jodah | trying one more time to reproduce this.. | 00:01 |
---|---|---|
morganfainberg | bknudson, gyee, we should introduce, if anything, a window beyond expiry to maintain the cache | 00:01 |
jodah | the last time i hit it a few months ago was on a new devstack setup on a new VM. installing ntp resolves it. | 00:02 |
morganfainberg | vs. relying on strict LRU | 00:02 |
gyee | morganfainberg, a window beyond expiry? | 00:08 |
jodah | Ok - reproducing again. just stopped ntp, forced clock back, restarted keystone, grabbed new token. | 00:08 |
morganfainberg | gyee, cache, and expire from cache after X window assume it's safe to remove from cache | 00:08 |
morganfainberg | vs. just waiting for cache timeout | 00:08 |
morganfainberg | or LRU | 00:08 |
jodah | also restarted Trove, which houses the middleware I'm hitting | 00:08 |
jodah | Should I file something for this? | 00:09 |
gyee | jodah, no crime scene, no crime :D | 00:09 |
*** chrisshattuck has quit IRC | 00:09 | |
jodah | what do you mean - i can reproduce it now? haha | 00:09 |
gyee | let's see | 00:10 |
*** jell has joined #openstack-keystone | 00:10 | |
*** jell is now known as Guest18524 | 00:10 | |
gyee | morganfainberg, bknudson just verified it, expiry time has no effect on cache | 00:11 |
gyee | we always use cache_time | 00:11 |
morganfainberg | right | 00:11 |
*** Guest18524 is now known as jell | 00:12 | |
*** dims has quit IRC | 00:13 | |
bknudson | we also have a cache entry for invalid tokens. potential dos. | 00:15 |
bknudson | not sure what we could do about it except limit the number of invalid tokens stored. or rate limiting. | 00:16 |
morganfainberg | bknudson, limiting the number of cached tokens is [short of more housekeeping code] kind of ugly | 00:17 |
morganfainberg | rate limiting is probably better | 00:17 |
gyee | ++ | 00:17 |
jodah | Filed this: https://bugs.launchpad.net/keystonemiddleware/+bug/1415687 | 00:18 |
TempLPBugBot | Launchpad bug 1415687 in keystonemiddleware "Keystone middleware intermittently rejects a token based on expiration" (affected: 1, heat: 6) [Undecided,New] | 00:18 |
gyee | jodah, only way I think you can reproduce that bug is that your keystone and trove instances are completely out of sync | 00:18 |
jodah | hope it helps | 00:18 |
jodah | in terms of system clocks? | 00:19 |
gyee | yes, and the trove instances are not sharing the same cache | 00:19 |
jodah | the services are started at separate times... potentially | 00:19 |
jodah | i only have 1 trove API instance | 00:19 |
jodah | in this case | 00:19 |
gyee | only 1 trove instance? | 00:20 |
jodah | api instance, yes | 00:20 |
jodah | On a different system than the rest of devstack/keystone | 00:20 |
gyee | in that case, I can't explain how it would be flopping between valid and invalid | 00:20 |
gyee | for the same token | 00:20 |
*** openstackgerrit has quit IRC | 00:21 | |
jodah | The middleware log i attached is coming from a single trove instance, with auth flapping back and forth for the same token | 00:21 |
*** openstackgerrit has joined #openstack-keystone | 00:21 | |
*** packet has quit IRC | 00:21 | |
bknudson | if it was cached as valid in one thread and cached as invalid in another thread then you'd see the flopping. | 00:21 |
jodah | jeez - is that bug you mentioned? | 00:21 |
gyee | bknudson, can't happen like that, its the same cache | 00:21 |
bknudson | when using the in-memory cache there's one cache per thread. | 00:22 |
gyee | oh, this is inmemory? | 00:22 |
*** dims has joined #openstack-keystone | 00:22 | |
bknudson | the default is in-memory | 00:22 |
gyee | but two different threads can have two different system time though | 00:22 |
gyee | can't | 00:22 |
bknudson | I think it would require the token becoming invalid during the cache time | 00:23 |
bknudson | but then that could happen even if the clocks were out of sync | 00:23 |
bknudson | I mean even if the clocks are in sync | 00:24 |
jodah | Anything else I can provide with my bug report before I restart ntp and move on for now? :) | 00:24 |
gyee | right, but for a single instance, I would expect the token to stay invalid once it is invalid | 00:24 |
gyee | not flopping back and forth | 00:24 |
bknudson | but if the clocks were in sync then that would require the token is invalidated. | 00:24 |
bknudson | gyee: the problem is that there's one cache per thread... most of the api servers are multi-threaded. | 00:25 |
bknudson | I don't know about trove but nova-api is multi-threaded. | 00:25 |
gyee | right, but don't all the threads share the system clock? | 00:26 |
bknudson | a request could get a thread that cached it as valid , or a request could get a thread that cached it as invalid | 00:26 |
jodah | so is there a cache per thread? | 00:26 |
bknudson | jodah: yes. | 00:26 |
gyee | that still does not explain the flopping | 00:26 |
bknudson | a request could get a thread that cached it as valid , next one gets a thread where it's invalid, next one gets a thread where it's valid | 00:27 |
bknudson | so it looks like flopping. | 00:27 |
gyee | how does it cache as invalid to begin with? | 00:27 |
bknudson | it hits a thread that doesn't have the token cached so it talks to keystone server and it's invalid. | 00:28 |
*** david-lyle is now known as david-lyle_afk | 00:28 | |
bknudson | it's easy to try with nova. use a valid token, then invalidate it. | 00:29 |
morganfainberg | and the clock skew forces keystone to indicate a token is invalid outside of the window you'd expect with a long cache comparatively | 00:29 |
gyee | bknudson, ok, I see what you mean | 00:29 |
gyee | bknudson, so in theory, when the threads are saturated, all the subsequent calls will become invalid | 00:30 |
bknudson | gyee: they'll all be correct once the cache time has passed. | 00:31 |
jodah | bknudson: Is it difficult to just share a cache across threads? | 00:31 |
bknudson | it's an artifact of caching. The weird thing is that a single server can have multiple caches. | 00:31 |
jodah | would seem ideal | 00:32 |
bknudson | jodah: I actually don't know why it works the way it does. Seems like a waste of resources. | 00:32 |
bknudson | we get the in-memory cache from oslo. | 00:32 |
jodah | That, and just exposes things to these kinds of errors, among other possible races | 00:32 |
gyee | 1) use memcache; and 2) use ntpd; 3) spend more time at the beach | 00:33 |
jodah | I'll work on #3 | 00:33 |
jodah | :) thanks gents | 00:33 |
bknudson | http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/openstack/common/memorycache.py -- it's pretty small | 00:34 |
bknudson | it doesn't do anything on purpose to have a separate cache per thread... I think it just winds up that way. | 00:34 |
bknudson | since there will be multiple instances of the pipeline and thus multiple instances of auth_token ? | 00:34 |
gyee | we run keystone with apache2, and configure multiple process rather than multiple threads | 00:35 |
jodah | maybe the oslo folks can be poked to provide caches that are not thread local | 00:37 |
gyee | memecache | 00:38 |
morganfainberg | jodah, memcache is the only real option on that front | 00:38 |
morganfainberg | or redis | 00:38 |
jodah | is this a python limitation? | 00:38 |
gyee | not a python thing | 00:39 |
morganfainberg | it's more of a introducing a lot of locking and other issues within eventlet running systems. in short, we shouldn't be doing that | 00:39 |
morganfainberg | if we want caching that isn't threadlocal we should be looking at tools that do it better | 00:39 |
gyee | don't mess with the GIL man :) | 00:39 |
jodah | pssh, yea | 00:40 |
jodah | i think the native data structures are all threadsafe though | 00:40 |
jodah | so memcache seems no diff from just using a dict | 00:40 |
morganfainberg | eventlet means it's *not* really threads | 00:40 |
jodah | sure, but if it's 1 or more threads, reading/writing from the same dict should be fine afaik | 00:41 |
morganfainberg | this is solving the problem in the wrong place. local in-memory cache is a bad idea | 00:41 |
jodah | for a clustered service, yea :) | 00:41 |
morganfainberg | no in general | 00:41 |
morganfainberg | think of the housekeeping logic needed for dict | 00:41 |
morganfainberg | in python | 00:41 |
jodah | in general... for python? | 00:42 |
jodah | not familiar with the housekeeping | 00:42 |
morganfainberg | python dicts do not auto expire, there is a lot of extra code needed to make it work | 00:42 |
jodah | ah.. tea | 00:42 |
jodah | yea | 00:42 |
morganfainberg | if you put something in a dict, when does that go away? | 00:42 |
jodah | memcache is a convenience then | 00:42 |
morganfainberg | not just a convenience. | 00:42 |
morganfainberg | better at solving the task | 00:42 |
morganfainberg | honestly i recommend redis | 00:43 |
jodah | i don't know if there are expiring dict-like things in python? i assumed there were | 00:44 |
morganfainberg | not really | 00:44 |
morganfainberg | i mean i can program them. | 00:44 |
morganfainberg | and i've seen people do it. | 00:44 |
morganfainberg | but it's always going to be a lot of extra and relatively fragile code | 00:44 |
jodah | there are a few for the JVM and other platforms. one i wrote uses a single thread to expire entries | 00:44 |
jodah | why fragile? | 00:45 |
morganfainberg | because if you *dont* expire properly - it opens the door for a dos | 00:45 |
morganfainberg | or worse a memory leak | 00:45 |
jodah | don't know if i'd say fragile, just important :) | 00:45 |
morganfainberg | developing an in-process-space cache is the wrong place for this. | 00:46 |
morganfainberg | memcache, redis, etc have solved a lot of this [especially when you're talking about sharing cache across threads] | 00:46 |
morganfainberg | we already have memory issues and performance issues with the thread.local in-memory cache people use from oslo-incubator | 00:47 |
jodah | sure - was just curious about this problem in general in the python ecosystem | 00:47 |
morganfainberg | typically the solution is use tools that do it better in python :) | 00:47 |
jodah | haha | 00:47 |
morganfainberg | in this case - memcache is waaaaaaay better at it | 00:47 |
morganfainberg | and not a high barrier to entry | 00:47 |
*** markvoelker has quit IRC | 00:48 | |
morganfainberg | especially since it already does LRU, automatic timeouts, etc | 00:48 |
morganfainberg | :) | 00:48 |
lhcheng | hello, got an ldap backend related question.. | 00:52 |
lhcheng | so.. I am working on this bug: https://bugs.launchpad.net/keystone/+bug/1411478 | 00:52 |
TempLPBugBot | Launchpad bug 1411478 in Keystone "Any attribute that is equal to 'TRUE' or 'FALSE' is treated as boolean by LDAP drivers" (affected: 1, heat: 12) [High,New] - Assigned to Lin Hua Cheng (lin-hua-cheng) | 00:52 |
morganfainberg | jodah, we use dogpile.cache for this - i expect oslo will help move to that as well for other caching cases, which should make it easier to use in-memory, memcache, redis, etc for all the differing use-cases - meaning you could do a non-thread.local driver trivially if you wanted | 00:52 |
jodah | cool | 00:53 |
morganfainberg | jodah, in keystone we use dogpile.cache that is. and there is a spec to make oslo.cache available that does config/wrapper for it in openstack | 00:53 |
lhcheng | I finish adding the user/group schema, and added the validation to the controller classes. Where else do I need to add the validation to solve the bug for ldap backend? | 00:53 |
morganfainberg | lhcheng, didn't... we already solve this? or is that another bug. some of these are blurring together :P | 00:53 |
morganfainberg | lhcheng, so that aside. | 00:55 |
morganfainberg | lhcheng, the issue is we aren't sure the data is converted to <type> when going to the backend or being retrieved? or both? | 00:56 |
lhcheng | morganfainberg: hmm I think the bug is actually asking for two things :P 1. add the schema 2. fix the ldap backend retrieve | 00:57 |
morganfainberg | lhcheng, so both | 00:58 |
morganfainberg | lhcheng, hm. | 00:58 |
lhcheng | morganfainberg: so the data will be rejected if it doesn't match the schema | 00:58 |
lhcheng | morganfainberg: yeah | 00:58 |
morganfainberg | i don't think we have something that does the validate at the schema level *from* the backend | 00:58 |
