Monday, 2016-11-28

*** hoangcx has joined #openstack-keystone00:41
*** rcernin has quit IRC00:42
*** guoshan has joined #openstack-keystone00:45
*** guoshan has quit IRC01:05
*** gus has quit IRC01:07
*** gus has joined #openstack-keystone01:11
*** davechen_afk has joined #openstack-keystone01:15
*** davechen_afk has joined #openstack-keystone01:16
*** catinthe_ has quit IRC01:16
*** davechen_afk is now known as davechen01:16
*** gus has quit IRC01:16
*** gus has joined #openstack-keystone01:17
*** catintheroof has joined #openstack-keystone01:17
*** catintheroof has quit IRC01:21
*** jamielennox is now known as jamielennox|away01:26
*** liujiong has joined #openstack-keystone01:29
*** guoshan has joined #openstack-keystone01:30
*** brad[] has quit IRC01:40
*** brad[] has joined #openstack-keystone01:42
*** jamielennox|away is now known as jamielennox02:15
*** jperry has quit IRC02:25
*** markvoelker has joined #openstack-keystone02:31
openstackgerritzhangyanxian proposed openstack/keystone: Fix typo in
openstackgerritzhangyanxian proposed openstack/keystone: Fix typo in
openstackgerritzhangyanxian proposed openstack/keystone: Fix typo in
openstackgerritJamie Lennox proposed openstack/keystone: Allow fetching an expired token
openstackgerritMerged openstack/python-keystoneclient: Show team and repo badges on README
openstackgerritMerged openstack/keystonemiddleware: Show team and repo badges on README
openstackgerritMerged openstack/keystoneauth: Drop - it's not needed by pbr
openstackgerritMerged openstack/keystoneauth: Show team and repo badges on README
jamielennoxbreton, stevemar, lbragstad: we need to pass reasonably soon to have a chance of getting it done this cycle, can you look and if it's a small change let it be a follow up patch03:27
stevemaroh yeah03:28
openstackgerritayoung proposed openstack/keystone: URL pattern based RBAC Management Interface
*** ayoung has joined #openstack-keystone03:38
*** ChanServ sets mode: +v ayoung03:38
*** nkinder has joined #openstack-keystone03:56
stevemarjamielennox: tweaking your release note04:06
openstackgerritSteve Martinelli proposed openstack/keystone: Allow fetching an expired token
stevemarjamielennox: oh looks like needs love04:08
*** code-R has quit IRC04:09
*** code-R has joined #openstack-keystone04:09
jamielennoxstevemar: thanks - yea, the client one has to merge and be released before we can use that anyway04:09
stevemarjamielennox: thoughts on the whole request id thing in client04:10
stevemari think we need to merge that chain that has been languishing...04:10
stevemarcut a major version04:11
stevemaror are we sure it works now without breaking things04:11
*** links has joined #openstack-keystone04:13
jamielennoxstevemar: i haven't looked in a while, it's ugly04:15
jamielennoxlast i saw they were wrapping it with wrapt which i think won't break anything04:15
jamielennoxbut dstanek was having a look at an alternative04:16
*** code-R has quit IRC04:21
*** code-R has joined #openstack-keystone04:21
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Show team and repo badges on README
stevemarjamielennox: i'm bumping the priority on that one04:29
stevemarjamielennox: almost all core projects have it merged but us04:29
stevemarwe're lookin like chumps out there!04:30
*** code-R has quit IRC04:41
*** udesale has joined #openstack-keystone04:57
*** zhangjl has joined #openstack-keystone05:09
*** guoshan has quit IRC05:20
stevemarbreton: jamielennox either of you around?05:31
stevemarcan one of you verify my plan of action on ?05:32
stevemar3rd last comment05:32
*** jrist has quit IRC05:39
*** jaosorior has joined #openstack-keystone05:57
*** code-R has joined #openstack-keystone06:00
*** guoshan has joined #openstack-keystone06:07
bretonstevemar: yes06:07
bretonstevemar: looks good06:07
stevemarbreton: okay, i'll make the change06:10
stevemarbreton: looks like the requirements patch will land soon and i don't want us broken06:10
stevemarbreton: also, thoughts on
bretonstevemar: not really. Is Colleen on IRC? I would like her to +1 it too06:17
openstackgerritSteve Martinelli proposed openstack/keystone: Send the identity.deleted.role_assignment after the deletion
stevemarbreton: yes, she is crinkle06:18
stevemarbreton: ok, i will chat with her, she is west coast time, or actually... i think shes in EU now?06:19
stevemarbreton: maybe you can chat with her sooner than i can :P06:19
openstackgerritzhangyanxian proposed openstack/keystone: Fix typo in
openstackgerritSteve Martinelli proposed openstack/keystone: ignore deprecation warning for .encrypt()
openstackgerritSteve Martinelli proposed openstack/keystone: Use sha512.hash() instead of .encrypt()
stevemarbreton: i set up the patches, if they should fail for a silly typo, feel free to fix and reapprove, i really don't want a broken gate06:25
masuberuI see this on my openstack host --> openstack-keystone.service | not-found | inactive | dead | openstack-keystone.service06:27
masuberuhowever I can login using horizon, is this normal?06:28
stevemarbreton: signing off sir o\06:33
bretonstevemar: пщщв тшпре06:34
bretonstevemar: good night06:34
stevemarsecret code, i like it06:34
stevemarbreton: google knew what you meant :)06:35
*** code-R_ has joined #openstack-keystone06:49
*** code-R has quit IRC06:52
*** jaosorior has quit IRC07:04
*** jaosorior has joined #openstack-keystone07:05
*** adriant has quit IRC07:20
*** code-R_ has quit IRC07:20
*** code-R has joined #openstack-keystone07:35
openstackgerritMerged openstack/keystone: Allow fetching an expired token
*** rcernin has joined #openstack-keystone07:44
*** pcaruana has joined #openstack-keystone07:45
*** code-R_ has joined #openstack-keystone07:57
*** code-R has quit IRC07:59
*** jpich has joined #openstack-keystone08:03
*** pnavarro has joined #openstack-keystone08:29
*** code-R_ has quit IRC08:30
*** code-R has joined #openstack-keystone08:34
crinklebreton: stevemar I still think 390948 doesn't really work properly in certain cases so can't really +1, but I took away my -1 since other reviewers think it's good enough08:48
