Thursday, 2015-02-12

*** samueldmq__ has joined #openstack-keystone00:02
*** abhirc has joined #openstack-keystone00:02
*** markvoelker has quit IRC00:03
*** atiwari has joined #openstack-keystone00:04
*** dims__ has joined #openstack-keystone00:04
*** samueldmq_ has quit IRC00:05
*** atiwari has quit IRC00:06
*** gordc has quit IRC00:07
*** afazekas has quit IRC00:16
*** amerine has quit IRC00:19
*** amerine has joined #openstack-keystone00:20
tqtranstevemar: ping!00:26
*** samueldmq__ has quit IRC00:26
*** r-daneel has joined #openstack-keystone00:28
*** abhirc has quit IRC00:29
*** richm has quit IRC00:30
openstackgerritBrant Knudson proposed openstack/keystone-specs: Get service catalog should also support Service providers
openstackgerritBrant Knudson proposed openstack/keystone-specs: Get service catalog should also support Service providers
bknudsonspeaking of k2k ^00:34
*** joesavak has quit IRC00:35
*** avozza is now known as zz_avozza00:39
*** erkules has quit IRC00:46
morganfainbergbknudson, thnx00:50
*** abhirc has joined #openstack-keystone00:51
*** nellysmitt has joined #openstack-keystone00:52
*** markvoelker has joined #openstack-keystone00:52
*** erkules has joined #openstack-keystone00:53
bknudsonI think horizon might want to use it...00:54
*** atiwari has joined #openstack-keystone00:56
openstackgerritBrant Knudson proposed openstack/keystone: Update policy doc to use new rule format
openstackgerritMerged openstack/keystone-specs: Get service catalog should also support Service providers
*** nellysmitt has quit IRC00:57
*** markvoelker has quit IRC00:57
*** dims__ has quit IRC00:58
bknudsonare there 2 marekd s?00:58
*** markvoelker has joined #openstack-keystone00:59
stevemarbknudson, there is one marekd01:00
stevemarthe original01:00
bknudsongerrit was showing 2... one had gmail address01:00
*** davechen has joined #openstack-keystone01:00
openstackgerritBrant Knudson proposed openstack/keystone-specs: Correct rst
*** markvoelker has quit IRC01:04
*** lnxnut has joined #openstack-keystone01:06
stevemarbknudson, use the cern one01:09
stevemarlbragstad, has the same thing, except none of his emails worked at one point, gerrit hated him01:09
bknudsonI hope we don't promote the wrong one to core.01:09
stevemarbknudson, you never know, we might get the evil marek01:10
bknudsonhe's probably working on his goatee right now.01:11
stevemarbknudson, could you look at when you have a minute, i want your opinion on changing LOG.warning(e) instances01:11
stevemarapparently oslo.log doesn't like it when you use LOG.warning(e) or LOG.whatever(e)01:11
bknudsonwhat??? never!01:11
bknudson... I think that was mentioned somewhere else...01:12
bknudsonoh, yeah, dhellmann had a fix.01:12
stevemari think the fix was to just do LOG.warning(msg, e)01:12
bknudsonit's right here:
bknudsonLOG.warning(msg, e) isn't going to work.01:13
bknudsonI think you can do LOG.warning(msg, include_exception=True) or something...01:13
stevemaryeah, i incorporated those changes (for the most part) into the patch i linked, since it won't build without it01:13
bknudsonI'd rather the change to fix the LOG.warnings was in a separate commit.01:14
bknudsonshould also work with the old code.01:14
stevemarfair enough01:14
stevemarbknudson, so just get message_format from the exception?01:15
lbragstadstevemar: yeah, hats off to fungi for fixing that for me01:15
bknudsonstevemar: I think the message_format is going to get logged anyways, so it doesn't have to be in the message.01:15
bknudsonstevemar: doesn't dhellmann's change work?
bknudsonoh, we don't want the whole stacktrace when the exception is logged...01:17
stevemarbknudson, it does, but boris had comments in my patch set about the messages not matching up01:17
stevemaryes, there is also that aspect01:17
bknudsonstevemar: well, the logs were crap before so I don't think you need to fix that in this commit.01:18
bknudsonjust try not to make it worse.01:18
stevemarbknudson, lol01:18
bknudsonI think you should take over dhellmann's change and get that working.01:19
bknudsonthis one:
bknudsonthat one failed pretty hard for some reason.01:20
stevemarbknudson, didn't take all those changes in?01:20
bknudsonstevemar: I don't know what that means.01:26
ayoungjamielennox, do we allow arbitrary attributes on endpoints?01:27
stevemarbknudson, i pulled in dhellmann's changes into the patch that i linked you, so i'm not sure what else i can do there01:27
stevemarunless i put them in a separate patch01:27
bknudsonstevemar: there's no shame in having separate patches.01:28
jamielennoxayoung: in general we don't enforce stuff on the client01:29
jamielennoxif there are attributes there they will be ignored01:29
*** jay-lau-513 has quit IRC01:29
ayoungjamielennox, but we allow it.  I see ugly tests.  Hideous test that allow random attributes01:29
jamielennoxbut we won't blow up if we get extra data we didn't expect  because it may make sense to some people01:29
jamielennoxand rax puts a whole lot of extra crap in its catalog01:29
ayoung  /opt/stack/python-keystoneclient/keystoneclient/tests/v2_0/
*** tqtran is now known as tqtran_afk01:30
jamielennoxayoung: you should check out the rax catalog at some point, they solved the /v2.0 problem - they just put everything in there01:31
*** atiwari has quit IRC01:31
ayoungThey are probably stringing extra wire just to handle the network traffic from token validation01:31
ayoungI don't like this.01:33
jamielennoxayoung: no one does01:34
ayoungThey can put Javascript in there and call it an object broker01:34
ayoungjamielennox, well, obviously RAX does....01:37
jamielennoxi understand their point, nearly 2 years later and we still haven't got a good solution to moving people away from the /v2.0 endpoints01:37
ayoungjamielennox,  I was tilting at the window a year ago, as you might recall01:38
jamielennoxayoung: oh i have one i was hoping you'd have a quick read over01:38
jamielennoxayoung: i still am01:38
ayoungjamielennox, sure01:38
jamielennoxayoung: doesn't render so nicely on this markup01:39
*** markvoelker has joined #openstack-keystone01:40
jamielennoxwas going to clean it up and post later today01:40
ayoungTEST.JAMIELENNOX.NET  needs to resolve...stick it in /etc/hosts01:40
jamielennoxTEST.JAMIELENNOX.NET is a realm, but i know what you mean01:41
jamielennoxi said somewhere there i did freeipa with bind, so if you set /etc/resolv.conf it works01:41
ayoungits the #1 thing that messes people up when they do a new install....all the Kerberos stuff depends on it01:41
jamielennoxbut ok, will make that clear01:41
openstackgerritSteve Martinelli proposed openstack/keystone: Add documetation for key terms and basic authenticating
ayoungGah, I hate the 5000/35357 thing01:42
ayoungcan we skip the "convert Keystone to LDAP" and go right to multiple backends, or do we still have stuff that blocks it?01:43
morganfainbergwhat would block multiple backends?01:43
jamielennoxi don't know, so my intention was to be as close to an original packstack deployment as possible01:43
*** atiwari has joined #openstack-keystone01:43
morganfainbergjamielennox, i'm expecting to release -kerberos on friday.01:44
morganfainbergjamielennox, sorry for the delay01:44
jamielennoxi figured i'd write another one later with how to do multiple domains because i've been walking ccard through it a bit over the last few days01:44
jamielennoxmorganfainberg: great - that's fine01:44
ayoungjamielennox, you missed something in the thanks block, too...01:44
jamielennoxayoung: figured i'd try and explain just the kerberos changes here - but i understand dealing with the LDAP change over made a mess of what should have been easy01:44
jamielennoxayoung: i'll add you in01:44
dstanekayoung:  nice01:44
ayoungdstanek, what do you use for vim?01:45
jamielennoxayoung: by the time i got to the end i was pretty done and just throwing stuff at it01:45
dstanekayoung: vimpdb sometimes, but i usually don't use a debugger - if i see an issue i'll write a test to debug01:45
ayoungjamielennox, I need to do the multi-dom setup myself.  I have an internal server set up, but I didn't get that far...and got bogged down in this access_info thing01:46
jamielennoxmulti domain for this is easier than not, but i need to write up a bunch of stuff like service users domain before i get to that01:46
ayoungdstanek, that is probably why your code is so much better than mine01:46
*** r-daneel has quit IRC01:46
morganfainbergatiwari, some more comments in line - your spec and the AE Tokens spec are looking very similar, slightly different takes on it01:46
morganfainbergatiwari, i could see either one being a viable option provided we address the issues outstanding in them.01:47
dstanekayoung: flattery will get you nowhere01:47
jamielennoxayoung: also i think i've cracked horizon/DOA01:47
morganfainbergdstanek, but beer will get us somewhere?01:47
ayoungdstanek, actually, I think that would be considered "Damned by faint praise"01:47
ayoungjamielennox, good cracked or bad cracked?01:47
