Friday, 2015-02-13

« Thursday, 2015-02-12 Index Saturday, 2015-02-14 »
*** ljfisher has quit IRC00:03
*** nellysmitt has joined #openstack-keystone00:03
*** gyee has quit IRC00:04
*** tellesnobrega_ has joined #openstack-keystone00:05
*** ncoghlan has joined #openstack-keystone00:05
*** zzzeek has quit IRC00:05
*** nellysmitt has quit IRC00:08
*** krtaylor has joined #openstack-keystone00:10
*** zzzeek has joined #openstack-keystone00:12
*** atiwari1 has quit IRC00:16
*** atiwari1 has joined #openstack-keystone00:17
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Create functional test base  https://review.openstack.org/15554300:20
stevemardolphm, you need to request a new windows machine to continue your work00:20
stevemarplease consult IT00:20
*** markvoelker has quit IRC00:22
dolphmstevemar: I DID IT I DEFEATED THE MAVEN!00:22
jamielennoxnone of this is inspiring confidence that we should want to have keyczar as a dependency00:24
*** atiwari1 has quit IRC00:25
*** lnxnut has joined #openstack-keystone00:25
*** lhcheng_ has joined #openstack-keystone00:26
*** abhirc has quit IRC00:28
*** lhcheng has quit IRC00:28
*** marg7175 has quit IRC00:31
*** lnxnut has quit IRC00:33
*** david-lyle is now known as david-lyle_afk00:37
*** samueldmq_ has quit IRC00:37
*** abhirc has joined #openstack-keystone00:41
*** zzzeek has quit IRC00:41
*** abhirc has quit IRC00:42
*** gyee has joined #openstack-keystone00:42
*** ChanServ sets mode: +v gyee00:42
dolphmjamielennox: it could be better, but i'm not aware of a replacement?01:01
jamielennoxneither01:03
jamielennoxbut java...01:03
openstackgerritIan Wienand proposed openstack/oslo.policy: Deprecate default value for "policy_dirs"  https://review.openstack.org/15474201:05
*** bknudson has joined #openstack-keystone01:13
*** ChanServ sets mode: +v bknudson01:13
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit  https://review.openstack.org/15553101:19
bknudsonjamielennox: making similar changes in keystone ^01:19
bknudsonwhy would we use tempest-lib in keystoneclient?01:20
jamielennoxbknudson: yea, i saw - i was going to ask you a question about it earlier but you weren't around01:20
bknudsonfor cli tests?01:20
bknudsonI was buying gas and milk.01:20
jamielennoxbknudson: i was purely following a pattern set down by novaclient, i figured most of the tests that are coming from tempest will be written that way so we may as well use it01:21
bknudsonI'll compare with the nova code.01:22
jamielennoxalso mtreinish is pushing me into it, so i figured I should go with the tempest settings01:22
bknudsonlooks like novaclient doesn't have a whole lot of functional tests yet.01:23
bknudsonwe don't even want to test the cli... should be deprecated.01:23
jamielennoxbknudson: i think it's part of the plan to get it out of tempest for now01:24
jamielennoxi agree with deprecating it, however whilst we ship it we should keep it tested01:25
bknudsonI didn't know there were keystone cli tests in tempest now.01:25
jamielennoxi don't want to write any more tests but i'm happy enough to take what exists01:25
jamielennoxbknudson: not many: https://github.com/openstack/tempest/blob/master/tempest/cli/simple_read_only/identity/test_keystone.py01:26
stevemarjust for listing i think01:26
*** lhcheng_ has quit IRC01:27
*** jsavak has quit IRC01:27
*** lhcheng has joined #openstack-keystone01:27
bknudsonnova doesn't set OS_TEST_PATH in tox.ini: http://git.openstack.org/cgit/openstack/python-novaclient/tree/tox.ini01:28
bknudsonin testenv.01:28
jamielennoxbknudson: yea, and if you do testr it runs both functional and unit tests01:30
jamielennoxi took that from nova/01:31
jamielennoxhttps://github.com/openstack/nova/blob/master/tox.ini01:31
bknudsonjamielennox: that's how I thought dstanek would implement it in keystone.01:31
*** lhcheng has quit IRC01:32
*** dims_ has joined #openstack-keystone01:32
*** dims_ has quit IRC01:32
*** dims_ has joined #openstack-keystone01:32
*** dims__ has quit IRC01:33
bknudsonjamielennox: is there a job for keystoneclient functional?01:35
bknudsonjenkins jobs01:35
jamielennoxbknudson: not yet - i was waiting for the review to merge01:35
jamielennoxumm01:35
*** dims__ has joined #openstack-keystone01:36
jamielennoxbut i hvae: http://git.openstack.org/cgit/openstack-infra/project-config/commit/?id=c4093cd6d328a87ea9a2335ac2dd4d09a598bc8e which is the novaclient one01:36
bknudsonnovaclient doesn't need one.01:36
jamielennoxi'm sceptical if keystoneclient needs one - beyond the CLI which we've deprecated i'm not sure what you want to do with functionally testing a library01:37
bknudsonwe'll have a keystone so you can do anything01:37
bknudsoncreate projects01:37
bknudsonget tokens and validate tokens01:37
jamielennoxsure, but it should be keystone's functional tests that are validating those interfaces - and so long as the interfaces are right we should be ok to simply unit test the client01:38
bknudsonthe interfaces probably aren't right, since they're not tested.01:38
jamielennoxespecially now i ripped out all that mocking and we're testing at the http layer01:38
jamielennoxtrue - problem with stubs is they always return correctly01:39
*** dims_ has quit IRC01:39
bknudsonthey always return something, not necessarily what the server would return.01:39
jamielennoxright01:39
bknudsonafter keystoneclient released there were some problems in osc, I think...01:39
bknudsonstevemar pointed me to a failure...01:40
jamielennoxstevemar: ^ ?01:40
stevemaryo.01:40
bknudsoncrap, I closed the windows01:40
stevemarbknudson, right, let me find the bug01:40
stevemarhttps://bugs.launchpad.net/python-openstackclient/+bug/142008001:40
openstackLaunchpad bug 1420080 in python-openstackclient "functional tests are failing with new keystoneclient release" [Undecided,New]01:40
jamielennoxstevemar: for OSC you can run your tests against the master version in jenkins as well - you should probably do that as well01:40
jamielennoxwe can catch these prior to release01:41
stevemarjamielennox, good call...01:41
stevemaragreed01:41
bknudsonthanks!01:41
stevemarjamielennox, making a note of that on my todo list01:41
bknudsonstevemar: is that still failing? we haven't done anything to fix it as far as I know.01:41
stevemarbknudson, i skipped the test01:42
jamielennoxstevemar: so is that a v2 thing?01:42
bknudsonI think it's related to https://review.openstack.org/#/c/145532/01:42
jamielennoxbknudson: almost certainly01:43
stevemarbknudson, probably definitely01:43
stevemarthis will also have implications on pycadf01:43
stevemarsince it needs the service catalog01:43
jamielennoxso my guess is that it's a v2/v3 mismatch01:43
jamielennoxif you do data['token'] on a v2 token you get the token_id string?01:43
jamielennoxif you do data['token'] on a v3 token you get a dictionary with the catalog as an element01:44
jamielennoxit's just surely that would have been caught somewhere prior to that01:44
jamielennoxto a functional test in OSC01:44
bknudsonthis is why we have functional tests.01:45
*** gyee has quit IRC01:45
bknudsonalso should improve unit tests to cover this somehow.01:45
jamielennoxon the up side it means that our gate is almost entirely converted to v3 :)01:45
jamielennoxthis must be causing more problems....01:46
*** davechen has joined #openstack-keystone01:46
bknudsonstevemar: what test failed? all of them?01:47
bknudsonmaybe it's easy to recreate with tox -e functional in osc.01:47
*** r-daneel has quit IRC01:48
stevemarhmm01:49
jamielennoxwe should verify this, file against keystoneclient and then i think issue a bugfix release, because that has to be biting a lot of people01:50
*** _cjones_ has quit IRC01:50
bknudsonjamielennox: I added keystoneclient01:50
bknudsonjamielennox: do you want to work on a fix?01:51
jamielennoxbknudson: great - i just got the requirements patch to bump keystoneclient merged01:51
jamielennoxbknudson: yep, i can have a look at that01:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/15557201:53
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/15557301:53
stevemarbknudson, sorry, was otp01:53
bknudsonI tried openstack user list --debug and no problems with the token01:54
stevemarbknudson, the problem is seen specifically with dtroyer's examples01:54
stevemarhttps://github.com/openstack/python-openstackclient/tree/master/examples01:54
jamielennoxi have to run out for a bit, but i'll see if i can reproduce this afternoon01:54
stevemarwe have functional tests that run the example files01:54
stevemarhttps://github.com/openstack/python-openstackclient/blob/master/functional/tests/test_examples.py#L26-L3201:54
stevemarobject_api.py and osc-lib.py were failing01:55
jamielennoxstevemar: i think the problem is the same01:55
jamielennoxbknudson: if you don't use --debug it won't try to print all that01:55
bknudsonI thought the --debug output was the problem.01:58
jamielennoxyea, there is an optimization in there because we process the data so much for logging to not print unless debug is enabled01:59
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/15558402:00
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/15437002:01
jamielennoxalright - back later, let me know if someone fixes it otherwise i will look later02:01
*** jamielennox is now known as jamielennox|away02:01
bknudsonLooks like the v2 token has "tenant": {"description": null, "enabled": true, "id": "3824a1c2bdfb4d16a1ece8bd7f0d5950", "parent_id": null, "name": "demo"}02:02
bknudsonis it expected to have parent_id in there?02:02
bknudsonthe v2 token has ['access'] and not ['token']02:03
*** nellysmitt has joined #openstack-keystone02:04
bknudsonosc or keystone must be doing something really wacky.02:05
*** nellysmitt has quit IRC02:09
stevemarkeystone dumped the parent_project_id everywhere i think, that's gotta be a bug on the server side02:12
morganfainbergstevemar, hmm?02:13
morganfainbergoh in v2 token, no02:13
morganfainbergparent_id should not be there02:13
*** zz_avozza is now known as avozza02:13
stevemarbknudson, we (osc) do funny things with auth, not so much the token we get bcak02:14
morganfainbergand yes please lets catch those bugs before release :)02:14
* morganfainberg is finally back home.02:14
bknudsonI can propose a fix... give me a minute to try it out.02:14
morganfainbergbknudson, ++ thanks for chasing this down02:15
bknudsonI don't really know how this is happening since v2 and v3 tokens work for me.02:15
*** ayoung has joined #openstack-keystone02:16
*** ChanServ sets mode: +v ayoung02:16
bknudsonplus tokens aren't generally logged anyways, needed to force a variable to True02:16
