*** markvoelker has quit IRC | 00:03 | |
*** iamjarvo has joined #openstack-keystone | 00:54 | |
*** iamjarvo has quit IRC | 00:59 | |
*** markvoelker has joined #openstack-keystone | 01:00 | |
*** xianghui has quit IRC | 01:02 | |
*** xianghui has joined #openstack-keystone | 01:04 | |
*** markvoelker has quit IRC | 01:04 | |
*** bandwidth has quit IRC | 01:11 | |
*** diegows has quit IRC | 01:15 | |
*** erkules_ has joined #openstack-keystone | 01:42 | |
*** erkules has quit IRC | 01:44 | |
*** dimsum__ has quit IRC | 01:46 | |
*** lhcheng has joined #openstack-keystone | 01:53 | |
*** markvoelker has joined #openstack-keystone | 02:00 | |
*** archers has joined #openstack-keystone | 02:01 | |
*** markvoelker has quit IRC | 02:05 | |
openstackgerrit | Boris Bobrov proposed openstack/keystone: Limit version of python-memcached https://review.openstack.org/170759 | 02:08 |
*** archers has quit IRC | 02:08 | |
*** dimsum__ has joined #openstack-keystone | 02:46 | |
*** dimsum__ has quit IRC | 02:52 | |
*** chlong has joined #openstack-keystone | 03:00 | |
*** markvoelker has joined #openstack-keystone | 03:01 | |
*** markvoelker has quit IRC | 03:06 | |
*** lhcheng has quit IRC | 03:30 | |
*** angular_mike has quit IRC | 03:33 | |
*** archers has joined #openstack-keystone | 03:45 | |
*** archers has quit IRC | 03:47 | |
*** iamjarvo has joined #openstack-keystone | 03:50 | |
*** iamjarvo has quit IRC | 03:50 | |
*** iamjarvo has joined #openstack-keystone | 03:50 | |
*** markvoelker has joined #openstack-keystone | 04:02 | |
*** iamjarvo has quit IRC | 04:07 | |
*** markvoelker has quit IRC | 04:07 | |
*** alexsyip has joined #openstack-keystone | 04:11 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: WIP - Emit failure notifications for CADF audits events https://review.openstack.org/156905 | 04:22 |
*** lhcheng has joined #openstack-keystone | 04:31 | |
*** lhcheng has quit IRC | 04:35 | |
*** topol has quit IRC | 04:47 | |
*** markvoelker has joined #openstack-keystone | 05:03 | |
*** iamjarvo has joined #openstack-keystone | 05:19 | |
*** iamjarvo has quit IRC | 05:31 | |
*** lhcheng has joined #openstack-keystone | 05:32 | |
*** lhcheng has quit IRC | 05:37 | |
*** lhcheng has joined #openstack-keystone | 05:55 | |
*** alexsyip has quit IRC | 06:20 | |
*** henrynash has joined #openstack-keystone | 06:21 | |
*** ChanServ sets mode: +v henrynash | 06:21 | |
*** ParsectiX has joined #openstack-keystone | 06:38 | |
*** henrynash has quit IRC | 06:39 | |
*** ParsectiX has quit IRC | 06:43 | |
*** jamielennox|away is now known as jamielennox | 06:48 | |
*** ParsectiX has joined #openstack-keystone | 06:55 | |
*** markvoelker has quit IRC | 07:04 | |
openstackgerrit | Merged openstack/python-keystoneclient: Make non-import packages lazy https://review.openstack.org/164066 | 07:06 |
*** markvoelker has joined #openstack-keystone | 08:03 | |
*** markvoelker has quit IRC | 08:08 | |
*** therve has quit IRC | 08:21 | |
*** chlong_ has joined #openstack-keystone | 08:54 | |
*** lhcheng has quit IRC | 08:55 | |
*** chlong has quit IRC | 08:57 | |
*** markvoelker has joined #openstack-keystone | 09:04 | |
*** markvoelker has quit IRC | 09:08 | |
*** lhcheng has joined #openstack-keystone | 09:11 | |
*** lhcheng has quit IRC | 09:25 | |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Add server_default to relay_state_prefix in service_provider model https://review.openstack.org/168947 | 09:29 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Migrate_repo init version helper https://review.openstack.org/137640 | 09:29 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Share engine between migration helpers. https://review.openstack.org/137778 | 09:29 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558 | 09:29 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at. https://review.openstack.org/137639 | 09:29 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 09:29 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table. https://review.openstack.org/137637 | 09:29 |
*** dimsum__ has joined #openstack-keystone | 09:56 | |
*** markvoelker has joined #openstack-keystone | 10:04 | |
*** markvoelker has quit IRC | 10:09 | |
*** chlong_ has quit IRC | 10:41 | |
*** chlong_ has joined #openstack-keystone | 10:58 | |
*** ParsectiX has quit IRC | 11:03 | |
*** chlong_ has quit IRC | 11:05 | |
*** markvoelker has joined #openstack-keystone | 11:05 | |
*** markvoelker has quit IRC | 11:10 | |
samueldmq | morning | 11:10 |
*** diegows has joined #openstack-keystone | 11:18 | |
*** ajayaa has joined #openstack-keystone | 11:24 | |
*** chlong has joined #openstack-keystone | 11:24 | |
*** amakarov_away is now known as amakarov | 11:31 | |
-openstackstatus- NOTICE: gerrit has been restarted to restore event streaming. any change events missed by zuul (between 10:56 and 11:37 utc) will need to be rechecked or have new approval votes set | 11:39 | |
breton | folks, I'd appreciate if someone set an importance to https://bugs.launchpad.net/keystone/+bug/1440493 | 11:44 |
openstack | Launchpad bug 1440493 in Keystone "Crash with python-memcached==1.54" [Undecided,In progress] - Assigned to Boris Bobrov (bbobrov) | 11:44 |
*** jamielennox is now known as jamielennox|away | 11:49 | |
*** diegows has quit IRC | 11:53 | |
*** raildo has joined #openstack-keystone | 12:03 | |
*** markvoelker has joined #openstack-keystone | 12:06 | |
*** htruta has joined #openstack-keystone | 12:06 | |
*** markvoelker has quit IRC | 12:10 | |
*** markvoelker has joined #openstack-keystone | 12:24 | |
*** dimsum__ has quit IRC | 12:25 | |
*** ayoung has joined #openstack-keystone | 12:32 | |
*** ChanServ sets mode: +v ayoung | 12:32 | |
openstackgerrit | Dave Chen proposed openstack/keystone: Fix the typo in `token/providers/fernet/core.py` https://review.openstack.org/170833 | 12:33 |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads https://review.openstack.org/170835 | 12:49 |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads https://review.openstack.org/170835 | 12:50 |
*** dimsum__ has joined #openstack-keystone | 12:51 | |
*** dimsum__ is now known as dims | 13:03 | |
*** straycat is now known as undeadcat | 13:04 | |
dstanek | yay, no travel adapter needed for going to Canada! | 13:08 |
samueldmq | dstanek, nice! o/ | 13:08 |
*** rdo has quit IRC | 13:13 | |
*** rdo has joined #openstack-keystone | 13:15 | |
raildo | dstanek, ping, Do you agree to catch a ProjectNotFound here, and raise a validationError? https://review.openstack.org/#/c/159944/24/keystone/resource/controllers.py? | 13:18 |
raildo | dstanek, and here too: https://review.openstack.org/#/c/158720/9 | 13:18 |
amakarov | dstanek, greetings! | 13:21 |
amakarov | what would you suggest for https://review.openstack.org/#/c/170835 ? | 13:21 |
*** nkinder has quit IRC | 13:21 | |
samueldmq | dolphm, looking at your keystone-deploy again ... | 13:33 |
samueldmq | dolphm, you set 'project' as project_term for v2 and 'tenant' for v3 | 13:34 |
samueldmq | dolphm, https://github.com/dolph/keystone-deploy/blob/master/test_exercises.py#L201-L217 | 13:34 |
dstanek | raildo: yes, i think that's the right thing. if morganfainberg wants this bug then i'd be happy to +A | 13:35 |
*** rdo has quit IRC | 13:35 | |
raildo | dstanek, ok, thanks for the help :) | 13:36 |
*** rdo has joined #openstack-keystone | 13:37 | |
*** ParsectiX has joined #openstack-keystone | 13:37 | |
amakarov | dstanek, ping! | 13:40 |
*** svasheka has joined #openstack-keystone | 13:41 | |
dstanek | amakarov: pong | 13:41 |
