Wednesday, 2017-01-25

*** agrebennikov__ has quit IRC00:00
*** antwash has quit IRC00:00
morganrderose: i found the issue00:03
morganrderose: it's an assumption I made in the use of to_dict being always within the context of a session00:04
morganrderose: in most every case it is used within the session context. your tests it is not.00:05
morganlooking for a way to see that we're in a session context so i can raise an exception when .to_dict is used outside of a session context00:06
morganzzzeek: ping - is it possible to know I'm in a session context (reader or writer)? from the context manager globally?00:06
jamielennoxstevemar, lamt: -1ed00:06
*** pramodrj07 has quit IRC00:07
lamtjamielennox: thanks, will look at it00:09
*** nicolasbock has quit IRC00:12
*** furface has joined #openstack-keystone00:13
*** lamt has quit IRC00:17
morganrderose: i can just require to_dict to take session obj00:17
morganand it would solve the issue00:17
*** Trident has joined #openstack-keystone00:21
*** Trident has quit IRC00:24
*** Trident has joined #openstack-keystone00:26
*** nicolasbock has joined #openstack-keystone00:28
*** Trident has quit IRC00:28
*** Trident has joined #openstack-keystone00:29
*** nicolasbock has quit IRC00:33
morganrderose: but in short the fix is indent             return base.filter_user(user_ref.to_dict())  on line 647 of test_backend_sql00:35
*** phalmos has quit IRC00:36
*** hoangcx has joined #openstack-keystone00:39
*** chris_hultin is now known as chris_hultin|AWA00:41
*** thorst_ has joined #openstack-keystone00:42
*** adrian_otto has joined #openstack-keystone00:43
*** antwash has joined #openstack-keystone00:44
*** antwash has quit IRC00:49
*** nicolasbock has joined #openstack-keystone00:49
*** adrian_otto has quit IRC00:57
*** thorst_ has quit IRC00:58
rderosemorgan: back00:58
rderosemorgan: looking...00:58
morganrderose: this is a rather serious issue we have01:00
morganlazy-loaded via subquery is not guaranteed to work outside of the active context01:01
morganthe attribute mapper is just more sensitive to this01:01
morganso the options require .to_dict to be called in the active session.01:01
morganthe bigger issue is we have this pattern where we call .to_dict() outside of the method that does the sql-query01:01
morganstevemar: ^ cc01:02
morgandstanek: ^ cc01:02
*** adrian_otto has joined #openstack-keystone01:02
rderosemorgan: hmm...01:02
morganrderose: the issue you were seeing is easily solved with indenting the test, but there are at least 10 other places we will have issues since we call to_dict outside of User's session01:02
rderosemorgan: but I guess you really should call to_dict outside of the session, right?01:04
morganrderose: the real solution is to make to_dict not callable outside of the session context somehow (likely move off the sql_objects)01:04
morganwell... sortof01:04
rderose*sorry, you should not01:04
morganwe don't in 95% of the cases01:04
morganso... i can propose a fix... will take me a couple hours to write it01:05
morgani'm surprised we haven't hit this elsewhere01:05
morganbut in short... we're lucky01:05
rderoseI mean, your fix is to do that indenting throughout?01:05
morgansome cases you can't just indent01:05
morganbecause... the active session is not started within the method01:05
morgani *think* we can just do a with sql.session_as_<blah> in the outer method too01:06
morganlet me try this with the broken test(s)01:06
*** namnh has joined #openstack-keystone01:06
rderosemorgan: this is outside of the session:
rderosemorgan: and it is calling local_user via subquery01:07
rderoseoutside of the session01:08
*** antwash has joined #openstack-keystone01:08
morganthat is one of the cases that can cause issues01:08
rderosemorgan: but it's not01:08
morganit doesn't always break because some sessions may be active when it's called01:08
morgansessions can wrap sessions can wrap sessions01:08
morganif it was called at the top level, it might break in some cases.01:08
morgannote the extra context manager in the diff01:09
morgani can pretty much just wrap a few bad cases in another session01:09
morganthere are some things that need indenting and are just blatantly wrong01:09
morgan95% of all calls to "to_dict" are within a session context01:10
morganwe're just on the edge of edge of edge cases here01:10
morganhence hitting it wiht my new attribute mapper01:10
morgani'll bet if we tried to touch the federation info in .to_dict you'd error the same way01:10
rderoseI see01:11
morgani don't want to do a hybrid property for options01:11
morganbecause the attribute mapper is touchy about when someone does "model.options = {}"01:11
morganbasically, you just wiped all the options out01:11
rderoseI see01:12
morgani *guess* i could do something without a .settr, but likewise a .update() etc all start causing issues01:12
morgani also guess i could just mark options as an internal attr even with the hybrid01:13
morganjust note, to_dict should still not be called outside of the active session afaict. hybrid doesn't really solve it01:13
morganso... the question is... how should we fix it01:14
*** adrian_otto has quit IRC01:14
*** furface has quit IRC01:14
rderosemorgan: fix the 5% that are outside the session01:14
morganok. i think all but like 4 are easy fixes (just indent)01:15
morgani guess this should be a new patch under my patch... give me a few01:15
*** adrian_otto has joined #openstack-keystone01:15
rderosethe other ones, you'd have to pass the session to the method or something01:15
morgannah, just call sql.session_as<type>() in a context outside01:16
morganand put a #TODO to fix it01:16
rderosemorgan: nice catch btw, I kept thinking it has something to do with the orm relationship defined for options01:16
*** adrian_otto has quit IRC01:16
openstackgerritMerged openstack/keystone: Remove code supporting moving resources between domains
rderoselbragstad: how did the upgrade testing go?01:21
*** adrian_otto has joined #openstack-keystone01:26
*** lamt has joined #openstack-keystone01:31
*** adrian_otto has quit IRC01:32
morganrderose: ok almost done with this patch01:36
morganthen i'll rebase the option one01:36
*** tqtran has quit IRC01:37
rderosemorgan: cool01:37
openstackgerritMorgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options
openstackgerritMorgan Fainberg proposed openstack/keystone: Do not call `to_dict` outside of a session context
morganrderose: ^ now the code-defined options should work01:40
morganeven with your tests01:40
morganthat were breaking01:40
rderosecool, thx01:41
morganthat took a good bit of debugging fwiw ;)01:41
rderoseyeah, it sure had me scratching my head01:41
morgani only found it because i had run into similar when putting the option code together in the first place01:41
rderoseI see01:42
openstackgerritTin Lam proposed openstack/python-keystoneclient: Allow Multiple Filters of the Same Key
*** antwash has quit IRC01:45
*** esp_ has quit IRC01:45
morganstevemar: see comments on KVS, but in short: anything using KVS would throw a deprecation warning. It was placed there explicitly in newton so the rest of the KVS code, docs, etc could be dropped. Evetrything in the patch removed is01:47
morganuseless without that code. if we have to mark every function with deprecation warnings we wont ever remove KVS from keystone.01:47
morgankvs has been effectively useless since you've been PTL :P01:48
*** jose-phillips has quit IRC01:49
*** jose-phillips has joined #openstack-keystone01:57
*** browne has quit IRC02:16
openstackgerritRon De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use
stevemarmorgan: AH RIGHT02:24
stevemarmorgan: i forgot about that deprecation warning02:24
*** esp_ has joined #openstack-keystone02:29
stevemarjamielennox: yeah, i dunno... is that something we can do?02:30
*** ravelar has quit IRC02:32
lbragstadrderose working through a snag with openstack-ansible02:40
lbragstadhoping to have something done here soon02:40
rderoselbragstad: ah, okay02:40
rderoselbragstad: thanks02:40
stevemarjamielennox: want to punt it throuhg?
