Wednesday, 2017-01-25

*** agrebennikov__ has quit IRC		00:00
*** antwash has quit IRC		00:00
morgan	rderose: i found the issue	00:03
morgan	rderose: it's an assumption I made in the use of to_dict being always within the context of a session	00:04
morgan	rderose: in most every case it is used within the session context. your tests it is not.	00:05
morgan	looking for a way to see that we're in a session context so i can raise an exception when .to_dict is used outside of a session context	00:06
morgan	zzzeek: ping - is it possible to know I'm in a session context (reader or writer)? from the context manager globally?	00:06
jamielennox	stevemar, lamt: -1ed	00:06
*** pramodrj07 has quit IRC		00:07
lamt	jamielennox: thanks, will look at it	00:09
*** nicolasbock has quit IRC		00:12
*** furface has joined #openstack-keystone		00:13
*** lamt has quit IRC		00:17
morgan	rderose: i can just require to_dict to take session obj	00:17
morgan	and it would solve the issue	00:17
*** Trident has joined #openstack-keystone		00:21
*** Trident has quit IRC		00:24
*** Trident has joined #openstack-keystone		00:26
*** nicolasbock has joined #openstack-keystone		00:28
*** Trident has quit IRC		00:28
*** Trident has joined #openstack-keystone		00:29
*** nicolasbock has quit IRC		00:33
morgan	rderose: but in short the fix is indent return base.filter_user(user_ref.to_dict()) on line 647 of test_backend_sql	00:35
*** phalmos has quit IRC		00:36
*** hoangcx has joined #openstack-keystone		00:39
*** chris_hultin is now known as chris_hultin\|AWA		00:41
*** thorst_ has joined #openstack-keystone		00:42
*** adrian_otto has joined #openstack-keystone		00:43
*** antwash has joined #openstack-keystone		00:44
*** antwash has quit IRC		00:49
*** nicolasbock has joined #openstack-keystone		00:49
*** adrian_otto has quit IRC		00:57
*** thorst_ has quit IRC		00:58
rderose	morgan: back	00:58
rderose	morgan: looking...	00:58
morgan	rderose: this is a rather serious issue we have	01:00
morgan	lazy-loaded via subquery is not guaranteed to work outside of the active context	01:01
morgan	the attribute mapper is just more sensitive to this	01:01
morgan	so the options require .to_dict to be called in the active session.	01:01
morgan	the bigger issue is we have this pattern where we call .to_dict() outside of the method that does the sql-query	01:01
morgan	stevemar: ^ cc	01:02
morgan	dstanek: ^ cc	01:02
*** adrian_otto has joined #openstack-keystone		01:02
rderose	morgan: hmm...	01:02
morgan	rderose: the issue you were seeing is easily solved with indenting the test, but there are at least 10 other places we will have issues since we call to_dict outside of User's session	01:02
rderose	morgan: but I guess you really should call to_dict outside of the session, right?	01:04
morgan	rderose: the real solution is to make to_dict not callable outside of the session context somehow (likely move off the sql_objects)	01:04
morgan	well... sortof	01:04
rderose	*sorry, you should not	01:04
morgan	we don't in 95% of the cases	01:04
morgan	yeah	01:04
morgan	so... i can propose a fix... will take me a couple hours to write it	01:05
morgan	i'm surprised we haven't hit this elsewhere	01:05
morgan	but in short... we're lucky	01:05
rderose	yeah	01:05
rderose	I mean, your fix is to do that indenting throughout?	01:05
morgan	sortof	01:05
morgan	some cases you can't just indent	01:05
morgan	because... the active session is not started within the method	01:05
rderose	oh	01:06
morgan	i think we can just do a with sql.session_as_<blah> in the outer method too	01:06
morgan	let me try this with the broken test(s)	01:06
*** namnh has joined #openstack-keystone		01:06
rderose	morgan: this is outside of the session: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L72	01:07
rderose	morgan: and it is calling local_user via subquery	01:07
rderose	outside of the session	01:08
*** antwash has joined #openstack-keystone		01:08
morgan	that is one of the cases that can cause issues	01:08
rderose	morgan: but it's not	01:08
morgan	it doesn't always break because some sessions may be active when it's called	01:08
morgan	sessions can wrap sessions can wrap sessions	01:08
rderose	wow	01:08
morgan	if it was called at the top level, it might break in some cases.	01:08
morgan	https://www.irccloud.com/pastebin/nOSQbQu4/	01:09
morgan	note the extra context manager in the diff	01:09
morgan	i can pretty much just wrap a few bad cases in another session	01:09
morgan	there are some things that need indenting and are just blatantly wrong	01:09
morgan	95% of all calls to "to_dict" are within a session context	01:10
morgan	we're just on the edge of edge of edge cases here	01:10
morgan	hence hitting it wiht my new attribute mapper	01:10
morgan	i'll bet if we tried to touch the federation info in .to_dict you'd error the same way	01:10
rderose	I see	01:11
morgan	i don't want to do a hybrid property for options	01:11
morgan	because the attribute mapper is touchy about when someone does "model.options = {}"	01:11
morgan	basically, you just wiped all the options out	01:11
rderose	I see	01:12
morgan	i guess i could do something without a .settr, but likewise a .update() etc all start causing issues	01:12
rderose	right	01:12
morgan	i also guess i could just mark options as an internal attr even with the hybrid	01:13
morgan	just note, to_dict should still not be called outside of the active session afaict. hybrid doesn't really solve it	01:13
morgan	so... the question is... how should we fix it	01:14
*** adrian_otto has quit IRC		01:14
*** furface has quit IRC		01:14
rderose	morgan: fix the 5% that are outside the session	01:14
morgan	ok. i think all but like 4 are easy fixes (just indent)	01:15
morgan	i guess this should be a new patch under my patch... give me a few	01:15
*** adrian_otto has joined #openstack-keystone		01:15
rderose	the other ones, you'd have to pass the session to the method or something	01:15
rderose	okay	01:16
morgan	nah, just call sql.session_as<type>() in a context outside	01:16
morgan	and put a #TODO to fix it	01:16
rderose	gotcha	01:16
rderose	morgan: nice catch btw, I kept thinking it has something to do with the orm relationship defined for options	01:16
*** adrian_otto has quit IRC		01:16
openstackgerrit	Merged openstack/keystone: Remove code supporting moving resources between domains https://review.openstack.org/424850	01:19
rderose	lbragstad: how did the upgrade testing go?	01:21
*** adrian_otto has joined #openstack-keystone		01:26
*** lamt has joined #openstack-keystone		01:31
*** adrian_otto has quit IRC		01:32
morgan	rderose: ok almost done with this patch	01:36
morgan	then i'll rebase the option one	01:36
*** tqtran has quit IRC		01:37
rderose	morgan: cool	01:37
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options https://review.openstack.org/424334	01:40
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Do not call `to_dict` outside of a session context https://review.openstack.org/424922	01:40
morgan	rderose: ^ now the code-defined options should work	01:40
morgan	even with your tests	01:40
morgan	that were breaking	01:40
rderose	cool, thx	01:41
morgan	that took a good bit of debugging fwiw ;)	01:41
rderose	:)	01:41
rderose	yeah, it sure had me scratching my head	01:41
morgan	i only found it because i had run into similar when putting the option code together in the first place	01:41
