*** leseb has joined #openstack-keystone | 00:01 | |
*** Fin1te has quit IRC | 00:01 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: document that --pass can be required https://review.openstack.org/77605 | 00:04 |
---|---|---|
*** leseb has quit IRC | 00:05 | |
*** nkinder has quit IRC | 00:13 | |
*** dolphm has quit IRC | 00:14 | |
*** dolphm has joined #openstack-keystone | 00:15 | |
*** bobt has joined #openstack-keystone | 00:19 | |
jamielennox | bknudson: re: https://review.openstack.org/#/c/72515 - the module docs seem to be generated for me on master without this patch | 00:27 |
jamielennox | is that trying to link it into an automated process upstream? | 00:27 |
jamielennox | dstanek: you might know as well as you are listed as co-author | 00:27 |
jamielennox | rm -rf doc/build/ && python setup.py build_sphinx && firefox doc/build/html/py-modindex.html | 00:27 |
bknudson | jamielennox: do you have doc/source/api<something... | 00:27 |
morganfainberg | bknudson, there are a lot of cases that assume revoke_api is "just loaded" | 00:27 |
morganfainberg | :( | 00:27 |
morganfainberg | all over the tests | 00:27 |
jamielennox | bknudson: ah possibly - i have tried this out previously | 00:27 |
jamielennox | i just have some hanging around stuff that i didn't do a clean | 00:27 |
bknudson | morganfainberg: the driver can be loaded for the tests... that's common | 00:27 |
bknudson | morganfainberg: we do that with oauth for example. | 00:27 |
morganfainberg | bknudson, right, and i'm trying to do that | 00:27 |
morganfainberg | bknudson, it's unwinding a lot of things. | 00:27 |
morganfainberg | most of the tests were written assuming it was loaded with service.py so there is a chunk of things that are ... odd | 00:27 |
bknudson | jamielennox: rm -r doc/source/api | 00:27 |
morganfainberg | bknudson, nothing terrible just annoying :( | 00:27 |
jamielennox | yea, it's listed in .gitignore so it's not cleaned | 00:27 |
*** dstanek_afk has joined #openstack-keystone | 00:27 | |
morganfainberg | i might punt this over to ayoung. | 00:27 |
*** stevemar has joined #openstack-keystone | 00:27 | |
*** dstanek has quit IRC | 00:28 | |
*** daneyon_ has quit IRC | 00:30 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Generate module docs https://review.openstack.org/72515 | 00:31 |
jamielennox | bknudson: click rebase on: https://review.openstack.org/#/c/73878/ | 00:32 |
jamielennox | bknudson: can you please click rebase on: https://review.openstack.org/#/c/73878/ | 00:33 |
bknudson | jamielennox: what happens? | 00:33 |
jamielennox | bknudson: i assume it works, it's just out of date | 00:33 |
jamielennox | and i don't have a rebase change button for some reason | 00:33 |
bknudson | "The rebase failed since conflicts occured during the merge." | 00:34 |
jamielennox | oh, ok - i guess that's why i don't have a button :) | 00:34 |
jamielennox | oh you redid the patch underneath while i was looking at it - i should wait and let you work | 00:36 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Fix doc build errors https://review.openstack.org/73878 | 00:36 |
*** thedodd has joined #openstack-keystone | 00:36 | |
bknudson | jamielennox: rebased it the old fashioned way | 00:37 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files https://review.openstack.org/79525 | 00:39 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files https://review.openstack.org/79526 | 00:39 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV https://review.openstack.org/80409 | 00:39 |
morganfainberg | bknudson, here is the other bug report https://bugs.launchpad.net/keystone/+bug/1292283 | 00:40 |
morganfainberg | to fix the "logic" for revocation_events | 00:40 |
*** gtt116 has joined #openstack-keystone | 00:41 | |
bknudson | morganfainberg: this only affects revocation events? | 00:41 |
morganfainberg | yep | 00:41 |
morganfainberg | no no | 00:41 |
morganfainberg | if revocation events are enabled it breaks things | 00:42 |
morganfainberg | badly | 00:42 |
morganfainberg | if you delete a token in a chain | 00:42 |
morganfainberg | e.g. use horizon's "switch project" drop down | 00:42 |
bknudson | ok, so you enable it, and now regular tokens aren't working as expected? | 00:42 |
morganfainberg | basically if you do a delete on a token, any token in that chain (parent or otherwise) is revoked | 00:42 |
morganfainberg | so if you switch projects, horizon says "delete old token" | 00:43 |
morganfainberg | now the new token, the unscoped token, etc are all revoked | 00:43 |
bknudson | we can't revoke a single token through revocation events? | 00:43 |
morganfainberg | nope. | 00:43 |
morganfainberg | it revokes all tokens with the expiration_time | 00:43 |
bknudson | that seems like a use case that we need to support | 00:44 |
morganfainberg | yep. | 00:44 |
morganfainberg | we do need to support it | 00:44 |
*** gtt116 has quit IRC | 00:44 | |
morganfainberg | the idea is likely that you need to revoke by expiration and issued unless you really want to nuke the entire chain | 00:45 |
morganfainberg | i'm not sure how much more complicated that is going to make the revocation code | 00:45 |
morganfainberg | ayoung_dad_mode, https://bugs.launchpad.net/keystone/+bug/1292283 revocation event bug | 00:45 |
morganfainberg | bknudson, if we can get revocation events loaded truly optional (i need to leave, but i'll look at it later unless ayoung beats me to it) | 00:46 |
ayoung_dad_mode | morganfainberg, its a feature | 00:48 |
morganfainberg | bknudson, then this impact is only if you enable an experimental feature | 00:48 |
*** openstack has joined #openstack-keystone | 00:49 | |
morganfainberg | because horizon is revoking the token on switch project (not unreasonable) | 00:50 |
*** sudorandom has quit IRC | 00:50 | |
ayoung_dad_mode | but they don't reauthenticate. | 00:50 |
morganfainberg | specifically when you drop from "admin" like context to a non-admin like context | 00:50 |
morganfainberg | they use the current token and rescope | 00:50 |
ayoung_dad_mode | hmmmm | 00:50 |
morganfainberg | the new re-scoped token is invalid because the revoke_api has invalidated all tokens with the same expiration_time | 00:50 |
ayoung_dad_mode | Oh, I get it. | 00:50 |
morganfainberg | yep | 00:51 |
*** ayoung_dad_mode is now known as ayoung_sad_mode | 00:51 | |
morganfainberg | also https://bugs.launchpad.net/horizon/+bug/1291099 which needs to be addressed before icehouse ships | 00:51 |
morganfainberg | revoke_api isn't "optional" really | 00:51 |