*** browne has joined #openstack-keystone02:51
*** thorst_ has joined #openstack-keystone02:57
*** thorst_ has quit IRC02:57
*** antwash has joined #openstack-keystone03:10
*** antwash has quit IRC03:11
*** browne has quit IRC03:23
*** dikonoor has joined #openstack-keystone03:26
stevemarmorgan: uh oh03:41
stevemar"TypeError: Can't upgrade a READER transaction to a WRITER mid-transaction "03:41
morganI'll poke at it. but yeah it's an issue. and ugly.03:42
morganpost dinner.03:42
*** browne has joined #openstack-keystone03:46
stevemarmorgan: rgr03:53
stevemarlbragstad: around-ish?03:53
*** spotz_zzz is now known as spotz03:53
*** portdirect_away is now known as portdirect03:55
lbragstadstevemar I'm working through some wrinkles with up rolling upgrade tests03:55
stevemarlbragstad: ++03:56
lbragstadstevemar i'm not sure what the deal is - but it seems dependency related03:56
lbragstadi'm on my 3rd vm03:56
*** richm has quit IRC04:00
*** tovin07 has quit IRC04:02
*** spotz is now known as spotz_zzz04:03
stevemarlbragstad: =\04:04
dstaneklbragstad: :-(04:08
*** esp_ has quit IRC04:09
lbragstadfwiw - i'm following the install process I documented here -
lbragstadone ^ those steps are done, I swap out to point to
lbragstadso that I can leverage all the openstack-ansible bits to orchestrate the upgrade and install the patches we want04:12
lbragstadwithin a venv, like an operator would do04:13
rderosestevemar morgan: going to spin up another patch for
*** adrian_otto has joined #openstack-keystone04:16
*** nicolasbock has quit IRC04:16
*** adrian_otto has quit IRC04:16
*** browne has quit IRC04:23
*** dave-mccowan has quit IRC04:30
stevemarrderose: do it up04:30
*** lamt has quit IRC04:32
rderosestevemar: 5 tests to go...04:35
stevemarrderose: chip chip chip away04:35
*** jose-phillips has quit IRC04:40
*** browne has joined #openstack-keystone04:41
openstackgerritMerged openstack/python-keystoneclient: Allow Multiple Filters of the Same Key
*** thorst_ has joined #openstack-keystone04:59
*** edmondsw has joined #openstack-keystone05:02
*** thorst_ has quit IRC05:03
*** jamielennox is now known as jamielennox|away05:06
*** edmondsw has quit IRC05:06
stevemarbreton: o/05:09
*** Jack_V has joined #openstack-keystone05:13
*** lamt has joined #openstack-keystone05:14
stevemarbreton: if you're looking for patches to review let me know05:15
bretonstevemar: yes i am!05:16
stevemarbreton: -- i've already +2'ed most of that chain05:16
openstackgerritRon De Rose proposed openstack/keystone: Do not call `to_dict` outside of a session context
openstackgerritRon De Rose proposed openstack/keystone: Do not call `to_dict` outside of a session context
*** tlbr_ has quit IRC05:20
*** tqtran has joined #openstack-keystone05:37
*** tqtran has quit IRC05:41
*** tlbr has joined #openstack-keystone05:49
*** spotz_zzz is now known as spotz05:50
*** spotz is now known as spotz_zzz06:11
openstackgerritRon De Rose proposed openstack/keystone: Do not call `to_dict` outside of a session context
openstackgerritRon De Rose proposed openstack/keystone: Code-Defined Resource-specific Options
*** spotz_zzz is now known as spotz06:46
*** edmondsw has joined #openstack-keystone06:51
*** tovin07 has joined #openstack-keystone06:54
*** edmondsw has quit IRC06:55
*** spotz is now known as spotz_zzz06:56
*** hoangcx_ has joined #openstack-keystone06:57
*** thorst_ has joined #openstack-keystone06:59
*** hoangcx has quit IRC07:00
*** antwash has joined #openstack-keystone07:01
*** thorst_ has quit IRC07:04
*** antwash has quit IRC07:04
*** namnh has quit IRC07:06
*** spotz_zzz is now known as spotz07:07
*** spotz is now known as spotz_zzz07:17
*** adriant has quit IRC07:19
*** pcaruana has joined #openstack-keystone07:28
*** tovin07 has quit IRC07:32
*** tesseract has joined #openstack-keystone07:34
*** jlwhite has quit IRC07:40
*** spotz_zzz is now known as spotz07:42
*** tovin07 has joined #openstack-keystone07:45
*** hoangcx has joined #openstack-keystone07:46
*** browne has quit IRC07:46
*** hoangcx_ has quit IRC07:48
*** spotz is now known as spotz_zzz07:52
*** stingaci has joined #openstack-keystone08:09
*** sfilatov has joined #openstack-keystone08:11
*** sfilatov has quit IRC08:12
*** sfilatov has joined #openstack-keystone08:12
*** tovin07 has quit IRC08:13
*** tovin07 has joined #openstack-keystone08:29
*** spotz_zzz is now known as spotz08:36
*** jlwhite has joined #openstack-keystone08:39
*** spotz is now known as spotz_zzz08:46
*** tlbr has quit IRC08:58
*** hoangcx has quit IRC09:00
*** zzzeek has quit IRC09:00
*** thorst_ has joined #openstack-keystone09:00
*** zzzeek has joined #openstack-keystone09:00
*** tovin07 has quit IRC09:00
*** stingaci has quit IRC09:04
*** stingaci has joined #openstack-keystone09:05
*** thorst_ has quit IRC09:05
*** tlbr has joined #openstack-keystone09:06
*** rvba` is now known as rvba09:13
*** tovin07 has joined #openstack-keystone09:15
*** pnavarro has joined #openstack-keystone09:20
*** sfilatov has quit IRC09:21
*** sfilatov has joined #openstack-keystone09:22
*** portdirect is now known as portdirect_brb09:22
*** tqtran has joined #openstack-keystone09:24
*** sfilatov has quit IRC09:26
*** tqtran has quit IRC09:28
*** spotz_zzz is now known as spotz09:30
*** sfilatov has joined #openstack-keystone09:31
*** portdirect_brb is now known as portdirect09:32
*** spotz is now known as spotz_zzz09:40
*** tovin07 has quit IRC09:41
openstackgerritOpenStack Release Bot proposed openstack/python-keystoneclient: Update reno for stable/ocata
*** sfilatov has quit IRC09:51
*** tlbr has quit IRC10:02
*** sfilatov has joined #openstack-keystone10:05
*** pnavarro has quit IRC10:06
*** spotz_zzz is now known as spotz10:06
*** pnavarro has joined #openstack-keystone10:08
*** spotz is now known as spotz_zzz10:16
*** openstackgerrit has quit IRC10:17
*** sfilatov has quit IRC10:22
*** mvk has quit IRC10:23
*** sfilatov has joined #openstack-keystone10:24
*** portdirect is now known as portdirect_away10:27
*** edmondsw has joined #openstack-keystone10:28
*** stingaci has quit IRC10:29
*** edmondsw has quit IRC10:32
*** tlbr has joined #openstack-keystone10:38
*** tlbr has quit IRC10:46
*** mvk has joined #openstack-keystone10:56
*** stingaci has joined #openstack-keystone10:57
*** tlbr has joined #openstack-keystone10:59
*** spotz_zzz is now known as spotz11:00
*** thorst_ has joined #openstack-keystone11:01
*** stingaci has quit IRC11:01
*** thorst_ has quit IRC11:05
*** nicolasbock has joined #openstack-keystone11:09
*** spotz is now known as spotz_zzz11:10
*** spotz_zzz is now known as spotz11:36
*** sfilatov has quit IRC11:42
*** spotz is now known as spotz_zzz11:46
*** sfilatov has joined #openstack-keystone11:49
*** stingaci has joined #openstack-keystone12:01
*** portdirect_away is now known as portdirect12:02
*** haplo37_ has quit IRC12:08
*** haplo37_ has joined #openstack-keystone12:10
*** d0ugal has quit IRC12:10
*** sfilatov has quit IRC12:15
*** raildo has joined #openstack-keystone12:16
*** sfilatov has joined #openstack-keystone12:17
*** d0ugal has joined #openstack-keystone12:18
*** catintheroof has joined #openstack-keystone12:28
*** spotz_zzz is now known as spotz12:30
*** iurygregory has quit IRC12:38
*** openstackgerrit has joined #openstack-keystone12:40
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Update reno for stable/ocata