morganfainberg | and this doesn't really seem like an issue with the controller. | 00:58 |
morganfainberg | this looks, based on the bug, to be something in how we do py2ldap or ldap2py | 00:58 |
*** markvoelker has joined #openstack-keystone | 00:59 | |
*** oomichi has joined #openstack-keystone | 01:00 | |
*** tqtran is now known as tqtran_afk | 01:00 | |
lhcheng | morganfainberg: argh.. yeah.. | 01:00 |
lhcheng | morganfainberg: been working on the user/group schema and test today since it was mentioned on the bug :P | 01:01 |
morganfainberg | right | 01:01 |
morganfainberg | i think there are really 2 bugs here | 01:01 |
morganfainberg | 1: we don't have schema for user/group | 01:01 |
morganfainberg | buuuut.. that isn't this bug | 01:01 |
morganfainberg | 2: py2ldap and ldap2py | 01:01 |
lhcheng | morganfainberg: I can open the bug for #1, I already have the code. :P | 01:02 |
morganfainberg | sounds good | 01:02 |
lhcheng | morganfainberg: yeah, that clarifies things now | 01:02 |
morganfainberg | glad to help :P wish it was better help thought | 01:02 |
morganfainberg | though* | 01:02 |
lhcheng | morganfainberg: I'll dig into that py2ldap and ldap2py thing later then | 01:03 |
lhcheng | morganfainberg: thanks! :D | 01:03 |
*** openstackgerrit has quit IRC | 01:05 | |
*** openstackgerrit has joined #openstack-keystone | 01:05 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Deprecate LDAP Assignment Backend https://review.openstack.org/150970 | 01:06 |
*** dims has quit IRC | 01:10 | |
openstackgerrit | Lin Hua Cheng proposed openstack/keystone: Add schema for user and group https://review.openstack.org/151064 | 01:11 |
*** gyee has quit IRC | 01:12 | |
openstackgerrit | Lin Hua Cheng proposed openstack/keystone: Add schema for endpoint group https://review.openstack.org/150292 | 01:12 |
*** samueldmq_ has joined #openstack-keystone | 01:14 | |
openstackgerrit | David J Hu proposed openstack/keystone: Version independent token issuance pipeline https://review.openstack.org/150629 | 01:14 |
*** tellesnobrega_ has quit IRC | 01:15 | |
*** jodah has left #openstack-keystone | 01:18 | |
davechen_ | bknudson: Hi Brant, | 01:26 |
*** markvoelker has quit IRC | 01:57 | |
*** markvoelker has joined #openstack-keystone | 01:58 | |
*** markvoelker has quit IRC | 02:02 | |
*** junhongl has quit IRC | 02:06 | |
*** tqtran_afk has quit IRC | 02:09 | |
*** marg7175 has quit IRC | 02:11 | |
*** rwsu is now known as rwsu-afk | 02:13 | |
*** samueldmq_ has quit IRC | 02:18 | |
*** junhongl has joined #openstack-keystone | 02:20 | |
*** openstackgerrit has quit IRC | 02:20 | |
*** openstackgerrit has joined #openstack-keystone | 02:20 | |
*** erkules_ has joined #openstack-keystone | 02:21 | |
*** erkules has quit IRC | 02:23 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add WebSSO support for federation https://review.openstack.org/136177 | 02:36 |
stevemar | lhcheng, ^^ thanks for the review :) | 02:36 |
*** wpf has quit IRC | 02:36 | |
*** wpf has joined #openstack-keystone | 02:37 | |
lhcheng | stevemar: looking good, it's almost ready :D | 02:37 |
stevemar | lhcheng, when that lands i will do a happy dance | 02:38 |
lhcheng | lol | 02:38 |
stevemar | lhcheng, i need to think about tests for it though... | 02:38 |
stevemar | at least ones that exercise the config options, and route | 02:39 |
lhcheng | stevemar: writing test is the hardest part of coding :) | 02:40 |
*** tellesnobrega_ has joined #openstack-keystone | 02:43 | |
*** dims has joined #openstack-keystone | 02:45 | |
*** lhcheng has quit IRC | 02:59 | |
*** jodah has joined #openstack-keystone | 03:04 | |
*** radez_g0n3 is now known as radez | 03:04 | |
*** rushiagr_away is now known as rushiagr | 03:06 | |
*** openstackgerrit has quit IRC | 03:20 | |
*** openstackgerrit has joined #openstack-keystone | 03:20 | |
*** avozza is now known as zz_avozza | 03:24 | |
openstackgerrit | Merged openstack/keystone: Remove list_user_projects method from assignment https://review.openstack.org/150574 | 03:31 |
*** xxj has quit IRC | 03:43 | |
*** junhongl has quit IRC | 03:43 | |
*** wpf has quit IRC | 03:43 | |
*** rushiagr is now known as rushiagr_away | 03:45 | |
*** jimbaker has quit IRC | 03:51 | |
*** richm has quit IRC | 03:52 | |
*** jimbaker has joined #openstack-keystone | 03:52 | |
*** jimbaker has quit IRC | 03:52 | |
*** jimbaker has joined #openstack-keystone | 03:52 | |
*** wpf has joined #openstack-keystone | 03:59 | |
*** junhongl has joined #openstack-keystone | 04:00 | |
*** xxj has joined #openstack-keystone | 04:00 | |
*** oomichi has quit IRC | 04:01 | |
*** gordc has joined #openstack-keystone | 04:02 | |
*** radez is now known as radez_g0n3 | 04:04 | |
*** dims has quit IRC | 04:08 | |
*** dims has joined #openstack-keystone | 04:09 | |
*** junhongl has quit IRC | 04:09 | |
*** wpf has quit IRC | 04:10 | |
*** xxj has quit IRC | 04:10 | |
*** boris-42 has quit IRC | 04:13 | |
*** markvoelker has joined #openstack-keystone | 04:21 | |
*** junhongl has joined #openstack-keystone | 04:22 | |
*** wpf has joined #openstack-keystone | 04:23 | |
*** xxj has joined #openstack-keystone | 04:23 | |
*** dims has quit IRC | 04:23 | |
*** lhcheng has joined #openstack-keystone | 04:29 | |
*** marg7175 has joined #openstack-keystone | 04:42 | |
*** stevemar has quit IRC | 04:43 | |
*** stevemar has joined #openstack-keystone | 04:44 | |
*** ChanServ sets mode: +v stevemar | 04:44 | |
*** tellesnobrega_ has quit IRC | 04:46 | |
*** gordc has quit IRC | 04:47 | |
*** gordc has joined #openstack-keystone | 04:47 | |
*** harlowja is now known as harlowja_away | 04:48 | |
*** rushiagr_away is now known as rushiagr | 04:49 | |
*** markvoelker has quit IRC | 04:53 | |
*** markvoelker_ has joined #openstack-keystone | 04:53 | |
*** andreaf has quit IRC | 04:56 | |
*** andreaf has joined #openstack-keystone | 04:56 | |
*** f13o has quit IRC | 05:00 | |
openstackgerrit | Lin Hua Cheng proposed openstack/keystone: Add schema for endpoint group https://review.openstack.org/150292 | 05:00 |
*** zzzeek has quit IRC | 05:12 | |
*** f13o has joined #openstack-keystone | 05:13 | |
*** markvoelker_ has quit IRC | 05:16 | |
*** markvoelker has joined #openstack-keystone | 05:16 | |
*** markvoelker has quit IRC | 05:22 | |
*** dims has joined #openstack-keystone | 05:24 | |
*** marg7175 has quit IRC | 05:25 | |
*** dims has quit IRC | 05:28 | |
openstackgerrit | Zhiyuan Cai proposed openstack/keystone: Fix evaluation logic of federation mapping rules https://review.openstack.org/151109 | 05:29 |
*** markvoelker has joined #openstack-keystone | 05:47 | |
*** markvoelker has quit IRC | 05:52 | |
*** oomichi_ has joined #openstack-keystone | 05:57 | |
*** oomichi_ has quit IRC | 05:57 | |
*** josecastroleon_ has joined #openstack-keystone | 06:00 | |
*** josecastroleon has quit IRC | 06:03 | |
*** josecastroleon__ has joined #openstack-keystone | 06:05 | |
*** gordc has quit IRC | 06:08 | |
*** josecastroleon_ has quit IRC | 06:09 | |
*** jaosorior has joined #openstack-keystone | 06:17 | |
openstackgerrit | Merged openstack/keystone: Remove unnecessary code block of exception handling https://review.openstack.org/149956 | 06:18 |
*** wpf has quit IRC | 06:19 | |
*** wpf has joined #openstack-keystone | 06:21 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/149158 | 06:23 |
*** gtt116__ has joined #openstack-keystone | 06:44 | |
gtt116__ | morganfainberg, Hi, around? | 06:44 |
gtt116__ | morganfainberg, does dogpile just a cache for token, we still need some real storage backend (mysql). Can I just use redis for a storage backend, without MySQL or memcache? | 06:45 |
*** markvoelker has joined #openstack-keystone | 06:48 | |
*** afazekas has joined #openstack-keystone | 06:51 | |
*** markvoelker has quit IRC | 06:52 | |
*** xxj has quit IRC | 06:54 | |
*** xxj has joined #openstack-keystone | 06:54 | |
*** stevemar has quit IRC | 06:55 | |
*** stevemar has joined #openstack-keystone | 06:55 | |
*** ChanServ sets mode: +v stevemar | 06:55 | |
morganfainberg | gtt116__, so you can use dogpile + memcache for a store | 07:03 |
morganfainberg | gtt116__, but i recommend using redis instead | 07:03 |
morganfainberg | gtt116__, but you can def. avoid using mysql for tokens | 07:04 |
*** ksavich_ has quit IRC | 07:05 | |
*** markvoelker has joined #openstack-keystone | 07:21 | |
*** markvoelker has quit IRC | 07:27 | |
*** oomichi has joined #openstack-keystone | 07:33 | |
*** henrynash has joined #openstack-keystone | 07:45 | |
*** ChanServ sets mode: +v henrynash | 07:45 | |
*** lhcheng has quit IRC | 07:48 | |
*** lhcheng has joined #openstack-keystone | 07:48 | |
*** pnavarro has joined #openstack-keystone | 07:52 | |
*** lhcheng has quit IRC | 07:53 | |
*** andreaf has quit IRC | 07:56 | |
*** andreaf has joined #openstack-keystone | 07:56 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add CADF notifications for most resources https://review.openstack.org/151137 | 07:58 |
*** f13o has quit IRC | 07:58 | |
*** stevemar has quit IRC | 08:12 | |
*** f13o has joined #openstack-keystone | 08:16 | |
*** markvoelker has joined #openstack-keystone | 08:25 | |
*** gtt116__ has quit IRC | 08:29 | |
*** gtt116__ has joined #openstack-keystone | 08:29 | |
*** markvoelker has quit IRC | 08:31 | |
marekd | henrynash: hi. Do you fancy looking at: https://review.openstack.org/#/c/110858/ ? | 08:35 |
*** nellysmitt has joined #openstack-keystone | 08:35 | |
henrynash | marekd: sure…will do in a bit | 08:36 |
*** chlong has quit IRC | 08:36 | |
*** zz_avozza is now known as avozza | 08:36 | |
marekd | henrynash: whenever you can :-) | 08:46 |
openstackgerrit | Marek Denis proposed openstack/keystone: Implements whitelist and blacklist mapping rules https://review.openstack.org/142573 | 08:51 |
marekd | henrynash: thanks. | 08:53 |
henrynash | marked: np….see my comment on adding something to the docs….could be done in a follow on patch, if needed | 08:54 |
marekd | henrynash: answered in the patch. I agree. | 08:55 |
henrynash | marked: ok | 08:55 |
*** avozza is now known as zz_avozza | 09:05 | |
*** rushiagr is now known as rushiagr_away | 09:07 | |
*** rushiagr_away is now known as rushiagr | 09:10 | |
openstackgerrit | Merged openstack/keystone-specs: Improve list role assignments filters performance https://review.openstack.org/148700 | 09:12 |
*** jistr has joined #openstack-keystone | 09:16 | |
*** erkules_ is now known as erkules | 09:24 | |
*** zz_avozza is now known as avozza | 09:25 | |
*** markvoelker has joined #openstack-keystone | 09:28 | |
openstackgerrit | henry-nash proposed openstack/keystone: Support data-driven backend assignment testing https://review.openstack.org/149178 | 09:30 |
*** markvoelker has quit IRC | 09:34 | |
openstackgerrit | henry-nash proposed openstack/keystone: Support data-driven backend assignment testing https://review.openstack.org/149178 | 09:39 |
*** andreaf has quit IRC | 09:51 | |
*** andreaf has joined #openstack-keystone | 09:51 | |
*** breton has joined #openstack-keystone | 10:04 | |
*** chlong has joined #openstack-keystone | 10:13 | |
*** tellesnobrega_ has joined #openstack-keystone | 10:17 | |
*** chlong has quit IRC | 10:27 | |
*** markvoelker has joined #openstack-keystone | 10:30 | |
*** markvoelker has quit IRC | 10:34 | |
*** harlowja_away has quit IRC | 10:36 | |
*** tellesnobrega_ has quit IRC | 10:43 | |
*** andreaf has quit IRC | 10:44 | |
*** chlong has joined #openstack-keystone | 10:44 | |
*** andreaf has joined #openstack-keystone | 10:44 | |
openstackgerrit | henry-nash proposed openstack/keystone: Support data-driven backend assignment testing https://review.openstack.org/149178 | 10:52 |
*** ajayaa has joined #openstack-keystone | 10:53 | |
openstackgerrit | Igor Milovanovic proposed openstack/python-keystoneclient: Updated oslo import namespace to remove deprecation message https://review.openstack.org/151174 | 10:55 |
samueldmq | morning | 10:55 |
samueldmq | henrynash, hi | 10:55 |
henrynash | samueldmq: hi | 10:55 |
samueldmq | henrynash, just saw your comment on that patch ... can't we filter inherited and effective? | 10:56 |
samueldmq | henrynash, I just made it possible few patches ago, since inherited info *is in* entities in the returned list when we use effective | 10:56 |
