Tuesday, 2015-02-10

*** bknudson has joined #openstack-keystone00:01
*** ChanServ sets mode: +v bknudson00:01
*** dimssum__ has joined #openstack-keystone00:04
*** dimssum__ is now known as dimsum__00:04
*** dimsum__ has quit IRC00:04
*** atiwari has quit IRC00:05
*** lnxnut_ has quit IRC00:06
*** gyee has quit IRC00:06
*** markvoelker has quit IRC00:07
*** chlong has joined #openstack-keystone00:07
*** lnxnut_ has joined #openstack-keystone00:08
*** josecastroleon has quit IRC00:09
*** lnxnut_ has quit IRC00:12
*** r-daneel has quit IRC00:12
*** dims__ has joined #openstack-keystone00:14
*** gyee has joined #openstack-keystone00:14
*** ChanServ sets mode: +v gyee00:14
*** henrynash has joined #openstack-keystone00:18
*** ChanServ sets mode: +v henrynash00:18
henrynashmorganfainberg: hi…00:18
morganfainberghenrynash, one moment, writing an email up00:19
morganfainbergbe with ya in a sec :)00:19
henrynashmorganfainberg: np00:19
dstaneksamueldmq: you still around?00:19
*** ljfisher has quit IRC00:21
openstackgerritMerged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/15427500:22
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196200:25
openstackgerritBrant Knudson proposed openstack/keystone: Change hacking check to verify all oslo imports  https://review.openstack.org/15188100:29
openstackgerritBrant Knudson proposed openstack/keystone: Change oslo.i18n to oslo_i18n  https://review.openstack.org/15188000:29
openstackgerritBrant Knudson proposed openstack/keystone: Change oslo.config to oslo_config  https://review.openstack.org/14525000:29
openstackgerritBrant Knudson proposed openstack/keystone: Change oslo.db to oslo_db  https://review.openstack.org/14802900:29
bknudsonrebased those changes... there weren't any merge conflicts so I'm not sure what that stupid bird was complaining about.00:29
gyeetwit, twit00:31
dstanekbknudson:  you may have angered the beast00:31
*** atiwari has joined #openstack-keystone00:34
morganfainbergbknudson, jgit is awful00:40
morganfainbergbknudson, that was what the bird was complaining about00:40
morganfainbergbknudson, jgit suckes when it does 3-way merges00:41
bknudsonI've seen this on our internal gerrit, too.00:41
morganfainbergit's because gerrit uses jgit instead of the c-based git you use on the CLI00:42
bknudson"JGit is a relatively full-featured implementation of Git written natively in Java"00:42
morganfainberghaha yep00:42
morganfainbergit's like handgrenades and horseshoes00:42
bknudsonseems easier to just call the cli.00:42
morganfainbergexcept then it would be java equiv to popen00:43
morganfainbergcan't have that in java00:43
bknudsonwe need a pure-python git.00:43
openstackgerritSteve Martinelli proposed openstack/keystone: Fix the syntax issue on creating table `endpoint_group`  https://review.openstack.org/15193100:43
stevemargyee, ^00:43
morganfainberghow slow would that be.00:43
gyeestevemar, thanks00:43
bknudsoncould just use pickle00:43
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430200:50
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389700:51
morganfainbergbknudson, i'm reapporving those if someone didn't beat me to it.00:51
gyeemorganfainberg, lbragstad, so we have no non-persistent solution in kilo then?00:51
morganfainberglooks like steve beatme to it00:51
bknudsonstevemar is fast.00:52
morganfainberggyee, one way or another we will get a non-persistent option into kilo00:52
stevemarbknudson, i prefer impatient00:52
morganfainberggyee, either AE or non-persistent PKI,00:52
morganfainberggyee, etc00:52
stevemari get annoyed when easy things take long00:53
gyeek, AE spec needs a deadline extension I suppose00:53
bknudsonstevemar: no wonder you're angry all the time.00:54
morganfainberggyee, AE needs to work to address the reasons it still has a -2 then an extension00:54
gyeeheh, I thought he's a nice guy!00:54
morganfainbergstevemar, hold on. i think i can review something next month for you... i know it's a 1 line fix...00:54
stevemarbknudson, as the hulk says, that's my secret00:55
bknudsonI thought the hulk says "you don't want to make me angry"00:56
bknudsonor "hulk smash!"00:56
stevemarbknudson, https://www.youtube.com/watch?v=msRaooooyds00:57
morganfainbergstevemar, what is needed to make OSC happily talk federation?00:57
morganfainbergpython-keystoneclient-federation being released?00:57
bknudsonstevemar: that was actually the best part of the movie (other than scarlett johansson)00:58
stevemarmorganfainberg, it already sort of does, marekd has the details on that one. I think the most part is authN plugins for the different federation protocols00:58
stevemarbknudson, incorrect, the whole movie was the best part00:58
*** amerine has quit IRC00:59
stevemarmorganfainberg, setup the authN env. vars for OSC, that KSC expects... and I think that's about it00:59
morganfainbergoh cool00:59
morganfainbergand to make it work nice and seamlessly w/ the new SP stuff in the catalog?00:59
stevemarmorganfainberg, marekd showed it here: https://www.youtube.com/watch?v=9ojwbnvP92k&index=2&list=FLuZvezYbRB_W6SP-1pMBCqw00:59
gyeemorganfainberg's doing dark magic https://review.openstack.org/#/c/148354/00:59
morganfainbergbursting to a remote SP00:59
morganfainberggyee, voodoo01:00
* gyee is learning01:00
stevemarmorganfainberg, that is something i don't think we want to handle, OSC is more of a per-service basis01:00
morganfainberggyee, meta programming with more metaprogramming to test metaprogramming01:00
bknudsonI heard you like metaprogramming01:00
morganfainbergstevemar, i argue you do want to handle that case01:00
stevemarif you want to use more than 1, you should use os-client-config or something01:00
stevemarthe thing dtroyer and mordred has been working on01:01
morganfainbergstevemar, what is the difference between using resources here XXX and over there YYY01:01
morganfainbergthey are both nova compute01:01
stevemarmorganfainberg, it completely changes the auth_url01:01
morganfainbergso? single toolchain is kinda nice dontchathink?01:01
morganfainbergso how does osc handle using a remote service then?01:02
stevemari agree that it would be awesome01:02
morganfainbergor is that just "never going to happen"01:02
morganfainbergbecause that is a bad answer in my book ;)01:02
morganfainbergbasically i want to consume resources on a remote SP. the stuff mordred and dtroyer are working on is awesome01:03
morganfainbergbut it leaves a huge gap in the CLI tools01:03
stevemardtroyer, ^ any ideas?01:03
morganfainbergi can't access via SAML the remote SP.01:03
morganfainbergsince the only way I do that is I auth against my local keystone then request saml for the remote one01:04
stevemarno, that's the not issue, we could probably get a token from the remote SP, that parts do-able01:04
*** marg7175_ has quit IRC01:04
morganfainbergyoiu can't just "use a different auth url"01:04
stevemarits the management / switching of things01:04
*** marg7175 has joined #openstack-keystone01:05
stevemarhenrynash, go to sleep, it's crazy late in your TZ01:05
morganfainbergstevemar, or it's crazy early01:05
henrynashstevemar: yeah, i know I know…but there’s interesting stuff to do….01:06
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: iso expires should be returned in one place  https://review.openstack.org/14098401:09
stevemareasy one for middleware ^^^01:12
stevemarconsidering we are releasing today it's a good time to review it :D01:12
*** henrynash has quit IRC01:13
gyeeI'll let jenkins do the hard work first01:14
openstackgerritBrant Knudson proposed openstack/keystone: Consistently use oslo_config.cfg.CONF  https://review.openstack.org/14736701:14
*** gokrokve has quit IRC01:14
stevemari think bknudson likes to open as much files as possible and make 2 lines changes :P01:15
stevemarthat or he really knows awk/sed/grep really well01:16
bknudsonsomebody has to do it.01:16
stevemaror or... you get a kick out of making us review all those files01:16
stevemarso many things to choose from01:16
wanghongstevemar, morning, thanks!01:17
stevemarwanghong, np!01:18
stevemarbknudson, yo, you are totally undoing your own work, lots of overlap with https://review.openstack.org/#/c/145250/01:18
bknudsonstevemar: there will be a merge conflict I'll have to resolve.01:19
stevemarwhy didnt you just build on top of that one01:19
lhchenghello! question on the keystone test_sql_upgrade.  Is it creating a temp database?01:19
* stevemar is confused01:19
bknudsonI don't think it's undoing anything.01:19
morganfainberglhcheng, it creates [iirc] in-memory db, but it is wierd01:20
bknudsonI have no idea what order people are going to review things in so I try to make it so that it can be reviewed.01:20
gyeeit clears db in tmp I think01:20
bknudsonfor some reason people seem to review new changes rather than the old ones.01:20
morganfainberggyee, i think we went to pure anonymous dbs, no filebacking01:20
morganfainbergi think that mostly is for files like paste-inis01:21
bknudsonif I kept all changes in a list then they'd probably never merge... I spend a lot of time resolving merge conflicts.01:21
lhchengmorganfainberg: I have a branch where I added migration script 64, and ran the test on that. I later switch to another branch and when I ran the test it , it is complaining about 64 version not found.01:21
bknudsonalso, reviewers seem to not notice that one review depends on another one.01:22
morganfainberglhcheng, remove the .pyc01:22
morganfainberglhcheng, hehe i do that all the time :P01:22
lhchengmorganfainberg: thanks!01:22
gyeebknudson, you have a hit list for me? :)01:22
*** gokrokve has joined #openstack-keystone01:22
gyeelhcheng, tox -e clean-my-shit01:23
bknudsongyee: I always look here : https://review.openstack.org/#/q/status:open+is:watched+label:Code-Review%253D2+label:Code-Review%253D0%252Cself+branch:master,n,z01:23
gyeeI do wish we have that command though01:23
stevemarbknudson, i know, i always go 'down the rabbit hole' of dependencies in a patch01:23
lhchengmorganfainberg: I should have asked sooner..01:23
lhchenggyee: lol01:24
stevemarbut i noticed a lot of folks don't01:24
gyeedamn, bknudson have a long dep chain01:25
stevemargyee, review it sooner and it won't be so long :)01:25
gyeewth, didn't we just remove the xml stuff? https://review.openstack.org/#/c/138918/401:26
gyeewhy are we fixing matcher?01:26
bknudsongyee: that was proposed back when we still had xml stuff.01:27
bknudsonI'll remove it... need to rebase the other ones.01:27
gyeek man01:27
openstackgerritBrant Knudson proposed openstack/keystone: Remove test PYTHONHASHSEED setting  https://review.openstack.org/13659301:30
openstackgerritBrant Knudson proposed openstack/keystone: Correct test_auth_unscoped_token_project for result ordering  https://review.openstack.org/13891901:30
openstackgerritBrant Knudson proposed openstack/keystone: Correct test_get_v3_catalog test for result ordering  https://review.openstack.org/13892001:30
openstackgerritBrant Knudson proposed openstack/keystone: Correct catalog response checker for result ordering  https://review.openstack.org/13892101:30
openstackgerritBrant Knudson proposed openstack/keystone: Correct a v3 auth test for result ordering  https://review.openstack.org/13892201:30
openstackgerritBrant Knudson proposed openstack/keystone: Correct version tests for result ordering  https://review.openstack.org/13892301:30
stevemarbknudson, \o/01:30
gyeewow that's fast01:30
gyeebknudson's a bot!01:31
stevemaryess my +2s stayed, no need to review01:31
openstackgerritMerged openstack/keystonemiddleware: Use oslo.context instead of incubator code  https://review.openstack.org/15416601:31
bknudsonstevemar: that's why I split it up.01:31
bknudsonshould be easier for reviewers01:32
gyeeduuuude, you still using matcher01:32
openstackgerritLin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/13212201:32
bknudsonI will always use matchers!01:33
bknudsonit's the wave of the future.01:33
gyeewait, was I confused with xml matcher01:33
morganfainbergbknudson, is resp.json.keys() guarnateed order?01:33
* morganfainberg admits to not being sure about key order from .keys() suddenly01:33
bknudsonmorganfainberg: it's not... but the sets should compare equal01:33
morganfainbergoh derp01:33
lhchengbknudson, lbragstad: finally resolved the config import issue on test - https://review.openstack.org/#/c/132122/01:34
morganfainbergderpity derp derp01:34
*** atiwari has quit IRC01:34
openstackgerritMerged openstack/keystone: Deprecate LDAP Assignment Backend  https://review.openstack.org/15097001:34
stevemarthis is the most code to have been dropped in keystone in ages01:35
