19:01:10 #startmeeting keystone-office-hours
19:01:11 Meeting started Tue Oct 24 19:01:10 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:12 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:01:15 The meeting name has been set to 'keystone_office_hours'
19:01:18 o/
19:03:30 o/
19:04:38 o/
19:05:40 alright - what are folks itching to work on?
19:05:54 bug reviews are pretty low
19:06:09 so we could dedicate time towards picking up fixes or proposing new ones.
19:06:17 keystone is bug free
19:06:19 good job team
19:06:29 lol
19:06:48 * lbragstad slowly starts to cry because he knows it isn't true
19:07:12 :'(
19:07:25 we could also clean up/merge specs
19:08:10 cmurphy: fyi - thanks for reviews on https://review.openstack.org/#/c/511822/4
19:08:33 we also got some feedback on https://review.openstack.org/#/c/460344/
19:17:35 I reported a bug this morning if anyone is interested in taking a look https://bugs.launchpad.net/keystone/+bug/1726736
19:17:35 Launchpad bug 1726736 in OpenStack Identity (keystone) ""no auth token" debug logs are confusing" [Wishlist,New]
19:17:51 people ask me about this all the time and i don't know what to tell them except "don't worry about it"
19:20:41 cmurphy: oh - yes!
19:20:52 cmurphy: that one is confusing
19:25:13 seems like it existed when keystone/middleware/auth.py was created
19:25:15 cf81d1ec356beca65d40a78a1dca915f4b5448fb
19:28:57 hmm originally added here i think https://review.openstack.org/#/c/156870/
19:33:39 cmurphy: yeah - that seems like the current version
19:34:00 but it looks like there was a previous version of that same vague message @ line 199
19:34:03 https://review.openstack.org/#/c/156870/62/keystone/middleware/core.py
19:34:22 o/
19:34:39 oh hmm
19:34:49 the plot thickens
19:34:53 yes...
19:35:10 which appears to be around since 2015 versioning?!
19:35:12 http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/core.py?h=2015.1.0
19:36:31 okay i guess the original version just meant X-Auth-Token wasn't in the request headers which just means it's a regular token request
19:36:32 and 2014.2 http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/core.py?h=2014.2#n270
19:37:18 cmurphy: that should just mean it's not a "validate this token" call, yeah?
19:37:42 wait - nevermind
19:37:51 lbragstad: you're thinking X-Subject-Token
19:37:54 yeah
19:39:01 so - there isn't a whole lot you can do if X-Auth-Token isn't in the headers (except APIs that are "unprotected" like authenticate)
19:44:55 that's true, but I'm not sure there's that much value in logging that for every POST /auth/tokens
19:46:31 yeah.. me either
19:46:38 does it generate more value than confusion?
19:48:13 also - that message never actually makes it back to the user who is hitting POST /auth/tokens unless they are an operator and tailing the logs at the same time
19:48:44 right
19:48:57 it also contains no information about the user making the request - so the usability from an operator perspective is slim
19:49:10 but if you do try to hit /projects with no X-Auth-Token the logs have a warning with "Authorization failed. auth_context did not decode anything useful"
19:49:31 so i'm not sure there's ever a case where x-auth-token is unset and that message is useful
19:50:16 cmurphy: right - in those cases the API requires a token and if it doesn't get it, it should provide some useful info to the user
19:50:55 well it just provides a 401 but that's about as useful as you're going to get without giving too much away
19:51:18 unless we're going to start including entity information in the message, i'm in favor of removing it or replacing it with an inline comment
19:52:08 s/message/log message/
19:57:39 Colleen Murphy proposed openstack/keystone master: Remove "no auth token" debug log https://review.openstack.org/514810
19:57:49 lbragstad: done ^
19:57:57 reviewing
19:59:49 when authenticating with x509 and the certificate is invalid, you'd expect to get a 401 back just like you would for an invalid password, right?
20:01:31 I think so, I've never played with it though
20:02:04 either way, the usefulness is in the response and not vague logs
20:02:28 cmurphy: quick-approved :) nice to see that message go away
20:03:17 \o/
20:11:08 #link https://review.openstack.org/#/c/460344/ and https://review.openstack.org/#/c/462733/12 are ready to go
20:19:23 Gage Hugo proposed openstack/keystone master: Consolidate V2Controller functionality https://review.openstack.org/514814
20:28:34 Lance Bragstad proposed openstack/keystone-specs master: Specification for system roles https://review.openstack.org/464763
20:30:51 has anyone been able to recreate the functional v2.0 test failures in ksc
20:30:55 ?
20:34:32 * cmurphy hadn't tried
20:34:46 is it something more than just devstack not having v2 anymore?
20:38:10 looking at a failed test run
20:38:19 and the python-keystoneclient functional suite
20:38:27 https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/functional/test_base.py#L24-L28 is the only thing that failed
20:44:15 https://github.com/openstack/python-keystoneclient/tree/master/keystoneclient/tests/functional/v2_0 doesn't have much in it either
20:46:05 Lance Bragstad proposed openstack/python-keystoneclient master: Remove v2.0 functional tests https://review.openstack.org/514823
20:46:17 we'll see if ^ passes
21:39:40 whew - the assignment api is complex
22:00:12 #endmeeting