bretoncrinkle: are there things that worked before the patch and won't work with the patch?08:52
*** amoralej|off is now known as amoralej08:52
crinklebreton: no, it doesn't break anything08:53
*** aloga_ has joined #openstack-keystone08:58
*** zzzeek has quit IRC09:00
*** code-R has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:01
openstackgerritKseniya Tychkova proposed openstack/python-keystoneclient: [WIP] Quota limits
openstackgerritKseniya Tychkova proposed openstack/keystonemiddleware: [WIP] Quota limits
openstackgerritKseniya Tychkova proposed openstack/keystone: [WIP] Quota limits spec:
*** davechen is now known as davechen_afk09:41
*** jperry has joined #openstack-keystone09:50
*** code-R has joined #openstack-keystone09:55
*** asettle has joined #openstack-keystone09:56
*** code-R_ has joined #openstack-keystone09:57
*** code-R has quit IRC10:00
*** aloga_ has quit IRC10:02
*** guoshan has quit IRC10:10
*** guoshan has joined #openstack-keystone10:11
openstackgerritHa Van Tu proposed openstack/keystone: Refactor Keystone admin-tokens and admin-users v2
*** topol has quit IRC10:18
*** stevemar has quit IRC10:19
*** liujiong has quit IRC10:29
*** hoangcx has quit IRC10:37
*** guoshan has quit IRC10:37
*** zhangjl has quit IRC10:44
*** kragniz has quit IRC10:54
*** kragniz has joined #openstack-keystone10:54
*** udesale has quit IRC10:59
*** guoshan has joined #openstack-keystone11:02
*** guoshan has quit IRC11:16
*** jaosorior has quit IRC11:30
*** guoshan has joined #openstack-keystone11:44
*** nicolasbock has joined #openstack-keystone11:45
openstackgerritColleen Murphy proposed openstack/keystone: Document token header in federation auth response
*** jperry has quit IRC11:54
*** guoshan has quit IRC11:54
*** code-R_ has quit IRC11:59
*** code-R has joined #openstack-keystone12:04
openstackgerritRodrigo Duarte proposed openstack/keystone: Document token header in federation auth response
*** rodrigods has quit IRC12:17
*** rodrigods has joined #openstack-keystone12:17
*** dave-mccowan has joined #openstack-keystone12:19
*** jaosorior has joined #openstack-keystone12:29
*** iurygregory has joined #openstack-keystone12:42
*** amoralej is now known as amoralej|off12:46
*** amoralej|off is now known as amoralej|lunch12:46
*** lamt has quit IRC12:58
*** jaosorior is now known as jaosorior_brb13:16
*** code-R_ has joined #openstack-keystone13:20
*** code-R has quit IRC13:23
*** dims has quit IRC13:33
*** guoshan has joined #openstack-keystone13:33
*** mrsoul has quit IRC13:41
*** dims has joined #openstack-keystone13:44
*** stevemar__ has joined #openstack-keystone13:47
*** mrsoul has joined #openstack-keystone13:47
*** amoralej|lunch is now known as amoralej13:50
*** lamt has joined #openstack-keystone14:00
*** links has quit IRC14:04
*** richm has joined #openstack-keystone14:05
*** henrynash_ has quit IRC14:10
*** jperry has joined #openstack-keystone14:16
*** clenimar has joined #openstack-keystone14:18
*** agrebennikov has joined #openstack-keystone14:22
*** rszmigie has joined #openstack-keystone14:22
lbragstadstevemar__ ayoung o/14:23
lbragstadsaw i had a couple pings from you two14:23
stevemar__lbragstad: yo14:23
lbragstadi'm back from my food induced coma14:23
ayounglbragstad, so, do you have any fundamental problems with the RBAC approach, or are you just trying to get the spec perfect before getting it in?14:24
stevemar__ayoung: i feel you are trying to ramrod things through14:24
lbragstadayoung my biggest concern was the performance perspective14:24
lbragstadsince keystone is responsible for another data point that policy needs14:25
ayounglbragstad, OK, so if we go for in middleware as opposed to along with the token validation the only overhead is the call to get the RBAC data14:25
ayoungand that can be cached14:25
stevemar__ayoung: you've been on a death march for this one, more so than your other work14:25
ayoungstevemar__, it has been my experience that this is the only way to get things into Keystone14:25
ayounglbragstad, so, assuming the RBAC data gets cached, lets say for 5 minutes14:26
lbragstadwell - *should* that be something that is cached?14:26
stevemar__i disagree with that.14:26
ayounglbragstad, yes it will rarely change14:26
lbragstadbut when it does it is something that needs to be reflected immediately, no?14:27
ayoung and...we could always find a way to trigger a cache invalidation if we need to as well... I have a thought on that14:27
*** rcernin has quit IRC14:27
ayoungRBAC changes?  Probably not.  My assumption is that most changes are going to be "loosening up" not "tightening up"14:27
lbragstadthat's part of why i want to avoid it... the whole cache and revocation thing is complicated - especially after trying to fix all the issues we had with revocation events and caching last release14:27
ayoungbut, lets talk cache invalidation14:27
*** openstackstatus has quit IRC14:28
ayoungsay we want to change the RBAC rules  for Nova14:28
ayoungand we want those changes in effect fast14:28
ayoungso, right now, we have 0 ability to do that anyway, this is new...14:28
ayoungbut we want it, so lets add an additional cache control header to a call to Nova, that is only honored for an admin roled token14:28
lbragstadthat change requires an operator to lay down the specific rule they want to over ride in a policy file14:29
*** openstackstatus has joined #openstack-keystone14:29
*** ChanServ sets mode: +v openstackstatus14:29
ayoungCache-Control: rbac-fresh14:29
ayoungand if a user with an admin token passes that cache control header on any call to Nova, Nova will refetch the rbac data14:30
ayounglbragstad, so, no revocation14:30
ayoungif you don't tell nova to flush, the ordinary cache time out for the rbac rules takes effect.  Same time frame as the tokens14:30