stevemarso much is getting done01:35
morganfainbergso, FYI i'm going to be mostly off the map on thursday01:35
morganfainbergneed to go visit with some folks about their use of openstack01:35
morganfainbergso lets get more stuff in before thursday!01:36
openstackgerritMerged openstack/keystonemiddleware: Sync with oslo-incubator  https://review.openstack.org/15416801:37
morganfainbergso this one: https://review.openstack.org/#/c/138922/7/keystone/tests/test_v3_auth.py is materially changing what is going on01:39
morganfainbergit *could* change the behavior of the test.01:39
bknudsonmorganfainberg: yes, it is... hopefully it's making it better.01:39
morganfainbergbut it looks safe?01:39
bknudsonrather than only checking a single attribute it's now checking all of them.01:40
morganfainbergjust checking that was intended here01:40
bknudsonthe way it was before it essentiallly checked a random attribute.01:41
*** lhcheng is now known as lhcheng_afk01:41
bknudsonjust depending on which one turned up first in the lsit.01:41
bknudsonand sometimes the first one would be 'expires_at'01:41
morganfainbergyeah ok, +2 on it01:41
bknudsonso in some ways it's pretty much the same.01:41
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228101:42
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240301:42
morganfainbergbknudson, once check passes on those w/ 2x+2 feel free to +A them.01:42
morganfainbergin the hashseed change list01:42
bknudsonwe'll see if that last one still passes.01:43
* morganfainberg needs to sitdown and do the revocation event stuff so we can make taht the default instead of the TRL trainwreck01:46
*** lhcheng_afk has quit IRC01:47
*** kfox1111 has quit IRC01:52
*** diegows has quit IRC01:53
*** gokrokve has quit IRC01:54
*** amerine has joined #openstack-keystone01:55
*** amerine has quit IRC02:00
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Docs for v3 credentials  https://review.openstack.org/15387502:02
*** rwsu is now known as rwsu-afk02:02
*** erkules_ has joined #openstack-keystone02:04
*** stevemar has quit IRC02:06
*** erkules has quit IRC02:06
*** stevemar has joined #openstack-keystone02:06
*** ChanServ sets mode: +v stevemar02:06
openstackgerritMerged openstack/python-keystoneclient: Switch from oslo.utils to oslo_utils  https://review.openstack.org/14596802:11
openstackgerritMerged openstack/python-keystoneclient: Change oslo.serialization to oslo_serialization  https://review.openstack.org/14863202:14
openstackgerritMerged openstack/python-keystoneclient: Change oslo.config to oslo_config  https://review.openstack.org/14525202:14
*** spandhe has quit IRC02:15
*** dims__ has quit IRC02:23
*** lnxnut has joined #openstack-keystone02:26
*** gokrokve has joined #openstack-keystone02:27
*** samueldmq_ has joined #openstack-keystone02:31
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Change hacking check to verify all oslo imports  https://review.openstack.org/15187902:35
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Change oslo.i18n to oslo_i18n  https://review.openstack.org/15187802:35
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Docs for v3 credentials  https://review.openstack.org/15387502:37
*** gyee has quit IRC02:38
*** lnxnut has quit IRC02:39
*** lnxnut has joined #openstack-keystone02:40
*** YorikSar has quit IRC02:45
*** markvoelker has joined #openstack-keystone02:47
*** gokrokve_ has joined #openstack-keystone02:49
*** gokrokve_ has quit IRC02:50
*** gokrokve_ has joined #openstack-keystone02:51
openstackgerritSteve Martinelli proposed openstack/keystone: Fix IDs names for federation router  https://review.openstack.org/15432102:52
openstackgerritMerged openstack/python-keystoneclient: Remove 404 link to novaclient in README  https://review.openstack.org/15387302:52
openstackgerritMerged openstack/python-keystoneclient: Workflow documentation is now in infra-manual  https://review.openstack.org/13937502:52
stevemar^^ i could use a quick review - it's super easy02:52
*** gokrokve has quit IRC02:52
stevemarbknudson, i have build up enough karma!02:53
stevemarthe only reason i review, so others owe me02:53
*** tqtran has quit IRC02:54
openstackgerritMerged openstack/keystonemiddleware: iso expires should be returned in one place  https://review.openstack.org/14098403:02
*** dims__ has joined #openstack-keystone03:03
*** dims__ has quit IRC03:07
*** dims__ has joined #openstack-keystone03:07
*** tqtran has joined #openstack-keystone03:11
*** rushiagr_away is now known as rushiagr03:12
*** lnxnut has quit IRC03:17
*** boris-42 has quit IRC03:22
*** gokrokve_ has quit IRC03:25
*** davechen__ has quit IRC03:28
*** david-lyle is now known as david-lyle_afk03:29
*** lnxnut has joined #openstack-keystone03:29
*** DaveChen has joined #openstack-keystone03:29
*** samueldmq_ has quit IRC03:31
ayoungjamielennox, I'm slogging through the access_info making all the dictionary based code behave using the modle...might be the most annoying code I've had to work with yet on Keystone.  You work with this every day?  I do not envy you.03:31
ayoungdown to 43 errors in tests03:31
*** ayoung is now known as ayoung_sleep03:34
*** gokrokve has joined #openstack-keystone03:42
*** dims_ has joined #openstack-keystone03:47
*** dims__ has quit IRC03:49
*** tqtran has quit IRC03:55
openstackgerritMerged openstack/python-keystoneclient: Change oslo.i18n to oslo_i18n  https://review.openstack.org/15187803:56
openstackgerritMerged openstack/python-keystoneclient: Change hacking check to verify all oslo imports  https://review.openstack.org/15187903:56
openstackgerritMerged openstack/python-keystoneclient: Docs for v3 credentials  https://review.openstack.org/15387503:57
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Turn our auth plugin into a token interface  https://review.openstack.org/13726804:15
jamielennoxi think when i add tests in future i'm going to pick a random spot in the class, otherwise you get merge conflicts as everyone is appending tests04:15
*** richm has quit IRC04:20
*** zzzeek has quit IRC04:24
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make remove_service_catalog private  https://review.openstack.org/15433404:26
*** amerine has joined #openstack-keystone04:31
*** dims_ has quit IRC04:32
*** harlowja is now known as harlowja_away04:34
openstackgerritLance Bragstad proposed openstack/python-keystoneclient: Remove ability to get global user roles.  https://review.openstack.org/15423804:42
openstackgerritLance Bragstad proposed openstack/python-keystoneclient: Remove ability to get global user roles.  https://review.openstack.org/15423804:42
*** Novtopro has joined #openstack-keystone04:45
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins  https://review.openstack.org/14126704:46
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Enforce that some plugin options are required  https://review.openstack.org/14878404:49
*** lnxnut has quit IRC04:50
openstackgerritMerged openstack/keystone: Remove XMLEquals from tests  https://review.openstack.org/15424204:50
*** lnxnut has joined #openstack-keystone04:51
openstackgerritMerged openstack/keystone: Remove unused test case  https://review.openstack.org/15421204:51
*** lnxnut has quit IRC04:56
*** gokrokve_ has joined #openstack-keystone04:56
jamielennoxstevemar: you mind having a look at https://review.openstack.org/#/c/143339/ as well?04:56
jamielennoxi'm just going through the leftovers, clean up a few old reviews that didn't move04:57
openstackgerritAbhishek Talwar proposed openstack/python-keystoneclient: User-password-update accepts blank as password  https://review.openstack.org/14739904:58
*** gokrokve has quit IRC04:59
*** Novtopro has quit IRC05:00
*** gokrokve_ has quit IRC05:00
openstackgerritMerged openstack/keystone: Fix the syntax issue on creating table `endpoint_group`  https://review.openstack.org/15193105:05
openstackgerritMerged openstack/keystone: Change oslo.db to oslo_db  https://review.openstack.org/14802905:05
openstackgerritMerged openstack/keystone: Change oslo.config to oslo_config  https://review.openstack.org/14525005:05
openstackgerritMerged openstack/keystone: Change oslo.i18n to oslo_i18n  https://review.openstack.org/15188005:05
openstackgerritMerged openstack/keystone: Change hacking check to verify all oslo imports  https://review.openstack.org/15188105:06
jamielennoxmorganfainberg: you haven't done keystonemiddleware yet?05:08
morganfainbergjamielennox, no was waiting for some stuff to land.05:08
jamielennoxmorganfainberg: this is passing if we can get it in: https://review.openstack.org/#/c/137268/05:08
jamielennoxmorganfainberg: also what i was going to prompt about was can you do ksc-kerberos sometime05:09
jamielennoxi don't think there's anything waiting there...05:09
morganfainbergjamielennox, yeah. we need to figure out how to do testing for it05:09
morganfainbergbut yes i can release that this week too05:09
jamielennoxmorganfainberg: so i've just written up a doc on how to test kerberos login, i just don't know how to work all this into a functional test for gerrit05:14
*** spandhe has joined #openstack-keystone05:15
*** lnxnut has joined #openstack-keystone05:21
*** junhongl has joined #openstack-keystone05:22
*** abhirc has quit IRC05:37
*** lnxnut has quit IRC05:38
*** ajayaa has joined #openstack-keystone05:39
openstackgerritMerged openstack/keystone: Fix downgrade test for migration 61 on non-sqlite  https://review.openstack.org/14649705:42
*** lhcheng_afk has joined #openstack-keystone05:44
*** oomichi has quit IRC05:50
*** rushiagr is now known as rushiagr_away05:53
*** marg7175 has quit IRC05:53
*** harlowja_away has quit IRC06:01
openstackgerritMerged openstack/keystone: Correct test_auth_unscoped_token_project for result ordering  https://review.openstack.org/13891906:02
openstackgerritMerged openstack/keystone: Correct test_get_v3_catalog test for result ordering  https://review.openstack.org/13892006:02
openstackgerritMerged openstack/keystone: Correct catalog response checker for result ordering  https://review.openstack.org/13892106:02
openstackgerritMerged openstack/keystone: Correct a v3 auth test for result ordering  https://review.openstack.org/13892206:03
openstackgerritMerged openstack/keystone: Correct version tests for result ordering  https://review.openstack.org/13892306:03
openstackgerritMerged openstack/keystone: Remove test PYTHONHASHSEED setting  https://review.openstack.org/13659306:03
stevemarfinally clearing up the keystone pipeline (pun intended)06:04
stevemarjamiec, sure thing, i'll take a look06:04
stevemarjamiec, sorry wrong jamie06:05
stevemarjamielennox, ^06:05
stevemarjamielennox, sorry i take so long to get back to you, i do random things at night, like laundry06:08
jamielennoxstevemar: that's ok - you know your getting into the habbit of being the last one around?06:08
stevemarjamielennox, yeah, i think i've had that honor for a while now06:09
openstackgerritAbhishek Talwar proposed openstack/python-keystoneclient: User-password-update accepts blank as password  https://review.openstack.org/14739906:12
openstackgerritJamie Lennox proposed openstack/python-keystoneclient-federation: Copy the existing federation plugins over.  https://review.openstack.org/15062706:19
jamielennoxstevemar: added bug to https://review.openstack.org/#/c/150627/ can you +2 again06:19
jamielennoxtoday has been the most code i've seen merged this year i think06:22
openstackgerritSteve Martinelli proposed openstack/keystone: Check consumer and project id before creating request token  https://review.openstack.org/14570106:28
stevemarjamielennox, wasn't it freaking fantastic06:29
morganfainbergstevemar booo06:29
morganfainbergboooooooooooo on that joke06:29
stevemarmorganfainberg, why booo?06:29
stevemarwhat joke?06:30
morganfainbergkeystone pipeline...06:30
stevemarit was funny06:30
openstackgerritSteve Martinelli proposed openstack/keystone: Provide additional detail if OAuth headers are missing  https://review.openstack.org/14219106:31
openstackgerritSteve Martinelli proposed openstack/keystone: Add links to extensions that point to api specs  https://review.openstack.org/14731106:32
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: WIP - Add openid connect client support  https://review.openstack.org/13470006:35
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.policy and delete the sync'ed version  https://review.openstack.org/14862406:36
*** krykowski has joined #openstack-keystone06:39
stevemarmorganfainberg, do i need a bug for this: https://review.openstack.org/#/c/154321/06:39
morganfainbergstevemar, ideally06:44
