Thursday, 2014-08-07

hrybacki	morganfainberg: I'm talking to jamielennox about the retry logic in auth_token	00:04
morganfainberg	hrybacki, ++	00:04
hrybacki	should we care about the retry at all?	00:04
morganfainberg	jamielennox, yeah error with it or something, mine just ... stopped working so i marked it private	00:04
jamielennox	morganfainberg: hrybacki says you had a reason to keep it around	00:04
morganfainberg	jamielennox, hrybacki, if we can get rid of it that works too	00:04
morganfainberg	jamielennox, hrybacki, if we can't get rid of the logic we need to test it :) that is my only point (so we don't get a regression or omission if we refactor again)	00:05
bknudson	why would we remove a behavior that was working?	00:05
hrybacki	morganfainberg: I'll post a patch with some reasoning in the commit msg	00:05
morganfainberg	bknudson, if it isn't needed anymore, it's valid to remove the logic.	00:05
jamielennox	bknudson: so https://review.openstack.org/#/c/105031/14/keystonemiddleware/auth_token.py around line 1170	00:05
bknudson	I expect I'll start getting calls from customers if that's removed.	00:06
morganfainberg	bknudson, i think it's only needed if the admin token is expired, and session shouldn't need that bit.	00:06
jamielennox	we used to have retry logic that if auth_token had an expired token to fetch a new one and then re-issue the verify	00:06
jamielennox	that request a new one should be handled by the auth plugins now	00:06
hrybacki	jamielennox++	00:06
bknudson	is that the only time we'd retry?	00:06
jamielennox	retrying the request should do nothing	00:06
jamielennox	bknudson: yes	00:06
morganfainberg	bknudson, but.. if it isn't needed, we can remove it, if we need to keep it, we should test it. I haven't evaluated any case we need to keep or not at this time.	00:06
bknudson	there's other reasons you might want to retry	00:06
bknudson	a network glitch	00:06
bknudson	or maybe keystone just isn't started up yet.	00:07
hrybacki	was/is retry used for anything else	00:07
jamielennox	bknudson: this is specifically within the verify_token function, any of that would be handled by the retry logic down at _http_request function	00:07
bknudson	if session takes care of it now then we don't need it in auth_token	00:07
jamielennox	session won't handle automatically retrynig things like a network outage - it was suggested but not implemented yet	00:08
bknudson	ok, then we need it in auth_token	00:08
jamielennox	this specific case is purely for re-fetching a new service token in auth_token so that we can continue to verify UUIDs	00:08
jamielennox	that part is handled by auth plugins	00:09
hrybacki	consensus on if it's needed or not?	00:13
jamielennox	hrybacki: take it out, let the gate vote, it shouldn't be needed	00:14
hrybacki	jamielennox++ what about the exception itself?	00:14
hrybacki	401's were being caught by the HTTPError	00:15
jamielennox	i'd leave the two log statements, they really should be being picked up in priority to the HttpError one	00:15
hrybacki	I agree, I was surprised they didn't raise an Unauthorized	00:15
bknudson	I could have sworn on commented on this on the original review...	00:15
hrybacki	the exception code hierarchy is confusing	00:16
jamielennox	but looking at them there is no difference between the two cases so you can probably remove the whole block	00:16
jamielennox	bknudson: it's been through a lot of revisions	00:16
hrybacki	bknudson: you likely did -- I had a lot thrown at me, sorry =/	00:16
bknudson	so we used to retry on just about every error, and now we only retry on unauthorized	00:16
bknudson	which jamielennox is saying it's not worth it to retry on anyways	00:16
jamielennox	the exception hierarchy was a bit weird and then the apiclient came along and made it weirder	00:17
hrybacki	now we don't need to retry and unauthorized exception block should go	00:17
jamielennox	bknudson: we continue to have this retry https://review.openstack.org/#/c/105031/14/keystonemiddleware/auth_token.py	00:17
jamielennox	this is the traditional behaviour	00:18
jamielennox	it would originally not retry http errors	00:18
bknudson	jamielennox: which retry? the only retry is for Unauthorized.	00:18
jamielennox	bknudson: so that's exactly the same as https://github.com/openstack/keystonemiddleware/blob/1.0.0/keystonemiddleware/auth_token.py#L788	00:19
bknudson	whereas originally it would retry for everything other than 200, 404	00:19
jamielennox	because getting a 404 via the requests library doesn't return an error it returns a response with a 404 status code	00:19
bknudson	jamielennox: it's not the same... if you got a 500 error it used to retry	00:19
bknudson	(not sure how useful it is to retry in that case anyways)	00:20
bknudson	am I not reading the code correctly?	00:21
hrybacki	every day I am more and more impressed by how much info you all track from the various keystone repos	00:21
