Tuesday, 2018-11-06

« Monday, 2018-11-05 Index Wednesday, 2018-11-07 »
*** gyee has quit IRC00:25
*** felipemonteiro has joined #openstack-keystone00:59
*** felipemonteiro has quit IRC01:15
*** Dinesh_Bhor has joined #openstack-keystone01:54
*** Dinesh_Bhor has quit IRC01:59
*** stewie925 has quit IRC02:04
*** nicolasbock has quit IRC02:17
*** masayukig[m] has quit IRC02:17
*** Dinesh_Bhor has joined #openstack-keystone03:04
*** lbragstad has quit IRC03:16
*** cburgess has quit IRC03:41
*** cburgess has joined #openstack-keystone03:41
*** Dinesh_Bhor has quit IRC03:42
*** Dinesh_Bhor has joined #openstack-keystone03:44
*** ykarel has joined #openstack-keystone04:20
*** dave-mccowan has joined #openstack-keystone04:28
*** dave-mccowan has quit IRC04:53
*** felipemonteiro has joined #openstack-keystone05:28
*** aojea has joined #openstack-keystone05:45
*** aojea has quit IRC05:50
*** Dinesh_Bhor has quit IRC06:05
*** Dinesh_Bhor has joined #openstack-keystone06:09
*** felipemonteiro has quit IRC06:43
openstackgerritVu Cong Tuan proposed openstack/keystone master: Replace usage of get_legacy_facade() with get_engine()  https://review.openstack.org/61574907:12
openstackgerritwangxiyuan proposed openstack/keystone master: Remove unused lower constraints  https://review.openstack.org/61575007:14
*** Dinesh_Bhor has quit IRC07:21
*** Dinesh_Bhor has joined #openstack-keystone07:23
openstackgerritwangxiyuan proposed openstack/keystone master: Refresh health check doc  https://review.openstack.org/61575407:26
vishakhacmurphy:  Facing some issue in keystone federation using testshib.org as IDP and  keystone as SP.07:34
vishakhahttps://www.irccloud.com/pastebin/1UAF6vga/07:35
vishakhacmurphy: Above error is coming in horizon07:36
*** pcaruana has joined #openstack-keystone07:36
vishakhacmurphy: whereas I have configured metadata in shibbholeth2.xml07:37
openstackgerritlei zhang proposed openstack/keystone master: Fix the dead URL  https://review.openstack.org/61576007:39
cmurphyvishakha: testshib has been broken for a while, that's why our federation tests have been failing :(07:52
cmurphythere is a new thing samltest.id which i started trying to switch us to https://review.openstack.org/61539107:53
cmurphybut I was having trouble uploading metadata a couple of days ago, was going to check again today whether it was fixed and email the maintainer if it was still broken07:54
cmurphyvishakha: another alternative is this nodejs app which works pretty well as demoware https://github.com/mcguinness/saml-idp though it doesn't support ECP07:55
vishakhacmurphy:  Thank you for the response. Then I am thinking to make another keystone as IDP.08:02
cmurphyvishakha: that's a good idea too, though it won't let you play with horizon's websso functionality08:04
vishakhacmurphy: ohh. that can be tested only with CLi?08:05
*** Dinesh_Bhor has quit IRC08:05
cmurphyvishakha: it can use horizon but it works differently, you have to log into horizon first on the idp and then switch to the sp once you're already logged in08:06
vishakhacmurphy: I have a doubt here, that why do we have to login in to the kesytone IDP  first ?  to create user??08:12
cmurphyvishakha: no, it's just how keystone-to-keystone works. Keystone as an IdP doesn't implement the full SAML2.0 WebSSO spec, so you have to get a token from the keystone IdP first and then exchange it for a SAMLResponse from the IdP which you then use to get a token from the SP08:19
*** ykarel_ has joined #openstack-keystone08:19
cmurphywhich all happens under the hood when you log into horizon and then switch the service provider from the dropdown menu08:19
*** ykarel has quit IRC08:22
*** Dinesh_Bhor has joined #openstack-keystone08:30
*** amoralej|off is now known as amoralej08:44
vishakhacmurphy: Thanks. I will follow your above suggestions and try.08:49
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Add basic enforce func  https://review.openstack.org/59652008:50
openstackgerritwangxiyuan proposed openstack/keystone master: Remove unused lower constraints  https://review.openstack.org/61575008:52
