Friday, 2015-02-06

« Thursday, 2015-02-05 Index Saturday, 2015-02-07 »
*** nellysmitt has quit IRC00:00
kfox1111I was able to authenticate before being on a project but the dashboard kicks you out saying you have no projects.00:00
morganfainbergicehouse was a street iirc00:00
morganfainberggrizzly is the state animal00:00
lhchengstevemar: thanks for the link00:00
morganfainbergkilo was kilogram near paris00:00
lhchengmorganfainberg: yeah, icehouse is a street with a lot of historical landmarks00:01
morganfainbergkfox1111, weird.00:01
morganfainbergso once you granted a role it go.. wait did you grant the role and then got kicked out?00:02
morganfainbergdid you by chance re-auth after granting a role?00:02
morganfainberg or relogin00:02
*** zz_avozza is now known as avozza00:02
morganfainbergbecause there is some wierdness on token revocations when you add/remove roles00:02
morganfainbergnot sure when we hammered out the most recent of those bugs00:02
kfox1111I did relogin.00:04
kfox1111ok. just created another domain. sql backed. created a project/user in it. user has _member_ role on the project.00:05
kfox1111same error.00:05
kfox1111little red box in dashboard on login on overview "Error: Unauthorized: Unable to retrieve usage information."00:06
kfox1111so that rules out ldap.00:06
morganfainbergok i'm still poking at it00:07
morganfainbergoh FFS00:12
morganfainbergcentos pip does bad things00:13
morganfainberg*great*00:13
kfox1111hmm... do I need to go update nova configs to point to v3?00:15
kfox11112015-02-05 16:14:44.294 7155 INFO nova.osapi_compute.wsgi.server [-] 172.20.96.65 "GET /v2/498dc14329754911894125afda4f2730/servers/detail HTTP/1.1" status: 401 len: 259 time: 0.437727900:15
kfox1111or is the v2 there nova's api?00:15
amerineThats novas00:15
morganfainbergno thats nova's v2 api00:15
*** abhirc has joined #openstack-keystone00:16
kfox1111ok.00:16
*** samueldmq_ has joined #openstack-keystone00:16
kfox1111hmm... GET /v2.0/tokens/0fc453145fff46e3a6df6e93d748d60f HTTP/1.1" 40100:16
kfox1111in keystone's logs...00:16
morganfainberg401 means a token is expired/invalie00:17
morganfainberginvalid00:17
morganfainbergnot the token you're asking about00:17
morganfainbergthe service token.00:17
kfox1111k....00:17
morganfainbergdid you move your service users to non-default domain?00:17
morganfainberge.g. nova's user?00:17
kfox1111no. still in the default.00:17
kfox1111didn't want to break things.00:17
morganfainbergyeah there is a bug about that00:17
morganfainbergwhere keystonemiddleware [it's fixed just not released iirc] can't talk v3 for service tokens00:18
kfox1111a bug that I should move it, or I shouldnt? :)00:18
morganfainbergdon't move it ;)00:18
kfox1111ok.00:18
morganfainbergso can the nova user login to keystone?00:18
morganfainbergwith the username/password defined for middleware?00:19
morganfainbergthis is *sounding* like an issue with that user unable to validate the token[s]00:19
kfox1111if I login as admin, I can see all the instances.00:19
kfox1111in the default domain.00:19
morganfainbergtry logging in with the nova user00:19
morganfainberg's credentials00:20
kfox1111k.00:20
morganfainberglike via keystonelcient?00:20
morganfainbergor just with curl00:20
morganfainbergand i want you to do get /v2.0/tokens/<token> using X-Auth-Token from nova's user00:20
kfox1111hmm... auth_version=v2.0 is set in the config file explicitly...00:21
kfox1111do I need to set that to 3?00:21
morganfainbergnah, that should be fine00:21
kfox1111k....00:21
morganfainbergnova should be able to auth with v3 tokens i think..00:21
morganfainbergerm v200:21
morganfainbergi oh00:21
morganfainbergoh00:21
morganfainbergyeah that needs to be auth_version=3.000:21
morganfainbergif the token you're asking for information for is a v3 token on the v2 interface it wont work00:22
morganfainbergbecause v2 doesn't know about domains00:22
kfox1111hmm... k. let me try that.00:22
kfox1111the nova service user worked ok btw.00:22
*** pnavarro has quit IRC00:23
kfox1111k. set v3, restarted just openstack-nova-api,00:24
kfox1111the test user is still failing to talk to nova.00:24
morganfainbergdo you have caching enabled? e.g. memcached for middleware?00:24
morganfainbergyou might want to logout/login with that user00:25
morganfainbergnew clean token00:25
kfox1111for testing, I'm using the command line. should be fresh.00:25
morganfainbergnova cli?00:25
kfox1111openstack server list and openstack image list.00:25
kfox1111the former fails, the latter works.00:25
morganfainbergthen something is wrong with either your policy.json or the roles for the user00:25
morganfainbergwell maybe00:26
morganfainbergok check ekystone's log00:26
kfox1111possible. does nova's policy need updating?00:26
morganfainbergfor your token00:26
morganfainbergsee if keystone is still saying 40100:26
morganfainbergand it should be asking on v3 now00:26
morganfainbergfwiw, keystone shouldn't be saying 401 afaik unless the nova service user is broken / unable to auth00:27
kfox1111these are all the logs durring the openstack server list command in keystone.log00:27
kfox1111http://pastebin.com/E3mxr6xV00:27
morganfainbergcan you look in the DB and see which user token fc43d49a4d5d4698ae53f5ea54a18a47 is for?00:28
morganfainbergis that nova's user or your test user?00:28
kfox1111hmmmm.. under the neutron section of nova's config, I see:00:28
kfox1111admin_auth_url=http://172.20.96.65:35357/v2.000:28
kfox1111k.00:28
morganfainbergoh yeah nova + neutron + v3 does not work right yet00:29
morganfainbergafaik00:29
morganfainbergjamielennox can speak a bit more to that00:29
morganfainbergit is a gap.00:29
kfox1111what does that mean? :)00:29
kfox1111how wide a gap?00:29
morganfainbergit means nova can't talk to neutron with v300:29
morganfainbergv3 keystone00:29
morganfainbergit doesn't work00:29
kfox1111arg.00:29
kfox1111is there a patch?00:30
morganfainbergthere is a bug-fix somewhere to solve it00:30
kfox1111would that affefct this?00:30
*** markvoelker has quit IRC00:30
morganfainbergif nova is meant to get info back and it's getting a 40100:30
morganfainbergyeah.00:30
*** markvoelker has joined #openstack-keystone00:31
kfox1111k.00:31
kfox1111hmm....00:31
* kfox1111 searches around for the patch.00:31
morganfainbergso the fix is somewere i think in this list: https://review.openstack.org/#/q/owner:%22Jamie+Lennox%22+status:open,n,z00:31
* morganfainberg is trying to figure out which one it is00:31
morganfainbergthis might be it: https://review.openstack.org/#/c/136931/00:31
*** dims__ has quit IRC00:31
* morganfainberg did not claim this would be an easy fix00:32
morganfainbergkfox1111, it was blocked on waiting for a new neutronclient00:33
kfox1111the review makes it seem like they are working around a neutronclient bug in addition, and the comment makes it sound like they should not do the workaroud too?00:34
kfox1111in the mean time, the patch might work as is?00:34
morganfainbergkfox1111, those comments are from before the fix.00:34
morganfainbergkfox1111, probably not, as that patch is against master nova00:34
morganfainbergnot sure how diverged that is from juno00:35
morganfainbergkfox1111, before the fix / release of neutronclient00:35
morganfainbergnew neutronclient means they don't have to patch around the bug00:35
kfox1111can find out, if I can figure out how to get the patch out. :)00:35
*** markvoelker has quit IRC00:35
kfox1111the comment was about a proxy around the client though, which I took to mean the proxy itself wasnt needed if they had a new client?00:36
bknudsonjamielennox: I think v3 test_create is broken now.00:37
morganfainbergkfox1111, likely00:37
morganfainbergkfox1111, but jamielennox should know more about it00:37
morganfainbergkfox1111, sorry for the winding road to get hear >.<00:37
kfox1111sokay. making progress though. :)00:37
kfox1111lets see... I need to pull a nova git, and the patch...00:37
* morganfainberg is going to need to go run for some errands00:37
kfox1111and the company's firewall is in the way. :/00:38
bknudsonmaybe need to revert https://review.openstack.org/#/c/148499/00:38
kfox1111ok. thanks for all the help.00:38
bknudsontest_create could really use a docstring!00:38
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Revert "make req_ref doesn't require id"  https://review.openstack.org/15343300:40
bknudsonjamielennox: morganfainberg: ^00:40
morganfainbergbknudson, looking00:41
bknudsonjamielennox: morganfainberg: look at https://review.openstack.org/#/c/115770/29/keystoneclient/tests/v3/test_projects.py -- line 6800:41
morganfainbergbknudson, hm.00:42
bknudsonthe simulated server response should have "id": "whatever", so the returned project should already have a .id field.00:42
* morganfainberg comments about tracking API responses and reality in two separate repos00:43
bknudsonmore fixtures would be nice.00:43
morganfainbergbknudson, +++++++++00:43
morganfainbergand especially tests that confirm fixture looks like reality00:44
morganfainbergok i need to make a phone call. will check that patch / revert whne i'm done00:44
bknudsonI'll keep looking at it.00:44
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Revert "make req_ref doesn't require id"  https://review.openstack.org/15343300:46
bknudsonhmm... maybe that's not right... turns out everything is just broken.00:49
kfox1111ok... got the patch, got the juno version of the file, and got trunks....00:49
bknudsonmorganfainberg: jamielennox: I'm thinking that commit wasn't the problem and that test_create is just plain broken all-around.00:50
openstackgerritMerged openstack/keystonemiddleware: make audit event scoped to request session and not middleware  https://review.openstack.org/14930000:50
