Friday, 2014-06-20

« Thursday, 2014-06-19 Index Saturday, 2014-06-21 »
jgriffithhey.. what's signing dir do?00:00
jgriffithit's in my past-ini but it doesn't exist00:00
morganfainbergah, paste-ini maybe is where00:01
morganfainbergand i think thats where it's looking?00:01
* morganfainberg looks at auth_token00:01
morganfainbergthe code looks to be looking for certfile cafile00:02
morganfainbergor signing_dir where all the certs/ca stuff lives00:02
morganfainbergoh00:02
morganfainbergno no signing_dir is where the cert info should life00:03
morganfainberglive*00:03
morganfainbergfor validating tokens00:03
jgriffithmorganfainberg: seems weird that it doesn't exist on my system?00:03
jgriffithmorganfainberg: maybe that's a problem :)00:03
morganfainberghehe point it to where you put the stuff for validating the tokens00:03
jgriffithmorganfainberg: so like /var/lib/nova/CA ?00:04
jgriffithor the keystone versions?00:04
jgriffith/varlib/keystone/certs?00:05
morganfainberguh. you put the validation certs in /var/lib/nova/CA?00:05
morganfainbergwherever you put the new certs00:05
jgriffithmorganfainberg: I copied them there00:05
jgriffithgenerated them in /var/lib/keystone/cert00:05
morganfainbergright try the nova/CA location00:06
jgriffithkinda followed this dudes blog00:06
*** nsquare has quit IRC00:07
*** nsquare has joined #openstack-keystone00:10
jgriffithmorganfainberg: ha!!00:18
jgriffithmorganfainberg: frikin cached copy of the certs00:18
morganfainbergworks?00:18
morganfainberghehe00:18
morganfainbergjoy00:18
jgriffithso the past.ini didn't seem to do anything00:18
jgriffithbut...00:18
morganfainbergahh00:18
jgriffithI hit the var/lib/nova/keystone-signing dir and noticed everything was "the old dates" again00:19
jgriffithnuked, restarted and bingo00:19
morganfainbergthere ya go00:19
morganfainbergok then!00:19
* morganfainberg feels productive00:20
morganfainbergI helped! some!00:20
morganfainbergand .. only 3 failures on my split/merge/split/split/merge in testing00:20
morganfainbergwoo00:20
jgriffithmorganfainberg: lol00:26
jgriffithmorganfainberg: well, if I can ever return the favor let me know00:26
jgriffithjust not right now :)00:26
morganfainbergjgriffith, haha sounds good :)00:26
jgriffithmorganfainberg: take care00:26
morganfainbergcheers, you too00:27
*** hrybacki has quit IRC00:29
*** hrybacki has joined #openstack-keystone00:29
morganfainbergjamielennox, dolphm, stevemar, bknudson, ayoung_DadMode, dstanek_404, https://github.com/morganfainberg/keystonemiddleware that should be the split-out/merge down of the middlewares00:34
morganfainbergit (at the very least) passes pep8 and py2700:34
stevemarmorganfainberg, now that is pretty neat00:35
*** topol has joined #openstack-keystone00:35
morganfainbergstevemar, it also contains all the history for the tests and the middleware files00:36
* morganfainberg is getting better at git00:36
jamielennoxcool, do we have any consensus of naming or where it will go?00:36
jamielennoxmorganfainberg: yea, that was the first thing i checked - it would be a shame to loose all that00:36
morganfainbergopenstack/keystonemiddleware00:36
jamielennoxok00:36
*** leseb has joined #openstack-keystone00:36
morganfainbergjamielennox, i'm going to spin up the review tonight for infra to add it tomorrow00:37
morganfainbergso by tomorrow afternoon *hope* we will have it open for reviews00:37
morganfainbergalready registered the LP project00:37
morganfainbergand setup the pypi packaging info00:37
stevemarmorganfainberg, so what's keystoneclient going to look like?00:38
morganfainbergstevemar, the same as it is now, the middleware will be simply frozen (e.g. -2 on any reviews for it) except for security maintenance00:38
morganfainbergstevemar, first release of the new package will be 1.0.000:38
morganfainbergstevemar, so, this is the time to play cleanup :)00:38
morganfainbergsame for ec2_token middleware in keystone (btw, we don't have tests for that)00:39
morganfainbergso we'll need some00:39
*** hrybacki has quit IRC00:40
morganfainbergany new middleware from this point will not be able to keep 100% of the history without each commit being submitted independently00:40
jamielennoxmorganfainberg: 1.0.0 of keystoneclient?00:40
morganfainbergjamielennox, keystonemiddleware00:41
jamielennoxyea, figured00:41
morganfainbergjamielennox, i figure we have incubated it long enough, it's time to call it mature.00:41
jamielennoxmorganfainberg: it's stable anyway - we're not allowed to change it so we may as well call it00:41
morganfainbergjamielennox, yep.00:41
*** leseb has quit IRC00:41
*** ncoghlan_afk is now known as ncoghlan00:42
morganfainbergok i need to get to the gym00:44
morganfainbergbe back in a bit00:44
*** devlaps has joined #openstack-keystone00:45
*** daneyon has quit IRC00:47
*** dims has joined #openstack-keystone00:58
*** daneyon has joined #openstack-keystone01:01
*** dims has quit IRC01:02
morganfainbergack, forgot docs!01:02
morganfainbergtotally need to fix that.01:02
morganfainbergat least that shouldn't be awful to do the merge/split magic on01:02
*** dims_ has joined #openstack-keystone01:05
*** diegows has quit IRC01:07
jamielennoxmorganfainberg: i think the docs are pretty dead anyway - most of them are in keystone i think01:07
morganfainbergeh, still going to see if there is anything i can salvage01:07
morganfainbergif not *shrug* need to write em01:08
*** mberlin has joined #openstack-keystone01:11
*** mberlin1 has quit IRC01:12
*** dstanek_404 is now known as dstanek01:14
*** bobt has quit IRC01:21
*** gokrokve has quit IRC01:22
*** leseb has joined #openstack-keystone01:37
*** dims_ has quit IRC01:39
*** leseb has quit IRC01:42
*** richm has left #openstack-keystone01:45
ayoung_DadModejamielennox, so, today morganfainberg and I discovered that Horizon is pretty much defaulting to UUID mode with tokens.  Give it a PKI token, it takes the MD5 hash, and forgets the body01:46
ayoung_DadModeso...01:46
*** ayoung_DadMode is now known as ayoung01:46
*** browne has quit IRC01:46
*** marcoemorais has quit IRC01:46
ayoungI want to make use of the cache01:46
ayoungspecifically, I want to take what we do in Auth_token middleware, move it into the client proper, and make it so that any client can save tokens in dogpile.01:46
*** gokrokve has joined #openstack-keystone01:47
*** daneyon has quit IRC02:03
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Update keystoneclient code to account for hacking 0.9.2  https://review.openstack.org/10015202:15
*** nsquare has quit IRC02:16
*** rwsu has quit IRC02:24
*** praneshp has quit IRC02:30
*** stevemar has quit IRC02:31
openstackgerritwanghong proposed a change to openstack/keystone: remove default=None for config options  https://review.openstack.org/10139102:33
*** leseb has joined #openstack-keystone02:38
*** leseb has quit IRC02:43
*** zhiyan_ is now known as zhiyan02:49
*** ayoung has quit IRC02:54
*** ayoung has joined #openstack-keystone02:55
ayoungmorganfainberg, jamielennox can I please merge https://review.openstack.org/#/c/101302/4  and https://review.openstack.org/#/c/95989/1102:55
*** harlowja is now known as harlowja_away02:56
*** devlaps has quit IRC03:10
*** gyee has quit IRC03:20
morganfainbergayoung, +2 on both03:23
*** praneshp has joined #openstack-keystone03:32
*** praneshp_ has joined #openstack-keystone03:34
*** praneshp has quit IRC03:37
*** praneshp_ is now known as praneshp03:37
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10140403:38
