Friday, 2013-09-06

<morganfainberg> jamielennox, sorry back now [01:09]
<morganfainberg> jamielennox, if you're here [01:09]
<jamielennox> morganfainberg: yep [01:09]
*** galstrom_zzz is now known as galstrom [01:09]
<morganfainberg> jamielennox, so atiwari brought up an interesting point [01:09]
<morganfainberg> jamielennox, looks like check and validate tokens in keystone are returning 401s instead of 404s if the check/validate fails [01:10]
<morganfainberg> jamielennox, am i wrong in understanding the auth_token middleware then re-requests its "admin" token on a 401? [01:10]
*** xarses has joined #openstack-dev [01:11]
<jamielennox> morganfainberg: off the top of my head i think that is correct [01:12]
*** erkules_ has joined #openstack-dev [01:12]
<jamielennox> a 401 says that the token you are using to validate is not good [01:12]
<morganfainberg> jamielennox, yeah, so it's a bug. [01:12]
<jamielennox> so you should re-fetch an admin token and try again [01:12]
<jamielennox> a 404 says that you are valid but the token you are authing is not there [01:12]
<morganfainberg> jamielennox, yep. that's what my understanding has been [01:12]
*** freedomhui has joined #openstack-dev [01:13]
<jamielennox> why is that a bug? [01:13]
<morganfainberg> jamielennox, the current behavior, not the way you describe [01:13]
<morganfainberg> as in, we should raise tokennotfound not unauthorized [01:13]
*** rfolco has quit IRC [01:14]
<morganfainberg> jamielennox, thanks.  just making sure my understanding was sane. [01:14]
*** erkules has quit IRC [01:14]
<jamielennox> token not found should be 404 right? [01:15]
<morganfainberg> yep [01:15]
<jamielennox> so you need to distinguish between the event that the admin token failed and the token you are checking failed [01:15]
<jamielennox> because validation is a privileged operation [01:15]
<morganfainberg> that is handled by @protected decorator [01:15]
<morganfainberg> the issue is that the provider's validate_token methods cause 401s on TokenNotfound [01:16]
<jamielennox> if your admin token is expired and all of a sudden it just starts showing 404s instead of 401s then it will assume that the token you are validating is bad [01:16]
<morganfainberg> this appears to have been introduced (in v3 auth) at the v3 auth inception. [01:16]
*** anniec has quit IRC [01:16]
<morganfainberg> right.  @protected decorator should cause 401s [01:17]
<morganfainberg> on invalid token. [01:17]
*** trey_h has joined #openstack-dev [01:17]
<jamielennox> on invalid admin token [01:17]
<morganfainberg> yes [01:17]
<morganfainberg> @protected doesn't care about X-Subject-Token [01:17]
<morganfainberg> it cares about the auth token [01:17]
<morganfainberg> validate_token et al, should care about x-subject-token (v3 terminology) [01:18]
<morganfainberg> in v2, token we care about is from the URI, not the x-auth-token header [01:18]
<morganfainberg> in valiate_token/check_token that is [01:18]
<morganfainberg> validate* [01:18]
*** yongli_going_hom is now known as yongli [01:19]
*** anniec has joined #openstack-dev [01:19]
*** gongysh has joined #openstack-dev [01:19]
<jamielennox> ok, so you're saying that an invalid x-subject-token is returning a 401? [01:20]
<morganfainberg> yep [01:21]
<jamielennox> hmmm [01:21]
<jamielennox> that's tough [01:21]
<morganfainberg> that appears to have always been the case in v3 [01:21]
<jamielennox> because you can't really return a 404 from /v3/auth/tokens [01:21]
<jamielennox> the caching would go nuts [01:21]
<morganfainberg> how so? [01:21]
<jamielennox> sorry, not our caching [01:22]
<morganfainberg> oh [01:22]
<morganfainberg> right [01:22]
<morganfainberg> well, we should be tossing pragma-cache headers in [01:22]
<jamielennox> but in theory you should be able to run this via squid or something and it would work [01:22]
<morganfainberg> except.. that would be broken [01:22]
<morganfainberg> always [01:22]
*** armax has left #openstack-dev [01:22]
<morganfainberg> unless squid cared about the headers [01:23]
<morganfainberg> that would be a bad idea to cache that in either case. [01:23]
<jamielennox> it's a POST operation, it shouldn't touch it [01:23]
*** waa has quit IRC [01:23]
*** SumitNaiksatam has joined #openstack-dev [01:23]
<jamielennox> anyway whatever [01:23]
<morganfainberg> right, but a get or head? [01:23]
<morganfainberg> x-subject-token is the important part of that request [01:23]
<jamielennox> it doesn't make sense to return 404 from /v3/auth/tokens IMO [01:23]
<morganfainberg> then how do you differentiate between a bad auth token and x-subject-token? [01:24]
<morganfainberg> same concern as with V2 [01:24]
<jamielennox> right [01:24]
<jamielennox> no idea :) [01:24]
<morganfainberg> and caching v3/auth/token on get/head unless you also looked at x-subject-token header would be tragic. [01:25]
<jamielennox> what happens now? a new admin token is being called for every time a token is missed? [01:25]
<morganfainberg> in v2, yes [01:25]
<jamielennox> in v3 [01:25]
<morganfainberg> middleware doesn't do v3 iirc [01:25]
<jamielennox> i think i've always set up PKI when using v3 [01:25]
<morganfainberg> most people do. [01:25]
<jamielennox> umm, it can i think [01:25]
<morganfainberg> well then it would have the same behavior [01:26]
<morganfainberg> new admin token on each invalid token [01:26]
<jamielennox> actually, no it can deal with v2 tokens but it always sends them over the v2 api [01:26]
<jamielennox> v3 tokens [01:26]
<morganfainberg> right. [01:26]
<morganfainberg> which results in some odd data mismatching. [01:26]
<morganfainberg> but, nothing serious [01:26]
<morganfainberg> or even relevant in this case. [01:27]
*** krtaylor has quit IRC [01:28]
<morganfainberg> jamielennox, also: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#404-not-found [01:28]
<jamielennox> sorry, i confused that - it can talk to the v3 api it's just it can only have a v2 admin token [01:28]
*** sld has quit IRC [01:28]
<morganfainberg> jamielennox, ah. in either case. 401 = new admin token (as i understand) [01:28]
<jamielennox> yes [01:29]
<jamielennox> it's the verify_uuid_token function [01:29]
<morganfainberg> yep [01:29]
<morganfainberg> our spec (also) says the current behavior of keystone is wrong. [01:29]
<morganfainberg> i think. [01:29]
<jamielennox> https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1057 [01:29]
<morganfainberg> ah yes [01:29]
<morganfainberg> got it [01:29]
*** dkehn has quit IRC [01:30]
<morganfainberg> i'm going to open a bug since atiwari didn't and see what can be done about it.  this seems like a sub-optimal behavior and could cause excess token churn/failures [01:31]
<morganfainberg> erm. just token churn [01:31]
<jamielennox> so the v3 api says that [01:32]
*** jasondotstar has joined #openstack-dev [01:32]
<morganfainberg> and v2 until recently, didn't do this. [01:32]
<jamielennox> The Identity service will return the exact same response as when the subject token was issued by POST /auth/tokens. [01:32]
<jamielennox> that's for get /auth/tokens [01:32]
<morganfainberg> hrm. [01:32]
<jamielennox> and POST /auth/tokens only mentions a 401 [01:32]
<morganfainberg> hrm. [01:33]
<morganfainberg> right. [01:33]
<morganfainberg> i'm thinking this is an unclear spec :P [01:33]
*** marun has quit IRC [01:33]
<morganfainberg> is the "same response" meant to be if the token validates? [01:33]
<morganfainberg> or in _all_ cases. [01:33]
<jamielennox> well i would suggest it was interpreted as all cases [01:33]
<jamielennox> because you get a 401 in the event of failure [01:34]
<jamielennox> which is the same as specified by POST /auth/tokens [01:34]
<jamielennox> IMO i think we modify the spec to say that in the event of x-subject-token failure we return a 403 [01:34]
<jamielennox> This status code is returned when the request is successfully authenticated but not authorized to perform the requested action. [01:34]
<morganfainberg> that is a good option [01:34]
<jamielennox> not authorized is not quite correct [01:35]
*** dkehn has joined #openstack-dev [01:35]
<jamielennox> but it says yes, you passed the correct auth-token just the x-subject-token is wrong [01:35]
<morganfainberg> except this is more of a 404 instance [01:35]
<jamielennox> i'm not a fan of returning a 404 from a valid url [01:36]
*** danwent has quit IRC [01:36]
<morganfainberg> jamielennox, we should use 402, payment required :P [01:37]
<jamielennox> especially one that is so publicly available [01:37]
<jamielennox> i really want a situation where i can use that [01:37]
<morganfainberg> i also legitimately want to use "I'm a teapot" 318 [01:38]
<morganfainberg> erm 418 [01:38]
<jamielennox> i would be interested in getting into the smart appliances sector, purely to build a kettle that could use it [01:38]
<morganfainberg> heheh [01:38]
<morganfainberg> sorry, i can't handle that request reason: I'm a teapot, [01:39]
<jamielennox> simply replace all 404 errors with 418s [01:40]
<morganfainberg> LOL [01:40]
<jamielennox> GET /bacon, sorry i'm a teapot [01:40]
<ayoung> jamielennox, I'm not really here, just checking in before bed.  Anything burning? [01:55]
<jamielennox> ayoung: no, i think it's all good [01:55]
<morganfainberg> ayoung, all quiet (for the moment) [01:56]
<ayoung> jamielennox, on https://etherpad.openstack.org/devstack-freeipa yeah, we would honor env vars in localrc of course [02:31]
<jamielennox> ayoung: i wasn't thinking so much honour them as just make ipa one means of providing that information into a generic system [02:32]
<ayoung> interesting... [02:33]
<jamielennox> so example when you want to put in certs you make IPA fill in a bunch of env variables containing cert data, but the deployment of certs is generic [02:33]
<ayoung> jamielennox, I was just talking devstack, but how would ipa provide anything, short of a DNS lookup [02:33]
<jamielennox> otherwise we're going to have a massive IPA section to devstack to maintain [02:33]
<ayoung> jamielennox, when you say IPA, you mean the ipa plugin to devstack? [02:34]
<jamielennox> plugin? i mean whatever the path would be through devstack for ipa [02:34]
<ayoung> deployment of certs is really not generic. [02:34]
<jamielennox> ayoung: why? [02:34]
<ayoung> jamielennox, certmonger! [02:34]
<ayoung> ipa manages certs.  It just needs to know about them [02:34]
<jamielennox> i don't think it makes sense for devstack [02:34]
*** shang has joined #openstack-dev [02:35]
*** xchu has joined #openstack-dev [02:35]
<ayoung> jamielennox, yes it does...if you think of devstack as the place where people learn how to set up and configure openstack [02:35]
<ayoung> plus it has to be in devstack for gating jobs to use it [02:35]
<jamielennox> so for example we set up a lot of env variables like IDENTITY_CERTFILE and IDENTITY_KEYFILE for {service}_{key} [02:36]
<jamielennox> putting the files into the correct place is then a generic operation [02:36]
<jamielennox> populating the variables is an IPA operation [02:36]
<jamielennox> same for kerberos [02:36]
<ayoung> jamielennox, in this case, it would take that info and pass it to Certmonger [02:36]
*** shang has quit IRC [02:37]
*** shang has joined #openstack-dev [02:37]
<jamielennox> does it have to be? [02:37]
<ayoung> jamielennox, wouldn't be much for the ipa part of devstack to do except to say "don't try to do this yourself" [02:37]
<ayoung> jamielennox, I am not saying that FreeIPA would be required for devstack [02:38]
*** galstrom is now known as galstrom_zzz [02:38]
<ayoung> it would be optional, but, if triggered, would use IPA to the utmost [02:38]
<jamielennox> i mean in an ideal situation it would but you can deploy certs from ipa without certmonger and you can use certmonger without ipa [02:38]
*** schwicht has quit IRC [02:40]
*** yaguang has quit IRC [02:40]
<ayoung> jamielennox, "same for Kerberos" I think that is the real issue.  Without FreeIPA, Kerberos is a non-starter in a devstack environment [02:40]
<ayoung> I'm less concerned about the X509 side [02:41]
<jamielennox> why? [02:41]
<ayoung> devstack setting up Kerberos is ... [02:41]
<ayoung> insanity? [02:41]
<ayoung> wicked hard? [02:41]
