Wednesday, 2015-02-11

ayoungjamielennox, query as in  locally or remotely   will do something?  Will it return different endpoints from the same fetched service catalog depending?00:00
ayoungjamielennox, like, this test right here:
jamielennoxayoung: the fetched catalog should always be the same (ignoring endpoint filtering)00:01
jamielennoxayoung: when you ask the catalog for a url you have to ask what region you want it in00:01
ayoungIt uses the region name out of the token body, and returns differnt endpoints depending on which match00:01
ayoungthat test sets the region in response the middle of the test  and does not do a fetch from the server00:02
*** nellysmitt has joined #openstack-keystone00:04
jamielennoxso there is no region name in the token body returned from the server00:06
*** dims__ has joined #openstack-keystone00:07
jamielennoxthere was some dumb hack that was made a long time ago that i think was so that you could set the region on the catalog and then just ask for the service_type00:07
jamielennoxit meant that it didn't break what AccessInfo was doing00:07
jamielennoxi think where it's still used i've commented that it's a bit dumb00:08
*** nellysmitt has quit IRC00:08
*** samueldmq_ is now known as samueldmq00:09
*** markvoelker has quit IRC00:17
*** tqtran is now known as tqtran_afk00:29
*** dims__ has quit IRC00:31
*** atiwari has joined #openstack-keystone00:32
*** atiwari has quit IRC00:47
*** r-daneel has quit IRC00:49
*** gyee has joined #openstack-keystone00:51
*** ChanServ sets mode: +v gyee00:51
*** markvoelker has joined #openstack-keystone00:52
*** dims__ has joined #openstack-keystone00:53
*** dims_ has joined #openstack-keystone00:54
*** markvoelker has quit IRC00:56
*** markvoelker_ has joined #openstack-keystone00:56
*** dims__ has quit IRC00:58
*** carlosmarin has quit IRC01:01
*** atiwari has joined #openstack-keystone01:02
stevemarlhcheng, there was a reason for that01:03
lhchengstevemar: yeah, I saw that. :)01:05
lhchengI am thinking of removing:
lhchengif any LDAP attribute has a value of "TRUE" or "FALSE" it is automatically converted to boolean01:05
*** atiwari has quit IRC01:06
lhchengstevemar: henry reported a bug around that:
openstackLaunchpad bug 1411478 in Keystone "Any attribute that is equal to 'TRUE' or 'FALSE' is treated as boolean by LDAP drivers" [High,New] - Assigned to Lin Hua Cheng (lin-hua-cheng)01:06
ayounglhcheng, only if someone reports a bug01:06
lhchengayoung: yes :D01:06
ayoungdid you actually see that as a propblem in production?01:06
ayoungAh,, Henrynash01:07
lhchengayoung, no not yet01:07
ayoungso, yeah, that is wrong.  Mr.  True is going to be messed up by that one01:07
lhchengayoung: Heh okay, I'll remove that and add some test around it.01:08
stevemarlhcheng, yeah i think that makes sense01:08
ayoungI suspect that is in there for enabled.  You might want to special case that one01:08
stevemarif it's 'enabled' then let the enabled2py handle, everything else ldap2py (without boolean handling)01:09
lhchengayoung: stevemar took care of that :)01:09
stevemarayoung, 'enabled' is already handled separately01:09
stevemarbefore that, we were trying to decode all attributes as once, trying to convert to boolean, then int, then str... which caused problem for user ids that began with 0, since it would chop off the 001:10
stevemarwhen boolean and int handling is really only needed for 'enabled' attributes01:11
*** atiwari has joined #openstack-keystone01:17
openstackgerritwanghong proposed openstack/keystone: add missing links for v3 OS-EC2 API response
lhchengstevemar: I'll submit a patch, let's how see what other folks think.01:21
openstackgerritSteve Martinelli proposed openstack/pycadf: Add deprecation message to Audit API
stevemarlhcheng, sounds good01:24
*** david-lyle has quit IRC01:26
openstackgerritLin Hua Cheng proposed openstack/keystone: Don't try to convert LDAP attributes to boolean
*** atiwari has quit IRC01:33
*** rwsu is now known as rwsu-afk01:39
*** abhirc has quit IRC01:42
lhchengstevemar: thanks for the quick review!01:50
stevemarlhcheng, np at all01:51
openstackgerritLin Hua Cheng proposed openstack/keystone: Don't try to convert LDAP attributes to boolean
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role
*** lnxnut_ has quit IRC01:52
*** lnxnut has joined #openstack-keystone01:53
samueldmqlbragstad, you around ?01:53
*** erkules_ has joined #openstack-keystone02:02
*** nellysmitt has joined #openstack-keystone02:05
*** erkules has quit IRC02:05
*** abhirc has joined #openstack-keystone02:07
*** david-lyle has joined #openstack-keystone02:08
*** nellysmitt has quit IRC02:10
*** amerine has quit IRC02:13
*** richm has quit IRC02:16
openstackgerritLin Hua Cheng proposed openstack/keystone: Don't try to convert LDAP attributes to boolean
*** gyee has quit IRC02:31
openstackgerritIan Wienand proposed openstack/oslo.policy: Turn off missing-directory log output for default case
*** ayoung has quit IRC02:41
*** rdo has quit IRC02:45
*** david-lyle has quit IRC02:46
*** harlowja is now known as harlowja_away02:46
*** lhcheng has quit IRC02:49
*** thedodd has joined #openstack-keystone02:49
*** david-lyle has joined #openstack-keystone02:50
*** rdo has joined #openstack-keystone02:52
*** ayoung has joined #openstack-keystone02:53
*** ChanServ sets mode: +v ayoung02:53
*** diegows has quit IRC02:54
*** tqtran_afk has quit IRC02:54
*** erkules has joined #openstack-keystone03:00
*** junhongl has quit IRC03:02
*** erkules_ has quit IRC03:02
*** junhongl has joined #openstack-keystone03:09
*** ljfisher has quit IRC03:12
*** ljfisher has joined #openstack-keystone03:12
*** ljfisher has quit IRC03:13
*** junhongl has quit IRC03:22
*** krtaylor has quit IRC03:24
*** junhongl has joined #openstack-keystone03:27
*** david-lyle has quit IRC03:31
*** abhirc has quit IRC03:32
ayoungjamielennox, in the kc/ we set and read the region value from  body['token']['region_name']  is that part of the token spec?  I don't see it?03:32
jamielennoxno it's not03:33
jamielennoxayoung: somewhere it can get set on the accessinfo object03:34
jamielennoxwhich would get inherited to the service catalog03:34
ayoungjamielennox, so  if I get a token from the server, the only place I would expect to see the region is in the endpoint entry itself, right?03:34
jamielennoxand that meant you didn't need to add a region parameter to the management_url property03:34
jamielennoxwas the best i could ever figure out what the point was03:35
jamielennoxwhich is a huge part of the reason i tried to deprecate a bunch of that stuff03:35
ayoungjamielennox, I can see you pain shining through this code03:35
ayoungyour pain03:35
ayoungit really should be part of the token request.03:36
jamielennoxayoung: so long as you know i didn't write it03:36
ayoungOr, better yes, associated with the project, I would think03:36
ayoungbetter yet03:36
jamielennoxayoung: i've thought that as well - with hierarchical regions we should be able to have region as part of the auth03:36
*** krtaylor has joined #openstack-keystone03:36
ayoungof course, the way people use projects, a single project could be talking to endpoints in two regions, so we can't force it03:37
jamielennoxbut it works as an additional03:37
jamielennoxthere just isn't good enough support for hierarchical regoins03:37
ayoungso to keep this test working...03:37
ayoungI need to deal with ['token']['region_name']  being optionally in the body...03:38
ayoungOK, so long as I know why...I can make that work03:38
jamielennoxright - the wonder or the AccessInfo objects, they didn't just put new properties on the dicts they made those properties part of the items03:39
ayoungI'm cartrying that stuff forward, but isolating it into its own class03:39
jamielennoxayoung: this is kind of why i'm not sure it's worth the effort, is the new way turning out any cleaner?03:39
*** rushiagr_away is now known as rushiagr03:39
ayoungI'm down to 35 failing tests....this should knock out another 3 or 403:39
jamielennoxextract a clean subclass and put all the crap on top?03:39
ayoungthis is a good exercise for me regardless, as I've not had to deal with it03:39
jamielennoxthat was always my thought - except i didn't want to subclass dict at all at the bottom03:40
ayounglet me get the tests running and I'll post, and expect a thorough drubbing from you at that point03:40
jamielennoxit's also how i was thinking about getting rid of some old code from auth_token middleware03:40
*** BrAsS_mOnKeY has quit IRC03:42
*** marg7175 has joined #openstack-keystone03:44
*** marg7175 has quit IRC03:47
*** marg7175 has joined #openstack-keystone03:47
*** abhirc has joined #openstack-keystone03:51
*** g2` has joined #openstack-keystone03:55
*** samueldmq has quit IRC04:00
*** dims_ has quit IRC04:01
*** rushiagr is now known as rushiagr_away04:04
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role
