Friday, 2017-03-24

« Thursday, 2017-03-23 Index Saturday, 2017-03-25 »
*** jlopezgu_ has quit IRC00:01
*** spzala has quit IRC00:02
*** jdennis has quit IRC00:03
*** jdennis1 has joined #openstack-keystone00:03
*** adrian_otto has quit IRC00:16
*** dave-mccowan has quit IRC00:29
*** Aqsa has quit IRC00:31
*** Shunli has joined #openstack-keystone00:44
*** agrebennikov_ has quit IRC00:46
*** guoshan has joined #openstack-keystone00:48
*** dave-mccowan has joined #openstack-keystone00:48
*** dave-mcc_ has joined #openstack-keystone00:55
*** dave-mccowan has quit IRC00:57
*** tovin07 has joined #openstack-keystone00:58
*** spzala has joined #openstack-keystone01:08
*** dave-mccowan has joined #openstack-keystone01:09
*** wxy has quit IRC01:10
*** wxy has joined #openstack-keystone01:10
*** dave-mcc_ has quit IRC01:11
*** liujiong has joined #openstack-keystone01:12
*** MasterOfBugs has joined #openstack-keystone01:17
*** spzala has quit IRC01:20
*** spzala has joined #openstack-keystone01:20
*** spzala has quit IRC01:21
*** spzala has joined #openstack-keystone01:21
*** guoshan has quit IRC01:22
*** zhurong has joined #openstack-keystone01:26
*** jamielennox is now known as jamielennox|away01:39
*** jamielennox|away is now known as jamielennox01:48
*** spzala has quit IRC01:56
*** spzala has joined #openstack-keystone01:56
*** guoshan has joined #openstack-keystone01:57
*** knangia has quit IRC02:01
*** spzala has quit IRC02:02
*** guoshan has quit IRC02:03
*** ravelar has quit IRC02:04
*** guoshan has joined #openstack-keystone02:04
*** spzala has joined #openstack-keystone02:19
*** kukacz has quit IRC02:20
*** spzala has quit IRC02:23
*** namnh has joined #openstack-keystone02:33
*** knikolla has quit IRC02:38
*** aleph1 has quit IRC02:38
*** phalmos_ has quit IRC02:43
*** phalmos has joined #openstack-keystone02:44
openstackgerritzhongshengping proposed openstack/oslo.policy master: Check reStructuredText documents for common style issues.  https://review.openstack.org/44941002:45
*** aleph1 has joined #openstack-keystone02:47
*** raginbajin has quit IRC02:47
*** knikolla has joined #openstack-keystone02:50
*** raginbajin has joined #openstack-keystone02:52
*** spzala has joined #openstack-keystone03:00
*** spzala has quit IRC03:05
*** dave-mccowan has quit IRC03:08
*** prashkre has joined #openstack-keystone03:26
*** edmondsw has quit IRC03:32
*** spzala has joined #openstack-keystone03:42
*** spzala has quit IRC03:47
*** knangia has joined #openstack-keystone03:52
*** guoshan has quit IRC03:56
*** edmondsw has joined #openstack-keystone03:59
*** edmondsw has quit IRC04:04
*** zhurong has quit IRC04:07
*** spzala has joined #openstack-keystone04:09
*** htruta` has quit IRC04:11
*** htruta has joined #openstack-keystone04:12
*** spzala has quit IRC04:13
*** prashkre has quit IRC04:19
*** links has joined #openstack-keystone04:20
*** prashkre has joined #openstack-keystone04:34
openstackgerritjunboli proposed openstack/keystone master: Remove log translations  https://review.openstack.org/44942704:43
*** namnh has quit IRC04:47
openstackgerritjunboli proposed openstack/keystone master: Remove log translations  https://review.openstack.org/44942704:54
*** rderose has quit IRC04:54
*** spzala has joined #openstack-keystone05:01
*** spzala has quit IRC05:06
*** zhurong has joined #openstack-keystone05:16
*** prashkre has quit IRC05:22
*** prashkre has joined #openstack-keystone05:22
*** spzala has joined #openstack-keystone05:23
*** spzala has quit IRC05:27
*** eandersson_ has joined #openstack-keystone05:38
*** eandersson has quit IRC05:42
*** richm has quit IRC05:44
*** spzala has joined #openstack-keystone06:00
*** knangia has quit IRC06:01
*** spzala has quit IRC06:05
*** aojea has joined #openstack-keystone06:12
*** aojea has quit IRC06:18
*** MasterOfBugs has quit IRC06:32
*** spzala has joined #openstack-keystone06:42
*** spzala has quit IRC06:47
*** mvk has quit IRC06:47
*** edmondsw has joined #openstack-keystone06:59
*** edmondsw has quit IRC07:04
*** spzala has joined #openstack-keystone07:10
*** spzala has quit IRC07:15
*** Andrew_jedi has joined #openstack-keystone07:25
*** Andrew_jedi has quit IRC07:30
*** tesseract has joined #openstack-keystone07:31
*** Aqsa has joined #openstack-keystone07:41
*** liujiong has quit IRC07:45
*** spzala has joined #openstack-keystone07:52
*** jaosorior has joined #openstack-keystone07:55
*** spzala has quit IRC07:57
*** prashkre has quit IRC07:57
*** prashkre has joined #openstack-keystone07:58
*** belmoreira has joined #openstack-keystone07:59
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:01
openstackgerritChangBo Guo(gcb) proposed openstack/oslo.policy master: Simplify message of exception PolicyNotAuthorized  https://review.openstack.org/44947008:03
*** aojea has joined #openstack-keystone08:18
*** aojea has quit IRC08:18
*** aojea has joined #openstack-keystone08:19
*** prashkre has quit IRC08:23
*** prashkre has joined #openstack-keystone08:24
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Imported Translations from Zanata  https://review.openstack.org/44948408:30
*** spzala has joined #openstack-keystone08:33
*** spzala has quit IRC08:38
*** alex_xu has quit IRC08:58
*** alex_xu has joined #openstack-keystone08:59
*** alex_xu has quit IRC09:01
*** alex_xu has joined #openstack-keystone09:02
*** alex_xu has quit IRC09:06
*** alex_xu has joined #openstack-keystone09:07
openstackgerritjunboli proposed openstack/keystone master: Remove log translations  https://review.openstack.org/44942709:09