openstackgerritSteve Martinelli proposed openstack/keystone: Refactor _send_audit_notification  https://review.openstack.org/15155102:20
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Ignore all failures removing catalog when logging token  https://review.openstack.org/15560502:20
*** avozza is now known as zz_avozza02:23
*** spandhe has quit IRC02:24
morganfainbergso interesting, I chatted with someone today who's using couchbase as the memcache backend for tokens02:25
morganfainbergor looking at it02:25
morganfainberglooks like couchbase solves a lot of the memcache-is-sucky problems02:25
morganfainbergreplication, stable store, etc02:25
openstackgerritIan Wienand proposed openstack/oslo.policy: Deprecate default value for "policy_dirs"  https://review.openstack.org/15474202:27
ayoungjamielennox|away, let me know when you are back02:29
ayoungI am unclear on how the v2 tokens catalogs are supposed to be jhandled02:30
ayoungif it comes in as 3 urls in one endpoint, should that be one endpoint or three after the fact?02:30
dstanekbknudson: jamielennox|away: ?02:31
ayoungmorganfainberg, tokens must die.02:31
ayoungWe can keep unscoped tokens around for the luddites that insist on using passwords02:31
morganfainbergayoung, tokens cannot die02:31
ayoungunscoped token plus trust ID02:31
morganfainbergayoung, we can offer alterantives02:31
ayoungTOKENS MUJST DIE!02:31
morganfainbergayoung, cant02:31
ayoungWILL!02:32
morganfainbergwe can offer much better alternatives02:32
ayoungSHALL02:32
morganfainbergi'm not going to do a V4 api02:32
morganfainbergso... they wont die02:32
ayoungWe don't need to02:32
morganfainbergyes, we would.02:32
bknudsonnext week is the OSSG meeting in san francisco02:32
ayoungYes they can...unscoped token or real authentication + header with a delegation ID02:32
morganfainbergbknudson, damn it. i am going to be in seattle i wanted to go to that02:32
bknudsonthere will be plenty of hp folks there...02:33
morganfainbergayoung, ok lets start with "Tokens wont die in Kilo" ;)02:33
ayoungCUZ HP is all about that cloud thing02:33
morganfainbergayoung, and tokens will still be around in Liberty*02:33
ayoungmorganfainberg, who cares02:34
morganfainberg* = there may be a new method to make tokens obsolete in Liberty and beyond02:34
ayoungget a better mechanism, deprecate them02:34
ayoungand stop puring good money after bad02:34
*** erkules_ has joined #openstack-keystone02:34
morganfainbergbecause i have to field questions on this stuff from many companies who freak when they hear this kind of stuff02:34
morganfainbergand saying "tokens wont be gone in kilo" is important on that02:34
ayoungunscoped token is there only to say "yes, use has handed me a password"02:34
bknudsonswitch to bitcoins02:35
morganfainbergbknudson, i like storing data in the blockchain as a secure method to ensure auditability as well02:35
ayoungHow big is a bit coin?  Bet it is bitter than a PKI token02:35
ayoungbigger02:35
morganfainbergbknudson, i'll bet we can even use the blockchain as the stable store for most userdata too.02:36
morganfainbergbknudson, i'm sold. lets do it ;)02:36
*** tellesnobrega_ has quit IRC02:36
bknudsonwe need april fools specs.02:36
morganfainbergbknudson, ++02:36
*** erkules has quit IRC02:37
*** tqtran has quit IRC02:41
bknudsonhttps://review.openstack.org/#/c/155605/ is the proposed fix for the osc test failures.02:42
morganfainbergbknudson, what was the fix to auth_token to let users not in the default domain be service users?02:47
bknudsonmorganfainberg: the fix was to support authentication plugins.02:47
bknudsonmorganfainberg: jamielennox|away did it02:48
morganfainbergbknudson, do we have documentation on how to configure auth_token that way?02:48
bknudsonhe he!02:48
bknudsonactually, there might be somewhere.02:48
morganfainbergi actually have someone asking about this02:49
morganfainbergcrap but they use neutron02:49
morganfainberg...02:49
bknudsonwe need keystonemiddleware on this list: http://docs.openstack.org/developer/openstack-projects.html02:49
* morganfainberg needs to get Jamie to fix juno nova to not explode with neutron02:49
bknudsony, I don't see it on keystonemiddleware docs... http://docs.openstack.org/developer/keystonemiddleware/02:50
bknudsonmaybe it was in keystoneclient02:50
stevemarnow to figure out how we can run osc against ksc master02:50
morganfainbergand the whole documentation is saying put configs in paste-ini it looks like02:50
bknudsonstevemar: sudo python setup.py develop02:51
morganfainberghmm, darn jamielennox|away  is away02:51
bknudsonwhere does he go?02:51
morganfainbergno idea02:52
stevemarbknudson, i meant changing project-config02:52
bknudsongrabbing a shimp of the barbie.02:52
bknudsonshrimp02:52
stevemaron*02:52
stevemaroff*02:52
bknudsonit's getting too late02:52
stevemarnot even 9pm for you02:53
stevemaryou still have a solid 4-6 hrs of work left in ya02:53
ayoungHe should be around.02:56
ayoungBut...I went through that review.  Let me pull it up02:56
*** tellesnobrega_ has joined #openstack-keystone02:57
*** topol has joined #openstack-keystone03:00
*** ChanServ sets mode: +v topol03:00
ayoungcommit e77a7a225b0902da47fc4acd643d76ebd77e68d103:01
ayoungMerge: a7beb50 bb00caf03:01
ayoungAuthor: Jenkins <jenkins@review.openstack.org>03:01
ayoungDate:   Sat Sep 27 05:16:01 2014 +000003:01
ayoung    Merge "Support service user and project in non-default domain"03:01
morganfainbergayoung, we're missing documentation03:02
morganfainbergand the test case has a gap in it03:02
*** markvoelker has joined #openstack-keystone03:02
ayounga/doc/source/middlewarearchitecture.rst03:02
morganfainbergdon't see documentation that shows how to configur with auth plugins03:03
morganfainbergand that patch from jamie doesn't include it03:03
morganfainbergi'm having to look at test cases to see what is expected03:04
ayoungbknudson, why would your patch  "Support service user and project in non-default domain"  not be enough?03:04
morganfainbergayoung, and http://paste.openstack.org/show/172566/ as shown here, we are only testing the domain_id and project_id, not project_name + domain_id03:04
morganfainbergthats form the test case03:05
ayoungmorganfainberg, that is different from your origianl question, though  " what was the fix to auth_token to let users not in the default domain be service users?"03:06
morganfainbergayoung, if you look at the whole convo i then asked about docs03:06
*** dims__ has quit IRC03:07
morganfainbergayoung, thanks! you got to that commit about when I found it.03:07
*** markvoelker has quit IRC03:07
ayoungmorganfainberg, I was still working to answer the important part "is it even possible"03:07
morganfainbergayoung, i'm actually working on setting up an environment around this theory03:08
morganfainberg:)03:08
ayoungvery nice03:08
ayoungI was supposed to be, but aside from being lost in auth_context/access_info loand, they blew up our internal cloud03:08
morganfainbergwhere SQL is the default identity store, but LDAP is the identity store for Default domain, allowing full use of V2 while service users live in v303:08
morganfainbergand then layer in some geographic replication of data.03:09
ayoungI'm supposed to do that, and then throw SSSD via Federation on top of it03:09
ayoungso...if you do this setup on a Fedora or RHEL system....03:09
ayoungI'd be happy to help you with the FreeIPA setup.03:09
ayoungI need to accept that my setup on Dreamhost is toast and restart it, too03:10
morganfainbergright now i only have an ubuntu system to work with.03:10
morganfainbergbut i'll want to setup something a bit more permanent as a POC once i have this working via devstack(s)03:10
morganfainbergwhich case using an IPA install amkes sense03:10
morganfainbergsince it makes the user management in LDAP ... well not suck - and enables us to poke at other features03:11
ayoungTell you waht...I'll loop back around on Dreamhost and get it back up and running wonce I get access_info down to 0 failing tests03:13
ayoungright now I have tto figure out what to do about the V2 catalogs, and then I think I'll be able to get the last 5-6 failures knocked off03:14
morganfainbergayoung, sounds good and i'll want to setup a "geographically" separate keystone to test some data replication stuff03:14
ayoungit will still need a huge amount of revision03:14
morganfainbergayoung, thanks for diving on the accessinfo grenande dude03:14
morganfainbergayoung, i appreciate it03:14
ayoungI need to talk over a lot of the details with Jamie.  He's had to deal with so many compteting deamns in this code base...03:15
morganfainbergayoung, yeah.03:15
morganfainbergayoung, but once we get it done i think we'll be in a much happier place03:16
*** richm has quit IRC03:16
ayoungYeah...It will standarize policy enforcement, and we can use it for building the tokens cleanly in the server, too03:16
ayoungI think it is what termie was origianlly going for with the common/models.py code, but we never quite go things unified on that03:17
ayoungI'll have to loop back around with the SQL Alchemy code and see if we can avoid duplication of all the properties between the model objects and the values into/outof the database03:18
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/15557303:19
morganfainbergayoung, yeah i think you're right on that front03:23
morganfainbergre: termie's direction03:23
*** harlowja_ is now known as harlowja_away03:27
*** tellesnobrega_ has quit IRC03:34
*** tellesnobrega_ has joined #openstack-keystone03:34
*** tellesnobrega_ has quit IRC03:34
morganfainbergtopol, found another whiskey you'd like03:38
morganfainberg"Midwinternight's Dram"03:38
morganfainbergit's great!03:38
ayoungfailures=203:42
morganfainbergayoung, nice!!03:42
stevemarayoung, almost there03:46
ayoungand I know how to fix one already...03:46
ayoungfailures=103:48
topolmorganfainberg. sounds good. will they have it in vancouver?03:49
morganfainbergtopol, eh03:50
morganfainbergtopol, it's a rye whiskey03:50
morganfainbergmaybe03:50
morganfainbergit's not super common fwiw03:50
morganfainbergbut not exactly rare either03:50
topolmorganfainberg, K03:51
topolstevemar that photo you posted was awesome03:52
stevemartopol, glad you enjoyed it03:52
topolstevemar I was one of those dumb asses03:53
ayoungRan 1026 (+1025) tests in 8.262s (+8.252s)03:54
ayoungPASSED (id=1119, skips=3)03:54
morganfainbergwoot03:54
* topol tried to get up my steep driveway without turning off the auto traction on my car. was halarious03:54
ayoungyeah...now if only he hadn't bumped all the tests down one level03:54
