Monday, 2014-04-28

ayoung	jamielennox, https://review.openstack.org/#/c/74599/ am I right in how that is supposed to be working?	00:08
*** morganfainberg_Z is now known as morganfainberg		00:09
jamielennox	ayoung: 1 sec	00:10
*** diegows has joined #openstack-keystone		00:12
boris-42	morganfainberg ayoung jamielennox guys could I ask you to +1 adding rally job to keystone https://review.openstack.org/#/c/90404/ ?	00:13
ayoung	boris-42, dangerous. I might not want to +1....but I will look.	00:13
boris-42	ayoung why?)	00:14
ayoung	boris-42, I want our gate failing less.	00:14
boris-42	ayoung it's non voting	00:14
ayoung	I see that...	00:14
boris-42	ayoung plus rally don't fails	00:14
ayoung	what does this buy us?	00:14
ayoung	what is rally?	00:14
boris-42	ayoung perfromance tool	00:14
morganfainberg	ayoung, performance metrics	00:14
ayoung	oooh...how expensive is it to run?>	00:14
boris-42	ayoung it depends	00:15
boris-42	ayoung on config that you'll have in keystone/rally-scenarios/keystone.yaml	00:15
morganfainberg	ayoung, i'll defer to boris-42 on that, but it's pretty awesome. it also generates cool graphs	00:15
boris-42	ayoung let me find graphs	00:15
boris-42	ayoung from rally job	00:15
ayoung	morganfainberg, what load is it going to put on gate? And does it belong there?	00:15
boris-42	ayoung http://logs.openstack.org/48/90248/5/check/check-rally-dsvm-rally/f099cfd/rally-plot/results.html.gz	00:16
boris-42	ayoung ^ run 2k times create_and_list_tenatns	00:16
boris-42	ayoung I am going to add errors aggregation to this plots	00:17
boris-42	ayoung but from console log I saw that there are mostly timeouts in authenticate stuff	00:17
ayoung	boris-42, its good stuff, just not certain it should be a gate job	00:17
boris-42	ayoung it's check job	00:17
boris-42	ayoung you can have nothing in keystone.yaml	00:18
boris-42	ayoung and if somebody is working on performance he can change keystone.yaml to show that his fix works	00:18
boris-42	ayoung avoiding running by all cores performance tests by hands	00:18
ayoung	morganfainberg, does it belong in gate?	00:19
morganfainberg	ayoung, in check for now, (for sure)	00:19
boris-42	ayoung it won't be soon in gates	00:19
morganfainberg	ayoung, not sure if it belongs in gate.	00:19
morganfainberg	ayoung, but it will be good to see metrics on each patchset as they're submitted	00:19
boris-42	ayoung I should remember all math that I learned to make normalization function for results	00:19
ayoung	regardless...check/ gate, it puts load on Zuul and the systems it runs.	00:19
morganfainberg	ayoung, this one is worth it imo	00:20
ayoung	I want to make sure that is a worthwhile cost.	00:20
morganfainberg	ayoung, it'll help us be sure we're headed the right direction with the performance optimisations etc	00:20
ayoung	++	00:20
ayoung	and is this the right performance metric to gather>	00:21
ayoung	?	00:21
boris-42	ayoung you have a framework for doing any benchmarks	00:21
morganfainberg	ayoung, we get to tune/define those. it's about setting up the scenarios in the rally config in the keystone tree	00:21
jamielennox	still busy, but ++ for nice pics	00:21
morganfainberg	jamielennox :)	00:22
boris-42	ayoung so you'll be able to write benchmark scenarios inside keystone tree	00:22
boris-42	ayoung avoiding fully rally team=)	00:22
boris-42	ayoung so it's quite precise tool that should test some specific aspect	00:22
ayoung	boris-42, in general I am in favor of the idea. I would like to hear from some of the other perf people.	00:23
boris-42	ayoung e.g. list operation of users/tenatns	00:23
morganfainberg	ayoung, for the most part, we're going to define what we want to test and how we want to go about it.	00:23
boris-42	morganfainberg ayoung goal of rally is to provide simple way to that	00:23
ayoung	morganfainberg, and what repo is that going to live in?	00:24
morganfainberg	boris-42, looks like you're well on the way to it	00:24
*** topol has quit IRC		00:24
morganfainberg	ayoung, the definitions we test? in the keystone tree	00:24
ayoung	OK...I can live with that	00:24
boris-42	ayoung otherwise it will be hard to work with it	00:24
morganfainberg	ayoung, https://review.openstack.org/#/c/90405/	00:25
boris-42	ayoung we were thinking about keeping tasks inside rally but thought that it will be hell=)	00:25
ayoung	Agreed	00:26
ayoung	morganfainberg, does 90405 need to land before 90404?	00:26
morganfainberg	boris-42, ^ does 90405 need to land before the gate config?	00:26
boris-42	ayoung nope after	00:26
morganfainberg	boris-42, ah shouldn't matter then	00:27
morganfainberg	boris-42, it wont be used until infra change is in	00:27
boris-42	ayoung yep it won't just run anything	00:27
boris-42	morganfainberg https://jenkins06.openstack.org/job/check-rally-dsvm-rally/14/consoleFull	00:27
boris-42	morganfainberg ^ btw in gates the same issue	00:27
boris-42	morganfainberg that I faced	00:27
morganfainberg	boris-42, ah	00:27
boris-42	morganfainberg the same first it was working well	00:28
boris-42	morganfainberg and then bah	00:28
morganfainberg	boris-42, new tools. happens	00:28
morganfainberg	ayoung, got roped into dinner, will be trying to get the upload for apache check jobs tonight, will add you to them so we can get them going	00:28
ayoung	morganfainberg, please do. I like this direction	00:29
morganfainberg	ayoung, initially i'll just have apache listen on 5000 and 35357.	00:29
ayoung	Ugh	00:29
morganfainberg	we can work on doing the shared port 80/443 once we are at least testing	00:29
morganfainberg	we might have devstack changes needed before we can share port80/443	00:29
ayoung	but 5000 is port reserved for another service and 35357 ois smack dab in the middle of the ephemeral range ;)	00:29
morganfainberg	ayoung, yes, but at least we're testing the mod_wsgi stuff then (step in the right direction)	00:30
morganfainberg	as soon as we can make that check job share port80/443 we convert over to it	00:30
morganfainberg	but i want to make sure we're testing mod_wsgi config every patch ASAP.	00:30
morganfainberg	annnyway... dinner bbib	00:31
*** kun_huang has joined #openstack-keystone		00:32
*** kun_huang has quit IRC		00:38
*** morganfainberg is now known as morganfainberg_Z		00:41
*** bach has quit IRC		00:46
*** shakamunyi has joined #openstack-keystone		00:50
*** daneyon has joined #openstack-keystone		00:51
*** shakamunyi has quit IRC		00:54
*** derek_c has joined #openstack-keystone		00:55
jamielennox	ayoung: still here/.	01:15
ayoung	Me too	01:15
jamielennox	oops, was going for the question	01:15
jamielennox	so what's the problem you had earlier	01:15
ayoung	jamielennox, the review you posted, and whether it should allow a Catalog from Keystone with a V2.0 endpoint to return a v3 url.	01:18
ayoung	jamielennox, https://review.openstack.org/#/c/74599/	01:19
jamielennox	ayoung: ok, i was just replying to that	01:21
jamielennox	there is no v2/v3 hack in the new client code	01:21
jamielennox	that was done in a way that is specific to the old code	01:21
ayoung	so ... what do I need to do?	01:21
jamielennox	the point of that patch is to allow something at / to do a lookup	01:22
ayoung	is there a change en route that deals with it	01:22
jamielennox	it's not hard to do i think	01:22
