*** daneyon has quit IRC | 00:04 | |
openstackgerrit | Clayton O'Neill proposed a change to openstack/keystone: Add pluggable range functions for token flush https://review.openstack.org/101726 | 00:13 |
---|---|---|
*** zigo has quit IRC | 00:17 | |
*** zigo has joined #openstack-keystone | 00:21 | |
*** gokrokve has quit IRC | 00:26 | |
*** praneshp has quit IRC | 00:27 | |
*** erecio has joined #openstack-keystone | 00:28 | |
*** zigo has quit IRC | 00:35 | |
*** marcoemorais has quit IRC | 00:45 | |
*** marcoemorais has joined #openstack-keystone | 00:45 | |
*** zigo has joined #openstack-keystone | 00:47 | |
*** henrynash has quit IRC | 00:48 | |
*** marcoemorais has quit IRC | 00:49 | |
*** marcoemorais has joined #openstack-keystone | 00:49 | |
*** rodrigods has quit IRC | 00:54 | |
*** marcoemorais has quit IRC | 00:55 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins https://review.openstack.org/95680 | 01:03 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects https://review.openstack.org/79542 | 01:03 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf https://review.openstack.org/95015 | 01:03 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from CLI options https://review.openstack.org/95678 | 01:03 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow loading auth plugins from CLI https://review.openstack.org/95679 | 01:03 |
*** gokrokve has joined #openstack-keystone | 01:05 | |
*** dstanek is now known as dstanek_zzz | 01:06 | |
*** gokrokve_ has joined #openstack-keystone | 01:07 | |
*** rodrigods has joined #openstack-keystone | 01:09 | |
*** gokrokve has quit IRC | 01:10 | |
*** richm has left #openstack-keystone | 01:16 | |
*** diegows has quit IRC | 01:20 | |
*** erecio has quit IRC | 01:23 | |
*** hrybacki has quit IRC | 01:25 | |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Fix docs for pki_setup and ssl_setup references https://review.openstack.org/103697 | 01:28 |
*** hrybacki has joined #openstack-keystone | 01:29 | |
*** hrybacki has quit IRC | 01:32 | |
*** mberlin has quit IRC | 01:34 | |
*** dstanek_zzz is now known as dstanek | 01:36 | |
morganfainberg | dtroyer, ping wanted to check up with you on two devstack changes | 01:39 |
morganfainberg | dtroyer, https://review.openstack.org/#/c/102326/ and https://review.openstack.org/#/c/101611/ | 01:39 |
openstackgerrit | A change was merged to openstack/keystonemiddleware: add README https://review.openstack.org/103628 | 01:45 |
*** gokrokve_ has quit IRC | 01:45 | |
morganfainberg | dtroyer, responded to your comment on the latter one | 01:46 |
openstackgerrit | A change was merged to openstack/keystonemiddleware: add CONTRIBUTING.rst https://review.openstack.org/103631 | 01:46 |
*** mberlin has joined #openstack-keystone | 01:50 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Add a fixture for Keystone version discovery https://review.openstack.org/99846 | 01:53 |
*** stevemar has joined #openstack-keystone | 02:08 | |
*** nsquare has quit IRC | 02:11 | |
*** bobt has joined #openstack-keystone | 02:19 | |
*** rodrigods has quit IRC | 02:23 | |
*** zhiyan_ is now known as zhiyan | 02:38 | |
*** navid has quit IRC | 02:41 | |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Fix docs and scripts for pki_setup and ssl_setup https://review.openstack.org/103697 | 02:44 |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Fix docs and scripts for pki_setup and ssl_setup https://review.openstack.org/103697 | 02:46 |
*** dims_ has quit IRC | 02:46 | |
*** zhiyan is now known as zhiyan_ | 02:50 | |
*** zhiyan_ is now known as zhiyan | 02:51 | |
dstanek | lbragstad_: i just commented again on that review - i think two minor tweaks and then a +2 is in order | 02:58 |
*** harlowja is now known as harlowja_away | 03:02 | |
*** harlowja_away is now known as harlowja | 03:09 | |
*** praneshp has joined #openstack-keystone | 03:10 | |
*** harlowja is now known as harlowja_away | 03:10 | |
*** harlowja_away is now known as harlowja | 03:11 | |
*** praneshp_ has joined #openstack-keystone | 03:13 | |
*** praneshp has quit IRC | 03:16 | |
*** praneshp_ is now known as praneshp | 03:16 | |
jamielennox | dstanek: assume you're gone but i change that review so keystoneclient will always depend on oslo.config | 03:26 |
dstanek | jamielennox: i'm never gone! | 03:33 |
dstanek | jamielennox: nice, i'll take a look | 03:34 |
jamielennox | dstanek: that might not be healthy | 03:34 |
jamielennox | it was was https://review.openstack.org/#/c/95015/ | 03:34 |
jamielennox | thanks, i need to push that along | 03:34 |
morganfainberg | dstanek, you should sleep sometime :P | 03:35 |
morganfainberg | jamielennox, ah conf patch redux? | 03:36 |
dstanek | morganfainberg: ha, it's not even midnight yet | 03:36 |
jamielennox | morganfainberg: i caved and used oslo.config for describing plugin parameters later in the series | 03:36 |
morganfainberg | jamielennox ah | 03:37 |
jamielennox | if i'm going to do that there's no point checking whether it's available | 03:37 |
morganfainberg | lol | 03:37 |
jamielennox | means we will always have a dep on oslo.config though | 03:37 |
jamielennox | :( | 03:37 |
morganfainberg | not a lot different than most of OpenStack | 03:37 |
jamielennox | morganfainberg: it's different on the client side | 03:37 |
dstanek | jamielennox: i'd be surprised if that doesn't eventually change | 03:45 |
jamielennox | dstanek: yea, well given that the servers are a large precentage of the consumers it's not a big deal, i know dtroyer is against it for OSC, but he has it there implicitly now anyway | 03:46 |
*** daneyon has joined #openstack-keystone | 03:46 | |
jamielennox | the annoying part is that i get almost no current benefit from it, oslo.config is kinda crap unless you are writing servers | 03:47 |
jamielennox | it gives them a reason to fix that though | 03:47 |
dstanek | jamielennox: is there any reason why you created the _make classmethod instead of just specifying the default values on construct? | 03:59 |
*** chandan_kumar has joined #openstack-keystone | 03:59 | |
kashyap | Hi, can any other more experienced Keystone dev please confirm my testing (and NACK) here is valid? -- https://review.openstack.org/#/c/103188/ (Register the CA chain in glance) | 03:59 |
jamielennox | dstanek: construct() is a little funny in that it takes an in/out dictionary so that after calling construct you can tell if you have leftover kwargs | 04:00 |
dstanek | jamielennox: ah, it's misleading because the name is kwargs, but it's not actually kwargs | 04:01 |
dstanek | that part was folded away in the review :-( | 04:02 |
*** fifieldt has quit IRC | 04:11 | |
*** gyee has quit IRC | 04:11 | |
*** jamielennox has quit IRC | 04:11 | |
*** ekarlso has quit IRC | 04:11 | |
*** chmouel has quit IRC | 04:11 | |
*** gyee_ has quit IRC | 04:11 | |
*** ByteSore has quit IRC | 04:11 | |
*** mrda has quit IRC | 04:12 | |
*** erecio has joined #openstack-keystone | 04:21 | |
*** mrda has joined #openstack-keystone | 04:22 | |
*** fifieldt has joined #openstack-keystone | 04:22 | |
*** gyee has joined #openstack-keystone | 04:22 | |
*** chmouel has joined #openstack-keystone | 04:22 | |
*** gyee_ has joined #openstack-keystone | 04:22 | |
*** ekarlso has joined #openstack-keystone | 04:22 | |
*** jamielennox has joined #openstack-keystone | 04:22 | |
*** ByteSore has joined #openstack-keystone | 04:22 | |
*** gyee has quit IRC | 04:31 | |
*** jamielennox has quit IRC | 04:31 | |
*** gyee has joined #openstack-keystone | 04:31 | |
*** jamielennox has joined #openstack-keystone | 04:32 | |
*** IAmNewB has joined #openstack-keystone | 04:44 | |
*** gokrokve has joined #openstack-keystone | 04:45 | |
IAmNewB | Hello, I am setting up keystone with postgres database, while db_sync i am getting error "[root@swiftProxyNode ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone 2014-06-30 22:08:36.304 10925 CRITICAL keystone [-] (OperationalError) could not connect to server: Connection refused Is the server running on host "keystonehost" and accepting TCP/IP connections on port 5432? None None" | 04:45 |
jamielennox | IAmNewB: what is the connection string in your config file? | 04:47 |
jamielennox | the [database] connection= string | 04:47 |
IAmNewB | jamielennox : connection = postgresql://keystone:Passw0rd@keystonehost/keystone | 04:49 |
jamielennox | so is keystonehost correct there? you're saying that the machine name is keystonehost? | 04:49 |
IAmNewB | keystonehost host is resolving to the ip address of machine | 04:50 |
jamielennox | ok, so can you telnet keystonehost 5432 ? | 04:51 |
IAmNewB | i changed keystonehost to 127.0.0.1 now my connection looks like connection = postgresql://keystone:Passw0rd@127.0.0.1/keystone | 04:51 |
IAmNewB | now i am getting 2014-06-30 22:17:53.437 11427 CRITICAL keystone [-] (OperationalError) FATAL: Ident authentication failed for user "keystone" None None | 04:51 |
jamielennox | oh - ok, i think you've got postgres misconfigured | 04:51 |
jamielennox | i'm not particularly good at postgres configs, but what do you have in your hba.conf? | 04:52 |
IAmNewB | for telnet keystonehost 5432 it is saying the connection refused | 04:52 |
*** nsquare has joined #openstack-keystone | 04:52 | |
jamielennox | ok, so postgres isn't accepting connections on the port | 04:53 |
*** erecio has quit IRC | 04:53 | |
IAmNewB | is it /etc/hba.conf ? or /var/lib/pgsql/data/pg_hba.conf | 04:53 |
jamielennox | the second | 04:54 |
jamielennox | (oh - and is postgres running? ) | 04:54 |
IAmNewB | local all all ident host all all 127.0.0.1/32 ident host all all ::1/128 ident host all all 192.122.124.0 255.255.254.0 trust | 04:55 |
IAmNewB | yes, postmaster (pid 10912) is running... | 04:55 |
jamielennox | for host all all 127.0.0.1/32 ident change ident to md5 | 04:56 |
jamielennox | restart, have another try | 04:57 |
jamielennox | also do sudo netstat -ltpn and make sure postgres is in there on :5432 | 04:58 |
IAmNewB | yes, it started working | 04:58 |
jamielennox | it might be an iptables rule or something | 04:58 |
IAmNewB | i can add user and list user | 04:58 |
jamielennox | great | 04:59 |
IAmNewB | thank you very much | 04:59 |
jamielennox | IAmNewB: no problem | 04:59 |
*** ajc_ has joined #openstack-keystone | 04:59 | |
IAmNewB | what was the issue and how you noticed it ? | 05:00 |
jamielennox | so that last parameter in pg_hba.conf is what sort of authentication mechanism you use when connection to postgres | 05:01 |
jamielennox | i can't remember what ident does, but it's something to do with getting your username from the operating system | 05:01 |
jamielennox | changing that to md5 says to expect the username and password (an md5 hash of the password) to be presented in the connection - and we need that here | 05:02 |
