Monday, 2014-08-18

openstackgerrit: Boris Pavlovic proposed a change to openstack/python-keystoneclient: Add shell --profile option to tirgger osprofiler from CLI https://review.openstack.org/114856 [00:01]
openstackgerrit: Morgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857 [00:01]
openstackgerrit: Boris Pavlovic proposed a change to openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368 [00:03]
boris-42: morganfainberg hi [00:03]
openstackgerrit: Boris Pavlovic proposed a change to openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368 [00:04]
*** mriedem has quit IRC [00:06]
openstackgerrit: Morgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857 [00:13]
boris-42: morganfainberg I made using & testing of Osprofiler much simpler [00:15]
boris-42: morganfainberg if you have some free slots could you take a look at https://review.openstack.org/#/c/114856/ [00:15]
*** mitz has joined #openstack-keystone [00:32]
*** hrybacki has joined #openstack-keystone [00:38]
openstackgerrit: Boris Pavlovic proposed a change to openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368 [00:39]
*** hrybacki has quit IRC [00:43]
*** oomichi has joined #openstack-keystone [00:47]
*** xianghui has joined #openstack-keystone [00:55]
*** harlowja is now known as harlowja_away [00:58]
*** shakayumi is now known as shakamunyi [00:59]
*** alex_xu has joined #openstack-keystone [01:20]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator https://review.openstack.org/114863 [01:21]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864 [01:21]
openstackgerrit: Boris Pavlovic proposed a change to openstack/python-keystoneclient: Add shell --profile option to tirgger osprofiler from CLI https://review.openstack.org/114856 [01:25]
*** ncoghlan has joined #openstack-keystone [01:31]
*** morganfainberg is now known as morganfainberg_Z [01:35]
*** RicoLin has joined #openstack-keystone [01:39]
*** hrybacki has joined #openstack-keystone [01:40]
openstackgerrit: Boris Pavlovic proposed a change to openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368 [01:40]
*** yasukun has joined #openstack-keystone [01:44]
*** shakayumi has joined #openstack-keystone [01:46]
openstackgerrit: Jeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess https://review.openstack.org/51610 [01:47]
*** shakamunyi has quit IRC [01:49]
*** yasukun has quit IRC [01:52]
*** nonameentername has quit IRC [01:53]
*** nonameentername has joined #openstack-keystone [01:53]
jamielennox: do we not have an equivalent to /users/{id}/projects for domains? [02:22]
openstackgerrit: wanghong proposed a change to openstack/keystone: trustor_user_id not available in v2 trust token https://review.openstack.org/101829 [02:34]
*** morganfainberg_Z is now known as morganfainberg [02:37]
*** hrybacki has quit IRC [02:44]
openstackgerrit: wanghong proposed a change to openstack/keystone: V2 token from trust cannot be generated with user/pass https://review.openstack.org/112230 [02:47]
openstackgerrit: A change was merged to openstack/python-keystoneclient: Revert "Use oslo.utils" https://review.openstack.org/114825 [02:49]
openstackgerrit: A change was merged to openstack/python-keystoneclient: Revert "Add oslo.utils requirement" https://review.openstack.org/114833 [02:50]
openstackgerrit: Boris Pavlovic proposed a change to openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368 [02:52]
*** andreaf_ has joined #openstack-keystone [02:57]
*** andreaf has quit IRC [03:00]
*** hrybacki has joined #openstack-keystone [03:02]
openstackgerrit: Boris Pavlovic proposed a change to openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368 [03:03]
*** RicoLin has quit IRC [03:06]
*** RicoLin has joined #openstack-keystone [03:06]
*** hrybacki has quit IRC [03:07]
openstackgerrit: A change was merged to openstack/keystone: Use mail for the default LDAP email attribute name https://review.openstack.org/94668 [03:08]
*** hrybacki has joined #openstack-keystone [03:10]
*** stevemar has joined #openstack-keystone [03:14]
boris-42: jamielennox around/ [03:15]
boris-42: ? [03:17]
*** alex_xu has quit IRC [03:21]
openstackgerrit: wanghong proposed a change to openstack/keystone: add --rebuild option for ssl/pki_setup https://review.openstack.org/88207 [03:41]
*** alex_xu has joined #openstack-keystone [03:43]
openstackgerrit: Morgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857 [03:44]
*** cjellick has joined #openstack-keystone [03:54]
*** cjellick has quit IRC [03:55]
*** cjellick has joined #openstack-keystone [03:55]
*** Krast has joined #openstack-keystone [03:56]
*** cjellick has quit IRC [04:00]
*** ncoghlan is now known as ncoghlan_afk [04:04]
*** KanagarajM has joined #openstack-keystone [04:04]
*** ncoghlan_afk is now known as ncoghlan [04:27]
*** hrybacki has quit IRC [04:32]
*** nkinder has quit IRC [04:34]
*** nkinder has joined #openstack-keystone [04:35]
*** stevemar has quit IRC [04:44]
openstackgerrit: Morgan Fainberg proposed a change to openstack/identity-api: Update revoke-ext https://review.openstack.org/114857 [04:50]
*** chandankumar has joined #openstack-keystone [05:00]
morganfainberg: jamielennox, thanks for responding to ayoung's comment on your spec. lets 2x check w/ others and if no issues i'm still +2 on it. [05:10]
morganfainberg: jamielennox, anyway.. catch you tomorrow [05:10]
jamielennox: morganfainberg: i don't think they are a problem for this patch [05:11]