*** aojea_ has joined #openstack-keystone09:10
*** aojea has quit IRC09:12
*** spzala has joined #openstack-keystone09:15
*** spzala has quit IRC09:19
ma9_I'm debugging the HTTP communication when logging into Horizon. How can I see the token I was given by Keystone? I'm reading that It uses sessions ID as token… is it the same thing? https://wiki.openstack.org/wiki/OSSN/OSSN-001709:29
*** pnavarro has joined #openstack-keystone09:29
*** bjornar_ has joined #openstack-keystone09:32
bjornar_how do I send config-dir to initialize_public_application()09:32
*** jrist has quit IRC09:34
*** prashkre has quit IRC09:40
*** prashkre has joined #openstack-keystone09:42
*** prashkre_ has joined #openstack-keystone09:43
*** prashkre has quit IRC09:43
*** Shunli has quit IRC09:46
*** prashkre_ has quit IRC09:46
*** prashkre has joined #openstack-keystone09:47
*** spzala has joined #openstack-keystone09:48
*** prashkre has quit IRC09:49
*** prashkre has joined #openstack-keystone09:50
*** prashkre has quit IRC09:50
*** prashkre has joined #openstack-keystone09:52
*** spzala has quit IRC09:53
*** prashkre_ has joined #openstack-keystone09:56
*** mvk has joined #openstack-keystone09:57
*** prashkre has quit IRC09:58
*** pcaruana has joined #openstack-keystone10:05
*** richm has joined #openstack-keystone10:13
*** prashkre__ has joined #openstack-keystone10:23
*** prashkre_ has quit IRC10:24
*** prashkre_ has joined #openstack-keystone10:24
*** prashkre__ has quit IRC10:28
*** spzala has joined #openstack-keystone10:29
*** spzala has quit IRC10:34
*** edmondsw has joined #openstack-keystone10:35
openstackgerritChangBo Guo(gcb) proposed openstack/oslo.policy master: Simplify message of exception PolicyNotAuthorized  https://review.openstack.org/44947010:36
dstanekma9_: how are you debugg?10:37
dstanek*debugging10:37
*** nicolasbock has joined #openstack-keystone10:38
ma9_using firefox developer tools10:39
ma9_looking at the network traffic10:39
ma9_*dstanek10:39
ma9_is it so that the keystone token is saved into memcached and never reached the web browser?10:40
ma9_instead, a session id is used to keep the web browser session with horizon?10:40
*** zhurong has quit IRC10:40
*** edmondsw has quit IRC10:40
dstanekma9_: yeah, i don't think you'll ever see a token unless you see the traffic between horizon and keystone (horizon actually has it, not just in memcached)10:41
ma9_I see. The reasoning behind this is that I'm using Keycloack to implement SSO. It works form Horizon but not from the CLI as far as I know… so I was hoping to be able to get the Token from Horizon and reuse it on the CLI somehow10:42
dstanekma9_: does it support ECP?10:43
ma9_the communication betweek Keystone and Keycloack can work wither with OIDC or SAML. I thnk ECP is supported but I'm not 100% sure.10:45
ma9_(Keycloack then is a broker for different backends, for example LDAP/KRB,AD,Shibboleth,OIDC… but that's not visible on the keystone side)10:46
dstanekhow are you trying to use it from the command line OIDC or SAML?10:47
dstanekma9_:  or taking a step back.... what part is not working? is keystone responding incorrectly?10:48
Dinesh_Bhordstanek: Hi, I have written some tests for request-id. Whenever you get time please take a look at it and give your valuable suggestions: https://review.openstack.org/#/c/329913/10:52
ma9_RedHat told us the CLI does not work with KEycloack… but is the CLI  supposed to be able to work with SAML if ECP is supported? I found this document which maybe explains how to do it: https://platform9.com/support/using-openstack-cli-saml-authentication/10:54
*** prashkre__ has joined #openstack-keystone11:05
*** rmascena has joined #openstack-keystone11:06
*** Dinesh_Bhor has quit IRC11:07
*** prashkre_ has quit IRC11:08
dstanekma9_: yes, if the IdP support ECP the command line should work11:08
ma9_do you know if there is some official documentation for that? I could not find much11:10
dstanekma9_: for what IdP?11:10
dstanekis keycloak the IdP?11:10
ma9_yes11:11
dstanekit looks like it might be. if you can't you that from the command line then this won't work11:12
*** bjornar_ has quit IRC11:12
ma9_I will contact the RH support, and continue investigating11:14
*** prashkre__ has quit IRC11:14
ma9_thanks for now!11:14
*** prashkre has joined #openstack-keystone11:15
dstanekma9_: np. just for reference when talking to redhad. saml has a couple different profiles. one is the normal web flow and another is ECP the command line one (the others are not relevant for this usecase)11:19
dstanekit seems that many products don't support ecp yet11:20
*** tovin07 is now known as tovin07_at_work11:20
*** Dinesh_Bhor has joined #openstack-keystone11:20
dstanekhttps://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Profiles11:20
*** tovin07_at_work has quit IRC11:20
openstackgerritjunboli proposed openstack/keystone master: Remove log translations  https://review.openstack.org/44942711:23
*** edmondsw has joined #openstack-keystone11:32
*** spzala has joined #openstack-keystone11:50
*** prashkre has quit IRC11:52
*** prashkre has joined #openstack-keystone11:52
dstanekhappy bug day!11:55
*** spzala has quit IRC11:56
*** pnavarro has quit IRC12:00
*** links has quit IRC12:02
*** links has joined #openstack-keystone12:05
*** d0ugal has quit IRC12:24
*** spzala has joined #openstack-keystone12:32
*** spzala has quit IRC12:37
ma9_thank you dstanek12:44
