Monday, 2014-06-09

*** nsquare has joined #openstack-keystone00:23
*** diegows has quit IRC00:23
*** bearhands is now known as comstud00:29
*** hrybacki has joined #openstack-keystone00:42
*** rodrigods has quit IRC00:44
*** diegows has joined #openstack-keystone00:56
*** xianghui has joined #openstack-keystone01:03
*** Chicago has joined #openstack-keystone01:05
*** Chicago has joined #openstack-keystone01:05
*** xianghui has quit IRC01:09
*** mberlin1 has joined #openstack-keystone01:12
*** xianghui has joined #openstack-keystone01:12
*** mberlin has quit IRC01:14
*** diegows has quit IRC01:26
openstackgerritA change was merged to openstack/keystone: Code which gets and deletes elements of tree was moved to one method
*** sbfox has joined #openstack-keystone02:09
*** hrybacki has quit IRC02:18
*** stevemar has joined #openstack-keystone02:27
*** dstanek is now known as dstanek_zzz02:27
*** xianghui has quit IRC02:28
*** dstanek_zzz is now known as dstanek02:29
*** mgagne1 is now known as mgagne02:30
*** zhiyan_ is now known as zhiyan02:35
*** xianghui has joined #openstack-keystone02:41
*** dstanek is now known as dstanek_zzz02:54
*** gokrokve has joined #openstack-keystone02:59
*** lbragstad has joined #openstack-keystone03:07
*** Abhijeet has joined #openstack-keystone03:08
*** dstanek_zzz is now known as dstanek03:16
*** dstanek is now known as dstanek_zzz03:26
*** gokrokve has quit IRC03:38
*** gokrokve has joined #openstack-keystone03:39
*** gokrokve has quit IRC03:43
*** dstanek_zzz is now known as dstanek03:55
*** praneshp has quit IRC04:42
*** xianghui has quit IRC04:42
*** praneshp has joined #openstack-keystone04:42
*** sbfox has quit IRC04:45
*** xianghui has joined #openstack-keystone04:49
*** lbragstad has quit IRC05:01
*** sbfox has joined #openstack-keystone05:03
*** zhiyan is now known as zhiyan_05:04
*** gokrokve has joined #openstack-keystone05:27
*** henrynash has joined #openstack-keystone05:30
*** gokrokve has quit IRC05:33
*** gokrokve has joined #openstack-keystone05:46
*** ajayaa has joined #openstack-keystone05:55
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** sbfox has quit IRC06:06
*** zhiyan_ is now known as zhiyan06:08
*** dstanek is now known as dstanek_zzz06:24
*** gokrokve has quit IRC06:24
*** gokrokve has joined #openstack-keystone06:25
*** gokrokve has quit IRC06:29
*** henrynash has quit IRC06:42
*** henrynash has joined #openstack-keystone06:44
*** dstanek_zzz is now known as dstanek06:46
*** ukalifon has joined #openstack-keystone06:53
*** gokrokve has joined #openstack-keystone06:57
*** gokrokve has quit IRC07:02
*** dstanek is now known as dstanek_zzz07:02
*** stevemar has quit IRC07:07
*** jaosorior has joined #openstack-keystone07:14
*** nsquare has quit IRC07:24
*** amerine has joined #openstack-keystone07:38
*** gokrokve has joined #openstack-keystone07:57
openstackgerrithenry-nash proposed a change to openstack/keystone: multi-backend support for identity
*** gokrokve has quit IRC08:02
*** openstackgerrit has quit IRC08:02
*** openstackgerrit has joined #openstack-keystone08:06
*** praneshp has quit IRC08:09
*** anteaya has quit IRC08:10
*** andreaf has joined #openstack-keystone08:16
*** kun_huang has joined #openstack-keystone08:20
*** radez_g0n3 has quit IRC08:31
*** Chicago has quit IRC08:31
*** radez_g0n3 has joined #openstack-keystone08:32
*** Chicago has joined #openstack-keystone08:32
*** Chicago has joined #openstack-keystone08:32
*** Abhijeet has quit IRC08:50
*** marekd|away is now known as marekd08:53
*** dstanek_zzz is now known as dstanek08:54
*** Fredrik has joined #openstack-keystone09:00
*** Fredrik is now known as Guest3676409:00
*** kun_huang has quit IRC09:04
*** henrynash has quit IRC09:04
*** dstanek is now known as dstanek_zzz09:04
*** Chicago has quit IRC09:21
*** gokrokve has joined #openstack-keystone09:27
*** gokrokve has quit IRC09:32
*** kun_huang has joined #openstack-keystone09:33
*** schofiel- has joined #openstack-keystone09:37
*** erecio has quit IRC09:42
*** schofield has quit IRC09:42
*** schofiel- is now known as schofield09:42
*** erecio has joined #openstack-keystone09:43
*** rodrigods has joined #openstack-keystone09:50
*** dstanek_zzz is now known as dstanek09:55
*** kun_huang has quit IRC09:58
Guest36764Hi, I've been following to try to run keystone via apache.  I have a keystone that is up and running, shut it down and include wsgi config to apache (according to website, have removed SSL part of config) but I only get issue (ends with)  "AttributeError: 'module' object has no attribute 'ismodule'"   from the    Anyone that can prov10:03
*** dstanek is now known as dstanek_zzz10:05
openstackgerritA change was merged to openstack/keystone: Remove obsolete note from ldap
*** kun_huang has joined #openstack-keystone10:09
*** anteaya has joined #openstack-keystone10:11
*** zhiyan is now known as zhiyan_10:17
*** kun_huang has quit IRC10:22
*** gokrokve has joined #openstack-keystone10:27
*** gokrokve has quit IRC10:31
*** dstanek_zzz is now known as dstanek10:56
*** rodrigods has quit IRC10:57
*** kun_huang has joined #openstack-keystone11:03
*** dstanek is now known as dstanek_zzz11:06
*** rodrigods has joined #openstack-keystone11:17
*** diegows has joined #openstack-keystone11:20
*** kun_huang has quit IRC11:20
*** rodrigods has quit IRC11:27
*** gokrokve has joined #openstack-keystone11:27
*** gokrokve has quit IRC11:32
Guest36764Hi, I've been following to try to run keystone via apache.  Seems to start OK but request towards it produces error ( anyone that can provide suggestion on how to solve?11:44
*** dstanek_zzz is now known as dstanek11:57
*** henrynash has joined #openstack-keystone12:05
*** dstanek is now known as dstanek_zzz12:07
*** erecio has quit IRC12:08
*** topol has joined #openstack-keystone12:10
*** gokrokve has joined #openstack-keystone12:27
*** rodrigods has joined #openstack-keystone12:28
*** rodrigods has joined #openstack-keystone12:28
*** gokrokve has quit IRC12:31
*** erecio has joined #openstack-keystone12:35
*** hrybacki has joined #openstack-keystone12:38
*** gordc has joined #openstack-keystone12:48
*** dstanek_zzz is now known as dstanek12:54
ajayaaHi, what is a policy and what is its use?13:00
*** hrybacki_ has joined #openstack-keystone13:00
ajayaafor e.g.
