Monday, 2014-09-15

*** mflobo_ has joined #openstack-keystone00:01
*** sigmavirus24b has joined #openstack-keystone00:02
*** cjellick_ has joined #openstack-keystone00:03
*** joesavak has joined #openstack-keystone00:03
openstackgerritA change was merged to openstack/keystone: Ensure a consistent transactional context is used
*** gus_ has joined #openstack-keystone00:06
*** mhu1 has joined #openstack-keystone00:06
*** dutsmoc has joined #openstack-keystone00:07
*** jraim_ has joined #openstack-keystone00:07
*** rm_work| has joined #openstack-keystone00:07
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix delete group cleans up role assignments with LDAP
openstackgerritBrant Knudson proposed a change to openstack/keystone: Ensure identity sql driver supports domain-specific configuration.
openstackgerritBrant Knudson proposed a change to openstack/keystone: Reduce unit test log level for notifications.
*** mgagne has joined #openstack-keystone00:08
*** d34dh0r53 has joined #openstack-keystone00:09
*** mgagne is now known as Guest7273900:09
*** dolphm_ has joined #openstack-keystone00:09
*** lbragstad1 has joined #openstack-keystone00:12
*** EmilienM_ has joined #openstack-keystone00:13
*** jraim has quit IRC00:13
*** jsavak has quit IRC00:13
*** nonameentername has quit IRC00:13
*** cjellick has quit IRC00:13
*** adam_g has quit IRC00:13
*** rm_work has quit IRC00:13
*** _d34dh0r53_ has quit IRC00:13
*** sigmavirus24_awa has quit IRC00:13
*** dolphm has quit IRC00:13
*** comstud has quit IRC00:13
*** Guest6936 has quit IRC00:13
*** mhu has quit IRC00:13
*** EmilienM has quit IRC00:13
*** gus has quit IRC00:13
*** mflobo has quit IRC00:13
*** mhu1 is now known as mhu00:13
*** dolphm_ is now known as dolphm00:13
*** jraim_ is now known as jraim00:13
*** EmilienM_ is now known as EmilienM00:13
*** rm_work| is now known as rm_work00:13
*** rm_work has quit IRC00:13
*** rm_work has joined #openstack-keystone00:13
*** packet has joined #openstack-keystone00:18
*** adam_g has joined #openstack-keystone00:19
*** adam_g has quit IRC00:19
*** adam_g has joined #openstack-keystone00:19
openstackgerritBrant Knudson proposed a change to openstack/keystone: ldap/core deleteTree not always supported
openstackgerritA change was merged to openstack/keystonemiddleware: convert the conf value into correct type
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance FakeLdap to require base entry for subtree search
openstackgerritBrant Knudson proposed a change to openstack/keystone: Refactor FakeLdap to share delete code
*** gus_ is now known as gus00:29
*** packet has quit IRC00:32
*** HenryG has quit IRC00:37
*** ncoghlan has joined #openstack-keystone00:45
*** packet has joined #openstack-keystone00:51
*** dimsum_ has quit IRC00:57
*** mitz_ has joined #openstack-keystone01:05
*** dimsum_ has joined #openstack-keystone01:13
*** packet has quit IRC01:15
*** lbragstad1 has quit IRC01:16
*** packet has joined #openstack-keystone01:17
*** rodrigods has quit IRC01:17
morganfainbergbknudson, beat me to the rebases01:32
morganfainbergbknudson, just waiting for the final check to pass then should be gating01:33
*** wanghong has joined #openstack-keystone01:34
*** dimsum_ has quit IRC01:51
*** ncoghlan is now known as ncoghlan_afk01:51
*** wwriverrat has joined #openstack-keystone01:54
*** alex_xu has joined #openstack-keystone01:56
*** joesavak has quit IRC01:59
*** wanghong has quit IRC02:00
*** lbragstad1 has joined #openstack-keystone02:10
openstackgerritA change was merged to openstack/keystone-specs: Add RSS feed
*** wanghong has joined #openstack-keystone02:12
openstackgerritA change was merged to openstack/keystone-specs: Remove templates from toctrees
openstackgerritA change was merged to openstack/keystone-specs: Use the current date for the copyright statement
*** wwriverrat has quit IRC02:23
jamielennoxmorganfainberg: you here?02:26
morganfainbergmight be02:26
*** wanghong has quit IRC02:27
jamielennoxmorganfainberg: do you mind doing a quick read through of a post for me02:27
jamielennoxi'm way to close to it and so it makes sense to me02:27
morganfainbergjamielennox, uh sure. but realize i've not had food yet02:28
morganfainbergjamielennox, so brain is a little foggy. shouldn't be a big deal02:28
morganfainbergbut if i say something wacky, just disregard it :)02:28
jamielennoxmorganfainberg: foggy is better - if you don't get it i didn't explain it well02:28
jamielennoxI can't put everything in there, hoping that will be enough to send people looking through the code02:30
jamielennoxthen i can do a bunch of docs when i'm back02:30
morganfainbergreading now02:31
*** ncoghlan_afk is now known as ncoghlan02:32
morganfainberglooks good to me02:32
morganfainbergpretty straight forward02:32
jamielennoxmorganfainberg: excellent, done02:33
morganfainbergwhen are you off?02:33
jamielennoxmostly trying to just write emails and a few things today - and that should be it02:34
morganfainberghave a good time :)02:34
morganfainbergwe'll try not to break the client too badly between now and when you're back02:34
jamielennoxoh - i will02:35
* morganfainberg could use a nice long vacation02:35
jamielennoxheh, you can't break it more than it already is02:35
morganfainbergjamielennox, ... Challenge Acc... maybe not02:36
jamielennoxmaybe you can purge it from the internet so i can just start again02:36
morganfainbergKeystoneclient 1.002:37
morganfainbergrewrite, incompatible with old versions02:37
*** packet has quit IRC02:37
jamielennoxtimed to coincide with keystone API v4 is my understanding02:37
morganfainbergpin the global reqs to <1.002:37
morganfainbergor more appropriate <=0.99902:37
morganfainbergi could see a complete re-write of the lib being less work than a new api version02:38
morganfainbergand if it was stated it was going to be incompatible out the gate, i think it could free a lot up02:38
jamielennoxthe lib bit is easy, trying to convert people will be hard02:38
morganfainbergthough it would probably take 2 cycles+ to get it adopted02:38
jamielennoxand we still have all the like service catalog hacks to deal with02:38
morganfainbergeh, i'd consider it a valid topic to explore going into L02:39
morganfainbergexpecting to be maintaining / developing on 0.XX version for a couple cycles as well, but a full on streamline/cleanup 1.0 isn't a *bad* thing02:40
jamielennoxmorganfainberg: they're really hard to run out of the same repo with pip02:40
jamielennoxessentially you need to write keystoneclient202:40
morganfainbergjamielennox, i wouldn't run it out of the same repo02:40
morganfainbergok so we call it keystoneclient202:40
morganfainbergor python-keystoneclient-202:41
jamielennoxhm, -kerberos still not approved02:43
*** wanghong has joined #openstack-keystone02:44
morganfainbergooh uh02:45
morganfainbergare we using python-keystoneclient's LP page for those?02:45
morganfainbergmy guess is we *shouldn't* because it's gonna be hard to track02:45
morganfainbergi'll go create the LP projects if you haven't02:45
*** lbragstad1 has quit IRC02:46
jamielennoxmorganfainberg: no i didn't create launchpads for it, i figured it was under the same group and drivers02:55
jamielennoxand that we weren't going to see that many bugs for it we could probably manage with tags02:55
jamielennoxbut either way doesn't really bother me02:56