dstanekma9_: np12:45
*** prashkre has quit IRC12:48
*** lamt has joined #openstack-keystone12:52
*** lamt has quit IRC12:52
*** david-lyle has quit IRC12:55
*** lamt has joined #openstack-keystone12:56
*** spilla has joined #openstack-keystone12:56
*** spzala has joined #openstack-keystone13:06
*** spilla has quit IRC13:07
*** spilla has joined #openstack-keystone13:09
*** spzala has quit IRC13:12
*** jrist has joined #openstack-keystone13:22
*** agrebennikov_ has joined #openstack-keystone13:36
*** Dinesh_Bhor has quit IRC13:39
*** d0ugal has joined #openstack-keystone13:45
*** spzala has joined #openstack-keystone13:45
*** spzala has quit IRC13:50
*** links has quit IRC13:53
*** phalmos has quit IRC13:57
*** ma9_ has quit IRC13:59
*** jlopezgu_ has joined #openstack-keystone14:05
*** dave-mccowan has joined #openstack-keystone14:08
*** spzala has joined #openstack-keystone14:08
*** lamt has quit IRC14:09
openstackgerritjunboli proposed openstack/keystone master: Remove log translations  https://review.openstack.org/44942714:10
*** pnavarro has joined #openstack-keystone14:12
knikollamorning o/14:18
lbragstadknikolla o/14:20
*** spzala has quit IRC14:21
*** chlong has joined #openstack-keystone14:25
*** david-lyle has joined #openstack-keystone14:26
dstaneklbragstad: new patch just about ready for the webob thing......just waiting on the full test suite to run14:27
lbragstaddstanek awesome - thank you for doing taht14:27
lbragstadcc jdennis1 ^14:27
lbragstadI'd like to get that merged today (to close the bug) and also so requirements can make that bump14:27
lbragstadcc dims ^14:27
dimsyay, thanks lbragstad14:28
lbragstaddims i didn't do anything - dstanek did it all ;)14:28
dimsthanks dstanek !14:29
dstaneklbragstad: i stepped back rethought it and did the simplest thing to make it work. i haven't compared it to my original patch though :-) was trying not to bias the work towards the complicated14:29
dstanekdims: my pleasure14:29
*** alex_xu has quit IRC14:37
*** alex_xu has joined #openstack-keystone14:38
*** ravelar has joined #openstack-keystone14:39
jdennis1lbragstad, dstanek: I will review, I've got meetings for the next few hours though ...14:40
lbragstadjdennis1 no worries - whenever you get a minute, it'd be nice to have your opinion on it14:41
*** spzala has joined #openstack-keystone14:43
*** phalmos has joined #openstack-keystone14:45
*** erhudy has quit IRC14:50
dstanekok, passes. going to snag my original commit message14:51
*** lucasxu has joined #openstack-keystone14:59
openstackgerritRichard Avelar proposed openstack/keystone master: Address comments from Steve Mar Policy in Code 5  https://review.openstack.org/44882615:02
*** rmascena is now known as rmascena|lunch15:04
lbragstaddstanek sweet15:05
openstackgerritRichard Avelar proposed openstack/keystone master: Address comments from Policy in Code 5  https://review.openstack.org/44882615:11
*** rderose has joined #openstack-keystone15:14
*** david-lyle has quit IRC15:15
*** edtubill has joined #openstack-keystone15:15
openstackgerritRichard Avelar proposed openstack/keystone master: Remove policy file from source and refactor tests  https://review.openstack.org/44967515:16
openstackgerritDavid Stanek proposed openstack/keystone master: Small fixes for WebOb 1.7 compatibiltity  https://review.openstack.org/42223415:17
lbragstadhere's one that we can probably merge at some point today - https://review.openstack.org/#/c/437441/1515:22
ravelarlbragstad I have a problem with that test.15:24
lbragstadravelar which one?15:24
ravelarlbragstad there is essentially no way to get that error in db_sync check to return without the dbmigration error that I created to raise first15:25
ravelareven if I were to call db_sync check directly15:25
ravelarthe only way I could possibly get it to return that message in db_sync check is if I were to mock stuff to pretend that dbmigration didnt work and then mock stuff to pretend that it was still out of order (at which point I feel like it would be meaningless since its not really testing what would happen)15:26
lbragstadhmm15:26
ravelarand I understand that "we shouldn't remove that test because db_sync has that as a possible if statement" but this patch solves that15:27
ravelarwhich is why I wanted to remove it from the beginning when writing this patch15:27
ravelarhowever, I understand keeping it there. I am just not sure there is a sensible way to test it since it can never run now15:28
ravelarso i am stuck lol15:28
lbragstaddstanek just to clarify - with your latest patch set https://review.openstack.org/#/c/447712/1 is now irrelevant, right?15:28
lbragstadravelar i'll have another look at it15:28
lbragstadravelar i'm happy to see that we're not just removing the test though15:29
ravelarlbragstad thank you! :)15:29
ravelarlbragstad yeah no problem, totally understand15:29
dstaneklbragstad: i'm not sure what you were trying to do there15:29
lbragstadravelar in your latest patch you've replaced it with three other tests15:29
lbragstaddstanek me either, i was trying to work jdennis1's comment in, but didn't fully understand them - i'm going to abandon15:29
ravelarlbragstad well the full summary is db_sync check used to have to take care of the case where it was run out of order (but that would only tell you after the fact, not as it was happening)15:30
*** jaosorior has quit IRC15:30
lbragstadravelar ah15:31