*** ericvw has joined #openstack-keystone13:03
*** dstanek is now known as dstanek_zzz13:05
hrybackiHas anyone else been failing oauth tox tests for python-keystone tests?13:11
*** nkinder has quit IRC13:11
marekdhrybacki: probably everybody.13:11
uvirtbotLaunchpad bug 1327430 in python-keystoneclient "get_oauth_params() missing 1 required positional argument: 'request'" [Undecided,In progress]13:11
*** vhoward has joined #openstack-keystone13:12
marekdthanks bknudson  i didn't know the bugid.13:12
hrybackiSo I thought if I downgraded to 0.6.0 (what's in the requirements file) they would run but it didn't work either. Any thoughts? Is there a way I can run all the tests and skip the oauth ones?13:13
bknudsonit worked for me to downgrade to the prev release13:13
bknudsonif it doesn't work with 0.6.0 then that would be a bug too13:14
hrybackibknudson: nods, I'll try 0.6.113:14
bknudson.tox/py27/bin/pip install "oauthlib<0.6.2"13:14
hrybackitox uses its own requirements file?13:16
hrybackior I should say maintains its own set of dependencies and installs them in its own venv13:17
bknudsonthere's a requirements.txt and test-requirements.txt13:17
hrybackiah, oauthlib>=0.613:18
hrybackithank you!13:19
*** gokrokve has joined #openstack-keystone13:27
*** ukalifon has quit IRC13:27
*** ukalifon has joined #openstack-keystone13:29
*** gokrokve has quit IRC13:32
ajayaahenrynash, ping!13:34
henrynashajayya: hi13:34
henrynashajayaa: hi13:36
ajayaahenrynash: hi. in, I don't understand why multiple calls to _set_policy doesn't work properly.13:37
uvirtbotLaunchpad bug 1271273 in keystone "Policy testing checks could be simplified in test_v3_filters" [Wishlist,Triaged]13:37
henrynashajayaa: good question, I’ll have to try and reload that backup tape to my brain to remember myself13:38
ayoung  henrynash I'm going to suggest that we declare victory on this, and that we agree any future changes can be submitted as updates to the spec13:38
ajayaahenrynash, please restore the backup for a while. :)13:38
ayoungwe need to be able to approve things in this team:  we seem to be a bit trigger shy13:39
henrynashayoung: ++13:39
ayounghenrynash, have you tested your code against LDAP + something else?13:39
ajayaahenrynash, I could use a +1 from you in :)13:39
henrynashajayaa: I don’t think I ever actually worked out why it failed when called repeatable….13:39
henrynashayoung: So there is a test case that uses some LDAP domains and some SQL domains13:40
ayounghenrynash, Live, or just FakeLDAP?13:40
henrynashayoung: so that just uses fake13:40
ayounghenrynash, have you tested it live?  Can we claim we have a solution for Read only LDAP with service users in SQL?13:41
henrynashayoung: i think what we really want is a tempest test for this...13:41
henrynashayoung: I did test that earlier….I’ll run another test and confirm the results13:41
henrynashayoung: (Live LDAP + sql for default domain)13:42
ayounghenrynash, So long as it was run at some point13:42
ayounghrybacki, send me what you got.13:42
ayounghenrynash, so your original plan was for service users to be in the default domain and LDAP in a specific one.  But even if we reverse that, we are going to have to make sure V3 works somewhere that it is not currently used13:44
ayoungHorizon doesn't ask for domain yet, does it?13:44
henrynashayoung: I’m not sure it does13:44
henrynashayoung: but to your earlier point, yes, I imagined the default domain contains service users, and a separate domain(s) point at LDAP….13:46
ayounghenrynash, if we reverse that, it means the only place we need to fix to get things working is auth_token middleware13:47
ayounghenrynash, if we let AD handle the default domain, users can happily log in13:47
henrynashayoung: OK, yes, I see the idea13:47
ayoungthen the remote services just need to know Domain for revocation list fetch, etc13:47
ayounghenrynash, just a tactical move to get us up and running13:48
henrynashayoung: no reason why we shouldn’t do that….13:48
henrynashayoung: interesting13:48
*** nkinder has joined #openstack-keystone13:48
*** topol has quit IRC13:49
*** stevemar has joined #openstack-keystone13:53
*** jsavak has joined #openstack-keystone13:54
ajayaaHi. How do I modify the rule "identity: delete_user" so that a project_manager can delete users only in his project.13:58
*** gokrokve has joined #openstack-keystone14:00
rodrigodsajayaa, hey, one option is to use project_id:%(
*** rwsu has joined #openstack-keystone14:04
rodrigodsajayaa, you can check some of this rules here: . There is rules for project_admin, domain_admin, etc14:05
ajayaarodrigods: The api call looks like " DELETE /users/{userid}". What happens if a user is associated with multiple projects?14:08 == default_project_id?14:09
ajayaarodrigods, I can try it out probably. Thanks. What type of test is recommended for testing custom policies?14:14
ajayaaunit, functional (change in tests/ or tempest?14:15
ayoungajayaa, good question.   I don't think we have one...it would be a very useful standalone tool, though...14:16
*** hrybacki has quit IRC14:18
ajayaaayoung, How would you go about generating tests? Manually write a number of tests or some generic stuff which would read policy.json and generate tests from it.14:19
ayoungajayaa, we have some tests...looking...14:20
ajayaain, I think.14:20
*** CaioBrentano has joined #openstack-keystone14:23
ayoungajayaa, yep14:23
ayoungajayaa, not sure, though, what happens if the policy dictates that something should be read from the database, which is the case with your policy rule14:24
ayoungajayaa, if the user is associated with multiple projects, only the project associated with the token that they present is relevant14:25
ajayaaayoung, Are you talking about this? From the api example I couldn't figure out what is it?14:26
ayoungajayaa, nope14:27
ayoungajayaa, look at the trust rules14:27
*** ukalifon3 has joined #openstack-keystone14:29
*** hrybacki has joined #openstack-keystone14:30
*** ukalifon has quit IRC14:30
rodrigodsayoung, ajayaa ++14:31
*** alanvitor has joined #openstack-keystone14:31
rodrigodswould be great to enforce by the projects where a user has a role14:32
rodrigodsnot just for the default_project_id14:33
*** radez_g0n3 is now known as radez14:34
*** dims has joined #openstack-keystone14:36
ayoungrodrigods, ajayaa please make it so.14:38
