Monday, 2018-05-14

*** masber has joined #openstack-keystone00:03
*** masber has quit IRC00:03
*** masber has joined #openstack-keystone00:03
*** masber has quit IRC00:04
*** masber has joined #openstack-keystone00:04
*** masber has quit IRC00:04
*** masber has joined #openstack-keystone00:06
*** masber has quit IRC00:06
*** masber has joined #openstack-keystone00:08
*** germs has joined #openstack-keystone00:37
*** germs has quit IRC00:37
*** germs has joined #openstack-keystone00:37
*** felipemonteiro__ has joined #openstack-keystone00:41
*** germs has quit IRC00:41
*** felipemonteiro__ has quit IRC00:47
*** edmondsw has joined #openstack-keystone01:07
*** wxy has joined #openstack-keystone01:10
*** edmondsw has quit IRC01:11
*** edmondsw has joined #openstack-keystone01:22
*** edmondsw has quit IRC01:34
*** edmondsw has joined #openstack-keystone01:35
*** edmondsw has quit IRC01:37
*** edmondsw has joined #openstack-keystone01:37
*** edmondsw has quit IRC01:38
*** eschwartz is now known as o_O01:41
*** o_O is now known as Guest4411801:41
*** Guest44118 is now known as eschwartz01:42
adriantlbragstad, cmurphy: I'm just working on the auth receipt code and realised that we've still got references to uuid tokens in places:02:13
adriantNot that it's even remotely urgent, but it's probably something I can look at cleaning up if no one has grabbed that work.02:13
cmurphyadriant: we'll take any help we can get with cleanup work :)02:19
adriantcmurphy: cool, after this patch is at least in a mostly ready for review stage I'll do some extra cleanup stuff. :)02:20
adriantthe auth receipt code is actually not looking as terrifying as I originally expected it to be :)02:20
*** xinran__ has joined #openstack-keystone02:30
wxyadriant:  this is maybe what you want
adriantwxy: that's the one :)02:33
adriantthat's why I asked, awesome will help review!02:34
wxycool ;)02:34
*** germs has joined #openstack-keystone02:38
*** germs has quit IRC02:42
*** threestrands has joined #openstack-keystone03:59
*** liuzz_ has joined #openstack-keystone03:59
*** threestrands_ has joined #openstack-keystone04:00
*** threestrands_ has quit IRC04:01
*** threestrands_ has joined #openstack-keystone04:02
*** liuzz has quit IRC04:02
*** threestrands has quit IRC04:04
*** kevinbenton has joined #openstack-keystone04:05
*** hoonetorg has quit IRC04:21
*** germs has joined #openstack-keystone04:39
*** hoonetorg has joined #openstack-keystone04:39
*** threestrands_ has quit IRC04:39
*** pooja_jadhav has joined #openstack-keystone04:40
*** links has joined #openstack-keystone04:41
*** germs has quit IRC04:44
*** xinran__ has quit IRC04:49
*** pcichy has joined #openstack-keystone04:54
*** threestrands has joined #openstack-keystone05:04
*** threestrands has quit IRC05:07
kmallocadriant: I figured the receipt code wouldn't be that bad, but that is why we iterated on the design before hand.05:24
adriantkmalloc: the most annoying part is just getting the provider logic down. I've pretty much duplicated a chunk from tokens and am stripping it of non-essential parts.05:29
adriantThe auth controller code on the other hand is tiny05:29
adriantkmalloc: I should have a working WIP review up hopefully next week but without unit tests.05:31