<ayoung> ein bissel meshugie? [02:41]
<jamielennox> you need keytabs and krb5.conf stuff [02:41]
<jamielennox> are you talking about doing that one per service? [02:42]
*** ericw has joined #openstack-dev [02:42]
<ayoung> ipa-client-install handles that to start with.  ipa-getkeytab simplifies it for additional services, too [02:42]
<ayoung> yes, one per service [02:42]
<jamielennox> i'm not saying we don't use that [02:43]
<jamielennox> i'm asking what would be required to provide that information manually, that we could then have IPA auto configure [02:43]
*** edmund has joined #openstack-dev [02:43]
<ayoung> jamielennox, so you are saying that you think the provisioning for the ipa case should be the same as the provisioning for the non-ipa case.  I suspect that is actually harder than letting ipa-client and certmonger do their jobs [02:44]
*** jbresnah has quit IRC [02:44]
*** unkown has joined #openstack-dev [02:45]
<ayoung> We'd still need a mechanism to, say, fetch a cert from ipa and put it in place [02:45]
*** ericw has quit IRC [02:45]
<jamielennox> ayoung: right, but we'll need that anyway [02:45]
<ayoung> which exists, but we would need a separate call out to it in the ipa case than in the non-ipa case...which probably does self signed [02:45]
<jamielennox> we don't have to provide the non-ipa case, someone might wish to [02:45]
<ayoung> no, I mean the current way *is* the non ipa case...when the cert doesn't come from IPA, it has to be openssl generated [02:46]
<jamielennox> ok [02:46]
<jamielennox> i didn't realize devstack was generating that many certs, but good [02:46]
*** markwash has quit IRC [02:46]
<ayoung> yeah...or it is not setting up SSL at all. [02:47]
<ayoung> I am not sure which [02:47]
<jamielennox> so let's rephrase the question, what does it take to make the SSL cert stuff a 'plugin' [02:47]
<jamielennox> i'm not that familiar with devstack's internals but as i see it there are two ways to accomplish it [02:48]
*** novas0x2a|laptop has quit IRC [02:48]
<jamielennox> 1. have an actual plugin that gets called with 'generate a new cert for X' [02:48]
<ayoung> good question.  I'd have to scan the code, but I suspect the answer is " a lot of shell scripting"  and, for the IPA case, if that does not currently exist, we don't need to do it, either [02:48]
<jamielennox> 2. pregenerate a bunch of certificates and put them into ENV variables, and then use them iff they are set [02:48]
<ayoung> I have to admit I have learned and forgotten and relearned and reforgotten much of devstack [02:49]
*** Shaan7 has quit IRC [02:49]
<ayoung> not a bad idea, but let's keep that as a stretch goal.  We can move that way if it looks easier to do. [02:49]
<jamielennox> if we can make it number 2 then to my mind it's easy [02:49]
*** Shaan7 has joined #openstack-dev [02:49]
<jamielennox> because you take either the openssl path, the ipa path, or neither [02:50]
*** jasdeepH has quit IRC [02:50]
<jamielennox> the handling/installing of certs is generic, the generation is done up front [02:50]
<ayoung> jamielennox, he look https://github.com/openstack-dev/devstack/commit/d98a5d0a58c1fae2ce8adcd8098cefaa9f558381 [02:51]
<jamielennox> bet they're regretting writing devstack in bash these days [02:52]
<ayoung> jamielennox, devstack sets up certificates for keystone pki, but I don't think it does ssl elsewhere [02:52]
<ayoung> jamielennox, beats Perl [02:53]
<ayoung> maybe [02:53]
<jamielennox> i've never done perl, but i'd suggest it doesn't [02:53]
<jamielennox> i mean i've read enough and know the arguments [02:54]
<jamielennox> there are throwbacks who really love perl but [02:54]
*** dina_belova has joined #openstack-dev [02:55]
<ayoung> personally, I hate all languages.  Each for a different reason, of course [02:55]
<morganfainberg> ayoung, i'll take python over perl (at the very least) [02:56]
<jamielennox> do you know what the tls proxy in devstack is for? [02:57]
<ayoung> anyway, cert generation aside, jamielennox heh, I just found that too   Only other place that seems to be doing openssl [02:57]
<ayoung> let's see if git can tell us [02:57]
*** alexxu has joined #openstack-dev [02:57]
<ayoung> jamespage, commit c83a7e12 [02:58]
<jamielennox> i can see a good argument for saying i want to setup keystone/other service with this certificate [02:58]
<ayoung> specifically for Keystone [02:58]
<jamielennox> so you put IDENTITY_CERT in localrc [02:58]
<jamielennox> probably IDENTITY_CA and IDENTITY_KEY as well [02:58]
<jamielennox> same for all services [02:58]
<jamielennox> that is first challenge [02:59]
*** yaguang has joined #openstack-dev [02:59]
*** dina_belova has quit IRC [02:59]
<jamielennox> then you say, you asked to be setup with a freeipa server, let me just prefill all those {SERVICE}_{CERT|CA|KEY} variables for you [02:59]
<ayoung> jamielennox, so, It might end up being the same...if they are all running in an apache instance, just on different ports, I think they can share a cert. [02:59]
<jamielennox> ayoung: can, depends on what makes sense i guess [03:00]
*** mjfork has quit IRC [03:01]
<ayoung> jamielennox, ok, let's table this detail for now.  I suspect that we will just skip it for the IPA case, as I think that lib/tls is not even used if Keystone is running in HTTPD, and you want  the HTTPD server to provide SSL support [03:01]
<ayoung> So it would more likely be that lib/apache makes use of certmonger for ssl, otherwise, no ssl. [03:02]
<jamielennox> yea, i think lib/tls is going to be irrelevant with httpd [03:02]
<jamielennox> ayoung: always uses certmonger? that seems extreme [03:03]
<ayoung> jamielennox, I mean that the IPA work is going to be the first to do this, so we will set it up with certmonger via ipa-client.  If someone else wants to do more, they are welcome to [03:04]
<jamielennox> surely the first situation is going to be deploying with apache though, certmonger being the extension [03:04]
*** stevemar has joined #openstack-dev [03:05]
<ayoung> apache work is already done for keystone.  We will leverage that.  We will just have, as part of lib/ipa (or whatever) code that registers the httpds service, allocates the certificate, and tells certmonger to manage it. [03:06]
<ayoung> jamielennox, I think that when you run ipa-getcert, certmonger knows about it if the machine is an ipa-client [03:07]
<jamielennox> i don't know enough about how that works [03:08]
<jamielennox> if certmonger knows about it does that imply httpd knows somehow [03:09]
*** pmathews has joined #openstack-dev [03:09]
<ayoung> jamielennox, I have the advantage that I sit back to back with Nalin. He's basically certmonger maestro [03:09]
<jamielennox> i've seen it in use with IPA but not otherwise, and i don't remember how i set it up [03:10]
*** ljjjustin has joined #openstack-dev [03:10]
<jamielennox> i'm still not convinced that certmonger should be the default route for certs though [03:10]
<ayoung> actually, I need to figure out how to reissue the ipa servers HTTPS cert, as I am getting that "reissued certificate serial number" error now that I rebuilt our dev IPA server [03:10]
<ayoung> BTW, I rebuilt our dev ipa server [03:11]
<jamielennox> it seems like giving devstack even the option of using certs is first [03:11]
<ayoung> jamielennox, one of the reasons to use IPA is to make all of this easy [03:11]
<ayoung> certs, kerberos, ldap, dns [03:11]
<ayoung> centralized sudo and HBAC are add ons on top of that. [03:12]
<jamielennox> ayoung: i get that, the thing that i like most about ipa though is it more or less management of well known services, and there should be the option of using those without ipa [03:12]
<ayoung> jamielennox, there is no standardized way of getting certificates from a CA [03:12]
*** KurtMartin has joined #openstack-dev [03:13]
<ayoung> but, every way that is close to standardized is supported by certmonger [03:13]
<jamielennox> true [03:13]
<ayoung> I would say, use certmonger, even in the absence of IPA [03:13]
*** xmltok has quit IRC [03:14]
<ayoung> ok...I'm off to bed.  Have to work tomorrow. [03:14]
<jamielennox> and i think that building certmonger into devstack is a good idea - it should be able to be independent of the freeipa stuff [03:14]
<jamielennox> ayoung: ok, good night [03:14]
bashaHey can someone please review https://review.openstack.org/#/c/44843/10:17
*** toabctl has joined #openstack-dev10:17
*** wfoster is now known as wfoster_away10:20
*** ruhe has joined #openstack-dev10:20
*** kaushikc has joined #openstack-dev10:22
*** kushal has joined #openstack-dev10:23
*** kaushikc has quit IRC10:25
*** kaushikc has joined #openstack-dev10:25
sshturmjd__: Could you please review a patch that fixed wrong downgrade in migrations? https://review.openstack.org/#/c/45410/10:29
*** romcheg has joined #openstack-dev10:31
*** ruhe has quit IRC10:32
*** xga_ has quit IRC10:32
*** pcm_ has quit IRC10:32
*** pcm_ has joined #openstack-dev10:33
*** dkehn__ has joined #openstack-dev10:35
*** dkehn_ has quit IRC10:39
*** jaimegil has quit IRC10:39
*** xga has joined #openstack-dev10:39
*** jruzicka has joined #openstack-dev10:41
*** sergmelikyan has joined #openstack-dev10:41
sergmelikyanjoin #openstack-infra10:41
*** romcheg has quit IRC10:42
*** romcheg has joined #openstack-dev10:43
*** anniec has joined #openstack-dev10:43
*** anniec_ has joined #openstack-dev10:46
*** vkmc has joined #openstack-dev10:47
*** anniec has quit IRC10:48
*** anniec_ is now known as anniec10:48
*** kushal has quit IRC10:50
*** sergmelikyan has quit IRC10:53
*** markvoelker has quit IRC10:54
*** vartom7 has joined #openstack-dev10:56
*** kaushikc has quit IRC11:01
*** dkehn__ has quit IRC11:03
*** dkehn__ has joined #openstack-dev11:04
*** vartom7 has quit IRC11:04
*** markvoelker has joined #openstack-dev11:07
*** saschpe_ has joined #openstack-dev11:08
*** o_petit has joined #openstack-dev11:10
*** mrunge has quit IRC11:11
*** kbringard has joined #openstack-dev11:13
*** o_petit has quit IRC11:14
*** gmoro has quit IRC11:14
*** ruhe has joined #openstack-dev11:17
*** mrunge has joined #openstack-dev11:19
*** CaptTofu has joined #openstack-dev11:20
*** kaushikc has joined #openstack-dev11:20
*** sridevi has quit IRC11:20
*** o_petit has joined #openstack-dev11:23
*** kaushikc has quit IRC11:25
*** kaushikc has joined #openstack-dev11:25
*** gmoro has joined #openstack-dev11:26
*** nosnos has quit IRC11:29
*** kaushikc has quit IRC11:29
*** kaushikc has joined #openstack-dev11:30
*** martyntaylor1 has joined #openstack-dev11:30
*** martyntaylor has quit IRC11:31
*** AnilV4 has quit IRC11:32
*** rcrit has quit IRC11:36
*** jayg|g0n3 is now known as jayg11:38
*** zbitter has joined #openstack-dev11:41
*** kaushikc has quit IRC11:43
*** zaneb has quit IRC11:43
*** wfoster_away is now known as wfoster11:43
*** FunnyLookinHat has joined #openstack-dev11:46
*** FunnyLookinHat has joined #openstack-dev11:46
*** rcrit has joined #openstack-dev11:49
*** lucasagomes is now known as lucas-hungry11:50
*** kaushikc has joined #openstack-dev11:50
*** dkranz has quit IRC11:51
*** zbitter is now known as zaneb11:51
*** asalkeld has quit IRC11:55
*** mkollaro has joined #openstack-dev11:59
*** mrunge has quit IRC12:00
*** adalbas has quit IRC12:01
*** coolsvap has quit IRC12:02
*** sridevi has joined #openstack-dev12:02
*** dolphm has joined #openstack-dev12:03
*** anteaya has joined #openstack-dev12:04
*** bashok has joined #openstack-dev12:05
*** wfoster is now known as wfoster_brb12:06
*** ruhe has quit IRC12:07
*** safchain_ has joined #openstack-dev12:08
*** terryh has joined #openstack-dev12:09
*** safchain has quit IRC12:11
*** rfolco has joined #openstack-dev12:12
*** rfolco has quit IRC12:13
*** ruhe has joined #openstack-dev12:15
*** ruhe has quit IRC12:16
*** terryh has quit IRC12:16
*** adalbas has joined #openstack-dev12:18
*** waa has joined #openstack-dev12:18
*** gordc has joined #openstack-dev12:19
*** dkehn has joined #openstack-dev12:21
*** dkehn__ has quit IRC12:22
*** ruhe has joined #openstack-dev12:25
*** mmagr has quit IRC12:25
*** drewlander has joined #openstack-dev12:26
*** drewlander has quit IRC12:26
*** drewlander has joined #openstack-dev12:27
*** annegentle has quit IRC12:27
*** terryh has joined #openstack-dev12:28
*** schwicht has joined #openstack-dev12:28
*** mmagr has joined #openstack-dev12:29
*** terryh has quit IRC12:29
*** para__ has joined #openstack-dev12:30
*** terryh has joined #openstack-dev12:30
*** tmclaugh[work] has joined #openstack-dev12:30
*** dvarga has joined #openstack-dev12:31
*** terryh has quit IRC12:31
*** terryh has joined #openstack-dev12:33
*** terryh has quit IRC12:33
*** morazi has joined #openstack-dev12:35
*** sridevi has quit IRC12:39
*** imsurit has joined #openstack-dev12:39
*** bknudson has joined #openstack-dev12:40
*** ruhe_ has joined #openstack-dev12:42
*** ruhe has quit IRC12:43
*** sballe_ has quit IRC12:43
*** enikanorov-w has joined #openstack-dev12:44
*** sballe_ has joined #openstack-dev12:44
*** odyssey4me has quit IRC12:47
*** markmcclain has quit IRC12:47
*** roz has joined #openstack-dev12:49
*** roz is now known as AndreaRosa12:49
*** kaushikc has quit IRC12:49
*** kaushikc has joined #openstack-dev12:50
*** sballe_ has quit IRC12:52
*** lbragstad has joined #openstack-dev12:53
AndreaRosaI am putting an import pdb; pdb.set_trace() in a test, I'd like to run it (using tox or run_test) and enter in the pbr, is that possible?12:54
