Thursday, 2014-02-20

00:00 <jamielennox> morganfainberg: ah, there's no way i'm cool enough for something like that
00:01 <morganfainberg> jamielennox, neither am I, that's why I'm not in that channel
00:12 <nkinder> openstack-keystone-badcrowd? :)
00:20 *** david_lyle has quit IRC
00:28 <bknudson> how do I generate sample config
00:28 <bknudson> ?
00:35 *** browne has joined #openstack-keystone
00:35 <bknudson> never mind, figured it out
00:38 <morganfainberg> bknudson, yeah. maybe we need some docs for that before that merges
00:39 <morganfainberg> bknudson, do you want me to remove the () around all the help strings? i seem to have added it a lot of places
00:39 <bknudson> morganfainberg: it's not consistently done
00:40 <morganfainberg> bknudson, it should be consistent, any string that was spanning multiple lines should have it
00:40 <bknudson> morganfainberg: if you'd done it on every multi-line help text I'd say don't change it since it's consistent but it's not.
00:40 <morganfainberg> bknudson, but i'm fine pulling it out of config.py
00:40 <morganfainberg> bknudson, the warnings are expected until we get helpstrings for everything
00:41 <bknudson> seems like we should have help strings for everything.
00:41 <morganfainberg> bknudson, ++ we should
00:41 <morganfainberg> bknudson, some of them, I'm not sure what to write :)
00:42 <bknudson> morganfainberg: just put a ? or a ;)
00:42 <morganfainberg> bknudson, "Good luck figuring out what this does"
00:43 <morganfainberg> interestingly, looks like we lost some helpstrings in the sample config =/
00:43 <morganfainberg> actually... lost all of them in the last patchset
00:43 <morganfainberg> somehow.
00:44 <bknudson> morganfainberg: I didn't look closely, just ran the generator and the files were different
00:44 <morganfainberg> bknudson, yeah something wonky is going on
00:44 <bknudson> might depend on whatever oslo.config you have installed locally
00:44 <morganfainberg> maybe.
00:44 <morganfainberg> but a previous version worked as expected
00:44 <morganfainberg> *grumble*
00:44 <bknudson> this is where we need instructions
00:45 <morganfainberg> bknudson, yeah, sounds good
00:45 <morganfainberg> well... there is the README :P
00:46 <bknudson> don't I just run "./tools/config/generate_sample.sh" ?
00:54 *** browne has quit IRC
01:00 *** gokrokve has quit IRC
01:00 *** stevemar has quit IRC
01:00 *** gokrokve has joined #openstack-keystone
01:00 *** stevemar has joined #openstack-keystone
01:00 *** ChanServ sets mode: +v stevemar
01:03 *** gokrokve has quit IRC
01:05 <morganfainberg> bknudson, that should be it
01:05 <morganfainberg> bknudson, but i think there must be a bug somehow
01:05 <morganfainberg> bknudson, let me chase this down
01:05 *** gokrokve has joined #openstack-keystone
01:08 <bknudson> morganfainberg: the README doesn't say "just run ./tools/config/generate_sample.sh"
01:10 <morganfainberg> bknudson, but when the pep8 fails, it tells you to run it just like that
01:10 <morganfainberg> bknudson, there is something else going on, because before it "just worked" when i ran "./tools/config/generate_sample.sh"
01:10 <bknudson> morganfainberg: that doesn't work for you?
01:11 <bknudson> I think it worked for me.
01:11 <morganfainberg> bknudson, are the keystone options in there or just the oslo options
01:11 <morganfainberg> bknudson, look for [cache]
01:11 <morganfainberg> bknudson, and see if the helpstrings are in the sample
01:11 <morganfainberg> i just had an issue where that didn't work
01:12 <bknudson> morganfainberg: doesn't find it... also, not much help text.
01:12 <morganfainberg> bknudson, yep, something is going on
01:12 <bknudson> oh, I'm on master.
01:12 <morganfainberg> bknudson, oh vs. on the changeset?
01:13 <bknudson> morganfainberg: now it looks good.
01:13 <bknudson> when I've got 72808 checked out
01:13 <morganfainberg> hmmm
01:14 <bknudson> [cache] is there.
01:14 <morganfainberg> mine keeps running w/o cache being there
01:17 <morganfainberg> bknudson, ... hmm. do you install keystone in your environment? (develop or whatever)?
01:17 *** dstanek has quit IRC
01:17 <bknudson> morganfainberg: I ran devstack a year ago and keep running it... who knows what it does.
01:17 <morganfainberg> bknudson, hmm...
01:18 <morganfainberg> bknudson, i think my issue is that keystone isn't installed so it's not doing the right thing trying to find the options
01:18 <bknudson> morganfainberg: does devstack run on your system?
01:18 <morganfainberg> bknudson, i don't run devstack in most VMs i run unit tests in
01:18 <morganfainberg> bknudson, i usually have specific devstack VMs
01:18 *** gokrokve has quit IRC
01:19 *** gokrokve has joined #openstack-keystone
01:21 *** hxgqh1987 has joined #openstack-keystone
01:23 *** gokrokve has quit IRC
01:43 *** marcoemorais has quit IRC
01:44 *** dstanek has joined #openstack-keystone
01:44 *** ChanServ sets mode: +v dstanek
01:45 *** richm has quit IRC
01:45 *** dolphm_503 is now known as dolphm
01:46 <dolphm> bknudson: you've been on a single devstack install for a year?
01:46 <morganfainberg> bknudson, ok it def. looks like it is because "./" isn't in sys.path
01:46 <morganfainberg> in my environment
01:46 <morganfainberg> when running the generate thing
01:47 <morganfainberg> stevemar, look! dolphm service is available again
01:47 * dolphm runs
01:47 <bknudson> dolphm: essentially since I started working on this.
01:47 <stevemar> get him!
01:47 <dolphm> i guess my away nick worked
01:47 <morganfainberg> dolphm, naH, stevemar tried to reboot you
01:48 *** dstanek has quit IRC
01:48 <stevemar> henrynash's stuff got merged
01:48 <stevemar> weee
01:49 <dolphm> morganfainberg: going to check the eavesdrop logs
01:49 <dolphm> stevemar: YAY
01:49 <morganfainberg> dolphm, hehe
01:50 <dolphm> morganfainberg: aww, eavesdrop started too late
01:50 <morganfainberg> dolphm, yeah
02:01 *** dstanek has joined #openstack-keystone
02:01 *** ChanServ sets mode: +v dstanek
02:07 <stevemar> dolphm,
02:07 <stevemar> oops
02:07 <dolphm> stevemar,
02:08 <stevemar> for normal token rescoping, you use the unscoped token in the X-Auth-Token header right?
02:08 <stevemar> it should be the same in our case
02:10 <morganfainberg> bknudson, oh the way this is being done it _HAS_ to have keystone installed
02:10 <morganfainberg> bknudson, how stevedore works
02:10 <dolphm> stevemar: yes
02:10 <morganfainberg> ugh
02:10 <bknudson> morganfainberg: what does it mean to be installed?
02:10 <morganfainberg> bknudson, pip, setup, whatever
02:11 <bknudson> devstack probably does it
02:11 <morganfainberg> bknudson, it relies on information that comes from the setup.py process
02:11 <morganfainberg> bknudson, if we're ok with that limitation, i can doc it up
02:11 <bknudson> morganfainberg: everybody else seems to be
02:11 <morganfainberg> bknudson, if we want it to "just work".. it'll take a bit more
02:11 <morganfainberg> bknudson, nah, we do things differently because we don't register configs on import
02:12 <stevemar> dolphm, marek is doing something funny with it at the moment, look at line 1087 of: https://review.openstack.org/#/c/71353/28/keystone/tests/test_v3_federation.py
02:12 <stevemar> he's putting the unscoped token in a random "id" field
02:13 <dolphm> wasn't that supposed to be IdP or something?
02:14 <stevemar> dolphm, yes
02:14 <stevemar> he does that for the unscoped token
02:14 <dolphm> does any of this new approach work with mod_shib / mod_mellon?
02:14 <bknudson> stevemar: if you upload a new patch set -- please set "basing" to "based" in the commit message
02:15 <stevemar> bknudson, will do
02:15 <bknudson> I'm tired of seeing that bad grammar in my inbox
02:15 <dstanek> bknudson: :-)
02:15 <stevemar> bknudson, took me a second to realize what you were talking about... I usually just look for 'generate'
02:15 <stevemar> bknudson, but yes, i will fix it
02:15 <ayoung> nkinder, I'm about to resubmit remember-the-dn with pep8 fixed
02:16 <dolphm> and what's with the obsessively building kwargs dictionaries before immediately passing them into a function call as **kwargs? did i miss a mailing list thread or something? that makes no sense to me
02:17 <morganfainberg> bknudson, yep, requires entry points, which won't be populated w/o setup process *grumble* and the generator is... sub-optimal to be used like we do outside of entry points
02:17 <dolphm> stevemar: did the group change get squashed again?
02:18 <dolphm> or something?
02:18 <stevemar> dolphm, I don't know what you mean?
02:18 <dolphm> do they not need to merge in order..?
02:18 <stevemar> no, they don't
02:18 <dolphm> oh ok
02:18 <stevemar> dolphm, in the tests we know the group ids, right
02:19 <stevemar> so it could be broken off, cleanly
02:19 <morganfainberg> dolphm, https://review.openstack.org/#/c/74598/2/cinderclient/service_catalog.py this seems like copy/paste of keystoneclient... am i missing something as to why they aren't doing from keystoneclient import service_catalog?
02:20 <jamielennox> morganfainberg: yea, we know
02:20 <jamielennox> morganfainberg: although apparently it was subtly tweaked that you just can't import it now
02:20 <morganfainberg> jamielennox, ...
02:20 <nkinder> ayoung: sigh... I should have caught that.
02:20 <morganfainberg> jamielennox, so instead of fixing that issue, copy/paste is the answer?
02:20 <nkinder> ayoung: I'll fix it and resubmit
02:20 <ayoung> nkinder, nope
02:20 <ayoung> I got it
02:20 <ayoung> just running the tests now
02:21 <jamielennox> morganfainberg: i have no answer for you here...
