Tuesday, 2016-11-01

openstackgerrit	Merged openstack/keystone: Faster id mapping lookup https://review.openstack.org/339294	00:08
*** sigmavirus has quit IRC		00:20
*** dims_ has quit IRC		00:20
*** jrist has quit IRC		00:21
*** jrist has joined #openstack-keystone		00:22
*** _sigmavirus24 has joined #openstack-keystone		00:24
*** guoshan has joined #openstack-keystone		00:27
openstackgerrit	Merged openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	00:28
*** richm has joined #openstack-keystone		00:30
*** dims has joined #openstack-keystone		00:31
*** guoshan has quit IRC		00:31
stevemar	heads up keystoners, lets land this spec: https://review.openstack.org/#/c/345113/14	00:42
stevemar	adriant: thanks for the reviews! :)	00:49
adriant	stevemar: np :)	00:50
adriant	just actually responding to you and jamie about caching for TOTP and why it doesn't make sense	00:50
stevemar	adriant: oh?	00:50
adriant	passcodes are only valid for 30sec	00:50
stevemar	adriant: jamielennox and i spoke about it at the summit, guess we were wrong :(	00:50
adriant	no point caching that	00:50
stevemar	ouch	00:50
adriant	so cache the token instead	00:51
stevemar	yeah	00:51
jamielennox	?	00:51
stevemar	for a few minutes anyway, as long as the token is good for	00:51
* stevemar waves at jamielennox		00:51
adriant	posting a comment and how I've been getting around that	00:51
* jamielennox is doing the rivetting mandatory cyber security training that is apparently overdue		00:52
jamielennox	it has insightful comments about bearer tokens	00:53
*** hoangcx has joined #openstack-keystone		00:55
jamielennox	adriant: we're not caching the passcode, we're caching the token that is returned so that we don't have to fetch another one if we have an existing token	00:59
jamielennox	just to do that we need to cache based on the password component, but not the totp	01:00
adriant	the password is password+totp though	01:00
adriant	so it's still just a password	01:00
jamielennox	in submitting to keystone yes, from a client perspective it doesn't have to be	01:00
adriant	but the keystone server then handles it as two values	01:00
adriant	oh, yeah	01:01
adriant	we can easily ask for them seperately	01:01
jamielennox	right so --os-password --os-access-code and we only cache on password	01:01
jamielennox	stevemar: had asked me about it and that was the only way i know to cache it properly	01:02
adriant	jamielennox: but would that mean we need to make the server expect it as two different auth plugins, or will the client still do the password+totp join?	01:03
jamielennox	adriant: honestly, doesn't matter, it's purely about how you set up the ksa loader to handle things like openstackclient	01:04
jamielennox	how you actually push the data is up to you	01:04
adriant	jamielennox: have posted a comment on the review, although we've mostly covered it here, but the thing to look at is this: http://paste.openstack.org/show/587502/	01:05
adriant	that openrc is how I've been doing totp auth	01:05
adriant	and last I played with it was working fine in a devstack	01:06
jamielennox	adriant: yea, ok, so what we would do is --os-auth-type passwordtotp --os-password XXX --os-pass-code YYY	01:06
jamielennox	and the equivalent env vars	01:06
adriant	yep	01:06
jamielennox	it's purely a loading thing that we can solve later	01:06
adriant	that seems sensible	01:06
adriant	just don't want to complicate the server side of it	01:07
*** dave-mccowan has joined #openstack-keystone		01:09
*** chlong has quit IRC		01:09
adriant	jamielennox, stevemar: one change I do think I'll try and spec out at some stage is to allow serverside layering of auth plugins. So rather than having to make a separate passwordtotp plugin, in the conf you can specify that the password auth method is comprised of "password,totp"	01:10
adriant	but that would be a weird and complex change...	01:11
jamielennox	adriant: it's always been the intent, and serverside will handle that pretty well	01:11
jamielennox	adriant: the problem is specifying that multiple is required	01:11
adriant	yeah, that's what I was running into when trying to get totp working	01:11
jamielennox	the server validates all the auth methods that a user provides, but therefore if a user only provides TOTP keystone will validate that	01:11
jamielennox	what we've lacked and talked about for a while is a way to specify requirements for which auths require other auths	01:12
adriant	exactly, so we need a way to combine them in some way in such a way that won't break too much.	01:12
adriant	I'd love to work on that at some stage and help :)	01:12
jamielennox	adriant: cool! yea, mostly we just need a way to figure out how we would express those links	01:13
adriant	It was something I was considering, but this seemed like the fastest solution without much pain	01:13
jamielennox	and in a way that isn't a giant PITA for existing users	01:13
adriant	I think just a new way of mapping auth plugins to auth types. Currently we map one to one, but maybe we should map one to many.	01:14
adriant	so password = "password,totp" token = "token" etc	01:14
adriant	but I'll leave it for now. It's a weird topic!	01:15
adriant	Plus would mean reworking all existing plugins to play nice together...	01:16
adriant	Or impose limits on which can be used together.	01:16
*** guoshan has joined #openstack-keystone		01:17
jamielennox	the plugins will play nice together today	01:17
