Thursday, 2013-09-26

[00:00] <jamielennox> stevemar: ping
[00:00] <stevemar> jamielennox pong
[00:01] <jamielennox> i'm having a look through your oauth review
[00:01] *** pixelb has joined #openstack-dev
[00:01] *** FatDarrel has quit IRC
[00:01] <jamielennox> actually give me a sec, i'll post the reviews i have
[00:02] <jamielennox> stevemar: ok, reviewed
[00:02] *** salv-orlando has quit IRC
[00:03] <jamielennox> so looking at token manager - if access_token and request_token are fairly different things does it make sense to split them into different managers?
[00:04] <stevemar> jamielennox thanks for the review - dolphm mentioned the same thing, but wasn't insistent on it
[00:04] <stevemar> jamielennox, i think that might be over-doing it
[00:05] <jamielennox> i think with everything _access_token it's different to the standard way we use managers
[00:05] <jamielennox> so we typically have just list() or get()
[00:05] <jamielennox> i think what i would do is split TokenManager into two parts AccessTokenManager and RequestTokenManager
[00:06] <jamielennox> then you have client.oauth1.access_token and client.oauth1.request_token
[00:06] <jamielennox> then when you want to do a list it's client.oauth1.access_token.list()
[00:06] <jamielennox> still explicit and obvious and fits in much better with the other client managers
[00:06] *** sarob has joined #openstack-dev
[00:07] <jamielennox> and you can have client.oauth1.access_token.authenticate and client.oauth1.request_token.authenticate without clashing
[00:07] <jamielennox> (btw, even if it's not _strictly_ correct i would pick either authenticate or authorize and use it for both managers)
[00:09] <jamielennox> (authenticate would be my preference i think)
[00:09] <jamielennox> (but whatever)
[00:24] <jfcastro> anybody has deployed glance-scrubber in Ubuntu and Grizzly?
[00:28] *** bdpayne has quit IRC
[00:31] <stevemar> jamielennox, ping
[00:31] <jamielennox> stevemar: i'm here
[00:31] <stevemar> jamielennox, your comment here: https://review.openstack.org/#/c/30043/39/keystoneclient/v3/contrib/oauth1/core.py
[00:31] <jamielennox> yep
[00:31] <stevemar> what should I be inheriting from then?
[00:31] <jamielennox> object
[00:31] <stevemar> or just object
[00:32] <stevemar> rgr
[00:32] *** morazi has quit IRC
[00:32] *** nermina has left #openstack-dev
[00:34] <gyee> stevemar!
[00:34] <stevemar> gyee: ahoy
[00:35] <gyee> is HEAT using OAUTH yet?
[00:35] <jamielennox> it might be worth thinking about putting in some raise exceptions.HTTPNotImplemented("Update not supported for trusts") style statements for things that don't make sense as well
[00:35] <stevemar> gyee: don't think so :(
[00:35] <gyee> stevemar, you know any OpenStack service integrated with OAUTH yet?
[00:35] <stevemar> gyee: nope
[00:35] <stevemar> gyee: some folks have poked around it
[00:36] <gyee> stevemar, we are looking at it too
[00:36] <stevemar> gyee: is this mark miller and such?
[00:36] <gyee> I want to gather some fire power so I can walk into the meeting with my guns blazing :)
[00:37] <gyee> like there are 15 services lining up to integrate with it!
[00:37] <gyee> something like that :)
[00:38] <stevemar> gyee: lol, by services you mean OS or HP ones?
[00:38] <gyee> OS
[00:38] <stevemar> gyee: cool, can you be more specific, mainly heat ones?
[00:38] <gyee> I just want to be able to argue on use cases
[00:39] <gyee> stevemar, my understanding is that heat needs to perform operations in the user context
[00:39] <gyee> that's why they need delegation
[00:39] <gyee> I wonder what other use cases out there
[00:40] <gyee> maybe nova launching a vm in the user context?
[00:40] <stevemar> gyee: yup, that was one we had in mind
[00:40] <gyee> or backup an image to glance?
[00:41] <stevemar> gyee: any service that you want delegated really, our internal use case was more for users who weren't known to OS
[00:41] *** adjohn has joined #openstack-dev
[00:42] *** dtyarnell has joined #openstack-dev
[00:42] <gyee> stevemar, ah federation and oauth
[00:43] *** wenjianhn has joined #openstack-dev
[00:43] <stevemar> gyee: actually federation wasn't even in mind yet - but it did work out nicely that way
[00:43] <stevemar> gyee: but let me know if you have any hiccups with it, i'll certainly help as much as i can
[00:43] <stevemar> gyee: you are working on heat nowadays?
[00:44] <gyee> stevemar, I am just looking at it from operation standpoint, haven't dug into the details yet
[00:44] <stevemar> ah okay
[00:44] <stevemar> gyee: yeah, lots of poking around oauth :)
[01:09] <jog0> any neutron folks around
[01:10] <jfcastro> where I must deploy cinder-scheduler: at controller or with cinder-volume?
[01:20] <morganfainberg> jog0, pinfg
[01:20] <morganfainberg> wow. ping even
[01:20] <morganfainberg> jog0, ran into an interesting side-effect of the cache code you were requesting.
[01:21] *** topol has joined #openstack-dev
[01:21] <morganfainberg> jog0, when using os_cache, there is no guarantee or need to be explicitly passing a password in. I can simply invalidate the cache, but, that is about all I can do. re-authing is not guaranteed to be in the cards.
[01:23] *** tvb|afk has quit IRC
[01:23] *** adjohn has quit IRC
[01:23] <jog0> morganfainberg: are you saying that if the token expired all you can do is flush the cache. but can't guarantee a re-auth will work?
[01:24] <jog0> if so that's what I expected
[01:24] *** mangelajo has quit IRC
[01:24] <morganfainberg> jog0, ok i can also add in the logic to try and re-auth if there is self.username/self.password (90% there actually)
[01:24] <morganfainberg> jog0, but not really required.
[01:24] *** jasdeepH has quit IRC
[01:25] <morganfainberg> jog0, ok so i just need to tell the keyring saver to nuke its save. cool that is way less work when it comes to tests.
[01:25] <morganfainberg> :P
[01:27] *** mfer has quit IRC
[01:27] *** fifieldt has joined #openstack-dev
[01:27] <jog0> so the use case I imagine is: user auths, keyring saves token. a few hours later user is using the same token, turns out it expired.
[01:28] <jog0> morganfainberg: so keyring flushes token, and user needs a new token now. If the user has to rerun a command to fetch a new token that seems reasonable but if it's done behind the scenes if self.username is present even better
[01:29] *** ctracey has joined #openstack-dev
[01:29] <jog0> in all this the user ideally doesn't notice
[01:29] <morganfainberg> jog0, sounds good i have most of that test work done.
[01:29] <jog0> \o/
[01:30] *** changbl has joined #openstack-dev
[01:30] <morganfainberg> jog0, just need to convince keyring saver to flush it.
[01:30] <morganfainberg> jog0, in either case that is
[01:30] <jog0> what are the two cases?
[01:30] *** gordc has joined #openstack-dev
[01:31] <morganfainberg> 1: username and password are available, attempt reauth
[01:31] <morganfainberg> 2: username and password aren't both available, simply flush the cache
[01:31] <jog0> right
[01:31] <morganfainberg> actually case 1, flush cache, THEN re-auth
[01:32] <jog0> morganfainberg: in my mind i decoupled those two actions because if no token in cache then attempt auth
[01:32] *** mangelajo has joined #openstack-dev
[01:32] <jog0> but the code may not be laid out that way
[01:32] <morganfainberg> jog0, this is only in the exceptional case of token validate fails
[01:32] <morganfainberg> jog0, but yes, you are correct, it is logically like this
[01:32] <morganfainberg> jog0, that*
[01:33] <morganfainberg> jog0, i'm working from the assumption that we already failed to validate a cached token (it was cached and loaded)
[01:33] <jog0> morganfainberg: ahh
[01:33] <morganfainberg> jog0, if that isn't the case, we wouldn't even hit this new code path.
[01:34] *** angdraug has quit IRC
[01:35] <jog0> *nod*
[01:35] *** dstanek has quit IRC
[01:36] *** mangelajo has quit IRC
[01:36] *** erkules has quit IRC
[01:38] <stevemar> jamielennox, new patch boss
[01:41] <morganfainberg> jog0, ah. we don't support flushing the cache out in the secret helper.
[01:41] *** danwent has quit IRC
[01:41] <morganfainberg> jog0, i think it is assumed you'd get a 404/401 in either case.
[01:42] <morganfainberg> jog0, so no reason to purge out the cache.
[01:42] <morganfainberg> jog0, not sure if i like that behavior.
[01:44] <jamielennox> stevemar: shall do
[01:44] <stevemar> jamielennox, give it 30 more seconds, just noticed that i'm using assertEquals instead of assertEqual
[01:44] <stevemar> we're fixing it in keystone, so may as well be consistent here
[02:24] <ayoung> jamielennox, did you see my message about certmonger/certmaster yesterday?
[02:24] <jamielennox> ayoung: yea, i did - i haven't had a chance to look at certmaster since though
[02:25] <ayoung> jamielennox, talked with nalin about it. It sounds like a good "development" tool.
[02:25] *** mangelajo has quit IRC
[02:25] <ayoung> Doesn't to OCSP or CRLs
[02:25] <ayoung> to->do
[02:25] <jamielennox> that's ok - it acts as a certmonger backend
[02:25] <jamielennox> ?
[02:26] <ayoung> yes
[02:26] <ayoung> certmaster would be the story for multinode
[02:26] *** sld has quit IRC
[02:27] <ayoung> you'd probably have to decide up front whether to use it, so maybe once we have certmaster in, we always use it, even for single node deployments
[02:27] *** sld has joined #openstack-dev
[02:27] <ayoung> jamielennox, I think I want to use it for the pki_setup in Keystone
[02:27] <ayoung> certmonger, that is
[02:28] <jamielennox> that's a run time dependency...
[02:28] <ayoung> Yep
[02:28] <ayoung> but a good one
[02:28] <ayoung> it provides a way to keep the certs active and updated
[02:28] *** dubsquar_ has quit IRC
[02:28] <ayoung> something that is missing now
[02:29] <ayoung> also, it will give us a way to tie in with barbican or whatever the cloudkeep folks end up calling their CA once they have it out.
[02:29] <jamielennox> stevemar: done
[02:29] <jamielennox> interesting cloudkeep as a backend to certmonger
[02:32] <ayoung> jamielennox, yeah...or whatever other CAs come up. We make certmonger a bridge component to keep the configuration simple
[02:32] *** gyee has quit IRC
[02:33] *** dims has quit IRC
[02:33] <ayoung> Then it becomes the common point for people to define how to talk to their particular CAs. We can even, potentially, tie it in with AMQP for notifications if we want to.
[02:33] <stevemar> jamielennox, alright, probably gonna fix it up tmrw, gettin sleepy
[02:34] <jamielennox> if we back barbican to dogtag, then certmonger to barbican - way to complicate life
[02:35] <jamielennox> stevemar: no worries
[02:35] <jamielennox> it's the right approach though
[02:35] <ayoung> stevemar, which patch?
[02:35] <jog0> morganfainberg: I think we need to change that behavior then? we need to be able to flush the cache right?
[02:35] <jamielennox> though i'm not sure that SSL certs is barbicans area
[02:36] <jamielennox> sorry the right approach thing was intended at you ayoung
[02:36] <jamielennox> ayoung: https://review.openstack.org/#/c/30043/
[02:37] <jamielennox> tell you what though the way stevemar is going your old trust reviews record may not keep you in the top couple
[02:37] <ayoung> jamielennox, the Dogtag folks are working on making the key escrow stuff work with an external CA. Barbican would work with that. So, yeah, not the SSL cert stuff. But something in Cloudkeep is going to end up as a CA
[02:37] *** amcrn has quit IRC
[02:37] <jamielennox> ayoung: are the dogtags folks looking at integrating with barbican or just the principal
[02:38] *** twoputt_ has joined #openstack-dev
[02:38] *** vipul has quit IRC
[02:38] *** stevemar has quit IRC
[02:38] <jamielennox> (i had kind of thought it might be me that ends up looking at that integration)
[02:38] <ayoung> jamielennox, I don't know what is going on there. I think that talks have broken down. I suspect that the Cloudkeepers sopped listening at Java
[02:38] <ayoung> stopped
[02:39] <jamielennox> i thought the talks were regarding API design
[02:39] *** vipul has joined #openstack-dev
[02:40] <jamielennox> they just had troubles getting the thing up and running, so long as the backend is pluggable i don't think it matters that much in the long run
[02:40] <ayoung> they were...but I suspect Ade got involved with day to day dogtag work (lots of it) and the Cloudkeep folk went on doing Python dev as they see it. I hope at least they took a good read of the API doc.
[02:41] <ayoung> The install process for Dogtag is a farce. That is the one thing that really, really is in need of a do-over
[02:42] *** mangelajo has joined #openstack-dev
[02:42] <ayoung> I mean, yeah, for FIPS etc you need to lock down the server...but...it's a tomcat app....
[02:42] <jamielennox> i eventually got a standalone dogtag working for rhel6 - was a PITA though
[02:42] <ayoung> do it like every other tomcat app out there.
[02:42] *** sdague has quit IRC
[02:42] *** sdague has joined #openstack-dev
[02:42] *** neelashah has joined #openstack-dev
[02:43] <jamielennox> i've no experience deploying java
[02:43] <ayoung> I had it all down back 2 years ago. Then bstein came by with "Hey, I have something you might be interested in working on."
