Wednesday, 2014-09-24

*** marcoemorais has quit IRC		00:00
*** marcoemorais has joined #openstack-keystone		00:00
*** Tahmina has quit IRC		00:02
dstanek	morganfainberg: haha, you never do a self. in a __getattr__! you always use getattr(self, ...)	00:02
morganfainberg	dstanek, oh derp, hahaah	00:03
*** cjellick has quit IRC		00:03
morganfainberg	dstanek, could fix it with getattr(getattr(self, 'thing'), thing)	00:03
morganfainberg	dstanek, would you prefer that?	00:03
morganfainberg	dstanek, and yes fair point i didn't see it (must have been a long day) :P	00:03
dstanek	morganfainberg: no, i think your fix is good enough	00:04
morganfainberg	dstanek, ok.	00:04
morganfainberg	dstanek, yeah. /embarassed by that one :P	00:04
dstanek	morganfainberg: happens to the best of us	00:05
dstanek	i didn't realize that gyee +2ed it too. just added the +A /cc morganfainberg	00:08
morganfainberg	dstanek, gyee, tyvm	00:08
morganfainberg	dstanek, we're just waiting on that one and the one from marek about the config option for saml and we're done short of the transifex job tonight	00:09
morganfainberg	if all goes well and no more bugs, RC complete tomorrow.	00:09
gyee	w00t!	00:10
ayoung	what have you got against infinite persistnace	00:10
morganfainberg	ayoung, nothing.	00:11
morganfainberg	ayoung, :P	00:11
dstanek	it's really the only way to know it gets stored! just continuously do it	00:11
ayoung	morganfainberg, BTW, we have a kerberos repo	00:12
morganfainberg	dstanek, forever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever and ever...	00:12
morganfainberg	ayoung. nice	00:12
dstanek	morganfainberg: updated, with a little more detail - https://bugs.launchpad.net/python-keystoneclient/+bug/1260495	00:12
uvirtbot	Launchpad bug 1260495 in pbr "Setting autodoc_tree_index_modules makes documentation builds fail" [Undecided,In progress]	00:12
morganfainberg	dstanek, thanks!	00:13
dstanek	morganfainberg: fyi, here is the real fix: https://review.openstack.org/#/c/120216/	00:14
morganfainberg	dstanek, nice.	00:14
*** dims has quit IRC		00:24
*** alex_xu has quit IRC		00:24
*** dims has joined #openstack-keystone		00:24
*** alex_xu has joined #openstack-keystone		00:25
*** _cjones_ has quit IRC		00:26
*** _cjones_ has joined #openstack-keystone		00:26
*** keystone_newbie has joined #openstack-keystone		00:26
keystone_newbie	Hi, I'm trying to find some information for developing a Keystone extension that adds callbacks for Project add/delete	00:27
keystone_newbie	I see that there is an example extension already in the /opt/stack/keystone/examples folder	00:27
keystone_newbie	I was wondering if somebody could point me in the right direction for enabling my custom extension	00:28
keystone_newbie	I haven't been able to find something in the documentation anywhere	00:28
*** dims has quit IRC		00:29
keystone_newbie	Sorry, the folder for example is : /opt/stack/keystone/keystone/contrib/example	00:29
morganfainberg	keystone_newbie, what release of openstack are you using?	00:29
morganfainberg	keystone_newbie, havana, icehouse, master/juno?	00:29
keystone_newbie	I'm using Icehouse	00:29
keystone_newbie	with devstack	00:29
morganfainberg	keystone_newbie, so something like https://github.com/openstack/keystone/blob/master/keystone/contrib/example/core.py#L50-L57 with the callback looking like https://github.com/openstack/keystone/blob/master/keystone/contrib/example/core.py#L61-L68 would work	00:30
keystone_newbie	Yes, that is exatcly what I'm looking to do	00:30
morganfainberg	keystone_newbie, alternatively you can directly register the callback https://github.com/openstack/keystone/blob/master/keystone/contrib/revoke/core.py#L120-L144 which is called by __init__ https://github.com/openstack/keystone/blob/master/keystone/contrib/revoke/core.py#L77	00:31
*** _cjones_ has quit IRC		00:31
keystone_newbie	My question was, what do I need to do to enable my extension?	00:31
keystone_newbie	Any changes needed in a conf file somewhere?	00:31
*** rodrigods_ has joined #openstack-keystone		00:31
morganfainberg	keystone_newbie, your extension (assuming it's adding routes/ REST API calls) needs to be added to the paste-ini	00:31
morganfainberg	keystone_newbie, https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini is the example	00:32
keystone_newbie	It would not be adding any routes/REST api calls	00:32
keystone_newbie	it would just be making rest api calls to a third party application on project create delete and update	00:32
*** alex_xu has quit IRC		00:32
morganfainberg	keystone_newbie, hm.	00:32
keystone_newbie	Would I still need to add config to keystone-paste.ini ?	00:33
morganfainberg	not sure off the top of my head how to do that, perhaps putting it in the paste pipeline just with no routes (don't create routes for it) would be the right answer	00:33
*** alex_xu has joined #openstack-keystone		00:33
keystone_newbie	ok let me try that, thanks for your help :)	00:33
morganfainberg	keystone_newbie, if it's in the paste pipeline (even if it adds no routes) it should get loaded. not sure where you'd load it without that unless you want to add it to some other subsystem.	00:33
*** gyee has quit IRC		00:41
*** Alexane_Metz has quit IRC		00:42
*** Arlene_Wolff has joined #openstack-keystone		00:43
*** gokrokve_ has quit IRC		00:44
*** marcoemorais has quit IRC		00:47
*** marcoemorais has joined #openstack-keystone		00:48
*** marcoemorais has quit IRC		00:48
*** marcoemorais has joined #openstack-keystone		00:48
*** marcoemorais has quit IRC		00:48
*** marcoemorais has joined #openstack-keystone		00:49
*** gokrokve has joined #openstack-keystone		00:49
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient-kerberos: Date: Thu Sep 11 13:49:15 2014 -0400 https://review.openstack.org/123614	00:50
*** soulxu_ has joined #openstack-keystone		00:53
*** alex_xu has quit IRC		00:55
*** r-daneel_ has quit IRC		00:56
*** rodrigods_ has quit IRC		00:56
*** soulxu__ has joined #openstack-keystone		01:04
*** gokrokve has quit IRC		01:07
*** soulxu_ has quit IRC		01:08
*** soulxu__ is now known as alex_xu		01:12
*** david-lyle has joined #openstack-keystone		01:17
*** Arlene_Wolff has quit IRC		01:25
nkinder_	ayoung: yay, first proposal against the new repo!	01:32
ayoung	nkinder_, yeah...lets see how the tests do. I think I had them running....	01:32
morganfainberg	ok thats cool to see, the extra repo for the plugin	01:39
morganfainberg	:)	01:39
nkinder_	morganfainberg: so RC is close?	01:40
nkinder_	morganfainberg: any other LDAP stuff you need an extra pair of eyes for?	01:40
morganfainberg	nkinder_, RC is now just fighting with the gate AFICT	01:40
nkinder_	awesome	01:40
nkinder_	morganfainberg: I've been testing LDAP with henrynash's multi-backend work lately, and it's working nicely	01:41
morganfainberg	https://review.openstack.org/#/c/123446/ https://review.openstack.org/#/c/123612/ and a transifex update	01:41
morganfainberg	there is another doc fix that would be nice to sneak in, but if it doesn't make it i wont complain.	01:41
morganfainberg	nkinder_, good to hear	01:41
*** Allen_DuBuque has joined #openstack-keystone		01:42
morganfainberg	and middleware similarly is fighting the gate, have 3 approved fixes and one that i'll post the update for tonight	01:43
*** KanagarajM has quit IRC		01:43
*** jdennis has quit IRC		01:48
*** zzzeek has joined #openstack-keystone		01:59
*** dims has joined #openstack-keystone		02:02
*** marcoemorais has quit IRC		02:02
*** david-lyle has quit IRC		02:05
*** david-lyle has joined #openstack-keystone		02:06
ayoung	morganfainberg, which one is the update coming for? I'll star it and check in the morning	02:07
morganfainberg	ayoung, the transifex update?	02:08
morganfainberg	ayoung, keystone	02:08
ayoung	morganfainberg, " have 3 approved fixes and one that i'll post the update for tonight"	02:08
morganfainberg	ah	02:09
*** gokrokve has joined #openstack-keystone		02:09
morganfainberg	ayoung, this chain https://review.openstack.org/#/c/123021/ and the memcache pool one for middleware https://review.openstack.org/#/c/119774/	02:09
*** david-lyle has quit IRC		02:10
ayoung	morganfainberg, OK I'll check for them in the morning.	02:12