ravelarlbragstad now this patch does it as it happens, so that already stops it from ever occurring in db_sync check. On top of that, db_sync check has to pull all the repos so if it were to occur in the db_sync check method, it would again raise my error15:31
ravelarbefore it gets to the if statement15:31
lbragstadhmm15:31
ravelarso I could never get to the if statement even if I wanted, unless I mocked stuff in test to do really weird things and lie lol15:31
*** Joannah has joined #openstack-keystone15:32
ravelarhence I removed the one test in db_sync check and made tests for the change I made15:32
ravelarthat does this for db_sync check now15:32
ravelaris that making sense? sorry I feel like texting all this isn't too clear15:32
lbragstadravelar i'll revisit the patch15:34
ravelarlbragstad alrighty, thanks. Let me know if there is anything you have a question about15:34
*** prashkre has joined #openstack-keystone15:36
lbragstadravelar reviewing it again quick15:39
*** rderose_ has joined #openstack-keystone15:40
*** knangia has joined #openstack-keystone15:42
*** rderose has quit IRC15:43
*** rderose_ has quit IRC15:43
openstackgerritFelipe Monteiro proposed openstack/keystone master: Allow policy actions in code to be importable  https://review.openstack.org/44969415:44
*** rderose has joined #openstack-keystone15:44
*** gyee has joined #openstack-keystone15:45
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unnecessary revocation events  https://review.openstack.org/44818615:46
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused revoke_by_project_role_assignment  https://review.openstack.org/44861315:46
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused revoke_by_domain_role_assignment  https://review.openstack.org/44861515:46
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unnecessary revocation events revoke grant  https://review.openstack.org/44819215:46
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unnecessary revocation events  https://review.openstack.org/44756215:46
*** d0ugal has quit IRC15:52
*** bjornar_ has joined #openstack-keystone16:00
*** pcaruana has quit IRC16:03
dstanekrderose: looking at the bug to remove the ephemeral user type....is that something that is possible?16:11
rderosedstanek: I think so, I mean federated users are no longer ephemeral16:12
rderosedstanek: we'd still support the API, but refactor underlying code16:13
*** d0ugal has joined #openstack-keystone16:14
*** d0ugal has quit IRC16:14
*** d0ugal has joined #openstack-keystone16:14
dstanekrderose: well I don't know, that's why i'm asking :-) they are not ephemeral in the sense that we have them persisted...but is there still a different between mapping to a user in another backend using type:local+domain vs ephemeral groups?16:16
rderosedstanek: not following your question16:20
rderosedstanek: the only difference is that a federated user will get the mapped group roles16:20
*** belmoreira has quit IRC16:21
*** d0ugal has quit IRC16:22
*** lamt has joined #openstack-keystone16:23
dstanekrderose: ephemeral users were dynamically put into groups. local users were mapped to an existing user. i'm not sure if they could have dynamic groups or not. i'm asking if they are both the same now?16:24
dstanekcan they both be mapped to a local user to get concrete roles *and* dynamic groups to get additional roles?16:25
rderosedstanek: yes, they both can16:25
rderosehowever, a local user would have to have a federated profile (can't do this yet - ravelar's patch) to get dynamic group roles16:28
dstanekrderose: shouldn't that aleady be possible? or did we break it?16:29
dstanekrderose: i thought a 'local' user wouldn't get a federated_user record16:29
*** Joannah has quit IRC16:30
rderosedstanek: correct, currently a local could not get a federated_user record16:31
dstanekrderose: right, but i can federate into keystone get a local user and dynamic groups right?16:32
rderosedstanek: you ca federate in, we'll create a user > federated_user record (shadow mapping)16:33
rderoseand you'll get the mapped group roles16:33
rderoseso yes16:33
dstanekrderose: so you can't map to an existing local user anymore?16:33
*** david-lyle has joined #openstack-keystone16:33
rderosedstanek: I don't think so16:34
*** niteshnarayanlal has joined #openstack-keystone16:34
dstanekhmmm.... that's not good16:34
rderosedstanek: we had someone try that recently and only got the dynamic group roles; not the mapped local user roles16:34
dstanekso local and ephemeral do have different behavior now16:35
rderoseof course, you could assign concrete role assignments to federated users and they will get the concrete roles and dynamic group roles16:35
rderosedstanek: well, mapping a federated user to a local user doesn't work as I thought it would16:36
rderosenot sure if that is broken, or if it has never worked16:36
dstanekrderose: at one time it did work16:36
rderosedstanek: do we have test coverage?16:37
dstanekrderose: so in today's world what should happen if i wnat to map to a local user? or maybe i just can't anymore?16:37
dstanekrderose: we've never had functional test coverage for federation16:37
rderosehmm...16:37
dstanekit sucks that we lost merek. he was the guys that not only knew how everything worked, but why it had to work that way16:38
rderosedstanek: I see16:38
rderosedstanek: yeah, it totally seemed reasonable to me that you should be able to map a federated user to a local user, and get the local user roles16:39