*** jistr has quit IRC12:55
AndreaRosaI mean pdb12:55
*** networkstatic has quit IRC12:56
*** kaushikc has quit IRC12:56
*** jistr has joined #openstack-dev12:56
*** spzala has joined #openstack-dev12:56
*** sumanthns has quit IRC12:57
*** dprince has joined #openstack-dev12:58
dolphmayoung: this isn't an LDAP vs AD issue, is it? https://bugs.launchpad.net/keystone/+bug/121014113:00
uvirtbotLaunchpad bug 1210141 in keystone "LDAP identity provider fails when using samAccountName" [Medium,Triaged]13:00
*** annegentle has joined #openstack-dev13:01
*** lucas-hungry is now known as lucasagomes13:01
*** pcm__ has joined #openstack-dev13:03
*** pcm__ has quit IRC13:04
*** blentz has joined #openstack-dev13:04
*** pcm__ has joined #openstack-dev13:05
*** stevemar has joined #openstack-dev13:05
*** pcm_ has quit IRC13:06
dolphmchmouel: mind if i assign you bug 1210515?13:09
uvirtbotLaunchpad bug 1210515 in keystone "keystone chokes on empty "description" field in active directory" [Medium,Triaged] https://launchpad.net/bugs/121051513:09
AndreaRosarun_tests -d it works, my problem is on a specific test...debugging it. thanks13:10
chmoueldolphm: i think i am assigned already :)13:10
dolphmchmouel: so you are. ;)13:10
*** ctlaugh_ has joined #openstack-dev13:10
*** ctlaugh has quit IRC13:11
*** dina_belova has quit IRC13:11
*** markmcclain has joined #openstack-dev13:13
*** dstanek has joined #openstack-dev13:14
henrynashdolphm: quick question….in the V2 identity controller there are some Diablo CRUD "extensions" for getting and creating role_refs…..I assume we still need to support these (I noticed we don't test them anywhere!)13:14
dolphmhenrynash: test_keystoneclient doesn't hit that stuff?13:15
henrynashdolphm:let me check13:15
dolphmhenrynash: line 1030 ish13:16
dolphmhenrynash: first few tests in KcEssex3TestCase13:16
henrynashdolphm: oops, sorry my search filter was wrong….13:17
henrynashdolphm: …and I assume support is still required…13:17
*** bashok has quit IRC13:17
henrynashdolphm: just rationalising where I need to make changes for the bug in list/get user projects13:17
dolphmhenrynash: yeah, i'd like to consider it deprecated though, if possible13:18
*** imsurit has quit IRC13:18
*** yaguang has joined #openstack-dev13:19
henrynashdolphm: ok13:19
*** maheshp has joined #openstack-dev13:19
*** maheshp1 has joined #openstack-dev13:19
dolphmhenrynash: maybe in icehouse-1 we can add deprecation warnings to all of the v2 controller methods?13:20
*** stevemar has quit IRC13:20
henrynashdolphm: yes, I was thinking something like that…we haven't really made any statements on v2 yet13:20
*** garyk has quit IRC13:22
dolphmhenrynash: if we do it in icehouse, then we can drop support as soon as K-113:22
*** basha has quit IRC13:22
henrynashdolphm: yep13:22
*** egallen has quit IRC13:22
*** garyk has joined #openstack-dev13:22
henrynashdolphm: feels about the right sort of time13:22
dolphmhenrynash: i imagine we'll have to support /v2.0/tokens much longer though13:23
dolphmhenrynash: but all the admin stuff can go ASAP13:23
henrynashdolphm: agreed13:23
*** derekh has quit IRC13:23
dolphmhenrynash: i guess that's a blueprint worthy endeavor... i'll go file one13:24
henrynashdolphm: good plan13:24
*** basha has joined #openstack-dev13:24
*** ctlaugh_ has quit IRC13:24
*** dims has quit IRC13:24
*** ctlaugh has joined #openstack-dev13:25
*** arezmerita has quit IRC13:25
*** arezmerita_ has quit IRC13:25
*** rushiagr has joined #openstack-dev13:27
*** eharney has joined #openstack-dev13:28
*** krtaylor has joined #openstack-dev13:29
*** derekh has joined #openstack-dev13:30
*** johnthetubaguy has joined #openstack-dev13:31
*** alunduil has quit IRC13:31
*** wfoster_brb is now known as wfoster13:31
dolphmhenrynash: https://blueprints.launchpad.net/keystone/+spec/deprecate-v2-api13:32
*** o_petit has quit IRC13:33
*** sandywalsh_ has joined #openstack-dev13:34
*** sandywalsh has joined #openstack-dev13:34
*** sandywalsh_ has quit IRC13:36
*** sandywalsh has quit IRC13:37
*** dims has joined #openstack-dev13:38
*** prad has joined #openstack-dev13:40
*** hellome has quit IRC13:40
*** otherwiseguy has joined #openstack-dev13:40
*** hellome has joined #openstack-dev13:41
*** dina_belova has joined #openstack-dev13:43
*** jhesketh has quit IRC13:44
sdaguedtroyer: so I'm actually thinking that we could use a pep8 equiv for devstack, at least something to check basic indentation and whitespace things. Am I crazy for thinking about banging that out?13:46
lxsliHi, please could I have eyes on https://review.openstack.org/#/c/45432/ ? Very small change13:47
*** terryh has joined #openstack-dev13:48
dtroyersdague: not at all.  I've thought that before too...13:48
*** hartsocks has joined #openstack-dev13:48
*** hartsocks has left #openstack-dev13:48
*** tstevenson has joined #openstack-dev13:48
sdagueok, well I'm putting it on my list :)13:48
*** ruhe_ has quit IRC13:49
*** sballe has joined #openstack-dev13:49
sdaguemaybe a good thing to hack on in new orleans at linux con when other things aren't going on13:49
*** FunnyLookinHat has quit IRC13:49
*** radez_g0n3 is now known as radez13:51
*** athomas has quit IRC13:52
*** burt has joined #openstack-dev13:56
*** stevemar has joined #openstack-dev13:56
*** jhesketh has joined #openstack-dev13:57
*** trey_h has joined #openstack-dev13:58
*** athomas has joined #openstack-dev13:58
*** crazed has joined #openstack-dev13:59
*** xga_ has joined #openstack-dev14:01
*** dvarga_ has joined #openstack-dev14:01
*** tong|2 has joined #openstack-dev14:01
*** pcm_ has joined #openstack-dev14:01
*** dvarga has quit IRC14:03
*** prekarat1 has quit IRC14:03
*** doron_afk has quit IRC14:03
*** prekarat has joined #openstack-dev14:03
*** doron_afk has joined #openstack-dev14:03
*** pcm__ has quit IRC14:04
*** xga has quit IRC14:04
*** litong has quit IRC14:04
*** rcrit has quit IRC14:06
*** otherwiseguy has quit IRC14:10
*** dina_belova has quit IRC14:10
*** o_petit has joined #openstack-dev14:10
*** dkranz has joined #openstack-dev14:11
*** alunduil has joined #openstack-dev14:12
stevemardolphm: ping14:14
*** dina_belova has joined #openstack-dev14:15
dolphmstevemar: pong14:16
dolphmhenrynash: this is now invalid, right? https://bugs.launchpad.net/keystone/+bug/119501914:16
uvirtbotLaunchpad bug 1195019 in keystone "GET /role_assignments not supported on LDAP backend" [Wishlist,Triaged]14:16
stevemardolphm: so, trying to recreate your bug (https://bugs.launchpad.net/keystone/+bug/1221418), can't at all =\14:17
uvirtbotLaunchpad bug 1221418 in keystone "creating duplicate users is allowed, MultipleResultsFound exception on auth" [Medium,Won't fix]14:17
dolphmstevemar: see my comment this morning14:17
stevemarack14:17
stevemardolphm: i didn't refresh the page this morning14:18
dolphmstevemar: i need to update the role one as well14:18
*** trey_h has quit IRC14:18
dolphmstevemar: i tried to repro against mysql and it doesn't seem possible, but i can repro against sqlite easily14:18
dolphmstevemar: and somehow sqlite has gotten worse14:18
stevemardolphm: and I don't get launchpad emails right away for some reason, there is at least a 30 minute delay14:18
stevemardolphm: alright, btw I wanted to show you an error i was getting this time around14:19
*** rcrit has joined #openstack-dev14:19
*** jvrbanac has joined #openstack-dev14:19
*** sgordon has joined #openstack-dev14:20
stevemardolphm: http://paste.openstack.org/show/45910/14:20
dolphmstevemar: well that's new14:21
*** o_petit_ has joined #openstack-dev14:22
stevemardolphm: and not so good14:22
*** mlavalle has joined #openstack-dev14:22
bknudsonwhy is that a 400? the request was fine.14:22
dolphmstevemar: that's not reproducible on master for me14:22
*** hartsocks has joined #openstack-dev14:23
*** hartsocks has left #openstack-dev14:23
stevemardolphm: i did this last night at 1am, token format is UUID, that's the only change to devstack i made14:23
*** clayb has joined #openstack-dev14:23
dolphmstevemar: i have the same config against mysql14:24
dolphmstevemar: changed the username to something unique http://pasteraw.com/gom6szp72hdphwiuacvp0rvyvecns6a14:24
*** o_petit has quit IRC14:24
dolphmstevemar: http://pasteraw.com/c4pgfb02lmv610jjw7l3cclk9r4095q14:25
stevemarhmm14:26
*** hemna has joined #openstack-dev14:26
*** basha has quit IRC14:26
*** dina_belova has quit IRC14:26
*** jcoufal_ has joined #openstack-dev14:28
*** thedodd has joined #openstack-dev14:28
*** markwash has quit IRC14:29
*** jcoufal has quit IRC14:30
*** souvik has joined #openstack-dev14:31
*** markmcclain has quit IRC14:31
*** prekarat has quit IRC14:32
*** o_petit_ has quit IRC14:34
*** dstanek has quit IRC14:35
med_have the 2013.2.b3 tags gone out yet? I'm not seeing them.14:37
med_or is that close-of-biz today?14:37
med_ttx, ^14:38
*** otherwiseguy has joined #openstack-dev14:38
*** rcrit has quit IRC14:38
*** wolfdreamer has joined #openstack-dev14:38
*** edmund has joined #openstack-dev14:38
ttxmed_: it's today. Looks like I'll push them out in 30min14:38
*** alexpilotti has quit IRC14:38
med_thanks ttx14:38
*** FunnyLookinHat has joined #openstack-dev14:41
*** ruhe has joined #openstack-dev14:41
*** jcoufal_ has quit IRC14:44
*** FunnyLookinHat has quit IRC14:45
*** jmontemayor has joined #openstack-dev14:46
*** FunnyLookinHat has joined #openstack-dev14:47
*** arezmerita has joined #openstack-dev14:48
*** markmcclain has joined #openstack-dev14:48
*** _TheDodd_ has joined #openstack-dev14:49
*** thedodd has quit IRC14:49
*** dina_belova has joined #openstack-dev14:49
*** sarob has joined #openstack-dev14:50
*** thedodd has joined #openstack-dev14:50
*** mmagr has quit IRC14:50
*** thedodd has quit IRC14:50
*** rcrit has joined #openstack-dev14:50
*** bashok has joined #openstack-dev14:51
*** Shaan7 has joined #openstack-dev14:51
*** rushiagr has quit IRC14:52
*** diogogmt has joined #openstack-dev14:52
*** _TheDodd_ has quit IRC14:53
*** thedodd has joined #openstack-dev14:53
*** matiu has joined #openstack-dev14:54
*** thedodd has quit IRC14:56
*** corXi_ has quit IRC14:57
*** pabelanger has quit IRC14:57
*** eglynn_ has joined #openstack-dev14:58
*** eglynn has quit IRC14:58
*** thedodd has joined #openstack-dev14:59
*** sarob has quit IRC14:59
*** jprovazn has quit IRC14:59
*** sarob has joined #openstack-dev14:59
*** sarob has quit IRC15:00
*** jasdeepH has joined #openstack-dev15:00
*** sarob has joined #openstack-dev15:00
*** sarob has quit IRC15:00
*** sarob has joined #openstack-dev15:01
*** colinmcnamara has joined #openstack-dev15:02
*** dstanek has joined #openstack-dev15:03
*** sarob has quit IRC15:05
*** maheshp1 has quit IRC15:06
*** jimfehlig has joined #openstack-dev15:06
*** armax has joined #openstack-dev15:08
*** sarob has joined #openstack-dev15:09
*** sarob has quit IRC15:09
*** sarob has joined #openstack-dev15:09
*** troytoman-away is now known as troytoman15:09
*** galstrom_zzz is now known as galstrom15:11
*** wfoster is now known as wfoster_away15:13
*** arezmerita has quit IRC15:15
*** bdpayne has quit IRC15:16
*** dina_bel_ has joined #openstack-dev15:18
*** ndipanov has quit IRC15:18
*** coolsvap has joined #openstack-dev15:20
*** ericw has joined #openstack-dev15:21
*** dina_belova has quit IRC15:22
*** rnirmal has joined #openstack-dev15:22
*** pmathews has joined #openstack-dev15:23
*** imsurit has joined #openstack-dev15:25
*** imsurit is now known as Guest2773815:25
*** Guest27738 is now known as imsurit115:26
*** shinylasers has joined #openstack-dev15:29
*** hemna has quit IRC15:29
*** arezmerita has joined #openstack-dev15:30
*** shinylasers has quit IRC15:32
henrynashdolphm: on https://bugs.launchpad.net/keystone/+bug/1195019 it is technically still an issue, although likely no longer such an issue….since with split-identity, you can have users/groups in ldap, but roles in sql…so the issue raised is only relevant if you want the assignment backend also in ldap….for which I think we are deficient in most v3 role APIs (e.g. grants)15:32
