Monday, 2013-02-25

« Sunday, 2013-02-24 Index Tuesday, 2013-02-26 »
*** winston-d_ has joined #openstack-dev00:06
*** lucid- has quit IRC00:08
*** osphy has quit IRC00:12
*** lucid- has joined #openstack-dev00:16
*** markwash has joined #openstack-dev00:19
*** jeblair has quit IRC00:21
*** soody has quit IRC00:28
openstackgerritA change was merged to openstack/tempest: Add tests for server metadata  https://review.openstack.org/2243000:35
*** markmcclain has joined #openstack-dev00:36
*** ilblackdragon has joined #openstack-dev00:44
*** anniec has joined #openstack-dev00:45
*** markwash has quit IRC00:45
*** ilblackdragon has quit IRC00:46
*** anniec has quit IRC00:46
*** anniec has joined #openstack-dev00:48
*** morganfainberg has joined #openstack-dev00:49
*** hoodow has quit IRC01:09
*** hoodow has joined #openstack-dev01:09
*** jcmartin has joined #openstack-dev01:10
*** buzztroll_ has joined #openstack-dev01:11
*** soody has joined #openstack-dev01:13
*** markmcclain has quit IRC01:14
*** stevebaker has quit IRC01:14
*** stevebaker has joined #openstack-dev01:16
*** markmcclain has joined #openstack-dev01:17
*** markwash has joined #openstack-dev01:26
*** soody has quit IRC01:26
*** buzztroll_ has quit IRC01:33
*** markwash has quit IRC01:35
*** adjohn has quit IRC01:38
*** adjohn has joined #openstack-dev01:40
*** soody has joined #openstack-dev01:40
*** soody has quit IRC01:47
*** gongysh has joined #openstack-dev01:47
*** gongysh has quit IRC01:47
*** gongysh has joined #openstack-dev01:48
*** yaguang has joined #openstack-dev01:51
*** soody has joined #openstack-dev01:51
*** morganfainberg has quit IRC01:54
*** danwent has joined #openstack-dev01:54
*** soody has quit IRC01:55
*** morganfainberg has joined #openstack-dev01:56
*** morganfainberg has quit IRC01:59
*** ladquin has quit IRC01:59
*** morganfainberg has joined #openstack-dev02:00
*** buzztroll_ has joined #openstack-dev02:00
*** morganfainberg1 has joined #openstack-dev02:02
*** morganfainberg has quit IRC02:02
*** amotoki has joined #openstack-dev02:03
*** bing_bu has joined #openstack-dev02:06
*** buzztroll_ has quit IRC02:06
*** aeperezt has quit IRC02:07
*** Tross has joined #openstack-dev02:07
*** gongysh has quit IRC02:09
*** aeperezt has joined #openstack-dev02:11
*** jeblair has joined #openstack-dev02:11
*** soody has joined #openstack-dev02:15
openstackgerritA change was merged to openstack/cinder: XenAPINFS: Fix Volume always uploaded as vhd/ovf  https://review.openstack.org/2257602:22
*** soody has quit IRC02:35
*** markmcclain has quit IRC02:36
*** torandu has quit IRC02:38
lifelessttx: http://summit.openstack.org/cfp is missing a Quantum topic02:38
lifelessttx: 'networking' suggests nova-network to me :/02:38
*** torandu has joined #openstack-dev02:40
*** Ryan_Lane has quit IRC02:40
*** Ryan_Lane has joined #openstack-dev02:43
*** alexxu has joined #openstack-dev02:44
*** markmcclain has joined #openstack-dev02:47
*** stevebaker2 has joined #openstack-dev02:48
*** stevebaker has quit IRC02:49
*** zodiak has joined #openstack-dev02:51
*** soody has joined #openstack-dev02:55
*** stevebaker2 has quit IRC02:56
*** stevebaker has joined #openstack-dev02:56
*** soody has quit IRC03:00
*** bing_bu has quit IRC03:04
*** soody has joined #openstack-dev03:12
*** gongysh has joined #openstack-dev03:13
*** bing_bu has joined #openstack-dev03:17
*** tomoe_ has joined #openstack-dev03:17
*** tomoe_ has quit IRC03:21
*** bing_bu has quit IRC03:23
*** tomoe_ has joined #openstack-dev03:27
*** shang_ has quit IRC03:27
*** shang has joined #openstack-dev03:31
openstackgerritA change was merged to openstack/quantum: Imported Translations from Transifex  https://review.openstack.org/2280903:34
*** bing_bu has joined #openstack-dev03:36
BLZbubbaok this is a weird one, i moved nova-api to its own machine and i can create & reboot vm's, but when I try to terminate one I get this:03:41
BLZbubbahttp://pastebin.ca/231719403:41
BLZbubba"This method may not be used."03:41
*** ewindisch has joined #openstack-dev03:42
*** Tross has quit IRC03:44
*** ilblackdragon has joined #openstack-dev03:48
*** gongysh has quit IRC03:48
*** sacharya has joined #openstack-dev03:52
*** sacharya has quit IRC03:52
annieclogger url03:58
*** anniec has left #openstack-dev03:59
*** anniec has joined #openstack-dev03:59
*** ewindisch has quit IRC04:03
*** sthaha has joined #openstack-dev04:07
*** uvg has joined #openstack-dev04:11
*** Tross has joined #openstack-dev04:16
*** soody has quit IRC04:38
BLZbubbaah, it was the proxy that was returning that error04:41
*** Tross has quit IRC04:48
*** pixelbeat has quit IRC04:49
*** boris-42 has joined #openstack-dev04:52
*** nati_ueno has joined #openstack-dev04:54
*** Mandell has joined #openstack-dev04:59
*** Tross has joined #openstack-dev05:08
*** Tross has quit IRC05:08
*** Tross has joined #openstack-dev05:12
*** markwash has joined #openstack-dev05:13
*** aeperezt has quit IRC05:14
*** mohits has joined #openstack-dev05:17
*** markwash has quit IRC05:18
*** woodspa has quit IRC05:19
*** gongysh has joined #openstack-dev05:22
*** anniec has quit IRC05:25
*** davidha has joined #openstack-dev05:28
*** ritzcarltn has joined #openstack-dev05:29
*** navid has joined #openstack-dev05:32
*** jcmartin has quit IRC05:43
*** kagan has joined #openstack-dev05:45
*** almaisan-away is now known as al-maisan05:51
*** al-maisan is now known as almaisan-away05:52
*** armaan has joined #openstack-dev05:58
*** uvg has left #openstack-dev06:01
*** davidha has quit IRC06:06
*** morganfainberg1 has left #openstack-dev06:07
*** morganfainberg has joined #openstack-dev06:08
*** darjeeling has quit IRC06:08
*** koolhead17 has joined #openstack-dev06:10
*** kagan has quit IRC06:10
*** alunduil has joined #openstack-dev06:19
*** hattwick has quit IRC06:19
*** shang has quit IRC06:22
*** otherwiseguy has quit IRC06:26
*** afazekas has joined #openstack-dev06:31
*** adjohn has quit IRC06:32
*** flepied has quit IRC06:34
*** shang has joined #openstack-dev06:35
*** CaptTofu has joined #openstack-dev06:37
*** ritzcarltn has quit IRC06:38
*** CaptTofu has quit IRC06:43
*** adjohn has joined #openstack-dev06:44
*** CaptTofu has joined #openstack-dev06:44
*** adjohn has quit IRC06:45
*** adjohn has joined #openstack-dev06:45
*** fc__ has joined #openstack-dev06:54
*** CaptTofu has quit IRC07:01
*** CaptTofu has joined #openstack-dev07:01
*** adjohn has quit IRC07:03
*** garyk has joined #openstack-dev07:04
*** adjohn has joined #openstack-dev07:05
*** CaptTofu has quit IRC07:06
*** markmcclain has quit IRC07:13
*** AnilV4 has joined #openstack-dev07:19
*** yolanda has joined #openstack-dev07:30
*** darjeeling has joined #openstack-dev07:32
*** avishay has joined #openstack-dev07:33
*** henrynash has joined #openstack-dev07:37
*** hemna has quit IRC07:41
*** flepied has joined #openstack-dev07:46
*** corXi has joined #openstack-dev07:55
*** reidrac has joined #openstack-dev07:55
*** yuanz has joined #openstack-dev07:59
*** techlife has quit IRC08:00
*** mmagr has joined #openstack-dev08:01
*** flaper87 has joined #openstack-dev08:02
*** melwitt has joined #openstack-dev08:02
*** avishay has quit IRC08:03
*** rafaduran has joined #openstack-dev08:03
*** zoresvit has joined #openstack-dev08:04
*** adjohn has quit IRC08:04
*** reidrac has quit IRC08:07
*** psedlak has joined #openstack-dev08:07
*** nati_ueno has quit IRC08:07
*** nati_ueno has joined #openstack-dev08:08
*** reidrac has joined #openstack-dev08:09
*** techlife has joined #openstack-dev08:10
*** nati_ueno has quit IRC08:13
*** amerine has joined #openstack-dev08:16
*** koolhead17 has quit IRC08:17
*** jprovazn has joined #openstack-dev08:18
*** pasquier-s has joined #openstack-dev08:19
openstackgerritA change was merged to openstack/quantum: Add pagination parameters for extension extraroute  https://review.openstack.org/2266608:22
*** thouveng has joined #openstack-dev08:22
*** avishay has joined #openstack-dev08:25
*** techlife has quit IRC08:27
*** flaper87 has quit IRC08:28
*** techlife has joined #openstack-dev08:28
*** flaper87 has joined #openstack-dev08:29
*** zoresvit has quit IRC08:33
*** adjohn has joined #openstack-dev08:35
*** avishay has quit IRC08:35
garykamotoki: ping08:35
amotokigaryk: pong08:35
*** flepied has quit IRC08:35
*** almaisan-away is now known as al-maisan08:35
garykamotoki: hi, how are you? question regarding devstack and security groups - do i need to configure anyhthing special?08:35
garykamotoki: for nova I have LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver08:36
garykamotoki: anything else?08:36
*** aloga has joined #openstack-dev08:36
*** flepied has joined #openstack-dev08:36
amotokigaryk: which plugin do you use? ovs?08:36
garykamotoki: ovs08:36
amotokiat the moment, the default value of quantum firewall_driver for OVS pluign is noop.08:37
amotokigaryk: so we need to configure plugin ini.08:37
garykamotoki: what should i configure there?08:37
amotokigaryk: firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver  in ovs_quantum_plugin.ini is comment out by default.08:38
amotokigaryk: please uncomment it.08:38
garykamotoki: ok, thanks08:38
gongyshgaryk: why do u need it?08:38
*** melwitt has quit IRC08:39
garykgongysh: on fedora 18 the dhcp request is discarded by the iptables.08:39
*** gael_ has joined #openstack-dev08:40
gongyshovs plugin should have no iptables by default. so it is not the quantum problem if fedora 18 does not like the dhcp package.08:40
amotokigaryk: the behavior is different from expected one. If firewall_driver both in nova and quantum are Noop, no one drop the packets....08:40
gongyshgaryk: dhcp package -> dhcp message.08:41
*** Qten has joined #openstack-dev08:41
garykgongysh: amotoki: by default fedora has discard rules.08:42
garykgive me a few minutes and i'll post the tables08:44
*** adjohn has quit IRC08:44
*** dosaboy has joined #openstack-dev08:45
garykamotoki: gongysh: with quantums security group rules it works! this is a great sign. by default nova's do not.08:48
*** giulivo has joined #openstack-dev08:49
*** zoresvit has joined #openstack-dev08:50
amotokigaryk: Sounds nice. In quantum security group, the bottom riquantum-*-sg-chain of iptables rules is ACCEPT. Thus if all security group rules are passed for the packet, the packet is accepted.08:50
garykamotoki: :)08:50