morganfainberg: jamielennox, fairly certain you addressed his comments directly and well [05:11]
jamielennox: morganfainberg: i'm doing the impl now and it's more involved than expected but will be ok [05:11]
jamielennox: we don't have a list domains for user operation at all [05:11]
morganfainberg: but... /me is sleepy and hurting cause of revocation event cleanup [05:11]
morganfainberg: i *think* i know the last couple fixes to tests to make this work [05:12]
morganfainberg: but ugh. so many assumptions that things *will* be a certain way [05:12]
jamielennox: morganfainberg: yea, that would be a PITA i remember trying to review it [05:12]
jamielennox: there's still the one on client side which i haven't done for that because i just have no idea [05:12]
morganfainberg: jamielennox, we should hold off on that until we get it solid in keystone [05:12]
morganfainberg: jamielennox, right now... it's getting close to re-writing a chunk of it [05:13]
jamielennox: morganfainberg: have always agreed with that [05:13]
jamielennox: morganfainberg: anyway, sleep i'll talk to you later [05:14]
*** amirosh has joined #openstack-keystone [05:21]
*** ukalifon1 has joined #openstack-keystone [05:39]
*** ajayaa has joined #openstack-keystone [05:50]
*** tomoiaga has joined #openstack-keystone [05:52]
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/111920 [06:05]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864 [06:13]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator https://review.openstack.org/114863 [06:13]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens https://review.openstack.org/114306 [06:13]
jamielennox: morganfainberg: you were leaving an hour ago [06:14]
morganfainberg: jamielennox, yeah i am actually leaving now [06:14]
morganfainberg: jamielennox, was trying to solve the last few of those test failures ^^ [06:14]
morganfainberg: down to ~5, and i know what they are from [06:14]
morganfainberg: so will deal with them tomorrow.. then more rebase hell [06:15]
jamielennox: morganfainberg: yea, know that feeling [06:15]
*** ncoghlan is now known as ncoghlan_afk [07:00]
*** ncoghlan_afk is now known as ncoghlan [07:11]
*** mflobo has joined #openstack-keystone [07:53]
openstackgerrit: Jamie Lennox proposed a change to openstack/keystone: Create authentication specific routes https://review.openstack.org/114903 [08:08]
*** henrynash has joined #openstack-keystone [08:08]
*** afazekas_ has joined #openstack-keystone [08:14]
*** mflobo has quit IRC [08:19]
*** jamielennox is now known as jamielennox|away [08:26]
*** xianghui has quit IRC [08:27]
*** xianghui has joined #openstack-keystone [08:31]
*** ncoghlan is now known as ncoghlan_afk [08:33]
*** henrynash has quit IRC [08:38]
*** aix has joined #openstack-keystone [08:43]
*** aix has quit IRC [08:53]
*** henrynash has joined #openstack-keystone [08:56]
*** alex_xu has quit IRC [09:05]
*** afazekas has quit IRC [09:09]
*** afazekas_ is now known as afazekas [09:09]
*** aix has joined #openstack-keystone [09:14]
*** ajayaa has quit IRC [09:23]
*** ajayaa has joined #openstack-keystone [09:35]
*** Clabbe has quit IRC [10:42]
*** kwss has joined #openstack-keystone [10:43]
*** cosss has joined #openstack-keystone [10:43]
*** Clabbe has joined #openstack-keystone [10:58]
*** cosss has quit IRC [10:59]
*** KanagarajM has quit IRC [11:01]
*** henrynash has quit IRC [11:01]
*** xianghui has quit IRC [11:07]
*** xianghui has joined #openstack-keystone [11:08]
*** Clabbe has quit IRC [11:10]
*** Clabbe has joined #openstack-keystone [11:12]
*** fifieldt has joined #openstack-keystone [11:23]
*** afaranha has joined #openstack-keystone [11:25]
*** Clabbe has quit IRC [11:25]
*** Clabbe has joined #openstack-keystone [11:32]
*** bvandenh has joined #openstack-keystone [11:32]
*** hrybacki has joined #openstack-keystone [11:54]
*** bvandenh has quit IRC [11:54]
*** hrybacki has quit IRC [11:58]
*** miqui has quit IRC [12:07]
*** afaranha has quit IRC [12:07]
*** gordc has joined #openstack-keystone [12:08]
*** andreaf has joined #openstack-keystone [12:10]
*** andreaf has quit IRC [12:11]
*** andreaf has joined #openstack-keystone [12:11]
*** andreaf_ has quit IRC [12:13]
*** htruta has joined #openstack-keystone [12:14]
openstackgerrit: Kristy Siu proposed a change to openstack/keystone: Standardizing the Federation Process https://review.openstack.org/105597 [12:17]
*** rodrigods has joined #openstack-keystone [12:21]
*** raildo has joined #openstack-keystone [12:27]
*** radez_g0n3 is now known as radez [12:47]
ajayaa: Hi. If I have to add something to http://developer.openstack.org/api-ref-identity-v2.html, where do I do it? [12:50]
*** hrybacki has joined #openstack-keystone [12:50]
*** ukalifon3 has joined #openstack-keystone [12:58]
*** ukalifon1 has quit IRC [12:59]
*** RicoLin has quit IRC [13:00]
*** richm has joined #openstack-keystone [13:04]
*** bknudson1 has quit IRC [13:08]
*** nkinder has quit IRC [13:10]
dolphm: ajayaa: that's either in https://github.com/openstack/api-site or based on XSD/WADLs in https://github.com/openstack/identity-api/tree/master/v2.0/src [13:11]
*** radez is now known as radez_g0n3 [13:18]
*** joesavak has joined #openstack-keystone [13:20]
*** hrybacki has quit IRC [13:23]
*** chandankumar has quit IRC [13:42]
*** ukalifon3 has quit IRC [13:45]
*** ukalifon has joined #openstack-keystone [13:53]
*** nkinder has joined #openstack-keystone [13:56]
*** Krast_ has joined #openstack-keystone [14:04]
*** xianghuihui has joined #openstack-keystone [14:06]
*** zzzeek has joined #openstack-keystone [14:06]
*** hyakuhei_ has joined #openstack-keystone [14:06]
openstackgerrit: Raildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy https://review.openstack.org/101017 [14:08]
