Wednesday, 2017-04-19

*** guoshan has joined #openstack-keystone 00:05
*** mpjetta has quit IRC 00:14
*** Aqsa has quit IRC 00:19
*** thorst has quit IRC 00:25
*** namnh has joined #openstack-keystone 00:37
*** david-lyle has joined #openstack-keystone 00:44
*** topol has quit IRC 00:54
*** gyee has quit IRC 01:01
*** guoshan has quit IRC 01:03
*** guoshan has joined #openstack-keystone 01:04
*** guoshan has quit IRC 01:09
*** shuyingya has joined #openstack-keystone 01:12
*** guoshan has joined #openstack-keystone 01:22
*** gus has joined #openstack-keystone 01:26
*** aojea has joined #openstack-keystone 01:30
*** aojea has quit IRC 01:36
*** liujiong has joined #openstack-keystone 01:46
openstackgerrit: huangtianhua proposed openstack/keystone master: Role name is unique within the owning domain
*** ngupta has joined #openstack-keystone 01:47
*** thorst has joined #openstack-keystone 02:00
*** Shunli has joined #openstack-keystone 02:05
*** mpjetta has joined #openstack-keystone 02:12
*** thorst has quit IRC 02:16
*** shuyingy_ has joined #openstack-keystone 02:16
*** shuyingya has quit IRC 02:16
*** ngupta has quit IRC 02:32
*** ngupta has joined #openstack-keystone 02:33
*** ngupta has quit IRC 02:37
*** dave-mccowan has quit IRC 02:47
*** lamt has joined #openstack-keystone 02:59
*** MasterOfBugs has quit IRC 03:11
*** thorst has joined #openstack-keystone 03:13
openstackgerrit: liyanhang proposed openstack/keystone master: Fix-test-of-assertValidRole
*** ngupta has joined #openstack-keystone 03:17
*** links has joined #openstack-keystone 03:19
*** kencjohnston_ has quit IRC 03:19
*** kencjohnston has joined #openstack-keystone 03:19
*** shuyingy_ has quit IRC 03:20
*** shuyingya has joined #openstack-keystone 03:20
*** jerrygb has joined #openstack-keystone 03:21
*** shuyingy_ has joined #openstack-keystone 03:26
*** ngupta has quit IRC 03:28
*** smccully has quit IRC 03:28
*** ngupta has joined #openstack-keystone 03:29
*** shuyingya has quit IRC 03:30
*** ngupta has quit IRC 03:31
*** ngupta has joined #openstack-keystone 03:32
*** thorst has quit IRC 03:32
*** aojea has joined #openstack-keystone 03:32
*** lamt has quit IRC 03:34
*** ngupta has quit IRC 03:36
*** aojea has quit IRC 03:37
*** lamt has joined #openstack-keystone 03:41
openstackgerrit: Richard Avelar proposed openstack/keystone master: Add federated support for get user
*** lifeless has joined #openstack-keystone 03:46
openstackgerrit: Shan Guo proposed openstack/python-keystoneclient master: Remove log translations
*** nicolasbock has quit IRC 03:51
*** chlong has quit IRC 03:58
*** guoshan has quit IRC 04:05
*** lamt has quit IRC 04:26
*** aojea has joined #openstack-keystone 04:33
*** links has quit IRC 04:36
*** aojea has quit IRC 04:38
*** links has joined #openstack-keystone 04:53
*** lamt has joined #openstack-keystone 05:01
*** lamt has quit IRC 05:05
*** links has quit IRC 05:25
*** jerrygb has quit IRC 05:25
*** thorst has joined #openstack-keystone 05:29
*** markvoelker has quit IRC 05:29
*** aojea has joined #openstack-keystone 05:32
*** links has joined #openstack-keystone 05:37
*** zhurong has joined #openstack-keystone 05:42
*** richm has quit IRC 05:44
*** thorst has quit IRC 05:48
*** stingaci has quit IRC 06:00
*** guoshan has joined #openstack-keystone 06:06
*** aojea has quit IRC 06:07
*** aojea has joined #openstack-keystone 06:07
*** rcernin has joined #openstack-keystone 06:08
*** guoshan has quit IRC 06:11
*** aojea has quit IRC 06:12
*** guoshan has joined #openstack-keystone 06:21
*** voelzmo has joined #openstack-keystone 06:25
*** markvoelker has joined #openstack-keystone 06:29
*** pcaruana has joined #openstack-keystone 06:33
*** markvoelker has quit IRC 06:35
*** lamt has joined #openstack-keystone 06:44
*** lamt has quit IRC 06:44
*** thorst has joined #openstack-keystone 06:45
*** thorst has quit IRC 06:49
*** Aqsa has joined #openstack-keystone 06:52
*** jaosorior has joined #openstack-keystone 06:53
*** tesseract has joined #openstack-keystone 07:01
*** MasterOfBugs has joined #openstack-keystone 07:03
*** belmoreira has joined #openstack-keystone 07:04
*** tovin07 has joined #openstack-keystone 07:12
*** faizy has joined #openstack-keystone 07:20
openstackgerrit: Hemanth Nakkina proposed openstack/keystone master: Minor corrections in OS-OAUTH1 api documentation
*** adriant has quit IRC 07:23
*** aojea has joined #openstack-keystone 07:24
*** markvoelker has joined #openstack-keystone 07:30
*** shuyingy_ has quit IRC 07:34
*** shuyingya has joined #openstack-keystone 07:34
*** markvoelker has quit IRC 07:35
*** zsli_ has joined #openstack-keystone 07:43
*** thorst has joined #openstack-keystone 07:46
*** Shunli has quit IRC 07:46
*** thorst has quit IRC 07:50
*** lennyb has joined #openstack-keystone 07:53
*** jerrygb has joined #openstack-keystone 07:55
*** zzzeek has quit IRC 08:00
*** jerrygb has quit IRC 08:00
openstackgerrit: Peter Sabaini proposed openstack/keystone master: Make flushing tokens more robust