morganfainbergjamielennox, the issue is release milestones under one project gets wonky02:56
morganfainbergjamielennox, you need to create new series and such and it's not straight forward. easier to just make it separate bug trackers :(02:57
jamielennoxmorganfainberg: ok02:57
morganfainbergjamielennox, anyway you didn't 'group' the new repos02:58
morganfainbergjamielennox, so it would need it's own LP project02:58
morganfainbergnbd really.02:58
morganfainbergcould have added it after the fact but i think it's cleaner to have it's own project02:59
morganfainbergno big deal02:59
jamielennoxok - i haven't seen 'group' before02:59
*** KanagarajM has joined #openstack-keystone03:01
*** stevemar has quit IRC03:18
*** stevemar has joined #openstack-keystone03:19
*** david-lyle has joined #openstack-keystone03:30
*** alex_xu has quit IRC03:32
*** alex_xu has joined #openstack-keystone03:35
*** larsks|alt is now known as larsks03:35
openstackgerritA change was merged to openstack/keystonemiddleware: Create an Auth Plugin to pass to users
*** gokrokve_ has quit IRC03:54
openstackgerritA change was merged to openstack/keystone: ldap/core deleteTree not always supported
*** ncoghlan is now known as ncoghlan_afk03:56
openstackgerritDave Chen proposed a change to openstack/keystone: local configuration should be allowed in "keystone-paste.ini"
*** ncoghlan_afk is now known as ncoghlan04:09
*** gokrokve has joined #openstack-keystone04:15
*** ChanServ sets mode: -v morganfainberg04:19
*** gokrokve has quit IRC04:20
*** gokrokve has joined #openstack-keystone04:22
*** achampion has joined #openstack-keystone04:24
*** achampio1 has quit IRC04:27
*** gokrokve has quit IRC04:27
*** rushiagr_away is now known as rushiagr04:37
*** david-lyle has quit IRC04:47
*** david-lyle has joined #openstack-keystone04:48
*** aix has quit IRC05:02
*** ncoghlan is now known as ncoghlan_afk05:06
*** jraim has quit IRC05:10
*** ncoghlan_afk is now known as ncoghlan05:11
*** jraim_ has joined #openstack-keystone05:12
*** rushiagr is now known as rushiagr_away05:24
ekarlsojamielennox: u here still or have u left ?05:34
ekarlsoanyone else around ? ;)05:36
openstackgerritKevin Benton proposed a change to openstack/keystone: Fail on empty userId/username before query
*** stevemar has quit IRC05:46
*** ajayaa has joined #openstack-keystone05:49
*** ukalifon1 has joined #openstack-keystone05:54
*** alex_xu has quit IRC05:55
*** k4n0 has joined #openstack-keystone05:57
*** KanagarajM has quit IRC06:04
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** wanghong has quit IRC06:04
*** alex_xu has joined #openstack-keystone06:14
*** mflobo_ has quit IRC06:16
*** rushiagr_away is now known as rushiagr06:18
*** achampio1 has joined #openstack-keystone06:18
*** henrynash has joined #openstack-keystone06:19
*** achampion has quit IRC06:20
*** alex_xu has quit IRC06:21
*** alex_xu has joined #openstack-keystone06:21
*** gokrokve has joined #openstack-keystone06:22
*** rushiagr is now known as rushiagr_away06:23
*** palendae has quit IRC06:23
*** gokrokve has quit IRC06:23
*** gokrokve has joined #openstack-keystone06:24
*** palendae has joined #openstack-keystone06:25
jamielennoxekarlso: in and out06:28
ekarlsojamielennox: so allmost fixed up the cli stuff06:28
*** gokrokve has quit IRC06:28
ekarlsojust need to fix tests :(06:29
jamielennoxekarlso: excellent - and all working?06:32
ekarlsojamielennox: allmosT ;)06:33
ekarlsojamielennox: some of the old behaviour is borking atm06:44
jamielennoxekarlso: anything in particular?06:45
ekarlsoI see why06:46
ekarlsoI looked at your patch and removed self.auth_check()06:46
ekarlsojamielennox: is that intended to be removed or ?06:47
jamielennoxekarlso: i can't remember which patch auth_check was on06:50
jamielennoxor what it was doing06:50
jamielennoxunfortunately none of the clients are standard enough to figure that out06:50
ekarlsoI was hoping the CLI plugin would land in J06:52
*** david-lyle has quit IRC06:52
ekarlsothat way I don't have to write custom crap for designate v206:52
ekarlsosince ks now has all the goodies06:52
jamielennoxwill be released this week06:54
jamielennoxthe main issue is i just don't know what people want, if you can get away with it just use generic.Password as your CLI default06:55
ekarlsojamielennox: so your options atm doesn't honor --os_password but only os-password06:55
ekarlsobtw : )06:55
jamielennoxthat's good06:56
jamielennoxi don't want to drag --os_password around06:56
ekarlsooh ok06:56
*** Sanchit has joined #openstack-keystone06:56
jamielennoxif you have --os_password already and need to maintain compatability you can add it and use SUPRESS or something so that it doesn't end up in the --help options06:57
jamielennoxbut you should be able to do that independently of the plugin06:57
SanchitHi. I am trying to configure keystone and start the services. When I run keystone-all command, I am getting this error: ImportError: cannot import name backends.06:58
SanchitCan anybody explain me the issue and help resolving the same?06:58
jamielennoxSanchit: sounds like you haven't got keystone installed into the python path06:58
jamielennoxso like python install06:59
*** KanagarajM has joined #openstack-keystone06:59
*** ajayaa has quit IRC06:59
jamielennoxyou should be able to get a python prompt and type import keystone to test that it's picking up the correct directory06:59
Sanchitwhen i get a python prompt and write >>> import keystone07:00
SanchitIt simply advances to next prompt line07:00
ekarlsojamielennox: what is it that adds the SUPRSES thing ?07:00
ekarlsoI see why it broke: )07:01
Sanchitjamielennox: When I write >>> import keystone  >>> from keystone import backends07:02
SanchitI get the following error: AttributeError: 'module' object has no attribute 'wraps'07:02
ekarlsojamielennox: :'( 1 failure still :p07:03
jamielennoxSanchit: wraps? do you have a line number? that sounds like functools07:03
jamielennoxekarlso: which bit07:03
Sanchitjamielennox: File "keystone/openstack/common/", line 128, in __call__     @six.wraps(func_or_cls) AttributeError: 'module' object has no attribute 'wraps'07:04
*** henrynash has quit IRC07:04
Sanchitjamielennox: Could you please walk me through this?07:07
ekarlsojamielennox: meh, rather 33 failures (forgot to run all tests because I was fixing tests.test_shell07:08
ekarlsojamielennox: I wonder if it's the discover part or smth when the auth plugins are loading that's borking07:08
jamielennoxSanchit: ummm - that just looks like a bug to me, i just don't see how this would be the first time it was found07:13
jamielennoxSanchit: no six.wraps is a thing but it isn't installed on my machine either07:15
Sanchitjamielennox: I am running Python v2.707:15
SanchitWhen I tried to run tests script in virual environment, It went through quite smoothly.07:16
jamielennoxSanchit: so the problem is the version of the six library07:16
jamielennoxit's too old07:17
jamielennoxthough i can't see what version it is you need07:17
ekarlsojamielennox: nice, this stuff is working nicely!07:17
jamielennoxekarlso: good! i was coming back07:17
ekarlsojamielennox: coming back ?07:18
jamielennoxekarlso: i hadn't answered the last few things you said07:18