ayoungtopol, I just got a new set of snow tires for my Hyundai03:55
* morganfainberg just enjoyed t-shirt and shorts weather today.03:55
stevemartopol, winter tires ftw!03:55
morganfainberg~92F03:55
topolsnow tires, what are those03:55
stevemarbigger tire tread03:55
morganfainbergfelt like summer03:55
topol:-)03:55
stevemarmorganfainberg, i hate you03:56
ayoungmorganfainberg, aren't you headed to NYC soon.  Might want to rethink that move if you are prone to gloating.03:56
morganfainbergayoung, wont be till post summit03:56
stevemarit wasn't slushy outside today, but damn it was a biting cold03:56
morganfainbergat the earliest03:56
topolIm to NH on Monday  :-(03:56
morganfainbergand i'd gloat about cold weather too03:56
morganfainbergcause.. for me i pref cold weather03:56
morganfainbergactually next week in seattle03:56
morganfainbergstevemar, i might be late to the keystone meeting03:57
morganfainbergmind running it for me?03:57
stevemarsure03:57
morganfainbergi'l be landing around the time it starts03:57
morganfainbergthanks03:57
stevemarnp, i get to wield the power03:57
morganfainbergcrap03:57
stevemarskip topics i don't like03:57
morganfainbergtopol, you want to run the meeting instead, dunno if we can trust stevemar w/ the power03:58
morganfainberg;)03:58
stevemaryou can always trust the canadian03:58
ayounglooks like git handles merges that include directory moves OK...fingers crossed he03:59
ayounghere03:59
topolIF he doesnt behave we can force feed him ketchup chips03:59
ayoung2 failures03:59
morganfainbergwhat... are.. you know i probably don't want to know what ketchup chips are03:59
topolask the knooK03:59
morganfainbergignorance is bliss04:00
topolstevemar^04:02
stevemarmorganfainberg, we had a whole twitter discussion about them04:02
* morganfainberg ignores said twitter convo04:02
stevemarapparently that flavor is only sold north of the border04:03
stevemari had no idea04:03
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851904:03
stevemarbknudson, heard about them04:03
ayoung<geddy lee>Thank you very kindly, good night!</geddy lee>04:03
*** ayoung is now known as ayoung_ZZZzzzZZZ04:03
topolrush?04:04
*** markvoelker has joined #openstack-keystone04:04
stevemarapparently04:05
*** nellysmitt has joined #openstack-keystone04:05
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for most resources  https://review.openstack.org/15113704:06
*** dims__ has joined #openstack-keystone04:07
*** markvoelker has quit IRC04:08
*** nellysmitt has quit IRC04:10
*** dims__ has quit IRC04:12
*** topol has quit IRC04:25
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for most resources  https://review.openstack.org/15113704:26
openstackgerritSteve Martinelli proposed openstack/keystone: Publicize region/endpoint/policy/service events  https://review.openstack.org/15177404:27
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notification handling for policy/region/service/endpoint  https://review.openstack.org/15178604:27
openstackgerritSteve Martinelli proposed openstack/keystone: Add a test for create_domain in notifications  https://review.openstack.org/15179104:27
*** lhcheng has joined #openstack-keystone04:29
openstackgerritSteve Martinelli proposed openstack/keystone: Add a test for create_domain in notifications  https://review.openstack.org/15179104:32
openstackgerritSteve Martinelli proposed openstack/keystone: Revamp the documentation surrounding notifications  https://review.openstack.org/12618004:37
*** _cjones_ has joined #openstack-keystone04:51
*** _cjones_ has quit IRC04:51
*** _cjones_ has joined #openstack-keystone04:52
*** _cjones_ has quit IRC04:56
*** ajayaa has joined #openstack-keystone05:10
openstackgerritSteve Martinelli proposed openstack/keystone: Revamp the documentation surrounding notifications  https://review.openstack.org/12618005:18
*** jacer_huawei has quit IRC05:19
stevemarmorganfainberg, around?05:59
morganfainbergSortof06:00
stevemarmorganfainberg, with grenade, if it pulled down .06 for a library, cause that's what it's capped at, for the N-1 install.06:02
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15565006:03
stevemarthen during the update to N, in the requirements repo, the library is lower bounded by 0.6, but has newer versions out there... it's not going to upgrade it will it?06:03
morganfainbergI think that's right06:03
*** nellysmitt has joined #openstack-keystone06:06
stevemarstinks06:07
stevemarmorganfainberg, -> Bump pycadf to 0.7.1  https://review.openstack.org/15565206:07
*** nellysmitt has quit IRC06:11
*** lhcheng_ has joined #openstack-keystone06:21
*** spandhe has joined #openstack-keystone06:21
*** lhcheng has quit IRC06:23
*** zz_avozza is now known as avozza06:37
*** abhirc has joined #openstack-keystone06:37
*** ajayaa has quit IRC06:38
*** jamielennox|away is now known as jamielennox06:44
*** afazekas_ has joined #openstack-keystone06:47
jamielennoxmorganfainberg: you still looking for me?06:48
morganfainbergjamielennox: yeah. We don't have any documentation on configuring middleware to work with service users outside of he default domain.06:49
jamielennoxumm, hmm... you may be right06:49
morganfainbergI also noticed the test looks like it is testing user_id and domain_id06:49
morganfainbergNot username.06:49
jamielennoxwhich test?06:49
morganfainbergThe one in ksm that was added with the domain handling bits.06:50
jamielennoxmorganfainberg: there's nothing really domain handling... that's kind of the point so long as the plugin works ksm doesn't care06:51
morganfainbergRight. But domain_id and project_id doesn't help does it?06:51
morganfainbergSince project id is unique. Only time domain would be needed is with project name.06:52
morganfainbergRight?06:52
jamielennoxsure06:54
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Create functional test base  https://review.openstack.org/15554306:55
openstackgerritSteve Martinelli proposed openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/15566006:57
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - Add CADF notifications for trusts  https://review.openstack.org/15186707:01
*** avozza is now known as zz_avozza07:03
*** dims__ has joined #openstack-keystone07:10
*** dims__ has quit IRC07:15
*** jacer_huawei has joined #openstack-keystone07:17
*** jacer_huawei is now known as wanghong07:17
openstackgerritSteve Martinelli proposed openstack/keystone: Log exceptions safely  https://review.openstack.org/15302907:24
stevemardstanek, just for you bud ^07:25
*** ajayaa has joined #openstack-keystone07:25
*** abhirc has quit IRC07:26
*** pnavarro has joined #openstack-keystone07:36
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: [WIP] Add subject token token to user token plugin  https://review.openstack.org/14161407:41
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add subject token token to user token plugin  https://review.openstack.org/14161407:47
*** nellysmitt has joined #openstack-keystone07:49
*** zz_avozza is now known as avozza07:53
*** stevemar has quit IRC07:56
*** nellysmitt has quit IRC07:58
*** krykowski has joined #openstack-keystone07:58
*** lhcheng_ has quit IRC07:59
*** markvoelker has joined #openstack-keystone08:09
*** spandhe has quit IRC08:13
*** markvoelker has quit IRC08:14
*** mzbik has joined #openstack-keystone08:14
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add service token token to user token plugin  https://review.openstack.org/14161408:20
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add Request ID to outbound calls when set  https://review.openstack.org/15567208:20
*** ncoghlan has quit IRC08:22
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add Request ID to outbound calls when set  https://review.openstack.org/15567208:22
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add Request ID to outbound calls when set  https://review.openstack.org/15567208:22
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add service token to user token plugin  https://review.openstack.org/14161408:22
jamielennoxugh08:22
*** yanfengxi has joined #openstack-keystone08:33
*** yanfengxi has quit IRC08:36
openstackgerritMerged openstack/python-keystoneclient: Ignore all failures removing catalog when logging token  https://review.openstack.org/15560508:37
*** openstackgerrit has quit IRC08:42
*** openstackgerrit has joined #openstack-keystone08:42
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/15557208:49
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/15565008:50
*** lhcheng has joined #openstack-keystone08:59
*** MasterPiece has joined #openstack-keystone09:05
ajayaarodrigods, raildo, Hi.09:09
*** markvoelker has joined #openstack-keystone09:10
ajayaaRight now it so happens that user's are contained inside a domain. When hmt comes into place, what happens to the users?09:10
*** MasterPiece has quit IRC09:11
*** markvoelker has quit IRC09:14
*** henrynash has joined #openstack-keystone09:16
*** ChanServ sets mode: +v henrynash09:16
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196209:16
*** jistr has joined #openstack-keystone09:16
*** lhcheng has quit IRC09:16
*** karimb has joined #openstack-keystone09:18
*** wanghong is now known as wanghong|away09:19
*** wanghong|away has quit IRC09:26
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430209:30
*** obutenko has joined #openstack-keystone09:45
*** chlong has quit IRC09:49
*** davechen has quit IRC09:50
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917809:56
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162309:57
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196210:01
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430210:05
*** MasterPiece has joined #openstack-keystone10:09
*** markvoelker has joined #openstack-keystone10:11
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389710:11
*** dims__ has joined #openstack-keystone10:12
*** markvoelker has quit IRC10:15
*** dims__ has quit IRC10:17
*** karimb has quit IRC10:21
*** bdossant has joined #openstack-keystone10:25
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448510:29
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899510:32