amotokigaryk: The reason that quantum secgroup in OVS plugin is disabled by default is to pass gating. devstack and gating test have no support of quantum secgroup now.08:52
garykamotoki: ok. thanks for the clarifications.08:53
*** yaguang has quit IRC08:54
*** yaguang has joined #openstack-dev08:54
*** Ritz has joined #openstack-dev08:55
*** winston-d_ has quit IRC08:55
*** jgallard has joined #openstack-dev08:57
*** tomoe_ has quit IRC08:58
*** tomoe_ has joined #openstack-dev08:59
*** zoresvit has quit IRC08:59
*** jpich has joined #openstack-dev09:03
*** tomoe_ has quit IRC09:04
*** jgallard has quit IRC09:08
*** adjohn has joined #openstack-dev09:10
*** jdurgin has quit IRC09:12
*** zoresvit has joined #openstack-dev09:12
*** derekh has joined #openstack-dev09:13
*** negronjl` is now known as negronjl09:13
*** ndipanov has joined #openstack-dev09:14
*** adjohn has quit IRC09:15
*** darjeeling has quit IRC09:16
*** gongysh has quit IRC09:16
*** henrynash has quit IRC09:17
*** nsatterl_ has joined #openstack-dev09:24
*** jdurgin has joined #openstack-dev09:24
*** nsatterl_ has joined #openstack-dev09:25
*** johnthetubaguy has joined #openstack-dev09:25
*** navid has quit IRC09:26
*** amerine has quit IRC09:26
*** jgallard has joined #openstack-dev09:28
*** alexxu has quit IRC09:28
*** pixelbeat has joined #openstack-dev09:28
*** bing_bu has quit IRC09:30
*** darraghb has joined #openstack-dev09:30
*** afazekas has quit IRC09:33
*** psedlak has quit IRC09:33
*** romcheg has joined #openstack-dev09:33
*** psedlak has joined #openstack-dev09:36
*** giulivo has quit IRC09:38
*** dosaboy has quit IRC09:38
*** giulivo has joined #openstack-dev09:38
*** danwent has quit IRC09:38
*** dosaboy has joined #openstack-dev09:38
*** koolhead17 has joined #openstack-dev09:39
*** lucasagomes has joined #openstack-dev09:42
*** giulivo has quit IRC09:42
*** afazekas has joined #openstack-dev09:45
*** eglynn has joined #openstack-dev09:45
*** osphy has joined #openstack-dev09:46
*** vkmc has joined #openstack-dev09:51
*** psedlak has quit IRC09:52
*** psedlak has joined #openstack-dev09:52
*** yaguang has quit IRC09:53
*** giulivo has joined #openstack-dev09:53
*** buzztroll_ has joined #openstack-dev09:53
*** AnilV4 has quit IRC09:55
*** henrynash has joined #openstack-dev09:56
*** thickski_ has joined #openstack-dev10:00
*** psedlak_ has joined #openstack-dev10:02
thickski_hello all.10:02
thickski_http://pastebin.com/8BM6PkMU10:02
*** flepied has quit IRC10:02
*** flepied1 has joined #openstack-dev10:02
thickski_ I can`t install quantum-l3-agent-g210:03
*** buzztroll_ has quit IRC10:05
*** psedlak has quit IRC10:06
*** henrynash has quit IRC10:07
*** thickski_ has left #openstack-dev10:07
*** iartarisi has joined #openstack-dev10:09
*** danpb has joined #openstack-dev10:10
*** adjohn has joined #openstack-dev10:11
*** darjeeling has joined #openstack-dev10:11
*** darjeeli_ has joined #openstack-dev10:11
*** henrynash has joined #openstack-dev10:14
*** psedlak_ has quit IRC10:15
*** trapniii has quit IRC10:15
*** darjeeling has quit IRC10:15
*** adjohn has quit IRC10:15
*** henrynash has quit IRC10:16
*** afazekas has quit IRC10:18
*** afazekas has joined #openstack-dev10:24
*** psedlak has joined #openstack-dev10:28
*** psedlak has quit IRC10:29
*** psedlak has joined #openstack-dev10:29
*** doude has joined #openstack-dev10:29
*** trapni has joined #openstack-dev10:31
*** ondergetekende has joined #openstack-dev10:32
*** hattwick has joined #openstack-dev10:35
*** amerine has joined #openstack-dev10:36
*** zoresvit has quit IRC10:36
*** johnthetubaguy has quit IRC10:44
*** anniec has joined #openstack-dev10:45
*** bourke_ has joined #openstack-dev10:45
*** bourke has quit IRC10:46
ondergetekendeI submitted a change for review, just over a week ago, but my most recent patchset hasn't seen any reviews yet.10:47
ondergetekendeShould I be patient, or is there something I forgot to do?10:47
vkmcondergetekende, Hi! Link?10:48
*** johnthetubaguy has joined #openstack-dev10:51
*** johnthetubaguy1 has joined #openstack-dev10:53
*** amerine has quit IRC10:54
*** zoresvit has joined #openstack-dev10:55
*** trapnii has joined #openstack-dev10:55
*** johnthetubaguy has quit IRC10:56
*** trapni has quit IRC10:58
*** adjohn has joined #openstack-dev11:11
ondergetekendevkmc, https://review.openstack.org/#/c/21958/11:15
*** adjohn has quit IRC11:16
*** afazekas has quit IRC11:17
*** afazekas has joined #openstack-dev11:18
*** amerine has joined #openstack-dev11:21
vkmcondergetekende, It looks good! So I guess you should wait a little more11:21
ondergetekendeThanks. I'll do that.11:21
vkmcondergetekende, I saw you had some issues with Jenkins pep8 tests11:22
ondergetekendeYeah, i did11:22
vkmcondergetekende, Tox provides a way to test them before commit :)11:22
vkmcondergetekende, tox -e pep811:22
ondergetekendeWhere would I find tox?11:23
vkmcondergetekende, sudo pip install tox11:23
ondergetekendeWill do.11:23
vkmcondergetekende, Is used by Oslo folks to test their code, so it may be handy for you if you keep contributing to that project11:24
vkmcondergetekende, https://github.com/openstack/oslo-incubator more info here11:24
zykes-vkmc: do you develop horizon stuffs ?11:24
ondergetekendeThere's no mention of tox in the general openstack 'how to contribute' wiki.11:24
vkmczykes-, Yeap :)11:24
vkmcondergetekende, Nope... testing is different in each project usually11:25
ondergetekendeGood to know.11:26
vkmcondergetekende, So it's always good to check project's code rep, channel and wiki to get more information11:26
*** AnilV4 has joined #openstack-dev11:27
*** adalbas has joined #openstack-dev11:33
*** johnthetubaguy1 is now known as johnthetubaguy11:36
*** amerine has quit IRC11:40
*** afrittoli has quit IRC11:52
*** david2 has joined #openstack-dev11:52
*** andreaf has joined #openstack-dev11:52
*** mohits has quit IRC11:57
*** jruzicka has joined #openstack-dev11:59
*** eharney has joined #openstack-dev12:02
*** eharney has quit IRC12:02
*** eharney has joined #openstack-dev12:02
*** rkukura has left #openstack-dev12:03
*** nsatterl_ has quit IRC12:03
*** amerine has joined #openstack-dev12:07
*** cdub_ has quit IRC12:07
*** cdub_ has joined #openstack-dev12:08
*** timello has quit IRC12:16
*** timello has joined #openstack-dev12:16
*** alexxu has joined #openstack-dev12:16
*** ladquin has joined #openstack-dev12:18
*** markmc has joined #openstack-dev12:18
*** mindpixel has joined #openstack-dev12:19
*** amerine has quit IRC12:22
*** jbr_ has joined #openstack-dev12:26
*** Yada has joined #openstack-dev12:26
*** martine_ has joined #openstack-dev12:27
amotokigaryk: ping12:29
garykamotoki: hi12:30
amotokigaryk: have you tested router schduler of yong's patch?12:30
garykamotoki: i am testing it at the moment. i have an all in one setup and in the process of adding another host.12:30
amotokigaryk: I am in a half way of testing. test for dhcp-agnet scheduler works well with multi nodes.12:31
garykamotoki: i have just tested the basics at the moment12:31
*** darjeeling has joined #openstack-dev12:31
amotokigaryk: it is good we don't have duplicated tests so far :-)12:31
garykamotoki: :). it is a big patch set12:32
*** martine_ has quit IRC12:32
amotokiI will test router scheduler with three nodes tommorow.12:32
amotokigaryk: it becomes good shape as far as I tested.12:33
*** zoresvit has quit IRC12:33
garykamotoki: me too12:33
amotokigaryk: thanks.12:34
garykamotoki: thank you12:34
*** darjeeli_ has quit IRC12:35
*** jruzicka has quit IRC12:36
*** tomoe_ has joined #openstack-dev12:37
*** ewindisch has joined #openstack-dev12:40
*** adjohn has joined #openstack-dev12:42
*** zoresvit has joined #openstack-dev12:45
*** darjeeling has quit IRC12:46
*** ewindisch has quit IRC12:47
*** adjohn has quit IRC12:47
*** amerine has joined #openstack-dev12:51
*** jruzicka has joined #openstack-dev12:52
*** lucasagomes has quit IRC12:53
*** giulivo has quit IRC12:57
*** giulivo has joined #openstack-dev12:58
*** digitalsanctum has joined #openstack-dev13:01
*** amerine has quit IRC13:09
*** pcm_ has joined #openstack-dev13:10
*** martine_ has joined #openstack-dev13:11
*** sthaha has quit IRC13:11
*** adjohn has joined #openstack-dev13:13
maurosrboris-42, good morning, are you boris pavlovic?13:13
boris-42maurosr yes13:14
maurosrboris-42: do you have a momment to give me some help on db migrations?13:14
*** adjohn has quit IRC13:17
*** anniec_ has joined #openstack-dev13:18
*** gargya has joined #openstack-dev13:21
*** anniec has quit IRC13:21
*** anniec_ is now known as anniec13:21
*** zoresvit has quit IRC13:23
*** amotoki has quit IRC13:28
*** johnthetubaguy has quit IRC13:30
*** READ10 has joined #openstack-dev13:34
*** flepied1 is now known as flepied13:35
*** CaptTofu has joined #openstack-dev13:37
*** amerine has joined #openstack-dev13:37
*** salv-orlando has quit IRC13:38
*** zoresvit has joined #openstack-dev13:38
*** salv-orlando has joined #openstack-dev13:39
*** afazekas has quit IRC13:40
*** yamahata has joined #openstack-dev13:41
*** nunosantos has joined #openstack-dev13:42
*** adjohn has joined #openstack-dev13:44
*** darjeeling has joined #openstack-dev13:45
*** adjohn has quit IRC13:48
*** mtreinish has joined #openstack-dev13:49
*** parthi has joined #openstack-dev13:50
*** terryh has joined #openstack-dev13:53
*** anteaya has joined #openstack-dev13:57
*** amerine has quit IRC13:57
*** parthi has quit IRC13:59
*** johnthetubaguy has joined #openstack-dev14:00
*** yamahata has quit IRC14:00
*** esheffield has joined #openstack-dev14:01
*** cabral has joined #openstack-dev14:02
*** arbrandes has joined #openstack-dev14:02
*** dprince has joined #openstack-dev14:03
*** alunduil has quit IRC14:04
*** henrynash has joined #openstack-dev14:04
*** CaptTofu has quit IRC14:04
ayounghenrynash, how do you specify the parameters to setUp?14:07
xxiaois there a clean way to enable OFFLINE_COMPRESS=True in devstack for horizon?14:07
henrynashwhen you call the superclass setup in the child14:08
xxiaoI did that and at run time I'm still asked to run 'python manage.py compress', but for my platform(powerpc), there is no node-less to do that14:08
xxiaoi was thinking on run that on x86 to generate all static css/js etc then copy over, but still horizon refuses to run14:08
*** CaptTofu has joined #openstack-dev14:09
*** woodspa has joined #openstack-dev14:09
xxiaocan horizon just pick all the pre-built css/js whenever I set OFFLINE_COMPRESS=True?14:10
