dolphm | derek_c: it doesn't really matter where the code lives (although contrib is appropriate) -- you just need to reference it in your paste file (keystone.paste.ini) | 00:00 |
---|---|---|
dolphm | in etc/ | 00:00 |
dolphm | derek_c: and put it into your wsgi pipeline(s) wherever appropriate | 00:00 |
derek_c | dolphm: great, I will give it a try. thanks! | 00:02 |
*** elmiko_afk is now known as elmiko | 00:10 | |
nkinder | bknudson: I just added two minor comments to https://review.openstack.org/#/c/80401/ | 00:19 |
nkinder | bknudson: I'm fine if you choose not to address them. | 00:20 |
nkinder | bknudson: the way the tests hash the tokens just seemed odd to me at first | 00:21 |
nkinder | bknudson: it sounds like you may be changing the approach anyway given your discussion with dolphm above | 00:24 |
*** RockKuo has joined #openstack-keystone | 00:28 | |
*** RockKuo_ has joined #openstack-keystone | 00:28 | |
*** RockKuo_ has quit IRC | 00:28 | |
*** browne has quit IRC | 00:29 | |
*** dims has joined #openstack-keystone | 00:32 | |
ayoung | jamielennox, so...to solve the race condition, I thought the solution before was to do an atomic write of the files, right? That should still be the case | 00:34 |
ayoung | what is different this time around | 00:36 |
*** andreaf has quit IRC | 00:37 | |
ayoung | ah...we don't do that for the token revocation list... dolphm ? | 00:37 |
*** lbragstad has joined #openstack-keystone | 00:38 | |
ayoung | no, we do atomic write for TRL, but verify it using the certificates which have not been fetched yet... | 00:38 |
ayoung | TRACE keystoneclient.middleware.auth_token File "/opt/stack/new/python-keystoneclient/keystoneclient/middleware/auth_token.py", line 1275, in verify_signed_token that is not what I have in my repo...maybe an old keystone client? | 00:41 |
ayoung | dolphm, we don't keep a tag on the last release python-keystoneclient? | 00:42 |
bknudson | nkinder: if I keep that code around then I'll look at making that change. | 00:42 |
ayoung | dolphm, I think that the problem with the race condition is an old version of python-keystoneclient | 00:45 |
ayoung | ah...disregard, that was the old log from an old bug report | 00:46 |
*** wchrisj has quit IRC | 00:50 | |
*** elmiko has quit IRC | 00:51 | |
dstanek | we have some tests that make sure that the domain name unique constraint is case insensitive. is that the expectation of the operators or is that just an artifact of our dev environment? | 00:52 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Hash functions support different hash algorithms https://review.openstack.org/86202 | 00:55 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Support token hash algorithm https://review.openstack.org/80398 | 00:55 |
*** wchrisj has joined #openstack-keystone | 01:09 | |
ayoung | nkinder, check me on this: http://logs.openstack.org/34/81834/8/check/check-tempest-dsvm-neutron-heat-slow/0976a2d/logs/screen-h-api.txt.gz#_2014-04-08_13_26_47_942 shows | 01:18 |
ayoung | raise exceptions.CertificateConfigError(err) | 01:18 |
ayoung | that should be raised by common/cms.py and caught in auth_token middleware | 01:19 |
ayoung | I'll link | 01:19 |
ayoung | https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1209 | 01:20 |
*** wchrisj has quit IRC | 01:20 | |
ayoung | it's like it is not matching the exception | 01:20 |
ayoung | both are doing from keystoneclient import exceptions | 01:22 |
ayoung | raise exceptions.CertificateConfigError(err) on the cms side | 01:23 |
ayoung | except exceptions.CertificateConfigError as err: on the middleware | 01:23 |
*** ilives has joined #openstack-keystone | 01:24 | |
nkinder | ayoung: being called to dinner. Will check afterwards | 01:24 |
ayoung | nkinder, thanks... | 01:24 |
ayoung | dolphm, I don't think that http://logs.openstack.org/34/81834/8/check/check-tempest-dsvm-neutron-heat-slow/0976a2d/logs/screen-h-api.txt.gz#_2014-04-08_13_26_47_942 is the race condition. I think it is a different bug | 01:25 |
ayoung | dstanek, check me on this: http://logs.openstack.org/34/81834/8/check/check-tempest-dsvm-neutron-heat-slow/0976a2d/logs/screen-h-api.txt.gz#_2014-04-08_13_26_47_942 shows a raise of an exception at https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py#L134 that should be caught at https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1211 but it is not | 01:29 |
ayoung | https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1211 was that last link | 01:30 |
jamielennox | ayoung: anything i can help with? | 01:30 |
ayoung | it's like Python Class matching got broken | 01:30 |
ayoung | jamielennox, sure. Anyone | 01:30 |
ayoung | jamielennox, see the above | 01:30 |
jamielennox | i haven't been following | 01:30 |
ayoung | jamielennox, it's not a race condition | 01:30 |
ayoung | it's a failed exception handle | 01:30 |
jamielennox | there was a change to exceptions overnight | 01:30 |
jamielennox | they were moved into openstack.common.apiclient | 01:31 |
jamielennox | but they should be compatible | 01:31 |
ayoung | jamielennox, so an exception thrown from one piece of code is not caught by another | 01:31 |
ayoung | thrown https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py#L134 | 01:31 |
ayoung | caught https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1211 | 01:31 |
ayoung | stack trace showing that not happening http://logs.openstack.org/34/81834/8/check/check-tempest-dsvm-neutron-heat-slow/0976a2d/logs/screen-h-api.txt.gz#_2014-04-08_13_26_47_942 | 01:32 |
ayoung | jamielennox, one piece of code is out of sync with the other? | 01:32 |
*** richm has quit IRC | 01:32 | |
jamielennox | that is.. weird | 01:34 |
ayoung | jamielennox, so let me see the change | 01:35 |
jamielennox | ayoung: it shouldn't matter cause they are explicitly throwing the same thing | 01:35 |
ayoung | jamielennox, yeah. | 01:35 |
jamielennox | i thought it might have been some HTTP error edge case | 01:35 |
jamielennox | i can't think of even a race condition that would be a problem with that | 01:37 |
ayoung | jamielennox, It might be an older change. I think they said they've been seeing this problem since the 31st or so | 01:37 |
ayoung | but the two logs on the bug report are both post that merge | 01:39 |
jamielennox | ayoung: yea, but it's not one of the exceptions that was moved | 01:40 |
ayoung | jamielennox, yeah | 01:40 |
jamielennox | obviously it's not reproducible | 01:42 |
*** gokrokve has joined #openstack-keystone | 01:42 | |
jamielennox | ayoung: oh, that makes sense | 01:42 |
jamielennox | line 1211 | 01:43 |
jamielennox | it's being re-raised | 01:43 |
jamielennox | so it is a race | 01:43 |
jamielennox | it does a verify and the files are missing | 01:43 |
jamielennox | something else is downloading them | 01:43 |
jamielennox | it checks to see if signing missing - nope it's there now | 01:43 |
jamielennox | it checks to see if cert_file is missing - nope, that's there as well | 01:44 |
ayoung | AHA! | 01:44 |
ayoung | yep | 01:44 |
jamielennox | prints the CMS verify output then re-raises | 01:44 |
jamielennox | ayoung: ages ago i had an object that did this downloading stuff | 01:45 |
jamielennox | i don't think it ever got through review | 01:45 |
ayoung | OK...wonder that we never saw this before. | 01:46 |
ayoung | like most bugs it goes from "why is this broken" to "how did this ever work?" | 01:46 |
jamielennox | https://review.openstack.org/#/c/38763/13/keystoneclient/utils.py | 01:47 |
jamielennox | have a look at FetchableFile in there | 01:47 |
jamielennox | so maybe if we do a check for an object rather than a file, and let the object do things on __init__ | 01:47 |
jamielennox | then you can essentially use the presence of the object as a lock | 01:47 |
ayoung | that is too big a fix for this, though. | 01:48 |
jamielennox | yea, guess so | 01:48 |
ayoung | my code is incorrectly reporting an error when all is well. | 01:49 |
jamielennox | the existing stuff you mean? | 01:49 |
ayoung | we need to correctly ID the error, and match the solution to the problem | 01:49 |
ayoung | yeah | 01:49 |
jamielennox | no, it's right most of the time | 01:49 |
ayoung | now, we could drop the "raise" at the end. But that would put us in an endless loop if the exception comes for some other reason | 01:50 |
jamielennox | which would be the majority of cases | 01:50 |
ayoung | what if we allow it to run through once? | 01:51 |
ayoung | at line 1220 something like | 01:51 |
jamielennox | it's hacky | 01:51 |
ayoung | if (not rechecked) : rechecked = True continue | 01:51 |
ayoung | agreed. And we can do a more elegant solution like you proposed once we have some breathing room | 01:52 |
jamielennox | we could just put in a lock | 01:54 |
ayoung | where? | 01:54 |
ayoung | in the exception block? | 01:54 |
jamielennox | http://eventlet.net/doc/modules/event.html | 01:54 |
ayoung | but this is not eventlet specific code | 01:54 |
jamielennox | signing_cert = signing_cert_evt.wait() | 01:55 |
jamielennox | meh event is wrong | 01:55 |
jamielennox | ayoung: it's only going to occur on eventlet though right? | 01:55 |
ayoung | nope | 01:56 |
jamielennox | ayoung: no - because they are writing to the same place | 01:56 |
jamielennox | damn | 01:56 |
ayoung | this is a multi threading issue for anything | 01:56 |
jamielennox | hmm, we could download per pid but that's not nice | 01:57 |
jamielennox | http://pythonhosted.org//lockfile/lockfile.html is in the global requirements | 01:59 |
jamielennox | i don't think the intention is you lock the file you are writing to | 01:59 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with sha256 https://review.openstack.org/86206 | 01:59 |
jamielennox | but you could use a temp | 01:59 |
jamielennox | at least to solve the immediate problem | 02:00 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with sha256 https://review.openstack.org/80398 | 02:00 |
*** marcoemorais has quit IRC | 02:01 | |
bknudson | dolphm: ^ checks with both md5 and sha256 | 02:02 |
ayoung | bknudson, interesting | 02:02 |
bknudson | ayoung: dolphm suggested it. seems to work | 02:03 |
ayoung | bknudson, people are really bothered by this MD5 thing, huh? | 02:03 |
ayoung | I mean, I understand it. It's just not really an issue here. | 02:03 |
ayoung | But...yeah | 02:03 |
*** browne has joined #openstack-keystone | 02:05 | |
ayoung | bknudson, yeah, it makes sense....and it is very elegant | 02:06 |
bknudson | ayoung: one enhancement is to add an option to skip the md5. | 02:06 |
ayoung | favor sha256 cuz that is what we are going with long term...drop md5 over time....is there a possibility of sha256 getting the wrong token? | 02:06 |
ayoung | like, keystone is using md5, but sha256 matches? | 02:07 |
bknudson | sha256 is longer | 02:07 |
derek_c | dolphm: I added my module to keystone-paste.ini but am now getting this error: No section 'tfa_extension' (prefixed by 'app' or 'application' or 'composite' or 'composit' or 'pipeline' or 'filter-app') found in config /etc/keystone/keystone-paste.ini | 02:08 |
derek_c | I tried to do it exactly the same way as the ec2 module | 02:08 |
*** mberlin1 has joined #openstack-keystone | 02:08 | |
derek_c | so not sure what I'm supposed to add here | 02:08 |
*** mberlin has quit IRC | 02:08 | |
bknudson | ayoung: do you mean a hash collision? that could happen with 2 tokens with md5, too. | 02:08 |
ayoung | bknudson, yep. | 02:09 |
