Monday, 2014-03-17

*** henrynash has joined #openstack-keystone00:29
openstackgerritA change was merged to openstack/keystone: Ensure v3policysample correctly limits domain_admin access
*** henrynash has quit IRC01:15
*** shakamunyi has joined #openstack-keystone01:37
*** bknudson has quit IRC01:38
*** ayoung-zzzZZ has quit IRC02:10
*** zhiyan_ is now known as zhiyan02:30
*** zhiyan is now known as zhiyan_02:35
*** stevemar has joined #openstack-keystone02:46
*** mberlin has joined #openstack-keystone03:00
*** mberlin1 has quit IRC03:01
*** stevemar has quit IRC03:08
*** stevemar has joined #openstack-keystone03:09
openstackgerritA change was merged to openstack/keystone: Do not use keystone.conf.sample in tests
*** stevemar has quit IRC04:44
*** stevemar has joined #openstack-keystone04:45
*** zhiyan_ is now known as zhiyan05:02
*** stevemar has quit IRC05:32
*** morganfainberg_Z is now known as morganfainberg05:34
openstackgerritA change was merged to openstack/keystone: Use class attribute to represent 'user' and 'group'
*** derek_c has joined #openstack-keystone05:56
derek_cI'm trying to write a contrib module for keystone.  does anyone know how I can make sure that an action is triggered only if the user has been authenticated?06:00
derek_cso I have set up an endpoint using mapper.connect06:01
derek_cbut I want to make sure whoever calls this endpoint has been authenticated already06:01
morganfainbergderek_c, ah, you need to use the @controller.protected() decorator (look in keystone.identity.controllers(06:02
morganfainbergand have the appropriate entry in the policy file.06:02
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex
derek_cmorganfainberg: ah thanks!  what do you mean by "have the appropriate entry in the policy file?"06:03
morganfainbergderek_c, policy.json describes what is allowed / not allowed06:03
morganfainbergderek_c, look in etc/policy.json and etc/policy.v3cloudsample.json06:04
morganfainbergderek_c, that is the policy language, so you can define things like "must be admin" etc06:04
morganfainbergderek_c,if you're defining new protected restful api actions, you should be familiar with policy so you can see how to control it :)06:05
derek_cmorganfainberg: great, I will look at it.  thanks :)06:06
morganfainbergderek_c, np06:07
jamielennoxmorganfainberg: uh oh:
morganfainbergjamielennox, OH SNAP!06:08
morganfainbergjamielennox, hmm, jenkins doesn't like it06:08
morganfainbergjamielennox, hmmmmmm i guess we need to go debug that.06:09
derek_cI see this line saying ""identity:update_user": [["rule:admin_required"]],"06:09
derek_cin policy.json06:09
morganfainbergjamielennox, will look at it tomorrow.06:09
derek_cso that means, only the admin can modify a user, but not even the user himself?06:09
jamielennoxmorganfainberg: yea, i was going to go for a quick look but i'm not sure06:09
morganfainbergjamielennox, if thats cool (unless you tell me you don't need help by then)06:09
jamielennoxnot sure if those logs are available to us06:10
jamielennoxderek_c: yes, in that case06:10
morganfainbergjamielennox, eh, likely i failed to get the jobs created sanely in the jenkins job builder06:10
morganfainbergjamielennox, look in config/modules/openstack_project/jenkins_job_builder06:10
jamielennoxderek_c: update_user maps to a very specific function though in the controller06:10
morganfainbergjamielennox, i think06:11
derek_cjamielennox: I see that.  thanks :)_06:11
jamielennoxderek_c: also the policy.json file is way more simplified than the policy v3 file06:11
derek_cjamielennox: ah, I see06:11
derek_cdoes v3 APIs use the v3 policy file by default?  It seems to just be a sample06:12
jamielennoxderek_c: no06:12
jamielennoxnothing uses it by default06:12
jamielennoxunfortunately to swap the default is a big break in compatability and so we just haven't done it but v3 is the recommended06:12
derek_cjamielennox: I see. thanks :)06:14
morganfainbergjamielennox, i'm scared, i think i somehow grasp the python MRO a lot better than before06:27
jamielennoxmorganfainberg: that's a bit like staring into the abyss right06:27
morganfainbergjamielennox, i think so06:28
jamielennoxi get the principal - there are times i don't like to risk it06:28
jamielennoxmultiple inheritence with the same function call on all parents, i just prefer to make that explicit06:28
morganfainbergjamielennox, it ... just kinda makes sense now06:30
morganfainbergjamielennox, it clicked when i was mucking with our tests06:31
morganfainbergjamielennox, i dunno... it feels almost zen... but darker06:31
morganfainbergi think i like this cleanup of the test_configs even more now.06:32
morganfainbergjust need to get the last test case to stop failing and should be good.06:33
jamielennoxmorganfainberg: i started looking through it06:33
jamielennoxi +Aed the base one06:33
morganfainbergyeah addressing bknudson's comments on the test_conf removal one06:33
jamielennoxi'm not sure why we still need the files at all in the later ones06:33
morganfainbergthere are a couple cases where we want to allow overriding06:33
jamielennoxsure but why do we do that by file?06:33
morganfainbergand specifically LDAP is an ugly mess of options that it's easier to load from a config.06:33
morganfainbergjamielennox, env variables?06:34
morganfainbergjamielennox, not sure if we have a better way06:34
jamielennoxso load this file via env var?06:34
morganfainbergjamielennox, especially when we let people run against (say) a live ldap server06:34
morganfainbergjamielennox, well, i guess we could move to a "use this file from a path"06:34
morganfainbergbut like i said in the case of the LDAP tests, we can't just do that because config_fixture.config overides anything loaded from a file06:35
morganfainbergso we need to set the default, and then set the default back?06:35
jamielennoxbut that seems like a fault in the LDAP tests rather than something we should be wroking around06:35
morganfainbergi think i can work through it, but i am inclined to make it as incremental as possible.06:35
morganfainbergjamielennox, the ldap tests (and BaseLDAP object) need a lot of reworking anyway06:36
morganfainbergjamielennox, i figure i'll hit those when i get to that part (towards parallel testing)06:36
morganfainbergjamielennox, cleanup when it involves the tests at this scale will always be incremental :(06:38
jamielennoxyea, it's a hard thing to move06:39
morganfainbergwtf.  how did this.. fail.06:39
* morganfainberg goes digging06:40
morganfainbergoooh *doh*06:47
*** saju_m has joined #openstack-keystone06:47
jamielennoxmorganfainberg: that sounded revealing06:51
morganfainbergjamielennox, 2 things 1: type, 2: oopse forgot to override an option on a secondary TestCase class06:52
morganfainbergjamielennox, about to post a fix for the couple of brant's comments06:52
morganfainbergjamielennox, then i'll rebase the next couple patches in that chain06:52
jamielennoxit's gotten to the point i don't like approving things until brant's had a go over it06:53
morganfainberginitially i was that way06:53
morganfainbergjamielennox, i think it's mixed.06:54
morganfainbergjamielennox, some cases yes06:54
morganfainbergjamielennox, some cases no.06:54
jamielennoxnah, i'm still going to do it - it's just he seems to find a whole bunch of stuff that are obvious when someone else points it out to you06:54
*** YorikSar has quit IRC06:55
morganfainberghmm 1 more test case still failing06:57
morganfainbergsooooo close06:57
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Discover should support other services
morganfainbergookcay so wtf. somehow a single domain isn't being created correctly...07:02
*** YorikSar has joined #openstack-keystone07:15
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Handle URLs via the session and auth_plugins
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV
morganfainbergjamielennox, ok so the first one (major conf removal) should be good to be looked at if you care to dig in.07:22
morganfainbergjamielennox, if not, no worries :)07:22
jamielennoxmorganfainberg: yep, tomorrow07:22
jamielennox(assuming it's not passed by then)07:23
morganfainbergjamielennox, it's cleanup so it can happen as people have time (hopefully J1-ish no later so it's less fighting features)07:23
morganfainbergjamielennox, i kinda like how much smaller the queue of reviews gets towards the end of the cycle07:24
morganfainbergjamielennox, :P07:24
jamielennoxare we looking at the same queue?07:25
morganfainbergjamielennox, also, if you didn't see the reverts on the oauthlib stuff for keystoneclient ... those got pushed through post-haste, (and keep in mind for the future even though stable trees now track that w/ gate checks_)07:25
jamielennoxmorganfainberg: yea i saw that, it was a dependency error right - something in keystoneclient's requirements.txt that wasn't in global?07:26