*** leseb has joined #openstack-keystone03:39
*** leseb has quit IRC03:43
morganfainbergayoung, jamielennox, https://review.openstack.org/#/c/101406/ woo :)04:10
*** ncoghlan is now known as ncoghlan_afk04:37
*** leseb has joined #openstack-keystone04:39
*** leseb has quit IRC04:44
*** stevemar has joined #openstack-keystone04:50
*** openstackgerrit has quit IRC04:57
*** ncoghlan_afk is now known as ncoghlan05:00
*** ncoghlan is now known as ncoghlan_afk05:05
*** praneshp has quit IRC05:19
*** stevemar has quit IRC05:23
*** ajayaa has joined #openstack-keystone05:30
*** henrynash has joined #openstack-keystone05:38
*** chandan_kumar has joined #openstack-keystone05:40
*** leseb has joined #openstack-keystone05:40
*** leseb has quit IRC05:45
*** henrynash has quit IRC05:45
*** amirosh has joined #openstack-keystone05:54
ajayaaHi. Jenkin build fails in python-keystoneclient because of http-pretty bug?06:03
ajayaajamielennox,06:03
*** ncoghlan_afk is now known as ncoghlan06:08
*** amerine has joined #openstack-keystone06:09
*** topol has quit IRC06:34
*** leseb has joined #openstack-keystone06:41
*** leseb has quit IRC06:46
*** gokrokve_ has joined #openstack-keystone06:58
*** gokrokve has quit IRC07:02
*** BAKfr has joined #openstack-keystone07:06
*** leseb has joined #openstack-keystone07:42
*** leseb has quit IRC07:46
marekdajayaa: it looks fine now.07:51
marekdpull the master, and issue tox -re py2707:52
*** jimbaker has quit IRC07:55
*** jimbaker has joined #openstack-keystone08:00
*** jimbaker has quit IRC08:00
*** jimbaker has joined #openstack-keystone08:00
*** zhiyan is now known as zhiyan_08:00
*** i159 has joined #openstack-keystone08:01
*** henrynash has joined #openstack-keystone08:03
*** zoresvit has joined #openstack-keystone08:04
marekdjamielennox: still here?08:09
*** henrynash has quit IRC08:09
*** ramonskie has joined #openstack-keystone08:14
ramonskiei had a slow horizon and bumped in to this blog http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/ after i executed that script i'm not able to use the api anymore with test-kitchen or bosh (tools that uses the openstack api to create vm's08:16
ramonskiei already did a "keystone-manage db_sync"08:17
ramonskieo and i'm still on grizzly08:17
*** henrynash has joined #openstack-keystone08:38
*** ncoghlan is now known as ncoghlan_afk08:42
*** leseb has joined #openstack-keystone08:42
*** leseb has quit IRC08:47
*** oomichi has quit IRC08:53
*** oomichi has joined #openstack-keystone08:54
*** oomichi has quit IRC08:55
*** leseb has joined #openstack-keystone09:01
*** chandan_kumar has quit IRC09:09
*** henrynash has quit IRC09:15
*** henrynash has joined #openstack-keystone09:17
*** henrynash has quit IRC09:18
*** leseb has quit IRC09:18
*** andreaf_ has joined #openstack-keystone09:18
*** ajayaa has quit IRC09:31
*** jamielennox is now known as jamielennox|away09:35
*** leseb has joined #openstack-keystone10:19
*** leseb has quit IRC10:23
*** fifieldt has joined #openstack-keystone10:26
*** toddnni_ has quit IRC10:43
*** toddnni has joined #openstack-keystone10:43
*** openstackgerrit has joined #openstack-keystone10:56
*** leseb has joined #openstack-keystone11:19
*** topol has joined #openstack-keystone11:23
*** leseb has quit IRC11:24
*** toddnni has quit IRC11:27
*** sdfsw2g2h has joined #openstack-keystone11:39
*** henrynash has joined #openstack-keystone11:39
*** sdfsw2g2h is now known as toddnni11:40
*** toddnni has quit IRC11:46
*** gokrokve_ has quit IRC11:54
*** henrynash has quit IRC11:57
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382911:57
*** ramonskie has quit IRC12:01
*** leseb has joined #openstack-keystone12:01
*** henrynash has joined #openstack-keystone12:05
*** leseb has quit IRC12:06
*** sdfsw2g234sva has joined #openstack-keystone12:09
*** henrynash has quit IRC12:10
*** sdfsw2g234sva has quit IRC12:11
*** toddnni has joined #openstack-keystone12:17
*** gokrokve has joined #openstack-keystone12:32
*** diegows has joined #openstack-keystone12:34
*** joesavak has joined #openstack-keystone12:34
*** wyllys has joined #openstack-keystone12:36
*** hrybacki has joined #openstack-keystone12:37
*** gokrokve has quit IRC12:37
ayoungbknudson, so it looks like we have more work to do on a compliance/MD5 removal front12:53
*** stevemar has joined #openstack-keystone12:53
*** henrynash has joined #openstack-keystone12:53
hrybackiayoung: any time this morning to hammer out a tentative timeline/milestone list?12:54
ayounghrybacki, sure12:54
*** richm has joined #openstack-keystone12:54
ayounghrybacki, the majore milestone is "submit change to glance client that uses keystoneclient sessions"12:54
ayoungIdeally, that would be followed by getting it merged into the repo12:55
hrybackiNods12:55
hrybackinow lets work backwards from there -- you said you are doing something very similar with horizon?12:56
ayounghrybacki, yeah13:02
ayounghorizon uses a separate project...13:02
*** leseb has joined #openstack-keystone13:02
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Always use a hash based Public ID for cross backend identifiers  https://review.openstack.org/10049713:02
hrybacki?13:02
ayounghrybacki, openstack/django_openstack_auth13:02
ayoungSo I am working on getting that to use the session object instead of just making a client13:03
hrybackioh, well that'll make it simple :P13:03
ayoungand...then there is going to be some other fun stuff that doesn't involve this13:03
ayounghrybacki, I don';t know how granular we can make this13:03
ayoungyou need to go dig in to the glance code and see what it is doing13:04
henrynashayoung: are you persuing the endpoint-specific policy idea….I’d be happy to provide some help if you need it?13:04
ayoungideally, you will be running not just the glance unit tests, but the tempest tests as well13:04
henrynashayoung: saw that the spec is a little “light” right now13:04
ayounghenrynash, yeah, although I was afraid we'd have to set it on the back burner.  If you ahve thoughts, I'd love to hear them13:04
ayounghenrynash, the question is how to get the right policy13:05
henrynashayoung: backburner due to lack of time, or problems13:05
hrybackiayoung: I raised the question yesterday, with tempest can you even run 'component specific' suites? It seems very broad strokes13:05
ayoungand maybe it should not be due to "endpoint id" but rather the project of the service user that fetches the policy13:05
ayounghrybacki, I think you can.  dkranz (internal and external) should be able to help you there13:05
henrynashayoung: Ok, so probably worth atricuating the use cases….I’ll take a crack at that13:05
ayounghenrynash, ++13:06
ayounghenrynash, one other thing13:06
ayoungdolphm has this idea that we don;t need to fetch just the policy for the endpoint13:06
hrybackiayoung++13:06
ayoungso we can have a unified policy file for all endpoints within a single scope13:06
ayoungwhatever that scope might be13:06
*** leseb has quit IRC13:07
ayounghenrynash, one nice aspect of that is they can then share the top level rules like  is_admin....13:07
henrynashayoung: hmmm, OK, kind of see the idea…let me mull on that….13:07
ayoungbut, it leads to complexity on the maintain and assemble side of the policy process13:07
henrynashayoung: yeah, agreed….13:07
henrynashayoung: get’s hard to easily see what the rule is for a given API13:07
ayounghenrynash, so, while we could do it all with CLI tools, it might make sense to be able to assemble a policy blob out of other policy blobs inside of keystone, but that is a lot of overhead13:08
