Wednesday, 2014-09-03

*** bklei has joined #openstack-keystone00:02
*** nkinder has joined #openstack-keystone00:03
*** bklei has quit IRC00:05
*** gokrokve has joined #openstack-keystone00:12
bobtmorganfainberg: thanks (plus thanks to stevemar, gyee, henry-nash, bknudson, dstanek, and fabio) for the reviews.00:17
*** bklei has joined #openstack-keystone00:18
bobtand wu!00:18
*** bklei has quit IRC00:27
*** bklei has joined #openstack-keystone00:28
*** bklei_ has joined #openstack-keystone00:31
*** bklei has quit IRC00:32
*** gokrokve_ has joined #openstack-keystone00:33
*** gokrokve has quit IRC00:34
*** sigmavirus24_awa is now known as sigmavirus2400:39
*** gokrokve_ has quit IRC00:51
*** r-daneel has quit IRC01:00
dstanekbobt: thanks for the code01:00
*** amerine has quit IRC01:00
openstackgerritguang-yee proposed a change to openstack/keystone: Use id attribute map for read-only LDAP  https://review.openstack.org/11765801:03
*** gyee has quit IRC01:04
*** lnxnut has joined #openstack-keystone01:06
*** dims has joined #openstack-keystone01:11
*** lnxnut has quit IRC01:16
*** gokrokve has joined #openstack-keystone01:17
*** bknudson has joined #openstack-keystone01:18
*** dims has quit IRC01:23
*** rkofman has quit IRC01:23
*** dims has joined #openstack-keystone01:23
*** marcoemorais has quit IRC01:23
*** marcoemorais has joined #openstack-keystone01:24
*** crinkle has left #openstack-keystone01:25
*** dims_ has joined #openstack-keystone01:26
*** ayoung_ has joined #openstack-keystone01:26
*** dims has quit IRC01:28
*** rushiagr_away is now known as rushiagr01:29
*** bobt has quit IRC01:31
*** cjellick has quit IRC01:32
*** cjellick has joined #openstack-keystone01:33
*** marcoemorais has quit IRC01:36
*** cjellick has quit IRC01:37
*** richm has quit IRC01:39
*** rushiagr is now known as rushiagr_away01:45
*** stevemar has joined #openstack-keystone01:46
*** diegows has quit IRC01:49
*** dims_ has quit IRC02:03
*** dims has joined #openstack-keystone02:03
*** alex_xu has joined #openstack-keystone02:06
*** rushiagr_away is now known as rushiagr02:08
*** dims has quit IRC02:08
*** dims has joined #openstack-keystone02:13
*** gokrokve_ has joined #openstack-keystone02:14
ayoung_jamielennox, so,  what is the right approach to enumerating projects for a user with an unscoped token?  We don't have a service catalog.02:14
ayoung_https://review.openstack.org/#/c/106838/02:15
*** gokrokve_ has quit IRC02:16
*** gokrokve has quit IRC02:18
*** stevemar has quit IRC02:18
jamielennoxayoung_: something like https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/tenants.py#L122-L12702:19
*** stevemar has joined #openstack-keystone02:19
ayoung_jamielennox, I thought that was what I was doing02:20
*** gokrokve has joined #openstack-keystone02:21
jamielennoxayoung_: so i'm still just looking at what you're actually doing in the projects bit02:21
jamielennoxbut this: https://review.openstack.org/#/c/106838/9/keystoneclient/v3/client.py is what i really don't want02:21
ayoung_I also don't know why it fails02:21
jamielennoxi'm trying to figure out why you can't call super on that list - why you had to do all that query handling02:22
ayoung_jamielennox ok,  I can move that logic into the DOA code, but I need to know if the user would be authenticated separate from the Project list call failing due to insufficient permissions02:23
ayoung_I guess it could be done all at once, but I need the unscoped token and then the scoped token02:23
*** ayoung_ is now known as ayoung02:23
*** gokrokve has quit IRC02:25
jamielennoxayoung: oh, ok so that is so that the auth happens, you can get a user_id, and then you get the url based on that user id02:27
ayoungyep02:27
*** amerine has joined #openstack-keystone02:27
jamielennoxtoo early this morning .... struggling02:27
ayoungbecause, as you know, we have no way of asking keystone "who am I anyway"02:27
jamielennoxyou need .....02:28
morganfainberghey keystone whoami?02:28
morganfainbergkeystone: 40102:28
jamielennoxhttps://review.openstack.org/#/c/97681/29/keystoneclient/httpclient.py02:28
jamielennoxthen you can just do self.api.user_id02:29
jamielennoxbut user is being passed. where does that normally come from?02:30
jamielennoxoh, horizon expects to call client.auth_ref.user_id i bet02:31
jamielennoxthis will be better in Juno because of /auth/projects02:32
*** amerine has quit IRC02:32
ayoungjamielennox, yeah that "Best effort to retrieve the user_id from the plugin." sounds about right02:32
jamielennoxayoung: i think i may have no choice but to give plugins a get_user_id and get_project_id method02:32
ayoungjamielennox, the first, maybe,  but project_id...02:33
ayoungnot so certain02:33
jamielennoxah - the wisdom of cinder, nova v1 and all the other APIs that put /{project_id}/ in the url02:34
ayoungshudder02:37
*** amcrn has quit IRC02:38
jamielennoxyea, i'm killing things off but some remain - so user_id and project_id might be needed, i'll do them as separate reviews anyway02:38
jamielennoxit's better than 'best guess'02:39
*** david-lyle has joined #openstack-keystone02:39
ayoungjamielennox, cool.  let me know when I can review and try them with mine02:41
jamielennoxso you can rebase onto that adapter one02:41
jamielennoxthe chain that that review is a part of is the ones i need in02:41
ayoungmorganfainberg, http://adam.younglogic.com/2014/09/three-types-of-keystone-users/  thought you might like that.02:41
jamielennoxand the first few are fairly easy02:41
*** alex_xu has quit IRC02:45
*** sigmavirus24 is now known as sigmavirus24_awa02:46
*** alex_xu has joined #openstack-keystone02:50
*** harlowja is now known as harlowja_away02:52
*** bklei_ has quit IRC02:54
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow fetching user_id from an auth plugin  https://review.openstack.org/11852002:55
jamielennoxayoung: ^02:55
ayoungjamielennox, thanks02:55
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add V3 JSON Home support to GET /  https://review.openstack.org/11824002:55
ayoungjamielennox, I'll still need a deliberate process_token with that, right?02:55
bknudsonthis might make you throw up a little ^02:56
jamielennoxayoung: no02:56
*** dims has quit IRC02:56
ayoungjamielennox, ah02:56
ayoung because when I call it and there is no token, it will get one02:56
*** dims has joined #openstack-keystone02:57
jamielennoxayoung: i'll need to rebase my existing queue around that a little but it will become a part of the adapter02:57
ayoungcool.  I'll rebase and test.  Probably have more for you tomorrow.02:57
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add V3 JSON Home support to GET /  https://review.openstack.org/11824002:58
jamielennoxayoung, bknudson, morganfainberg: have a look at the first 2 or 3 of this series https://review.openstack.org/#/c/117399/2 all < 100 lines of change and easy to comprehend02:59
jamielennoxsigh and i'll have a look at json home02:59
ayoungjamielennox, "always"  seems wrong03:00
ayoungI don't know if I need to use the auth url until I get the unscoped token03:00
*** rushiagr is now known as rushiagr_away03:00
ayoungjamielennox, or is it just "fall back"  if no service catalog?03:00
jamielennoxalways?03:00
jamielennoxwhat am i looking at?03:01
ayounghttps://review.openstack.org/#/c/117399/2/keystoneclient/adapter.py,cm03:01
*** KanagarajM has joined #openstack-keystone03:01
ayoungAlways use this endpoint URL for requests03:01
jamielennoxayoung: no it's an override03:01
*** dims has quit IRC03:01
jamielennoxso use this in preference of whatever is in the catalog03:01
ayounghmmmm03:02
jamielennoxlike how keystoneclient lets you set management_url, or nova has --bypass-url03:02
jamielennoxall sorts of nasty things like that03:02
ayoungso this is not for my use case?03:02
jamielennoxit came up with bknudson the other day as well where neutronclient in nova is configured to use a particular URL not the catalog03:02
jamielennoxayoung: no, not your usecase03:03
ayoungK03:03
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove extra V3 version router  https://review.openstack.org/11852203:11
jamielennoxbknudson: ugh, is it really necessary to store latest_app?03:21
