Friday, 2014-12-19

openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin https://review.openstack.org/138575	00:05
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Make session use the Loadable interface https://review.openstack.org/138576	00:05
*** _cjones_ has quit IRC		00:10
*** dims__ has joined #openstack-keystone		00:14
*** diegows has joined #openstack-keystone		00:17
lhcheng	morganfainberg: ping	00:19
morganfainberg	lhcheng: hi	00:20
lhcheng	question on: https://bugs.launchpad.net/python-keystoneclient/+bug/1393977	00:21
uvirtbot	Launchpad bug 1393977 in python-keystoneclient "name should be optional for service-create" [Low,Triaged]	00:21
lhcheng	should both keystoneclient and openstackclient be updated to make service name optional ?	00:21
*** stevemar has joined #openstack-keystone		00:22
*** ChanServ sets mode: +v stevemar		00:22
morganfainberg	lhcheng: is openstack client doing the same thing?	00:25
lhcheng	morganfainberg: yeah, openstack client complains about too few arguments if service name is not provided.	00:27
lhcheng	morganfainberg: it does make more sense to make the service name required, but it doesn't match the API. Not really sure what the best thing to do.	00:28
lhcheng	morganfainberg: I do see some value in making the service_name required.	00:28
jamielennox	morganfainberg: ok - i can do that quickly	00:29
jamielennox	oops - up + enter	00:29
morganfainberg	stevemar: ^^	00:42
morganfainberg	stevemar: re osc	00:42
morganfainberg	lhcheng: the Python client can be more opinionated than the API. We can't change the API at this point.	00:43
lhcheng	morganfainberg: I agree, the API should not change. but do we want to update the clients to match the API? (although losing some usablity, but less confusion for users)	00:44
*** _cjones_ has joined #openstack-keystone		00:45
stevemar	lhcheng, open a bug :)	00:47
lhcheng	stevemar: okay, I assume the direction is fix the client to match the API? :)	00:48
stevemar	lhcheng, yep!	00:50
lhcheng	stevemar: cool, thanks	00:50
stevemar	lhcheng, specify the args and what you think it ought to be, and if you are using v3/v2	00:50
lhcheng	stevemar: alright (thumbsup)	00:51
lhcheng	stevemar: if you get the chance(shameless plug)- https://review.openstack.org/#/c/135808/	00:51
lhcheng	stevemar: when I search for OSC launchpad, I bumped into this: https://launchpad.net/openstack-ios	00:53
*** samueldmq has joined #openstack-keystone		00:54
lhcheng	stevemar: didn't know we have an ios client?	00:54
*** dims__ has quit IRC		00:55
*** dims__ has joined #openstack-keystone		00:55
*** zzzeek has quit IRC		00:57
*** dims__ has quit IRC		00:59
*** dims__ has joined #openstack-keystone		01:00
openstackgerrit	Merged openstack/keystone: Update federation docs to point to specs.o.org https://review.openstack.org/134590	01:11
*** nellysmitt has joined #openstack-keystone		01:11
*** nellysmitt has quit IRC		01:16
*** LinstatSDR has joined #openstack-keystone		01:16
stevemar	lhcheng, https://bugs.launchpad.net/python-openstackclient	01:17
stevemar	i accept shameless plugs	01:18
*** _cjones_ has quit IRC		01:21
lhcheng	stevemar: have you heard about: https://launchpad.net/openstack-clients ?	01:35
*** samueldmq has quit IRC		01:37
*** oomichi has joined #openstack-keystone		01:39
*** avozza is now known as zz_avozza		01:40
*** zzzeek has joined #openstack-keystone		01:44
*** zzzeek has quit IRC		01:47
*** wanghong has quit IRC		01:48
*** rm_work is now known as rm_work\|away		01:51
*** samueldmq has joined #openstack-keystone		01:53
*** oomichi has quit IRC		01:55
openstackgerrit	Dave Chen proposed openstack/keystone: Remove local conf information from paste-ini https://review.openstack.org/134124	01:57
*** chrisshattuck has joined #openstack-keystone		01:59
*** gyee has quit IRC		02:03
*** wanghong has joined #openstack-keystone		02:05
openstackgerrit	Dave Chen proposed openstack/keystone: Refactor the code in SQL backend of assignment https://review.openstack.org/133135	02:06
*** chrisshattuck has quit IRC		02:08
*** chrisshattuck has joined #openstack-keystone		02:12
*** richm has quit IRC		02:14
*** ncoghlan has joined #openstack-keystone		02:18
*** wpf has joined #openstack-keystone		02:27
*** xxj has joined #openstack-keystone		02:27
*** junhongl has joined #openstack-keystone		02:28
*** Stone07 has joined #openstack-keystone		02:31
*** erkules has joined #openstack-keystone		02:45
*** erkules_ has quit IRC		02:47
*** erkules has quit IRC		02:49
*** rushiagr_away is now known as rushiagr		02:49
openstackgerrit	Dave Chen proposed openstack/keystone: Remove local conf information from paste-ini https://review.openstack.org/134125	02:49
*** erkules has joined #openstack-keystone		02:50
*** chrisshattuck has quit IRC		02:59
*** topol has joined #openstack-keystone		03:12
*** ChanServ sets mode: +v topol		03:12
*** nellysmitt has joined #openstack-keystone		03:12
*** lhcheng has quit IRC		03:14
openstackgerrit	David Stanek proposed openstack/keystone: Make the mutable default arg check very strict https://review.openstack.org/136126	03:17
openstackgerrit	David Stanek proposed openstack/keystone: Removes a Py2.6 version of inspect.getcallargs https://review.openstack.org/136210	03:17
openstackgerrit	David Stanek proposed openstack/keystone: Removes a Py2.6 version of assertSetEqual https://review.openstack.org/136211	03:17
openstackgerrit	David Stanek proposed openstack/keystone: Expanded mutable hacking checks https://review.openstack.org/136208	03:17
openstackgerrit	David Stanek proposed openstack/keystone: Removes a bit of WSGI code converts unicode to str https://review.openstack.org/136209	03:17
*** nellysmitt has quit IRC		03:17
*** ncoghlan has quit IRC		03:40
*** ncoghlan has joined #openstack-keystone		03:41
*** diegows has quit IRC		03:45
*** harlowja_ is now known as harlowja_away		03:51
*** dims__ has quit IRC		04:00
*** dims__ has joined #openstack-keystone		04:01
*** rushiagr is now known as rushiagr_away		04:02
*** dims__ has quit IRC		04:05
*** radez is now known as radez_g0n3		04:17
*** hichtakk has quit IRC		04:20
*** hichtakk has joined #openstack-keystone		04:20
*** _cjones_ has joined #openstack-keystone		04:22
*** stevemar has quit IRC		04:25
*** hichtakk has quit IRC		04:25
*** _cjones_ has quit IRC		04:26
*** rushiagr_away is now known as rushiagr		04:32
*** andreaf has quit IRC		04:44
*** andreaf has joined #openstack-keystone		04:45
*** ajayaa has joined #openstack-keystone		05:03
*** hdd has joined #openstack-keystone		05:07
*** nellysmitt has joined #openstack-keystone		05:13
*** nellysmitt has quit IRC		05:18
*** rm_work\|away is now known as rm_work		05:21
*** lhcheng has joined #openstack-keystone		05:28
*** rm_work is now known as rm_work\|away		05:43
*** hdd has quit IRC		06:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/136243	06:06
*** dims__ has joined #openstack-keystone		06:09
jamielennox	marekd: are you awake?	06:09
*** dims__ has quit IRC		06:13
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Allow v3 plugins to opt out of service catalog https://review.openstack.org/142991	06:15
*** jamielennox is now known as jamielennox\|away		06:25
*** k4n0 has joined #openstack-keystone		06:30
*** topol has quit IRC		06:35
openstackgerrit	wanghong proposed openstack/keystone: fix the wrong update logic of catalog kvs driver https://review.openstack.org/130180	06:40