*** g2` has quit IRC04:04
*** nellysmitt has joined #openstack-keystone04:06
*** david-lyle has joined #openstack-keystone04:09
*** nellysmitt has quit IRC04:10
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Use standard logging in oslo.policy
*** g2` has joined #openstack-keystone04:12
*** abhirc has quit IRC04:14
*** abhirc has joined #openstack-keystone04:19
*** Novtopro has joined #openstack-keystone04:20
*** Novtopro has quit IRC04:21
*** g2` has quit IRC04:22
*** Novtopro has joined #openstack-keystone04:22
*** spandhe has quit IRC04:22
*** Novtopro has quit IRC04:22
*** g2` has joined #openstack-keystone04:28
*** spandhe has joined #openstack-keystone04:31
*** lnxnut has quit IRC04:33
openstackgerritSteve Martinelli proposed openstack/oslo.policy: document the migration process and update the docs a bit
*** rushiagr_away is now known as rushiagr04:52
*** avozza is now known as zz_avozza04:55
*** zz_avozza is now known as avozza04:56
*** zzzeek has quit IRC04:59
*** dims__ has joined #openstack-keystone05:02
*** dims__ has quit IRC05:07
*** g2` has quit IRC05:24
*** krtaylor has quit IRC05:24
*** marg7175 has quit IRC05:29
*** g2` has joined #openstack-keystone05:30
*** krtaylor has joined #openstack-keystone05:38
*** 21WABATV9 has joined #openstack-keystone05:55
*** MasterPiece has joined #openstack-keystone06:05
*** nellysmitt has joined #openstack-keystone06:07
*** jay-lau-513 has joined #openstack-keystone06:09
jay-lau-513Does anyone can give some tips for how to restart keystone via devstack06:09
jay-lau-513I noticed that keystone was started by sudo tail -f /var/log/apache2/keystone.log & echo $! >/opt/stack/status/stack/; fg || echo "key failed to06:10
jay-lau-513and even if I stop the screen for keystone, and restart, the process if of keystone still does not change06:10
morganfainbergYou need to restart Apache.06:11
morganfainbergThat screen is just tailing the Apache generated log.06:11
*** nellysmitt has quit IRC06:11
morganfainbergKeystone is run under mod_wsgi in Apache.06:11
jay-lau-513so I need to "service Apache restart"?06:12
jay-lau-513I was using ubuntu06:12
morganfainbergI think that's it. Might be apache206:13
morganfainbergI honestly use tab complete ;).06:13
jay-lau-513may I know why we are using this way to run keystone?06:13
jay-lau-513unlike nova, cinder etc?06:14
morganfainbergWe rely on Apache to better manage integration with other systems. Example is federated identity relies on Apache modules to decode SAML via mod_shib06:14
morganfainbergSecond the process management tends to be better with the blocking calls that keystone does rather than coroutines via eventlet.06:15
*** MasterPiece| has joined #openstack-keystone06:16
*** MasterPiece has quit IRC06:17
jay-lau-513morganfainberg thanks for the help :)06:17
morganfainbergIn short, it's a better model. Also https works better under Apache (as the ssl layer) than python's. ;)06:17
morganfainbergSure thing!06:17
jay-lau-513I c, thanks06:19
*** ajayaa has joined #openstack-keystone06:19
*** spandhe has quit IRC06:19
stevemarmorganfainberg, great recap of the reasons :)06:20
jay-lau-513morganfainberg one more thing, so how can I debug keystone ?06:22
jay-lau-513with pdb?06:22
jay-lau-513I found that I cannot debug it in screen06:22
ajayaaHi guys. While running keystone-all I am getting an import error. log is at
jay-lau-513stevemar cool!06:23
ajayaaBut I can import 'types' in a python interpreter.06:23
ajayaaI think it's weird. Please have a look.06:23
morganfainbergajayaa: old venv?06:24
stevemarajayaa, can you run $ python -c "from oslo_config import types"06:24
morganfainbergThis looks like namespace oslo weirdness06:24
ajayaastevemar, that works.06:25
ajayaamorganfainberg, I took latest keystone yesterday and struggling.06:25
morganfainbergajayaa: are you using a venv to run keystone?06:25
ajayaaI think I should do that.06:25
morganfainbergDo you have the latest oslo.config installed?06:26
stevemarajayaa, output of $ pip freeze | grep oslo.config06:26
stevemarmorganfainberg, yeah, i was going to suggest upgrading oslo.config06:26
morganfainbergstevemar: yeah this sounds related to the namespaces.06:26
ajayaamorganfainberg, Yes. 1.6.006:26
ajayaahere is a line from keystone requirements file. "oslo.messaging>=1.6.0"06:27
stevemarwe're looking at config?06:28
stevemarnot messaging right?06:28
ajayaastevemar, nope.06:28
morganfainbergRight the error says oslo.config doesn't it?06:28
*** spandhe has joined #openstack-keystone06:28
ajayaamorganfainberg, yes.06:29
morganfainbergYeah your error says oslo_config (oslo.config) not oslo.messaging06:29
ajayaaoslo.config or oslo_config (whatever) seems to be the problem.06:29
morganfainbergRight so do you have the latest oslo.config ?06:30
ajayaamorganfainberg, yes.06:30
ajayaaI installed it from pypi.06:31
stevemar$ pip freeze | grep oslo.config ->06:31
stevemarif you're not running from a venv, and you have the latest installed, it should run06:31
ajayaaShall I try running keystone-all in a venv?06:31
stevemaryou are using the latest master branch code?06:32
ajayaastevamar, yes.06:32
morganfainbergThis is a wierd one. Like one of those errors that doesn't match.06:32
stevemarajayaa, did you set this up using devstack?06:33
ajayaastevemar, yes.06:33
stevemarwas it running at all?06:33
morganfainbergbut it's trying to import from oslo.config06:33
morganfainbergnot oslo_config06:33
morganfainbergfrom oslo.config import types06:34
ajayaaIt got stuck at the point where it waits for keystone service to start.06:34
stevemarmorganfainberg, good point, that was changed a few days ago06:34
ajayaabecause it does not start at all.06:34
stevemarajayaa, can you paste your localrc file?06:34
morganfainbergwhich is the master commit you're working from?06:35
stevemari'd recommend setting RECLONE=True in that file, to make sure everything (oslo libs and keystone is at the latest)06:35
stevemarjust make sure you backup any uncommitted code, it'll get nuked06:35
morganfainbergajayaa, this commit is the one you need to verify you have:
ajayaaI have RECLONE=yes in my localrc06:36
stevemarright, it should be yes06:36
morganfainbergi know what it is06:36
morganfainberghis bin is out of date06:36
morganfainbergkeystone-all itself is out of date06:36
stevemaruse sudo service apache2 restart,06:36
stevemarnot keystone-all06:36
morganfainberghe's useing keystone-all06:36
ajayaamorganfainberg, I have that commit.06:37
stevemarah did brant miss an oslo.config?06:37
morganfainbergbut his bin is out of date. likely a re-run of setup will solve it06:37
morganfainbergchecking but unlikely06:37
ajayaamorganfainberg, I ran "sudo python install" just now.06:37
ajayaastill the same problem while running keystone-all06:38
morganfainberghm. maybe not.06:38
ajayaaIf the gate is not broken it is some issue with my env, I guess.06:39
morganfainbergFile "/usr/local/lib/python2.7/dist-packages/oslo_config/", line 334, in <module06:39
morganfainbergthis looks wrong.06:39
morganfainberg File "/usr/local/lib/python2.7/dist-packages/oslo_config/", line 334, in <module>06:39
morganfainberg    from oslo.config import types06:39
ajayaaWhy does that look wrong? If I open file I can see comments of almost 300 lines.06:41
morganfainbergwas this an old devstack?06:41
ajayaayeah. Pypi and git are on the same line.06:41
ajayaamorganfainberg, Yes.06:41
morganfainbergthat you just updated06:41
ajayaamorganfainberg, yes06:41
morganfainbergok this is i think an issue with namespaced packages06:42
morganfainbergi'll *bet* you have mis-matched packages06:42
morganfainbergone package owns oslo namespace and one is installing oslo.config directly as a symlink06:42
morganfainbergbasically oslo/config is out of sync with the package that should own it06:42
morganfainbergit's the whole issue that led to dropping the name-space packages06:42
morganfainbergi recommend removing and reinstalling all of the oslo packages06:43
morganfainbergit's sucky :(06:43
ajayaamorganfainberg, I will do that. Thanks.06:43
morganfainbergbut pip does bad things with namespaced packages... i'll be one of them is installed in develop mode06:44
morganfainbergand the others aren't06:44
ajayaaWhat is a develop mode?06:44
morganfainbergwhere a symlink is used06:44
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.policy and delete the sync'ed version
morganfainberge.g. how devstack installs the servers06:44
morganfainbergit means if you change something in /opt/stack/<keystone> [for example] you can just restart keystone not needing to re-run setup.py06:45 it.06:45
ajayaaI have the actual code in stack/ and there is symlink from dist-packages.06:45