[02:43] *** giulivo has quit IRC
[02:44] <ayoung> Did Java from 99 through 2004, and then again for my first year at RH
[02:44] *** freedomhui has quit IRC
[02:45] *** dtyarnell has quit IRC
[02:45] <jamielennox> ayoung: i don't mind it, the bit i've done - i've just never found the extra memory of the JVM worth it
[02:45] <ayoung> anyway...I think you are on the right track with the "here are where the files go" env vars. Instead of straight openssl calls, we do certmonger with the self signed options for the first iteration, and do certmaster for the second. We might even decide to move the certmaster stuff into the core projects
[02:46] <jamielennox> i understand it from a mainframe and enterprise view but otherwise just no
[02:46] <ayoung> jamielennox, talk to me when we are not working on a project in a language with a GIL
[02:46] *** mangelajo has quit IRC
[02:46] <jamielennox> i've done plenty of C and multithreaded C
[02:46] <jamielennox> that gets fun
[02:46] <ayoung> yeah...I miss that, too
[02:47] <ayoung> I liked the Kernel work I was doing at Penguin.
[02:47] <jamielennox> anyway again, i'm not specifying where the cert files go - the user is telling me
[02:47] <ayoung> Process migration, file caching, remote forks, signal forwarding...and maintaining Posix semantics. Everything since then has felt like kids stuff
[02:48] <ayoung> right, right...it is the cert generation game that I want us out of. Where it goes is up to the user.
[02:48] *** jbresnah has quit IRC
[02:48] <ayoung> I think I am going to open a blueprint for Certmonger integration for Keystone.
[02:49] <jamielennox> mmm, not really - where it goes is up to whoever made the certs - i don't want to be creating files into a specific location
[02:49] <jamielennox> if i'm creating certs then i'll put them wherever I want because apparently the user doesn't care
[02:49] <jamielennox> so long as they work
[02:50] <jamielennox> anyway i need to look into fixing grenade before i can make that work
[02:50] <ayoung> Keystone knows. It is in the config file
[02:50] *** sandywalsh has quit IRC
[02:50] <ayoung> to keystone_manage pki_setup and ssl_setup can just be calls to certmonger
[02:51] <ayoung> we could even, potentially do the same thing for the signing certs from auth_token
[02:51] <ayoung> but that is not really the right thing...
[02:59] <jamielennox> this sounds like something that should be driven from packstack or something rather than part of keystone-manage
[02:59] <jamielennox> but i'm happy with the idea that we should say use certmonger instead of doing ssl_setup
[03:01] *** amohn9 has left #openstack-dev
[03:01] <ayoung> jamielennox, maybe. But I like the idea of making the SSL work be as simple as possible. This way, only Keystone needs to get it right.
[03:11] <jamielennox> ayoung: going to get lunch, cya tomorrow
[03:11] <ayoung> jamielennox, g'night
*** claxton has quit IRC11:57
*** belmoreira1 has quit IRC12:01
*** eglynn-fuse-f2f has joined #openstack-dev12:01
*** sdake_ has quit IRC12:02
*** sdake has quit IRC12:02
*** MaxV has joined #openstack-dev12:02
*** bcrochet is now known as bcrochet|ex21012:03
*** bcrochet|ex210 is now known as bcrochet12:03
*** bauzas has joined #openstack-dev12:03
*** mohits has joined #openstack-dev12:03
*** bauzas has quit IRC12:03
*** sdake has joined #openstack-dev12:03
*** sdake_ has joined #openstack-dev12:04
*** sdake_ has quit IRC12:04
*** sdake_ has joined #openstack-dev12:04
*** belmoreira has joined #openstack-dev12:04
*** bauzas has joined #openstack-dev12:05
*** vartom11 has joined #openstack-dev12:05
*** bcrochet has quit IRC12:06
*** dims has quit IRC12:07
*** bashok_ has quit IRC12:07
*** bcrochet has joined #openstack-dev12:08
*** claxton has joined #openstack-dev12:09
*** nil1511 has joined #openstack-dev12:09
*** sridevi has quit IRC12:09
*** _anant has quit IRC12:12
*** dstanek has quit IRC12:14
*** FunnyLookinHat has joined #openstack-dev12:15
*** nil1511 has quit IRC12:15
*** nil1511 has joined #openstack-dev12:17
*** Guest7965 has quit IRC12:19
*** dims has joined #openstack-dev12:20
*** ekarlso has quit IRC12:20
*** dstanek has joined #openstack-dev12:21
*** ifarkas has quit IRC12:23
*** romcheg1 has joined #openstack-dev12:23
*** ifarkas has joined #openstack-dev12:26
*** lucas-afk is now known as lucasagomes12:26
*** dtyarnell has quit IRC12:27
*** romcheg has quit IRC12:28
*** dolphm has joined #openstack-dev12:31
*** jruzicka has quit IRC12:33
*** jruzicka has joined #openstack-dev12:33
*** matsuhashi has quit IRC12:34
*** lucasagomes has quit IRC12:36
*** nil1511 has quit IRC12:36
*** lucasagomes has joined #openstack-dev12:36
*** zhikunliu has quit IRC12:42
*** statik has left #openstack-dev12:42
*** maheshp has joined #openstack-dev12:45
*** karlsone has joined #openstack-dev12:47
chmoueldolphm: ping12:48
dolphmchmouel: pong12:48
chmouelso not sure what's the status of https://review.openstack.org/#/c/45447/12:48
chmouelsaw my name flashing in my scrollback12:48
chmouelshould I update the tests12:49
dolphmchmouel: lol dstanek's revision merged with your name on it12:49
chmouelah k cool12:49
chmouelso i can abandon that one?12:49
dolphmchmouel: yep!12:49
chmouelnice :)12:49
dolphmchmouel: i wrote some additional tests here https://review.openstack.org/#/c/48340/12:49
chmouelcool, reviewing12:50
chmouelso moving it to test_backend.py ?12:50
chmouel(or adding it even)12:50
*** sgordon has joined #openstack-dev12:52
*** jay-lau-513 has joined #openstack-dev12:52
*** donaldh has joined #openstack-dev12:54
*** o_petit has quit IRC12:54
*** giulivo has quit IRC12:56
*** belmoreira has quit IRC12:56
*** romcheg has joined #openstack-dev12:56
*** corrigac has joined #openstack-dev12:57
*** belmoreira has joined #openstack-dev12:58
*** ccorrigan has quit IRC12:59
*** thomasm has joined #openstack-dev12:59
*** Ruetobas has quit IRC12:59
*** eglynn-fuse-f2f has quit IRC13:00
*** romcheg1 has quit IRC13:00
*** venkatesh has quit IRC13:02
*** morazi has joined #openstack-dev13:03
*** statik has joined #openstack-dev13:04
*** dolphm has quit IRC13:04
*** martine has joined #openstack-dev13:06
*** yaguang has joined #openstack-dev13:07
*** martine is now known as Guest4937113:07
*** wenjianhn has joined #openstack-dev13:08
*** aditirav has quit IRC13:08
*** xchu has joined #openstack-dev13:09
*** dolphm has joined #openstack-dev13:10
*** nermina has joined #openstack-dev13:10
*** o_petit has joined #openstack-dev13:11
*** bashok has joined #openstack-dev13:13
*** rfolco has joined #openstack-dev13:14
*** eglynn-fuse-f2f has joined #openstack-dev13:14
*** maheshp has quit IRC13:15
*** maheshp has joined #openstack-dev13:15
*** gordc has joined #openstack-dev13:17
*** portante|afk is now known as portante13:18
*** jayg|g0n3 is now known as jayg13:18
*** dvarga has joined #openstack-dev13:19
*** Ruetobas has joined #openstack-dev13:20
*** cthulhup has joined #openstack-dev13:20
*** martine_ has joined #openstack-dev13:21
*** dprince has joined #openstack-dev13:22
*** alunduil has quit IRC13:24
*** Guest49371 has quit IRC13:24
*** dkranz has quit IRC13:25
*** jaypipes has joined #openstack-dev13:25
*** gordc has quit IRC13:26
*** shang has quit IRC13:27
*** jab416171 has quit IRC13:27
*** akscram has quit IRC13:28
*** jasondotstar has joined #openstack-dev13:29
*** xjiujiu has joined #openstack-dev13:29
*** zhiyan has joined #openstack-dev13:29
*** markmc has quit IRC13:30
*** ayoung has joined #openstack-dev13:30
*** markmc has joined #openstack-dev13:31
*** edmund has joined #openstack-dev13:31
*** bashok has quit IRC13:32
*** shang has joined #openstack-dev13:32
*** akscram has joined #openstack-dev13:32
*** dtyarnell has joined #openstack-dev13:32
*** DinaBelova has joined #openstack-dev13:32
*** karlsone has quit IRC13:33
*** mjfs has joined #openstack-dev13:34
*** maheshp has quit IRC13:34
*** martine_ has quit IRC13:35
*** jswarren has quit IRC13:35
*** jswarren has joined #openstack-dev13:36
*** MaxV has quit IRC13:36
*** jswarren has quit IRC13:37
*** lbragstad has joined #openstack-dev13:38
*** neelashah has joined #openstack-dev13:38
*** ron-slc has quit IRC13:38
*** jswarren has joined #openstack-dev13:38
*** dkranz has joined #openstack-dev13:38
*** gordc has joined #openstack-dev13:38
*** jecarey has joined #openstack-dev13:38
*** jswarren has quit IRC13:39
*** jhesketh has quit IRC13:39
*** jswarren has joined #openstack-dev13:39
*** enikanorov has joined #openstack-dev13:40
*** enikanorov_ has quit IRC13:43
*** matsuhashi has joined #openstack-dev13:43
*** ron-slc has joined #openstack-dev13:44
*** kbringard has joined #openstack-dev13:46
*** prad_ has joined #openstack-dev13:46
*** cthulhup has quit IRC13:46
*** AnilV4 has joined #openstack-dev13:47
*** litong has joined #openstack-dev13:48
*** cjellick has joined #openstack-dev13:48
*** paragan has joined #openstack-dev13:48
*** burt has joined #openstack-dev13:49
*** Max_ has joined #openstack-dev13:49
*** mrunge has quit IRC13:52
*** davidhadas_ has quit IRC13:52
*** mjfs has quit IRC13:53
*** FunnyLookinHat has quit IRC13:53
*** tvb|afk has quit IRC13:53
*** martine_ has joined #openstack-dev13:54
*** yaguang has quit IRC13:54
*** eharney has joined #openstack-dev13:54
*** cjellick has quit IRC13:54
*** cjellick has joined #openstack-dev13:54
*** venkatesh has joined #openstack-dev13:54
*** dkranz has quit IRC13:59
*** topol has joined #openstack-dev13:59
*** jmontemayor has joined #openstack-dev13:59
*** markwash has joined #openstack-dev13:59
*** o_petit has quit IRC14:00
*** stevemar has joined #openstack-dev14:02
*** johnthetubaguy has joined #openstack-dev14:03
*** beraldo has joined #openstack-dev14:03
*** belmoreira has left #openstack-dev14:03
*** alunduil has joined #openstack-dev14:04
*** stevemar has quit IRC14:04
beraldohi, I'm having problems to configure keystone + ldap, keystone user-list show everything ok, uid, name, enabled and email. But when I do keystone user-get "uid" don't show user, my config file user_id_attribute = uid, but keystone insist in use cn to get user, if I do keystone user-get "Complete CN" works.14:05
*** jtomasek_ is now known as jtomasek14:06
*** nshaikh has left #openstack-dev14:08
*** vartom11 has quit IRC14:08
*** pberis has quit IRC14:09
*** changbl has quit IRC14:09
*** pberis has joined #openstack-dev14:09
*** aloga has quit IRC14:10
beraldoI can see the bug #99770014:11
uvirtbotLaunchpad bug 997700 in keystone/essex "LDAP should not check username on "sn" field" [Medium,Fix released] https://launchpad.net/bugs/99770014:11
*** pberis has quit IRC14:11
*** jasondotstar has quit IRC14:11
beraldobut i think that the fix proposed is only on user_name_attribute, may be is missing a user_id_attribute ?14:12
*** pberis has joined #openstack-dev14:12
*** o_petit has joined #openstack-dev14:12
*** giulivo has joined #openstack-dev14:12
*** jmontemayor has quit IRC14:12
*** hemanth has joined #openstack-dev14:13
*** matsuhashi has quit IRC14:13
*** eglynn-fuse-f2f has quit IRC14:14
*** wenjianhn has quit IRC14:16
*** briancurtin has joined #openstack-dev14:16
*** xchu has quit IRC14:18
*** jasondotstar has joined #openstack-dev14:18
*** tmclaugh[work] has joined #openstack-dev14:20
*** xga__ has joined #openstack-dev14:20
*** xga_ has quit IRC14:21
*** DeeJay1 has quit IRC14:21
*** johnpur has joined #openstack-dev14:24
*** tvb|afk has joined #openstack-dev14:24
*** karlsone has joined #openstack-dev14:24
*** ericw has joined #openstack-dev14:24
*** prekarat1 has joined #openstack-dev14:25
*** prekarat has quit IRC14:26
*** eglynn-fuse-f2f has joined #openstack-dev14:26
*** dolphm has quit IRC14:26
*** romcheg has quit IRC14:27
*** romcheg has joined #openstack-dev14:27
*** richardwoo has joined #openstack-dev14:27
*** martine_ has quit IRC14:27
*** Guest19249 is now known as esheffield14:27
*** eglynn-fuse-f2f has quit IRC14:28
*** eglynn has joined #openstack-dev14:28
*** wenjianhn has joined #openstack-dev14:29
*** martine has joined #openstack-dev14:30
*** martine is now known as Guest2950614:30
*** xjiujiu has quit IRC14:31
*** cjellick1 has joined #openstack-dev14:32
*** rnirmal has joined #openstack-dev14:33
*** cjellick has quit IRC14:34
*** dolphm has joined #openstack-dev14:35
*** pberis has quit IRC14:35
*** cjellick1 has quit IRC14:36
*** devoid has joined #openstack-dev14:36
*** cjellick has joined #openstack-dev14:36
*** devoid has quit IRC14:36
*** sthaha has quit IRC14:38
*** corXi has quit IRC14:38
*** otherwiseguy has joined #openstack-dev14:38
*** anteaya has joined #openstack-dev14:38
*** richardwoo has quit IRC14:39
*** bvandenh has quit IRC14:39
*** johnpur has quit IRC14:39
*** markmc has quit IRC14:39
icchaannegentle: do u know thomas leaman's irc nick?14:40