*** ykarel__ has joined #openstack-keystone09:11
*** ykarel_ has quit IRC09:12
*** itlinux has joined #openstack-keystone09:14
*** ykarel__ is now known as ykarel09:19
*** Emine has joined #openstack-keystone09:20
*** mvkr has quit IRC09:31
*** Dinesh_Bhor has quit IRC09:35
*** Dinesh_Bhor has joined #openstack-keystone09:42
*** lbragstad has joined #openstack-keystone10:00
*** ChanServ sets mode: +o lbragstad10:00
*** mvkr has joined #openstack-keystone10:01
*** ykarel is now known as ykarel|lunch10:12
lbragstadcmurphy did you happen to see jaypipes comment about oslo.limit yesterday?10:16
cmurphylbragstad: no10:17
cmurphyml?10:17
lbragstadIRC - i spent most of yesterday in -nova working on the limits stuff10:18
cmurphyoh i'm not in -nova10:18
lbragstadwe were trying to figure out the dance between oslo.limit and the service10:19
lbragstadjay suggested not having enforcement in oslo.limit at all10:19
lbragstadand keeping oslo.limit as pretty much a client for limits information10:20
lbragstadthoughts?10:20
* cmurphy checks eavesdrop logs10:21
lbragstadiirc - the conversation started with me and johnthetubaguy10:21
lbragstadhttp://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2018-11-05.log.html#t2018-11-05T16:48:3810:23
cmurphyif oslo.limit is just a client for /v3/limits then we could have just put it in keystoneclient10:26
cmurphythe point was to have a common interface for quota management, based on the assumption that calculating usage also required knowledge of the limits10:27
cmurphyit also had to do with dealing with the project hierarchy, keystone can return the hierarchy and the limits but e.g. nova doesn't natively understand that, it needs oslo.limit to understand the different hierarchical models and do the quota usage calculation based on that10:32
*** ykarel|lunch is now known as ykarel10:33
cmurphyso those are my thoughts but i haven't been working on oslo.limit as much as you and wxy-xiyuan and also i trust jay and mel know way more about quota management than any of us do10:34
* lbragstad nods10:36
lbragstadi agree about the hierarchical part10:37
lbragstadi think the awkward-ness around trying to find a good way for oslo.limit to get usage isn't exactly helping10:38
cmurphywhat's awkward about it? (i haven't been paying attention)10:38
lbragstadthe callback specifically10:39
lbragstadand the arguments passed to it10:39
lbragstadyesterday we were trying to work through how oslo.limit should be calling this usage function handed to it by the service10:40
*** mvkr has quit IRC10:44
cmurphyyeah i don't know enough about how nova handles it currently to have an opinion on how we should be doing it10:45
*** mvkr has joined #openstack-keystone10:58
lbragstadack - just thinking out loud11:02
* lbragstad reboots11:02
*** lbragstad has quit IRC11:02
*** lbragstad has joined #openstack-keystone11:04
*** ChanServ sets mode: +o lbragstad11:04
*** Dinesh_Bhor has quit IRC11:13
openstackgerritColleen Murphy proposed openstack/keystone master: Add py36 tox environment  https://review.openstack.org/61584111:53
*** raildo has joined #openstack-keystone11:54
openstackgerritColleen Murphy proposed openstack/keystone master: Clean up python3.5 usage in tox.ini  https://review.openstack.org/61584211:55
openstackgerritColleen Murphy proposed openstack/keystonemiddleware master: Add py36 tox environment  https://review.openstack.org/61584311:56
openstackgerritColleen Murphy proposed openstack/keystoneauth master: Add py36 tox environment  https://review.openstack.org/61584511:57
openstackgerritColleen Murphy proposed openstack/python-keystoneclient master: Add py36 tox environment  https://review.openstack.org/61584611:58
openstackgerritColleen Murphy proposed openstack/ldappool master: Add py36 tox environment  https://review.openstack.org/61584711:59
*** amoralej is now known as amoralej|lunch12:01
*** markvoelker has joined #openstack-keystone12:27
*** dave-mccowan has joined #openstack-keystone12:29
jristhi all. we've got a bug in tripleo that seems like it's keystone. does anyone have a moment to look? https://bugs.launchpad.net/bugs/180177812:53
openstackLaunchpad bug 1801778 in tripleo "Keystone circular reference on OPTIONS" [High,Triaged]12:53
*** Emine has quit IRC12:59
lbragstadjrist it's detecting a circular reference in your roles13:07
jristit sort of seemed like that. do you happen to have any insight on how we might go about fixing?13:07
jristI'm clueless.13:08
lbragstadspecifically, the role implication has a circular reference13:08