amakarov | dstanek, I'm about my patch :) Do you have any suggestion? https://review.openstack.org/#/c/170835/ | 13:42 |
amakarov | the problem is that the workaround won't work anymore. Another one is needed | 13:43 |
dstanek | amakarov: hmm...let me see | 13:43 |
amakarov | dstanek, look at the bug description it solves | 13:43 |
*** bknudson has joined #openstack-keystone | 13:48 | |
*** ChanServ sets mode: +v bknudson | 13:48 | |
*** ParsectiX has quit IRC | 13:51 | |
*** ParsectiX has joined #openstack-keystone | 13:51 | |
*** raildo has quit IRC | 13:53 | |
*** markvoelker has quit IRC | 13:53 | |
*** hogepodge has quit IRC | 13:53 | |
*** x58 has quit IRC | 13:53 | |
*** jamiec has quit IRC | 13:53 | |
*** xianghui has quit IRC | 13:53 | |
*** david-lyle has quit IRC | 13:53 | |
*** lsmola_ has quit IRC | 13:53 | |
*** toabctl has quit IRC | 13:53 | |
*** Qlawy has quit IRC | 13:53 | |
*** raginbajin has quit IRC | 13:53 | |
*** d0ugal has quit IRC | 13:53 | |
*** mkoderer has quit IRC | 13:53 | |
*** kibutzz has quit IRC | 13:53 | |
*** rharwood has quit IRC | 13:53 | |
*** dtroyer has quit IRC | 13:53 | |
*** hockeynut has quit IRC | 13:53 | |
*** krtaylor has quit IRC | 13:53 | |
*** mitz has quit IRC | 13:53 | |
*** mordred has quit IRC | 13:53 | |
*** cyeoh has quit IRC | 13:53 | |
*** mgagne has quit IRC | 13:53 | |
*** adam_g_out has quit IRC | 13:53 | |
*** comstud has quit IRC | 13:53 | |
*** lbragstad has quit IRC | 13:53 | |
*** gus has quit IRC | 13:53 | |
*** ekarlso has quit IRC | 13:53 | |
*** sudorandom has quit IRC | 13:53 | |
*** Trozz has quit IRC | 13:53 | |
*** dolphm has quit IRC | 13:53 | |
*** d34dh0r53 has quit IRC | 13:53 | |
*** dims has quit IRC | 13:53 | |
*** toddnni has quit IRC | 13:53 | |
*** gabriel-bezerra has quit IRC | 13:53 | |
*** sirushti has quit IRC | 13:53 | |
*** gothicmindfood has quit IRC | 13:53 | |
*** ajayaa has quit IRC | 13:53 | |
*** harlowja_away has quit IRC | 13:53 | |
*** trey has quit IRC | 13:53 | |
*** viktors has quit IRC | 13:53 | |
*** junhongl has quit IRC | 13:53 | |
*** raildo has joined #openstack-keystone | 13:54 | |
*** tellesnobrega has quit IRC | 13:54 | |
*** tellesnobrega has joined #openstack-keystone | 13:55 | |
*** dtroyer has joined #openstack-keystone | 13:55 | |
*** hockeynut has joined #openstack-keystone | 13:55 | |
*** krtaylor has joined #openstack-keystone | 13:55 | |
*** mitz has joined #openstack-keystone | 13:55 | |
*** mordred has joined #openstack-keystone | 13:55 | |
*** cyeoh has joined #openstack-keystone | 13:55 | |
*** mgagne has joined #openstack-keystone | 13:55 | |
*** adam_g_out has joined #openstack-keystone | 13:55 | |
*** lbragstad has joined #openstack-keystone | 13:55 | |
*** comstud has joined #openstack-keystone | 13:55 | |
*** gus has joined #openstack-keystone | 13:55 | |
*** ekarlso has joined #openstack-keystone | 13:55 | |
*** sudorandom has joined #openstack-keystone | 13:55 | |
*** Trozz has joined #openstack-keystone | 13:55 | |
*** dolphm has joined #openstack-keystone | 13:55 | |
*** d34dh0r53 has joined #openstack-keystone | 13:55 | |
*** sendak.freenode.net sets mode: +o dolphm | 13:55 | |
*** dims has joined #openstack-keystone | 13:56 | |
*** toddnni has joined #openstack-keystone | 13:56 | |
*** sirushti has joined #openstack-keystone | 13:56 | |
*** gabriel-bezerra has joined #openstack-keystone | 13:56 | |
*** gothicmindfood has joined #openstack-keystone | 13:56 | |
*** edmondsw has joined #openstack-keystone | 13:57 | |
*** markvoelker has joined #openstack-keystone | 13:58 | |
*** hogepodge has joined #openstack-keystone | 13:58 | |
*** x58 has joined #openstack-keystone | 13:58 | |
*** jamiec has joined #openstack-keystone | 13:58 | |
*** richm has joined #openstack-keystone | 13:58 | |
*** xianghui has joined #openstack-keystone | 13:58 | |
*** david-lyle has joined #openstack-keystone | 13:58 | |
*** lsmola_ has joined #openstack-keystone | 13:58 | |
*** toabctl has joined #openstack-keystone | 13:58 | |
*** Qlawy has joined #openstack-keystone | 13:58 | |
*** raginbajin has joined #openstack-keystone | 13:58 | |
*** d0ugal has joined #openstack-keystone | 13:58 | |
*** mkoderer has joined #openstack-keystone | 13:58 | |
*** kibutzz has joined #openstack-keystone | 13:58 | |
*** rharwood has joined #openstack-keystone | 13:58 | |
*** ajayaa has joined #openstack-keystone | 13:58 | |
*** harlowja_away has joined #openstack-keystone | 13:58 | |
*** trey has joined #openstack-keystone | 13:58 | |
*** viktors has joined #openstack-keystone | 13:58 | |
*** junhongl has joined #openstack-keystone | 13:58 | |
*** markvoelker has quit IRC | 14:00 | |
*** hogepodge has quit IRC | 14:00 | |
*** x58 has quit IRC | 14:00 | |
*** jamiec has quit IRC | 14:00 | |
dstanek | amakarov: i can't think of a way to do that right now - it may be that we have to re-implement the __init__ logic | 14:00 |
*** markvoelker has joined #openstack-keystone | 14:01 | |
*** hogepodge has joined #openstack-keystone | 14:01 | |
*** x58 has joined #openstack-keystone | 14:01 | |
*** jamiec has joined #openstack-keystone | 14:01 | |
amakarov | dstanek, tbh if we have a reliable memcache pool we need our own memcache client :) The current pool handles memcache server failures very poorly. | 14:04 |
dstanek | amakarov: i think the plan is to actually get rid of the tummy.com client in L | 14:05 |
amakarov | dstanek, +1 :) for example: https://review.openstack.org/#/c/150844/ | 14:05 |
dstanek | if people are using memcached for token, then they've already lost | 14:06 |
amakarov | dstanek, my patch solves the problem here and now: I admit it's not perfect but allows memcache to be used without version checking (!=1.54) | 14:07 |
*** sigmavirus24_awa is now known as sigmavirus24 | 14:08 | |
amakarov | dstanek, what is your concern about my patch? | 14:09 |
dstanek | amakarov: your patch removes the hack | 14:11 |
*** ParsectiX has quit IRC | 14:11 | |
dstanek | amakarov: you might as well just use the memcache.Client directly instead of creating the subclass | 14:12 |
dstanek | the whole idea of the subclass is that threading.local is no longer in the mro. with your patch i think it's back and that means the locking behavior is back | 14:13 |
amakarov | dstanek, it replaces the hack with the same result: as you can see, it removes all threading.local logic | 14:13 |
amakarov | the same as was before | 14:13 |
dstanek | how does it remove it? | 14:13 |
amakarov | see **object.__dict__ | 14:13 |
amakarov | when the new class is created it uses object's methods instead of local's | 14:14 |
amakarov | all the threading.local overrides are object's methods | 14:14 |
amakarov | and my patch removes the override leaving mro for super() to work | 14:15 |
dstanek | amakarov: it solves the traceback and puts threading.local back ... or am i missing magic somewhere? | 14:15 |
amakarov | dstanek, it returns threading.local to mro - yes, but removes all overrides threading.local does | 14:17 |
amakarov | the last parameter to the type() call is a dict of methods | 14:17 |
*** iamjarvo has joined #openstack-keystone | 14:19 | |
*** nkinder has joined #openstack-keystone | 14:19 | |
dstanek | amakarov: so you are thinking you are overriding the getattribute and friends? i'll have to download the patch to test it out | 14:19 |
amakarov | this dict is made of memcache.Client's methods (including threading.local's), but **object.__dict__ overwrites all, that was changed in inherited classes (threading.local) | 14:20 |