xxiaothe whole point of OFFLINE_COMPRESS=True is to avoid 'python manage.py compress' I thought...14:10
henrynashayoung: when you call the superclass setup in the child (sorry, missed off your handle on first reply)14:11
ayounghenrynash, nope, I got it14:12
ayounghenrynash, are you good with my changes to the API doc for Trusts?  I think i addressed all of your points.14:13
*** adjohn has joined #openstack-dev14:14
henrynashayoung: yes, thanks,…although just not  quite sure about your reply on impersonation…was your comment saying that we only change the user_id if impersonation is set, or maybe making a more general comment?14:15
ayoungwe only change the userid if impersonation is set14:15
ayoungI was just explaining the rationale14:15
*** radez_g0n3 is now known as radez14:16
henrynashayoung: Ok, agreed….(and although I know you want us to concentrate on the code), that text implies we always change the user_id14:17
ayounghenrynash, no, that is cool.  Let me reread it...14:17
henrynashayoung: other than that, +2 from me14:17
ayounghenrynash, yes, that needs to be fixed.  I'll hit that right now14:18
henrynashayoung: ok, great14:18
*** beagles has quit IRC14:18
*** adjohn has quit IRC14:18
*** digitalsanctum has quit IRC14:20
ayounghenrynash,   Reposted14:20
henrynashayoung: looking...14:21
*** eharney has quit IRC14:21
henrynashayoung: ok, +2's14:23
henrynash+2'd14:23
*** amerine has joined #openstack-dev14:23
ayounghenrynash, now on to the code....14:24
henrynashayoung: yep….gone through some, will do more this afternoon14:24
*** flepied has quit IRC14:24
henrynashguang: you on?14:25
ayounghenrynash, please tell me that you are in Europe and "this afternoon" is not 3 hours away!14:25
henrynashayoung: I'm in Europe!14:25
*** eharney has joined #openstack-dev14:25
*** eharney has quit IRC14:25
*** eharney has joined #openstack-dev14:25
*** armaan has left #openstack-dev14:25
henrynashayoung: so already working through it…made a few comments14:26
*** annegentle has joined #openstack-dev14:26
*** johnthetubaguy has quit IRC14:26
*** NobodyCam has joined #openstack-dev14:27
*** avishay has joined #openstack-dev14:29
*** bknudson has joined #openstack-dev14:29
*** cdub has quit IRC14:31
*** cdub has joined #openstack-dev14:32
*** trapnii has quit IRC14:32
*** ewindisch has joined #openstack-dev14:32
*** rkukura has joined #openstack-dev14:33
*** zing has joined #openstack-dev14:33
*** beagles has joined #openstack-dev14:34
*** dev_sa has joined #openstack-dev14:37
*** jimfehlig has joined #openstack-dev14:38
*** johnthetubaguy has joined #openstack-dev14:38
henrynashayoung: so are we really trying to allow authentication via the v2 api of a v3 token (the other way makes perfect sense)?14:39
ayounghenrynash, No, I don't think I added that in there.14:40
*** arbrandes has quit IRC14:40
*** amerine has quit IRC14:41
henrynashyoung; So in the v2 Auth controller…you are checking for trusts as part of the token being used to authenticate with…surely that can only be a v3 token?14:41
henrynash..can only be from a v3 token14:41
ayounghenrynash, nope14:44
ayounghenrynash, we need trusts for v2 tokens, as people are asking for trusts now.14:44
*** adjohn has joined #openstack-dev14:45
henrynashayoung: ah, so we are changing the v2 token api to allow you to include a trust in the auth?14:46
ayounghenrynash, what do you mean in your review by "Do we not also need to add in any project_id that is present (that would be in the v2 token as a tenant_id)?"14:46
ayounghenrynash, do you mean out of the payload?14:46
ayoungah, out of the token, so policy can make an RBAC decision on it14:47
henrynashayoung: well in the previous v2 code (before I messed with it), it put the tenant_id into the creds (presumably so you can match by default tenant)14:48
ayoungok...yep missed that.  cool14:48
henrynashayoung: ok14:48
*** adjohn has quit IRC14:50
ayounghenrynash, thing is, none of our policy currently uses that14:50
ayoungbut it should be there.14:50
henrynashayoung: agreed14:51
*** david2 has quit IRC14:51
flaper87is it possible to add a dependency to an existing review?14:51
ayoungflaper87, yes14:51
*** avishay has quit IRC14:52
ayoungflaper87, if you upload a new version that depends on another review, both with be uploaded/updated14:52
ayoungflaper87, if the dependency has not changed, then just your top level commit will be updated, and will show that it depends on the other14:52
*** portante has quit IRC14:53
flaper87ayoung: cool, thanks14:54
*** sandywalsh has joined #openstack-dev14:55
henrynashayoung: so on trusts & v2 tokens…are you saying we should be able to issue a v2 token based on trust from a v3 api call…or from either a v2 or v3 api call?14:56
flaper87ayoung: mmh, what if the dependency was created after the review that depends on it ?14:59
* flaper87 is missing somethign14:59
flaper87something*14:59
ayoungflaper87, doesn't matter.15:00
*** arbrandes has joined #openstack-dev15:00
*** trapni has joined #openstack-dev15:00
*** trapni has joined #openstack-dev15:00
ayounghenrynash, I think it is OK to create a trust with V3, and use that trust in V2.15:00
openstackgerritA change was merged to openstack/ceilometer: Make sure that the period is returned as an int as the api expects an int.  https://review.openstack.org/2281715:00
ayounghenrynash, creating the trust and using it will happen at different times.15:00
openstackgerritA change was merged to openstack/ceilometer: Imported Translations from Transifex  https://review.openstack.org/2264215:00
henrynashayoung: but that means we are change the v2 auth rrequest format, no?15:00
ayounghenrynash, we are adding to it in a backwards compatbile way.  That request is fairly well undocumented.15:01
ayounghenrynash, something else we need to rectify15:01
*** alunduil has joined #openstack-dev15:02
openstackgerritA change was merged to openstack/ceilometer: Remove compat cfg wrapper  https://review.openstack.org/2277215:02
henrynashayoung: Ok, hadn't twigged we were doing that.  Can you point me at the spec for the v2 api?15:02
ayounghenrynash, there is an old one, but it has severly bit-rotted.15:02
henrynashayoung: aahh, sorry, freudian slip you said undocumented!15:03
ayounghenrynash, so, for all intensive porposes, no15:03
henrynashayoung:  OK, btw, just looking again at the (new) spec for Trust API…is the auth request for the Trust authentication method right?  It doesn't seem to match the format of the others15:04
flaper87ayoung: perfect, thanks, worked like a charm15:04
*** utlemming has joined #openstack-dev15:05
ayounghenrynash, all it should have in it is the token id and trust id15:06
ayounghenrynash, line 1115?15:06
ayounghenrynash, it is pretty much identical to the version above it15:07
*** annegentle has quit IRC15:07
henrynashayoung: section starting at 1006: the example uses "authentication" rather than, I assume "auth"15:07
*** boris-42 has quit IRC15:07
ayounghenrynash, BRB...got to take my wife to the train, back in 1515:07
*** david2 has joined #openstack-dev15:07
ayounghenrynash, ah, yeah, that is true. I'll figrue oput which is right and repost15:08
henrynashayoung: :-)15:08
*** amerine has joined #openstack-dev15:09
*** johnthetubaguy1 has joined #openstack-dev15:10
*** yidclare has joined #openstack-dev15:12
*** maoy has joined #openstack-dev15:16
garyksdague: ping15:16
*** nati_ueno has joined #openstack-dev15:18
*** eharney has quit IRC15:20
*** rustlebee is now known as russellb15:20
*** koolhead17 has quit IRC15:22
ayounghenrynash, I tend to avoid abbreviations, but in this case, the abbreviation was deliberate, to avoid deciding between authentication and authorization15:23
henrynashayoung: but compare the trust authentication format with the methods above (password & token)…is there a reason they don't look more similar?15:25
ayounghenrynash, "identity": {  didn't work when I tried it.  I think that the code and the api have diverged15:26
*** sacharya has joined #openstack-dev15:26
ayoungand I see no reason that 'identity' should be in there.  Do you?15:26
henrynashayoung: so dolph added that recently15:26
*** nati_ueno has quit IRC15:27
henrynashayoung: it is so you can have identity and scope at that level15:27
henrynashwith auth at the top level15:27
henrynash(and you can only have one thing at the top level)15:27
*** aeperezt has joined #openstack-dev15:28
ayounghenrynash, hm...the XML thing?15:28
henrynashayoung: (yep)….so I'd have expected trusts to be "auth" : "methods" : "trust"15:28
*** amerine has quit IRC15:29
henrynashand have "token" and "trust" (with their respective data) at the same level as methods15:29
*** dolphm has joined #openstack-dev15:29
*** diogogmt has joined #openstack-dev15:29
*** diogogmt has joined #openstack-dev15:30
ayounghenrynash, except that a trust is not an auth method15:30
henrynashayoung: ah15:30
henrynashayoung: retreats15:30
ayounghenrynash, it might be hair-splitting, but a trust is more a modifier of a token.  It doesn't provide any more confirmation of identity....15:31
henrynashayoung: about to say that…yes it's a form to token auth15:31
henrynashayoung: so I guess the format should just look like the token one, with the "trust" added on?15:32
ayounghenrynash, that is my thought.15:32
henrynashayoung: OK, yep.  agreed.15:32
ayounghenrynash, The trust modifier could potentially be added to other auth methods in the future15:32
*** cloudchimp has joined #openstack-dev15:32
*** jruzicka has quit IRC15:32
henrynashayoung: yes, true15:32
sdaguegaryk: pong15:33
henrynashayoung: so, if you update the spec to that, I'm a happy bunny15:33
*** alszar has joined #openstack-dev15:33
*** terryh has quit IRC15:33
*** alszar has quit IRC15:33
garyksdague: hi, any chance that you can look at https://review.openstack.org/#/c/22546/. i have addressed your comments.15:34
*** alszar has joined #openstack-dev15:34
*** CaptTofu has quit IRC15:34
henrynashayoung: as an aside, I think I have another v2/v3 token issue15:34
*** jaypipes has joined #openstack-dev15:35
ayounghenrynash, will do....but I think that the code might be broken on the v3 token side15:35
*** sacharya has quit IRC15:35
garyksdague: thanks!15:36
henrynashayoung: updating the auth token middleware….as when I get a token from the caller, how do I know whether to validate it via a v2 or a v3 api…since the v3 api I think, assumes that any token it has stored is a v3 one15:36