*** ljfisher has quit IRC00:51
*** mgarza has quit IRC00:52
kfox1111hmm.. fairly different. :/00:52
*** andreaf has quit IRC00:52
*** andreaf has joined #openstack-keystone00:53
kfox1111yeah.... the patch is pretty different then what juno's got. :/00:53
kfox1111lame. :/00:54
kfox1111alright.... well, this cloud's going to have to stay v2 then, and once we get to kilo, we can reevaluate. :/00:54
kfox1111thanks again for all the help.00:55
bknudsonkfox1111: you're disabling v3?00:59
*** sld has quit IRC01:00
*** markvoelker has joined #openstack-keystone01:01
*** topol has joined #openstack-keystone01:04
*** ChanServ sets mode: +v topol01:04
*** dims__ has joined #openstack-keystone01:05
*** markvoelker has quit IRC01:06
*** abhirc has quit IRC01:13
*** raildo_ has quit IRC01:13
jamielennoxsorry - i'm timezone challenged for the next week or so - what's up01:14
*** thedodd has quit IRC01:15
kfox1111bknudson: gota. no nova+neutron support. :/01:15
bknudsonkfox1111: so you're removing v3 from the keystone server pipeline?01:15
kfox1111no. just disabling the test domains and removing multidomain from the dashboard.01:16
jamielennoxkfox1111: i've no reason to believe that the nova to neutron patch wouldn't still work01:16
kfox1111gota figure out how to get service accounts and ldap to play nice in the same domain now. :/01:16
bknudsonjamielennox: was looking at https://review.openstack.org/#/c/115770/29/keystoneclient/tests/v3/test_projects.py (line 68) and noticed that test_create() is incorrect all around...01:16
bknudsonI thought it might be due to the recent change to test_create, but turns out it's always been broken.01:17
kfox1111jamielennox: With pure juno?01:17
kfox1111the files are pretty different.01:17
jamielennoxbknudson: there was that change recently that i remember going through and thinking it was ugly01:17
jamielennoxkfox1111: i don't know about pure juno, these service to service communication patches are the only ones i've done for nova so i don't really know where the changes are coming form01:18
bknudsonjamielennox: yes... but it's always been broken. The server is expected to return objects with the "id" set, and test_create doesn't simulate it.01:18
kfox1111the patch is against trunk. juno's api.py is quite a bit different then trunk's api.py.01:19
kfox1111I could spend a few days and try and unwind it all, but it still might not work.01:19
jamielennoxkfox1111: ok, it probably requires a more recent keystoneclient than was available at juno release timeframe as well if you're limited there too01:19
bknudsonkfox1111: are you putting the service users in the 'default' domain?01:20
kfox1111no other choice with v2 api.01:20
bknudsonhorizon doesn't support logging in with a user in a different domain?01:20
kfox1111cant use v3 with nova+neutron. :/01:20
jamielennoxbknudson: i thought that was what new_ref did, it always had a 'id' field set and for the req_ref it was popping the id - so that the return value from the request was exactly the same plus id01:20
kfox1111yeah, I think we're going to have to wait for kilo on this one. :/01:21
bknudsonjamielennox: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/tests/v3/utils.py#n21101:21
kfox1111This particular cloud's a 6 month pilot, so its not the end of the world.01:22
kfox1111After the pilots over, we can burn it, then stand up a kilo with domains.01:22
bknudsonso with the latest change you can pass req_ref and you'll get an entity with .id....01:23
bknudsonbut then it does self.assertEntityRequestBodyIs(req_ref) -- this is wrong...01:23
bknudsonbecause the request doesn't have "id".01:23
jamielennoxbknudson: that bit's ok because you're testing request body and it shouldn't have id01:23
jamielennoxit's the response that should have it01:24
*** lhcheng has quit IRC01:24
jamielennoxbknudson: so all that stub_url stuff made sense when i was trying to smooth over the warts of httpretty, i'd almost prefer to just do it directly with requests-mock now01:24
*** tellesnobrega_ has joined #openstack-keystone01:25
jamielennoxi think it would be easier to understand01:25
bknudsonjamielennox: but it's not right -- you want the server to return "id", but the request doesn't have "id"... so self.assertEntityRequestBodyIs(req_ref) would assert that the request has "id"01:25
bknudsonthe request shouldn't have "id"01:25
jamielennoxreq_ref shouldn't have id01:26
jamielennoxreq_ref is the request dictionary so RequestBodyIs(req_ref) makes sense01:26
*** kfox1111 has quit IRC01:26
bknudsonself.stub_entity('POST', entity=req_ref, status_code=201) -- isn't req_ref going to be the server response?01:27
jamielennoxthe problem would appear to be passing entity=req_ref01:27
jamielennoxi think that should be entity=ref01:27
jamielennoxthat's what01:28
jamielennox            req_ref = ref.copy()01:28
jamielennox            req_ref.pop('id')01:28
bknudsonthat makes more sense.01:28
jamielennoxis doing01:28
jamielennoxthe request ref is the same as the returned ref minus the id field01:28
bknudsonlet me try that out.01:28
bknudsoneverything broke: NoMockAddress: No mock address: GET http://127.0.0.1:5000/v3/credentials/bd85178be8854d69aabe7cd74ae3136901:30
*** openstack has joined #openstack-keystone01:32
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Hierarchical multitenancy basic calls  https://review.openstack.org/11577001:35
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids  https://review.openstack.org/15007801:35
rodrigodsbknudson, ^ had to follow your refactoring suggestion :)01:35
bknudsonrodrigods: great... let me see if I can figure out what the deal is with test_create.01:36
rodrigodsbknudson, lots of pops and .copy() there01:37
rodrigodshard to follow sometimes01:37
bknudsonrodrigods: it's wrong... the server is expected to return an object with "id" in it, so you shouldn't have had to set project.id.01:38
rodrigodsbknudson, yeah... I thought that after a comment in our patch01:39
rodrigodsyour comment, actually01:39
morganfainbergbug 126008001:40
openstackbug 1260080 in OpenStack Security Advisory "[OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237)" [High,Fix released] https://launchpad.net/bugs/1260080 - Assigned to Tristan Cacqueray (tristan-cacqueray)01:40
TempLPBugBotbug 1260080 in OpenStack Security Advisory "[OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237)" (affected: 1, heat: 262) [High,Fix released] https://launchpad.net/bugs/1260080 - Assigned to Tristan Cacqueray (tristan-cacqueray)01:40
morganfainbergawesome temp bug bot gets to die01:40
*** TempLPBugBot has quit IRC01:41
*** abhirc has joined #openstack-keystone01:44
*** markvoelker has joined #openstack-keystone01:44
*** alex_xu has quit IRC01:44
*** alex_xu has joined #openstack-keystone01:46
*** alex_xu has quit IRC01:48
*** r-daneel has quit IRC01:51
bknudsonwell, I'm not going to be able to figure this out today... maybe tomorrow.01:51
*** rwsu is now known as rwsu-afk01:53
*** nellysmitt has joined #openstack-keystone01:56
*** nellysmitt has quit IRC02:00
openstackgerritwanghong proposed openstack/keystone-specs: implement timestamp for Project, Domain, Role  https://review.openstack.org/15311402:01
*** erkules_ has joined #openstack-keystone02:09
*** erkules has quit IRC02:12
*** davechen_ has joined #openstack-keystone02:18
*** _cjones_ has quit IRC02:25
*** _cjones_ has joined #openstack-keystone02:26
openstackgerritMerged openstack/oslo.policy: Add entry points for option discovery  https://review.openstack.org/15309002:26
*** _cjones_ has quit IRC02:30
*** tqtran has quit IRC02:30
*** ajayaa has joined #openstack-keystone02:36
openstackgerritwanghong proposed openstack/keystone-specs: implement timestamp for Project, Role  https://review.openstack.org/15311402:40
*** harlowja is now known as harlowja_away02:48
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Privatize parsing classes  https://review.openstack.org/15314902:50
*** spandhe has quit IRC02:51
*** nellysmitt has joined #openstack-keystone03:02
*** ajayaa has quit IRC03:02
*** nellysmitt has quit IRC03:06
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Make use of private modules  https://review.openstack.org/15331003:14
*** dims__ has quit IRC03:15
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Do not use global enforcer for tests  https://review.openstack.org/15332103:17
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Stop shouting test attribute names  https://review.openstack.org/15332203:18
*** ljfisher has joined #openstack-keystone03:18
*** avozza is now known as zz_avozza03:29
*** r-daneel has joined #openstack-keystone03:31
*** r-daneel has quit IRC03:35
*** mattfarina has joined #openstack-keystone03:40
*** lhcheng has joined #openstack-keystone03:44
*** r-daneel has joined #openstack-keystone03:50
*** samueldmq_ has quit IRC03:52
*** richm has quit IRC03:52
*** dobson has quit IRC04:04
*** lvh has quit IRC04:04
*** tellesnobrega_ has quit IRC04:07
*** lvh has joined #openstack-keystone04:09
*** dobson has joined #openstack-keystone04:16
*** dobson has quit IRC04:22
*** lhcheng has quit IRC04:26
*** zz_avozza is now known as avozza04:27
*** topol has quit IRC04:32
*** avozza is now known as zz_avozza04:37
*** EmilienM|afk has quit IRC04:45
*** EmilienM has joined #openstack-keystone04:46
openstackgerritMerged openstack/keystone-specs: Provide option to disable storing of extra attributes in SQL  https://review.openstack.org/15193904:47