*** nkinder has quit IRC14:40
*** topol has joined #openstack-keystone14:41
ajayaaayoung, Could you please tell me, how does someone specify that a rule be fetched from database?14:42
*** daneyon has joined #openstack-keystone14:43
ajayaaas far as I could understand, either attributes are fetched from api call and token and object being acted on.14:46
ayoungajayaa, did you look at the trust rules?  Also look at the decorator that activates them, in keystone/trusts/controllers.py14:47
ajayaaI will have a look. Thanks a lot. :)14:47
*** erecio has quit IRC14:48
*** ajayaa has quit IRC14:48
*** erecio has joined #openstack-keystone14:49
*** erecio has quit IRC14:49
*** thedodd has joined #openstack-keystone14:50
*** gokrokve has quit IRC14:53
*** richm has joined #openstack-keystone14:53
*** gokrokve has joined #openstack-keystone14:53
*** lbragstad has joined #openstack-keystone14:54
*** nkinder has joined #openstack-keystone14:55
*** gokrokve has quit IRC14:57
*** sbfox has joined #openstack-keystone14:59
*** ukalifon3 has quit IRC15:03
*** ayoung has quit IRC15:05
*** jsavak has quit IRC15:09
*** jsavak has joined #openstack-keystone15:09
*** dstanek_zzz is now known as dstanek15:10
dstaneki see the hackathon is at Geekdom. nice!15:11
*** erecio has joined #openstack-keystone15:12
stevemardstanek, welcome back!15:15
dstanekstevemar: thanks15:16
*** morganfainberg_Z is now known as morganfainberg15:18
morganfainbergdstanek, you're back?! have a good vacation?15:19
dstanekmorganfainberg: i think i took today off too, but it looks like i have a lot to catch up on15:20
morganfainbergdstanek, ah15:20
dstaneklooks like the bug count is going down nicely15:23
morganfainbergdstanek, yeah. i spent 2 days smashing out bugs that were dupes / already closed / wtf? no / etc15:23
morganfainbergdolphm, dstanek, stevemar, bknudson, jamielennox|away, topol, ayoung, lbragstad - Quick question, for approving specs, what are we doing, 2x+2 then +A?, +2s and PTL approves?  3x+2, then +A15:26
topoldstanek, welcome back15:26
topolmorganfainberg, good question15:27
morganfainbergi think we forgot to specify that when we spun up the -specs repo15:27
*** gyee has joined #openstack-keystone15:27
*** ayoung has joined #openstack-keystone15:27
topolmorganfainberg, I suspect the PTL needs to approve if we are to be consistent with the previous process15:27
morganfainbergbut... we need to get these specs in ASAP, so..... it's time to get that decision in place15:27
stevemarmorganfainberg, i think we need more than the usual 2x+215:28
morganfainbergstevemar, i agree, thats why i am asking.15:28
bknudsonmorganfainberg: different groups do it differently15:28
lbragstadI think whatever allows for the most eyes on a spec would be good...15:28
bknudsonI would expect dolphm to do the honors15:28
bknudsonbut maybe that's more restrictive than we need to be15:28
ayoungthe spec process is broken.  Specs should not have to be "approved" in that every t is dotted and i is crossed before we say "go ahead and do it."15:28
lbragstadI'd agree with that15:28
ayoungWe need to say "OK,  this spec is good enough, lets do it15:28
lbragstadwe currently have 11 specs up...,n,z15:28
ayoungand then have a follow on process to convert the spec into documentation for the project15:29
morganfainbergayoung, which is why i'm asking the question of when do we approve it.15:29
topolwe have a PTL who can do the good enough role15:29
ayoungmorganfainberg, do you think I am arguing against you?15:29
bknudsonyou're not stopped from doing any work before the spec is approved15:29
morganfainbergayoung, nope15:29
lbragstadbknudson: right15:29
topolyou have to admit the specs look incredibly good compared to previous ones thanks to the new process15:29
morganfainbergbknudson, there is some legitimate concern that if a spec hasn't been (at least tentatively approved) the work is throw-away15:29
ayoungtopol, but the code is not getting written15:30
ayoungWe have very pretty wrapping paper, a bow, and an empty box15:30
lbragstadbut by the time you really start iterating over the spec and no one has raised a serious red flag, I *think* it would be safe to start implement something?15:30
dstanektopol: thanks15:30
morganfainberglbragstad, unless the spec gets mothballed and left.15:30
bknudsonmorganfainberg: sure, I think if another core has looked at it and didn't have any major objections then go ahead.15:31
topolso thats the same problem a newcomer has to a project where no one reviews their stuff. The answer I give them is the same. Go start writing a patch. code TALKS15:31
ayoungbknudson, so what if we have another termie incident?15:31
bknudsonayoung: what's a termie incident?15:31
ayoungSomeone coming in months later and deciding "nope"  and -2ing it and sitting on the code15:31
ayounga core at that15:31
lbragstadthe trust thing?15:31
topolwhats stopping any of us from doing a WIP patch.  We iterate on everything a ton anyway15:31
ayoungthe approval means "this is the approach that we are going with"15:32
bknudsonayoung: I would hope that the spec process helps with that!15:32
topolagain, we have a PTL to fix those issues. We need dolphm for this conversation15:32
ayoungnot that every last detail is perfect...and I think a spec should be approvable even before it is ready for inclusion in the next O'Reilly book.15:32
dstanekit would be nice to somehow have the process be more agile - first phase is an approval "we like this and the approach looks good enough to explore"15:33
dstaneksecond phase - "API is solid and all the i's are crossed and t's are dotted!"15:33
ayoungtopol, I'm just a little worried that we keep putting more and more restrictions in place, we are going to be paralyzed.  Right now, we only have until J2 to get API changes in, and now we spin a lot of iterations on getting the Spec right, which is, hopefully going to replace the API process....15:33
dstaneklooks like i just got bounced - did my messages get through?15:34
ayoungdstanek, so I think that is what I want here too15:34
ayoungdstanek, yes15:34
ayoungdstanek, " first phase is an approval..."15:34
bknudsonwe're paralyzed already because it takes time to review and we don't always have time to do reviews15:35
dstaneki think part of the issue will always be that certain parts of APIs (etc) will need to be coded before being stamped in stone as a spec15:35
bknudsone.g., I need to make presentations and look at bugs and stuff15:35
