Thursday, 2014-07-17

« Wednesday, 2014-07-16 Index Friday, 2014-07-18 »
*** topol has quit IRC00:05
*** bknudson has joined #openstack-keystone00:07
*** oomichi has joined #openstack-keystone00:08
*** hrybacki has quit IRC00:09
*** bknudson has quit IRC00:11
*** alex_xu has joined #openstack-keystone00:18
*** mgarza has quit IRC00:21
*** dims_ has quit IRC00:21
*** bknudson has joined #openstack-keystone00:28
bknudsondstanek: https://review.openstack.org/#/c/95827/8 ?? what's up with this?00:36
dstanekbknudson: we can't officially support Python3 with that, but it's sorta necessary now so that I can start testing that stuff00:37
dstanekbknudson: the official version doesn't do Py3 and the haven't merged this guys changes in yet00:37
bknudsondstanek: do you want it merged?00:37
bknudsoninto keystone?00:37
dstanekbknudson: i think so, but maybe that would be a good topic for the next meeting00:37
bknudsondstanek: there's a bunch of other changes piled up behind it that it seems like we could merge.00:38
dstaneki'm going to mark it a wip and move it out of the way00:38
dstanekand add a meeting agenda item to discuss00:38
bknudsonalso, tip to reviewers -- if the change depends on another one review the base change first.00:39
openstackgerritA change was merged to openstack/keystone-specs: Updated from global requirements  https://review.openstack.org/10623300:43
*** dims_ has joined #openstack-keystone00:44
openstackgerritA change was merged to openstack/keystone: Avoid loading a ref from SQL to delete the ref  https://review.openstack.org/10614001:31
*** topol has joined #openstack-keystone01:31
*** lbragstad has joined #openstack-keystone01:34
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove fixture from openstack-common.conf  https://review.openstack.org/10325501:37
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use config fixture from oslo.config  https://review.openstack.org/10325401:37
openstackgerritA change was merged to openstack/keystone: Sync with oslo-incubator  https://review.openstack.org/10721701:40
bknudsondolphm: look familiar? https://review.openstack.org/#/c/105634/01:44
*** stevemar has joined #openstack-keystone01:44
*** mberlin1 has joined #openstack-keystone01:55
*** mberlin has quit IRC01:56
*** marcoemorais1 has quit IRC01:58
*** richm has quit IRC01:59
openstackgerritA change was merged to openstack/keystone: Update the configuration docs for the revocation extension  https://review.openstack.org/10641602:01
*** spandhe has quit IRC02:01
*** dobson has joined #openstack-keystone02:01
*** oomichi has quit IRC02:03
*** gokrokve has joined #openstack-keystone02:11
*** dims_ has quit IRC02:17
*** gokrokve has quit IRC02:23
ayoungbknudson, https://review.openstack.org/#/c/104734/8  Does a singleton make any more sense than a constant string?  It is going to be passed as a string from outside.02:27
ayoungdstanek, added some LDAP smart people to that patch, in order to make sure we are all tracking on the py3 LDAP issues.02:29
*** gabriel-bezerra has quit IRC02:29
*** gabriel-bezerra has joined #openstack-keystone02:30
*** gokrokve has joined #openstack-keystone02:40
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a Python3 syntax error  https://review.openstack.org/10273402:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more test modules that pass on Py3  https://review.openstack.org/10273502:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/9582702:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes test_exceptions.py for Python3  https://review.openstack.org/10273702:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes test_wsgi for Python3  https://review.openstack.org/10273602:50
*** gabriel-bezerra has quit IRC02:50
*** gabriel-bezerra has joined #openstack-keystone02:51
*** chandankumar has joined #openstack-keystone02:51
*** chandankumar has quit IRC02:52
*** chandankumar has joined #openstack-keystone02:55
*** lbragstad has quit IRC02:56
openstackgerritayoung proposed a change to openstack/python-keystoneclient: use embedded URLs for hyperlinks in the README  https://review.openstack.org/10363603:02
morganfainbergbknudson, so, I have no idea what you're expecting from the "Sane startup of a system"03:03
morganfainbergbknudson, re removing DI03:03
morganfainbergbknudson, what is "sane" startup with a set of managers that depend on each other03:04
*** ayoung has quit IRC03:04
morganfainbergis there an instance of each manager on the manager that needs that dependency?03:04
morganfainbergbknudson, what does the startup end up looking like? I just am no sure how to make a 'clear and understandable startup' with the combination of managers we have (beyond that DI needs to go away)03:05
*** gokrokve has quit IRC03:15
*** gokrokve has joined #openstack-keystone03:15
*** gokrokve has quit IRC03:19
*** alex_xu has quit IRC03:33
*** chandankumar has quit IRC03:34
*** alex_xu has joined #openstack-keystone03:45
*** chandankumar has joined #openstack-keystone03:48
*** alex_xu has quit IRC03:50
*** jaosorior has joined #openstack-keystone03:54
*** alex_xu has joined #openstack-keystone04:02
*** amcrn has quit IRC04:03
*** gabriel-bezerra has quit IRC04:30
*** gabriel-bezerra has joined #openstack-keystone04:30
*** amcrn has joined #openstack-keystone04:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Use token and discovery fixture in identity tests  https://review.openstack.org/10755404:37
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Control identity plugin reauthentication  https://review.openstack.org/10755504:37
*** chandankumar has quit IRC04:48
*** jamielennox is now known as jamielennox|away04:48
*** gokrokve has joined #openstack-keystone04:54
*** chandankumar has joined #openstack-keystone04:56
*** dims_ has joined #openstack-keystone04:57
*** chandankumar has quit IRC04:57
*** chandankumar has joined #openstack-keystone05:00
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Mark the 'check_vX_token' methods deprecated  https://review.openstack.org/10756005:00
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move token persistence classes to token.persistence module  https://review.openstack.org/10756105:00
openstackgerritArun Kant proposed a change to openstack/keystone: Adding support for ldap connection pooling.  https://review.openstack.org/9530005:01
*** dims_ has quit IRC05:02
*** gokrokve has quit IRC05:17
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move token persistence classes to token.persistence module  https://review.openstack.org/10756105:21
openstackgerritA change was merged to openstack/python-keystoneclient: remove useless part of error message  https://review.openstack.org/10712205:22
*** shausy has joined #openstack-keystone05:25
*** topol has quit IRC05:28
*** jamielennox|away is now known as jamielennox05:29
*** morganfainberg is now known as morganfainberg_Z05:33
openstackgerritA change was merged to openstack/identity-api: Fix typo  https://review.openstack.org/10713805:40
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Versioned Endpoint hack for Sessions  https://review.openstack.org/9063205:40
*** daneyon has joined #openstack-keystone05:45
*** daneyon_ has quit IRC05:47
openstackgerritA change was merged to openstack/python-keystoneclient: Fix mistakes in token fixtures  https://review.openstack.org/10722805:52
*** dims_ has joined #openstack-keystone05:58
*** dims_ has quit IRC06:02
*** daneyon has quit IRC06:02
*** daneyon has joined #openstack-keystone06:02
*** andreaf has quit IRC06:05
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10693906:06