*** zhiyan is now known as zhiyan_ | 02:11 | |
*** zhiyan_ is now known as zhiyan | 02:12 | |
derek_c | does anyone know the correct way to modify keystone-paste.ini in order to enable your own API extensions? | 02:13 |
bknudson | derek_c: you need to define the filter and then add it to the pipeline | 02:14 |
derek_c | bknudson: I think I did that, yeah | 02:15 |
derek_c | bknudson: http://upl.io/zb1vt1 | 02:15 |
derek_c | "tfa_extension" is the extension I'm trying to add | 02:15 |
derek_c | getting this error when trying to run keystone though: error: No section 'tfa_extension' (prefixed by 'app' or 'application' or 'composite' or 'composit' or 'pipeline' or 'filter-app') found in config /etc/keystone/keystone-paste.ini | 02:16 |
ayoung | derek_c, I think you want it before admin_service | 02:16 |
bknudson | derek_c: it might be because it's the last one in the list. | 02:17 |
ayoung | jamielennox, tox is still running, but I think I am going to submit my hack | 02:17 |
derek_c | why does the order matter? | 02:18 |
bknudson | derek_c: http://pythonpaste.org/deploy/#filter-composition | 02:19 |
bknudson | "pipeline is a list of filters ended by an application" | 02:19 |
*** gyee has quit IRC | 02:47 | |
derek_c | I see. thanks guys! | 02:55 |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: once more into the breach, good friends https://review.openstack.org/86212 | 03:01 |
ayoung | bknudson, ^^ is quite possibly the ugliest code I have written this week. | 03:01 |
*** harlowja is now known as harlowja_away | 03:12 | |
dstanek | ayoung: are you still having that issue? | 03:16 |
*** Guest_ has joined #openstack-keystone | 03:16 | |
*** david-lyle has joined #openstack-keystone | 03:18 | |
derek_c | I'm trying to PATCH something from openstackclient; however the HTTP request apparently doesn't have context['token_id'] with it, resulting in a key error on the server side. How do I make sure the token_id is part of the request? | 03:19 |
dstanek | ayoung: that exception is getting re-raised https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1221 | 03:22 |
*** stevemar has joined #openstack-keystone | 03:22 | |
*** amcrn has quit IRC | 03:30 | |
derek_c | ah, apparently my request does have "X-Auth-Token" | 03:31 |
derek_c | but for some reason, the "context" object does not contain a 'token_id' field, but only a 'X-Auth-Token' field | 03:32 |
derek_c | does anyone know why this could happen? | 03:32 |
derek_c | oh!! | 03:32 |
derek_c | I see, it's the order of the middleware that is wrong | 03:33 |
derek_c | it seems like unstack and then rejoin-stack is not enough to make use of a new keystone-paste.ini? | 03:36 |
*** mjfork has quit IRC | 03:40 | |
*** chandan_kumar has joined #openstack-keystone | 04:04 | |
*** zhiyan is now known as zhiyan_ | 04:06 | |
*** topol has joined #openstack-keystone | 04:06 | |
*** sld has left #openstack-keystone | 04:35 | |
*** wchrisj has joined #openstack-keystone | 04:37 | |
*** wchrisj has quit IRC | 04:52 | |
*** chandan_kumar has quit IRC | 05:00 | |
*** henrynash_ has joined #openstack-keystone | 05:06 | |
*** chandan_kumar has joined #openstack-keystone | 05:14 | |
*** marcoemorais has joined #openstack-keystone | 05:24 | |
*** marcoemorais1 has joined #openstack-keystone | 05:26 | |
*** marcoemorais has quit IRC | 05:28 | |
*** zhiyan_ is now known as zhiyan | 05:31 | |
*** gokrokve has quit IRC | 05:32 | |
*** stevemar has quit IRC | 05:43 | |
*** gokrokve_ has joined #openstack-keystone | 05:44 | |
*** topol has quit IRC | 05:54 | |
*** henrynash_ has quit IRC | 05:55 | |
openstackgerrit | Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/83955 | 06:01 |
*** Guest_ has quit IRC | 06:05 | |
*** Guest_ has joined #openstack-keystone | 06:06 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session Bindings https://review.openstack.org/86237 | 06:14 |
derek_c | I created several columns for sql.User by using a migration script in common/sql/migrate_repo. However, seems like the columns I created in the migration script are not directly accessible from a User object | 06:16 |
*** inc0 has joined #openstack-keystone | 06:21 | |
*** inc0 has quit IRC | 06:26 | |
*** tomoiaga has joined #openstack-keystone | 06:34 | |
*** jamielennox is now known as jamielennox|away | 06:35 | |
*** gokrokve_ has quit IRC | 06:36 | |
*** dims has quit IRC | 06:48 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 07:01 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447 | 07:01 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446 | 07:01 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445 | 07:01 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444 | 07:01 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448 | 07:01 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: WIP: Comparision of database models and migrations. https://review.openstack.org/80630 | 07:01 |
*** dims has joined #openstack-keystone | 07:02 | |
*** Guest_ has quit IRC | 07:05 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 07:08 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447 | 07:08 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446 | 07:08 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445 | 07:08 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444 | 07:09 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448 | 07:09 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 07:09 |
*** Guest_ has joined #openstack-keystone | 07:09 | |
*** henrynash has joined #openstack-keystone | 07:11 | |
*** Guest_ has quit IRC | 07:16 | |
openstackgerrit | song (bruce) zhang proposed a change to openstack/keystone: replace word 'by' with 'be' https://review.openstack.org/86246 | 07:18 |
openstackgerrit | song (bruce) zhang proposed a change to openstack/keystone: replace word 'by' with 'be' Related-Bug:#1304834 https://review.openstack.org/86246 | 07:22 |
openstackgerrit | Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor: moved flatten function to utils https://review.openstack.org/85721 | 07:24 |
*** Gue______ has joined #openstack-keystone | 07:26 | |
*** gokrokve has joined #openstack-keystone | 07:36 | |
*** marekd|away is now known as marekd | 07:38 | |
*** Gue______ has quit IRC | 07:39 | |
*** Gue______ has joined #openstack-keystone | 07:39 | |
*** gokrokve has quit IRC | 07:41 | |
*** Guest_ has joined #openstack-keystone | 07:51 | |
*** Gue______ has quit IRC | 07:53 | |
*** Guest_ has quit IRC | 07:53 | |
*** Guest_ has joined #openstack-keystone | 07:54 | |
*** Guest_ has quit IRC | 07:54 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Some methods in ldap were moved to superclass https://review.openstack.org/86250 | 08:05 |
*** leseb has joined #openstack-keystone | 08:15 | |
*** d0ugal has quit IRC | 08:18 | |
*** d0ugal has joined #openstack-keystone | 08:21 | |
*** gokrokve has joined #openstack-keystone | 08:37 | |
*** gokrokve has quit IRC | 08:42 | |
*** chandan_kumar has quit IRC | 08:49 | |
*** mberlin1 is now known as mberlin | 09:02 | |
*** chandan_kumar has joined #openstack-keystone | 09:03 | |
*** morganfainberg is now known as morganfainberg_Z | 09:16 | |
*** david-lyle has quit IRC | 09:20 | |
*** gokrokve has joined #openstack-keystone | 09:38 | |
*** gokrokve has quit IRC | 09:42 | |
*** zhiyan is now known as zhiyan_ | 09:43 | |
*** marcoemorais1 has quit IRC | 09:43 | |
*** chandan_kumar_ has joined #openstack-keystone | 10:03 | |
*** chandan_kumar has quit IRC | 10:06 | |
*** marcoemorais has joined #openstack-keystone | 10:11 | |
*** marcoemorais has quit IRC | 10:12 | |
*** marcoemorais has joined #openstack-keystone | 10:12 | |
*** marcoemorais has quit IRC | 10:17 | |
*** dims has quit IRC | 10:29 | |
*** chandan_kumar_ has quit IRC | 10:32 | |
*** gokrokve has joined #openstack-keystone | 10:39 | |
*** gokrokve has quit IRC | 10:43 | |
*** chandan_kumar_ has joined #openstack-keystone | 10:58 | |
*** topol has joined #openstack-keystone | 11:08 | |
*** RockKuo has quit IRC | 11:09 | |
*** marcoemorais has joined #openstack-keystone | 11:13 | |
*** marcoemorais has quit IRC | 11:17 | |
*** jamielennox|away is now known as jamielennox | 11:30 | |
*** jamielennox is now known as jamielennox|away | 11:33 | |
*** dims has joined #openstack-keystone | 11:39 | |
*** leseb has quit IRC | 11:48 | |
*** leseb has joined #openstack-keystone | 11:50 | |
afaranha | Hello, does somebody know how to retrieve the keystone url from the auth_token in API? | 11:59 |
*** dims has quit IRC | 12:03 | |
*** d0ugal_ has joined #openstack-keystone | 12:04 | |
*** d0ugal has quit IRC | 12:07 | |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Code which get elements of tree in ldap moved to one common method https://review.openstack.org/86302 | 12:09 |
*** zhiyan_ is now known as zhiyan | 12:10 | |
*** diegows has joined #openstack-keystone | 12:11 | |
afaranha | I want to use keystoneclient in nova api. Should I use "keystoneclient.Client(token=context.auth_token, auth_url=auth_url)"? If so how do I get the "auth_url"? Thank you | 12:12 |
*** marcoemorais has joined #openstack-keystone | 12:14 | |
*** marcoemorais has quit IRC | 12:18 | |
tomoiaga | afaranha: you can check how horizon did it for example: https://github.com/openstack/horizon/tree/master/openstack_dashboard/api | 12:18 |
*** d0ugal_ is now known as d0ugal | 12:23 | |
afaranha | tomoiaga: It uses a request to instantiate the keystone, I'll try to use the "request_id" from context, should it work? Thank you | 12:26 |
tomoiaga | request is used for context data (contains different things), however, you should know the keystone url when you authenticate, after that you should request the catalog. In horizon I seem to remember they are doing that (trying to find endpoints where to send requests) | 12:29 |
tomoiaga | afaranha: as mentioned, you should know the auth_url, if not, nova should have it somewhere and you should be able to use it. See how nova does the token verification | 12:30 |
*** gokrokve has joined #openstack-keystone | 12:40 | |
tomoiaga | afaranha: as far as I can see, horizon looks at the settings file for the auth_url which seems a normal thing to do: auth_url = getattr(settings, 'OPENSTACK_KEYSTONE_URL') | 12:41 |
tomoiaga | afaranha: also this may help, at least it did help me out when I first looked at how to use the clients in a python script: http://www.ibm.com/developerworks/cloud/library/cl-openstack-pythonapis/index.html?ca=drs- | 12:43 |
*** wchrisj has joined #openstack-keystone | 12:44 | |
afaranha | tomoiaga: As I'm seeing in Nova for neutro_url it uses this: "CONF.neutron_admin_auth_url" I think I could work with both and see how will work in my case. Thank you :) | 12:44 |
*** gokrokve has quit IRC | 12:45 | |
tomoiaga | afaranha: the rest of the urls except keystone's auth_url, can be gathered from the keystone catalog. | 12:45 |
dolphm | dstanek: did you look into https://bugs.launchpad.net/cinder/+bug/1285833 ? | 12:46 |
uvirtbot | Launchpad bug 1285833 in python-keystoneclient "Keystone client racing on certificate lookups causing 401 Unauthorized on API calls" [Critical,In progress] | 12:46 |
dolphm | tomoiaga: ignoring regions, auth_url is the public identity endpoint | 12:46 |
afaranha | tomoiaga: Yes, having the keystone it seems really easy to get other information | 12:46 |
tomoiaga | dolphm: indeed | 12:47 |
*** raildo has joined #openstack-keystone | 12:47 | |
afaranha | tomoiaga: I hope this works now. I have many options to try now (I can also try to use os.environ) | 12:47 |