amakarov | dstanek, I've experimented in the python console before writing this patch ) | 14:20 |
dstanek | amakarov: so what happens to the __init__? you would override that too right? | 14:22 |
amakarov | dstanek, http://paste.openstack.org/show/198519/ | 14:22 |
amakarov | dstanek, good point | 14:23 |
* amakarov doublechecking | 14:23 | |
dstanek | amakarov: that's broken | 14:24 |
amakarov | dstanek, correct: __init__ is from object too | 14:24 |
dstanek | amakarov: does this actually work for you locally? | 14:24 |
*** topol has joined #openstack-keystone | 14:24 | |
*** ChanServ sets mode: +v topol | 14:24 | |
amakarov | dstanek, unit-tests... they mock it :) | 14:25 |
amakarov | well, wip then | 14:25 |
dstanek | you could pretty easily construct the dict before making the new type, but i think that implementing the __init__ would be clearer | 14:27 |
dstanek | but i'd be interested to see what others think | 14:27 |
amakarov | dstanek, I'll try to figure something out ) | 14:28 |
*** carlosmarin has joined #openstack-keystone | 14:38 | |
openstackgerrit | Doug Hellmann proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call https://review.openstack.org/170858 | 14:44 |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads https://review.openstack.org/170835 | 14:50 |
amakarov | dstanek, ^^ what about this way? | 14:51 |
openstackgerrit | Henrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3 https://review.openstack.org/116081 | 14:51 |
*** ajayaa has quit IRC | 14:52 | |
dstanek | amakarov: that's probably good, just a few small things to fix | 14:56 |
amakarov | dstanek, ? | 14:56 |
dstanek | i commented on the review | 14:56 |
*** chlong has quit IRC | 15:00 | |
openstackgerrit | Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads https://review.openstack.org/170835 | 15:03 |
amakarov | dstanek, ^^ | 15:03 |
*** packet has joined #openstack-keystone | 15:07 | |
*** zzzeek has joined #openstack-keystone | 15:07 | |
*** packet has quit IRC | 15:20 | |
*** rwsu has joined #openstack-keystone | 15:37 | |
*** gyee has joined #openstack-keystone | 15:45 | |
*** ChanServ sets mode: +v gyee | 15:45 | |
*** david-lyle_ has joined #openstack-keystone | 15:46 | |
raildo | morganfainberg, ping, I saw that the reseller spec was migrated to the backlog, so I don't need to change anything more about this, right? | 15:49 |
morganfainberg | raildo: you need to repropose (move the spec to the liberty directory) as described in my email, include what has been completed for that spec, and use the commit tag in the message indicating it was previously approved for kilo | 15:51 |
*** mattamizer has joined #openstack-keystone | 15:54 | |
*** mattamizer has quit IRC | 15:54 | |
*** _cjones_ has joined #openstack-keystone | 15:56 | |
*** dougwig has left #openstack-keystone | 16:00 | |
*** _cjones_ has quit IRC | 16:01 | |
*** stevemar has joined #openstack-keystone | 16:02 | |
*** ChanServ sets mode: +v stevemar | 16:02 | |
*** iamjarvo has quit IRC | 16:03 | |
*** lhcheng has joined #openstack-keystone | 16:04 | |
*** tqtran has joined #openstack-keystone | 16:04 | |
*** alexsyip has joined #openstack-keystone | 16:09 | |
*** adam_g_out is now known as adam_g | 16:12 | |
*** ajayaa has joined #openstack-keystone | 16:14 | |
raildo | morganfainberg, right, but there isn't a Liberty directory in the keystone specs yet, so I need to create this directory? | 16:25 |
stevemar | raildo, yep | 16:25 |
raildo | stevemar, ok, thanks | 16:26 |
morganfainberg | The priority today and tomorrow is the bugs on https://launchpad.net/keystone/+milestone/kilo-rc1 | 16:29 |
morganfainberg | Please help to review / get them gating. | 16:29 |
morganfainberg | We have 7 left | 16:29 |
