Thursday, 2014-10-16

*** samuelms_home has joined #openstack-keystone [00:04]
*** dims_ has quit IRC [00:06]
*** dims_ has joined #openstack-keystone [00:06]
*** dims__ has joined #openstack-keystone [00:07]
*** drjones has quit IRC [00:07]
*** _cjones_ has joined #openstack-keystone [00:07]
rodrigods: gyee, once it had a +2 https://review.openstack.org/#/c/117784/ =) [00:10]
*** dims_ has quit IRC [00:11]
openstackgerrit: A change was merged to openstack/python-keystoneclient: Use oslo.utils and oslo.serialization  https://review.openstack.org/128454 [00:14]
gyee: rodrigods, yeah [00:14]
rodrigods: gyee, no pressure hehe [00:15]
gyee: just the minor nits right? [00:15]
*** packet has joined #openstack-keystone [00:18]
gyee: rodrigods, on behalf of ayoung, I sincerely apologize for making you implement this in LDAP :) [00:18]
rodrigods: gyee, reaaally?! [00:20]
rodrigods: haha [00:21]
gyee: ah, ain't that bad [00:22]
rodrigods: gyee, future plans, right? [00:32]
*** raildo_ has joined #openstack-keystone [00:35]
gyee: rodrigods, yeah, I still need to review the other patches, just need to find the time [00:36]
rodrigods: gyee, ++ the next one of the series is quite small... the biggest part are tests [00:37]
raildo_: gyee: ++ [00:37]
raildo_: gyee: and we have to talk later about the HM session :) [00:37]
mfisch: nkinder: still want me to try that patch or will you have something different tomorrow? [00:38]
nkinder: mfisch: I have a fix now.  I was just working on a test. [00:38]
nkinder: mfisch: I can push what I have [00:38]
mfisch: I'm fine to wait, not in a rush here [00:38]
gyee: raildo_, yes, I am interested in the role management piece, like ownership, visibility, etc [00:39]
openstackgerrit: Nathan Kinder proposed a change to openstack/keystone: Use newer python-ldap paging control API  https://review.openstack.org/128782 [00:39]
gyee: nkinder, when's jamie coming back? [00:39]
nkinder: mfisch: ^^^ try that please [00:40]
rodrigods: gyee, looks like you are interested in this patch https://review.openstack.org/#/c/117787/ hehe [00:40]
nkinder: mfisch: I reproduced the problem and tested it against a real LDAP server, but a second confirmation would be good. [00:40]
raildo_: gyee: rodrigods hahaha [00:40]
nkinder: gyee: monday I think [00:40]
nkinder: gyee: but he'll be on europe hours, as he's hanging out in the czech republic until the summit [00:41]
*** jacer_huawei has quit IRC [00:42]
gyee: nkinder, how did he get all these perks :) [00:42]
*** marcoemorais has quit IRC [00:50]
morganfainberg: ... [00:51]
rodrigods: morganfainberg, available for a tiny review? (not HM related) [00:52]
morganfainberg: rodrigods: can take a look in a few minutes fixing my IRC client [00:52]
rodrigods: morganfainberg, great [00:52]
morganfainberg: . [00:55]
nkinder: looks like morganfainberg is in morse code mode [00:56]
morganfainberg: .. / .- -- / -. --- - / .. -. / -- --- .-. ... . / -.-. --- -.. . / -- --- -.. . [00:57]
morganfainberg: ugh. that's annoying. [00:59]
nkinder: morganfainberg: lol, you're contradicting yourself [01:00]
*** jacer_huawei has joined #openstack-keystone [01:02]
*** packet has quit IRC [01:03]
*** stevemar has joined #openstack-keystone [01:05]
*** _cjones_ has quit IRC [01:08]
*** sunrenjie6 has joined #openstack-keystone [01:09]
*** _cjones_ has joined #openstack-keystone [01:09]
rodrigods: morganfainberg, success? [01:12]
*** _cjones_ has quit IRC [01:13]
*** r1chardj0n3s is now known as r1chardj0n3s_afk [01:14]
mfisch: nkinder: +1 on your patch [01:16]
morganfainberg: rodrigods, ping [01:19]
rodrigods: morganfainberg, https://review.openstack.org/#/c/123619/ this one [01:20]
rodrigods: thanks [01:20]
morganfainberg: rodrigods, cool [01:20]
morganfainberg: i got *some* of my client fixed up [01:20]
morganfainberg: still needs a little work [01:20]
morganfainberg: but it's def. better [01:20]
morganfainberg: had to recompile it. [01:20]
morganfainberg: rodrigods, LGTM [01:21]
morganfainberg: nkinder, ping [01:21]
rodrigods: morganfainberg, ++ [01:21]
morganfainberg: nkinder, ok nvm. whoops. [01:21]
morganfainberg: rodrigods, direct another message at me in irc please [01:22]
rodrigods: morganfainberg, ... [01:22]
morganfainberg: ok i can't fix that, oh well [01:22]
morganfainberg: thanks [01:23]
rodrigods: morganfainberg, which client do you use? [01:23]
morganfainberg: rodrigods, textual [01:23]
morganfainberg: rodrigods, https://github.com/Codeux/Textual [01:23]
rodrigods: morganfainberg, beautiful, I use the regular xchat [01:24]
morganfainberg: it's a version of Limechat [01:25]
morganfainberg: i just am tired of waiting for the new version and the old one has bugs [01:25]
morganfainberg: so.. i compiled it myself :) [01:25]
*** dims__ has quit IRC [01:26]
*** dims_ has joined #openstack-keystone [01:27]
rodrigods: morganfainberg, brave [01:27]
*** gyee has quit IRC [01:28]
*** _kenjiro has joined #openstack-keystone [01:28]
rodrigods: morganfainberg, there was a time that I almost used gentoo [01:29]
rodrigods: a friend of mine uses, he spends 2 days installing it [01:29]
*** jjulien has joined #openstack-keystone [01:29]
*** dims_ has quit IRC [01:29]
*** dims_ has joined #openstack-keystone [01:30]
*** _kenjiro has quit IRC [01:30]
*** kenjiro__ has joined #openstack-keystone [01:33]
morganfainberg: lol [01:34]
morganfainberg: yeah no thanks [01:34]
samuelms_home: Hi guys, as I've discussed with dolphm and dstanek  a few days ago .. I created an etherpad to list some possible improvements on keystone tests [01:37]
samuelms_home: https://etherpad.openstack.org/p/Keystone_Tests_Improvement [01:37]
samuelms_home: I'd be glad if you could take a look at it [01:37]
morganfainberg: samuelms_home, nice. [01:37]
samuelms_home: morganfainberg, dolphm, dstanek ^ [01:37]
*** r1chardj0n3s_afk is now known as r1chardj0n3s [01:38]
samuelms_home: I left a space for discussions on each section [01:39]
samuelms_home: Looking forwarding to having your feedback :) [01:39]
samuelms_home: s/forwarding/forward :p [01:40]
openstackgerrit: A change was merged to openstack/python-keystoneclient: Actually test interactive password prompt  https://review.openstack.org/128770 [01:41]
morganfainberg: great! [01:41]
*** alex_xu has joined #openstack-keystone [01:43]
openstackgerrit: A change was merged to openstack/keystonemiddleware: Replace httpretty with requests-mock  https://review.openstack.org/112777 [01:51]
*** samuelms__ has joined #openstack-keystone [01:53]
samuelms__: morganfainberg, could you take a look at 'Extract Assignment tests from IdentityTestCase' [01:54]
samuelms__: morganfainberg, https://review.openstack.org/#/c/121653/ [01:54]
samuelms__: morganfainberg, we already have a +2 from henrynash [01:54]
samuelms__: :) [01:54]
*** shakamunyi has joined #openstack-keystone [01:54]
*** samuelms_home has quit IRC [01:56]
*** samuelms__ is now known as samuelms_home [01:57]
*** diegows has joined #openstack-keystone [02:00]
*** sunrenjie6 has quit IRC [02:05]
*** stevemar has quit IRC [02:16]
*** diegows has quit IRC [02:18]
openstackgerrit: Nathan Kinder proposed a change to openstack/keystone: Use newer python-ldap paging control API  https://review.openstack.org/128782 [02:21]
nkinder: morganfainberg: do you know why we're pinned to python-ldap==2.3.13 in test-requirements.txt? [02:23]
nkinder: 2.4 is on most platforms, which is what Keystone is actually using in the wild [02:24]
nkinder: I'm running all of the tests with 2.4 locally now to see if everything is working [02:24]
morganfainberg: Probably release [02:25]
morganfainberg: Reqs / packaging from previous release ? [02:28]
morganfainberg: That's my only real guess [02:28]
*** stevemar has joined #openstack-keystone [02:30]
*** topol has joined #openstack-keystone [02:30]
openstackgerrit: wanghong proposed a change to openstack/keystonemiddleware: use keystone v3 api to fetch revocation list  https://review.openstack.org/127459 [02:30]
*** alex_xu has quit IRC [02:30]
*** lhcheng has quit IRC [02:31]
*** zzzeek has quit IRC [02:32]
nkinder: morganfainberg: so what's the process for juno fixes at this point?  We're going to want https://review.openstack.org/128782 backported for sure. [02:32]
nkinder: morganfainberg: still using proposed/juno? [02:32]
openstackgerrit: wanghong proposed a change to openstack/keystonemiddleware: call _choose_api_version in one place  https://review.openstack.org/127866 [02:33]
morganfainberg: We add it to the known issues list, and we plan a backport to stable/Juno when we cut it [02:33]
nkinder: morganfainberg: ok.  Where can I fill in details for known issues? [02:34]
*** alex_xu has joined #openstack-keystone [02:34]
morganfainberg: The release notes wiki page [02:34]
