Thursday, 2014-09-25

« Wednesday, 2014-09-24 Index Friday, 2014-09-26 »
*** marcoemorais has quit IRC00:02
*** marcoemorais has joined #openstack-keystone00:10
*** sigmavirus24_awa is now known as sigmavirus2400:11
*** openstackgerrit has quit IRC00:16
*** openstackgerrit has joined #openstack-keystone00:17
*** stevemar has quit IRC00:17
*** dims has quit IRC00:18
*** zzzeek has joined #openstack-keystone00:21
*** wwriverrat has joined #openstack-keystone00:26
openstackgerritRodrigo Duarte proposed a change to openstack/python-keystoneclient: Extracting common code to private method  https://review.openstack.org/12056300:35
*** cjellick has quit IRC00:38
*** Tahmina has quit IRC00:41
*** dims has joined #openstack-keystone00:48
*** wwriverrat1 has joined #openstack-keystone00:50
*** wwriverrat has quit IRC00:51
*** harlowja_ has quit IRC00:51
openstackgerritVictor Silva proposed a change to openstack/python-keystoneclient: Explicit complaint about old OpenSSL when testing  https://review.openstack.org/12361900:52
*** soulxu_ has joined #openstack-keystone00:55
*** alex_xu has quit IRC00:59
*** _cjones_ has quit IRC01:01
*** _cjones_ has joined #openstack-keystone01:01
*** marcoemorais has quit IRC01:02
*** _cjones_ has quit IRC01:05
*** thedodd_ has joined #openstack-keystone01:12
*** zzzeek has quit IRC01:12
*** thedodd_ has quit IRC01:13
*** thedodd has joined #openstack-keystone01:14
*** stevemar has joined #openstack-keystone01:14
*** marcoemorais has joined #openstack-keystone01:15
*** harlowja has joined #openstack-keystone01:18
*** marcoemorais has quit IRC01:19
*** stevemar has quit IRC01:22
*** stevemar has joined #openstack-keystone01:23
*** soulxu__ has joined #openstack-keystone01:27
*** soulxu_ has quit IRC01:31
*** thedodd has quit IRC01:40
*** wwriverrat1 has quit IRC01:43
*** diegows has quit IRC01:53
*** victsou has joined #openstack-keystone01:56
*** bknudson has quit IRC02:04
*** victsou` has joined #openstack-keystone02:10
*** victsou is now known as victsou___02:11
*** victsou` has quit IRC02:15
*** victsou has joined #openstack-keystone02:15
*** rodrigod` has joined #openstack-keystone02:15
*** rodrigods has quit IRC02:16
*** thedodd has joined #openstack-keystone02:16
*** rodrigod` has quit IRC02:19
*** rodrigods has joined #openstack-keystone02:19
*** dims has quit IRC02:23
*** victsou___ has quit IRC02:25
*** victsou___ has joined #openstack-keystone02:26
*** rodrigods_ has quit IRC02:27
*** thedodd has quit IRC02:28
*** sigmavirus24 is now known as sigmavirus24_awa02:29
*** victsou___ has quit IRC02:34
*** I has joined #openstack-keystone02:37
openstackgerritayoung proposed a change to openstack/python-keystoneclient-kerberos: Initial kerberos plugin implementation.  https://review.openstack.org/12361402:37
*** I is now known as Guest6623202:37
*** Guest66232 has quit IRC02:39
*** victsou__ has joined #openstack-keystone02:41
*** victsou has quit IRC02:42
*** victsou has joined #openstack-keystone02:42
*** marcoemorais has joined #openstack-keystone02:48
morganfainbergayoung, i finally found the source of the need to index user_id on token table.02:50
morganfainbergayoung, it makes me sad :(02:50
*** marcoemorais1 has joined #openstack-keystone02:50
*** richm has quit IRC02:52
*** marcoemorais has quit IRC02:53
*** victsou has quit IRC02:53
*** victsou has joined #openstack-keystone02:53
*** victsou__ has quit IRC02:54
*** thedodd has joined #openstack-keystone03:03
*** thedodd has quit IRC03:09
*** thedodd has joined #openstack-keystone03:09
*** thedodd has quit IRC03:10
morganfainbergdstanek, stevemar, lbragstad, so might need you guys' help to push through a sql migration change that is looking like an RC blocker.03:13
stevemarmorganfainberg, ahoy03:13
stevemarlink me!03:13
morganfainbergdstanek, stevemar, lbragstad, you know that user_id index on the token table?03:13
morganfainbergfound the root cause of why we need that index.03:13
stevemari remember some work being done around it03:14
morganfainbergwith 15k rows, a search on user_id (where clause) for delete_tokens_for_user can consume 150000000 bytes of buffer03:14
morganfainbergassuming avg size of 10k for the token body03:14
morganfainbergsince we select the data and are where clausing on an unindexed value03:14
morganfainbergso we load 15k rows and scan them03:15
morganfainbergthis is likely the fix https://review.openstack.org/#/c/10204103:15
morganfainbergbut i am sad we're migrating the token table.03:15
morganfainbergand it needs a rebase/update03:16
morganfainbergbut basically heat creates temporary users03:17
morganfainbergand deletes them03:17
morganfainberga query that results in 0 tokens returned can be 200+s03:17
morganfainbergstevemar, thoughts?03:17
stevemaryeesh that's awful03:19
morganfainbergstevemar, i can give you profile pastes for 15k select queries03:20
morganfainbergbut i'm ready to bump this to RC if you agree.03:20
morganfainbergand unabandon/un-block that fix03:21
morganfainbergi don't know if there is a good way to fix this without a token_table migration03:21
morganfainbergstevemar, the issue is https://github.com/openstack/keystone/blob/master/keystone/token/persistence/backends/sql.py#L133-L136 we might want to index trust as well03:23
*** dims has joined #openstack-keystone03:23
stevemarmorganfainberg, i don't think there is - what are the implications to the end user if we migrate the token table?03:23
stevemarwhy so gun shy about it?03:23
morganfainbergstevemar, token table migrations with tons of rows take forever03:24
morganfainberg42k rows was ~Query OK, 0 rows affected (2 min 8.90 sec)03:24
morganfainbergto add the index03:24
morganfainbergif you have millions of tokens03:24
morganfainbergugh03:24
stevemarand i'm assuming most token tables have >150K at least03:24
morganfainbergwe could do a truncate of the table.03:25
morganfainbergbefore the migrate... but not sure if that would make people happy.03:25
morganfainbergok restoring the change and bug.03:25
ayounglooking03:26
morganfainbergayoung, ++ waiting for you then before starting on it.03:26
morganfainbergayoung, stevemar, here is an example profile: http://paste.openstack.org/show/115165/03:27
morganfainbergpretty standard deployment options.03:27
morganfainbergquery 1 was the explain, 2 without index, 3 with the index03:27
morganfainbergsame dataset03:27
morganfainbergand as you can see 0 rows returned03:27
*** wanghong has quit IRC03:28
*** dims has quit IRC03:28
ayoungmorganfainberg, up the poll frequency03:29
morganfainbergayoung, on?03:29
stevemarughhhh 200s03:29
ayoungthe cleanup03:29
morganfainbergayoung, these are all valid tokens03:29
ayoungremoving expired tokens03:29
morganfainbergayoung, 15k valid tokens03:30
morganfainbergjust none for that user03:30
ayoungI guess I'm missing the problem then03:30
morganfainberg15k tokens, takes 200 seconds to return 0 rows03:30
ayoungdoing delete token?03:30
morganfainbergtrying to delete tokens for a user with no active tokens03:31
dstanekmorganfainberg: ahoy03:31
stevemardstanek, tl;dr -> we need user_id as an index in the token table03:31
ayoungso is it a select ordering problem?  We should be selecting on user_id first, and the index forces that?03:31
