Saturday, 2017-01-21

« Friday, 2017-01-20 Index Sunday, 2017-01-22 »
morganugh.00:00
morganUGH.00:00
knikollamorgan: i gave it a few tries but came up short.00:00
gagehugomorgan: https://review.openstack.org/#/c/374482/00:00
gagehugoyeah it's messy00:00
morganI'm thinking maybe we just patch in a "temp" thing.00:00
morganthat is test-only00:00
knikollamorgan: we can subclass the driver00:01
morganbasically we make the driver itself simply fail00:01
morganand then subclass for tests (for now)00:01
morganlong term we should stop doing "unit" tests on functional backends00:01
knikollamorgan: i was going to add that approach to the meeting on tuesday00:01
morganand we should use a real LDAP server really populated with real useful data00:01
knikollasince ocata is coming near00:01
morgani just need to solve one last issue and my patch should be good to go00:02
morganwith testing to come next00:02
openstackgerritEric Brown proposed openstack/keystone: Add warning about using `external` with federation  https://review.openstack.org/42356100:05
morganok... wtf.00:05
morganwhy is this telling me the value exists?00:05
morganoooh so, looks like we can't use the MFA code with normal identity backends, it needs to be done as a properly mapped user with a local shadow00:08
* morgan grumbles00:15
morganknikolla: this is really ugly00:15
morganknikolla: this ldap backend is just a trainwreck :(00:15
morganstill00:15
knikollamorgan: i'm subclassing a rw ldap from a ro ldap just for the tests, for now.00:17
knikollamorgan: for the next release we should have functional tests for this stuff.00:17
morganhmm00:18
morganso should i add mfa_rules_attribute and mfa_rules_attribute_enabled here?00:19
morgani'm thinking no....00:19
morganand just make ldap not support it.00:19
morganthe whole shadow user thing should be the use-model for the mfa stuff00:19
knikollamorgan: so basically ldap would not support mfa?00:20
morganyep00:20
*** thorst_ has joined #openstack-keystone00:20
morganunless you did it with the local shadow user bits00:20
morganwhich, IIRC is supposed to be how it works00:21
morganbut i need rderose to confirm00:21
knikollamorgan: that would be my guess to.00:21
morganit is literally a single unit test failing00:22
morganand it's the LDAP password update one00:22
morganthis tells me this unit test is bad.00:22
knikollamorgan: AFAIK ldap doesn't have password update in the driver.00:23
morganit does.00:23
morgani am also inclined to just say "#nope" and make the backend fail the password update.00:23
morganand make the test expect it00:23
knikolladef change_password(self, user_id, new_password):00:24
knikolla    raise exception.NotImplemented(00:24
knikolla        _('Self-service user password changes are not implemented for '00:24
knikolla          'LDAP.'))00:24
knikolla^^ ?00:24
morganhttps://www.irccloud.com/pastebin/MR6u9g0X/00:24
morgani guess i could just dump that test00:25
brownelbragstad: dstanek: on bug 1657978, it looks like we already have jsonschema to require domain for group_by_name which is what i did00:25
openstackbug 1657978 in OpenStack Identity (keystone) "Internal Server Error: KeyError: 'domain'" [Medium,New] https://launchpad.net/bugs/1657978 - Assigned to Eric Brown (ericwb)00:25
morganknikolla: make sure that the RW driver you make for ldap for tests is basically only used during setUp00:25
*** thorst_ has quit IRC00:25
morganknikolla: not actually used during real testing00:25
brownehttps://github.com/openstack/keystone/blob/bc8a145de14e455a2a73824e8a84d92ac27aae1c/keystone/federation/utils.py#L22100:26
knikollamorgan: yeah, i'll look into that.00:26
browneoh nevermind, looks like mitaka didn't have the required props00:27
*** nicolasbock has quit IRC00:27
morganok i just hacked a little code into the LDAP driver to handle this edge-case00:39