dstanek | dolphm: i didn't realize there was a bug for it, but i responded to a query from ayoung last night | 12:48 |
dolphm | dstanek: that's why i asked | 12:48 |
dstanek | dolphm: ayoung: that exception is getting re-raised https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1221 | 12:48 |
dolphm | dstanek: should it not be? | 12:49 |
dstanek | dolphm: not sure i'll read the bug | 12:49 |
raildo | dolphm: can you explain to me, how policy(not policy.json, the policy service) works in keystone? | 12:49 |
dolphm | dstanek: the original bug description has been fixed | 12:50 |
dolphm | dstanek: but there's an elastic recheck query that's suddenly seeing the same backtrace again | 12:50 |
dolphm | raildo: what do you mean by "policy service" ? | 12:50 |
dolphm | raildo: /v3/policies ? oslo.policy enforcement? | 12:51 |
raildo | dolphm: http://api.openstack.org/api-ref-identity.html#Policy_Calls | 12:51 |
dolphm | raildo: it's not really used by openstack (yet), but could be consumed by oslo.policy to centralize policy management https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#policy | 12:51 |
*** thiagop has joined #openstack-keystone | 12:55 | |
raildo | dolphm: thanks | 12:55 |
*** dims has joined #openstack-keystone | 12:56 | |
ayoung | dolphm I think it says something about our code reviewers that they can even catch misquoted Shakespear. | 13:00 |
ayoung | Shakespeare that is | 13:00 |
dims | :) | 13:00 |
dstanek | dolphm, ayoung: i wonder if the filenames don't match in cert_file_missing...like a symlink or something | 13:01 |
ayoung | dstanek, no, I think it is a race | 13:02 |
dolphm | ayoung: caused by what? | 13:02 |
ayoung | dstanek, two threads each download the files. | 13:02 |
ayoung | or rather, two threads each get an exception due to a missing file | 13:02 |
ayoung | the first one downloads the file (the second one to be checked) and then the second thread hits the condition where it checks for existence | 13:03 |
dstanek | say that happens..won't they both download and write the file in an atomic way? | 13:03 |
ayoung | but now it does exist, so it falls through to the 'raise' | 13:03 |
dolphm | oh. | 13:03 |
ayoung | dstanek, the problem is in the error recover section | 13:03 |
dstanek | ah | 13:03 |
dstanek | lol, yeah that would do it | 13:03 |
ayoung | dstanek, jamielennox|away gets credit for realizing it | 13:04 |
ayoung | hence. https://review.openstack.org/#/c/86212/ | 13:04 |
dolphm | so how do we eliminate the race altogether, rather than just trying to ignore it? | 13:05 |
ayoung | dolphm, I see ^^ as a stopgap | 13:05 |
dolphm | unconditionally call self.fetch_signing_cert() and self.fetch_ca_cert() ? | 13:05 |
ayoung | dolphm, two ways: either we lock upon fetch, or we fetch at startup | 13:05 |
ayoung | problem with fetch at startup is if the keystone server is not up, we can't start | 13:05 |
ayoung | this is in some ways an artificial problem. We see it in testing, but not on a live system. It happens, once, early on and that is it | 13:06 |
dstanek | ayoung: why check at all if the file exists? if the error message says it doesn't just download it | 13:06 |
ayoung | dstanek, there are two different files to download. And then the download could fail, so we need some way to avoid an endless loop | 13:07 |
ayoung | dstanek, this code was written to make the expected case fast. And I think we should keep that philosophy | 13:07 |
dolphm | ayoung: why wouldn't it happen in a live system..? | 13:07 |
ayoung | dolphm, it might happen once, but then the certs would be in place, and all would work | 13:08 |
dstanek | ayoung: it just feels really complicated to me; the loop even | 13:08 |
ayoung | dstanek, checking for the existence of the file is a blocking operation | 13:08 |
ayoung | the popen itself is already expensive | 13:08 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition https://review.openstack.org/86321 | 13:09 |
ayoung | this code is executed on every request, so we need to streamline the expected case as much as possible | 13:09 |
ayoung | dolphm, you've just written an infinite loop if the keystone server is down | 13:09 |
dolphm | ayoung: _fetch_cert_file will raise an unhandled exception and break the loop | 13:10 |
dolphm | ayoung: i can remove cert_file_missing() though now | 13:11 |
dstanek | i don't see the need for the while True | 13:11 |
dstanek | we don't really want to try the operation more than twice anyway | 13:11 |
dolphm | dstanek: ++ | 13:12 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition https://review.openstack.org/86321 | 13:13 |
dolphm | eliminated while loop | 13:13 |
dolphm | also restored the warning log, but i'm not sure it's necessary since it's raising anyway | 13:14 |
dolphm | whoops, one sec | 13:15 |
dstanek | dolphm: i was thinking something slightly different | 13:15 |
dolphm | dstanek: ? | 13:15 |
dstanek | dolphm: ah no, nm - didn't see the recursive call | 13:16 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition https://review.openstack.org/86321 | 13:16 |
dolphm | dstanek: i forgot to actually use 'retry' until ^ | 13:16 |
dstanek | well, that explains why i didn't see it :-) | 13:17 |
dolphm | i mean, i meant to replace the race condition with infinite recursion | 13:17 |
ayoung | dolphm, that last version looks about right | 13:18 |
ayoung | so if there are no certs, fetch each one, and then retry | 13:18 |
*** henrynash has quit IRC | 13:18 | |
ayoung | if the fetch fails, we'll error out | 13:18 |
dolphm | damn, i introduced another bug... | 13:19 |
dstanek | dolphm: what is the value of the 'return True'? | 13:19 |
*** topol has quit IRC | 13:19 | |
ayoung | if they succeed, either by this thread or another, the validate will process as per normal | 13:19 |
dolphm | dstanek: i wanted to retry if either cert got updated successfully... but i'm not doing that (i'm only refetching the first one, then retrying) | 13:19 |
*** henrynash has joined #openstack-keystone | 13:20 | |
ayoung | dolphm, change or to and | 13:20 |
ayoung | or better yet | 13:20 |
ayoung | except exceptions.CertificateConfigError as err: | 13:20 |
ayoung | if retry: | 13:20 |
ayoung | self.fetch_signing_cert() | 13:20 |
ayoung | self.fetch_ca_cert() | 13:21 |
dolphm | ayoung: i just wrote that lol | 13:21 |
dstanek | if either fails an exception will be raised so you can probably just write them as separate statements instead of an if | 13:21 |
ayoung | dolphm, cool | 13:21 |
dolphm | dstanek: and about to remove the return True | 13:21 |
dolphm | dstanek: ++ | 13:21 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition https://review.openstack.org/86321 | 13:21 |
dstanek | dolphm: this is what i was originally thinking http://paste.openstack.org/show/75413/ | 13:24 |
dstanek | but i have an infinite recursion problem :-( | 13:25 |
dolphm | dstanek: lol is there any advantage to avoiding recursion? | 13:25 |
dstanek | oh, nm i pasted you the second link | 13:25 |
dolphm | dstanek: yeah i don't see infinite recursion... | 13:25 |
dstanek | in that one i use the nested function to avoid the extra param | 13:26 |
dstanek | dolphm: i pasted a few diff revisions and i thought i gave you the broken one :-) | 13:26 |
dolphm | dstanek: so you're just not a fan of exposing retry=True in the method signature? | 13:27 |
dstanek | if we think it'll be useful outside of avoiding infinite recursion, i don't mind | 13:28 |
dstanek | but if it's really internal book keeping exposed as an argument, i'm sad | 13:28 |
dolphm | dstanek: i can get behind that, but we do it in several places in auth_token | 13:28 |
openstackgerrit | Sergey Nikitin proposed a change to openstack/keystone: Fixed wrong behavior in method search_s in BaseLdap class. https://review.openstack.org/86325 | 13:29 |
dstanek | yeah i saw that and the other 'while True' | 13:30 |
*** joesavak has joined #openstack-keystone | 13:30 | |
dolphm | dstanek: i don't think you should escalate the log to ERROR though - this will occur on every devstack run at least once | 13:31 |
dolphm | dstanek: it's just the only place we fetch certs | 13:31 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition https://review.openstack.org/86321 | 13:33 |
dstanek | yeah, that makes sense | 13:33 |
dolphm | dstanek: do you use dstanek@dstanek.com for gerrit? | 13:34 |
dstanek | dolphm: yep | 13:34 |
dstanek | dolphm: that looks good | 13:34 |
dolphm | dstanek: i'm adding you as a co-author | 13:35 |
dolphm | ayoung: and jamie lennox figured out the root cause? | 13:35 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition fetching certs https://review.openstack.org/86321 | 13:35 |
ayoung | dolphm, don't need the retry param | 13:36 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition fetching certs https://review.openstack.org/86321 | 13:37 |
dolphm | ayoung: ^ also didn't need 'as err' | 13:37 |
*** vhoward has left #openstack-keystone | 13:37 | |
ayoung | you are going to have this down to a one liner if we keep this up | 13:37 |
ayoung | dolphm, I think we want err.output | 13:38 |
ayoung | that is what tells you the actual problem | 13:38 |
dolphm | ayoung: it'll get unconditionally raised if it still occurs in the second verify() | 13:38 |
dolphm | ayoung: so you'll get an exception log | 13:38 |
dolphm | ayoung: right? | 13:39 |
*** marcoemorais has joined #openstack-keystone | 13:39 | |
ayoung | dolphm, yeah, but I don't think we actually get the problem message unless we explicitly print output | 13:39 |
ayoung | http://logs.openstack.org/34/81834/8/check/check-tempest-dsvm-neutron-heat-slow/0976a2d/logs/screen-h-api.txt.gz#_2014-04-08_13_26_47_942 | 13:40 |
dstanek | we could add a try around the second verify to log | 13:40 |
dstanek | and then reraise | 13:40 |
ayoung | the real message is ERROR keystoneclient.middleware.auth_token [-] CMS Verify output: Error loading file /var/cache/heat/cacert.pem | 13:40 |
ayoung | 140047624885920:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/var/cache/heat/cacert.pem','r') | 13:40 |
ayoung | and that is in the output string | 13:40 |
ayoung | but the exception itself only produces the stack trace underneath | 13:40 |
*** marcoemorais1 has joined #openstack-keystone | 13:41 | |
*** gokrokve has joined #openstack-keystone | 13:41 | |
dolphm | ayoung: gotcha, adding another try/except lol | 13:41 |
ayoung | dolphm, just print it out before reraising, I think | 13:41 |
dolphm | ayoung: ++ | 13:42 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition fetching certs https://review.openstack.org/86321 | 13:42 |
dolphm | ayoung: `^ | 13:42 |
*** marcoemorais has quit IRC | 13:43 | |
ayoung | AHHH@! | 13:43 |
ayoung | I can't keep up | 13:43 |
ayoung | Ah, nevermind, that was the version I +2ed | 13:44 |
dolphm | ayoung: then you were really fast | 13:44 |
tomoiaga | does it make sense to create a keystone auth plugin if I want to allow an already authenticated user in a django app, access to services ? (users will live in keystone and in the django app also) | 13:44 |
*** gokrokve has quit IRC | 13:45 | |
ayoung | dolphm, well, it is a short patch, and I was just looking for that diff...I think we are good. | 13:45 |
*** marcoemorais1 has quit IRC | 13:45 | |
dstanek | dolphm: nice, thanks | 13:46 |
*** chandan_kumar_ has quit IRC | 13:46 | |
dolphm | tomoiaga: users shouldn't live in more than one place, but yes | 13:46 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Moves test database setup/teardown into a fixture https://review.openstack.org/85651 | 13:47 |
