Thursday, 2017-08-10

« Wednesday, 2017-08-09 Index Friday, 2017-08-11 »
*** dstepanenko has joined #openstack-keystone00:00
*** thorst has joined #openstack-keystone00:04
*** dstepanenko has quit IRC00:05
*** aojea has joined #openstack-keystone00:17
*** aojea has quit IRC00:22
*** kornicameister has quit IRC00:25
*** kornicameister has joined #openstack-keystone00:26
*** mjax has joined #openstack-keystone00:26
*** mjax has quit IRC00:27
*** edmondsw has joined #openstack-keystone00:30
*** aojea has joined #openstack-keystone00:31
*** thorst has quit IRC00:31
*** edmondsw has quit IRC00:34
*** aojea has quit IRC00:35
*** kornicameister has quit IRC00:40
*** sbezverk has quit IRC00:44
*** kornicameister has joined #openstack-keystone00:45
*** markvoelker has joined #openstack-keystone00:45
*** dave-mccowan has joined #openstack-keystone01:07
*** Shunli has joined #openstack-keystone01:08
*** thorst has joined #openstack-keystone01:08
*** thorst has quit IRC01:08
*** thorst has joined #openstack-keystone01:09
*** ioggstream has quit IRC01:10
*** thorst has quit IRC01:13
*** thorst has joined #openstack-keystone01:25
*** thorst has quit IRC01:27
*** kornicameister has quit IRC01:30
*** kornicameister has joined #openstack-keystone01:35
*** gongysh has joined #openstack-keystone01:47
*** dstepanenko has joined #openstack-keystone01:48
*** dstepanenko has quit IRC01:53
*** otleimat has quit IRC01:54
*** ducttape_ has joined #openstack-keystone02:03
*** aselius has quit IRC02:04
*** ducttap__ has joined #openstack-keystone02:06
*** ducttape_ has quit IRC02:09
*** ducttape_ has joined #openstack-keystone02:10
*** ducttap__ has quit IRC02:13
*** dave-mccowan has quit IRC02:27
*** thorst has joined #openstack-keystone02:28
openstackgerritMerged openstack/keystone master: Remove unused hints from assignment APIs  https://review.openstack.org/49192102:28
*** thorst has quit IRC02:29
*** kornicameister has quit IRC02:29
*** kornicameister has joined #openstack-keystone02:35
*** dstepanenko has joined #openstack-keystone02:43
*** kbaegis has quit IRC02:45
*** dstepanenko has quit IRC02:47
*** dklyle has quit IRC02:49
*** ducttap__ has joined #openstack-keystone02:50
*** zhurong has joined #openstack-keystone02:52
*** ducttape_ has quit IRC02:53
*** dave-mccowan has joined #openstack-keystone02:54
*** kbaegis has joined #openstack-keystone02:55
*** markvoelker has quit IRC03:02
*** markvoelker has joined #openstack-keystone03:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone master: WIP: Reproduce 1703917  https://review.openstack.org/49236203:15
samueldmqlbragstad: gagehugo: ^ tried this to see if the bug would happen within keystone tests. I ran that 1000x and it worked as expected03:16
samueldmqsomething very specific to tempest/that keystone setup is making it to fail03:16
samueldmqI will give a try with tempest tomorrow. we hit it in https://review.openstack.org/#/c/487143/03:16
*** ducttap__ has quit IRC03:18
*** david-lyle has joined #openstack-keystone03:22
*** Shunli has quit IRC03:25
*** kbaegis1 has joined #openstack-keystone03:26
*** nicolasbock has joined #openstack-keystone03:29
*** kbaegis has quit IRC03:29
*** dave-mccowan has quit IRC03:48
*** kornicameister has quit IRC03:53
*** kornicameister has joined #openstack-keystone03:54
*** markvoelker has quit IRC04:01
*** markvoelker has joined #openstack-keystone04:01
*** thorst has joined #openstack-keystone04:04
*** rmcall has quit IRC04:07
*** thorst has quit IRC04:09
*** ducttape_ has joined #openstack-keystone04:18
*** ducttape_ has quit IRC04:23
*** thorst has joined #openstack-keystone04:26
*** gongysh has quit IRC04:30
*** thorst has quit IRC04:30
*** dstepanenko has joined #openstack-keystone04:31
*** dstepanenko has quit IRC04:35
*** sbezverk has joined #openstack-keystone04:36
*** sbezverk has quit IRC04:40
*** rmcall has joined #openstack-keystone04:40
*** david-lyle has quit IRC04:44
*** rmcall has quit IRC04:45
*** dklyle has joined #openstack-keystone04:45
*** gyee has joined #openstack-keystone04:48
*** prashkre__ has joined #openstack-keystone04:54
*** gongysh has joined #openstack-keystone05:09
*** prashkre__ has quit IRC05:16
*** dstepanenko has joined #openstack-keystone05:27
*** dstepanenko has quit IRC05:31
*** dstepanenko has joined #openstack-keystone05:45
*** mvk has joined #openstack-keystone05:49
*** rcernin has joined #openstack-keystone06:05
*** dstepanenko has quit IRC06:05
*** rajalokan has joined #openstack-keystone06:06
*** junbo has quit IRC06:12
*** junbo has joined #openstack-keystone06:15
*** ducttape_ has joined #openstack-keystone06:20
*** ducttape_ has quit IRC06:25
*** thorst has joined #openstack-keystone06:26
*** prashkre has joined #openstack-keystone06:28
*** thorst has quit IRC06:31
*** kukacz has joined #openstack-keystone06:43
*** kukacz_ has joined #openstack-keystone06:44
*** rajalokan has quit IRC06:47
*** kukacz has quit IRC06:47
*** dstepanenko has joined #openstack-keystone06:52
*** dstepanenko has quit IRC06:56
*** tobberydberg has joined #openstack-keystone07:00
*** mjax has joined #openstack-keystone07:00
*** mjax has quit IRC07:01
*** kukacz_ has quit IRC07:10
*** kukacz has joined #openstack-keystone07:10
*** tesseract has joined #openstack-keystone07:13
*** prashkre has quit IRC07:59
*** dstepanenko has joined #openstack-keystone08:01
*** Drankis has joined #openstack-keystone08:17
*** ducttape_ has joined #openstack-keystone08:22
DrankisHello! Can someone point me how I can do upstream changes to stable branches? I find a bug and want to solve it in Newton release.08:25