morganand it will 100% go away once this test is removed.00:39
knikollamorgan: since we are removing write support anyway, the test shouldn't really matter.00:40
morganexactly00:40
morganbut i'm not toasting the test until we drop write support so i tacked in a work-around00:41
*** adrian_otto has quit IRC00:51
*** adrian_otto has joined #openstack-keystone00:52
knikollamorgan: damn. writes are all over the place, not just in setUp.01:00
*** nkinder has quit IRC01:02
knikollabut i think i can resolve that by wrapping the create calls between switching backends.01:03
*** jose-phillips has quit IRC01:04
*** browne has quit IRC01:05
morganso01:08
morgani think the simplest solution is make it so the allow writes is no longer config option01:08
*** ravelar has quit IRC01:08
morganand hold the "LDAP write is ok" in a central global place01:08
morganthen setup sets it, and then unsets it before tests are run01:08
morganany test doing a write to ldap, needs to be fixed or skipped or something01:09
morganthen we can work on a better way of testing01:09
knikollamorgan: that would be *most* of them01:09
morganif it is testing something that is a write and the backend is ldap, it is skipped01:09
morgansimple.01:09
morganor not applied to the LDAP backend01:09
morganyou don't have to run *every* test for a read-only backend01:10
morganin fact, you shouldn't be.01:10
knikollamorgan: even tests that don't test writing functionality, write during the test to setup the scenarion. for example a test that tests simple bind, creates the user during the tests, not during setup.01:10
morganthen that needs to be moved to setup01:11
morganor we use a fixture01:11
morganfixture.EnableLdapWrite01:11
morganand use it as a context manager when doing the write01:11
morganbut we should fix the test(s)01:11
knikollamorgan: hmm… i like that01:11
morganif you do a fixture, make sure that every place you insert it add a #TODO(Fix this test to not write to LDAP)01:11
morganso steps to not supporting ldap write: 1) make the option go away in conf.01:12
morgan2) make a global/central toggle that can be referenced01:12
morgan3) fixture to enable while in a context (only used as a context manager) in tests01:12
morganany test testing "writes" is skipped, any test doing setup *in* the test gets the context manager and a TOD01:13
morganO01:13
morganto fix01:13
knikollamorgan: sounds good. i like the toggle/fixture method.01:14
morganand in ocata ldap write is gone from production keystone(s)01:15
morganas planned01:15
* morgan glares at the tests... please pass...01:15
morgan... please ....01:15
*** thorst_ has joined #openstack-keystone01:21
openstackgerritMorgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules  https://review.openstack.org/42354801:22
morganknikolla: ^ phew01:22
knikollamorgan: passed?01:23
openstackgerritMorgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules  https://review.openstack.org/42354801:24
morganknikolla: locally01:25
openstackgerritMerged openstack/keystone: Improvements to external auth documentation page  https://review.openstack.org/42335601:25
*** thorst_ has quit IRC01:26
knikollaalmost 7 hours to gate ^^ wow…01:27
lbragstadmust be getting close to feature freeze01:27
knikollatrue01:28
*** adrian_otto has quit IRC01:34
*** v1k0d3n has joined #openstack-keystone01:35
*** v1k0d3n has quit IRC01:36
*** christophler has quit IRC01:45
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: Remove LDAP Support  https://review.openstack.org/42357201:49
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: Remove LDAP Write Support  https://review.openstack.org/42357201:49
knikollaargh, typo. lol01:49
knikollamorgan ^^ quick first draft.01:49