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.policy and delete the sync'ed version  https://review.openstack.org/14862406:46
*** lnxnut has joined #openstack-keystone06:51
openstackgerritSteve Martinelli proposed openstack/keystone: Fix IDs names for federation router  https://review.openstack.org/15432106:53
stevemarmorganfainberg, okay done06:54
*** jaosorior has joined #openstack-keystone06:56
*** lnxnut has quit IRC06:56
openstackgerritMerged openstack/python-keystoneclient: Reference identity plugins from __init__.py  https://review.openstack.org/14333906:59
*** lhcheng_afk has quit IRC07:08
*** mflobo has quit IRC07:09
*** mflobo has joined #openstack-keystone07:10
*** spandhe has quit IRC07:11
*** spandhe has joined #openstack-keystone07:12
*** avozza is now known as zz_avozza07:32
*** mzbik has joined #openstack-keystone07:32
*** dims__ has joined #openstack-keystone07:33
*** markvoelker has quit IRC07:33
*** markvoelker has joined #openstack-keystone07:34
*** dims__ has quit IRC07:37
*** markvoelker has quit IRC07:38
*** lnxnut has joined #openstack-keystone07:52
openstackgerritSteve Martinelli proposed openstack/keystone: Add a check to see if a federation token is being used for v2 auth  https://review.openstack.org/15436807:53
stevemarmarekd, ^07:54
*** chlong has quit IRC07:54
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/15437007:55
*** mflobo has left #openstack-keystone07:56
*** lnxnut has quit IRC07:57
*** mflobo has joined #openstack-keystone07:59
openstackgerritSteve Martinelli proposed openstack/keystone: Use _VersionsEqual for a few more version tests  https://review.openstack.org/15437307:59
stevemarbknudson, ^ for you in the morning08:00
stevemarmorganfainberg, bknudson this bug could use some attention, causing check failures https://review.openstack.org/#/c/154373/08:02
*** fifieldt has joined #openstack-keystone08:03
*** markvoelker has joined #openstack-keystone08:04
*** aix has joined #openstack-keystone08:07
*** spandhe has quit IRC08:08
*** markvoelker has quit IRC08:09
*** stevemar has quit IRC08:13
bretonwow, that's a lot of merges08:14
*** karimb has joined #openstack-keystone08:15
*** oomichi_ has joined #openstack-keystone08:23
*** zz_avozza is now known as avozza08:25
ccardjamielennox: I found some stuff on using domain-specific drivers. Is it possible to configure keystone so that the internal openstack users are take from SQL and the other users from LDAP? How does keystone know which domain to lookup users in?08:28
jamielennoxccard: yes, you can do exactly that08:29
jamielennoxccard: ok, starting here: http://docs.openstack.org/juno/config-reference/content/section_keystone-domain-configs.html08:29
jamielennox(and i'm not telling you to RTFM - just no way i can remember it all)08:30
jamielennox_enabled turns it on08:30
jamielennoxthe domain_config_dir is a directory with files in it08:30
jamielennox keystone.DOMAIN_NAME.conf08:30
jamielennoxso if you create a domain name my-test-domain you create a file keystone.my-test-domain.conf08:31
jamielennoxwithin that you need to put the [identity] driver= field08:32
jamielennoxand then either the [sql] or [ldap] section - depending on driver08:32
ccardjamielennox: yes, I understand the structure of the configuration files (I was looking at http://docs.openstack.org/developer/keystone/configuration.html), but I don't see how keystone knows that a user (e.g. ccard) is in a particular domain08:32
jamielennoxso that's a fairly fundamental part of the v3 api08:33
jamielennoxall users and projects belong to a domain08:33
jamielennoxwhen you login with v3 API you either give user_id (globally unique) or username and user_domain_name08:33
jamielennox(domain names are unique)08:33
ccardok, suppose I give user_id, but the identity data for that user is in some LDAP db, how does keystone know that?08:34
jamielennoxccard: hmm - that's a good question...08:34
jamielennoxi think when you turn this stuff on it makes the user_ids really big08:35
jamielennoxso from memory the user_id becomes two uuids appended together08:35
jamielennoxand i think the idea is that it's user_id and domain_id appended08:35
jamielennoxthe idea was something like that but i honestly didn't follow the implementation closely enoguh to be certain08:36
ccardjamielennox: when I login to horizon, I just give a username (e.g. admin, or ccard) but it doesn't ask for a domain name08:36
jamielennoxright - so i know horizon was working on how to expose domains via the dashboard08:37
jamielennoxi don't know how to set that up08:37
ccardthat's not in juno then?08:37
jamielennoxccard: not sure, i don't have much to do with horizon08:38
jamielennoxi'd try in #openstack-horizon08:38
jamielennoxccard: though google gives me: https://ask.openstack.org/en/question/47220/does-domain-work-for-horizon-and-keystone/08:39
ccardjamielennox: if I create a domain-specific configuration file, is the domain name I give it arbitrary, or does it have to match an actual real domain (e.g. the suffix of the LDAP directory)?08:39
jamielennoxccard: the name is a required field when creating a domain08:40
jamielennoxopenstack domain create blah08:40
ccardjamielennox: ah, right. I'd not noticed that openstack has its own domains - still on the learning curve08:41
jamielennoxccard: np, it's a long curve08:41
ccardjamielennox: that link looks useful, thanks08:42
*** gokrokve has joined #openstack-keystone08:43
*** jistr has joined #openstack-keystone08:47
*** afazekas has joined #openstack-keystone08:52
ccardjamielennox: I can't find cli commands for domains08:53
jamielennoxccard: you using keystone or openstack cli08:53
ccardjamielennox: keystone, I don't seem to have the openstack cli on my installation08:54
jamielennoxyea, it's a seperate install08:54
*** gokrokve has quit IRC08:54
jamielennoxwe deprecated the keystone cli tool, it only supports the v2 api08:55
jamielennoxto do things with v3 try out openstack08:55
*** gokrokve has joined #openstack-keystone08:55
ccardjamielennox: thanks, I'll try that08:55
*** spandhe has joined #openstack-keystone08:56
*** gokrokve has quit IRC09:00
ccardjamielennox: I got python-openstackclient-1.0.1-1.el7.centos.noarch installed, but I see no domain commands in openstack --help09:00
jamielennoxccard: so openstackclient is a bit odd09:01
jamielennoxyou will need to either --os-identity-api-version 3 or export OS_IDENTITY_API_VERSION=309:02
jamielennoxi think if you do a v3 auth then it comes up as well09:02
ccardjamielennox: ok, thanks09:02
*** erkules_ is now known as erkules09:04
*** markvoelker has joined #openstack-keystone09:05
*** nellysmitt has joined #openstack-keystone09:10
*** markvoelker has quit IRC09:10
ccardjamielennox: I'm getting this: "openstack --os-identity-api-version 3 domain list09:11
ccardERROR: openstack Authentication failure: The resource could not be found. (HTTP 404)"09:11
ccardsimilarly for domain create09:11
jamielennoxwhat are you doing for auth?09:12
ccardenvironment variables are set, which work for other commands09:12
jamielennoxjust to test - try adding --os-url=http/keystone/v309:12
*** lsmola has quit IRC09:12
jamielennoxso if you are using v2 auth then i'm prety sure it will fail09:12
marekdmorganfainberg: so what I showed on the video was Icehouse federation only. As K2K was kinda problematic (and sadly saying incomplete in Kilo) I didn't go ahead with implementing client part for that. But the good news is it should be much easier to implement client part for K2K given the experience we now have and a code we already have.09:13
ccardjamielennox: same error09:13
ccardwhat's different for v3 auth?09:14
jamielennoxif you do username you need to specify user_domain_id09:14
jamielennoxsame with if you're using project_name you need project_domain_id09:14
ccardwhich is "default", yes?09:14
jamielennoxOSC protects you from some of this - but i don't remember what09:14
ccardjamielennox: if I set OS_USER_DOMAIN_NAME and/or OS_PROJECT_DOMAIN_NAME to default, I get the same error. If I set OS_DOMAIN_NAME I get the error "ERROR: openstack Authentication cannot be scoped to multiple targets. Pick one of: project, domain or trust"09:22
jamielennoxccard: yep - so in v3 you can scope the authentication to a domain, not just a project09:23
jamielennoxby using OS_DOMAIN_NAME you're asking for a domain scoped token, but you're also asking for a project scoped token09:23
jamielennoxUSER_DOMAIN_NAME relates to user, PROJECT_DOMAIN_NAME relates to project09:23
ccardbut setting OS_PROJECT_DOMAIN_NAME or OS_USER_DOMAIN_NAME give the "openstack Authentication failure: The resource could not be found. (HTTP 404)" error09:25
jamielennoxdoes it work if you do openstack token issue09:27
jamielennox(i think thats the command)09:27
ccard# openstack token issue09:30
ccardERROR: openstack Could not determine a suitable URL for the plugin09:30
ccard# openstack --os-identity-api-version 3 token issue09:30
ccardERROR: openstack The resource could not be found. (HTTP 404)09:30
marekdccard: what is the output for  # env | grep OS | grep -v OS_PASSWORD ?09:31
ccardmarekd: OS_REGION_NAME=RegionOne09:33
marekdccard: and you want to use v3 or v2?09:35
ccardmarekd: I'm trying to use v3 (for domain stuff) - do I need to change OS_AUTH_URL as well as supply --os-identity-api-version 3 ?09:36
marekdor export OS_IDENTITY_API=309:37
marekdyou might also make sure that openstackclient uses v3 auth plugin.09:37
marekdccard: opus, sorry = OS_IDENTITY_API_VERSION=309:39
marekdccard: should be OS_AUTH_URL=http://********:5000/v309:41
marekdv3, not v3.009:41
marekdalso i'd advise you to do # openstack -h and see vars names to be exported, as I think you might need OS_USERNAME, OS_PROJECT_NAME, OS_PROJECT_DOMAIN_NAME09:43
jamielennoxsorry, tuned out - OS_TENANT_NAME will work but it's deprecated for v3, you should use OS_PROJECT_NAME09:44
marekdand domain the projects is within.09:44
jamielennoxyou should probably specify OS_PROJECT_DOMAIN_ID however i think OSC defaults to 'default' if you don't specify anything eles09:44
ccardthanks, that did it. I set OS_PROJECT_NAME and OS_PROJECT_DOMAIN_NAME and openstack domain list worked09:45
jamielennoxccard: it's not a particularly user friendly story - but it does begin to make more sense as you understand the concepts09:48
ccardjamielennox: now to see if I can keep the internal users in SQL and use LDAP for other users, and get horizon to work with it ...09:49
*** lsmola has joined #openstack-keystone09:59
ccardjamielennox: changing horizon config to use v3 api, I can see the domains under identity, so horizon seems to be working ok with v310:04
jamielennoxcan you  login to horizon under a non-default domain?10:05
ccardI don't know, I haven't created any new domains yet10:05
*** markvoelker has joined #openstack-keystone10:06
ccardhorizon doesn't appear to support creating domains, so I'll have to use the cli10:07
*** lhcheng_afk has joined #openstack-keystone10:09
*** markvoelker has quit IRC10:11
*** lhcheng_afk has quit IRC10:14
*** bjornar has joined #openstack-keystone10:21
*** boris-42 has joined #openstack-keystone10:29
ccardjamielennox: I created a new domain, but I can't see how to add a user to the domain. Horizon doesn't support this, and "openstack user set --domain <domain> <user>" returns "ERROR: openstack Cannot change Domain ID (HTTP 400)"10:29
jamielennoxno you can't change a domain id10:30
jamielennoxnothing can be moved between domains like that, if you think about what a domain is trying to do it's segmenting openstack so it doesn't really make sense10:30
jamielennoxif you want a user in a different domain they have to be created in that domain10:30
ccardjamielennox: so I have to create a new user and set the domain as part of the create?10:31
*** ajayaa has quit IRC10:36
openstackgerritBoris Bobrov proposed openstack/keystone: Fix invalid super() usage in memcache pool  https://review.openstack.org/15409510:38