DrankisCode in master release are already revorked, so no need to change something in master, but small change in Newton are necessary.08:26
*** ducttape_ has quit IRC08:26
*** thorst has joined #openstack-keystone08:27
*** dstepanenko has quit IRC08:30
*** hoonetorg has quit IRC08:32
*** thorst has quit IRC08:32
*** jaosorior has quit IRC08:37
*** prashkre has joined #openstack-keystone08:37
*** jaosorior has joined #openstack-keystone08:41
openstackgerritAleksey Nakoryakov proposed openstack/python-keystoneclient master: Closes-Bug: 1498693. Raise ClientError if url parameter is None. Added test for this.  https://review.openstack.org/49243508:46
openstackbug 1498693 in python-keystoneclient "unfriendly error when keystone tries to parse a URL" [Medium,Triaged] https://launchpad.net/bugs/1498693 - Assigned to Aleksey Nakoryakov (alfnak)08:46
*** hoonetorg has joined #openstack-keystone08:49
*** jaosorior has quit IRC08:54
*** dstepanenko has joined #openstack-keystone08:58
*** gongysh has quit IRC09:19
*** gongysh has joined #openstack-keystone09:37
*** kukacz has quit IRC09:39
*** markvoelker has quit IRC09:42
*** kukacz has joined #openstack-keystone09:47
*** jaosorior has joined #openstack-keystone09:54
*** mvk_ has joined #openstack-keystone10:02
*** mvk has quit IRC10:05
*** kukacz_ has joined #openstack-keystone10:11
*** kukacz has quit IRC10:12
*** kukacz_ has quit IRC10:13
*** kukacz has joined #openstack-keystone10:22
*** kukacz has quit IRC10:22
*** kukacz has joined #openstack-keystone10:26
*** kukacz has quit IRC10:26
*** thorst has joined #openstack-keystone10:28
*** thorst has quit IRC10:33
*** zhurong has quit IRC10:39
*** dstepanenko has quit IRC10:48
*** dstepanenko has joined #openstack-keystone10:48
openstackgerritMerged openstack/keystone master: Add description for relationship links in api-ref  https://review.openstack.org/49193410:49
*** gongysh has quit IRC11:01
*** mkrcmari__ has joined #openstack-keystone11:01
*** mvk_ has quit IRC11:04
samueldmqcmurphy: I wonder if returning v2.0 when you ask for v3 is a bug11:12
samueldmqor the default behavior could be return the latest with there is no version matching what's requested11:13
samueldmqre: bug 170965811:13
openstackbug 1709658 in keystoneauth ""Could not find requested endpoint in Service Catalog" when requesting unavailable identity endpoint" [Undecided,New] https://launchpad.net/bugs/170965811:13
samueldmqcc mordred ^11:13
*** mkrcmari__ has quit IRC11:28
*** mkrcmari__ has joined #openstack-keystone11:29
cmurphysamueldmq: i don't follow - the bug isn't that it's returning v2.0, it's that it's returning nothing11:32
*** kbaegis1 has quit IRC11:34
*** kbaegis has joined #openstack-keystone11:34
*** dstepanenko has quit IRC11:36
samueldmqcmurphy: but it should be returning v2.0, correct?11:40
samueldmqwhat I mean is, the fact it was returning v2.0 when you were asking for v3 could be seen in 2 ways11:41
samueldmq1) it was a bug11:41
samueldmq2) working as designed, where when you ask for a version (v2 in that case) and it doesn't exist, return the latest available (v2.0 in that case)11:41
*** dave-mccowan has joined #openstack-keystone11:43
cmurphysamueldmq: it wasn't returning v2 when asked for v3, it was returning v3 despite what was in the catalog, which is weird but working as designed i think11:44
cmurphyalso -11:44
openstackgerritColleen Murphy proposed openstack/keystoneauth master: Allow discovery URLs to have trailing slashes  https://review.openstack.org/49248411:45
cmurphyfound it ^11:45
*** kbaegis has quit IRC11:49
*** kbaegis has joined #openstack-keystone11:49
*** kbaegis has quit IRC11:53
*** kbaegis has joined #openstack-keystone11:54
*** raildo has joined #openstack-keystone12:01
*** thorst has joined #openstack-keystone12:02
*** kbaegis has quit IRC12:06
*** kbaegis has joined #openstack-keystone12:06
cmurphyjeez ksa has so many unit tests now12:11
*** kbaegis1 has joined #openstack-keystone12:12
*** kbaegis has quit IRC12:12
samueldmqcmurphy: is that fix related to the bug?12:15
samueldmqcmurphy: I assume you're adding some tests now?12:15
cmurphysamueldmq: it fixes the bug12:15
cmurphygoing to write a better commit message and add a test12:15