02:21 <morganfainberg> jamielennox, i feel like ... i don't get it
02:21 <ayoung> nkinder, what did you do differently? I had trouble doing a side by side diff with my earlier patch
02:21 <nkinder> ayoung: I fixed up groups
02:21 <nkinder> ayoung: you only focused on users
02:21 <ayoung> cool
02:22 *** gokrokve has joined #openstack-keystone
02:22 <ayoung> good extension, and we can deal with assignments after we hear back from Cern...which we might have already, but I have 800+ messages still to plough through
02:22 <morganfainberg> jamielennox, -1'd it with that question
02:22 <morganfainberg> jamielennox, i guess we'll see what the answer is
02:22 <jamielennox> there was a review?
02:22 <morganfainberg> https://review.openstack.org/#/c/74598/
02:23 <stevemar> dolphm, lol'ed at your kwargs remark
02:23 <nkinder> ayoung: I also cleaned up a few things with where you had the filter_user() method
02:23 <ayoung> like what?
02:23 <jamielennox> morganfainberg: jeez
02:23 <dolphm> stevemar: i feel like i'm picking on him, but i've seen it several times recently -- the scale there was intense though
02:23 <morganfainberg> jamielennox, yeah.. this is like round 2 of "WTF?"
02:23 <jamielennox> morganfainberg: i put a -1 on something very like this not long ago
02:23 *** gokrokve_ has joined #openstack-keystone
02:23 <morganfainberg> jamielennox, yeah
02:24 <stevemar> dolphm, s'all good
02:24 <nkinder> ayoung: well, you defined it outside of any class
02:25 <morganfainberg> jamielennox, just pinged john and mike perez about that and the -1 i added
02:25 <jamielennox> morganfainberg: cool
02:25 <morganfainberg> jamielennox, wouldn't hurt if you -1'd as well ;) if you are so inclined
02:25 <jamielennox> morganfainberg: was it cinder we recently stopped this on as well
02:25 <ayoung> morganfainberg, jamielennox I dogpiled on that rabbit
02:25 <morganfainberg> jamielennox, yeah where they implemented their own and we told them to use keystoneclient impl
02:26 <nkinder> ayoung: I instead added methods to the UserApi class (get_filtered and filter_attributes)
02:26 <morganfainberg> well i guess they are using keystoneclient's impl now.. *boggle*
02:26 <nkinder> ayoung: I did the same for groups in a consistent way.
02:27 *** gokrokv__ has joined #openstack-keystone
02:27 <jamielennox> morganfainberg: lol - but not
02:27 <morganfainberg> jamielennox, right
02:27 <jamielennox> morganfainberg: can we coin col for crying?
02:27 <ayoung> OK. looking. I reposted the review. I converted old_obj to old in order to shorten the line for pep8. I flipping hate Python line wrap rules
02:27 <morganfainberg> jamielennox, HAH
02:27 *** gokrokve has quit IRC
02:28 *** gokrokve_ has quit IRC
02:29 <ayoung> nkinder, was filter_user LDAP specific? I thought it made sense to be in identity and usable by the other backends
02:30 <ayoung> nkinder, that might have been because I was using it for assignments as well
02:30 * ayoung wrote this so long ago slash me forgot
02:32 <ayoung> so we still have filter_user, but we also have filter_attributes? nkinder does that make sense? I guess so, since we need to filter the DN out of all of the objects, and filter_user originally had a different purpose
02:33 *** lbragstad has joined #openstack-keystone
02:35 *** david-lyle has joined #openstack-keystone
02:35 <stevemar> dolphm if a protocol is deleted, then we delete any tokens with OS-FEDERATION... but not for protocol or mapping right.. ?
02:36 <stevemar> dolphm, also, what's to stop chaining tokens? would the user have to start with an unscoped token every time?
02:40 <nkinder> ayoung: yes, I left the old filter_user alone since it had another purpose
02:40 <stevemar> dolphm, also, you suggested to rename `list_xxxx_for_groups` to `list_accessible_groups` in the controller side, what about at the SQL backend level? same convention?
02:41 <nkinder> ayoung: ok, I ran pep8 and it all passed, but then I converted old back to old_obj, as I didn't see why you changed it
02:41 <nkinder> ayoung: now I know it was due to pep8 :P
02:42 *** morganfainberg is now known as morganfainberg_Z
02:43 <nkinder> ayoung: filter_user was outside of the class to be used by assignment, but I found it wasn't really needed for that (when I had changed assignment as well)
02:43 <ayoung> nkinder, can you submit a follow on patch for assignments?
02:44 <ayoung> let's keep it in the system
02:47 <ayoung> submit it as a WIP or Draft, so long as it is recorded.
02:53 <nkinder> ayoung: ok, but it's completely broken unless I add back in the identity_api stuff that bknudson removed.
02:53 <nkinder> ayoung: I can add that back in for the LDAP assignments driver only, but some of the unit tests will fail (the test_*_no_user ones that bknudson added when he made his changes)
02:53 <nkinder> I'm not sure if there is an easy way to skip those tests only if LDAP assignments are being used.
02:53 <ayoung> nkinder, please add it back in.
02:54 <ayoung> I suspect that it will be necessary for assignments to work in LDAP in general. Just a suspicion
02:54 <nkinder> the tests are defined in test_backend.py
02:54 <ayoung> overload them in the unit tests for LDAP assignments
02:54 <bknudson> nkinder: they only fail on live ldap?
02:54 <nkinder> ayoung: ok, will do.
02:55 <ayoung> nkinder, thanks
02:55 <nkinder> bknudson: any LDAP, but this is only if I add back searching for the users
02:55 <bknudson> nkinder: well, they don't fail with fake ldap ?
02:55 <nkinder> bknudson: your tests pass with fake and live LDAP right now. It's only with my changes to the LDAP assignment backend that cause it to fail (fake or live)
02:56 <bknudson> nkinder: what changes are you making?
02:56 <nkinder> bknudson: my code relies on looking up the users, but your tests want role assignment to work when users don't exist
02:56 <nkinder> bknudson: https://bugs.launchpad.net/keystone/+bug/1230260
02:56 <uvirtbot> Launchpad bug 1230260 in keystone "Multiple round trips for DNs" [Medium,In progress]
02:57 <ayoung> nkinder, skip tests for that are acceptable...I'll show you where
02:57 <bknudson> nkinder: I thought we wanted it to work that way but I've since been told that users should exist for assignments
02:57 <nkinder> bknudson: the current patch is for identity LDAP only, but I was trying to avoid additional LDAP search ops for users and groups in the LDAP assignment code too.
02:57 <nkinder> ok, for LDAP only?
02:57 <bknudson> nkinder: all the backends should work the same.
02:58 <bknudson> would be pretty confusing for users if it worked differently depending on the backend.
02:58 <nkinder> bknudson: so does your patch need to be reverted in entirety?
02:58 <bknudson> since they don't know what backend is configured
02:59 <bknudson> nkinder: what patch? I've got a lot of patches.
02:59 <ayoung> Did we not split the assignment tests out of identity?
02:59 * ayoung way too lazy
02:59 <nkinder> bknudson: https://github.com/openstack/keystone/commit/ab1b0c283bd37b2f547aa087bd722aaa3f973df2
03:00 *** hxgqh1987 has quit IRC
03:01 <ayoung> nkinder, looks like they would just go in LDAPIdentity in test_backend_ldap.py. I really need to split assignment tests from Identity tests. Then again, we need to split the tests along functional lines and not along backend lines....
03:01 <bknudson> nkinder: I guess if we want it to work the way that it did before then the easiest would be to revert that one.
03:01 <ayoung> nah, just skip for the LDAP assign tests
03:01 *** devlaps has quit IRC
03:02 *** morganfainberg_Z is now known as morganfainberg
03:02 <nkinder> ayoung: It seems to me like we need to determine what the plan is for LDAP assignments in general.
03:03 <nkinder> Is it being deprecated or not?
03:04 <nkinder> If not, should require LDAP identity (I believe the answer is yes for this currently).
03:04 <nkinder> sorry, let me retry that...
03:04 <nkinder> Should LDAP assignments require LDAP identity?
03:04 <nkinder> If so, how does that work for federation?
03:05 <bknudson> nkinder: why does LDAP assignments require LDAP identity?
03:06 <nkinder> I think those answers are needed before we rush into changing LDAP assignments to be different than SQL assignments here (especially since the patch at hand is only an optimization)
03:06 <nkinder> bknudson: I believe ayoung said that it requires LDAP identity
03:06 <dolphm> ayoung: nkinder: from cern, it sounds like ldap assignments can be deprecated for icehouse
03:06 <dolphm> as long as we still support it and allow time to migrate away
03:06 <nkinder> dolphm: if that's the case, I'd rather not bother with optimizing it now
03:07 <dolphm> nkinder: it's never been an optimal solution... as long as it's not worse than havana, i don't think much effort should be put into it
03:07 <nkinder> dolphm: +1, that's my feeling too
03:08 <bknudson> I'm sure there's some optimizations that could be done for ldap if you want to improve it.
03:08 <dolphm> clean separation from identity is most important so that it can be dumped when we're ready
03:08 <bknudson> connection pooling
03:08 <nkinder> keep it working, but don't expend any extra effort
03:08 <dolphm> bknudson: those would apply equally to identity though
03:08 <dolphm> bknudson: so, ++
03:08 <nkinder> bknudson: I have other LDAP nitpicks first...
03:08 <nkinder> For one, the DN comparison code is fragile
03:08 <bknudson> properly handling attribute names
03:08 <dolphm> i'd still like to see first class support for AD next to LDAP
03:09 <nkinder> We're just comparing DNs as strings, but we need to be syntax aware
03:09 <bknudson> we'll just query the ldap server to get the schema.
03:09 <nkinder> no, it's not a schema issue
03:09 <nkinder> the DN syntax is quite complex
03:10 <nkinder> When you compare DNs, you can't just do a string comparison to see if they are equal
03:10 <bknudson> how do you know if the attribute is compared case-sensitive without the schema?