ayoungbknudson, yeah15:35
bknudsonhopefully the spec process will make the code reviews go faster15:35
ayoungbknudson, and Red Hat waits until Icehouse goes out the door to do its big QA push, which means right now everyone is demanding my time.15:36
bknudsonayoung: we have the same thing here15:36
ayoungdstanek, maybe the first thing someone should submit is a proof-of-concept.  Out of tree?15:36
openstackgerritStuart McLaren proposed a change to openstack/keystone: enable multiple keystone-all worker processes
* ayoung is going to +A ^^ just so people stop submitting it15:38
dstanekayoung: if i were doing this from scratch and had the power to make the decision i would say yes15:38
topolso this is a new process and clearly some kinks need to be worked out.  Perhaps we all relax and not nit pick everything15:38
dstaneksimilar to how vish created a POC for the work he wanted to do15:38
ayoungdstanek, ++15:38
dstanekbut i realize that in a corporate setting that may not work because of the "throw away factor"15:38
ayoungdstanek, the code review process should feed into the documentation, too15:39
ayoungIE:  when I explain to you how something I wrote works, we should capture that as part of the docs15:39
lbragstadpart of that does get captured in the spec review, I would say15:40
topolso we still have a blueprint entry in launchpad for each spec.  Cant the PTL just approve it there and then you know to proceed with coding?15:40
ayoungdstanek, I like the SPEC process.  And some of the Proof-of-concept things, like what Kent did for Federation, needed some serious reworking before it fit in with the rest of Keystone15:40
ayoungtopol, why PTL only15:40
ayoungthat is too much on dolphm 's shoulders, as broad as they are15:41
dstanekhow does the whole flow work end-to-end? if i submit a spec when do i create a blueprint and how do i link them?15:41
ayounghow about a vote at the tuesday meeting15:41
topolI thought thats how it used to work. Didnt the PTL use to approve which blueprints when each release?15:41
morganfainbergtopol, not really15:41
ayoungthumbs up or down, PTL gets a Veto?15:41
morganfainbergtopol, any drivers could/can15:41
morganfainbergdrivers = core15:41
topolOh, OK, so then why can't you guys just do a single +2 and we have the same model?15:42
ayoungtopol, what I think we all want, and have no way of collecting is :  THis approach is OK.  No serious objections15:43
topoli.e. single +2 gets the spec merged15:43
topolhow did you have that before?15:43
ayoungcan we all just go through and +1 all the specs that we think are OK,  with +2 meaning "read in depth, and willing to approve?"15:43
ayoungtopol, nothing formal15:44
bknudsonI guess my concern is, how do you raise an objection after the spec has been +A?15:44
bknudsonmaybe you think the database schema is messed up15:44
lbragstadhave a vote and amend the spec with some sort of label?15:45
morganfainbergbknudson, are we putting the DDL information into the spec?15:45
morganfainbergbknudson, if so, then that is a reason to -1 the spec.15:45
ayoungbknudson, there is still Code review, there is still bugs15:45
topoland we have seen things come down to the wire based on the content/quality of the code regarding whether something gets in or not15:45
bknudsonthis is kind of the "termie" issue15:45
morganfainbergbknudson, if we're not, we do that in the code review that has the db schema in it15:45
bknudsonright, maybe something comes up during code review where the design is just broken15:45
topoldo folks really feel that previously when they had a blueprint approved that that guaranteed their code would get in?15:45
morganfainbergi think we need to clarify an approved spec is not set in stone. you can propose changes to it.15:46
bknudsondo we go back and fix the spec15:46
morganfainbergbknudson, if it's a legitimate issue, fix the spec :)15:46
bknudsonthat works for me15:46
morganfainbergit's a guideline of what we're aiming for15:46
ayoungbknudson, we need to be willing to iterate15:46
ayoungI try to make it a point that if I ever block someone's approach, at a minimum I give them an alternative that I think will still suit their needs and be more in line with the project15:47
morganfainbergthat is why i don't think the DDL needs to be in the spec unless it's massively complex (for example)15:47
morganfainbergi think that can be handled in the code review.15:47
bknudsonmy concern is that it can be difficult to go back and update the spec15:47
bknudsonbut if people are willing to iterate then i'm fine with that15:47
morganfainbergbknudson, i think that the spec should really be a guideline on what we're aiming for, to limit scope of a bp and keep us all on track15:47
morganfainbergbknudson, "i propose changing X and Y, but in code I do Z, Q, and R'  that is a nogo.15:48
topoljust some of them were so well written they were great design docs.  It was intoxicating..15:48
morganfainbergas far as i am concerned, the specs are looking very good.15:49
lbragstadok so..15:49
lbragstadI have a question15:49
topolI have to travel and wont be at the Tuesday meeting. Ideally whatever solution you can come up with that doesnt stall progress works for me15:49
dstanekat what point do we say the spec is stable and will only change for bugs in the spec? after all code is merged? after released?15:49
ayoungBTW:  don't start your spec with "add spec"  Lets try to keep the one liners matching the blueprints.  so instead of "Add spec for using JSON Home"  call it "JSON Home"  just to pick on bknudson.  Then we can say approval of the spec doc that matches the blueprint implies approval of the blue print on  or comparable15:50
topolred tape slowing us down is not what anyone wants15:50
lbragstadlets say I have a spec up that needs to be updated, which I do in commit A... and then I modify my implementation to follow the spec in commit B. Should we *always* approve and merge A before B?15:51
lbragstadAlways make sure the spec is updated before the implementation?15:51
lbragstadto avoid getting the two out of sync?15:51
bknudsonlbragstad: aren't reviewers going to see that the code doesn't match the approved spec?15:51
*** david-lyle has joined #openstack-keystone15:51
morganfainbergbknudson, the hope is that reviewers will look at the spec15:51
lbragstadright, I'm just trying to think of cases where they would get out of sync15:52