knikollagagehugo: cc01:51
openstackgerritMerged openstack/keystone: Fix warnings generated by os-api-ref 1.2.0  https://review.openstack.org/42338702:04
openstackgerritMerged openstack/keystone: Allow user to change own expired password  https://review.openstack.org/40402202:04
*** yarkot has quit IRC02:06
*** ayoung has quit IRC02:09
*** yarkot has joined #openstack-keystone02:09
*** jerrygb has quit IRC02:10
*** browne has joined #openstack-keystone02:15
*** yarkot has quit IRC02:21
*** browne has quit IRC02:22
*** woodster_ has quit IRC02:25
*** pramodrj07 has quit IRC02:33
*** MasterOfBugs has quit IRC02:34
*** stingaci has joined #openstack-keystone02:34
*** stingaci has quit IRC02:38
*** thorst_ has joined #openstack-keystone02:39
*** thorst_ has quit IRC02:44
*** pramodrj07 has joined #openstack-keystone02:52
*** MasterOfBugs has joined #openstack-keystone02:52
*** yarkot has joined #openstack-keystone03:05
*** nkinder has joined #openstack-keystone03:17
*** nkinder has quit IRC03:24
*** nkinder has joined #openstack-keystone03:36
*** jerrygb has joined #openstack-keystone03:41
*** jerrygb has quit IRC03:47
*** stingaci has joined #openstack-keystone04:03
*** adrian_otto has joined #openstack-keystone04:07
*** stingaci has quit IRC04:07
*** adrian_otto has quit IRC04:14
stevemarugh, sorry morgan and knikolla - i was gone for most of the evening :(04:30
morganstevemar: sure sure, excuses... ;)04:32
morganstevemar: all the code for handling MFA rules in the auth path is done (needs some limited added tests)04:34
morganstevemar: beyond the tests, API changes are needed to allow setting of the values.04:35
morganpretty straight forward stuff, should be pretty easy to get done.04:35
stevemarnice04:37
*** thorst_ has joined #openstack-keystone04:41
morganstevemar: don't know how fast i should work on the API stuff. adriant said he was going to work on it, but i haven't seen him in days04:42
morganstevemar: i could probably finish it all tonight/tomorrow at this point.04:42
*** thorst_ has quit IRC04:45
stevemarmorgan: given the deadline is thursdayish i wouldn't wait :)04:48
morganok i'll hammer out the last bits04:49
morganstevemar: i think the tests for the new auth code paths is going in a followup04:50
*** adrian_otto has joined #openstack-keystone04:54
*** jefrite has quit IRC05:02
*** pnavarro has quit IRC05:10
*** adrian_otto has quit IRC05:18
openstackgerritSteve Martinelli proposed openstack/keystone: PCI-DSS Force users to change password upon first use  https://review.openstack.org/40391605:21
openstackgerritSteve Martinelli proposed openstack/keystone: PCI-DSS Force users to change password upon first use  https://review.openstack.org/40391605:23
openstackgerritSteve Martinelli proposed openstack/keystone: PCI-DSS Force users to change password upon first use  https://review.openstack.org/40391605:24
*** itisha has joined #openstack-keystone05:47
stevemarreviewed all ocata-3 critical patches \o/06:03
stevemarmorgan: i'll review yours in the AM06:03
*** lamt has joined #openstack-keystone06:09
*** edmondsw has joined #openstack-keystone06:17
*** edmondsw has quit IRC06:22
*** eglute has quit IRC06:40
*** evrardjp has quit IRC06:40
*** eglute has joined #openstack-keystone06:40
*** evrardjp has joined #openstack-keystone06:40
*** thorst_ has joined #openstack-keystone06:41
*** sigmavirus has quit IRC06:41
*** richm has quit IRC06:42
*** _sigmavirus24 has joined #openstack-keystone06:43
*** thorst_ has quit IRC06:46
morganstevemar: sorry, -1 on that ^07:03
morganstevemar: we need to STOP designing configuration options that are encoding uuids or other randomly generated ids in the config07:04
