Thursday, 2016-10-06

« Wednesday, 2016-10-05 Index Friday, 2016-10-07 »
*** arunkant has joined #openstack-keystone00:03
*** gagehugo has quit IRC00:06
*** tqtran has quit IRC00:07
*** dikonoor has joined #openstack-keystone00:09
*** dikonoor has quit IRC00:18
*** markvoelker has joined #openstack-keystone00:22
*** ddieterly has joined #openstack-keystone00:22
*** markvoelker has quit IRC00:27
*** phalmos has joined #openstack-keystone00:42
*** phalmos has quit IRC00:54
*** dave-mcc_ has joined #openstack-keystone00:54
*** dave-mccowan has quit IRC00:55
*** ddieterly has quit IRC00:57
*** browne has quit IRC01:04
tonybCan someone take a quick look at: http://logs.openstack.org/90/381890/3/gate/gate-cross-keystone-python27-db-ubuntu-xenial/b6d48e7/console.html#_2016-10-05_22_37_43_851778 and tell me if it look slike a false positive to them?01:04
tonybit's a requirements (consstraints) chnage but not one used in keystone so I'm assuming it is a false positive but I'd like a seconf opinion bfore I 'recheck' it01:05
tonybHmm maybe not the only hits in logstash are for this review ...01:08
*** code-R has joined #openstack-keystone01:14
*** knikolla_ has quit IRC01:25
*** morgan has quit IRC01:27
*** dave-mccowan has joined #openstack-keystone01:28
*** dave-mcc_ has quit IRC01:29
*** code-R_ has joined #openstack-keystone01:33
*** ddieterly has joined #openstack-keystone01:35
*** code-R has quit IRC01:36
trananhkmastevemar, step 9 in guideline of upgrading without downtime: http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime -- "Upgrade all keystone nodes to the next release, and restart them one at a time"01:44
trananhkmastevemar, if all nodes down, how can it be 'without downtime'?01:44
trananhkmastevemar, should we update this?01:45
*** dave-mccowan has quit IRC02:01
*** code-R_ has quit IRC02:03
*** code-R has joined #openstack-keystone02:03
*** ddieterly has quit IRC02:05
*** code-R_ has joined #openstack-keystone02:10
*** code-R has quit IRC02:14
*** iurygregory_ has quit IRC02:25
*** spzala has joined #openstack-keystone02:31
*** jorge_munoz has quit IRC02:34
*** code-R has joined #openstack-keystone02:37
*** code-R_ has quit IRC02:37
*** jorge_munoz has joined #openstack-keystone02:38
*** haplo37_ has quit IRC02:39
*** haplo37_ has joined #openstack-keystone02:41
*** mordred has quit IRC03:03
*** mordred has joined #openstack-keystone03:06
*** nicolasbock has joined #openstack-keystone03:11
*** sdake has joined #openstack-keystone03:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/37882903:27
*** spzala has quit IRC03:28
*** code-R has quit IRC03:43
*** sdake_ has joined #openstack-keystone03:45
*** knikolla_ has joined #openstack-keystone03:45
*** sdake has quit IRC03:47
*** links has joined #openstack-keystone03:47
*** r1chardj0n3s has joined #openstack-keystone03:48
r1chardj0n3sohai folks - I need to do some dev/testing in Horizon against a federated keystone, and would like your advice on the absolutely easiest possible way I could set that up - preferably on a single box03:49
r1chardj0n3sthis isn't for any kind of deployment, it's purely for dev and testing03:50
*** code-R has joined #openstack-keystone03:52
*** code-R_ has joined #openstack-keystone03:53
*** code-R has quit IRC03:57
*** nicolasbock has quit IRC04:03
*** morgan has joined #openstack-keystone04:07
*** GB21 has joined #openstack-keystone04:11
*** phalmos has joined #openstack-keystone04:11
*** agireud has quit IRC04:16
*** alee has quit IRC04:16
*** agireud has joined #openstack-keystone04:24
*** markvoelker has joined #openstack-keystone04:25
*** jaosorior has joined #openstack-keystone04:25
*** GB21 has quit IRC04:26
*** markvoelker has quit IRC04:30
*** code-R has joined #openstack-keystone04:37
*** code-R_ has quit IRC04:37
*** GB21 has joined #openstack-keystone04:38
*** code-R_ has joined #openstack-keystone04:41
*** code-R has quit IRC04:44
*** bjolo_ has joined #openstack-keystone05:06
*** code-R has joined #openstack-keystone05:07
*** code-R_ has quit IRC05:07
*** knikolla_ has quit IRC05:07
*** thebloggu has quit IRC05:10
*** phalmos has quit IRC05:11
*** code-R has quit IRC05:12
*** haplo37_ has quit IRC05:15
*** haplo37_ has joined #openstack-keystone05:17
*** david-lyle has joined #openstack-keystone05:19
*** markvoelker has joined #openstack-keystone05:26
*** markvoelker has quit IRC05:31
*** richm has quit IRC05:40
*** alex_xu has quit IRC05:48
bretonmorning, keystone05:51
*** alex_xu has joined #openstack-keystone05:51
*** adriant has quit IRC05:54
*** jaosorior has quit IRC05:55
*** jaosorior has joined #openstack-keystone05:57
*** david-lyle_ has joined #openstack-keystone06:04
*** david-lyle has quit IRC06:04
*** sdake_ has quit IRC06:11
*** david-lyle_ has quit IRC06:12
*** code-R has joined #openstack-keystone06:14
*** rcernin has joined #openstack-keystone06:15
*** code-R_ has joined #openstack-keystone06:16
*** code-R has quit IRC06:19
*** markvoelker has joined #openstack-keystone06:27
*** markvoelker has quit IRC06:32
*** pnavarro has joined #openstack-keystone06:32
*** jorge_munoz_ has joined #openstack-keystone06:42
*** jorge_munoz has quit IRC06:43
*** jorge_munoz_ is now known as jorge_munoz06:43
*** code-R_ has quit IRC07:03
*** amoralej|off is now known as amoralej07:10
*** tesseract- has joined #openstack-keystone07:11
*** code-R has joined #openstack-keystone07:13
*** jidar_ has joined #openstack-keystone07:16
*** jidar has quit IRC07:16
*** jidar_ is now known as jidar07:17
*** pcaruana has joined #openstack-keystone07:26
*** ash__ has joined #openstack-keystone07:27
*** code-R has quit IRC07:27
*** markvoelker has joined #openstack-keystone07:28
*** code-R has joined #openstack-keystone07:28
*** markvoelker has quit IRC07:32
*** code-R has quit IRC07:34
*** bjolo_ has quit IRC07:42
*** mvk has quit IRC07:51
*** ash__ has quit IRC07:54
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:01