*** amcrn has quit IRC		00:22
*** gyee has quit IRC		00:22
*** arborism has joined #openstack-keystone		00:22
hrybacki	it's still retrying on errors in _http_request	00:22
jamielennox	bknudson: not through that logic: http://paste.openstack.org/show/91247/	00:22
hrybacki	it's just not a param handed in	00:23
hrybacki	it's a predetermined number of times form the config	00:23
hrybacki	or up to rather	00:23
jamielennox	so that _http_request code from 1.0 won't handle retrying on a 500	00:24
jamielennox	because no exception is thrown there	00:24
jamielennox	the only things that cause exceptions coming out of requests are things like ConnectionError, SSLError and Timeouts	00:24
hrybacki	what gets returned on a 500?	00:25
hrybacki	and do we want it to retry on server errors?	00:26
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Handle invalidate in identity plugins correctly https://review.openstack.org/112440	00:29
jamielennox	hrybacki: so on a 500 we get back a response object with a response.status_code == 500	00:29
jamielennox	but not an exception	00:29
hrybacki	okay	00:29
hrybacki	simple to retry on that as well if we want that behavior	00:30
jamielennox	do we want to retry on server errors? i don't know	00:30
hrybacki	that's the question I posed :P	00:30
jamielennox	i think though what is important around these patches is that we are trying not to change the behaviour of the middleware	00:30
jamielennox	if we do want to retry 500 errors that should be a different patch and discussion can happen around that	00:30
hrybacki	okay	00:31
bknudson	y, if we don't have tests around it then it's kind of fair game	00:31
hrybacki	so, for now, we are opting to remove the Unauthorized exception block as well as the retry param as the former isn't ever raised (401's are caught by HTTPError) and the latter will then be moot	00:32
bknudson	hrybacki: do the tests fail if you change it?	00:32
jamielennox	i'm surprised the former doesn't get raised, being higher in the list should take priority - but i see no reason to keep it	00:32
hrybacki	bknudson: sec	00:32
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Handle invalidate in identity plugins correctly https://review.openstack.org/112440	00:33
*** gokrokve has quit IRC		00:34
ayoung	morganfainberg, I'll host your blog for you if you want	00:36
*** yasukun has joined #openstack-keystone		00:36
morganfainberg	ayoung, i have hosting, just have to fix the thing. i'll get around to it	00:36
jamielennox	morganfainberg: i went static pages on github, it can be a bit more fiddly but never have to worry about it	00:38
jamielennox	means i can do git and vim as well	00:39
*** yasukun has quit IRC		00:41
hrybacki	mmm I've pulled the latest version of keystonemiddleware from github but for whatever reason I'm failing the tox tests	00:44
hrybacki	32 of them actually	00:44
hrybacki	did something change recently where we need more than the repo setup for them to run?	00:44
*** jasondotstar has quit IRC		00:48
bknudson	hrybacki: try rebuild your venv	00:50
hrybacki	bknudson: I ran `tox -repy27` first	00:50
hrybacki	didn't work so I nuked the repo and retried	00:50
hrybacki	output: http://fpaste.org/123740/72627140/	00:50
hrybacki	weird	00:51
bknudson	hrybacki: it worked for me... had to get /opt/stack/python-keystoneclient to master first	00:54
hrybacki	the tox tests are just unit tests local to the repo though, yeah?	00:54
hrybacki	this isn't running on a full openstack deployment (I haven't done that for patches unless I needed to)	00:55
*** marzif_ has quit IRC		00:55
*** jasondotstar has joined #openstack-keystone		00:55
bknudson	VersionConflict: (python-keystoneclient 0.9.0 (/opt/stack/keystonemiddleware/.tox/py27/lib/python2.7/site-packages), Requirement.parse('python-keystoneclient>=0.10.0'))	00:56
bknudson	that was the error that I got and so I updated /opt/stack/python-keystoneclient	00:56
*** jasondotstar has quit IRC		00:59
hrybacki	but as far as my local repo is concerned there is no python-keystoneclient so shouldn't it be pulling 0.10.0 during insalldeps ?	00:59
bknudson	hrybacki: y, I think in that case you get whatever's in pypi	01:04
hrybacki	yeah 0.10.1	01:04
hrybacki	and that's what's in my site-packages	01:04
bknudson	".tox/py27/bin/pip freeze \| grep python-keystoneclient" says "python-keystoneclient==0.10.1" for me	01:05
hrybacki	same	01:06
hrybacki	hopefully this will magically work in the morning	01:07
*** jasondotstar has joined #openstack-keystone		01:12
*** diegows has quit IRC		01:18
*** marcoemorais has quit IRC		01:27
*** gokrokve has joined #openstack-keystone		01:34
openstackgerrit	wanghong proposed a change to openstack/python-keystoneclient: move attributes of v3.client.Client into alphabetical order https://review.openstack.org/111939	01:48