rderose	I see	01:42
openstackgerrit	Tin Lam proposed openstack/python-keystoneclient: Allow Multiple Filters of the Same Key https://review.openstack.org/423339	01:44
*** antwash has quit IRC		01:45
*** esp_ has quit IRC		01:45
morgan	stevemar: see comments on KVS, but in short: https://github.com/openstack/keystone/blob/a3aee6ccb52d85eac1deedec31724a955d47fa96/keystone/common/kvs/core.py#L98-L101 anything using KVS would throw a deprecation warning. It was placed there explicitly in newton so the rest of the KVS code, docs, etc could be dropped. Evetrything in the patch removed is	01:47
morgan	useless without that code. if we have to mark every function with deprecation warnings we wont ever remove KVS from keystone.	01:47
morgan	kvs has been effectively useless since you've been PTL :P	01:48
*** jose-phillips has quit IRC		01:49
*** jose-phillips has joined #openstack-keystone		01:57
*** browne has quit IRC		02:16
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use https://review.openstack.org/424856	02:18
stevemar	morgan: AH RIGHT	02:24
stevemar	morgan: i forgot about that deprecation warning	02:24
*** esp_ has joined #openstack-keystone		02:29
stevemar	jamielennox: yeah, i dunno... is that something we can do?	02:30
*** ravelar has quit IRC		02:32
lbragstad	rderose working through a snag with openstack-ansible	02:40
lbragstad	hoping to have something done here soon	02:40
rderose	lbragstad: ah, okay	02:40
rderose	lbragstad: thanks	02:40
stevemar	jamielennox: want to punt it throuhg? https://review.openstack.org/#/c/423339/6	02:41
*** browne has joined #openstack-keystone		02:51
*** thorst_ has joined #openstack-keystone		02:57
*** thorst_ has quit IRC		02:57
*** antwash has joined #openstack-keystone		03:10
*** antwash has quit IRC		03:11
*** browne has quit IRC		03:23
*** dikonoor has joined #openstack-keystone		03:26
stevemar	morgan: uh oh	03:41
stevemar	"TypeError: Can't upgrade a READER transaction to a WRITER mid-transaction "	03:41
morgan	I'll poke at it. but yeah it's an issue. and ugly.	03:42
morgan	post dinner.	03:42
*** browne has joined #openstack-keystone		03:46
stevemar	morgan: rgr	03:53
stevemar	lbragstad: around-ish?	03:53
*** spotz_zzz is now known as spotz		03:53
lbragstad	ya	03:54
*** portdirect_away is now known as portdirect		03:55
lbragstad	stevemar I'm working through some wrinkles with up rolling upgrade tests	03:55
stevemar	lbragstad: ++	03:56
lbragstad	stevemar i'm not sure what the deal is - but it seems dependency related	03:56
lbragstad	i'm on my 3rd vm	03:56
*** richm has quit IRC		04:00
*** tovin07 has quit IRC		04:02
*** spotz is now known as spotz_zzz		04:03
stevemar	lbragstad: =\	04:04
dstanek	lbragstad: :-(	04:08
*** esp_ has quit IRC		04:09
lbragstad	fwiw - i'm following the install process I documented here - https://github.com/lbragstad/keystone-performance-upgrade#stable-newton-install-process	04:11
lbragstad	one ^ those steps are done, I swap out https://github.com/openstack/openstack-ansible-os_keystone/blob/master/defaults/main.yml#L30-L31 to point to https://github.com/lbragstad/keystone/tree/add-domain-id-to-user-table	04:12
lbragstad	so that I can leverage all the openstack-ansible bits to orchestrate the upgrade and install the patches we want	04:12
lbragstad	within a venv, like an operator would do	04:13
rderose	stevemar morgan: going to spin up another patch for https://review.openstack.org/#/c/424922/	04:13
*** adrian_otto has joined #openstack-keystone		04:16
*** nicolasbock has quit IRC		04:16
*** adrian_otto has quit IRC		04:16
*** browne has quit IRC		04:23
*** dave-mccowan has quit IRC		04:30
stevemar	rderose: do it up	04:30
*** lamt has quit IRC		04:32
rderose	stevemar: 5 tests to go...	04:35
stevemar	rderose: chip chip chip away	04:35
*** jose-phillips has quit IRC		04:40
*** browne has joined #openstack-keystone		04:41
openstackgerrit	Merged openstack/python-keystoneclient: Allow Multiple Filters of the Same Key https://review.openstack.org/423339	04:45
*** thorst_ has joined #openstack-keystone		04:59
*** edmondsw has joined #openstack-keystone		05:02
*** thorst_ has quit IRC		05:03
*** jamielennox is now known as jamielennox\|away		05:06
*** edmondsw has quit IRC		05:06
breton	o/	05:08
stevemar	breton: o/	05:09
*** Jack_V has joined #openstack-keystone		05:13
*** lamt has joined #openstack-keystone		05:14
stevemar	breton: if you're looking for patches to review let me know	05:15
breton	stevemar: yes i am!	05:16
stevemar	breton: https://review.openstack.org/#/q/topic:bp/per-user-auth-plugin-reqs -- i've already +2'ed most of that chain	05:16
openstackgerrit	Ron De Rose proposed openstack/keystone: Do not call `to_dict` outside of a session context https://review.openstack.org/424922	05:18
openstackgerrit	Ron De Rose proposed openstack/keystone: Do not call `to_dict` outside of a session context https://review.openstack.org/424922	05:20
*** tlbr_ has quit IRC		05:20
*** tqtran has joined #openstack-keystone		05:37
*** tqtran has quit IRC		05:41
*** tlbr has joined #openstack-keystone		05:49
*** spotz_zzz is now known as spotz		05:50
*** spotz is now known as spotz_zzz		06:11
openstackgerrit	Ron De Rose proposed openstack/keystone: Do not call `to_dict` outside of a session context https://review.openstack.org/424922	06:12
openstackgerrit	Ron De Rose proposed openstack/keystone: Code-Defined Resource-specific Options https://review.openstack.org/424334	06:15
*** spotz_zzz is now known as spotz		06:46
*** edmondsw has joined #openstack-keystone		06:51
*** tovin07 has joined #openstack-keystone		06:54
*** edmondsw has quit IRC		06:55
*** spotz is now known as spotz_zzz		06:56
*** hoangcx_ has joined #openstack-keystone		06:57
*** thorst_ has joined #openstack-keystone		06:59
*** hoangcx has quit IRC		07:00
*** antwash has joined #openstack-keystone		07:01
*** thorst_ has quit IRC		07:04
*** antwash has quit IRC		07:04
*** namnh has quit IRC		07:06
*** spotz_zzz is now known as spotz		07:07
*** spotz is now known as spotz_zzz		07:17
*** adriant has quit IRC		07:19
*** pcaruana has joined #openstack-keystone		07:28
*** tovin07 has quit IRC		07:32
*** tesseract has joined #openstack-keystone		07:34
*** jlwhite has quit IRC		07:40
*** spotz_zzz is now known as spotz		07:42
*** tovin07 has joined #openstack-keystone		07:45
*** hoangcx has joined #openstack-keystone		07:46
*** browne has quit IRC		07:46
*** hoangcx_ has quit IRC		07:48
*** spotz is now known as spotz_zzz		07:52
*** stingaci has joined #openstack-keystone		08:09
*** sfilatov has joined #openstack-keystone		08:11
*** sfilatov has quit IRC		08:12
*** sfilatov has joined #openstack-keystone		08:12
*** tovin07 has quit IRC		08:13
*** tovin07 has joined #openstack-keystone		08:29
*** spotz_zzz is now known as spotz		08:36
*** jlwhite has joined #openstack-keystone		08:39
*** spotz is now known as spotz_zzz		08:46
*** tlbr has quit IRC		08:58
*** hoangcx has quit IRC		09:00
*** zzzeek has quit IRC		09:00
*** thorst_ has joined #openstack-keystone		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** tovin07 has quit IRC		09:00
*** stingaci has quit IRC		09:04
*** stingaci has joined #openstack-keystone		09:05
*** thorst_ has quit IRC		09:05
*** tlbr has joined #openstack-keystone		09:06
*** rvba` is now known as rvba		09:13
*** tovin07 has joined #openstack-keystone		09:15
*** pnavarro has joined #openstack-keystone		09:20
*** sfilatov has quit IRC		09:21
*** sfilatov has joined #openstack-keystone		09:22
*** portdirect is now known as portdirect_brb		09:22
*** tqtran has joined #openstack-keystone		09:24
*** sfilatov has quit IRC		09:26
*** tqtran has quit IRC		09:28
*** spotz_zzz is now known as spotz		09:30
*** sfilatov has joined #openstack-keystone		09:31
*** portdirect_brb is now known as portdirect		09:32
*** spotz is now known as spotz_zzz		09:40
*** tovin07 has quit IRC		09:41
openstackgerrit	OpenStack Release Bot proposed openstack/python-keystoneclient: Update reno for stable/ocata https://review.openstack.org/425090	09:49