*** henrynash has quit IRC10:33
*** lhcheng has joined #openstack-keystone10:39
*** amakarov_away is now known as amakarov10:44
*** erkules_ is now known as erkules10:48
*** karimb has joined #openstack-keystone10:51
*** markvoelker has joined #openstack-keystone11:12
*** dims__ has joined #openstack-keystone11:12
*** lhcheng has quit IRC11:12
*** markvoelker has quit IRC11:16
*** jacer_huawei has joined #openstack-keystone11:27
*** aix has joined #openstack-keystone11:27
*** karimb has quit IRC11:30
*** karimb has joined #openstack-keystone11:33
*** aix has quit IRC11:38
*** dims__ has quit IRC12:01
*** dims__ has joined #openstack-keystone12:02
*** aix has joined #openstack-keystone12:04
*** dims__ has quit IRC12:06
*** dims__ has joined #openstack-keystone12:07
*** markvoelker has joined #openstack-keystone12:13
*** htruta has quit IRC12:15
*** lsmola has joined #openstack-keystone12:16
*** markvoelker has quit IRC12:17
*** htruta has joined #openstack-keystone12:19
*** dims__ has quit IRC12:32
raildoajayaa, hi12:39
ajayaaraildo , hi.12:39
ajayaaI assume that you saw my question.12:39
raildoajayaa, Domains continue will be the container of users12:40
raildowe will not change that12:40
raildoWe are just add the possibility to create users in root domains and now in projects with the domains features12:40
ajayaaSo basically, in the new terminology, root of a project is an owner of all users.12:40
raildoajayaa, so  you can distribute your users in the hierarchy instead all users in one single domain12:41
ajayaaThe column name there I am assuming in user table would be renamed to root_project(or something similar)12:42
ajayaaThere is a column called domain_id in project and user table.12:42
raildoajayaa, hum... for now, we will not change this.12:42
raildousers keeps owned by a domain... we are not removing domain... we are just change how the Keystone storage a domain12:44
ajayaaraildo, got that.12:44
raildoajayaa, now domain is a project with a flag "is_domain" = True....12:44
ajayaaraildo, well I was hoping that there would be no namespace for users and authentication would happen with user_id instead of name.12:45
raildoajayaa, but for the API and the other features, this is a normal domain... we can create users, groups, use domain specific backend, feedration....12:45
ajayaaBut that is a major change.12:45
raildoajayaa, I think that is out of scope in our change... but we can discuss this for the next release :)12:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Re-use list_role_assignments wherever is possible  https://review.openstack.org/15573312:47
ajayaaraildo, Is there a flag in db called 'is_domain' in project table?12:48
raildoajayaa, We will create this flag :)12:49
raildoajayaa, in fact, I intend send a patch today with this change12:49
ajayaaraildo, You could just check for domains with "give me all the projects where project_id is null".12:53
ajayaaAre we differentiating between a root project and domain?12:53
*** jaosorior has joined #openstack-keystone12:57
samueldmqmorning12:58
samueldmqdstanek, ping - there is a patch with 2x +2 waiting for you to see the latest changes :-)12:58
samueldmqdstanek, https://review.openstack.org/#/c/14454412:58
ajayaaraildo, there?13:00
samueldmqajayaa, sorry he just needed to go afk for a bit (grabbing a coffe) ...13:00
samueldmqcoffee*13:00
ajayaasamueldmq, Okay. np13:01
ajayaaDo you sit in the same office?13:01
samueldmqajayaa, yes, we're like 1.5 meter away13:02
ajayaacool13:02
samueldmq:-)13:02
dstaneksamueldmq: so link vs. url? why the change?13:04
*** bdossant_ has joined #openstack-keystone13:07
*** markvoelker has joined #openstack-keystone13:10
*** bdossant has quit IRC13:11
raildoajayaa, I'm back now, sorry.13:11
ajayaaraildo, np man.13:11
raildoajayaa, do you read the reseller spec?13:12
ajayaaI read a bunch of spec related to hmt. Is it in Juno?13:13
*** dims__ has joined #openstack-keystone13:13
raildoajayaa, no, its a new spec, for kilo. just one minute13:14
raildoajayaa, https://review.openstack.org/#/c/139824/29/specs/kilo/reseller.rst13:14
ajayaaraildo, Thanks man. I will read it.13:15
raildoajayaa, and that is some more clarifications  here: http://raildo.me/hierarchical-multitenancy-in-openstack/13:15
raildoajayaa, no problem, any questions I'm available.13:16
*** dims___ has joined #openstack-keystone13:16
ajayaaI saw your blog post earlier. It has undergone modification, I think. :)13:16
*** atiwari has joined #openstack-keystone13:17
raildoajayaa, yes... I need to write other :)13:17
raildoajayaa, I think here its more clean, to read the spec https://github.com/openstack/keystone-specs/blob/master/specs/kilo/reseller.rst13:17
*** atiwari has quit IRC13:17
*** dims__ has quit IRC13:17
ajayaaSomebody should make gerrit understand rst.13:19
*** EmilienM|afk is now known as EmilienM13:19
*** ccard has quit IRC13:24
*** ccard has joined #openstack-keystone13:28
*** henrynash has joined #openstack-keystone13:30
*** ChanServ sets mode: +v henrynash13:30
*** mzbik has quit IRC13:36
*** bdossant has joined #openstack-keystone13:46
openstackgerritBrant Knudson proposed openstack/keystone: Use subunit-trace from tempest-lib  https://review.openstack.org/14560713:47
*** htruta has quit IRC13:47
*** karimb has quit IRC13:48
*** karimb has joined #openstack-keystone13:48
*** bdossant_ has quit IRC13:49
*** ajayaa has quit IRC13:53
*** pnavarro is now known as pnavarro|mtg13:58
*** htruta has joined #openstack-keystone14:05
*** radez_g0n3 is now known as radez14:15
*** krykowski has quit IRC14:19
*** karimb has quit IRC14:22
*** david-lyle_afk is now known as david-lyle14:22
*** richm has joined #openstack-keystone14:23
*** joesavak has joined #openstack-keystone14:34
openstackgerritDirk Mueller proposed openstack/python-keystoneclient: Avoid message concatenation in error path  https://review.openstack.org/15575814:37
*** abhirc has joined #openstack-keystone14:40
openstackgerritMerged openstack/keystone: Improve creation of expected assignments in tests  https://review.openstack.org/14454414:45
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430214:45
openstackgerritMerged openstack/keystone: Fix error message on check on RoleV3  https://review.openstack.org/14470214:47
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389714:47
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448514:49
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899514:51
*** stevemar has joined #openstack-keystone14:54
*** ChanServ sets mode: +v stevemar14:54
*** r-daneel has joined #openstack-keystone15:00
bknudsonwe have to decide whether we're going to do https://review.openstack.org/#/c/155531/ or something else for functional testing, because if it's not merged quickly it's going to be constant rebasing.15:01
henrynashbknduson: (aside): when you have a momentm I responded to your comment on https://review.openstack.org/#/c/151930/15:06
stevemarbknudson, doesn't dstanek have a similar patch15:08
*** topol has joined #openstack-keystone15:08
*** ChanServ sets mode: +v topol15:08
*** marg7175 has joined #openstack-keystone15:09
henrynashbknudson: also, what’s teh thinking behind the /unit/unit/ naming....15:10
*** ayoung_ZZZzzzZZZ is now known as ayoung15:10
bknudsonhenrynash: in nova, python-keystoneclient, etc., the unit tests are in nova.tests.unit , and the funcational tests are in nova.tests.functional15:11
bknudsonthis is so it's easy to have a tox env for functional tests that runs the tests in nova.tests.funcational15:12
bknudsonhenrynash: I don't see the point to cleaning up a comment when the comment is just going to be made redundant.15:12
henrynashbknudson: no issue with moving things to unit….it just looks odd to have /unit/unit/ in the path15:13
*** marg7175 has quit IRC15:13
bknudsonhenrynash: I agree with unit.unit... I can move things around in the current patch or propose a separate patch to move things out of unit.unit.15:13
bknudson(or anyone could propose a patch to move things around)15:13
*** MasterPiece has quit IRC15:14
*** MasterPiece has joined #openstack-keystone15:15
*** dims___ is now known as dimsum__15:15
henrynashbknudson: so let’s only move things once….the rebasing is bad enough as it is….15:15
bknudsonhenrynash: ok, I can work on getting rid of unit.unit.15:16
henrynashbbknudson: ok…15:17
*** samueldmq is now known as samueldmq-away15:18
dstanekunit.unit?15:18
bknudsondstanek: https://review.openstack.org/#/c/155531/  has unit.unit15:19
bknudsonkeystoneclient.tests.unit.unit15:19
bknudsonsince all the existing tests are moved wholesale into keystoneclient.tests.unit15:19
dstanekwhat's the point of that?15:19
bknudsonit was easy to git mv everything and then the plan was to clean it up in separate commits.15:20
dstanekcouldn't you just 'git mv keystoneclient/tests/*py keystoneclient/tests/unit/'?15:20
bknudsonthere are directories in keystone.tests that are only unit-test related.15:21
bknudsonI could try keystoneclient/tests/*py instead.15:22
dstanekor do what you did and follow it up with a 'git mv unit/unit/ unit/'15:22
dstanekwe have enough cores here that we can push this through quickly15:23
bknudsonlet me just try to rebase it as it is then.15:24
bknudsonmoving unit.unit tests back shouldn't be as disruptive.15:24
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit  https://review.openstack.org/15553115:25
bknudsonit's only gerrit that had a problem with merge conflict resolution.15:25
stevemarthanks dolphm15:26
bknudsonwe could probably have a separate directory for the "live" tests, next to unit and functional15:27
bknudsonor maybe "live" tests don't fit in with the new testing model15:27
dstanekbknudson: what is the difference between a live test and a functional test?15:28
*** timcline has joined #openstack-keystone15:28
bknudsondstanek: the "live" tests run the unit tests against a real database... I think we've got them for the dbs and ldap.15:29
*** avozza is now known as zz_avozza15:29
bknudsonprobably no need for this if we have functional tests with enough coverage.15:30
dstanektrue15:30
*** zz_avozza is now known as avozza15:30
dstanekin my ideal world the unit tests would never actually use a database - anything that needs one would be a functional test15:33
bknudsondstanek: we'll get there!15:36
lbragstaddstanek: ++15:37
*** carlosmarin has joined #openstack-keystone15:37
*** josecastroleon has joined #openstack-keystone15:40
*** jorge_munoz has joined #openstack-keystone15:41
*** mzbik has joined #openstack-keystone15:44
*** MasterPiece has quit IRC15:48
*** marg7175 has joined #openstack-keystone15:51
*** nkinder_sick has quit IRC15:51
*** josecastroleon has quit IRC15:52
*** marg7175 has quit IRC15:52
*** marg7175 has joined #openstack-keystone15:53
bknudsonthere might actually be an infra issue causing the merge conflicts on rename... there was no merge conflict locally...  I'll ask about it.15:53