*** belmoreira has joined #openstack-keystone06:08
*** pcaruana has joined #openstack-keystone06:31
*** annp has joined #openstack-keystone06:34
*** germs has joined #openstack-keystone06:40
*** germs has quit IRC06:40
*** germs has joined #openstack-keystone06:40
*** germs has quit IRC06:44
*** martinus__ has joined #openstack-keystone06:49
*** tesseract has joined #openstack-keystone07:10
*** rcernin has quit IRC07:39
*** AlexeyAbashkin has joined #openstack-keystone07:46
*** rpittau has joined #openstack-keystone07:53
*** kevinbenton has quit IRC07:56
*** annp has quit IRC07:57
*** annp has joined #openstack-keystone07:58
*** belmoreira has quit IRC08:01
*** belmoreira has joined #openstack-keystone08:04
*** alex_xu has quit IRC08:32
*** alex_xu has joined #openstack-keystone08:33
*** srihas has joined #openstack-keystone08:40
srihashi guys, I have just installed Openstack with JUJU. When  I try to login from horizon, I am getting an error "Unable to establish connection to HTTPConnectionPool(host='', port=5000): Max retries exceeded with url: /v2.0/tokens (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f805b125f90>: Failed to establish a new connection: [Errno 111] Connection refu08:56 has the OPENSTACK_HOST set to the IP of keystone though08:57
srihascan someone help?08:57
*** annp has quit IRC09:04
*** annp has joined #openstack-keystone09:05
*** masber has quit IRC09:06
*** jaosorior has joined #openstack-keystone09:56
*** xinran__ has joined #openstack-keystone10:05
*** nicolasbock has joined #openstack-keystone10:29
*** edmondsw has joined #openstack-keystone11:03
*** links has quit IRC11:05
*** links has joined #openstack-keystone11:17
*** nicolasbock has quit IRC11:49
*** links has quit IRC11:52
*** links has joined #openstack-keystone11:52
*** raildo has joined #openstack-keystone12:02
*** gyankum has joined #openstack-keystone12:11
*** nicolasbock has joined #openstack-keystone12:12
*** doxa has joined #openstack-keystone12:20
doxagood day12:21
doxaI am looking into using totp auth. When I use the info12:22
doxaI get error {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}12:22
doxaany thoughts ?12:22
*** xinran__ has quit IRC12:25
*** gyankum has quit IRC12:42
*** Shilpa has joined #openstack-keystone12:44
Shilpacmurphy: Hi12:47
*** dklyle has quit IRC13:02
*** dklyle has joined #openstack-keystone13:03
*** felipemonteiro__ has joined #openstack-keystone13:04
*** dklyle has quit IRC13:06
*** felipemonteiro_ has joined #openstack-keystone13:11
*** dklyle has joined #openstack-keystone13:12
*** felipemonteiro__ has quit IRC13:15
*** mvk has quit IRC13:16
*** dklyle has quit IRC13:17
*** felipemonteiro__ has joined #openstack-keystone13:27
*** felipemonteiro_ has quit IRC13:27
*** superdan is now known as dansmith13:33
*** belmorei_ has joined #openstack-keystone13:33
*** belmoreira has quit IRC13:35
*** mvk has joined #openstack-keystone13:42
*** devx has joined #openstack-keystone13:55
*** devx has quit IRC13:56
*** jgwentworth is now known as melwitt13:57
*** devx has joined #openstack-keystone13:59
*** xinran__ has joined #openstack-keystone14:01
*** links has quit IRC14:03
*** r-daneel has joined #openstack-keystone14:05
*** spilla has joined #openstack-keystone14:09
*** gyankum has joined #openstack-keystone14:34
*** gyankum has quit IRC14:34
prometheanfireI think keystone is the only project left that webob-1.8.1 breaks things on
openstackLaunchpad bug 1765748 in OpenStack Global Requirements "webob-1.8.1 breaks projects" [High,In progress] - Assigned to Matthew Thode (prometheanfire)14:36
openstackgerritLance Bragstad proposed openstack/keystone master: Update tests to work with WebOb 1.8.1
lbragstadprometheanfire: ^14:36
lbragstadfast ping->bug fix ever!14:36
lbragstadprometheanfire: i'm not sure if you've been noticing a specific pattern with projects that have been affected by this14:38
lbragstadbut i just replaced our uuid usage with 'en'14:38
* lbragstad shrugs14:38
lbragstadsince i don't suppose we're all that interested in testing how webob deals with that header, i just replaced it with something that passes the new regex14:39
prometheanfirelbragstad: sure, all I know offhand is that it was a quick fix for them too14:40