*** amerine has joined #openstack-keystone03:28
*** alex_xu has quit IRC03:32
*** amerine has quit IRC03:33
*** alex_xu has joined #openstack-keystone03:41
*** radez is now known as radez_g0n303:46
*** rkofman has joined #openstack-keystone04:01
*** rushiagr_away is now known as rushiagr04:07
*** ajayaa has joined #openstack-keystone04:24
*** ukalifon has quit IRC04:31
*** KanagarajM has quit IRC04:34
*** ajayaa has quit IRC04:59
*** jaosorior has joined #openstack-keystone05:01
*** yasukun has joined #openstack-keystone05:12
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add docs for enabling endpoint policy  https://review.openstack.org/11853005:12
*** chandankumar has joined #openstack-keystone05:13
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make tests run against original client and session  https://review.openstack.org/11708905:14
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Add auth manager  https://review.openstack.org/11853105:14
*** ajayaa has joined #openstack-keystone05:19
*** amirosh has joined #openstack-keystone05:19
ajayaajamielennox, Hi.05:24
ajayaaWhen a token is cached and then it is revoked, is it still usable?05:25
ajayaa*cached by keystonemiddleware05:25
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the federation configuration docs for saml2  https://review.openstack.org/11853205:31
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update paste pipelines in configuration docs  https://review.openstack.org/11853305:38
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update paste pipelines in configuration docs  https://review.openstack.org/11853305:49
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the revocation configuration docs  https://review.openstack.org/11853605:51
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Remove expected dates for new features  https://review.openstack.org/11853705:55
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/11192006:05
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the docs that list sections in keystone.conf  https://review.openstack.org/11855006:09
*** jimhoagland has joined #openstack-keystone06:15
*** stevemar has quit IRC06:16
*** k4n0 has joined #openstack-keystone06:18
*** afazekas has joined #openstack-keystone06:18
*** david-lyle has quit IRC06:19
*** ukalifon1 has joined #openstack-keystone06:23
*** ncoghlan has joined #openstack-keystone06:24
jamielennoxajayaa: it can be yes06:34
jamielennoxthere is a setting to prevent that - which for some reason i forget is turned off by default06:34
*** rkofman has left #openstack-keystone06:35
ajayaajamielennox, how does revocation list of tokens work? Each time you try to verify a token, does the middleware fetch the revocation list?06:36
ekarlsojamielennox: has the session stuff stabilized yet ?06:37
jamielennoxajayaa: it fetches it after some timeout - i think it's 30 sec by default06:39
jamielennoxand then it should compare every request06:39
jamielennoxcheck_revocations_for_cached should be set to true06:40
jamielennoxekarlso: yes, it's still being driven in a number of ways but it's usable06:40
ekarlsojamielennox: what does that mean ? ;P06:40
jamielennoxekarlso: i'm still doing a lot with it, but it's usable as is and everything that uses it will get the new stuff as it becomes available06:41
ekarlsojamielennox: what new stuff ? :)06:41
jamielennoxum, serializing auth plugins, theres some new plugins, some better work on adapters...06:43
jamielennoxnone of this would prevent you using it06:43
ajayaajamielennox, If you use that option, does it not defeat the whole purpose of caching?06:43
*** ncoghlan is now known as ncoghlan_afk06:44
jamielennoxajayaa: it's disabled by default :( - i would argue yes, there was a political reason not to switch it that i don't understand06:44
ajayaajamielennox, unless the backend calls are optimized for checking revocation request. That's still an http call over network.06:44
ajayaajamielennox, okay.06:44
jamielennoxajayaa: not really, it will still cache the http response - it just wants to know about things that have expired after it has been cached06:45
ajayaajamielennox, How does complete ephemeral pki token and token revocation play out?06:46
jamielennoxephemeral pki?06:47
jamielennoxso pki is signing the token response and passing that around06:47
jamielennoxauth_token then verifies the signature and trusts the response rather than fetch from the server06:48
jamielennoxit still needs to look at revocations06:48
ajayaasorry non-persistent*06:48
*** wanghong has quit IRC06:48
jamielennoxit means it doesn't need to do the http request06:48
*** wanghong has joined #openstack-keystone06:49
*** chandankumar has quit IRC07:07
*** chandan_kumar has joined #openstack-keystone07:13
*** lsmola has quit IRC07:16
*** chandan_kumar has quit IRC07:33
*** alex_xu has quit IRC07:45
*** chandan_kumar has joined #openstack-keystone07:47
ekarlsojamielennox: how would you say the best way is to determine v2 / v3 auth in https://github.com/openstack/python-designateclient/blob/master/designateclient/v1/__init__.py#L26-L70 ?07:51
ekarlsoI want to port that to use sessions instead of what we have now07:51
*** ncoghlan_afk is now known as ncoghlan07:52
jamielennoxekarlso: you need to maintain consistency with the existing arguments?07:55
ekarlsojamielennox: yeah, I don't wanna break stuff for people using just the bindings ;)07:55
ekarlsofor v1 anyways07:55
jamielennoxcause ideally you don't test the difference at all you just accept the auth plugin07:55
ekarlso?07:55
*** alex_xu has joined #openstack-keystone07:56
ekarlsojamielennox: not following that one07:57
jamielennoxso ideally a client would never deal with figuring out the auth type at all, you just accept the plugin as an argument07:58
ekarlsoyeah07:58
ekarlsobut if I change that, that's breaking the existing API07:58
ekarlsowhich kinda sucks :)07:59
jamielennoxyep07:59
ekarlsoand will def get a -1 on first attempt :P07:59
ekarlsois there a "good way" to figure it out ?07:59
ekarlsofor v2 client we're dropping anything but session + auth as arguments anyways07:59
jamielennoxok so you want to look at keystoneclient.adapter.Adapter07:59
*** bvandenh has joined #openstack-keystone08:00
jamielennoxyou should take and pass the __init__(**kwargs) to it08:00
ekarlsowhat's that for ?08:00
jamielennoxmakes the arguments that are passed to a client the same for all clients08:01
jamielennoxmakes handling of sessions the same08:01
jamielennoxit's the httpclient object that other clients have08:01
jamielennoxi don't see if you guys have one of those08:01
ekarlsoso it's a wrapper around a session kinda08:02
ekarlso?08:02
jamielennoxsession is global08:02
jamielennoxyou can pass it to as many clients as you have08:03
jamielennoxadapter is local, you make one for every client that you have using the session08:03
ekarlsoI guess what I was wanting to do08:03
ekarlsois to create the auth / session if there's none provided08:04
jamielennoxyea, ideally you want https://review.openstack.org/#/c/81147/08:05
jamielennoxobviously it's not merged yet :p08:05
ekarlsooooooooooooh08:05
ekarlsoNICE!08:05
ekarlso:D08:05
* ekarlso gives jamielennox a vHug08:05
ekarlsowill that make it for juno ?08:06
jamielennoxumm, not sure08:06
jamielennoxclients don't really work like that we release when it's ready08:06
ekarlso?ah08:06
ekarlsowould be nice to see that in soon08:06
ekarlsoI want to use session stuff badly for designate08:07
jamielennoxyea, i want to see it used for everything08:07
ekarlsoand btw, I really think your work with this is absolutely awesome08:07
*** lsmola has joined #openstack-keystone08:07
jamielennoxekarlso: thanks very much - it's taken a while, but it's starting to be really useful08:07
ekarlsoI've been using many of the python-<name>client lately on something in HP and it's scary to see how many different patterns there are to constructing the clients08:08
ekarlsonor that the clients have parity when it comes to what keystone version they support :'(08:08
jamielennoxyea, i've spent a lot of time working with them - they're a mess08:08
*** jimhoagland has quit IRC08:08
ekarlsoideally bindings would just use your stuff from keystone and kick out all the other stuff08:08
jamielennoxand various levels of code control08:08
ekarlsoat least that's what I'm hoping to do in designate08:09
jamielennoxi would love that - unfortunately backwards compatibility is a real issue08:09