morganfainbergjamielennox, it's < 100, we were close to 200 before Milestone307:26
morganfainbergwasn't in stable/havana global07:26
jamielennoxhow did that happen - i thought there was a gate job that would pick that up07:26
morganfainbergthere are now checks for stable/havana07:26
jamielennoxok, cool - that was my next poin t07:26
morganfainbergthis makes progressing clients very hard07:26
morganfainbergesp. since distro maintainers might get unhappy w/ new requirements after a version ships07:27
jamielennoxyea, that would annoy me - i'm not sure that's the right approach for clients07:27
morganfainbergso things like oauthlib in ksc would be 2 releases away?07:27
jamielennoxno we can't hinge on that07:28
morganfainbergi am firmly of the opinion (now) that we need to not have python-*client libraries07:28
morganfainbergwell not managed by each project07:28
morganfainbergmore centrally managed that is07:29
jamielennoxnot sure how that would change this07:29
morganfainbergactually i have an idea on this.07:29
morganfainbergstrike last couple lines07:29
morganfainbergkeystoneclient plugins package.07:29
morganfainbergrelease auth_plugins separate from keystoneclient07:30
*** flaper87|afk is now known as flaper8707:30
morganfainbergwe might be able to use that to avoid making distro maintainers unhappy07:30
morganfainbergor alternatively07:31
morganfainbergwe can use the same methodology dogpile.cache uses to load the libs in ksc07:31
jamielennoxso yes and no, i'm already looking at loading auth plugins from outside of ksc07:31
morganfainbergbasically don't do the import until the plugin is actually loaded07:32
jamielennoxat some point we need to figure out what to do about extensions07:32
jamielennoxcause they should be able to be external - which is most things in contrib07:33
morganfainbergjamielennox, i am mixed on that stuff07:33
jamielennoxbut there are problems with that07:33
morganfainbergjamielennox, but yeah.07:34
jamielennoxi think auth we need to be able to extend, i'm holding off the 'magic' concept07:34
jamielennoxbut i'm not sure if it helps us with the distros07:34
jamielennoxat some point we will still need to add new deps07:34
morganfainbergjamielennox, well if we don't load a plugin and the code wouldn't be executed...07:35
morganfainbergjamielennox, i don't see it as being an issue07:35
morganfainbergdocument "if you want to use auth X, you need module Y"07:35
morganfainbergrelease the auth plugins a separate packages07:35
morganfainbergi'm actually kindof liking that.07:35
jamielennoxyea, maybe we should have done that for oauth - i'm not sure what hooks we would need07:35
morganfainbergif we do it right we can make the auth plugin package be the same for keystone and keystoneclient (if we can make sure the auth plugin interface is super stable)07:36
morganfainbergand i mean commit to that interface for the lifespan of the api version07:36
jamielennoxi want to fixup the server side auth plugins in J07:37
morganfainbergjamielennox, ++++++07:37
jamielennoxcause i've thought that too that we should be able to do client and server plugins together07:37
jamielennoxor at lesat somehow linked i guess07:37
morganfainbergif you think we can commit to a stable interface, i am 100% for making auth plugins released separately from keystone and keystone client07:37
morganfainbergit would make them truely optional07:37
morganfainbergexcept (obviously) the core "password, token, external" et al ones07:38
jamielennoxit's hard because the dependencies can be rather different07:38
morganfainbergeh, not too much different07:38
jamielennoxalthough i guess you just pass the request etc by param07:38
jamielennoxdon't need to actually import pecan just use the values passed07:39
morganfainbergjamielennox, something to think about07:39
morganfainbergjamielennox, yep.07:39
morganfainbergjamielennox, i think we can make this work.07:39
jamielennoxso steve should be able to fix oauth without worrying about the auth_plugin07:39
jamielennoxoh - not the auth plugins are still loaded by default07:40
jamielennoxmaybe i should have made him put the plugin in the oauth file rather than the v3 auth file07:40
jamielennoxyea, i think i should hvae07:40
jamielennoxit's not a core method07:40
jamielennoxand he can still link back in when it gets pluggable07:41
jamielennoxok, i'll enforce that next time the review comes through07:41
morganfainbergdo need to document requirements for those plugins though e.g. for havana if someone wants that.07:41
jamielennoxthe server side auth plugins?07:42
morganfainbergthe clientside07:42
morganfainbergwait i mistook what you were saying07:42
jamielennoxthat shouldn't make a difference to requirements07:42
morganfainbergugh it's too late i'm crossing things in my brain07:42
jamielennoxyea, these aren't immediate problems07:43
jamielennoxi'm going home i think07:43
morganfainbergjamielennox, i'm gonna try and fix my pull request for tox and then get sleep07:43
jamielennoxgood luck07:43
morganfainbergdo you know if you can "change" the commit in a pull request?07:43
morganfainbergor is it just make a new one?07:43
jamielennoxoh, and if your review queue is getting too short remember you can also look at the client side07:43
* morganfainberg dislikes pull requests compared to gerrit.07:43
jamielennoxyea, if you push with --force it will change it07:44
morganfainbergjamielennox, haha, i've been trying to do both.07:44
jamielennoxi think you loose a lot of context though07:44
morganfainbergjamielennox, if you noticed i've been reviewing client stuff too!07:44
jamielennoxmorganfainberg: i'm biased to my list i guess, though i saw one of yours today i'm sure07:45
morganfainbergit's not been as common because of RC looming07:45
jamielennoxwas hoping that would start to make it more common as people can't submit features07:46
morganfainbergi think it will provided we have no more emergencies07:46
morganfainbergjamielennox, i'm also being yanked towards building infrastructure internally.07:47
morganfainbergjamielennox, so i'm about elbow deep in puppet manifests07:47
jamielennoxalright, i'm going home07:48
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Handle URLs via the session and auth_plugins
*** jamielennox is now known as jamielennox|away07:50
*** marekd|away is now known as marekd08:07
*** amuller has joined #openstack-keystone08:14
*** derek_c has quit IRC08:16
*** openstack has quit IRC08:21
*** openstack has joined #openstack-keystone08:29
*** openstackstatus has joined #openstack-keystone08:30
*** andreaf has joined #openstack-keystone08:31
*** amuller has joined #openstack-keystone08:33
*** morganfainberg is now known as morganfainberg_Z08:45
*** leseb has joined #openstack-keystone08:46
*** henrynash has joined #openstack-keystone08:52
*** leseb has quit IRC09:00
*** leseb_ has joined #openstack-keystone09:03
*** andreaf2 has joined #openstack-keystone09:04
*** leseb_ has quit IRC09:05
*** leseb_ has joined #openstack-keystone09:05
*** andreaf has quit IRC09:07
*** leseb_ has quit IRC09:09
*** leseb has joined #openstack-keystone09:09
*** leseb has quit IRC09:18
*** leseb_ has joined #openstack-keystone09:21
openstackgerritwanghong proposed a change to openstack/keystone: For ldap, API wrongly reports user is in group
openstackgerrithenry-nash proposed a change to openstack/keystone: Provide option to make domain_id immutable
marekdhenrynash: Morning! Looks like you are one of the few not sleeping :-) A quick question, do you know if there is any possibility to write a unittest in that test change a configration parameter (normally stored in the keystone.conf file) ?09:47
*** chandan_kumar has joined #openstack-keystone09:48
henrynashmarekd: absolutelly09:49
henrynashmarekd: see a change I just proposed as an example (
henrynashmarekd: see the line: self.config_fixture.config(domain_id_immutable=True)09:50
marekdhenrynash: oh, great!09:50
henrynashmarekd: no problem09:51
marekdso this hardcoded name self.config_fixture does the magic?09:51
marekdhenrynash: ^^09:51
henrynashmarekd: yep…and won't affect other tests :-)09:52
marekdhenrynash: cool!09:52
*** leseb_ has quit IRC09:57
*** leseb has joined #openstack-keystone10:02
*** mberlin has quit IRC10:12
*** saju_m has quit IRC10:17
*** amuller has quit IRC10:25
marekdhenrynash: do you know how can actually set parameter under certain 'section' ?10:25
*** mberlin has joined #openstack-keystone10:25
marekdhenrynash: in my case it's stored under 'federation'10:25
marekdhenrynash: ok, found it.10:27
marekdhenrynash: self.config_fixture.config(group='federation', assertion_prefix='someval')10:27
*** saju_m has joined #openstack-keystone10:33
openstackgerritwanghong proposed a change to openstack/keystone: For ldap, API wrongly reports user is in group
openstackgerritMarek Denis proposed a change to openstack/keystone: Filter SAML2 assertion parameters with certain prefix.