*** sfilatov has quit IRC		09:51
*** tlbr has quit IRC		10:02
*** sfilatov has joined #openstack-keystone		10:05
*** pnavarro has quit IRC		10:06
*** spotz_zzz is now known as spotz		10:06
*** pnavarro has joined #openstack-keystone		10:08
*** spotz is now known as spotz_zzz		10:16
*** openstackgerrit has quit IRC		10:17
*** sfilatov has quit IRC		10:22
*** mvk has quit IRC		10:23
*** sfilatov has joined #openstack-keystone		10:24
*** portdirect is now known as portdirect_away		10:27
*** edmondsw has joined #openstack-keystone		10:28
*** stingaci has quit IRC		10:29
*** edmondsw has quit IRC		10:32
*** tlbr has joined #openstack-keystone		10:38
*** tlbr has quit IRC		10:46
*** mvk has joined #openstack-keystone		10:56
*** stingaci has joined #openstack-keystone		10:57
*** tlbr has joined #openstack-keystone		10:59
*** spotz_zzz is now known as spotz		11:00
*** thorst_ has joined #openstack-keystone		11:01
*** stingaci has quit IRC		11:01
*** thorst_ has quit IRC		11:05
*** nicolasbock has joined #openstack-keystone		11:09
*** spotz is now known as spotz_zzz		11:10
*** spotz_zzz is now known as spotz		11:36
*** sfilatov has quit IRC		11:42
*** spotz is now known as spotz_zzz		11:46
*** sfilatov has joined #openstack-keystone		11:49
*** stingaci has joined #openstack-keystone		12:01
*** portdirect_away is now known as portdirect		12:02
*** haplo37_ has quit IRC		12:08
*** haplo37_ has joined #openstack-keystone		12:10
*** d0ugal has quit IRC		12:10
stevemar	o/	12:12
*** sfilatov has quit IRC		12:15
*** raildo has joined #openstack-keystone		12:16
*** sfilatov has joined #openstack-keystone		12:17
*** d0ugal has joined #openstack-keystone		12:18
*** catintheroof has joined #openstack-keystone		12:28
*** spotz_zzz is now known as spotz		12:30
*** iurygregory has quit IRC		12:38
*** openstackgerrit has joined #openstack-keystone		12:40
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Update reno for stable/ocata https://review.openstack.org/425090	12:40
*** thorst_ has joined #openstack-keystone		12:44
-openstackstatus- NOTICE: Gerrit is going to be restarted due to slow performance		12:46
-openstackstatus- NOTICE: Gerrit has been successfully restarted		12:49
*** iurygregory has joined #openstack-keystone		13:04
*** sfilatov has quit IRC		13:07
*** sfilatov has joined #openstack-keystone		13:13
*** tqtran has joined #openstack-keystone		13:25
*** spotz is now known as spotz_zzz		13:26
*** v1k0d3n has quit IRC		13:27
*** stingaci has quit IRC		13:27
*** edmondsw has joined #openstack-keystone		13:28
*** v1k0d3n has joined #openstack-keystone		13:29
*** tqtran has quit IRC		13:30
*** spotz_zzz is now known as spotz		13:32
*** lamt has quit IRC		13:37
*** lamt has joined #openstack-keystone		13:38
stevemar	rodrigods: if you're otherwise okay with https://review.openstack.org/#/c/424922/ can you punt it through? its got a lot of patches on top of it and i don't want to cause a rebase party	13:40
*** spotz is now known as spotz_zzz		13:41
*** lamt has quit IRC		13:42
*** spotz_zzz is now known as spotz		13:48
samueldmq	morning all	13:53
samueldmq	stevemar: o/	13:53
stevemar	samueldmq: heyo	13:53
rodrigods	stevemar, sure	13:54
*** pnavarro has quit IRC		13:57
gema	stevemar: I have followed your instructions pretty much to the letter (https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/) and when it comes to try to ask for a token I get this error: http://paste.openstack.org/show/596446/, any idea what it may be related to? I have had a look at what ldap returns and all the configuration looks good to me	14:06
*** spilla has joined #openstack-keystone		14:12
*** zzzeek has quit IRC		14:12
*** zzzeek has joined #openstack-keystone		14:14
*** dave-mccowan has joined #openstack-keystone		14:17
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use https://review.openstack.org/424856	14:17
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use https://review.openstack.org/424856	14:17
*** stingaci has joined #openstack-keystone		14:27
*** jperry has joined #openstack-keystone		14:28
*** tlbr has quit IRC		14:35
*** jaugustine has joined #openstack-keystone		14:40
*** spotz is now known as spotz_zzz		14:44
*** agrebennikov__ has joined #openstack-keystone		14:45
*** pnavarro has joined #openstack-keystone		14:53
*** phalmos has joined #openstack-keystone		14:55
*** mvk has quit IRC		14:55
openstackgerrit	Merged openstack/keystone: Change unit test class to a less generic name https://review.openstack.org/424727	15:00
*** catinthe_ has joined #openstack-keystone		15:00
*** stingaci has quit IRC		15:01
openstackgerrit	Merged openstack/keystone: Verbose breakup of method into seperate methods https://review.openstack.org/424740	15:02
*** catintheroof has quit IRC		15:02
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use https://review.openstack.org/424856	15:04
rderose	morgan: when I set the resource option in the registry: https://review.openstack.org/#/c/424856/7/keystone/identity/backends/identity_resource_options.py	15:05
rderose	morgan: I'm expecting to be able to do this: user_dict['enforce_password_expires']	15:05
*** chris_hultin\|AWA is now known as chris_hultin		15:07
rderose	morgan: or, user_ref.options['1000'].option_value	15:07
rderose	morgan: instead, I'm getting: KeyError: 'enforce_password_expires'	15:07
*** chris_hultin is now known as chris_hultin\|AWA		15:08
*** spotz_zzz is now known as spotz		15:09
*** chris_hultin\|AWA is now known as chris_hultin		15:10
*** jaosorior has joined #openstack-keystone		15:10
gema	stevemar: nevermind had a bit of a mess in terms of pip packages, all sorted now. now I cannot authenticate, great problem to have!	15:17
*** lamt has joined #openstack-keystone		15:19
rderose	morgan: looks like the attribute only gets added if it exists for that user	15:22
rderose	morgan: means, different attributes will be returned for different users?	15:22
openstackgerrit	Merged openstack/keystone: Do not call `to_dict` outside of a session context https://review.openstack.org/424922	15:29
*** markvoelker has quit IRC		15:31
*** markvoelker has joined #openstack-keystone		15:32
knikolla	o/ morning	15:35
*** markvoelker has quit IRC		15:36
openstackgerrit	Merged openstack/python-keystoneclient: Update reno for stable/ocata https://review.openstack.org/425090	15:37
morgan	rderose: the that is the design. I could change it.	15:41
rderose	morgan: you could change it in to_dict, but the user object return wouldn't automatically add it	15:43
*** catintheroof has joined #openstack-keystone		15:43
rderose	morgan: still playing with it, give me a few	15:43