jamielennox | as for noticing it, i've just done it a few times | 05:03 |
IAmNewB | hmm | 05:04 |
IAmNewB | with ident if i try to do psql with keystone it fails with psql -h localhost -U keystone -W Password for user keystone: psql: could not connect to server: Connection refused Is the server running on host "localhost" and accepting TCP/IP connections on port 5432? FATAL: Ident authentication failed for user "keystone" | 05:04 |
IAmNewB | but with md5 i am able to login | 05:04 |
IAmNewB | thanks for the explaination and help | 05:05 |
*** dstanek is now known as dstanek_zzz | 05:05 | |
*** harlowja is now known as harlowja_away | 05:06 | |
*** ukalifon has joined #openstack-keystone | 05:09 | |
*** dstanek_zzz is now known as dstanek | 05:13 | |
*** topol has quit IRC | 05:19 | |
*** daneyon has quit IRC | 05:21 | |
*** daneyon has joined #openstack-keystone | 05:21 | |
*** dstanek is now known as dstanek_zzz | 05:28 | |
*** tkelsey has joined #openstack-keystone | 05:32 | |
*** gokrokve has quit IRC | 05:33 | |
*** daneyon has quit IRC | 05:33 | |
*** chandan_kumar has quit IRC | 05:37 | |
openstackgerrit | guang-yee proposed a change to openstack/keystone: X.509 SSL certificate authentication plugin https://review.openstack.org/103736 | 05:42 |
*** gyee has quit IRC | 05:47 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/103380 | 06:00 |
openstackgerrit | A change was merged to openstack/keystone: Move bash8 to run under pep8 tox env https://review.openstack.org/103299 | 06:07 |
*** zigo has quit IRC | 06:13 | |
*** henrynash has joined #openstack-keystone | 06:13 | |
*** stevemar has quit IRC | 06:13 | |
*** zigo has joined #openstack-keystone | 06:14 | |
*** dstanek_zzz is now known as dstanek | 06:29 | |
*** henrynash has quit IRC | 06:32 | |
*** chandan_kumar has joined #openstack-keystone | 06:41 | |
*** nsquare has quit IRC | 06:51 | |
*** amerine has quit IRC | 06:56 | |
openstackgerrit | wanghong proposed a change to openstack/keystone: Do not consume trust uses when create token fails https://review.openstack.org/103445 | 06:59 |
*** nsquare has joined #openstack-keystone | 06:59 | |
*** amerine has joined #openstack-keystone | 06:59 | |
*** nsquare has quit IRC | 07:00 | |
openstackgerrit | lawrancejing proposed a change to openstack/keystone: Fix the section name in CONTRIBUTING.rst https://review.openstack.org/103758 | 07:00 |
*** amerine_ has joined #openstack-keystone | 07:03 | |
*** BAKfr has joined #openstack-keystone | 07:05 | |
openstackgerrit | lawrancejing proposed a change to openstack/python-keystoneclient: Add CONTRIBUTING.rst https://review.openstack.org/103761 | 07:06 |
*** amerine has quit IRC | 07:06 | |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Fixes the order of assertEqual arguments https://review.openstack.org/77514 | 07:12 |
openstackgerrit | wanghong proposed a change to openstack/keystone: trustor_user_id not available in v2 trust token https://review.openstack.org/101829 | 07:12 |
*** morganfainberg is now known as morganfainberg_Z | 07:12 | |
*** amerine has joined #openstack-keystone | 07:18 | |
*** amerine__ has joined #openstack-keystone | 07:19 | |
*** amerine_ has quit IRC | 07:20 | |
*** amerine has quit IRC | 07:23 | |
*** dstanek is now known as dstanek_zzz | 07:24 | |
*** praneshp has quit IRC | 07:27 | |
*** amerine has joined #openstack-keystone | 07:31 | |
*** amerine__ has quit IRC | 07:34 | |
openstackgerrit | wanghong proposed a change to openstack/keystone: auth tests should not require admin token https://review.openstack.org/101861 | 07:37 |
*** mrda is now known as mrda-away | 07:49 | |
*** erecio has joined #openstack-keystone | 07:51 | |
*** leseb has joined #openstack-keystone | 07:55 | |
*** morganfainberg_Z is now known as morganfainberg | 07:55 | |
*** mberlin has quit IRC | 08:01 | |
*** marekd|away is now known as marekd | 08:08 | |
*** henrynash has joined #openstack-keystone | 08:11 | |
*** dstanek_zzz is now known as dstanek | 08:15 | |
*** mberlin has joined #openstack-keystone | 08:15 | |
*** erecio has quit IRC | 08:24 | |
*** dstanek is now known as dstanek_zzz | 08:25 | |
*** leseb has quit IRC | 08:38 | |
*** leseb has joined #openstack-keystone | 08:38 | |
*** andreaf_ has joined #openstack-keystone | 08:39 | |
*** leseb has quit IRC | 08:42 | |
openstackgerrit | lawrancejing proposed a change to openstack/python-keystoneclient: Use immutable arg rather mutable arg https://review.openstack.org/103801 | 08:42 |
*** leseb has joined #openstack-keystone | 09:00 | |
*** andreaf has quit IRC | 09:10 | |
*** andreaf_ is now known as andreaf | 09:11 | |
*** andreaf_ has joined #openstack-keystone | 09:11 | |
*** dstanek_zzz is now known as dstanek | 09:16 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Add identity mapping capability https://review.openstack.org/102430 | 09:17 |
*** lbragstad_ has quit IRC | 09:22 | |
*** jdennis has quit IRC | 09:22 | |
*** jdennis has joined #openstack-keystone | 09:23 | |
*** lbragstad_ has joined #openstack-keystone | 09:24 | |
*** dstanek is now known as dstanek_zzz | 09:26 | |
*** oomichi has quit IRC | 09:30 | |
*** dstanek_zzz is now known as dstanek | 09:48 | |
*** henrynash has quit IRC | 09:52 | |
*** henrynash has joined #openstack-keystone | 09:53 | |
*** amerine has quit IRC | 09:53 | |
*** dstanek is now known as dstanek_zzz | 09:58 | |
*** amerine has joined #openstack-keystone | 10:08 | |
*** chandan_kumar has quit IRC | 10:47 | |
*** leseb has quit IRC | 10:47 | |
*** leseb has joined #openstack-keystone | 10:47 | |
*** dstanek_zzz is now known as dstanek | 10:49 | |
*** openstack has joined #openstack-keystone | 10:51 | |
-dickson.freenode.net- [freenode-info] why register and identify? your IRC nick is how people know you. http://freenode.net/faq.shtml#nicksetup | 10:51 | |
*** leseb has quit IRC | 10:52 | |
*** dstanek is now known as dstanek_zzz | 10:59 | |
*** jaosorior has joined #openstack-keystone | 11:06 | |
*** dims_ has joined #openstack-keystone | 11:07 | |
*** topol has joined #openstack-keystone | 11:11 | |
*** rodrigods has joined #openstack-keystone | 11:15 | |
*** rodrigods has quit IRC | 11:16 | |
*** tkelsey has quit IRC | 11:17 | |
*** leseb has joined #openstack-keystone | 11:18 | |
*** chandan_kumar has joined #openstack-keystone | 11:20 | |
*** erecio has joined #openstack-keystone | 11:22 | |
*** leseb has quit IRC | 11:24 | |
*** IAmNewB has quit IRC | 11:25 | |
*** diegows has joined #openstack-keystone | 11:28 | |
otwieracz | Hi. | 11:30 |
otwieracz | I wanted to send my patch for review. | 11:30 |
otwieracz | I've created branch „fix_bug_1313837”. | 11:31 |
otwieracz | But I am not sure how I should now push my changes. | 11:32 |
openstackgerrit | Andre Aranha proposed a change to openstack/keystone: Hierarchical Multitenacy https://review.openstack.org/103850 | 11:33 |
openstackgerrit | Juan Manuel Ollé proposed a change to openstack/python-keystoneclient: Keystoneclient create user API should have optional password. https://review.openstack.org/97597 | 11:35 |
*** leseb has joined #openstack-keystone | 11:42 | |
marekd | otwieracz: commit your changes | 11:43 |
marekd | otwieracz: and type git review (I assume you have configured gerrit) | 11:43 |
otwieracz | and then git review? | 11:43 |
otwieracz | OK | 11:43 |
marekd | otwieracz: if everything is fine new branch will be created on gerrit | 11:44 |
openstackgerrit | Slawomir Gonet proposed a change to openstack/keystone: Exception messages format changed to match one used in other componetns (no period at the end of message in cases where it can make problems while copying from terminal). https://review.openstack.org/103852 | 11:45 |
otwieracz | \o/ | 11:45 |
*** dstanek_zzz is now known as dstanek | 11:50 | |
*** leseb has quit IRC | 11:56 | |
*** leseb has joined #openstack-keystone | 12:00 | |
*** dstanek is now known as dstanek_zzz | 12:00 | |
*** achampion has quit IRC | 12:04 | |
*** kashyap_bbiab has joined #openstack-keystone | 12:08 | |
*** kashyap_bbiab has quit IRC | 12:09 | |
*** kashyap_bbiab has joined #openstack-keystone | 12:09 | |
*** kashyap` has joined #openstack-keystone | 12:10 | |
*** kashyap has quit IRC | 12:11 | |
*** kashyap_bbiab has quit IRC | 12:14 | |
*** kashyap` is now known as kashyap | 12:16 | |
*** ajc_ has quit IRC | 12:17 | |
*** rodrigods has joined #openstack-keystone | 12:17 | |
*** dhellmann is now known as dhellmann_ | 12:19 | |
*** mitz_ has quit IRC | 12:25 | |
*** dims_ has quit IRC | 12:32 | |
*** dims_ has joined #openstack-keystone | 12:32 | |
*** hrybacki has joined #openstack-keystone | 12:42 | |
*** hrybacki has quit IRC | 12:43 | |
*** hrybacki has joined #openstack-keystone | 12:43 | |
*** tkelsey has joined #openstack-keystone | 12:43 | |
*** dstanek_zzz is now known as dstanek | 12:50 | |
*** topol has quit IRC | 12:54 | |
*** xianghuihui has joined #openstack-keystone | 12:56 | |
*** chandan_kumar has quit IRC | 12:59 | |
*** achampion has joined #openstack-keystone | 12:59 | |
*** xianghui has quit IRC | 12:59 | |
*** dstanek is now known as dstanek_zzz | 13:00 | |
*** _elmiko is now known as elmiko | 13:07 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/101800 | 13:07 |
*** chandan_kumar has joined #openstack-keystone | 13:07 | |
*** nkinder_ has quit IRC | 13:09 | |
*** rodrigods has quit IRC | 13:14 | |
*** joesavak has joined #openstack-keystone | 13:17 | |
*** chandan_kumar is now known as chandankumar | 13:30 | |
*** topol has joined #openstack-keystone | 13:31 | |
*** hrybacki_ has joined #openstack-keystone | 13:31 | |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Fix links sections in OS-FEDERATION docs https://review.openstack.org/103888 | 13:32 |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Fix links sections in federation mapping docs https://review.openstack.org/103888 | 13:34 |
*** hrybacki has quit IRC | 13:35 | |
*** hrybacki_ has quit IRC | 13:36 | |
*** bobt has quit IRC | 13:38 | |
*** rodrigods has joined #openstack-keystone | 13:42 | |
*** rodrigods has quit IRC | 13:42 | |
*** rodrigods has joined #openstack-keystone | 13:42 | |
*** hrybacki has joined #openstack-keystone | 13:42 | |
*** dstanek_zzz is now known as dstanek | 13:51 | |
*** nkinder_ has joined #openstack-keystone | 13:55 | |
*** chandan_kumar has joined #openstack-keystone | 13:58 | |
*** chandankumar has quit IRC | 13:59 | |
*** chandan_kumar is now known as chandan|afk | 14:00 | |
*** chandan|afk is now known as ciypro|afk | 14:00 | |
*** david-lyle has joined #openstack-keystone | 14:01 | |
*** chandan_kumar has joined #openstack-keystone | 14:04 | |
*** gokrokve has joined #openstack-keystone | 14:06 | |
hrybacki | bknudson: could I pick your brain about the test in https://review.openstack.org/#/c/103229/2/keystoneclient/tests/v2_0/test_endpoints.py ? | 14:07 |