lbragstadso - keystone performance will fluctuate depending on how nova is called?14:31
ayoungrevocation was always a bad idea for tokens.  I should have fought it when I was first pressed on it, but I had just spent 6 months getting the PKI stuff working, and, as most things, it was getting held up right at freeze time by someone that had not been paying attention until that point14:31
stevemar__ayoung: adam, you really need to get more than just lance to look (and approve) at the spec. overhauling policy was not identified as a priority for ocata we have a very short runway. (ocata 2 is less than 2 weeks from now)14:31
ayoungstevemar__, he's not the only one looking at it, just the most active reviewer, and has the most concerns14:32
ayoungstevemar__, the goal here is to get the bones in to Ocata as experimental14:32
stevemar__ayoung: henry has 1 review and rodrigo has 214:32
ayoungstevemar__, Henry +2ed it already.  I know he gets it.14:33
ayoungand I've talked it over with Jamie on IRC, which is where the caching concerns came out14:33
ayoungstevemar__, and I know that the people that worked on Dynamic Policy in the past get the general idea.  AFAICT this is the only way to solve the majority of the access control problems we have in OpenStack.14:34
ayoung1.  It lets people customize roles without breaking existing policy14:35
stevemar__ayoung: i agree policy is in a shit state and needs overhaul14:35
ayoung2. It lets someone know what role they need to perform an action without compromising security14:35
ayoungstevemar__, but not an overhaul14:35
stevemar__i do not agree with the fact that we need to do it *now*14:35
ayoungstevemar__, overhauls break everything14:35
stevemar__(in ocata)14:35
ayoungstevemar__, I am not willing to work on policy for another year.  Its been 3 so far14:36
ayoungnot without at least making progress14:36
stevemar__this is coming off as very rushed, and that gets me on edge14:36
ayoungstevemar__, it should not14:36
*** rcernin has joined #openstack-keystone14:36
ayoungstevemar__, this is the result of a couple years iterations, finely tuned to the problem at hand14:36
ayoungreduced in scope so as to not break anything existing.14:36
ayoungit is an additional layer14:36
ayoungnot breaking, not replacing, adding to14:37
ayoungand that has been shown to be essential14:37
ayoungit is completely within Keystone managed code14:37
ayoungand, no, it is not rushed.  It is just the primary thing I am working on.14:38
stevemar__i feel it's being rammed through cause we want a fix14:38
stevemar__we don't all focus on what adam is working on14:38
stevemar__look, i owe you a review of the spec, but i'm going to review what was discussed as a priority of the summit first14:39
ayoungstevemar__, I don't track every last thing going on in Keystone either14:39
ayoungstevemar__, you do realize that this A) came out of discussions at the summit and B) was posted as soon after the summit as I could?  We had summit sessions about policy, but no clear approach until this.14:40
ayoungWe did the dynamic policy code over a year ago, and there were issues that were raised that we didn't know how to solve14:42
ayoungwe could not do this approach until we had implied roles, which I worked on 2 releases ago14:42
ayoungSo, I've been working on this very steadily for years, and I have made an effort to get the information out in an understandable manner as soon as I can.14:43
ayoungThis addresses a lot of the issues that jamielennox and dolphm butted up against trying to get the standard set of roles defined, remember?14:43
ayoungstevemar__,  and the mechanisms are ones we've talked about for years:  splitting rbac from the scope check , doing RBAC in middleware14:44
stevemar__i do not remember those issues, no.14:44
ayoungstevemar__, that is because there are many people working on Keystone, and even you cannot track EVERYTHING that goes on.14:44
ayoungstevemar__, let me see if I can find the review.14:44
stevemar__ayoung: if you get enough people to OK it, then that's fine with me. i am just sharing my thoughts and why i haven't reviewed it yet14:45
ayoungstevemar__, you should review it.  I think you will like it, and it will scare you less14:46
ayoungI do owe lbragstad a split of the spec14:46
ayoungI am going to pull off the parts where it does the rbac check as part of the token validation, as that can happen 2nd, if at all14:46
stevemar__ayoung: a split would be great14:46
lbragstadas an action item from the summit - we do have the policy meeting14:46
ayoungits on my task list for today14:46
stevemar__i also didn't want lbragstad's policy initiative to get trampled on, in case he had another approach and is too nice to say otherwise14:47
openstackgerritMerged openstack/oslo.policy: Remove wrong parameter type for class NotCheck from docstring
ayounglbragstad, yes, and  we also have people attempting to force through a compete ABAC solution in policy which we've already evaluated.  We've shown A) that it can be done and B) it is not practical for most deployments and C) it still does not solve the problem of how to tell a user what roles/attributes they need to perform an action.  The new people on the project were not here when we went through those iterations.14:50
ayoungWe've seen that people doing RBAC with Fortress do not understand the issues with Keystone project scoping.  Keystone started with Global roles, and we made a decision to go with scoped roles.14:51
ayoungI think it is a huge step forward, beyond what most places do with RBAC, so I am happy to help educate people on that.14:52
ayoungBut we've been working on this since ... Paris?14:52
openstackgerritMerged openstack/keystone: ignore deprecation warning for .encrypt()
ayounglbragstad, stevemar__ BTW, I did find a way to automate the creation of the RBAC rules from existing resources:14:55
*** phalmos has joined #openstack-keystone14:55
ayounglbragstad, stevemar__ for example, for NOVA14:55
