Friday, 2015-03-13

[00:01] <dstanek> ah, cool. the map/list things was already fixed
[00:03] *** markvoelker has quit IRC
[00:03] <dstanek> morganfainberg: i feel like i'm doing something wrong having so many +2s in a row
[00:04] *** iamjarvo has joined #openstack-keystone
[00:04] <morganfainberg> dstanek, lol it's cause this code has been fairly well reviewed already
[00:04] <dstanek> nice! https://review.openstack.org/#/c/163601/9/keystone/auth/plugins/core.py
[00:04] *** ljfisher has quit IRC
[00:05] <dstanek> i'm glad that was moved out of the Fernet package
[00:06] *** iamjarvo has quit IRC
[00:08] *** markvoelker has joined #openstack-keystone
[00:14] <nkinder> morganfainberg: I can't reproduce https://bugs.launchpad.net/keystone/+bug/1408845
[00:14] <openstack> Launchpad bug 1408845 in Keystone "Disabling user in ldap breaks user-list for project" [Undecided,New]
[00:14] <nkinder> morganfainberg: I updated the bug with the test I performed, but it all looks fine
[00:14] <nkinder> samueldmq: you were interested in this too ^^^
[00:15] <morganfainberg> nkinder, great, it's probably just "ancient version of keystone" [aka icehouse] and fixed with the combined backend
[00:16] <nkinder> morganfainberg: yeah, that's my guess too
[00:17] *** lhcheng has quit IRC
[00:19] <samueldmq> nkinder, nice thanks
[00:19] <samueldmq> nkinder, morganfainberg I created an automated test at test_backend_sql to try to expose the potential bug
[00:20] <samueldmq> I ran against master, everything works correctly
[00:20] <samueldmq> I download the first version I saw ldap in (keystone-2013.2.1), run the test and everything works correctly as well
[00:23] <samueldmq> s/download/downloaded s/run/ran
[00:23] <samueldmq> so I couldnt reproduce the bug as well
[00:23] <dstanek> lbragstad: thanks for moving that methods code around
[00:27] <samueldmq> morganfainberg, so should we mark the bug as invalid? since we cant reproduce and the user who reported didnt provide further info (as requested by stevemar)
[00:31] <morganfainberg> samueldmq, incomplete, with a request for what information would be needed for duplication
[00:31] <morganfainberg> and make sure it is not assigned to anyone
[00:31] <morganfainberg> or to a milestone
[00:32] <morganfainberg> and in 30 days it'll timeout
[00:32] <samueldmq> morganfainberg, ack
[00:32] *** dims has joined #openstack-keystone
[00:32] <morganfainberg> if you aren't allowed to make those changes let me know
[00:32] <morganfainberg> and i can do it
[00:36] <samueldmq> morganfainberg, done: marked as incomplete and added a comment explaining the reason
[00:36] <morganfainberg> thanks
[00:36] <samueldmq> np
[00:45] <dstanek> jorge_munoz: are you still working on https://review.openstack.org/#/c/159229/ ?
[00:45] <morganfainberg> dstanek, i assume so, it is marked WIP in the commit msg
[00:46] <morganfainberg> dstanek, but it's the last outstanding patch [provided nothing goes sideways]
[00:46] <dstanek> morganfainberg: yeah, and there is a todo list in there
[00:46] <dstanek> morganfainberg: i'll probably just go ahead and fix my nits then
[00:47] <morganfainberg> dstanek, be sure you -R review it though
[00:47] * morganfainberg didn't rebase when fixing nits.
[00:47] <dstanek> morganfainberg: yep.
[00:48] <morganfainberg> as soon as we have that v2 one in, i'll work on converting a devstack run over to fernet
[00:51] *** radez is now known as radez_g0n3
[00:52] <morganfainberg> dstanek, this should be an easy review: https://review.openstack.org/#/c/162170/
[00:52] <morganfainberg> dstanek, if you're done with the other stuff.
[00:54] <dstanek> morganfainberg: what's the rename about in there?
[00:54] <morganfainberg> dstanek, gerrit being silly
[00:54] <morganfainberg> it thinks we renamed a file, it's because that file contains most of the same content
[00:57] <dstanek> haha, git's funny sometimes
[00:57] <morganfainberg> yeah
[00:59] <stevemar> o/
[01:01] <morganfainberg> stevemar, oh hai
[01:01] <stevemar> morganfainberg, oh hai to you too
[01:01] <morganfainberg> stevemar see what you miss. fernet tokens almost all approved.
[01:01] <stevemar> i am seeing that
[01:02] <stevemar> almost everything is all approved
[01:02] <morganfainberg> also: https://review.openstack.org/#/c/164042/ if you want clear metrics on how long any keystone query takes ;)
[01:02] <stevemar> i need to look at idp registration again https://review.openstack.org/#/c/152156/
[01:02] <morganfainberg> i think henry's domain_SQL thing is going to hit a roadblock...
[01:03] <morganfainberg> and i don't know how to fix it
[01:03] <morganfainberg> the "we changed the config - now reload it"
[01:04] <stevemar> let me try it out (the timing one)
[01:04] <morganfainberg> stevemar, it's neat
[01:05] <morganfainberg> stevemar remember the timing is in microseconds
[01:05] <morganfainberg> not ms
[01:06] <stevemar> oh wow
[01:06] <stevemar> thats super accurate
[01:06] <morganfainberg> well we had the options of seconds
[01:06] <morganfainberg> or microseconds
[01:06] <morganfainberg> seconds is pretty useless
[01:06] *** ayoung has joined #openstack-keystone
[01:06] *** ChanServ sets mode: +v ayoung
[01:07] *** _cjones_ has quit IRC
[01:09] *** _cjones_ has joined #openstack-keystone
[01:09] *** ncoghlan has joined #openstack-keystone
[01:09] <dstanek> morganfainberg: lgtm; the DB_INIT_VERSION is set to 1 lower than the first migration because of the code that performs the migration?
[01:10] <dstanek> morganfainberg: where does that happen?
[01:10] <morganfainberg> that is what is called when we do the initialize db [put it under control]
[01:10] <morganfainberg> this would mirror [for example] a db that was updated to icehouse
[01:11] <morganfainberg> so since 044 would be icehouse, if we want to run 044, we need to be 043
[01:11] <morganfainberg> so our base init is 043
[01:11] <morganfainberg> dstanek. https://github.com/openstack/keystone/blob/master/keystone/common/sql/migration_helpers.py#L161
[01:12] <morganfainberg> which on line 164 will init the db if it's not already init.
[01:12] <dstanek> morganfainberg: that's what i figured, but wasn't sure where the code was that did that
[01:13] <morganfainberg> :)
[01:13] *** rwsu is now known as rwsu-afk
[01:15] <dstanek> forgot to +A
[01:17] <morganfainberg> dstanek, hehe no worries
[01:18] *** _cjones_ has quit IRC
[01:45] *** gokrokve has joined #openstack-keystone
[01:45] <ayoung> morganfainberg, looks like Ioram has been busy: https://wiki.openstack.org/wiki/PolicyDatabase . We're going to massage it into Spec form, but I suspect he needed something a little more visual for presentation sake
[01:46] <morganfainberg> ayoung, yeah saw that today
[01:47] <ayoung> DNF?  I always thought that meant Did Not Finish.  That is what my professors told me.
[01:49] *** gokrokve_ has quit IRC
[01:49] <ayoung> morganfainberg, I like that document.  Even if there are errors, I like that it lays it out to the degree that it is both implementable and testable
[01:50] *** gokrokve has quit IRC
[01:54] <openstackgerrit> Merged openstack/keystone: Add JSON schema validation for service providers  https://review.openstack.org/163903
[01:54] *** tqtran has quit IRC
[02:07] *** harlowja is now known as harlowja_away
[02:09] *** leonchio_ has quit IRC
[02:10] *** david8hu has quit IRC
[02:10] *** david8hu has joined #openstack-keystone
[02:11] <openstackgerrit> Merged openstack/keystone: Migrations squash  https://review.openstack.org/162170
[02:13] <morganfainberg> dolphm, lbragstad, i can almost taste the fernet tokens... sadly fernet liquor is disgusting in my view.