jamielennox	the point was to get that version stuff in first, so that way you can say if version == 3 and endpoint == 2 then fix it	01:22
jamielennox	it doesn't have to though i guess	01:23
jamielennox	you could just fix it in v3 identity plugins	01:23
jamielennox	not sure	01:23
jamielennox	ayoung: there are still other open questions here - like i'm pretty sure i need to extend the same functionality to original clients	01:23
ayoung	the first thing to solve is to let V3 clients work when the endpoints all say v2.0	01:24
jamielennox	because at the moment it will only be activated if you create the session first, but that means that things like horizon won't benefit from the change simply by having an updated client version	01:24
ayoung	we need a way to do it, programttically. and then we can move that into horizon	01:24
jamielennox	right - but what i would like to do here is not just hack a /v3 on the end like we did with the old client	01:25
jamielennox	when we have discovery if you have a v2 only url we should be able to just trim the v2 part and let discovery handle finding v2 or v3	01:26
jamielennox	instead of trimming v2.0 and appending v3	01:26
*** diegows has quit IRC		01:26
ayoung	OK, so I'm OK with that, since discovery wil just be run once...but we need a way to find the root URL	01:27
ayoung	Should we inject a "root" into the "v2.0" response?	01:28
ayoung	jamielennox, can we do that as a follow on to https://review.openstack.org/#/c/74599/ ?	01:31
boris-42	ayoung still around?	01:34
jamielennox	ayoung: we can - i don't know if that's a good way though because we will end up waiting for that to be proliferated	01:35
boris-42	ayoung morganfainberg_Z so I got that bug from my local development in gates	01:35
boris-42	ayoung morganfainberg_Z http://logs.openstack.org/48/90248/8/check/check-rally-dsvm-rally/23c0d03/rally-plot/results.html.gz	01:35
boris-42	^ ayoung zeros on graph means errors	01:35
jamielennox	there are a number of places where i'm pretty sure if you aren't using the defined /v2.0 and /v3 prefixes things just won't work	01:35
boris-42	ayoung so it works perfect under load first ~2k iterations	01:36
boris-42	ayoung but after 2k something wired is hapen	01:36
ayoung	jamielennox, let me put it to you this way: how would I make a v3 call to a Keystone server with V2.0 in the URL?	01:36
ayoung	boris-42, might be a MySQL thing...	01:37
boris-42	ayoung not sure	01:37
ayoung	but...TBH I don't care about stresstesting Eventlet	01:37
boris-42	ayoung cause when I was playing with my deployment	01:37
boris-42	ayoung after some amount of time I repeated	01:37
ayoung	boris-42, run it against apache HTTPD and I might be more interested	01:37
boris-42	ayoung one sec	01:38
ayoung	jamielennox, I would have thought that explicitly setting endpoint would override the value that comes back from the service catalog	01:39
boris-42	ayoung does this turn on APACHE_ENABLED_SERVICES+=keystone ?	01:39
boris-42	ayoung if I put it in devstack locarlc?	01:39
boris-42	ayoung if so then I get the same issue	01:40
boris-42	ayoung but it was after 3k iteration not 2k	01:40
ayoung	boris-42, do you have a link? I could tell you if it was actually HTTPD?	01:40
boris-42	ayoung link to what?	01:41
ayoung	the test run	01:41
boris-42	ayoung it was not in gates	01:41
jamielennox	ayoung: if you use the existing client (non-session) it will work - the hack has been installed in the v3 client that if there is a v2.0 ending it will cut it off and replace with a /v3 ending	01:41
ayoung	was it publically accessable? Or, do you still ahve the machine running?	01:41
boris-42	ayoung nope	01:42
boris-42	ayoung I have some issue with VPN	01:42
jamielennox	ayoung: if you use the session there is no endpoint override	01:42
boris-42	so not able to access it =(	01:42
jamielennox	if you need one i can add one but i haven't seen the need as yet	01:42
ayoung	jamielennox, hm...that kindof limits sessions for me	01:42
boris-42	ayoung probably you have a running keystone with httpd?	01:42
jamielennox	if you have a token/endpoint then there is a auth plugin for that	01:42
jamielennox	(desinged for testing and ADMIN_TOKEN etc)	01:42
ayoung	boris-42, not anywhere near a useable state though	01:42
jamielennox	but if you are using the session why are you needing to manually set an endpoint ?	01:43
ayoung	jamielennox, I need to talk to a devstack/packstack setup system using the Federation API	01:43
ayoung	I can	01:43
ayoung	I can't just drop V2.0 off the catalog or other clients will break	01:43
boris-42	ayoung so actually we in rally are trying to make it simple to repeat experiment locally	01:44
boris-42	ayoung so when you have some cloud to test ping me pls=)	01:44
ayoung	boris-42, if you do, capture the logs, and I could tell you if HTTPD is enabled. Or ask morganfainberg_Z when he is next around	01:44
boris-42	https://wiki.openstack.org/wiki/Rally/HowTo so here is the small tutorial	01:45
boris-42	ayoung ^ if you'll be interested	01:45
ayoung	boris-42, what was happening at 2k/3k load?	01:46
boris-42	ayoung it's not load 2k	01:46
boris-42	ayoung it's iteration	01:46
boris-42	ayoung load is constant	01:46
ayoung	whatever...what happens?	01:47
boris-42	ayoung 408 error	01:47
boris-42	ayoung authorization failed timeout	01:47
ayoung	boris-42, is there a mysql problem?	01:47
boris-42	ayoung I am not sure, cause after this benchmark if you re run it (after 5 min) everything will be ok	01:47
ayoung	boris-42, get it reproducible and I'll be happy to help you debug, but right now I am just guessing in the dark	01:48
boris-42	ayoung it's reproducable	01:48
boris-42	ayoung in gates	01:48
jamielennox	ayoung: yep, so my plan would be in v3 auth plugins if the entry in the service catalog ends with /v2.0 then trim that	01:48
ayoung	get it reproduced, then	01:48
boris-42	ayoung I already gave you link=)	01:48
ayoung	jamielennox, so...follow on patch?	01:48
jamielennox	yep	01:48
boris-42	ayoung it's not enough?	01:48
boris-42	ayoung run any amount of recheck no bug here https://review.openstack.org/#/c/90248/	01:49
ayoung	boris-42, I don't have time to run through that. THis is your bailywick. I'm willing to help,	01:49
jamielennox	ayoung: for the purposes you are using it for now the old client method will work for you :)	01:49
boris-42	ayoung lemme explain	01:49
ayoung	gate-rally-python27 passed	01:49
ayoung	33 is going to fail, but we all know that	01:49
boris-42	ayoung ?)	01:49
ayoung	in https://review.openstack.org/#/c/90248/	01:49
boris-42	ayoung check-rally-dsvm-rally is performance in gate	01:49
ayoung	that passsed too	01:50
boris-42	ayoung it runs this benchmark https://review.openstack.org/#/c/90248/8/rally-scenarios/rally.yaml	01:50
boris-42	ayoung sure it passed	01:50
jamielennox	ayoung: wow - did you add a crap load of people to that review?	01:50
ayoung	ok...looking at the keystone log	01:50
boris-42	ayoung cause rally didn't failed	01:50
ayoung	http://logs.openstack.org/48/90248/8/check/check-rally-dsvm-rally/23c0d03/logs/screen-key.txt.gz	01:51
boris-42	ayoung ohhh	01:51
boris-42	ayoung so big file=)	01:51
ayoung	jamielennox, you bret I did...keystone-core + Nathan	01:51
ayoung	and a few other PTLs, too	01:51
jamielennox	ayoung: yea, it was the other pts i was thinking of	01:51
ayoung	boris-42, you said 408, right?	01:51
boris-42	ayoung yep	01:52