morganfainberg | Most should be pretty straightforward. I can remove one or two more if we don't have the majority gating by tonight. | 16:30 |
morganfainberg | Please, please, please prioritize these reviews over new code/other fixes, etc. it is important we have a complete rc list by tomorrow. | 16:32 |
amakarov | https://review.openstack.org/#/c/141854/ is ready and waiting for some time already | 16:32 |
openstackgerrit | Henrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3 https://review.openstack.org/116081 | 16:41 |
*** david-lyle_ has quit IRC | 16:43 | |
*** erkules_ is now known as erkules | 16:47 | |
*** erkules has joined #openstack-keystone | 16:47 | |
*** spandhe has joined #openstack-keystone | 16:47 | |
*** iamjarvo has joined #openstack-keystone | 16:55 | |
*** iamjarvo has quit IRC | 16:55 | |
*** iamjarvo has joined #openstack-keystone | 16:56 | |
*** iamjarvo has quit IRC | 17:01 | |
openstackgerrit | Merged openstack/keystone: Fix the typo in `token/providers/fernet/core.py` https://review.openstack.org/170833 | 17:02 |
morganfainberg | amakarov: I need to run a test but it looks like we won't be doing the token delete from the persistence backend with your new logic. | 17:02 |
*** iamjarvo has joined #openstack-keystone | 17:02 | |
*** iamjarvo has quit IRC | 17:02 | |
*** iamjarvo has joined #openstack-keystone | 17:03 | |
morganfainberg | amakarov: we will only issue the revocation event. That is unfortunately not api compatible, we must also delete the tokens. Which I think means we cannot fix this set of bugs for all cases. | 17:03 |
*** iamjarvo has quit IRC | 17:03 | |
morganfainberg | amakarov: in short, your fix is good, but when the token revocation list is enabled, everything will still need to be revoked. | 17:04 |
amakarov | morganfainberg, well, what if I add token deletion? | 17:04 |
*** iamjarvo has joined #openstack-keystone | 17:04 | |
morganfainberg | amakarov: you can't easily do so, without doing a whole text scan of every token. | 17:04 |
amakarov | morganfainberg, >< | 17:04 |
morganfainberg | amakarov: yeah. I know :( | 17:04 |
morganfainberg | amakarov: let's circle back on this and improve the logic in liberty so we can separate "delete from persistence" and "issue revocation event". | 17:05 |
amakarov | morganfainberg, so it remains a "known issue" until Fernet tokens? | 17:05 |
morganfainberg | Meaning we can solve the issue and make the TRL specifically the problem vs the meshed up set of actions. | 17:06 |
morganfainberg | Known issue when using the TRL. You can turn off using the TRL today and only use revocation events. This issue will be known until liberty and if you use the TRL. | 17:07 |
morganfainberg | amakarov: :(. I like the fix, but we can't break compatibility. | 17:07 |
morganfainberg | amakarov: isolating the issuance of an event from the TRL might even be back portable | 17:07 |
openstackgerrit | Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Move reseller spec for Liberty release https://review.openstack.org/170926 | 17:08 |
morganfainberg | So let's really focus on isolating persistence delete from revocation event in liberty, then we can test having TRL disabled and make sure we don't have this issue. And verify we don't break compat when TRL is enabled. | 17:08 |
morganfainberg | amakarov: with that said, I'm moving the bugs to l-1. We can talk through the change once rc is cut and get a better implementation :) | 17:09 |
morganfainberg | amakarov: and I'm optimistic on the backport for it if we are careful about the fix(es) | 17:10 |
morganfainberg | amakarov: I do appreciate the work you've put in on it. | 17:10 |
amakarov | morganfainberg, ok, so in short: group revocation does not delete tokens from persistence and it causes revoked tokens not to appear in the TRL if one is requested? | 17:10 |