*** haplo37_ has quit IRC08:01
*** haplo37_ has joined #openstack-keystone08:03
*** code-R has joined #openstack-keystone08:12
*** code-R_ has joined #openstack-keystone08:13
*** qwertyco_ has joined #openstack-keystone08:15
*** code-R has quit IRC08:17
*** jaosorior is now known as jaosorior_lunch08:17
*** code-R_ has quit IRC08:18
*** qwertyco_ has quit IRC08:21
*** qwertyco has joined #openstack-keystone08:21
*** mvk has joined #openstack-keystone08:23
*** qwertyco is now known as qwertyco_08:24
*** qwertyco_ has quit IRC08:26
*** qwertyco has joined #openstack-keystone08:26
*** spzala has joined #openstack-keystone08:28
*** spzala has quit IRC08:33
*** pnavarro has quit IRC08:35
*** asettle has joined #openstack-keystone08:39
*** qwertyco has quit IRC08:58
*** qwertyco has joined #openstack-keystone08:58
*** qwertyco has quit IRC08:58
*** qwertyco has joined #openstack-keystone08:59
*** bjolo_ has joined #openstack-keystone09:02
*** qwertyco has quit IRC09:14
*** qwertyco has joined #openstack-keystone09:14
*** qwertyco has quit IRC09:21
*** qwertyco has joined #openstack-keystone09:21
*** code-R has joined #openstack-keystone09:25
*** mvk has quit IRC09:29
*** code-R_ has joined #openstack-keystone09:29
*** code-R has quit IRC09:32
*** hoangcx has joined #openstack-keystone09:35
*** jaosorior_lunch has quit IRC09:36
*** jaosorior_lunch has joined #openstack-keystone09:36
*** qwertyco has quit IRC09:37
*** qwertyco has joined #openstack-keystone09:37
*** mvk has joined #openstack-keystone09:41
*** jaosorior_lunch is now known as jaosorior09:44
*** woodster_ has quit IRC10:00
*** jorge_munoz has quit IRC10:04
*** richm has joined #openstack-keystone10:10
*** hoangcx has quit IRC10:11
*** hoangcx has joined #openstack-keystone10:12
*** hoangcx has quit IRC10:12
*** code-R_ has quit IRC10:24
*** code-R has joined #openstack-keystone10:24
*** nicolasbock has joined #openstack-keystone10:32
*** pjm6 has quit IRC10:54
*** pjm6 has joined #openstack-keystone10:54
dstanekr1chardj0n3s: i have an ansible role that i use to set a testshib test11:02
*** d0ugal has quit IRC11:05
*** d0ugal has joined #openstack-keystone11:06
*** d0ugal has quit IRC11:06
*** d0ugal has joined #openstack-keystone11:06
*** code-R has quit IRC11:13
r1chardj0n3sdstanek: please tell me more (though I'm actually about to go to bed :-)11:23
dstanekr1chardj0n3s: i was planning on pushing anyway. i can make it a priority to get done this morning. i just have to get the kids off to school11:25
dstaneki have a role 'keystone-sp' that is pretty simple and only used a handful of optional vars11:26
*** code-R has joined #openstack-keystone11:26
r1chardj0n3sdstanek: simple sounds awesome :-D11:26
dstanekit is mostly hard coded at this point to just work with testshib although i have been tweaking it to work with other IdPs so i can test single logout11:27
dstaneki also have a 'devstack' role that fires up devstack and a playbook that combines the two11:27
r1chardj0n3sdstanek: I have literally no idea what testshib is :-)11:28
r1chardj0n3sbut I do know "devstack" and "IdP" and "hard coded" and other words and phrases you use11:28
r1chardj0n3s:-)11:28
dstanektestshib is a public IdP running the shibboleth software. it is useful for testing service providers11:28
dstanekr1chardj0n3s: :-)11:28
dstanekwhat do you need to use as an IdP? or does it not really matter for your purpose?11:29
r1chardj0n3sah, excellent! I was greatly afeared of the shibboleth "documentation" today11:29
r1chardj0n3sI really don't care what is used, as long as Horizon thinks keystone is federated :-)11:29
r1chardj0n3sI need to sort out some issues in our user interface that don't allow federated users to perform some actions11:30
r1chardj0n3sand the only way I can be certain of fixes is to reproduce the original issues11:30
dstanekr1chardj0n3s: nice, that's what i was working on yesterday. specifically domain admins11:30
r1chardj0n3syep, that sounds familiar11:30
dstanekby the time you wake up i'll have some stuff for you to generate the environment11:31
r1chardj0n3sthat's awesome, thanks!11:31
dstaneknp. i'll send you an email when it's done11:32
dstanekit's tested on U16.04 and F2411:32
*** code-R has quit IRC11:32
bjolomorning11:33
*** spzala has joined #openstack-keystone11:33
dstanekbjolo: good morning11:33
bjoloim trying to setup keystone v3 with the policy.v3cloudsample.json file11:35
bjolobut i dont know if it is working correctly (one indicator is that i dont get the domains tab visible in horizon)11:35
bjolois there a way i can test what type of token i get from keystone?11:36
bjoloi.e. can i prove that from a keystone perspective, i am cloud_admin?11:36
bjolomy installation is a fresh openstack-kolla newton11:37
bjoloand a devstack11:37
bjoloboth behave the same11:37
bjolohttp://www.symantec.com/connect/blogs/domain-support-horizon-here11:37