*** ncoghlan is now known as ncoghlan_afk		01:50
*** ncoghlan_afk is now known as ncoghlan		01:52
*** arborism has quit IRC		02:18
*** richm has quit IRC		02:28
*** spandhe has quit IRC		02:41
*** jasondotstar has quit IRC		02:42
*** spandhe has joined #openstack-keystone		02:51
*** spandhe has quit IRC		02:58
*** gokrokve_ has joined #openstack-keystone		03:19
*** spandhe has joined #openstack-keystone		03:20
*** gokrokve has quit IRC		03:22
*** jorge_munoz has quit IRC		03:35
*** ayoung has quit IRC		03:35
*** ncoghlan is now known as ncoghlan_afk		03:37
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Mark auth plugin options as secret https://review.openstack.org/112462	03:41
*** spandhe has quit IRC		03:46
*** oomichi has joined #openstack-keystone		03:58
*** gokrokve_ has quit IRC		04:03
*** ncoghlan_afk is now known as ncoghlan		04:15
*** gpocente1 has joined #openstack-keystone		04:30
*** jgriffit1 has joined #openstack-keystone		04:31
*** sbasam has joined #openstack-keystone		04:32
*** dvorak_ has joined #openstack-keystone		04:34
*** vish1 has joined #openstack-keystone		04:34
*** vishy has quit IRC		04:35
*** junhongl has quit IRC		04:35
*** Guest71676 has quit IRC		04:35
*** anteaya has quit IRC		04:35
*** gpocentek has quit IRC		04:35
*** sbasam_ has quit IRC		04:35
*** tristanC has quit IRC		04:35
*** dvorak has quit IRC		04:35
*** uvirtbot has quit IRC		04:35
*** vish1 is now known as vishy		04:35
*** dvorak_ is now known as dvorak		04:35
*** junhongl has joined #openstack-keystone		04:42
*** anteaya has joined #openstack-keystone		04:44
*** hrybacki has quit IRC		04:45
*** hrybacki has joined #openstack-keystone		04:51
*** traz__ has quit IRC		04:54
*** k4n0 has joined #openstack-keystone		04:56
*** hrybacki has quit IRC		04:56
*** hrybacki has joined #openstack-keystone		04:57
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Fix documentation link https://review.openstack.org/112472	04:59
*** jaosorior has joined #openstack-keystone		05:02
*** chandankumar has joined #openstack-keystone		05:06
*** k4n0 has quit IRC		05:21
*** hrybacki has quit IRC		05:30
*** hrybacki has joined #openstack-keystone		05:30
*** uvirtbot has joined #openstack-keystone		05:33
*** k4n0 has joined #openstack-keystone		05:34
*** hrybacki has quit IRC		05:35
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Remove intersphinx mappings https://review.openstack.org/112479	05:50
*** ukalifon1 has joined #openstack-keystone		05:53
*** tomoiaga has joined #openstack-keystone		05:54
openstackgerrit	Jamie Lennox proposed a change to openstack/keystonemiddleware: Remove intersphinx mappings https://review.openstack.org/112480	06:02
*** ajayaa has joined #openstack-keystone		06:03
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone: Delete intersphinx mappings https://review.openstack.org/112485	06:05
*** k4n0 has quit IRC		06:12
*** wolsen has joined #openstack-keystone		06:13
*** k4n0 has joined #openstack-keystone		06:28
*** ajayaa has quit IRC		06:33
*** sijo_ has joined #openstack-keystone		06:41
sijo_	I want to get a keystone token for interacting cinder service through python..	06:42
sijo_	How can I achieve it..?	06:43
*** ajayaa has joined #openstack-keystone		06:45
*** ukalifon1 has quit IRC		06:47
tomoiaga	sijo_: see the readme, at the bottom: https://github.com/openstack/python-cinderclient/	06:48
sijo_	tomoiaga: thanks, let me see it..	06:49
*** ukalifon has joined #openstack-keystone		06:51
*** jamielennox is now known as jamielennox\|away		07:06
*** afazekas has joined #openstack-keystone		07:20
*** henrynash has joined #openstack-keystone		07:33
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	07:53
*** mrmoje has quit IRC		08:03
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558	08:22
*** bvandenh has joined #openstack-keystone		08:33
*** arunkant has quit IRC		08:34
*** ncoghlan has quit IRC		08:36
*** mitz has quit IRC		08:49
*** mrmoje has joined #openstack-keystone		08:49
*** marzif_ has joined #openstack-keystone		09:07
*** oomichi has quit IRC		09:11
*** henrynash has quit IRC		09:15
*** ajayaa has quit IRC		09:16
*** ajayaa has joined #openstack-keystone		09:31
*** BAKfr has joined #openstack-keystone		10:10
*** henrynash has joined #openstack-keystone		11:27
*** arunkant has joined #openstack-keystone		11:33
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Individual plugin CLI registering https://review.openstack.org/112563	11:44
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow registering additional plugins https://review.openstack.org/112564	11:45
*** Clabbe has joined #openstack-keystone		11:53
Clabbe	If every user would call every API, would the total minimum amount of tokens be for each user = nrOfServices*nrOfTenants ?	11:55
Clabbe	Or is it possible to use same token for all services?	11:56
*** afazekas has quit IRC		12:04
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/keystone: Group related methods for LDAP backend https://review.openstack.org/102244	12:10