morganfainbergayoung, yeah, so user with no tokens, delete the user, we cleanup tokens. that takes ~200s in this case bcause while we're indexed on expires and valid, we're not indexed on user, so all valid tokens = 15 or 20 or 40k and now we need to scan *all* tokens for that user's id03:32
dstanekyeah, i just got done reading up03:32
stevemarayoung, wouldn't that still search all the entries?03:32
ayoungmorganfainberg, could we do this  by rewriting the query instead?03:32
morganfainbergayoung, don't think we can.03:32
ayoungselect * from token where user_id = "balh'  so what if it isn;t indexed...03:32
morganfainbergayoung, that is the issue03:33
morganfainbergwe're loading the entire token in because of the extra blog03:33
morganfainbergblob03:33
morganfainbergthat isn't a small amount of data03:33
ayoungmorganfainberg, so unless we index on user_id we have to load the whole record?  What?03:33
morganfainbergthe query needs the token.extra03:33
morganfainbergsince tenant_id and consumer_id aren't columns03:34
morganfainbergand we use those for deletes too.03:34
dstanekdoes Justin's fix actually fix the issue?03:34
morganfainbergthis wouldn't be an issue without needing to load token.extra (~5-10k due to catalog and everything)03:34
morganfainbergdstanek, yep. we might want to index trust_id too03:34
ayoungwhy does it need extra to delete tokens?03:34
morganfainbergayoung, tenant_id is in token body, not a column.03:35
morganfainbergayoung, same with consumer_id (oauth) in cases.03:35
dstanekmorganfainberg: is that in the where clause too?03:35
morganfainbergeven still, this likely should be index even if it was a cloumn03:35
morganfainbergdstanek, no, it's just being selected03:35
morganfainbergexample with 42k tokens:03:36
morganfainbergmysql> SELECT token.id AS token_id, token.expires AS token_expires, token.extra AS token_extra, token.valid AS token_valid, token.user_id AS token_user_id, token.trust_id AS token_trust_id  FROM token  WHERE token.valid = 1 AND token.expires > '2014-09-25 02:06:09.862473' AND token.user_id = 'fed8182b6b1049c3845a14d522b80f0a';03:36
morganfainbergEmpty set (0.00 sec)03:36
ayoungis this just slow deletes that we are seeing, or some other api affected as well?03:36
morganfainbergthat is with the index03:36
morganfainbergwithout the index 208.1797282503:36
morganfainbergayoung, it locks up the entire keystone worker (in multi worker) and can cause issues with the underlying mysql buffer pool03:36
morganfainbergayoung, because SQL queries do not yeild eventlet03:36
morganfainbergayoung, mysqlDB vs pure python+socket03:37
ayoungjoy03:37
morganfainbergayoung, in single worker it's *really* bad03:37
dstanekmorganfainberg: why would you need to index trust_id too?03:37
ayoungok,  so you think index is the solution?03:37
morganfainbergdstanek, we're selecing on it to delete by trust, same issue as deleting for a user03:37
morganfainbergdstanek, less common, but still can occur03:37
ayoungadding an index will slow down writing a new token03:37
morganfainbergayoung, we could probably index(4) and be way better03:38
morganfainbergayoung, 4 byte index shouldn't be bad on slower writes, we don't need to index 6403:38
morganfainbergmy test was with an index(10)03:38
dstanekah, yeah - then we probably do need it - have you done an explain plan at all?03:38
ayoungI'll take your word on it.03:38
morganfainbergdstanek, sec03:39
morganfainbergdstanek, http://paste.openstack.org/show/115166/03:39
morganfainbergpre index03:39
morganfainbergpost index: http://paste.openstack.org/show/115167/ (index(10))03:40
morganfainbergdstanek, not even a full column index03:40
morganfainbergdstanek, so, i'm open to alternatives to touching the token table :) much rather python code to sql migration in this case.03:43
ayoungdo we even need to do it at all?03:44
ayoungis there someway we can avoid all the work?03:44
*** wanghong has joined #openstack-keystone03:45
ayoungOh, wait,  that kind of thinking lead to revocation events03:45
ayoungsorry03:45
dstanekhmmm...the issue is the range scan so i don't think you can do much in Python to stop that03:46
morganfainbergayoung, i mean, could we *only* use revocation events in keystone for this.03:46
ayoungmorganfainberg, nope03:46
morganfainbergayoung, right revocation_list03:46
dstanekmaybe select by pages and search a subset of the data to not lock everyone03:46
ayoungmorganfainberg, drop token revokations all together03:46
morganfainbergayoung, dagnabit03:46
ayoung5 minute tokens03:46
ayoungI'm serious as all hell03:46
morganfainbergayoung, i know you are, but that isn't a juno fix :(03:47
ayoungrevocations are dumb, I should never have put them in03:47
ayoungtell people to set their token time out to 5 minutes03:47
ayoungmeh03:47
ayoungmorganfainberg, is the index a fix or no?03:47
morganfainbergayoung, the index fixes the issue.03:47
ayoungdo the index03:47
morganfainbergdstanek, possible, but we could miss tokens that way03:48
ayoungindex on user_id, trust_id...any others?03:48
morganfainbergayoung, only two we don't have indexed03:49
morganfainbergwell we don't need to index 'extra' thats silly03:49
ayoungmorganfainberg, submit the fix, and lets notificy the performance people about it.  I have some at RH I can shout at03:49
morganfainbergayoung, ok restored the change and all.03:52
morganfainbergayoung, thanks.03:52
ayoungmorganfainberg, do you want to put both indexes in one migration?03:52
morganfainbergayoung, yeah, going to do it since they're both related.03:53
ayoungmorganfainberg, do you need this to go through tonight?03:53
morganfainbergayoung, let me update the patch to the correct migration id and toss in a test.03:53
morganfainbergayoung, ideally we should try and get it in tonight (well at least gating) but... we can hit it tomorrow.03:53
morganfainbergayoung, this *looks* like a RC blocker to me, and i feel back for blocking it earlier in the cycle now.03:54
ayoungmorganfainberg, its late here, and tomorrow is a Holiday.03:54
morganfainbergayoung, i'm fine with bugging stevemar and dstanek :)03:54
ayoungwhy is it now an RC blocker?03:54
ayoungwhat brought it to your attention?03:54
morganfainbergayoung, because with a nominal heat deploy this can lockup / cause failures in triple-o03:54
ayoungOK03:54
ayoungget to work...I'll check in the morning03:55
morganfainbergayoung, spent most of this afternoon looking through the infra triple-o install.03:55
morganfainbergand came up with this.03:55
stevemarmorganfainberg, either way it's gotta be done03:55
morganfainbergayoung, sounds good.  by the way on the topic of holiday, happy new year [Rosh Hashanah? or some other holiday]?03:55
ayoungYeah Rosh Hashana03:55
stevemarso i'm OK with adding this, it's one of those performance pieces we really should have03:55
morganfainbergayoung, uhmm. Shana Tovah (gah my hebrew is rusty)03:56
dstanekstevemar: i agree03:56
stevemarshouldn't you be saying shanah tovah? :)03:56
stevemargah morganfainberg beat me to it03:56
ayoungYou got it right.  Thanks, and  its a transliteration, you are both correct03:56
morganfainbergok got it to RC1 and restored.03:57
ayoungלשנה טובה03:57
stevemarmorganfainberg, yippie03:57
morganfainbergjoyous.03:57