dstanek | dolphm: ayoung: gating our unit tests on a real database like mysql/postgres...wishlist or must have? | 13:48 |
ayoung | dstanek, I would say it is the sign of a mature product? | 13:49 |
ayoung | So...somewhere in between | 13:49 |
ayoung | We've dealt without it this long, but we've been lucky | 13:49 |
dolphm | dstanek: high priority wish list? | 13:49 |
dstanek | ok, i'll make a blueprint for it | 13:50 |
*** andreaf has joined #openstack-keystone | 13:50 | |
dolphm | dstanek: for bonus points, you can run mysql in memory :) | 13:50 |
dstanek | i thought i could fix some tests but ran into lots of issues | 13:50 |
ayoung | Isn't there one already? | 13:50 |
dstanek | ayoung: not sure, but i'll search for it first | 13:51 |
ayoung | dstanek, thought I wrote one. I write a lot of blueprints | 13:51 |
tomoiaga | dolphm: that's true. I would like to keep users in keystone to be able to manage the permissions/domains/projects from there and not from the django app. | 13:51 |
dolphm | dstanek: i take it back, running mysql in memory instead of using innodb is probably just as useless as sqlite.... | 13:51 |
dstanek | dolphm: ayoung: one of my queries from last night: | 13:51 |
dstanek | we have some tests make sure that the domain name unique constraint is case insensitive. is that the expectation of the operators or is that just an artifact of our dev environment? | 13:52 |
ayoung | dstanek, strange. that is news to me | 13:52 |
dolphm | dstanek: did i write that? :-/ | 13:52 |
ayoung | dstanek, that whole effort was driven by gyee. | 13:52 |
ayoung | I'd ask him | 13:52 |
dstanek | oops i mean case sensitive | 13:52 |
ayoung | Hmmm | 13:53 |
dstanek | dolphm: it's in a bunch of different places, but mostly test_backend.py | 13:53 |
ayoung | probably not what we want, is it | 13:53 |
*** ayoung is now known as ayoung-afk | 13:53 | |
dolphm | dstanek: i think those tests were the result of a mailing list conversation complaining that we were case insensitive somewhere | 13:53 |
dolphm | dstanek: and it turned out to be an issue with their mysql config | 13:54 |
*** chandan_kumar_ has joined #openstack-keystone | 13:54 | |
dolphm | or whatever their backend was, i don't recall | 13:54 |
dolphm | dstanek: the tests simply illustrate the current intent, as we make no effort to handle case insensitivity properly | 13:54 |
dstanek | mysql by default won't allow 'Default' and 'default' to co-exist as domains, but our code expects that to work | 13:55 |
dstanek | well test code, our code code doesn't care | 13:55 |
dolphm | dstanek: i'd care more about user names than domains | 13:55 |
dstanek | dolphm: are 'dstanek' and 'DStanek' different users? | 13:55 |
dolphm | dstanek: they are today, right? | 13:56 |
dstanek | in sqlite yes, in mysql no | 13:56 |
dstanek | at least in the devstack mysql | 13:56 |
dstanek | well i take that back - in the way our models generate the schema during test runs | 13:56 |
dstanek | testing devstack itself now | 13:57 |
dolphm | dstanek: aren't they varchar columns? | 13:57 |
dolphm | dstanek: (maybe i'm out of date on this issue, or misunderstood it) | 13:57 |
*** topol has joined #openstack-keystone | 13:58 | |
dstanek | dolphm: yes, they are varchar with a unique constraint | 13:59 |
dstanek | dolphm: http://paste.openstack.org/show/75420/ | 13:59 |
dstanek | dolphm: our unit tests expect that to be possible | 13:59 |
dstanek | dolphm: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_backend.py#n1791 | 14:00 |
dstanek | i'm going to file a bug for this, but i was hoping to get a little insight first | 14:01 |
*** samuelmz has joined #openstack-keystone | 14:04 | |
*** gokrokve has joined #openstack-keystone | 14:06 | |
tomoiaga | dolphm: the external authentication seems to be doing something similar. Users are "kept" in two places (httpd and keystone). Not sure how else to approach this yet. | 14:09 |
afaranha | tomoiaga: It's possible to get the endpoints by the request headers, it's a field with the catalog called "X-Service-Catalog". I could get the keystone url this way: "req.headers.get('X-Service-Catalog', req.headers.get('X_STORAGE_TOKEN'))". | 14:09 |
afaranha | The problem is that the catalog doesn't show keystone v3, only v2. To use it I just need to supply a v2 token? (I tried it but got error =/) | 14:09 |
tomoiaga | afaranha: you need to define v3 endpoints (for services that support this) in keystone if you want them to show up | 14:09 |
dolphm | dstanek: well i'd say mysql's behavior is preferable then | 14:10 |
samuelmz | Hey guys, I took a look at the multitenancy proposal at https://wiki.openstack.org/wiki/HierarchicalMultitenancy and I'd like to know what's already implemented and what's missing | 14:17 |
samuelmz | Could you give me some info or tell me who I should ask to get this info? | 14:17 |
samuelmz | I guess vishvananda is the leader of this feature, right? | 14:17 |
*** thedodd has joined #openstack-keystone | 14:22 | |
*** henrynash has quit IRC | 14:24 | |
dolphm | samuelmz: there's a weekly meeting where i'm sure all the work has been shared and discussed, i'd skim through the meeting logs | 14:25 |
dolphm | samuelmz: there's also a mailing list discussion with links to the various efforts, and two summit sessions | 14:25 |
*** henrynash has joined #openstack-keystone | 14:25 | |
*** henrynash has quit IRC | 14:25 | |
*** saju_m has joined #openstack-keystone | 14:26 | |
*** gokrokve has quit IRC | 14:26 | |
*** gokrokve has joined #openstack-keystone | 14:32 | |
tomoiaga | I see that with LDAP, users are also kept in two places if one would like to keep user authorization in keystone | 14:32 |
samuelmz | dolphm, do you know when this meeting takes place? (the day, hour) | 14:32 |
samuelmz | dolphm, do you have a link to this ML thread? | 14:32 |
dolphm | samuelmz: https://wiki.openstack.org/wiki/Meetings#Hierarchical_Multitenancy_Meeting | 14:32 |
samuelmz | dolphm, great, thank you | 14:33 |
dolphm | samuelmz: there's a lot to dig through https://www.google.com/search?q=openstack-dev+archive+hierarchical+multitenancy | 14:34 |
*** htruta has joined #openstack-keystone | 14:36 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 14:43 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447 | 14:43 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446 | 14:43 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445 | 14:43 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444 | 14:43 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks https://review.openstack.org/84448 | 14:43 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 14:43 |
htruta | hello! i'm working on this bug: https://bugs.launchpad.net/keystone/+bug/1264325 openstackgerrit | 14:50 |
uvirtbot | Launchpad bug 1264325 in keystone "API v3 - Unable to perform scope independant operations with unscoped token" [High,Triaged] | 14:50 |
htruta | i want to know how can I allow this unscoped user to make such operations. One can easily do this by removing the rule on the policy.json. However, it will allow any user to do this. The question is: Who should be able to do these operations? | 14:52 |
*** kun_huang has joined #openstack-keystone | 14:53 | |
*** david-lyle has joined #openstack-keystone | 14:55 | |
*** saju_m has quit IRC | 14:58 | |
*** rodrigods has joined #openstack-keystone | 15:02 | |
*** ilives has quit IRC | 15:13 | |
*** dstanek is now known as dstanekafk | 15:19 | |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: eliminate race condition fetching certs https://review.openstack.org/86321 | 15:19 |
*** dstanekafk is now known as dstanek | 15:20 | |
dolphm | ayoung-afk: dstanek: deleted cert_file_missing() and never removed the corresponding test until ^ | 15:21 |
dstanek | dolphm: lgtm still | 15:22 |
*** dolphm has quit IRC | 15:29 | |
*** dolphm has joined #openstack-keystone | 15:30 | |
*** ChanServ sets mode: +o dolphm | 15:30 | |
*** ayoung-afk is now known as ayoung | 15:32 | |
*** wchrisj has left #openstack-keystone | 15:32 | |
*** zhiyan has quit IRC | 15:45 | |
*** stevemar has joined #openstack-keystone | 15:46 | |
*** browne has joined #openstack-keystone | 15:52 | |
*** Chicago has quit IRC | 15:55 | |
dolphm | ayoung: this is why we don't backport refactors! https://bugs.launchpad.net/keystone/+bug/1305056 | 15:55 |
uvirtbot | Launchpad bug 1305056 in keystone "Impossible to use method search_s in BaseLdap if attribute 'page_size' is not 0." [Medium,In progress] | 15:55 |
*** Chicago has joined #openstack-keystone | 15:55 | |
ayoung | dolphm, yeah, and as I am now unloaded of responsibility for getting that particular bug fixed, I can say I wholeheartedly agree with you | 15:56 |
dolphm | ayoung: i know ;) | 15:57 |
ayoung | seems we have a good enough workaround, but I still think we'll get a backport for Icehouse in the early May time frame | 15:57 |
ayoung | without the refactor | 15:57 |
dolphm | ayoung: that'd be great to see (could apply to havana too) | 15:57 |
ayoung | dolphm, to test SAML, would this make sense: set up Keystone with an LDAP backend. Use that same LDAP provider for SAML, enable the SAML plugin, and test if authenticate works? | 15:58 |
ayoung | We need to have the user in the identity backend still, right? | 15:58 |
dolphm | ayoung: are you talking about federation? | 15:58 |
ayoung | dolphm, yes | 15:59 |
dolphm | ayoung: use the sql identity backend (no need to duplicate users), and ask marekd for docs to configure mod_shib + OS-FEDERATION together | 16:00 |
ayoung | dolphm, but my SAML provider uses LDAP. That is why I am asking | 16:00 |
*** jsavak has joined #openstack-keystone | 16:01 | |
ayoung | It would be the same LDAP source for both SAML and Keystone, so no duplication | 16:01 |
ayoung | marekd, ^^ question is really for you, then | 16:01 |
dolphm | ayoung: what do you want out of OS-FEDERATION then? | 16:01 |
ayoung | dolphm, just a sanity test. | 16:01 |
dolphm | ayoung: you want keystone to use SAML instead of talking to LDAP at all, no? | 16:01 |
ayoung | And to make sure we can support it | 16:02 |
ayoung | dolphm, eventually, but not this round. For this round, I want to just test using SAML to create a token | 16:02 |
marekd | dolphm: ayoung hello. | 16:02 |
marekd | ayoung: you want a unit test that utilized mod_shib? | 16:02 |
dolphm | ayoung: i'm not sure what the in-between solution you're looking for would be | 16:03 |
*** zhiyan has joined #openstack-keystone | 16:03 | |
ayoung | marekd, sure, that would be a good starting point. | 16:03 |
*** joesavak has quit IRC | 16:04 | |
dolphm | samuelmz: hierarchical multitenancy meeting is starting | 16:04 |
ayoung | dolphm, I thought we needed to have any user in the identity backend. But that does not mean they have to be in SQL, right? They could be in LDAP as the identity backend, and it would all work still, no? | 16:04 |
dolphm | samuelmz: false alarm. lol | 16:04 |
samuelmz | dolphm, ok, I'm gonna join it | 16:04 |
samuelmz | dolphm, wow D: | 16:05 |
samuelmz | dolphm, no problem :) | 16:05 |
dolphm | samuelmz: i was really confused as to why it was starting (wrong day!) | 16:05 |
dolphm | ayoung: you don't need *any* users in SQL to use OS-FEDERATION | 16:05 |
samuelmz | dolphm, yes, normally it happens on fridays :) | 16:05 |
dolphm | ayoung: you *should* have service users in SQL, still | 16:05 |
ayoung | dolphm ah....I thought that the assignment backend still looked for users in identity? | 16:06 |
marekd | ayoung: no, it takes user from mappings. | 16:06 |