uvirtbotLaunchpad bug 1195019 in keystone "GET /role_assignments not supported on LDAP backend" [Wishlist,Invalid]15:32
dolphmhenrynash: want to keep it open then?15:33
*** svapneel has joined #openstack-dev15:33
*** sandeepr_ltp has joined #openstack-dev15:33
dolphmhenrynash: or supersede it with a broader wishlist item?15:33
*** odyssey4me has joined #openstack-dev15:33
*** o_petit has joined #openstack-dev15:34
*** coolsvap has quit IRC15:34
henrynashdolphm: let's go for a broader wish list - which is to decide what we do about ldap assignment backend….do we freeze it as is, bring it up to full capability, deprecate it etc.15:34
dolphmhenrynash: ++15:34
henrynashdolphm: want me to put that in?15:34
dolphmhenrynash: sounds good15:35
henrynashdolphm: maybe that's a blueprint?15:35
*** radez is now known as radez_g0n315:35
dolphmhenrynash: well, the decision should be a bp, not the fact that it's incomplete15:36
*** bashok has quit IRC15:36
henrynashdolphm: ok15:36
dolphmhenrynash: .. if that makes any sense15:36
*** pasquier-s has quit IRC15:36
*** xarses has quit IRC15:37
*** alop has joined #openstack-dev15:37
chmoueldolphm: about https://bugs.launchpad.net/keystone/+bug/122157915:37
uvirtbotLaunchpad bug 1221579 in keystone "Disabling a tenat with ldap does not seem to do much" [Undecided,Incomplete]15:37
chmoueli think we should just come back with an error right?15:38
*** imsurit1 has quit IRC15:39
*** odyssey4me2 has joined #openstack-dev15:39
*** odyssey4me has quit IRC15:40
*** svapneel has quit IRC15:40
*** chenxu has joined #openstack-dev15:40
*** tstevenson has quit IRC15:40
chenxuquestion: on dhcp-agent of neutron, RemoteError: Remote error: AgentNotFoundByTypeHost Agent with agent_type=DHCP agent and host=openstack-n1 could not be found15:41
chenxuwhere to look first?15:41
chenxurunning trunk btw15:41
*** thedodd has quit IRC15:41
*** thedodd has joined #openstack-dev15:42
crazedso quantum was renamed to neutron in havana?15:42
*** tstevenson has joined #openstack-dev15:42
*** hellome has quit IRC15:43
crazeder wrong channel15:43
*** bdpayne has joined #openstack-dev15:44
*** hellome has joined #openstack-dev15:44
*** cococafe has joined #openstack-dev15:44
*** insanidade has joined #openstack-dev15:45
*** o_petit_ has joined #openstack-dev15:45
*** dina_belova has joined #openstack-dev15:46
*** dina_bel_ has quit IRC15:47
*** yassine has quit IRC15:47
*** mrodden has joined #openstack-dev15:47
*** o_petit has quit IRC15:48
*** markmcclain has quit IRC15:48
henrynashayoung: ping15:49
*** odyssey4me has joined #openstack-dev15:49
*** pabelanger has joined #openstack-dev15:49
*** dina_belova has quit IRC15:49
bknudsonhenrynash: deprecate ldap assignment backend.15:49
*** dina_belova has joined #openstack-dev15:49
insanidadehi all. question: I'm trying to use a router openstack still doesn't support. I have to write code so that that router's api can be invoked and responses are translated back into openstack. I understand that's an agent's responsibility. As I don't understand the complete flow yet, I ask: do I have to create a new driver for that router and make the agent use that driver ?15:50
henrynashbknudson: is that proposal or a question ?15:50
henrynashbknudson: :-)15:50
bknudsonhenrynash: my opinion is it should be deprecated15:50
henrynashbknudson: I agree…15:50
ayounghenrynash, yeah15:51
*** sarob has quit IRC15:51
ayoungbknudson, I agree15:51
*** odyssey4me2 has quit IRC15:51
henrynashayoung: question for you default project and membership role (which i kind of saw you in conversation about a while back)15:51
ayoungit is there to provide a migration path for people currently using LDAP for Identity.  We can't cut them off, but it should not be a long term approach15:51
*** ruhe has quit IRC15:52
henrynashayoung: I thought a default project meant you would have (at least) the membership role on the project, no?15:52
ayounghenrynash, so the discussion was whether changing default should unenroll you.  I say, no way Jose15:52
ayoungand it should enroll you, I think, as a streamline15:52
ayoungbut removing it as your default project should not unenroll you15:52
*** michchap has quit IRC15:53
*** terriyu has joined #openstack-dev15:53
ayoungalternatively, we could force the user to explicitly enroll before changing default.15:53
*** hellome has quit IRC15:53
ayoungthat would be consistent, but obnoxious.  Hobgoblin.15:53
*** odyssey4me has quit IRC15:53
henrynashayoung: I'm actually looking at a separate issue…which is, can you safely assume that if you want to respond to "list projects for user" that we can just return any project that has a role for that user...15:54
*** dina_belova has quit IRC15:54
*** egallen has joined #openstack-dev15:54
henrynashayoung: today the code (sometimes) also adds in the default project from the user record explicitly…that seems redundant to me15:54
*** hellome has joined #openstack-dev15:54
*** matrohon has quit IRC15:55
*** aeperezt has joined #openstack-dev15:55
ayounghenrynash, hmmm. does setting default role currently enroll the user?15:55
henrynashayoung: yes15:55
henrynashayoung: on create user, yes15:56
ayounghenrynash, how about update?15:56
*** hellome has quit IRC15:56
ayounghenrynash, so, to contradict myself, I would say that we should not enroll a user upon setting default.  But we should allow a user to set their own default.15:57
henrynashayoung: that was the bug that was in question to which you responded…what happens if you update the default project…and the fix was to indeed enrol you15:57
henrynashsorry gotta nip offline…will be back on line later to continue...15:57
ayounghenrynash, so, do you think a user should be able to set their own default?15:57
*** hellome has joined #openstack-dev15:58
*** o_petit_ has quit IRC15:58
*** danwent has joined #openstack-dev15:59
*** Ryan_Lane has joined #openstack-dev16:00
dtroyerayoung: fwiw, as a user I would like to choose the default…if I already am a member of the project.16:00
ayoungdtroyer, yep16:00
ayoungme too16:00
ayoungdtroyer, as a user of an OS cluster, I was messed up by that very issue on Wednesday16:00
ayoungAll our accounts were created with a user specific project, but as a team we started using a team project, and I wanted to change my default/16:01
dtroyerstevemar: (or anyone else interested in OAuth in DevStack)  could you have a look at https://review.openstack.org/#/c/44401 when you get a sec?16:01
ayoungdtroyer, I'll look16:01
dtroyerayoung: thanks16:02
*** xga__ has joined #openstack-dev16:02
ayoungdtroyer, shouldn't we have something like KEYSTONE_EXTENSIONS=oauth, kds,vargarble,snurp16:02
bknudsonayoung: is that a copy of the config in the pipeline?16:03
dtroyerayoung: possibly...16:03
bknudsonayoung: or do we change the pipeline to have an extension handler16:03
ayoungbknudson, this would be additional extensions16:03
ttxhavana-3 is out16:03
ayoungttx, rock on!16:04
ttxNow let's test and fix :)16:04
dtroyerthis is the first extension to be enabled in DevStack, right?  (I don't know what is and what isn't an extension offhand)16:04
ttxmed_: ^16:04
bknudsonshould be like enable_keystone_oauth16:04
*** MaxV has quit IRC16:04
*** xga_ has quit IRC16:04
dtroyerbknudson: I'd prefer to do it like we do services now, just have a list to enable and do the right thing in the code.  but yeah16:05
ayoungdtroyer, he'll need to run the migration script for it, too16:06
dtroyerayoung: good to know…please leave a comment16:06
ayoungdtroyer, working on it16:07
*** alop_ has joined #openstack-dev16:07
*** gyee has joined #openstack-dev16:07
dtroyercoolness…thanks16:07
*** markwash has joined #openstack-dev16:07
med_ttx, ,many thanks16:07
ayoungdtroyer, how'16:08
ayoungs that?16:08
*** angdraug has joined #openstack-dev16:08
*** ayoung is now known as ayoung-afk16:08
*** odyssey4me has joined #openstack-dev16:08
dtroyerayoung-afk: looks good, thanks again16:09
*** xarses has joined #openstack-dev16:09
*** alop has quit IRC16:10
*** alop_ is now known as alop16:10
*** gmoro has quit IRC16:10
*** drewlander has quit IRC16:14
*** jistr has quit IRC16:16
*** johnthetubaguy has quit IRC16:23
*** jpich has quit IRC16:24
*** jdennis1 has quit IRC16:26
*** drewlander has joined #openstack-dev16:27
*** xga__ has quit IRC16:29
*** insanida1e has joined #openstack-dev16:29
wolfdreamerso question, I have an issue that I've completed, but the changes break a test in tempest, what is the procedure for being able to make modifications to tempest and original issue16:29
*** zz_Guest35249 is now known as leif16:31
*** leif is now known as Guest4070416:31
*** souvik1 has joined #openstack-dev16:31
*** xga has joined #openstack-dev16:31
*** comay has joined #openstack-dev16:32
*** insanidade has quit IRC16:32
*** drewlander has quit IRC16:33
*** souvik has quit IRC16:33
*** Mandell has joined #openstack-dev16:34
*** kbrierly has joined #openstack-dev16:34
*** markmcclain has joined #openstack-dev16:35
*** souvik1 has quit IRC16:36
*** changbl has quit IRC16:37
*** gmoro has joined #openstack-dev16:38
*** chenxu has quit IRC16:39
*** anniec has quit IRC16:39
*** xga_ has joined #openstack-dev16:39
*** paragan has joined #openstack-dev16:40
*** paragan has joined #openstack-dev16:40
*** aeperezt has quit IRC16:41
*** CaptTofu has quit IRC16:42
*** CaptTofu has joined #openstack-dev16:42
*** xga has quit IRC16:43
*** Mandell has quit IRC16:46
*** CaptTofu has quit IRC16:47
*** aeperezt has joined #openstack-dev16:47
*** JordanP has quit IRC16:50
*** arezmerita has quit IRC16:52
*** dkehn has quit IRC16:53
*** dkehn has joined #openstack-dev16:54
*** gyee has quit IRC16:55
*** xmltok has joined #openstack-dev16:59
*** xga_ has quit IRC16:59
*** dina_belova has joined #openstack-dev17:00
*** troytoman is now known as troytoman-away17:01
*** CaptTofu has joined #openstack-dev17:02
*** dina_belova has quit IRC17:05
*** rushiagr has joined #openstack-dev17:06
*** nati_ueno has joined #openstack-dev17:08
*** alop has quit IRC17:09
*** ruhe has joined #openstack-dev17:09
*** radez_g0n3 is now known as radez17:09
*** alop has joined #openstack-dev17:12
*** gyee has joined #openstack-dev17:15
*** MaxV has joined #openstack-dev17:15
*** chenxu has joined #openstack-dev17:18
*** kaushikc has joined #openstack-dev17:19
*** MaxV has quit IRC17:19
*** derekh has quit IRC17:22
*** reed has joined #openstack-dev17:22
*** kaushikc has quit IRC17:23
*** mlavalle has quit IRC17:23
*** basha has joined #openstack-dev17:24
*** dvarga_ has quit IRC17:25
*** ayoung-afk is now known as ayoung17:25
*** paragan has quit IRC17:25
*** athomas has quit IRC17:25
*** martyntaylor1 has quit IRC17:25
*** vuil has joined #openstack-dev17:26
ayoungwolfdreamer, submit a change to tempest first that removes the old test, with a link to the change that breaks it.  After you have the new change in, submit an additional test to tempest17:26
*** dvarga has joined #openstack-dev17:26
*** dina_belova has joined #openstack-dev17:26
wolfdreamerayoung, thanks for the info. Test to tempest didn't need to be removed first but will keep in mind for future17:29