*** zzzeek has joined #openstack-keystone 08:01
openstackgerrit: Shan Guo proposed openstack/keystone master: Remove unused log translation code
*** mvk has quit IRC 08:26
*** aloga has quit IRC 08:34
*** aloga has joined #openstack-keystone 08:35
*** MasterOfBugs has quit IRC 08:37
*** shuyingy_ has joined #openstack-keystone 08:41
*** shuyingya has quit IRC 08:44
*** thorst has joined #openstack-keystone 08:47
*** thorst has quit IRC 08:52
*** mvk has joined #openstack-keystone 08:56
*** Aqsa has quit IRC 09:05
*** Aqsa has joined #openstack-keystone 09:07
*** mvk has quit IRC 09:12
*** rocky_ has quit IRC 09:13
*** zhugaoxiao has joined #openstack-keystone 09:13
*** xuhaigang has joined #openstack-keystone 09:16
*** tuan__ has joined #openstack-keystone 09:16
*** tuan__ has quit IRC 09:19
*** tuan__ has joined #openstack-keystone 09:22
*** mvk has joined #openstack-keystone 09:23
*** zsli_ has quit IRC 09:27
openstackgerrit: Stephen Finucane proposed openstack/keystone master: Explicitly set 'builders' option
*** thorst has joined #openstack-keystone 09:47
*** thorst has quit IRC 09:52
openstackgerrit: huangtianhua proposed openstack/keystone master: Role name is unique within the owning domain
*** stingaci has joined #openstack-keystone 09:57
*** stingaci has quit IRC 10:01
*** liujiong has quit IRC 10:11
*** richm has joined #openstack-keystone 10:13
*** shuyingy_ has quit IRC 10:18
*** shuyingya has joined #openstack-keystone 10:18
*** luisnho223 has joined #openstack-keystone 10:26
*** tuan__ has quit IRC 10:27
luisnho223: Hey guys. You guys know any type of tutorial or something to implement angularJS with Openstack/Devstack? Im developing an app that needs to send and receive requests through Openstack API and I am using AngularJS for that 10:28
*** nicolasbock has joined #openstack-keystone 10:28
luisnho223: I know i need to authenticate first but don't know how to do it with angularJS 10:29
*** tuan__ has joined #openstack-keystone 10:29
*** guoshan has quit IRC 10:30
*** zhurong has quit IRC 10:34
*** tuan__ has quit IRC 10:45
*** thorst has joined #openstack-keystone 10:48
*** thorst has quit IRC 10:53
*** shuyingy_ has joined #openstack-keystone 10:54
*** shuyingya has quit IRC 10:57
*** tuan has joined #openstack-keystone 10:58
*** dmk0202 has joined #openstack-keystone 11:02
*** rojo16 has joined #openstack-keystone 11:07
*** rojo16 has quit IRC 11:07
*** dmk0202 has quit IRC 11:21
*** dmk0202 has joined #openstack-keystone 11:21
*** tuan has quit IRC 11:27
*** thorst has joined #openstack-keystone 11:42
*** thorst_ has joined #openstack-keystone 11:42
*** edmondsw has joined #openstack-keystone 11:46
*** thorst has quit IRC 11:47
openstackgerrit: Zhaokun Fu proposed openstack/keystone master: fix overridden error
*** stingaci has joined #openstack-keystone 11:58
*** stingaci has quit IRC 12:02
*** markvoelker has joined #openstack-keystone 12:19
openstackgerrit: ayoung proposed openstack/keystone master: Route based RBAC Management Bulk API
*** namnh has quit IRC 12:21
*** voelzmo has quit IRC 12:23
*** voelzmo has joined #openstack-keystone 12:23
*** voelzmo has quit IRC 12:24
*** voelzmo has joined #openstack-keystone 12:24
*** edmondsw has quit IRC 12:29
*** edmondsw has joined #openstack-keystone 12:30
*** zhurong has joined #openstack-keystone 12:31
*** shuyingy_ has quit IRC 12:38
*** zhurong has quit IRC 12:45
*** lamt has joined #openstack-keystone 12:47
*** catintheroof has joined #openstack-keystone 12:48
*** jerrygb has joined #openstack-keystone 12:53
*** raildo has joined #openstack-keystone 12:56
*** lamt has quit IRC 12:58
*** lamt has joined #openstack-keystone 13:01
*** Aqsam has joined #openstack-keystone 13:05
*** Aqsa has quit IRC 13:08
*** shuyingya has joined #openstack-keystone 13:11
*** shuyingya has quit IRC 13:11
*** mpjetta has quit IRC 13:11
*** shuyingya has joined #openstack-keystone 13:11
*** lamt has quit IRC 13:14
*** lamt has joined #openstack-keystone 13:16
*** shuyingya has quit IRC 13:16
*** shuyingya has joined #openstack-keystone 13:16
*** ngupta has joined #openstack-keystone 13:17
*** amrith has joined #openstack-keystone 13:26
*** shuyingy_ has joined #openstack-keystone 13:32
amrith: hiya keystone, did something just change (like yesterday) in the gate setup that makes keystone auth v2.0 not work any longer? 13:34