*** wanghong has quit IRC		06:41
openstackgerrit	wanghong proposed openstack/keystone: add circular check when updating region https://review.openstack.org/130474	06:45
*** ajayaa has quit IRC		06:47
*** pcaruana has joined #openstack-keystone		06:49
openstackgerrit	wanghong proposed openstack/keystone: set endpoint enabled default to True if not specified(kvs) https://review.openstack.org/142316	06:54
*** wanghong has joined #openstack-keystone		06:54
openstackgerrit	wanghong proposed openstack/keystone: set endpoint enabled default to True if not specified(kvs) https://review.openstack.org/142316	06:57
*** lhcheng has quit IRC		07:01
*** nellysmitt has joined #openstack-keystone		07:14
*** nellysmitt has quit IRC		07:19
*** hichtakk has joined #openstack-keystone		07:30
*** boris-42 has quit IRC		07:33
*** zz_avozza is now known as avozza		07:35
openstackgerrit	wanghong proposed openstack/keystone: remove duplicate matching id check when updating user https://review.openstack.org/131995	07:35
openstackgerrit	wanghong proposed openstack/keystone: remove unnecessary checks in assignment/controllers.py https://review.openstack.org/130722	07:37
openstackgerrit	wanghong proposed openstack/keystone: remove assignments for foreign actors when deleting domain https://review.openstack.org/127433	07:41
*** avozza is now known as zz_avozza		07:44
*** ajayaa has joined #openstack-keystone		07:45
*** lhcheng has joined #openstack-keystone		07:47
*** zz_avozza is now known as avozza		07:58
*** LinstatSDR has quit IRC		08:00
*** avozza is now known as zz_avozza		08:01
*** lhcheng has quit IRC		08:02
*** zz_avozza is now known as avozza		08:17
*** avozza is now known as zz_avozza		08:36
*** zz_avozza is now known as avozza		08:36
*** Shohei has quit IRC		08:44
*** Shohei has joined #openstack-keystone		08:45
*** Shohei has quit IRC		08:45
*** Shohei has joined #openstack-keystone		08:46
openstackgerrit	Andrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list https://review.openstack.org/132235	08:48
*** nellysmitt has joined #openstack-keystone		08:52
*** ncoghlan has quit IRC		09:09
*** nellysmitt has quit IRC		09:31
*** david-ly_ has quit IRC		09:32
*** hichtakk has quit IRC		09:32
*** hichtakk has joined #openstack-keystone		09:32
*** aix has joined #openstack-keystone		09:33
*** david-lyle has joined #openstack-keystone		09:33
*** hichtakk has quit IRC		09:37
*** david-lyle has quit IRC		09:38
*** nellysmitt has joined #openstack-keystone		09:38
*** dims__ has joined #openstack-keystone		09:46
*** dims__ has quit IRC		09:50
*** Shohei has quit IRC		09:55
*** Shohei has joined #openstack-keystone		09:56
*** Shohei_ has joined #openstack-keystone		09:59
*** Shohei has quit IRC		10:00
*** andreaf has quit IRC		10:05
*** andreaf has joined #openstack-keystone		10:05
*** aix has quit IRC		11:00
*** avozza is now known as zz_avozza		11:04
*** zz_avozza is now known as avozza		11:06
*** nellysmitt has quit IRC		11:13
*** aix has joined #openstack-keystone		11:21
*** wpf has quit IRC		11:26
*** wpf has joined #openstack-keystone		11:26
*** wpf has quit IRC		11:35
*** dims__ has joined #openstack-keystone		11:37
*** nellysmitt has joined #openstack-keystone		11:38
*** wpf has joined #openstack-keystone		11:38
*** diegows has joined #openstack-keystone		11:49
*** samueldmq has quit IRC		11:50
*** nellysmitt has quit IRC		11:50
*** amakarov_away is now known as amakarov		11:57
*** dims__ has quit IRC		12:05
*** andreaf has quit IRC		12:06
*** andreaf has joined #openstack-keystone		12:08
*** dims__ has joined #openstack-keystone		12:10
openstackgerrit	Flavio Percoco proposed openstack/keystonemiddleware: Don't assume everyone uses `CONF` https://review.openstack.org/143063	12:11
*** nellysmitt has joined #openstack-keystone		12:13
*** jasondotstar is now known as jasondotstar\|afk		12:16
*** topol has joined #openstack-keystone		12:19
*** ChanServ sets mode: +v topol		12:19
*** topol has quit IRC		12:20
*** topol has joined #openstack-keystone		12:20
*** ChanServ sets mode: +v topol		12:20
*** k4n0 has quit IRC		12:23
*** Stone07 has quit IRC		12:23
*** andreaf has quit IRC		12:28
*** nellysmitt has quit IRC		12:35
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests https://review.openstack.org/137021	12:38
*** nellysmitt has joined #openstack-keystone		12:40
*** Shohei has joined #openstack-keystone		12:44
*** dguerri has quit IRC		12:45
*** jdandrea has quit IRC		12:45
*** jdandrea has joined #openstack-keystone		12:45
*** Shohei_ has quit IRC		12:47
*** wpf has quit IRC		12:47
*** dguerri has joined #openstack-keystone		12:47
*** wpf has joined #openstack-keystone		12:48
*** nellysmitt has quit IRC		13:02
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: WIP - Improve List Role Assignment Tests https://review.openstack.org/137021	13:03
*** nellysmitt has joined #openstack-keystone		13:08
marekd	jamielennox\|away: i am travelling home today, so not really online. How about you shoot me an e-mail and I will reply whenever i can?	13:20
*** lufix has quit IRC		13:29
*** topol has quit IRC		13:31
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring https://review.openstack.org/141352	13:36
*** lufix has joined #openstack-keystone		13:37
*** boris-42 has joined #openstack-keystone		13:38
openstackgerrit	Alexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring https://review.openstack.org/141352	13:44
*** amakarov is now known as amakarov_away		13:54
*** r-daneel has joined #openstack-keystone		14:08
*** dims__ has quit IRC		14:12
*** dims__ has joined #openstack-keystone		14:12
*** gordc has joined #openstack-keystone		14:12
*** dims__ has quit IRC		14:16
*** r-daneel has quit IRC		14:23
*** andreaf has joined #openstack-keystone		14:25
*** ajayaa has quit IRC		14:36
*** jungleboyj has quit IRC		14:38
*** rushiagr is now known as rushiagr_away		14:38
*** zzzeek has joined #openstack-keystone		14:41
*** tellesnobrega_ has joined #openstack-keystone		14:49
*** tellesnobrega_ has quit IRC		14:51
*** avozza is now known as zz_avozza		14:53
*** ajayaa has joined #openstack-keystone		14:53
*** radez_g0n3 is now known as radez		14:57
*** flaper87 has joined #openstack-keystone		15:05
* flaper87 bows and says hi		15:05
flaper87	question: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L897-L899	15:05
flaper87	that line there is doing an http call to construct the session: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L1316-L1322	15:06
flaper87	I'm hitting a problem in Zaqar unittests where I'm passing an invalid token and expecting a 401	15:06
flaper87	however, due to the new need of a running keystone server (to create that session), the unittest is failing	15:07
flaper87	My question is: Was that made on purpose? or Is it just an unfortunate bug and we can avoid returning that head if it's an invalid token?	15:07
flaper87	or I'm missing the point and should probably stfu	15:07
flaper87	:)	15:07
flaper87	or you're all on vacation and this is just a nice monologue	15:08
gabriel-bezerra	flaper87: I am not the best person to answer this, but, how do you know whether a token is valid or not without asking the server?	15:08