*** rcleere has joined #openstack-dev14:41
*** datsun180b has joined #openstack-dev14:41
*** FunnyLookinHat has joined #openstack-dev14:41
*** mangelajo has quit IRC14:42
*** mjfork has joined #openstack-dev14:42
*** mjfork has quit IRC14:42
*** wenjianhn has quit IRC14:42
*** mangelajo has joined #openstack-dev14:42
*** johnpur has joined #openstack-dev14:44
bugsdugganiccha: I am he14:46
icchahey bugsduggan14:46
bugsdugganhowdy14:46
icchabugsduggan: so we were talking about ur patch in glance14:46
icchaand I was wondering if u could remove the dependency?14:47
icchaand remove references to @ and !14:47
icchaso we can include it in rc1?14:47
icchathanks for ur work on it :)14:47
*** venkatesh has quit IRC14:47
*** mangelajo has quit IRC14:47
*** sumanthns has quit IRC14:48
bugsdugganiccha: I can remove the dependency, that's fine. Can I ask why the decision to remove the '@' and '!'?14:48
icchabugsduggan: its going to be in ice house, thats all :)14:48
*** Guangya has joined #openstack-dev14:49
*** Guangya has quit IRC14:50
bugsdugganiccha: would it be easier to create a separate change to remove the dep? and you can -2 my other change for now?14:50
icchabugsduggan: sure will do14:51
icchacan we have the patch today?14:51
*** galstrom_zzz is now known as galstrom14:51
bugsdugganiccha: excellent, I'll get that patch to you today14:52
icchathanks bugsduggan :)14:52
*** jay-lau-513 has quit IRC14:52
bugsdugganiccha: my pleasure ;)14:52
*** markwash has quit IRC14:53
*** radix has quit IRC14:53
*** radix has joined #openstack-dev14:54
*** radez_g0n3 is now known as radez14:54
*** wenjianhn has joined #openstack-dev14:55
*** twoputt has joined #openstack-dev14:55
*** markmc has joined #openstack-dev14:57
*** gargya has joined #openstack-dev14:57
*** atiwari has joined #openstack-dev14:57
*** venkatesh has joined #openstack-dev14:57
dolphmatiwari: o/14:58
*** adjohn has joined #openstack-dev14:59
dolphmatiwari: your change is dependent on the oslo sync, so they'll be tested together -- it won't be an issue14:59
dolphm(or was, in patchset 12)14:59
atiwariok, in that case I am good?15:00
dolphmatiwari: it looks like you squashed an old copy of gyee's fix into your patchset 13, which IS causing issues15:00
dolphmatiwari: so, i'm trying to work out what else you changed between patchset 12 and 13?15:00
*** adjohn_ has joined #openstack-dev15:00
*** cthulhup has joined #openstack-dev15:00
dolphmatiwari: i found this- http://pasteraw.com/hihepsgbe3et83qcqpnics3e9m5fskv15:00
dolphmatiwari: that change looks good15:00
atiwarithat is one change15:01
dolphmatiwari: i also ran into a test failure on test_admin_on_project_filter15:01
dolphmatiwari: what did you do to resolve that?15:01
dolphmatiwari: it was in one of your new tests in TestTokenRevokeSelfAndAdmin15:02
atiwarilet me see, I think the assertRaise had unauth15:03
atiwariI made it to notfound15:03
*** kenperkins has quit IRC15:03
*** zhikunliu has joined #openstack-dev15:03
dolphmatiwari: also, *please* don't do a git-review on your patch for the moment :)15:03
*** adjohn has quit IRC15:03
dolphmatiwari: i want to make sure the oslo policy sync gets in as fast as possible, so i want to avoid rebasing & restarting the gate on it15:03
atiwariok15:04
dolphmatiwari: we can still push changes to your patch, we just need to be careful about it15:04
*** xga__ has quit IRC15:04
atiwariI am not going to touch, until you ask me :)15:04
*** xga has joined #openstack-dev15:04
dolphmatiwari: thanks! this is the failure i'm seeing that it looks like you resolved in patchset 13: http://pasteraw.com/ijpdmywy2kyjet8wicqug2podatd5hl15:05
*** jvrbanac has joined #openstack-dev15:05
dolphmnote the "keystone.openstack.common.policy: ERROR: Failed to understand rule admin_on_project_filter"15:05
*** wenjianhn has quit IRC15:06
*** jecarey has quit IRC15:06
*** mrodden has joined #openstack-dev15:06
*** kbrierly has joined #openstack-dev15:06
atiwaridolphm, I did not see that test fail15:07
*** reidrac has quit IRC15:07
dolphmatiwari: hmm15:07
*** zhikunliu has quit IRC15:07
*** twoputt has quit IRC15:07
atiwaridolphm, http://logs.openstack.org/23/46123/12/check/gate-keystone-python27/fa781f6/nose_results.html are the only tests I fixed15:08
*** prekarat1 has quit IRC15:08
*** prekarat has joined #openstack-dev15:08
dolphmatiwari: you also rewrote your keystone.common.controller changes?15:08
*** mjfork has joined #openstack-dev15:08
atiwariyes, as per Gyee comment I made the toke_ref lighter15:09
atiwaridolphm, http://paste.openstack.org/show/47544/15:09
*** karlsone has quit IRC15:09
atiwariand small change in https://review.openstack.org/#/c/46123/13/keystone/token/providers/uuid.py15:11
dolphmatiwari: ooh, that looks significant15:11
dolphmatiwari: i missed that15:11
*** dubsquared has joined #openstack-dev15:11
atiwariboth to resolve gyee comments in patch 1115:11
*** dkranz has joined #openstack-dev15:12
*** jecarey has joined #openstack-dev15:12
*** masumotok has joined #openstack-dev15:12
*** mangelajo has joined #openstack-dev15:12
dolphmatiwari: how are those changes tested?15:13
dolphmatiwari: i think i'm down to two errors across the entire test suite15:14
atiwariI ran entire test before pushing15:14
*** prekarat has quit IRC15:15
atiwarilet me run it again15:15
masumotokHi, does anyone know when ZBF mode in swift object auditor can be used? In manual, this feature can be used " only zero byte files are audited", but I would like to know when swift experts use this feature *for example*.15:15
*** changbl has joined #openstack-dev15:16
*** karlsone has joined #openstack-dev15:16
dolphmmasumotok: might want to try asking in #openstack-swift15:16
atiwaridolphm, what are those two?15:17
masumotokdolphm: Uh.. there might be better place to ask, thank you!15:17
dolphmmasumotok: anytime15:17
dolphmatiwari: two of your new tests15:17
*** masumotok has quit IRC15:17
atiwarihmm15:17
dolphmatiwari: same failure in my paste from above15:17
atiwariI am running it here15:17
dolphmatiwari: i'd like to ask henrynash about them... as he wrote the rules it's stumbling on15:17
*** karlsone has quit IRC15:18
*** o_petit has quit IRC15:18
*** karlsone has joined #openstack-dev15:18
*** wolfdreamer has joined #openstack-dev15:19
*** nati_ueno has joined #openstack-dev15:19
dolphmatiwari: failures from a full run: http://pasteraw.com/ftxrq3urvklrk9wva12wl7u8vh4obzs15:20
*** mangelajo has quit IRC15:23
*** freedomhui has quit IRC15:23
*** freedomhui has joined #openstack-dev15:23
*** sandeepr_ltp has joined #openstack-dev15:26
atiwaridolphm, let me see. I am running complete tests locally on my local branch which exactly same as patch #13.15:26
atiwariDid you rebase with master?15:26
dolphmatiwari: no15:27
dolphmatiwari: what's in master that would affect this?15:27
*** jab416171 has joined #openstack-dev15:27
dolphmatiwari: these are the changes i've made to patchset 12 so far http://pasteraw.com/2e491vbrg44dalep82e0nyihltd2rai15:28
atiwaridolphm, I don't know, thought any change coming from master which is making this test unhappy.15:28
dolphmatiwari: just tried rebasing on master, still seeing these failures15:29
dolphmatiwari: ooh, i think i figured this out15:32
atiwaridolphm, what was that15:33
atiwari?15:33
atiwariI am blocked with nasty proxy issue here15:33
*** gyee has joined #openstack-dev15:34
*** DinaBelova has quit IRC15:34
dolphmatiwari: no worries; i think there's a subtle difference between 12 and 13 about how the policy dict is constructed (it appears to be broken in 12 and fixed in 13)15:34
*** shinylasers has joined #openstack-dev15:34
atiwaridolphm, so you are good now?15:36
dolphmatiwari: working on it :)15:36
*** mfer_ has joined #openstack-dev15:36
*** gargya_ has joined #openstack-dev15:37
*** hemanth is now known as Guest6862215:37
*** comay has joined #openstack-dev15:37
dolphmatiwari: i can change the nature of the failure by cherry picking your keystone.common.controller changes back to patchset 1215:37
*** boris-42 has quit IRC15:38
*** gargya has quit IRC15:38
icchabugsduggan: hey i am not sure if i was clear but i meant the documentation as a separate patch15:39
*** aditirav has joined #openstack-dev15:39
*** pmathews has joined #openstack-dev15:40
*** fbo is now known as fbo_away15:40
cjellickhi all. should i be able to get all of the keystone tests to pass locally? i get roughly 500 failures. many of these are in the v3 api tests, but not all of them15:42
dolphmatiwari: passing!15:42
atiwarigreat15:42
*** gargya_ has quit IRC15:42
*** dkranz has quit IRC15:44
*** nati_ueno has quit IRC15:45
bugsdugganiccha: I'm about to push a (entirely separate) patch for the docs15:45
*** alop has joined #openstack-dev15:45
icchabugsduggan: awesome :)15:45
*** SergeyLukjanov has quit IRC15:45
*** SergeyLukjanov has joined #openstack-dev15:46
zhiyanafazekas: ping15:46
dolphmatiwari: uploaded patchset 14 https://review.openstack.org/#/c/46123/15:47
*** jtomasek has quit IRC15:47
*** fbo_away is now known as fbo15:47
dolphmatiwari: note it a lot like patchset 12, but should include all of your changes from patchset 13 with an exception15:47
atiwaridolphm, thanks15:47
*** nplanel_ has joined #openstack-dev15:47
dolphmatiwari: i simplified your keystone.common.controller changes in patchset 13 back to something very similar to patchset 1215:47
*** nplanel has quit IRC15:47
atiwariok15:48
dolphmatiwari: so... my ONE question on this review now... :)15:48
*** mangelajo has joined #openstack-dev15:48
dolphmatiwari: why do you have a try/except in that file to suppress the TokenNotFound?15:48
bugsdugganiccha: https://review.openstack.org/#/c/48475/ https://review.openstack.org/#/c/48482/15:48
*** bdpayne has joined #openstack-dev15:49
dolphmatiwari: my intuition is that the goal of the patch is to raise a 404 on an invalid X-Subject-Token, so why not let that bubble up immediately?15:49
bugsdugganiccha: I hope that's what you were expecting, let me know if I'm way off the mark15:49
atiwarilet me see15:49
icchathanks bugsduggan ! yes was looking for https://review.openstack.org/#/c/48482/ :) appreciate ur effort to work with us on this15:49
*** alop has quit IRC15:49
atiwarihave you added comment in 14?15:49
*** angdraug has joined #openstack-dev15:49
bugsdugganiccha: no problem at all, happy to help15:50
dolphmatiwari: no, that was already there15:50
icchaminor q bugsduggan on patch15:50
atiwaridolphm, I dot that let me explain15:51
atiwariby that line auth did not take place and if you return 404 an unauth user can guess about a token and may open a token harvesting issues15:52
*** vkmc has joined #openstack-dev15:52
*** vkmc has joined #openstack-dev15:52
atiwariI am eating it up so that auth will take place15:52
bugsdugganiccha: good catch, I'll fix that now ;)15:52
*** alop has joined #openstack-dev15:52
*** zhiyan has quit IRC15:52
*** zhiyan has joined #openstack-dev15:53
atiwaridolphm, am I making sense ?15:53
*** mangelajo has quit IRC15:53
afazekaszhiyan: if the open throws an exception the connection will be None15:53
*** xga has quit IRC15:54
*** xga_ has joined #openstack-dev15:54
dolphmatiwari: hmm, making sure auth takes place based on what?15:54
dolphmatiwari: if you know it's going to fail, why not fail earlier?15:54
*** dubsquar_ has joined #openstack-dev15:56
*** adjohn_ has quit IRC15:56
atiwariOK, I think for unauth user it should be 401 and 404 only for auth user15:56
*** SergeyLukjanov has quit IRC15:56
atiwariif you do not pass on that will not happen15:56
dolphmatiwari: ooh, so you want to ensure that X-Auth-Token is processed before X-Subject-Token?15:57
*** dkranz has joined #openstack-dev15:57
atiwaricorrect15:57
dolphmatiwari: but in reality, you're processing X-Subject-Token, X-Auth-Token, and then raising 404 for an invalid X-Subject-Token based on the fact that there's no user_id in the policy dict?15:57
*** dubsquared has quit IRC15:59
*** shardy is now known as shardy_afk15:59
*** donaldh has quit IRC15:59
atiwaridolphm, I am adding x-subject-token in the target, so that my policy does the auth.16:00
atiwarithat way if x-auth-token is of admin he will get 40416:00
*** tserong has quit IRC16:00
atiwariin case f the token is not found16:00
dolphmatiwari: "is of admin" ?16:00
*** o_petit has joined #openstack-dev16:00
*** zaitcev has joined #openstack-dev16:01
*** markmc has quit IRC16:01
*** danwent has joined #openstack-dev16:01
*** Ruetobas has quit IRC16:01
*** tserong has joined #openstack-dev16:01
*** xBytez has quit IRC16:01
atiwaridolphm, did not get your last question16:01
*** xBytez has joined #openstack-dev16:01
*** rdopieralski has quit IRC16:02
dolphmatiwari: i'm trying to work out what you meant by "that way if x-auth-token is of admin he will get 404"16:02
dolphmatiwari: if the x-auth-token represents a user with the admin role?16:02
atiwariyes16:02
*** Ruetobas has joined #openstack-dev16:03
*** mangelajo has joined #openstack-dev16:03
atiwarian x-auth-token with admin role is trying to revoke user token. if user (x-subject-token) is already deleted admin should get 40416:04