ayoung_sad_mode | it was supposed to be. Is it getting activated by accident? | 00:51 |
morganfainberg | service.py loads it | 00:51 |
morganfainberg | and providers need it | 00:51 |
ayoung_sad_mode | Ah | 00:51 |
ayoung_sad_mode | we can drop that | 00:51 |
morganfainberg | and a bunch of tests are structured to assume it's auto-loaded | 00:51 |
morganfainberg | yeah i got bound up trying to fix the tests | 00:51 |
morganfainberg | but i need to bail for the evening | 00:51 |
*** haneef_ has joined #openstack-keystone | 00:51 | |
morganfainberg | if you're up for fixing it, great! steal the bug :) | 00:51 |
morganfainberg | if not, well, i'll keep poking at it when i'm back | 00:51 |
ayoung_sad_mode | horizon is going to get messed up by one hour tokens, too | 00:51 |
*** openstack has quit IRC | 00:51 | |
*** openstack has joined #openstack-keystone | 00:51 | |
*** haneef__ has quit IRC | 00:51 | |
morganfainberg | but at least that is something that a deployer can change | 00:51 |
ayoung_sad_mode | who is wrong here? | 00:51 |
jamielennox | bknudson: when you say the hash_algorithm is used for the revocation list do you mean the new revocation list or what exists now? | 00:51 |
*** thedodd has joined #openstack-keystone | 00:51 | |
*** openstack has quit IRC | 00:52 | |
*** openstack has joined #openstack-keystone | 00:52 | |
ayoung_sad_mode | morganfainberg, so, I am assuming that they don't want to keep the password in memory, which is why they keep the token | 00:52 |
*** ayoung_sad_mode is now known as ayoung | 00:52 | |
ayoung | jamielennox, yes it does | 00:52 |
morganfainberg | ayoung_sad_mode, *shrug* not sure on that. | 00:52 |
morganfainberg | ayoung, i think they keep token in session cookie | 00:53 |
*** richm has joined #openstack-keystone | 00:53 | |
bknudson | jamielennox: {"revoked": [{"expires": "2014-03-13T23:14:26Z", "id": "af217e158e0d1c95ac9e06ab052e5c3343578c9f93cea7cbf699f01448255012"}]} | 00:53 |
bknudson | that's the revocation list that's returned | 00:53 |
morganfainberg | dunno if you really want a password in there | 00:53 |
ayoung | morganfainberg, well, for the moment, can let disable the change in service | 00:53 |
morganfainberg | ayoung, aye. | 00:53 |
*** dims_ has joined #openstack-keystone | 00:53 | |
morganfainberg | ayoung, that is the important stuff to fix, making revoke actually optional for Icehouse. | 00:53 |
morganfainberg | token TTL we can discuss next week | 00:54 |
morganfainberg | we can rush a change back to something higher if needed | 00:54 |
morganfainberg | and the revoke logic to support more specific token revocation can happen in Juno | 00:54 |
* morganfainberg is just thinking timelines. | 00:54 | |
jamielennox | bknudson: ok then i think you got the wrong method: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1239 | 00:55 |
morganfainberg | anyway. catch ya later on man | 00:55 |
*** sudorandom has joined #openstack-keystone | 00:55 | |
*** openstack has joined #openstack-keystone | 00:56 | |
*** dstanek_afk is now known as dstanek | 00:56 | |
bknudson | jamielennox: but keystone server calls cms_hash_token | 00:57 |
jamielennox | bknudson: yep, i realize we need it for server side, i was just thinking of auth_token | 00:57 |
jamielennox | bknudson: is it possible that we could put the hash algorithm in the revoke list data? | 00:57 |
bknudson | jamielennox: I think it's possible to do that. | 00:57 |
*** openstack has quit IRC | 00:57 | |
*** openstack has joined #openstack-keystone | 00:58 | |
jamielennox | auth_token isn't going to handle that change yet anyway so it should be no different for backwards compat | 00:58 |
bknudson | jamielennox: well, we still need to not use md5. | 00:59 |
bknudson | so cms_hash_token has to not use md5 | 00:59 |
jamielennox | bknudson: sure, i don't mind that part, it's just auth_token i'm thinking atm | 01:02 |
bknudson | jamielennox: auth_token calls cms_hash_token .. so maybe it can always do sha256 there? | 01:02 |
jamielennox | bknudson: yea that would be ok. the way it's used in that function (as i said in a comment) is just for memcache so if we change that no big deal you just lose the cache | 01:02 |
bknudson | jamielennox: ok, hash_signed_token is also using md5, and we've got the revocation list... so should be able to change hash_signed_token to optionally use sha256 and get the algorithm from the revocation list response... | 01:03 |
bknudson | jamielennox: thanks! | 01:03 |
*** YorikSar_ has quit IRC | 01:03 | |
*** topol has joined #openstack-keystone | 01:06 | |
*** dolphm has quit IRC | 01:07 | |
bknudson | jamielennox: so maybe keystone should be calling hash_signed_token rather than cms_hash_token. | 01:08 |
jamielennox | yea, i'm not sure why those two functions are in different modules like that | 01:08 |
*** YorikSar has joined #openstack-keystone | 01:08 | |
bknudson | cms_hash_token passes through uuids | 01:08 |
bknudson | but cms_hash_token could call hash_signed_token. | 01:08 |
jamielennox | but from the server side it doesn't need to check UUID it should know that already | 01:08 |
jamielennox | or can you revoke a UUID token? | 01:08 |
bknudson | jamielennox: you can revoke a uuid token | 01:08 |
bknudson | you don't have to hash it | 01:08 |
jamielennox | ok so that makes sense then | 01:08 |
openstackgerrit | A change was merged to openstack/keystone: Fix db_version failed with wrong arguments https://review.openstack.org/79196 | 01:08 |
jamielennox | that won't affect the hash_algorithm being in there though, because you still won't get a collision with the UUID | 01:08 |
*** dolphm_ has joined #openstack-keystone | 01:08 | |
*** thedodd has quit IRC | 01:08 | |
*** dolphm_ is now known as dolphm | 01:08 | |
*** amcrn has quit IRC | 01:08 | |
ayoung | jamielennox, bknudson is this the whole "why are you using md5 thing?" Cuz that is a red herring | 01:08 |
bknudson | ayoung: I agree, but it's a checkbox for FIPS | 01:08 |
jamielennox | ayoung: yes and yes | 01:10 |
ayoung | ah | 01:10 |
ayoung | yeah, put the algorithm in the revocation list | 01:10 |
ayoung | with a big warning that if you change the config value, all of your token revocations will be dropped | 01:12 |
*** openstack has joined #openstack-keystone | 01:14 | |
*** morganfainberg is now known as morganfainberg_Z | 01:14 | |
bknudson | ayoung: that sounds reasonable... they're not going to match anymore | 01:14 |
bknudson | makes this change kind of scary | 01:14 |
ayoung | bknudson, it is scary | 01:14 |