gabriel-bezerra	how do you expect to know..	15:09
*** erkules_ has joined #openstack-keystone		15:09
gabriel-bezerra	I know the format migth be a hint, but Keystone uses many different formats of token	15:09
gabriel-bezerra	uuid, pki, pkiz	15:09
*** tellesnobrega_ has joined #openstack-keystone		15:10
flaper87	gabriel-bezerra: actually, that's a good point, by looking at the code I'm going through this path: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L881-L885	15:11
*** erkules has quit IRC		15:11
*** palendae has left #openstack-keystone		15:11
*** tellesnobrega_ has quit IRC		15:11
flaper87	basically, no token is being passed	15:11
* flaper87 could've sworn zaqar passed an invalid token		15:11
ayoung	dolphm, yoy caught me by surprise with your responses to the Security Section of the Specs. Do you have an example of one that does meet your approval?	15:13
gabriel-bezerra	flaper87: so you don't pass a X-Auth-Token header and the middleware still tries to contact the server?	15:13
flaper87	gabriel-bezerra: yup, sorry for the confusion before	15:14
*** tellesnobrega_ has joined #openstack-keystone		15:14
gabriel-bezerra	ayoung: did you work on the middleware implementation? ^	15:14
*** esmute has quit IRC		15:14
flaper87	ayoung: before you answer that, remember I can pay for beers :)	15:15
ayoung	gabriel-bezerra, that is part of jamielennox\|away discovery work	15:15
ayoung	I think that you can work around the discovery process based on the auth URL.	15:15
ayoung	its trying to determing whether to use V2 or V3	15:15
bknudson	looks like keystoneclient release broke everything.	15:15
gabriel-bezerra	ayoung: thanks a lot	15:16
*** jasondotstar\|afk has quit IRC		15:16
ayoung	bknudson, that is what we get for calling it 1.0.0	15:16
*** rushiagr_away is now known as rushiagr		15:16
bknudson	btw, I think I've got a fix for that...	15:17
bknudson	https://review.openstack.org/#/c/140765/ -- moves the code for doing the server version check	15:17
ayoung	bknudson, looking	15:17
*** esmute has joined #openstack-keystone		15:18
*** radez is now known as radez_g0n3		15:19
ayoung	bknudson, I am tempted to ask you to put if True: in place of if not self._identity_server_obj: to show what really changes in that review	15:19
*** radez_g0n3 is now known as radez		15:19
flaper87	bknudson: does your patch will require a running keystone to create an instance of it?	15:20
flaper87	sorry, I don't know the code base :(	15:20
ayoung	fortunately there is a difference between dark and light green	15:20
*** stevemar has joined #openstack-keystone		15:20
*** ChanServ sets mode: +v stevemar		15:20
bknudson	so flaper87 points to this line: self._identity_server.auth_uri	15:20
bknudson	auth_token was changed to create an _IdentityServer obj when self._identity_server is called	15:21
bknudson	and creating an _IdentityServer requires knowing the version	15:21
bknudson	with https://review.openstack.org/#/c/140765/ , the _IdentityServer obj doesn't need to know the version until it actually has to talk to keystone.	15:21
*** tellesnobrega_ has quit IRC		15:22
bknudson	I actually ran into this problem myself since I was refactoring the auth_token middleware and it called self._identity_server in the constructor.	15:22
bknudson	I should be able to move https://review.openstack.org/#/c/140765/ before https://review.openstack.org/#/c/122281/ (a review it depends on) since they should be independent.	15:24
*** jasondotstar\|afk has joined #openstack-keystone		15:24
bknudson	we should have a unit test that shows if no X-Auth-Token is given then no request is made.	15:25
ayoung	bknudson, so I can see that this is better for testing, and it is also in keeping with the philosophy of "don't require servers to be brought up in a certain order" that I tried to follow on the cert fetching code way back when	15:25
ayoung	the downside is that you don't know if something is broken until you attempt a remote call	15:25
bknudson	the reason I made the change didn't actually have anything to do with this issue... I didn't know about it... but this shows that the automagic creation of the IdentityServer obj makes thinking about how it works more difficult.	15:27
*** jungleboyj has joined #openstack-keystone		15:27
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/ https://review.openstack.org/133989	15:28
openstackgerrit	Brant Knudson proposed openstack/keystone: Remove test PYTHONHASHSEED setting https://review.openstack.org/136593	15:28
openstackgerrit	Brant Knudson proposed openstack/keystone: Correct version tests for result ordering https://review.openstack.org/138923	15:28
bknudson	flaper87: did you open a bug?	15:29
*** timcline has joined #openstack-keystone		15:29
flaper87	bknudson: nope, I was double checking if that was something you guys had actually planned	15:31
bknudson	flaper87: no, it's an unexpected side-effect.	15:31
flaper87	bknudson: I can open one but I believe you have more details to put there than me	15:31
*** jorge_munoz has joined #openstack-keystone		15:31
openstackgerrit	Lance Bragstad proposed openstack/keystone: Bump hacking to be at least 0.9.4 https://review.openstack.org/138497	15:31
openstackgerrit	Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743	15:36
ayoung	bknudson, what were you trying to address?	15:38
ayoung	"preferring composition over inheritance" music to my eyes!	15:39
bknudson	ayoung: in https://review.openstack.org/#/c/102403/ , I extracted the revocation list methods in auth_token to their own class, an in order to do that needed to pass self._identity_server... but calling self._identity_server would do version discovery right in the constructor..	15:39
bknudson	and we've got tests that verify that there's no requests to keystone on construction	15:40
*** timcline has quit IRC		15:40
bknudson	so it's a similar issue, any use of self._identity_server now does version discovery.	15:40
*** timcline has joined #openstack-keystone		15:41
*** jasondotstar\|afk has quit IRC		15:41
ayoung	bknudson, so we can fix the issues people will see by fixing it all in middleware. Good.	15:41
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281	15:42
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	15:42
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor identity version handling to strategy pattern https://review.openstack.org/140765	15:42
ayoung	neither the old view nor the new on Gerrit shows me everything I need to know. THe new view does not make clear the ordering of the patches....	15:42
bknudson	that's just changing the order.	15:42
ayoung	OK, so first we need the refactoring, 140765?	15:43
ayoung	er...disregard	15:43
*** hdd has joined #openstack-keystone		15:43
* ayoung switched to old view		15:43
lbragstad	bknudson: for your comment here: https://review.openstack.org/#/c/130591/6/keystone/tests/test_content_types.py	15:45
ayoung	bknudson, so "create identity server" does not trigger the call to identity	15:45
lbragstad	bknudson: I added another patch that shows the failure: https://review.openstack.org/#/c/142440/	15:46
ayoung	instead when you do something with the identity server, it calls the keystone server to do lookup? What was triggereing it in the old code path?	15:46