*** xga__ has joined #openstack-dev16:04
*** Mandell has quit IRC16:05
dolphmatiwari: if i remove that try/except, all the tests still pass16:05
*** xga_ has quit IRC16:06
*** topol has quit IRC16:06
atiwaridolphm, something is wrong16:06
atiwarilet me see16:06
dolphmatiwari: there's a patchset 15 now, btw -- it's just a trivial rebase16:07
atiwariok16:07
dolphmatiwari: and this is a diff to remove the try/except, which results in passing tests http://pasteraw.com/fwzyh9wb1vza7a5d1fnh230a2hcauew16:07
*** patelna has joined #openstack-dev16:08
*** Ruetobas has quit IRC16:08
atiwariI think I should have added one test where a revoked x-auth-token is trying to revoke x-subject-token16:08
atiwariin that case test will fail16:08
atiwarilet me see16:08
*** ifarkas has quit IRC16:09
*** ravikumar_hp has joined #openstack-dev16:09
dolphmatiwari: if you want to contribute a new test, make sure you checkout patchset 15 and then either push directly to gerrit with `git push gerrit HEAD:refs/for/master` or use `git-review --no-rebase`16:11
dolphmatiwari: that will avoid rebasing the policy sync while it's gating :)16:11
atiwariwhich try/catch you removed?16:12
atiwariit is still there16:12
atiwarihttps://review.openstack.org/#/c/46123/15/keystone/common/controller.py16:12
dolphmatiwari: it's removed in this diff: http://pasteraw.com/fwzyh9wb1vza7a5d1fnh230a2hcauew16:12
dolphmatiwari: i haven't uploaded that change16:12
*** danwent has quit IRC16:12
*** rackerjoe has joined #openstack-dev16:12
*** twoputt has joined #openstack-dev16:13
*** danwent has joined #openstack-dev16:13
*** o_petit has quit IRC16:13
*** afazekas has quit IRC16:14
atiwaridolphm, working on #15. I will follow your instructions16:14
atiwarifor push16:14
*** Shaan7 has quit IRC16:15
*** Ruetobas has joined #openstack-dev16:15
*** freedomhui has quit IRC16:16
*** romcheg has quit IRC16:16
*** hemna_ is now known as hemna16:16
*** tvb|afk has quit IRC16:16
*** flaper87 is now known as flaper87|afk16:16
*** jtomasek has joined #openstack-dev16:16
*** safchain has quit IRC16:19
*** ericw has quit IRC16:19
*** feleouet has quit IRC16:23
*** davidhadas_ has joined #openstack-dev16:25
*** yassine has quit IRC16:25
*** odyssey4me has quit IRC16:25
dolphmatiwari: thanks!16:25
*** nermina has quit IRC16:25
*** Max_ has quit IRC16:26
*** jmontemayor has joined #openstack-dev16:26
garykarosen: ping16:26
*** bswartz has quit IRC16:27
*** romcheg has joined #openstack-dev16:27
arosengaryk: pong16:27
*** dubsquar_ has quit IRC16:27
*** jmontemayor has quit IRC16:28
*** jasondotstar has quit IRC16:29
*** jtomasek has quit IRC16:31
*** jtomasek has joined #openstack-dev16:32
*** Shaan7 has joined #openstack-dev16:32
*** mfer_ is now known as mattfarina16:32
*** ravikumar_hp has quit IRC16:33
*** openfly has quit IRC16:34
*** aditirav has quit IRC16:34
*** Birk_ has joined #openstack-dev16:35
*** iartarisi has quit IRC16:36
*** ygbo has quit IRC16:36
*** dkehn_ has joined #openstack-dev16:39
*** __afazekas is now known as afazekas16:41
*** dkehn has quit IRC16:42
*** zigo_ has quit IRC16:42
*** zigo has joined #openstack-dev16:42
*** jtomasek has quit IRC16:43
*** briancurtin has quit IRC16:43
*** eglynn has quit IRC16:44
*** venkatesh has quit IRC16:45
*** Alexei_987 has quit IRC16:47
*** prekarat has joined #openstack-dev16:47
*** prekarat has quit IRC16:48
*** jistr has quit IRC16:48
*** SergeyLukjanov has joined #openstack-dev16:49
*** prekarat has joined #openstack-dev16:50
*** bswartz has joined #openstack-dev16:50
*** xga has joined #openstack-dev16:50
*** reed has joined #openstack-dev16:51
*** xga__ has quit IRC16:52
*** jtomasek has joined #openstack-dev16:53
*** jdurgin1 has joined #openstack-dev16:54
*** briancurtin has joined #openstack-dev16:54
*** READ10 has joined #openstack-dev16:55
*** martyntaylor has quit IRC16:55
*** mmagr has quit IRC16:55
*** DinaBelova has joined #openstack-dev16:56
*** paragan has quit IRC16:58
*** jbresnah has joined #openstack-dev16:59
*** mlavalle has joined #openstack-dev17:00
*** derekh has quit IRC17:00
atiwaridolphm, I think you are correct. no need to add any test. we can remove the try/catch17:01
*** jtomasek has quit IRC17:01
atiwarido you want me to do that or you are planning to push?17:01
*** reed has quit IRC17:02
*** vipul-away is now known as vipul17:03
*** nplanel_ has quit IRC17:03
ayoungdolphm, what should I be looking at for RC1?  Anything?  The only Bug we have open has a Keystone commit.  Are we just waiting on Tempest, or is it something else?17:03
ayounghttps://review.openstack.org/#/c/46123/1517:04
ayoungatiwari, I take it this is the effort ^^17:04
atiwariayoung, thanks17:05
atiwariyes, we need to remove try/catch as mentioned in dolphm comment in #1517:06
*** qba73 has quit IRC17:06
ayoungatiwari, I suspect that the logic you are putting in there should be up in _build_policy_check+_credentials.17:08
*** reed has joined #openstack-dev17:08
zhiyanafazekas: ping17:09
afazekaszhiyan: pong17:09
ayoungor, probably more correct, the logic from that function should apply to tokens17:09
ayoungto subject tokens17:09
atiwariayoung, I think no because  _build_policy_check+_credentials creates creds and my change is adding target17:10
*** prekarat has quit IRC17:10
ayoungatiwari, I am aware,  that is not what I am trying to say17:10
*** bknudson has quit IRC17:10
ayoungI'm saying that we should refer to the credentials consistently17:10
zhiyanafazekas: still around, tbh i'm still not sure your ut change in #47786 is enough, so can you pls give some explaining to me? since we need cut rc1 this week (2 days left) and i asked markwash to mark your fix as rc1 but,  so a little push, sorry.17:10
ayoungthe logic inside _build_policy_check_credentials  is for normalizing between v2 and v3 tokens17:10
zhiyanafazekas: pm?17:10
morganfainbergo/17:11
*** epim has joined #openstack-dev17:11
ayoungatiwari, it won't make a difference for the rule you are adding to cloud init17:11
ayoungcloudsample.policy17:11
atiwariayoung, I placed similar logic to build target but seems dolphm did not like that17:11
atiwarilook at patch #1317:12
ayoungatiwari, earlier patch?17:12
ayounglooking17:12
atiwariyes17:12
*** prekarat has joined #openstack-dev17:12
morganfainbergdolphm, ping17:12
ayoungatiwari, well, that was cut and pasted...you should probably refactor.17:12
ayoungBut..if it is not needed for this feature, we can address in icehouse17:12
*** terriyu has joined #openstack-dev17:12
*** dhellmann_ is now known as dhellmann17:13
*** johnthetubaguy has quit IRC17:13
*** jtomasek has joined #openstack-dev17:13
atiwariayoung, let address it in icehouse17:13
atiwariis that OK?17:13
ayoungatiwari, yes17:14
atiwarigreat17:14
ayoungatiwari, so, why the try catch?  If policy throws an exception here, it gets converted to a 404, right?17:14
ayoungA generic exception17:14
atiwariayoung, we can remove try/catch17:15
ayoungatiwari, I'm trying to understand where that exception would be handled17:16
atiwariin wsgi17:16
ayoungI don't like "spooky actions at a distance" in my code bases...17:16
*** ema has quit IRC17:17
atiwariI added try/catch to make it cleaner17:17
ayoungAh...a Token Not found maps to a 40417:17
atiwariyes17:17
*** jcoufal has joined #openstack-dev17:17
ayoungthat is a little misleading.  I suspect the error message would say "Token was not found" as opposed to "Resource is not found"17:18
ayoungBut in your case that is OK17:18
ayoungatiwari, yeah, remove the try block, but a comment explaining that the token not found generates a 404 is probably appropriate there17:19
*** jtomasek has quit IRC17:19
*** AlexF has joined #openstack-dev17:19
atiwariayoung, I am good17:19
*** nati_ueno has joined #openstack-dev17:20
*** Guest29506 has quit IRC17:21
*** eglynn has joined #openstack-dev17:21
ayoungatiwari, ok, ping me when the new patch passes gate.  I'm assuming just that change will be in there.  Rest of the patch looks good, although I'm going through the tests a little bit now17:24
atiwariayoung, did you push the change?17:25
*** martyntaylor has joined #openstack-dev17:26
*** tvb|afk has joined #openstack-dev17:27
*** tvb|afk has quit IRC17:27
*** tvb|afk has joined #openstack-dev17:27
*** carl_baldwin has joined #openstack-dev17:27
*** cthulhup has quit IRC17:27
*** negronjl has quit IRC17:27
salv-orlando6717:27
*** networkstatic has joined #openstack-dev17:28
*** henrynash has joined #openstack-dev17:28
*** lucasagomes has quit IRC17:28
*** vipul is now known as vipul-away17:29
*** vladikr has joined #openstack-dev17:29
*** martine has joined #openstack-dev17:29
*** martine has quit IRC17:29
*** vipul-away is now known as vipul17:29
*** jasdeepH has joined #openstack-dev17:30
*** alop has quit IRC17:30
*** dstanek has quit IRC17:30
*** bknudson has joined #openstack-dev17:31
*** alop has joined #openstack-dev17:31
*** tvb|afk has quit IRC17:31
*** jasondotstar has joined #openstack-dev17:31
*** jtomasek has joined #openstack-dev17:32
*** negronjl has joined #openstack-dev17:33
*** athomas has quit IRC17:33
*** mlavalle has quit IRC17:33
*** litong has quit IRC17:37
*** anniec has joined #openstack-dev17:37
*** gyee has quit IRC17:40
*** venkatesh has joined #openstack-dev17:41
*** jruzicka has quit IRC17:43
*** ericw has joined #openstack-dev17:44
*** spzala has joined #openstack-dev17:45
*** belmoreira has joined #openstack-dev17:46
atiwariayoung, I made changes on #15 as we discussed and doing "git review --no-rebase" as suggested by dolphm and getting http://paste.openstack.org/raw/47564/17:48
*** sushils has joined #openstack-dev17:48
atiwariit seems "af68f75 sync oslo policy" in there17:49
*** martyntaylor has left #openstack-dev17:50
*** adjohn has joined #openstack-dev17:52
annegentledolphm: around?17:52
*** karlsone is now known as ekarlso17:54
*** henrynash has quit IRC17:54
*** oubiwann is now known as bloodninja17:54
*** bloodninja is now known as oubiwann17:55
*** jtomasek has quit IRC17:55
*** changbl has quit IRC17:55
*** krtaylor has quit IRC17:55
*** colinmcnamara has joined #openstack-dev17:55
*** Mandell has joined #openstack-dev17:58
*** openfly has joined #openstack-dev17:58
adam_gdoes anyone know if the version requirements of os client libraries set by individual projects requirements.txt are frozen at this point for H?17:59
*** belmoreira has quit IRC18:00
ayoungatiwari, I'm just reviewing.  I am not making changes.18:01
*** ruhe has joined #openstack-dev18:01
*** dstanek has joined #openstack-dev18:02
ayoungatiwari, you should be able to type "yes" on that review and be good to go.  I assume that no changes to the oslo review have gone in.18:02
dolphmannegentle: o/18:02
dolphmmorganfainberg: thanks for the reverify, what's up?18:03
dolphmayoung: i think atiwari's patch is the last for rc118:03
morganfainbergdolphm, did we want to pull docs about the per-domain-identity backend out, since i don't think we're going to get cleanup patches (and other dependent changes) in before RC1 is cut w/o some added buffer time.18:03
dolphmatiwari: also, we either need to remove the try/except or test it18:04
dolphmatiwari: if you don't think we need it, we can remove it18:04
*** nplanel has joined #openstack-dev18:04
*** anniec has quit IRC18:04
dolphmmorganfainberg: can you link me to the latest patch for that?18:04
dolphmmorganfainberg: (to clean it up)18:04
morganfainbergdolphm, it's the same one as before, haven't had time to roll a new one18:05
*** romcheg has quit IRC18:05
morganfainberglooking for it18:05
*** romcheg has joined #openstack-dev18:05
morganfainbergdolphm, https://review.openstack.org/#/c/45649/18:05
dolphmatiwari: i'll push a patchset 16 without the try/except -- i've already got it ready to go...18:05
dolphmatiwari: done- https://review.openstack.org/#/c/46123/16/keystone/common/controller.py18:06
dolphmmorganfainberg: thanks18:06
*** xmltok_ has quit IRC18:06
dolphmmorganfainberg: ah, it was abandoned-- that's why i lost it :P18:06
atiwaridolphm, thanks18:06
morganfainbergdolphm, i can work on the comments and splitting it up starting today, just not sure how far it'll get.18:06
dolphmmorganfainberg: understood18:07
*** melwitt has joined #openstack-dev18:07
morganfainbergdolphm, yeah, i didn't resurrect it since i've been stuck with some work internally here at my company + helping with some other RC1 stuff :)18:07
dolphmmorganfainberg: i'd like to get this gating (in some form) first https://review.openstack.org/#/c/46123/18:07
morganfainbergdolphm, absolutely.18:07
dolphmmorganfainberg: and then we'll have until tomorrow morning to get a fix in for identity-per-domain if we want to? i'm happy to pursue that for the rest of the day18:07