boris-42	2014-04-28 01:15:06.768 23810 WARNING keystone.common.wsgi [-] Could not find role, admin.	01:52
boris-42	lol	01:52
boris-42	ayoung http://logs.openstack.org/48/90248/8/check/check-rally-dsvm-rally/23c0d03/console.html	01:53
boris-42	ayoung it's output of rally	01:53
boris-42	ayoung so HTTP 408	01:53
ayoung	boris-42, so this is what I meant by "linlk" before, BTW. I'm happy to help spelunk these	01:53
boris-42	ayoung so if you would like to repeat on your cloud lemme now I can make some 5 min live demo	01:54
boris-42	ayoung to explain how to use rally	01:54
ayoung	Nah, that is OK...I'm trying to find the error in Keystone log	01:54
ayoung	boris-42, I assure you, I don't have the brainpower or time to do that right now	01:55
boris-42	ayoung ?)	01:55
ayoung	boris-42, in the keystone log look for 2014-04-28 01:28:07.331	01:56
*** dims has quit IRC		01:56
boris-42	ayoung hehe	01:56
boris-42	ayoung eventlet crap	01:56
ayoung	that is one stack trace...indicates something died while eventlet was writing	01:56
ayoung	boris-42, I see a bunch of those	01:57
boris-42	ayoung yep I just wrote to find Traceback	01:57
boris-42	ayoung so I hope now you understand better why it's useful to have rally?)	01:58
ayoung	boris-42, to prove that eventlet can't stand up to load?	01:58
ayoung	I didn;t need Rally for that	01:58
boris-42	ayoung actually it's only one case	01:59
boris-42	ayoung I don't think that performance of all other stuff in keystone will handle load	01:59
boris-42	ayoung so we can catch issues	02:00
ayoung	boris-42, that may well be. But I am really only concerned with running it in HTTPD, as I think Eventlet is a dead end. I need numbers forthat	02:00
boris-42	ayoung so when we switch in gates to HTTPD by default	02:00
ayoung	boris-42, ++	02:00
boris-42	ayoung we will be able to benchmark other stuff	02:01
boris-42	=)	02:01
boris-42	ayoung but actually this is serious reason to switch to HTTPD by default	02:01
*** dims has joined #openstack-keystone		02:09
*** gabriel-bezerra has joined #openstack-keystone		02:15
*** bach has joined #openstack-keystone		02:17
*** daneyon has quit IRC		02:18
*** mberlin has joined #openstack-keystone		02:23
*** mberlin1 has quit IRC		02:23
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: V2.0 Hack for auth plugins https://review.openstack.org/90632	02:26
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog https://review.openstack.org/74599	02:26
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions https://review.openstack.org/81146	02:26
jamielennox	ayoung: try the first one of those ^	02:26
jamielennox	let me know if the hack works for your case	02:26
*** gokrokve has quit IRC		02:41
ayoung	jamielennox, will do...about to sign off for the night	02:44
*** zhiyan_ is now known as zhiyan		02:47
*** shakamunyi has joined #openstack-keystone		02:51
*** ayoung has quit IRC		02:54
*** shakamunyi has quit IRC		02:56
*** sbfox has joined #openstack-keystone		03:06
*** ayoung has joined #openstack-keystone		03:09
*** ayoung is now known as ayoung_ZZZ		03:09
*** gokrokve has joined #openstack-keystone		03:11
*** RockKuo_Office has joined #openstack-keystone		03:12
*** gokrokve_ has joined #openstack-keystone		03:14
*** gokrokve has quit IRC		03:16
*** dims has quit IRC		03:17
*** dims has joined #openstack-keystone		03:18
*** gokrokve_ has quit IRC		03:19
*** topol has joined #openstack-keystone		03:21
*** sbfox has quit IRC		03:23
*** Chicago has joined #openstack-keystone		03:29
*** Chicago has joined #openstack-keystone		03:29
*** sbfox has joined #openstack-keystone		03:31
*** shakamunyi has joined #openstack-keystone		03:52
*** topol has quit IRC		03:54
*** shakamunyi has quit IRC		03:57
*** gokrokve has joined #openstack-keystone		04:14
*** gokrokve has quit IRC		04:19
*** shakamunyi has joined #openstack-keystone		04:53
*** shakamunyi has quit IRC		04:57
*** chandan_kumar has joined #openstack-keystone		05:06
*** gokrokve has joined #openstack-keystone		05:07
*** gokrokve has quit IRC		05:10
*** derek_c has quit IRC		05:15
*** zhiyan is now known as zhiyan_		05:26
*** chandan_kumar has quit IRC		05:31
*** zhiyan_ is now known as zhiyan		05:33
*** praneshp has quit IRC		05:41
*** gokrokve has joined #openstack-keystone		05:41
*** chandan_kumar has joined #openstack-keystone		05:42
*** sbfox has quit IRC		05:45
*** gokrokve has quit IRC		05:46
*** shakamunyi has joined #openstack-keystone		05:53
*** tomoiaga1 has joined #openstack-keystone		05:55
openstackgerrit	Sergey Nikitin proposed a change to openstack/keystone: Some methods in ldap were moved to superclass https://review.openstack.org/86250	05:57
*** shakamunyi has quit IRC		05:58
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	06:01
*** bvandenh has joined #openstack-keystone		06:04
*** gokrokve has joined #openstack-keystone		06:14
*** derek_c has joined #openstack-keystone		06:17
*** bach has quit IRC		06:18
*** jaosorior has joined #openstack-keystone		06:18
*** stevemar has joined #openstack-keystone		06:18
*** gokrokve has quit IRC		06:19
*** mberlin has quit IRC		06:21
*** cynosure__ has joined #openstack-keystone		06:23
cynosure__	hi getting error code 401 the strange part is sending a http request and I see the keystone-uri being used is https "'www-authenticate': "Keystone uri='https://127.0.0.1:35357'"" is this normal. I haven't used or configured https anywhere in keystone.conf	06:24
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/identity-api: Remove email as optional query parameter https://review.openstack.org/90652	06:26
*** jamielennox is now known as jamielennox\|away		06:31
*** mberlin has joined #openstack-keystone		06:32
*** stevemar has quit IRC		06:40
*** chandan_kumar has quit IRC		06:46
*** shakamunyi has joined #openstack-keystone		06:54
*** chandan_kumar has joined #openstack-keystone		06:54
*** shakamunyi has quit IRC		06:58
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/identity-api: Remove email as optional query parameter https://review.openstack.org/90656	07:00
jaosorior	please ignore 90652, 90656 is the good one	07:01
*** marekd\|away is now known as marekd		07:12
*** gokrokve has joined #openstack-keystone		07:14
*** gokrokve has quit IRC		07:18
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/identity-api: Fix typo in federation api https://review.openstack.org/90659	07:20
*** leseb has joined #openstack-keystone		07:26
openstackgerrit	Marek Denis proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples. https://review.openstack.org/90121	07:30
*** derek_c has quit IRC		07:49
*** shakamunyi has joined #openstack-keystone		07:55
openstackgerrit	Chmouel Boudjnah proposed a change to openstack/python-keystoneclient: Add test for unicoded path in s3_token mw https://review.openstack.org/90661	08:00
*** shakamunyi has quit IRC		08:00
*** derek_c has joined #openstack-keystone		08:04
*** zhiyan is now known as zhiyan_		08:11
*** gokrokve has joined #openstack-keystone		08:14
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/identity-api: Fix typo in federation api https://review.openstack.org/90659	08:14
*** zhiyan_ is now known as zhiyan		08:16
*** gokrokve has quit IRC		08:19
*** derek_c has quit IRC		08:22
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/identity-api: Fix typo in federation api https://review.openstack.org/90659	08:24