*** openstackgerrit has quit IRC11:10
*** openstackgerrit has joined #openstack-keystone11:10
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
*** amuller has joined #openstack-keystone11:11
*** amuller has left #openstack-keystone11:14
*** saju_m has quit IRC11:15
*** andreaf2 has quit IRC11:21
*** leseb has quit IRC11:28
*** leseb has joined #openstack-keystone11:28
*** leseb has quit IRC11:33
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Uses explicit imports for _
*** saju_m has joined #openstack-keystone11:37
*** leseb has joined #openstack-keystone11:59
*** leseb has quit IRC12:00
*** leseb has joined #openstack-keystone12:01
*** YorikSar_ is now known as YorikSar12:01
*** leseb has quit IRC12:05
openstackgerritA change was merged to openstack/python-keystoneclient: document that --pass can be required
openstackgerritA change was merged to openstack/python-keystoneclient: Generate module docs
openstackgerritA change was merged to openstack/python-keystoneclient: Fix doc build errors
*** dims has quit IRC12:18
*** dims has joined #openstack-keystone12:18
*** chandan_kumar has quit IRC12:21
*** ChanServ sets mode: +o dolphm12:43
*** leseb has joined #openstack-keystone12:54
*** pcargnel has joined #openstack-keystone12:59
*** lbragstad has quit IRC13:07
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Uses explicit imports for _
*** browne has joined #openstack-keystone13:15
*** dstanek has joined #openstack-keystone13:19
*** ayoung has joined #openstack-keystone13:20
*** YorikSar has quit IRC13:30
*** wchrisj has joined #openstack-keystone13:34
*** lbragstad has joined #openstack-keystone13:38
*** wchrisj has quit IRC13:39
*** YorikSar has joined #openstack-keystone13:46
*** bknudson has joined #openstack-keystone13:58
*** wchrisj has joined #openstack-keystone14:01
*** rwsu has joined #openstack-keystone14:07
*** stevemar has joined #openstack-keystone14:08
*** jraim has quit IRC14:11
*** jraim has joined #openstack-keystone14:11
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager
*** nkinder has joined #openstack-keystone14:17
henrynashayoung: hi14:24
ayounghey henrynash14:24
henrynashayoung: so do you think it should be in the manager of all entity types, or just the assignment14:25
ayounghenrynash, actually, it most needs to be in the identity manager]14:25
ayoungas it is most important not to be able to change a user's domain id14:26
ayoungbut same gos for project14:26
*** flaper87 has quit IRC14:26
ayoungany way that a role assignement could get flipped from one domain to another needs to be limited14:26
henrynashayoung: so I agree with that…and I did start implementing it in the manager….but as you say it is more complicated -14:26
ayounghenrynash, yeah,  just a TODO for now14:27
ayoungbut I don't want to lose that concept once it is checked in14:27
henrynashayoung: ok….I can imaging implementing it there once we make whatever changes we will do for multi-backend etc. as we;;14:27
ayounghenrynash, if you could give this one an +2+A  I'd appreciate it.  I am alomst willing to hit the +A myself, as morganfainberg_Z 's really reviewed it, just added a few adjustments14:29
ayoungbut doing it proper is always best, and it is an RC blocker14:29
henrynashayoung: was just looking at it14:29
*** flaper87|afk has joined #openstack-keystone14:31
*** flaper87|afk is now known as flaper8714:32
*** flaper87 has quit IRC14:32
*** flaper87 has joined #openstack-keystone14:32
henrynashayoung: any reason I should not approve rather than just +2 ?14:32
ayounghenrynash, please approve if you are willing to14:32
henrynashayoung: done14:33
openstackgerrithenry-nash proposed a change to openstack/keystone: Provide option to make domain_id immutable
*** ram5391 has joined #openstack-keystone14:45
ram5391Hi, I just deployed a new openstack installation via juju. I'm having trouble starting keystone due to a port conflict on the machine. Is the keystone service that juju deploys somehow separate from 'service keystone start'?14:53
ram5391any keystone command I give (with proper credentials) is met with a 504 "unable to communicate with identity service" issue14:54
ayoungram5391, might be port 500014:55
ayoungthat is the public port, but registered to somethuing else like Plug and play14:55
ayoung$ getent services 500014:56
ayoungcommplex-main         5000/tcp14:56
ayoungnot likely though ram539114:56
ayoungis it possible that you have two copies of Keystone running?14:56
ram5391ayoung: I suppose it is possible, but when I run a netstat command to find a pid, there is no pid associated with the 35357 or 5000 port14:57
ayoungram5391, are you only deploying Keystone on the box?14:57
ram5391ayoung, so my services are running \separately on their own vms, keystone has it's own vm, nova has its own etc. So on that vm, yes only keystone is deployed14:59
ram5391doing a ps aux reveals that avahi-daemon seems to be doing something with keystone15:00
*** thedodd has joined #openstack-keystone15:01
*** saju_m has quit IRC15:03
ram5391killing those instances of keystone doesn't seem to do anything though15:04
marekd <--- need another approval :-)15:06
marekd <- this should be easy for you guys as well...15:08
*** daneyon has joined #openstack-keystone15:13
*** daneyon has quit IRC15:13
*** daneyon has joined #openstack-keystone15:13
*** andreaf has joined #openstack-keystone15:14
henrynashdolphm: hi15:15
*** fabiog has joined #openstack-keystone15:15
dolphmhenrynash: o/15:15
dolphmmarekd: can you repeat your question here?15:16
henrynashdolphm: for, this has a new string in it…"Can't change Domain ID"…now we are past string freeze, so....15:16
henrynashdolphm: we could ask for an exception, or15:16
dolphmhenrynash: new strings are acceptable15:17
marekddolphm: yeah, sorry, wanted to do it here...15:17
henrynashdolphm: ok, in that case, fine!15:17
dolphmhenrynash: it's changing existing translated strings causes churn for the translation folks15:17
henrynashdolphm: ah, right15:17
marekdI  got that error when was playing with federated-apache when my browser was mimicing a client.15:18
marekd I think I tried to raise that - engines that build responses in XML doesn't really like variable  OS-FEDERATION:groups and make Keystone fail. Is it something that should really concern us?15:19
*** saju_m has joined #openstack-keystone15:21
bknudsonhenrynash: can you re-gen the sample config?