nkinder: morganfainberg: there are some workarounds worth mentioning [02:34]
morganfainberg: https://wiki.openstack.org/wiki/ReleaseNotes/Juno [02:34]
nkinder: morganfainberg: yep, adding it now [02:35]
morganfainberg: Cool. And yeah since there are relatively straight forward workarounds I am hesitant to say this is a massive show stopper that would require an emergency rc3 [02:35]
morganfainberg: And we'll definitely have the fix quickly into stable. [02:36]
openstackgerrit: wanghong proposed a change to openstack/keystone: fix the wrong order of assertEqual args in test_v3  https://review.openstack.org/127110 [02:37]
morganfainberg: I am more and more disappointed that these libraries are making changes like this with point releases.  :( [02:37]
openstackgerrit: wanghong proposed a change to openstack/keystone: use expected_length parameter to assert expected length  https://review.openstack.org/128197 [02:38]
morganfainberg: nkinder: if you talk to jamielennox let him know I pushed the initial pass at the client session to sched. He should let me know (email works) if we need to change it [02:38]
nkinder: morganfainberg: ok, will do. [02:39]
nkinder: morganfainberg: it's not a massive show stopper.  It only happens when paging is enabled, so that could be turned off, or python-ldap can be downgraded. [02:40]
*** lhcheng has joined #openstack-keystone [02:40]
nkinder: morganfainberg: that will hold people over until it's backported to stable/juno [02:40]
morganfainberg: Yep. Exactly [02:40]
*** renlt has joined #openstack-keystone [02:40]
mfisch: nkinder: I'm confused as to whether your new test actually does anything [02:45]
nkinder: morganfainberg: https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Known_Issues_5 [02:45]
nkinder: mfisch: it does.  I backed out the fix and watched it fail [02:45]
nkinder: mfisch: ...but, test-requirements.txt is pinning it to python-ldap 2.3.x [02:46]
nkinder: mfisch: So the test will never fail unless you update python-ldap in your venv using pip (or tweak test-requirements.txt) [02:46]
mfisch: nkinder: well I'm dumb, I didn't scroll down, now I see useful stuff ;) [02:47]
nkinder: mfisch: It never actually processes a paged results control though.  It just exercises the API that we use to create the control [02:47]
mfisch: good enough for this one [02:47]
nkinder: yeah [02:47]
*** raildo_ has quit IRC [02:47]
*** wpf has quit IRC [02:48]
nkinder: mfisch: doh!  I added a semicolon at the end of a line in the test though [02:48]
nkinder: old habits die hard (lots of C programming) [02:49]
mfisch: looks like you also forgot to free your pointers there [02:49]
openstackgerrit: Nathan Kinder proposed a change to openstack/keystone: Use newer python-ldap paging control API  https://review.openstack.org/128782 [02:49]
mfisch: nkinder: why not change the requirements to be >= 2.3? [02:50]
nkinder: mfisch: doing that in a separate patch [02:50]
mfisch: wfm [02:50]
nkinder: mfisch: that way I can cleanly propose this for backport [02:50]
nkinder: just verified that all tests pass with 2.4.x too [02:50]
morganfainberg: nkinder: c / perl. Yes old habits die hard. [02:53]
*** wpf has joined #openstack-keystone [02:54]
morganfainberg: nkinder: from __future__ import braces [02:54]
mfisch: whenever my code is incomprehensible I'm thinking well there's your old perl shining through and when it crashes spectacularly I think of C [02:55]
nkinder: morganfainberg: haha.  Hadn't seen that before [02:56]
morganfainberg: mfisch: if you can get Python to segfault in pure Python (not ctypes or c bindings) you can claim your Python works like c ;) [02:57]
mfisch: I've been dealing with some non-enjoyable openvswitch segfaults this week already [02:57]
morganfainberg: Be glad it isn't multithreaded coroutines. Yes, that was a past life of debugging. GDB is awful at coroutine boost debugging. [02:58]
morganfainberg: And don't try to understand multithreaded coroutine as a concept. [02:59]
mfisch: well there's some good news about being an operator, part of a failure like this is calling someone else [03:00]
mfisch: I still get the pages though [03:00]
*** dims_ has quit IRC [03:01]
morganfainberg: Also my past life. It's why I develop software now instead. I much rather debug than be called in the middle of the night (as the front line) [03:02]
*** dims_ has joined #openstack-keystone [03:02]
mfisch: it's a different experience for sure [03:02]
morganfainberg: mfisch: https://twitter.com/mdrnstm/status/522583606699769857 [03:04]
mfisch: is that the large hole at the top? [03:05]
*** dims_ has quit IRC [03:06]
morganfainberg: Maybe. [03:10]
openstackgerrit: Nathan Kinder proposed a change to openstack/keystone: Update python-ldap version used for testing  https://review.openstack.org/128816 [03:14]
morganfainberg: nkinder: that have a requirements (global) change? [03:15]
morganfainberg: nkinder: if it's already in global reqs the bot should auto propose the change. [03:16]
nkinder: morganfainberg: nope, it must be coming from there - https://github.com/openstack/requirements/blob/master/global-requirements.txt [03:17]
rodrigods: morganfainberg, nkinder, did you see https://bugs.launchpad.net/keystone/+bug/1381843 ? [03:17]
uvirtbot: Launchpad bug 1381843 in keystone "keystone isn't compatible with python-ldap 2.4.* when enable paging" [Undecided,New] [03:17]
morganfainberg: rodrigods: yep. [03:17]
rodrigods: or are you talking about it and I just interrupting ? [03:17]
nkinder: rodrigods: looks like a dupe of https://bugs.launchpad.net/keystone/+bug/1381768 [03:17]
uvirtbot: Launchpad bug 1381768 in keystone "AttributeError: 'module' object has no attribute 'LDAP_CONTROL_PAGE_OID' with python-ldap 2.4" [Undecided,In progress] [03:17]
morganfainberg: Not interrupting but it has been discussed. [03:17]
nkinder: rodrigods: which I just fixed [03:18]
morganfainberg: nkinder: ++ yep [03:18]
rodrigods: morganfainberg, nkinder, cool =) [03:18]
nkinder: morganfainberg: so I need to propose a change to global-requirements.txt, right? [03:18]
morganfainberg: nkinder: yeah. [03:18]
nkinder: morganfainberg: does that mean I should abandon my patch for test-requirements.txt? [03:18]
morganfainberg: Yeah the bot should auto propose once global reqs are updated. [03:19]
morganfainberg: You can bring the patch back if bot gets dumb. But it can't gate until the global reqs are updated. [03:19]
morganfainberg: rodrigods: I'll mark that bug as a dupe. [03:20]
rodrigods: morganfainberg, ++ [03:20]
rodrigods: was checking out lbragstad tracking site [03:20]
morganfainberg: Ah someone beat me to marking as dupe. [03:21]
nkinder: morganfainberg: https://review.openstack.org/#/c/128817/ [03:23]
morganfainberg: nkinder: so your patch to keystone needs to merge before that one right? [03:27]
*** harlowja is now known as harlowja_away [03:32]
morganfainberg: nkinder: sadly we don't gate against ldap [03:32]
*** harlowja_away is now known as harlowja [03:34]
openstackgerrit: A change was merged to openstack/python-keystoneclient: Explicit complaint about old OpenSSL when testing  https://review.openstack.org/123619 [03:37]
*** richm has quit IRC [03:52]
*** lhcheng has quit IRC [04:19]
*** lhcheng has joined #openstack-keystone [04:19]
*** marcoemorais has joined #openstack-keystone [04:22]
*** lhcheng has quit IRC [04:24]
*** marcoemorais1 has joined #openstack-keystone [04:24]
*** marcoemorais has quit IRC [04:27]
nkinder: morganfainberg: I don't think the merge order matters [04:39]
nkinder: morganfainberg: my new test passes with version 2.3 or 2.4 [04:39]
nkinder: morganfainberg: the existing tree doesn't have a test that fails in 2.4 since it doesn't cover paged results [04:40]
nkinder: morganfainberg: so we *should* be good either way in terms of the gate [04:40]
openstackgerrit: Nathan Kinder proposed a change to openstack/keystone: Use newer python-ldap paging control API  https://review.openstack.org/128782 [04:43]
morganfainberg: Ok [04:59]
*** lhcheng has joined #openstack-keystone [05:05]
*** lhcheng has quit IRC [05:08]
*** lhcheng has joined #openstack-keystone [05:09]
*** alex_xu has quit IRC [05:12]
*** _cjones_ has joined #openstack-keystone [05:13]
*** drjones has joined #openstack-keystone [05:14]
*** swamireddy has joined #openstack-keystone [05:15]
*** _cjones_ has quit IRC [05:18]
*** drjones has quit IRC [05:20]
*** _cjones_ has joined #openstack-keystone [05:20]
*** _cjones_ has quit IRC [05:25]
*** k4n0 has joined #openstack-keystone [05:29]
*** HenryG has quit IRC [05:36]
*** harlowja is now known as harlowja_away [05:41]
*** dims_ has joined #openstack-keystone [06:03]
*** swamireddy has quit IRC [06:03]
*** renlt has quit IRC [06:06]
*** dims_ has quit IRC [06:07]
*** topol has quit IRC [06:19]
stevemar: nkinder you certainly bring a point of view that the rest of us don't seem to have [06:23]