ayoungfind ./api-ref/source/ -name \*inc | xargs awk '/rest_method/ {print "{ verbs=[\"" $3"\"], url_pattern=\""$4"\" role=\"Member\" },"}'14:55
ayoungthat works for the projects that have their APIs in the api-ref dir. Keystone Nova Glance and Cinder14:56
ayoungneutron does not14:57
openstackgerritMerged openstack/keystone: Document token header in federation auth response
*** phalmos_ has joined #openstack-keystone15:00
*** phalmos has quit IRC15:02
*** iurygregory has quit IRC15:05
*** jaosorior_brb has quit IRC15:05
*** clenimar has quit IRC15:05
*** jaosorior_brb has joined #openstack-keystone15:05
*** iurygregory has joined #openstack-keystone15:07
*** clenimar has joined #openstack-keystone15:07
*** daemontool has joined #openstack-keystone15:10
*** chris_hultin|AWA is now known as chris_hultin15:15
*** guoshan has quit IRC15:23
*** bknudson has joined #openstack-keystone15:23
*** ChanServ sets mode: +v bknudson15:23
*** ravelar has joined #openstack-keystone15:29
*** rszmigie has quit IRC15:31
*** ravelar has quit IRC15:32
*** dims has quit IRC15:36
*** jaosorior_brb is now known as jaosorior15:37
*** dims has joined #openstack-keystone15:41
*** ravelar has joined #openstack-keystone15:41
*** phalmos_ has quit IRC15:46
*** ravelar has quit IRC15:46
*** ravelar has joined #openstack-keystone15:47
*** phalmos has joined #openstack-keystone15:47
*** code-R_ has quit IRC15:51
zzzeekso re: these still seem to be running against passlib==1.6.5 in the gate, has anyone tested against 1.7?  I'm getting new failures now15:52
*** mvk has quit IRC16:01
*** david-lyle has quit IRC16:01
*** HenryG has quit IRC16:01
*** andreaf has quit IRC16:01
*** Kimmo__ has quit IRC16:01
*** jefrite has quit IRC16:01
*** zigo has quit IRC16:01
*** rm_work has quit IRC16:01
*** ccard_ has quit IRC16:01
*** charz_ has quit IRC16:01
*** freerunner has quit IRC16:01
*** zigo has joined #openstack-keystone16:01
*** Kimmo__ has joined #openstack-keystone16:02
*** mvk has joined #openstack-keystone16:02
*** ccard_ has joined #openstack-keystone16:02
*** david-lyle has joined #openstack-keystone16:02
*** vryzhenkin has joined #openstack-keystone16:02
*** rm_work has joined #openstack-keystone16:02
*** vryzhenkin is now known as freerunner16:02
*** charz has joined #openstack-keystone16:02
*** HenryG has joined #openstack-keystone16:02
*** jefrite has joined #openstack-keystone16:05
*** andreaf has joined #openstack-keystone16:12
*** raildo has joined #openstack-keystone16:15
*** edtubill has joined #openstack-keystone16:17
*** mvk has quit IRC16:17
*** code-R has joined #openstack-keystone16:25
*** rcernin has quit IRC16:27
*** arunkant__ has joined #openstack-keystone16:29
*** code-R_ has joined #openstack-keystone16:31
*** phalmos has quit IRC16:33
*** code-R has quit IRC16:34
openstackgerritGage Hugo proposed openstack/keystone: Add reason to CADF notifications in docs
*** josecastroleon has quit IRC16:40
lbragstadzzzeek what other errors are you seeing?16:45
lbragstadzzzeek are you seeing them locally?16:45
zzzeeklbragstad: so far on my CI16:45
zzzeeklbragstad: i only run a subset of the tests16:46
lbragstadzzzeek do you have a paste?16:46
zzzeeklbragstad: i pasted them in the launchpad bug, I can reproduce a more localized test16:46
*** phalmos has joined #openstack-keystone16:46
lbragstadzzzeek hmmm - that looks similar to
zzzeeklbragstad: check which passlib is there16:48
lbragstadzzzeek passlib==1.7.016:49
lbragstadzzzeek we attempted to update requirements -
lbragstadzzzeek is that what you have locally, too?16:50
zzzeeklbragstad: hmmmm16:50
rodrigodsstevemar__, looks like mapped isn't put by default after all... shouldn't we consider adding it?16:51
stevemar__rodrigods: totally16:51
rodrigodsstevemar__, ++ sending a quick patch here16:52
zzzeeklbragstad: im not exactly sure why my CI has passlib 1.7, I do play around w/ requirements.  but failures are w/ passlib 1.7 yes, you need to manually override requirements16:52
*** arunkant__ has quit IRC16:53
*** amrith has joined #openstack-keystone16:53
amrithstevemar__, ping. check out
stevemar__amrith: there you are!16:54
lbragstadzzzeek let me see if I can recreate locally with master... keystone did merge
stevemar__amrith: i haven't checked our twitter convo all morning, been busy like a chicken with no head16:54
zzzeeklbragstad: it reproduces, just install passlib 1.7 after you tox -e py27 --notest to install deps16:54
amrithstevemar__, np. just confirmed that the link does in fact render. ta ta16:54
lbragstadzzzeek cool - let me check16:54
stevemar__amrith: :)16:54
*** anush has joined #openstack-keystone16:57
*** tqtran has joined #openstack-keystone16:59
lbragstadzzzeek hummm...17:00
lbragstadstevemar__ i think we need to amend ?17:01
morgan_morning keystone17:01
zzzeeklbragstad: looks like we're waiting for
lbragstadstevemar__ i think the except case needs to deal with the case where 1.6.5 is installed17:01
lbragstadzzzeek aha17:02
lbragstadyeah - that's exactly what i did and it passed locally17:02
*** diazjf has joined #openstack-keystone17:04
*** daemontool has quit IRC17:04
lbragstadzzzeek stevemar__ well - i'm not sure why that patch is failing the cross jobs but - I've rebased it17:04
*** hrybacki is now known as hrybacki|moving17:14
openstackgerritLance Bragstad proposed openstack/keystone: Make try/except work for passlib 1.6 and 1.7
lbragstadstevemar__ zzzeek i proposed ^ and made the requirements change dependent on it17:17
openstackgerritRodrigo Duarte proposed openstack/keystone: Include mapped in the default auth methods
lbragstadi tested it locally with passlib 1.6.5 and 1.717:17
lbragstadand both pass, whereas before I was getting an invalid username/password error17:18
lbragstadwith passlib 1.717:18
lbragstadwhich i have a feeling is why we are getting the failures with the cross job on the requirements patch17:18