morganfainbergnow, if the namespace is owned in develop mode for one of the olso.<things> and the package installs olso.config06:46
morganfainbergyou get one and not the other, and one could be out of date06:46
morganfainbergit's been ugly to fix it all06:46
morganfainbergthis is a fairly common type of issue (some stuff gets out of date in wierd ways) when upgrading a devstack.06:47
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo_log instead of incubator
ajayaamorganfainberg, I have removed everything starting with oslo. Now If I run it should install everything correctly, I guess.06:48
morganfainbergi'd use pip06:48
morganfainbergbut setup *should* work06:49
morganfainbergpip install -e <path to keystone>06:49
morganfainbergor pip install <path to keystone>06:49
morganfainbergthe -e is "develop mode"06:49
morganfainbergpip does better dep resolving somehow06:49
ajayaaJust did that.06:49
ajayaasame issue.06:52
ajayaanot solved yet.06:53
*** topol has joined #openstack-keystone07:01
*** ChanServ sets mode: +v topol07:01
*** afazekas has joined #openstack-keystone07:03
*** spandhe has quit IRC07:05
ajayaastevemar, I am still stuck with weird thing.07:10
ajayaaTrying all kind of crazy things.07:11
stevemarajayaa, theres definitely a library mismatch going on :(07:12
stevemaruninstall all the things!07:13
ajayaaI have uninstalled everything oslo related packages07:13
ajayaaIs it a good idea to remove everything in dist-packages?07:13
*** mzbik has joined #openstack-keystone07:21
stevemarajayaa, i wouldn't go that far07:23
stevemaruninstalling the oslo related ones is good07:23
*** markvoelker_ has quit IRC07:28
*** marg7175 has joined #openstack-keystone07:29
*** marg7175 has quit IRC07:34
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo_log instead of incubator
*** jay-lau-513 has quit IRC07:36
stevemarcmonnn patch, i'm rooting for you07:37
*** jay-lau-513 has joined #openstack-keystone07:37
*** thedodd has quit IRC07:40
*** DaveChen has quit IRC07:42
*** avozza is now known as zz_avozza07:44
*** topol has quit IRC07:52
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role
*** chlong has quit IRC08:00
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Move tests to the unit subdirectory
openstackgerritSteve Martinelli proposed openstack/keystone: Sync with oslo-incubator
*** nellysmitt has joined #openstack-keystone08:07
*** 21WABATV9 has quit IRC08:10
*** nellysmitt has quit IRC08:12
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
*** zz_avozza is now known as avozza08:16
*** pnavarro has joined #openstack-keystone08:37
*** jistr has joined #openstack-keystone08:58
*** guimaluf has quit IRC09:00
*** ajayaa has quit IRC09:01
*** mflobo has left #openstack-keystone09:04
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role
*** mflobo has joined #openstack-keystone09:10
*** henrynash has joined #openstack-keystone09:10
*** ChanServ sets mode: +v henrynash09:10
*** nellysmitt has joined #openstack-keystone09:10
*** guimaluf has joined #openstack-keystone09:12
*** ncoghlan has quit IRC09:12
*** ajayaa has joined #openstack-keystone09:16
*** lsmola has joined #openstack-keystone09:21
jay-lau-513does anyone know why keystone notification is setting context={}?09:29
jay-lau-513Just filed a bug for this:
openstackLaunchpad bug 1420688 in Keystone "keystone notification context is empty" [Undecided,New]09:29
*** marg7175 has joined #openstack-keystone09:30
*** karimb has joined #openstack-keystone09:31
stevemarjay-lau-513, those notifications are really for internal events, they shouldn't be used for auditing09:31
jay-lau-513stevemar i want to get those notification from nova09:32
ajayaastevemar, found the issue. There was a oslo directory in /usr/lib/python2.7/dist-packages which was some old oslo.config09:32
ajayaaAnd now new stuff was going to /usr/local/lib09:32
jay-lau-513stevemar as there is no project_id and user_id, so the deserialize will be failed09:32
jay-lau-513failed in nova site09:32
ajayaaAnd I think the path /usr/lib comes before /usr/local/lib09:33
ajayaaWhen python looks for packages.09:33
stevemarajayaa, glad it's all figured out :)09:33
ajayaastevemar, not without frustration. :)09:33
jay-lau-513stevemar if we do not add project_id and user_id to context, then other componments cannot consume notification from keystone09:35
stevemarjay-lau-513, we are working on adding CADF notifications.... which should have at least user_id09:35
*** marg7175 has quit IRC09:35
stevemarjay-lau-513, looks like i know what i'm working on tomorrow09:35
jay-lau-513stevemar What i cared is only for tenant and user operations, such as create tenant, delete tenant etc, but seems all of those operations are usingn ManagerNotificationWrapper09:36
jay-lau-513 stevemar but not cadf notifications09:36
openstackgerritSteve Martinelli proposed openstack/keystone: Sync with oslo-incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
stevemarjay-lau-513, i'm off the the day09:39
jay-lau-513stevemar ok, thx, we can discuss tomorrow09:40
stevemarjay-lau-513, but i doubt we will be updating the 'basic' notifications that are currently used09:40
jay-lau-513I have filed a but09:40
stevemarwe are aiming to be CADF compliant09:40
jay-lau-513stevemar so you mean we can add two decorators for create_project?09:41
stevemarjay-lau-513, nah, we will probably have a switch in the config file, for which type of notification you want emitted09:41
jay-lau-513cool, that's what I want ;-)09:42
*** stevemar has quit IRC09:47
ccarddavid-lyle: did you find the bug id? I've tried looking for it, but I can't find anything likely (partly because I'm not quite sure what I'm looking for, or which part of openstack to look in)09:52
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing
*** aix has joined #openstack-keystone10:31
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Improves support for sample data script with ssl
*** MasterPiece| has quit IRC10:34
*** dims__ has joined #openstack-keystone10:37
*** samueldmq-away is now known as samueldmq11:01
samueldmqhenrynash, hi - any suggestions on ?11:02
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Improves support for sample data script with ssl
*** jay-lau-513 has quit IRC11:07
henrynashsamueldmq: so my python’s not good enough to come up with the right answer for a generaic soltuion other than required named params (which I assum will work?  kwargs always a starneg beast, imho)11:07
*** jay-lau-513 has joined #openstack-keystone11:08
henrynashsamueldmq: which is why I wrote the original calls without trying to be generic11:09
henrynashsamueldmq: so we have to cahneg this….what’s teh rationale for moving away from the current solution?11:10
henrynashsamueldmq: (so DO we have to change this...)11:11
samueldmqhenrynash, well, it would save us some code, since all similar checks would repeat the logic11:12
samueldmqhenrynash, I could assert kwargs has len > 1, but raise 500 internal error if not ?11:13
samueldmqhenrynash, nahh, looks bad11:13
henrynashsamueldmq: will named params work?11:14
henrynashsamueldmq: (I know there’s an issue with that in that I don’t think we can enforce that someone is calling it in that way)11:15
samueldmqhenrynash, if I keep the generic check, no.11:15
samueldmqhenrynash, or we go for something generic or we go for one method for each check combination we need11:16
henrynashsamuedmq: hmmm…in general, I’d take clarity over code saving in most cases (not everyone will agree with that view)….11:17
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests
samueldmqhenrynash, ok, makes sense, I'll see how it would look like without something generic11:19
samueldmqhenrynash, I'll take some time today to review your data driven tests11:19
samueldmqhenrynash, you're reviewing my patches, but I'm not doing yours, sorry11:19
*** f13o has quit IRC11:19
henrynashsamueldmq: np….11:20
*** henrynash has quit IRC11:20
*** fmarco76 has joined #openstack-keystone11:31
*** f13o has joined #openstack-keystone11:43
*** boris-42 has quit IRC11:52
*** boris-42 has joined #openstack-keystone12:28
*** topol has joined #openstack-keystone12:33
*** ChanServ sets mode: +v topol12:33
*** davechen has joined #openstack-keystone12:37
*** sluo_wfh has quit IRC12:39
*** sluo_wfh has joined #openstack-keystone12:39
*** jistr has quit IRC12:43
*** jistr has joined #openstack-keystone12:46
*** jistr has quit IRC12:47
*** jistr has joined #openstack-keystone12:48
*** markvoelker has joined #openstack-keystone12:51
*** henrynash has joined #openstack-keystone12:55
*** ChanServ sets mode: +v henrynash12:55
*** rushiagr is now known as rushiagr_away12:59
samueldmqdstanek, you around ?13:12
dstaneksamueldmq: yes13:13
samueldmqdstanek, nice :) I need an advice13:13
samueldmqdstanek, please look at gyee's comment on
samueldmqdstanek, and let me know what you think13:13