dstanekmorganfainberg: always01:47
jamielennoxayoung: figured out kerberos and receiving a token from somewhere else01:48
ayoungjamielennox, oh, I had those cgi and wsgi apps for you to help you along...but you should be able to figure out how to hack those fairly easily01:48
*** _cjones_ has quit IRC01:48
jamielennoxyea, i've got a litter of helper scripts to figure out s4u2 stuff01:48
ayoungI might have destroyed them, now that I think about was on that internal cloud we had that got decommissioned01:49
jamielennoxhad to dust off the php skills01:49
morganfainbergjamielennox, no don't do that01:49 cando SGI in python01:49
morganfainbergjamielennox, you'll just be opening old wounds01:49
bknudsonthere's no such thing as php skills.01:49
ayoungCGI, too01:49
morganfainbergbknudson, ++01:49
stevemarfact: bknudson lists php as his top skill in his resume01:50
jamielennoxyea, but its hard to beat a <?php phpinfo(); ?> in an index.php for doing a confirmation that it worked and dumping env variables01:50
ayoungI thought php was illegal in Australia01:50
bknudsonboth wsgi and cgi are a mistake.01:50
morganfainbergayoung, no thats NZ, in aus it's a grey area i hear01:50
bknudsonwhy translate http? just forward it.01:50
morganfainberg :P01:50
ayoungbknudson, wsgi is a mistake?  Why do you say that?01:50
bknudsonthere's no need to translate http since it can be forwarded.01:50
ayoungUm...I think, I'm missing something in your logic01:51
morganfainbergstevemar, but if you really want to make people cringe, use mod_php (cc jamielennox ) instead of the cgi/cgi-like modes01:52
ayoungjamielennox, I really just started with googling Hello World WSGI and used that for the S4U2 test.01:52
jamielennoxmorganfainberg: i'd never deploy it... i'm not insane01:52
morganfainbergayoung, i *think* he's saying wsgi is superfluous as an abstraction from HTTP since HTTP could just be read directly... i think.01:52
ayoungActually, I did an Shell version that used CURL first01:52
morganfainbergayoung, or he's being sarcastic... i can't tell atm01:52
dstanekso if oslo.log is being used we can still use stdlib logging from most modules right?01:53
morganfainbergbknudson ;)01:53
jamielennoxayoung: me too, i ended up with curl in a shell script that called the phpinfo() from the target01:53
ayoungjamielennox, anyway, I really like the article01:53
morganfainbergdstanek, afaik yes *except* if there is some wacky formatter thing that is abstracted out01:53
bknudsonyes, wsgi is essentially just http, so why go through the work of converting one to the other?01:53
jamielennoxam going to write that one up too01:53
morganfainbergdstanek, that isn't applied to the base / root logger itself01:53
bknudsonjust run a "web server" and if you need it in apache set up what it calls "reverse proxy"01:53
bknudsonalthough it's really just passing http through.01:54
ayoungI think I did direct sql to do what you did more cleanly with the ipa user-add code...but I was hacking the DB to change the service catalog anyway01:54
morganfainbergbknudson, not sure which is lower overhead tbh, HTTP or HTTP <-> wsgi01:54
dstanekmorganfainberg: that's what i thought. should we be using logging in our code then as much as possible?01:54
bknudsonis the problem overhead?01:54
morganfainbergbknudson, but i could see reverse proxy being a clear alternative01:54
ayoungbknudson, envvars01:54
*** TheJulia has quit IRC01:54
bknudsonthe nice thing is now you've got apache serving static pages which it's good at01:55
morganfainbergdstanek, i'd ping dhellmann, but if we could do that i'd be happier01:55
bknudsonand your web server that's doing dynamic pages which it's good at.01:55
morganfainbergdstanek, if we really used oslo as *only* the way to configure the loggers01:55
morganfainbergdstanek, that'd be cool01:55
ayoungjamielennox, you just made me very very happy01:55
morganfainbergbknudson, pretty much the entire model nginx works on in principle01:56
ayoungjamielennox, you using stevedore in that?01:56
jamielennoxayoung: long way off done01:56
jamielennoxayoung: no, just catching ImportError01:56
ayoungI had the stevedore code in my patch.01:56
jamielennoxi don't think stevedore is a win when you are writing actual code, you already know what you want01:57
morganfainbergdstanek, i want to say there is some more magic in oslo.log than that, but my brain feels fried01:57
jamielennoxstevedore is good for getting names from config files and command line params01:57
bknudsonI used this in a previous project (C++-based) , rather than try fastcgi (for example), I was like -- why not just write HTTP to begin with?01:57
ayoungjamielennox, I suspect, though, that we are headed that way, esp with federation01:57
dstanekmorganfainberg: the only thing i can see is that using its getLogger you can use the keyword adapter to add extra context01:57
morganfainbergdstanek, ah.01:57
morganfainbergdstanek, interesting01:58
*** samueldmq_ has joined #openstack-keystone01:58
jamielennoxayoung: yea, i don't know - for horizon i think they are always going to keep a fairly tightly restricted set of protocols you can auth with01:58
morganfainbergdstanek, if we don't need that and there isn't a compelling reason to proxy the calls through oslo.log, i do like being tied to the core logger and use oslo as the config layer01:58
jamielennoxayoung: i think they'll accept more but it'll be a curated list somehow01:58
jamielennoxthough - it'd be cool if we could host the horizon kerberos requirements in keystoneclient-kerberos01:59
dstanekmorganfainberg: i think that's ok to do and what i was hoping. i'll ask doug01:59
ayoungjamielennox, fair enough....this looks good, though...less intrusive than mine01:59
ayoung if not request.is_ajax()  ?01:59
jamielennoxi have nfi01:59
morganfainbergdstanek, it looks sane, and it would def. be nicer (and easier in some regards)01:59
morganfainbergdstanek, though how will that work with the new .trace() level logging being proposed in the x-project spec02:00
openstackgerritBrant Knudson proposed openstack/keystone-specs: Deprecate keystone CLI
morganfainbergdstanek, afaik adding a new log level doesn't automatically create the equiv .<level>() named method, just allows you to use .log(<level>, <msg>)02:00
morganfainbergdstanek, and i know that isn't actually how it's called, but it conveys the point02:00
ayoungjamielennox, well, if it works at all, it means we have something once again we can demo, and that is a big win02:01
ayoungthank you very much02:01
dstanekmorganfainberg: i think we would have to create a method, so that would suck02:01
morganfainbergdstanek, yeah02:01
morganfainbergdstanek, which case oslo.log would be a clear winner02:01
morganfainbergunless oslo.log did some wacky monkey-patching02:02
jamielennoxayoung: it's funny - because it's a really boring demo02:02
ayoungjamielennox, so...with the approach of putting the service catalog in the unscoped token, does it clean up that HACK message in your code?02:02
*** samueldmq has quit IRC02:02
bknudsonoslo.log already adds log.deprecated(), I think.02:02
*** samueldmq_ is now known as samueldmq02:02
ayoungalso...the unscoped->scoped only changes are now in Keystone server02:02
morganfainbergayoung, which makes me happy to see02:02
jamielennoxayoung: i saw that02:03
*** r-daneel has joined #openstack-keystone02:03
ayoungjamielennox, it is a boring standalone demo, but together with setting up an IPA server and doing all the Kerberos stuff, it is pretty fun to show02:03
jamielennoxayoung: it cleans up the hack at line 17202:03
jamielennoxbecause you need to make the /projects request at a url that doesn't have /krb02:04
jamielennoxi think the line 85 hack will have to be a config option02:04
ayoungActually, I don't think you need that.  You can kerberos protect only the /krb/auth/tokens02:05
jamielennoxayoung: right02:05
jamielennoxthat would work02:05
ayoungsub url and leave all the projects ones etc as is02:05
ayoungbut in general, I think what you have there makes sense02:05
dstanekbknudson: is there a such thing as log.deprecated()?02:05
jamielennoxayoung: i'm not sure how to get there yet- but i want to make kerberos a federation plugin02:06
dstanekmorganfainberg: where is that spec documented?02:06
jamielennoxayoung: as in /OS-FEDERATION/provider/ipa/protocol/kerberos/auth/token02:06
morganfainbergdstanek, openstack/openstack-specs in gerrit02:06
morganfainbergdstanek, sec02:06
ayoungBut the CERN approach doesn't even need that....02:07
ayoungstill, it should be possible.02:07
jamielennoxayoung: it doesn't need it, but i think we should standardize on just one way that we link in all these external auth mechanisms02:07
*** zzzeek has quit IRC02:08
jamielennoxbecause if you kerberize /auth/token then you can't have non-kerberized login there02:08
ayoungjamielennox, that was the original thinking behind /auth/tokens....but  we failed02:08
ayoungIt really should be /auth/<protocol>02:08
bknudsondstanek: y, it's used in keystone ...