*** marekd is now known as mareklu		12:13
*** mareklu is now known as marekd		12:13
*** nkinder has quit IRC		12:17
*** afazekas has joined #openstack-keystone		12:19
*** henrynash has quit IRC		12:21
*** nkinder has joined #openstack-keystone		12:24
*** abhishek has joined #openstack-keystone		12:27
abhishek	dstanek:hi, you around?	12:28
dstanek	abhishek: hi	12:29
openstackgerrit	wanghong proposed a change to openstack/keystone: remove default check keys in assertValidEntity https://review.openstack.org/112573	12:29
abhishek	dstanek:i have replied to your review comments on the patch	12:29
abhishek	dstanek:i guess you are still not satisfied with the moving of listen() call	12:30
*** bjornar has quit IRC		12:33
abhishek	dstanek:https://review.openstack.org/#/c/107482/	12:33
dstanek	abhishek: i don't see any value in doing that	12:35
dstanek	did you see my comments on the bug?	12:35
abhishek	dstanek:yes, just now I have seen that	12:35
abhishek	dstanek:my intention is not to reload the configuration file at all	12:36
dstanek	abhishek: what do you want to do then?	12:36
abhishek	dstanek:I was just testing wheter sighup signal is working correctly or not	12:37
abhishek	dstanek:as common service framework has provided this facility and while i tested with nova and cinder I found that keystone is also using this framework	12:38
abhishek	dstanek:so while testing this, I found this bug	12:39
dstanek	abhishek: i guess i don't understand why you'd sent it a signal if it doesn't actually do anything	12:39
abhishek	dstanek:as I told you, i was just testing whether service is getting started or not after receiving the sighup signal	12:40
dstanek	abhishek: i looked a the oslo framework and i think it is just broken - doesn't make sense to me	12:40
openstackgerrit	Jeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess https://review.openstack.org/51610	12:40
abhishek	dstanek:so, there is no need to fix this issue?	12:43
*** henrynash has joined #openstack-keystone		12:44
dstanek	abhishek: since the fix is so small it's not a big deal, but i don't think anyone will ever send it a SIGHUP because right now it just kills the process and then when fixed it doesn't do anything	12:45
dstanek	abhishek: did you see my alternate proposal?	12:45
abhishek	dstanek:yes, i have seen that	12:45
abhishek	dstanek:its failing because, you can not duplicate the ssl socket	12:46
dstanek	abhishek: yes, that's why I gave it a -1 - i just wanted to show what i was thinking - i didn't take the time to split the listen method	12:49
*** afazekas has quit IRC		12:50
abhishek	dstanek:ok, i got it	12:51
*** nkinder is now known as nkinder_away		12:51
abhishek	dstanek:thank you for your time	12:52
dstanek	abhishek: no problem, that's what i'm here for :-) i'm going to abandon my review so that you can fix up yours and we can get it through	12:53
*** henrynash has quit IRC		12:53
abhishek	dstanek:thank you	12:54
abhishek	dstanek: :)	12:54
*** bknudson has quit IRC		12:57
*** abhishek has quit IRC		12:57
*** k4n0 has quit IRC		12:59
*** gordc has joined #openstack-keystone		13:01
*** jasondotstar has joined #openstack-keystone		13:03
*** bknudson has joined #openstack-keystone		13:15
*** afazekas has joined #openstack-keystone		13:18
*** saipandi has joined #openstack-keystone		13:19
*** saipandi has quit IRC		13:21
*** saipandi has joined #openstack-keystone		13:21
*** henrynash has joined #openstack-keystone		13:27
*** stevemar has joined #openstack-keystone		13:40
*** joesavak has joined #openstack-keystone		13:41
*** hrybacki has joined #openstack-keystone		13:42
*** traz__ has joined #openstack-keystone		13:44
*** zzzeek has joined #openstack-keystone		13:48
afaranha	Hello, does anybody knows whats the difference in assignment between the operations "list_role_assignments" and "list_grants", is it only because the effective parameter? In my opinion what we could do using list_role_assignment we could do using "list_grants" with some modifications. What do you think?	13:49
*** shakamunyi has joined #openstack-keystone		13:50
*** ayoung has joined #openstack-keystone		14:04
*** vhoward has joined #openstack-keystone		14:07
*** shakamunyi has quit IRC		14:23
*** diegows has joined #openstack-keystone		14:24
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: SAML2 federated authentication for ADFS. https://review.openstack.org/111771	14:25
*** BAKfr has quit IRC		14:30
*** shakamunyi has joined #openstack-keystone		14:37
*** richm has joined #openstack-keystone		14:39
*** david-lyle has joined #openstack-keystone		14:48
*** ajayaa has quit IRC		14:50
*** ukalifon has quit IRC		14:56
*** tomoiaga has quit IRC		15:10
*** tomoiaga has joined #openstack-keystone		15:12
nonameentername	/SET nicklist_width 20	15:15
*** tomoiaga has quit IRC		15:16
*** sijo_ has quit IRC		15:23
*** hrybacki has quit IRC		15:38
*** Morgan__ has joined #openstack-keystone		15:39
*** Morgan__ has quit IRC		15:40
*** MorganB has joined #openstack-keystone		15:40
*** MorganB is now known as morganbird		15:41
*** jaosorior has quit IRC		15:42
openstackgerrit	Stuart McLaren proposed a change to openstack/keystonemiddleware: Add composite authentication support https://review.openstack.org/108384	15:48