openstackgerritLance Bragstad proposed openstack/keystone master: Update tests to work with WebOb 1.8.1
lbragstadok - updated so that it will be easier to ever tell if the mock stop works on a system with 'en' by default (which i assume would be wide range)14:45
lbragstadstops working*14:45
*** belmorei_ has quit IRC14:54
*** pcaruana has quit IRC15:02
*** dklyle has joined #openstack-keystone15:14
*** dklyle has quit IRC15:22
*** rajalokan has joined #openstack-keystone15:22
*** panbalag has joined #openstack-keystone15:31
*** panbalag has left #openstack-keystone15:31
*** felipemonteiro__ has quit IRC15:34
kmalloclbragstad: hm. you know if henrynash been around recently?15:42
kmalloclbragstad: had a question for him15:42
*** kmalloc sets mode: -o kmalloc15:43
lbragstadkmalloc: i have not seen him in some time15:44
lbragstadlast i talked to him was in dublin15:44
kmalloclbragstad: ok15:44
*** nicolasbock has quit IRC15:50
*** ayoung has joined #openstack-keystone15:53
*** nicolasbock has joined #openstack-keystone15:53
kmalloclbragstad: replacing the header is fine16:02
kmalloclbragstad: it's a silly test we're doing there... "does webob work"16:02
kmalloc... if it doesn't...16:02
kmallocwhy are we using it.16:02
kmalloclbragstad: so... nit on structure for my current thing16:04
kmalloclbragstad: keystone.flask or keystone.common.wsgi.flask or...?16:04
kmalloclbragstad: any preferance?16:04
* kmalloc leans towards keystone.flask16:05
*** rmascena has joined #openstack-keystone16:06
*** raildo has quit IRC16:08
lbragstadwhy keystone.flask?16:08
kmallocor keystone.server.flask16:09
kmalloctrying to avoid keystone.common dumping ground16:09
kmalloci'll use keystone.server.flask16:10
lbragstadyeah - that's fine16:10
lbragstadi'm not sure if i have a strong preference?16:10
lbragstadi feel like it should be in common, but at the same time we also have things like keystone.exception, keystone.notification, etc..16:11
kmallocright, we have wsgi initialization stuff in keystone.server16:11
kmalloc(paste deploy, etc)16:11
kmallocso, i figure that is the right place to keep this stuff16:11
*** gyee has joined #openstack-keystone16:13
lbragstadsure - that works16:13
*** pcaruana has joined #openstack-keystone16:20
*** dave-mccowan has joined #openstack-keystone16:23
*** dave-mccowan has quit IRC16:28
*** jmlowe has quit IRC16:29
*** dave-mccowan has joined #openstack-keystone16:32
*** felipemonteiro has joined #openstack-keystone16:32
lbragstadstepping away to get a run in over lunch quick16:47
*** AlexeyAbashkin has quit IRC16:57
*** mugsie has quit IRC17:06
*** mugsie has joined #openstack-keystone17:06
*** mugsie has quit IRC17:06
*** mugsie has joined #openstack-keystone17:06
*** mugsie has quit IRC17:08
*** tesseract has quit IRC17:11
*** mugsie has joined #openstack-keystone17:12
*** mugsie has quit IRC17:12
*** mugsie has joined #openstack-keystone17:12
*** xinran__ has quit IRC17:21
*** rajalokan has quit IRC17:31
kmalloclbragstad: man, converting to flask is a bunch of work. just getting out from under paste is weird.17:33
*** germs has joined #openstack-keystone17:33
kmalloclbragstad: i think i have a pretty smooth path forward here. it's starting to shape up, and it looks like the biggest impact is just going to be convering how we do routes (from mapper/dispatch) to flask-specific [which, btw, is much better for validation of the URI elements]17:33
lbragstadok - cool]\17:36
lbragstadthe mapper stuff has always been a little obtuse to me, but that's a personal opinion17:36
lbragstadcurious to see what that looks like in flask17:37
kmalloclbragstad: well, i'm mirroring it mostly right now, basically new application_factory loads in the routers and calls .add_routes()17:44
