Thursday, 2014-04-24

*** gokrokve has quit IRC00:03
*** browne has quit IRC00:12
*** marcoemorais has quit IRC00:13
*** browne has joined #openstack-keystone00:13
*** marcoemorais has joined #openstack-keystone00:15
*** browne has quit IRC00:17
boris-42morganfainberg ping00:18
boris-42Seems like something wired is happening with keystone00:23
boris-42when it is under load for a long period of time00:23
boris-42^ take a look at these graphs ^00:24
bknudsonboris-42: that's why we need rally00:24
boris-42bknudson take a look at graph00:24
boris-42bknudson first 3k iterations everything was fine00:24
boris-42bknudson and then BOOM00:24
boris-42bknudson btw rally gates are almost ready00:25
bknudsonit crashed by browser00:25
boris-42bknudson hehe00:25
boris-42bknudson we should improve this stuff00:25
boris-42bknudson when we have 6k iterations..00:25
boris-42let me just share image00:26
*** praneshp has quit IRC00:26
boris-42most of errors are timeouts00:28
boris-42to /tokens00:28
bknudsonboris-42: mysql?00:28
boris-42bknudson it was devstack installation with apache in localsc00:29
boris-42so I think yes mysql00:29
bknudsonboris-42: there's plans for juno to have ephemeral tokens so we won't have to store those in the db00:29
*** joesavak has joined #openstack-keystone00:30
bknudson20 seconds to get a token?00:30
bknudsoneven that seems like a long time!00:30
*** gokrokve has joined #openstack-keystone00:30
boris-42timeout was set to 3000:30
boris-42so nope benchmark is a bit another00:30
boris-421) create user 2) delete user00:30
boris-42^ 2 steps00:31
bknudsonboris-42: does it get a token every time?00:31
boris-421) get token00:31
boris-422) create user00:31
boris-423) delete user00:31
bknudsonso the token table will continue to grow00:31
boris-426k times under load of 50 concurrency scenarious00:31
bknudsonif you want to test user creation time, don't create a token every time00:32
boris-42but it should have only 6k records00:32
boris-42bknudson we have some kind of rules inside rally about benchmarking00:32
boris-42we are simulating real situations00:32
boris-42so no caching between to iterations00:32
bknudsonI'm not sure how realistic it would be for a cloud to have 50 concurrent users creating 6k users.00:33
bknudsonand then deleting them right away00:33
bknudsonboris-42: doesn't a test with just getting a token show the same thing?00:33
boris-42bknudson I didn't run it00:33
boris-42bknudson with such amount of iterations00:34
*** jsavak has joined #openstack-keystone00:34
bknudsonboris-42: it's more realistic that a cloud would have 50 concurrent users getting 6k tokens.00:34
*** amcrn has joined #openstack-keystone00:34
boris-42bknudson that is possible to do00:34
*** gokrokve has quit IRC00:34
boris-42bknudson and benchmark as well00:34
boris-42bknudson and it is possible to make next benchmark create 1 tenant + N users (where N you may specify)00:35
boris-42bknudson but in any case00:36
boris-42bknudson why this thing is so sharp?00:36
boris-42bknudson why it didn't raise smooth00:37
bknudsonboris-42: maybe a case of a database lock changing mode from row to table?00:37
*** zhiyan_ is now known as zhiyan00:37
bknudsonor switching from something fitting in memory to moving to disk?00:37
bknudson(e.g., the token table)00:38
boris-42bknudson but it's not so huge00:38
*** joesavak has quit IRC00:38
boris-42bknudson I will try to repeat this experiment00:38
boris-42bknudson with new deployment00:38
bknudsonboris-42: you  said this is running keystone in apache?00:39
boris-42bknudson yep00:40
bknudsonboris-42: how many keystone processes do you wind up with?00:40
boris-42bknudson btw started one more time benhmark00:40
bknudsonapache log usually shows startup of the servers00:40
boris-42bknudson everything works fine!00:40
boris-42bknudson lol00:41
boris-42I mean I run just 100 iterations00:41
boris-42all passed00:41
boris-42running one more time 20000:41
bknudsonI thought it was 3000 was the problem?00:42
boris-42bknudson yep00:42
boris-42bknudson after 3k00:42
boris-42bknudson something happened00:42
boris-42bknudson but I just wait for some period of time00:42
bknudsonif requestcount > 3000: sleep(40)00:43
boris-42bknudson and re run just 100 iterations to check does it make sense that the load was continious00:43
boris-42yep something like that=)00:43
boris-42actually no00:44
boris-42if avg_load_for_last_is(50) and requestcount > 3000: sleep(40)00:44
bknudsonoh, it wakes back up again?00:44
boris-42it works fine00:44
boris-42I run 200 iterations with load of 50 concurrency scnearios00:45
bknudsonso maybe it gets backed up and can't recover?00:45
boris-42and it works fine00:45
boris-42but something strange is happaning00:45
bknudsonfor example, if it doesn't notice that clients disconnect and cancel the operation00:45
boris-42bknudson hm probably00:46
boris-42bknudson seems like there is some data and GC00:47
boris-42bknudson and if load is bigger then XXX after some time GC is not able to cleanup everything00:47
boris-42bknudson not super big expert of keystone code00:47
boris-42bknudson seems like I should deep dive into it00:48
bknudsoncould be. keystone doesn't do anything special with gc as far as I know00:48
boris-42bknudson I will try to run just authenticate benchmark00:48
boris-42bknudson so we will be able to localize issue00:49
bknudsonboris-42: I think that one's more important than speed of creating users.00:49
boris-42yep cause probably the same can happen even on smaller load00:49
boris-42bknudson so sorry but I have to sleep a bit=)00:50
boris-425 a.m. lol00:50
boris-42bknudson see you later00:50
bknudsonboris-42: ok, thanks for working on this00:50
bknudsonwill be really valuable if we can have some numbers to work with00:51
bknudsonwe'll be able to see if token compression helps00:53
bknudsonand ephemeral tokens00:53
bknudsonand revocation events00:53
bknudsonthese are all being done to supposedly improve performance.00:53
*** jsavak has quit IRC00:54
*** huats_ has joined #openstack-keystone00:58
*** huats_ has quit IRC00:58
*** huats_ has joined #openstack-keystone00:58
*** zhiyan has quit IRC00:58
*** huats has quit IRC00:58
*** gokrokve has joined #openstack-keystone00:59
*** zhiyan has joined #openstack-keystone01:00
morganfainbergboris-42, looking at the graphs now01:00
morganfainbergbknudson, oh wow01:00
*** derek_c has joined #openstack-keystone01:00
*** harlowja has joined #openstack-keystone01:00
*** theocean_ has joined #openstack-keystone01:02
*** marcoemorais has quit IRC01:02
*** theocean_ is now known as theocean15401:02
*** dstanek_zzz has quit IRC01:02
*** marcoemorais has joined #openstack-keystone01:03
*** gokrokve has quit IRC01:04
morganfainbergbknudson, that's an interesting graph01:05
*** browne has joined #openstack-keystone01:05
*** theocean154 is now known as theocean154_zzz01:24
*** marcoemorais has quit IRC01:25
*** wchrisj has quit IRC01:33
*** bach has joined #openstack-keystone01:39
*** theocean154_zzz has quit IRC01:54
openstackgerritA change was merged to openstack/python-keystoneclient: Add new error for invalid response
openstackgerritA change was merged to openstack/keystone: Fix typo on cache backend module
*** gokrokve has joined #openstack-keystone01:59
*** gokrokve has quit IRC02:00
*** gokrokve has joined #openstack-keystone02:01
*** gokrokve has quit IRC02:05
openstackgerritA change was merged to openstack/python-keystoneclient: Fix the catalog format of a sample token
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation
*** derek_c has quit IRC02:26
*** mberlin1 has quit IRC02:28
*** bach has quit IRC02:36
*** bach has joined #openstack-keystone02:37
*** amcrn has quit IRC02:41
*** mberlin has joined #openstack-keystone02:42
*** morganfainberg is now known as morganfainberg_Z02:47
*** gokrokve has joined #openstack-keystone02:59
*** praneshp has joined #openstack-keystone03:01
*** harlowja is now known as harlowja_away03:09
*** lbragstad has joined #openstack-keystone03:11
openstackgerritNathan Kinder proposed a change to openstack/keystone: Reduce excess LDAP searches
openstackgerritNathan Kinder proposed a change to openstack/keystone: Reduce excess LDAP searches
*** amcrn has joined #openstack-keystone04:06
*** gokrokve has quit IRC04:08
openstackgerritNathan Kinder proposed a change to openstack/keystone: Reduce excess LDAP searches
*** harlowja_away is now known as harlowja04:18
*** marcoemorais has joined #openstack-keystone04:20
*** stevemar has joined #openstack-keystone04:27
*** chandan_kumar has joined #openstack-keystone05:00
*** gokrokve has joined #openstack-keystone05:07
*** rwsu has quit IRC05:07
*** gokrokve has quit IRC05:11
*** lbragstad has quit IRC05:16
*** marcoemorais has quit IRC05:16
*** daneyon has quit IRC05:23
*** rwsu has joined #openstack-keystone05:23
*** bach has quit IRC05:25
*** bach has joined #openstack-keystone05:27
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** tomoiaga has joined #openstack-keystone06:02
*** gyee has quit IRC06:05
*** tomoiaga has quit IRC06:06
*** gokrokve has joined #openstack-keystone06:07
*** gokrokve has quit IRC06:12
*** harlowja is now known as harlowja_away06:30
openstackgerritA change was merged to openstack/python-keystoneclient: Limited use trusts
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Added statement for ... if ... else
*** stevemar has quit IRC06:54
*** jaosorior has joined #openstack-keystone06:57
*** bach has quit IRC06:58
*** amcrn has quit IRC07:04
*** gokrokve has joined #openstack-keystone07:08
*** marekd|afk is now known as marekd07:08
*** marcoemorais has joined #openstack-keystone07:12
*** gokrokve has quit IRC07:12
*** praneshp has quit IRC07:20
*** d0ugal has quit IRC07:27
*** d0ugal has joined #openstack-keystone07:29
*** d0ugal has joined #openstack-keystone07:29
*** andreaf has joined #openstack-keystone07:50
openstackgerritA change was merged to openstack/python-keystoneclient: Ensure that cached token is not revoked