*** lufix has joined #openstack-keystone [06:28]
*** lhcheng has quit IRC [06:29]
*** lhcheng has joined #openstack-keystone [06:45]
*** shakamunyi has quit IRC [06:46]
openstackgerrit: Marek Denis proposed a change to openstack/python-keystoneclient: Fix mappings.Mapping docstring  https://review.openstack.org/128615 [06:49]
*** shakamunyi has joined #openstack-keystone [06:49]
*** shakamunyi has quit IRC [06:56]
*** nellysmitt has joined #openstack-keystone [07:01]
*** alex_xu has joined #openstack-keystone [07:06]
*** afazekas has joined #openstack-keystone [07:17]
*** lhcheng has quit IRC [07:20]
*** HenryG has joined #openstack-keystone [07:20]
*** lhcheng has joined #openstack-keystone [07:21]
*** samuelms_home has quit IRC [07:25]
*** lhcheng has quit IRC [07:26]
*** lufix has quit IRC [07:46]
*** stevemar has quit IRC [07:54]
*** henrynash has joined #openstack-keystone [07:55]
*** henrynash has quit IRC [08:08]
*** jistr has joined #openstack-keystone [08:09]
*** henrynash has joined #openstack-keystone [08:15]
*** henrynash has quit IRC [08:16]
*** henrynash has joined #openstack-keystone [08:17]
*** vb has quit IRC [08:33]
*** vb has joined #openstack-keystone [08:33]
*** renlt has joined #openstack-keystone [09:17]
*** alex_xu has quit IRC [09:18]
*** bdossant has joined #openstack-keystone [09:36]
*** aix has joined #openstack-keystone [09:38]
openstackgerrit: Christian Berendt proposed a change to openstack/keystone: Log the username when using an invalid username or password  https://review.openstack.org/128860 [09:44]
*** kenjiro__ has quit IRC [09:46]
*** renlt has quit IRC [10:03]
*** shikui_ has joined #openstack-keystone [10:05]
*** Kui has quit IRC [10:08]
*** nellysmitt has quit IRC [10:08]
*** nellysmitt has joined #openstack-keystone [10:09]
*** renlt has joined #openstack-keystone [10:12]
*** nellysmitt has quit IRC [10:13]
*** topol has joined #openstack-keystone [10:13]
*** openstackgerrit has quit IRC [10:19]
*** openstackgerrit has joined #openstack-keystone [10:19]
*** renlt has quit IRC [10:31]
*** dims_ has joined #openstack-keystone [10:58]
*** amakarov_away is now known as amakarov [11:02]
*** marcoemorais1 has quit IRC [11:11]
openstackgerrit: Christian Berendt proposed a change to openstack/keystone: Log the username when using an invalid username or password  https://review.openstack.org/128860 [11:11]
*** shikui__ has joined #openstack-keystone [11:33]
*** shikui_ has quit IRC [11:36]
*** diegows has joined #openstack-keystone [11:47]
*** radez_g0n3 is now known as radez [12:04]
*** topol has quit IRC [12:32]
*** diegows has quit IRC [12:35]
*** bknudson has joined #openstack-keystone [12:47]
*** miqui has joined #openstack-keystone [13:01]
*** ayoung has joined #openstack-keystone [13:06]
rodrigods: bknudson, there? do you have some time to check the HM patch again? https://review.openstack.org/#/c/117784/ [13:07]
bknudson: rodrigods: not today [13:08]
rodrigods: bknudson, ok, another day then, thanks [13:09]
*** ayoung has quit IRC [13:12]
*** thiagop has joined #openstack-keystone [13:14]
*** r-daneel has joined #openstack-keystone [13:15]
*** richm has joined #openstack-keystone [13:23]
thiagop: Hi henrynash ! [13:24]
*** vhoward has joined #openstack-keystone [13:24]
thiagop: henrynash: our team has finished a PoC of using the endpoint policy to enforce rules on Horizon. Do you want to take a look? Maybe you have some insights to help us to improve this to a usable approach... :) [13:25]
henrynash: thiagop: yes..would love to take a look [13:25]
thiagop: henrynash: It's very crude. I put it on my github so you can look/clone: https://github.com/tpborion/horizon/compare/poc-endpoint-policy?expand=1 [13:27]
henrynash: will go through it later….thanks [13:27]
thiagop: henrynash: Some assumptions made in this design are here: https://etherpad.openstack.org/p/poc-endpoint-policy-horizon [13:31]
*** shikui__ has quit IRC [13:34]
*** ayoung has joined #openstack-keystone [13:36]
*** ayoung has quit IRC [13:36]
*** thedodd has joined #openstack-keystone [13:42]
*** gordc has joined #openstack-keystone [13:45]
*** shufflebot has quit IRC [13:48]
*** zzzeek has joined #openstack-keystone [13:55]
*** sigmavirus24_awa is now known as sigmavirus24 [13:56]
*** sigmavirus24 has left #openstack-keystone [13:59]
*** nellysmitt has joined #openstack-keystone [14:05]
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/keystone: Merge tag '2014.2'  https://review.openstack.org/128930 [14:05]
*** henrynash has quit IRC [14:14]
*** david-lyle has joined #openstack-keystone [14:16]
*** henrynash has joined #openstack-keystone [14:16]
*** amerine_ has joined #openstack-keystone [14:17]
*** amerine has quit IRC [14:17]
*** zarric has quit IRC [14:18]
*** packet has joined #openstack-keystone [14:22]
*** ayoung has joined #openstack-keystone [14:26]
bknudson: what are these ^? [14:27]
henrynash: thiagop: yeh, that’s neat! [14:29]
*** thedodd has quit IRC [14:29]
*** thedodd has joined #openstack-keystone [14:31]
ayoung: thiagop is there a way to get Django to reread and reinitialize its config without dropping connections?  If so, then the "IT WILL NOT BE RELOADED"  will use that to reread the policies? [14:32]
*** k4n0 has quit IRC [14:40]
thiagop: ayoung: I use an option in L76 that disables the reloading. By today's implementation of policy.py from oslo, the only reload that can be made is if the policy is a file. [14:41]
ayoung: thiagop, what happens if I restart  Horizon's web server? [14:41]
thiagop: ayoung: It gets reloaded, yes. [14:42]
ayoung: thiagop, does the response from fetching the policy URL get held in memory or on disk [14:42]
thiagop: ayoung: in memory. [14:43]
ayoung: thiagop, so each user logging in will re-request the file from Keystone? [14:43]
* ayoung not sure of the HTTPD threading model in effect [14:43]
ayoung: does that code get run before the users request thread forks off [14:44]
ayoung: clones to be pedantic [14:44]
ayoung: ? [14:44]
thiagop: ayoung: good question. I thought that it was loaded once and used to all users, but the threading can prevent that [14:45]
ayoung: thiagop, just worth keeping in mind.   Caching and refreshing is always a concern when one service calls another [14:46]
ayoung: thiagop, for example, we don't currently have a good cache invalidation strategy for the certs used in PKI tokens [14:46]
ayoung: not a problem until your certs expire [14:47]
thiagop: ayoung: currently, we are working in a way to notify horizon if a policy was changed in keystone. It's a 3rd step on our plans. [14:47]
*** amakarov has quit IRC [14:47]
*** amakarov has joined #openstack-keystone [14:48]
ayoung: thiagop, thanks for doing this...this is vital to Keystone [14:48]
*** openstackgerrit has quit IRC [14:48]
*** openstackgerrit has joined #openstack-keystone [14:49]
thiagop: ayoung: do you think there is a too huge impact on keystone's performance if the policy is probed when each individual user logs in? [14:49]
ayoung: thiagop, alone, no, but the aggregate of calls from Horizon to Keystone might get excessive [14:49]
ayoung: just keep it in mind;  we can always work on optimizing it once we get things working [14:50]
thiagop: ayoung: absolutely. ;) [14:51]
ayoung: thiagop, it really depends on the scale of the deployment, too.  If this is a single Horizon and a single Keystone, Nova, Glance etc, and it's not getting hammered, it really doesn't matter [14:51]
openstackgerrit: Lance Bragstad proposed a change to openstack/keystone: Remove XML support  https://review.openstack.org/125738 [14:51]
*** stevemar has joined #openstack-keystone [14:51]
ayoung: if it is at scale, then there will be load balancing and session affinity issues to keep in mind. [14:51]
ayoung: Drive on,  I'm just making sure I understand what is going on, and my Horizon-Fu is still in the White-Belt stage (to mix terms from different Martial Arts) [14:52]
amakarov: ayoung, could you please look as well at https://review.openstack.org/#/c/118590/ and https://review.openstack.org/#/c/120043/ ? [14:53]
thiagop: ayoung: Mine is kinda yellow belt. But I'm making the exam to green shortly. :) [14:53]
ayoung: amakarov, depends.  What have you done for me recently? [14:53]
ayoung: amakarov, Ah, you did those reviews for me.  Yes and Yes! [14:53]
amakarov: ayoung, tomorrow we discussed trust delegations [14:53]
ayoung: amakarov, BTW, there is something else we can do to shrink tokens that will have an even bigger impact [14:54]