kmallocin the future i'll convert these to flask blueprints [future patch] which will make it more explicit17:44
kmallocbut we need to address @protected etc17:44
*** germs has quit IRC17:46
lbragstadremoving that decorator is going to make fixing easier17:54
*** jmlowe has joined #openstack-keystone17:56
kmallocflask likes to use the app.route() decorator for each item, but i don't think that works for our architecture (we don't want to initialize the app early)17:56
kmallocnot too bad though17:56
kmallocthe JSON_HOME bits are going to be the hardest part17:56
kmallocand maybe json_schema17:56
*** pcichy has quit IRC17:58
kmalloceuuw. flask wants regparse instead of json-schema... yeah i'll just implement json-schema support directly17:58
*** r-daneel_ has joined #openstack-keystone18:00
kmallocoh nvm, we already od it, we could move the json-schema bits higher up in flask though, nice18:00
lbragstadcool - make api validation happen closer to the edge of the app then18:00
*** r-daneel has quit IRC18:01
*** r-daneel_ is now known as r-daneel18:01
kmalloclbragstad: yeah.18:09
*** harlowja has joined #openstack-keystone18:12
*** mvk has quit IRC18:22
*** idlemind has joined #openstack-keystone18:27
kmalloclbragstad: ... how does our json_home thing even work?18:27
kmalloccmurphy: yeah... it looks like it18:34
kmalloccmurphy: =/18:34
lbragstadi haven't dug into the details of it in a while but it uses the routes bits to build the document, then just emits that when content-type: application/json18:37
lbragstadiirc brant did a bunch of that stuff18:38
*** Guest16323 is now known as mgagne18:40
*** mgagne has joined #openstack-keystone18:40
*** markvoelker_ has joined #openstack-keystone18:42
*** markvoelker has quit IRC18:43
lbragstadi'm not sure i have all the context on this yet, but is there any reason why we don't use oslo.service?18:44
lbragstador is it just because oslo.service came after we had something that did pretty much the same thing?18:44
*** dklyle has joined #openstack-keystone18:49
*** markvoelker has joined #openstack-keystone18:49
*** markvoelker_ has quit IRC18:50
*** mvk has joined #openstack-keystone18:52
*** r-daneel has quit IRC18:59
*** r-daneel_ has joined #openstack-keystone18:59
*** r-daneel_ is now known as r-daneel19:01
*** jmlowe has quit IRC19:13
*** jmlowe has joined #openstack-keystone19:13
*** jmlowe has quit IRC19:13
lbragstadkmalloc: i think we're digging close to the same area of code actually19:19
lbragstadi'm looking at what it would take to implement the community goal for this release, without having to intercept SIGUP signals19:20
lbragstadone of the suggestions is to setup a listener to see if the configuration file changes during run time, and just reload the logger19:21
lbragstadthat'd would have to take place after wouldn't it?19:22
lbragstadbecuase application is what is returned to the web server, right?19:25
*** jmlowe has joined #openstack-keystone19:34
*** dave-mccowan has quit IRC19:36
*** belmoreira has joined #openstack-keystone19:38
*** felipemonteiro_ has joined #openstack-keystone19:38
*** felipemonteiro has quit IRC19:42
*** devx has quit IRC19:43
*** devx has joined #openstack-keystone19:44
*** dave-mccowan has joined #openstack-keystone19:53
*** jmlowe has quit IRC20:06
*** jmlowe has joined #openstack-keystone20:08
*** felipemonteiro_ has quit IRC20:17
*** felipemonteiro_ has joined #openstack-keystone20:17
openstackgerritBrian Rosmaita proposed openstack/keystoneauth master: WIP - fix logging of encoded headers