henrynashayoung: yeah, and right now we never interpret the blob….REALLY you’d want keystone (or maybe support functions in oslo) to geneate the resulting policy file from a hiearchy of blobs (!)13:09
*** jsavak has joined #openstack-keystone13:09
hrybackiayoung: I don't see dkranz around, what channels is he normally in / is he in another time zone?13:10
*** joesavak has quit IRC13:10
henrynashayoung, dolphm, morganfainberg, dtsanek: Unless any more concerns, really like to get latest version of multi-backend uuid spec: https://review.openstack.org/#/c/100497/ approved….as well as and new version of pre-cursor move of ID generation from controller to manager: https://review.openstack.org/#/c/100833/13:11
ayounghenrynash, dagnabit, I just +2ed that13:12
henrynashayoung: ah, great, thx13:12
ayounghenrynash, and another +2...we need to stop bike shedding.  Specs do not need to be letter perfect until we decide to turn them in to documentation13:13
*** ayoung is now known as ayoung_afk13:13
ayoung_afkbiab13:13
*** henrynash has quit IRC13:26
*** bknudson has left #openstack-keystone13:28
*** joesavak has joined #openstack-keystone13:31
*** ayoung_afk is now known as ayoung13:32
*** gokrokve has joined #openstack-keystone13:34
*** jsavak has quit IRC13:34
*** gokrokve has quit IRC13:39
*** amirosh has quit IRC13:41
*** bknudson has joined #openstack-keystone13:42
*** zhiyan_ has quit IRC13:50
*** joesavak has quit IRC13:53
*** gokrokve has joined #openstack-keystone13:55
marekdstevemar: thanks for +2 :-)13:58
* stevemar shrugs, it was well done, and a good reason /cc marekd 13:58
* marekd lol13:59
stevemarthats my criteria anyway :P13:59
stevemarmarekd, i think i know what was wrong with my sp/idp config13:59
marekdstevemar: tell me!13:59
*** gokrokve has quit IRC14:00
stevemarmarekd, in the sp metadata, the AssertionConsumerService values didn't have the port numbers14:00
stevemari have hacked it up, sent it to our idp guy, (i don't have access to the box)14:01
marekdstevemar: i am checking again the file i had sent to you and i looks like mine had port sepcified.14:01
stevemaryeah14:02
marekdstevemar: ah ok...i thought i had provided you wrong examples.14:02
stevemardid you get it generated that way? or did you hack it up?14:02
*** gokrokve has joined #openstack-keystone14:02
*** leseb has joined #openstack-keystone14:03
marekdstevemar: I hacked it, but I just confirmed, that when you have port specified in shibboleth2.xml config you just download Metadata and everything is in place.14:04
*** comstud is now known as bearhands14:04
stevemarmarekd, where do you specify it14:05
stevemar?14:05
marekdstevemar: what, port?14:05
stevemarmarekd, yeah14:05
stevemarits a big config file :)14:05
hrybackitrying to setup a keystone server from the repo on Fedora 20, having problems using pip to install the requirements -- failing on libxml (of course) -- the docs are from Fedora 15 http://docs.openstack.org/developer/keystone/setup.html -- I can't seem to figure out which version of libxml to install -- thoughts?14:05
marekdstevemar: wait a sec - you are asking about Metadata or shibboleth2.xml now?14:05
*** daneyon has joined #openstack-keystone14:06
hrybackierror log: http://fpaste.org/111480/73159140/14:06
stevemarmarekd, shibboleth2, metadata is auto generated right?14:06
marekdstevemar: yes. metadata is something usually accessible from http://service_provider.org:<port>/Shibboleth.sso/Metadata14:07
*** leseb has quit IRC14:07
stevemarmarekd, correct, so is there a way I can specify the port # in shibboleth2.xml, so that when I fetch the metadata, it's already there?14:07
*** radez_g0n3 is now known as radez14:08
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: Trusted Attributes Policy for External Identity Providers  https://review.openstack.org/10027914:12
marekdstevemar: sec.14:13
*** joesavak has joined #openstack-keystone14:14
bknudsonmorganfainberg: regarding keystonemiddleware --14:14
bknudsoncould add doc/source/api/ to .gitignore14:14
bknudsonmorganfainberg: doesn't look like keystonemiddleware uses argparse, so could remove that from requirements.txt14:16
marekdstevemar: ok, i gave you wrong info...to much ad-hoc hacking :( You don't specify port in your shibboleth2.xml file. What you do is (of course) setup vhost to listen on a port, like 5000, and when getting a Metadata later to be provided to the IdP you just specify the port in the URL: https://keystone-sp.local:5000/Shibboleth.sso/Metadata -> Shibboleth will adjust the URLs in the file accordingly. Just checked with various ports.14:16
marekdbrb14:17
bknudsonmorganfainberg: should update the httpretty req in test-requirementst.xt14:18
bknudsonmorganfainberg: and remove keyring , it's not used in middleware14:18
bknudsonmorganfainberg: and oauthlib14:18
morganfainbergbknudson sure14:20
morganfainbergwill do14:20
*** httt has joined #openstack-keystone14:21
bknudsonmorganfainberg: also, bring over tools/debug_helper.sh14:21
morganfainbergbknudson we can also add change any of this once the repo is made.14:21
*** httt has quit IRC14:21
bknudsonmorganfainberg: y, I don't think any of these are required... except would be good to have httpretty req correct, otherwise everything will fail14:23
morganfainbergbknudson, ++ yeah fixing it now14:23
marekdstevemar: do you know if eventually jamielennox|away is working on something more...pluggable and extendable regarding auth methods in OSC?14:27
marekdstevemar: otherwise I thought about pointing that out to Matthieu and Florent.14:28
morganfainbergbknudson, ok updated all of those items.14:28
marekdjamielennox|away: is 8h ahead of me so it's quite difficult to catch up with him14:28
*** david-lyle has joined #openstack-keystone14:29
bknudsonmorganfainberg: thanks, +214:31
marekddstanek: o/14:31
morganfainbergbknudson, i learned a lot more about git doing this. the graduation scripts were insufficient but subtree is kinda neat14:32
bknudsonmorganfainberg: so it actually has the commit history for just the parts included?14:32
morganfainbergyep14:32
marekddstanek: was just about to ask to review _AuthConstructor patch :P14:33
morganfainberg680 commits sources from across keystoneclient and keystone server (and some for setting up this repo)14:33
bknudsonlooks like it's got commits from other parts too14:34
hrybackiAnyone run into ' TypeError: dist must be a Distribution instance ' when running setup.py for keystone before?14:34
stevemarmarekd, i doubt he is looking at it, you could point mathieu and florent there if you'd like14:34
marekdstevemar: ok14:35
*** BAKfr has quit IRC14:35
ayoungbknudson, did you see my previous message?14:35
marekdstevemar: i will take a look at his patches and write them an e-mail.14:35
*** rwsu has joined #openstack-keystone14:35
morganfainbergbknudson, well there was some stuff that needed intermeidiary repos to get it merged together14:35
bknudsonayoung: which?14:35
ayoungbknudson, so it looks like we have more work to do on a compliance/MD5 removal front;  Horizon hard codes MD5 into its auth code.14:36
ayounghttps://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/user.py#L7214:36
ayoungbknudson, basically, Horizon punts on anything PKI tokenish14:37
ayoungif the token is ASN1 (starts with MII) they MD5 hash it14:37
ayoungwhich, to be fair, was what I told them to do, two years ago14:37
bknudsonayoung: y, we weren't using horizon so I wasn't looking at it.14:37
