IRC08:15
openstackgerritJamie Lennox proposed openstack/keystone: Don't validate token expiry in the persistence backend  https://review.openstack.org/38138008:15
*** asettle has joined #openstack-keystone08:16
*** asettle has quit IRC08:16
*** asettle has joined #openstack-keystone08:17
*** markvoelker has joined #openstack-keystone08:24
*** markvoelker has quit IRC08:29
openstackgerritmelissaml proposed openstack/keystone: Fix a typo in _init_.py  https://review.openstack.org/38152608:33
*** denismakogon__ has quit IRC08:41
*** denismakogon has joined #openstack-keystone08:41
*** vaishali_ has joined #openstack-keystone08:59
*** dikonoor has quit IRC09:19
*** code-R has joined #openstack-keystone09:20
*** code-R_ has joined #openstack-keystone09:36
*** code-R has quit IRC09:39
*** ma9 has joined #openstack-keystone09:41
ma9is there a way to resolve users,projects,roles,domains when using the command "openstack role assignment list"09:41
ma9?09:41
*** code-R_ has quit IRC09:48
*** code-R has joined #openstack-keystone09:48
*** GB21 has quit IRC09:53
*** vaishali_ has quit IRC09:53
*** annp has quit IRC09:53
*** jistr is now known as jistr|mtg09:59
*** zigo has quit IRC10:01
*** code-R has quit IRC10:03
*** code-R has joined #openstack-keystone10:04
*** zigo has joined #openstack-keystone10:04
*** zigo is now known as Guest8478010:05
bretonma9: yes. Use parameter --names10:09
*** richm has joined #openstack-keystone10:10
*** GB21 has joined #openstack-keystone10:11
*** vaishali_ has joined #openstack-keystone10:12
ma9breton: I'm running Kilo and it does not work10:12
*** Guest84780 has quit IRC10:14
*** zigo_ has joined #openstack-keystone10:16
bretonma9: then i am afraid there is no way. Afaik we discussed and fixed it only in Liberty or Mitaka.10:17
bretonprobably in Liberty10:18
*** code-R has quit IRC10:18
*** code-R has joined #openstack-keystone10:19
*** dikonoor has joined #openstack-keystone10:25
*** markvoelker has joined #openstack-keystone10:26
*** gb21_ has joined #openstack-keystone10:27
*** vaishali__ has joined #openstack-keystone10:27
*** vaishali has joined #openstack-keystone10:29
*** vaishali_ has quit IRC10:31
*** GB21 has quit IRC10:31
*** markvoelker has quit IRC10:31
*** vaishali__ has quit IRC10:32
*** code-R has quit IRC10:34
*** code-R has joined #openstack-keystone10:34
*** nicolasbock has joined #openstack-keystone10:40
*** spzala has joined #openstack-keystone10:44
*** code-R has quit IRC10:49
*** spzala has quit IRC10:49
*** code-R has joined #openstack-keystone10:50
*** pnavarro has quit IRC10:51
*** gb21_ is now known as GB2110:54
*** code-R_ has joined #openstack-keystone10:56
*** code-R has quit IRC10:56
*** rcernin has quit IRC10:57
*** rcernin has joined #openstack-keystone10:58
*** jistr|mtg is now known as jistr11:00
*** dikonoor has quit IRC11:01
*** bjolo_ is now known as bjolo11:10
*** amoralej is now known as amoralej|lunch11:13
bretonlp seems to be down :(11:22
*** zigo_ is now known as zigo11:23
*** markvoelker has joined #openstack-keystone11:27
*** dikonoor has joined #openstack-keystone11:30
*** markvoelker has quit IRC11:32
*** haplo37_ has quit IRC11:33
*** haplo37_ has joined #openstack-keystone11:35
*** vaishali has quit IRC11:41
*** pnavarro has joined #openstack-keystone11:43
*** vaishali has joined #openstack-keystone11:46
*** namnh_ has joined #openstack-keystone12:09
*** raildo has joined #openstack-keystone12:09
*** namnh has quit IRC12:12
*** code-R has joined #openstack-keystone12:12
*** jlwhite has quit IRC12:14
*** kevinbenton has quit IRC12:15
*** GB21 has quit IRC12:15
*** denismakogon has quit IRC12:15
*** code-R_ has quit IRC12:15
*** jlwhite has joined #openstack-keystone12:15
*** denismakogon has joined #openstack-keystone12:15
*** kevinbenton has joined #openstack-keystone12:17
*** edmondsw has joined #openstack-keystone12:18
*** vaishali_ has joined #openstack-keystone12:23
*** code-R has quit IRC12:24
*** code-R has joined #openstack-keystone12:25
*** GB21 has joined #openstack-keystone12:27
*** vaishali has quit IRC12:27
stevemaro/12:28
