Friday, 2014-02-07

« Thursday, 2014-02-06 Index Saturday, 2014-02-08 »
*** changbl has quit IRC00:02
*** dfarrell07 has joined #openstack-dev00:02
*** morazi has joined #openstack-dev00:03
*** amcrn has quit IRC00:04
*** harlowja is now known as harlowja_away00:04
*** kgriffs is now known as kgriffs_afk00:06
*** carl_baldwin has quit IRC00:07
*** venkatesh has quit IRC00:11
*** amcrn has joined #openstack-dev00:11
*** mriedem has quit IRC00:11
*** eglynn has joined #openstack-dev00:11
*** rodrigods has quit IRC00:13
*** byeager has quit IRC00:13
*** harlowja_away is now known as harlowja00:15
*** RajeshMohan has quit IRC00:17
*** pmathews has quit IRC00:17
*** mrodden has quit IRC00:18
*** matsuhashi has joined #openstack-dev00:19
*** csaba|afk is now known as csaba00:20
*** eglynn has quit IRC00:20
*** sweston has joined #openstack-dev00:21
*** enikanorov_ has joined #openstack-dev00:21
*** giulivo has quit IRC00:21
*** asalkeld has quit IRC00:22
*** anniec has joined #openstack-dev00:22
*** MaxV has quit IRC00:22
*** enikanorov has quit IRC00:23
*** atiwari has quit IRC00:23
*** tjones has quit IRC00:23
*** mrda is now known as mrda_away00:23
*** RajeshMohan has joined #openstack-dev00:23
*** tjones has joined #openstack-dev00:23
*** zyluo has joined #openstack-dev00:24
zyluobnemec, ping00:24
*** FunnyLookinHat has quit IRC00:25
*** flaper87 is now known as flaper87|afk00:27
*** sweston has quit IRC00:27
*** tjones has quit IRC00:28
*** CaptTofu has quit IRC00:29
*** CaptTofu has joined #openstack-dev00:30
*** gokrokve has quit IRC00:30
*** marcoemorais has quit IRC00:31
*** marcoemorais has joined #openstack-dev00:31
*** sweston has joined #openstack-dev00:32
*** CaptTofu has quit IRC00:34
*** dfarrell07 has quit IRC00:38
*** jckasper has joined #openstack-dev00:39
*** IanGovett has quit IRC00:40
*** IanGovett has joined #openstack-dev00:40
*** cadenzajon has quit IRC00:41
*** sarob has joined #openstack-dev00:41
*** CaptTofu has joined #openstack-dev00:41
*** jf-jenni has joined #openstack-dev00:42
*** thuc has quit IRC00:42
*** thuc has joined #openstack-dev00:43
*** zzelle_ has quit IRC00:44
*** thuc_ has joined #openstack-dev00:45
*** sarob has quit IRC00:46
*** spzala has quit IRC00:46
*** thuc has quit IRC00:47
*** lcheng_ has joined #openstack-dev00:47
*** devoid has quit IRC00:50
*** sarob has joined #openstack-dev00:51
*** dfarrell07 has joined #openstack-dev00:52
*** stevemar has quit IRC00:55
*** sarob has quit IRC00:56
*** kgriffs_afk is now known as kgriffs00:58
*** yamahata has joined #openstack-dev00:59
*** markwash_ has joined #openstack-dev00:59
*** browne has quit IRC01:01
*** pablosan has quit IRC01:01
*** lcheng_ has quit IRC01:02
*** markwash has quit IRC01:02
*** markwash_ is now known as markwash01:02
*** sarob has joined #openstack-dev01:02
*** dfarrell07 has quit IRC01:03
*** nelsnelson has quit IRC01:03
*** zyluo has quit IRC01:04
*** anniec has quit IRC01:04
*** zyluo has joined #openstack-dev01:04
*** pablosan has joined #openstack-dev01:05
*** mkollaro has quit IRC01:05
*** BLZbubba has quit IRC01:07
*** godara has quit IRC01:07
*** BLZbubba has joined #openstack-dev01:07
*** kgriffs is now known as kgriffs_afk01:07
*** sarob has quit IRC01:08
*** tongli has quit IRC01:09
*** ijw has quit IRC01:09
*** mrodden has joined #openstack-dev01:09
*** csaba is now known as csaba|afk01:10
*** anniec has joined #openstack-dev01:10
*** cdub has joined #openstack-dev01:10
jamielennoxdolphm, was there another client release?01:11
*** mrodden1 has joined #openstack-dev01:12
*** epim has quit IRC01:12
*** melwitt has quit IRC01:12
*** mrodden has quit IRC01:14
*** sandywalsh has quit IRC01:14
*** enikanorov_ has quit IRC01:17
*** enikanorov has joined #openstack-dev01:17
*** thuc_ has quit IRC01:19
*** thuc has joined #openstack-dev01:20
*** xarses has quit IRC01:21
jamielennoxayoung-afk: have you changed anything about v2 revocations?01:23
*** ayoung-afk is now known as ayoung01:23
ayoungnope01:23
*** xmltok has quit IRC01:24
*** thuc has quit IRC01:24
*** tsekiyam_ has joined #openstack-dev01:27
*** nosnos has joined #openstack-dev01:28
*** smurugesan has quit IRC01:29
ayoungmorganfainberg, jamielennox dstanek_afk can we put this one to bed? https://review.openstack.org/#/c/68548/01:30
*** tsekiyama has quit IRC01:30
*** cnesa has quit IRC01:30
*** novas0x2a|laptop has quit IRC01:30
*** hemna has quit IRC01:31
jamielennoxayoung: my only question about that one is does it make sense to advertise that over ampq or is it really only relevant internal to keystone01:31
ayoungAAAAAH!01:31
ayoungno idea01:31
ayoungdoes it matter?01:31
jamielennoxayoung: no idea :)01:31
*** tsekiyam_ has quit IRC01:31
morganfainbergand jamielennox from left field01:32
jamielennox:)01:32
morganfainbergayoung, i think a disable event on amqp is fine01:32
morganfainbergand likely is more relevant than update01:32
jamielennoxi can see that other services would want to know about a disable01:32
ayoungI think that some people will want it01:32
morganfainbergsomeone might care01:32
ayoungdisable a user and shutdown their vms?01:32
ayoungdoes that have anything to do with this patch?  Do we indicate an events availability?01:33
*** mrda_away is now known as mrda01:33
*** sweston has quit IRC01:33
ayoungFeeping Creaturism01:33
*** peoplemerge has quit IRC01:33
morganfainbergeh,01:34
morganfainberg*shrug*01:34
ayoungmorganfainberg, this is all your fault01:34
*** cdub has quit IRC01:34
jamielennoxi think the whole what goes onto the bus is new to all of us01:34
morganfainbergayoung, lol01:34
ayoung"you should use notifications" you said "It will be easy" you said01:34
morganfainbergand you're the one that listened!01:34
ayoungFool me once, shame on you, fool me twice...you can't get fooled again.01:35
jamielennoxfool me once, shame on you GOTO 1001:36
ayoungjamielennox, have you ever programmed in Basic?01:36
ayoungI'm guessing yes01:36
jamielennoxeh, not really just the best way to write something like that01:37
*** sweston has joined #openstack-dev01:37
ayoungI was actually looking into Logo as a first language to teach my Son.  We've been playing a "board game" called Robot Turtles that is like turtle graphics programming (each card is an instruction to move the turtle)  and Logo ssems the logical next step01:37
ayoungturns out there is UCBLogo on Fedora with turtle graphics01:38
jamielennoxlogo was the first thing i got taught01:38
ayoungreally?01:38
*** thuc has joined #openstack-dev01:38
jamielennoxearly high school course01:39
jamielennoxcountry schools thought that it counted as teaching programming01:39
*** dims has quit IRC01:39
*** sarob has joined #openstack-dev01:39
*** zyluo has quit IRC01:39
achampionhow old is you son?01:39
*** sweston_ has joined #openstack-dev01:40
*** dims has joined #openstack-dev01:40
ayoungachampion, I'm old, he's young,01:40
ayoungBut I am Young01:41
*** mst89 has quit IRC01:41
achampionyou = your01:41
ayoungsorry, that should read01:41
ayoungI AM Young01:41
*** tqtran has quit IRC01:41
ayoungachampion, heh01:42
*** igor__ has joined #openstack-dev01:42
ayoungHe's 701:42
achampionI've been teaching programming to a nephew (10) using robomind01:42
*** igor has quit IRC01:42
ayoungachampion, does it take Logo?01:43
*** alop has quit IRC01:43
*** sweston has quit IRC01:44
ayoungachampion, how do you like it?01:44
achampionno, it's a simple pseudo-code style with basic flow control structures01:44
*** bdpayne has quit IRC01:44
*** nati_ueno has quit IRC01:44
*** nati_ueno has joined #openstack-dev01:45
achampionbeen reasonable easy to pick up, from simple instructions left, right, and paintWhite, to flow control structure if, repeat and procedures01:46
achampionwe did a specific maze solver, then progressed to a general maze solver01:47
ayoungNice01:47
*** nati_uen_ has joined #openstack-dev01:48
ayoungmorganfainberg, you OK with my responses on "Notifications upon disable"01:48
*** sarob_ has joined #openstack-dev01:48
achampionit displays a robot in a universe, with the program visually affecting the robot universe.01:48
*** bknudson has joined #openstack-dev01:49
achampionNext is a copier, then a copier with scale (1/2, double)01:49
*** sarob has quit IRC01:49
achampionhttp://www.robomind.net/01:49
*** llu has joined #openstack-dev01:51
*** otherwiseguy has joined #openstack-dev01:51
*** nati_ueno has quit IRC01:51
*** ijw has joined #openstack-dev01:53
*** _cjones_ has quit IRC01:54
*** thuc_ has joined #openstack-dev01:54
*** morganfainberg is now known as morganfainberg_Z01:54
*** thuc has quit IRC01:58
*** thuc_ has quit IRC01:58
*** kgriffs_afk is now known as kgriffs01:58
*** newell has quit IRC02:02
ayoungjamielennox, what is the path to being able to use client certs and Kerberos with the Keystone client?  I'm assuming we get auth plugins merged, and we need a plugin for each of those.02:02
jamielennoxayoung: not as much as you'd think - both of those will fall within the transport base session object02:03
jamielennoxclient certs should be supported already02:03
jamielennoxkerberos is not actually all that hard to add02:03
ayoungand we need to shortcircuit the logic to try and pass through the password, and the format for the token request02:03
jamielennoxayoung: yea - so what we would essentially need is a no-op plugin02:03
ayoungno methods="password"02:03
jamielennoxauth plugins will fill things into the X-Auth-Token, you just need to get a token02:04
jamielennoxif you have no password or whatever just kerberos then you would still have to have something that got a token - you would just not have the plugin submit a password or whatever02:05
jamielennoxayoung: did that make sensse?02:05
*** alexpilotti has quit IRC02:05
*** mriedem has joined #openstack-dev02:06
ayoungjamielennox, what writes the body of the request now?02:06
*** ijw has quit IRC02:06
ayoungpasswword plugin?02:06
jamielennoxwhich request?02:06
jamielennoxthe auth request ?02:06
*** dstanek_afk is now known as dstanek02:07
jamielennoxPlugins are essentially just v2 or v3 keystone02:07
ayounggyee, can you just +2 https://review.openstack.org/#/c/61247/9  so we can move this, and we'll work up the documentation as future work?02:07
ayoungyeah, the body for POST /v3/auth02:08
jamielennoxgyee: sorry just saw your comment cause there was no +/-02:08
jamielennoxgyee: why would someone want to develop a custom session?02:08
jamielennoxgyee: i'm fine if they do but what for?02:08
*** kgriffs is now known as kgriffs_afk02:08
ayoungjamielennox, he wants a custome everything. It is the HP way02:08
*** IanGovett has quit IRC02:09
*** ijw has joined #openstack-dev02:09
jamielennoxayoung: i get the custom auth_plugin but that is well defined, the session is just a transport layer if there is something wrong with that then it is a bug i don't see why someone would want to reimplement it02:09
bknudsonERROR: openstackclient.shell Exception raised: (pbr 0.5.23.37.g4480343 (/opt/stack/pbr), Requirement.parse('pbr>=0.6,<1.0'))02:09
bknudsonwhat do I do about that?02:10
ayoungbknudson, in  your venv?02:10
ayoungactivate it and pip upgrade pbr02:10
bknudsonayoung: no, not in this case... starting devstack02:10
ayoungbknudson, if its been a while since you ran devstack on this machine, maybe the pbr repo has moved ahead?  Update the git repo>02:11
bknudsonCan't uninstall 'pbr'. No files were found to uninstall.02:11
jamielennoxayoung: so anyway yes there is a v3 plugin and it handles all forms of v3 auth - password, token, oauth whatever02:11
bknudson-e git+https://github.com/openstack-dev/pbr.git@44803433a7da66b5e7404806290237469f07fd5d#egg=pbr-master02:12
bknudsonthat's the output of pip freeze | grep pbr02:12
jamielennoxayoung: i'd be willing to look at subclassing v3 into password/token/whatever - i'm not sure if thats a win or not02:12
*** ijw has quit IRC02:12
ayoungjamielennox, it would help if we got the code inmalingered.02:13
ayoungheh02:13
ayoungIts been malingering02:13
ayoungwe're a little too detail oriented.  Usually that is OK, but sometimes you need to ship.02:13
*** emagana has quit IRC02:13
bknudsonok, I do have an /opt/stack/pbr... so I git pull and setup.py install02:14
*** yamahata has quit IRC02:14
bknudsonseems to work02:14
ayoungbknudson, is your +2 on https://review.openstack.org/#/c/61247/9  still good?  Can I pull the trigger on it?02:15
*** unicell has joined #openstack-dev02:15
*** jasondotstar has quit IRC02:15
bknudsonayoung: I'll take a quick look and approve.02:16
ayoungbknudson, thanks.  The important one is the one that follows it, and gyee and I have both +2ed it02:16
dstanekayoung: thinking about notification of disabled entities - is this for internal use or are we advertising the capability outside of keystone?02:16
ayoungdstanek, I need for internal.  External is a different conversation, and to be blunt, I don't care02:16
dolphmdstanek: they're emitted from keystone02:17
ayoungI can see arguments either way, but Federation is going to make it moot02:17
ayoungor Mute02:17
dolphmayoung: you should use internal callbacks instead02:17
*** gokrokve has joined #openstack-dev02:17
*** comay has quit IRC02:18
* ayoung goes and soaks his head02:18
dstanekayoung: i'm definitely not for it; i'd rather wait so that we can adjust as we learn more; i'm thinking of your question about a notification for changing passwords02:18
ayoungChange PW is different from user disable.02:18
ayoungBut disable events...should go out to the world02:18
ayoungthey are more important than update events02:19
*** jasondotstar has joined #openstack-dev02:19
*** lbragstad has joined #openstack-dev02:19
*** sarob_ has quit IRC02:19
dolphmupdates events go out on disable already02:19
*** sarob has joined #openstack-dev02:19
dolphmi've been very hesitant on the redundant notifications02:20
ayoungdolphm, yes, but the end users don't have enough detail to distinguish between them02:20
ayoungI split them02:20
dolphminternal callsbacks seems like a sufficient baby step02:20
ayoungthe notifications are either/or02:20
dolphmso you don't emit notifications on disable anymore?02:21
dolphmerr..02:21
dolphmyou don't emit update notifications on disable anymore?02:21
ayoungdolphm, that is correct.02:21
dolphmso if anyone was subscribed to update notifications and only cared about disable events, they won't get them anymore? :-/02:22
ayoungYep02:22
dolphmwhat if disable is only part of the overall PATCH? i.e. name got updated as well02:22
jamielennoxas a side append to what i was saying with notifications earlier the problem is they essentially are part of API now - people will start to rely on them02:22
*** pradeep has joined #openstack-dev02:22
dstanekcan an update disable a user and change other stuff in the entity?02:22
dstanekdolphm: yes, exactly02:23
ayoungtechnically, yes, and only the disable would go through02:23
jamielennoxcan we just put a flag public=False on the notify callback which does the internal callback without the ampq?02:23
ayoungbut...I still think that this is more correct02:23
dolphmjamielennox: ++02:23
jamielennoxwe can start putting these things on the wire when we have a plan for this stuff02:23
ayoungdisable is only an update due to implementation02:23
ayoungI think it is the disable evetns that the remote systems are most concerned about.  If a user or project gets disabled, they want to disable resources02:24
*** sarob has quit IRC02:24
dolphmayoung: you don't have an immediate use case for emitting disable events beyond keystone? so why not use internal callbacks02:24
jamielennoxayoung: user disable is a tough thing to commit to when we are moving away from having control over users02:24
ayoungRight now..I am guessing they have to do a callback to see status upon an update to see if it is disabled02:24
jamielennox(eg federation)02:25
ayounghmmm...so roll back to the double notification approach, and tag the "disable" event as internal only?02:25
jamielennoxayoung: i think we tag as much as possible as internal only for the time being02:26
ayoungDo we have a mechanism for internal callbacks?  Does notify do internal only?02:26
dolphmayoung: ++ that seems like the least controversial solution for icehouse, without having to worry about backwards compatibility etc02:26
dolphmayoung: yes and yes02:26
*** markvoelker1 has joined #openstack-dev02:26
jamielennoxayoung: it does both, but it would be a really easy thing to skip the ampq part if not public02:26
dolphmayoung: https://blueprints.launchpad.net/keystone/+spec/internal-callbacks02:27
*** yamahata has joined #openstack-dev02:27
jamielennoxdolphm: just that the implementation of that has squeezed in with the ampq stuff so at the moment you don't have control over just internal02:28
*** sarob has joined #openstack-dev02:28
*** sarob has quit IRC02:28
*** primemin1sterp has joined #openstack-dev02:28
*** sarob has joined #openstack-dev02:28
jamielennoxanyway side question from something i had dropped earlier and we appear to have a quorum still awake02:29
ayoungYeah...so how would I tag it as an internal only callback?02:29
dolphmjamielennox: ooooooh, i see what you mean02:29
dolphmjamielennox: yeah, we should add an internal_only kwarg :-/02:29
jamielennoxdolphm, ayoung, dstanek, bknudson: does having auth plugins like V3Password, V3Token etc make sense as opposed to a similar state as now where you have just V3Auth(username='', password='', token='')02:30
dolphmi remember talking to morgan about this now; didn't see this as a downside at the time02:30
jamielennoxdolphm: public=False02:30
dolphmjamielennox: ++02:30
jamielennoxayoung: it would be simple to add that param to the wrapper02:30
*** achampio1 has joined #openstack-dev02:30
*** primeministerp has quit IRC02:31
*** erkules_ has joined #openstack-dev02:31
dstanekjamielennox: i like the separate classes if there is different logic for each one that should be encapsulated02:31
jamielennoxdolphm: was the ++ for the plugins or for the public=False?02:32
jamielennoxdstanek: the main upside i see is adding new auth types to v3 and not extending that list02:32
dolphmjamielennox: oh, public02:32
*** rkukura has joined #openstack-dev02:32
*** yamahata has quit IRC02:32
jamielennoxthe main downside i see is when you have everything in a CONF or something where all you really want is a plugin that works02:32
dolphmjamielennox: and yes, i'd like them to be separate plugins02:32
*** achampion has quit IRC02:33
bknudsonjamielennox: you instantiate one of these plugins and pass it in to the client?02:33
jamielennoxayoung: completely understand how you feel when you think you're almost done and things get changed02:33
ayoungdoes def _send_notification(operation, resource_type, resource_id, host=None)  have to be internal?02:33
jamielennoxbknudson: yes02:33
jamielennoxahh,02:33
ayoungjamielennox, heh02:33
dolphmjamielennox: i could see v3password extending v3token or something though, to manage refreshing?02:33
jamielennoxbknudson: you pass it to the session02:33
*** erkules has quit IRC02:33
jamielennoxdolphm: v3 token i was thinking auth_url/token02:33
* ayoung is used to it by now. And we are better off catching these things before commit.02:34
jamielennoxthey will all need to manage tokens02:34
bknudsonayoung: _send_notification doesn't have to be internal02:34
bknudsonthe wrappers are there are just because it was a convenient way to implement it...02:34
bknudsonif it doesn't match how we want to use it now then there's no need to be stuck with just the wrappers.02:35
jamielennoxayoung: you're not making the function internal - just the emitted event02:35
ayoungjamielennox, so https://github.com/openstack/keystone/blob/master/keystone/notifications.py#L155 would be conditional on if (public):  ?02:35
jamielennoxbknudson: ++ i was playing with it recently and i think the wrapper is useful but not the only way02:35
jamielennoxayoung: right, indent that whole block with if public:02:36