ayoungbknudson, you suck14:38
*** gokrokve has quit IRC14:38
ayounghrybacki, I have not14:38
ayounghrybacki, but then, I never run that directly14:38
hrybackiayoung: thought it would be a good exercise and I could update the docs afterwards, might be a fruitless idea14:39
ayounghrybacki, are you running inside a venv?14:39
hrybackiof course14:39
hrybackihttp://fpaste.org/111487/74377140/ -- output if you'd like to take a look14:40
dstanekmarekd: hi14:41
*** radez is now known as radez_g0n314:42
dstanekmarekd: yeah, i saw it in my inbox. i14:42
dstanek'm actually going to reviews with next-review now14:43
marekdnext-review?14:43
bknudsonmarekd: https://pypi.python.org/pypi/next-review14:48
dstanekyeah, it uses you starred projects to suggest the next review to work on14:49
marekdbknudson: dstanek oh, that's great :-)14:49
marekddstanek: ...or 'about to expire' projects.14:50
ayounghrybacki, "/usr/lib64/python2.7/distutils/cmd.py"  I wonder if there is a version conflict14:55
ayoungmight be a version of PBR? Or Of distutils?14:55
*** chandan_kumar has joined #openstack-keystone14:55
hrybackihrm14:56
ayounghrybacki, are you running with both of these from RPMS?14:56
ayoungbecause the tox version builds a venv and installs from PIP14:56
ayoungand you are likely to have older versions in the RPM approach14:56
morganfainbergdstanek, gertty is pretty awesome too14:57
morganfainbergbut you need some of the in-flight reviews for gertty to be non-crashy14:57
ayoungbknudson, are you guys really punting on all of Horizon14:57
* ayoung so jealous14:57
hrybackiayoung: I literally followed http://docs.openstack.org/developer/keystone/setup.html (with a few more system utilities installed as they are needed for stuff now)14:57
hrybackihaven't even gotten to running tests yet14:57
bknudsonayoung: that was the value add -- we had a "better" UI.14:58
*** radez_g0n3 is now known as radez14:58
ayounghrybacki, when you ran setup.py did you have the venv activated?14:58
hrybackiyes14:58
bknudsonayoung: although with the icehouse release we actually do have horizon14:58
ayoungbknudson, OK, so you need to solve this too.  Good14:59
ayoungbknudson, here's my thought14:59
bknudsonayoung: we'll need to solve it14:59
ayoungwe should make Horizon cache the PKI tokens14:59
dstanekmorganfainberg: gertty looks interesting14:59
ayoungbut we should make that easy to do14:59
bknudsonI would probably assign it to our horizon group14:59
ayoungso, we take the caching code from Auth token middleware and move it into the keystone client14:59
bknudsontoken caching?14:59
ayoungand then any client can use it14:59
dstanekmorganfainberg: do you use it?14:59
ayoungits up to that client to select the caching backend15:00
ayoungand so we will support the memcached (swift ring?) and in memory KVS15:00
morganfainbergdstanek, yeah15:00
morganfainbergdstanek, i actually dig it15:00
bknudsonayoung: luckily the token caching code was just moved into its own class15:00
ayoungshould be code just like the KVS stuff in Keystone that morganfainberg did.  Using Dogpile.15:00
ayoungwas it?  Good15:00
bknudsonhttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py#n134615:01
bknudsonIt's probably still got some auth-token specific things15:01
dstanekwhat do i use for the password since we login through launchpad?15:01
dstanekmorganfainberg: ^15:01
bknudsonayoung: well, looking at it it's not too bad.15:02
morganfainbergdstanek, you create an http password in gerrit15:02
ayoungbknudson, agreed15:02
morganfainbergdstanek, https://review.openstack.org/#/settings/http-password15:02
ayoungbknudson, and we'll need that for Ephemeral15:02
ayoungbknudson, I'm going to be doing a bunch of work in that modulke anyway for Kerberos15:02
bknudsonayoung: the env thing is auth-token specific but that should be easy to move out15:02
ayoungto include making it use the Session object15:02
hrybackiayoung: pbr is the current version in the venv15:02
dstanekmorganfainberg: thx15:02
bknudsonpass in the cache rather than have TokenCache extract it from the env15:03
ayounghrybacki, if you run tox -epy27 it builds a venv for you.  See if you can spot the difference between what that does and what you did by hand15:03
ayoungthe venv is in .tox/py2715:03
hrybackinods15:03
ayoungand the config for  it is in tox.ini15:03
morganfainbergdstanek, you'll want to cherrypick this: https://review.openstack.org/#/c/99563/ and https://review.openstack.org/#/c/99272/ this in15:03
dstanekmorganfainberg: whoa - offline use?15:03
morganfainbergdstanek, yep,15:03
morganfainbergdstanek, :) it's pretty awesome... plane flight and able to do reviews!15:04
*** leseb has joined #openstack-keystone15:04
morganfainbergw/o wifi on flight15:04
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Add V3 parameters to V2 Password plugin  https://review.openstack.org/10157415:04
*** thedodd has joined #openstack-keystone15:05
morganfainbergbknudson, dstanek, ayoung, do you see a benefit to having the milestone-proposed logic for the middleware repo?15:06
morganfainberge.g. so we could release a patch to a specific version instead of needing a complete release to "fix" a bug?15:06
bknudsonmorganfainberg: we're releasing on a different schedule15:06
morganfainbergbknudson, right, but does it benefit us to have milestone-proposed capabilities15:06
ayoungmorganfainberg, hmmm15:06
morganfainbergso we can do 1.0.1 with an isloated fix instead of a "next release" 1.1 or a 1.0.1 with a bunch of other things15:07
ayoungmorganfainberg, my concern is that we are going to fix something, and then every project is going to have to update its minimum version.  And that needs to be coordinated15:07
ayoungyeah...15:07
bknudsonmorganfainberg: hmmm... well, we do seem to have the occasional security issue, so maybe it would be useful15:07
ayoungyes, that seems like the right approach15:07
bknudsonmorganfainberg: is there any reason not to?15:08
morganfainbergbknudson, if we want it, we get it. if we don't want it, i'm removing it from the ACL15:08
*** leseb has quit IRC15:08
morganfainbergbknudson, we can always add it back in later, but it's an infra-config change to add it back in15:08
morganfainbergif we're not going to use it, it's not worth cluttering up the ACL file.15:08
bknudsonmorganfainberg: does keystoneclient have it?15:09
morganfainbergbknudson, it does, we never use it15:09
morganfainbergbknudson, we tend to bundlefixes into the next release15:09
bknudsony, we're not shy about releasing new keystoneclient15:09
morganfainbergbut with calling this 1.0.0 (stable), we may want to be more rigid about releasing versions of the iddleware15:10
bknudsonthat is funny that keystoneclient isn't 1.015:10
dstanekmarekd: i think in https://review.openstack.org/#/c/83829/19 you should do the same response to expected renaming in all of the methods15:10
morganfainbergalso going to make the requirements <=1.999.0 when we release15:10
morganfainbergso we can have a 2.0 milestone (restructure) down the line.15:10
dstanekmarekd: then you could get rig of the extra attrs assertion method15:10
marekddstanek: roger that!15:11
morganfainbergif we want.15:11
bknudsonmorganfainberg: 2.0 means that we removed deprecated function15:11
morganfainbergor even totally change things between major versions15:11
morganfainbergbknudson, yep. exactly.15:11
marekddstanek: i enforced mapping_id in the func signature.15:11
bknudsonmorganfainberg: it has to be backwards compat with non-deprecated15:11