*** thorst_ has joined #openstack-keystone12:44
-openstackstatus- NOTICE: Gerrit is going to be restarted due to slow performance12:46
-openstackstatus- NOTICE: Gerrit has been successfully restarted12:49
*** iurygregory has joined #openstack-keystone13:04
*** sfilatov has quit IRC13:07
*** sfilatov has joined #openstack-keystone13:13
*** tqtran has joined #openstack-keystone13:25
*** spotz is now known as spotz_zzz13:26
*** v1k0d3n has quit IRC13:27
*** stingaci has quit IRC13:27
*** edmondsw has joined #openstack-keystone13:28
*** v1k0d3n has joined #openstack-keystone13:29
*** tqtran has quit IRC13:30
*** spotz_zzz is now known as spotz13:32
*** lamt has quit IRC13:37
*** lamt has joined #openstack-keystone13:38
stevemarrodrigods: if you're otherwise okay with can you punt it through? its got a lot of patches on top of it and i don't want to cause a rebase party13:40
*** spotz is now known as spotz_zzz13:41
*** lamt has quit IRC13:42
*** spotz_zzz is now known as spotz13:48
samueldmqmorning all13:53
samueldmqstevemar: o/13:53
stevemarsamueldmq: heyo13:53
rodrigodsstevemar, sure13:54
*** pnavarro has quit IRC13:57
gemastevemar: I have followed your instructions pretty much to the letter ( and when it comes to try to ask for a token I get this error:, any idea what it may be related to? I have had a look at what ldap returns and all the configuration looks good to me14:06
*** spilla has joined #openstack-keystone14:12
*** zzzeek has quit IRC14:12
*** zzzeek has joined #openstack-keystone14:14
*** dave-mccowan has joined #openstack-keystone14:17
openstackgerritRon De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use
openstackgerritRon De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use
*** stingaci has joined #openstack-keystone14:27
*** jperry has joined #openstack-keystone14:28
*** tlbr has quit IRC14:35
*** jaugustine has joined #openstack-keystone14:40
*** spotz is now known as spotz_zzz14:44
*** agrebennikov__ has joined #openstack-keystone14:45
*** pnavarro has joined #openstack-keystone14:53
*** phalmos has joined #openstack-keystone14:55
*** mvk has quit IRC14:55
openstackgerritMerged openstack/keystone: Change unit test class to a less generic name
*** catinthe_ has joined #openstack-keystone15:00
*** stingaci has quit IRC15:01
openstackgerritMerged openstack/keystone: Verbose breakup of method into seperate methods
*** catintheroof has quit IRC15:02
openstackgerritRon De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use
rderosemorgan: when I set the resource option in the registry:
rderosemorgan: I'm expecting to be able to do this: user_dict['enforce_password_expires']15:05
*** chris_hultin|AWA is now known as chris_hultin15:07
rderosemorgan: or, user_ref.options['1000'].option_value15:07
rderosemorgan: instead, I'm getting: KeyError: 'enforce_password_expires'15:07
*** chris_hultin is now known as chris_hultin|AWA15:08
*** spotz_zzz is now known as spotz15:09
*** chris_hultin|AWA is now known as chris_hultin15:10
*** jaosorior has joined #openstack-keystone15:10
gemastevemar: nevermind had a bit of a mess in terms of pip packages, all sorted now. now I cannot authenticate, great problem to have!15:17
*** lamt has joined #openstack-keystone15:19
rderosemorgan: looks like the attribute only gets added if it exists for that user15:22
rderosemorgan: means, different attributes will be returned for different users?15:22
openstackgerritMerged openstack/keystone: Do not call `to_dict` outside of a session context
*** markvoelker has quit IRC15:31
*** markvoelker has joined #openstack-keystone15:32
knikollao/ morning15:35
*** markvoelker has quit IRC15:36
openstackgerritMerged openstack/python-keystoneclient: Update reno for stable/ocata
morganrderose: the that is the design. I could change it.15:41
rderosemorgan: you could change it in to_dict, but the user object return wouldn't automatically add it15:43
*** catintheroof has joined #openstack-keystone15:43
rderosemorgan: still playing with it, give me a few15:43
*** jose-phillips has joined #openstack-keystone15:44
*** catinthe_ has quit IRC15:46
*** phalmos has quit IRC15:51
*** phalmos has joined #openstack-keystone15:55
lbragstadjust a heads up that the policy meeting is going to be starting in a few minutes. we have a really light schedule today and we're in the middle of trying to get ocata out the door, so it will be a quick meeting15:56
rderoselbragstad: cool15:57
rderoseyeah, could use the time15:57
lbragstadrderose ++15:57
lbragstadme, too15:57
morganlbragstad: sorry have another meeting to hop on16:01
lbragstadmorgan no worries16:02
openstackgerritRon De Rose proposed openstack/keystone: Add domain_id to the user table
lbragstadping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan about policy meeting in #openstack-meeting-cp for those interested16:02
lbragstadit will be a quick one today16:02
openstackgerritRon De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use
*** ravelar has joined #openstack-keystone16:07
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users tests
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users
*** dikonoor has quit IRC16:11
morganrderose: my view was these are options. they are not guaranteed to be there16:13
morganrderose: so we use conditionals when poking at them.16:13
rderosemorgan: I see16:14
morganrderose: it avoids storing data in the DB when not needed (prevents loading extra data just for defaults)16:14
rderosemorgan: my only concern is not returning the attributes in the API16:15
morganwe could populate it and add a "default" concept that doesn't store in the db16:16