*** felipemonteiro__ has joined #openstack-keystone20:29
*** devx has quit IRC20:30
*** devx has joined #openstack-keystone20:30
*** devx has quit IRC20:31
*** devx has joined #openstack-keystone20:31
*** dklyle has quit IRC20:31
*** felipemonteiro_ has quit IRC20:32
*** belmoreira has quit IRC20:33
*** devx has quit IRC20:34
*** devx has joined #openstack-keystone20:34
openstackgerritBrian Rosmaita proposed openstack/keystoneauth master: WIP - fix logging of encoded headers
*** devx has quit IRC20:38
*** devx has joined #openstack-keystone20:38
*** jmlowe has quit IRC20:39
*** devx has joined #openstack-keystone20:39
*** jmlowe has joined #openstack-keystone20:41
*** belmoreira has joined #openstack-keystone20:42
*** pcaruana has quit IRC20:43
*** felipemonteiro_ has joined #openstack-keystone20:46
*** felipemonteiro__ has quit IRC20:46
*** edmondsw has quit IRC20:47
*** aojea_ has joined #openstack-keystone20:47
*** germs has joined #openstack-keystone20:47
*** germs has quit IRC20:47
*** germs has joined #openstack-keystone20:47
*** edmondsw has joined #openstack-keystone20:47
*** belmoreira has quit IRC20:47
*** germs has quit IRC20:51
*** edmondsw has quit IRC20:52
*** devx has quit IRC20:53
*** devx has joined #openstack-keystone20:53
openstackgerritprashkre proposed openstack/python-keystoneclient master: WIP: Allow passing log attribute
*** spilla has quit IRC20:57
kmalloclbragstad: ah nice21:01
kmalloclbragstad: so, as long as we are doing something like inotify, we can have everything check the file for changes21:02
kmallocbut we're going to need to re-work how we handle the cases of instantiating managers21:02
lbragstaddhellmann just had some input on that front21:02
kmallocbecause they read from the files and it could be bad(tm) if we reconfigure mid-request.21:02
lbragstadand it kinda goes against the direction the oslo.config wants to take for pluggable config backends (e.g. secret storage) that aren't file-based21:03
lbragstadso maybe not as robust as i was thinking21:03
kmallocmy view is we can support something like apachectl reconfigure (SIGHUP) for the parent uwsgi process21:03
kmallocwhich should then winddown/cycle the subsequent processes21:04
kmalloc[or have a pipe we can issue a command on[]21:04
lbragstadi think that was along the lines of fungi's suggestion21:04
kmallocthat would be my go-to design21:04
kmallocwant to see the first bits of the paste-deploy-ectomy/flaskification?21:05
kmalloclet me push this review up.21:05
lbragstadfwiw - i punted on trying to figure out the mutable config stuff today and put it on the meeting schedule for tomorrow21:05
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert Keystone to use Flask
kmallocsounds good21:05
kmallocmutable configs are tough21:05
kmalloc^ that is the first pass [still needs lots of work]21:06
kmallocand that wont pass check / gate / pep821:06
kmallocbut that is the start.21:06
lbragstadi'm not sure which is best, and i don't know if converting to oslo.service and intercepting SIGUP when it's clearly documented as a no-no against mod_wsgi is a good thing21:06
*** r-daneel has quit IRC21:07
kmallocyeah, and with mod_Wsgi, you would need apachectl reconfigure anyway21:07
*** r-daneel has joined #openstack-keystone21:07
kmallocyou can't do pipe/socket really21:07
*** rmascena has quit IRC21:07
kmallocwith uwsgi / gunicorn, we are in a better state to do something.21:07
kmallocbut ... still not "great"21:07
kmallocfwiw, the "_path_prefix" values are temporary21:08
*** martinus__ has quit IRC21:08
* fungi is shocked at having had a suggestion... he has a short memory21:08
kmallocthat is just so i can build the dispatcher map.21:08
kmallocthen we can convert each subsystem into a flask "blueprint"21:09
fungiif memory serves, my suggestion was "signal handler or rpc socket"21:09
fungipretty vague21:09
kmallocfungi: lol ;)21:09
kmallocfungi: well rpc-socket would be my choice.21:09