*** voelzmo has joined #openstack-keystone07:12
*** eglute has quit IRC07:32
*** odyssey4me has quit IRC07:32
*** eglute has joined #openstack-keystone07:32
*** dolphm has quit IRC07:33
*** fungi has quit IRC07:33
*** dolphm has joined #openstack-keystone07:38
*** ChanServ sets mode: +o dolphm07:38
*** odyssey4me has joined #openstack-keystone07:41
*** fungi has joined #openstack-keystone07:43
*** stingaci has joined #openstack-keystone07:49
*** pramodrj07 has quit IRC07:58
*** MasterOfBugs has quit IRC08:00
*** chrisplo_ has quit IRC08:02
*** stingaci has quit IRC08:07
*** thorst_ has joined #openstack-keystone08:42
*** thorst_ has quit IRC08:49
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:00
*** voelzmo has joined #openstack-keystone09:19
*** voelzmo has quit IRC09:28
*** pnavarro has joined #openstack-keystone09:37
*** chrisplo_ has joined #openstack-keystone10:04
*** chrisplo_ has quit IRC10:09
*** jerrygb has joined #openstack-keystone10:12
*** jerrygb has quit IRC10:17
mordredmorgan: ++10:28
mordredUUIDs should really never got into a config file10:28
*** voelzmo has joined #openstack-keystone10:29
*** voelzmo has quit IRC10:36
*** thorst_ has joined #openstack-keystone10:45
*** dikonoor has joined #openstack-keystone10:50
*** thorst_ has quit IRC10:50
*** iurygregory has quit IRC11:03
*** clenimar has quit IRC11:03
*** richm has joined #openstack-keystone11:13
*** stingaci has joined #openstack-keystone11:28
*** stingaci has quit IRC11:33
*** nicolasbock has joined #openstack-keystone11:39
*** edmondsw has joined #openstack-keystone11:42
*** edmondsw has quit IRC11:47
*** stingaci has joined #openstack-keystone11:49
*** stingaci has quit IRC11:54
*** stingaci has joined #openstack-keystone12:06
*** stingaci has quit IRC12:10
*** stingaci has joined #openstack-keystone12:14
*** thorst_ has joined #openstack-keystone12:21
*** thorst_ has quit IRC12:25
*** dave-mccowan has joined #openstack-keystone13:06
*** chrisplo_ has joined #openstack-keystone13:08
*** pnavarro has quit IRC13:09
*** stingaci has quit IRC13:10
*** chrisplo_ has quit IRC13:13
*** itisha has quit IRC13:22
*** stingaci has joined #openstack-keystone13:26
*** dave-mccowan has quit IRC13:30
*** stingaci has quit IRC13:30
*** david_cu has joined #openstack-keystone13:31
*** dave-mccowan has joined #openstack-keystone13:31
*** jefrite has joined #openstack-keystone13:31
*** pnavarro has joined #openstack-keystone13:32
knikollastevemar: no one should really be expected to work on evenings13:36
knikolla(or saturday mornings)13:36
knikolla:)13:37
*** dikonoor has quit IRC13:37
*** voelzmo has joined #openstack-keystone13:48
*** pnavarro has quit IRC13:53
*** voelzmo has quit IRC13:53
*** thorst_ has joined #openstack-keystone14:01
*** stingaci has joined #openstack-keystone14:12
*** jerrygb has joined #openstack-keystone14:13
*** stingaci has quit IRC14:16
*** jerrygb has quit IRC14:17
stevemarknikolla: thats what they all say :)14:24
stevemarmorgan: doh14:26
stevemarrderose: there is another uuid based option ... another user ignore list for not having to change passwords every X days14:27
stevemarmorgan: ^14:27
knikollastevemar: i have only been active during your ptl reign, so i may have unreasonable expectations of the successor. haha14:30
stevemarknikolla: i had to catch up to the previous PTLs :P14:35
knikollastevemar: we need some lazy ptl to break the vicious cycle :P14:37
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: Remove LDAP Write Support  https://review.openstack.org/42357214:40
*** chrisplo_ has joined #openstack-keystone14:41
*** chrisplo_ has quit IRC14:45
*** richm has quit IRC14:48
*** clenimar has joined #openstack-keystone14:52
*** iurygregory has joined #openstack-keystone14:52
*** g2 is now known as BrAsS_mOnKeY15:02
*** v1k0d3n has joined #openstack-keystone15:14
openstackgerritzhongshengping proposed openstack/keystone: Remove releated role_tree_dn test  https://review.openstack.org/42366015:16