ayounghenrynash, that is a good question.  A question that needs to be asked.  I am not going to answer that question.15:37
ayounghenrynash, but...15:37
henrynashayoung: ha! :-)15:37
ayoungI can suggest that we do the same thing that policy does15:37
ayoung if 'token_data' in token_ref:15:37
*** al-maisan is now known as almaisan-away15:37
henrynashayoung: but in the auth token middleware I only had the token Id I think?15:38
*** zbitter is now known as zaneb15:38
henrynashayoung: I fear that the v3 token validation might need to look at the store token and then pass back that data in either v2 or v3 format15:39
henrynashayoung: in the keystone server i=I mean15:39
*** rnirmal has joined #openstack-dev15:39
ayounghenrynash, no, a PKI token will have all it needs to validate without calling the server15:40
ayoungthat is whythe darn things are so long15:40
henrynashayoung: true for PKI15:40
ayounghenrynash, but...15:40
ayoungan interesting question about on line validation15:40
henrynashayoung: not for regular UUID tokens….15:40
ayoungthe v2 API will pass iback in v2 format, the 3 in v3 format15:41
ayoungthe data is the same.15:41
*** digitalsanctum has joined #openstack-dev15:41
ayoungBut v2 knows nothing about domains....15:41
*** dolphm has quit IRC15:41
ayounghenrynash, quesions for gyee and dolphm15:41
henrynashayoungL yep, agreed…you get back to coding trusts....15:41
henrynashayoung: afk for a bit, back in 30 mins or so...15:43
*** terryh has joined #openstack-dev15:43
*** zbitter has joined #openstack-dev15:45
*** ondergetekende has quit IRC15:46
*** adjohn has joined #openstack-dev15:46
*** bourke_ has quit IRC15:47
*** bourke has joined #openstack-dev15:48
*** kbringard has joined #openstack-dev15:48
*** dolphm has joined #openstack-dev15:48
*** CaptTofu has joined #openstack-dev15:48
*** jrodom has joined #openstack-dev15:48
*** zaneb has quit IRC15:49
*** dachary has joined #openstack-dev15:49
dacharyHi, is there a chan devoted to the next openstack summit ?15:49
*** mestery has quit IRC15:49
openstackgerritA change was merged to openstack/oslo-incubator: Clean up sqlalchemy exception code  https://review.openstack.org/2270415:50
*** topol has joined #openstack-dev15:50
*** adjohn has quit IRC15:51
*** wowdd1 has joined #openstack-dev15:52
*** amerine has joined #openstack-dev15:55
*** jrodom has quit IRC15:55
*** eharney has joined #openstack-dev15:55
*** yamahata has joined #openstack-dev15:56
topolhenrynash, regarding my bug fix. I need to recommit the patch and swap the two comment lines, correct?15:56
*** pcm_ has quit IRC15:57
*** amerine has quit IRC15:59
*** zoresvit has quit IRC16:00
*** reidrac has quit IRC16:01
*** david2 has quit IRC16:01
*** adjohn has joined #openstack-dev16:02
*** dachary has quit IRC16:02
*** Mandell has quit IRC16:02
*** davidha has joined #openstack-dev16:02
*** zoresvit has joined #openstack-dev16:02
*** gargya has quit IRC16:03
*** amerine has joined #openstack-dev16:03
*** koolhead17 has joined #openstack-dev16:03
*** wowdd1 has quit IRC16:04
*** crandquist has joined #openstack-dev16:04
*** buzztroll_ has joined #openstack-dev16:05
*** amerine has quit IRC16:07
*** zeriouz has joined #openstack-dev16:07
*** markmcclain has joined #openstack-dev16:08
openstackgerritA change was merged to openstack/nova: Clean unused kernels and ramdisks from image cache  https://review.openstack.org/2277716:09
*** giroro_ has quit IRC16:10
*** imsplitbit has joined #openstack-dev16:12
*** cp16net is now known as cp16net|away16:12
*** zaitcev has joined #openstack-dev16:12
*** pcm__ has joined #openstack-dev16:13
ayoungdolphm, henrynash noticed a couple things that needed to be fixed in the V3 Trust API doc.  Posted the new changes.  Can you take a look?  I'm starting to feel the ticks of the clock....16:13
*** jprovazn has quit IRC16:14
*** zoresvit has quit IRC16:15
*** Ruetobas has joined #openstack-dev16:15
*** boris-42 has joined #openstack-dev16:15
*** Gordonz has joined #openstack-dev16:15
*** datsun180b has joined #openstack-dev16:16
*** cloudchimp has quit IRC16:17
*** Gordonz has quit IRC16:17
*** Gordonz has joined #openstack-dev16:17
*** alexxu has quit IRC16:19
dolphmayoung: i'm making changes for you and will post a diff16:19
ayoungdolphm, thanks16:20
*** Ruetobas has quit IRC16:20
*** pabelanger has joined #openstack-dev16:20
dolphmayoung: how do you plan on enforcing the subset of endpoints? we have no infrastructure for that16:20
ayoungdolphm, enforcement is not on the token side anyway.16:21
dolphmayoung: that's my question16:21
ayoungdolphm, so that is probably going to be part of an auth_token middleware patch16:21
dolphmayoung: it seems like a feature that needs to be on the token first16:21
ayoungdolphm, agreed.16:21
dolphmayoung: then what's the point of putting it in trusts now?16:21
*** brianr_ has quit IRC16:21
ayoungdolphm, I wrote it thinking we would get it in this round...back in October or so16:22
*** otherwiseguy has joined #openstack-dev16:22
*** brianr_ has joined #openstack-dev16:22
henrynashtopol: yes, just to a git commit --amend (or equivalent) and change the comments16:22
dolphmayoung: can we pull endpoints for the moment then, and then repropose in a couple weeks as v3.1?16:22
ayoungdolphm, definitely16:22
dolphmayoung: mind if i make that change in my diff?16:22
ayoungdolphm, not at all16:22
*** Ruetobas has joined #openstack-dev16:22
*** thouveng has quit IRC16:23
*** sacharya has joined #openstack-dev16:23
*** johnthetubaguy2 has joined #openstack-dev16:24
*** yidclare has quit IRC16:27
*** johnthetubaguy1 has quit IRC16:27
*** negronjl has quit IRC16:27
*** negronjl has joined #openstack-dev16:28
ayoungdolphm, I'll go ahead and excise the endpoints stuff from the Trusts patch.16:28
*** danwent has joined #openstack-dev16:28
*** mestery has joined #openstack-dev16:29
*** jsindy has joined #openstack-dev16:29
*** Ruetobas has quit IRC16:31
*** johnthetubaguy2 has quit IRC16:31
*** Ruetobas has joined #openstack-dev16:31
*** zoresvit has joined #openstack-dev16:32
*** johnthetubaguy1 has joined #openstack-dev16:33
ayoungdolphm, I actually really like yanking the enpoints code.  I am running the tests now. I'll post a new Trusts patch in a few minutes16:34
*** alszar has quit IRC16:34
*** trapni has quit IRC16:35
*** dolphm has quit IRC16:35
*** mrodden has quit IRC16:36
ayounghenrynash, removed all endpoint code from trusts.  dolphm, suggested it, since we don't enforce yet.16:36
henrynashayoung: ok…is is there an api update and a code update ready to look at ?16:37
*** bdpayne has joined #openstack-dev16:37
*** jcmartin has joined #openstack-dev16:38
*** dolphm has joined #openstack-dev16:38
*** amerine has joined #openstack-dev16:40
*** mohits has joined #openstack-dev16:42
*** gyee has joined #openstack-dev16:43
*** stevemar has joined #openstack-dev16:43
*** splitbit has joined #openstack-dev16:45
ayounghenrynash, dolphm was reworking the API.  I already posted the code16:45
henrynashayoung: ok16:46
ayounghenrynash, patch 22 should have not references to endpoints in the trust code.16:46
ayoungmake that 2316:46
henrynashayoung: 0k :-)16:46
dolphmayoung: henrynash: gyee and i also discussed "trust" becoming an attribute of "scope" during auth, as "trust" effectively changes the scope of authz that the token will receive16:47
*** salgado is now known as salgado-lunch16:47
dolphmayoung: henrynash: it wouldn't make sense to provide a "trust" attribute (which contains a project_id) and then attempt to specify some other scope (a project or domain) in the same request16:47
dolphmayoung: mind if i include that change as well?16:47
dolphmayoung: henrynash: thoughts/concerns?16:48
henrynashdolphm: yes, I can see that argument16:48
dolphmgyee: ^16:48
dolphmgyee: didn't realize you were on16:48
*** doude has left #openstack-dev16:48
ayoungdolphm, no, that makes perfect sense16:48
ayoungI like it16:49
dolphmayoung: cool16:49
*** david2 has joined #openstack-dev16:49
*** imsplitbit has quit IRC16:49
*** burris has quit IRC16:50
*** burris has joined #openstack-dev16:50
henrynashdolphm: btw, when you have a moment, got a question on in-line validation of tokens in the v2/v3 world we our middleware will be living in….(but finish what your doing on trusts first)16:50
*** ilblackdragon has quit IRC16:50
ayounghenrynash, BTW, I was wrong16:50
*** dontalton has joined #openstack-dev16:51
*** flepied has joined #openstack-dev16:51
ayoungthe validate API should be pulling the token out of the backend.  So V2 will need to be able to look at the serialized version of a V3 token and V3 will need to look at the serialized version of a v2 token16:51
dolphmhenrynash: inline or online?16:52
* ayoung thinks that is a good reason to normalize the backend storage16:52
henrynashayoung: well I was looking at auth_token and what we have to do to makeit hanlde v2 and v3 tokens16:52
dolphmayoung: ideally both controllers should be writing the same token format to the backend, which should be a v3 token16:53
dolphmayoung: that's not the case though16:53
*** mrodden has joined #openstack-dev16:53
*** beagles is now known as beagles|brb16:53
ayoungdolphm, I'll have to think through that, but on first blush, it will break things.16:53
ayoungdolphm, it is comparable to changing the return format from the validate API call16:54
*** jcmartin has quit IRC16:54
*** nati_ueno has joined #openstack-dev16:54
henrynashdolphm: and came to the point if I have a token id handed to me to validate (I don't know if its a v2 or v3 token I believe), then to I call v2/token or the v3 equivalent?16:54
ayoungdolphm, ugh, the more I think about this...Ok, let me mull on that for a while.16:54
henrynashdolphm: and if I call v3 and its a v2 token, I do't think our code handles that16:55
ayoungIf I pass a v3 token to a remote server, and it expects a v2 token, then it calls the v2 validate API, it is going to blow up right now.  Best case it gets an invalid token response.16:55
ayoungbut my guess is we'll get a 500, as the token will be pulled out of the backend, but will be missing the v2 fields that the validate code expects16:56
*** john5223 has joined #openstack-dev16:57
*** pcm__ has quit IRC16:57
gyeeayoung, v2 and v3 can be used interchangeably unless non default domain is involved16:58
gyeev2 and v3 tokens16:58
ayounggyee, OK, glad to hear it.16:58
*** amerine has quit IRC16:59
*** garyTh has joined #openstack-dev16:59
henrynashgyee: so can I call v3.validate_token with a token id that was created as a v2 token?16:59