*** bvandenh has joined #openstack-keystone08:03
*** andreaf has quit IRC08:06
*** gokrokve has joined #openstack-keystone08:09
*** jamielennox is now known as jamielennox|away08:12
*** gokrokve has quit IRC08:13
*** andreaf has joined #openstack-keystone08:40
*** huats_ is now known as huats08:57
*** derek_c has joined #openstack-keystone09:03
*** marcoemorais has quit IRC09:06
*** gokrokve has joined #openstack-keystone09:10
*** gokrokve has quit IRC09:14
*** derek_c has quit IRC09:15
openstackgerritMarek Denis proposed a change to openstack/keystone: Add detailed federation configuration docs
*** zhiyan is now known as zhiyan_09:32
*** marcoemorais has joined #openstack-keystone09:33
*** marcoemorais1 has joined #openstack-keystone09:35
boris-42morganfainberg_Z oh sorry was sleeping09:38
*** marcoemorais has quit IRC09:38
*** marcoemorais1 has quit IRC09:39
*** tomoiaga has joined #openstack-keystone09:42
*** deani has joined #openstack-keystone09:42
tomoiagaI'm trying to find out if I can limit an admin user using a token scope. If I login as admin (cloud_admin), can I limit the operations that admin can perform using the token scope ? (Or I missunderstood what the scope is)09:43
deaniI am trying to setup only glance and keystone09:43
deanibut while cofiguring the identity service according to
deanii am always getting Unable to communicate with identity service: (503, 'Service Unavailable'). (HTTP 400)09:44
tomoiagadeani: did you check the error log for keystone ? (usually /var/log/keystone.log)09:45
deaniwhile doing a keystone user-create --name=admin --pass=ADMIN_PASS --email=blabla09:45
*** bvandenh has quit IRC09:45
deani@tomoiaga: i am checking the same09:45
*** bvandenh has joined #openstack-keystone09:45
deaniis empty09:46
deanido i have to enable some thing09:46
deaniwhile restarting opestack-keystone service09:46
tomoiagaif keystone is running it should write something on the log09:47
openstackgerritMatthieu Huin proposed a change to openstack/keystone: More random values for oAuth1 verifier
deaniwell this is the problem09:48
deanikeystone is dying09:48
deani[root@mccvm162 ~]# service openstack-keystone status keystone dead but pid file exists09:48
deanii can restart the same but it again dies when ever i try to add09:49
tomoiagadoes it die after you run the command or just after the restart ?09:49
tomoiagaok, try to enable debug logging and verbose09:49
tomoiagain /etc/keystone/keystone.conf09:49
tomoiagaprobably the db is not setup correctly, but we will see in a minute09:49
tomoiagais mysql running and if it is, do you see the keystone database there ?09:50
deaniya i recreated it09:50
deanii min hold on shall i turn on debig too09:50
deanidebug too09:50
deanioo i saw the top messsage09:51
tomoiagaI would also try to connect to mysql using the username and password configured in keystone.conf. Also the host should be setup correctly. I see in the pdf that the host is "controller". In case you have not replaced this with the actual IP/Host, this may be a problem.09:52
deaniwell i kind of suspected that09:54
deanii am connecting to the database with keystone credentials09:54
deanias root i have done these09:54
deanimysql> show databases     -> ; +--------------------+ | Database           | +--------------------+ | information_schema | | glance             | | keystone           | | mysql              | | test               | +--------------------+ 5 rows in set (0.00 sec)09:54
deani@tomoiga: I must confess that today i am ttying with the instructions in
deaniyesterday i tried with the instructions in
deanibut nonethe less the same error09:57
tomoiagadeani: set debug=True si verbose=True in keystone.conf. After that restart keystone to see if any log messages appear in the log file09:57
*** zhiyan_ is now known as zhiyan09:58
deaniI think we have narrowed down09:59
deanithe problem to the keystone db09:59
deaniso what do u want me to see in the db09:59
tomoiagais keystone connecting to the db correctly ? Or what is the error you see in the logs10:00
tomoiagayou can also try to run: keystone-manage db_sync10:00
deaniok i think the credentials10:00
deani[root@mccvm162 ~]# mysql -ukeystonedbadmin -p Enter password: ERROR 1045 (28000): Access denied for user 'keystonedbadmin'@'localhost' (using password: YES)10:00
deanibut i did the keystone-mange db_sync10:00
tomoiagayeap, try to change them and also set them correctly in keystone.conf after that10:00
tomoiagakeystone-manage db_sync tries to sync the db, it won't change users and passwords10:01
deaniwell i did this as per the URL  hastexo10:02
deanimysql -u root <<EOF CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'%'   IDENTIFIED BY 'Ue0Ud7ra'; EOF10:02
deaniso keystone should be another table in the db10:02
deanior it should be a db in itself , i am a bit confused10:02
tomoiagawell, add keystonedbadmin and the password in the keystone.conf file so keystone knows the user and password you set in mysql10:03
deani [sql] connection = mysql://keystonedbadmin:keystone@
deanii changed the pwd10:04
deaniin both places10:04
tomoiagathis needs to be: mysql://keystonedbadmin:Ue0Ud7ra@
deanii mean i did change the pwd in both places10:05
deaniso if i do mysql -u keystonedbadmin -p keystone10:05
deanii should be able to log on to the db10:05
tomoiagait should be -pkeystone if 'keystone' is the password and you want to avoid the password prompt again10:06
deaniso i am getting access denied10:06
tomoiagatry with -pUe0Ud7ra10:06
deaninahh same10:07
deaniso i should restup the db10:07
tomoiagaexecute the grant all again10:07
deanias root10:07
tomoiagalogin to mysql and execute just the grant all on … identified by 'Ue0Ud7ra';10:07
*** dims has quit IRC10:08
*** zhiyan is now known as zhiyan_10:08
deanimysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \  IDENTIFIED BY 'KEYSTONE_DBPASS'; mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \  IDENTIFIED BY 'KEYSTONE_DBPASS';10:09
deanishall i change the localhost10:09
deanito reflect my IP10:09
deaniand in some text they say to execute both the and some say one10:10
deanii am doing both10:10
*** gokrokve has joined #openstack-keystone10:11
tomoiagadeani: is the keystone server local to the db ? if yes, then since keystone will connect through localhost, you can keep localhost. If keystone is using a remote DB, than yes, you can place the keystone server IP there, or % while you test everything10:11
deanii am in a single vm10:13
tomoiagadeani: ok, localhost will do10:13
deaniso keystone, mysql and glance all 3 will be local10:13
deaniok my keystone.conf is "connection = mysql://keystonedbadmin:keystone@"10:13
tomoiagadeani: I see you granted access to 'keystone' and not keystonedbadmin. You may want to change the user in the conf file10:14
deaniso the GRANT will be like "GRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'' IDENTIFIED BY 'keystone';10:14
*** gokrokve has quit IRC10:15
tomoiagaif is your PC IP, than no, just set localhost instead of that. That IP is the IP from which a user is allowed to login. Since keystone is local , it will try to login to the DB from localhost.10:15
tomoiagaGRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'localhost' IDENTIFIED BY 'keystone'10:16
tomoiagaconnection = mysql://keystonedbadmin:keystone@localhost/keystone10:16
tomoiaga(ah, I see both had, it should have been correct that way too, sorry)10:16
deanii guess then i can use "GRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'' IDENTIFIED BY 'keystone';"10:17
tomoiagaif is your VPS IP, yes10:17
deaniyes it is10:18
deanii do not have to be consistent isnt it10:18
deanion conf i can use ip and here  local host10:18
deanibut i see a point in yr thing i wol always be using localhost10:18
deaniso use that consistently oin both places10:19
tomoiagadeani: yeah, localhost should be ok, especially since an IP can change10:19
*** dims has joined #openstack-keystone10:19
deaniconnection = mysql://keystonedbadmin:keystone@localhost/keystone   and  GRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'localhost' IDENTIFIED BY 'keystone'10:21
deanii am weak in sql10:21
deanii connected as root10:22
deaniand then said use keystone10:22
deaniand then i did the grant10:22
deanias per the official guilde they say do this too10:22
deaniGRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'%' IDENTIFIED BY 'keystone';10:22
tomoiagayes, % means any host, just in case10:23
deanihow to check if the tables are correctly10:23
tomoiagaif the connection to mysql works I would do a db_sync again10:24
deanishow tables got this10:25
deani mysql> show tables; +------------------------+ | Tables_in_keystone     | +------------------------+ | ec2_credential         | | endpoint               | | metadata               | | migrate_version        | | role                   | | service                | | tenant                 | | token                  | | user                   | | user_tenant_membership | +------------------------+10:25
tomoiagayes, should be ok10:25
tomoiagatry to create a user10:25
deanisync done10:26
deanihey founnd this10:26
deanimy keystone service is dying as soon as i restart it10:27
deaniwithout doing anythign10:27
deani Stopping keystone:                                         [FAILED] Starting keystone:                                         [  OK  ] [root@mccvm162 ~]# service openstack-keystone status10:27