*** kevinbenton_ has joined #openstack-keystone [14:10]
*** alex_xu has joined #openstack-keystone [14:10]
*** xianghui has quit IRC [14:11]
*** Krast has quit IRC [14:11]
*** wanghong has quit IRC [14:11]
*** gabriel-bezerra has quit IRC [14:11]
*** kevinbenton has quit IRC [14:11]
*** hyakuhei has quit IRC [14:11]
*** kevinbenton_ is now known as kevinbenton [14:12]
ajayaa: dolphm, What purpose does default_project_id server when creating an user? [14:14]
ajayaa: serve* [14:14]
dolphm: ajayaa: if you don't specify an explicit scope (project ID / domain ID) during authentication, then it attempts to scope of your default project [14:14]
dolphm: ajayaa: on v2, it provides implicit authorization, and on v3 requires separate explicit authorization [14:15]
dolphm: user.tenant_id in v2 == user.default_project_id in v3 [14:15]
openstackgerrit: Marcos Fermín Lobo proposed a change to openstack/keystone: Implement validation on the Catalog V3 resources https://review.openstack.org/96266 [14:15]
dolphm: ajayaa: docs- https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#users-v3users [14:15]
*** oomichi has quit IRC [14:16]
*** gabriel-bezerra has joined #openstack-keystone [14:17]
ajayaa: I can create a user with a non existent project. In v2 there is a check for existence of project whereas in v3 it is not. [14:18]
*** wanghong has joined #openstack-keystone [14:18]
ajayaa: dolphm, now makes sense. What role is granted in v2? member? [14:18]
dolphm: ajayaa: yes, keystone.conf [DEFAULT] member_role_id + member_role_name [14:19]
dolphm: ajayaa: and that role is created if it doesn't exist at v2 user creation [14:20]
dolphm: s/at v2 user creation/at some point =)/ [14:20]
dolphm: might be on auth [14:20]
ajayaa: dolphm, it is in auth I suppose. I am currently looking at user creation v2. [14:21]
ajayaa: :) [14:21]
*** henrynash has joined #openstack-keystone [14:23]
*** ayoung has joined #openstack-keystone [14:25]
*** david-lyle has joined #openstack-keystone [14:26]
*** topol has joined #openstack-keystone [14:27]
*** topol has quit IRC [14:27]
ayoung: marekd, . ``xmlsec1`` cannot read input data from stdin ?  Really [14:33]
ayoung: What is it doing? [14:33]
*** radez_g0n3 is now known as radez [14:38]
openstackgerrit: Marcos Fermín Lobo proposed a change to openstack/keystone: Error on _ldap_get_list without attrlist value https://review.openstack.org/114986 [14:45]
*** rustlebee is now known as russellb [14:52]
*** bknudson has joined #openstack-keystone [14:54]
*** gpocente1 is now known as gpocentek [15:07]
*** gpocentek has quit IRC [15:07]
*** gpocentek has joined #openstack-keystone [15:07]
*** stevemar has joined #openstack-keystone [15:11]
*** tomoiaga has quit IRC [15:18]
*** joesavak has quit IRC [15:19]
*** chandankumar has joined #openstack-keystone [15:20]
*** Jean-Daniel has joined #openstack-keystone [15:22]
Jean-Daniel: hi all [15:22]
Jean-Daniel: I'm trying to fine tune my policy.json [15:23]
Jean-Daniel: in few words, i'm trying to have a super_admin and admin [15:24]
Jean-Daniel: only super admin can CRUD specific user/tenant/endpoint [15:25]
Jean-Daniel: where I can find docs on this question? [15:25]
openstackgerrit: Ajaya Agrawal proposed a change to openstack/keystone: Validation of parameters during user creation https://review.openstack.org/114997 [15:26]
*** ajayaa has quit IRC [15:26]
ayoung: Jean-Daniel, are you starting with the standard policy.json, or are you using the cloudsample version? [15:27]
Jean-Daniel: the standard one [15:28]
*** bearhands is now known as comstud [15:28]
Jean-Daniel: I'm still using APIv2 [15:29]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Expose context to create and delete role_assignments https://review.openstack.org/114809 [15:32]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Expose context to create grant and delete grant https://review.openstack.org/114809 [15:33]
*** ukalifon has quit IRC [15:35]
Jean-Daniel: nobody to give me a good docs ? [15:37]
*** jorge_munoz has joined #openstack-keystone [15:39]
ayoung: APIv2 is not going to work for you across the board [15:40]
*** amirosh has quit IRC [15:40]
ayoung: not all of the Calls are protected by anything other than "is_admin" which is not a policy check [15:40]
ayoung: sorry [15:40]
ayoung: Jean-Daniel, and no, there are no good docs yet/ [15:40]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires https://review.openstack.org/114864 [15:40]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429 [15:40]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator https://review.openstack.org/114863 [15:40]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Add audit ids to tokens https://review.openstack.org/114306 [15:40]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Add __str__ and __repr__ to KeystoneToken model https://review.openstack.org/113430 [15:41]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462 [15:41]
*** cjellick has joined #openstack-keystone [15:45]
*** joesavak has joined #openstack-keystone [15:47]
*** afazekas has quit IRC [15:49]
*** Kui has quit IRC [15:51]
Jean-Daniel: ok thx for your answers ;) [15:51]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Expose context to create grant and delete grant https://review.openstack.org/114809 [15:55]