bknudson	lbragstad: ok, I was just wondering why it was a 200 and not a 201.	15:46
lbragstad	bknudson: me too	15:47
lbragstad	bknudson: kinda strange isn't not 201	15:47
bknudson	ayoung: are you wondering what's triggering discovery in the current auth_token?	15:47
ayoung	bknudson, yes, please	15:47
bknudson	when you do self._identity_server	15:47
bknudson	it constructs an _IdentityServer, either _IdentityServerV2 or V3	15:48
bknudson	so it talks to the identity server to figure out the class it needs to create.	15:48
bknudson	so when a request with no token comes in, and auth_token calls _reject_auth_headers(), which does: header_val = 'Keystone uri=\'%s\'' % self._identity_server.auth_uri	15:49
bknudson	it does discovery because of the call to self._identity_server	15:49
bknudson	ayoung: does that explain it?	15:50
ayoung	so with your change we would postpone it until a call required token validation	15:51
ayoung	flaper87, but you were handing in an invalid token?	15:52
flaper87	ayoung: no, sorry about the confusion there. I was calling it w/o token	15:53
ayoung	so this will suit your needs	15:53
flaper87	w0000t	15:53
flaper87	:D	15:53
ayoung	bknudson, the code looks good. I'd like to have flaper87 test out the changes and give a thumbs up before I +2	15:53
ayoung	bknudson, does he need all three patches, or just the first one in the series	15:54
bknudson	ayoung: no, just the first one.	15:54
ayoung	just the first, I hope, or I don't understand the code as well as I thought	15:54
ayoung	good	15:54
ayoung	flaper87, deal?	15:54
flaper87	ayoung: deal, I can do that right away	15:55
bknudson	thanks!	15:55
*** chrisshattuck has joined #openstack-keystone		15:56
ayoung	bknudson, I have a JSON-HOME issue. When I split the auth router out of the huge service object, I have no way of composing JSON home anymore	15:56
ayoung	I had commented out the test in my WIP, but I think I need to address that soonest	15:56
ayoung	https://review.openstack.org/#/c/138452/	15:56
* flaper87 is confused, what's the review again?		15:57
flaper87	:D	15:57
bknudson	flaper87: https://review.openstack.org/#/c/140765/	15:57
ayoung	flaper87, added you as a reviewer, so its on your list	15:58
*** pcaruana has quit IRC		15:59
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor identity version handling to strategy pattern https://review.openstack.org/140765	16:00
flaper87	bknudson: ayoung it works http://paste.openstack.org/show/153199/	16:00
*** jasondotstar has joined #openstack-keystone		16:00
bknudson	flaper87: what was it doing before?	16:00
*** atiwari has joined #openstack-keystone		16:01
flaper87	bknudson: http://paste.openstack.org/show/153200/	16:01
flaper87	it was trying to connect	16:01
openstackgerrit	Dolph Mathews proposed openstack/keystone: refactor: use _get_project_endpoint_group_url() where applicable https://review.openstack.org/139080	16:02
bknudson	flaper87: I opened a bug https://bugs.launchpad.net/keystonemiddleware/+bug/1404294	16:03
uvirtbot	Launchpad bug 1404294 in keystonemiddleware "auth_token contacts keystone when no token" [Undecided,In progress]	16:03
openstackgerrit	Dolph Mathews proposed openstack/keystone: improve error message when tenant ID does not exist https://review.openstack.org/131255	16:03
stevemar	dolphm, ping	16:05
ayoung	bknudson, so...if auth is in its own pipeline, then this code misses them https://github.com/openstack/keystone/blob/master/keystone/controllers.py#L193	16:05
stevemar	dolphm, can you click the rebase button on https://review.openstack.org/#/c/113905/	16:05
ayoung	bknudson, and it seems to me that we could somehow work with paste to get the set of routers	16:06
bknudson	ayoung: all the V3 extensions are in their own pipeline, too.	16:06
ayoung	bknudson, right, but we don't return them in the V3 JSON Home document,	16:06
bknudson	ayoung: yes, the extensions are included in the V3 JSON Home document.	16:06
ayoung	is that intentional?	16:06
ayoung	How?	16:07
*** topol has joined #openstack-keystone		16:07
*** ChanServ sets mode: +v topol		16:07
bknudson	ayoung: I'm looking for the code... it's in ExtensionV3 or something.	16:07
ayoung	bknudson, is that in a submitted change? Cuz paste upstream is in the main pipeline	16:07
ayoung	https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L79	16:08
bknudson	ayoung: here it is: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/wsgi.py#n714	16:12
bknudson	the extension intercepts the JSON Home response and adds its own resources	16:12
*** ajayaa has quit IRC		16:14
ayoung	bknudson, ok, so if I split the auth routes into their own pipeline, how would I trigger code like this to happen?	16:15
*** ajayaa has joined #openstack-keystone		16:15
ayoung	Its seems like something that should be higher up in the hierarchy than the service controller	16:15
bknudson	ayoung: does it have a router?	16:15
ayoung	bknudson, its using the composing router	16:15
*** chrisshattuck has quit IRC		16:15
bknudson	it's only extensions that needed it before.	16:15
ayoung	https://review.openstack.org/#/c/138452/2/keystone/auth/routers.py	16:16
bknudson	moving it up the hierarchy makes sense.	16:16
bknudson	ayoung: that's using RoutersBase and V3ExtensionRouter already depends on RoutersBase, so should be easy to move it up.	16:17
morganfainberg	morning	16:20
openstackgerrit	Steve Martinelli proposed openstack/keystone: Provide additional detail if OAuth headers are missing https://review.openstack.org/142191	16:20
openstackgerrit	Steve Martinelli proposed openstack/keystone: switch from sample_config.sh to oslo-config-generator https://review.openstack.org/113905	16:21
*** ajayaa has quit IRC		16:21
openstackgerrit	Steve Martinelli proposed openstack/keystone: update sample conf using oslo-config-generator https://review.openstack.org/138508	16:22
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove oslo incubator's config generator https://review.openstack.org/142652	16:23
stevemar	dolphm, you took too long	16:23
*** dims__ has joined #openstack-keystone		16:24
*** dims__ has quit IRC		16:24
*** dims__ has joined #openstack-keystone		16:24
*** chrisshattuck has joined #openstack-keystone		16:28
*** chrisshattuck has quit IRC		16:29
openstackgerrit	Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743	16:30
*** boris-42 has quit IRC		16:33
ayoung	bknudson, I'm still trying to figure out how that gets triggered. Is it via the Pipeline processing?	16:35
ayoung	I think it is, in which case it does me no good. I want auth in its own paste pipeline.	16:35
bknudson	ayoung: right, all requests do __call__	16:35
*** thiagop has quit IRC		16:35
bknudson	ayoung: yes, if it's outside the normal pipeline then it won't do you any good.	16:35
bknudson	somehow the one pipeline needs to talk to the other pipeline	16:36
bknudson	I don't know how you do that other than through global variables?	16:36
bknudson	this is why paste is so crappy	16:36
bknudson	we essentially have the same problem due to the separate pipeline for public_version_api	16:37
bknudson	I believe I changed that so that it calls the other pipeline... let me see where that is.	16:37
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281	16:39
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	16:39