jamielennoxmy hope is that if i can at least move everyone across and it becomes a pattern it gets much easier to convert everyone else08:09
ekarlsoyou know when that review is gonna be merged ?08:10
jamielennoxmy big problem at the moment is that there is no 'clean' implementation of what a client should look like cause they all have hacks for their own weird stuff08:10
jamielennoxekarlso: not really, i've been pushing other reviews recently08:10
ekarlsowould be cool if you could get that one at least in ;P08:11
jamielennoxthat one doesn't look like its seen action in two weeks08:11
jamielennoxyea, i want that one08:11
jamielennoxok - i'll push that one08:11
ekarlsocause then I can do sessions in designateclient : )08:11
ekarlsoboth for v1 and v208:11
jamielennoxso for the existing code it's not too hard to tell the difference08:11
jamielennoxessentially if you do session.get_endpoint(auth, endpoint_filter={'service_type': 'identity', 'interface': 'public', 'version': 2})08:12
jamielennoxif that returns a URL then that is the keystone v2 url08:13
jamielennoxswitch 2 for 3 to test for version 3 support08:13
jamielennoxthen it's just a matter of doing keystone.auth.identity.[v2|v3].[Password|Token] depending on the provided parameters08:14
jamielennoxah scrap that, actually you need to use keystoneclient.discover.Discovery() and do url_for there because get_endpoint relies on having a catalog already08:15
ekarlsois discovery just for keystone though ?08:15
jamielennoxno08:16
jamielennoxif your root GET / returns the same format as either nova/keystone/cinder it will work08:17
*** zeridon has joined #openstack-keystone08:17
jamielennoxthey're the ones i think we test against anyway08:17
*** BAKfr has joined #openstack-keystone08:21
zeridonmorning guys08:21
zeridonIs it possible to use keystone just as identity/authorization provider for a service not related to openstack at all08:21
zeridone.g. are there specific assumptions that there is an openstack installation available08:22
jamielennoxzeridon: you could... and there are definitely things we do that are for openstack08:24
jamielennoxzeridon: do you have a keystone already and you want to integrate with it or you want to use a new keystone for something completely different08:25
*** oomichi has quit IRC08:25
zeridonjamielennox, no keystone available, starting from scratch to try and implement api style (token/header/etc) authn/authz infrastructure08:26
jamielennoxzeridon: so there's nothing that would prevent you from using it. on the other hand there are a lot of assumptions that are for openstack08:26
jamielennoxif you're looking for a generic auth system there are others available08:26
zeridonok thanks, can you point me to something considered stable that has the tenant/user paradigm08:28
jamielennoxum, depends on scale, user base etc08:29
*** chandan_kumar has quit IRC08:29
zeridonsmall scale ... ~500 - 1000 tenants, 1 - 5 users per tenant08:29
jamielennoxfreeipa or anything ldap based can handle that stuff easily08:30
zeridonthanks08:31
zeridonyou have a beer if i bump into you someday :)08:31
jamielennoxnp08:31
*** andreaf has joined #openstack-keystone08:53
*** alex_xu has quit IRC09:08
*** aix has joined #openstack-keystone09:13
*** amerine has joined #openstack-keystone09:20
*** amerine has quit IRC09:24
*** ncoghlan is now known as ncoghlan_afk09:56
*** ajayaa has quit IRC10:00
*** topol has joined #openstack-keystone10:08
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation  https://review.openstack.org/11859010:10
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation  https://review.openstack.org/11859010:12
openstackgerrithenry-nash proposed a change to openstack/keystone: Add docs for enabling endpoint policy  https://review.openstack.org/11853010:15
*** Xeye is now known as amakarov10:18
*** amakarov is now known as xeye10:19
*** xeye is now known as x-eye10:19
x-eyeGreetings!10:19
x-eyeI ran into a strange thing with LDAP models in backend:10:20
*** amerine has joined #openstack-keystone10:20
x-eyeif I try to validate LDAP search results against required model fields many tests fail10:22
x-eyeseems current code depends on such ORM behaviour: incomplete models are freely stored in LDAP10:23
x-eyethere are even tests that rely on it10:24
x-eyeI uploaded a patch with validation issuing warnings instead of raising errors10:25
*** ncoghlan_afk is now known as ncoghlan10:25
*** amerine has quit IRC10:25
x-eyehttps://review.openstack.org/#/c/118590/10:25
x-eyeSomebody please explain: are required model fields really required or what is the purpose of it otherwise?10:28
openstackgerritA change was merged to openstack/keystone: Remove TODO that was done  https://review.openstack.org/11820410:34
*** ncoghlan is now known as ncoghlan_afk10:35
*** htruta has quit IRC10:43
*** ajayaa has joined #openstack-keystone10:43
*** bvandenh has quit IRC10:44
*** bvandenh has joined #openstack-keystone10:45
*** Ephur has quit IRC11:03
*** jraim_ has quit IRC11:03
*** sbasam has quit IRC11:03
*** sbasam has joined #openstack-keystone11:03
*** comstud has quit IRC11:03
*** miqui has quit IRC11:05
*** jraim__ has joined #openstack-keystone11:06
*** dims has joined #openstack-keystone11:06
ekarlsojamielennox: you around still ?11:06
*** sigmavirus24_awa has quit IRC11:06
*** dolphm has quit IRC11:06
jamielennoxekarlso: sort of11:07
ekarlsojamielennox: https://review.openstack.org/#/c/81147/19/keystoneclient/auth/identity/generic/token.py for example is that an authmethod or plugin ?11:07
ekarlsoaka does it go in the session.auth or not11:07
*** Ephur has joined #openstack-keystone11:08
jamielennoxit's a plugin11:08
ekarlsoso session.auth = generic.Password() f ex ?11:08
jamielennoxyep11:08
*** comstud has joined #openstack-keystone11:08
*** dolphm has joined #openstack-keystone11:11
*** dims has quit IRC11:12
*** sigmavirus24_awa has joined #openstack-keystone11:12
*** jdennis1 has joined #openstack-keystone11:12
*** jdennis has quit IRC11:13
*** dims has joined #openstack-keystone11:13
*** dims_ has joined #openstack-keystone11:14
*** jdennis has joined #openstack-keystone11:14
ekarlsohmmm jamielennox I'm getting a recursion error : |11:15
jamielennoxreally... i have tested it but i don't think it's had much practical use11:15
jamielennoxwhat do you get?11:15
ekarlsohttp://paste.ubuntu.com/8222761/ but wondering if it's due to that it's hitting designate api or keystone11:16
*** jdennis1 has quit IRC11:17
*** dims has quit IRC11:17
jamielennoxekarlso: damn - auth/identity/generic/base.py:12411:20
jamielennoxget_discovery()11:20
ekarlso:'(11:20
ekarlsocare for a quick fix ? ;)11:20
jamielennoxadd authenticated=False to the end of that call11:21
*** amerine has joined #openstack-keystone11:22
*** amerine has quit IRC11:26
ekarlsoq though jamielennox, will it attempt a new discovery each time it does an api call ?11:26
ekarlsoor is that cached somehow11:26
jamielennoxcached on the session and on the auth plugin11:27
jamielennoxso if you share either of them it will stay cached11:27
ekarlsoi mean discovery for the service not keystone11:27
jamielennoxsame11:27
ekarlsooh o k11:27
*** dims_ has quit IRC11:29
*** dims has joined #openstack-keystone11:29
jamielennoxekarlso: did authenticated=False fix it? i'll update the review11:30
ekarlsojamielennox: ya11:33
*** dims has quit IRC11:34
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins  https://review.openstack.org/8114711:34
ekarlsojamielennox: how does that fare though if the keystone (hp public cloud) for example doesn't support discovery ? ;P11:35
jamielennoxekarlso: seriously?11:35
ekarlsojamielennox: ? ;)11:36
jamielennoxhp public cloud doesn't do discovery?11:36
ekarlsodon't think so11:36
jamielennoxso it will fallback to looking for a /v2 or /v3 in the URL so i expect that would still be ok11:36
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation  https://review.openstack.org/11859011:36
ekarlsok11:36
jamielennoxafter that it will fail11:37
ekarlsoi'll test it later towards our public cloud : )11:37
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation  https://review.openstack.org/11859011:37
*** dims has joined #openstack-keystone11:37
*** zeridon has quit IRC11:49
*** dims has quit IRC11:50
*** diegows has joined #openstack-keystone11:50
*** dims has joined #openstack-keystone11:50
jamielennoxalright, im out11:50