tomoiagacheck the logs, to see if something new appears there10:28
tomoiagadeani: you can also try to run: keystone-all to see if any errors are printed on the screen10:30
*** marcoemorais has joined #openstack-keystone10:36
deani@tomoiaga: keystone-all is taking forever10:37
deanito complete10:37
tomoiagait won't complete, it will stay running until you hit ctrl+c. The main thing is to see if it's showing any errors or if it's running ok. Try with a second ssh connection to add a user and see if you get any errors in the screen with the keystone-all running.10:39
tomoiagastop any instance of keystone while you run keystone-all. Run keystone-all, connect to a second ssh console and try to add a user10:40
*** marcoemorais has quit IRC10:40
*** dstanek_zzz has joined #openstack-keystone10:44
*** dstanek_zzz is now known as dstanek10:44
*** waterkinfe has joined #openstack-keystone10:45
*** waterkinfe has quit IRC10:46
*** waterkinfe has joined #openstack-keystone10:47
*** waterkinfe has quit IRC10:52
*** waterkinfe has joined #openstack-keystone10:52
deaniu tehre11:08
deani@tomoiaga: i am getting the logs now11:10
deani@tomoiaga:  2014-04-24 16:07:37    DEBUG [eventlet.wsgi.server] (8771) wsgi starting up on is where the logs is standing11:10
*** gokrokve has joined #openstack-keystone11:11
deanii will be back in 30 mins11:13
*** gokrokve has quit IRC11:16
*** marcoemorais has joined #openstack-keystone11:37
*** marcoemorais has quit IRC11:41
*** chandan_kumar has quit IRC11:45
*** Rob_d has joined #openstack-keystone11:49
Rob_dhi all, starting a test deploy of icehouse today, I want to test SAML using shibboleth idp 2.4 - any tips?11:52
*** tomoiaga has left #openstack-keystone11:52
mhuRob_d, you can check this for starters:
*** jimbaker has quit IRC12:01
*** jimbaker has joined #openstack-keystone12:05
*** jimbaker has quit IRC12:05
*** jimbaker has joined #openstack-keystone12:05
Rob_dmhu, thanks12:05
*** erecio has joined #openstack-keystone12:09
*** gokrokve has joined #openstack-keystone12:12
*** erecio has quit IRC12:13
*** gokrokve has quit IRC12:17
*** erecio has joined #openstack-keystone12:24
openstackgerritAla Rezmerita proposed a change to openstack/python-keystoneclient: Enable users to manage EC2-credentials on publicURL
*** erecio has quit IRC12:27
marekdRob_d: hi, do you have your own IdP installed and running?12:30
Rob_dmarejd: I do12:31
Rob_dmarekd even^12:32
marekdRob_d: ok then :-)12:32
marekdRob_d: Depending if you already have groups, roles, projects or not you can take a look at this scripts that create required objects - IdP, protocol, mapping, group, project, role. YOu can base on that as I made it for public IdP.12:34
Rob_dmarekd: this is a great help - you have my thanks **tips hat**12:37
*** marcoemorais has joined #openstack-keystone12:37
marekdRob_d:  No problem :-)12:38
*** topol has joined #openstack-keystone12:39
*** erecio has joined #openstack-keystone12:40
*** marcoemorais has quit IRC12:42
*** waterkinfe has quit IRC12:45
*** diegows has joined #openstack-keystone12:47
*** kun_huang has joined #openstack-keystone12:56
*** ayoung has quit IRC12:59
*** gokrokve has joined #openstack-keystone13:13
*** bknudson has quit IRC13:14
*** gokrokve has quit IRC13:17
*** rodrigods has joined #openstack-keystone13:24
*** rodrigods has joined #openstack-keystone13:24
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Redundant unique constraint
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Migration DB_INIT_VERSION in common place
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync on-demand database schemas
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
openstackgerritAlan Pevec proposed a change to openstack/keystone: Refactor service readiness notification
openstackgerritAlan Pevec proposed a change to openstack/keystone: Refactor service readiness notification
*** marcoemorais has joined #openstack-keystone13:38
*** lbragstad has joined #openstack-keystone13:39
*** bknudson has joined #openstack-keystone13:41
*** marcoemorais has quit IRC13:42
*** nkinder has quit IRC13:43
*** ayoung has joined #openstack-keystone13:49
*** zhiyan_ is now known as zhiyan13:55
*** joesavak has joined #openstack-keystone13:57
*** gokrokve has joined #openstack-keystone14:01
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.
*** thedodd has joined #openstack-keystone14:15
*** wchrisj has joined #openstack-keystone14:16
*** wchrisj has left #openstack-keystone14:16
*** richm has joined #openstack-keystone14:20
*** deani has quit IRC14:30
*** nkinder has joined #openstack-keystone14:34
lbragstadmarekd: mind if I add this back in?
openstackgerritMatthieu Huin proposed a change to openstack/keystone: More random values for oAuth1 verifier
marekdlbragstad: well, if you use it - go ahead!14:38
*** marcoemorais has joined #openstack-keystone14:39
marekdlbragstad: I don't know at the moment whether those methods will be removed from V3Controller or not. I did see your discussion and arguments that you have some patches using those methods but I don't know what was  eventually the verdict..14:39
lbragstadmarekd: right, me either.14:39
marekdBTW, USA/Canada have some holiday today?14:40
lbragstadmarekd: I started working on the api validation stuff and then stumbled across the json schema impl too... so we only really need one implementation14:40
marekdlbragstad: isn't something we already discussed? With you and bknudson I think?14:41
lbragstadmarekd: yes, I think we did'14:41
marekdlbragstad: I think it was you who pointed out nova has good validation implementation based on top of jsonschema.14:42
bknudsonit was earth day a couple days ago14:42
*** marcoemorais has quit IRC14:43
marekdbknudson: and because of the 'earth day' everybody is on holiday today? :P14:43
lbragstadmarekd: yeah, I think I'll go back to the json schema impl14:44
marekdlbragstad: now i am puzzled. I thought that was your ultimate goal..14:44
lbragstadyeah it was, but I got a couple reviews on so I thought about addressing those14:45
openstackgerritLance Bragstad proposed a change to openstack/keystone: Allow 'description' in V3 Regions to be optional
openstackgerritA change was merged to openstack/keystone: Imported Translations from Transifex
*** daneyon has joined #openstack-keystone14:53
dstaneki'm looking that the exception hierarchy now; does MalformedEndpoint really deserve to be a SecurityError?14:55
*** bach has joined #openstack-keystone14:58
*** dims has quit IRC15:03
bknudsondstanek: what causes MalformedEndpoint to be returned?15:03
bknudsonif there's no reason that the user should have to know what the cause was then I think it should be a SecurityError15:03
bknudsonor some new type of error that indicates to not tell the user what the prob was15:03
dstanekbknudson: building a catalog response15:04
*** chandan_kumar has joined #openstack-keystone15:04
bknudsonI would think that only a 400-range request wasn't a security error15:04
dstanekso i may need to do some surgery :-( format_url probably shouldn't raise HTTP exceptions15:04
bknudsondstanek: I don't think that the user typically needs to know why keystone couldn't build a catalog. So SecurityError seems to make sense unless there was a better one15:05
*** dims has joined #openstack-keystone15:05
dstanekright now i want to use format_url to validate incoming urls to that we can prevent bad things from happening; so i'll proabably just change the exception it raises to be non-HTTP and have the controller catch it and raise a HTTP one15:06
*** bach has quit IRC15:06
dstanekthat way during validation i can catch an exception and get a useful message15:07
jaosoriorHi, I've noticed that using the SQL backend, when querying for users, when a certain user has no email set up, it prints the email as null. while this is not the case if the user has no description. Is there a specific reason this is made this way?15:08
jaosoriorI was thinking of filtering the null values when the data from the users is gotten15:10
Rob_djaosorior: you can describe the table - the default value for email is probably null and no value for description15:10
jaosorioryeah, that is indeed the value of the table, I was just wondering if this is the desired output API-wise. That it would actually print the key with a null value, or not print the key at all15:12
*** david-lyle has joined #openstack-keystone15:16
*** chandan_kumar has quit IRC15:16
dstanekjaosorior: where is the email actually stored?15:16
boris-42bknudson hi15:17
boris-42bknudson btw
jaosoriorwould it be better to return (api-wise) this ->  or this ->
jaosoriordstanek, at the moment I'm fixing the sql issue where the email is not actually stored, yet, I stumbled upon that, for example, in ldap, the email is stored, but if it's null, it will simply not be displayed. So I'm trying to figure out how to make it consistent.15:18
jaosoriorany suggestions?15:20
bknudsonboris-42: I'll be there15:21
boris-42bknudson and I have session for openstack cross service/project profielr15:21
boris-42bknudson without it it's actually hard to detect where is the issue in code15:22
bknudsonboris-42: do you need some kind of request ID15:22
*** bach has joined #openstack-keystone15:23
openstackgerritDavid Stanek proposed a change to openstack/keystone: Ignore broken endpoints in get_catalog
openstackgerritDavid Stanek proposed a change to openstack/keystone: Ignore broken endpoints in get_v3_catalog
boris-42bknudson actually I know there is a work in cross service request ID15:23
boris-42bknudson but this things works in a bit different way15:23
boris-42bknudson it has own ids15:23
dolphmdstanek: what makes you prefer the underlined links?