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor identity version handling to strategy pattern https://review.openstack.org/140765	16:39
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Add a test to ensure no HTTP call for no token https://review.openstack.org/143134	16:39
*** _cjones_ has joined #openstack-keystone		16:39
bknudson	ayoung: it's here in get_versions -- http://git.openstack.org/cgit/openstack/keystone/tree/keystone/controllers.py#n168	16:41
bknudson	ayoung: see it does a request of /v3: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/controllers.py#n48	16:41
bknudson	so if the auth pipeline supported a GET / request that returned JSON Home then it could be called by the version router	16:42
*** thedodd has joined #openstack-keystone		16:43
*** nellysmitt has quit IRC		16:45
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281	16:53
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	16:53
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Fix auth_token does version request for no token https://review.openstack.org/140765	16:53
*** dims__ is now known as dimsum__		16:56
*** gyee has joined #openstack-keystone		16:58
*** ChanServ sets mode: +v gyee		16:58
flaper87	morganfainberg: bknudson ayoung are you guys going to release a minor with the fix ?	17:01
*** rm_work\|away is now known as rm_work		17:03
bknudson	flaper87: good question ... needs to merge first, and then I guess morganfainberg does the release	17:03
flaper87	awesome, as long as there will be a release, I'm happy :D	17:04
*** nellysmitt has joined #openstack-keystone		17:05
*** nellysmitt has quit IRC		17:08
*** LinstatSDR has joined #openstack-keystone		17:26
*** _cjones_ has quit IRC		17:27
*** aix has quit IRC		17:30
morganfainberg	bknudson, yeah that is exactly how it works	17:33
*** hichtakk has joined #openstack-keystone		17:34
*** f13o has quit IRC		17:36
*** atiwari has quit IRC		17:37
morganfainberg	bknudson, people are still doing magic replacement of middleware?	17:38
morganfainberg	for unit tests that is	17:39
*** _cjones_ has joined #openstack-keystone		17:40
morganfainberg	bknudson, is that really a 1.0.0 release issue vs 1.3.0?	17:42
*** _cjones_ has quit IRC		17:49
*** _cjones_ has joined #openstack-keystone		17:49
*** raildo_away has quit IRC		17:54
*** lhcheng has joined #openstack-keystone		17:56
openstackgerrit	David Stanek proposed openstack/keystone: Support for running functional federation tests https://review.openstack.org/139137	18:01
openstackgerrit	David Stanek proposed openstack/keystone: Use bashate to run_tests.sh https://review.openstack.org/143148	18:01
openstackgerrit	David Stanek proposed openstack/keystone: Be more precise with flake8 filename matches https://review.openstack.org/143149	18:01
openstackgerrit	David Stanek proposed openstack/keystone: Adds a wip decorator for tests https://review.openstack.org/131516	18:03
*** harlowja_away is now known as harlowja_		18:05
ayoung	bknudson, I'm almost thinking that the right solution is to split identity, assignment, etc into separate pipelines as well	18:06
ayoung	at least at the V3 level	18:06
ayoung	and then instead of	18:06
ayoung	v3_json_home = request_v3_json_home('/v3')	18:07
gabriel-bezerra	dstanek: have you got the attributes to be passed in the assertion? I'm investigating pysaml2 source code since wednesday looking for that.	18:07
ayoung	it would be the union of	18:07
ayoung	for s in 'identity' .... v3_json_home += request_v3_json_home('/v3/%s' % s)	18:07
ayoung	I recall trying that once, and getting tripped up by something...I think the fact that the extensions hack on additional routes to identity, but I bet I can work around that	18:08
gabriel-bezerra	dstanek: how did you discover about the sign_response and sign_assertion configuration parameters?	18:12
*** timcline has quit IRC		18:16
*** _cjones_ has quit IRC		18:16
openstackgerrit	David Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3 https://review.openstack.org/125410	18:17
openstackgerrit	David Stanek proposed openstack/keystone: Updates Python3 requirements https://review.openstack.org/130579	18:17
openstackgerrit	David Stanek proposed openstack/keystone: Mocks out the memcache library for tests https://review.openstack.org/125409	18:17
openstackgerrit	David Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing https://review.openstack.org/95827	18:17
*** hdd has quit IRC		18:18
dstanek	gabriel-bezerra: i rigged it to be working, but i'll have it figured out soon	18:22
dstanek	gabriel-bezerra: i read through the code to find those	18:22
*** hichtakk has quit IRC		18:38
*** hichtakk has joined #openstack-keystone		18:39
*** hdd has joined #openstack-keystone		18:39
*** erkules has joined #openstack-keystone		18:42
*** erkules_ has quit IRC		18:43
openstackgerrit	David Stanek proposed openstack/keystone: region.description is optional and can be null https://review.openstack.org/117611	18:45
*** htruta has quit IRC		18:47
*** thedodd has quit IRC		18:49
*** r-daneel has joined #openstack-keystone		18:52
*** _cjones_ has joined #openstack-keystone		18:53
*** timcline_ has joined #openstack-keystone		18:55
*** r-daneel has quit IRC		18:57
*** _cjones_ has quit IRC		18:58
*** lhcheng has quit IRC		19:00
*** lhcheng has joined #openstack-keystone		19:00
*** lhcheng has quit IRC		19:00
*** lhcheng has joined #openstack-keystone		19:01
*** openstack has joined #openstack-keystone		19:08
*** hichtakk has quit IRC		19:08
*** hichtakk has joined #openstack-keystone		19:08
*** stevemar2 has joined #openstack-keystone		19:08
*** ChanServ sets mode: +v stevemar2		19:08
*** zz_avozza is now known as avozza		19:08
*** hichtakk has quit IRC		19:08
*** hichtakk has joined #openstack-keystone		19:08
*** harlowja_ is now known as harlowja_away		19:08
*** harlowja_away is now known as harlowja_		19:08
*** erkules_ has joined #openstack-keystone		19:08
*** mancdaz_ has joined #openstack-keystone		19:08
*** erkules has quit IRC		19:08
*** nellysmitt has joined #openstack-keystone		19:08
*** mancdaz_ is now known as mancdaz		19:08
*** thedodd has joined #openstack-keystone		19:08
*** jimbaker has joined #openstack-keystone		19:09
*** Ephur has joined #openstack-keystone		19:09
*** jimbaker has quit IRC		19:09
*** jimbaker has joined #openstack-keystone		19:09
*** openstackstatus has joined #openstack-keystone		19:09
*** ChanServ sets mode: +v openstackstatus		19:09
*** dougwig has joined #openstack-keystone		19:09
*** erkules has joined #openstack-keystone		19:12
*** stevemar2 is now known as stevemar		19:13
stevemar	dolphm, maybe you know... for v2 service create, which args are required vs optional http://developer.openstack.org/api-ref-identity-v2.html	19:13
dolphm	stevemar: eek, type is definitely required	19:13
stevemar	ah	19:13
dolphm	stevemar: i've always thought of name as required, but apparently it's not, according to the implementation?	19:13
*** erkules_ has quit IRC		19:14
dolphm	stevemar: or maybe name is required, but not unique?	19:14
stevemar	dolphm, not sure about the impl, lemme look	19:14
dolphm	there was a bug on name over the summer	19:14
stevemar	service and endpoint is so scrambled	19:14
dolphm	stevemar: yeah, i really wanted to see it flattened for v3, but someone made a pretty strong argument that it was more difficult to manage if you flattened them. shrug	19:15