dstanekbjolo: i finished the day yesterday confused on how it could actually work. at this point i can't get it to work either11:37
*** spzala has quit IRC11:37
dstanekbjolo: one thing you need to do is put your policy in horizon's conf directory too11:38
bjoloi have done that11:38
bjolosee the symantec blogg. need a special version of policy.json file since horizon does not support the default one11:39
bjolodstanek, so you can confirm that it is not working for you either?11:39
dstanekbjolo: i moved this to the horizon channel11:39
bjolohave done that11:40
bjolobut i kinda need to prove that keystone works first11:40
bjoloso back to my original question11:40
bjolohow can i verify/validate that i am cloud_admin?11:40
dstanekbjolo: do something that requires you to be a cloud admin11:42
*** alex_xu has quit IRC12:12
*** alex_xu has joined #openstack-keystone12:14
*** qwertyco has quit IRC12:24
*** qwertyco has joined #openstack-keystone12:24
*** lamt has quit IRC12:25
*** edmondsw has joined #openstack-keystone12:26
*** alex_xu has quit IRC12:27
*** alex_xu has joined #openstack-keystone12:29
*** markvoelker has joined #openstack-keystone12:31
*** code-R has joined #openstack-keystone12:34
*** ddieterly has joined #openstack-keystone12:37
*** ddieterly has quit IRC12:41
*** jaosorior has quit IRC12:41
*** code-R_ has joined #openstack-keystone12:49
*** links has quit IRC12:50
*** code-R has quit IRC12:53
openstackgerritAlexander Makarov proposed openstack/keystone: Verbose 401/403 debug responses  https://review.openstack.org/37243312:56
*** raildo has joined #openstack-keystone12:56
*** spzala has joined #openstack-keystone12:59
stevemaro/13:02
*** dave-mccowan has joined #openstack-keystone13:04
*** ayoung has joined #openstack-keystone13:04
*** ChanServ sets mode: +v ayoung13:04
*** nishaYadav has joined #openstack-keystone13:05
*** nishaYadav is now known as Guest1003413:05
*** namnh has joined #openstack-keystone13:05
*** links has joined #openstack-keystone13:05
*** agireud has quit IRC13:10
*** Guest10034 has quit IRC13:10
bretonnewton has just been released13:16
*** agireud has joined #openstack-keystone13:18
*** haplo37_ has quit IRC13:28
dstanekmorning13:29
*** haplo37_ has joined #openstack-keystone13:30
cnfohai13:30
lbragstadjo/13:32
cnfanyone know why i'd get "ServiceCatalogException: Invalid service catalog service: object-store" in horizon logs?13:32
dstanekcnf: is that a horizon exception?13:42
cnfdstanek yes13:44
lbragstadhere is an easy review for folks if anyone has time to review - https://review.openstack.org/#/c/382453/13:45
lbragstad^ closes a bug13:45
cnfdstanek it's gone now, but i am uncertain what I changed?13:46
*** ash__ has joined #openstack-keystone13:47
cnfdstanek http://paste.openstack.org/show/584678/ is the full traceback, if you want13:47
amakarovlbragstad, please review mine https://review.openstack.org/#/c/372433/ if I addressed your comments properly?13:48
dstanekcnf: that appears to be a horizon thing13:49
*** phalmos has joined #openstack-keystone13:50
*** GB21 has quit IRC13:53
* cnf hangs his head13:56
*** nicolasbock has quit IRC13:58
*** tonytan4ever has joined #openstack-keystone13:59
*** sdake has joined #openstack-keystone13:59
*** nicolasbock has joined #openstack-keystone14:01
*** knikolla_ has joined #openstack-keystone14:03
*** namnh has quit IRC14:06
*** tonytan4ever has quit IRC14:06
*** tonytan4ever has joined #openstack-keystone14:06
*** ddieterly has joined #openstack-keystone14:08
*** sdake has quit IRC14:15
*** bjolo_ has quit IRC14:18
*** knikolla_ has quit IRC14:24
knikollao/14:27
*** jorge_munoz has joined #openstack-keystone14:31
*** ash__ has quit IRC14:34
*** chris_hultin|AWA is now known as chris_hultin14:34
*** ddieterly is now known as ddieterly[away]14:38
*** qwertyco has quit IRC14:41
*** ddieterly[away] is now known as ddieterly14:42
*** DuncanT has quit IRC14:55
*** phalmos_ has joined #openstack-keystone14:55
*** raddaoui has quit IRC14:55
*** boris-42 has quit IRC14:55
*** cargonza has quit IRC14:55
*** andrewbogott has quit IRC14:55
*** pkoraca has quit IRC14:55
*** AndyWojo has quit IRC14:55
*** hrybacki has quit IRC14:55
*** phalmos has quit IRC14:58
cnfdoes keystone still support v2 in mikata, or is that disabled?15:00
dstanekcnf: still supported, but deprecated I believe15:00
cnfhmm15:00
cnfthen cyberduck is doing stupid things15:00
*** ravelar has joined #openstack-keystone15:01
cnfit still uses V2, and keystone doesn't seem to be accepting it15:01
amakarovlbragstad, if I call _LW(msg), where msg = "string %s" % "injected" what will be i18n'ed?15:04
dstanekcnf: what do you mean by accept?15:09
dstanekcnf: is the v2 api enabled?15:10
cnfuhm, good question, how do you enable it?15:10
cnfor disable it15:10
lbragstadamakarov prior to your patch - those log statements were LOG.warning(_LW('Some warning message')) - right?15:11
lbragstadAll i'm saying is that if we are doing a _LW before logging the message - we should continue that pattern with your patch15:11
dstanekamakarov: you want to do _LW('string %s") % "injected"15:11
dstanek15:12
lbragstaddstanek thanks15:12
lbragstadamakarov dstanek knows everything there is to know about logging/internationization/string injection ;)15:12
amakarovlbragstad, dstanek thanks for insight )15:14
dstanekamakarov: yw15:16
dstanekif you need the injected string translated it is possible if it's a constant15:17
amakarovdstanek, that's the core of my question :)15:17