ayoungwith the format being an HTTP accepts header value instead02:08
jamielennoxyea, and i suggested /auth/projects which is now a pain if you kerberize /auth02:09
jamielennoxbut you're right i should change that to kerberize POST /auth/token02:09
ayoungservice catalog in the unscoped token makes more sense anyway02:09
ayoungreally splits auth url from the rest of Keystone, as it should02:09
morganfainbergok i'm going to go get a drink with some openstack folks here in LA (whoa, they exist!)02:10
jamielennoxdid that get passed? i missed a cutoff but i don't think the spec was approved02:10
ayoungbut...I want to remove tokens all together.  Just Use Kerberos or X509 or SAML right to Nova02:10
morganfainbergcatch you guys tomorrow / friday02:10
ayoungspec got approved at the mid cycle02:10
jamielennoxmorganfainberg: see ya02:10
ayoungmorganfainberg, ^^ right?02:10
dstanekbknudson: far as i know that's not in oslo.log02:10
morganfainbergayoung huh which spec?02:10
ayoungmorganfainberg, unscoped token has a service catalog02:10
morganfainberguhm.. i think we said yes but we needed to look at an API change02:11
morganfainbergsomething was off - like needing to explicitly say "give me a catalog" to not break people who use no-catalog as inference of unscoped tokens02:12
morganfainbergaka doing bad things02:12
bknudsondstanek: looks like they got rid of it...
bknudsonthe latest oslo-incubator versionutils doesn't use it.02:12
bknudsonluckily stevemar did a sync...02:12
stevemarbknudson, thats why i'm here02:13
ayoungit must have passed cuz jamie has no  spec reviews open at the moment02:13
bknudsonstevemar: did you try regen the sample config file with that change?02:14
jamielennoxayoung: ok - will need to revive that patch02:15
bknudsonI'm wondering if we lose "fatal_deprecations" ?02:15
ayoungYeah, but its a step in the right direction02:15
ayoungDoes github allow you to edit right in the browser?  Could we really do collaborative editing in github?02:17
openstackgerritBrant Knudson proposed openstack/keystone-specs: Deprecate keystone CLI
*** MasterPiece has quit IRC02:19
ayoungjamielennox, what would happen if I disallowed reading arbitrary values from the endpoints in the auth ref?02:23
jamielennoxi don't know02:25
stevemarbknudson, oh you know what, i meant to try that today but i forgot02:25
stevemari think i need to add the versionutils opts02:25
*** atiwari has quit IRC02:26
*** atiwari has joined #openstack-keystone02:26
*** atiwari has quit IRC02:27
ayoungjamielennox, I'm down to 20 failing tests...I'll punt on this one for now, but ugh02:27
jamielennoxayoung: i told you this one would be ugly :)02:27
*** MasterPiece has joined #openstack-keystone02:28
ayoungjamielennox, yes you did02:28
ayoungand I believed you02:28
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected assignments in tests
*** MasterPiece| has joined #openstack-keystone02:29
*** zzzeek has joined #openstack-keystone02:30
*** dims__ has joined #openstack-keystone02:32
*** MasterPiece has quit IRC02:33
*** erkules_ has joined #openstack-keystone02:36
*** davechen_ has joined #openstack-keystone02:37
*** erkules has quit IRC02:38
*** davechen has quit IRC02:40
*** zzzeek has quit IRC02:40
*** jay-lau-513 has joined #openstack-keystone02:47
ayoungjamielennox,   does that test need to be carried over, or was it just debugging code?02:47
jamielennoxayoung: from memory it was an edge case that bit me when i was playing with this stuff02:48
ayoungCuz that is basically reparsing data.02:48
jamielennoxno, looks like if you set auth_token from the factory then it will  be used instead of whatever comes from the token data02:49
ayoungits not terribly old02:49
jamielennoxand if you delete the override it will fallback to the one from the body02:50
ayoungright, and that is what you want.  Its just the delete part that is messing me up02:50
stevemarany takers on an oslo sync :D
jamielennoxthis was dodgy because v3 doesn't have a token_id in the body so i had to be able to do the override02:50
jamielennoxi can't remember why the del was important02:50
ayoungcuz I don't want to reparse it.  Really, if you change the state of an existing auth_ref, what are you trying to do in the real world?02:50
jamielennoxprobably just meant that the old value wasn't lost02:50
jamielennoxayoung: i expect that was the point though02:51
*** rodrigod` has joined #openstack-keystone02:51
ayoungI'm going to comment that out.  We can argue it out in the code review02:51
jamielennoxif you'd done auth_ref['token']['id'] at that point you wouldn't get the overridden value02:51
jamielennoxthe override only exists via the property, it shouldn't be changing the token data02:51
*** gyee has quit IRC02:52
*** bjornar has quit IRC02:52
*** rwsu has quit IRC02:52
*** rodrigods has quit IRC02:52
*** nellysmitt has joined #openstack-keystone02:53
*** gyee has joined #openstack-keystone02:57
*** ChanServ sets mode: +v gyee02:57
*** rwsu has joined #openstack-keystone02:58
*** bjornar has joined #openstack-keystone02:58
*** david-lyle is now known as david-lyle_afk02:59
*** lhcheng has quit IRC03:00
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fix error message on check on RoleV3
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments
*** nellysmitt has quit IRC03:01
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance
samueldmqdstanek, gyee, henrynash, ^ thanks for your reviews, comments addressed03:02
*** zzzeek has joined #openstack-keystone03:04
*** samueldmq has quit IRC03:16
*** zzzeek has quit IRC03:17
*** MasterPiece| has quit IRC03:21
*** richm has joined #openstack-keystone03:24
*** tqtran_afk has quit IRC03:28
*** EmilienM is now known as EmilienM|afk03:28
*** dims__ has quit IRC03:37
*** richm has quit IRC03:39
*** MasterPiece has joined #openstack-keystone03:51
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role
*** gyee has quit IRC04:00
ayoung failures=1404:03
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info
*** spandhe has quit IRC04:05
*** rushiagr_away is now known as rushiagr04:06
*** harlowja is now known as harlowja_away04:08
*** lhcheng has joined #openstack-keystone04:21
*** ayoung has quit IRC04:34
*** MasterPiece| has joined #openstack-keystone04:38
*** MasterPiece has quit IRC04:40
*** rushiagr is now known as rushiagr_away04:48
*** marg7175 has quit IRC04:52
*** r-daneel has quit IRC04:54
*** nellysmitt has joined #openstack-keystone04:58
*** abhirc has quit IRC04:59
*** nellysmitt has quit IRC05:03
openstackgerritSteve Martinelli proposed openstack/keystone: Log exceptions safely
stevemaranyone around?05:07
openstackgerritSteve Martinelli proposed openstack/keystone: Log exceptions safely
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
morganfainbergstevemar maybe05:17
stevemarmorganfainberg, maybe... eh05:17
stevemarmorganfainberg, was hoping to get a +3 on my oslo sync patch :)05:18
stevemari feel like i have to message people for reviews now05:18
stevemarlike a poke05:18
* stevemar doesn't like that he has to do that05:18
morganfainbergstevemar, yeah been trying to get through as many reviews as possible05:19
morganfainbergbut meeeeetings05:19
openstackgerritSteve Martinelli proposed openstack/keystone: Add documentation for key terms and basic authenticating
*** henrynash has quit IRC05:23
*** henrynash has joined #openstack-keystone05:24
*** ChanServ sets mode: +v henrynash05:24
*** jdennis has quit IRC05:29
*** jay-lau-513 has quit IRC05:30
*** jdennis has joined #openstack-keystone05:32
jamielennoxis there a reason that the change_password rule on v3policy wouldn't have admin:05:44
jamielennoxoriginal policy does:
*** nellysmitt has joined #openstack-keystone05:50
*** MasterPiece| has quit IRC05:51
openstackgerritSteve Martinelli proposed openstack/keystone: make federation part of keystone core
openstackgerritSteve Martinelli proposed openstack/keystone: Include other stable extensions in core
openstackgerritSteve Martinelli proposed openstack/keystone: Add ``service_providers`` in Service Catalog
openstackgerritJamie Lennox proposed openstack/keystone: Small cleanup of cloudsample policy
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
morganfainbergjamielennox, how can a user change their own password if it requires admin?06:04
jamielennoxmorganfainberg: it's an or rule06:04
jamielennoxit would allow an admin to change password on behalf of a user06:05
morganfainbergalso typically an admin user would update_user not change_password06:05
morganfainbergsince change_password requires the current password06:05
morganfainbergso unless admin knows the user password, change_password wont work for them06:05
jamielennoxah - so it does06:05
jamielennoxhmm, ok so probably a tempest mistake06:06
stevemarthere have definitely been fewer neutron failures in the gate lately06:16
jamielennoxwell - you went and jinxed that didn't you06:20
stevemari just saw a failed job, and it came to mind06:22
*** boris-42 has joined #openstack-keystone06:33
*** zz_avozza is now known as avozza06:34
*** dims__ has joined #openstack-keystone06:38
*** dims__ has quit IRC06:42
stevemarmorganfainberg, looks like is ded06:43
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role
morganfainbergfun times!06:43
stevemaris there a time out?06:45
openstackgerritSteve Martinelli proposed openstack/keystone: Log exceptions safely