*** jose-phillips has joined #openstack-keystone		15:44
*** catinthe_ has quit IRC		15:46
*** phalmos has quit IRC		15:51
*** phalmos has joined #openstack-keystone		15:55
lbragstad	just a heads up that the policy meeting is going to be starting in a few minutes. we have a really light schedule today and we're in the middle of trying to get ocata out the door, so it will be a quick meeting	15:56
rderose	lbragstad: cool	15:57
rderose	yeah, could use the time	15:57
rderose	:)	15:57
lbragstad	rderose ++	15:57
lbragstad	me, too	15:57
morgan	lbragstad: sorry have another meeting to hop on	16:01
lbragstad	morgan no worries	16:02
openstackgerrit	Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874	16:02
lbragstad	ping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan about policy meeting in #openstack-meeting-cp for those interested	16:02
lbragstad	it will be a quick one today	16:02
ayoung	Heyo	16:02
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use https://review.openstack.org/424856	16:03
*** ravelar has joined #openstack-keystone		16:07
openstackgerrit	Ron De Rose proposed openstack/keystone: Refactor shadow users tests https://review.openstack.org/423705	16:11
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/423708	16:11
*** dikonoor has quit IRC		16:11
morgan	rderose: my view was these are options. they are not guaranteed to be there	16:13
morgan	rderose: so we use conditionals when poking at them.	16:13
rderose	morgan: I see	16:14
morgan	rderose: it avoids storing data in the DB when not needed (prevents loading extra data just for defaults)	16:14
rderose	morgan: my only concern is not returning the attributes in the API	16:15
morgan	we could populate it and add a "default" concept that doesn't store in the db	16:16
morgan	however... it felt weird doing so	16:16
rderose	morgan: yeah	16:16
*** markvoelker has joined #openstack-keystone		16:17
rderose	morgan: we returning password_expires_at for all users (including ldap) and just setting it to None. I just assumed that we couldn't return different attributes for different users.	16:17
dstanek	lbragstad: i was just going to ask a policy question :-P	16:17
morgan	rderose: we always have supported that concept with the extras	16:18
dstanek	lbragstad: do we have plans to do some policy discussion at PTG?	16:18
*** markvoelker_ has joined #openstack-keystone		16:18
morgan	rderose: we could add the data into user_ref[options] = {}	16:19
rderose	morgan: https://github.com/openstack/keystone/blob/master/api-ref/source/v3/samples/admin/user-show-response.json#L11	16:19
morgan	rderose: if that helps	16:19
lbragstad	dstanek sorry :(	16:19
morgan	i would have said password_expires is optional and doesn't return if we don't control the password	16:19
lbragstad	dstanek yeah - i plan on trying to set something up for policy	16:19
rderose	morgan: yeah, that might work	16:20
morgan	but that would have been my view	16:20
lbragstad	dstanek specifically with nova and cinder (mriedem or johnthetubaguy or smcginnis)	16:20
morgan	i have never been a fan of spewing useless data for the sake of useless date (or setting the values to explicitly None to communicate it isn't used)	16:20
lbragstad	dstanek I imagine we are going to start planning the PTG schedule sometime next week?	16:21
lbragstad	cc stevemar ^	16:21
rderose	morgan: yeah, I think I like the idea of returning an options array in the API	16:21
lbragstad	dstanek but that will be one of the first things I ask about since it will require representation from other projects	16:21
rderose	morgan: as opposed to a list of extra attributes	16:21
rderose	morgan: keeping it like extras	16:21
morgan	rderose: dict, but yes.	16:22
*** markvoelker has quit IRC		16:22
morgan	rderose: sure, though i did like that it wasn't in a weird special place in the ref onn the post request	16:22
dstanek	lbragstad: perfect, thanks	16:23
rderose	morgan: so something like this:	16:24
rderose	{	16:24
rderose	"user": {	16:24
rderose	"default_project_id": "263fd9",	16:24
rderose	"domain_id": "1789d1",	16:24
rderose	"enabled": true,	16:24
rderose	"name": "James Doe",	16:24
rderose	"options": [	16:24
rderose	"password_expires_at": "2016-11-06T15:32:17.000000"	16:24
rderose	]	16:24
rderose	}	16:24
rderose	}	16:24
morgan	we could do that.	16:24
morgan	though password_expires_at is already encoded	16:24
morgan	and i wouldn't change it	16:24
morgan	(or that it is communicated)	16:24
rderose	morgan: true	16:24
*** mvk has joined #openstack-keystone		16:25
rderose	morgan: so in that case:	16:25
rderose	{	16:25
rderose	"user": {	16:25
rderose	"default_project_id": "263fd9",	16:25
rderose	"domain_id": "1789d1",	16:25
rderose	"enabled": true,	16:25
rderose	"name": "James Doe",	16:25
rderose	"password_expires_at": "2016-11-06T15:32:17.000000",	16:25
rderose	"options": [	16:25
rderose	"enforce_password_expires": False	16:25
rderose	]	16:25
rderose	}	16:25
rderose	}	16:25
morgan	that would be a way to handle options	16:26
rderose	morgan: yeah	16:26
morgan	i wouldn't be opposed to it	16:26
morgan	vs just in the dict, now... realize	16:27
lbragstad	dstanek np	16:27
rderose	morgan: right	16:27
morgan	that may break people consuming the ref downstream	16:27
morgan	hopefully not	16:27
*** stingaci has joined #openstack-keystone		16:27
rderose	morgan: by having additional attributes?	16:28
morgan	by having a non-scalar like item	16:28
morgan	everyting in the ref has been non-complex object (aka not list/dict/etc)	16:28
rderose	we could keep it as a dict:	16:29
rderose	{	16:29
rderose	"user": {	16:29
rderose	"default_project_id": "263fd9",	16:29
rderose	"domain_id": "1789d1",	16:29
rderose	"enabled": true,	16:29
rderose	"name": "James Doe",	16:29
rderose	"password_expires_at": "2016-11-06T15:32:17.000000",	16:29
rderose	"options": {	16:29
rderose	"enforce_password_expires": False	16:29
dstanek	morgan: we can't potect against stupid though	16:29
rderose	}	16:29
rderose	}	16:29
rderose	}	16:29
morgan	rderose: we should keep it a dict	16:31
morgan	but yeah.	16:31
*** sfilatov has quit IRC		16:32
rderose	morgan: either way, I like the idea of having a new 'options' attribute	16:32
*** sfilatov has joined #openstack-keystone		16:33
rderose	and adding that to the user API	16:33
rderose	dstanek: any thoughts on this?	16:33
rderose	dstanek: as far as changing the user API	16:34
dstanek	rderose: i didn't see any API changes. what were they?	16:34
rderose	dstanek: above, changing the user response object to include a 'options' attribute	16:35
*** AlexeyAbashkin has quit IRC		16:35
rderose	dstanek: different than how we've done password_expires_at	16:35
dstanek	rderose: ah, i don't consider the data format changes API changes. i'm fine with it. not thrilled on the name, but i can't think of anything better since 'metadata' is overused	16:36
rderose	dstanek: yeah, cool	16:36
dstanek	what else may go in there?	16:36
rderose	dstanek: the other one I have is lock_out_ignore_list	16:37
dstanek	rderose: what is that?	16:37
dstanek	the 'options' are things that can't be changed right?	16:37
rderose	dstanek: user attempts failed login max times and is locked out	16:37
*** stingaci has quit IRC		16:37
rderose	dstanek: we have an ignore list for that in config	16:38
*** sfilatov has quit IRC		16:38
morgan	dstanek: those would be pulled out of the keystone.config	16:38
morgan	because it requires a keystone restart every time you change it (pulled out-option deprected)	16:38