*** andreaf_ has quit IRC10:47
*** wpf has quit IRC10:47
*** wpf has joined #openstack-keystone10:48
*** ajayaa has joined #openstack-keystone10:56
*** spandhe has quit IRC11:01
*** oomichi_ has left #openstack-keystone11:07
*** markvoelker has joined #openstack-keystone11:07
*** markvoelker has quit IRC11:12
*** EmilienM|afk is now known as EmilienM11:21
*** MasterPiece has joined #openstack-keystone11:23
*** dims__ has joined #openstack-keystone11:23
*** aix has quit IRC11:26
*** diegows has joined #openstack-keystone11:26
*** jaosorior has quit IRC11:31
*** diegows has quit IRC11:32
*** henrynash has joined #openstack-keystone11:50
*** ChanServ sets mode: +v henrynash11:50
*** rushiagr_away is now known as rushiagr11:56
*** chlong has joined #openstack-keystone11:59
*** markvoelker has joined #openstack-keystone12:08
*** avozza is now known as zz_avozza12:10
*** aix has joined #openstack-keystone12:11
*** markvoelker has quit IRC12:13
*** henrynash has quit IRC12:17
*** aix has quit IRC12:20
*** karimb is now known as karimb|lunch12:32
*** bjornar has quit IRC12:34
*** bjornar has joined #openstack-keystone12:36
*** henrynash has joined #openstack-keystone12:49
*** ChanServ sets mode: +v henrynash12:49
*** jasondotstar has quit IRC12:49
*** jasondotstar has joined #openstack-keystone12:50
*** lnxnut has joined #openstack-keystone12:53
*** radez_g0n3 is now known as radez12:55
*** lnxnut has quit IRC12:58
*** zz_avozza is now known as avozza13:05
*** markvoelker has joined #openstack-keystone13:05
*** raildo has quit IRC13:21
*** raildo has joined #openstack-keystone13:22
bretonsomeone broke the gate, right?13:23
*** raildo has quit IRC13:27
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196213:27
*** gordc has joined #openstack-keystone13:30
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430213:30
*** raildo has joined #openstack-keystone13:31
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389713:34
*** karimb|lunch is now known as karim13:39
*** karim is now known as Guest2480913:39
*** bknudson has quit IRC13:41
*** amakarov_away is now known as amakarov13:42
*** rushiagr is now known as rushiagr_away13:54
*** radez is now known as radez_g0n313:58
*** nicodemos has joined #openstack-keystone13:59
*** bknudson has joined #openstack-keystone14:00
*** ChanServ sets mode: +v bknudson14:00
*** fifieldt has quit IRC14:02
*** avozza is now known as zz_avozza14:05
david-lyle_afkccard: Horizon does support domains, you have to set the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True in the openstack_dashboard/local/local_settings.py file  https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L4314:06
*** david-lyle_afk is now known as david-lyle14:07
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448514:08
openstackgerritBrant Knudson proposed openstack/keystone: Use _VersionsEqual for a few more version tests  https://review.openstack.org/15437314:08
*** zz_avozza is now known as avozza14:08
*** richm has joined #openstack-keystone14:09
henrynashsamueldmq: fyi, last piece of the data driven tests is now in place - supporting project hierarchies (seems to pass :-) ) - see https://review.openstack.org/#/c/154485/114:09
*** ajayaa has quit IRC14:10
*** jaosorior has joined #openstack-keystone14:10
bknudsonlooks like apevec is seeing a problem in keystoneclient icehouse tests... I'm going to try it out myself.14:12
*** ctina has joined #openstack-keystone14:14
*** jasondot_ has joined #openstack-keystone14:14
bknudsonI got a bunch of "ImportError: No module named oslo_utils" on the first run...14:14
*** lnxnut has joined #openstack-keystone14:17
bknudsonstill getting "ImportError: No module named oslo_utils" after rebuilding tox.14:20
*** lnxnut has quit IRC14:22
bknudsonalso got a "FAIL: keystone.tests.test_token_provider.TestPKIProviderWithStdlib.test_get_token_id_error_handling" -- "ImportError: cannot import name access"14:22
*** radez_g0n3 is now known as radez14:23
bknudsonit's because oslo.config is capped in stable... so I think we need to also cap python-keystoneclient.14:32
bknudsonalternatively, we could have keystoneclient support old oslo.config14:33
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263414:36
*** abhirc has joined #openstack-keystone14:36
*** MasterPiece has quit IRC14:36
*** rushiagr_away is now known as rushiagr14:40
*** dims__ has quit IRC14:43
*** dims__ has joined #openstack-keystone14:43
*** dims__ has quit IRC14:43
*** joesavak has joined #openstack-keystone14:44
*** dims__ has joined #openstack-keystone14:44
*** esmute has quit IRC14:45
*** radez is now known as radez_g0n314:45
*** esmute has joined #openstack-keystone14:47
*** aix has joined #openstack-keystone14:48
*** r-daneel has joined #openstack-keystone15:00
ccarddavid-lyle_afk: yes, I found that, and horizon is now allowing me to create domains etc. But I'm hitting another problem now.15:01
ccardI've created a domain and and project and user within the domain, but when I login to horizon as this domain+user I get an error "Error: Unauthorised: Unable to retrieve usage information."15:02
*** topol has joined #openstack-keystone15:03
ccardI've turned on debug logging and I can see that this request is failing: "http://*********:8774/v2/c9d2aa14dff040d49fffa115697895fc/extensions"15:03
*** ChanServ sets mode: +v topol15:03
*** esmute has quit IRC15:04
ccardI suspect that this ought to be going to v3 rather than v2, and I've changed all the configuration I can find which was pointing at v2, and restarted everything, but I can't get past this error15:04
*** radez_g0n3 is now known as radez15:05
david-lyleccard, indeed that's that part about projects in other domains that fails to work and why domains aren't the default in Horizon15:05
david-lylemy understanding was that the keystone team had fixed this, but I haven't had time to verify15:05
*** radez is now known as radez_g0n315:05
david-lyleccard: are you installing from master, or an older release?15:06
*** esmute has joined #openstack-keystone15:06
ccarddavid-lyle: good question. I installed this openstack a couple of months ago, using packstack. It is juno, so not master I guess.15:07
*** zzzeek has joined #openstack-keystone15:07
david-lylethat may have something to with it. I will verify locally15:07
ccarddavid-lyle: is there a bug report somewhere for this?15:07
*** thedodd has joined #openstack-keystone15:11
david-lyleccard: it actually works on trunk now15:15
david-lylejust verfied15:15
david-lyleI'm not sure if there is backport potential for whatever the fix was15:15
david-lylethere was a bug, but I am unsure of the id right now15:15
*** gokrokve has joined #openstack-keystone15:21
*** esmute has quit IRC15:23
*** mzbik has quit IRC15:25
*** ctina has quit IRC15:25
*** esmute has joined #openstack-keystone15:25
*** jdennis has joined #openstack-keystone15:27
ccarddavid-lyle: thanks. Will trunk make it into kilo?15:27
*** lnxnut has joined #openstack-keystone15:29
*** lnxnut has quit IRC15:29
*** marg7175 has joined #openstack-keystone15:30
*** timcline has joined #openstack-keystone15:30
*** lnxnut has joined #openstack-keystone15:30
*** marg7175 has quit IRC15:31
*** marg7175 has joined #openstack-keystone15:31
david-lyleccard: it already is :)15:32
*** marg7175_ has joined #openstack-keystone15:33
*** marg7175 has quit IRC15:36
*** ctina has joined #openstack-keystone15:39
*** henrynash has quit IRC15:39
*** stevemar has joined #openstack-keystone15:48
*** ChanServ sets mode: +v stevemar15:48
*** rwsu-afk is now known as rwsu15:52
stevemargordc, i just changed the commit msg!15:54
gordcstevemar: i don't understand.15:56
gordcstevemar: is this related to my 'bro' review?15:56
stevemargordc, haha yes15:56
stevemargordc, the only diff between the new patches was the commit msg15:56
stevemari just changed it in the gerrit editor15:57
gordcstevemar: are you telling me i shouldn't have reviewed it?15:57
gordcstevemar: i won't lie, my brain is not on. you need to spell this out for me.15:57
stevemargordc, i guess it wouldn't have been obvious it was just the commit msg, but yes i'll get to the whatever things you are talking about soon, mom15:58
gordcstevemar: good! and clean up your da** room.15:58
*** esmute has quit IRC16:04
*** esmute has joined #openstack-keystone16:07
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720216:12
bknudsonthis one fixes random py27 failures: https://review.openstack.org/15437316:19
*** esmute has quit IRC16:23
*** abhirc_ has joined #openstack-keystone16:24
*** esmute has joined #openstack-keystone16:26
*** abhirc has quit IRC16:27
stevemarany takers? ^16:29
*** chlong has quit IRC16:30
*** esmute has quit IRC16:43
*** ayoung_sleep is now known as ayoung16:43
*** esmute has joined #openstack-keystone16:45
*** gyee has joined #openstack-keystone16:51
*** ChanServ sets mode: +v gyee16:51
*** tqtran has joined #openstack-keystone16:51
*** Guest24809 has quit IRC16:52
*** atiwari has joined #openstack-keystone16:55
*** afazekas has quit IRC16:56
*** marg7175_ has quit IRC17:05
*** spandhe has joined #openstack-keystone17:06
*** jistr has quit IRC17:07
*** krykowski has quit IRC17:07
*** gokrokve_ has joined #openstack-keystone17:09
*** gokrokve has quit IRC17:12
openstackgerritDolph Mathews proposed openstack/keystone: AE Tokens  https://review.openstack.org/14531717:13
*** spandhe_ has joined #openstack-keystone17:14
*** jodah has joined #openstack-keystone17:16
*** jodah has left #openstack-keystone17:16
*** spandhe has quit IRC17:17
*** spandhe_ is now known as spandhe17:17
*** marg7175 has joined #openstack-keystone17:18
*** lhcheng_afk has joined #openstack-keystone17:19
*** ljfisher has joined #openstack-keystone17:23
*** atiwari has quit IRC17:24
*** esmute has quit IRC17:25
*** esmute has joined #openstack-keystone17:25
openstackgerritMerged openstack/keystone: Use _VersionsEqual for a few more version tests  https://review.openstack.org/15437317:28
*** jasondot_ has quit IRC17:31
openstackgerritLin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/14696217:36
*** lsmola has quit IRC17:36
marekdmorganfainberg: re: direct users mapping. Had a chat with Steve and (as he replied) new keyword seems the best idea. Do you think I can carry on with that?17:37
morganfainbergmarekd, yeah. that works for me17:37
marekdmorganfainberg: thanks.17:37
openstackgerritMerged openstack/keystone-specs: Correct rst in federation  https://review.openstack.org/15387417:38
*** lnxnut_ has joined #openstack-keystone17:41
*** esmute has quit IRC17:42
*** esmute has joined #openstack-keystone17:44
*** lnxnut has quit IRC17:44
*** aix has quit IRC17:47
*** marg7175 has quit IRC17:48
morganfainbergmarekd, http://lists.openstack.org/pipermail/openstack-dev/2015-February/056478.html17:51
gyeemarekd, congrats! :)17:52
*** avozza is now known as zz_avozza17:54
rodrigodscongrats marekd!17:54
raildomarekd, congrats!17:55
marekdthanks guys :-)17:56
marekdbut, i'd better wait for Feb 13th :P17:57
gyeeFriday the 13th? I don't know17:58
samueldmqmarekd, hey, I'll be glad to have you as a core :)18:00
*** lhcheng_afk is now known as lhcheng18:00
samueldmqmarekd, congrats for the work you did so far, you deserved this :)18:00
marekdsamueldmq: thanks, i will try to help as much as possible :-)18:00
*** henrynash has joined #openstack-keystone18:01
*** ChanServ sets mode: +v henrynash18:01
*** henrynash has quit IRC18:02
*** henrynash has joined #openstack-keystone18:02
*** ChanServ sets mode: +v henrynash18:02
*** openstac_ has joined #openstack-keystone18:02
*** openstac_ is now known as amolock18:03
dstanekhenrynash: ....E.... 8 passing, 1 error18:05
henrynashdstanek: ?18:06
dstanekhenrynash: you said test...so i did18:06
henrynashdstanek: which patch…the data driven test stuff?18:07
*** gokrokve_ has quit IRC18:07
*** nellysmitt has quit IRC18:09
*** harlowja has joined #openstack-keystone18:10
*** arunkant has quit IRC18:10
dolphmmorganfainberg: i want to see https://review.openstack.org/#/c/129736/ target k3, but i'm confused about your message: "This one will have an exception proposed next week with related updates (or AE Token will need to receive an exception)" is there already an exception being made?18:11
*** thedodd has quit IRC18:13
*** abhirc_ has quit IRC18:14
*** abhirc has joined #openstack-keystone18:14
*** diegows has joined #openstack-keystone18:16
*** diegows has quit IRC18:18
*** thedodd has joined #openstack-keystone18:19
morganfainbergdolphm, after meeting18:22
*** openstackgerrit has quit IRC18:22
*** openstackgerrit has joined #openstack-keystone18:22
*** esmute has quit IRC18:23
*** thedodd has quit IRC18:24
gyeeis stable juno gate broken or just my imagination?18:24
lbragstadgyee: there a ml thread on it18:24
morganfainberggyee, did you read the ML?18:25
lbragstadgyee: ^^18:25
gyeeI'll stop rechecking it to infinity then18:25
*** thedodd has joined #openstack-keystone18:25
gyeegrasseyass amigo!18:26
*** esmute has joined #openstack-keystone18:26
*** atiwari has joined #openstack-keystone18:29
ayoungjamielennox, meeting time?18:29
openstackgerritayoung proposed openstack/keystone-specs: Default Policy  https://review.openstack.org/13465718:30
*** atiwari has quit IRC18:34
openstackgerritayoung proposed openstack/keystone-specs: Token Constraints  https://review.openstack.org/12372618:34