stevemar	apparently nothing is required	19:15
stevemar	oh wait, theres a schema, maybe only for v3..	19:16
stevemar	dolphm, yeah, pretty sure nothing is required https://github.com/openstack/keystone/blob/master/keystone/catalog/controllers.py#L53-L60	19:17
*** erkules has quit IRC		19:17
dolphm	stevemar: maybe something in the sql schema will balk?	19:17
dolphm	stevemar: nonnull type maybe?	19:17
stevemar	dolphm, yeah, validation goes down to the SQL column types	19:18
stevemar	https://github.com/openstack/keystone/blob/master/keystone/catalog/backends/sql.py#L57-L65	19:18
stevemar	name isn't even an arg for starters	19:18
dolphm	stevemar: but even type isn't nullable=False	19:18
stevemar	might default to that	19:18
dolphm	stevemar: only because there was no reason to index on name, i suppose? other than it should arguably be unique	19:19
dolphm	stevemar: i think nullable=True is the default	19:19
dolphm	hence the explicit nullable=False's	19:19
*** erkules has joined #openstack-keystone		19:19
*** hichtakk has quit IRC		19:19
*** hichtakk has joined #openstack-keystone		19:19
dolphm	stevemar: "nullable – If set to the default of True, indicates the column will be rendered as allowing NULL, else it’s rendered as NOT NULL. This parameter is only used when issuing CREATE TABLE statements."	19:19
stevemar	so it can be null, so we can create a service in v2 with just {'service':{}}	19:20
dolphm	stevemar: fun!	19:20
stevemar	id is assigned, and enabled is defaulted to true	19:20
dolphm	stevemar: try it lol	19:20
stevemar	trying now	19:20
dolphm	stevemar: http://pasteraw.com/dz5r155lce7d6ncm0unvgatgo0gzw97	19:22
stevemar	dolphm, yep!	19:23
stevemar	http://paste.openstack.org/show/153253/	19:23
stevemar	welp!	19:25
*** lhcheng has quit IRC		19:25
stevemar	lhcheng, ^^	19:25
*** jorge_munoz has quit IRC		19:25
stevemar	see what you've gone and done now lhcheng	19:25
*** jorge_munoz has joined #openstack-keystone		19:25
*** lhcheng has joined #openstack-keystone		19:25
*** shakamunyi has joined #openstack-keystone		19:25
stevemar	dolphm, so type can't/shouldn't be nullable	19:25
*** lhcheng_ has joined #openstack-keystone		19:27
dolphm	stevemar: a null service type makes zero sense to me	19:28
stevemar	dolphm, right, so seems like a bug in v2.0	19:29
stevemar	lemme see what the heck we're doing for OSC	19:29
stevemar	apparently we take a name arg	19:29
*** lhcheng has quit IRC		19:30
stevemar	and no enabled param	19:30
stevemar	type, is optional	19:30
stevemar	cause well, nullable	19:30
stevemar	ugh, KSC isn't much better https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/services.py#L38-L43	19:31
stevemar	apparently all 3 are required	19:31
*** hichtakk has quit IRC		19:32
*** lhcheng_ has quit IRC		19:32
*** lhcheng has joined #openstack-keystone		19:33
stevemar	i think 'name' is probably stored in the 'extra' args sql column	19:35
stevemar	which is wonky as heck	19:35
*** packet has joined #openstack-keystone		19:35
stevemar	cause the service catalog always gives a name	19:35
stevemar	ughhhh	19:35
morganfainberg	so, which way do we resolve this?	19:38
*** packet has quit IRC		19:38
morganfainberg	the catalog backend is... weird	19:38
morganfainberg	also templeated ugh	19:38
*** _cjones_ has joined #openstack-keystone		19:40
*** avozza is now known as zz_avozza		19:42
stevemar	dolphm, https://bugs.launchpad.net/keystone/+bug/1404073	19:51
uvirtbot	Launchpad bug 1404073 in python-openstackclient "type should be required for v2.0 service create" [Undecided,New]	19:51
stevemar	morganfainberg, ^	19:51
stevemar	ya welcome!	19:51
morganfainberg	hehe	19:51
stevemar	morganfainberg, easy fix, deprecate v2	19:51
stevemar	morganfainberg, you're still on a plane!?	19:52
*** timcline_ has quit IRC		19:55
*** timcline has joined #openstack-keystone		19:55
*** rushiagr is now known as rushiagr_away		19:55
morganfainberg	hah	19:56
morganfainberg	no, i'm home. but jetlagged	19:56
*** _cjones_ has quit IRC		19:59
*** timcline_ has joined #openstack-keystone		20:00
*** stevemar has quit IRC		20:03
*** stevemar has joined #openstack-keystone		20:03
*** ChanServ sets mode: +v stevemar		20:03
*** timcline has quit IRC		20:04
*** zz_avozza is now known as avozza		20:05
openstackgerrit	henry-nash proposed openstack/keystone: Split the assignments manager/driver. https://review.openstack.org/130954	20:07
gabriel-bezerra	dstanek: this file seems to be promising about the attributes: https://github.com/rohe/pysaml2/blob/25704a9faeaaa22f88bd2126b3152274702446c7/tests/test_37_entity_categories.py	20:08
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix to not use empty IN clause https://review.openstack.org/143175	20:13
morganfainberg	stevemar, i'm going to address bknudson's comments in the no-more-extensions spec. can i get you to review it once i've done that?	20:13
*** henrynash has joined #openstack-keystone		20:13
*** ChanServ sets mode: +v henrynash		20:13
henrynash	stevemar: ping	20:14
stevemar	henrynash, ahoy	20:14
morganfainberg	henrynash, hey, i'll respin the extensions-no-more spec to address the outstanding comments later today	20:14
stevemar	morganfainberg, shore	20:14
henrynash	steevmar: so on the oslo.conf thing…what I meant was that if someone tries update the the config file once that patch goes in, but before the other one…then it will look totally different…and it will be odd doing a commit with that changes conf file in there	20:15
henrynash	morganfainberg: soudns great	20:15
henrynash	stevemar: I’d have just thought we would want to keep the change ‘atomic'	20:16
stevemar	henrynash, ah i see what you mean...	20:18
stevemar	do you want me to merge the two patches?	20:18
henrynash	stevemar: I;d have thought that would be the simplest thing	20:18
stevemar	alrighty, dolphm heads up, i'm merging your two oslo.config patches	20:19
*** avozza is now known as zz_avozza		20:21
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix to not use empty IN clause https://review.openstack.org/143175	20:22
ayoung	bknudson, I think I am going to bail on splitting out /auth ...what do you think of getting rid of Paste instead? Is there any good argument for keeping it around?	20:22
dstanek	gabriel-bezerra: i just removed some of my hacks and i am getting this in my assertion - http://paste.openstack.org/show/153258/	20:23
bknudson	ayoung: what's the alternative to no paste?	20:23
dstanek	gabriel-bezerra: i'm not sure what i should be gettig	20:23
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix to not use empty IN clause https://review.openstack.org/143175	20:24
dstanek	what's with this neutron bug? driving me crazy	20:26
stevemar	dstanek, that's funny stuff in an assertion	20:31
dstanek	stevemar: what should be there?	20:32
stevemar	dstanek, well ideally edupersontargetedid should be openstack_user or something	20:32
stevemar	and one!for!all should be the user's name	20:32
stevemar	the rest looks OK thought	20:33
stevemar	though*	20:33
openstackgerrit	Steve Martinelli proposed openstack/keystone: switch from sample_config.sh to oslo-config-generator https://review.openstack.org/113905	20:35
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove oslo incubator's config generator https://review.openstack.org/142652	20:36