marekd | more or less. | 16:06 |
dolphm | ayoung: ah, i see... you want to *continue* using the LDAP identity backend. that would be fine, but it's unrelated to what OS-FEDERATION requires | 16:06 |
dolphm | ayoung: OS-FEDERATION needs groups from identity, that's it | 16:07 |
dolphm | ayoung: group membership to federated users is handled by mapping | 16:07 |
marekd | ayoung: I also wonder how you want to make a unit test with mod_shib included.... | 16:07 |
*** joesavak has joined #openstack-keystone | 16:07 | |
marekd | ayoung: I didn't come up with any reasonably good idea, so I would like to hear something if you have one | 16:08 |
*** jsavak has quit IRC | 16:08 | |
*** chandan_kumar_ has quit IRC | 16:08 | |
ayoung | marekd, I wouldn't call it a unit test. I'd call it a proof-of-concept | 16:09 |
marekd | ayoung: ah, ok | 16:09 |
marekd | ayoung: you can try this: https://github.com/zaccone/keystone-federation | 16:10 |
marekd | ayoung: of course it needs tweaking like adjusting the hostname etc. | 16:10 |
ayoung | marekd, cool | 16:10 |
marekd | ayoung: i used testshib.com as an IdP. | 16:11 |
ayoung | dolphm, OK, so I don't need to continue using LDAP as the Identity backend. I think I can go with this setup. | 16:11 |
marekd | ayoung: i think mhu was also trying to setup a federated-keystone. | 16:11 |
*** joesavak has quit IRC | 16:11 | |
marekd | ayoung: what IdP do you want to use? setup your own, any public one, or utilize one you already have access to? | 16:13 |
ayoung | marekd, excellent. We should be able to start by duplicating what you did, and then adding in our own SAML provider | 16:13 |
ayoung | marekd, we are working on one as a front to FreeIPA | 16:13 |
ayoung | among other things | 16:13 |
ayoung | https://git.fedorahosted.org/git/ipsilon.git marekd | 16:13 |
marekd | ayoung: understood. | 16:13 |
ayoung | should work for AD as well, or so I've been told | 16:14 |
ayoung | it's new, and just being developed, but I want to start beating on it | 16:14 |
*** ukalifon1 has joined #openstack-keystone | 16:14 | |
marekd | ayoung: wait, ipsilon is an IdentityProvider implementing SAML2 ? | 16:14 |
marekd | ayoung: or i am misunderstanding? | 16:15 |
marekd | ayoung: something like IdP from Shibboleth? | 16:15 |
ayoung | marekd, it is an IPA client that exposes SAML | 16:15 |
ayoung | the IdP is FreeIPA | 16:15 |
*** marcoemorais has joined #openstack-keystone | 16:15 | |
marekd | ayoung: ok, so push for browserless extensions :-) | 16:16 |
ayoung | marekd, oh, indeed. | 16:16 |
*** gyee has joined #openstack-keystone | 16:17 | |
*** richm has joined #openstack-keystone | 16:20 | |
*** andreaf has quit IRC | 16:26 | |
dolphm | whoa we have external db2 ci! | 16:27 |
dolphm | when did that happen? | 16:27 |
bknudson | dolphm: just a couple of days ago they started reporting. | 16:27 |
bknudson | dolphm: it runs some tempest tests... it's not the unit tests. | 16:29 |
htruta | hello? anyone can help me with this bug https://bugs.launchpad.net/keystone/+bug/1264325 ? | 16:32 |
uvirtbot | Launchpad bug 1264325 in keystone "API v3 - Unable to perform scope independant operations with unscoped token" [High,Triaged] | 16:32 |
dolphm | htruta: it's really blueprint work to solve it, via https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens | 16:34 |
*** marcoemorais1 has joined #openstack-keystone | 16:38 | |
*** marcoemorais1 has quit IRC | 16:38 | |
*** marcoemorais has quit IRC | 16:38 | |
*** marcoemorais has joined #openstack-keystone | 16:39 | |
*** harlowja_away is now known as harlowja | 16:49 | |
afaranha | Did anybody get this error while using keystoneclient? "Current authorization does not have a known management url" | 16:49 |
*** leseb has quit IRC | 16:49 | |
*** tomoiaga has quit IRC | 16:49 | |
htruta | dolphm: So, the bug will be abandoned, right? | 16:54 |
*** marcoemorais has quit IRC | 16:58 | |
*** marcoemorais has joined #openstack-keystone | 16:59 | |
*** stevemar has quit IRC | 17:00 | |
*** gokrokve has quit IRC | 17:01 | |
*** amcrn has joined #openstack-keystone | 17:03 | |
*** chandan_kumar_ has joined #openstack-keystone | 17:24 | |
*** dstanek has quit IRC | 17:31 | |
*** dstanek has joined #openstack-keystone | 17:32 | |
*** chandan_kumar_ has quit IRC | 17:34 | |
*** wchrisj has joined #openstack-keystone | 17:34 | |
*** thedodd has quit IRC | 17:36 | |
*** gokrokve has joined #openstack-keystone | 17:37 | |
*** stevemar has joined #openstack-keystone | 17:37 | |
*** zhiyan is now known as zhiyan_ | 17:37 | |
ayoung | bknudson, I challenge you to get the CI running unit tests in DB2 before we can get them in Mysql | 17:38 |
*** marcoemorais has quit IRC | 17:38 | |
*** vhoward has joined #openstack-keystone | 17:38 | |
*** marcoemorais has joined #openstack-keystone | 17:38 | |
diegows | we never finish our discussion about PAM authentication module :) | 17:39 |
bknudson | ayoung: I don't think it's going to happen... they've been working on DB2 CI for a long time. | 17:39 |
openstackgerrit | A change was merged to openstack/keystone: Fixed wrong behavior in method search_s in BaseLdap class. https://review.openstack.org/86325 | 17:39 |
*** kun_huang has quit IRC | 17:41 | |
*** wchrisj has quit IRC | 17:45 | |
*** chandan_kumar_ has joined #openstack-keystone | 17:47 | |
*** rodrigods has quit IRC | 17:48 | |
*** morganfainberg_Z is now known as morganfainberg | 17:51 | |
morganfainberg | ooh db2 ci! | 17:52 |
morganfainberg | cool | 17:53 |
morganfainberg | bknudson, is there a way to get a patchset tested through the external ci? | 17:53 |
bknudson | morganfainberg: well, it might be in process already, not sure how would check that. | 17:54 |
bknudson | apparently there were some network problems. | 17:54 |
morganfainberg | bknudson, specifically https://review.openstack.org/#/c/78169/ happy to issue a recheck if that would help. | 17:54 |
morganfainberg | bknudson, but i'd love to have db2 weigh in on it | 17:54 |
bknudson | morganfainberg: 'recheck db2-test' should do it. | 17:55 |
morganfainberg | bknudson, cool. | 17:55 |
morganfainberg | bknudson, suggest you have them do the same thing gate does (if possible) post a comment that it's attempting to run the CI (or is that not allowed?) | 17:56 |
bknudson | morganfainberg: I haven't seen the other cis doing that... like in tempest/nova/neutron | 17:56 |
bknudson | although it might be a good idea if we're actually watching for it. | 17:57 |
morganfainberg | bknudson, hm. i really like that the check/gate does it, maybe it would net too much spam on the reviews though for externals to. | 17:57 |
morganfainberg | bknudson, i personally like knowing what external CIs are running (or attempting to run) | 17:57 |
morganfainberg | s/like/would like | 17:57 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Include extra attributes in list results https://review.openstack.org/81041 | 17:58 |
*** derek_c has quit IRC | 18:07 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Fedration Mapping Rules. https://review.openstack.org/83742 | 18:13 |
afaranha | Hello, Does someone know how to add keystone v3 to service to be listed in the keystone catalog? Thank you | 18:15 |
*** erecio has joined #openstack-keystone | 18:16 | |
*** thedodd has joined #openstack-keystone | 18:20 | |
lbragstad | bknudson: looks like https://review.openstack.org/#/c/81041/5 is still going to fail | 18:24 |
lbragstad | specifically in here: https://github.com/openstack/keystone/blob/master/keystone/tests/test_revoke.py#L413 | 18:25 |
lbragstad | MismatchError: 8 != 7, so I'm sure sure how relevant this failure is to your change? | 18:25 |
bknudson | lbragstad: 1300581 again? | 18:26 |
lbragstad | bknudson: looks like it | 18:26 |
lbragstad | fails randomly in the iteration? | 18:26 |
lbragstad | threading? | 18:27 |
bknudson | lbragstad: we don't have multiple threads, we've got different processes | 18:27 |
lbragstad | ok | 18:27 |
bknudson | lbragstad: it could also be an issue with the order the tests are run | 18:28 |
bknudson | since that could change based on what process gets which test | 18:28 |
lbragstad | right | 18:28 |
*** wchrisj_ has joined #openstack-keystone | 18:30 | |
*** morganfainberg has quit IRC | 18:31 | |
lbragstad | bknudson: looks like everything is going to pass except that, so probably just that bug | 18:31 |
*** ukalifon1 has quit IRC | 18:33 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers. https://review.openstack.org/83337 | 18:36 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Fedration Mapping Rules. https://review.openstack.org/83742 | 18:42 |
ayoung | nkinder, http://adam.younglogic.com/2014/04/teaching-horizon-to-share/ part one. | 18:43 |
ayoung | marekd, I can -1 from here Fedration | 18:43 |
marekd | ayoung: ? | 18:43 |
ayoung | Fedrations? Are those like MREs? | 18:44 |
marekd | ayoung: ayoung uf, i thought you found a serious bug. nice catch... | 18:45 |
marekd | gonna change it now. | 18:45 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federation Mapping Rules. https://review.openstack.org/83742 | 18:48 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers. https://review.openstack.org/83337 | 18:51 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federation Mapping Rules. https://review.openstack.org/83742 | 18:52 |
ayoung | marekd, out of curiosity why req_ref.pop('id') in the test https://review.openstack.org/#/c/83742/11/keystoneclient/tests/v3/test_federation.py | 18:55 |
marekd | 1 sec | 18:56 |
openstackgerrit | Priti Desai proposed a change to openstack/keystone: Adding more descriptive error message https://review.openstack.org/86187 | 18:57 |
*** ukalifon has joined #openstack-keystone | 18:59 | |
marekd | ayoung: if I don't pop that id it will stay in the reference json object | 18:59 |
ayoung | and the ID is not returned from the server? | 19:00 |
*** morganfainberg_Z has joined #openstack-keystone | 19:01 | |
*** morganfainberg_Z is now known as morganfainberg | 19:01 | |
ayoung | morganfainberg, http://adam.younglogic.com/2014/04/teaching-horizon-to-share/ | 19:01 |
marekd | ayoung: hm, it is: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md#create-a-mapping-put-os-federationmappingsmapping_id ok, let me check this. | 19:02 |
morganfainberg | ayoung, reading now, but yay! | 19:02 |
*** derek_c has joined #openstack-keystone | 19:02 | |
morganfainberg | ayoung, i'd probably go with mod_rewrite vs a meta-refresh. | 19:03 |
ayoung | morganfainberg, but this was already in the install | 19:03 |
ayoung | but there are many ways to skin that cat | 19:03 |
morganfainberg | ayoung, aye. | 19:03 |
morganfainberg | ayoung, i do like it. | 19:04 |
morganfainberg | ayoung, simple and concise. | 19:04 |
ayoung | morganfainberg, I have three posts. That one and two others I am still editing | 19:04 |
morganfainberg | ayoung, nice! | 19:04 |
ayoung | the next is on Kerberizing Keystone (to include SSL via NSS) | 19:04 |
ayoung | and then on NSS for horizon | 19:04 |
bknudson | morganfainberg: https://review.openstack.org/#/c/78169/ -- DB2 says succeeded | 19:05 |
morganfainberg | bknudson, cool. i was concerned about that tbh | 19:05 |
bknudson | I had a fix at one point to show the --debug output in devstack but it wound up being abandoned. | 19:05 |
morganfainberg | bknudson, don't have much experience w/ db2 so wasn't sure what would break / work / not work | 19:05 |
bknudson | morganfainberg: it's always easier when there's a lot less code! | 19:06 |