ayoung | unless we go through and rehash all the old tokens....which means that ugh..... | 01:14 |
jamielennox | well you can do a global hash_algorithm and a local override | 01:14 |
*** wchrisj has joined #openstack-keystone | 01:14 | |
ayoung | OK....so if the algorithm changes, you should go reindex all tokens in the backend | 01:14 |
jamielennox | at root say anything that doesn't have a hash_algorithm in the per token part has algo sha256 and then put an md4 in all the old stuff | 01:14 |
jamielennox | 5! md5! | 01:14 |
*** gtt116 has joined #openstack-keystone | 01:14 | |
*** openstack has joined #openstack-keystone | 01:19 | |
ayoung | and we can put FIPS=True to deny any MD5 | 01:19 |
*** wchrisj has quit IRC | 01:19 | |
jamielennox | i *think* we're saying the same thing | 01:19 |
ayoung | jamielennox, probably | 01:19 |
ayoung | if you switch algo...all tokens should be revoked any way | 01:20 |
*** openstack has quit IRC | 01:24 | |
*** openstack has joined #openstack-keystone | 01:25 | |
*** sudorandom has quit IRC | 01:25 | |
*** sudorandom has joined #openstack-keystone | 01:25 | |
*** openstack has joined #openstack-keystone | 15:08 | |
*** jimbaker has joined #openstack-keystone | 15:48 | |
*** gyee has joined #openstack-keystone | 15:49 | |
*** raildo has quit IRC | 16:04 | |
*** raildo has joined #openstack-keystone | 16:05 | |
*** gokrokve_ has quit IRC | 16:05 | |
ayoung | bknudson, what class or file gives us the function that is the underscore used for I18N like _("Expecting to find %(attribute)s in %(target)s.") | 16:11 |
bknudson | ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/openstack/common/gettextutils.py#n97 | 16:12 |
bknudson | ayoung: gettextutils.install does "moves.builtins.__dict__['_'] = _lazy_gettext" | 16:12 |
bknudson | or it could call regular gettext.install | 16:13 |
ayoung | bknudson, its OK. I need to add that to keystone.exceptions | 16:13 |
ayoung | just doing an import seems OK | 16:13 |
bknudson | ayoung: there's a WIP to change it: https://review.openstack.org/#/c/58766/ | 16:14 |
ayoung | are there any drawbacks to just importing it in a single file? | 16:14 |
*** chandan_kumar has quit IRC | 16:14 | |
ayoung | OK, so if I add it to my commit, it will get rebased in anyway | 16:14 |
ayoung | thanls | 16:14 |
ayoung | thanks | 16:14 |
bknudson | ayoung: the problem is with _() that are created on import... we need to ensure that _ is set up before the import is done. | 16:15 |
bknudson | because otherwise the messages in the exception aren't going to be translated | 16:15 |
bknudson | ayoung: keystone-all does it early: http://git.openstack.org/cgit/openstack/keystone/tree/bin/keystone-all#n37 | 16:16 |
bknudson | ayoung: tests do it in __init__ -- http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/__init__.py#n15 | 16:16 |
bknudson | and http: http://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py#n20 | 16:18 |
ayoung | bknudson, add it to the review, please | 16:19 |
ayoung | update the review | 16:19 |
bknudson | ayoung: which review? | 16:19 |
ayoung | https://review.openstack.org/#/c/58766/ | 16:20 |
dstanek | bknudson: that's why we are setting it to use lazy so the messages do get translated | 16:20 |
ayoung | don't just -1 and leave it | 16:20 |
bknudson | dstanek: http://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py#n22 doesn't need the change? | 16:20 |
bknudson | ayoung: https://review.openstack.org/#/c/58766/ is a work in progress... can't merge it anyways. | 16:21 |
ayoung | k | 16:22 |
bknudson | unless someone wanted to pick it up... not sure why it's a wip. | 16:22 |
bknudson | maybe some new parts were added | 16:22 |
bknudson | dstanek: do you want to get https://review.openstack.org/#/c/58766/ up to date? otherwise I can get to it this aft. | 16:23 |
dstanek | bknudson: i'll have to look at https://review.openstack.org/#/c/58766 again because there are definitely some issues with it | 16:24 |
dstanek | bknudson: some stuff that i thought i added is now missing | 16:24 |
bknudson | dstanek: oh... thanks for looking. | 16:25 |
dstanek | bknudson: you didn't like what i did in https://review.openstack.org/#/c/58766/22/keystone/tests/__init__.py so Ilya removed it | 16:27 |
dstanek | but didn't add the equivalent anywhere | 16:27 |
bknudson | dstanek: it was in a separate commit | 16:27 |
dstanek | bknudson: ah, i see - that commit should have also deleted the logic from keystone.tests.core | 16:28 |
bknudson | dstanek: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/__init__.py | 16:28 |
bknudson | dstanek: maybe that's why it's a WIP | 16:28 |
dstanek | bknudson: it's also unfinished; it looks like new uses of _() were added to files that don't explicitly do the import | 16:30 |
*** gokrokve has joined #openstack-keystone | 16:30 | |
dstanek | bknudson: i'll revisit and see if there are any other issues | 16:31 |
bknudson | dstanek: does missing _() cause a pep8 or test failure now? | 16:31 |
dstanek | bknudson: no | 16:32 |
*** marcoemorais has joined #openstack-keystone | 16:32 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 16:33 |
*** openstackstatus has joined #openstack-keystone | 16:38 | |
*** henrynash has joined #openstack-keystone | 16:48 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 16:54 |
*** dims has joined #openstack-keystone | 16:54 | |
*** petertoft has quit IRC | 16:57 | |
*** dims has quit IRC | 17:00 | |
*** harlowja_away is now known as harlowja | 17:02 | |
*** marekd is now known as marekd|away | 17:02 | |
openstackgerrit | Marek Denis proposed a change to openstack/keystone: Filter out nonstring environment variables before rules mapping. https://review.openstack.org/80293 | 17:07 |
*** morganfainberg_Z is now known as morganfainberg | 17:21 | |
morganfainberg | ayoung, i saw a patch to make revoke really optional via email, i assume that's somewhere in gerrit? | 17:22 |
*** stevemar has quit IRC | 17:25 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Uses explicit imports for _ https://review.openstack.org/58766 | 17:25 |
*** topol has quit IRC | 17:33 | |
morganfainberg | how is everyone's friday? | 17:33 |
vhoward- | great thanks | 17:35 |
*** dims has joined #openstack-keystone | 17:40 | |
*** amcrn has joined #openstack-keystone | 17:40 | |
bknudson | morganfainberg: https://review.openstack.org/#/c/80441/ ? | 17:41 |
bknudson | commit message says "revoke.model" | 17:42 |
*** leseb has quit IRC | 17:42 | |
morganfainberg | bknudson, yeah found it | 17:48 |