jamielennox	the problems we've had in the past is there is a huge rabbit hole here of things like extra roles for 2 factor vs 1	01:17
jamielennox	and how to specify which users require 2fa	01:18
jamielennox	yea, it's hard, but it's more of a management issue than i think we'll have problems with the existing code	01:18
adriant	I was mainly meaning, the current TOTP plugin on master won't play nice with password if a user does not have a TOTP cred I don't think.	01:19
adriant	it requires a user to have the TOTP cred to auth, and if it fails, even a valid password would result in no token.	01:19
adriant	I think, i need to recheck the code.	01:19
adriant	but if we allow it to auth when a user doesn't have a cred, then it is useless by itself.	01:21
adriant	so it has to be used with password, and then we fall into the hole of needing some way to tell the plugin it isn't being used by itself. :/	01:21
morgan_	lbragstad: o/	01:27
*** guoshan has quit IRC		01:31
*** guoshan has joined #openstack-keystone		01:32
*** kiran-r has joined #openstack-keystone		01:37
*** Zer0Byte__ has quit IRC		01:42
*** davechen_afk is now known as davechen		01:46
*** TonyXu has joined #openstack-keystone		01:52
*** zhangjl has joined #openstack-keystone		02:14
*** haplo37_ has quit IRC		02:50
*** haplo37_ has joined #openstack-keystone		02:52
*** dave-mccowan has quit IRC		02:53
*** namnh has joined #openstack-keystone		02:53
stevemar	morgan_: i don't think lbragstad is around :(	02:56
ayoung	stevemar, Did you get a chance to at least read Token Verify Role Check https://review.openstack.org/#/c/391624/ yet?	02:58
ayoung	stevemar, cuz...I think I want to take it one step further, and extend the implied roles API to be the mechanism that actually implements this.	03:00
ayoung	Bascially, instead of using the oslo-policy enforcement, we use the implied roles to link from a role to a pattern. Or, more correctly, during enforcement time, we start with a pattern, match that to the current URL, and use the roles implication rules to confirm or deny access	03:01
ayoung	Each of the services could provide a basic JSON file with API patterns and Roles, and those would get uploaded to Keystone when they register with the service catalog	03:02
ayoung	So the basic management of the RBAC policy would still fall on the individual projects. Just they would register those RBAC policies with Keystone, and Keystone would store them in a Relational Database format	03:03
*** richm has quit IRC		03:07
*** jperry has joined #openstack-keystone		03:23
stevemar	ayoung: i have not, i've been chipping away at reviews all day, haven't gotten to that one	03:36
*** links has joined #openstack-keystone		03:52
*** guoshan has quit IRC		04:11
*** jperry has quit IRC		04:17
morgan_	stevemar: yeah.	04:43
morgan_	stevemar: figured	04:43
*** kiran-r has quit IRC		04:56
*** guoshan has joined #openstack-keystone		05:12
*** guoshan has quit IRC		05:17
*** sheel has joined #openstack-keystone		05:28
*** kiran-r has joined #openstack-keystone		05:44
*** adriant has quit IRC		05:44
*** kiran-r has quit IRC		06:20
*** guoshan has joined #openstack-keystone		06:21
*** rcernin has joined #openstack-keystone		06:29
*** kiran-r has joined #openstack-keystone		06:31
openstackgerrit	howard lee proposed openstack/oslo.policy: Fix typo in oslo.policy https://review.openstack.org/392042	06:34
*** guoshan has quit IRC		06:35
*** guoshan has joined #openstack-keystone		06:36
*** kiran-r has quit IRC		07:12
*** haplo37_ has quit IRC		07:12
*** haplo37_ has joined #openstack-keystone		07:14
*** AlexeyAbashkin has quit IRC		07:20
*** tesseract has joined #openstack-keystone		07:21
*** tesseract is now known as Guest14381		07:21
breton	o/	07:22
*** belmoreira has joined #openstack-keystone		07:26
openstackgerrit	Merged openstack/keystone: log.error use _ of i18n https://review.openstack.org/389070	07:32
*** AlexeyAbashkin has joined #openstack-keystone		07:33
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** Dinesh_Bhor has joined #openstack-keystone		08:05
Dinesh_Bhor	Hi all, I am getting following error: ContextualVersionConflict: (amqp 1.4.9......Requirement.parse('amqp<3.0,>=2.1.1'), set(['kombu']))	08:06
Dinesh_Bhor	because of this I am not able to run any other apis like nova list, cinder list etc	08:07
Dinesh_Bhor	looks like it is similar to bug: https://bugs.launchpad.net/keystone/+bug/1587239	08:08
openstack	Launchpad bug 1587239 in OpenStack Identity (keystone) "cover job is failing too frequently" [High,Fix released] - Assigned to Steve Martinelli (stevemar)	08:08
Dinesh_Bhor	If someone has any suggestions on how to solve this please let me know	08:09
*** LiYuenan has joined #openstack-keystone		08:11
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Added test cases for hints https://review.openstack.org/388541	08:16
*** guoshan has quit IRC		08:35
*** guoshan has joined #openstack-keystone		08:42
*** guoshan has quit IRC		09:07
*** guoshan has joined #openstack-keystone		09:07
openstackgerrit	NITIN GUPTA proposed openstack/keystone: Added test cases for hints https://review.openstack.org/388541	09:12
*** jaosorior has joined #openstack-keystone		09:15
*** jpich has joined #openstack-keystone		09:18
*** raildo has joined #openstack-keystone		09:29
*** Dinesh_Bhor has quit IRC		09:47
*** jaosorior has quit IRC		09:48
*** jaosorior has joined #openstack-keystone		09:48
*** raildo has quit IRC		09:56
*** dootniz is now known as kragniz		09:59
*** namnh has quit IRC		10:05
*** hoangcx has quit IRC		10:05
openstackgerrit	Merged openstack/keystone: Fix broken links in the docs https://review.openstack.org/391851	10:05