morganfainberg | bknudson, :) | 19:06 |
morganfainberg | bknudson, so the DB2 test isn't voting yet? | 19:06 |
morganfainberg | oh (non voting) haha | 19:06 |
* morganfainberg learns to read | 19:06 | |
bknudson | morganfainberg: I'm not sure I've seen any external CI voting? | 19:07 |
*** chandan_kumar_ has quit IRC | 19:07 | |
morganfainberg | bknudson, turbo-hipster was. | 19:07 |
morganfainberg | as was minesweeper i think | 19:07 |
bknudson | morganfainberg: let's give it some time and make it voting if it's stable | 19:08 |
morganfainberg | bknudson, https://review.openstack.org/#/c/77450/ | 19:08 |
morganfainberg | bknudson, ++ | 19:08 |
bknudson | morganfainberg: last I heard minesweeper was broken for weeks. | 19:08 |
morganfainberg | yeah. | 19:08 |
morganfainberg | turbo-hipster seems to be working | 19:08 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Hash functions support different hash algorithms https://review.openstack.org/86202 | 19:12 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with sha256 https://review.openstack.org/80398 | 19:12 |
*** ukalifon has quit IRC | 19:15 | |
dolphm | bknudson: i was just about to ping you about that ^ | 19:19 |
dolphm | bknudson: let me do a quick review in case you had the same idea i did... | 19:20 |
*** chandan_kumar_ has joined #openstack-keystone | 19:20 | |
morganfainberg | dstanek, dolphm, bknudson, we should move to the sql_upgrade style (migration) testing that nova is using https://github.com/openstack/nova/blob/master/nova/tests/db/test_migrations.py | 19:20 |
morganfainberg | or similar | 19:21 |
bknudson | morganfainberg: I think chris yeoh tried this once and we didn't take it | 19:21 |
dolphm | bknudson: (nope) but i think you'll like this -- make the hash algorithm a configurable *list* in auth_token, and default it to ['sha256', 'md5'] and have it attempt them in order exactly like you're doing | 19:21 |
dolphm | bknudson: that way you provide people a way to migrate to sha256, and then from sha256 to sha512 if they want, etc | 19:22 |
dstanek | morganfainberg: i wouldn't mind that | 19:22 |
bknudson | morganfainberg: but I think it was only because we wanted the code in oslo-incubator | 19:22 |
dolphm | morganfainberg: it's been proposed against keystone in the past | 19:22 |
bknudson | dolphm: I like the list. I'll go with that. | 19:22 |
dolphm | morganfainberg: we did a terrible job reviewing it (it was late in the grizzly cycle, i suppose) and the author gave up | 19:22 |
morganfainberg | dolphm, well probably time to resurrect it then :) i like the _check_XXX and _post_<action>_XXX _pre_action_XXX style | 19:23 |
morganfainberg | it's a bit better than the custom test each migration gets now | 19:23 |
marekd | ayoung: so basically req_ref should not pop id, but the last line should also check manager_ref instead of req_ref as it checks the request, not response and there should be no id in the body. | 19:23 |
dolphm | morganfainberg: agree | 19:24 |
ayoung | marekd, glad I asked | 19:24 |
morganfainberg | dolphm, once we get the collapse review through, i think it'll be easier to make this shift | 19:24 |
morganfainberg | dolphm, so i'll backlog that for later in the cycle | 19:24 |
marekd | ayoung: yes, thank you. | 19:24 |
morganfainberg | possibly post j-2 (since at that point we shouldn't be accepting new migrations) | 19:25 |
htruta | hello! is anyone working on this BP https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens ? | 19:27 |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federation Mapping Rules. https://review.openstack.org/83742 | 19:29 |
*** openstackgerrit has quit IRC | 19:34 | |
dstanek | marekd: did you get your git issue taken care of? | 19:34 |
bknudson | dolphm: qq -- you mentioned you didn't want the hash algorithm in the tokens ... | 19:34 |
bknudson | what about the revocation list? | 19:34 |
marekd | dstanek: yes! forgot to tell you! | 19:34 |
marekd | dstanek: basically git review -d <base> ; git review -x works perfectly :-) | 19:35 |
marekd | dstanek: thanks! | 19:35 |
dstanek | marekd: nice; yw | 19:35 |
bknudson | dolphm: it would be easy enough to apply the same list of hash algorithms for the revocations. | 19:37 |
*** marekd is now known as marekd|away | 19:37 | |
htruta | dolphm: do you know anything about that BP? | 19:41 |
afaranha | ayoung: Hello, I'm developing for nova but using keystoneclient. I saw that you know a lot about openstack, could you help me? I need to enable keystone v3 in the catalog, do you know how to do it? Thank you | 19:41 |
*** leseb has joined #openstack-keystone | 19:41 | |
ayoung | afaranha, you are soaking in it | 19:42 |
*** openstackgerrit has joined #openstack-keystone | 19:42 | |
ayoung | v3 is arelady enabled | 19:42 |
ayoung | already even | 19:42 |
afaranha | but when I list it I dont get it. I get here: "request.headers.get('X-Service-Catalog', req.headers.get('X_STORAGE_TOKEN'))" | 19:44 |
afaranha | I'm stuck on this change instance ownership blueprint a long time, I always get some minor problems that I don't know how to deal with and lose a lot of time on it :P Thank you | 19:44 |
ayoung | afaranha, "when I list it" how? | 19:46 |
ayoung | afaranha, the catalog is going to return what you set in it for the endpoints. | 19:47 |
ayoung | You need to make sure that you are making calls on the V3 suburl, and not V2 | 19:47 |
ayoung | did that hack ever get into keystoneclient? I thought so... | 19:47 |
afaranha | I get a request instance from a nova extension (action(self, req, id, body)) and do the following: | 19:48 |
afaranha | catalog = req.headers.get('X-Service-Catalog', req.headers.get('X_STORAGE_TOKEN')) | 19:48 |
afaranha | LOG.debug("Catalogs: %s" % catalog) | 19:48 |
stevemar | morganfainberg, thanks for the help on the trust not found message | 19:48 |
morganfainberg | stevemar, np | 19:48 |
morganfainberg | stevemar, was easy :) | 19:49 |
*** chandan_kumar_ has quit IRC | 19:49 | |
*** Krsna has joined #openstack-keystone | 19:51 | |
Krsna | Could someone point me in the direction to test out federated keystone. Using keystone as the idps instead of saml2, or is this feature still under development? | 19:52 |
afaranha | ayoung: Since I'm using it in Nova API, It's using V2. To get the catalog for keystone v3 I should not get it in the request header? So I need to list it in keystone? If I need to list it by keystone, it'll be V2, since I need an endpoint and the only endpoint I have is the Keystone V2. | 19:53 |
ayoung | afaranha, Huh? | 19:53 |
Krsna | I followed the few lines of direction here http://docs.openstack.org/developer/keystone/extensions/federation-configuration.html, however I did not see the new create_idp, etc cruds | 19:53 |
ayoung | afaranha, there are some assumptions in what you are saying that I don't really understand | 19:54 |
ayoung | Nova needs to start with a Keystone url it gets out of the catalog. and then it needs to chop /v2.0 off that if it is going to call on the V3 api | 19:54 |
*** d0ugal has quit IRC | 19:54 | |
ayoung | I assume you are not using keystoneclient for any of this | 19:55 |
afaranha | ayoung: Sorry, I didn't understand how could I list V3 version. The only way I know to do it is by the request headers (that I'm currently using) and by keystone.endpoints. | 19:55 |
afaranha | ayoung: Yes, to get the endpoint I'm not using keystone | 19:55 |
ayoung | afaranha, "request.headers.get('X-Service-Catalog' is data populated by auth token middleware into the Nova request. Nova needs to take that information and make a keystone call | 19:57 |
Krsna | From what I am reading it seems that some design decisions are still being discussed. However, if there is a clear path ahead and if the federated keystone feature is still under dev, where can I start to jump in help? | 19:57 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398 | 19:58 |
ayoung | but I don't know the code that does that...basically, pull the endpoint out of the service catalog, chop off v2.0 and make your call on Keystone to get the data you need. | 19:58 |
stevemar | marekd|away, yay for getting keystoneclient stuff merged! | 19:58 |
bknudson | dolphm: ^ that's using the config list | 19:58 |
stevemar | well... approved anyway | 19:59 |
*** david_lyle_ has joined #openstack-keystone | 20:01 | |
afaranha | ayoung: Sorry, but I need an endpoint to instantiate the keystoneclient. I get the endpoint in the request headers and then instantiate it "keystoneclient.Client(token=context.auth_token, auth_url=auth_url, endpoint=auth_url)" auth_url contains the endpoint information. | 20:03 |
afaranha | How am I able to instantiate the keystoneclient without an endpoint? | 20:03 |
*** dklyle has joined #openstack-keystone | 20:03 | |
ayoung | afaranha, so you ARE using keystone client? | 20:03 |
afaranha | ayoung: yes, I'm using it. I use it to list projects and users. | 20:04 |
bknudson | what's context.auth_token? | 20:04 |
*** david-lyle has quit IRC | 20:04 | |
bknudson | don't you want to use the nova service credentials? | 20:04 |
bknudson | also, is nova service be allowed to list projects and users? | 20:04 |
bknudson | is nova service allowed to list projects and users? | 20:05 |
bknudson | if move to federation there will be no user list. | 20:05 |
afaranha | But I need keystoneclient V3, because in the current v2 I'm not able to do "keystoneclient.users.list()" I get an error, and when I change manually to V3 it works fine | 20:05 |
bknudson | afaranha: there's a keystoneclient.v3.Client | 20:05 |
*** david_lyle_ has quit IRC | 20:06 | |
dolphm | bknudson: that looks like it's going to unnecessarily hash it a second time with md5? | 20:07 |
ayoung | bknudson, did we merge the hack that lets the client chop off the /v2.0 | 20:07 |
bknudson | dolphm: in which case? | 20:07 |
bknudson | all cases? | 20:07 |
bknudson | (this is what it was already doing) | 20:07 |
afaranha | bknudson: yes, but I need a V3 endpoint also to make it work. When I'm using "from keystoneclient.v3 import client" "keystoneclient.Client(token=context.auth_token, auth_url="http://10.1.0.32:5000/v3", endpoint=http://10.1.0.32:5000/v3)" it works fine | 20:07 |
dolphm | bknudson: yeah, as a result of token_id = token_id or token_hash | 20:07 |
ayoung | afaranha, use 35375 | 20:07 |
ayoung | 5000 is the auth url, but doesn't have all of the admin functions | 20:08 |
bknudson | dolphm: it hashes it using sha256, checks cache, if it's not there then tries the same with md5 | 20:08 |
afaranha | ayoung: I also tried that, and with keystone.v2 and only keystone, and with "http://10.1.0.32:5000/v2.0" also | 20:08 |
ayoung | afaranha, chop the /v2.0 off the endpoint in the service catalog. I think the change we need to make things work is not yet in the client | 20:09 |
bknudson | dolphm: token_id is None the first time through and the next time through it'll be the sha256 hash so will stay the sha256 hash | 20:09 |
dolphm | bknudson: but you're still doing the work of creating the md5 hash | 20:09 |
*** d0ugal has joined #openstack-keystone | 20:09 | |
*** d0ugal has quit IRC | 20:09 | |
*** d0ugal has joined #openstack-keystone | 20:09 | |
bknudson | dolphm: right, we have to check both sha256 and md5 | 20:10 |
dolphm | bknudson: well you have to check sha256, and then maybe md5 | 20:10 |
afaranha | ayoung: Ok, I'll try it, thank you, at the moment the cloud I'm working on is down, but when people fix it I'll try. Thank you | 20:10 |
dolphm | bknudson: you don't have to check *both* every time | 20:10 |