*** mattfarina has quit IRC04:51
*** zzzeek has quit IRC04:58
*** spandhe has joined #openstack-keystone05:05
*** ChanServ changes topic to "Release Blockers: https://gist.github.com/dolph/651c6a1748f69637abd0 | Kilo Spec Proposal Freeze Has Passed | Client/Middleware Next release planned for Feb 9th, please review code."05:05
*** nellysmitt has joined #openstack-keystone05:06
*** jimbaker has quit IRC05:10
*** nellysmitt has quit IRC05:11
*** jimbaker has joined #openstack-keystone05:14
*** jimbaker has quit IRC05:14
*** jimbaker has joined #openstack-keystone05:14
*** _cjones_ has joined #openstack-keystone05:26
*** _cjones_ has quit IRC05:32
*** ajayaa has joined #openstack-keystone05:33
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Make use of private modules  https://review.openstack.org/15331005:38
*** harlowja_away has quit IRC05:38
*** ljfisher has quit IRC05:38
*** ljfisher has joined #openstack-keystone05:40
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Do not use global enforcer for tests  https://review.openstack.org/15332105:41
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Stop shouting test attribute names  https://review.openstack.org/15332205:43
*** jasondotstar has quit IRC05:43
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15279506:04
morganfainbergstevemar, dstanek, bknudson, https://review.openstack.org/#/c/153114/4/specs/kilo/model-timestamps.rst this should be something we support [it's been on the "nice to haves" for a looong time]06:16
morganfainbergand is a relatively small changeset.06:16
morganfainbergcode wise.06:16
morganfainbergsince oslo.db already supports it.06:16
*** spandhe has quit IRC06:17
*** gsilvis has quit IRC06:18
*** gsilvis has joined #openstack-keystone06:19
*** dobson has joined #openstack-keystone06:23
*** ljfisher has quit IRC06:23
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Stop shouting test attribute names  https://review.openstack.org/15332206:27
*** rushiagr_away is now known as rushiagr06:29
*** xxj has quit IRC06:29
*** xxj has joined #openstack-keystone06:30
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Remove oslo.concurrency from requirements  https://review.openstack.org/15348006:31
*** dobson has quit IRC06:33
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Sync test-requirements with global requirements  https://review.openstack.org/15348106:34
*** openstackgerrit has quit IRC06:35
*** openstackgerrit has joined #openstack-keystone06:35
*** tsufiev_ is now known as tsufiev06:37
*** dobson has joined #openstack-keystone06:38
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Upgrade hacking to >=0.10.0  https://review.openstack.org/15348206:43
*** dobson has quit IRC06:45
*** dobson has joined #openstack-keystone06:48
stevemarmorganfainberg, yeah that one looks fine, though i don't like the fact that we are apparently losing domains :)06:49
morganfainbergstevemar, we're not "losing domains"06:49
morganfainbergor you mean in that spec?06:49
stevemari mean06:50
*** pnavarro has joined #openstack-keystone06:50
stevemarAccording to the reseller spec[2], the Domain model will be removed, so this2506:50
stevemarspec only implements timestamp for Project and Role.06:50
morganfainbergso lets fixed that verbiage06:51
morganfainberglets fix*06:51
ajayaamorganfainberg, I saw your -2 on https://review.openstack.org/#/c/148521/. The reason for this is clear. I was hoping to get some comments on the spec itself.06:51
stevemarwhats the difference between `python setup.py test` vs `python setup.py testr`06:52
morganfainbergdunno06:52
ajayaamorganfainberg, We are working on a POC of this idea.06:52
morganfainbergajayaa, sure! if it doesn't land in kilo it might be ready for L. but i am open to any of the specs that got the SPF -2 to request an exception for inclusion into kilo06:53
morganfainbergajayaa, just send a message to the dev list with that request (include [keystone] in the subject)06:53
morganfainbergajayaa, but the idea is to limit the scope of kilo to what we can accomplish and at this point we have limited time until feature freeze (m3)06:53
ajayaamorganfainberg, I don't think it will lend on kilo because it is dependent on something which is not ready yet.06:54
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Remove oslo.concurrency from requirements  https://review.openstack.org/15348006:54
morganfainbergajayaa, sounds good then i'll look for it in L :) and i'm interested to the POC as you get it done06:54
ajayaaJust few comments on the spec would be helpful.06:54
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Sync test-requirements with global requirements  https://review.openstack.org/15348106:54
ajayaamorganfainberg, thanks.06:54
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Upgrade hacking to >=0.10.0  https://review.openstack.org/15348206:54
morganfainbergmost of my comments are around NoSQL doesn't eliminate the single-point-of-failure06:55
morganfainbergbut i am open to a NoSQL driver06:55
morganfainbergi only caution you that mongodb (if that is your choice) has licensing oddities that makes it hard to use in some cases06:56
ajayaaThanks. We are hoping that we will push for NoSql driver in all the components. That's the long term plan.06:56
ajayaanope. Dynamodb like api on top of cassandra.06:56
morganfainbergapache2?06:56
ajayaaThere is stackforge project MagnetoDB.06:56
ajayaaYes.06:56
morganfainbergthat's an easy license to know is compatible06:56
morganfainbergawesome06:56
*** afazekas has joined #openstack-keystone06:57
ajayaahttps://github.com/stackforge/magnetodb06:57
ajayaamorganfainberg ^^06:57
morganfainbergwhen people say NoSQL often they mean mongo which is why called it out specifically06:57
morganfainbergyeah i'm familiar with magnetodb :)06:57
morganfainbergits definitely interesting06:57
*** r-daneel has quit IRC06:57
ajayaaThe idea is to have a generic api layer which colud be backed by any NoSql driver.06:57
ajayaaThanks for the encouraging words.06:58
ajayaa*NoSql database06:58
morganfainbergstevemar, if we fix that minor verbiage thing for that model thing mind +2ing it tonight?06:59
morganfainbergstevemar, like if i push the sentence change in a minute or two?06:59
stevemarmorganfainberg, i'd be fine with that06:59
morganfainbergi think that is a relatively uncontroversial spec to add for kilo (but i want to get it in before the deadline)06:59
stevemari wanted to also fix up some links, but that can be an add-on spec07:00
stevemarerr add-on patch07:00
morganfainbergif you have fixes reeady07:00
stevemari dont07:00
stevemarotherwise, i like the spec, and i trust wanghong to get it all in07:00
morganfainbergok will fix that in a couple minutes07:01
stevemarmorganfainberg, i'm adding a few last nits if you want to fix them07:01
*** josecastroleon has joined #openstack-keystone07:01
morganfainbergk07:01
morganfainberggit review -d 15311407:06
morganfainbergwhoopose wrong window07:06
*** henrynash has joined #openstack-keystone07:06
*** ChanServ sets mode: +v henrynash07:06
*** nellysmitt has joined #openstack-keystone07:07
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: implement timestamp for Project, Role  https://review.openstack.org/15311407:09
morganfainbergstevemar, ^^07:10
stevemari'll git review you!07:10
*** chlong has quit IRC07:12
*** nellysmitt has quit IRC07:12
*** chlong has joined #openstack-keystone07:13
*** afazekas has quit IRC07:20
openstackgerritMerged openstack/keystone-specs: implement timestamp for Project, Role  https://review.openstack.org/15311407:21
openstackgerritMerged openstack/keystone-specs: API changes for explicit unscoped  https://review.openstack.org/14351507:22
*** mzbik has joined #openstack-keystone07:26
*** lufix has joined #openstack-keystone07:32
*** pnavarro has quit IRC07:33
*** ncoghlan has quit IRC07:43
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15279507:47
*** nkinder has joined #openstack-keystone07:56
*** henrynash has quit IRC07:57
wanghongmorganfainberg, stevemar, I was in a meeting... Thanks!:)08:02
morganfainbergwanghong, no worries :)08:02
stevemarwanghong, np08:02
morganfainbergit was minor changes, happy to get that in for ya08:03
wanghongyeah. My first bp, although it is easy. :)08:06
*** jaosorior has joined #openstack-keystone08:06
*** markvoelker has quit IRC08:12
*** markvoelker has joined #openstack-keystone08:13
*** nellysmitt has joined #openstack-keystone08:15
*** markvoelker has quit IRC08:18
*** andreaf has quit IRC08:20
*** andreaf has joined #openstack-keystone08:20
*** lufix has quit IRC08:22
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Address style and formatting comments from 153114  https://review.openstack.org/15348808:26
stevemarmorganfainberg, ^08:26
stevemarfastest review ever08:27
*** erkules_ is now known as erkules08:29
*** karimb has joined #openstack-keystone08:31
stevemarmorganfainberg, last request https://review.openstack.org/#/c/152018/08:32
stevemarnow i'm off to sleep08:32
morganfainbergstevemar, see clark's comment?08:32
stevemarmorganfainberg, yeah, i was hoping you had a better descrip08:32
morganfainbergahaha08:33
morganfainbergok08:33
stevemari've been thinking about it for a day or two08:33
stevemari'm coming up short08:33
*** henrynash has joined #openstack-keystone08:36
*** ChanServ sets mode: +v henrynash08:36
*** stevemar has quit IRC08:39
*** markvoelker has joined #openstack-keystone08:44
*** zz_avozza is now known as avozza08:44
*** markvoelker has quit IRC08:51
*** nkinder has quit IRC08:52
*** chlong has quit IRC08:53
*** nkinder has joined #openstack-keystone08:55
*** amerine_ has joined #openstack-keystone08:59
*** amerine has quit IRC09:00
*** henrynash has quit IRC09:19
*** andreaf has quit IRC09:28
*** andreaf has joined #openstack-keystone09:29
*** davechen_ has quit IRC09:29
*** nkinder has quit IRC09:33
openstackgerritwanghong proposed openstack/keystone: use tokens returned by delete_tokens to invalidate cache  https://review.openstack.org/15350109:33