dolphms/links/urls/ anyway15:25
dstanekdolphm: nothing really - i could live with either15:26
dolphmdstanek: i find them super noisy, visually speaking15:26
dstanekunderlines just make it feel clickable, but don't really provide much other value15:26
dstanekdolphm: i wouldn't mind not having them15:27
bknudsonmy konsole adds the underline when you move the cursor over the link15:27
dolphmdstanek: are they actually clickable in whatever terminal you use?15:27
*** bach has quit IRC15:27
dstanekdolphm: yes, if i command-click links in iterm2 it will open in the browser15:28
dolphmin OS X, i have to "right" click, and it recognizes it's a link, highlights the whole thing, and gives me an option to open it (but just clicking on it doesn't do anything special)15:28
*** bach has joined #openstack-keystone15:29
dstanekdolphm: what happens if you hold down command and click?15:30
dolphmdstanek: nothing at all15:31
dolphmdstanek: option click == "right" click == two finger tap, though15:31
dstanekodd, maybe i configured something to do that along the way15:31
Rob_dwell I can't install on Ubuntu - giving up15:32
dstanekRob_d: can't install keystone?15:32
*** bach has quit IRC15:33
Rob_dsorry wrong channel - I'm trying Tuskar15:33
*** bach has joined #openstack-keystone15:36
jaosoriordstanek or dolphm, do you guys have any suggestions or insights on what I said above?15:40
dolphmjaosorior: aren't emails stored into 'extra'?15:40
dolphmjaosorior: in sql, anyway15:40
dstanekjaosorior: i think you are putting the email in with a None value and that's why it comes back null?15:40
dstanekdolphm: yes, i don't believe that we have an email column in sql15:41
jaosoriorwhy is this the case? wouldn't it be better to have a column for email?15:42
dolphmjaosorior: what would keystone use email addresses for?15:42
jaosoriorwell, that is a good point, yet, it seems to be the case that it's added in ldap15:42
jaosoriorthe bug that I'm trying to address is this one:
uvirtbotLaunchpad bug 1306835 in keystone "V3 list users  filter by email address throws exception" [Medium,In progress]15:43
jaosoriorI could of course try to get it from "extra" if needed15:43
dolphmjaosorior: it's just not a first class attribute today because openstack doesn't have a hard use case for them. i suspect that first class support for email addresses will open a very large can of worms (validation, authentication by email, etc)15:44
openstackgerritMarek Denis proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples.
jaosoriorAlright, I'll use the "extra" attributes then15:45
dstanekdolphm: i'm going to drop that ssh pull request. i've started using the config file and that works well enough15:46
dolphmdstanek: fair enough15:46
*** browne has joined #openstack-keystone15:48
dolphmjaosorior: i'm not really sure what the best way to solve that bug would be. we shouldn't be raising an exception, obviously, but i'd hesitate to say that any special support for 'email' is the correct solution either (i.e. we could make email a first class attribute in the API, etc, and then i could file the same bug for "maiden_name", for example)15:48
*** marekd is now known as marekd|away15:48
dolphmjaosorior: i think the exception avoided before anything else?15:49
jaosoriorWell, email IS an attribute that's specified as queriable15:50
jaosoriorIn the documentation15:50
dstanekdolphm: what is this doing?
dstaneklooks like we anticipate email being firt class?15:51
dolphmdstanek: filterprotected?15:51
dolphmdstanek: oh that's weird...15:51
jaosoriorIf it really should not be a first class attribute I could try to fix that also15:53
dolphmdstanek: i can't find any meaningful tests using 'email', even for ldap (the one ldap test asserts that email can be ignored)15:57
dolphmmost of the references to 'email' in tests are basically just asserting that arbitrary attributes can be shuffled around15:58
dolphmjaosorior: dstanek: is filterprotected() what's mistakenly trying to access ?15:58
*** ericn has joined #openstack-keystone15:58
dolphmjaosorior: if so, removing email from that list is probably the fix! ^15:59
jaosoriorFair enough, sounds like a plan then15:59
jaosoriorBy the way, had anybody gotten the rest suite to work on arch Linux?16:01
jaosoriorI've been working on ubuntu but it would also be cool to be able to work on my arch machine16:02
*** dims has quit IRC16:03
*** leseb has joined #openstack-keystone16:04
*** dims has joined #openstack-keystone16:06
*** bvandenh has quit IRC16:14
dstanekdolphm: i don't think removing it would fix it - i think it's the fact that it's being used as a filter16:17
*** marcoemorais has joined #openstack-keystone16:17
*** dims has quit IRC16:17
*** dims has joined #openstack-keystone16:17
dolphmdstanek: but if it's not in that list, i suspect we'd just ignore it as a query string right?16:18
dolphmjaosorior: i'm sure you'd be able to, if you can find all the package deps that you'd need (xml and openssl, stuff, etc)16:19
dolphmjaosorior: you can probably work out what you need from the ubuntu & fedora deps
dstanekdolphm: yeah, it looks like that would be the case - filterprotected is doing more than i thought it would16:22
dolphmjaosorior: ^16:22
ayoungdstanek, you made thie right call on
jaosoriorShould filterprotected be refractors then?16:23
ayoungI am pretty sure that patch would cause a CVE16:23
ayoungjaosorior, dolphm there is a pretty strong argument for using EMail as the login field, and then using that to figure out what domain/IdP a user is in16:24
dstanekayoung: i'm glad i didn't push it forward then16:24
ayoungdstanek, here's the scenario16:24
*** diegows has quit IRC16:24
ayoungI'm an admin at , say a bank, and I set up an OpenStack impl that talks to corporate LDAP16:24
ayoungI tell people:  test this out for me, please16:24
ayoungand I enable this option, then start harvesting passwords.16:25
*** chandan_kumar has joined #openstack-keystone16:25
ayoungyes...if you have full admin rights to the machine, you could do that with code changes already,  but this would make it a config file change, and those are managed differently16:25
ayoungfor a locked down deployment, this would not fly16:25
*** gyee has joined #openstack-keystone16:26
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
richmayoung: it may be faster to just try it out the openldap debug flag rather than wait/fight for an answer on #openldap . . .16:28
ayoungrichm, we did, and found it was dumping passwords in the clear16:28
dolphmayoung: people already do that, they just use the 'name' attribute16:28
ayoungdolphm, on the email thing?  yeah16:29
dolphmayoung: yes16:29
*** bvandenh has joined #openstack-keystone16:29
richmayoung: Then you'll have to file a ITS at openldap.org16:29
ayoungdolphm, so had an interesting discussion about this whole thing with my team on Tuesday.16:30
dstanekayoung: wow, that would be pretty bad16:30
ayoungI'm still pretty strong against shadowing users in a table in Keystone from external IdPs.16:31
dstanekeven if you were not trying to be malicious16:31
ayoungThe question, then, is if we allow a range of options for deconflicting Ids16:31
ayoungdstanek, ++16:31
dstanekayoung: maybe rename the setting to 'ldap_debug_yes_i_know_passwords_will_be_logged_in_clear_text'? :-P16:32
ayoungdstanek, nope16:32
ayoungdstanek, you can't make it a config option16:32
*** gokrokve_ has joined #openstack-keystone16:32
ayoungconfitg is managed seperately from code, and this opens up access to people that can make config changes16:33
dstaneknah, i was just kidding16:33
ayoungyeah, just wanted to be clear.  If we could drop the simple_bind, then this would be OK16:33
ayoungOr if the simple_bind went by a different path.16:33
ayoungactually, that is probably the right solution:  disable debugging for authentication16:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements
ayoungbut even then, I would be worried that someone would enable it down the road16:34
openstackgerritDolph Mathews proposed a change to openstack/keystone: no one uses macports
*** gokrokve has quit IRC16:36
ayoungdolphm, what if, for multi-domain support we disallowed loggin in using userid and only allowed usernames, but also allowed an explict email_address as an option?16:37
ayoungand then if we do user_id = sha256(uid, domain_name)  we don't provide a way to map backwards?16:38
ayoungIf people do need to map backwards, we also support userid = uid@@domainid16:39
ayoungselect one or the other is a config option?16:39
*** harlowja_away is now known as harlowja16:51
mfischayoung: question on your concern on my review, is there a specific debug setting that will dump logs?16:52
mfischayoung: I ask because even when I have it set to -1, which should be ALL I dont see passwords16:52
mfischayoung: I can paste a log from when I have full debug enabled, but perhaps it's different depending on server? I'd think though that the underlying library wouldn't log passwords16:53
*** bach has quit IRC16:54
ayoungmfisch, I looked at the output from openldap debug, not Keystone itself16:54
ayoungmfisch, what do you get when an ordinary user logs in?16:54
mfischayoung: I just did a user-list after authenticating as my AD user, let me paste the output16:55
ayoungmfisch, just do a token-get16:55
mfischgive me a minute16:55
ayoungI want to focus it down to the authenticate call.  The rest of the stuff happens as admin, which for anyone sane is done using anonymous and read only anyway16:56
ayoungie  !CERN who has been driving read/write LDAP16:57