morganfainberg | jamielennox|away, looks like we have a couple +2s on the kite repos | 17:59 |
*** marcoemorais has quit IRC | 18:01 | |
*** marcoemorais has joined #openstack-keystone | 18:01 | |
*** amcrn has quit IRC | 18:03 | |
*** amcrn has joined #openstack-keystone | 18:10 | |
*** stevemar has joined #openstack-keystone | 18:17 | |
*** rwsu has quit IRC | 18:30 | |
ayoung | morganfainberg, WIP | 18:30 |
morganfainberg | ayoung, *nod* | 18:30 |
morganfainberg | ayoung, let me know if you need to jump in and help | 18:30 |
ayoung | It works (sans a random check failure) | 18:31 |
morganfainberg | ayoung, cool. | 18:31 |
*** YorikSar has quit IRC | 18:32 | |
morganfainberg | ayoung, awesome. i'll do a quick verify and then +2 for closing out the rc-blocking issue whenever you want to move it from WIP | 18:33 |
ayoung | morganfainberg, so....here's the deal | 18:37 |
ayoung | morganfainberg, the patch "works" in that it does not activate the revoke_api | 18:37 |
ayoung | and, if I am right, cannot *ever* activate the revoke_api | 18:37 |
ayoung | which is suboptimal | 18:37 |
ayoung | so... | 18:38 |
ayoung | I want to *activate* an optional dependency based on the fact that it is registered (not actively created, like we do now) | 18:38 |
ayoung | and...still figuring out the sequence | 18:38 |
morganfainberg | ayoung, ++ ok | 18:38 |
morganfainberg | ayoung, sounds good to me | 18:39 |
ayoung | morganfainberg, I seem to have it implemented, but for some reason, the revoke_api (which is getting created) is not getting set on a test that has @dependency.requires('revoke_api') | 18:39 |
morganfainberg | ayoung, yeah that was what i ran into last night when trying to propose a quick fix | 18:40 |
morganfainberg | ayoung, and i had to leave vs. working late on it | 18:40 |
*** thiagop has joined #openstack-keystone | 18:42 | |
thiagop | Hi everyone, I'm taking a look at this bug: https://bugs.launchpad.net/keystone/+bug/1261847 | 18:43 |
thiagop | I was unable to replicate the error reported | 18:43 |
thiagop | here is what I tried (I'm new to OpenStack): | 18:43 |
thiagop | 1 - Created a new user 'test' | 18:44 |
thiagop | 2 - Created domain 'domain1' | 18:44 |
thiagop | 3 - Created domain 'domain2' | 18:44 |
thiagop | 4 - Assigned 'admin' role to 'test' user in 'domain1' | 18:45 |
thiagop | 5 - Assigned 'Member' role to 'test' in 'domain2' | 18:45 |
thiagop | 6 - Got a domain scoped token to 'domain1', it says that I have 'admin' role | 18:45 |
thiagop | 7 - Got a domain scoped token to 'domain2', it says that I have 'Member' role | 18:46 |
thiagop | By the description of the bug, I was unable to identify if it was reproduced with a domain-scoped or project-scoped token, and if it was with a project-scoped | 18:47 |
thiagop | I think it is with the appropriate behaviour | 18:48 |
thiagop | it HAS the appropriate behaviour** | 18:48 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Use assertIsNone when comparing against None https://review.openstack.org/78118 | 18:49 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Adds style checks to ease reviewer burden https://review.openstack.org/78119 | 18:49 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Add a space after the hash for block comments https://review.openstack.org/78116 | 18:49 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Removes the use of mutables as default args https://review.openstack.org/78117 | 18:49 |
dstanek | lbragstad: i updated https://review.openstack.org/#/c/78119/ based on your comments. when you get a chance see if the docs make sense. thanks! | 18:52 |
lbragstad | dstanek: cool, I'll check it out, thanks for the heads up! | 18:53 |
*** leseb has joined #openstack-keystone | 18:53 | |
bknudson | ayoung: here's how the oauth1.Manager gets instantiated when it's in the pipeline: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/oauth1/routers.py#n55 | 18:54 |
*** leseb has quit IRC | 18:58 | |
ayoung | bknudson, heh, I think I wrote that originally | 19:01 |
ayoung | bknudson, I'll probably end up doing that. But, dagnabit, I want proper component activation and I am so close! | 19:02 |
bknudson | ayoung: did oauth1 do it wrong? | 19:02 |
*** tstevenson has joined #openstack-keystone | 19:02 | |
ayoung | bknudson, no, its finme | 19:03 |
ayoung | fine | 19:03 |
ayoung | bknudson, I want lazy activation of components, and I was going to use this to actually implement it | 19:04 |
ayoung | but... | 19:04 |
ayoung | its probably too big for a bug fix | 19:04 |
bknudson | ayoung: you'd have to call dependency.resolve_future_dependencies when it's created. | 19:05 |
ayoung | bknudson, its not that oauth did it wrong, it is that by doing it that way, our tests don't really mirror the server | 19:05 |
ayoung | bknudson, let me post a fixed version of the patch above, and then I'll revisit | 19:05 |
*** nkinder has quit IRC | 19:06 | |
*** tstevenson has quit IRC | 19:08 | |
*** YorikSar has joined #openstack-keystone | 19:10 | |
ayoung | bknudson, this is what I am trying to fix | 19:11 |
ayoung | https://github.com/openstack/keystone/blob/master/keystone/tests/core.py#L431 | 19:11 |
bknudson | ayoung: the way the startup there does mirror what the server does... it calls load_backends, then initializes the paste pipeline which creates the oauth1.Manager and federation.Manager, and then calls resolve_future_dependencies. | 19:14 |
ayoung | bknudson, but the fact that we do the import and actively create those services separate from the others bothers me | 19:15 |
ayoung | but....meh | 19:15 |
bknudson | ayoung: I agree it's not perfect. | 19:15 |
ayoung | bknudson, one of the things I want to hammer out in the dev loungd | 19:16 |
ayoung | lounge | 19:16 |
bknudson | maybe we need to essentially do the config & paste pipeline startup in the tests. | 19:16 |
bknudson | something might be doable if we move code out of keystone-all -- https://review.openstack.org/#/c/62275/ | 19:17 |
bknudson | but I haven't had time to work on that one. | 19:17 |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager https://review.openstack.org/80368 | 19:18 |
ayoung | bknudson, that is a good devlounge hack effort . | 19:36 |
ayoung | We can have that done on Monday | 19:36 |
*** leseb has joined #openstack-keystone | 19:47 | |
morganfainberg | ayoung, ++ | 19:48 |
morganfainberg | sounds like a great devlounge quick hack | 19:48 |
ayoung | morganfainberg, RuntimeError: KVS region os-revoke-synchonize is already configured. Cannot reconfigure. | 19:48 |
ayoung | do we really need that? | 19:48 |