*** dims_ has joined #openstack-keystone11:51
*** dims has quit IRC11:54
*** topol has quit IRC11:55
*** KanagarajM has joined #openstack-keystone12:00
*** lsmola has quit IRC12:01
*** HenryG is now known as HenryG_afk12:04
*** lsmola has joined #openstack-keystone12:10
*** amerine has joined #openstack-keystone12:22
*** amerine has quit IRC12:27
*** dims_ has quit IRC12:29
*** dims has joined #openstack-keystone12:30
*** dims_ has joined #openstack-keystone12:32
*** dims has quit IRC12:34
*** KanagarajM has quit IRC12:38
*** yasukun has quit IRC12:38
*** dims_ has quit IRC12:45
*** dims has joined #openstack-keystone12:46
openstackgerritPeter Razumovsky proposed a change to openstack/keystone: Refactor LDAP backend using context manager for connection  https://review.openstack.org/11813812:47
*** aix has quit IRC12:58
*** aix has joined #openstack-keystone13:01
*** richm has joined #openstack-keystone13:02
*** bklei has joined #openstack-keystone13:06
*** vhoward has joined #openstack-keystone13:07
*** henrynash has quit IRC13:08
*** nkinder has quit IRC13:11
ayoungdstanek, https://review.openstack.org/#/c/118383/2  looks right to me.  But it got me to realize that we are broken when it comes to the client.  We really need to run the client against a live Keystone server for unit testing.  We really should be building keystoneclient, keystonemiddleware and keystone server out of the same repository and just packaging them separately.13:18
*** henrynash has joined #openstack-keystone13:18
*** joesavak has joined #openstack-keystone13:20
*** gordc has joined #openstack-keystone13:21
dstanekayoung: we do right? in unit tests to some extent and tempest. looks like our coverage is great13:22
*** radez_g0n3 is now known as radez13:22
ayoungdstanek, not from the client side13:22
ayoungdstanek, client side unit tests are not against a live server13:23
*** zzzeek has joined #openstack-keystone13:23
dstanekthey go against an in memory server which should be good enough13:23
ayoungdstanek, no13:23
ayoungthat was the old testing in the server code13:23
ayoungclient goes against  fixtures only13:23
dstanekthose fixtures that up servers that listen on real ports13:24
ayoungtempest is better, but having the tests in someone else's repository means they cannot be modified with the code. In the case of "region"  vs "region_id" it means we don't test what the server really responds to13:24
*** rodrigods has joined #openstack-keystone13:25
ayoungdstanek, nah, it's all httpretty style responses13:25
dstanekso it sounds like the change wasn't backward compatible13:25
dstanekayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_keystoneclient.py13:25
ayoungdstanek, that is in the keystone server tree, not in client13:25
dstanekayoung: i know - that's where we test for compatibility which should have caught this13:26
*** bknudson has quit IRC13:26
ayoungdstanek, sure.  But look at the state right now.  There is no way to add a test.  If we added a test to server, that test would fail13:27
ayoungso we fix things in the client, but then there is no live server test13:27
ayoungfinally we can add the test to server13:27
ayoungbut there is no way Gerrit can track that for us, because things are in separate repos13:27
dstanekayoung: i think the client fix isn't the right fix to make13:28
ayoung?13:28
dstanekthe API should have been backward compatible and that needs to be fixed13:28
ayoungshould be fixed on server side?13:28
dstaneki'm looking for what went wrong now13:28
ayoungcool13:28
dstanekabsolutely13:28
*** ukalifon1 has quit IRC13:29
dstanekthe guidelines say that we are not supposed to remove stuff13:29
*** topol has joined #openstack-keystone13:33
*** jasondotstar has joined #openstack-keystone13:39
*** bknudson has joined #openstack-keystone13:44
*** r-daneel has joined #openstack-keystone13:47
dstaneki need to spend some time this weekend making these tests faster/better/stronger13:48
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add V3 JSON Home support to GET /  https://review.openstack.org/11824013:51
*** dhellmann has quit IRC13:57
*** dhellmann has joined #openstack-keystone13:58
*** nkinder has joined #openstack-keystone13:58
*** jdennis has quit IRC13:59
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes formatting error in debug log statement  https://review.openstack.org/11864014:03
*** rm_work is now known as rm_work|away14:03
openstackgerritA change was merged to openstack/keystone: Fix follow up review issues with endpoint policy backend patch.  https://review.openstack.org/11807214:08
*** jdennis has joined #openstack-keystone14:09
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Notify a consumer that all dependenices injected  https://review.openstack.org/11752314:11
*** saipandi has joined #openstack-keystone14:12
*** sigmavirus24_awa is now known as sigmavirus2414:13
*** sigmavirus24 has joined #openstack-keystone14:13
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation  https://review.openstack.org/11859014:14
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation  https://review.openstack.org/11859014:15
*** bklei has quit IRC14:15
*** bklei has joined #openstack-keystone14:16
*** ukalifon1 has joined #openstack-keystone14:18
*** ajayaa has quit IRC14:19
*** htruta has joined #openstack-keystone14:19
*** htruta has quit IRC14:19
*** htruta has joined #openstack-keystone14:20
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Fix return from list role assignments on KVS  https://review.openstack.org/11848214:21
*** amerine has joined #openstack-keystone14:24
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the federation configuration docs for saml2  https://review.openstack.org/11853214:27
*** rushiagr is now known as rushiagr_away14:28
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update paste pipelines in configuration docs  https://review.openstack.org/11853314:28
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the revocation configuration docs  https://review.openstack.org/11853614:28
*** andreaf has quit IRC14:28
*** amerine has quit IRC14:28
*** BAKfr has quit IRC14:31
*** ChanServ sets mode: +o dolphm14:33
*** HenryG_afk is now known as HenryG14:36
*** david-lyle has joined #openstack-keystone14:36
*** stevemar has joined #openstack-keystone14:36
*** bdossant has joined #openstack-keystone14:38
bdossanthi! Can anyone tell me if it is possible to list the users of a domain using the openstackclient?14:39
bdossantI always get this error: ERROR: cliff.app The request you have made requires authentication.14:39
bdossantI can create users but not list or delete them14:39
bdossantkeystone says: Invalid token found while getting domain ID for list request14:41
x-eyeHi! Look into keystone.conf: [ldap]user_allow_delete and so on14:43
x-eyeJust a suggestion14:43
*** BAKfr has joined #openstack-keystone14:44
*** ukalifon1 has quit IRC14:46
bdossantx-eye: i'm using different domains, i can list the users from ldap14:46
*** dolphm changes topic to "Dearest keystone-core, please avoid sending non-juno3-critical patches to the gate until next week. <3 -dolphm"14:53
dolphmayoung, bknudson, dstanek, jamielennox, morganfainberg, stevemar, gyee, henrynash, lbragstad: ^14:53
bknudsonwhat are juno3-critical patches?14:54
dolphmbknudson: ones fulfilling blueprints14:54
dolphmbknudson: or wishlist bugs14:54
dolphmbknudson: if it can wait to land it until rc1, we should. the gate is waaay overloaded14:55
bknudsonbtw, I posted https://review.openstack.org/#/c/118240/ to provide V3 JSON Home from /14:55
bknudsonit's ugly but seems to work14:55
lbragstadaren't we close to 20 hours on the gate?14:56
stevemarlbragstad, yeah, something silly like that14:56
dolphmgate load http://graphite.openstack.org/render/?from=-135days&width=1920&height=160&margin=0&hideLegend=true&hideAxes=false&hideGrid=true&target=color(stats.gauges.zuul.pipeline.gate.current_changes,%20%27000000%27)&bgcolor=ffffff14:57
stevemarso only approve things that really need to be in within the next 24 hrs14:59
stevemargotcha14:59
*** rushiagr_away is now known as rushiagr14:59
bknudsoneverything on https://review.openstack.org/#/q/starredby:dolph+is:open,n,z is approved14:59