*** timcline has quit IRC15:55
openstackgerritMerged openstack/python-keystoneclient: Create functional test base  https://review.openstack.org/15554315:56
openstackgerritMerged openstack/keystone: remove the unused variables in indentity/core.py  https://review.openstack.org/15524715:57
*** MasterPiece has joined #openstack-keystone15:57
*** timcline has joined #openstack-keystone16:01
*** mflobo has quit IRC16:01
*** cyeoh has quit IRC16:10
openstackgerritMerged openstack/keystone: Integrate logging with the warnings module  https://review.openstack.org/14318816:11
*** topol has quit IRC16:12
*** bknudson has quit IRC16:12
*** cyeoh has joined #openstack-keystone16:13
*** topol has joined #openstack-keystone16:14
*** ChanServ sets mode: +v topol16:14
*** marg7175 has quit IRC16:15
openstackgerritMerged openstack/keystone: Log exceptions safely  https://review.openstack.org/15302916:16
*** marg7175 has joined #openstack-keystone16:16
*** thedodd has joined #openstack-keystone16:20
*** MasterPiece has quit IRC16:20
*** MasterPiece has joined #openstack-keystone16:24
*** timcline has quit IRC16:25
*** timcline has joined #openstack-keystone16:26
*** radez is now known as radez_g0n316:27
*** bknudson has joined #openstack-keystone16:27
*** ChanServ sets mode: +v bknudson16:27
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit  https://review.openstack.org/15553116:30
*** bdossant_ has joined #openstack-keystone16:32
*** bdossant_ has quit IRC16:33
*** bdossant_ has joined #openstack-keystone16:34
*** zzzeek has joined #openstack-keystone16:35
*** pnavarro|mtg is now known as pnavarro|afk16:36
*** bdossant has quit IRC16:36
stevemardolphm is alive!16:37
bknudsonthings are so much better when dolphm is here.16:38
openstackgerritMerged openstack/python-keystoneclient: Make remove_service_catalog private  https://review.openstack.org/15433416:38
*** bdossant_ has quit IRC16:42
stevemarbknudson, things are better when there are more people :D16:44
*** timcline_ has joined #openstack-keystone16:45
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit  https://review.openstack.org/15553116:46
bknudsonturns out the merge conflicts caused by renaming files aren't that big of a deal... it's only gerrit's merging that has a problem with it.16:46
stevemarbknudson, it's that damn birds fault again16:48
*** _cjones_ has joined #openstack-keystone16:48
*** timcline has quit IRC16:48
bknudsonstevemar: why does that stupid bird get its picture in gerrit and nobody else does.16:49
stevemarbknudson, we should all get little logos16:53
*** afazekas_ has quit IRC16:53
dstanekweird that they tests even exist https://review.openstack.org/#/c/144946/1/keystone/tests/test_associate_project_endpoint_extension.py16:53
*** MasterPiece has quit IRC16:55
*** EmilienM is now known as EmilienM|afk16:56
openstackgerritMerged openstack/pycadf: Add deprecation message to Audit API  https://review.openstack.org/15472116:57
*** MasterPiece has joined #openstack-keystone17:00
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899517:03
*** radez_g0n3 is now known as radez17:03
openstackgerritMerged openstack/keystone: Fix evaluation logic of federation mapping rules  https://review.openstack.org/15110917:04
openstackgerritMerged openstack/keystone: Don't try to convert LDAP attributes to boolean  https://review.openstack.org/15472217:05
openstackgerritMerged openstack/keystone: Add new "RoleAssignment" exception  https://review.openstack.org/13362817:05
openstackgerritMerged openstack/keystone: Update policy doc to use new rule format  https://review.openstack.org/15513617:05
*** MasterPiece has quit IRC17:10
openstackgerritMerged openstack/keystone: Don't coerce port config values  https://review.openstack.org/15387217:10
openstackgerritMerged openstack/keystone: Add local rules in the federation mapping tests.  https://review.openstack.org/15491617:11
*** stevemar has quit IRC17:11
openstackgerritMerged openstack/keystone: Updates Python3 requirements  https://review.openstack.org/13057917:12
bretonit's that merges time again17:12
openstackgerritMerged openstack/keystone: Adds a fork of python-ldap for Py3 testing  https://review.openstack.org/9582717:18
openstackgerritMerged openstack/keystone: Use subunit-trace from tempest-lib  https://review.openstack.org/14560717:19
openstackgerritMerged openstack/keystone: Remove unused testscenarios requirement  https://review.openstack.org/13694017:19
*** gyee has joined #openstack-keystone17:22
*** ChanServ sets mode: +v gyee17:22
ayoungOK....this is still stupid.  WHen we install, to avoid breaking old clients, we need AUTH_URL to end with V2.0   can we please make it so we ignore this from the client?  And default the client to using v3 api?17:23
ayoungIts an RDO install, but Its Juno...not that old17:23
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899517:23
*** ekarlso has quit IRC17:25
*** ekarlso has joined #openstack-keystone17:25
openstackgerritMerged openstack/keystone: Small cleanup of cloudsample policy  https://review.openstack.org/15519217:26
openstackgerritMerged openstack/keystone: Refactor _send_audit_notification  https://review.openstack.org/15155117:27
*** alex_xu_ has joined #openstack-keystone17:30
*** xu_alex has quit IRC17:32
morganfainbergayoung, didn't jamielennox do work to "fix" that?17:33
ayoungmorganfainberg, maybe the common client doesn't honor that?  There are enough other things that need to be set that it really is kindof minor.  Horizon does handle it, which is the most important, I guess17:34
ayoungmorganfainberg, I'm redoing horizon.younglogic.net17:34
ayoungI'lll have LDAP in a separate domain in a moment17:34
*** lhcheng has joined #openstack-keystone17:36
*** jistr has quit IRC17:41
*** jacer_huawei has quit IRC17:42
*** lsmola has quit IRC17:42
*** harlowja_away is now known as harlowja_17:48
*** stevemar has joined #openstack-keystone17:54
*** ChanServ sets mode: +v stevemar17:54
openstackgerritMerged openstack/keystone: Remove excess brackets in exception creation  https://review.openstack.org/15535117:55
*** MasterPiece has joined #openstack-keystone17:55
*** spandhe has joined #openstack-keystone18:00
morganfainbergayoung: cool.18:02
*** amakarov is now known as amakarov_away18:08
*** jaosorior has quit IRC18:21
*** tqtran has joined #openstack-keystone18:22
*** jaosorior has joined #openstack-keystone18:29
*** EmilienM|afk is now known as EmilienM18:32
dstanekwho does Dave Chen work for?18:32
*** aix has quit IRC18:34
*** ccard has quit IRC18:35
morganfainbergdstanek, intel?18:35
dstanekmorganfainberg: yeah, just found him http://www.openstack.org/community/members/profile/2462218:35
morganfainbergdstanek: wei.d.chen@intel.com on his proposed patches18:36
openstackgerritMerged openstack/keystone: make federation part of keystone core  https://review.openstack.org/15381518:41
openstackgerritBrant Knudson proposed openstack/keystone: Cleanup tests to not set multiple workers.  https://review.openstack.org/15151118:49
openstackgerritBrant Knudson proposed openstack/keystone: Move eventlet server options to a config section  https://review.openstack.org/13096218:49
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit  https://review.openstack.org/15553118:50
gyeemorganfainberg, I am still on the hook to more endpoint filtering to core right?18:53
gyees/more/move18:53
morganfainberggyee, collapse the SQL catalog drivers18:54
morganfainberggyee, iirc18:54
gyeek, on it18:54
morganfainberggyee, and make endpoint filtering core / not an extension18:54
*** MasterPiece has quit IRC18:54
openstackgerritBrant Knudson proposed openstack/keystone: Regenerate sample config file  https://review.openstack.org/15256318:54
lbragstadayoung: loc doubled? https://review.openstack.org/#/c/138519/718:54
gyeemorganfainberg, you got it sir18:54
morganfainberggyee, but the collapse of the drivers is the important part18:54
gyeeyou want two separate reviews then?18:55
morganfainberggyee, so move logic from the extesnion sql_driver to the base sql driver and make the extension sql driver just be a deprecated reference to the main one18:55
morganfainberggyee, yes please18:55
gyeek man18:55
morganfainberggyee, should help keep loc count down and reviewability up18:55
gyeek18:55
morganfainbergstevemar, ping: see my comment on https://review.openstack.org/#/c/154742/ and let me know if i'm crazy18:57
morganfainbergdolphm, lbragstad, ping re: AE Token Spec.18:59
lbragstadmorganfainberg: dolphm o/19:00
morganfainberglbragstad, dolphm, any news on addressing the federation issue and requesting an SPFE?19:00
lbragstadyeah, that's next on my list.19:00
lbragstadmorganfainberg: I'm just wrapping up some reviews19:00
morganfainbergthe SPFE is *really* important to send ASAP if you want it19:00
*** MasterPiece has joined #openstack-keystone19:01
morganfainbergthe fixing the spec can come after that request is sent.19:01
morganfainbergjust outline what is outstanding to unblock the spec19:01
morganfainbergand please include reference to the POC code you have.19:01
lbragstadthe only thing I see as blocking is the federation case19:01
lbragstadbut I can work on drafting something up19:01
morganfainbergyes, please do not wait on the sPFE email19:02
morganfainbergif we dont except it soon i don't see it happening in kilo19:02
lbragstadok19:02
morganfainbergwe are really running out of time for m3 code.19:03
morganfainbergso let me rephrase it, i wont consider the exception unless we have the email today ;)19:03
morganfainbergeven if the spec needs an update before it's approved. you have working code - that makes granting the exception easier19:03
lbragstadsure, I'll get something rolling19:03
*** radez is now known as radez_g0n319:04
openstackgerritBrant Knudson proposed openstack/keystone: Consistently use oslo_config.cfg.CONF  https://review.openstack.org/14736719:05
*** mzbik_ has joined #openstack-keystone19:06
*** abhirc has quit IRC19:08
*** mzbik has quit IRC19:09
*** stevemar has quit IRC19:13
ayounglbragstad, mostly due to tests, but also service catalog work.  There is a lot of hacckishness in that patch to deal with backwards compat, and I expect a lot of shouting from jamielennox about it19:13
lbragstadayoung: ok19:14
ayoungmorganfainberg, I think we've painted ourselves into a corner with LDAP and multi-domain.  I have a new domain, but I have no way, using the existing tools, of assign a user to a role in that domain.  I can't a-priori assign users to roles, because they have no user ids...due to our id_mapping thing19:14
ayoungI think we need a utility to calculate what  userid a user will be assigned in a new domain19:15