morganfainbergfor a dead jenkins?06:46
morganfainbergprobably not06:46
stevemarmorganfainberg, just bumped my own change out of the gate queue06:46
morganfainbergyeah but other things (the heat change) is still through jenkins0206:47
morganfainbergyou're probably going to need to wait until tomorrow06:47
morganfainbergas is the #2 spot nova06:47
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
*** wanghong has quit IRC06:57
openstackgerritMerged openstack/keystone-specs: Correct rst
*** nellysmitt has quit IRC07:04
*** afazekas has joined #openstack-keystone07:06
*** davechen_ has quit IRC07:07
*** davechen has joined #openstack-keystone07:08
*** swartulv has quit IRC07:12
*** swartulv has joined #openstack-keystone07:16
*** jacer_huawei has joined #openstack-keystone07:16
*** jacer_huawei is now known as wanghong07:16
*** nicodemos has quit IRC07:19
*** mathias__ has joined #openstack-keystone07:32
mathias__Am I getting it right: With PKI tokens I can prevent every service from talking back to keystone to verify the token? That would be nice in a globally distributed environment with a centralized keystone cluster. Am I seeing it correctly?07:33
*** avozza is now known as zz_avozza07:33
openstackgerritMerged openstack/python-keystoneclient: Fix a comment error in
openstackgerritMerged openstack/python-keystoneclient: Move tests to the unit subdirectory
wanghongmathias__, I think you are wrong. With PKI tokens we also need to talk to keystone to fetch revocation list.07:41
mathias__wanghong: ah I see07:41
openstackgerritwanghong proposed openstack/keystone: fix assertTableColumns
mathias__so it is best to put Keystone into every region then07:42
*** jaosorior has joined #openstack-keystone07:47
*** boris-42 has quit IRC07:49
*** boris-42 has joined #openstack-keystone07:49
*** afazekas has quit IRC07:49
*** afazekas has joined #openstack-keystone07:49
*** jaosorior has quit IRC07:49
*** jaosorior has joined #openstack-keystone07:49
marekdbknudson: if you were asking about my lp account both are mine, but cern one is one i actually use.07:50
bretonwanghong: that was a good one ;)07:59
*** stevemar has quit IRC08:04
wanghongbreton, thanks08:12
*** lsmola has joined #openstack-keystone08:12
jamielennoxmathias__: with PKI tokens you need to fetch a revocation list, but you fetch a revocation list maybe every 10 seconds per middleware so whilst you technically talk to keystone it's very low impact08:13
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Enforce that some plugin options are required
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins
*** karimb has joined #openstack-keystone08:18
*** lhcheng has quit IRC08:20
openstackgerritwanghong proposed openstack/keystone: fix assertTableColumns
*** openstackgerrit has quit IRC08:21
*** openstackgerrit has joined #openstack-keystone08:21
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make tests run against original client and session
*** zz_avozza is now known as avozza08:41
*** chlong has quit IRC08:42
*** jistr|off is now known as jistr08:54
*** amerine has quit IRC08:58
*** wpf has quit IRC09:02
*** nellysmitt has joined #openstack-keystone09:05
*** mathias_1 has joined #openstack-keystone09:05
*** jistr has quit IRC09:08
*** mathias__ has quit IRC09:08
*** nellysmitt has quit IRC09:10
*** jistr has joined #openstack-keystone09:11
*** esmute has quit IRC09:14
*** esmute has joined #openstack-keystone09:16
*** mzbik has joined #openstack-keystone09:21
*** esmute has quit IRC09:23
*** esmute has joined #openstack-keystone09:24
*** mzbik_ has joined #openstack-keystone09:29
*** mzbik has quit IRC09:32
*** henrynash has quit IRC09:39
*** davechen_ has joined #openstack-keystone09:39
*** davechen has quit IRC09:41
openstackgerritAbhishek Talwar proposed openstack/python-keystoneclient: User-password-update accepts blank as password
*** avozza is now known as zz_avozza10:02
*** henrynash has joined #openstack-keystone10:08
*** ChanServ sets mode: +v henrynash10:08
*** zz_avozza is now known as avozza10:21
*** samueldmq has joined #openstack-keystone10:29
samueldmqhenrynash, ping - are we going to remove OS-INHERIT (extension mode) this cycle, right ?10:37
henrynashsamueldmq: yes……that’s on my list to do10:37
samueldmqhenrynash, nice!10:37
henrynashsamueldmq: you will still be able to turn it off, via the config switch however10:37
henrynashsamueldmq: but it will be part of core10:38
openstackgerritSergey Kraynev proposed openstack/python-keystoneclient: Using correct keyword for region in v3
samueldmqhenrynash, so config.os_inherit will still exist?10:38
samueldmqhenrynash, are we just moving the code around?10:38
henrynashsamueldmq: yes, I think we’re just moving the code around for now....10:39
openstackgerritwanghong proposed openstack/keystone: remove the unused variables in indentity/
*** wanghong has quit IRC10:55
*** nellysmitt has joined #openstack-keystone11:06
*** nellysmitt has quit IRC11:10
*** dims__ has joined #openstack-keystone11:15
openstackgerrithenry-nash proposed openstack/keystone: Refactor filter and sensitivity tests in preparation for LDAP support
*** mathias__ has joined #openstack-keystone11:20
*** Tahmina has joined #openstack-keystone11:22
*** mathias_1 has quit IRC11:23
*** dobson has quit IRC11:27
openstackgerrithenry-nash proposed openstack/keystone: Enable filtering in LDAP backend for listing entities
*** henrynash has quit IRC11:27
*** henrynash has joined #openstack-keystone11:28
*** ChanServ sets mode: +v henrynash11:28
*** henrynash has quit IRC11:29
openstackgerritrajiv proposed openstack/python-keystoneclient: No keystone Endpoint now gives a valid Error Message
*** dobson has joined #openstack-keystone11:34
*** markvoelker has quit IRC11:34
openstackgerritMerged openstack/keystone: Sync with oslo-incubator
ccarddavid-lyle: I found this:
openstackgerritMerged openstack/keystone: Imported Translations from Transifex
ccarddavid-lyle: I set auth_version=v3.0 instead of v3 and now horizon is working for me when I login to a non-default domain11:43
*** mathias_1 has joined #openstack-keystone11:46
*** rodrigod` is now known as rodrigods11:49
*** mathias__ has quit IRC11:49
*** mathias_1 has quit IRC11:50
*** mathias__ has joined #openstack-keystone11:51
*** mathias_1 has joined #openstack-keystone11:56
*** mathias__ has quit IRC11:57
*** aix has quit IRC12:01
*** MasterPiece has joined #openstack-keystone12:05
*** dmellado has joined #openstack-keystone12:07
*** MasterPiece has quit IRC12:12
*** pnavarro is now known as pnavarro|lunch12:20
*** karimb has quit IRC12:20
*** MasterPiece has joined #openstack-keystone12:22
openstackgerritSergey Kraynev proposed openstack/python-keystoneclient: Using correct keyword for region in v3
*** henrynash has joined #openstack-keystone12:25
*** ChanServ sets mode: +v henrynash12:25
*** mathias__ has joined #openstack-keystone12:26
*** nellysmitt has joined #openstack-keystone12:27
*** mathias_1 has quit IRC12:30
*** markvoelker has joined #openstack-keystone12:35
*** tellesnobrega_ has joined #openstack-keystone12:36
*** dims_ has joined #openstack-keystone12:37
*** dims__ has quit IRC12:38
*** markvoelker has quit IRC12:40
*** amakarov_away is now known as amakarov12:46
*** Tahmina has quit IRC12:50
*** jacer_huawei has joined #openstack-keystone12:56
*** mzbik_ has quit IRC12:56
*** dims_ has quit IRC12:57
*** aix has joined #openstack-keystone12:57
*** tellesnobrega_ has quit IRC12:58
*** markvoelker has joined #openstack-keystone12:59
*** markvoelker has quit IRC13:05
*** dims__ has joined #openstack-keystone13:05
*** EmilienM|afk is now known as EmilienM13:11
*** samueldmq has quit IRC13:11
*** tellesnobrega has quit IRC13:11
*** htruta has quit IRC13:12
*** dims__ has quit IRC13:13
*** erkules_ is now known as erkules13:19
*** ljfisher has joined #openstack-keystone13:19
*** dims__ has joined #openstack-keystone13:19
*** henrynash has quit IRC13:21
*** henrynash has joined #openstack-keystone13:22
*** ChanServ sets mode: +v henrynash13:22
*** henrynash has quit IRC13:27
*** henrynash has joined #openstack-keystone13:28
*** ChanServ sets mode: +v henrynash13:28
*** karimb has joined #openstack-keystone13:31
*** henrynash has quit IRC13:31
*** tellesnobrega has joined #openstack-keystone13:37
*** mzbik has joined #openstack-keystone13:45
*** radez_g0n3 is now known as radez13:48
*** mathias__ has quit IRC13:52
*** ljfisher has quit IRC13:54
openstackgerritBrant Knudson proposed openstack/keystone: Update policy doc to use new rule format
*** avozza is now known as zz_avozza14:11
*** radez is now known as radez_g0n314:15
*** richm has joined #openstack-keystone14:17
*** krykowski has joined #openstack-keystone14:22
*** gordc has joined #openstack-keystone14:24
*** joesavak has joined #openstack-keystone14:24
*** david-lyle_afk is now known as david-lyle14:25
*** samueldmq has joined #openstack-keystone14:26
*** ctina has joined #openstack-keystone14:28
*** boris-42 has quit IRC14:32
*** r-daneel has joined #openstack-keystone14:36
*** samueldmq has quit IRC14:41
*** boris-42 has joined #openstack-keystone14:42
*** htruta has joined #openstack-keystone14:42
*** dmellado has left #openstack-keystone14:51
*** tellesnobrega has quit IRC14:51
*** tellesnobrega has joined #openstack-keystone14:54
*** tellesnobrega_ has joined #openstack-keystone14:54
*** topol has joined #openstack-keystone14:55
*** ChanServ sets mode: +v topol14:55
*** tellesnobrega_ has quit IRC14:55
*** ayoung has joined #openstack-keystone14:56
*** ChanServ sets mode: +v ayoung14:56
*** jasondotstar has quit IRC14:58
*** samueldmq has joined #openstack-keystone15:02
*** krykowski has quit IRC15:03
*** samueldmq has quit IRC15:07
*** zzzeek has joined #openstack-keystone15:13
*** ljfisher has joined #openstack-keystone15:14
*** dnalezyt has quit IRC15:14
*** stevemar has joined #openstack-keystone15:15
*** ChanServ sets mode: +v stevemar15:15
openstackgerritAlexander Makarov proposed openstack/keystone: Remove excess brackets in exception creation