bknudsonI get a different result15:22
*** fabiog has quit IRC15:22
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked
dolphmmarekd: i assume you got a backtrace somewhere? what was it?15:27
dolphmmarekd: the convention of using EXT-PREFIX:namespaced_parameter came from XML in the first place15:28
*** david-lyle has joined #openstack-keystone15:28
bknudsonhenrynash: I can post an updated review with the fixed sample config file if you want15:28
marekddolphm: let me reprodice it once i am back from the meetingn and paste it, but IIRC it was something around lxml etc.15:29
henrynashbknudson: yep, just saw that…not sure what happened….let me resolve15:29
*** shakamunyi has quit IRC15:31
*** flaper87 is now known as flaper87|afk15:34
*** andreaf has quit IRC15:42
openstackgerritDolph Mathews proposed a change to openstack/keystone: Replace httplib.HTTPSConnection in ec2_token
dstanekwhen can we deprecate the XML interface?15:49
dolphmdstanek: it is deprecated, i believe15:49
ayoungdolphm, you sure we should do this
ayoungdefaulting to "secure"  I mean15:49
dstanekdolphm: really? i don't remember seeing that, but that would be great15:49
dolphmayoung: we've made this same changes in several places, breaking insecure https deployments15:50
dolphmayoung: so, yes -- in the name of improving security15:50
ayoungdolphm, sounds good.  So long as it is deliberate and we are willing to stand up for it.15:50
dolphmayoung: ++15:51
dstanekdolphm: ah, nice. i was poking about a serialization last week and didn't see anything there. makes much more sense to be in the middleware15:52
dolphmbknudson: the sample conf generator refuses to produce a fresh sample conf for me :-/15:54
bknudsondolphm: I can post it if you want15:54
*** andreaf has joined #openstack-keystone15:54
dolphmbknudson: please do; i'm trying to debug the generator in the mean time15:54
openstackgerritBrant Knudson proposed a change to openstack/keystone: Replace httplib.HTTPSConnection in ec2_token
dolphmbknudson: thanks!15:57
openstackgerritA change was merged to openstack/python-keystoneclient: Rely on OSLO.config
*** gyee has joined #openstack-keystone16:13
*** saju_m has quit IRC16:15
henrynashbknudson: do you know how the oslo stuff gets into the conffig file….do I need to separately make sure I have the latesest oslo  on my machine to avoid the config -> keystone.conf translation from getting out of sync?16:23
dolphmhenrynash: it pulls it from keystone's repo, so as long as you're rebased onto master you'll be fine16:24
bknudsonhenrynash: that could very well be the case... I've got oslo.config in /opt/stack/oslo.config.16:24
henrynashdolphm: hmm, so Ijust did that (rebased on master), ran fox and most of the oslo config options are different in my to that of master16:25
henrynash(ran tox, rather)16:25
bknudsonwhat does the tox say?16:25
bknudsonhenrynash: did you tox -r -e sample_config?16:25
henrynashbknduson: agh, not….that doesn't happen automatically?16:26
bknudsonhenrynash: rebuild your venv? I don't think it happens automatically... I just wind up doing it every once in a while16:26
bknudsonI also sometimes wipe out my local pip cache16:27
henrynashbknudson: yep, got it…sorry my mind hadn't caught up with my typing :-)16:27
henrynashbknudson: rebuilding...16:27
marekddolphm: the traceback looks something like:
*** henrynash has quit IRC16:37
dolphmmarekd: hmm, i wonder if we need to break it apart into "OS-FEDERATION": {"groups": ...}16:38
dolphmpete5: can you propose your patch for in gerrit?16:47
*** amcrn has joined #openstack-keystone16:49
*** marcoemorais has joined #openstack-keystone16:50
*** browne has quit IRC16:51
*** dstanek has quit IRC16:55
marekddolphm: "OS-FEDERATION: {"groups": [id, id, id]}" ?16:55
marekddolphm: not so sure, just another layer (dictionary) for keeping a list of ids.....16:57
marekdhow about changing the parameter name?16:57
marekddolphm: OS-FEDERATION_groups (i know its ugly....)16:57
*** browne has joined #openstack-keystone17:01
dolphmmarekd: this is in the token, correct?17:04
marekddolphm:yes, issuing unscoped thoken.17:04
dolphmmarekd: i'd rather not make a bunch of irrelevant changes17:04
dolphmmarekd: it's a list of objects, correct?17:04
dolphmmarekd: not a list of string IDs17:05
marekddolphm: list of string ids.17:05
dolphmmarekd: that's not what it says in the spec
marekddolphm: my bad, you are right, just checked the code.17:07
*** harlowja_away is now known as harlowja17:09
openstackgerritDolph Mathews proposed a change to openstack/identity-api: merge OS-FEDERATION objects together
dolphmmarekd: i'd suggest this
marekddolphm: dolphm ok17:10
marekddolphm: ok, let it be this way.17:10
dolphmmarekd: there's a bug number for this, correct?17:10
marekddolphm: not yet.17:10
marekddolphm: shall i file a bug and submit a patch for that?17:11
*** morganfainberg_Z is now known as morganfainberg17:14
dolphmmorganfainberg: /salute17:17
dolphmmarekd: please!17:17
morganfainbergdolphm, have a good weekend?17:18
marekddolphm: roger that17:18
dolphmmorganfainberg: until i inhaled dirt and spent the last few days coughing up dirt & blood17:18
morganfainbergdolphm, ick! well17:18
morganfainbergdolphm, sometimes hazards of being out having fun17:18
dolphmmorganfainberg: i was doing yard work :(17:19
bknudsonhire it out, man17:19
morganfainbergbknudson, ++17:19
ayoungok....What is the rationale for not putting anything in  Why do we have empty files of these all over the place with imports from  Seems messy17:27
morganfainbergayoung, the argument is more to be explicit about importing17:27
ayoungmorganfainberg, but, why would you niot put the public interface in that file?17:28
morganfainbergfrom blah import * is harder to understand/resolve/etc17:28
morganfainbergeven in __init__17:28
morganfainbergayoung, fair enough, usually you should have iirc an __all__ in there but nothing else unless there is legitimately something used for the module level namespace vs. submodule17:29
morganfainbergayoung, but tbh, i prefer from core import *17:29
morganfainbergayoung, i just understand the complaint against using that17:29
ayoungmorganfainberg, so, I have in contrib/revoke in the server.  I want to move it to client.  It needs to be modified slightly, but should still be recognizable17:29
ayoungso I want to put it in keystoneclient/v3/contrib/revoke/model.py17:29
morganfainbergayoung, ok surer17:30
ayoungbut there is a some main behavior for the client (fetch from server, front the trwee, etc)17:30
ayoungand I don't undertand why it would be wrong to put it in __init__.py17:30
ayoungI mean, other than "blindly following a rule"17:30
morganfainbergayoung, convention17:30
*** richm has joined #openstack-keystone17:31
morganfainbergayoung, there is nothing unpythonic about putting things in __init__17:31
ayoungWe treading on Emmersonian ground here?17:32
*** zhiyan is now known as zhiyan_17:32
dolphmbknudson: wishlist?