ayoung	morganfainberg, BTW, are you planning on getting a commercial PyCharm license?	02:12
morganfainberg	already have one	02:13
morganfainberg	have had one for ~2yrs	02:13
ayoung	so not the "openstack developers license"	02:13
nkinder_	ayoung: https://jdennis.fedorapeople.org/aaa-sssd/index.html	02:13
ayoung	nkinder_, what did he call me?	02:13
nkinder_	ayoung: that's John's WIP for documenting the mod_lookup_identity/SSSD approach for OpenDaylight	02:13
nkinder_	ayoung: AAA == Adams An ...? :)	02:14
ayoung	ssssssss	02:14
ayoung	nkinder_, I still think we should hack in socket activation for Java to systemd	02:15
nkinder_	ayoung: this will likely be a very comprehensive doc that can help to describe the approach for Keystone too	02:15
ayoung	I already wrote that	02:15
ayoung	heh	02:15
ayoung	but not nearly as nicely or verbosely as John, of course	02:15
morganfainberg	ayoung, nope, because previously i didn't qualify for the OpenStack developer license (at metacloud)	02:15
morganfainberg	and it looks like i still don't at HP	02:16
ayoung	nkinder_, http://adam.younglogic.com/2014/05/mod_lookup_identity/	02:16
nkinder_	ayoung: yep, I've read it. I need to set it up myself next.	02:16
ayoung	nkinder_, I wonder what the right approach is for Mac?	02:17
nkinder_	ayoung: I've just been able to use puppet to deploy keystone in httpd using Rich's puppet-keystone and packstack changes	02:17
nkinder_	ayoung: you mean for developers running on mac?	02:18
ayoung	Ideally mod_lookup_identity would use whatever is reasonable for native	02:18
nkinder_	ayoung: is it likely that people developing locally on mac are even running a live LDAP server?	02:18
nkinder_	I mean, sure it's possible	02:18
nkinder_	...but not the norm	02:19
ayoung	nkinder_, I would think so..most Unix tools run on Mac	02:19
ayoung	I'd assume that getting openldap to run on a Mac would be well trodden ground.	02:19
nkinder_	ayoung: it's definitely possible	02:20
ayoung	morganfainberg, when you develop, you run on a mac, but do everything in a VM, right?	02:20
nkinder_	ayoung: I don't think lack of sssd on mac is a blocker for the approach	02:20
ayoung	and the VM is running Ubuntu or Fedora?	02:20
morganfainberg	ayoung, sometimes, depends on what i'm testing	02:20
morganfainberg	ayoung, and i switch between fedora and ubuntu depending on which one i have built	02:21
morganfainberg	occasionally i'll run keystone locally if i'm testing say token provider change?	02:21
morganfainberg	but if it's more in depth than a sing;e API i usually run in a VM	02:21
ayoung	nkinder_, I'd just like it to be a non-issue. We've not done anything linux specific so far. I know people do develop on OSX.	02:21
nkinder_	wouldn't we need D-Bus too for the IFP	02:22
nkinder_	?	02:22
*** diegows has quit IRC		02:22
ayoung	I would think so, yes	02:22
ayoung	http://krypted.com/mac-security/starting-openldap-on-mac-os-x-client/ looks like it is there by default?	02:23
nkinder_	ayoung: yeah, but who on the keystone team develops against that regularly?	02:23
nkinder_	ayoung: in an ideal world, we would have sssd and dbus and ldap on mac	02:23
nkinder_	ayoung: but I don't see it as a requirement by any means	02:24
ayoung	nkinder_, don't look at me, I'm a Linux purist.	02:24
nkinder_	ayoung: don't make me start assigning AD bugs to you... ;)	02:24
ayoung	nkinder_, it was also part of a conversation with dpal about mod_lookup_identity in general, getting it to be a baseline apache tool	02:24
nkinder_	ayoung: yes, there is talk about making it work in windows	02:24
nkinder_	ayoung: I think mac would fit in there too	02:25
ayoung	nkinder_, yeah, and I think for Mac it would probably be easiest to use the Linux toolchain: sssd and dbus	02:26
ayoung	question is whether there is something more appropriate. I have a friend at Apple in security, maybe I'll bug him.	02:26
nkinder_	ayoung: where is the best reference on policy.json syntax?	02:29
ayoung	nkinder_, you are talking to it	02:30
ayoung	its oral tradition only	02:30
nkinder_	ayoung: hmm, I can't forward you to somebody in e-mail (or it would at least be painful)	02:30
ayoung	we inherited it from oslo, so unless they have it	02:30
ayoung	I usually look at the python code in the openstackcommon/policy.py	02:31
nkinder_	ayoung: so when a rule is empty, what is the behavior?	02:31
*** gokrokve has quit IRC		02:31
nkinder_	ayoung: the "default"?	02:31
nkinder_	http://docs.openstack.org/trunk/config-reference/content/section_keystone-policy.json.html	02:31
*** gokrokve has joined #openstack-keystone		02:32
ayoung	OK, so if the rul is blank, there is not resitrctions.	02:32
ayoung	The problme is that most of hte projects use auth_token middleware, and so you must at least have a token in order to get through	02:32
nkinder_	ayoung: none at all? So in that example, delete_trust can be done by anyone?	02:32
ayoung	so there is no "unauthenticated" way to get at an API	02:32
*** zzzeek has quit IRC		02:33
ayoung	nkinder_, those might be enforced inside the code base	02:33
nkinder_	ayoung: those ones do look like it	02:33
ayoung	I was kindof paranoid when writing them	02:33
nkinder_	ayoung: for example...	02:34
nkinder_	def get_trust(self, context, trust_id):	02:34
nkinder_	_trustor_trustee_only(trust, user_id)	02:34
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/trust/controllers.py#n34 gets stuck on a bunch	02:34
ayoung	yep	02:34
nkinder_	ayoung: so why have policy settings if they are hard coded?	02:34
ayoung	we didn't want people changing policy and making trusts into a huge security hole	02:34
ayoung	and we still don't	02:34
nkinder_	those trust policies vs. what's hard coded is something I'm explicitly being asked about	02:34
nkinder_	ayoung: ok, so we shouldn't even advertise those as possible in policy.json	02:35
nkinder_	otherwise it's confusing	02:35
*** dims has quit IRC		02:35
ayoung	I think we have to, though	02:35
ayoung	@controller.protected() needs arule or it rejects	02:35
ayoung	the default is in the top of policy,json	02:35
*** dims has joined #openstack-keystone		02:35
ayoung	I think	02:35
*** gokrokve has quit IRC		02:36
*** harlowja is now known as harlowja_away		02:36
nkinder_	ayoung: I would think it would tolerate a missing rule	02:38
nkinder_	ayoung: but perhaps not	02:38
ayoung	the default is	02:38
ayoung	"default": "rule:admin_required",	02:38
nkinder_	ayoung: it should be documented that these are not controlled by policy at least	02:38
nkinder_	Yeah, so how does the default work?	02:38
*** Allen_DuBuque has quit IRC		02:38
ayoung	nkinder_, hmmm, might also be a config option	02:39
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/openstack/common/policy.py#n97	02:39
*** dims has quit IRC		02:39
openstackgerrit	Victor Silva proposed a change to openstack/python-keystoneclient: Explicit complaint about old OpenSSL when testing https://review.openstack.org/123619	02:40
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/openstack/common/policy.py#n137	02:40
ayoung	this is new to me...	02:40
ayoung	hadn't really looked at that before	02:40
ayoung	#policy_default_rule=default	02:41
ayoung	so there is a conf setting that says the default rule name is "default"	02:41
ayoung	and when policy.json is processed use that rule if none is specified	02:42
nkinder_	ayoung: ok, so not listed in the file means "use the default"	02:42
ayoung	yes	02:42
nkinder_	ayoung: and an empty rule means "any authenticated user"	02:42
ayoung	yeah...that is in policy.py AS WELL...ONE SEC	02:42
nkinder_	ayoung: so leaving out the trust stuff that is hard-coded would be less confusing than listing them as empty rules	02:42
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/openstack/common/policy.py#n349	02:42
ayoung	@ is frowned upon	02:43
*** rodrigods_ has joined #openstack-keystone		02:43
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/openstack/common/policy.py#n496	02:43
ayoung	I think the "" value works becauser it matches nothing when it parses...I recall I origianlly had @ in where I wanted explicit passes and we conformed to the norm	02:44
ayoung	but ! is short for FalseCheck and @ is short for True check	02:44