samueldmqcmurphy: how was it failing because of the discovery url having a slash?12:16
samueldmqif you don't mind detailing it a bit :-)12:17
*** kbaegis1 has quit IRC12:17
*** kbaegis has joined #openstack-keystone12:17
cmurphysamueldmq: the url split on '/' which left an empty string at the end of url_parts, which is meaningless12:18
cmurphynormally it sees the version at the end, finds it doesn't match, discards it, and tries again with the unversioned endpoint12:18
cmurphybut it was just discarding the empty string and failing again to find a match with the versioned endpoint12:19
samueldmqcmurphy: aha! because it do parts and reverse it12:19
samueldmqthe a discovery url of something like http://identity-server:5000/v3/ would fail12:20
mordredcmurphy: good find!12:22
*** dstepanenko has joined #openstack-keystone12:22
*** edmondsw has joined #openstack-keystone12:27
*** dstepanenko has quit IRC12:28
*** ioggstream has joined #openstack-keystone12:31
*** catintheroof has joined #openstack-keystone12:45
*** mkrcmari__ has quit IRC12:46
*** sbezverk has joined #openstack-keystone12:48
efriedcmurphy Ah, cool.  I left my review before I caught up with this.12:53
cmurphyefried: yeah i'm definitely not done12:54
efried:)12:54
*** mvk has joined #openstack-keystone12:54
prashkrelbragstad: Hi. Gud morning!12:54
prashkrelbragstad: could you please take a look at latest comment from Matthew on https://review.openstack.org/#/c/490138/12:54
efriedDrankis Want to join me in #openstack-dev to talk about stable branch changes?12:55
*** jrist has joined #openstack-keystone12:58
*** lucasxu has joined #openstack-keystone13:09
lbragstadprashkre: good morning, i've already reviewed it - it needs folks from stable to look at it13:12
prashkrelbragstad: ok. Thank you!. could you please help me who can review from stable team?.13:14
prashkrelbragstad: so that i can add to review list.13:15
lbragstadprashkre: you can look up any of the team members using gerrit - like this13:15
lbragstadhttps://review.openstack.org/#/admin/groups/538,members13:15
openstackgerritColleen Murphy proposed openstack/keystoneauth master: Allow discovery URLs to have trailing slashes  https://review.openstack.org/49248413:19
prashkrelbragstad: Thank you!13:21
*** kbaegis1 has joined #openstack-keystone13:27
*** kbaegis has quit IRC13:29
*** kbaegis has joined #openstack-keystone13:31
*** kbaegis1 has quit IRC13:31
*** kbaegis has quit IRC13:33
*** kbaegis has joined #openstack-keystone13:34
*** kbaegis has joined #openstack-keystone13:34
*** kbaegis1 has joined #openstack-keystone13:36
*** kbaegis2 has joined #openstack-keystone13:36
*** kbaegis has quit IRC13:36
DrankisHello all! Please, check my commit to Newton code, which solve issue with endpoint_filter catalog driver: https://review.openstack.org/#/c/492527/13:37
*** kbaegis has joined #openstack-keystone13:38
*** kbaegis has quit IRC13:40
*** kbaegis3 has joined #openstack-keystone13:40
*** kbaegis2 has quit IRC13:40
*** kbaegis3 has quit IRC13:40
*** kbaegis1 has quit IRC13:40
*** ppiela has quit IRC13:42
*** sjain has joined #openstack-keystone13:48
*** sasaniak has joined #openstack-keystone13:51
sasaniakhi there13:51
sasaniaki'm trying to better understand policy.rules, and i came across an issue that i'm unable to work out13:52
sasaniaki have a user setup, https://safar.sk/openstack.txt13:52
sasaniakwith a policy file (only slightly modified): https://safar.sk/policy.json13:52
sasaniakbut i'm unable to list users when i try to do that as the user113:53
sasaniakcan anyone point me to what i'm doing wrong?13:53
kmalloclbragstad: the code from Drankis is Newton only?13:58
openstackgerritLance Bragstad proposed openstack/keystone master: Unset project ids for all identity backends  https://review.openstack.org/49191613:58
Drankiskmalloc, yes, in ocata and master it is rewriten.13:58
lbragstadcmurphy: kmalloc ^ added  a unit test13:58
kmallocDrankis: well two things, Newton is in Phase 2 support status, meaning only critical bugs and security fixes. Not sure if this is a critical fix14:01
lbragstadDrankis: do you know if there is a test case for this in master?14:02
kmallocThe second thing, the endpoint filtering is something that shouldnt really be used.14:02
*** gongysh has joined #openstack-keystone14:03
Drankiskmalloc, for someone maybe it is :) Without this fix, if user use endpoint_filter he won't get running, for example, heat service or any other which use separate domain for administration purposes.14:03
*** gongysh has quit IRC14:03
kmallocIt is only maintained because we can't really remove the functionality. I highly recommend not using it, different catalogs based upon your scope is bad news.14:03
lbragstadDrankis: you weren't able to recreate this in master?14:04
lbragstador stable/ocata?14:04
Drankislbragstad, again, there is not such code anymore. File in which I made changes did not exist anymore and functionality are compleatly rewriten.14:05