*** vaishali_ has quit IRC12:29
*** markvoelker has joined #openstack-keystone12:33
*** amoralej|lunch is now known as amoralej12:37
*** vaishali_ has joined #openstack-keystone12:41
openstackgerritRodrigo Duarte proposed openstack/keystone: Minor fix in role_assignments api-ref  https://review.openstack.org/38177712:43
*** ma9 has left #openstack-keystone12:44
*** code-R has quit IRC12:45
*** code-R has joined #openstack-keystone12:45
*** GB21 has quit IRC12:48
*** vaishali_ has quit IRC12:49
*** code-R has quit IRC12:53
*** namnh_ has quit IRC12:53
*** namnh has joined #openstack-keystone12:54
trananhkmastevemar, hello, are you free? can you give some minutes?12:56
stevemartrananhkma: sure, i'll try to help12:56
trananhkmastevemar, thanks, I all ready asked about it, could you take a look: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-10-04.log.html#t2016-10-04T06:03:1812:59
trananhkmaalready @@12:59
*** spzala has joined #openstack-keystone13:07
stevemartrananhkma: i was going to say it looks like https://bugs.launchpad.net/keystone/+bug/1592169 -- but your issue is "is_domain" not "domain_id"13:10
openstackLaunchpad bug 1592169 in OpenStack Identity (keystone) mitaka "cached tokens break Liberty to Mitaka upgrade" [High,Fix committed] - Assigned to Colleen Murphy (krinkle)13:10
*** dave-mccowan has joined #openstack-keystone13:10
stevemartrananhkma: i think we added the is_domain attribute to projects in Newton, so if you are replicating data between controllers it may not be able to write to the table until all controllers are upgraded13:11
stevemartrananhkma: the problem is normally seen when retrieving cached values, are you using caching?13:13
stevemartrananhkma: can you please file a bug with keystone with any applicable logs13:14
trananhkmastevemar, I am thinking about that, I just used devstack to try the rolling upgrade feature, I'm not sure about the caching.13:15
trananhkmastevemar, sure, if you confirmed it's a bug13:16
trananhkmastevemar, I follow the step in this: http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime13:27
trananhkmabut, IMO, at step 9: 'Upgrade all keystone nodes to the next release, and restart them one at a time'. I think we cannot upgrade without downtime with this.13:27
trananhkmaI tried to upgrade Controller1 first, then start it to handle the quest, I mean it make system no downtime. But I have the issues here, as I mentioned above13:27
trananhkmaMay I do something wrong?13:31
*** daemontool has joined #openstack-keystone13:33
*** jaosorior has quit IRC13:34
*** jaosorior has joined #openstack-keystone13:34
dstanektrananhkma: that makes me think that rolling upgrades don't quite work for this release13:38
*** rodrigods has quit IRC13:40
*** rodrigods has joined #openstack-keystone13:40
trananhkmadstanek, im not sure about that, I just want to make confirmation to do next step13:42
lbragstadrderose did you have a patch somewhere for https://bugs.launchpad.net/keystone/+bug/1630092 ?13:43
openstackLaunchpad bug 1630092 in OpenStack Identity (keystone) "Admin password reset should be exempt from password history validation" [Medium,In progress] - Assigned to Ron De Rose (ronald-de-rose)13:43
dstanektrananhkma: to me your traceback indicates that's we expect new data that is doing going to be returned by the old version. seems like a bug.13:43
dstanektrananhkma: did you file a bug?13:43
dstanektrananhkma: rolling upgrades is experimental and it wouldn't surprise me if it had some issues13:43
lbragstadstevemar is anyone allowed to *create* tags for our project in launchpad?13:44
trananhkmadstanek, no I didn't. I trying to understand that, I afraid I do something wrong13:46
dstanektrananhkma: the best thing to do it create a bug so that more people can take a look. since you have a traceback there is definitely something wrong.13:46
dstanektrananhkma: even if technically you did something to cause that traceback it is our bad for letting it happen13:47