morganfainbergjust what i wanted to do tonight :(03:57
morganfainbergdstanek, do we index the whole column or do a partial index?03:57
stevemarayoung, testing out bidi and double bye characters of irc clients everywhere :)03:57
stevemarbyte03:58
morganfainbergdstanek, whole column is quicker to write.03:58
ayoungwhole column03:58
morganfainbergk03:58
dstanekyeah, i agree03:58
ayoungget the patch in, and we'll let the DB folks argue it out.03:58
dstanekmorganfainberg: are you just going to restore the existing patch?04:03
morganfainbergdstanek, yep04:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Adding an index on token.user_id and token.trust_id  https://review.openstack.org/10204104:05
morganfainbergprobably needs tests too...04:05
morganfainbergi guess04:05
morganfainbergdstanek, stevemar , does that really need tests? i'm happy to add them if it does.04:07
dstanekmorganfainberg: what would you test?04:07
morganfainbergthat the indexes were created / deleted04:08
morganfainberg*shrug*04:08
morganfainbergi mean. eh04:08
ayoungthe existing tests are probably sufficient04:08
ayoungheaded to bed.  good luck04:09
morganfainbergayoung, g'night!04:09
morganfainbergayoung, oh sent some HP folks your way for the token constraints spec04:09
morganfainbergayoung, was bobt, he's interested  in the endpoint binding, told him we'd love to have the collaboration :)04:10
morganfainbergayoung, anyway, g'night04:10
stevemarmaybe some for just the db table structure04:10
morganfainbergstevemar, thats the only test i can think of it needed / benefitting from04:11
morganfainbergcould go either way on it myself.04:11
stevemarmorganfainberg, yep, that's all i was asking for when the change was proposed04:11
stevemarmorganfainberg, it's more red tape than anything else04:11
morganfainbergyeah04:11
morganfainbergyou know, if we fix the migration test(s) in K that red-tape might be easy to make go away04:12
morganfainbergthe structure type tests that is04:12
stevemarmorganfainberg, how would we 'fix' migration tests?04:13
morganfainbergmove to something like nova's and do the model == schema test04:14
stevemarhmm neat04:15
stevemari'll have to look into that04:15
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Adding an index on token.user_id and token.trust_id  https://review.openstack.org/10204104:19
morganfainbergstevemar, dstanek, ^04:19
morganfainbergadded structural tests04:19
morganfainbergok i need to go get food.04:26
morganfainberglong since past my dinner time04:27
dstanekmorganfainberg: noted one thing on the review04:27
dstaneki can fix and push it back up - it's a copy-pasta error04:27
morganfainbergdstanek, ah i have it here04:28
morganfainbergeasy fix04:28
dstanekk04:28
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Adding an index on token.user_id and token.trust_id  https://review.openstack.org/10204104:28
morganfainbergfixed04:29
dstanekthx04:29
*** gokrokve has joined #openstack-keystone04:35
*** morgan_remote_ has joined #openstack-keystone04:39
morgan_remote_Ok. Let me know if you need anything else.04:39
*** yasu_ has joined #openstack-keystone04:41
stevemarlookin now04:42
stevemarmorganfainberg, dstanek 2 stray comments04:45
*** amcrn has quit IRC04:46
morgan_remote_stevemar: yah valid comments.04:52
morgan_remote_stevemar: will fix unless you get to it first.04:54
*** lsmola has quit IRC04:57
nkinder_morgan_remote_: the identity API docs still say that successful HEAD requests should return 204.  That's supposed to be 200 now, right?05:01
nkinder_morgan_remote_: that changed during the whole GET vs. HEAD fiasco when we switched to httpd in the gate IIRC05:02
morgan_remote_nkinder_: sounds right.05:02
nkinder_morgan_remote_: Ok, I'll look at updating it tomorrow.  Crash time for me.05:03
morgan_remote_Thanks05:03
*** kashyap has joined #openstack-keystone05:03
*** gokrokve has quit IRC05:04
*** lsmola has joined #openstack-keystone05:11
openstackgerritA change was merged to openstack/keystone: Prevent infinite recursion on persistence core on init  https://review.openstack.org/12361205:12
*** oomichi has joined #openstack-keystone05:19
morgan_remote_Yay.05:21
*** _cjones_ has joined #openstack-keystone05:33
*** _cjones_ has quit IRC05:37
*** _cjones_ has joined #openstack-keystone05:38
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update 'Configuring Services' documentation  https://review.openstack.org/12393305:41
*** harlowja is now known as harlowja_away05:53
*** amcrn has joined #openstack-keystone05:55
*** ajayaa has joined #openstack-keystone05:57
openstackgerritA change was merged to openstack/keystonemiddleware: Work toward Python 3.4 support and testing  https://review.openstack.org/11877906:02
*** vdreamarkitex has quit IRC06:08
*** vdreamarkitex has joined #openstack-keystone06:09
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update architecture documentation  https://review.openstack.org/12393806:13
*** ajayaa has quit IRC06:14
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/12394106:18
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Adding an index on token.user_id and token.trust_id  https://review.openstack.org/10204106:19
morganfainbergstevemar, dstanek ^06:19
morganfainbergstevemar, darn cant get a second +2/+A on this tonight06:21
morganfainbergwas hoping it would be in gate while we sleep06:21
stevemarmorganfainberg, i figured we would want the db guys to look at it anyway06:22
morganfainbergstevemar, i don't think there's much to say about it :P06:22
morganfainbergbut sure06:22
*** andreaf has quit IRC06:23
stevemarmorganfainberg, i think we're out of luck for tonight, the rest are snoozing06:23
morganfainbergstevemar, yeah i know06:23
*** ajayaa has joined #openstack-keystone06:34
*** k4n0 has joined #openstack-keystone06:37
marekdmorning all06:39
morganfainbergallo marekd and... good night :P06:51
*** ukalifon has joined #openstack-keystone06:54
*** lufix has joined #openstack-keystone06:58
openstackgerritDave Chen proposed a change to openstack/keystone: local configuration should be allowed in "keystone-paste.ini"  https://review.openstack.org/12143906:59
marekdmorganfainberg: yeah, good night :-)07:00
openstackgerritAnkit Agrawal proposed a change to openstack/python-keystoneclient: Redact x-subject-token from response headers  https://review.openstack.org/12395407:01
morganfainbergoh marekd, stevemar, nkinder_ was asking about what parts of K2K federation actually landed, I tried to answer, but you may want to follow up and check to make sure i covered it all.07:02
marekdmorganfainberg: it's on the channel some ml thread or somewhere else?07:03
stevemarmarekd, on the channel07:03
morganfainbergmarekd, was here07:03
marekdOK07:03
marekdi guess he is asleep right now.07:03
morganfainbergmarekd, might hit him up later today07:03
morganfainbergyeah07:03
morganfainberghe's in the bay area iirc (so same timezone as me, california)07:04
marekdmorganfainberg: ok, so late afternoon.07:04
*** ankit_ag has joined #openstack-keystone07:04
morganfainbergmarekd, probably07:04
morganfainbergmarekd, oh also will bug you in a couple days to figure out visiting CERN :) if thats still an option07:05
marekdmorganfainberg: it is :-)07:05