*** guoshan has quit IRC		10:22
*** zhangjl has quit IRC		10:34
openstackgerrit	Jamie Lennox proposed openstack/keystone: Allow fetching an expired token https://review.openstack.org/382098	10:36
*** rodrigods has quit IRC		10:37
*** rodrigods has joined #openstack-keystone		10:37
*** nicolasbock has joined #openstack-keystone		10:39
*** TonyXu has quit IRC		10:47
samueldmq	morning keystone	10:56
*** chlong has joined #openstack-keystone		10:57
breton	morning	11:05
breton	ksm gate is broken	11:05
rodrigods	breton, the tests pass locally?	11:23
breton	rodrigods: nowhere	11:25
breton	rodrigods: neither in the gates, nor locally	11:25
breton	dependency is missing	11:25
*** haplo37_ has quit IRC		11:28
*** haplo37_ has joined #openstack-keystone		11:31
openstackgerrit	Merged openstack/oslo.policy: Fix typo in oslo.policy https://review.openstack.org/392042	11:41
*** narasimha_SV has joined #openstack-keystone		11:42
narasimha_SV	to have keystone2keystone federation	11:43
narasimha_SV	in IDP it is said that I need to place SSL confs in vhost	11:43
narasimha_SV	http://paste.openstack.org/show/587537/	11:43
narasimha_SV	where do I need to add these details in wsgi-kesytone.conf file	11:43
stevemar	breton: i noticed that it was failing around 25% of the time	11:50
openstackgerrit	Merged openstack/keystone: Adds warning when no domain configs were uploaded https://review.openstack.org/214287	11:50
breton	stevemar: with what error?	11:50
breton	stevemar: now it fails always, and this seems to be an issue on oslo-messaging side	11:51
stevemar	ah	11:51
stevemar	unrelated then	11:51
breton	stevemar: but what was your error?	11:51
stevemar	breton: can't remember, i think it was asserting something had size 1 when it was 2/	11:52
stevemar	breton: it was only 1 test that would fail, consistently	11:52
stevemar	let me look up the requirements change, it had the failure	11:52
*** richm has joined #openstack-keystone		11:52
stevemar	breton: https://review.openstack.org/#/c/391130/	11:52
stevemar	breton: http://logs.openstack.org/30/391130/1/check/gate-keystonemiddleware-python34/3ea5248/testr_results.html.gz	11:52
breton	stevemar: oooh, i am fighting this one now.	11:53
breton	stevemar: (well, tried fighting it, before ran into oslo-messaging issue :( )	11:53
stevemar	yeah,, seeing that now	11:54
stevemar	probably need to block that version of kombu	11:54
stevemar	http://logs.openstack.org/98/392098/1/check/gate-keystonemiddleware-python27-ubuntu-trusty/cb33283/testr_results.html.gz	11:54
breton	stevemar: yes, make it '< 4.0'	11:54
stevemar	i'd say just make it !=4.0.0 for now	11:55
stevemar	the requirements team doesn't like <, but in this case... maybe its a better idea	11:55
breton	upper-constraints in requirements has kombu===3.0.37	11:57
stevemar	ha	11:57
breton	why is it failing then?	11:58
stevemar	good question	11:58
stevemar	let me ask in -requirements	11:59
*** guoshan has joined #openstack-keystone		12:06
openstackgerrit	Merged openstack/keystone: Add bindep environment to tox https://review.openstack.org/391613	12:11
*** _sigmavirus24 is now known as sigmavirus		12:12
*** sigmavirus has joined #openstack-keystone		12:12
openstackgerrit	Merged openstack/keystone: Document v2 Revoked Token Route https://review.openstack.org/390913	12:12
stevemar	breton: oslo and requirements teams will work on the issue i think	12:16
*** iurygregory has joined #openstack-keystone		12:17
openstackgerrit	Steve Martinelli proposed openstack/keystone: Document OS-SIMPLE-CERT Routes https://review.openstack.org/385028	12:26
*** edmondsw has joined #openstack-keystone		12:38
*** jerrygb_ has quit IRC		12:38
*** mvk has quit IRC		12:45
*** dave-mccowan has joined #openstack-keystone		12:46
*** jerrygb has joined #openstack-keystone		12:52
*** ayoung has quit IRC		12:58
*** narasimha_SV has quit IRC		12:58
*** narasimha_SV has joined #openstack-keystone		13:10
narasimha_SV	http://paste.openstack.org/show/587537/ where do I need to keep these values in wsgi-kesytone.conf file	13:10
narasimha_SV	to enable SSL over IDP kesytone in federattion	13:10
*** links has quit IRC		13:14
*** narasimha_SV has quit IRC		13:15
*** mvk has joined #openstack-keystone		13:23
breton	stevemar: i think i started always getting "AttributeError: None does not have the attribute 'info'"	13:23
*** jperry has joined #openstack-keystone		13:28
breton	i actually understand why it fails	13:29
breton	i don't understand why it didn't.	13:29
robcresswell	stevemar: Does keystone allow setting arbitrary k/v data on a user? I was wondering if Horizon could manipulate that for storing settings instead of using the cookie.	13:32
robcresswell	(I imagine there is more to this than I'm thinking, but just investigating)	13:33
stevemar	robcresswell: not really, we have an "extras" field where you can dump things into as k/v, but we don't support removing/changing the data there	13:33
robcresswell	stevemar: Ah, got it. Thats a shame. It's one of the places where Horizon's lack of db falls over a little.	13:34
robcresswell	stevemar: Thanks anyway!	13:34
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Mock log only after app creation https://review.openstack.org/392167	13:39