bknudson | dolphm: if sha256 was in the cache then it would have returned | 20:10 |
dolphm | bknudson: after wasting cycles producing an md5 hash :) | 20:11 |
bknudson | dolphm: the code doesn't get to the md5 hash if the sha256 hash was found in the cache. | 20:11 |
dolphm | bknudson: oh i'm getting myself confused. i read ~1215 first which is producing both hashes | 20:12 |
bknudson | dolphm: that's the revocation list. | 20:12 |
dolphm | bknudson: does auth_token not support online validation of PKI tokens?! | 20:12 |
bknudson | dolphm: I don't think there's any online validation of pki tokens. | 20:13 |
bknudson | you'd have to hash the token first | 20:13 |
dolphm | bknudson: exactly - that's where the conversation (and bug reported) started | 20:13 |
bknudson | dolphm: I think the bug was just don't use md5. | 20:13 |
bknudson | there's another bug that was about checking revocation list for token hash. | 20:14 |
dolphm | bknudson: when it was filed, that's the only place we were using md5: GET /v2.0/tokens/{md5_hashed_pki_token} | 20:14 |
*** openstackstatus has quit IRC | 20:15 | |
bknudson | dolphm: auth_token didn't cache pki tokens? | 20:16 |
*** openstackstatus has joined #openstack-keystone | 20:16 | |
bknudson | or maybe it cached them by the full pki token and that was broken | 20:16 |
dolphm | bknudson: exactly | 20:16 |
dolphm | bknudson: chasing token_id through this method makes my head hurt... | 20:16 |
dolphm | bknudson: if you have a PKI token that isn't in the cache, it looks like it's going to write an md5 hash as the key in L879 back to the cache | 20:18 |
dolphm | bknudson: bah, i'm wrong again :) | 20:18 |
bknudson | dolphm: it writes token_id.... which should only have been set to the first hash. | 20:19 |
bknudson | dolphm: I'm sure this could all be made more obvious | 20:19 |
dolphm | bknudson: i'm sure it could too - can you move L862 after L866? that might help a tiny bit | 20:20 |
dolphm | bknudson: or even rewrite it as if token_id is None: token_id = token_hash | 20:20 |
bknudson | dolphm: will do. | 20:20 |
bknudson | dolphm: I'll do that too | 20:20 |
dolphm | bknudson: s/first/preferred/ ? | 20:20 |
bknudson | dolphm: will do. | 20:21 |
dolphm | i wish we didn't treat PKI tokens any differently from UUID tokens | 20:23 |
dolphm | (hash them both equally, etc) | 20:23 |
morganfainberg | dolphm, can we make that change? | 20:24 |
dolphm | bknudson: logic seems right to me as-is | 20:24 |
morganfainberg | dolphm, auth_token makes my head hurt when i get into the caching bits | 20:24 |
dolphm | morganfainberg: i think it'd be a slight pain to make that transition, but we could | 20:24 |
dolphm | morganfainberg: as painful as what bknudson is working on now! | 20:24 |
bknudson | dolphm: I'll push up the latest version with the other comments. | 20:24 |
morganfainberg | dolphm, hehe | 20:24 |
dolphm | this will require conf updates in other projects, right? | 20:25 |
htruta | dolphm, ayoung: do you know it there is anyone working on this BP https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens ? | 20:25 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398 | 20:25 |
htruta | if* | 20:25 |
ayoung | htruta, topic of discussion for the summit | 20:25 |
bknudson | dolphm: since it supports md5 they can keep their existing config. | 20:25 |
ayoung | htruta, but please feel free to take a hack at it | 20:25 |
dolphm | htruta: no one is right now. arvind assigned it to himself without knowing what it was, and i proposed my thoughts on the API here https://review.openstack.org/#/c/61869/ | 20:26 |
ayoung | been a few people expressing interest, but no work yet | 20:26 |
dolphm | bknudson: i mean sample conf updates | 20:26 |
bknudson | dolphm: Yes, I think so... some have got a sample conf generators now. | 20:27 |
ayoung | htruta, I think that the right solution is going to be to add values to the token request saying "only this service" or "only this endpoint" or "only these roles" | 20:27 |
dolphm | bknudson: i'm planning on cutting 0.8.0 ASAP for https://review.openstack.org/#/c/86321/ but don't want to cause pain to other projects while RC windows are open | 20:27 |
ayoung | and then enforcement is going to have to be in auth_token middleware | 20:27 |
bknudson | dolphm: this doesn't need to be in 0.8.0 | 20:27 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398 | 20:33 |
bknudson | ^ this one will only hash with the preferred if found in revocation list. | 20:33 |
*** harlowja is now known as harlowja_away | 20:36 | |
*** Mikalv has joined #openstack-keystone | 20:38 | |
*** jamielennox|away is now known as jamielennox | 20:43 | |
htruta | dolphm, ayoung: hm... thanks! i'll see what i can do | 20:44 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: eliminate race condition fetching certs https://review.openstack.org/86321 | 20:46 |
*** G________ has joined #openstack-keystone | 20:50 | |
*** harlowja_away is now known as harlowja | 20:55 | |
*** erecio has quit IRC | 20:56 | |
*** G________ has quit IRC | 20:56 | |
*** raildo has quit IRC | 20:59 | |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Adds table and model for storing rotated passwords https://review.openstack.org/73368 | 20:59 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: password rotation extension WIP https://review.openstack.org/74623 | 20:59 |
*** dklyle is now known as david-lyle | 21:03 | |
*** diegows has quit IRC | 21:04 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add service name to catalog https://review.openstack.org/78410 | 21:05 |
*** G________ has joined #openstack-keystone | 21:14 | |
dstanek | topol: i just saw your comment in my review about small patches; you're welcome :-) but it's more for me than you | 21:14 |
*** openstackstatus has quit IRC | 21:14 | |
*** gokrokve has quit IRC | 21:14 | |
dstanek | now that's weird - it looks like i lost a commit | 21:15 |
topol | dstanek, your approach makes reviewing a very pleasant one! | 21:15 |
dstanek | topol: i start out with a lot of local changes in a bunch of 'wip' commits - when i want to share i break it up sanely so i know what people are looking at | 21:16 |
dstanek | interactive rebasing is my best friend | 21:17 |
*** openstackstatus has joined #openstack-keystone | 21:22 | |
morganfainberg | topol, i saw a comment on the summit sessions by btopol, it took me > 5 minutes to figure out who that was. | 21:23 |
morganfainberg | topol, i am embarrassed | 21:23 |
morganfainberg | topol, :P | 21:23 |
topol | morganfainberg, it's nice to see I am making significant impression on key OpenStack contributors such as yourself :-) | 21:25 |
dstanek | ha ha | 21:25 |
topol | morganfainberg I am one chart deck and one blog article away from getting to go back to doing keystone reviews... | 21:26 |
morganfainberg | topol, if the name had been "topol" i would have connected it, but who the heck is btopol | 21:26 |
dstanek | topol: i'm not a key contributor, but you've made an impression on me! | 21:26 |
*** gokrokve has joined #openstack-keystone | 21:27 | |
morganfainberg | it's kinda like when stevemar2 appears in the channel | 21:27 |
morganfainberg | who the heck is that guy | 21:27 |
topol | dstanek gets an extra beer when I buy the first night | 21:27 |
morganfainberg | topol, oh so he's getting my share of beer... then :( | 21:28 |
morganfainberg | topol, :P | 21:28 |
topol | morganfainberg, nah... he just gets extra | 21:28 |
dstanek | now this is embarrassing - i merged two commits on accident | 21:28 |
topol | morganfainberg, dstanek, That's assuming I have money of course. I travel 5 days to Vegas for IBM Impact conference end of April. Did I mention everyone in my family has a gambling problem?? | 21:29 |
morganfainberg | dstanek, that's what you get for doing interactive rebasing! :P | 21:29 |
*** thedodd has quit IRC | 21:30 | |
morganfainberg | topol, so... what you're saying is we should bet you for drinks on any given night? | 21:30 |
* lbragstad looks up card counting strategies for topol | 21:30 | |
topol | morganfainberg, i think the addiction only applies to limit and no limit texas holdem poker | 21:30 |
*** diegows has joined #openstack-keystone | 21:30 | |
morganfainberg | topol, hehe | 21:31 |
*** thedodd has joined #openstack-keystone | 21:32 | |
nkinder | ayoung: that LDAP attribute case sensitivity thing is a bug in keystone | 21:33 |
nkinder | ayoung: I've got a patch written up that I'm testing out | 21:33 |
*** derek_c has quit IRC | 21:35 | |
stevemar | morganfainberg, was that stevemar2 guy here again? hate him. | 21:39 |
*** topol has quit IRC | 21:40 | |
morganfainberg | stevemar, yeah | 21:42 |
*** derek_c has joined #openstack-keystone | 21:48 | |
*** derek_c has quit IRC | 21:54 | |
*** gokrokve has quit IRC | 21:58 | |
*** david-lyle has quit IRC | 22:02 | |
Krsna | Who should I ping about federated keystone? | 22:04 |
morganfainberg | Krsna, stevemar and marekd|away are two very good resources that worked heavily on it | 22:07 |
morganfainberg | Krsna, i can try and answer some questions | 22:07 |
morganfainberg | Krsna, it depends on what you're trying to accomplish | 22:08 |
stevemar | morganfainberg, whats up | 22:08 |
morganfainberg | stevemar, ^ | 22:08 |
Krsna | morganfainberg: that would be awesome. I am trying to setup and test basic federated keystone. If the full implementation is not in place then i would like to help out. | 22:08 |
morganfainberg | Krsna, so you want keystone to be the IDP and federate to other keystones? | 22:08 |
Krsna | I followed the few lines of direction here http://docs.openstack.org/developer/keystone/extensions/federation-configuration.html, however I did not see the new create_idp, etc cruds | 22:09 |
morganfainberg | Krsna, or use a SAML provider (free IPA? or similar) and have multiple keystones consume that? | 22:09 |
Krsna | morganfainberg: that is correct | 22:09 |
Krsna | morganfainberg: keystone to be the IDP and federate to other keystones not SAML | 22:09 |
morganfainberg | Krsna, ah, keystone can consume external IDPs but can only provide identity to itself at the moment | 22:09 |
morganfainberg | Krsna, short of using a shared (replicated) ldap or sql backend | 22:09 |
*** leseb has quit IRC | 22:10 | |
morganfainberg | Krsna, that exact usecase is on my "can we have that! and how do we get there" short list | 22:10 |
morganfainberg | Krsna, i really want that functionality | 22:10 |
morganfainberg | stevemar, i've talked to you about that before actually. | 22:11 |
morganfainberg | Krsna, i think we even have a summit proposal for the ATL summit on this topic | 22:11 |
Krsna | morganfainberg: I don't know if I fully understood that. I would like to have keystone be the IDP and point (federate) to other keystones (some using sql backend others using LDAP) | 22:11 |
*** gokrokve has joined #openstack-keystone | 22:12 | |
morganfainberg | Krsna, right now, you can achieve this by replicating the backend data. This has a lot of issues | 22:12 |
Krsna | if that is not possible yet then where could you point me to start to implement that so that when I come to the ATL summit we can make some real progress? | 22:12 |
morganfainberg | Krsna, in the future i want keystone (as soon as we can implement it) to be able to be a federated IDP to another keystone server | 22:12 |
*** leseb has joined #openstack-keystone | 22:12 | |
morganfainberg | Krsna, right now it isn't possible. | 22:12 |