topolPerhaps the problem is the template, not the spec-repo. It requires a ton of details.  Perhaps making that lighter fixes this issue?15:52
morganfainbergthe way i see the spec is it's an enhancement to the API repo we have15:52
morganfainbergit documents what the API repo couldn't15:53
morganfainbergit shouldn't be "every detail of everything captured in prose"15:53
bknudsonpart of the problem is we just haven't been doing things right15:53
morganfainbergit's a framework for the implementation. it really is more to cover what the workload is. - and to keep scope in check15:53
bknudsone.g., we don't have tempest tests for common scenarios15:53
bknudsonso we either have to fix that first15:54
morganfainbergbknudson, that is part of what the spec is meant to cover "hey, guys, we need to do this too"15:54
bknudsonor fix it while we're trying to implement features15:54
morganfainbergi think we need to go with the latter, perhaps work on the common scenarios once we're past the J2 limit15:55
morganfainbergbknudson, a more concerted effort focusing on the common scenarios15:55
morganfainbergbknudson, vs more ad-hoc up front15:55
bknudsonand maybe this is part of what topol is talking about -- do we want to slow down and do it right? or keep up the speed doing it wrong?15:55
ayoungtopol, Or just making it clearer :  this is a superset of the spec data, include only that which is relevant to your design15:55
bknudsonI would expect a feature like federation would take much longer if tempest tests were a requirements15:56
ayoungcan we start by all agreeing to approve
bknudsonbut now it's in and there's no tempest15:56
ayoungwith the understanding that it is the code that counts?15:56
bknudsonso can changes to federation require tempest tests?15:56
morganfainbergbknudson, we have debt to payback.15:58
morganfainbergwe can require future looking changes to implement tempest, but more likely, we wont be able to do the full run on some of those things yet (we can't run in apache, we can't do tempest for federation)15:58
topolayoung+++ you know you have my vote15:59
topolthats a tony award winning spec :-)15:59
morganfainbergbknudson, we've got gaps on testing that are bigger issues than not having a tempest scenario for a feature :(15:59
*** gokrokve has joined #openstack-keystone15:59
*** andreaf has quit IRC16:00
morganfainbergbknudson, i expect to have a lot of those gaps closed this cycle16:00
morganfainbergbknudson, but until they are...16:00
bknudsonmorganfainberg: closing tempest testing gaps would be impressive.16:00
morganfainbergbknudson, well, i'll be closing the gaps on things like LDAP backed tempest runs, and apache deployments16:01
morganfainbergbknudson, once we're there, we can say "ok federation needs tempest"16:01
bknudsonthat would be significant16:01
morganfainbergbknudson, that is one of my goals this cycle.16:01
morganfainbergbknudson, but it might be right up until J3 before it's really done16:02
morganfainbergbknudson, so i don't want to prevent all forward motion on things we _cant_ tempest test16:02
*** jsavak has quit IRC16:02
*** ayoung has quit IRC16:02
bknudsonthe concern is that we're kind of flying blind16:03
*** jsavak has joined #openstack-keystone16:03
morganfainbergbknudson, we are. we're getting closer.16:03
morganfainbergbknudson, but once we have a LDAP target, a apache target, the other basic things in gate16:03
morganfainbergbknudson, we will need to pay back debt.16:03
morganfainbergbknudson, and likely with that debt will come some bug smashing16:04
*** thedodd has quit IRC16:04
morganfainbergbknudson, so - for things we can test, lets make sure there is tempest for them - to the best of our abilities16:05
morganfainbergbknudson, at least isolated for the new functionality16:05
morganfainbergbknudson, as part of the spec.16:05
morganfainbergspecs can be iterated on, please propose a change if there is a major issue with them during implementation.16:06
*** david-lyle has quit IRC16:06
bknudsonI don't think we answered what's required for spec approval? Maybe add it to the meeting agenda16:06
morganfainbergspecs should provide enough justification for the work and targets to be useful in determining if we're on the right path with implementation.16:06
morganfainbergbknudson, ++ and we need to say "XYZ is needed for approval"16:07
bknudsonI would hope that a spec could also anticipate issues that you're going to have...16:07
bknudsone.g., maybe there's some issue with identity & assignment being separate backends16:07
morganfainbergbknudson, sure, but doesn't mean you wont run into some crazy edge case that blind sided you and requires a modification to the spec.16:08
bknudsonmorganfainberg: I agree, we need to be able to iterate after approval16:09
morganfainbergbknudson, ok i'll toss this on the agenda16:09
*** clu_ has joined #openstack-keystone16:10
dstaneki would love to see a spec for the spec process :-)16:12
topolWhat on a spec the PTL (or other folks that have blueprint approval rights) leave a comment that says I approve patch xx of the spec as able to go in?16:15
topolWhy doesnt that fix this?16:15
topolcomment says approved and we have a version that was approved and then folks can go work on stuff knowing its approved16:16
topolthank goodness for comments16:16
*** sbfox has quit IRC16:20
*** ayoung has joined #openstack-keystone16:25
*** dstanek is now known as dstanek_zzz16:25
*** ayoung has quit IRC16:25
*** dstanek_zzz is now known as dstanek16:26
*** praneshp has joined #openstack-keystone16:26
*** david-lyle has joined #openstack-keystone16:28
topoldstanek, is there a metadata model for the spec for the spec process? :-)16:29
*** ayoung has joined #openstack-keystone16:29
ayoungbknudson, morganfainberg how about we put "thumbs up down vote on Spec X,Y,Z" on each weeks agenda16:35
bknudsonayoung: I have no problem with that.16:36
bknudsonthen I'd expect 2 +2 to +A16:36
bknudsonthumbs up/down would just be an agreement on whether this is good for keystone16:37
bknudsonor a no-go16:37
morganfainbergbknudson, ++16:37
ayoungbknudson, unless anyone strenuously objects, I say we approve the spec, and allow future revisions for nits16:38
ayoungbknudson, I think we don't want 2 +216:39
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove `with_lockmode` use from Trust SQL backend.