[02:14] *** leonchio_ has joined #openstack-keystone
[02:14] *** leonchio_ has joined #openstack-keystone
[02:14] *** dims has quit IRC
[02:26] *** erkules_ has joined #openstack-keystone
[02:27] <ayoung> morganfainberg, I think I want to globally replace the rule "a group must be in the Keystone Identity store or we throw an exception"  with "If a group is not in the Keystone Identity backend, drop it "
[02:29] *** erkules has quit IRC
[02:34] *** dims has joined #openstack-keystone
[02:37] *** chrisshattuck has joined #openstack-keystone
[02:39] *** dims has quit IRC
[02:42] *** sigmavirus24_awa is now known as sigmavirus24
[02:43] *** devlaps has quit IRC
[02:53] <samueldmq> morganfainberg, I think bug #1431015 relies on the consistency of v3/users and v3/groups API calls when domain specific backends are enabled or not
[02:53] <openstack> bug 1431015 in Keystone "v3/users or groups calls not working without domain_id" [Undecided,New] https://launchpad.net/bugs/1431015
[02:53] <samueldmq> morganfainberg, please add it to your todo list :) and then you'll be able to confirm it or not (agreeing or disagreeing with me)
[02:54] <samueldmq> morganfainberg, I added a comment there
[02:54] <morganfainberg> samueldmq, thanks
[02:54] <samueldmq> explaining what I think
[02:54] <samueldmq> np
[02:55] <morganfainberg> sooooooo
[02:55] <openstackgerrit> Merged openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens  https://review.openstack.org/162031
[02:55] <morganfainberg> INCOMING! /me ducks
[02:55] <dolphm> \o/
[02:55] <openstackgerrit> Merged openstack/keystone: Convert audit_ids to bytes  https://review.openstack.org/160993
[02:55] <dolphm> morganfainberg: thank you sir =)
[02:55] <openstackgerrit> Merged openstack/keystone: Refactor: make Fernet token creation/validation API agnostic  https://review.openstack.org/162338
[02:56] <openstackgerrit> Merged openstack/keystone: Federated token formatter  https://review.openstack.org/161380
[02:56] <openstackgerrit> Merged openstack/keystone: Allow methods to be carried in Fernet tokens.  https://review.openstack.org/163601
[02:56] <morganfainberg> dolphm, boom.
[02:56] <stevemar> \o/
[02:56] <stevemar> the peasants rejoice
[02:56] <morganfainberg> dolphm, v2.0 is all that is left, and https://review.openstack.org/#/c/164026/
[02:57] <morganfainberg> that one i linked can happen whenever.
[02:57] <dolphm> ooh
[02:57] <dolphm> ah, cool that's my validate thing
[02:58] <samueldmq> there are only 7 patches left on the priority list for keystone
[02:58] <samueldmq> o/
[02:58] <dolphm> just need to setUp a new, non-admin user to act as the subject of those tests
[02:58] <morganfainberg> dolphm, yeah
[02:59] <morganfainberg> dolphm, was easier to just yank those out of the code.
[02:59] <dolphm> morganfainberg: good idea
[03:03] <morganfainberg> dolphm, i think we're stupidly close to having a workable non-persistent token
[03:03] <morganfainberg> dolphm, and by workable i mean "no gaps in coverage"
[03:03] <morganfainberg> dolphm, lbragstad, jorge_munoz, AWESOME WORK!
[03:03] * morganfainberg is really happy about this.
[03:03] <dolphm> morganfainberg: did you follow ayoung's thought experiment which led towards not bothering with revocation events?
[03:04] <morganfainberg> dolphm, i did. i think we can't be there today.
[03:04] *** richm has quit IRC
[03:04] <ayoung> dolphm, I was just talking about for groups.  Was that how you understood it?
[03:04] <morganfainberg> dolphm, i also found something very icky happening in keystonemiddleware by default.
[03:04] <morganfainberg> dolphm, as in default behavior could net extremely poor performance.
[03:05] <morganfainberg> and inconsistent responses.
[03:05] <dolphm> ayoung: that sounded like the direction you were headed
[03:05] <dolphm> morganfainberg: ?
[03:05] <morganfainberg> dolphm, default configuration: dict-in-memory cache (~300s) for token validates.
[03:05] <ayoung> dolphm, so, yeah, we can't do group revocation for Federated tokens today.  For Fernet we are OK.  Either we leave the existing behavior or turn off revoke for all members of group
[03:05] <morganfainberg> and a purge anything that is cache timed out on every get
[03:06] <ayoung> I say leave it as is for now, no more broken than it was in the past
[03:06] <morganfainberg> so every request to an endpoint *is* caching, in thread.local and with high throughput memorycache has been shown to be just bad
[03:06] *** ptoohill has quit IRC
[03:07] * morganfainberg is leaning towards dropping dogpile in and making devstack actually use memcache for these things.
[03:07] <morganfainberg> for gate that is.
[03:08] <morganfainberg> dolphm, so some folks i know were doing couch.db as a memcache backend, solves the replication of memcache issue
[03:08] <morganfainberg> across servers
[03:09] <morganfainberg> erm couchbase sorry
[03:09] <morganfainberg> not couch.db
[03:09] <morganfainberg> bah
[03:09] <dolphm> morganfainberg: that works wherever you're willing to share security-sensitive cache
[03:09] <morganfainberg> dolphm, between keystone servers, it is good
[03:09] <morganfainberg> between non-keystone servers = eh no thanks
[03:11] <morganfainberg> ayoung, i have some working code for dogpile that would at least [hopefully] limit the ick on cleanup for in-memory. it doesn't solve thread.local but it prevents for i in key, if key[expired] < now, del key
[03:11] *** ptoohill has joined #openstack-keystone
[03:13] <dolphm> morganfainberg: how? random sampling?
[03:13] <morganfainberg> dolphm, bucketing and cleanups of the bucket with weakrefs to the values
[03:13] <morganfainberg> internally it still does an iter, but in the c not in pure python
[03:13] <dolphm> morganfainberg: if that's a conventional technique, i'm not familiar with it at all?
[03:14] <morganfainberg> dolphm, i'm still poking at the code to prove out it doesn't suck more for performance at high volumes of keys
[03:14] <morganfainberg> dolphm, but in either case dogpile would be a better tool than oslo-incubator memorycache
[03:15] <morganfainberg> it also would remove the last oslo incubator item from ksm
[03:15] <dolphm> morganfainberg: the "on insert, choose 5 or 10 random keys and delete the oldest before inserting new cached value" approach would certainly scale
[03:15] <morganfainberg> dolphm, that is also possible, but how do you pick a random sampling of keys?
[03:16] <dolphm> morganfainberg: isn't there a random.choose()
[03:16] <dolphm> morganfainberg: https://docs.python.org/2/library/random.html#random.choice
[03:17] <morganfainberg> dolphm, maybe.
[03:17] <dolphm> morganfainberg: or random.sample(cache.keys(), 10)
[03:17] *** lhcheng has joined #openstack-keystone
[03:18] <morganfainberg> dolphm, here is the basic idea i had: https://bitbucket.org/morgan_fainberg/dogpile.cache/commits/166f1773b1dd6ba64b3c2730f1d71d7083a3a9ad
[03:18] <morganfainberg> dolphm, but i haven't spent much time on it.
[03:19] *** lhcheng_ has joined #openstack-keystone
[03:20] *** ptoohill has quit IRC
[03:21] <dolphm> morganfainberg: have you benchmarked it?
[03:21] <morganfainberg> dolphm, haven't even tested that it's going to work
[03:21] *** samueldmq has quit IRC
[03:21] <morganfainberg> dolphm, this was a hack out code in a few minutes and stash it somewhere so i can get back to it
[03:22] <morganfainberg> dolphm, you know "i don't want to lose this thought train" commit ;)
[03:22] <lbragstad> dstanek: no problem, thanks for pointing it out and reviewing it
[03:22] <dolphm> lbragstad: \o/
[03:22] * lbragstad cheers!
[03:23] * lbragstad is ready to be in bug-only mode!
[03:23] *** lhcheng has quit IRC
[03:23] *** gyee has quit IRC
[03:23] <dolphm> lbragstad: it's time for v2-also mode!
[03:23] <lbragstad> dolphm: ++
[03:23] <lbragstad> dolphm: my priority tomorrow
[03:23] <dolphm> morganfainberg: i'm just thinking it's imperfect cache invalidation, right? so i'd lean towards a simpler, also-imperfect, technique first if possible
[03:23] *** ptoohill has joined #openstack-keystone
[03:23] <morganfainberg> dolphm, talked to jamielennox, he thinks we are very close to being able to force everything to use v3 (even if service accounts have to be in the default domain)
[03:24] <morganfainberg> dolphm, which means... v2 deprecation is back [if that is true]
[03:24] <jamielennox> morganfainberg: that's not really what's been tested - i think we can have everything user facing being v3, because so many service->service users are still v2 only
[03:25] <dolphm> morganfainberg: i'm less concerned about a formal deprecation and more concerned about making sure everything can go without v2
[03:25] <morganfainberg> jamielennox, as long as we can force the issue we're good.
[03:26] <morganfainberg> jamielennox, having some experimental gate check that can run w/o v2 and show us explosions should hopefully be not that bad/far off.
[03:26] <dolphm> aside- how long would ya'll consider to be "fast" from "nova boot" to an ssh session?