*** henrynash has joined #openstack-keystone09:37
*** ChanServ sets mode: +v henrynash09:37
openstackgerritBob Thyne proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/15329609:43
*** markvoelker has joined #openstack-keystone09:46
openstackgerritBob Thyne proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/15329609:47
*** nkinder has joined #openstack-keystone09:50
*** markvoelker has quit IRC09:51
*** henrynash has quit IRC09:51
*** henrynash has joined #openstack-keystone09:51
*** ChanServ sets mode: +v henrynash09:51
*** raildo has quit IRC09:53
*** henrynash has quit IRC09:59
*** dobson has quit IRC10:04
*** raildo has joined #openstack-keystone10:06
*** chlong has joined #openstack-keystone10:08
*** kibutzz has joined #openstack-keystone10:09
*** avozza is now known as zz_avozza10:13
*** aix has joined #openstack-keystone10:16
*** tellesnobrega_ has joined #openstack-keystone10:18
*** tellesnobrega_ has quit IRC10:28
*** zz_avozza is now known as avozza10:31
*** avozza is now known as zz_avozza10:34
*** nkinder has quit IRC10:36
*** tellesnobrega_ has joined #openstack-keystone10:37
*** tellesnobrega_ has quit IRC10:45
*** markvoelker has joined #openstack-keystone10:47
*** markvoelker has quit IRC10:52
*** dims__ has joined #openstack-keystone10:54
*** Tahmina has joined #openstack-keystone11:18
*** henrynash has joined #openstack-keystone11:32
*** ChanServ sets mode: +v henrynash11:32
*** zigo has quit IRC11:42
*** markvoelker has joined #openstack-keystone11:48
*** henrynash has quit IRC11:53
*** henrynash has joined #openstack-keystone11:54
*** ChanServ sets mode: +v henrynash11:54
*** markvoelker has quit IRC11:54
*** mzbik_ has joined #openstack-keystone11:54
*** nkinder has joined #openstack-keystone11:55
*** mzbik has quit IRC11:57
openstackgerrithenry-nash proposed openstack/keystone: My First ABAC: An example alternative assignment engine  https://review.openstack.org/14355711:58
*** henrynash has quit IRC12:00
*** henrynash has joined #openstack-keystone12:01
*** ChanServ sets mode: +v henrynash12:01
*** nellysmi_ has joined #openstack-keystone12:04
*** nellysmitt has quit IRC12:06
*** d34dh0r53 has quit IRC12:06
*** d34dh0r53 has joined #openstack-keystone12:08
*** xxj has quit IRC12:09
*** junhongl has quit IRC12:09
*** wpf1 has quit IRC12:09
*** alex_xu has joined #openstack-keystone12:09
*** breton__ has joined #openstack-keystone12:13
*** karimb has quit IRC12:19
*** esmute has quit IRC12:19
*** therve has quit IRC12:19
*** dougwig has quit IRC12:19
*** breton has quit IRC12:19
*** comstud has quit IRC12:19
*** dtroyer has quit IRC12:19
*** cyeoh has quit IRC12:19
*** mgagne has quit IRC12:19
*** aslaen has quit IRC12:19
*** esmute has joined #openstack-keystone12:20
*** therve has joined #openstack-keystone12:20
*** dougwig has joined #openstack-keystone12:20
*** comstud has joined #openstack-keystone12:20
*** dtroyer has joined #openstack-keystone12:20
*** cyeoh has joined #openstack-keystone12:20
*** mgagne has joined #openstack-keystone12:20
*** aslaen has joined #openstack-keystone12:20
*** karimb has joined #openstack-keystone12:21
openstackgerrithenry-nash proposed openstack/keystone: Allow use of our test fixtures with alternate assignment models  https://review.openstack.org/15353512:27
*** henrynash has quit IRC12:28
*** kromanenko has joined #openstack-keystone12:29
*** breton__ is now known as breton12:44
*** MasterPiece has joined #openstack-keystone12:47
*** markvoelker has joined #openstack-keystone12:50
*** markvoelker has quit IRC12:54
*** markvoelker has joined #openstack-keystone13:04
*** topol has joined #openstack-keystone13:05
*** ChanServ sets mode: +v topol13:05
*** pnavarro has joined #openstack-keystone13:06
*** rushiagr is now known as rushiagr_away13:10
*** dims__ has quit IRC13:17
*** dims_ has joined #openstack-keystone13:25
*** bknudson has quit IRC13:28
*** karimb has quit IRC13:33
*** henrynash has joined #openstack-keystone13:37
*** ChanServ sets mode: +v henrynash13:37
*** MasterPiece has quit IRC13:38
*** gordc has joined #openstack-keystone13:40
*** pnavarro has quit IRC13:44
samueldmqmorning13:48
samueldmqhenrynash, hi13:48
henrynashsamueldmq: hi13:48
samueldmqhenrynash, so the rest of the work on assignment backend will stay for k3 (list assignments refctoring, metadata removal, etc ) ..13:49
henrynashsamueldmq: yes13:49
samueldmqhenrynash, I was wondering something about grants vs role_assignmetns apis13:49
samueldmqhenrynash, do you have a minute (or two ) ?13:49
*** rushiagr_away is now known as rushiagr13:50
henrynashsamueldmq: actually…not right now….but if you have some ideas….you feel free to email me and I’ll respond...13:50
henrynashsamueldmq:…and am reviewing the list_role_assignemtns change to data as well13:51
samueldmqhenrynash, great! will do, thanks13:51
*** nkinder has quit IRC13:51
*** henrynash has quit IRC13:52
*** mzbik_ has quit IRC13:54
*** andreaf has quit IRC13:56
*** andreaf has joined #openstack-keystone13:57
*** nkinder has joined #openstack-keystone14:02
*** richm has joined #openstack-keystone14:03
*** jaosorior has quit IRC14:06
*** bjornar has quit IRC14:07
*** ajayaa has quit IRC14:10
*** radez_g0n3 is now known as radez14:11
*** topol has quit IRC14:11
*** henrynash has joined #openstack-keystone14:14
*** ChanServ sets mode: +v henrynash14:14
*** rm_work|away is now known as rm_work14:17
*** joesavak has joined #openstack-keystone14:20
*** obutenko has joined #openstack-keystone14:25
*** bjornar has joined #openstack-keystone14:29
*** amakarov_away is now known as amakarov14:29
*** Ctina_ has joined #openstack-keystone14:31
*** mattfarina has joined #openstack-keystone14:32
openstackgerrithenry-nash proposed openstack/keystone: Fix places where role API calls still called assignment_api  https://review.openstack.org/15358014:34
*** bknudson has joined #openstack-keystone14:39
*** ChanServ sets mode: +v bknudson14:39
*** Tahmina has quit IRC14:49
*** henrynash has quit IRC14:52
*** alex_xu has quit IRC14:52
*** xu_alex has joined #openstack-keystone14:53
*** r-daneel has joined #openstack-keystone15:03
*** ajayaa has joined #openstack-keystone15:05
*** rushiagr is now known as rushiagr_away15:15
openstackgerritAlistair Coles proposed openstack/keystonemiddleware: Delay denial when service token is invalid  https://review.openstack.org/15324715:16
*** stevemar has joined #openstack-keystone15:17
*** ChanServ sets mode: +v stevemar15:17
*** timcline has joined #openstack-keystone15:20
*** topol has joined #openstack-keystone15:28
*** ChanServ sets mode: +v topol15:28
*** kromanenko has quit IRC15:29
*** jaosorior has joined #openstack-keystone15:31
*** nkinder has quit IRC15:34
*** nkinder has joined #openstack-keystone15:36
*** davidckennedy has joined #openstack-keystone15:40
davidckennedyHello, I've run into an issue setting up ssl for my dev machine.  I run keystone-manage ssl_setup and so forth, then making requests via the keystone client I can set up projects etc.15:42
davidckennedyBut sample_data.sh won't succeed because of subjectAltName warnings in the keystone responses.15:42
davidckennedyIt seems that the subjectAltName is not present in the certs and python doesn't like it - see something along these lines in https://github.com/shazow/urllib3/issues/52315:44
davidckennedyanybody encountered this?15:44
*** lnxnut has joined #openstack-keystone15:54
*** ljfisher has joined #openstack-keystone16:01
*** jorge_munoz has quit IRC16:04
*** kfox1111 has joined #openstack-keystone16:06
*** jorge_munoz has joined #openstack-keystone16:06
kfox1111question. If your primarily using the v2 api everywhere but you use v3 to add a group to a user and a role to a project on the group, does loging in and using nova via the v2 api honor the group permission?16:07
*** david-lyle_afk is now known as david-lyle16:07
bknudsonkfox1111: it should.16:21
*** openstackgerrit has quit IRC16:21
*** openstackgerrit has joined #openstack-keystone16:21
bknudsonif it didn't then that would be a bug.16:22
*** thedodd has joined #openstack-keystone16:25
*** MasterPieceF has joined #openstack-keystone16:26
*** nkinder has quit IRC16:31
morganfainbergUnless the user is v316:32
morganfainbergAnd not in the default domain.16:33
morganfainbergSince v316:33
morganfainbergErm v2 cannot work outside the default domain.16:33
*** nkinder has joined #openstack-keystone16:33
*** dims_ is now known as dimsum__16:39
* stevemar forgot to log into vpn until now16:40
stevemarit's weird when making sure your irc client is up and running is higher priority16:40
*** zzzeek has joined #openstack-keystone16:42
morganfainbergstevemar: hahaha16:42
raildostevemar, can you help me to make this API calls as experimental? https://review.openstack.org/#/c/153007/ what I have to do?16:45
stevemarraildo, commenting now16:46
raildostevemar, thanks :)16:47
stevemarraildo, i think it's fine for now, we can update https://review.openstack.org/#/c/146793/ when that is merged16:48
stevemarwe still don't have a set way of marking things experimental yet16:49
*** dhellmann_ has quit IRC16:53
*** dhellmann_ has joined #openstack-keystone16:54
raildostevemar, ok, I'll follow this patch, just to stay attention with this. thanks16:54
*** dhellmann_ has quit IRC16:56
*** josecastroleon has quit IRC16:57
*** dhellmann_ has joined #openstack-keystone16:57
*** BAKfr has quit IRC16:58
*** dhellmann_ has quit IRC16:59
*** dhellmann_ has joined #openstack-keystone16:59
*** BAKfr has joined #openstack-keystone17:01
kfox1111bknudson: cool. thanks.17:02