*** gokrokve_ has joined #openstack-keystone | 14:07 | |
bknudson | hrybacki: ok | 14:07 |
hrybacki | bknudson: please keep in mind I'm still learning a lot of these testing functions | 14:08 |
hrybacki | bknudson: so what I really want is to submit a request like the one on line 87 | 14:09 |
*** chandan_kumar is now known as chandankumar | 14:09 | |
bknudson | hrybacki: isn't that what line 112 does? | 14:09 |
hrybacki | and then make sure that the endpoint was created like we would expect using adminurl=None and internalurl=None | 14:09 |
bknudson | hrybacki: the client tests don't actually create anything | 14:10 |
hrybacki | it does -- I was basing the test structure off of the test on line 42 | 14:10 |
bknudson | the client tests simulate what the server would respond with | 14:10 |
hrybacki | okay | 14:10 |
*** gokrokve has quit IRC | 14:11 | |
bknudson | so the client tests need to validate that an API call generates the expected request and can parse the expected response | 14:11 |
hrybacki | that's what the stub_url call is for? | 14:11 |
bknudson | y, stub_url generates the simulated response from the server | 14:11 |
hrybacki | okay, and _that_ should return a json with the other params + admin/internalurl=None | 14:12 |
hrybacki | and 'self.client.endpoints.create(...)' will post to that stubbed url and get the response I just talked about back? | 14:13 |
bknudson | maybe stub_url should setup the response so that it has admin/internalurl=None... I'm not sure what the server typically responds with in this case. | 14:14 |
bknudson | give it a try | 14:14 |
openstackgerrit | Ryan Bak proposed a change to openstack/keystone: LDAP: Added documentation for debug_level option https://review.openstack.org/94679 | 14:14 |
hrybacki | kk | 14:15 |
bknudson | y, 'self.client.endpoints.create(...)' does a request and the stubbed url will generate a reply | 14:15 |
bknudson | if the client call hits the wrong url then it would get a 404 or something | 14:16 |
*** jamielennox has quit IRC | 14:17 | |
*** radez_g0` is now known as radez | 14:18 | |
*** jamielennox has joined #openstack-keystone | 14:19 | |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Remove Trusted Attributes API from Identity docs https://review.openstack.org/103905 | 14:19 |
*** erecio has quit IRC | 14:19 | |
*** daneyon has joined #openstack-keystone | 14:20 | |
hrybacki | bknudson: okay so when I set the stub_url json to include adminurl: None, internalurl: None, the 'None's become 'null's after being pulled from httpretty.last_request().body | 14:20 |
*** jamielennox_ has joined #openstack-keystone | 14:21 | |
*** daneyon has quit IRC | 14:21 | |
*** daneyon has joined #openstack-keystone | 14:21 | |
bknudson | hrybacki: weird. | 14:22 |
bknudson | hrybacki: is that a bug in httpretty? | 14:22 |
hrybacki | bknudson: I'm not sure -- want me to post a patch so you can see it? | 14:22 |
*** jamielennox_ is now known as jamielennox|away | 14:22 | |
hrybacki | or recreate it rather | 14:22 |
bknudson | hrybacki: might as well | 14:23 |
hrybacki | kk | 14:23 |
*** jamielennox has quit IRC | 14:23 | |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Add identity mapping capability https://review.openstack.org/102430 | 14:24 |
*** rodrigods has quit IRC | 14:25 | |
*** rodrigods has joined #openstack-keystone | 14:25 | |
hrybacki | bknudson: it'll be up in a second -- my vm seems to loose it's network connection whenever my laptop sleeps forcing me to restart the vm | 14:27 |
*** dims_ has quit IRC | 14:28 | |
openstackgerrit | Harry Rybacki proposed a change to openstack/python-keystoneclient: Add tests without optional create endpoint params https://review.openstack.org/103229 | 14:28 |
*** vhoward- has joined #openstack-keystone | 14:31 | |
bknudson | hrybacki: I tried running the test and it fails | 14:32 |
hrybacki | yes, because the None's are being converted to Nulls and I'm not sure why | 14:33 |
bknudson | I don't know what that means... None is converted to Nulls | 14:33 |
hrybacki | one second | 14:34 |
*** vhoward- has left #openstack-keystone | 14:34 | |
marekd | bknudson: how usually is None represented when Keystone returns it in JSON response? | 14:36 |
marekd | bknudson: is it somehow serialized to binary (or something)? | 14:36 |
bknudson | JSON uses null for the same thing that python uses None for | 14:36 |
hrybacki | bknudson: okay, on line 104 of test_endpoints assertRequestBodyIs is called against the expected response starting on line 86 | 14:36 |
marekd | bknudson: exactly, maybe httpretty maps None->null because it sees json | 14:37 |
hrybacki | but when the body from the last request is called via 'last_request_body = httpretty.last_request().body' the 'None's that were sent in the actual request have become 'null' | 14:37 |
hrybacki | and the test fails | 14:38 |
hrybacki | marekd: if that's the case how would I account for that in the test? | 14:38 |
otwieracz | Hmm. | 14:40 |
otwieracz | py33 tests do not pass for me. | 14:40 |
*** gokrokve_ has quit IRC | 14:40 | |
otwieracz | even on original keystone sources | 14:40 |
*** dims_ has joined #openstack-keystone | 14:41 | |
bknudson | hrybacki: the test fails for me because the expected request doesn't match the actual request | 14:42 |
bknudson | the actual request has "u'adminurl': None, u'internalurl': None" and the reference request doesn't have those. | 14:42 |
openstackgerrit | A change was merged to openstack/keystone: Updated from global requirements https://review.openstack.org/101800 | 14:43 |
*** daneyon has quit IRC | 14:44 | |
hrybacki | bknudson: well I'm not sure how to check against the request body that was sent (as it will never match the response) | 14:46 |
hrybacki | bknudson: should I modify it post request (adding the Nones it should have) and then check against that? | 14:46 |
bknudson | hrybacki: do the tests pass if you "modify it post request (adding the Nones it should have)" ? | 14:48 |
hrybacki | bknudson: yes, but this all seems rather hackish | 14:51 |
bknudson | hrybacki: that's probably not the right way to do it then | 14:51 |
*** gokrokve has joined #openstack-keystone | 14:52 | |
hrybacki | bknudson: indeed, I'm just not sure how to move forward | 14:53 |
bknudson | seems like eq_body_without_defaults should have 'adminurl': None, 'internalurl': None | 14:53 |
bknudson | req_body_without_defaults | 14:53 |
bknudson | ? | 14:53 |
hrybacki | bknudson: but then we aren't actually testing create() without handing it those defaults, right? | 14:54 |
*** xianghuihui has quit IRC | 14:54 | |
bknudson | hrybacki: the call to create() is at line 98 in https://review.openstack.org/#/c/103229/3/keystoneclient/tests/v2_0/test_endpoints.py | 14:54 |
bknudson | and that call doesn't use adminurl or internalurl , so the defaults will be used | 14:55 |
hrybacki | bknudson: god damnit | 14:55 |
hrybacki | thank you | 14:55 |
bknudson | no problem | 14:57 |
*** mitz_ has joined #openstack-keystone | 14:57 | |
*** mitz_ has quit IRC | 14:57 | |
hrybacki | bknudson: as far as populating the service_id with a UUID, should that be done for the just above mine as well? If so, should I do that in this change or should that be another change? | 14:59 |
*** vhoward- has joined #openstack-keystone | 14:59 | |
*** david-lyle has quit IRC | 14:59 | |
*** david-lyle has joined #openstack-keystone | 15:00 | |
*** dstanek is now known as dstanek_zzz | 15:02 | |
bknudson | hrybacki: don't make changes in urelated parts of the code in the same commit. | 15:03 |
*** david-lyle has quit IRC | 15:03 | |
bknudson | so that would be a separate commit if you think it's worth it | 15:03 |
*** david-lyle has joined #openstack-keystone | 15:03 | |
*** david-lyle has quit IRC | 15:03 | |
hrybacki | bknudson++ uniformity is good. Should there be a bug created for the other test and then a commit to close that bug? Trying to get the workflow down. | 15:04 |
hrybacki | uniformity in code is good | 15:04 |
*** david-lyle has joined #openstack-keystone | 15:04 | |
bknudson | if you want to open a bug you can do that. I wouldn't. | 15:04 |
*** gokrokve has quit IRC | 15:08 | |
*** mitz has quit IRC | 15:08 | |
*** jsavak has joined #openstack-keystone | 15:08 | |
*** dstanek_zzz is now known as dstanek | 15:09 | |
*** joesavak has quit IRC | 15:11 | |
*** mitz has joined #openstack-keystone | 15:12 | |
*** david-lyle has quit IRC | 15:12 | |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone-specs: Propose Specification for Endpoint Group Filter https://review.openstack.org/102023 | 15:16 |
openstackgerrit | Harry Rybacki proposed a change to openstack/python-keystoneclient: Add tests without optional create endpoint params https://review.openstack.org/103229 | 15:19 |
*** praneshp has joined #openstack-keystone | 15:20 | |
dolphm | hrybacki: for refactors that only impact developers, bug reports don't serve too much use | 15:26 |
hrybacki | dolphm: okay | 15:26 |
*** erecio has joined #openstack-keystone | 15:33 | |
hrybacki | Do the zuul tests have any sort of priority metrics built in that we know of? | 15:35 |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Add public key API for Identity provider https://review.openstack.org/103925 | 15:39 |
marekd | dolphm: hey there. I pushed some changed for public_keys tied to IdP objects in Keystone. I don't have any strong opinions whether the key should be directly embeded in identity_provider object or tied to it. | 15:40 |
marekd | dolphm: https://review.openstack.org/#/c/103925/1/v3/src/markdown/identity-api-v3-os-federation-ext.md | 15:40 |
*** gokrokve has joined #openstack-keystone | 15:43 | |
*** dstanek is now known as dstanek_zzz | 15:47 | |
dolphm | marekd: would there ever be multiple public keys per idp? | 15:49 |
dolphm | marekd: if it's 1:1, then i'd just include it as an attribute of an IdP. if it could be 1:many or even many:many, then make it a separate collection | 15:50 |
dolphm | hrybacki: priority metrics? | 15:50 |
dolphm | hrybacki: some changes are marked as priority, but i'm not sure what that looks like in zuul's API. i just know that those changes can jump ahead in the queue | 15:51 |
hrybacki | dolphm: okay -- was just wondering if it did anything odd while determining what changes get the most resources | 15:52 |
*** stevemar has joined #openstack-keystone | 15:52 | |
dolphm | hrybacki: oh, i'm not aware of any kind of priority in that respect | 15:52 |