ayoung: amakarov, with PKIZ  it turns out that the signing is still done in an ASCII format (PEM) instead of DER.  I have yet to figure out how to get Python 3's POpen to honor the binary output [14:55]
amakarov: ayoung, that'd be nice but for now my only idea is packing token somehow more compact than base64 encoding :) [14:56]
ayoung: amakarov, 25%  reduction for unscoped, 50% for scoped [14:56]
ayoung: amakarov, https://review.openstack.org/#/c/127533/ [14:57]
ayoung: dstanek, any idea how to make that work? [14:57]
amakarov: ayoung, so I'm to research how to replace PEM with DER? [14:57]
ayoung: dstanek, I want to popen a file, and get binary output from the pipe [14:58]
ayoung: amakarov, if you are so driven, yes! [14:58]
ayoung: amakarov, I've also bugged gsilvis to work on the issue, as he is doing a bunch of stuff with the PKIZ tokens: figuring out which cert to use in a multiple cert use case [14:59]
ayoung: amakarov, http://adam.younglogic.com/2014/10/who-signed-that-token/ [14:59]
*** jorge_munoz has joined #openstack-keystone [14:59]
*** zarric has joined #openstack-keystone [15:00]
amakarov: ayoung, so certification changes and unnecessary spaces removal may be joined? Or it's better to do one thing at a time? [15:01]
ayoung: one at a time [15:04]
amakarov: ayoung, btw what's the point of signing with openssl using Popen? Isn't there any library to do that? [15:04]
dstanek: ayoung: catching up - are you talking about that review? [15:05]
ayoung: amakarov, changing the underlying format of the PKIZ tokens might have side effects if deployment is done out of order, so we want to make sure we get it right before committing anyway [15:05]
ayoung: dstanek, the reason the py3 test failed [15:05]
ayoung: dstanek, the openssl popen puts der format (binary) into std out [15:05]
ayoung: dstanek, let me see if I can show you the erroneous output [15:06]
amakarov: ayoung, definitely a thing to consider [15:06]
ayoung: dstanek, http://logs.openstack.org/33/127533/1/check/gate-python-keystoneclient-python33/54d4355/testr_results.html.gz [15:07]
dstanek: ayoung: just pulled your change so i can run it locally [15:07]
ayoung: dstanek, so the failing tests are [15:07]
ayoung: test_cached_revoked_pkiz [15:07]
ayoung: etc [15:07]
ayoung: dstanek, I might be able to set you up with a better test env, too, lets see [15:08]
dstanek: ayoung: so you are expecting a 401 unauthorized, but the actual response is 200 OK? [15:09]
ayoung: dstanek, I tend to use the code in python-keystoneclient/examples/pki/gen_cmsz.py [15:09]
ayoung: dstanek, the 200 is a scary failure mode [15:10]
ayoung: since the token should be invalid... [15:10]
dstanek: ayoung: yeah, that's what i was thinking too [15:10]
ayoung: that is a separate issue, though [15:10]
ayoung: a 401 would mask the problem.  I'd almost prefer a 500 at this point [15:11]
*** zarric has quit IRC [15:13]
ayoung: dstanek, ok,  so to run the code, I've activated the py3 venv from tox and then [15:15]
ayoung: python3 -mpdb gen_cmsz.py [15:15]
ayoung: putting a break point at [15:15]
ayoung: line 105 [15:15]
ayoung: encoded = cms.pkiz_sign(text, [15:15]
ayoung: dstanek, OK, maybe I am jumping the conclusion gun [15:18]
ayoung: /opt/stack/python-keystoneclient/keystoneclient/common/cms.py(205)pkiz_sign() [15:18]
ayoung: (Pdb) print signed [15:18]
ayoung: b'0\x82\x07\ [15:18]
* ayoung removed the endless debugging, but you can see it is in binary form [15:19]
dstanek: ayoung: in that test inform is set to DER - is that correct? [15:19]
ayoung: yes [15:19]
ayoung: dstanek, cms_sign_data(text, is called with [15:19]
ayoung: PKIZ_CMS_FORM) [15:19]
dstanek: when i run that same test in 27 it's PEM [15:19]
ayoung: (Pdb) print PKIZ_CMS_FORM [15:19]
ayoung: 'DER' [15:19]
ayoung: dstanek, you have the wrong version of the patch [15:20]
ayoung: if you are seeing PEM you have what is in  master [15:20]
ayoung: oh, wait [15:20]
ayoung: I'm not in the test, I'm in the cmsz code [15:20]
ayoung: dstanek, are you seeing that in the verify or the sign call? [15:21]
ayoung: py33: commands succeeded [15:22]
ayoung: gah [15:22]
*** gyee has joined #openstack-keystone [15:24]
*** nellysmitt has quit IRC [15:24]
*** nellysmitt has joined #openstack-keystone [15:25]
dstanekthat15:25
dstanek's  the verify15:25
ayoungdstanek, OK,  it might be old data, but then the verify should fall back to dealing with PEM anyway15:25
ayoungdstanek, see the code line 142 if formatted.startswith(CMS_PREFIX)15:26
ayounghttps://review.openstack.org/#/c/127533/1/keystoneclient/common/cms.py,cm15:27
dstanekayoung: it doesn't ever get to that 'if'15:29
ayoung?15:29
*** nellysmitt has quit IRC15:29
ayoungdstanek, I just ran the unit tests successfully using tox -epy3315:29
dstanekformatted seems to be bytes in Python315:29
dstanekwhat did you change?15:29
ayoungdstanek, no clue15:30
ayounglet me git clean15:30
dstanekthe problem i am having is the mixing of bytes and strings15:30
ayoungRan 976 tests in 2.943s (-0.570s)15:31
ayoungPASSED (id=330, skips=315:31
ayoungdstanek, so the check  if isinstance(formatted, six.string_types):  is returning false for you and bypassing the next block, because the data is in binary?15:32
ayoungFedora vs Ubuntu difference in Python verisions?15:33
ayoungPython 3.3.2  for me15:33
dstanekayoung: yes - so it used the DER inform because that is passed into the function15:33
ayoungdstanek, what used the DER inform?15:34
ayoungwhich function?15:34
dstanekcms_verify15:35
ayoungdstanek, does your file match the code https://review.openstack.org/#/c/127533/1/keystoneclient/common/cms.py,cm15:35
ayoungso you are saying what happens after?15:36
ayoungyou are saying that formatted is not a six.string type so it doesn't change the inform and so on?15:36
stevemarlbragstad, you get my thanks for taking on the xml removal support and not complaining15:36
lbragstadstevemar: hah, it's not over yet :)15:37
dstanekayoung: yes, it's a byte string15:37
ayoungdstanek, ok...I think I need to merge in the test data changes with the code changes15:37
ayounghttps://review.openstack.org/#/c/127534/15:37
dstanekwhy is the test data string data instead of byte data?15:37
ayoungnow that I look at that review, it only fails when check-tempest-dsvm-neutron-icehouse15:37
ayoungbut...15:37
ayoungI think that is dangerous,  so I will rework my patch so that it passes even with the old sample data...OK I think I know what I need to do15:38
ayoungthanks15:38
*** shakamunyi has joined #openstack-keystone15:38
dstanekayoung: at runtine does that data come in as bytes in Python3?15:39
*** jistr has quit IRC15:40
dstanekoh, wait. we probably don't have anyone using that middleware in Python3 yet15:40
ayoungdstanek, I think I was fooling myself that it did15:40
ayoungdstanek, I don't think I ran the tests with the old, pre-recreated sample data15:40
ayoungso I was getting a false negative when I ran...I ran with the wrong review15:41
ayoungnow that I have the right one, I see the failure.15:41
ayoungI can fix and rebase15:41
dstanekit's not the data that's broken. the fixture reads the data in as strings for the sample data, but generates bytes15:41
*** richm has quit IRC15:42
ayoungdstanek, OK,   so if I have bytes...how should I be doing the comparison?15:42
ayoungdstanek, how are you running the tests in a debugger?15:44
ayoungactivate the venv and then run...?15:44
ayoungtestr?  nose?15:45
dstanektox -e py33 -- test_cached_revoked_pkiz15:45
ayoungdstanek, and import pdb;  pdb.set_trace()  ?15:45
dstaneki was just doing: raise Exception(repr(formatted))15:46
dstanekbut pdb would work doo15:46
dstanektoo15:46
ayoungdstanek, I did that, and saw no information15:49
ayoungDOH scrolled off the screen15:50
* ayoung needs more cofffeeeee15:50
ayoungno,  I don't get a stack trace15:51
*** thedodd has quit IRC15:53
ayoungdstanek, you are just running tox -e py33 -- test_cached_revoked_pkiz  and you see a trace that shows the result of raise Exception(repr(formatted))  in the first line or so of cms_verify15:53
ayoungI get bupkis15:54
*** david-lyle has quit IRC15:54
ayoung http://paste.openstack.org/show/121500/15:54
dstanekreally? i put it as the first line of the function so that i know it was executed15:54
*** richm has joined #openstack-keystone15:55
ayounghow does the venv find the code?  I thought it was a symlink to  the git repo15:55
ayoungI did a git clean -xdf15:55
*** jorge_munoz has quit IRC15:55
ayoungand the .pyc files are generated when I run tox15:56
ayoungbut pdb doesn't work either15:56
ayounghttp://paste.openstack.org/show/121501/  just that  change15:56
*** jistr has joined #openstack-keystone16:00
stevemardstanek, ping16:02
