Monday, 2014-04-28

ayoungjamielennox,  am I right in how that is supposed to be working?00:08
*** morganfainberg_Z is now known as morganfainberg00:09
jamielennoxayoung: 1 sec00:10
*** diegows has joined #openstack-keystone00:12
boris-42morganfainberg ayoung jamielennox guys could I ask you to +1 adding rally job to keystone ?00:13
ayoungboris-42, dangerous.  I might not want to +1....but I will look.00:13
boris-42ayoung why?)00:14
ayoungboris-42, I want our gate failing less.00:14
boris-42ayoung it's non voting00:14
ayoungI see that...00:14
boris-42ayoung plus rally don't fails00:14
ayoungwhat does this buy us?00:14
ayoungwhat is rally?00:14
boris-42ayoung perfromance tool00:14
morganfainbergayoung, performance metrics00:14 expensive is it to run?>00:14
boris-42ayoung it depends00:15
boris-42ayoung on config that you'll have in keystone/rally-scenarios/keystone.yaml00:15
morganfainbergayoung, i'll defer to boris-42 on that, but it's pretty awesome. it also generates cool graphs00:15
boris-42ayoung let me find graphs00:15
boris-42ayoung from rally job00:15
ayoungmorganfainberg, what load is it going to put on gate?  And does it belong there?00:15
boris-42ayoung ^ run 2k times create_and_list_tenatns00:16
boris-42ayoung I am going to add errors aggregation to this plots00:17
boris-42ayoung but from console log I saw that there are mostly timeouts in authenticate stuff00:17
ayoungboris-42, its good stuff, just not certain it should be a gate job00:17
boris-42ayoung it's check job00:17
boris-42ayoung you can have nothing in keystone.yaml00:18
boris-42ayoung and if somebody is working on performance he can change keystone.yaml to show that his fix works00:18
boris-42ayoung avoiding running by all cores performance tests by hands00:18
ayoungmorganfainberg, does it belong in gate?00:19
morganfainbergayoung, in check for now, (for sure)00:19
boris-42ayoung it won't be soon in gates00:19
morganfainbergayoung, not sure if it belongs in gate.00:19
morganfainbergayoung, but it will be good to see metrics on each patchset as they're submitted00:19
boris-42ayoung I should remember all math that I learned to make normalization function for results00:19
ayoungregardless...check/ gate, it puts load on Zuul and the systems it runs.00:19
morganfainbergayoung, this one is worth it imo00:20
ayoungI want to make sure that is a worthwhile cost.00:20
morganfainbergayoung, it'll help us be sure we're headed the right direction with the performance optimisations etc00:20
ayoungand is this the right performance metric to gather>00:21
boris-42ayoung you have a framework for doing any benchmarks00:21
morganfainbergayoung, we get to tune/define those. it's about setting up the scenarios in the rally config in the keystone tree00:21
jamielennoxstill busy, but ++ for nice pics00:21
morganfainbergjamielennox :)00:22
boris-42ayoung so you'll be able to write benchmark scenarios inside keystone tree00:22
boris-42ayoung avoiding fully rally team=)00:22
boris-42ayoung so it's quite precise tool that should test some specific aspect00:22
ayoungboris-42, in general I am in favor of the idea.  I would like to hear from some of the other perf people.00:23
boris-42ayoung e.g. list operation of users/tenatns00:23
morganfainbergayoung, for the most part, we're going to define what we want to test and how we want to go about it.00:23
boris-42morganfainberg ayoung  goal of rally is to provide simple way to that00:23
ayoungmorganfainberg, and what repo is that going to live in?00:24
morganfainbergboris-42, looks like you're well on the way to it00:24
*** topol has quit IRC00:24
morganfainbergayoung, the definitions we test? in the keystone tree00:24
ayoungOK...I can live with that00:24
boris-42ayoung otherwise it will be hard to work with it00:24
boris-42ayoung we were thinking about keeping tasks inside rally but thought that it will be hell=)00:25
ayoungmorganfainberg, does 90405 need to land before 90404?00:26
morganfainbergboris-42, ^ does 90405 need to land before the gate config?00:26
boris-42ayoung nope after00:26
morganfainbergboris-42, ah shouldn't matter then00:27
morganfainbergboris-42, it wont be used until infra change is in00:27
boris-42ayoung yep it won't just run anything00:27
boris-42morganfainberg ^ btw in gates the same issue00:27
boris-42morganfainberg that I faced00:27
morganfainbergboris-42, ah00:27
boris-42morganfainberg the same first it was working well00:28
boris-42morganfainberg and then bah00:28
morganfainbergboris-42, new tools. happens00:28
morganfainbergayoung, got roped into dinner, will be trying to get the upload for apache check jobs tonight, will add you to them so we can get them going00:28
ayoungmorganfainberg, please do.  I like this direction00:29
morganfainbergayoung, initially i'll just have apache listen on 5000 and 35357.00:29
morganfainbergwe can work on doing the shared port 80/443 once we are at least testing00:29
morganfainbergwe might have devstack changes needed before we can share port80/44300:29
ayoungbut 5000 is port reserved for another service and 35357 ois smack dab in the middle of the ephemeral range  ;)00:29
morganfainbergayoung, yes, but at least we're testing the mod_wsgi stuff then (step in the right direction)00:30
morganfainbergas soon as we can make that check job share port80/443 we convert over to it00:30
morganfainbergbut i want to make sure we're testing mod_wsgi config every patch ASAP.00:30
morganfainbergannnyway... dinner bbib00:31
*** kun_huang has joined #openstack-keystone00:32
*** kun_huang has quit IRC00:38
*** morganfainberg is now known as morganfainberg_Z00:41
*** bach has quit IRC00:46
*** shakamunyi has joined #openstack-keystone00:50
*** daneyon has joined #openstack-keystone00:51
*** shakamunyi has quit IRC00:54
*** derek_c has joined #openstack-keystone00:55
jamielennoxayoung: still here/.01:15
ayoungMe too01:15
jamielennoxoops, was going for the question01:15
jamielennoxso what's the problem you had earlier01:15
ayoungjamielennox, the review you posted, and whether it should allow a Catalog from Keystone with a V2.0 endpoint to return a v3 url.01:18
jamielennoxayoung: ok, i was just replying to that01:21
jamielennoxthere is no v2/v3 hack in the new client code01:21
jamielennoxthat was done in a way that is specific to the old code01:21