*** stevemar has quit IRC | 15:52 | |
*** thedodd has joined #openstack-keystone | 15:54 | |
marekd | dolphm: well, old specs include multiple keys, but...do we really need it? There is only one pub/priv keypair configured in Keystone awhen it comes to PKI tokens, right? | 15:55 |
dolphm | marekd: for token signing? yes | 15:56 |
marekd | dolphm: yes, for token signing. | 15:56 |
marekd | dolphm: imho at the current state it will work essentialy in the same way... | 15:56 |
marekd | dolphm: KeystoneIdP will rather sign the token, not encrypt it. | 15:57 |
*** praneshp has quit IRC | 15:57 | |
marekd | dolphm: unless you think token to be used w/ remote cloud should be encrypted. | 15:57 |
morganfainberg | dolphm, marekd, wouldn't there need to be multiple keys per idp for rotation? or is that out of scope? | 15:58 |
marekd | morganfainberg: rotation? | 15:59 |
morganfainberg | marekd, changing the keys (security) | 15:59 |
morganfainberg | marekd, strictly operator concern | 15:59 |
*** praneshp has joined #openstack-keystone | 15:59 | |
marekd | this would be human step, how often do you think this should be caried out? | 15:59 |
marekd | and why not just replace keys? | 16:00 |
marekd | morganfainberg: ^^ | 16:00 |
morganfainberg | marekd, that was why i asked if it was out of scope | 16:00 |
morganfainberg | marekd, and i'm fine with it being out of scope | 16:00 |
marekd | morganfainberg: dolphm if we have multiple keys than we are risking or a round robin: "lets try key 1, ohh, didn't work, how about key 2?, this one didn't work either so let's raise an exception" | 16:01 |
*** vhoward- has left #openstack-keystone | 16:01 | |
marekd | dolphm: morganfainberg are we good with that? | 16:02 |
*** chandankumar has quit IRC | 16:02 | |
morganfainberg | marekd, sure. no need to do multiple keys | 16:03 |
*** david-lyle has joined #openstack-keystone | 16:03 | |
marekd | morganfainberg: as i said i don't have strong opinions, just trying to follow the KISS rule :-) | 16:04 |
morganfainberg | marekd, ++ | 16:04 |
marekd | morganfainberg: dolphm: are we good with just signing a token, or it should be encrypted? I think signing is fine. All in all we will try not to expose any sensitive information. | 16:05 |
raildo | Someone can explain me how it works (if it works) the API Policies in Keystone: http://developer.openstack.org/api-ref-identity-v3.html#policies-v3 ? | 16:09 |
*** BAKfr has quit IRC | 16:14 | |
*** guitarzan has joined #openstack-keystone | 16:15 | |
guitarzan | hi folks, this might be a dumb question, but what is supposed to happen when you have two endpoints to the same service type in the same region? | 16:18 |
*** zhiyan is now known as zhiyan_ | 16:19 | |
*** leseb has quit IRC | 16:19 | |
*** gyee_ has quit IRC | 16:20 | |
*** joesavak has joined #openstack-keystone | 16:20 | |
*** erecio has quit IRC | 16:21 | |
*** jose-idar has joined #openstack-keystone | 16:21 | |
*** jsavak has quit IRC | 16:23 | |
*** andreaf has quit IRC | 16:26 | |
*** gyee has joined #openstack-keystone | 16:28 | |
*** dstanek_zzz is now known as dstanek | 16:28 | |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Add public key API for Identity provider https://review.openstack.org/103925 | 16:36 |
*** tkelsey has quit IRC | 16:40 | |
*** dims_ has quit IRC | 16:41 | |
*** dims_ has joined #openstack-keystone | 16:42 | |
*** erecio has joined #openstack-keystone | 16:48 | |
morganfainberg | i think i'm spoiled by Mock() being so much better than Mox | 16:51 |
*** jaosorior has quit IRC | 16:52 | |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Fix docs and scripts for pki_setup and ssl_setup https://review.openstack.org/103697 | 16:52 |
*** bobt has joined #openstack-keystone | 16:58 | |
*** chandan_kumar has joined #openstack-keystone | 17:04 | |
*** harlowja_away is now known as harlowja | 17:06 | |
henrynash | morganfainberg, ayoung: https://review.openstack.org/#/c/102430 is looking for a final +2… | 17:07 |
*** richm has joined #openstack-keystone | 17:07 | |
*** amcrn has joined #openstack-keystone | 17:14 | |
*** amcrn has quit IRC | 17:15 | |
*** dstanek is now known as dstanek_zzz | 17:22 | |
*** nsquare has joined #openstack-keystone | 17:23 | |
*** dstanek_zzz is now known as dstanek | 17:25 | |
lbragstad_ | dstanek: thanks for the info on the doc strings | 17:26 |
*** rodrigods_ has joined #openstack-keystone | 17:28 | |
*** lbragstad_ is now known as lbragstad | 17:31 | |
otwieracz | ok, guys: | 17:32 |
otwieracz | https://review.openstack.org/#/c/103852/ | 17:33 |
otwieracz | There's problem with commit message line length. | 17:33 |
otwieracz | What should I do? Resend it? or what? | 17:33 |
*** erecio has quit IRC | 17:35 | |
dstanek | lbragstad_: np | 17:38 |
dstanek | otwieracz: yes, fix the message by amending the commit and then run 'git review' again | 17:39 |
dstanek | otwieracz: 'git review' will know it's an update as long as you don't remove the change-id | 17:39 |
otwieracz | OK | 17:40 |
*** hrybacki has quit IRC | 17:41 | |
*** hrybacki has joined #openstack-keystone | 17:44 | |
*** hrybacki has quit IRC | 17:46 | |
dstanek | otwieracz: i added a few comments to your review. if you think they are valid please include in your next review | 17:46 |
otwieracz | OK, so now I should edit sources and then make ammend, right? | 17:47 |
*** erecio has joined #openstack-keystone | 17:50 | |
*** dhellmann_ is now known as dhellmann | 17:53 | |
openstackgerrit | Slawomir Gonet proposed a change to openstack/keystone: Exception messages format changed to match one used in other componetns (no period at the end of message in cases where it can make problems while copying from terminal). https://review.openstack.org/103852 | 17:54 |
dstanek | otwieracz: your comment still needs a bit of work | 17:59 |
*** bobt has quit IRC | 17:59 | |
otwieracz | dstanek: Thanks for notes. | 18:00 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Do not use keystone's config for nova's port https://review.openstack.org/103204 | 18:04 |
*** nkinder_ has quit IRC | 18:04 | |
*** jamielennox|away is now known as jamielennox | 18:04 | |
dstanek | otwieracz: no, problem | 18:05 |
morganfainberg | topol, ^ fixed the typo you pointed out | 18:05 |
topol | morganfainberg, OK, will re-review soon | 18:05 |
otwieracz | dstanek: http://wklej.org/hash/5020435c4cd/ | 18:07 |
otwieracz | dstanek: now it's better? | 18:07 |
topol | morganfainberg, done! | 18:09 |
*** harlowja is now known as harlowja_away | 18:10 | |
dstanek | otwieracz: remove period on line 1 and resize the rest of the lines to just under 72 chars | 18:10 |
otwieracz | dstanek: http://paste.lisp.org/display/143059 | 18:11 |
dstanek | otwieracz: Read "Summary of GIT commit message structure" on that wiki page | 18:11 |
*** thedodd has quit IRC | 18:11 | |
otwieracz | OK | 18:11 |
openstackgerrit | Slawomir Gonet proposed a change to openstack/keystone: Ending periods in exceptioon messages deleted https://review.openstack.org/103852 | 18:12 |
dstanek | otwieracz: in your paste exception is misspelled and you probably want 'contained a period' | 18:18 |
otwieracz | I see. | 18:19 |
*** nkinder_ has joined #openstack-keystone | 18:21 | |
otwieracz | dstanek: OK, what you think about Matt Fischer proposition? | 18:26 |
dstanek | otwieracz: ? | 18:26 |
dstanek | mfisch: ^ | 18:26 |
otwieracz | Line 271: " %(details)s") | 18:27 |
otwieracz | This is getting into a nitpick but I'd prefer: | 18:27 |
otwieracz | "Conflict occurred attempting to store %(type)s: %(details)s") | 18:27 |
*** hrybacki has joined #openstack-keystone | 18:28 | |
*** erecio has quit IRC | 18:28 | |
dstanek | otwieracz: yes, i agree with that - i wrote that here https://review.openstack.org/#/c/103852/1/keystone/exception.py | 18:29 |
otwieracz | but | 18:29 |
dstanek | otwieracz: sorry that i'll slow to respond - trying to pay attention in the Keystone team meeting | 18:29 |
otwieracz | Try to copy „foobar:” from terminal. | 18:29 |
otwieracz | foobar: is copying. | 18:29 |
dstanek | for me it doesn't :-( | 18:30 |
hrybacki | would someone mind taking a glance at the jenkins failures here: https://review.openstack.org/#/c/103229/ I think they may have been a fluke. Is there a way to re-run them without submitting a new patch? | 18:30 |
dstanek | maybe separate them with a -? '%(type)s - %(details)s' | 18:30 |
otwieracz | dstanek: Will be better. | 18:30 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Adjust Python 2.6 OSerror-on-EPIPE workaround https://review.openstack.org/96805 | 18:32 |
*** harlowja_away is now known as harlowja | 18:33 | |
*** hrybacki_ has joined #openstack-keystone | 18:34 | |
*** hrybacki has quit IRC | 18:35 | |
*** thedodd has joined #openstack-keystone | 18:36 | |
*** hrybacki_ has quit IRC | 18:37 | |
*** erecio has joined #openstack-keystone | 18:37 | |
*** nkinder_ has quit IRC | 18:43 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from conf https://review.openstack.org/95015 | 18:44 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Session loading from CLI options https://review.openstack.org/95678 | 18:44 |
*** rodrigods_ has quit IRC | 18:46 | |
*** nkinder_ has joined #openstack-keystone | 18:55 | |
*** marcoemorais has joined #openstack-keystone | 18:59 | |
jamielennox | marekd: sorry, i've had your email sitting there for a few days meaning to get back to you | 19:01 |
marekd | jamielennox: no worries | 19:01 |
marekd | jamielennox: i am fine with squeezing everything in one auth-plugin and passing kwargs twice. | 19:02 |
jamielennox | i haven't looked at your saml patches for a little while | 19:02 |
jamielennox | so it'll need to be one auth plugin for the sake of loading it from configs /CLI | 19:02 |
jamielennox | however what i was trying to say from the other review is that internally you could manage it as multiple plugins | 19:03 |
marekd | and i did... | 19:03 |
jamielennox | ok - i don't think i've looked since then | 19:03 |
marekd | jamielennox: but that's not my point :-) | 19:03 |
marekd | jamielennox: essentialy i split the plugins - one does federation studd, gets unscoped token | 19:04 |
*** hrybacki has joined #openstack-keystone | 19:04 | |
marekd | and you should later call another plugin, for scoping token only that uses unscoped plugin token. It actually wraps it. | 19:04 |
marekd | but i didn't mean that. | 19:04 |
marekd | when you want to get unscoped token back, you actually need to authenticate with your IdP. | 19:05 |
marekd | this can be HTTP Basic Auth, certificates, some REST protocol...everythig. | 19:05 |
marekd | and this IdP auth should be configurable and pluggable. | 19:05 |
marekd | it's like an auth plugin inside auth plugin. | 19:05 |
jamielennox | yea, following that | 19:06 |
jamielennox | i think what you would have to do is have a wrapper plugin which is the entrypoint for CLI/CONF | 19:06 |