lbragstadjrist you can query the implied role linkage using openstackclient13:10
lbragstad`openstack implied role list` should give you that information, which you should be able to use to track down the circular reference13:11
*** ykarel_ has joined #openstack-keystone13:11
lbragstadbiab13:11
*** ykarel has quit IRC13:14
*** Emine has joined #openstack-keystone13:15
*** amoralej|lunch is now known as amoralej13:19
*** emine__ has joined #openstack-keystone13:19
*** Emine has quit IRC13:20
*** markvoelker has quit IRC13:21
*** ykarel_ is now known as ykarel13:21
jristthanks lbragstad13:22
*** honza has joined #openstack-keystone13:24
honzalbragstad: i'm not sure if the circular reference issue is in fact causing the 500 error on OPTIONS13:29
honzalbragstad: have there been any issues with the OPTIONS handler in cors?13:29
lbragstadnot that i'm aware of13:34
honzalbragstad: cool, thanks13:35
lbragstadi'm not seeing the OPTIONS in the trace?13:35
*** ykarel has quit IRC13:42
*** aojea_ has joined #openstack-keystone13:59
*** felipemonteiro has joined #openstack-keystone14:03
*** david-outreachy has joined #openstack-keystone14:15
*** emine__ has quit IRC14:15
*** aojea_ has quit IRC14:18
*** david-outreachy has quit IRC14:20
*** nelsnelson has quit IRC14:23
*** felipemonteiro has quit IRC14:43
*** aojea_ has joined #openstack-keystone14:59
ildikovlbragstad: can you join the edge call now? :)15:02
lbragstadildikov oh - yes15:02
*** aojea_ has quit IRC15:02
gagehugoo/15:03
*** aojea_ has joined #openstack-keystone15:15
cmurphywe keep hitting the timeout for the py27 unit tests :( https://review.openstack.org/61559815:24
lbragstadhmm - that must have been pretty recent?15:29
*** wxy| has joined #openstack-keystone15:31
*** aojea_ has quit IRC15:31
*** felipemonteiro has joined #openstack-keystone15:34
*** itlinux has quit IRC15:38
gagehugolooks like intermittent slowdowns from the timestamps15:38
*** aojea_ has joined #openstack-keystone15:39
lbragstadDST reminder that the keystone meeting will be in about 20 minutes15:39
lbragstadkmalloc knikolla cmurphy let me know if there are specific for the keystone-as-an-idp forum session15:40
lbragstadthe etherpad is ready to be populated15:40
lbragstadhttps://etherpad.openstack.org/p/BER-stein-keystone-as-idp15:40
lbragstadthank you kmalloc15:45
kmalloclbragstad: sure thing15:46
*** felipemonteiro has quit IRC15:46
*** ayoung has joined #openstack-keystone15:50
* kmalloc kicks DST hard.15:51
kmalloclbragstad: is it wrong that I think I slept worse this time change than last one?15:51
lbragstadthat makes none sense15:52
*** d34dh0r53 has quit IRC16:02
*** eglute has quit IRC16:02
kmalloclbragstad: ok added a chunk to that etherpad16:04
kmalloclike... not a small amount of things.16:04
kmallocthat should cover the next couple cycles of work16:04
kmalloc:P16:04
*** eglute has joined #openstack-keystone16:08
*** d34dh0r53 has joined #openstack-keystone16:08
*** nwilburn has joined #openstack-keystone16:11
lbragstadgood deal - thanks!16:12
*** imacdonn has quit IRC16:17
*** imacdonn has joined #openstack-keystone16:17
*** gyee has joined #openstack-keystone16:21
*** aojea_ has quit IRC16:23
*** aojea_ has joined #openstack-keystone16:24
*** aojea_ has quit IRC16:28
openstackgerritColleen Murphy proposed openstack/python-keystoneclient master: Make the functional test voting  https://review.openstack.org/61378116:29
openstackgerritColleen Murphy proposed openstack/python-keystoneclient master: Use python3 for functional tests  https://review.openstack.org/61378216:29
cmurphywxy-xiyuan: kmalloc ^16:29
kmallocnice16:29
kmalloc+216:29
wxy|cmurphy: cool. My last review today.:)16:34
wxy|Good night, guys.16:34
lbragstadgood night wxy|16:34
*** wxy| has quit IRC16:35
*** andymccr has quit IRC16:36
ayoungWe meet in 18 mihnuts, right?16:42
lbragstadayoung DST happened16:42
ayounglbragstad, so I adjusted wrong direction?16:42
kmallocayoung: yep.16:49
ayoungkmalloc, its ok, would not have been able to make that anyway.  REad throug the evesdrop16:50
ayoungand I'll see y'all next week16:51
* kmalloc nods.16:51
hrybackioh shoot16:53
hrybackiayoung:  same16:54
*** aojea_ has joined #openstack-keystone17:05
kmalloclbragstad: https://review.openstack.org/#/c/613961/ this is critical to land ASAP.17:13
kmalloclbragstad: it's very broken otherwise (500 errors on any non-routed path)17:13