dstaneki wonder what version cern is on? i'm wondering if we broken them with our federation changes16:41
rderosedstanek: not sure.  maybe not, as I don't think it would be common for you to create local users for federation mapping16:42
rderosedstanek: maybe for admins16:42
rderosebut not normal users16:42
*** nishaYadav has joined #openstack-keystone16:44
nishaYadavo/16:45
*** MasterOfBugs has joined #openstack-keystone16:46
dstanekrderose: not sure. most of the federation was driven by cern and ibm i believe16:47
rderoseI see16:47
*** niteshnarayanlal has quit IRC16:47
*** rmascena|lunch is now known as rmascena16:50
rderosedstanek: last I looked at the code/docs, I don't think we actually implemented mapping a federated user to a local user16:50
dstanekn0tn0wm4n16:51
dstanekkdirdir16:51
rderosedstanek: if you provided a local user ID and name, it would simply be used as the ephemeral user's id and name16:51
dstanekfutte16:51
dstaneklol16:51
rderosedstanek: but not actually tied to a local user16:51
dstanekalter.py just went nutz16:51
openstackgerritRichard Avelar proposed openstack/keystone master: Add federated support for get user  https://review.openstack.org/44873016:52
dstanekf0urt33ntH!16:52
dstaneka3rt fir$t16:52
dstanekgrrrr.....sorry... turning off the plugin...16:52
rderosedstanek: huh??16:53
dstanekrderose: i've been writing a plugin for weechat to alert me when thinks are happening. it just went nuts printing out hostnames in chat and giving me messages for *every* chat event in every channel i'm in16:54
rderosehaha16:54
knikolladstanek: we have functional test coverage for federation16:54
rderoseI see16:54
dstanekknikolla: we have some tests now, but that's all after these changes.16:55
dstanekknikolla: do you know if we test local users or what the behavior is?16:55
knikolladstanek: https://github.com/openstack/keystone/blob/master/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py16:55
*** aojea_ has quit IRC16:56
dstanekknikolla: doesn't look like it16:56
knikollawe only test the saml auth flow, but not local users16:56
knikollayes16:56
dstanekknikolla: the local users use the SAML flow16:56
knikollathe terminology is a bit tricky after the introduction of the shadow backend16:57
dstanekknikolla: so basically at one type you could specify type:local + domain in the mapping to map to a local user16:57
dstaneki'm pretty sure i remember it working and i'm just trying to confirm16:58
knikolladstanek: i have some old mappings. let me check16:58
*** edtubill has quit IRC16:58
knikolladstanek: this still works for me https://github.com/knikolla/ansible-k2k/blob/master/roles/federation-sp/files/register_identity_providers.py#L99-L12416:59
knikollanot sure if it's because of the presence of the group too16:59
*** edtubill has joined #openstack-keystone17:00
dstanekknikolla: does that map back to a local user in SQL?17:00
*** niteshnarayanlal has joined #openstack-keystone17:00
knikolladstanek: oh, my whole life is a lie. it doesn't.17:01
knikollatoo much automation i haven't touched in a year.17:02
dstaneklol17:05
dstanekbrb...still getting fork bombed so i'm killing weechat for a sec17:05
dstaneklet's see if that's better...17:06
dstanekrderose: knikolla: https://lists.launchpad.net/yahoo-eng-team/msg62331.html17:06
dstanekhttps://wiki.geant.org/download/attachments/53117373/20160122%20-%20Federated%20access%20to%20Openstack.pdf?version=1&modificationDate=1453390823908&api=v217:06
dstanekthere are lots of non-OpenStack resources talking about the local mapping thing17:07
dstaneki'll have to fire up a new environment and give it a try17:07
knikolladstanek: let me know. i remember i asked your help a few months ago about that, but i forgot the specifics.17:09
knikollai think i wasn't able to get it working.17:10
rderosedstanek: from looking at the code, you can specify a user type and domain17:10
rderosedstanek: which can then be used for federation17:11
dstanekrderose: so i believe that what is supposed to happen is that you map to a local user and then all operations/tokens/etc are for their id17:12
rderosedstanek: yeah, I think that happens17:12
rderosedstanek: but it doesn't pull in the mapped local user role assignments17:12
rderosedstanek: which is what I would expect17:12
rderosedstanek: so I think you can map to a local user, but you still only get the mapped group roles17:14
*** catintheroof has joined #openstack-keystone17:14
*** catintheroof has quit IRC17:15
*** catintheroof has joined #openstack-keystone17:15
rderosedstanek: and just a side note, we're only shadowing users (and shadow mapping for that matter) for ephemeral users17:16
*** d0ugal has joined #openstack-keystone17:17
rderosebut not when you specify a user type and domain17:17
*** lamt has quit IRC17:17
dstaneki wonder what yahoo is expecting to happen.17:21
dstaneklbragstad: https://bugs.launchpad.net/keystone/+bug/160208117:26
openstackLaunchpad bug 1602081 in OpenStack Identity (keystone) "Use oslo.context's policy dict" [High,In progress] - Assigned to Jamie Lennox (jamielennox)17:26
dstanekdone?17:26
openstackgerritRichard Avelar proposed openstack/keystone master: Add a note to db_sync configuration section  https://review.openstack.org/44974417:26
lbragstaddstanek check17:27
lbragstadchecking*17:27
*** ravelar has quit IRC17:27
lbragstaddstanek looks like https://review.openstack.org/#/c/371856/ was the only related fix merged to keystone17:29