ayoungjamielennox, yeah, but the decorators are kindof awkward for firing an event from the middle of a function.  I'd just as soon call it explicitly02:36
bknudsonjamielennox: so can I pass multiple auth plugins ... maybe pass both v3password and v3token? Not sure what it should do.02:36
bknudsonmaybe a v3password and a v2password and it figures out which one to use based on the endpoint?02:36
jamielennoxayoung: that's what i mean - we will need a way of doing a manual notify02:36
jamielennoxbknudson: i have a scenario for dealing with multiple plugins in mind02:37
jamielennoxwe're not there yet02:37
*** rtheis has quit IRC02:37
jamielennoxbut it can/will work02:37
bknudsonit would be sad to have the api version in the plugin.02:37
jamielennoxbknudson: also endpoint are managed by the plugins (because endpoints come from the service catalog)02:37
*** tsekiyama has joined #openstack-dev02:38
dolphmbknudson: was just wondering if that was necessary as well...02:38
*** achampion has joined #openstack-dev02:38
bknudsonjamielennox: wait, I thought with token auth you wouldn't have a catalog?02:38
*** vkmc has quit IRC02:38
jamielennoxbknudson: there are two forms of token auth02:38
jamielennoxendpoint/token is when you always use that endpoint/token02:39
jamielennoxauth_url/token is when you rescope a token02:39
*** amcrn has quit IRC02:39
jamielennoxor for whatever reason you get a token from a tokne02:39
jamielennoxauth_url/token will give you a service catalog02:39
jamielennoxendpoint/token won't - but it doesn't matter cause you are always using the same endpoint02:40
*** achampio1 has quit IRC02:40
dolphm+1 to all of the above02:40
jamielennoxfor future contemplation the way i was thinking of dealing with multiple auth plugins is to name them. So if you rescope a token you can have 'default' and 'project_scoped' for example02:41
jamielennoxthen when you create a client with that session you can say use auth='project_scoped' and it will tell the session which plugin it should use for requests02:42
ayoungjamielennox, I just +2ed Auth PLugins on top of  bknudson approving the session patch.02:42
jamielennoxi've still got to get even close to that though02:42
*** tsekiyama has quit IRC02:42
ayoungWe're going to have a pretty cool client next release....02:42
jamielennoxayoung: no - our client is ugly as sin, but 2.0 is shaping up nicely02:43
ayoungHeh02:43
jamielennoxalright - guess now i need to rewrite my v2/v3 token plugins02:43
*** ewindisch has quit IRC02:44
jamielennoxi'll try and run that one past dtroyer first02:44
ayoungjamielennox, so https://review.openstack.org/#/c/68007/4/keystoneclient/auth/identity/v3.py  is your current approach,  what are you going to do instead>02:44
jamielennoxayoung: 90% of that is common02:44
jamielennoxbut subclass the actual auth method02:44
jamielennoxso a UsernamePassword(Auth)02:44
ayoungso a base v3 auth plugin ...I assume password will come out of the init param list?02:45
jamielennoxand a UsernameToken(Auth)02:45
ayoungas will token02:45
jamielennoxi'm not sure what becomes of user_id02:45
*** markvoelker1 has quit IRC02:45
jamielennoxegh, user_domain_name etc will all have to go with username02:45
jamielennoxthis is why i think i opted to keep it how it was02:46
*** nati_uen_ has quit IRC02:46
ayoungjamielennox, yeah, I was having the same thoughts on the revocation.  user: id, name, domain_id}  is much cleaner than separate vars02:46
jamielennoxso scoping and trust will stay as the base and the rest will go to subclasses02:46
dolphmjamielennox: do you think the auth plugins need to bother with exposing auth / scoping by ID's instead of just names?02:47
ayoungtrust should somehow be under scope...02:47
*** anniec has quit IRC02:47
jamielennoxdolphm: the only thing i can think of is that the CLI still allows that02:47
jamielennoxand i think  OSC as well02:47
*** otherwiseguy has quit IRC02:48
jamielennoxdolphm, ayoung and bknudson: you've all been relatively quiet on the actual plugins - if you can see a way to clean up the parameters that we take for auth then now is the best time to speak up02:48
jamielennoxdstanek: ^^02:48
bknudsonjamielennox: was looking at https://review.openstack.org/#/c/68007/4/keystoneclient/auth/identity/v3.py and it looks good to me.02:49
jamielennoxbknudson: yea, i feel i'm biased at this point02:49
jamielennoxi'm so used to parameters like user_domain_id that it makes sense02:49
ayoungjamielennox, how is the plugin going to be selected when run from the CLI?02:49
*** markvoelker1 has joined #openstack-dev02:50
bknudsonseems like it would be better to complain about the scope conflict on construction rather than on get_auth_ref02:50
*** markvoelker1 has quit IRC02:50
ayoungI assume that is OS_PASSWORD is set, we get the password plugin until we have a token, and then we use the token plugin, right?02:50
ayoungand to do Kerberos or client auth, it will be an env var or CLI option?02:50
jamielennoxayoung: so auth discoverability is somewhat harder than client discoverabiility02:50
bknudsonand I don't think the client should be raising AuthorizationFailure ... that should be coming from the server response only.02:51
dstanekjamielennox: looking at the review now02:51
jamielennoxayoung: this is why another reason i kept it close to the current layout02:51
ayoungjamielennox, simple things should be simple, and hard things should be possible02:51
ayoungwhat if it is just OS_AUTH_PLUGIN=<name>02:51
jamielennoxit's really easy to just pass through all the current client params to just the v3.Auth method and nothing will change02:52
ayoungand we have a registry of names.  If it isn't set it defaults to  ...v2?02:52
ayoungv3?02:52
dstanekjamielennox: is that what you wanted to break up in to separate classes?02:52
jamielennoxayoung: heh, that was when someone was optimistic about a v3 client02:52
jamielennoxauth version is ignored02:52
dstanekjamielennox: the Auth class from v3.py02:52
jamielennoxsilently i think02:53
jamielennoxdstanek: yes, does it make sense to seperate a UsernamePasswordAuth from other types of auth like Oauth02:53
ayoungI'd prefer it if the param list for an Auth plugin specified what it requires.  Parameters that are necessary for the plugin to work should be required params, and others optional, and only if they will be used02:53
jamielennox(OAuth is the one that's been bugging at me for a while now - it doesn't quite fit)02:53
*** gordc has quit IRC02:54
jamielennoxayoung: so the current approach has very much been give everything and then check the combinations02:54
*** tsekiyama has joined #openstack-dev02:54
ayoungWe can do it using an array of parameter names, and have each method specify which list, and then have a common base list or something02:54
ayoungright.  And I personally want passwords to die02:54
*** anniec has joined #openstack-dev02:55
jamielennoxayoung: i've been thinking about arrays of param names - if it works for the CLI to do that i'm happy to - but i think i would like to maintain some seperation between the plugins and the CLI02:55
dstanekjamielennox: i would definitely vote for separate classes that have smaller param lists02:55
jamielennoxit's the CLIs job to figure out how to instantiate plugins02:55
ayoung++02:55
jamielennoxdstanek: that's the way most of this has been going02:55
*** smurugesan has joined #openstack-dev02:55
ayoungplugin.required_params and .optional_params02:56
jamielennoxas i said i'm so used to this stuff now i'm biased02:56
dstanekjamielennox: are all of the Auth param really optional?02:56
jamielennoxdstanek: legacy of the old client02:56
bknudsonwill need some kind of plugin factory02:56
jamielennoxbecause there are so many ways to mix and match options everything is optional and then you pick what you need and error if something is missing02:56
jamielennoxbknudson: right, it was easy before - now we need some way of distinguishing plugins02:57
jamielennoxand it would be good to have 3rd party plugins in that02:57
bknudsonlike kerberos or ssl client cert or something02:57
jamielennoxbut these are things i've felt that are not quite core to the actual plugin process02:57
bknudsonor http basic auth02:57
jamielennoxif we could define the interface to a plugin then we can go through that transformation later without problem02:58
*** marcoemorais has quit IRC02:58
jamielennoxbasic auth counts, kerberos and SSL only somewhat02:58
jamielennoxauth plugins only deal with the HTTP side of authenticating02:59
jamielennoxkerberos and SSL are transport parameters (even though they can/are used for auth)02:59
ayoungbasic-auth!02:59
jamielennoxhmm02:59
ayoungI have code for that somewhere02:59
*** kgriffs_afk is now known as kgriffs02:59
jamielennoxcrap - can i do ssl from a plugin?02:59
jamielennoxuggh, it's possible i *might* be able to run ssl and kerberos from a plugin ...03:00
jamielennoxthat's difficult and may require a new plugin hook03:00
jamielennoxbut not impossible and probably not that ugly03:00
jamielennoxwith both kerberos and SSL plugins though you need to still actually have something to put in a token right?03:01
bknudsonjamielennox: who knows how it's going to work with federation.03:02
*** markwash has quit IRC03:03
bknudsonkerberos and SSL don't have all the info you need for a regular auth request -- the scope.03:03
jamielennoxbknudson: i'm just wondering if you set either kerberos or SSL certs via an auth plugin what do you expect then? are these used for every request or just auth?03:03
bknudsonwe should have the scope in the url... /v3/auth/tokens/project/<id>03:04
*** evilstephen has joined #openstack-dev03:04
jamielennoxbknudson: right in the tests i've done with kerberos/ssl it was alway in addition to regular authentication03:04
bknudsonjamielennox: good question... once you have a token you don't need to keep presenting the client cert everywhere.03:04
*** angdraug has quit IRC03:05
jamielennoxbknudson: but then do i have to put the option of SSL certs and kerberos into the base of every auth plugin?03:05
bknudsonthat's where the question of multiple plugins comes in.03:05
jamielennoxbknudson: so i don't think we should have multiple cooperative plugins03:06
*** gokrokve has quit IRC03:06
*** dkranz has joined #openstack-dev03:06
jamielennoxeverything i've done has been on the impression that 1 plugin is 1 token03:06
jamielennoxyou can then ask things of it that are relevant to that token03:06
bknudsonjamielennox: you can do re-auth with the username/password plugin, though?03:07
*** fandi has joined #openstack-dev03:07
jamielennoxbknudson: yes, it was decided that that should be handled internally to the plugin03:07
bknudsonhopefully you can tell when your token is close to expiring, or it did expire.03:07
jamielennoxso when i ask for a token the plugin has the option to refresh it03:07
bknudsonjamielennox: the plugin stores the token? is that in BaseIdentityPlugin03:09
jamielennoxyes03:09
*** kgriffs is now known as kgriffs_afk03:09
*** paragan has joined #openstack-dev03:10
*** markmcclain has joined #openstack-dev03:10
*** CaptTofu has quit IRC03:11
*** relaxdiego has joined #openstack-dev03:14
*** anniec has quit IRC03:14
jamielennoxbknudson: re https://review.openstack.org/#/c/70902/203:18
jamielennoxi thought we used 300 for / always if there is only one option i should return 200?03:18
*** primemin1sterp has quit IRC03:20
bknudsonjamielennox: it doesn't make sense to me to return 300 multiple choice when there's only one choice03:22
bknudsona regular redirect makes more sense to me.03:23
*** caleb_ has joined #openstack-dev03:23
jamielennoxbknudson: a redirect for / -> v1 ? that seems dangerous for later03:23
bknudsonjamielennox: I assume it's going to be documented in the api reference.03:24
*** alexpilotti has joined #openstack-dev03:24
jamielennoxright but you consult / for the available versions and then you get the link to your api versoin03:24
bknudsonjamielennox: I guess 200 makes sense then.03:25
bknudsonI thought that this was implementing some spec... what's the spec say?03:26
*** kgriffs_afk is now known as kgriffs03:26
*** yamahata has joined #openstack-dev03:26
bknudsonjamielennox: this should all be defined in https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-kds-ext.md03:27
*** alop has joined #openstack-dev03:28
*** arnaud__ has quit IRC03:29
*** arnaud___ has quit IRC03:29
jamielennoxbknudson: similar to i guess v3 i only define the actual api interaction for v103:29
jamielennoxalso regarding discovery http://paste.openstack.org/show/62947/03:30
jamielennoxthats a sample of some of what's used03:30
*** caleb_ has quit IRC03:30
bknudsonwhat a mess03:30
bknudsonwhat is kds going to use?03:30
*** yamahata has quit IRC03:31
jamielennoxbknudson: this is what i used to generate them: http://paste.openstack.org/show/62949/03:31
*** mlavalle has quit IRC03:31
jamielennoxi've been meaning to run it on a full devstack to get a wider sample but i seem to not have access to our OS instance03:31
bknudsonjamielennox: do they all return 300?03:31
jamielennoxbknudson: didn't print that03:31
*** tchaypo is now known as jamezpolley03:32
bknudsonv2.0 is beta?03:32
*** jamezpolley is now known as tchaypo03:32
bknudsonI think this is all the more reason to document what you plan to do and get agreement on that03:33
jamielennoxi have a feeling it's an old instance03:33
*** RajeshMohan has quit IRC03:34
ayoungjamie, if there is no scope, and you do REMOTE_USER auth of any sort, the token is an unscoped token.  They can always trade that for a scoped token03:35
*** RajeshMohan has joined #openstack-dev03:35
jamielennoxayoung: sure03:36
*** kgriffs is now known as kgriffs_afk03:36
ayoungI'd probably make the scoping parameters on the CLI/env vars, and make a scope object that the auth plugins can accept that gets apssed through verbatim to the token request03:36
*** doug_shelley66 has quit IRC03:38
jamielennoxayoung: the auth plugins are going to need to deal with both, how the user of the plugin gets that information isn't up to the plugin right?03:38
ayoungcorrect.  something builds the scope and then the auth plugin just accepts a scope object03:38
*** gokrokve has joined #openstack-dev03:38
ayoungheh, its a pipeline, just the mirror of what we want to build on the token side in the server03:38
*** carl_baldwin has joined #openstack-dev03:39
*** anniec has joined #openstack-dev03:39
*** gokrokve_ has joined #openstack-dev03:40
*** sarob has quit IRC03:40
*** sarob has joined #openstack-dev03:41
*** baoli has quit IRC03:42
*** gokrokve has quit IRC03:43
*** carl_baldwin has quit IRC03:43
ayoungjamielennox, is anything holding up https://review.openstack.org/#/c/70664/  as I think that is the key one for RDO03:43
*** evilstephen has quit IRC03:43
*** gokrokve_ has quit IRC03:44
*** bswartz has joined #openstack-dev03:45
jamielennoxayoung: there are 3 patches in front of it03:45
jamielennoxayoung: damn didn't see that they need rebasing03:45
jamielennoxayoung: start: https://review.openstack.org/#/c/70661/203:46
*** sarob has quit IRC03:46
ayoungre-approved03:46
jamielennoxhmm lbragstad pushed an updated one - i missed that03:46
jamielennoxgrr03:46
jamielennox:)03:47
lbragstadjamielennox: oh the doc change?03:47
*** sarob has joined #openstack-dev03:47
lbragstadI had dependent on yours?03:47
jamielennoxlbragstad: yea, it recommited the first patch so the others lost there dep03:47
*** buzztroll has quit IRC03:47
lbragstadahhh03:47
ayoungjamielennox, rebase https://review.openstack.org/#/c/71044/  as well then03:48
ayoungPITA03:48
*** sarob has quit IRC03:49
jamielennoxayoung: yep did the first one, because that one belongs to jay i have to do it manually03:49
ayoungOk my approval spree is over.  I'll look back in come the morning.03:49
*** sarob has joined #openstack-dev03:49
jamielennoxayoung: so the reason the last one is failing tests is cause oslo.messaging defaults to using the rabbit driver03:49
jamielennoxwhich defaults to a dependency on kombu03:50
jamielennoxdoes that mean that keystone needs a dependency on kombu - i can't see any other choice but it seems unnecessary03:50
ayoungAHHHHHHHH03:51
*** yaguang has joined #openstack-dev03:52
*** harlowja is now known as harlowja_away03:53
*** carl_baldwin has joined #openstack-dev03:54
*** sarob has quit IRC03:54
*** aditirav has joined #openstack-dev03:54
jamielennoxrage quit03:55
jamielennoxbknudson: you'll like this - a larger sample: http://paste.openstack.org/show/62955/03:56
jamielennoxso there is precendent with heat for using a 300 with only one version03:56
bknudsonit's just totally random...03:57
bknudsonshould just return rand()03:57
jamielennoxand cinder has 2 versions and uses 20003:57
*** markmcclain1 has joined #openstack-dev03:57
*** markmcclain has quit IRC03:57
*** alex_klimov has joined #openstack-dev03:58
ayoungwhat is that utility that gets you command history in aplications that don';t have it...I used it with oracles command line years ago...03:59
StevenKayoung: readline?03:59
jamielennoxbknudson: so i can use whatever i like?03:59
ayoungStevenK, nah, it is something that wraps another command prompt program.  I though it was a two letter command03:59
ayoungfc I thin04:00
*** edmund has quit IRC04:00
jamielennoxbknudson: most services don't have an updated_at - i think that ones kind of useless04:00
bknudsonjamielennox: you can use whatever's documented04:00
ayoungnope04:00
StevenKayoung: rlwrap04:00
jamielennoxi thought other servies had media-types as well but it appears its just us04:00
ayoungStevenK, that sounds promising04:01
*** morazi has quit IRC04:01
*** tiamar has joined #openstack-dev04:03
ayoungStevenK, 31 packages of Perl now installing04:04
StevenKHaha04:04
*** alex_klimov has quit IRC04:04
*** aveiga has quit IRC04:05
ayoungStevenK, thanks...that was it04:06
StevenKayoung: You're welcome04:06
*** ytwu has joined #openstack-dev04:06
*** alexpilotti has quit IRC04:07
*** radix has left #openstack-dev04:08
*** marcoemorais has joined #openstack-dev04:08
*** marcoemorais has quit IRC04:08
*** ayoung is now known as ayoung-ZZZZZ04:09
*** radix has joined #openstack-dev04:09
*** xarses has joined #openstack-dev04:10
*** changbl has joined #openstack-dev04:13
*** yamahata has joined #openstack-dev04:17
*** dstanek has quit IRC04:19
*** dstanek has joined #openstack-dev04:19
*** evilstephen has joined #openstack-dev04:21
*** sarob has joined #openstack-dev04:21
*** carl_baldwin has quit IRC04:21
*** ayoung-ZZZZZ has quit IRC04:22
*** anniec has quit IRC04:22
*** evilstephen has quit IRC04:25
*** kgriffs_afk is now known as kgriffs04:27
*** mikeoutland has joined #openstack-dev04:27
*** bhuvan has joined #openstack-dev04:28
*** anniec has joined #openstack-dev04:30
*** bhuvan has quit IRC04:33
*** sarob has quit IRC04:34
*** sarob has joined #openstack-dev04:35
*** kgriffs is now known as kgriffs_afk04:36
*** halfie has joined #openstack-dev04:36
*** pablosan has quit IRC04:37
*** buzztroll has joined #openstack-dev04:38
*** evilstephen has joined #openstack-dev04:38
*** sarob has quit IRC04:39
*** sarob has joined #openstack-dev04:39
*** pablosan has joined #openstack-dev04:39
*** gokrokve has joined #openstack-dev04:39
*** Tross has joined #openstack-dev04:40
*** gokrokve_ has joined #openstack-dev04:41
*** Tross has left #openstack-dev04:42
*** buzztroll has quit IRC04:42
*** Ryan_Lane has quit IRC04:44
*** gokrokve has quit IRC04:44
*** thuc has joined #openstack-dev04:44
*** terrylhowe has quit IRC04:45
*** sweston_ has quit IRC04:46
*** thuc has quit IRC04:47
*** thuc has joined #openstack-dev04:48
*** tsekiyama has quit IRC04:48
*** pabelanger has left #openstack-dev04:49
*** markmcclain1 has quit IRC04:50
*** markmcclain has joined #openstack-dev04:50
markmcclainsdague or mtreinish: around ?04:51