03:10 <dolphm> we also had an interesting suggestion to have a templated ldap driver, that loaded templated queries from disk (deployer configurable), and just used those as-is
03:10 <nkinder> this isn't case sensitivity
03:10 <nkinder> characters can be supplied as hex escapes for example
03:11 <nkinder> See RFC 4517 if you're curious. DNs are quite complex and have many different forms that represent the same exact DN
03:11 <nkinder> There is some good DN comparison code in FreeIPA that a co-worker is going to try to get into python-ldap.
03:11 <nkinder> If we can get it there, we can then leverage it in Keystone.
03:12 <lbragstad> dolphm: fix for the oslo messaging stuff is here: https://review.openstack.org/#/c/74804/
03:12 <lbragstad> FYI
03:12 <ayoung> dolphm, why is it that you don't want endpoints to know about their IDs, and instead to use URLs?
03:13 <dolphm> ayoung: i put the reasoning i have in the blueprint -- i'm not suggesting one solution in particular, i just wanted to enumerate the options
03:13 <bknudson> we also need to know the oids for the attribute names in case someone uses that instead.
03:14 <dolphm> lbragstad: looking
03:14 <ayoung> dolphm, right..I guess what I was really asking was do you have a strong preference on it
03:14 <ayoung> I can see the restart issue
03:14 <nkinder> bknudson: yep, that's another quirk (though not common)
03:15 <nkinder> bknudson: it's usually the escape codes and case, but there are other corner cases like attribute names vs. OID and the RDN order of a DN with multiple RDNs
03:15 <lbragstad> dolphm: so that *should* take care of the log_handler stuff.. added an extra test case from bnemec too so that's a plus
03:17 <ayoung> but...I've been talking with the #moc folks, and they have an interesting architecture. They are proposing that multiple endpoints for a given service be deployed, each from a different...Provider? Company? The idea is that each would offer some quality of service, and then when you were buying into a cloud, you would select the service endpoints that met your need. The thing is, if you do that, you have the endpoints registering themselves, and I was wondering if using the URL provided a possibility for a security issue, either intentionally or through misconfiguration
03:17 <bknudson> I think clients usually have a mini-schema that has the standard attributes that commonly occur in DNs.
03:17 <bknudson> better off not trying to do DN comparisons... leave that to the server
03:17 <lbragstad> checking latest o-i and I'm not seeing any import log_handler statements.
03:19 <lbragstad> so, once that is in o-m we should be able to just rip out the notifier/rpc/log_handler modules from o-i, I think? and then do the Keystone sync... I guess that's another part I have a question on. If we are removing things from openstack.common code in keystone, does it have to be a sync from o-i? I've never handled that case.
03:37 <jamielennox> morganfainberg: do we approve of openstack.common.cache?
03:42 <ayoung> do we have a tox cheat-sheet somewhere?
03:57 <morganfainberg> jamielennox, the current incarnation that is merged? no
03:58 <morganfainberg> jamielennox, working with dhellmann, dims, and flapper87 to get a dogpile one setup
03:58 <jamielennox> morganfainberg: yea, i looked through it a bit and realized how limited it was
03:58 <morganfainberg> jamielennox, https://review.openstack.org/#/c/72291/
03:58 <morganfainberg> i need to fire a ML thread up about it.
03:59 <jamielennox> morganfainberg: i was hoping i could use it to cleanup memcache access in auth_token
04:00 <jamielennox> i remember you were working on something
04:00 <jamielennox> that's alright
04:00 <morganfainberg> jamielennox, i am working on it... just slow... yanno
04:00 <jamielennox> morganfainberg: i get it
04:20 *** chandan_kumar has joined #openstack-keystone
04:30 *** Kanagaraj has joined #openstack-keystone
04:37 *** chandan_kumar has quit IRC
04:47 <ayoung> is there a spreadsheet equivalent to Etherpad?
04:52 <ayoung> assignment tables have been rationalized. Henrynash has earned his beer
04:54 <ayoung> morganfainberg, non-expiring keys merged w00t
04:54 <morganfainberg> ayoung, yep
04:54 <morganfainberg> ayoung, and iirc memcache was on its way
04:54 <ayoung> schweeet!
04:55 <morganfainberg> ayoung, yep, kvs tokens are fully converted to dogpile
04:55 <morganfainberg> *phew*
04:55 <ayoung> morganfainberg, will we have cassandra as an option this release, or just mongo and memcache?
04:55 * ayoung greedy bastid
04:55 <morganfainberg> ayoung, likely mongo, memcached, redis, and in-memory
04:56 <ayoung> morganfainberg, that is Single-Malt-Scotch worthy
04:56 <morganfainberg> ayoung, no one has worked on cassandra and it missed the FPF
04:56 <morganfainberg> ayoung, but i am confident mongo will merge.
04:56 <ayoung> cassandra should be easy enough now
04:57 <ayoung> low hanging fruit for Juno
05:00 <morganfainberg> ayoung, yep!
05:00 <ayoung> morganfainberg, doc failure...how do I test that? tox -edocs?
05:00 <morganfainberg> ayoung, wasn't sphinx something?
05:00 <ayoung> morganfainberg, I installed that by hand
05:01 <ayoung> enable venv and pip install
05:01 <morganfainberg> tox -edocs maybe?
05:01 <morganfainberg> yeah -edocs looks right based on tox.ini
05:01 <morganfainberg> ayoung, so my evening went from good to extremely good
05:02 <morganfainberg> ayoung, code merging, things coming together for icehouse, and.. feeling like life is getting in order.
05:02 <ayoung> You keep your personal life out of this channel, thank you very much
05:02 <ayoung> oh...boring....
05:02 <morganfainberg> ayoung, haha
05:02 <ayoung> sphinx.errors.SphinxWarning: /opt/stack/keystone/keystone/contrib/revoke/core.py:docstring of keystone.contrib.revoke.core.Manager.check_token:5: ERROR: Unexpected indentation.
05:02 <ayoung> acha!
05:02 <morganfainberg> ayoung, beat you to the keeping personal life out of the channel!
05:02 <morganfainberg> ayoung, ha!
05:02 <morganfainberg> ah that error looks... pretty descriptive
05:03 <morganfainberg> i think i have 1 or two small cleanup kvs patches (more testing) to add
05:03 <morganfainberg> ayoung, but that's super easy
05:03 <ayoung> I might need some KVS smarts on the events
05:03 <morganfainberg> ayoung, sure thing. actually i want to layer in caching too
05:04 <ayoung> can you tag the patch with how to implement? All events will be going into one page for now....
05:04 <ayoung> caching can come in Juno
05:04 <morganfainberg> sure, i'll toss a patch for KVS stuff up... prob tomorrow
05:04 <ayoung> but backend should take advantage of what you've done, and I really couldn't do that yet until your other patches merged without rebase hell
05:04 <morganfainberg> ayoung, ++ totally
05:05 <ayoung> thanks. I'm going to punt on the multi page thing for this patch, but might sneak it in as a bug fix
05:05 <morganfainberg> ayoung, sure, seriously if you have _THAT_ many events, god
05:05 <ayoung> you know "revocation events fill up a page..."
05:05 <ayoung> I don't think we will
05:05 <ayoung> events should be pretty efficient
05:05 <morganfainberg> ayoung, and it's only memcache we need to really worry about, redis is better about it
05:06 <morganfainberg> as is mongo etc
05:06 <ayoung> for example, our QE had a test that had thousands of tokens active for a given user, and when they delete him, get thousands of revoked tokens. Now that will be one event
05:06 *** chandan_kumar has joined #openstack-keystone
05:06 <morganfainberg> and if anyone tells me they are using in-mem in production... i think they need to have their fingers broken
05:06 <morganfainberg> ayoung, yeah same issue we have in production
05:06 <ayoung> I really want the default to be persisted
05:07 <morganfainberg> ayoung, it's why i was so so very excited to have your event stuff landing in icehouse
05:07 <ayoung> glad to hear it...maybe I'll bump the testing priority for out QA for it
05:07 <ayoung> our
05:07 <morganfainberg> ayoung, next upgrade of Keystone (afaik) for us is going to be I, which means i'm going to push hard for events
05:07 <morganfainberg> even if i have to get on a soapbox about using i keystone w/ G everything else
05:08 <morganfainberg> (though... that isn't as good a plan as other alternatives)
05:08 *** dstanek_afk has joined #openstack-keystone
05:08 *** ChanServ sets mode: +v dstanek_afk
05:08 <ayoung> I've got a meeting with them tomorrow, and I am trying, desperately, for them to engage in the upstream, instead of using the developers as their proxy. Wish me luck
05:08 <morganfainberg> ayoung, best of luck! seriously!
05:09 <morganfainberg> ayoung, also, for next release i might have a SEG type person who might be interested in being involved in OpenStack (he's RH employee already)
05:09 <ayoung> yeah, we have some kick ass QA folks, they just have to realize the amount of community support we can get if they engage upstream
05:09 <ayoung> SEG?
05:09 <morganfainberg> ayoung, he's doing uh,... Gnome fixes and the like
05:09 <morganfainberg> support engineering?
05:09 <ayoung> Ah
05:10 <morganfainberg> ayoung, he said they were looking for folks to help w/ OpenStack as well
05:10 <morganfainberg> trying to convince him he should (I got him to setup his dev/test env on openstack already and he loves it)
05:10 <ayoung> of course...and if he wants an internal transfer, that seems to be well supported
05:10 *** dstanek has quit IRC
05:10 <morganfainberg> ayoung, exactly. but it would be for Juno likely, he has some family stuff he's dealing with right now
05:11 <morganfainberg> but it should be all cleared up in a month or two
05:11 * morganfainberg hopes
05:11 *** gokrokv__ has quit IRC
05:11 <morganfainberg> but more damn good people on OpenStack would be fantastic
05:11 *** gokrokve has joined #openstack-keystone
05:13 <ayoung> I spend more time messing with format than I do writing code
05:13 <ayoung> sphinx.errors.SphinxWarning: /opt/stack/keystone/keystone/contrib/revoke/core.py:docstring of keystone.contrib.revoke.core.Manager.check_token:6: WARNING: Definition list ends without a blank line; unexpected unindent.