*** davidckennedy has quit IRC17:05
*** lhcheng has joined #openstack-keystone17:06
*** thedodd has quit IRC17:06
*** thedodd has joined #openstack-keystone17:09
*** rwsu-afk is now known as rwsu17:09
morganfainbergstevemar, bknudson, topol, dstanek , ayoung , jamielennox: http://logs.openstack.org/26/153426/2/gate/gate-tempest-dsvm-nova-v21-full/c80cf2c//logs/apache/keystone.txt.gz#_2015-02-06_15_27_17_988 we have a bug17:11
morganfainbergon creation of the default role17:11
morganfainbergit can race17:11
bknudsonI think the way we handle this in other places is to catch the conflict exception and ignore it.17:12
morganfainbergbknudson, yeah simple bug17:12
morganfainbergjust we're missing the try/except17:12
bknudsonthis isn't new code is it?17:12
bknudsonI think dolphm had a similar change in review...17:12
morganfainbergi think dolphm fixed it to create the role based on the config17:13
morganfainbergor that review was up17:13
morganfainbergbknudson, yes17:13
morganfainbergbewfore it was *always* creating a randome uuid not a fixed uuid17:13
morganfainbergfor the default role17:13
morganfainbergalso turns out we weren't indexing keystone logs from apache :(17:14
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Recursive deletion and project disabling  https://review.openstack.org/14873017:14
kfox1111is the neutron + nova thing considered a bug and thus immune from feature freeze?17:16
morganfainbergkfox1111, i'll argue it is not a feature where needed17:16
morganfainbergkfox1111, and a bug fix17:17
morganfainbergbut it might need that argument to happen17:17
*** abhirc has quit IRC17:17
kfox1111should someone request a feature freeze exception just to be on the safe side?17:17
morganfainbergjamielennox, what is the status of Nova + Neutron and Keystone V3?17:17
morganfainbergjamielennox, ^ CC [and are we going to need to push a FFE?]17:18
*** ajayaa has quit IRC17:19
*** nkinder has quit IRC17:19
openstackgerritMerged openstack/oslo.policy: Privatize parsing classes  https://review.openstack.org/15314917:19
morganfainbergbknudson, https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L256-L26117:19
morganfainbergbknudson, yep just need another try/except around it17:20
morganfainbergwe can race w/ many processes running17:20
morganfainbergit's causing some gate failures17:20
*** raildo has quit IRC17:20
*** rwsu has quit IRC17:20
bknudsonmorganfainberg: here's dolphm's change https://review.openstack.org/#/c/142897/ (not merged)17:21
morganfainbergbknudson, that doesnt' solve the issue17:21
morganfainbergbut it does mean the config is honored17:22
*** nicodemos has joined #openstack-keystone17:23
*** nkinder has joined #openstack-keystone17:23
*** dobson has joined #openstack-keystone17:24
*** raildo has joined #openstack-keystone17:24
*** _cjones_ has joined #openstack-keystone17:30
*** thedodd has quit IRC17:31
*** thedodd has joined #openstack-keystone17:31
*** ccard has joined #openstack-keystone17:33
ccardI'm investigating how to use our existing LDAP directory as the identity backend for keystone17:34
*** obutenko has quit IRC17:34
ccardI assume that I will have to add the internal openstack users (e.g. admin, cinder etc. which are currently returned by the keystone user-list command) to the directory for openstack to continue working - is that assumption correct?17:36
*** _cjones_ has quit IRC17:39
kfox1111if you don't use domains.17:39
kfox1111otherwise, you can have a domain for the services, and a domain for ldap users.17:39
*** _cjones_ has joined #openstack-keystone17:39
kfox1111though it doesnt work if your using neutron+nova at the moment. :/17:39
*** _cjones_ has quit IRC17:40
*** _cjones_ has joined #openstack-keystone17:41
morganfainbergbknudson, any reason this is not https://review.openstack.org/#/c/115770/30 going through yet?17:41
ccardkfox1111 I'll take a look at domains, thanks. But assuming I'm not using domains, can I make the [ldap] parameter user_objectclass blank and simply use the user_filter to ensure that the correct users are returned from LDAP?17:42
*** radez is now known as radez_g0n317:43
kfox1111I think I had to set user_objectclass. I haven't figured out exactly how user_filter works, but all examples I've found it was static.17:44
ccardkfox1111 The problem is that my existing LDAP users are in objectClass posixAccount which I can't see a way to make compatible with the service users17:44
kfox1111its just an initial filter to reduce the search space to a subset, and then it uses user_objectclass and... user_name_attribute I think to filter to the exact user.17:44
ccardso it doesn't include the objectclass and the username in the filter sent to LDAP then?17:45
kfox1111I think that should still work... let me thing...17:45
kfox1111it does sometimes I think...17:45
ccardI understand LDAP pretty well, but I'm new to openstack / keystone17:46
kfox1111hmm... can you use person instead?17:47
*** spandhe has joined #openstack-keystone17:47
openstackgerritLin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/14696217:47
kfox1111you can use uid for user_name_attribute then.17:47
ccardI can't change the objectclass used for the existing users, and I want to have them included in the keystone user-list output17:47
*** amakarov is now known as amakarov_away17:48
*** nkinder has quit IRC17:48
kfox1111posixaccount doens't have usernames though... just uid/gid stuff.17:48
kfox1111what all object classes do the existing users have?17:49
*** rwsu has joined #openstack-keystone17:49
ccardI could make the service users have posixAccount and (say) person, but then I'd have to add the compulsory posixAccount attributes (uidNumber, gidNumber, homeDirectory)17:49
ccardthe existing users are in posixAccount, account, ldapPublicKey and shadowAccount17:50
kfox1111yeah. that would work I think.17:50
kfox1111hmm... havent seen account before...17:50
ccardit would probably work, but I've no idea what values to give to those compulsory attributes. Maybe it doesn't matter though17:50
ccardcosine.ldif:olcObjectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCT17:51
ccardcosine.ldif- URAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationNam17:51
ccardcosine.ldif- e $ organizationalUnitName $ host ) )17:51
ccard(sorry, a bit garbled)17:52
kfox1111keystone's not going to use uid/gid/home. so probably doesn't matter.17:52
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300717:52
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Recursive deletion and project disabling  https://review.openstack.org/14873017:52
kfox1111ah. so http://www.zytrax.com/books/ldap/ape/cosine.html#account17:52
ccardit might confuse other things though17:53
kfox1111so account userid is the string used as the login name to the system?17:53
ccardI'm not sure why it's there to be honest, but I can't change it. We only use the userid attribute, which is an alias for uid anyway17:54
ccardas far as I can see17:54
kfox1111hmm... I thought uid was a person property. guess not.17:55
ccardI'll try going with posixAccount for now, though it seems a bit messy17:55
kfox1111k.17:55
rodrigodsmorganfainberg, think that client change hasn't received +A because both henrynash and bknudson are from the same company, otherwise I believe it is ready17:56
kfox1111I think you might be able to use account, and set17:56
morganfainbergrodrigods, figured it looks good to me17:56
morganfainbergbut i wanted to check before +A17:56
kfox1111user_name_attribute to userid17:57
rodrigodsmorganfainberg, cool17:57
kfox1111and user_id_attribute to cn17:57
ccardand set user_objectclass to account, yes that might work17:57
kfox1111yeah.17:58
ccardexcept account doesn't have cn :(18:00
*** dobson has quit IRC18:00
ekarlsojamielennox: did you ever come up with a solution for the experimental stuff ?18:01
kfox1111hmm...18:01
ccardback to posixAccount ...18:02
kfox1111how about commonName?18:02
kfox1111does that map back to cn?18:02
kfox1111says its a may contain.18:02
kfox1111really, you might just be able to use userid for both fields.18:03
*** gyee has joined #openstack-keystone18:03
*** ChanServ sets mode: +v gyee18:03
kfox1111so long as your using a recent enough keystone to do id mapping.18:03
ccardwe're on juno at the moment18:05
*** thedodd has quit IRC18:06
kfox1111that should work.18:07
kfox1111I think.18:07
kfox1111it uses a sha of the id property as the uuid.18:08
kfox1111so, so long as the id property is unique, I think its ok.18:08
rodrigodsmorganfainberg, thinking about the API changes for reseller, are we going to return project objects in list_domains? Or we wrap the project fields in the domain object?18:11
*** dobson has joined #openstack-keystone18:12
*** harlowja has joined #openstack-keystone18:15
*** dobson has quit IRC18:27
*** _cjones_ has quit IRC18:32
*** _cjones_ has joined #openstack-keystone18:33
*** _cjones_ has quit IRC18:37
bknudsonmorganfainberg: I didn't approve it because I was the only +2.18:38
bknudsonI don't know why henrynash didn't approve it... maybe because jamielennox had comments on a previous patch set?18:38
*** dobson has joined #openstack-keystone18:39
openstackgerritEndre Karlson proposed openstack/python-keystoneclient: Allow for other then STABLE api version  https://review.openstack.org/13015918:44
*** _cjones_ has joined #openstack-keystone18:44
*** _cjones_ has quit IRC18:46
*** _cjones_ has joined #openstack-keystone18:46
dolphmprotip: if you recompile ApacheBench, it can handle PKI/Z tokens! sound familiar, morganfainberg ?18:47