ayoungmfisch, lets assume for a moment that it is doing the bad thing that I feared.  There is a way around it.17:00
mfischayoung: PMd you the log17:00
mfischayoung: and go ahead17:00
ayoungThe simple_bind is only used in the authenticate path.  For authenticate, we can explicitly not allow LDAP debugging.17:00
ayoungyou mean emaiL?17:01
ayoungAh..scrolled off my screen. got it17:01
mfischayoung: just a private message here on IRC, did it not come through?17:01
mfischayoung: as you can see it doesn't say much about the bind17:02
mfischayoung: my bind account isnt even called out, user or pass17:02
openstackgerritDavid Stanek proposed a change to openstack/keystone: Validates URL when creating/updating endpoints
ayoungmfisch, still looking17:03
*** Rob_d has quit IRC17:03
*** zhiyan is now known as zhiyan_17:03
*** thedodd has quit IRC17:04
*** thedodd has joined #openstack-keystone17:06
ayoungmfisch, I don't know if that is conclusive17:06
mfischayoung: I suspect it depends on what the underlying library allows17:07
mfischayoung: which might depend on version even17:07
ayoungmfisch, what are you running on?17:07
mfischayoung: havana on top of Ubuntu17:07
*** gokrokve_ has quit IRC17:08
ayoungmfisch, you can see what it pulls in by doing this:17:09
ayoung ps -ef | grep keystone   to find the pid17:10
ayoung sudo cat /proc/22706/maps | grep ldap17:10
ayoungreplace 22706 with your pid17:10
ayoungmfisch, I have a system, I'll try out with your patch.17:10
mfischayoung: I am heading out to lunch and to take my kid to school, I17:11
mfischI'll get back with you in an hour or so17:11
ayoungmfisch, that is fine.  I won't sit on this one if it proves to be safe17:11
mfischayoung: perfect, my new hire is all lined up with the doc change ready to go17:11
*** morganfainberg_Z is now known as morganfainberg17:12
morganfainbergdstanek, ping17:14
morganfainbergdstanek, re: i think i have a 2 line fix to solve this issue17:14
dstanekmorganfainberg: git you push it to gerrit?17:17
morganfainbergdstanek, making sure it works both ways (usedevelop=true/false) and i will17:17
morganfainbergdstanek, give me ... 10 minutes17:18
morganfainbergwell, maybe it's 4 lines :P17:18
morganfainbergbut it's a slice issue for sure17:18
dstanekcool, thought so17:18
*** chandan_kumar has quit IRC17:19
*** chandan_kumar has joined #openstack-keystone17:19
morganfainbergdolphm, i think everyone else is going to the gerrit spec-repo stuff (well most projects seem to be headed that way). you want to revisit post summit?17:21
morganfainbergdolphm, for keystone17:21
*** diegows has joined #openstack-keystone17:23
ericnI am a noob to Keystone, looking for suggestions on how to begin to contribute here.17:25
ericnI have Keyston source running, and got tox to run as well as spec'd on Fedora 15, etc.17:26
*** thedodd has quit IRC17:28
morganfainbergericn, Hi! Welcome :). You can take a look at the launchpad bug tracker if you're interested in tacking some of the bugs17:28
morganfainbergit's always good to see if any of the low-hanging-fruit tagged bugs looks like somehting to tackle17:29
morganfainbergthose often can get you some insight into the workings of keystone.17:29
morganfainbergericn, if you have questions on the bug, need direction we're pretty friendly around here and happy to help17:30
morganfainbergericn, make sure you're all setup to contribute (including the CLA signing, etc)
ericnCool...  I did look at the bugs, not much in the low hanging fruit area.17:30
*** gyee has quit IRC17:31
ericnShould I take the on ethat is confirmed?17:31
morganfainbergericn, yeah we don't always tag as much there (some of the bugs are "low-ish hanging" compared to others but still fairly in depth)17:31
morganfainbergericn, confirmed and triaged typically mean they aren't being actively worked on (see if it's assigned to someone and hit them up in IRC to see if they are working on it)17:32
morganfainberglow-hanging fruit may be a bad tag, you might have more luck looking at the other bugs. sorry about that. but in either case grab a bug. hit us up here if needed.17:33
ericnOK, there is exactly one non-documentation bug to work through,
uvirtbotLaunchpad bug 1255321 in python-keystoneclient "v3 token requests result in 500 error when run in apache" [High,In progress]17:33
morganfainbergericn, i also recommend reviewing active code reviews.,n,z and,n,z17:34
dstanekericn: yeah, code reviews will help get familiar with the code be seeing the changes people are making and the commentary from the reviewers17:35
morganfainbergericn, you can get familiar with the code, the kinds of comments/feedback thats provided (helps understanding with the code standards we use) and finally a bit of a primer on stuff17:35
ericnI'll start there,17:35
dstanekericn: and welcome17:35
morganfainbergdstanek, ++ :)17:35
morganfainbergericn, happy to have you on board!17:35
morganfainbergdstanek, sorry still chekcing my slice logic is sound posting very soon17:36
dstanekmorganfainberg: np, i'm not in a rush17:36
*** thedodd has joined #openstack-keystone17:37
ericnYeah, need to swim in the code a bit before doing too much.  Will get back after some code reviews  and primer.17:37
*** bach has joined #openstack-keystone17:38
*** daneyon has quit IRC17:38
ayoungericn, what is your particular interest?17:39
*** gokrokve has joined #openstack-keystone17:40
marekd|awaydolphm: your point was that Keystone should let define rules without maping a user name or I am misunderstanding your comment?17:45
uvirtbotLaunchpad bug 1312221 in keystone "Add user objects to mapping rules examples in OS-FEDERATION docs" [Undecided,Incomplete]17:45
*** marekd|away is now known as marekd17:45
openstackgerritDavid Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy
openstackgerritDavid Stanek proposed a change to openstack/keystone: setUp must be called on a fixture's parent first
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fix cache configuration checks
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the size limit tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the policy tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: First real Python 3 tests
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more tests to the Python 3 test run
dstanekall that is now based on bknudson's oslo sync17:46
bknudsondstanek: the sync is broken due to a bug in the update tool.... I need to re-do it.17:46
bknudsonit replaced oslotest with keystonetest17:47
dstanekreally? my tests were still passing17:47
*** diegows has quit IRC17:48
dstanekinteresting - looks like those replacements won't kill the tests17:48
dstanekbknudson: was sync fixed?17:48
bknudsonit breaks the doc build17:48
dstanekerr...update fixed?17:48
bknudsondstanek: could just check that out and do the update again17:49
*** marekd is now known as marekd|away17:51
dstanekbknudson: i'll do that now17:53
ericnayoung:  I have done a lot of work around authn and tenancy.... at CA Technologies building out their internal platform17:55
ayoungericn, glad to have you aboard.17:56
morganfainbergdstanek, bknudson, would you prefer an explicit .lstript('.') or assume that a path is pre-pended with . for a string replacement?17:56
ayoungwhat forms of authn are you focused on ?17:56
morganfainbergdstanek, bknudson, e.g. root.replace(os.sep, '.').lstrip('.')17:56
morganfainbergor skip the lstrip and do the substitution assuming a '.' is at the start?17:57
ericnSAML, OAuth, and SiteMinder SSO17:57
morganfainbergoooh more SAML, OAuth, and SSO experience :)17:57 here's an interesting one for you17:57
ericnWe included an authenticated tenant id in a customer header as well.17:57
dstanekmorganfainberg: how are you doing the slice? i was anticipating it not leaving a / and the begining of root17:58
ayoungericn, I'm looking in to how we auth to Horizon, and was wondering if we could replace that with Oauth17:58
morganfainbergdstanek, root[len(keystone_root):]17:58
morganfainbergdstanek, and i'm explicitly adding keystone back in with the stringsub (you did root + 'sql', i'm doing 'keystone%s.sql' % root17:58
*** thedodd has quit IRC17:59
ayoungit  turns out there is a mod_auth_form, that we might be able to leverage from Apache HTTPD, and that could do the login to Keystone, and then get the token,  so Horizon has somewhere to redierct the user to17:59
*** henrynash has joined #openstack-keystone17:59
morganfainbergdstanek, i don't like the way that looks.17:59
morganfainbergdstanek, i would prefer 'keystone.%s.sql' % root17:59
ericnHorizon  is not equivalent to Oauth17:59
dstaneki like 'keystone.%s.sql' % root too18:00
morganfainbergdstanek, i can just .lstrip('.') in the replace part18:00
morganfainbergit works just fine18:00
morganfainbergit's an extra op, but meh.18:00
morganfainbergit's a one-time operation (the walk/import)18:01
*** thedodd has joined #openstack-keystone18:01
ericnThat sounds similar to what we did with CA SiteMinder to integrate with OAuth.18:02
*** andreaf has quit IRC18:02
ericnHad a dedicated form on the proxy that was intended only as an API.18:03
ericnbut not pretty.18:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Fix the "search for" files for db models
morganfainbergdstanek, ^18:06
ericnHorizon (and SiteMinder) do not do persistent/revokable authn as needed for mobile and API-only clients, OAuth does18:06
morganfainbergdstanek, added some comments so there is no confusion as to what is intended18:07
morganfainbergdhellmann, that should solve your packaging issue directly. I'm still in favor of stevedore, but i think it'll be more work/longer to get that through - i'd like this fixed asap18:07