*** jorge_munoz has joined #openstack-keystone16:03
dstanekayoung: hacking on this a little now to understand it16:03
dstanekstevemar: heya16:03
ayoungstevemar, no, don't please don't kidnap dstanek on me!16:04
stevemardstanek, i was wondering if you could check https://review.openstack.org/#/c/128788/ to see why PolicyJsonTestCase is not catching the diff. But... it looks like the 2 policy files have been different for a while now16:05
stevemarI can dig into it on my own16:05
stevemarayoung, he's all yours16:05
ayoungthanks16:05
ayoungdstanek, OK,  running with nose gets me more info, but pdb still doesn't work...16:06
*** _cjones_ has joined #openstack-keystone16:07
ayoungbut the raise call now shows output16:07
dstaneknose with --pdb?16:07
*** aix has quit IRC16:07
ayoungdstanek, ah, not import pdb; pdb.set_trace()16:07
ayounglet me try with the switch. too16:07
samuelmsdstanek, I wrote an etherpad listing some possible improvements on tests .. as we've discussed some days ago16:08
samuelmsdstanek,16:08
samuelmsdstanek, https://etherpad.openstack.org/p/Keystone_Tests_Improvement16:08
dstanekayoung:  you have to still set_trace, but you need to tell nose you are going to do it with --pdb16:08
dstaneksamuelms: yes, i read over them briefly, but i haven't had a chance to think about them16:09
dstaneksamuelms: some of them seem like fix the code (like many of the NotImplemented calls)16:09
samuelmsdolphm, henrynash ^16:09
ayoung nosetests --pdb  keystoneclient.tests.test_auth_token_middleware.v3AuthTokenMiddlewareTest16:09
dstaneksamuelms: and there are some reviews for those now16:09
ayoungand I get16:09
ayoungE> /usr/lib64/python3.3/pdb.py(1587)post_mortem()16:09
ayoung-> raise ValueError("A valid traceback must be passed if no "16:09
*** lhcheng has joined #openstack-keystone16:10
samuelmsdstanek, hmm.. I'll look for those submitted bugs related to those proposals16:11
*** nellysmitt has joined #openstack-keystone16:11
samuelmsI left a space for discussions on each section .. feel free to add your comments there16:11
*** openstackstatus has joined #openstack-keystone16:13
*** ChanServ sets mode: +v openstackstatus16:13
*** marcoemorais has joined #openstack-keystone16:14
samuelmsbknudson, thanks for your comments on 'skipping tests'16:15
ayoungdstanek, well, now I got the tests to pass for Python3 but fail for 216:16
ayoungum...yay?16:16
samuelmsbknudson, I don't understand why it takes longer to write code ..16:16
samuelmsbknudson, we just should use assertRaises instead of skip ..16:16
-openstackstatus- NOTICE: An error in a configuration change to mitigate the poodle vulnerability caused a brief outage of git.openstack.org from 16:06-16:12. The problem has been corrected and git.openstack.org is working again.16:19
*** david-lyle has joined #openstack-keystone16:21
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Honor the inform and outform parameters  https://review.openstack.org/12753316:22
*** lsmola has quit IRC16:29
*** shakamunyi has quit IRC16:30
*** sigmavirus24 has joined #openstack-keystone16:34
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Fixes sample data for PKIZ format  https://review.openstack.org/12753416:34
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Updates sample data for PKIZ format  https://review.openstack.org/12753416:35
*** wwriverrat has joined #openstack-keystone16:36
*** wwriverrat has left #openstack-keystone16:36
*** jorge_munoz has quit IRC16:36
*** jorge_munoz has joined #openstack-keystone16:40
*** lsmola has joined #openstack-keystone16:44
bknudsonsamuelms: it takes longer if I -1 a change and then have to wait for a new patch set.16:45
bknudsonthis is what people complain about all the time.16:45
morganfainbergmornin16:54
*** dims_ has quit IRC16:55
*** dims_ has joined #openstack-keystone16:55
dstanekstevemar: still having that issue?17:01
*** bdossant has quit IRC17:03
samuelmsbknudson, yes .. that's true17:04
*** bdossant has joined #openstack-keystone17:05
*** _cjones_ has quit IRC17:06
*** _cjones_ has joined #openstack-keystone17:06
*** topol has joined #openstack-keystone17:07
*** _cjones_ has quit IRC17:07
*** _cjones_ has joined #openstack-keystone17:07
*** bdossant has quit IRC17:10
*** drjones has joined #openstack-keystone17:12
*** _cjones_ has quit IRC17:12
rodrigodshenrynash, there?17:12
*** thedodd has joined #openstack-keystone17:18
*** harlowja_away is now known as harlowja17:19
stevemardstanek, yo17:26
stevemardstanek, so i'm not sure, turns out the test only checks to see if the *keys* are the same, not the *values*17:27
stevemari'm not sure if we should be testing values or not17:27
stevemarthoughts?17:27
dstaneki think when i wrote the test the values were not the same17:27
dstaneki remember someone saying that they need a rule for each key, but the rules would differ17:28
dstanekbecause if they didn't, then there would be no need to have two files17:28
dstanekstevemar: ^17:28
stevemardstanek, that makes sense17:29
stevemarthank you sir17:29
dstanekstevemar: ma, pleasure17:29
stevemari'll stop going down that rabbit hole17:29
amakarovayoung, about token signing: why use Popen to spawn openssl CLI while openssl library can be used via python ctypes?17:31
*** jorge_munoz has quit IRC17:32
henrynashrodigods: hi17:33
dstanekamakarov: there was some trouble doing that IIRC17:34
*** bdossant has joined #openstack-keystone17:34
amakarovdstanek, so it's a temporary solution?17:35
dstanekamakarov: it's permanent until someone creates a better way17:35
amakarovdstanek, noted :)17:36
dstanekamakarov: ayoung might better remember the troubles he was having17:36
rodrigodshenrynash, are you ok with using a for loop to avoid loops in the HM methods?17:37
amakarovdstanek, thank you, I'll ask him17:37
henrynashrodigods: depends what the condition is to terminate :-)17:38
rodrigodshenrynash, we have a max_tree_depth config17:38
*** bdossant has quit IRC17:39
rodrigodswe can use it, just need to get the code from the third patch to the second17:39
henrynashrodigods: so that’s one way…17:39
henrynashrodigods: isn’t another to just check if the child you get is already in the list of ids you’ve already seen?17:40
rodrigodshenrynash, I'm not an absolute fan of that approach, because we add a new O(n) in the method complexity17:41
henrynashO(n)17:41
henrynash?17:41
rodrigodshenrynash, wait... we can use set(), right? =)17:41
*** dims_ has quit IRC17:42
*** dims_ has joined #openstack-keystone17:42
henrynashrodigods: not sure if that stops the infinite recursion…17:45
henrynashrodigods: what’s wrong with:17:46
henrynashif ref in children:17:46
henrynash    if ref in subtree:17:46
henrynash        raise error17:46
*** thedodd has quit IRC17:47
henrynashsorry should be a for loop on the first line…I’ll add it as a suggestion to the review and then you can shoot it down :-)17:47
openstackgerritAndre Aranha proposed a change to openstack/keystone: Extracting Method  https://review.openstack.org/12900917:47
rodrigodshenrynash, ++17:47
*** arborism has joined #openstack-keystone17:47
*** arborism has quit IRC17:48
*** leonchio_ has joined #openstack-keystone17:52
henrynashrodigods: added17:53
rodrigodshenrynash, thanks17:56
*** thedodd has joined #openstack-keystone18:05
rodrigodshenrynash, suggestion for the error that will be raised?18:12
henrynashrodigods: so I wrote one similar somewhere…let me find it…18:13
*** bdossant has joined #openstack-keystone18:13
openstackgerritA change was merged to openstack/keystone: Restrict certain APIs to cloud admin in domain-aware policy  https://review.openstack.org/12878818:16
*** bdossant has quit IRC18:17
henrynashrodigods:  so I did one in contrib/endpoint_policy/core.py18:18
henrynash                if region_id in regions_examined:18:18
henrynash                    msg = _LE('Circular reference or a repeated entry found '18:18
henrynash                              'in region tree - %(region_id)s.')18:18
henrynash                    LOG.error(msg, {'region_id': ref.region_id})18:18
henrynash                    return18:18
henrynashi.e. log an error and break out of the while loop18:18
rodrigodshenrynash, ++18:18
*** gsilvis has quit IRC18:19
rodrigodsthanks18:19
*** lvh has quit IRC18:20
openstackgerritAndre Aranha proposed a change to openstack/keystone: Refactor: create a helper function to create users  https://review.openstack.org/12900918:20
*** lvh has joined #openstack-keystone18:22
openstackgerritAndre Aranha proposed a change to openstack/keystone: Refactor: create a helper function to create users  https://review.openstack.org/12900918:25
ayoungamakarov, http://adam.younglogic.com/2014/06/why-popen-for-openssl-calls/18:25