samueldmq | henrynash, that should mean get *only* assignments from inheritance | 10:57 |
samueldmq | henrynash, if you only wanna get assignment that *will* be inherited, apply inherited filter without effective | 10:57 |
henrynash | samueldmq: well, it’s kind of a weird filter….maybe…thinking | 10:58 |
*** tellesnobrega_ has joined #openstack-keystone | 11:00 | |
henrynash | samueldmq: ok, so I guess it makes sense….but probably give a coconut to the first customer who works out what the results are meant to be :-) | 11:00 |
samueldmq | henrynash, haha :-) | 11:01 |
samueldmq | henrynash, after all this work, I intend to read all inherited roles documentation to make sure everything is up to date | 11:01 |
samueldmq | henrynash, we changed *a lot* with hierarchical projects :-) | 11:02 |
henrynash | samueldmq: and if you said effective=True AND inherited=False……what would that mean, I think that would mean all direct roles and all expand group roles? | 11:02 |
samueldmq | henrynash, exactly | 11:02 |
samueldmq | henrynash, we should have a test for those as well ... could you please add on your patch | 11:03 |
henrynash | samueldmq: ok, I’ll order the coconuts…this is going to be interesting… | 11:03 |
samueldmq | henrynash, haha, one for me please sir :-) | 11:03 |
henrynash | samueldmq: yes…I’m going to add some dependant patches which add more and more tests | 11:03 |
henrynash | samueldmq: I’ll work on that today | 11:03 |
samueldmq | henrynash, great! so now it looks we have things working properly | 11:04 |
samueldmq | henrynash, thanks for your last comments, but as I said yesterday, I'll go through that chain and improve docs, check for nits (as I do for other people patches) | 11:04 |
henrynash | samueldmq: yep, just posted a new version of my tests that just cleaned the docstring errors - but have run it locally and it all passed | 11:04 |
henrynash | samueldmq: sure, np | 11:04 |
samueldmq | henrynash, I just needed to have some time away from this patch .. needed to cleanup my cache, the missrate was high in it :-) | 11:05 |
henrynash | samueldmq: :-) | 11:06 |
*** tellesnobrega_ has quit IRC | 11:06 | |
samueldmq | henrynash, I plan to get a blog up to next week, my first interesting post will be a benchmark of this refactoring (: | 11:06 |
henrynash | samueldmq: nice! | 11:07 |
*** tellesnobrega_ has joined #openstack-keystone | 11:07 | |
samueldmq | henrynash, if I added you as co-author on that patch, was I revoking your right to do reviews? | 11:08 |
*** oomichi has quit IRC | 11:08 | |
henrynash | samueldmq: well, it would probably revoke my right to +2 it | 11:09 |
samueldmq | henrynash, but +2s will come from others, once they see your +1 :) | 11:09 |
henrynash | samueldmq: sure, ho head | 11:09 |
henrynash | go ahead | 11:09 |
samueldmq | henrynash, will add you, no need to explain, you just did things work, thx | 11:10 |
henrynash | (can’t type this morning) | 11:10 |
henrynash | thx | 11:10 |
samueldmq | np, so busy? | 11:10 |
*** tellesnobrega_ has quit IRC | 11:11 | |
*** oomichi_ has joined #openstack-keystone | 11:27 | |
*** markvoelker has joined #openstack-keystone | 11:31 | |
*** KanagarajM2 has joined #openstack-keystone | 11:34 | |
*** markvoelker has quit IRC | 11:35 | |
*** chlong has quit IRC | 11:39 | |
*** aix has joined #openstack-keystone | 11:40 | |
*** breton has quit IRC | 11:50 | |
*** breton has joined #openstack-keystone | 11:50 | |
*** oomichi_ has quit IRC | 11:59 | |
*** chlong has joined #openstack-keystone | 12:05 | |
*** radez_g0n3 is now known as radez | 12:08 | |
*** raildo has joined #openstack-keystone | 12:14 | |
*** oomichi_ has joined #openstack-keystone | 12:16 | |
*** KanagarajM2 has quit IRC | 12:25 | |
*** markvoelker has joined #openstack-keystone | 12:31 | |
*** markvoelker has quit IRC | 12:36 | |
*** avozza is now known as zz_avozza | 12:46 | |
*** zz_avozza is now known as avozza | 12:53 | |
*** adam_g is now known as adam_g_out | 12:57 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Remove extra semicolon from mapping fixtures https://review.openstack.org/148080 | 13:01 |
*** BobBall has joined #openstack-keystone | 13:13 | |
*** oomichi_ has quit IRC | 13:14 | |
*** EmilienM|afk is now known as EmilienM | 13:14 | |
*** radez is now known as radez_g0n3 | 13:19 | |
*** bknudson has quit IRC | 13:26 | |
*** boris-42 has joined #openstack-keystone | 13:31 | |
rodrigods | - | 13:32 |
*** markvoelker has joined #openstack-keystone | 13:33 | |
*** markvoelker has quit IRC | 13:35 | |
*** markvoelker_ has joined #openstack-keystone | 13:35 | |
dstanek | + | 13:35 |
rodrigods | dstanek, haha | 13:36 |
dstanek | rodrigods: room felt unbalanced | 13:36 |
rodrigods | dstanek, lots of ++ need -- | 13:38 |
*** rushiagr is now known as rushiagr_away | 13:40 | |
*** gordc has joined #openstack-keystone | 13:46 | |
*** bknudson has joined #openstack-keystone | 13:48 | |
*** ChanServ sets mode: +v bknudson | 13:48 | |
*** marg7175 has joined #openstack-keystone | 13:53 | |
*** Ctina__ has joined #openstack-keystone | 13:55 | |
*** jistr has quit IRC | 13:58 | |
*** jistr has joined #openstack-keystone | 14:00 | |
*** avozza is now known as zz_avozza | 14:04 | |
*** Ctina___ has joined #openstack-keystone | 14:08 | |
*** Ctina___ has quit IRC | 14:09 | |
*** Ctina__ has quit IRC | 14:09 | |
*** dims has joined #openstack-keystone | 14:10 | |
*** sriram has joined #openstack-keystone | 14:13 | |
*** marg7175 has quit IRC | 14:14 | |
*** dims has quit IRC | 14:14 | |
*** nkinder has quit IRC | 14:21 | |
*** zzzeek has joined #openstack-keystone | 14:22 | |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Chain a trust with a role specified by name https://review.openstack.org/148642 | 14:27 |
openstackgerrit | henry-nash proposed openstack/keystone: My First ABAC: An example alternative assignment engine https://review.openstack.org/143557 | 14:28 |
rodrigods | henrynash, thx for the review in the reseller spec, replied your comments there :) sorry if with more questions than solutions hehe | 14:29 |
henrynash | rodigods: ok, will check…:-) | 14:29 |
*** bdossant has joined #openstack-keystone | 14:32 | |
*** mattfarina has joined #openstack-keystone | 14:33 | |
*** rushiagr_away is now known as rushiagr | 14:33 | |
*** richm has joined #openstack-keystone | 14:33 | |
*** jasondot_ has joined #openstack-keystone | 14:34 | |
*** gordc has quit IRC | 14:34 | |
*** zzzeek has quit IRC | 14:39 | |
*** dims has joined #openstack-keystone | 14:41 | |
*** jasondot_ has quit IRC | 14:45 | |
openstackgerrit | henry-nash proposed openstack/keystone: Move projects and domains to their own backend https://review.openstack.org/144824 | 14:45 |
openstackgerrit | henry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver https://review.openstack.org/145022 | 14:47 |
openstackgerrit | henry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager https://review.openstack.org/133525 | 14:47 |
openstackgerrit | henry-nash proposed openstack/keystone: Make unit tests call the new resource manager https://review.openstack.org/130954 | 14:48 |
openstackgerrit | Marco Fargetta proposed openstack/keystone: Multiple IDP authentication URL https://review.openstack.org/142743 | 14:50 |
*** r-daneel has joined #openstack-keystone | 14:51 | |
*** ajayaa has quit IRC | 14:52 | |
*** topol has joined #openstack-keystone | 14:57 | |
*** ChanServ sets mode: +v topol | 14:57 | |
*** markvoelker_ has quit IRC | 15:03 | |
*** zz_avozza is now known as avozza | 15:05 | |
*** nkinder has joined #openstack-keystone | 15:07 | |
*** jistr has quit IRC | 15:10 | |
*** gordc has joined #openstack-keystone | 15:11 | |
*** jistr has joined #openstack-keystone | 15:12 | |
*** timcline has joined #openstack-keystone | 15:23 | |
*** avozza is now known as zz_avozza | 15:24 | |
*** mattfarina has quit IRC | 15:25 | |
*** radez_g0n3 is now known as radez | 15:26 | |
*** zz_avozza is now known as avozza | 15:26 | |
openstackgerrit | Merged openstack/keystone-specs: Remove URL field from regions https://review.openstack.org/150109 | 15:30 |
morganfainberg | ayoung, dstanek, bknudson, lbragstad, topol, henrynash, dolphm, gyee, jamielennox|away, http://lists.openstack.org/pipermail/openstack-dev/2015-January/055531.html | 15:34 |
*** packet has joined #openstack-keystone | 15:35 | |
ayoung | morganfainberg, and that is why we post this to the big mailing list | 15:35 |
morganfainberg | yep | 15:36 |
dstanek | morganfainberg: hmmm... | 15:36 |
dolphm | morganfainberg: i've actually been testing galera across DC's recently, and it performs quite well | 15:36 |
morganfainberg | i do like that there is claim they've been making modifications to "make it work" but i've seen no reflection in that contributions back to us | 15:37 |
*** mattfarina has joined #openstack-keystone | 15:37 | |
morganfainberg | dolphm, replication across WAN with galera is scary. not that it doesn't work well until it breaks. | 15:37 |
lbragstad | interesting... | 15:37 |
morganfainberg | dolphm, but it could be a workable solution | 15:37 |
morganfainberg | dolphm, depends on the latency though. | 15:38 |
dolphm | morganfainberg: response times fall off as you add more remote DC's, but i have a 5 node galera cluster right now that has a node in washington DC, chicago, dallas, hong kong, and sydney and i'm "only" getting an *extra* 280ms response times for token creates as a result, considering it's such an extreme example | 15:38 |
lbragstad | dolphm: do you still have those results published on that gist? | 15:38 |
dolphm | lbragstad: i *just* reset all my numbers to start over on tuning everything | 15:38 |
morganfainberg | dolphm, that sounds about right. the big issue is massive traffic and the need for galera to do a "all confirm before commit". | 15:38 |
dolphm | lbragstad: but yes, you can go back a few commits | 15:38 |
bknudson | are assignments changing so quickly that sql replication can't work? | 15:39 |
morganfainberg | bknudson, nah. | 15:39 |
morganfainberg | you could totally do SQL replication | 15:39 |
dolphm | all my benchmarking stuff is here if anyone is interested https://gist.github.com/dolph/02c6d37f49596b3f4298 | 15:39 |
morganfainberg | it's just when it breaks w/ a massively distributed replication like dolphm is running it gets scary. it is totally workable with people keeping an eye on it | 15:40 |
bknudson | multi-master replication seems like overkill | 15:40 |
dolphm | bknudson: but fun | 15:40 |
morganfainberg | bknudson, mysql multi-master is bad, galera is good :) | 15:40 |
*** stevemar has joined #openstack-keystone | 15:41 | |
*** ChanServ sets mode: +v stevemar | 15:41 | |
dolphm | galera is basically mysql multimaster now | 15:41 |
dolphm | s/is basically/basically is/ ? | 15:41 |
dolphm | lbragstad: anyway, i'm spending today doing more methodical tuning | 15:42 |
dolphm | morganfainberg: maybe i should write an article about the results? | 15:42 |
lbragstad | dolphm: ++ | 15:42 |
dstanek | dolphm: yes, that would be cool to see | 15:42 |
lbragstad | dolphm: I'd be willing to help with that | 15:42 |
dolphm | lbragstad: (hence the reset) | 15:42 |
dolphm | lbragstad: i'll head to the office then | 15:42 |
morganfainberg | dolphm, please do! | 15:43 |
bknudson | The issue isn't just that it's unmaintained, but if we're going to have it then it constrains what we can do with assignments in general | 15:43 |
morganfainberg | dolphm, it would be great to have it! | 15:43 |
dolphm | morganfainberg: happy to | 15:43 |
bknudson | unless they really think that everything that you can do in sql you can do in ldap | 15:43 |
richm | I'm working on the puppet keystone code - in puppet keystone, puppet uses the admin_token for auth to do the bootstrap config - this works fine with v2 - however, with v3 policy, once v3 policy is enabled and activated, admin_token auth doesn't work. Is there some way to configure the v3 policy to allow admin_token to continue to have "superuser" access over all of the domains? | 15:43 |
dstanek | bknudson: i'd rather then prove it and get it up to speed out of tree so we can keep moving forward | 15:43 |
morganfainberg | dolphm, galera is sort of multimaster, it "fixes" multi-master by not sucking like mysql replication does ;) | 15:44 |