morganfainbergbknudson, well sortof15:11
marekddstanek: but if it goes i feel a should issue a patch for idps and mappings (already merged)15:11
bknudsonmorganfainberg: otherwise we should call it middleware2 or something15:12
bknudsonmiddleware-ng15:12
morganfainbergbknudson, if the global req says <=1.999 in theory the release could be 2.0 and break compat15:12
morganfainbergbknudson, we wouldn't break older versions of openstack, new versions would get the new package based on res15:12
morganfainbergreqs*15:12
bknudsonmorganfainberg: when reqs are updated they need to overlap15:13
morganfainbergbknudson, overlap what?15:13
bknudsonmorganfainberg: overlap with the prev version.15:13
bknudsonotherwise you get a split gate15:13
bknudsonso the apps would need to support using both versions15:13
bknudsonmorganfainberg: ask sdague about it15:14
morganfainbergbknudson, sortof. there are ways around it15:14
*** joesavak has quit IRC15:14
morganfainbergbknudson, i've been working on some of this for mod_wsgi deployments15:14
morganfainbergbknudson, but in either case, major versions should be... well in fact major15:14
morganfainbergok so, are we really going to use milestone-proposed? or should we just add it in if we do need it?15:15
morganfainbergi'm thining latter vs former15:15
bknudsonI assume we can remove it?15:16
bknudsonI'd want dolphm's opinion on it since he might have some idea of what it would be used for.15:16
morganfainbergbknudson, we can change / add the permissions to do that as needed w/ a review15:16
morganfainbergbknudson, it's really easy. and we're not going to release 1.0.0 of this until we get some fixes through review15:16
bknudsonit's scary to be making changes to it if it's not gating15:17
bknudsoncovered by tempest15:17
morganfainbergbknudson, we can't gate initially.15:21
morganfainbergthe way we will need to test the gate on it is add the repo to the requirements and have a project or two try it out before release.15:21
morganfainbergonce we do a release we can add it to the gate, but -- it's something we need projects to be updated for.15:22
bknudsonmorganfainberg: maybe we need a moratorium on anything other than obvious bug fixes until it's gating.15:22
morganfainbergbknudson, we can also do an alpha release.15:22
*** joesavak has joined #openstack-keystone15:23
bknudsonalpha release seems like the way to go15:23
morganfainbergand get a review up that would have a project use it and just use that as a test-bed15:23
morganfainbergonce we're ready to cut the release and update projects (reviews standing by) i'll add the tripleo-expirimental and the tempest tests in for it15:24
bknudsonmorganfainberg: there shouldn't be any new tempest test?15:24
morganfainbergso the moment the merge to cut over to it goes through we are gating. but i didn't want to pre-load those tests until we were sure. easy reviews to add the tests.15:24
bknudsonunless we want something covering the middleware in keystoneclient15:24
morganfainbergbknudson, tempest doesn't test middleware directly, it does indirectly15:24
morganfainbergbknudson, i can add tempest tests back in if we have some direct test mechanism we want to add15:25
marekddolphm: next-review. Is there any way to make it open another review even the first proposed patch was not reviewed? :P15:25
bknudsonmorganfainberg: I mean we'd run tempest where the services are configured to use keystoneclient middleware15:25
bknudsonvs middleware middleware15:25
bknudsonas in a devstack option15:26
morganfainbergbknudson, right. i'm ok adding in tempest again.15:26
morganfainbergbknudson, it just means until a project uses the new middleware, it's needlessly running tempest gate.15:27
bknudsonmorganfainberg: oh, you're talking about tempest for changes to keystonemiddleware?15:28
dstanekayoung: i would love to have a few small things in https://review.openstack.org/#/c/100833/ fixed before it is merged.15:28
morganfainbergyes15:28
*** mberlin has quit IRC15:28
morganfainbergonce we have projects consuming it we should gate on every change.15:28
morganfainbergbut until then.15:28
dstanekayoung: i don't see henry here so i'll quickly make the changes and then i think it's ready to merge15:28
bknudsonmorganfainberg: I assumed you'd turn that on since there's no reason to delay switching the projects to it.15:29
morganfainbergi can add those back in easily15:29
morganfainbergit's no impact if we are going to do a release quicly of this15:29
bknudsonI assumed there wouldn't be many commits to keystonemiddleware before other projects were switched over15:29
*** wchrisj has joined #openstack-keystone15:29
morganfainbergif we're going to roll up other things before we do a release, then no real need to burn the resources15:29
*** mberlin has joined #openstack-keystone15:29
morganfainbergbknudson, agian, defering to folks here on this15:30
bknudsony, it's easy to change so don't worry about it15:30
bknudsonthat's the whole point of software defined environments15:31
wchrisjhey :dolphm - got a sec?15:31
openstackgerritA change was merged to openstack/python-keystoneclient: Rename v3._AuthConstructor to v3.AuthConstructor  https://review.openstack.org/10112715:31
morganfainbergwchrisj, dolphm is MIA today15:31
bknudsonmorganfainberg: I'm thinking I should -2 all my auth_token changes...15:32
wchrisjtkx :morganfainberg15:32
morganfainbergwchrisj, perhaps someone else can help you?15:32
bknudsonthen I'll just transfer them over to keystonemiddlware15:32
morganfainbergbknudson, I would prefer changes all go into the new repo once it's created today15:32
wchrisjsure - have been working with the docs related to identity, specifically here: http://developer.openstack.org/api-ref-identity-v3.html15:33
wchrisjspecifically with the get token call15:33
wchrisjpost /auth/tokens15:34
bknudsonhttps://review.openstack.org/#/q/status:open+project:openstack/python-keystoneclient+file:keystoneclient/middleware/auth_token.py,n,z15:34
wchrisjIt's not very obvious wht the request/response would look like - some differ greatly15:34
wchrisjWould you guys be receptive if I restructured that part of the page to show the requests and associated responses?15:34
morganfainbergbknudson, so, add the tempest gate jobs for keystonemiddleware back in once we're cutting a release?15:35
wchrisjwanted to see if it was done that way with a purpose in mind or not?15:35
bknudsonwchrisj: good luck with that15:35
morganfainbergbknudson, or now (since i need to push a new patchset now anyway)15:35
wchrisjhowso :bknudson ?15:35
wchrisjwas that sarcasm or honesty?15:35
wchrisj;-)15:35
bknudsonmorganfainberg: y, add the tempest gate job in once we've had a chance to verify that it's not completely broken15:36
morganfainbergk15:36
bknudsonwchrisj: if you can figure out how to change the files to get the docs to look correct I'd be impressed.15:36
wchrisjI'll see what I can do :bknudson - a challenge!15:37
bknudsonwchrisj: I've only been able to look at it on weekends when there's no docs people around, so maybe you'd have better luck.15:38
*** daneyon has quit IRC15:39
*** nsquare has joined #openstack-keystone15:39
bknudsonwchrisj: the sample jsons don't say whether it's the request or the response.15:40
*** gokrokve has joined #openstack-keystone15:41
richmayoung: ping - re: http://adam.younglogic.com/2014/04/packstack-to-ldap/ - it is working, including with users created in AD - keystone user-get aduser@addomain.test shows the user15:44