rderose	morgan: right	16:38
morgan	rderose: hm. wonder if we can call it something other than "options"	16:38
morgan	rderose: in the user_ref	16:39
rderose	dstanek: so something like 'allow_lockout'	16:39
dstanek	morgan: ah, it wouldn't be a list then right? a boolean 'lock_out_ignore' or whatever	16:39
rderose	morgan: metadata ;)	16:39
dstanek	morgan: what's a synonym for metadata	16:39
morgan	dstanek: it would be a dict, because things like MFA Rules would be in there	16:39
rderose	dstanek: yeahg	16:39
rderose	*yeah	16:39
dstanek	morgan: no, by list i meant 'lock_out_ignore_list'	16:40
morgan	in the keystone config it is a list opt	16:40
morgan	we'd be moving it to a user-property	16:40
rderose	morgan: yep	16:40
morgan	so it is set on the user tiself... like most IDPs do	16:40
dstanek	right, but in the user it would be b a boolean saying if the user is exempt from lockout	16:40
morgan	correct	16:40
morgan	but MFA Rules, for example, is a list of lists	16:41
dstanek	what's interesting about this is that 'options' is a part of the user, but we don't want the user to change it. almost feels like it should be at the same level at 'user'	16:41
morgan	no, some options will be admin set	16:41
morgan	some options would be user-set	16:41
morgan	MFA rules, for example would be one I'd expect the user (in most cases) to set	16:41
morgan	dstanek: i want to make each option (long term) have a policy check for setting.	16:42
dstanek	so upon post we have to evaluate each option for changes?	16:42
morgan	yes.	16:42
morgan	to start, it's like any value in user...	16:42
morgan	set only via update_user access	16:42
dstanek	does the whole option object need to be provided for updates?	16:43
morgan	no	16:43
morgan	each option can be set independantly, not specifying an option will mean that option stays the same	16:43
morgan	specifying an option with the explicit value of None deletes it from the DB	16:43
morgan	if the option is undefined (follow up patch, needs rebase) in the code it is stripped from the DB when update happens	16:43
morgan	only options defined in code will end up in the options dict in the user	16:44
morgan	so options undefined down the road, will stay in the db until update, but will not display	16:44
dstanek	sounds good to me	16:45
morgan	:)	16:45
morgan	each option is a row in the db (in the case) in user_options	16:45
morgan	the PK is (user_id, option_id)	16:45
morgan	and the value is a jsonblob (text w/ loads/dumps) feild	16:45
morgan	most of the magic occurs in to_dict and from_dict methods (and a little bit in the actual SQL transaction/session context for lazy-load stuff)	16:46
rderose	morgan: so if a request comes in with one option and the user has other options already defined, we don't remove those other options	16:46
morgan	rderose: correct, i have a test case for that showing that exact behavior	16:46
rderose	morgan: we just update the one passed in	16:46
rderose	cool	16:47
*** stingaci has joined #openstack-keystone		16:47
morgan	it is the reason we're using the attribute mapper	16:47
*** diazjf has joined #openstack-keystone		16:47
morgan	it allows us to do that with a dict-like interface ( options[id] = value sets the value for the option, pop would remove from the dict and the db, user.options = dict() replaces the entire set of options)	16:48
dstanek	morgan: so basically like extras?	16:48
morgan	dstanek: no extras are completly contained in a single column on the user table	16:48
morgan	this is a separate table and a row per-user-per-option set	16:49
morgan	so we can implement filtering/searching on it	16:49
dstanek	morgan: no i realize that, but we are just taking extras and moving it to a separate row	16:49
morgan	it's what i was advocating extras should become ... but this has no deployer choice in what can be stored there, only what we define as keystone supported options	16:49
morgan	extras had no validation, no form, and no limits	16:50
dstanek	morgan: any reason not to have a 'options' table name string(64) PK, desc string(256) and a user_options table containing the values?	16:50
dstanek	that was you can query and filter based on the option name	16:51
morgan	we could move to that instead of the ID, i was looking to not limit the name length	16:51
morgan	the ability to map name->id is pretty quick	16:51
dstanek	what do you mean by mapping name to id?	16:52
morgan	i can offer a clean interface to make a dict out of that.	16:52
morgan	option object has an id and a name	16:52
morgan	you can lookup in the registry the option id and get the name	16:52
morgan	in python we can use that to pass back to the backend	16:52
morgan	the only reason you'd do what you're saying is if we want to circumvent that and/or allow easy sql-queries w/o keystone	16:52
dstanek	but you can't filter if it's in a blob	16:53
morgan	the name isn't sotored in the db	16:53
morgan	the name is stored in the code only	16:53
dstanek	i would actually store it in the DB using the name as the PK	16:53
morgan	i was trying to make the id much smaller and keep the lookup tables fully indexed	16:53
dstanek	what if you want to query the users and find all the ones that are exempt from password expiration?	16:54
morgan	so, the way you'd do that is look for all users with option_id X, then filter in code for True	16:54
dstanek	morgan: i think i'm missing something. how do you know they have option x?	16:54
morgan	each option has an ID.	16:55
morgan	the user_options table is: PK(user_id, option_id)	16:55
morgan	you're looking up the ID instead of the name	16:55
morgan	name could be much much longer than the id.	16:55
morgan	the value is the only thing in a jsonblob	16:56
dstanek	morgan: ah, ok. so not like extras at all	16:56
morgan	no it is what i wanted extras to become	16:56
dstanek	when you said json blob earlier i imagined a single row per user	16:56
dstanek	that makes sense	16:56
morgan	no no, each option set is a row, per user	16:57
dstanek	i still like the human readable ids, but i wouldn't -2 for it or anything	16:57
morgan	so it's per-user-per-option	16:57
dstanek	it would just be much easier to work with	16:57
morgan	it only matters in the db	16:57
morgan	if you are doing direct SQL stuff it matters	16:57
* stevemar groans		16:57
morgan	if you are not, it is always translated when loading the model	16:57
morgan	it is translated in the fromt_dict/to_dict layer	16:58
dstanek	morgan: yep, exactly. that's part of testing and debugging :-P	16:58
dstanek	stevemar: were you shanked?	16:58
rderose	morgan: so I think we need to update your patch and return 'options' is as an attribute	16:58
rderose	attributes = ['id', ..., 'options']	16:58
morgan	rderose: can't do that	16:58
morgan	rderose: you do not want to have the attribute mapper directly exposed	16:58
*** stingaci has quit IRC		16:58
morgan	without a lot of reworking, we will replace the options completly each time	16:59
morgan	meaning we break the contract that specifying a single option will not touch the other options	16:59
*** markvoelker_ has quit IRC		16:59
rderose	morgan: so we'd have to name it something else and manually add it?	16:59
*** markvoelker has joined #openstack-keystone		16:59
morgan	the reason i do the work in the dict model	16:59
morgan	so we don't have to do that	17:00