*** mtreinish has joined #openstack-keystone18:51
*** abhirc has joined #openstack-keystone18:52
*** _cjones_ has quit IRC18:52
*** _cjones_ has joined #openstack-keystone18:53
morganfainbergdolphm: hmmmmmmm18:54
*** dobson has quit IRC18:54
lbragstadmorganfainberg: did you use apachebench with PKI tokens before?18:55
bretongyee: nice catch with the bug, left a comment there18:55
morganfainberglbragstad: maybe.18:55
gyeebreton, that's morganfainberg's catch18:55
morganfainbergI *think* I might have.18:55
gyeeI am just helping out :)18:55
*** _cjones_ has quit IRC18:57
openstackgerritguang-yee proposed openstack/keystone: fix a potential race condition with member role creation and assignment  https://review.openstack.org/15365418:57
bretonoh, ok ;)18:58
openstackgerritMatthew Treinish proposed openstack/keystone: Fix race on default role creation  https://review.openstack.org/15365618:58
*** _cjones_ has joined #openstack-keystone18:58
gyeemorganfainberg, breton, https://review.openstack.org/15365418:58
bretonand 15365618:58
*** dhellmann has quit IRC18:58
*** dhellmann_ is now known as dhellmann18:58
*** zz_avozza is now known as avozza18:59
gyeebreton, we need to handle both cases18:59
gyeeboth creation and assignment18:59
*** dhellmann_ has joined #openstack-keystone18:59
bretonI like gyee's patch and Matthew's description ;)19:00
gyeelemme combine :)19:00
*** dhellmann_ has quit IRC19:01
*** dhellmann_ has joined #openstack-keystone19:01
*** ljfisher has quit IRC19:02
bknudsonhttps://review.openstack.org/#/c/153656/ and https://review.openstack.org/#/c/153654/ are essentially the same change19:03
openstackgerritMatthew Treinish proposed openstack/keystone: Fix race on default role creation  https://review.openstack.org/15365619:03
*** mattfarina has quit IRC19:04
*** mattfarina has joined #openstack-keystone19:04
gyeebknudson, yeah, let me abandon mine19:04
samueldmqbknudson, and one is older than other by 1 minute19:04
gyeejust use Mathew's19:04
samueldmqgyee, great :)19:05
*** Ctina_ is now known as Ctina19:05
*** ljfisher has joined #openstack-keystone19:05
stevemarmorganfainberg, hey, what do you advise on this one: https://review.openstack.org/#/c/152659/19:07
stevemarbknudson, i could use your expertise on that one too, ^^^ for handling dependencies19:08
gyeebknudson, samueldmq, morganfainberg, breton, I am not sure that's the *right* fix as I think creating the __member__ role should be part of bootstrap19:09
*** _cjones_ has quit IRC19:09
*** dhellmann has quit IRC19:09
*** dhellmann_ is now known as dhellmann19:09
gyeedoing it as part of assignment seem inefficient19:09
*** _cjones_ has joined #openstack-keystone19:09
bknudsonit's a little late for bootstrapping now?19:10
bknudsonor are you saying add a migration?19:10
gyeeI mean create it once, at startup19:10
*** ajayaa has joined #openstack-keystone19:10
gyeeright, or migration19:10
*** thedodd has joined #openstack-keystone19:12
*** _cjones_ has quit IRC19:14
*** jaosorior has quit IRC19:16
*** nicodemos has quit IRC19:29
morganfainbergNot sure why it isn't a migration like default domain is.19:30
*** tqtran has joined #openstack-keystone19:31
*** avozza is now known as zz_avozza19:34
*** thedodd has quit IRC19:34
*** henrynash has joined #openstack-keystone19:38
*** ChanServ sets mode: +v henrynash19:38
*** _cjones_ has joined #openstack-keystone19:39
openstackgerritMerged openstack/pycadf: Use oslo namespaces  https://review.openstack.org/15280219:45
*** _cjones_ has quit IRC19:47
*** _cjones_ has joined #openstack-keystone19:48
openstackgerritMatthew Treinish proposed openstack/keystone: Fix race on default role creation  https://review.openstack.org/15365619:48
*** Ctina has quit IRC19:50
*** radez_g0n3 is now known as radez19:50
*** dobson has joined #openstack-keystone19:51
*** _cjones_ has quit IRC19:52
*** ctina has joined #openstack-keystone19:53
*** dobson has quit IRC19:55
*** ajayaa has quit IRC19:55
*** _cjones_ has joined #openstack-keystone19:57
*** ctina has left #openstack-keystone19:59
*** ctina has joined #openstack-keystone19:59
dolphmcongratulations to everyone at HP on that cloud thing http://www.theonion.com/video/hp-on-that-cloud-thing-that-everyone-else-is-talki,28789/20:00
*** thedodd has joined #openstack-keystone20:02
raildolol20:02
*** dobson has joined #openstack-keystone20:03
*** ctina has quit IRC20:05
morganfainberghaha20:06
*** rhbear has joined #openstack-keystone20:06
*** raildo has quit IRC20:07
ayoungmorganfainberg, do we have code for normalizing the service catalog, and converting between a V2 and V3 version?20:18
morganfainbergayoung, in middleware jamie does some of this20:18
morganfainbergv3 -> v220:18
morganfainbergspecifically20:18
*** dobson has quit IRC20:20
ayoungAh..but not the reverse20:24
bknudsonI think there's some v2 -> v3 token code in the server20:24
ayoungmorganfainberg, trying to treat both V2 and V3 the same...yukness20:24
ayoungbknudson, in the server they have access to the original service catalog20:24
ayoungI think we cheat there20:24
morganfainbergayoung most services assumed v2 catalog extraction20:25
rodrigodsmorganfainberg, bknudson, seems like it can be approved https://review.openstack.org/#/c/115770/ ?20:25
morganfainbergso jamielennox opted for v3 -> v220:25
ayoungBTW,  you guys reserved hotels for Vancouver yet?20:25
morganfainbergrodrigods, yes.20:25
morganfainbergayoung, nope. not yet20:25
lbragstadnot yet20:25
rodrigodsayoung, already?20:25
rodrigods:O20:25
morganfainbergayoung, but its on the list to do this weekend.20:25
ayoungrodrigods, hotel list came out20:25
ayounghttps://www.openstack.org/summit/vancouver-2015/hotels/20:25
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/catalog/core.py#n43120:25
rodrigodsayoung, great!20:26
*** nellysmi_ has quit IRC20:27
*** dobson has joined #openstack-keystone20:27
rodrigodsmorganfainberg, thx!20:28
boris-42morganfainberg: lol20:36
boris-42morganfainberg: hi there20:36
morganfainbergboris-42, hey20:36
boris-42morganfainberg: did you see my latest comment?20:36
boris-42morganfainberg: I am not sure where things start being unclear=)20:37
boris-42morganfainberg: maybe that "trace-id" is unique per point not per request?20:37
*** stevemar has quit IRC20:37
morganfainbergboris-42, that is not clear in the spec at all20:37
morganfainbergboris-42, i'm not the only one who missed that intention20:37
*** stevemar has joined #openstack-keystone20:38
*** ChanServ sets mode: +v stevemar20:38
boris-42morganfainberg: ah so if I say that it will be a bit more clear?)20:38
stevemarayoung, i think most ibmers will be at the delta vancouver suites20:38
ayoungstevemar, good to know20:38
morganfainbergboris-42, i think you could unified a single request id and utilize the file/lineno as the info of where the trace was called from20:38
ayoungyou in that group stevemar topol bknudson ?20:38
morganfainbergboris-42, that has the added benefit that you *could* avoid needing to capture everything such as the whole SQL query [which is part of the security issues that will prevent osprofiler from landing in keystone]20:39
boris-42morganfainberg: I don't need to capture whole SQL query20:40
morganfainbergboris-42, but you do at the moment20:40
morganfainbergas well as a lot of other info20:40
boris-42morganfainberg: because I think it's usefull information=)20:40
morganfainbergyou shouldn't be capturing the context, the sql query, etc20:40
boris-42morganfainberg: it depend on purpose20:40
morganfainbergwe shouldn't need to filter in every place someone is hooking into to prevent sensitive info from leaking20:40
boris-42morganfainberg:  if you are man that is tuning SQL request20:40
boris-42morganfainberg: it help a lot20:41
morganfainbergyou can look at the SQL-A debug for that20:41
stevemardolphm, oh man that was great20:41
morganfainbergyou don't need it in the profiler capture20:41
morganfainbergor you can look at the SQL-A lines called20:41
boris-42morganfainberg:  okay let me expalin full pictutrue20:41
morganfainbergboris-42, but let me be blunt, as long as you're capturing sensitive info explicitly, i'm -1 on osprofiler20:41
boris-42morganfainberg: I can just remove 1 line20:41
bknudsonayoung: yes, I'm at the delta ... it was in the tool we use.20:41
boris-42morganfainberg: that is doing that*20:42
*** dobson has quit IRC20:42
bknudsonand looked close enough20:42
boris-42morganfainberg: and it won't caputre sensitive data20:42
boris-42morganfainberg: or we can make it turned of by default and allow developer to turn it ON if they need that20:42
morganfainbergboris-42, as it stands osprofiler is a security hole20:42
boris-42morganfainberg: everything is security hole20:42
boris-42morganfainberg: getting access on only one compute node20:42
boris-42morganfainberg: and it's all20:43
morganfainbergthis one is leaking sensitive information outside by design20:43
boris-42morganfainberg: nope if you don't add point*20:43
boris-42morganfainberg: that leaks*20:43
boris-42morganfainberg: we can put only SQL request data without actually values20:43
boris-42morganfainberg: for example20:43
morganfainbergthe query often has information that is sensitive in it currently.20:43
boris-42morganfainberg: or at all remove that part20:44
morganfainberge.g. token ids.20:44
boris-42morganfainberg: nope it hasn't that20:44
boris-42morganfainberg: it has SQL token = %s20:44
boris-42morganfainberg: %s is not leaking20:44
boris-42anything imho20:44
boris-42until it is render20:44
morganfainbergboris-42, you're not capturing the actual query to the backend, it looks like you are20:44
morganfainberganyway20:44