openstackgerritayoung proposed openstack/keystone-specs: certmonger  https://review.openstack.org/13409918:35
openstackgerritayoung proposed openstack/keystone-specs: Hierarchical Roles  https://review.openstack.org/12570418:37
openstackgerritayoung proposed openstack/keystone-specs: Fetch policy.json from server  https://review.openstack.org/13465518:37
openstackgerritayoung proposed openstack/keystone-specs: Policy rules mangaged from a database  https://review.openstack.org/13381418:37
openstackgerritayoung proposed openstack/keystone-specs: unified policy file  https://review.openstack.org/13465618:37
openstackgerritayoung proposed openstack/keystone-specs: Enforce policy from keystoneclient  https://review.openstack.org/13348018:37
openstackgerritayoung proposed openstack/keystone-specs: Default Policy  https://review.openstack.org/13465718:37
ayoungGAH  I said no REBASE dagnabit18:37
samueldmqgyee, ping - would like to talk about your review on 'Refactor check of targets and actors on RoleV3'18:41
dolphmmorganfainberg: it's after meeting18:41
gyeesamueldmq, that code is hard to read18:41
samueldmqgyee, https://review.openstack.org/#/c/144702/16/keystone/common/controller.py18:41
morganfainbergdolphm, in short *either* i need to send the exception email or AE tokens needs it18:42
morganfainbergi think i'd rather have AE token get the exception18:42
samueldmqgyee, the message should be, for example: 'Specify one of domain or project'18:42
gyeeAE token!18:42
samueldmqgyee, doesn't that make sense?18:42
gyeemorganfainberg, pleeeeeease18:42
morganfainbergdolphm, as long as you guys can get the -2 from ayoung off that spec18:42
bknudsonthere's a lot of work going on around token handling so it would be great if the common parts were in their own spec.18:42
gyeebribe him!18:43
dolphmmorganfainberg: alrighty, that's pretty old18:43
dolphmmorganfainberg: do i have a deadline?18:43
morganfainbergdolphm, asap :)18:43
dolphmayoung: what's the nearest brewery to your house that delivers?18:43
morganfainbergdolphm, but asking for the exception on the ML should be done this week.18:43
bknudsonsend a snowblower.18:43
morganfainbergdolphm, even if you're still working on removing the -218:43
dolphmmorganfainberg: ack18:43
samueldmqgyee, .. :/18:44
gyeesamueldmq, "if not provided_args:" means there's nothing there right?18:44
*** esmute has quit IRC18:44
gyeeso you'll get "Specify one of "18:44
morganfainbergoh and please look at rodrigods's request for a SPF exception (cc dolphm, bknudson, henrynash, gyee, topol, stevemar, jamielennox, dstanek, lbragstad, ayoung)18:44
morganfainbergsent to the ML already18:44
dolphmayoung: i assume you went away to review code :) i'm going to grab food and i'll poke you later this afternoon18:45
samueldmqgyee, yes, the code is wrong, that should be the keys from kwargs18:45
*** esmute has joined #openstack-keystone18:45
henrynashmorganfainberg: ok18:45
henrynash(as in, ok, will look)18:45
ayoungdolphm, about AE?  Have you made a breakthrough?18:45
samueldmqgyee, that's why I think we should assert error messages on tests18:45
gyeeayoung, the perf stat look awesome for AE18:45
samueldmqgyee, great catch!18:45
ayounggyee, do we have a plan to support the issues we discussed at the midcycle?18:46
gyeesamueldmq, happy coding :)18:46
gyeeayoung, yeah, there'll be at most one group per federated token right now18:46
gyeeso its pretty static18:46
samueldmqgyee, thanks, will ping you in a few minutes to get your +1 (probably +2) there :=_18:46
ayounggyee, that sounds good18:46
ayoungand what about roles?18:47
lhchengbknudson: I have a follow-up question on https://review.openstack.org/#/c/132122/18:47
*** gokrokve has joined #openstack-keystone18:47
ayounger...delegations..trusts and oauth?18:47
dolphmayoung: there's an implementation in review that seems to work, and in our nightmare deployment scenario, it runs 85% faster than UUID tokens18:47
dolphmayoung: no solution for federation though, afaik18:47
*** htruta has quit IRC18:47
morganfainbergdolphm, nightmare scenario, what is the token size?18:47
lhchengbknudson: I was able to pass the test and pep8, with this change: https://review.openstack.org/#/c/132122/9/keystone/tests/core.py18:47
dolphmayoung: https://review.openstack.org/#/c/145317/218:47
morganfainbergdolphm, and we'd need to solve federation issues.18:47
ayoungno solution for federation is a show stopper18:47
ayoungwhy not?18:47
morganfainbergayoung, maybe they hadn't gotten to that yet. but i agree federation is a show stopper here.18:48
gyeedolphm, federation shouldn't be a problem, IdP section is fixed length18:48
*** htruta has joined #openstack-keystone18:48
dolphmayoung: it's dependent on https://review.openstack.org/#/c/154590/ though18:48
lhchengbknudson: but the docs and devstack are failing now. :(18:48
dolphmmorganfainberg: nightmare scenario multiple globally distributed regions that need to validate each other's tokens18:48
marekdgyee: but groups list is not.18:48
morganfainbergdolphm, nice18:48
bknudsonlhcheng: did you check the logs?18:48
gyeemarekd, but we only have one group right now18:49
*** amolock has quit IRC18:49
*** arunkant has joined #openstack-keystone18:49
gyeethat won't expend anytime soon18:49
dolphmmarekd: i have an idea on that, but it'd take a bit of work that i don't want to land in kilo18:49
lhchengbknudson: yeah, it is still related to CONF being read when imports is triggered.18:49
*** amakarov is now known as amakarov_away18:49
marekddolphm: i know you do.18:49
dolphmmarekd: unless someone has a super elegant solution to federation in kilo, i'd like to make it as viable as we can, and simply document the limits on number of groups we can support in a token18:50
dolphmmarekd: lol18:50
*** henrique_ has joined #openstack-keystone18:50
bknudsonlhcheng: the CONF work doesn't happen until the server starts, so CONF can't be read at import time.18:50
lhchengbknudson: I got another option, that seems to pass the tests and docs in my local. http://paste.openstack.org/show/170875/18:50
dolphmmarekd: i have a list of tricks i'd like to try to make AE tokens as efficient as possible18:50
gyeehierarchical groups! :D18:50
morganfainbergif we limit the number of groups someone is mapped to... OR ^^18:50
morganfainbergwhat gyee said.18:50
dolphmmorganfainberg: yeah that would help too18:50
morganfainbergbut we do need a story to support federated identity in AE Tokens if we're landing it in K18:51
samueldmqhenrynash, ping - Check for invalid filtering on v3/role_assignments18:51
bknudsonlhcheng: why would http://paste.openstack.org/show/170875/ work?18:51
dolphmmorganfainberg: i have a crazy idea that would let us support an unbounded group list though18:51
morganfainbergdolphm, ok what is the crazy idea?18:51
dolphmmorganfainberg: but again, it's not viable for kilo18:51
henrynashsamueldmq: yes....18:51
dolphmmorganfainberg: i'll save it :)18:51
marekddolphm: 1) i was responding to gyee, 2) i said long time ago, we can make AE tokens as-is (or with some limitations) and assume it's not fully working with federation now.18:51
lhchengbknudson: the schema needs to read the CONF though to get the max_password_length18:51
samueldmqhenrynash, non-effective, domain and inherited would return inherited assignments on that domain (directly), wouldnt?18:51
morganfainbergmarekd, "not fully working with federation" is bad :(18:51
bknudsonlhcheng: ok, so _user_properties can't be created at import time... create it after CONF() is done.18:52
lhchengbknudson: I doesn't throw an error if the CONF hasn't been loaded18:52
gyees/not fully working/half-ass/18:52
henrynashsamueldmq: yes18:52
marekdmorganfainberg: dolph is going to kill me now :(18:52
morganfainbergthat precludes working with a number of deployments that are wanting to support federated identity18:52
henrynashsamueldmq: non expanded18:52
samueldmqhenrynash, the meaning would be assignments that will be inherited by someone, and not that were inherited from someone (for this ask for effective)18:52
morganfainbergand AE Token would be a huge win for them18:52
henrynashsameuldmq: yes18:52
samueldmqhenrynash, exactly18:52
samueldmqhenrynash, so the answer for your question on https://review.openstack.org/#/c/144703/19/keystone/assignment/controllers.py is n18:53
samueldmqhenrynash, no18:53
marekdmorganfainberg: let's make basic AE tokens and later add extra layer that fixes federation.18:53
dolphmmarekd: oh no, i'm fine with that, i'd just like to do the best we can in kilo and document the limitations18:53
gyeesamueldmq, I need to step out for an hour or so, just amend the patch and I'll do the needful18:53
marekddolphm: ++18:53
dolphmmarekd: single region unfederated deployments are far more prevelant right now in the real world, so i'd like to cater to them first18:53
lhchengbknudson: how do I create that after CONF() is done? is there a method I can plugin it to?18:53
samueldmqgyee, great! thanks18:53
morganfainbergso what will be broken with federation using the AETokens18:54
henrynashsameuldmq: by jove….I think you may be right!18:54
morganfainbergas it stands18:54
samueldmqhenrynash, so that comes to that problem I said other day18:54
marekdmorganfainberg: you need to keep list of your groups in a token.18:54
bknudsonlhcheng: CONF() happens here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/common.py#n3018:54
dolphmlbragstad: ^18:54
morganfainberggive me the 3-5 bullet points18:54
ayoungI'm willing to sign off on an AE implementation that does not reduce the functionality of tokens.  It rteally is that simple.  If we are there, I'd be thrilled.  I need a confirmation of that from others that do not have a vested interest in the AE implementation before removingmy -2.18:54
samueldmqhenrynash, from the entity, you can't distinguish if an assignment *was* inherited or *is to be* inherited18:54
openstackgerritDavid Stanek proposed openstack/keystone: exclude functional tests from unit test runs  https://review.openstack.org/15052718:54
openstackgerritDavid Stanek proposed openstack/keystone: Support for running functional federation tests  https://review.openstack.org/13913718:54
openstackgerritDavid Stanek proposed openstack/keystone: enables bashate checking on upcoming dsvm code  https://review.openstack.org/15130918:54
openstackgerritDavid Stanek proposed openstack/keystone: adds a devstack plugin for running a pysaml2 IdP  https://review.openstack.org/15131018:54
openstackgerritDavid Stanek proposed openstack/keystone: adds a devstack plugin for setting up federation  https://review.openstack.org/15131118:54
openstackgerritDavid Stanek proposed openstack/keystone: adds a tox target for functional tests  https://review.openstack.org/15052818:54
samueldmqhenrynash, just from the call, but anyway, I just said to put this on your mind, and you can think about18:55
morganfainbergis it really just the tokens could be huge w/ federated identity?18:55
morganfainbergis that the *only* really broken bit?18:55
marekdmorganfainberg: yes.18:55
*** nellysmitt has joined #openstack-keystone18:55
dolphmmorganfainberg: i *really* don't want them to go over 255 chars, ever18:55
morganfainbergdolphm, so if we let them over 255 characters [i agree] in the cases that are needed for federation to make sure it works 100% of the time18:55
henrynashsamueldmq: I still think you can…can you give me a concrete example of the entity structure retunred by a given API (internal or public) where we can’t determine the difference?18:56
morganfainbergand we fix it / improve it to never go over 255 in L18:56
morganfainbergis that good in your book?18:56
morganfainbergi just don't want a token format that excludes federation.18:56
dolphmmorganfainberg: i never want to cross that line :(18:56
dolphmmorganfainberg: let me spend the next day or two breaking the AE implementation and i'll get back to you18:56
dolphmayoung: you too ^18:57
dolphmmorganfainberg: i'll answer with unit tests :)18:57
samueldmqhenrynash, ok, you can, but the way we do is not so intuitive or with a good ux18:57
morganfainbergexplciitly saying "this doesn't work with federation" is really an awful approach. i'd rather delay AE unti L if we can't support it and push PKI to the non-persistent.18:57
samueldmqhenrynash, let me give an example18:57
lhchengbknudson: so I have to defer setting the _user_properties at all instance after config.configure() is called?18:57
morganfainbergbut at this point AE would be my preference in all cases for non-persistent core provider18:58
bknudsonlhcheng: yes.18:58
morganfainbergeven if none of the rest of the token provider cleanup lands until next cycle18:58