dstanekthat's what i was thinking. so it's safe to mark as done right?17:36
*** lucasxu has quit IRC17:36
lbragstaddstanek looking at the patch17:36
dstaneklbragstad: the commit message says related not closes, but no other patch has been proposed17:39
lbragstaddstanek right17:39
lbragstaddstanek i double checked the bug, too17:39
lbragstadi'll have to dig into the patch17:40
dstaneklbragstad: ok, no worries. i can dig into it. didn't know if you knew the status offhand17:44
* dstanek is running to go get a late lunch17:44
*** ravelar has joined #openstack-keystone17:44
*** spzala has quit IRC17:45
*** spzala has joined #openstack-keystone17:47
*** tesseract has quit IRC17:50
*** spzala has quit IRC17:52
*** spzala has joined #openstack-keystone17:52
*** bjornar_ has quit IRC17:56
*** bas_____ has joined #openstack-keystone18:01
*** nishaYadav has quit IRC18:01
*** jlopezgu_ has quit IRC18:01
*** dolphm is now known as dr_dolphm18:02
*** bjornar_ has joined #openstack-keystone18:05
*** thiagolib has joined #openstack-keystone18:09
bas_____Hi! Can I write here about Outreachy? There's no one in opw channel18:10
rodrigodsbas_____, sure, we are here to help18:11
openstackgerritprashkre proposed openstack/keystone master: Error messages are not translating with locale.  https://review.openstack.org/44976918:11
rodrigodsbas_____, you can also try the #openstack-outreachy channel18:11
*** d0ugal has quit IRC18:17
bas_____oh, sorry, I'll go there then18:18
*** mvk has quit IRC18:23
*** chlong has quit IRC18:24
*** MasterOfBugs has quit IRC18:28
*** lamt has joined #openstack-keystone18:40
*** MasterOfBugs has joined #openstack-keystone18:46
*** lucasxu has joined #openstack-keystone18:50
lbragstadravelar do you know if upgrades.upgrade() is called anywhere?18:55
lbragstadravelar i'm running coverage on you patch now18:55
ravelarlbragstad unit tests18:56
ravelarlbragstad but not anywhere else18:56
*** Aqsa has quit IRC18:56
ravelarlbragstad I believe, its been a couple months since looking at it, let me recheck that18:57
dstaneklbragstad: jamielennox's commit message on that patchs leads me to believethat the is still quite a bit of work to be done18:57
ravelarthe gist that I got when doing the patch was that (although highly unlikely the database would ever let you contract without running expand first) there wasn't a logical validation to stop it18:58
ravelarand the unit tests would allow you to do something like that because of that method upgrades (which wasn't actually used from keystone-manage db_sync but was in unit tests)18:58
*** mvk has joined #openstack-keystone19:00
*** bjornar_ has quit IRC19:02
lbragstaddstanek i got that impression, too... but it's not really laid out in any detail19:03
lbragstadravelar this is the latest coverage report i'm generating with your patch - http://104.130.175.68/cover/keystone_common_sql_upgrades_py.html19:03
ravelarhttps://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_sql_upgrade.py#L226-L24019:04
ravelarhttps://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_sql_upgrade.py#L219-L22419:04
knikollathis release note seems to be in the wrong folder :/ https://github.com/openstack/keystone/tree/master/keystone/releasenotes/notes19:05
*** bas_____ has quit IRC19:05
lbragstadravelar yeah - my last question doesn't really make sense - upgrade is called everywhere...19:06
lbragstadjust through it was strange because there are a couple untested cases in that method19:06
*** nishaYadav has joined #openstack-keystone19:08
dstaneklbragstad: lol, the webob patch fails tests because it expects the new behavior....i think i'm going to delete the those test checks19:11
lbragstaddstanek yeah - that works for me19:11
lbragstadit doesn't make sense to keep those assertions around19:12
ravelarlbragstad so what is the consensus on the patch? lol im confused19:12
lbragstadravelar i'm trying to understand the approach to testing19:13
lbragstadtechnically the tests you've written should cover the cases, but they don't appear to19:13
lbragstadravelar like here - http://104.130.175.68/cover/keystone_common_sql_upgrades_py.html19:13
dstaneklbragstad: needs to kick off one more build...then i'll make those changes19:13
lbragstadlines 306, 319, and 33019:13
lbragstaddstanek thanks19:14
ravelar lbragstad ah okay lol19:14
lbragstadravelar line 1709 here https://review.openstack.org/#/c/437441/15/keystone/tests/unit/test_sql_upgrade.py19:15
dstaneklbragstad: talking to you really helps tune my scripts heuristics :-)19:16
lbragstadmakes me think we should be covering the expand method at line 306 - http://104.130.175.68/cover/keystone_common_sql_upgrades_py.html19:16
lbragstaddstanek at least i'm good for somethin'19:16
dstanek:-)19:16
dstaneki was working on my alert.py script last night and when i enabled it today it went crazy19:17
lbragstaddstanek what's it do?19:17
dstanekit's a weechat plugin to alter me of conversations19:18
lbragstadah19:18
dstanekmost scripts see your nick and alter you. i actually wanted to track conversations. for example, i got an alert for 'ah' just now19:18
dstanekit knows that we are talking19:19
lbragstad...19:19
lbragstadis it working?19:19
dstanekbut when you talked to ravelar i also got an alert19:19
dstanekyep that works fine :-)19:19
lbragstad:)19:19
lbragstadinteresting19:19
lbragstadso i don't have to use your nick dstanek constantly?!19:19