*** thuc has quit IRC04:52
*** 23LAA4WAK has joined #openstack-dev04:53
*** 23LAA4WAK has quit IRC04:53
*** markmcclain1 has joined #openstack-dev04:54
*** markmcclain2 has joined #openstack-dev04:54
*** pcm_ has quit IRC04:55
*** armax has quit IRC04:55
*** markmcclain has quit IRC04:56
*** gcha has quit IRC04:58
*** markmcclain1 has quit IRC04:59
*** comay has joined #openstack-dev04:59
*** clayb|2 has quit IRC05:03
*** radsy has quit IRC05:03
*** amcrn has joined #openstack-dev05:04
*** killer_prince has joined #openstack-dev05:06
*** Ryan_Lane has joined #openstack-dev05:07
*** relaxdiego has quit IRC05:07
*** saju_m has joined #openstack-dev05:08
*** amcrn_ has joined #openstack-dev05:08
*** markmcclain2 has quit IRC05:10
*** amcrn has quit IRC05:11
*** gokrokve_ has quit IRC05:11
*** gokrokve has joined #openstack-dev05:11
*** CaptTofu has joined #openstack-dev05:12
*** gokrokve has quit IRC05:12
*** gokrokve has joined #openstack-dev05:12
*** gokrokve has quit IRC05:12
*** gokrokve has joined #openstack-dev05:13
*** gokrokve has quit IRC05:13
*** sarob has quit IRC05:14
*** sarob has joined #openstack-dev05:14
*** jcooley_ has quit IRC05:14
*** jcooley_ has joined #openstack-dev05:15
*** CaptTofu has quit IRC05:16
*** gokrokve has joined #openstack-dev05:18
*** gokrokve has quit IRC05:18
*** sarob has quit IRC05:19
*** ytwu has quit IRC05:21
*** alex_xu has joined #openstack-dev05:21
*** harlowja_at_home has joined #openstack-dev05:22
*** kushal has joined #openstack-dev05:22
*** nshaikh has joined #openstack-dev05:22
*** mikeoutland has quit IRC05:22
*** aditirav_ has joined #openstack-dev05:23
*** aditirav has quit IRC05:26
*** aditirav_ is now known as aditirav05:26
*** kgriffs_afk is now known as kgriffs05:27
*** aditirav has quit IRC05:28
*** aditirav has joined #openstack-dev05:28
*** kushal has quit IRC05:31
*** buzztroll has joined #openstack-dev05:32
*** rohitk has joined #openstack-dev05:34
*** stevemar has joined #openstack-dev05:35
*** gyee has quit IRC05:36
*** unicell has quit IRC05:37
*** kgriffs is now known as kgriffs_afk05:37
*** kushal has joined #openstack-dev05:39
*** kushal has joined #openstack-dev05:39
*** harlowja_at_home has quit IRC05:41
*** mriedem has quit IRC05:41
*** rohitk has quit IRC05:44
*** sarob has joined #openstack-dev05:45
*** rdas has joined #openstack-dev05:47
*** achampion has quit IRC05:47
*** pradeep1 has joined #openstack-dev05:50
*** pradeep has quit IRC05:52
*** gokrokve has joined #openstack-dev05:53
*** gokrokve has quit IRC05:58
*** mikeoutland has joined #openstack-dev05:58
*** rohitk has joined #openstack-dev06:00
*** sweston has joined #openstack-dev06:01
*** doug_shelley66 has joined #openstack-dev06:02
*** sarob has quit IRC06:07
*** neeti has joined #openstack-dev06:08
*** mikeoutland has quit IRC06:09
*** paragan has quit IRC06:13
*** achampion has joined #openstack-dev06:14
*** sarob has joined #openstack-dev06:14
*** paragan has joined #openstack-dev06:16
*** mrda is now known as mrda_away06:17
*** comay has quit IRC06:17
*** saju_m has quit IRC06:18
*** achampion has quit IRC06:18
*** tqtran has joined #openstack-dev06:20
*** sarob has quit IRC06:25
*** denis_makogon has joined #openstack-dev06:25
*** sarob has joined #openstack-dev06:25
*** DinaBelova_ is now known as DinaBelova06:26
*** kgriffs_afk is now known as kgriffs06:28
*** neeti has quit IRC06:30
*** sarob has quit IRC06:30
*** qs201 has joined #openstack-dev06:32
*** qs201 has quit IRC06:34
*** cfriesen has quit IRC06:35
*** cadenzajon has joined #openstack-dev06:37
*** jamespage_ has joined #openstack-dev06:37
*** jasondotstar has quit IRC06:38
*** kgriffs is now known as kgriffs_afk06:38
*** alex_klimov has joined #openstack-dev06:39
*** gokrokve has joined #openstack-dev06:39
*** amotoki has joined #openstack-dev06:40
*** smurugesan has quit IRC06:41
*** pradeep1 has quit IRC06:41
*** cadenzajon has quit IRC06:41
*** gokrokve has quit IRC06:44
*** pschaef has joined #openstack-dev06:46
*** anniec has quit IRC06:48
*** mikeoutland has joined #openstack-dev06:49
*** jprovazn has joined #openstack-dev06:50
*** tqtran has quit IRC06:51
*** bhuvan has joined #openstack-dev06:52
*** erkules_ is now known as erkules06:53
*** pcm_ has joined #openstack-dev06:56
*** stevemar has quit IRC06:56
*** neeti has joined #openstack-dev06:59
*** sarob has joined #openstack-dev07:00
*** pcm_ has quit IRC07:00
*** sarob has quit IRC07:01
*** pradeep has joined #openstack-dev07:01
*** sarob has joined #openstack-dev07:01
*** alex_klimov has quit IRC07:01
*** jcooley_ has quit IRC07:05
*** matsuhashi has quit IRC07:05
*** sarob has quit IRC07:06
*** jcooley_ has joined #openstack-dev07:06
*** MaxV has joined #openstack-dev07:06
*** jcooley_ has quit IRC07:08
*** vartom1111111117 has joined #openstack-dev07:09
*** CaptTofu has joined #openstack-dev07:13
*** NikitaKonovalov_ is now known as NikitaKonovalov07:13
*** lcheng_ has joined #openstack-dev07:14
*** sushils has quit IRC07:17
*** CaptTofu has quit IRC07:18
*** dkranz has quit IRC07:18
*** dkranz has joined #openstack-dev07:18
*** markwash has joined #openstack-dev07:20
*** NikitaKonovalov is now known as NikitaKonovalov_07:20
*** matsuhashi has joined #openstack-dev07:21
*** rgerganov has joined #openstack-dev07:21
*** dstanek has quit IRC07:23
*** buzztroll has quit IRC07:25
*** buzztroll has joined #openstack-dev07:25
*** buzztroll has quit IRC07:25
*** Drankis has joined #openstack-dev07:26
*** buzztroll has joined #openstack-dev07:26
*** kgriffs_afk is now known as kgriffs07:29
*** dstufft_ has joined #openstack-dev07:29
*** amcrn_ is now known as amcrn07:30
*** jamieh has joined #openstack-dev07:31
*** ytwu has joined #openstack-dev07:31
*** dstufft has quit IRC07:32
*** saju_m has joined #openstack-dev07:32
*** jcooley_ has joined #openstack-dev07:34
*** yolanda has joined #openstack-dev07:34
*** rohitk has quit IRC07:34
*** Drankis has quit IRC07:37
*** comay has joined #openstack-dev07:38
*** kgriffs is now known as kgriffs_afk07:39
*** gokrokve has joined #openstack-dev07:39
*** jhesketh__ has quit IRC07:40
*** markwash has quit IRC07:40
*** AlexF has joined #openstack-dev07:41
*** bvandenh has joined #openstack-dev07:43
*** athomas has quit IRC07:43
*** gokrokve has quit IRC07:44
*** DinaBelova is now known as DinaBelova_07:44
*** dkuffner has joined #openstack-dev07:45
*** MaxV has quit IRC07:45
*** markwash has joined #openstack-dev07:47
*** taps has quit IRC07:47
*** rohitk has joined #openstack-dev07:47
*** bauzas has joined #openstack-dev07:48
*** dstufft_ is now known as dstufft07:50
*** nosnos_ has joined #openstack-dev07:51
*** paragan has quit IRC07:52
*** NikitaKonovalov_ is now known as NikitaKonovalov07:52
*** kushal has quit IRC07:53
*** nosnos has quit IRC07:54
*** afazekas_ has joined #openstack-dev07:56
*** johnthetubaguy has joined #openstack-dev08:01
*** achampion has joined #openstack-dev08:03
*** johnthetubaguy has quit IRC08:03
*** johnthetubaguy has joined #openstack-dev08:03
*** denis_makogon has quit IRC08:04
*** smurugesan has joined #openstack-dev08:06
*** kushal has joined #openstack-dev08:07
*** gcha has joined #openstack-dev08:08
*** smurugesan has quit IRC08:10
*** matsuhashi has quit IRC08:10
*** sarob has joined #openstack-dev08:12
*** lari_ has quit IRC08:12
*** johnthetubaguy has quit IRC08:12
*** oro has joined #openstack-dev08:13
*** afazekas_ has quit IRC08:13
*** paragan has joined #openstack-dev08:13
*** Ryan_Lane has quit IRC08:14
*** lari_ has joined #openstack-dev08:14
*** jamespage_ has joined #openstack-dev08:15
*** sarob has quit IRC08:17
*** reed has joined #openstack-dev08:20
*** posito has joined #openstack-dev08:22
*** lcheng_ has quit IRC08:23
positoHello, can i apply manually a patch from review.openstack.org (devstack-gate is a bit overkill for my need).08:24
*** jamespage_ has quit IRC08:24
*** xga has joined #openstack-dev08:25
*** xga_ has joined #openstack-dev08:25
rushiagrposito: for submissions upstream, no, you cannot skip the process08:25
*** martyntaylor has joined #openstack-dev08:25
positorushiagr: I am not trying to vote just understand when I have to do the cherry-pick in my flow08:25
rushiagrposito: sorry, I didn't get you08:26
positorushiagr:  regarding my message it's not clear. Let me try it again. I want to test (https://review.openstack.org/#/c/70835/) How should I apply the patch.08:28
*** MaxV has joined #openstack-dev08:28
*** flaper87|afk is now known as flaper8708:29
rushiagrposito: oh, okay. Sorry, I misunderstood you08:29
rushiagryou can see a line starting with 'git fetch https://....' on the review page08:30
*** kgriffs_afk is now known as kgriffs08:30
rushiagrand a copy icon next to it08:30
rushiagrposito: so just copy it and paste it into your local repository if you want to apply that patch08:30
positorushiagr: Yes... but when I will do a stack.sh those change will discarded unless i go in offline mode08:31
rushiagrposito: you are right08:31
*** bauzas has quit IRC08:31
rushiagrposito: for that, what you can do is: 1. set up devstack 2. apply this patch 3. restart the affected screens08:31
rushiagrposito: I'm not a compute expert so can't say what all services you need to restart inside the screen sessions08:32
rushiagrposito: i'll just restart all screens starting with 'n-' :)08:32
rushiagrposito: ask me if you need help regarding screens08:33
*** mmagr has joined #openstack-dev08:35
positorushiagr:actually i am interested in neutron. So i should do is 1) run my stack normally. 2)go the location where stack is installed. do a git fetch 3) restart neutron08:35
*** nacim has joined #openstack-dev08:36
rushiagrposito: I am not completely sure, but the code affected by the change is only in nova, so you need to restart nova services only08:36
positorushiagr: the review that I showed you earlier was just a sample. But in general is there any patch that will change more than one service ?08:38
rushiagrposito: I don't think so08:38
*** sahid has joined #openstack-dev08:38
positorushiagr: also when I restart the service it will drop and recreate the mandatory database ?08:39
rushiagrposito: no08:39
rushiagrit won't as far as I know08:39
*** gokrokve has joined #openstack-dev08:39
*** florentflament has joined #openstack-dev08:40
*** kgriffs is now known as kgriffs_afk08:40
positorushiagr: hum... will it create them or nothing at all08:40
*** ndipanov_gone is now known as ndipanov08:41
rushiagrposito: it will just restart the service, and won't recreate databases. However, restarting screens might affect database entries, possibly08:41
positorushiagr: so maybe a better way would be to restart the screens08:41
rushiagrposito: right08:42
*** gokrokve has quit IRC08:44
*** iartarisi has joined #openstack-dev08:46
positorushiagr: damnint i thought i could use rejoin-stack.sh08:47
*** mrunge has joined #openstack-dev08:48
positorushiagr:  the description is strange though (Restart openstack services after running stack.sh)08:48
rushiagrposito: yes, it restarts all services, if all services are not running. But I'm not sure if it works with some of the services killed and the others running08:49
*** haomai___ has quit IRC08:49
positorushiagr: I could do a kill -9 on the neutron PID and then run this08:50
*** haomaiwang has joined #openstack-dev08:50
*** sushils has joined #openstack-dev08:51
rushiagrposito: is it throwing some error? Generally i've used rejoin stack only if all the devstack processes are not running08:51
positorushiagr: i didn't try it it .08:53
*** lcheng_ has joined #openstack-dev08:53
positorushiagr: i didn't try it yet. - I assume that it is is down, it will try to re-start the service08:53
rushiagrposito: or you can just go to that screen, kill the process with ctrl+C, press up arrow to see the last statement executed, and execute it08:54
positorushiagr: I would like to try to do this with a script08:55
*** ygbo has joined #openstack-dev08:55
rushiagrposito: oh08:55
positorushiagr: the devstack-gate, seems to be really great but a bit overkill with all of the customization that i need to do before08:56
*** DinaBelova_ is now known as DinaBelova08:57
*** yassine has joined #openstack-dev08:58
*** cnesa has joined #openstack-dev08:58
*** nkinder has joined #openstack-dev08:59
*** jpich has joined #openstack-dev09:00
*** zzelle has joined #openstack-dev09:01
*** AlexF has quit IRC09:02
*** markmc has joined #openstack-dev09:04
*** xqueralt has joined #openstack-dev09:05
*** julienvey has joined #openstack-dev09:06
*** sarob has joined #openstack-dev09:07
*** bauzas has joined #openstack-dev09:07
*** Ryan_Lane has joined #openstack-dev09:07
*** amerine_ has joined #openstack-dev09:09
*** DinaBelova is now known as DinaBelova_09:09
*** skudriashev has joined #openstack-dev09:10
*** amerine has quit IRC09:11
*** posito has quit IRC09:11
*** sarob has quit IRC09:11
*** CaptTofu has joined #openstack-dev09:14
*** stannie has joined #openstack-dev09:14
*** marun has quit IRC09:16
*** mflobo has quit IRC09:17
*** safchain has joined #openstack-dev09:17
*** Ryan_Lane has quit IRC09:17
*** CaptTofu has quit IRC09:18
*** eglynn has joined #openstack-dev09:19
*** rdas has quit IRC09:22
*** derekh has joined #openstack-dev09:22
*** bhuvan has quit IRC09:22
*** marekd|away is now known as marekd09:22
*** yolanda has quit IRC09:26
*** yolanda has joined #openstack-dev09:26
*** sweston has quit IRC09:27
*** DinaBelova_ is now known as DinaBelova09:27
*** lucasagomes has joined #openstack-dev09:30
*** kgriffs_afk is now known as kgriffs09:31
*** lcheng_ has quit IRC09:32
*** giulivo has joined #openstack-dev09:35
*** gilliard has joined #openstack-dev09:36
*** Oneiroi has joined #openstack-dev09:39
*** kgriffs is now known as kgriffs_afk09:40
*** nkinder has quit IRC09:41
*** mkollaro has joined #openstack-dev09:41
*** lari_ has quit IRC09:41
*** nosnos_ has quit IRC09:43
*** lari_ has joined #openstack-dev09:45
*** max_lobur_afk is now known as max_lobur09:46
*** sushils has quit IRC09:49
*** YorikSar has joined #openstack-dev09:51
*** bhuvan has joined #openstack-dev09:51
*** Ryan_Lane has joined #openstack-dev09:54
*** mkollaro1 has joined #openstack-dev09:55
*** mkollaro has quit IRC09:55
*** buzztroll has quit IRC09:56
*** saju_m has quit IRC09:58
*** Ryan_Lane has quit IRC09:59
*** marun has joined #openstack-dev09:59
*** jasondotstar has joined #openstack-dev10:00
*** yamahata has quit IRC10:02
*** killer_prince has quit IRC10:05
*** sarob has joined #openstack-dev10:08
*** danpb has joined #openstack-dev10:08
*** sarob has quit IRC10:14
*** rossella_s has joined #openstack-dev10:16
*** sarob has joined #openstack-dev10:18
*** bada has joined #openstack-dev10:18
*** sarob has quit IRC10:22
*** sushils has joined #openstack-dev10:23
*** NikitaKonovalov is now known as NikitaKonovalov_10:25
*** sulrich has quit IRC10:28
*** sulrich has joined #openstack-dev10:29
*** amcrn has quit IRC10:29
*** paragan has quit IRC10:30
*** Oneiroi has quit IRC10:31
*** kgriffs_afk is now known as kgriffs10:31
*** achampion has quit IRC10:32
*** cnesa has quit IRC10:37
*** xga__ has joined #openstack-dev10:39
*** xga_ has quit IRC10:39
*** xga has quit IRC10:39
*** gokrokve has joined #openstack-dev10:39
*** xga has joined #openstack-dev10:40
*** kgriffs is now known as kgriffs_afk10:41
*** posito has joined #openstack-dev10:42
*** alop has quit IRC10:43
*** gokrokve has quit IRC10:44
*** oro has quit IRC10:46
*** jcooley_ has quit IRC10:52
*** jcooley_ has joined #openstack-dev10:52
*** cnesa has joined #openstack-dev10:52
*** dkuffner has quit IRC10:53
*** pixelb has joined #openstack-dev10:53
*** Adri2000 has quit IRC10:54
*** Adri2000 has joined #openstack-dev10:55
*** Adri2000 has quit IRC10:55
*** cnesa has quit IRC10:57
*** jcooley_ has quit IRC10:57
*** DinaBelova is now known as DinaBelova_10:57
*** e0ne has joined #openstack-dev10:57
*** posito has quit IRC10:58
*** DinaBelova_ is now known as DinaBelova10:59
*** Adri2000 has joined #openstack-dev10:59
*** Adri2000 has quit IRC10:59
*** Adri2000 has joined #openstack-dev10:59
*** jasondotstar has quit IRC11:00
*** Adri2000 has quit IRC11:02
*** mrunge has quit IRC11:03
*** Adri2000 has joined #openstack-dev11:03
*** I159 has joined #openstack-dev11:03
*** Oneiroi has joined #openstack-dev11:04
*** xga__ has quit IRC11:04
*** xga__ has joined #openstack-dev11:04
*** xga has quit IRC11:05
*** xga has joined #openstack-dev11:05
*** NikitaKonovalov_ is now known as NikitaKonovalov11:06
*** buzztroll has joined #openstack-dev11:07
*** xarg has quit IRC11:08
*** xarg_ is now known as xarg11:08
*** sarob has joined #openstack-dev11:11
*** buzztroll has quit IRC11:11
*** cnesa has joined #openstack-dev11:14
*** rdas has joined #openstack-dev11:14
*** CaptTofu has joined #openstack-dev11:15
*** xarg_ has joined #openstack-dev11:15
*** sarob has quit IRC11:15
*** pcm_ has joined #openstack-dev11:15
*** pcm_ has quit IRC11:16
*** gcha has quit IRC11:17
*** CaptTofu has quit IRC11:19
*** pcm_ has joined #openstack-dev11:20
*** achampion has joined #openstack-dev11:21
*** pcm_ has quit IRC11:22
*** xga__ has quit IRC11:22
*** xga has quit IRC11:22
*** pcm_ has joined #openstack-dev11:23
*** romcheg is now known as romcheg_ltp11:24
*** romcheg_ltp is now known as romcheg11:24
*** jp_at_hp has joined #openstack-dev11:25
*** achampion has quit IRC11:27
*** rohitk has quit IRC11:28
*** boris-42_ has quit IRC11:30
*** kgriffs_afk is now known as kgriffs11:32
*** oro has joined #openstack-dev11:34
*** jamielennox is now known as jamielennox|away11:34
*** gokrokve has joined #openstack-dev11:39
*** mkollaro1 has quit IRC11:40
*** kgriffs is now known as kgriffs_afk11:42
*** viktors has joined #openstack-dev11:42
*** gokrokve has quit IRC11:44
*** jamespage_ has joined #openstack-dev11:46
*** nkinder has joined #openstack-dev11:49
*** colinmcnamara has joined #openstack-dev11:49
*** baoli has joined #openstack-dev11:50
*** martyntaylor has left #openstack-dev11:51
*** kushal has quit IRC11:53
*** boris-42_ has joined #openstack-dev11:53
*** Drankis has joined #openstack-dev11:53
*** jamespage_ has quit IRC11:55
*** baoli has quit IRC11:59
*** yassine has quit IRC12:00
*** dkuffner has joined #openstack-dev12:00
erlonhi guys, we are working in a feature for swift. We are running to make it ready before the feature freeze. My question is, what is the best approach, to create the blueprint right now and then update it with the code later or, should we wait to create the blueprint when we have some code to show?12:03
*** baoli has joined #openstack-dev12:06
*** baoli has quit IRC12:06
*** baoli has joined #openstack-dev12:06
*** jruzicka has joined #openstack-dev12:07
*** kushal has joined #openstack-dev12:07
*** xga has joined #openstack-dev12:07
*** xga__ has joined #openstack-dev12:07
*** yeylon__ has joined #openstack-dev12:08
*** cnesa has quit IRC12:08
*** jasondotstar has joined #openstack-dev12:09
*** sarob has joined #openstack-dev12:12
*** CaptTofu has joined #openstack-dev12:13
*** ytwu has quit IRC12:14
*** raildo has quit IRC12:15
*** yassine has joined #openstack-dev12:15
*** ytwu has joined #openstack-dev12:15
*** cnesa has joined #openstack-dev12:15
*** sarob has quit IRC12:17
*** sgran has quit IRC12:18
*** RajeshMohan has quit IRC12:18
*** mmagr has quit IRC12:19
*** tellesnobrega has quit IRC12:20
*** MaxV has quit IRC12:21
*** tellesnobrega has joined #openstack-dev12:21
*** bhuvan has quit IRC12:21
*** sarob has joined #openstack-dev12:22
*** ala has quit IRC12:22
*** aditirav has quit IRC12:22
*** Longgeek has joined #openstack-dev12:23
*** achampion has joined #openstack-dev12:23
*** jcooley_ has joined #openstack-dev12:24
*** FunnyLookinHat has joined #openstack-dev12:24
*** sarob has quit IRC12:26
*** achampion has quit IRC12:28
*** amotoki has quit IRC12:29
*** unicell has joined #openstack-dev12:29
*** unicell has quit IRC12:29
*** unicell has joined #openstack-dev12:29
*** bhuvan has joined #openstack-dev12:29
*** jcooley_ has quit IRC12:30
*** nkinder has quit IRC12:30
*** posito has joined #openstack-dev12:32
ihrachysdhellmann: around?12:33