openstackgerritMerged openstack/keystone: Add a check to see if a federation token is being used for v2 auth  https://review.openstack.org/15436819:15
ayoungor group id, even19:16
*** radez_g0n3 is now known as radez19:16
morganfainbergayoung, not painted into a corner, just need a little extra code to solve it ;)19:16
ayoungmorganfainberg, need to wait for the paint to dry19:16
morganfainbergayoung, so we need a minor enhancement to the mapping/assignemnt bits to make it possible19:17
morganfainbergayoung, shouldn't be too onerous to write19:17
ayoungyes, but we don't have it today.19:18
morganfainbergayoung, worth classifying it as a bug and considering it for backport to juno - it should be something we can address via the API not need something totally new for19:18
ayoungTHe nice thing is that it can be done out of tree to start19:18
morganfainbergayoung, probably doesn't need to be out-of-tree fwiw19:19
ayoungto start..meaning I can write a utility that people can use now19:19
ayounglets see...19:19
morganfainbergsince this is a real feature for juno, this feels like a bug not a new feature fwiw19:19
ayoungwe just need this one:  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/id_generators/sha256.py19:20
morganfainbergthe question is can we bake that into the API.19:20
morganfainbergs/./?19:20
bknudson2015-02-13 13:20:33.632 INFO eventlet.wsgi.server [-] 192.168.122.176 - - [13/Feb/2015 13:20:33] "GET /v2.0/OS-KSADM/services/keystone HTTP/1.1" 404 252 0.01022019:21
bknudsonsomething in devstack is still using v219:21
morganfainbergbknudson, makes me cry a little19:21
morganfainbergbknudson, or a lot19:21
morganfainbergbknudson, not sure...19:22
bknudsonlet's cry a lot19:22
morganfainbergbknudson, sounds good to me19:22
bknudsonsomeone was asking me if the "owner" rule really has any effect in "identity:check_token", validate_token, validate_token_head, and revoke_token... so will be digging into that.19:23
lbragstadbknudson: I just saw a review that was using something with respect to that19:24
*** htruta has quit IRC19:24
lbragstadbknudson: something to do with the credential api and non-owners being able to grab credentials even though they weren't the owner? Something like that19:24
bknudsonlbragstad: yes, I think there's a review up for that... didn't look into it closely yet.19:25
*** ctina has joined #openstack-keystone19:26
bknudsonif I get a token as admin I can delete the token using the token, but if I get a token as a regular user I can't delete the token using the token.19:31
bknudsonseems like I should always be able to delete the token using the token19:31
*** stevemar has joined #openstack-keystone19:33
*** ChanServ sets mode: +v stevemar19:33
*** ctina has quit IRC19:34
bknudsonlooks like the policy should be user_id:%(target.token.user_id)s19:36
*** saltsa has quit IRC19:37
*** jacer_huawei has joined #openstack-keystone19:43
*** saltsa has joined #openstack-keystone19:44
*** carlosmarin has quit IRC19:46
*** carlosmarin has joined #openstack-keystone19:46
bknudsonAnother option is we could put the x-subject-token values in the context as "user", rather than as "target.token.user_id".19:48
openstackgerritMerged openstack/keystone: Add schema for endpoint group  https://review.openstack.org/15029219:51
*** radez is now known as radez_g0n319:51
openstackgerritMerged openstack/keystone: Minor fix in RestfulTestCase  https://review.openstack.org/14736120:00
*** MasterPiece has quit IRC20:04
ayoungmorganfainberg, something like http://paste.openstack.org/show/173162/20:07
morganfainbergayoung, that looks about right.20:07
morganfainbergwithout testing it of course20:07
ayoungmorganfainberg, I'll test it here shortly.20:11
ayoungmorganfainberg, a utility that requests an unscoped token for a user would do the same thing.20:12
morganfainbergright20:13
ayounghand in domain name and user name and get back the userid.  But that means my set up is not right20:13
ayoungwait...I'm trying for a domain scoped token....20:13
ayoungnope20:14
*** diegows has joined #openstack-keystone20:18
*** MasterPiece has joined #openstack-keystone20:18
lhchengmorganfainberg, ping: do you think we should fix https://bugs.launchpad.net/keystone/+bug/1156298 ? It has been there for awhile, just wanted to confirm I start working on it.20:24
openstackLaunchpad bug 1156298 in Keystone "templated Catalog backend does not support listing services or endpoints" [Medium,Confirmed] - Assigned to Lin Hua Cheng (lin-hua-cheng)20:24
morganfainberglhcheng, looking20:24
morganfainberghm.20:24
morganfainbergi mean - we kindof need our catalog to be the same regardless of the backend20:25
lhchengmorganfainberg: I agree20:25
morganfainbergso i'd say yes.. we do need to support that/fix it20:25
morganfainberghowever *** it's been broken for a looong time.20:25
morganfainbergso lets be careful we don't break peiople using the templated catalog in the process of fixing this20:26
lhchengmorganfainberg: heh that's why I wondered if this should still be fix since it's been sitting there for a loong time20:26
morganfainbergyep20:26
morganfainbergthe key is to ensure we don't break people in the process of fixing this20:27
morganfainbergbug20:27
lhchengmorganfainberg: sure, will definitely be on the lookout for that20:27
morganfainberggyee, was https://bugs.launchpad.net/keystone/+bug/1409635 fixed with the other bug fix that referenced the DIT?20:28
openstackLaunchpad bug 1409635 in Keystone "keystone fails to authenticate users when LDAP project_id_attribute is not CN" [Undecided,New] - Assigned to Adam Young (ayoung)20:28
lhchengmorganfainberg: thanks for checking20:28
ayoungnot doing anything for assignment in ldap20:28
morganfainberggyee, nkinder, ayoung, bknudson, ping re: https://bugs.launchpad.net/keystone/+bug/140884520:28
openstackLaunchpad bug 1408845 in Keystone "Disabling user in ldap breaks user-list for project" [Undecided,New]20:28
ayoungnkinder is out with pewmonia20:29
*** timcline_ has quit IRC20:29
morganfainbergayoung, doh, that was LDAP assignment, yeah gonna smuch that other bug20:29
*** lhcheng is now known as lhcheng_afk20:29
morganfainberg^^ that disabled user in ldap looks like an issue20:29
morganfainbergthough20:29
*** timcline has joined #openstack-keystone20:29
ayounguser_project_metadata?  that might be old...20:29
morganfainbergyeah20:30
*** lnxnut has joined #openstack-keystone20:33
morganfainbergayoung, i unassigned you from that bug (the LDAP assignment one) so it can time out if the answers to my questions are "yep we'll move to SQL assignment"20:34
morganfainbergif it's assigned to anyone it wont auto-timeout20:35
morganfainberg(yay LP wierdness)20:35
morganfainbergstevemar, ping: re https://bugs.launchpad.net/keystone/+bug/142068820:36
openstackLaunchpad bug 1420688 in Keystone "keystone notification context is empty" [Undecided,New]20:36
morganfainbergstevemar, can you confirm / look into that please20:36
stevemarmorganfainberg, i can confirm that it's correct20:36
bknudsonhttps://review.openstack.org/#/c/155531/ -- would be nice to get merged so we can make progress on functional testing, and also so I don't have to rebase all the time.20:36
bknudsongerrit's auto-rebase is weak.20:36
morganfainbergbknudson, looking20:36
stevemarmorganfainberg, the 'basic' notifications, the ones we've been emiting for a while, the context was always set to {} for some unknown silly reason20:37
morganfainbergstevemar, feel free to say the cadf notifications will solve it and close it20:37
morganfainbergstevemar, or classify/prioritize the bug.20:37
morganfainbergbknudson, +2 that was an easy review btw20:38
stevemarmorganfainberg, oh i remember why, people were complaining that the context is too big to send all the way to the manager layer20:38
bknudsonmorganfainberg: that's the goal, easy reviews.20:39
*** radez_g0n3 is now known as radez20:39
morganfainbergbknudson, looks like stevemar +3'd it20:39
bknudsonprogress!20:39
stevemarbknudson, so whats the deal with 'this doesn't look like core to me' https://review.openstack.org/#/c/153842/20:40
*** abhirc has joined #openstack-keystone20:40
stevemarbknudson, i think that's what morganfainberg wanted with his 'replace extensions' spec20:40
bknudsonstevemar: I don't see how something is core if someone can just remove it from the paste pipeline.20:41
morganfainbergbknudson, so someone could remove assignment from the pipeline20:41
stevemarbknudson, oh, i suppose thats true20:41
morganfainbergbknudson, :P20:41
*** lnxnut has quit IRC20:41
bknudsonhow can you remove assignment from the pipeline?20:41
morganfainbergbknudson, it's just routers.20:41
stevemarmorganfainberg, i don't think you can remove assignment20:41
*** lnxnut has joined #openstack-keystone20:41
stevemarbut i know what you mean20:41
morganfainbergyou *could*20:41
morganfainbergit doens't mean keystone would work20:42
stevemarmaybe call it 'enable endpoint filter and endpoint policy by default :)'20:42
morganfainbergbknudson, the way i see this working is step 1) enable things by default, 2) migrate things out of contrib20:42
morganfainbergbknudson, if some verbiage changes are needed i'm sure we can accomodate it20:42
bknudsonIf we documented somewhere that the "endpoint_policy_extension", etc., MUST be in the paste pipeline and the server failed to start without it then I'd be fine with the change.20:43
*** lnxnut_ has joined #openstack-keystone20:43
morganfainbergbknudson, long term that stuff should just be merged into the main systems they were "Extending"20:43
morganfainbergbknudson, federation being the slightly wierd one because it's sortof-somewhere intwined with a lot of things20:43
morganfainbergsame with revoke_api20:44
bknudsonmorganfainberg: and that's what I consider "Include other stable extensions in core", but until then the stable extensions aren't in core.20:44
bknudsonwe can call them "required extensions"20:44
morganfainbergbknudson, so, mark this as "enable by default" and the next step is merging them which = include in core20:44
morganfainbergjust as the 2-step process to make sure we're not doing massive restructuring and turning on default behavior at once20:45
morganfainbergbknudson, that sound like a sane plan ?20:45
morganfainbergstevemar, ^^20:45
bknudsonmorganfainberg: yes, I'm fine with that.20:45
morganfainbergbknudson, cool :)20:45
stevemarmorganfainberg, bknudson i'm totally against it20:46
morganfainbergstevemar, shhh20:46
stevemar:D20:46
stevemarbknudson, yeah it was always meant to be a 2 step process20:46
stevemarwe'll pull them out of contrib soon20:46