dstanek	stevemar: i can fix the user data to have openstack_user - this is the default idp user data https://github.com/rohe/pysaml2/blob/master/example/idp2/idp_user.py	20:36
openstackgerrit	Brant Knudson proposed openstack/keystone: Don't allow deprecations during testing https://review.openstack.org/143183	20:37
stevemar	henrynash, should be to your liking now sir	20:37
*** erkules_ has joined #openstack-keystone		20:38
stevemar	dstanek, were you using that as your input? cause then it seems fine	20:38
*** erkules has quit IRC		20:39
*** gyee has quit IRC		20:39
*** _cjones_ has joined #openstack-keystone		20:41
*** _cjones_ has quit IRC		20:42
*** _cjones_ has joined #openstack-keystone		20:42
dstanek	stevemar: yes, that's the default	20:42
gabriel-bezerra	dstanek: that's exactly what I'm getting, but the problem is that haho0032 (the user you are using, right?) has much more data in the idp_user.py's dictionary	20:48
gabriel-bezerra	dstanek: and those attributes are not comming in the assertion	20:48
gabriel-bezerra	s/comming/coming/	20:49
*** _cjones_ has quit IRC		20:50
*** zz_avozza is now known as avozza		20:54
*** gyee has joined #openstack-keystone		20:55
*** ChanServ sets mode: +v gyee		20:55
*** nellysmitt has quit IRC		20:58
*** hdd has quit IRC		20:59
openstackgerrit	Brant Knudson proposed openstack/keystone: Integrate logging with the warnings module https://review.openstack.org/143188	20:59
ayoung	bknudson, we can do all of the stuff paste does in Python.	20:59
*** raildo has joined #openstack-keystone		20:59
ayoung	The only thing I see us telling end users to do is remove the admin token filter once the thing is set up	21:00
ayoung	it is a config file that we don't really need	21:00
ayoung	I'll do some research, but I'm sure there is a better way	21:00
*** nellysmitt has joined #openstack-keystone		21:00
*** stevemar has quit IRC		21:01
ayoung	we might be able to do the paste config in python code as a first step	21:01
ayoung	really just removing the Paste Deploy part.	21:01
dstanek	gabriel-bezerra: yeah :-( let's see why	21:02
*** _cjones_ has joined #openstack-keystone		21:02
ayoung	dstanek, is there a competing project to paste.deploy we should consider?	21:04
dstanek	ayoung: for building the pipeline?	21:04
ayoung	dstanek, yes. I'd like to build it in Python, not a config file	21:04
ayoung	dstanek, there is very little in paste that an end use should touch.	21:05
dstanek	ayoung: if you do it in Python you don't need a project - you just construct the objects	21:05
dstanek	that'll make us much different from everyone else so we should start socializing that kind of change	21:05
dstanek	unless other projects are going that route already	21:06
ayoung	dstanek, OK, so PasteDeploy seems to be something we are working around as opposed to working with	21:07
ayoung	for example, we lump all of the routers together into a single one and call it the v3 api	21:07
*** raildo has quit IRC		21:07
ayoung	everything we have needs an ever-growing set of filters	21:08
ayoung	at least one per extension...	21:08
dstanek	ayoung: i don't think we are working around it - we use it to construct the object	21:08
ayoung	we work around pastedeploy	21:08
ayoung	dstanek, I just tried splitting out /auth into its own pipeline. Its not possible without rearchitecting our code	21:09
dstanek	ayoung: why not?	21:10
ayoung	dstanek, the big thing was the JSON Home,	21:11
ayoung	which assumes we have a single tree	21:11
ayoung	and addressing that means that we would have to split out /auth, /identity, /assignemtn	21:11
ayoung	ets	21:11
ayoung	actuall, it is not /identity	21:11
ayoung	it is /user and /users and /group and /groups	21:11
dstanek	ayoung: sounds like you would have to re-architect then - paste-deploy shouldn't matter here	21:11
ayoung	nah	21:12
ayoung	I could do everything I need inside of the current code, and then paste is just being ignored	21:12
ayoung	so....why continue to use it if it is just dead weight	21:12
ayoung	more specifically, why put out a file nominally as a config file, but that the user should not touch or they will break the application?	21:13
*** _cjones_ has quit IRC		21:15
dstanek	ayoung: our docs all over the place tell people to modify that config file	21:15
dstanek	ayoung: that's also an extension point for deployers to add their own middleware	21:16
*** hichtakk has joined #openstack-keystone		21:22
*** henrynash has quit IRC		21:22
morganfainberg	ayoung, the value of deployers being able to add thier own middleware in can't be underestimated	21:29
ayoung	morganfainberg, to do what?	21:30
morganfainberg	ayoung, now... we could collapse everything else down if we wanted - and probably not break anything too much	21:30
morganfainberg	ayoung, so the deployer can still add their middleware / extension but we can avoid them "breaking" things by removing something important	21:30
morganfainberg	not saying we shoul.d	21:31
morganfainberg	ayoung, middleware/extensions etc. deployers do things that are custom - and we've supported it. so we need to continue to do so	21:31
ayoung	morganfainberg, is this actually done, or is it theoretical? Would it really make sense to add middleware (extensions are a different story)	21:31
morganfainberg	i've talked with people who have done it. and metacloud has done it	21:32
ayoung	what kind of middleware?	21:32
morganfainberg	middleware/extensions are the same thing from paste-perspective	21:32
*** hichtakk has quit IRC		21:33
morganfainberg	metacloud did some in-line data extration/injection for some cases [at least there was code to do so, not sure how widely used it was]	21:33
morganfainberg	and extensions are used.	21:33
*** hichtakk has joined #openstack-keystone		21:33
*** _cjones_ has joined #openstack-keystone		21:33
morganfainberg	and not waht we call an extension in-tree ;)	21:33
*** jungleboyj has quit IRC		21:33
*** nellysmitt has quit IRC		21:34
ayoung	morganfainberg, extensions, at least things like S3 and OAUTH are in their own subtrees. If we were using paste as it was intended, they would be their own pipelines	21:36
*** erkules has joined #openstack-keystone		21:36
ayoung	we just seem to be in this odd place, and I'm trying to do something I thought would be trivial	21:36
ayoung	and finding that it really is not	21:36
ayoung	paste deploy seems to be stagnating as a project. I like the idea, but it needs some more work.	21:37
*** erkules_ has quit IRC		21:37
dstanek	ayoung: i like building the pipeline from a config, but not the rest of paste*	21:37
ayoung	and, before I try to contribute to paste deploy, I want to know if it is in our interest to continue to use it	21:37
dstanek	ayoung: i actually wrong a small snippet to load them without having to depend on paste	21:37
*** hichtakk has quit IRC		21:38
ayoung	dstanek, so one thing I would do if I go the "contribute to paste" approach is to make a filter composable from other filters	21:38
ayoung	Now, I could collapse them in code, too	21:38
dstanek	why would you want to do that?	21:39
dstanek	ayoung: why compose filters in that way i mean	21:39
rodrigods	morganfainberg, ayoung, so we a final +2 here: https://review.openstack.org/#/c/140161/	21:40
ayoung	dstanek, to avoid duplicating them in multiple pipeliens	21:40