*** pcaruana has quit IRC17:19
*** code-R_ has quit IRC17:35
*** code-R has joined #openstack-keystone17:35
*** jpich has quit IRC17:37
*** diazjf has quit IRC17:54
*** pnavarro has quit IRC17:55
*** diazjf has joined #openstack-keystone17:58
*** diazjf has quit IRC17:59
openstackgerritRichard Avelar proposed openstack/keystone: Don't invalidate all user tokens of roleless group
*** catintheroof has joined #openstack-keystone18:04
openstackgerritMerged openstack/keystone: Remove unused statements in matches
stevemar__lbragstad: thanks18:04
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS
*** jperry has quit IRC18:07
*** jaosorior has quit IRC18:08
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS
*** hrybacki|moving is now known as hrybacki18:17
*** chris_hultin is now known as chris_hultin|AWA18:18
*** jperry has joined #openstack-keystone18:21
*** anush has quit IRC18:23
*** jperry has quit IRC18:26
*** jperry has joined #openstack-keystone18:26
*** browne has joined #openstack-keystone18:28
*** code-R has quit IRC18:38
*** code-R has joined #openstack-keystone18:38
*** chlong has joined #openstack-keystone18:42
*** phalmos has quit IRC18:44
*** diazjf has joined #openstack-keystone19:09
*** amoralej is now known as amoralej|off19:11
*** diazjf has quit IRC19:13
lbragstadstevemar__ zzzeek is passing now19:15
stevemar__lbragstad: i'm confused why it works, but it's a stop-gap, it'll be out in a few patches19:15
lbragstadstevemar__ the reason why it was failing was because of the cross job19:16
lbragstadit must do testing with multiple versions?19:16
stevemar__lbragstad: i fast approved19:17
lbragstadtusen takk!19:19
*** phalmos has joined #openstack-keystone19:19
openstackgerritAndrey Grebennikov proposed openstack/keystone: Allow to specify ID on project creation
*** phalmos has quit IRC19:23
*** diazjf has joined #openstack-keystone19:26
openstackgerritMerged openstack/keystone: Refactor Keystone admin-tokens and admin-users v2
*** diazjf has quit IRC19:32
*** chris_hultin|AWA is now known as chris_hultin19:33
*** gyee has joined #openstack-keystone19:34
agrebennikovhey folks, remember at austin summit we talked about potential multi-site solutions. And I proposed to implement custom project ID functionality in order to allow users to switch between regions19:36
*** spzala has joined #openstack-keystone19:37
*** diazjf has joined #openstack-keystone19:38
*** josecastroleon has joined #openstack-keystone19:41
*** josecastroleon has quit IRC19:46
*** amrith has left #openstack-keystone19:48
ayoungrodrigods, you mentioned before something about Federation and LDAP CI, and Outreachy.  What is happening there?19:56
stevemar__aw fail:
stevemar__agrebennikov: i remember some of that19:57
*** gyee has quit IRC20:00
agrebennikovstevemar__, I just submitted the patch for it, please take a look. And before I come to the weekly meeting tomorrow just wanted to let you know that I'm going to try to push you guys once again - another really big customer needs the same feature to be implemented20:01
agrebennikovplease forgive me, the patch is very preliminary and doesn't contain any tests20:02
agrebennikovI just need an opinion20:02
agrebennikovand actually I'd like to discuss it with you guys tomorrow20:02
*** chlong has quit IRC20:02
agrebennikov(if it makes sense)20:02
*** woodster_ has joined #openstack-keystone20:05
*** browne has quit IRC20:08
*** browne has joined #openstack-keystone20:10
*** gyee has joined #openstack-keystone20:11
*** chlong has joined #openstack-keystone20:18
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Import TaskManager from shade/nodepool
*** adriant has joined #openstack-keystone20:25
morgan_stevemar__: the tail keeps getting longer20:25
morgan_stevemar__, ayoung, eyes would be welcome. this is code imported from shade and nodepool to support their cases. This makes sense to be available via session as the shade use-case is not isolated only to shade20:26
morgan_lbragstad: ^ cc20:26
*** anush has joined #openstack-keystone20:31
lbragstadmorgan_ cool - added it to the queue20:32
morgan_it needs a pep8 fix20:33
morgan_but that'll be shortly20:33
lbragstadmorgan_ for the test doc string?20:33
morgan_yeah i think that's it20:33
lbragstadnot being on a single title line?20:33
morgan_i'm confirming now, but fixing the dependant patch at the same time20:33
morgan_so will take care of that shortly20:33
morgan_oy, some of our pep8 things are icky20:34
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Import TaskManager from shade/nodepool
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Use TaskManager for all request interactions
morgan_lbragstad: ^ fixed. dependant change is also rebased20:37
*** spligak has quit IRC20:37
lbragstadmorgan_ sweet20:37
morgan_i'll be honest, i didn't test py27, just 35 and pep820:38
morgan_hopefully there isn't some silly py27 thing I missed20:38
morgan_lbragstad: ok all tests but the src-dsvm tests have passed20:44
ayoungmorgan_, it is not "Importing" python code  from shade/nodepool is it?20:44
morgan_ayoung: no it is forklifting it in20:45
morgan_so it is closer to the session object and it will be removed from shade/nodepool after ksa has a release20:45
morgan_the task manager interface (and shade's use of it) is not uncommon20:45
morgan_it could enable the clients to be smarter about polling / updates / etc20:45
ayoungmorgan_, but usually in conjunction with some threading model20:46
morgan_it allows for built-in rate limiting by creating a task20:46
morgan_for the moment it is effectively a no-op unless someone adds task-specific-data to the session when instantiating it20:46
ayoungmorgan_, as a construct it is harmless20:47
morgan_the task manager could be thread aware directly20:47
ayoungI'm just not certain this is the place for it.  I'm not saying no, just that this is a huge context switch for me20:47
openstackgerritMatt Fischer proposed openstack/keystone: cache_on_issue default to true
morgan_it could also lean on threading on the wrapping client/user20:47