ayounggyee, I realize I need to add the check that a token does not have "trust" in it before issuing another token for it. Is there any reason to avoid doing that in the "authenticate" method of the auth controller?16:59
gyeehenrynash, yes17:00
*** pcm_ has joined #openstack-dev17:00
henrynashgyee:…and I'll get back the token data in v3 format, I assume?17:00
*** dev_sa has quit IRC17:00
gyeeayoung, you can do it in token factory17:00
gyeeyou get the old token data in recreate_token17:01
gyeehenrynash, yes17:01
*** john5223 has quit IRC17:02
henrynashgyee: ok, excellent….17:02
*** zoresvit has quit IRC17:02
*** mindpixel has quit IRC17:02
henrynashgyee: btw, I started working on auth_token middleware to make sure it would handle domain scoped tokens, but then of course realised there was much more to it than that?  I don't want to step on your toes….where you planning to update the middleware for v3 tokens?  If not, I'm happy to continue17:03
*** dolphm has quit IRC17:03
*** tiamar has quit IRC17:03
*** garyTh has quit IRC17:03
*** tiamar has joined #openstack-dev17:04
gyeehenrynash, I am not working on middleware at the moment17:04
*** garyTh has joined #openstack-dev17:04
*** boris-42 has quit IRC17:05
*** john5223 has joined #openstack-dev17:06
*** salgado-lunch is now known as salgado17:07
*** edmund has joined #openstack-dev17:09
*** nati_ueno has quit IRC17:10
*** jsindy has quit IRC17:11
henrynashayoung, dolphm, gyee: I just want to validate a conversation that adam and I had earlier, that we are OK with changing the auth functionality of the v2 api to include the option of trusts…..I hadn't expected that…(not saying that there aren't customers that want that…)17:11
*** CaptTofu has quit IRC17:12
*** romcheg1 has joined #openstack-dev17:13
*** dachary has joined #openstack-dev17:13
*** splitbit has quit IRC17:14
*** dolphm has joined #openstack-dev17:14
henrynashtopol: if you have merged the two bug fixes into one change (nothing wrong with that)..then you should list both bug fixes in the comment.  For example, see my: https://review.openstack.org/#/c/22789/17:14
*** splitbit has joined #openstack-dev17:15
dolphmhenrynash: ideally you send it to the latest api you understand -- so v3 should be able to validate v2 tokens...17:15
*** nikhil has quit IRC17:15
*** romcheg1 has left #openstack-dev17:16
henrynashdolphm: Ok, yes, agrre17:16
*** markmc has quit IRC17:16
dolphmhenrynash: gyee wrote some v3/v2 "intermix" tests you should read in test_v3_auth17:16
henrynashdolphm: ok, thx17:16
*** nikhil has joined #openstack-dev17:17
*** jsindy has joined #openstack-dev17:17
*** koolhead17 has quit IRC17:21
topolHenrynash, will do17:23
*** adjohn has quit IRC17:23
*** jcmartin has joined #openstack-dev17:25
*** amerine has joined #openstack-dev17:25
topolhenrynash, done.  Thanks!17:27
*** zeriouz has quit IRC17:27
*** ilblackdragon has joined #openstack-dev17:27
henrynashtopol: +2'd17:28
*** Ryan_Lane has quit IRC17:28
*** Ryan_Lane has joined #openstack-dev17:29
*** anniec has quit IRC17:29
*** tomoe_ has quit IRC17:30
*** tomoe_ has joined #openstack-dev17:30
*** Ryan_Lane has quit IRC17:32
*** tomoe_ has quit IRC17:35
*** gargya has joined #openstack-dev17:37
henrynashdolphm: see my earlier question on trust extensions to v2 auth api...17:37
*** CaptTofu has joined #openstack-dev17:38
dolphmhenrynash: can you resend it? my wifi is going in and out17:38
*** cp16net|away is now known as cp16net17:38
ayounggyee, If I understand correctly, the test for a trust in the token authenticate method needs to be in auth/methdos/token17:39
henrynashdolphm: I just want to validate a conversation that adam and I had earlier, that we are OK with changing the auth functionality of the v2 api to include the option of trusts…..I hadn't expected that…(not saying that there aren't customers that want that…)17:39
*** esp1 has joined #openstack-dev17:39
gyeeayoung, no, "trust" is outside of methods17:40
gyeeauth/methods/token is just for validating the token17:40
dolphmhenrynash: i'd really, really, really rather avoid it, but if we're going to do it -- it needs to be documented in identity-api and should ideally be both implemented and documented as an extension17:41
ayounggyee, hmmm17:42
gyeeayoung, you can check for it in authenticate_for_token()17:43
ayounggyee, only the methods get accessto the actual token17:43
*** amerine has quit IRC17:43
ayounggyee, but it is an attribute of the token that is getting passed in17:44
*** beagles|brb is now known as beagles17:44
ayoung        if 'trust' in token_ref['token_data']:17:44
ayoung                        raise exception.Unauthorized(msg)17:44
gyeeif method is "token" and "scope" is "trust", then check to make sure "trust" is not already there in the requesting token17:44
*** psedlak has quit IRC17:44
*** amerine has joined #openstack-dev17:44
*** openstackjenkins has quit IRC17:44
*** corXi has quit IRC17:45
*** openstackjenkins has joined #openstack-dev17:45
henrynashdolphm, ayoung, gyee: …Adam, do you want to make the case for the extension to the v2 auth api to allow for trusts…since I think we need general agreement on that (and time is short!!)…and if it isn't agreed, there's less code for you to write!17:46
*** john5223 has quit IRC17:46
*** john5223 has joined #openstack-dev17:46
*** gael_ has quit IRC17:46
*** jog0 has joined #openstack-dev17:47
openstackgerritA change was merged to openstack/nova: Imported Translations from Transifex  https://review.openstack.org/2278317:47
ayounghenrynash, I think we do.  The code is already written, and the rest of the consumers out there are going to be consuming v2 tokens, not v317:47
*** david2 has quit IRC17:47
gyeeare you going to rename tenant to project in v2 as well?17:47
*** jog0 has quit IRC17:48
*** jog0 has joined #openstack-dev17:48
ayounggyee, I wish I could, but it breaks too much17:48
*** Tross has quit IRC17:48
dolphmayoung: erm, i'm at the point where not much is left from your last trust api patch -- should i just take over the review so you can focus on impl, or would you rather i send you a diff?17:48
ayoungdolphm, take over the review.17:49
dolphmayoung: definitely want you to thoroughly review the changes either way17:49
ayoungdolphm, will do17:49
ayoungdolphm, just as easy for me to use gerrit as it is for you to.17:49
dolphmayoung: it wouldn't be in the spirit of gerrit for me to send you a giant diff, and then +2 it myself lol17:50
ayounggyee, the thing is, only the methods call has access to the token data.  ONce we are back in authenticate_for_token17:50
ayoungdolphm, that is OK, I can +2 the doc if you send in the patch. Distributed pair programming.17:50
*** mohits has quit IRC17:51
ayoungdolphm, and we have henrynash and gyee here.   They can look at it too,17:51
*** mohits has joined #openstack-dev17:51
gyeeayoung, you uploaded a new patch already?17:51
*** markwash has joined #openstack-dev17:51
ayounggyee, not with the test for trust in the old token I haven;'t17:51
dolphmayoung: if the trustee already has a role on a project, and the trust delegates an additional role on the same project, does the trustee receive both roles in a token created based on the trust?17:52
ayoungdolphm, no17:52
*** morganfainberg has quit IRC17:52
ayoungonly what they get from the trust17:52
*** yidclare has joined #openstack-dev17:53
*** Tross has joined #openstack-dev17:54
*** rkukura has quit IRC17:54
*** fc__ has quit IRC17:55
*** romcheg1 has joined #openstack-dev17:57
*** rkukura has joined #openstack-dev17:57
henrynashayoung: on the extensions to v2…it seems a bit odd to be have different servers speaking v2.0 to have different functionality (other than bug fixes)….but if we are all Ok with adding this extension, then I can be persuaded!  I guess the questions is how do we document it etc. outside of the v3 context….i.e. it is really an extension to the v2 api you get with grizzly in addition to the v3 api17:57
*** roampune has joined #openstack-dev17:57
ayounghenrynash, good question.  I think the right answer is to update all of the V2 docs.17:57
ayounghenrynash, but that is beyond the scope of just trusts17:58
*** anniec has joined #openstack-dev17:59
*** yidclare has quit IRC17:59
ayounghenrynash, You won't be able to get a trust out of a Keystone server that doesn;t support the v3 api.17:59
*** kagan has joined #openstack-dev17:59
ayoungI think that should make it clear to consumers whether or not they can expect the trust attribute to work on a token18:00
*** fc__ has joined #openstack-dev18:00
henrynashayoung: agreed18:00
*** jgallard has quit IRC18:01
*** crandquist has quit IRC18:01
*** yidclare has joined #openstack-dev18:02
*** Tross has quit IRC18:05
*** gargya has quit IRC18:06
ayounggyee, once the Token method has returned, is the token that was fetched from the backend just discarded?18:08
gyeeayoung, yes18:08
gyeeayoung, good news is there's a auth_context dict18:09
gyeefeel free to stash it there18:09
ayounggyee, would it be OK for the method to set the 'trust ' value, but then to check for its presense outside the method?18:09
gyeeayoung, absolutely, add whatever information you need into the auth_context dict18:09
ayounggyee, OK, I've got it.18:12
henrynashheading out to grab something eat…back on later18:12
*** henrynash has quit IRC18:13
*** Ryan_Lane has joined #openstack-dev18:13
*** romcheg1 has quit IRC18:14
*** darraghb has quit IRC18:14
*** gasbakid_ has joined #openstack-dev18:15
*** derekh has left #openstack-dev18:15
*** derekh has quit IRC18:15
*** ek6 has quit IRC18:16
*** Tross has joined #openstack-dev18:17
*** epim has joined #openstack-dev18:18
*** romcheg1 has joined #openstack-dev18:18
*** ek6 has joined #openstack-dev18:19
*** jpich has quit IRC18:23
*** iartarisi has quit IRC18:23
*** dolphm has quit IRC18:25
*** dolphm has joined #openstack-dev18:27
ayounggyee, updated the patch with the check for trust in the token, and another unit tests to confirm18:27
gyeeayoung, k, I'll take a look18:28
ayounggyee, just saw your comment on the V3 API18:29
ayoungso...18:29
ayoungtrust goes in scope.18:30
ayoungOK...18:30
*** AlanClark has joined #openstack-dev18:30
ayoungNeed to change that18:30
openstackgerritA change was merged to openstack/nova: Readd run_tests.sh --debug option.  https://review.openstack.org/2276118:30