jamielennoxSanchit: So in six 1.6.1 there is no wraps function, in six 1.7.3 there is - so i'm *guessing* you need six 1.707:19
jamielennoxSanchit: so depending on what machine you are working on you probably won't have new enough versions in your system packages07:20
Sanchitjamielennox: I am just on it. Upgrading to six 1.7.007:20
*** ajayaa has joined #openstack-keystone07:20
jamielennoxi'm on an up to date fedora and i need a virtual env to run things out of git07:20
*** gokrokve has joined #openstack-keystone07:22
Sanchitjamielennox: I upgraded to six 1.7.0 and still the same error. Do I need to reboot?07:23
jamielennoxSanchit: import six; print six.__version__07:24
SanchitAaah. Its 1.5.207:25
jamielennoxif you just type six it will show you the path it is getting six from07:26
jamielennoxor print six i guess07:26
Sanchitjamielennox: <module 'six' from '/usr/lib/python2.7/dist-packages/six.pyc'>07:26
*** gokrokve has quit IRC07:26
jamielennoxso whereever you installed six it is a lower priortiy than that07:27
ekarlsojamielennox: < hmmm requests mock is borking there since sessions is hitting a unmocked addr07:27
jamielennoxekarlso: that looks like discovery07:29
ekarlsojamielennox: yea i figured07:29
ekarlsojamielennox: clue on a fix ?07:29
jamielennoxeither from the service catalog or the initial call07:29
ekarlsoregister a stuburl on that endpoint stuff in the test07:30
ekarlsoI guess07:30
Sanchitjamielennox: I am a newbie in this field. Could you please guide me in detail on how to go about and fix this discrepency?07:30
jamielennoxyea, i'm not sure why it would break now07:30
ekarlsojamielennox: I think it's since I'm loading a plugin by default ?07:30
jamielennoxbut yes, you should be able to just put a discovery response it for that url07:30
ekarlsodon't think it used to do that before07:31
jamielennoxoh - yea, that would make sense07:31
jamielennoxif nothing is specified by default it would return None07:31
jamielennoxso there wouldn't be anything called07:31
jamielennoxnow it's trying to do real behaviour and the test isn't set up for it07:31
jamielennoxSanchit: how did you install six07:31
SanchitIt was listed as a dependency in requirement.txt in keystone07:32
jamielennoxah, i need to go - going to keep irc open on phone - not sure how this will work07:32
jamielennoxright but where did it go07:32
ekarlsojamielennox: going home ? : P07:32
jamielennoxif you import sys; print sys.path07:32
jamielennoxyou will see the directories tht python is looking for code, so six has to go in one of those07:33
jamielennoxekarlso: been working from home, was about to go out when i checked to make sure no-one had said anything on irc07:33
jamielennoxthat was 30 odd minutes ago07:33
Sanchitjamielennox: >>> import sys >>> sys.path ['', '/home/sanchit/python-swiftclient', '/usr/lib/python2.7/dist-packages', '/home/sanchit/swift', '/home/sanchit/keystone', '/home/sanchit/python-swiftclient/pbr-0.10.0-py2.7.egg', '/usr/local/lib/python2.7/dist-packages/virtualenv-1.11.6-py2.7.egg', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/pytho07:34
jamielennoxthats a bit funny looking07:35
Sanchitjamielennox: sorry for that.07:35
jamielennoxbut wherever you installed six needs to be before /usr/lib/python2.7/dist-packages07:36
jamielennoxotherwise it will take that one in priority07:36
jamielennoxSanchit: not your fault - if I really had to i would have done it :)07:37
Sanchitjamielennox: Okay. I'll figure that out.07:37
ekarlsojamielennox: this stuff is pain...07:46
ekarlsonow discovery get's pulled in everywhere :P07:46
*** BAKfr has joined #openstack-keystone07:46
*** garnav has joined #openstack-keystone07:47
*** jamielennox is now known as jamielennox|away07:49
*** _nonameentername has joined #openstack-keystone07:59
openstackgerritwanghong proposed a change to openstack/keystone: add --rebuild option for ssl/pki_setup
*** jamielennox|away is now known as jamielennox08:03
ekarlsojamielennox: u able to help with that timeout test ? :/08:04
jamielennoxWhich timeout test?08:04
jamielennoxI can't run it, but if you show me i might be able to help08:04
*** ncoghlan has quit IRC08:05
*** ncoghlan has joined #openstack-keystone08:05
*** jraim_ has quit IRC08:05
*** jraim_ has joined #openstack-keystone08:05
*** ukalifon1 has quit IRC08:05
*** ukalifon1 has joined #openstack-keystone08:05
*** k4n0 has quit IRC08:05
*** k4n0 has joined #openstack-keystone08:05
*** Sanchit has quit IRC08:06
*** Sanchit has joined #openstack-keystone08:06
*** KanagarajM has quit IRC08:06
*** KanagarajM has joined #openstack-keystone08:06
ekarlso < jamielennox there the test is08:06
*** garnav has quit IRC08:06
*** garnav has joined #openstack-keystone08:06
jamielennoxWhat does it do08:08
ekarlso @ jamielennox08:08
ekarlsoblows up saying it's never called08:09
marekdanyone using ubuntu 14 for openstack development at the moment?08:09
ekarlsomarekd: ye08:10
jamielennoxSo it looks like the path to calling request has changed, the request is happening where it should hit the mock08:11
jamielennoxThis is possible actually because i moved the fake session object08:12
ekarlsojamielennox: :|08:12
*** wanghong has joined #openstack-keystone08:12
ekarlsojamielennox: clue on a solution ?08:12
jamielennoxSo if you're not using sessions then there is an object at the top of httpclient that is used so requests.request would come from there instead of session. Py08:13
jamielennoxChange sessions.requests.request to "requests.request"08:14
marekdekarlso: hm, no problem with python2 so far?08:14
jamielennoxWhich i think means you have to do just mock. Patch not patch object08:14
ekarlsomarekd: nope08:14
marekdekarlso: i've read they are pushing for py308:14
ekarlsomarekd: yea08:15
marekdok i think i will have to give it a try.08:15
ekarlsojamielennox: same thing08:22
ekarlsodoesn't get called08:22
ekarlsothe requests.request method that is08:23
*** f13o has quit IRC08:23
ekarlsobut technically I could patch keystone.session.Session.request instead I guess08:23
*** f13o has joined #openstack-keystone08:25
*** jamielennox is now known as jamielennox|away08:28
openstackgerritA change was merged to openstack/keystone: Fix delete group cleans up role assignments with LDAP
openstackgerritA change was merged to openstack/keystone: Reduce unit test log level for notifications.
*** f13o has quit IRC08:32
*** ajayaa has quit IRC08:37
*** f13o has joined #openstack-keystone08:39
*** diegows has joined #openstack-keystone08:43
*** k4n0 has quit IRC08:48
*** henrynash has joined #openstack-keystone08:49
*** ncoghlan has quit IRC08:54
*** chmouel_ is now known as chmouel08:59
*** k4n0 has joined #openstack-keystone09:08
*** alex_xu has quit IRC09:09
*** Guest37890 is now known as amakarov09:10
*** aix has joined #openstack-keystone09:19
ekarlsoany cli gurus here since jamielennox|away went away ? :)09:22
*** gokrokve has joined #openstack-keystone09:22
ekarlsoi'm wondering if it would be bad to move the functionality of the shell class's auth_check() into the given auth plugin instead09:23
ekarlsosince if you do ksc --os-auth-plugin v2token for example it will break since the options like username isn't registered09:23
*** gokrokve has quit IRC09:27
*** rushiagr_away is now known as rushiagr09:42
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure identity sql driver supports domain-specific configuration.