*** morganfainberg_Z is now known as morganfainberg		08:34
*** chandan_kumar has quit IRC		08:46
*** shakamunyi has joined #openstack-keystone		08:56
*** bada has joined #openstack-keystone		09:01
*** shakamunyi has quit IRC		09:01
openstackgerrit	Olga Kopylova proposed a change to openstack/keystone: Pagination for api request to users list https://review.openstack.org/64159	09:03
*** chandan_kumar has joined #openstack-keystone		09:04
*** cynosure__ has quit IRC		09:07
*** gokrokve has joined #openstack-keystone		09:14
*** tomoiaga1 has joined #openstack-keystone		09:19
*** gokrokve has quit IRC		09:19
*** morganfainberg is now known as morganfainberg_Z		09:30
openstackgerrit	Sergey Nikitin proposed a change to openstack/keystone: Cleanup of ldap backends https://review.openstack.org/88517	09:39
*** bvandenh has quit IRC		10:03
*** gokrokve has joined #openstack-keystone		10:14
*** gokrokve has quit IRC		10:18
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618	10:23
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Redundant unique constraint https://review.openstack.org/84447	10:23
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value. https://review.openstack.org/84446	10:23
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Migration DB_INIT_VERSION in common place https://review.openstack.org/88016	10:23
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Sync on-demand database schemas https://review.openstack.org/84448	10:23
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	10:23
*** leseb has quit IRC		10:24
*** chandan_kumar has quit IRC		10:32
*** zhiyan is now known as zhiyan_		10:41
*** andreaf has joined #openstack-keystone		10:47
*** chandan_kumar has joined #openstack-keystone		10:49
*** gokrokve has joined #openstack-keystone		11:14
*** gokrokve has quit IRC		11:18
*** diegows has joined #openstack-keystone		11:18
*** RockKuo_Office has quit IRC		11:27
*** leseb has joined #openstack-keystone		11:56
*** leseb has quit IRC		12:01
*** kun_huang has joined #openstack-keystone		12:05
*** chandan_kumar has quit IRC		12:06
*** gokrokve has joined #openstack-keystone		12:14
*** gokrokve has quit IRC		12:18
*** erecio has joined #openstack-keystone		12:18
*** chandan_kumar has joined #openstack-keystone		12:24
*** leseb has joined #openstack-keystone		12:30
*** andriyk0 has joined #openstack-keystone		12:37
*** rodrigods has joined #openstack-keystone		12:39
*** rodrigods has joined #openstack-keystone		12:39
andriyk0	Hello. I would like to make authentication optional in v3.client.Client. What is the best way to achieve it? Is overriding of 'get_raw_token_from_identity_service' ok?	12:39
*** dims has quit IRC		12:43
*** joesavak has joined #openstack-keystone		12:44
*** dstanek_zzz is now known as dstanek		12:52
*** zhiyan_ is now known as zhiyan		12:56
*** dims has joined #openstack-keystone		12:56
*** ayoung_ZZZ is now known as ayoung		13:10
ayoung	andriyk0, client does not control auth. You need something to pass in a token.	13:10
andriyk0	I want to provide resources that do not require authentication at all	13:12
andriyk0	no username/password, no token	13:12
andriyk0	something like: >>> keystone = client.Client(auth_url='http://127.0.0.1:35357/v3/')	13:13
*** gokrokve has joined #openstack-keystone		13:14
*** gokrokve has quit IRC		13:18
*** Nils__ has joined #openstack-keystone		13:20
Nils__	Hello, when I am using keystone with debian and icehouse release I always get 'No handlers could be found for logger "keystoneclient.httpclient"'. I found a bugreport but it is already cloesed. Any hints what I am doning wrong?	13:22
*** daneyon has joined #openstack-keystone		13:29
*** daneyon has quit IRC		13:29
*** daneyon has joined #openstack-keystone		13:30
Nils__	I would appreciate any help. I am setting up openstack for the first time and my keystone seems to be broken. I can get a token but all other requests result in the error message above. And the requests take very long (40 seconds).	13:38
gabriel-bezerra	ayoung: are you setting up keystone on apache using devstack's APACHE_ENABLED_SERVICES?	13:39
ayoung	gabriel-bezerra, I haven't actually tried that. morganfainberg_Z made that work, but you'll need to ask him about it in couple of hours	13:39
gabriel-bezerra	There is a bug with devstack's code to make it run on ubuntu and as I suppose you use something fedora-like I'd like to hear from you about how to configure apache	13:40
gabriel-bezerra	to see if I can make it the same way on both systems or if I have to put some if-else on the code	13:41
gabriel-bezerra	the problem is that $apache_conf_dir/keystone does not work on ubuntu, it would have to be $apache_conf_dir/keystone.conf	13:42
*** nkinder has quit IRC		13:42
Nils__	also any hint to any documentation that can help is appreciated very much. at the moment I am following http://docs.openstack.org/icehouse/install-guide/install/apt-debian/content/keystone-verify.html but it does not work as expected. And I am not knowing what to do. token-get works but user-list not. But there are entries in my mysql...	13:48
gabriel-bezerra	I tested it by creating a symlink and it worked well	13:49
ayoung	gabriel-bezerra, $apache_conf_dir/ should be /etc/httpd/conf.d	13:49
ayoung	please tell me that exisits on Ubuntu?	13:49
gabriel-bezerra	in ubuntu it is /etc/apache2/sites-available	13:49
ayoung	wait....	13:50
ayoung	$apache_conf_dir/keystone seems to imply it is /etc/keystone/	13:50
*** jsavak has joined #openstack-keystone		13:50
ayoung	there is not straight keystone under apache.	13:50
ayoung	that looks like maybe a typo	13:50
gabriel-bezerra	the problem is: a2ensite only recognises keystone if the file is /etc/apache2/sites-available/keystone.conf	13:50
ayoung	No, I get it	13:50
ayoung	but it should not be $apache_conf_dir/keystone on Fedora, either, I would think	13:51
ayoung	in fact, the conf file is	13:51
ayoung	/etc/httpd/conf.d/wsgi-keystone.conf	13:51
gabriel-bezerra	from devstack's lib/keystone: sudo cp $FILES/apache-keystone.template /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone	13:51
ayoung	should work as .conf for either	13:52
gabriel-bezerra	but in ubuntu it should be: sudo cp $FILES/apache-keystone.template /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone.conf	13:52
ayoung	is there a mkdir for /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone ?	13:52
gabriel-bezerra	no, it is a file	13:52
ayoung	and $FILES/apache-keystone.template /etc/$APACHE_NAME/$APACHE_CONF_DIR/keystone should come from the Keystone config dir	13:52
ayoung	er	13:52
ayoung	keystone git repo	13:52
* ayoung goes to look		13:52
ayoung	ah...all of that ADMIN Port silliness	13:53
dims	ayoung, pet peeve? :)	13:54
*** joesavak has quit IRC		13:54
*** joesavak has joined #openstack-keystone		13:54
ayoung	dims, yes, living with dumb mistakes made before my time that I've worked 2 years to eradicate is a pet peeve of mine	13:55
ayoung	gabriel-bezerra, do you want to do this right, or just make it work?	13:55
*** jsavak has quit IRC		13:55
dims	ayoung, agree with you :)	13:56
gabriel-bezerra	I suppose that copying as _.conf will make it right, won't it?	13:56
gabriel-bezerra	:)	13:56
gabriel-bezerra	I'm trying to deploy a devstack with federated keystone. If it is a quick fix, ok. Otherwise, we register the bug and leave the fix for later.	13:58