*** ukalifon has quit IRC | 19:06 | |
jamielennox | such that the outer p;lugin has conf arguments which tell it which inner plugins to load - and then it manages using them correctly | 19:07 |
marekd | yeah, that was my concern... | 19:07 |
marekd | it's like loading during parsing... | 19:08 |
marekd | jamielennox: but what do you mean by saying entrypoint for CLI/CONF? | 19:08 |
jamielennox | yea, a lot of plugins are going to have that problem because you don't know what arguments are going to be required until the user puts an option in | 19:09 |
jamielennox | marekd: so the plugins that are available via CLI/CONF are listed as entrypoints in the setup.cfg file | 19:09 |
marekd | jamielennox: does it actually need changes in the patches you are working on? | 19:10 |
jamielennox | if you haven't seen setuptools entrypoints you can google that one for a better explanation than i can give | 19:10 |
marekd | i don't have much experience with setuptools, but 'google it' is more than enough. | 19:11 |
*** achampion has quit IRC | 19:11 | |
jamielennox | marekd: only the loading from CLI/CONF i think | 19:11 |
marekd | jamielennox: ? | 19:11 |
jamielennox | so this shows the entrypoints: https://review.openstack.org/#/c/79542/10/setup.cfg | 19:11 |
jamielennox | in the format name = class to load | 19:11 |
jamielennox | so when i say --os-auth-plugin v2password that's where it looks to figure out what auth plugin to load | 19:12 |
marekd | jamielennox: ah ok, easy | 19:12 |
jamielennox | so you will probably want a new plugin that manages inner plugins that is registered in that list | 19:12 |
jamielennox | but that will likely only be used for CLI/CONF case and expect people who want to use it directly to use the old way | 19:13 |
jamielennox | so eventually when all these patches land you can add a new one for how to load all this from CLI, but i don't think you need to rebase your current changes on top of it | 19:14 |
marekd | jamielennox: hmmm, are you thinking about manager-plugin just for inner plugins, or for all auth plugins? | 19:15 |
topol | boris-42 your rally patch looks very good | 19:15 |
jamielennox | just for the case where the auth sequence is going to require multiple inner plugins | 19:15 |
dolphm | jamielennox: you didn't already have a patch up for keystonemiddleware to make everything private, did you? | 19:16 |
jamielennox | in the v2password case for example it's just one call | 19:16 |
jamielennox | dolphm: not yet | 19:16 |
marekd | jamielennox: ok, so let's say i am adding my ecp plugin for ecp saml, i'd add entrypoint to setup.cfg, e.g.: saml2 = keystoneclient.auth.identity.v3.saml2:UnscopedToken | 19:17 |
marekd | jamielennox: and another entry for a wrapper? | 19:17 |
marekd | i am trying to imagine who would call who. | 19:17 |
jamielennox | marekd: no because from a CLI perspective it will only know about one plugin | 19:17 |
jamielennox | i'm saying you'd create a new plugin lets say SamlManager and do saml2 = auth.identity....SamlManager | 19:18 |
jamielennox | one of the options that it would take would be a string that says which inner plugin to use - basic auth, REST, certs etc | 19:19 |
*** amcrn has joined #openstack-keystone | 19:19 | |
jamielennox | and you would probably looks those up using the same entrypoint style listing | 19:19 |
jose-idar | /leave | 19:19 |
*** achampion has joined #openstack-keystone | 19:19 | |
jose-idar | \leave | 19:19 |
*** jose-idar has left #openstack-keystone | 19:19 | |
jamielennox | jose-idar: noooooo | 19:20 |
marekd | jamielennox: ok, i get it now. and this SamlManager would simply do some parsing of the options from conf/cli. | 19:21 |
marekd | with Param objects and things like that | 19:21 |
jamielennox | marekd: exactly, and then handle the unscoped tokens etc internally | 19:21 |
marekd | jamielennox: makes sense. I will work on that. | 19:22 |
raildo | morganfainberg: ping | 19:22 |
morganfainberg | raildo, headed out to lunch :P sorry | 19:22 |
morganfainberg | raildo backi in ~1h or so. | 19:22 |
jamielennox | marekd: cool, i'd say no rush on that. it will take a while to get these patches through | 19:22 |
raildo | morganfainberg: ok | 19:22 |
marekd | jamielennox: this plugin would also have to import the inner plugin in runtime -so stevedore etc, right? | 19:23 |
jamielennox | marekd: yea, that's how i would do it | 19:23 |
marekd | jamielennox: ok, that's good starting point. Thanks! | 19:24 |
jamielennox | marekd: np, i'll chase up the existing reviews too | 19:24 |
marekd | jamielennox: thanks! | 19:24 |
dolphm | marekd: have an update to this? https://review.openstack.org/#/c/103905/ | 19:29 |
dolphm | marekd: that got messy :( | 19:30 |
*** chandan_kumar has quit IRC | 19:31 | |
marekd | dolphm: jenkins it failing on that :/ | 19:32 |
marekd | recheck bug doesnt work | 19:33 |
dolphm | marekd: ah, same issue as yesterday? | 19:33 |
*** leseb has joined #openstack-keystone | 19:33 | |
openstackgerrit | Bob Thyne proposed a change to openstack/keystone-specs: Propose Specification for Endpoint Group Filter https://review.openstack.org/102023 | 19:33 |
marekd | yes, bug was filed by stevemar but it doesnt help | 19:33 |
marekd | i pushed bunch of doc patches and they all fail on it... | 19:33 |
marekd | that's why i am holding off with adding reviewers.. | 19:33 |
marekd | regarding 103905 i forgot to remove trusted_attributes from links' sections. let me do this *now* | 19:34 |
marekd | dolphm: ^^ | 19:34 |
dolphm | marekd: thanks -- i was hoping to +2 even if jenkins is stuck | 19:35 |
marekd | dolphm: ah, ok | 19:35 |
marekd | 5 minutes please | 19:36 |
dolphm | marekd: sure - going to get caffeine | 19:36 |
marekd | dolphm: enjoy. | 19:36 |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Remove Trusted Attributes API from Identity docs https://review.openstack.org/103905 | 19:41 |
marekd | dolphm: morganfainberg ^^ | 19:41 |
boris-42 | topol thank you=) | 19:41 |
boris-42 | topol btw soon we will get profiler | 19:42 |
boris-42 | topol in gates | 19:42 |
*** rodrigods_ has joined #openstack-keystone | 19:42 | |
topol | boris-42, cool | 19:42 |
boris-42 | topol if there won't be too much issues | 19:42 |
boris-42 | topol with to much opinions=) | 19:42 |
topol | boris-42 have you been interacting a lot with the refstack team? | 19:42 |
topol | boris-42 some of my folks on that team have extensive performance optimization backgrounds. So lots of synergies there | 19:43 |
boris-42 | topol nope not a lot | 19:43 |
boris-42 | topol I have a lot of experience in making things simple=) | 19:43 |
marekd | dolphm: i also found some mistakes in mapping HTTP responses in OS-FEDERATION docs: see https://review.openstack.org/#/c/103888 | 19:43 |
topol | boris-42, nothing wrong with that | 19:44 |
boris-42 | topol making it simple to fix openstack, will fix openstack=) | 19:44 |
boris-42 | topol so refstack is not abut bencmarking | 19:44 |
boris-42 | topol they are just running havana tempest | 19:44 |
topol | boris-42. I agree | 19:44 |
boris-42 | topol btw rally can do this as well=) | 19:44 |
boris-42 | topol and from master=) | 19:44 |
dolphm | marekd: ++ | 19:44 |
topol | boris-42, just some folks over there with itnerest in common with yours. Thats all | 19:45 |
boris-42 | topol yep I know =) | 19:45 |
boris-42 | topol we spoke with them during summit | 19:45 |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Fix links sections in federation mapping docs https://review.openstack.org/103888 | 19:47 |
dstanek | henrynash: done with that review now | 19:47 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: JSON-Home PoC https://review.openstack.org/103983 | 19:49 |
marekd | dolphm: ehhh, could you please +2 https://review.openstack.org/#/c/103888/3 again? I missed the comma and added it after your review. | 19:53 |
marekd | dolphm: https://review.openstack.org/#/c/103888/2..3/v3/src/markdown/identity-api-v3-os-federation-ext.md | 19:53 |
dolphm | marekd: well now you have an extra comma :P | 19:53 |
marekd | no comma after list? | 19:54 |
dolphm | marekd: you know there's a Revert button that does all this work for you, right? | 19:54 |
marekd | dolphm: no | 19:54 |
dolphm | marekd: do you have a Revert Change button next to Review here? https://review.openstack.org/#/c/60489/ | 19:55 |
marekd | dolphm: yep. | 19:55 |
marekd | shall i use it? | 19:55 |
dolphm | marekd: push it! | 19:55 |
dolphm | marekd: it just proposed an automated patch if it can | 19:55 |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Revert "Trusted Attributes Policy for External Identity Providers" https://review.openstack.org/103986 | 19:56 |
marekd | dolphm: LOL, awesome :D :D :D | 19:56 |
marekd | dolphm: gonna abandon the other patch. | 19:57 |
dolphm | marekd: i tried to abandon it for you and did the wrong one, oops! | 19:57 |
marekd | dolphm: you abandoned the right patch? | 19:58 |
dolphm | marekd: no, you can abandon it | 19:59 |
marekd | i did | 19:59 |
dolphm | k | 19:59 |
dolphm | can anyone following the above convo +2 this one: https://review.openstack.org/#/c/103986/ | 20:00 |
dolphm | i think +A will fail due to the new doc bug | 20:00 |
marekd | dolphm: speaking about mapping docs - there should be no comma after the list? | 20:00 |
dolphm | marekd: stick it into a JSON validator and find out | 20:00 |
marekd | dolphm: right. | 20:01 |
dolphm | marekd: i use "python -m json.tool" | 20:01 |
*** nkinder_ has quit IRC | 20:02 | |
henrynash | dstanek: thc | 20:04 |
henrynash | dstanek:thx | 20:04 |
*** gokrokve has quit IRC | 20:05 | |
*** henrynash has quit IRC | 20:07 | |
marekd | dolphm: thanks | 20:10 |
openstackgerrit | Marek Denis proposed a change to openstack/identity-api: Fix links sections in federation mapping docs https://review.openstack.org/103888 | 20:10 |
*** leseb has quit IRC | 20:10 | |
*** leseb has joined #openstack-keystone | 20:10 | |
dolphm | marekd: LGTM (but it did the first time too) | 20:10 |
marekd | dolphm: thanks. hope jenkins eventually lets this go through. | 20:11 |
openstackgerrit | Harry Rybacki proposed a change to openstack/python-keystoneclient: service_id should be random uuid https://review.openstack.org/103989 | 20:14 |
*** dims__ has joined #openstack-keystone | 20:15 | |
*** leseb has quit IRC | 20:15 | |
*** dims_ has quit IRC | 20:18 | |
hrybacki | jamielennox: I'm still glancing over the session changes glance and cinder are trying to make but I'm not sure I understand the keystone side well enough to help. Any recommendations on getting up to speed? | 20:18 |
*** dims__ has quit IRC | 20:20 | |
jamielennox | hrybacki: the keystone or the keystoneclient? | 20:20 |