morganfainberg | dolphm, but galera even says [last i saw] you *really* should only write to one node. under heavy load it gets a bit wonky writing to any note | 15:44 |
morganfainberg | node* | 15:44 |
dolphm | morganfainberg: i mean it has effectively deprecated traditional replication | 15:45 |
morganfainberg | dolphm, it's all usable and doable, just needs people to keep eyes on it [operations] | 15:45 |
morganfainberg | dolphm, in my experience. | 15:45 |
*** markvoelker has joined #openstack-keystone | 15:45 | |
dolphm | morganfainberg: i'll be benchmarking that too :) | 15:45 |
marekd | galera is mysql successor? | 15:45 |
morganfainberg | dolphm, awesome | 15:45 |
morganfainberg | marekd, it's a clustering technology that layers in to the mysql engine | 15:45 |
morganfainberg | marekd, like innodb plugin | 15:45 |
dolphm | morganfainberg: eventually going to stand up 2 or 3 galera nodes per DC (so 15 nodes total), with HA proxy in front of them, and keystone nodes in every DC | 15:45 |
dolphm | marekd: it's more like a replication driver for mysql | 15:46 |
*** dims has quit IRC | 15:46 | |
samueldmq | dolphm, what operations are you interested on benchmarking ? | 15:47 |
samueldmq | dolphm, have you considered to use rally ? | 15:47 |
bknudson | does rally have a benchmark that shows how long it takes to get a token? | 15:47 |
morganfainberg | bknudson, maybe? i think we have that one running now | 15:48 |
samueldmq | bknudson, let me check what operations they support, but I think so | 15:48 |
*** dims has joined #openstack-keystone | 15:48 | |
samueldmq | bknudson, well, from default scenarios they provide, it's clear it can benchmark user/project creation (https://github.com/stackforge/rally/tree/master/samples/tasks/scenarios/keystone) | 15:52 |
samueldmq | bknudson, you can even set sla for them (https://github.com/stackforge/rally/blob/master/samples/tasks/sla/create-and-delete-user.yaml) | 15:52 |
samueldmq | bknudson, not sure about tokens | 15:52 |
bknudson | richm: I think the is_admin:True flag is used in the policy to allow the admin token. | 15:52 |
richm | bknudson: Is this documented somewhere? | 15:53 |
openstackgerrit | henry-nash proposed openstack/keystone: Make role manager refer to role cache config options https://review.openstack.org/151292 | 15:54 |
bknudson | richm: it's in the code! | 15:55 |
richm | bknudson: ack | 15:55 |
bknudson | richm: nkinder was working on some dev docs. | 15:55 |
*** dims has quit IRC | 15:59 | |
openstackgerrit | henry-nash proposed openstack/keystone: Move projects and domains to their own backend https://review.openstack.org/144824 | 16:03 |
samueldmq | henrynash, need to rebase the whole chain :-) | 16:04 |
henrynash | samueldmq: i know…underway | 16:04 |
*** thedodd has joined #openstack-keystone | 16:04 | |
openstackgerrit | henry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver https://review.openstack.org/145022 | 16:05 |
openstackgerrit | henry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager https://review.openstack.org/133525 | 16:06 |
openstackgerrit | henry-nash proposed openstack/keystone: Make unit tests call the new resource manager https://review.openstack.org/130954 | 16:06 |
openstackgerrit | henry-nash proposed openstack/keystone: Split the assignments controller https://review.openstack.org/132634 | 16:07 |
openstackgerrit | Kamil Rykowski proposed openstack/keystone: Documentation fix for Keystone Architecture https://review.openstack.org/151294 | 16:09 |
*** avozza is now known as zz_avozza | 16:10 | |
*** bdossant has quit IRC | 16:11 | |
*** joesavak has joined #openstack-keystone | 16:12 | |
morganfainberg | henrynash, OMG SPAM! | 16:13 |
morganfainberg | henrynash, ;) | 16:13 |
morganfainberg | henrynash, i am very slowly making it through that review. | 16:14 |
morganfainberg | henrynash, i think i'm half way through | 16:14 |
*** mattfarina has quit IRC | 16:14 | |
henrynash | morganfainberg: ok! | 16:17 |
henrynash | bknudson: ping | 16:17 |
bknudson | henrynash: what's up? | 16:17 |
openstackgerrit | Marco Fargetta proposed openstack/keystone: Multiple IDP authentication URL https://review.openstack.org/142743 | 16:17 |
richm | nkinder: ping - do you have documentation about keystone v3 policy? | 16:18 |
henrynash | bknudson: so your question on unit tests for the role caching..so there are tests already that test that that caching works…they’re in test_backend.py | 16:18 |
richm | bknudson: would you happen to know how/where is_admin:True is specified in the policy? | 16:19 |
bknudson | henrynash: but they must not be using the new config option? | 16:19 |
nkinder | richm: yes, I have some reviews out for some of that | 16:19 |
nkinder | richm: let me find links... | 16:19 |
bknudson | henrynash: it was broken and the tests still passed. | 16:19 |
henrynash | bknudson: so do any of the caching tests actually vary the individual config cache options? | 16:19 |
nkinder | richm: here's some general policy syntax docs - https://review.openstack.org/#/c/150953/ | 16:20 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Multiple IDP authentication URL https://review.openstack.org/142743 | 16:20 |
nkinder | richm: here's keystone specific - https://review.openstack.org/#/c/123862/ | 16:20 |
rodrigods | morganfainberg, so... reseller, have some time to discuss? | 16:21 |
bknudson | henrynash: there's a bunch of tests that do skip_if_cache_disabled -- http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_backend.py#n3074 -- maybe they're all skipped? | 16:21 |
morganfainberg | rodrigods, not until post coffee | 16:21 |
morganfainberg | rodrigods, but yes today | 16:21 |
rodrigods | morganfainberg, great! please ping us whenever you have a moment :) | 16:21 |
richm | I don't see "is_admin" in either of those docs | 16:21 |
bknudson | henrynash: morganfainberg probably knows more about the cache testing. | 16:21 |
morganfainberg | bknudson, hmm? cache testing? | 16:22 |
henrynash | bknudson: the tests in test_backend check that the caching is working…they don’t actually manipulate the config values | 16:22 |
bknudson | morganfainberg: e.g., tests for this change: https://review.openstack.org/#/c/151292/ | 16:22 |
* morganfainberg looks | 16:23 | |
bknudson | henrynash: caching is disabled by default... so it must manipulate the config values in order to test it | 16:23 |
*** bdossant has joined #openstack-keystone | 16:24 | |
bknudson | henrynash: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_backend.py#n3218 looks like tests for role crud. | 16:24 |
henrynash | bknudson: the role tests will pass either way…since it’s a functional cache test…so as long as caching is on, it will work | 16:24 |
morganfainberg | bknudson, yes if we're changing the config values to be looked at, the tests must (in setup or .config_override) change to use the correct config values. however, caching for a specific section is enabled by default | 16:24 |
morganfainberg | global caching is disabled | 16:24 |
*** abhirc has quit IRC | 16:24 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add WebSSO support for federation https://review.openstack.org/136177 | 16:24 |
morganfainberg | *usually* just turning on global caching is enough | 16:24 |
morganfainberg | most tests already do that | 16:24 |
rodrigods | stevemar, ^ wow | 16:24 |
bknudson | should http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_backend.py#n3218 be @tests.skip_if_cache_disabled('role') ? | 16:25 |
henrynash | bknudson: so, yes, that’s it (and I should change the disabled wrapped to reference ‘role’) | 16:25 |
henrynash | bknudson: yes, agreed | 16:25 |
morganfainberg | henrynash, and yes those should be updated. | 16:25 |
*** zzzeek has joined #openstack-keystone | 16:25 | |
stevemar | rodrigods, whats up? | 16:25 |
bknudson | henrynash: ok, that answers my question. that change will work for me. | 16:25 |
henrynash | bknudson: ok, I’ll make that change and re-submit | 16:26 |
rodrigods | stevemar, didn't know there was already an implementation for websso going on :) | 16:26 |
richm | I see - it's like in the v2 policy "admin_required": "role:admin or is_admin:1", | 16:27 |
*** bdossant_ has joined #openstack-keystone | 16:27 | |
bknudson | I assume several of the @tests.skip_if_cache_disabled('assignment') get updated when the projects and domains are moved to resources. | 16:27 |
stevemar | rodrigods, i think the CERN guys had this 6 months ago | 16:28 |
morganfainberg | bknudson, or could be fixed in a quick-follow-on patch. | 16:28 |
bknudson | @tests.skip_if_cache_disabled('assignment') -> @tests.skip_if_cache_disabled('resources') at http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_backend.py#n3164 | 16:28 |
stevemar | rodrigods, we're just slow :) | 16:28 |
openstackgerrit | henry-nash proposed openstack/keystone: Make role manager refer to role cache config options https://review.openstack.org/151292 | 16:29 |
henrynash | bknudson: yep, that one too | 16:29 |
*** bdossant has quit IRC | 16:30 | |
*** dims has joined #openstack-keystone | 16:32 | |
*** dims has quit IRC | 16:34 | |
*** dims has joined #openstack-keystone | 16:38 | |
*** chrisshattuck has joined #openstack-keystone | 16:38 | |
openstackgerrit | henry-nash proposed openstack/keystone: Move projects and domains to their own backend https://review.openstack.org/144824 | 16:40 |
*** mattfarina has joined #openstack-keystone | 16:43 | |
openstackgerrit | henry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver https://review.openstack.org/145022 | 16:45 |
*** bdossant_ has quit IRC | 16:47 | |
openstackgerrit | David Stanek proposed openstack/keystone: Support for running functional federation tests https://review.openstack.org/139137 | 16:47 |
openstackgerrit | David Stanek proposed openstack/keystone: enables bashate checking on upcoming dsvm code https://review.openstack.org/151309 | 16:47 |
openstackgerrit | David Stanek proposed openstack/keystone: adds a devstack plugin for running a pysaml2 IdP https://review.openstack.org/151310 | 16:47 |
openstackgerrit | David Stanek proposed openstack/keystone: adds a devstack plugin for setting up federation https://review.openstack.org/151311 | 16:47 |
*** henrynash has quit IRC | 16:47 | |
*** packet has quit IRC | 16:49 | |
*** henrynash has joined #openstack-keystone | 16:49 | |
*** ChanServ sets mode: +v henrynash | 16:49 | |
*** david-lyle_afk is now known as david-lyle | 16:49 | |
*** ljfisher has joined #openstack-keystone | 16:51 | |
*** ajayaa has joined #openstack-keystone | 16:53 | |
openstackgerrit | henry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager https://review.openstack.org/133525 | 16:53 |
*** jsavak has joined #openstack-keystone | 16:53 | |
openstackgerrit | henry-nash proposed openstack/keystone: Make unit tests call the new resource manager https://review.openstack.org/130954 | 16:53 |
*** rwsu-afk is now known as rwsu | 16:55 | |
*** bdossant has joined #openstack-keystone | 16:57 | |
*** joesavak has quit IRC | 16:57 | |
*** packet has joined #openstack-keystone | 16:57 | |
*** angelamolock has joined #openstack-keystone | 16:57 | |
openstackgerrit | henry-nash proposed openstack/keystone: Split the assignments controller https://review.openstack.org/132634 | 16:59 |
*** markvoelker has quit IRC | 17:03 | |
*** marg7175 has joined #openstack-keystone | 17:05 | |
*** afazekas has quit IRC | 17:07 | |
*** _cjones_ has joined #openstack-keystone | 17:10 | |
*** nellysmitt has quit IRC | 17:11 | |
*** bdossant has quit IRC | 17:12 | |
*** jsavak has quit IRC | 17:18 | |
*** lhcheng has joined #openstack-keystone | 17:24 | |
*** EmilienM is now known as EmilienM|afk | 17:27 | |
*** joesavak has joined #openstack-keystone | 17:29 | |
*** markvoelker has joined #openstack-keystone | 17:30 | |
*** jistr has quit IRC | 17:31 | |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Redis token backend https://review.openstack.org/150844 | 17:31 |
*** afazekas has joined #openstack-keystone | 17:34 | |
*** jodah has left #openstack-keystone | 17:36 | |
marekd | ayoung: Hi. I am just wondering - do you see any usecase for being able to actually map ephemeral users to an existing domain? | 17:37 |
marekd | ayoung: for some metering, billing purposes maybe? | 17:37 |
*** breton has quit IRC | 17:38 | |
ayoung | marekd, "existing" | 17:40 |