*** mah has joined #openstack-keystone13:48
mahHi all, How to let openstack use Nova Compute v2.0 instead of v2.1 ?13:48
trananhkmadstanek, ok, I'll report this bug now :)13:49
mahwithout messing up anything13:49
*** links has quit IRC13:49
dstanekmah: the client or nova itself?13:50
mahnova it self13:51
mahI already have both of them exist13:52
*** vkramskikh has left #openstack-keystone13:52
mahbut v2.1 is the used one13:52
-openstackstatus- NOTICE: The Gerrit service on review.openstack.org is being restarted to address performance degradation and should return momentarily14:00
*** phalmos has joined #openstack-keystone14:04
*** daemontool_ has joined #openstack-keystone14:06
dstanekmah: you might be better off asking that in #openstack-dev14:08
mahok thanks14:08
*** daemontool has quit IRC14:10
*** ravelar has joined #openstack-keystone14:13
stevemarlbragstad: i can create them if you need to, but i think the people under "keystone-drivers" can14:20
lbragstadstevemar cool - looking how to do that now14:20
stevemartrananhkma: its probably a bug then :(14:20
stevemarlbragstad: http://imgur.com/a/rEEfY link at the bottom14:21
lbragstadstevemar sweet - done14:23
lbragstadcc rderose - i've created a 'pci' tag14:23
stevemartrananhkma: let us know when you've filed the bug, we'll get someone to reproduce it14:24
trananhkmastevemar, thanks so much for your time, I already filed the bug here: https://bugs.launchpad.net/keystone/+bug/163025914:24
openstackLaunchpad bug 1630259 in OpenStack Identity (keystone) "Rolling upgrade does not work well in Newton release" [Undecided,New]14:24
*** ravelar has quit IRC14:28
*** chris_hultin|AWA is now known as chris_hultin14:32
*** pnavarro has quit IRC14:32
*** jorge_munoz has joined #openstack-keystone14:32
*** denismakogon has quit IRC14:32
*** denismakogon has joined #openstack-keystone14:33
*** jorge_munoz_ has joined #openstack-keystone14:35
*** spzala has quit IRC14:35
*** vaishali_ has joined #openstack-keystone14:35
*** dikonoor has quit IRC14:36
*** jorge_munoz has quit IRC14:38
*** jorge_munoz_ is now known as jorge_munoz14:38
*** chris_hultin is now known as chris_hultin|AWA14:41
*** ravelar has joined #openstack-keystone14:42
openstackgerritRodrigo Duarte proposed openstack/keystone: Minor fix in role_assignments api-ref  https://review.openstack.org/38177714:47
stevemartrananhkma: thanks, hoping we can check it out and backport as necessary14:50
*** chris_hultin|AWA is now known as chris_hultin14:50
stevemari added the bug to the agenda14:53
*** spzala has joined #openstack-keystone15:05
dolphmtrananhkma: thanks for the bug report!15:06
stevemardolphm: ++15:07
*** rcernin has quit IRC15:10
*** dave-mccowan has quit IRC15:13
*** daemontool_ has quit IRC15:19
*** phalmos has quit IRC15:21
*** daemontool has joined #openstack-keystone15:27
*** namnh has quit IRC15:28
*** dave-mccowan has joined #openstack-keystone15:30
*** adrian_otto has joined #openstack-keystone15:31
*** spilla has joined #openstack-keystone15:37
bknudsonI wonder if there couldn't be some kind of version on the cached data15:39
bknudsonmight be as easy to implement as just putting the version in the key15:40
bknudsonthe would put different versions of objects in different namespaces15:40
*** prashanth has quit IRC15:41
*** pnavarro has joined #openstack-keystone15:42
*** nicolasbock has quit IRC15:47
*** adrian_otto has quit IRC15:48
mah Hi all, How to let openstack use Nova access API v2.0 instead of v2.1 ?15:51