openstackgerrit	Dolph Mathews proposed a change to openstack/identity-api: Fix federation mapping rules examples. https://review.openstack.org/90303	13:59
ayoung	gabriel-bezerra, should be ok as a .conf either way	14:00
ayoung	no need for an "if"	14:00
gabriel-bezerra	is the line: "enable_apache_site keystone" going to work on fedora if the filename is keystone.conf	14:01
gabriel-bezerra	on ubuntu it only works with keystone.conf	14:02
gabriel-bezerra	or should we make it: "enable_apache_site keystone.conf" in fedora?	14:02
*** bgorski has joined #openstack-keystone		14:02
bgorski	Hi	14:03
bgorski	I have a question about "ldap + sql in keystone setup (multi-domain)"	14:03
bgorski	Is it already supported?	14:04
bgorski	I saw the BL to revert the multiple-ldap-servers https://blueprints.launchpad.net/keystone/+spec/revert-multiple-ldap-servers"	14:04
gabriel-bezerra	ayoung: I guess I'll need an if. See the way sites are enabled on fedora and on ubuntu in lib/apache	14:05
andreaf	bknudson: ping	14:05
bknudson	andreaf: what's up?	14:06
ayoung	gabriel-bezerra, so be it	14:06
andreaf	bknudson: first thanks for your reviews, I appreciate you taking the time on my tempest patchsets	14:06
gabriel-bezerra	should I file a bug and then a fix or just send the fix for review?	14:07
andreaf	bknudson: one question on a comment on https://review.openstack.org/#/c/81872/9/etc/tempest.conf.sample	14:07
*** thiagop has joined #openstack-keystone		14:07
andreaf	bknudson: the domain I have in there is for both user and project, as the assumption of the project being the same is good enough in tempest for the accounts from the config	14:08
bknudson	andreaf: ok, just make it clear that it's both the user and project domain	14:08
andreaf	bknudson: does this sound ok to you? If so I can include this in the comment	14:08
*** rwsu has joined #openstack-keystone		14:08
andreaf	bknudson: all right thanks	14:08
bknudson	andreaf: yes, if that's good enough for the config. I noticed there's other code that allows setting user and project domain separately.	14:09
andreaf	bknudson: the other question I had, about renaming keystoneV3 to identityv3	14:09
bknudson	andreaf: it really should be identity v3. keystone supports identity v2 and identity v3.	14:10
bknudson	there's no keystone v3	14:10
andreaf	so there are already some keystonev2 things in, so I can do identity v3 and it will look inconsistent for a while and then fix keystone v2 to identity v2 in a later patch	14:11
bknudson	ok... or stick a patch in front that changes keystonev2 to identityv2	14:11
andreaf	bknudson: ok I can do that	14:12
*** andreaf has quit IRC		14:14
*** gokrokve has joined #openstack-keystone		14:14
*** gokrokve has quit IRC		14:19
*** Nils__ has left #openstack-keystone		14:20
*** gokrokve has joined #openstack-keystone		14:22
*** daneyon has quit IRC		14:24
*** daneyon has joined #openstack-keystone		14:24
*** nkinder has joined #openstack-keystone		14:24
*** shakamunyi has joined #openstack-keystone		14:29
*** gokrokve has quit IRC		14:29
*** daneyon has quit IRC		14:29
*** david-lyle has joined #openstack-keystone		14:30
*** david-lyle has quit IRC		14:30
-openstackstatus- NOTICE: Gerrit downtime for upgrade begins in 90 minutes. See: https://wiki.openstack.org/wiki/GerritUpgrade		14:30
*** david-lyle has joined #openstack-keystone		14:30
*** david-lyle has quit IRC		14:31
*** david-lyle has joined #openstack-keystone		14:32
*** stevemar has joined #openstack-keystone		14:42
*** shakamunyi has quit IRC		14:44
marekd	n	14:46
*** tomoiaga1 has left #openstack-keystone		14:52
*** gokrokve has joined #openstack-keystone		14:56
*** andriyk0 has quit IRC		14:57
*** gokrokve has quit IRC		14:57
*** gokrokve has joined #openstack-keystone		14:58
*** gokrokve has quit IRC		14:58
*** sbfox has joined #openstack-keystone		15:01
*** chandan_kumar has quit IRC		15:03
lbragstad	just curious if anyone would be opposed to changing the identity_client in tempest to not default domain_id to 'default'? https://github.com/openstack/tempest/blob/4fa79ad475225dee7548410bfe62aa19af8fd5d0/tempest/services/identity/v3/json/identity_client.py#L104	15:03
*** shakamunyi has joined #openstack-keystone		15:04
lbragstad	it was picked up by the jsonschema validator commit	15:05
openstackgerrit	ayoung proposed a change to openstack/keystone: Ensure token is a string https://review.openstack.org/90476	15:07
gabriel-bezerra	ayoung: please see: https://review.openstack.org/90771	15:08
ayoung	gabriel-bezerra, then add me to the review....	15:08
gabriel-bezerra	done	15:09
ayoung	gabriel-bezerra, you sure it can't be .conf for Fedora?	15:12
*** richm has joined #openstack-keystone		15:12
*** sbfox has quit IRC		15:22
*** sbfox has joined #openstack-keystone		15:28
dstanek	gabriel-bezerra, ayoung: it may be worth looking at lib/horizon to see what they are doing there	15:28
-openstackstatus- NOTICE: Gerrit downtime for upgrade begins in 30 minutes. See: https://wiki.openstack.org/wiki/GerritUpgrade		15:30
*** daneyon has joined #openstack-keystone		15:31
openstackgerrit	Florent Flament proposed a change to openstack/python-keystoneclient: Allow keystone_authtoken middleware to use v3 API https://review.openstack.org/88620	15:39
*** gokrokve has joined #openstack-keystone		15:44
*** sbfox has quit IRC		15:45
*** jamiec has quit IRC		15:45
dstanek	anyone know how long gerrit will be down?	15:46
*** sbfox has joined #openstack-keystone		15:48
*** gokrokve has quit IRC		15:48
*** gyee has joined #openstack-keystone		15:54
*** sbfox has quit IRC		15:55
*** browne has joined #openstack-keystone		15:56
*** jamiec has joined #openstack-keystone		15:58
marekd	dstanek: quoting the e-mail from ml thread: "We would like to advise that you can expect a couple hours of downtime	16:00
marekd	followed by several more hours of automated systems not quite working	16:00
marekd	as expected."	16:00
marekd	dstanek: they also mentioned that it's a suggested off-week :-)	16:01
dstanek	marekd: ha, i guess it's a good time to catch up on background reading for the summit	16:01
marekd	dstanek: i think so :-)	16:02
marekd	dstanek: btw anything worth looking at, that's not super obvious? :-)	16:02
*** sbfox has joined #openstack-keystone		16:03
dstanek	marekd: not that i know of - in addition to the blueprints and linked docs i've been reading up on stevedor and other libraries that we seem to be moving toward	16:03
gabriel-bezerra	ayoung: dstanek: it is used as a way of enabling/disabling sites. see lib/apache	16:04
ayoung	gabriel-bezerra, not just enabling/disabling, though, according to what I have on my F20 box	16:05
gabriel-bezerra	enable_apache_site	16:05
*** marcoemorais has joined #openstack-keystone		16:05
marekd	dstanek: i am not following all the library changes so maybe you could name some more libs apart from stevedor (which by the way I knew about)- i guess it'd be a good time for me as well to catch up a little bit :(	16:06
gabriel-bezerra	see devstack/lib/apache on function enable_apache_site	16:06
ayoung	stevemar, don't wew need a protocol plugin for Federation on the client side? Is there a review missing?	16:07
ayoung	found it	16:07
ayoung	https://review.openstack.org/#/c/83829/	16:07