*** gabriel-bezerra has quit IRC06:06
*** andreaf has joined #openstack-keystone06:06
*** gabriel-bezerra has joined #openstack-keystone06:07
*** tomoiaga has joined #openstack-keystone06:14
*** k4n0 has joined #openstack-keystone06:22
*** andreaf has quit IRC06:23
*** andreaf has joined #openstack-keystone06:24
*** huats_ has joined #openstack-keystone06:31
*** huats_ has joined #openstack-keystone06:31
*** gabriel-bezerra has quit IRC06:32
*** gabriel-bezerra has joined #openstack-keystone06:32
*** mfisch has quit IRC06:34
*** alex_xu has quit IRC06:34
*** d0ugal has quit IRC06:34
*** gmurphy has quit IRC06:34
*** mfisch` has joined #openstack-keystone06:34
*** k4n0 has quit IRC06:34
*** huats has quit IRC06:34
*** alex_xu has joined #openstack-keystone06:34
*** gabriel-bezerra has quit IRC06:34
*** gmurphy has joined #openstack-keystone06:35
*** gabriel-bezerra has joined #openstack-keystone06:35
*** d0ugal has joined #openstack-keystone06:36
*** k4n0 has joined #openstack-keystone06:36
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Isolate get_discovery function  https://review.openstack.org/10756906:37
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow unauthenticated discovery  https://review.openstack.org/10757006:37
openstackgerritA change was merged to openstack/keystone: Migrate default extensions  https://review.openstack.org/9632606:38
openstackgerritA change was merged to openstack/python-keystoneclient: Add v2 Token manager authenticate tests  https://review.openstack.org/10476906:38
*** dvorak has quit IRC06:38
*** dims_ has joined #openstack-keystone06:58
*** andreaf has quit IRC07:02
*** dims_ has quit IRC07:04
*** jamielennox is now known as jamielennox|away07:05
*** dstanek is now known as dstanek_zzz07:06
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.  https://review.openstack.org/9970407:08
*** BAKfr has joined #openstack-keystone07:15
*** daneyon has quit IRC07:19
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series  https://review.openstack.org/10732807:21
*** daneyon has joined #openstack-keystone07:22
openstackgerritA change was merged to openstack/python-keystoneclient: Test that tenant list function can use auth_url  https://review.openstack.org/10477007:38
*** harlowja is now known as harlowja_away07:41
*** daneyon has quit IRC07:52
*** daneyon has joined #openstack-keystone07:52
*** andreaf has joined #openstack-keystone07:55
*** dims_ has joined #openstack-keystone07:59
*** tkelsey has joined #openstack-keystone08:00
*** andreaf has quit IRC08:01
*** stevemar has quit IRC08:01
*** dims_ has quit IRC08:06
*** rwsu has quit IRC08:13
*** andreaf has joined #openstack-keystone08:17
*** daneyon has quit IRC08:22
*** afazekas has joined #openstack-keystone08:26
*** daneyon has joined #openstack-keystone08:28
*** dims_ has joined #openstack-keystone08:28
*** dims_ has quit IRC08:32
*** mrmoje has joined #openstack-keystone08:34
*** bvandenh has joined #openstack-keystone08:35
*** daneyon has quit IRC08:45
*** daneyon has joined #openstack-keystone08:47
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains  https://review.openstack.org/10739309:01
*** alex_xu has quit IRC09:15
*** dstanek_zzz is now known as dstanek09:16
*** bvandenh has quit IRC09:35
*** Dafna has quit IRC09:43
*** bvandenh has joined #openstack-keystone09:47
*** kwss has joined #openstack-keystone09:48
*** ajayaa has joined #openstack-keystone09:49
openstackgerritA change was merged to openstack/keystone: Fixes the order of assertEqual arguments  https://review.openstack.org/7751409:58
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains  https://review.openstack.org/10739310:01
*** fmarco76 has joined #openstack-keystone10:02
*** fmarco76 has left #openstack-keystone10:03
*** daneyon has quit IRC10:10
*** daneyon has joined #openstack-keystone10:15
*** ajayaa has quit IRC10:22
*** chandankumar has quit IRC10:25
*** dims_ has joined #openstack-keystone10:25
*** chandankumar has joined #openstack-keystone10:33
*** andreaf has quit IRC10:34
*** andreaf has joined #openstack-keystone10:35
*** afazekas has quit IRC10:35
*** ajayaa has joined #openstack-keystone10:36
*** ajayaa has quit IRC10:48
*** Dafna has joined #openstack-keystone11:00
*** daneyon has quit IRC11:01
*** afazekas has joined #openstack-keystone11:02
*** daneyon has joined #openstack-keystone11:04
*** ajayaa has joined #openstack-keystone11:13
*** diegows has joined #openstack-keystone11:24
*** Dafna has quit IRC11:29
*** daneyon has quit IRC11:34
*** daneyon has joined #openstack-keystone11:36
*** Dafna has joined #openstack-keystone11:43
*** daneyon has quit IRC12:02
*** dvorak has joined #openstack-keystone12:03
*** daneyon has joined #openstack-keystone12:04
*** shausy has quit IRC12:07
*** daneyon has quit IRC12:20
*** daneyon has joined #openstack-keystone12:21
*** diegows has quit IRC12:21
*** dims_ has quit IRC12:30
*** jdennis has joined #openstack-keystone12:32
*** gabriel-bezerra has quit IRC12:36
*** andreaf has quit IRC12:36
*** gabriel-bezerra has joined #openstack-keystone12:37
*** andreaf has joined #openstack-keystone12:37
*** dims has joined #openstack-keystone12:39
*** miqui has joined #openstack-keystone12:41
*** richm has joined #openstack-keystone12:46
*** chandankumar has quit IRC12:50
*** gabriel-bezerra has quit IRC12:50
*** gabriel-bezerra has joined #openstack-keystone12:51
openstackgerritJustin Shepherd proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204112:57
*** bvandenh has quit IRC12:59
*** k4n0 has quit IRC13:01
*** toddnni has quit IRC13:01
*** lbragstad has joined #openstack-keystone13:04
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor set domain-id and mapping code  https://review.openstack.org/10768013:04
*** lbragstad has quit IRC13:05
*** lbragstad has joined #openstack-keystone13:05
*** chandankumar has joined #openstack-keystone13:07
*** joesavak has joined #openstack-keystone13:15
*** ayoung has joined #openstack-keystone13:22
*** gokrokve has joined #openstack-keystone13:23
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Introduce pragma no cover to asbtract classes  https://review.openstack.org/10769513:33
*** bknudson has quit IRC13:35
*** ajayaa has quit IRC13:47
*** gokrokve has quit IRC13:50
*** gokrokve has joined #openstack-keystone13:51
*** daneyon has quit IRC13:51
*** bknudson has joined #openstack-keystone14:00
*** daneyon has joined #openstack-keystone14:02
*** mrmoje has quit IRC14:04
*** mrmoje has joined #openstack-keystone14:04
*** vhoward has joined #openstack-keystone14:07
*** topol has joined #openstack-keystone14:09
*** joesavak has quit IRC14:30
*** jdennis has quit IRC14:31
*** amcrn has quit IRC14:31
*** lbragstad has quit IRC14:32
*** hrybacki has joined #openstack-keystone14:33
openstackgerritSean Dague proposed a change to openstack/python-keystoneclient: Only conditionally import working keyring  https://review.openstack.org/10771914:33
*** gokrokve has quit IRC14:33
*** gokrokve has joined #openstack-keystone14:34
*** morganfainberg_Z is now known as morganfainberg14:35
*** mrmoje has quit IRC14:36
*** mrmoje has joined #openstack-keystone14:37
*** jdennis has joined #openstack-keystone14:38
*** gokrokve has quit IRC14:38
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more test modules that pass on Py3  https://review.openstack.org/10273514:40
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/9582714:40
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes test_exceptions.py for Python3  https://review.openstack.org/10273714:40
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes test_wsgi for Python3  https://review.openstack.org/10273614:40