morganfainbergpost summit07:05
morganfainbergawesome!07:05
* morganfainberg is super excited about that.07:05
marekd:D07:06
marekdstevemar: are you also planning to stay in the area after the summit?07:06
morganfainbergseriously, makes me feel like a kid knowing i get to visit one of the places doing science in stuff I am super interested in.07:07
stevemarmarekd, sadly i'm not staying :(07:07
marekdmorganfainberg: we will try to get you 100m underground so you can see everything :-)07:08
marekdstevemar: :(((((07:08
morganfainbergmarekd, woohoo!07:08
morganfainbergstevemar, bah, change your plans stay longer... bring the gf...or the wife... whichever :P i mean...07:08
marekd...or both :P07:08
morganfainberglol07:09
morganfainbergmarekd, i really hope she's looking over his shoulder right about now.07:09
morganfainberg:)07:09
* marekd was obviously joking07:09
morganfainbergmarekd, of course, same here.07:09
morganfainbergoh no, maybe she was looking... what has happened to poor stevemar !!  ok ok... gnight i'm getting punchy07:10
marekdsee ya07:10
stevemarhhaa07:11
stevemarnah, i have to get back for personal stuff, i might be back in europe in december, we'll see07:11
marekdstevemar: cool07:11
marekdvisiting italy?07:11
*** ankit_ag has left #openstack-keystone07:12
*** ajayaa has quit IRC07:12
stevemarmarekd, nah, heading right back home07:15
marekdin dec07:15
stevemarmarekd, oh then, i dunno, that's TBD07:15
stevemarmarekd, wherever my lady wants to go07:15
marekdstevemar: sure :-)07:16
marekdif they are happy we are happy :-)07:17
stevemarprecisely07:19
stevemarwe are thinking somewhere in europe or somewhere in the states... don't know yet07:19
stevemartbh, i really liked san antonio when we were there, maybe i'll go back07:19
marekduhm07:20
stevemarmarekd, i guess you didn't like it as much :)07:20
*** ajayaa has joined #openstack-keystone07:20
marekdstevemar: why would you think that?07:21
stevemarmarekd, you said 'uhm'07:21
marekdstevemar: ah, no, i liked it :-)07:21
stevemarmarekd, ahhh07:21
*** BAKfr has joined #openstack-keystone07:21
marekdmaybe a little bit too hot, but since i don't have to work as a farmer i didn't mind that much.07:22
stevemarmarekd, yeah but in december the warmth will be appreciated :D07:22
marekdstevemar: yep07:22
*** soulxu_ has joined #openstack-keystone07:29
*** ajayaa has quit IRC07:32
*** soulxu__ has quit IRC07:32
*** ukalifon has quit IRC07:33
*** ajayaa has joined #openstack-keystone07:34
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Clean up the Configuration documentation  https://review.openstack.org/12396007:52
*** YorikSar has joined #openstack-keystone07:56
*** rushiagr_away is now known as rushiagr08:00
openstackgerritA change was merged to openstack/keystonemiddleware: Add an optional advanced pool of memcached clients  https://review.openstack.org/11977408:01
*** soulxu_ has quit IRC08:04
*** morgan_remote_ has quit IRC08:10
openstackgerritSteve Martinelli proposed a change to openstack/keystone: New section for CLI examples in docs  https://review.openstack.org/12396908:16
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Clean up the Configuration documentation  https://review.openstack.org/12396008:17
openstackgerritSteve Martinelli proposed a change to openstack/keystone: New section for CLI examples in docs  https://review.openstack.org/12396908:17
*** stevemar has quit IRC08:23
*** alex_xu has joined #openstack-keystone08:32
*** marcoemorais1 has quit IRC08:38
*** afazekas has joined #openstack-keystone08:39
*** andreaf_ is now known as andreaf08:39
*** _cjones_ has quit IRC08:44
*** _cjones_ has joined #openstack-keystone08:44
*** openstackgerrit has quit IRC08:48
*** _cjones_ has quit IRC08:48
*** rushiagr is now known as rushiagr_away08:52
*** Dafna has joined #openstack-keystone09:17
*** rushiagr_away is now known as rushiagr09:56
*** diegows has joined #openstack-keystone09:56
*** dims has joined #openstack-keystone10:09
*** dims has quit IRC10:14
*** f13o has joined #openstack-keystone10:20
*** junhongl_ has joined #openstack-keystone10:46
*** junhongl_ has quit IRC11:01
samuelmzhenrynash, just saw your comments on review #12358511:08
henrynashsamuelmz: I’m just testing a modified patch…sorry to jump on this…but it is more serious than it appears…and I updated the bug report as well11:09
samuelmzhenrynash, ok np11:09
henrynashsamuelz: I’ll add testing for the specific issue to the main patch11:09
henrynashsamuelmz: thanks for kicking this off…we’d never have found it otherwise11:10
samuelmzhenrynash, np :)11:10
samuelmzhenrynash, I found that when creating tests for role grants on backends .. we don't have any tests ...11:11
samuelmzhenrynash, bug #136748011:11
uvirtbotLaunchpad bug 1367480 in keystone "Add test for grant CRUD on test_backend" [Low,In progress] https://launchpad.net/bugs/136748011:12
henrynashsamuelmz: so that’d not quite true…we have quite a few…what happens is that they are skipped for ldap!11:12
samuelmzhenrynash, I mean grant crud tests ... on test_backend11:12
samuelmzhenrynash, I think we have tests on test_v3_identity11:12
henrynashsamuelmz: yes, there are lots in there....11:12
henrynashsamuelmz: in test_backend...11:13
henrynashsamuelmz: e.g. test_get_and_remove_role_grant_by_group_and_domain11:13
samuelmzhenrynash, I haven't realized that .. so the bug #1367480 is invalid ...11:15
uvirtbotLaunchpad bug 1367480 in keystone "Add test for grant CRUD on test_backend" [Low,In progress] https://launchpad.net/bugs/136748011:15
samuelmzhenrynash, thanks ..11:16
henrynashsamuelmz: yes…but what I did do was add: https://bugs.launchpad.net/keystone/+bug/137386511:16
uvirtbotLaunchpad bug 1373865 in keystone "Refactor domain usage in test_backend" [Wishlist,New]11:16
samuelmzhenrynash, actually I think we should stop skipping tests ..11:16
henrynashsamuelmz: absolutely!11:17
samuelmzhenrynash, take a look at lines 260-263 at https://review.openstack.org/#/c/123590/1/keystone/tests/test_backend_ldap.py11:18
*** jasondotstar has joined #openstack-keystone11:20
henrynashmorganfainberg: fyi, I think we need to get this into RC1: https://review.openstack.org/#/c/123585/11:34
samuelmzhenrynash, I'd vote +2 if I could :p11:36
henrynashsamuelmz: :-)11:38
*** dims has joined #openstack-keystone11:41
*** dims has quit IRC11:46
*** henrynash has quit IRC11:55
*** alex_xu has quit IRC12:06
*** alex_xu has joined #openstack-keystone12:06
*** dims has joined #openstack-keystone12:07
*** amcrn has quit IRC12:10
*** soulxu_ has joined #openstack-keystone12:12
*** rodrigods_ has joined #openstack-keystone12:15
*** alex_xu has quit IRC12:15
*** rodrigods_ has quit IRC12:15
*** soulxu__ has joined #openstack-keystone12:18
*** soulxu_ has quit IRC12:21
*** soulxu_ has joined #openstack-keystone12:25
*** victsou is now known as I12:26
*** rushiagr is now known as rushiagr_away12:26
*** I is now known as victsou12:26
*** htruta has left #openstack-keystone12:28
*** rushiagr_away is now known as rushiagr12:28
*** soulxu__ has quit IRC12:29
*** yasu_ has quit IRC12:30
*** soulxu_ has quit IRC12:30
*** soulxu_ has joined #openstack-keystone12:31
*** soulxu__ has joined #openstack-keystone12:37
*** soulxu_ has quit IRC12:40
*** soulxu_ has joined #openstack-keystone12:42
*** soulxu__ has quit IRC12:45
thiagopmorganfainberg: Thanks for the doc links yesterday. It appears that my googles didn't help that much in finding something in our docs. I'll try to look more carefully in the future.12:49