*** gyee has joined #openstack-keystone [15:57]
*** amirosh has joined #openstack-keystone [16:04]
*** chandankumar has quit IRC [16:10]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462 [16:22]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429 [16:22]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api https://review.openstack.org/115012 [16:22]
*** kwss has quit IRC [16:26]
*** gokrokve has joined #openstack-keystone [16:36]
*** hrybacki has joined #openstack-keystone [16:42]
*** zzzeek has quit IRC [16:42]
*** harlowja_away is now known as harlowja [16:45]
ayoung: Pucking Phython [16:49]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Expose context to create grant and delete grant https://review.openstack.org/114809 [16:50]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete https://review.openstack.org/112204 [16:50]
*** zzzeek has joined #openstack-keystone [16:50]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Expose context to create grant and delete grant https://review.openstack.org/114809 [16:51]
dstanek: ayoung: ? [16:51]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete https://review.openstack.org/112204 [16:51]
ayoung: dstanek, debugging in Pycharm [16:52]
dstanek: haha - i've never done that before [16:52]
ayoung: dstanek, its the testing stuff [16:52]
ayoung: and the fact that everyone wants to rewrite base tools, like unit testing frameworks [16:52]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Create additional docs for role assignment events https://review.openstack.org/114813 [16:53]
ayoung: so tox doesn't work with nose and I can't run just the test I want to in the debugger [16:53]
ayoung: dstanek, and the failure was that the self object in setup didn't have a conft attribute, and that is just something I don't want to look at [16:53]
ayoung: dolphm, morganfainberg OK, I figured out why the copy of the old test is failing. The old test was passing incorrectly. We need to clean the cache before the test. The test was working with a Hashed version that was being validated by "Keystone" (mock call) and not due to the caching. [16:59]
morganfainberg: ayoung, ah [17:00]
ayoung: And....there is the whole issue of which hash to store [17:00]
ayoung: morganfainberg, and I think the test is using the MD5 version, but the "server" caches using SHA [17:00]
morganfainberg: ayoung, why do we invalidate tokens for a user when we add the user to a group? [17:00]
morganfainberg: that seems... broken [17:01]
ayoung: morganfainberg, it should be scaled back to only on remove [17:01]
morganfainberg: figured as much [17:01]
ayoung: we were hyperaggressive on revocations [17:01]
ayoung: didn't realize I miss that one [17:01]
morganfainberg: hm. now i need to figure out how to make a callback with notifications work for when a user is removed from a group [17:02]
ayoung: morganfainberg, so if the client passes a MD5 token to auth_token middleware, it is going to be a cache miss [17:02]
morganfainberg: and i'll have token_api removed from identity.core [17:02]
ayoung: morganfainberg, is there a notification only for change? [17:03]
morganfainberg: not for user being added/removed from a group [17:03]
morganfainberg: for user password changes i made a new internal notification class (worthwhile) [17:03]
morganfainberg: but... i feel silly making new notification (resource_types) for things like 'user_removed_from_group' [17:04]
ayoung: morganfainberg, be silly [17:04]
morganfainberg: yeah thats kindof where i'm going [17:04]
ayoung: morganfainberg, so we were hashing in the test code with MD5, but caching with sha256 [17:09]
ayoung: I think I have it fixed...testing now, will resubmit [17:10]
morganfainberg: ayoung, i think that was intentional, e.g. the MD5 should be a 200, the sha1 should fail [17:10]
morganfainberg: the first time [17:10]
ayoung: I'll wait until middleware gets approved before resubmitting in keystoneclient [17:10]
ayoung: nope [17:10]
morganfainberg: the md5 would fail subsequently [17:10]
ayoung: not the way the code is written [17:10]
ayoung: md5 will never actually validate with the code the way it is written [17:10]
morganfainberg: the test says provide hashes for [md5, sha1] [17:10]
morganfainberg: oh because we only cache token_ids[0] [17:11]
morganfainberg: right [17:11]
ayoung: morganfainberg, that will work, but its only cached on sha1 [17:11]
ayoung: and the old test passed because we use the sample data to respond to an online lookup. Its a shortcoming in our test code that we use the same token for both hashed and unhashed version of the tokens [17:11]
openstackgerrit: ayoung proposed a change to openstack/keystonemiddleware: Hash for PKIZ https://review.openstack.org/114646 [17:15]
*** rwsu has joined #openstack-keystone [17:23]
ayoung: morganfainberg, what do you think about this idea: we have an LDAP server available for gate tests. It is read only, with known, fixed values in it. Anyone can test against it, or duplicate. Then, as part of the devstack setup for gate, we do the multi-domain setup, and point at that preconfigured LDAP? [17:29]
morganfainberg: hm [17:35]
morganfainberg: perhaps. though i think that is going to run into issues. [17:35]
morganfainberg: probably better to setup an LDAP tempest (runs only for keystone) and have the multi-domain stuff come from a separate tree in the ldap hierarchy [17:36]