breton	^ will fail for now because the gate is broken, however after that it should fix the problem that we ran into in https://review.openstack.org/#/c/391130/	13:40
knikolla	morning! o/	13:52
*** ashyoung has joined #openstack-keystone		13:57
*** guoshan has quit IRC		13:57
*** jerrygb_ has joined #openstack-keystone		14:00
stevemar	breton: nice	14:00
lbragstad	stevemar caching question for you	14:01
lbragstad	stevemar are we suppose to deprecate https://github.com/openstack/keystone/blob/fab399e26cdbe7cffba895f99d7247896ec6cb82/keystone/common/kvs/backends/memcached.py#L96-L99	14:01
lbragstad	this option specifically - https://github.com/openstack/keystone/blob/9c2a48829d49eb1f59bada735c15280138470b96/keystone/conf/memcache.py#L18-L30 ?	14:02
*** narasimha_SV has joined #openstack-keystone		14:02
*** dave-mccowan has quit IRC		14:02
narasimha_SV	after configuring SSL confs in wsgi-keystone.conf	14:02
lbragstad	because we also have https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L468-L470	14:02
*** jerrygb has quit IRC		14:02
narasimha_SV	getting this issue when i execute any openstack command	14:02
narasimha_SV	# openstack endpoint list Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://192.168.56.101:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)	14:03
narasimha_SV	in log file i see this line : RSA certificate configured for 192.168.56.101:5000 does NOT include an ID which matches the server name	14:04
knikolla	narasimha_SV, are you able to curl the keystone endpoint?	14:04
openstackgerrit	David Stanek proposed openstack/keystone: Additional logging when authenticating https://review.openstack.org/333490	14:04
bknudson	narasimha_SV: https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=rsa%20certificate%20configured%20for%20does%20not%20include	14:05
stevemar	lbragstad: yo	14:06
lbragstad	evrardjp and I have a question for you in -ansible :)	14:07
stevemar	lbragstad: reading	14:07
stevemar	lbragstad: yeah, saw that, was in the middle of a discussion with cinder team, thats over now, catching up	14:07
*** narasimha_SV has quit IRC		14:08
stevemar	lbragstad: i want to say probably...	14:10
stevemar	lbragstad: all of the [memcache] options seem to have a [cache] equivalent	14:12
lbragstad	stevemar right - i was digging through the code but it doensn't look like we should be using [memcache]?	14:13
lbragstad	according to the comments	14:13
*** ashyoung has quit IRC		14:13
stevemar	lbragstad: and theres only one instance of it: https://github.com/openstack/keystone/blob/fab399e26cdbe7cffba895f99d7247896ec6cb82/keystone/common/kvs/backends/memcached.py#L100	14:13
lbragstad	in code - there is nothing officially documenting or deprecating it though	14:13
stevemar	lbragstad: easy enough to deprecate something, just need to make sure we should be doing it	14:13
*** kiran-r has joined #openstack-keystone		14:14
stevemar	lbragstad: i think its safe to deprecate that entire [memcache] section	14:14
*** anushkrishnamurt has joined #openstack-keystone		14:15
evrardjp	I have the feeling I tried to help, and opened a pandora box	14:15
lbragstad	stevemar ok - i'll see if I can get something in the works to officially deprecate that	14:15
evrardjp	:p	14:15
*** ashyoung has joined #openstack-keystone		14:15
stevemar	lbragstad: fair enough, bug morgan_ if you can	14:15
stevemar	evrardjp: boxes need to be opened!	14:16
evrardjp	stevemar: at least I have hope :p	14:16
lbragstad	evrardjp i'd stick to using https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L468-L470 for now	14:17
evrardjp	lbragstad: so as a list	14:18
evrardjp	makes sense	14:18
lbragstad	evrardjp yep	14:20
*** ayoung has joined #openstack-keystone		14:23
*** ChanServ sets mode: +v ayoung		14:23
*** edtubill has joined #openstack-keystone		14:24
*** GB21 has joined #openstack-keystone		14:26
*** ravelar has joined #openstack-keystone		14:29
knikolla	stevemar, what's some areas of keystone that have the most knowledge debt?	14:30
*** jerrygb has joined #openstack-keystone		14:31
*** chirag has joined #openstack-keystone		14:32
stevemar	knikolla: not sure i get the question	14:32
knikolla	stevemar, areas of the codebase which few people understand anymore	14:33
stevemar	knikolla: caching :P	14:33
*** kiran-r has quit IRC		14:33
chirag	Hello, Can someone help me with "DiscoveryFailure: Cannot use v2 authentication with domain scope" my keystone is working fine but I am facing mentioned error while requesting from ceilometer.	14:33
*** jerrygb_ has quit IRC		14:33
breton	unit tests.	14:34
breton	the thing i know worst in keystone is the structure of our unit tests.	14:35
lbragstad	breton ++	14:35
lbragstad	we have a few interesting patterns in our unit tests	14:35
stevemar	i'd also say how keystonemiddleware's auth_token actually works	14:36
stevemar	i think only jamielennox and bknudson know that :P	14:36
knikolla	that's plenty to look into for now.	14:36
breton	auth_token is not that bad actually.	14:37
*** tobberydberg has joined #openstack-keystone		14:37
breton	i've never felt bad about debugging there	14:38
*** chris_hultin\|AWA is now known as chris_hultin		14:38
dstanek	samueldmq: what are you thinking for self._validateCredentialList(credentials, self.user_credentials)	14:39
breton	but with unit tests it's always 5-6 open vim windows.	14:39
dstanek	samueldmq: wrong cut-n-paste	14:39
dstanek	samueldmq: https://review.openstack.org/#/c/345688/27/doc/source/configuration.rst	14:39