Krsna | morganfainberg: ahhhh i see. basically you have to have the same data in all the different keystone instances? | 22:13 |
jamielennox | stevemar: has all that stuff with oauth libraries in stable been finished? | 22:13 |
morganfainberg | Krsna, correct. keystone doesn't provide data to other keystones (identity data) via a federated protocol. we haven't gotten there. | 22:13 |
stevemar | Krsna, right now we only support federation when using the SAML federation protocol, not other keystone instances | 22:14 |
morganfainberg | Krsna, if you're interested in this, i know i've heard from a number of deployers that would love that kind of support (I am one of them) | 22:14 |
stevemar | jamielennox, not yet, i'm waiting on the library being approved.. https://review.openstack.org/#/c/82929/ | 22:14 |
Krsna | morganfainberg, stevemar: where can I start to implement keystones via federated protocol | 22:15 |
jamielennox | stevemar: no worries, just looking through what reviews i've missed | 22:15 |
stevemar | jamielennox, and jogo had to make a bunch of changes to infra so it wouldn't break again | 22:15 |
Krsna | morganfainberg: Perfect! in that case where can I start? | 22:15 |
*** thedodd has quit IRC | 22:15 | |
stevemar | jamielennox, nah you're good | 22:15 |
morganfainberg | stevemar, Krsna, not sure where to start, i kind of would like it if keystone spoke SAML to other keystones... but i think we'd need to support some kind of common federation protocol (preferably not invent a new one) | 22:16 |
*** leseb has quit IRC | 22:17 | |
Krsna | morganfainberg: Do we have some kind of documentation of what we got now? That way I can catch up and think of other implementation ideas. | 22:17 |
stevemar | Krsna, it's all here: https://review.openstack.org/#/c/81022/2/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md | 22:17 |
stevemar | oops | 22:17 |
stevemar | i meant https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md | 22:17 |
morganfainberg | stevemar, lol | 22:18 |
stevemar | i rely on chromes auto-filling waaaay too much | 22:18 |
morganfainberg | Krsna, i think the first step is to figure out the best way for keystone to communicate to other keystones. again what kind of protocols make the most sense. | 22:18 |
stevemar | Krsna, also, a neat ppt -> https://github.com/stevemart/OpenStackFederation/blob/add_os_federation_slides/federated_identity_in_icehouse_4_8_14.pdf | 22:19 |
morganfainberg | Krsna, i really do want to avoid inventing another "federation" protocol just for keystone (unless there is a damn good reason to) | 22:19 |
Krsna | morganfainberg: well, if the saml works and we can leverage that then that is a good idea. | 22:19 |
stevemar | morganfainberg, yeah, we really don't want to create our own protocol here | 22:19 |
morganfainberg | Krsna, pysaml has issues but i started looking at it | 22:19 |
Krsna | stevemar: thanks for the resources keep them coming. I will read those and come back if I have questions. | 22:20 |
morganfainberg | Krsna, i think there was another lib that would let python act as a saml provider | 22:20 |
morganfainberg | Krsna, keep in mind that py33 compatibility is also important | 22:20 |
stevemar | so we really don't want to rely on libraries that are not py33 compatible, like python-oauth2 :( | 22:21 |
stevemar | i learned my lesson from that one | 22:21 |
Krsna | morganfainberg: I will read more on pysaml and saml in general and see where I get. Are we making the assumption that all the different instances of keystone live on the same node/cluster/network or they can be on a remote cluster? | 22:23 |
*** derek_c has joined #openstack-keystone | 22:23 | |
morganfainberg | Krsna, if the backend data is not shared (e.g. a federated IDP), it shouldn't matter where keystone lives | 22:23 |
morganfainberg | Krsna, the federated keystone that is | 22:24 |
Krsna | right. | 22:24 |
morganfainberg | Krsna, the whole point would be so that a remote keystone server could provide identity to your local keystone (e.g. cross businesses, cross AZ, cross deployment, etc) | 22:25 |
morganfainberg | Krsna, i'm very happy to see more interest in this :) | 22:25 |
Krsna | morganfainberg: Let me ask you a question. As a cluster admin I want to have an internal list of service accounts managed via sql (or whatever background) at the same time I would like to be able to have ldap backend that manages users,etc. Does federated keystone sound like the best solution? After reading through my options that seems to be the best bet | 22:26 |
*** G________ has quit IRC | 22:26 | |
morganfainberg | stevemar, ^ Krsna, I think this sounds more like a multi-backend approach. we have some stub code (should be fleshed out for Juno) that does exactly this: keystone reads identity information from multiple backends, e.g. multiple ldap servers, ldap servers and mysql, etc | 22:27 |
morganfainberg | Krsna, you could do it with federation as well. | 22:28 |
*** wchrisj_ has quit IRC | 22:28 | |
*** htruta has quit IRC | 22:28 | |
*** derek_c has quit IRC | 22:29 | |
*** openstack has joined #openstack-keystone | 22:33 | |
morganfainberg | Krsna, but there are use-cases for both, likely we will eventually support both. | 22:34 |
bknudson | dstanek: I thought the new release was imminent when we discussed it last. | 22:34 |
Krsna | morganfainberg: Either way sounds interesting. I will need to speak to my higher ups and see which one seems to satisfy the use case I gave you best. Then I should be able to work on one of those solutions. | 22:34 |
morganfainberg | Krsna, sounds good! let me know | 22:35 |
dstanek | bknudson: not sure what their release schedule is like, but our check can be disabled easily | 22:35 |
Krsna | morganfainberg: Will do. Thank you for clearing things up for me. Is this the best way to stay in touch with you? | 22:36 |
morganfainberg | Krsna, here on IRC, i'm US Pacific timezone but lurk around a lot | 22:36 |
Krsna | morganfainberg: I am in SF, we should be good ;) Thanks again. | 22:37 |
morganfainberg | Krsna, so often (even weekends) I'll respond (if my name is morganfainberg_Z on IRC, I'm away, but i'll see any messages you leave for me) | 22:37 |
* morganfainberg uses an IRC bouncer to capture IRC chatter when computer is off/not on the network. | 22:37 | |
Krsna | morganfainberg: Will keep that in mind. | 22:38 |
*** leseb has joined #openstack-keystone | 22:40 | |
*** derek_c has joined #openstack-keystone | 22:42 | |
*** leseb_ has joined #openstack-keystone | 22:42 | |
Krsna | morganfainberg: Ok setting up a meeting and will let you know the outcome. Just a few more questions if you don't mind. How many people do we have working on this other than you and I? Other than figuring out and implementing how keystone instances talk to one another what else would be needed ? | 22:43 |
morganfainberg | Krsna, the keystone core team would be involved (review / vetting / etc) and more specifically stevemar marekd|away did a bunch of the other federated work so i expect them heavily involved | 22:44 |
*** leseb__ has joined #openstack-keystone | 22:44 | |
*** leseb has quit IRC | 22:45 | |
Krsna | morganfainberg: Got it, and for keystone to act as the IDP federated to other keystones, only the protocol for them to speak is what is needed? | 22:46 |
morganfainberg | Krsna, well, there will need to be the protocol and the supporting implementation | 22:47 |
*** leseb_ has quit IRC | 22:47 | |
morganfainberg | Krsna, but i think we should determine what options we have / protocols first rather than implementing something and then trying to wedge a protocol into that implementation | 22:47 |
Krsna | morganfainberg: fully agree. I hate throwing away code. Better to take the extra time to determine what we want/where we headed before writing code | 22:49 |
*** leseb__ has quit IRC | 22:49 | |
*** marcoemorais has quit IRC | 22:50 | |
morganfainberg | yep | 22:50 |
*** marcoemorais has joined #openstack-keystone | 22:50 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398 | 22:58 |
bknudson | jamielennox: thanks for the feedback on ^ ! | 23:00 |
jamielennox | bknudson: np - i guess that makes sense with the revocation list | 23:01 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Hash functions support different hash algorithms https://review.openstack.org/86202 | 23:02 |
bknudson | I haven't updated the keystone code for this change yet. | 23:02 |
jamielennox | the time period where you will actually have multiple algorithms configured should be fairly small so there's not a long term overhead for checking both algorithms against the list | 23:02 |
bknudson | jamielennox: it should be the token expiration time | 23:02 |
*** dims has quit IRC | 23:02 | |
bknudson | so 60 mins by default | 23:02 |
jamielennox | bknudson: so you want to hold it until it's committed to server? | 23:02 |
bknudson | jamielennox: that's a good idea | 23:03 |
jamielennox | ok, put a -2 or a WIP on it | 23:03 |
bknudson | I WIP'd it good. | 23:03 |
jamielennox | but it looks fine to me | 23:03 |
morganfainberg | bknudson, do you have your energy dome hat to go with the comment there? | 23:06 |
openstackgerrit | A change was merged to openstack/keystone: Adding more descriptive error message https://review.openstack.org/86187 | 23:15 |
*** diegows has quit IRC | 23:18 | |
*** gokrokve has quit IRC | 23:22 | |
*** wchrisj has joined #openstack-keystone | 23:28 | |
bknudson | morganfainberg: what comment? | 23:28 |
bknudson | oh... I didn't know what an energy dome hat was. | 23:29 |
bknudson | I thought they were flower pots | 23:29 |
morganfainberg | the WIP'd it good | 23:29 |
morganfainberg | haha | 23:29 |
morganfainberg | yeaaaah | 23:29 |
*** marcoemorais has quit IRC | 23:31 | |
*** marcoemorais has joined #openstack-keystone | 23:32 | |
bknudson | https://review.openstack.org/#/c/81041/ is somehow hitting bug 1300581 pretty consistently somehow | 23:32 |
uvirtbot | Launchpad bug 1300581 in keystone "test_revoke.RevokeTreeTests.test_cleanup fails" [Critical,Triaged] https://launchpad.net/bugs/1300581 | 23:32 |
bknudson | maybe it's just bad luck... sometimes on py26 and sometimes py27 | 23:33 |
bknudson | I haven't been able to recreate | 23:33 |
morganfainberg | bknudson, same, can't recreate locally | 23:33 |
morganfainberg | bknudson, i keep trying, even did a tight loop of testing | 23:33 |
morganfainberg | never failed | 23:33 |
bknudson | morganfainberg: The only thing I could think of looking at the code was somehow the same timestamp is getting returned... | 23:34 |
bknudson | would require a pretty fast computer. | 23:34 |
*** stevemar has quit IRC | 23:34 | |
morganfainberg | it's an odd one | 23:34 |
bknudson | or a broken clock | 23:34 |
bknudson | although I think from the output it's saying there's an extra one | 23:35 |
bknudson | maybe some better output would help | 23:35 |
morganfainberg | inverse | 23:35 |
morganfainberg | there aren't enough | 23:35 |
morganfainberg | we expect N but found N-1 | 23:35 |
bknudson | that would make more sense | 23:35 |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Adds style checks to ease reviewer burden https://review.openstack.org/78119 | 23:36 |
*** browne has quit IRC | 23:45 | |
*** wchrisj has quit IRC | 23:47 | |
*** Chicago has quit IRC | 23:51 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: More debug output for test https://review.openstack.org/86472 | 23:54 |
*** Chicago has joined #openstack-keystone | 23:54 | |
*** Chicago has joined #openstack-keystone | 23:54 |