*** joesavak has quit IRC [17:39]
*** marcoemorais has joined #openstack-keystone [17:45]
*** marcoemorais has quit IRC [17:46]
*** harlowja is now known as harlowja_away [17:46]
*** marcoemorais has joined #openstack-keystone [17:47]
dstanek: how did we generate the sample config in havana? by hand? [17:48]
*** marcoemorais has quit IRC [17:50]
*** marcoemorais has joined #openstack-keystone [17:50]
morganfainberg: dstanek, yeah [17:55]
dstanek: morganfainberg: good times [18:00]
*** aix has quit IRC [18:02]
*** zzzeek has quit IRC [18:03]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api https://review.openstack.org/115045 [18:03]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Add __str__ and __repr__ to KeystoneToken model https://review.openstack.org/113430 [18:03]
*** zzzeek has joined #openstack-keystone [18:05]
*** marcoemorais has quit IRC [18:05]
*** marcoemorais has joined #openstack-keystone [18:05]
*** marcoemorais has quit IRC [18:08]
*** marcoemorais has joined #openstack-keystone [18:08]
*** radez is now known as radez_g0n3 [18:08]
*** afazekas has joined #openstack-keystone [18:09]
*** ncoghlan_afk is now known as ncoghlan [18:11]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429 [18:11]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Add __str__ and __repr__ to KeystoneToken model https://review.openstack.org/113430 [18:12]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462 [18:12]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api https://review.openstack.org/115012 [18:12]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api https://review.openstack.org/115045 [18:12]
*** radez_g0n3 is now known as radez [18:14]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542 [18:18]
raildo: henrynash: I sent a version of the spec earlier today, if you can review :) [18:19]
openstackgerrit: Rodrigo Duarte proposed a change to openstack/keystone: Create, update and delete hierarchical projects https://review.openstack.org/111842 [18:20]
*** ncoghlan is now known as ncoghlan_afk [18:21]
*** marcoemorais has quit IRC [18:23]
*** marcoemorais has joined #openstack-keystone [18:24]
*** marcoemorais has quit IRC [18:24]
*** marcoemorais has joined #openstack-keystone [18:25]
*** marcoemorais has quit IRC [18:25]
*** marcoemorais has joined #openstack-keystone [18:26]
*** harlowja_away is now known as harlowja [18:26]
*** marcoemorais has quit IRC [18:27]
*** marcoemorais has joined #openstack-keystone [18:27]
*** marcoemorais has quit IRC [18:27]
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements https://review.openstack.org/115053 [18:28]
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/111620 [18:28]
*** marcoemorais has joined #openstack-keystone [18:30]
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/114067 [18:33]
*** hrybacki has quit IRC [18:41]
*** amerine__ is now known as amerine [18:49]
henrynash: raildo: will look at it later tonight, thank [18:52]
henrynash: thanks [18:52]
raildo: henrynash: great, thank you! [18:52]
richm: Is there a known problem currently with running keystone tests in pdb? [18:57]
richm: and stopping in tests? [18:57]
richm: If I try to stop in/step into tests, the interpreter gets some sort of "too many levels of recursion" exception [18:58]
richm: If I just continue, I see no such exception but my breakpoints are never hit [18:58]
richm: I know it is executing the test function [18:59]
richm: tools/with_venv.sh python -m pdb .venv/lib/python2.7/site-packages/testtools/run.py keystone.tests.test_backend_ldap.LDAPIdentity.test_something [18:59]
openstackgerrit: A change was merged to openstack/identity-api: Updated from global requirements https://review.openstack.org/115053 [19:00]
raildo: henrynash: I was interested to start contributing to the endpoint policy. Could you give me information about the progress, if you or ayoung need help to implementing or something like that? [19:03]
ayoung: raildo, I think the spec is basically OKed [19:06]
ayoung: richm, yes [19:06]
ayoung: richm, eventlet messes with it, so use --standard-threads switch [19:06]
raildo: ayoung: I was reading it. [19:06]
richm: ayoung: option --standard-threads not recognized [19:10]
richm: ayoung: I'm not trying to debug a keystone server, just a test [19:10]
richm: so I didn't think threading would be involved [19:11]
ayoung: richm, export STANDARD_THREAD=True [19:12]
ayoung: er [19:12]
ayoung: STANDARD_THREADS [19:12]
ayoung: richm, eventlet monkeypatches the Python thread code. [19:13]
ayoung: which means that the debugger can't switch threads upon hitting a breakpoint. [19:13]
ayoung: our tests are usually run with eventlet, but we put in the work around for the debugger [19:14]
richm: ah, ok [19:14]
richm: I didn't have to do this a few months ago, when last I tried to debug a test using pdb [19:14]
boris-42: ayoung hi [19:16]
ayoung: richm, you lie [19:16]
ayoung: richm, I am pretty certain all of our tests monkeypatch eventlet in the setup code, and overriding must be done for debuggers [19:17]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete https://review.openstack.org/112204 [19:18]
openstackgerrit: Steve Martinelli proposed a change to openstack/keystone: Create additional docs for role assignment events https://review.openstack.org/114813 [19:18]
dstanek: ayoung: i believe you are correct. we set STANDARD_THREADS in debug_helper.sh [19:18]
ayoung: stevemar, morganfainberg I suspect that we are going to want to merge the CADF and internal notifications into one code path [19:19]