05:16 *** gokrokve_ has joined #openstack-keystone
05:16 *** gokrokve has quit IRC
05:16 <morganfainberg> ayoung, wait.. isn't that the opposite of the last round?
05:17 <ayoung> I added a blank line and it stopped complaining
05:18 <morganfainberg> ah
05:18 <morganfainberg> ok
05:18 * morganfainberg shrugs
05:19 <morganfainberg> we have a bunch of work to do to get other KVS backends off the legacy stuff in J
05:19 <morganfainberg> might be interesting to use mongo as an assignment backend. with henry's changes, the stuff seems less relational now
05:19 <morganfainberg> that grant table cleanup is another big win for Icehouse
05:20 *** gokrokve_ has quit IRC
05:20 *** gokrokve has joined #openstack-keystone
05:21 <jamielennox> ayoung: did you generate the PKI tokens in testing by hand?
05:22 <ayoung> nope
05:22 <ayoung> jamielennox, client or server?
05:22 <jamielennox> ayoung: client
05:23 <ayoung> there is a script in examples that generates them
05:23 <ayoung> you don't want to run the whole script, as it regens the certs etc
05:23 <jamielennox> http://paste.openstack.org/show/67490/
05:23 <ayoung> /opt/stack/python-keystoneclient/examples/pki/gen_pki.sh
05:24 <jamielennox> oh wait, that's v2
05:24 <ayoung> jamielennox, you mean did I mock up the JSON by hand? I can't remember
05:24 <jamielennox> what the hell is going on...
05:25 *** gokrokve has quit IRC
05:28 <ayoung> jamielennox, what is going on is that it is past midnight and I am going to bed
05:28 <jamielennox> ayoung: ok
05:28 <jamielennox> ayoung: all the example tokens are missing a 'methods' entry
ayoungprobably predate it05:28
jamielennoxit should be a core v3 thing right?05:29
jamielennoxat least for tokens with a service catalog05:29
ayoungor...yeah, I probably took them from the docs...hmmm05:29
ayoungno idea.  But easy to fix05:29
jamielennoxayoung: ok, that's a pain05:29
jamielennoxnight05:29
ayoungjamielennox, here's the deal, the bottom of gen_pki.sh has the calls to the top level functions,  so change that file to something that should be sourced, and drop off the function calls05:30
ayoungthen call them from the command line or another script.  I have an example of that in one of the compressed token patches05:31
jamielennoxayoung: i think i just need to patch the .json files05:31
jamielennoxthen rerun the generator05:31
ayoungjamielennox, yesm but don;t do it blindly.05:31
jamielennoxhmm?05:31
ayounghttps://review.openstack.org/#/c/71181/13/examples/pki/gen_pki.sh05:32
ayoungand then just run the last function05:32
ayounggen_sample_cms05:32
ayoungyou can leave off the changes that are specific to the compressed token patch05:32
ayoungyou don;'t want to regen the certs etc, as it will make the patch redict huge with no benefit05:32
ayoungand scare off reviewers05:33
jamielennoxi'll see - i think i have to regen the tokens05:33
ayoungif you want, I can split the patch out so that you don't regen all the keys and certs05:33
ayoungthen you can just rerun it05:33
*** topol has joined #openstack-keystone05:34
jamielennoxayoung: it's not to do with that patch05:35
ayoungjamielennox, let me submit a cleanup patch, and you can rebase onto it05:35
ayoungyou'll see...05:35
ayoungjamielennox, https://review.openstack.org/#/c/74930/05:39
ayounginstead of running run_all.sh just source gen_pki.sh and run05:40
ayounggen_sample_cms05:40
ayoungugh, that patch still needs cleanup, but not tongiht05:40
jamielennoxayoung: i don't think it'll work05:40
jamielennoxbecuase the signing keys etc are shared05:40
jamielennoxif i only regenerate some of the certs they aren't going to verify05:40
ayoungyou need to edit the JSON and then regenerate the signed tokens05:41
ayounggen_sample_cms  does just the tokens05:41
ayoungit will leave the certs and keys alone05:41
jamielennoxoh, right05:41
ayounglemme fix that patch05:42
ayounganyway, use that as the basis, jamielennox and your patch should be smaller and more reviewable05:43
ayoungnow bed for me05:43
jamielennoxayoung: shall do05:43
jamielennoxnight05:43
*** ayoung is now known as ayoung-ZzZzZzZ05:43
morganfainbergjamielennox, most of our "example" tokens look nothing like real tokens05:45
jamielennoxmorganfainberg: yea - how does that happen?05:45
morganfainbergjamielennox, because we sucked at making good fixtures (sorry, it's true)05:45
*** marcoemorais has joined #openstack-keystone05:46
morganfainbergjamielennox, i have a patch or three to help with some of it. but it's a lot of test restructuring.05:46
morganfainbergjamielennox, i have some internal-company work that must get done first before i can work on those05:46
morganfainbergplus some I3 target bugs05:46
jamielennoxmorganfainberg: yea, we would also need to fix a whole lot of test code to look like the new fixtures05:46
morganfainbergjamielennox, but i plan on making a token fixture probably next week or so05:46
morganfainbergand convert tests over to using it05:47
morganfainbergno more lovingly hand-crafted token examples05:47
jamielennoxmorganfainberg: the problem is doing it in a way that we don't just generate things internally that are wrong and then verify they are wrong05:48
morganfainbergjamielennox, the correct way is to generate it once "correctly" and use that as the basis (template)05:48
morganfainbergbut make sure it really looks like a token05:48
jamielennoxmorganfainberg: anyway i agree - mostly client side i'm still looking at the moment though05:49
morganfainbergi almost have a working fixed-format token that could be used interchangeably V2/V305:49
morganfainbergas in, easy to transform05:49
morganfainbergbasically a to_version and from_version mechanism that i'll be landing in J so token versions can be independent of API versions05:50
morganfainbergand we can then place a schema on the tokens, and validate they are correct05:51
jamielennoxi like05:51
morganfainbergrather than "fixed" values.05:51
jamielennoxbut i almost prefer the idea of a fixed token data with different 'views'05:52
morganfainbergso validating a test token is correct is knowing the expected fixed form values, and then doing a schema validation (json or whatever)05:52
morganfainbergjamielennox, thats the idea, the to-from stuff will be at the controller layer05:52
morganfainbergnot internally used05:52
jamielennoxok05:52
jamielennoxyea, i have a few ideas along that front as well05:52
morganfainbergwhat i really want is tokens to be forward compatible05:53
morganfainbergV3 token may not have all the same data as v4, but v4, 5, 6 X should be able to read V3 and provided data is there, it's workable05:53
morganfainbergor, we do major/minor versioning05:53
morganfainbergor token versions are compatible over 2 token version revs, etc05:54
morganfainbergyou know, something that makes sense05:54
morganfainbergobviously V4 will be the first "real" token version of the new system.05:54
morganfainberganyways... thats not I3 :)05:55
*** bvandenh has quit IRC05:57
jamielennoxmorganfainberg: and we scope the whole thing to /auth/vX/05:57
*** bvandenh has joined #openstack-keystone05:58
jamielennoxnot /v3/auth/vX - straight up /auth/VX05:58
jamielennoxcompletely outside of the keystone standard apis05:58
jamielennoxmorganfainberg: ughh, i found another incorrect token example in the tests05:59
jamielennoxone that we test to :(05:59
*** gokrokve has joined #openstack-keystone06:16
*** gokrokve has quit IRC06:21
*** gokrokve has joined #openstack-keystone06:22
*** gokrokve has quit IRC06:27
*** topol has quit IRC06:28
*** amerine_ has joined #openstack-keystone06:36
*** chandan_kumar has quit IRC06:38
*** amerine has quit IRC06:40
*** chandan_kumar has joined #openstack-keystone07:03
*** Kanagaraj has quit IRC07:05
*** saju_m has joined #openstack-keystone07:15
morganfainbergjamielennox, :(07:20
morganfainbergannnyways... i am going to sleep now i think07:20
morganfainberglike actually07:20
morganfainbergsleep07:20
jamielennoxmorganfainberg: night07:20
*** saju_m has quit IRC07:20
*** saju_m has joined #openstack-keystone07:21
*** gokrokve has joined #openstack-keystone07:22
*** amerine_ has quit IRC07:26
*** saju_m has quit IRC07:26
*** saju_m has joined #openstack-keystone07:27
*** gokrokve has quit IRC07:27
*** morganfainberg is now known as morganfainberg_Z07:32
*** david_lyle_ has joined #openstack-keystone07:44
*** david-lyle has quit IRC07:47
*** saju_m has quit IRC07:49
*** Kanagaraj has joined #openstack-keystone07:55
*** marekd|away is now known as marekd08:08
*** amerine has joined #openstack-keystone08:10
marekdstevemar: still here?08:18
stevemarmarekd, maybe...08:19
marekdstevemar: maybe not. So in your last patch you basically refactored auth plugin and helper-token-methods, right? I did skim the code and this TODO list you mentioned in one of the comments is not yet done.08:20
marekdright?08:20
*** gokrokve has joined #openstack-keystone08:22
stevemarmarekd, sort of, there are were three todos08:22
marekdyep.08:23
stevemar1 is a no-op, the one about putting token in header... forget that one, i was confused/mixed up08:23
marekdstevemar: TBH i was not sure what you meant while writing that :-)08:23
stevemarit's sort of unconventional to put a token id in the saml2 section, that's why i was confused08:24
stevemarthe third one, just a small change in tokens/provider/common, to add OS-FEDERATION ...08:24
marekdok, i will look into 1st and 3rd08:24
stevemarthird one is done, i submitted a patch a few minutes ago :O08:24
marekdstevemar: ah, ok.08:25
marekdstevemar: always 2 steps ahead. ;-)08:25
stevemar1st one is easy, just follow what oauth did in tokens/provider, ctrl+f "consumer_id"08:25
stevemarwherever it says delete_token/list_token08:25
stevemarbut i think we should hold off on that one...08:25
marekdwhy?08:25
*** leseb has joined #openstack-keystone08:26
stevemarin case dolph has a better idea08:26
stevemarthe way of deleting tokens is so ... rigid08:27
marekdok, i will talk to him when he is online.08:27
marekdyou'd better go to bed.08:27
*** gokrokve has quit IRC08:27
stevemartheres a lot we can do for tests08:27
stevemarlike, try and process an assertion that comes up with no user name, it should raise 401.08:28