*** henrynash has quit IRC09:49
ukalifon1andreaf: Hi, Andrea. did you get a chance to work on ?09:51
*** f13o has quit IRC09:52
*** ajayaa has joined #openstack-keystone09:56
andreafukalifon1, Hi - no sorry - I'll spend some time on it today10:00
*** Sanchit has quit IRC10:00
andreafukalifon1, I still see only one changeset and don't see your test running?10:01
ukalifon1andreaf: I thought I fixed it, I'll check if it didn't run. Can you give me an example of something that did run and what you are looking to see in it?10:03
andreafukalifon1, for instance there's no trace of your test in or
andreafukalifon1, it may be you fixed it, but did you push the new code to gerrit? I only see one changeset10:05
*** junhongl has joined #openstack-keystone10:07
ukalifon1andreaf: There are 5 patch sets in
ukalifon1is that what you mean?10:07
andreafukalifon1, I guess that means I need more coffee :P10:08
andreafukalifon1, do you have the link to a log where your test ran?10:08
andreafukalifon1, I download your change I'm looking at it anyways10:09
ekarlsohmmm, auth_check is evil...10:11
*** sanchit has joined #openstack-keystone10:12
sanchitjamielennox|away: Hi, I tried fixing the six library issue10:13
ekarlsoif you use --os-auth-plugin <name> it doesn't load the wanted options and ks client shell goes bork10:13
sanchitjamielennox|away: I upgraded to six 1.8.0 and I am able to import backends from keystone in python prompt10:13
sanchitjamielennox|away: But, When I try keystone-all, it still displayes error  File "/usr/local/bin/keystone-all", line 43, in <module>     from keystone import backends ImportError: cannot import name backends10:14
sanchitCan Anyone help mw with this issue10:15
andreafukalifon1, so you added a new folder but you don't have an in it, that's why your test is not picked up10:18
andreafukalifon1, do you mind if I upload a new patchset?10:19
*** mflobo has joined #openstack-keystone10:22
*** gokrokve has joined #openstack-keystone10:22
andreafukalifon1, ok I added a new patchset - let's wait for it to run10:25
ukalifon1andreaf: thanks very much10:25
*** gokrokve has quit IRC10:27
*** ajayaa has quit IRC10:30
*** ajayaa has joined #openstack-keystone10:31
*** Krast has joined #openstack-keystone10:34
*** Krast has quit IRC10:35
*** HenryG has joined #openstack-keystone10:37
*** rushiagr is now known as rushiagr_away10:37
*** diegows has quit IRC10:38
*** k4n0 has quit IRC10:42
*** rushiagr_away is now known as rushiagr10:44
*** ajayaa has quit IRC10:54
*** ajayaa has joined #openstack-keystone10:54
*** rushiagr is now known as rushiagr_away10:56
*** k4n0 has joined #openstack-keystone11:04
*** lufix has joined #openstack-keystone11:05
lufixIs it okay to ask a general keystone question or is this channel meant for developers of keystone only?11:07
*** topol has joined #openstack-keystone11:07
ekarlso5 failurse11:10
*** afaranha has joined #openstack-keystone11:11
ekarlsoanyone wanna help me conquor ksclient to use sessions atm ?11:12
ekarlsowith the cli..11:12
ekarlso4 tests are failing on auth_tenant_id auth_user_id being used in the CLI11:12
*** dimsum_ has joined #openstack-keystone11:12
*** f13o has joined #openstack-keystone11:13
*** sanchit has quit IRC11:16
*** alex_xu has joined #openstack-keystone11:22
*** gokrokve has joined #openstack-keystone11:22
*** alex_xu has quit IRC11:23
*** alex_xu has joined #openstack-keystone11:23
*** dims_ has joined #openstack-keystone11:24
*** dimsum_ has quit IRC11:24
*** alex_xu has quit IRC11:24
*** alex_xu has joined #openstack-keystone11:25
*** alex_xu has quit IRC11:25
*** samuelmz has joined #openstack-keystone11:26
*** alex_xu has joined #openstack-keystone11:27
*** gokrokve has quit IRC11:27
*** alex_xu has quit IRC11:27
*** alex_xu has joined #openstack-keystone11:29
*** alex_xu has quit IRC11:30
*** dims_ has quit IRC11:33
*** dims has joined #openstack-keystone11:33
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance
*** KanagarajM has quit IRC11:38
*** rushiagr_away is now known as rushiagr11:42
*** alex_xu has joined #openstack-keystone11:48
*** rodrigods has joined #openstack-keystone11:58
marekddolphm: o/12:10
*** dims has quit IRC12:18
*** dims has joined #openstack-keystone12:19
*** gokrokve has joined #openstack-keystone12:22
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Allow retrying some failed requests
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Make Keystone use CLI Plugin
ekarlsogit needs pep8 cleanup :/12:26
ekarlsoanyone wanna take a initial look ?12:26
*** gokrokve has quit IRC12:27
openstackgerritPeter Razumovsky proposed a change to openstack/keystone: Add a simple module to work with filters and DNs to LDAP backend
*** ajayaa has quit IRC12:31
*** andreaf has quit IRC12:35
marekdekarlso: ?12:35
*** andreaf has joined #openstack-keystone12:35
ekarlsomarekd: ya12:36
*** gordc has joined #openstack-keystone12:43
*** ajayaa has joined #openstack-keystone12:44
*** afazekas has joined #openstack-keystone12:46
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Make Keystone use CLI Plugin
ekarlsomarekd: anything out of the glance that's bad ?12:50
ekarlsoat a glance )12:50
marekdekarlso: i will try to look at it later.12:51
ekarlsook :()12:52
andreafukalifon1: so the problem seems to be that token generation is controlled for all tests by the auth_version config flag12:56
*** diegows has joined #openstack-keystone12:56
andreafukalifon1: so you create a new user in a new domain, and try to obtain a token for it, however the token is requested via v2 API rather than v312:59
ukalifon1andreaf: I'll try to run it with auth_version=v3. Thanks. However, if I'm using auth.KeystoneV3Credentials in my code - shouldn't it also authenticate with v3?13:01
ukalifon1how will we mix tests of v2 and v3?13:02
andreafukalifon1: yes I suppose the code should consider that if you override the config and go for v3 regardless - which is a perfectly valid use case for identity tests - you may expect the token requests to go along via the same api13:04
andreafukalifon1: I'll see if I can fix this13:04
andreafukalifon1: in fact I expected keystone to be smart enough and generate a token via v213:05
andreafukalifon1: there's probably I good reason why it's not doing that13:05
ukalifon1andreaf: Not sure if I understand you... You expect keystone to generate a v3 token via v2? Of course it won't do that13:07
andreafukalifon1: I though keystone would generate a v2 token for an user provisioned via v3 api13:08
*** alex_xu has quit IRC13:08
ukalifon1andreaf: the problem is that v2 won't find the user that I created outside the default domain13:08
andreafukalifon1: so v2 only sees the Default domain?13:10
ukalifon1andreaf: yes, the default domain exists to provide compatibility with v213:11
andreafukalifon1: understood, thanks13:11
ukalifon1andreaf: if you create a user with v3 in the default domain, you can get a v2 token13:11
*** k4n0 has quit IRC13:13
*** bknudson has quit IRC13:15
uvirtbotLaunchpad bug 1369557 in tempest "Tempest auth provider uses v2 token with v3 Auth Provider" [Undecided,Confirmed]13:18
*** joesavak has joined #openstack-keystone13:20
*** gokrokve has joined #openstack-keystone13:22
*** jamielennox|away is now known as jamielennox13:25
*** gokrokve has quit IRC13:27
*** jamielennox is now known as jamielennox|away13:27
*** sigmavirus24b is now known as sigmavirus2413:31
*** sigmavirus24 has joined #openstack-keystone13:31
*** afaranha has quit IRC13:31
*** rodrigods has quit IRC13:33
*** samuelmz has quit IRC13:33
*** achampio1 has quit IRC13:37
*** ayoung has joined #openstack-keystone13:39
*** achampion has joined #openstack-keystone13:42
*** ChanServ sets mode: +o dolphm13:44
*** saipandi has joined #openstack-keystone13:46
*** nkinder has joined #openstack-keystone13:48
*** r-daneel__ has joined #openstack-keystone13:48
*** radez_g0n3 is now known as radez13:49
*** jimhoagland has joined #openstack-keystone13:51
*** bknudson has joined #openstack-keystone13:52
*** vhoward has joined #openstack-keystone13:54
*** gokrokve has joined #openstack-keystone14:00
*** ayoung has quit IRC14:05
andreafukalifon1, this should fix your issue
mfischnkinder: you in?14:09
nkindermfisch: yep14:09
mfischnkinder: would you be so kind to backport this?
mfischIts causing me headaches in Icehouse14:10
*** zzzeek has joined #openstack-keystone14:10
nkindermfisch: pretty sure I already proposed it.  Let me dig up the review.14:11
ukalifon1andreaf: Thank you. I will test it soon. Thanks for a very quick fix!14:11
mfischI tried the one click CP and it failed so I came here since I've not had coffee yet14:12
nkindermfisch: it has all of the reviews it needs.  I believe morganfainberg said he would approve it once the gate settled down.14:12
mfischyeah he's tired of my emails about this14:13
*** stevemar has joined #openstack-keystone14:13
mfischwe store crazy stuff in our LDAP like pictures of people14:13
*** gokrokve has quit IRC14:13
*** jimhoagland has quit IRC14:14
morganfainbergnkinder, yes i will14:18
* morganfainberg goes and hits +A14:18
*** gokrokve has joined #openstack-keystone14:20
*** rwsu has joined #openstack-keystone14:21
*** gokrokve has quit IRC14:25
*** gokrokve has joined #openstack-keystone14:25
*** david-lyle has joined #openstack-keystone14:33
*** gokrokve has quit IRC14:44
*** rodrigods has joined #openstack-keystone14:44
*** rodrigods has quit IRC14:44
*** rodrigods has joined #openstack-keystone14:44
*** gokrokve has joined #openstack-keystone14:44
*** Ephur has joined #openstack-keystone14:47
*** cjellick_ has quit IRC14:52
*** gokrokve has quit IRC14:52
*** jorge_munoz has joined #openstack-keystone14:55
*** dims_ has joined #openstack-keystone14:56
*** dims__ has joined #openstack-keystone14:58
*** dims has quit IRC14:59
*** dims_ has quit IRC15:01
*** jraim_ has quit IRC15:04
*** rushiagr is now known as rushiagr_away15:05
*** jraim has joined #openstack-keystone15:06
nkindermorganfainberg: thanks!15:08
*** rodrigods has quit IRC15:08
*** jimhoagland has joined #openstack-keystone15:11
*** ukalifon1 has quit IRC15:14
openstackgerritLance Bragstad proposed a change to openstack/keystone: Allow users to clean up role assignments.