*** nicolasbock has joined #openstack-keystone15:53
*** adrian_otto has joined #openstack-keystone15:58
*** lamt has joined #openstack-keystone16:01
*** jaosorior has quit IRC16:02
*** vaishali_ has quit IRC16:08
*** dikonoor has joined #openstack-keystone16:14
*** vaishali_ has joined #openstack-keystone16:15
*** gagehugo has joined #openstack-keystone16:17
*** links has joined #openstack-keystone16:17
*** links has quit IRC16:18
*** david-lyle has joined #openstack-keystone16:21
*** dikonoor has quit IRC16:24
*** openstackgerrit has quit IRC16:26
*** openstackgerrit has joined #openstack-keystone16:27
*** openstackgerrit has quit IRC16:28
*** openstackgerrit has joined #openstack-keystone16:28
*** tesseract- has quit IRC16:29
*** openstackgerrit has quit IRC16:30
*** openstackgerrit has joined #openstack-keystone16:30
*** pnavarro has quit IRC16:34
amakarovzzzeek, dogpile.cache has redis backend, but uses it as mere KVS. Meanwhile Redis has hashes that fits into cache region model perfectly - why didn't you use it?16:35
*** daemontool has quit IRC16:35
zzzeekamakarov: feel free to build another backend, it seems natural the default dogpile appoach for any given backend is to store "keys" and "values" in the server16:37
zzzeekamakarov: or an option to the exisitng backend to use a specific hash16:37
amakarovzzzeek, it won't be limited by a backend - the one is already there16:39
amakarovzzzeek, alternative CacheRegion is required16:39
amakarovSo I wanted to ask about your reasoning for current solution16:40
amakarovfocused on memcached?16:40
zzzeekamakarov: CacheRegion knows nothing about the backend16:40
zzzeekamakarov: focused on "thing that stores keys and values"16:41
amakarovzzzeek, well, thank you for clarification16:41
zzzeekamakarov: if by "hashes" you mean, "store the keys and valeus inside of a redis hash", how woudl you choose this "hash" other than a fixed path ?16:43
amakarovzzzeek, I mean this: http://redis.io/commands/hset16:46
amakarovand yes - current CacheRegion cannot use it16:46
zzzeekamakarov: right, by "how would you choose" I mean:  HSET --> this part --> myhash <-- <-- field1 "Hello"16:47
amakarovright now CacheRegion prefixes keys with, well, hash name (in terms of Redis)16:49
amakarovzzzeek, so region invalidation becomes just hash deletion operation rather than prefix regeneration16:50
amakarovso prefix can be hard-coded again16:50
*** dikonoor has joined #openstack-keystone16:51
zzzeekamakarov: "prefixes keys with, well, hash name", i dont understand16:51
amakarovzzzeek, oh, sorry - I mismatched it with invalidation strategy16:52
amakarovhmm... I'll think about using it then - I can try to use existing region logic with some specific strategy for redis...16:53
*** vaishali_ has quit IRC16:54
*** asettle__ has joined #openstack-keystone16:54
zzzeekamakarov: POC: http://paste.openstack.org/show/584259/16:55
amakarovzzzeek, yes! something like that16:56
amakarovzzzeek, and invalidate() just calls backend.hdel()16:57
zzzeekamakarov: oh i should test the actual backend there...16:57
amakarovzzzeek, you see: we faced a performance degradation with distributed region invalidation as there is significant overhead in memcached calls (x3 to be more specific)16:58
zzzeekamakarov: here we are: http://paste.openstack.org/show/584261/16:58
zzzeekamakarov: invalidation is a crapshow, sure.  was not an original use case.16:59
*** asettle has quit IRC16:59
*** asettle__ has quit IRC16:59
zzzeekamakarov: well, time based invalidation was, of course.17:00
zzzeekbut "go and delete the keys", not so much17:00
amakarovzzzeek, yep - it's a common case when architecture just reflects current state of how things are done and slightly behind the actual need :)17:02
*** adrian_otto has quit IRC17:03
amakarovzzzeek, ah, we can't just go with a new backend:  a strategy is required too - backends do not invalidate17:04
zzzeekamakarov: yup, but those are pluggable of course17:04
amakarovzzzeek, thank you for your help - I'm off to feed that to our QA :)17:05