*** Alena66 has joined #openstack-keystone		02:51
*** rodrigods_ has quit IRC		02:52
ayoung	nkinder_, I remember the code around trusts and the policy for it as being different. I should git blame it to see it this was added later	02:53
ayoung	I recall working on the code that flattened the payload so we could enforce, for example, that the trustor id = the user creating the trust only	02:53
*** comstud has quit IRC		03:07
*** cyeoh has quit IRC		03:07
*** vishy has quit IRC		03:08
*** radez_g0n3 is now known as radez		03:19
*** radez is now known as radez_g0n3		03:25
*** wanghong has quit IRC		03:28
*** rodrigods_ has joined #openstack-keystone		03:33
*** miqui has joined #openstack-keystone		03:35
*** Alena66 has quit IRC		03:39
*** wanghong has joined #openstack-keystone		03:40
*** Avis6 has joined #openstack-keystone		03:41
*** stevemar has joined #openstack-keystone		03:46
*** rodrigods_ has quit IRC		03:53
*** marcoemorais has joined #openstack-keystone		03:55
*** marcoemorais1 has joined #openstack-keystone		03:57
*** marcoemorais has quit IRC		04:00
*** _cjones_ has joined #openstack-keystone		04:13
*** Avis6 has quit IRC		04:18
*** vishy has joined #openstack-keystone		04:21
*** comstud has joined #openstack-keystone		04:21
*** rushiagr_away is now known as rushiagr		04:23
*** vishy has quit IRC		04:34
*** comstud has quit IRC		04:35
*** richm has quit IRC		04:35
*** vishy has joined #openstack-keystone		04:38
*** comstud has joined #openstack-keystone		04:38
*** vishy has quit IRC		04:44
*** comstud has quit IRC		04:45
*** stevemar has quit IRC		04:54
*** stevemar has joined #openstack-keystone		04:54
*** gokrokve has joined #openstack-keystone		05:00
*** saipandi has joined #openstack-keystone		05:07
*** saipandi has quit IRC		05:08
*** KanagarajM has joined #openstack-keystone		05:10
*** comstud has joined #openstack-keystone		05:18
*** vishy has joined #openstack-keystone		05:19
*** _cjones_ has quit IRC		05:24
*** _cjones_ has joined #openstack-keystone		05:24
*** stevemar has quit IRC		05:31
*** afazekas has joined #openstack-keystone		05:35
*** _cjones_ has quit IRC		05:43
*** _cjones_ has joined #openstack-keystone		05:43
*** _cjones_ has quit IRC		05:48
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystonemiddleware: Add an optional advanced pool of memcached clients https://review.openstack.org/119774	05:51
*** miqui has quit IRC		05:52
*** gokrokve_ has joined #openstack-keystone		05:58
*** gokrokve has quit IRC		06:01
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/123637	06:01
*** gokrokve_ has quit IRC		06:02
*** YorikSar has quit IRC		06:06
*** YorikSar has joined #openstack-keystone		06:08
*** k4n0 has joined #openstack-keystone		06:09
*** ajayaa has joined #openstack-keystone		06:15
*** amcrn has quit IRC		06:15
*** ayoung has quit IRC		06:19
*** KanagarajM has quit IRC		06:21
*** gokrokve has joined #openstack-keystone		06:28
*** gokrokve has quit IRC		06:29
*** gokrokve has joined #openstack-keystone		06:30
*** gokrokve has quit IRC		06:35
*** ukalifon1 has joined #openstack-keystone		06:40
*** ayoung has joined #openstack-keystone		06:40
*** garcianavalon has joined #openstack-keystone		07:09
*** gokrokve has joined #openstack-keystone		07:31
*** soulxu_ has joined #openstack-keystone		07:34
*** gokrokve has quit IRC		07:35
*** alex_xu has quit IRC		07:37
*** lufix has joined #openstack-keystone		08:12
*** marekd\|away is now known as marekd		08:28
*** gokrokve has joined #openstack-keystone		08:28
*** gokrokve has quit IRC		08:33
*** BAKfr has joined #openstack-keystone		08:36
*** marcoemorais1 has quit IRC		08:41
*** andreaf_ is now known as andreaf		08:47
*** lufix2 has joined #openstack-keystone		08:52
*** lufix has quit IRC		08:52
*** YorikSar has quit IRC		08:59
*** soulxu_ has quit IRC		09:01
*** YorikSar has joined #openstack-keystone		09:01
*** lufix2 has quit IRC		09:04
*** alex_xu has joined #openstack-keystone		09:06
*** openstack has joined #openstack-keystone		09:23
*** gokrokve has joined #openstack-keystone		09:28
*** gokrokve has quit IRC		09:29
*** gokrokve has joined #openstack-keystone		09:30
*** alex_xu has quit IRC		09:32
*** gokrokve has quit IRC		09:35
*** henrynash has quit IRC		09:35
*** bdossant has joined #openstack-keystone		09:42
*** henrynash has joined #openstack-keystone		09:57
*** topol has joined #openstack-keystone		10:03
*** diegows has joined #openstack-keystone		10:15
*** cbkyeoh has joined #openstack-keystone		10:19
*** cbkyeoh is now known as cyeoh		10:24
*** aix has joined #openstack-keystone		10:27
*** gokrokve has joined #openstack-keystone		10:28
*** gokrokve has quit IRC		10:33
*** henrynash has quit IRC		10:35
*** topol has quit IRC		10:35
*** rushiagr is now known as rushiagr_away		10:40
*** rushiagr_away is now known as rushiagr		10:43
*** dims has joined #openstack-keystone		10:48
*** alex_xu has joined #openstack-keystone		11:04
*** ajayaa has quit IRC		11:17
openstackgerrit	A change was merged to openstack/python-keystoneclient: Enumerate Projects with Unscoped Tokens https://review.openstack.org/106838	11:25
*** gokrokve has joined #openstack-keystone		11:28
*** gokrokve has quit IRC		11:33
*** soulxu_ has joined #openstack-keystone		11:34
*** alex_xu has quit IRC		11:38
*** ajayaa has joined #openstack-keystone		11:40
*** soulxu__ has joined #openstack-keystone		11:42
*** soulxu_ has quit IRC		11:45
*** rodrigods_ has joined #openstack-keystone		11:48
*** rodrigods_ has quit IRC		12:02
*** richm has joined #openstack-keystone		12:03
*** bdossant has quit IRC		12:03
*** dims has quit IRC		12:05
*** dims has joined #openstack-keystone		12:05
*** soulxu_ has joined #openstack-keystone		12:08
*** HenryG_afk is now known as HenryG		12:09
*** soulxu__ has quit IRC		12:12
*** soulxu_ is now known as alex_xu		12:14
*** gokrokve has joined #openstack-keystone		12:28
*** gokrokve has quit IRC		12:33
*** henrynash has joined #openstack-keystone		12:34
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: Client Creation Interface https://review.openstack.org/123715	12:39
marekd	morganfainberg: I just added one proposal to the design summit etherpad. It's in "Cross Project Sessions Driven By Keystone", point 9. I am not sure it's the right section, so feel free to move it.	12:49
marekd	morganfainberg: btw, what's "DNS SERV record Lookup for Keystone?" about? Use-case, what problems it solves etc?	12:54
*** gordc has joined #openstack-keystone		12:55
*** ayoung has quit IRC		12:57
chmouel	this should be fixed by now http://logs.openstack.org/51/123451/1/check/gate-keystonemiddleware-python26/06f82d1/console.html right?	12:58
*** jasondotstar has joined #openstack-keystone		13:03
*** aix has quit IRC		13:03
*** zzzeek has joined #openstack-keystone		13:08
*** radez_g0n3 is now known as radez		13:11
*** miqui has joined #openstack-keystone		13:11
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: Token Constraints https://review.openstack.org/123726	13:16
thiagop	Hello everyone	13:26
thiagop	quick question: Can I set multiple nova's endpoints in the same region?	13:26
*** joesavak has joined #openstack-keystone		13:26
*** gokrokve has joined #openstack-keystone		13:28
*** bknudson has joined #openstack-keystone		13:30
*** gokrokve has quit IRC		13:33
*** saipandi has joined #openstack-keystone		13:34
*** lbragstad1 has quit IRC		13:36
lbragstad	thiagop: you can sent the `region_id` attribute on an endpoint if you're using V3 https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#endpoints-v3endpoints	13:42
thiagop	lbragstad: so, it is possible to have two nova services in the same region without crashing anything, right?	13:44
*** samuelmz has joined #openstack-keystone		13:45
*** r-daneel_ has joined #openstack-keystone		13:59
*** garcianavalon has quit IRC		14:01
*** vhoward has joined #openstack-keystone		14:02
*** sigmavirus24_awa is now known as sigmavirus24		14:02
*** gokrokve has joined #openstack-keystone		14:03
*** gokrokve has quit IRC		14:03
*** gokrokve has joined #openstack-keystone		14:03
*** gokrokve has quit IRC		14:03
*** gokrokve has joined #openstack-keystone		14:04
lbragstad	thiagop: yes, as long as the endpoint urls are different	14:06