*** amcrn has joined #openstack-keystone18:09
*** praneshp has joined #openstack-keystone18:12
*** bach has quit IRC18:14
openstackgerritDavid Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy
openstackgerritDavid Stanek proposed a change to openstack/keystone: setUp must be called on a fixture's parent first
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fix cache configuration checks
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the size limit tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the policy tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: First real Python 3 tests
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more tests to the Python 3 test run
openstackgerritDavid Stanek proposed a change to openstack/keystone: Sync with oslo-incubator 74ae271
dstanekmorganfainberg: does that result in keystone..module.sql?18:18
*** browne has quit IRC18:18
*** browne has joined #openstack-keystone18:19
*** browne has quit IRC18:19
*** browne has joined #openstack-keystone18:19
jaosoriorI had to go, but, dstanek, dolphm, ayoung, was there any resolution on the email thing? should I remove it then from the filterprotected?18:20
morganfainbergdstanek, without the lstrip18:20
morganfainbergdstanek, but with the lstrip no18:20
dstanekmorganfainberg: ah, ok18:20
dstanekwe talked about that, but for some reason i didn't see it18:20
morganfainberglstrip isn't specifically needed, but it makes the substitution less ... "oops this broke" feeling18:21
*** henrynash has quit IRC18:22
dstanekmorganfainberg: you could also 'root = root[len(...)+1:]' which is what i expected, but with the lstrip if should be just fine18:22
morganfainbergdstanek, i didn't like the +1 :P18:23
morganfainbergbesides, this is more resilient, if someone somehowmanaged to avoid having the / on the front, this code would still work18:23
dstanekany thoughts on ?18:23
morganfainbergwith the +1 you'd end up with keystone.ssignment.backends.sql18:24
morganfainbergdstanek, looking now18:24
dstanekmorganfainberg: yeah, that is just trying to add test for existing functionality18:28
morganfainbergwasn't sure, we have the disabled callback now too18:29
morganfainbergif this is just on-the-wire refactoring, works for me, *continues review*18:29
dstaneki don't like how i'm looking at the log mesages, but that's because i needed a seam to refactor against18:29
morganfainbergdstanek, right, but it's something we can "fix" going forward.18:30
morganfainbergdstanek, if it gets us from here to there18:30
morganfainbergit's fine18:30
morganfainbergalso yay for mock.Mock!18:30
*** leseb has quit IRC18:30
*** praneshp_ has joined #openstack-keystone18:33
*** praneshp has quit IRC18:35
*** praneshp_ is now known as praneshp18:35
morganfainbergdstanek, +2/+A18:36
*** thedodd has quit IRC18:37
morganfainbergbknudson, woo, more debug for that odd racy-lilke-condition on the revocation events18:38
dstanekmorganfainberg: thx18:38
dstaneknkinder: you around?18:38
bknudsonmorganfainberg: yes, I looked at it... not sure if it's going to help debug the issue :(18:39
morganfainbergbknudson, yeah that's a beast to read the debug on18:39
morganfainbergwe might need a lot more debugging :(18:39
morganfainbergas in, debug on every event added.18:40
bknudsonmorganfainberg: essentially should try to log the struct before and after18:40
morganfainbergbknudson, yeah.18:40
bknudsonwe know where the prob is.18:40
*** thedodd has joined #openstack-keystone18:40
morganfainbergbknudson, i'll get that logging into the test case.18:40
bknudsonmorganfainberg: it's not too bad to work on it with the debugger, can just paste the struct in there to overwrite the current one18:40
nkinderdstanek: yup18:40
morganfainbergbknudson, cool.18:40
morganfainbergbknudson, yeah debugger will help18:41
bknudsonunfortunately still don't know what the struct looked like before the new value was added18:41
bknudsonI think we're trying to see if there's a value being added with the same timestamp18:41
morganfainbergbknudson, yeah but we're also using a UUID.18:41
dstaneknkinder: i'm looking at and noticed your comment about AD at the very bottom of that page18:41
bknudson... which shouldn't be possible unless your machine is the fastest on the planet18:41
morganfainbergbknudson, falling between CPU ticks18:41
morganfainbergbknudson, i _dont_ think our CI boxes are that fast18:42
morganfainbergjust a hunch :P18:42
dstaneknkinder: is case only an issue for that one specific case or is it an issue for the other places that use self.use_dumb_member18:42
morganfainbergbknudson, would including the "old" struct in that message help you?18:42
morganfainbergbknudson, or just a log of each?18:42
bknudsonmorganfainberg: yes, the old struct, the input, the new struct18:43
bknudsonthat should be everything we need.18:43
morganfainbergbknudson, cool i'll extend the error message when mismatch occurs to include all three18:43
morganfainbergso we don't explode logs when it succeeds18:43
bknudsonmorganfainberg: you'll have to make a deep copy of the dict or something.18:43
morganfainbergbknudson, yep18:44
morganfainbergbknudson, that was my plan18:44
morganfainbergi really wish i could dupe this bug locally18:44
morganfainbergwould be _so_ much easier18:44
*** doddstack has joined #openstack-keystone18:46
ayoungmfisch, OK, so I think the passwrod thing was due to the CLI using different options to debug BER data, and that option is not set by your code18:47
nkinderdstanek: sorry, was just wrapping up a meeting18:47
ayoungnkinder, can you take a look at a sensitive patch18:47
nkinder...and now the fire alarm is going off here at work18:48
morganfainbergbknudson, could the revoke_by_user be causing the issue?18:48
nkinderayoung, dstanek: I'll get back to you both in a bit18:48
morganfainbergbknudson, i don't see how...18:48
mfischayoung: can you explain that a bit more? BER data?18:48
ayoungnkinder, ignore the firealarm.  It is just cfu's lunch18:48
ayoungmfisch, it is just another form of Debugging.18:48
*** bach has joined #openstack-keystone18:48
ayoungBasic encoding Rules?18:48
*** thedodd has quit IRC18:49
ayoungmfisch, try running ldapsearch with debugging on....18:49
ayounguser the -d 3 option18:49
mfischayoung: k18:49
mfischayoung: and thar be my password18:50
ayoungmfisch, but (and I can't take credit for knowing any of this, I'm just the conduit)18:50
ayoungthat is set by a diferent option, one not accessable to the python LDAP code18:51
mfischthats good18:51
ayoungmfisch, I kindof want nkinder to look at it, as he's much more LDAP savvy than I am, and then I'll +2 if he say OK18:51
ayoungbut he is on fire right now18:52
*** chandan_kumar has quit IRC18:52
mfischayoung: absolutely, there's no hurry from my end, we have until October, I just wanted some eyes on it so thanks18:52
bknudsonmorganfainberg: I looked over the code once and I couldn't figure out hot it could fail other than the same timestamp.18:54
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Expand debugging
morganfainbergbknudson, i changed the identifiers to be a little easier to pickout.18:56
morganfainbergbknudson, but just added a copy.deepcopy and added it to the message on a mismatch18:56
morganfainbergdstanek, ayoung, could use a pair of eyes so we can get this icky hard-to-find test bug smashed18:57
ayoungmorganfainberg, will do...19:02
*** kun_huang has quit IRC19:02
ayoungmorganfainberg, what is the bug?19:03
*** serverascode has quit IRC19:11
*** dims has quit IRC19:11
*** serverascode has joined #openstack-keystone19:13
*** chandan_kumar has joined #openstack-keystone19:15
*** marcoemorais has quit IRC19:17
*** bvandenh has quit IRC19:21
*** diegows has joined #openstack-keystone19:23
*** chandan_kumar has quit IRC19:23
*** david-lyle_ has joined #openstack-keystone19:26
*** KurtMartin has joined #openstack-keystone19:30
*** kmartin has quit IRC19:33
*** dims has joined #openstack-keystone19:33
*** marcoemorais has joined #openstack-keystone19:36
openstackgerritDavid Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy
openstackgerritDavid Stanek proposed a change to openstack/keystone: setUp must be called on a fixture's parent first
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fix cache configuration checks
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the size limit tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the policy tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: First real Python 3 tests
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more tests to the Python 3 test run
openstackgerritChristina Darretta proposed a change to openstack/keystone: Removed duplication with list_user_ids_for_project
uvirtbotLaunchpad bug 1300581 in keystone "test_revoke.RevokeTreeTests.test_cleanup fails" [Critical,Triaged]19:46
morganfainbergayoung, ah that, should add related-bug then19:47
bknudsonmorganfainberg: try a few rechecks before merging it19:47
morganfainbergbknudson, sounds good19:47
morganfainbergoh.. haha hadn't passed yet *doh*19:48
bknudsonya, might as well get a result19:48
morganfainbergrecheck if it hasn't passed yet does nothing iirc19:48
bknudsonalthough maybe the py26/27 finished already?19:48
morganfainbergit did and success19:48
bknudsonhopefully the deepcopy won't slow it down so it never happens19:48
morganfainbergno error yet19:49
morganfainbergbknudson, seriously hope it's not falling between ticks issue19:51
morganfainbergbknudson, i'd rather something we can actually fix (short of a sleep(0) or similar)19:51