dolphm: stevemar: cool http://pasteraw.com/b76mhgiq3p888knlhizym443l9i4yud [19:19]
stevemar: ayoung, yes, it's definitely something we should think of [19:20]
ayoung: dolphm, https://review.openstack.org/#/c/114646/ I've incorporated your test in there....sort of. It turns out the old test was getting a pass incorrectly [19:20]
dolphm: ayoung: yeah, i saw your comment earlier [19:20]
ayoung: dolphm, I'm guessing gate is wedged since that hasn't been accepted/rejected [19:21]
stevemar: dolphm, i'm not sure what to make of your pastie [19:21]
ayoung: morganfainberg, does keystonemiddleware not kick off the gate jobs? [19:21]
henrynash: stevemar: if i want to receive notifications…and the ones I want are CADF, do I have to do know that and do different things (just thinking about other projects that might subscribe to our notifications)? [19:21]
dolphm: stevemar: just started listening to the gerrit event queue, and your thing was the first to pop up [19:22]
stevemar: dolphm, appropriate [19:24]
stevemar: henrynash, nope, it shouldn't matter really, they are all on the message bus [19:24]
stevemar: henrynash, the payload will be a slightly different format, non-cadf (the payload is just a uuid) vs cadf (elaborate dict) [19:25]
dolphmstevemar: what's the topic use for auth cadf notifications?19:26
*** mitz has quit IRC19:26
henrynashstevemar: I wonder if you should be able to “read” the event in non-cadf form, even if (unbeknown to you) it is in cadf format19:26
*** mitz has joined #openstack-keystone19:27
henrynashstevemar: otherwise we are setting ourselves up for a maintenance nightmare once lots of peopele start subscribing and we want to change an event from non-cadf to cadf19:28
stevemardolphm, no idea. auth cadf notifications... that was last release19:29
stevemarhenrynash, i'm not sure, i think it should be the other way19:30
henrynashstevemar: oh, you mean…all our evenst are in cadf format?19:30
henrynashstevemar: (which would be ok too)19:30
stevemarhenrynash, theres 2 main reasons for notifications right, as a callback function, and for auditing,19:31
henrynashstevemar: yep19:31
stevemari don't think all the non-cadf ones are necessarily valid audit events (like creating a project)19:31
dolphmstevemar: callbacks aren't emitted to messaging19:31
dolphmstevemar: they just sort of hijack the messaging pattern internally19:31
dolphmpublic=False # no message bus involved19:32
stevemardolphm, so whats the point of the identity / assignment CRUD notifications?19:32
henrynashdolphm: but, say, nova could receive it?19:32
dolphmstevemar: assignment - auditing only?19:32
dolphmhenrynash: nova should listen for non-cadf events that it cares about, like project deletion19:33
henrynashdolphm: agreed19:33
dolphmhenrynash: i don't think other services (besides maybe ceilometer or a CADF capture tool) should listen for anything CADF-ish19:33
stevemardolphm, so really the assignment ones should be CADF19:33
dolphmstevemar: yes19:33
henrynashdolphm: my only point was, today (and our docs say this), we chose, for any given event type, whether we will emit it as non-cadf or cadf19:34
stevemarwhat about the identity ones, deleting a user is pretty auditable19:34
dolphmhenrynash: yes. but i don't know what we should do in the case of an audit-relevant event that other services would be interested in (not that i have an example today) - do we emit CADF or non CADF there?19:35
henrynashdolphm: I think that’s exxactly what I’m trying to explore…today we emit one or the other…so it’s CADF19:35
henrynashstevemar: correct me if I’m wrong here19:35
henrynashdolphm: and my concern is, say, in the future we decided to make some event that is (today) non-cadf into a cadf one because people want it for auditing, all our subscribers would have to change their code19:37
dolphmhenrynash: i think we'd have to emit two notifications there19:37
henrynashdolphm: which if so, I’d argue we should be emitting two for any cadf events today…for different types of subscriber (audit or just other interested parties)19:38
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Hash for PKIZ  https://review.openstack.org/11465419:38
stevemardolphm, ++ for the 2 notifications, it sounds good to me19:39
stevemarbknudson, thanks for the suggestion re: defaulting the context, instead of updating the tests19:45
lbragstaddstanek: have you updated the jsd library lately/19:46
lbragstad?19:46
lbragstaddstanek: just out of curiosity19:46
dstaneklbragstad: i have a ton of updates, but i have yet to make a release - i've started to get emails about adding other features of the spec19:47
lbragstaddstanek: nice!19:47
dstaneklbragstad: there are a few tests i need to get green before i release again. so maybe tonight or early tomorrow19:48
lbragstadother openstack projects want to use it? or not openstack specific?19:48
dstaneknot openstack specific19:48
lbragstadcool19:48
*** shakayumi has quit IRC19:53
*** nkinder has quit IRC19:54
*** henrique_ has joined #openstack-keystone19:57
*** gpocente1 has joined #openstack-keystone19:57
*** gyee_ has joined #openstack-keystone19:57
*** gyee has quit IRC19:58
*** htruta has quit IRC19:58
*** wolsen has quit IRC19:58
*** gpocentek has quit IRC19:58
richmayoung: http://paste.openstack.org/show/96997/19:59
richmThis does not work - does not hit any of my breakpoints19:59
*** wolsen has joined #openstack-keystone19:59
richmIf anyone knows how to run tests in a debugger, and set and hit breakpoints in test functions, I would appreciate any advice19:59