dstaneki was adding two unrelated features last night. one to parse a message and try to figure out if it was for another conversation and not for me and another to parse user's user/profile details19:20
dstaneklbragstad: exactly19:20
*** erhudy has joined #openstack-keystone19:20
lbragstadlol nice19:20
dstaneklbragstad: do you use weechat?19:20
lbragstadtextual19:21
dstanekah19:21
dstanekfirst version of my script: https://gist.github.com/dstanek/d1bdc7eae621e821087d0a514d10dfd519:21
lbragstadsweet!19:22
dstanekconversation tracking in detail is tricky. even as a human i don't always know what message is for me if someone is having multiple conversations. you have to read it and see if it fits in what the discussion.19:24
dstaneki need machine learning for my IRC alerts!19:24
lbragstadright19:24
lbragstaddstanek or just make it a convention to use peoples nicks ;)19:25
dstanekwe've been chattin and for the last 6 mins you haven't mentioned my nick. so if i switched contexts i might now know you were trying to talk to e19:26
dstanekme19:26
lbragstaddstanek true19:26
dstanekgood times19:27
ravelar lbragstad sorry for the delay, meeting19:28
lbragstadravelar no worries19:29
ravelarlbragstad upgrades.upgrade is only used in test_sql_upgrade right?19:29
ravelarupgrades the file however is used in different places19:29
lbragstadyeah - it's used all over in test_sql_upgrades19:30
ravelarlbragstad is it possible that the only reason out of order is possible is because the unit tests use upgrades.upgrade19:30
ravelarand upgrades.upgrade isn't the same thing that db_sync uses to do rolling upgrades19:31
lbragstadi think that's the part that threw me off19:32
ravelarlbragstad yeah I remember being mildly confused/annoyed that it was implemented that way when I was writing it19:33
ravelarwhen I was writing the validation*19:33
ravelarcause I had to add it to the upgrades since that was the only way it was being tests in unit tests19:33
ravelarnot just the main work flow of db_sync19:34
lbragstadravelar so with your tests, when you call self.expand(), what does that call?19:35
ravelarupgrades.upgrade19:36
ravelarcause nothing was calling db_sync directly19:36
ravelarhowever, same validation is in both with my validation method19:36
ravelarjust have the method run before the schema is upgraded19:36
ravelarin both upgrades.upgrade (unit tests) and upgrades.expand_schema, migrade_data(), etc19:37
lbragstadahhhhhhhhhhhhhhh19:39
ravelarlbragstad so the big picture here is that you have this being run when db_sync is executed https://github.com/openstack/keystone/blob/master/keystone/common/sql/upgrades.py#L262-L29319:39
lbragstadso that's why expand_schema, migrate_data, and contract_schema don't show any test coverage19:40
lbragstadyup19:40
ravelarlbragstad and then you have this being run for unit tests https://github.com/openstack/keystone/blob/master/keystone/common/sql/upgrades.py#L42-L6919:40
ravelarlbragstad yeah i know its weird19:40
* lbragstad shakes head19:40
lbragstadwow19:40
ravelarlbragstad didn't understand it either19:40
lbragstadthat took me *way* too long to figure out19:40
* ravelar nods head with lbragstad19:42
lbragstadit'd be super nice if the implementation and the tests used the *same* entry point19:42
ravelarlbragstad should I do that as well?19:42
lbragstadthen we wouldn't have false positives in test coverage19:42
ravelarlbragstad right19:42
lbragstadravelar you could, but I wouldn't hold up the patch you have for it19:42
lbragstadi think that's it's own thing that needs to be refactored19:43
ravelarlbragstad well as long as I have confirmation to redo it, wasn't sure if there was a reason for it till you confirmed otherwise with me lol19:43
ravelarlbragstad, I could refactor first, then come back the validation stuff after I do proper test coverage and if it is still needed19:43
*** bjornar_ has joined #openstack-keystone19:43
lbragstadyeah - that'd work19:44
lbragstadit depends on how long you think the refactor will take19:44
ravelarlbragstad sweeet! hmm will I will take a stab at it lol19:44
ravelarand in the process probably hit why it was done that way in the first place when I get to a road block or something19:44
lbragstadbecause if it ends up being a sprawling change, i'd opt to fix the bug first then propose the cleanup afterwords19:44
ravelarahh okay i see19:45
*** Aqsa has joined #openstack-keystone19:45
openstackgerritKristi Nikolla proposed openstack/keystone master: Move release note from /keystone/releasenotes to /releasenotes  https://review.openstack.org/44979819:48
*** ynirk has left #openstack-keystone19:55
lbragstaddstanek you haven't been following the translation discussions have you?19:58
lbragstaddstanek it might relate to https://review.openstack.org/#/c/449769/119:58
lbragstaddstanek but i want to say that the discussion was only removing translated *logs*19:58
* lbragstad goes to double check19:58
dstaneklbragstad: looking19:58
dstaneklbragstad: that is us no translating error messages back to the user19:59
lbragstaddstanek19:59
lbragstaddstanek right19:59
lbragstaddstanek which is OK I think?20:00
dstaneklbragstad: ok, not to translate?20:00
lbragstaddstanek meaning that it is OK to fix?20:00
lbragstaddstanek i'm double checking http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html20:00
lbragstadwhich seems specific to translating logs not error messages back to the user20:00