*** shakamunyi has quit IRC		15:51
*** bvandenh has quit IRC		15:53
*** ukalifon1 has joined #openstack-keystone		15:54
*** richm has quit IRC		15:58
*** afazekas has quit IRC		15:58
*** marcoemorais has joined #openstack-keystone		15:58
*** andreaf_ has joined #openstack-keystone		16:04
*** andreaf has quit IRC		16:07
*** ukalifon1 has quit IRC		16:08
stevemar	so quiet today	16:11
*** mrmoje has quit IRC		16:12
*** kwss has joined #openstack-keystone		16:13
kwss	Hey :) I was wondering if it was possible to setup the Keystone policy.json so that unauthenticated users can access certain API functions?	16:13
stevemar	kwss, hey, just don't add the @controller.protected decorator	16:29
kwss	stevemar, thanks :) so there's no way to configure existing functions without modifying the code?	16:30
stevemar	kwss, hmm, you might be able to just set the policy to ""	16:30
stevemar	kwss, like here https://github.com/openstack/keystone/blob/master/etc/policy.json#L142	16:31
kwss	stevemar, tried that but no, that just means an authenticated user doesn't need any roles etc.	16:31
stevemar	oh	16:31
stevemar	doh	16:31
stevemar	yeah, you'd have to tinker w/ the code to remove the decorator	16:31
kwss	I'd like to let unauthenticated users list available IdPs	16:31
kwss	stevemar, well thanks a lot for your help :)	16:32
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Refactor serializer import to XmlBodyMiddleware https://review.openstack.org/111108	16:33
*** bobt has quit IRC		16:33
*** marzif_ has quit IRC		16:33
*** richm has joined #openstack-keystone		16:36
*** jaosorior has joined #openstack-keystone		16:40
*** kwss has quit IRC		16:42
openstackgerrit	Anne Gentle proposed a change to openstack/identity-api: Removes WADL references from Identity v2.0 API https://review.openstack.org/112620	16:46
*** chandankumar has quit IRC		16:46
*** bvandenh has joined #openstack-keystone		16:55
*** marcoemorais has quit IRC		16:59
*** marcoemorais has joined #openstack-keystone		17:00
*** marcoemorais has quit IRC		17:00
*** marcoemorais has joined #openstack-keystone		17:01
*** vhoward has left #openstack-keystone		17:07
*** hrybacki has joined #openstack-keystone		17:22
openstackgerrit	Rodrigo Duarte proposed a change to openstack/keystone: Base methods to handle hierarchical projects https://review.openstack.org/111841	17:41
*** gyee has joined #openstack-keystone		17:49
*** jsavak has joined #openstack-keystone		17:51
*** joesavak has quit IRC		17:54
*** jdennis has quit IRC		17:54
*** marcoemorais has quit IRC		17:56
*** marcoemorais has joined #openstack-keystone		17:56
*** marcoemorais has quit IRC		18:00
*** marcoemorais has joined #openstack-keystone		18:01
*** bknudson has quit IRC		18:11
*** jdennis has joined #openstack-keystone		18:22
*** bknudson has joined #openstack-keystone		18:30
*** ajayaa has joined #openstack-keystone		18:34
*** bknudson has quit IRC		18:35
*** tpatil has joined #openstack-keystone		18:35
ayoung	stevemar, nope	18:36
ayoung	stevemar, "" means "you must have a token, but I don't care what is in it"	18:36
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove assignment controller dependency on token_api https://review.openstack.org/109162	18:37
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Expose token revocation list via token_provider_api https://review.openstack.org/109170	18:37
ayoung	Ah...yeah, you got that far.	18:37
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove ec2 contrib dependency on token_api https://review.openstack.org/109173	18:37
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462	18:37
ajayaa	ayoung, morganfainberg, https://review.openstack.org/#/c/110575/	18:46
ajayaa	already polished! :)	18:46
morganfainberg	ayoung, "" means use the default rule iirc	18:46
morganfainberg	ayoung, not no rule	18:46
ayoung	morganfainberg, mybe, but regardless, it means you need a token	18:47
ayoung	and that should not be the case.	18:47
*** bknudson has joined #openstack-keystone		18:47
ayoung	morganfainberg, I ran in to that on GET revocation_events	18:47
ayoung	ajayaa, what is different about this version of the patch?	18:48
*** jsavak has quit IRC		18:48
morganfainberg	ayoung, my guess is it's cleanup on tests	18:48
ajayaa	yes.	18:48
morganfainberg	ayoung, there is one more thing needed	18:49
*** joesavak has joined #openstack-keystone		18:49
morganfainberg	ajayaa not ayoung	18:49
morganfainberg	ajayaa, there is a test decorator we need to add	18:50
morganfainberg	ajayaa, it's the one that skips if caching is disabled. sorry :( i fogot about it last time	18:50
*** amerine_ has quit IRC		18:50
ajayaa	morganfainberg, ohk! I will do that right away.	18:50
*** jsavak has joined #openstack-keystone		18:50
ajayaa	np	18:50
*** zzzeek has quit IRC		18:50
morganfainberg	ajayaa, yeah sorry :( i totally spaced on that.	18:50