ayoungthat is a different standard16:39
ayoungand is good for code, but not for specs16:39
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove `with_lockmode` use from Trust SQL backend.
bknudsonok, I'm just wondering how much work we expect to put into the spec16:39
ayoungfor specs it should be "I have no objections to this approach"16:39
morganfainbergtopol, ^ if i addressed your concerns please remove the -1.16:39
ayoung"you have not thought about this enough"16:39
bknudsonwe could thumbs up just with a description16:39
ayoungbknudson, let's battle through the unique ID spec tomorrow, and see what we learn from that16:40
*** dstanek is now known as dstanek_zzz16:40
bknudsonI don't think there's a battle to be had over the unique ID spec16:40
bknudsonayoung: maybe session tokens? I don't know much about it.16:42
bknudsonayoung: there's several proposals, we could try to thumbs up/down16:43
ayoungbknudson, let's list all of them, and go through them16:43
*** david-lyle has quit IRC16:43
bknudsonmaybe someone doesn't want the server to do v3 extension advertisement?16:43
bknudsonI got good feedback on the code that I posted before there was a spec16:44
topolmorganfainberg, yes you did and the -1 is gone.16:45
*** raildo has quit IRC16:50
ayoungbknudson, they are on the agenda. We can vote:  "Yes", "No", or "Come back with more details."16:51
*** tellesnobrega has quit IRC16:51
*** htruta has quit IRC16:51
*** rodrigods has quit IRC16:52
openstackgerritBoris Pavlovic proposed a change to openstack/keystone: Add rally plugins support
boris-42bknudson morganfainberg ^16:59
boris-42bknudson morganfainberg  hi there16:59
morganfainbergboris-42, saw! that'll make using rally even better16:59
boris-42morganfainberg there will be one more important feature soon17:00
boris-42morganfainberg criteria of benchmark success17:00
*** nkinder has quit IRC17:00
boris-42morganfainberg there will be one more field args, runner, context and new one will be criteria17:00
boris-42morganfainberg where you can specify max failure rate, avg, max duration and probably other interesting arguments17:01
*** gordc has quit IRC17:01
*** gordc has joined #openstack-keystone17:03
*** dstanek_zzz is now known as dstanek17:03
*** _bluev has joined #openstack-keystone17:07
*** jsavak has quit IRC17:07
*** jsavak has joined #openstack-keystone17:08
_bluevis it possible with v2 or v3 to give out a specific service catalog for a tenant ? The catch-all service catalog would be given unless the user matches, something like that.17:09
*** amcrn has joined #openstack-keystone17:09
*** harlowja_away is now known as harlowja17:09
*** tellesnobrega has joined #openstack-keystone17:10
_bluevIM *tenant* matches17:10
*** thedodd has joined #openstack-keystone17:12
openstackgerritStuart McLaren proposed a change to openstack/keystone: enable multiple keystone-all worker processes
openstackgerritStuart McLaren proposed a change to openstack/keystone: Sync service module from oslo-incubator
stevemarwas there a patch going around for devstack to rename the keystone apache site file to keystone.conf17:16
stevemarto account for apache 2.4 default behaviour17:16
*** nkinder has joined #openstack-keystone17:17
*** thedodd has quit IRC17:21
morganfainbergstevemar, not sure.17:28
*** nsquare has joined #openstack-keystone17:29
*** rodrigods has joined #openstack-keystone17:34
*** rodrigods has joined #openstack-keystone17:34
*** amcrn has quit IRC17:36
*** raildo has joined #openstack-keystone17:39
*** amcrn has joined #openstack-keystone17:40
*** dolphm has quit IRC17:41
*** raildo has quit IRC17:44
*** dolphm has joined #openstack-keystone17:44
*** daneyon has quit IRC17:44
*** tellesnobrega has quit IRC17:44
*** rodrigods has quit IRC17:46
*** dolphm has quit IRC17:48
*** _bluev has quit IRC17:49
*** dolphm has joined #openstack-keystone17:49
*** marcoemorais has joined #openstack-keystone17:50
*** stevemar has quit IRC17:50
*** marcoemorais has quit IRC17:50
*** marcoemorais has joined #openstack-keystone17:51
openstackgerritayoung proposed a change to openstack/keystone: Allow for multiple PKI Style Providers
*** stevemar has joined #openstack-keystone17:51
*** htruta has joined #openstack-keystone17:52
*** rodrigods has joined #openstack-keystone17:52
morganfainbergstevemar, we should document the changes for making apache 2.4 work17:55
morganfainbergstevemar, at the very least17:55
stevemarmorganfainberg, agreed17:55
*** ajayaa has joined #openstack-keystone17:56
*** dstanek is now known as dstanek_zzz17:57
*** jsavak has quit IRC17:58
*** jsavak has joined #openstack-keystone17:59
*** tellesnobrega has joined #openstack-keystone18:00
htrutastevemar: ping18:01
*** afaranha has joined #openstack-keystone18:06
*** afaranha has left #openstack-keystone18:06
*** daneyon has joined #openstack-keystone18:07
morganfainbergayoung, re ^ the multiple PKI providers, should there be a PKI base class or an attribute? or do we not care about the simple cert stuff in the case of the UUID provider?18:10
gabriel-bezerrastevemar: I sent a patch renaming the apache site configuration files18:14
*** erecio has quit IRC18:19
*** erecio has joined #openstack-keystone18:19
ayoungmorganfainberg, that check can go away.  Let's not force a base class for no real benefit.18:20
ayoungmorganfainberg, the simple-cert extension might be useful in the absence of the token provider18:20
ayoungfor example, if it were used with Oslo messaging18:21
morganfainbergayoung, works for me.18:21
morganfainberggabriel-bezerra, there is some odd issue going on with the new apache-services test. claiming apache2ctl isn't available18:22
morganfainberggabriel-bezerra, i expect to look at that a little more in depth here shortly18:23
morganfainberggabriel-bezerra, unless you happen to know off the top of your head18:23