*** browne has joined #openstack-keystone17:29
*** nicolasbock has quit IRC17:42
*** jorge_munoz has quit IRC17:42
*** nicolasbock has joined #openstack-keystone17:46
*** gagehugo has quit IRC17:50
*** gagehugo_ has joined #openstack-keystone17:50
*** gagehugo has joined #openstack-keystone17:50
*** bjolo_ has joined #openstack-keystone17:53
*** tqtran has joined #openstack-keystone17:55
*** sdake has quit IRC17:58
*** rcernin has joined #openstack-keystone17:58
*** ayoung has joined #openstack-keystone18:01
*** ChanServ sets mode: +v ayoung18:01
*** jaugustine has joined #openstack-keystone18:02
*** harlowja has quit IRC18:03
*** adrian_otto has joined #openstack-keystone18:06
*** adrian_otto has quit IRC18:08
*** agireud has quit IRC18:10
*** LamT__ has quit IRC18:11
*** agireud has joined #openstack-keystone18:12
*** phalmos has joined #openstack-keystone18:19
dolphmlbragstad: assigned you https://bugs.launchpad.net/keystone/+bug/163025918:19
openstackLaunchpad bug 1630259 in OpenStack Identity (keystone) "KeyError: 'is_domain' during mitaka -> newton rolling upgrade" [High,Triaged] - Assigned to Lance Bragstad (lbragstad)18:19
lbragstaddolphm thanks18:20
lbragstadraildo https://github.com/openstack/keystone/commit/c1d0959da9a5e70cc16636bab1581ae154be27e5 looks suspicious in ^18:20
dolphmlbragstad: i would say so18:20
lbragstadi think the problem is that is_domain is assuming the 'is_domain' key to be in the token if the token version is v318:23
lbragstadhttps://github.com/openstack/keystone/blob/stable/newton/keystone/models/token_model.py#L21318:23
*** phalmos has quit IRC18:23
lbragstadbut we only populate the token_data with 'is_domain' if the token is actually project scoped - https://github.com/openstack/keystone/blob/stable/newton/keystone/token/providers/common.py#L30418:24
openstackgerritLance Bragstad proposed openstack/keystone: Make returning is_domain conditional  https://review.openstack.org/38203218:26
lbragstadraildo ^18:26
*** amoralej is now known as amoralej|off18:29
*** phalmos has joined #openstack-keystone18:30
*** adrian_otto has joined #openstack-keystone18:31
*** jorge_munoz has joined #openstack-keystone18:31
jamielennoxlbragstad: can i get you to have a look at https://review.openstack.org/#/c/381380/18:42
jamielennoxlbragstad: it's going to conflict with your one validation method, but you're about the only person ATM who would know this area well enough to see if i missed something18:43
lbragstadjamielennox sure thing18:43
*** ruoyu has joined #openstack-keystone18:43
dstanekstevemar: i plan on prepping dolph with anything i want discussed...i'll give you a heads up before the summit too18:49
stevemardstanek: appreciated18:50
*** spzala has quit IRC18:51
*** gagehugo has quit IRC18:51
*** spzala has joined #openstack-keystone18:52
lbragstadstevemar same - i plan to proxy through dolphm18:53
*** hrybacki has joined #openstack-keystone18:53
hrybackio/18:53
stevemardolphm will need to install a load balancer with all the proxying hes gonna do18:53
* stevemar walks away for coffee after a terrible joke18:54
lbragstadba-dum-pshh18:54
kfox1111ok, seeing something weird...18:54
kfox1111http://logs.openstack.org/68/380868/22/experimental/gate-kolla-kubernetes-deploy-ubuntu-binary-ceph-nv/588148b/logs/openstack-catalog.txt18:54
kfox1111split endpoitns in the list.18:54
kfox1111I thought this may have been a race when they were put in the db, and the client wasn't merging right.18:55
kfox1111but:18:55
*** adrian_otto has quit IRC18:55
kfox1111http://pastebin.com/XZTYdSrf18:57
*** spzala has quit IRC18:57
kfox1111I see they actually have different .service_id's.18:57
hrybackiwrt knocking out a low-hanging-fruit bug with TripleO-Quickstart it appears most are assigned to Annapoornima Koppad(annakoppad) but I am not seeing them on internal or freenode -- anyone know their timezone?18:59
*** spzala has joined #openstack-keystone19:01
jamielennoxdstanek: you have a -1 on https://review.openstack.org/#/c/371856/ - anything i can explain there ?19:01
hrybackispecifically looking at https://bugs.launchpad.net/keystone/+bug/1570463 and https://bugs.launchpad.net/keystone/+bug/1410029 as candidates19:01
openstackLaunchpad bug 1570463 in OpenStack Identity (keystone) "RFE: keystone-manage CLI to allow using syslog & specific log files" [Medium,Triaged] - Assigned to Annapoornima Koppad (annakoppad)19:01