*** raildo has quit IRC 13:34
amrith: seeing a failure to get on /v2.0/tokens now 13:34
dstanek: amrith: what's the failure? 13:35
amrith: or did a port change or something, no longer on port 5000 maybe? 13:35
*** shuyingya has quit IRC 13:35
amrith: dstanek, sending paste one second. 13:35
ayoung: amrith, I think it was devstack 13:35
ayoung: amrith, someone was asking yesterday.   let me look 13:35
amrith: hi ayoung 13:36
ayoung: amrith, heyo 13:36
amrith: ayoung, asking where? this channel? let me hunt for scrollback 13:36
ayoung: amrith, here 13:37
ayoung: "<rm_work> kk found the issue I think, devstack change w/r/t keystone wsgi" 13:37
ayoung: amrith, I wonder if it was the systemd work 13:37
ayoung: I think I have that on a running devstack...1 set 13:37
amrith: tx, I just reran devstack on a brand new machine 13:38
amrith: I see a response from keystone 13:38
*** voelzmo has quit IRC 13:38
amrith: to the conn request; a whole service catalog for example 13:38
ayoung: amrith, try "", 13:38
amrith: how do you mean? the URL changed? 13:39
*** voelzmo has joined #openstack-keystone 13:39
amrith: not /v2.0/tokens but /identity/v2.0? 13:39
*** topol has joined #openstack-keystone 13:39
ayoung: instead of port 5000 13:39
amrith: oh, I see, the wsgi crap 13:39
ayoung: curl | jq .| fpaste  gives 13:40
ayoung: so do a curl of your auth_url from sourcing openrc and see what you get 13:40
cmurphy: I think it was, it was talked about in -qa in the eavesdrop link I posted 13:40
*** voelzmo has quit IRC 13:43
*** voelzmo has joined #openstack-keystone 13:46
ayoung: lbragstad, do we need to set up a group or something for the video chat? 13:47
amrith: yes, that sounds about right cmurphy ... I noticed a change in the requirements and that uWSGI was enabled in the failing runs. is WSGI_MODE going to be supported going forward or is it going to be orphaned? can trove rely on wsgi mode setting for the foreseeable future? 13:48
*** lamt__ has joined #openstack-keystone 13:52
*** lamt has quit IRC 13:53
*** links has quit IRC 14:02
*** chlong has joined #openstack-keystone 14:03
*** david-lyle has quit IRC 14:04
luisnho223: Hey guys one question. I installed Devstack and I am trying to send JSON requests to my Devstack from my third party app. How do I enable CORS to do that? 14:05
*** ksavich has joined #openstack-keystone 14:11
*** luisnho223 has quit IRC 14:13
*** mpjetta has joined #openstack-keystone 14:13
*** david-lyle has joined #openstack-keystone 14:14
amrith: dstanek, ayoung, cmurphy thanks for the pointers. the error was in trove's devstack plugin; it didn't set the auth url for one of the 3 services. 14:17
amrith: testing the change now, will push it up soon. thanks. ayoung lunch sometime? 14:17
*** lamt__ has quit IRC 14:35
*** belmoreira has quit IRC 14:35
knikolla: cmurphy: hi. i remember you updating the docs for setting up federation. do you happen to have some pointers on how to set up federation with mod_proxy_uwsgi and uwsgi (as opposed to mod_wsgi)? i need to update our devstack plugin for federation after
*** arturb has quit IRC 14:50
cmurphy: knikolla: no I never played with uwsgi :( 14:51
cmurphy: knikolla: I imagine it would be mostly the same except for the WSGIScriptAlias ? 14:53
*** chris_hultin|AWA is now known as chris_hultin 14:54
knikolla: cmurphy: probably. but the conf file only contains a ProxyPass directive pointing it to the uwsgi socket. so i'm unsure. i'll do some research. 14:55
knikolla: dstanek: do you know something about this ^^ ? 14:56
ayoung: lbragstad, policy meeting time? 15:01
knikolla: ayoung: it's 12EST 15:01
ayoung: knikolla, OK. thanks 15:02
dstanek: hey knikolla. i don't have scrollback right now. what's up? 15:02
ayoung: knikolla, do you have hangouts setup?  Care to give me a commo test 15:02
*** rcernin has quit IRC 15:03
lbragstad: ayoung in an hour :) 15:03
openstackgerrit: Merged openstack/keystone master: Make flushing tokens more robust
knikolla: dstanek: devstack switched from mod_wsgi to mod_proxy_uwsgi with uwsgi, which broke the devstack plugin that sets up federation. 15:03
ayoung: lbragstad, must not have updated the calendar for DST. 15:03
lbragstad: ayoung the meeting time is in UTC 15:03
lbragstad: ayoung so DST shouldn't matter 15:03
dstanek: knikolla: ah, i see. so a little apache magic is needed? 15:03
ayoung: lbragstad, but My calendar is not. 15:04
ayoung: lbragstad, I should have said *I*  must not have updated the calendar for DST 15:04
*** voelzmo has quit IRC 15:04
lbragstad: ayoung oh 15:04
lbragstad: ayoung if you need an updated ical -
ayoung: lbragstad, anyway, I set up the chat, and got kicked out...turns out Google and Firefox are at odds.  It works with chrome 15:04