ayoung | can't we just say "oh, yeah, it's already configured dude." | 19:49 |
ayoung | and let it pass? | 19:49 |
morganfainberg | uhmm. | 19:49 |
morganfainberg | well, ideally you shouldn't ever reconfigure | 19:49 |
morganfainberg | are you passing the same exact config object through? | 19:49 |
ayoung | but it means you need to manage the order that different components do things | 19:49 |
ayoung | it should be done on demand | 19:49 |
ayoung | and done once and other things get the thing and the thing and the other thing thing | 19:50 |
* ayoung gone off the deep end finally | 19:50 | |
morganfainberg | if you are 100% sure you are passing the same config through, then it can be removed | 19:50 |
morganfainberg | i don't think that is the case | 19:50 |
morganfainberg | most of the time a reconfigure is done it's done w/ different data | 19:50 |
morganfainberg | and i don't like silent "oh we didn't do anything and you have something you don't expect" | 19:51 |
morganfainberg | perhaps the .configure could have a pass_on_reconfig boolean option? | 19:51 |
morganfainberg | ayoung, eh, it's not the deep end, more the middle, i think you're a long way from off the deep end | 19:52 |
ayoung | morganfainberg, I'm playing a penny whistle | 19:52 |
ayoung | right now | 19:52 |
morganfainberg | ayoung, heh | 19:52 |
ayoung | Lots of fun at Finnegan's Wake | 19:54 |
*** kfox1111 has joined #openstack-keystone | 19:57 | |
ayoung | wouldna mind a "Drop o' the Craythur" meself. Keystone code is driving me to drink | 19:57 |
kfox1111 | Is there a reason mysql would be spinning on keystone tokens table while using openstack-dashboard for viewing the instance list, volume list, etc? | 19:58 |
lbragstad | dstanek: any thoughts on these? Just out of curiosity? https://review.openstack.org/#/c/78117/5/keystone/tests/test_wsgi.py | 19:58 |
kfox1111 | shouldn't the pki token type make it avoid that table? | 19:58 |
lbragstad | dstanek: since all_locales wouldn't be optional anymore would it? | 19:58 |
ayoung | kfox1111, there are too many tokens and you are running the token delete and there is lock conetition? | 20:00 |
ayoung | contention | 20:00 |
ayoung | kfox1111, probably cuz the revocation list fetch parameter in the client is set to 0 | 20:01 |
ayoung | and it is refetching the revocation list on every token | 20:01 |
ayoung | and that is unnecessary | 20:01 |
kfox1111 | we're clearing out the tokens daily now. | 20:01 |
kfox1111 | hmmm... what is the default? 0? | 20:01 |
ayoung | kfox1111, maybe, depends on the version | 20:02 |
ayoung | but you can set it explicitly | 20:02 |
kfox1111 | havana from rdo | 20:02 |
kfox1111 | so I need to specify it on every service? | 20:02 |
ayoung | https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L274 | 20:02 |
ayoung | kfox1111, its client, so synced on a different schedule | 20:02 |
ayoung | try setting that value in, say, nova or glance's config file | 20:03 |
kfox1111 | ah. so in havana, the default is 1. | 20:03 |
kfox1111 | in trunk, its 300. | 20:04 |
kfox1111 | I'm assuming thats seconds? | 20:04 |
ayoung | kfox1111, yep | 20:04 |
kfox1111 | hmm... | 20:04 |
ayoung | kfox1111, or something is forcing you to fall back to UUID token evaluation | 20:05 |
kfox1111 | there is a token_cache_time listed too. is that just the validation part? | 20:05 |
kfox1111 | It took me a while, but I validated the middleware is executing the openssl cms command to validate tokens. | 20:05 |
ayoung | once it is validated it is held in memcached and not refetched from the server (uuid tokens) or the signature rechecked (PKI tokens) | 20:05 |
kfox1111 | but I'm seeing mysql lookup the user in the tokens table all the time, taking about 2.5 seconds per lookup. | 20:05 |
ayoung | probably for revocations | 20:06 |
ayoung | up the revocation time out and that should settle down | 20:06 |
kfox1111 | k. thanks. | 20:06 |
*** raildo has quit IRC | 20:07 | |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager https://review.openstack.org/80368 | 20:13 |
kfox1111 | So... the middleware pulls the cert revocation list for a given token on first access, and caches for the revocation timeout number of seconds? | 20:16 |
ayoung | OK bknudson so the reason why what I was doing was failing (and this is pretty dumb) is because we call dependency.reset() explicitly...I'm thinking that all of this stuff needs to die a horrible death. | 20:16 |
kfox1111 | rather than having a thread update a global revocation list every timeout number of seconds? | 20:16 |
ayoung | but now, if revoke does what oauth was doing, we ended up calling manager twice | 20:16 |
ayoung | and that causes a re-init of the KVS backend used as the storage | 20:17 |
ayoung | I don't like this, not one...leeeeettle....bit | 20:17 |
bknudson | ayoung: we don't want to keep the backends from the previous tests. | 20:17 |
ayoung | bknudson, OK...I'm trying to keep from getting too theoretical here, but....we need to separate component consumption from definition, and component definition from class definition | 20:20 |
ayoung | we jumble them all together and it is a mess | 20:21 |
ayoung | a class is not a component. A component is a class that has a specific lifespan and a specific configuration | 20:21 |
ayoung | a test should be the lifespan of all of the components that it consumes | 20:21 |
ayoung | which makes tests different from the live server | 20:21 |
bknudson | that's what dependency code is supposed to take care of for you... there might be a python library for it. | 20:21 |
ayoung | on a live server, the lifespans are global, applications (wsgi), session, and request | 20:22 |
ayoung | not that I've seen | 20:22 |
bknudson | we should fix the server so that lifespans aren't global. | 20:22 |
ayoung | bknudson, we should also address how much is done at startup time per controller for the case where we are running in apache | 20:22 |
ayoung | but just need to solve this.... | 20:23 |
ayoung | the problem with testing in Python is that setUp is different from __init__ and that really is wrong | 20:23 |
ayoung | but __init__ doesn't have a partner for teardown. | 20:23 |
ayoung | Which is the problem with garbage collection in general | 20:24 |
ayoung | you never know when you are done with your resources | 20:24 |
ayoung | bah...I'm going back to C++ | 20:24 |
bknudson | ayoung: good idea... just use a smart_ptr | 20:24 |
ayoung | nope | 20:24 |
ayoung | I have a much better approach there | 20:25 |