*** dims has quit IRC18:25
*** dims has joined #openstack-keystone18:25
*** ajayaa has quit IRC18:30
*** ChanServ sets mode: +o dolphm18:31
*** marcoemorais has quit IRC18:36
*** marcoemorais has joined #openstack-keystone18:37
*** thedodd has joined #openstack-keystone18:37
*** marcoemorais has quit IRC18:37
*** marcoemorais has joined #openstack-keystone18:37
*** sballe has joined #openstack-keystone18:39
*** ajayaa has joined #openstack-keystone18:41
morganfainberggabriel-bezerra, ah nvm, things look happier18:41
morganfainberggabriel-bezerra, or not...18:41
sballeHi, rkukura mentioned in the Neutron IRC that there is some work in keystone around hierarchical tenants. is that true? I am looking for a feature that would allow me to "not share" a neutron network but still allow a group of tenants to access it. Currently "shared" means that all tenants can access that Neutron network and of course not shared means that only one tenant can access it.18:43
sballegyee, Do you know ? ^^^^18:45
*** afazekas has joined #openstack-keystone18:45
*** sbfox has joined #openstack-keystone18:48
*** dstanek_zzz is now known as dstanek18:49
gabriel-bezerramorganfainberg: it is called on Ubuntu..18:53
gyeesballe, domain should work for you, if we are talking about resource isolation18:53
morganfainberggabriel-bezerra, it doesn't exist in the location specified.18:54
gabriel-bezerrafunction apache_site_config_for .. if is_ubuntu; then 10718:54
gabriel-bezerra        local apache_version=$(sudo /usr/sbin/apache2ctl -v | awk '/Server version/ {print $3}' | cu18:54
gabriel-bezerrat -f2 -d/)18:54
gabriel-bezerralib/apache, line 10818:54
morganfainberggabriel-bezerra, right and
gabriel-bezerrait should be called only if apache has been installed18:55
morganfainbergapache should be installed in any/all cases for gate (tempest) because horizon uses it18:55
morganfainbergthe link above is failing - i think ... because it doesn't exist in the right place?18:55
sballegyee, the use case is that we have trusted VMs that belong to specific tenants e.g. DBaaS, DNS, etc. and they need to get access to a Neutron shared Network unfortunately shared means that everybody can get access to it. So we want to mark it as non shared for a given tenant which would encompass the DBaaS, DNS tenant. Does this make sense? otherwise we can chat about it on the side18:55
morganfainbergi'm downloading a recent version of 12.04 to look into this18:56
gabriel-bezerramorganfainberg: I tried on both 12.04 and 14.04 and it worked. Maybe that's something with some new version?18:56
morganfainberggabriel-bezerra, or apache isn't installed at the time you're calling it18:56
morganfainberggabriel-bezerra, actually...18:56
morganfainberggabriel-bezerra, yep.18:58
morganfainberggabriel-bezerra, you're calling it at source time of lib/keystone18:58
morganfainbergcan't do it there.18:58
morganfainbergthat will be run wayy too early in the setup18:58
morganfainberggabriel-bezerra, see how horizon is in a function 'init_horizon'18:59
morganfainberggabriel-bezerra, i'll propose a quick fix for this.19:00
*** dstanek is now known as dstanek_zzz19:02
gabriel-bezerramorganfainberg: ok, thanks, I can review if you wish19:02
gabriel-bezerramorganfainberg: keystone also has a init_keystone function19:02
*** Chicago has joined #openstack-keystone19:02
morganfainberggabriel-bezerra, sounds good, i'll tag you on the review19:02
*** Chicago has quit IRC19:02
*** Chicago has joined #openstack-keystone19:02
morganfainberggabriel-bezerra, right, but we use the config in a number of places, so it's a little different than horizon's use case.19:03
*** erecio has quit IRC19:04
*** erecio has joined #openstack-keystone19:04
*** nsquare has quit IRC19:07
*** praneshp has quit IRC19:08
morganfainberggabriel-bezerra, should do it19:11
morganfainberggabriel-bezerra, setting up env locally to be 100% sure.19:12
boris-42morganfainberg oh plugins works =)19:13
morganfainbergboris-42, nice19:13
*** marekd has quit IRC19:15
gabriel-bezerramorganfainberg: lgtm19:17
*** marekd_ has joined #openstack-keystone19:22
*** praneshp has joined #openstack-keystone19:31
*** thedodd has quit IRC19:40
*** yfujioka has joined #openstack-keystone19:40
*** raildo has joined #openstack-keystone19:42
*** yfujioka has quit IRC19:51
*** dstanek_zzz is now known as dstanek19:54
*** dstanek is now known as dstanek_zzz20:05
*** amcrn has quit IRC20:05
*** morganfainberg is now known as morganfainberg_Z20:06
*** radez is now known as radez_g0n320:06
*** boris-42 has quit IRC20:08
*** ajayaa has quit IRC20:10
*** boris-42 has joined #openstack-keystone20:12
jaosoriorWhen are the keystone dates for the mid-cycle meetup?20:22
*** nsquare has joined #openstack-keystone20:24
*** jsavak has quit IRC20:31
*** jsavak has joined #openstack-keystone20:31
*** dstanek_zzz is now known as dstanek20:33
*** topol has quit IRC20:41
*** hrybacki has quit IRC20:45
*** gyee has quit IRC20:46
*** dstanek is now known as dstanek_zzz20:49
*** hrybacki_ has quit IRC20:50
*** stevemar has quit IRC20:57
openstackgerritayoung proposed a change to openstack/keystone: Default to PKIZ tokens
*** marcoemorais has quit IRC21:00
*** marcoemorais has joined #openstack-keystone21:01
*** marcoemorais has quit IRC21:08
*** gyee has joined #openstack-keystone21:08
*** marcoemorais has joined #openstack-keystone21:08
*** NM has joined #openstack-keystone21:09
*** morganfainberg_Z is now known as morganfainberg21:10
*** praneshp has quit IRC21:11
*** jsavak has quit IRC21:15
*** jsavak has joined #openstack-keystone21:16
*** gordc1 has joined #openstack-keystone21:18
*** gordc has quit IRC21:18
*** gordc1 is now known as gordc21:18
*** gyee has quit IRC21:31
*** jsavak has quit IRC21:32
*** hrybacki has joined #openstack-keystone21:37
*** NM has quit IRC21:39
morganfainbergayoung, am i correct in assuming there is nothing preventing a delegation of trust to myself? [trustor and trustee are the same user_id]?21:40
morganfainbergi'm not seeing any check in the code that explicitly prohibits it...21:41