rodrigods	we need*	21:40
dstanek	ayoung: you mean the duplication of the pipeline string itself?	21:41
ayoung	yeah	21:41
ayoung	dstanek, was looking for the code...one sec	21:42
ayoung	OK, so the whole "factory is blah" then "factory goes here in the pipeline" is ... sort of right, and sort of wrong	21:42
ayoung	dstanek, I would rather do the thing you were showing at the summit for that	21:43
ayoung	Dependency Injection	21:43
ayoung	sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body is repeated at least 3 times. And when I went to split out /auth it would have been almost repeated again	21:43
*** hichtakk has joined #openstack-keystone		21:44
ayoung	Actually, I would have been...I was thinking I would have removed token_auth, but even that is still needed for validation.	21:44
ayoung	I was trying to make multiple auth pipelines, one of which would be used for X509, one for Kerberos, one for SAML etc	21:45
ayoung	now, maybe this is the wrong approach, but what struck was how hard it was to do	21:45
ayoung	and, if the whole thing were either in paste deploy format, or the whole thing were in python, it would be easier. Its this split-brained approach that makes it hard to address	21:46
*** hdd has joined #openstack-keystone		21:46
ayoung	I guess I don't really need the whole AUTH_URL. All I need is to be able to do POST /auth/tokens.	21:50
ayoung	I could make a separate router that only supports that, and put it in the paste file sans any other calls	21:51
ayoung	... so long as we support jamielennox\|away 's approach of putting a service catalog into an unscoped token	21:51
*** Tahmina has joined #openstack-keystone		21:58
*** chrisshattuck has joined #openstack-keystone		22:05
*** chrisshattuck has quit IRC		22:08
flaper87	morganfainberg: https://review.openstack.org/#/c/140765/ +2 ?	22:09
flaper87	zaqar's gate is blocked on that :(	22:10
morganfainberg	Earlier it hasn't passed check (when I looked). +2 now. Will release a dot fix either tonight or Sunday evening.	22:12
morganfainberg	flaper87: ^	22:12
*** avozza is now known as zz_avozza		22:12
flaper87	morganfainberg: awesone, thanks a lot! :D	22:13
*** _cjones_ has quit IRC		22:14
*** _cjones_ has joined #openstack-keystone		22:14
morganfainberg	chances are id trather release Sunday night if that won't block you up too badly. I would rather avoid having to jump on fixes over the weekend.	22:18
morganfainberg	If we introduce some other bug by accident.	22:18
morganfainberg	flaper87: ^	22:18
flaper87	morganfainberg: sure, we can wait 'til then	22:19
flaper87	we can use keystonemiddleware from git 'til the new version is out	22:19
*** dimsum__ has quit IRC		22:23
*** timcline_ has quit IRC		22:25
*** jungleboyj has joined #openstack-keystone		22:29
morganfainberg	Great.	22:30
morganfainberg	I'm going to a friends wedding starting tonight, don't want to have things blow up when that is going on.	22:31
*** henrynash has joined #openstack-keystone		22:33
*** ChanServ sets mode: +v henrynash		22:33
*** erkules has quit IRC		22:38
*** topol has quit IRC		22:39
*** erkules has joined #openstack-keystone		22:42
*** radez is now known as radez_g0n3		22:46
ayoung	flaper87, ah you still here?	22:49
ayoung	flaper87, you oslo core? Can you approve https://review.openstack.org/#/c/140161/	22:49
*** henrynash has quit IRC		22:52
flaper87	ayoung: yup	22:52
* flaper87 clicks		22:52
ayoung	flaper87, thanks!	22:52
ayoung	flaper87, once that goes through, we need....	22:53
ayoung	https://review.openstack.org/#/c/142813/	22:53
ayoung	so, thanks, you are helping to move along an essential issue that it outside of our control	22:54
flaper87	ayoung: done	22:54
ayoung	flaper87, I think we are at Beer parity here	22:54
flaper87	ayoung: I added a comment with +1 on the second one	22:54
ayoung	++	22:54
*** timcline has joined #openstack-keystone		22:56
ayoung	OK, time to be dad	22:57
*** ayoung has quit IRC		22:57
*** timcline has quit IRC		23:00
rodrigods	morganfainberg, graduation spec merged \o/	23:01
openstackgerrit	Cedric Brandily proposed openstack/python-keystoneclient: Use textwrap instead of home made implementation https://review.openstack.org/139032	23:03
morganfainberg	rodrigods, nice!	23:05
*** chrisshattuck has joined #openstack-keystone		23:11
*** zz_avozza is now known as avozza		23:15
lhcheng	hello, is there a way to run python-keystoneclient CLI without installing it on my system? I am working on a bug and figuring out how to test the CLI.	23:16
morganfainberg	lhcheng, you could use a VENV and install it there instead of overridding the system libs/system install	23:16
morganfainberg	lhcheng, venv = virtualenv	23:17
morganfainberg	lhcheng, so virtualenv <path> then source <path>/bin/activate	23:17
lhcheng	morganfainberg: activate from venv	23:17
lhcheng	morganfainberg: okay	23:17
morganfainberg	lhcheng, then you can pip install etc the keystoneclient without overriding your system stuff	23:17
*** gordc has quit IRC		23:18
lhcheng	morganfainberg: I see, then create a symlink from the venv to my keystoneclient code?	23:19
morganfainberg	lhcheng, nope you should just install (once the VENV is active) the keystoneclient	23:19
morganfainberg	lhcheng, the VENV should put it's bin dir ahead of your normal path, meaning that running `keystone` should use the one from the venv	23:19
*** rm_work is now known as rm_work\|away		23:20
*** Tahmina has quit IRC		23:20
*** chrisshattuck has quit IRC		23:21
lhcheng	morganfainberg: Ah. I don't want to run the keystoneclient from pypi, but run the keystoneclient that I am currently working on.	23:23
morganfainberg	lhcheng, yo can install a local keystoneclient via pip <path>	23:23
morganfainberg	lhcheng, you could also use setup	23:23
morganfainberg	i recomment using pip -e <path to your keystoneclient you're working on>	23:24
*** chrisshattuck has joined #openstack-keystone		23:24
morganfainberg	so that any changes you make to the keystoneclient code is immediate, you don't need to reinstall (it uses symlinks, like "develop" mode in setup.py)	23:24
lhcheng	morganfainberg: do I have to install the requirements.txt prior to pip -e <path to your keystoneclient you're working on>	23:25
morganfainberg	lhcheng, i usually do personally, but i think it does the install like you'd expect	23:25
lhcheng	morganfainberg: good stuff, forgot I can pip install from source	23:25
morganfainberg	lhcheng :)	23:25
lhcheng	morganfainberg: this should get me going	23:26
lhcheng	morganfainberg: thanks for help! :)	23:26
lhcheng	morganfainberg: so yeah, pip was smart enough to inspect the requirements.txt and install it in venv. Cool!	23:28
morganfainberg	happy to help	23:28
*** nellysmitt has joined #openstack-keystone		23:34
*** chrisshattuck has quit IRC		23:37
*** nellysmitt has quit IRC		23:39
*** dimsum__ has joined #openstack-keystone		23:41
*** _cjones_ has quit IRC		23:42
*** jungleboyj has quit IRC		23:43
openstackgerrit	Merged openstack/keystone: Use bashate to run_tests.sh https://review.openstack.org/143148	23:45
*** avozza is now known as zz_avozza		23:47
*** timcline has joined #openstack-keystone		23:57
*** timcline has quit IRC		23:59
*** timcline_ has joined #openstack-keystone		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!