hrybacki | jamielennox: likely both | 20:20 |
*** erecio has quit IRC | 20:21 | |
*** marekd is now known as marekd|away | 20:21 | |
hrybacki | jamielennox: Every time I think I get it I end up just getting more confused | 20:21 |
jamielennox | i know that feeling | 20:21 |
*** gokrokve has joined #openstack-keystone | 20:23 | |
*** gokrokve has quit IRC | 20:23 | |
jamielennox | hrybacki: ok, so are you looking particulary at auth or the structure of session in general? | 20:23 |
hrybacki | jamielennox: more so the flow of everything | 20:24 |
hrybacki | jamielennox: let's take glance for example -- a user requests an image for whatever reason, assuming that glance had switched to using keystoneclient/sessions how would the whole auth process work? | 20:25 |
jamielennox | ok | 20:28 |
jamielennox | glanceclient would construct a request body and pass it through to session | 20:29 |
jamielennox | it would include an endpoint filter with things like service_type and interface | 20:29 |
*** gokrokve has joined #openstack-keystone | 20:29 | |
jamielennox | the url would simply say /images because that's the part that glance knows | 20:29 |
jamielennox | session session would get a token if required | 20:30 |
jamielennox | then it would find the endpoint (base url) for glance | 20:30 |
jamielennox | this is included in the token | 20:30 |
jamielennox | it appends /images to that url | 20:30 |
jamielennox | then it's a fairly standard HTTP call | 20:31 |
hrybacki | hmmmk | 20:32 |
*** dims__ has joined #openstack-keystone | 20:33 | |
hrybacki | what's the status on https://review.openstack.org/#/c/74908/11 ? | 20:33 |
*** gokrokve has quit IRC | 20:33 | |
hrybacki | jamielennox: ^^ | 20:33 |
*** leseb has joined #openstack-keystone | 20:36 | |
jamielennox | hrybacki: there is a problem in the gate with merging it | 20:37 |
*** amcrn has quit IRC | 20:38 | |
jamielennox | currently if you supply both a user/pass and an admin token, if the token fails then it gets cleared and falls back to user/pass | 20:38 |
jamielennox | this happens in trove in the gate and is wrong | 20:38 |
jamielennox | i have this review: https://review.openstack.org/#/c/97163/ which would fix trove | 20:39 |
jamielennox | however it's failing because of trove problems with the gate | 20:39 |
hrybacki | jamielennox: well that's frustrating | 20:39 |
jamielennox | oops, not that one | 20:39 |
jamielennox | https://review.openstack.org/#/c/100659/ | 20:39 |
jamielennox | well both would do it | 20:40 |
hrybacki | and revocation events needs 74908 | 20:41 |
jamielennox | it does? | 20:41 |
*** dims__ has quit IRC | 20:41 | |
hrybacki | sorry, my patch merging it with middleware | 20:42 |
hrybacki | or change rather | 20:42 |
jamielennox | it shouldn't really | 20:42 |
hrybacki | ayoung had a solid reason (which I can't recall presently) for using your session patch | 20:43 |
jamielennox | auth token has worked as is for a long time, converting it to session should just be standardizing things | 20:43 |
jamielennox | was it just applying pressure? | 20:43 |
jamielennox | :) | 20:43 |
hrybacki | haha | 20:43 |
*** gokrokve has joined #openstack-keystone | 20:43 | |
hrybacki | jamielennox: could I get you to glance at these fails: https://review.openstack.org/#/c/103229/ -- I think it was a jenkins mix up | 20:44 |
*** nkinder_ has joined #openstack-keystone | 20:45 | |
*** daneyon has joined #openstack-keystone | 20:47 | |
jamielennox | hrybacki: so you can make jenkins run again with a "recheck bug XXXXX" or recheck no bug | 20:48 |
jamielennox | but if it's coming from one of the python26/27 then it's probably your fault | 20:49 |
jamielennox | oh - but not always | 20:49 |
hrybacki | tox ran on my machine | 20:49 |
hrybacki | and it looked like a dependency install issue | 20:49 |
jamielennox | yea, it's a jenkins issue | 20:50 |
jamielennox | so typically go to http://status.openstack.org/rechecks/ | 20:50 |
hrybacki | okay | 20:50 |
jamielennox | the third bug looks like it's proabbly your one 1326813 | 20:51 |
hrybacki | ah, so comment 'recheck buck 1326813' | 20:51 |
jamielennox | s/buck/bug then yes | 20:51 |
hrybacki | lol | 20:52 |
hrybacki | yes recheck bug | 20:52 |
*** daneyon has quit IRC | 20:55 | |
boris-42 | jamielennox hi man | 20:55 |
*** daneyon has joined #openstack-keystone | 20:56 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Sync with oslo-incubator fd90c34a9 https://review.openstack.org/103997 | 20:56 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Config fixture from oslo-incubator is not used. https://review.openstack.org/103998 | 20:56 |
jamielennox | boris-42: hey | 20:57 |
*** guitarzan has left #openstack-keystone | 20:59 | |
boris-42 | jamielennox could you pls take a look at small patch | 21:00 |
boris-42 | jamielennox in python client | 21:00 |
boris-42 | jamielennox https://review.openstack.org/#/c/103367/1/keystoneclient/session.py | 21:00 |
boris-42 | jamielennox heh actually I can use importuils | 21:01 |
boris-42 | jamielennox cause they are in keystoneclient | 21:01 |
jamielennox | boris-42: i have never heard of that | 21:01 |
boris-42 | jamielennox about what? importutils? | 21:01 |
jamielennox | osprofiler | 21:01 |
boris-42 | jamielennox it's my lib | 21:02 |
jamielennox | i'll have to look it up, in general the only thing i'd say (without knowing how the lib works) is you can import osprofiler.web as osprofiler_web rather than do the assign | 21:02 |
boris-42 | jamielennox I think I will use oslo importuils | 21:03 |
jamielennox | boris-42: where's the repo? is there a readme there? | 21:04 |
boris-42 | jamielennox so it will be osprofier_web = try_import("osprofiler.wb", None) | 21:04 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystonemiddleware: Sync with oslo-incubator fd90c34a9 https://review.openstack.org/103999 | 21:04 |
boris-42 | jamielennox read me is in repo https://github.com/stackforge/osprofiler | 21:04 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystonemiddleware: Clean up openstack-common.conf https://review.openstack.org/104000 | 21:04 |
jamielennox | boris-42: you can, i don't think there's much of an advantage there - catching ImportError is a fairly standard operation | 21:04 |
boris-42 | jamielennox yep but there is function | 21:04 |
boris-42 | jamielennox that does exactly that | 21:04 |
jamielennox | if anything for me the except ImportError is clearer because it's an obvious python statement and i don't have to go looking for what oslo import utils does | 21:05 |
boris-42 | jamielennox https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/openstack/common/importutils.py#L68-L73 | 21:05 |
jamielennox | but whatever works | 21:06 |
boris-42 | jamielennox yep | 21:06 |
boris-42 | jamielennox try import is done to avoid dependency in python client | 21:07 |
boris-42 | jamielennox from osporifler | 21:07 |
jamielennox | yep | 21:07 |
jamielennox | so is osprofiler always on if it is imported? | 21:07 |
boris-42 | jamielennox so actually it's very lazy | 21:08 |
boris-42 | jamielennox if somewhere in the same process you did profiler.init() | 21:08 |
jamielennox | ok | 21:08 |
boris-42 | jamielennox it will add special header (actually 2) | 21:08 |
boris-42 | jamielennox otherwise it's noop method | 21:08 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystonemiddleware: Clean up openstack-common.conf https://review.openstack.org/104000 | 21:08 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystonemiddleware: Sync with oslo-incubator fd90c34a9 https://review.openstack.org/103999 | 21:08 |
boris-42 | jamielennox even if there is lib | 21:08 |
boris-42 | jamielennox we are putting this code in clients to be able to build one trace that goes through services of different projects | 21:09 |
jamielennox | so your review isn't trying to actually trying to profile the HTTP request in any way, just add the trace id context to the ongoing request | 21:09 |
*** hrybacki has quit IRC | 21:11 | |
dolphm | jamielennox: that's the next step | 21:11 |
boris-42 | jamielennox yep | 21:12 |
jamielennox | dolphm: yea, if you're going to have profiles then request() is a good one to profile | 21:12 |
boris-42 | jamielennox so another service in middleware will process it | 21:12 |
morganfainberg | raildo, back. | 21:12 |
dolphm | boris-42: so it's the clients generating the request ID, right? | 21:12 |
boris-42 | dolphm nope | 21:13 |
boris-42 | dolphm client doesn't generate anything | 21:13 |
dolphm | boris-42: oh? then i misunderstood something | 21:13 |
dolphm | boris-42: is it generated by middleware? | 21:13 |
boris-42 | it's handled by profiler | 21:13 |
boris-42 | osprofiler* | 21:13 |
boris-42 | osprofiler has thread safe list | 21:13 |
boris-42 | (that is actually stack) | 21:13 |
boris-42 | and when you are doing profiler.init(<base-id>, <parnet-id>) | 21:14 |
jamielennox | dolphm: yea, looks like the profiler is a constant for the service: https://github.com/stackforge/osprofiler/blob/master/osprofiler/web.py#L24-L28 | 21:14 |
boris-42 | you are putting to that list 2 <uuids> | 21:14 |
boris-42 | every call of profiler.start() will put one more uuid | 21:14 |
boris-42 | every proffer.stop() will pop from that list | 21:15 |
boris-42 | dolphm that's is how we are handling nested calls of profiler | 21:15 |
morganfainberg | dolphm, wanted me to look at the spec [see the ping in my scroll back] | 21:15 |
morganfainberg | ? | 21:15 |
jamielennox | boris-42: i see profiler.start and .stop in the readme - you have a contextmanager and a decorator there somewhere right? | 21:15 |
boris-42 | jamielennox yep lemme just point you to the cod | 21:16 |
boris-42 | code | 21:16 |
morganfainberg | dolphm, devstack change merged btw | 21:16 |
jamielennox | boris-42: that's ok, i just couldn't see one | 21:16 |
boris-42 | jamielennox https://github.com/stackforge/osprofiler/blob/master/osprofiler/profiler.py#L23-L24 | 21:16 |
boris-42 | jamielennox this is where we are storing profiler instance | 21:16 |
boris-42 | jamielennox this is what happens on init() https://github.com/stackforge/osprofiler/blob/master/osprofiler/profiler.py#L31-L44 | 21:16 |
jamielennox | yep | 21:16 |
boris-42 | jamielennox and this is base class https://github.com/stackforge/osprofiler/blob/master/osprofiler/profiler.py#L101 | 21:17 |
boris-42 | jamielennox it's instance is stored in thread safe varaibel | 21:17 |
boris-42 | jamielennox and here is the https://github.com/stackforge/osprofiler/blob/master/osprofiler/profiler.py#L107 | 21:17 |
jamielennox | i was just looking for an: | 21:17 |
boris-42 | trace_stack | 21:17 |
jamielennox | @osprofiler.profile(info='name') | 21:17 |
jamielennox | def func(): | 21:17 |