*** zzzeek_ has joined #openstack-keystone15:24
*** zzzeek has quit IRC15:24
*** zzzeek_ is now known as zzzeek15:24
*** diegows has quit IRC15:24
morganfainberglbragstad, think that patch will be ready today ^15:30
lbragstadmorganfainberg: i believe so, it was passing Jenkins last week and it had a good review15:31
lbragstadI just addressed those comments and plan on keeping a close eye on it today in case I need to update anything else15:31
morganfainberglbragstad, bknudson, i'm not sure we want to try to fix this for RC (or even at all)15:32
uvirtbotLaunchpad bug 1329891 in keystone "Keystone Not Able to Add Users to AD/Ldap and OpenLdap due to BAD_ATT_SYNTAX (Invalid DN syntax)" [Medium,Triaged]15:32
*** cjellick has joined #openstack-keystone15:33
morganfainberglbragstad, ++15:33
*** samuelmz has joined #openstack-keystone15:34
bknudsonmorganfainberg: there's no fix proposed so I can't guess what the change is that's being proposed for 132989115:34
morganfainberglbragstad, bknudson, from the AD perspective. I'm not sure about the OpenLDAP bit, but I've run devstack with OpenLDAP and have not seen this issue15:35
bknudsonmorganfainberg: as I mentioned, I don't see the point to even supporting write to AD.15:36
nkindermorganfainberg: I'm reading it over now15:36
morganfainbergbknudson, i'm fine with punting this if it isn't an openldap issue15:36
nkinderbknudson: I'm also inclined to agree with you about read/write to AD15:36
morganfainbergnkinder, thanks!15:36
*** lufix has quit IRC15:36
morganfainbergwe can mark it as wishlist if it's strictly AD15:36
nkinderThe 'enabled' attribute thing just seems like a mis-configuration to me15:37
morganfainbergand let it die somewhere down the line.15:37
nkinderIf they have it configured for userAccountControl, that part should work fine15:37
bknudsonlooks like the bug is also complaining about how keystone puts the ID as the CN.15:37
lbragstadwe run OpenLDAP in tests right?15:37
morganfainbergin K I expect to have an OpenLDAP gate,  but it's a lot of work because devstack doesn't play nice.15:37
morganfainberglbragstad, sadly no.15:37
bknudsonwhich I don't see how we're going to change that behavior15:37
lbragstadfrom bknudson's comment "We've got a devstack configuration that creates users in OpenLDAP through Keystone and it doesn't hit the problem with the DN mentioned here."15:38
morganfainberglbragstad, correct i've *run* devstack with ldap, but we don't gate on it15:38
nkinderI feel like hte rest of this issue is the same as what gyee recently fixed15:38
bknudsonlbragstad: it's easy to start up devstack with ldap as the backend.15:38
nkinderI think the problem being encountered is that the DN refers to an attribute that is not in the entry15:38
morganfainbergit's not so easy to make the gate play nice with it.15:38
lbragstadyeah that makes sense15:39
morganfainbergwhich is why i expect to work on that in K not at the last minute in J15:39
lbragstadok, well I'd be fine with punting on this if we can provide some documentation that might help the reporter?15:39
morganfainbergbesides i want to move to a more functional test framework anyway.15:39
morganfainbergwhich would make gating on LDAP easier to handle.15:39
lbragstadso they can get around the write with OpenLDAP case anyway,15:40
lbragstadnot sure about AD, but I think morganfainberg has a good point about using Keystone to manage AD15:40
morganfainbergnkinder, do you think you'd have the bandwidth to help out the reporter here isolate the OpenLDAP case?15:40
nkindermorganfainberg: I think this might be the same as
uvirtbotLaunchpad bug 1340041 in keystone "OpenLDAP 2.3: naming attribute [...] is not present in entry; Naming violation" [Medium,Fix committed]15:41
nkindermorganfainberg: I'll add some comments15:41
morganfainbergnkinder, ok i'm going to unset Juno RC15:41
bknudsonAD doesn't add the naming attribute value?15:41
morganfainbergnkinder, if it is a legitimate case we'll re add it15:41
lbragstadmorganfainberg: nkinder thanks15:41
nkinderbknudson: I think it might not.  I'd have to double check, but wouldn't be terribly surprised if it rejected it15:42
lbragstadmorganfainberg: ++ we'll re add if needed, but I think we'd be safe to remove RC1 as long as we provide some info15:42
nkinderbknudson: I don't see anything about the DN that is illegal from a quick glance at the LP15:42
nkinderbknudson: so I think it's saying that the DN is illegal since it refers to an attribute value that isn't present in the entry15:42
morganfainbergwe only have 1 bug left not in-progress.15:43
morganfainbergfor RC15:43
uvirtbotLaunchpad bug 1362245 in openstack-api-site "Update  Endpoint Filter APIs" [Undecided,New]15:43
bknudsonok, that would be fixed by the other change to add the value then. of course, then you'd have a multivalued cn.15:44
morganfainberglbragstad, bknudson, dstanek, stevemar, before I rebase any comments would be appreciated (i'll cover them myself, beyond my one comment about use of a variable called _ )15:46
*** gyee has joined #openstack-keystone15:50
lbragstadmorganfainberg: minor comments.15:51
morganfainberglbragstad, ok15:51
*** rodrigods has joined #openstack-keystone15:59
BAKfrmorganfainberg,  I've a question about a modification you've done in
BAKfrin assignement/, line 546,16:00
morganfainbergBAKfr, ok16:00
BAKfrIt shouldn't be self._emit_invalidate_user_token_persistence(user['id']) ?16:01
BAKfrinstead of self._emit_invalidate_user_token_persistence(user_id) ?16:01
morganfainbergBAKfr, looks like it.16:02
morganfainbergBAKfr, good catch16:02
BAKfrmorganfainberg, thanks16:03
morganfainbergBAKfr, please file a bug and if you don't mind submit a fix for that :)16:03
BAKfrmorganfainberg, And I've another question, on the same file: can we use "self._emit_invalidate_user_project_tokens_notification()" if project_id is not None ?16:04
*** ajayaa has quit IRC16:04
morganfainbergBAKfr, let me look in a moment16:04
*** rushiagr_away is now known as rushiagr16:05
BAKfrmorganfainberg, OK, thanks16:05
BAKfrmorganfainberg, I'll submit a fix later :)16:05
*** gokrokve has joined #openstack-keystone16:06
morganfainbergBAKfr, sure, it's not a big change but if you can get it in quickly i'd def. like you to get credit for it :)16:06
*** electrichead is now known as redrobot16:08
*** wwriverrat has joined #openstack-keystone16:09
*** marcoemorais has joined #openstack-keystone16:10
*** thiagop has joined #openstack-keystone16:10
morganfainbergBAKfr, the use of _emit_invalidate_user_project_tokens_notification will only occur with project_id != none16:11
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation
morganfainbergBAKfr, you *could* use it w/ project_id=None but it would just net the same effect as invalidating all user tokens16:12
morganfainbergok i'm going to get breakfast, when i'm back i'll push the fixes for
*** garnav has quit IRC16:15
BAKfrmorganfainberg, when project_id is defined in delete_grant, it would invalidate far less tokens ?16:15
morganfainbergBAKfr, yes, it only revokes tokens for the user scoped to that project16:16
*** jraim has quit IRC16:17
BAKfrmorganfainberg, last question, should I submit one commit, or split into two (one for the bugfix, and another one for revoking less tokens ?16:17
*** jraim has joined #openstack-keystone16:18
*** jimhoagland has quit IRC16:18
morganfainbergBAKfr, wait, what case are we using that emit without project id?16:18
morganfainbergBAKfr, in delete_grant it should only ever call that with the complate project_id payload16:18
*** wwriverrat has left #openstack-keystone16:18
BAKfrmorganfainberg, when we deletes a domain grant ?16:19
morganfainbergBAKfr, ah ok that one has to revoke *all* tokens for the user16:20
BAKfrmorganfainberg, If I gives project_id=None to self._emit_invalidate_user_project_tokens_notification(), it revokes all tokens ?16:21
morganfainbergBAKfr we wont have project_id= None16:21
morganfainbergwhen dealing with domains grants we use _emit_invalidate_user_token_persistence16:21
BAKfrmorganfainberg, ok16:21
morganfainbergBAKfr, so the only bug is the user_id -> user['id'] fix16:22
dstanekmorganfainberg: i was already looking at that16:22
morganfainbergdstanek, cool.16:22
morganfainbergdstanek, i've got a patch rolled that handles most of my comments and lbragstad's comments16:22
ekarlsocould I get a bit help with ?16:22
*** jasonsb_ has quit IRC16:22
dstanekmorganfainberg: ok, i'll refresh and take a look st the new comments16:23
morganfainbergdstanek, i'll look for any comments you have when i'm back from breakfast and roll those into my fix16:23