dolphmmorganfainberg: agree, ttiab18:58
* dolphm buries head in sand.18:58
bknudsonlhcheng: or the _user_properties could be modified after CONF() ? That might work, too.18:58
samueldmqhenrynash, {user:{id:123},scope:{project:x,inherited_to:projects},role:{id:k},links:{assignment:/users/123/projects/y/roles/k}}18:59
samueldmqhenrynash, how do you know it was inherited from a parent of project x or if it was assigned on project x to be inherited by its subprojects?18:59
lhchengbknudson: is there a central method that is called after CONF()?19:00
henrynashsamueldmq: becuase if you asked for effective mode then it is the former, non-effective mode the later?19:00
*** gyee has quit IRC19:00
bknudsonlhcheng: I don't think we've needed one yet since we've only got one thing to do after CONF(), which is the logging setup.19:01
*** esmute has quit IRC19:01
samueldmqhenrynash, and without knowing the way you asked ? (effective or not)19:01
lhchengbknudson: the code you pasted was on just server start, have to make it work on tests/doc/keystone-manage too19:01
henrynashsamueldmq: ah, no…that’s much harder…but is that a requirement?19:01
lhchengbknudson: oh.. lucky me :)19:01
samueldmqhenrynash, no, what we have today works19:01
samueldmqhenrynash, but we have a way to do so19:01
samueldmqhenrynash, the only way to do that is comparing the project id in [links][assignment] with the project id in [scope]19:01
bknudsonlhcheng: maybe the tests can be changed to call that function?19:02
samueldmqhenrynash, if they are different, that assignment was inherited19:02
henrynashsamueldmq: usre…I get it…but we shouldn’t publish that as a way to tell teh difference….we should say that you interpret the results dependant on whetehr you asked for effective assignments or now19:02
*** dims__ has quit IRC19:02
*** dims__ has joined #openstack-keystone19:03
samueldmqhenrynash, I was not arguing the way we do it doesnt work, but the way we define the entity could make it clearer19:03
henrynashstevemar: ping19:03
samueldmqhenrynash, yes makes sense, but it could be:19:03
*** esmute has joined #openstack-keystone19:03
samueldmqhenrynash, {user:{id:123},scope:{project:x,INHERITED_FROM:y},role:{id:k},links:{assignment:/users/123/projects/y/roles/k}}19:03
*** atiwari has joined #openstack-keystone19:03
morganfainbergayoung, i'll clear -2s off reproposed specs today/tonight19:04
morganfainbergayoung, the ones against backlog that is.19:04
*** dims_ has joined #openstack-keystone19:04
samueldmqhenrynash, I don't know if it's worth it to change this, I'm just proposing something that would make our model easier to understand19:04
bknudsonanybody have concerns with backporting https://review.openstack.org/#/c/136636/ to stable/juno and /icehouse? This is "Keystoneclient tests from venv-installed client"19:04
morganfainbergbknudson, no concerns19:04
morganfainbergbknudson, in fact. where can i +2 that change19:04
samueldmqhenrynash, worth it in terms of api change, since it was already published on a stable version19:04
bknudsonstable/icehouse keystone is broken without something like this.19:04
samueldmqhenrynash, and this is not a bu19:05
samueldmqhenrynash, bug*19:05
morganfainbergbknudson, *please* backport it :)19:05
bknudsonI'll work on backporting it.19:05
morganfainbergbknudson, tyvm19:05
henrynashsamueldmq: agree that we *could* do that…..I guess without the need, I’m less incluine d to change…and certainly not for K (unless you feel strongly enough about it to ask for special approval post-freeze)19:05
morganfainbergcburgess, ^^ re venv keystoneclient19:05
morganfainbergcburgess, because i know you hit this19:05
morganfainbergin icehouse19:05
cburgessThis is the whole tests needing to do a git clone thing?19:05
cburgessSo its gone in K right?19:06
cburgessAt least as far as I can tell from the most recent commits.19:06
*** rushiagr is now known as rushiagr_away19:06
bknudsoncburgess: git clone is gone in k19:06
samueldmqhenrynash, we should at least put that on the backlog ...19:06
morganfainbergand bknudson  is backporting to to j and i19:06
cburgessBackport would be *nice*, but at least the way we work not required.19:07
*** dims__ has quit IRC19:07
henrynashsamueldmq: if you feel it is important, sure...19:08
*** tonny has joined #openstack-keystone19:08
morganfainbergtopol, i need you to review something19:08
morganfainbergtopol, thismorning if possible19:08
morganfainbergtopol, https://review.openstack.org/#/c/149405/7/keystonemiddleware/audit.py19:09
morganfainbergtopol, i want a second pair of pycadf eyes [i trust steve but you are also pycadf] on it19:09
topolmorganfainber, sure can do it rightnow19:09
stevemartopol, get ready, it's a big one19:09
samueldmqhenrynash, I dont see it as a requirement ... if you dont feel it's important, I don't want to struggle with you (really) :-)19:09
morganfainbergi've looke dthrough it and it looks ok19:09
morganfainbergbut... ugh.19:09
tonnyhi, im installing openstack identity service, how can i prompt dpkg to create tenant and  endpoint? it didnt come automaticaly, "im using debian 7 and did dpkg-reconfigure keystone but didnt help"19:09
lhchengbknudson:  so I probably have to add a new function like setup_schema() in keystone.config that will update the _user_properties to set the max_password_lenght19:10
morganfainbergtonny, i am unsure how dpkg does that or if it does19:10
morganfainbergtonny, you'd need to ask zigo about the packaging19:10
*** atiwari has quit IRC19:10
henrynashsamueldmq: :-)19:10
tonnymorganfainberg, alright thanks19:10
topolmorganfainberg, stevemar. Its a gig-Nash-tic :-)19:11
henrynashsamueldmq: but as I said, I could be wrong (frequently am)…so if you do feel it is important, put it in the backlog19:11
morganfainbergtonny, there are docs on how to bootstrap the basic info into keystone [devstack does this]19:11
*** EmilienM is now known as EmilienM|afk19:11
morganfainbergtonny, and there is this document that might help some: http://docs.openstack.org/developer/keystone/configuringservices.html19:11
morganfainbergtonny, and http://docs.openstack.org/developer/keystone/configuration.html19:12
*** marg7175 has joined #openstack-keystone19:12
henrynashtopol: topol has clearly been listening to 70’s hit radio agin19:12
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3  https://review.openstack.org/14470219:12
morganfainbergtonny, but afaik dpkg doesn't do a much setup by design - since it's highly deployment specific on what you'd run in keystone19:12
topolhenrynash, I love the 70's music!19:13
stevemarhenrynash, all his presets are 70s stations19:13
henrynashtopol: salt of the earth, salt of the earth19:13
tonny<morganfainberg, thanks alot for the helps and greate suggestions, i have done installing openstack with ubuntu, i can do it with keystone commands, just was wondering why no prompts19:13
topolhenrynash, Im guessing you made it to Studio 54 once or twice19:13
morganfainbergtonny, probably because it's highly deployment specific. the pkg doesn't really have the capability to know what you'd expect it to do19:13
*** marg7175 has quit IRC19:13
henrynashtopol: confession time: my first two albums I bought were….Emerson, Lake and Palmer….and The Wombles…19:14
morganfainberghenrynash, https://review.openstack.org/#/c/137268/11 did you have any real material concerns on the patch?19:14
henrynashtopol: I have forever sinned….19:14
morganfainberghenrynash, or just the nits?19:14
morganfainberghenrynash, also really? ELP? REALL?!19:14
tonny<morganfainberg>, yeah but how it worked for alot others :D? i have set the priority even on low, to prompt every little detail but no luck19:14
henrynashmorganfainberg: they’re nits..can be cleaned up later19:15
*** marg7175 has joined #openstack-keystone19:15
henrynashmorganfainberg: Tarkus, my friend, Tarkus19:15
morganfainbergtonny, well packaging is outside of the scope of what keystone would do. - zigo packaages things, we don't maintain (nor do we want to) the packaging info in keystone19:15
topolhenrynash, how about when KISS went through its disco phase?  I have seen them in concert twice in raleigh the past two years19:15
openstackgerritMerged openstack/pycadf: Do not depend on endpoint id existing in the service catalog  https://review.openstack.org/10906019:16
morganfainbergtopol, if that patch looks good i'll wait for it to merge then release middleware19:16
morganfainbergwith it19:16
morganfainbergtopol, if there are any concerns, that'll land next release of middleware19:16
tonny<morganfainberg>, oh ok, ty :-)19:16
henrynashtopol: Robbie Williams: “Every morning when I wake up, I feel like KISS but without the makeup…”19:16
tonny<morganfainberg> sorry for the trouble19:16
morganfainbergtopol, it's no trouble at all :)19:16
morganfainbergtonny, i mean you, it's no trouble at all19:16
tonny<morganfainberg> ;)19:17
morganfainbergtopol, disregard that message that was meant for tonny19:17
*** tonny has quit IRC19:17
*** dims__ has joined #openstack-keystone19:18
henrynashstevemar: if you get a chance could you relook at: https://review.openstack.org/#/c/132634/ - I answered your comments (a few patches ago)…let me know if you have more questins19:18
stevemarhenrynash, i'll keep it open in a tab, in the middle of other things atm19:19
topolmorganfainberg, give me 5 mins19:20
*** ljfisher has quit IRC19:20
morganfainbergtopol, no worries. take your time. i wont release middleware till 1500pacific anyway19:21
morganfainbergtopol, at the earliest19:21
*** dims_ has quit IRC19:21
henrynashstevemar: np19:21
*** esmute has quit IRC19:23
*** esmute has joined #openstack-keystone19:26
*** atiwari has joined #openstack-keystone19:28
samueldmqlbragstad, found your comments on json schema interesting, will ping you later to talk about19:32
lbragstadsamueldmq: ok19:32
samueldmqlbragstad, I have a meeting now ... but overall I think if we have adopted that on keystone (we 're effectively using it) I should change how I am doing that19:33
samueldmqlbragstad, otherwise, we could merge and then address every validation together19:33
samueldmqlbragstad, I'd be able to help with that19:33
*** samueldmq is now known as samueldmq-away19:34
samueldmq-awaylbragstad, sorry gotta to go19:34
lbragstadsamueldmq-away: no worries, https://github.com/openstack/keystone/blob/15fb5d68cd871a9d05f3bc332139e808d47af2a8/keystone/assignment/controllers.py#L489 is already being used in the assignment controller, so some of the ground work is already done19:35
*** atiwari has quit IRC19:43
openstackgerritayoung proposed openstack/keystone-specs: Hierarchical Roles  https://review.openstack.org/12570419:43
openstackgerritayoung proposed openstack/keystone-specs: Fetch policy.json from server  https://review.openstack.org/13465519:43
openstackgerritayoung proposed openstack/keystone-specs: Policy rules mangaged from a database  https://review.openstack.org/13381419:43
openstackgerritayoung proposed openstack/keystone-specs: unified policy file  https://review.openstack.org/13465619:43
openstackgerritayoung proposed openstack/keystone-specs: Enforce policy from keystoneclient  https://review.openstack.org/13348019:43
openstackgerritayoung proposed openstack/keystone-specs: Default Policy  https://review.openstack.org/13465719:43
lhchengbknudson: http://paste.openstack.org/show/170908/ <- this fixes the issue by avoiding reading CONF when it is not ready yet. what do you think?19:43
bknudsonwe seem to have a lot of people posting WIPs to stable keystone branches today.19:46
*** atiwari has joined #openstack-keystone19:46
*** atiwari has quit IRC19:47
stevemarWIP it, WIP it good19:47
*** atiwari has joined #openstack-keystone19:48
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Use standard logging in oslo.policy  https://review.openstack.org/15463519:50
stevemarmorganfainberg, yessum...19:50
morganfainbergstevemar, no Devo for you19:50
stevemarscrew you all, i'm going home19:50
morganfainbergunless you are posting pics of you wearing an energy dome hat as well.19:50
morganfainbergwhile saying WIP it WIP it good19:50
* morganfainberg had a college buddy with the official devo energy dome hat19:51
stevemarofficial, thats fancy19:51
morganfainbergyeah... came off a box of cerial iirc.. you know mail-in style from the 80s19:51
*** jaosorior has quit IRC19:51
morganfainbergstevemar, so.. http://www.swag-inc.com/shop/devo/devo-energy-dome-red.html next summit19:52
morganfainbergiexpect you to be wearing that19:52
openstackgerritMerged openstack/keystonemiddleware: Refactor auth_uri handling  https://review.openstack.org/15388019:55