*** changbl has joined #openstack-dev18:09
*** xmltok has joined #openstack-dev18:09
*** xmltok has joined #openstack-dev18:09
morganfainbergdolphm, if we don't hit it tomorrow, let's just pull the docs.  i'll start carving that one up into the pieces it needs to be in.  also, we need to accept that we might have ID collisions if it's used.  probably should add a document line about "this isn't enforced…experimental people"18:09
*** jtomasek has joined #openstack-dev18:09
morganfainberg(i'll base the new patch on atiwari's so that one goes in first for sure)18:09
*** shinylasers has quit IRC18:10
dolphmmorganfainberg: maybe add a link in docs to the primary bug?18:10
morganfainbergdolphm, sounds good.18:11
dolphmmorganfainberg: that way there's something traceable18:11
dolphmatiwari: i added a comment on https://review.openstack.org/#/c/46123/16/keystone/common/controller.py18:11
*** amcrn has joined #openstack-dev18:11
*** salv-orlando has quit IRC18:12
*** colinmcnamara has quit IRC18:13
*** colinmcnamara has joined #openstack-dev18:13
*** afazekas is now known as afazekas_zz18:14
*** jmontemayor has joined #openstack-dev18:15
ayoungdolphm, atiwari +2 from me18:16
dolphmayoung: thanks!18:17
ayoungdolphm, what is the plan for morganfainberg 's patch?  https://review.openstack.org/#/c/45649/  Is that in the category of "if there is an RC 2 we might accept it?"18:17
*** jtomasek has quit IRC18:17
*** alop has quit IRC18:18
ayoungOr are we still waiting on the rest of OS for RC1, so we might add a fix for that if we feel it is justified?18:18
dolphmayoung: whoa, the elif might present a security vulnerability18:18
morganfainbergdolphm, ayoung, atiwari, https://review.openstack.org/#/c/46123/16/keystone/token/providers/uuid.py line 562, do we really want to catch/smash unauthorized?18:18
ayoungdolphm, the elif is based on the policy rule.18:19
dolphmayoung: not completely true18:19
ayoungoh..yeah...that would be bad...18:19
ayoungI misread that.18:19
dolphmayoung: if a CLIENT specifies an X-Subject-Token, then the member policy stuff gets bypassed18:20
morganfainbergoh i guess, so, but shouldn't that raise up a 404 instead of just logging?18:20
dolphmayoung: i'm not sure if policy would fail with a 401 or 500 or it would allow it?18:20
*** dprince has quit IRC18:20
dolphmmorganfainberg: the try/except is gone, if that's what you're referring to18:20
ayoungdolphm, that logic should be based on the policy rule, not what the user sends in....it couldn't be hacked, as they can't arbitrarily put data into the token, but still...that one needs to be changed18:20
*** nermina has joined #openstack-dev18:21
morganfainbergdolphm, oh it is?18:21
morganfainbergin validate_v3_token(18:21
dolphmmorganfainberg: latest patch https://review.openstack.org/#/c/46123/16/keystone/common/controller.py18:21
morganfainbergno no, providers/uuid.py18:21
dolphmmorganfainberg: oh, where's that?18:21
morganfainberghttps://review.openstack.org/#/c/46123/16/keystone/token/providers/uuid.py18:21
ayoungdolphm, my thinking is that we should probably be merging the two dictionaries18:21
morganfainbergline 56218:21
dolphmmorganfainberg: ah, hrm18:21
dolphmmorganfainberg: this might be a bad cherry pick on my part18:22
morganfainbergthat likely needs to re-raise a 404 of some sort18:22
morganfainbergdolphm, i think that was there in earlier patches18:22
dolphmmorganfainberg: yeah, it was - nvm18:22
*** jtomasek has joined #openstack-dev18:22
atiwarimorganfainberg, I had removed that exception.Unauthorized from the list18:22
dolphmmorganfainberg: gyee had the same concern here https://review.openstack.org/#/c/46123/11/keystone/token/providers/uuid.py18:22
*** belmoreira has joined #openstack-dev18:23
atiwariwe do not want exception.Unauthorized in the catch list18:23
morganfainbergi think the correct answer is reraise TokenNotFound18:23
*** belmoreira has quit IRC18:23
morganfainbergsince we've already passed x-auth-token is valid by that point18:23
atiwarihttps://review.openstack.org/#/c/46123/13/keystone/token/providers/uuid.py18:23
atiwaridoes not have it18:23
morganfainbergatiwari, that doesn't change the net-effect, it probably needs to raise a 404, since validation failed18:24
*** sushils has quit IRC18:24
*** danpb has quit IRC18:25
dolphmayoung: testing this now http://pasteraw.com/jxjhg3uxcm3xflkvzhr7j0aj19rd40k18:26
*** jasondotstar has quit IRC18:27
*** jang has quit IRC18:27
*** corrigac has quit IRC18:27
*** mkerrin has quit IRC18:27
*** rossella_s has quit IRC18:28
dolphmmorganfainberg: what's the point of catching any of these exceptions? why not raise them all?18:28
*** epim has quit IRC18:28
*** roz has quit IRC18:28
morganfainbergdolphm, if we have a legitimate unauthorized, we should turn that into a 404 (or any other error)18:28
morganfainbergdolphm, any current 404s should be fine.18:28
morganfainbergdolphm, hrm. maybe just unauthorized.  this is to keep from claiming x-auth-token is invalid (which is what a 401 would indicate)18:29
dolphmmorganfainberg: on token validation18:29
morganfainbergyes.18:29
dolphmmorganfainberg: if i pass in an invalid X-Auth-Token, i should get a 40118:29
morganfainbergdolphm, that is checked controller level? not provider level18:30
morganfainbergby the time we hit the provider x-auth-token should be valid.  if it isn't, we're doing something very wrong higher up18:30
morganfainbergdolphm, the whole crux of this patchset is that invalid x-subject-token should be 404, not 401.18:31
dolphmmorganfainberg: right18:31
atiwarinot totally correct18:31
*** giulivo has quit IRC18:31
morganfainbergatiwari, ?18:31
atiwariif x-auth-token has auth then 404 if not 40118:32
ayoungdolphm, I don't think there is a security issue.  No reason that passing -X-Subject-Token is any different than passing -X-Auth_Token.  A user that knows the token could always call the API either way.  This is really just simplifying things.  I think your logic is partially correct.18:32
dolphmayoung: it's VERY different18:32
morganfainbergatiwari, not sure what you mean.18:32
ayoungBut whether to use the subject token or the auth token as the target should be based on the rule, not the presence of the value in the request18:32
dolphmayoung: one expresses the API user's authorization and one expresses the resource they're trying to access18:32
ayoungdolphm, understood. and I think we should change it18:32
*** zhiyan has quit IRC18:33
dolphmayoung: based on what?18:33
ayoungdolphm, I think we should make both part of the policy dictionary18:33
*** reed_ has joined #openstack-dev18:33
*** amohn9 has joined #openstack-dev18:33
ayoungbut with the ability to differentiate18:33
ayoungsomething like18:33
atiwariok, the is user who is making validate/revoke token has auth then only he should see 404 for invalid x-subject-token18:33
*** reed_ has quit IRC18:33
*** networkstatic has quit IRC18:33
atiwariotherwise it should be 40118:34
ayoung{"target + : auth-token-data, "subject":subject-token-data}18:34
*** reed has quit IRC18:34
dolphmayoung: that's what this patch is introducing18:34
dolphmayoung: did you even review it?18:34
ayoungdolphm, I mean the elif18:34
morganfainbergatiwari, correct, and the question was regarding the check in the provider's validate_v3_token method.18:34
ayoungI have the values wrong...but what I am saying is that the subject should be added to the dictionary18:35
dolphmayoung: 'target' and 'subject' are synonyms here18:35
ayoungso instead of an elif18:35
ayoungdolphm, that is confusing18:35
*** radix has quit IRC18:35
morganfainbergatiwari, let me check, i think that should always cause a 404 on invalid token.18:35
*** radix has joined #openstack-dev18:35
atiwariI do not understand the need to elif18:35
dolphmayoung: something more like this? http://pasteraw.com/jxjhg3uxcm3xflkvzhr7j0aj19rd40k18:36
*** gyee has joined #openstack-dev18:36
*** reed has joined #openstack-dev18:36
*** krtaylor has joined #openstack-dev18:37
*** sdake has quit IRC18:37
ayoungdolphm, yeah, although I think you need to initialize policy_dict to {} for the second block18:37
*** tmclaugh[work] has quit IRC18:37
*** sdake has joined #openstack-dev18:37
atiwarimorganfainberg, some how the upper layer is converting to 401.18:37
*** mlavalle has joined #openstack-dev18:37
atiwariand that is why I added try/catch in controller18:38
ayoungdolphm, It might be better, though, instead of saying "target"  we wrote rules designed to use the subject token as "subject" or something18:39
dolphmayoung: how is that different from 'target'?18:39
*** angdraug has quit IRC18:39
ayoung ["user_id:%(subject.entity.user_id)s"]18:40
ayoungdolphm, it is more explicit:  it says that you must have a subject token, and that the value checked will be the subject's data18:40
ayoungit will allow writing rules that say things like target = one user and subject = another18:40
annegentledolphm: hi, I know I should know this, but are people considering v3 'complete" for havana?18:40
dolphmayoung: i see your confusion then, from the perspective of writing policy.json18:41
dolphmannegentle: i'd say it was 'complete' for grizzly18:41
dolphmannegentle: most of the bugs we've seen since are a result of using both API's in the same deployment18:42
*** mkerrin has joined #openstack-dev18:42
annegentledolphm: yeah I thought you said that at grizzly time18:42
dolphmannegentle: not from v3 being insufficient18:42
annegentle(that it was ready)18:42
dolphmayoung: ["subject_user_id:%(target.entity.user_id)s"]] ? i don't know18:43
ayoungdolphm, yeah, target versus subject is also confusing.  Although I suspect the subject part is the less confusing of the two18:44
dolphmayoung: you're only confused because you're aware that it's called X-Subject-Token in the API18:44
dolphmayoung: if you don't know that, then this implementation is consistent with the rest of our policy.json target stuff18:44
*** novas0x2a|laptop has joined #openstack-dev18:44
atiwaridolphm, +118:45
dolphmayoung: if we renamed X-Target-Token in the API, you'd be satisfied as well?18:45
dolphm(not that we can do that)18:45
morganfainbergatiwari18:45
atiwariyes18:45
ayoungdolphm, let me phrase it this way.  Would we ever want to write policy that needs to distinguish between data from the Auth token and the Subject token?18:45
dolphmayoung: i uploaded a new patch that merges the two datasets together, btw: https://review.openstack.org/#/c/46123/16/keystone/common/controller.py18:46
*** AlexF has quit IRC18:46
ayoungwould you expect them both to be passed in, to be different, and for the policy to have to decide on whether an operation was acceptable.18:46
dolphmmorganfainberg: this patchset ^ does NOT address your concerns here https://review.openstack.org/#/c/46123/16/keystone/token/providers/uuid.py18:46
morganfainbergdolphm, atiwari, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n194 might be a culprit18:47
dolphmayoung: so, the latest patchset makes that exact use case possible18:47
morganfainbergfor improper transformation to Unauthorized18:47
dolphmayoung: you could even write policy that uses both18:47
*** networkstatic has joined #openstack-dev18:47
dolphmmorganfainberg: the ", we have a malformed token, or something went wrong." makes me nervous there18:48
dolphmthe try/except there should go away18:48
morganfainbergdolphm, that was lifted from the drivers18:49
morganfainbergoh18:49
morganfainbergoh18:49
morganfainbergthat18:50
morganfainbergmaybe just catch keyerror?18:50
morganfainbergand type/value error?18:50
*** ruhe has quit IRC18:50
morganfainbergor do we want to raise up exceptions for bad timeutils conversions etc18:50
dolphmmorganfainberg: i have no idea :(18:50
dolphmmorganfainberg: i would think any of that should cause a 500 because we have no idea what went wrong18:50
morganfainbergdolphm, fair enough. try/except should be removed.18:51
morganfainbergdolphm, no complaints on ISE on that.18:51
dolphmmorganfainberg: ISE?18:51
morganfainberginternal server error18:51
dolphmah18:51
morganfainbergdolphm, want me to toss a separate review up to clean that up?18:52
ayoungdolphm, yes...but we are still overloading the term target.  It originally meant the value in the URL.  Now we are saying that it is the value in the subject token.  Now, maybe this is stretching things, but what if we had an operation where we were checking if a delegation operation were valid.  We would need to be able to confirm A)  the XAuth-Token was valid,  B) the User from the Subject-token could perform the operation on the user18:52
ayoung signified as the target?  We'd want to keep the user ids from the subject token separate from the target user id.18:52
*** vipul is now known as vipul-away18:52
*** epim has joined #openstack-dev18:52
atiwariayoung, IMO it is the way you view the target18:53
dolphmmorganfainberg: sure18:53
dolphmayoung: it's the same thing though18:53
ayoungatiwari, right, so the question is will we need to maintain a clear way to tell which item we are talking about18:53
atiwariin all the token operations there is no target but the x-subject-token is the target of the token api18:54