*** ravelar has quit IRC20:47
morgan_ayoung: the way i see it is that shade and nodepool absolutely use this and it's proven to be useful there.20:48
morgan_i could see this expanding the functionality of ksa without harming the core use. and not in a "feature creep" kind of way20:48
ayoungmorgan_, this is a "base client" type behavior, isn't it?20:48
ayoungNot auth specific20:48
ayoungand we have no base client20:48
morgan_core to interacting with requests for example20:48
morgan_and session should be the "base client" object20:48
morgan_in the openstack world20:49
ayoungksa session is the closest we have...20:49
morgan_correct and i don't want a "base client" because session is meant to handle that.20:49
ayoungwhat would be the end relationship between the TaskManager and the session, then?20:50
morgan_TaskManager is an option that allows for added logic beyond the base "send things as fast as you can to the API"20:50
morgan_for example, shade knows it needs to rate limit some requests20:50
morgan_so it doesn't over load the APIs for clouds20:50
morgan_it can implement the taskmanager which allows it to set this rate limiting client side20:51
morgan_s/implement/use+implement the rate limit functionality/20:51
openstackgerritSamuel Pilla proposed openstack/keystone: [WIP] Add password expiration queries for PCI-DSS
morgan_ayoung: it is an abstraction that allows for more logic that is client-determined when interacting with an API through session.20:53
morgan_ayoung: but unless explicitly used, is no different than today's workflow20:54
ayoungmorgan_, is it something a session would use or something that would use a session?20:55
morgan_it is something that is used by <code> using session20:55
ayoungsay I want to do...create user20:55
ayoungand use a specific task manager, how would I do it?20:56
morgan_you pass the task manager to the session on creation20:56
morgan_you can either pass explicit tasks with logic added to it, or make the task manager always perform the action (such as wait 10s between user-creates)20:57
morgan_most tasks are automatically generated and the added logic would be in the task manager20:57
ayoungso session takes an optional task manager upon creation?20:58
ayoungif it is passed, all tasks go through the task manager?20:58
morgan_yes. if it is not passed, a default (don't change any logic) manager is created and used20:58
morgan_ line 23320:59
ayoungmorgan_, so, besides rate-limiter what task managers have been used thus far?21:00
morgan_let me go look through nodepool21:00
morgan_and shade21:00
*** spzala has quit IRC21:01
morgan_ayoung: for example, nodepool does caching with a provider manager for the flavour list21:02
morgan_right now it's directly implemented on the nodepool task manager, since it isn't down into the session object21:03
morgan_mordred: ^ see ayoung's question on task managers that have been implemented21:04
morgan_ayoung: mordred can probably answer more directly.21:04
morgan_since i'm digging through code to find the managers21:04
ayoungmorgan_, could this be a general purpose utility, chain of responsibility style, for adding new behaviour?21:04
morgan_ayoung: possibly.21:04
ayoungmorgan_, a couple things that seem like this is near:21:04
ayoungKerberos, where you want to specify --negotiate on ALL URLs, not just to Keystone,21:05
ayounggetting a token from a common store, like we did with Keyring21:05
morgan_that should be 100% possible to do21:05
morgan_based upon my understanding21:06
ayoungmorgan_, any workflow with tokens, where we want to maybe get something specific for a call....21:06
morgan_it might need a little massaging to get there21:06
morgan_but afaict yes.21:06
mordredayoung: rate limiting - also making sure only one thread and only one thread executes - also we stick logging/stats collection there21:06
ayoungit is, essentially, a decorator for "do this on all calls"21:06
mordredyah. it can certainly be that21:07
morgan_it is something we're lacking in KSA, but we don't want it to be default behavior (not all interactions/clouds/generic uses need the additional logic)21:07
ayoungmordred, so, what if you are doing multiple things, like both rate limiting and logging?21:07
morgan_ayoung: smarter task manager.21:08
mordredayoung: here's the nodepool one: fwiw21:08
ayoungthat seems like decorator21:08
morgan_mordred: replied to the logging comment.21:08
morgan_mordred: in short ++, either in a followup or depending on comments next patchset21:08
mordredmorgan_: woot21:08
ayoungseems like a wonky interface, though21:09
ayoungthe interface seems tuned to threading21:09
mordredthat's what it was written for - its primary purpose in life is enabling advanced things related to threading/rate-limiting21:09
ayoungseems like the start/stop should be the lifespan of the session itself.  How would that work if it were buried under the session object?21:09
mordredit can _also_ do other things21:09
mordredwhy would start/stop be the lifespan of the session? we make one session and use it for thousands of calls21:10
ayoungmordred, mordred I hear ya,  I am just trying to wrap my head around it////21:10
* morgan_ is glad mordred lurks in this channel too21:10
mordrednot meaning to be argumentative - mostly just poking/helping to poke so that I can try to help with the head wrapping21:10
ayoungmordred, but would you stop and start the task manager from the session object on each call?21:10
ayoungwhat would call "start"21:10
mordredayoung: duh. sorry, brain not fully firing21:12
ayoungmordred, see, that is normal brain operation for me.21:13
mordredayoung: that's an excellent question - in the case you have a TaskManager (like the nodepool ones) I'd imagine you'd be passing the TaskManager to the session constructor - so you would have the handle to call start and stop as needed21:13
* morgan_ is sans coffee... sooooo brain is firing at .. 205%21:13
*** anush has quit IRC21:13
mordred205% is really good braining21:14
morgan_fingers are smarter than brain atm21:14