dstanekmorganfainberg: i was going to see why dogpile's backend handles threads improperly, buy got side tracked16:23
nkindermorganfainberg: with the switch to uuid as the defautl token provider, shouldn't a similar change be made to puppet-keystone?16:24
nkindermorganfainberg: I know it falls outside of keystone itself, but I'm not sure if anyone had that on their radar16:24
morganfainbergdstanek, it's an issue with the underlying memcache lib - it explicitly uses thread.local16:24
morganfainbergdstanek, thread.local plays *too* well with eventlet16:24
morganfainbergdstanek, so each request spawns a new client object, consuming all sockets/FDs etc (to a point) potentially allowing for a Dos in some cases16:25
morganfainbergnkinder, i dunno if that team wants to switch it back.16:25
morganfainbergnkinder, i wouldn't be opposed to it. but largely i've left that type of decision to those who run that repo16:25
morganfainbergdstanek, in short eventlet is unsafe to use with the python-memcache library16:26
nkindermorganfainberg: ok, I wonder if they're aware of the default change on the Keystone side (and if they really want pki or have just followed the keystone defaults)16:26
morganfainbergnkinder, def something to follow up on16:26
dstanekmorganfainberg: that's really strange. and gc doesn't cleanup after itself?16:26
morganfainbergdstanek, it's not the GC, its that greenthreads are yeilded to another event16:27
morganfainbergdstanek, but it doesn't mean the socket / client doesn't exist16:27
lbragstadmorganfainberg: I'd say most of the keystone reviews here are looking good
morganfainbergdstanek, some cases gc also delays and takes a long time to cleanup.16:27
dstanekmorganfainberg: i just submitted the comments i had so far16:28
morganfainbergdstanek, ++ sounds good. like i said going to get food.16:28
morganfainbergbe back shortly16:28
morganfainberg(food and coffee)16:28
ekarlsoI would really appreciate someone with more ksclient knowledge to help on that one :)16:28
*** KanagarajM has joined #openstack-keystone16:29
*** marcoemorais has quit IRC16:34
*** marcoemorais has joined #openstack-keystone16:34
dstanekekarlso: what kind of help are you looking for?16:36
ekarlsodstanek: trying to figure out where it fails16:37
ekarlsobut my knowledge of ksclient is thin16:37
*** marcoemorais has quit IRC16:38
*** marcoemorais has joined #openstack-keystone16:38
dstanekekarlso: have you looked at tempest to see where it's getting the endpoint from?16:38
dstanekekarlso: maybe the catalog is getting returned to in incorrectly16:38
ekarlsodstanek: nope16:39
*** raildo has joined #openstack-keystone16:41
dstanekekarlso: what is the cli plugin that you are making?16:42
ekarlsodstanek: it was the idea jamielennox|away had16:43
raildodolphm, is there a topics list to design summit in Keystone  or something like that?16:43
ekarlsobasically use a seperate plugin for the cli if a user doesn't specif one16:43
raildoor etherpad16:43
dstanekekarlso: where did all of these options move to?16:44
ekarlsodstanek: they are in the auth plugins16:44
ekarlsoksc.auth.cli.register_* or what the func is called again registers the opts from the plugin cls16:45
*** ukalifon has joined #openstack-keystone16:45
dstanekekarlso: so those entries are redundant?16:47
dstanekekarlso: i did a real quick review on that16:51
openstackgerritA change was merged to openstack/keystone: Making KvsInheritanceTests use backend KVS
*** ayoung has joined #openstack-keystone16:54
*** richm has joined #openstack-keystone16:56
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements
*** dims__ has quit IRC16:59
*** marcoemorais1 has joined #openstack-keystone16:59
*** dims has joined #openstack-keystone16:59
*** afazekas has quit IRC17:02
*** morgan_remote_ has joined #openstack-keystone17:02
openstackgerritA change was merged to openstack/keystone: Adds hint about filter placement to extension docs
*** marcoemorais has quit IRC17:03
*** dims has quit IRC17:04
*** harlowja has joined #openstack-keystone17:04
*** dims has joined #openstack-keystone17:04
*** jimbaker has quit IRC17:06
*** afaranha has joined #openstack-keystone17:07
stevemarmorganfainberg, can you add to the list of bugs on your watch list17:07
*** andreaf is now known as andreaf_17:07
morgan_remote_dstanek: the upper bound on connections for memcache is meant to be managed with the maxsize value. On line 80. That may be insufficient though.17:08
*** jimbaker has joined #openstack-keystone17:09
*** jimbaker has quit IRC17:09
*** jimbaker has joined #openstack-keystone17:09
morgan_remote_stevemar: I'll add it when I'm back. dstanek and lbragstad I think can also add to that list.17:09
stevemaradd it to all the lists!17:10
dstanekmorgan_remote_: hmmm. i didn't see that before - i'll take another look in a few17:10
lbragstadstevemar: rc1 list?17:10
dstanekmorgan_remote_: i don't understand all the realup17:10
morgan_remote_dstanek: np. It's unfortunately complex code :(. But mucking with event let and threading always is.17:11
dstanekmorgan_remote_: i don't know. without the cleanup i think it could be much cleaner17:12
morgan_remote_I agree.17:12
dstanekmorgan_remote_: available and uses lists with a context manager that moves things between them17:13
morgan_remote_I am not super happy with the whole need a cleanup thread.17:13
dstaneki'm not sure that we actually need it17:13
morgan_remote_Maybe I'll take a crack at a complete rework today.17:13
morgan_remote_Minus the cleanup worker.17:13
openstackgerritKévin Bernard-Allies proposed a change to openstack/keystone: Revoke the tokens of group members when a group role is revoked
morgan_remote_Still will need some logic for cleaning up dead client connections. But I *think* we can do that inline of the context manager.17:16
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation
*** cdnchris has joined #openstack-keystone17:17
dstanekmorgan_remote_: dead meaning the socket died?17:17
*** marcoemorais has joined #openstack-keystone17:18
*** marcoemorais1 has quit IRC17:18
ekarlsodstanek: what entries ? :O17:18
stevemarlbragstad, sorta, it's middleware/client, so not really rc1, but we should get it in17:19
dstanekekarlso: the ones you deleted17:19
morgan_remote_Yeah. Or the server marked as dead. You want those clients deleted.17:19
lbragstadstevemar: cool, I'll add it17:19
dstanekmorgan_remote_: isn't the server marked dead handled by the memcache library itself?17:19
morgan_remote_Not well.17:19
ekarlsodstanek: uhm, point is that opts will be loaded from the plugins17:19
morgan_remote_Python-memcache (in my opinion) is a subwonderful lib all around.17:20
*** KanagarajM has quit IRC17:20
dstanekmorgan_remote_: really? i've never seen a problem with it. i'll have to look at the patch again and see what it adds?17:20
morgan_remote_Well this patch also forces reuse of17:21
openstackgerritAlexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation
*** cdnchris has left #openstack-keystone17:21
morgan_remote_Connections. And the server being marked dead is more of a if you use the memcache lib directly for handling multiple servers. In this case we pool for each server.17:21
morgan_remote_So we need to independently mark servers as dead.17:23
*** dutsmoc is now known as comstud17:24
*** amcrn has joined #openstack-keystone17:26
*** amakarov is now known as amakarov_away17:30
*** afazekas has joined #openstack-keystone17:30
*** bjornar_ has joined #openstack-keystone17:33
*** BAKfr has quit IRC17:33
*** diegows has joined #openstack-keystone17:45
openstackgerritMarek Denis proposed a change to openstack/keystone: Document Keystone2Keystone federation
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Make Keystone use CLI Plugin
ekarlsodstanek: thnx for the heads up on the obvious errors : )17:52
dstanekekarlso: we no longer support the old style options?17:53
*** aix has quit IRC17:54
ekarlsodstanek: gotta ask jamielennox|away about that one :)17:55
dstanekekarlso: did he say to remove the tests or did you do it because they were broken?17:56
ekarlsodstanek: I removed them since they broke and I asked him about the - vs _ opts17:58
dstanekekarlso: i wonder if tempest uses some of those18:00
ekarlsodstanek: :|18:00
ekarlsodstanek: i'll have to check with him in a few hours or tmrw then :)18:00
dstanekekarlso: he may not be around for a while - i don't remember when his vacation starts, but he's taking one before the summit18:01
ekarlsodarn :)18:01
ekarlsowell i'm not sure then :/18:01
ekarlsoit was a next step thingie for him after the generic plugin if I remember correctly18:01