bknudsonwhat's the second step if they're already core?20:46
*** lnxnut has quit IRC20:46
bknudson"really make them core"20:46
morganfainbergstevemar, bknudson, topol, jamielennox, henrynash, ayoung, dolphm, dstanek, gyee, http://lists.openstack.org/pipermail/openstack-dev/2015-February/056914.html please review and respond.20:46
stevemarpull the out of contrib20:46
morganfainbergbknudson, they should be mostly re-homed out of contrib... contrib should go away20:47
morganfainbergbknudson, it's a silly construct w/o extensions20:47
stevemarthat should be the only real change left20:47
morganfainbergstevemar, and that'll be a 1-cycle deprecation or 2 w/ references to not break deployers20:47
stevemarmorganfainberg, your comment here https://review.openstack.org/#/c/154742/3/oslo_policy/policy.py about oslo.policy being at 1.0.0 really confused me :P20:48
morganfainbergstevemar, in pypi it claimed it was 1.0.020:48
stevemarmorganfainberg, da fack20:48
morganfainbergstevemar, yeah20:48
morganfainbergright?!20:48
stevemari have no idea why it says that20:48
stevemarthere are no downloads in pypi so thats okay20:48
morganfainberghttps://pypi.python.org/pypi/oslo.policy/1.0.020:49
stevemarmaybe it just defaulted to that20:49
morganfainberg97 downloads this month20:49
stevemarhehe20:49
* stevemar shrus20:49
* stevemar shrugs*20:49
morganfainbergpypi is high20:49
morganfainbergbut i based it upon that20:49
stevemarnah, not released yet20:50
bknudsonam I wrong in thinking that AE tokens are going to require revocation event support/20:50
*** jacer_huawei has quit IRC20:50
bknudsonand also that it requires other work regarding refactoring the token code...20:51
mtreinishmorganfainberg: I think it's because of all the pypi mirrors that the numbers end up high20:52
morganfainbergbknudson, correct20:52
morganfainbergbknudson, RE code is already supported in keystone, keystonemiddleware needs to support it for cached tokens20:52
morganfainbergbknudson, but since it's a UUID workflow w/o caching it queries keystone directly20:53
stevemari imagine keystonemiddleware will some additional work for AE tokens20:53
bknudsonmorganfainberg: y, you're right... so AE doesn't require revocation events.20:54
bknudsoncould take advantage of it, I guess.20:54
bknudsonmight be a security vulnerability if it did, though...20:54
morganfainbergbknudson, AE doesn't require it, but def. would be better with it since it then allows caching to be properly handled in middleware20:54
openstackgerritSteve Martinelli proposed openstack/keystone: Enable endpoint_policy, endpoint_filter and oauth by default  https://review.openstack.org/15384220:54
morganfainbergbknudson, right now with AE tokens, caching the tokens at the endpoint in middleware = you'd miss revocations20:54
morganfainbergso, not a hard requirement but... realllllly should be fixed to be able to consume RE vs TRL20:55
bknudsonyou'd have to validate cached tokens against keystone... far from ideal.20:55
bknudsonalso, we didn't fix the TRL to use audit IDs.20:56
stevemarbknudson, i just changed the commit msg for the other extensions20:57
bknudsonwell, I would like to see AE tokens in Kilo, but have little hope that all this stuff is going to get done, especially considering there's been no progress since the summit (either on AE tokens or the prereqs).21:00
morganfainbergbknudson, i talked with lbragstad and re-ordering AE tokens to proceed the provider cleanup wouldn't be too bad21:01
morganfainbergthe provider cleanup can happen afterwards as well21:01
morganfainbergbknudson, and lbragstad [in his email] has POC code, so i think this is doable.21:02
morganfainbergbknudson, in in either case please respond to the email thread w/ reasons for/against the exception [or conditions for/against accepting it]21:02
morganfainbergayoung, you indicated you'd life the -2 if everyone was willing to take this on, is that still the case - and yes specifically it wouldn't be accepted unless it supported federation and all current token mechanics21:03
bknudsonbtw, I opened a bug for the sample policy and revoking / validating tokens : https://bugs.launchpad.net/keystone/+bug/142182521:03
openstackLaunchpad bug 1421825 in Keystone "Sample policy should allow user to validate and revoke own token" [Undecided,New] - Assigned to Brant Knudson (blk-u)21:03
ayoungmorganfainberg, hasn't changed21:03
morganfainbergayoung, ok. cool just making sure.21:04
ayoungmorganfainberg, I have some concerns about keyczar21:04
morganfainbergayoung, i wont accept it if it doesn't meet same functionality of PKI or UUID tokens, which i think lance has addressed in the email.21:04
morganfainbergayoung, ok please voice those.21:04
ayoungspecifically, I don't think it is necessary, and I'm kindof surprised they are pursuing it21:04
morganfainbergayoung, fair enough.21:05
*** david8hu has quit IRC21:05
ayoungIIUC only the keystone server needs to symmetric key, making keyczar somewhat questionable in requirement...I could see it being useful in the sync case21:05
bknudsonLooks like Anchor is going to obsolete keystone -- https://wiki.openstack.org/wiki/Security/Projects/Anchor21:05
ayoungbut it should not be a required piece21:05
morganfainbergahahaha21:05
bknudsonshould find out more about it at the OSSG meetup21:06
morganfainbergbknudson, please let me know more21:06
morganfainbergif i wasn't elsewhere i would be very interested to have made it to OSSG21:06
ayoungephemeral PKI21:06
morganfainbergw.t.f. does this mean: enable cryptographic trust in OpenStack services in a way that doesn't rely on broken provisioning and revocation mechanisms that undermine most PKI deployments21:06
ayoungrevocation....heh21:06
ayoungit means short term PKI keys21:06
morganfainbergisn't that... a flaw in PKI21:07
ayoungif by flaw you mean logical necessity then yes21:07
bknudsonmorganfainberg: you should know rob clark.21:07
morganfainbergbknudson, i dont21:08
morganfainbergayoung, it sounds like this is doing somewhat what certmonger is also doing?21:08
bknudsonmorganfainberg: bryan payne?21:08
ayoungmorganfainberg, he's an HPer21:08
morganfainbergbknudson, i'm looking at the readme and code, not sure where it's going yet.21:08
morganfainbergbknudson, nope, don't know any of the names there21:08
morganfainbergayoung, ^^21:08
bknudsonOSSG needs to get out more.21:08
morganfainbergayoung, hp is also massive :P21:08
ayoungnkinder went to that presentation, I think21:09
morganfainbergbknudson, i know 2 OSSG people, you and nkinder21:09
ayoungI'll stay with X509 for now21:09
bknudsonat least HP has a cloud security team, unlike just having half of me.21:09
morganfainbergbknudson, true. i haven't met most of them though :(21:09
lbragstadit you have to meet the security team, it's usually bad, right?21:10
lbragstadif*21:10
bknudsonI thought nkinder was going to be at the OSSG meetup but if he's got pneumonia.21:10
stevemarhow has no one made an 'anchors away' joke yet21:11
bknudsonhe should stay out of california or he'll get measels or polio or some other disease we thought was eradicated.21:12
ayoungstevemar, its an Army thing to ignore all Navy references.21:12
gyeemorganfainberg, responded21:12
stevemarzing!21:14
gyeestevemar, good man! you made endpoint filter core21:15
stevemargyee, begrudgingly21:16
stevemari was none to happen about that sql migration error21:16
stevemarhappy*21:16
stevemarbut i reviewed the patch, so some of it is on me21:17
gyeewe still need to consolidate the sql backend21:17
gyeewhich I'll work on21:17
gyeebknudson, that's because it doesn't snow around here. The cool will surly kill the measels :)21:19
*** topol has quit IRC21:19
gyeecold21:19
openstackgerritMerged openstack/keystone: Cleanup tests to not set multiple workers.  https://review.openstack.org/15151121:19
morganfainbergayoung, tell nkinder it is unacceptable for him to get pneumonia.21:25
morganfainbergayoung, :P21:25
ayoungboth lungs21:25
ayounghe was in Brno at devconf21:25
*** timcline_ has joined #openstack-keystone21:26
dstanekyay AE tokens!21:26
morganfainbergayoung, yeah.21:26
bknudsonhe's probably wishing he had more fat to burn through.21:28
*** timcline has quit IRC21:30
*** lnxnut_ has quit IRC21:31
openstackgerritSteve Martinelli proposed openstack/keystone: Use oslo.log instead of incubator  https://review.openstack.org/15269921:31
stevemarthat was not the most painful rebase, but it was up there ^21:32
stevemarbknudson, dolphm ^21:32
openstackgerritSteve Martinelli proposed openstack/keystone: Remove incubator version of log and local  https://review.openstack.org/15478321:32
dolphmstevemar: wait, let me merge this other thing first21:32
* stevemar stabs dolphm through the computer21:33
bknudsonhe he21:33
morganfainbergdolphm, it's ok bknudson's test change will force steve to rebase again21:33
stevemarlbragstad, can you nerf dolphm please21:33
stevemarmorganfainberg, i know, i know...21:33
dolphmlbragstad: sucker, i'm in austin21:33
stevemari approved it too21:33
lbragstaddamnit!21:33
stevemarbut i can't hold bknudson back21:33
morganfainbergdolphm, and i'm sure i'll approve something else between now and when i approve that rebase21:33
morganfainberg>.>21:33
* morganfainberg goes to look for things to make steve rebase more21:34
stevemarhopefully the jenkins bird is smarter for me than for bknudson, and will do the tests move fine21:34
* lbragstad looks for a nerf gun that can shoot to Austin21:34
bknudsondo we have a bunch of log tests?21:35
morganfainberglbragstad, you just need a drone that can shoot nerf that is controlled via the internet21:35
morganfainberglbragstad, send it to austin office21:35
morganfainbergwe *have* the technology21:35
dolphmmorganfainberg: they're called predators21:35
morganfainbergdolphm, predators don't shoot nerf last i checked ;)21:36
dolphmmorganfainberg: it's all in the branding21:36
morganfainbergahahah21:36
dolphmmorganfainberg: http://static.fjcdn.com/pictures/Ballistic+nerf+missile+found+this+doing+some+research+online+i_fa46b6_3538962.jpg21:37
morganfainbergahahah21:37
morganfainbergyeaaah don't think that's really nerf :P21:37
lbragstadomg...21:38
lbragstadhttp://www.instructables.com/id/Nerf-longshot-50-cal/21:38
morganfainbergyou hasven't seen that lbragstad ?21:38
*** lhcheng_afk is now known as lhcheng21:38
lbragstadmorganfainberg: my nerf knowledge is sad21:39
dolphmstevemar: https://review.openstack.org/#/c/152699/19/keystone/tests/unit/test_core.py21:41