ayoungamakarov, I'm willing to listen to a better suggestion.  Especially now that HTTPD is the default18:27
morganfainbergayoung: there *has* to be a better option.18:28
morganfainbergBut popen works for us for now.18:28
ayoungmorganfainberg, I think Popen makes the most sense for Eventlet, but a ctypes approach for HTTPD would be fine, so long as it does not lock the gil18:29
morganfainbergIt doesn't make sense for eventlet really. Iirc popen doesn't yield.18:29
morganfainbergOh god ctypes. Scary18:29
amakarovayoung, I understand C-extensions to Python have some problems running in greenlet environments. There is cffi to use instead of ctypes. They promise to support PyPy, so I hope it may be the chance18:30
morganfainbergamakarov: it's why mysqldb locks up the eventlet worker.18:30
ayoungamakarov, do your homework and I'll be more than happy to endorse a reasonable replacement18:30
amakarovbut I haven't done any research yet18:30
morganfainbergayoung: if Python wasn't so bad at crypto I'd advocate pure python impl18:32
ayoungI'd smack you with a wet sock full of flour18:33
morganfainbergayoung: but right now it isn't worth the effort to make that really viable.18:33
morganfainbergLet alone the other issues associated with it.18:33
ayoungit's not just that python is bad at crypto18:33
*** afazekas has quit IRC18:33
ayoungit's that we want to use the best reviewed implementation of the crypto algorithms18:33
ayoungof course, OpenSSL is kind of hurting reputation these days18:33
ayoungbut to be fair, POODLE was not openssl specific, was it18:34
morganfainbergThat was the implication18:34
morganfainbergI dunno. It might be OpenSSL specific18:34
morganfainbergNot many things rely on that version, so it might be a hold over.18:35
morganfainbergBut I am guessing poodle was not OpenSSL specific18:35
amakarovFor now I didn't see any rocket science in ssl usages18:35
*** wpf has quit IRC18:39
*** wpf has joined #openstack-keystone18:44
*** diegows has joined #openstack-keystone18:45
dstanekmorganfainberg: our own impl of a crypto algorithm shouldn't get past a security review18:47
dstanekstevemar: i can't parse that email18:48
rodrigodsmorganfainberg,  feature branch needs rebase https://review.openstack.org/#/c/117784/ ?18:48
morganfainbergdstanek, no i was thinking pure python = something out there that is well reviewed and maintained18:52
morganfainbergdstanek, not something we implement here.18:52
morganfainbergdstanek, and only for us18:52
morganfainbergdstanek, but i don't think it'll ever happen18:52
morganfainbergrodrigods, i'll try and get that rebased today.18:53
morganfainbergrodrigods, for you.18:53
dstanekit would be nice to get this stuff into the cryptography library18:53
amakarovayoung, I have a crazy idea: what if we wrap libssl & libcrypto in a service? Daemon with HTTP(or simpler) interface written in C?18:53
ayoungamakarov, I addressed that in my blog post.18:54
ayoungit doesn't solve anything18:54
stevemardstanek, my email or OPs?18:54
morganfainbergamakarov, it's a whole lot worse than we have now actually, it implies less control18:54
dstanekstevemar: the OPs18:54
amakarovayoung, oops, continue reading )18:54
ayoungwelll, not as a service, but then, you'd  lost all sense of trust18:54
morganfainbergayoung, ++18:54
ayoungamakarov, I talk about having a dedicated project18:54
ayoungprocess18:55
stevemardstanek, oh theres a follow up18:55
ayoungand that serializes things you don't want serialized.  A stand alone services would still have that problem18:55
dstaneki don't see that - just the OP and your response18:55
ayoungamakarov, but keep up the thought experiments.18:55
morganfainbergayoung, hm.18:56
morganfainbergayoung, i have a fleeting thought let me try something18:56
ayoungamakarov, I'd really like to be able to swap in NSS for OpenSSL, too, and be able to use  the versions that made common criteria and FIPS 1** compliance18:56
ayounguh oh18:56
dstanekstevemar: does he just want to use Kerberos and LDAP?18:57
*** gsilvis has joined #openstack-keystone18:57
rodrigodsmorganfainberg, ++ thanks18:57
*** jistr has quit IRC18:59
*** boris-42 has quit IRC19:02
stevemardstanek, i honestly can19:02
stevemarcan't tell19:02
*** marcoemorais has quit IRC19:03
dstanekbased on the follow up i think yes19:03
*** marcoemorais has joined #openstack-keystone19:03
*** boris-42 has joined #openstack-keystone19:04
morganfainbergbleh, hate it when fleeting thoughts / brain storms end up being more of a light drizzle... just enough to make things damp and annoying19:05
dstanekstevemar: isn't this just the external plugin?19:05
thiagopguys, do we have an option on python-keystoneclient so as to get a token with "nocatalog"?19:06
morganfainbergthiagop, from the CLI or as a library?19:06
thiagopmorganfainberg: lib19:06
morganfainbergthiagop, i am fairly certain it should support that19:07
*** bdossant has joined #openstack-keystone19:07
bknudsonI don't think there's really a way in the client to get a token... there's auth plugins19:07
bknudsonand I think there's a get_raw_token...19:07
thiagopI couldn't find anything on the docs nor on a shallow look on the code...19:08
thiagopit seems useful since it will reduce the size of the token being transmitted to some services in some cases19:09
morganfainberghuh did we not merge a way for ksc to avoid getting a catalog?19:09
ayoungnkinder, so...I've been beating on openstack common client using the Kerberos auth plugin.  So far, no go:19:09
bknudsonthis has gotten to be a huge mess because rather than implementing a low level api for getting a token we've only got the plugins.19:09
ayoung$/usr/bin/openstack --insecure --os-auth-plugin kerberos   --os-project-name demo  --os-project-domain-name Default       hypervisor list19:10
ayoung ERROR: openstack 'username'19:10
bknudsonwhat you would think is a low level api (get_raw_token_from_identity_service) is implemented using plugins19:10
ayoungthere seems to be some weirdness with Stevedore, and I had to hack the Pbr version thing again, too19:10
ayoungbknudson, ?19:11
*** bdossant has quit IRC19:11
ayoungget_raw_token_from_identity_service  uses the plugin to populate the request19:11
ayoungthe HTTP call is handled by the session.19:12
ayoungbknudson, I had to hack in a call "force_reauthenticate" in Django openstack auth that does what you are complaining about:19:12
bknudsonayoung: that does ?nocatalog ?19:13
ayoungbknudson, https://review.openstack.org/#/c/121281/6/openstack_auth/utils.py,cm19:13
ayoungbknudson, nope, but I think I need the catalog19:13
ayoungbknudson, although, good point that ?nocatalog would make sense for initial authentication19:13
bknudsonauth_token middleware has an option to not request the catalog, so it can't be implemented using keystoneclient.19:14
ayoungbknudson, I don't understand19:14
ayoungbknudson, http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token.py#n1431  ?19:15
bknudsonayoung: yes. auth_token gets a token but it's not using keystoneclient to do it.19:16
bknudsonand auth_token can't use keystoneclient since keystoneclient doesn't provide a way to ?nocatalog19:16
ayoungbknudson, there is a fix posted for that19:16
*** gsilvis has quit IRC19:16
bknudsonayoung: to have keystoneclient support ?nocatalog ?19:17
ayoungbknudson, so first we add nocatalog as an option to client, and then19:17
ayoungyep...19:17
ayoungah, no19:17
ayoungthere is a fix to make auth_token use KC19:17
ayoungnot sure if it deals with nocatalog or not...looking19:17
bknudsonok... I wonder how it supports ?nocatalog.19:17
ayoungbknudson, https://review.openstack.org/#/c/115857/19:18
ayoungbknudson, we need jamie back...19:19
bknudsonayoung: tell mrs jamie19:19
bknudsonayoung: https://review.openstack.org/#/c/115857/3/keystonemiddleware/auth_token.py is still not using auth plugin19:20
*** david-lyle_ has joined #openstack-keystone19:20
*** david-lyle has quit IRC19:20
ayoungbknudson, no, I know...I was mis-remembering how far things got19:20
bknudsonit eventually does: response = self._session.request(path, method, **kwargs)19:20
bknudsonso the request goes through a session now.19:21
ayounggyee, on https://review.openstack.org/#/c/115857/  will you OK it if we do your suggestion as a follow on change?19:21
*** gsilvis has joined #openstack-keystone19:22
dstanekso can you not use the external password with the ldap identity backend?19:24
gyeeayoung, yes, that's what auth plugin is for19:25
ayounggyee, so this change can go through?19:25
ayoungremove your -119:25
ayoungor are you saying this change *must* support the config option?19:26
gyeeayoung, see https://review.openstack.org/#/c/113735/19:26
gyeethat's how Jamie approach it19:26
ayounggyee, you are in a rush, and you are confusing me19:26