ayoungrichm, I don't run the tests that way.20:00
stevemarrichm, if you're not running keystone under apache, you can use the `debug` tox environment20:03
ayoungrichm, try putting a breakpoint in test setup before the environment setup20:04
stevemarrichm, tox -e debug test_backend_ldap.LDAPIdentity.test_deleteTree       << if you're not running under apache, and using pdb20:04
richmI'm not running keystone under apache, I'm trying to debug keystone/tests/test_backend_ldap.py20:04
richmok20:04
*** amirosh has quit IRC20:11
*** amirosh has joined #openstack-keystone20:11
*** amirosh has quit IRC20:16
dstanekrichm: did you get it working yet?20:24
ayoungstevemar, is there a way to get that to stop on a breakpoint right away, as opposed to having to edit your code to set a breakpoint?20:25
stevemarayoung, not that i know of, dstanek ^20:26
dstanekayoung, stevemar: you mean no 'import pdb; pdb.set_trace()'?20:27
ayoungdstanek, exactly20:28
ayoungediting source is antisocial20:28
richmdstanek: ayoung: yes, it is working - pdb.set_trace() makes it work20:28
richmwhich is not ideal, but at least I can proceed20:28
dstanekthe only way i know of is to run the app with pdb and then use normal gdb-line command to set a breakpoint on a file20:29
ayoungdstanek, you taunt me20:30
ayoungdstanek, what would that look like?20:30
dstanekayoung: i thought the IDEs like pycharm could do that20:30
ayoungdstanek, I'd like to not have to use an IDE20:30
dstanekin our environment i'm not 100% sure20:31
*** radez is now known as radez_g0n320:31
ayoungdstanek, lets assume that richm 's line worked20:31
ayoung STANDARD_THREADS=True tools/with_venv.sh python -m pdb .venv/lib/python2.7/site-packages/testtools/run.py keystone.tests.test_backend_ldap.LDAPIdentity.test_deleteTree20:32
dstanekayoung: that looks like it would work, but testtools give me nightmares20:33
richmhmm - fakeldap search_s with SCOPE_SUBTREE does not return the given dn20:33
ayoungdstanek, Pucking Phython20:44
dstanekit'll grow on you20:44
dstaneklike a rash20:44
ayoungdstanek, I had the dermatologist remove it20:44
ayoungdstanek, its been 4 years.  Ain't gonna happen20:44
ayounganyway,  removing all the multiple ways we can obfuscate20:45
ayoungsay I did this20:45
ayoung. .venv/bin/activate20:45
ayoungand then  python -m pdb .venv/lib/python2.7/site-packages/testtools/run.py keystone.tests.test_backend_ldap.LDAPIdentity.test_deleteTree20:45
ayoungHow would I get pdb to stop before running the code20:46
ayounglike a normal debugger20:46
stevemaranyone why I can't reference the example certs/keys in a test? they don't seem to be there20:48
stevemarcorrection, i can refer to them in a test, but jenkins doesn't like that20:48
ayoungstevemar, liar20:49
ayoungstevemar, which project?20:49
stevemarayoung, in keystone, i just want the path to any .pem file, to sign something20:50
ayoungstevemar, this for the SAML?20:50
ayoungsigning step?20:50
stevemarayoung, yep, i just want to make sure the library signs it correctly20:50
ayoungyou trying to use the keystone signing cert from the conf file?20:50
stevemaryep20:51
stevemarand it works in my dev. env20:51
ayoungstevemar, its done by keystoneclient now20:51
stevemarbut when i check it in, kablewie20:51
stevemarah20:51
ayoungstevemar, got a link?20:51
stevemarsec20:52
stevemarline 1584, https://review.openstack.org/#/c/110542/16/keystone/tests/test_v3_federation.py - i am just using the one for signing.keyfile20:52
stevemari set the value to be the same, i figured it was hacky/lazy20:53
stevemarjust testing it out20:53
stevemarand that works in my env.20:53
stevemarayoung, but the tests, http://logs.openstack.org/42/110542/16/check/gate-keystone-python26/ff82992/testr_results.html.gz don't pass because the value isn't set to the full path, just ''20:54
ayoungstevemar, the other tests that do token_signing have to do something.20:56
stevemarayoung, yeah, looking at test_cert_setup now, trying to figure out whats going on20:57
ayoungthe default value for that field is in /etc/keystone/ssl,  IIRC.  But the tests point to local.  Its in one of the test conf files20:57
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Create, update and delete hierarchical projects  https://review.openstack.org/11184221:00
*** bknudson has quit IRC21:03
*** hrybacki has joined #openstack-keystone21:03
*** nkinder has joined #openstack-keystone21:10
*** gordc has quit IRC21:11
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api  https://review.openstack.org/11504521:19
*** ncoghlan_afk is now known as ncoghlan21:31
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add CADF notifications for role assignment create and delete  https://review.openstack.org/11220421:33
*** ncoghlan is now known as ncoghlan_afk21:41
*** henrynash has quit IRC21:45
*** marcoemorais1 has joined #openstack-keystone21:57
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054221:58