wchrisjThanks :bknudson, in the past I've pinged Anne Gentile, who has been a HUGE help. I'll ask if I cant figure it out. That API call in particular really needs to be MUCH clearer. All it would take is someone to test/record all the requests and responses and plug them into the docs.15:45
richmayoung: however, the keystone user - how do I make it an 'admin' user, since the 'admin' user is not working?15:45
bknudsonwchrisj: there's some examples here: http://docs.openstack.org/developer/keystone/api_curl_examples.html15:45
bknudsonwhich is in rst so it's easy to edit15:46
wchrisjThanks!15:46
wchrisjThat's a LOT easier to read too - what is the diff between that page and the one I noted earlier?15:48
*** sbasamaway is now known as sbasam15:48
wchrisj:bknudson ^^15:48
bknudsonwchrisj: here's the source for the developer docs: http://git.openstack.org/cgit/openstack/keystone/tree/doc/source/api_curl_examples.rst15:48
*** ncoghlan_afk is now known as ncoghlan15:49
wchrisjWhat's the diff between these dev docs and what I see on the http://developer.openstack.org/ site?15:49
bknudsonwchrisj: here's the source for the api site -- http://git.openstack.org/cgit/openstack/api-site/tree/api-ref/src/wadls/identity-api/src/v3/wadl/identity-admin-v3.wadl15:49
bknudsonwchrisj: rst is easier to write than wadls15:49
richmperhaps someone else can answer - If I have a user that I want to make an admin, and I have "locked myself out" of using the keystone client, what sql do I need to do to make this user an admin user?15:50
wchrisj:bknudson ^^15:50
bknudsonrichm: you can use the admin token to do just about anything if you have it configured15:51
wchrisjbknudson - What is the diff between those two sites/git repos?15:53
*** marekd is now known as marekd|weekend15:53
wchrisjWhy are things in multiple places?15:53
bknudsonwchrisj: the developer docs are supposed to be for keystone developers, whereas the api site is for application developers using openstack15:54
wchrisjSo, internal vs external documentation?15:54
bknudsonwchrisj: and since keystone developers can't figure out the wadls we don't keep them up to date15:54
bknudsonwchrisj: right, internal vs external15:54
wchrisjYeah, that wadls is tough15:55
*** hrybacki_ has joined #openstack-keystone15:55
richmbknudson: I have OS_SERVICE_TOKEN=string15:55
richmbknudson: in keystone.conf I have admin_token=string15:56
wchrisjthanks again bknudson!15:56
bknudsonrichm: right, that should do it... I don't know the env var off the top of my head15:56
richmbknudson: If I do that, does keystone bypass ldap authentication?15:57
*** jsavak has joined #openstack-keystone15:57
bknudsonrichm: yes, it bypasses auth. actually it doesn't do ldap auth anytime a token is used.15:57
richmbknudson: does the user need to be a member of a particular tenant/project/role?15:58
bknudsonrichm: there's no user when you use the admin token15:58
*** hrybacki has quit IRC15:59
bknudsonkeystone should probably audit use of the admin token more than it does15:59
*** ncoghlan is now known as ncoghlan_afk15:59
richmhmm - keystone tenant-list is empty, and keystone.log says WARNING: keystone.common.wsgi Authorization failed. - note that this is with Havana15:59
morganfainbergbknudson, +++++++++++++++++ (one million)15:59
*** hrybacki_ has quit IRC16:00
richmthe POST to /tokens returns 40116:00
bknudsonrichm: y, you don't use the admin token with /tokens... but you should be able to add a role to a user16:00
*** joesavak has quit IRC16:01
morganfainbergbknudson, we should probably emit a CADF notification anytime anything is done with the admin token16:01
bknudsonI think tenant-list shows the tenants that the token has access to so it maybe doesn't make sense for the admin token either16:01
*** joesavak has joined #openstack-keystone16:01
richmshouldn't the admin token have access to all tenants?16:01
*** jsavak has quit IRC16:01
ayoungrichm, yeah, drop the ADMIN_TOKEN  and add a the "admin" role to the user16:02
ayoungusually, you do that in the "admin" project, too16:02
ayoungyou want to unset  OS_SERVICE_TOKEN  and OS_SERVICE_ENDPOINT once you do that16:02
ayoungdstanek, ++16:03
bknudsonrichm: you should be able to list all projects, e.g., /v3/projects16:03
ayoungrichm, see the part of the blog post that starts with "I don’t tend to user ‘admin’ as the user name for Keystone"16:04
*** leseb has joined #openstack-keystone16:04
*** wyllys has left #openstack-keystone16:04
stevemarmarekd|weekend, yay got it working16:07
*** joesavak has quit IRC16:07
stevemarmorganfainberg, damn, i didn't think about that, thats probably very critical to audit16:09
*** leseb has quit IRC16:09
morganfainbergstevemar, right?16:09
morganfainbergstevemar, :)16:09
stevemarmorganfainberg, wasn't there something going around (on ML) to turn on auditing by default?16:10
bknudsoncould probably put something in the admin token middleware16:10
morganfainbergbknudson, thats where i'd put the audit stuff for it16:10
*** jsavak has joined #openstack-keystone16:13
bknudsonwould be great if we could get this merged somewhat quickly -- https://review.openstack.org/#/c/77210/ (haven't reviewed it myself yet)16:25
bknudson+28, -295916:25
morganfainbergbknudson, ooooooh /me likes16:28
morganfainbergbknudson, is https://review.openstack.org/#/c/77210/18/etc/keystone.conf.sample supposed to be 'oslo.sqlite' by default?16:31
*** gyee has joined #openstack-keystone16:31
bknudsonmorganfainberg: keystone doesn't use that option so it doesn't matter16:32
morganfainbergok16:32
bknudsonmorganfainberg: I tried to get them to remove the option since oslo.db doesn't even use it16:32
ayoungmorganfainberg, bknudson I thinkg that might mess up the extensions migrations16:33
bknudsonbut was -2 because other projects supposedly use it.16:33
bknudsonayoung: do we have tests for extensions migrations? probably not...16:33
ayoungbknudson, they should get run when the extensions themselves do16:34
ayoungbut if we are doing the "create the tables from the models" approach, then they won't16:34
bknudsonayoung: ok, were those tests rmoeved?16:34
bknudsonremoved16:34
*** marcoemorais has joined #openstack-keystone16:42
*** radez is now known as radez_g0n316:43
bknudsonwe should definitely try things out with the oslo.db code ... if you do comment on the review16:46
*** jsavak has quit IRC16:48
*** praneshp has joined #openstack-keystone16:52
ayoungCould we make Horizon work only with V3 of the Keystone API from Juno on forward?16:52
bknudsonwhy not? what's missing?16:52
ayoungV3 does everything that V2 does, right?16:52
ayoungbknudson, I think the DB code above is OK16:53
bknudson/v3/extensions16:53
bknudsonI don't know if horizon uses /v2/extensions16:53
ayoungI'll check with the Horizon folks, but I think that the dual version thing is just a case of old code not going away yet16:53
*** i159 has quit IRC16:54
*** richm has quit IRC16:55
*** nsquare has quit IRC16:56
*** marcoemorais has quit IRC16:59
*** marcoemorais has joined #openstack-keystone17:00
stevemarDoes horizon have a notion of domain and groups yet?17:00
stevemarayoung, bknudson ^17:00
*** harlowja_away is now known as harlowja17:00
gyeedavid-lyle ^^^17:01
stevemarthx gyee :)17:01
gyeeI think Horizon is v3 capable, but david-lyle is the authoritative voice on this one17:02
*** leseb has joined #openstack-keystone17:05
*** leseb has quit IRC17:10
*** richm has joined #openstack-keystone17:10
david-lyleHorizon has keystone v3 support17:12