morganfainberg	ajayaa, thanks!	18:50
*** zzzeek has joined #openstack-keystone		18:50
*** amerine has joined #openstack-keystone		18:50
morganfainberg	ajayaa, https://github.com/openstack/keystone/blob/master/keystone/tests/core.py#L182 is the decorator	18:51
*** david-lyle has quit IRC		18:51
ajayaa	morganfainberg, thanks.	18:51
*** david-lyle has joined #openstack-keystone		18:52
*** joesavak has quit IRC		18:53
tpatil	Hi dstanek: Are you there	18:56
*** joesavak has joined #openstack-keystone		18:56
dstanek	tpatil: yes	18:56
tpatil	dstanek: I have posted comment on the bug https://bugs.launchpad.net/keystone/+bug/1337850, please take a look at it.	18:56
uvirtbot	Launchpad bug 1337850 in keystone "Keystone service outputs error messages when SIGHUP signal is sent" [Medium,In progress]	18:56
*** david-lyle has quit IRC		18:56
dstanek	tpatil: yes, we talked about it this morning. the point of my patch was not to replace the one that was proposed, but to show in code what we were talking about the other day. i'll update the bug with the outcome of our discussion	18:58
*** jsavak has quit IRC		18:59
dstanek	tpatil: i think for the most part all of my feedback is already on that patch.	18:59
dstanek	tpatil: the odd thing will be that we no longer get a traceback when there is a sighup, but nothing really happens at all	19:00
tpatil	dstanek: Are you testing using devstack?	19:00
dstanek	tpatil: yes	19:00
tpatil	dstanek: it will only work if you are running keystone as a daemon process.	19:01
dstanek	tpatil: define work. what are you expecting it to do?	19:02
tpatil	dstanek: Basically while testing SIGHUP signal we came across the bug reported to the LP. After adding reset method, it failed to start the service for ssl.	19:03
dstanek	tpatil: no, i know that. what do you expect the SIGHUP to do in Keystone?	19:04
tpatil	dstanek: so to address that issue, we ended up with making changes to the listen and start method.	19:04
dstanek	obviously you don't want it to raise an exception	19:04
tpatil	dstanek: correct	19:05
tpatil	dstanek: reload the configuration files same as other openstack services.	19:05
dstanek	tpatil: i don't think this will actually acomplish that - that's why i asked in the bug report what the real end goal was	19:06
dstanek	that's also why i asked how keystone was being run - i am making the assumption that keystone-all is being run on the command-line with a config that defines more than one worker processes	19:07
tpatil	dstanek: Ok, I got it, we are planning to run the keystone-all process as a daemon.	19:08
tpatil	dstanek: _is_sighup_and_daemon method will return True. Also we have confirmed that it is reloading the configuration files and starting the service again for each worker.	19:11
dstanek	right now using the patch killing the parent seems to kill everything. how are you running it to test?	19:12
dstanek	tpatil: i should say 'kill -1' kills all of the processes for me	19:14
tpatil	dstanek: On devstack, in the _is_sighup_and_daemon method, simply change return _is_daemon() to return True	19:14
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events https://review.openstack.org/112204	19:16
stevemar	dstanek, i feel dirty	19:17
stevemar	^	19:17
dstanek	stevemar: that's pretty close to what i have right now	19:17
stevemar	dstanek, :( it feels so wrong	19:18
stevemar	i'm sure you have some pythonista stuff in there, instead of 20 if's like i do	19:18
tpatil	dstanek: That's shouldn't happen. I will request Abhishek to check it once again and let you know.	19:20
dstanek	tpatil: i did a real simple test; ran keystone-bin without workers set so i had one process; i hacked the _is_daemon to always return true	19:24
dstanek	tpatil: when i changed the admin token it was not reloaded on SIGHUP	19:24
dstanek	out config is loaded when keystone-all is executed and i don't think we ever reload it anywhere else	19:25
dstanek	s/out/our/	19:26
tpatil	dstanek: After the SIGHUP signal is sent to the keystone process (worker > 1), then it calls Launcher.restart method in which is reloading the configuration files.	19:28
tpatil	dstanek: restarting my machine, please wait..	19:29
dstanek	tpatil: oh, nice. it looks like that worked	19:33
*** tpatil_ has joined #openstack-keystone		19:33
*** tpatil has quit IRC		19:33
dstanek	tpatil: not for all config options (i can't change ports, etc.), but in general things are loaded	19:34
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Merge "Remove `with_lockmode` use from Trust SQL backend." https://review.openstack.org/112663	19:36
tpatil_	dstanek: That is true, But we are ok with that.	19:37
tpatil_	Dstanek: Please give your comments on the patch and Abhishek can take care of it. Thanks for your time.	19:37
dstanek	tpatil_: i'm going to change the title and description to be more genericly about the problem being solved. when i talked to Abhishek this morning it sounded like the configuration reloaded was not expected	19:39