kmallocIt provides zero extra security. It simply makes the catalog different depending on scope. If we could ditch endpoint filtering, I would have made that case before.14:05
Drankiskmalloc, hmm, for me endpoint filters work great. Maybe you can suggest other method how is possible to hide internal/admin endpoints from end users?14:05
kmallocDon't hide them.14:06
Drankis=]14:06
kmallocChanging the catalog based on scope is silly.14:06
kmallocIt adds zero security. Anyone can use any endpoint, the catalog is just convenience for looking up.14:07
kmallocUse firewalls/etc to prevent access to endpoints you don't want users to access14:07
lbragstadDrankis: https://github.com/openstack/keystone/commit/dafbf5b8b2ef93ef0e785432fd34629a9d76b24814:09
* kmalloc strongly believes the catalog should be effective ly static regardless of who logs in (you can add or remove endpoints, but the catalog shouldnt change based upon soft differences such as auth scope)14:09
*** spzala has joined #openstack-keystone14:10
Drankiskmalloc, exactly just don't want that regular users can list it. Internal/admin endpoints are well secured. More like cosmetic wish.14:11
*** dstepanenko has joined #openstack-keystone14:11
kmallocEndpoint filtering should be deprecated (not slated for removal). I'll re-propose that with a follow up to the yaml catalog14:12
kmalloclbragstad: ^14:12
Drankislbragstad, yeah, and completely https://github.com/openstack/keystone/commit/d35f36916e109f0d2557bb778424e7aee3bc6b3114:14
lbragstadkmalloc: i'd really like to find a way to do some sort of versioning so we can make it easier to do rewrites14:14
*** dstepanenko has quit IRC14:16
*** prashkre has quit IRC14:16
kmallocV414:16
kmallocSeriously14:16
lbragstadkmalloc: adopting takes forever14:16
kmallocJust no requirement to change auth too14:16
kmallocThat was the hard part14:16
lbragstadauth also has to be discoverable though14:17
lbragstadlike you said before14:17
kmallocIf v3 received no.features at all14:17
kmallocStable.14:17
kmallocV4 was development (and well defined targets)14:17
kmallocIt would work14:18
kmallocSadly, we never seemed able to.do that last part.14:18
kmallocI won't block microversion impl, I simply don't support it.14:19
kmalloc(I won't even -1 it unless code is bad)14:19
kmallocJust don't expect a +2 from me.14:19
lbragstadkmalloc: well - i don't disagree with your reasoning for microversions14:20
kmallocI know, and my compromise is I promise not to block it14:20
kmallocIf it is the way we have to move forward... It is the way.14:20
kmallocI'll concede that. I just can't approve/sign off on it personally14:21
lbragstadbut if it isn't - then finding a way to improve api without it taking forever would be nice14:21
kmallocI would much prefer a non-microversion option.14:21
*** Elangovan has joined #openstack-keystone14:21
kmallocUnfortunately, my only thought/offer on that is major api versions.14:22
kmallocATM.14:22
*** Elangovan has quit IRC14:22
*** Elangovan has joined #openstack-keystone14:22
*** nkinder has joined #openstack-keystone14:26
lbragstadhmm14:26
*** lbragstad has quit IRC14:28
*** jamespage has joined #openstack-keystone14:28
jamespagehi14:29
jamespage(hopefully) quick question about token revocation lists - do/did they only apply for PKI tokens? or do they also apply for UUID and Fernet formats as well?14:29
jamespagewe're dropping PKI support in the keystone charms they cycle - just figuring out what we do with regards to certs and ca files related to signing of revocation requests..14:30
*** tobberyd_ has joined #openstack-keystone14:32
*** sjain has quit IRC14:34
*** tobberydberg has quit IRC14:36
*** spzala has quit IRC14:37
*** tobberyd_ has quit IRC14:37
*** sjain has joined #openstack-keystone14:37
*** ducttape_ has joined #openstack-keystone14:38
*** ducttape_ has quit IRC14:39
*** ducttape_ has joined #openstack-keystone14:42
*** ducttap__ has joined #openstack-keystone14:43
*** ducttape_ has quit IRC14:46
*** PsionTheory has joined #openstack-keystone14:50
*** sbezverk has quit IRC14:55
kmallocjamespage: recommend not using them at all14:58
jamespagekmalloc: that was what I thought14:59
jamespagethanks for confirming14:59
* jamespage does not have to throw away the last hours work now :-)14:59
*** lbragstad has joined #openstack-keystone14:59
*** ChanServ sets mode: +o lbragstad14:59
kmallocjamespage: use fernet tokens, do not use the revocation list (even with uuid tokens). Largely it was for pki tokens, but easiest bet turn off "revoke by id" and ignore the rev list14:59
kmalloc:)14:59
kmallocjamespage: happy to make your life easier15:00
jamespage:)15:00
knikollao/15:03
*** otleimat has joined #openstack-keystone15:22
*** spzala has joined #openstack-keystone15:23
openstackgerritSamriddhi proposed openstack/keystone master: Update docs: fernet is the default provider  https://review.openstack.org/48660815:32