*** r-daneel has joined #openstack-keystone15:17
dstanekamakarov: do you have a sample somewhere?15:18
*** code-R_ has quit IRC15:18
amakarovdstanek, https://review.openstack.org/#/c/372433/9/keystone/token/controllers.py15:19
dstanekamakarov: those are just IDs. there is nothing to translate15:20
dstanekamakarov: the translation is static and done ahead of time. it's not dymamic. the only part that is dynamic is picking the translated string *if* it is available15:21
dstanekamakarov: this is how you'd do it if you had constants: http://paste.openstack.org/raw/584706/15:21
amakarovdstanek, yes, I think it's obvious: how can one create translation files for something that WILL be defined in runtime?15:22
dstanekexactly. so what exactly is your question?15:23
*** boris-42 has joined #openstack-keystone15:24
amakarovdstanek, I wanted to clarify what lbragstad ment in his comment15:25
amakarovlbragstad, about this comment: https://review.openstack.org/#/c/372433/9/keystone/v2_crud/user_crud.py15:26
lbragstadamakarov yep15:26
amakarovI agree it may be a breach, though what do you think about fixing in in another patch?15:27
amakarovthis one pursue it's purpose15:27
*** marekd2 has joined #openstack-keystone15:28
lbragstadamakarov previously - we would just raise an Unauthorized exception without a specific message - now we are providing a message as well as whatever assertion error was excepted.15:29
amakarovlbragstad, otoh, creating a vulnerability to solve it in the future causes some doubts...15:29
*** hrybacki has joined #openstack-keystone15:29
amakarovlbragstad, yep15:29
lbragstadThe way the message is worded makes it seem like the new password has something wrong with it15:29
lbragstadand by the series of events - the new password isn't even checked yet15:30
lbragstadso it would only be an issue with the current password15:30
amakarovlbragstad, so it's just about the form of the message - not about the information we provide to a potential attacker?15:30
openstackgerritMerged openstack/keystone: Default the resource backend to SQL  https://review.openstack.org/38245315:31
lbragstadamakarov well - that's something to think about too15:31
lbragstadin that case - if the authentication with the current password fails, a 401 unauthorized makes sense15:31
*** pnavarro has joined #openstack-keystone15:32
*** tonytan_brb has joined #openstack-keystone15:32
amakarovwell, are you agree on sending "Password change failed" for now? Without details?15:34
amakarovlbragstad, ^15:34
*** nicolasbock has quit IRC15:34
lbragstadamakarov well - the password change failed but not because of the new password15:35
lbragstadthat's the part that is confusing15:35
*** tonytan4ever has quit IRC15:35
*** andrewbogott has joined #openstack-keystone15:35
amakarovlbragstad, attacker can analyse the code and understand the reason anyway15:36
*** DuncanT has joined #openstack-keystone15:36
*** andrewbogott has quit IRC15:37
*** andrewbogott has joined #openstack-keystone15:37
dstanekcnf: there would be /v2.0 entries in the paste.ini15:37
lbragstadamakarov i'm thinking about user experience. previously if the current password failed we didn't emit any message about "password change" failing - we just emitted a 401. Now we are going to emit a "password change" failed message which could lead a user to think the request failed because of the new password they used, when that wasn't the case at all15:38
amakarovlbragstad, I suggest sending something similar to "v2 password change failed due to rejected authentication"15:38
lbragstadamakarov yeah - that would be better15:38
*** adrian_otto has joined #openstack-keystone15:38
cnfdstanek yeah, they seem to be there15:39
dstanekcnf: what's the issue you are having?15:40
amakarovlbragstad, ookay - now to fight pep8 :)15:40
lbragstadamakarov perfect15:40
*** cargonza has joined #openstack-keystone15:41
amakarovdstanek, how to resolve "H701  Empty localization string" ?15:41
amakarovI'm using _LW(msg) syntax15:42
cnfdstanek can't make cyberduck work on v2 (which is what it uses)15:42
*** raddaoui has joined #openstack-keystone15:42
amakaroviirc it's your hack in the tests that raises it?15:42
openstackgerritLance Bragstad proposed openstack/keystone: Default the assignment backend to SQL  https://review.openstack.org/38242815:42
dstanekH701 is not my error message15:43
dstanekwhat is msg and why are you not using a constant?15:43
lbragstadstevemar rodrigods had to resolve an import that snuck out from under me - https://review.openstack.org/#/c/382428/15:43
*** AndyWojo has joined #openstack-keystone15:43
amakarovdstanek, https://review.openstack.org/#/c/372433/9/keystone/common/request.py15:43
amakarovsee first lbragstad's comment15:44
amakarovdstanek, I want to avoid # noqa it possible15:45
amakarov*if15:45
dstanekamakarov: i don't think _(var) actually works. i think it has to be a constant15:46
dstanekerrr...literal in this case15:46
amakarovlbragstad, can you suggest something about this? ^^15:46
*** nicolasbock has joined #openstack-keystone15:46
dstanekamakarov: http://docs.openstack.org/developer/oslo.i18n/guidelines.html#using-a-marker-function15:47
dstanekyou need to use a literal string15:47
amakarovdstanek, ok, got it. lbragstad are you ok with literals?15:48
dstanekamakarov: i'd just keep it that way. create the 'msg' var and use it later15:49