ayoung: I'm good 15:04
knikolla: dstanek: yep. docs don't say anything about how. besides "use mod_wsgi" 15:05
knikolla: so i'm hunting for blog posts. 15:05
ayoung: lbragstad, care to check in to the hangout for a moment to make sure sound is good? 15:05
lbragstad: ayoung thanks for testing it early 15:05
knikolla: ayoung: sorry, i haven't set things up yet. i'll probably be joining from my phone. 15:06
gagehugo: guess I need to install chrome real quick 15:07
*** lamt has joined #openstack-keystone 15:07
*** topol_ has joined #openstack-keystone 15:11
*** topol has quit IRC 15:13
dstanek: knikolla: i can take a look after this meeting. it should only be a minimal change depending on how they configure apache in devstack 15:14
knikolla: dstanek: thanks! 15:14
*** stingaci has joined #openstack-keystone 15:16
openstackgerrit: John Garbutt proposed openstack/keystone master: Add docs around RBAC and policy
*** rajpatel has joined #openstack-keystone 15:23
*** ksavich has quit IRC 15:26
*** pcaruana has quit IRC 15:28
*** rajpatel has quit IRC 15:33
*** shuyingy_ has quit IRC 15:34
*** david-lyle has quit IRC 15:41
*** shuyingya has joined #openstack-keystone 15:43
*** arunkant has quit IRC 15:49
*** aojea has quit IRC 15:51
rm_work: amrith: yeah the key is to use $OS_AUTH_URL from devstack 15:56
rm_work: instead of setting manually 15:56
rm_work: we had hardcoded to
rm_work: but we changed to $OS_AUTH_URL/v2.0 15:56
rm_work: or actually, $OS_AUTH_URL/v3 15:56
rm_work: there is a strong contract on that variable 15:57
*** tesseract has quit IRC 15:59
dstanek: knikolla: ok, i'll start poking during this next meeting. does it error on installation? 15:59
gagehugo: my mic is acting up one sec 16:01
ayoung: johnthetubaguy, care to join the policy chat? 16:02
johnthetubaguy: ayoung: sorry, running late, be there really soon 16:02
*** dave-mccowan has joined #openstack-keystone 16:06
*** dulek has left #openstack-keystone 16:09
*** dmk0202 has quit IRC 16:09
*** Aqsam has quit IRC 16:11
*** mvk has quit IRC 16:11
*** david-lyle has joined #openstack-keystone 16:19
*** chris_hultin is now known as chris_hultin|AWA 16:26
mnaser: i've been trying to look at the impact scope of switching an existing cloud to the v3 domain admin policy 16:27
mnaser: ive been giving it thought and i dont think it'll be an issue as long as the default domain still exists? 16:28
mordred: mnaser: is the v3 domain admin policy the one where each customer gets a domain and is domain admin of that domain? 16:34
mnaser: yup mordred 16:35
mnaser: (you see where im going with this :-p) 16:35
mordred: yes I do! 16:35
mordred: as usual, I think you are awesome :) 16:35
mnaser: customers are convinced and asked for it so we might be flipping the switch soon 16:35
mordred: lbragstad: I have just noticed that keystoneauth repo does not have a bindep.txt file 16:36
mordred: do we have the list of distro depends for ksa for tests documented anywhere? 16:36
mordred: mnaser: WOOT 16:36
mordred: mnaser: let me know when you do so I can blog/tweet about you being awesome 16:36
lbragstad: mordred that's a good question - not that i am aware of 16:36
lbragstad: mordred but i can make a note to follow up on that 16:36
mordred: well, I'll figure it out by hitting my head against a wall real quick 16:37
lbragstad: mordred i have a feeling jamielennox would have a better answer for that than I would 16:37
mnaser: thanks mordred !  im thinking if we get the cloud_admin role and stuff setup before hand, replacing the policies shouldnt have an effect 16:37
mnaser: because all old users will stay under the default domain and the old "admin" will continue to administer that domain 16:37
mnaser: and then the new cloud_admin will manage all domains 16:37
mnaser: so it makes sense in theory 16:38
mordred: mnaser: I'm guessing existing users would have to just create a new user to take advantage of the new stuff? 16:39
mnaser: mordred yeah, it would be opt in 16:39
mnaser: the most important thing is not breaking the existing environment 16:40
mnaser: so tenants that exist under the default domain still work and authenticate correctly 16:40
*** shuyingya has quit IRC 16:44
*** david-lyle has quit IRC 16:51
*** chlong has quit IRC 17:09
*** harlowja_ has quit IRC 17:13
*** harlowja has joined #openstack-keystone 17:15
*** harlowja has quit IRC 17:17
*** harlowja has joined #openstack-keystone 17:17
*** chlong has joined #openstack-keystone 17:25
*** andreykurilin has joined #openstack-keystone 17:33
openstackgerrit: Merged openstack/keystone master: Minor corrections in OS-OAUTH1 api documentation