ayoungso ... what do I need to do?01:21
jamielennoxthe point of that patch is to allow something at / to do a lookup01:22
ayoungis there a change en route that deals with it01:22
jamielennoxit's not hard to do i think01:22
jamielennoxthe point was to get that version stuff in first, so that way you can say if version == 3 and endpoint == 2 then fix it01:22
jamielennoxit doesn't have to though i guess01:23
jamielennoxyou could just fix it in v3 identity plugins01:23
jamielennoxnot sure01:23
jamielennoxayoung: there are still other open questions here - like i'm pretty sure i need to extend the same functionality to original clients01:23
ayoungthe first thing to solve is to let V3 clients work when the endpoints all say v2.001:24
jamielennoxbecause at the moment it will only be activated if you create the session first, but that means that things like horizon won't benefit from the change simply by having an updated client version01:24
ayoungwe need *a* way to do it, programttically. and then we can move that into horizon01:24
jamielennoxright - but what i would like to do here is not just hack a /v3 on the end like we did with the old client01:25
jamielennoxwhen we have discovery if you have a v2 only url we should be able to just trim the v2 part and let discovery handle finding v2 or v301:26
jamielennoxinstead of trimming v2.0 and appending v301:26
*** diegows has quit IRC01:26
ayoungOK,  so I'm OK with that, since discovery wil just be run once...but we need a way to find the root URL01:27
ayoungShould we inject a "root" into the "v2.0" response?01:28
ayoungjamielennox, can we do that as a follow on to  ?01:31
boris-42ayoung still around?01:34
jamielennoxayoung: we can - i don't know if that's a good way though because we will end up waiting for that to be proliferated01:35
boris-42ayoung morganfainberg_Z so I got that bug from my local development in gates01:35
boris-42ayoung morganfainberg_Z
boris-42^ ayoung  zeros on graph means errors01:35
jamielennoxthere are a number of places where i'm pretty sure if you aren't using the defined /v2.0 and /v3 prefixes things just won't work01:35
boris-42ayoung so it works perfect under load first ~2k iterations01:36
boris-42ayoung but after 2k something wired is hapen01:36
ayoungjamielennox, let me put it to you this way:  how would I make a v3 call to a Keystone server with V2.0 in the URL?01:36
ayoungboris-42, might be a MySQL thing...01:37
boris-42ayoung not sure01:37
ayoungbut...TBH I don't care about stresstesting Eventlet01:37
boris-42ayoung cause when I was playing with my deployment01:37
boris-42ayoung after some amount of time I repeated01:37
ayoungboris-42, run it against apache HTTPD and I might be more interested01:37
boris-42ayoung one sec01:38
ayoungjamielennox, I would have thought that explicitly setting endpoint would override the value that comes back from the service catalog01:39
boris-42ayoung does this turn on APACHE_ENABLED_SERVICES+=keystone ?01:39
boris-42ayoung if I put it in devstack locarlc?01:39
boris-42ayoung if so then I get the same issue01:40
boris-42ayoung but it was after 3k iteration not 2k01:40
ayoungboris-42, do you have a link?  I could tell you if it was actually HTTPD?01:40
boris-42ayoung link to what?01:41
ayoungthe test run01:41
boris-42ayoung it was not in gates01:41
jamielennoxayoung: if you use the existing client (non-session) it will work - the hack has been installed in the v3 client that if there is a v2.0 ending it will cut it off and replace with a /v3 ending01:41
ayoungwas it publically accessable?  Or, do you still ahve the machine running?01:41
boris-42ayoung nope01:42
boris-42ayoung I have some issue with VPN01:42
jamielennoxayoung: if you use the session there is no endpoint override01:42
boris-42so not able to access it =(01:42
jamielennoxif you need one i can add one but i haven't seen the need as yet01:42
ayoungjamielennox, hm...that kindof limits sessions for me01:42
boris-42ayoung probably you have a running keystone with httpd?01:42
jamielennoxif you have a token/endpoint then there is a auth plugin for that01:42
jamielennox(desinged for testing and ADMIN_TOKEN etc)01:42
ayoungboris-42, not anywhere near a useable state  though01:42
jamielennoxbut if you are using the session why are you needing to manually set an endpoint ?01:43
ayoungjamielennox, I need to talk to a devstack/packstack setup system using the Federation API01:43
ayoungI can01:43
ayoungI can't just drop V2.0 off the catalog or other clients will break01:43
boris-42ayoung so actually we in rally are trying to make it simple to repeat experiment locally01:44
boris-42ayoung so when you have some cloud to test ping me pls=)01:44
ayoungboris-42, if you do, capture the logs, and I could tell you if HTTPD is enabled.  Or ask morganfainberg_Z when he is next around01:44
boris-42 so here is the small tutorial01:45
boris-42ayoung ^ if you'll be interested01:45
ayoungboris-42, what was happening at 2k/3k load?01:46
boris-42ayoung it's not load 2k01:46
boris-42ayoung it's iteration01:46
boris-42ayoung load is constant01:46
ayoungwhatever...what happens?01:47
boris-42ayoung 408 error01:47
boris-42ayoung authorization failed timeout01:47
ayoungboris-42, is there a mysql problem?01:47
boris-42ayoung I am not sure, cause after this benchmark if you re run it (after 5 min) everything will be ok01:47
ayoungboris-42, get it reproducible and I'll be happy to help you debug, but right now I am just guessing in the dark01:48
boris-42ayoung it's reproducable01:48
boris-42ayoung in gates01:48
jamielennoxayoung: yep, so my plan would be in v3 auth plugins if the entry in the service catalog ends with /v2.0 then trim that01:48
ayoungget it reproduced, then01:48
boris-42ayoung I already gave you link=)01:48
ayoungjamielennox, so...follow on patch?01:48
boris-42ayoung it's not enough?01:48
boris-42ayoung run any amount of recheck no bug here
ayoungboris-42, I don't have time to run through that.  THis is your bailywick.  I'm willing to help,01:49
jamielennoxayoung: for the purposes you are using it for now the old client method will work for you :)01:49
boris-42ayoung lemme explain01:49
ayounggate-rally-python27  passed01:49
ayoung33 is going to fail, but we all know that01:49
boris-42ayoung ?)01:49
boris-42ayoung check-rally-dsvm-rally is performance in gate01:49