dstaneksamueldmq: his first comment?13:15
samueldmqdstanek, the problem is that we can't ensure kwargs lenght there ... bit it's an internal method and we should have tests for the caller13:16
dstaneksamueldmq: the way i read that code is that you are checking all provided kwargs to find that only 1 has a value, but 1 must have a value - is that correct?13:16
samueldmqdstanek, yes13:17
samueldmqdstanek, but gyee's concern is about calling that method without any argument, then the message would be 'Specify one of '13:17
samueldmqdstanek, however the problem is not in the message, but in the way you're calling an internal method13:18
dstanekthen the only problem is that you will not tell the user all possible keys for a given call because they may not be there13:18
dstanekfor example, you build a dict and pass it in like _assert_single_arg(**some_dict)13:19
*** dims__ has quit IRC13:19
samueldmqwe will not tell to the developer ...13:19
dstaneksamueldmq: if there any reason you are trying to make these generic instead of leaving the specific named methods?13:20
samueldmqdstanek, just saving code13:20
*** dims__ has joined #openstack-keystone13:20
samueldmqdstanek, like that we don't need separate methods for (domain, project) (user, groups) and for validations on list role assignments filters (in next patch)13:21
dstaneki don't think this makes it more readable and it makes the error messages different13:21
*** henrynash has quit IRC13:22
samueldmqdstanek, ok so : + saving code - readbility = not worth it13:23
dstanekyes, code is cheap, but our time is expensive - i can see this being one of those things that someone spends a few hours looking at only to have an 'ah ha' moment13:24
samueldmqdstanek, lesson learned13:25
samueldmqdstanek, thanks13:25
samueldmqdstanek, makes sense to me13:25
dstaneksamueldmq: np13:25
marekddstanek: so i guess this is one of success-factors of Python13:26
dstanekmarekd: one of many :-)13:28
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3
samueldmqdstanek, ^13:38
dstaneksamueldmq: why move it up a level? is it used my multple controllers now?13:48
*** bknudson has joined #openstack-keystone13:49
*** ChanServ sets mode: +v bknudson13:49
*** jaosorior has joined #openstack-keystone13:50
samueldmqdstanek, the next patch set will need _assert_domain_nand_project , that can be reused there13:53
samueldmqdstanek, see
samueldmqdstanek, this is in the context of listing role assingments, where you can filter by domain or project or none of them, but not both13:53
dstaneksamueldmq: i'm sure what yet, but something is wrong with out object structure in that it's forcing us to expose things like that13:55
*** ajayaa has quit IRC13:56
dstaneksamueldmq: i can see why you are trying to fix it13:56
samueldmqdstanek, now (without something generic) the only reason is: fix the message that says to not provide both even if none were provided13:57
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments
samueldmqdstanek, and ..13:58
samueldmqdstanek, do code reuse here
samueldmqdstanek, if domain_id and project_id:13:58
samueldmq            msg = _('Specify a domain or project, not both')13:58
samueldmq            raise exception.ValidationError(msg)13:58
samueldmqdstanek, but we obviously can have it in the separate controllers13:59
dstaneksamueldmq: what will reuse that code outside of the assignment controller?13:59
samueldmqdstanek, RoleAssignmentV3 controller will call _assert_domain_nand_project and _assert_user_nand_group14:00
samueldmqdstanek, and RoleV3 _require_domain_xor_project and _require_user_xor_group14:01
samueldmqdstanek, in which _assert* can be reused by _require*14:01
dstaneksamueldmq: but that's in the assignment package right?14:01
samueldmqdstanek, yes14:01
samueldmqdstanek, but we have different controllers14:02
dstaneki don't think that those methods should go into the parent controller in common since no other package will (or should) use them14:03
samueldmqdstanek, got it.. so I can put them at assingment/controllers.py14:03
samueldmqdstanek, outside the scope of classes14:03
samueldmqdstanek, right?14:03
dstanekif those methods are all needed by multiple controllers either a new base should be created (probably not in this case) or they should be turned into validation functions14:03
dstaneksamueldmq: that sums up my long winded response nicely, yes :-)14:04
samueldmqdstanek, yes, agreed !14:04
samueldmqdstanek, thanks14:04
*** ljfisher has joined #openstack-keystone14:06
dstaneksamueldmq: my pleasure. thanks for fixing the funk!14:06
*** lnxnut has joined #openstack-keystone14:10
*** abhirc has quit IRC14:14
*** lnxnut has quit IRC14:14
*** mzbik has quit IRC14:18
*** joesavak has joined #openstack-keystone14:23
dstanekbknudson: you there?14:24
bknudsondstanek: y14:24
bknudsondstanek: where?14:24
*** radez is now known as radez_g0n314:25
dstaneklooking at again. won't they take warnings from stderr and add them to logging?14:25
bknudsondstanek: yes, exactly14:26
bknudsonwhen running a daemon there's no place for stderr.14:26
dstanekso it would generate extra logging, but at the warning level. would that impact deployers?14:26
bknudsonI hope it will convince them to not use deprecated functions.14:27
bknudsonand report bugs if keystone is using deprecated functions14:27
openstackgerritBoris Bobrov proposed openstack/keystone: oslo_log
*** ctina has joined #openstack-keystone14:30
*** zzzeek has joined #openstack-keystone14:34
*** gordc has joined #openstack-keystone14:36
*** r-daneel has joined #openstack-keystone14:48
*** unixlike has joined #openstack-keystone14:53
unixlikeHi there !14:54
unixlikeDoes someone see something like that "AttributeError: 'Token' object has no attribute 'get_events' " in /var/log/keystone/keystone.log14:55
unixlikeI  have this message after running keystone token-get14:55
unixlikei unset OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT  in my bash environment before running this command14:56
unixlikeAlso please exсuse me for my speaking14:57
ayoungunixlike, weeeird14:57
ayoungany more context around that error unixlike ?14:57
unixlikei was try to find answer in google but it was not any positive result15:00
unixlikesorry i made an mistake15:02
unixlikei see that error after running keystone tenant-list15:03
*** richm has joined #openstack-keystone15:04
unixlikekeystone  --os-username ... token-get is exiting without errors and shows me new token15:05
dstanekunixlike: is it possible that you have a token driver configured for the revocation backend?15:06
lbragstadsamueldmq: o/15:12
*** mflobo has quit IRC15:12
*** ajayaa has joined #openstack-keystone15:13
*** mflobo has joined #openstack-keystone15:13
unixlikea have following driver in keystone.conf under section [token]15:14
unixlikedriver = keystone.token.persistence.backends.sql.Token15:14
dstanekunixlike: what do you have under 'revoke'?15:15
unixlikedriver = keystone.token.persistence.backends.sql.Token15:15
unixlikethis in section [revoke]15:15
dstanekthat won't work. you need to use a revoke backend. it's like putting a round peg in a square hole.15:16
*** amakarov_away is now known as amakarov15:17
unixlikeBig thanks !, will try to use your solution15:17
dstanekunixlike: here is the default -
amakarovlbragstad, hi! Can you please look at ? It's a fix for revocation.15:18
lbragstadamakarov: sure15:18
*** krtaylor has quit IRC15:21
*** unixlike has left #openstack-keystone15:21
*** fmarco76 has left #openstack-keystone15:24
*** topol has quit IRC15:25
*** timcline has joined #openstack-keystone15:26
*** unixlike has joined #openstack-keystone15:31
*** krtaylor has joined #openstack-keystone15:34
*** ayoung has quit IRC15:34
*** carlosmarin has joined #openstack-keystone15:42
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks
openstackgerritMarek Denis proposed openstack/keystone: Add local rules in the federation mapping tests.
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks
*** TheJulia has joined #openstack-keystone15:48
*** atiwari has joined #openstack-keystone15:50
*** rushiagr_away is now known as rushiagr16:03
*** rwsu-afk is now known as rwsu16:04
*** david-lyle_ has joined #openstack-keystone16:06
*** marg7175 has joined #openstack-keystone16:07
*** marg7175 has quit IRC16:07
*** marg7175 has joined #openstack-keystone16:08
*** marg7175 has quit IRC16:09
*** nicodemos has joined #openstack-keystone16:10
*** marg7175 has joined #openstack-keystone16:11
*** david-lyle_ has quit IRC16:11
*** topol has joined #openstack-keystone16:12
*** ChanServ sets mode: +v topol16:12
*** lnxnut has joined #openstack-keystone16:13
openstackgerritMarek Denis proposed openstack/keystone: Add a domain to federated users
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine.