samueldmq	dstanek: I was thinking of updating it to: "Keystone provides UUID, PKI, PKIz and Fernet token providers."	14:40
samueldmq	dstanek: so we just don't say we support "both UUID and PKI"	14:42
*** jaugustine has joined #openstack-keystone		14:42
stevemar	gagehugo: i saw your email about ldap, but i am super jammed this week, can i get back to you next week?	14:42
*** chirag has quit IRC		14:43
stevemar	dstanek: if you have time today, can you look at https://review.openstack.org/#/c/374482/ ?	14:43
gagehugo	stevemar: yeah that's fine, I still need to look over what tests we don't need anymore	14:44
knikolla	breton, what aspect of the unit tests structure?	14:47
lbragstad	knikolla i know one thing about our unit tests that gets me (and dstanek) is how much stuff is set up for each test	14:48
lbragstad	the whole setup chain, as it exists today is rather confusing	14:48
samueldmq	dstanek: does that make sense ?	14:48
*** dave-mccowan has joined #openstack-keystone		14:48
lbragstad	and when something like that is confusing, it tends to make it easier for developers to just copy-paste it around until something works...	14:48
lbragstad	(which only adds to the confusion later on)	14:49
knikolla	lbragstad, i see.	14:49
knikolla	i'll do a deep dive and see if i can better document what's happening.	14:50
lbragstad	knikolla cool - dstanek has also done a bunch of work with the unit tests to make setups more clear	14:50
knikolla	lbragstad, cool. i'll look into that.	14:51
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	14:52
*** chris_hultin is now known as chris_hultin\|AWA		15:00
*** dave-mccowan has quit IRC		15:00
*** jerrygb_ has joined #openstack-keystone		15:00
*** jerrygb has quit IRC		15:03
*** chris_hultin\|AWA is now known as chris_hultin		15:03
*** jperry has quit IRC		15:05
*** jperry has joined #openstack-keystone		15:06
*** ashyoung has quit IRC		15:06
dstanek	samueldmq: yeah, i think so	15:08
dstanek	stevemar: sure	15:08
dstanek	breton: knikolla: i with we have test_blah.py for each blah.py as the basic structure	15:09
dstanek	lbragstad: did samueldmq's comment make sense to you?	15:11
knikolla	dstanek, yeah, that makes a lot of sense. not sure if folks would agree to such a large refactor though.	15:11
lbragstad	dstanek yeah - i can respin	15:11
*** dave-mccowan has joined #openstack-keystone		15:12
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: mark a few oidc parameters as required https://review.openstack.org/392198	15:14
*** kiran-r has joined #openstack-keystone		15:35
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Support domain-specific configuration management https://review.openstack.org/358770	15:35
*** sheel has quit IRC		15:40
*** agrebennikov has joined #openstack-keystone		15:43
*** pcaruana has joined #openstack-keystone		15:44
*** adrian_otto has joined #openstack-keystone		15:45
*** Guest14381 has quit IRC		15:51
dstanek	stevemar: i took a look...it doesn't look completed	15:58
openstackgerrit	Lance Bragstad proposed openstack/keystone: Switch fernet to be the default token provider. https://review.openstack.org/345688	15:58
*** jaugustine has quit IRC		15:59
lbragstad	samueldmq done ^	15:59
samueldmq	lbragstad: thanks	16:00
*** rcernin has quit IRC		16:06
*** pcaruana has quit IRC		16:07
*** tobberydberg has quit IRC		16:10
stevemar	i did it guys	16:11
stevemar	i reviewed everything i had opened in my tabs	16:11
breton	lol	16:12
breton	congrats	16:12
stevemar	now to do the slide deck for the presentation on thursday -_-	16:13
stevemar	i need foods!	16:15
dstanek	stevemar: nice	16:15
*** jaugustine has joined #openstack-keystone		16:15
breton	i have checked the performance issue with cache fix i mentioned	16:15
stevemar	oh?	16:16
stevemar	good news i hope :)	16:16
*** LamT__ has joined #openstack-keystone		16:16
stevemar	i'll be slow to respond for the remainder of the afternoon	16:16
breton	it currently exists in mitaka, and is bad there. In newton and master but is mitigated by https://review.openstack.org/#/c/309146/, but only for token validation.	16:17
*** jaosorior has quit IRC		16:17
*** martinus__ has quit IRC		16:20
openstackgerrit	Merged openstack/keystone: Add release note for fernet tokens https://review.openstack.org/376526	16:21
openstackgerrit	ayoung proposed openstack/keystone-specs: Token Verify Role Check https://review.openstack.org/391624	16:22
ayoung	lbragstad, et alles: ^^ is very different from my previous versions. I think it solves the majority of the issues we've had with policy thus far	16:23
lbragstad	stevemar dstanek was saying that we use CONF.memcache.server for the kvs token backend but we use oslo.cache for everything else	16:25
*** ashyoung has joined #openstack-keystone		16:26
*** ashyoung has quit IRC		16:26
lbragstad	dstanek just to confirm - we use oslo.cache for storing the token region, right?	16:26
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor ldap check fix for config files https://review.openstack.org/392229	16:27
lbragstad	the only thing we use CONF.memcache.server for should be the kvs backend?	16:28
*** jperry has quit IRC		16:30
lbragstad	dstanek stevemar fwiw - we don't really document any of those differences anywhere - I would think we'd need to open a bug for it?	16:33