*** nellysmitt has joined #openstack-keystone | 17:40 | |
ayoung | marekd, groups | 17:40 |
ayoung | marekd, I could see users coming out of saml, but groups being managed on the Keystone side | 17:41 |
marekd | ayoung: so this is today's situation. | 17:42 |
marekd | ephemeral users, groups completely managed by Keystone... | 17:43 |
marekd | ayoung: https://review.openstack.org/#/c/104623/ Service Providers implementation, please :-) | 17:44 |
ayoung | marekd, the problem with this is there is no quid-pro-quo. I have patches from last March, but even if you review, you can't +2. We need to make you guys that keep beating me up for reviews core so we can beat you up for +as. | 17:46 |
*** gabriel-bezerra has quit IRC | 17:47 | |
rodrigods | ayoung, ^ this is our dream here in the university :P | 17:48 |
rodrigods | really tough to get stuff merged sometimes | 17:49 |
*** ayoung is now known as misanthrope | 17:49 | |
*** misanthrope is now known as ayoung | 17:49 | |
raildo | rodrigods, ++ | 17:49 |
marekd | ayoung: yes, go ahead :] | 17:50 |
*** marg7175 has quit IRC | 17:50 | |
ayoung | marekd, rodrigods sorry, but morganfainberg has to do that | 17:50 |
marekd | ayoung: i am not asking for anything! I don't actually like asking for anything! | 17:51 |
rodrigods | marekd, ayoung, yep... maybe one day :P | 17:51 |
rodrigods | marekd, I like to ask sometimes | 17:51 |
morganfainberg | Hmm? What do I need to do? | 17:51 |
marekd | morganfainberg: nothing. | 17:52 |
ayoung | morganfainberg, promote everyone to core | 17:52 |
rodrigods | lol | 17:52 |
raildo | ayoung, I like the idea hahaha | 17:52 |
samueldmq | then we would need a core-core group | 17:52 |
marekd | i dont | 17:52 |
ayoung | marekd, I don't either. Being core is probably the single biggest impediment to me getting things done. | 17:53 |
rodrigods | ayoung, reviews? | 17:53 |
ayoung | that too | 17:53 |
ayoung | rodrigods, conversations in IRC. | 17:53 |
* ayoung just as guilty as all others | 17:53 | |
*** marg7175 has joined #openstack-keystone | 17:53 | |
rodrigods | ayoung, oops =( | 17:53 |
ayoung | rodrigods, I've been meaning to sit down and unify the AccessInfo changes for two weeks now | 17:54 |
ayoung | I just got as far as "rebase origin/master" | 17:54 |
rodrigods | ayoung, :( just be happy that us (keystone n00bs) are really thankful for your help in IRC | 17:55 |
ayoung | rodrigods, and without you guys, nothing would get done | 17:55 |
ayoung | and you guys are awesome | 17:55 |
rodrigods | thanks! we try to be helpful too | 17:55 |
ayoung | it's just keeping me from doing my direct assigned tasks, not from actually making progress | 17:56 |
*** angelamolock has quit IRC | 17:56 | |
* ayoung just whingeing | 17:56 | |
ayoung | rodrigods, it was also the internal IRC message about yet another customer-mysql-token-flush issue | 17:56 |
ayoung | and my expense report I still haven't done from last week | 17:57 |
morganfainberg | being core/ptl is a big drain on time. | 17:57 |
ayoung | and the million other little details that keep coming up, and I really just want to write code | 17:57 |
morganfainberg | if you want to develop a lot of code, core is not the place to be :P | 17:57 |
ayoung | morganfainberg, Amen | 17:57 |
morganfainberg | if you want to review a lot and direct the project so others can develop | 17:57 |
morganfainberg | core is the right place | 17:57 |
rodrigods | morganfainberg, ayoung the responsibility sounds about right to me | 17:58 |
morganfainberg | rodrigods, notice how much code i've written this cycle | 17:58 |
morganfainberg | compared to even last | 17:58 |
rodrigods | the biggest advantage of being core IMO, is to keep changes flowing | 17:58 |
rodrigods | morganfainberg, yep... I did notice that | 17:58 |
* morganfainberg has more bug triage to do before writing code today | 17:59 | |
rodrigods | in linux kernel, +A counts as patches to the approver heh | 17:59 |
rodrigods | Linus has something about 2k patches last year | 17:59 |
rodrigods | the thing is that we are taking some demands that I believe would need core status in near future (to keep things flowing so our stuff could flow quickly as well) | 18:00 |
*** radez is now known as radez_g0n3 | 18:00 | |
rodrigods | samueldmq, raildo ^ | 18:01 |
morganfainberg | rodrigods, so what was the reseller thing | 18:01 |
morganfainberg | then i'm actually off to go get coffee | 18:01 |
morganfainberg | *finally* | 18:01 |
* marekd lol | 18:01 | |
raildo | rodrigods, I totally agree with you :) | 18:01 |
*** rushiagr is now known as rushiagr_away | 18:02 | |
rodrigods | morganfainberg, heh, sorry about that | 18:03 |
*** afazekas_ has joined #openstack-keystone | 18:03 | |
rodrigods | did you have the change to look our comments in the spec? https://review.openstack.org/#/c/139824/24/specs/kilo/reseller.rst | 18:03 |
rodrigods | chance* | 18:03 |
morganfainberg | looking now | 18:03 |
morganfainberg | i've read it previously | 18:03 |
morganfainberg | but yes i have read it | 18:04 |
stevemar | rodrigods, nice review of the websso patch :) | 18:05 |
rodrigods | stevemar, ++ | 18:05 |
*** f13o has quit IRC | 18:06 | |
rodrigods | morganfainberg, so... 1 question: I remember that you cited once that we need to keep compatibility with the v3 API and list_domains would return only root domains... I didn't get why :( | 18:06 |
morganfainberg | what is a non-root domain to the standard V3 API ? | 18:07 |
morganfainberg | assuming something doesn't get HMT at all? | 18:07 |
rodrigods | if it doesn't get HMT at all, it would never have non-root domains | 18:07 |
morganfainberg | if you can answer that for me clearly, i can be convinced all domains should be in the list. | 18:07 |
morganfainberg | something consuming keystone data | 18:08 |
morganfainberg | not keystone itself | 18:08 |
*** f13o has joined #openstack-keystone | 18:08 | |
morganfainberg | if .list_domains returns HMT data, what does that mean to something that has no concept of the hierarchy | 18:08 |
rodrigods | can't imagine use cases where they should be aware about the hierarchy | 18:08 |
rodrigods | they would see as separate domains, as far as I can imagine | 18:09 |
morganfainberg | i'm concerned a flat view of domains would cause issues. | 18:09 |
morganfainberg | thats all | 18:09 |
morganfainberg | i can be convinced that is a non-issue. but there are a lot of assumptions about HMT being made in general when non-keystone things are consuming data. | 18:09 |
rodrigods | ok... I get your point, just don't know how can we justify it clearly in the spec... | 18:09 |
rodrigods | and I can't imagine real issues of considering as separate domains (even if there is a hierarchy going on there) | 18:10 |
rodrigods | henrynash, ^ | 18:11 |
morganfainberg | rodrigods, i'm not set against showing all domains just explain [lightly] what the behavior should be - treat the domain isolated? etc. | 18:11 |
rodrigods | morganfainberg, ++ makes sense to me | 18:11 |
morganfainberg | what does it mean for projects inside projects then unless you're HMT aware | 18:11 |
rodrigods | ok, we'll try to be clear about that point | 18:12 |
samueldmq | morganfainberg, another option would be to keep list_domains to root domains and then have an api list_subdomains(domain_id) | 18:12 |
morganfainberg | samueldmq, correct | 18:12 |
morganfainberg | i just want to be able to provide clear direction to those consuming HMT enabled keystone | 18:12 |
morganfainberg | you should handle this like X | 18:12 |
morganfainberg | regardless of what X is. | 18:12 |
morganfainberg | [and that we don't break current v3] | 18:13 |
raildo | morganfainberg, but we are thinking that a subdomain is a project with domain-ness flag, so we are thinking in implementing this in the project API | 18:13 |
*** angelamolock has joined #openstack-keystone | 18:14 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add WebSSO support for federation https://review.openstack.org/136177 | 18:15 |
morganfainberg | raildo, ok so... when i do .list_domains, what do i get back? | 18:15 |
morganfainberg | raildo, is it *all domains* or just root-level domains | 18:15 |
morganfainberg | raildo, remember v3 api knows about domains. | 18:16 |
raildo | morganfainberg, so, if we need to following what you explain before, in list domains we will just return the root-level domain, and can return the project domain-ness in the project list | 18:16 |
morganfainberg | it is perfectly fine to say the domain API is really for top-level / root domains | 18:16 |
morganfainberg | ayoung, henrynash, topol, ^ any thoughts | 18:17 |
morganfainberg | stevemar, bknudson, dstanek, ^ | 18:17 |
ayoung | morganfainberg, root level | 18:17 |
ayoung | list_domains needs a namespace | 18:17 |
morganfainberg | ayoung, that is my thought | 18:18 |
ayoung | if none is specified, assume the default namespace | 18:18 |
ayoung | now...if the user has a domain scoped token, you could argue that is like doing ls . | 18:18 |
ayoung | and you should list all domains under the current namespace, but I'd argue we should stop inferring from the token | 18:18 |
*** abhirc has joined #openstack-keystone | 18:19 | |
morganfainberg | ayoung, yes inferring from the token is bad | 18:19 |
morganfainberg | imo | 18:19 |
ayoung | so list_domains --parent=domid | 18:19 |
ayoung | or | 18:19 |
ayoung | so list_domains --parent=dom1/dom2/dom3 | 18:19 |
ayoung | probably make that first | 18:19 |
ayoung | so list_domains --parent_id=domid | 18:19 |
ayoung | we should make it a point to work with the good names if possible | 18:20 |
ayoung | by default, and resort to Ids only when necessary | 18:20 |
ayoung | and make it explicit that we are using Ids, but for most things that ship already sailed | 18:20 |
raildo | , just to say that.rodrigods had a little problem in your pc, and he'll be back in a few minutes :) | 18:20 |
rodrigods | I'm back | 18:21 |
rodrigods | ayoung, makes sense to me | 18:21 |
rodrigods | if we do not provide a parent_id, means we are asking for parent_id=null | 18:21 |
rodrigods | which are root domains | 18:21 |
raildo | ayoung, we discuss something like that in the spec, right now... to get a token for a subdomain, maybe we need to specify the parent domain_id | 18:22 |
rodrigods | morganfainberg, right ^ ? | 18:22 |
ayoung | raildo, and also to provide a way for specifying the parent by nested name | 18:22 |
ayoung | dom1/dom2/dom2 | 18:22 |
morganfainberg | ayoung, ++ | 18:22 |
ayoung | dom dom dom dom DOMMMMM! | 18:22 |
raildo | ayoung, ++ | 18:22 |
samueldmq | makes sense to me | 18:22 |
samueldmq | as well | 18:22 |
rodrigods | ok... so we have a conclusion in the first topic | 18:23 |
rodrigods | the second is token scoping | 18:23 |
rodrigods | I've made a comment that includes figures and etc here https://review.openstack.org/#/c/139824/24/specs/kilo/reseller.rst (comments in line 169) | 18:24 |
rodrigods | think that being able to provide the namespace of a domain, can solve the issue where we have several domains with the same name in the hierarchy | 18:25 |
rodrigods | what about dual scoped tokens, does it make sense to add a flag in the token request? | 18:26 |
morganfainberg | dual scoped? | 18:26 |
morganfainberg | what is a dual scoped token | 18:26 |
rodrigods | morganfainberg, a token with a domain and a project scope hehe | 18:26 |
dstanek | ++ to what ayoung said about list_domains and the optional param to specify a root | 18:26 |
morganfainberg | rodrigods, there should be zero effect if you are domain and project scoped at any given time. | 18:26 |
raildo | morganfainberg, don't you remember that we decided this in the summit? lol | 18:27 |
rodrigods | morganfainberg, and having both scopes? | 18:27 |
rodrigods | if we have both assignments, of course | 18:27 |
morganfainberg | rodrigods, correct. in the case of being on a domain - scoped to both is a non... | 18:27 |
rodrigods | USER_DOMAIN and USER_PROJECT | 18:27 |
morganfainberg | rodrigods, it's the same assignment | 18:27 |
morganfainberg | you could collapse them | 18:27 |
morganfainberg | since domain == project | 18:27 |
morganfainberg | sorry domain.isa(project) | 18:27 |
openstackgerrit | Arun Kant proposed openstack/keystone-specs: Spec for adding Barbican service as Keystone credential backend. https://review.openstack.org/148672 | 18:28 |