ayoungthat passsed too01:50
boris-42ayoung it runs this benchmark
boris-42ayoung sure it passed01:50
jamielennoxayoung: wow - did you add a crap load of people to that review?01:50
ayoungok...looking at the keystone log01:50
boris-42ayoung cause rally didn't failed01:50
boris-42ayoung ohhh01:51
boris-42ayoung so big file=)01:51
ayoungjamielennox, you bret I did...keystone-core + Nathan01:51
ayoungand a few other PTLs, too01:51
jamielennoxayoung: yea, it was the other pts i was thinking of01:51
ayoungboris-42, you said 408, right?01:51
boris-42ayoung yep01:52
boris-422014-04-28 01:15:06.768 23810 WARNING keystone.common.wsgi [-] Could not find role, admin.01:52
boris-42ayoung it's output of rally01:53
boris-42ayoung so HTTP 40801:53
ayoungboris-42, so this is what I meant by "linlk"  before, BTW.  I'm happy to help spelunk these01:53
boris-42ayoung so if you would like to repeat on your cloud lemme now I can make some 5 min live demo01:54
boris-42ayoung to explain how to use rally01:54
ayoungNah, that is OK...I'm trying to find the error in Keystone log01:54
ayoungboris-42, I assure you, I don't have the brainpower or time to do that right now01:55
boris-42ayoung ?)01:55
ayoungboris-42, in the keystone log look for 2014-04-28 01:28:07.33101:56
*** dims has quit IRC01:56
boris-42ayoung hehe01:56
boris-42ayoung eventlet crap01:56
ayoungthat is one stack trace...indicates something died while eventlet was writing01:56
ayoungboris-42, I see a bunch of those01:57
boris-42ayoung yep I just wrote to find Traceback01:57
boris-42ayoung so I hope now you understand better why it's useful to have rally?)01:58
ayoungboris-42, to prove that eventlet can't stand up to load?01:58
ayoungI didn;t need Rally for that01:58
boris-42ayoung actually it's only one case01:59
boris-42ayoung I don't think that performance of all other stuff in keystone will handle load01:59
boris-42ayoung so we can catch issues02:00
ayoungboris-42, that may well be.  But I am really only concerned with running it in HTTPD, as I think Eventlet is a dead end.  I need numbers forthat02:00
boris-42ayoung so when we switch in gates to HTTPD by default02:00
ayoungboris-42, ++02:00
boris-42ayoung we will be able to benchmark other stuff02:01
boris-42ayoung but actually this is serious reason to switch to HTTPD by default02:01
*** dims has joined #openstack-keystone02:09
*** gabriel-bezerra has joined #openstack-keystone02:15
*** bach has joined #openstack-keystone02:17
*** daneyon has quit IRC02:18
*** mberlin has joined #openstack-keystone02:23
*** mberlin1 has quit IRC02:23
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: V2.0 Hack for auth plugins
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions
jamielennoxayoung: try the first one of those ^02:26
jamielennoxlet me know if the hack works for your case02:26
*** gokrokve has quit IRC02:41
ayoungjamielennox, will do...about to sign off for the night02:44
*** zhiyan_ is now known as zhiyan02:47
*** shakamunyi has joined #openstack-keystone02:51
*** ayoung has quit IRC02:54
*** shakamunyi has quit IRC02:56
*** sbfox has joined #openstack-keystone03:06
*** ayoung has joined #openstack-keystone03:09
*** ayoung is now known as ayoung_ZZZ03:09
*** gokrokve has joined #openstack-keystone03:11
*** RockKuo_Office has joined #openstack-keystone03:12
*** gokrokve_ has joined #openstack-keystone03:14
*** gokrokve has quit IRC03:16
*** dims has quit IRC03:17
*** dims has joined #openstack-keystone03:18
*** gokrokve_ has quit IRC03:19
*** topol has joined #openstack-keystone03:21
*** sbfox has quit IRC03:23
*** Chicago has joined #openstack-keystone03:29
*** Chicago has joined #openstack-keystone03:29
*** sbfox has joined #openstack-keystone03:31
*** shakamunyi has joined #openstack-keystone03:52
*** topol has quit IRC03:54
*** shakamunyi has quit IRC03:57
*** gokrokve has joined #openstack-keystone04:14
*** gokrokve has quit IRC04:19
*** shakamunyi has joined #openstack-keystone04:53
*** shakamunyi has quit IRC04:57
*** chandan_kumar has joined #openstack-keystone05:06
*** gokrokve has joined #openstack-keystone05:07
*** gokrokve has quit IRC05:10
*** derek_c has quit IRC05:15
*** zhiyan is now known as zhiyan_05:26
*** chandan_kumar has quit IRC05:31
*** zhiyan_ is now known as zhiyan05:33
*** praneshp has quit IRC05:41
*** gokrokve has joined #openstack-keystone05:41
*** chandan_kumar has joined #openstack-keystone05:42
*** sbfox has quit IRC05:45
*** gokrokve has quit IRC05:46
*** shakamunyi has joined #openstack-keystone05:53
*** tomoiaga1 has joined #openstack-keystone05:55
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Some methods in ldap were moved to superclass
*** shakamunyi has quit IRC05:58
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** bvandenh has joined #openstack-keystone06:04
*** gokrokve has joined #openstack-keystone06:14
*** derek_c has joined #openstack-keystone06:17
*** bach has quit IRC06:18
*** jaosorior has joined #openstack-keystone06:18
*** stevemar has joined #openstack-keystone06:18
*** gokrokve has quit IRC06:19
*** mberlin has quit IRC06:21
*** cynosure__ has joined #openstack-keystone06:23
cynosure__hi getting error code 401 the strange part is sending a http request and I see the keystone-uri being used is https "'www-authenticate': "Keystone uri=''"" is this normal. I haven't used or configured https anywhere in keystone.conf06:24
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Remove email as optional query parameter
*** jamielennox is now known as jamielennox|away06:31
*** mberlin has joined #openstack-keystone06:32
*** stevemar has quit IRC06:40
*** chandan_kumar has quit IRC06:46
*** shakamunyi has joined #openstack-keystone06:54
*** chandan_kumar has joined #openstack-keystone06:54
*** shakamunyi has quit IRC06:58
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Remove email as optional query parameter
jaosoriorplease ignore 90652, 90656 is the good one07:01
*** marekd|away is now known as marekd07:12
*** gokrokve has joined #openstack-keystone07:14
*** gokrokve has quit IRC07:18
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Fix typo in federation api
*** leseb has joined #openstack-keystone07:26
openstackgerritMarek Denis proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples.