*** stingaci has joined #openstack-keystone		17:00
morgan	it's why you see the code that extracts the values and then sets them in user.options[id] = value	17:00
morgan	and does an explicit .pop	17:00
morgan	if we make it a real attribute on the model we will do user.options = options each time	17:00
morgan	and we have to take the values and build a UserOption object	17:01
morgan	specifically, it can't be just a string	17:01
*** stingaci has quit IRC		17:01
morgan	i looked at that as the first iteration before pushing this. making options a top-level attrribute like the other attributes is going to make this much more complex and more prone to failure	17:02
rderose	morgan: right, it's not a string, but a dict within a dict	17:02
rderose	morgan: hmm...	17:02
morgan	actually the Atrribute mapper needs to be a SQL-A-Dict-thing, strings are keys, but the UserOption object must be the value	17:02
morgan	so user.options[<id>] = UserOption(option_id=option_id, option_value=option_value)	17:03
*** markvoelker has quit IRC		17:03
morgan	that is the only way it works in the backend	17:03
dtroyer	stevemar: around?	17:04
morgan	it could be done in a comprehension, but it needs a lot of extra logic	17:04
stevemar	dtroyer: in a way	17:04
morgan	dtroyer: stevemar is clearly tired.	17:04
stevemar	morgan: how are options unset?	17:04
morgan	stevemar: set them to a Value of None	17:04
morgan	it explicitly deletes the option from the backend	17:04
dtroyer	can you remove your -2 on https://review.openstack.org/#/c/424847/ real quick?	17:04
stevemar	i had -2 on things?	17:04
stevemar	well, -w	17:05
stevemar	done	17:05
stevemar	oh good, novaclient was merged	17:05
dtroyer	thanks, ya, -w my bad	17:05
morgan	if it is undefined (the object is removed) from code, it then is unset (same as an explicit None) when an update occurs	17:05
stevemar	thanks dtroyer	17:05
*** antwash has joined #openstack-keystone		17:05
rderose	morgan: so not adding the 'options' to attributes, but if they don't exists add the key and give a value of None	17:05
rderose	morgan: like we do with password_expires_at	17:05
rderose	?	17:05
dstanek	rderose: i took the above to mean that if the option is unset it will net be in 'options'	17:06
rderose	ah, gotchea	17:06
rderose	*gotcha	17:06
morgan	dstanek: ++	17:07
*** antwash has quit IRC		17:07
morgan	if an option is not set, it does not appear	17:07
morgan	if an option has a value in the db, it is set, even if the value is the "default" behavior	17:07
morgan	options do not have a "default" concept atm	17:07
morgan	because they don't appear if not set.	17:07
*** antwash has joined #openstack-keystone		17:08
*** phalmos has quit IRC		17:08
rderose	morgan: so what needs to happen in your patch to return 'options' in user attributes? is it just modify to_dict()	17:10
*** phalmos has joined #openstack-keystone		17:10
rderose	morgan: so that e can do: http://paste.openstack.org/show/596490/	17:12
morgan	rderose: and from_dict	17:13
rderose	morgan: oh, right	17:14
morgan	and the tests	17:14
morgan	;)	17:14
rderose	morgan: yeah, it will break a lot of tests I'm sure :)	17:14
morgan	nah not a ton of tests to break	17:14
morgan	only ~3 or so	17:14
morgan	the code paths for this are incredibly narrow	17:14
morgan	so, easy to fix that bit	17:15
rderose	I see	17:15
*** arunkant has joined #openstack-keystone		17:15
morgan	the tests are the OptionsObject, the Registry Object, and ~3 cases of setting user options	17:16
morgan	set an option, check set/update/delete	17:16
morgan	and check set/set opt2/delete opt and make sure options are maintained	17:16
morgan	it really is meant to be super straightforward to build/replicate on other resourcetypes	17:16
morgan	i expect project, groups, and possibly IDP/protocol will get the same treatment(s)	17:17
rderose	morgan: do you still want to keep the name as 'options'	17:17
morgan	rderose: i'd like to call what we present to the user in the dict (out the API) something else	17:17
morgan	but internally, i like ResourceOptions	17:17
morgan	because it is what they are	17:17
rderose	morgan: works for me	17:18
morgan	if we can't come up with a name, options will work	17:18
rderose	morgan: options in the API response and resource_options in code	17:18
morgan	so we have ~30-40m to come up with a name or i'm just rolling with it as options.	17:18
morgan	wfm.	17:18
morgan	i'll rename the thing on the user-object to resource_options	17:18
morgan	and respin to output in a dict / extract from a dict shortly	17:19
rderose	morgan: ah, cool	17:19
morgan	rderose: thanks for updating the other one last night	17:19
rderose	morgan: np	17:19
morgan	long term we should move to_dict off the model(s) and make it something that can't be used outside of a session context	17:19
morgan	but that was a lot more work than some indenting.	17:19
morgan	from_dict makes sense being a class thing	17:20
rderose	morgan: thank you for working on options :)	17:20
morgan	ok, i need to do breakfast	17:20
morgan	eggs are calling my name.	17:20
rderose	:)	17:20
morgan	well omlett with habenero in it	17:20
morgan	is sitting in it's deconstructed state on the cutting board	17:20
morgan	so let me cook/eat and then i'll have code and i'll work on the options bit for ignore_password_expiry and ignore_lockout as well in one fell swoop	17:21
morgan	(and then MFA rules and such)	17:21
*** browne has joined #openstack-keystone		17:21
*** jaosorior has quit IRC		17:22
rderose	morgan: cool	17:23
*** sfilatov has joined #openstack-keystone		17:24
stevemar	morgan: rderose lbragstad dstanek i'm going to push https://review.openstack.org/#/c/418166/ and one of the subsequent patches	17:25
stevemar	while we don't have anything gating...	17:25
*** tqtran has joined #openstack-keystone		17:26
dstanek	stevemar: i haven't looked at it, but i trust y'all	17:26
*** sfilatov has quit IRC		17:28
dstanek	morgan: is your options stuff something that we need to get in this week then?	17:30
*** sfilatov has joined #openstack-keystone		17:31
*** phalmos_ has joined #openstack-keystone		17:31
*** jaosorior has joined #openstack-keystone		17:32
*** tesseract has quit IRC		17:33
*** phalmos has quit IRC		17:34
rderose	dstanek: I thought some of the MFA stuff was dependent on it and my PCI patch is dependent on the options stuff	17:34
morgan	MFA is	17:40
morgan	or will be	17:40
morgan	and yeah PCI will be	17:40
dstanek	rderose: morgan: ack....so i'll get to reviewing that	17:40
morgan	we can hold all until pike but it hsould be all ready in a few	17:40
morgan	i need to respin patches	17:40
morgan	also... i needed more habanero	17:40
morgan	it wasn't hot enough :(	17:40
* morgan might need to step up hot pepper consumption ot the red savinas next		17:41
*** diazjf has quit IRC		17:57
*** antwash has quit IRC		18:13
browne	hi all, is there any guide on using the openstack cli with federation? is it possible?	18:21
stevemar	browne: it is, yes	18:23
browne	i see there's a v3unscopedsaml os-auth-type, but i can't find any documentation on how to properly use it	18:25
browne	and somehow i'm missing an argument and get	18:25
browne	TypeError: __init__() takes exactly 6 arguments (5 given)	18:25
*** sfilatov has quit IRC		18:31
*** catinthe_ has joined #openstack-keystone		18:33
*** sfilatov has joined #openstack-keystone		18:34
*** sfilatov has quit IRC		18:34
*** catintheroof has quit IRC		18:35
morgan	dstanek, rderose about to push the update for options	18:37