rodrigods | so once we add the domain-ness feature to a project | 18:28 |
*** thedodd has quit IRC | 18:28 | |
rodrigods | we replicate all assignments with the USER_DOMAIN and GROUP_DOMAIN type? | 18:28 |
morganfainberg | the distinction of a grant to a domain and a grant to a project is irrelevant except in the token | 18:28 |
morganfainberg | and auth_context [which could go away internal to keystone] | 18:28 |
morganfainberg | you could, absolutely | 18:29 |
morganfainberg | but check with henrynash if he sees pitfalls in that | 18:29 |
*** jsavak has joined #openstack-keystone | 18:29 | |
morganfainberg | i don't think we need the distinction anymore | 18:29 |
rodrigods | morganfainberg, ++ in a first phase we would create mirrored assignment types for domains | 18:30 |
rodrigods | and in a second phase, change it to USER_TENANT and GROUP_TENANT? | 18:30 |
rodrigods | and if an entity is both (project and domain) we always return a dual scoped token? | 18:30 |
morganfainberg | rodrigods, why mirrored? | 18:30 |
*** joesavak has quit IRC | 18:30 | |
morganfainberg | rodrigods, why do we need to duplicate data each step of the way? | 18:31 |
morganfainberg | though to be fair - there is only one issue, downgrade = lossy if we collapse domain grants to project grants | 18:31 |
rodrigods | morganfainberg, I meant once we add the domain-ness flag, we'd create USER_DOMAIN assignments for all USER_PROJECT | 18:31 |
rodrigods | morganfainberg, that's true | 18:32 |
* morganfainberg is becoming skeptical that SQL downgrades are ever a good idea. | 18:32 | |
morganfainberg | dstanek, i'm concerned about even purporting we support a SQL downgrade that is lossy | 18:33 |
morganfainberg | dstanek, to be clearly stated: upgrade changes data and there is no way to downgrade to the previous state. | 18:34 |
henrynash | morganfainberg, rodrigods: sorry, been afk.... | 18:34 |
rodrigods | henrynash, np, can you catch up with the discussion reading the log? | 18:34 |
morganfainberg | dstanek, any thoughts on that, (cc dolphm, henrynash) ^ | 18:34 |
henrynash | reading | 18:34 |
samueldmq | no need to duplicate assignments data, just keep project assignments | 18:35 |
samueldmq | and then expand to dual scope if the project.isa(domain) when list_role_assignments | 18:35 |
rodrigods | ++ | 18:35 |
samueldmq | when migrating, besides creating one project for each domain, we should migrate that domain role assignments to project ones | 18:36 |
*** EmilienM|afk is now known as EmilienM | 18:36 | |
samueldmq | to that domain-ness project | 18:36 |
rodrigods | ++ so we'd always have just one type of assignment that would be USER_PROJECT | 18:36 |
rodrigods | and we return a dual scoped token when we request for a domain token | 18:36 |
morganfainberg | marekd, https://review.openstack.org/#/c/104623/ +1, needs a couple things addressed - all can be followup patches | 18:37 |
raildo | sounds good to me | 18:37 |
morganfainberg | marekd, but without the followup i can't +2 / added to that patch. | 18:37 |
morganfainberg | marekd, the code and tests themselves look good. - i assume we will see some extra catalog work done following this patchset? | 18:37 |
*** marg7175 has quit IRC | 18:38 | |
marekd | morganfainberg: yes, it's another workitem. | 18:38 |
*** harlowja has joined #openstack-keystone | 18:38 | |
marekd | morganfainberg: thanks | 18:38 |
morganfainberg | marekd, but yeah that code looks good. | 18:38 |
*** marg7175 has joined #openstack-keystone | 18:38 | |
nkinder | marekd: I added a few minor comments/nits to https://review.openstack.org/#/c/148229/ | 18:40 |
dstanek | reading up | 18:40 |
nkinder | marekd: it looks good IMHO though, so I gave it a +1 and you can adjust later. | 18:40 |
marekd | nkinder: thanks. | 18:40 |
nkinder | marekd: I don't want to stall the momentum on +2's :) | 18:40 |
rodrigods | morganfainberg, one concern here... since a domain-ness project doesn't contain itself, how can this dual scoped token work? | 18:40 |
rodrigods | morganfainberg, is that a problem? | 18:40 |
morganfainberg | rodrigods, not an issue you're asking for the scope of the domain or project, return both - you know if it's a domain and project easily | 18:41 |
marekd | nkinder: morganfainberg so, today i wanted to move remote_ids to Protocol object, but since Protocol's PK is (id, idp_id), we would block ourselves with websso stuff :( | 18:41 |
morganfainberg | rodrigods, assuming no other issues | 18:41 |
dstanek | so generally speaking i would argue that you can't have a lossy downgrade because the expectations of the deployer | 18:41 |
morganfainberg | dstanek, exactly. which makes this collapse icky | 18:42 |
rodrigods | morganfainberg, but if we request for a project token, we need to specify a domain of a higher level of the hierarchy, right? | 18:42 |
morganfainberg | i guess we could carry domain and project assignments | 18:42 |
*** harlowja_ has joined #openstack-keystone | 18:42 | |
morganfainberg | rodrigods, only if you're scoping to the name, id is fixed system wide | 18:42 |
rodrigods | morganfainberg, yep | 18:42 |
morganfainberg | rodrigods, and you'd be explicitly scoping to a target, still a non-issue | 18:43 |
rodrigods | morganfainberg, if we are scoping using names, we'd need to add the full namespace if there are several entities with the same name in the hierarchy, correct? | 18:43 |
nkinder | marekd: I think it's very important to keep websso moving forward | 18:43 |
morganfainberg | rodrigods, you know what someone is scoping to, scope there, in this case if it's a domain (project flagged as domain) - you return dual scope, same object | 18:43 |
* morganfainberg tries to kill "domain-ness" that is an awful word | 18:44 | |
morganfainberg | and i will start -2ing patches with it :P | 18:44 |
nkinder | marekd: is the idea for moving it to the protocol to avoid some of the config settings? | 18:44 |
nkinder | domain-mess | 18:44 |
morganfainberg | nkinder, hey! HEY! | 18:44 |
* nkinder hides | 18:44 | |
* morganfainberg stamps -2 on nkinder | 18:44 | |
henrynash | morganfainberg, rodigods: so why do we need a dual scoped token…what’s wrong with one scoped to the specific request (either project or domain, even if their IDs are the same) | 18:44 |
rodrigods | henrynash, we'd ease a lot the work on Horizon side, for example | 18:45 |
marekd | nkinder: no, to specify set of remote ids per idp/per protocol | 18:45 |
marekd | not per idp. | 18:45 |
raildo | rodrigods, and for nested quotas in nova.... | 18:45 |
marekd | but this would mean significant change in protocol ids. | 18:45 |
*** dims has quit IRC | 18:46 | |
nkinder | morganfainberg: I really DO like domains. It's just switching people over to them that's painful. | 18:46 |
*** harlowja has quit IRC | 18:46 | |
morganfainberg | nkinder, and we're not getting rid of them. | 18:46 |
morganfainberg | nkinder, just making them less "over in the corner" | 18:46 |
morganfainberg | nkinder, i agree. | 18:46 |
rodrigods | morganfainberg, nkinder we are just making them more beautiful :) | 18:46 |
rodrigods | and flexible | 18:46 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add WebSSO support for federation https://review.openstack.org/136177 | 18:46 |
henrynash | rodigods: so this isn’t because we think we need to make our current proposal work…it is to satisfy different/new requirements (from Horizon, Nova etc.) | 18:46 |
rodrigods | morganfainberg, did you see the comment above? regarding specifying full namespace when request a token using the names | 18:47 |
stevemar | marekd, i rebased on top of marcos work (finally) | 18:47 |
nkinder | marekd: ok, to allow the values to be different per protocol (the attribute is already protocol specific in the config via remote_id_attribute), right? | 18:47 |
samueldmq | henrynash, yes | 18:47 |
rodrigods | henrynash, don't think so... we'd keep things more generic | 18:47 |
rodrigods | and easy to handle | 18:47 |
*** dims has joined #openstack-keystone | 18:47 | |
rodrigods | henrynash, also... we'd finally ease other components to enter the domain world (if it is desirable) :) | 18:49 |
openstackgerrit | Merged openstack/keystone: Make role manager refer to role cache config options https://review.openstack.org/151292 | 18:50 |
*** openstackgerrit has quit IRC | 18:50 | |
*** openstackgerrit has joined #openstack-keystone | 18:51 | |
marekd | stevemar: thanks, but we still need to wait for his next patch with multiple remote_ids. | 18:51 |
marekd | stevemar: oh, with remote_ids in general. | 18:51 |
morganfainberg | henrynash, and yes we could just scope domain or project as requested. *shrug* we could also just always ignore domain scope in tokens and keep it for compat down the line [once project == domain] | 18:51 |
marekd | he says he wants to carry on with the patch. | 18:51 |
morganfainberg | erm domain.is_a(project) | 18:51 |
stevemar | marekd, carry on with it? | 18:52 |
stevemar | marekd, more to do? | 18:52 |
stevemar | oh i guess remote_id per protocol? | 18:52 |
marekd | stevemar: so, his current patch assumes there is one remote_id for idp. | 18:53 |
marekd | we need remote_idps | 18:53 |
nkinder | you mean remote_ids? | 18:53 |
marekd | nkinder: yes. | 18:53 |
*** ayoung has quit IRC | 18:53 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param https://review.openstack.org/148567 | 18:54 |
nkinder | marekd: which patch/review is this? | 18:54 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param https://review.openstack.org/148618 | 18:54 |
stevemar | marekd, use cfg.MultiStrOpt :) | 18:54 |
henrynash | rodigods: so picking up on a few other questions from the irc log, so once the migration is over and I want to create a new domain that is not a top level domain, I would do PUT /domain {……parent_id=parent_domain/project_id}? | 18:54 |
rodrigods | henrynash, would do PATCH /projects/<project_id> passing the "domain-ness" flag as True | 18:55 |
rodrigods | henrynash, ah, ok... | 18:55 |
rodrigods | didn't get that you were talking about create | 18:55 |
rodrigods | henrynash, yes... something like that | 18:56 |
rodrigods | raildo, any thoughts? ^ | 18:56 |
marekd | stevemar: it may be confusing but if you look at the spec it mentions *remote_ids* whereas in the current impl in the code there is remote_id. | 18:57 |
marekd | nkinder: ^^ | 18:57 |
marekd | nkinder: it's https://review.openstack.org/#/c/148229/ | 18:57 |
raildo | henrynash, rodrigods I think that you have to use POST /project set the parent_id, domain_id, and set the domain-ness flag as True | 18:58 |
marekd | and the impl is mentioned somewhere in the references. | 18:58 |
nkinder | marekd: Thanks. Didn't see there was an implementation review for that spec | 18:58 |
marekd | nkinder: look at the bottom. In fact, this spec somehow evolved from the impl which was a fix for a bug :-) | 18:59 |
marekd | we need it to make users life easier and to make websso doable. | 18:59 |
nkinder | marekd: yes, I remember the bug. I need to write an OSSN for it. | 18:59 |
marekd | nkinder: yep :-) | 18:59 |
marekd | stevemar: so, in general there will be yet another patch on top of marcos work :-) | 18:59 |
marekd | it's a tl;dr | 18:59 |
nkinder | marekd: So is there anything else holding up the spec, or just one more +2? | 19:00 |
marekd | nkinder: imho yet another +2 | 19:00 |
nkinder | yeah, it seems complete to me | 19:00 |
marekd | unless we want a revolution in OS-FEDERATION :-) | 19:01 |
henrynash | rodigods, raildo: so we should probably think about what the conceptual model we want to end up with…and so we can be taking steps towards it... | 19:01 |
marekd | but i don't want | 19:01 |
rodrigods | henrynash, yes | 19:01 |
raildo | henrynash, sure | 19:01 |
rodrigods | raildo was arguing that we may drop the /domains API someday? | 19:01 |
stevemar | marekd, i'm just eager to get this done :) | 19:02 |
nkinder | marekd: I just want to push what we have forward so it's a complete solution across Horizon. No revolutions please. :) | 19:02 |
rodrigods | there is also the option to support both ways | 19:02 |
henrynash | raildo: (for clarity, meaning no time soon, but) you mean everything would be done via the project API, and the is_domain flag? | 19:03 |