*** richm has quit IRC		14:08
*** zzzeek has quit IRC		14:08
thiagop	lbragstad: thanks.	14:10
*** richm has joined #openstack-keystone		14:11
*** topol has joined #openstack-keystone		14:18
dhellmann	morganfainberg: https://review.openstack.org/#/c/112920/1 looks ok to me as a backport, but I haven't been keeping up with the schedule. Are we frozen now?	14:23
*** edmondsw has joined #openstack-keystone		14:24
morganfainberg	dhellmann, dunno	14:30
morganfainberg	dhellmann, will need to poke at some stable folks, but that thing has been lingering around and needs to get added if we want to support limited use trusts in icehouse at all under galera+mysql (common deployment)	14:31
*** david-lyle has joined #openstack-keystone		14:31
*** david-lyle has quit IRC		14:31
morganfainberg	marekd, DNS serv record would be a discovery	14:31
*** david-lyle has joined #openstack-keystone		14:32
morganfainberg	marekd, basically being able to specify just the dns name of the cloud provider and not need to "know" the auth url.	14:32
morganfainberg	marekd, it's a minor optimisation	14:33
*** david-lyle has quit IRC		14:33
*** david-lyle has joined #openstack-keystone		14:34
*** david-lyle has quit IRC		14:34
*** david-lyle has joined #openstack-keystone		14:35
*** ukalifon1 has quit IRC		14:35
*** andreaf_ has joined #openstack-keystone		14:36
*** andreaf has quit IRC		14:36
*** andreaf_ is now known as andreaf		14:36
*** andreaf_ has joined #openstack-keystone		14:36
*** stevemar has joined #openstack-keystone		14:40
openstackgerrit	A change was merged to openstack/keystone: Read idp_metadata_path value from CONF.saml https://review.openstack.org/123446	14:42
*** andreaf has quit IRC		14:43
dhellmann	morganfainberg: count on my +2 if we can confirm that's not going to cause trouble	14:44
dhellmann	morganfainberg: I don't see apevec online at the moment	14:44
*** aix has joined #openstack-keystone		14:44
*** jorge_munoz has joined #openstack-keystone		14:47
*** andreaf has joined #openstack-keystone		14:57
*** afazekas has quit IRC		15:00
dstanek	well, you learn something new everyday	15:06
dstanek	i didn't realize that you could do this: https://bugs.launchpad.net/python-keystoneclient/+bug/1367868	15:07
uvirtbot	Launchpad bug 1367868 in python-keystoneclient "List inherited role assignments for domains available on keystone API but not on client" [Undecided,In progress]	15:07
*** aix has quit IRC		15:11
morganfainberg	dstanek, i'll fix that memcache lazy import shortly	15:18
morganfainberg	dstanek, hopefully we can get the last of these reviews through the gate today.	15:19
nkinder_	morganfainberg, dhellmann: I just pinged apevec and let him know you want his review on https://review.openstack.org/#/c/112920/1	15:19
dhellmann	nkinder_: thanks	15:19
morganfainberg	nkinder_, ah thanks. i have no idea where apevec lurks or I'd have done the same	15:19
nkinder_	morganfainberg: he lurks on internal IRC here, so you would have had a tough time pinging him that way :)	15:20
morganfainberg	lahh	15:20
morganfainberg	ahh*	15:20
dstanek	morganfainberg: we can only hope	15:20
*** aix has joined #openstack-keystone		15:23
morganfainberg	dstanek, already had to recheck one of the keystone blockers (the infitine recursion one)	15:25
*** david-ly_ has joined #openstack-keystone		15:25
bknudson	dstanek: https://bugs.launchpad.net/python-keystoneclient/+bug/1367868 is marked as in progress but no review?	15:26
uvirtbot	Launchpad bug 1367868 in python-keystoneclient "List inherited role assignments for domains available on keystone API but not on client" [Undecided,In progress]	15:26
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: rescope tokens unscoped to scoped only https://review.openstack.org/123760	15:26
*** david-lyle has quit IRC		15:27
nkinder_	morganfainberg: speaking of stable/icehouse, I'd like this to get in - https://review.openstack.org/#/c/120959/	15:27
nkinder_	morganfainberg: I'll talk with apevec about it, but additional keystone core reviews would be good	15:27
morganfainberg	nkinder_, sounds good.	15:27
nkinder_	it's a mostly straight cherry-pick (one tweak was needed for the tests)	15:27
morganfainberg	nkinder_, yeah i was waiting for the master one to land on that	15:28
*** ajayaa has quit IRC		15:28
morganfainberg	nkinder_, which it did yesterday	15:28
lbragstad	stevemar: I think you were wanted in -sdks earlier?	15:28
nkinder_	yep	15:28
*** rushiagr is now known as rushiagr_away		15:29
*** ayoung has joined #openstack-keystone		15:30
morganfainberg	nkinder_, +2, waiting on Alan to comment of course.	15:31
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystonemiddleware: Add an optional advanced pool of memcached clients https://review.openstack.org/119774	15:32
morganfainberg	dstanek, ^ I think that should do it.	15:32
morganfainberg	actually i don't like that.	15:32
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystonemiddleware: Add an optional advanced pool of memcached clients https://review.openstack.org/119774	15:33
morganfainberg	there we go	15:33
*** rushiagr_away is now known as rushiagr		15:37
stevemar	lbragstad, cool, i'll see whats going on	15:37
*** cjellick has joined #openstack-keystone		15:42
*** _cjones_ has joined #openstack-keystone		15:43
*** _cjones_ has quit IRC		15:44
*** _cjones_ has joined #openstack-keystone		15:45
dstanek	morganfainberg: this seems too complex for most Python programmers https://review.openstack.org/#/c/80630/66/keystone/tests/test_sync_migrations.py ; what do you think?	15:46
morganfainberg	dstanek, ooo meta programming	15:50
morganfainberg	dstanek, guaranteed most people wont understand it	15:50
*** _cjones_ has quit IRC		15:50
morganfainberg	also aren't metaclasses supposed to be based on type not object?	15:50
*** _cjones_ has joined #openstack-keystone		15:52
*** wwriverrat has joined #openstack-keystone		15:53
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient-kerberos: Initial kerberos plugin implementation. https://review.openstack.org/123614	15:56
*** wwriverrat1 has joined #openstack-keystone		15:57
*** wwriverrat1 has left #openstack-keystone		15:57
*** wwriverrat has quit IRC		15:57
*** jsavak has joined #openstack-keystone		16:00
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: token signing support alternative message digest https://review.openstack.org/117372	16:01
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Change cms_sign_data to use sha256 message digest https://review.openstack.org/117371	16:01
*** joesavak has quit IRC		16:02
*** k4n0 has quit IRC		16:03
*** amerine_ has joined #openstack-keystone		16:13
*** amerine has quit IRC		16:14
*** larsks has quit IRC		16:19
*** stevemar has quit IRC		16:20
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: multiple signing certificate https://review.openstack.org/123782	16:23
openstackgerrit	Rodrigo Duarte proposed a change to openstack/python-keystoneclient: Creating parameter to list inherited role assignments https://review.openstack.org/117300	16:23
*** larsks has joined #openstack-keystone		16:29
openstackgerrit	A change was merged to openstack/keystonemiddleware: Fix test failure after discovery hack https://review.openstack.org/123021	16:30
openstackgerrit	A change was merged to openstack/keystonemiddleware: Add composite authentication support https://review.openstack.org/108384	16:30
openstackgerrit	A change was merged to openstack/keystonemiddleware: Fix auth_token for old oslo.config https://review.openstack.org/123250	16:30
*** r-daneel_ has quit IRC		16:33
*** afazekas has joined #openstack-keystone		16:33
*** radez is now known as radez_g0n3		16:34
morganfainberg	wooot	16:35
*** openstackgerrit has quit IRC		16:35
morganfainberg	middleware stuff finally went in.	16:35
*** BAKfr has quit IRC		16:37
dstanek	morganfainberg: looks like gyee is nitting you to death there	16:42
morganfainberg	dstanek, fixed	16:46
morganfainberg	dstanek, just posted the changes	16:46
*** afazekas has quit IRC		16:47
dstanek	morganfainberg: lgtm	16:47
morganfainberg	cool	16:47