ayoung | http://adam.younglogic.com/2009/08/cpp-resolver/ | 20:25 |
ayoung | clean up based on the stack | 20:25 |
*** stevemar has quit IRC | 20:25 | |
ayoung | bknudson, but that is a different lifetime | 20:26 |
kfox1111 | is there a param for caching the certificate revocation list on the keystone server? | 20:28 |
*** rwsu has joined #openstack-keystone | 20:28 | |
ayoung | kfox1111, um...maybe? | 20:28 |
ayoung | kfox1111, it would be in the token cache | 20:28 |
ayoung | since it is the same backend | 20:29 |
kfox1111 | wow. we're back up to 64,000 tokens in the db... | 20:30 |
ayoung | expiration_time=REVOCATION_CACHE_EXPIRATION_TIME | 20:31 |
ayoung | that is from token/core.py | 20:31 |
kfox1111 | k. I'll try setting that too. | 20:31 |
kfox1111 | hmm.... | 20:31 |
kfox1111 | here's another part of the problem. | 20:31 |
kfox1111 | there does not look to be an index on tokens. | 20:31 |
ayoung | um | 20:31 |
kfox1111 | mysql> show index in token; | 20:32 |
kfox1111 | Empty set (0.00 sec) | 20:32 |
ayoung | kfox1111, do you need to run the migration on your database? | 20:32 |
ayoung | what version is the db set at? | 20:32 |
kfox1111 | what field should I look at for that? | 20:32 |
ayoung | keystone-manage has a subfunction for it | 20:33 |
ayoung | db_version or something | 20:33 |
ayoung | I'm in development mode, which means nothing on my box works | 20:33 |
ayoung | sorry | 20:33 |
ayoung | blame morganfainberg for telling me about the bug I am fixing right now | 20:33 |
ayoung | AHHHH! | 20:34 |
kfox1111 | 34. | 20:34 |
ayoung | so..the whole Manager() thing was a wrapper around the driver, and you should be able to call it whenever you need a driver, at least that was the intention when termie wrote it. We've since made it into something that needs to be run exactly once. | 20:34 |
kfox1111 | how do I see what version it considers "newest"? | 20:36 |
ayoung | and the same damn logic that makes it magically fetch the driver is keeping me from doing the same thing to magically fetch the cache | 20:36 |
ayoung | kfox1111, that feels about like what I expect from Havana | 20:36 |
ayoung | kfox1111, the migrations are listed under keystone/common/sql/migrate_repo | 20:37 |
kfox1111 | so /usr/lib/python2.6/site-packages/keystone/common/sql/migrate_repo/versions I see up through 36 | 20:37 |
kfox1111 | is it inclusive or exclusive on the number. ie, did 34 get applied already or not? | 20:38 |
ayoung | 34 was applied, 35 and 36 were not | 20:38 |
ayoung | db_sync will apply them | 20:38 |
kfox1111 | ah. 36 is idx = sql.Index('ix_token_valid', token.c.valid) | 20:39 |
kfox1111 | that may help... | 20:39 |
ayoung | 36 looks like it undoes 35 to my eyes | 20:39 |
ayoung | 36 drops ix_token_valid' | 20:39 |
ayoung | ix_token_expires_valid' ah | 20:40 |
ayoung | slightly different | 20:40 |
kfox1111 | oh. ok. | 20:40 |
ayoung | morganfainberg, help | 20:40 |
ayoung | I need to use a real cache setup for revoke | 20:40 |
kfox1111 | should I sync with keystone shutdown or can I do it live? | 20:40 |
ayoung | not the synchronize nonsense I was doing | 20:41 |
morganfainberg | ayoung, hi | 20:43 |
ayoung | morganfainberg, OK. How do I cache something? | 20:44 |
ayoung | I guess it needs to be a function call? | 20:44 |
ayoung | so... | 20:44 |
morganfainberg | ayoung, you looking to do cache (e.g. cache layer) or just KVS store? | 20:44 |
ayoung | KVS store | 20:44 |
ayoung | well | 20:44 |
ayoung | cache layer | 20:44 |
ayoung | in memory | 20:44 |
morganfainberg | kvs or memoize | 20:44 |
ayoung | no memoize if I can help it | 20:44 |
morganfainberg | ok then kvs | 20:44 |
ayoung | morganfainberg, this code | 20:44 |
morganfainberg | easy | 20:44 |
morganfainberg | you're already doing a lock | 20:45 |
ayoung | https://github.com/openstack/keystone/blob/master/keystone/contrib/revoke/core.py#L190 | 20:45 |
ayoung | I'm double configuring the cache though | 20:45 |
ayoung | I think because I am doing it explicitly | 20:45 |
ayoung | the other drivers don't do thjat | 20:45 |
ayoung | that | 20:46 |
ayoung | so I change | 20:46 |
ayoung | if self._cache.revoke_map.is_revoked(token_values): | 20:46 |
ayoung | to | 20:46 |
ayoung | if self._get_revoke_map.is_revoked(token_values): | 20:46 |
ayoung | and mark that function as cached? | 20:46 |
ayoung | if self._get_revoke_map().is_revoked(token_values): | 20:46 |
ayoung | cache on self._get_revoke_map() | 20:46 |
morganfainberg | *blink* | 20:47 |
morganfainberg | i think i'm lost | 20:47 |
morganfainberg | if you're looking to just use an in-memory cache, you can do the same thing you're doing in the KVS backend | 20:47 |
morganfainberg | .get() and .set() | 20:47 |
ayoung | morganfainberg, I want to make it look like the other drivers | 20:47 |
kfox1111 | the db upgrade failed. :/ | 20:47 |
kfox1111 | OperationalError: (OperationalError) (1091, "Can't DROP 'ix_token_valid'; check that column/key exists") '\nDROP INDEX ix_token_valid ON token' () | 20:48 |
morganfainberg | ayoung, so .. a manager? | 20:48 |
ayoung | https://github.com/openstack/keystone/blob/master/keystone/token/core.py#L148 | 20:48 |
ayoung | morganfainberg, like ^^ | 20:48 |
morganfainberg | oh ok so you do want to memoize | 20:48 |
ayoung | no | 20:49 |
morganfainberg | that is memoization | 20:49 |
ayoung | memoize would be a pickle | 20:49 |
ayoung | no? | 20:49 |
morganfainberg | no, memoization says take <args> and use that as a key for the returned value | 20:49 |
ayoung | ah | 20:49 |
morganfainberg | if the cache is not invalidated / current it will use the cached value first | 20:50 |
ayoung | hm...well that is kind of what I want | 20:50 |
kfox1111 | there is no ix_token_valid. :/ | 20:50 |
kfox1111 | show indexes in token; | 20:50 |
kfox1111 | | Table | Non_unique | Key_name | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment | | 20:50 |
morganfainberg | ayoung, so any @cache.on_arguments decorated functions must not contain kwargs | 20:51 |
kfox1111 | | token | 1 | ix_token_expires_valid | 1 | expires | A | 63791 | NULL | NULL | YES | BTREE | | | 20:51 |
kfox1111 | | token | 1 | ix_token_expires_valid | 2 | valid | A | 63791 | NULL | NULL | | BTREE | | | 20:51 |
kfox1111 | just those two indexes that 35 added. | 20:51 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Sync db, db.sqlalchemy from oslo-incubator 0a3436f https://review.openstack.org/78429 | 20:51 |
ayoung | morganfainberg, that I can deal with. I only ever want one object to be cached | 20:51 |