*** marcoemorais has quit IRC18:02
*** marcoemorais has joined #openstack-keystone18:02
*** marcoemorais has quit IRC18:03
*** rushiagr is now known as rushiagr_away18:03
*** afazekas has quit IRC18:03
*** marcoemorais has joined #openstack-keystone18:03
ekarlsodstanek: but I don't get it, there's 1 test in py34 that's borking :'(18:03
dstanekekarlso: unit test?18:04
*** afazekas has joined #openstack-keystone18:04
*** cdnchris has joined #openstack-keystone18:05
*** jasonsb has joined #openstack-keystone18:05
*** dims has quit IRC18:06
dstanekekarlso: that's odd - and it works under 3.3?18:06
ekarlso2,7 works fine18:07
*** topol has quit IRC18:07
*** topol has joined #openstack-keystone18:08
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Document Keystone2Keystone federation
*** dims has joined #openstack-keystone18:11
*** cdnchris has quit IRC18:15
*** mitz_ has quit IRC18:16
*** cdnchris has joined #openstack-keystone18:21
*** gyee has quit IRC18:22
morganfainbergdstanek, ok i'm going to take a crack at this pool thing and see if i can remove the cleaner thread.18:24
morganfainbergdstanek, it should be much much easier to read if we do.18:24
morganfainbergdstanek, and less ... scary/brittle18:24
*** afazekas has quit IRC18:24
dstanekmorganfainberg: awesome - the current proxy design is likely to break with future dogpile changes if it's not already broken18:26
morganfainbergand once past RC going to see if we can fix dogpile and the rest of our stuff to use pymemcache18:27
morganfainberg(which looks like it solves all of the thread.local issues)18:27
morganfainbergamong other things18:27
ekarlsodstanek: u got a clue on the py34 failure ?18:27
dstanekekarlso: no, but i can try to apply your patch in a bit and see if i can reproduce18:28
ekarlsodstanek: coolio!18:28
*** afazekas has joined #openstack-keystone18:29
dstanekekarlso: my working copy is dirty with a change that is waiting on a pbr bugfix so i just have to move it out of the way18:29
*** openstackgerrit has quit IRC18:32
*** openstackgerrit has joined #openstack-keystone18:32
*** vhoward has left #openstack-keystone18:33
*** henrynash has joined #openstack-keystone18:38
*** cdnchris has left #openstack-keystone18:46
*** afazekas has quit IRC18:47
*** rushiagr_away is now known as rushiagr18:51
openstackgerritLance Bragstad proposed a change to openstack/keystone: Allow users to clean up role assignments.
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Extract Assignment tests from IdentityTestCase
nkinderlbragstad: does deleting a user automatically clean up the role assignments?18:58
nkinderlbragstad: your code fix for the role cleanup looks good (and it's a real problem I've encountered before), but I want to be sure the test covers it18:59
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure identity sql driver supports domain-specific configuration.
lbragstadnkinder: yes, deleting a user should clean up the role assignments19:00
nkinderlbragstad: when using read-only LDAP, a user will be deleted out from under keystone, which leaves role assignments19:00
lbragstadin that case, we *should* be able to remove the role assignment19:00
samuelmzlbragstad,  ^  Extract Assignment tests from IdentityTestCase (
nkinderlbragstad: ok, so shouldn't we have a test that simulates no user existing when we try to delete a role assignment?19:00
lbragstadnkinder: self.identity_api.driver.delete_user(user['id'])19:01
nkinderlbragstad: ok, just saw you're calling the driver directly19:01
lbragstadthat will remove the user from the identity backend, simulating the LDAP part19:01
nkinderlbragstad: so that bypasses the role cleanup19:01
nkinderlbragstad: cool.  Good change!19:02
*** jsavak has joined #openstack-keystone19:03
lbragstadnkinder: is what does the calling into the identity api19:04
lbragstad^ that's the reason I had to call into the identity_api.driver19:04
lbragstadsamuelmz: cool!19:05
*** joesavak has quit IRC19:06
nkinderlbragstad: could you use self.assignment_api.add_role_to_user_and_project() in the tests instead of constructing the URLs?19:06
lbragstadnkinder: good point, yes I could do that19:07
lbragstadI was basing it off related (surrounding) test cases19:08
*** rushiagr is now known as rushiagr_away19:08
*** jasonsb has quit IRC19:09
henrynashbknudson: ping19:09
bknudsonhenrynash: what's up?19:09
rodrigodssamuelmz, would be nice to add lbragstad patch as dependency of yours19:10
henrynashbknudson: just wanted to get you view on the sql driver detection….maybe my concern in my response is unfounded?19:10
*** ukalifon has quit IRC19:11
bknudsonhenrynash: which one?19:13
samuelmzlbragstad, do you agree with rodrigods? I think the TODO you've added is enough19:13
lbragstadnkinder: I might keep the member_url stuff in the tests just because it makes the self.head/delete/put calls easier with the expected_status assertions19:13
nkinderlbragstad: yes, I was just looking to see if expected_status was supported as a kwarg there (it's not)19:13
lbragstadnkinder: that's handy to have for validating the outcome of the call19:14
*** harlowja has quit IRC19:14
*** harlowja_ has joined #openstack-keystone19:14
bknudsonhenrynash: my point was that what you have there isn't correct... it doesn't detect if someone provides their own sql backend.19:14
lbragstadsamuelmz: I don't think that linking the my patch as a dep is necessary,19:14
henrynashbknudson: as to whether instaed of checking for ‘backends,sql’ in the driver name, your suggestion about adding a call to the driver….my concern is that means you have to load the driver in order to call it…can that means the __init__() method gets called, and (at least conceptually) a driver’s __init__() method might mess up someone elses sql...19:15
bknudsonhenrynash: also, if there's some concern about loading 2 sql backends, if you do that then the server should be exiting anyways.19:15
henrynashbknduson: but I guess we could say,  the only time we would do that - we are going to exception out anyway19:15
lbragstadthe information/problem is reflected in the bug (
uvirtbotLaunchpad bug 1367778 in keystone "Extract Assignment related tests from IdentityTestCase" [Low,In progress]19:16
henrynashbknusdon: now that we have made it an exception, not a warning…maybe that’s OK19:16
bknudsonis it just random combinations of bknudson?19:16
henrynashjust seeing which one is awake19:16
bknudsonbk<tab> works for me19:17
henrynashbknudson: OK, right, yep…I think you’re right…now it’s an exception, we can do what you suggest…I’ll post that as a change later tonight19:17
bknudsonhenrynash: great, thanks19:17
*** marcoemorais has quit IRC19:18
*** marcoemorais has joined #openstack-keystone19:18
samuelmzlbragstad, ok thanks19:26
lbragstadsamuelmz: no problem19:27
*** marcoemorais has quit IRC19:28
*** marcoemorais has joined #openstack-keystone19:28
*** morgan_remote_ has quit IRC19:30
*** marcoemorais has quit IRC19:31
*** marcoemorais has joined #openstack-keystone19:32
*** gyee has joined #openstack-keystone19:40
*** jasonsb has joined #openstack-keystone19:41
morganfainbergdstanek, that is a first crack at it sans cleaner thread19:45
*** topol has quit IRC19:46
dstanekmorganfainberg: nice, thanks!19:46
morganfainbergdstanek, haven't passed unit tests yet and i haven't added new tests. but it's a start.19:46
morganfainbergdstanek, i also haven't solve the functools.partial bit19:47
morganfainbergdstanek, should i post this with a new changeId so we can compare? or i guess if we don't like it is is trivial to resubmit the old changeset19:51
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add a pool of memcached clients
*** ayoung has quit IRC19:53
morganfainbergdstanek, ^19:54
morganfainbergthere it is posted to gerrit19:54
*** jasonsb has quit IRC20:00
*** jraim has quit IRC20:00
*** jraim has joined #openstack-keystone20:00
*** jasonsb has joined #openstack-keystone20:02
*** joesavak has joined #openstack-keystone20:05
*** jsavak has quit IRC20:08
*** nkinder has quit IRC20:24
ekarlsodstanek: got a look at that patch ? ;)20:25
*** gokrokve has quit IRC20:32
*** gokrokve has joined #openstack-keystone20:32
*** dims has quit IRC20:34
*** dims has joined #openstack-keystone20:34
*** ayoung has joined #openstack-keystone20:35
*** dims has quit IRC20:39
*** harlowja_ is now known as harlowja_away20:49
openstackgerritDavid Stanek proposed a change to openstack/python-keystoneclient: Removes temporary fix for doc generation
stevemardstanek, does this change work for you? if you do it in keystone?