stevemarwe also don't scope to domains at all08:28
marekduhm.08:28
marekdok, i will look into it today.08:28
marekdanything else?08:28
stevemarand we should probably see if we can *use* the scoped token that we end getting back, try and create a user or something08:28
marekdhmmm, this should be then kind of admin_token i guess...08:29
stevemarAnnnnnd, we should make sure it works in a real apache configured environment ...08:29
stevemarand hope ayoungs thinking about the protected url is right08:29
*** chandan_kumar has quit IRC08:29
stevemarit's just more and more testing tbh08:30
stevemarwhich is good, cause there are no more to-dos :)08:30
marekdyes...........08:30
*** jamielennox is now known as jamielennox|away08:31
stevemarmarekd, that said, good morning!08:32
marekdheh, good morning, for both of us!08:32
marekdsleep well!08:33
*** chandan_kumar has joined #openstack-keystone08:37
stevemarmarekd, emailing you and dolphm08:41
*** saju_m has joined #openstack-keystone08:45
stevemarmarekd, alright, i'm out!08:48
*** stevemar has quit IRC08:53
*** pheadron has joined #openstack-keystone09:00
*** david_lyle_ has quit IRC09:04
*** Kanagaraj has quit IRC09:08
*** KanagarajM_ has joined #openstack-keystone09:08
*** marcoemorais has quit IRC09:12
*** marcoemorais has joined #openstack-keystone09:14
*** marcoemorais has quit IRC09:18
*** gokrokve has joined #openstack-keystone09:22
*** gokrokve has quit IRC09:26
*** david-lyle has joined #openstack-keystone09:27
*** marcoemorais has joined #openstack-keystone09:43
*** marcoemorais has quit IRC09:48
*** gokrokve has joined #openstack-keystone10:22
*** gokrokve has quit IRC10:27
*** marcoemorais has joined #openstack-keystone10:44
*** marcoemorais has quit IRC10:48
*** gokrokve has joined #openstack-keystone11:22
*** gokrokve has quit IRC11:27
*** KanagarajM_ has quit IRC11:28
*** marcoemorais has joined #openstack-keystone11:44
lesebhy all, can I create an "admin" user that could not modify quotas (nova)? and also create users within a specific tenant using V2 API? thanks!11:48
*** marcoemorais has quit IRC11:49
*** dstanek_afk has quit IRC11:50
*** pheadron has quit IRC11:54
*** d0ugal has joined #openstack-keystone11:56
*** dstanek_afk has joined #openstack-keystone11:58
*** ChanServ sets mode: +v dstanek_afk11:58
*** gokrokve has joined #openstack-keystone12:07
*** gokrokve has quit IRC12:19
*** gokrokve has joined #openstack-keystone12:19
*** leseb has quit IRC12:20
*** gokrokve has quit IRC12:23
*** dstanek_afk is now known as dstanek12:25
dstanekbknudson: i have a question about https://review.openstack.org/#/c/72106 when you are awake12:26
marekddolphm: hey.12:40
*** marcoemorais has joined #openstack-keystone12:45
*** leseb has joined #openstack-keystone12:47
*** marcoemorais has quit IRC12:50
*** gokrokve has joined #openstack-keystone12:50
*** gokrokve_ has joined #openstack-keystone12:52
*** gokrokve has quit IRC12:55
*** gokrokve_ has quit IRC12:56
*** marcoemorais has joined #openstack-keystone13:09
*** marcoemorais has quit IRC13:13
*** david-lyle has quit IRC13:17
*** henrynash has joined #openstack-keystone13:21
*** gokrokve has joined #openstack-keystone13:22
*** gokrokve has quit IRC13:27
bknudsondstanek: what's the question?13:28
*** dstanek has quit IRC13:34
*** dstanek has joined #openstack-keystone13:43
*** ChanServ sets mode: +v dstanek13:43
marekddolphm: ping13:53
*** gokrokve has joined #openstack-keystone13:54
*** ayoung-ZzZzZzZ has quit IRC13:59
*** YorikSar has quit IRC13:59
*** saju_m has quit IRC14:11
*** henrynash has quit IRC14:11
*** topol has joined #openstack-keystone14:11
*** henrynash_ has joined #openstack-keystone14:15
*** dstanek has quit IRC14:15
*** ayoung-ZzZzZzZ has joined #openstack-keystone14:15
*** YorikSar has joined #openstack-keystone14:16
*** marcoemorais has joined #openstack-keystone14:16
*** henrynash_ is now known as henrynash14:16
*** saju_m has joined #openstack-keystone14:16
*** marcoemorais has quit IRC14:16
*** topol has quit IRC14:16
*** topol has joined #openstack-keystone14:16
*** YorikSar has quit IRC14:20
*** saju_m has quit IRC14:27
*** topol_ has joined #openstack-keystone14:29
*** chandan_kumar has quit IRC14:29
*** d0ugal_ has joined #openstack-keystone14:31
*** d0ugal_ has quit IRC14:31
*** d0ugal_ has joined #openstack-keystone14:31
*** YorikSar has joined #openstack-keystone14:33
*** uvirtbot has quit IRC14:38
*** d0ugal has quit IRC14:38
*** topol has quit IRC14:38
*** dstanek has joined #openstack-keystone14:39
*** ChanServ sets mode: +v dstanek14:39
dstanekbknudson: i was just wondering if it means that get project users will not work once we implement federation14:41
*** d0ugal_ has quit IRC14:41
bknudsondstanek: federated users don't exist in keystone, so there's no way to get all the users that have an assignment on a project.14:41
*** browne has joined #openstack-keystone14:42
*** d0ugal_ has joined #openstack-keystone14:42
bknudsondstanek: I'm sure a customer will report a bug saying that keystone should return all those users too.14:42
dstanekcan an installation have federation enabled and still use sql identity in addition to that?14:43
*** d0ugal_ is now known as d0ugal14:43
*** uvirtbot has joined #openstack-keystone14:43
dstanekbknudson: i'm not aware of all of the federation implications14:43
dolphmdstanek: yes14:43
bknudsondstanek: you're going to need an identity backend14:43
dolphmmarekd: pong - although i just responded to your email14:43
bknudsondstanek: for the groups14:43
dolphmbknudson: ++14:43
dolphmbknudson: and for service users14:44
marekddolphm: is it actually the desired configuration (empty policy req) ?14:44
dolphmmarekd: you want it to be accessible with an unscoped token14:44
dolphmwhich has no authorization, beyond implied service-level authz on keystone14:44
marekddolphm: ok, understood.14:45
dstanekbknudson: so this is just saying then that you can't mix federated users and users from other backends in the same project?14:46
bknudsondstanek: which change is this?14:46
dstanekbknudson: https://review.openstack.org/#/c/72106/3/keystone/assignment/controllers.py14:46
dstanekbknudson: even without your patch it still wouldn't have worked in that situation14:47
bknudsondstanek: if you're using LDAP for identity and SQL for assignment, someone could remove the user from LDAP directly. Then you could have assignments that don't correspond to users in identity.14:50
bknudsondstanek: which previously that would result in a 404 result when you get project users.14:51
bknudsonNow it returns a 50014:51
bknudsonso I think this is making the error more accurate -- should returns a 404 Not Found when the requested resource actually exists.14:52
bknudson"should returns" to "shouldn't return"14:52
dstanekbknudson: i don't disagree with that14:52
bknudsonthis isn't changing support for anything, just changing the response code14:53
dstanekbknudson: i'm just wondering if these kinds of call will stop working once federation is implemented14:53
bknudsondstanek: ok, so I was under the impression that federated users wouldn't exist in identity and you could assign roles to them14:53
dstanekbknudson: oh no, i'm not saying there is anything wrong with your change; i'm just using it to learn a little more :-)14:54
bknudsonbut it turns out I was wrong -- you can't assign roles to federated users.14:54
bknudsonfederated role assignments come through the groups that the mapping comes up with14:54
bknudsonand the groups have to be known to identity14:54
bknudsonso there actually is no reason to allow assigning roles to users and groups that don't exist14:55
bknudsonfor federation...14:55
bknudsonnow there's the other case where you're using LDAP identity in read-only --14:55
bknudsonso that administrators are mucking with LDAP users outside of keystone's knowledge14:55
bknudsonso maybe there's still a requirement to allow having assignments to users and groups that don't exist.14:56
bknudsonbut it's not federation14:56
dstanekbknudson: thx for the info; i think i need to look a little more at the federation changes14:58
bknudsondstanek: what do you think about the controller test?14:59
bknudsonI decided not to add a new test to the keystoneclient tests15:00
dstanekbknudson: i think the controller test on that patchset looked good15:02
dolphmbknudson: what is the requirement for having assignments to non-existing users & groups, if it's not in support of federation?15:06
bknudsondolphm: so someone's using LDAP for identity and they delete the user. Now they've got assignments to users that don't exist.15:07
dolphmbknudson: oh, sure -- but there's no reason to support actively creating assignments to users that can't be verified15:07
bknudsondolphm: I agree with that... unless there was someone wanted to create the assignment in keystone and they have to wait a while for the LDAP admins to get their act together and create the user.15:08
bknudsonseems like they could wait15:08
bknudsondolphm: just making sure about this -- we now want to 404 when you try to create an assignment to a user or group that doesn't exist?15:09
dolphmbknudson: with the number of bug reports we've gotten over the years for "i made a typo and keystone didn't complain" ... i'd rather do any verification we can15:09
*** YorikSar has quit IRC15:09
*** YorikSar has joined #openstack-keystone15:09
dolphmbknudson: that's what we do today, right? i don't see a reason for it to change (yet, anyway)15:09
bknudsondolphm: the changes in https://review.openstack.org/#/c/72142/2/keystone/assignment/controllers.py for example ...15:10
bknudsonit's 404 because the user doesn't exist.15:10
bknudsonbut it's not because the code is actually checking that the user exists.15:10
*** marcoemorais has joined #openstack-keystone15:10
bknudsonthe code is checking if the user has authority to do the operation.15:10
bknudsonit used to be that we did "self.identity_api.get_user(user_id)" all over the place to ensure that the user exists.15:11
dolphmbknudson: yeah, that was a mess. in the case of policy, we should never check the actual user id15:12