bknudsondolphm: could be... seems like a pretty obvious bug to me.17:33
bknudsondolphm: since user is supposed to allow description17:33
ayoungdolphm, why do users need description?  Most defy description17:33
ayoungExcept for descriptions you would get in trouble for recording anyway17:34
bknudsondolphm: the fix is -7 +317:34
morganfainbergayoung, i'd say put it in __init__ if it feels the right place, and fight that battle if someone complains17:34
bknudsondoensn't include the tests.17:34
ayoungmorganfainberg, except then I look like an idiot if I don't understand the rationale17:35
*** leseb has quit IRC17:35
morganfainbergayoung, this is going into keystoneclient?17:35
ayoungmorganfainberg, yeah.17:36
morganfainbergayoung, i have a good litmus test17:36
ayoungmorganfainberg, thing is, I can see that there is a client specific piece of code here, which makes it unsuitable for __init__17:36
ayoungIE,  it would not make sense if called from inside the keystone server....I think17:36
morganfainbergayoung, then make it a submodule17:36
ayoungwhere I think I am headed with this is that there is going to be 3 pieces17:36
morganfainbergayoung, and expect explicit import17:36
ayoungmodel, which is common17:36
ayoungclient fetch code (via JSON)  and server fetch code (via the backend)17:37
ayoungbut maybe I should move the model out of v3 then17:37
ayoungit makes no sense to have17:37
morganfainbergayoung, possibly17:37
morganfainbergayoung, if it is shared between v2 and v3, it should be shared in a common locaiton17:38
ayoungmorganfainberg, well, it is only v317:38
ayoungits shared between server and client17:38
ayoungor will be once it gets synced17:38
morganfainbergayoung, i think this is treading on difficult ground.17:38
ayoungmorganfainberg, yeah...I'm kindof going by feel here17:39
morganfainbergayoung, you can rationalize either option, pick the one that feels right and make a case for it, i don't think there is a wrong answer17:39
ayoungI need to make a minor extension to to deal with json marshalling.  Other than that, it should be a package rename only17:39
morganfainbergayoung, i wouldn't be opposed to either17:39
ayoungthere is a piece that needs to fit into the v3 client17:39
morganfainbergayoung, common or otherwise.17:39
ayoungIE  : here is how you fetch revocation events from the server17:39
morganfainbergayoung, but i would be inclined to put the model not in the client v3 specific path17:39
ayoungthe format of those events are failry v3 specific17:40
morganfainbergayoung, if i were to develop this17:40
ayoungso...there is a contrib submodule alread17:40
ayoungso I could put module into17:40
ayoungbut then there would be nopthing in in that directory17:41
ayoungbut naming the module would conflict with the v3 code, and make things less clear17:41
ayoungbknudson, so this is why there is no clear description field for users:
ayoungthat is the "base class" for users (lowest common denominator of LDAP object classes)17:44
dolphmcan we get one more +2 on ? brant and i contributed the last two patchsets17:44
ayoungexcpet that it turns out there is one in the superclass (even more simple than inet org person)
morganfainbergdolphm, so conversion to
ayoungright...that is where I was going17:45
bknudsonayoung: organizationalPerson is SUP person17:46
morganfainbergdolphm, vs urllib17:46
morganfainbergdolphm, LGTM +2/+A17:46
ayoungbknudson, I still don't see the rationale for a description field on Person17:46
*** marekd is now known as marekd|away17:46
ayoungbut, whatever, your patch is the right approach17:46
bknudsonupdate the spec then.17:46
ayoungbknudson, nah...too much water under the bridge.  Its obvisouly there in the LDAP world for some reason17:47
ayoungI( just don17:47
ayoung't understand the rationale....17:47
ayoungdolphm, sorry, was pretty sure I had +2ed your ec2 patch.17:48
ayoungsuspect bknudson where is the fix for  ass I coulda swore I saww it before?17:49
morganfainbergdolphm, isn't completed?17:51
morganfainbergi think henry already did that.17:51
bknudsonayoung: also
morganfainbergaha says complete17:52
morganfainbergjust wasn't tagged to the right milestone17:52
ayoungbknudson, how does that dfeal with 'description' ?17:52
morganfainbergdolphm, did you want that tagged to i3 where it was actually released?17:52
bknudsonayoung: if you have an extra_attribute_mapping with description it's ignored.17:52
dolphmmorganfainberg: removed the milestone assignment17:52
ayoungI saw something from nkinder or richm around description not long ago, but I thought it was due to use sending a blank and LDAOP chking on it17:53
bknudsonayoung: also, the search doesn't include any of the extra attributes, so description would not be included.17:53
morganfainbergdolphm, ++17:53
dolphmmorganfainberg: see the whiteboard and "Definition"17:53
nkinderayoung: yes, richm worked on a patch for that17:53
morganfainbergdolphm, aha i see it now17:53
bknudsonayoung: there is another "bug" where keystone is sending an empty string for description which LDAP is rejecting due to schema17:53
richmbknudson: my patch fixes that too17:53
bknudsonrichm: this is for projects/tenants?17:54
richmfor all ldap objects17:54
ayoungbknudson, my question is, if the bug you reported is true, how are we ever seing the descripotion even going back and forth17:54
bknudsonayoung: projects have description.17:54
ayoungbknudson, ah, so just a problem with users17:54
richmusers didn't have a "mandatory" description attribute in ldap - that's what my patch adds17:55
ayoungrichm, does your patch need to be brought back to life?17:55
richmby adding description to user_additional_attribute_mapping=description:description17:55
richmayoung: the patch is still active/current17:56
richmprobably needs a rebase17:56
richmbug 128267617:56
nkinderayoung: dolphm blocked it from icehouse for now17:57
ayoungnkinder, unly due to it not having a bug IIRC17:57
bknudsonrichm: how does your fix allow user_additional_attribute_mapping=description:description ?17:57
ayoung  is the heart of it, and the rest is just calling that function17:58
bknudsonbut 'description' isn't going to be allowed in extra attribute mapping.17:59
bknudsonfor users17:59
richmmy fix adds it - you recommended that this was the best way to add a "required" ldap attribute, rather than adding user_description_attribute17:59
ayoungbknudson, when you rebase that, add in a Fixes tag for bknudson 's but, plus any other bugs that it fixes.  I think it is important enough to get it in, and it really is bug fixes, not features17:59
*** tstevenson has joined #openstack-keystone17:59
richmbknudson: unless I misunderstood your review comment17:59
ayoungrichm, it also cleanly deals with empty descriptions, correct?17:59
richmon write - if an ldap attribute is none or empty, it will just remove the attribute from ldap - so that the ldap entry does not have that attribute anymore18:00
bknudsonrichm: the description mapping is just ignored anyways, because of
*** marcoemorais has quit IRC18:00
richmon read - if the entry does not have the attribute, but the ldap object -> keystone object mapping "requires" that property, the keystone object will get the property with a None value18:01
*** marcoemorais has joined #openstack-keystone18:01
*** marcoemorais has quit IRC18:01
*** marcoemorais has joined #openstack-keystone18:02
richmbknudson: I'm sorry - what should I be looking at in the above link?18:02
bknudsonrichm: self.attribute_mapping doesn't contain 'description' for user, so it'll print a warning and ignore it.18:02
*** Nathan255 has joined #openstack-keystone18:03
bknudsonrichm: is where attribute_mapping gets set.18:04
bknudsonrichm: is the attibute_options_names for users18:04
richmbknudson: right - and my previous patch had that18:04
richmbknudson: but you said that was not the way to do it - I can't find your review comment now18:05
ayoungdolphm, can we consider  for rc, please?18:05
richmbknudson: see
dolphmNathan255: o/18:06
dolphmayoung: looking18:06
bknudsonrichm: I see that...