tpatil_	dstanek: That's true, our intention is fix the raised exception issue because reloading of configuration file logic is already been called in the service framework when you SIGHUP signal.	19:41
tpatil_	stank: That's true, our intention is to fix the raised exception issue because reloading of configuration file logic is already been called in the service framework when you send SIGHUP signal.	19:42
tpatil_	dstanek: Apart from adding reset method, we have made several other changes because we were getting "cannot dup ssl socket" issue. I will request Abhishek to add this information to the bug and commit message.	19:44
dstanek	tpatil_: i think my biggest issue with the patch is the elimination of the listen method	19:46
tpatil_	dstanek: We can keep the listen method but will move the ssl related code to the start method.	19:50
tpatil_	dstanek: The main reason why we have eliminated listen method is that it not being used by other OpenStack services.	19:52
openstackgerrit	Anne Gentle proposed a change to openstack/identity-api: Removes WADL references from Identity v2.0 API https://review.openstack.org/112620	19:56
dstanek	the more reviews i do the more email i get and the more i feel like i'm drowning!	19:57
*** jorge_munoz has joined #openstack-keystone		20:01
*** afazekas has joined #openstack-keystone		20:09
*** jraim__ is now known as jraim		20:09
*** jorge_munoz has quit IRC		20:16
morganfainberg	stevemar, ping	20:20
stevemar	morganfainberg, pong	20:20
morganfainberg	stevemar, re: https://review.openstack.org/#/c/111873/2/v3/src/markdown/identity-api-v3-os-federation-ext.md is henrynash 's comment something we need to address before merging?	20:21
*** jorge_munoz has joined #openstack-keystone		20:21
stevemar	i thought i did..	20:22
stevemar	hmm	20:22
morganfainberg	about roles section in the token?	20:22
stevemar	morganfainberg, i think it's fine, we might need yet another patch to insert role's names, too	20:22
morganfainberg	stevemar, ?	20:23
stevemar	the roles section is in the scoped federation token, normally, it just doens't line up perfectly with the main API's format	20:23
stevemar	with the main API, the token also contains role names	20:23
stevemar	for federated tokens we just put in role ids	20:24
morganfainberg	not according to the review you have	20:24
morganfainberg	we put the whole role ref?	20:24
*** jorge_munoz has quit IRC		20:24
morganfainberg	stevemar, i have no idea where you're getting the id only part.	20:24
*** jorge_munoz has joined #openstack-keystone		20:25
stevemar	morganfainberg, wtf did i write there	20:25
morganfainberg	stevemar, ok, so now you see what i'm asking about	20:26
stevemar	yes	20:26
*** morganbird has quit IRC		20:26
stevemar	morganfainberg, give me a sec... let me run a federation test	20:28
morganfainberg	sure	20:28
stevemar	morganfainberg, OK, so the role section that comes back from a federation token includes enabled/name/description/id	20:30
morganfainberg	ok so your review is correct?	20:30
stevemar	henry was concerned that it doesn't match w/ the main API (just name and id), and we're missing "links"	20:30
stevemar	morganfainberg, yes, but the description and name are both a uuid	20:31
*** jorge_munoz has quit IRC		20:31
stevemar	i think it's worth fixing that	20:31
*** jorge_munoz has joined #openstack-keystone		20:32
*** hrybacki has quit IRC		20:33
morganfainberg	stevemar, so are you going to roll a new review on that one?	20:33
*** jorge_munoz has quit IRC		20:33
stevemar	yes, in about 1 second	20:33
morganfainberg	ok	20:34
openstackgerrit	Steve Martinelli proposed a change to openstack/identity-api: Add OS-FEDERATION section to scoped federation tokens https://review.openstack.org/111873	20:35
stevemar	morganfainberg, ^	20:35
*** joesavak has quit IRC		20:51
*** gokrokve has joined #openstack-keystone		20:53
openstackgerrit	Ajaya Agrawal proposed a change to openstack/keystone: Implemented caching in identity layer. https://review.openstack.org/110575	20:54
*** fifieldt_ has joined #openstack-keystone		20:59
*** fifieldt has quit IRC		21:02
*** bobt_ has joined #openstack-keystone		21:03
*** jasondotstar has quit IRC		21:04
ajayaa	morganfainberg, ayoung, https://review.openstack.org/#/c/110575/	21:05
*** raildo has left #openstack-keystone		21:08
*** morganbird has joined #openstack-keystone		21:11
openstackgerrit	Gabriel Assis Bezerra proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355	21:16
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Update CADF auditing example to show non-payload information https://review.openstack.org/111657	21:19
*** bvandenh has quit IRC		21:25
*** henrynash has quit IRC		21:38
*** henrynash has joined #openstack-keystone		21:38
*** henrynash has quit IRC		21:39
*** ajayaa has quit IRC		21:44
*** jorge_munoz has joined #openstack-keystone		21:47
stevemar	morganfainberg, lbragstad, dstanek ^ hopefully an easy review	21:51