*** marcoemorais has quit IRC21:59
*** stevemar2 has joined #openstack-keystone22:02
*** zzzeek_ has joined #openstack-keystone22:03
*** stevemar2 has quit IRC22:09
*** chmouel_ has joined #openstack-keystone22:10
*** toddnni has quit IRC22:11
*** zzzeek has quit IRC22:11
*** stevemar has quit IRC22:11
*** chmouel has quit IRC22:11
*** toddnni has joined #openstack-keystone22:11
*** zzzeek_ is now known as zzzeek22:11
*** marcoemorais1 has quit IRC22:31
*** marcoemorais has joined #openstack-keystone22:31
*** jamielennox|away is now known as jamielennox22:42
*** hrybacki has quit IRC22:43
*** marcoemorais has quit IRC22:50
*** marcoemorais has joined #openstack-keystone22:51
*** zzzeek has quit IRC22:53
*** zzzeek has joined #openstack-keystone22:53
*** zzzeek has quit IRC22:53
*** jorge_munoz has quit IRC22:57
openstackgerritJamie Lennox proposed a change to openstack/keystone: Create authentication specific routes  https://review.openstack.org/11490322:59
jamielennoxayoung: thanks for the run of reviews, did you figure out your problem with the service catalog and your review?23:00
*** jorge_munoz has joined #openstack-keystone23:01
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model  https://review.openstack.org/11343023:01
*** alex_xu has quit IRC23:08
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator  https://review.openstack.org/11486323:11
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Revoke by Audit Id / Audit Id Chain instead of expires  https://review.openstack.org/11486423:12
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api  https://review.openstack.org/11342923:12
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api  https://review.openstack.org/10946223:12
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove SAML2 plugin dependency on token_api  https://review.openstack.org/11501223:12
*** jorge_munoz has quit IRC23:12
jamielennoxmorganfainberg: i got a question on a review https://review.openstack.org/#/c/113579 about how to raise the correct unauthenticated message23:13
jamielennox(picking on you because you are the only person thats been active for a while)23:13
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove identity_api dependency on token_api  https://review.openstack.org/11504523:13
*** marcoemorais has quit IRC23:13
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add __repr__ to KeystoneToken model  https://review.openstack.org/11343023:13
jamielennoxwhat do you think?23:13
*** marcoemorais has joined #openstack-keystone23:13
jamielennoxi thought if we raised an error and it got caught by the middleware it could transform it23:14
jamielennoxhowever most projects have a catch all exception handler so that the service doesn't cratch23:14
jamielennoxs/cratch/crash23:14
jamielennoxif the middleware is not being used then this is a bad idea to raise an exc23:15
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add extra guarding to revoke_by_audit_id methods  https://review.openstack.org/11514723:15
morganfainbergjamielennox, hmm?23:15
jamielennoxmorganfainberg: trying to reason something out, you were the only other person making noise in the channel23:16
morganfainbergjamielennox, i don't have a good answer.23:17
morganfainbergjamielennox, :(23:17
morganfainbergblech, brain is so deep in this token stuff at the moment...23:17
jamielennoxmorganfainberg: fair enough23:18
boris-42morganfainberg hi23:18
*** jorge_munoz has joined #openstack-keystone23:19
openstackgerritMorgan Fainberg proposed a change to openstack/identity-api: Add information about audit_id in token docs  https://review.openstack.org/11459023:22
morganfainbergboris-42, hi, warning i'm pretty focused on something that is taking a lot of concentration to keep track of23:22
morganfainbergboris-42, so, may not be much help at the moment23:23
boris-42morganfainberg I just would like to point you guys23:23
boris-42morganfainberg that I finished work on integration of OSProfiler in keystone23:23
boris-42morganfainberg and it works well23:23
boris-42morganfainberg here is nova/glance/keystone enabled http://boris-42.github.io/ngk.html (sample of trace)23:23
*** bknudson has joined #openstack-keystone23:32
*** jorge_munoz has quit IRC23:35
dstanekboris-42: neat23:48
boris-42dstanek hi there23:48
boris-42dstanek yep now there is simple interface to do this23:48
boris-42dstanek --profile in any python client, and then osprofiler trace show --html <TRACE_ID>23:48
boris-42dstanek btw this will be available in rally performance jobs (with benchmarking together)23:48
dstanekboris-42: does that assume that profiling is enabled on the server side all the time?23:49
boris-42dstanek yep23:49
boris-42dstanek I designed it for that23:49
boris-42dstanek that's why we have HMAC_KEY23:49
boris-42dstanek by default osprofiler middleware does nothing23:50
dstanekboris-42: what's the HMAC_KEY used for?23:50
boris-42dstanek it's secret key, that user should know to trigger profiler23:50
boris-42dstanek it's specified in api-paste.ini (so only admin knows it)23:50
dstanekboris-42: ah, i see23:50
boris-42dstanek code from osprofiler https://github.com/stackforge/osprofiler/blob/master/osprofiler/web.py#L101-L10323:51
boris-42dstanek so we sign the trace header with the HMAC key23:51
dstanekboris-42: do you still have an open keystone review? i don't remember seeing it when i was looking through my list of todos23:51
boris-42dstanek heh..23:51
boris-42dstanek https://review.openstack.org/#/c/103368/23:51
boris-42https://review.openstack.org/#/c/114856/23:52
dstanekboris-42: great, thanks23:52
boris-42dstanek btw one patch is already merged23:52
boris-42dstanek https://review.openstack.org/#/c/103367/23:52
boris-42dstanek but cinder guys asked this neat --profile argument in CLI23:52
boris-42dstanek and I thought yaaa that is nice=)23:53
boris-42dstanek so it took some time to get it done23:53
*** gokrokve has quit IRC23:57
*** david-lyle has quit IRC23:59