morganhowever... it felt weird doing so16:16
rderosemorgan: yeah16:16
*** markvoelker has joined #openstack-keystone16:17
rderosemorgan: we returning password_expires_at for all users (including ldap) and just setting it to None. I just assumed that we couldn't return different attributes for different users.16:17
dstaneklbragstad: i was just going to ask a policy question :-P16:17
morganrderose: we always have supported that concept with the extras16:18
dstaneklbragstad: do we have plans to do some policy discussion at PTG?16:18
*** markvoelker_ has joined #openstack-keystone16:18
morganrderose: we could add the data into user_ref[options] = {}16:19
morganrderose: if that helps16:19
lbragstaddstanek sorry :(16:19
morgani would have said password_expires is optional and doesn't return if we don't control the password16:19
lbragstaddstanek yeah - i plan on trying to set something up for policy16:19
rderosemorgan: yeah, that might work16:20
morganbut that would have been my view16:20
lbragstaddstanek specifically with nova and cinder (mriedem or johnthetubaguy or smcginnis)16:20
morgani have never been a fan of spewing useless data for the sake of useless date (or setting the values to explicitly None to communicate it isn't used)16:20
lbragstaddstanek I imagine we are going to start planning the PTG schedule sometime next week?16:21
lbragstadcc stevemar ^16:21
rderosemorgan: yeah, I think I like the idea of returning an options array in the API16:21
lbragstaddstanek but that will be one of the first things I ask about since it will require representation from other projects16:21
rderosemorgan: as opposed to a list of extra attributes16:21
rderosemorgan: keeping it like extras16:21
morganrderose: dict, but yes.16:22
*** markvoelker has quit IRC16:22
morganrderose: sure, though i did like that it wasn't in a weird special place in the ref onn the post request16:22
dstaneklbragstad: perfect, thanks16:23
rderosemorgan: so something like this:16:24
rderose    "user": {16:24
rderose        "default_project_id": "263fd9",16:24
rderose        "domain_id": "1789d1",16:24
rderose        "enabled": true,16:24
rderose        "name": "James Doe",16:24
rderose        "options": [16:24
rderose            "password_expires_at": "2016-11-06T15:32:17.000000"16:24
rderose        ]16:24
rderose    }16:24
morganwe could do that.16:24
morganthough password_expires_at is already encoded16:24
morganand i wouldn't change it16:24
morgan(or that it is communicated)16:24
rderosemorgan: true16:24
*** mvk has joined #openstack-keystone16:25
rderosemorgan: so in that case:16:25
rderose    "user": {16:25
rderose        "default_project_id": "263fd9",16:25
rderose        "domain_id": "1789d1",16:25
rderose        "enabled": true,16:25
rderose        "name": "James Doe",16:25
rderose"password_expires_at": "2016-11-06T15:32:17.000000",16:25
rderose        "options": [16:25
rderose            "enforce_password_expires": False16:25
rderose        ]16:25
rderose    }16:25
morganthat would be a way to handle options16:26
rderosemorgan: yeah16:26
morgani wouldn't be opposed to it16:26
morganvs just in the dict, now... realize16:27
lbragstaddstanek np16:27
rderosemorgan: right16:27
morganthat may break people consuming the ref downstream16:27
morganhopefully not16:27
*** stingaci has joined #openstack-keystone16:27
rderosemorgan: by having additional attributes?16:28
morganby having a non-scalar like item16:28
morganeveryting in the ref has been non-complex object (aka not list/dict/etc)16:28
rderosewe could keep it as a dict:16:29
rderose    "user": {16:29
rderose        "default_project_id": "263fd9",16:29
rderose        "domain_id": "1789d1",16:29
rderose        "enabled": true,16:29
rderose        "name": "James Doe",16:29
rderose        "password_expires_at": "2016-11-06T15:32:17.000000",16:29
rderose        "options": {16:29
rderose            "enforce_password_expires": False16:29
dstanekmorgan: we can't potect against stupid though16:29
rderose        }16:29
rderose    }16:29
morganrderose: we should keep it a dict16:31
morganbut yeah.16:31
*** sfilatov has quit IRC16:32
rderosemorgan: either way, I like the idea of having a new 'options' attribute16:32
*** sfilatov has joined #openstack-keystone16:33
rderoseand adding that to the user API16:33
rderosedstanek: any thoughts on this?16:33
rderosedstanek: as far as changing the user API16:34
dstanekrderose: i didn't see any API changes. what were they?16:34
rderosedstanek: above, changing the user response object to include a 'options' attribute16:35
*** AlexeyAbashkin has quit IRC16:35
rderosedstanek: different than how we've done password_expires_at16:35
dstanekrderose: ah, i don't consider the data format changes API changes. i'm fine with it. not thrilled on the name, but i can't think of anything better since 'metadata' is overused16:36
rderosedstanek: yeah, cool16:36
dstanekwhat else may go in there?16:36
rderosedstanek: the other one I have is lock_out_ignore_list16:37
dstanekrderose: what is that?16:37
dstanekthe 'options' are things that can't be changed right?16:37
rderosedstanek: user attempts failed login max times and is locked out16:37
*** stingaci has quit IRC16:37
rderosedstanek: we have an ignore list for that in config16:38
*** sfilatov has quit IRC16:38
morgandstanek: those would be pulled out of the keystone.config16:38
morganbecause it requires a keystone restart every time you change it (pulled out-option deprected)16:38
rderosemorgan: right16:38
morganrderose: hm. wonder if we can call it something other than "options"16:38
morganrderose: in the user_ref16:39
rderosedstanek: so something like 'allow_lockout'16:39
dstanekmorgan: ah, it wouldn't be a list then right? a boolean 'lock_out_ignore' or whatever16:39
rderosemorgan: metadata ;)16:39
dstanekmorgan: what's a synonym for metadata16:39
morgandstanek: it would be a dict, because things like MFA Rules would be in there16:39
rderosedstanek: yeahg16:39
dstanekmorgan: no, by list i meant 'lock_out_ignore_list'16:40
morganin the keystone config it is a list opt16:40
morganwe'd be moving it to a user-property16:40
rderosemorgan: yep16:40
morganso it is set on the user tiself... like most IDPs do16:40
dstanekright, but in the user it would be b a boolean saying if the user is exempt from lockout16:40
morganbut MFA Rules, for example, is a list of lists16:41
dstanekwhat's interesting about this is that 'options' is a part of the user, but we don't want the user to change it. almost feels like it should be at the same level at 'user'16:41