openstackLaunchpad bug 1410029 in OpenStack Identity (keystone) "Unnecessary conflict wrapper on assignment driver delete_project() method" [Low,Triaged] - Assigned to Annapoornima Koppad (annakoppad)19:01
kfox1111oh.. I wonder if this is because they are being created in parallel.19:02
*** spzala has quit IRC19:05
*** code-R has joined #openstack-keystone19:06
openstackgerritMerged openstack/keystone: Fix a typo in _init_.py  https://review.openstack.org/38152619:07
hrybackiayoung ^^19:11
ayounghrybacki, gonna test workflow with that?19:12
hrybackimaybe. think either would be a good candidate? Not sure how much additional setup / testing is necessary to replicate either though19:13
* hrybacki leans on your experience19:13
ayoungdelete_project is more real hrybacki19:14
ayoungmore worth checking19:14
ayoungbut both are pretty simple.  Give it a go19:14
hrybackiwhat about the assignee? don't want just bump them19:14
dstanekjamielennox: i'm just worried that this can be used incorrectly in the future. i can take off my -119:18
jamielennoxdstanek: you don't need to take it off from prodding, i just wanted to discuss any concerns19:20
jamielennoxdstanek: unfortunately we have no choice but to default it to True because that was the old behaviour19:21
*** david-lyle has quit IRC19:22
dstanekjamielennox: i'd really just like to see the admin project go away19:23
lbragstadstevemar raildo dolphm do you know anh irc nick?19:24
lbragstadtrananhkma o/19:24
lbragstadi think i figured out what happened with that upgrade bug...19:25
lbragstadhttps://bugs.launchpad.net/keystone/+bug/1630259/comments/219:25
openstackLaunchpad bug 1630259 in OpenStack Identity (keystone) "KeyError: 'is_domain' during mitaka -> newton rolling upgrade" [High,Triaged] - Assigned to Lance Bragstad (lbragstad)19:25
jamielennoxdstanek: the admin_project go away? it's only been there for about a cycle19:25
dstanekjamielennox: beyond cloud admin is there a usecase for it?19:27
jamielennoxdstanek: it was basically a hack to specify one project that could do cross project things19:27
jamielennoxdstanek: so you can give someone admin on a project and not have them listing hypervisors and stuff that is not project specific19:28
*** spzala has joined #openstack-keystone19:28
*** dikonoor has quit IRC19:37
dolphmlbragstad: i do not, but i'd like to know19:38
lbragstaddolphm trananhkma filed the bug early - according to IRC19:39
lbragstads/early/earlier/19:39
dolphmlbragstad: so that's probably only a bug for uuid & pki?19:39
lbragstaddolphm i believe so19:39
lbragstadnon-persistent formats wouldn't be affected19:39
dolphmlbragstad: oh, i hadn't read the paragraph where you talked about fernet yet :P19:40
lbragstaddolphm i think part of the reason is because we rely on stale data in uuid validation19:40
dolphmlbragstad: ++19:41
dolphmlbragstad: if the value isn't there though, you can't just assume always-false, can you?19:41
dolphmi.e. .get('is_domain', False)19:41
lbragstaddolphm that i'm not sure on - that'd be a better question for raildo maybe19:41
lbragstaddolphm fwiw - this chain makes it so that all token formats valid online, every time https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:cleanup-token-provider19:42
dolphmi think you'd have to look up the project to know for sure, because that attribute was added to the token API long after it was an attribute on the actual project19:42
*** woodster_ has joined #openstack-keystone19:45
*** ruoyu has quit IRC19:46
*** code-R_ has joined #openstack-keystone19:48
*** bjolo_ has quit IRC19:49
*** bjolo_ has joined #openstack-keystone19:49
*** code-R_ has quit IRC19:49
*** code-R has quit IRC19:49
*** code-R has joined #openstack-keystone19:50
*** jdennis1 has quit IRC19:55
*** bjolo_ has quit IRC20:01
stevemardolphm: ++, lbragstad you can probably safely assume is_domain is false20:04