*** pkoraca has joined #openstack-keystone15:49
amakarovdstanek, like msg = _LW("whatever") ?15:49
dstanekamakarov: yes. the thing in _() has to be a literal, but the var can be used anywhere15:50
amakarovdstanek, the problem is that the same message is translated with _() and _LW()15:51
amakarovso I HAVE to repeat the literal15:51
dstaneki think the way it works is that a script parses the Python code looking for strings inside of the hints. then those are shipped to translators. the script doesn't try to evaluate the code to figure out if the thing passed into the hints is actually a static string.15:51
amakarovdstanek, makes sense15:51
dstanekamakarov: no, use the same one. the one that is wrapped in _()15:52
amakarovdstanek, so be it15:52
dstanekamakarov: anything in _() will be translated. the others are prioritized and may not be translated15:52
dstanekfor example the things a user sees should be _(), but logs should be _L?(). if they don't have time to translate all the warnings for log files that's not as big of a deal15:53
dstanekamakarov: http://docs.openstack.org/developer/oslo.i18n/guidelines.html#choosing-a-marker-function15:53
*** woodburn has joined #openstack-keystone15:54
*** haplo37_ has quit IRC15:57
*** haplo37_ has joined #openstack-keystone15:59
*** rcernin has quit IRC16:01
*** david-lyle has joined #openstack-keystone16:01
stevemarnewton is out the door :)16:02
stevemarthanks everyone for helping to make a great release16:02
amakarovstevemar, so keystone is great again? ;)16:03
stevemaramakarov: i wouldn't go so far as to say that16:03
stevemaramakarov: my goal is always: make keystone less bad16:03
amakarovstevemar, it there a list of bad things in keystone? launchpad bugs?16:04
*** nishaYadav has joined #openstack-keystone16:04
*** ravelar has quit IRC16:04
nishaYadavo/16:05
stevemaramakarov: i was mostly trying to be funny :P16:05
stevemaramakarov: but i'm working on a list of things i think we should have16:05
amakarovstevemar, me too :)16:05
knikollayay for newton!16:08
openstackgerritAlexander Makarov proposed openstack/keystone: Verbose 401/403 debug responses  https://review.openstack.org/37243316:12
amakarovlbragstad, dstanek ^^16:12
*** gyee has joined #openstack-keystone16:13
*** jistr is now known as jistr|afk16:14
*** adrian_otto has quit IRC16:15
*** spzala has quit IRC16:25
*** mvk has quit IRC16:27
*** nishaYadav_ has joined #openstack-keystone16:31
*** tesseract- has quit IRC16:31
*** nishaYadav_ has quit IRC16:33
*** nishaYadav_ has joined #openstack-keystone16:34
*** nishaYadav has quit IRC16:34
*** ravelar has joined #openstack-keystone16:34
*** ravelar has quit IRC16:34
*** ravelar has joined #openstack-keystone16:37
*** gyee has quit IRC16:51
*** pnavarro has quit IRC16:52
*** ddieterly is now known as ddieterly[away]16:54
*** tonytan_brb is now known as tonytan4ever16:54
*** jistr|afk is now known as jistr16:57
*** ddieterly[away] is now known as ddieterly16:57
*** nishaYadav_ has quit IRC16:58
*** nishaYadav_ has joined #openstack-keystone16:58
*** sdake has joined #openstack-keystone17:01
*** jamielennox|away has quit IRC17:02
*** asettle__ has joined #openstack-keystone17:02
*** david-lyle has quit IRC17:03
*** woodster_ has joined #openstack-keystone17:05
*** asettle has quit IRC17:07
*** asettle__ has quit IRC17:07
*** marekd2 has quit IRC17:08
*** mvk has joined #openstack-keystone17:10
*** jamielennox|away has joined #openstack-keystone17:16
*** jamielennox|away is now known as jamielennox17:16
*** ChanServ sets mode: +v jamielennox17:16
*** ddieterly is now known as ddieterly[away]17:19
*** martinus__ has quit IRC17:22
*** marekd2 has joined #openstack-keystone17:24
*** david-lyle has joined #openstack-keystone17:25
*** tqtran has joined #openstack-keystone17:27
*** gagehugo has joined #openstack-keystone17:33
*** gagehugo has quit IRC17:37
stevemardolphm: if you have a few minutes there are 2 mitaka patches that can be approved: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/mitaka17:37
*** marekd2 has quit IRC17:43
openstackgerritRon De Rose proposed openstack/keystone: Remove driver version from docs  https://review.openstack.org/38316317:44
openstackgerritMerged openstack/keystone: Default the assignment backend to SQL  https://review.openstack.org/38242817:50
openstackgerritRon De Rose proposed openstack/keystone: Remove driver version from identity backend test names  https://review.openstack.org/38316617:53
*** david-lyle has quit IRC17:55
*** gyee has joined #openstack-keystone17:57
*** tonytan4ever has quit IRC18:01
*** tonytan4ever has joined #openstack-keystone18:01
*** david-lyle has joined #openstack-keystone18:06
morganstevemar: +3 on  both of those18:06
stevemarmorgan: thanks! :)18:06
*** marekd2 has joined #openstack-keystone18:09
*** gagehugo has joined #openstack-keystone18:10
openstackgerritDeepak proposed openstack/keystonemiddleware: Changed the home-page link  https://review.openstack.org/38318318:10
*** marekd2 has quit IRC18:18
*** ddieterly[away] has quit IRC18:19
*** marekd2 has joined #openstack-keystone18:19
*** amoralej is now known as amoralej|off18:22
*** marekd2 has quit IRC18:23
openstackgerritDeepak proposed openstack/keystone-specs: Changed the home-page link  https://review.openstack.org/38319518:23
*** spzala has joined #openstack-keystone18:24
*** asettle has joined #openstack-keystone18:24
mfischstevemar: are there any docs on the password expiry stuff in newton?18:25