*** felipemonteiro has joined #openstack-keystone17:19
*** aojea_ has quit IRC17:27
*** aojea_ has joined #openstack-keystone17:28
*** aojea_ has quit IRC17:32
lbragstadkmalloc does that need to be backported?17:41
kmallocnope17:42
kmallocit's a stein only issuye17:42
kmallocbut i don't want that lingering around17:42
lbragstadsure - good catch17:48
*** felipemonteiro has quit IRC17:53
honzalbragstad: i had another look, and there are no errors directly surrounding the OPTIONS HTTP call; inspecting the 500 page further, it looks like it might be from haproxy instead17:59
honzajrist: ^^17:59
*** amoralej is now known as amoralej|off18:10
jristew18:13
jrist:)18:13
jristhonza: thanks18:13
*** markvoelker has joined #openstack-keystone18:31
*** gyee has quit IRC18:34
kmalloclbragstad: i'm ripping osprofiler out of keystone18:52
kmallocit got an agregate of 35 reviews in all of rocky for it's entire repo18:52
kmallocand has next to no changes/eyes. my concern is if there is ever an issue it'll just be broken18:52
lbragstadif that's the case i wonder if other project are considering the same thing18:53
lbragstadbecause i've heard some folks (in osa for example) use it for timing database transactions18:54
kmallocI worry it is just bitrotting18:54
kmalloci'd rather have explicit hooks people can hook into for timing things18:54
kmallocosprofiler was a trainwreck when it was written18:54
odyssey4mekmalloc um, yeah - I think jrosser and cloudnull wouldn't like that18:55
kmallocthe whole emit things via the API is bad.18:55
kmallocand i still stand firmly by the fact it is inherently an insecure design18:55
kmallocif it was just logging out data in a sane way, i'd be less worried18:56
kmallocand probably would just do the same thing we do with debug18:56
kmalloc(debug middleware)18:56
*** cloudnull has joined #openstack-keystone18:56
kmallocmake it loadablle18:56
kmallocbut it is so bad.18:56
* kmalloc shrugs.18:56
lbragstadi haven't parsed the code, so i can't speak to that18:56
odyssey4mekmalloc I've asked cloudnull and jrosser to join, given they're actually using it.18:56
lbragstadbut i'm just aware of people using it18:57
kmalloci spent a huge amount of time dealing with osprofiler18:57
kmallocespecially the landing it in keystone18:57
cloudnullo/18:57
kmallocand i regret agreeing to land it every single day i look at it18:57
* kmalloc really would rather have appropriate hook points we can link in for the profiling data 18:57
cloudnullI am using osprofiler and feeding the data back to elasticsearch18:57
kmallocand not some opaque library that lives in there.18:57
* cloudnull is a bad person 18:57
lbragstadlol18:58
kmalloci asked when it was being implemented for it to support hook points, e.g. SQL, etc.18:58
kmallocand work to implement them in the projects18:58
kmalloccloudnull: I worry that osprofiler is basically in bitrot mode18:59
lbragstadi'm not opposed to hooks, but i'd certainly wait to remove osprofiler until we have those in pace18:59
lbragstadplace*18:59
kmalloci think i'm going to at least do the same thing we did with debug.18:59
kmallocnot even load osprofiler if it's not enabled18:59
kmalloci really don't trust it to do the right thing when not opted in19:00
*** jrosser has joined #openstack-keystone19:00
lbragstadhow is that going to affect the folks using it?19:00
kmallocnil19:00
kmallocthey can just enable it as per normal19:00
kmallocand it will work19:00
lbragstadthey already enable it, so it should be a noop?19:00
kmallocyep19:00
kmallocbut by default we wont even load in osprofiler19:00
cloudnullkmalloc thats ok. if its something that is largely being unmaintained/used dont keep it around on my expense. I'll adjust.19:00
kmalloccloudnull: it got an aggregate of 35 reviews total in rocky19:00
kmallocand most code is "fix tests"19:01
kmallocfrom then and stien19:01
kmalloci'll work to find an alternative before removing it19:01
cloudnullwe really like the capability but its not something I'll lose sleep over.19:01
kmalloci'll just make the disabled mode more "disableD"19:01
cmurphyit's not about keeping it around for cloudnull we need to keep it for anyone using it who didn't happen to catch this conversation19:01
kmallocas in, we wont even load the middleware bits.19:01
kmallocand we can telegraph removal via deprecation when we have an alternative19:01