ayoungI think it wraps around21:14
ayoung101% == 1%21:14
mordredoh. then that's less good braining21:14
morgan_my brain is so fast, it's slow.21:15
ayoungOK, so... mordred say I am using a rate limiting task manager.  That would just limit the rate on all calls, no need to call start or stop, right?21:16
*** chlong has quit IRC21:16
morgan_ooh i think this needs a reno as well. will poke at that21:17
mordredyah. that's how we use it in nodepool - the TaskManager is started at instantiation (when we give it the rate) and then it applies that rate to all calls21:17
mordredfor 'fancy' things like glanceclient where the call to glanceclient is actually a generator - so we have no way of knowing when it's going to make a remote call21:18
mordred(which will be fixed by pushing the rate limiting directly into the session itself)21:18
ayoungSo, it seems to me the TaskManager was designed external to the session, and maybe does not need to be more than a "decorate" call when added to the session?21:19
ayoungok, so let's say you are making calls via a bunch of processes, and you want them all to go through some central session hub (wack idea)21:19
morgan_ayoung: wack idea indeed21:19
mordredthen you should be using oaktree ;)21:20
ayoungthe decorator would be the code that connects to the hub, say to serialize multiple requests from different processes21:20
ayoungbut the start and stop would be called on the session hub, not on the decorator21:20
ayoungseems like the abstraction you want is really two different things?21:20
ayoungno idea what Oaktree is, so I cannot say21:21
morgan_ayoung: i'd say the "session hub" is likely going to end up being a proxy, the normal session would pass the info on to the session hub21:21
morgan_since a session is an actual request-generating-object21:21
mordredI'm not following the decorate construct21:21
morgan_mordred: task manager works like a decorator, execute/do things; execute actual function; execute/dothings/return21:22
ayoungmordred, an interface like the python @decorator approach, but that you dynamically add to a session21:22
ayoung2 functions21:22
morgan_mordred: it is an apt comparison to python code itself21:22
ayoungdo this before calling the remote API21:22
ayoungdo this after calling the remote API21:22
ayoungyeah, what morgan_ said21:22
ayoungdecorator as a Design pattern though, not talking about necessarily using the Python impl21:23
mordredbecause the python impl is a whole other thing21:23
morgan_it functionally is designed like a decorator works.21:23
ayoungso, instead of saying, create this session with this task manager, you would  say : here are the set of decorators to include on this session object21:25
mordredyes - one could do that - however, because the original intent of TaskManager is about queue running / rate limiting, I believe it would be hard to reason about if it was a generic "here are the request wrappers I want you to run, one of them will serialize in a queue all calls"21:26
mordredI could be wrong about that, of course21:26
morgan_also.. that would require metaclass magic21:26
morgan_if you're actually using decorators.21:27
morgan_i could see an interface like dogpile does with the proxy->proxy->proxy->backend21:28
morgan_but it feels like that could get wibbly-wobbly21:28
morgan_(proxy is an object fwiw)21:28
morgan_i like the added logic encapsulated in the task manager.21:29
*** anush has joined #openstack-keystone21:29
*** chlong has joined #openstack-keystone21:30
ayoungI still don't understand what would call start/stop21:30
morgan_ayoung: in the case of nodepool, which is heavily threaded. nodepool would manage start/stops21:30
mordredwhoever creates the TaskManager object is responsible for calling start/stop21:31
mordredit's also worth pointing out that a single TaskManager can be used for more than just the requests Session21:31
mordredor could be passed to more than one Session21:31
mordredso in the simple case, there is only one TaskManager and it's hidden from the user so nobody calls those because they don't matter21:32
morgan_in the case where it's not thread-magic the start/stop isn't needed (as seen in the default impl)21:32
mordredin the more complex case where the user knows they want a TaskManager that does other things, it's their job to start/stop if needed21:32
morgan_mordred: ++21:32
morgan_ayoung: in short, start/stop is for exceptionally complex uses such as nodepool or your "session hub" kind of concept21:32
morgan_but in most cases not a hard-set requirement21:33
morgan_erm.. used extensively in the simple cases that is21:33
mordredmorgan_: perhaps we should remove the run/stop methods from the ksa.TaskManager21:33
ayoungmorgan_, could that be on a specific subclass, then, and not on the interface submitted to gerrit on this review?21:33
mordredit's not actually a part of the interface here21:33
morgan_mordred: possibly?21:33
morgan_i'm not opposed to that21:34
mordredyah. I think that might be the confusion21:34
ayoungnow, how about a "before and after call?"21:34
mordredthey aren't methods intended to be called by things that aren't the nodepool TaskManager21:34
morgan_if the task manager needs to be smarter it can be, but it's not nodepool specific21:34
morgan_or oaktree for that matter21:34
morgan_just supporting the base taskmanager interface is all ksa needs to do21:34
mordredyah. just saying - if someone made a QueueTaskManager and that needed a start/stop, those are new methods for that21:35
morgan_and that is a sane approach21:35
mordredand ksa calling those methods would not be a thing21:35
*** diazjf has quit IRC21:35
mordredbecause how could ksa know when to call them - to ayoung's point :)21:35
morgan_ok i'll yank those methods off the ksa one.21:35
morgan_in the next patchset21:35
ayoungit kindof looks like the existing calls are before and after...if you squint and look out of the corner of your eye21:36