morgan	it should now place options in user['options']	18:37
rderose	morgan: sweet!	18:37
*** mvk has quit IRC		18:42
dstanek	morgan: cool, i'll start looking as soon as you push	18:46
*** pcaruana has quit IRC		18:53
stevemar	rderose: your changes to add domain id are mostly queued up :)	18:57
stevemar	rderose: will you be OK if i approve the MFA stuff?	18:57
stevemar	you may hve to rebase	18:57
rderose	stevemar: sure	18:57
stevemar	breton: you missed a patch: https://review.openstack.org/#/c/422912/7	18:58
stevemar	morgan: 2/4 MFA patches have been approved	18:58
stevemar	its mostly laying ground work	18:59
*** nicolasbock has quit IRC		19:03
*** MasterOfBugs has joined #openstack-keystone		19:08
*** MasterOfBugs has quit IRC		19:08
*** MasterOfBugs has joined #openstack-keystone		19:09
*** pramodrj07 has joined #openstack-keystone		19:09
*** diazjf has joined #openstack-keystone		19:10
morgan	stevemar: -2'd the MFA rules table	19:11
morgan	stevemar: unless you don't wnt that built on the new option stuff	19:11
morgan	stevemar: i can lift the -2 before it blocks things	19:12
morgan	stevemar: but... if we want this based on the options stuff, it shouldn't land.	19:12
stevemar	morgan: eh	19:12
morgan	stevemar: your call	19:12
stevemar	morgan: ok ok, options stuff	19:12
stevemar	morgan: hit the rebase button	19:12
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166	19:12
morgan	will do in a few	19:12
morgan	ah okie	19:12
stevemar	popped it out of the queue	19:12
morgan	huh	19:13
morgan	the -2 dropped with the rebase too	19:13
morgan	weeeird	19:13
morgan	i think we have an issue in gerrit	19:13
stevemar	no it didn't	19:14
stevemar	morgan: sometimes there is lag	19:14
morgan	i was on the wrong patchset	19:14
dstanek	morgan: ping me when you push. i'm going to go grab lunch	19:16
morgan	dstanek: will be very shortly srry	19:16
dstanek	morgan: np, i've got plenty of other stuff keeping me busy. i just want to give this immediate attention since we making other stuff depend on it	19:17
*** jaosorior has quit IRC		19:21
*** tqtran has quit IRC		19:26
breton	stevemar: morgan: what was that new option stuff you were talking about?	19:31
rderose	breton: https://review.openstack.org/#/c/424334/	19:31
*** antwash has joined #openstack-keystone		19:39
*** antwash has quit IRC		19:45
*** antwash has joined #openstack-keystone		19:49
*** antwash has quit IRC		19:50
*** ravelar has quit IRC		19:56
*** tqtran has joined #openstack-keystone		20:05
*** jaugustine has quit IRC		20:07
*** jaosorior has joined #openstack-keystone		20:12
*** mvk has joined #openstack-keystone		20:13
dstanek	stevemar: beyond that etherpad is there any other reviews we want to get through? i'm going to go heads down reviewing for a bit and want to prioritize the list	20:14
*** ravelar has joined #openstack-keystone		20:15
*** nicolasbock has joined #openstack-keystone		20:16
*** jaosorior has quit IRC		20:17
*** jaosorior has joined #openstack-keystone		20:24
*** catinthe_ has quit IRC		20:27
*** dougshelley66 has quit IRC		20:38
*** dougshelley66 has joined #openstack-keystone		20:45
*** jamielennox\|away has quit IRC		20:46
morgan	dstanek: posting in ~2m	20:46
morgan	rderose, breton, stevemar: cc ^	20:46
dstanek	morgan: cool, i'm around	20:46
stevemar	dstanek: updating the etherpad	20:47
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options https://review.openstack.org/424334	20:47
morgan	^	20:47
morgan	a good deal cleaner than the previous revision	20:47
morgan	and everything is now in user['options'] (which is a dict) when emitted	20:48
breton	morgan: is there a spec about the change?	20:49
morgan	breton: no. not specifically. this is in support of the PCI-DSS expiration on first use, MFA rules, etc specs	20:50
morgan	this is because the current setup for those is really ugly and bad. this gets us to a replicatable/re-usable statew and lays the framework for similar in project-specific-options	20:51
*** adriant has joined #openstack-keystone		20:51
morgan	which will be needed in Pike	20:51
* morgan gives 15-20m for questions on code before I start rebasing other things on it.		20:52
stevemar	dstanek: https://review.openstack.org/#/c/423753/	20:54
stevemar	lbragstad: & morgan easy one ^	20:54
stevemar	and another easy one... https://review.openstack.org/#/c/423561/	20:54
morgan	stevemar: +2 and +2/+A	20:55
lbragstad	stevemar ok - so i finally got rderose's patch tested	20:55
lbragstad	but not in an automated way :'(	20:56
*** jamielennox\|away has joined #openstack-keystone		20:56
stevemar	:'(	20:56
lbragstad	i had to do it by hand	20:56
stevemar	as long as it works, for now, i guess	20:56
lbragstad	(again)	20:56
rderose	lbragstad: sorry and thanks!	20:56
rderose	lbragstad: so how'd it go?	20:56
lbragstad	rderose not your fault at all	20:56
*** jamielennox\|away is now known as jamielennox		20:56
*** ChanServ sets mode: +v jamielennox		20:56
lbragstad	I just need to spend a little more time iwth osa to figure out how we can leverage it to automate this whole process	20:57
lbragstad	I think we're close	20:57
stevemar	a lot of patches need to be re-based on in-code options	20:57
lbragstad	rderose stevemar it went well. I was able to stand up stable/newton	20:57
stevemar	lbragstad: so how were the resutls? :)	20:57
lbragstad	then I installed https://github.com/lbragstad/keystone/tree/add-domain-id-to-user-table	20:57
lbragstad	which is the branch I had with all rderose's work in it	20:57
lbragstad	and I created a separate venv for it - and using two different nodes I was able to do a rolling upgrade	20:58
dstanek	looks like i got beat to it	20:58
lbragstad	after the expand i listed users per domain, and added several more to the various domains	20:58
lbragstad	so the triggers seemed to be doing their jobs	20:58
lbragstad	from what I could tell	20:58
lbragstad	then I did the same thing after doing the migrate step	20:58
lbragstad	once that's done, there shouldn't be any more stable/newton code running, everything should be on master	20:59
lbragstad	so - it all seemed to work well from what I could tell, after upgrading to master (+ rderose's patches) I was able to list all domains and stuff	21:00
lbragstad	and users within those domains	21:00
*** antwash has joined #openstack-keystone		21:00
lbragstad	and all the information seemed correct	21:00
lbragstad	I only did this with local users	21:00
*** antwash has quit IRC		21:03
morgan	i'll start working on the rebase of things like the lockout and password expiry changes on the options thing once i'm done with foods	21:03
lbragstad	after it's all said and done - i just want to confirm that there is suppose to be a domain id in both the user and local_user tables	21:03
lbragstad	cc rderose ^	21:03
rderose	yes	21:04
rderose	lbragstad: correct	21:04
*** raildo has quit IRC		21:04
lbragstad	rderose cool - i deleted a user after the migration and it removed it from both tables, too	21:04
rderose	perfect	21:05
lbragstad	rderose so - from my perspective (and my non-automated way of testing) the triggers seem to be working	21:05
* lbragstad really wants to get this type of stuff automated		21:05
lbragstad	testing by hand is just too error prone :)	21:05
rderose	lbragstad: great and thanks again. really appreciate you taking the time to do that (I know it wasn't easy :) )	21:05