*** ddieterly has joined #openstack-keystone18:25
mfischlike how to enable it, manage it, figure out who's going to expire in the next 7 days etc18:26
*** jorge_munoz has quit IRC18:27
mfischdoes any tooling know how to use it yet? osc?18:28
openstackgerritAndreas Jaeger proposed openstack/keystone: Enable release notes translation  https://review.openstack.org/38322318:28
openstackgerritAndreas Jaeger proposed openstack/keystoneauth: Enable release notes translation  https://review.openstack.org/38322418:28
openstackgerritAndreas Jaeger proposed openstack/keystonemiddleware: Enable release notes translation  https://review.openstack.org/38322518:28
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/38313418:30
*** asettle has quit IRC18:35
mfischI think cache_on_issue should default to True18:38
mfischif token caching is enabled why wouldn't you want that18:38
mfischI'm going to change that so I can vote in April!18:40
*** nishaYadav_ has quit IRC18:41
*** asettle has joined #openstack-keystone18:44
*** haplo37_ has quit IRC18:45
*** haplo37_ has joined #openstack-keystone18:47
dolphmmfisch: +1018:49
mfischhttps://review.openstack.org/#/c/383333/18:49
mfischdont know why it didnt show up here18:49
mfischlet me know if it needs more changes18:50
mfischthat should probably land in O at this point18:50
*** harlowja has quit IRC18:50
stevemarmfisch: catching up on your rambles18:50
mfischlol18:51
dolphmmfisch's soliloquy hour18:51
mfischjust enjoy talking to myself18:51
lbragstadlol18:51
stevemarmfisch: so we were undecided on enabling token caching to true by default18:51
stevemarwe didn't have solid performance numbers we could rely on18:52
mfischnot token caching18:52
*** asettle has quit IRC18:52
mfischcache_on_issue18:52
stevemarright, caching token *on issue*18:52
stevemarwe (mostly i) just wanted it to bake a little longer18:52
mfischI mean if you turn token caching on, then that should just be on18:52
mfischstevemar: so default on for O?18:52
dolphmcache all the things everywhere all the time18:52
mfischcaching itself should probably default true but thats more complex18:53
stevemarmfisch: if you report back with positive feedback, sure18:53
mfischit introduces a dep on memcache18:53
mfischk18:53
mfischstevemar: poking around on N in my free time18:53
mfischwe still dont have M out to the world thanks to the cinder quota bug18:53
lbragstaddolphm just return 200 OK18:53
stevemarmfisch: also, for your question about PCI (password expiry stuff), the docs are in progress: https://review.openstack.org/#/c/374422/718:54
stevemarmfisch: i've been too slow to review them18:54
mfischhow would the user get notified that their password was expiring?18:55
mfischwe can't do a windows NT login pop-up18:55
dolphmmfisch: we're working with horizon first cc- rderose18:55
mfischk18:56
mfischwe have a horizon monkey here and I will ping him18:56
mfischI hope it looks like this http://bit.ly/2dOwlFb18:56
*** ducttape_ has joined #openstack-keystone18:56
*** david-lyle has quit IRC18:57
mfischducttape_: the new PCI password stuff for keystone will be fronted by horizon to warn on password expiry etc18:57
mfischrderose is working on it18:57
dolphmmfisch: that would be perfect18:57
mfischducttape_: this is the UI I want http://bit.ly/2dOwlFb18:57
dolphmmfisch: rather, your password is going to expire in X days, <here's a password change form>18:57
rderosemfisch: me too :)18:57
* ducttape_ haz a sad18:57
rderosemfisch: unfortunately, it's just an alert message18:58
rderosemfisch dolphm: https://review.openstack.org/#/c/369652/18:58
*** gagehugo has quit IRC18:58
mfischwhat happens with ldap users I wonder18:58
rderosemfisch: password expires in only supported by the sql backend for identity18:59
ducttape_is you need help with that patch lemme know rderose18:59
rderosemfisch: so password_expires_at would be None for ldap18:59
rderoseducttape: not my patch, see Juan Pablo lopez Gutierrez18:59
rderosehe's the owner on the horizon side19:00
stevemarrderose: the thinking is that you'll be alerted by your LDAP system anyway to change your password19:00
rderosestevemar: yeah19:00
rderoseexactly19:00
mfischyes19:00
mfischI dont want to get in between AD and users19:00
mfischlet AD deal with that19:00
rderoseagree19:00
mfischstevemar: you guys fixed more than 3 bugs in newton19:01
mfischare the others not Reno worthy?19:02
gsilvisQuestion about federation-related stuff:  Did something about shibboleth on centos break in the last few months?  Everyone suggests using the same opensuse repo, but there's now missing dependencies (an old version of openssl)19:02
dolphmmaybe only 3 bugs that we couldn't fix in mitaka?19:02
stevemarmfisch: there are probably some notes missing19:02
dolphmhopefully we don't have release notes for bugs we introduced AND fixed in the newton dev cycle19:02
mfischhah19:02
mfischtrue19:02
stevemarsome are not reno worthy for sure19:03
stevemarlike ... 1505374Unit tests failing with oslo.policy 0.12.019:03
*** jamielennox has quit IRC19:03
dolphmif that's a release note, delete it...?19:03
stevemardolphm: its not19:04
mfischdolphm: does osprofiler have a perf impact in the paste filter?19:04
dolphmmfisch: last i looked, "theoretically no," because it's disabled by default even though it's in the pipeline19:05
*** jamielennox|away has joined #openstack-keystone19:05
dolphmbut if it were me, i wouldn't deploy it if i wasn't going to use it19:05