*** achampio1 has joined #openstack-keystone20:56
dstanekstevemar: almost; if you make it 'find keystone' i would be OK with it20:56
dstanekstevemar: otherwise it'll run through the tox dirs and others i have locally and take a while20:57
stevemardstanek, when i try the change, it complains that find isn't installed in my venv20:57
stevemardstanek, the only way I can get it to work is if i prefix it with bash -c <blah>20:58
*** achampion has quit IRC20:58
dstanekstevemar: you have to tell tox it's cool20:59
*** fifieldt_ has joined #openstack-keystone20:59
stevemarjust add find to that i suppose?20:59
dstanekstevemar: yes, iirc tox treats that as a list field like commands21:01
stevemardstanek, gotcha, ty21:01
*** fifieldt has quit IRC21:03
*** raildo has quit IRC21:07
*** joesavak has quit IRC21:07
*** nkinder has joined #openstack-keystone21:08
*** richm has quit IRC21:12
*** ayoung has quit IRC21:12
*** richm has joined #openstack-keystone21:13
stevemardstanek, i think bknudson just replied to the ML with the ultimate answer21:14
dstanekstevemar: no . though!21:16
stevemarof course :)21:16
dstaneki wonder what platform doesn't have the -delete21:16
dstaneki thought you could just use --delete any any modern platform21:17
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add a pool of memcached clients
morganfainbergdstanek, ok confirmed that patch ^ works21:26
morganfainbergdstanek, the only 2 things left are tests and fixing the functools.partial21:26
morganfainbergany thoughts on how to handle the latter bit21:26
morganfainbergi mean i guess we don't need to wrap in functools.partial, not sure what it's buying us.21:28
*** dims has joined #openstack-keystone21:29
*** dims_ has joined #openstack-keystone21:31
dstanekmorganfainberg: you mean the partial in the client proxy?21:32
morganfainbergdstanek, yeah21:32
morganfainbergdstanek, it was the part you were worried about being brittle21:32
dstanekmorganfainberg: the pattern we already use for this type of thing is here:
dstaneki think that would work find with methods, but not properties because of the setattr21:33
morganfainbergdstanek, right, but we can't setattr in this case, because we're throwing out the proxy object since the underlying connection will change21:34
dstanekbut if that line was deleted it would be fine21:34
morganfainbergdue to it being a pool21:34
*** dims has quit IRC21:34
dstaneki think 'return getattr(self.client_pool, name)' would be enough21:35
morganfainbergooh i see what is going on here21:35
morganfainbergit needs to be done in a context manager21:35
morganfainbergotherwise you don't free the connection backt o the pool21:35
morganfainbergdstanek, hm.21:37
morganfainbergso we can't just use .get21:37
morganfainbergi think functools partial might be the easiest way to ensure the context21:38
*** radez is now known as radez_g0n321:38
dstanekmorganfainberg: context?21:40
morganfainbergdstanek, .get() needs to be called in a context manager21:40
morganfainbergit means that as soon as the request is done we free the connection back to the pool21:40
morganfainbergwhich is what _run_method with functools.partial is doing21:41
dstanekmorganfainberg: hmm...yeah that may unfortunately be true in this case21:41
dstanekmaybe __getattr__ just needs to be a little more robust21:41
dstanekor we can be explicit in what methods we support21:42
*** rkofman has quit IRC21:44
*** rkofman has joined #openstack-keystone21:44
morganfainbergdstanek, i'm *mostly* ok with this as is.21:46
morganfainbergdstanek, zzzeek just pointed out we could run the TTL reap on a mod of the time instead of every acquire21:46
morganfainbergcould save some looping overhead21:46
ekarlsodstanek: ?21:47
morganfainbergdstanek, this is hard to test.. because a lot of it requires eventlet for the threading stuff.21:48
morganfainbergand actual load to cause a slowdown.21:50
morganfainbergoh. crud. this would break string freeze21:50
morganfainbergneed to downgrade the log.exception to debug.21:50
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure identity sql driver supports domain-specific configuration.
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add a pool of memcached clients
dstanekekarlso: looking now21:52
dstanekekarlso: testr has worthless output so i'm looking with nose21:53
dstanekekarlso: i gets lots of failures21:53
*** _cjones_ has joined #openstack-keystone21:57
ekarlsodstanek: I get 121:57
_cjones_Can I ask some keystone devs a question? Anyone around?21:57
_cjones_Trying to figure out what the status of this blueprint is:
dstanekekarlso: i think you are using this backwards...
morganfainberg_cjones_, i think that is related to the heirarchical multitenancy stuff that is going into a feature branch for Juno (that is to say, not part of Juno but development is being done to afford quick merging into Kilo when the cycle opens up)21:59
morganfainbergi *think*21:59
ekarlsodstanek: wehere ?22:00
dstanekmorganfainberg, _cjones_: that doesn't appear to specify any keystone work22:00
_cjones_morganfainberg So this going to be a dual effort between keystone & neutron folks.22:00
_cjones_dstanek: Mostly Neutron work.22:00
morganfainberg_cjones_, it is going to be based on stuff in keystone but there isn't much for us to do, mostly neutron and nova22:01
*** amerine has joined #openstack-keystone22:01
dstanekekarlso: both place where you added it?22:02
_cjones_morganfainberg: I'm just concerned about the 1:1 project:vpc mapping. That's not correct.22:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add a pool of memcached clients
morganfainberg_cjones_, that is why i *think* it's meant to use the heirarchy22:03
dstanekekarlso: look at the doc link from above22:03
ekarlsodstanek: ya22:04
_cjones_morganfainberg: Do you know who in Neutron would be best to talk to about this?22:04
morganfainberg_cjones_, sorry :( no.22:04
_cjones_mf: Thanks man. I'll enquire there.22:04
openstackgerritEndre Karlson proposed a change to openstack/python-keystoneclient: Make Keystone use CLI Plugin
morganfainberg_cjones_, best bet is asking in #openstack-neutron22:04
ekarlsothat fixed that thing dstanek :)22:04
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add a pool of memcached clients
morganfainbergi swear i'll get the pep8 fix right one of these times /me needs food22:06
morganfainbergok going to a late lunch22:06
morganfainbergmight help concentration ;)22:06
*** david-lyle has quit IRC22:06
*** david-lyle has joined #openstack-keystone22:07
dstanekmorganfainberg: have fun - just about to start dinnering22:10
*** jamielennox|away is now known as jamielennox22:11
*** richm has quit IRC22:11
*** richm has joined #openstack-keystone22:12
*** ayoung has joined #openstack-keystone22:13
*** sigmavirus24 is now known as sigmavirus24_awa22:17
*** bknudson has quit IRC22:21
*** henrynash has quit IRC22:24
*** harlowja_away is now known as harlowja_22:24
*** gokrokve has quit IRC22:26
*** achampio1 has quit IRC22:33
*** achampion has joined #openstack-keystone22:35
*** gordc has quit IRC22:37
*** bjornar_ has quit IRC22:39
*** DavidHu has joined #openstack-keystone22:46
*** jorge_munoz has quit IRC22:53
*** david-lyle has quit IRC22:53
*** dims_ has quit IRC23:09
*** richm has quit IRC23:20
*** diegows has quit IRC23:32
openstackgerritRyan Hsu proposed a change to openstack/keystone: DO NOT MERGE - Squashed commit of the following:
*** mflobo_ has joined #openstack-keystone23:43
*** _cjones_ has quit IRC23:46
*** andreaf has joined #openstack-keystone23:48
*** r-daneel__ has quit IRC23:52
*** andreaf_ has quit IRC23:52
*** mflobo has quit IRC23:52
*** diegows has joined #openstack-keystone23:55
*** dims has joined #openstack-keystone23:57
*** zzzeek has quit IRC23:59

Generated by 2.14.0 by Marius Gedminas - find it at!