boris-42 | jamielennox ah there is no decorator for that | 21:17 |
boris-42 | jamielennox it will be soon | 21:17 |
boris-42 | jamielennox I was just going to write it | 21:18 |
boris-42 | there will be something like | 21:18 |
boris-42 | from osprofiler import profiler | 21:18 |
jamielennox | boris-42: ok - well the addition to session looks fine to me | 21:18 |
boris-42 | @profiler.trace(name, info={}) | 21:18 |
boris-42 | def some_method() | 21:18 |
boris-42 | so there will be 1) manual profiler.start()/stop() 2) with statement profiler.Trace() 3) and decorator @profiler.trace() | 21:19 |
dolphm | david-lyle: regarding https://blueprints.launchpad.net/horizon/+spec/federated-horizon | 21:19 |
boris-42 | jamielennox but I am not sure that we should send any notification inside python clients | 21:19 |
boris-42 | jamielennox I mean trace it | 21:19 |
boris-42 | jamielennox but probably I am wrong) | 21:19 |
dolphm | david-lyle: it *is* stalled, but it sounds like there's a new dev starting a rax (and a ux designer?) that was going to work on it. i'll try to follow up on that | 21:20 |
jamielennox | boris-42: so i guess it depends, the way i see it is that you are checking that something has done the init() already and so it's not going to affect the CLI or anything | 21:20 |
david-lyle | dolphm, that would be great, I think there's a lot to tackle there | 21:21 |
jamielennox | your other option is to add it to the requesting code on all of the servers | 21:21 |
boris-42 | jamielennox hm other opinion? | 21:21 |
boris-42 | jamielennox maybe other part of code?) | 21:21 |
boris-42 | jamielennox it will be something like that | 21:22 |
boris-42 | jamielennox https://review.openstack.org/#/c/103368/ | 21:22 |
boris-42 | jamielennox so ultimate goal is to bind everything together | 21:22 |
boris-42 | jamielennox so we will be able to add any amount of traces() in patch + change rally task config in keystone source | 21:23 |
boris-42 | jamielennox and get all these traces under load | 21:23 |
*** leseb has quit IRC | 21:23 | |
jamielennox | yep, Session.request will get you there fastest | 21:23 |
boris-42 | jamielennox and find where is the issue in one click | 21:23 |
*** rodrigods_ has quit IRC | 21:24 | |
dolphm | david-lyle: i honestly wouldn't expect it to be completed in Juno at this point, but i'd love to see us try | 21:25 |
dolphm | david-lyle: i also haven't seen deepak's work out of tree, so i could be underestimating | 21:25 |
jamielennox | boris-42: so i'm ok to carry that in session because it means you'll get it for free in the projects as i push session around | 21:26 |
boris-42 | jamielennox yep it will be nice to have this stuff in one place=) | 21:26 |
david-lyle | dolphm: prof chadwick indicated that deepak may have been a bit off course | 21:26 |
jamielennox | so long as it has no effect if profiler is not available/not initialized | 21:26 |
boris-42 | jamielennox yep no affects | 21:27 |
david-lyle | I haven't looked beyond the BP | 21:27 |
boris-42 | jamielennox lemme just update patch | 21:27 |
jamielennox | dolphm, boris-42: just to check osprofiler is something that has been approved and accepted by the community/TC? | 21:28 |
dolphm | david-lyle: that tends to be chadwick's position on a lot of things :) but i have no reason to agree/disagree in this case | 21:28 |
boris-42 | jamielennox I hope so, we already have merged it in global requirement and ceilometer | 21:28 |
boris-42 | jamielennox there is olso.messaging left=) | 21:29 |
david-lyle | dolphm: fair enough | 21:30 |
jamielennox | boris-42: that's fine - just don't want to take on anything too experimental/3rd party | 21:30 |
openstackgerrit | Boris Pavlovic proposed a change to openstack/python-keystoneclient: Add profiling support to Keystone https://review.openstack.org/103367 | 21:32 |
boris-42 | jamielennox I did it a bit nicer ^ | 21:32 |
*** dims__ has joined #openstack-keystone | 21:36 | |
*** joesavak has quit IRC | 21:42 | |
*** radez is now known as radez_g0n3 | 21:43 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Extracting get group roles for project logic to drivers. https://review.openstack.org/86025 | 21:47 |
*** leseb has joined #openstack-keystone | 21:47 | |
*** topol has quit IRC | 21:51 | |
jamielennox | boris-42: is it possible to add a get_trace_id_headers() call? | 21:51 |
boris-42 | jamielennox everything is possible | 21:52 |
boris-42 | =) | 21:52 |
*** achampion has quit IRC | 21:52 | |
boris-42 | jamielennox but there is reason why I change get_trace_id_headers() | 21:52 |
boris-42 | to add_trace_id_headers() | 21:52 |
boris-42 | jamielennox to avoid human factors =) | 21:53 |
boris-42 | jamielennox and mistakes | 21:53 |
jamielennox | its not a big deal but id feel more comfortable doing headers.update(osprofiler_web.get_trace_id_headers()) because at the point you are calling headers already contains x-auth-token whic is sensitive data | 21:53 |
boris-42 | jamielennox okay i can fix that | 21:54 |
boris-42 | jamielennox in any case I need new version | 21:54 |
boris-42 | jamielennox seems like so | 21:54 |
boris-42 | jamielennox 0.2.0 is comming | 21:54 |
jamielennox | if we do it as is i would like to call add_() when the headers dict is still empty | 21:54 |
jamielennox | or at least before token is added | 21:54 |
boris-42 | jamielennox no worries I will make via update | 21:55 |
boris-42 | jamielennox but tomorrow | 21:55 |
boris-42 | jamielennox see you=) | 21:55 |
jamielennox | boris-42: thanks, later | 21:55 |
dolphm | morganfainberg: https://review.openstack.org/#/c/102326/ merged; jamielennox: is there a patch to privatize things in auth_token? | 21:59 |
dolphm | jamielennox: i know i asked earlier, but then i think i ran away (if you answered) | 21:59 |
morganfainberg | dolphm, quick run away before he answers, then ask again in like 20 minutes :P ;) | 22:00 |
jamielennox | dolphm: i'm about half way through | 22:00 |
*** rodrigods_ has joined #openstack-keystone | 22:02 | |
*** mrda-away is now known as mrda | 22:02 | |
*** rodrigods_ has quit IRC | 22:04 | |
dolphm | morganfainberg: jamielennox: marekd|away: an api change landed in identity-api before the spec was approved or the api was finished - here's a revert https://review.openstack.org/#/c/103986/ | 22:09 |
morganfainberg | dolphm, wait how did that happne? | 22:09 |
dolphm | morganfainberg: see the reverted commit hash | 22:10 |
morganfainberg | dolphm, hm. | 22:10 |
morganfainberg | dolphm, aren't we supposed to be getting rid of the identity-api repo? | 22:10 |
morganfainberg | dolphm, on a related note | 22:10 |
dolphm | morganfainberg: relatedly, i was thinking about the same thing | 22:10 |
morganfainberg | dolphm, +2, but not sure how to fix doc builds | 22:11 |
dolphm | morganfainberg: neither do i | 22:11 |
dolphm | morganfainberg: +A'd so we can find it quickly later | 22:12 |
morganfainberg | dolphm, works for me | 22:12 |
morganfainberg | dolphm, i'm going to post (today) a fix to keystone that normalizes the HEAD and GET requests (since we need it to flip to apache deployed gate) | 22:16 |
morganfainberg | dolphm, i think it's going to break a lot of things :( | 22:16 |
dolphm | morganfainberg: response codes? | 22:16 |
morganfainberg | dolphm, yeah | 22:16 |
morganfainberg | dolphm, do what we talked about, everything is a GET,HEAD | 22:16 |
morganfainberg | and make the wsgi code strip the body | 22:16 |
dolphm | as long as they stay within the 2xx range for example, we're allowed to do so, at least | 22:16 |
morganfainberg | right, i think tempest and other things are gonna get really cranky | 22:17 |
morganfainberg | just a hunch | 22:17 |
dolphm | morganfainberg: probably :( | 22:17 |
morganfainberg | i'll tag ya on the code once i get it posted | 22:17 |
morganfainberg | how hot has San Antonio been the last couple days? | 22:18 |
morganfainberg | since... you know we're all decending there shortly :) | 22:18 |
dolphm | morganfainberg: 90's and humid | 22:18 |
morganfainberg | ah, good time to stay in doors and air conditioned! | 22:19 |
*** leseb has quit IRC | 22:20 | |
*** dstanek is now known as dstanek_zzz | 22:28 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: JSON-Home PoC https://review.openstack.org/103983 | 22:31 |
*** elmiko is now known as _elmiko | 22:33 | |
dolphm | probably should have cancelled tuesday's keystone meeting - no one showed up to the one before last hackathon | 22:34 |
bknudson | https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Not_Acceptable | 22:34 |
bknudson | "Changing which response code is returned on success " | 22:34 |
jamielennox | dolphm: let me know in advance | 22:35 |
dolphm | jamielennox: updating the agenda to say it's cancelled now | 22:35 |
jamielennox | ok | 22:35 |
*** dolphm changes topic to "Keystone meeting cancelled July 8th because | Hackathon July 9-11: http://dolphm.com/openstack-keystone-hackathon-for-juno/" | 22:37 | |
jamielennox | bknudson: fixed your question in https://review.openstack.org/#/c/95015/15 - when you get a sec | 22:38 |
*** thedodd has quit IRC | 22:38 | |
bknudson | jamielennox: thanks | 22:40 |
jamielennox | bknudson: anything i can do to get that moved along - just got another email regarding it :) | 22:40 |
*** dims__ has quit IRC | 22:44 | |
morganfainberg | bknudson, correct, except that we have a mismatch on what is returned depending on deployment method | 22:44 |
morganfainberg | bknudson, HTTP 204 is returned incorrectly on HEAD requests, apache will turn those into 200s | 22:44 |
morganfainberg | we can't really fix the latter | 22:44 |
bknudson | seems like we have a conflict between api stability and being able to run in apache | 22:45 |
bknudson | between a rock and a hard place | 22:45 |
morganfainberg | worse, we're breaking the HTTP spec | 22:46 |
morganfainberg | bknudson, The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request SHOULD be identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about the entity implied by the request without transferring the entity-body itself. This method is | 22:47 |
morganfainberg | often used for testing hypertext links for validity, accessibility, and recent modification. | 22:47 |
bknudson | we do that all over. | 22:47 |
bknudson | (break the HTTP spec) | 22:47 |
jamielennox | lol - i just had this conversation with someone earlier, swift apparently uses HEAD and returns data as well | 22:48 |
bknudson | for example we don't return Location header on created | 22:48 |
morganfainberg | i think this case we either need to fix the ~5-7 incorrect 204s or we need redact running under apache. | 22:48 |
bknudson | I don't think keystone is so bad as to return data on HEAD | 22:48 |
bknudson | morganfainberg: or have a config option!!! | 22:48 |