morganno, some options will be admin set16:41
morgansome options would be user-set16:41
morganMFA rules, for example would be one I'd expect the user (in most cases) to set16:41
morgandstanek: i want to make each option (long term) have a policy check for setting.16:42
dstanekso upon post we have to evaluate each option for changes?16:42
morganto start, it's like any value in user...16:42
morganset only via update_user access16:42
dstanekdoes the whole option object need to be provided for updates?16:43
morganeach option can be set independantly, not specifying an option will mean that option stays the same16:43
morganspecifying an option with the explicit value of None deletes it from the DB16:43
morganif the option is undefined (follow up patch, needs rebase) in the code it is stripped from the DB when update happens16:43
morganonly options defined in code will end up in the options dict in the user16:44
morganso options undefined down the road, will stay in the db until update, but will not display16:44
dstaneksounds good to me16:45
morganeach option is a row in the db (in the case) in user_options16:45
morganthe PK is (user_id, option_id)16:45
morganand the value is a jsonblob (text w/ loads/dumps) feild16:45
morganmost of the magic occurs in to_dict and from_dict methods (and a little bit in the actual SQL transaction/session context for lazy-load stuff)16:46
rderosemorgan: so if a request comes in with one option and the user has other options already defined, we don't remove those other options16:46
morganrderose: correct, i have a test case for that showing that exact behavior16:46
rderosemorgan: we just update the one passed in16:46
*** stingaci has joined #openstack-keystone16:47
morganit is the reason we're using the attribute mapper16:47
*** diazjf has joined #openstack-keystone16:47
morganit allows us to do that with a dict-like interface ( options[id] = value sets the value for the option, pop would remove from the dict and the db, user.options = dict() replaces the entire set of options)16:48
dstanekmorgan: so basically like extras?16:48
morgandstanek: no extras are completly contained in a single column on the user table16:48
morganthis is a separate table and a row per-user-per-option set16:49
morganso we can implement filtering/searching on it16:49
dstanekmorgan: no i realize that, but we are just taking extras and moving it to a separate row16:49
morganit's what i was advocating extras should become ... but this has no deployer choice in what can be stored there, only what we define as keystone supported options16:49
morganextras had no validation, no form, and no limits16:50
dstanekmorgan: any reason not to have a 'options' table name string(64) PK, desc string(256) and a user_options table containing the values?16:50
dstanekthat was you can query and filter based on the option name16:51
morganwe could move to that instead of the ID, i was looking to not limit the name length16:51
morganthe ability to map name->id is pretty quick16:51
dstanekwhat do you mean by mapping name to id?16:52
morgani can offer a clean interface to make a dict out of that.16:52
morganoption object has an id and a name16:52
morganyou can lookup in the registry the option id and get the name16:52
morganin python we can use that to pass back to the backend16:52
morganthe only reason you'd do what you're saying is if we want to circumvent that and/or allow easy sql-queries w/o keystone16:52
dstanekbut you can't filter if it's in a blob16:53
morganthe name isn't sotored in the db16:53
morganthe name is stored in the code only16:53
dstaneki would actually store it in the DB using the name as the PK16:53
morgani was trying to make the id much smaller and keep the lookup tables fully indexed16:53
dstanekwhat if you want to query the users and find all the ones that are exempt from password expiration?16:54
morganso, the way you'd do that is look for all users with option_id X, then filter in code for True16:54
dstanekmorgan: i think i'm missing something. how do you know they have option x?16:54
morganeach option has an ID.16:55
morganthe user_options table is: PK(user_id, option_id)16:55
morganyou're looking up the ID instead of the name16:55
morganname could be much much longer than the id.16:55
morganthe value is the only thing in a jsonblob16:56
dstanekmorgan: ah, ok. so not like extras at all16:56
morganno it is what i wanted extras to become16:56
dstanekwhen you said json blob earlier i imagined a single row per user16:56
dstanekthat makes sense16:56
morganno no, each option set is a row, per user16:57
dstaneki still like the human readable ids, but i wouldn't -2 for it or anything16:57
morganso it's per-user-per-option16:57
dstanekit would just be much easier to work with16:57
morganit only matters in the db16:57
morganif you are doing direct SQL stuff it matters16:57
* stevemar groans16:57
morganif you are not, it is always translated when loading the model16:57
morganit is translated in the fromt_dict/to_dict layer16:58
dstanekmorgan: yep, exactly. that's part of testing and debugging :-P16:58
dstanekstevemar: were you shanked?16:58
rderosemorgan: so I think we need to update your patch and return 'options' is as an attribute16:58
rderoseattributes = ['id', ..., 'options']16:58
morganrderose: can't do that16:58
morganrderose: you do not want to have the attribute mapper directly exposed16:58
*** stingaci has quit IRC16:58
morganwithout a lot of reworking, we will replace the options completly each time16:59
morganmeaning we break the contract that specifying a single option will not touch the other options16:59
*** markvoelker_ has quit IRC16:59
rderosemorgan: so we'd have to name it something else and manually add it?16:59
*** markvoelker has joined #openstack-keystone16:59
morganthe reason i do the work in the dict model16:59
morganso we don't have to do that17:00
*** stingaci has joined #openstack-keystone17:00
morganit's why you see the code that extracts the values and then sets them in user.options[id] = value17:00
morganand does an explicit .pop17:00
morganif we make it a real attribute on the model we will do user.options = options each time17:00
morgan*and* we have to take the values and build a UserOption object17:01
morganspecifically, it can't be just a string17:01
*** stingaci has quit IRC17:01
morgani looked at that as the first iteration before pushing this. making options a top-level attrribute like the other attributes is going to make this much more complex and more prone to failure17:02