*** david-lyle has quit IRC21:42
*** david-lyle has joined #openstack-keystone21:42
ayoungtrying to debug Keystone in HTTPD from an RPM install.  I'm trying to do the injection of an rpdb breakpoint.  But the httpd server doesn't seem to be picking up the edited python source file.  I removed the .pyc file in that directory.  Where else could it be cached?21:43
*** _cjones_ has quit IRC21:43
*** lnxnut has joined #openstack-keystone21:44
dolphmayoung: is keystone installed or fake installed?21:44
morganfainbergdolphm, fake installed?21:45
dolphmmorganfainberg: python setup.py develop / pip install -e .21:45
morganfainbergah21:45
morganfainbergyeah21:45
*** stevemar has quit IRC21:45
*** timcline_ has quit IRC21:46
ayoungdolphm, real installed....puppet21:46
*** david-lyle has quit IRC21:47
dolphmayoung: puppet can do it either way21:47
*** timcline has joined #openstack-keystone21:47
ayoungpuppet and rpm21:47
dolphmayoung: it's a matter of where the source ends up living after you "install" it21:47
ayoungdolphm, there is a stack trace referreing to the file in /usr/lib/python2721:47
dolphmayoung: point is you might just be editing the wrong "source" file21:47
dstanekbknudson: it appears that subunit-trace hides errors :-) i had to edit pretty_tox.sh to find out what was happening21:48
*** timcline has quit IRC21:48
ayoung2015-02-13 21:48:16.285 17951 TRACE keystone.auth.plugins.password   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 600, in get_user_by_name21:48
bknudsondstanek: revert it? maybe nova has a fix for it already?21:48
ayoungthat is the file I am trying to edit, and I've removed the pyc file in the same directory21:48
bknudsonor, if we can fix it then might also be able to contribute to nova.21:49
ayoungAHA!21:49
ayoungmight be that systemctl restart  httpd service is not the right thing21:49
dstanekbknudson: not sure - the problem was that i had a syntax error so testr crapped itself21:50
ayoungOh no...we are still doing eventlet21:50
ayoungsob21:50
bknudsondstanek: don't have syntax errors.21:50
morganfainbergayoung, wait what?21:50
morganfainbergyou're still doing eventlet? *cry*21:50
ayoungJuno  based RDO21:50
bknudsonlots of crying today21:51
morganfainbergayoung, double cry21:51
ayoungthe puppet modules hadn't caught up.21:51
bknudsonmust be friday the 13th21:51
*** _cjones_ has joined #openstack-keystone21:52
openstackgerritBrant Knudson proposed openstack/keystone: Move existing tests to unit  https://review.openstack.org/15553121:54
bknudsonresolved merge conflict ^21:54
bknudson(note that there was no merge conflict locally... not sure why jenkins has such a hard time)21:55
bknudsonI think it's configured to not use all conflict resolution algos.21:55
morganfainbergbknudson, jgit21:56
morganfainbergbknudson, at least i blame jgit21:57
bknudson2015-02-13T16:07:09  <fungi> bknudson: so after some futzing, it looks like it needs either the subtree or recursive merge strategies. octopus and resolve don't work21:58
bknudsonmorganfainberg: ^ is what I got back on -infra when I complained.21:58
bknudsonI think they cripple their git merge strategies... maybe it's safer.21:58
*** pnavarro|afk has quit IRC21:59
*** lnxnut has quit IRC21:59
morganfainbergit probably is21:59
morganfainbergyou can wind up in baaaaad places with wierd strategies21:59
bknudsonany merge is dangerous without tests anyways.22:00
*** lnxnut has joined #openstack-keystone22:00
ayoungmorganfainberg, OK,  we're good.  If a user requests a token, and they have never been into Keystone before, they get an entry in id_mapping, and a failed token request.  Then you can add them22:03
ayoungno need for a new utility22:03
ayoungits a little schlocky. but it works22:04
ayoungOK, and I have a proof of concept LDAP in non-default-domain up and running22:04
*** lnxnut has quit IRC22:04
openstackgerritMatthew Treinish proposed openstack/keystone: Add oslo request id middleware to keystone paste pipeline  https://review.openstack.org/15590122:06
mtreinishmorganfainberg: ^^^ not sure if that'll work22:06
mtreinishalso the commit msg is a mess22:06
mtreinishbut it'll be a good test22:07
dstanekmtreinish: are you trying to add it to the default pipeline?22:19
morganfainbergmtreinish, yrah that wont actually add it to the pipeline22:21
mtreinishdstanek: yeah22:21
mtreinishok, that's why I wasn't sure it was going to work :)22:21
morganfainbergmtreinish, you'd need to put it in [pipeline:api_v3] and the pipeline:public etc22:22
morganfainbergmtreinish, as well22:22
dstanekmtreinish: in that same file there are a few pipelines that are basically a list of filters - you'd have tp add it there22:22
mtreinishmorganfainberg: ok will do22:22
morganfainbergso __call__ is run for the request22:22
*** harlowja_ is now known as harlowja_away22:24
mtreinishdstanek, morganfainberg: like this?: http://paste.openstack.org/show/173234/22:25
morganfainbergmy guess is you're going to want that before build_auth_context22:26
morganfainbergor just after22:26
morganfainbergvs at the very end22:26
mtreinishoh yeah I forgot that order matters :)22:26
morganfainbergotherwise you wont have the request id prior to hitting the other routers22:26
mtreinishguess it's after 5 on a friday22:26
morganfainberghahaha22:26
morganfainbergdude, it's friday22:26
morganfainbergand it's been a loooong week22:26
ayoungmorganfainberg, what do you think about the idea that if you do user list or group list with a domain specific backend you should get the entries that are in the mapped_id table?22:27
ayoungid_mapping table22:27
ayoungIt will let us do limits like sql22:28
*** harlowja_away is now known as harlowja_22:28
ayoungmtreinish, the last entry is not a filter.  It has to be one before last, and after all the magic filters...22:29
openstackgerritMatthew Treinish proposed openstack/keystone: Add oslo request id middleware to keystone paste pipeline  https://review.openstack.org/15590122:29
*** gyee has quit IRC22:30
*** lnxnut has joined #openstack-keystone22:30
*** lnxnut has quit IRC22:31
*** gordc has quit IRC22:35
bknudsonit's not going to be easy to make it so that a user can invalidate their own token using v2.22:36
bknudsoncan we just leave that broken?22:36
*** jaosorior has quit IRC22:41
*** radez is now known as radez_g0n322:42
morganfainbergbknudson, how long has it been broken so far?22:43
bknudsonmorganfainberg: I assume forever.22:43
morganfainbergbknudson, then we can probably leave it as i22:44
morganfainbergs22:44
*** jacer_huawei has joined #openstack-keystone22:51
bknudson2015-02-13 16:51:21.022 INFO keystone.common.wsgi [-] POST /endpoints?endpoint=%7Bu%27adminurl%27%3A+u%27http%3A%2F%2F192.168.122.176%3A35357%2Fv2.0%27%2C+u%27service_id%27%3A+u%2748ad0fbc3c81456daee92a8a8a54965d%27%2C+u%27region%27%3A+u%27RegionOne%27%2C+u%27internalurl%27%3A+u%27http%3A%2F%2F192.168.122.176%3A5000%2Fv2.0%27%2C+u%27publicurl%27%3A+u%27http%3A%2F%2F192.168.122.176%3A5000%2Fv2.0%27%7D22:53
bknudsonwtf22:53
morganfainbergi..22:53
morganfainbergwow22:53
morganfainbergthats awesome22:53
morganfainbergbknudson, wtf is right22:53
bknudsonhttps://review.openstack.org/#/c/155531/ passed jenkins again.22:58
morganfainbergbknudson, still LGTM22:59
*** abhirc has quit IRC23:01
*** abhirc has joined #openstack-keystone23:02
*** mzbik_ has quit IRC23:06
*** r-daneel has quit IRC23:06
*** clayg has joined #openstack-keystone23:08
claygplease help me, i am *so* very stupid -> https://gist.github.com/clayg/9677d81cf17348e9a08423:08
*** abhirc has quit IRC23:08
*** junhongl has quit IRC23:08
claygi feel like it says the domain exists, but then it says it *doesn't* exist and ./devstack/stack.sh gives me a "ERROR: openstack Internal Server Error (HTTP 500)"23:09
claygfollowed later by a "[ERROR] /home/vagrant/devstack/functions-common:642 Failure creating swift_tenant_test4"23:09
*** joesavak has quit IRC23:12
*** carlosmarin has quit IRC23:15
*** topol has joined #openstack-keystone23:16
*** ChanServ sets mode: +v topol23:17
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy allows user to revoke or check own token  https://review.openstack.org/15591623:24
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy allows user to revoke or check own token  https://review.openstack.org/15591623:24
bknudsonwhat do you think about policy in yaml rather than JSON?23:26
bknudsonso we can have some comments.23:26
*** zigo has quit IRC23:27
*** zigo has joined #openstack-keystone23:28
bknudsonactually, we can kind of have comments in json... can use something like "#": "Whatever"23:28
topolbknudson, I like yaml23:34
bknudsonI'll try adding comments to the json ...23:34
topoluse it for the Heat Translator templates. Works well23:34
openstackgerritBrant Knudson proposed openstack/keystone: Comments for sample policy.json  https://review.openstack.org/15591923:35
bknudsonhere's an example ^23:35
*** topol has quit IRC23:36
*** henrynash has quit IRC23:36
*** MasterPiece has quit IRC23:42
*** topol has joined #openstack-keystone23:43
*** ChanServ sets mode: +v topol23:43
claygheh, comments in json - nice23:46
claygcould anyone point me to what might cause a 500 response reported as returned from keystone by the openstack client when setting up devstack?23:46
claygit seems to not like the way I'm trying to add a v3 project to a domain -> https://gist.github.com/clayg/9677d81cf17348e9a084 but I'm rather sure it's just a usage issue :\23:47
claygunrelated, crockford on "comments in JSON" -> https://plus.google.com/+DouglasCrockfordEsq/posts/RK8qyGVaGSr23:48
*** quack_quack_ has joined #openstack-keystone23:49
bknudsonI guess we could stick jsmin in front of the parser.23:51
claygbknudson: I thought the '#' trick was sorta cute!23:51
bknudsonclayg: nothing you can do as a user should cause the server to return a 500 response.23:52
bknudsonI haven't seen the error but I don't run much in devstack.23:53
claygbknudson: i'm not entirely sure I trust openstack client saying it got a 50023:53
claygi do feel like the part where I say show domain and it sees it, then I try to create a project and it says "no such project" is sorta strange tho23:54
*** markvoelker has quit IRC23:54
* clayg expects PEBCAK23:54
*** markvoelker has joined #openstack-keystone23:55
clayger.. rahter it says "No domain with a name or ID of '1bd6893f4fae46b4b57c65c242cdc336' exists"23:55
*** dimsum__ has quit IRC23:57
*** tqtran is now known as tqtran_afk23:58
*** quack_quack_ has left #openstack-keystone23:59
*** markvoelker has quit IRC23:59
bknudsonI don't see how that could be caused by anything you would do.23:59
« Thursday, 2015-02-12 Index Saturday, 2015-02-14 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!