*** derek_c has quit IRC07:49
*** shakamunyi has joined #openstack-keystone07:55
openstackgerritChmouel Boudjnah proposed a change to openstack/python-keystoneclient: Add test for unicoded path in s3_token mw
*** shakamunyi has quit IRC08:00
*** derek_c has joined #openstack-keystone08:04
*** zhiyan is now known as zhiyan_08:11
*** gokrokve has joined #openstack-keystone08:14
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Fix typo in federation api
*** zhiyan_ is now known as zhiyan08:16
*** gokrokve has quit IRC08:19
*** derek_c has quit IRC08:22
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Fix typo in federation api
*** morganfainberg_Z is now known as morganfainberg08:34
*** chandan_kumar has quit IRC08:46
*** shakamunyi has joined #openstack-keystone08:56
*** bada has joined #openstack-keystone09:01
*** shakamunyi has quit IRC09:01
openstackgerritOlga Kopylova proposed a change to openstack/keystone: Pagination for api request to users list
*** chandan_kumar has joined #openstack-keystone09:04
*** cynosure__ has quit IRC09:07
*** gokrokve has joined #openstack-keystone09:14
*** tomoiaga1 has joined #openstack-keystone09:19
*** gokrokve has quit IRC09:19
*** morganfainberg is now known as morganfainberg_Z09:30
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Cleanup of ldap backends
*** bvandenh has quit IRC10:03
*** gokrokve has joined #openstack-keystone10:14
*** gokrokve has quit IRC10:18
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Redundant unique constraint
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Migration DB_INIT_VERSION in common place
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync on-demand database schemas
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
*** leseb has quit IRC10:24
*** chandan_kumar has quit IRC10:32
*** zhiyan is now known as zhiyan_10:41
*** andreaf has joined #openstack-keystone10:47
*** chandan_kumar has joined #openstack-keystone10:49
*** gokrokve has joined #openstack-keystone11:14
*** gokrokve has quit IRC11:18
*** diegows has joined #openstack-keystone11:18
*** RockKuo_Office has quit IRC11:27
*** leseb has joined #openstack-keystone11:56
*** leseb has quit IRC12:01
*** kun_huang has joined #openstack-keystone12:05
*** chandan_kumar has quit IRC12:06
*** gokrokve has joined #openstack-keystone12:14
*** gokrokve has quit IRC12:18
*** erecio has joined #openstack-keystone12:18
*** chandan_kumar has joined #openstack-keystone12:24
*** leseb has joined #openstack-keystone12:30
*** andriyk0 has joined #openstack-keystone12:37
*** rodrigods has joined #openstack-keystone12:39
*** rodrigods has joined #openstack-keystone12:39
andriyk0Hello. I would like to make authentication optional in v3.client.Client. What is the best way to achieve it? Is overriding of 'get_raw_token_from_identity_service' ok?12:39
*** dims has quit IRC12:43
*** joesavak has joined #openstack-keystone12:44
*** dstanek_zzz is now known as dstanek12:52
*** zhiyan_ is now known as zhiyan12:56
*** dims has joined #openstack-keystone12:56
*** ayoung_ZZZ is now known as ayoung13:10
ayoungandriyk0, client does not control auth.  You need something to pass in a token.13:10
andriyk0I want to provide resources that do not require authentication at all13:12
andriyk0no username/password, no token13:12
andriyk0something like: >>> keystone = client.Client(auth_url='')13:13
*** gokrokve has joined #openstack-keystone13:14
*** gokrokve has quit IRC13:18
*** Nils__ has joined #openstack-keystone13:20
Nils__Hello, when I am using keystone with debian and icehouse release I always get 'No handlers could be found for logger "keystoneclient.httpclient"'. I found a bugreport but it is already cloesed. Any hints what I am doning wrong?13:22
*** daneyon has joined #openstack-keystone13:29
*** daneyon has quit IRC13:29
*** daneyon has joined #openstack-keystone13:30
Nils__I would appreciate any help. I am setting up openstack for the first time and my keystone seems to be broken. I can get a token but all other requests result in the error message above. And the requests take very long (40 seconds).13:38
gabriel-bezerraayoung: are you setting up keystone on apache using devstack's APACHE_ENABLED_SERVICES?13:39
ayounggabriel-bezerra, I haven't actually tried that.  morganfainberg_Z made that work,  but you'll need to ask him about it in couple of hours13:39
gabriel-bezerraThere is a bug with devstack's code to make it run on ubuntu and as I suppose you use something fedora-like I'd like to hear from you about how to configure apache13:40
gabriel-bezerrato see if I can make it the same way on both systems or if I have to put some if-else on the code13:41
gabriel-bezerrathe problem is that $apache_conf_dir/keystone does not work on ubuntu, it would have to be $apache_conf_dir/keystone.conf13:42
*** nkinder has quit IRC13:42
Nils__also any hint to any documentation that can help is appreciated very much. at the moment I am following but it does not work as expected. And I am not knowing what to do. token-get works but user-list not. But there are entries in my mysql...13:48
gabriel-bezerraI tested it by creating a symlink and it worked well13:49
ayounggabriel-bezerra, $apache_conf_dir/  should be /etc/httpd/conf.d13:49
ayoungplease tell me that exisits on Ubuntu?13:49
gabriel-bezerrain ubuntu it is /etc/apache2/sites-available13:49
ayoung $apache_conf_dir/keystone   seems to imply it is /etc/keystone/13:50
*** jsavak has joined #openstack-keystone13:50
ayoungthere is not straight keystone under apache.13:50
ayoungthat looks like maybe a typo13:50
gabriel-bezerrathe problem is: a2ensite only recognises keystone if the file is /etc/apache2/sites-available/keystone.conf13:50
ayoungNo, I get it13:50
ayoungbut it should not be  $apache_conf_dir/keystone  on Fedora, either, I would think13:51
ayoungin fact, the conf file is13:51
gabriel-bezerrafrom devstack's lib/keystone: sudo cp $FILES/apache-keystone.template /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone13:51
ayoungshould work as .conf for either13:52
gabriel-bezerrabut in ubuntu it should be: sudo cp $FILES/apache-keystone.template /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone.conf13:52
ayoungis there a mkdir for /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone  ?13:52
gabriel-bezerrano, it is a file13:52
ayoungand $FILES/apache-keystone.template /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone  should come from the Keystone config dir13:52
ayoungkeystone git repo13:52
* ayoung goes to look13:52
ayoungah...all of that ADMIN Port silliness13:53
dimsayoung, pet peeve? :)13:54
*** joesavak has quit IRC13:54
*** joesavak has joined #openstack-keystone13:54
ayoungdims, yes, living with dumb mistakes made before my time that I've worked 2 years to eradicate is a pet peeve of mine13:55
ayounggabriel-bezerra, do you want to do this right, or just make it work?13:55
*** jsavak has quit IRC13:55
dimsayoung, agree with you :)13:56
gabriel-bezerraI suppose that copying as _.conf will make it right, won't it?13:56
gabriel-bezerraI'm trying to deploy a devstack with federated keystone. If it is a quick fix, ok. Otherwise, we register the bug and leave the fix for later.13:58
openstackgerritDolph Mathews proposed a change to openstack/identity-api: Fix federation mapping rules examples.