*** yasu_ has joined #openstack-keystone12:53
*** soulxu__ has joined #openstack-keystone12:58
*** diegows has quit IRC12:59
*** andreaf is now known as andreaf_12:59
*** soulxu_ has quit IRC13:02
*** soulxu__ has quit IRC13:03
*** soulxu__ has joined #openstack-keystone13:04
*** richm has joined #openstack-keystone13:08
*** sigmavirus24_awa is now known as sigmavirus2413:08
*** yasu_ has quit IRC13:09
*** marcoemorais has joined #openstack-keystone13:09
*** dhellmann has quit IRC13:10
*** soulxu_ has joined #openstack-keystone13:10
*** dhellmann has joined #openstack-keystone13:11
*** marcoemorais1 has joined #openstack-keystone13:11
*** openstackgerrit has joined #openstack-keystone13:12
*** openstackgerrit has quit IRC13:12
*** nkinder_ has quit IRC13:12
*** soulxu__ has quit IRC13:13
*** marcoemorais has quit IRC13:14
*** soulxu__ has joined #openstack-keystone13:20
*** soulxu_ has quit IRC13:23
*** soulxu_ has joined #openstack-keystone13:26
*** oomichi has quit IRC13:26
*** soulxu__ has quit IRC13:29
*** soulxu__ has joined #openstack-keystone13:32
*** soulxu_ has quit IRC13:35
*** soulxu_ has joined #openstack-keystone13:38
*** radez_g0n3 is now known as radez13:38
*** soulxu__ has quit IRC13:40
*** soulxu__ has joined #openstack-keystone13:43
*** diegows has joined #openstack-keystone13:45
*** soulxu_ has quit IRC13:47
*** soulxu_ has joined #openstack-keystone13:49
*** soulxu__ has quit IRC13:52
*** soulxu__ has joined #openstack-keystone13:55
*** joesavak has joined #openstack-keystone13:55
*** sigmavirus24 is now known as sigmavirus24_awa13:56
*** soulxu_ has quit IRC13:58
*** morgan_remote_ has joined #openstack-keystone13:59
*** radez is now known as radez_g0n313:59
*** soulxu_ has joined #openstack-keystone14:01
*** gokrokve has joined #openstack-keystone14:02
*** soulxu__ has quit IRC14:03
*** soulxu_ has quit IRC14:06
*** soulxu_ has joined #openstack-keystone14:06
*** nkinder_ has joined #openstack-keystone14:07
*** sigmavirus24_awa is now known as sigmavirus2414:08
*** dims has quit IRC14:08
*** dims has joined #openstack-keystone14:09
*** soulxu__ has joined #openstack-keystone14:12
*** gokrokve has quit IRC14:14
*** gokrokve has joined #openstack-keystone14:14
*** openstackgerrit has joined #openstack-keystone14:15
*** soulxu_ has quit IRC14:15
*** stevemar has joined #openstack-keystone14:16
*** henrynash has joined #openstack-keystone14:17
*** bknudson has joined #openstack-keystone14:19
*** soulxu__ is now known as alex_xu14:20
henrynashmorganfainberg, dolphm: not sure how to add something to the RC1 blocker list…14:21
*** david-lyle has joined #openstack-keystone14:24
lbragstadhenrynash: what review?14:25
lbragstadlink?14:25
henrynashlbragstad: https://review.openstack.org/#/c/123585/14:25
*** david-ly_ has joined #openstack-keystone14:27
*** david-lyle has quit IRC14:29
bknudsonat some point we need to consider what gate tests are running for keystone changes.14:37
bknudsonare keystone changes really going to break check-tempest-dsvm-neutron-heat-slow ?14:37
*** henrynash has quit IRC14:37
bknudsonand, have we ever broken check-tempest-dsvm-neutron-full ?14:37
dstaneki think it will get there the next time the script runs14:38
*** openstackgerrit has quit IRC14:40
*** openstackgerrit has joined #openstack-keystone14:41
openstackgerritSteve Martinelli proposed a change to openstack/keystone: New section for CLI examples in docs  https://review.openstack.org/12396914:41
*** marcoemorais1 has quit IRC14:46
*** radez_g0n3 is now known as radez14:47
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update 'Configuring Services' documentation  https://review.openstack.org/12393314:47
*** andreaf_ is now known as andreaf14:52
*** david-ly_ has quit IRC14:52
*** david-lyle has joined #openstack-keystone14:53
*** bdossant has joined #openstack-keystone14:56
*** joesavak has quit IRC14:57
*** joesavak has joined #openstack-keystone15:01
*** andreaf is now known as andreaf_15:01
*** jsavak has joined #openstack-keystone15:09
*** henrynash has joined #openstack-keystone15:10
*** joesavak has quit IRC15:12
*** TemporalBeing has joined #openstack-keystone15:12
*** r-daneel has joined #openstack-keystone15:14
*** bdossant has quit IRC15:14
marekdi have a function f(argument): do sth with argument; return new_argument15:16
*** zzzeek has joined #openstack-keystone15:16
marekdnow i want to write a test using mock.patch where my f() will behave like def f(argument): return argument15:16
*** ericpeterson has joined #openstack-keystone15:16
marekdhow do i make mock simply return what was received in the function arg?15:16
*** ericpeterson has left #openstack-keystone15:16
dstanekmarekd: how about "patch('thing.to.patch.f', lambda a: a)"?15:17
morganfainbergmarekd, you can use mock.patch.object and provide a new function to replace the old one15:17
morganfainbergdstanek, ++15:17
dstaneki'd have to see the code to know the exact thing to use, but when patching you can provide the thing mock will use to patch15:18
*** bdossant has joined #openstack-keystone15:19
*** bdossant has quit IRC15:20
marekddstanek: https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3_federation.py#L1682so this is what i have now, and what i need is to patch _sign_assertion so it simply returns what it gets.15:20
bknudsonmod_wsgi isn't going to invoke bash is it?15:21
bknudsonI wouldn't think so.15:21
dstanekbknudson: ?15:22
marekddstanek: bash vuln.15:22
bknudsonmarekd: you should be able to use side_effect: lambda x: x15:22
marekdbknudson: so: with ock.patch.object(keystone_idp, '_sign_assertion', side_effect=lambda x:x): (...)  ??15:24
dstanekbknudson: we use invoke subprocesses, but I'm not sure if we use the shell15:25
bknudsonmarekd: http://www.voidspace.org.uk/python/mock/mock.html#mock.Mock.side_effect15:25
*** joesavak has joined #openstack-keystone15:26
bknudsondstanek: y, if we invoke subprocess we could be vulnerable, but I believe the vuln also requires accepting env var values from the user. I don't think we do that when signing tokens, etc.15:26
*** _cjones_ has joined #openstack-keystone15:26
bknudsonmarekd: so, yes, your example looks like it would do it to me.15:26
marekdbknudson: it does, thanks!15:27
*** _cjones_ has quit IRC15:27
*** _cjones_ has joined #openstack-keystone15:28
*** jsavak has quit IRC15:28
*** andreaf has joined #openstack-keystone15:30
*** _cjones_ has quit IRC15:32
*** rwsu has quit IRC15:33
*** diegows has quit IRC15:37
*** andreaf has quit IRC15:37
*** andreaf has joined #openstack-keystone15:38
nkinder_dstanek, bknudson: subprocess.Popen() will inherit the environment of the parent process unless the 'env' arg is set15:41
nkinder_I don't see anywhere that we pass a different env in15:41
dstaneknkinder_: yeah, i couldn't either15:42
*** wwriverrat has joined #openstack-keystone15:42
bknudsonnkinder_: y, I can't think of any reason we would unless the application we're calling used env vars rather than command-line args.15:42