*** epim has quit IRC18:30
YorikSarayoung: Hi. I'm looking at that Trusts change now. I think, there's some code that should land separately that's is not dependent on trusts.18:30
*** garyk has quit IRC18:30
ayoungYorikSar, quite likely18:31
YorikSarayoung: Should I mark it there or you prefer to land it all together?18:31
*** danpb has quit IRC18:31
ayoungYorikSar, what are you thinking18:31
*** epim has joined #openstack-dev18:32
YorikSarayoung: Code like improving policy checks or purging project membership remains.18:33
*** romcheg1 has left #openstack-dev18:33
*** rafaduran has quit IRC18:34
ayoungYorikSar, yeah...Ideally that would become yet another separate patch, but I am getting a little worried about getting Trusts in on time18:34
openstackgerritA change was merged to openstack/oslo-incubator: Support qpid unit tests.  https://review.openstack.org/2280318:34
ayoungI think it is safe to go in here.18:34
ayoungYorikSar, the thing is, we are going to have to figure out policy in Keystone18:34
*** anniec has quit IRC18:35
ayoungand then we will need to extract that over to openstack-common anyway18:35
*** anniec has joined #openstack-dev18:35
*** cloudchimp has joined #openstack-dev18:35
*** AlanClark has quit IRC18:36
*** adjohn has joined #openstack-dev18:36
*** AlanClark has joined #openstack-dev18:36
*** Mandell has joined #openstack-dev18:37
YorikSarayoung: Ok, but that's only policy. Let me stamp every change I suggest to separate.18:38
ayoungYorikSar, sure.  I am ok with getting chunks of it carved off...Just don't want to delay the overall process.  And we can't really test that policy change without the changes to what it protects without writing more unit test.18:39
openstackgerritA change was merged to openstack/oslo-incubator: Update flakes.py to match 0.6.1.  https://review.openstack.org/2173818:40
*** andrewbogott_afk is now known as andrewbogott18:41
*** adjohn has quit IRC18:41
YorikSarayoung: Done.18:44
ayoungYorikSar, looking18:45
YorikSarayoung: I find it really scary to look for one small change in git blame and to find some thousand-lines commit including it.18:45
*** adjohn has joined #openstack-dev18:45
*** vishious is now known as vishy18:46
YorikSarayoung: Oh, you've already pushed another patchset.18:46
*** dolphm has quit IRC18:46
ayoungYorikSar, think how scary it is when you find yourself writing that patch18:48
*** dolphm has joined #openstack-dev18:48
YorikSarayoung: The more reason to keep it's impact on existing code at minimum18:49
*** flepied has quit IRC18:49
*** cp16net is now known as cp16net|away18:49
*** nati_ueno has joined #openstack-dev18:49
ayoungYorikSar, This one feature of mine has triggered more reworking and cleanup of the Keystone codebase than I would have thought possible18:50
ayoungYorikSar, I didn't even plan on getting into policy stuff.  That happened last week.18:50
YorikSarayoung: I can separate some parts by myself, for example SQL stuff _handle_conflict stuff.18:50
YorikSarayoung: I guess, ideas tend to multiply closer the release...18:51
ayoungYorikSar, I'd rather deal with it myself. Let me finish up on wha18:51
*** splitbit has quit IRC18:51
ayoungt I am doing for moving trust into the scope thing, then I will look at implementing the splits you recommend18:51
YorikSarayoung: Ok, I'll wait for it.18:52
*** mrodden1 has joined #openstack-dev18:53
*** vyper63 has joined #openstack-dev18:53
*** mrodden has quit IRC18:54
*** armaan has joined #openstack-dev18:54
*** splitbit has joined #openstack-dev18:56
*** gasbakid_ has quit IRC18:58
*** mmagr has quit IRC18:58
*** vyper63 has quit IRC18:58
*** gasbakid_ has joined #openstack-dev18:58
*** gasbakid__ has joined #openstack-dev18:58
*** gasbakid_ has quit IRC18:59
*** gasbakid__ has quit IRC18:59
*** gasbakid_ has joined #openstack-dev19:00
*** gasbakid_ has joined #openstack-dev19:02
*** gyee has quit IRC19:03
*** morganfainberg has joined #openstack-dev19:05
*** andrewbogott is now known as andrewbogott_afk19:06
*** andrewbogott_afk is now known as andrewbogott19:06
*** mestery has quit IRC19:06
*** almaisan-away has quit IRC19:07
*** mrodden1 has quit IRC19:08
*** Tross has quit IRC19:09
*** mrodden has joined #openstack-dev19:10
*** Tross has joined #openstack-dev19:10
*** john5223 has quit IRC19:13
openstackgerritA change was merged to openstack/glance: Pin jsonschema version below 1.0.0.  https://review.openstack.org/2286219:14
openstackgerritA change was merged to openstack/quantum: Add midonet to setup.py  https://review.openstack.org/2287719:14
openstackgerritA change was merged to openstack-infra/devstack-gate: Updates for current Grenade configuration  https://review.openstack.org/2244819:15
*** armaan has left #openstack-dev19:16
*** arbrandes has quit IRC19:16
*** melwitt has joined #openstack-dev19:18
*** flaper87 has quit IRC19:21
*** diogogmt has quit IRC19:22
*** diogogmt has joined #openstack-dev19:23
*** markmcclain has quit IRC19:24
*** Yada has quit IRC19:25
*** almaisan-away has joined #openstack-dev19:25
*** almaisan-away is now known as al-maisan19:25
dolphmayoung: all other authorization-changing actions in the api result in relevant tokens being revoked -- but somehow that doesn't cascade through trusts?19:26
ayoungdolphm, no, that happens, too19:26
ayoungdolphm, we revoke all trust where the user is the trustee19:26
dolphmayoung: so if a trustor loses a role, the trust becomes invalid and tokens generated based on that trust should be revoked as well, correct?19:26
ayoungdolphm, let me check if I catch that one.19:27
ayoungdolphm, but I think so19:27
*** nikhil has quit IRC19:27
ayoungdolphm, that is the correct behavior19:27
dolphmayoung: i'll revise the spec then -- it's not worded that way19:27
dolphmayoung: thanks19:27
ayoungso if a user loses a role19:27
*** nikhil has joined #openstack-dev19:28
ayoungdolphm, ok, I missed that one19:28
*** Tross has quit IRC19:30
dolphmayoung: no worries19:30
*** AlanClark__ has joined #openstack-dev19:30
*** Tross has joined #openstack-dev19:30
*** AlanClark has quit IRC19:30
*** AlanClark has joined #openstack-dev19:31
*** kbringard has quit IRC19:31
*** AlanClark__ has quit IRC19:31
*** AlanClark has quit IRC19:31
openstackgerritA change was merged to openstack/oslo-incubator: Decode / Encode string utils for openstack  https://review.openstack.org/2039319:32
*** AlanClark has joined #openstack-dev19:32
*** john5223 has joined #openstack-dev19:33
*** tiamar has quit IRC19:33
*** tiamar has joined #openstack-dev19:33
*** johnthetubaguy1 has quit IRC19:34
*** johnthetubaguy1 has joined #openstack-dev19:35
*** kmartin has quit IRC19:36
*** johnthetubaguy1 has quit IRC19:36
*** maroh has joined #openstack-dev19:38
*** vipul is now known as vipul|away19:40
*** vipul|away is now known as vipul19:40
*** eharney has quit IRC19:44
*** AlanClark has quit IRC19:44
*** eharney has joined #openstack-dev19:44
*** AlanClark has joined #openstack-dev19:44
*** yidclare has quit IRC19:46
openstackgerritA change was merged to openstack/quantum: Add password secret to brocade plugin  https://review.openstack.org/2286719:47
*** alunduil has quit IRC19:47
zaitcevchmouel: Do you know anything about Keystone hard-requiring a specific version of sqlalchemy? Sounds like a dumb fail to me. Is anyone working on fixing that?19:48
*** kbringard has joined #openstack-dev19:49
*** mdomsch has joined #openstack-dev19:51
*** al-maisan is now known as almaisan-away19:51
*** aeperezt has quit IRC19:51
*** cloudchimp has quit IRC19:52
ayoungYorikSar, dolphm   split off the first piece of the Trusts review .  https://review.openstack.org/2288919:54
*** Tross has quit IRC19:54
*** vipul is now known as vipul|away19:55
*** aeperezt has joined #openstack-dev19:55
*** kbrierly has joined #openstack-dev19:56
*** diogogmt has quit IRC19:58
dolphmayoung: can you abandon https://review.openstack.org/#/c/22063/ ? i'm writing the commit msg for the replacement19:58
*** diogogmt has joined #openstack-dev19:59
*** radez is now known as radez_g0n320:00
ayoungdolphm, hmmm...while I appreciate the editing job, shouldn't it all go into the same change ID?20:00
*** yidclare has joined #openstack-dev20:00
*** mrodden has quit IRC20:01
dolphmayoung: i was going to crosslink them and give you permanent credit in the commit message :)20:01
ayoungdolphm, I think it is safe to use the origianal commit message.  Leaves the history in one piece20:01
ayoungI mean, change ID20:02
dolphmhmm, i'll try20:02
*** kmartin has joined #openstack-dev20:02
*** mrodden has joined #openstack-dev20:02
ayoungdolphm, BTW, something I noticed in identity-api is that you only get a change ID once you amend a commit, for some reason20:03
*** olaph_ has joined #openstack-dev20:04
dolphmayoung: you might not have git-review setup correctly in that project?20:04
ayoungYorikSar, https://review.openstack.org/#/c/22890/20:04
ayoungdolphm, possible. Quite possible20:04
dolphmayoung: that worked https://review.openstack.org/#/c/22063/20:05
ayoungdolphm, cool.  Reading now20:06
*** vipul|away is now known as vipul20:06
*** mestery has joined #openstack-dev20:06
*** nati_ueno has quit IRC20:06
ayoungdolphm, I just posted two patches which should be non-controvesial, but which are chipped off the Trusts code20:06
*** olaph has quit IRC20:06
*** markmcclain has joined #openstack-dev20:07
ayoungI think I have a few more to do that way, and then I'll rebase and repost the trusts code20:07
dolphmayoung: lots of little changes since your last patch, but the highlights beyond what i've asked you about today: added the three calls at the very bottom of the doc, made "impersonation" attributes JSON booleans, and removed "endpoints" and "roles" from the trust entity responses20:07
*** nati_ueno has joined #openstack-dev20:07
*** Gordonz has quit IRC20:07
dolphmayoung: reviewing your patches now20:08
*** adjohn has quit IRC20:09
*** john5223 has quit IRC20:09
*** rkukura has quit IRC20:09
dolphmayoung: I +2'd the sql.Conflict change -- can you link me to the other one you split out?20:10
ayoungdolphm, you have a lot of places where the value true is shown in the examples.  It is not quoted.  Is that intentional?20:10
ayounghttps://review.openstack.org/#/c/22889/20:10
*** stevebaker has quit IRC20:10
ayoungdolphm, henrynash and I thrashed that one out.20:11
*** maoy has quit IRC20:11
ayoungIt actually fixes v2 token used for policy as well, now that I look at it.20:11