morganfainberg | It looks like with your fix that is the case. | 17:11 |
morganfainberg | The TRL is dumb, it is very limited in what it can revoke (must be an index) | 17:11 |
morganfainberg | Groups and roles are not an index. | 17:11 |
amakarov | morganfainberg, I understand we cannot just drop functionality people rely on | 17:12 |
morganfainberg | Yep. | 17:12 |
amakarov | So can we just deny revocation by group as a temporary solution? | 17:13 |
* amakarov thinks we cannot :( | 17:13 | |
amakarov | morganfainberg, how much time do I have to think about it? | 17:14 |
amakarov | or just postpone it until next release? | 17:15 |
morganfainberg | amakarov: rc is being cut this week. I want everything merged by tomorrow. | 17:15 |
morganfainberg | amakarov: let's postpone and try and do a backport to k/j | 17:15 |
amakarov | morganfainberg, safety first :) | 17:15 |
morganfainberg | amakarov: I think this is a significant enough UX issue that it warrants a backport. But it's also a long standing issue. | 17:16 |
morganfainberg | amakarov: exactly. :) | 17:16 |
amakarov | morganfainberg, I think there is no problem: Horizon guys rate it as low severity | 17:17 |
morganfainberg | Ack. Good to know horizon priority | 17:17 |
amakarov | morganfainberg, more to say: afaik they have their own workaround | 17:18 |
*** ajayaa has quit IRC | 17:18 | |
*** rm_work is now known as rm_work|away | 17:29 | |
samueldmq | breton, ping - you around ? can you give me a hand with DatabaseAlreadyControlledError ? | 17:30 |
*** stevemar has quit IRC | 17:30 | |
*** stevemar has joined #openstack-keystone | 17:31 | |
*** ChanServ sets mode: +v stevemar | 17:31 | |
*** amakarov is now known as amakarov_away | 17:31 | |
ayoung | morganfainberg, so...looking out to the future, one thing that is going to mess us up with Federation is that people are not going to be able to manage the groups coming in. The only way to do fine grained role assignments will be via the mapping, and the domain admins can't yet be trusted to do their own mappings | 17:43 |
ayoung | I think that needs to be brainstormed big time in Vancouver | 17:43 |
samueldmq | breton, I found the workaround in the logs ... TEST_RUN_CONCURRENCY=1 | 17:44 |
samueldmq | breton, thanks | 17:44 |
morganfainberg | ayoung: yep | 17:50 |
ayoung | morganfainberg, I slipped a line to that effect into the planning etherpad | 17:51 |
morganfainberg | ayoung: thanks. | 17:51 |
morganfainberg | 4 bugs for rc. Woo | 17:53 |
*** lhcheng is now known as lhcheng_afk | 17:55 | |
*** undeadcat is now known as straycat | 17:58 | |
ayoung | https://bugs.launchpad.net/keystone/+bug/1435174 morganfainberg so debian is going to keep pimping Eventlet? | 18:01 |
openstack | Launchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Medium,Triaged] | 18:01 |
ayoung | ah...its from the tests... | 18:02 |
openstackgerrit | Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Move reseller spec for Liberty release https://review.openstack.org/170926 | 18:03 |
ayoung | morganfainberg, https://bugs.launchpad.net/keystone/+bug/1261468 looks like a KC bug, not Keystone server. However...domain scoped tokens should probably not have a service catalog associated with them, or at least an SC that matches the one we are planning on putting on unscoped tokens | 18:06 |
openstack | Launchpad bug 1261468 in Keystone "domain-scoped token has "None" for tenant_id replacement" [Medium,In progress] - Assigned to Dave Chen (wei-d-chen) | 18:06 |
ayoung | will add that to the bug report | 18:06 |
morganfainberg | ayoung: it could be filtered at the ksc level but we shouldn't be issuing the subbed urls if the values aren't there to sub in. | 18:07 |