dolphmayoung: we just moved GET /v2.0/tokens/{token_id} to GET /v3/auth/tokens X-Subject-Token: {token_id}18:54
dolphmdoesn't matter if you call it subject or target, it's the resource being validated18:54
atiwariIMO, no target is OK in case of token API18:54
*** dubsquared has joined #openstack-dev18:55
dolphmatiwari: can you be more specific? i don't follow18:55
*** martine_ has joined #openstack-dev18:55
atiwaridolphm, as you mentioned in V3 we came up with X-Subject-Token, that is actually the target of all the token APIs18:56
*** jcoufal has quit IRC18:56
dolphmatiwari: correct18:56
dolphmatiwari: (that was actually an api extension in v2)18:56
*** epim has quit IRC18:56
dolphmin essex18:56
atiwaricorrect18:56
*** tmclaugh[work] has joined #openstack-dev18:56
ayoungdolphm, so what you are saying is that we just have the token in the header to hide it from the url.  So continuing to call it target is more correct.18:57
*** epim has joined #openstack-dev18:57
ayoungAnd we will not write APIs that mix the two concepts.18:57
dolphmayoung: yes, but i don't think it's "more correct", i just see it as the same thing, so i'd rather not use two different termonologies18:57
dolphmterminologies*18:57
*** venkatesh has quit IRC18:57
dolphmayoung: we could, i suppose, write API's that mix the two concepts... but we haven't, yet18:58
*** sarob has joined #openstack-dev18:58
ayoungIn that case, then the elif is probably  correct conceptually.  But choosing where to get it should probably be based on the API, not based on the user input.  I can't think how it would be a security issue, as the user needs access to the tokenId in the first place to do anything, and the token is fetched from the backend, so there is no arbitrary data.18:59
dolphmayoung: theoretical- get me the common subset of my catalog and this user's catalog? GET /catalog X-Auth-Token: {admin's token} X-Subject-Token: {some client's token}18:59
dolphmi dunno18:59
ayoungyour latest patch is OK, too18:59
ayoungdolphm, I was thinking,  "A user just gave me token X to perform an operation on user Y"19:00
ayoungcan they do it19:00
dolphmayoung: right, i don't think it's a security vulnerability against the current codebase, but i could see someone writing a policy that used this feature, and then it gets bypassed because an api client passes a valid X-Subject-Token into an API that doesn't expect it19:00
*** krtaylor has quit IRC19:01
ayoungdolphm, yeah...get_member_from_driver is not implemented on the token or auth controllers, so we won't accidentally trip that logic in the current code base.19:03
ayoungbut it feels like there is a better way to do this.  Something like ask the controller to give you the subject19:04
*** sarob has quit IRC19:04
*** ndipanov has quit IRC19:04
*** sarob has joined #openstack-dev19:04
ayoungwe could pass the subject token to the auth driver and let it make the decision instead of doing it in the common controller19:05
dolphmayoung: that's why get_member is configurable19:05
dolphmayoung: it's a callable specified by the controller to return the target19:05
dolphmayoung: ++ for passing the subject token to the controller19:05
ayoungdolphm, right.  But it doesn't have access to the headers19:05
dolphm(but that's kind of what we're doing anyway, since @protected is wrapping controller methods)19:06
*** dubsquared has quit IRC19:06
dolphmayoung: headers are in context19:06
ayoungget_member_from_driver just gets the %_id, though19:06
*** neelashah has quit IRC19:07
ayoungdolphm, what if it were a separate @attribute,19:07
ayoung@subject_token_protected19:07
* ayoung has gone off the deep end19:07
*** rch has quit IRC19:08
ayoungdolphm, would it be more correct for the policy to know to get the value out of the header, or for the controller to know that, in this case, the target should come from the subject header?19:09
*** dubsquared has joined #openstack-dev19:09
ayoungif it is the controller's decision, then let it be a parameter passed to the attribute function.  @protected(subject_token=True)19:10
*** prekarat has quit IRC19:10
*** adjohn has quit IRC19:10
*** rch has joined #openstack-dev19:10
*** neelashah has joined #openstack-dev19:10
*** colinmcnamara has quit IRC19:11
*** adjohn has joined #openstack-dev19:12
*** dubsquar_ has joined #openstack-dev19:13
*** dubsquared has quit IRC19:13
*** thingee is now known as thingee_zzz19:15
*** hugokuo has quit IRC19:15
*** yolanda has quit IRC19:15
*** gimps_ has joined #openstack-dev19:15
*** adjohn has quit IRC19:16
*** networkstatic has quit IRC19:17
*** joearnold has quit IRC19:18
*** jasdeepH has quit IRC19:18
*** adepti37 has quit IRC19:19
*** garyk has quit IRC19:20
*** joearnold has joined #openstack-dev19:20
*** beraldo has quit IRC19:21
*** mkollaro has quit IRC19:21
*** jprovazn has quit IRC19:21
*** hugokuo has joined #openstack-dev19:21
*** dstanek has quit IRC19:22
*** antonym has quit IRC19:22
*** venkatesh has joined #openstack-dev19:22
*** romcheg has quit IRC19:23
*** venkatesh has quit IRC19:23
*** venkatesh has joined #openstack-dev19:24
*** venkatesh has quit IRC19:25
*** antonym has joined #openstack-dev19:25
*** stevemar has joined #openstack-dev19:26
stevemardolphm, ping19:27
*** garyk has joined #openstack-dev19:29
dolphmstevemar: pong19:29
*** anderstj has quit IRC19:30
*** amohn9 has quit IRC19:30
*** adepti37 has joined #openstack-dev19:30
*** gatuus has joined #openstack-dev19:30
*** anderstj has joined #openstack-dev19:30
stevemardolphm, just wondering if there was something wrong with my comment: https://review.openstack.org/#/c/46975/19:30
stevemardolphm, doesn't look like jenkins got kicked off again19:31
dolphmstevemar: yep!19:31
dolphmstevemar: use recheck to restart checks, use reverify to restart gating19:31
stevemarahhhh19:31
dolphmstevemar: you *may* have to be core to use reverify? i'd be curious to know for sure19:31
stevemardolphm, no time like the present to give a whirl19:32
morganfainbergdolphm, don't think so19:32
stevemarworked!19:32
dolphmstevemar: awesome19:32
morganfainbergugh. changing that validate call to raise TokenNotFound is ugly.19:32
dolphmmorganfainberg: _verify_token() ?19:33
morganfainbergdolphm, _is_valid_token()19:33
morganfainbergdolphm, the one you said we should remove try/except from19:33
morganfainbergin provider manager19:33
*** tmclaugh[work] has quit IRC19:33
*** amohn9 has joined #openstack-dev19:33
dolphmmorganfainberg: =( what's the impact?19:33
morganfainbergdolphm, i'm chasing a ton of tests.19:34
*** vipul-away is now known as vipul19:34
morganfainbergdolphm, but a lot of things assume that call will raise unauthorized19:34
dolphmmorganfainberg: wait are you changing Unauthorized -> TokenNotFound?19:34
*** tmclaugh[work] has joined #openstack-dev19:35
morganfainbergdolphm, was looking into that.  it should, when validate/check comes through the controller raise a 404 instead of 401 on expired x-subject-token19:35
morganfainbergdolphm, though we could probably just leave this one be.19:36
morganfainbergand cleanup in icehouse.19:36
dolphmmorganfainberg: ah19:36
morganfainbergdolphm, if it's easy to fix most of these it might be a simple patch to apply after atiwari's (move to 404 vs. 401 there)19:38
morganfainbergactually.. that part might need to get into his patch. so we aren't passing inconsistent stuff back and forth.19:38
morganfainberghmmm.19:38
morganfainbergayoung, ping19:40
*** dhellmann has quit IRC19:42
*** dhellmann has joined #openstack-dev19:43
bknudsonFile ".../keystone/token/backends/memcache.py", line 54, in _get_memcache_client19:43
*** ayoung has quit IRC19:43
bknudsonTypeError: __init__() got an unexpected keyword argument 'cache_cas'19:44
bknudsonever seen that?19:44
bknudsonwith older versions of memcache19:44
bknudsonwhat does cache_cas do?19:44
*** Vek has quit IRC19:44
bknudsonmorganfainberg: ^19:45
morganfainbergbknudson, yeah, the older version of memcache clients leak memory like a sieve19:45
morganfainbergbknudson, basically  they always store the cas_ids even if it isn't explicitly told to, they still have some cas semantics, just not the init to enable caching the ids19:46
bknudsonshould we require whatever version added cache_cas?19:46
morganfainbergbknudson, hrm, yes, i thought we did19:46
morganfainbergbknudson, it's a fairly old version that added that option.19:46
bknudsonwe might, but old OSes like RHEL 6.4 don't provide it.19:46
morganfainbergbknudson, ahhh. we def. should then19:47
morganfainbergnot only because its required for us, but because without it, those libs really do just endlessly leak memory19:47
morganfainberglet me see what version fedora … 18? uses, I think that distro had one of the earliest working versions19:48
morganfainbergbknudson, let me chase that down after lunch.19:49
*** neelashah has quit IRC19:53
bknudsonmorganfainberg: thanks!19:53
*** garyk has quit IRC19:56
*** Birk_ has quit IRC19:57
*** gimps_ has quit IRC19:57
*** jasdeepH has joined #openstack-dev19:58
*** angdraug has joined #openstack-dev19:58
*** dubsquar_ has quit IRC19:59
*** egallen has quit IRC19:59
*** AlexF has joined #openstack-dev20:00
*** colinmcnamara has joined #openstack-dev20:00
*** litong has joined #openstack-dev20:00
*** eharney has quit IRC20:02
*** cjwilson has joined #openstack-dev20:02
*** neelashah has joined #openstack-dev20:04
*** dubsquar_ has joined #openstack-dev20:04
*** neelashah has quit IRC20:05
*** radez is now known as radez_g0n320:05
*** alunduil has quit IRC20:06
*** dmakogon_ has joined #openstack-dev20:06
*** dstanek has joined #openstack-dev20:07
*** dmakogon_ has left #openstack-dev20:09
*** venkatesh has joined #openstack-dev20:09
*** iccha has quit IRC20:10
*** rossella_s has joined #openstack-dev20:13
*** ekarlso has quit IRC20:13
*** ekarlso has joined #openstack-dev20:13
*** DinaBelova has quit IRC20:13
*** rickerc has joined #openstack-dev20:14
*** iccha has joined #openstack-dev20:15
dolphmatiwari: gyee: morganfainberg: bknudson: i pushed another patch here to address this comment https://review.openstack.org/#/c/46123/17/keystone/token/providers/uuid.py20:16
dolphmthe new diff makes it much more clear that only TokenNotFounds are being unsuppressed https://review.openstack.org/#/c/46123/18/keystone/token/providers/uuid.py20:16
*** adjohn has joined #openstack-dev20:16
*** changbl_ has joined #openstack-dev20:17
*** changbl has quit IRC20:18
*** jasdeepH has quit IRC20:20
*** adjohn has quit IRC20:21
*** jmontemayor has quit IRC20:21
*** sgordon has quit IRC20:24
*** eglynn has quit IRC20:24
*** adjohn has joined #openstack-dev20:25
*** tserong has quit IRC20:25
*** changbl_ has quit IRC20:26
*** changbl has joined #openstack-dev20:26
*** tserong has joined #openstack-dev20:26
*** AlexF has quit IRC20:27
*** ayoung has joined #openstack-dev20:31
*** boden has quit IRC20:31
*** fbo is now known as fbo_away20:32
ayoungmorganfainberg, sorry, moved offices...you rang?20:33
*** jasdeepH has joined #openstack-dev20:34
*** epim has quit IRC20:34
*** adjohn has quit IRC20:37
*** AlexF has joined #openstack-dev20:38
*** amohn9 has quit IRC20:39
*** dkehn_ is now known as dkehn20:40
dolphmatiwari: gyee: morganfainberg: bknudson: ayoung: see my comments on patchsets 17 and 18 -- they're both small and don't seem to affect tests so i submitted patchset 19 to clean those bits up and +2'd20:40
dolphmhttps://review.openstack.org/#/c/46123/20:40
*** boris-42 has joined #openstack-dev20:41
*** epim has joined #openstack-dev20:41
*** rossella_s has quit IRC20:41
*** MaxV has joined #openstack-dev20:43
*** AlexF has quit IRC20:43
*** adjohn has joined #openstack-dev20:43
gyeedolphm, looking20:46
*** dolphm has quit IRC20:46
*** adjohn has quit IRC20:46
*** ondergetekende_ has joined #openstack-dev20:47
*** eglynn has joined #openstack-dev20:48
*** romcheg has joined #openstack-dev20:48
ayounggyee, I just +2ed.  Feel free to merge if you think it is good20:49
*** krtaylor has joined #openstack-dev20:50
*** thingee_zzz is now known as thingee20:50
gyeeayoung, I think we need the rest of the token attributes20:50
gyeelike scope and roles20:50
ayounggyee, in icehouse20:50
ayounggyee, so long as the semantics are OK as is, we can do that in a followon20:51
*** xqueralt is now known as xqueralt-afk20:51
gyeeayoung, k, that sounds reasonable20:51
gyeelemme change me vote20:51
*** jtomasek has quit IRC20:51
ayounggyee, please file a ticket for that, too.20:51
morganfainberggyee, you talking about token patch?20:51
ayoungmorganfainberg, yeah.  we only get the userid out of the subject token,20:51
gyeemorganfainberg, https://review.openstack.org/#/c/46123/20:51
gyeeI am fine with the framework changes20:52
morganfainbergnod.20:52
ayoungline 150ish20:52
morganfainbergi'm trying to see if this patchset is actually solving the 404 vs 401 issue20:52
morganfainbergon x-subject-token20:52
ayoungmorganfainberg, doesn't the unit test  confirm that?20:53