*** ajayaa has joined #openstack-keystone15:03
*** gokrokve has joined #openstack-keystone15:16
*** amerine has joined #openstack-keystone15:25
*** cjellick has joined #openstack-keystone15:29
*** aix has quit IRC15:29
*** amerine has quit IRC15:29
dstanekdolphm: ping15:30
dolphmdstanek: o/15:30
dolphmbknudson: the head saml2 one failed gate this morning though :(15:31
dstanekdolphm: i'm working on a bug with the new endpoint->region reference15:31
dstanekdolphm: fixed it, but have a question about the original impl15:31
bknudsonthis is why you never split up changes.15:31
dstanekdolphm: why did we add the region creation logic to the controller instead of the backend? https://review.openstack.org/#/c/113183/27/keystone/catalog/controllers.py15:31
dolphmdstanek: the only reason i can think of is that it applies equally to all backends. manager probably would have been a better choice with that reasoning15:33
dstanekdolphm: that's what i thought too. i'm going to put up a patch for that, but it's very, very non-critical15:33
dolphmdstanek: cool15:34
dstanekdolphm: the bug fix is critical because it seems to be breaking lots o'stuff15:34
dolphmdstanek: is it in LP?15:34
dstanekdolphm: https://bugs.launchpad.net/keystone/+bug/1364463?comments=all15:34
uvirtbotLaunchpad bug 1364463 in keystone "Incorrect key in endpoint dictionary" [Undecided,New]15:34
dstanekthey posted a client fix, but that's not the right thing to do15:34
*** hrybacki has joined #openstack-keystone15:35
*** gokrokve has quit IRC15:37
dstanekdolphm: it was a simple change, just fixing up the tests now15:37
dolphmdstanek: is the fix to ensure that both appear in the response?15:38
dstanekdolphm: yes15:38
*** gokrokve has joined #openstack-keystone15:39
dstanekthe original review removed region from the response15:39
*** andreaf has joined #openstack-keystone15:39
*** andreaf_ has joined #openstack-keystone15:42
dolphmdstanek: crap. is that what caused this? http://logs.openstack.org/88/110488/2/gate/gate-tempest-dsvm-full/3cb4c30/console.html15:43
*** mflobo has quit IRC15:43
*** amirosh has quit IRC15:43
dstanekdolphm: i believe so15:43
dolphmdstanek: we need to get your fix prioritized in the gate then15:43
*** amirosh has joined #openstack-keystone15:44
*** andreaf has quit IRC15:45
*** aix has joined #openstack-keystone15:48
*** amirosh has quit IRC15:48
x-eyeBug https://bugs.launchpad.net/keystone/+bug/1274715 seems to be a feature :)15:51
uvirtbotLaunchpad bug 1274715 in keystone "LOG.debug not working in LDAP code" [Medium,Triaged]15:51
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds region back into the catalog endpoint  https://review.openstack.org/11866715:51
x-eyemfisch, can you please recall where LOG.debug didn't work?15:52
x-eyeI can't reproduce it15:53
*** bdossant has quit IRC15:54
*** bvandenh has quit IRC15:54
dolphmdstanek: elastic-recheck query is gating https://review.openstack.org/#/c/118668/15:57
*** jorge_munoz has joined #openstack-keystone15:58
dolphmdstanek: the bug in heat was reported before the offending code landed in keystone?!16:00
dstanekdolphm: i think https://review.openstack.org/118667 fixes the catalog16:00
dolphmdstanek: that looks correct, but we also need to return both 'region_id' and 'region' in all the /endpoints calls16:01
dstanekdolphm: at least for v3, i don't think the v2 catalog has the problem16:01
*** marcoemorais has joined #openstack-keystone16:03
dolphmdstanek: is heat tripping up on the catalog or endpoint crud?16:03
*** vish1 has joined #openstack-keystone16:04
dstanekdolphm: has to be catalog, because as far as i can tell the crud is fine16:04
dstanekdolphm: also their client fix is in the catalog16:04
*** mrutkows has joined #openstack-keystone16:05
*** sbasam_ has joined #openstack-keystone16:05
dstanekdolphm: this is their fix https://review.openstack.org/#/c/118383/216:05
dolphmdstanek: they should still land that16:06
*** diegows has quit IRC16:06
*** wwriverrat has joined #openstack-keystone16:06
dolphmdstanek: v2 catalog does look good to me16:07
*** afazekas has quit IRC16:07
*** ctracey_ has joined #openstack-keystone16:08
*** ctracey has quit IRC16:08
*** vishy has quit IRC16:08
*** vish1 is now known as vishy16:08
*** swartulv has quit IRC16:08
*** jasondotstar has quit IRC16:08
*** sbasam has quit IRC16:08
*** k4n0 has quit IRC16:08
*** jaosorior has quit IRC16:08
*** arunkant has quit IRC16:08
*** rushiagr has quit IRC16:08
*** nonameentername has quit IRC16:08
*** _nonameentername has joined #openstack-keystone16:08
*** ctracey_ is now known as ctracey16:08
*** Ugallu has joined #openstack-keystone16:08
*** arunkant has joined #openstack-keystone16:09
*** k4n0_ has joined #openstack-keystone16:09
dolphmdstanek: jamielennox: +2 on https://review.openstack.org/#/c/118383/16:09
*** rushiagr has joined #openstack-keystone16:10
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds region back into the catalog endpoint  https://review.openstack.org/11866716:10
*** amcrn has joined #openstack-keystone16:10
*** jaosorior has joined #openstack-keystone16:10
*** BAKfr has quit IRC16:11
*** swartulv has joined #openstack-keystone16:11
dolphmdstanek: did you look at making the same fix to kvs? cc- bknudson16:12
dstanekdolphm: i just commented on it16:12
dstanekdolphm: bknudson: i don't think it's an issue, but I'm testing it now16:12
dolphmdstanek: ack16:12
bknudsondstanek: ok, thanks16:12
dolphmdstanek: the kvs backend wouldn't have caused the gate bug, at least16:13
bknudsonjust seems strange that the backend should have to care16:13
bknudsonwould expect this to be handled in the controller16:13
dolphmbknudson: AGREE16:13
dolphmbknudson: but the catalog code is in a funky spot16:13
bknudsony, if we need this fix it can be redone to put it in the controller later16:14
dstanekbknudson: kvs and templated use this http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/core.py#n450 but sql implements its own16:14
bknudsondstanek: y, we needed to translate since there isn't really a v3 format for the templated backend.16:14
bknudsonso templated doesn't have region_id.16:15
dstanekbknudson: sql: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/backends/sql.py#n30616:15
*** amirosh has joined #openstack-keystone16:16
*** andreaf_ is now known as andreaf16:17
bknudsondstanek: and make_v3_endpoints creates the v3 catalog for the token?16:17
openstackgerritA change was merged to openstack/keystone: Mark the revoke kvs backend deprecated, for removal in Kilo  https://review.openstack.org/11806716:17
bknudsonoh, never mind, that's a function-scoped function16:18
*** gyee has joined #openstack-keystone16:20
*** amirosh has quit IRC16:21
*** amerine has joined #openstack-keystone16:22
*** rm_work|away is now known as rm_work16:22
openstackgerritDavid J Hu proposed a change to openstack/python-keystoneclient: Proper handling of catalog err cond w/os-token and os-endpoint  https://review.openstack.org/11868216:24
dstanekdoes the catalog kvs backend actually work? i don't think it can be used in practice at all16:30
morganfainbergdstanek, fairly certain it doesn't really work16:31
*** wwriverrat has left #openstack-keystone16:31
morganfainbergdstanek, tbh i didn't even realize we had a kvs catalog backend16:31
openstackgerritguang-yee proposed a change to openstack/keystone: Use id attribute map for read-only LDAP  https://review.openstack.org/11765816:32
dstanekmorganfainberg: i don't think it can either16:32
dstanekmorganfainberg: the only way to get a catalog is to have this private method called first - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/backends/kvs.py#n13916:32
dstanekand only tests do16:32
morganfainbergyeah.16:32
openstackgerritDolph Mathews proposed a change to openstack/keystone: warn against sorting requirements  https://review.openstack.org/11868316:32
bknudsonSet "KEYSTONE_CATALOG_BACKEND=Template" in localrc for devstack to run with it.16:32
morganfainbergthat isn't broken or anything :P16:33
morganfainbergbknudson, that uses the template not the KVS one, right?16:33
morganfainbergoh16:33
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: warn against sorting requirements  https://review.openstack.org/11868516:33
bknudsonthe template backend uses kvs.16:33
morganfainbergtemplated is a subclass of kvs16:33
morganfainbergi see16:34
bknudsonthat doesn't mean you can use kvs by itself... not sure how that would work.16:34