*** asettle has joined #openstack-keystone20:07
*** david-lyle has joined #openstack-keystone20:07
*** jdennis has joined #openstack-keystone20:09
*** adrian_otto has joined #openstack-keystone20:09
*** lamt has quit IRC20:12
*** harlowja has joined #openstack-keystone20:15
*** jorge_munoz has quit IRC20:18
*** david-lyle has quit IRC20:19
*** david-lyle has joined #openstack-keystone20:19
*** code-R has quit IRC20:22
raildolbragstad, sorry, i was afk, looking into the patch right now20:22
*** code-R has joined #openstack-keystone20:22
lbragstadraildo cool - thanks20:23
*** mordred has quit IRC20:23
raildolbragstad, we made is_domain==False by default, even if the used didn't set it, so that's the reason why we assume is_domain will be in the project field20:26
lbragstadraildo that makes sense - but I think the upgrade fails because it's assuming it to be there for the token reference, too20:27
*** code-R has quit IRC20:28
*** lamt has joined #openstack-keystone20:29
raildolbragstad, during the migration we already have this value, following the script: https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/074_add_is_domain_project.py#L25-L26, don't we?20:29
lbragstadraildo right - but not for the token reference20:30
lbragstadraildo that's the project20:30
lbragstadraildo the problem is that token validation fails here - https://github.com/openstack/keystone/blob/stable/newton/keystone/models/token_model.py#L21320:31
*** roxanaghe has joined #openstack-keystone20:32
raildolbragstad, right, I'm looking to your change, it's weird since we follow similar changes for other properties, but makes sense for me.20:33
raildolbragstad, looking to your description on the launchpad, totally makes sense to me.20:38
lbragstadraildo sweet20:40
lbragstadraildo thanks for giving it a once over20:40
*** asettle has quit IRC20:43
raildolbragstad, np, if want I can add some test on your patch, or just help with some reviews20:45
lbragstadraildo yeah - that would be awesome!20:45
raildolbragstad, great :)20:46
*** mordred has joined #openstack-keystone20:53
*** gyee has joined #openstack-keystone20:55
*** ChanServ sets mode: +v gyee20:55
openstackgerritLance Bragstad proposed openstack/keystone: Add tests for validating expired tokens  https://review.openstack.org/38206920:57
lbragstadjamielennox ping20:57
*** adriant has joined #openstack-keystone20:57
lbragstadjamielennox feel free to steal that and work it into your commit ^20:57
*** asettle has joined #openstack-keystone20:57
*** denismakogon has quit IRC20:59
*** david-lyle has quit IRC21:04
jamielennoxlbragstad: meeting for the next half hour or so, but i can rebase on that21:05
jamielennoxlbragstad: more tests are good there, i think i'm safe but you never know21:05
openstackgerritLance Bragstad proposed openstack/keystone: Don't validate token expiry in the persistence backend  https://review.openstack.org/38138021:05
lbragstadjamielennox done ^21:06
lbragstadjamielennox so far - i think your patch looks good21:06
jamielennoxlbragstad: i think it's safe, if it wasn't then all the fernet token expiry would fail, but it's so messy it's hard to tell21:06
lbragstadthe only thing I wanted to verify was the fact we're maintaining those keystone/tests/unit/token/test_backend.py behaviors21:06
jamielennoxwell they're persistence behaviours which is not necessarily the same21:07
lbragstadacross token providers an expired token should return the same response21:08
lbragstadregardless of being persistent or non-persistent I would think21:08
jamielennoxoh yea, it's crazy in there21:09
lbragstadjamielennox very - once https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:cleanup-token-provider merges hopefully it's easier to understand from a validation perspective21:09
lbragstadjamielennox after that - we can start working on cleaning up the issue_token path21:10
lbragstadideally - once that's done all the token formatting logic should be in the controllers21:11
lbragstadand not in the providers21:11
* lbragstad crosses fingers21:11
jamielennoxlbragstad: yea, i considered basing it on that but it had a WIP prefix21:13
lbragstadjamielennox yeah - you could.. it all works, i just wanted get some opinions before they merged21:14