richm"we've already got user_additional_attribute_mapping so we don't need to add all of these separately."18:06
bknudsonrichm: I thought that user_addition_attribute_mapping actually worked18:06
bknudsonwhy would it ignore an attribute like description?18:07
richmbut it is not known that it doesn't work, so I need to rework my patch?18:07
richmbut it is now known18:07
bknudsonrichm: the way it is now, it doesn't work, right? description is ignored anyways.18:07
bknudsonI assume you get a warning that it's ignored every time the server starts18:08
richmlet me check18:08
morganfainbergayoung, changing the default value. hmmm.18:09
bknudsonlet's not change the default at this point.18:09
morganfainbergbknudson, ++18:09
ayoungmorganfainberg, that will have no real effect except to enable description is the users actual put anything in there18:10
ayoungwhich is part of the API spec.18:11
ayoungI guess we could leave the default though,18:11
ayoungjust more to document.  Still not a reason to -2 though18:11
morganfainbergayoung, sure, i'm concerned about changing a default this late, but i am not seeing much else that would warrant a -2.18:12
*** henrynash has joined #openstack-keystone18:13
ayoungrichm, what would reseting the default value do?  NOt much, right?  I mean the patch would fix the bug.18:14
ayoungJust it would require a little more 'splainin to do18:14
openstackgerrithenry-nash proposed a change to openstack/keystone: Provide option to make domain_id immutable
*** leseb has joined #openstack-keystone18:18
morganfainberghenrynash, i think we need to look at inverting that option and make domain immutable for the reasons we discussed before (though that requires an exception and/or an ok to break that functionality)18:20
morganfainberghenrynash, i'll let you describe the reasoning if you're up to it (i think your description was a bit more clear than mine) - or do tyou want to wait till the meeting?18:21
dolphmreviews for two RC1-blockers
openstackgerritBrant Knudson proposed a change to openstack/keystone: Allow any attributes in mapping
openstackgerritBrant Knudson proposed a change to openstack/keystone: Include extra attributes in list results
henrynashmorganfainberg: perhaps what we do is get the patch in as is….and then at the meeting discuss flipping the option18:21
morganfainberghenrynash, hm. sure18:21
morganfainbergdolphm, the string one needs to use six18:22
morganfainbergdolphm, instead of isinstance(v, basestring)18:23
morganfainbergdolphm, want me to push a fix for that real quick?18:23
dolphmmorganfainberg: oh good catch18:23
dolphmmorganfainberg: sure18:23
morganfainbergdolphm, ok18:23
morganfainberggive me a moment to fix it18:23
dolphmmorganfainberg: i remember looking at that line of code and thinking "i haven't seen isinstance(..., basestring) in awhile" -- didn't consider why!18:24
morganfainbergdolphm, hehe18:24
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Filter out nonstring environment variables before rules mapping.
morganfainbergdolphm, ok other than that, lgtm18:27
dolphmstevemar: were you going to try and tackle this?
stevemardolphm, i addressed #118:28
dolphmmorganfainberg: marekd|away: +218:28
dolphmstevemar: but didn't reference this bug?18:29
stevemardolphm, but as i looked deeper into the other issues, they were larger than anticipated18:29
dolphmstevemar: 2 and 3 are actually tracked in another bug18:29
stevemardolphm, thought i did...18:29
dolphm4) i'd rather just link to
morganfainbergdolphm, +1'd will let another core do +2/+A (even though my fix is small) *pokes stevemar*18:31
dolphmstevemar: hmm... that should have worked, but next time use Partial-Bug: 128394318:31
stevemarmorganfainberg, reviewing it now18:31
morganfainbergdolphm, i understand python MRO so much better now =/ as jamielennox|away so eloquently stated, it's kind of looking into the abyss :P18:32
*** vhoward has left #openstack-keystone18:33
*** vhoward has joined #openstack-keystone18:33
stevemarmorganfainberg, looks good, waiting for jenkins to pass18:34
*** vhoward has left #openstack-keystone18:34
stevemardolphm, okay, partial it is18:34
stevemardolphm, marekd sent us an email a few days ago, i think there are still 2 federation bugs18:34
ayounghenrynash, +A18:35
dolphmstevemar: commented and untargeted from RC1
morganfainbergdolphm, other one (SQL common) +2/+A18:37
openstackgerritBrant Knudson proposed a change to openstack/keystone: Include extra attributes in list results
stevemardolphm, cool, agree with all of those, no need to do it now if it's not icehouse specific18:37
morganfainbergdolphm, any reason not to +A
dolphmstevemar: i'd be happy to see those changes land within icehouse, but don't want to block icehouse on it18:38
morganfainbergthat one has been fighting rebases a lot.18:38
dolphmmorganfainberg: i haven't looked at that patch since jan 6th, when I +2'd lol ... happy to see it land now18:39
morganfainbergit looks fine now, going to +2/+A it after a quick once-over18:39
stevemardolphm, for federation: and the one i emailed you about, i'll open a bug soon18:40
dolphmmorganfainberg: i'll race you18:40
morganfainbergdolphm, i cheated, i didn't ask until i was over ½ way done18:41
dolphmmorganfainberg: i had already started too18:41
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance tests for user extra attribute mapping
openstackgerritBrant Knudson proposed a change to openstack/keystone: Allow any attributes in mapping
openstackgerritBrant Knudson proposed a change to openstack/keystone: Include extra attributes in list results
bknudsonthose are the changes for ^18:53
bknudsonI'll propose a change to devstack to set user_additional_attributes=description:description18:53
*** arunkant has joined #openstack-keystone18:57
*** marcoemorais has quit IRC18:59
stevemarayoung, ping19:03
* ayoung slaps stevemar with a wet noddle19:03
ayoungand yes, noddle, not noodle19:04
ayoungbecvause I cantt typoe19:04
stevemarayoung, oh yeah, forgot you hate ping requests19:04
ayoungstevemar, plus I am always here19:04
stevemarayoung, way back when, marekd|away had proposed a separate url for federation auth requests19:04
bknudsonI thought we had a separate url?19:04
stevemarayoung, stating that the apache mod couldn't handle both normal requests and saml requests19:05
ayoungit was more than an url;19:05
ayoungit was a whole separate controller19:05
stevemarbknudson, it goes to /auth/tokens19:05
bknudsonbtw - apache auth can't handle /v3/auth/tokens.19:05
stevemarayoung, correct19:05
ayoungand I said "do it in a separate url if you need, but use the same controller"19:05
*** leseb has quit IRC19:05
bknudsonwe should have a separate url for POST /v3/auth/tokens19:05
bknudsonor just external auth maybe19:06
*** marcoemorais has joined #openstack-keystone19:06
stevemarayoung, 'More19:07
stevemarreasonable to modify the file in keystone/httpd to mount the SAML19:07
stevemarprotected Keystone under a different suburl.'19:07
stevemarayoung, do you have any more info on the kind of changes that would be needed?19:11