*** hartsocks has joined #openstack-dev17:29
*** hartsocks has left #openstack-dev17:30
*** souvik has joined #openstack-dev17:31
*** jdennis1 has joined #openstack-dev17:31
*** athomas has joined #openstack-dev17:31
*** ruhe has quit IRC17:32
*** mkerrin has quit IRC17:32
*** lucasagomes has quit IRC17:32
*** dkehn has quit IRC17:36
*** dkehn has joined #openstack-dev17:36
*** rushiagr has quit IRC17:39
*** hemnafk is now known as hemna17:40
*** eglynn_ has quit IRC17:41
*** xqueralt is now known as xqueralt-afk17:41
*** dkehn has quit IRC17:41
*** ruhe has joined #openstack-dev17:44
*** nati_ueno_2 has quit IRC17:45
*** nati_ueno_2 has joined #openstack-dev17:45
bknudsonI'm not able to start up devstack with LDAP keystone ...17:46
bknudsonUNDEFINED_TYPE: {'info': 'enabled: attribute type undefined', 'desc': 'Undefined attribute type'}17:46
stevemarbknudson, i saw that last night, i think it's independent of ldap17:47
*** dkehn has joined #openstack-dev17:47
bknudsonstevemar: I'll try without.17:47
bknudsonI think I had seen this a few times yesterday but then it would mysteriously go away17:47
chmoueli have tried ldap/devstack keystone just this morning and had no troubles so far17:48
chmouelbknudson: ^17:48
*** alop has quit IRC17:49
*** alop has joined #openstack-dev17:49
*** nati_ueno_2 has quit IRC17:50
*** danpb has quit IRC17:50
*** mkollaro has quit IRC17:50
stevemardtroyer, i'm taking a look at https://review.openstack.org/#/c/4440117:50
*** RajeshMohan has quit IRC17:51
*** RajeshMohan has joined #openstack-dev17:51
*** rushiagr has joined #openstack-dev17:52
ayoungwolfdreamer, also watch out for the Forsaken.  One of them has been hiding out in Tempest.  I think it is Samael.17:52
*** gordc has quit IRC17:53
*** souvik has quit IRC17:54
*** mlavalle has joined #openstack-dev17:55
*** athomas has quit IRC17:56
*** yaguang has quit IRC17:58
*** maheshp has joined #openstack-dev17:58
*** sushils has quit IRC18:00
*** feleouet has quit IRC18:01
*** comay has quit IRC18:02
*** souvik has joined #openstack-dev18:03
*** vuil1 has joined #openstack-dev18:03
*** vuil has quit IRC18:05
*** ifarkas has quit IRC18:05
*** jbresnah_ has joined #openstack-dev18:06
*** mkollaro has joined #openstack-dev18:06
*** maheshp1 has joined #openstack-dev18:06
*** maheshp has quit IRC18:06
*** cococafe has quit IRC18:06
*** dina_belova has quit IRC18:07
*** cococafe has joined #openstack-dev18:07
*** gerritTestMan has joined #openstack-dev18:08
wolfdreamerayoung, just trying to avoid Ishamael18:08
*** gerritTestMan has left #openstack-dev18:08
*** chenxu has quit IRC18:08
*** jbresnah has quit IRC18:09
*** dosaboy has quit IRC18:09
*** dosaboy has joined #openstack-dev18:11
bknudsonmy ldap problem was my own mistake... had changed lib/keystone to not set user_attribute_ignore enabled to work on a diff fix.18:13
*** changbl has joined #openstack-dev18:13
morganfainbergdolphm, digging into https://bugs.launchpad.net/keystone/+bug/1218094, I'm finding a lot of gaps in multi-domain support.  I can probably get a bug fix in before RC1, but it's likely going to have a good deal of delta.18:15
uvirtbotLaunchpad bug 1218094 in keystone "Multi domain code not searching domains for LDAP read only users" [Medium,Triaged]18:15
*** sushils has joined #openstack-dev18:15
dolphmmorganfainberg: https://bugs.launchpad.net/keystone/+bug/121809418:15
*** egallen has quit IRC18:15
dolphmmorganfainberg: i was starting to suspect there was a significant gap :(18:16
morganfainbergyep.  a lot of calls won't handle domain_scope.  i think i'm about 50% there with  11 files changed, 58 insertions(+), 54 deletions(-)18:16
morganfainbergand that doesn't include touching a single test18:16
morganfainbergplus.  user_id's don't look very unique based upon how we do str2dn18:17
dolphmmorganfainberg: ouch18:17
*** networkstatic has joined #openstack-dev18:17
morganfainbergdolphm, we should likely be storing user_id as something like user_id@domain18:18
morganfainbergbut that seems like it will be a pretty massive change.18:18
*** mkollaro has quit IRC18:18
dolphmmorganfainberg: it is - and you either need to encode at least one half, or ensure that '@' can't appear in at least one half18:19
morganfainbergi'd use the same logic as the external user, use an rsplit('@', 1) if anything18:19
morganfainbergdolphm,  that has edge cases as well, now that i think about it18:20
*** adalbas has quit IRC18:20
dolphmmorganfainberg: edge cases like user@ex@mple.com ? or something else18:21
*** vishy is now known as vishious18:22
*** maheshp has joined #openstack-dev18:22
morganfainbergdolphm, i was thinking upgrade issues.  user@something (username), now we do an rsplit, "something" isn't a domain18:22
morganfainbergit should be user@somthing@domain18:22
*** jog0 is now known as flashgordon18:23
*** maheshp1 has quit IRC18:23
*** adalbas has joined #openstack-dev18:23
morganfainbergso we'd need to write a migration script for that.  that likely would be an ugly migration script.  or we have to do some weird compat code.18:24
*** cococafe has quit IRC18:24
dolphmmorganfainberg: also doesn't solve the upgrade issue of a user who is already authenticating with a pre-upgrade user_id and no domain18:24
*** zaitcev has joined #openstack-dev18:24
morganfainbergdolphm, there is one other issue. https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L352 is used to extract domain information,  in some cases this would limit keystone so there cannot be a "super admin" that could lookup/edit/etc things outside of the current token's domain scope.18:24
*** feleouet has joined #openstack-dev18:24
morganfainbergsuper admin/cloud admin/etc18:24
*** cococafe has joined #openstack-dev18:25
*** Mandell has joined #openstack-dev18:25
dolphmmorganfainberg: wow, that code is also incredibly broken18:26
morganfainbergdolphm, yep.18:26
morganfainbergdolphm, i am pretty sure i could put together a 75% ish fix.  but, there would be strange edge cases / lack of functionality18:27
*** rushiagr has quit IRC18:28
morganfainbergdolphm, so, not sure if we want to mothball this up some until icehouse or push for a fix.  it's kind of 11th hour for this type of rabbit hole.18:29
dolphmmorganfainberg: +++18:30
dolphmmorganfainberg: i'm now worried that not-split-identity use case could be very broken as well18:31
morganfainbergdolphm, my digging in shows (for the most part) it looks sane as long as you never have multiple identity drivers (no split domain drivers).18:32
dolphmmorganfainberg: comforting words ^^ :P18:32
morganfainbergdolphm, yeah i know.  :P18:32
*** christopherevans has joined #openstack-dev18:33
*** pmathews has quit IRC18:35
*** pmathews has joined #openstack-dev18:35
*** stevemar has quit IRC18:36
morganfainbergdolphm, i'm going to get some lunch, once i'm back (and i've stewed on this some more) we can figure out what we want to do18:38
morganfainbergdolphm, s/once i'm back/once back i'll hit you up/18:38
dolphmmorganfainberg: henrynash: https://etherpad.openstack.org/keystone-identity-driver-per-domain-icehouse 18:38
*** dvarga has quit IRC18:39
dolphmmorganfainberg: starting to map that out ^18:39
morganfainbergdolphm, cool.  looking now (have a few mins before lunch train takes off)18:39
*** souvik has quit IRC18:40
*** russellb is now known as rustlebee18:43
morganfainbergdolphm, ok i'll be back in a few.  hit you up then.18:44
*** garyk1 has joined #openstack-dev18:44
dolphmmorganfainberg: o/18:44
*** ruhe has quit IRC18:44
*** garyk has quit IRC18:45
*** colinmcnamara has quit IRC18:45
*** eglynn_ has joined #openstack-dev18:45
*** insanida1e is now known as insanidade18:47
*** pixelbeat has quit IRC18:47
*** novas0x2a|laptop has joined #openstack-dev18:48
*** christopherevans has quit IRC18:48
*** jruzicka has quit IRC18:50
*** cp16net has left #openstack-dev18:52
*** sdake_ has joined #openstack-dev18:53
*** bdpayne has quit IRC18:59
*** pmathews has quit IRC19:00
*** vkmc has quit IRC19:00
*** sushils has quit IRC19:02
*** sgordon has quit IRC19:03
*** bdpayne has joined #openstack-dev19:03
*** alop has quit IRC19:03
*** waa has quit IRC19:04
*** vipul is now known as vipul-away19:05
*** atiwari has joined #openstack-dev19:05
*** cococafe_ has joined #openstack-dev19:07
*** dstanek has quit IRC19:07
dolphmttx: will bugs / blueprints targeting 'next' automatically map to icehouse somehow?19:08
*** cococafe has quit IRC19:08
*** cococafe_ is now known as cococafe19:08
*** asavu has joined #openstack-dev19:08
atiwariAll, I am waiting for review on https://review.openstack.org/#/c/37141/10/openstack-identity-api/v3/src/markdown/identity-api-v3-os-roles-ext.md 19:11
atiwarialso, can someone validate https://bugs.launchpad.net/keystone/+bug/1221889?19:12
uvirtbotLaunchpad bug 1221889 in keystone "Wrong unit tests for v3 token head calls" [Undecided,New]19:12
*** tstevenson is now known as codenamekt19:13
*** stevemar has joined #openstack-dev19:13
*** sarob has joined #openstack-dev19:14
*** cococafe has quit IRC19:15
*** codenamekt is now known as tstevenson19:16
*** cburgess has quit IRC19:16
*** cococafe has joined #openstack-dev19:16
*** sarob has quit IRC19:17
*** sarob has joined #openstack-dev19:17
*** troytoman-away is now known as troytoman19:17
*** rmk has quit IRC19:18
*** CaptTofu has quit IRC19:18
*** Vivek has quit IRC19:19
*** hartsocks1 has joined #openstack-dev19:19
*** dstanek has joined #openstack-dev19:20
*** cburgess has joined #openstack-dev19:21
*** rmk has joined #openstack-dev19:23
*** hartsocks1 has quit IRC19:23
*** sgordon has joined #openstack-dev19:23
*** hartsocks has joined #openstack-dev19:23
*** hartsocks has left #openstack-dev19:23
*** cococafe has quit IRC19:25
*** cococafe has joined #openstack-dev19:26
*** Vivek has joined #openstack-dev19:26
*** reed has quit IRC19:27
*** Vivek is now known as Guest6395919:27
*** basha has quit IRC19:27
*** dvarga has joined #openstack-dev19:31
*** stevemar has quit IRC19:32
*** cococafe has quit IRC19:35
*** jdennis1 has quit IRC19:35
*** cococafe has joined #openstack-dev19:36
*** maheshp has quit IRC19:38
*** pmathews has joined #openstack-dev19:40
*** vartom7 has joined #openstack-dev19:41
*** reed has joined #openstack-dev19:41
*** cococafe has left #openstack-dev19:41
*** sushils has joined #openstack-dev19:42
*** kenperkins has quit IRC19:43
*** jhesketh has quit IRC19:43
crazedwhere's the best docs on the latest way to do metadata api? specifically i'm not running the l3_agent19:43
*** kenperkins has joined #openstack-dev19:43
*** yassine has joined #openstack-dev19:44
*** jhesketh has joined #openstack-dev19:45
morganfainbergdolphm, the etherpad looks good19:47
atiwarimorganfainberg,  I filed the bug https://bugs.launchpad.net/keystone/+bug/1221889, please take a look19:49
uvirtbotLaunchpad bug 1221889 in keystone "Wrong unit tests for v3 token head calls" [Medium,New]19:49
morganfainbergatiwari, i saw that.  Commented on it.19:50
atiwarijust saw19:51
*** mmoya has quit IRC19:52
*** danwent has quit IRC19:53
*** mmoya has joined #openstack-dev19:59
*** bdpayne has quit IRC19:59
*** romcheg has joined #openstack-dev20:00
dolphmmorganfainberg: /salute20:00
morganfainbergdolphm, i'll snag the tenant_id vs tenantId bug for rc1 so we can get that out the door.  I'll also work on the new BP for icehouse and the multi-domain stuff this weekend (so we have a starting place) unless you already grabbed that20:01
*** danwent has joined #openstack-dev20:02
dolphmmorganfainberg: i have not20:02
*** alunduil has quit IRC20:02
morganfainbergdolphm, sounds good.20:03
*** otherwiseguy has quit IRC20:03
*** vartom7 has quit IRC20:04
*** feleouet has quit IRC20:04
*** feleouet has joined #openstack-dev20:05
*** pmathews has quit IRC20:07
*** chenxu has joined #openstack-dev20:07
*** markwash has quit IRC20:08
*** markwash has joined #openstack-dev20:09
*** dstanek has quit IRC20:09
dolphmmorganfainberg: i amended the docs to identify the feature as experimental in havana... does the scope of work you're looking at to complete the overall feature fit under one of the currently filed bugs? or should we create a new one?20:10
dolphmmorganfainberg: i'm just trying to figure out what bug to cite in the commit message for docs as a Related-Bug20:11