morganfainbergayoung, well20:53
morganfainberghttps://review.openstack.org/#/c/46123/19/keystone/token/providers/uuid.py line 55620:53
gyeemorganfainberg, you want to go over it before hitting the approve button?20:53
*** boris-42 has quit IRC20:53
*** litong has quit IRC20:53
morganfainberglooks like we've added back in Unauthorized exception for validate20:53
morganfainbergcrud. let me once over this20:54
*** yaguang has joined #openstack-dev20:54
morganfainbergayoung, as far as i can tell, the provider shouldn't ever raise up an unauthorized20:55
morganfainbergthat was the root of this whole bug20:55
*** epim has quit IRC20:55
morganfainbergplease feel free to tell me i'm crazy20:55
ayoungmorganfainberg, https://review.openstack.org/#/c/46123/19/keystone/tests/test_v3_auth.py  line 455 and beyond20:56
ayounginvalid X-Auth-Token raises a 40120:56
morganfainbergayoung, ah i think i see the core of the issue20:56
morganfainbergayoung, no unit tests for v220:56
morganfainbergwell no changes.20:56
*** boris-42 has joined #openstack-dev20:57
*** epim has joined #openstack-dev20:57
morganfainbergonly v3 restful test case changes20:57
ayounghttps://review.openstack.org/#/c/46123/19/keystone/tests/test_auth.py20:57
ayoungbut that is not a content specific one...20:57
*** spzala has quit IRC20:57
morganfainbergand that likely will return a 40420:57
ayoungmorganfainberg, so...we could probably put one in test_contenttypes.py20:58
morganfainbergayoung, i think we need to.  I think we've resolved… in a partial way, the issues with unauthorized, though not completely for v320:58
morganfainbergbut we're still going to run up against it for v220:59
ayoungmorganfainberg, -1 it20:59
*** adjohn has joined #openstack-dev20:59
morganfainbergyep will do.20:59
*** cjellick has quit IRC20:59
gyeemorganfainberg, this is v3 changes20:59
gyeev2 is already doing the right thing20:59
morganfainberggyee, actually, it wasn't21:00
*** lbragstad has quit IRC21:00
morganfainberggyee, it still returns Unauthorized in some cases it looks like, for invalid x-subject-tokens21:00
gyeelooking21:00
*** adjohn has quit IRC21:00
*** venkatesh has quit IRC21:01
morganfainbergthe issue between 404 and 401 was introduced into v2 by my cache changes and ayoung's validate changes21:01
ayoungmorganfainberg, I don't think v2 accepts x-subject-tokens according to the API spec.21:01
morganfainbergayoung, it doesn't but the URI token id is the same thing21:01
morganfainbergayoung, sorry i should have been more clear about x-subject vs token_id in uri21:01
ayoungmorganfainberg, OK...lets see if we have a test we can extend in content types21:02
*** zbitter has joined #openstack-dev21:02
*** tmclaugh[work] has quit IRC21:02
*** ericw has quit IRC21:02
morganfainbergif i'm totally crazy here, i'm fine with that.  I just think i'm seeing issues with v2 still returning unauthorized in some cases (i would rather be crazy tbh, this change could go in then)21:02
*** jmontemayor has joined #openstack-dev21:03
ayoungmorganfainberg, test_validate_token21:03
ayoungline 396...lets add to that test21:03
gyeemorganfainberg, it's going through the same provider21:03
gyeeso the changes will take care of both21:03
morganfainberghm.21:04
morganfainbergayoung, sec21:04
ayoungmorganfainberg, whenever I try to run just that test, though, I get an error:21:05
*** zaneb has quit IRC21:05
*** reed_ has joined #openstack-dev21:05
ayoungNoSuchOptError: no such option: policy_file21:06
gyee:)21:06
morganfainberggyee, _validate_v2_token, what in there can raise ValidationError?21:07
*** donaldh has joined #openstack-dev21:07
*** reed has quit IRC21:07
morganfainbergi'm not seeing anything21:07
morganfainberggyee, if there is nothing that can raise ValidationError, my concerns are moot21:07
morganfainbergand we can move on.21:07
gyeeValidationError is fine21:07
gyeewe just don't want to catch TokenNotFound error421:08
morganfainberggyee, but on validation error we raise unauthorized21:08
morganfainbergre-raise21:08
*** dtyarnell has quit IRC21:08
morganfainbergwhich would net a 401 not a 500 ISE21:08
gyeemorganfainberg, that's expected21:08
morganfainbergexcept that is incorrect then?21:08
gyeefor token validation, you either get 404 or 40121:08
gyeetoken not found is 404, everything else 40121:08
morganfainbergif x-auth-token is invalid (checked at controller level) 40121:08
morganfainbergright?21:08
*** rnirmal has quit IRC21:09
morganfainberginvalid token should be 40421:09
morganfainbergor ISE for some massive error21:09
gyeecorrect, we basically want to distinguish between 404 and 40121:09
ayoungmorganfainberg, OK confirmed21:09
morganfainbergprovider validate is a x-subject-token21:09
gyeeinvalid token should be 40121:09
gyeetoken not found should be 40421:09
morganfainbergi would say no.21:10
*** markmcclain has quit IRC21:10
morganfainberghow do you distinguish between the auth-token vs the subject-token being invalid/incorrect then?21:10
morganfainbergwe aren't checking if you have access here.21:10
gyeeauth-token invalid will result in 40121:11
morganfainbergx-auth-token21:11
morganfainberggyee, ok, so assume valid auth-token21:11
gyeewe are talking about x-subject-token21:11
morganfainbergsubject-token is invalid21:11
morganfainbergthat should be a 401?21:11
*** cjellick has joined #openstack-dev21:11
morganfainberghow do you know which one is invalid at the consumer (outside) keystone based upon that?21:11
gyeeunderstood21:12
*** cjellick has quit IRC21:12
morganfainbergi get a 401 back, i don't know if it's my subject token or auth token21:12
gyeeI see your point21:12
*** johnthetubaguy has joined #openstack-dev21:12
gyeeyeah, seems like it should be 403 if auth-token is invalid21:12
morganfainbergthat would make sense21:12
gyeemorganfainberg, good catch!21:12
ayoungmorganfainberg, http://paste.fedoraproject.org/42539/2996213821:12
*** adjohn has joined #openstack-dev21:13
morganfainbergayoung, that looks good.21:13
ayoungmorganfainberg, OK, so you think the change should be to validate?21:13
morganfainberggyee, that also means http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n194 is incorrect21:14
*** ericw has joined #openstack-dev21:14
*** ericw has quit IRC21:14
gyeemorganfainberg, that one is valid21:14
morganfainbergayoung, that should catch the majority of the cases (most of the time we wont have validation errors, etc)21:14
morganfainberggyee, is it?21:15
gyeeyes, because token exist but not valid21:15
morganfainberggyee, again, maybe 403?21:15
morganfainbergvs 40121:15
gyee403 is for policy check only21:15
ayoung404 is fine21:15
ayoungcould not find a valid token...many reasons for that21:16
*** mrodden has quit IRC21:16
stevemarayoung: ping, (when you're done)21:16
gyeeayoung, you mean 404 for any subject token validation errors?21:16
*** epim has quit IRC21:16
morganfainberggyee, i think that is an accurate approach21:16
ayounggyee, yep21:16
gyeebut that's just as confusing21:17
morganfainberggyee, this is done as a rest call, externally saying "hey give me the data for this token"21:17
ayounggyee, morganfainberg using the return code is probably a violation here.  The call itself is successful, just the content is telling us that the token is invalid.  404 is as correct as anything else21:17
*** vladikr has quit IRC21:17
ayoungshould be 200  with a body that says "invalid"21:18
morganfainbergayoung, ++ if that wouldn't break a lot of stuff… i'd say that would be the best approach21:18
*** mrda has joined #openstack-dev21:18
ayoungthis is not a client error.  This is a valid request.  So, 404 is actually a violation of the HTTP spec in V3, but is appropriate for v2 where we put the token in the URL21:19
*** venkatesh has joined #openstack-dev21:19
dstanekis there any reason why creating a user returns a 200 and not a 201?21:19
*** venkatesh has quit IRC21:19
ayoungdstanek, because we don't pay that much attention to the spec21:19
gyeeheh21:19
morganfainbergayoung, well i guess we could leave that 401.  really we shouldn't be getting that far most of the time21:19
*** dubsquar_ has quit IRC21:19
ayoungdstanek, and, lets face it, who really cares.  Oh, wait, we do.21:20
dstanekayoung: on purpose?21:20
*** adjohn has quit IRC21:20
ayoungmorganfainberg, I'm OK with not breaking the auth_token middleware.  I'd say that 404 is more correct, but I don't really think it matters21:20
dstanekayoung: by spec are you talking about the identity spec or HTTP?21:20
ayoungdstanek, HTTP21:20
morganfainbergayoung, if you want to add that test as a subsequent patch i'll say we can let this go as is.21:20
ayoungdstanek, I'm being flip.  You are, of course, correct21:21
gyeek, I am fine with 40421:21
morganfainbergi have a minor cleanup on a try/except to come in after, but i'm not worried about that.21:21
ayounggyee, I am not21:21
ayounggyee, I don't want to change v221:21
ayoungunless there is an overwhelming need to21:21
gyeeanything more would be diminishing return :)21:21
*** bswartz has quit IRC21:21
morganfainbergayoung, a 401 on v2 will cause auth_token to re-request admin token21:21
ayoungmorganfainberg, OK, that is bad.21:22
ayoungA 404 works for me21:22
dstanekayoung: i figured :)21:22
*** mattfarina has quit IRC21:22
ayoungmorganfainberg, ...let me now get that test to pass21:22
*** tmclaugh[work] has joined #openstack-dev21:22
morganfainbergayoung, ok, you want to switch the unauthorized to 404 as well? or you want me to do so separately?21:23
*** dubsquared has joined #openstack-dev21:23
atiwari"unauthorized to 404" in which scenario ?21:23
morganfainbergatiwari, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n19421:23
morganfainbergif a cached token validate has an expired token in it21:24
morganfainbergatiwari, make that a 404 instead of a 40121:24
atiwarithat does not make sense21:24
*** dkranz has quit IRC21:24
atiwariit should be 40121:25
morganfainbergatiwari, this would be x-subject-token21:25
morganfainbergnot x-auth-token21:25
*** adalbas has quit IRC21:25
atiwari1 sec21:25
morganfainbergthe scenario is as follows:  validate call for token X is cached (it succeeds), when you call validate again for token X, the token has expired, but the cache hasn't expired, so it still succeeds21:26
atiwarias long as x-auth-token has auth 404 is ok21:26
atiwariif x-auth-token does not have auth it should be 40121:26
morganfainbergatiwari, that shouldn't change21:26
atiwarieven if x-subject-token is whatever21:27
atiwariok21:27
gyeeatiwari, how do we distinguish 401 for x-subject-token or x-auth-token?21:27
morganfainberggyee, actually change http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n194 to 404 would be consistent.  if the token was invalid the validate call would return 404.  that just handles cached validate call.21:27
morganfainberggyee, eliminate cache, and you'd already have a 404 coming into that method.21:27
morganfainbergerm before it.21:27
*** adjohn has joined #openstack-dev21:28
morganfainberggyee, sorry for the headache on this one =/21:28
atiwarix-auth-token is the one you are doing auth on and x-subject-token is target, then what is the problem21:29
*** bnemec_ has quit IRC21:30
ayoungmorganfainberg, actually that test was bogus.  I was using an invalid token to auth as well as the target21:30
ayounghttp://paste.fedoraproject.org/42545/23100413/21:30
morganfainbergahhh21:31
ayoungatiwari, take a look at my fpaste link above and tell me if it is sane21:31
ayoungIf so, I'll merge it into the review request....21:31
atiwarilooking21:32
morganfainbergayoung, that looks sane to me.21:32
*** johnthetubaguy1 has joined #openstack-dev21:32
*** bnemec has joined #openstack-dev21:32
ayoungmorganfainberg, running the full battery of unit tests against that21:32
morganfainbergayoung, ok.  I am fairly certain the one on the provider manager will pass w/o issue21:33
morganfainbergi ran tests locally with that change just a few minutes ago21:33
*** cjwilson has quit IRC21:33
morganfainbergayoung, cool.  i think that'll at least prevent needless admin_token churning in auth_token middleware21:33
ayoungmorganfainberg, so...if someone removed the route to /v2.0/tokens/... it will also give a 40421:34
morganfainbergayoung, right =/21:34
ayoungWhich means that auth_token middleware will just list all tokens as invalid.  Which will then get cached into the memcache and those tokens will never be valid again21:34
*** johnthetubaguy has quit IRC21:35
ayoungWe've seen a bug like that in the past21:35
atiwariayoung, test  looks good21:35
*** martine_ has quit IRC21:35
ayoungatiwari, but the logic is broken.  See my previous comment21:35
*** johnthetubaguy1 has quit IRC21:35
morganfainbergayoung, but this change, i don't think would mitigate that.21:35
*** sarob has quit IRC21:35
morganfainbergayoung, or not doing this change that is21:35