*** morganfainberg is now known as morganfainberg_Z14:40
*** spandhe has joined #openstack-keystone14:41
*** morganfainberg_Z is now known as morganfainberg14:41
*** gokrokve has joined #openstack-keystone14:43
*** david-lyle has joined #openstack-keystone14:46
*** daneyon has quit IRC14:46
*** daneyon has joined #openstack-keystone14:48
*** lbragstad has joined #openstack-keystone14:53
*** gokrokve_ has joined #openstack-keystone14:54
*** thedodd has joined #openstack-keystone14:55
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 wrapper plugin for full federation authN  https://review.openstack.org/10675114:57
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.  https://review.openstack.org/9970414:57
*** spandhe_ has joined #openstack-keystone14:58
*** daneyon_ has joined #openstack-keystone15:01
*** lbragstad has quit IRC15:02
*** tomoiaga has quit IRC15:02
*** morganfainberg is now known as morganfainberg_Z15:02
*** daneyon has quit IRC15:02
*** gokrokve has quit IRC15:02
*** spandhe has quit IRC15:02
*** spandhe_ is now known as spandhe15:02
*** mrmoje has quit IRC15:02
*** andreaf has quit IRC15:02
*** Dafna has quit IRC15:02
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.  https://review.openstack.org/9970415:03
*** andreaf has joined #openstack-keystone15:03
*** mrmoje has joined #openstack-keystone15:04
*** stevemar has joined #openstack-keystone15:05
*** Dafna has joined #openstack-keystone15:07
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 wrapper plugin for full federation authN  https://review.openstack.org/10675115:07
*** huats_ is now known as huats15:11
*** lbragstad has joined #openstack-keystone15:14
openstackgerritJustin Shepherd proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204115:16
*** daneyon_ has quit IRC15:18
*** daneyon has joined #openstack-keystone15:20
*** gokrokve_ has quit IRC15:21
*** gokrokve has joined #openstack-keystone15:22
*** andreaf has quit IRC15:23
*** morganfainberg_Z is now known as morganfainberg15:24
*** gokrokve has quit IRC15:26
openstackgerritBob Thyne proposed a change to openstack/identity-api: Update OS-EP-FILTER API  https://review.openstack.org/10629215:27
*** daneyon has left #openstack-keystone15:28
*** spandhe has quit IRC15:29
*** hrybacki has quit IRC15:30
openstackgerritBob Thyne proposed a change to openstack/identity-api: Update OS-EP-FILTER API  https://review.openstack.org/10629215:32
ayoungstevemar, did you really -1 morganfainberg 's  run_tests.sh patch because it doesn't support a tox option not supported by the origianl run_tests code?  Don't you think that would be scope creep for this patch?15:34
morganfainberglol15:34
stevemarayoung, i guess i really did15:34
ayoungstevemar, we are like -1 happy here15:37
ayoungstevemar, I was just looking at that as he documents how to do failfast.  I'd like to update run_tests.sh as I think it will help developers.  Care to rethink your vote on that, so we can get it on through?15:38
stevemarayoung, it's how i ask questions, i'm not stating that i need/want support for all envs.15:38
ayoungstevemar, and in general it is not a bad approach, but the -1 does tend to stop reviews in their tracks.15:39
ayoungFor something like this that is not security, runtime, or public doc facing, I would favor a "get it in and see what breaks"  approach15:40
stevemarayoung, theres been 3 reviews on this patch in almost 20 days :( - i doubt my -1 stopped anything15:40
*** xianghui has quit IRC15:40
stevemarayoung, but yeah, i agree that it's not security or runtime or public docs, so i should go easier on it15:41
ayoungstevemar, its more of a Keystone Cultural thing..., every -1 is minuscule, but with so many reviews, in bulk, they add up.15:42
ayoungstevemar, I guess I am asking you to +2 so I can +2a and start using it without having  to rebase my other patches15:42
stevemarayoung, more than happy to oblige15:43
ayoungthanks15:43
stevemarayoung, +a'ed :)15:43
ayoung++  thanks15:43
stevemari ain't unreasonable! it was just a question, albeit a silly one (didn't remember that debug was part of the original env)15:44
stevemarI recall trying to use pdb and the new run_tests, and it failing / not stopping the same way15:44
morganfainbergtopol, let me know when you got a sec.15:46
topolmorganfainberg, here15:46
openstackgerritSean Dague proposed a change to openstack/python-keystoneclient: Only conditionally import working keyring  https://review.openstack.org/10771915:50
stevemarayoung, care to return the favor: https://review.openstack.org/#/c/106292/ ? :)15:50
stevemarayoung, oops! https://review.openstack.org/#/c/106407/515:50
stevemarayoung, and possibly this one too :) https://review.openstack.org/#/c/106474/15:51
stevemaryou probably should review them since they are revocation related changes15:52
ayoungstevemar, is 106292  not one you are requestine me to look at?15:52
stevemarayoung, I'm reviewing 106292 now, that was a copy pasta error on my part15:52
ayoungOK15:52
ayounghttps://review.openstack.org/#/c/106474/1  +A15:53
*** diegows has joined #openstack-keystone15:53
ayoung https://review.openstack.org/#/c/106407/5  +A15:54
stevemarayoung, yay!15:54
*** hrybacki has joined #openstack-keystone15:55
*** hrybacki has quit IRC15:56
*** hrybacki has joined #openstack-keystone15:56
*** xianghui has joined #openstack-keystone15:57
*** henrynash has joined #openstack-keystone15:58
henrynashmorganfainberg: quick question on HEAD/GET…..15:59
morganfainberghenrynash, of course15:59
morganfainberghenrynash, what can i answer for you :)15:59
henrynashmorgafainberg: did you change it so taht wherever we do a HEAD< we have a GET…or both ways?16:00
morganfainbergwherever we have a HEAD we should have a GET16:00
morganfainbergand those should return the same16:00
henrynashmorgainfainberg: i.e. there are always matching HEADs & GETs for every entity16:00
morganfainbergbut i did not add a HEAD where we had GETs16:00
morganfainbergthat was out of scope for the immidiate fix16:00
*** afazekas has quit IRC16:01
morganfainberghenrynash, i want to add HEAD calls for each GET that doesn't have it. but it was a lot more code and i was concerned about the backport being too big.16:01
henrynashmorganfainberg: ok, that’s what I thought….so if we are adding new APIs that have a GET…..would you say we should add a HEAD?16:01
morganfainberghenrynash, I'd support that16:01
*** tkelsey has quit IRC16:01
morganfainberghenrynash, and anyplace you have a HEAD call it must implement GET and return the *exact* same data.16:01
henrynashmorganfainberg: ok, yep, I agree….thanks16:02
morganfainberglet apache/keystone.common.wsgi strip out the body16:02
morganfainberghenrynash, sure thing!16:02
morganfainbergayoung, stevemar, bknudson, before i duck out to continue working on non-persistent-tokens any specific code that needs eyes?16:03
* morganfainberg is in review-code-mode while eating breakfast.16:03
morganfainberghenrynash, dolphm, ^16:03
bknudsonmorganfainberg: https://review.openstack.org/#/c/104400/16:03
henrynashmorganfainberg: sure thing16:03
morganfainbergbknudson, NICE++++ on that one landing16:03
bknudsonmorganfainberg: https://review.openstack.org/#/c/103997/ -- easy one16:04
*** stevemar has quit IRC16:04
morganfainbergbknudson, +2/+A on that 2nd one16:04
bknudsonmorganfainberg: https://review.openstack.org/#/c/94679/16:05
morganfainbergbknudson, i thought that one had merged already16:05
*** kwss has quit IRC16:06
*** chandankumar has quit IRC16:06
bknudsonmorganfainberg: those were the obvious ones from me.16:08
morganfainbergbknudson, ++16:08
*** vhoward has left #openstack-keystone16:11
dolphmbknudson: morganfainberg: a bunch of stuff has merged in last 24 hours!16:11
dolphmmorganfainberg: bknudson: the blocker for lbragstad's series in gating to tempest now as well16:11
morganfainbergdolphm, W00t!16:12