*** erlon has quit IRC15:30
*** thorst_ has quit IRC15:44
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/42366815:49
knikollaone ldap test is failing after i hardcode the default dumb_member option :/15:49
*** nicolasbock has quit IRC15:51
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/42368215:56
*** pnavarro has joined #openstack-keystone16:05
*** edmondsw has joined #openstack-keystone16:13
*** dave-mccowan has quit IRC16:19
*** adrian_otto has joined #openstack-keystone16:31
*** stingaci has joined #openstack-keystone16:43
*** chrisplo_ has joined #openstack-keystone16:44
*** stingaci has quit IRC16:47
*** chrisplo_ has quit IRC16:48
*** edmondsw has quit IRC16:52
*** edmondsw has joined #openstack-keystone16:53
*** edmondsw has quit IRC16:53
*** edmondsw has joined #openstack-keystone16:53
*** edmondsw has quit IRC16:59
*** chrisplo_ has joined #openstack-keystone17:01
*** adrian_otto1 has joined #openstack-keystone17:11
*** adrian_otto has quit IRC17:14
*** stingaci has joined #openstack-keystone17:15
*** thorst_ has joined #openstack-keystone17:15
openstackgerritKristi Nikolla proposed openstack/keystone: Remove LDAP write support  https://review.openstack.org/42357217:16
openstackgerritKristi Nikolla proposed openstack/keystone: Remove LDAP write support  https://review.openstack.org/42357217:17
*** stingaci has quit IRC17:19
*** thorst_ has quit IRC17:19
knikolla\o/17:21
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/40833217:36
*** henrynash has joined #openstack-keystone17:46
*** ChanServ sets mode: +v henrynash17:46
*** stingaci has joined #openstack-keystone17:47
*** spzala has joined #openstack-keystone17:48
*** adrian_otto1 has quit IRC17:49
*** voelzmo has joined #openstack-keystone17:50
*** gagehugo has quit IRC17:51
*** stingaci has quit IRC17:52
*** voelzmo has quit IRC17:54
*** adrian_otto has joined #openstack-keystone17:56
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/40833217:59
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/40833217:59
*** adrian_otto has quit IRC18:09
*** adrian_otto has joined #openstack-keystone18:10
*** voelzmo has joined #openstack-keystone18:11
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/42366818:18
*** voelzmo has quit IRC18:18
*** spzala has quit IRC18:18
*** stingaci has joined #openstack-keystone18:19
*** henrynash has quit IRC18:19
*** stingaci has quit IRC18:24
*** spzala has joined #openstack-keystone18:26
*** spzala has quit IRC18:26
morganknikolla: yay18:27
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/42368218:34
openstackgerritMerged openstack/keystone: Remove releated role_tree_dn test  https://review.openstack.org/42366018:35
*** stingaci has joined #openstack-keystone18:36
*** stingaci has quit IRC18:41
knikollamorgan: made the ldapdb fixture switch the toggle to writeable. just need to see if everything passes and i'll do the final push.18:43
knikollahopefully before my laptop battery dies.18:43
morgancool. I'll review it today then.18:44
openstackgerritKristi Nikolla proposed openstack/keystone: Remove LDAP write support  https://review.openstack.org/42357218:46
knikollamorgan: ^^18:46
knikolla12 core vms are awesome at running unit tests18:47
morganI have a bunch of comments for this, but for now, it is sufficient. depending on how much time we have might make it even better.18:50
*** adrian_otto has quit IRC18:50
*** stingaci has joined #openstack-keystone18:52
*** stingaci has quit IRC18:56
openstackgerritRon De Rose proposed openstack/keystone: Set domain_id for federated users (refactored tests)  https://review.openstack.org/42370319:05