*** k4n0 has quit IRC15:43
*** rwsu has joined #openstack-keystone15:45
*** cjellick has joined #openstack-keystone15:47
*** bdossant has joined #openstack-keystone15:51
*** gokrokve_ has joined #openstack-keystone15:52
*** gokrokve has quit IRC15:55
*** marcoemorais has joined #openstack-keystone15:55
*** diegows has joined #openstack-keystone15:56
*** gokrokve_ has quit IRC15:56
openstackgerritMarek Denis proposed a change to openstack/keystone: Add version attribute to the SAML2 Assertion object.  https://review.openstack.org/12409215:58
*** bdossant has quit IRC15:58
morganfainbergmarekd, how important is that change? ^15:59
morganfainbergmarekd, as in.. does it break things badly if it's not there?15:59
marekdmorganfainberg: sadly yes.15:59
marekdmy SP will not even talk to me.15:59
morganfainbergugh15:59
*** wwriverrat has left #openstack-keystone16:00
*** lufix has quit IRC16:00
*** ajayaa has quit IRC16:03
stevemarmarekd, thanks for reporting it16:05
marekdstevemar: sure, no problem.16:05
marekdstevemar: regarding your comment: why would you think issue_instant would become redundant?16:05
morganfainbergmarekd, i think he meant the next line down16:06
morganfainbergversion 2.016:06
stevemarmarekd, just making sure16:06
morganfainberg?16:06
dstanekmarekd: was there a change in something that made our code not work?16:06
marekddstanek: yes, in k2k16:06
marekdhttps://review.openstack.org/12409216:06
marekddstanek: ^^16:06
morganfainbergdstanek, part of the problem of not having a real mod_shib gate check.16:07
marekdmorganfainberg: ++16:07
dstanekhmm...so this was never working?16:07
morganfainbergdstanek, looks like it couldn't have been16:07
morganfainbergnot that our code was wrong, just mod_shib would reject it16:08
*** ukalifon has joined #openstack-keystone16:08
morganfainbergin Kilo we definitely need real tests for this stuff.16:08
dstanekmorganfainberg: k. i was just worried that we were testing on mod_shib and a new version (or something) changed and that caused this to change16:09
marekdmorganfainberg: that's what I added to the Kilo etherpad..16:09
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the CLI examples to use openstackclient  https://review.openstack.org/12409516:09
morganfainbergmarekd, ++ yeah on the long list of CI stuff we need to do16:09
morganfainbergdstanek, yeah if we had been gating on mod_shib i'd have been shocked and wondering how things broke suddenly.16:10
*** morgan_remote_ has quit IRC16:10
marekdmorganfainberg: i have some floating ideas about that, but i don't know ye how to add such testsuites (both technically and politicaly) so they are in jenkins. But I also might be allowed to work on it next cycle.16:11
dstaneki won't lie. i'm a little frightened that this code has never been used with mod_shib16:11
*** rushiagr is now known as rushiagr_away16:11
morganfainbergmarekd, this is something we can probably stand up with the functional testing and an apache deployed keystone16:11
*** lsmola has quit IRC16:12
marekdmorganfainberg: i will bug you somewhere around summit about that.16:12
morganfainbergmarekd, sounds good. and with that fix, can you confirm that k2k is working as expected?16:12
marekdmorganfainberg: no, i can't. I have another bug that i found today, also one liner.16:13
morganfainbergthis worries me.16:14
morganfainberga lot.16:14
stevemarwhat's the bug?16:14
*** Dafna has quit IRC16:14
marekdstevemar: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L265 this should be rather CONF.saml.entity_id16:16
marekdotherwise entity_id value from WSGI might be something like https://<IPv4>:5000/blah/bla16:16
marekdand entityID from assertion in metadata must be equal.16:17
stevemarmarekd, yeah, good call.16:18
stevemarmarekd, yeah, i was using that one before the config option was around, we should use the config option instead of the public url16:19
morganfainbergdstanek, marekd, stevemar, does it make sense to pull the K2K stuff and re-land it in Kilo when we're not under the wire and can get real drive time on it?16:22
morganfainbergdstanek, marekd, stevemar, or at the least mark it as "expirimental enable at your own risk"?16:22
*** _cjones_ has joined #openstack-keystone16:23
morganfainbergi don't particularly want broken code lingering around in keystone generating bug reports, but this feature is a good feature to have as well.16:23
dstanekmorganfainberg: i'm think experimental would be good enough because we haven't successfully run this yet - can we just remove it from the docs and leave the code in?16:23
stevemarmorganfainberg, et all, i say keep and mark experimental - as it has very few branches to other code16:24
morganfainbergdstanek, I'd be ok with that or at least toss the big ..warning blocks like we had for the multi-id backend stuff16:24
stevemarit's just the router16:24
stevemarmorganfainberg, definitely big warning blocks16:24
morganfainbergstevemar, can you propose a doc fix for that please so we can get that in.16:24
stevemarmorganfainberg, okie16:25
marekdmorganfainberg: stevemar dstanek ++16:25
marekdok for experimental.16:25
morganfainbergmarekd, cool.16:26
*** packet has joined #openstack-keystone16:26
marekdmorganfainberg: so, assuming this would become experimental as from now I should still file bugs (in case i find something) or fix it on my own branch and wait for K-1 ?16:26
morganfainbergmarekd, i've tagged the version 2.0 bug as RC1. Yeah, that would be good.16:26
morganfainbergif it's a small number of fixes we can look at backporting to Juno if they end up being invasive we might only get them for Kilo and beyond.16:27
morganfainbergdstanek, any concerns about holding https://review.openstack.org/#/c/88207/ till K1?16:29
morganfainbergi'm thinking thats a nice to have but nothing required.16:29
dstaneknot from me - it's just a developer thing16:29
morganfainbergk16:29
morganfainbergdstanek, stevemar, i'm approving https://review.openstack.org/#/c/123938/ since it would be nice to have up-to-date docs if it can land.16:31
*** marekd is now known as marekd|away16:31
stevemarmorganfainberg, theres a bunch more16:31
stevemarbut they are all non-critical16:31
morganfainbergstevemar, a bunch more as in... easier to wait for K?16:31
*** aix has quit IRC16:31
stevemaras in https://review.openstack.org/#/c/123960/ and https://review.openstack.org/#/c/123933/ and https://review.openstack.org/#/c/123969/16:32
stevemarbut they all change docs.openstack.org/developer/keystone/ so they can go in after RC16:33
morganfainbergright16:33
stevemarwhen the K branch opens16:33
*** openstackgerrit has quit IRC16:33
*** gyee has joined #openstack-keystone16:34
*** edmondsw has joined #openstack-keystone16:35
*** packet has quit IRC16:35
stevemardstanek, marekd|away morganfainberg https://review.openstack.org/#/c/124107/16:36
henrynashstevemar: quick question on those docs…the link to teh cli_eamples….that should .html as you have it, right?16:36
stevemarhenrynash, yep, .html is correct there16:36
henrynashstevemar: ok16:36
*** packet has joined #openstack-keystone16:36
morganfainbergstevemar, that looks good to me.16:36
henrynashstevemar: nice job on thise….and GREAT to get openstack client examples!!!!16:37