*** jorge_munoz has quit IRC		21:53
*** turul_ has joined #openstack-keystone		21:55
*** afazekas is now known as __afazekas		21:55
*** turul_ is now known as afazekas		21:56
*** saipandi has quit IRC		22:02
*** marcoemorais has quit IRC		22:06
*** marcoemorais has joined #openstack-keystone		22:06
*** marcoemorais has quit IRC		22:07
*** marcoemorais has joined #openstack-keystone		22:07
*** marcoemorais has quit IRC		22:08
*** marcoemorais has joined #openstack-keystone		22:08
*** oomichi has joined #openstack-keystone		22:08
*** marcoemorais has quit IRC		22:10
*** marcoemorais has joined #openstack-keystone		22:10
*** rwsu has quit IRC		22:10
*** rwsu has joined #openstack-keystone		22:15
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Individual plugin CLI registering https://review.openstack.org/112563	22:18
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Individual plugin CLI registering https://review.openstack.org/112563	22:21
bknudson	https://review.openstack.org/#/c/109041/ could use a review	22:30
*** marcoemorais has quit IRC		22:31
*** marcoemorais has joined #openstack-keystone		22:31
*** marcoemorais has quit IRC		22:31
*** marcoemorais has joined #openstack-keystone		22:32
bknudson	https://review.openstack.org/#/c/112377/1/keystone/catalog/backends/templated.py that's funny	22:34
*** morganbird has quit IRC		22:34
*** jorge_munoz has joined #openstack-keystone		22:40
dstanek	bknudson: :-)	22:42
dstanek	bknudson: lots of that old code needs some love	22:42
bknudson	dstanek: I'd love to +2 it but I didn't like the new name.	22:42
bknudson	think of how much faster keystone would be if the names were all 1 letter	22:42
dstanek	bknudson: i'm fine with data; what did you mean with your comment about format_url all over the place?	22:42
bknudson	dstanek: keystone/contrib/endpoint_filter/backends/catalog_sql.py	22:43
*** jorge_munoz has quit IRC		22:43
dstanek	bknudson: we should try it!	22:43
bknudson	keystone/catalog/backends/sql.py	22:43
bknudson	dstanek: those	22:43
bknudson	dstanek: those 2	22:43
bknudson	Maybe "all over the place" was overstating it.	22:43
dstanek	bknudson: i see what you mean - they use d as well	22:44
bknudson	dstanek: well, it is a dict, so it makes sense	22:44
dstanek	bknudson: would you rather be leave the orignal d and just change o->catalog?	22:45
bknudson	dstanek: no, change d	22:45
bknudson	dstanek: that was a joke	22:45
bknudson	although "data" isn't especially descriptive either...	22:46
dstanek	bknudson: it's hard to tell with you sometimes :-P	22:46
bknudson	that's why I suggested replacement_values or something.	22:46
bknudson	format_url could also be changed from "data" to whatever name you pick	22:46
*** gordc has quit IRC		22:47
*** ayoung has quit IRC		22:53
dstanek	bknudson: i just realized that format_url is basically Python's string.Template	22:59
*** dhellmann is now known as dhellmann_		23:00
bknudson	dstanek: supposedly it's safe...	23:00
bknudson	but it doesn't look like it does any URL escaping.	23:01
dstanek	bknudson: yeah, no sure what's so safe about it	23:01
dstanek	bknudson: i'll create a failing test and a patch to actually make it sae	23:03
dstanek	or safe	23:03
*** bobt_ has quit IRC		23:08
*** morganbird has joined #openstack-keystone		23:10
*** marcoemorais has quit IRC		23:13
*** marcoemorais has joined #openstack-keystone		23:13
*** marcoemorais has quit IRC		23:14
*** marcoemorais has joined #openstack-keystone		23:14
*** morganbird has quit IRC		23:15
*** shufflebot has quit IRC		23:18
*** shufflebot has joined #openstack-keystone		23:18
*** jaosorior has quit IRC		23:22
*** jamielennox\|away is now known as jamielennox		23:23
jamielennox	gyee: do you know david hu's irc nick?	23:23
gyee	jamielennox, I don't see him at his desk, he may not be on irc at the moment	23:26
jamielennox	gyee: oh, you've got line of sight? useful. what's his nick so i can look for him?	23:27
jamielennox	foir later	23:27
gyee	k, I'll hurl an angry bird plush at him once I see him	23:28
gyee	that's our flintstone ping :)	23:28
openstackgerrit	David Stanek proposed a change to openstack/keystone: Refactor names in catalog backends https://review.openstack.org/112377	23:43
*** gokrokve has quit IRC		23:45
jamielennox	hey whoever's around, can we approve https://review.openstack.org/#/c/112479/ it's messing with the gate on keystoneclient stuff	23:45
dstanek	jamielennox: was the mapping setup just-in-case or was there a point where we linked docs?	23:56
jamielennox	dstanek: the same link exists in keystone and keystonemiddleware	23:57
jamielennox	i expect it was c&p-ed from somewhere initially and then just kept getting propogated	23:57
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystonemiddleware: Add composite authentication support https://review.openstack.org/108384	23:57
*** Dafna has quit IRC		23:58
gyee	jamielennox, pressed the button	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!