ayoungstevemar, it is all httpd config as far as I can tell.  It might require unforeseen code changes, but I don't think so19:12
ayoungyou need to tell apache "mount this wsgi app under this URL"19:12
ayoungand also19:12
ayoung"protect this URL with mod_auth_saml" or mellon or whatnot19:13
ayoungstevemar,  would get another script alias ,say19:15
ayoungWSGIScriptAlias /keystone/saml /var/www/cgi-bin/keystone/main19:16
ayoungand then also19:16
ayoungA segment like <Location "/keystone/saml">19:16
ayoungwith AuthType SAML or however that gets configured19:17
stevemarmarekd|away, ^^^^19:19
*** finite has joined #openstack-keystone19:20
ayoungstevemar, TBH, this is pretty basic HTTPD conf stuff, of which I am hardly an expert.19:21
*** leseb has joined #openstack-keystone19:22
*** gokrokve has joined #openstack-keystone19:27
*** marekd|away is now known as marekd19:29
*** topol has joined #openstack-keystone19:29
marekdstevemar: ayoung  i used sth like this for my internal setup...didn't really are whether the uri is 'good'.19:30
ayoungmarekd, if it works, it is good19:31
ayoungI loves me some snakeoil19:31
marekdayoung: yes, but ofc a client who wants unscoped token cannot go to /v3/auth/tokens.19:31
ayoung ofc?19:32
marekdof course19:32
marekdayoung: if that's what you are asking about :-)19:33
ayoungmarekd, ofc it was19:33
ayoungmarekd, when you say " a client who wants unscoped token" why is that?  Because the token scope is deduced from the SAML doc?19:34
marekdayoung: for the same reason you were proposing another <Location> in the keystone.conf file.. ? you mark in the apache/shib conf /auth/token as 'protected', you require valid saml session...if you protect /auth/tokens then no other auth methods will work..19:35
marekdayoung: apache doesn't care about the content, it cares about valid saml2 session per url.19:36
ayoungmarekd, so mount it twice19:36
ayoungURLs are cheap19:36
ayoungso you don't mean unscoped19:37
marekdayoung: mount the controller you mean?19:37
ayoungyou mean authenticated by something other than saml, right?19:37
marekdayoung: no, i mean: if I want to authn myself via federation i should not touch /v3/auth/tokens, i rather should go to /v3/OS-FEDERATION/whatever19:38
ayoungmarekd, sure.19:38
marekdayoung: ok, so we are on the same page.19:38
marekdayoung: i have setup my own federated-apache and used browser as a client.19:39
ayoungmarekd, yep, playing the same tune, and even on the same beat19:39
marekdi used as a publicly reference idp19:40
marekdso everybody can use it..19:40
ayoungsounds about right19:40
marekdalso needed my internal hack, but who cares - i wanted to make it work and see whether the cores stuff works as expected.19:41
ayoung"internal hack" being what marekd ?19:42
marekdwhen you use browser, you are redirected from idp to the sp (keystone) with a GET method.19:42
marekdayoung: ^^19:43
ayoungmarekd, so...that implies that we would at some point add a UI to Keystone?19:43
marekdUI you mean?19:44
ayoungmarekd, at least something that can handle direct web traffic19:47
marekdayoung: i think requests can do that? besides there are two stories. I think when you play ECP stuff you can control what you are sending and how, but i didn't have too much time to play with that. this is on my list starting Tuesday/Wednesday.19:48
ayoungmarekd, sounds cool.  I was thinking more interms of "SAML to Horizon, users gerts reduirected to the i SAML IDP, and then to Keystone to pick up the token data."  or some such none-sense19:49
marekdayoung: this sounds fine, but honestly i don't see federation as a usable solution if one can use it only from a horizon level...;/19:50
ayoungmarekd, agreed19:51
marekdayoung: there is a proof of concept that somebody wrote in Java that can authn against ADFS2.019:51
*** dstanek has joined #openstack-keystone19:52
marekdi am about to work on that and rewrite into Python. Later we cantry bake this into keystoneclient.19:52
marekds/cantry/can try/19:52
*** leseb has quit IRC19:53
marekdalready did some research, know some people who can help, as some MS classes are close-sourced and does this very important magic i cannot figure out :-)19:53
*** Nathan255 has quit IRC19:57
*** ram5391 has quit IRC19:59
marekdmorganfainberg: hi, thanks for patching . just curious, the only reason for pushing into six library is 2to3 compatilibity, nothing more, right?19:59
morganfainbergmarekd, np19:59
morganfainbergmarekd, yeah20:00
morganfainbergmarekd, the hope is when eventlet stops breaking py33, it'll be minimal work to get us to py33 compat20:00
marekdmorganfainberg: ok, understood.20:00
morganfainbergmarekd, same reason we now use "except Exception as e" instead of "except Exception, e"20:01
morganfainbergmarekd, one is py33 friendly, the other is not20:01
marekdmorganfainberg: ACK.20:01
marekdmorganfainberg: i might be mixing something, but are there any plans to remove eventlet in favour of something 'better' ?20:03
marekdmorganfainberg: utilizing threads...20:03
morganfainbergthat is a bigger conversation20:03
marekdmorganfainberg: i can imagine that :-)20:03
morganfainbergi don't know of any explicit plans yet, we've all talked about things.20:03
morganfainbergalso, threads in python suck to use :P20:03
morganfainbergyay GIL20:03
marekdmorganfainberg: hehe20:04
dstanekmorganfainberg: hiya20:04
morganfainbergdstanek, oh hai20:04
marekdmorganfainberg: hm, long story short any libs replacing eventlet or some 'design pattern'  - names, links?20:04
morganfainbergmarekd, there has been some ML traffic20:04
dstanekmorganfainberg: going through bugs and was that your review is actually a fix for
morganfainbergmarekd, but i don't know of anything specific.20:05
marekdmorganfainberg: ok, will look into that.20:05
morganfainbergdstanek, LOL sure20:05
dstanekoops wrong link i think20:05
morganfainbergdstanek, nah20:05
morganfainbergdstanek, same concept, different approach20:05
morganfainbergdstanek, you had the right links20:05
morganfainbergi'm happy to go with either solution20:06
dstanekmorganfainberg: i like yours20:06
morganfainbergdstanek, ayoung proposed the ENV vars, I didn't see your take on it20:06
morganfainbergdstanek, so i think we need to get a closes-bug line in there20:06
dstaneki was just about to rebase mine on master and i decided to rebase on your changes20:07
dstanekbut you already have it done20:07
ayoungmorganfainberg, cuz I am heads down working on the client side of revocation events and trying to ignore the world.20:07
morganfainbergayoung, keep at it, was just saying you proposed an idea.20:07
morganfainbergdstanek, :)20:07
morganfainbergdstanek, want me to toss the closes-bug on that review then?20:08
morganfainbergdstanek, and you can re-review the change chain20:08
dstanekmorganfainberg: sure, that sounds good to me20:09
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV
morganfainbergdstanek, done.20:10
*** derek_c has joined #openstack-keystone20:11
dstanekmorganfainberg: thanks!20:12
openstackgerritMarek Denis proposed a change to openstack/keystone: Filter SAML2 assertion parameters with certain prefix.