[03:26] <morganfainberg> dolphm, uhhhh
[03:26] <morganfainberg> dolphm, "fast"? 10 seconds. reasonable? 30
[03:26] <jamielennox> you would think - but as mentioned i've recently tried to fix ironic auth ... ughh
[03:26] <morganfainberg> slooooow 2+min
[03:26] *** ptoohill has quit IRC
[03:27] <morganfainberg> dolphm, assuming there is no crazy apt-magic needed and not stupid volumes of memory
[03:27] <morganfainberg> just a base VM on with minimal services and ssh
[03:27] <dolphm> digital ocean's "Deploy an SSD cloud server in 55 seconds!" made me wonder how quickly openstack could do it
[03:27] <morganfainberg> i think we're in the above 30s and below 2min range
[03:28] <morganfainberg> typically
[03:28] <morganfainberg> but last i played with that stuff is a few releases ago
[03:29] <morganfainberg> jamielennox, anyway lets make it so devstack can disable v2 keystone :)
[03:29] <dolphm> i timed a 2gb server at 40s on rackspace public cloud without doing anything to minimize overhead
[03:29] <dolphm> just wondering how much room for improvement there could be in OS
[03:29] <morganfainberg> jamielennox, then get an experimental gate job that runs devstack-gate-full in that mode.
[03:29] <jamielennox> morganfainberg: yea, i've got fixes for tempest to work that way too
[03:29] <morganfainberg> jamielennox, see what all explodes.
[03:29] <morganfainberg> ofc w/ tempest not checking v2 :P
[03:34] <haneef> jamielennox: what happened to nova to neutron auth patch? Is  that approved. In HP at least we are still stuck with v2 for that
[03:34] <jamielennox> haneef: i've been pushing that and i went to the meeting today to get it looked at
[03:34] <jamielennox> it seems to work just fine
[03:34] <jamielennox> i just need to get someone on nova to push the button
[03:35] <jamielennox> yep, still only one +2 https://review.openstack.org/#/c/136931/
[03:35] <jamielennox> if that misses k-3 i'll be pissed
[03:35] *** samueldmq has joined #openstack-keystone
[03:35] *** ptoohill has joined #openstack-keystone
[03:35] <haneef> I'm too waiting for that patch
[03:37] <jamielennox> i had that as a WIP waiting for kilo to open rather than submit close to the deadline of Juno
[03:38] *** diegows has quit IRC
[03:38] <stevemar> jamielennox, lemme bug mriedeman about it
[03:39] <haneef> stevemar: assertions doesn't work with fernet tokens
[03:39] <stevemar> haneef, noooo
[03:39] <stevemar> haneef, whats up with them?
[03:39] <haneef> https://bugs.launchpad.net/keystone/+bug/1431669
[03:40] <openstack> Launchpad bug 1431669 in Keystone "Create saml assertion doesn't work with fernet token" [Undecided,New]
[03:40] *** zzzeek has quit IRC
[03:40] <stevemar> haneef, can you print out what the token_id is?
[03:40] *** samueldmq has quit IRC
[03:40] <stevemar> i don't think dolphm or lbragstad have a federated environment handy
[03:41] <stevemar> any info at all would be super helpful
[03:41] <dstanek> haneef, stevemar: that may be related to https://review.openstack.org/#/c/159229/ where we were discussing the oddity of v2 tokens being unicode instead of bytes
[03:42] <haneef> added in the comment
[03:42] <lbragstad> dstanek: yes, that looks similar
[03:53] *** gokrokve has joined #openstack-keystone
[03:55] <openstackgerrit> Joe Gordon proposed openstack/python-keystoneclient: Revert "Imports to fix build warnings"  https://review.openstack.org/164066
[03:59] *** rushiagr_away is now known as rushiagr
[04:06] <haneef> lbragstad: Does fernet try decryption with each key in case of key rotation? How does it know which key was used to encrypt the original token?
[04:06] <lbragstad> haneef: http://lbragstad.com/?p=133
[04:07] <dolphm> haneef: fernet keys contain both a signing key and an encryption key - it brute forces the available signing keys until it finds a match, then uses the corresponding encryption key to decrypt
[04:07] <lbragstad> haneef: yep, nm ignore that link, I misread your questio
[04:07] <lbragstad> question*
[04:09] *** gokrokve has quit IRC
[04:09] <haneef> doplh: couple more questions on fernet.  Is the key generated 256 bit key?   How can I know which is signing key and which is encryption key from the keys generated by fernet_setup
[04:10] <dolphm> haneef: the first half is one 128-bit key, and the second half is another 128-bit key. one is for AES, one is for SHA256 HMAC. i forget the order, check the spec
[04:11] <haneef> So the key generated by fernet_setup which is filesystem is concatenation of 2  keys. Is that correct?
[04:11] <dolphm> haneef: yes
[04:12] <dolphm> haneef: one encryption key + one HMAC key == one "fernet" key
[04:12] <haneef> Thanks. that helps
[04:17] <dolphm> lbragstad: just benchmarked SHA256 HMACs on my laptop to see how many keys you could feasibly keep in rotation before you see appreciable performance degradation....
[04:17] <lbragstad> ...
[04:17] <dolphm> lbragstad: average out to be 0.00001203745 seconds per SHA256 HMAC.
[04:18] <lbragstad> and that is per key tried?
[04:18] <dolphm> (of a 128 byte message with a 32 byte key)
[04:20] <lbragstad> dolphm: so this is with the brute force method?
[04:20] <dolphm> sorry, not a 32 byte key, a 128 bit key**
[04:21] <dolphm> lbragstad: one message, one key, a million iterations
[04:21] <lbragstad> dolphm: gotcha
[04:22] <dolphm> lbragstad: http://cdn.pasteraw.com/2uyoj4j6xhj1pa09dc1l1tgog3wylt8
[04:23] <jamielennox> stevemar: https://review.openstack.org/164071 is an alternative to DOA plugins
[04:24] <jamielennox> stevemar: with it i could write https://github.com/jamielennox/django-openstack-auth-kerberos and maintain it completely separate to DOA
[04:24] <jamielennox> stevemar: i think this is a better idea than plugins
[04:26] <lbragstad> dolphm: interesting
[04:44] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone  https://review.openstack.org/163878
[04:47] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone  https://review.openstack.org/163878
[04:47] *** ayoung has quit IRC
[04:57] *** mhu has quit IRC
[04:59] *** mhu has joined #openstack-keystone
[05:28] *** chrisshattuck has quit IRC
[05:43] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Document websso setup  https://review.openstack.org/164012
[05:43] <stevemar> lhcheng_, ^
[06:00] <morganfainberg> haneef: thanks for the bug on saml + fernet tokens.
[06:09] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/163705
[06:11] *** markvoelker has quit IRC
[06:12] *** markvoelker has joined #openstack-keystone
[06:16] *** markvoelker has quit IRC
[06:17] <haneef> morganfainberg:  Without this domain scope token won't work.  https://bugs.launchpad.net/keystone/+bug/1430433
[06:18] <openstack> Launchpad bug 1430433 in Keystone "Fernet token validation doesn't return catalog and role information for domain scoped tokens" [Undecided,New] - Assigned to Boris Bobrov (bbobrov)
[06:18] <morganfainberg> haneef: yep.
[06:19] <morganfainberg> haneef: I'm glad people are excited about the fernet tokens and helping to knock them into shape.
[06:21] <morganfainberg> More work to do on them tomorrow.
[06:21] <haneef> Yes. We are
[06:22] *** stevemar has quit IRC
[06:35] *** stevemar has joined #openstack-keystone
[06:35] *** ChanServ sets mode: +v stevemar
[06:42] *** markvoelker has joined #openstack-keystone
[06:44] *** stevemar has quit IRC
[06:45] *** rushiagr is now known as rushiagr_away
[06:46] <marekd|away> Morning
[06:46] *** marekd|away is now known as marekd
[06:47] *** markvoelker has quit IRC
[06:53] *** ncoghlan has quit IRC
[06:57] *** browne has quit IRC
[07:04] *** afazekas has joined #openstack-keystone
[07:23] *** dims has joined #openstack-keystone
[07:27] *** dims has quit IRC
[07:31] *** jamielennox has quit IRC
[07:34] *** jamielennox has joined #openstack-keystone
[07:34] *** ChanServ sets mode: +v jamielennox
[07:39] *** jamielennox has quit IRC
[07:43] *** markvoelker has joined #openstack-keystone
[07:48] *** markvoelker has quit IRC
[07:55] *** jamielennox|away has joined #openstack-keystone
[07:55] *** jamielennox|away is now known as jamielennox
[07:55] *** ChanServ sets mode: +v jamielennox
[08:08] <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Add a FederatedBase v3 plugin  https://review.openstack.org/163271
[08:09] *** chlong has quit IRC
[08:11] <openstackgerrit> Merged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/163705
[08:12] *** jistr has joined #openstack-keystone
[08:13] <davechen> marek, ping?