tqtranstevemar: is it safe to assume that token authentication is currently only use for websso? or should that check not be there?19:56
*** nellysmitt has quit IRC19:56
tqtranif 'token' in request.POST: or if websso_enabled and 'token' in request.POST:19:56
topolmorganfainberg, Looks good to me. Merge it!!!19:56
topolmorganfainberg, stevemar I saw on the grammys one of the devo guys dies this year.. No reunion tour :-(19:58
stevemartqtran, hmmm, theoretically token auth could be used for other non-websso operations19:59
stevemarbut i don't see how a user would know that19:59
stevemari think if 'token' in request.POST is good enough20:00
tqtranstevemar: ok, sounds good20:00
*** marg7175 has quit IRC20:00
*** esmute has quit IRC20:02
*** atiwari has quit IRC20:02
lbragstaddstanek: do you happen to know when the kvs driver will be pulled out?20:03
lbragstaddstanek: looking for the official deprecation statement20:03
*** esmute has joined #openstack-keystone20:03
*** marg7175 has joined #openstack-keystone20:04
lbragstaddstanek: nevermind, found it20:04
*** marg7175_ has joined #openstack-keystone20:05
*** marg7175_ has quit IRC20:05
*** marg7175_ has joined #openstack-keystone20:05
*** atiwari has joined #openstack-keystone20:06
openstackgerritLin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/13212220:07
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228120:07
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240320:07
*** marg7175 has quit IRC20:08
*** atiwari has quit IRC20:11
*** marg7175 has joined #openstack-keystone20:12
openstackgerritLin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/13212220:12
openstackgerritMerged openstack/keystonemiddleware: Turn our auth plugin into a token interface  https://review.openstack.org/13726820:13
*** marg7175_ has quit IRC20:14
dstaneklbragstad: which kvs driver? i have a patch to remove the catalog one almost ready to post20:15
lbragstaddstanek: yeah I was curious about the catalog one20:15
lbragstadI already found it and linked it a review you'd commented on e20:16
lbragstads/on e/on/20:16
*** atiwari has joined #openstack-keystone20:16
*** atiwari has quit IRC20:16
*** esmute has quit IRC20:19
*** zz_avozza is now known as avozza20:23
*** esmute has joined #openstack-keystone20:23
*** guimaluf has joined #openstack-keystone20:24
guimalufHey guys, I've setup HAProxy ssl passtrhough to keystone. Using curl I can access keystone api with -k and passing --cacert. but with keystone client, even with OS_CACERT, I can't run any command without the --insecure flag...20:25
guimalufmy keystone endpoints points to https://haproxy:5000/v2.0, https://haproxy:35357/v2.020:25
guimalufI don't know if this is an issue of my setup or keystoneclient...20:25
guimalufI've got this error: Authorization Failed: <attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https:20:25
*** EmilienM|afk is now known as EmilienM20:35
*** nellysmitt has joined #openstack-keystone20:42
openstackgerritLin Hua Cheng proposed openstack/keystone: Add schema for endpoint group  https://review.openstack.org/15029220:43
*** ctina has quit IRC20:46
*** gokrokve has quit IRC20:46
*** gokrokve has joined #openstack-keystone20:46
*** gokrokve has quit IRC20:51
*** g2` has quit IRC20:51
dims__hey all, do any of the check/gate jobs use keystone-all?20:53
morganfainberg"L" = OpenStack Liberty20:54
morganfainbergdims__, postgres one20:54
morganfainbergdims__, though i want to drop eventlet support eventually :P20:54
*** nicodemos has quit IRC20:54
dims__morganfainberg: yep, working towards it20:55
*** marg7175 has quit IRC20:57
*** esmute has quit IRC20:59
*** marg7175 has joined #openstack-keystone21:02
morganfainbergx-project meeting in #openstack-meeting21:03
morganfainbergif anyone is planning on joining21:03
morganfainbergCPLs specifically21:03
*** esmute has joined #openstack-keystone21:08
*** esmute has quit IRC21:12
*** esmute has joined #openstack-keystone21:14
*** stevemar has quit IRC21:14
*** marg7175 has quit IRC21:15
*** radez_g0n3 is now known as radez21:20
*** marg7175 has joined #openstack-keystone21:22
*** atiwari has joined #openstack-keystone21:23
*** atiwari has quit IRC21:25
*** pnavarro has quit IRC21:25
*** atiwari has joined #openstack-keystone21:26
*** jsavak has joined #openstack-keystone21:35
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005021:35
*** joesavak has quit IRC21:38
*** atiwari has quit IRC21:38
*** atiwari has joined #openstack-keystone21:40
dolphmmorganfainberg: at lance's suggestion, added keystone-specs to https://gist.github.com/dolph/651c6a1748f69637abd021:40
morganfainbergah ty21:40
*** atiwari has quit IRC21:41
*** atiwari has joined #openstack-keystone21:42
openstackgerritayoung proposed openstack/keystone-specs: Alembic for SQL migrations  https://review.openstack.org/13153121:44
*** gyee has joined #openstack-keystone21:51
*** ChanServ sets mode: +v gyee21:51
lbragstadmorganfainberg: do we have a list of specs we know we want to get in still, or have ffs exceptions for?21:51
lbragstadI'm trying to go through and star some of them21:51
*** samueldmq_ has joined #openstack-keystone21:59
*** topol has quit IRC22:00
morganfainberglbragstad, only 1, rodrigos22:01
morganfainbergfor the SPFE22:01
*** spandhe has quit IRC22:02
*** nellysmitt has quit IRC22:03
morganfainberglbragstad, and AE if someone sends an email requesting it >.>22:05
*** joesavak has joined #openstack-keystone22:09
guimalufhey guy, I really need help... my production environment is down for two days and I can't fixit. I had 3 keystone+swiftproxy nodes, balanced with DNS-RR and endpoints pointing to DNS; keystone running on 5000/35357 and swift on 443, both with self-signed certificate and native ssl; Then I've changed the swiftproxy to run on port 8080, disable the native SSL, set up HAProxy(real LB with healthcheck and SSL passthrough)22:11
guimalufredirecting tcp connections to keystone/swiftproxy nodes and changed keystone endpoints pointing to HAProxy hostname with specific ports. What is happening now: Using curl I can access keystone api with -k and passing --cacert. but with keystoneclient, even with OS_CACERT, I can't run any command without the --insecure flag; swift just don't work, through API or swiftclient. Someone could help me please?22:11
*** jsavak has quit IRC22:12
gyeeguimaluf, can you tell you have the right cert?22:13
gyeeopenssl s_client --debug <host>:<port>22:13
gyeethat should tell you which cert you are dealing with22:14
guimalufgyee, what should I expectec to see? accessing keystone ports I can see the diferent nodes certificates...22:16
*** thedodd has quit IRC22:17
guimalufgyee, hmmm verify error:num=20:unable to get local issuer certificate; verify error:num=21:unable to verify the first certificate; Verify return code: 21 (unable to verify the first certificate)22:17
guimalufi think this is an error right?22:17
lhchengmorganfainberg: Should this bug cover all extension entities? https://bugs.launchpad.net/keystone/+bug/141661522:18
openstackLaunchpad bug 1416615 in Keystone "add schema for some extension entities" [Wishlist,Confirmed] - Assigned to Lin Hua Cheng (lin-hua-cheng)22:18
*** atiwari has quit IRC22:18
morganfainbergzigo, ping22:18
gyeeguimaluf, right, what do you have in OS_CACERT?22:18
zigomorganfainberg: Hi.22:18
gyeeI mean what's in that file?22:18
gyeeopenssl x509 -in <cacert_file> -text -noout22:19
morganfainbergzigo, someone was asking me why this https://gist.github.com/cburgess/34945e855e504c3fb199 was in the ubuntu package for keystone, any idea if this is something they do commonly?22:19
gyeedoes it match the self-signed cert?22:19
morganfainbergzigo, in icehouse i think22:19
*** atiwari has joined #openstack-keystone22:19
guimalufgyee, the intermediate.pem certificate....22:19
gyeek, do this22:19
guimalufgyee, when I pass this to curl it works, but to keystoneclient no22:19
morganfainbergzigo, it's nothing major, just... surprised me. figured you'd be the best person to ask if you knew if this was commonplace22:20
gyeeopenssl s_client -CAfile <cacert> -connect <host:port>22:20
gyeesee if you see any errors22:20
guimalufverify error:num=2:unable to get issuer certificate; Verify return code: 2 (unable to get issuer certificate)22:21
gyeethere ya go :)22:21
zigomorganfainberg: What is this commit about?22:21
morganfainbergit's not a commit22:21
morganfainbergit's a patch aparantly carried in the ubuntu package for keystone (icehouse release)22:21
zigoOh, a patch...22:21
zigomorganfainberg: Well, I don't maintain stuff in Ubuntu, I do in Debian.22:21
zigomorganfainberg: You'll have to ask people from Canonical.22:22
morganfainbergright, just wondering if you'd seen this type of stuff before22:22
zigoI don't have such a patch in Debian.22:22
guimalufgyee, what I should do next? I really don't know....22:22
*** darrenc is now known as darrenc_afk22:22
morganfainbergzigo, cool - it seems wierd to add an x-distribution header to *every* bloody request22:22
guimalufgyee, why it works with curl?!22:23
gyeeguimaluf, did you use 'curl -k'?22:23
morganfainbergzigo, i mean i can't stop them from doing it but... kind of w.t.f.22:23
zigomorganfainberg: It's kind of "please, I'm distribution X, with Y security hole, please hack me..."22:24
morganfainbergzigo, right?!22:24
zigoAnd yeah, it's also a w.t.f thing ... :)22:24
zigomorganfainberg: This reminds me the Horizon theme from Ubuntu which was completely broken ! :)22:25
zigohint: switch to Debian... :)22:25
ayoungmorganfainberg, let me state right now that we are having a session at the Vancouver summit called Death to Tokens.22:25
morganfainbergayoung, LOL22:26
ayoungmaybe an Ops summit session called Death By Tokens as well.22:26
zigoayoung: Will you have a session called "death to python-memcache" ?22:26
morganfainbergzigo, actually..22:26
guimalufgyee, with curl -k and with curl --cacert intermediate.pem22:26
ayoungzigo, Nah.  Memcache isnot the problem, eventlet is the problem22:26
*** stevemar has joined #openstack-keystone22:26
*** ChanServ sets mode: +v stevemar22:26
zigoayoung: Or do I need to annoy everyone about it for 3 more cycles before someone does something! :)22:26
morganfainbergreminds me we should get the other one in global reqs and move over to it22:26
morganfainbergzigo, what is your complaint about python-memcache?22:27
morganfainbergzigo, specifically.22:27
morganfainbergzigo, because either i'll make you happy or very sad22:27
zigoayoung: Do you remember what Sean Dague told me when I asked "what's the process for removing a bad module from our dependencies" ?22:27
ayoungzigo, get people off Eventlet and the hackiness it does with threading.  Or someone needs to bite the bullet and make an Eventlet specific hack to python-memcache that deals with greenthreads22:27
gyeeguimaluf, means curl is ignoring signer errors most likely22:27
morganfainbergayoung, there is another memcache lib that solves the issues... but it's not drop-in replacement.22:28
zigomorganfainberg: Specifically, it's SHIT (look at the code, seriously...), and it is the major blocker for having the possibility for me to support Python 3.22:28
guimalufgyee, probably keystoneclient is not, right?!22:28
guimalufgyee, what else do I  need to make this cert work....?22:28
ayoungmorganfainberg, does it work with Apache, or are we forced into an "either or"  situation?22:28
morganfainbergzigo, ok good then the answer is we need the pintrest? the otherone in global reqs22:28
morganfainbergayoung, it removes thread.local issues but otherwise would work with apache22:29
morganfainbergayoung, it's actually well written22:29
ayoungand py3 compat?22:29
zigomorganfainberg: pymemcache is not bad, actually.22:29
zigo(used by Ceilometer)22:29
morganfainbergzigo, thats the one22:29
zigoClean code, clean classes.22:29
openstackgerritLance Bragstad proposed openstack/keystone: Allow for periods in id_strings on validation  https://review.openstack.org/14502422:29
morganfainbergif it's in global reqs then that is the one we should be moving to22:29
* ayoung happy to let others lead on that22:29
morganfainbergalso dogpile maintainer said he wanted to move to that as well22:29
morganfainbergzigo, so you really don't have arguments from people here ;)22:29
morganfainbergzigo, i almost forked python-memcache to do a rewrite before seeing pymemcache around the end of juno cycle22:30
morganfainbergzigo, because python-memcache is so bad22:30
zigomorganfainberg: Rewriting it (and just keeping its API) would be a good way to go as well !22:31
morganfainbergzigo, unfortunately that is more work than i want to do, pymemcache would be a better choice.22:32