*** ppiela has joined #openstack-keystone15:43
*** aselius has joined #openstack-keystone15:50
*** dstepanenko has joined #openstack-keystone15:59
efriedWhere do keystone* logs go when they're not in a journalctl unit?15:59
efried(Like, I think I'm using the wrong wsgi)15:59
efried(This is devstack btw)16:00
*** dklyle is now known as david-lyle16:02
*** dstepanenko has quit IRC16:03
*** Elangovan has quit IRC16:14
*** sjain has quit IRC16:15
*** Drankis has quit IRC16:15
*** Elangovan has joined #openstack-keystone16:16
*** tobberydberg has joined #openstack-keystone16:22
*** pcaruana has quit IRC16:25
*** tobberydberg has quit IRC16:26
*** lucasxu has quit IRC16:27
*** rcernin has quit IRC16:33
knikollaefried: screen -r?16:45
efriedknikolla Thanks - turns out it was in /var/log/apache216:46
knikollaefried: or actually in /var/log16:46
knikollayeah16:46
efried:)16:46
knikollawas gonna type that.16:46
knikollathe keystone screen is basically a tailf on /var/log/apache/16:46
samueldmqlbragstad: I ran test_password_history_not_enforced_in_admin_reset 110 times16:49
kmallocsamueldmq: any luck?16:49
samueldmqI was able to get 1 failure, at least was able to reproduce16:49
lbragstadnice16:49
samueldmqI will do further debugging to see what I get16:50
knikollasamueldmq: wanna share the logs?16:50
lbragstadkmalloc: you like meta programming don't you?16:50
samueldmqknikolla: no they're just mine16:50
samueldmqmuahaha16:50
samueldmqknikolla: give me a sec16:50
knikollasamueldmq: evil, haha16:51
samueldmqdo I get the keystone logs in /var/logs/apache2/error.log ?16:51
samueldmqor would that be access.log? it's been a while ... :(16:52
kmalloclbragstad: sigh. i can meta program16:53
kmalloclbragstad: why?16:53
lbragstadkmalloc: how come the last two assertions here fail?16:53
lbragstadv16:53
lbragstadhttps://gist.github.com/lbragstad/e0558a167e8abfe5f5d6ac1c181972fd16:53
*** dstepanenko has joined #openstack-keystone16:53
*** mjax has joined #openstack-keystone16:54
kmallocsec let me open that in an actual browser16:54
lbragstadkmalloc: when the registry is built, it appears that the values in the registry aren't actual objects16:54
lbragstadbut they are types of the class16:54
*** aojea has joined #openstack-keystone16:55
kmallocok so you're trying to use metaclasses to adjust the isinstance?16:55
lbragstadkmalloc: i want to use a meta class to build the dependency registry16:56
lbragstadkmalloc: i was shuffling through old reviews and found this https://review.openstack.org/#/c/163029/4/keystone/common/dependency.py16:56
lbragstadi want to use it as a way to get around the following pattern16:57
lbragstadsomething = SomeAPI()16:57
lbragstadset_provider('some_api', something)16:57
lbragstadwhere you have to handle registration of things manually16:57
*** dstepanenko has quit IRC16:58
lbragstadmy thought process was that using a metaclass would enforce that on manager automatically16:58
kmallocso metaclasses are handled at exactly one point, they are at import time16:58
lbragstadmanagers*16:58
kmallocalso don't use __metaclass__ =, use @six.add_metaclass()16:59
kmallocbut that aside16:59
lbragstadright - that's what i'm doing locally16:59
lbragstadwith the keystone code16:59
lbragstadthis was just a test16:59
lbragstadlet me push what i have so you can have a look16:59
kmalloci have your local example here16:59
kmallocand seeing the assertion error16:59
kmalloclet me poke for a sec16:59
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Remove dependency.provider  https://review.openstack.org/49262117:00
lbragstadkmalloc: ^17:00
*** ppiela_ has joined #openstack-keystone17:01
kmallocyour isinstance in your gist is backwards17:02
kmallocisinstance(obj, class_or_tuple, /)17:02
kmallocoh wait no17:02
kmalloci am mis-reading17:03
kmalloc(sorry catching up on coffee)17:03
kmallocoh17:03
kmalloclbragstad: wait, ok17:03
kmalloc---17:03
kmallocassert isinstance(registry['identity_api'], IdentityApi)17:03
kmallocthat is not asserting identity_api is an instance17:04
*** spilla has joined #openstack-keystone17:04
kmallocyour registry has the non-instanced versions in it17:04
*** ppiela has quit IRC17:04
kmalloclbragstad: __new__ is done at import time, so what you've done is you've created a registry of the non-instance classes (prior to calling IdentityApi())17:05
kmallocassert isinstance(registry['identity_api'], IdentityApi)17:05
kmallocwont work17:05
kmallocassert isinstance(registry['identity_api'], identity)17:05
kmallocdoes work17:05
*** tobberydberg has joined #openstack-keystone17:05
lbragstadah17:05
kmallocas would assert isinstance(IdentityApi, identity)17:05
lbragstadsure - that bit makes sense17:06
kmallocso, if you want to use a metaclass to change *how* a class is instanced, you cna replace __init__ within the __new__ and wrap the explicit __init__ passed [if it is]17:06