[08:17] *** pnavarro|off has joined #openstack-keystone
[08:21] *** openstackgerrit has quit IRC
[08:21] *** openstackgerrit has joined #openstack-keystone
[08:29] <openstackgerrit> Merged openstack/keystonemiddleware: Move unit tests into tests.unit  https://review.openstack.org/162482
[08:34] <openstackgerrit> Merged openstack/keystone: Remove unnecessary import  https://review.openstack.org/161541
[08:44] *** markvoelker has joined #openstack-keystone
[08:46] *** jistr has quit IRC
[08:48] *** markvoelker has quit IRC
[08:54] *** henrynash has joined #openstack-keystone
[08:54] *** ChanServ sets mode: +v henrynash
[08:57] *** erkules_ is now known as erkules
[08:57] *** erkules has quit IRC
[08:57] *** erkules has joined #openstack-keystone
[09:00] *** trey has quit IRC
[09:01] *** trey has joined #openstack-keystone
[09:04] *** henrynash has quit IRC
[09:04] *** jistr has joined #openstack-keystone
[09:11] <marekd> davechen: hi
[09:24] *** sigmavirus24 is now known as sigmavirus24_awa
[09:42] *** dims has joined #openstack-keystone
[09:45] *** markvoelker has joined #openstack-keystone
[09:47] *** dims has quit IRC
[09:49] *** markvoelker has quit IRC
[09:54] *** dims has joined #openstack-keystone
[09:56] <davechen> marekd: sorry, I must leave, ping you later.
[09:56] <davechen> marekd: have a good weekend
[10:01] *** lhcheng_ has quit IRC
[10:08] *** sluo_wfh has quit IRC
[10:09] *** henrynash has joined #openstack-keystone
[10:09] *** ChanServ sets mode: +v henrynash
[10:16] <marekd> davechen: ok
[10:17] *** nellysmitt has joined #openstack-keystone
[10:35] <openstackgerrit> henry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/160032
[10:38] *** henrynash has quit IRC
[10:39] *** Ephur_ has quit IRC
[10:44] *** aix has joined #openstack-keystone
[10:44] *** henrynash has joined #openstack-keystone
[10:44] *** ChanServ sets mode: +v henrynash
[10:46] *** markvoelker has joined #openstack-keystone
[10:47] *** henrynash has quit IRC
[10:47] *** amakarov_away is now known as amakarov
[10:50] *** markvoelker has quit IRC
[10:55] *** samueldmq has joined #openstack-keystone
[10:55] *** jamielennox has quit IRC
[10:59] *** harlowja_away has quit IRC
[11:02] *** jamielennox|away has joined #openstack-keystone
[11:02] *** jamielennox|away is now known as jamielennox
[11:02] *** ChanServ sets mode: +v jamielennox
[11:14] *** jamielennox has quit IRC
[11:23] *** davechen_ has joined #openstack-keystone
[11:24] *** jamielennox|away has joined #openstack-keystone
[11:24] *** jamielennox|away is now known as jamielennox
[11:24] *** ChanServ sets mode: +v jamielennox
[11:26] *** krykowski has joined #openstack-keystone
[11:46] *** markvoelker has joined #openstack-keystone
[11:50] <openstackgerrit> Telles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/158398
[11:51] <openstackgerrit> Telles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/161378
[11:51] *** markvoelker has quit IRC
[11:57] *** diegows has joined #openstack-keystone
[11:58] *** ljfisher has joined #openstack-keystone
[12:01] *** nicodemos has quit IRC
[12:07] *** markvoelker has joined #openstack-keystone
[12:21] *** bknudson has joined #openstack-keystone
[12:21] *** ChanServ sets mode: +v bknudson
[12:22] *** radez_g0n3 is now known as radez
[12:24] *** chlong has joined #openstack-keystone
[12:28] *** raildo has joined #openstack-keystone
[13:01] *** openstackgerrit_ has joined #openstack-keystone
[13:01] *** openstackgerrit_ has quit IRC
[13:02] *** mattfarina has joined #openstack-keystone
[13:09] *** gordc has joined #openstack-keystone
[13:10] *** radez is now known as radez_g0n3
[13:16] *** markvoelker has quit IRC
[13:17] *** markvoelker has joined #openstack-keystone
[13:25] *** jdennis has quit IRC
[13:32] *** jdennis has joined #openstack-keystone
[13:39] *** ljfisher has quit IRC
[13:41] *** richm has joined #openstack-keystone
[13:49] *** richm1 has joined #openstack-keystone
[13:49] *** richm has quit IRC
[13:49] *** richm1 is now known as richm
[13:51] *** ljfisher has joined #openstack-keystone
[13:54] *** obutenko_ has joined #openstack-keystone
[13:56] <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone: [WIP]Update inherited role assignments behavior  https://review.openstack.org/164180
[13:56] <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone: [WIP]Update inherited role assignments behavior  https://review.openstack.org/164180
[14:00] <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Move _memcache_pool into auth_token  https://review.openstack.org/162480
[14:00] *** gordc has quit IRC
[14:01] *** gordc has joined #openstack-keystone
[14:02] *** radez_g0n3 is now known as radez
[14:03] *** elowing has joined #openstack-keystone
[14:06] *** r-daneel has joined #openstack-keystone
[14:06] *** dims has quit IRC
[14:07] *** mattamizer has joined #openstack-keystone
[14:07] *** dims has joined #openstack-keystone
[14:08] *** mattamizer has quit IRC
[14:08] *** elowing has quit IRC
[14:09] *** elowing has joined #openstack-keystone
[14:12] *** carlosmarin has joined #openstack-keystone
[14:16] *** csoukup has joined #openstack-keystone
[14:16] <openstackgerrit> Dave Chen proposed openstack/keystone: More content for core components of DB migration  https://review.openstack.org/164188
[14:18] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Fix service provider table nullable constraints  https://review.openstack.org/164189
[14:18] *** afazekas has quit IRC
[14:18] <rodrigods> marekd, ^
[14:18] <rodrigods> :)
[14:21] *** dims is now known as dimsum__
[14:23] <elowing> morning y'all. trying to hide the admin dashboard for domain admins upon login. this should be configured through dashboard permissions in my overrides, no?
[14:24] <elowing> ex. admin_dashboard.permissions = tuple('openstack.roles.my_role')
[14:25] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table  https://review.openstack.org/164189
[14:28] *** davechen_ has quit IRC
[14:33] *** Nakato has quit IRC
[14:34] *** Nakato has joined #openstack-keystone
[14:36] *** thedodd has joined #openstack-keystone
[14:48] *** thedodd has quit IRC
[14:52] *** samueldmq_ has joined #openstack-keystone
[14:53] *** thedodd has joined #openstack-keystone
[14:55] <lbragstad> breton: around?
[14:55] <lbragstad> I had a quick question on https://bugs.launchpad.net/keystone/+bug/1431434
[14:55] <openstack> Launchpad bug 1431434 in Keystone "user creation with fernet tokens results in 401" [High,New]
[14:56] <lbragstad> breton: were you able to recreate that with an "admin-scoped" fernet token, instead of using the ADMIN_TOKEN?
[14:57] *** samueldmq_ has quit IRC
[14:58] *** elowing has quit IRC
[15:00] *** elowing has joined #openstack-keystone
[15:02] *** radez is now known as radez_g0n3
[15:04] *** gokrokve has joined #openstack-keystone
[15:05] *** radez_g0n3 is now known as radez
[15:06] *** chrisshattuck has joined #openstack-keystone
[15:06] *** thedodd has quit IRC
[15:09] *** elowing has quit IRC
[15:10] *** _cjones_ has joined #openstack-keystone
[15:10] *** elowing has joined #openstack-keystone
[15:12] *** nellysmitt has quit IRC
[15:13] *** bknudson has quit IRC
[15:15] <haneef> lbragstad:  I can create user with  fernet token , token is project scoped token
[15:16] <lbragstad> haneef: so, everything is working properly for you/
[15:16] <lbragstad> ?
[15:16] <haneef> Let me check with  ADMIN_TOKEN and get back to you
[15:17] <lbragstad> haneef: ok, I'm firing up an env to see if I can recreate breton's issue
[15:18] *** browne has joined #openstack-keystone
[15:19] <openstackgerrit> Yuki Nishiwaki proposed openstack/python-keystoneclient: Enable to specify auth plugin as full class name  https://review.openstack.org/161164
[15:19] *** stevemar has joined #openstack-keystone
[15:19] *** ChanServ sets mode: +v stevemar
[15:19] <haneef> I can do with both ADMIN token (hardcoded one), and normal project scoped token.  domain scoped token has problem, which I think is due to the other bug that I raised, where domain scoped tokens doesn't have any roles
[15:21] <dolphm> haneef: that might be resolved in the latest master
[15:22] <dolphm> haneef: as of 12 hours ago, or so
[15:25] <haneef> My code base is 8:00 PM PST yesterday. I will try today's version
[15:33] *** david-lyle_afk is now known as david-lyle
[15:33] *** fmarco76 has joined #openstack-keystone
[15:35] *** zzzeek has joined #openstack-keystone
[15:39] *** thedodd has joined #openstack-keystone
[15:42] <haneef> dolph: I just checked  current version, and we still don't get roles for domain scoped token. I have your last night merges
[15:42] <dolphm> haneef: for a newly created domain scoped token, correct?