*** timcline has joined #openstack-keystone15:24
*** pnavarro|lunch is now known as pnavarro15:25
*** lnxnut_ has joined #openstack-keystone15:28
*** karimb has quit IRC15:28
*** lnxnut has quit IRC15:32
*** nellysmitt has quit IRC15:35
*** abhirc has joined #openstack-keystone15:37
*** lnxnut_ has quit IRC15:37
*** marg7175 has joined #openstack-keystone15:41
*** nellysmitt has joined #openstack-keystone15:43
*** nkinder has joined #openstack-keystone15:57
*** jaosorior has quit IRC16:01
*** lnxnut has joined #openstack-keystone16:07
*** lnxnut has quit IRC16:12
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local
stevemarbreton == boris? or am i getting confused16:15
*** amerine has joined #openstack-keystone16:26
openstackgerritMerged openstack/keystone: fix assertTableColumns
amakarovstevemar, yes, I was confused too :)16:29
*** andreaf has quit IRC16:30
*** andreaf has joined #openstack-keystone16:31
stevemaramakarov, i know who you are, but i don't know what 'Boris Bobrov' IRC name is :(16:31
amakarovstevemar, your guess is correct: breton - his nickname16:32
*** zz_avozza is now known as avozza16:33
*** avozza is now known as zz_avozza16:35
stevemaramakarov, excellent! says so here too: :D16:35
amakarovstevemar, what a surprise! :D16:35
stevemarbreton, so i don't know why we can't change the new KeywordsAdapter in oslo.log to change msgs to unicode16:36
*** marg7175 has quit IRC16:37
stevemarbreton, maybe dhellmann can explain why, but i suspect it's to have more consistent logging across projects, or go so we stop abusing it for logging exceptions like we do now16:37
*** marg7175 has joined #openstack-keystone16:37
*** tellesnobrega_ has joined #openstack-keystone16:39
*** tellesnobrega_ has quit IRC16:39
openstackgerritLance Bragstad proposed openstack/python-keystoneclient: Remove ability to get global user roles.
openstackgerritDavid J Hu proposed openstack/keystone: Version independent token issuance pipeline
*** afazekas has quit IRC16:46
*** tellesnobrega_ has joined #openstack-keystone16:52
dstanekstevemar: did you see my comment on that review?16:53
lbragstaddavid8hu: looks like you built the access stuff into the latest iteration? ^16:54
*** gyee has joined #openstack-keystone16:54
*** ChanServ sets mode: +v gyee16:54
*** lnxnut has joined #openstack-keystone16:54
lbragstadgyee: had to rebase this one
*** dims__ has quit IRC16:56
*** dims__ has joined #openstack-keystone16:57
*** _cjones_ has joined #openstack-keystone17:04
gyeelbragstad, ack17:05
*** abhirc has quit IRC17:07
richmstevemar: ping - question about openstack role list --user $userid --project $projname17:11
richmstevemar: My problem is that $projname is the name, not the id17:11
richmso openstack has to do a search GET /v3/projects?name=services17:11
richmhowever, I have two different domains each with a services project17:12
richmand openstack says "More than one project exists with the name 'services'"17:13
stevemardstanek, i just saw it, how can i get the messages? e.message_whatever ?17:13
stevemarrichm, ughhhhhh that domain scoped names has been the bane of OSC17:13
bknudsonstevemar: _('%s'), e should do it17:14
richmyeah, it's becoming a pain for puppet-keystone v317:14
stevemarbknudson, i was thinking of six.text_type(e)17:15
richmstevemar: is there some way I can tell openstack role list to do GET /v3/projects?name=services&domain=mydomainname17:15
stevemarbut yours will work too.17:15
bknudsonstevemar: I think the problem is that the log call wanted a Message?17:16
stevemarbknudson, right now whatever is logged is pretty useless17:16
stevemarwell, thats harsh, it's not helpful17:16
dstanekyou don't need the _ because the message is already translated17:16
bknudsonstevemar: what's logged is probably worse than not logging anything, but probably not going to try to fix all that here...17:17
bknudsonlet's just try to get through the transition to oslo.log17:17
morganfainbergrichm, that would be the way i'd expect the API to work17:17
morganfainbergrichm, if it doesn't it's a gap we should close17:17
stevemarbknudson, yeah, that's what i was trying to emphasize :)17:18
bknudsonI've got a todo to try to get the logs to not be totally crappy but it's a lot of work.17:18
morganfainbergbknudson, totally not crappy logs?17:18
morganfainbergbknudson, blasphemy17:18
dstaneki actually think str(e) would work depending on how we build the message internally17:18
morganfainbergdstanek, str(e) only works if you don't have unicode values for sure17:19
stevemarbknudson, okay, i'll do as you suggested, just really want to eat my shawarma before it gets cold :D17:19
morganfainbergdstanek, if you're doing a %s17:19
dstanekmorganfainberg: do our exceptions make unicode values?17:19
morganfainbergdstanek, they could17:19
bknudsonyes, the exceptions can have unicode17:19
dstanekbknudson: but do we store it as bytes or unicode? str(e) will return the message that is being built already in the exception17:20
bknudsondstanek: that I don't know ... the contents of the message can come from the user if that helps...17:21
bknudsone.g., the contents of the message might come from the URL17:21
bknudsoncan also come from the database17:22
bknudsonalso, we've got the lazy translation so it might be a Message object that you're dealing with17:22
dstanekbknudson: that's probably a good thing because it deals with the unicode issues for us17:23
morganfainbergdstanek, ++17:23
*** tqtran_afk has joined #openstack-keystone17:23
*** tqtran_afk is now known as tqtran17:23
dstanekthis is the functionality that was removed:
*** EmilienM is now known as EmilienM|afk17:25
morganfainbergbut that wouldn't solve unicode issues17:26
*** jistr has quit IRC17:27
*** atiwari has joined #openstack-keystone17:28
dstanekmorganfainberg: but that's what's happening now that we have to replicate17:28
*** lhcheng has joined #openstack-keystone17:31
richmmorganfainberg: stevemar: I'll open a bug if needed, but right now I'm just trying to figure out if there is a way to specify the domain for role list --project17:31
dstanekmorganfainberg: for example:
morganfainbergdstanek, right17:33
morganfainbergrichm, i'll defer to stevemar here, as i need to get on the road [have an appointment to get to]17:33
stevemarrichm, it's probably a legit bug (sigh)17:35
*** spandhe has joined #openstack-keystone17:43
stevemarbknudson, still needs the _LE and _LW stuff, since it's doing variable substitution17:45
openstackLaunchpad bug 1421328 in python-openstackclient "need to specify domain with role list" [Undecided,New]17:45
*** nkinder is now known as nkinder_sick17:46
*** bknudson has quit IRC17:47
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids
openstackgerritSteve Martinelli proposed openstack/keystone: Log exceptions safely
dstanekstevemar: why would you use _LE()?17:51
dstanekthere isn't anything to translate17:52
stevemardstanek, i think it's needed anytime you do string substitution
dstanekstevemar: only if it has to be translated17:53
*** tellesnobrega_ has quit IRC17:53
*** david8hu has quit IRC17:54
dstanekthe _LE prioritizes translating '%s' over other things because it's logged at an error level - since there is no translation needed for %s it seems silly17:54
dstanekall the %s is doing in this case is acting similar to six.text_type() but not exactly the same since in python2 it returns a string and not a text type17:55
stevemardstanek, so it should just be: LOG.warning('%s', e)17:56
dstanekthe %s will break for unicode17:56
stevemari'm going to do six.text_type(msg) then, that's what the old logger did17:56
dstanekstevemar: yes, i think you were right earlier when you said that.17:57
stevemardstanek, i am starting to memorize the line numbers at this point ;P17:57
morganfainbergdo we lose transifex/translation w/o the _LE() wrapper?17:58
*** tellesnobrega_ has joined #openstack-keystone17:58
dstanekmorganfainberg: no, the translation is already happening in the Exception17:58
morganfainbergoh wait are we double stacking _() bits?17:59
dstanekthe _LW will translate %s to %s17:59
dstanek_LW only works on literals and not generated strings17:59
morganfainbergoh gah17:59
*** _cjones_ has quit IRC17:59
morganfainbergi really should have let this one go instead of jumping in when about to grab laptop to head out :P17:59
* morganfainberg 's brain hurts now18:00
*** aix has quit IRC18:00
stevemardstanek, seems like some of our hacking checks don't like it18:01
stevemarFile "/opt/stack/keystone/keystone/hacking/", line 314, in visit_Call18:01
stevemar    self._process_non_debug(node, method_name)18:01
stevemar  File "/opt/stack/keystone/keystone/hacking/", line 338, in _process_non_debug18:01
stevemar    func_name = msg.func.id18:01