rderosemorgan: right, it's not a string, but a dict within a dict17:02
rderosemorgan: hmm...17:02
morganactually the Atrribute mapper needs to be a SQL-A-Dict-thing, strings are keys, but the UserOption object must be the value17:02
morganso user.options[<id>] = UserOption(option_id=option_id, option_value=option_value)17:03
*** markvoelker has quit IRC17:03
morganthat is the only way it works in the backend17:03
dtroyerstevemar: around?17:04
morganit could be done in a comprehension, but it needs a lot of extra logic17:04
stevemardtroyer: in a way17:04
morgandtroyer: stevemar is clearly tired.17:04
stevemarmorgan: how are options unset?17:04
morganstevemar: set them to a Value of None17:04
morganit explicitly deletes the option from the backend17:04
dtroyercan you remove your -2 on real quick?17:04
stevemari had -2 on things?17:04
stevemarwell, -w17:05
stevemaroh good, novaclient was merged17:05
dtroyerthanks, ya, -w my bad17:05
morganif it is undefined (the object is removed) from code, it then is unset (same as an explicit None) when an update occurs17:05
stevemarthanks dtroyer17:05
*** antwash has joined #openstack-keystone17:05
rderosemorgan: so not adding the 'options' to attributes, but if they don't exists add the key and give a value of None17:05
rderosemorgan: like we do with password_expires_at17:05
dstanekrderose: i took the above to mean that if the option is unset it will net be in 'options'17:06
rderoseah, gotchea17:06
morgandstanek: ++17:07
*** antwash has quit IRC17:07
morganif an option is not set, it does not appear17:07
morganif an option has a value in the db, it is set, even if the value is the "default" behavior17:07
morganoptions do not have a "default" concept atm17:07
morganbecause they don't appear if not set.17:07
*** antwash has joined #openstack-keystone17:08
*** phalmos has quit IRC17:08
rderosemorgan: so what needs to happen in your patch to return 'options' in user attributes? is it just modify to_dict()17:10
*** phalmos has joined #openstack-keystone17:10
rderosemorgan: so that e can do:
morganrderose: and from_dict17:13
rderosemorgan: oh, right17:14
morganand the tests17:14
rderosemorgan: yeah, it will break a lot of tests I'm sure :)17:14
morgannah not a ton of tests to break17:14
morganonly ~3 or so17:14
morganthe code paths for this are incredibly narrow17:14
morganso, easy to fix that bit17:15
rderoseI see17:15
*** arunkant has joined #openstack-keystone17:15
morganthe tests are the OptionsObject, the Registry Object, and ~3 cases of setting user options17:16
morganset an option, check set/update/delete17:16
morganand check set/set opt2/delete opt and make sure options are maintained17:16
morganit really is meant to be super straightforward to build/replicate on other resourcetypes17:16
morgani expect project, groups,  and possibly IDP/protocol will get the same treatment(s)17:17
rderosemorgan: do you still want to keep the name as 'options'17:17
morganrderose: i'd like to call what we present to the user in the dict (out the API) something else17:17
morganbut internally, i like ResourceOptions17:17
morganbecause it is what they are17:17
rderosemorgan: works for me17:18
morganif we can't come up with a name, options will work17:18
rderosemorgan: options in the API response and resource_options in code17:18
morganso we have ~30-40m to come up with a name or i'm just rolling with it as options.17:18
morgani'll rename the thing on the user-object to resource_options17:18
morganand respin to output in a dict / extract from a dict shortly17:19
rderosemorgan: ah, cool17:19
morganrderose: thanks for updating the other one last night17:19
rderosemorgan: np17:19
morganlong term we should move to_dict off the model(s) and make it something that can't be used outside of a session context17:19
morganbut that was a lot more work than some indenting.17:19
morganfrom_dict makes sense being a class thing17:20
rderosemorgan: thank you for working on options :)17:20
morganok, i need to do breakfast17:20
morganeggs are calling my name.17:20
morganwell omlett with habenero in it17:20
morganis sitting in it's deconstructed state on the cutting board17:20
morganso let me cook/eat and then i'll have code and i'll work on the options bit for ignore_password_expiry and ignore_lockout as well in one fell swoop17:21
morgan(and then MFA rules and such)17:21
*** browne has joined #openstack-keystone17:21
*** jaosorior has quit IRC17:22
rderosemorgan: cool17:23
*** sfilatov has joined #openstack-keystone17:24
stevemarmorgan: rderose lbragstad dstanek i'm going to push and one of the subsequent patches17:25
stevemarwhile we don't have anything gating...17:25
*** tqtran has joined #openstack-keystone17:26
dstanekstevemar: i haven't looked at it, but i trust y'all17:26
*** sfilatov has quit IRC17:28
dstanekmorgan: is your options stuff something that we need to get in this week then?17:30
*** sfilatov has joined #openstack-keystone17:31
*** phalmos_ has joined #openstack-keystone17:31
*** jaosorior has joined #openstack-keystone17:32
*** tesseract has quit IRC17:33
*** phalmos has quit IRC17:34
rderosedstanek: I thought some of the MFA stuff was dependent on it and my PCI patch is dependent on the options stuff17:34
morganMFA is17:40
morganor will be17:40
morganand yeah PCI will be17:40
dstanekrderose: morgan: i'll get to reviewing that17:40
morganwe can hold all until pike but it hsould be all ready in a few17:40
morgani need to respin patches17:40
morganalso... i needed more habanero17:40
morganit wasn't hot enough :(17:40
* morgan might need to step up hot pepper consumption ot the red savinas next17:41
*** diazjf has quit IRC17:57
*** antwash has quit IRC18:13
brownehi all, is there any guide on using the openstack cli with federation? is it possible?18:21
stevemarbrowne: it is, yes18:23
brownei see there's a v3unscopedsaml os-auth-type, but i can't find any documentation on how to properly use it18:25
browneand somehow i'm missing an argument and get18:25
browneTypeError: __init__() takes exactly 6 arguments (5 given)18:25
*** sfilatov has quit IRC18:31
*** catinthe_ has joined #openstack-keystone18:33
*** sfilatov has joined #openstack-keystone18:34
*** sfilatov has quit IRC18:34
*** catintheroof has quit IRC18:35
morgandstanek, rderose about to push the update for options18:37
morganit should now place options in user['options']18:37
rderosemorgan: sweet!18:37