openstackgerritMarek Denis proposed openstack/keystone: Make user an object in mapping engine
*** MasterPiece has joined #openstack-keystone16:23
*** atiwari has quit IRC16:24
*** atiwari has joined #openstack-keystone16:24
*** radez_g0n3 is now known as radez16:25
*** atiwari has quit IRC16:26
*** stevemar has joined #openstack-keystone16:26
*** ChanServ sets mode: +v stevemar16:26
*** atiwari has joined #openstack-keystone16:29
*** ayoung has joined #openstack-keystone16:29
*** ChanServ sets mode: +v ayoung16:29
amakarovayoung, hi! We've found a bug locking keystone under high load. I have a quick solution, it works, but I'm not sure if it nice and sexy enough to propose :) Can you look at it? Bug is definitely nasty!16:34
ayoungamakarov, is the :if monkeypath_thread check necessary?  shouldn't that code alwyas be called?16:35
ayoungand shouldn't there be a partnered removal of the line where it is called now?16:36
amakarovayoung, that is the question: I'm not sure if it even can be false16:36
ayoungamakarov, I think you are on the right path, but need to handle the non-eventlet code path in your patch16:36
amakarovayoung, that's the problem: logging is already used before patching :)16:37
ayounglet me see....16:37
amakarovand after the patching logging system needs reloading to use patched locks16:37
amakarovWe run into this on 100 nodes environment (3 controllers) under rally load testing16:38
ayoungamakarov, probably should be in here
amakarovayoung, eventlet patching?16:40
*** MasterPiece has quit IRC16:40
ayoungamakarov, read the code.16:40
ayoungthat whole directory is supposed to handle the eventlet/wsgi  differences16:40
*** MasterPiece has joined #openstack-keystone16:40
ayoungthat is called very early on16:41
amakarovit's clear to me16:41
ayoungstart here:  and compare with
ayoungcool.  nice detective work16:41
amakarovthe issue is that patching must be ASAP16:42
ayoung you mean before logging starts, yes16:42
stevemarayoung, heads up there is a trust related question on the ML, with an aptly named subject [keystone][nova]16:42
amakarovand before initializing the log16:42
*** unixlike has quit IRC16:45
ayoungamakarov, you are close.  Just bump it to the function that calls the eventlet code and I think you will have it.16:47
amakarovayoung, I'm lost :) Bump what? )))16:48
amakarovlogging setup?16:49
ayoungamakarov, you always need to initialize logging16:49
ayoungnot just in the eventlet case16:49
ayoungjust make sure it is done after the eventlet mokeypatch call would have been done, but before the first logging cal and you will have the same effect16:49
amakarovayoung, the problem is that the first logging call is done just before eventlet monkeypatching16:50
*** _cjones_ has joined #openstack-keystone16:50
ayoungso move it later16:50
*** thedodd has joined #openstack-keystone16:50
ayoungwhat line16:52
ayoungamakarov, that is for debugging, and is a fatal error, so not aproblem16:53
ayoungyou can leave that16:53
amakarovayoung, exactly my question :) If we can ignore tis particular log then everything is fine!16:54
*** MasterPiece has quit IRC16:55
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks
amakarovayoung, ^^ :)16:56
*** amerine has joined #openstack-keystone16:57
*** _cjones_ has quit IRC16:58
*** ayoung has quit IRC17:00
amakarovstevemar, I'll contact that Nova guy about trust issue17:00
*** _cjones_ has joined #openstack-keystone17:01
amakarovbtw, can you please recheck: ?17:01
stevemaramakarov, cool17:01
*** MasterPiece has joined #openstack-keystone17:03
*** gyee has joined #openstack-keystone17:04
*** ChanServ sets mode: +v gyee17:04
*** MasterPiece has quit IRC17:07
*** guimaluf has quit IRC17:07
*** MasterPiece has joined #openstack-keystone17:08
openstackgerritDonagh McCabe proposed openstack/keystonemiddleware: Delay denial when service token is invalid
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
*** EmilienM is now known as EmilienM|afk17:10
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
*** ctina has quit IRC17:11
*** lhcheng has joined #openstack-keystone17:11
*** karimb has quit IRC17:12
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks
*** ctina has joined #openstack-keystone17:14
*** krtaylor has quit IRC17:15
*** lnxnut has quit IRC17:18
*** lnxnut has joined #openstack-keystone17:19
*** lnxnut_ has joined #openstack-keystone17:22
openstackgerritSteve Martinelli proposed openstack/oslo.policy: document the migration process and update the docs a bit
*** lnxnut has quit IRC17:23
*** davechen has quit IRC17:24
*** atiwari has quit IRC17:25
*** jistr is now known as jistr|off17:25
*** lnxnut_ has quit IRC17:27
*** afazekas has quit IRC17:27
*** tqtran_afk has joined #openstack-keystone17:28
*** tqtran_afk is now known as tqtran17:28
*** krtaylor has joined #openstack-keystone17:28
*** krtaylor has quit IRC17:33
*** _cjones_ has quit IRC17:33
*** _cjones_ has joined #openstack-keystone17:34
*** akuznetsova has joined #openstack-keystone17:34
*** lnxnut has joined #openstack-keystone17:35
samueldmqakuznetsova, hi :-)17:36
akuznetsovasamueldmq, I have a question about v317:36
samueldmqakuznetsova, sure, here is the right place to ask, so please do it17:36
*** marg7175 has quit IRC17:37
akuznetsovawhen I am trying to execute some command via cli to /v3 enpoint I get 404 error and Auth token not in the request header. in the log17:37
akuznetsovabut with token from v2.0 it works17:38
samueldmqakuznetsova, cli you mean keystone client? like keystone user-list, keystone tenant-list17:38
akuznetsovasamueldmq, yes17:39
samueldmqakuznetsova, we don't support v3 there17:39
samueldmqakuznetsova, in addition I think it is deprecated .... bknudson can confirm ?17:40
bknudsonopenstack unified CLI supports identity v3.17:40
samueldmqbknudson, ^17:40
samueldmqbknudson, ++ yes, openstack user list ... and so on17:40
bknudsonkeystone CLI isn't officially deprecated ... maybe "pending deprecation" ?17:40
samueldmqbknudson, maybe, I'm not sure17:40
samueldmqakuznetsova, so you should you openstack unified cli17:41
*** atiwari has joined #openstack-keystone17:41
bknudsonI think we just need confirmation that the unified CLI is supported.17:41
stevemarbknudson, it's supported17:41
stevemardoes that not work?17:41
bknudsonstevemar: let's deprecate keystone CLI then17:41
stevemarit's had v2 parity for a while,17:42
bknudsonI think for a long time dtroyer wasn't willing to say that the interface is stable...17:42
*** _cjones_ has quit IRC17:42
stevemarbknudson, the only downside is that on ubuntu 12.04, the only supported release is an old version of OSC17:42
*** _cjones_ has joined #openstack-keystone17:42
samueldmqakuznetsova, the keystone cli you're using doesnt support v3, as we said17:43
stevemarbknudson, and they aren't going to ship a new one, cause it's lts17:43
bknudsonstevemar: is keystone CLI also old?17:43
stevemarbknudson, yeah, but the one that was shipped in 12.04 was still a bit buggy17:43
bknudsonthis is why nobody uses ubuntu anymore.17:43
*** MasterPiece has quit IRC17:45
stevemarbknudson, yeah that is a pretty silly reason, i tried asking for a refresh of the library, but nope17:46
*** lsmola has quit IRC17:46
stevemarfwiw, someone set it up in a private repo17:46
stevemarthe latest version17:46
bknudsonstevemar: I was asking if keystone CLI is also old on ubuntu 12.04 ... are they updating keystone CLI?17:47
dtroyerbknudson: FWIW, as of the 1.0.0 release we made the commitment to a backward-compatability process for CLI changes…17:47
*** harlowja_away is now known as harlowja17:47
stevemarbknudson, probably not17:47
akuznetsovaactually it is not my initial problem17:47
*** ayoung has joined #openstack-keystone17:48
*** ChanServ sets mode: +v ayoung17:48
dtroyer… in OpenStackClient17:48
samueldmqakuznetsova, we found a solution for your problem17:48
bknudsonI think we can deprecate keystone CLI then... probably needs a blueprint or a spec is all17:48
samueldmqakuznetsova, keystone cli ..... doesnt support v3, just v217:48
samueldmqakuznetsova, you cant use v3 urls there17:48
akuznetsovawe are using v3 in Mistral and when I am trying to call some keystone command via keystoneclient, I seeKeystoneAction.users.list failed: <class 'keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound'>:17:48
samueldmqakuznetsova, to use identity api (keystone) v3, please use openstack unified cli17:49
stevemarbknudson, the latest they have on 14.04 is ksc 1.0.7, and osc 0.3017:49
stevemar and
akuznetsovasamueldmq, and the same message Auth token not in the request header. Will not build auth context.17:50
bknudsonthere is no 1.0.7 tag as far as I can tell.17:50
stevemarbknudson, it's probably 0.7.117:51
samueldmqakuznetsova, using the OpenStackClient ? you should be able to use v3 with it17:51
samueldmqakuznetsova, please red the docs17:51
stevemarbknudson, don't know why there is a 1: prepended17:51
bknudsonstevemar: that's confusing.17:52
stevemarsamueldmq, actually, better docs are here:
akuznetsovasamueldmq, no, we just import keystoneclient.v3 and initialize it17:52
akuznetsovasamueldmq, ok, thanks17:52
stevemarbknudson, the world of packaging ¯\_(ツ)_/¯17:52
bknudsonshould be a table flip17:52
morganfainbergYay packaging >.>17:53
*** MasterPiece has joined #openstack-keystone17:53
*** MasterPiece| has joined #openstack-keystone17:54
stevemarmorganfainberg, what are your thoughts on deprecating the cli?17:55
stevemarwe have to visit this topic at least once per release17:55
bknudsonis devstack still using it?17:56
*** nellysmitt has quit IRC17:57
stevemarbknudson, yup17:57
stevemarfor keystone operations17:57
*** nellysmitt has joined #openstack-keystone17:58
stevemarand i think for swift ops too... i should go back and try to replace all the cinder commands17:58
*** MasterPiece has quit IRC17:58
*** nellysmitt has quit IRC18:02
morganfainbergstevemar: honestly I think that was the point of the "where do we put backwards incompatible changes" and we were told "sdk".18:04
*** samueldmq_ has joined #openstack-keystone18:07
*** krtaylor has joined #openstack-keystone18:09
*** spandhe has joined #openstack-keystone18:10
*** timcline has quit IRC18:11
*** timcline has joined #openstack-keystone18:11
richmIn the default v3 policy, almost every rule allows rule:cloud_admin except for identity:list_user_projects and identity:list_groups_for_user - why?18:13
*** timcline has quit IRC18:16
*** ajayaa has quit IRC18:22
*** atiwari has quit IRC18:23
mfischmorganfainberg: I'm happy to help review or draft policies/suggestions on prepping for db upgrades or recovering from a bad one18:26
morganfainbergmfisch, great any help is of course welcome!18:27
mfischWe have some real world failures occur due to a mysql bug that caused mysql to abort during migrations18:27
mfischso that was fun18:27
mfischin dev env which mititgated18:27
*** rushiagr is now known as rushiagr_away18:29
*** pnavarro has quit IRC18:30
*** david-lyle is now known as david-lyle_afk18:31
morganfainbergmfisch, i just tossed you into a comment on the downgrade spec saying you indicated you'd help with the documentation18:32
*** avozza is now known as zz_avozza18:33
mfischoh man ok18:33
mfischhave we had anyone come forward and say "hey downgrades are a great idea!"?18:34
morganfainbergmfisch, no. the only concerns are "well what if we ran for a while then determined we need to downgrade because XXX is broken"18:34
morganfainbergto be fair i've never heard of someone actually doing that18:35
morganfainbergjust the theoretical18:35
morganfainberg"it could be something people want"18:35
mfischat that point, I'd claim that a downgrade doesnt help18:35
mfischyou'd have to nuke all resources created in between18:35
mfischmay as well nuke and go back to a backup18:36
morganfainbergand the statement from mikal is "well i dont want to nuke the vms that were created there, what harm is it in letting them run"18:36
morganfainberghonestly i don't have an argument, afaict, that will win that.18:36
mfischmight have issues deleteing them I guess18:36
morganfainbergnot even deleting them18:36
morganfainbergthe question is why do they need to be deleted18:37
morganfainbergmy view is if something is that broken i wouldn't trust anything created during that timeframe18:37
morganfainbergre: new feature magic, etc18:37
mfischyeah me either18:37
mfischcattle etc etc18:37
mfischjust nuke it18:37
morganfainbergespecially because a downgrade is more likely to totally break something than it is to let things keep working18:38
morganfainbergso, my problem is i've run large scale deployments and we'd either fix the issue, or rollback to a known-good point18:38
morganfainbergwe wouldn't try to "revert all the data manipulation" and hope for the best18:38
mfischmy first goal is to get out of the outage, the shortest path there is restore18:38
morganfainbergespecially if new data was added to the system18:38
mfischif I find it the next morning, then I might investigate more18:38
stevemarbknudson, can you elaborate on your comment here: - how would i go about deprecating the old ones?18:38
morganfainbergmfisch, yes.18:39
morganfainbergmfisch, so i want more info on what mikal wants before we try and respin the spec/fix the issues18:39
mfischif its something like some odd corner case boot option doesnt work, I'd just try to fix18:39
morganfainbergthen we can address those concerns somewhat18:39
*** atiwari has joined #openstack-keystone18:39
*** EmilienM|afk is now known as EmilienM18:39
mfischa tool nobody uses and nobody invests in is just plain dangerous18:39
mfischmore info from him would be good18:39
*** atiwari has quit IRC18:40
morganfainbergbut in general when you're involving migrations either a) you're QAing the hell out of this and shouldn't release without confidence the core features work - so minor bugs aren't catestrophic18:40
morganfainbergand b) you'd roll forward for a fix if something is really that broken / employ someone who could at least tack a fix in until a real fix rolls down the line18:40
morganfainbergit's how you'd handle an issue with apache webserver afaik18:41
morganfainbergexcept this doesn't require recompiling a binary ;)18:41
mfischwe let it stew in dev, staging, etc until we're sure its oka18:41
mfischlet the team and tests bang on it18:41
*** jaosorior has quit IRC18:41
morganfainbergso lets see what mikal comes up with and then we can address it in the spec18:42
morganfainbergand work on docs.18:42
*** timcline has joined #openstack-keystone18:42
bknudsonanybody else find --debug output from keystone-manage db_sync in devstack useful?
morganfainbergand i'll add you to the spec as on the hook for some doc writing next revision18:42
bknudsonotherwise I'll just abandon it.18:42
morganfainbergbknudson, i hate migration debugging18:42
morganfainbergthis could be useful in general18:43
mfischbknudson: when we had the mysql crashes, we 1) turned off every service, 2) enabled query logging, 3) ran the migrations18:43
bknudsonmorganfainberg: y, I always just modify my lib/keystone to enable it.18:43
mfischwe didn't use --debug18:43
morganfainbergbknudson, i usually don't use devstack to debug migrations though18:43
morganfainbergbknudson, i always run migrations isolated environment18:43
morganfainbergin an*18:44
lhchengmorganfainberg, stevemar: did you guys figured out the oslo.config import issue that ajayaa had last night?18:44
mfischsame morganfainberg18:44
*** timcline has quit IRC18:44
bknudsonok, I'll abandon the devstack patch.18:44
mfischwe have a vagrant based mutli-node env that simulates our prod/stagng envs18:44
morganfainberglhcheng, old devstack - namespace packages vs non-namespace packages18:44
*** timcline has joined #openstack-keystone18:44
morganfainberglhcheng, so one installtion owned the oslo/config and one owned oslo.config symlink or such18:44
lhchengmorganfainberg: ugh!18:45
morganfainberglhcheng, the solution was either a) new devstack or b) remove oslo libs and re-install18:45
morganfainberglhcheng, it was the core reason we're removing namespace packages18:45
*** atiwari has joined #openstack-keystone18:45
lhchengmorganfainberg: cool, good to know.18:46
lhchengmorganfainberg: sometimes it is just faster to have a create new devstack than to debug issue. :P18:48
*** atiwari has quit IRC18:49
gordcmorganfainberg: since your name is on oslo graduation page... is there an oslo.cache lib hidden somewhere?18:49
*** raildo has quit IRC18:50
*** samueldmq has quit IRC18:50
*** atiwari has joined #openstack-keystone18:50
*** nicodemos has quit IRC18:50
*** htruta has quit IRC18:50
*** henrique_ has quit IRC18:50
*** abrito has quit IRC18:50
*** tellesnobrega has quit IRC18:50
*** atiwari has quit IRC18:52
*** atiwari has joined #openstack-keystone18:54
morganfainberggordc, nope there is a spec for it18:56
morganfainberggordc, but i haven't had time to write the code :(18:56
gordcmorganfainberg: cool cool. so i guess cache code in oslo-incubator was prematurely marked as deprecated18:59
*** atiwari has quit IRC18:59
morganfainbergwell sortof.18:59
*** MasterPiece| has quit IRC19:00
*** atiwari has joined #openstack-keystone19:00
*** _cjones_ has quit IRC19:00
*** _cjones_ has joined #openstack-keystone19:01
*** atiwari has quit IRC19:03
*** MasterPiece| has joined #openstack-keystone19:04
*** zz_avozza is now known as avozza19:06
*** marg7175 has joined #openstack-keystone19:08
*** marg7175 has quit IRC19:09
*** marg7175 has joined #openstack-keystone19:10
*** atiwari has joined #openstack-keystone19:10
david8humorganfainberg:  On the token provider cleanup topic, I called persistence.create_token with token_id and AccessInfo object, but persistence.get_token returns dict object as oppose to AccessInfo object.19:11
*** atiwari has quit IRC19:12
david8humorganfainberg:  Why would persistence manager get_token strip out AccessInfo related stuff, and how did it do it?  Maybe I need to look at how persistence manager works.19:13
*** amakarov is now known as amakarov_away19:13
morganfainbergin a meeting19:13