stevemarpep8 still passes18:01
dstaneki wonder why the hacking check wouldn't like it18:02
dstanekmaybe six.text_type is something stupid?18:02
*** david8hu has joined #openstack-keystone18:02
*** lsmola has quit IRC18:04
dstanekmorganfainberg: good question for you
stevemardstanek, it's definitely checking the LOG calls there, >> Look for the 'LOG.*' calls.18:08
* morganfainberg looks then goes to get to lunch meeting18:09
dstanekmorganfainberg: not critical18:09
morganfainbergoooh another "implementation" vs "documentation" question18:09
dstanekstevemar: actually did you update hacking to know about the new logger?18:10
morganfainbergi think this is a case where we explicitly design keystone to say "no global roles", we can probably fix the documentation here18:10
stevemardstanek, i have never touched hacking, so no18:10
morganfainbergnow... removing capability from ksc vs. getting a failure...18:11
morganfainbergthat might be a harder bit to fix18:11
*** mzbik has quit IRC18:12
stevemardstanek, i didn't think i would need to change it18:12
dstanekstevemar: it shouldn't check the lines using the new logger18:13
*** bknudson has joined #openstack-keystone18:13
*** ChanServ sets mode: +v bknudson18:13
morganfainbergdstanek, commented on that patch18:13
morganfainbergdstanek, the bigger concern is breaking people using that method in ksc by changing the signature18:14
stevemardstanek, i'm still on the logging exceptions patch, i think you're a bit ahead18:14
dstanekstevemar: it looks for them by fully qualified module name18:14
morganfainbergeven if we wont support the functionality in keystone18:14
stevemardstanek, yeah, i'll need to do that in the 2nd patch of the chain, you're ahead :)18:14
dstanekstevemar: haha, ok18:14
*** afazekas has joined #openstack-keystone18:17
*** _cjones_ has joined #openstack-keystone18:17
bretonyes, I am Boris Bobrov on gerrit :)18:20
stevemarbreton, good to know :D18:20
bretonstevemar: I don't know why that coercion is gone either and would really love to hear dhellmann's opinion. Passing something coercable to text seems normal to me.18:20
*** harlowja_away is now known as harlowja18:21
*** EmilienM|afk is now known as EmilienM18:22
*** MasterPiece has quit IRC18:23
openstackgerritSteve Martinelli proposed openstack/keystone: Log exceptions safely
bretonin fact, I've seen the commit that does that18:23
stevemardstanek, i gave up on trying to fix hacking ^18:23
stevemarcould you please look at it, since you wrote all of hacking :)18:24
dstanekstevemar: i can take a crack at it.18:24
dstanekis your change breaking or just trying to fix hacking breaking?18:24
stevemardstanek, pep8 is still passing, but an exception comes up in the bg18:24
dstanekhave you pushed?18:25
dstanekbreton: what commit is that?18:26
bretonthe coercion was added here:
bretonin fact, all comments in are relevant18:27
breton*all commits18:28
stevemarbreton, ahhh, 'third party code can't log with the same formatter'18:29
*** zz_avozza is now known as avozza18:30
*** tellesnobrega_ has quit IRC18:31
*** boris-42 has quit IRC18:32
dstanekgrrr... we should wait for dhellmann - hacking should break on this because it shouldn't be able to know the difference between this use and a bad one18:32
dstanekstevemar: ^18:32
* dhellmann perks up his ears18:33
dstanekthe hacking option would be to LOG.error(e.as_string()) or something like that18:33
dstanekhey dhellmann - we're discussing the safe exception change for oslo.log18:33
dstanekthis guy -
openstackgerritLance Bragstad proposed openstack/keystone: AE Tokens
dhellmanndstanek: yeah18:34
openstackgerritSteve Martinelli proposed openstack/keystone: Add documentation for key terms and basic authenticating
dstanekdhellmann: the question breton brought up is why did the coercion go away?18:35
dhellmannso the thing that triggers that error is you have an Exception() containing a _Message() and when you do str(e) it ends up doing str(e.message) which is not allowed because it bypasses translation18:35
stevemardstanek, reason for coercion removal is here
*** tellesnobrega_ has joined #openstack-keystone18:35
dhellmannright, the coercion used to be done in the context adapter, but we're using a handler instead now so we don't catch the error18:36
dhellmannwe used to call unicode(e) which is allowed18:36
bretonstevemar: no, the coercion was added as a part of the bp :)18:36
dstanekdhellmann: that's what we changed the code to do 'six.text_type(e)', but that makes our hacking rules unhappy18:37
dhellmannso you could, theoretically, call unicode(e) yourself instead of inserting literal messages, but in some cases you were actually logging the same text twice (LOG.exception(e)) so I just put in some literals18:37
bretonstevemar: have a look at second commit on the "whiteboard"18:37
*** raildo has joined #openstack-keystone18:37
dhellmanndstanek: I don't know why anything would be objecting to that. what's the rule?18:38
bretonok, maybe not added, but at least fixed.18:38
dstanekdhellmann: i wrote a custom rule to enforce translation18:39
dstanekdhellmann: we spent too much time commenting on logging issues so i added this:
dhellmanndstanek: the problem is the stdlib is coercing to str() not unicode(), so you have to pass a unicode object of some sort to the function. Are you objecting to that, or are you just trying to understand the history?18:41
dstanekdhellmann: no, we were wondering why the functionality was being removed18:42
dstanekdhellmann: do you think calling 'LOG.error(six.text_type(e))' is a good solution for us since it just replicates the existing behavior?18:43
*** abhirc has joined #openstack-keystone18:43
dhellmannthe thing that was doing the coercion sat at a different point in the logging stack. the blueprint stevemar linked above should have the details of why we removed it, but the tl;dr is with a handler instead of an adapter we're able to log context information when third-party libs log and our libs don't have to rely on using oslo.log.getLogger()18:43
*** avozza is now known as zz_avozza18:44
*** zz_avozza is now known as avozza18:44
*** abhirc has quit IRC18:44
dhellmanndstanek: I guess it's a reasonable alternative, but you're logging errors that might not include enough information about what is failing, which is why I thought adding literal messages was better. It's up to you all, though.18:45
dstanekdhellmann: our exceptions have messages in them that are very similar to what you added - so we'd be maintaining that info twice18:46
dhellmannfor example, I think some of those could be triggered by KeyError or TypeError exceptions, and those wouldn't say what was failing just that something was wrong18:46
*** samueldmq has joined #openstack-keystone18:47
dhellmanndstanek: ok, that's fine -- if you're confident that you're logging enough info, you don't need the literals18:47
dhellmannthat wasn't clear to me, so I erred on the side of adding information18:47
*** abhirc has joined #openstack-keystone18:47
dstanekdhellmann: there is one file,, that catches non-Keystone exceptions explicitly that we should really look at18:48
*** MasterPiece has joined #openstack-keystone18:49
dstanekso now i have to figure out how to fix this hacking rule18:49
dhellmanndstanek: you should feel free to either take over that patch or write a new one -- if you do the latter and want to abandon mine, that's fine.18:50
dstanekdhellmann: stevemar's been updating yours, so i think we'll stick with it - i don't see any reason to change that18:50
dhellmanndstanek: ok, cool, I hadn't noticed that18:50
dhellmannstevemar: thanks :-)18:51
dstanekok, late lunch time!18:51
stevemardhellmann, np, was hoping you didn't mind :)18:51
samueldmqgyee, I replied your comments on the list role assignments chain, thanks18:52
*** abhirc has quit IRC18:53
*** avozza is now known as zz_avozza18:59
*** _cjones_ has quit IRC19:00
gyeesamueldmq, k, I'll take a look later in the afternoon, got a meeting to attend19:01
amakarovstevemar, I have a fix for revocation Can you please look at it? You've already commented there... last year :)19:03
*** _cjones_ has joined #openstack-keystone19:03
stevemarlast year19:03
*** utahcon has joined #openstack-keystone19:03
amakarovstevemar, it's incorrect to say "a year ago" ))19:04
*** thedodd has joined #openstack-keystone19:06
utahconI am having trouble with tokens and keystone
utahconI generate a token with user/pass, but then get a bad request when I try to get a session based on that token19:07
utahconv2.Token() seems to work just fine... not sure what I am doing wrong.19:07
amakarovutahcon, what's the origin of provider['OS_TOKEN_ID'] ?19:09
utahconamakarov: if you look at my paste, line 4... it is just the string id19:10
utahconI have triple checked that is what I am passing19:10
amakarovare you sure that token there is valid? I don't see where is provider initialized?19:11
amakarovutahcon, provider['OS_TOKEN_ID'] from line 8 == token from line 4?19:12
utahconsorry these are two different pieces of code shown in one paste19:14
amakarovutahcon, do you have some script to toy with?19:18
*** abhirc has joined #openstack-keystone19:18
amakarovI'd like to try your code and I need imports at least19:20
amakarovTo be sure19:20
amakarovI can guess what is v2 and session in your example...19:23
lbragstaddstanek: do you happen to know where these are generated from ?