david-lyleit was the default in Havana, but we switched back to keystone v2.0 as the default in Icehouse due to other clients not supporting v317:13
david-lyleif you want to use v3 in Horizon, you can make a local_settings.py change to tell it to use v317:13
david-lylewithout other services support v3, we can't operate outside the default domain17:14
gyeestevemar, there ya go ^^^17:14
*** browne has joined #openstack-keystone17:16
david-lylewe could hedge and use v3 and make a note that multidomain support is turned off, but we were afraid the loophole that allows use of the default domain would get closed17:16
stevemarahhh i see17:18
stevemaroh david-lyle btw - could you look @ this keystone spec, and provide any feedback: https://review.openstack.org/#/c/96867/17:19
stevemarwe're all rather clueless on horizon details :)17:19
*** joesavak has joined #openstack-keystone17:19
*** nsquare has joined #openstack-keystone17:23
*** jsavak has joined #openstack-keystone17:24
*** richm has quit IRC17:26
*** joesavak has quit IRC17:28
*** daneyon has joined #openstack-keystone17:38
gyeeayoung, why Apache process is apache2 in debian, but httpd in fedora?17:41
gyeewhy two different names? just curious17:41
*** richm has joined #openstack-keystone17:42
*** diegows has quit IRC17:43
*** topol has quit IRC17:54
dstaneki remember reviewing some fixes for the new hacking version, but i can't find them anymore17:54
*** lbragstad has joined #openstack-keystone18:00
dstanekgyee: i think back in the day you could install apache or apache2 on debain18:02
*** marcoemorais has quit IRC18:02
*** marcoemorais has joined #openstack-keystone18:02
dstanekgyee: maybe fedora just switched from apache to apache2?18:02
gyeedstanek, its apache2 now on debian18:03
gyeebut its called httpd on fedora so I was wondering why the inconsistency18:03
ayounggyee, apache 1 vs 2,  but fedora just cut over at one point, IIRC18:03
gyeeayoung, fedora switched over to apache2 now, as oppose to httpd?18:05
ayoungdavid-lyle, but even if you go V3, you can talk to all the other services with V3 tokens18:05
gyeethat would be awesome18:05
ayoungno reason to limit Horzion to v2, is there?18:05
ayoungor does that change the UI?18:05
*** leseb has joined #openstack-keystone18:06
*** leseb has quit IRC18:10
dstanekgyee: right, there used to be an apache for 1.3 way back when18:10
morganfainbergayoung, think it changes the ui18:12
morganfainbergayoung, but.. i mean.. david-lyle is the exper here ;)18:12
*** marcoemorais has quit IRC18:13
lbragstaddolphm: do you have a set amount of days that a bug is assigned to someone without activity before unassigning?18:18
lbragstador morganfainberg ? ^18:18
morganfainberglbragstad, not sure what dolphm's metric for that is18:19
david-lyleayoung, only if you are using limiting to the default domain18:21
ayoungdavid-lyle, well, I wonder where that breaks down.  Keystone and auth_token both handle V3 fine.  What doesn't handle V3?18:21
david-lylelet me find the code line again18:22
morganfainbergayoung, afaik nova has issues with v318:22
lbragstadmorganfainberg: did you happen to know about this at all? https://github.com/jogo/openstack-infra-scripts/blob/master/infra_bugday.py18:22
lbragstadjogo's been using it to wrangle bugs in nova and infra18:23
morganfainberglbragstad, thats cool18:23
lbragstadnot sure if you used it when you went on your Keystone bug binge18:23
lbragstadyeha18:23
lbragstadhttp://paste.openstack.org/show/84537/18:23
morganfainbergnope sure didn't18:23
*** nsquare has quit IRC18:30
*** joesavak has joined #openstack-keystone18:31
*** juanmo has joined #openstack-keystone18:31
*** openstackgerrit_ has joined #openstack-keystone18:32
*** jsavak has quit IRC18:32
*** marcoemorais has joined #openstack-keystone18:34
david-lyleayoung, I believe this line was the issue https://github.com/openstack/keystone/blob/ee27d6eef62d201c99694d0f788ea2a96c6669a4/keystone/token/providers/uuid.py#L44818:36
david-lylewith v3 tokens coming back from non-default domains18:36
david-lyleget unauthorized every time18:36
ayoungdavid-lyle, ah, trying to authenticate against the V2 token api18:37
david-lyleyes18:37
ayoungdavid-lyle, because they all need to do V3 as well18:37
david-lylelogin in Horizon with v3 pass token to nova which treats it as v2.018:38
ayoungand that is an auth token issue18:38
ayoungIE, we can control that18:38
david-lyleonce that is resolved, all for v3 as the default18:39
david-lyleI'll put the patch in immediately after18:39
ayoungdavid-lyle, ++18:39
*** radez_g0n3 is now known as radez18:45
*** gokrokve_ has joined #openstack-keystone18:49
*** gokrokve has quit IRC18:52
bknudsonmorganfainberg: ayoung: I tried out some stuff with the oslo.db change and it worked for me.18:55
ayoungbknudson, excellent.  It looks good to me as well so I can support18:56
ayoungbknudson, +2a18:56
*** harlowja is now known as harlowja_away18:57
*** harlowja_away is now known as harlowja19:01
bknudsonayoung morganfainberg: https://review.openstack.org/#/c/101255/ is also needed for oslo.db19:02
ayoungbknudson, +2a19:03
*** leseb has joined #openstack-keystone19:07
lbragstadvhoward: ping19:08
lbragstadvhoward: would you be able to restore https://review.openstack.org/#/c/73907/2 ?19:09
lbragstador maybe a keystone core? ^ I cleaned up the comments on that patch and was going to push for review.19:09
bknudsonlbragstad: restored it19:10
lbragstadbknudson: thank you sir!19:10
openstackgerritLance Bragstad proposed a change to openstack/keystone: Make get_trust a protected method  https://review.openstack.org/7390719:10
*** leseb has quit IRC19:12
*** daneyon has quit IRC19:14
openstackgerritA change was merged to openstack/python-keystoneclient: Add role ids to the AccessInfo  https://review.openstack.org/10077419:15
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Migrate ID generation for users/groups from controller to manager  https://review.openstack.org/10083319:18
morganfainbergdstanek, ^ fixes your comments on henry's patch19:18
morganfainbergayoung, ^ might want to re-+2 that19:19
ayounglooking19:19
ayoungmorganfainberg, what is different?19:19
morganfainbergayoung, uuid moved up to stdlib in identity.core19:20
morganfainbergayoung, comment re-write19:20
ayoungk19:20
ayounglets see if git review -m handles it19:21
*** juanmo has quit IRC19:21
*** jsavak has joined #openstack-keystone19:22
ayoungmorganfainberg, how do you like that for a review comment?19:22
*** joesavak has quit IRC19:23
dstanekmorganfainberg: nice, thanks19:23
morganfainbergdstanek, sure thing19:23
morganfainbergdstanek want to get that rolled in soon so, figured quickest to fix the minor nits :)19:24
openstackgerritLance Bragstad proposed a change to openstack/keystone: Update docs to reference #openstack-keystone  https://review.openstack.org/10163319:30
openstackgerritBrant Knudson proposed a change to openstack/keystone: Don't set sqlite_db default  https://review.openstack.org/10163519:31
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds hacking check for debug logging translations  https://review.openstack.org/10163619:33
bknudsonmorganfainberg: how goes the middleware repo?19:33
dstanekmorganfainberg: ^ took me longer than expected to clean that up19:33
morganfainbergbknudson, waiting on infra now.19:33
morganfainbergbknudson, but they're in the middle of stuff.19:34
morganfainbergbknudson, gate related.19:34
bknudsonthey're always in the middle of something19:34
bknudsonsome major crapstorm brewing and we don't even know about it19:34