morganfainbergbknudson, the point is it doesn't.16:34
*** amirosh has joined #openstack-keystone16:36
dstaneki don't think templated needs to be a subclass of kvs because i think the only thing that actually works is get_catalog (the kvs inherited methods AFAICT don't work)16:37
dstaneki'm glad all of that crap is deprecated16:37
openstackgerritDolph Mathews proposed a change to openstack/keystonemiddleware: warn against sorting requirements  https://review.openstack.org/11868616:41
dolphmdstanek: they don't work, but they should. if all the templated driver did was populate the kvs backend, and inherit everything else from it... it'd be fine16:42
dstanekdolphm: it doesn't even populate kvs at all. it stores its data in a variable called templates and only uses that16:43
dolphmdstanek: yeah, i'm saying it *should* populate kvs16:44
morganfainbergdolphm, or use caching instead of kvs to store the data faster16:44
morganfainbergdolphm, (would be my choice)16:44
morganfainbergstore the data in a system that is faster to retrieve from16:44
morganfainbergthat is16:44
bknudsonhow is caching faster than kvs?16:45
morganfainbergbknudson, kvs and caching are faster than reading the templated files16:45
morganfainbergbknudson, wasn't implying kvs was faster than caching16:45
morganfainbergor didn't mean to16:45
morganfainbergor vice versa16:46
dstanekshouldn't matter because the file is only read once16:48
*** vhoward has left #openstack-keystone16:49
*** amirosh has quit IRC16:50
openstackgerritDolph Mathews proposed a change to openstack/keystone: warn against sorting requirements  https://review.openstack.org/11868316:50
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: warn against sorting requirements  https://review.openstack.org/11868516:51
openstackgerritDolph Mathews proposed a change to openstack/keystonemiddleware: warn against sorting requirements  https://review.openstack.org/11868616:51
morganfainbergdolphm, +2 on that16:51
dolphmmorganfainberg: thanks16:52
*** hrybacki has quit IRC16:54
*** hrybacki has joined #openstack-keystone16:55
*** rkofman1 has quit IRC16:57
*** rkofman1 has joined #openstack-keystone16:58
openstackgerritA change was merged to openstack/keystone: Implement validation on Trust V3 API  https://review.openstack.org/10406616:59
*** marcoemorais has quit IRC17:00
*** marcoemorais1 has joined #openstack-keystone17:02
*** amcrn_ has joined #openstack-keystone17:02
*** gokrokve_ has joined #openstack-keystone17:03
*** gokrokve has quit IRC17:05
*** marcoemorais1 has quit IRC17:06
*** amcrn has quit IRC17:06
*** marcoemorais2 has joined #openstack-keystone17:06
*** marcoemorais2 has quit IRC17:06
*** amcrn_ is now known as amcrn17:06
*** marcoemorais1 has joined #openstack-keystone17:07
*** ncoghlan_afk is now known as ncoghlan17:07
*** ajayaa has quit IRC17:09
*** ajayaa has joined #openstack-keystone17:12
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy  https://review.openstack.org/11135517:16
*** ncoghlan is now known as ncoghlan_afk17:17
*** bobt has joined #openstack-keystone17:18
*** harlowja_away is now known as harlowja17:20
bknudsonDo we need to get the latest translations in  ? https://review.openstack.org/#/c/111920/17:26
bknudsonwe tried once but then it keeps getting updated17:26
ayoungbknudson, I think that does not have to be a J3  commit17:31
*** bobt has quit IRC17:32
*** mrutkows has quit IRC17:32
*** ajayaa has quit IRC17:42
*** ajayaa has joined #openstack-keystone17:43
*** morganfainberg is now known as morganfainberg_Z17:53
stevemarwhoa the gate is finally at <100 patches17:55
stevemarendpoint grouping is gonna merge :O17:58
openstackgerritA change was merged to openstack/keystone: Implementation of Endpoint Grouping  https://review.openstack.org/11194917:58
stevemardstanek, your last comment abt copyrights18:00
*** aix has quit IRC18:00
dstanekstevemar: howdy18:00
stevemardstanek, i honestly don't know... i think it's similar enough to the others, but IIRC i made the others and it was just copy pasta18:01
stevemarlast i checked, i don't work for the foundation :(18:01
stevemarrm the line?18:01
dstanekthat's what i figured... dolphm ^?18:01
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add docs for enabling endpoint policy  https://review.openstack.org/11853018:05
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the federation configuration docs for saml2  https://review.openstack.org/11853218:05
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update paste pipelines in configuration docs  https://review.openstack.org/11853318:05
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the revocation configuration docs  https://review.openstack.org/11853618:05
*** radez is now known as radez_g0n318:06
stevemardstanek, i rm'ed it, it was unnecessary18:07
stevemari kinda want to make 'configuring extensions' a top level item on our dev docs landing page18:07
stevemarinstead of having it nestled under configuration18:07
*** marcoemorais1 has quit IRC18:08
dstanekstevemar: lgtm18:08
*** marcoemorais has joined #openstack-keystone18:09
ayoungmorganfainberg_Z, WAKEY WAKEY EGGS AND BACKEY18:18
dstanekayoung: based on the bug we were discussing this morning https://review.openstack.org/#/c/118667/18:19
ayoungdstanek, so we will have both values in the dictionary?18:20
dstanekyes, which is what we do for endpoint crud too18:20
*** radez_g0n3 is now known as radez18:21
ayoungdstanek, +2ed.18:21
*** diegows has joined #openstack-keystone18:22
dstanekayoung: thx18:25
*** marcoemorais has quit IRC18:28
dstanekwhat is legacy_endpoint_id? seems rather pointless18:28
*** marcoemorais has joined #openstack-keystone18:28
*** gokrokve has joined #openstack-keystone18:29
*** marcoemorais has quit IRC18:29
*** marcoemorais has joined #openstack-keystone18:29
*** bklei has quit IRC18:31
*** gokrokve_ has quit IRC18:31
*** gokrokve has quit IRC18:33
*** rushiagr is now known as rushiagr_away18:33
dolphmstevemar: dstanek: the foundation's recommendation was to leave foundation-attributed copyrights alone, unless you want to go back and prove they're not valid... which probably isn't worth the hassle. if you just created one because copy/paste, definitely nuke it18:34
dstanekdolphm: that was a new file18:34
dolphmdstanek: do you want this to land before marking the bp implemented? https://review.openstack.org/#/c/117723/18:37
dolphmdstanek: legacy_endpoint_id is the v2 endpoint ID, which is for endpoints that contain the trifecta of public + internal + admin as one "endpoint"18:38
dolphmdstanek: in the backend, we split it into (up to) 3 records, sharing a legacy_endpoint_id, but each having discrete v3 endpoint ID18:39
dolphmdstanek: so basically, it's a workaround for v2 endpoint != v3 endpoint (they're basically different concepts)18:39
dstanekdolphm: we probably don't absolutely need that to mark the bp implemented18:39
dstanekdolphm: i'll have to take a deeper look sometime - at a high level it was not obvious that there was a purpose, but i didn't look at the tests18:40
dolphmdstanek: i'd be happy to document it better if you point me to where you think an explanation belongs18:42
dstanekdolphm: ha, i don't even know :-(18:42
dstanekdolphm: it was right near the code i was changing and made me wonder18:43
dolphmhenrynash: o/18:43
dolphmstevemar: ^18:43
henrynashdolphm: hi18:43
dolphmhenrynash: see the /topic for the channel18:43
henrynasherr….oops18:43
dolphmhenrynash: no worries18:44
henrynashok, now sitting on hands18:44
dolphmhenrynash: just doing our part to reduce unnecessary gate load18:44
stevemarhenrynash, we're a union for the next 24 hrs, no extra work mr nash18:44
henrynashblimey, is that the time, gotta be tea break, guv18:44
dolphmfwiw, there's a few non-critical things already in the gate queue that i'm going to let go until they either merge or fail. if they fail, i'll try to keep them from requeuing18:44
*** Ugallu has quit IRC18:45
dolphmstevemar: lol18:45
stevemardolphm, i honestly wonder if it'll all get merged in 24 hrs18:46
stevemarthe gate is SO long18:46
dolphmstevemar: k2k is the only one at risk for being blocked by the gate load... if it doesn't make it, i'd be happy to use a feature freeze exception since it's already gating18:47