*** aojea has joined #openstack-keystone 17:38
*** eandersson has joined #openstack-keystone 17:40
*** catintheroof has quit IRC 17:47
*** jaosorior is now known as jaosorior_away 17:54
openstackgerrit: Merged openstack/keystone master: Fix-test-of-assertValidRole
ayoung: And now I am going to take the dog for a long walk! 18:05
gagehugo: sorry my mic wasn't working, I liked the discussion 18:05
gagehugo: ayoung, it's the same as "gauge" 18:06
*** astudenov has joined #openstack-keystone 18:12
*** aojea has quit IRC 18:13
*** aojea has joined #openstack-keystone 18:14
*** voelzmo has joined #openstack-keystone 18:15
astudenov: Hi keystone developers, FYI
openstack: Launchpad bug 1684241 in OpenStack Identity (keystone) "Bug in url parser " [Undecided,New] 18:18
*** aojea has quit IRC 18:18
*** chlong has quit IRC 18:20
ayoung: astudenov, Is that a real problem? 18:26
ayoung: It seems like a check that might no longer catch the problem early enough to give a good message, but no security aspect 18:27
*** catinthe_ has joined #openstack-keystone 18:30
*** aojea has joined #openstack-keystone 18:34
*** aojea_ has joined #openstack-keystone 18:35
*** aojea has quit IRC 18:38
*** catinthe_ has quit IRC 18:39
*** gyee has joined #openstack-keystone 18:40
*** aojea_ has quit IRC 18:41
*** aojea_ has joined #openstack-keystone 18:44
*** nicolasbock has quit IRC 18:45
*** lucasxu has joined #openstack-keystone 18:45
*** chlong has joined #openstack-keystone 18:45
astudenov: ayoung, no, I see only possible error there 18:47
*** aojea has joined #openstack-keystone 18:47
ayoung: astudenov, ? 18:47
ayoung: pretty sure it will actually work 18:47
ayoung: if the url is https://hostname/identity/v2.0....  then the one issue is if it removes the /identity before it looks at /v2.0 18:48
ayoung: astudenov, or...maybe I misunderstand what you are saying 18:48
*** aojea_ has quit IRC 18:48
ayoung: is it that urlparse.urlparse(self.auth_url)  does the wrong thing? 18:49
*** aojea_ has joined #openstack-keystone 18:50
astudenov: url_parts.path.lower() returns "/identity/v2.0" in this case 18:50
*** aojea has quit IRC 18:53
ayoung: astudenov, ah, and I misread the code 18:54
ayoung: I was just worried about it improperly passing on information, but it never trips the proper case there: 18:54
*** nicolasbock has joined #openstack-keystone 18:55
ayoung: elif path.startswith('/v3'): 18:55
ayoung: plugin = self.create_plugin(session, (3, 0), self.auth_url) 18:55
ayoung: that code is just a workaround for discovery not working, but a lot of people don't have discovery working... 18:55
*** gyee has quit IRC 18:55
ayoung: astudenov, got a solution in mind? 18:56
ayoung: astudenov, I'm trying to remember if there is ever a case where we care about what comes after the /v2.0 here 19:03
*** MasterOfBugs has joined #openstack-keystone 19:03
ayoung: astudenov, I think you are right...can you propose that as a fix? 19:03
*** Aqsam has joined #openstack-keystone 19:04
astudenov: ayoung, ok, will do 19:04
ayoung: astudenov, thanks. 19:04
*** david-lyle has joined #openstack-keystone 19:06
*** lucasxu has quit IRC 19:08
*** lucasxu has joined #openstack-keystone 19:09
openstackgerrit: Rodrigo Duarte proposed openstack/keystone master: Writing API & Scenario Tests docs
rodrigods: lbragstad, final piece ^ 19:11
rodrigods: lbragstad, think something like that could be useful when you were trying to write some tests for shadow mapping :) 19:11
lbragstad: rodrigods awesome - thanks! 19:16
*** david-lyle_ has joined #openstack-keystone 19:17
*** david-lyle has quit IRC 19:17
*** gyee has joined #openstack-keystone 19:27
lbragstad: knikolla weren't we just talking about the difference between auth_uri and auth_url recently? 19:41
lbragstad: knikolla do you remember if we opened a bug for figuring that out? 19:41
lbragstad: like - why does ksm need auth_uri and auth_url? 19:42
knikolla: lbragstad: we opened this bug,
openstack: Launchpad bug 1679238 in keystonemiddleware "documented config options are deprecated" [Medium,Confirmed] - Assigned to Kristi Nikolla (knikolla) 19:43
knikolla: lbragstad: for context i'd go to the irc logs the day this was opened 19:44
knikolla: i had totally forgotten about it :/ 19:44
*** voelzmo has quit IRC 19:44
*** Aqsam has quit IRC 19:47
*** dmk0202 has joined #openstack-keystone 19:47
*** david-lyle_ has quit IRC 19:52
lbragstad: whats the difference between auth_url and auth_uri? 19:55
lbragstad: cc knikolla ^ 19:55
*** voelzmo has joined #openstack-keystone 19:57
knikolla: lbragstad: from ksm 19:59
knikolla: auth_url = '%s/v2.0' % self._identity_uri 19:59
lbragstad: knikolla is that in ksm? 19:59
lbragstad: because we don't actually list that in the ksm options? 19:59