morganfainberg	dstanek, i really don't like this pool tbh in the way it's working for middleware (mostly because of the python-memcache lib)	16:48
morganfainberg	dstanek, looking forward to moving to pymemcached	16:48
*** wwriverrat has joined #openstack-keystone		16:48
dstanek	the pool idea had scared me since the beginning :-)	16:48
dstanek	morganfainberg: did you see the new queue implemention is something like 40% faster?	16:49
morganfainberg	dstanek, is it really?	16:49
morganfainberg	wow	16:49
morganfainberg	thats cool	16:49
morganfainberg	i hadn't done any real testing beyond functional "does this actually work"	16:49
dstanek	morganfainberg: i think it's because we got rid of the extra busy-wait in our code - so that's a bonus	16:50
morganfainberg	and made sure it wasn't massively slower	16:50
morganfainberg	yeah i like it	16:50
morganfainberg	very glad we droppped that busy wait	16:50
*** richm has quit IRC		16:53
ayoung	morganfainberg, the "pool of memcache servers" approach rings alarm bells. The calling code should not be aware of that abstraction	16:54
ayoung	its one thing in keystone where it is a cache	16:54
ayoung	in Auth Token....hmmm	16:54
morganfainberg	same issue occurs in auth_token though	16:54
*** dtroyer has quit IRC		16:54
*** jamielennox has joined #openstack-keystone		16:55
ayoung	morganfainberg, true....my concern is that it makes the whole thing useless	16:55
morganfainberg	ayoung, makes the whole what thing useless?	16:55
ayoung	the memcache server should be just a single server	16:55
*** arborism has joined #openstack-keystone		16:55
ayoung	if one goes away, and its whole cache with it....	16:55
ayoung	then you start using a second...then the second goes away	16:56
ayoung	even if the frist comes back, nothing is cached	16:56
morganfainberg	ayoung, sure, it doesn't mean you don't spiral out of control with client objects in auth_token as well.	16:56
morganfainberg	ayoung, nature of using memcached	16:56
ayoung	it should be handled by a load balancer, not by keystone specific code	16:56
*** dtroyer has joined #openstack-keystone		16:56
*** harlowja_away is now known as harlowja		16:56
ayoung	or HA proxy	16:56
morganfainberg	ayoung, except that doesn't solve the issue either	16:56
morganfainberg	because you're only writing to 1 memcache server	16:57
morganfainberg	and memcached doesn't replicate on the back end	16:57
*** sigmavirus24 is now known as sigmavirus24_awa		16:57
ayoung	HA proxy would bascially do the same thing	16:57
morganfainberg	the point of the pool in auth_token is to avoid endless numbers of client connections from spinning up	16:57
morganfainberg	and re-use those objects	16:57
ayoung	That I am OK with	16:58
ayoung	its the list of memcache servers aspect that bothers me	16:58
morganfainberg	the multi-server stuff was already supported in the old system.	16:58
ayoung	not to the point that I want to derail, just...bothers me	16:58
ayoung	agreed	16:58
morganfainberg	ayoung, memcached bothers me ;)	16:58
ayoung	the pool should be a python library, we've already agreed that we are going there in the next release. But that doesn';t handle the multiple servers part	16:59
morganfainberg	ayoung, yes and in Kilo that is the plan.	16:59
morganfainberg	ayoung, in Kilo i want to rip it out and make it dogpile based anyway.	16:59
ayoung	that said...need me to +2 thatlast version of the patch? What is different about it ? Gerrit is merging your changes with the upstream	16:59
morganfainberg	ayoung, if you're ok with the change, +2 would be good. that should be the last outstanding middleware patch	17:00
* ayoung broke his gertty setup		17:00
ayoung	whats the diff between 8 and 9 of that patch?>	17:00
morganfainberg	ayoung, solving gyee's nits	17:00
morganfainberg	ayoung, changing some args to kwargs, changing the capitilzation on some options.	17:01
morganfainberg	ayoung, and fixing a logic inversion of "if cache is not not" to "if cache is none"	17:01
ayoung	BTW 5 * 60 was probably me	17:01
ayoung	I tend to do that. Don't trust meself to do math	17:01
morganfainberg	ayoung, hehe whoopse, i meant to fix that one too shrug.	17:01
*** stevemar has joined #openstack-keystone		17:02
ayoung	technically you were right. It is a memcache server, with memcached bing the daemon process for that server	17:02
ayoung	wow. nits	17:03
morganfainberg	yeah	17:03
*** f13o has quit IRC		17:03
*** rwsu has quit IRC		17:03
ayoung	+A	17:03
morganfainberg	ayoung, tyvm sir	17:03
ayoung	morganfainberg, posted 4 WIP spec reviews. I want these to be real collaborations.	17:03
morganfainberg	ayoung, also we're getting the -federation plugin repo today	17:03
morganfainberg	ayoung, the -kerb ones or the spec ones?	17:04
ayoung	made them WIP so people don't go correcting spleeling misteaks	17:04
ayoung	no, specs	17:04
ayoung	for the summit and Kilo	17:04
morganfainberg	ayoung, right-o cool	17:04
ayoung	I think you will like the constraints one	17:04
morganfainberg	ayoung, just checking before i go looking in the wrong place ;)	17:04
ayoung	it collapses endpoint binding in with object ids etc	17:04
*** arborism has quit IRC		17:05
ayoung	several of them will need to be split over server and client. I don't really like that	17:05
morganfainberg	ayoung, yeah i am a fan of this concept if we can figure a way to make it workable for the deployer/cloud admin/end user.	17:05
*** amcrn has joined #openstack-keystone		17:05
morganfainberg	ayoung, the constraints one that is	17:05
ayoung	I think we should have specs that have a server component and a client component	17:05
*** rwsu has joined #openstack-keystone		17:06
ayoung	morganfainberg, so, the rule will be if a constraint is specified, it must be met. If it is not specified, the token can be used for any of that type	17:06
ayoung	so if no endpoints are specified, the token is good everywhere	17:06
ayoung	it allows us to get the mechanism in place without anyone having to use it	17:06
morganfainberg	ayoung, sure and that's great, i'm thinking of how we make it friendly for someone to set the constraint in a sane way.	17:06
ayoung	I see a lot of that being done by the client	17:07
morganfainberg	ayoung, i have zero issue with the enforcement front working like that	17:07
ayoung	say you are calling create VM with imageid = X	17:07
ayoung	then the client can be smart and say "hey, let me get a token specific to that "	17:07
*** richm has joined #openstack-keystone		17:07
morganfainberg	right	17:07
ayoung	I see the ordering of features like this	17:08
ayoung	one explicit unscoped	17:08
ayoung	two unscoped to scoped only	17:08
ayoung	three constraints	17:08
ayoung	each of those will put some onus on the client,	17:08
*** rushiagr is now known as rushiagr_away		17:08
*** zzzeek has joined #openstack-keystone		17:08
morganfainberg	that makes sense	17:08
morganfainberg	also https://review.openstack.org/#/c/123715/1/specs/keystoneclient/creation-interface.rst yes we def. need to solve that	17:09
morganfainberg	how do you consume say cinderclient today, it's ugly	17:09
*** _cjones_ has quit IRC		17:12
*** _cjones_ has joined #openstack-keystone		17:13
morganfainberg	https://review.openstack.org/123637 and https://review.openstack.org/123612 should be the last of the keystone patches.	17:14
*** _cjones_ has quit IRC		17:17
*** andreaf has quit IRC		17:17
*** andreaf has joined #openstack-keystone		17:18
*** _cjones_ has joined #openstack-keystone		17:19
*** richm has quit IRC		17:19
ayoung	morganfainberg, looking	17:21
morganfainberg	ayoung, just keep your eyes on them.	17:21
morganfainberg	ayoung, they should be gating. / check+gate	17:21
ayoung	yep....will do	17:22
morganfainberg	ayoung, cool.	17:22
* morganfainberg has to go find a printer to fill out paperwork today. I think i'll do that post lunch.		17:23
morganfainberg	never realize how little you print things until you haven't had a printer for.. uh... 3 years	17:23
*** openstackgerrit has joined #openstack-keystone		17:23
*** ayoung has quit IRC		17:26
openstackgerrit	Andre Aranha proposed a change to openstack/keystone: Creating a policy sample https://review.openstack.org/123509	17:26