*** mvk has quit IRC18:42
dstanekmorgan: cool, i'll start looking as soon as you push18:46
*** pcaruana has quit IRC18:53
stevemarrderose: your changes to add domain id are mostly queued up :)18:57
stevemarrderose: will you be OK if i approve the MFA stuff?18:57
stevemaryou may hve to rebase18:57
rderosestevemar: sure18:57
stevemarbreton: you missed a patch:
stevemarmorgan: 2/4 MFA patches have been approved18:58
stevemarits mostly laying ground work18:59
*** nicolasbock has quit IRC19:03
*** MasterOfBugs has joined #openstack-keystone19:08
*** MasterOfBugs has quit IRC19:08
*** MasterOfBugs has joined #openstack-keystone19:09
*** pramodrj07 has joined #openstack-keystone19:09
*** diazjf has joined #openstack-keystone19:10
morganstevemar: -2'd the MFA rules table19:11
morganstevemar: unless you don't wnt that built on the new option stuff19:11
morganstevemar: i can lift the -2 before it blocks things19:12
morganstevemar: but... if we want this based on the options stuff, it shouldn't land.19:12
stevemarmorgan: eh19:12
morganstevemar: your call19:12
stevemarmorgan: ok ok, options stuff19:12
stevemarmorgan: hit the rebase button19:12
openstackgerritSteve Martinelli proposed openstack/keystone: Add user_mfa_rules table
morganwill do in a few19:12
morganah okie19:12
stevemarpopped it out of the queue19:12
morganthe -2 dropped with the rebase too19:13
morgani think we have an issue in gerrit19:13
stevemarno it didn't19:14
stevemarmorgan: sometimes there is lag19:14
morgani was on the wrong patchset19:14
dstanekmorgan: ping me when you push. i'm going to go grab lunch19:16
morgandstanek: will be very shortly srry19:16
dstanekmorgan: np, i've got plenty of other stuff keeping me busy. i just want to give this immediate attention since we making other stuff depend on it19:17
*** jaosorior has quit IRC19:21
*** tqtran has quit IRC19:26
bretonstevemar: morgan: what was that new option stuff you were talking about?19:31
*** antwash has joined #openstack-keystone19:39
*** antwash has quit IRC19:45
*** antwash has joined #openstack-keystone19:49
*** antwash has quit IRC19:50
*** ravelar has quit IRC19:56
*** tqtran has joined #openstack-keystone20:05
*** jaugustine has quit IRC20:07
*** jaosorior has joined #openstack-keystone20:12
*** mvk has joined #openstack-keystone20:13
dstanekstevemar: beyond that etherpad is there any other reviews we want to get through? i'm going to go heads down reviewing for a bit and want to prioritize the list20:14
*** ravelar has joined #openstack-keystone20:15
*** nicolasbock has joined #openstack-keystone20:16
*** jaosorior has quit IRC20:17
*** jaosorior has joined #openstack-keystone20:24
*** catinthe_ has quit IRC20:27
*** dougshelley66 has quit IRC20:38
*** dougshelley66 has joined #openstack-keystone20:45
*** jamielennox|away has quit IRC20:46
morgandstanek: posting in ~2m20:46
morganrderose, breton, stevemar: cc ^20:46
dstanekmorgan: cool, i'm around20:46
stevemardstanek: updating the etherpad20:47
openstackgerritMorgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options
morgana good deal cleaner than the previous revision20:47
morganand everything is now in user['options'] (which is a dict) when emitted20:48
bretonmorgan: is there a spec about the change?20:49
morganbreton: no. not specifically. this is in support of the PCI-DSS expiration on first use, MFA rules, etc specs20:50
morganthis is because the current setup for those is really ugly and bad. this gets us to a replicatable/re-usable statew and lays the framework for similar in project-specific-options20:51
*** adriant has joined #openstack-keystone20:51
morganwhich will be needed in Pike20:51
* morgan gives 15-20m for questions on code before I start rebasing other things on it.20:52
stevemarlbragstad: & morgan easy one ^20:54
stevemarand another easy one...
morganstevemar: +2 and +2/+A20:55
lbragstadstevemar ok - so i finally got rderose's patch tested20:55
lbragstadbut not in an automated way :'(20:56
*** jamielennox|away has joined #openstack-keystone20:56
lbragstadi had to do it by hand20:56
stevemaras long as it works, for now, i guess20:56
rderoselbragstad: sorry and thanks!20:56
rderoselbragstad: so how'd it go?20:56
lbragstadrderose not your fault at all20:56
*** jamielennox|away is now known as jamielennox20:56
*** ChanServ sets mode: +v jamielennox20:56
lbragstadI just need to spend a little more time iwth osa to figure out how we can leverage it to automate this *whole* process20:57
lbragstadI think we're close20:57
stevemara lot of patches need to be re-based on in-code options20:57
lbragstadrderose stevemar it went well. I was able to stand up stable/newton20:57
stevemarlbragstad: so how were the resutls? :)20:57
lbragstadthen I installed
lbragstadwhich is the branch I had with all rderose's work in it20:57
lbragstadand I created a separate venv for it - and using two different nodes I was able to do a rolling upgrade20:58
dstaneklooks like i got beat to it20:58
lbragstadafter the expand i listed users per domain, and added several more to the various domains20:58
lbragstadso the triggers seemed to be doing their jobs20:58
lbragstadfrom what I could tell20:58
lbragstadthen I did the same thing after doing the migrate step20:58
lbragstadonce that's done, there shouldn't be any more stable/newton code running, everything should be on master20:59
lbragstadso - it all seemed to work well from what I could tell, after upgrading to master (+ rderose's patches) I was able to list all domains and stuff21:00
lbragstadand users within those domains21:00
*** antwash has joined #openstack-keystone21:00
lbragstadand all the information seemed correct21:00
lbragstadI only did this with local users21:00
*** antwash has quit IRC21:03
morgani'll start working on the rebase of things like the lockout and password expiry changes on the options thing once i'm done with foods21:03
lbragstadafter it's all said and done - i just want to confirm that there is suppose to be a domain id in both the user and local_user tables21:03
lbragstadcc rderose ^21:03
rderoselbragstad: correct21:04
*** raildo has quit IRC21:04
lbragstadrderose cool - i deleted a user after the migration and it removed it from both tables, too21:04
lbragstadrderose so - from my perspective (and my non-automated way of testing) the triggers seem to be working21:05
* lbragstad really wants to get this type of stuff automated21:05
lbragstadtesting by hand is just too error prone :)21:05
rderoselbragstad: great and thanks again. really appreciate you taking the time to do that (I know it wasn't easy :) )21:05