*** aojea has quit IRC17:07
kmallocthis is again because __new__ is called at import time (it's what builds the class object)17:07
*** aojea has joined #openstack-keystone17:07
lbragstad__new__ seemed like the right place for registry code to run17:07
* lbragstad shrugs17:07
kmallocyeah it would need to be a new __init__ that is replaced in the class_dict that is passed into new17:07
kmallocso, look in class_dict, and determine if __init__ is in there, if it is, wrap the init and add your registry code, if it isn't supply an __init__ that does registry *and* calls super()17:08
kmallocthe super() call is going to be wonky, since you'll need to supply info from cls not from Meta itself17:09
*** Elangovan has quit IRC17:09
kmalloci can draft up a quick example.17:09
lbragstadkmalloc: ack17:09
lbragstadfixing what i have locally and i'll push another ps17:09
*** tobberydberg has quit IRC17:10
*** mjax has quit IRC17:12
*** aojea has quit IRC17:12
*** mvk has quit IRC17:14
*** mjax has joined #openstack-keystone17:19
*** mjax has quit IRC17:20
kmalloclbragstad: https://gist.github.com/morganfainberg/dceb6be7c861febbc0e0ef40cfc1801617:26
*** ducttap__ has quit IRC17:27
otleimatlbragstad: working on https://review.openstack.org/#/c/408304/ I made some changes locally which clean part of the code up and made some adjustments to make it clear that all the options are not optional, I'm not sure if I what I implemented is acceptable. Should I push up to Gerrit to receive feedback?17:28
openstackgerritLance Bragstad proposed openstack/keystone master: Remove dependency.provider  https://review.openstack.org/49262117:29
*** ducttape_ has joined #openstack-keystone17:30
lbragstadotleimat: yes - please17:30
kmalloclbragstad: going to need another level of some stuff to inspect the __init__ args.17:30
lbragstadkmalloc: interesting17:30
lbragstadotleimat: when in doubt, push early and often17:31
kmallocbut... that gist is pretty close17:31
openstackgerritLance Bragstad proposed openstack/keystone master: Remove dependency.provider  https://review.openstack.org/49262117:32
lbragstadkmalloc: ack - ^ made all the name changes so that we can resolve the name from the class itself17:32
kmallocanywya...17:33
kmallocmetaclasses make for pain17:33
kmallocjust as an FYI17:33
openstackgerritLance Bragstad proposed openstack/keystone master: Remove dependency.provider  https://review.openstack.org/49262117:34
kmalloclbragstad: i don't see how that is going to work17:38
kmallocyou're registering the class?17:38
kmallocand then... how do you call the instanced version of the clasS?17:38
lbragstadkmalloc: it's still broken - i'm working through it17:38
otleimatlbragstad: will do shortly, it seems though that it isn't possible without logic added in main(), I reformatted the logic, and adjusted the parser slightly. The unit tests will fail rn because they don't hit main from test_cli.py, wondering if there is way to write unit tests that will go through and actually hit the logic?17:38
lbragstadkmalloc: my patch is still missing these bits https://review.openstack.org/#/c/163029/4/keystone/backends.py17:39
kmalloclbragstad: yeah you need to do it in __init__.17:39
kmallocyou can't set_provider on the non-instance17:39
lbragstadkmalloc: only you don't need the dependency.set_provider() pattern there17:40
kmallocexcept the registry the way you have it is the non-instanced classes17:40
lbragstadright - i need to change that17:40
kmallocyeah, you're going to also need to do some inspect work to pull out the signature of the __init__ that is in the super *or* in the class_dict to make sure you're passing the right stuff to it (notably if it takes no args, except self)17:41
*** ioggstream has quit IRC17:42
*** prashkre has joined #openstack-keystone17:44
*** aselius has quit IRC17:52
*** prashkre_ has joined #openstack-keystone17:52
*** prashkre has quit IRC17:52
*** spzala has quit IRC17:55
*** tobberydberg has joined #openstack-keystone18:01
*** aselius has joined #openstack-keystone18:03
*** ducttape_ has quit IRC18:04
*** spilla has quit IRC18:09
*** tobberydberg has quit IRC18:12
*** sjain has joined #openstack-keystone18:20
lbragstadhttps://review.openstack.org/#/c/491916/ is ready for some reviews18:28
lbragstad^ we should try and get that merged by EOD18:28
*** ducttape_ has joined #openstack-keystone18:32
*** rcernin has joined #openstack-keystone18:35
*** sjain has quit IRC18:39
*** dstepanenko has joined #openstack-keystone18:41
*** spzala has joined #openstack-keystone18:42
*** spzala has quit IRC18:43
*** spzala has joined #openstack-keystone18:44
*** alexz__ has joined #openstack-keystone18:44
*** dstepanenko has quit IRC18:46
*** alexz__ has quit IRC18:52
*** alexz__ has joined #openstack-keystone18:52
kmalloclbragstad: lgtm +218:56