stevemarhenrynash, click on the gate-keystone-docs job link to check out the generated docs :)16:37
henrynashstevemar: ah yes, I keep forgetting where to find that…duh...16:38
stevemarhenrynash, i'm on a mission to eliminate the word tenant from our docs - once and for all16:40
henrynashstevemar: “tenants…just say no, you know it makes sense”16:40
*** TemporalBeing has left #openstack-keystone16:42
stevemarhenrynash, i wanted to put the openstackclient examples in a separate patch, in case the team wasn't too keen on changing it all over16:44
morganfainbergstevemar, can we add something about feedback for the IdP in the message?16:44
morganfainbergstevemar, we had this message for rhe per-domain stuff: This feature is experimental and unsupported in Havana (with several known issues that will not be fixed). Feedback welcome for Icehouse!16:44
morganfainbergyou don't need to add the "known issues".16:44
morganfainbergbut maybe just "Feedback welcome on this feature."16:45
morganfainbergstevemar, if you think that is overkill i'm fine with it as is16:45
*** gokrokve has joined #openstack-keystone16:45
stevemarmorganfainberg, i'll change it super quickly16:46
morganfainbergstevemar, ++16:46
stevemarmorganfainberg, henrynash new version of experimental warning is up16:47
*** rushiagr_away is now known as rushiagr16:48
stevemarafk for a bit16:48
*** BAKfr has quit IRC16:49
*** bdossant has joined #openstack-keystone16:50
*** bdossant_ has joined #openstack-keystone16:51
morganfainberghenrynash, this look good to you? https://review.openstack.org/#/c/124107/16:52
*** openstackgerrit has joined #openstack-keystone16:52
henrynashmorganfainberg: yep, +2/A's16:53
*** ukalifon has quit IRC16:53
*** bdossant has quit IRC16:54
*** arunkant has joined #openstack-keystone16:55
*** diegows has quit IRC17:02
*** packet has left #openstack-keystone17:03
*** packet has joined #openstack-keystone17:03
*** lufix has joined #openstack-keystone17:06
*** _cjones_ has quit IRC17:09
*** _cjones_ has joined #openstack-keystone17:09
openstackgerritAndre Aranha proposed a change to openstack/keystone: Creating a policy sample  https://review.openstack.org/12350917:11
*** harlowja_away is now known as harlowja17:12
*** _cjones_ has quit IRC17:14
*** _cjones_ has joined #openstack-keystone17:16
*** lufix has quit IRC17:17
*** swartulv has quit IRC17:23
*** diegows has joined #openstack-keystone17:24
*** swartulv has joined #openstack-keystone17:29
*** openstackgerrit has quit IRC17:33
*** afazekas has quit IRC17:38
*** openstackgerrit has joined #openstack-keystone17:39
*** morgan_remote_ has joined #openstack-keystone17:40
dimsdolphm: other keystone-cores... we were looking at  ./openstack/common/crypto/utils.py over in oslo-incubator and wondering if anyone needs or uses it17:59
morganfainbergdimsm, hm18:00
morganfainbergdims, not sure.18:00
openstackgerritA change was merged to openstack/keystone: Fix a spelling mistake in keystone/common/utils.py  https://review.openstack.org/12385718:01
morganfainbergdims, keystone, keystoneclient, and keystonemiddleware don't use it18:01
dimsmorganfainberg: k. worst case it will still be in oslo-incubator juno stable branch if anyone needs it for later, we may just not turn it into a library18:01
dimsmorganfainberg: y i checked the usual suspects :)18:01
dimsthanks for looking!18:01
morganfainbergah, sec18:02
morganfainbergdid we conver the memcache_crypt to use something else?18:02
morganfainbergi guess we did18:02
morganfainbergwe use hmac directly18:02
morganfainbergand Crypto.Cipher18:02
morganfainbergok18:02
morganfainbergyeah i think we're not using it for sure then18:03
dimscool18:03
*** jasondotstar has quit IRC18:04
*** Daviey has quit IRC18:07
*** marcoemorais has quit IRC18:20
*** marcoemorais has joined #openstack-keystone18:20
*** marcoemorais has quit IRC18:20
*** rushiagr is now known as rushiagr_away18:20
*** Daviey has joined #openstack-keystone18:21
*** marcoemorais has joined #openstack-keystone18:21
stevemarhenrynash, great suggestions for the docs, i can't believe i forgot to actually update the configuration.rst portion hehe18:41
*** mikedillion has joined #openstack-keystone18:48
*** topol has joined #openstack-keystone18:54
*** andreaf has quit IRC18:59
*** andreaf has joined #openstack-keystone19:00
*** marcoemorais has quit IRC19:01
*** marcoemorais has joined #openstack-keystone19:01
*** marcoemorais has quit IRC19:02
*** marcoemorais has joined #openstack-keystone19:03
*** marcoemorais has quit IRC19:04
*** marcoemorais has joined #openstack-keystone19:04
*** marcoemorais has quit IRC19:04
*** marcoemorais has joined #openstack-keystone19:05
*** amcrn has joined #openstack-keystone19:17
*** soulxu_ has joined #openstack-keystone19:25
*** alex_xu has quit IRC19:28
*** thedodd has joined #openstack-keystone19:34
*** nkinder_ has quit IRC19:34
*** marcoemorais1 has joined #openstack-keystone19:39
*** marcoemorais has quit IRC19:41
*** zzzeek has quit IRC19:42
*** zzzeek has joined #openstack-keystone19:45
*** _cjones_ has quit IRC19:46
*** _cjones_ has joined #openstack-keystone19:46
*** gyee has quit IRC19:50
*** morgan_remote_ has quit IRC19:50
*** _cjones_ has quit IRC19:51
*** gordc has quit IRC19:56
*** gordc has joined #openstack-keystone19:57
*** marcoemorais1 has quit IRC19:59
*** marcoemorais has joined #openstack-keystone19:59
*** marcoemorais has quit IRC19:59
*** marcoemorais has joined #openstack-keystone20:00
*** marcoemorais has quit IRC20:00
*** marcoemorais has joined #openstack-keystone20:01
*** marcoemorais has quit IRC20:01
*** marcoemorais has joined #openstack-keystone20:01
*** marcoemorais has quit IRC20:02
*** marcoemorais has joined #openstack-keystone20:02
*** marcoemorais has quit IRC20:07
*** radez is now known as radez_g0n320:08
*** radez_g0n3 is now known as radez20:10
*** radez is now known as radez_g0n320:11
*** jdandrea has joined #openstack-keystone20:13
*** mikedillion has quit IRC20:15
*** _cjones_ has joined #openstack-keystone20:17
*** andreaf has quit IRC20:23
*** andreaf has joined #openstack-keystone20:23
openstackgerritMarek Denis proposed a change to openstack/keystone: Set issuer value to CONF.saml.idp_entity_id.  https://review.openstack.org/12417620:24
*** dhellmann is now known as dhellmann_20:29
*** edmondsw has quit IRC20:31
*** sigmavirus24 is now known as sigmavirus24_awa20:33
*** david-lyle has quit IRC20:37
*** _cjones_ has quit IRC20:38
*** _cjones_ has joined #openstack-keystone20:38
*** gyee has joined #openstack-keystone20:52
*** HenryG has quit IRC20:53
*** nkinder_ has joined #openstack-keystone20:53
*** thedodd has quit IRC20:54
*** gyee has quit IRC20:54
*** gokrokve has quit IRC20:54
*** thedodd has joined #openstack-keystone20:54
*** gokrokve has joined #openstack-keystone20:54
*** thedodd has quit IRC20:55
*** thedodd has joined #openstack-keystone20:56
*** thedodd has quit IRC20:56
*** thedodd has joined #openstack-keystone20:56
*** comstud has quit IRC20:56
*** thedodd has quit IRC21:00
*** thedodd has joined #openstack-keystone21:00
*** gyee has joined #openstack-keystone21:00
*** thedodd has quit IRC21:01
*** thedodd has joined #openstack-keystone21:06
*** david-lyle has joined #openstack-keystone21:06
*** david-ly_ has joined #openstack-keystone21:08
*** david-lyle has quit IRC21:11
*** _cjones_ has quit IRC21:14
*** _cjones_ has joined #openstack-keystone21:15
*** boltR has joined #openstack-keystone21:18
*** _cjones_ has quit IRC21:18
*** _cjones_ has joined #openstack-keystone21:18
boltRhello, if I wanted single sign on for horizon, I just need to configure keystone to do the mappings right?21:19