dolphmmorganfainberg: bknudson: we should be able to recheck his stuff soon- https://review.openstack.org/#/c/106420/16:12
morganfainbergdolphm, didn't https://bugs.launchpad.net/keystonemiddleware/+bug/1336056 get fixed?16:17
uvirtbotLaunchpad bug 1336056 in keystonemiddleware "Keystone V3 Should Be Used By Default Over V2" [Wishlist,Triaged]16:17
morganfainbergthat was your v3 patch16:17
*** gokrokve has joined #openstack-keystone16:23
*** BAKfr has quit IRC16:27
*** joesavak has joined #openstack-keystone16:32
morganfainbergbknudson, oooh does the i18n change mean we don't import pbr directly in keystone anymore?16:35
morganfainbergoh no it was just moved16:35
morganfainbergnvm16:35
*** afazekas has joined #openstack-keystone16:39
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a Python3 syntax error  https://review.openstack.org/10273416:43
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more test modules that pass on Py3  https://review.openstack.org/10273516:43
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/9582716:43
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes test_exceptions.py for Python3  https://review.openstack.org/10273716:43
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes test_wsgi for Python3  https://review.openstack.org/10273616:43
*** lbragstad has quit IRC16:44
dolphmmorganfainberg: yes! we don't have a hudson bot on keystonemiddleware16:44
morganfainbergooh16:44
morganfainberglet me figure out how to fix that.16:44
*** lbragstad has joined #openstack-keystone16:45
*** gabriel-bezerra has quit IRC16:45
*** gabriel-bezerra has joined #openstack-keystone16:46
*** rwsu has joined #openstack-keystone16:55
mhuHi, is there a way to run tox tests using python-keystoneclient from the github master branch rather than the PyPI version in test-requirements ?16:57
*** gabriel-bezerra has quit IRC16:57
*** gabriel-bezerra has joined #openstack-keystone16:57
ayoungarunkant, you got a moment to talk your ldap pooling patch?17:06
ayoungarunkant, it looks like you duplicated some of the pool tests in the live version, and I was wondering if that was intentional or just due to not knowing how to mix the liveldap tests with the pool tests.17:07
*** dstanek is now known as dstanek_zzz17:11
*** Dafna has quit IRC17:16
*** dstanek_zzz is now known as dstanek17:17
dstanekmhu: you can always install the master version into your tox venv17:19
dstanekmhu: also i'm pretty sure tests_keystoneclient.py tests do use master as well as certain versions17:20
*** harlowja_away is now known as harlowja17:20
*** afazekas has quit IRC17:22
*** bvandenh has joined #openstack-keystone17:28
*** marcoemorais has joined #openstack-keystone17:30
*** thedodd has quit IRC17:33
mhudstanek, thx, the tests_keystoneclient.py approach doesn't suit me so I'll look into the tox venv17:34
*** amcrn has joined #openstack-keystone17:49
dstanekmhu, what are you trying to do?17:53
mhudstanek, trying to leverage keystoneclient auth plugins in python-openstackclient17:55
mhuthe merge was done about a week ago or so in keystoneclient17:55
openstackgerritayoung proposed a change to openstack/keystone: Make run_tests.sh a wrapper for tox  https://review.openstack.org/10328217:55
openstackgerritayoung proposed a change to openstack/keystone: No default assignment backend  https://review.openstack.org/10778517:55
mhudstanek, this: https://review.openstack.org/gitweb?p=openstack%2Fpython-keystoneclient.git;a=commitdiff;h=5c91ede44768ebbb2fff12f9a7c93e63b9bbd56d17:57
ayoungmorganfainberg, http://paste.openstack.org/show/86997/  what is causing that?18:00
morganfainberguhm.18:01
ayoungmorganfainberg, hmm, I have a venv activated...18:01
morganfainberghaven't seen that before18:01
ayounglet me deactivate18:01
morganfainbergmight be making things a bit wonky18:02
ayoungmorganfainberg, I get it all the time.... I need to figure out why and make it not happen18:02
ayoungmorganfainberg, now I get http://paste.openstack.org/show/86999/18:02
morganfainbergvenv out of date?18:03
ayoungmorganfainberg, shouldn't -u take care of that18:03
morganfainberg-r ?18:03
ayoungmorganfainberg, that was for tox.18:03
ayoungI just ran tox -epy27 -r18:03
ayoungpriopr to run_tests.sh18:03
*** stevemar has joined #openstack-keystone18:04
morganfainbergoh, under tox there isn't / wasn't a way to "update" the venv18:04
morganfainbergafaict18:04
morganfainbergonly complete rebuild18:04
morganfainberglooks like i might have changed -u to -r in the new one, sorry >.<18:04
ayoung-r in tox was a full recreate18:05
ayoung-u was just an update in run_tests, much faster18:05
morganfainbergright18:05
morganfainbergwhich doesn't work in tox18:05
morganfainbergthere is no *update venv*18:05
morganfainbergafact18:05
morganfainbergchange in run_tests when i made it a wrapper for tox18:06
ayoungmorganfainberg, OK,  wiping the .tox subdir and trying from scratch18:06
ayoung./run_tests.sh -x18:06
ayounglets see what happens...18:06
* ayoung takes nap while tox runs18:06
morganfainbergthe issue is you passed -u which was then passed to subunit18:06
morganfainbergwhich i think is what was causing that OSError18:06
ayoungmorganfainberg, ok,  so we need to swallow the -u in run_tests for now18:07
morganfainbergayoung, or just alias -u and -f to -r18:14
ayoungmorganfainberg, -f yes....-u exist out for now saying cannot support18:14
ayoungexit out18:14
morganfainbergsure18:14
ayoungrebuilding is expensive.  I am still waiting18:15
ayoungmorganfainberg, is there any reason we have a separate venv for pep8 and py27?18:15
ayounginside of tox, I mean.  Shouldn't pep 8 run on the py27 code ?18:15
morganfainbergpep8 uses the default for your platform18:15
morganfainbergi think18:15
morganfainberg*shrug* we inherited that from a long time ago18:15
ayoungbuilding 2 venvs is time consuming.  I assume the pep8 one is a subset of the p72718:16
ayoungpy2718:16
*** tkelsey has joined #openstack-keystone18:16
morganfainbergthye are actually the same18:16
morganfainbergboth do pip -r requirements.txt -r test-requirements.txt18:16
ayoungmorganfainberg, yeah, I meant that running pep8 requires a subset of the requirements for py27, but that they use the same versions of python files to fulfill18:19
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke domain scoped tokens  https://review.openstack.org/10719418:19
*** joesavak has quit IRC18:19
ayoungbascially, we can merge the two together, and in the future run pep8-py3318:19
ayoungmorganfainberg, I'm actually thinking that running tox -epy27 could run pep8 first anyway18:20
morganfainbergayoung, in most cases it requires the full requirements/test-requirements because flake8 does the 'make sure import modules only' which does import inspection and imports things to make sure they are modules18:20
dstanektopol: I always have time for your questions!18:20
morganfainbergayoung, we should not do that, it would make gate unhappy18:20
morganfainbergayoung, it would mean a pep8 failure would fail py27, not a good indicator.18:21
ayoungmorganfainberg, I would be 100% fine with that18:21
ayoungpep8 is like the compiler;  don't do anything unless it runs 100%18:21
morganfainbergayoung, but that isn't the way it works for check/gate18:21
morganfainbergit makes it easy to know if you have a pythong issue or a pep8 violation18:21
ayoungunderstood18:21
openstackgerritA change was merged to openstack/keystone: LDAP: Added documentation for debug_level option  https://review.openstack.org/9467918:21
openstackgerritA change was merged to openstack/keystone: Update docs to reflect new db_sync behaviour  https://review.openstack.org/10640718:22
topoldtsanek, thanks!!! The whole string switcheroo is just evil :-) Who are the ad wizards who came up with that :-)18:22