*** antwash has joined #openstack-keystone		21:06
lbragstad	rderose anytime	21:06
lbragstad	rderose i was working with a few folks in openstack-ansible on it - and I think we are going to try and get something lined up at the PTG	21:07
rderose	sweet!	21:07
lbragstad	rderose openstack-ansible has upgrade testing for keystone already	21:07
lbragstad	cc stevemar dstanek ^	21:07
stevemar	lbragstad: well it's +2'ed, care to push it throuhg?	21:07
lbragstad	stevemar yeah	21:07
stevemar	dstanek: you already reviewed https://review.openstack.org/#/c/423705/ -- want to double back on it?	21:08
stevemar	lbragstad: last one: https://review.openstack.org/#/c/423708/ but i think it's far easier than the first :)	21:08
lbragstad	stevemar yep - reviewing https://review.openstack.org/#/c/423753/1 now	21:09
lbragstad	stevemar ah - wrong link	21:09
lbragstad	stevemar reviewing https://review.openstack.org/#/c/423705/10 now	21:09
dstanek	stevemar: sure	21:09
*** antwash has quit IRC		21:11
dstanek	done	21:14
morgan	rderose: also, i renamed the table(s) as you requested	21:16
rderose	morgan: cool	21:17
rderose	morgan: I'm about to jump back on that one	21:17
rderose	morgan: _resource_option_mapper huh	21:17
rderose	morgan: i guess the name is appropriate, as it is a mapped collection :)	21:18
*** erlon has quit IRC		21:20
morgan	yep	21:21
*** erlon has joined #openstack-keystone		21:23
lbragstad	stevemar done	21:23
*** Jack_V has quit IRC		21:25
knikolla	6 patches gating, that's gonna take a while	21:26
stevemar	biab	21:27
lbragstad	that should hopefully be the last of what we need to get in before ocata-3	21:27
* lbragstad crosses fingers		21:27
morgan	lbragstad: depends on what folks think about the options, pci-dss, and mfa things	21:30
morgan	lbragstad: buuuut anyway	21:30
*** jaosorior has quit IRC		21:31
lbragstad	morgan ah - true	21:33
openstackgerrit	Gage Hugo proposed openstack/keystoneauth: Fix ClientException message property not set properly https://review.openstack.org/285757	21:37
browne	https://bugs.launchpad.net/keystone/+bug/1657978 only affects Mitaka, so someone with permission might want to mark it as such	21:42
openstack	Launchpad bug 1657978 in OpenStack Identity (keystone) "Internal Server Error: KeyError: 'domain'" [Medium,New] - Assigned to Eric Brown (ericwb)	21:42
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add support for endpoint group filtering https://review.openstack.org/182658	21:50
stevemar	morgan: lbragstad we should land the in-code options stuff for ocata-3	21:55
stevemar	during the RC period we can see if we want: 1) PCI patch, 2) MFA patches, and 3) the per-userID PCI options	21:56
stevemar	lbragstad: we need https://review.openstack.org/#/c/423708/ for ocata-3 too	21:56
morgan	dstanek: responded to your comments	21:59
*** v1k0d3n has quit IRC		21:59
*** v1k0d3n has joined #openstack-keystone		22:01
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/423708	22:03
lbragstad	stevemar yeah - i wanted to let the other two patches merge first before approving that one	22:04
*** spilla has quit IRC		22:08
stevemar	lbragstad: meh	22:14
*** pnavarro has quit IRC		22:14
morgan	stevemar: ok i'm going to start building on the code-options patch now unless someone (cc @all) else has questions on it right now	22:14
morgan	i'll circle back and look for comments/questions in a bit	22:15
morgan	oopse missed a general test.	22:16
morgan	that broke py27/35 will deal with that shortly	22:17
dstanek	morgan: sweet thanks	22:20
dstanek	morgan: the tests just finished for me and i have a few failing	22:20
dstanek	morgan: assertDictEqual for the user is failing	22:21
morgan	yep	22:22
morgan	its a very specific test	22:22
morgan	the test creating all attributes	22:22
morgan	and a couple others i think	22:22
morgan	but mostly the test creating all attributes	22:22
dstanek	i have 12 or 13 failing because option() isn't in the initially created dict	22:22
dstanek	can probably user add empty options to the create_user_ref	22:23
dstanek	...or make assertUsersEqual and be a little smarter than just the dict check	22:23
morgan	yep	22:23
morgan	i'll get those dealt with	22:24
morgan	look at the comment (responses)	22:24
morgan	and then i can followup with either additions/fixes/etc with the fixes to those tests	22:24
morgan	and i think i'll probably go with assertUserEqual	22:24
morgan	or something like that	22:24
morgan	because the dict check is going to be hard to maintain as options are added	22:25
*** browne has quit IRC		22:28
*** thorst_ has quit IRC		22:28
dstanek	morgan: yep, exactly. responded.	22:29
dstanek	this is looking pretty good	22:29
lbragstad	stevemar you had a +2 on https://review.openstack.org/#/c/423708/	22:34
lbragstad	stevemar but another patch set was pushed	22:34
stevemar	lbragstad: oh	22:41
stevemar	let me see the diff	22:41
stevemar	done	22:42
stevemar	lbragstad: rderose pushed	22:42
rderose	stevemar: yeahhhh :)	22:42
rderose	thanks guys	22:42
stevemar	morgan: you can rebase the options stuff on https://review.openstack.org/#/c/423708/ -- it'll currently conflict with it	22:43
morgan	stevemar: sure.	22:47
stevemar	lbragstad: holy damn, we actually merged the k2k stuff for horizon1	22:49
stevemar	!	22:49
lbragstad	11!11!1!111!!!1!1!11!	22:49
lbragstad	stevemar do we need to cross something off the keystone+horizon etherpad?	22:50
lbragstad	that was on there	22:50
stevemar	lbragstad: yes w do!	22:50
stevemar	lbragstad: looks like the left over there is some domain stuff that crinkle is working on, and PCI stuff	22:52
*** dave-mcc_ has joined #openstack-keystone		22:52
*** edmondsw has quit IRC		22:52
*** spotz is now known as spotz_zzz		22:53
*** dave-mccowan has quit IRC		22:54
knikolla	stevemar: k2k in horizon? finally!!!	22:55
*** edmondsw has joined #openstack-keystone		22:55
knikolla	i need to get back to my k2k patch for osc	22:56
* knikolla hides		22:57
*** edmondsw has quit IRC		22:59
*** catintheroof has joined #openstack-keystone		23:00
*** chris_hultin is now known as chris_hultin\|AWA		23:00
*** antwash has joined #openstack-keystone		23:03
stevemar	:)	23:05
*** dave-mccowan has joined #openstack-keystone		23:05
*** dave-mcc_ has quit IRC		23:05
*** jperry has quit IRC		23:08
*** browne has joined #openstack-keystone		23:10
*** antwash has quit IRC		23:16
*** antwash has joined #openstack-keystone		23:16
*** spotz_zzz is now known as spotz		23:18
*** jperry has joined #openstack-keystone		23:18
*** antwash has quit IRC		23:21
dstanek	knikolla: yes, hiding is a good thing!	23:23
knikolla	:)	23:25
*** diazjf has quit IRC		23:25
morgan	dstanek: almost have everything working and will fix the couple fixable comments in the next patch (give me 10-15min)	23:36
dstanek	morgan: gotta go coach soccer. i'll be back in about 90 mins	23:37
*** lamt has quit IRC		23:42
morgan	np	23:47
morgan	will get stevemar and rderose and lbragstad to review as well	23:47
*** agrebennikov__ has quit IRC		23:47
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options https://review.openstack.org/424334	23:53
morgan	dstanek, rderose, lbragstad, stevemar,breton, samueldmq, knikolla, ^ could use eyes	23:53
morgan	it should be ready to go.	23:54
*** lamt has joined #openstack-keystone		23:58
*** catintheroof has quit IRC		23:58
*** catintheroof has joined #openstack-keystone		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!