*** sarob has joined #openstack-dev21:36
ayoungmorganfainberg, except that we need to adjust auth_token middleware to whatever we do here...I suggest returning 420 for an invalid token "Enhance your Calm"21:36
morganfainbergayoung, not that i think changing v2 is a good idea21:36
morganfainbergor 41021:36
*** mlavalle has quit IRC21:36
morganfainberghehe, 402 enhan…damn it you made me laugh there21:37
ayoungYeah, that makes more sense21:37
*** bnemec_ has joined #openstack-dev21:37
morganfainberg420*21:37
ayoung45121:37
*** openfly has quit IRC21:37
ayoungSome one has a real sense of humor there21:37
morganfainbergLOL21:37
ayoung451 Unavailable For Legal Reasons (Internet draft)21:37
ayoung"I'm Ray Bradbury and I approve this message."21:37
*** bnemec has quit IRC21:37
morganfainbergperhaps making these all 410 would be the best choice?21:38
morganfainbergthen there is no confusion about routes.21:38
morganfainbergbut keystoneclient also needs an update for that.  iirc21:38
morganfainbergayoung, and what impact to the spec is that.  can we .. even do that sanely?21:38
ayoungmorganfainberg, leave it as is, and then the right answer is to not use the HTTP return code for this21:39
ayoungit is not a client error21:39
morganfainbergayoung, ISE!21:39
morganfainberg:P21:39
morganfainbergok, leave it as is then.21:39
morganfainbergi am convinced.21:39
ayoungmorganfainberg, let me see what auth_token middleware does...21:40
*** jasdeepH has quit IRC21:40
ayoungmorganfainberg, of course, no one should be using this, as they should be doing PKI tokens anyway21:40
morganfainbergayoung, ++21:40
morganfainbergback to the whole, can we deprecate v2 soon? :)21:41
morganfainberg(please)21:41
*** adalbas has joined #openstack-dev21:41
*** gordc has quit IRC21:41
morganfainberghttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L108521:41
ayoungmorganfainberg, OK, lets make it 40421:42
*** nachi has joined #openstack-dev21:42
ayoungit's the least bad of all the options.21:42
ayoungI'll post my change for review21:42
morganfainbergayoung, sorry :(.  I hate picking least bad21:42
ayoungmorganfainberg, nah, its ok...this is a learning process21:43
*** adjohn has quit IRC21:43
gyeereminds me of Wreck It Ralph21:43
ayoungmorganfainberg, I need to fix some other tests21:43
gyeewe are bad, but thats good21:43
morganfainbergayoung, ok.21:43
morganfainberggyee, maybe we should pick breaking bad instead?21:43
*** adjohn has joined #openstack-dev21:43
*** portante is now known as portante|afk21:44
morganfainbergayoung, yeah hopefully we will have less of these issues in the future (learn from our past)21:44
*** dvarga has quit IRC21:46
*** adjohn has quit IRC21:47
*** yaguang has quit IRC21:48
*** adjohn has joined #openstack-dev21:48
*** adjohn has quit IRC21:48
*** markwash has joined #openstack-dev21:49
ayounggyee, soo, with the recent change to policy, the config option is in openstack.common...which means it gets bypassed from the tests.  If I import it, I get a pep8 error.  I think the right answer is to import it in tests/core.py with a #noqa21:50
*** neelashah has joined #openstack-dev21:50
gyeeayoung, yes21:50
ayoungatiwari, tests are looking good.  I will post a new version of the patch as soon as my run completes21:50
*** thomasm has quit IRC21:51
*** carl_baldwin has left #openstack-dev21:51
*** maheshp has joined #openstack-dev21:51
*** jecarey has quit IRC21:52
morganfainbergbknudson, i'm chasing that version down now.21:52
*** rnirmal has joined #openstack-dev21:54
ayounggyee, morazi atiwari https://review.openstack.org/#/c/46123/1921:55
*** alunduil has joined #openstack-dev21:56
ayoungok, I'm in family mode...I'll check back in before bed21:57
morganfainbergayoung, see ya.21:57
*** sarob has quit IRC21:58
*** sarob has joined #openstack-dev21:58
*** dolphm has joined #openstack-dev21:59
*** eglynn has quit IRC22:00
atiwariayoung, sure22:00
*** jbresnah has quit IRC22:01
*** egallen has joined #openstack-dev22:01
*** donaldh has quit IRC22:01
*** dubsquared has quit IRC22:01
*** egallen has quit IRC22:02
gyeedolphm, https://review.openstack.org/#/c/46123/22:04
dolphmgyee: already looking22:04
gyeenot sure if you caught the discussion, it's now returning 404 on token validation error22:04
*** jbresnah has joined #openstack-dev22:05
*** burt has quit IRC22:05
*** briancurtin has quit IRC22:05
*** kbringard has quit IRC22:05
*** egallen has joined #openstack-dev22:05
morganfainbergdolphm, i'll pull out the try/except in the provider manager in a subsequent patch (posting shortly) dependent on this token one22:05
morganfainbergas you requested22:06
dolphmmorganfainberg: is it complicated?22:06
morganfainbergdolphm, nope, it's just removing the try/except22:06
morganfainberg4 lines of change.22:06
morganfainbergmaybe22:06
morganfainbergno test changes.22:06
*** rnirmal has quit IRC22:06
morganfainbergerm, take that back, eliminating a useless test then22:06
*** rnirmal has joined #openstack-dev22:07
dolphmayoung: undo the string freeze violation :-/22:07
morganfainbergit could wait for icehouse if you want.  wont really change anything significant22:07
morganfainbergdolphm, i'll fix that in a sec.22:08
morganfainbergif thats the only issue, i'll have a new patch up in a couple minutes.22:08
*** mfer has joined #openstack-dev22:08
dolphmmorganfainberg: thanks22:09
dolphmmorganfainberg: make sure you don't rebase the underlying patch!22:10
morganfainbergdolphm, git review --no-rebase?22:10
morganfainberg*checks*22:10
*** romcheg has quit IRC22:10
dolphmmorganfainberg: ++22:10
dolphmmorganfainberg: i do git push gerrit HEAD:refs/for/master when i'm super paranoid22:11
*** jmontemayor has quit IRC22:11
morganfainbergdolphm, sold.22:11
*** changbl has quit IRC22:11
atiwaridolphm, ayoung , morganfainberg I am proposing one BP https://blueprints.launchpad.net/keystone/+spec/attribute-access-privilege-based-on-role, please take a look whenever time permits. wondering if it is a right candidate for oslo22:12
*** neelashah has quit IRC22:12
morganfainbergdolphm, posted22:13
morganfainbergdolphm, https://bugs.launchpad.net/keystone/+bug/1231709 this should prob. be RC122:14
uvirtbotLaunchpad bug 1231709 in keystone "oauth controller calls are not protected" [Undecided,In progress]22:14
*** egallen has quit IRC22:15
*** stevemar has quit IRC22:15
*** vipul is now known as vipul-away22:16
*** dvarga has joined #openstack-dev22:17
dolphmmorganfainberg: eek22:17
morganfainbergdolphm, yeah.22:17
gyeewow22:18
*** epim has joined #openstack-dev22:18
dolphmmorganfainberg: done and done22:18
*** jbresnah has quit IRC22:18
morganfainbergdolphm, thankfully we already have a review for it22:18
dolphmmorganfainberg: lol ++22:19
dolphmthank you steve, wherever you are22:19
morganfainbergdolphm, hehe22:19
ayoungdolphm, +2, but lets get at least one more set of eyes on it...this close to deadline22:20
ayoungdolphm, why the change in routers?22:20
atiwariwondering if https://review.openstack.org/#/c/46123/21/keystone/token/provider.py has indention issue22:20
ayoungwas it just busted before?22:20
*** vipul-away is now known as vipul22:21
morganfainbergayoung, looks like it22:21
morganfainbergoh22:21
morganfainbergno22:21
*** maheshp has quit IRC22:21
morganfainberghe changed the name of the method. from "authorize" to "authorize_request_token" probably to make the policy.json less confusing22:22
dolphmayoung: i appreciated that just because it was less ambiguous in policy.json ^ what morgan said22:22
ayoung conflicted with a different policy rule, but I wonder if this breaks unit test s...it should22:22
*** shel3over has left #openstack-dev22:22
morganfainbergayoung, if it's restful test case, no.22:22
morganfainbergayoung, since that is gated through the controller.  right?22:22
*** mfer has quit IRC22:23
ayoungah...right, didn't change the url...OK.  looks good, and I understand it...22:23
morganfainbergatiwari, indentation issue?22:23
ayoungdolphm, In icehouse, we force every call to go through policy, and put in a specific policy rule to let things through unauthenticated22:24
morganfainbergayoung, ooh, i think i like that22:24
dolphmayoung: just a trivially true rule?22:25
boris-42ttx hi22:25
*** dvarga has quit IRC22:25
atiwarimorganfainberg, added comment in https://review.openstack.org/#/c/46123/22:26
*** sarob has quit IRC22:26
*** maheshp has joined #openstack-dev22:27
*** READ10 has quit IRC22:27
morganfainbergatiwari, responded.  but i'll say as much here too, that is the catch-all22:27
*** danwent has quit IRC22:28
morganfainberga few lines up if the token is valid, we return None22:28
*** twoputt has quit IRC22:28
morganfainbergthe method likely should be renamed _assert_token_valid22:28
morganfainbergatiwari, but the indent is correct in that case.22:28
*** MaxV has quit IRC22:28
*** gmurphy has joined #openstack-dev22:29
atiwariok22:30
*** jbresnah has joined #openstack-dev22:30
morganfainbergatiwari, i can totally see why that looks wrong though.22:30
morganfainbergayoung, hmm. i forgot to add the icehouse cleanup BP.  Now i need to remember what was supposed to go into it.  darn it.22:30
atiwarimorganfainberg, raising an exception in normal flow does not look cool in _is_valid_token :)22:33
ayoungdolphm, yeah, there is a rule for that already.22:33
*** jbresnah has quit IRC22:34
ayoungTrueCheck22:34
ayounghttps://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L31822:34
*** sarob has joined #openstack-dev22:34
*** bswartz has joined #openstack-dev22:35
*** colinmcnamara has quit IRC22:35
*** dolphm has quit IRC22:36
ayoungatiwari, I'll pull the trigger if you say it is OK22:36
atiwariayoung, I am ok22:37
ayounggoing once22:38
morganfainbergayoung, wait for jenkins?22:38
*** SergeyLukjanov has quit IRC22:38
*** FunnyLookinHat has quit IRC22:38
ayoungmorganfainberg, sure.22:38
morganfainbergayoung, i don't mind if we jump it, but check queue is pretty backed up22:39
*** rcleere has quit IRC22:39
*** sarob has quit IRC22:39
ayoungyeah...I have to head out.  I'll check back in a few hours22:39
morganfainbergayoung, but i thought we were supposed to wait (why a question)22:39
*** bknudson has left #openstack-dev22:39
morganfainbergayoung, sounds good.  if it clears check, i'll push go (if you don't get to it first)22:40
morganfainbergor it doesn't take until i need to go home .22:40
*** jhesketh has joined #openstack-dev22:41
*** maheshp has quit IRC22:42
*** jhesketh has quit IRC22:42
*** jhesketh has joined #openstack-dev22:43
*** sarob has joined #openstack-dev22:43
*** prad_ has quit IRC22:43
*** jhesketh has quit IRC22:44
*** cjwilson has joined #openstack-dev22:45
*** egallen has joined #openstack-dev22:45
*** dolphm has joined #openstack-dev22:45
*** egallen has quit IRC22:47
*** sarob has quit IRC22:47
*** sarob has joined #openstack-dev22:48
*** galstrom is now known as galstrom_zzz22:49
*** ericw has joined #openstack-dev22:50
dolphmboris-42: he's probably asleep22:50
boris-42dolphm sure=)22:50
boris-42dolphm but sometimes he doesn't sleep=)22:50
dolphmboris-42: he's just a bot22:51
*** egallen has joined #openstack-dev22:51
boris-42hehe=)22:52
*** sarob has quit IRC22:54
*** kbrierly has quit IRC22:54
*** dolphm has quit IRC22:56
*** atiwari has quit IRC22:57
*** epim has quit IRC22:59
*** boris-42 has quit IRC23:00
*** danwent has joined #openstack-dev23:00
*** egallen has quit IRC23:03
*** datsun180b has quit IRC23:04
*** sarob has joined #openstack-dev23:04
*** terriyu has quit IRC23:05
*** sarob has quit IRC23:05
*** sarob_ has joined #openstack-dev23:05
*** tmclaugh[work] has quit IRC23:06
*** jbresnah has joined #openstack-dev23:06
*** dtyarnell has joined #openstack-dev23:06
*** sarob has joined #openstack-dev23:07
*** sarob_ has quit IRC23:10
*** nermina has quit IRC23:12
*** jbresnah has quit IRC23:13
*** jbresnah has joined #openstack-dev23:15
*** twoputt has joined #openstack-dev23:16
*** dvarga has joined #openstack-dev23:21
*** sarob has quit IRC23:23
*** nati_ueno has quit IRC23:23
*** epim has joined #openstack-dev23:25
*** dvarga has quit IRC23:26
*** jayg is now known as jayg|g0n323:30
*** fifieldt has joined #openstack-dev23:31
*** utlemming has quit IRC23:31
*** changbl has joined #openstack-dev23:31
*** utlemming has joined #openstack-dev23:33
*** jbresnah has quit IRC23:35
*** openfly has joined #openstack-dev23:36
*** networkstatic has joined #openstack-dev23:38
*** nachi has left #openstack-dev23:40
*** epim has quit IRC23:43
*** sarob has joined #openstack-dev23:43
*** thomasm has joined #openstack-dev23:47
*** guest3 has joined #openstack-dev23:52
*** otherwiseguy has quit IRC23:52
*** dims has quit IRC23:53
*** rnirmal_ has joined #openstack-dev23:54
*** erivera has joined #openstack-dev23:55
*** rnirmal has quit IRC23:55
*** rnirmal_ is now known as rnirmal23:55
*** sarob_ has joined #openstack-dev23:58
*** guest3 has left #openstack-dev23:58
*** guest3 has joined #openstack-dev23:58
*** nati_ueno has joined #openstack-dev23:58