boris-42morganfainberg: anyway what about request-id unfification?20:44
boris-42morganfainberg: I think it's not what I should work on imho20:44
boris-42agree disagree?20:45
morganfainbergboris-42, i think you have very little support for the profiler in the current state [based on the review]20:45
boris-42morganfainberg: it is already merged in few projects*20:45
morganfainbergboris-42, i can't tell you what you should work on/not work on though.20:45
boris-42morganfainberg:  some not important project=)20:46
morganfainbergboris-42, and i think you're going to have a hard time getting it into the other projects.20:46
boris-42morganfainberg: I have hard time since the beggign lon20:46
boris-42lol20:46
morganfainbergboris-42, it's because it has a lot of questions about it. i'd boil it down to bare-minimum20:46
morganfainbergand you can talk about the performance issues here20:47
morganfainbergwe're not taking this to a private channel20:47
morganfainbergit is well known there are performance issues in keystone and we are happy to talk about it.20:47
boris-42morganfainberg: what if some big cloud managers are reading this?)20:48
morganfainbergthen they know we're aware of it20:48
morganfainbergthis is the nature of opensource20:48
boris-42morganfainberg: ok20:48
morganfainbergmost of the big cloud managers *do* know there are performance issues in keystone20:48
boris-42morganfainberg: so do you remember I show some bad graphs to you in rally jobs in gates?20:49
morganfainbergmost of them are interested in seeing it solved.20:49
boris-42morganfainberg: https://review.openstack.org/#/c/136485/20:49
morganfainberglets be open about the issues [unless it's a direct security concern, today it is not]20:49
boris-42morganfainberg: ?20:49
boris-42morganfainberg: not sure that I get the last one=)20:49
boris-42morganfainberg: if it is not secure not interesting?)20:50
morganfainbergit was the reasoning behind why i want it in this channel20:50
morganfainbergnot private20:50
boris-42morganfainberg: ah ok20:50
morganfainbergopen and transparent20:50
boris-42morganfainberg: so it's not secure20:50
morganfainbergif it's security related we can rtake it private (e.g. exploits etc)20:50
morganfainbergthats all20:50
boris-42morganfainberg: just performance and DDOS by authenticate20:50
boris-42morganfainberg: http://logs.openstack.org/85/136485/3/check/gate-rally-dsvm-keystone/93012ee/rally-plot/results.html.gz20:50
boris-42morganfainberg:  so for some reason this stuff is happening even with memcahced driver under load20:50
morganfainbergso let me explain what i see as helping osprofiler land20:50
morganfainbergregardless of keystone's point20:51
boris-42morganfainberg: that will be super usefull20:51
morganfainbergand the memcache driver has a *ton* of housekeeping in it20:51
morganfainbergthat can be eliminated this cycle [i hope]20:51
*** andreaf has quit IRC20:51
morganfainbergalso look at the AEToken work lbragstad has been working on20:51
morganfainbergmuch much much much better performance20:51
morganfainberg~400% before caching20:51
morganfainbergand no token table bloat. we're working on those peices. they are a real concern20:52
morganfainbergso here is how i'd approach osprofiler20:52
morganfainbergthis is likely to help things land:20:52
morganfainbergmake osprofiler really do *very* basic profiling to start. seriously "started at place X, took time x" don't capture the extra data - quantify the overhead with profiling enabled or disabled.20:53
morganfainbergif you go with the babysteps it's easier to add more information in20:53
morganfainbergi'd look at the unique id generation - maybe it's a requestid + tracepoint ID20:53
boris-42morganfainberg: SO first point (not caputre too much) is super simple20:54
morganfainbergbut the goal is to make it easy to digest what it is capturing, what it is sending to the wire, and what the performance impact is per-tracepoint (roughly)20:54
morganfainbergboris-42, that will help you sell it imo20:54
boris-42morganfainberg: okay I will do that20:55
morganfainbergright now you're trying to do everything at once and 1) it's overwhelming20:55
boris-42morganfainberg: it's really simple (I mean whey you are speicfing point) you can send any info*20:55
morganfainbergand 2) there are questions on implementation because the impacts are unknown20:55
*** _cjones_ has quit IRC20:55
boris-42morganfainberg: okay let me rework the spec20:55
*** pnavarro has joined #openstack-keystone20:55
morganfainbergand specifcying specific tracepoints that should be starting should help20:55
*** htruta has quit IRC20:55
boris-42morganfainberg: in the baby step20:55
boris-42way20:55
morganfainbergso i'd pick 1 or 2 specific tracepoints (ignore oslo.db) and say thats where you want to start20:55
morganfainberge.g. controller / request layer20:56
morganfainbergand if you land the code / have landed in oslo.db that is another point20:56
boris-42morganfainberg: we shouldn't land in oslo.db tracing code*20:56
morganfainbergas you go further in you can get more tracepoints added, but people will be more comfortable20:56
boris-42morganfainberg: it creates dependency hells=)20:57
morganfainbergboris-42, maybe there should be a hook-point in oslo.db [optionally used?]20:57
boris-42morganfainberg: so it should be in the place where I added it20:57
boris-42morganfainberg: I spoke with oslo.db guys20:57
boris-42morganfainberg: they suggested that20:57
morganfainbergbut anyway, pick a specific starting point you want to profile from20:57
boris-42morganfainberg: so when we are getting engine20:57
morganfainbergthe biggest bang, which is probably the controller / wsgi layer20:57
boris-42morganfainberg: add one more handler20:57
morganfainbergso each request can be profiled20:57
boris-42morganfainberg: only if you know HMAC key20:58
morganfainbergthen you can work to add sub-parts of those requests20:58
morganfainbergboris-42, i'm talking about approach, i don't care about implementation20:58
boris-42morganfainberg: sure I will do it in very baby steps20:58
morganfainbergboris-42, i think that will make it much easier to sell the whole spec to the community20:58
boris-42morganfainberg: let me just update stuff & patches20:58
morganfainbergand it has the added bonus that you have a clear target to hit everywhere not just "where we stick tracepoints"20:59
morganfainbergthe unclear nature and general unease with knowing how many tracepoints / impact each tracepoint has is what led to the monkeypatch vs explicit traces vs other implementation options21:00
boris-42morganfainberg: ok I will rework that part, hope my new version of spec will address all comments21:01
morganfainbergboris-42, does that help you some? smaller steps are easier to argue merits/flaws with, and build upon it rather than trying to dump in a "fix everything at once" deal21:01
boris-42morganfainberg: heh actually I think that whole osprofiler is small tiny and very simple feature=)21:02
morganfainbergand realize it may prove that at scale the implementation eneds to change to monkeypatch or something else due to overhead - it might end up being the long view21:02
boris-42morganfainberg: maybe because I wrote it..21:02
morganfainbergboris-42, profiling is never a "small feature"21:02
morganfainberg;)21:02
boris-42=)21:02
boris-42morganfainberg: I hope some day I will get this done+)21:02
morganfainbergit has a lot of implications and can do things in bad ways e.g. capturing sensitive info, performance impacts that weren't seen21:02
morganfainbergand those two things scare folks21:03
morganfainbergand the only other comment, off by default21:03
morganfainbergopt-in21:03
morganfainbergdevstack can enable it by default but all projects should not be "on" by default.21:03
morganfainbergonce it's proven, that may warrant a change.21:04
boris-42morganfainberg: I am thinking about another stuff21:05
boris-42morganfainberg: making it disabled by default even in DevStack21:05
openstackgerritMerged openstack/python-keystoneclient: Hierarchical multitenancy basic calls  https://review.openstack.org/11577021:05
boris-42morganfainberg: adding argument PROFILING_ENABLED=TRUE/FALSE21:05
boris-42morganfainberg: if it is TRUE it sets all services21:05
openstackgerritSean Dague proposed openstack/keystone: wip: log wsgi requests at INFO level  https://review.openstack.org/15369221:06
morganfainbergboris-42, sure.21:10
*** pnavarro has quit IRC21:20
*** topol has quit IRC21:27
morganfainbergmtreinish, i bug bknudson, topol, or stevemar when it comes to db2 ci21:27
morganfainbergmtreinish, they know the right people21:28
mtreinishmorganfainberg: cool thanks21:28
morganfainbergmtreinish, it *should* also be on the 3rd party ci wiki21:28
mtreinishoh, yeah that's a thing21:29
mtreinishI always forget about that21:29
morganfainberggyee, tagging that fix from mtreinish for backport to Juno and Icehouse21:31
*** radez is now known as radez_g0n321:31
gyeenice21:32
morganfainbergit should be a clean cherry-pick21:33
morganfainbergas soon as it merges to master backports will be spun up21:33
gyeesounds good, you guys need help out on backporting?21:34
morganfainberggyee, if you do the back port i can +221:40
openstackgerritSean Dague proposed openstack/keystone: log wsgi requests at INFO level  https://review.openstack.org/15369221:41
*** henrynash has quit IRC21:41
gyeeyou got it man21:43
openstackgerritSean Dague proposed openstack/keystone: log wsgi requests at INFO level  https://review.openstack.org/15369221:48
morganfainberghey marekd, is the temperature from iron ions in the LHC accurate in this graph: http://i.imgur.com/iHW7Dwh.png ;)21:54