[15:42] <haneef> yes
[15:43] *** arunkant has joined #openstack-keystone
[15:44] *** ayoung has joined #openstack-keystone
[15:44] *** ChanServ sets mode: +v ayoung
[15:45] *** bknudson has joined #openstack-keystone
[15:45] *** ChanServ sets mode: +v bknudson
[15:49] *** thedodd has quit IRC
[15:50] *** chrisshattuck has quit IRC
[15:51] *** chrisshattuck has joined #openstack-keystone
[15:57] *** thedodd has joined #openstack-keystone
[16:00] <openstackgerrit> Kamil Rykowski proposed openstack/python-keystoneclient: tenant-list updated to output Tenant Description  https://review.openstack.org/140962
[16:01] <openstackgerrit> Kamil Rykowski proposed openstack/python-keystoneclient: tenant-list updated to output Tenant Description  https://review.openstack.org/140962
[16:05] *** krykowski has quit IRC
[16:09] *** samueldmq_ has joined #openstack-keystone
[16:11] *** browne has quit IRC
[16:15] *** rwsu-afk is now known as rwsu
[16:17] *** samueldmq_ has quit IRC
[16:20] *** fmarco76 has quit IRC
[16:22] *** elowing has quit IRC
[16:33] *** tqtran has joined #openstack-keystone
[16:34] <lbragstad> haneef: dolphm this is what I get with a domain scoped curl request http://cdn.pasteraw.com/le33atp4dptqzk9jlyevi4olpjlw6q2
[16:34] <breton> lbragstad: I will try now
[16:35] <lbragstad> haneef: dolphm I'm on master 55d940c70be405e6dcf48eaa4aed0c2d766aadeb
[16:35] *** chrisshattuck has quit IRC
[16:38] <lbragstad> haneef: this is what my auth request looks like http://cdn.pasteraw.com/f6y2zbkko7fxevpyo78p5tot0z7k5tb
[16:39] <lbragstad> haneef: the data was populated in keystone using https://gist.github.com/dolph/02c6d37f49596b3f4298#file-bootstrap-py
[16:43] *** chrisshattuck has joined #openstack-keystone
[16:48] <breton> lbragstad: is domain a required field?
[16:48] *** iamjarvo has joined #openstack-keystone
[16:50] *** mestery has quit IRC
[16:51] *** mestery has joined #openstack-keystone
[16:51] <haneef> lbragstad: is this fernet or uuid token?
[16:56] <lbragstad> haneef: those are fernet tokens
[16:56] <lbragstad> breton: no, domain isn't required, but that request will give you a domain-scoped token
*** harlowja has joined #openstack-keystone16:57
*** chrisshattuck has quit IRC16:58
haneeflbragstad:  I just tried, it doesn't return roles for fernet and returns for uuid. same commit in the master16:59
*** chrisshattuck has joined #openstack-keystone16:59
*** chrisshattuck has quit IRC16:59
bretonlbragstad: well, http://paste.openstack.org/show/192139/ fails for me17:00
bretonand doesn't fail if I pass domain to users.create()17:00
*** chrisshattuck has joined #openstack-keystone17:00
*** chrisshattuck has quit IRC17:00
lbragstadbreton: so you can create a user?17:01
haneeflbragstad:  Can you try to validate that fernet token. My  bug is about token validation and not token response17:01
lbragstadhaneef: can you post what you're sending to Keystone?17:01
*** chrisshattuck has joined #openstack-keystone17:01
bretonlbragstad: no without domain, yes with domain17:01
*** chrisshattuck has quit IRC17:01
bretonoh, I'm getting the same results with uuid17:02
lbragstadbreton: ok, I'm using domain too, so that's consistent17:02
haneeflbragstad: This is what I was trying, curl -k -H "X-Auth-Token:ADMIN" -H "X-Subject-Token:$FD" http://localhost:35357/v3/auth/tokens  | python -mjson.tool17:02
haneefwhere FD is domain scoped fernet token17:02
*** chrisshattuck has joined #openstack-keystone17:02
*** chrisshattuck has quit IRC17:02
lbragstadhaneef: ok, let me try that quick17:03
*** chrisshattuck has joined #openstack-keystone17:03
*** carlosmarin has quit IRC17:05
*** carlosmarin has joined #openstack-keystone17:05
*** _cjones_ has quit IRC17:05
*** browne has joined #openstack-keystone17:07
mtreinishdimsum__: I had a question, how do I go about logging request ids with oslo log. I added the req-id middleware to the pipeline, but I'm not sure what the next step would be17:08
*** iamjarvo has quit IRC17:08
*** elowing has joined #openstack-keystone17:09
bretonso, I still don't understand. Is it normal that a user cannot be created without a domain using admin_token?17:10
*** timcline has joined #openstack-keystone17:11
rodrigodsbreton, you are making a create_user request where the domain is not provided?17:11
haneefbreton: domain is required field for user creation, if u are using v3 clients. v2 will default to "default" domain17:12
bretonrodrigods: yes. I am trying this: http://paste.openstack.org/show/192139/17:13
bretonhaneef: where can I read about it?17:13
bretonand why doesn't it fail with some sane message?17:14
lbragstadbreton: https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L65717:14
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support  https://review.openstack.org/16003117:14
*** iamjarvo has joined #openstack-keystone17:14
dimsum__mtreinish: in keystone?17:15
mtreinishyes17:15
dimsum__mtreinish: the review already merged? (with middleware)17:15
*** timcline has quit IRC17:15
openstackgerritWill Foster proposed openstack/keystone:     skip assignment rows migrate if duplicate entry exists.  https://review.openstack.org/16426717:15
mtreinishdimsum__: http://git.openstack.org/cgit/openstack/keystone/commit/?id=d333eac4ef2c98974fb717979281c96a1264f32717:15
bretonlbragstad: thanks17:16
lbragstadbreton: what error do you get when you try to create a user without the domain_id?17:16
rodrigodsbreton, lbragstad thought the controller always adds the domain_id (set to the Default when not present)17:17
rodrigodshttps://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L8217:17
*** _cjones_ has joined #openstack-keystone17:18
dimsum__mtreinish: looking17:18
bretonlbragstad: "The request you have made requires authentication."17:18
lbragstadrodrigods: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L702-L70617:18
lbragstadrodrigods: it does that on user create for v317:19
bretonand it says that even with stable/juno17:19
lbragstadbreton: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L681-L68917:20
lbragstadon user create for v3 it will try and resolve the domain id using that code17:20
haneeflbragstad: that is only for domain scoped token. context won't have domain_id for project scoped token17:20
bretonlbragstad: nope, it doesn't get to that section17:21
lbragstadhaneef: it looks like it tries populating the token_ref17:21
lbragstadfrom the KeystoneToken model17:22
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: WIP: Bye bye domain table  https://review.openstack.org/16185417:23
haneeflbragstad:  https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58.  domain_id will be there only if it is domain scoped token17:29
dimsum__mtreinish: don't see keystone using oslo_context's RequestContext?17:31
*** jistr has quit IRC17:31
lbragstadhaneef: gotcha17:35
*** elowing has quit IRC17:35
dimsum__oslo.log picks up request id from the context17:35
bknudsonoslo.context isn't documented: http://docs.openstack.org/developer/openstack-projects.html17:36
*** ayoung has quit IRC17:36
stevemarbknudson, it exists http://docs.openstack.org/developer/oslo.context/17:37
rodrigodsbknudson, regarding your comment in the subtree_as_ids and parent_as_ids patch in ksc, do you have any suggestion on how to make that code prettier?17:37
bknudsonrodrigods: provide a little function that builds query parameters from arguments17:38
rodrigodsbknudson, hm... ok17:38
bknudsonactually, python probably has one already17:38
rodrigodsbknudson, it does, but it doesn't build key only params17:39
rodrigodssince this approach is not very RESTy17:39
*** lhcheng has joined #openstack-keystone17:39
bknudsonrodrigods: what's not RESTy about it?17:40
rodrigodsbknudson, it is recommended to always have a key and a value17:40
*** lhcheng_ has joined #openstack-keystone17:41
*** ayoung has joined #openstack-keystone17:43
*** ChanServ sets mode: +v ayoung17:43
*** lhcheng has quit IRC17:44
*** lhcheng_ is now known as lhcheng17:44
ayoungAnyone that cares about Federation (and that is everyone)  there is an Ipsilon test day going on;  see #fedora-test-day if you are interested17:45
mtreinishdimsum__: ah, ok that's where I got to. I guess I'll just have to figure out how to use oslo.context in keystone17:48