*** novas0x2a|laptop has quit IRC20:12
*** aeperezt has quit IRC20:12
dolphmayoung: "impersonation"? yes -- booleans in json are just true and false20:12
dolphmayoung: unquoted and lowercase20:12
*** notmyname has quit IRC20:12
*** garyk has joined #openstack-dev20:13
*** notmyname has joined #openstack-dev20:14
* ayoung needs a refresher20:14
ayoungdolphm, I'm going to repost the sql one. The only other backedn that uses it is policy.  Easier to fix now20:15
*** stevebaker has joined #openstack-dev20:15
ayoungdolphm, can you go back over your commit for trust-api and replace impersontation with impersonation?20:18
ayoungits the only thing that I've caught20:18
dolphmayoung: cool20:19
dolphmayoung: ha, sure20:19
dolphmayoung: holy crap i made that typo a lot20:19
ayoungdolphm, so you are cool with using the role { name } way of creating a trust.  Should I support both that and role {id} ?20:19
dolphmayoung: ... and i just typed it again on accident ...20:20
ayoungheh\20:20
dolphmayoung: both id and name should be capable of identifying a trust20:20
ayoungdolphm, I mean for the role20:20
dolphmayoung: err yeah, my bad20:21
ayoungdolphm, ok, so either role.id or role.name.  if both are specified, query by id, and make sure the name matches.  If it does not, error out.?20:21
dolphmayoung: since we haven't done this in the api before, i'd be fine with either `role_ids` (list of strings) or `role_names` (list of strings) or `roles` (list of objects identified by id or name) ... the last one is obviously the most future-proof20:22
dolphmayoung: sets us up for domain-owned roles and whatnot20:22
*** gyee has joined #openstack-dev20:22
ayoungdolphm, I had origianlly gone with role_names20:22
dolphmayoung: that just presents a blocker for domain-owned roles, when we get there20:22
*** splitbit has quit IRC20:23
dolphmayoung: and also identifying objects by url instead of id or name20:23
ayoungdolphm, OK.  That will probably affect how I store them in the backend20:23
ayoungdolphm, https://review.openstack.org/#/c/22890/2  covers policy backend now, too.  I assume your +2 still stands20:24
ayounggyee, simple refactoring for you, prereq for trusts https://review.openstack.org/#/c/22890/220:24
dolphmayoung: in sql.... trust_roles table: trust_id, role_id20:25
*** eglynn has quit IRC20:25
dolphmayoung: re+2'd20:25
gyeeayoung, looks good20:26
dolphmayoung: also fixed my speeling https://review.openstack.org/#/c/22063/20:26
dolphmgyee: not sure if you were on earlier -- but we pulled endpoint-restrictions from trusts ^20:26
gyeedolphm, that's fine20:27
dolphmgyee: we need to support that in the token first20:27
dolphmv3.1!20:27
gyeewe have no endpoint scoping right now anyway20:27
gyeeonto v3.120:27
*** cp16net|away is now known as cp16net20:28
dolphmgyee: ayoung: side note -- i'd like to only maintain a single api doc, so continue using the same one past today, but mark new features as like *New in version 3.1* and then we'll start a new changelog at the top of the doc20:28
*** epim has quit IRC20:29
*** epim has joined #openstack-dev20:29
gyeedolphm, good idea20:29
ayoungdolphm, Would be nice to be able to split things up into multiple docs.  It will lead to fewer merge conflicts in the future, especially now that we are emphasizing API changes have to happen first.20:30
*** jaypipes has quit IRC20:30
gyeeayoung, dolphm, you guys pull our the roles too?20:31
gyeepull out20:31
gyeethe examples is a bit confusing, roles are there on create trust20:33
gyeebut missing from list trusts20:33
*** pcm_ has quit IRC20:34
openstackgerritA change was merged to openstack/keystone: Ensure keystone unittests do not leave CONF.policyfile in bad state  https://review.openstack.org/2270520:34
openstackgerritA change was merged to openstack/quantum: Limit chain name to 28 characters  https://review.openstack.org/2287620:34
openstackgerritA change was merged to openstack/quantum: Latest common updates  https://review.openstack.org/2288320:34
ayoungdolphm, I just approved the API changes.  Anything else from here out will be an additional change on top of that, and I think it is good to have a checkpoint commited20:35
ayounggyee, that is intentional20:35
ayounglist trusts will only show the minimal amount.  Roughly what you would expect if you did a list:  a summary of each one20:36
*** markmcclain has quit IRC20:36
ayounginthis case, we decided to limit it to data that is in the header record in the database, so impersonation is OK,  but roles and, in the future, endpoints will not show up in the list20:36
*** dachary has quit IRC20:37
*** dachary has joined #openstack-dev20:37
gyeeayoung, ok, make sense20:38
*** henrynash has joined #openstack-dev20:38
*** rpedde_away is now known as rpedde20:38
*** sandywalsh has quit IRC20:39
*** alunduil has joined #openstack-dev20:42
YorikSarayoung: How could handle_conflicts change appear in both 'check' and 'gate' queues in Zuul?20:44
mdomschgood day.  Process question for folks familiar with using gerritt for blueprint patch review.  Our developers are working with a 3rd party contractor to develop some code towards an openstack blueprint.  Per protocol, the contractor's name will be the commit Author.  They will then send the patch to one of our developers for review, who adds the non-standard (to openstack, but common elsewhere) Signed-off-by: tag in the commit20:46
mdomsch.  The question is, can the signed-off-by person then submit the patch for review into gerritt, or must the original author do so?20:46
*** Tross has joined #openstack-dev20:48
*** john5223 has joined #openstack-dev20:48
*** eharney has quit IRC20:50
*** eharney has joined #openstack-dev20:50
YorikSarayoung: Looking at https://review.openstack.org/22892 now. What exception can be expected there?20:51
*** eglynn has joined #openstack-dev20:52
ayoungYorikSar, I think, If I remember the original case, it was where the body was supposed to be JSON, but came in Empty20:52
*** AlanClark has quit IRC20:52
*** AlanClark has joined #openstack-dev20:53
ayoungYorikSar, but it will handle most parsing errors now with an appropriate message, so more than just JSON20:53
YorikSarayoung: Isn't that already handled in previous try: block?20:53
*** novas0x2a|laptop has joined #openstack-dev20:53
ayoung params_parsed.iteritems():20:53
*** dhellmann has joined #openstack-dev20:54
ayoungmust have been in the command line parameters...20:54
YorikSarayoung: I see only one possible error there - non-string key.20:54
ayoungYorikSar, I have to admin, I hacked around this problem so long ago, I don't remember what I did to cause it20:54
*** jaypipes has joined #openstack-dev20:54
*** sandywalsh has joined #openstack-dev20:54
ayoungYorikSar, that rings a bell.20:55
YorikSarayoung: Oh, wait... If we pass a list in JSON, we'll get failure on .iteritems20:55
*** nati_ueno has quit IRC20:55
*** edmund has quit IRC20:55
*** nati_ueno has joined #openstack-dev20:56
*** markmcclain has joined #openstack-dev20:56
ayoungYorikSar, It may not be common, but I was certainly triggering it doing something like that.20:57
YorikSarayoung: I think, all these cases should be explicitely handled there. 'except Exception' without plain 'raise' makes me nervous.20:57
openstackgerritA change was merged to openstack/tempest: Move the console tests to the other server actions tests  https://review.openstack.org/2279720:57
*** amotoki has joined #openstack-dev20:57
*** rkukura has joined #openstack-dev20:57
ayoungYorikSar, yes, except that doing that at an entry point into an API server is erring on the side of caution20:57
ayoungbetter a 400 than a 50020:58
*** tomoe_ has joined #openstack-dev20:58
YorikSarayoung: Well, we can pass 400 to client, but we should log unexpected errors.20:58
ayoungYorikSar, not always20:58
*** mlavalle has joined #openstack-dev20:58
ayoungif those errors come from bad input, logging can lead to DOS attacks20:58
ayoungbetter just to drop them20:59
*** sandywalsh has quit IRC20:59
gyeedolphm, ayoung, henrynash, https://review.openstack.org/#/c/2289320:59
*** gasbakid_ has quit IRC21:00
*** alexpilotti has joined #openstack-dev21:00
ayounggyee, cool21:00
YorikSarayoung: Makes sense, yes.21:00
*** zzs has joined #openstack-dev21:02
*** dachary has left #openstack-dev21:02
YorikSarayoung: btw, if you ever have some time and want to watch another one fifth of LDAP backend code disappear: https://review.openstack.org/#/q/topic:ldap-cleanup,n,z21:04
ayoungYorikSar, those are on my radar.  After trusts goes in, we can clean house21:04
*** dprince has quit IRC21:05
*** woodspa has quit IRC21:05
*** spzala has joined #openstack-dev21:06
*** numero8 has joined #openstack-dev21:08
ayounghenrynash, I think you might have broken policy again.21:12
*** ek6 has quit IRC21:12
ayounghenrynash, either that, or I somehow managed to undo your change when rebasing21:13
*** mohits has quit IRC21:13
*** kgriffs has joined #openstack-dev21:14
*** sandywalsh has joined #openstack-dev21:14
kgriffsguys, I'm trying to get a feel for the "preferred" way of doing configuration for OpenStack projects. Is the answer "INI files all the way down" even for configuring more complex stuff like logging?21:16
dolphmgyee: downvoted, largely based on the subset of test coverage -- i'm not sure my comment there makes sense, so poke me if it's confusing21:17
kgriffsIs anyone using JSON or even code files (.py)21:17
ayoungkgriffs, nope.21:17
*** arbrandes has joined #openstack-dev21:17
kgriffsayoung: I came across this, but it uses YAML (yuck). http://www.python.org/dev/peps/pep-0391/21:19
kgriffs(btw, this is for Marconi)21:19
kgriffs(this question)21:19
*** adjohn has joined #openstack-dev21:19
*** bryansd has joined #openstack-dev21:22
*** arbrandes has quit IRC21:22
gyeedolphm, excellent points!21:23
gyeedolphm, so for policies, I am thinking about special-case it for now, any objection?21:23
dolphmgyee: zero21:24
dolphmgyee: xml is a special case ;)21:24
*** adjohn has quit IRC21:24
gyeedolphm, good one!21:24
*** melwitt has quit IRC21:25
*** yolanda has quit IRC21:27
*** johnthetubaguy1 has joined #openstack-dev21:28
*** Ritz has quit IRC21:29
ayoungdolphm, so, the original check was: if 'is_admin' in context and not context['is_admin']:21:29
ayoungI threw in  the part:   'is_admin' in context21:30
*** epim_ has joined #openstack-dev21:30
ayoungas it was blowing up on non-is_admin checks21:30
ayoungwhen I changed it to21:30
ayoungif context.get('is_admin', False):21:30