*** marekd|away is now known as marekd19:52
ayoung self._assertEventsMatchIteration(i + 1)19:53
ayoungthat should not be getting run from cleanup19:53
ayoungthat is a sign of a failing test19:53
morganfainbergayoung, no the bug says cleanup wasn't occuring therefoere that was failing19:53
morganfainbergshould fix the bug, because that isn't the case. we are expecting more entries than there are (3 != 2)19:54
morganfainbergayoung, also test_cleanup was the test naem.19:54
morganfainbergnot something run from addCleanup19:54
*** david-lyle_ has quit IRC19:56
ayoungmorganfainberg, ok, my guess is that it is bleedover from the prior test19:57
morganfainbergayoung, that we're missing a event19:59
morganfainbergwe're expecting 3 at that point and only 2 have been added19:59
morganfainbergnot the inverse19:59
ayoungmorganfainberg, other way round, I'm guesssing19:59
morganfainbergnope, 3 is our expected count19:59
morganfainbergwe have 219:59
morganfainbergassertEqual(expected, actual)20:01
ayoungyeah... it was from the previous iteration.   'access_token_id=*'  should have 3 events under it, but only has two20:01
morganfainbergok so sure, why did one fall out... and why does it occur very intermittantly20:02
ayoungbecasue two of them hae the same expires-at time20:02
ayoungits time related20:02
morganfainbergayoung, so we're falling between cpu ticks?20:02
ayoungyeah.  next levle down the tree is 'expires_at=*'20:02
morganfainbergayoung, i didn't think our CI systems would be that ... speedy20:03
morganfainbergright. that calls utcnow()20:04
morganfainbergwith a timedelta20:04
morganfainbergare datetime objects not microsecond aware?20:05
ayoungmorganfainberg, OK...I think I have better logic20:05
morganfainbergi mean we could use a rand() :P20:05
ayoungmorganfainberg, outside the loop, call:  ft= _future_time()20:05
ayoungthen inside the loop  expirey = ft+i20:06
morganfainbergayoung, hm oh i see just make the loop do a timedelta as well20:06
ayoungthat ensures they are distinct.20:06
ayoungok...lemme post that20:06
*** harlowja is now known as harlowja_away20:06
*** marcoemorais has quit IRC20:06
morganfainbergif legitimately that is the issue i'll respin this patch to fix it.20:07
ayoungNah, lemme get credit for it20:07
morganfainberglol ok works for me20:07
ayoungI'll use your change id20:07
morganfainbergmake sure you --reset-author if you want credit20:07
*** derek_c has joined #openstack-keystone20:08
morganfainbergayoung, dstanek already approved it :P20:09
*** stevemar has joined #openstack-keystone20:09
bknudsonwhile True: print datetime.datetime.utcnow()20:09
bknudsonI get a different timestamp every time.20:09
*** marcoemorais has joined #openstack-keystone20:09
morganfainbergbknudson, same20:10
morganfainbergsometimes as little as 4 microseconds difference20:10
ayoungbknudson, if two timestamps are the same it would show this problem.  The logic in the test should be changed anyway20:10
morganfainbergbut.. still different20:10
ayoungit might get rounded20:10
morganfainbergwonder if this might be an artifact of running in a VM20:13
morganfainbergthe VM doesn't tick increment as reliably as the hardware would20:14
morganfainbergsame net solution20:14
morganfainbergmake the future_time distinct20:14
ayoungmorganfainberg, ++20:14
nkinderayoung: checking that review now...20:14
morganfainbergi guess treating a not-even-close-to-RTC the same as something that is a-lot-closer-to-RTC-than-the-VM-timing results in this20:15
bknudsonis it showing a problem in the code? could we get 2 events that close together in time?20:17
*** topol has quit IRC20:18
bknudsonor are they actually the same event so it's working as designed?20:18
openstackgerritayoung proposed a change to openstack/keystone: Make test_revoke expiry times distinct
ayoungbknudson, no, this is a deliberate test to show that we get the right number of revocation event entrys in the tree.  It assumes that the expires at times are going to be distinct, which is why the check was failing20:18
morganfainbergbknudson, it would revoke all tokens with a distinct expiry time20:18
ayoungif I made the expires_at value unique, then I would expect that chacke to be20:19
bknudsonoh, then the test should make sure the times are distinct.20:19
bknudsonuse _future_time + i20:19
ayoung self.assertEqual(1, len(self.tree.revoke_map  ....20:19
morganfainbergbknudson, ++ yep.20:19
ayoungsee ^^ review20:19
morganfainbergi'm going to block the expanded debugging review.20:20
morganfainbergthis change should solve it. we'll bring back expanded debugging if needed.20:20
morganfainbergok tossed a -2 on my review. hope your fix is what we need (it should be)20:21
nkinderayoung: I do think that will result in logged passwords20:22
nkinder...if you set the level high enough20:22
ayoungnkinder, does not look like it on my system, nor on mfisch es20:22
ayoungnkinder, I have it set to 0xffff20:23
nkinderok, it depends on what libldap logs (checking)20:23
mfischI have mine at -120:23
mfischwhich is the highest in theory20:23
ayoungmfisch, assume python does not try to be smart about -120:23
ayoungbut that is what DEBUG_ANY maps to in the C header file20:23
mfisch4095 is my normal level which is fairly high20:24
mfisch255 is a good enough level for most stuff20:24
ayoungmfisch, question here is not what is good enough, the question is what happens when you need to set the amps to 11.20:25
mfischayoung: agree20:25
mfischwhere -1 == 11 I think20:25
mfischI could never figure out for sure though whether those values were standard, is the underlying C library the same for everyone?20:26
nkindermfisch, ayoung: it looks lik ethe majority of debug logging for bind operations is simply function tracing.  Do you see things like "ldap_sasl_bind_s"?20:26
ayoungyeah, I see a sasl_bind, but no params20:27
mfischyep just that text only pretty much for bind20:27
nkinderyeah, it does log some other stuff in certain cases (mostly SASL binds)20:27
nkinderldap_sasl_interactive_bind: user selected: %s\n20:27
nkinderbut nothing that is a security issue that I can see20:27
*** bknudson has quit IRC20:28
nkindermfisch: why not add a test that sets logging as high as it goes, does a bind, then checks the log for the password?20:29
mfischnkinder: for the fake ldap backend? is that useful?20:30
ayoungnope.  fakeldap doesn'20:30
ayoungt go through the ldap library20:30
mfischthere's a real ldap test set in there20:30
ayoungmfisch, live_ldap.  And bascially that is what we are doing by hand here...I'm just not certain it would provide any real insurance20:34
openstackgerritayoung proposed a change to openstack/keystone: Make test_revoke expiry times distinct
ayoungmorganfainberg, fixed a type in the commit message.20:35
ayoungand I just saw another...damn I can't tpye20:36
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on projects
*** bknudson has joined #openstack-keystone20:37
openstackgerritayoung proposed a change to openstack/keystone: Make test_revoke expiry times distinct
nkinderayoung, mfisch: live_ldap would ideally be in the gate.  There is value in a test in case we ever get to the point where live ldap is gating.20:39
mfischI'm nervous that even that test is not enough20:41
mfischwhat if we do what ayoung said and dont log the bind20:41
ayoungmfisch, ++20:42
ayoungwrite the test, too.20:42
nkindermfisch: if we don't see anything that valuable from the debug out put of the bind anyway, then it should be fine to not set it for bind ops20:43
nkindermfisch: we should just have our own log message to say that the bind is occurring instead20:44
nkindermfisch: that way we're protected if libldap ever changed and started logging passwords20:44
*** vhoward has left #openstack-keystone20:44
nkinderdstanek: ok, back to your question about dumb_member20:44
nkinderdstanek: we only have to worry about any place where we compare a DN string against the dumb_member20:45
mfischin my setup I have a service account which does the bind, but then I also use creds for my corporate user, I'm not sure where that password check occurs but we'd want to make sure that's not logged either20:45
nkinderdstanek: let me see if there are any spots other than the one you pointed out20:45
nkindermfisch: it binds as the corporate user too20:46
nkindermfisch: the comparison is in LDAP20:46
nkindermfisch: the service account is used to lookup other information20:46
nkindermfisch: so keystone just passes the user DN and password through to perform an LDAP bind20:47
nkinderdstanek: correction... it's only when we're comparing a string returned from the LDAP server against the dumb_member DN that we have in keystone.conf20:48
*** derek_c has quit IRC20:48
openstackgerritAlan Pevec proposed a change to openstack/keystone: Refactor service readiness notification
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on projects
*** erecio has quit IRC20:55
nkinderdstanek: I think you're right.  It's needed in a few more spots (and tests should be added).20:55
nkinderdstanek: keystone/identity/backends/
nkinderdstanek: keystone/assignment/backends/
nkinderdstanek: it looks like just those 3 locations20:56
*** harlowja_away is now known as harlowja21:01
*** bvandenh has joined #openstack-keystone21:05
*** marcoemorais has quit IRC21:05
bknudsonfor some reason I thought that when a token was expired auth_token stored in the cache something that said it was expired21:06
bknudson_cache_store_invalid, ok found it21:08