*** belmoreira has quit IRC		16:35
*** jerrygb has joined #openstack-keystone		16:41
*** jaugustine has quit IRC		16:41
*** jerrygb_ has quit IRC		16:43
*** jperry has joined #openstack-keystone		16:44
*** jerrygb_ has joined #openstack-keystone		16:44
*** GB21 has quit IRC		16:44
*** markvoelker has quit IRC		16:44
*** jaugustine has joined #openstack-keystone		16:45
*** jerrygb has quit IRC		16:46
*** markvoelker has joined #openstack-keystone		16:46
*** mvk has quit IRC		16:48
*** jvarlamova has joined #openstack-keystone		16:53
*** jpich has quit IRC		17:01
*** GB21 has joined #openstack-keystone		17:03
*** Zer0Byte__ has joined #openstack-keystone		17:06
openstackgerrit	Lance Bragstad proposed openstack/keystone: Doc the difference between memcache and cache https://review.openstack.org/392242	17:11
lbragstad	stevemar dstanek ^	17:11
lbragstad	evrardjp ^	17:11
dstanek	lbragstad: i don't think a bug is necessary	17:11
*** harlowja has joined #openstack-keystone		17:11
lbragstad	dstanek cool - i didn't create one	17:11
*** anushkrishnamurt has quit IRC		17:18
openstackgerrit	Lance Bragstad proposed openstack/keystone: Doc the difference between memcache and cache https://review.openstack.org/392242	17:19
stevemar	lbragstad: so no need to deprecate memcache options then?	17:21
*** artmr has joined #openstack-keystone		17:22
*** intr1nsic has joined #openstack-keystone		17:24
*** edtubill has quit IRC		17:24
*** jerrygb has joined #openstack-keystone		17:25
*** ankur-gupta-f has joined #openstack-keystone		17:25
*** ankur-gupta-f has left #openstack-keystone		17:25
*** intr1nsic is now known as matt_welch		17:27
*** jerrygb_ has quit IRC		17:28
stevemar	rodrigods: your functional test is failing :( https://review.openstack.org/#/c/358770/8	17:29
*** ravelar has quit IRC		17:29
lbragstad	stevemar i don't think so	17:30
lbragstad	it looks like the [memcache] section is dedicated to kvs backends	17:31
lbragstad	so unless we get rid of all kvs backends - I don't think we can deprecate it	17:31
*** notbreton has joined #openstack-keystone		17:50
stevemar	lbragstad: there is a bug to remove all kvs backends	17:51
stevemar	long standing one	17:51
openstackgerrit	Jeffrey Augustine proposed openstack/keystone-specs: Add keystone project properties https://review.openstack.org/388886	17:52
*** mvk has joined #openstack-keystone		17:54
*** ChanServ sets mode: +v henrynash		17:55
*** browne has joined #openstack-keystone		17:57
*** lamt has joined #openstack-keystone		17:57
stevemar	ping ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gagehugo, gyee, henrynash, hogepodge, htruta, jamielennox, jaugustine, joesavak, jorge_munoz, knikolla, lbragstad, MaxPC, morgan, nishaYadav, nkinder, notmorgan, raildo, ravelar, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, xek, StefanPaetowJis	17:59
stevemar	c	17:59
notbreton	o/	18:00
*** anushkrishnamurt has joined #openstack-keystone		18:04
*** edtubill has joined #openstack-keystone		18:04
*** ravelar has joined #openstack-keystone		18:05
*** spilla has joined #openstack-keystone		18:08
mfisch	stevemar: digging into your upgrades stuff finally this is going to suck with puppet	18:29
mfisch	can you tell me is --expand --migrate ideimpotent?	18:29
mfisch	also is --expand --migrate --contract == db_sync with no args?	18:34
*** GB21 has quit IRC		18:34
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly https://review.openstack.org/388842	18:35
stevemar	mfisch: hold up, keystone meeting, dont run away	18:38
mfisch	sure	18:39
mfisch	im on a call now anyway	18:39
*** notbreton has quit IRC		18:39
*** adrian_otto has quit IRC		18:58
gagehugo	500 total wat	19:00
lbragstad	stevemar ayoung there are only 500 tickets for the PTG for all projects?	19:00
stevemar	gagehugo: yep, just devs	19:00
stevemar	lbragstad: yes	19:00
lbragstad	stevemar do we get registration codes?	19:01
knikolla	and is it not free for atc?	19:01
stevemar	it is not free for ATC, no	19:01
lbragstad	i see the tickets are $100	19:01
stevemar	yes, $100	19:01
lbragstad	really?!	19:01
stevemar	lbragstad: not free for anyone	19:01
gagehugo	:(	19:01
knikolla	i'll query for an educational discount :/ maybe they have that	19:01
stevemar	lbragstad: if you attend a PTG you do get a discount code for the forum (nee summit)	19:01
stevemar	knikolla: ask for travel assistance	19:02
lbragstad	stevemar there was a session on this in barcelona, right?	19:02
stevemar	lbragstad: not really	19:02
lbragstad	is that were all this was discussed?	19:02
knikolla	stevemar, i already got a verbal approval from my manager.	19:02
stevemar	lbragstad: its still very much in the foundation's hands, i have some early info	19:02
stevemar	mfisch: to answer your questions --	19:03
stevemar	mfisch: they are not idempotent AFAIK, we have a bunch of bugs that we need to fix surrounding the new upgrade flow: https://bugs.launchpad.net/keystone/+bugs?field.tag=upgrades	19:04
mfisch	$100 is far less than the travel and time away from work isnt it	19:04
stevemar	mfisch: if you just do a db_sync with no args, i believe it runs --expand, --migrate, --contract under the covers	19:05
knikolla	we've been staying in airbnbs though for the past summits/midcycles :P	19:05
stevemar	mfisch: if you run it with no args, we assume you are doing an offline upgrade	19:05
mfisch	stevemar: the trouble is getting puppet to do something intelligent here	19:06
mfisch	which I will bring up at the next meeting for puppet	19:06
mfisch	if you want to attend	19:06
stevemar	mfisch: when is it?	19:06
mfisch	9am mountain next tuesday	19:06