bknudsonalso, the _check_grant_protection only happens for v3 APIs15:12
bknudsonso the v2 APIs are not failing (don't check policy) and the v3 APIs are failing only because they do this policy check.15:12
dolphmbknudson: why should this policy check care about user_id?15:13
dolphmmaybe i need to see how this is used... not sure if the user_id is the API user, or the destination of the assignment?15:14
bknudsondolphm: it's the destination15:14
dolphmthen it makes sense to check that it exists15:14
dolphmbut i wouldn't put that under the umbrella of "policy"15:15
dolphmi think that's what confused me15:15
*** marcoemorais has quit IRC15:15
*** Kanagaraj has joined #openstack-keystone15:15
bknudsondolphm: it gets the user which checks for existence... so there's now no reason to check for existence again in create_grant anymore.15:15
bknudsondolphm: should it be the controller checking existence or the manager?15:16
bknudsonseems like it should be the manager.15:16
dolphmbknudson: manager, ideally15:18
*** amcrn has joined #openstack-keystone15:18
bknudsondolphm: ok, when I add the checks back in I'll try to put it in the manager.15:19
dolphmbknudson: sounds good15:19
*** arborism has joined #openstack-keystone15:20
*** amcrn has quit IRC15:24
dstanekdolphm: once the change for generating the sample config is merged will these get wiped out? https://review.openstack.org/#/c/7167415:30
*** dolphm is now known as dolphm_50315:33
*** Kanagaraj has quit IRC15:40
*** Kanagaraj has joined #openstack-keystone15:40
*** stevemar has joined #openstack-keystone15:43
*** ChanServ sets mode: +v stevemar15:43
*** david-lyle has joined #openstack-keystone15:44
*** dolphm_503 is now known as dolphm16:03
*** dolphm is now known as dolphm_50316:13
*** dolphm_503 is now known as dolphm16:26
*** ayoung-ZzZzZzZ has quit IRC16:26
*** gokrokve has quit IRC16:28
*** gokrokve has joined #openstack-keystone16:28
*** devlaps has joined #openstack-keystone16:30
*** gokrokve has quit IRC16:33
topol_morganfainberg you there?16:35
*** dolphm is now known as dolphm_50316:35
*** browne has quit IRC16:42
*** warpig has joined #openstack-keystone16:45
*** gokrokve has joined #openstack-keystone16:48
*** dolphm_503 is now known as dolphm16:57
stevemarmarekd, ping16:58
marekdstevemar: hey.16:58
stevemarmarekd, how goes it16:58
marekdstevemar: extended patch for listing project/domains from groups/17:00
*** dolphm is now known as dolphm_50317:00
*** dolphm_503 is now known as dolphm17:02
*** gokrokve has quit IRC17:04
*** gokrokve has joined #openstack-keystone17:04
marekdstevemar: feel free to take a look at https://review.openstack.org/#/c/7453417:05
*** marcoemorais has joined #openstack-keystone17:05
marekdstevemar: i have basically recreated groups/projects/roles from SAML2-auth patch, so it should be easy to rebase later the test_list_projects/test_list_domains tests...17:06
*** browne has joined #openstack-keystone17:06
*** browne has quit IRC17:06
*** browne has joined #openstack-keystone17:07
*** Kanagaraj has quit IRC17:07
*** gokrokve has quit IRC17:09
stevemarmarekd, commented17:13
marekdstevemar: looking, fixing17:15
marekdhttps://review.openstack.org/#/c/74534/9/keystone/middleware/core.py - you are talking about empty lines, right?17:17
marekdstevemar: ^^^^17:18
stevemaryep17:18
marekdstevemar: ok17:19
*** gokrokve has joined #openstack-keystone17:25
*** saju_m has joined #openstack-keystone17:33
marekdstevemar: added17:36
*** saju_m has quit IRC17:46
stevemarmarekd, i'm confused17:46
stevemarmarekd, i'm overlaying the sql work on top of the saml auth work ... and trying to use the tokens we save in load_federation_data17:47
marekdstevemar: hm.17:50
stevemarnvm17:51
stevemarthe authorization bit is a little wron17:51
stevemarg17:51
marekdstevemar: which authorization ;/17:52
stevemarin common/authorization: g['id'] for g in token_data.get('OS-FEDERATION:groups', [])]17:52
marekdstevemar: i would rename token_customer => tokens['CUSTOMER_ASSERTION']. Something like that.17:53
stevemarit should be OS-FEDERATION['groups']17:53
stevemaryeah, thats what i'm doing now17:53
marekdstevemar: why would you say it should be OS-FEDERATION['groups'] ?17:53
stevemarmarekd, because that's the way it's being stored right now in tokens/provider/common _handle_saml2_tokens17:54
stevemarmarekd, doesn't matter, we just need to finalize how to store it17:57
marekdstevemar: https://gist.github.com/stevemart/43be0bbc4508b8c47e44 i think i was basing on this...if we get response with that structure...17:57
marekdstevemar: yep, it's just more like convention i think...?17:57
stevemaryeah, lets go with that17:57
stevemarmarekd, i might just merge these two together?17:58
stevemarif we're going to test it out, lets do it properly17:58
marekdgo ahead.17:58
marekdi thought you wanted to keep those patches split, that's why i added tests to listing projs/domains17:59
stevemari did18:02
stevemarmarekd, but to test them properly, i want to use the tokens we get back, not play around with token_api.create_token blah18:02
*** dstanek has quit IRC18:03
marekdunderstood.18:03
*** saju_m has joined #openstack-keystone18:09
stevemarmarekd, i don't think your domain listing tests will pass?18:10
marekdstevemar: it was locally...18:10
stevemarprojects will18:10
marekdstevemar: why domains not ?18:10
stevemardomains will come back empty list every time18:10
stevemaryou never created grants for domains :)18:10
stevemarcreating a grant on a project on domainA, doesn't mean the group has access to domainA18:11
stevemarjust to the project18:11
stevemaruser XOR group AND project XOR domain18:11
marekdstevemar: that18:11
marekdstevemar: https://review.openstack.org/#/c/74534/9/keystone/tests/test_v3_federation.py - starting from line 82518:12
marekdbut yes, in the saml2-auth i removed grants for domains because i was not testing them THERE, so somebody would eventually complain ;-)18:13
stevemarmarekd, i'm going to squash the two together18:14
stevemarsubmitting a patch now18:14
marekdok18:15
marekdafter you submit it i will add new test.18:15
marekd(raise 401 when 'user' obj is not produced)18:16
*** dstanek has joined #openstack-keystone18:16
*** ChanServ sets mode: +v dstanek18:16
marekdare you running tests now or submitting right away ?18:16
*** saju_m has quit IRC18:17
*** gyee has joined #openstack-keystone18:18
*** saju_m has joined #openstack-keystone18:21
*** leseb has quit IRC18:22
marekdstevemar:after you submit your patch i wanted to also add this: http://pasteraw.com/tnln5ejyvsbzibb4445vlu8q4yojauo18:26
*** saju_m has quit IRC18:28
stevemar1 sec, just running tests one last time18:29
dstanekstevemar: one sec? what kind of machine do you have?18:30
dstaneki'd have to say "1 hour"18:30
marekddstanek: lol18:30
stevemardstanek, just from the federation suite :P18:30
stevemarthe whole test suite would be about 20 minutes :P18:30
marekdstevemar: exactly18:31
dstanekso many codes to review; so little time18:32
*** saju_m has joined #openstack-keystone18:33
*** browne has quit IRC18:35
marekdstevemar: ok, need to do some business now, i should get back later.18:35
*** marekd is now known as marekd|away18:35
*** morganfainberg_Z is now known as morganfainberg18:44
morganfainbergtopol_, hi18:48
morganfainbergtopol_, i'm here now18:48
morganfainbergtopol_, west coast time >.<18:48
morganfainbergtopol_, you know18:48
morganfainbergdolphm, so with the deal on holding for Kite via TC meeting, we're also holding on splitting the repos?18:49
morganfainbergdolphm, i don't want to chase infra about creating the repo if we're holding on both fronts18:49
dolphmmorganfainberg: the TC had an informal conversation this week; ttx wasn't around to say for sure, but it sounds like the TC doesn't think they need to vote on integrating a new project in an already integrated program18:50
dolphmmorganfainberg: the proposal to openstack/governance was more so book keeping that ttx can rubberstamp; let's poke him in #openstack-relmgr-office and find out18:51
morganfainbergdolphm, k18:51
dolphmmorganfainberg: (waiting for you to join)18:52
morganfainbergsec.18:52
*** browne has joined #openstack-keystone18:53
morganfainbergdolphm, i thought i had joined had an issue with copy paste:P ended up in relmgr-offic18:54
morganfainbergno e18:54
dstanekdolphm: jenkins passed on https://review.openstack.org/#/c/72102/ so i'm going to approve it18:57
dolphmmorganfainberg: lol - must be dinner time18:57
dolphmdstanek: ++18:57
morganfainbergdstanek, ++ nice18:58
morganfainbergso, i think we're going to need to subclass the generator config stuff18:58
morganfainbergand then submit changes to oslo, going to hit up dhellmann about it first, but i do want to land that stuff in Icehouse.18:59
dstanekdolphm, morganfainberg: you guys are here at the same time. convenient!19:00
dstanekdolphm, morganfainberg: are we trying to land the auto config stuff soon? i noticed that dolphm has a few reviews for changes to the sample config19:01
dolphmdstanek: ignore mine19:01
dolphmdstanek: land morgans!19:02
morganfainbergdstanek, yes, i'm talking to dhellmann right now about fixing the stuff needed to make it work19:02
morganfainbergdstanek, whether we subclass and fix it in I for keystone, or i fasttrack a change for oslo19:02
morganfainbergand then sync it19:02
*** henrynash has quit IRC19:03
topol_morganfainberg, dolphm, stevemar, I just want to give a shout out to my dear friend morganfainberg for sending hired goons to sabotage my keystone meetup presentation :-)19:03
topol_morganfainberg I am happy to say your efforts failed :-)19:04
stevemargoons? hired goons?19:04
dstanekmorganfainberg: hmmm... so it needs entry points to create the docs?19:04
morganfainbergdstanek, right now.19:05
morganfainbergdstanek, there is some magic "discover groups" logic19:05
topol_stevemar, they were nice goons. It was fungi and he was not the heckler morganfainberg told him to be :-)19:05
dstanekmorganfainberg: what about 'setup.py develop'?19:05