morganfainbergmarekd, 5,500,000,000,000C21:55
morganfainberg;)21:55
*** _cjones_ has joined #openstack-keystone21:55
*** spandhe has quit IRC21:58
*** _cjones_ has quit IRC21:59
*** _cjones_ has joined #openstack-keystone21:59
*** rhbear has quit IRC22:01
openstackgerritMerged openstack/keystone: Fix race on default role creation  https://review.openstack.org/15365622:02
*** mattfarina has quit IRC22:02
morganfainberggyee, ^^22:03
*** abhirc has quit IRC22:05
*** spandhe has joined #openstack-keystone22:05
stevemarmorganfainberg, tis but a hot day22:09
*** mattfarina has joined #openstack-keystone22:10
*** mattfarina has quit IRC22:10
*** zigo has joined #openstack-keystone22:11
*** joesavak has quit IRC22:13
*** bknudson has quit IRC22:13
*** gordc has quit IRC22:18
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Remove globals that were introduced for compatibility  https://review.openstack.org/15371422:18
*** MasterPieceF has quit IRC22:19
kfox1111is keystone ldap just too slow to throw a few hundred users at?22:19
gyeemorganfainberg, looks like juno does not do auto member role creation22:20
stevemarkfox1111, what do you mean by 'throw'?22:20
stevemarkfox1111, normally the issue is retrieving users from ldap, unless you have special paging permission then you are out of luck retrieving 1000s of users, it'll timeout22:21
kfox1111hmm.. stil tryingto get all services switched over, but things seem kind of slow.22:22
kfox1111just wondering if having so many users will cause problems.22:22
gyeeor return you the famous "Server is unwilling perform" error :)22:22
kfox1111I enabled paging and it seems to work.22:22
stevemarkfox1111, now that you mention it, i do recall it being a bit slower when i was backed by ldap22:23
kfox1111time cinder list took 20 seconds.22:23
stevemarkfox1111, try `keystone token-get`22:24
kfox1111I'm not sure if thats ldap related, or the fact I had services down for a while while switching ldap backend on, and maybe rabbits backed up or something.22:24
stevemarcinder list will basically do a token-get, then pass the token to cinder and perform the list, so you'll at least get a better picture of where the slow down is happening22:25
kfox1111ok. token-get only took like 1 second.22:25
stevemarweird22:25
kfox1111ok. maybe I try restarting rabbit....22:26
*** stevemar has quit IRC22:26
kfox1111cinder list 1 second after rabbit restart.22:27
kfox1111that must have been it.22:27
*** stevemar has joined #openstack-keystone22:27
*** ChanServ sets mode: +v stevemar22:27
*** nellysmitt has joined #openstack-keystone22:27
morganfainberggyee you sure22:28
morganfainberglooked like it did to me22:28
mtreinishmorganfainberg: I did a git blame before I wrote the patch, I think some of that was fairly recent22:29
morganfainberggyee, https://github.com/openstack/keystone/blob/stable/juno/keystone/assignment/core.py#L262-L27322:29
mtreinishoh, but that was something else, ignore me22:29
morganfainberggyee, and https://github.com/openstack/keystone/blob/stable/icehouse/keystone/assignment/core.py#L243-L25322:29
morganfainbergmtreinish, yeah henrynash did some massive restructuring in the code22:30
*** nellysmitt has quit IRC22:32
gyeemorganfainberg, oh, maybe I was staring at the wrong code22:33
gyeesecond round :)22:34
*** henrynash has joined #openstack-keystone22:34
*** ChanServ sets mode: +v henrynash22:34
*** lnxnut has quit IRC22:35
stevemarkfox1111, any luck?22:35
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917822:38
kfox1111yeah. I think i finally got it working. missed a username in nova's conf.22:38
*** abhirc has joined #openstack-keystone22:39
stevemarkfox1111, ah good, whats the time now, something sane?22:40
kfox1111another error... trying to add user a role on project UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 19: ordinal not in range(128)22:41
kfox1111nova list is still failing.... ERROR (CommandError): Invalid OpenStack Nova credentials.22:44
kfox1111I think that role thing may be a bug?22:46
openstackgerritSteve Martinelli proposed openstack/pycadf: Do not depend on endpoint id existing in the service catalog  https://review.openstack.org/10906022:46
kfox1111File "/usr/lib/python2.7/site-packages/keystone/identity/id_generators/sha256.py", line 27, in generate_public_ID22:46
openstackgerritPriti Desai proposed openstack/keystone: Fix for listing role assignments by project admin  https://review.openstack.org/15372322:46
*** joesavak has joined #openstack-keystone22:47
openstackgerritPriti Desai proposed openstack/keystone: Fix for listing role assignments by project admin  https://review.openstack.org/15372322:49
*** jsavak has joined #openstack-keystone22:49
kfox1111hmm... keystone user-list has the same exception.22:52
stevemarruh roh22:52
*** joesavak has quit IRC22:53
stevemarkfox1111, can you get any other info about the exception22:53
kfox1111sure. just a sec...22:53
kfox1111http://pastebin.com/XMkF5NPW22:54
kfox1111I'm guessing one of the ldap users has a funny character in its cn.22:54
*** tellesnobrega_ has joined #openstack-keystone22:54
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162322:54
*** wanghong has quit IRC22:54
*** wanghong has joined #openstack-keystone22:55
kfox1111ah... yeah... there's a group with 'Communiqué' in the name.22:57
stevemarthat'll do it22:58
kfox1111so.. thats a valid thing I guess. how do we fix that?23:00
stevemargood question :)23:00
kfox1111I was afraid of that. :)23:01
morganfainbergutf8 handling in python is a nightmare23:02
morganfainbergnot even utf823:02
morganfainbergmulti-byte characters23:03
stevemarwe need to figure out what exactly 'local_entity' is here: https://github.com/openstack/keystone/blob/c4c8d0b99a0404f4dcdb2f87c48fe15ee1526197/keystone/identity/mapping_backends/sql.py#L6623:03
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196223:04
*** jsavak has quit IRC23:09
kfox1111its: {'local_id': u'^PNNL T&Q Communiqu\xe9', 'domain_id': 'default', 'entity_type': 'user'}23:12
*** abhirc has quit IRC23:15
*** bknudson has joined #openstack-keystone23:25
*** ChanServ sets mode: +v bknudson23:25
*** thedodd has quit IRC23:25
*** hichtakk has joined #openstack-keystone23:30
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917823:31
stevemarkfox1111, oh nice, that looks super messed up23:31
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162323:32
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196223:32
kfox1111yeah...23:34
stevemarmorganfainberg, keystone default role is _member_ or Member?23:37
stevemargyee, bknudson ^ ?23:37
*** abhirc has joined #openstack-keystone23:37
mgagnestevemar: I wanna know the answer to that one, has been bothering me for months23:38
stevemari want to say _member_, since it's here in keystone.conf :) https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L72-L8023:38
mgagnestevemar: what about the one found in local_settings.py in Horizon? =)23:39
stevemarmgagne, it seems to match: https://github.com/openstack/horizon/blob/f112869e8b18d3c0835e75c9776b084a2fd2ca1b/openstack_dashboard/settings.py#L21323:40
kfox1111ok, filed bug: https://bugs.launchpad.net/keystone/+bug/141918723:42
openstackLaunchpad bug 1419187 in Keystone "ldap unicode issue" [Undecided,New]23:42
mgagnestevemar: hehe https://github.com/openstack/horizon/commit/0faeb80a26b484f8fb09ed95f749c2f627c1b0d123:42
*** nkinder has joined #openstack-keystone23:44
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Remove globals that were introduced for compatibility  https://review.openstack.org/15371423:46
*** hichtakk has quit IRC23:46
stevemarmgagne, looks like it should have been _member_ for a while23:47
*** timcline has quit IRC23:48
mgagnestevemar: looks like it, unfortunately I didn't take the time to check and only had the POV of puppet modules which had the wrong value for too long23:48
gyeestevemar, __member__ role is designed for migration23:48
gyeefrom V2 to V323:49
gyeein V2, you can add user to a project without role assignment, that's no longer the case in V3, therefore, we have to use the __member__ role to bridge the gap23:49
mgagnegyee: so it's gonna add the _member_ role during the migration. If you start from V3, you could use whatever role you wish right? And I guess you can already do once the migration done.23:51
gyeeright, with V3, you can have any role23:51
mgagne_member_ isn't pretty in a UI tbh23:51
gyeeits not designed to be pretty :)23:52
gyeebut its configurable though23:52
gyeeso I suppose deployers can beautify it23:52
mgagnehehe, I'll for sure, gonna be an ascii art =)23:53
gyeemgagne, ++!23:54
richmin fact, you have to do that when using an ldap identity backend23:55
openstackgerritLin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/14696223:55
morganfainbergkfox1111, i want to say we had a fix land in kilo about that issue23:55
morganfainbergkfox1111, LDAP unicode that is23:55
morganfainbergkfox1111, now that i'm reading more into it...23:55
kfox1111do I just need to .encode('utf8') in the right place?23:56
*** stevemar has quit IRC23:56
morganfainbergkfox1111, it was not that easy of a fix iirc. let me find it.23:56
*** nkinder has quit IRC23:56
morganfainbergdang it, nkinder isn't here23:56
morganfainberghe did a bunch of work on that stuff23:56
*** abhirc has quit IRC23:56
gyeewhat was the issue?23:56
morganfainberghttps://bugs.launchpad.net/keystone/+bug/141918723:57
openstackLaunchpad bug 1419187 in Keystone "ldap unicode issue" [Undecided,New]23:57
morganfainberggyee, ^23:57
morganfainberggyee, and kfox1111 is on juno23:57
« Thursday, 2015-02-05 Index Saturday, 2015-02-07 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!