morganfainbergwill answer when done19:13
*** tellesnobrega has joined #openstack-keystone19:16
*** atiwari has joined #openstack-keystone19:18
*** atiwari has quit IRC19:18
openstackgerritMerged openstack/keystone: Split the assignments controller
*** atiwari has joined #openstack-keystone19:19
ayoungdavid8hu, ^^19:20
ayoungthat is how close I am to having unified access info for you to use in the token provider cleanup19:20
david8huayoung: lol19:21
ayoungIt was 35 this morning...spiked up to 50+ when I broken summat19:21
*** _cjones_ has quit IRC19:21
*** atiwari has quit IRC19:22
david8huayoung:  Better not 100+ tomorrow :)19:22
ayoungdavid8hu, actually, jumps in the count usually come from me having to add functionality for one thing that breaks across all token parsings19:22
ayoungthose are easy.  It is the ones like this:19:23
ayoung  File "keystoneclient/models/", line 243, in auth_url19:23
ayoung    if self._service_catalog:19:23
ayoungAttributeError: 'AuthContext' object has no attribute '_service_catalog'19:23
*** atiwari has joined #openstack-keystone19:23
ayoungactually...that looks pretty easy to fix...19:24
morganfainbergok done now19:24
morganfainbergdavid8hu yes, because .get_token has only *really* been used to issue stuff to the wire. places that do the other level of work convert to access_info type object (model) in the auth_context manager19:25
*** raildo has joined #openstack-keystone19:26
morganfainbergdavid8hu, erm auth_context middleware19:26
*** samueldmq has joined #openstack-keystone19:26
david8humorganfainberg:  Perhaps, I can call AccessInfo factory right after get_token.  That will work.19:28
morganfainbergdavid8hu, right. - we can adjust things and make it better as we move forward19:29
morganfainbergremember do the work in bite-sized peices19:29
morganfainbergeasier to review19:29
morganfainbergeven if it takes more patches, it'll be easier to understand some of the changes.19:30
*** atiwari has quit IRC19:30
david8humorganfainberg:  Will keep it under 299 loc.19:30
david8humorganfainberg:  lol19:30
*** boris-42 has quit IRC19:32
morganfainbergdavid8hu, sometimes it's easy to let patches get out of hand.19:33
*** nicodemos has joined #openstack-keystone19:34
david8humorganfainberg:  ok.  wild patch on the loose19:36
*** jsavak has joined #openstack-keystone19:37
*** joesavak has quit IRC19:40
morganfainbergayoung, nice19:44
morganfainbergayoung, thanks for slogging through this.19:44
ayoungmorganfainberg, I'm learning a lot of stuff I wish I didn't know.19:45
ayoungpoor jamielennox19:45
morganfainbergayoung, this is also why doing it is good.19:45
*** aix has quit IRC19:45
morganfainbergwe have more people identifying the cruft we have and thinking about making it better19:45
ayoungall of the cruft should be isolated to one facade called auth_context19:45
morganfainbergwhich is *WAY* better ;)19:45
morganfainbergand it means we can work on making that as good as can be - being that it has cruft19:46
ayoungyeah, I know.  I just wish we could do all of this in one project.  DOing it in the client and then having to make a relelase, and then using it in the server seems like it is going to have along turn around time19:46
morganfainbergayoung, i'm fine with releasing client as soon as this is done19:46
morganfainbergthe hard part will be the global req bump19:47
ayoungBut, I think it is going to be the start of a long push toward moving as much of the business logic into the client as we can19:47
morganfainbergactually i want to move this stuff out of client - into keystone.common - or such [just like session shouldn't be in client really]19:47
morganfainbergbut thats a different conversation19:47
ayoungyeah, common19:48
*** diegows has joined #openstack-keystone19:49
*** diegows has quit IRC19:50
*** david-lyle_afk is now known as david-lyle19:51
*** joesavak has joined #openstack-keystone19:52
*** lhcheng has quit IRC19:54
*** jsavak has quit IRC19:54
*** atiwari has joined #openstack-keystone19:56
*** nellysmitt has joined #openstack-keystone19:58
*** afazekas has joined #openstack-keystone20:00
*** _cjones_ has joined #openstack-keystone20:01
*** jsavak has joined #openstack-keystone20:01
*** lhcheng_ has joined #openstack-keystone20:01
ayoungmorganfainberg, instead of us all spending a metric ton on cognac in Vancouver, how about we have a night where each person brings a bottle of their favorite label?20:02
*** joesavak has quit IRC20:02
morganfainbergayoung, i'm thinking i might bring the bottle of Cachaça with me.20:03
*** htruta has joined #openstack-keystone20:03
ayoungGlenmorngie or something like that for me20:03
*** nellysmitt has quit IRC20:03
morganfainbergatiwari, can you clarify your comment on ?20:04
morganfainbergatiwari, i'd like to know more of the security gap you see.20:04
atiwarisure give me 5 mins20:05
*** pnavarro has joined #openstack-keystone20:05
atiwariin a nutshell encryption is not needed and the message on which the signature generated is weak20:05
atiwariI will explain in 5 min20:06
morganfainbergatiwari, yeah no worries.20:06
morganfainbergatiwari, added a comment in the spec as well asking for more clarification. thanks - take your time writing it up :)20:06
atiwarinp, did you look at my proposal ?20:07
morganfainbergatiwari, i've looked over some of it, but been swamped with meetings yesterday/today20:08
*** samueldmq_ has quit IRC20:08
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Sync with oslo-incubator
*** jsavak has quit IRC20:09
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
samueldmqdstanek, ping - regarding your comment on the '/%s/%s/%s/%s/%s/%s' thing :p20:10
samueldmqdstanek, yes that work, tests in the same patch are using that call, and they pass20:11
*** atiwari has quit IRC20:11
*** atiwari has joined #openstack-keystone20:14
*** krtaylor has quit IRC20:15
*** dnalezyt has joined #openstack-keystone20:21
dstaneksamueldmq: really? i'll have to download the patch to check - if you run '%s/%s' % ('something') Python should fail with an exception20:23
bretonmorganfainberg: excuse me, but what's with Why is it not -2 anymore?20:24
morganfainbergWas re proposed against the backlog.20:25
morganfainbergIf it is accepted to the backlog it is a spec we want. But has not been targeted to a release. Someone can pick it up.20:25
morganfainbergbreton: ^^20:25
bretonerr, well, ok, but I have an implementation of it already20:26
morganfainbergRight. We were waiting on oslo.db right?20:26
bretonas we discussed on the meeting, we are waiting for oslo.db20:26
morganfainbergYeah so we could Accept it to the backlog and as soon as oslo.db with fixes is released we can move it to the next appropriate keystone release. (Probably l)20:27
morganfainbergThe idea behind the backlog is "we want this but for whatever reason we haven't targeted a specific release yet)20:28
bretonoh, ok then.20:28
*** krtaylor has joined #openstack-keystone20:28
dstanekmorganfainberg: how Agile of you!20:28
*** nellysmitt has joined #openstack-keystone20:28
morganfainbergIn general it lowers the barrier to entry for those who want to contribute but don't have a specific idea or want to work on something we've already decided we like.20:28
morganfainbergdstanek: *sigh* :P20:29
openstackgerritBoris Bobrov proposed openstack/keystone: Fix invalid super() usage in memcache pool
dstaneknext thing you know we'll have kanban boards!20:29
*** aix has joined #openstack-keystone20:30
bretonI have not seen anything in the backlog for the last 3 months I'm here ;)20:30
morganfainbergYeah we've been slow to use it.20:31
morganfainbergIt's fairly new.20:31
ayoungagile good20:31
*** lnxnut has quit IRC20:31
ayoungbacklog good20:31
dstanekayoung: would you like a bowl of SOA with your Agile?20:32
ayoungSOA  was tainted by a consultant from a company to remain nameless20:32
openstackgerritSteve Martinelli proposed openstack/keystone: Add a check to see if a federation token is being used for v2 auth
ayoungdstanek, I thought to make an object act like a dictionary I needed to implemtn get and  __getitem_-  but is there anything else?20:34
morganfainbergIf you want a set __setitem__20:35
morganfainbergand an __iter__ if you want it to be an iter able.20:35
ayoungI don't want __setitem__20:35
dstanekyep, and there are other dunders depending on what you want to do20:36
morganfainbergDo you need iteritems or iterkeys it itervalues?20:36
ayoungI'm getting a failure  on20:36
ayoung'token' not in <keystoneclient.models.auth_context.AuthContext object at 0x7f2aa4dd64d0>20:36
morganfainbergOr items/keys/values methods.20:36
samueldmqdstanek, just if number of provided params are not enough to match with %s20:36
samueldmqdstanek, yes please try it20:36
ayoungsomething doing  a['token']20:36
ayoungbut that should be a regular property of my object20:36
morganfainberg__getitem__ should be sufficient for a lookup like that.20:37
dstaneksamueldmq: isn't that the case in your patch?20:37
openstackgerritMerged openstack/oslo.policy: Use standard logging in oslo.policy