*** david-lyle_ is now known as david-lyle19:27
ayoungwhat jamie's patch is doing is prep work for the config option you suggest.  I think you are right, just that can be a follow on patch19:27
*** amakarov is now known as amakarov_away19:28
gyeeayoung, that's the end goal, if we want to get there in steps, I am fine with it19:30
ayoung++19:31
ayounggyee, I'm a +2 a it then.  Didn't want you to think I was ignoring you19:31
gyeeayoung, lemme remove the -119:31
bknudsonfile a wishlist bug so we don't forget19:32
gyeebkundson, ++19:33
gyeesorry I mean bknudson19:33
ayoungbknudson, will do.  I think I need it for Kerberos support, and gyee will want it for X50919:33
gyeeayoung, hell yeah! :)19:33
ayounggyee, I'll do a recheck first anyway19:33
gyeek19:33
ayoungah,  needs a manual rebase.19:34
bknudsonI think with the change to requests-mock it's going to need a rebase19:34
ayoungI'll let jamie field it then,  but gyee please remove the -119:34
gyeeayoung, done19:35
ayoungbknudson, do you understand stevedore and how entrypoints get registered?  I'm having erratic results using the kerberos keystone auth plugin that is out of tree19:35
bknudsonayoung: it's been on my list of things to look at for some time and I haven't had a chance.19:36
stevemardolphm, https://review.openstack.org/#/c/128747/19:36
ayoungbknudson, it ties in with the auth plugin thing in that patch:  we should be using entrypoints to enumerate plugins, but sometimes the out-of-tree plugin doesn't seem to get registered, and sometimes it does19:37
bknudsonayoung: scary.19:37
ayoungbknudson, not to mention PBR19:37
morganfainbergayoung, they are in the egg info, you then query the libs: https://pythonhosted.org/setuptools/pkg_resources.html#entry-points19:38
gyeebknudson, this is october, it's supposed to be scary :)19:38
morganfainbergayoung, it's part of setuptools and pkg_resources19:38
morganfainbergpbr just makes extensive use of it, as does stevedore19:38
ayoungmorganfainberg, what determines which eggs get queried for entrypoints on a given run?19:39
morganfainbergayoung, it queries *all* eggs iirc19:39
ayoungmorganfainberg, I wish it were that simple19:39
morganfainbergfor a specific entry point group19:39
ayoungmorganfainberg, sometimes, depending on how I call it, it finds the kerberos plugin, and sometimes it doesn't19:39
morganfainbergstevedore or pkg_resources19:39
ayoungif I import keystoneclient_kerberos it always finds it19:39
morganfainberglook at pkg_resources19:40
dhellmannayoung: the egg containing the entry point has to be installed in sys.path19:40
morganfainbergdhellmann, to the rescue!19:40
ayoungthe DOA code seems to be finding it reliably19:40
dhellmannayoung: https://pypi.python.org/pypi/entry_point_inspector may help you debug19:40
ayoungdhellmann, I did sudo pip install -e .19:40
ayoungfrom inside the python-keystoneclient-kerberos repo19:41
dhellmannayoung: which python package does that install into? (the dir name under site-packages)19:41
dhellmanni.e., is keystoneclient a namespace package?19:41
*** bdossant has joined #openstack-keystone19:41
ayoung$cat /usr/lib/python2.7/site-packages/python-keystoneclient-kerberos.egg-link19:42
ayoung/opt/stack/python-keystoneclient-kerberos19:42
ayoung$cat /opt/stack/python-keystoneclient-kerberos/python_keystoneclient_kerberos.egg-info/entry_points.txt19:43
ayoung[keystoneclient.auth.plugin]19:43
ayoungkerberos = keystoneclient_kerberos.kerberos:Kerberos19:43
dhellmannayoung: ok, so you say "from keystoneclient_kerberos import something"?19:43
ayoungdhellmann, or just import keystoneclient_kerberos and it works19:43
dhellmannayoung: ok, I'm trying to understand the code layout19:44
ayoungdhellmann, so we have this little thing called the openstack common client.  You might have heard mention of it19:44
ayoungheh19:44
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Add a specification for revamping the documentation  https://review.openstack.org/12874719:44
dhellmannayoung: what does "epi group show keystoneclient.auth.plugin" give you?19:45
ayounglet me install epi19:45
ayoungdhellmann, where's epi come from?19:46
*** bdossant has quit IRC19:46
ayoungpip install entry_point_inspector19:46
dhellmannayoung: pip install entry_point_inspector19:46
ayoungdhellmann, its in there19:47
ayounglast line is19:47
ayoung| kerberos       | keystoneclient_kerberos.kerberos     | Kerberos           | python-keystoneclient-kerberos 0.0.1.dev3.g263148b |       |19:47
dhellmannayoung: and how are you running the thing that can't find it?19:47
ayoungdhellmann, varies,  but  it seems to be maybe a new shell thing?19:47
dhellmannayoung: do you have code for loading the plugins that I can look at?19:47
ayounglet me try that19:47
ayoungdhellmann, I have a review19:48
ayoungdhellmann, https://review.openstack.org/#/c/115463/6/openstack_auth/utils.py,cm19:48
ayoungdhellmann, let me try a new shell...19:48
ayoungdhellmann, try this19:50
ayounggit clone the repo, pip install -e .19:50
ayoungand then19:50
ayoung/usr/bin/openstack --insecure --os-auth-plugin kerberos   --os-project-name demo  --os-project-domain-name Default       hypervisor list19:50
ayoungsomething is whack with PBR, too19:51
ayoungI keep getting19:51
ayoung    raise Exception("Versioning for this project requires either an sdist"19:51
ayoungException: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed?19:51
ayoungdhellmann, OK,  bet this is related19:56
ayoungI just did a new ssh to the machine, then19:56
ayoungpython19:56
ayoungand in the interpreter19:56
ayoungimport pbr.version19:56
ayoungpbr.version.VersionInfo( 'keystoneclient_kerberos').version_string()19:56
ayoungraise Exception("Versioning for this project requires either an sdist"19:57
ayoungException: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed?19:57
ayoungI'm going to try just install the thing without pip19:57
ayoungnope...same problem19:58
dhellmannayoung: that pbr error might be causing an import error, but I don't know why you are getting that19:58
ayoungdhellmann, so I did sudo python setup.py install19:58
ayoungsame problem19:59
dhellmanndid you uninstall the editable version first?19:59
ayoungno, let me do that19:59
dhellmannayoung: which version of pbr do you have?19:59
ayoung1.10 something19:59
ayoung pbr==0.10.1.dev8.g81c200019:59
dhellmannyou might be hitting https://bugs.launchpad.net/pbr/+bug/126562220:00
uvirtbotLaunchpad bug 1265622 in pbr "pbr running in git context when it shouldn't" [Undecided,New]20:00
ayoungsure sounds like it20:01
ayoung dhellmann not sure why only the new plugin is showing this behavior20:02
dhellmannayoung: I'm looking at your plugin code now20:02
ayoung| kerberos       | keystoneclient_kerberos.kerberos     | Kerberos           | python-keystoneclient-kerberos 0.0.1.dev3.g263148b | Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed? |20:03
ayoungdhellmann, you need the version from review...20:03
dhellmannayoung: which review?20:03
*** shikui__ has joined #openstack-keystone20:03
ayounghttps://review.openstack.org/#/c/123614/20:03
ayoungdhellmann, the repo is just an empty repo, until that gets in20:03
dhellmannayoung: yeah, saw20:04
*** david-lyle_ has joined #openstack-keystone20:04
dhellmannayoung: which system packages do I need for this plugin to work?20:04
ayoungrequests-kerberos20:05
ayoungthat might pull in all of the kerberos libraries20:05
ayoungprolly kerb-workstation or something like that20:05
*** david-lyle has quit IRC20:06
dhellmanntox -e py27 -r fixed it20:06
ayoungdhellmann, suspect that if you exited out and then back in you would see the problem again20:07
dhellmannI don't have a devstack setup to test this against, but the plugin setup code looks ok20:07
ayoungits pbr.  It can't seem to find the package info20:07
dhellmannayoung: what does this give you: python -c 'import keystoneclient_kerberos; print keystoneclient_kerberos'20:08
ayoung    raise Exception("Versioning for this project requires either an sdist"20:09
ayoungException: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed?20:09
dhellmannayoung: do you have git installed?20:09
ayoungdhellmann, yep20:09
dhellmannayoung: ok, let's clean out the installed stuff you have for that lib and make sure it's not there at all, then reinstall it not in editable mode and see what that does20:10
dhellmannayoung: you might also want to try installing pbr 0.10.0 instead of the dev version you have20:10
ayoungdhellmann, something is wrong with the package name20:11
dhellmannayoung: we could also try setting this up in a virtualenv to see if your system site-packages is borked20:11
ayoung$ sudo pip uninstall python-keystoneclient-kerberos20:11