dstanekayoung: just run 'tox'18:22
topoltox rules!!! topol is a convert18:22
ayoungdstanek, I don't want to build 2 venvs18:22
* morganfainberg doesn't like run_tests.sh but meh18:22
morganfainbergpeople seem to like it18:22
ayoungI want tox to use the py27 venv for pep818:22
morganfainbergayoung, i think there is an environment variable you can set for that kind of support18:23
ayoungmorganfainberg, I was looking at it because run_tests.sh documents the fail fast logic, and saw your patch malingering18:23
morganfainbergbut i don't remember it18:23
morganfainbergtox -epy27 -- -- --failfast18:23
morganfainbergsuch an awful format18:23
dstanekayoung: I have a patch that does that and adds some py3 stuff18:23
ayoungdstanek, cool.  I was getting frustrated as I awaited a full venv rebuild for tox....18:24
ayoungI wonder if it speeds anything up to mount .tox on a ramdisk.18:25
morganfainbergayoung, some, not a lot18:25
openstackgerritA change was merged to openstack/keystone: Add revocation extension to default pipeline  https://review.openstack.org/10647418:25
ayoungalthough, as I recall, we do something wonky to access the source code, and that creas a cross mount issue18:25
morganfainbergayoung, a lot of the painful part is the python bytecode compiling/linking/etc18:25
morganfainbergand some python packages really don't like being on ramdisk18:26
*** joesavak has joined #openstack-keystone18:26
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor set domain-id and mapping code  https://review.openstack.org/10768018:30
*** ChanServ changes topic to "July 9-11 Hackathon notes https://etherpad.openstack.org/p/keystone-juno-hackathon | Now with 100% gate and check runs on Apache deployed Keystone | K release named "Kilo""18:32
*** tkelsey has quit IRC18:35
*** marcoemorais has quit IRC18:36
*** marcoemorais has joined #openstack-keystone18:37
*** marcoemorais has quit IRC18:37
*** marcoemorais has joined #openstack-keystone18:37
*** toddnni has joined #openstack-keystone18:38
*** thedodd has joined #openstack-keystone18:39
*** tkelsey_ has joined #openstack-keystone18:40
*** bvandenh has quit IRC18:46
*** tkelsey_ has quit IRC18:51
*** marcoemorais has quit IRC18:55
*** marcoemorais has joined #openstack-keystone18:55
*** marcoemorais has quit IRC18:56
*** marcoemorais has joined #openstack-keystone18:56
*** gothicmindfood has joined #openstack-keystone19:08
*** jdob has joined #openstack-keystone19:08
jdobhey all, I have a fresh devstack setup that runs fine until I unstack.sh and then rejoin-stack.sh. then i keep getting unable to establish connection to /v2.0/tokens. has anyone run into this before that can kick me in the right direction?19:09
jdobnm, got it :)19:15
openstackgerritA change was merged to openstack/python-keystoneclient: Sync with oslo-incubator fd90c34a9  https://review.openstack.org/10399719:22
afaranhamorganfainberg: Sorry for bothering again. From yesterday we discussed that the OS-INHERIT extension doesn't update an existing one, and also doesn't raise any error, leading the user to believe that the grant was successful, what do you think to OS-INHERIT operation raise an error/warning in this case?19:25
morganfainbergi think it would be fair to do some input validation that checks for the body19:25
*** hrybacki has quit IRC19:25
afaranhaAlso, do anyone knows why in http://developer.openstack.org/api-ref-identity-v3.html we don't have the project sessions anymore?19:25
morganfainbergthe sections?19:26
morganfainbergthere have been bugs on that page19:26
afaranhasection* yes19:26
morganfainberga number of things are missing19:26
morganfainbergneed to bug doc team again19:26
morganfainberglooks like projects is missing from http://developer.openstack.org/api-ref-guides/bk-api-ref-identity-v3.pdf as well19:27
afaranhaI think project gone missing recently, but the API to create a new User is missing a long time ago19:27
morganfainbergyeah19:28
morganfainbergafaranha, the create user bits are back19:29
afaranhaNice :)19:29
afaranhadidn't notice it19:30
morganfainbergafaranha, something is really wonky with the api site for keystone19:30
morganfainbergafaranha, http://developer.openstack.org/api-ref-identity-v3.html#users-v3 first one is post (create)19:30
afaranhaI saw, I needed it a few days ago and didn't see, guess it's new modification19:31
*** marcoemorais has quit IRC19:32
*** marcoemorais has joined #openstack-keystone19:32
*** marcoemorais has quit IRC19:33
*** marcoemorais has joined #openstack-keystone19:33
*** marcoemorais has quit IRC19:33
*** marcoemorais has joined #openstack-keystone19:33
morganfainbergafaranha, well then19:35
morganfainberghttps://github.com/openstack/api-site/blob/master/api-ref/src/docbkx/ch_identity-v3.xml#L12919:35
morganfainberglooks like projects was commented out19:35
afaranhabut.. why?19:36
morganfainbergno idea19:37
morganfainbergafaranha https://bugs.launchpad.net/openstack-api-site/+bug/134354019:38
uvirtbotLaunchpad bug 1343540 in openstack-api-site "Keystone V3 has no "Manage Projects" Section published" [Undecided,New]19:39
afaranhaI don't know if we can just uncomment this.....19:41
morganfainbergI'm happy to let the docs folks comment on why it was done19:42
morganfainbergthe commit that changed it didn't seem to make sense to me from that angle19:42
raildomorganfainberg: https://github.com/openstack/api-site/blame/master/api-ref/src/docbkx/ch_identity-v3.xml#L13019:43
morganfainbergraildo, yes, i looked. that commit doesn't make sense *why* projects was disabled to me19:43
morganfainbergi just don't know enough about it to know why it was needed to fix builds19:44
raildomorganfainberg: i agree19:44
raildoi will fix this19:44
raildook?19:44
morganfainbergraildo, feel free to19:44
morganfainbergraildo, :)19:44
dolphmis use_dumb_member & dumb_member (the DN) used by identity driver, or just assignment?19:48
afaranhamorganfainberg: I'll make inherit functionality raises an error when there is the assignment, seems ok?19:49
morganfainbergdolphm, i thought just identity, but ... uh19:49
dolphmmorganfainberg: oh.. i'm probably wrong/backwards19:50
morganfainbergnow i'm questioning that19:50
morganfainbergafaranha, well. no19:50
dolphmmorganfainberg: i'm looking to cut down sample conf for the things that are not required if you're using identity-only ldap19:50
morganfainbergah19:50
morganfainbergafaranha, i think something is wierd in that API the more we talk about it19:51
dstanekmorganfainberg: after reading you DI spec i tried to revisit some of the local commits where I was messing with DI19:52
dstanekmorganfainberg: the circular ref between identity and assignment is pretty bad19:52
morganfainbergdstanek, yeah19:52
dstanekmorganfainberg: in order to get my stuff to work i did all kinds of ugly hacks - mostly for that decorator in identity ( i think )19:53
morganfainbergdstanek, i think we can get around it, but we need to decide what the fix needs to look like first19:53
morganfainbergand i am not sure what it should look like :(19:53
dstanekmorganfainberg: so what i did was make @requires a bit smarter so that it could pass in deps as kwargs19:53
afaranhaI think weird that the user thinks the command did what it was suppose to do, but actually changed nothing at all19:53
morganfainbergafaranha, i think the whole API is a little weird19:54
dstanekthen i started to change the tests to manually construct19:54
david-lyleIf I were a cloud admin and had a token scoped to the admin domain, should I be able to administer identity in other domains?19:54
morganfainbergafaranha, there is some assumption that is wrong in it. we might need to fix that19:54
morganfainbergdavid-lyle, depends on what policy says19:54