dstanek	marekd: i want to be familiar with pecan/wsme and tulip/trollious because i think they have competing goals and i'm anticipating some discussion	16:08
dstanek	marekd: i'm also very interested in OSC and RESTful-ness of our server APIs	16:08
*** marcoemorais has quit IRC		16:09
marekd	dstanek: oh, nice!	16:10
marekd	ayoung: https://review.openstack.org/#/c/83829/ -> thanks	16:10
ayoung	marekd, yeah, that needs to go in. Federation is kindof lost without it. Also, please review jamielennox's patches for versionless discovery	16:10
ayoung	without that, v3 on v2 services is DOA	16:11
*** marcoemorais has joined #openstack-keystone		16:11
therve	dstanek, You really need to get familiar if you think they have competing goals :)	16:11
marekd	ayoung: DOA?	16:11
ayoung	Dead On Arrival	16:11
marekd	ayoung: links for jamielennox\|away's patches?	16:11
marekd	ayoung: ok	16:11
*** jaosorior has quit IRC		16:11
ayoung	https://review.openstack.org/#/c/90632/ and the two prior to it in the chain	16:12
ayoung	marekd, ^^	16:12
marekd	ayoung: thanks.	16:12
ayoung	marekd, here's the deal	16:12
ayoung	we need to support /v2.0 in the service catalog due to older clients	16:12
ayoung	but we need to be able to make a v3 call alongside a v2.0	16:12
dstanek	therve: goals may not be the right word - maybe competing ways to get to the same goals	16:12
therve	dstanek, They don't operate at the same level really.	16:13
ayoung	and that means we need to tunr a blind eye to what the service catalog actually returns, and let discovery work despite the fact that it got a /v2.0 in the url	16:13
*** sbfox has quit IRC		16:13
dstanek	therve: when i glanced at the wsme docs it looks like it would not be friendly to a callback, async framework and more like how we work with eventlet today	16:14
dstanek	therve: is that not the case?	16:14
marekd	ayoung: but isn't the v2 going to be deprecated quite soon?	16:14
ayoung	marekd, deprecated does not mean gone	16:15
ayoung	we have to support the API for 2 releases after it is deprecated, and thje older clients for at least that long, too	16:15
marekd	ayoung: how many features do we have with v3 only? oauth, federation...what else?	16:15
therve	dstanek, I think it'd be easier for wsme than pecan. Also those handle HTTP calls, but tulip is really about the lower level. It's not impossible to imagine pecan on top of tulip, I think.	16:15
ayoung	Domains	16:15
marekd	ayoung: yeah, right	16:16
ayoung	:)	16:16
ayoung	Revocation events	16:16
marekd	basically everything that landed in Icehouse :-)	16:16
dstanek	therve: my understanding of tulip is that the programming model is more like twisted; so the developer/framework needs to be aware	16:18
therve	dstanek, Sure, you're right. Nothing prevents you from doing wsgi on top of it though.	16:18
dstanek	therve: our code right now can be unaware that it will be called asynchronously	16:18
*** packet has joined #openstack-keystone		16:18
openstackgerrit	A change was merged to openstack/identity-api: Fix federation mapping rules examples. https://review.openstack.org/90303	16:18
marekd	yay ^^	16:19
dstanek	therve: right, but i don't know how wsme would work on top of it because it has a different programming model, from what i understand	16:19
dhellmann	we're only using the parts of wsme that do (de)serialization and validation, would the event loop interfere with that?	16:20
dstanek	dhellmann: likely not; is that all the projects intend to use?	16:21
dhellmann	dstanek: yes, from wsme	16:21
dstanek	dhellmann: and what about pecan?	16:21
dhellmann	pecan does the wsgi and routing stuff	16:21
dstanek	does it use an eventloop based programming model?	16:21
dhellmann	it does not, itself	16:22
dhellmann	I think it should be ok, but can get that clarified	16:22
dstanek	dhellmann: this is part of what i wanted to research before the summit	16:22
*** ryanpetrello has joined #openstack-keystone		16:22
dhellmann	dstanek: ryanpetrello should have more insight than I do about how pecan will work with eventlet or tulip	16:23
dstanek	dhellmann: i don't see why moving to pecan/wsme is any better than what we've been doing with routes and jsonschema	16:23
dhellmann	jsonschema wasn't around when I proposed wsme over a year ago (at least not as prevalent, if it existed at all); and pecan is better than the home-grown wsgi stack in nova	16:24
ayoung	marekd, you are going to like what I am working on, then.	16:24
ayoung	I am doing some API script examples for Federation	16:24
marekd	ayoung: https://github.com/zaccone/keystone-federation/tree/setup_infra/requests	16:25
ryanpetrello	I can’t really speak to pecan + tulip	16:26
ryanpetrello	but I have used pecan + eventlet before	16:26
ryanpetrello	the only area of concern is the use of threadlocals in pecan, though `eventlet.monkey_patch` should properly patch the thread ident stuff to use greenthread idents instead	16:27
dhellmann	we also have some locals stuff in oslo to work around that, iirc	16:27
ryanpetrello	also, re pecan/wsme vs routes/jsonschema, I’ve used routes in years past, and it is a solution that works	16:28
ryanpetrello	I can only speak anecdotally here (and obviously, I’m a bit biased, being an author and user of pecan)	16:28
ryanpetrello	some of the niceties that come w/ pecan in terms of generating a RESTful API are really nice-to-haves that you’d otherwise build on top of routes	16:29
marekd	ayoung: you're working on examples for something like a blog post or a real scripts - kinda cli equivalent?	16:29
dstanek	dhellmann, ryanpetrello: i really want to get rid of eventlet so maybe it's possible to rework pecan slightly for tulip	16:33
dstanek	assuming that's even needed	16:33
ryanpetrello	dstanek: agreed on both of those comments	16:33
dstanek	i've not had a ton of time to read up on the docs or to test it all out yet	16:33
dhellmann	dstanek: yep, that is another goal for moving off of our home-grown thing	16:34
*** marekd is now known as marekd\|afk		16:34
dhellmann	although it's not clear that tulip is necessarily better than a robust wsgi container/server	16:34
dhellmann	we don't recommend deploying pecan "bare"	16:34
dstanek	dhellmann: depends on the IO model of the service	16:35
dhellmann	dstanek: sure	16:35
dstanek	i've had a lot of luck depoying multiple processes with gunicorn where each process performed async IO	16:35
dstanek	that gave us lots of concurrency with a way to spread out some CPU specific load across cores	16:36
-openstackstatus- NOTICE: Gerrit is unavailable until further notice for a major upgrade. See: https://wiki.openstack.org/wiki/GerritUpgrade		16:36
*** ChanServ changes topic to "Gerrit is unavailable until further notice for a major upgrade. See: https://wiki.openstack.org/wiki/GerritUpgrade"		16:36
ayoung	marekd\|afk, http://fpaste.org/97513/98702972/	16:36
ryanpetrello	dstanek: in any event, an exploration related to tulip is going to be the same for Routes or pecan	16:38
ryanpetrello	and as you’ll find, pecan is probably just 90% webob with glue	16:38
dstanek	ryanpetrello: yep agreed (about the investigation)	16:39