*** catintheroof has joined #openstack-keystone 19:59
knikolla: lbragstad: that's from the deprecated auth in ksm 20:00
lbragstad: knikolla this is what we have in ksm configuration options -
knikolla: lbragstad: before keystoneauth 20:00
* lbragstad facepalm 20:01
*** voelzmo has quit IRC 20:02
openstackgerrit: Sean Dague proposed openstack/keystonemiddleware master: Remove reference to auth_url
knikolla: ^^ looks correct, since i saw no reference of auth_uri when i searched keystoneauth, osc, os-client-config, etc. 20:03
knikolla: err, let me double check that 20:03
lbragstad: holy man - that was frustrating 20:04
knikolla: i'm totally exhausted after the 2 hour policy meeting. 20:04
lbragstad: knikolla sdague is going to push a bunch of changes to devstack to clear that up 20:04
lbragstad: knikolla i asked if he could add us to those reviews when he has them ready so we can sign off on them 20:04
lbragstad: knikolla i am, too 20:04
lbragstad: knikolla i needed to look at something else because i'm fried 20:05
knikolla: lbragstad: not sure untangling ksm options is the best thing after that 20:06
knikolla: i'll give the reviews a look and play around with the ksm options myself 20:06
lbragstad: knikolla probably not 20:06
lbragstad: knikolla yeah - it turns out that a lot of the misdirection in ksm has bled into devstack 20:06
knikolla: lbragstad: yeah, the correct option is auth_uri
lbragstad: knikolla yep 20:11
knikolla: lbragstad: gotta love when docstrings in the same file are wrong 20:12
lbragstad: knikolla ten bucks says it's because of things like this -
*** lucasxu has quit IRC 20:13
knikolla: lbragstad: i know right. that's what got me too. url, uri, eureka. 20:14
*** lucasxu has joined #openstack-keystone 20:14
lbragstad: one is a variable, one is a configuration option 20:16
knikolla: lbragstad: i'm confused though. why are we calling it auth_uri in ksm, and auth_url in every other project? 20:17
lbragstad: knikolla what do you mean? 20:17
knikolla: lbragstad: keystoneauth, osc, etc. refer to it as auth_url. 20:17
knikolla: lbragstad: sure auth_uri in those brings up nothing. 20:18
lbragstad: knikolla oh - i have no idea 20:18
lbragstad: i'm not sure why it was done that way 20:18
lbragstad: but no doubt, that can lead to confusion, too 20:18
lbragstad: it's just harder to change because it's a configuration option 20:18
*** aojea has joined #openstack-keystone 20:18
knikolla: lbragstad: then you have something like this:
*** chris_hultin|AWA is now known as chris_hultin 20:20
*** aojea_ has quit IRC 20:21
lbragstad: knikolla oh wtf 20:23
*** aojea_ has joined #openstack-keystone 20:25
openstackgerrit: Lance Bragstad proposed openstack/keystonemiddleware master: Remove auth_url
lbragstad: cc knikolla ^ 20:26
knikolla: lbragstad: ack 20:26
knikolla: lbragstad: that was glorious though. unsure which one to use? use both. 20:27
lbragstad: nothing beats the shotgun approach 20:27
*** aojea has quit IRC 20:28
cmurphy: fwiw the puppet modules have been using that approach for years
lbragstad: so has tripleo 20:28
cmurphy: that one actually makes auth_url a required parameter 20:28
lbragstad: and devstack 20:28
lbragstad: cmurphy we should patch that 20:29
jaosorior_away: well, tripleo that puppet module 20:29
lbragstad: jaosorior_away o/ 20:29
knikolla: lbragstad: would this be a nice moment to switch to make a 180 degree reversal and require auth_url instead and deprecate auth_uri. since nothing really uses that term anywhere besides ksm. 20:30
knikolla: lbragstad: people seem to be confused and rely on both anyway 20:30
*** ngupta has quit IRC 20:31
lbragstad: i personally don't care just so long as it's applied consistently and documented :) 20:31
knikolla: lbragstad: i see it as an inconsistency between projects, but yeah. 20:32
jaosorior_away: lbragstad: in tripleo we've been using both. So either way is fine on our side. 20:33
lbragstad: knikolla if you want to make it consistent across projects, we should go talk to sdague 20:33
lbragstad: knikolla he's currently on a terror fixing all the devstack stuff ;) 20:34
openstackgerrit: Rodrigo Duarte proposed openstack/keystone master: Writing API & Scenario Tests docs
knikolla: lbragstad: that's actually a good reason not to fix it now. too many moving parts. 20:38
*** david-lyle_ has joined #openstack-keystone 20:38
knikolla: lbragstad: i'm already dealing with the aftermath of his switching us to uwsgi, with needing to fix the devstack plugin 20:38
lbragstad: knikolla yeah - i'm it's not cool to have one be auth_uri and everything else be auth_url 20:38
lbragstad: but there's nothing technical about it that's bad 20:39