raildo | henrynash, for now, I believe that we can keep create root domain in the domain API (we can maintain the compatibility) | 19:04 |
raildo | henrynash, and i want to create project domain-ness in the project API | 19:04 |
raildo | henrynash, so in a future is more ease drop the domain API or something like that, makes sense? | 19:05 |
henrynash | raildo: ok, so the conceptual proposal is (just trying to understand it): If you are manipulating a top level domain, you use the domain API, for subdomains you MUST use the project API ? | 19:06 |
raildo | henrynash, yes... you call subdomains, I think in project domain-ness , but yes :) | 19:07 |
morganfainberg | topol, http://lists.openstack.org/pipermail/openstack-dev/2015-January/055586.html | 19:07 |
*** gtt116__ has quit IRC | 19:07 | |
rodrigods | raildo, henrynash I'd argue to use both... | 19:07 |
rodrigods | so we'd drop one of them in the future | 19:08 |
rodrigods | depending on how things evolve | 19:08 |
*** gtt116 has joined #openstack-keystone | 19:08 | |
morganfainberg | dstanek, http://lists.openstack.org/pipermail/openstack-dev/2015-January/055586.html re migrations | 19:08 |
raildo | henrynash, its a alternative... and internally for both API calls we create a project domain-ness.. | 19:09 |
morganfainberg | henrynash, raildo, can i ask a huge favor | 19:09 |
morganfainberg | stop using the word domain-ness | 19:10 |
morganfainberg | i'm serious | 19:10 |
henrynash | morganfaiberg: I didn’t :-) | 19:10 |
*** nkinder has quit IRC | 19:10 | |
morganfainberg | it's an awful word | 19:10 |
rodrigods | morganfainberg, ++ can with the "is_domain" flag? | 19:10 |
rodrigods | heh | 19:10 |
morganfainberg | perfect | 19:10 |
henrynash | morganfainberg: even though I am to blame for coining it originally... | 19:10 |
morganfainberg | waaay better and easier to explain to people | 19:10 |
rodrigods | morganfainberg, right | 19:11 |
rodrigods | is_domain ftw | 19:11 |
raildo | morganfainberg, ok :) | 19:11 |
rodrigods | morganfainberg, what do you think about the ability to create subdomains via both /domains and /projects API? | 19:11 |
dstanek | morganfainberg: totally agree | 19:12 |
*** sriram has left #openstack-keystone | 19:12 | |
henrynash | rodigods, morganfainberg: it seems to me that the conceptual future model is that you create a project and optionally mark it as is_domain=True, so the current Domain API would eventually be deprecated…so not sure if we want to extend the current one | 19:13 |
rodrigods | henrynash, sounds good to me | 19:14 |
rodrigods | and if you cores and our PTL morganfainberg agree with that assumption for now, I think we have lots of remaining points of the reseller spec covered | 19:15 |
morganfainberg | henrynash, that was my view | 19:16 |
morganfainberg | though removing V3 domain specific stuff is a much much different thing that i didn't want to tackle today (or even tomorrow) | 19:16 |
morganfainberg | OMG I STILL HAVENT HAD COFFEE | 19:16 |
* morganfainberg grumps | 19:16 | |
raildo | lol | 19:16 |
rodrigods | if we could send images via IRC, we'd send a huge picture of a coffee mug here | 19:16 |
henrynash | morganfainberg: agreed…this is future…no deprecation in J | 19:17 |
henrynash | oops, i mean K | 19:17 |
rodrigods | ++ | 19:18 |
henrynash | I’m off to mull on this whole issue a bit more…. | 19:19 |
rodrigods | we are going to update the spec and then ask for you guys to see if it is ok | 19:20 |
rodrigods | hope it makes the kilo 2 deadline | 19:20 |
*** henrynash has quit IRC | 19:20 | |
*** breton_ has joined #openstack-keystone | 19:20 | |
*** breton_ is now known as breton | 19:21 | |
lhcheng | hey folks, does keystoneclient shell supposed to support keyring? It keeps on asking me for password even if I have keyring setup, wondering if that is by design or bug. | 19:22 |
lhcheng | Triaging this bug: https://bugs.launchpad.net/python-keystoneclient/+bug/1357567 | 19:22 |
TempLPBugBot | Launchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" (affected: 1, heat: 8) [Undecided,New] - Assigned to Shraddha Pandhe (shraddha-pandhe) | 19:22 |
*** dims has quit IRC | 19:26 | |
morganfainberg | rodrigods, i *think* that is totally possible. | 19:28 |
*** henrynash has joined #openstack-keystone | 19:32 | |
*** ChanServ sets mode: +v henrynash | 19:32 | |
morganfainberg | rodrigods, we can work through the last issues with the spec today/tomorrow | 19:33 |
*** aix has quit IRC | 19:35 | |
*** dims has joined #openstack-keystone | 19:36 | |
*** dutsmoc has quit IRC | 19:38 | |
*** comstud has joined #openstack-keystone | 19:38 | |
rodrigods | morganfainberg, great! already working on it | 19:40 |
raildo | morganfainberg, :D | 19:40 |
mfisch | everytime I get an email from morganfainberg I realize too late that its a trick question and he's going to take away a feature ;) | 19:42 |
morganfainberg | mfisch, *note to self, send scary emails to mfisch directly* | 19:42 |
mfisch | "hey so I'm curious, do you really use your basement?" (next week morgan moves in) | 19:43 |
mfisch | actually I'm with you on downgrades morganfainberg, just trying to amuse myself after an interesting day | 19:43 |
morganfainberg | mfisch, hey this time i proposed up front we should remove it (in the dev thread) AND linked that in the operator thread | 19:43 |
mfisch | I would be surprised if anyone does rollbacks | 19:43 |
morganfainberg | mfisch, the only thing i ask is if you agree please say so, more voices in this case may make things better / easier for everyone | 19:44 |
mfisch | I did reply | 19:44 |
morganfainberg | ah haven't seen it yet then | 19:44 |
morganfainberg | :) | 19:44 |
morganfainberg | mfisch, thanks! :) | 19:44 |
morganfainberg | i would call someone crazy for doing a rollback tbh | 19:44 |
mfisch | its like rolling back an os package | 19:45 |
mfisch | it might work, but you'd be the first to try it | 19:45 |
mfisch | good luck | 19:45 |
morganfainberg | because RPM does such a good job of that | 19:45 |
morganfainberg | or even deb | 19:45 |
morganfainberg | no really | 19:45 |
morganfainberg | try it | 19:45 |
morganfainberg | :P | 19:45 |
mfisch | when we do an upgrade we just halt the db on the cluster, leave one node up | 19:46 |
mfisch | and only rejoin those when we know is good | 19:46 |
* mfisch has been fighting db issues all morning so this is fresh | 19:46 | |
*** stevemar2 has joined #openstack-keystone | 19:47 | |
*** ChanServ sets mode: +v stevemar2 | 19:47 | |
*** ajayaa has quit IRC | 19:47 | |
*** stevemar has quit IRC | 19:47 | |
morganfainberg | yep | 19:47 |
*** arif-ali_ has joined #openstack-keystone | 19:49 | |
*** breton_ has joined #openstack-keystone | 19:49 | |
*** SpamapS_ has joined #openstack-keystone | 19:51 | |
*** henrynash has quit IRC | 19:53 | |
*** atiwari1 has joined #openstack-keystone | 19:54 | |
*** dims_ has joined #openstack-keystone | 19:56 | |
*** rodrigod` has joined #openstack-keystone | 19:56 | |
*** arif-ali has quit IRC | 19:56 | |
*** breton has quit IRC | 19:56 | |
*** SpamapS has quit IRC | 19:56 | |
*** rodrigods has quit IRC | 19:56 | |
*** a2hill has quit IRC | 19:56 | |
*** atiwari has quit IRC | 19:56 | |
*** arif-ali_ is now known as arif-ali | 19:56 | |
*** ptoohill has joined #openstack-keystone | 19:56 | |
*** dims has quit IRC | 19:58 | |
*** thedodd has joined #openstack-keystone | 20:00 | |
*** dims_ has quit IRC | 20:00 | |
*** andreaf has quit IRC | 20:00 | |
*** zz_avozza is now known as avozza | 20:02 | |
*** openstackgerrit has quit IRC | 20:04 | |
*** openstackgerrit has joined #openstack-keystone | 20:04 | |
*** nellysmitt has quit IRC | 20:07 | |
*** gabriel-bezerra has joined #openstack-keystone | 20:07 | |
*** _cjones_ has quit IRC | 20:07 | |
*** nellysmitt has joined #openstack-keystone | 20:07 | |
*** nellysmitt has quit IRC | 20:12 | |
*** jsavak has quit IRC | 20:14 | |
morganfainberg | stevemar2: wow shady there man. How can I be sure who I'm talking to? What did you do to stevemar? ;) | 20:18 |
stevemar2 | morganfainberg, i took his isp and made is even more terrible | 20:19 |
stevemar2 | it* | 20:19 |
morganfainberg | Oh. Kind of like my phone from att uverse | 20:20 |
morganfainberg | zzzeek: thanks for the reply! I figured you'd jump in :) | 20:23 |
zzzeek | sure | 20:23 |
*** SpamapS_ is now known as SpamapS | 20:23 | |
morganfainberg | And I figured that would be your response ;) | 20:23 |
*** fifieldt has quit IRC | 20:24 | |
*** SpamapS has quit IRC | 20:24 | |
*** SpamapS has joined #openstack-keystone | 20:24 | |
*** fifieldt has joined #openstack-keystone | 20:24 | |
morganfainberg | mfisch: the cruft below the line is insane. I feel bad when companies mandate that stuff. :( | 20:26 |
morganfainberg | /comfort | 20:26 |
morganfainberg | Because somehow i bet that those disclaimers have about as many teeth as a blog post saying "don't read this" | 20:27 |
mfisch | yeah, its pretty terrible and embarrassing | 20:27 |
morganfainberg | That is one reason I use gmail for my OpenStack email. | 20:28 |
morganfainberg | Not that hp mandates it today. | 20:28 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Remove deprecated methods and functions in token subsystem https://review.openstack.org/151381 | 20:57 |
*** henrynash has joined #openstack-keystone | 21:00 | |
*** ChanServ sets mode: +v henrynash | 21:00 | |
morganfainberg | hmm | 21:04 |
morganfainberg | I'm really digging rust | 21:04 |
morganfainberg | kindof want to see where it goes | 21:04 |
*** henrynash has quit IRC | 21:04 | |
topol | morganfainberg, why did you want me to look at http://lists.openstack.org/pipermail/openstack-dev/2015-January/055586.html I wasnt sure of the context | 21:04 |
morganfainberg | topol, you have all the context by reading it. | 21:04 |
morganfainberg | topol, downgrades kindof suck | 21:04 |
morganfainberg | esp. from a data perspective | 21:05 |
topol | Ok. I will read | 21:05 |
*** stevemar2 has quit IRC | 21:05 | |
*** stevemar2 has joined #openstack-keystone | 21:06 | |
*** ChanServ sets mode: +v stevemar2 | 21:06 | |
morganfainberg | this has ... almost everything i want python to have: http://www.rust-lang.org | 21:07 |
morganfainberg | kindof sexy all around. can't wait to see 1.0 | 21:08 |
bknudson | "threads without data races" -- I'm sure. | 21:08 |
morganfainberg | * In theory. Rust is a work-in-progress and may do anything it likes up to and including eating your laundry. | 21:09 |
*** dims has joined #openstack-keystone | 21:09 | |
bknudson | "all sorting in O(1)"! | 21:09 |
dstanek | bknudson: sounds like magic | 21:12 |
bknudson | "all programs guaranteed to terminate" | 21:13 |
dstanek | i've never seen one that doesn't :-) | 21:13 |
*** dims has quit IRC | 21:14 | |
*** _cjones_ has joined #openstack-keystone | 21:19 | |
*** pnavarro has quit IRC | 21:25 | |
*** rodrigod` is now known as rodrigods | 21:31 | |
*** rodrigods has quit IRC | 21:31 | |
*** rodrigods has joined #openstack-keystone | 21:31 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone-specs: Reseller https://review.openstack.org/139824 | 21:32 |
*** radez_g0n3 is now known as radez | 21:32 | |
rodrigods | morganfainberg, thanks for the conversation today, tried to add all points there ^ | 21:32 |
*** topol has quit IRC | 21:38 | |
*** dims has joined #openstack-keystone | 21:39 | |
*** dims has quit IRC | 21:40 | |
*** afazekas_ has quit IRC | 21:46 | |
*** gabriel-bezerra has quit IRC | 21:52 | |
*** nkinder has joined #openstack-keystone | 21:55 | |
*** gabriel-bezerra has joined #openstack-keystone | 21:56 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Change oslo.utils to oslo_utils https://review.openstack.org/148019 | 21:58 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Change oslo.serialization to oslo_serialization https://review.openstack.org/148025 | 21:58 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Change oslo.config to oslo_config https://review.openstack.org/145250 | 21:59 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Change oslo.db to oslo_db https://review.openstack.org/148029 | 21:59 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Change oslo.messaging to oslo_messaging https://review.openstack.org/148028 | 21:59 |
*** radez is now known as radez_g0n3 | 22:00 | |
*** jamielennox|away is now known as jamielennox | 22:03 | |
*** gabriel-bezerra has quit IRC | 22:04 | |
*** joesavak has joined #openstack-keystone | 22:07 | |
rodrigods | long day -> beer day | 22:08 |