morganfainbergdavid-lyle, it also depends on if that domain is classified as a cloud-wide-admin domain (for example)19:54
david-lyleassuming v3cloud admin sample shipped with keystone19:54
david-lyleyes assuming admin domain is cloud-wide-admin19:55
morganfainberghm. i think one of the domains is a cloud-wide admin (Default domain?)19:55
* morganfainberg checks19:55
david-lyleyes, there can be only one19:55
dstanekmorganfainberg: i'll get this stuff functional again so you can take a peek - i was something like 150 commits behind on that branch19:55
* david-lyle at least that's how I understand it19:55
morganfainbergthe idea is that admin of domain X should not be able to be admin on domain Y19:55
morganfainbergunless domain X is the 'cloud-admin-domain'19:55
david-lylebut I need a domain scoped token to do the identity admin stuff19:56
morganfainbergi think.19:56
david-lylelike add users19:56
david-lyleok, I'll keep playing, trying to make sure I'm not completely off base19:56
david-lylemorganfainberg: thanks19:57
morganfainbergdavid-lyle, happy to help (hope i was more helpful than I thought)19:57
david-lylejust trying to get some support for my assumptions19:57
morganfainbergah19:57
morganfainbergok19:57
morganfainbergdstanek, i think the part i'm unclear on is do we want each object ot have it's own instantiation of the API?19:58
morganfainbergdstanek, do we want the central-registry (instantiate once?)19:58
morganfainbergdstanek, do we want something wildly different?19:58
*** marcoemorais has quit IRC20:04
*** marcoemorais has joined #openstack-keystone20:04
morganfainbergafaranha, ok20:04
dstanekmorganfainberg: i'm doing a sort of hybrid20:05
morganfainbergafaranha, i think i see the issue20:06
morganfainbergafaranha, the big issue here is that inherited is not part of the PK for the role assignment20:06
morganfainbergafaranha, so you silently fail when you try and create a duplicated grant.20:07
*** marcoemorais has quit IRC20:07
morganfainbergafaranha, i think we have 2 solutions: 1) you cannot create an inherited grant if a normal grant of the same type exists (error raised)20:07
*** marcoemorais has joined #openstack-keystone20:07
morganfainbergafaranha, 2) make inheritance part of the unique/pk for the grant20:08
morganfainbergafaranha, i am not sure which one is a better choice.20:09
morganfainbergi lean towards the second option20:09
afaranhamorganfainberg: Maybe the first one20:10
morganfainbergi don't like the "revoke and re-grant" to get inheritence20:10
morganfainbergbut the first option is *way* less work to get done20:10
*** joesavak has quit IRC20:12
afaranhaIf we have inherit column as a PK, we will be allowed to have the same assign duplicated20:12
afaranhaone with inherit 0 and another with 1, in my opinion inherit column is not part of assignment20:13
afaranhabut, yes, revoke and re-grant is dislikeable20:14
*** lbragstad has quit IRC20:18
morganfainbergafaranha, i don't want to introduce "update grant" logic (via the api) I think it's incorrect to allow updating a grant, but... maybe OS-INHERIT needs that bit? a toggle for inheritable...20:20
morganfainbergafaranha, ok go for raise an exception first (revoke and re-grant), we can discuss that via code review if it's really wrong20:20
morganfainbergit's also the smallest amount of code.20:20
afaranhaIMHO the logic of grant is the type, actor and target, and the inherit column is just a field that can be updated without breaking the "grant"20:23
*** topol has quit IRC20:24
dstanekayoung: i was just about to push my patches for the tox stuff and realized that i may break people20:24
dstanekayoung: i make the assumption that a developer's default environment is 2.7 (because these changes were originally just for me)20:25
ayoungdstanek, for keystone that is a good assumption20:25
*** jdob has quit IRC20:25
ayoungthere is no 33 for keystone server20:26
dstanekwhat do you mean no 33?20:26
afaranhamorganfainberg: but I can do that, send the patch and then discuss.20:28
marekdopenstack summit in paris is Nov 3-7 or slightly longer? I think somebody mentioned it would also be on Sat, Nov 8th?20:30
ayoungmorganfainberg, versions page.  admin port reports onvly version3.  port 5000 reports v2 and v3.  Is this a bug?  Sounds like it to me20:31
ayoungdavid-lyle, I might be battling what you are battling20:32
david-lyleayoung, I'm trying to piece together domain admin/cloud admin capabilities in Horizon20:33
ayoungdavid-lyle, that is a policy decision made by keystone20:33
ayoungdavid-lyle, the problem is that horizon can't fetch policy from Keystone20:33
ayounga bell I have been ringing for a while20:33
david-lyleme too20:33
david-lylewe can have a copy of the keystone policy file and work from their20:34
david-lylethere*20:34
david-lylemaybe the v3cloudadmin sample is just not what I want to start from20:34
*** erecio has joined #openstack-keystone20:36
*** arun_kant has joined #openstack-keystone20:39
arun_kantayoung: I have added ldap pool specific livetest..can you please review https://review.openstack.org/#/c/95300/ again.20:40
ayoungarun_kant, I sent you a ping message before. There seems to be some duplication in your tests between liveldap pool and the fakeldap version20:41
arun_kanttest are sames, its just backend is different..20:42
*** joesavak has joined #openstack-keystone20:46
*** gabriel-bezerra has quit IRC20:46
*** gabriel-bezerra has joined #openstack-keystone20:46
*** lbragstad has joined #openstack-keystone20:49
*** lbragstad has quit IRC20:53
*** gokrokve_ has joined #openstack-keystone20:58
*** gokrokve has quit IRC21:00
*** alex_xu has joined #openstack-keystone21:00
*** lbragstad has joined #openstack-keystone21:09
*** lbragstad has quit IRC21:10
*** mrmoje has quit IRC21:12
*** gabriel-bezerra has quit IRC21:13
*** gabriel-bezerra has joined #openstack-keystone21:14
*** lbragstad has joined #openstack-keystone21:16
dstanekit looks like we can't hack up the tox.ini like i had hoped21:21
*** erecio has quit IRC21:29
*** jamielennox|away is now known as jamielennox21:39
jamielennoxdolphm: can you have a look at https://review.openstack.org/#/c/107325/ as it affects your /catalog change21:40
jamielennoxdolphm: i suggest moving it to /auth/catalog but i'm thinking it should be /auth/endpoints21:40
*** marcoemorais has quit IRC21:47
*** marcoemorais has joined #openstack-keystone21:47
*** henrynash has quit IRC21:49
*** andreaf has joined #openstack-keystone21:55
*** andreaf has quit IRC21:56
*** andreaf has joined #openstack-keystone21:56
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke domain scoped tokens  https://review.openstack.org/10719421:57
*** ayoung has quit IRC21:57
dolphmjamielennox: i'd rather not have two conflicting specs in the same cycle :) https://review.openstack.org/#/c/107325/22:00
jamielennoxdolphm: my thought was that we haven't had a release of the get-caatalog one that we could just move it over22:02
jamielennoxthe problem obviously with relying on /users/{user_id}/projects and /domains is that we are actively moving away from a situation where we have an internal user_id22:03
dolphmjamielennox: propose that bit of the change to juno/get-catalog.rst22:03
jamielennoxregardless of if federation is core api or not, we are talking about doing LDAP and such via apache as an external service22:03
jamielennoxi think (though am not certain just now writing it) that it will cause the same issues with user ids22:04
jamielennoxthat and it really bugs me that you have to call seperate routes to list projects depending on if you have a federated token as opposed to a regular token, once you have a token they should be the same path22:06