openstackgerritRon De Rose proposed openstack/keystone: WIP - Set domain_id for federated users (refactor tests)  https://review.openstack.org/42370319:11
*** maestropandy has joined #openstack-keystone19:17
*** maestropandy has left #openstack-keystone19:17
*** thorst_ has joined #openstack-keystone19:20
*** thorst_ has quit IRC19:21
*** stingaci has joined #openstack-keystone19:24
*** stingaci has quit IRC19:28
*** stingaci has joined #openstack-keystone19:41
*** stingaci has quit IRC19:45
*** d0ugal has quit IRC19:46
*** d0ugal has joined #openstack-keystone19:47
*** adrian_otto has joined #openstack-keystone19:53
*** dave-mccowan has joined #openstack-keystone20:08
*** stingaci has joined #openstack-keystone20:13
*** d0ugal has quit IRC20:14
*** stingaci has quit IRC20:17
*** mvk has joined #openstack-keystone20:19
*** pnavarro has quit IRC20:21
*** stingaci has joined #openstack-keystone20:29
*** d0ugal has joined #openstack-keystone20:29
*** adrian_otto has quit IRC20:31
*** stingaci has quit IRC20:33
*** pnavarro has joined #openstack-keystone20:33
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users tests  https://review.openstack.org/42370520:48
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users tests  https://review.openstack.org/42370520:55
*** gagehugo has joined #openstack-keystone20:58
*** stingaci has joined #openstack-keystone21:01
*** stingaci has quit IRC21:05
*** jerrygb has joined #openstack-keystone21:07
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370821:11
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370821:12
*** adrian_otto has joined #openstack-keystone21:15
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370821:17
*** stingaci has joined #openstack-keystone21:18
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users tests  https://review.openstack.org/42370521:22
*** stingaci has quit IRC21:22
*** thorst_ has joined #openstack-keystone21:22
*** thorst_ has quit IRC21:27
*** stingaci has joined #openstack-keystone21:50
openstackgerritKristi Nikolla proposed openstack/keystone: Remove LDAP write support  https://review.openstack.org/42357221:51
*** stingaci has quit IRC21:54
*** yarkot has quit IRC22:00
*** yarkot has joined #openstack-keystone22:01
openstackgerritKristi Nikolla proposed openstack/keystone: Remove LDAP write support  https://review.openstack.org/42357222:04
knikollastevemar: sorry for pushing again, some code had weird indentation22:04
knikollastevemar: and i'll add the implements too22:05
*** stingaci has joined #openstack-keystone22:06
openstackgerritKristi Nikolla proposed openstack/keystone: Remove LDAP write support  https://review.openstack.org/42357222:06
knikollastevemar: final one (i hope)22:07
knikolla^^22:07
*** stingaci has quit IRC22:10
openstackgerritKristi Nikolla proposed openstack/keystone: Remove LDAP write support  https://review.openstack.org/42357222:11
knikollaspoke too soon22:12
*** nicolasbock has joined #openstack-keystone22:12
*** diazjf has joined #openstack-keystone22:35
*** stingaci has joined #openstack-keystone22:38
*** thorst_ has joined #openstack-keystone22:38
*** stingaci has quit IRC22:43
*** thorst_ has quit IRC22:43
*** richm has joined #openstack-keystone22:53
*** dave-mccowan has quit IRC23:04
*** adrian_otto has quit IRC23:05
*** stingaci has joined #openstack-keystone23:10
*** stingaci has quit IRC23:15
*** thorst_ has joined #openstack-keystone23:19
*** thorst_ has quit IRC23:20
*** jerrygb has quit IRC23:23
*** jamielennox|away is now known as jamielennox23:28
*** jistr has quit IRC23:41
*** stingaci has joined #openstack-keystone23:42
*** stingaci has quit IRC23:46
*** jistr has joined #openstack-keystone23:49
*** dims has quit IRC23:59
« Friday, 2017-01-20 Index Sunday, 2017-01-22 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!