ayounggabriel-bezerra, should be ok as a .conf either way14:00
ayoungno need for an "if"14:00
gabriel-bezerrais the line: "enable_apache_site keystone" going to work on fedora if the filename is keystone.conf14:01
gabriel-bezerraon ubuntu it only works with keystone.conf14:02
gabriel-bezerraor should we make it: "enable_apache_site keystone.conf" in fedora?14:02
*** bgorski has joined #openstack-keystone14:02
bgorskiI have a question about "ldap + sql in keystone setup (multi-domain)"14:03
bgorskiIs it already supported?14:04
bgorskiI saw the BL to revert the multiple-ldap-servers"14:04
gabriel-bezerraayoung: I guess I'll need an if. See the way sites are enabled on fedora and on ubuntu in lib/apache14:05
andreafbknudson: ping14:05
bknudsonandreaf: what's up?14:06
ayounggabriel-bezerra, so be it14:06
andreafbknudson: first thanks for your reviews, I appreciate you taking the time on my tempest patchsets14:06
gabriel-bezerrashould I file a bug and then a fix or just send the fix for review?14:07
andreafbknudson: one question on a comment on
*** thiagop has joined #openstack-keystone14:07
andreafbknudson: the domain I have in there is for both user and project, as the assumption of the project being the same is good enough in tempest for the accounts from the config14:08
bknudsonandreaf: ok, just make it clear that it's both the user and project domain14:08
andreafbknudson: does this sound ok to you? If so I can include this in the comment14:08
*** rwsu has joined #openstack-keystone14:08
andreafbknudson: all right thanks14:08
bknudsonandreaf: yes, if that's good enough for the config. I noticed there's other code that allows setting user and project domain separately.14:09
andreafbknudson: the other question I had, about renaming keystoneV3 to identityv314:09
bknudsonandreaf: it really should be identity v3. keystone supports identity v2 and identity v3.14:10
bknudsonthere's no keystone v314:10
andreafso there are already some keystonev2 things in, so I can do identity v3 and it will look inconsistent for a while and then fix keystone v2 to identity v2 in a later patch14:11
bknudsonok... or stick a patch in front that changes keystonev2 to identityv214:11
andreafbknudson: ok I can do that14:12
*** andreaf has quit IRC14:14
*** gokrokve has joined #openstack-keystone14:14
*** gokrokve has quit IRC14:19
*** Nils__ has left #openstack-keystone14:20
*** gokrokve has joined #openstack-keystone14:22
*** daneyon has quit IRC14:24
*** daneyon has joined #openstack-keystone14:24
*** nkinder has joined #openstack-keystone14:24
*** shakamunyi has joined #openstack-keystone14:29
*** gokrokve has quit IRC14:29
*** daneyon has quit IRC14:29
*** david-lyle has joined #openstack-keystone14:30
*** david-lyle has quit IRC14:30
-openstackstatus- NOTICE: Gerrit downtime for upgrade begins in 90 minutes. See:
*** david-lyle has joined #openstack-keystone14:30
*** david-lyle has quit IRC14:31
*** david-lyle has joined #openstack-keystone14:32
*** stevemar has joined #openstack-keystone14:42
*** shakamunyi has quit IRC14:44
*** tomoiaga1 has left #openstack-keystone14:52
*** gokrokve has joined #openstack-keystone14:56
*** andriyk0 has quit IRC14:57
*** gokrokve has quit IRC14:57
*** gokrokve has joined #openstack-keystone14:58
*** gokrokve has quit IRC14:58
*** sbfox has joined #openstack-keystone15:01
*** chandan_kumar has quit IRC15:03
lbragstadjust curious if anyone would be opposed to changing the identity_client in tempest to not default domain_id  to 'default'?
*** shakamunyi has joined #openstack-keystone15:04
lbragstadit was picked up by the jsonschema validator commit15:05
openstackgerritayoung proposed a change to openstack/keystone: Ensure token is a string
gabriel-bezerraayoung: please see:
ayounggabriel-bezerra, then add me to the review....15:08
ayounggabriel-bezerra, you sure it can't be .conf for Fedora?15:12
*** richm has joined #openstack-keystone15:12
*** sbfox has quit IRC15:22
*** sbfox has joined #openstack-keystone15:28
dstanekgabriel-bezerra, ayoung: it may be worth looking at lib/horizon to see what they are doing there15:28
-openstackstatus- NOTICE: Gerrit downtime for upgrade begins in 30 minutes. See:
*** daneyon has joined #openstack-keystone15:31
openstackgerritFlorent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API
*** gokrokve has joined #openstack-keystone15:44
*** sbfox has quit IRC15:45
*** jamiec has quit IRC15:45
dstanekanyone know how long gerrit will be down?15:46
*** sbfox has joined #openstack-keystone15:48
*** gokrokve has quit IRC15:48
*** gyee has joined #openstack-keystone15:54
*** sbfox has quit IRC15:55
*** browne has joined #openstack-keystone15:56
*** jamiec has joined #openstack-keystone15:58
marekddstanek: quoting the e-mail from ml thread: "We would like to advise that you can expect a couple hours of downtime16:00
marekdfollowed by several more hours of automated systems not quite working16:00
marekdas expected."16:00
marekddstanek: they also mentioned that it's a suggested off-week :-)16:01
dstanekmarekd: ha, i guess it's a good time to catch up on background reading for the summit16:01
marekddstanek: i think so :-)16:02
marekddstanek: btw anything worth looking at, that's not super obvious? :-)16:02
*** sbfox has joined #openstack-keystone16:03
dstanekmarekd: not that i know of - in addition to the blueprints and linked docs i've been reading up on stevedor and other libraries that we seem to be moving toward16:03
gabriel-bezerraayoung: dstanek: it is used as a way of enabling/disabling sites. see lib/apache16:04
ayounggabriel-bezerra, not just enabling/disabling, though, according to what I have on my F20 box16:05
*** marcoemorais has joined #openstack-keystone16:05
marekddstanek: i am not following all the library changes so maybe you could name some more libs apart from stevedor (which by the way I knew about)- i guess it'd be a good time for me as well to catch up a little bit :(16:06
gabriel-bezerrasee devstack/lib/apache on function enable_apache_site16:06
ayoungstevemar, don't wew need a protocol plugin for Federation on the client side?  Is there a review missing?16:07
ayoungfound it16:07
dstanekmarekd: i want to be familiar with pecan/wsme and tulip/trollious because i think they have competing goals and i'm anticipating some discussion16:08
dstanekmarekd: i'm also very interested in OSC and RESTful-ness of our server APIs16:08
*** marcoemorais has quit IRC16:09
marekddstanek: oh, nice!16:10
marekdayoung: -> thanks16:10