*** harlowja has quit IRC		17:27
*** harlowja has joined #openstack-keystone		17:27
*** richm has joined #openstack-keystone		17:32
*** marcoemorais has joined #openstack-keystone		17:35
*** alex_xu has quit IRC		17:38
*** ayoung has joined #openstack-keystone		17:41
*** gokrokve has quit IRC		17:46
*** openstackgerrit has quit IRC		17:51
*** openstackgerrit has joined #openstack-keystone		17:51
*** henrynash has quit IRC		17:54
*** sigmavirus24_awa is now known as sigmavirus24		17:57
*** edmondsw has quit IRC		17:59
*** henrynash has joined #openstack-keystone		18:00
raildo	ayoung, I really appreciated the proposal of Token Constraints	18:03
*** radez_g0n3 is now known as radez		18:06
*** gokrokve has joined #openstack-keystone		18:08
*** vhoward has left #openstack-keystone		18:16
*** keystone_newbie has quit IRC		18:22
*** zigo has quit IRC		18:26
*** zigo has joined #openstack-keystone		18:28
openstackgerrit	A change was merged to openstack/keystone: Fix Policy backend driver documentation https://review.openstack.org/118443	18:29
openstackgerrit	A change was merged to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/123637	18:29
*** lsmola has quit IRC		18:31
*** lsmola has joined #openstack-keystone		18:31
*** vhoward has joined #openstack-keystone		18:33
*** marcoemorais has quit IRC		18:34
*** marcoemorais has joined #openstack-keystone		18:35
*** marcoemorais has quit IRC		18:36
*** marcoemorais has joined #openstack-keystone		18:37
*** marcoemorais has quit IRC		18:37
*** marcoemorais has joined #openstack-keystone		18:37
*** marcoemorais has quit IRC		18:38
*** marcoemorais has joined #openstack-keystone		18:38
*** andreaf has quit IRC		18:38
*** andreaf has joined #openstack-keystone		18:39
ayoung	raildo, cool...help make it bullet proof	18:43
openstackgerrit	Brant Knudson proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin https://review.openstack.org/115857	18:44
morganfainberg	and... down to one.	18:48
morganfainberg	which is in the gate queue	18:48
nkinder_	So what actually landed in Juno for keystone->keystone federation?	18:49
nkinder_	I know there is a blueprint that says "implemented" here - https://blueprints.launchpad.net/keystone/+spec/keystone-to-keystone-federation	18:50
*** andreaf has quit IRC		18:50
*** Delair has joined #openstack-keystone		18:51
*** andreaf has joined #openstack-keystone		18:51
morganfainberg	nkinder_, i think we have the ability to setup the K2K federation, and issue the SAML2 assertion that is consumed by the SP, and the SP can consume the SAML2 assertion (mod_shib) and turn it into a token	18:51
Delair	@All Hi Can anybody tell me that how can i enable "Multiple keystone-all worker process"	18:52
morganfainberg	nkinder_, https://github.com/openstack/keystone/blob/master/doc/source/configure_federation.rst#keystone-as-an-identity-provider-idp	18:52
Delair	keystone-all is a single threated application and cant process well in big environment..	18:52
morganfainberg	Delair, which release of OpenStack (Icehouse? Master/Juno? Havana? Earlier)?	18:53
Delair	@morgan icehouse	18:53
morganfainberg	Delair if you're using the latest version (Juno/Master) of Keystone that functionality is there by setting the admin_worker and public_worker settings in the keystone.conf https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L62-L70	18:53
Delair	can we update any patch to enable it in ICEHOUSE	18:54
bknudson	I've been looking at https://review.openstack.org/#/c/115857/ (Jamie's Convert authentication into a plugin) compared to my Support service user and project in non-default domain (https://review.openstack.org/#/c/123011/)	18:54
morganfainberg	Delair, unfortunately, before Juno that code isn't available. so the best bet would be to deploy keystone behind apache if you want multiple workers.	18:54
bknudson	I don't think Jamie's work is doing what gyee was asking about... it's still not building the plugin from the config	18:54
bknudson	using some automatic method	18:54
bknudson	so I think the 2 implementations are complementary	18:55
bknudson	and one could be based on the other one or not.	18:55
nkinder_	Delair: you can also just run Keystone in apache	18:55
Delair	we cant to Juno without proper testing ..	18:55
morganfainberg	nkinder_, ++	18:55
bknudson	so if we take https://review.openstack.org/#/c/123011/ first, I'll just rebase https://review.openstack.org/#/c/115857/ on it or vice-versa	18:55
Delair	when you say apache you mean some sort of proxy ?	18:56
Delair	and enable multiple connection from there ?	18:56
morganfainberg	Delair, it is possible to run keystone under mod_wsgi	18:56
bknudson	I'd like to have https://review.openstack.org/#/c/123011/ available soon because per-domain backends are essentially useless without it IMO.	18:56
morganfainberg	Delair, we, in-fact recommend that deployment mode (all gating in Juno uses apache + mod_wsgi deployed keystone)	18:56
morganfainberg	Delair, that does get you the same effect as multiple workers	18:56
Delair	so which the best solution you can recommend .. The problem is that we cant go to Juno right away and we have production to run very soon on incehouse	18:57
Delair	and this is the big issue we are facing	18:57
morganfainberg	Delair, there is the document https://github.com/openstack/keystone/blob/stable/icehouse/doc/source/apache-httpd.rst for icehouse that should help, and you can take a look at what devstack (for master) is doing: https://github.com/openstack-dev/devstack/blob/master/lib/keystone#L117-L144	18:58
morganfainberg	Delair, i'd recommend (if possible) running ekystone under apache + mod_wsgi	18:58
Delair	as soon as we run multiple accounts the keystone process goes close to 100%	18:58
morganfainberg	Delair, i you could also run multiple keystone processes behind HAProxy	18:59
morganfainberg	Delair or similar loadbalancer	18:59
Delair	ok awesome Thanks Morgan	19:00
bknudson	Delair: I was able to backport the multiple workers code to earlier releases... wasn't that difficult and seemed to work.	19:00
Delair	Let me do some search that how can i do that	19:00
*** marcoemorais has quit IRC		19:00
morganfainberg	bknudson, iirc the original code could land against icehouse	19:00
morganfainberg	bknudson, or was meant to	19:00
morganfainberg	bknudson, so makes sense	19:00
Delair	Do you know of any link of how i use apache + mod_wsgi	19:00
nkinder_	Delair: https://github.com/openstack/keystone/blob/stable/icehouse/doc/source/apache-httpd.rst	19:01
bknudson	Delair: check out how devstack does it.	19:01
*** marcoemorais has joined #openstack-keystone		19:01
Delair	Thanks Guys @ Morgan, nkinder and bknudson	19:01
*** morganfainberg is now known as morgan		19:02
morgan	Delair, no problem	19:02
*** morgan is now known as morganfainberg		19:03
nkinder_	Delair: there is also support being added to puppet-keystone to deploy in httpd - https://review.openstack.org/#/c/109676/	19:08
bknudson	I don't see a review in they keystonemiddleware reviews from Jamie for getting the auth token from the config options.	19:08
nkinder_	Delair: it's not fully accepted/merged yet, but I tested it last night and it's working nicely.	19:08
Delair	ok let me check that out .. actually it will be good becuase we do use puppet for our openstack deployment	19:08
*** amerine_ is now known as amerine		19:09
bknudson	The closest one seems to be https://review.openstack.org/#/c/115451/ , which is trying to get paste config options into CONF, so that would be a prereq for getting auth plugin from config.	19:09
bknudson	and that one's an obvious WIP	19:09
*** marcoemorais1 has joined #openstack-keystone		19:14
*** marcoemorais has quit IRC		19:15
*** radez is now known as radez_g0n3		19:15
nkinder_	bknudson: have you seem this? https://bugs.launchpad.net/python-keystoneclient/+bug/1371355	19:15
uvirtbot	Launchpad bug 1371355 in python-keystoneclient "Keystone client logs x-subject-token at the debug log level" [Undecided,In progress]	19:15
nkinder_	bknudson: it looks like the response side of the TOKEN_REDACTED work you did for request logging	19:16
bknudson	nkinder_: y, interesting.	19:17
bknudson	nkinder_: probably because I was only testing with keystone CLI and not nova CLI.	19:18