*** raildo has quit IRC21:15
jamielennoxlbragstad: merge it!21:16
lbragstadjamielennox +2 it! :)21:18
jamielennoxdamnit21:18
*** r-daneel has joined #openstack-keystone21:20
*** jaugustine has quit IRC21:22
*** gagehugo has joined #openstack-keystone21:25
*** adam_g` is now known as adam_g21:25
*** spilla has quit IRC21:26
*** gagehugo_ has joined #openstack-keystone21:27
bknudsondolphm: this looks like something that could be used by doctor - https://review.openstack.org/#/c/381968/21:31
bknudsonand others ^21:31
bknudsonspec for an oslo config validator21:32
*** david-lyle has joined #openstack-keystone21:33
*** david-lyle has quit IRC21:42
*** david-lyle has joined #openstack-keystone21:47
*** david-lyle has quit IRC21:48
*** david-lyle has joined #openstack-keystone21:48
*** asettle has quit IRC21:52
*** spzala has quit IRC21:59
*** adrian_otto has quit IRC21:59
*** adrian_otto has joined #openstack-keystone21:59
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event indexes  https://review.openstack.org/37652322:01
*** asettle has joined #openstack-keystone22:04
*** adrian_otto has quit IRC22:06
*** lamt has quit IRC22:08
*** asettle has quit IRC22:10
*** edmondsw has quit IRC22:10
*** dave-mccowan has quit IRC22:11
*** gagehugo has quit IRC22:20
openstackgerritJamie Lennox proposed openstack/keystone: Allow fetching an expired token  https://review.openstack.org/38209822:46
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Pass allow_expired to token validate  https://review.openstack.org/38209922:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Specify that unknown arguments can be passed to fetch_token  https://review.openstack.org/37903422:48
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Pass ?allow_expired  https://review.openstack.org/38210022:48
*** rcernin has quit IRC22:50
jamielennoxstevemar: can you remove your W-1 from https://review.openstack.org/#/c/359653/22:51
jamielennoxpossibly change to a W+122:52
*** r-daneel has quit IRC22:52
openstackgerritJamie Lennox proposed openstack/keystone: Implement Views and convert credentials  https://review.openstack.org/33542322:56
*** sdake has joined #openstack-keystone22:58
openstackgerritRichard Avelar proposed openstack/keystone: Improve keystone validation performance  https://review.openstack.org/38210723:01
*** sdake_ has joined #openstack-keystone23:05
*** ravelar has quit IRC23:08
*** ravelar has joined #openstack-keystone23:08
*** sdake has quit IRC23:09
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event indexes  https://review.openstack.org/37652323:12
*** jamielennox is now known as jamielennox|away23:12
*** jamielennox|away is now known as jamielennox23:13
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event indexes  https://review.openstack.org/37652323:13
*** ravelar has quit IRC23:19
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event indexes  https://review.openstack.org/37652323:21
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event index  https://review.openstack.org/37652323:24
*** iurygregory_ has joined #openstack-keystone23:26
*** roxanaghe has quit IRC23:27
openstackgerritRon De Rose proposed openstack/keystone: Improve check_token validation performance  https://review.openstack.org/38210723:31
openstackgerritRon De Rose proposed openstack/keystone: Improve check_token validation performance  https://review.openstack.org/38210723:32
openstackgerritJamie Lennox proposed openstack/keystone-specs: Allow retrieving an expired token  https://review.openstack.org/38136123:39
openstackgerritJamie Lennox proposed openstack/keystone-specs: Allow retrieving an expired token  https://review.openstack.org/38136123:41
*** chris_hultin is now known as chris_hultin|AWA23:47
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Pass allow_expired to token validate  https://review.openstack.org/38209923:56
*** haplo37_ has quit IRC23:58
« Monday, 2016-10-03 Index Wednesday, 2016-10-05 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!