ayoungmarekd, yeah, that needs to go in.  Federation is kindof lost without it.  Also, please review jamielennox's patches for versionless discovery16:10
ayoungwithout that, v3 on v2 services is DOA16:11
*** marcoemorais has joined #openstack-keystone16:11
thervedstanek, You really need to get familiar if you think they have competing goals :)16:11
marekdayoung: DOA?16:11
ayoungDead On Arrival16:11
marekdayoung: links for jamielennox|away's patches?16:11
marekdayoung: ok16:11
*** jaosorior has quit IRC16:11
ayoung  and the two prior to it in the chain16:12
ayoungmarekd, ^^16:12
marekdayoung: thanks.16:12
ayoungmarekd, here's the deal16:12
ayoungwe need to support /v2.0 in the service catalog due to older clients16:12
ayoungbut we need to be able to make a v3 call alongside a v2.016:12
dstanektherve: goals may not be the right word - maybe competing ways to get to the same goals16:12
thervedstanek, They don't operate at the same level really.16:13
ayoungand that means we need to tunr a blind eye to what the service catalog actually returns, and let discovery work despite the fact that  it got a /v2.0 in the url16:13
*** sbfox has quit IRC16:13
dstanektherve: when i glanced at the wsme docs it looks like it would not be friendly to a callback, async framework and more like how we work with eventlet today16:14
dstanektherve: is that not the case?16:14
marekdayoung: but isn't the v2 going to be deprecated quite soon?16:14
ayoungmarekd, deprecated does not mean gone16:15
ayoungwe have to support the API for 2 releases after it is deprecated, and thje older clients for at least that long, too16:15
marekdayoung: how many features do we have with v3 only? oauth, federation...what else?16:15
thervedstanek, I think it'd be easier for wsme than pecan. Also those handle HTTP calls, but tulip is really about the lower level. It's not impossible to imagine pecan on top of tulip, I think.16:15
marekdayoung: yeah, right16:16
ayoungRevocation events16:16
marekdbasically everything that landed in Icehouse :-)16:16
dstanektherve: my understanding of tulip is that the programming model is more like twisted; so the developer/framework needs to be aware16:18
thervedstanek, Sure, you're right. Nothing prevents you from doing wsgi on top of it though.16:18
dstanektherve: our code right now can be unaware that it will be called asynchronously16:18
*** packet has joined #openstack-keystone16:18
openstackgerritA change was merged to openstack/identity-api: Fix federation mapping rules examples.
marekdyay ^^16:19
dstanektherve: right, but i don't know how wsme would work on top of it because it has a different programming model, from what i understand16:19
dhellmannwe're only using the parts of wsme that do (de)serialization and validation, would the event loop interfere with that?16:20
dstanekdhellmann: likely not; is that all the projects intend to use?16:21
dhellmanndstanek: yes, from wsme16:21
dstanekdhellmann: and what about pecan?16:21
dhellmannpecan does the wsgi and routing stuff16:21
dstanekdoes it use an eventloop based programming model?16:21
dhellmannit does not, itself16:22
dhellmannI think it should be ok, but can get that clarified16:22
dstanekdhellmann: this is part of what i wanted to research before the summit16:22
*** ryanpetrello has joined #openstack-keystone16:22
dhellmanndstanek: ryanpetrello should have more insight than I do about how pecan will work with eventlet or tulip16:23
dstanekdhellmann: i don't see why moving to pecan/wsme is any better than what we've been doing with routes and jsonschema16:23
dhellmannjsonschema wasn't around when I proposed wsme over a year ago (at least not as prevalent, if it existed at all); and pecan is better than the home-grown wsgi stack in nova16:24
ayoungmarekd, you are going to like what I am working on, then.16:24
ayoungI am doing some API script examples for Federation16:24
ryanpetrelloI can’t really speak to pecan + tulip16:26
ryanpetrellobut I have used pecan + eventlet before16:26
ryanpetrellothe only area of concern is the use of threadlocals in pecan, though `eventlet.monkey_patch` should properly patch the thread ident stuff to use greenthread idents instead16:27
dhellmannwe also have some locals stuff in oslo to work around that, iirc16:27
ryanpetrelloalso, re pecan/wsme vs routes/jsonschema, I’ve used routes in years past, and it is a solution that works16:28
ryanpetrelloI can only speak anecdotally here (and obviously, I’m a bit biased, being an author and user of pecan)16:28
ryanpetrellosome of the niceties that come w/ pecan in terms of generating a RESTful API are really nice-to-haves that you’d otherwise build on top of routes16:29
marekdayoung: you're working on examples for something like a blog post or a real scripts - kinda cli equivalent?16:29
dstanekdhellmann, ryanpetrello: i really want to get rid of eventlet so maybe it's possible to rework pecan slightly for tulip16:33
dstanekassuming that's even needed16:33
ryanpetrellodstanek: agreed on both of those comments16:33
dstaneki've not had a ton of time to read up on the docs or to test it all out yet16:33
dhellmanndstanek: yep, that is another goal for moving off of our home-grown thing16:34
*** marekd is now known as marekd|afk16:34
dhellmannalthough it's not clear that tulip is necessarily better than a robust wsgi container/server16:34
dhellmannwe don't recommend deploying pecan "bare"16:34
dstanekdhellmann: depends on the IO model of the service16:35
dhellmanndstanek: sure16:35
dstaneki've had a lot of luck depoying multiple processes with gunicorn where each process performed async IO16:35
dstanekthat gave us lots of concurrency with a way to spread out some CPU specific load across cores16:36
-openstackstatus- NOTICE: Gerrit is unavailable until further notice for a major upgrade. See:
*** ChanServ changes topic to "Gerrit is unavailable until further notice for a major upgrade. See:"16:36
ryanpetrellodstanek: in any event, an exploration related to tulip is going to be the same for Routes or pecan16:38
ryanpetrelloand as you’ll find, pecan is probably just 90% webob with glue16:38
dstanekryanpetrello: yep agreed (about the investigation)16:39