lbragstad: just a wart 20:39
knikolla: lbragstad: we can open a low priority bug for it 20:40
lbragstad: knikolla switching auth_uri -> auth_url? 20:40
knikolla: lbragstad: yes 20:40
lbragstad: knikolla yeah - we could do that 20:41
lbragstad: which would at the very least document it 20:41
knikolla: lbragstad: yep 20:41
openstackgerrit: Gage Hugo proposed openstack/keystone-specs master: Remove pbr warnerrors in favor of sphinx check
*** david-lyle_ has quit IRC 20:53
*** catintheroof has quit IRC 20:55
*** catintheroof has joined #openstack-keystone 20:55
*** catintheroof has quit IRC 21:00
*** catintheroof has joined #openstack-keystone 21:01
jamielennox: mordred: what would you expect in ksa bindep? it's a fairly small list of pure python libs:
jamielennox: should bindep specify like python-dev? 21:04
*** sjain has joined #openstack-keystone 21:04
*** edmondsw has quit IRC 21:05
*** edmondsw has joined #openstack-keystone 21:06
*** aojea_ has quit IRC 21:06
mordred: jamielennox: gssapi is needed for tests 21:08
openstackgerrit: Monty Taylor proposed openstack/keystoneauth master: Add bindep.txt file
openstackgerrit: Monty Taylor proposed openstack/keystoneauth master: Add latest methods to discovery object
openstackgerrit: Monty Taylor proposed openstack/keystoneauth master: Add support for requesting the most recent version
*** topol_ has quit IRC 21:09
mordred: jamielennox: so there's the bindep file - and then a pile of absurd code to get the latest_version stuff (I had fun while you were asleep) 21:09
*** edmondsw has quit IRC 21:10
*** thorst_ has quit IRC 21:10
jamielennox: mordred:  oh good :) 21:10
jamielennox: i might need a coffee or two first 21:10
mordred: jamielennox: oh yeah 21:11
mordred: jamielennox: it's ... my brain hurts 21:11
mordred: jamielennox: thank you, btw, for your comments and tests - they were all supremely helpful 21:11
jamielennox: mordred: good - at the time i was envisioning usages like this - but then no one did - so at least it's getting used now 21:12
mordred: jamielennox: yah - I'm super excited that it exists - it felt silly to have in shade, and only slightly less silly to put into occ 21:13
mordred: also, I've got a clear path in my head now to not having default versions in occ 21:14
*** masterjcool has quit IRC 21:19
*** lucasxu has quit IRC 21:19
mordred: jamielennox: I need to follow up with one more thing for dealing with catalog urls that have project_ids in them - and then something to extract min/max microversions 21:20
mordred: but I'll hold off for a little bit and let you caffeinate properly before assaulting you too much 21:21
mordred: samueldmq: ^^ this is all related to the earlier discussion in #openstack-shade with jamielennox 21:21
jamielennox: mordred: so i have things for catalog urls with project_id, depends exactly what you want to do 21:21
mordred: jamielennox: well - as an example ... 21:22
mordred: catalog entry for manila on vexxhost is: '' 21:22
mordred: but you can't do a GET on that 21:22
mordred: you can do a GET on
mordred: and on https://file-storage-ca-ymq-1.vexxhost.net 21:23
mordred: which will give you the versioned and unversioned discovery docs, respectively 21:23
*** catintheroof has quit IRC 21:24
mordred: so to get a discovery doc from that, you'd need to pop the project_id, then apply version hacks, then potentially re-add the project-id at the end (since it _was_ in the catalog) 21:24
mordred: I have not done extensive testing on that case yet 21:24
*** lucasxu has joined #openstack-keystone 21:26
jamielennox: mordred: i'm going out for a bit, but you can twist the version hacks logic to do that 21:26
jamielennox: you can globally add your own hacks at
mordred: jamielennox: yah - it's the adding the project_id back at the end that I'm concerned about 21:27
jamielennox: so  add_catalog_version_hack('manilla-type', re.compile('/v2/[a-zA-Z0-9]*'), '/') 21:27
jamielennox: mordred: ah, have something for that too 21:28
* mordred loves it when jamielennox has already written all the code 21:28
jamielennox: oh, i thought i did, but maybe it only applies to endpoint override 21:29
jamielennox: the idea was you could request a url with a %(project_id)s in the url and keystoneauth would fill it in appropriately 21:30
jamielennox: but yea, i guess come to think of it i'm not sure how you make that work with the catalog as well 21:30
jamielennox: mordred: hmm, that might need a little work - not sure 21:31
*** masterjcool has joined #openstack-keystone 21:31
*** ngupta has joined #openstack-keystone 21:31
*** sjain has quit IRC 21:31
*** david-lyle_ has joined #openstack-keystone 21:33
*** catintheroof has joined #openstack-keystone 21:34
mordred: jamielennox: I'll probably geek out on it tomorrow :) 21:34