ayoungit fails because the token_id is 'Admin' and not something out of the database21:30
ayoungI am not clear on the logic myself21:30
ayoungLet me try it with defaulting to True instead?21:31
ayoungproblem is I can't test it with that patch, I need the trusts patch to catch the case21:32
*** epim has quit IRC21:32
*** epim_ is now known as epim21:32
ayoungNope21:34
*** dolphm has quit IRC21:34
kgriffsre logging configuration, I found this for anyone who is interested.21:34
kgriffshttps://github.com/openstack/keystone/blob/master/etc/logging.conf.sample21:34
kgriffsLooks like INI+inline python snippets21:35
*** dolphm has joined #openstack-dev21:36
*** yidclare has quit IRC21:37
icchaanyone getting this in glance? - ImportError: No module named oslo.config21:38
matiurussellb, if you get a free mo' today, could you please re-hit up: https://review.openstack.org/#/c/21185/21:39
ayoungiccha, you probably need to either update your .venv or your packags21:40
ayoungdolphm, OK,  so on is_admin...that gets set on the admin APIs.  See keystone/routers.py line 34 ish21:40
openstackgerritA change was merged to openstack/keystone: Move handle_conflicts decorator into sql  https://review.openstack.org/2289021:41
dolphmayoung: routers? that gets set in middlware21:41
*** diogogmt has quit IRC21:41
ayoungdolphm, ah....21:41
ayoungstill trying to see the root cause21:41
dolphmayoung: admin_token middleware or something, forgot what it's called, but it only has 1 job21:41
ayoungok21:41
dolphmayoung: you also have to expect that middleware not being in the pipeline at all21:41
ayoungmiddleware/core.py:60:    Sets 'is_admin' to true in the context, expected to be checked by21:42
*** yidclare has joined #openstack-dev21:43
zykes-Daviey: or zul ping21:44
ayoungdolphm, So, if is_admin is not set in the context...21:44
ayoung LOG.warning(_('RBAC: Bypassing authorization'))21:44
dolphmayoung: that warning should apply if is_admin = True21:45
ayoungcontext['is_admin'] = (token == CONF.admin_token)21:45
ayoungdolphm, I don't understand what is happening.21:45
ayoungIt is failing using the admin token21:46
dolphmayoung: if the static admin token is in used, there's no user to trace back to, and therefore no roles, no rbac, so authz is essentially being bypassed21:46
ayoungdolphm, I get that21:46
ayoungI don;'t understand the logic being executed, though21:46
dolphmcontext['is_admin'] is true if the X-Auth-Token matches CONF.admin_token21:46
ayoungif I use an admin token, or I don't use an admin token, I should get 'is_admin' set21:46
dolphmayoung: is that middleware missing in some pipelines your testing?21:47
ayoungdolphm, Perhpas what is going on is that this is happening on the admin port and it should be the non-admin?21:47
ayoungdolphm, perhaps21:47
ayoungdolphm, v3_tests21:47
icchaayoung: its happening when i do glance-api restart21:48
openstackgerritA change was merged to openstack/ceilometer: Fix count type in MongoDB  https://review.openstack.org/2286821:49
ayoungdolphm, so, if is_admin is not set, we need to go into the gate as well, Ok, I think my patch is wrong, and I know how to make it right....21:49
*** Ryan_Lane has quit IRC21:50
dolphmayoung: if is_admin is not set, normal rbac should kick in21:51
dolphmayoung: it should be the same as is_admin == False21:51
ayoungdolphm, yeah.  I can fix it by reversing the order of the blocks.21:51
ayoung I need to do a daycare pickup here shortly.  I'll try to squeeze the patch out again before I leave.21:51
russellbmatiu: still in feature freeze, it'll have to wait until april or so21:51
*** Ryan_Lane has joined #openstack-dev21:51
matiuah ok21:52
*** arbrandes has joined #openstack-dev21:52
matiuI guessed that was the reason :)21:52
matiuthanks russellb :)21:52
russellbyep np21:52
ayoungdolphm, so if 'is_admin' in context and context['is_admin']:21:53
ayoung#bypass21:54
*** vipul is now known as vipul|away21:54
ayoungotherwis/ RBAC21:54
*** adjohn has joined #openstack-dev21:54
*** pcm_ has joined #openstack-dev21:55
*** amotoki has quit IRC21:55
*** giulivo has quit IRC21:55
*** vipul|away is now known as vipul21:56
openstackgerritA change was merged to openstack/nova: Fix broken baremetal migration tests  https://review.openstack.org/2289421:56
*** vipul is now known as vipul|away21:57
*** vipul|away is now known as vipul21:57
*** cabral has quit IRC21:58
*** andrewbogott is now known as andrewbogott_afk21:58
*** andrewbogott_afk is now known as andrewbogott21:59
*** maroh has quit IRC22:04
*** olaph_ has quit IRC22:04
*** numero8 has quit IRC22:04
*** martine_ has quit IRC22:05
*** olaph has joined #openstack-dev22:05
*** giulivo has joined #openstack-dev22:08
*** cdub has quit IRC22:08
*** cdub_ has quit IRC22:08
dolphmayoung: that sounds good22:09
*** cdub has joined #openstack-dev22:09
*** cdub_ has joined #openstack-dev22:09
spzalaayoung: Hi! Can I please ask a LDAP code specific question? I am trying to create query to search a 'group' to list member 'users' it has and seems like I am lost. I could query 'groups' a 'user' is member of but not other way around.22:10
*** stevemar has quit IRC22:11
spzalaI have uploaded some code with current progress, so it's available for a quick look22:12
*** vipul is now known as vipul|away22:12
*** eharney has quit IRC22:13
*** andrewbogott is now known as andrewbogott_afk22:14
*** torandu has quit IRC22:15
*** andrewbogott_afk is now known as andrewbogott22:15
*** torandu has joined #openstack-dev22:15
*** markvoelker has quit IRC22:16
*** alexpilotti has quit IRC22:16
*** bknudson has left #openstack-dev22:19
*** melwitt has joined #openstack-dev22:21
chmouelzaitcev: about keystone and sqlalchemy i don't know, you maybe want to check with the keystone devs22:21
zaitcevchmouel: Do they have their own channel?22:22
chmouelyou can ping dolphm ayoung they usually pretty responsive22:22
dolphmo/22:22
zaitcevdolphm: do you know if anyone is working on relaxing the dependency on sqlalchemy? We ship 0.8.0 in Fedora development and Keystone blows up with it.22:24
dolphmzaitcev: is there a bug on the issue?22:24
openstackgerritA change was merged to openstack/oslo-incubator: openstack.common.setup: fails to get version from git  https://review.openstack.org/2253422:25
dolphmzaitcev: i haven't tried 0.8 myself since it's still marked as a beta22:26
zaitcevdolphm: No bug that I know.22:27
*** esheffield has quit IRC22:30
*** nati_ueno has quit IRC22:30
*** nati_ueno has joined #openstack-dev22:31
*** zing has quit IRC22:37
*** topol has quit IRC22:40
*** soody has joined #openstack-dev22:40
*** Tross has quit IRC22:43
sdaguezaitcev: the issue is that it also broke out some of the libraries separate, so I think we're frozen for grizzly on that22:46
openstackgerritA change was merged to openstack/ceilometer: Allow empty dict as metaquery param for sqlalchemy.  https://review.openstack.org/2266922:46
*** pabelanger has quit IRC22:48
ayoungdolphm, OK,  so I split out a couple of patches off the trusts patch, and now they are listed as dependencies.  This will allow me to continue to update them, and keep the trust patch current.22:48
dolphmayoung: cool22:48
ayoungdolphm, I would really appreciate it if you would do your ripping apart of the trusts patch now22:48
dolphmayoung: i've made a couple comments22:49
ayoungOk.  I'll take a look22:49
dolphmayoung: i'm planning on writing my own tests against it tonight to exercise it22:49
dolphmayoung: make sure i understand it, etc22:49
*** aeperezt has joined #openstack-dev22:50
ayoungdolphm, sounds good.  Feel free to hack on the test_v3_trusts22:50
ayoungThose do a lot of hand jammed JSON that could and should be cleaned up to be based on the v3_auth code.22:50
*** soody has quit IRC22:50
ayoungSo lets incorporate your changes into the patch.22:50
*** dolphm has quit IRC22:51
*** tomoe_ has quit IRC22:53
*** tomoe_ has joined #openstack-dev22:54
*** digitalsanctum has quit IRC22:55
*** brianr_ has quit IRC22:56
*** brianr_ has joined #openstack-dev22:57
*** brianr_ is now known as brianr-gone22:57
*** reed has joined #openstack-dev22:59
*** cloudchimp has joined #openstack-dev23:00
*** vipul|away is now known as vipul23:00
*** renner_ has joined #openstack-dev23:00
*** kbringard has quit IRC23:02
*** john5223 has quit IRC23:02
*** renner has quit IRC23:03
*** renner_ is now known as renner23:03
*** anniec has quit IRC23:03
*** anniec_ has joined #openstack-dev23:03
*** AlanClark has quit IRC23:04
henrynashdolphm:  your comments on https://review.openstack.org/#/c/22789/ , you really think we should support a query string which references an attribute that is not part of the object (i.e. "disabled")23:09
*** AlanClark has joined #openstack-dev23:09
*** mlavalle has quit IRC23:09
*** digitalsanctum has joined #openstack-dev23:09
*** sacharya has quit IRC23:10
*** tomoe_ has quit IRC23:10
*** tomoe_ has joined #openstack-dev23:10
*** soody has joined #openstack-dev23:10
*** openstack_ has joined #openstack-dev23:13
*** openstack_ is now known as gordc23:13
*** tomoe_ has quit IRC23:14
*** datsun180b has quit IRC23:14
ayoungWonderful.  PEP is now not letting me do the only way SqlAlchemy tests a column is NULL.23:14
*** utlemming has quit IRC23:15
*** tomoe_ has joined #openstack-dev23:16
*** yamahata has quit IRC23:18
*** aeperezt has quit IRC23:18
*** bknudson has joined #openstack-dev23:18
*** utlemming has joined #openstack-dev23:19
*** jbr_ is now known as jbr_zzz23:20
*** aeperezt has joined #openstack-dev23:20
*** mtreinish has quit IRC23:20
*** gordc has quit IRC23:21
*** gongysh has joined #openstack-dev23:27
*** rnirmal has quit IRC23:28
*** digitalsanctum has quit IRC23:36
openstackgerritA change was merged to openstack-infra/devstack-gate: Allow external calling context to inject values.  https://review.openstack.org/2267323:37
openstackgerritA change was merged to openstack/python-novaclient: Update the docstring of cloudpipe-configure command  https://review.openstack.org/2277523:39
*** jsindy has quit IRC23:45
*** johnthetubaguy1 has quit IRC23:48
*** kgriffs has quit IRC23:48
*** johnthetubaguy1 has joined #openstack-dev23:49
*** johnthetubaguy1 has quit IRC23:49
*** vipul is now known as vipul|away23:49
*** digitalsanctum has joined #openstack-dev23:52
*** gyee has quit IRC23:52
*** nati_ueno has quit IRC23:57
*** nati_ueno has joined #openstack-dev23:58
« Sunday, 2013-02-24 Index Tuesday, 2013-02-26 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!