stevemar	mfisch: i'm away thursday and friday	19:06
stevemar	okay	19:06
stevemar	send me a ping? i'm awake at that time anyway	19:06
mfisch	sure	19:06
mfisch	Ideally we could do this ideimpotently: keystone-manage db_sync --expand --migrate	19:07
mfisch	then I'd just always run that	19:07
stevemar	no contract?	19:07
mfisch	contract I'd run offline after every node	19:07
mfisch	disable puppet on nodes 2/3 and run puppet on node1, upgrade node 1, puppet runs that db_sync command above ^	19:08
mfisch	repeat for nodes 2/3	19:08
mfisch	when done all 3 , run contract	19:08
mfisch	jlk has an easier time since ansible is designed for this kind of thing	19:08
mfisch	stevemar: given the bugs is it still useful for me to test it right now?	19:09
*** artmr has quit IRC		19:09
*** dave-mccowan has quit IRC		19:11
stevemar	mfisch: the bugs are RFEs, not actual "bugs"	19:11
*** Administrator__ has joined #openstack-keystone		19:11
mfisch	JLK's looks legit	19:12
stevemar	mfisch: ah right, where he hit it with rally 15 times	19:13
*** zhugaoxiao has quit IRC		19:15
stevemar	mfisch: so part of the reason why i'm asking you to try it out is to see if you also get that error, we need more info here in general about our new upgrade flow	19:15
*** lamt has quit IRC		19:15
stevemar	if you're not comfortable with that, that's cool	19:15
*** jaugustine has quit IRC		19:17
*** jaugustine has joined #openstack-keystone		19:17
mfisch	stevemar: I can still try it	19:26
mfisch	M to N?	19:26
mfisch	right	19:26
*** browne has quit IRC		19:27
*** anushkrishnamurt has quit IRC		19:28
*** browne has joined #openstack-keystone		19:30
*** dave-mccowan has joined #openstack-keystone		19:31
*** matt_welch has quit IRC		19:37
*** kiran-r has quit IRC		19:37
openstackgerrit	Kristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support https://review.openstack.org/374482	19:38
*** mtreinish has quit IRC		19:40
*** rcernin has joined #openstack-keystone		19:41
*** mtreinish has joined #openstack-keystone		19:43
*** clsacramento has joined #openstack-keystone		19:44
*** woodburn has quit IRC		19:47
stevemar	mfisch: correct sir	19:49
mfisch	ok	19:49
mfisch	I'll see what I can do	19:49
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly https://review.openstack.org/388842	19:55
mfisch	stevemar: expand failed	19:56
mfisch	stevemar: http://paste.openstack.org/show/587582/	19:57
mfisch	Since setting this up is a pain. I will hold here and see what else I can get info wise	19:57
stevemar	mfisch: same error jlk ran into the first time	19:59
stevemar	you gotta change something in your db settings	19:59
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly https://review.openstack.org/388842	19:59
stevemar	jlk / dolphm remember what the setting was?	19:59
mfisch	I guess you need to be SUPER to create triggers	20:00
*** adrian_otto has joined #openstack-keystone		20:00
stevemar	mfisch: https://github.com/soundcloud/lhm/issues/76 ?	20:00
stevemar	set global log_bin_trust_function_creators=1	20:01
mfisch	yeah	20:01
mfisch	whatever that does	20:01
mfisch	the sudafed tells me to jfdi!	20:01
stevemar	hehe	20:01
stevemar	i gotta head out now, family stuff, but i'll be on tonight and tomorrow	20:01
mfisch	mysql> select user,super_priv from mysql.user where user="keystone";	20:01
mfisch	+----------+------------+	20:01
mfisch	\| user \| super_priv \|	20:01
mfisch	+----------+------------+	20:01
mfisch	\| keystone \| N \|	20:01
mfisch	\| keystone \| N \|	20:01
*** haplo37_ has quit IRC		20:01
mfisch	\| keystone \| N \|	20:01
mfisch	+----------+------------+	20:01
mfisch	I can just fix that ^ in puppet	20:01
stevemar	eh sure	20:02
stevemar	ttyl	20:03
mfisch	thx	20:03
mfisch	I did have 1 blip in tehre also	20:03
mfisch	jlk: you around?	20:04
*** haplo37_ has joined #openstack-keystone		20:04
*** kiran-r has joined #openstack-keystone		20:07
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove support for PKI and PKIz tokens https://review.openstack.org/374479	20:10
samueldmq	stevemar: I really like your patch to remove PKI/PKIz support	20:14
samueldmq	stevemar: it's a huge amount of code and docs we won't need to maintain anymore	20:15
samueldmq	yay	20:15
morgan_	lbragstad: you were looking for me yesterday?	20:27
lbragstad	morgan_ ah ha!	20:29
lbragstad	morgan_ yes - i was	20:29
lbragstad	I was curious about some caching stuff	20:29
*** spilla has quit IRC		20:29
lbragstad	morgan_ i ended up creating a PR for it - https://review.openstack.org/#/c/392242/	20:30
morgan_	fwiw, we should drop token.kvs	20:31
morgan_	and deprecate [memcache] section	20:31
lbragstad	morgan_ ++	20:31
morgan_	but +3 for that change	20:31
morgan_	for now	20:31
morgan_	because it's better than what we had	20:31
lbragstad	morgan_ i'd be happy to remove that	20:31
morgan_	yeah. token.kvs should go away. iirc it was deprecated a long time ago	20:32
morgan_	and we don't support memcache backend for tokens	20:32
morgan_	iirc that was the last of the "kvs" things	20:32
lbragstad	morgan_ we have a kvs entry point for the token backend	20:32
morgan_	if kvs is gone, [memcache] config can be deprecated (but not removed yet since it ties into [cache] in some cases still)	20:33
morgan_	lbragstad: right. but token.kvs should be clear to be deleted	20:33
morgan_	it isn't well supported	20:33
morgan_	at best its legacy code that hasn't been removed yet	20:33
morgan_	it was supposed to be deprecated a long time ago	20:33