morganfainbergdstanek, that is suboptimal because that is required to generate a sample, i'd prefer to just be able to run tools/config/generate_sample.sh vs. a more complex (and potentially error prone, i've had it generate bogus samples) process19:06
morganfainbergit doesn't error when you try and generate and keystone isn't installed, it just produces a bogus sample file19:06
morganfainbergjamielennox|away, dolphm , ayoung, https://review.openstack.org/#/c/74598/ round two of -2 for trying to just copy/paste reimplement/whatever service_catalog19:16
morganfainbergjgriffith may come bug us for eyes / help if there are issues with using ksclient directly19:16
dolphmmorganfainberg: ++19:19
*** leseb has joined #openstack-keystone19:23
*** leseb has quit IRC19:28
*** gordc has joined #openstack-keystone19:29
*** dolphm is now known as dolphm_50319:30
marekd|awaystevemar: i see you also added that: http://pasteraw.com/tnln5ejyvsbzibb4445vlu8q4yojauo19:42
marekd|awaystevemar: thanks19:42
stevemarmarekd|away, np, didn't need to extend rules btw19:42
stevemarmarekd|away, the tests badly need a refactoring19:43
stevemar:P19:43
morganfainbergtopol_, so... what you're saying is i need to send more goons next time?19:44
marekd|awaystevemar: i can clean them, i think :P providing you sometimes sleep, eat, and breathe instead of OpenStacking 25h/day and you don't do that now.19:45
stevemarmarekd|away, actually.. since you have the infrastructure already set up, can you test it live? with mod_mellon?19:46
stevemaryou've used it before, so i assume you have the infrastructure :S19:46
topol_morganfainberg, when you actually look at the presentation I sent you and see how good it is you will feel guilty for all your scheming19:48
morganfainbergtopol_, i looked at it19:48
*** topol_ is now known as topol19:48
morganfainbergtopol_, i still don't feel guilty19:48
morganfainbergtopol, :)19:48
topolmorganfainberg... BRUTAL19:48
morganfainbergtopol, it is damn good though19:48
topolsend it back. dont use a single chart!!!19:49
topoloh ok, you can use it19:49
morganfainbergtopol,  http://www.meetup.com/OpenStack-LA/events/165980892/19:49
morganfainbergtopol, i need to build slides for that19:49
topolmorganfainberg, good luck. They serve pizza at ours and its from a place that is really really good.  I love going to our meetups!19:50
morganfainbergwe have passable pizza here19:50
morganfainbergbut i want something not pizza19:50
topolfungi is a nice guy. It was good to match a name to the irc nickname19:51
morganfainbergthe last..... uhm.... 3 events have all been pizza19:51
topolerr face to the nickname19:51
morganfainbergtopol, yeah i plan on chasing fungi down to get a face to the irc nick in ATL19:51
morganfainbergamong a few other infra folks19:51
topolexcellent19:52
morganfainbergtopol, you submit any talks for ATL?19:52
morganfainbergtopol, i am a bit disappointed in the voting system, it's hard to give good feedback19:52
topolYep, one on cloud audit and one on federated identity that is joint with rackspace19:53
marekd|awaystevemar: not really, this is kinda problematic, because we need now work on the something that speaks ECP and doesn't rely on webSSO.19:55
*** leseb has joined #openstack-keystone19:55
marekd|awaystevemar: IMHO this test suite basically suffices, as mod_mellon will just squeeze assertion into the environ, something we do now.19:55
marekd|awaybut yes, the next imo non trivial and high priority step is to work on the client side.19:56
*** haneef_ has joined #openstack-keystone19:56
marekd|awaystevemar: i already started doing some preparations for that.19:56
stevemarmarekd|away, cool cool19:57
topolmorganfainberg hopefully in ATL I can avoid my other duties and can go out at night with the keystone crowd. Had a lot of fun in San Antonio19:57
*** arunk has joined #openstack-keystone19:58
dstanekmorganfainberg: i love that you -1ed your own review19:58
topoldstanek, a new term is coined.  The self hating core contributor!!! :-)19:59
haneef_morganfainberg: ping19:59
dstanektopol: :-)20:00
haneef_morganfainberg:  quick question.  Why don't we have any  cache for catalog?.  Any reason? If we call get token multiple times,  cache in catalog will really help.20:00
morganfainberghaneef_, because it hasn't been implemented yet :)20:00
haneef_Thanks.20:00
morganfainberghaneef_, it's not a real answer, but yes just simply not done yet.20:01
bknudsonsweet, no more sql.Base class20:06
*** harlowja has joined #openstack-keystone20:06
lbragstadbknudson: ++ nice20:06
harlowjagot moved to a new channel, interesting20:06
stevemarmarekd|away, i'm just worried about protecting the /auth/tokens url20:07
morganfainbergbknudson, ++20:09
morganfainbergdstanek, ok have the stuff needed to resolve auto-sample generation in keystone, new tox target to build it20:10
morganfainbergtox -esample_config20:10
morganfainbergshould do it20:10
morganfainberg:)20:10
morganfainbergwill add it into my next patchset in the chain20:10
morganfainbergand adding some documentation20:10
morganfainbergbknudson, ^20:10
dstaneknice...looking forward to it20:10
bknudsonmorganfainberg: a tox venv for this seems like overkill.20:10
dstanekdoes that include a fix from dhellmann?20:11
morganfainbergdstanek, wont be needed20:11
morganfainbergbknudson, you can do it in any venv, but you need all the requirements/test requirements20:11
morganfainbergbknudson, you can use: tox -e venv '{toxinidir}/tools/config/generate_sample.sh'20:11
morganfainbergbut it really does guarantee that you have everything you need and you aren't getting some wacky/off the wall values20:12
dstanekmorganfainberg: can you specify an environment in tox.ini that already exists?20:12
bknudsonmorganfainberg: that sounds safer.20:12
morganfainbergbknudson, the only reason i was doing it's own target is it is the easiest to document20:12
morganfainbergdstanek, bknudson, and makes developing less painful "just run tox -esample_config" and you get the new sample20:13
morganfainbergtrying to minimize the chances for bad stuff20:13
bknudsonmorganfainberg: people will start complaining about running out of disk space.20:14
bknudsoncan you have 2 tox targets share a venv?20:14
morganfainbergbknudson, i.. don't think it works like that20:14
morganfainbergbknudson, short of overloading the commands20:14
morganfainbergbknudson, but.. i uhm, am not sure20:15
morganfainbergbknudson, looking at the docs now20:15
bknudsonmorganfainberg: don't worry too much about it. I've got plenty of disk space.20:16
morganfainbergbknudson, hehe20:16
morganfainbergbknudson, envdir we could make it double up with that option20:16
bknudsonmorganfainberg: the docs might want to say run "tox -r -e sample_config" since then would make sure they have a clean env20:16
morganfainbergbknudson, sure that makes perfect sense20:16
bknudsonmorganfainberg: that sounds good! share with -e venv20:17
bknudsonwe should do the same for docs20:17
morganfainbergbknudson, i think that is doable.20:17
morganfainbergbknudson, i'll try it out20:17
dstanekmorganfainberg: cool, that's what i meant about specifying the environment in tox.ini :P20:18
*** henrynash has joined #openstack-keystone20:19
morganfainbergdstanek, yeah20:19
dstaneki saw that somewhere recently, but i don't remember where20:20
*** ayoung has joined #openstack-keystone20:20
*** leseb has quit IRC20:21
morganfainbergdstanek, yeah.20:21
*** gyee has quit IRC20:37
dstanekmorganfainberg: is there a way to have comments on a section with auto generated configs?20:38
morganfainbergdstanek, on a whole section?20:38
morganfainbergdstanek, let me see.  perhaps20:38
* morganfainberg dives into oslo.config stuff20:38
dstanekmorganfainberg: like this: https://review.openstack.org/#/c/71674/1/etc/keystone.conf.sample20:38
morganfainbergdstanek, i don't think so though20:38
morganfainbergdstanek, i think the answer is no.20:39
morganfainbergbut let me look sec20:39
*** leseb has joined #openstack-keystone20:40
morganfainbergdstanek, no the generator cannot do comments on a "section"20:43
morganfainbergonly comments on individual options20:43
morganfainbergdstanek, https://github.com/openstack/oslo-incubator/blob/master/openstack/common/config/generator.py#L19220:43
dstanekthat's unfortunate20:44
*** leseb has quit IRC20:52
morganfainbergayoung, heh21:08
ayoung Deprecated group/name - [DEFAULT]/bind_host21:09
ayoungis that how you forced that stuff to the top?21:09
dstanekmorganfainberg: thx21:09
morganfainbergayoung, i think so.21:09
morganfainbergwell to indicate deprecated options21:10
ayoungprogramming by voodoo?21:10
morganfainbergayoung, or.. no21:10
morganfainbergayoung, i think it's just alphabetized?21:10
morganfainbergor the order the options were registered21:10
ayoungthat would make more sense21:11
ayoungbut within the group....21:11
morganfainbergayoung, aye21:11
ayoungToo much messaging creap in there21:11
ayoungcrepes21:11
morganfainbergayoung, it's the order we defined the options21:12
ayoungsomething smells wrong21:12
morganfainbergayoung, if the options are registered on import they are there21:12
ayoungnot your code...the amount of crap we are putting in the default config file21:12
morganfainbergif we're not actually using the oslo-incubator stuff, we should remove it21:12
ayoungit's a 1400 line empty config file....21:12
morganfainbergayoung, it covers every option available21:13
morganfainbergwith helpstrings and option types21:13
morganfainbergand deprecated alternatives21:13
ayoungour current is 500 lines21:13
morganfainbergayoung, and our current one is effectively unmaintainable w/ oslo incubator sync21:13
morganfainbergetc21:14
ayoungwe are putting too much into one config file21:14
ayoung/etc/keystone/config.d21:14
morganfainbergayoung, not for icehouse21:15
morganfainbergayoung, lets do that for J21:15
morganfainbergesp. when we get talking about oslo-incubator namespacing of options (properly)21:15
ayoungkeystone probably should not be configuring messaging.  We should inherit that from elsewhere....I think this is the cinderblock that breaks the camels back21:15
ayoungI'm OK with that, but I don't want to do this to our poor config file21:15