*** richm has quit IRC18:49
dolphmhenrynash: you can still remove the +A on this before it enters the gate :) https://review.openstack.org/#/c/118530/ it's still in the check queue18:50
henrynashdolphm: sure18:50
henrynashdolphm: done18:51
dolphmhenrynash: thanks!18:51
*** amcrn_ has joined #openstack-keystone18:51
openstackgerritDavid Stanek proposed a change to openstack/keystone: Moves create region from controller to manager  https://review.openstack.org/11874118:53
*** amcrn has quit IRC18:54
samuelmzHi. If I have an inherited role on a domain, can I get a token on a project in that domain? (even if I don't have a role on that project, ofc)18:54
dolphmsamuelmz: yes18:58
samuelmzdolphm, so the token api should use the role assignments one?18:59
dolphmsamuelmz: i don't understand the question18:59
samuelmzdolphm, to provide a token , we should verify if that user is who he  is saying to be (checking password) and if that user has permissions on a project/domain, right?19:01
dolphmsamuelmz: that's a reasonable statement, yes19:01
samuelmzdolphm, in that second part (verify permissions), do we use the role_assignments api?19:01
dolphmhenrynash: should this be invalid now? https://bugs.launchpad.net/keystone/+bug/136301919:02
uvirtbotLaunchpad bug 1363019 in keystone "test_versions.py is currently breaking pep8 in master" [Medium,In progress]19:02
dolphmsamuelmz: it uses the assignments manager/backend19:03
*** richm has joined #openstack-keystone19:03
samuelmzdolphm, do you have an entry point for this? It'd be great :)19:03
henrynashdolphm: so I think there is a minor issue, but the title is wrong….test_versions fails flake8 on my machine, but passes on master and if I fix it on my machine, it fails on master!19:03
dolphmsamuelmz: start with the token providers? i'm not quite sure what you're after19:04
*** diegows has quit IRC19:04
dolphmhenrynash: what versions of pep8, flake8 and hacking do you have installed?19:04
samuelmzdolphm, I'm part of the team implementing hierarchical projects and extending the inherited roles concept to it19:05
henrynashdolphm: checking19:05
samuelmzdolphm, I'd like to see how it's being done for inherited roles on domain, and then do the same to a project hierarchy19:06
samuelmzdolphm, I'll take a look at the token providers, thanks19:07
henrynashdolphm: pep8: 0.6.1-2ubuntu219:08
dolphmhenrynash: is there a better answer to samuelmz's question than "token providers"?19:09
dolphmhenrynash: that pep8 is *crazy* old -- be sure to install one from pip!19:09
dolphmhenrynash: what's the output of pep8 --version when you're seeing that error?19:10
henrynashdolphm: what's this about token-providers?19:10
dstanekhenrynash: dolphm: i have a patch for test_versions that i haven't pushed up yet - i think because of the newest hacking19:10
samuelmzdolphm, henrynash, if the better answer is 'token providers', it's strange the fact that we haven't any test for inherited role at test_token_provider19:10
dolphmhenrynash: where to look for how role assignments are inherited to projects, and consumed during the token generation process?19:10
dstaneki also updated my logging hacking check to look for _LW instead of _19:10
henrynashdolphm: there’s a common method in assignments…hold on19:11
dolphmsamuelmz: ^^19:11
henrynashdolphm, samuelmz: get_roles_for_user_and_project()19:12
henrynashsamuelmz: in assignment/core.py19:12
samuelmzhenrynash, I'm gonna take a look at this19:14
*** radez is now known as radez_g0n319:15
samuelmzhenrynash, I can't find the place where the domain is expanded to its projects tho19:16
samuelmzhenrynash, I mean something like 'if extension is enabled, get user's domain and then check get_roles_for_user_and_project for each project in that domain'19:17
henrynashsamuelmz: start looking at line 18819:17
samuelmzhenrynash, does this make sense?19:17
henrynashsamuelmz: if CONF.os_inherit.enabled:19:17
samuelmzhenrynash, I guess I'm not in the correct file19:18
henrynashassignment/core.py19:18
henrynashsamuelmz: ^^19:18
samuelmzhenrynash, that's clear19:19
*** gokrokve has joined #openstack-keystone19:19
samuelmzhenrynash, but where do we call get_roles_for_user_and_project at the token controller/api?19:19
samuelmzhenrynash, wow I'm sorry19:20
samuelmzhenrynash, I got confused, it's clear now19:20
henrynashsamuelmz: ok :-)19:20
henrynashsamuelmz: no I haven’t looked at the various changes we have done in tokens in Juno in detail, but I think it probably still flows through here.19:21
henrynashsamuelmz: fyi, the whole _get_metadata() thing in assignment/core is yukky..and we’re gonna kill it in Kilo (!), now that the kvs backends will be deprecated…but the logic is still sond19:22
henrynashsound19:22
samuelmzhenrynash, great19:23
samuelmzhenrynash, get_roles_for_user_and_project does the same work of list_role_assignments, do you agree?19:25
samuelmzhenrynash, the only difference is that it returns only the role_id of each entry19:25
samuelmzhenrynash, filtered by user_id and project_id19:26
henrynashsamuelmz: so yes, list_role_assignments is a newer api19:27
henrynashsamuelmz: and we always kind of had it in mind that eventually we would use the effective mode of role_assignment to do this19:28
samuelmzhenrynash, yes, and list_role_assignment is pretty inefficient19:29
henrynashsamuelmz: …there is work going on elsewhere to enable filtering in the backend method for that…which is really needed ahead of switching over to using that in place of what the get_roles_for_user_and_project() does today19:30
samuelmzhenrynash, but this will be changed https://review.openstack.org/#/c/116682/19:31
henrynashsamuelmz: yep, that’s the work I was referring to19:31
samuelmzhenrynash, yes I'm doing it with my team :)19:31
henrynashsamuelmz: ah, ok..sorry!19:31
samuelmzhenrynash, also, we are implementing the hierarchical projects concept19:32
henrynashsamuelmz: yep, guessed that bit :-)19:32
samuelmzhenrynash, and now I'm not able to get a token from an inherited role.. I'm gonna implement the 'effective' part for hierarchical projects on get_roles_for_user_and_project19:33
henrynashsamuelmz: right19:33
samuelmzhenrynash, even if we've already implemented the list_role_assignments and the code will be kept duplicated19:33
henrynashsamuelmz: ok, got it19:34
samuelmzhenrynash, I think the best approach is to do a refactoring once everything is merged19:34
henrynashsamuelmz: yep, ok19:34
samuelmzhenrynash, great19:35
samuelmzhenrynash, I couldn't find a test for token through an inherited domain role tho19:36
henrynashsamuelmz: so there are certainly lots of inherited tests….I’d be surprised if we didn’t test that19:37
samuelmzhenrynash, ok.. I'm gonna create a test for it at IdentityInheritanceTestCase, is that a good place?19:38
*** bambam1 has quit IRC19:38
samuelmzhenrynash, and I am gonna submit a patch for this test today19:38
*** bambam1 has joined #openstack-keystone19:40
*** ajayaa has quit IRC19:46
bknudsonayoung: I think I know what the fix is for bug 1343579 -- were you looking at it?19:49
uvirtbotLaunchpad bug 1343579 in keystone "Versionless GET on keystone gives different answer with port 5000 and 35357" [High,Triaged] https://launchpad.net/bugs/134357919:49
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/service.py#n5719:49
*** radez_g0n3 is now known as radez19:51
*** raildo1 has left #openstack-keystone19:51
*** raildo1 has joined #openstack-keystone19:51
*** raildo1 has left #openstack-keystone19:54
*** raildo has joined #openstack-keystone19:55
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix admin server doesn't report v2 support in Apache httpd  https://review.openstack.org/11875720:00
*** joesavak has quit IRC20:03
*** radez is now known as radez_g0n320:06
*** stevemar has quit IRC20:07
*** marcoemorais has quit IRC20:10
*** marcoemorais has joined #openstack-keystone20:11
*** marcoemorais has quit IRC20:12
*** marcoemorais1 has joined #openstack-keystone20:13
ayoungbknudson, um20:16
ayoungbknudson, thought I submitted a patch for that, but I know the problem20:16
ayoungyep20:16
bknudsonayoung: oh, I just saw the bug and there wasn't a patch listed.20:17
*** fifieldt_ has joined #openstack-keystone20:17
ayoungbknudson, I've no problem with your submitting a patch.  Looks like I missed it one way or another20:17
bknudsonayoung: it's here https://review.openstack.org/118757 ... was only the one line20:18