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Log token with sha1 https://review.openstack.org/123819	19:25
bknudson	nkinder_: looks like this debug line is coming from the middleware.	19:27
nkinder_	bknudson: interesting. I didn't get a chance to dig into the code yet.	19:28
nkinder_	bknudson: Somebody assigned the bug to themselves, but I don't know how quickly they are going to get to it.	19:28
bknudson	nkinder_: I'll just fix it... should only take a couple minutes.	19:29
ayoung	dstanek, is mock stdlib or third party? When I run tox -epep8 it tells me it is stdlib, but the gerrit run said third party	19:29
nkinder_	bknudson: Sure, or just point out the offending code in the bug to give them a chance if they want to contribute	19:29
ayoung	(uuid and mock from stdlib are separated by whitespace)	19:29
dstanek	ayoung: third party	19:29
nkinder_	bknudson: if they don't get to it in a day or so, then just fix it.	19:30
bknudson	I think there's a mock in py3.	19:30
ayoung	dstanek, what is flake8 picking up then	19:30
dstanek	bknudson: yeah, i think unittest.mock	19:30
ayoung	but not a top level	19:30
*** andreaf has quit IRC		19:31
*** andreaf has joined #openstack-keystone		19:32
dstanek	ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_wsgi.py	19:32
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient-kerberos: Initial kerberos plugin implementation. https://review.openstack.org/123614	19:32
bknudson	nkinder_: updated the bug and will work on something else instead.	19:32
nkinder_	bknudson: thanks! Always good to encourage a new contributor.	19:33
dstanek	bknudson: this is what i had to do for py3 support because hacking is too eager: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/__init__.py#n26	19:33
ayoung	dstanek, pep8 vs flake 8?	19:33
ayoung	And, should we switch tox to run pep8 if that is what gerrit is going to run?	19:33
dstanek	ayoung: maybe, but flake8 uses pep8 to some extent	19:33
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient-kerberos: Initial kerberos plugin implementation. https://review.openstack.org/123614	19:34
ayoung	lets see if that passes	19:34
dstanek	ayoung: no, because i don't think the hacking rules would work	19:34
*** gyee has joined #openstack-keystone		19:34
ayoung	Oh...probably can remove more of the fixtures from that.	19:35
dstanek	ayoung: i think jenkins just runs tox -e pep8 like we do	19:35
ayoung	2014-09-24 17:35:08.165 \| + tox -v -epep8	19:36
ayoung	yep	19:36
dstanek	ah, so it looks like you had 4 groups in rev4 and that mad hacking mad	19:36
*** wwriverrat has joined #openstack-keystone		19:38
ayoung	well well	19:39
ayoung	$ ls /usr/lib64/python2.7/mock.*	19:39
ayoung	/usr/lib64/python2.7/mock.py /usr/lib64/python2.7/mock.pyo	19:39
ayoung	/usr/lib64/python2.7/mock.pyc	19:39
ayoung	$ rpmquery -f /usr/lib64/python2.7/mock.py	19:39
ayoung	file /usr/lib64/python2.7/mock.py is not owned by any package	19:39
ayoung	sudo rm /usr/lib64/python2.7/mock.*	19:40
ayoung	and now it succeeds	19:40
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient-kerberos: Initial kerberos plugin implementation. https://review.openstack.org/123614	19:41
*** radez_g0n3 is now known as radez		19:41
*** wwriverrat has quit IRC		19:43
*** wwriverrat has joined #openstack-keystone		19:43
larsks	Is there any sample code out there that uses Ec2 credentials to acquire a keystone token?	19:45
*** openstackgerrit has quit IRC		19:46
*** openstackgerrit has joined #openstack-keystone		19:47
*** wwriverrat1 has joined #openstack-keystone		19:47
*** _cjones_ has quit IRC		19:47
*** wwriverrat1 has left #openstack-keystone		19:47
*** _cjones_ has joined #openstack-keystone		19:47
*** _cjones_ has quit IRC		19:48
*** _cjones_ has joined #openstack-keystone		19:48
*** wwriverrat has quit IRC		19:48
nkinder_	does this look hosed for anyone else? https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-trust-ext.md	19:51
nkinder_	seems like github might be having some problems	19:52
nkinder_	ayoung, morganfainberg: I just wrote up a bug related to the way policy works for the trusts API, but the more I think about it, the more I'm thinking it's not a bug...	19:56
nkinder_	ayoung, morganfainberg: would you mind reading over this real quick and giving me your thoughts? http://paste.openstack.org/show/115079/	19:56
ayoung	lookinh	19:56
nkinder_	It seems like it might just be something that we need to clearly document	19:57
ayoung	your write up looks accurate	19:57
ayoung	one problem with the json format is there is no way to do a comment	19:58
ayoung	I would love to have that initial comment in policy.json	19:58
*** david-ly_ is now known as david-lyle		19:58
nkinder_	ayoung: yeah, me too :(	19:59
ayoung	nkinder_, its the one reason so many people chose YAML over JSON	19:59
nkinder_	ayoung: having it documented elsewhere means I'll need to point people to the doc when they come to me with questions	19:59
ayoung	nkinder_, http://git.openstack.org/cgit/openstack/keystone/tree/doc/source/configuration.rst#n908 near there?	20:00
nkinder_	ayoung: are extensions (like trusts) supposed to go into that document too?	20:02
nkinder_	ayoung: A general purpose comment in that document could be useful saying that some operations have hard-coded restrictions that can't be made less restrictive via policy.	20:03
*** marcoemorais1 has quit IRC		20:04
*** marcoemorais has joined #openstack-keystone		20:04
*** marcoemorais has quit IRC		20:05
*** marcoemorais has joined #openstack-keystone		20:05
*** packet has joined #openstack-keystone		20:07
nkinder_	ayoung: https://bugs.launchpad.net/keystone/+bug/1373599	20:11
uvirtbot	Launchpad bug 1373599 in keystone "Trust operations in policy.json are misleading" [Undecided,New]	20:11
nkinder_	ayoung: trust extension documentation is completely missing right now :(	20:12
ayoung	nkinder_, lets make them part of the core API then	20:13
ayoung	:)	20:13
*** kashyap has quit IRC		20:13
*** keystone-dev has joined #openstack-keystone		20:15
keystone-dev	Hi, I'm trying to develop a keystone extension that gets called whenever a project is created and passes on the project information to a third party api	20:16
keystone-dev	The callback is working but I don't get the project JSON for the newly created project	20:16
keystone-dev	All that the callback gets is the project id	20:17
keystone-dev	Any ideas on how I can get the full JSON?	20:17
*** marcoemorais has quit IRC		20:18
keystone-dev	I want to avoid calling the openstack API because that would require access to the user's credentials	20:18
*** marcoemorais has joined #openstack-keystone		20:18
*** marcoemorais has quit IRC		20:18
*** marcoemorais has joined #openstack-keystone		20:18
*** Delair has quit IRC		20:24
*** packet has quit IRC		20:27
*** packet has joined #openstack-keystone		20:28
*** _cjones_ has quit IRC		20:28
*** _cjones_ has joined #openstack-keystone		20:28
*** packet has quit IRC		20:29
*** packet has joined #openstack-keystone		20:30
*** Tahmina has joined #openstack-keystone		20:31
*** YorikSar has quit IRC		20:34
*** keystone-dev has quit IRC		20:35
*** radez is now known as radez_g0n3		20:46
stevemar	not sure where keystone-dev went, but sounds like this issue: http://markmail.org/message/f7ezjoi4rioutcqv#query:+page:1+mid:nlq3vox3ahm74avn+state:results	20:47
stevemar	nkinder_, i was hoping to put anything extension related under http://docs.openstack.org/developer/keystone/enabling_extensions.html	20:49
nkinder_	stevemar: yeah, that makes sense	20:49
stevemar	probably just rename that section to "Everything is awesome with Extensions" and just have configuration / enabling bits there	20:49
stevemar	nkinder_, the main configuration section is way too overloaded	20:50
nkinder_	stevemar: I'm going to submit a first patch to clarify the say an empty policy rule and a missing policy rule work this afteroon.	20:50
nkinder_	Something general and applicable to everything	20:50
stevemar	that's cool	20:50
nkinder_	extension stuff around trusts should be separated out	20:50
stevemar	yep	20:50
nkinder_	stevemar: sounds like you've been watching the lego movie... :)	20:51
stevemar	nkinder_, it's a great source for inspiration	20:52