zigomorganfainberg: I can't see pymemcache in the global-reqs for Juno anymore ... :(22:32
morganfainbergzigo, look for master ;)22:32
morganfainbergzigo, we couldn't backport a change of lib to juno if we wanted to22:32
zigomorganfainberg: I don't want to backport that, I would like that someone fixes keystoneclient so that I can get rid of python-memcache from the build-depends, which is the only blocker for Python 3 support.22:33
zigoSo we can FINALLY move forward.22:33
morganfainbergzigo, that is probably a ways out22:34
morganfainbergzigo, as auth_token in keystonelcient is frozen until ... well...22:34
zigoNot that I *did* try to have some kind of compat with Python 3 in python-memcache, but failed to do so (the code is too ugly, and each time I touch something, something else breaks...)22:34
morganfainbergi haven't been able to pin people down on how to remove it.22:34
morganfainbergand maintain compat.22:34
morganfainbergbut at least until all projects are using keystonemiddleware22:34
morganfainbergand that would be juno. so in the L release maaaaybe we can ditch it22:35
openstackgerritMerged openstack/keystonemiddleware: move add event creation logic to keystonemiddleware  https://review.openstack.org/14940522:35
morganfainbergok i'm going to go get food (finally)22:36
*** marg7175 has quit IRC22:36
morganfainbergand then i'm going to release middleware and client22:36
morganfainbergmiddleware and write up release emails.22:36
morganfainberggod is it only tuesday?22:36
zigomorganfainberg: The thing is, python-memcache is blocking keystoneclient support to Python3, then because of that, everything else is blocked (because everything else uses keystoneclient).22:36
morganfainbergzigo, i can't remove auth_token from keystoneclient at this point22:37
morganfainbergzigo. i would if i could22:37
zigoI'd like to have at least some hope to release Python3 packages for OpenStack for Stretch (the Debian release after Jessie...).22:37
morganfainbergso remove the tests that require memcache in ksc :P22:38
zigomorganfainberg: Well, maybe not, but could you switch it to pymemcache ? :)22:38
morganfainbergi'm trying very hard to avoid touching that code at all.22:38
morganfainbergi've been trying to figure out how to drop it22:38
*** ljfisher has joined #openstack-keystone22:38
morganfainbergthere is one possibility to drop it. and i'm tempted to do it...22:39
morganfainbergbut it requires splitting some code out of keystoneclient22:39
zigoNever mind, I'll just be winning more for 2 or 3 more cycles, as I wrote ! :D22:39
morganfainbergif we moved session and cms out of keystoneclient to a keystone.common module22:39
morganfainbergi could invert the dependency of ksc and ksm22:40
morganfainbergthen we could make ksc just hold a ref to the ksm middleware22:40
morganfainbergand ksm can easily be updated to pymemcache22:40
zigoActually, it seems it's even in keystoneclient/openstack/common/memorycache.py22:40
zigoSo is that oslo-incubator?22:40
morganfainbergjamielennox, we might want to split the common stuff out of client (revisit)22:40
morganfainbergzigo, oh yeah thats incubator stuff no one should be using :P22:41
stevemarbknudson, can you take a quick look at https://review.openstack.org/#/c/153877/22:41
morganfainbergbut people do22:41
morganfainbergand that is only there in support of middleware which is deprecated in ksc22:41
zigoWell, why is it there if we can't use it? :)22:41
morganfainbergzigo, it's pretty bad code22:41
guimalufgyee, no more hints for today? :/22:41
morganfainbergzigo, it's there because we haven't (I haven't) had time to make oslo.cache a reality22:42
morganfainbergor oslo_cache or whatever you want to call it22:42
zigomorganfainberg: We've setteled to call foo as oslo.foo, even if we use oslo_foo. That's silly, but that's our choice ! :)22:42
*** darrenc_afk is now known as darrenc22:42
morganfainbergzigo, right.22:43
morganfainbergzigo, so in short - if we can remove auth_token from keystoneclient all these complaints go away22:43
*** diegows has joined #openstack-keystone22:43
*** marg7175 has joined #openstack-keystone22:43
morganfainbergit's the reason we split auth_token to it's own package22:43
zigoIt got me pretty dizzy in fact.22:43
morganfainbergjamielennox, ping22:43
bknudsonwhen can we remove auth_token from keystoneclient?22:44
morganfainbergjamielennox, can we revisit the pain of moving common code out of keystoneclient and into keystone.common22:44
morganfainbergbknudson, as of today... next release maybe?22:44
zigomorganfainberg: Is the auth_token code that you're talking about the thing which all projects use in the [keystone:auth_token] in .conf files?22:44
morganfainbergbknudson, or we split session and cms out of ksc into ks.common22:44
morganfainbergbknudson, and make it better this cycle22:44
zigo(yes, I do *not* have time to investigate this kind of stuff, sorry for being stupidly ignorant...)22:44
stevemarbknudson, that should definitely be removed asap, most services/projects are using ksm22:44
bknudsonI like "make it better"22:44
morganfainbergzigo, yes, as of juno everyone should be using keystonemiddleware22:45
zigomorganfainberg: Got ya.22:45
openstackgerritMerged openstack/keystone-specs: Fix up federation rst headers  https://review.openstack.org/15387722:45
morganfainbergbknudson, it would invert the dependency of ksc, so instead of ksm importing ksc, you'd have ksm import common code and ksc import common and kscm22:45
morganfainbergbknudson, and then we'd just do a reference to the ksm midleware in keystoneclient.middleware22:45
morganfainbergbknudson, if that made sense.22:45
bknudsonthat's usually a good way to avoid a circular dependency.22:46
bknudsonwhy would ksc import keystonemiddleware?22:46
bknudsonseems like it should always be ksm -> ksc22:46
morganfainbergbknudson, because ksc can't reference code in ksm in it's middleware location22:47
bknudsonoh, I was hoping we'd just delete the copy in ksc and not worry about ref'ing keystonemiddleware.22:47
morganfainbergbknudson, we can't22:47
bknudsonwe can never do that?22:48
morganfainbergbknudson, well we might be able to22:49
bknudsononce it's been through the deprecation period we can remove it.22:49
stevemargordc, what's the next version # of pycadf?22:49
stevemarwe're at 0.7.1, we calling this one .8 or .7.222:49
morganfainbergbknudson, the issue is deprecation for *client is very much undefined22:50
stevemarbknudson, never, Love22:50
bknudsonmorganfainberg: we need keystoneclient222:50
bknudsoncross-repo dependencies??!!!22:51
*** esmute has quit IRC22:52
bknudsonwouldn't help with cross-repo deps on keystoneclient, since we need a release and requirements update.22:53
*** timcline has quit IRC22:53
gordcstevemar: no clue... anything important?22:53
*** marg7175 has quit IRC22:54
morganfainbergbknudson, if keystone.common existed22:54
morganfainbergthe implied dependency for keystoneclient w/ references to keystone.common code22:55
stevemargordc, just trying to make a patch for deprecation warning for audit api22:55
morganfainbergwould be sufficient for most projects, but it would be a global req update for keystone.common22:55
stevemargordc, since that merges with ksm, and will be alive today/tomorrow22:56
gordcstevemar: cool cool. i'll check later... heading home for now.22:56
*** marg7175 has joined #openstack-keystone22:56
morganfainbergbknudson, it also *could* mean that instead of needing all of keystoneclient and our CLI for other tools to work, they could just use the keystone.common package long term22:57
*** esmute has joined #openstack-keystone22:58
bknudsonmaybe could put a cross-project ref on global-requirements?22:59
morganfainbergis it wrong to want to make auth_token in ksc at least reference the modern auth_token?23:00
*** henrynash has quit IRC23:00
morganfainbergso we can ditch broken/old/bitrotting stuff23:00
morganfainberghonestly i don't know if that code is really working :(23:00
morganfainbergthe deprecated auth_token in ksc23:01
bknudsonmaybe just change it to import and don't even bother adding to requirements.txt23:01
*** gordc has quit IRC23:01
*** bknudson has quit IRC23:01
morganfainbergjamielennox, how awful would it be to split common objects out of keystoneclient (e.g. session, cms, etc)?23:03
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Kilo Spec Proposal Freeze Has Passed | Review Code!"23:12
*** joesavak has quit IRC23:12
morganfainbergdolphm, i think your review page is b0rked23:13
dolphmmorganfainberg: o/23:13
morganfainbergit is claiming https://review.openstack.org/132634 is part of keystone-specs23:13
dolphmmorganfainberg: lol23:13
morganfainbergand keystone is missing from there now ;)23:13
*** esmute has quit IRC23:14
dolphmmorganfainberg: looks like it's just missing a line break23:14
dolphmmorganfainberg: all better23:14
morganfainbergKSM released. i'm going to go get food before i passout23:15
morganfainbergthen i'll write the emails up23:15
*** esmute has joined #openstack-keystone23:17
*** atiwari has quit IRC23:20
tqtranstevemar: thanks for the review steve! its almost ready teddy23:20
tqtrani just have to add the discovery stuff, and we should be gtg23:21
*** atiwari has joined #openstack-keystone23:26
*** gyee has quit IRC23:28
*** esmute has quit IRC23:31
*** atiwari has quit IRC23:33
lhchengQuestion for someone familiar with the LDAP code..  When converting ldap values to python, does anybody recall why the values is tested against string boolean values?23:35
lhchengHere is the related code: https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L133-L13523:35
*** BrAsS_mOnKeY has joined #openstack-keystone23:36
lhchengThere is already a separate method enabled2py() that performs the translation from LDAP boolean to python boolean, wondering why the same logic is in ldap2py().23:36
*** esmute has joined #openstack-keystone23:37
jamielennoxmorganfainberg: mmm, i'm still going to go for a run before i come on here... the basics are easy, session shouldn't be too hard23:38
jamielennoxthere are some complications around exceptions caused primarily by OSC, it's fixed in master but it's a difficult thing to resolve completely23:39
*** chlong has joined #openstack-keystone23:39
jamielennoxi don't know why you want CMS to be in there23:39
morganfainbergjamielennox, because ksm needs cms23:39
morganfainbergas does keystone23:39
jamielennoxright - but ksm needs ksc, as does keystone23:40
morganfainbergmy thought is ks.common is where we put that stuff that ksm/keystone needs23:40
morganfainbergthen keystone doesn't need ksc imported23:40
jamielennoxmorganfainberg: ah - ok that's different then23:40
morganfainbergand ksc can import ksm and reference auth_token23:40
jamielennoxi'm thinking like client common for session23:40
jamielennoxit's not keystone specific23:40
morganfainbergand other clients can reference session etc w/o needing ksc23:40
morganfainbergcms is stupid utility code that, being in ksc reaally doesn't win us a lot23:41
morganfainbergheck it could move to ksm23:41
jamielennoxi don't mind doing both23:42
jamielennoxso it's dumb - but a major reason for not creating client common yet is the lack of a name23:42
morganfainbergjamielennox, sure. lets chat about what it would take to make this a reality when i'm back.23:42
jamielennoxthis will be the first package people import for everything to do with clients to create a session23:42
morganfainbergand you're done w/ teh run23:42
jamielennoxfrom commonclient import session23:42
*** ncoghlan has joined #openstack-keystone23:43
morganfainbergjamielennox, fyi i just registered https://pypi.python.org/pypi/commonclient in case you wanted to use that.23:44
morganfainbergjamielennox, happy to transfer it over to you if you decide to23:44
morganfainbergand/or infra23:44
*** spandhe has joined #openstack-keystone23:45
jamielennoxmorganfainberg: lol23:45
*** spandhe_ has joined #openstack-keystone23:45
jamielennoxwas an example...23:46
*** dims_ has joined #openstack-keystone23:46
jamielennoxbesides it'd have to be python-commonclient23:46
*** dims__ has quit IRC23:47
*** marg7175 has quit IRC23:48
*** spandhe has quit IRC23:49
*** spandhe_ is now known as spandhe23:49
*** dims_ has quit IRC23:50
jamielennoxmorganfainberg: looks like i'm not getting to that run for a bit23:58
ayoungjamielennox, the client side parsing of the serevice catalog is region aware?23:59
jamielennoxayoung: what do you mean by region aware - it knows it's there but it wont act on it till you query the catalog23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!