*** topol has joined #openstack-keystone16:41
*** topol_ has joined #openstack-keystone16:42
*** gokrokve has joined #openstack-keystone16:44
*** bach has joined #openstack-keystone16:44
*** shakamunyi has quit IRC16:46
*** topol has quit IRC16:46
*** topol_ is now known as topol16:46
*** bach_ has joined #openstack-keystone16:46
*** kun_huang has quit IRC16:47
*** bach has quit IRC16:49
*** gokrokve has quit IRC16:49
*** bach_ has quit IRC16:52
*** marekd-mobile has joined #openstack-keystone16:54
*** harlowja_away is now known as harlowja17:00
*** ThomasCrowe1 has joined #openstack-keystone17:00
*** bach has joined #openstack-keystone17:05
*** shakamunyi has joined #openstack-keystone17:13
*** bach has quit IRC17:13
mfischIs there a grammatical reason that many of the error messages end with a period? it makes copying and pasting ids annoying. Besides many are not complete sentences.17:13
mfischFor example: "Could not find trust, %(trust_id)s."17:13
*** zhiyan is now known as zhiyan_17:19
*** daneyon has quit IRC17:20
*** daneyon has joined #openstack-keystone17:21
*** marekd-mobile has quit IRC17:22
*** marekd-mobile has joined #openstack-keystone17:22
*** sbfox has joined #openstack-keystone17:23
*** gokrokve has joined #openstack-keystone17:24
*** praneshp has joined #openstack-keystone17:24
*** topol has quit IRC17:26
*** chandan_kumar has joined #openstack-keystone17:26
*** gokrokve has quit IRC17:29
*** bgorski has quit IRC17:30
*** amcrn has joined #openstack-keystone17:32
*** thedodd has joined #openstack-keystone17:32
*** shakamunyi has quit IRC17:35
*** marekd-mobile has quit IRC17:37
*** morganfainberg_Z is now known as morganfainberg17:48
morganfainbergayoung, didn't get a chance to post the gate jobs... will be doing that today i hope17:49
*** daneyon has quit IRC17:49
ayoungmorganfainberg, no rush17:49
morganfainbergayoung, sunday dinner then oncall got in the way.17:50
morganfainbergayoung, yeah just was trying to get them up before this week.17:50
*** daneyon has joined #openstack-keystone17:50
morganfainbergmeh, we'll get them up this week :)17:50
* morganfainberg drinks coffee.17:50
* morganfainberg drinks lots of coffee17:51
*** daneyon has quit IRC17:52
ayoungmorganfainberg, my wife just told me that she read drinking coffee reduces the risk of type 2 diabeetus.  Drink up17:55
ayoungand with that...I'm off to pick up my car.17:55
*** ayoung is now known as ayoung_rrrrmmm17:55
*** marcoemorais has quit IRC18:00
morganfainbergayoung_rrrrmmm, hehe18:00
*** packet has quit IRC18:00
*** packet has joined #openstack-keystone18:01
*** marcoemorais has joined #openstack-keystone18:02
*** thedodd has quit IRC18:13
*** gokrokve has joined #openstack-keystone18:14
*** gokrokve has quit IRC18:19
*** ryanpetrello has left #openstack-keystone18:22
*** thedodd has joined #openstack-keystone18:23
*** doddstack has joined #openstack-keystone18:26
*** thedodd has quit IRC18:28
*** marcoemorais has quit IRC18:29
*** marcoemorais has joined #openstack-keystone18:31
*** ayoung_rrrrmmm is now known as ayoung18:32
*** browne1 has joined #openstack-keystone18:57
*** praneshp has quit IRC18:59
*** browne has quit IRC19:00
*** praneshp has joined #openstack-keystone19:03
*** openstackgerrit has quit IRC19:04
*** bach has joined #openstack-keystone19:06
*** leseb has quit IRC19:08
*** gokrokve has joined #openstack-keystone19:14
*** gokrokve has quit IRC19:19
*** daneyon has joined #openstack-keystone19:31
*** ChanServ changes topic to "Open discussion."19:31
-openstackstatus- NOTICE: Gerrit upgrade to 2.8 complete. See: Some cleanup tasks still ongoing; join #openstack-infra if you have any questions.19:31
*** sbfox has quit IRC19:36
*** derek_c has joined #openstack-keystone19:36
*** sbfox has joined #openstack-keystone19:40
*** chandan_kumar has quit IRC19:40
stevemarayoung, i don't know what the current state of your fix for 'token is string' is, but i think you were using six.string_type ?19:52
stevemarayoung, i'm not sure that would work, as that would return true if it's str or unicode, i think
ayoungstevemar, hmmmm,19:53
*** leseb has joined #openstack-keystone19:53
ayoungstevemar, you are correct.  We are going to need to figure out the whole unicode to mod_wsgi thing for python33 separately.19:54
bknudsondolphm: are you thinking of another keystoneclient release soon?19:55
ayoungstevemar, if I read the six docs correctly, there is no way to do str().19:55
ayoungbknudson, I really want compressed and revoke api in there before we release19:55
morganfainbergayoung, bytes()19:55
ayoungmorganfainberg, I don;t think so19:55
bknudsonayoung: that sounds reasonable19:55
ayoungmorganfainberg, bytes is binary, but the wsgi spec I think forces headers to be ascii19:56
stevemarbknudson, ayoung i wouldn't mind the oauth stuff in there either, need to make sure i don't break the gate again :\19:56
morganfainbergayoung, not ascii, byte_str19:56
morganfainbergayoung, iirc that was the error19:56
ayoungthe fact that unicode when encoded using 'ascii'  didn't work19:56
morganfainbergand i _think_ bytes() is equiv to byte_str19:57
morganfainbergwell byte_str if you have characters in it19:57
dolphmbknudson: i wasn't expecting one, why?19:57
dolphmbknudson: maybe one before around the conference to ship token compression?19:57
*** bach has quit IRC19:58
bknudsondolphm: we've added some new things, but I'm fine with waiting19:58
ayoung"TypeError: expected byte string object for header value, "19:58
uvirtbotLaunchpad bug 1312971 in python-keystoneclient "mod_wsgi exception processing UTF-8 Header" [High,Triaged]19:58
morganfainbergayoung, i think if you use bytes() in py33 with string data it's a byte string (c string) underlying20:00
morganfainbergoh thats cool. being able to edit commit messages in the gerrit web interface20:03
*** gokrokve has joined #openstack-keystone20:14
*** gokrokve_ has joined #openstack-keystone20:16
*** shakamunyi has joined #openstack-keystone20:17
bknudsonmorganfainberg: wide enough commit message?20:18
morganfainbergbknudson, yeah found out it doesn't line-wrap20:18
morganfainbergbknudson, but was easy to fix20:18
morganfainbergwaaaay better than needing to upload a new changeset to add bp etc20:18
*** gokrokve has quit IRC20:19
*** sbfox has quit IRC20:19
ayoung  compression should be ready...made all changes suggested to date dolphm20:19
bknudson"Submit TypeMerge if Necessary" ? wonder what that means20:19
ayoungmorganfainberg, +++20:20
*** gokrokve_ has quit IRC20:20
ayounghmmm....what is the mapping rule comparable to external.DefaultDomain?20:21
*** bach has joined #openstack-keystone20:22
morganfainbergayoung, bknudson
morganfainbergchanges to devstack-gate so we can configure mod_wsgi based services20:37
*** sbfox has joined #openstack-keystone20:39
morganfainbergrunning a devstack now to see if i need to do anything crazy to make this all happy, but i ... think this is going to be an easy couple patches (minus bikeshedding)20:39