alexz__hi everyone. any ideas how to deal with 401 errors http://paste.openstack.org/show/618091/ which appear during vm related tempest tests run? I have Ocata ha setup with fernet keys on shared glusterfs volumes. More info: http://paste.openstack.org/show/618089/18:58
*** rcernin has quit IRC18:59
lbragstadalexz__: the InvalidFernet key error is only used in one place within keystone19:00
lbragstadand that's if the fernet tokens can't be decrypted from by the cryptography library19:01
lbragstadalexz__: are you sure each keystone nodes is reading the same key repository?19:01
alexz__yes19:02
*** portdirect is now known as eteppete19:02
*** efried is now known as efried_afk19:02
*** openstackgerrit has quit IRC19:03
alexz__sometimes tests pass. also restarting of apache2 on all nodes or rebooting nodes helps19:03
*** eteppete is now known as portdirect19:03
alexz__so it is not 100% broken. some primitive operations are fine (e.g cli commands), meanwhile tempest tests may fail19:04
lbragstadhmm19:05
kmalloclbragstad: https://review.openstack.org/#/c/492529/119:12
kmallocsee my comment19:12
*** portdirect has quit IRC19:17
*** portdirect has joined #openstack-keystone19:17
*** itlinux has joined #openstack-keystone19:19
itlinuxgood morning all..19:20
lbragstadkmalloc: isn't there a string freeze on libraries, too?19:20
kmalloc*shrug*19:21
kmallocdunno19:21
itlinuxquick question on LDAP.. I have configured it and I can openstack user list --domain xxxxx but when I go to horizon I do not see them.. is there anything else I need to do to have them show up in the options since I cannot add them to any project ..thanks19:21
*** nicolasbock has quit IRC19:21
lbragstadkmalloc: yeah - https://releases.openstack.org/pike/schedule.html#p-final-clientlib19:21
*** ducttap__ has joined #openstack-keystone19:26
*** efried_afk is now known as efried19:27
*** ducttape_ has quit IRC19:29
*** openstackgerrit has joined #openstack-keystone19:35
openstackgerritLance Bragstad proposed openstack/keystone master: Unset project ids for all identity backends  https://review.openstack.org/49191619:35
lbragstadkmalloc: fixed ^19:36
lbragstad=/19:36
*** tobberydberg has joined #openstack-keystone19:38
lbragstadknikolla: samueldmq any luck on bug 170221119:38
openstackbug 1702211 in OpenStack Identity (keystone) "test_password_history_not_enforced_in_admin_reset failed in tempest test" [Medium,Confirmed] https://launchpad.net/bugs/170221119:38
*** sbezverk has joined #openstack-keystone19:39
*** tobberydberg has quit IRC19:42
*** ducttap__ has quit IRC19:45
*** prashkre_ has quit IRC19:47
*** prashkre_ has joined #openstack-keystone19:47
*** tobberydberg has joined #openstack-keystone19:47
*** jrist has quit IRC19:48
*** tobberydberg has quit IRC19:52
*** ppiela has joined #openstack-keystone19:55
*** tobberydberg has joined #openstack-keystone19:57
*** ppiela_ has quit IRC19:58
*** ducttape_ has joined #openstack-keystone20:01
*** tobberydberg has quit IRC20:09
knikollalbragstad: found some suspicious stuff (which may be nothing). Will patch keystone for more logging and try to reproduce.20:16
*** appletree has joined #openstack-keystone20:17
*** tobberydberg has joined #openstack-keystone20:18
appletreehi20:23
appletreeis it possible to have a cloud admin inherit roles from all domains and projects?20:23
*** appletree has quit IRC20:25
*** dstepanenko has joined #openstack-keystone20:29
openstackgerritGage Hugo proposed openstack/keystone master: Have project get domain_id from parent  https://review.openstack.org/48965520:31
*** dstepanenko has quit IRC20:34
lbragstadknikolla: samueldmq what's the concurrency level of the tests when you recreate?20:38
lbragstadknikolla: samueldmq are the tests running parallel or serial?20:38
knikollalbragstad: serial20:38
lbragstadinteresting20:39
lbragstadi was curious if running the tests in parallel was causing an issue where one tests was locking the account at exactly the right moment where another test was expecting it to be unlocked20:40
lbragstadbut if it's recreateable when running the tests serially, then that wouldn't be the case20:41
*** appletree has joined #openstack-keystone20:42
*** appletree is now known as _apple_tree20:42
_apple_treehi20:42
_apple_treeis it possible for a cloud admin to inherit roles from all domains and projects?20:42
knikollalbragstad: viewing the logs. There seemed to be a case where the auth request comes in before update_password has fully responded. Which is crazy.20:43
lbragstadknikolla: that should be unpossible20:43
knikollalbragstad: exactly.20:44
lbragstad_apple_tree: it should be possible for you to create implied roles from the admin role20:44
lbragstadthen the admin role can be given to the cloud admin20:44
_apple_tree@lbragstad: i see, i thought implied roles only worked on one level (eg. project)20:45
knikollalbragstad: i'd share the logs but i'm on my ipad in a meeting and don't have the links handy :/20:45
lbragstad_apple_tree: can you elaborate on one level?20:46
lbragstadknikolla: you dev on an iPad?!20:46