mfischwe heavily customize the pipeline already so I may consider removing19:05
dolphmmfisch: ++19:06
*** jamielennox|away is now known as jamielennox19:06
*** ChanServ sets mode: +v jamielennox19:06
mfischI'm keeping cors the Banquet Filter19:06
dolphmmfisch: how do you feel about the whole "paste is not configuration" fear mongering? i mean "perspective"19:06
mfischnot sure I've heard that phrase19:06
mfischwhats the ref?19:06
stevemarmfisch: commented on your patch19:06
mfischk19:07
stevemardolphm: the paste should be in .conf and not in a separate file?19:07
*** tonytan4ever has quit IRC19:07
dolphmmfisch: this is old, but this sentiment lives on http://lists.openstack.org/pipermail/openstack-dev/2012-July/000277.html19:08
mfischI could see it belonging in the config file but I dont think there's a strong argument to change it now19:08
dolphmstevemar: it's fine for it to be a separate file, but it's advantageous for deployers to be able to configure the pipeline, and counter-productive for upstream to prevent them from doing so19:09
*** ducttape_ has quit IRC19:09
mfischwe need to be able to change it19:09
mfischyeah I'm pretty firm on that one19:09
dolphmmfisch: i agree.19:10
stevemarinteresting19:10
mfischwe have audit stuff, tenant profiling stuff and some security stuff in ours19:11
*** adrian_otto has joined #openstack-keystone19:11
*** adrian_otto has quit IRC19:15
openstackgerritMatt Fischer proposed openstack/keystone: cache_on_issue default to true  https://review.openstack.org/38333319:15
*** nkinder has quit IRC19:15
mfischI didnt know you could do formatting in reno thats cool19:15
*** nkinder has joined #openstack-keystone19:16
stevemarmfisch: you sure can19:16
stevemarmfisch: https://review.openstack.org/#/c/375914/6/releasenotes/notes/removed-as-of-ocata-436bb4b839e74494.yaml19:16
stevemarmfisch: i'll enforce release notes this cycle19:17
mfischwe've enforced them in puppet since M I think19:17
mfischthey work well19:17
stevemarmfisch: we do them for features and other stuff, not well enough19:18
morganunless you need direct access to the keystone app via your filters you could do it without paste.19:18
*** adrian_otto has joined #openstack-keystone19:18
morgani would love if paste was killed and removed19:18
stevemarmfisch: you can include hyperlinks too ;)19:18
morganif you're just doing introspection on requests and responses (headers etc), there are better ways that wedging your code into the running wsgi app19:19
morgansuch as modifying the paste pipeline19:19
morganbut i expect i've lost that argument long ago19:20
dstanekmorgan: ++ there are already middlewares that do that19:20
morgandstanek: exactly19:20
*** agireud has quit IRC19:21
*** ddieterly is now known as ddieterly[away]19:28
*** agireud has joined #openstack-keystone19:29
*** sileht has quit IRC19:31
*** sileht has joined #openstack-keystone19:32
*** ddieterly[away] is now known as ddieterly19:32
*** agireud has quit IRC19:33
*** ravelar has quit IRC19:35
*** ravelar has joined #openstack-keystone19:36
*** agireud has joined #openstack-keystone19:43
*** tonytan4ever has joined #openstack-keystone19:45
*** gyee has quit IRC19:47
*** dave-mccowan has quit IRC19:49
*** gagehugo has joined #openstack-keystone19:52
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance  https://review.openstack.org/38210719:55
*** dave-mccowan has joined #openstack-keystone19:59
*** ravelar has quit IRC20:00
*** dave-mcc_ has joined #openstack-keystone20:01
*** dave-mccowan has quit IRC20:04
*** agireud has quit IRC20:06
*** david-lyle has joined #openstack-keystone20:06
bknudsonI think cors and sizelimit should be handled by uwsgi / apache / the wsgi container.20:07
*** sdake has quit IRC20:09
*** tonytan4ever has quit IRC20:16
*** harlowja has joined #openstack-keystone20:17
*** code-R has joined #openstack-keystone20:22
*** code-R_ has joined #openstack-keystone20:31
*** code-R has quit IRC20:34
*** browne has joined #openstack-keystone20:40
*** superklaus has joined #openstack-keystone20:40
*** dave-mcc_ has quit IRC20:41
openstackgerritMerged openstack/keystone: Remove password history validation from admin password resets  https://review.openstack.org/37903020:41
superklaushello. I insatlled devstack and can run an instance of cirrOS. when trying to use neutron cli, it says "An auth plugin is required to fetch a token"20:42
superklauslike, if I do neutron net-list, it says "An auth plugin is required to fetch a token"20:43
superklaus any help would be appreciated20:43
openstackgerritSteve Martinelli proposed openstack/keystone: cache_on_issue default to true  https://review.openstack.org/38333320:44
dstaneksuperklaus: did you source openrc?20:46
superklausthat fixed it. thank you20:47
openstackgerritRon De Rose proposed openstack/keystone: Remove driver version_specifiers from tests  https://review.openstack.org/38346020:59
*** code-R_ has quit IRC20:59
*** superklaus has quit IRC21:00
*** marekd2 has joined #openstack-keystone21:01
*** raildo has quit IRC21:01
*** dave-mccowan has joined #openstack-keystone21:01
*** ayoung has quit IRC21:02
*** marekd2 has quit IRC21:05
*** code-R has joined #openstack-keystone21:07
*** nicolasbock has quit IRC21:13
*** tonytan4ever has joined #openstack-keystone21:16
*** harlowja has quit IRC21:17
*** michauds has joined #openstack-keystone21:18
openstackgerritRon De Rose proposed openstack/keystone: Remove driver version_specifiers from tests  https://review.openstack.org/38346021:18