morganfainberg | ayoung, so you just need to do the import of the cache stuff like token does | 20:51 |
morganfainberg | ayoung, https://github.com/openstack/keystone/blob/master/keystone/token/core.py#L24 | 20:52 |
ayoung | morganfainberg, what is +SHOULD_CACHE = cache.should_cache_fn('revoke') | 20:52 |
morganfainberg | ayoung, https://github.com/openstack/keystone/blob/master/keystone/token/core.py#L36 | 20:52 |
ayoung | well, it is 'token' in the token core | 20:52 |
morganfainberg | if you want a revocation config option for TTL on the cache | 20:52 |
morganfainberg | erm | 20:52 |
morganfainberg | sorry | 20:52 |
morganfainberg | should_cache_fn is a factory to create a "yes/no" caching decision based on config opts | 20:53 |
ayoung | so I need a 'revoke' version of that call | 20:53 |
kfox1111 | why would 36 be broken? arrg. | 20:53 |
morganfainberg | ayoung, https://github.com/openstack/keystone/blob/master/keystone/common/cache/core.py#L157 | 20:53 |
ayoung | so I add +SHOULD_CACHE = cache.should_cache_fn('revoke') | 20:53 |
morganfainberg | and then in config options you'd create in the [revoke] section a 'caching' option | 20:53 |
morganfainberg | defaulted to "on" | 20:54 |
morganfainberg | erm | 20:54 |
morganfainberg | True | 20:54 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Sync db, db.sqlalchemy from oslo-incubator 0a3436f https://review.openstack.org/78429 | 20:54 |
ayoung | kfox1111, I'd have to look at the git history | 20:54 |
ayoung | morganfainberg, | 20:54 |
ayoung | OK...I can figure that out | 20:54 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Sync db, db.sqlalchemy from oslo-incubator 0a3436f https://review.openstack.org/78429 | 20:54 |
morganfainberg | ayoung, and if you want a separate cache expiration time, do a lambda like https://github.com/openstack/keystone/blob/master/keystone/common/cache/core.py#L157 | 20:55 |
morganfainberg | https://github.com/openstack/keystone/blob/master/keystone/common/cache/core.py#L157 so you can do a decorator like this | 20:55 |
morganfainberg | then if caching is enabled, you will cache the value for <expiration_time> length | 20:56 |
morganfainberg | finally, if you have a case that the cache needs to be invalidated, you need to do something like https://github.com/openstack/keystone/blob/master/keystone/token/core.py#L250 and call <method>.invalidate | 20:56 |
kfox1111 | arg.... and keystone won't start. says address is already in use. | 20:56 |
morganfainberg | and it'll do the magic to invalidate the cache so the next call to get will regenerate | 20:56 |
kfox1111 | nova-api was using the 35357 port for a bit. shut it down, and now nothing is using it, but keystone still wont start. | 20:57 |
morganfainberg | ayoung, it's a little unwieldy to develop, i'm working on that w/ the oslo port of dogpile stuff | 20:57 |
ayoung | morganfainberg, so...If I store the revocation events and the tree in the cache, I can just dump the tree and recreate with the current set of events | 20:58 |
kfox1111 | hmm.. ok. its started now... | 20:58 |
ayoung | ugh, but ;last_fetch | 20:58 |
ayoung | ah..I can just cache for internal use | 20:58 |
kfox1111 | so I'm stuck at 35.. | 20:59 |
morganfainberg | ayoung, make the last_fetch work done in process | 20:59 |
morganfainberg | ayoung, not based on the backend | 20:59 |
morganfainberg | ayoung, ? | 20:59 |
morganfainberg | ayoung, so .get to the driver always returns all the events | 20:59 |
morganfainberg | last_fetch is filtered in-memory | 20:59 |
ayoung | yeah, I can do that | 20:59 |
morganfainberg | CPU cost vs IO | 20:59 |
morganfainberg | keep in mind when you .invalidate() you need to pass the exact same arguments (including the proper 'self') through | 21:00 |
morganfainberg | that is again something i'm trying to solve, but it's a tough nut to crat | 21:00 |
morganfainberg | crack* | 21:00 |
kfox1111 | hmm... still no index on token.id | 21:01 |
kfox1111 | that's probably what's killing performance... | 21:01 |
morganfainberg | kfox1111, so how did the upgrade fail? | 21:01 |
morganfainberg | kfox1111, you said you had an issue with upgrading the db, what was the exact issue? | 21:01 |
morganfainberg | kfox1111, it sounds like you're wedged between schema versions | 21:01 |
morganfainberg | kfox1111, what does the migrate_version table say in the keystone db? | 21:02 |
kfox1111 | | keystone | /usr/lib/python2.6/site-packages/keystone/common/sql/migrate_repo | 35 | | 21:03 |
kfox1111 | Here's the info... | 21:04 |
kfox1111 | http://pastebin.com/9m4Ui8ak | 21:04 |
kfox1111 | Interestingly, I had debug level logging on at the time. :) | 21:05 |
kfox1111 | I believe what it says. I don't think the index is there it's trying to delete. | 21:06 |
dstanek | lbragstad: just read your last comment, but i think i got it out of context. which review are you looking at the mutable defaults? | 21:09 |
kfox1111 | grepping through migrate_repo, I do not see an index on token id anywhere. | 21:09 |
kfox1111 | even from trunk. | 21:09 |
*** david-lyle has quit IRC | 21:09 | |
kfox1111 | so I think that is one of the performance problems... | 21:09 |
ayoung | morganfainberg, OK...I think I have it. I am going to run the tests and repost. please look at it very carefully | 21:10 |
ayoung | kfox1111, please make sure that you file it as an RDO bug | 21:10 |
*** leseb has quit IRC | 21:10 | |
kfox1111 | You think its specific to RDO? | 21:11 |
ayoung | kfox1111, no idea | 21:14 |
ayoung | but lets assume that to be the case | 21:14 |
ayoung | kfox1111, but if you file it there, the RH QA will pick it up and validate it , and then they will bug me to fix it. | 21:15 |
kfox1111 | well, I was in the process of posting one to the openstack bugtracker. I can post another one to rdo if you think that would help. sorry. | 21:16 |
ayoung | kfox1111, lets track it from RDO, since that is how you installed | 21:17 |
*** thedodd has quit IRC | 21:17 | |
kfox1111 | have a link to their tracker? | 21:18 |
kfox1111 | looks like the index was added in 25. | 21:18 |
kfox1111 | I'm not finding a reference to a bug tracker anymore on openstack.redhat.com | 21:21 |
*** openstackgerrit has quit IRC | 21:21 | |
kfox1111 | Do all databases start at 1 and then get migrated through all the upgrades, | 21:21 |
*** openstackgerrit has joined #openstack-keystone | 21:21 | |
kfox1111 | or does it create half way through an upgrade? when a new install is made? | 21:21 |