*** topol has joined #openstack-keystone		16:41
*** topol_ has joined #openstack-keystone		16:42
*** gokrokve has joined #openstack-keystone		16:44
*** bach has joined #openstack-keystone		16:44
*** shakamunyi has quit IRC		16:46
*** topol has quit IRC		16:46
*** topol_ is now known as topol		16:46
*** bach_ has joined #openstack-keystone		16:46
*** kun_huang has quit IRC		16:47
*** bach has quit IRC		16:49
*** gokrokve has quit IRC		16:49
*** bach_ has quit IRC		16:52
*** marekd-mobile has joined #openstack-keystone		16:54
*** harlowja_away is now known as harlowja		17:00
*** ThomasCrowe1 has joined #openstack-keystone		17:00
*** bach has joined #openstack-keystone		17:05
*** shakamunyi has joined #openstack-keystone		17:13
*** bach has quit IRC		17:13
mfisch	Is there a grammatical reason that many of the error messages end with a period? it makes copying and pasting ids annoying. Besides many are not complete sentences.	17:13
mfisch	For example: "Could not find trust, %(trust_id)s."	17:13
ayoung	marekd\|afk, https://github.com/admiyo/python-keystoneclient/commits/federation_script	17:18
*** zhiyan is now known as zhiyan_		17:19
*** daneyon has quit IRC		17:20
*** daneyon has joined #openstack-keystone		17:21
*** marekd-mobile has quit IRC		17:22
*** marekd-mobile has joined #openstack-keystone		17:22
*** sbfox has joined #openstack-keystone		17:23
*** gokrokve has joined #openstack-keystone		17:24
*** praneshp has joined #openstack-keystone		17:24
*** topol has quit IRC		17:26
*** chandan_kumar has joined #openstack-keystone		17:26
*** gokrokve has quit IRC		17:29
*** bgorski has quit IRC		17:30
*** amcrn has joined #openstack-keystone		17:32
*** thedodd has joined #openstack-keystone		17:32
*** shakamunyi has quit IRC		17:35
*** marekd-mobile has quit IRC		17:37
*** morganfainberg_Z is now known as morganfainberg		17:48
morganfainberg	ayoung, didn't get a chance to post the gate jobs... will be doing that today i hope	17:49
*** daneyon has quit IRC		17:49
ayoung	morganfainberg, no rush	17:49
morganfainberg	ayoung, sunday dinner then oncall got in the way.	17:50
ayoung	Oooh.	17:50
morganfainberg	ayoung, yeah just was trying to get them up before this week.	17:50
*** daneyon has joined #openstack-keystone		17:50
morganfainberg	meh, we'll get them up this week :)	17:50
* morganfainberg drinks coffee.		17:50
* morganfainberg drinks lots of coffee		17:51
*** daneyon has quit IRC		17:52
ayoung	morganfainberg, my wife just told me that she read drinking coffee reduces the risk of type 2 diabeetus. Drink up	17:55
ayoung	and with that...I'm off to pick up my car.	17:55
*** ayoung is now known as ayoung_rrrrmmm		17:55
*** marcoemorais has quit IRC		18:00
morganfainberg	ayoung_rrrrmmm, hehe	18:00
*** packet has quit IRC		18:00
*** packet has joined #openstack-keystone		18:01
*** marcoemorais has joined #openstack-keystone		18:02
*** thedodd has quit IRC		18:13
*** gokrokve has joined #openstack-keystone		18:14
*** gokrokve has quit IRC		18:19
*** ryanpetrello has left #openstack-keystone		18:22
*** thedodd has joined #openstack-keystone		18:23
*** doddstack has joined #openstack-keystone		18:26
*** thedodd has quit IRC		18:28
*** marcoemorais has quit IRC		18:29
*** marcoemorais has joined #openstack-keystone		18:31
*** ayoung_rrrrmmm is now known as ayoung		18:32
*** browne1 has joined #openstack-keystone		18:57
*** praneshp has quit IRC		18:59
*** browne has quit IRC		19:00
*** praneshp has joined #openstack-keystone		19:03
*** openstackgerrit has quit IRC		19:04
*** bach has joined #openstack-keystone		19:06
*** leseb has quit IRC		19:08
*** gokrokve has joined #openstack-keystone		19:14
*** gokrokve has quit IRC		19:19
*** daneyon has joined #openstack-keystone		19:31
*** ChanServ changes topic to "Open discussion."		19:31
-openstackstatus- NOTICE: Gerrit upgrade to 2.8 complete. See: https://wiki.openstack.org/wiki/GerritUpgrade Some cleanup tasks still ongoing; join #openstack-infra if you have any questions.		19:31
*** sbfox has quit IRC		19:36
*** derek_c has joined #openstack-keystone		19:36
*** sbfox has joined #openstack-keystone		19:40
*** chandan_kumar has quit IRC		19:40
stevemar	ayoung, i don't know what the current state of your fix for 'token is string' is, but i think you were using six.string_type ?	19:52
stevemar	ayoung, i'm not sure that would work, as that would return true if it's str or unicode, i think https://pythonhosted.org/six/#six.string_types	19:52
ayoung	stevemar, hmmmm,	19:53
*** leseb has joined #openstack-keystone		19:53
ayoung	stevemar, you are correct. We are going to need to figure out the whole unicode to mod_wsgi thing for python33 separately.	19:54
bknudson	dolphm: are you thinking of another keystoneclient release soon?	19:55
ayoung	stevemar, if I read the six docs correctly, there is no way to do str().	19:55
ayoung	bknudson, I really want compressed and revoke api in there before we release	19:55
morganfainberg	ayoung, bytes()	19:55
ayoung	morganfainberg, I don;t think so	19:55
bknudson	ayoung: that sounds reasonable	19:55
ayoung	morganfainberg, bytes is binary, but the wsgi spec I think forces headers to be ascii	19:56
stevemar	bknudson, ayoung i wouldn't mind the oauth stuff in there either, need to make sure i don't break the gate again :\	19:56
morganfainberg	ayoung, not ascii, byte_str	19:56
morganfainberg	ayoung, iirc that was the error	19:56
ayoung	the fact that unicode when encoded using 'ascii' didn't work	19:56
morganfainberg	and i _think_ bytes() is equiv to byte_str	19:57
morganfainberg	well byte_str if you have characters in it	19:57
dolphm	bknudson: i wasn't expecting one, why?	19:57
dolphm	bknudson: maybe one before around the conference to ship token compression?	19:57
*** bach has quit IRC		19:58
bknudson	dolphm: we've added some new things, but I'm fine with waiting	19:58
ayoung	"TypeError: expected byte string object for header value, "	19:58
ayoung	morganfainberg, https://bugs.launchpad.net/python-keystoneclient/+bug/1312971	19:58
uvirtbot	Launchpad bug 1312971 in python-keystoneclient "mod_wsgi exception processing UTF-8 Header" [High,Triaged]	19:58
morganfainberg	ayoung, i think if you use bytes() in py33 with string data it's a byte string (c string) underlying	20:00
morganfainberg	oh thats cool. being able to edit commit messages in the gerrit web interface	20:03
*** gokrokve has joined #openstack-keystone		20:14
*** gokrokve_ has joined #openstack-keystone		20:16
*** shakamunyi has joined #openstack-keystone		20:17
ayoung	Oooh	20:17
bknudson	morganfainberg: wide enough commit message?	20:18
morganfainberg	bknudson, yeah found out it doesn't line-wrap	20:18
morganfainberg	:P{	20:18
morganfainberg	bknudson, but was easy to fix	20:18
morganfainberg	waaaay better than needing to upload a new changeset to add bp etc	20:18
*** gokrokve has quit IRC		20:19
*** sbfox has quit IRC		20:19
ayoung	https://review.openstack.org/#/c/71181/ compression should be ready...made all changes suggested to date dolphm	20:19
bknudson	"Submit TypeMerge if Necessary" ? wonder what that means	20:19
ayoung	morganfainberg, +++	20:20
*** gokrokve_ has quit IRC		20:20
ayoung	hmmm....what is the mapping rule comparable to external.DefaultDomain?	20:21
*** bach has joined #openstack-keystone		20:22
morganfainberg	ayoung, bknudson https://review.openstack.org/#/c/90812/	20:37
morganfainberg	changes to devstack-gate so we can configure mod_wsgi based services	20:37
ayoung	++++++++++++++++++++++++++++++++++++++++++++++++++++++++	20:38