*** marcoemorais has joined #openstack-keystone21:09
*** derek_c has joined #openstack-keystone21:12
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm
morganfainbergbknudson, didn't that one merge?  i might be losing my mind.21:31
bknudsonmorganfainberg: merge conflict21:31
morganfainbergbknudson, ahhhh21:31
bknudsonmorganfainberg: it was +A but then conflicted with the merge to check the revocation list21:31
morganfainbergbknudson, ok well i'll re+2 that now.21:31
bknudsonmorganfainberg: I'm working on some updated tests now21:31
morganfainbergah ok21:31
bknudsonthe coverage is not as good as I would like21:31
*** jaosorior has quit IRC21:31
morganfainbergwell still +2 :)21:32
morganfainbergyour "not as good as you'd like" is still damn good21:32
bknudsonmorganfainberg: also, review carefully because the conflict was significant21:32
morganfainbergoh was it?21:32
morganfainbergbknudson, it doesn't look too hairy21:33
bknudsonmorganfainberg: it was... the change is still essentially the same.21:33
morganfainbergah ok21:33
morganfainbergbknudson, i'm looking at it, it looks good to me. i'll down it to a +1 since you're WIP21:34
bknudsonmorganfainberg: the new old code would "expires = confirm_token_not_expired(data)" even when it got the token from the cache...21:34
bknudsonwhich seems unnecessary21:34
bknudsonbecause _cache_get already checks expiration21:34
morganfainbergi see it.21:35
bknudsonso this is why I say look carefully21:35
morganfainbergbknudson, would it make more sense to leverage the confirm_not_expired code path in the cache get?21:37
morganfainbergbknudson, instead of doing the expires logic independantly?21:37
morganfainbergorr... removing that code from the cache_get instead21:37
bknudsonI think that code should be in cache_get... no reason to get an expired token21:38
bknudsonalthough if we get an expired token I'm not sure if the cache should get updated??21:38
bknudsonI think this is separate from my patch21:38
morganfainbergbknudson, ++ works for me21:39
morganfainbergi'd argue that we should probably run it through the same code (checking expiration) in either case (whichever way)21:39
morganfainbergmostly so we only update one location if we change how we check expiration21:39
bknudsonauth_token needs some refactoring21:39
morganfainbergbknudson, ++21:40
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm
bknudsonI gotta get out of here... sounds like they're tearing down the building.21:42
*** bknudson has quit IRC21:42
*** bvandenh has quit IRC21:54
*** dims has quit IRC21:56
*** david-lyle has quit IRC21:57
*** KurtMartin has quit IRC22:00
*** KurtMartin has joined #openstack-keystone22:00
*** marcoemorais has quit IRC22:06
*** amcrn has quit IRC22:08
*** marcoemorais has joined #openstack-keystone22:08
*** dims has joined #openstack-keystone22:08
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on projects
*** bach has quit IRC22:10
*** marcoemorais has quit IRC22:12
*** marcoemorais has joined #openstack-keystone22:14
*** joesavak has quit IRC22:14
*** dstanek is now known as dstanek_zzz22:16
*** dstanek_zzz is now known as dstanek22:19
*** ayoung has quit IRC22:30
*** jaosorior has joined #openstack-keystone22:30
*** doddstack has quit IRC22:34
boris-42morganfainberg hi22:35
morganfainbergboris-42, hey!22:35
morganfainberginteresting graphs there22:35
boris-42morganfainberg so we have first gates!!22:35
morganfainbergboris-42, thats awesome. very happy to see that22:36
boris-42morganfainberg so actually I would ask you permission to add this perfromance-check to keystone22:36
morganfainbergboris-42, as part of the check queue i assume.22:37
boris-42morganfainberg yep it's just as a check non-voting stuff22:37
boris-42morganfainberg actually take a look at glance
morganfainbergboris-42, i'm totally on board with that22:37
boris-42morganfainberg you will have file rally-scenarios/glance.yaml22:37
boris-42morganfainberg inside it you may specify any rally benchmarks with any load22:38
boris-42morganfainberg for example that one that I run22:38
boris-42morganfainberg this one
boris-42morganfainberg ^ it's quite big page =)22:39
morganfainbergyeah i've seen it before22:39
boris-42morganfainberg I will optimize our graphs22:39
boris-42morganfainberg to show such a big amount of iterations22:39
morganfainbergvery cool.22:40
morganfainbergthis will be awesome to have available22:40
boris-42morganfainberg okay we will add then infra + keystone patch22:40
boris-42morganfainberg tomorrow22:40
morganfainbergsounds good22:40
boris-42(it's quite late here lol, 2:40 a.m.)22:40
boris-42morganfainberg Ok nice=)22:40
morganfainbergi'm very happy to see this before we start working on some of the performance stuff (eg ephemeral tokens)22:40
boris-42morganfainberg yep yep22:40
boris-42morganfainberg cause without it it's actually unclear what we are doing22:40
morganfainbergmake sure to tag me on the review (ayoung and bknudson as well)22:41
boris-42morganfainberg thanks22:41
morganfainbergyep. i want to see this kind of data for all the projects (well, incubated and integrated)22:41
morganfainbergi think some metric of performance should be required :)22:41
morganfainbergboris-42, have a good night. i'll look for the patchset to enable for keystone :)22:42
boris-42morganfainberg so yep22:43
boris-42morganfainberg that was one of major our goal22:43
boris-42morganfainberg to simplify benchmarking and getting numbers=)22:43
morganfainbergvery pleased to hear that.22:43
boris-42morganfainberg actually it's quite easy to use22:43
morganfainbergyeah, it looks very straightforward22:44
boris-42morganfainberg I hope to find some time to make a video=)22:44
*** bknudson has joined #openstack-keystone22:44
morganfainbergbknudson, i assume you escaped before they tore the building down? :P22:44
bknudsonmorganfainberg: yes, just in time.22:44
bknudsonfloor cleaner22:44
boris-42morganfainberg btw 2 probably interesting sessions for u22:44
boris-42morganfainberg ^ allows to find the source of issue22:45
morganfainbergboris-42, nice.22:45
boris-42morganfainberg rally juno roadmap
*** Chicago has joined #openstack-keystone22:45
*** Chicago has joined #openstack-keystone22:45
bknudsonmake sure they don't overlap with keystone sessions22:45
boris-42bknudson yep=)22:45
morganfainbergbknudson, ++22:46
morganfainbergboris-42, once the schedule is a little less tentative i'll be setitng everything up22:46
boris-42morganfainberg sure22:46
morganfainbergthose two look like places i'll need to be22:46
morganfainbergif at all possible22:46
boris-42morganfainberg sure sure I will try to ask somebody to make a video22:46
*** nkinder has quit IRC22:47
*** jamielennox|away is now known as jamielennox22:56
*** amcrn has joined #openstack-keystone22:57
*** mberlin has quit IRC23:01
*** mberlin has joined #openstack-keystone23:02
*** nkinder has joined #openstack-keystone23:03
*** ayoung has joined #openstack-keystone23:13
dstanek is passing now!23:16
morganfainbergdstanek, yay!23:19
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm
*** lbragstad has quit IRC23:20
*** gokrokve has quit IRC23:26
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Enhance tests for auth_token middleware
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm
bknudsonmorganfainberg: split out the tests that weren't totally related to the mode change
morganfainbergbknudson, ++ will make it easier to review23:39
morganfainbergbknudson, i looked over the code for the expired tokens (before last revision) and it looks sound23:40
bknudsondstanek: +2 on -- thanks!23:43
*** gokrokve has joined #openstack-keystone23:46
dstanekmorganfainberg: i was just looking and too and wondering if the fix should really be alembic23:46
dstaneki'm worried that we'll always have to explicitly name our FK indexes instead of letting the framework do it23:48
bknudsonmorganfainberg: I'm fine with Tried it out myself and it looks fine to me.23:49
bknudsonmorganfainberg: you can +A it if it passes your test23:49
bknudsondstanek: at least once the tests go in the tests will catch that we need to name the index23:49
dstanekbknudson: doesn't that review mean we'll always have to explicitly name FK indexes?23:49
bknudsondstanek: I would assume so, for mysql23:50
bknudsonuntil there's a fix to alembic23:50
dstanekit's just weird that we're doing this because of alembic and the only reason (right now) is that we are adding a test to compare model to migration23:51
morganfainbergbknudson, sounds good. i'll spin up a vm and test quickly23:51
morganfainbergbknudson, i am sure it's fine.23:51
morganfainbergbknudson, but these types of changes make me nervous23:51
dstanekmorganfainberg: exactly23:52
morganfainbergdstanek, heck i was super nevous about the SQL collapse.23:53
morganfainbergdstanek, but it _seems_ to work fine (and has been tested a good deal now)23:53
dstanekmorganfainberg, bknudson: are other projects explicitly nameing the FK indexes?23:54
morganfainbergdstanek, not sure.23:54
bknudsondstanek: how do you name the fk index explicitly?23:54
bknudsonwithout renaming like this change does23:55
morganfainbergbknudson, don't think there is any way to do it23:55
dstanekbknudson: that's a good question - so when adding a new foreign key will the tests always fail because it won't match what is expected?23:56
dstanekhmmm...there was another review that i comment on about this, but there is no renaming here it's adding another index23:59
morganfainbergdstanek, i see a lot of value comparing the model to the schema in the migration tests23:59

Generated by 2.14.0 by Marius Gedminas - find it at!