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove support for PKI and PKIz tokens https://review.openstack.org/374479	20:35
jlk	mfisch: I am, what's up?	20:40
jlk	mfisch: oh you're looking at the migrations, and the rights needed for triggers	20:42
mfisch	jlk: yeah	20:42
mfisch	not sure adding SUPER is a great plan	20:42
jlk	heh, there is a smaller target	20:42
mfisch	did you just set that variable?	20:42
jlk	at least on percona	20:42
mfisch	whats that	20:43
*** r1chardj0n3s_afk is now known as r1chardj0n3s		20:43
jlk	https://github.com/blueboxgroup/ursula/pull/2254/files#diff-bc319867f5c2c76b86de4e6dbef94f94R39	20:43
jlk	log_bin_trust_function_creators = 1	20:43
mfisch	yeah thats "the variable" I vaguely mentioned	20:43
jlk	yup, setting that and restarting percona everywhere made things work for me	20:44
mfisch	I think you can set that one live	20:44
mfisch	but I will find out	20:44
jlk	You can	20:44
jlk	I chose not to, because I hate it when live config doesn't necessarily match config file configuration. Can lead to really ugly surprises down the road	20:44
*** adriant has joined #openstack-keystone		20:45
mfisch	jlk: sure, I'm just hacking for now to test it some more. puppet has other issues because of the implied ordering	20:45
jlk	oh, yeah, ordering, and puppet. You're going to have a good time.	20:45
mfisch	which is why we drive upgrades with ansible	20:45
mfisch	for now I just hacked out the calls to db_sync that puppet made	20:46
openstackgerrit	ayoung proposed openstack/keystone: Disable list users https://review.openstack.org/392306	20:47
*** edtubill has quit IRC		21:07
*** kiran-r has quit IRC		21:09
openstackgerrit	Merged openstack/keystone: Additional logging when authenticating https://review.openstack.org/333490	21:12
lbragstad	ayoung addressed your comments here - https://review.openstack.org/#/c/374479/	21:14
openstackgerrit	Merged openstack/keystone: Doc the difference between memcache and cache https://review.openstack.org/392242	21:17
*** richm has quit IRC		21:22
*** chris_hultin is now known as chris_hultin\|AWA		21:30
*** ravelar has quit IRC		21:32
*** adrian_otto has quit IRC		21:36
ayoung	lbragstad, +2A based on morgan's comments	21:39
mfisch	jlk: I assume you're reading openstack-dev at least the keystone tag? I'm going to send my results	21:45
*** jerrygb has quit IRC		21:46
*** PsionTheory has joined #openstack-keystone		21:48
jlk	I'm not subscribed there at the moment.	21:48
mfisch	k	21:48
mfisch	I'll just email you and steve	21:49
jlk	thanks	21:49
mfisch	the commands do seem to be ideimpotent	21:49
mfisch	that helps puppet a bit	21:49
mfisch	jlk: your bug is odd, its almost like you had some old workers running?	21:50
jlk	that's what i found too, in that they exited 0 and shit didn't fall over after running them a second or many times.	21:50
jlk	mfisch: it is weird, but I wonder if it's just a timing of how the db actions are done	21:50
mfisch	like in-flight stuff	21:50
mfisch	I saw 1 DB deadlock during expand under pretty much no load	21:50
jlk	like, the logic to read/write to a new location gets put down before the location exists or something like that.	21:50
mfisch	1 thread getting a token every 3 seconds	21:50
mfisch	yeah	21:51
mfisch	and this vvv	21:51
openstackgerrit	Matt Fischer proposed openstack/keystone: cache_on_issue default to true https://review.openstack.org/383333	21:52
openstackgerrit	Matt Fischer proposed openstack/keystone: Allow running expand & migrate at the same time https://review.openstack.org/392320	21:52
mfisch	dang it, should have only been 1 review	21:52
*** richm has joined #openstack-keystone		21:53
mfisch	jlk: email is @ibm.com?	21:53
jlk	omgjlk@us.ibm.com	21:53
mfisch	us. thanks	21:53
*** Zer0Byte__ has quit IRC		21:58
*** jperry has quit IRC		21:59
*** Zer0Byte__ has joined #openstack-keystone		22:00
*** ravelar has joined #openstack-keystone		22:01
*** PsionTheory has quit IRC		22:04
*** jerrygb has joined #openstack-keystone		22:04
*** jerrygb has quit IRC		22:06
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove support for PKI and PKIz tokens https://review.openstack.org/374479	22:09
*** ravelar has quit IRC		22:14
*** edmondsw has quit IRC		22:24
*** haplo37_ has quit IRC		22:25
knikolla	the assumption that tests have write access to the identity backend is so deeply integrated into every abstraction layer of the unit tests. it's irritating.	22:26
*** rcernin has quit IRC		22:31
*** haplo37 has joined #openstack-keystone		22:38
jamielennox	lol, in my first couple of months on keystone i proposed a giant unit test refactor	22:46
jamielennox	i can't imagine they have gotten any better	22:46
*** lamt has joined #openstack-keystone		22:53
*** jaugustine has quit IRC		23:00
gagehugo	knikolla: ++	23:20
*** lamt has quit IRC		23:21
*** Zer0Byte__ has quit IRC		23:23
*** Zer0Byte__ has joined #openstack-keystone		23:25
*** kiran-r has joined #openstack-keystone		23:34
*** ravelar has joined #openstack-keystone		23:41
*** g2` is now known as g2[cubs-ATL]		23:42
*** ravelar has quit IRC		23:45
*** richm has quit IRC		23:48
*** LiYuenan has quit IRC		23:53
openstackgerrit	Merged openstack/keystone: Remove support for PKI and PKIz tokens https://review.openstack.org/374479	23:54
openstackgerrit	Adrian Turjak proposed openstack/keystone: adding combined password and totp auth plugin https://review.openstack.org/343422	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!