stevemarayoung, today?17:50
ayounglooks like it17:50
ayoungGah...nope17:50
ayoungwas yesterday...how can I have missed that!17:50
ayoungstevemar, still, the instructions are, by far, the most valuable part17:50
ayounghttps://fedoraproject.org/wiki/Test_Day:2015-03-12_Ipsilon17:51
*** rushiagr_away is now known as rushiagr17:51
stevemarayoung, that looks like it was fun17:52
ayoungstevemar, for my team, most days are Ipsilon test days these days17:53
*** gokrokve has quit IRC17:54
bknudsonstevemar: what's up with https://review.openstack.org/#/c/156905/ ? is this needed for bp cadf-everywhere?17:55
stevemarbknudson, it's not needed for it, i will strike that from the commit msg17:57
stevemarbknudson, it was a 'nice to have' / stretch goal17:57
bknudsonok, thanks.17:57
stevemari'll file a bug17:57
openstackgerritSteve Martinelli proposed openstack/keystone: Emit failure notifications for CADF audits events  https://review.openstack.org/15690517:59
dimsum__mtreinish: AuthContext seems like the closest...18:00
*** elowing has joined #openstack-keystone18:00
*** gokrokve has joined #openstack-keystone18:01
*** leonchio_ has quit IRC18:01
*** leonchio_ has joined #openstack-keystone18:02
*** mattamizer has joined #openstack-keystone18:10
*** straycat is now known as sadcat_18:11
openstackgerritEric Brown proposed openstack/keystone: Replace exec calls with cryptography library  https://review.openstack.org/16308818:14
stevemarnow that is a cool patch ^18:18
bknudsonwe need eric brown to hang out in irc18:18
stevemarbknudson, for sure18:21
stevemarmorganfainberg, ping18:21
morganfainbergstevemar, ponnnnnng18:21
stevemarmorganfainberg, feel like putting abfab back into K release ? https://review.openstack.org/#/c/163878/18:21
morganfainbergstevemar, if it's a documentation only change, wont matter. if its more than a doc change... i need to see the code ready to go today.18:22
morganfainbergstevemar, or see an FFE with associated code18:22
bknudsonare we going to document every apache mod?18:23
stevemarmorganfainberg, they claim it's just a doc change18:24
stevemarbknudson, we have 2 doc'ed so far, abfab would be the 3rd18:25
stevemarit's rather essential to doc these things for federation :(18:25
bknudsonthe apache modules should be documenting how to work with keystone, not the other way around!18:25
stevemarbknudson, you are certainly drinking the openstack koolaid18:26
*** amakarov is now known as amakarov_away18:26
bknudsonif we don't have tests for it I'd rather not have it documented like it's supported18:27
stevemarbknudson, the tests would just be exercising the mapping engine and auth config options18:28
bknudsonright, what if we change the mapping engine or how auth config options work and it breaks the instructions...18:28
stevemarmaybe have a header that says it's best effort?18:28
bknudsonnow we have to maintain these instructions?18:29
bknudsonalso, these are developer docs, so not sure why developers care how to set this up.18:29
iamjarvodoes ldap support multidomain without adding specific domain confs?18:30
bknudsoniamjarvo: it doesn't.18:30
iamjarvoi am narrowing on the answer no18:30
iamjarvobknudson thank18:30
iamjarvothank you*18:31
nkinderstevemar: if I grab the websso horizon patches (plus the websso stuff you got into keystone), should everything work for federated auth to Horizon in devstack?18:33
nkinderstevemar: I'm about to test it out, but wanted to check if there is some known missing piece still18:33
stevemarnkinder, i believe it should :)18:34
stevemarnkinder, https://review.openstack.org/#/c/164012/18:34
stevemarnkinder, make sure you have DOA set as 'install from git' in devstack18:35
stevemarotherwise it gets wonky when you download the patch18:35
stevemarthere is 1 horizon patch and 1 DOA patch18:36
*** drjones has joined #openstack-keystone18:42
*** ayoung has quit IRC18:42
*** ayoung has joined #openstack-keystone18:43
*** ChanServ sets mode: +v ayoung18:43
*** _cjones_ has quit IRC18:43
nkinderstevemar: ok thanks.  I'll give it a shot.18:43
openstackgerritayoung proposed openstack/keystone: ignore unknown groups  https://review.openstack.org/16278818:44
*** lhcheng has quit IRC18:47
*** drjones has quit IRC18:49
*** _cjones_ has joined #openstack-keystone18:50
lbragstadhaneef: I'm able to validate unscoped, domain-scoped, and project scoped tokens with my admin token.18:51
lbragstadhaneef: are you still having issues with it?18:51
haneeflbragstad: when you validate, what is the response you are getting. Does the response token body have role?18:52
lbragstadhaneef: with which token?18:53
haneeffernet token, if you execute the curl command I posted, it should return token response, which doesn't have role18:53
lbragstadhaneef: with a domain-scoped fernet token?18:53
haneeffernet token, domain scoped18:53
lbragstadhaneef: ok, checking quick18:54
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids  https://review.openstack.org/15007818:54
dolphmhaneef: can you post the raw token value and the fernet key used to create it?18:54
rodrigodsbknudson, ^tried to address your comments, some of them I responded instead. let me know if you are ok with them18:55
lbragstadhaneef: this is what I get http://cdn.pasteraw.com/o4te8rf20it6gs33lxmjl54k9n7z8jt18:55
lbragstadcc dolphm18:55
lbragstadhaneef: recreating with a uuid token18:55
haneefyes. that is the one. It is missing roles18:55
dolphmhaneef: what is the value of $SUBJECT_TOKEN and what is the fernet key?18:57
lbragstadhaneef: uuid response http://cdn.pasteraw.com/eqw4n3vh0bb0xnv6y195flz7zb0u33q18:59
lbragstadhaneef: fernet response http://cdn.pasteraw.com/7kmeev9y0cssyk7puri1v47nlclleuv18:59
haneefdolphm:  https://gist.github.com/haneefs/278148638adb32476a7518:59
morganfainberghaneef, is that via v2.0 or via v3?19:01
haneefv3, using openstack token issue19:01
*** henrynash has joined #openstack-keystone19:02
*** ChanServ sets mode: +v henrynash19:02
lbragstadso, it looks like domain-scoped fernet responses are missing the token['catalog'], token['roles'], and token['domain'] dictionaries19:03
lbragstadcompared to uuid responses19:04
dolphmhaneef: lbragstad: it's payload version 1, so it's definitely a domain scoped token http://cdn.pasteraw.com/o6iygbunnimdx6rtuigunkl0xuc7lch19:04
dolphmi was thinking maybe it was getting packed as unscoped or something19:04
dolphmlbragstad: that also looks like a non-integer time being encoded == wasted bytes!19:06
dolphm(expiration)19:06
*** gordc has quit IRC19:06
lbragstadmsgpack should know to convert that19:06
lbragstadI *think*?19:06
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003219:06
lbragstadbernardo-silva would know the answer to that19:07
lbragstaddolphm: haneef also, when we validate, this is what we're using to build the context on the way out https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/core.py#L175-L18319:07
dolphmlbragstad: i didn't pack it correctly19:07
openstackgerritMerged openstack/keystone: Rename get_events to list_events on the Revoke API  https://review.openstack.org/16281719:07
dolphmlbragstad: i meant to pass it an int, not a float19:08
dolphmlbragstad: i probably got lost in timeutils19:08
stevemarbknudson, as badly named as it is, the 'developer' docs have become the central resource for configuration19:09
lbragstadhaneef: dolphm figured it out...19:10
lbragstadhaneef: dolphm we're going to have to do a major rewrite to fix it though :(19:10
morganfainberglbragstad, what is it?19:10
*** jaosorior has joined #openstack-keystone19:10
morganfainbergdolphm, ^19:10
lbragstadmorganfainberg: dolphm haneef this is the response, it matches what we get for uuid19:11
lbragstadbut we're going to have to apply the following :(19:11
bknudsonstevemar: we should be pushing contributors to the admin guide. http://docs.openstack.org/admin-guide-cloud/content/19:11
dolphmlbragstad: wut19:11
*** henrynash has quit IRC19:11
lbragstaddolphm: haneef morganfainberg this is gonna suck19:11
lbragstaddolphm: haneef morganfainberg http://cdn.pasteraw.com/7aklvpeuajaxsi7ztsowce2jhkrtoby19:12
*** thedodd has quit IRC19:12
* lbragstad ducks19:12
dolphmlbragstad: how the hell did that get dropped?!19:13
* dolphm hates rebase loops19:13
dolphmlbragstad: put it in gerrit!19:13