boltRthere doesn't need to be anything done on the Horizon side other than using the keystone server I configured?21:19
*** david-ly_ has quit IRC21:23
*** dims has quit IRC21:41
*** dims has joined #openstack-keystone21:42
*** dims has quit IRC21:46
*** packet has quit IRC21:55
*** rkofman has quit IRC21:56
*** rkofman has joined #openstack-keystone21:57
*** joesavak has quit IRC21:59
*** gordc has quit IRC22:04
dolphmayoung: stevemar: marekd|away: ^22:08
dolphmboltR: the short answer is that horizon is not quite there yet :( those mentioned above can fill you in on the details better than i if you'd like to contribute on the horizon side22:09
stevemardolphm, what am i looking at?22:10
dolphmstevemar: an SSO question from boltR22:11
*** gokrokve has quit IRC22:12
stevemarboltR as dolphm suggests SSO isn't *quite* there yet22:12
*** morgan_remote_ has joined #openstack-keystone22:12
boltRstevemar: dolphm thanks for responding22:13
*** gokrokve has joined #openstack-keystone22:13
boltRi've been looking at some emails in the openstack-dev list22:13
boltRand see people having been suggesting different approaches22:13
stevemarboltR, https://www.mail-archive.com/openstack-dev@lists.openstack.org/msg35326.html22:14
stevemarboltR, yeah, that's kind of been the issue22:14
stevemarboltR, that most recent suggestion on the mailing list makes the most sense to me, at the moment22:15
*** marcoemorais has joined #openstack-keystone22:15
*** gokrokve has quit IRC22:18
boltRstevemar: thanks for the link22:19
stevemarboltR, if you are familiar with SSO technologies let us know :) respond to the mailing list if possible22:19
stevemarboltR, we're at a lack of SSO experts around here22:19
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add placeholders for reserved migrations  https://review.openstack.org/12420422:25
*** joesavak has joined #openstack-keystone22:26
*** thedodd has quit IRC22:30
*** bknudson has quit IRC22:31
morganfainbergdolphm, you're alive! :)22:33
dolphmmorganfainberg: a bit!22:33
morganfainbergdolphm, hehe22:33
dolphmmorganfainberg: been trying to go through the last couple weeks of bug activity, but it's really boring when everything is already taken care of :P22:34
morganfainbergdolphm, at least it's the right kind of boring ;)22:35
* morganfainberg glares at the gate queue22:35
*** andreaf has quit IRC22:38
*** andreaf has joined #openstack-keystone22:39
dolphmmorganfainberg: the gate queue is the wrong kind of boring22:40
morganfainbergdolphm, yes22:40
morganfainbergdolphm, oh ooh something merged! i saw it move...22:40
morganfainbergor.. failed to merge22:40
morganfainbergdolphm, why does this list not go down faster https://gist.github.com/dolph/651c6a1748f69637abd0 :(22:41
*** gokrokve has joined #openstack-keystone22:42
dolphmsince when does centos use LP?22:43
dolphmhttps://bugs.launchpad.net/centos/+bug/136203922:43
uvirtbotLaunchpad bug 1362039 in centos "Cannot Upgrade from Keystone Essex to Keystone Icehouse" [Undecided,New]22:43
morganfainbergdolphm, lol22:43
morganfainbergdolphm, no idea.22:43
*** gokrokve_ has joined #openstack-keystone22:44
*** gokrokve has quit IRC22:45
*** sigmavirus24_awa is now known as sigmavirus2422:47
*** gokrokve_ has quit IRC22:50
boltRstevemar: i'm kind of curious, why are people suggesting to use AJAX/CORS to do the token exchange?22:51
boltRversus redirects22:51
*** soulxu__ has joined #openstack-keystone22:54
stevemarboltR, not sure tbh...22:57
*** soulxu_ has quit IRC22:57
*** HenryG has joined #openstack-keystone22:59
*** joesavak has quit IRC23:01
*** jorge_munoz has quit IRC23:02
*** HenryG has quit IRC23:04
*** joesavak has joined #openstack-keystone23:05
*** gokrokve has joined #openstack-keystone23:06
*** HenryG has joined #openstack-keystone23:07
*** marcoemorais has quit IRC23:10
*** marcoemorais has joined #openstack-keystone23:10
*** marcoemorais has quit IRC23:10
*** marcoemorais has joined #openstack-keystone23:11
*** marcoemorais has quit IRC23:11
*** marcoemorais has joined #openstack-keystone23:11
*** marcoemorais has quit IRC23:17
*** marcoemorais has joined #openstack-keystone23:17
*** gyee has quit IRC23:21
*** sigmavirus24 is now known as sigmavirus24_awa23:24
*** gyee has joined #openstack-keystone23:25
*** _cjones_ has quit IRC23:27
*** _cjones_ has joined #openstack-keystone23:27
morganfainbergstevemar, ping re: https://bugs.launchpad.net/keystone/+bug/137162023:28
uvirtbotLaunchpad bug 1371620 in keystone "Setting up database schema with db_sync fails with OperationalError: (OperationalError) database is locked u'DELETE FROM user_project_metadata' ()" [Undecided,New]23:28
morganfainbergstevemar, was your comment here a "i've confirmed this" or just a "i see what the issue looks like"?23:29
*** _cjones_ has quit IRC23:32
*** marcoemorais has quit IRC23:33
stevemarmorganfainberg, the latter23:33
*** marcoemorais has joined #openstack-keystone23:33
*** marcoemorais has quit IRC23:33
stevemardefinitely not confirming it, just wanted to narrow down the stack trace23:33
*** marcoemorais has joined #openstack-keystone23:33
morganfainbergstevemar, ok i guess this means i need to stand up a 12.04 box and try to duplicate23:34
morganfainbergstevemar, i'd hate for that to be something we ship as a bug.23:34
morganfainbergbut i don't think it is or we'd have a lot more complaining23:35
*** dims has joined #openstack-keystone23:35
stevemarmorganfainberg, the author hasn't given back much info23:35
morganfainbergstevemar, well i'll take a pass at it tonight sometime after OpenStack LA meetup23:36
morganfainbergstevemar, worst scenario, i'll incomplete it.23:36
morganfainbergerm best.23:36
morganfainbergworst we have another blocker. but like i said i think we'd have a lot of complaining on that one23:36
*** david-lyle has joined #openstack-keystone23:37
*** HenryG has quit IRC23:37
*** david-lyle has quit IRC23:38
*** bknudson has joined #openstack-keystone23:41
*** _cjones_ has joined #openstack-keystone23:41
*** boris-42 has quit IRC23:47
*** boris-42 has joined #openstack-keystone23:48
*** soulxu__ is now known as alex_xu23:50
*** gokrokve has quit IRC23:51
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228123:52
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Auth token tests create temp cert directory  https://review.openstack.org/12228023:52
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240323:52
*** joesavak has quit IRC23:53
boltRI think I understand why AJAX is needed now23:57
boltRfor doing a SAML exchange for horizon23:58
boltRi'm guessing it's because there's no way to redirect from keystone back to Horizon23:58
*** bknudson1 has joined #openstack-keystone23:59
« Wednesday, 2014-09-24 Index Friday, 2014-09-26 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!