utahconamakarov: from keystoneclient.auth.identity import v219:24
utahconfrom keystoneclient import session19:24
amakarovutahcon, ok, thanks19:24
utahconwell, ok, it isn't failing on session now ... wtf19:26
utahconif that all worked, I should just pass the session to nova client, and it would work right?19:26
amakarovutahcon, I'm not yet an expert in Nova, sorry :)19:29
utahconlol -- no worries19:29
utahconat this point I am really confused. all worked a week back19:30
utahconnow... not so much19:30
utahconlike I hit a wall and lost it all19:30
utahconI guess the root of my issues are... how do I know if v2.Token() worked, and if session.Session() worked?19:31
utahconwill they throw exceptions if they don't or fail quietly?19:31
utahconbecause, now it is appearing to work, but I pass the session off to nova and get BadRequests... argh19:31
amakarovIt raises exception19:34
utahconok, that is great then19:34
*** atiwari has quit IRC19:36
utahconthanks amakarov you have helped me to the next step then :D19:37
amakarovutahcon, good luck then!19:37
*** ctina has quit IRC19:38
*** atiwari has joined #openstack-keystone19:39
*** lnxnut has quit IRC19:47
*** dims__ has quit IRC19:48
*** amakarov is now known as amakarov_away19:49
*** dims__ has joined #openstack-keystone19:50
*** _cjones_ has quit IRC19:52
*** zz_avozza is now known as avozza19:54
openstackgerritDolph Mathews proposed openstack/keystone: Authenticated Encryption (AE) tokens
*** jsavak has joined #openstack-keystone20:00
*** joesavak has quit IRC20:02
stevemardolphm, i hope AE tokens land and become default :)20:02
stevemardown with token tables20:02
dolphmstevemar: ++20:03
dolphmstevemar: working on it :)20:03
dolphmstevemar: i'll let you know when they're ready for review20:04
stevemardolphm, lookin forward to reviewing it20:05
*** briancurtin has quit IRC20:07
*** henrynash has joined #openstack-keystone20:07
*** ChanServ sets mode: +v henrynash20:07
dolphmlbragstad: have some sort of diff on switching from encryption to signing?20:07
*** serverascode has quit IRC20:07
dolphmlbragstad: or was that just in an interactive session or something20:07
lbragstaddolphm: set CONF.ae_tokens.use_encrption = False20:08
lbragstadand restart keystone20:08
*** zhiyan has quit IRC20:08
dolphmlbragstad: oh poo you pushed a patchset20:08
*** ctracey has quit IRC20:08
dolphmlbragstad: i just stomped on it20:09
lbragstaddolphm: were you working on it20:09
*** jraim has quit IRC20:09
dolphmlbragstad: non stop20:09
dolphmlbragstad: added ae_setup, key rotation, restored the default key dir to /etc/keystone/keys, and used ae setup in tests20:09
lbragstaddolphm: cool!20:10
lbragstaddolphm: so I need to pull down the latest patch set and reapply what I did20:10
dolphmlbragstad: well, it's my fault -- i'd be happy to do the merging20:11
lbragstaddolphm: there should be much conflict,20:11
lbragstaddolphm: I just added the signing case and test cases for it20:11
dolphmlbragstad: we both touched common.config20:11
lbragstaddolphm: the only thing I added was a config option for encryption20:12
lbragstaddolphm: which shouldn't break the ae_setup stuff by default because it is set to True20:12
dolphmlbragstad: have you already started merging?20:14
lbragstaddolphm: I was reading gyee comments20:14
lbragstaddolphm: working on it20:14
dolphmlbragstad: wait!20:14
dolphmlbragstad: i have a couple uncommitted changes i can include too, let me fix it20:14
*** nellysmitt has quit IRC20:14
*** jraim has joined #openstack-keystone20:15
openstackgerritSteve Martinelli proposed openstack/keystone: Log exceptions safely
stevemardstanek, ^20:16
stevemarthat one should pass pep8 hacking check and tests20:16
*** ctracey has joined #openstack-keystone20:16
*** _cjones_ has joined #openstack-keystone20:16
*** briancurtin has joined #openstack-keystone20:17
*** zhiyan has joined #openstack-keystone20:18
*** serverascode has joined #openstack-keystone20:19
*** gyee has quit IRC20:20
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing
*** abhirc has quit IRC20:24
henrynashstevemar: on the log exception patch…what’s the change to hacking doing?20:26
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests
*** nellysmitt has joined #openstack-keystone20:35
stevemarhenrynash, i need dstanek to take a look at that, it was the only way i could get pep8 to not toss up an exception20:38
stevemarhenrynash, i suspect it looks to see if LOG.warning(msg) has an equivalent id and name in the .po backend?20:39
stevemarbut i could be wrong20:39
dolphmlbragstad: you removed L182-L186 ?
*** atiwari has quit IRC20:40
*** tellesnobrega_ has quit IRC20:41
lbragstaddolphm: the init for StandardTokenFormmater?20:41
*** markvoelker has joined #openstack-keystone20:41
*** atiwari has joined #openstack-keystone20:41
*** atiwari has quit IRC20:41
dolphmlbragstad: L182 in the left file20:42
lbragstaddolphm: I moved it from the formatter to ae/core.py20:43
*** spandhe has quit IRC20:44
*** spandhe has joined #openstack-keystone20:45
*** topol has quit IRC20:46
*** abhirc has joined #openstack-keystone20:47
ayoung failures=1220:50
openstackgerritBoris Pavlovic proposed openstack/keystone: [do not merge] Test patch under load
dolphmlbragstad: stop uploading pep8 violations!20:51
ayoungdolphm, what makes use of the fact that the Service catalog can have arbitrary data associated with the endpoint?  I see we have a client side test that checks that an endpoint can have additional attributes, and the example is tenantId20:51
lbragstaddolphm: oops20:52
dolphmayoung: uhh, there was a concept of API version metadata being included as explicit attributes in the endpoint, but we never used that20:52
dolphmayoung: unless you mean IN the endpoint URL itself?20:52
ayoungdolphm, no, it is an additional attribute20:52
dolphmayoung: like, in the endpoint dict?20:53
dolphmayoung: i have no idea, that's weird.20:53
ayoungI'll link20:55
lbragstadayoung: what are you working on?20:57
ayounglbragstad, unified access info20:57
ayounglbragstad, yeah20:57
ayoungI'm down to failures=1220:58
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing
*** joesavak has joined #openstack-keystone21:01
*** jsavak has quit IRC21:04
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests
dolphmlbragstad: so i wrote a test that just passes UUIDs to the AE token validator which has passed just fine (expecting Unauthorized)...21:09
dolphmlbragstad: but it just failed with a fun transient error, keyczar raised: BadVersionError: Received a bad version number: 22521:09
*** boris-42 has joined #openstack-keystone21:09
lbragstaddolphm: paste your test case?21:10
dolphmlbragstad: oh, it's failing consistently now21:13
lbragstaddolphm: see line 17621:13
dolphmlbragstad: it's because it's bypassing where you moved the token format check to21:13
lbragstadand 16321:13
dolphmlbragstad: why does that not belong in the token formatter?21:14
lbragstadso, I was thinking it should be in the provider, which has a map of formatters21:14
dolphmlbragstad: ah, i see that now21:14
lbragstadthe provider needs the format21:15
lbragstadin order to pass it to the formatter that knows how to deal with it21:15
dolphmlbragstad: so the test should run against the Provider?21:15
lbragstadI need to do that yet,21:15
lbragstadI'm trying to think of the best way to lay out the tests21:15
lbragstadso, testing the formatter should just verify the information in the formatters and validate that the formatters are doing what they are supposed to21:16
lbragstadbut testing the provider should only really handle the mapping,21:16
lbragstadlike, I have an AE00 token, that means I pass it to this guy21:16
lbragstador validating that something without a matching token format should throw your "Unrecognized AE format" exception21:17
openstackgerritDolph Mathews proposed openstack/keystone: Authenticated Encryption (AE) tokens
dolphmlbragstad: ^^21:17
lbragstaddolphm: do I need to run ae_setup before running tests?21:19
dolphmlbragstad: no, the tests should always create a temp directory, configure it as the key directory, run ae_setup on it, and go21:19
openstackgerritSteve Martinelli proposed openstack/oslo.policy: Remove symlinked file from tests