morganfainberg | because we can't gate on it :P | 22:49 |
*** dstanek_zzz is now known as dstanek | 22:49 | |
morganfainberg | bknudson, so i need to know if something was previously a 204? or a 200? | 22:49 |
bknudson | morganfainberg: send a note to the ml | 22:49 |
morganfainberg | bknudson, seeing how much is broken before i do that | 22:49 |
morganfainberg | bknudson, plan was to post a WIP see how broken it was then hit the ML up | 22:50 |
bknudson | morganfainberg: ok | 22:50 |
gyee | morganfainberg, jamielennox, you guys aware of any known issues with httpretty and mock? they don't seem to play nice together. Like mocking each other out of something | 22:50 |
morganfainberg | bknudson, and actually keystone doesn't prevent data from being sent on head | 22:50 |
morganfainberg | bknudson, we just tend not to do it | 22:50 |
morganfainberg | bknudson, the change i am working on would explicitly prevent body data from being sent | 22:51 |
bknudson | it would be safer to prevent it... seems like that's something any decent HTTP server lib would enforce | 22:51 |
morganfainberg | yep | 22:51 |
morganfainberg | putting the code in keystone.common.wsgi.render_response | 22:51 |
jamielennox | gyee: i don't think so | 22:52 |
jamielennox | gyee: but i hate httpretty at the moment so i'm willing to hear more | 22:52 |
morganfainberg | lol, looks like 3 bad unit tests so far, and i know of one tempest test that would be broken for sure. | 22:52 |
gyee | jamielennox, http://paste.openstack.org/show/85279/ | 22:54 |
gyee | this traceback seem to show httpretty and mock and messing with each other | 22:55 |
gyee | starts in httpretty but ends in mock | 22:55 |
gyee | some voodoo | 22:56 |
jamielennox | gyee: have you spoken to hrybacki? | 22:57 |
jamielennox | he is also looking at glanceclient and sessions | 22:58 |
*** rodrigods_ has joined #openstack-keystone | 22:58 | |
gyee | jamielennox, I have a patch going already | 22:58 |
*** dims__ has joined #openstack-keystone | 22:58 | |
gyee | https://review.openstack.org/#/c/82126/ | 22:58 |
gyee | its basically getting glanceclient to support v3 | 22:59 |
gyee | the session stuff should be a separate patch is it needs *a lot more work* | 22:59 |
jamielennox | gyee: oh, ok i didn't realize that was yours | 23:01 |
gyee | I didn't start it, just trying to finish it as the original author is not available | 23:02 |
gyee | but I can work with hrybacki on the session stuff | 23:02 |
jamielennox | gyee: yea, he's still coming up to speed - i think i should probably have started him on an easier one | 23:03 |
gyee | I spent quite a bit of time staring at that code already | 23:03 |
jamielennox | well - he asked and i said it was the 'most interesting' | 23:03 |
gyee | jamielennox, he's going to hate you :) | 23:03 |
gyee | that code is pretty hairy | 23:04 |
jamielennox | yea, i went through it again recently | 23:04 |
*** rodrigods_ has quit IRC | 23:05 | |
jamielennox | so as you're involved here want to look at https://review.openstack.org/#/c/95015/15 and https://review.openstack.org/#/c/95678/ | 23:05 |
jamielennox | they're the session loading ones from CONF and CLI | 23:05 |
jamielennox | they've both got a +2 already | 23:05 |
gyee | oh, k, lemme look it over and A+ them | 23:06 |
jamielennox | cool, because the auth plugins are the complicated part and we haven't even got there yet :) | 23:07 |
*** oomichi has joined #openstack-keystone | 23:07 | |
jamielennox | gyee: i don't see mock anywhere in that traceback | 23:08 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: JSON-Home PoC https://review.openstack.org/103983 | 23:08 |
gyee | jamielennox, btw, when you dig into glanceclient code, beware of the easter eggs they'll deposit into your environment. See https://github.com/openstack/python-glanceclient/blob/master/glanceclient/v2/shell.py#L29 | 23:08 |
jamielennox | :O | 23:08 |
jamielennox | ummm - wtf! | 23:09 |
gyee | those will cause your tests to fail spectacularly when running repeatedly | 23:09 |
jamielennox | at least they've got it isolated to the CLI | 23:09 |
jamielennox | what does it do otherwise? | 23:09 |
jamielennox | there doesn't appear to be an else case there that will do anything | 23:10 |
gyee | no idea | 23:10 |
gyee | haven't had time to dig any deeper | 23:10 |
jamielennox | what does it do? is it trying to do jsonschema on the clientside? | 23:11 |
gyee | seem like it | 23:12 |
jamielennox | it's not jsonschema | 23:12 |
gyee | that file is empty after all the tests are done | 23:12 |
gyee | but if you tox again, your env will be totally messed up | 23:13 |
gyee | I have to manually remove that file after each test run | 23:13 |
jamielennox | lol | 23:13 |
bknudson | gyee: mock it | 23:13 |
gyee | mock yeah! | 23:13 |
jamielennox | it seems to be something like setting CLI args based on what it can discover from glance that the properties are | 23:14 |
jamielennox | i can't see the request though | 23:14 |
jamielennox | gyee: regarding httpretty i made my own replacement that i'm going to try and get through requirements | 23:16 |
jamielennox | it's requests only but it's just less of a pain | 23:17 |
gyee | jamielennox, cool, I think there's an issue with using httpretty and mock together, but I can't pinpoint it yet | 23:18 |
jamielennox | and it's a fairly easy conversion from httpretty so for something like glance which is still httplib you'd go tests -> httpretty -> requests_mock | 23:18 |
jamielennox | i'm not really sure how to start that ball rolling, just a review against requirements? | 23:18 |
gyee | yeah, if you are making your own package | 23:19 |
jamielennox | yea, it's all pypi-ed and readthedocs etc | 23:19 |
jamielennox | https://github.com/jamielennox/requests-mock | 23:20 |
jamielennox | just means once it's in requirements it needs to be api stable | 23:21 |
gyee | once its in global requirements then we can make use of it | 23:21 |
jamielennox | i just spent ages converting the nova tests to use it, will have to switch them all | 23:23 |
jamielennox | use httpretty i mean | 23:23 |
jamielennox | but i'm so sick of httpretty | 23:23 |
gyee | yeah need to find out what's the deal with httpretty and mock, I may end up dropping it and use mock exclusively for now | 23:25 |
jamielennox | what are you mocking? | 23:27 |
gyee | version discovery | 23:27 |
gyee | version discovery from keystone | 23:27 |
jamielennox | via mock? | 23:27 |
gyee | yeah, maybe we should add this in keystoneclient fixtures | 23:28 |
jamielennox | https://review.openstack.org/#/c/99846/ | 23:28 |
gyee | ha! | 23:28 |
jamielennox | my point was more that why are you doing it via mock rather than httpretty? | 23:29 |
jamielennox | i'm not sure the -1s there are valid so you can review that one too | 23:29 |
gyee | yeah, going through them | 23:29 |
gyee | jamielennox, Haneef's comment is valid | 23:30 |
gyee | version discovery is not in the official v3 spec | 23:31 |
gyee | so not all cloud provider are supporting it at the moment | 23:31 |
jamielennox | right but in terms of a fixture i only want to support building something that is valid right? | 23:31 |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/104018 | 23:32 |
gyee | right, but we are raising DiscoveryFailure if version data is available but incompatible | 23:33 |
jamielennox | ok, but that's not to do with the fixture code, that's to do with general discovery | 23:34 |
gyee | so we have 3 possible cases 1) identity service supports version discovery; 2) identity service support version discovery but incompatible with keystoneclient, and 2) identity service does not support version discovery | 23:34 |
gyee | well, fixtures are used to aide testing right? | 23:35 |
gyee | if we can test all three scenarios in one place that would be awesome | 23:35 |
jamielennox | but isn't that all tested by the discovery code we already have? | 23:37 |
jamielennox | most of that test_discovery file is testing exactly that | 23:37 |
gyee | integration tests? | 23:38 |
gyee | for example, I need something to cause a DiscoveryFailure from discovery so I can catch that error in glanceclient and act accordingly | 23:40 |
gyee | maybe that I can do with just mock | 23:40 |
gyee | ignore what Haneef said then :) | 23:41 |
jamielennox | but you could create a v2 only discovery and then look for v3 to do that | 23:42 |
jamielennox | i just feel this is testing the functionality of the discover command, where this review is about a fixture - the opposite side | 23:43 |
jamielennox | gyee: if you have an example of a test that i could add for a +2 i'll do it | 23:47 |
gyee | jamielennox, https://review.openstack.org/#/c/82126/25/tests/test_shell.py line 255 | 23:49 |
gyee | that test case simulates identity service does not support version discovery | 23:49 |
gyee | jamielennox, question on https://review.openstack.org/#/c/95678/6/keystoneclient/session.py | 23:50 |
gyee | do we need to worry about the backward compatbility options | 23:51 |
gyee | like --certfile --keyfile | 23:51 |
jamielennox | gyee: we will but not in the general case i think | 23:51 |
jamielennox | so i like to think as if we were starting from scratch what would we need to provide to that client | 23:51 |
gyee | reason I am asking is that once clients are integrated with this code, they'll still need to maintain backward compatibility for awhile | 23:51 |
gyee | so they'll need to handle those options separately | 23:52 |
jamielennox | and we don't want to load up a helper mechanism with deprecated optoins that it never had | 23:52 |
jamielennox | yep, it'll be up to the client code to handle the deprecation from the old parameter to the new one | 23:52 |
gyee | jamielennox, I agree with you | 23:52 |
jamielennox | i think those options are fairly standard though? | 23:52 |
jamielennox | i took them from keystoneclient which took them from novaclient... | 23:53 |
gyee | yes, problem is each client have their own legacy options | 23:53 |
jamielennox | dtroyer did a cleanup of all these things a while ago | 23:53 |
jamielennox | gyee: yea, we can't support all those cases in a general way | 23:53 |
gyee | but sure, lets force them to converge into one set | 23:53 |
gyee | user experience ftw! | 23:53 |
gyee | consistent user experience | 23:54 |
jamielennox | yep, the old clients may be always a bit screwy the new ones will be fine | 23:58 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Session loading from conf https://review.openstack.org/95015 | 23:59 |
jamielennox | also if we really get pushback on things like it should support --os-cert-file then it's easier to add it later than remove it | 23:59 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!