*** thorst has joined #openstack-keystone 21:35
openstackgerrit: Merged openstack/ldappool master: [Fix gate]Update test requirement
*** david-lyle_ has quit IRC 21:39
lbragstad: jamielennox o/ 21:40
*** thorst has quit IRC 21:40
lbragstadjamielennox if i'm understanding correctly, if auth_url is configured in keystonemiddleware, it will be passed through to keystoneauth?21:41
*** mvk has joined #openstack-keystone21:44
*** stingaci has quit IRC21:47
*** jerrygb has quit IRC21:47
*** lucasxu has quit IRC21:49
*** lucasxu has joined #openstack-keystone21:54
*** chlong has quit IRC22:07
*** lucasxu has quit IRC22:08
*** ngupta has quit IRC22:11
*** ngupta has joined #openstack-keystone22:11
*** dmk0202 has quit IRC22:17
mnaseri've done some research and it seems that if a user does go the policy.v3cloudsample.json path, the domain admins are able to conduct things like contact nova and do a list of all servers with all_tenants=1, and because nova sees they have the role:admin .. it'll let them do it22:19
mnaseris that a correct assumption?22:19
mnaser =>
mnaserrule:admin_api has is_admin:True which is determined by context_is_admin that has role:admin22:31
mnaserwould it be more correct to have a role called domain_admin to prevent this?22:31
mordredmnaser: oh wow, that seems fun22:36
mordredmnaser: that does not, in fact, seem like it's what we want :)22:37
*** ngupta has quit IRC22:37
mnasermordred yeah that's not ideal .. i found this patch
mnaserthis kinda kills the whole idea in this case :(22:37
jamielennoxlbragstad: so auth_url is defined as one of the standard arguments required by the password (and all) auth plugins22:38
jamielennoxin the same way that user_domain_name and other things in that review are defined in the password plugin, not in auth_token middleware directly22:39
mnaserlooks like cinder is not affected by this -
jamielennoxauth_uri is unfortunately something different and gets used when auth_token responds with a 401 to fill out the authenticate header:
mnaserlooks like defining a "domain_admin" could still result in a problem, because domain_admin can create an "admin" role and then give admin access to the cloud22:42
*** david-lyle has joined #openstack-keystone22:45
jamielennoxmordred: :O, that's a big patch22:48
mordredjamielennox: yah. sorry about that22:48
mordredjamielennox: at this point I could likely go back and break it up into smaller ones - I learned things while writing this one22:49
*** jerrygb has joined #openstack-keystone22:49
jamielennoxmordred: meh, let me see if i can wrap my head around it first22:49
*** jerrygb has quit IRC22:53
*** chris_hultin is now known as chris_hultin|AWA22:59
*** lamt has quit IRC23:01
*** mpjetta has quit IRC23:09
*** topol has joined #openstack-keystone23:09
*** mpjetta has joined #openstack-keystone23:10
*** ngupta has joined #openstack-keystone23:13
*** mpjetta has quit IRC23:15
*** topol has quit IRC23:16
*** adriant has joined #openstack-keystone23:17
samueldmqjamielennox: mordred: interesting, so ksa implements most of the logic we were talking about already23:18
samueldmqand with that approach we could simply call adapter.get_endpoint() with the right params to get what we want23:19
samueldmqfor any service23:19
jamielennoxsamueldmq: that's the goal23:24
jamielennoxor more likely, get_endpoint is called within request() with the contents of endpoint_filter={}, so if you set the right params on the Adapter you shouldn't have to deal with the endpoint at all23:25
samueldmqjamielennox: I saw mordred has patches up for that already23:26
samueldmqjamielennox: how does endpoint_filter relate to that?23:26
jamielennoxit's kind of an implementation detail, but in a straight request() call it calls get_endpoint(**endpoint_filter)23:27
jamielennoxso shade/os-c-c shouldn't have to deal with actually getting the endpoint and doing anything with it23:27
samueldmqjamielennox: so if it's configured right from the beginning we wouldn't need to get_endpoint(), do discovery and set endpoint_override23:27
samueldmqanymore, as we're doing in shade right now23:27
jamielennoxit should just be constructing the right parameters you should just do .get('/path/to/resource') and it'll all work for you23:27
samueldmqjamielennox: perfect, that'll be great23:28
*** stingaci has joined #openstack-keystone23:29
*** ngupta has quit IRC23:29
jamielennoxi just need to wrap my head around mordred's patches and figure out all the bits23:31
*** stingaci has quit IRC23:32
*** astudenov has quit IRC23:46
samueldmqjamielennox: ++ please add me as reviewer when you submit something :)23:46