*** ljfisher has quit IRC19:13
morganfainberglbragstad, wait ... really?19:13
lbragstadmorganfainberg: ;)19:14
morganfainbergthat's it?19:14
lbragstadlol yeah, no big deal... it must have gotten lost in the rebase hell we were in19:14
lbragstadI'll push a patch for it19:14
morganfainbergthanks19:14
lbragstadhaneef: ^ that should solve your issue19:14
*** lhcheng has joined #openstack-keystone19:16
*** tqtran is now known as tqtran_afk19:16
haneefYes. that solves it. I have verified it19:17
ayoungstevemar, looking at the websso patch, I don't see how Horizon can redirect to Keystone without knowing the protocol.  Did you assume that the protocol was selected before hitting Keystone?19:21
stevemarayoung, yessir, it's part of a drop down menu19:22
ayoungstevemar, um...that is a mistake19:22
ayoungstevemar, pretty sure the flow is like this19:22
stevemaroh?19:22
ayounghorizon -> keystone with no protocol selected19:22
ayoungkeystone to discovery19:22
ayoungin discovery, select protocol and idp19:23
ayoungredirect user to idp,  and then back to keystone19:23
ayoungstevemar, I did a wget against the cern one.  Their first redirect to keystone has no IdP in it19:23
stevemarayoung, better comment on the horizon patch soon then :\19:24
ayoungstevemar, Is the Horizon patch doing discovery?19:24
ayoungI'm OK if they end up building discovery into Horizon, but there is some issue with Horizon and Keystone syncing the IdP list19:24
ayoungor are they only doing protocol selection19:25
ayoungstevemar, ?19:26
*** atiwari has joined #openstack-keystone19:27
stevemarayoung, let me find the patch19:27
ayounghttps://review.openstack.org/#/c/151842/19:27
ayoungtqtran_afk, probably asleep19:28
ayoungstevemar, with his patch, how do you select IdP?19:29
nkinderayoung: horizon does protocol selection19:29
nkinderat least that's how I understood the patches19:29
stevemarayoung, it's based off the 'remote_id' that the idp sees19:29
ayoungnkinder, who selects IdP19:29
nkinderyou select saml2 or openid19:29
nkinderkeystone, or a discovery service19:29
stevemarerr that apache sees19:29
*** nonameentername has joined #openstack-keystone19:32
openstackgerritLance Bragstad proposed openstack/keystone: Build domain scope for Fernet tokens  https://review.openstack.org/16431519:33
lbragstadhaneef: dolphm morganfainberg fixed ^19:33
morganfainberglbragstad, thanks for the test too19:34
lbragstadmorganfainberg: sure thing19:35
openstackgerritBrant Knudson proposed openstack/keystone: Prefer . to setattr()  https://review.openstack.org/16431819:35
*** gordc has joined #openstack-keystone19:36
*** kashyap has joined #openstack-keystone19:39
kashyapHi, any hints why I see this w/ current Keystone git w/ DevStack:19:40
kashyap2015-03-13 19:23:47.597 | Authorization Failed: type object 'HTTPHeaderDict' has no attribute 'from_httplib'19:40
*** radez is now known as radez_g0n319:40
stevemarkashyap, never seen that one before19:40
*** iamjarvo has quit IRC19:40
morganfainbergkashyap, that is a new one to me19:41
dstanekkashyap: that's coming from Keystone?19:41
kashyapandreaf, consequently,  TOKEN=$(keystone token-get | grep ' id ' | get_field 2) fails19:41
ayoungkashyap, sounds like a version of a library issue19:41
kashyapUgh, I meant, "And".   Sorry Andrea :-(19:41
ayounghttplib19:41
kashyapayoung, Hmm, there's no RPM for sure.19:41
ayoungkashyap, you on F22 by any chance?19:41
kashyapayoung, Not yet - on F21, all updated.  F22 update on a different machine in progress (to reproduce it)19:42
ayoungkashyap, httplib is the native, maybe that is the disconnect19:42
kashyapdstanek, You can see the contextual code where it's failing  -- http://paste.openstack.org/show/192165/19:42
kashyapayoung, I really despise pip (poop!) sometimes, it's notorious when it has to interact w/ RPM19:43
dstanekfrom_httplib appears in requests19:43
ayoungnkinder, the thing is, if you select a discover service, I don't think we have a way in Keystone to handle that yet.19:43
ayoungI think we need the same thing as is the WEBSSO/{protocol} url but without the {protocol}19:43
morganfainbergkashyap, sadly fedora lets pip install in the same place rpms install, it should do what ubuntu does and use /usr/local/ with the sys.path meant to look in /usr/local first..19:44
kashyapOutput of $ find / -name *httplib*   -- http://paste.openstack.org/show/192166/19:44
ayoungkashyap, if devstack fails there, you should be able to still see what is happening in Keystone.19:44
kashyapmorganfainberg, The reason for that is, Fedora doesn't want to diverge from upstream. And, I think that reason is sensible.19:44
ayoungTry doing a token-get by hand, and you can debug19:44
dstanekkashyap: the symbol from_httplib is from requests19:44
kashyapayoung, Yeah, looking for logs, thought I'll go get some food, but this is blocking me :-)19:45
ayoungI tend to use rpdb  but for this straight pdb should work fine19:45
ayoungkashyap, if it is an internal machine I can see, and if you are still blocked after food, I'd be happy to take a look19:45
morganfainbergkashyap, except you totally break everything in some cases and you can't back it out by removing a file. it would replace your RPM installed python libs in cases19:45
kashyapayoung, Unfortunately, it's my laptop. My remote installs works just fine.  I don't want to blow away the VM, as I'm on a very slow network19:46
morganfainbergkashyap, pip simply installing in a place that isn't the same as your packaging is just good practice. overwriting what the rpm installs is very silly.19:46
morganfainbergkashyap, but thats my opinion.19:46
kashyapmorganfainberg, Understood.19:47
ayoungkashyap, do not do devstacks on your laptop.  I sure hope you mean "a vm on my laptop"19:47
kashyapayoung, Yes, of course. :-)19:47
kashyapSorry for being reckless w/ words.19:47
ayoungkashyap, I know you well enough that I figured you had it right19:47
kashyapHmm, I do have a few dev environments on remote f21 VMs. But I just want to see if I can get this VM going locally.19:48
ayoungkashyap, I've a F21 devstack and I have not seen that.  How long ago did you install?19:48
ayoungkashyap, also, what version of the python requests is your system using?19:49
kashyapayoung, The VM? I don't recall, but less than a month ago, and I updated it to F21 completely19:49
ayoungkashyap, unstack and stack,  with the option to reclone19:49
kashyapThat's my ultra small config -  https://kashyapc.fedorapeople.org/virt/openstack/Minimal-DevStack-local.conf19:49
ayoungno, when did you install devstack?19:50
kashyapayoung, RECLONE=yes in local.conf?  That proved detrimental as it was mucking around deleting tracking branches, so I gave it the axe.19:50
lbragstadI'm doing some perusing in our test code. Does anyone know if there is a way to enter a test case (obviously after setUp() has run) do some stuff, and rerun setUp() with config overrides to start keystone differently and then continue on with the same test case?19:50
kashyapayoung, DevStack this afternoon19:50
ayoungexport YUM=dnf  is the only thing suspect19:50
kashyapayoung, It had a FrankenDevStack previously19:50
ayoungthat should be pointing at the same repos19:50
kashyapayoung, Oh, not at all, really? It just gives me 10 minutes of speedup, on the contrary assuming you have all the dependent packages installed.19:51
ayoungkashyap, go with a clean VM if its not too much trouble.19:51
openstackgerritBrant Knudson proposed openstack/keystone: Prefer . to setattr()/getattr()  https://review.openstack.org/16431819:51
kashyapYep, I'll try a bit more before I give up. I already do have a woring env.19:51
kashyapworking*19:51
ayoungis  that warring or whoring?19:51
ayoungAh19:51
kashyap:-) Language please. . .19:52
ayoungYeah...19:52
ayoungDon't tell mismo on me19:52
kashyapOne day, I hope DevStack can be installed w/ no root privs19:52
kashyapThanks all.19:53
*** thedodd has joined #openstack-keystone19:53
dstaneklbragstad: no, that means you are doing it wrong19:54
dstaneklbragstad: i19:54
dstaneklbragstad: i'm guessing because all of our crazy subclassing19:54
lbragstaddstanek: ok, so a better solution would be to create a new test class that inherits the tests that you want to run and makes the same assertions?19:54