*** MasterPiece has quit IRC21:20
dolphmlbragstad: expecting /etc/keystone to exist when the tests are running is a bad idea21:20
lbragstaddolphm: I just pulled it down and ran the tests,21:20
dolphmlbragstad: which ones?21:21
dolphmlbragstad: oops, i see that too21:24
dolphmlbragstad: okay, have a fix, let me clean it up21:25
lbragstaddolphm: I think only 8 fail for me because I have existing keyczar repositories scattered around21:27
*** atiwari has joined #openstack-keystone21:27
openstackgerritDolph Mathews proposed openstack/keystone: Authenticated Encryption (AE) tokens
*** timcline has quit IRC21:29
*** timcline has joined #openstack-keystone21:30
dolphmlbragstad: refactored with a fix
lbragstaddolphm: yeah, tests on the latest patch pass21:30
dolphmlbragstad: actually the create_key_directory() in that new class can be removed21:32
lbragstaddolphm: checking21:32
openstackgerritDolph Mathews proposed openstack/keystone: Authenticated Encryption (AE) tokens
lbragstaddolphm: oh, right21:34
openstackgerritDolph Mathews proposed openstack/keystone: Authenticated Encryption (AE) tokens
lbragstaddolphm: yeah I see it now... create_key_directory() is only if we specify the key_repository but tests will always use a tmpdir21:34
dolphmlbragstad: which they've already created21:35
lbragstaddolphm: nice catch, makes sense21:35
dolphmlbragstad: could have the tests generate a temp dir name, and then exercise that code... if we wanted to21:35
lbragstadyeah, that's an idea21:36
dolphmlbragstad: i think i'm done iterating on this for the moment, if there's changes you want to make21:38
dolphmlbragstad: i'm going to play with signed tokens21:38
dolphmlbragstad: tempted to run a benchmark :P but i'm sure they'll come out within a margin of error as full encryption21:39
lbragstaddolphm: sounds good, running a benchmark against signed tokens?21:39
lbragstador encrypted tokens?21:39
dolphmlbragstad: oh, also need to figure out another way to check if the formatter is using a crypter or a signer - i left FIXME's21:40
dolphmlbragstad: yes21:40
lbragstaddolphm: checking21:40
dolphmlbragstad: regarding my fixme's, maybe check for isinstance() of something in keyczar land instead of formatter.purpose21:40
lbragstadso, that should make the key repo stuff completely dependent on how it's set up initially21:41
lbragstadand nothing Keystone Config wise should know about it21:41
dolphmlbragstad: but it's dependent on keystone.conf ?21:41
lbragstadright now, when we want to use signing, we specify use_encryption = False in the keystone.conf21:42
lbragstadwhich tells the baseFormatter to use a signing object from keyczar, instead of an encrypting class21:42
dolphmlbragstad: right. instead just try to encrypt or sign a string using the repo and see what works :)21:43
dolphmlbragstad: and then set crypter to that21:43
dolphmlbragstad: and then move the keystone.conf option to a keystone-manage ae_setup --option21:43
lbragstaddolphm: sure, that works21:44
dolphmlbragstad: (i can't think of a reason for that to be in conf forever)21:44
dolphmlbragstad: bbiab21:44
lbragstaddolphm: agreed21:44
*** pnavarro has quit IRC21:45
lbragstaddolphm: I'm going to work on that quick, in case you're pushing anything for review21:49
stevemardstanek, not sure if you are back from your late lunch :) but i updated the exception logging patch if you want to take a look at the changes to hacking21:50
*** jsavak has joined #openstack-keystone21:54
ayoungdolphm, well lookee here:   looks like we allow a slew of fields I never knew about21:55
*** joesavak has quit IRC21:55
*** joesavak has joined #openstack-keystone21:57
*** jsavak has quit IRC22:00
*** nellysmitt has quit IRC22:03
*** spandhe has quit IRC22:09
*** spandhe has joined #openstack-keystone22:12
openstackgerritBoris Pavlovic proposed openstack/keystone: [do not merge] Test patch under load
*** _cjones_ has quit IRC22:16
*** harlowja_ has joined #openstack-keystone22:18
*** atiwari1 has joined #openstack-keystone22:19
dolphmayoung: yeah, the version* ones i've never seen anyone use22:19
*** _cjones_ has joined #openstack-keystone22:19
*** atiwari has quit IRC22:21
*** harlowja has quit IRC22:21
*** thedodd has quit IRC22:24
ayoungdolphm, don't matter...I'll support them if they are documented...just keep them as optional22:26
*** timcline has quit IRC22:28
*** thedodd has joined #openstack-keystone22:36
*** henrynash has quit IRC22:36
*** thedodd has quit IRC22:37
*** tellesnobrega_ has joined #openstack-keystone22:39
openstackgerritAlistair Coles proposed openstack/keystonemiddleware: Delay denial when service token is invalid
bretonhow's keystone configured in the gate?22:41
bretonwhere can I find keystone.conf from there?22:41
stevemarbreton, ^22:44
stevemarclick on the logs of any dsvm job, and find logs/etc/keystone22:44
stevemarif you want the details look into devstack-gate project22:45
bretonoh, ok, thank you22:47
*** zzzeek_ has joined #openstack-keystone22:49
openstackgerritMerged openstack/oslo.policy: Remove symlinked file from tests
*** zzzeek has quit IRC22:51
*** zzzeek_ is now known as zzzeek22:51
mgagneguys, which policy file should I use? or And what's the difference?23:00
*** jsavak has joined #openstack-keystone23:01
*** joesavak has quit IRC23:04
* lbragstad just got nerf'd23:05
* lbragstad needs to invest in desk protection devices!23:05
stevemarlbragstad, best shield for protection
lbragstadstevemar: taking notes23:08
lbragstadstevemar: I guess I have to research Nerf product23:09
stevemarjust start throwing hammers23:09
stevemarwe'll see who stops23:09
*** avozza is now known as zz_avozza23:13
stevemarthat'll do23:15
lbragstadstevemar: I'll have to bolt it to the desk23:15
*** chlong has joined #openstack-keystone23:17
*** zzzeek_ has joined #openstack-keystone23:22
*** zzzeek has quit IRC23:24
*** zzzeek_ is now known as zzzeek23:24
*** andreaf_ has joined #openstack-keystone23:27
*** gyee has joined #openstack-keystone23:29
*** ChanServ sets mode: +v gyee23:29
ayoungmorganfainberg, if we were to say we wanted datetimes in one format, would it be TZ aware, right, not
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit
bknudsonoops, pep823:31
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit
*** gyee has quit IRC23:33
*** andreaf_ has quit IRC23:35
*** EmilienM is now known as EmilienM|afk23:35
*** gyee has joined #openstack-keystone23:35
*** ChanServ sets mode: +v gyee23:35
*** gyee has quit IRC23:35
*** gyee has joined #openstack-keystone23:36
*** gyee has quit IRC23:38
*** gyee has joined #openstack-keystone23:38
*** ChanServ sets mode: +v gyee23:38
*** tellesnobrega_ has quit IRC23:39
*** openstack has joined #openstack-keystone23:40
*** bknudson has quit IRC23:42
*** andreaf_ has joined #openstack-keystone23:44
*** samueldmq_ has joined #openstack-keystone23:46
lbragstaddolphm: took a stab at removing use_encryption and building it into keystone-manage23:46
lbragstaddolphm: pushing a new patch now if you're working on anything23:46
dolphmlbragstad: i'm relearning how to java23:46
lbragstaddolphm: ...23:46
dolphmlbragstad: cloned keyczar23:46
*** andreaf_ has quit IRC23:47
ayoungdolphm, we have (or had) a crypto maestro here that I wanted to ask about keyczar, but I can't seem to find him.  Wondering if he left the company23:47
dolphmlbragstad: i have a safe workaround in our code, but i figured i'd try to contribute a fix23:48
dolphmayoung: well i found a security-related bug in keyczar if you find him :)23:48
dolphmlbragstad: i think i need to maven how do you maven23:48
dolphmlbragstad: also how to java?23:49
lbragstadjacorob: teach us to maven!23:49
ayoungNope, he's still here...just couldn't remember how to spell his name...23:50
dolphmlbragstad: the instructions to build keyczar start with: 1. Select the "File" menu, then the "Import" item.23:54
dolphmlbragstad: can you show me where the "File" menu is?
lbragstaddolphm: use your windows button23:55
*** krtaylor has quit IRC23:57
*** ayoung has quit IRC23:57
openstackgerritLance Bragstad proposed openstack/keystone: Authenticated Encryption (AE) tokens
dolphmlbragstad: is that one of these?
lbragstaddolphm: new patch ^23:58
lbragstaddolphm: relocating home23:58
*** _cjones_ has quit IRC23:59
*** _cjones_ has joined #openstack-keystone23:59