*** sbfox has joined #openstack-keystone		20:39
morganfainberg	running a devstack now to see if i need to do anything crazy to make this all happy, but i ... think this is going to be an easy couple patches (minus bikeshedding)	20:39
*** bach has quit IRC		20:51
ayoung	morganfainberg, you doing thius on Ubuntu, right?	20:53
*** erecio has quit IRC		20:53
*** marcoemorais has quit IRC		20:54
*** marcoemorais has joined #openstack-keystone		20:56
morganfainberg	ayoung, yes, but i'll also try it on fedora	20:57
morganfainberg	ayoung, ubuntu to start (since thats the gate jobs)	20:58
ayoung	morganfainberg, did you see this: https://review.openstack.org/#/c/90771/	20:58
morganfainberg	ah	20:59
morganfainberg	heh	20:59
morganfainberg	hadn't seen that one	20:59
morganfainberg	good to know	20:59
morganfainberg	i think that is wronfg	20:59
morganfainberg	in fact.. i'm almost sure that is wrong	20:59
morganfainberg	ayoung, i'll let you know if it works, but i am almost sure a2ensite etc doesn't care about .conf	21:03
ayoung	morganfainberg, that was my reaction as well	21:04
ayoung	but...why not .conf?	21:04
morganfainberg	ayoung no reason to block it	21:04
morganfainberg	ayoung, i mean, .conf is an accepted practice for apache configs	21:04
morganfainberg	ayoung, just the reasoning seems off.	21:05
*** joesavak has quit IRC		21:12
*** gokrokve has joined #openstack-keystone		21:14
*** sbfox has quit IRC		21:15
*** derek_c has quit IRC		21:16
*** gokrokve has quit IRC		21:19
*** leseb has quit IRC		21:21
ayoung	morganfainberg, but .conf should be acceptable fro both Fedora and Ubuntu	21:23
ayoung	never worked with a2ensite	21:23
*** bach has joined #openstack-keystone		21:27
*** bach has quit IRC		21:30
*** maelfius has joined #openstack-keystone		21:32
*** morganfainberg has quit IRC		21:33
*** maelfius is now known as morganfainberg		21:33
*** bach has joined #openstack-keystone		21:34
*** dstanek is now known as dstanek_zzz		21:34
*** dstanek_zzz is now known as dstanek		21:36
*** sbfox has joined #openstack-keystone		21:42
*** derek_c has joined #openstack-keystone		21:47
*** stevemar has quit IRC		21:47
*** stevemar has joined #openstack-keystone		21:48
*** openstackgerrit has joined #openstack-keystone		21:53
morganfainberg	ayoung, yeah just did the standup w/ keystone under apache	22:01
morganfainberg	looks like it works	22:01
morganfainberg	now... i'm going to need to fix the logging when under apache	22:01
morganfainberg	but, all in all, it's looking good	22:01
*** packet has quit IRC		22:04
*** packet has joined #openstack-keystone		22:05
*** derek_c has quit IRC		22:06
*** dims has quit IRC		22:09
*** nkinder has quit IRC		22:12
bknudson	there's now a "add comment" button at the bottom so it's easier to add the recheck comment.	22:13
*** gokrokve has joined #openstack-keystone		22:14
stevemar	i like the autocomplete in the search box	22:16
stevemar	i guess all WIP stuff is automatically -1'ed for the Workflow value	22:18
*** gokrokve has quit IRC		22:19
bknudson	label:Code-Review=2 -- used to be CodeReview	22:19
morganfainberg	stevemar, yeah	22:22
ayoung	Ok, so with mod_identity_lookup and sssd, I get two env vars set: REMOTE_USER for the Kerberos principal ID, and REMOTE_GROUPS, which is a list of groups, separated by colons (:) What mapping should I use? stevemar marekd\|afk ?	22:23
bknudson	looks like we can W-1 other people's changes.	22:23
stevemar	New "My -> Draft Comments", apparently I forget to actually publish my comments quite often	22:24
*** sbfox has quit IRC		22:24
stevemar	ayoung, REMOTE_GROUPS	22:24
stevemar	they should be separated by semi-colons	22:24
ayoung	stevemar, well they are not	22:26
ayoung	they are separated by colons and thats the way I LIKES EM!	22:26
morganfainberg	bknudson, cores can	22:26
morganfainberg	bknudson, but they can't clear the -1 w/o a new patchset.	22:26
morganfainberg	bknudson, there is likely going to be arguments on if we should be allowed to do that [someone was already asking about not letting anyone but the author -1 WIP]	22:27
morganfainberg	stevemar and if you want to see a trainwreck of a UI... look at the "new screen"	22:27
morganfainberg	vs. the old screen :P	22:27
ayoung	stevemar, does it make a difference?	22:27
*** dstanek is now known as dstanek_zzz		22:28
stevemar	ayoung, i don't think the mapping rule engine would work on colons, only semi-colons	22:30
stevemar	ayoung, https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L196..L200	22:30
stevemar	morganfainberg, the jenkins results need the color coding back	22:31
*** topol has joined #openstack-keystone		22:31
*** topol_ has joined #openstack-keystone		22:32
morganfainberg	stevemar, there are issues w/ the new stuff for sure	22:35
stevemar	topol, are you up or down?	22:35
stevemar	morganfainberg, of course, just commenting on it	22:35
morganfainberg	stevemar, http://etherpad.wikimedia.org/p/new-gerrit-change-view-comments	22:36
morganfainberg	oh wait no thats specific for the "new" screen	22:36
morganfainberg	not issues w/ the "default"	22:36
*** topol has quit IRC		22:36
*** dims has joined #openstack-keystone		22:36
stevemar	ahhh	22:36
*** topol_ is now known as topol		22:37
morganfainberg	stevemar, didn't think the gerrit UI could get worse did ya? :P	22:38
stevemar	morganfainberg, meh, it's still cool	22:38
*** bach has quit IRC		22:42
stevemar	alright, editing the commit msg from the web UI is super cool	22:43
morganfainberg	ayoung, minor update based upon sdague's preference, and thinking it over, i agree (we can make keystone default to using apache in the future, but it would be nice to test all services under apache with a toggle)	22:45
morganfainberg	https://review.openstack.org/#/c/90812	22:45
*** bach has joined #openstack-keystone		22:45
*** topol has quit IRC		22:49
*** dstanek_zzz is now known as dstanek		22:50
*** bach has quit IRC		22:54
*** browne1 has quit IRC		22:58
ayoung	stevemar, so what you are telling me is that a mapping needs a "separator_char" field	23:01
*** ayoung is now known as ayoung_DadMode		23:01
*** derek_c has joined #openstack-keystone		23:03
*** browne has joined #openstack-keystone		23:06
*** bach has joined #openstack-keystone		23:13
*** gokrokve has joined #openstack-keystone		23:14
*** bach has quit IRC		23:17
*** packet has quit IRC		23:18
*** gokrokve has quit IRC		23:19
*** david-lyle has quit IRC		23:22
stevemar	ayoung_DadMode, i think it might need another option for the env variable that contains the info, like REMOTE_GROUPS or ... whatever	23:33
*** sbfox has joined #openstack-keystone		23:34
openstackgerrit	A change was merged to openstack/identity-api: Fix typo: Endoint -> Endpoint https://review.openstack.org/90584	23:35
*** praneshp has quit IRC		23:35
*** sbfox has quit IRC		23:47
*** jamielennox\|away is now known as jamielennox		23:49
*** sbfox has joined #openstack-keystone		23:52
*** praneshp has joined #openstack-keystone		23:54
*** sbfox has quit IRC		23:55
*** ayoung_DadMode is now known as ayoung_		23:56
*** ayoung_ is now known as ayoung		23:56
ayoung	stevemar, we should be able to split up any random string based on a token, no?	23:57
ayoung	er...token might be a bad choice of words there	23:57
jamielennox	morganfainberg: see also: https://review.openstack.org/#/c/90631/2	23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!