*** kgriffs_afk is now known as kgriffs12:33
ihrachysdhellmann: reading oslo meeting notes from prev Fri... so am I right that oslo devs consider oslo.messaging to be the master for 'stable' oslo-rpc implementation found in oslo-incubator?12:34
*** jamespage_ has joined #openstack-dev12:35
ihrachysdhellmann: meaning, any fix should go to oslo.messaging first and then be 'backported' to oslo-rpc12:35
*** jamespage_ has quit IRC12:35
*** jasondotstar has quit IRC12:37
*** ctlaugh_ has joined #openstack-dev12:38
*** glenng has quit IRC12:38
*** ctlaugh has quit IRC12:39
*** gokrokve has joined #openstack-dev12:39
*** alexpilotti has joined #openstack-dev12:40
*** lucasagomes is now known as lucas-hungry12:40
*** bhuvan has quit IRC12:41
*** colinmcnamara has quit IRC12:41
*** mflobo has joined #openstack-dev12:42
*** fandi has quit IRC12:42
*** kgriffs is now known as kgriffs_afk12:43
*** pschaef has quit IRC12:43
*** gokrokve has quit IRC12:44
*** DinaBelova is now known as DinaBelova_12:44
*** RajeshMohan has joined #openstack-dev12:45
*** posito has quit IRC12:45
*** rfolco has joined #openstack-dev12:46
*** nkinder has joined #openstack-dev12:47
*** nermina has joined #openstack-dev12:48
*** AnilV4 has quit IRC12:50
*** AnilV4 has joined #openstack-dev12:50
*** neeti has quit IRC12:52
*** IanGovett has joined #openstack-dev12:52
*** AMike has quit IRC12:54
*** rohitk has joined #openstack-dev12:55
*** galstrom_zzz is now known as galstrom12:57
*** gcha has joined #openstack-dev12:58
rushiagrerlon: hey12:58
rushiagrerlon: you can create the blueprint before submitting the code12:59
erlonrushiagr: hey Rushi12:59
*** ala has joined #openstack-dev13:00
*** ayoung has joined #openstack-dev13:00
*** bhuvan has joined #openstack-dev13:00
erlonrushiagr: great13:01
erlontks13:01
rushiagrerlon: it is also a good idea that you communicate your intent to submit code, and timeline if any, in the weekly team meeting13:02
erlonhmm, good, and when is this weekly meeting?13:02
erlonhere in IRC?13:02
*** lari_ has quit IRC13:02
erlonrushiagr: ^13:03
*** lari_ has joined #openstack-dev13:03
rushiagrerlon: it is on IRC. You can check the wiki to see the date and time of Swift meeting13:03
rushiagrhttps://wiki.openstack.org/wiki/Meetings13:04
rushiagrerlon: https://wiki.openstack.org/wiki/Meetings#Swift_team_meeting13:05
*** yamahata has joined #openstack-dev13:05
*** nermina has quit IRC13:05
*** danpb has quit IRC13:10
*** DinaBelova_ is now known as DinaBelova13:11
*** david-lyle has quit IRC13:11
*** danpb has joined #openstack-dev13:12
*** nkinder has quit IRC13:12
*** achampion has joined #openstack-dev13:14
*** sarob has joined #openstack-dev13:15
*** bhuvan has quit IRC13:16
*** colinmcnamara has joined #openstack-dev13:16
*** athomas has joined #openstack-dev13:16
*** RajeshMohan has quit IRC13:16
*** RajeshMohan has joined #openstack-dev13:17
*** ytwu has quit IRC13:18
*** MaxV has joined #openstack-dev13:18
*** afazekas_ has joined #openstack-dev13:18
*** Drankis has quit IRC13:19
*** achampion has quit IRC13:19
*** jcooley_ has joined #openstack-dev13:19
*** yolanda has quit IRC13:19
*** MaxV has quit IRC13:19
*** sarob has quit IRC13:19
*** MaxV has joined #openstack-dev13:19
*** dstanek has joined #openstack-dev13:19
*** nermina has joined #openstack-dev13:22
*** markvoelker has quit IRC13:23
*** bhuvan has joined #openstack-dev13:24
*** bhuvan has quit IRC13:24
*** bhuvan has joined #openstack-dev13:24
*** jdob has joined #openstack-dev13:25
*** yolanda has joined #openstack-dev13:25
*** jcooley_ has quit IRC13:26
*** Clabbe has joined #openstack-dev13:26
*** colinmcnamara has quit IRC13:27
*** johnthetubaguy has joined #openstack-dev13:28
*** johnthetubaguy has quit IRC13:29
*** belmoreira has joined #openstack-dev13:29
*** CaptTofu has quit IRC13:30
*** johnthetubaguy has joined #openstack-dev13:30
*** cfriesen has joined #openstack-dev13:30
*** russellb is now known as rustlebee13:30
*** ndipanov is now known as ndipanoff13:31
*** haomaiwang has quit IRC13:32
*** vladikr has joined #openstack-dev13:33
*** haomaiwang has joined #openstack-dev13:33
*** afazekas_ has quit IRC13:33
*** kgriffs_afk is now known as kgriffs13:34
*** doug_shelley66 has quit IRC13:34
*** yassine has quit IRC13:34
*** sahid has quit IRC13:35
*** raildo has joined #openstack-dev13:36
*** yassine has joined #openstack-dev13:37
*** vartom1111111117 has quit IRC13:38
*** aveiga has joined #openstack-dev13:38
*** yeylon__ has quit IRC13:38
*** rohitk has quit IRC13:38
*** gmoro has quit IRC13:38
*** gokrokve has joined #openstack-dev13:39
*** sulrich has quit IRC13:39
*** milki has quit IRC13:39
*** alexpilotti has quit IRC13:40
*** milki has joined #openstack-dev13:43
*** gokrokve has quit IRC13:44
*** sahid has joined #openstack-dev13:44
*** kgriffs is now known as kgriffs_afk13:44
*** CaptTofu has joined #openstack-dev13:44
*** achampion has joined #openstack-dev13:45
*** nermina has quit IRC13:47
*** achampion has quit IRC13:47
*** jecarey has quit IRC13:48
*** joesavak has joined #openstack-dev13:49
*** jasondotstar has joined #openstack-dev13:50
*** pschaef has joined #openstack-dev13:50
*** gmoro has joined #openstack-dev13:50
*** rohitk has joined #openstack-dev13:51
*** bhuvan has quit IRC13:54
*** NikitaKonovalov is now known as NikitaKonovalov_13:56
*** dvarga has joined #openstack-dev13:58
*** sulrich has joined #openstack-dev13:58
*** lucas-hungry is now known as lucasagomes13:58
*** galstrom is now known as galstrom_zzz13:59
*** lbragstad has quit IRC13:59
*** colinmcnamara has joined #openstack-dev14:00
*** thomasem has joined #openstack-dev14:00
*** bhuvan has joined #openstack-dev14:01
*** dbalog has joined #openstack-dev14:02
*** dsirrine has joined #openstack-dev14:02
*** gordc has joined #openstack-dev14:03
*** morazi has joined #openstack-dev14:03
*** tmclaugh[work] has joined #openstack-dev14:04
*** mriedem has joined #openstack-dev14:04
*** mfer has joined #openstack-dev14:04
*** alexpilotti has joined #openstack-dev14:05
*** jsavak has joined #openstack-dev14:07
*** doug_shelley66 has joined #openstack-dev14:09
tellesnobregadolphm: hi, during the hierarchical multitenancy meeting you said that having a admin domain and admin project to have a project_admin and a domain_admin role, do you think its worth to invest time in fixing this?14:09
*** NikitaKonovalov_ is now known as NikitaKonovalov14:10
*** tongli has joined #openstack-dev14:10
*** dprince has joined #openstack-dev14:10
*** thuc has joined #openstack-dev14:10
tellesnobregadolphm: im trying to come up with problems that could be solved by the summit, at least with a PoC, so it could be presented there and gather opinions14:11
*** rohitk has quit IRC14:11
dolphmtellesnobrega: with hierarchical multitenancy, it might make a lot of sense to replace those rather arbitrary concepts with role assignments on the root tenant/project14:11
*** joesavak has quit IRC14:11
dolphmtellesnobrega: another approach- https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens14:12
*** glenng has joined #openstack-dev14:12
*** thuc_ has joined #openstack-dev14:12
tellesnobregadolphm: i see, this role assignments are also included in vishy's PoC?14:12
*** sgran has joined #openstack-dev14:12
dolphmtellesnobrega: they are not, but it might be a logical next step14:13
*** bknudson has quit IRC14:13
tellesnobregadolphm: good, i think i will put this on the background for now, since the concept of hierarchical multi tenancy will be defined in the summit, and im looking to bring something to the summit14:14
*** pberis has quit IRC14:14
*** jcooley_ has joined #openstack-dev14:14
dolphmraildo: o/14:14
*** igor_ has joined #openstack-dev14:15
*** igor__ has quit IRC14:15
dolphmtellesnobrega: it's a long standing issue against keystone https://bugs.launchpad.net/keystone/+bug/96869614:16
*** thuc has quit IRC14:16
uvirtbotLaunchpad bug 968696 in keystone ""admin"-ness not properly scoped" [High,Confirmed]14:16
*** sarob has joined #openstack-dev14:16
*** tdruiva has joined #openstack-dev14:16
*** colinmcnamara has quit IRC14:16
*** jaypipes has joined #openstack-dev14:16
raildodolphm: I'm working with tellesnobrega and we are trying to create a cool idea, to send to the summit = D14:17
*** jdob has quit IRC14:17
*** jdob has joined #openstack-dev14:17
*** tdruiva has quit IRC14:17
dolphmthis is a topic we'll certainly be discussing - i was hoping to have a solution land in icehouse, but it's too late for that now14:17
*** jecarey has joined #openstack-dev14:18
*** tdruiva has joined #openstack-dev14:18
*** IanGovett has quit IRC14:19
*** jcooley_ has quit IRC14:19
raildodolphm: Do you think a good idea to remove the requirement to be connected to domain and project to create a super admin?14:19
*** jckasper has quit IRC14:20
raildodolphm: I think we could better discuss about it in some meeting, or create a mailing list for it14:20
*** blues-man has joined #openstack-dev14:21
*** Ajaeger has joined #openstack-dev14:22
raildoSend an email to the mailing list openstack-dev *14:22
*** sarob has quit IRC14:22
tellesnobregadolphm: we are really interested in having multi tenancy on OS. Our goal is to have some improvement in this direction to show in Atlanta14:24
*** NikitaKonovalov is now known as NikitaKonovalov_14:24
*** adreznec has joined #openstack-dev14:25
raildo+114:25
*** sarob has joined #openstack-dev14:25
*** colinmcnamara has joined #openstack-dev14:27
*** xqueralt_ has joined #openstack-dev14:27
*** xqueralt_ has quit IRC14:28
*** xqueralt_ has joined #openstack-dev14:28
*** Nithya has joined #openstack-dev14:28
*** thuc has joined #openstack-dev14:29
*** sarob has quit IRC14:30
*** xqueralt has quit IRC14:31
*** xqueralt_ is now known as xqueralt14:31
*** lbragstad has joined #openstack-dev14:32
*** nshaikh has quit IRC14:33
*** thuc_ has quit IRC14:33
*** thuc has quit IRC14:34
*** kgriffs_afk is now known as kgriffs14:35
*** rdas has quit IRC14:35
*** florentflament has quit IRC14:35
*** xga__ has quit IRC14:36
*** xga_ has joined #openstack-dev14:36
*** xga has quit IRC14:36
*** edmund has joined #openstack-dev14:36
*** xga has joined #openstack-dev14:36
*** primeministerp has joined #openstack-dev14:37
*** jayg|g0n3 is now known as jayg14:37
*** prad_ has joined #openstack-dev14:38
*** bhuvan has quit IRC14:39
*** colinmcnamara has quit IRC14:39
*** doug_shelley66 has quit IRC14:39
*** gokrokve has joined #openstack-dev14:39
*** bknudson has joined #openstack-dev14:39
*** peristeri has joined #openstack-dev14:40
*** alex_xu has quit IRC14:40
raildoayoung: I was discussing with some colleagues the idea of creating a super admin for the keystone, in case it would be a user that is not related to any project or area and have the privileges to control the entire cloud. But currently, you can not do this, because every user must be associated with a project and field, for us it is conceptually wrong. So we wanted to propose the idea to the summit of being able to create a su14:41
raildowithout being associated with any field or project and basically would include validations where there are the projects and domains, if the user has the role of super admin. You think it's valid, we spend time to propose this to the summit?14:41
ayoungraildo, I think it is wrong14:41
ayoungI think you are thinking about a different problem14:42
*** martyntaylor has joined #openstack-dev14:42
ayoungand I think you want to check out the discussion about hierarchical multitenancy on the dev mailing list14:42
ayoungI could see "endpoint specific roles"14:43
*** haomaiwang has quit IRC14:43
ayoungwith the keystone server itself being an endpoint. As well as service level roles.14:43
*** haomaiwang has joined #openstack-dev14:43
ayoungatiwari was actually working on that, but had some misconceptions himself.14:43
*** gokrokve has quit IRC14:43
ayoungas far as the distinction between a role definition and a role assignment, but he was generally on the right track14:44
*** athomas has quit IRC14:44
*** aeperezt has joined #openstack-dev14:44
*** kgriffs is now known as kgriffs_afk14:44
ayoungraildo, everything is controlled by a rule that says "does the user have the appropriate role in this scope"14:44
ayoungso the question is whether the scopes we have currently defined are sufficient.  I am fairly certain that they are, you just need to think about the roles themselves differently.14:45
ayoungHowever, I could see an endpoint-specific role assignment as "semantic sugar" to simplify14:46
*** jdob_ has joined #openstack-dev14:46
*** jdob has quit IRC14:46
*** burt1 has joined #openstack-dev14:47
*** stan_ivanov has joined #openstack-dev14:47
*** rtheis has joined #openstack-dev14:48
*** NikitaKonovalov_ is now known as NikitaKonovalov14:49
*** otherwiseguy has joined #openstack-dev14:49
*** bhuvan has joined #openstack-dev14:50
*** hackeru has joined #openstack-dev14:50
hackerulol14:51
hackeru?14:51
hackeru??14:51
*** hackeru has left #openstack-dev14:51
dolphmayoung: if you consider services to be inherent owners of their own data, then it makes sense for all tenants/projects to inherit role assignments from a root tenant which owns the services themselves14:52
*** hackeru has joined #openstack-dev14:52
tellesnobregaayoung: what raildo is suggesting it to be able to have a user that won't be attached to any domains or projects, and will have a super_admin role, and this role will be inherited in all domains and projects, so he will be able to manage the whole cloud. He will need to get a token to whichever scope he wants to manage14:52
dolphmi'm sure deployments like HP's will happily complicate things further by having hierarchies of services14:52
ayoungtellesnobrega, we've been there before14:52
ayoungit wa called global roles.14:52
raildoI see today is that the roles are not sufficient to elaborate a better cloud, then the implementation of the new policy.json v3, where we can create a domain admin or project admin, for example, will greatly improve it but when we treat the super admin, I think this is kinda weird being required to authenticate a project to list the roles, since it will not actually run anything on any project14:52
raildoBut I'll read the best and suggested discussion about the endpoint-specific role assign, to see how I can help with that.14:53
ayoungBetter, and more consistent, to have a container for a role14:53
*** dperaza1 has joined #openstack-dev14:53
*** jruzicka is now known as limited_cocotte14:53
tellesnobregaayoung: i see14:53
dolphmraildo: the concept of global role assignments contradicts the rules of multitenancy14:53
ayoungBottom line is, yes, there needs to be something at the root of the tree14:54
hackeru=))))14:54
*** FunnyLookinHat has quit IRC14:55
*** athomas has joined #openstack-dev14:55
*** dperaza has quit IRC14:55
*** limited_cocotte is now known as transcendence14:56
*** dansmith is now known as damnsmith14:56
*** transcendence is now known as jruzicka14:56
*** dims has quit IRC14:57
tellesnobregaayoung and dolphm and raildo, from what im getting from this, and i may be wrong (correct if i am), working with roles right now isn't a good plan, since the definition on hierarchical multitenancy will define how roles will work from this point on.14:57
raildodolphm: I understand. Do you have any idea how it would be a super admin using multitenancy? In the context of hierarchical multitenancy , super admin would be associated with the project and have root access to their children, grandchildren ... to the leaves, and project_admin would have access only to your project, right?14:57
ayoungso... domain is the root of the tree for multitenancy14:57
dolphmtellesnobrega: ++14:57
ayoungthink of a domain as a project without a parent14:57
*** Ajaeger has left #openstack-dev14:57
dolphmayoung: --14:58
ayoungfeh14:58
dolphmclose, but...14:58
*** byeager has joined #openstack-dev14:58
ayoungdolphm, it is the top level namespace as well.14:58
dolphmayoung: as discussed in last week's meeting, all current domains would basically inherit from a single root/null node14:58
dolphmayoung: so you can only have a single hierarchy14:58
*** oro has quit IRC14:58
ayoungAnd it gets dropped off the namespace for a project so that tenantA doesnt see too much info about tenantB14:58
*** markvoelker has joined #openstack-dev14:59
raildoWhat need a domain? I think the valid existence because the features that exist today but conceptually this does not seem right.14:59
ayoungraildo, namespacing14:59
*** tsekiyama has joined #openstack-dev15:00
ayoungcoke and pepsi in the same datacenter15:00
ayoungeach get a project called "general"15:00
ayoungprior to domain, was not possible15:00
ayoungit would have to be flat, like variable names in C15:00
*** kevinconway has joined #openstack-dev15:00
ayoungcoke_general and pepsi_general15:00
*** jmckind has joined #openstack-dev15:00
*** Gordonz has joined #openstack-dev15:01
*** n0ano has quit IRC15:01
mtreinishmarkmcclain: hey, I'm around now15:02
*** IanGovett has joined #openstack-dev15:03
*** vijendar has joined #openstack-dev15:03
*** eharney has joined #openstack-dev15:04
raildoayoung: e dolphm thanks for the help, we will talk here, think of something useful and returned to discuss with you (if it is not bothering you too much)15:04
ayoungNot at all15:04
dolphmraildo: happy to talk through it15:04
tellesnobregatellesnobrega: appreciate the help as well15:05
*** doug_shelley66 has joined #openstack-dev15:06
*** tkammer has joined #openstack-dev15:06
mtreinishmarkmcclain: hey, I'm around now15:07
*** ArxCruz has quit IRC15:07
*** iartarisi has quit IRC15:07
*** zul has quit IRC15:07
*** vijendar has quit IRC15:08
*** jcooley_ has joined #openstack-dev15:08
YorikSarHello, everyone. I want to raise here a question I've already asked on ML: Do we really need eventlet (or asyncio or whatever) in our projects? http://lists.openstack.org/pipermail/openstack-dev/2014-February/026568.html15:08
*** stevemar has joined #openstack-dev15:08
*** rbrady is now known as rbrady-mtg15:08
YorikSarA little followup here: http://lists.openstack.org/pipermail/openstack-dev/2014-February/026583.html15:09
*** ArxCruz has joined #openstack-dev15:09
*** zaitcev has joined #openstack-dev15:10
*** zul has joined #openstack-dev15:10
*** dims has joined #openstack-dev15:10
YorikSarayoung: I'm really interested in your opinion on that matter as Keystone have been shifted away from eventlet thanks to you.15:10
*** boris-42_ has quit IRC15:12
*** bvandenh has quit IRC15:13
ayoungYorikSar, no good deed goes unpunished.  I've been telling people to move to HTTPD for years (2 to be exact) and now that they are, we find mod_wsgi has a hardcoded header size limit that prevents the tokens from holding large catalogs15:13
*** boris-42_ has joined #openstack-dev15:13
ayoungso...I'm wokring on compressing tokens15:13
ayoungeventlet and continuation based web servers make sense for certain workloads, but read/write DB apps are not one of them15:14
ayoungwith Keystone tokens going crypto, we incurr a higher CPU load, and greenthreads don't have a good answer for that either15:14
*** jcooley_ has quit IRC15:14
*** ijw has joined #openstack-dev15:14
*** schwicke has joined #openstack-dev15:14
ayoungasync io is a tool in the toolbox, but as a clever man once observed "There is no silver bullet" in programming.15:14
YorikSarayoung: I think it's kept around as just some tool with no actual use.15:16
*** ogelbukh has quit IRC15:16
ayounginteria is a powerful force15:16
YorikSarayoung: Btw, why not deploy Keystone with some other server then?15:17
ayoungYorikSar, other than HTTPD?15:17
YorikSarayoung: Yes15:17
ayoungits a bug in mod_wsgi15:17
ayoungpackaging15:17
hackeru"___"15:17
YorikSarayoung: Oh...15:17