*** dstanek is now known as dstanek_afk | 21:30 | |
*** openstackgerrit has quit IRC | 21:32 | |
*** openstackgerrit has joined #openstack-keystone | 21:32 | |
*** dims has quit IRC | 21:34 | |
*** zhiyan is now known as zhiyan_ | 21:42 | |
morganfainberg | ayoung, ++ will do | 21:44 |
ayoung | morganfainberg, and...it broken | 21:52 |
*** dims has joined #openstack-keystone | 21:53 | |
morganfainberg | ayoung, :( | 21:54 |
*** henrynash has quit IRC | 21:54 | |
ayoung | morganfainberg, something is double configuring the KVS backend | 21:54 |
morganfainberg | ayoung, let me take a look here in a sec | 21:54 |
ayoung | I'm guessing that oauth doesn't default to the kvs backend? | 21:54 |
ayoung | morganfainberg, I'll have to repost the code | 21:55 |
ayoung | morganfainberg, the problem is this code | 21:55 |
morganfainberg | ayoung, ok | 21:55 |
ayoung | def __init__(self, **kwargs): | 21:55 |
ayoung | super(Revoke, self).__init__() | 21:55 |
ayoung | self._store = kvs.get_key_value_store('os-revoke-driver') | 21:55 |
ayoung | self._store.configure(backing_store=_KVS_BACKEND, **kwargs) | 21:55 |
ayoung | if the driver gets re-initialized it gets called again | 21:55 |
ayoung | oauth only has SQL backend | 21:55 |
morganfainberg | ayoung, hmmm. | 21:55 |
morganfainberg | ayoung, let me see how i did that in token? | 21:55 |
ayoung | self._store = kvs.get_key_value_store('token-driver') | 21:56 |
ayoung | if backing_store is not None: | 21:56 |
ayoung | self.kvs_backend = backing_store | 21:56 |
ayoung | self._store.configure(backing_store=self.kvs_backend, **kwargs) | 21:56 |
morganfainberg | oh | 21:57 |
morganfainberg | i did a dirty hack to get around this. | 21:57 |
morganfainberg | ayoung, https://github.com/openstack/keystone/blob/master/keystone/tests/core.py#L424 | 21:58 |
ayoung | morganfainberg, (╯°□°)╯︵ ┻━┻ | 21:58 |
morganfainberg | i explicitly clear the weakref dict that is used to manage the registry | 21:58 |
morganfainberg | ayoung, you're hitting that error means you're instantiating the _cache multiple times. | 21:58 |
morganfainberg | in theory you shouldn't be doing tha | 21:58 |
morganfainberg | t | 21:58 |
ayoung | can't I check if it is configured already and not recall the code? | 21:59 |
morganfainberg | i'm fine if you want to rip out the raise exception on reconfigure of the kvs backend | 21:59 |
morganfainberg | sure | 21:59 |
morganfainberg | i think it's if kvs_region.is_configured | 21:59 |
ayoung | morganfainberg, but why doesn't your hack clear my cache too | 21:59 |
morganfainberg | let me 2x check | 21:59 |
ayoung | morganfainberg, I create the driver on the equivalent of https://github.com/openstack/keystone/blob/master/keystone/tests/core.py#L434 | 22:00 |
morganfainberg | ayoung, you're initializing the cache 2 times before cleanup is called | 22:00 |
*** browne has left #openstack-keystone | 22:00 | |
morganfainberg | and no, i don't have a "is_configured" property | 22:00 |
ayoung | morganfainberg, loadApp is triggering it | 22:01 |
morganfainberg | ah. | 22:01 |
morganfainberg | like i said, if you want to remove the exception for multiple configure calls (perhaps make it a warning?) | 22:01 |
morganfainberg | i'm ok with that | 22:01 |
ayoung | so it gets imported, cleared, created, and then imported again via loadApp and the paste pipeline | 22:02 |
morganfainberg | i erred on the side of "be obnoxious about not letting people reconfigure and get unexpected results" | 22:02 |
ayoung | not sure that would be correct. What if we are changing the cache backend for a driver or something from default to test it? | 22:02 |
ayoung | won't it still have the old config? | 22:02 |
morganfainberg | ayoung, exactly the reason i was aiming to force an exception | 22:02 |
ayoung | morganfainberg, OK, kids are bothering me, and I need to go | 22:03 |
ayoung | gonna have to wait | 22:03 |
morganfainberg | ayoung, if you post your code i can take a swing at that bit this evening | 22:03 |
openstackgerrit | A change was merged to openstack/keystone: Update sample config https://review.openstack.org/78024 | 22:03 |
morganfainberg | if not, i'll be around to discuss as needed. | 22:03 |
bknudson | keystoneclient has both a test_utils.py and a utils.py | 22:11 |
bknudson | guess which one has tests for keystoneclient.utils? | 22:11 |
bknudson | it's neither | 22:11 |
bknudson | ahh, guess I'm wrong... it's got some tests. | 22:12 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Allow hash tokens with sha256 https://review.openstack.org/80398 | 22:17 |
*** sudorandom has quit IRC | 22:18 | |
*** sudorandom_ has joined #openstack-keystone | 22:19 | |
*** sudorandom_ is now known as sudorandom | 22:19 | |
*** richm has quit IRC | 22:20 | |
*** leseb has joined #openstack-keystone | 22:21 | |
*** YorikSar has quit IRC | 22:22 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm https://review.openstack.org/80401 | 22:22 |
*** YorikSar has joined #openstack-keystone | 22:23 | |
*** leseb has quit IRC | 22:26 | |
*** flaper87 is now known as flaper87|afk | 23:27 | |
*** gokrokve has quit IRC | 23:28 | |
*** openstackstatus has quit IRC | 23:36 | |
*** thiagop has quit IRC | 23:38 | |
*** rwsu has quit IRC | 23:38 | |
*** openstackgerrit has quit IRC | 23:39 | |
*** marcoemorais has quit IRC | 23:45 | |
*** lbragstad has quit IRC | 23:46 | |
*** haneef_ has quit IRC | 23:46 | |
*** bobt has quit IRC | 23:46 | |
*** dolphm has quit IRC | 23:46 | |
*** dstanek_afk has quit IRC | 23:46 | |
*** Daviey has quit IRC | 23:46 | |
*** YorikSar has quit IRC | 23:46 | |
*** sudorandom has quit IRC | 23:46 | |
*** marekd|away has quit IRC | 23:46 | |
*** harlowja has quit IRC | 23:46 | |
*** bknudson has quit IRC | 23:46 | |
*** chmouel has quit IRC | 23:46 | |
*** vhoward- has quit IRC | 23:46 | |
*** tellesnobrega has quit IRC | 23:46 | |
*** zhiyan_ has quit IRC | 23:46 | |
*** jimbaker has quit IRC | 23:46 | |
*** wchrisj has quit IRC | 23:46 | |
*** dvorak has quit IRC | 23:46 | |
*** amcrn has quit IRC | 23:46 | |
*** mberlin has quit IRC | 23:46 | |
*** jaypipes has quit IRC | 23:46 | |
*** jamielennox|away has quit IRC | 23:46 | |
*** flaper87|afk has quit IRC | 23:46 | |
*** koolhead17 has quit IRC | 23:46 | |
*** kfox1111 has quit IRC | 23:46 | |
*** gyee has quit IRC | 23:46 | |
*** dtroyer has quit IRC | 23:46 | |
*** jordant has quit IRC | 23:46 | |
*** zigo has quit IRC | 23:46 | |
*** jraim has quit IRC | 23:46 | |
*** mhu has quit IRC | 23:46 | |
*** openstack has joined #openstack-keystone | 23:46 | |
*** openstackstatus has joined #openstack-keystone | 23:47 | |
*** dstanek_afk has joined #openstack-keystone | 23:54 |