stevemar	'Configuring Services to work with Keystone' should be split up between 'Initial Keystone Setup' and 'Keystone Auth Token Middleware Setup'	20:56
*** marcoemorais has quit IRC		21:06
*** marcoemorais has joined #openstack-keystone		21:06
*** marcoemorais has quit IRC		21:07
*** marcoemorais has joined #openstack-keystone		21:07
*** marcoemorais has quit IRC		21:08
*** marcoemorais has joined #openstack-keystone		21:10
*** marcoemorais has quit IRC		21:10
*** marcoemorais has joined #openstack-keystone		21:10
*** marcoemorais has quit IRC		21:11
*** marcoemorais has joined #openstack-keystone		21:11
*** morgan_remote_ has joined #openstack-keystone		21:14
thiagop	henrynash: Hi! I'm trying to test the new endpoint policy with something I'm working on but I'm not able to use the REST calls to OS-ENDPOINT-POLICY (404). Do I have to set something besides uncomment the driver configuration in keystone.conf to make it work?	21:16
thiagop	s/not able/unable	21:17
*** topol has quit IRC		21:27
openstackgerrit	TAHMINA AHMED proposed a change to openstack/keystone: Closes-Bug: 1372287 https://review.openstack.org/123857	21:29
*** saipandi has quit IRC		21:30
henrynash	thiagop: you put the extension into the pipeline?	21:41
thiagop	henrynash: I reached the same conclusion. Now it's working.	21:42
henrynash	thiagop: ok, good!	21:42
*** marcoemorais has quit IRC		21:43
thiagop	henrynash: The docs should be more specific on the need to put this on the pipeline (and sync the database). If I haven't worked with federation before, I'd never figured it out without your help.	21:45
*** harlowja has quit IRC		21:47
*** harlowja has joined #openstack-keystone		21:47
openstackgerrit	Nathan Kinder proposed a change to openstack/keystone: Improve documentation of RBAC policy behavior https://review.openstack.org/123862	21:50
morganfainberg	nkinder_, always a fan of doc improvements	21:50
nkinder_	:)	21:50
nkinder_	morganfainberg: what's the best way to render/convert that to html to make sure it looks OK?	21:51
morganfainberg	nkinder_, wait for the jobs to run, click on the "doc" job in gerrit	21:51
nkinder_	heh, ok.	21:51
morganfainberg	example: http://docs-draft.openstack.org/74/119774/9/check/gate-keystonemiddleware-docs/608b200/doc/build/html/	21:52
morganfainberg	you can run tox -edocs	21:52
morganfainberg	and look at the build dir and see, but i usually look at the results directly as well.	21:52
morganfainberg	dstanek, ayoung, jenkins uses whaterver we define as tox -epep8	21:54
morganfainberg	similarly docs are tox -edocs	21:55
*** dims_ has joined #openstack-keystone		21:55
*** rkofman has quit IRC		21:55
*** rkofman has joined #openstack-keystone		21:56
*** dims__ has joined #openstack-keystone		21:58
-openstackstatus- NOTICE: The openstack-infra/config repo will be frozen for project-configuration changes starting at 00:01 UTC. If you have a pending configuration change that has not merged or is not in the queue, please see us in #openstack-infra.		21:58
*** dims has quit IRC		21:59
*** dims_ has quit IRC		22:00
*** david-lyle has quit IRC		22:00
*** david-lyle has joined #openstack-keystone		22:01
*** harlowja has quit IRC		22:03
*** harlowja has joined #openstack-keystone		22:03
openstackgerrit	TAHMINA AHMED proposed a change to openstack/keystone: Implements: Fix spelling mistake in doc string.\n Closes Bug: 1372287 https://review.openstack.org/123869	22:05
*** harlowja has quit IRC		22:09
*** harlowja_ has joined #openstack-keystone		22:09
*** rodrigods_ has joined #openstack-keystone		22:12
*** rodrigods_ has quit IRC		22:13
*** marcoemorais has joined #openstack-keystone		22:14
*** sigmavirus24 is now known as sigmavirus24_awa		22:15
*** raildo_ has joined #openstack-keystone		22:19
henrynash	thiagop: so there is documentation on this (see: https://github.com/openstack/keystone/blob/master/doc/source/extensions/endpoint_policy.rst)…not quite sure where this gets linked into the pulblished docs	22:20
*** jasondotstar has quit IRC		22:21
morganfainberg	henrynash, thiagop http://docs.openstack.org/developer/keystone/	22:23
morganfainberg	specifically http://docs.openstack.org/developer/keystone/enabling_extensions.html#endpoint-policy	22:23
morganfainberg	which i think is http://docs.openstack.org/developer/keystone/extensions/endpoint_policy.html	22:24
openstackgerrit	TAHMINA AHMED proposed a change to openstack/keystone: Implements: Fix a minor spelling mistake in keystone/common/utils.py https://review.openstack.org/123857	22:29
*** joesavak has joined #openstack-keystone		22:35
openstackgerrit	TAHMINA AHMED proposed a change to openstack/keystone: Closes-Bug: 1372287 https://review.openstack.org/123857	22:36
*** bknudson has quit IRC		22:36
*** jsavak has quit IRC		22:38
openstackgerrit	TAHMINA AHMED proposed a change to openstack/keystone: Fix a spelling mistake in keystone/common/utils.py https://review.openstack.org/123857	22:40
*** openstackgerrit has quit IRC		22:47
*** openstackgerrit_ has joined #openstack-keystone		22:47
*** openstackgerrit_ is now known as openstackgerrit		22:48
*** david-lyle has quit IRC		22:59
openstackgerrit	Tim Goddard proposed a change to openstack/keystone: Allow policies to inspect dictionaries on the target using dot syntax https://review.openstack.org/123883	23:06
*** joesavak has quit IRC		23:08
*** packet has quit IRC		23:10
openstackgerrit	Tim Goddard proposed a change to openstack/keystone: Allow policies to inspect dictionaries in the credentials using dot syntax https://review.openstack.org/123883	23:10
rm_work	hey morganfainberg, I assume this was pushed to K+? https://blueprints.launchpad.net/keystonemiddleware/+spec/service-tokens	23:11
rm_work	oh wait, no there's a CR link in there	23:11
morganfainberg	rm_work, no that is completed and merged in middleware	23:12
morganfainberg	looks like the commit missed the bp link though	23:12
rm_work	awesome, yeah	23:12
morganfainberg	or the LP sync missed	23:12
rm_work	hmm	23:12
rm_work	yeah was confused since there were no other updates on it	23:12
rm_work	cool, thanks :)	23:13
morganfainberg	rm_work there targeted to the correct milestone and all now	23:14
rm_work	thanks	23:14
*** _cjones_ has quit IRC		23:15
morganfainberg	rm_work np!	23:15
*** _cjones_ has joined #openstack-keystone		23:15
*** morgan_remote_ has quit IRC		23:20
*** dims__ has quit IRC		23:22
*** zzzeek has quit IRC		23:24
*** marcoemorais has quit IRC		23:27
*** marcoemorais has joined #openstack-keystone		23:28
*** marcoemorais has quit IRC		23:28
*** zzzeek has joined #openstack-keystone		23:28
*** marcoemorais has joined #openstack-keystone		23:29
*** marcoemorais has quit IRC		23:29
*** rodrigods_ has joined #openstack-keystone		23:29
*** marcoemorais has joined #openstack-keystone		23:29
*** arunkant has quit IRC		23:33
openstackgerrit	Nathan Kinder proposed a change to openstack/keystone: Improve documentation of RBAC policy behavior https://review.openstack.org/123862	23:33
*** bknudson has joined #openstack-keystone		23:36
*** bknudson has quit IRC		23:36
*** dims has joined #openstack-keystone		23:37
*** junhongl has quit IRC		23:38
*** rodrigods_ has quit IRC		23:38
morganfainberg	ok audit ids in the keystone log are nice.	23:38
morganfainberg	<KeystoneToken (audit_id=hlP7b2paQpa6TtddoC7DPA, audit_chain_id=hlP7b2paQpa6TtddoC7DPA) at 0x7f281b8ccd08>	23:38
morganfainberg	can track tokens.	23:39
*** bknudson has joined #openstack-keystone		23:39
*** junhongl has joined #openstack-keystone		23:40
*** gyee has quit IRC		23:45
*** zzzeek has quit IRC		23:46
*** raildo_ has quit IRC		23:50
*** alex_xu has joined #openstack-keystone		23:51
nkinder_	rodrigods: let me know if my reply to your policy file review comment makes sense	23:51
*** openstackstatus has quit IRC		23:55
*** openstack has joined #openstack-keystone		23:55
*** gokrokve has quit IRC		23:55
*** openstackstatus has joined #openstack-keystone		23:56
*** ChanServ sets mode: +v openstackstatus		23:56
*** rodrigods_ has joined #openstack-keystone		23:56
*** bknudson has quit IRC		23:56
*** bknudson has joined #openstack-keystone		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!