*** tqtran_afk is now known as tqtran19:55
dstaneklbragstad: if you need to share the tests, but have different setup then you want a subclass of object to hold the test cases and two different TestCase subclasses that do the right setup19:55
lbragstaddstanek: ok, makes sense19:56
lbragstaddstanek: thanks!19:56
*** stevemar has quit IRC19:56
*** ljfisher has joined #openstack-keystone19:57
*** rushiagr is now known as rushiagr_away19:57
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids  https://review.openstack.org/15007820:00
lbragstaddolphm: so this is neat, http://cdn.pasteraw.com/lt7vpp43jqvcndfzghbylm2rahmgw3320:02
dstaneklbragstad: np20:02
lbragstaddolphm: ^ that is all the test_v3_auth.py:TestAuth tests run with Fernet setup.20:02
dolphmlbragstad: what is token instead?20:02
dstaneklbragstad: byes again?20:03
lbragstaddolphm: token instead?20:03
dolphmlbragstad: type(token)20:03
lbragstaddolphm: the fernet token should be a string20:04
*** iamjarvo has joined #openstack-keystone20:04
dolphmlbragstad: what is it actually?20:04
lbragstaddolphm: let me check20:04
lbragstad(Pdb) type(token)20:08
lbragstad<type 'str'>20:08
lbragstaddolphm: ^20:08
lbragstaddolphm: thats the token type for a v3 token on the validate path20:11
*** gordc has quit IRC20:11
lbragstaddstanek: byes?20:12
*** iamjarvo has quit IRC20:19
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3  https://review.openstack.org/11608120:22
dstaneklbragstad: oops, meant bytes20:27
lbragstaddstanek: gotcha, digging into the test case now20:27
*** henrique_ has quit IRC20:28
lbragstaddstanek: found it...20:28
openstackgerritBrant Knudson proposed openstack/keystone: Cleanup tests don't keep engine  https://review.openstack.org/16434020:28
lbragstaddstanek: in this test case20:29
lbragstadhttps://github.com/openstack/keystone/blob/24bc6a1bf03e0ef71b16b2e973120aa9a8131778/keystone/tests/unit/test_v3_auth.py#L2600-L261020:29
lbragstadthe type(token_id) here is unicode https://github.com/openstack/keystone/blob/24bc6a1bf03e0ef71b16b2e973120aa9a8131778/keystone/auth/plugins/token.py#L3920:30
lbragstadwhich is where it breaks20:30
*** mattamizer has quit IRC20:39
*** ljfisher has quit IRC20:40
*** ljfisher has joined #openstack-keystone20:41
lbragstaddstanek: dolphm actually, when we get auth here, the token_id comes in as a unicode string http://cdn.pasteraw.com/dtvq4wk6bdgmfzlsmic52ovsz0f7wk220:41
lbragstadhttps://github.com/openstack/keystone/blob/24bc6a1bf03e0ef71b16b2e973120aa9a8131778/keystone/auth/controllers.py#L36920:41
*** ljfisher has quit IRC20:43
openstackgerritLin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/14696220:47
*** stevemar has joined #openstack-keystone20:52
*** ChanServ sets mode: +v stevemar20:52
dstaneklbragstad: are you going to try to keep it bytes?20:54
kashyapayoung, I reverted to a VM snapshot (it's super quick on SSDs :-)  )20:54
lbragstaddstanek: I was curious if the test would pass if I wrapped it in str() and it did20:54
lbragstaddstanek: I'm going to push the commit that I have locally to get some eyes on it.20:54
dstanek use six instead of str20:55
ayoungkashyap, make a difference?20:56
*** harlowja has quit IRC21:00
openstackgerritLance Bragstad proposed openstack/keystone: Use existing token test for Fernet tokens.  https://review.openstack.org/16434821:00
lhchengbknudson: I had to cleanup all pyc files to get the test migration working again in my local.21:01
morganfainberglhcheng, migrations and .pycs are finicky21:01
bknudsonlhcheng: I thought I tried that, will give it another go.21:01
lhchengmorganfainberg:  I learned that lesson before, you helped me figure it out last time :P21:02
*** elowing has quit IRC21:03
lhchengbknudson: when you get the chance https://review.openstack.org/#/c/156867/ - this is related to the bug you opened that we had the parent_id included in the token response.21:04
lbragstaddstanek: using https://pythonhosted.org/six/#six.string_types ?21:04
*** raildo has quit IRC21:05
*** harlowja has joined #openstack-keystone21:06
dstaneklbragstad: six.binary_type21:10
*** iamjarvo has joined #openstack-keystone21:14
*** diegows has quit IRC21:14
*** csoukup has quit IRC21:15
*** mattfarina has quit IRC21:15
openstackgerritLance Bragstad proposed openstack/keystone: Use existing token test for Fernet tokens.  https://review.openstack.org/16434821:17
ayoungnkinder, are we ok with Horizon setting the Protocol?21:17
ayoungAnd I still don't see how we are going to keep the IdPs in sync21:18
kashyapayoung, Sorry, was afk - since it rolled back in time, some `dnf update` in progress21:21
*** bknudson has quit IRC21:35
*** iamjarvo has quit IRC21:39
*** iamjarvo has joined #openstack-keystone21:39
*** bknudson has joined #openstack-keystone21:41
*** ChanServ sets mode: +v bknudson21:41
openstackgerritMerged openstack/keystone: Crosslink to other sites that are owned by Keystone  https://review.openstack.org/16149021:41
*** tqtran is now known as tqtran_afk21:44
*** rushiagr_away is now known as rushiagr21:44
*** iamjarvo has quit IRC21:46
*** rwsu has quit IRC22:00
*** harlowja has quit IRC22:04
lbragstadjorge_munoz: I added one more comment here; https://review.openstack.org/#/c/159229/29/keystone/token/providers/fernet/core.py22:04
lbragstadjorge_munoz: which includes the fix that dstanek recommended on my patch22:04
*** gokrokve has quit IRC22:05
*** gokrokve has joined #openstack-keystone22:05
*** harlowja has joined #openstack-keystone22:06
*** gokrokve has quit IRC22:06
*** harlowja has quit IRC22:06
*** gokrokve has joined #openstack-keystone22:06
*** harlowja has joined #openstack-keystone22:06
*** pnavarro|off has quit IRC22:10
jorge_munozlbragstad: ok22:10
nkinderayoung: yeah, that's fine for now22:10
jorge_munozlbragstad: I'll add the change22:11
nkinderayoung: For the single IdP per protocol case, that will work just fine.22:11
nkinderayoung: for the multiple IdP case, I think the discovery service will be needed.22:11
ayoungnkinder, that will have to be in the Lzard release22:14
nkinderayoung: that's fine I think22:14
*** csoukup has joined #openstack-keystone22:15
nkinderayoung: better to have the single IdP case working in Kilo than nothing22:15
ayoungnkinder, I'm trying to get the last patch done, which is the "don't blow up if a mapped group is not in the backend"22:15
ayoungthe code is simple...the test is a PITA22:15
*** henrynash has joined #openstack-keystone22:20
*** ChanServ sets mode: +v henrynash22:20
*** henrynash has quit IRC22:22
*** stevemar has quit IRC22:24
*** chrisshattuck has quit IRC22:26
openstackgerritBrant Knudson proposed openstack/keystone: Refactor sql filter code for clarity  https://review.openstack.org/16436222:32
*** rwsu has joined #openstack-keystone22:33
*** tqtran_afk is now known as tqtran22:42
*** thedodd has quit IRC22:43
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 token response  https://review.openstack.org/15686722:51
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 tenant response  https://review.openstack.org/16436722:51
*** markvoelker has quit IRC22:56
kashyapayoung, Just to tie up the loose end, yes - it did make a difference. Yay, qcow2 snapshots!23:03
*** browne has quit IRC23:03
kashyapHave a nice weekend, all!23:04
lhchengbknudson: ping23:15
*** _cjones_ has quit IRC23:24
*** timcline has joined #openstack-keystone23:26
*** timcline has quit IRC23:28
*** timcline has joined #openstack-keystone23:28
*** david-lyle is now known as david-lyle_afk23:29
*** carlosmarin has quit IRC23:30
*** timcline has quit IRC23:31
*** jaosorior has quit IRC23:32
*** rwsu has quit IRC23:35
*** rwsu has joined #openstack-keystone23:38
*** csoukup has quit IRC23:41
openstackgerritJorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922923:43
*** dimsum__ has quit IRC23:52
*** _cjones_ has joined #openstack-keystone23:53
*** _cjones_ has quit IRC23:55
*** dims_ has joined #openstack-keystone23:55
*** topol has joined #openstack-keystone23:56
*** ChanServ sets mode: +v topol23:56
*** markvoelker has joined #openstack-keystone23:57
*** dims_ has quit IRC23:57
*** dims_ has joined #openstack-keystone23:57
openstackgerritJorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922923:57
*** mattamizer has joined #openstack-keystone23:59