ayoungYorikSar, a better approach is to replace mod_wsgi, I think15:17
*** kragniz has quit IRC15:18
ayoungthere is an alternative...15:18
hackeru;)15:18
YorikSarayoung: You mean, it can be repackaged so that we'll get bigger header limit?15:18
ayoungheh, I meant that switching web servers is a packaing headache for the major distros15:18
ayoungeasier to patch mod_wsgi15:18
*** mkollaro has joined #openstack-dev15:19
*** sweston has joined #openstack-dev15:19
ayoungI can't remember the name, but there is a different module...looking15:19
YorikSarayoung: There is mod_python, but it's an old dead thing.15:20
ayoungnah, something new and shiny that I don';t yet trust15:20
ayoungdolphm, what was the alternative to mod_wsgi people were looking for support on?15:20
*** mikeoutland has joined #openstack-dev15:20
ayounggunicorn15:21
dolphmayoung: chaussette?15:21
*** dvarga is now known as dvarga|away15:21
dolphmayoung: i don't know -- *any* other wsgi server?15:21
*** dvarga|away is now known as dvarga15:21
ayoungthat is a new one to me dolphm15:21
ayoungI think it is gunicorn15:21
dolphmayoung: they're all the same15:21
ayoungah15:21
dolphmin terms of how we support them15:21
*** ijw has quit IRC15:22
YorikSarOk, so they're basically separate servers talking to Apache frontend (if it's needed).15:22
YorikSaruWSGI is a cool one, for example.15:22
ayoungYorikSar, yeah15:22
ayoungbut prefork15:22
*** ijw has joined #openstack-dev15:22
YorikSarayoung: Some of them (gunicorn, for example) can for, spawn threads and run eventlet hubs in them.15:23
*** colinmcnamara has joined #openstack-dev15:23
YorikSar*fork15:23
ayoungso long as the SSL and other crypto is done native, prior to python code, I'm OK with it (I think)15:23
*** andreykurilin has joined #openstack-dev15:23
ayoungI want SSL everywhere and strong crypto authentication15:23
YorikSarayoung: Yeah, encrypt and authenticate everything - that's why you're in Keystone, right? :)15:24
*** mikeoutland has quit IRC15:25
YorikSarBut... Getting back to my question.15:25
YorikSarDo you see any use of async in core projects?15:25
*** browne has joined #openstack-dev15:26
*** rraja has joined #openstack-dev15:26
*** david-lyle has joined #openstack-dev15:26
YorikSarAsync is cool when there's a lot (really lot) network connections with really lot data transfer.15:26
YorikSarI don't see that happening in OpenStack.15:26
therveReally?15:27
YorikSartherve: What do you have in mind?15:28
*** xqueralt has quit IRC15:29
therveOpenStack is all about interacting APIs, if that's not a lot of network connections I don't know what that is15:29
*** xqueralt has joined #openstack-dev15:29
*** Nikolay_St has joined #openstack-dev15:32
*** ogelbukh has joined #openstack-dev15:32
YorikSartherve: A lot is P2P full-mesh connections in huge DHT network. OpenStack API servers won't handle 10k simultanious requests at a time because a) requests are handled too quickly and b) there's actually no need for it.15:33
*** florentflament has joined #openstack-dev15:33
ayoungYorikSar, so, it a task cannot be completed immediately, it should be recorded and the user should get back a 20215:33
ayoungnow...question is what is meant by "recorded"15:33
*** galstrom_zzz is now known as galstrom15:34
ayoungI probably it means appended to a high throughput log15:34
*** jgrimm has joined #openstack-dev15:34
YorikSarayoung: Services usually send an RPC request to some backend worker.15:34
ayoungyou can put it in a database, so long as it can be injected without conflicts15:34
ayoungRPC is problematic15:34
therveYorikSar, I don't understand your point. It seems to be "We shouldn't care about scaling in OpenStack", which seems weird to me15:34
ayoungyou don;t want to wait for a remote call15:34
YorikSarayoung: Or store something in DB (which won't yield greenthread btw)15:35
ayoungtherve, we should not worry about scaling in openstack15:35
ayoungright15:35
*** mrodden1 is now known as mrodden15:35
ayoungtherve, we should worry about scaling across openstack15:35
*** athomas has quit IRC15:35
ayoungbut scalability can't come with a sacrifice of security or stability15:35
*** kgriffs_afk is now known as kgriffs15:35
therveI don't understand the difference15:36
ayoungtherve, good, I've given you something to thinkabout then15:36
YorikSartherve: No. I suggest not to worry about scaling just because. I suggest to remove eventlet from and let Apache HTTPD, gunicorn, uWSGI, or whichever other application server handle scaling in production.15:36
*** hackeru has left #openstack-dev15:36
ayoungYorikSar, if we have to wait for an RPC, async IO off system, or even a write to local disk that is going to have contention, the request might as well be handled by a separate thread15:37
ayoungthe OS is going to be best capable of handling that15:37
therveYorikSar, Those are not application servers, but web servers.15:37
YorikSarayoung: Actually if you're waiting for RPC call, you thread will yield (GIL released, or eventlet's hub take it over).15:37
*** JoshuaG_AIM has left #openstack-dev15:38
*** Nikolay_St has quit IRC15:38
ayoungYorikSar, yes, assuming that all of the underlying code is greenlet friendly15:38
YorikSartherve: It depends on definition15:38
ayoungbut as soon as you need to call crypto, all bets are off15:38
ayoungand, for RPC calls, you need to call crypto, or you get no message signing,15:38
ayoungI hate the term RPC15:39
ayounglets call it posting to a queue15:39
*** achampion has joined #openstack-dev15:39
*** gokrokve has joined #openstack-dev15:39
*** pablosan has quit IRC15:39
*** alop has joined #openstack-dev15:39
YorikSarayoung: That's exactly my point: stop worrying about eventlet already. It's at least not helping when we cannot guarantee that all libs are eventlet-friendly.15:39
ayoungwhen you post a message to a queue from a web server, you want to sign the message first.  that is what the KDS work is all about.  Signing a message requires callling in to crypto library, the Bets" you can get from eventlet is to do a process fork and wait15:40
dstanekYorikSar: you have the same problem with gunicorn and others15:40
*** pablosan has joined #openstack-dev15:40
ayoungbut, even that, it turns out is problematic15:40
*** jergerber has joined #openstack-dev15:40
ayoungdstanek, not if you have already forked15:40
YorikSarayoung: And with asyncio things become even worse since even less libs are going to be asyncio-compatible.15:40
*** FunnyLookinHat has joined #openstack-dev15:40
*** jprovazn is now known as jprovazn_bbl15:41
dstanekayoung: foking has nothing to do with libs being greenlet friendly15:41
YorikSarayoung: You can have threads for this, actually.15:41
ayoungwith a prefork model, you can just do in process crypto, and who cares about the GIL etc at that point15:41
ayoungdstanek, I think you are missing the point15:41
ayoungnoin-greenlet friendly libs are usable in a prefork model15:42
YorikSarayoung: crypto libs should release GIL on CPU-intensive operations.15:42
ayoungYorikSar, then you need to have Python specific wrappers for everything you call.15:42
*** jnoller has joined #openstack-dev15:42
YorikSarayoung: What do you mean?15:42
*** vijendar has joined #openstack-dev15:43
*** colinmcnamara has quit IRC15:43
ayoungYorikSar, releaseing the GIL must be done in native code.15:43
*** mikeoutland has joined #openstack-dev15:43
YorikSarayoung: How do you call a library without a wrapper?15:43
danpbayoung: or wrap all the native API calls in  eventlet  native threadpool as we do for libvirt15:43
ayoungwhich means that a general purpose library then needs a python specific wrapper15:43
ayoungwhich is fine, if it exists15:43
YorikSarayoung: Do you have some specific crypto library that is GIL-greedy?15:44
*** gokrokve has quit IRC15:44
ayoungdanpb, if the majority of the work is going to require a threadpool, why even bother with eventlet?15:44
*** tjones has joined #openstack-dev15:44
*** alop has quit IRC15:44
ayoungYorikSar, I don;t want to have to care15:44
*** mikeoutland has quit IRC15:45
danpbayoung: well that is a good point - i frequently wish we use real threads everywhere instead ofo eventlet, but ho hum that decision was made a while back15:45
ayoungYorikSar, people used to complain about Java that it reimplemented everything in Java. I don't want to have the same complaint about Python15:45
*** kgriffs is now known as kgriffs_afk15:45
YorikSarayoung: Well... If you use some library with native calls, it'll most likely release GIL on CPU-intensive operations that doesn't touch Python objects, IO operations, etc.15:45
YorikSarayoung: If it doesn't, it's already considered a bad library/wrapper.15:46
ayoungdanpb, So We've worked hard in Keystone to make it such that it can be run either in an eventlet or non-eventlet based WSGI container, and that at  startup time, you have an explicit call to determine which model you are using15:46
*** alop has joined #openstack-dev15:46
*** vijendar has quit IRC15:47
*** tkammer has quit IRC15:47
YorikSarBut I'm not actually advocating for threaded model.15:47
ayoungYorikSar, the point is, for Keystone, HTTPD in prefork is logical.  If we need to then scale out to threads, it requires an additional level of complexity analysis.  Adding in greenthreads takes it yet again to another level.15:47
*** vijendar has joined #openstack-dev15:47
*** kolesovdv has quit IRC15:48
YorikSarAlthough it beats forking model in memory consumption.15:48
ayounghttp://c2.com/cgi/wiki?PrematureOptimization15:48
*** galstrom is now known as galstrom_zzz15:48
YorikSarayoung: What do you mean by complexity analysis? Like benchmarking or like looking for races?15:49
*** colinmcnamara has joined #openstack-dev15:50
YorikSarayoung: And yes, I think that using threads, especially the green ones is a one huge premature optimization that has been done extremely early in OpenStack life.15:50
ayoung++15:50
*** yaguang has quit IRC15:51
YorikSarayoung: That's why I really suggest to move away from any async stuff in our code instead of spending time replacing eventlet with whatever.15:51
*** rraja_ has joined #openstack-dev15:51
*** vijendar has quit IRC15:52
*** vijendar has joined #openstack-dev15:52
*** aveiga has quit IRC15:53
*** rraja has quit IRC15:53
ayoungYorikSar, there was a battle about 10 years ago for the soul of the threading model in Linux.  On one side was the "thread in kernel space" people, and on the other "thread in user space"  and the Kernel folks won out.  So we have people that think that we need to thread in userspace without Kernel support.  I'm of the opinion that we need to think in terms of web servers that can be massively scaled horizontally.  Lets not opti15:53
ayoungmize the servers for performance, lets optimize them for statelessness.15:53
*** kushal has quit IRC15:53
dstanekayoung: in most production deployments i have used gunicorn to prefork based on # of CPUs - with gunicorn the workers run with gevent15:53
ayoungthat is "cloud"15:53
*** pablosan_ has joined #openstack-dev15:54
*** pablosan has quit IRC15:54
*** VINOD_ has joined #openstack-dev15:54
*** carl_baldwin has joined #openstack-dev15:54
dstanekayoung: ++15:54
ayoungdstanek, I've been so "all over the place" in my career that I can't say what I've done in "most" deployments.15:54
YorikSarayoung: It looks like we're in the same camp on this topic. If you have some time could you please chime in on my thread in the ML? You word would give more weight to my point.15:55
ayoungOK...back to my day job15:55
*** atiwari has joined #openstack-dev15:55
ayoungYorikSar, I don;t think it matters at the "openstack" level.  I think each individual project has to commit to being able to run on servers other than eventlet or it is not going to happen15:55
ayoungI can barely cover the Keystone cases15:55
*** amerine_ has quit IRC15:55
dstanekayoung: i've been lucky (you might say unlucky) enough to have work almost exclusively in Python for the last 12 years15:56
ayoungpeople on swift are pushing there15:56
ayoungdstanek, python is a decent subset of Lisp, but it lacks a macro preprocessor15:56
*** mikeoutland has joined #openstack-dev15:56
ayoung:)15:56
dstanek:)15:56
*** tmclaugh[work] has quit IRC15:57
YorikSarayoung: Well... I'm not sure that it doesn't matter on the OpenStack level.15:57
ayoungYorikSar, are you heads down lookking at Nova code?  THat is the place that I care about it the most, and I have no time to get dirty with it,15:58
YorikSarayoung: Because if people invest a lot of time into shifting to asyncio, it'll be even harder to convince them to move away from it.15:58
*** dencaval has joined #openstack-dev15:58
*** jmontemayor has joined #openstack-dev15:58
ayoungYorikSar, actually, the consumers of the Messaging code are problematic.  Those use greenthreads, and probably need to move to Posix threads.  I am not as concerned about the Web APIS15:59
ayoungits the pure message driven code that should really be posix threaded15:59
YorikSarI already had one PTL telling me "Why the hell do we need this? All other projects use eventlet. It works for us as well. An hour spent on this topic is a waste of time."15:59
ayoungYorikSar, people can propose, but it still needs to get by code review15:59
ayoungYorikSar, fix Nova, and the rest will follow16:00
*** zul has quit IRC16:00
YorikSarayoung: I don't understand, what is your consern about messaging?16:00
*** Ruetobas has quit IRC16:01
YorikSarayoung: It can run inside application server just as WSGI app would.16:01
*** zul has joined #openstack-dev16:01
*** troytoman-away is now known as troytoman16:01
*** jcooley_ has joined #openstack-dev16:01
ayoungYorikSar, bigger topic than I have time for now.  I have an internal meeting in a few minutes16:01
*** tonix has joined #openstack-dev16:02
*** athomas has joined #openstack-dev16:02
*** raildo has quit IRC16:02
*** raildo has joined #openstack-dev16:02
YorikSarayoung: For example, uWSGI can be configured to run as much processes/threads as you want and quickly spawn new ones without having to go back to HTTP.16:02
*** tkammer has joined #openstack-dev16:02
YorikSarayoung: Oh, sure. Thanks for your time. I'm glad that I'm not alone with this mindset.16:02
*** Ruetobas has joined #openstack-dev16:03
*** pmathews has joined #openstack-dev16:03
*** amerine has joined #openstack-dev16:03
*** tjones has quit IRC16:04
*** xarses has quit IRC16:04
*** xga_ has quit IRC16:04
*** mflobo has quit IRC16:05
*** tjones has joined #openstack-dev16:05
*** pradeep has left #openstack-dev16:07
*** kushal has joined #openstack-dev16:07
*** jcooley_ has quit IRC16:08
*** Ruetobas has quit IRC16:08
*** david-lyle has quit IRC16:08
*** mikeoutland has quit IRC16:09
dstanekayoung: don't you love these really big and complicated reviews..https://review.openstack.org/7193216:10
*** pablosan_ has quit IRC16:11
*** pablosan has joined #openstack-dev16:11
*** dkuffner has quit IRC16:11
*** tjones has quit IRC16:12
ayoungdstanek, I think you are just submitting that to get the ATC discount at the summit16:13
*** troytoman is now known as troytoman-away16:13
*** Ruetobas has joined #openstack-dev16:13
*** capri has quit IRC16:13
dstanekayoung: ssshhhh16:14
*** AlexF has joined #openstack-dev16:14
*** capri has joined #openstack-dev16:14
*** tkammer has quit IRC16:17
*** thouveng has quit IRC16:17
dhellmannihrachys: yes, you have that right about oslo.messaging16:17
*** salv-orlando has quit IRC16:17
*** athomas has quit IRC16:17
*** tmclaugh[work] has joined #openstack-dev16:17
*** mikeoutland has joined #openstack-dev16:18
*** cnesa has quit IRC16:18
*** salv-orlando has joined #openstack-dev16:18
*** afazekas_ has joined #openstack-dev16:18
*** adnan has joined #openstack-dev16:19
*** jamieh has quit IRC16:19
*** jamieh has joined #openstack-dev16:21
*** jobewan has joined #openstack-dev16:22
*** xqueralt has quit IRC16:23
*** bnemec is now known as beekneemech16:23
*** bswartz has quit IRC16:24
*** armax has joined #openstack-dev16:26
*** bauzas has quit IRC16:26
*** bdpayne has joined #openstack-dev16:29
*** romcheg1 has joined #openstack-dev16:30
*** romcheg1 is now known as romcheg_ltp16:30
*** rraja_ has quit IRC16:31
*** mlavalle has joined #openstack-dev16:32
*** cdub has joined #openstack-dev16:34
*** PaulMurray has quit IRC16:34
*** ijw has quit IRC16:34
*** devoid has joined #openstack-dev16:35
*** morazi has quit IRC16:36
*** kgriffs_afk is now known as kgriffs16:36
*** ijw has joined #openstack-dev16:36
*** lcheng_ has joined #openstack-dev16:37
*** buzztroll has joined #openstack-dev16:37
*** thuc has joined #openstack-dev16:38
*** gokrokve has joined #openstack-dev16:39
*** ppetit has quit IRC16:40
*** morazi has joined #openstack-dev16:40
*** viktors has left #openstack-dev16:40
*** ijw has quit IRC16:41
*** sballe has joined #openstack-dev16:41
*** mjfork has quit IRC16:42
*** rraja_ has joined #openstack-dev16:42
*** CaptTofu has quit IRC16:43
*** YorikSar has quit IRC16:43
*** pasquier-s has quit IRC16:43
*** CaptTofu has joined #openstack-dev16:43
*** pasquier-s_ has quit IRC16:43
*** gokrokve has quit IRC16:44
*** aaronjamesford has joined #openstack-dev16:45
*** xmltok has joined #openstack-dev16:46
*** kgriffs is now known as kgriffs_afk16:46
*** SumitNaiksatam has quit IRC16:47
*** nati_ueno has joined #openstack-dev16:47
*** CaptTofu has quit IRC16:48
*** terrylhowe has joined #openstack-dev16:48
*** e0ne has quit IRC16:48
*** CaptTofu has joined #openstack-dev16:49
*** markmcclain has joined #openstack-dev16:49
*** sushils has quit IRC16:49
*** sahid has quit IRC16:51
*** mikeoutland has quit IRC16:52
*** tjones has joined #openstack-dev16:52
*** taps has joined #openstack-dev16:52
*** xqueralt has joined #openstack-dev16:53
*** smurugesan has joined #openstack-dev16:53
*** lcheng_ has quit IRC16:54
*** nelsnelson has joined #openstack-dev16:55
*** _cjones_ has joined #openstack-dev16:55
*** mjfork has joined #openstack-dev16:55
*** ijw has joined #openstack-dev16:55
*** marcoemorais has joined #openstack-dev16:56
*** armax has left #openstack-dev16:56
*** cnesa has joined #openstack-dev16:57
*** VINOD_ has quit IRC16:57
*** afazekas_ has quit IRC16:57
*** schwicke has quit IRC16:58
*** rraja_ has quit IRC16:58
*** VINOD has joined #openstack-dev16:58
*** tiamar has quit IRC16:58
*** VINOD has quit IRC16:58
*** csd has joined #openstack-dev16:58
*** jcooley_ has joined #openstack-dev16:59
*** pschaef has quit IRC16:59
*** doug-fish has quit IRC17:00
*** markmc has quit IRC17:01
*** gokrokve has joined #openstack-dev17:01
*** kbrierly has quit IRC17:01
*** obondarev has quit IRC17:02
*** kbrierly has joined #openstack-dev17:02
*** obondarev has joined #openstack-dev17:03
*** ijw has quit IRC17:03
*** jcooley_ has quit IRC17:03
*** NikitaKonovalov is now known as NikitaKonovalov_17:03
stevemarbknudson, ping17:04
bknudsonstevemar: what's up?17:04
*** yassine has quit IRC17:04
*** ijw has joined #openstack-dev17:04
stevemarbknudson, not sure if you had a chance to read my rambling comments on the ruleprocessor patch, wanted to chat about how to improve it17:04
*** mkerrin has quit IRC17:05
*** doug-fish has joined #openstack-dev17:05
*** vuil has joined #openstack-dev17:05
jnolleranyone got a link for a project's blueprint that are *good* - there's a lot of ones that seem light on information or super heavyweight17:05
*** xarses has joined #openstack-dev17:05
*** vuil has quit IRC17:05
*** gokrokve has quit IRC17:06
bknudsonstevemar: ok, so maybe shouldn't return if "any_one_of", but continue to the next requirement17:06
*** cnesa has quit IRC17:06
bknudsonusing continue17:07
*** rgerganov has quit IRC17:07
stevemarbknudson, right, I was thinking about that last night, but returning content is still an issue17:08
*** kgriffs_afk is now known as kgriffs17:08
stevemarbknudson, I was thinking, maybe do the local variable replacement, if it's neither any_one_of or not_any_of, and just return true/false for that function17:08