dolphmjamielennox: agree, i didn't like that about OS-FEDERATION either. does GET /v3/auth/projects return an empty list if you call it with a scoped token?22:07
dolphmjamielennox: (does it behave differently **at all** from GET /v3/users/{user_id}/projects if federation isn't involved?)22:07
jamielennoxdolphm: up for debate i suggest, this is probably a good place to say that you can't rescope a token and therefore returns an empty list for scoped22:08
jamielennoxthough i think that would break horizon22:08
jamielennoxbut, no i was thinking about it from just a workflow issue22:09
jamielennoxbasically from client side i've (purposely) abstracted the tokens so that you should never really want to pull information out of it22:10
*** andreaf has quit IRC22:11
*** bknudson has quit IRC22:13
jamielennoxdolphm: anyway, i'll make those fixes - think about it, i'm going to work22:14
dolphmjamielennox: fix horizon :)22:16
dolphmjamielennox: you could also 301 on GET /v3/OS-FEDERATION/projects & /domains :P22:17
jamielennoxdolphm: the first step would be to abolish default_project_id, so that's on us22:17
dolphmjamielennox: i've tried that so many times :(22:17
dolphmi've given up22:17
jamielennoxwhilst ever we have default_project_id we have to allow listing projects associated with scoped tokens22:17
jamielennoxyea, i can redirect from OS-FEDERATION/projects -> /auth/projects22:18
jamielennoxdolphm: that was accepted for juno right? it's way too late to just ditch OS-FEDERATION/projects in favour of /auth/projects22:19
dolphmjamielennox: OS-FEDERATION is icehouse22:19
*** marcoemorais has quit IRC22:20
jamielennoxyea, thought so22:20
morganfainbergdolphm, can we just delete default_project_id?22:21
morganfainbergdolphm, if the session tokens go through, it might work.22:22
morganfainbergdolphm, part of that spec is to include "available" projects in the unscoped token iirc22:22
dolphmmorganfainberg: which spec?22:22
dolphmmorganfainberg: oh session tokens22:22
morganfainbergdolphm, adam's session token spec22:22
dolphmmorganfainberg: we can't just delete it though, no :P22:23
morganfainbergdolphm, i know :(22:23
morganfainbergwell we *can* but someone would take issue with it :P22:23
morganfainbergs/someone/a lot of someones22:23
jamielennoxconfig option?22:23
jamielennoxjust take the same 3 cycle phase out we've done before22:24
morganfainbergjamielennox, i think we'd need the sessions or something similar first22:24
dolphmjamielennox: talk to joesavak about it - he'll argue on the ground of UX22:25
*** marcoemorais has joined #openstack-keystone22:26
*** gabriel-bezerra has quit IRC22:26
jamielennoxunscoped/scoped tokens aren't a security feature though, it's just a matter of establishing the standard workflow22:26
*** andreaf has joined #openstack-keystone22:27
*** andreaf has quit IRC22:27
jamielennoxi think if horizon works (which it must anyway) then from UX i don't think people care22:27
morganfainbergdolphm, that the default_project_id is a user "preference" ?22:28
morganfainbergdolphm, i'd argue that doesn't belong on the authoritative user-object if that is the case.22:28
morganfainbergnot that the concept of a default project "preference" is wrong.22:28
dolphmmorganfainberg: the user's password is equally a preference, right?22:29
jamielennoxdolphm: yes, hence federation and external LDAP22:29
morganfainbergdolphm, not as much. a default project is not needed to confer authentication22:29
*** gabriel-bezerra has joined #openstack-keystone22:30
*** david-lyle has quit IRC22:31
dolphmmorganfainberg: but both of them should be user-mutable, right?22:31
jamielennoxi think if you keep the concept of a default project then you should change the incoming auth packet so that instead of saying scope=project you say scope=defaultproject22:31
jamielennoxbut i'd prefer to just ditch it completely22:31
joesavakThe use cases that the default project id solves for is: (1) As a user I don't want to have to remember the project i've been working in most or the single project ID i have assigned in order to do a fast authentication.   (2) As an openstack implementor with many, many users, we want to eliminate extra API calls where possible to give users better availability.    (3) As a user of horizon/custom UI, I don't want to have to login th22:32
joesavaken choose a project then work when I really just want to go to the project I typically work in.22:32
joesavaksorry for wordy22:32
*** jaosorior has quit IRC22:32
morganfainbergdolphm, password has a higher bar for mutability / validation than project (and usually has an explicit interface, like we have, for it)22:32
*** marcoemorais has quit IRC22:32
*** marcoemorais has joined #openstack-keystone22:32
*** dims_ has joined #openstack-keystone22:33
*** marcoemorais has quit IRC22:33
morganfainbergjoesavak, the concept of default project isn't wrong. placing it in keystone is a sub-optimal place, or on the authoratative user object in keystone (if we had "options" extension that covered the 'extra' stuff for users, it would be more apporpriate, but only where that info needs to be passed to the requesting service not *anytime a user object is inspected*22:33
jamielennoxjoesavak: i don't think 3 is valid, horizon already has to be able to get an unscoped token and scope it to something else, the usability for that case shouuld be to return the default project id as part of the unscoped token22:33
*** marcoemorais has joined #openstack-keystone22:34
jamielennoxactually i think returning the default project id as part of an unscoed token solves for 1 as well22:34
dolphmjoesavak: (3) is an argument for horizon's behavior, which can be preserved without default_project_id22:35
*** dims has quit IRC22:35
morganfainbergjoesavak, and i would say that we could make the workflow an option in horizon (cookies, options?), also session tokens would solve *some* of the need for a scoped token off the bat for logging in22:35
morganfainbergdolphm, ++22:35
joesavakneed to review session tokens - spec?22:35
dolphmhas session tokens been broken into 3 specs yet?22:36
morganfainbergjoesavak, https://review.openstack.org/#/c/96648/ but it needs to be split up22:36
morganfainbergjoesavak, i don't think it's been split into multiuple specs as discussed22:36
joesavaki think having "defaultProject" as an indicator on the scope when authenticating is a good idea...22:36
joesavakthat allows  a user to just call identity once for a scoped token, instead of having to look up projects22:36
morganfainbergjoesavak, nothing saying horizon (or something else) couldn't convey that.22:37
morganfainbergbut having it be magical because of the property set on the user, that is my big issue22:37
morganfainbergwhich is what the current implementation implies22:37
morganfainberg"oh no scope, do you have a default project? ok scope you to that"22:37
jamielennoxmorganfainberg: ++ trying to figure out a user flow and not knowing whether you are expecting a scoped or unscoped token is bad22:38
morganfainbergjoesavak, but session tokens also says scoped_token rescoping shouldn't ever occur (it is a legitimate security concern)22:38
openstackgerritDolph Mathews proposed a change to openstack/keystone: implement GET /v3/catalog  https://review.openstack.org/10689322:40
morganfainbergdolphm, yay, catalog API!22:41
morganfainbergdolphm, that makes me really happy to see.22:41
joesavakthe spec to me doesn't do a good job of describing their proposal...22:41
morganfainbergjoesavak, it's because the spec is only partial, we mucked with it a lot at the hackathon, the earlier version is better22:41
dolphmjoesavak: it's split into two reviews; see the dependent one22:41
morganfainbergdolphm, oh we have subsequent ones ? cool22:42
joesavakok - will do. Gotta run and get kiddo now thoug22:42