richmso that means all of the test_backend_ldap tests that do CRUD should be skipped?22:08
*** david_lyle has quit IRC22:08
nkinderayoung: what's your take on the above about keystone writing to LDAP? ^^^22:10
*** bknudson has joined #openstack-keystone22:10
nkinderah, bknudson is back22:10
richmCUD, rather22:10
nkinderbknudson: I was just reading your comments about LDAP and writes.22:10
nkinderThe fact is, Keystone can write to LDAP (even if most deployments might not allow that)22:11
bknudsonso we need to fetch the schema and validate all the input matches the schema and massage it somehow?22:11
nkinderI don't see why we wouldn't want to avoid an attempt to store an empty value22:12
nkinderbknudson: what use case is there for ever storing an empty string as an attribute value?22:12
nkinderwhat *keystone* use case that is22:12
bknudsonI assume we store the empty string in sql?22:12
nkindernot sure, but what's the use case there too?22:12
bknudsonI don't think anyone has ever asked or would require that an empty string be treated differently than no value.22:15
ayoungnkinder, I was discussing that with richm before.  My view is pretty much aligned with bknudson on this.  LDAP in read/write is in use, but it is minimal.  If we can find a way to support the Falsy values that is clean, we should, but if we can't it is OK to say "Sorry Dave, I can't do that."22:15
richmThat is, what does it _mean_ to have an empty field?22:15
ayoungrichm, I assume the most common case is to remove a description that is erroneous22:16
richmFor example, what does it mean to have a description with the value of ''?22:16
ayoungnames can't be blank, email is questionable whether it should be22:16
nkinderayoung: so anyone using the keystone API needs to know what we allow and don't (depending on the backend driver that is used)?22:16
richmayoung: ok, that case is fine22:16
richmIn that case, ldap would simply remove the description22:17
richmfrom the entry22:17
nkinderIn this case, Horizon is setting an empty description.  Does horizon know if it's LDAP or SQL that's being used?22:17
bknudsonhorizon shouldn't be sending the empty string unless that's what they want stored.22:17
bknudsonif they don't want an empty string stored then don't send an empty string22:17
richmBut why would they want to store that and be able to retrieve that value?22:17
nkinderbut sql very likely allows it22:17
richmthe problem comes from when they retrieve the value22:18
ayoungrichm, so if it is a create, just don't add the field.  If it is an update, and it comes in blank, we would need to remove the attribute.  I thought that logic was there already, but maybe it was just something we discussed in the past22:18
richmand expect the value to be the empty string ''22:18
*** dolphm is now known as dolphm_50322:18
richmayoung: there is some CU logic there already22:18
richmit is incomplete22:18
ayoungColorado University?22:18
nkinderI would expect our LDAP drivers to know what is/is-not OK from an LDAP standpoint and deal with the details.22:18
richmmy proposed fix completes (Create Update)22:18
nkindercreate update22:18
ayoungah22:18
nkinderayoung: you added that I believe22:19
richmbut the problem is reading22:19
ayoungCUte22:19
richmif a client expects to be able to read that attribute, and expects the value to be ''22:19
nkinderayoung: create user and project methods check for an empty description and pop it before sending to LDAP22:19
nkinderupdate does not perform this check22:19
ayoungthe set of attributes of an object are pretty much fixed.  There is the "extra' thing which is kindof a blight22:19
bknudsonupdate should be consistent with create22:20
nkinderbknudson: yes, agreed22:20
ayoungnkinder, and if there is a value there, we need to del_attr it as well22:20
richmIf the set of attributes is very fixed, then we could simply add that attribute with a value of '' if it is not present in the entry upon a read operation22:20
nkinderayoung: yes, that's what richm added22:20
ayoungnkinder, yep...I saw it in the review, just making it part of the discussion22:21
bknudsonthe set of attributes isn't fixed... in sql you can add extra attributes22:21
richmanother alternative - that attribute is always present in LDAP - deleting it or setting it to '' or None would write a "dummy" value22:22
nkinderseems better to not have it there at all22:22
richmso project['description'] = '' would be translated into LDAP as description: EMPTY22:22
morganfainbergayoung, hm. i think that is not 100% consistent, but is true in a number of cases22:37
ayounguser object is set in the body of the post message from the client22:37
morganfainbergyeah.22:37
ayoungI'm guessing that we could get a None if we did it direct from Curl...22:37
richmok22:37
morganfainbergayoung, likely.22:37
richmtake a look at test_backend.py - test_attribute_update22:37
richmthis test expects to be able to set description = None, then update, then search, then compare description == None22:37
richmalso to set description = '', then update, then search, then compare description == ''22:38
richmI don't know how this can be supported with an LDAP backend22:39
bknudsonyou could put a special value into ldap to indicate it's an empty string22:39
richmegads22:39
bknudsonI know!22:39
richmI would rather pull my eyeballs out22:39
bknudsonit's kind of like the dummy group member22:40
richmyeah - broken groupOfNames22:40
stevemarbknudson, think you can give the saml stuff another review when you're free? im down to just refactoring tests and writing more tests..22:40
bknudsonstevemar: which one?22:40
stevemarbknudson, https://review.openstack.org/#/c/71353/22:40
stevemarbknudson, there's two more api spec related ones: https://review.openstack.org/#/c/74531/ and https://review.openstack.org/#/c/74571/ just stuff we forgot to add in before, no new functions22:41
bknudsonstevemar: I haven't looked at it before.22:41
bknudsonother than to complain about the title.22:41
stevemarbknudson, yes, once, patch 16, to complain about the title22:42
stevemarwe need the bknudson seal of approval22:43
stevemarayoung and dolph have already chimed in a bunch22:43
ayoungbknudson, blank or non-existant value becomes ''22:44
richmI think the only way to make test_attribute_update pass with LDAP backend is to write "special" values in LDAP - description = '' is description: EMPTY and description = None is description: None22:44
ayoungrichm, nah,22:44
ayoungwe chose one of those rules and say that it applies to LDAP22:45
ayoungeither None or '' but not both22:45
ayoungI'm ok with the UI friendly approach of ''22:45
ayoungrichm, which do you think is less surprising?  None or ''?22:48
richmI guess it doesn't matter to me - it's really what is "least astonishing" for clients22:48
richmApply the principle of least astonishment22:48
nkinderayoung, richm: The CLI currently won't show description if one isn't set.  I expect that is because it finds None22:51
nkinderIf we add '', then the description field may always show up when you run "keystone user-find"22:52
nkinderI don't really care either way, but just a point to keep in mind22:52
richmso, None then22:52
*** stevemar has quit IRC22:52
ayoungsure.  all decisions are whimsical.  arbitrary.  and final22:52
*** arborism has quit IRC22:57
*** jamielennox|away is now known as jamielennox23:04
*** ChanServ sets mode: +v jamielennox23:04
morganfainbergayoung, motion to deprecate whimsical decisions in K.23:05
ayoungDenied23:05
morganfainbergayoung, damn23:05
ayoungAll decisions are whimsical,  arbitrary,  and final.  Including this one.23:06
morganfainbergayoung, suuuuure23:06
richmbtw, when running the liveldap tests - I have to set the ldap password in backend_liveldap.conf - is there some way to pass in the password to use without having to touch some file known to git?23:09
richme.g. KEYSTONE_LDAP_PASSWORD=password nosetests . . .23:10
nkinderrichm: that, or point it to an alternate config file since you might want to use different suffixes, etc.23:14
richmthe config files seem to be hard coded in _ldap_livetest23:14
richm_set_config()23:14
ayoungrichm, what we really need is SASL config so we can use Kerberos when talking to LDAP23:15
ayoung:)23:15
ayoungrichm, yes, the assumption is that the LDAP server was setup using devstack23:15
ayoungand that the user took the defaults23:15
ayoungrichm, the goal is to get it so that the Live tests are run as part of the Gate, and that means accepting default passwords etc23:16
*** dolphm_503 is now known as dolphm23:17
richmok23:17
nkinderrichm: it's not a bad change to propose the ability to point it at a different config file though IMHO23:19
*** ayoung is now known as ayoung-dinner23:20
richmit's no big deal, it's just that you have to set the password in a file known to git, which makes commit/rebase/etc. a hassle23:20
bknudsonrichm: git update-index --assume-unchanged path/to/file.txt23:34
richmbknudson: thanks!23:35
morganfainbergdolphm, dstanek, auto_gen_config updated w/ bug references.23:40
dolphmmorganfainberg: thanks!23:41
*** devlaps has quit IRC23:41
dstanekmorganfainberg: nice, i'll take a look after dinner23:41
morganfainbergdolphm, i have a few more test cases for KVS to get in, but i'm going to aim to land those later on, since they should have 0 effect on any runtime code.23:42
morganfainbergdolphm, going to go glare at SQL stuff.23:42
morganfainbergsee if i can chase down that ipv6 thing and the with_lockmode races23:42
dolphmmorganfainberg: sounds good23:42
morganfainbergdolphm, i can almost see the light at the end of I3... almost23:42
dolphmwe're actually starting to have a digestible number of open reviews in support of blueprints23:46
morganfainbergdolphm, ++ yep23:47
dolphmi think it was like 24 on monday; pretty sure we're under 10 now, if you don't count the ones gating23:48
*** devlaps has joined #openstack-keystone23:48
dolphmalthough the 3 saml-id ones are also a single patch now23:48
*** dolphm is now known as dolphm_50323:51
*** mfisch has joined #openstack-keystone23:52

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!