*** Mandell has quit IRC17:08
*** mrodden has quit IRC17:08
*** cnesa has joined #openstack-dev17:09
*** DinaBelova is now known as DinaBelova_17:09
*** belmoreira has quit IRC17:09
bknudsonstevemar: it would be nice to only have to look at them once.17:09
*** feleouet has quit IRC17:09
*** jasondotstar has quit IRC17:09
stevemaragreed17:09
*** vuil has joined #openstack-dev17:10
stevemarbknudson, but that would mean overwriting what comes in?17:10
bknudsonstevemar: it does "direct_maps += direct_map_value" -- couldn't it do "direct_maps += do_replacement(direct_map_value)" ?17:11
stevemarbknudson, yeah, thats what i'm getting what17:12
*** david-lyle has joined #openstack-dev17:12
stevemarbknudson, but you mentioned you didn't like over-writing the values of the input data17:12
bknudsonstevemar: direct_maps is a new list -- direct_maps = []17:13
bknudsonadding to it isn't going to overwrite anything.17:13
*** tanisdl has joined #openstack-dev17:13
*** kbrierly has quit IRC17:13
*** kbrierly has joined #openstack-dev17:14
*** amerine has quit IRC17:15
*** safchain has quit IRC17:15
*** Gordonz has quit IRC17:16
*** david-lyle has quit IRC17:17
*** martyntaylor has left #openstack-dev17:17
*** zzelle has quit IRC17:18
*** ygbo has quit IRC17:18
*** AlexF has quit IRC17:20
*** matrohon has quit IRC17:20
*** xgsa has quit IRC17:20
*** jpich has quit IRC17:20
*** dshulyak has quit IRC17:20
*** xga has quit IRC17:21
*** MaxV has quit IRC17:21
*** ndipanoff has quit IRC17:22
*** pablosan has quit IRC17:22
*** chris_johnson has joined #openstack-dev17:23
*** godara has joined #openstack-dev17:24
*** gcha has quit IRC17:24
*** rbrady-mtg is now known as rbrady17:24
*** martyntaylor has joined #openstack-dev17:24
*** mjfork_ has joined #openstack-dev17:24
*** mrodden has joined #openstack-dev17:24
*** hemnafk is now known as hemna17:25
*** pvaneck has joined #openstack-dev17:26
*** mjfork has quit IRC17:27
*** mjfork_ is now known as mjfork17:27
*** bauzas has joined #openstack-dev17:28
*** nati_ueno has quit IRC17:28
*** jayg has quit IRC17:28
*** nati_ueno has joined #openstack-dev17:29
*** gyee has joined #openstack-dev17:30
*** eglynn has quit IRC17:31
openstackstatusNOTICE: Gerrit and Zuul going offline at 20:00 UTC for ~15mins for project renames17:34
*** AlexF has joined #openstack-dev17:34
*** openstackstatus has quit IRC17:34
*** openstackstatus has joined #openstack-dev17:35
*** newell has joined #openstack-dev17:35
openstackstatusNOTICE: Gerrit and Zuul going offline at 20:00 UTC for ~15mins for project renames17:35
*** ChanServ changes topic to "Gerrit and Zuul going offline at 20:00 UTC for ~15mins for project renames"17:35
*** Longgeek has quit IRC17:36
*** gokrokve has joined #openstack-dev17:37
vishydolphm: if I want to get a project_name from a project_id and vice-versa using a service token17:38
vishyis there a good way to do that17:38
vishysecondarily is there a good way to do multiple at once?17:38
*** chris_johnson is now known as wchrisj|away17:39
*** anniec has joined #openstack-dev17:39
*** florentflament has quit IRC17:40
*** akrivoka has joined #openstack-dev17:40
*** angdraug has joined #openstack-dev17:41
*** tanisdl has quit IRC17:41
*** gokrokve has quit IRC17:41
*** tqtran has joined #openstack-dev17:42
*** I159 has quit IRC17:42
*** tanisdl has joined #openstack-dev17:42
ayoungvishy, right now the first is trivial;17:43
ayoungthe second is not17:43
ayoungbut multiple at once....17:43
ayoungif you do a list projects, you get both, more data than you need, but maybe that is the right approach for your use17:44
*** danpb has quit IRC17:44
*** ijw has quit IRC17:45
*** killer_prince has joined #openstack-dev17:46
*** david-lyle has joined #openstack-dev17:46
stevemarbknudson, shoot, tests found an example where it wouldn't work unless we have all the data ready to replace17:46
vishyayoung: the second meaning get an id from a name?17:47
ayoungvishy, yeah17:47
*** SumitNaiksatam has joined #openstack-dev17:47
ayoungthere is an internal API to do that, but not exposed17:47
ayoungum, wait17:47
*** nati_ueno has quit IRC17:48
ayoungI think actually filter works for that. 1 sec17:48
ayoungget_project_by_name17:48
dstanekstevemar: still working on mapping issues?17:49
ayoungbut that is v217:49
stevemardstanek, you know it, just trying to make it awesome17:49
ayounglist_projects is what we want, takes a filter...17:49
*** jcooley_ has joined #openstack-dev17:50
*** amerine has joined #openstack-dev17:51
dstanekstevemar: nice17:51
*** jp_at_hp has quit IRC17:52
*** Gordonz has joined #openstack-dev17:52
ayoungvishy, so we have pretty complex logic for listing projects based on a user_id.17:52
*** Gordonz has quit IRC17:52
*** jmckind has quit IRC17:52
*** max_lobur is now known as max_lobur_afk17:52
ayoungWe have an internal API get_project_by name, but that is only exposed via the V2 api17:53
*** Gordonz has joined #openstack-dev17:53
*** markmcclain has quit IRC17:53
vishyayoung: so it is in v2 but not v317:53
*** galstrom_zzz is now known as galstrom17:53
ayoungvishy, still looking17:54
ayoungvishy, I thought we supported it with filters, too17:54
ayoungvishy, one thing that is wonky is we don';t have a concept of "this role means you get to know about projects inside this domain"17:54
ayoungwe have list_projects_for_domain17:54
ayoungvishy, https://github.com/openstack/keystone/blob/master/keystone/assignment/routers.py17:55
*** YorikSar has joined #openstack-dev17:56
ayoungwow...17:56
ayoungwe have some identity stuff in there17:56
*** jcooley_ has quit IRC17:56
*** rodrigods has joined #openstack-dev17:57
*** rodrigods_ has joined #openstack-dev17:57
*** blues-man has quit IRC17:57
*** jprovazn_bbl has quit IRC17:59
*** marcoemorais has quit IRC17:59
ayoungvishy, OK,  starting from the API17:59
ayounghttps://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-projects-get-projects17:59
ayoungIt should be GET /v3/projects?name=<name>17:59
*** marcoemorais has joined #openstack-dev18:00
ayoungI assume that would required18:00
ayoungdomain_id as well, to deconflict between two domains18:00
*** bswartz has joined #openstack-dev18:00
stevemarbknudson, the only change that i ended up making was returning early if the eval was false, and continuing if it was valid18:00
ayoungotherwise...I'm guessing it will match the domain from the user that is requesting it, but I have not tested it18:00
*** marekd is now known as marekd|away18:00
ayoungvishy, a lot of the logic is collected into the keystone/common/routers.py file18:02
ayoungthat implementes the repeated CRUD operations18:02
*** ijw has joined #openstack-dev18:03
ayoungthen the filters accepted would be passed down to the controller, in this case the V318:03
*** jog0 is now known as flashgordon18:03
*** rossella_s has quit IRC18:04
ayoungthe majic is in here  project_refs = self.filter_query(Project, query, hints)18:04
*** BobBall is now known as BobBallAway18:04
*** cadenzajon has joined #openstack-dev18:05
*** andreaf has joined #openstack-dev18:06
ayoungvishy, OK, that was way too "in the weeds" answer but the short of it is "yes, you can get a project object based on either id or name, with name being less efficient" I assume, though, that you are pursuing hierarchical with this...18:07
*** rossella_s has joined #openstack-dev18:07
vishynot exactly no18:08
vishyalthough it may apply18:08
vishyi was actually going to use it for dns18:08
vishybut i may use the sme thing in hierachical18:08
*** kgriffs is now known as kgriffs_afk18:10
ayoungso...you probably want to do a bulk list18:10
*** lbragstad has quit IRC18:10
ayoungand cache the results18:10
*** lucasagomes has quit IRC18:11
ayoungwe send out notifications when a project is created, so you could register for that as well18:11
ayoungor just periodically refetch and rebuild18:11
*** nacim has quit IRC18:11
ayoungIf we had a "parent" field in there (as opposed to just domain) you could, in theory, build the whole project name from parts by querying all projects for a domain18:12
ayoungand use that as the FQDN18:12
*** martyntaylor has left #openstack-dev18:13
*** IanGovett has quit IRC18:13
*** nati_ueno has joined #openstack-dev18:14
*** AlexF has quit IRC18:14
*** sweston has quit IRC18:15
*** bauzas has quit IRC18:15
*** morganfainberg_Z is now known as morganfainberg18:15
*** dvarga has quit IRC18:16
*** jcooley_ has joined #openstack-dev18:16
*** lbragstad has joined #openstack-dev18:17
*** igor_ has quit IRC18:17
*** igor_ has joined #openstack-dev18:18
*** harlowja_away is now known as harlowja18:18
*** sarob has joined #openstack-dev18:18
*** sarob has quit IRC18:19
*** sarob has joined #openstack-dev18:19
*** jcooley_ has quit IRC18:20
*** otherwiseguy has quit IRC18:21
*** READ10 has quit IRC18:22
*** Mandell has joined #openstack-dev18:22
*** jasondotstar has joined #openstack-dev18:22
*** colinmcnamara has quit IRC18:23
*** AlexF has joined #openstack-dev18:23
*** igor_ has quit IRC18:24
*** e0ne has joined #openstack-dev18:24
*** galstrom is now known as galstrom_zzz18:26
*** markmcclain has joined #openstack-dev18:26
*** kushal has quit IRC18:27
*** wchrisj|away is now known as chris_johnson18:27
*** pablosan has joined #openstack-dev18:28
*** vuil has quit IRC18:28
*** capri has quit IRC18:28
*** capri has joined #openstack-dev18:31
*** mattymo has quit IRC18:33
*** AlexF has quit IRC18:34
*** mattymo has joined #openstack-dev18:34
*** jcooley_ has joined #openstack-dev18:40
*** RajeshMohan has quit IRC18:42
*** RajeshMohan has joined #openstack-dev18:43
*** mkollaro has quit IRC18:46
*** hemna has quit IRC18:46
*** hemna has joined #openstack-dev18:46
*** ijw has quit IRC18:47
*** zzelle has joined #openstack-dev18:47
*** hemna has quit IRC18:47
*** jcooley_ has quit IRC18:47
*** jcooley_ has joined #openstack-dev18:48
*** igor_ has joined #openstack-dev18:50
*** rossella_s has quit IRC18:51
*** dspano has joined #openstack-dev18:52
*** jcooley_ has quit IRC18:52
*** jcooley_ has joined #openstack-dev18:53
*** dvarga has joined #openstack-dev18:53
*** hemna has joined #openstack-dev18:55
*** igor_ has quit IRC18:55
*** anniec has quit IRC18:56
*** jamespage_ has joined #openstack-dev18:56
*** martyntaylor has joined #openstack-dev18:56
*** martyntaylor has left #openstack-dev18:56
*** jamespage_ has quit IRC18:58
openstackstatusNOTICE: Zuul is now in queue-only mode preparing for project renames at 20:00 UTC18:59
*** jayg|g0n` has joined #openstack-dev19:01
*** galstrom_zzz is now known as galstrom19:01
*** epim has joined #openstack-dev19:02
*** SumitNaiksatam has quit IRC19:02
*** jhesketh_ has quit IRC19:02
*** shakayumi has joined #openstack-dev19:02
*** melwitt has joined #openstack-dev19:03
*** anniec has joined #openstack-dev19:03
*** kenperkins_ is now known as kenperkins19:03
*** galstrom is now known as galstrom_zzz19:04
*** jcooley_ has quit IRC19:06
*** DinaBelova_ is now known as DinaBelova19:06
raildodolphm: you read the log from today's meeting about Hierarchical multitenancy? I and tellesnobrega were responsible for try making keystone have nested projects and send a bigger scope. I was thinking initially test a simple solution in which for a project I would create a column "parent_project" and populate it with the name(or id) of the parent project, the higher the level of this project and the project root it will be nul19:06
dolphmraildo: i did read it, yes19:06
dolphmraildo: only use id's internally, so it would be a parent_project_id19:07
raildook19:07
*** thuc has quit IRC19:08
dolphmraildo: are you looking to supersede domains using the project hierarchy?19:08
*** thuc has joined #openstack-dev19:08
*** thuc has quit IRC19:08
raildono19:09
*** thuc has joined #openstack-dev19:09
dolphmraildo: you don't think that domains should become 1st level projects, after a root project?19:10
*** thuc has quit IRC19:10
*** thuc_ has joined #openstack-dev19:10
raildoI want to follow the idea that there would be a domain, and root project attached to it, and then create the project hierarchy.19:10
*** thuc_ has quit IRC19:11
*** thuc has joined #openstack-dev19:11
raildodolphm: IMO, domain is very important for the architecture of the infrastructure in openstack.19:12
*** jcooley_ has joined #openstack-dev19:13
raildoOnly it was not clear to me, the issue of increasing the scope of the token but will primarily focus on the implementation of nested project.19:15
*** johnthetubaguy has quit IRC19:15
*** arnaud has joined #openstack-dev19:16
*** arnaud__ has joined #openstack-dev19:16
*** annashen has left #openstack-dev19:16
*** amcrn has joined #openstack-dev19:18
*** Longgeek has joined #openstack-dev19:18
*** kgriffs_afk is now known as kgriffs19:18
dolphmraildo: so in your perspective, each domain has a 1:1 relationship with a "root" project?19:22
morganfainbergraildo, dolphm, i think that is a ... bad structure19:22
dolphmmorganfainberg: ++19:22
morganfainbergdare i say, pointless19:22
dolphmpost-migration: http://i.imgur.com/vBsrdi2.png19:22
morganfainbergi'd advocate domains existing as an abstraction if we want to keep user-namespacing in them19:22
*** Longgeek has quit IRC19:23
dolphmmigrating all domains to be project will null parents, and migrating all projects to be exposed as children of the new top-level projects19:23
dolphmmorganfainberg: +++19:23
morganfainbergdolphm, in fact, that resolves my complaints about domain issues.19:23
morganfainbergdolphm, if projects no-longer are "in domains" but are just (effectively) in other projects19:24
dolphmyep19:24
*** galstrom_zzz is now known as galstrom19:24
morganfainbergconceptually at least it makes it easier to talk about... and all that stuff19:24
*** Mandell has quit IRC19:24
*** sweston has joined #openstack-dev19:25
raildoI had thought about a 1:1 initially had not thought this way,19:26
*** sweston has quit IRC19:26
*** gordc has quit IRC19:26
*** sweston has joined #openstack-dev19:26
raildoI think the structure will be so much better19:26
*** rcleere has joined #openstack-dev19:27
morganfainbergraildo, pointless data structures for the sake of pointless data structures is ugly and leads to legacy code ;)19:27
raildo+119:27
dolphmmorganfainberg: how do we do this migration without breaking every other project? add an option to auth_token that mutates the project scope with X-PROJECT-ID: project_id.split('.').pop() ?19:29
morganfainbergdolphm, hmmmmm.19:29
*** SumitNaiksatam has joined #openstack-dev19:29
tellesnobregatellesnobrega: i might have come too late to this conversation, why should we have a root_project with domains and then projects again attached to the domain?19:29
dolphm[auth_token] do_not_understand_hierarchical_multitenancy = true19:29
morganfainbergdolphm, LOL.19:29
dolphmseriously!19:29
morganfainbergdolphm, can we just add a new variable that they can consume when they want?19:30
*** nati_uen_ has joined #openstack-dev19:30
morganfainbergdolphm, X-PROJECT-HIERARCHY19:30
*** jamieh has quit IRC19:30
morganfainbergor something19:30
dolphmmorganfainberg: HMMMMMMMMMMMMMMMMMMMMMMMMMMM19:30
dolphmmorganfainberg: -ID is forever a lie then19:30
*** nati_uen_ has quit IRC19:30
morganfainbergdolphm, it is likely the easiest migration path.  offer both, and deprecate out the old one in X-cycles19:30
morganfainbergdolphm, it might be a lie, but it is no different than someone trying to consume V2 API vs V3.19:31
*** nati_uen_ has joined #openstack-dev19:31
morganfainbergV2 is ... going to give you a wildly different answer in some cases19:31
morganfainbergand if they don't care about the hierarchy initially, does it really matter?  they wont be setup for the cascading roles etc anyway19:32
*** nati_ueno has quit IRC19:32
tellesnobregamorganfainberg, dolphm the point of having the root_project on top of domains is to offer the super admin role or is there another use for it?19:33
*** thuc has quit IRC19:33
dolphmmorganfainberg: yeah, we'd have to shield v2 from the impact of this quite a lot19:33
morganfainbergtellesnobrega, there is no difference between a root project or a domain19:34
dolphmtellesnobrega: that's the primary use case in my mind19:34
morganfainbergtellesnobrega, in that context really19:34
*** thuc has joined #openstack-dev19:34
*** lyxus has quit IRC19:34
morganfainbergshort of having a domain that can contain root projects...19:34
morganfainbergwhich, seems to defeat the point.19:34
dolphmtellesnobrega: i think vishy suggested that that project have an id of 'openstack'19:34
tellesnobregadolphm: ++19:34
dolphmmorganfainberg: which would actually be better for our role assignment api ^19:34
morganfainbergdolphm, i actually like that19:34
*** anniec has quit IRC19:35
morganfainbergdolphm, we make an implicit (and by implicit i mean code construct) project called Openstack.19:35
*** hartsocks is now known as hartbot19:35
dolphmmorganfainberg: then every project ID becomes something like openstack.default.e5f9y8jdygdz95wpu3e5wuj3t19:35
*** lyxus has joined #openstack-dev19:35
morganfainbergdolphm, i don't want to have to seed the project into the DB if we have a "root" project like that19:35
dolphmmorganfainberg: if it exists in the db, then objects have to explicitly point to it, and then we'll have users that want to create a second tree19:36
tellesnobregamorganfainberg: ++19:36
morganfainbergdolphm, that is why i think it should be a code construct -- there isn't duplicate trees19:36
tellesnobregathe id should be like domain1.kl2jhkl1jhkl25jkl12j519:36
dolphmmorganfainberg: yay19:36
morganfainbergdolphm, we can then move domains into being the management for IDPs if we want to keep that term (since we already use it in the REST api)19:37
dolphmmorganfainberg: aaand you lost me19:37
raildodolphm: tellesnobrega and I'll start implementing it =]19:37
morganfainbergdolphm, domains no longer are an assignment construct19:38
dolphmmorganfainberg: still lost19:38
morganfainbergdolphm, they are a user-namespace management construct19:38
dolphmmorganfainberg: "domain" == "project with null parent" ?19:38
*** adnan_ has joined #openstack-dev19:38
morganfainbergdolphm, nah, projects would cease to care about domains19:38
*** thuc has quit IRC19:38
morganfainbergdolphm, root project = openstack19:38
*** mrodden has quit IRC19:38
morganfainbergthere is no domain container really.19:38
morganfainbergdon't even call it a domain :P19:39
morganfainbergno reason to19:39
dolphmmorganfainberg: right, but in terms of GET /v3/domains, why not return SELECT * FROM projects WHERE parent_project_id IS NULL; ?19:39
morganfainbergdolphm, ehhhhh19:39
dolphmi know19:39
*** vkmc has joined #openstack-dev19:39
dolphmmorganfainberg: you just want to kill GET /v3/domains immediately?19:39
morganfainbergdolphm, i'd really like to move us away from referring to it as domains  sure for transitional19:39
dolphmi'm just talking juno19:40
*** adnan_ has left #openstack-dev19:40
morganfainbergdolphm, well, it is a question of if domains will stick around for user stuff in V319:40
morganfainbergdolphm, i am guessing it has to for Idenitty purposes19:40
morganfainbergdolphm, short of moving to V419:41
morganfainbergsince "domain" still constructs the wrapper for authentication for users and the like...19:41
*** AnilV4 has quit IRC19:41
*** LLKCKfan has joined #openstack-dev19:41
LLKCKfanIs there any natural ways to relieve pain without using herbs or weed? No drugs19:41
morganfainbergdolphm, so, do we just go w/ domains being parentless projects19:42
morganfainbergoh, joy a spammer....19:42
*** thuc has joined #openstack-dev19:42
dolphmttx: jeblair: ^19:42
morganfainbergdidn't this guy get banned in the pas?19:42
morganfainbergpast*19:42
raildohahahaha19:42
dolphmi don't recognize the name19:42
morganfainbergmordred, ^19:42
*** mrodden has joined #openstack-dev19:43
tellesnobregashouldn't domains have parent_project_id = openstack?19:44