dolphmmorganfainberg: fixed all issues from henrynash & bknudson except henry also asked for a test with a domain-scoped token. i'd write that but i'm running out the door now :)22:42
jamielennoxmissed so much at the hackathon...22:42
morganfainbergdolphm, ++22:42
morganfainbergdolphm, sounds good.22:42
morganfainbergjamielennox, you should have been there!22:42
morganfainbergjamielennox, :P22:42
morganfainbergjamielennox, it was magical.22:42
jamielennoxyea, all alone in my hemisphere22:43
*** thedodd has quit IRC22:43
*** gabriel-bezerra has quit IRC22:43
morganfainbergnext hackathon in brisbane?22:44
morganfainberg:P22:44
jamielennoxthis probably came up, but why session tokens as opposed to like a session auth?22:44
jamielennoxmorganfainberg: i can organize that22:44
morganfainberg(somehow Idon't think i can justify it)22:44
*** gabriel-bezerra has joined #openstack-keystone22:44
morganfainbergwhat would a session auth look like in keystone-world?22:44
morganfainbergwould it look... an awful lot like a token?22:44
jamielennoxso by session auth i mean you install a UUID or other random thing as a short lived 'password'22:44
jamielennoxthen you can get unscoped tokens based on that 'password' but you can't refresh tokens22:45
morganfainbergso, an awful lot like a token22:45
jamielennoxevery time you acess the 'password' it extends it's length22:45
jamielennoxmorganfainberg: very much22:45
jamielennoxbut it's not allowing rescoping of tokens22:45
morganfainbergwe could also just use a token and (with persistent-less) not have to store them22:46
morganfainbergerm non-persistent tokens22:46
morganfainbergand it would be about as much work in the session object to support either22:46
jamielennoxsession doesn't care - it wouuld be a horizon thing22:46
jamielennoxi don't know somehow doing that install a cookie seems better to me than changing how our tokens work22:47
morganfainbergwouldn't the python-libs also need suppoort of it?22:47
*** joesavak has quit IRC22:47
jamielennoxit'd be a new operation, install password with expiry22:47
morganfainbergi mean, a truely unscoped token would be perfect for that. right?22:47
jamielennoxthen you do standard auth with auth-type that new password22:47
morganfainbergbut it conveys some extra info so we don't need to 'store' data in keystone for it22:48
jamielennoxmorganfainberg: i'm not following completely, but it sounds like that means exchanging an unscoped token for a new, loner expiry unscoped token22:48
jamielennoxs/loner/longer22:49
morganfainbergyes, that would be the only real difference, when you extend a session, you get a new "session" token22:49
jamielennoxwhich we've explicitly disallowed until now22:49
morganfainbergnot longer expiry, new token22:49
*** morganfainberg has quit IRC22:50
jamielennoxmorganfainberg: it doesn't matter, if you can exchange one token for another you can extend any session indefinetly22:50
*** morganfainberg has joined #openstack-keystone22:50
*** dickson.freenode.net sets mode: +o morganfainberg22:50
*** navid has quit IRC22:50
*** morganfainberg has quit IRC22:50
*** navid has joined #openstack-keystone22:51
*** morganfainberg has joined #openstack-keystone22:51
jamielennoxany token indefinitely22:51
*** gabriel-bezerra has quit IRC22:51
*** arun_kant has quit IRC22:51
*** ekarlso has quit IRC22:51
*** shufflebot has quit IRC22:51
*** raildo has quit IRC22:51
*** boris-42 has quit IRC22:51
*** morganfainberg has quit IRC22:51
*** morganfainberg has joined #openstack-keystone22:52
*** dvorak has quit IRC22:52
*** rharwood has quit IRC22:52
*** uvirtbot has quit IRC22:52
morganfainbergwow, that was an awesome netsplit.22:53
*** dvorak has joined #openstack-keystone22:53
*** rharwood has joined #openstack-keystone22:53
*** uvirtbot has joined #openstack-keystone22:53
jamielennoxbut yes i see the concern, we go from having tokens stored in the database to these uuid 'passwords' stored in the database22:53
*** gabriel-bezerra has joined #openstack-keystone22:53
*** arun_kant has joined #openstack-keystone22:53
*** boris-42 has joined #openstack-keystone22:53
*** ekarlso has joined #openstack-keystone22:53
*** shufflebot has joined #openstack-keystone22:53
*** raildo has joined #openstack-keystone22:53
morganfainbergi need to fix my server list for freenode a bunch don't resolve anymore22:53
*** afazekas has joined #openstack-keystone22:53
*** akscram has quit IRC22:54
*** gpocentek has quit IRC22:54
*** Mikalv has quit IRC22:54
jamielennoxmorganfainberg: last i saw from you "not longer expiry, new token"22:54
*** akscram has joined #openstack-keystone22:54
*** gpocentek has joined #openstack-keystone22:54
*** Mikalv has joined #openstack-keystone22:54
*** amcrn has quit IRC22:54
*** dolphm has quit IRC22:54
*** designated has quit IRC22:54
*** YorikSar has quit IRC22:54
*** zigo has quit IRC22:54
*** therve has quit IRC22:54
*** redrobot has quit IRC22:54
*** arunkant has quit IRC22:54
*** Ephur has quit IRC22:54
*** mgagne has quit IRC22:54
*** radez_g0n3 has quit IRC22:54
*** comstud has quit IRC22:54
morganfainbergyeah that was the last thing i said22:54
morganfainbergthen netsplit happened22:54
morganfainbergbesides 'NETSPLIT!'22:54
morganfainberg:P22:54
*** huats has quit IRC22:55
*** gothicmindfood has quit IRC22:55
*** jimbaker has quit IRC22:55
*** tristanC has quit IRC22:55
*** sudorandom has quit IRC22:55
*** baffle has quit IRC22:55
*** jamielennox has quit IRC22:55
*** jraim has quit IRC22:55
*** ciypro|afk has quit IRC22:55
*** amcrn has joined #openstack-keystone22:55
*** dolphm has joined #openstack-keystone22:55
*** YorikSar has joined #openstack-keystone22:55
*** designated has joined #openstack-keystone22:55
*** zigo has joined #openstack-keystone22:55
*** therve has joined #openstack-keystone22:55
*** redrobot has joined #openstack-keystone22:55
*** arunkant has joined #openstack-keystone22:55
*** Ephur has joined #openstack-keystone22:55
*** mgagne has joined #openstack-keystone22:55
*** radez_g0n3 has joined #openstack-keystone22:55
*** comstud has joined #openstack-keystone22:55
*** dickson.freenode.net sets mode: +o dolphm22:55
*** ChanServ sets mode: +o morganfainberg22:55
morganfainbergjamielennox you back yet, looks like we just netsplit again.22:56
*** gothicmindfood has joined #openstack-keystone22:56
*** huats has joined #openstack-keystone22:56
*** jimbaker has joined #openstack-keystone22:56
*** tristanC has joined #openstack-keystone22:56
*** sudorandom has joined #openstack-keystone22:56
*** baffle has joined #openstack-keystone22:56
*** jamielennox has joined #openstack-keystone22:56
*** jraim has joined #openstack-keystone22:56
*** ciypro|afk has joined #openstack-keystone22:56
morganfainbergjamielennox, welcome back22:56
morganfainbergchmouel, any recommendations on stuff to do (non-touristy, you know good stuff) while in Paris for the summit?22:57
*** lbragstad has quit IRC22:57
jamielennoxhmm, i'm going to work, this connection isn't coming back.......22:57
morganfainbergjamielennox, which connection?22:58
jamielennoxnetsplit22:58
jamielennoxanyway, need to actually go to the office22:58
jamielennoxback later22:58
morganfainbergjamielennox, ok22:59
*** jamielennox is now known as jamielennox|away22:59
*** gabriel-bezerra has quit IRC22:59
*** gabriel-bezerra has joined #openstack-keystone23:02
*** marcoemorais has quit IRC23:13
*** afazekas has quit IRC23:18
*** gokrokve_ has quit IRC23:18
*** ayoung has joined #openstack-keystone23:23
*** arun_kant has quit IRC23:27
*** oomichi has joined #openstack-keystone23:42
*** bknudson has joined #openstack-keystone23:56
« Wednesday, 2014-07-16 Index Friday, 2014-07-18 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!