*** sarob_ has joined #openstack-dev20:11
dolphmmorganfainberg: bug or bugs... probably plural20:11
morganfainbergdolphm, i think it covers the read-only bug and then some20:13
morganfainbergso i'll need to probably file a couple more bugs along the way.20:13
morganfainbergbut for now i think the 2 bugs you identified are the crux of why it can't be used in havana20:13
*** bdpayne has joined #openstack-dev20:13
*** sarob has quit IRC20:15
dolphmmorganfainberg: fair enough20:15
dolphmmorganfainberg: https://review.openstack.org/#/c/45486/ 20:15
morganfainbergdolphm, looking now.20:16
*** radez is now known as radez_g0n320:16
dolphmmorganfainberg: just realized the WARN should maybe be WARNING20:16
morganfainbergdolphm, yeah WARNING, also you're missing a capitalization on Keystone in line 108.20:17
morganfainbergotherwise, looks good to me20:17
dolphmmorganfainberg: fixed20:18
morganfainbergdolphm, Looks good, +2.20:19
morganfainbergany issue with me pressing "go" on the LLC -> Foundation patch?20:19
*** mars has quit IRC20:19
*** dvarga has quit IRC20:21
dolphmmorganfainberg: not that i'm aware of20:23
*** pmathews has joined #openstack-dev20:24
*** stevemar has joined #openstack-dev20:24
*** pabelanger has quit IRC20:25
*** yassine has quit IRC20:25
bknudsonis multi-domain experimental or it doesn't work?20:26
*** eharney has quit IRC20:29
*** ftcjeff has joined #openstack-dev20:30
*** ftcjeff has quit IRC20:30
*** hartsocks has joined #openstack-dev20:31
*** hartsocks has left #openstack-dev20:31
*** danwent has quit IRC20:34
dolphmbknudson: it makes several assumptions and appears to be incompletely implemented; a proper fix appears to be out of scope for havana20:35
morganfainbergbknudson, it would be a significant amount of delta to get it into havana20:36
morganfainbergbknudson, and there would be some odd edgecases where things would behave in non-intuitive ways20:36
bknudsonI assume it would be a significant delta to revert it?20:36
morganfainbergbknudson, i think that would be worse because of when it went in.  a lot of things were built with its changes already there20:37
bknudsoncould a small change disable it (reading the configs?)20:38
dolphmbknudson: prevent people from using it?20:38
*** dprince has quit IRC20:38
bknudsondolphm: right, not make it experimental make it so that it's not usable at all20:38
morganfainbergdolphm, bknudson, i think it's only tested (config option) in a couple places, could just move from if conf.<whatever> to if false20:38
bknudsonexperimental to me indicates that I can try it out.20:39
morganfainbergbknudson, it will sort of work… kind of… and produce very odd behavior.20:39
bknudsonbut if there's a bunch of stuff we know doesn't work?20:39
david-lylebknudson: which part of multi-domain?  the ability to create multiple domains?20:39
morganfainbergbknudson, a lot of things will just flat fail because user lookups don't provide domain_scope20:40
morganfainbergnot even including the same issues for grants, etc20:40
bknudsonare we going to get security issues?20:40
dolphmbknudson: we "generated" some useful bug reports by having it "usable" ... but you're right, we probably won't get much more useful feedback from havana20:40
*** dvarga has joined #openstack-dev20:40
morganfainbergdolphm, bknudson has a point.  this opens the door for some nasty problems.  disabling whole-sale might be a better course20:41
bknudsondavid-lyle: it appears that you can create multiple domains (there are unit tests for this), but then you couldn't find the correct users when looking up by id.20:42
bknudsonI could be wrong in the assessment.20:42
dolphmbknudson: that sounds correct20:42
morganfainbergthat's the base of it20:42
bknudsonkeystone looks up stuff by id all the time... roles, groups, etc.20:42
*** mmoya has quit IRC20:43
morganfainbergbasically, anything controlled by the identity driver wasn't guaranteed to be able to be looked up by ID in all cases20:43
*** sgordon has quit IRC20:43
dolphmdavid-lyle: we have the ability to create multiple domains, and to specify discrete backend configuration per domain, but we're not entirely handling the consequences of that properly20:43
morganfainbergwith multiple domain backends.20:43
david-lyleso it's just the multiple backends in question?20:43
dolphmdavid-lyle: yes20:44
morganfainbergdavid-lyle, yes.20:44
dolphmdavid-lyle: multiple domains in SQL is fine, AFAIK20:44
david-lyleok, just wanted to check, Horizon added multi-domain support in Havana for at least SQL backends20:44
*** mmoya has joined #openstack-dev20:44
bknudsonoh, this isn't exactly multiple domains...20:44
bknudsonit's "split domains"20:45
morganfainbergbknudson - yes.20:45
dolphmwe have a lot of "split-X" blueprints lol20:45
morganfainberghehe20:45
bknudsonyou have a domain in LDAP1 and a domain in LDAP2 and a domain in SQL120:45
david-lyleok, just got worried when I read disable multi-domain :)20:45
dolphmand then most of your users suddenly can't be found :)20:45
morganfainbergbknudson, yep that is the problem scenario, the per-domain-backend20:46
david-lylethanks for the clarification20:47
*** danwent has joined #openstack-dev20:48
*** tmclaugh[work] has quit IRC20:49
dolphmmorganfainberg: if people didn't try and run "production" installs with debug enabled, i'd suggest just checking that debug = True to 'disable' it20:49
*** dvarga has quit IRC20:49
morganfainbergdolphm, fair point.20:50
bknudsonyou do have to work pretty hard to use it, it's not like someone's going to accidentally use it.20:50
dolphmmorganfainberg: bknudson: how about adding an --i-am-an-idiot that defaults to False20:52
*** asavu has quit IRC20:52
*** comay has joined #openstack-dev20:52
bknudsondolphm: I'm not sure about the default...20:53
*** feleouet has quit IRC20:53
dolphmbknudson: oh, but we should always provide it20:53
*** garyk1 has quit IRC20:54
*** spzala has quit IRC20:54
*** kenperkins has quit IRC20:55
*** devoid has joined #openstack-dev20:58
*** otherwiseguy has joined #openstack-dev20:59
*** slagle has quit IRC20:59
*** pabelanger has joined #openstack-dev21:00
*** otherwiseguy has quit IRC21:00
*** otherwiseguy has joined #openstack-dev21:00
*** marios has quit IRC21:01
*** Guest40704 is now known as zz_Guest4070421:04
*** boris-42 has quit IRC21:05
*** dstanek has joined #openstack-dev21:06
*** rnirmal has quit IRC21:06
*** mars has joined #openstack-dev21:07
*** mars has joined #openstack-dev21:07
*** ruhe has joined #openstack-dev21:07
*** donaldh has quit IRC21:07
*** donaldh has joined #openstack-dev21:08
*** donaldh has quit IRC21:09
morganfainbergbknudson / dolphm, make it also log "no seriously this feature is still being baked, you probably don't want to use it"21:12
stevemarhehe21:13
morganfainbergstevemar. you going to take: https://bugs.launchpad.net/keystone/+bug/1219739 or should I start working on it?21:13
uvirtbotLaunchpad bug 1219739 in keystone "LDAP use 'tenant_id' instead of 'tenantId' in user_ref" [Medium,New]21:13
stevemardolphm (and others if interested), i'm still getting that error i showed you earlier, where create user expects 3 args instead of 221:13
stevemarmorganfainberg: go ahead sir21:14
morganfainbergstevemar, cool.21:14
*** vipul-away is now known as vipul21:14
stevemarmorganfainberg: I "worked" on the duplicate name on, it's no longer on the list :P21:14
*** sarob_ has quit IRC21:14
bknudsonmaybe we need to push back on large patches ... https://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/ 21:14
stevemarmorganfainberg: that's not to say I wrote a patch21:14
bknudson"Review fewer than 200–400 lines of code at a time"21:14
*** sarob has joined #openstack-dev21:15
morganfainbergbknudson, that is the exact reason why i split the caching into each subsystem i was enabling caching for21:15
morganfainbergbknudson, it would be good to also split things into "basic support" and "enable support of new feature for <blah>" type patches21:16
morganfainbergbknudson, at least that way we could have a series of small changes to look at even if it amounts to a big change needed for a feature.  and we are more likely to catch issues like this.21:17
morganfainbergbefore they are a problem21:17
bknudsonmorganfainberg: I think everyone appreciated splitting up by subsystem... could concentrate on each one.21:17
morganfainbergbknudson, i think it is a good practice to encourage across the board (unless it _really_ isn't possible)21:17
*** prad has left #openstack-dev21:19
bknudsonI remember on that one I spent a lot of energy looking at the config changes21:19
bknudsonby "that one" I mean the split domains21:19
morganfainbergyeah, i spent like 4 hours last night chasing down all the edge cases21:20
morganfainbergand a lot of that was wrapping my head around the config system to make sure that wasn't going to bite me along the way21:20
*** stevemar has quit IRC21:21
*** mars has quit IRC21:21
*** colinmcnamara has joined #openstack-dev21:22
morganfainbergbknudson, i bet it was time consuming on initial review, there is some nuance to the approach - and a lot of things are touched by it21:22
ayoungannegentle, for many of the doc bugs, I can go through and provide the info inside the bug report.  Is that sufficient, or is it need to be the patch and submit process?21:23
bknudsonmorganfainberg: 24 changed files     with 1,050 additions     and 412 deletions   https://github.com/openstack/keystone/commit/1ed2046eaa91fa36926d66a5fe1e88ccd65373bb 21:24
*** yjiang5 is now known as bmqq12321:24
morganfainbergbknudson, that is a sizable delta.21:25
*** ruhe has quit IRC21:25
bknudsonmorganfainberg: although not sizable enough21:25
*** donaldh has joined #openstack-dev21:26
morganfainbergbknudson, true21:26
*** alunduil has joined #openstack-dev21:26
ayoungdolphm, for a bug like this: https://bugs.launchpad.net/openstack-manuals/+bug/1090655  where do we document it?  Is it in the keystone project, or in the openstack-manual project?21:28
uvirtbotLaunchpad bug 1090655 in openstack-manuals "grizzly: keystone user groups" [Medium,Confirmed]21:28
*** esheffield has quit IRC21:29
*** kbringard has quit IRC21:29
*** tong|2 has quit IRC21:29
*** romcheg has quit IRC21:29
*** chenxu has quit IRC21:29
*** NobodyCam_ has joined #openstack-dev21:30
*** odyssey4me has quit IRC21:30
*** NobodyCam_ has quit IRC21:30
*** dolphm has quit IRC21:31
dstanekis the format for a templated catalog in Keystone documented anywhere?21:32
ayoungbknudson, morganfainberg still, domain specific ID backends might be the single most requested feature for Keystone21:33
dstanekah cool, i found an example in devstack21:33
ayoungexpect people to use it, and to break it21:34
morganfainbergayoung, and i really want it in (personally, i am stoked about being able to do this split).  I am just concerned about havana timelines and how broken it is.21:34
*** bmqq123 has quit IRC21:35
ayoungmorganfainberg, let's crank up the priority on bugs on that, then21:35
bknudsoncan we backport the fixes if they get through more testing in IceHouse?21:35
ayoungbknudson, we can still do bug fixes up until release, with major things backportable from Icehouse to Havana stable21:36
*** yjiang5 has joined #openstack-dev21:37
*** adalbas has quit IRC21:37
ayoungmorganfainberg, are there bug reports specific to multi-domain?21:37
morganfainbergayoung, per-domain backends, there are 221:38
*** galstrom is now known as galstrom_zzz21:38
henrynashwe're talking about the issues of user_id access with multi-domain, I assume?21:38
morganfainberghenrynash, yes.21:38
ayounglink?21:38
morganfainberghenrynash and all other identity-controlled items (groups, etc all have the same issue)21:38
morganfainbergayoung, sec.21:38
morganfainberghttps://bugs.launchpad.net/keystone/+bug/1218094 and https://bugs.launchpad.net/keystone/+bug/1217017 21:39
uvirtbotLaunchpad bug 1218094 in keystone "Multi domain code not searching domains for LDAP read only users" [Medium,Triaged]21:39
*** jimfehlig has quit IRC21:39
*** sarob has quit IRC21:39
henrynashmorganfainberg: I think they'll all work Ok as log as you have a domain scoped token (or at least they should), with the exception of the bug in auth that we need to pass domain into get_user when setting project scope21:39