cloudnullhappy to provide examples and talk about my usecause if thats at all useful19:01
kmalloccloudnull: you going to be in berlin?19:02
cloudnullI will :)19:02
kmalloci'd like to hear that, because it would be nice to have a plan19:02
cloudnull++ lets grab some time to chat19:02
kmallocsince i'm doing a ton of the stuff in keystone that is mostly cleanup.19:02
* kmalloc wants to be able to support some of the other products out there easily for this type of profiling19:03
jrosserI think one of the few actual bug fixes to osprofiler was from us, for elasticsearch6.x19:03
* kmalloc nods.19:03
kmalloci figured.19:03
cloudnullwhatsapp - 415-827-6749 if your around. otherwise IRC works too.19:03
kmallocirc is best :P19:03
kmalloci don't use whatsapp...19:03
cloudnullall good19:03
kmallocactually i just use normal cell service (yay google fi being cheap)19:03
cloudnullsadly i have to jump to another meeting.19:04
kmalloccloudnull: np19:04
kmalloccloudnull: we'll chat in berlin19:04
kmalloccmurphy: i'll get us a step closer to where i feel less uncomfortable with osprofiler in keystone and we can work on future looking things19:04
cmurphykmalloc: okay :)19:05
kmalloccmurphy: for now i'll just wrap it the same way debugmiddleware is wrapped19:05
kmallocso it isn't loaded at all when disabled19:05
kmallocand that makes me not have that creepy-crawly feeling in my skin :)19:06
*** mvkr has quit IRC19:10
kmalloclbragstad, cmurphy: https://review.openstack.org/61597919:43
kmallocsince the latest fix for oslo.cache broke redis *sigh*19:44
kmallocI'm going to build the pymemcache backend in the next day or so.19:44
kmallocand we can deprecate the use of the old python-memcache backend in oslo.cache19:44
kmalloczzzeek: ^ I'll plan to upstream the pymemcache backend as well.19:44
*** david-lyle has joined #openstack-keystone19:46
*** dklyle has quit IRC19:49
kmallocgagehugo: ^ cc19:52
gagehugoack19:52
gagehugo:)19:52
zzzeekkmalloc: OK, isnt that something you were working on a long time ago19:54
kmalloczzzeek: yeah it now is a higher priority19:55
kmalloczzzeek: i'll also upstream a pymemcache pool (non-thread.local setup)19:56
zzzeekkmalloc: woop19:56
kmallocbecauxe pymemcache implements a thread-safe pool by default19:56
kmallocand we can deprecate use of python-memcache upstream as well, since it's effectively abandonware19:56
kmallocoh snap, we just can pass "use_pooling" to the hashclient and it does pooling for us.19:58
kmallocdamn that is slick19:58
*** mvkr has joined #openstack-keystone19:58
openstackgerritMerged openstack/python-keystoneclient master: Convert functional tests to Zuulv3  https://review.openstack.org/61338520:55
openstackgerritMerged openstack/python-keystoneclient master: Make the functional test voting  https://review.openstack.org/61378120:55
openstackgerritMerged openstack/python-keystoneclient master: Use python3 for functional tests  https://review.openstack.org/61378220:55
*** raildo has quit IRC21:06
openstackgerritMerged openstack/keystone master: Unregister "Exception" from flask handler  https://review.openstack.org/61396121:23
openstackgerritMerged openstack/keystone master: Fix uwsgi --http flag  https://review.openstack.org/61552221:23
openstackgerritMerged openstack/keystone master: Delete PKI middleware debugging section  https://review.openstack.org/61544821:23
*** aojea has joined #openstack-keystone21:28
*** pcaruana has quit IRC21:31
*** devx has quit IRC21:55
*** devx has joined #openstack-keystone21:57
openstackgerritColleen Murphy proposed openstack/keystone master: Switch devstack plugin to samltest.id  https://review.openstack.org/61539122:02
kmalloclbragstad: keeping the options around for the sake of keeping options around (in the KSM removal) doesn't make a lot of sense22:05
kmallocsince nothing references the options anywhere, deprecating for the sake of deprecating is carrying things for no real reason22:06
kmallocoslo.config ignores extra options in the config files22:06
*** felipemonteiro has joined #openstack-keystone22:33
*** dave-mccowan has quit IRC22:35
*** felipemonteiro has quit IRC23:07
*** aojea has quit IRC23:16
*** erus has joined #openstack-keystone23:39
« Monday, 2018-11-05 Index Wednesday, 2018-11-07 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!