*** antwash has joined #openstack-keystone21:06
lbragstadrderose anytime21:06
lbragstadrderose i was working with a few folks in openstack-ansible on it - and I think we are going to try and get something lined up at the PTG21:07
lbragstadrderose openstack-ansible has upgrade testing for keystone already21:07
lbragstadcc stevemar dstanek ^21:07
stevemarlbragstad: well it's +2'ed, care to push it throuhg?21:07
lbragstadstevemar yeah21:07
stevemardstanek: you already reviewed -- want to double back on it?21:08
stevemarlbragstad: last one: but i think it's far easier than the first :)21:08
lbragstadstevemar yep - reviewing now21:09
lbragstadstevemar ah - wrong link21:09
lbragstadstevemar reviewing now21:09
dstanekstevemar: sure21:09
*** antwash has quit IRC21:11
morganrderose: also, i renamed the table(s) as you requested21:16
rderosemorgan: cool21:17
rderosemorgan: I'm about to jump back on that one21:17
rderosemorgan: _resource_option_mapper huh21:17
rderosemorgan: i guess the name is appropriate, as it is a mapped collection :)21:18
*** erlon has quit IRC21:20
*** erlon has joined #openstack-keystone21:23
lbragstadstevemar done21:23
*** Jack_V has quit IRC21:25
knikolla6 patches gating, that's gonna take a while21:26
lbragstadthat should hopefully be the last of what we need to get in before ocata-321:27
* lbragstad crosses fingers21:27
morganlbragstad: depends on what folks think about the options, pci-dss, and mfa things21:30
morganlbragstad: buuuut anyway21:30
*** jaosorior has quit IRC21:31
lbragstadmorgan ah - true21:33
openstackgerritGage Hugo proposed openstack/keystoneauth: Fix ClientException message property not set properly
browne only affects Mitaka, so someone with permission might want to mark it as such21:42
openstackLaunchpad bug 1657978 in OpenStack Identity (keystone) "Internal Server Error: KeyError: 'domain'" [Medium,New] - Assigned to Eric Brown (ericwb)21:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add support for endpoint group filtering
stevemarmorgan: lbragstad we should land the in-code options stuff for ocata-321:55
stevemarduring the RC period we can see if we want: 1) PCI patch, 2) MFA patches, and 3) the per-userID PCI options21:56
stevemarlbragstad:  we need for ocata-3 too21:56
morgandstanek: responded to your comments21:59
*** v1k0d3n has quit IRC21:59
*** v1k0d3n has joined #openstack-keystone22:01
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users
lbragstadstevemar yeah - i wanted to let the other two patches merge first before approving that one22:04
*** spilla has quit IRC22:08
stevemarlbragstad: meh22:14
*** pnavarro has quit IRC22:14
morganstevemar: ok i'm going to start building on the code-options patch now unless someone (cc @all) else has questions on it right now22:14
morgani'll circle back and look for comments/questions in a bit22:15
morganoopse missed a general test.22:16
morganthat broke py27/35 will deal with that shortly22:17
dstanekmorgan: sweet thanks22:20
dstanekmorgan: the tests just finished for me and i have a few failing22:20
dstanekmorgan: assertDictEqual for the user is failing22:21
morganits a very specific test22:22
morganthe test creating all attributes22:22
morganand a couple others i think22:22
morganbut mostly the test creating all attributes22:22
dstaneki have 12 or 13 failing because option() isn't in the initially created dict22:22
dstanekcan probably user add empty options to the create_user_ref22:23
dstanek...or make assertUsersEqual and be a little smarter than just the dict check22:23
morgani'll get those dealt with22:24
morganlook at the comment (responses)22:24
morganand then i can followup with either additions/fixes/etc with the fixes to those tests22:24
morganand i think i'll probably go with assertUserEqual22:24
morganor something like that22:24
morganbecause the dict check is going to be hard to maintain as options are added22:25
*** browne has quit IRC22:28
*** thorst_ has quit IRC22:28
dstanekmorgan: yep, exactly. responded.22:29
dstanekthis is looking pretty good22:29
lbragstadstevemar you had a +2 on
lbragstadstevemar but another patch set was pushed22:34
stevemarlbragstad: oh22:41
stevemarlet me see the diff22:41
stevemarlbragstad: rderose pushed22:42
rderosestevemar: yeahhhh :)22:42
rderosethanks guys22:42
stevemarmorgan: you can rebase the options stuff on -- it'll currently conflict with it22:43
morganstevemar: sure.22:47
stevemarlbragstad: holy damn, we actually merged the k2k stuff for horizon122:49
lbragstadstevemar do we need to cross something off the keystone+horizon etherpad?22:50
lbragstadthat was on there22:50
stevemarlbragstad: yes w do!22:50
stevemarlbragstad: looks like the left over there is some domain stuff that crinkle is working on, and PCI stuff22:52
*** dave-mcc_ has joined #openstack-keystone22:52
*** edmondsw has quit IRC22:52
*** spotz is now known as spotz_zzz22:53
*** dave-mccowan has quit IRC22:54
knikollastevemar: k2k in horizon? finally!!!22:55
*** edmondsw has joined #openstack-keystone22:55
knikollai need to get back to my k2k patch for osc22:56
* knikolla hides22:57
*** edmondsw has quit IRC22:59
*** catintheroof has joined #openstack-keystone23:00
*** chris_hultin is now known as chris_hultin|AWA23:00
*** antwash has joined #openstack-keystone23:03
*** dave-mccowan has joined #openstack-keystone23:05
*** dave-mcc_ has quit IRC23:05
*** jperry has quit IRC23:08
*** browne has joined #openstack-keystone23:10
*** antwash has quit IRC23:16
*** antwash has joined #openstack-keystone23:16
*** spotz_zzz is now known as spotz23:18
*** jperry has joined #openstack-keystone23:18
*** antwash has quit IRC23:21
dstanekknikolla: yes, hiding is a good thing!23:23
*** diazjf has quit IRC23:25
morgandstanek: almost have everything working and will fix the couple fixable comments in the next patch (give me 10-15min)23:36
dstanekmorgan: gotta go coach soccer. i'll be back in about 90 mins23:37
*** lamt has quit IRC23:42
morganwill get stevemar and rderose and lbragstad to review as well23:47
*** agrebennikov__ has quit IRC23:47
openstackgerritMorgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options
morgandstanek, rderose, lbragstad, stevemar,breton, samueldmq, knikolla, ^ could use eyes23:53
morganit should be ready to go.23:54
*** lamt has joined #openstack-keystone23:58
*** catintheroof has quit IRC23:58
*** catintheroof has joined #openstack-keystone23:59

Generated by 2.14.0 by Marius Gedminas - find it at!