morganfainbergthey're working on getting tempest to run on 14.04 for juno and later19:35
*** lbragstad has quit IRC19:36
dstanekmorganfainberg: you forgot a period, but i +2d it anyway19:36
morganfainbergdstanek, LOL ok19:36
bknudsonyou mean LOL ok.19:36
morganfainbergbknudson, Yes. you. are. right. about. that.19:37
morganfainbergi need to go get lunch19:38
*** marcoemorais has quit IRC19:48
*** marcoemorais1 has joined #openstack-keystone19:48
*** nsquare has joined #openstack-keystone19:49
*** marcoemorais1 has quit IRC19:49
*** marcoemorais has joined #openstack-keystone19:49
*** ncoghlan_afk is now known as ncoghlan19:50
*** thedodd has quit IRC19:55
*** marcoemorais has quit IRC19:58
*** marcoemorais has joined #openstack-keystone19:58
*** leseb has joined #openstack-keystone20:00
*** ncoghlan is now known as ncoghlan_afk20:00
*** marcoemorais1 has joined #openstack-keystone20:06
openstackgerritA change was merged to openstack/keystone: remove unneeded definitions of Python Source Code Encoding  https://review.openstack.org/9538320:08
openstackgerritA change was merged to openstack/keystone: Test `common.sql` initialization  https://review.openstack.org/10125520:08
openstackgerritA change was merged to openstack/keystone: oslo.db implementation  https://review.openstack.org/7721020:10
*** marcoemorais has quit IRC20:10
*** radez is now known as radez_g0n320:16
dstanekmorganfainberg: is gertty is subscribed projects different from starred projects?20:22
*** amerine has quit IRC20:23
*** amerine has joined #openstack-keystone20:25
*** gokrokve_ has quit IRC20:26
*** thedodd has joined #openstack-keystone20:26
*** ayoung has quit IRC20:32
*** joesavak has joined #openstack-keystone20:32
*** jsavak has quit IRC20:34
*** thedodd has quit IRC20:37
*** thedodd has joined #openstack-keystone20:38
*** daneyon has joined #openstack-keystone20:40
*** lbragstad has joined #openstack-keystone20:40
*** Camisa has joined #openstack-keystone20:41
*** Camisa has joined #openstack-keystone20:41
openstackgerritLance Bragstad proposed a change to openstack/keystone: Update docs to reference #openstack-keystone  https://review.openstack.org/10163320:45
*** zhiyan_ has joined #openstack-keystone20:46
*** rodrigods has joined #openstack-keystone20:54
*** jareking has joined #openstack-keystone20:55
*** ncoghlan_afk has quit IRC20:56
*** gokrokve has joined #openstack-keystone20:57
*** jsavak has joined #openstack-keystone20:57
*** gokrokve_ has joined #openstack-keystone20:59
*** joesavak has quit IRC21:01
*** gokrokve has quit IRC21:02
*** gokrokve_ has quit IRC21:04
*** marcoemorais1 has quit IRC21:07
*** marcoemorais has joined #openstack-keystone21:07
*** jamielennox|away has quit IRC21:08
*** marcoemorais has quit IRC21:10
*** marcoemorais has joined #openstack-keystone21:11
*** marcoemorais has quit IRC21:11
*** marcoemorais has joined #openstack-keystone21:12
*** rodrigods has quit IRC21:13
openstackgerritA change was merged to openstack/keystone: Migrate ID generation for users/groups from controller to manager  https://review.openstack.org/10083321:14
*** leseb has quit IRC21:16
*** leseb has joined #openstack-keystone21:16
stevemargyee, good thing i wasn't the only one confused by it https://review.openstack.org/#/c/101574/21:17
*** leseb_ has joined #openstack-keystone21:20
*** leseb has quit IRC21:21
gyeestevemar, yeah, I don't understand that change at all21:22
gyeeman, its going to take all day to review Henry's big patch :)21:23
stevemargyee, oh *that* one.... i'm scared of it21:23
gyeeI am having a hard time deciding whether to do that review or watching world cup21:25
jsavakboth!21:25
gyee+121:25
morganfainberggyee, eh, world cup21:25
morganfainberg:P21:25
gyeegooooooooaaaaaal21:25
openstackgerritLance Bragstad proposed a change to openstack/keystone: Update docs to reference #openstack-keystone  https://review.openstack.org/10163321:25
jsavakthat could either be a +1 on review or a world-cup soccer goal.21:27
jsavaker football21:27
morganfainbergugh having suddenly new issues with devstack and keystone under mod_wsgi tempest21:28
morganfainberggetting a 204 on a delete where a ...200 is expected?!21:30
morganfainbergwtf.21:30
gyeethat sounds familiar21:30
gyeemorganfainberg, you are not messing with mod_rewrite or anything right?21:31
morganfainberggyee, nope21:31
morganfainberghttp://logs.openstack.org/47/100747/4/check/check-tempest-dsvm-neutron/201d76a/console.html#_2014-06-20_20_49_05_07021:31
* morganfainberg goes to look at tempest. why do i get the suspicion someone changed something21:32
stevemargyee, next match isn't for 30 minutes, you can review some more before then :)21:33
morganfainberggyee did you see fra vs sui21:33
gyeeyeah, reviewing them now21:34
openstackgerritBrant Knudson proposed a change to openstack/keystone-specs: V3 extension advertisement  https://review.openstack.org/9597321:36
gyeemorganfainberg, no didn't watch that one, was doing agile sprint conclusion thingy all morning21:36
stevemargyee, you sound really excited about that21:36
gyeestevemar, what agile? do you really want to know how I feel :)21:37
stevemargyee, I think I know you feel :)21:38
bknudsonwe should have a reflection at the design summit21:38
gyeeyou do that21:39
bknudsonoh, I always miss it21:39
*** gokrokve has joined #openstack-keystone21:39
*** amerine has left #openstack-keystone21:39
*** jareking has quit IRC21:41
*** jareking has joined #openstack-keystone21:50
*** marcoemorais has quit IRC21:55
*** praneshp_ has joined #openstack-keystone21:56
*** marcoemorais has joined #openstack-keystone21:56
*** praneshp has quit IRC21:57
*** praneshp_ is now known as praneshp21:57
*** diegows has joined #openstack-keystone22:02
openstackgerritArun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.  https://review.openstack.org/9530022:03
*** andreaf_ has quit IRC22:04
marekd|weekendstevemar: glad it worked!22:20
*** thedodd has quit IRC22:36
*** morganfainberg is now known as morganfainberg_Z22:41
*** david-lyle has quit IRC22:44
*** david-lyle has joined #openstack-keystone22:46
*** david-lyle has quit IRC22:50
*** leseb_ has quit IRC23:06
*** leseb has joined #openstack-keystone23:07
*** jsavak has quit IRC23:08
*** leseb has quit IRC23:11
openstackgerritA change was merged to openstack/keystone: Update docs to reference #openstack-keystone  https://review.openstack.org/10163323:14
*** richm has left #openstack-keystone23:24
*** nsquare_ has joined #openstack-keystone23:39
*** nsquare has quit IRC23:40
*** stevemar has quit IRC23:41
*** morganfainberg_L has joined #openstack-keystone23:45
morganfainberg_Lanything interesting going on?23:46
* morganfainberg_L needs to dig up access to personal vpn again (and znc) while other computer is being repaired23:47
*** gokrokve has quit IRC23:50
lbragstadmorganfainberg_L: not really, about to fire up the BBQ ;)23:50
morganfainberg_Llbragstad, sounds like a good plan. too hot here in SoCal though really to be BBQing23:51
morganfainberg_Lgonna go have a glass of whiskey with a friend though instead.23:51
lbragstadoh, that's a good sub.23:51
lbragstadmorganfainberg_L: enjoy!23:52
morganfainberg_Lyeah, gotta wait another ~30mins before headed out23:52
morganfainberg_Lactually... i think i'm gonna go cool off before headed out.. maybe a quick swim!23:56
*** david-lyle has joined #openstack-keystone23:56
*** bknudson has quit IRC23:57
« Thursday, 2014-06-19 Index Saturday, 2014-06-21 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!