*** chlong has quit IRC | 22:08 | |
*** nellysmitt has joined #openstack-keystone | 22:08 | |
*** nellysmitt has quit IRC | 22:13 | |
*** samueldmq_ has joined #openstack-keystone | 22:18 | |
stevemar2 | lhcheng, if you're around i'd like your eyes on a patch :) | 22:20 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add CADF notifications for most resources https://review.openstack.org/151137 | 22:22 |
stevemar2 | this one ^ | 22:22 |
*** r-daneel has quit IRC | 22:22 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add CADF notifications for most resources https://review.openstack.org/151137 | 22:23 |
*** timcline has quit IRC | 22:26 | |
*** timcline has joined #openstack-keystone | 22:26 | |
openstackgerrit | gordon chung proposed openstack/keystonemiddleware: make audit event scoped to request session and not middleware https://review.openstack.org/149300 | 22:28 |
openstackgerrit | gordon chung proposed openstack/keystonemiddleware: make audit event scoped to request session and not middleware https://review.openstack.org/149300 | 22:30 |
*** timcline has quit IRC | 22:31 | |
lhcheng | stevemar2: aha so... I wonder why you're also up, there's actually two stevemar... :P | 22:32 |
*** mattfarina has quit IRC | 22:32 | |
stevemar2 | lhcheng, that other one is a jerk | 22:32 |
lhcheng | lol, so he's in charge of doing reviews? :) | 22:32 |
stevemar2 | hehe | 22:33 |
lhcheng | jamielennox: when you get the chance, can you look at: https://bugs.launchpad.net/python-keystoneclient/+bug/1357567 | 22:34 |
TempLPBugBot | Launchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" (affected: 1, heat: 8) [Undecided,New] - Assigned to Shraddha Pandhe (shraddha-pandhe) | 22:34 |
lhcheng | jamielennox: the keyring doesn't work with shell, just wanted to confirm if by design or bug | 22:35 |
jamielennox | lhcheng: it's not by design but i'm not surprised | 22:35 |
jamielennox | that code was always a little flaky | 22:35 |
*** timcline has joined #openstack-keystone | 22:36 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Remove deprecated methods and functions in token subsystem https://review.openstack.org/151381 | 22:36 |
lhcheng | jamielennox: we got a patch internally to fix that, the dev was just waiting for someone to confirm it was a valid bug. | 22:36 |
lhcheng | jamielennox: we'll have a patch up soon! | 22:37 |
jamielennox | lhcheng: sure put up the patch | 22:37 |
stevemar2 | lhcheng, keyring support is flakey at best | 22:38 |
*** abhirc has quit IRC | 22:40 | |
*** timcline has quit IRC | 22:40 | |
lhcheng | stevemar2: hehe figured.. openstackclient will be better! :D | 22:43 |
*** markvoelker has quit IRC | 22:46 | |
jamielennox | stevemar2: does OSC support any keyring stuff? | 22:46 |
*** markvoelker_ has joined #openstack-keystone | 22:47 | |
stevemar2 | jamielennox, nope, precisely for the reasons stated above, flakeyness | 22:47 |
*** avozza is now known as zz_avozza | 22:47 | |
*** henrynash has joined #openstack-keystone | 22:48 | |
*** ChanServ sets mode: +v henrynash | 22:48 | |
jamielennox | stevemar2: thought so | 22:48 |
jamielennox | stevemar2: check out https://review.openstack.org/#/c/149175/ i'm not finished with it but its how i think keyring support will work | 22:48 |
jamielennox | or at least be based on | 22:48 |
stevemar2 | jamielennox, though i think that, or at least per-user-configs is next on the horizon | 22:49 |
jamielennox | yea, i think dtroyer is keen to offload a lot of this stuff to os-cloud-config | 22:50 |
stevemar2 | jamielennox, like maybe a dot file with some user-data, or something related to 'cloud config' | 22:50 |
stevemar2 | yeah | 22:50 |
jamielennox | it's just shifting the load though, there's still not a good answer yet | 22:50 |
stevemar2 | jamielennox, and of course now that we have a half-decent built-in API, i think the plan is to add neutron support | 22:50 |
jamielennox | stevemar2: cool, i was just going to write something that needed to create a network from the cli | 22:51 |
jamielennox | stevemar2: wherever possible i default to using OSC for that now | 22:51 |
*** openstackgerrit has quit IRC | 22:51 | |
*** openstackgerrit has joined #openstack-keystone | 22:51 | |
jamielennox | that sort of work | 22:51 |
*** tellesnobrega_ has joined #openstack-keystone | 22:51 | |
stevemar2 | jamielennox, oh nice, yeah support for a the | 22:52 |
stevemar2 | 'network' resource is there | 22:52 |
stevemar2 | but not much else | 22:52 |
*** marg7175 has quit IRC | 22:53 | |
*** henrynash has quit IRC | 22:53 | |
openstackgerrit | gordon chung proposed openstack/keystonemiddleware: move add event creation logic to keystonemiddleware https://review.openstack.org/149405 | 22:53 |
openstackgerrit | gordon chung proposed openstack/keystonemiddleware: move add event creation logic to keystonemiddleware https://review.openstack.org/149405 | 22:56 |
*** henrynash has joined #openstack-keystone | 23:00 | |
*** ChanServ sets mode: +v henrynash | 23:00 | |
*** henrynash has quit IRC | 23:01 | |
*** zz_avozza is now known as avozza | 23:03 | |
*** gordc has quit IRC | 23:03 | |
marekd | stevemar2: nkinder it's always a question whether we should just do things or maybe we should do small revolution today in order to avoid big revolution tomorrow :) | 23:05 |
stevemar2 | marekd, big revolutions all the time! | 23:06 |
stevemar2 | marekd, why are you up at this hour? | 23:06 |
marekd | had a dinner w/ friends today and they just left :-) | 23:07 |
marekd | it's pretty standard work hour for you, isn't it? :-) | 23:08 |
marekd | stevemar2: btw, looks like oidc also support something like remote_id (http://openid.net/specs/openid-connect-basic-1_0.html#IDToken ,see iss), so we are safe to go. | 23:08 |
openstackgerrit | Merged openstack/keystone: Fix up _ldap_res_to_model for ldap identity backend https://review.openstack.org/150631 | 23:08 |
stevemar2 | marekd, ++ | 23:09 |
openstackgerrit | Merged openstack/keystone: Imported Translations from Transifex https://review.openstack.org/149158 | 23:09 |
*** marg7175 has joined #openstack-keystone | 23:10 | |
*** spandhe has joined #openstack-keystone | 23:12 | |
spandhe | hey lhcheng! wanted to discuss https://bugs.launchpad.net/python-keystoneclient/+bug/1357567 : issue with keyring caching | 23:14 |
TempLPBugBot | Launchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" (affected: 1, heat: 8) [Undecided,New] - Assigned to Shraddha Pandhe (shraddha-pandhe) | 23:14 |
spandhe | Hi jamielennox ! I work with lhcheng.. wanted to discuss https://bugs.launchpad.net/python-keystoneclient/+bug/1357567 with you guys.. Is it confirmed that its a valid bug? | 23:15 |
TempLPBugBot | Launchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" (affected: 1, heat: 8) [Undecided,New] - Assigned to Shraddha Pandhe (shraddha-pandhe) | 23:15 |
spandhe | I will update the links in the description | 23:15 |
jamielennox | spandhe: i haven't confirmed it, but i'm pretty sure you're right | 23:16 |
jamielennox | it was always in the wrong position, keyring should be part of the shell and not part of the client | 23:16 |
lhcheng | hey spandhe! yeah, most likely it is broken lol | 23:16 |
spandhe | jamielennox: ok.. thanks.. I fixed it internally with a patch.. I will send it out for review in some time.. | 23:17 |
jamielennox | spandhe: sounds good | 23:17 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Consistently use oslo_config.cfg.CONF https://review.openstack.org/147367 | 23:17 |
*** dims has joined #openstack-keystone | 23:22 | |
*** dims has quit IRC | 23:25 | |
*** dims has joined #openstack-keystone | 23:25 | |
*** marg7175 has quit IRC | 23:26 | |
*** marg7175 has joined #openstack-keystone | 23:35 | |
morganfainberg | jamielennox, we should revisit pecan if we can | 23:39 |
morganfainberg | jamielennox, https://review.openstack.org/#/c/150821/ would be so easy to add to keystone as well | 23:39 |
jamielennox | morganfainberg: ok, i agree | 23:39 |
morganfainberg | trivial microversioning would be a win doe us. | 23:39 |
jamielennox | it was a really hard rebase last time i looked | 23:40 |
morganfainberg | s/doe/for | 23:40 |
morganfainberg | yeah :( | 23:40 |
morganfainberg | lets target post k2 | 23:40 |
jamielennox | hmm, not sure i agree on the microversioning concept | 23:40 |
morganfainberg | jamielennox, we're going to need it. | 23:40 |
jamielennox | ok, i have a few things on my plate first but i'll try and redo that patch | 23:40 |
morganfainberg | jamielennox, i am not going to increment a major api version *ever* again if i have anything to say about it | 23:40 |
morganfainberg | no rush | 23:40 |
morganfainberg | like i said, lets look post k2 | 23:40 |
jamielennox | i'll let you know when i do, because it touches so much it really needs to get a propose then +A or you are always rebasing | 23:41 |
morganfainberg | worst case we aim it to land first thing in L | 23:41 |
morganfainberg | so we Freeze, deal with bugs, and as soon as we have RC land it | 23:41 |
*** thedodd has quit IRC | 23:41 | |
*** dims has quit IRC | 23:41 | |
jamielennox | microversioning is going to make openstack so much harder to deal with | 23:41 |
morganfainberg | i know | 23:41 |
*** dims has joined #openstack-keystone | 23:42 | |
morganfainberg | i expect to use it extremely infrequently for us | 23:42 |
morganfainberg | but frankly we need an answer to "how do we change APIs" | 23:42 |
morganfainberg | short of keystone2 | 23:42 |
morganfainberg | [which also is likely off the table] | 23:42 |
jamielennox | my hope was that all this auth plugin and unversioned endpoints stuff would be ready before this was needed | 23:42 |
jamielennox | then we had a story for how to progress through major API versions | 23:42 |
morganfainberg | the issue isn't the endpoints though... or even versioning | 23:43 |
morganfainberg | it's the lack of x-version support | 23:43 |
jamielennox | i don't believe semver solves all problems, but it is a nice way of communicating things if you are willing to bump majors every now and the | 23:43 |
jamielennox | n | 23:43 |
morganfainberg | and how much work it is to integrate with the "next great version of X" | 23:43 |
morganfainberg | fair point, but lets just say if we had keystone 3.5.x and moving to 4.x, even slightly breaking would be a big deal :( | 23:44 |
morganfainberg | look how hard it's been to get to v3 | 23:44 |
morganfainberg | and that has stayed the same for a looong time [the parts people would have been using] | 23:44 |
jamielennox | right integration is the problem - and i know that python is not the only set of clients but if we fix that story then everyone else would have to adapt as well | 23:44 |
jamielennox | the problem with v3 wasn't the new api though | 23:44 |
jamielennox | still isn't | 23:44 |
morganfainberg | well, indirectly it was | 23:45 |
morganfainberg | anyway | 23:45 |
morganfainberg | something to do not-this-week | 23:45 |
*** marg7175 has quit IRC | 23:47 | |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Add validate token for v3 https://review.openstack.org/142147 | 23:47 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Tests use keep_blank_values when parse_qs https://review.openstack.org/151471 | 23:47 |
openstackgerrit | Merged openstack/keystone: Documentation fix for Keystone Architecture https://review.openstack.org/151294 | 23:48 |
openstackgerrit | Merged openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware https://review.openstack.org/144697 | 23:48 |
*** chrisshattuck has quit IRC | 23:49 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Add CADF notifications for most resources https://review.openstack.org/151137 | 23:51 |
stevemar2 | morganfainberg, just a heads up - submitted cadf everywhere patch ^ | 23:51 |
stevemar2 | so some of that conflicts with henrynashs restructure work | 23:52 |
stevemar2 | well, it will anyway, i need the context from some of the functions | 23:53 |
*** chlong has joined #openstack-keystone | 23:53 | |
*** abhirc has joined #openstack-keystone | 23:56 | |
*** bknudson has quit IRC | 23:57 |