henrynash(as long as)21:40
morganfainberghenrynash, there are a lot of cases that never see domain scope passed when they do get_user21:41
morganfainberge.g. grants21:41
morganfainbergso it'll get a usernotfound error21:41
*** yjiang5 is now known as bmqq12321:41
morganfainberghenrynash and a scoped domain token will not allow a user (e.g. cloud admin) to access / update data from a domain they are not part of (in some cases)21:42
henrynashmorganfainberg: ahh, so management of "pure" identity assets are OK, but mixed assignment/idenity calls are an issue21:43
morganfainberghenrynash, there is a chunk of work to do to get this shored up. I have a partial delta together, but it's going to be a lot.  I wasn't sure if we wanted to try and wedge this in under RC.21:43
morganfainberghenrynash, yep.21:43
ayoungmorganfainberg, did you split the caching info off into a separate bug?  If not, that should be tracked separately21:44
morganfainberghenrynash and some cases it's very hard to derive domain since domain is derived from the ref returned by get_user (not common, but i think i've found 2 or three)21:44
henrynashmorganfainberg: I understand your concern - but actually I think we do "get_user" all over the place when we really shouldn't…..it would be great to get that cleaned up…I really don't think we ever want an assignment backend calling the identity backend…should all be done higher up (when scope can be checked)21:44
bknudsonmorganfainberg: henrynash: how do you get it to work other than query every backend for the id?21:44
morganfainbergayoung, ah, i should open that bug.21:44
morganfainbergayoung will do today.21:44
bknudsonoh, move the lookup to someplace earlier.21:45
henrynashbknudson: so every query shouldn't be doing that, clearly….and if we can't see our way out of that hole, then I agree we have a problem21:45
morganfainbergbknudson, and if you don't already know the domain, how do you know which result to use (e.g. 2 users with the username "joe")21:45
*** dkranz has quit IRC21:45
morganfainbergin different domains.21:46
bknudsonmorganfainberg: I assume we're doing lookup by ID and not name.21:46
henrynashmorganfainberg: two usernames with joe is fine...21:46
henrynashmorganfainberg: two users with the same users_id is not21:46
*** novas0x2a|laptop has quit IRC21:46
morganfainbergbknudson, in ldap, id is a str2dn[0][0][1], so cn=User,dc=example,dc=com becomes 'User'21:46
ayoungmorganfainberg, please make sure I am added as  a reviewer on all LDAP related bugs.21:46
*** novas0x2a|laptop has joined #openstack-dev21:46
morganfainbergayoung, will do.21:47
ayoungah. dolph submitted the fix on behalf of...sorry, morganfainberg misread that21:47
bknudsonI think we always had the assumption that user IDs were unique21:47
bknudsonthe assumption before domains was that user names were also unique21:47
morganfainbergayoung, no worries.  i know you're an ldap expert, anything i touch with LDAP i'll make sure you're part of.21:47
bknudsonso if they're violating unique user IDs then I think that's not our problem.21:48
morganfainbergbknudson, how do you enforce that with per-domain identity?21:48
ayoungmorganfainberg, Expert, in this case, means I've written more broken LDAP code than anyone else...21:48
ayoungwe should test a user ID and figure out what domain it is in21:48
ayoungUUID-> got to SQL21:48
morganfainbergayoung, hehe.21:49
bknudsonmorganfainberg: documentation21:49
ayoungDN-->  calculate the domain based on the subtree21:49
ayounghenrynash, is ^^ a workable solution?21:49
morganfainbergbknudson / ayoung, i think the right answer is to have the domain stored with the user.21:49
henrynashayoung: so caching on identity would really help…so after one call to find a user_id (that searched domains) subsequent calls would come out of cache21:49
*** neoXsys has quit IRC21:49
ayounghenrynash, except that caching on Users from LDAP breaks the ability to have revocation events come from LDAP21:50
ayoungIf I remove a user from a group in LDAP, there is no notification21:50
ayoungand group assignments typically come off the user object  in a memberof21:50
ayoungso we have to be careful21:51
morganfainbergthis is one of the reasons i punted on any Identity caching for havana21:51
morganfainbergwanted a bit more time to work out sensible caching / etc21:51
ayoungmorganfainberg, caching is always at odds with responsiveness by definition.  You were right in favoring correctness over performance to start21:51
henrynashI'm going to mull on this issue this weekend…21:51
*** jayg is now known as jayg|g0n321:52
ayounghenrynash, is that in conjunction with the original meaning of "Mull"?21:52
*** mancdaz has left #openstack-dev21:52
*** mancdaz has joined #openstack-dev21:52
*** jmontemayor has quit IRC21:53
morganfainberghenrynash, i have a partial delta already on shoring up things, and i think i could have a semi-working solution (with some edgecases and limitations) by RC1, but it would have very odd edgecases w/o some serious restructuring of how things work (at odds for being this late in the cycle)21:53
henrynashayoung: no wine involved...21:53
ayoungEn vino veritas21:53
henrynashmorganfainberg: so here's one thought…let's not check whether user_id or group_id is valid on grants….just assign it...21:53
ayoungmorganfainberg, what kind of edge cases21:53
ayounghenrynash, agreed21:53
ayounghenrynash, I thought I submitted a patch for just that?21:54
morganfainbergayoung, unless you are part of the domain, you can't get information about users, etc for the domain21:54
henrynashwe shouldn't bother doing get_user() etc. all over the place21:54
*** dstanek has quit IRC21:54
morganfainbergsince we rely on the scoped token to determine the domain in some cases21:54
morganfainbergso no super-admin/cloud admin being able to see into some data21:54
ayoung3be931165c6e218aaa5355a1f435ae58eb4484eb 21:54
morganfainbergayoung, i can dig up the specifics on that over the weekend if it makes a difference.21:55
*** jasondotstar has quit IRC21:55
ayounghttps://github.com/openstack/keystone/commit/3be931165c6e218aaa5355a1f435ae58eb4484eb 21:56
ayounghenrynash, ^^ is that not sufficient?  Where else are we doing that check?21:56
ayoungoh, I moved it into the controllers...21:57
*** mars has joined #openstack-dev21:57
morganfainbergayoung, yes.21:57
morganfainbergayoung, it just needs some modification to include domain scope.21:58
morganfainbergayoung, that's part of the change set i've been working on (those calls to identity included)21:58
ayoungmorganfainberg, I want to drop that.  It is going to make Federation really, really hard21:59
morganfainbergayoung, that makes sense.  and i'm not opposed to providing some fixes for RC1, i just see this as being a massive bug fix (all things considered) very late in the cycle22:00
morganfainbergto get things cleaned up.  it's not a bad approach, it's just incomplete.22:00
morganfainberg(I wish I had looked at this more closely before H3)22:01
ayoungassume you are an admin and you want to create entries for a user that is going to be authenticated from some remote domain, and verified via SAML.   You won't be able to query the system about that user...22:02
ayoungassignments will become impossible.  What do we give up if we stop checking user validity?22:02
ayoungmorganfainberg, so all of the V2 calls will assume default domain.  All of the v3 calls should be providing domain id with them.  We stop making the domain fields optional, we should be on the right track, no?22:02
*** jbresnah_ is now known as jbresnah22:02
morganfainbergayoung that is the essence of my patchset.22:02
ayoungmorganfainberg, H3 is not rc122:02
morganfainbergone exception.  v2 tokens need to know how to do lookups for domains in a sane way (easy enough)22:03
*** morazi has quit IRC22:03
*** insanidade has quit IRC22:03
ayoungfor all domains or just default?22:03
*** pcm_ has quit IRC22:03
morganfainbergif you ask about validity of a token by uuid/hashed id, it should respond correctly regardless of v2.0 or v3, no?22:04
morganfainbergwhich case it would fail on defaultdomain if the user was in a domain-specific backend22:04
morganfainbergbut that data is already there (scoped token that is)22:04
*** burt has quit IRC22:04
*** ericw has quit IRC22:05
morganfainbergayoung, i can have a workable patchset ready for some drive time next week if we want to do cleanup.  i've already chased a chunk of this down.22:06
morganfainbergayoung, but, in this case i'm deferring to dolph and you guys about the scope we're willing to take on post H3 (feature freeze)22:07
morganfainbergmy opinion is there is a bunch to do.22:07
ayoungmorganfainberg, will it change either API or configuration?22:07
morganfainbergayoung, api will change some.  domain becomes mandatory in a number of cases.22:07
morganfainbergs/number/some22:07
bknudsonGrant role to user on project: PUT /projects/{project_id}/users/{user_id}/roles/{role_id}22:07
bknudsondoesn't have a domain22:08
ayoungright22:08
bknudsonso should not check if the user exists or not?22:08
morganfainbergbknudson, iirc that assumes the scoped token is where the domain is derived from22:08
bknudson(wouldn't return 404 if user doesn't exist)22:08
ayoungbknudson, ouch22:08
morganfainbergbknudson, project id is unique, you can lookup domain from project_id22:08
ayoungyeah, project and domain stayed in the same backend for just that reason22:09
*** jtomasek has quit IRC22:09
*** kenperkins has joined #openstack-dev22:09
bknudsonI can't use the admin token to grant role to user on project ?22:09
morganfainbergbknudson, in that case you could. since project can be used to get domain22:10
morganfainbergbut deleting a user.  you couldn't do that22:10
bknudsonList user's roles on project: GET /projects/{project_id}/users/{user_id}/roles22:10
morganfainbergyou have to be part of the domain to delete a user, regardless of admin-token22:10
bknudsonhow can I get the domain from the project?22:10
morganfainbergbknudson, assignment_api.get_project()['domain_id']22:11
bknudsonIf it's LDAP, I'd be deleting the user from the LDAP directory directly, not going through keystone.22:11
morganfainbergbknudson, if it's read-only ldap.  but if you have a domain w/ a sql backend, and one with an ldap backend22:11
morganfainbergor 2 with sql backend22:11
ayounghenrynash, do we trust LDAP?22:11
morganfainbergor read-write ldap22:11
ayoungFor example, say I have two LDAP based domains registered22:11
ayoungand I know that they will be searched A and then B22:12
ayoungif a user is in domain B, and I hack LDAP A to have a subtree that looks like it, will I be able to steal users from domain B?22:12
ayoungI think...we want to do a pattern match on the User IDs from LDAP.  they should contain the subtree22:13
bknudsonmorganfainberg: ok, I see that the project is owned by a domain... so we could say that you essentially can't go willy-nilly granting roles across domains.22:13
morganfainbergbknudson, yes.22:13
ayoungbknudson, A user in one domain can be granted access to a project in a different domain, though.22:14
bknudsonayoung: I was wondering if we could drop that (A user in one domain can be granted access to a project in a different domain)22:14
ayounghmmm, also, I am making the assumption that a userID will be their DN...22:14
ayoungbknudson, I don't think we want to drop that. It is too powerful an abstraction22:15
bknudsonor maybe only drop it if using split domains.22:15
ayoungI'm more concerned with...22:15
*** dolphm has joined #openstack-dev22:15
morganfainbergbknudson, except a22:15
morganfainberg"cloud admin" might want to be able to do grants22:15
morganfainbergon behalf of a customer?22:15
ayounglet's say an LDAP deployment uses the posix numeric ID as the user's ID.  We are definitely going to have overlap22:15
bknudsoncloud admin can get a token scoped to domain22:16
morganfainbergbknudson, without an account specifically in that split-id backend?22:16
ayoungwe should not allow that....userId needs to be globally uniqeu22:16
ayoungunique22:16
morganfainbergayoung, agreed22:16
bknudsonayoung: that's what I was going to say ... user ID unique.22:16