kmallocthough, like i said, under mod_Wsgi, you're better off doing an apachectl reconfigure anyway, since apache owns all the processes.21:10
fungisure. signal handling is kinda old-school bsd daemon think21:10
kmallocand some of the wsgi runners do a poooooor job of signal handling.21:10
kmalloclbragstad: i'm going to enable at least one hook point for custom middleware.21:11
kmallocit'll be a new config value, ListOpt and it will take stevedore-loadable entry-points21:12
kmallocso: oslo.middleware:debug21:12
kmallocand parse those.21:12
kmallocand load them in.21:12
*** felipemonteiro_ has quit IRC21:20
kmalloclbragstad: do we want to support middleware hook after ours or just before?21:20
lbragstadtoday we support both, right?21:20
kmalloce.g. just before healthcheck [if you look at paste-ini now], or just after json_body, or both21:20
lbragstadbut we don't guarantee it will work21:20
kmallocright now, we support anywhere21:20
kmalloci'm inclined to only support "pre" our middleware21:21
lbragstadi'm inclined to say before?21:21
lbragstadjust because once we run our middleware, we should pass it to our app21:21
*** jmlowe has quit IRC21:21
kmallocthat is my inclination21:22
lbragstadsupporting the ability to do things in between those events seems like a good way override what we do in middleware21:22
kmallocbut, that has the effect that no one can  hook in after we validate the token21:22
lbragstadwhat would we want to have people do with the token before passing control to keystone?21:23
*** sonuk has joined #openstack-keystone21:30
kmallocifthey wanted to add an extension or something that handles code to keystone21:30
kmalloctheir own apis21:30
kmalloci'm disinclined to support tht21:30
lbragstadi'm struggling to think of a good use case for that right now21:34
kmallocok, i think... i think i'm now at the point when i need to swap over to the new app factory21:35
kmallocand replace the "load_app" bit from paste21:35
kmallocthis is kindof awesome.21:35
kmallocthis might not even be too bad to review21:36
*** jmlowe has joined #openstack-keystone21:36
*** sonuk has quit IRC21:36
lbragstadkmalloc: might be good for you to look at when you have time21:38
*** jmlowe has quit IRC21:41
*** rcernin has joined #openstack-keystone21:53
*** harlowja has quit IRC21:56
*** dklyle has joined #openstack-keystone21:59
*** edmondsw has joined #openstack-keystone22:03
gagehugolbragstad I've been meaning to find something relatively stable to test that list_users refactor on22:07
*** jistr has quit IRC22:07
*** edmondsw has quit IRC22:08
*** dklyle has quit IRC22:08
*** aojea_ has quit IRC22:08
*** jistr has joined #openstack-keystone22:10
*** threestrands has joined #openstack-keystone22:16
lbragstadgagehugo: even if it's just a dev box with minimal stuff running22:30
lbragstadand you can abstract the performance improves into percentages22:31
lbragstadthat'd be just fine imo22:31
gagehugolbragstad I have a raspberry pi I could use :)22:37
gagehugobut I may have a dev laptop that I could wipe for testing22:38
*** dklyle has joined #openstack-keystone22:50
*** r-daneel has quit IRC22:54
adriantAny idea why keystonemiddleware would be returning: {"error": "Authentication Invalid"} when delay_auth_decision is true?22:56
*** dklyle has quit IRC22:56
kmallocnot sure.22:57
adriantweird. I'll have to dig further. Am having issues wrapping a little flask app with it22:57
adriantkmalloc: pretty much all I'm doing is: and that worked in the past so I'm not sure if I've screwed something up23:01
*** dave-mccowan has quit IRC23:02
adriantNVM, found the issue23:21
adriantit's not a middleware problem... it's our code23:21
*** dklyle has joined #openstack-keystone23:35

Generated by 2.15.3 by Marius Gedminas - find it at!