dstaneksamueldmq: ah, i see what you are doing. that's way confusing20:38
ayoungself.assertThat(haystack, Contains(needle), message)20:39
*** lhcheng_ is now known as lhcheng20:39
samueldmqdstanek, I'm feeling bad now, because it looks like all my patches are confusing20:39
*** _cjones_ has quit IRC20:39
dstaneksamueldmq: it looks like you've been playing with lisp20:39
ayoung if self.needle not in matchee:20:40
samueldmqdstanek, ahha, no :p20:40
samueldmqdstanek, I'll change that and do in the conventional way: if domain_id: url += /domains/domain_id , etc20:40
ayoungwhat is the in operator doing in this case?  Do I need the __iter__ for this?20:40
morganfainbergayoung not sure what magic method is needed for "x in y" notation. And I think the marchers use that.20:40
atiwarimorganfainberg, added my comments in specs20:40
ayounghub 2 3 420:41
morganfainbergatiwari: appreciate it.20:41
ayoungOh, I think you meant matchers20:41
atiwarimorganfainberg, yrw20:41
ayoungmorganfainberg, that is exactly the issue. I'm guessing I need an __iter__20:41
morganfainbergDamn that autocorrect.20:41
samueldmqdstanek, guideline: don't try to be *too* smart on coding .... stop at the point where legibility is being highly decreased20:43
samueldmqdstanek, unless you're coding in lisp :p20:43
*** nellysmitt has quit IRC20:46
*** atiwari has quit IRC20:46
*** lhcheng has quit IRC20:47
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments
*** nellysmitt has joined #openstack-keystone20:48
*** _cjones_ has joined #openstack-keystone20:48
*** henrynash has joined #openstack-keystone20:49
*** ChanServ sets mode: +v henrynash20:49
ayoungdstanek, what does the 'in' operator do?  I can see that the code is calling __getattr__ but the attribute being passed in is 020:49
dstanekayoung: it iterates over something looking for a match20:49
dstanekshould call __len__ and __getitem__20:50
dstanekor i think it can call __iter__ if that is defined20:50
ayoungdstanek, so if I don't implement __len__?20:50
ayoungOK,  so to act like a dict, I should implement __iter__ and return the names of the attributes?20:50
*** nellysmitt has quit IRC20:51
dstanekif you want 'in' for your dict i think you should implement __iter__ and return the keys as a generator20:51
ayoungdstanek, I'll try that.20:52
ayoungdstanek, so I have a bunch of @properties that don't show up in __dict__, but dir(self)  returns too many things.  Is there a just-right approach?20:54
dstanekdo you have an example of what you are trying to do?20:55
*** marg7175 has quit IRC20:56
ayoungdstanek, well, I am trying to make the access_info class I showed way back when act like a dict20:57
*** htruta has quit IRC20:57
*** samueldmq has quit IRC20:57
ayoungdstanek, I have an old review up. one sec20:57
*** raildo has quit IRC20:57
*** tellesnobrega has quit IRC20:57
ayoungdstanek, argh...but that is so old it doesn't show what I am now battling20:58
ayoungdstanek, let me post my lates20:58
*** htruta has joined #openstack-keystone20:58
*** tellesnobrega has joined #openstack-keystone21:00
ayoung failures=2321:04
*** joesavak has joined #openstack-keystone21:06
*** krtaylor has quit IRC21:09
*** gyee has quit IRC21:09
openstackgerritMerged openstack/pycadf: Use oslo_context
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3
openstackgerritDavid Stanek proposed openstack/keystone: Updates Python3 requirements
openstackgerritDavid Stanek proposed openstack/keystone: Mocks out the memcache library for tests
openstackgerritDavid Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing
*** samueldmq has joined #openstack-keystone21:13
ayoung failures=2121:19
*** marg7175 has joined #openstack-keystone21:20
*** henrynash has quit IRC21:21
*** krtaylor has joined #openstack-keystone21:22
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info
*** atiwari has joined #openstack-keystone21:23
*** marg7175 has quit IRC21:23
ayoungdstanek,   see __iter__ in,cm21:23
*** marg7175 has joined #openstack-keystone21:24
*** Tahmina has joined #openstack-keystone21:31
stevemarfor those brave enough:
stevemaruse oslo.log instead of incubated log21:36
stevemarit's got some finnicky parts21:36
dstanekayoung: that's interesting21:40
ayoungdstanek, in a chinese fortune sort of way21:40
dstanekayoung:  so you only want to @properties?21:40
ayoungnah, I also want the actual properties21:40
bretonstevemar: in progress ;)21:40
ayoungjust not the __ named ones21:40
stevemarbreton, ty!21:41
*** atiwari has quit IRC21:44
dstanekayoung: i have a hack if you want to play with it21:44
ayoungdstanek, sure21:45
dstanekayoung: let me type it up and pastebin it21:45
ayoungdstanek, thanks.  Good to know what I am asking is non-trivial enough that I should not have found it from the google21:46
dstanekayoung: something like that should work, but i don't really like it21:47
dstanekayoung: another approach would be a customer property decorator21:48
ayoungshouldn't there be a yield there?21:48
dstanekthat i need to actually test the code i write :-)21:49
dstanekactually i don't think that would actually work without lots of harmful magic since a property doesn't know the object on which it was defined21:50
ayoungdstanek, BTW, thanks for the pointer to rpdb.  I use it  exclusively now21:51
ayoungworks nicely with gud inside emacs.21:52
dstanekhopefully that saved you some time21:52
ayoungdstanek, I'm going write a blog post on it.  You can use it to debug into a live server...its flipping grand21:52
openstackgerritMerged openstack/keystone: log wsgi requests at INFO level
ayoung failures=2021:56
*** ctina has quit IRC22:02
*** lhcheng has joined #openstack-keystone22:06
*** henrynash has joined #openstack-keystone22:06
*** ChanServ sets mode: +v henrynash22:06
*** samueldmq_ has joined #openstack-keystone22:07
*** radez is now known as radez_g0n322:16
*** topol has quit IRC22:17
*** timcline has quit IRC22:18
*** joesavak has quit IRC22:19
*** atiwari has joined #openstack-keystone22:19
ayoungdstanek, what do you use for integrated debugging in vi?22:21
*** r-daneel has quit IRC22:31
*** atiwari has quit IRC22:31
stevemarwe all love oslo syncs right?
dstanekayoung: vimpdb sometimes, but i usually don't use a debugger - if i see and issue i'll write a test to debug22:35
*** darrenc is now known as darrenc_afk22:42
*** ljfisher has quit IRC22:43
*** Tahmina has quit IRC22:44
*** __TheDodd__ has joined #openstack-keystone22:47
*** thedodd has quit IRC22:47
*** nellysmitt has joined #openstack-keystone22:51
morganfainbergrodrigods, you know your blog on k2k federation is getting a lot of references ;)22:51
morganfainbergrodrigods, i keep sending people to it as part of the reference material when takling about k2k stuf22:52
*** gyee has joined #openstack-keystone22:54
*** ChanServ sets mode: +v gyee22:54
*** nellysmitt has quit IRC22:56
*** atiwari has joined #openstack-keystone22:59
*** __TheDodd__ has quit IRC22:59
*** jorge_munoz has quit IRC23:02
*** abhirc has joined #openstack-keystone23:03
*** darrenc_afk is now known as darrenc23:04
*** spandhe has quit IRC23:06
*** carlosmarin has quit IRC23:07
*** spandhe has joined #openstack-keystone23:09
*** erkules has quit IRC23:14
openstackgerritBob Thyne proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware
*** abhirc has quit IRC23:20
*** abhirc has joined #openstack-keystone23:24
*** erkules has joined #openstack-keystone23:26
bretonmorganfainberg: could you send me to it too please?23:29
bretonnevermind, found it23:30
rodrigodslooking forward to write the Kilo version :)23:31
rodrigodsbreton, you don't need to deactivate shibboleth's security policy anymore, gyee has fixed that issue :)23:31
*** nicodemos has quit IRC23:35
*** atiwari has quit IRC23:37
bretonyes, I'd really appreciate Kilo version to understand what's going on there now23:37
*** atiwari has joined #openstack-keystone23:37
*** chlong has joined #openstack-keystone23:37
*** atiwari has quit IRC23:39
*** MasterPiece| is now known as MasterPiece23:40
*** abhirc has quit IRC23:42
*** erkules has quit IRC23:46
stevemarmorganfainberg, it really was an awesome blog, good job rodrigods :)23:46
stevemarrodrigods, except you need to update the mapping example :)23:46
morganfainbergbreton, almost 100% the same23:47
morganfainbergbreton, but the nullsecurity thing si fixed and the IDP is changing how we represent the SPs in the catalog23:47
rodrigodsthanks stevemar , you are right, will update it23:47
openstackgerritMerged openstack/oslo.policy: document the migration process and update the docs a bit
*** nicodemos has joined #openstack-keystone23:48
*** dims__ has quit IRC23:49
*** dims__ has joined #openstack-keystone23:50
*** erkules has joined #openstack-keystone23:52
*** joesavak has joined #openstack-keystone23:53
*** dims__ has quit IRC23:54
openstackgerritSteve Martinelli proposed openstack/keystone: Add a check to see if a federation token is being used for v2 auth

Generated by 2.14.0 by Marius Gedminas - find it at!