morganfainbergayoung, i think it needs to be enforced unique22:16
bknudsonbut we can only enforce it by documentation22:16
morganfainbergbknudson, we could make domain required across the board (v2 only uses DEFAULT_DOMAIN)22:17
bknudsonwe can't stop someone updating their LDAP with a non-unique name22:17
bknudsonthis goes back to trusting LDAP22:17
morganfainbergbknudson, there is a difference between single ldap server with someone doing something dumb and multiple ldap servers22:17
ayoungugh, we should get the defaults out of the User Object in ldap.py22:18
morganfainbergif we force lookups to always include domain, we don't need to worry.22:18
*** dstanek has joined #openstack-dev22:18
*** eglynn_ has quit IRC22:18
bknudsonmorganfainberg: ... because then user IDs don't have to be unique22:18
morganfainbergbknudson, actually i'd encourace encoding the domain in the "user_id"22:19
morganfainbergencourage*22:19
*** otherwiseguy has quit IRC22:19
morganfainbergsomehow. or make it a composite of some sort we can rely on.22:19
bknudsonIf you were using LDAP and had unique email addresses, then could derive domain from email22:19
morganfainbergthen the "user_id" isn't the complete user_id as far as keystone is concerned.22:20
morganfainbergsimilar to how external auth could be user@domain22:20
ayoungugh, and we default ID to cn...what was I thinking?22:20
morganfainbergayoung, >.<22:20
morganfainbergayoung, you were thinking 1 identity back end?22:21
morganfainbergalso, isn't that configurable?22:21
*** tstevenson has quit IRC22:21
ayoungmorganfainberg, yeah, but so many people have been following the documentation....22:21
morganfainbergayoung, fair point22:21
ayoungugh....22:21
* ayoung goes to bang head against wall22:21
morganfainbergand if we change that… upgrades are going to be ugly22:22
morganfainberg(change the default)22:22
henrynashsorry, hopping in and out of this conversation...22:22
ayoungOK, we know that no one is yet using multiple domains in a live deployment, so the damage is fairly limited22:22
bknudsonanybody with an existing LDAP would have to pick an attr that's unique .22:22
*** thedodd has quit IRC22:22
bknudsonmaybe it's cn or maybe it's posixAccountNumber22:23
ayoungmorganfainberg, yeah22:23
bknudsonprobably should pick one that's single-valued.22:23
morganfainbergbknudson, or samaccount or...22:23
ayoungstill we can fix the documentation on that22:23
ayoungdn22:23
ayoungnothing else really makes sense22:23
henrynashsurely for all the grants, list projects for user etc…..none of that needs to know the domain….since this is all manipulation of id mappings in assignment22:23
bknudsondn would be unique, but might be longer than the db allows22:24
morganfainbergbknudson, dn->hash?22:24
morganfainbergsha1 should be _safe_22:24
bknudsonmorganfainberg: that would be ok22:24
bknudsonoh, right, a nefarious user could pick their name to match another hash.22:25
morganfainbergbknudson, unless we hash it across the board, and store the hash'd for reversibility…or use a reversible hashing22:26
morganfainbergerm non-hashed22:26
*** anniec has joined #openstack-dev22:26
*** sushils has quit IRC22:26
morganfainberghenrynash, i think that that argument can be made.  we'd need to ensure we're not assuming validity in a way that would break otherwise22:27
dolphm(if we're going to hash, i'd suggest something strong than sha1)22:27
morganfainberghenrynash, but as long as we decouple that cleanly, yes.22:27
dolphmstronger*22:27
morganfainbergdolphm, sha256?22:27
*** lbragstad has quit IRC22:27
dolphmmorganfainberg: that's as high as we can go for convenience, probably22:27
*** lbragstad has joined #openstack-dev22:28
bknudsoncould be keyed off some secret known about each domain.22:29
morganfainbergdolphm / bknudson, do we need anything to reverse the hashing?22:29
morganfainbergor would it always be a forward lookup?22:30
morganfainberghenrynash, actually list_projects for user (if you need to lookup the user from id) would need domain i think?22:31
morganfainbergunless the id was the full dn (or hash thereof)22:32
henrynashmorganfainberg: why would you need to look up the user?22:32
bknudsonhow about this API: List effective role assignments: GET /role_assignments22:32
dolphmmorganfainberg: you want to be able to rip apart a user ID to figure out the domain driver to call?22:32
bknudsonI guess that only deals with IDs.22:33
morganfainbergdolphm, i don't know if we need that.22:33
morganfainbergdolphm, just something to consider if we do hashing.22:33
henrynashbknudson: purely should reflect the id mappings in assignment…no need to look up users22:33
*** mlavalle has left #openstack-dev22:33
*** sarob has joined #openstack-dev22:33
morganfainbergdolphm is there ever a case we will have the hash and need to be able to get the user_ref.22:34
dolphmmorganfainberg: wait, is that not the point?22:34
henrynashmorganfainberg: list_project_for_user does use get_user() today, but I'm looking at that for another bug…since it thinks it needs to get the default project for the user…but I think that is superfluous22:34
bknudsonhenrynash: what about ops like HEAD /projects/{project_id}/users/{user_id}/roles/{role_id}22:35
dolphmmorganfainberg: when you say hash, you mean "user_id = hash(dn)", right? so GET /users/{hashed_dn} has to return a user_ref22:35
morganfainbergbknudson, again, project_id can derive domain if needed.22:35
bknudsononly touches the assignment backend so doesn't need to look up at all?22:35
henrynashbknudson: nope, just a mapping look up22:35
morganfainbergdolphm, yes.22:35
bknudsonjust wouldn't return a 404 if user didn't exist.22:35
bknudsonalthough maybe it doesn't do that anyways22:36
henrynashbknudson: yes the mapping is found or not22:36
morganfainbergdolphm, that is my thought, i might be wrong though.22:36
dolphmhow long can dn's really be?22:36
bknudsondo we want PUT /projects/{project_id}/users/{user_id}/roles/{role_id} to be successful if user doesn't exist or user isn't in project domain?22:36
morganfainbergdolphm, in AD as of 2012 looks like 255 characters22:37
morganfainbergbknudson, i would say it should fail.22:38
henrynashbknudson: I guess it is debatable….but I would argue that we just allow the assignment and don't check the validity of UUIDs….as was pointed out earlier, future federation will be close to impossible otherwise22:38
dolphmbknudson: current behavior is that it would fail with a 40422:38
morganfainbergif it didn't it would be a vector for a security problem.  create the grant, oops didn't exist, later a user is created that matches22:38
henrynashdolphm: I think that's true22:38
morganfainbergnow that user has an unintended grant22:38
bknudsonnow it will fail if the user doesn't exist22:39
henrynashmorganfainberg: a user is created with a random ID that just happens to match?22:39
bknudsonbut it will succeed if the user exists but is in a domain other than the project22:39
bknudsonright?22:39
*** ericw has joined #openstack-dev22:39
henrynashmorganfainberg: isn't that just as likely as two users getting the same UUID on creation?22:40
dolphmhashing was suggested because "dn would be unique, but might be longer than the db allows" ... if dn's can only be 255 chars, hashing isn't really a gain22:40
dolphm255 is fine22:40
dolphmso, how about just user_id = urlencode(dn)22:41
dolphmpersist in sql as plain text, urlencode on the wire22:41
dolphmwe could start url encoding / decoding everything without consequence (every *other* ID is url safe by design..)22:42
bknudsonit's the ID col that would be a problem... https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L64422:43
bknudsonit's 6422:43
dolphmbknudson: make it 255?22:43
bknudsonworks for me22:43
*** atiwari has quit IRC22:43
morganfainbergthat seems sane22:45
bknudsonbut also doesn't seem like something to put in H22:45
morganfainbergdolphm, with url-encode we should probably add some buffer in there.22:46
*** nati_ueno_2 has joined #openstack-dev22:46
dolphmmorganfainberg: store the plaintext dn in sql, no?22:46
morganfainbergdolphm, yes.22:47
morganfainbergdolphm, oh oh22:47
morganfainbergderp.22:47
dolphmmorganfainberg: encode/decode in the controllers22:47
bknudsonseems like we could configure some # of pieces of the DN rather than the whole thing.22:47
morganfainbergyes22:47
bknudsonif necessary22:47
morganfainbergdolphm, was thinking of storing encoded in the DB… :P22:48
morganfainbergwhich doesn't make sense22:48
morganfainbergplaintext is the right way for sure.22:48
dolphmmorganfainberg: if you do that then you should zlib it too :P22:48
morganfainbergdolphm, can we layer lzma and rot13 on it while we're at it?22:48
* dolphm win22:49
*** dolphm has quit IRC22:49
*** FunnyLookinHat has quit IRC22:49
*** wolfdreamer has quit IRC22:49
*** jvrbanac has quit IRC22:50
*** stevebaker_ has joined #openstack-dev22:51
*** ericw has quit IRC22:51
*** sarob has quit IRC22:52
*** jdennis1 has joined #openstack-dev22:52
*** bknudson has quit IRC22:52
*** donaldh has quit IRC22:54
*** zz_Guest40704 is now known as leif22:54
*** leif is now known as Guest8038022:54
*** nati_ueno_2 has quit IRC22:55
*** nati_ueno_2 has joined #openstack-dev22:55
*** vkmc has joined #openstack-dev22:56
*** vkmc has quit IRC22:56
*** vkmc has joined #openstack-dev22:56
*** kbrierly has quit IRC22:57
morganfainberghenrynash, fair enough, but if we have deterministic uids (partial DNs) it could be a problem22:58
henrynashmorganfainberg: that's a fair point22:58
*** nati_uen_ has joined #openstack-dev22:58
*** Mandell has quit IRC23:00
*** nati_ueno_2 has quit IRC23:00
*** dstanek has quit IRC23:01
*** Mandell has joined #openstack-dev23:01
*** devoid has quit IRC23:02
*** Ryan_Lane has quit IRC23:07
*** anniec has quit IRC23:07
*** Ryan_Lane has joined #openstack-dev23:07
*** dstanek has joined #openstack-dev23:08
*** clayb has quit IRC23:09
*** bnemec_away is now known as bnemec23:09
*** vipul is now known as vipul-away23:09
*** nati_uen_ has quit IRC23:09
*** nati_ueno_2 has joined #openstack-dev23:10
*** galstrom_zzz is now known as galstrom23:11
*** nati_uen_ has joined #openstack-dev23:11
*** galstrom is now known as galstrom_zzz23:12
*** nati_ueno_2 has quit IRC23:14
*** nati_uen_ has quit IRC23:16
*** nati_ueno_2 has joined #openstack-dev23:17
*** stevebaker_ has quit IRC23:17
*** xmltok has quit IRC23:18
*** stevebaker_ has joined #openstack-dev23:18
*** vipul-away is now known as vipul23:20
*** xmltok has joined #openstack-dev23:21
*** nati_ueno_2 has quit IRC23:21
*** xmltok has quit IRC23:23
*** terryh has quit IRC23:24
*** aeperezt has quit IRC23:25
*** malini1 has joined #openstack-dev23:27
*** sarob has joined #openstack-dev23:29
*** markwash has quit IRC23:29
*** stevebaker_ has quit IRC23:29
*** kenperkins has quit IRC23:30
morganfainberghenrynash, There is a lot to digest in this conversation today.  I think I'll see if I can come up with some cleanup / completion of the feature this weekend.23:32
*** armax has quit IRC23:32
*** stevebaker_ has joined #openstack-dev23:32
morganfainberghenrynash, it won't hurt us to be closer, but I'd still recommend keeping it marked as "experimental" since I think the final fixes will be Icehouse.23:33
henrynashmorganfainberg: I agree23:33
*** MaxV has joined #openstack-dev23:34
*** colinmcnamara has quit IRC23:35
*** bswartz has joined #openstack-dev23:38
*** henrynash has quit IRC23:40
*** chenxu has joined #openstack-dev23:41
*** pmathews has quit IRC23:41
*** colinmcnamara has joined #openstack-dev23:42
*** vishious is now known as vishy23:42
*** otherwiseguy has joined #openstack-dev23:44
*** hemna is now known as hemnafk23:44
*** CaptTofu has joined #openstack-dev23:45
*** malini1 has quit IRC23:47
*** otherwiseguy has quit IRC23:50
*** stevebaker_ has quit IRC23:50
*** MaxV has quit IRC23:51
*** stevebaker_ has joined #openstack-dev23:53
ayoungdon't hash...just put a rule that the user id has to be globally unique and document that it should be the DN23:55
*** lcheng has quit IRC23:55
*** diogogmt has quit IRC23:55
*** noslzzp has quit IRC23:55
*** jdennis1 has quit IRC23:56
*** comay has quit IRC23:57
*** danwent has quit IRC23:59