*** dstanek_zzz is now known as dstanek21:41
*** NM has joined #openstack-keystone21:43
*** praneshp has joined #openstack-keystone21:50
*** dstanek is now known as dstanek_zzz21:51
*** NM has quit IRC21:52
*** NM has joined #openstack-keystone21:54
*** andreaf has joined #openstack-keystone21:57
*** dims_ has joined #openstack-keystone22:00
*** gyee has joined #openstack-keystone22:02
*** dims has quit IRC22:02
*** henrynash has quit IRC22:07
*** daneyon has quit IRC22:08
*** sbfox has quit IRC22:08
*** marcoemorais has quit IRC22:09
*** marcoemorais has joined #openstack-keystone22:10
*** marcoemorais has quit IRC22:11
*** marcoemorais has joined #openstack-keystone22:11
ayoungmorganfainberg, I can see that being a very powerful abstraction actually22:12
morganfainbergayoung, i have a use case right now for it22:12
*** marcoemorais has quit IRC22:12
*** marcoemorais has joined #openstack-keystone22:13
ayoungmorganfainberg, it's the only way you can get a token with a reduced set of roles:22:13
morganfainbergayoung, not through the traditional trust auth model, (initially through ec2) but i also think it would be great to support as a 1st order delegation method22:13
morganfainbergayoung, ++ exactly22:13
*** nkinder has quit IRC22:13
morganfainbergayoung, i don't see anything that prevents it, but i'm setting up a test env right now to confirm it works22:14
morganfainbergif so, i'm going to add a test to make sure it keeps working22:14
ayoungmorganfainberg, pretty sure I've used it before, but, sure, go ahead...would be a good thing to have made explicit22:14
morganfainbergcool, was making sure i wasn't missing some design bit that says "we should never do this ever"22:15
*** CaioBrentano1 has joined #openstack-keystone22:23
*** CaioBrentano has quit IRC22:25
*** gordc has quit IRC22:25
*** marcoemorais has quit IRC22:26
*** marcoemorais has joined #openstack-keystone22:26
*** marcoemorais has quit IRC22:27
*** marcoemorais has joined #openstack-keystone22:27
*** NM has quit IRC22:28
*** NM has joined #openstack-keystone22:36
openstackgerritChangBo Guo(gcb) proposed a change to openstack/python-keystoneclient: Don't use mock non-exist method assert_called_once
*** NM has quit IRC22:38
*** dstanek_zzz is now known as dstanek22:42
*** sballe_ has joined #openstack-keystone22:46
*** jamielennox|away is now known as jamielennox22:47
*** sballe has quit IRC22:47
*** hrybacki has quit IRC22:47
*** dstanek is now known as dstanek_zzz22:52
*** alanvitor has quit IRC22:59
*** hrybacki has joined #openstack-keystone23:10
*** sbfox has joined #openstack-keystone23:11
*** sbfox has quit IRC23:11
*** sbfox1 has joined #openstack-keystone23:11
*** amcrn has joined #openstack-keystone23:13
*** nkinder has joined #openstack-keystone23:24
*** morganfainberg is now known as morganfainberg_Z23:25
openstackgerritRichard Megginson proposed a change to openstack/keystone: test_user_mixed_case_attribute fails - mail, not email
*** jaosorior has quit IRC23:32
jamielennoxgyee: ping23:33
*** morganfainberg_Z is now known as morganfainberg23:42
*** dstanek_zzz is now known as dstanek23:43
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins
gyeejamielennox, here23:43
gyeepatch looks good, lemme do the needful23:44
jamielennoxhey gyee, i just wanted to see if you'd had a go at converting barbican shell to those keystoneclient patches23:44
*** rodrigods_ has joined #openstack-keystone23:44
jamielennoxno, that one looks like it's failing for an oauth issue23:44
jamielennoxTypeError: get_oauth_params() takes exactly 2 arguments (1 given)23:45
jamielennoxhmm, get_oauth_params is an oauthlib thing though, not a problem of ours, stevemar isn't here...23:45
gyeejamielennox, I haven't been able to work on the barbican client patch the last couple of days23:47
jamielennoxok, i want to pull some of these patches out of WIP soon, i think the from_config stuff is good, but i want to make sure the CLI stuff and the auth_params stuff makes sense23:48
gyeejamielennox, I think we need the auth_params stuff, but I think we may run into some backward compatibility issues though23:49
gyeefor example, --os-cert versus os-cert-file23:49
gyeeI've seen quite a few of these23:49
gyeeand the underscores, like --os-tenant-id versus --os_tenant_id23:50
jamielennoxgyee: oh, i have a slightly newer patch than is up23:50
hrybackihey all, does anyone have any pointers to docs explaining the structure of keystone extensions?23:52
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects
morganfainberghrybacki, in what manner? we have an example extension in keystone/contrib/example that is a starting place that can be used to develop an extension23:53
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from CLI options
*** dstanek is now known as dstanek_zzz23:53
hrybackimorganfainberg++ I'll look at that thanks. I'm working with ayoung on the revocation events extension -- first time working on keystone really -- still figuring out how everything is pieced together23:53
jamielennoxgyee: so if you look at that first one: i added a deprecated_opts param23:53
morganfainberghrybacki, cool!23:54
jamielennoxthat will help with the transition for config, it should be relatively easy to do the same thing for CLI23:54
jamielennoxactually from memory CLI is easier because you can create the parser and then add all the deprecated stuff you need afterwards23:56
jamielennoxgyee: plugin loading from conf is completely new so i don't think i need to worry about that one23:56
gyeejamielennox, this one?
gyeewe still need --cert-file23:57
jamielennoxyou should be able to add that afterwards23:57
gyeeright, I agree23:58
gyeewe just need to get the framework straightened out at this point23:58
jamielennoxyep, so when you add a CLI param you can specify supress=True so that it doesn't show up in --help and target='XXX' as to what variable the result is23:59
jamielennoxso i was expecting that you would load all the good ones from the session object and then add whatever you need to maintain compatibility in addition23:59