dstaneklbragstad: i'm guessing so. my understanding of that was that we didn't want to translate log messages anymore20:01
lbragstadin this case I don't think we're translating logs - but an actual error message, so we should be good to fix20:01
lbragstadright - ok cool20:01
lbragstadsame page20:01
dstaneklbragstad: actually is prevents *anything* from being translated. we still have to remove the _* stuff to stop translating logs20:02
lbragstaddstanek what prevents anything from being translated?20:02
dstaneklbragstad: that bugs means that nothing is currently being translated20:05
dstaneki help them debug it in chat and gave them the fix20:05
*** spzala has quit IRC20:05
*** spzala has joined #openstack-keystone20:06
dstaneklbragstad: that was this conversation: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-03-20.log.html#t2017-03-20T14:02:4920:08
openstackgerritprashkre proposed openstack/keystone master: Error messages are not translating with locale.  https://review.openstack.org/44976920:08
lbragstaddstanek oh - right20:09
lbragstaddstanek i see what you mean20:09
lbragstaddstanek i saw a patch for the removal of the log translations floating around at some point this last week20:09
prashkredstanek:lbragstad: Hi. Thanks for reivew and comments on https://review.openstack.org/#/c/449769/. I have update release notes with link to bug.. please review again.20:10
lbragstadprashkre reviewing again now20:10
*** spzala has quit IRC20:10
lbragstadprashkre thanks for the quick turn around20:10
dstanekalready did :-)20:11
prashkredstanek. new patch proposed addressing lbragstad comment.20:11
openstackgerritDavid Stanek proposed openstack/keystone master: Small fixes for WebOb 1.7 compatibiltity  https://review.openstack.org/42223420:12
lbragstaddstanek nice - i just pulled ^ that up agin20:12
lbragstadagain*20:12
dstaneklbragstad: i tested on both 1.6.0 and 1.7.220:13
lbragstaddstanek thanks for doing that20:13
prashkrelbragstad:dstanek: Thanks for quick review.20:15
*** spzala has joined #openstack-keystone20:15
*** aojea has joined #openstack-keystone20:18
*** thiagolib has quit IRC20:21
openstackgerritKristi Nikolla proposed openstack/keystone master: Move release note from /keystone/releasenotes to /releasenotes  https://review.openstack.org/44979820:22
*** nishaYadav has quit IRC20:23
*** niteshnarayanlal has quit IRC20:27
*** richm has quit IRC20:33
*** phalmos has quit IRC20:37
dstaneklbragstad: work in the i18n one for keystone.... these tests look to be useless https://review.openstack.org/#/c/447864/3/keystone/tests/unit/test_exception.py,unified20:38
dstaneki think i'm going to remove20:38
lbragstaddstanek sounds good20:39
dstaneklbragstad: i think i'm going to go get an early dinner and then finish up that patch20:41
openstackgerritKristi Nikolla proposed openstack/keystone master: Move release note from /keystone/releasenotes to /releasenotes  https://review.openstack.org/44979820:42
dstaneklbragstad: bugs still in the mid-90s :-(20:42
lbragstaddstanek works for me - i have family coming into town shortly and i have to run some errands in a bit anyway20:42
lbragstaddstanek i know, i wanted to get into the 80s today20:42
dstaneklbragstad: cool, if you're not online this weekend i'll see you on monday20:42
lbragstadwe have a couple fixes that will be gating shortly though20:42
dstaneklbragstad: i'm not done for the day yet :-)20:42
lbragstaddstanek i'll be online later20:43
lbragstaddstanek i'm trudging through a bunch of antwash's patches ;)20:43
dstaneklbragstad: have you +2 ready :-)20:43
lbragstadwe lucked out and got the DocumentedRuleDefault object in the oslo.policy 1.21.0 release20:43
dstaneknice20:43
lbragstadso all those patches antwash proposed are passing20:44
lbragstadwhich means we should be able to knock out the policy-docs spec next week20:44
dstaneklooks like stevemar still has his +2 handy20:45
* dstanek is walking out of the door20:46
*** dave-mccowan has quit IRC21:01
*** links has joined #openstack-keystone21:05
*** aojea has quit IRC21:06
*** pramodrj07 has joined #openstack-keystone21:16
*** rmascena has quit IRC21:18
*** MasterOfBugs has quit IRC21:20
*** antwash_ has quit IRC21:21
*** jlopezgu has quit IRC21:21
*** aojea has joined #openstack-keystone21:22
*** spilla has quit IRC21:24
*** edtubill has quit IRC21:26
openstackgerritjunboli proposed openstack/keystone master: Remove log translations  https://review.openstack.org/44942721:57
*** pramodrj07 has quit IRC22:03
*** pramodrj07 has joined #openstack-keystone22:03
*** knikolla has left #openstack-keystone22:03
*** prashkre has quit IRC22:08
*** richm has joined #openstack-keystone22:26
*** lucasxu has quit IRC22:27
*** richm has left #openstack-keystone22:29
*** spzala has quit IRC22:30
openstackgerritMerged openstack/keystone master: Error messages are not translating with locale.  https://review.openstack.org/44976922:52
*** aojea has quit IRC22:59
*** erhudy has quit IRC23:00
*** jlopezgu has joined #openstack-keystone23:02
*** jlopezgu has quit IRC23:03
*** jlopezgu has joined #openstack-keystone23:09
*** richm1 has joined #openstack-keystone23:13
*** markvoelker has quit IRC23:24
*** links has quit IRC23:24
*** agrebennikov_ has quit IRC23:26
*** lamt has quit IRC23:41
*** lucasxu has joined #openstack-keystone23:45
*** spzala has joined #openstack-keystone23:47
« Thursday, 2017-03-23 Index Saturday, 2017-03-25 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!