*** bach has quit IRC20:51
ayoungmorganfainberg, you doing thius on Ubuntu, right?20:53
*** erecio has quit IRC20:53
*** marcoemorais has quit IRC20:54
*** marcoemorais has joined #openstack-keystone20:56
morganfainbergayoung, yes, but i'll also try it on fedora20:57
morganfainbergayoung, ubuntu to start (since thats the gate jobs)20:58
ayoungmorganfainberg, did you see this:
morganfainberghadn't seen that one20:59
morganfainberggood to know20:59
morganfainbergi think that is wronfg20:59
morganfainbergin fact.. i'm almost sure that is wrong20:59
morganfainbergayoung, i'll let you know if it works, but i am almost sure a2ensite etc doesn't care about .conf21:03
ayoungmorganfainberg, that was my reaction as well21:04
ayoungbut...why not .conf?21:04
morganfainbergayoung no reason to block it21:04
morganfainbergayoung, i mean, .conf is an accepted practice for apache configs21:04
morganfainbergayoung, just the reasoning seems off.21:05
*** joesavak has quit IRC21:12
*** gokrokve has joined #openstack-keystone21:14
*** sbfox has quit IRC21:15
*** derek_c has quit IRC21:16
*** gokrokve has quit IRC21:19
*** leseb has quit IRC21:21
ayoungmorganfainberg, but .conf should be acceptable fro both Fedora and Ubuntu21:23
ayoungnever worked with a2ensite21:23
*** bach has joined #openstack-keystone21:27
*** bach has quit IRC21:30
*** maelfius has joined #openstack-keystone21:32
*** morganfainberg has quit IRC21:33
*** maelfius is now known as morganfainberg21:33
*** bach has joined #openstack-keystone21:34
*** dstanek is now known as dstanek_zzz21:34
*** dstanek_zzz is now known as dstanek21:36
*** sbfox has joined #openstack-keystone21:42
*** derek_c has joined #openstack-keystone21:47
*** stevemar has quit IRC21:47
*** stevemar has joined #openstack-keystone21:48
*** openstackgerrit has joined #openstack-keystone21:53
morganfainbergayoung, yeah just did the standup w/ keystone under apache22:01
morganfainberglooks like it works22:01
morganfainbergnow... i'm going to need to fix the logging when under apache22:01
morganfainbergbut, all in all, it's looking good22:01
*** packet has quit IRC22:04
*** packet has joined #openstack-keystone22:05
*** derek_c has quit IRC22:06
*** dims has quit IRC22:09
*** nkinder has quit IRC22:12
bknudsonthere's now a "add comment" button at the bottom so it's easier to add the recheck comment.22:13
*** gokrokve has joined #openstack-keystone22:14
stevemari like the autocomplete in the search box22:16
stevemari guess all WIP stuff is automatically -1'ed for the Workflow value22:18
*** gokrokve has quit IRC22:19
bknudsonlabel:Code-Review=2 -- used to be CodeReview22:19
morganfainbergstevemar, yeah22:22
ayoungOk,  so with mod_identity_lookup and sssd, I get two env vars set:  REMOTE_USER for the Kerberos principal ID, and REMOTE_GROUPS, which is a list of groups, separated by colons (:)    What mapping should I use?  stevemar marekd|afk ?22:23
bknudsonlooks like we can W-1 other people's changes.22:23
stevemarNew "My -> Draft Comments", apparently I forget to actually publish my comments quite often22:24
*** sbfox has quit IRC22:24
stevemarayoung, REMOTE_GROUPS22:24
stevemarthey should be separated by semi-colons22:24
ayoungstevemar, well they are not22:26
ayoungthey are separated by colons and thats the way I LIKES  EM!22:26
morganfainbergbknudson, cores can22:26
morganfainbergbknudson, but they can't clear the -1 w/o a new patchset.22:26
morganfainbergbknudson, there is likely going to be arguments on if we should be allowed to do that [someone was already asking about not letting anyone but the author -1 WIP]22:27
morganfainbergstevemar and if you want to see a trainwreck of a UI... look at the "new screen"22:27
morganfainbergvs. the old screen :P22:27
ayoungstevemar, does it make a difference?22:27
*** dstanek is now known as dstanek_zzz22:28
stevemarayoung, i don't think the mapping rule engine would work on colons, only semi-colons22:30
stevemarmorganfainberg, the jenkins results need the color coding back22:31
*** topol has joined #openstack-keystone22:31
*** topol_ has joined #openstack-keystone22:32
morganfainbergstevemar, there are issues w/ the new stuff for sure22:35
stevemartopol, are you up or down?22:35
stevemarmorganfainberg, of course, just commenting on it22:35
morganfainbergoh wait no thats specific for the "new" screen22:36
morganfainbergnot issues w/ the "default"22:36
*** topol has quit IRC22:36
*** dims has joined #openstack-keystone22:36
*** topol_ is now known as topol22:37
morganfainbergstevemar, didn't think the gerrit UI could get worse did ya? :P22:38
stevemarmorganfainberg, meh, it's still cool22:38
*** bach has quit IRC22:42
stevemaralright, editing the commit msg from the web UI is super cool22:43
morganfainbergayoung, minor update based upon sdague's preference, and thinking it over, i agree (we can make keystone default to using apache in the future, but it would be nice to test all services under apache with a toggle)22:45
*** bach has joined #openstack-keystone22:45
*** topol has quit IRC22:49
*** dstanek_zzz is now known as dstanek22:50
*** bach has quit IRC22:54
*** browne1 has quit IRC22:58
ayoungstevemar, so what you are telling me is that a mapping needs a "separator_char" field23:01
*** ayoung is now known as ayoung_DadMode23:01
*** derek_c has joined #openstack-keystone23:03
*** browne has joined #openstack-keystone23:06
*** bach has joined #openstack-keystone23:13
*** gokrokve has joined #openstack-keystone23:14
*** bach has quit IRC23:17
*** packet has quit IRC23:18
*** gokrokve has quit IRC23:19
*** david-lyle has quit IRC23:22
stevemarayoung_DadMode, i think it might need another option for the env variable that contains the info, like REMOTE_GROUPS or ... whatever23:33
*** sbfox has joined #openstack-keystone23:34
openstackgerritA change was merged to openstack/identity-api: Fix typo: Endoint -> Endpoint
*** praneshp has quit IRC23:35
*** sbfox has quit IRC23:47
*** jamielennox|away is now known as jamielennox23:49
*** sbfox has joined #openstack-keystone23:52
*** praneshp has joined #openstack-keystone23:54
*** sbfox has quit IRC23:55
*** ayoung_DadMode is now known as ayoung_23:56
*** ayoung_ is now known as ayoung23:56
ayoungstevemar, we should be able to split up any random string based on a token, no?23:57
ayounger...token might be a bad choice of words there23:57
jamielennoxmorganfainberg: see also:

Generated by 2.14.0 by Marius Gedminas - find it at!