tellesnobregaor did i lose something in the way?19:44
dolphmtellesnobrega: i'd like to do that at the controller layer19:44
*** julienvey has quit IRC19:44
dolphmor even managers19:45
morganfainbergtellesnobrega, the "openstack" parent_project needs to be a code construct not an element in the db19:45
*** alexpilotti has quit IRC19:45
*** SumitNaiksatam has quit IRC19:45
morganfainbergdolphm, ++ managers might be the right place19:45
tellesnobregai see19:45
*** Mandell has joined #openstack-dev19:45
marunanybody able to answer questions about docker in openstack?19:48
*** igor_ has joined #openstack-dev19:49
dolphmmorganfainberg: so maybe since we're dumping domains, we should go back to v2 -- that's how that works, right?19:49
morganfainbergdolphm, lol19:49
*** sarob has quit IRC19:50
dolphm"Due to support for hierarchical multitenancy, v3 is now deprecated in favor of v2. Hugs and kisses, -keystone"19:50
morganfainbergdolphm, i vote we go back to pre-V2 days19:50
*** ChanServ sets mode: +o jeblair19:50
dolphmmorganfainberg: reboot v1?19:50
ayoungmorganfainberg, food for thought:  a project "belongs" to a domain in a way that it will not "belong" to a parent project....19:50
morganfainbergdolphm, ++19:50
*** jeblair sets mode: +b *!~LLKCKfan@*19:50
ayoungIE19:50
*** vartom1111111117 has joined #openstack-dev19:50
marunsamalba: ping19:50
dolphmjeblair: thanks!19:50
morganfainbergayoung, sorry i don't use IE19:51
ayoungif I want to move a project from one parent to another, good to go19:51
*** LLKCKfan was kicked by jeblair (LLKCKfan)19:51
morganfainbergoooh i.e.19:51
dolphmayoung: that changes the project's exposed ID, and breaks every other project19:51
ayounge.i.e.i.o19:51
dolphmayoung: parent_project_id has to immutable19:51
morganfainbergayoung, i think part of the discussion was projects do not get reparented19:51
morganfainbergdolphm, but people will ask for that >.<19:52
* dolphm what if projects only existed as assignment targets19:52
ayoungbut...that is a an easy answer for Keystone, but tough for people that use projects to contain *things*19:52
dolphmayoung: things can move19:52
dolphmayoung: that's up to the other services19:53
*** clu_ has joined #openstack-dev19:53
ayoungI think that people will want to move projects around in the hierarchy19:53
ayoungso if a VM has a project_id for "owner" or whatever19:53
dolphmayoung: then move the VM to a new project19:53
dolphmreparent individual resources, rather than breaking the entire cloud19:53
ayoungdolphm, that is like saying "hey Nova, do all the tough work"19:53
ayoungand then you need to keep it in sync across projects19:53
ayoungnah,  no me likey19:53
dolphmayoung: keep what in sync where?19:54
ayoungwe need to be able to reparent projects without breaking things19:54
dolphmayoung: that's literally impossible19:54
ayoungdolphm, network for a VM between nova nad Neutron?19:54
*** dvarga is now known as dvarga|away19:54
*** dvarga|away is now known as dvarga19:54
morganfainbergayoung, this is a cloud, if you need a resource in another project, spin one up :P19:55
*** anniec has joined #openstack-dev19:55
ayoungdolphm, morganfainberg do you understand how SELinux lables inodes?19:55
ayoungI would say this:19:55
morganfainbergayoung, ok ok now that i got that out of my system19:55
ayoungdomain_id stays immutable for a project19:55
ayoungbut projects are like dentries19:55
ayoungand I should be able to move a dentry from one parent to another and carry along the contents19:56
ayoungbut not from one domain to another19:56
dolphmmorganfainberg: lol19:56
ayoungthen, something like a VM can have a project_id, and , if that project moves throughout the tree, fine19:56
dolphmayoung: domains don't exist anymore, and are just an arbitrarily constrained perspective on the project hierarchy19:57
ayoungits project  id is immutable, but the absolute project name may change...to ditinguish from a relative project name...  parent/child vs child19:57
*** ijw has joined #openstack-dev19:57
morganfainbergayoung, can we table that and come back around to solving it as we have demand for it?19:58
ayoungmorganfainberg, no no no no no19:58
ayoungwe punt on this and they get it wrong, everyone suffers19:58
morganfainbergayoung, i think that is adding a lot of scope creep, and making this a hard target for juno19:58
ayoungno19:58
ayoungthis is getting the abstraction right19:58
ayoungI'm ok with getting rid of domains.19:58
*** alexpilotti has joined #openstack-dev19:58
*** dprince has quit IRC19:59
* annegentle waves at dims19:59
morganfainbergmoving a project is in-dependant of the hierarchical structure19:59
ayoungjust wanted to make sure it is a deliberate decision and we understand the implications19:59
ayoungmorganfainberg, project ID id immutable.  parent_id does not have to be19:59
morganfainbergayoung, it can be to start, and then we can add that capability in19:59
ayounglets not force it to be until we have some stake in the ground reason20:00
ayoungI would say "domain is a project with no parent"20:00
*** julienvey has joined #openstack-dev20:00
ayoungthat way we provide language for people to port from the existing docs20:00
ayoungor20:00
ayoungdomains are projects that live directly under the root node20:00
*** MaxV has joined #openstack-dev20:01
morganfainbergayoung, i'd rather have a solid understanding of the hierarchy and present that (and associated roles, etc) to the services and then figure out how to "move" things rather than figure out how to move things then define the hierarchy20:01
morganfainbergayoung, if that makes sense.20:01
*** MaxV has quit IRC20:01
ayoungmorganfainberg, so I am not the one that originated this idea...it has come up before...20:01
ayoungtrying to drag the conversation out of long term memory...20:01
morganfainbergyou can say avoid staking in the ground "partents are immutable" but you also don't provide a way to move things.20:01
*** ijw has quit IRC20:02
*** thuc has quit IRC20:02
ayoungPATCH /v3/projects/<id>  {parente=new id}20:02
morganfainbergbut.. you're going to have other issues when it comes to keeping all that in sync w/ nova etc as well20:02
ayoungwe'd have to explicitly forbit that20:02
*** thuc has joined #openstack-dev20:03
morganfainbergayoung, we would want to forbid that in a perfect world anyway20:03
morganfainbergayoung, i'd argue that should be a separate API in either case20:03
ayoungits an update notification.20:03
morganfainbergreparenting has a much much larger implication than other updates20:03
ayoungwhy complicate things20:03
*** gokrokve has joined #openstack-dev20:03
morganfainbergayoung, because it isn't just an update.20:03
ayoungno, disable has much larger implications20:03
*** gokrokve has quit IRC20:03
*** gokrokve has joined #openstack-dev20:03
morganfainbergayoung, reparent has more incommon with disable20:04
morganfainbergayoung, you could be forcing a masiive shift in permissions / access20:04
*** thuc has quit IRC20:04
morganfainbergayoung, than a project getting an update.20:04
*** thuc has joined #openstack-dev20:04
ayoungmorganfainberg, the person making the change would need a role on both the source and target parent projects.20:04
dolphmmorganfainberg: ayoung: raildo: tellesnobrega: vishy: starting drafting the long term impact on keystone https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy20:04
ayoungcreate subproject20:05
ayoungand delete subproject20:05
raildodolphm: i just sign up on it, thanks20:06
tellesnobregatellesnobrega: me too20:06
dolphmtellesnobrega: raildo: thanks, i'm sure we'll all be pitching in20:06
*** henrique has joined #openstack-dev20:07
*** capri has quit IRC20:07
*** tjones has quit IRC20:07
tellesnobregadolphm: we want to have something done by friday so we can show vishy at the meeting, of course we won't be able to have all that was discussed done, but we would like to have the hierarchy working20:08
*** akrivoka has quit IRC20:08
*** capri has joined #openstack-dev20:08
*** ewindisch has joined #openstack-dev20:09
*** jruzicka has quit IRC20:09
raildo+120:09
*** ewindisch has quit IRC20:10
openstackstatusNOTICE: Gerrit and Zuul are offline for project renames. ETA 20:30 UTC.20:10
*** ChanServ changes topic to "Gerrit and Zuul are offline for project renames. ETA 20:30 UTC."20:10
tellesnobregaand write something to submit for the summit and present it there.20:10
*** ewindisch has joined #openstack-dev20:10
vishyayoung: cool20:12
vishydolphm: ^^20:12
tellesnobregavishy: raildo and I are going to implement this hierarchical projects, or whatever we can do of it, by friday so we can show at the multitenancy meeting and bring it to the summit, did you get a chance to read this whole conversation?20:13
*** networkstatic has joined #openstack-dev20:16
*** edmund has quit IRC20:17
*** anniec has quit IRC20:18
*** otherwiseguy has joined #openstack-dev20:18
*** DinaBelova is now known as DinaBelova_20:18
*** comstud is now known as bearhands20:18
*** rfolco has quit IRC20:18
ayoungdolphm, geting the client review done early is going to be crucial for the  token compression.  I appreciate it if you rip it apart soon-rather-than-later.  https://review.openstack.org/#/c/71181/20:19
*** Longgeek has joined #openstack-dev20:19
*** nati_ueno has joined #openstack-dev20:19
ayoungdstanek, bknudson ^^20:19
dolphmayoung: the referenced bug is not tracked against the client20:19
dolphmayoung: and gerrit is down :)20:20
bknudson503 Service Temporarily Unavailable20:20
*** DinaBelova_ is now known as DinaBelova20:20
dolphmfrom fridge import beer;20:21
*** thuc has quit IRC20:21
morganfainbergdolphm, from kegerator import tap \n pint = tap.pour_beer  pint.drink()20:21
*** thuc has joined #openstack-dev20:21
dolphmmorganfainberg: SyntaxError                               ^20:22
morganfainbergdolphm, LOL20:22
*** nati_ueno has quit IRC20:22
*** taps has quit IRC20:22
*** nati_uen_ has quit IRC20:22
*** tjones has joined #openstack-dev20:23
*** nati_ueno has joined #openstack-dev20:23
*** dbalog has left #openstack-dev20:23
ayoungdolphm, FTFY20:23
ayounghttps://bugs.launchpad.net/python-keystoneclient/+bug/125532120:23
*** Longgeek has quit IRC20:24
uvirtbotLaunchpad bug 1255321 in keystone "v3 token requests result in 500 error when run in apache" [Medium,Confirmed]20:24
*** taps has joined #openstack-dev20:24
dolphmayoung: danke20:24
ayoungBitte20:24
*** eglynn has joined #openstack-dev20:25
dolphmmorganfainberg: http://pasteraw.com/64uboev8qhk7cfggv4yejjurrn18vdq20:25
* ayoung going to gym to perform 1/lunch20:25
*** MaxV has joined #openstack-dev20:25
morganfainbergdolphm, http://pasteraw.com/4hmo6g7u0ivdqhakqn80e3qj9wif59d20:25
morganfainbergbetter?20:26
morganfainberg:P20:26
*** ChanServ changes topic to "OpenStack development || Support is in #openstack"20:26
*** thuc has quit IRC20:26
ayoungmorganfainberg, the pur_craft_beer function makes no sense,  you need to select the craft beer tap from the taps collection20:26
morganfainbergayoung, nah, i have the simplified keggerator library20:27
*** vkmc has quit IRC20:27
ayoungotherwise, you get whatever keggerator has20:27
*** tjones has quit IRC20:27
ayoungso just "pour"20:27
ayoung-120:27
morganfainbergyou're thinking of the bar or tap room mechanism20:27
*** edmund has joined #openstack-dev20:27
morganfainbergsince the non-simplified library is not in globale requirements, we can't use it yet20:27
morganfainbergand the collection is unavailable20:27
ayoungimport bar20:27
ayounggalss.contensts = bar.taps['Guinness'].pour20:28
dolphmmorganfainberg: success http://pasteraw.com/hh9vbloy84o11xo1tb9vcvsosdpyjos20:28
ayoungglass.contensts = bar.taps['Guinness'].pour20:28
ayoungugh...fuergetit  me go gym20:28
dolphmmorganfainberg: although this apparently works too http://pasteraw.com/bw5bxwu2xrq4pjqr1avykeoihq5q0m420:29
dolphmnever tried piping straight to python ..20:29
bknudsoncurl | python -mjson.tool20:29
dolphmbknudson: but the module is just being executed there, not the curl'd data20:30
ayoungsometimes I wish they had chosen python instead of Javascript for the browser language.  And by sometimes, I mean daytime and nightimes.20:30
bknudsonI think you just reinvented java applets20:30
morganfainbergdolphm, https://twitter.com/MdrnStm/status/43188764724234240120:30
dolphmbknudson: lol20:30
dolphmayoung: i assume .pour was supposed to be a callable20:31
morganfainbergdolphm, nah it's a true/false :P20:32
dolphmayoung: unless you meant .poor which is a @property of self20:32
morganfainberglol20:32
morganfainbergif self.poor: bar.exit_sober() ?20:32
*** sweston has quit IRC20:32
raildoabout this conversation http://ryanesaki.com/wp-content/uploads/2014/01/Anchorman_well_that_escalated_quickly_966.jpg hahahahaha20:32
*** READ10 has joined #openstack-dev20:33
dolphmmorganfainberg: should definitely be a raise20:33
morganfainbergdolphm, assert self.poor is False20:33
morganfainbergor is that inverted20:33
dolphmmorganfainberg: raise PaymentProcessorError() ?20:33
morganfainbergLOL20:33
dolphmassert not self.poor  # reads a bit better20:34
morganfainbergexcept PaymentProcessError: self.dine_and_dash()20:34
dolphmlol20:34
*** igor___ has joined #openstack-dev20:34
*** csd has quit IRC20:35
dolphmmorganfainberg: dining belongs in the try block http://pasteraw.com/tf1arys1o4xe6b2p5uiwhoj3d6d0j0y20:35
morganfainbergdolphm, hehe20:35
dolphmoh, gerrit is back20:36
*** igor_ has quit IRC20:36
morganfainbergyeah has been for a few minutes20:36
*** anniec has joined #openstack-dev20:36
dstanekayoung: i don't think you addressed any of my comments yet20:36
*** Longgeek has joined #openstack-dev20:37
bknudsonever seen this? https://pypi.python.org/pypi/Spawning/20:37
bknudsonwas just looking at eventlet docs20:37
dolphmdstanek: yep20:37
*** nati_ueno has quit IRC20:38
devoidanyone here have experience getting nova to use sheepdog root disks?20:38
dolphmwhy are we supporting two PKI token formats?20:38
dolphmwhy not read both, but only produce the compressed format?20:38
*** tjones has joined #openstack-dev20:38
dolphmi know i've asked this twice, but i don't recall ayoung answering ^20:39
*** markmcclain has quit IRC20:39
*** Longgeek has quit IRC20:41
*** nati_ueno has joined #openstack-dev20:41
dstanekdolphm: i thought it was to support old clients20:41
dolphmdstanek: old keystoneclients?20:41
*** jasondotstar has quit IRC20:42
*** nati_ueno has quit IRC20:42
*** anniec has quit IRC20:42
bknudsonold auth_token middlewares?20:42
*** nati_ueno has joined #openstack-dev20:42
*** NikitaKonovalov_ is now known as NikitaKonovalov20:43
*** tjones has quit IRC20:43
dolphmbknudson: so we want to support the combination of a new client in keystone, and old clients in front of other services?20:43
dolphmdoesn't seem like it's worth all this duplicated crap20:44
bknudsondolphm: that would be a weird combo... not sure why anyone would be stuck with that... maybe a distributed upgrade?20:44
dolphmbknudson: even then -- upgrade auth_token middlewares to the latest client first -- done.20:44
dolphmi *really* don't want to ship 3 token formats and have to explain that one of them has no use case20:45
dstanekdolphm: ++20:45
sdaguedavid-lyle: I wanted to circle around with you again about the failure with horizon if we set -o errexit in devstack20:46
*** rfolco has joined #openstack-dev20:46
*** cadenzajon has quit IRC20:47
*** thomasem has quit IRC20:48
*** tjones has joined #openstack-dev20:49
*** pingveno has quit IRC20:49
dolphm-2'd for now20:50
*** denis_makogon_ has joined #openstack-dev20:51
*** sarob has joined #openstack-dev20:52
*** ijw has joined #openstack-dev20:56
*** CaptTofu has quit IRC20:57
*** tjones has quit IRC20:57
*** sarob has quit IRC20:57
*** pablosan has quit IRC20:59
*** lcheng_ has joined #openstack-dev21:00
*** rcleere has quit IRC21:01
*** mgagne has quit IRC21:01
*** anniec has joined #openstack-dev21:03
*** sarob has joined #openstack-dev21:06
*** safchain has joined #openstack-dev21:06
*** prad_ has quit IRC21:06
*** safchain has quit IRC21:06
*** sarob has quit IRC21:10
*** godara has quit IRC21:10
*** IanGovett has joined #openstack-dev21:10
*** dbalog has joined #openstack-dev21:11
*** jgrimm has quit IRC21:11
*** jgrimm has joined #openstack-dev21:12
*** cadenzajon has joined #openstack-dev21:13
*** doug_shelley66 has quit IRC21:13
*** rfolco has quit IRC21:13
*** doug_shelley66 has joined #openstack-dev21:14
stevemarlbragstad, good detective skills on https://review.openstack.org/#/c/66642/21:16
lbragstad:) hopefully it works21:16
*** yolanda has quit IRC21:18
*** DinaBelova is now known as DinaBelova_21:19
*** tjones has joined #openstack-dev21:20
*** Longgeek has joined #openstack-dev21:20
*** byeager has quit IRC21:21
*** thuc has joined #openstack-dev21:21
*** Longgeek has quit IRC21:21
*** jmeridth has left #openstack-dev21:21
*** byeager has joined #openstack-dev21:22
yjiang5baoli: hi21:22
*** lcheng_ has quit IRC21:22
*** Longgeek has joined #openstack-dev21:23
*** eglynn has quit IRC21:23
*** Longgeek has quit IRC21:23
*** tjones has quit IRC21:23
*** Longgeek has joined #openstack-dev21:24
*** Longgeek has quit IRC21:25
*** byeager has quit IRC21:25
*** Longgeek has joined #openstack-dev21:25
*** Longgeek has quit IRC21:26
*** Longgeek has joined #openstack-dev21:26
*** jayg|g0n` has quit IRC21:27
*** Longgeek has quit IRC21:27
*** Longgeek has joined #openstack-dev21:28
*** Longgeek has quit IRC21:29
*** Longgeek has joined #openstack-dev21:29
*** Longgeek has quit IRC21:30
*** networkstatic has quit IRC21:31
*** networkstatic has joined #openstack-dev21:32
*** Longgeek has joined #openstack-dev21:32
*** anniec has quit IRC21:32
*** Longgeek has quit IRC21:32
*** Longgeek has joined #openstack-dev21:33
*** sweston has joined #openstack-dev21:33
*** Longgeek has quit IRC21:33
*** doug-fish has quit IRC21:36
*** Longgeek has joined #openstack-dev21:36
*** Longgeek has quit IRC21:36
*** Longgeek has joined #openstack-dev21:38
*** doug-fish has joined #openstack-dev21:38
*** xqueralt has quit IRC21:38
*** Longgeek has quit IRC21:39
*** Longgeek has joined #openstack-dev21:39
stevemarbknudson, i'm reverting the name changes from RULE_blah to MAPPING_blah. reasoning is, I want them the fixtures to be used for the mappingCRUD tests and the rule processing tests, either way I'm going to have to either grab the rules out of the mapping, or pad them with a {mapping:{rules: []}} block21:40
*** Longgeek has quit IRC21:40
*** tmclaugh[work] has quit IRC21:40
bknudsonstevemar: that makes sense... if they're mappings call them mappings and if they're rules then call them rules.21:40
stevemarbknudson, deal21:40
bknudsonnot sure why we have to use the same fixtures for rule tests and mapping tests.21:40
*** Longgeek has joined #openstack-dev21:40
bknudsonor why the fixtures have to be in a separate file... just put them in the test class.21:41
*** anniec has joined #openstack-dev21:41
bknudsonI shouldn't have to go digging around to separate files to figure out what the test is.21:41
*** jasondotstar has joined #openstack-dev21:41
*** Longgeek has quit IRC21:41
*** gordc has joined #openstack-dev21:41
*** Longgeek has joined #openstack-dev21:42
*** Longgeek has quit IRC21:42
*** Longgeek has joined #openstack-dev21:43
bknudsonstevemar: seems like there should be a test that does rp = mapping_utils.RuleProcessor({}) -- shouldn't have to go to a separate file to find that rules is empty.21:43
*** glenng has quit IRC21:44
*** Longgeek has quit IRC21:44
bknudsonRULES_SMALL doesn't tell me anything about what's being tested in the rules processor21:44
*** Longgeek has joined #openstack-dev21:44
*** luisbg has left #openstack-dev21:45
*** Longgeek has quit IRC21:45
*** mrodden has quit IRC21:46
stevemarbknudson, I can do the first change in another commit, moving the fixture around, but it'll only be tested in MappingCRUD21:46