*** asettle has joined #openstack-keystone21:20
*** asettle has quit IRC21:21
*** tonytan4ever has quit IRC21:22
openstackgerritRon De Rose proposed openstack/keystone: Remove driver version specifiers from tests  https://review.openstack.org/38346021:22
*** chris_hultin is now known as chris_hultin|AWA21:23
*** jorge_munoz has joined #openstack-keystone21:25
*** ddieterly is now known as ddieterly[away]21:28
*** jorge_munoz_ has joined #openstack-keystone21:28
lbragstadbreton the osic performance bot is up and fixed21:29
*** jorge_munoz has quit IRC21:30
*** jorge_munoz_ is now known as jorge_munoz21:30
lbragstadbreton I had to rework some of the playbook due to osa changes for newton21:30
*** code-R has quit IRC21:31
*** ddieterly[away] is now known as ddieterly21:31
*** ddieterly is now known as ddieterly[away]21:32
lbragstadrodrigods ping21:32
*** david-lyle_ has joined #openstack-keystone21:34
*** david-lyle has quit IRC21:34
*** david-lyle has joined #openstack-keystone21:35
*** adrian_otto has quit IRC21:35
*** david-lyle has quit IRC21:35
*** david-lyle has joined #openstack-keystone21:35
lbragstadrodrigods finally getting around to https://github.com/lbragstad/keystone-performance/pull/13/files21:35
*** adriant has joined #openstack-keystone21:35
lbragstadrodrigods does ab -e not require a filename as an argument?21:35
*** agireud has joined #openstack-keystone21:37
*** harlowja has joined #openstack-keystone21:39
*** harlowja has quit IRC21:39
*** david-lyle_ has quit IRC21:39
*** harlowja has joined #openstack-keystone21:39
*** ravelar has joined #openstack-keystone21:44
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance  https://review.openstack.org/38210721:45
*** rcernin has joined #openstack-keystone21:47
*** david-lyle has quit IRC21:56
*** rcernin has quit IRC21:59
*** rcernin has joined #openstack-keystone21:59
*** spzala has quit IRC22:04
bretonlbragstad: thank you. Can i check already merged patches?22:10
*** sdake has joined #openstack-keystone22:13
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/38311522:13
bknudsonbreton: post a revert and check experimental it.22:17
rodrigodslbragstad, hmm think i get from a tutorial somewhere22:17
rodrigodsworked for me, though22:17
*** ayoung has joined #openstack-keystone22:21
*** ChanServ sets mode: +v ayoung22:21
*** ddieterly[away] has quit IRC22:32
*** ddieterly has joined #openstack-keystone22:36
*** TonyXu has quit IRC22:41
*** TonyXu has joined #openstack-keystone22:42
*** michauds has quit IRC22:44
*** nicolasbock has joined #openstack-keystone22:49
*** ddieterly has quit IRC22:50
openstackgerritJamie Lennox proposed openstack/keystoneauth: Allow specifying client and service info to user_agent  https://review.openstack.org/35763322:54
ianwjamielennox: around?  question on https://review.openstack.org/#/c/366922/22:55
jamielennoxianw: yea22:55
ianwthe issue seems to be that OS_IDENTITY_API_VERSION is set to "2" on devstack subnodes, but i think that is probably unintentional22:55
ianwsubnodes that don't have keystone installed22:55
jamielennoxianw: i'd really like to prevent that one22:57
jamielennoxthere's nothing that should be running in devstack without v3 api22:57
ianwthat's what i thought :)22:57
jamielennoxwe are actively trying to get gate jobs going that disable v222:57
ianwit seems like that we just need to move the definition out.  actually, i'm having deja-vu, there might be a change to do that22:58
jamielennoxianw: i left a -1, i've never run the multinode case so i don't know how to test anything there but yea, i would look to move the OS_IDENTITY_API_VERSION=3 somewhere basic23:00
jamielennoxthis is all part of the v3 everywhere that i haven't pushed recently23:00
ianwI think https://review.openstack.org/#/c/350801/2 will fix it23:00
jamielennoxianw: yea, that makes sense to me23:02
*** ayoung has quit IRC23:05
*** spzala has joined #openstack-keystone23:05
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance  https://review.openstack.org/38210723:10
*** spzala has quit IRC23:11
jamielennoxstevemar: can you escalate https://review.openstack.org/#/c/357633/ to be included in next release23:18
*** marekd2 has joined #openstack-keystone23:21
jamielennoxstevemar: also, any reason for just +1 on https://review.openstack.org/#/c/336972/ ?23:23
jamielennoxi understand you don't care either way but you're like the only person that reviews that sort of stuff23:24
*** marekd2 has quit IRC23:25
*** rcernin has quit IRC23:36
openstackgerritGage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/36143523:42
*** ayoung has joined #openstack-keystone23:50
*** ChanServ sets mode: +v ayoung23:50
*** phalmos_ has quit IRC23:51
stevemarjamielennox: lol23:53
stevemarjamielennox: why did i only +1 that?!23:54
stevemarayoung: can you kick https://review.openstack.org/#/c/336972/ through?23:54
stevemarjamielennox: the ksa one i was going to look at today23:54
jamielennoxstevemar: awesome, yea, it's a little bit to wrap your head around but sean and i discussed it a lot at the midcycle23:55
jamielennoxwas supposed to have gone in last cycle but i kind of forgot about it23:55
*** pcaruana has quit IRC23:55
*** ravelar has quit IRC23:57
« Wednesday, 2016-10-05 Index Friday, 2016-10-07 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!