marekdstevemar: tox -e sample_config ^^20:13
morganfainbergmarekd, ++20:13
stevemarthx marekd20:13
marekdstevemar: morganfainberg  once it passes the tests (hopefully), please lean over that patchset :)20:15
marekdgotta run, should be back in 2-3 hours.20:17
morganfainbergdolphm, do we want an RC bug saying "make sure sample_config is up to date, this should be the last bug before we are ready to cut RC"?20:17
*** marekd is now known as marekd|bbl20:17
morganfainbergdolphm, we could do that each milestone instead of trying to keep things in sync and merge "fun" associated with it.20:17
dolphmmorganfainberg: worth trying20:18
morganfainbergdolphm, i'll do that for RC, if we like it... we can keep doing it20:18
dolphmmorganfainberg: and no reason not to20:18
morganfainbergdolphm, leaving it unassigned for now.20:20
morganfainbergunless you want me to assign it to you / me20:20
morganfainbergor i guess i could assign it to drivers.20:20
morganfainbergstevemar, ayoung, bknudson, gyee, henrynash, jamielennox|away, dolphm, dstanek, lbragstad, - don't worry about sample.config updates for patches going into RC (if they have them it's fine) but we're going to try and do a sync as the last bug in RC.20:24
stevemarmorganfainberg, yes, that would be helpful20:24
gyeemorganfainberg, wonder if we can gate this20:25
ayoungmorganfainberg, ++20:25
gyeemeaning auto detect any config changes20:25
morganfainberggyee, i am working on getting a check job that says "we are out of date"20:25
gyeemorganfainberg, nice!20:25
*** derek_c has quit IRC20:25
morganfainberggyee, it will be non-voting20:26
morganfainberggyee, just a "oh hay it's out of date"20:26
gyeewhy non-voting?20:26
morganfainberggyee, second, in Juno (probably middle/latter half) sample configs will hopefully be generated at release cut time and in doc runs20:26
bknudsongyee: it kept breaking when oslo libraries would change under us.20:26
morganfainberggyee, because it breaks the gate if a dependent library (oslo.messaging) changes opts20:26
gyeeoh bloody20:27
morganfainberggyee, yeah20:27
morganfainberggyee, the real solution being generate sample on demand (docs / release) not any other time20:27
morganfainberginitially i proposed a periodic like translations bug no one liked that20:27
dstanekmorganfainberg: i like the on demand approach20:28
morganfainbergso do i, but it's a bit of work to get there20:29
dstanekmorganfainberg: is there anything we can do in our code that could break the generation process that we should gate on?20:29
morganfainbergso lets stop-gap and make sure we're aware when we're out of sync20:29
morganfainbergwhen we get there, i think we will know more20:29
morganfainbergdstanek, probably nothing that wouldn't break docs20:29
morganfainbergdstanek, but we could make part of the doc build to ensure we actually built the sample20:30
morganfainbergdstanek, and fail if the sample doesn't build20:30
morganfainbergdstanek, going to circle back on that in Juno for sure.20:30
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager
morganfainbergalso working on getting a patch into tox so we can do optional things based upon env vars (e.g. the subunit thing, --failing, etc)20:32
morganfainbergdstanek, hg makes me cry though :(20:32
* morganfainberg likes git + gerrit workflows20:32
richmbknudson: you said "it doesn't work, right?" - is there a particular test/test suite that I should be running?  With my fix, both the live ldap tests pass, and tox -e py27 passes - or is the problem that we don't have an appropriate test for this?20:37
*** derek_c has joined #openstack-keystone20:39
openstackgerritA change was merged to openstack/keystone: Don't automatically enable revocation events.
*** harlowja is now known as harlowja_away20:44
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Clean up naming to match  new conventions
dstanekmorganfainberg: was _ldap_skip_live left on on accident?
morganfainbergdstanek, so it was.20:51
morganfainbergoh wait no20:51
morganfainbergthat is wrong, it should call _ldap_skip_live20:51
morganfainbergbecause the TLS version inherits20:51
morganfainberggood catch20:52
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV
morganfainbergdstanek, fixed.20:53
dstanekmorganfainberg: lgtm, thanks!20:55
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: add pooling for cache references
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: add pooling for cache references
*** leseb has joined #openstack-keystone21:01
*** topol has quit IRC21:01
bknudsonrichm: I submitted a change to add a test --
bknudsonrichm: I don't think we would have a test that says description doesn't work as a mapping.21:03
bknudsonmorganfainberg: I wasn't able to recreate the problem described in the bug for
bknudsonmorganfainberg: I submitted a tempest test...21:05
*** derek_c has quit IRC21:07
morganfainbergbknudson, hm.. i'll get my coworker to chase down exactly what horizon was doing21:10
morganfainbergbknudson, oh, UUID tokens21:10
bknudsonmorganfainberg: it only affects UUID?21:10
morganfainbergbknudson, well it would affect anything that is asking keystone for a validate on a token21:10
morganfainbergbknudson, let me look at your tempest check21:11
bknudsonmorganfainberg: these tests are going directly to keystone21:11
bknudsonsince it's using unscoped token21:11
morganfainbergyeah let me look.21:11
morganfainbergthe case was nova was rejecting a UUID token as invalid21:11
morganfainbergbut in theory it would also affect keystone actions uuid or pki21:12
* dolphm is really happy with what entered the gate today :D21:13
* dolphm wanders off to find a beer21:13
morganfainbergbknudson, i think there is a missing step somewhere in here21:14
bknudsonmorganfainberg: so keystone had it in revoked tokens but it was still valid?21:15
bknudsonnot sure how that would happen since revoked tokens is generated from db query21:15
morganfainbergbknudson, well not in revoked tokens, it was matching a revoke event21:15
*** rwsu has quit IRC21:16
morganfainbergbknudson, and because revoke_api was loaded by default, it was gating validity of the tokens as well21:16
morganfainbergbknudson, revocation_list had nothing to do with it21:16
morganfainbergbknudson, to nail down the process i'll need to run this test against an unpatched version of keystone (i'll do it locally)21:16
morganfainbergsince we just merged the fix making revoke_api actually optional21:17
bknudsonmorganfainberg: I was hoping it would show the failure and then we'd fix it... but for some reason no failure21:17
morganfainbergbknudson, it was a headache to make the unit test work properly, it's a narrow scope21:18
morganfainbergbknudson, i'll see what i can turn up over the next couple days21:18
morganfainbergbknudson, hopefully i can force a failure to occur21:18
bknudsontempest seems to be a little short on keystone tests in general21:19
morganfainbergbknudson, yeah21:19
*** topol has joined #openstack-keystone21:19
morganfainbergwe have good coverage with our unit tests!21:19
bknudsonI just added the test for getting a token from unscoped21:19
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove duplication when picking test config files
*** finite has quit IRC21:29
*** rwsu has joined #openstack-keystone21:31
morganfainbergbknudson, mind seeing if that is still relevant with ?21:33
morganfainbergbknudson, if so, rebase on that.21:33
morganfainbergbknudson, or let me know so i can fix that review.21:33
*** nkinder has quit IRC21:34
*** topol has quit IRC21:36
*** topol has joined #openstack-keystone21:40
richmbknudson: ok - yes, keystone complains about Invalid additional attribute mapping21:47
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager
*** pcargnel has quit IRC21:53
*** topol has quit IRC22:00
openstackgerritA change was merged to openstack/keystone: Replace httplib.HTTPSConnection in ec2_token
*** jamielennox|away is now known as jamielennox22:03
*** david-lyle has quit IRC22:04
*** wchrisj has quit IRC22:05
*** lbragstad has quit IRC22:05
*** thedodd has quit IRC22:08
*** harlowja_away is now known as harlowja22:17
*** nkinder has joined #openstack-keystone22:30
*** ravikumar_hp has joined #openstack-keystone22:33
ravikumar_hpone question: -  when Keystone V2 APi will be deprecated ? Not in Icehouse release Right?22:36
*** leseb has quit IRC22:37
*** leseb has joined #openstack-keystone22:37
bknudsonravikumar_hp: it's deprecated in icehouse22:38
*** marekd|bbl is now known as marekd22:38
morganfainbergravikumar_hp, it'll be available and supported until K release22:39
*** openstackgerrit has quit IRC22:39
morganfainbergravikumar_hp, but it is officially deprecated as of Icehouse22:39
*** openstackgerrit has joined #openstack-keystone22:39
*** leseb has quit IRC22:42
*** browne has quit IRC22:49
*** andreaf has quit IRC22:50
*** leseb has joined #openstack-keystone22:54
*** bvandenh has quit IRC22:56
*** stevemar has quit IRC23:02
bknudsonthis test assumes that the order of the fields in a dict is fixed.23:11
*** derek_c has joined #openstack-keystone23:20
*** dims has quit IRC23:24
*** leseb has quit IRC23:31
*** henrynash has quit IRC23:32
morganfainbergbknudson, awesome.23:38
bknudsonmorganfainberg: it was actually easy to fix... used response body rather than response json.23:38
morganfainbergsounds good.23:38
bknudsonkind of surprising that it's worked all this time.23:38
*** bknudson has quit IRC23:39
*** dims has joined #openstack-keystone23:39
*** ravikumar_hp has quit IRC23:47
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Uses explicit imports for _

Generated by 2.14.0 by Marius Gedminas - find it at!