ayoungCan't uninstall 'python-keystoneclient-kerberos'. No files were found to uninstall.20:11
ayoung-sh-4.2$ sudo pip uninstall python_keystoneclient_kerberos20:11
ayoungCan't uninstall 'python-keystoneclient-kerberos'. No files were found to uninstall.20:11
dhellmannayoung: how did you install it?20:11
*** mpath-rax has left #openstack-keystone20:11
ayoung/usr/lib/python2.7/site-packages/keystoneclient_kerberos/20:12
*** TemporalBeing has quit IRC20:12
dhellmannayoung: what command did you use to install it?20:12
ayoungsudo python setup.py install20:12
dhellmannok, you'll have to remove it by hand then20:12
ayoungdhellmann, OK, guessing something in setup.cfg is wrong20:13
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient-kerberos/tree/setup.cfg20:13
dhellmannayoung: if you don't install it with pip, it doesn't look the same so pip doesn't know how to uninstall it20:13
ayoungwell, its gone now20:13
*** bknudson has quit IRC20:14
dhellmannok, install it again with "pip install ."20:14
ayoung-sh-4.2$ pip freeze | grep kerb20:15
ayoung-e git://git.openstack.org/openstack/django_openstack_auth.git@ff6d7a52cb1067121b77bc389244eab674989149#egg=django_openstack_auth-kerberos20:15
ayoungkerberos==1.1.120:15
ayoung-e git+https://git.openstack.org/openstack/python-keystoneclient-kerberos@263148b11b4585448ec4bdea83405a407ece406a#egg=python_keystoneclient_kerberos-plugin20:15
ayoungrequests-kerberos==0.520:15
dhellmanndid you install it with "pip install -e"?20:15
ayoungnot this time20:15
ayoungdhellmann, let me see if there are vestiges hiding elsewhere20:16
dhellmannok, uninstall it and run pip freeze again -- that -e line says it's looking at your source20:16
dhellmannyeah, it's in a .pth file20:16
ayoungwhere?20:16
dhellmannhang on20:16
dhellmannayoung: /usr/local/lib/python2.7/*-packages/easy-install.pth20:17
ayoungdhellmann, that got rid of one of them20:19
dhellmannayoung: ok, now try installing with "pip install ." again and let's see if pbr still tries to get version info from git20:20
ayoungdhellmann, I still have20:20
ayoung-e git://git.openstack.org/openstack/django_openstack_auth.git@ff6d7a52cb1067121b77bc389244eab674989149#egg=django_openstack_auth-kerberos20:20
ayoungah, disregard20:20
ayoungthat is DOA20:21
ayoungNope20:21
ayoungdhellmann, OK,  so it works immediately after pip install, but if I start a new session (log out and back in) it fails same way20:22
ayounglets see what I have20:22
dhellmannayoung: I have no idea why your login session would have anything to do with python's import machinery20:22
ayoungdhellmann, cuz something loaded it into something that is cached, or a python path, or something20:22
ayoung/usr/lib/python2.7/site-packages/python_keystoneclient_kerberos-0.0.1.dev3.g263148b-py2.7.egg-info/20:23
dhellmannayoung: python doesn't cache things in your shell environment, though20:23
ayoungliar20:23
ayounglet see20:23
ayoung dhellmann I just got a hunch20:27
ayoungdhellmann, I bet it is the _ in the name that is f)(*Y it up20:27
ayounglets take a lookssssseeeee20:27
dhellmannayoung: that shouldn't matter either; why do you think?20:28
ayoungdhellmann, hunch20:28
*** shikui__ has quit IRC20:28
ayoungdhellmann, it does all sorts of string matching, that is why I think the _ is the culprit20:32
ayoungdhellmann, (Pdb) print requirement                                                                    |=>          provider = pkg_resources.get_provider(requirement)20:33
ayoungkeystoneclient-kerberos20:33
ayoungI bet the _  to - transform is messing it up20:33
dhellmannayoung: ah! so it's not just that there is a _, but that there are 2 forms of the name that don't match?20:34
*** nellysmitt has quit IRC20:34
ayoungdhellmann, failing at  /usr/lib/python2.7/site-packages/pbr/version.py  line 43520:34
ayoungprovider = pkg_resources.get_provider(requirement)20:35
dhellmannok, that's not pbr then20:35
*** nellysmitt has joined #openstack-keystone20:35
*** bdossant has joined #openstack-keystone20:36
ayoungdhellmann, as I said, I think it is setup.cfg20:37
ayoungbut, yes, it is pbr20:37
dhellmannayoung: it's not the - to _, it's the "python-" missing from the front20:37
ayoungcuz pbr is a nosy bastid20:37
ayoungthat should not be in the registered name, should it20:37
dhellmannhrm, or maybe not20:37
dhellmannnovaclient does the same thing20:37
ayoungname = python-keystoneclient-kerberos20:38
ayoungthat seems just wrong20:38
ayoungbut keystoneclient does the same thing, too20:38
ayoungI think it is the _to-20:38
*** nellysmitt has quit IRC20:39
ayoungdhellmann, why does this even exist?20:39
ayoungwhy does __init__.py need to say anything about version20:39
dhellmannayoung: I have no idea, I thought you wanted that20:40
ayounggod no20:40
ayoungit is all over the place20:40
dhellmannif you change __name__ to 'python-keystoneclient-kerberos' in your __init__ that will fix it20:40
dhellmannthat's what novaclient does20:41
ayoungdhellmann, http://legacy.python.org/dev/peps/pep-0008/#version-bookkeeping20:41
dhellmannayoung: meh. I use pkg_resources to ask for versions when I want them, I don't depend on having it in the lib20:41
ayoungdhellmann, PBR needs to die20:42
dhellmannayoung: anyway, the fix is to use the right name for the distribution ^^20:42
ayoungor at least pbr.version20:42
ayoungno difference20:44
dhellmannfixed it for me, did you re-install?20:44
ayoungI removed the installed version and went back to pip install -e .20:44
dhellmann:-|20:44
dhellmannayoung: is this a box I can login to?20:45
ayoungdhellmann, it should work20:45
ayoungnope.  internal20:45
dhellmannas much fun as playing 20 questions with you is...20:45
ayoungheh20:45
ayoungI think I'ma kill PBR20:45
ayoungin this case20:45
ayounglet's see if that allows the entrypoint registry20:46
dhellmannit's time for me to leave my current location, but I'll watch for an update later20:46
*** david-lyle_ is now known as david-lyle20:48
ayoungdhellmann, killing pbr made it work20:50
ayoungnow I get an error on the openstack client20:50
ayoung[ayoung@horizon ~(keystone_demo)]$/usr/bin/openstack --insecure --os-auth-plugin kerberos   --os-project-name demo  --os-project-domain-name Default       hypervisor list20:50
ayoung/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:730: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)20:50
ayoung  InsecureRequestWarning)20:50
ayoungERROR: openstack 'username'20:50
ayoungooh, think I can drop insecure...let me see20:50
dhellmannayoung: add --debug for a full traceback20:51
ayoungah, thanks20:51
ayoungdhellmann, OK,  I think the problem is that the kerberos approach doesn't use username from the request20:51
ayoung  File "/opt/stack/python-openstackclient/openstackclient/common/clientmanager.py", line 54, in __getattr__20:52
ayoung    return self._auth_params[name[1:]]20:52
ayoungKeyError: 'username20:52
*** amcrn has joined #openstack-keystone20:53
*** gsilvis has quit IRC20:56
*** raildo is now known as raildo_away20:59
*** thedodd has quit IRC21:03
*** thiagop has quit IRC21:08
*** topol has quit IRC21:09
*** andreaf has joined #openstack-keystone21:23
*** stevemar has quit IRC21:32
*** drjones has quit IRC21:43
*** _cjones_ has joined #openstack-keystone21:44
*** thedodd has joined #openstack-keystone21:47
*** drjones has joined #openstack-keystone21:48
*** david-lyle has quit IRC21:49
*** _cjones_ has quit IRC21:51
*** radez is now known as radez_g0n322:04
*** david-lyle has joined #openstack-keystone22:05
*** rwsu has quit IRC22:07
*** bdossant_ has joined #openstack-keystone22:09
*** packet has quit IRC22:09
*** bdossant has quit IRC22:12
*** Tahmina has joined #openstack-keystone22:23
*** david-lyle has quit IRC22:24
*** htruta has quit IRC22:24
*** afaranha has quit IRC22:24
*** sigmavirus24 is now known as sigmavirus24_awa22:28
*** htruta has joined #openstack-keystone22:29
*** afaranha has joined #openstack-keystone22:30
*** Kui has joined #openstack-keystone22:32
*** thedodd has quit IRC22:35
*** sigmavirus24_awa is now known as sigmavirus2422:37
*** gordc has quit IRC22:44
*** Tahmina has quit IRC23:01
*** zzzeek_ has joined #openstack-keystone23:05
*** zzzeek has quit IRC23:08
*** zzzeek has joined #openstack-keystone23:09
*** zzzeek_ has quit IRC23:09
*** zzzeek has quit IRC23:14
*** zzzeek has joined #openstack-keystone23:18
*** drjones has quit IRC23:19
*** _cjones_ has joined #openstack-keystone23:20
*** arunkant_work has quit IRC23:24
*** dims__ has joined #openstack-keystone23:30
*** dims__ has quit IRC23:33
*** dims_ has quit IRC23:33
*** dims_ has joined #openstack-keystone23:34
*** Tahmina has joined #openstack-keystone23:37
*** alex_xu has joined #openstack-keystone23:52
*** sigmavirus24 is now known as sigmavirus24_awa23:52