*** tjones has joined #openstack-dev21:47
stevemarbknudson, it would be an invalid map, so it wouldn't hit the processor21:47
*** jcooley_ has quit IRC21:48
bknudsonstevemar: well, only have to test valid mappings, but it should be a little more obvious what it's testing...21:48
bknudsonit should be obvious that we've got a test for "any_one_of"21:48
dstanekmorganfainberg: you around?21:48
bknudsonand a test for "not_any_of", and a test for direct maps.21:48
bknudsonand a test for regex21:48
*** d0ugal has quit IRC21:49
*** jcooley_ has joined #openstack-dev21:49
*** coasterz has joined #openstack-dev21:49
stevemarbknudson, ahhhh, okay, I can rename the tests, if that's better, and make sure the comments describe the test21:49
bknudsonstevemar: that would be great21:49
*** NikitaKonovalov is now known as NikitaKonovalov_21:50
*** romcheg1 has joined #openstack-dev21:51
*** romcheg_ltp has quit IRC21:51
*** Sukhdev has joined #openstack-dev21:51
*** jasondotstar has quit IRC21:51
*** Longgeek has joined #openstack-dev21:51
*** tjones has quit IRC21:51
*** Longgeek has quit IRC21:51
*** david-lyle has quit IRC21:51
*** Longgeek has joined #openstack-dev21:52
morganfainbergdstanek, hi21:52
*** mfer has quit IRC21:52
morganfainbergdstanek, was getting coffee and having ad-hoc meeting at the coffee shop ... i know /slacker21:52
*** Longgeek has quit IRC21:52
dstanekmorganfainberg: :-)  looking at https://review.openstack.org/#/c/71683/2/keystone/token/backends/memcache.py21:52
dstanekon line 115 would you be getting data in the old format?21:53
morganfainbergdstanek, correct21:53
*** prad has joined #openstack-dev21:53
*** dvarga has quit IRC21:54
*** mrodden has joined #openstack-dev21:54
*** Longgeek has joined #openstack-dev21:54
morganfainbergdstanek, or it might be the key has expired and is empty21:54
*** Longgeek has quit IRC21:54
morganfainbergdstanek, oh, no no nvm None is checked on line 11421:54
morganfainbergdstanek, your assumption is correct21:55
*** Longgeek has joined #openstack-dev21:56
morganfainbergdstanek, however, the core of the issue is that asking memcached a bunch for tokens locks up keystone, so we kind of need to start from scratch for that list.21:56
dstanekmorganfainberg: do we need to convert that to the new format or is it ok if is gets lost?21:56
morganfainbergdstanek, ideally...memcached should be flushed before this code goes live21:56
*** Longgeek has quit IRC21:57
morganfainbergdstanek, but we don't know if tokens are valid or not, we can't ask w/o possibly locking up keystone truying to ask for the data21:57
*** jasondotstar has joined #openstack-dev21:57
*** clayb has joined #openstack-dev21:57
morganfainbergdstanek, i think the only real solution is to clear the list and force the user(s) to get new tokens.21:57
*** sarob has joined #openstack-dev21:58
morganfainbergdstanek, it's an unfortunate design choice i made when i originally developed this code.21:58
*** Longgeek has joined #openstack-dev21:58
dstanekmorganfainberg: so when this code is deployed all token are expired?21:58
morganfainbergdstanek, not... exactly.21:58
*** Longgeek has quit IRC21:59
morganfainbergdstanek, tokens are no longer tracked.21:59
morganfainbergdstanek, i guess this means there is a <token_TTL> window of possible token abuse21:59
*** Longgeek has joined #openstack-dev21:59
morganfainberglet me look at something real quickly21:59
bknudsontokens that were valid before can't be validated via keystone... UUID tokens21:59
morganfainbergbknudson, correct, but PKI22:00
*** Longgeek has quit IRC22:00
bknudsonauth_token won't care about the pki tokens22:00
*** anniec has quit IRC22:00
bknudsonbut then keystone can't invalidate them (due to role change or whatever?)22:00
morganfainbergbknudson, you can't revoke PKI tokens22:00
morganfainbergbknudson, yeah22:00
morganfainbergbknudson, that is the issue22:00
*** Longgeek has joined #openstack-dev22:01
*** dspano has quit IRC22:01
morganfainbergbknudson, for uuid tokens, i expected it to impact the validity of them.22:02
morganfainbergbknudson, and that is covered in the commit message - a side effect of the fix really being required.22:02
*** Longgeek has quit IRC22:02
morganfainbergbknudson, not sure how to address the password-change/role-change/etc revocation of tokens for the token-ttl window after this is deployed22:03
morganfainbergi... guess we could just use current token-ttl and keep the elements of this list around longer than before?22:03
*** Longgeek has joined #openstack-dev22:03
*** marcoemorais has quit IRC22:03
morganfainbergbknudson, read in the list like we used to, hard-set token TTL to now+token_TTL time from conf, and then loop?22:03
*** Longgeek has quit IRC22:04
*** marcoemorais has joined #openstack-dev22:04
morganfainbergit only means the user-index would hold tokens that aren't valid anymore for longer.  it's expected some tokens will be invalid and in that list22:04
*** marcoemorais has quit IRC22:04
morganfainbergdstanek, ^22:04
*** READ10 has quit IRC22:05
*** Longgeek has joined #openstack-dev22:05
*** marcoemorais has joined #openstack-dev22:06
bknudsonmorganfainberg: I think that sounds reasonable... essentially fake out the tokens in the existing list with an expiration.22:06
*** Longgeek has quit IRC22:06
*** vuil has joined #openstack-dev22:06
dstanekmorganfainberg, bknudson: yes, that is what i was thinking22:06
morganfainbergok, that... shouldn't be too bad.  it has a potential gap in that if someone changed the TTL in the conf, but -- really I don't think we can address every edge-case22:06
*** Longgeek has joined #openstack-dev22:06
*** thuc has quit IRC22:07
*** Longgeek has quit IRC22:07
*** jdob_ has quit IRC22:07
morganfainbergok, i'll add some timedelta magic code in there.22:07
morganfainbergs/magic//22:07
*** thuc has joined #openstack-dev22:07
morganfainbergand i'll port that to the havana version as well.22:07
morganfainbergany other comments before i post a patchset? [don't want to cause issues with reviews/extra patches since this is important fix]22:08
*** Longgeek has joined #openstack-dev22:09
*** jasondotstar has quit IRC22:09
*** Longgeek has quit IRC22:09
*** Longgeek has joined #openstack-dev22:09
*** Longgeek has quit IRC22:10
dstanekmorganfainberg: the only other thing that struck me was line 172 on https://review.openstack.org/#/c/71683/2/keystone/tests/test_backend_memcache.py22:11
*** thuc has quit IRC22:11
*** thuc has joined #openstack-dev22:12
*** Longgeek has joined #openstack-dev22:12
dstaneki think it would be useful to call out that the next few lines are really to expire one of the tokens22:12
*** abhirc has joined #openstack-dev22:12
*** Longgeek has quit IRC22:13
dstanekor simplify it to just expire one of them and not look for the one labeled as expired.  i don't think you look to make sure the expired one was actually expired anyway22:13
*** tjones has joined #openstack-dev22:14
*** lparth has joined #openstack-dev22:15
*** Longgeek has joined #openstack-dev22:15
*** Longgeek has quit IRC22:15
bknudsonmorganfainberg: I posted a couple22:15
bknudsondstanek: that was my comment.22:16
*** Longgeek has joined #openstack-dev22:16
bknudsonwe think alike22:16
*** Longgeek has quit IRC22:16
*** Longgeek has joined #openstack-dev22:17
*** sballe has quit IRC22:18
*** Longgeek has quit IRC22:18
*** tjones has quit IRC22:18
*** Longgeek has joined #openstack-dev22:18
*** bswartz has quit IRC22:19
*** carl_baldwin has quit IRC22:21
*** Longgeek has quit IRC22:21
*** bknudson has quit IRC22:21
*** Longgeek has joined #openstack-dev22:22
*** peristeri has quit IRC22:23
*** otherwiseguy has quit IRC22:23
*** Longgeek has quit IRC22:24
*** julienvey has quit IRC22:24
dstanek:-)22:24
*** Longgeek has joined #openstack-dev22:24
*** rtheis has quit IRC22:26
*** arnaud has quit IRC22:26
*** _cjones__ has joined #openstack-dev22:27
*** melwitt has quit IRC22:27
*** csd has joined #openstack-dev22:27
*** abhirc has quit IRC22:27
*** Longgeek has quit IRC22:27
*** vladikr has quit IRC22:27
*** chris_johnson has quit IRC22:28
*** epim has quit IRC22:28
*** Longgeek has joined #openstack-dev22:28
*** vuil has quit IRC22:28
*** godara has joined #openstack-dev22:29
*** prad has quit IRC22:29
*** tjones has joined #openstack-dev22:29
*** marcoemorais has quit IRC22:30
*** _cjones_ has quit IRC22:30
*** marcoemorais has joined #openstack-dev22:30
*** jcooley_ has quit IRC22:31
*** Longgeek has quit IRC22:31
*** Longgeek has joined #openstack-dev22:31
*** arnaud has joined #openstack-dev22:31
*** tjones has quit IRC22:32
*** tjones has joined #openstack-dev22:32
*** epim has joined #openstack-dev22:32
*** melwitt has joined #openstack-dev22:32
*** _cjones__ has quit IRC22:34
*** Longgeek has quit IRC22:34
*** BLZbubba has quit IRC22:34
*** BLZbubba has joined #openstack-dev22:34
*** Longgeek has joined #openstack-dev22:35
*** sushils has joined #openstack-dev22:35
stevemari think i went overboard on docstrings :\22:37
*** sarob has quit IRC22:37
*** pablosan has joined #openstack-dev22:37
annegentlestevemar: unpossible22:37
stevemarannegentle, i think the docstring block is longer than the code now22:37
*** Longgeek has quit IRC22:37
dstanekstevemar: if they are helpful then that's a good thing22:38
*** carl_baldwin has joined #openstack-dev22:38
annegentlestevemar: :)22:38
*** anniec has joined #openstack-dev22:38
*** Longgeek has joined #openstack-dev22:38
morganfainbergdstanek, thanks22:38
*** Longgeek has quit IRC22:38
morganfainbergdstanek, i'll look at both your comments (in IRC) and brant's22:39
*** sarob has joined #openstack-dev22:39
*** Longgeek has joined #openstack-dev22:39
dstanekmorganfainberg: np22:39
*** Longgeek has quit IRC22:39
*** Longgeek has joined #openstack-dev22:40
*** anniec has quit IRC22:41
*** Mandeep has joined #openstack-dev22:42
*** Longgeek has quit IRC22:43
*** sarob has quit IRC22:43
*** bswartz has joined #openstack-dev22:43
*** anniec has joined #openstack-dev22:43
*** Longgeek has joined #openstack-dev22:44
Mandeephelp22:44
*** pmathews has quit IRC22:44
*** colinmcnamara has joined #openstack-dev22:44
*** ewindisch has quit IRC22:44
*** bknudson has joined #openstack-dev22:46
*** mriedem has quit IRC22:46
*** Longgeek has quit IRC22:46
*** Longgeek has joined #openstack-dev22:47
*** Longgeek has quit IRC22:48
*** colinmcnamara has quit IRC22:49
*** colinmcnamara has joined #openstack-dev22:49
ayoungdolphm, we can drop support for the MII format once we have the {cmsz} format22:50
ayoungdstanek, sorry, missed your review22:53
ayoungdolphm, I'm OK with dropping the MII format if you are22:53
ayoungbut this code will have to deal with both.22:53
ayoungat least until we can get the server to stop producing the MII format22:54
*** vkmc has joined #openstack-dev22:54
*** nati_ueno has quit IRC22:54
*** kevinconway has quit IRC22:55
*** nati_ueno has joined #openstack-dev22:55
*** ewindisch has joined #openstack-dev22:56
dolphmayoung: drop support for generating MII tokens - that's all. still support reading them in auth_token (the code in auth_token looks great afaict)22:56
dolphmother than i would swap the default value of DER vs PEM22:56
dolphmin whatever kwarg that was called (inform/outform?)22:56
*** nkinder has joined #openstack-dev22:57
ayoungdolphm, I'd like to do it in two stages.  I think dropping MII should be second.  If we merge the change that lets server use the client lib, and we drop support for MII at the same time, we'll be unable to merge.  We need to remove the change from the server side first22:57
ayoungand I really don;t want to duplicate this code onto both sides22:57
dolphmayoung: *thinking*22:58
*** lcheng_ has joined #openstack-dev22:58
ayoungI hear you on the DER vs PEM thing, but again, I was treating it like a public API, since the server is calling the cloned version of this code in keystone/common22:58
ayoungI can put in deprecations for now22:58
dolphmfair enough ^22:59
ayoungpersonally, I love the idea of dropping MII22:59
*** edmund has quit IRC22:59
dstanekmorganfainberg: let me know when you're ready with the memcached review and i'll get on it right away22:59
ayounglet me address dstanek 's comments, I didn;t even realize that review was in there...22:59
morganfainbergdstanek, working on the fixes now22:59
dolphmayoung: i'm not understanding why you need to do the client side in two patches? (that means two 0.x.0 releases?)22:59
dstanekmorganfainberg: take your time - i have all night :-)22:59
*** jnoller_ has joined #openstack-dev23:01
*** rwsu has quit IRC23:01
ayoungdolphm, yeah...I don't like it either.  Let me think it through and see if there is a way we can do it without breaking the server.23:01
*** jnoller has quit IRC23:01
*** byeager has joined #openstack-dev23:01
*** jcooley_ has joined #openstack-dev23:01
ayoungdolphm, OK,  so,  in order to do that, I would have to do one of two things.  Either clone the change to the server,  then change the server to use the library.  Or,  not clone the change to the server, and merge the change to use the library with the change to not produce MII tokens23:03
*** rwsu has joined #openstack-dev23:03
dolphmayoung: the server isn't consuming the client's cms module yet, right?23:03
ayoungdolphm, yeah, not yet23:03
dolphmayoung: so the token generation code is unused there?23:03
ayoungdue to what dstanek found about the check for Popen23:03
ayoungtoken generation code in the server is performed in keystone/common/cms.py23:04
ayoungsigning that is23:04
*** _cjones_ has joined #openstack-dev23:04
*** jobewan has quit IRC23:04
*** jsavak has quit IRC23:04
*** _cjones_ has quit IRC23:05
dolphmayoung: there's two steps required, right? A) client release supports generating compressed tokens, B) service is updated to use client's cms module23:05
*** _cjones_ has joined #openstack-dev23:05
dolphmi don't see how dropping support for generating MII in step A would break the server if it's not even used23:05
*** rwsu has quit IRC23:06
*** jcooley_ has quit IRC23:06
ayoungdolphm, OK, if the client drops support for generating MII tokens, I can do it all cleanly with 3 server patches.23:07
ayoung1:  move the generation of MII tokens out of common/cms.py  into a temp file23:07
ayoung2:  switch to using the client lib23:07
ayoung3: drop the MII tokens23:07
ayoungso, I can drop support for the MII tokens out of the client lib.  I'll do that this patch.23:08
*** otherwiseguy has joined #openstack-dev23:08
*** jdennis has quit IRC23:08
ayoungwe can  hold up on approving patch 1 above until 2 and 3 are approved, and it will pass gerrit as one virtual transaction23:08
*** Mandeep has quit IRC23:08
*** RajeshMohan has quit IRC23:09
*** jmontemayor has quit IRC23:10
*** burt1 has quit IRC23:10
*** RajeshMohan has joined #openstack-dev23:10
dolphmayoung: what does step 3 entail?23:10
*** browne has quit IRC23:11
*** ewindisch has quit IRC23:11
dolphmayoung: you won't be able to pass a jenkins check in step 2 until the client sees a release in step 1 though23:11
*** galstrom is now known as galstrom_zzz23:12
*** joesavak has joined #openstack-dev23:14
*** jgrimm has quit IRC23:15
*** tdruiva has quit IRC23:16
ayoungdolphm, right, so in step 1, I move all deprecated/removed functions out of keystone/common/cms.py and  to a temp file.   Step 2 is to drop keystone/common/cms.py23:16
ayoungstep 3 entails changing over all of the MII specific code to code that checks for and generats cmsz format, and drops the temp file.23:17
ayoungunit tests run to 100% on each step23:17
dolphmayoung: keystone/common/cms isn't public api -- don't worry about managing the transition like that23:17
*** marc_ has joined #openstack-dev23:18
ayoungdolphm, well, I can do it all in one commit, but it will be easier to review in the 3 steps above.23:18
*** marc_ is now known as Guest4510823:18
ayoungI need to go be a dad for a while.23:18
*** troytoman-away is now known as troytoman23:18
dolphmayoung: /salute23:18
*** ayoung is now known as ayoung-ZzZz23:18
*** markmcclain has joined #openstack-dev23:18
*** rwsu has joined #openstack-dev23:19
*** markmcclain has quit IRC23:20
*** markmcclain has joined #openstack-dev23:21
*** enikanorov has quit IRC23:21
*** byeager has quit IRC23:21
*** FunnyLookinHat has quit IRC23:21
*** IanGovett has quit IRC23:21
*** thuc has quit IRC23:21
*** jasondotstar has joined #openstack-dev23:22
*** thuc has joined #openstack-dev23:22
*** enikanorov has joined #openstack-dev23:24
*** doug_shelley66 has quit IRC23:24
*** doug_shelley66 has joined #openstack-dev23:25
*** tdruiva has joined #openstack-dev23:25
*** jnoller_ is now known as jnoller23:25
*** thuc has quit IRC23:26
*** radsy has joined #openstack-dev23:27
dolphmdhellmann: what's the impact on all the projects that have been added to bug 1277507 ?23:29
uvirtbotLaunchpad bug 1277507 in python-keystoneclient ""ImportError: No module named passlib.hash"; HTTP error 403 while getting ipaddr from googledrive.com" [Undecided,Invalid] https://launchpad.net/bugs/127750723:29
dhellmanndolphm: at this point ipaddr is available on pypi and so things should be working again23:29
*** Guest45108 has quit IRC23:29
dhellmanndolphm: I've been working on some internal stuff, though, so maybe something new is going on I don't know about?23:30
dolphmdhellmann: ++, do we need to bump requirements or something to avoid the issue recurring?23:30
dhellmanndolphm: let me look at what requirements says now23:30
*** mst89 has joined #openstack-dev23:30
dhellmannif there's only one version available, the mirror sync should pick that one up23:30
*** thuc has joined #openstack-dev23:30
dhellmanndolphm: ipaddr isn't in our requirements, I guess it's a 2nd tier requirement23:31
dolphmdhellmann: pretty sure WSME uses it?23:31
*** thuc_ has joined #openstack-dev23:31
*** achampion has quit IRC23:31
*** anniec has quit IRC23:31
dhellmanndolphm: yeah23:31
dhellmannI thought we had a direct dependency, too23:31
dolphmdhellmann: i thought we did as well, actually23:32
*** ijw has quit IRC23:32
*** thuc_ has quit IRC23:32
jnollerdhellmann: did he upload it to pypi23:32
jnoller?23:32
*** thuc has quit IRC23:32
dolphmjnoller: yes23:32
*** thuc has joined #openstack-dev23:32
*** joesavak has quit IRC23:32
*** arnaud__ has quit IRC23:33
*** arnaud has quit IRC23:33
*** morazi has quit IRC23:33
*** lbragstad has quit IRC23:34
*** adnan has quit IRC23:34
*** epim has quit IRC23:34
jnollerWoot23:34
jnollerhe didn't reply to my email so :(23:34
dhellmannjnoller: he replied on their dev list23:35
jnollerthis is why I can't have nice things23:35
* dhellmann is getting tired of subscribing to dev lists to communicate with package authors23:35
*** vuil has joined #openstack-dev23:35
*** arnaud has joined #openstack-dev23:36
*** arnaud__ has joined #openstack-dev23:36
*** thuc has quit IRC23:37
*** vuil has quit IRC23:38
*** vuil has joined #openstack-dev23:38
*** pablosan has quit IRC23:39
*** neelashah has quit IRC23:40
*** anniec has joined #openstack-dev23:40
*** thuc has joined #openstack-dev23:40
*** aaronjamesford has quit IRC23:42
*** markmcclain has quit IRC23:43
*** thuc has quit IRC23:44
*** e0ne has quit IRC23:44
*** thuc has joined #openstack-dev23:44
*** tjones1 has joined #openstack-dev23:45
*** denis_makogon_ has quit IRC23:45
*** tjones has quit IRC23:46
*** e0ne has joined #openstack-dev23:46
*** tjones1 has quit IRC23:48
*** tjones has joined #openstack-dev23:48
*** browne has joined #openstack-dev23:49
*** Sukhdev has quit IRC23:51
*** tjones has quit IRC23:53
*** jnoller has quit IRC23:54
*** anniec has quit IRC23:56
*** vuil has quit IRC23:57
*** abhirc has joined #openstack-dev23:58
*** MaxV has quit IRC23:59
*** jkoelker has quit IRC23:59
*** jkoelker has joined #openstack-dev23:59
*** clu_ has quit IRC23:59
*** vartom1111111117 has quit IRC23:59
« Thursday, 2014-02-06 Index Saturday, 2014-02-08 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!