*** prashkre_ has quit IRC20:47
_apple_tree@lbragstad: i thought you can only create implied roles from one project role to another project role20:47
*** prashkre_ has joined #openstack-keystone20:47
*** ducttap__ has joined #openstack-keystone20:47
knikollalbragstad: i carry one to meetings.20:48
lbragstadroles can be implied globally - i think20:48
_apple_treewow, that's great20:48
knikollaDeveloping in one is annoying, but possible. Have done a few patches from it actually.20:48
_apple_treeok i'll look into this more20:48
_apple_treethx @lbragstad20:48
lbragstad_apple_tree: https://developer.openstack.org/api-ref/identity/v3/#os-inherit-api20:49
_apple_treethanks! for some reason i couldn't find this20:49
lbragstad_apple_tree: our docs have changed a lot this release20:50
lbragstad_apple_tree: but you should be able to find everything from https://docs.openstack.org/keystone/latest/20:50
_apple_treeok will bookmark that20:50
*** ducttape_ has quit IRC20:50
*** prashkre_ has quit IRC20:56
*** prashkre_ has joined #openstack-keystone20:56
openstackgerritMerged openstack/keystone master: Cache list projects and domains for user  https://review.openstack.org/48714321:01
*** tobberydberg has quit IRC21:02
*** tobberydberg has joined #openstack-keystone21:02
*** tobberydberg has quit IRC21:07
*** prashkre_ has quit IRC21:07
*** aojea has joined #openstack-keystone21:16
*** aojea has quit IRC21:21
openstackgerritLance Bragstad proposed openstack/keystone master: Removed dependency.provider  https://review.openstack.org/16302921:21
openstackgerritLance Bragstad proposed openstack/keystone master: Remove deprecation of domain_config_upload  https://review.openstack.org/49269421:23
*** thorst has quit IRC21:24
*** aojea has joined #openstack-keystone21:24
*** dstepanenko has joined #openstack-keystone21:24
*** thorst has joined #openstack-keystone21:27
*** dstepanenko has quit IRC21:29
*** aojea has quit IRC21:30
*** thorst has quit IRC21:31
*** spzala has quit IRC21:37
*** spzala has joined #openstack-keystone21:38
*** spzala has quit IRC21:38
*** spzala has joined #openstack-keystone21:39
*** spzala has quit IRC21:44
*** thorst has joined #openstack-keystone21:49
*** raildo has quit IRC21:50
*** thorst has quit IRC21:54
lbragstadsamueldmq: cmurphy want to kick this one through for RC? https://review.openstack.org/#/c/491916/21:55
gyeelbragstad, have a question on https://review.openstack.org/#/c/487143/21:56
gyeebreton, sorry I missed your ping yesterday21:56
lbragstadgyee: responded21:59
lbragstadgyee: the resource cache region is computed in the assignment api and invalidated based on things we do there22:00
gyeelbragstad, excellent, that's a good one22:01
lbragstadgyee: yeah - i didn't realize how slow the assignment api is22:01
lbragstadespecially with effective role assignments22:01
lbragstad=/22:01
lbragstadat least caching will help stop the bleeding22:01
gyeeoh yeah, especially with thousands of users in LDAP22:02
lbragstadbut i'm sure there are things we're doing in that code that could be improved22:02
*** tesseract has quit IRC22:02
gyeeneed to retest, but I think that patch helps a lot22:02
lbragstadgyee: let me know if you can post those results publicly22:02
lbragstadi'd like to see the results!22:03
gyeelbragstad, sure22:03
lbragstadstevemar: last one for RC if you want to do a review - https://review.openstack.org/#/c/491916/22:05
*** ioggstream has joined #openstack-keystone22:06
*** openstackgerrit has quit IRC22:18
*** aojea has joined #openstack-keystone22:20
*** aojea has quit IRC22:43
*** aojea_ has joined #openstack-keystone22:44
*** catintheroof has quit IRC22:45
*** catintheroof has joined #openstack-keystone22:45
*** catintheroof has quit IRC22:49
*** edmondsw has quit IRC22:53
*** openstackgerrit has joined #openstack-keystone22:54
openstackgerritOmar Tleimat proposed openstack/keystone master: Fix mapping_purge failure  https://review.openstack.org/40830422:54
*** aojea_ has quit IRC22:55
*** spzala has joined #openstack-keystone22:55
*** spzala has quit IRC22:55
*** spzala has joined #openstack-keystone22:55
*** spzala has quit IRC22:55
*** spzala has joined #openstack-keystone22:56
*** spzala has quit IRC22:56
*** spzala has joined #openstack-keystone22:56
*** spzala has quit IRC22:56
*** spzala has joined #openstack-keystone22:57
*** spzala has quit IRC22:57
*** spzala has joined #openstack-keystone22:57
*** spzala has quit IRC22:58
*** ducttap__ has quit IRC23:10
*** dstepanenko has joined #openstack-keystone23:12
*** dstepanenko has quit IRC23:16
*** ioggstream has quit IRC23:31
*** gyee has quit IRC23:36
*** gyee has joined #openstack-keystone23:37
*** thorst has joined #openstack-keystone23:38
*** alexz__ has quit IRC23:49
*** ducttape_ has joined #openstack-keystone23:56
« Wednesday, 2017-08-09 Index Friday, 2017-08-11 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!