morgan_mordred: stop/run methods actually here, right?21:37
mordredthe ones that say "this doesn't do anything"21:37
*** anush has quit IRC21:37
morgan_mordred: hmm. i think the logger needs to not be a class property here.21:40
mordredmorgan_: nod21:40
morgan_is it sane to make the logger instance property? because we're not expecting every task to use the same logger object21:41
morgan_same with taskmanager?21:42
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediate change their password upon first use
ayoungmorgan_, mordred I am not sure how to capture this in the code review.21:45
morgan_ayoung: well ignore the start/run methods. if you want a before/after type method submitTask and submitFunction can be defined on the new subclassed taskmanager21:47
openstackgerritDavid Stanek proposed openstack/keystone: Move redelegated_trust_id out of extras
stevemar__rderose: ohh that sounds like a change of behaviour21:49
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Import TaskManager from shade/nodepool
*** diazjf has joined #openstack-keystone21:49
morgan_mordred: ^ fixed things based upon discussion here21:50
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use
morgan_mordred: also loggers are now instance properties.21:50
morgan_mordred: unless I am breaking something specifically... maybe we should allow passing of a logger in? in case you want to use a shared logger.21:50
*** masuberu has quit IRC21:51
stevemar__dstanek: thanks :)21:51
ayoungmorgan_, mordred responded.  Hope this discussion was helpful21:51
rderosestevemar__: need a spec?21:51
morgan_ayoung: thnx21:52
rderosestevemar__: it is a change in behavior, but was missed in the original PCI-DSS spec21:53
stevemar__rderose: oh21:53
stevemar__rderose: is there a bug? i missed that in the commit message i think21:53
stevemar__i thought you were changing things up completely21:53
rderosestevemar__: no, not changing things up completely21:54
morgan_ayoung: responded, patchset 4 removes stop/run methods from the task manager21:54
rderosestevemar__: planning to add a bug21:54
ayoungmorgan_, I know it is more work, but what about splitting it into before and after as I suggested21:56
morgan_mordred: do we need threading.event and wait in the baseTask?21:56
ayoungAnd then showing how the decorators would be called from the session object21:56
ayoungAt a minimum, show how it is going to be called from the session21:57
morgan_ayoung: the followup patch implements that21:57
ayoungmorgan_, yeah, but the no-op impl and the call from session is the important part and should be a single patch21:57
ayoungthe follow on does too much IIRC21:58
ayoungAh, it just logs21:58
ayoungdrop that21:58
*** chris_hultin is now known as chris_hultin|AWA21:58
morgan_drop the logging from the base implementation?21:59
morgan_oh i see the logger thing21:59
ayoungI really don't like the run approach.  You need to do kwargs to call an existing method...I won't hold it up, but, please think of the maintainers.21:59
morgan_i'll roll the log bit back into the previous patch, that is where it should have been.22:00
ayoungthe other thing I don't like is that it makes the client async doesn't it?22:00
morgan_not explicitly22:00
morgan_it could be async.22:00
ayoungmesses with return code meaning then22:00
morgan_the threading bits will be dropped from the main basetask in the next patch22:01
* ayoung has to get kids22:01
morgan_mordred: i think i found a small gap in the code as well22:02
openstackgerritayoung proposed openstack/keystone-specs: Role Check Check from Middleware
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use
morgan_ayoung: it shouldn't be messing with the return code meaning. it should pass back up to the session in the same way22:03
ayounglbragstad, stevemar__ there is the version with RBAC in middleware only22:03
ayoungmorgan_, then it needs to be sync...22:03
ayoungor the task manager abstraction needs to be outside the call somehow...too much for me to think through right now.22:04
morgan_ayoung: it is a sync call unless the task manager implements async.22:04
morgan_ayoung: which case, that is on the implementor to manage/maintain (such as nodepool)22:04
ayoungright but the caller might not know that22:05
morgan_if you're overriding the task manager... your caller needs to know what is expected.22:05
*** lamt has quit IRC22:05
morgan_nodepool does know that and is what is consuming/using the session22:06
morgan_ayoung: go get kids22:07
*** chlong has quit IRC22:09
*** lamt has joined #openstack-keystone22:10
*** jrist has joined #openstack-keystone22:20
*** mvk has joined #openstack-keystone22:25
*** catintheroof has quit IRC22:28
*** zigo has quit IRC22:29
openstackgerritAndrey Grebennikov proposed openstack/keystone: Allow to specify ID on project creation
*** zigo has joined #openstack-keystone22:36
*** spligak has joined #openstack-keystone22:37
*** chris_hultin|AWA is now known as chris_hultin22:41
*** edtubill has quit IRC22:42
lbragstadmfisch did you ever figure out what was up with ?22:52
lbragstadand why it was failing?22:52
lbragstadmfisch I saw that you rebased it, did another patch land that fixed it?22:52
*** diazjf has quit IRC22:59
*** spzala has joined #openstack-keystone23:01
*** jperry has quit IRC23:02
*** spzala has quit IRC23:06
*** chris_hultin is now known as chris_hultin|AWA23:10
*** lamt has quit IRC23:18
rodrigodsayoung, hey... was afk23:31
openstackgerritMerged openstack/keystone: Make try/except work for passlib 1.6 and 1.7
ayoungrodrigods, me too23:44
ayoungrodrigods, what is going on with the upstream Federation CI effort?23:45
rodrigodsayoung, so... we have a devstack plugin being set up:
rodrigodsayoung, and we have functional tests:
ayoungrodrigods, do we currently have a check job to run the Functional tests?23:47
*** gyee has quit IRC23:49
*** agrebennikov has quit IRC23:50
ayoungrodrigods, like, are there any tests that ran with that review that actually show it was working?23:53