ayoungbknudson, I bet if I look through my private git repo I will have exactly that change checked in to some nameless branch20:18
ayoungso happy to +220:19
*** fifieldt has quit IRC20:21
*** gordc has quit IRC20:24
samuelmzhenrynash, ping20:25
openstackgerritJeremy Stanley proposed a change to openstack/keystone: Work toward Python 3.4 support and testing  https://review.openstack.org/11877820:29
openstackgerritJeremy Stanley proposed a change to openstack/keystonemiddleware: Work toward Python 3.4 support and testing  https://review.openstack.org/11877920:29
openstackgerritJeremy Stanley proposed a change to openstack/python-keystoneclient: Work toward Python 3.4 support and testing  https://review.openstack.org/11880220:30
dstanekdolphm: i didn't realize that they could prioritize gate jobs like that20:48
dolphmdstanek: it's mostly reserved for pushing fixes that address transient issues through.. fortunately, we don't have too many of those :)20:49
*** marcoemorais1 has quit IRC20:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a spacing issue that causes pep8 to complain  https://review.openstack.org/11888220:51
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds missing log hints for level E/I/W  https://review.openstack.org/11888320:51
openstackgerritDavid Stanek proposed a change to openstack/keystone: Extends hacking check for logging to verify i18n hints  https://review.openstack.org/11888420:51
*** marcoemorais1 has joined #openstack-keystone20:54
*** htruta has quit IRC20:58
*** jimhoagland has joined #openstack-keystone21:03
*** jasondotstar has joined #openstack-keystone21:05
samuelmzHi. Should we be able to update a grant? I know if we want to change its role or its project/domain, it will be no more the same grant, then delete it and create a new one21:06
samuelmzBut what about a grant becoming inherited? It will always be the same grant, but its effect will be propagated21:07
samuelmzWhat are your thoughts on this?21:08
*** david-lyle has quit IRC21:12
*** dencaval has quit IRC21:16
samuelmzdolphm, ^21:17
dolphmsamuelmz: they're immutable. they don't have a reference exposed to the HTTP API upon which to mutate anything21:17
*** saranjan has joined #openstack-keystone21:18
samuelmzdolphm, yes... that's the point. Now with the inherit attribute, it does make sense to make a grant inherited, doesn't?21:19
samuelmzdolphm, if so, we could expose this to the HTTP API21:20
*** dhellmann is now known as dhellmann_21:28
openstackgerritDolph Mathews proposed a change to openstack/keystone: use one indentation style  https://review.openstack.org/11889421:29
*** david-lyle has joined #openstack-keystone21:33
dstanekdolphm: i like  your fix better than mine21:37
dolphmdstanek: to the indentation thing?21:37
bknudsondolphm really didn't like the way I formatted that structure.21:37
bknudsonmy excuse is that pep8 only gives us like 40 characters to work with.21:38
dolphmbknudson: you used that mixed style through that bp :P but you slipped up here!21:38
*** ncoghlan_afk is now known as ncoghlan21:38
*** henrynash has quit IRC21:39
dstanekdolphm: yes, i just fixed the glitch21:41
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix admin server doesn't report v2 support in Apache httpd  https://review.openstack.org/11875721:42
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add test for single app loaded version response  https://review.openstack.org/11890221:42
*** jimbaker has quit IRC21:44
*** jimbaker has joined #openstack-keystone21:45
*** jimbaker has quit IRC21:45
*** jimbaker has joined #openstack-keystone21:45
*** diegows has joined #openstack-keystone21:45
dstanekmfisch: ping21:47
mfischdstanek: pong21:48
*** ncoghlan is now known as ncoghlan_afk21:48
dstanekmfisch: is that ldap debug logging bug still valid?21:49
dstanekhttps://bugs.launchpad.net/keystone/+bug/127471521:50
uvirtbotLaunchpad bug 1274715 in keystone "LOG.debug not working in LDAP code" [Medium,Triaged]21:50
mfischdstanek: I've been reading the follow-up on it but I've not had any time to test it21:50
*** andreaf has quit IRC21:51
mfischwhy the sudden interest? I'm about 6 months past needing it to work21:51
dstanekthe issue you were having is that basically the log level was always info and up regardless of the config setting? so the log messages never appeared?21:51
mfischdstanek: yes, it appeared that the LDAP code did not inherit the setting from the main config file21:52
mfischdstanek: when I was debugging I ended up doing %s/info/warn/g and then reverting it later21:52
dstanekmfisch: mostly because it showed up in my inbox today and it seems like someone is interested in fixing21:52
dstanekmfisch: OK thx21:52
mfischI was using H when it happened I believe, possibly it's been fixed. It should be easy to repro21:52
mfischassuming it's not fixed21:52
* mfisch notes to send bugs to dstanek's inbox for immediate processing21:53
dstanekmfisch: if i get too many i'll have to add a filter :-)21:54
*** rm_work has quit IRC21:54
mfischpretty sure I have an open PO for beer though21:54
mfischanyway if it cannot repro I'm +1 to close21:55
dstanekhaha21:55
openstackgerritA change was merged to openstack/keystone: Adds region back into the catalog endpoint  https://review.openstack.org/11866721:59
*** rm_work|away has joined #openstack-keystone22:01
*** rm_work|away is now known as rm_work22:01
*** rm_work has joined #openstack-keystone22:01
*** jaosorior has quit IRC22:02
*** topol has quit IRC22:02
*** henrynash has joined #openstack-keystone22:04
*** marcoemorais1 has quit IRC22:05
*** marcoemorais has joined #openstack-keystone22:06
mfischok22:06
*** saipandi has quit IRC22:06
*** nkinder has quit IRC22:10
*** openstack has joined #openstack-keystone22:10
openstackgerritSarvesh Ranjan proposed a change to openstack/keystone: Fixed spelling mistakes in comments.  https://review.openstack.org/11891322:18
*** packet has joined #openstack-keystone22:22
*** nkinder has joined #openstack-keystone22:26
*** ncoghlan_afk is now known as ncoghlan22:30
*** saranjan has quit IRC22:33
*** marcoemorais has quit IRC22:33
*** marcoemorais has joined #openstack-keystone22:34
*** amerine has quit IRC22:34
*** amerine_ has joined #openstack-keystone22:34
*** ncoghlan is now known as ncoghlan_afk22:40
*** bknudson has quit IRC22:41
*** sigmavirus24 is now known as sigmavirus24_awa22:44
*** yasukun has joined #openstack-keystone22:46
*** dims has quit IRC22:52
*** dims has joined #openstack-keystone22:52
*** nkinder has quit IRC22:53
*** dims has quit IRC22:57
*** diegows has quit IRC22:58
*** gyee has quit IRC22:59
*** david-lyle has quit IRC23:14
*** openstackstatus has quit IRC23:19
jamielennoxdolphm: did you have a look at that etherpad? i'm going back through logs but i can't find the link23:19
*** openstackstatus has joined #openstack-keystone23:20
*** ChanServ sets mode: +v openstackstatus23:20
*** henrynash has quit IRC23:20
*** ncoghlan_ has joined #openstack-keystone23:25
*** ncoghlan_afk has quit IRC23:29
jamielennoxkeystone friends - in the next week i need to pass about 10 patches to keystoneclient so that they will be available in the next release which i expect will happen around RC time23:35
jamielennoxi'm willing to walk people through the logic, bribes and favours are available23:35
jamielennoxi WIPed most things that aren't important or still need work23:36
jamielennoxthanks for listening :)23:36
ayoungjamielennox, if you don't, do you still get married?23:37
jamielennoxayoung: something tells me that "getting things gated" is not a reasonable excuse23:38
*** rkofman has joined #openstack-keystone23:39
ayoungjamielennox, we'll work on them.  I think the post J3 lull should be perfect for some quality Client time23:39
jamielennoxi want to do the nova changes as early as possible in kilo so i don't want this stuff to slip a release23:40
ayoung++23:40
ayoungjamielennox, I need it, too23:40
ayoungall of the Kerberos work depends on the client being sane23:40
jamielennoxayoung: yea, figured it's easier then - need to start applying guilt now so that next week isn't the first people hear about it23:40
jamielennoxayoung: did you see https://review.openstack.org/#/c/118531/23:41
*** jimhoagland has quit IRC23:45
*** gokrokve has quit IRC23:50
*** nkinder has joined #openstack-keystone23:51
*** hrybacki has quit IRC23:56