ayoung | morganfainberg, well...right. Hmmm....once we get proper HMT setup, where the domains ARE projects, we'll not have to deal with this, either | 18:08 |
ayoung | OK...I'll give the patch a review | 18:08 |
morganfainberg | Thanks. | 18:08 |
openstackgerrit | Merged openstack/keystone: Document websso setup https://review.openstack.org/164012 | 18:10 |
*** harlowja_away is now known as harlowja | 18:11 | |
ayoung | morganfainberg, +2A. | 18:16 |
morganfainberg | Awesome. | 18:16 |
morganfainberg | I'll circle back on the security one and the other catalog one post coffee. | 18:17 |
morganfainberg | The SSL test case one is a bit odd. Need to bug zigo about that one. | 18:18 |
*** rm_work|away is now known as rm_work | 18:24 | |
*** iamjarvo has quit IRC | 18:27 | |
*** rm_work is now known as rm_work|away | 18:28 | |
*** iamjarvo has joined #openstack-keystone | 18:33 | |
*** rm_work|away is now known as rm_work | 18:34 | |
*** iamjarvo has quit IRC | 18:34 | |
*** iamjarvo has joined #openstack-keystone | 18:34 | |
samueldmq | morganfainberg, I am concerned about migration 067, that merged recently | 18:37 |
samueldmq | morganfainberg, first, why are we dropping that index when we still have it in the table declaration ? | 18:38 |
samueldmq | morganfainberg, https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L402 | 18:38 |
samueldmq | morganfainberg, also, maybe this is not the cause of having 'Database models differs from migrations' | 18:40 |
samueldmq | morganfainberg, I think it is because we create that index as 'ix_actor_id' at 054_add_actor_id_index.py | 18:40 |
morganfainberg | We are iirc dropping the explicit fk index | 18:40 |
samueldmq | morganfainberg, we are dropping all the indexes for role_id from the assignment table, right? | 18:42 |
morganfainberg | Yes role_id | 18:42 |
morganfainberg | Not actor_id | 18:42 |
samueldmq | morganfainberg, I thought we wanted it, since we explicitly add it on 054 | 18:42 |
* samueldmq facepalm | 18:43 | |
morganfainberg | We also drop the fk https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/062_drop_assignment_role_fk.py | 18:43 |
morganfainberg | So the fk-index should be removed. | 18:44 |
samueldmq | morganfainberg, ++ | 18:46 |
*** pnavarro|off has joined #openstack-keystone | 18:48 | |
samueldmq | morganfainberg, are you working on bug #1403539 ? | 18:49 |
openstack | bug 1403539 in Keystone "Can't create both inherited and direct role assignment on same entities" [Medium,In progress] https://launchpad.net/bugs/1403539 - Assigned to Morgan Fainberg (mdrnstm) | 18:49 |
morganfainberg | samueldmq: no. Just was rebasing for you | 18:56 |
samueldmq | morganfainberg, k, I am gonna work on that tonight, thanks | 19:06 |
morganfainberg | Fwiw we need to get that gating today/tomorrow. If I get a chance to solve the issue with pgsql I will today. If not we'll get it dealt with tomorrow after your next pass. | 19:08 |
*** lhcheng_afk is now known as lhcheng | 19:13 | |
samueldmq | morganfainberg, k I will ping you once I am effectively working on this tonight | 19:16 |
*** boris-42 has quit IRC | 19:18 | |
*** uschreiber_ has joined #openstack-keystone | 19:18 | |
*** iamjarvo has quit IRC | 19:23 | |
*** uschreiber_ has quit IRC | 19:23 | |
*** iamjarvo has joined #openstack-keystone | 19:28 | |
raildo | lhcheng, Do you have some time to see my answers here? https://review.openstack.org/#/c/157427/ :) | 19:34 |
lhcheng | raildo: looking | 19:34 |
lhcheng | thought I looked at it this morning, didn't notice the question :) | 19:35 |
lhcheng | raildo: ah, this one : https://review.openstack.org/#/c/157427/38/keystone/resource/core.py ? | 19:36 |
raildo | lhcheng, yeap | 19:36 |
lhcheng | raildo: I missed it, will post a reply. :) | 19:36 |
raildo | lhcheng, thanks | 19:37 |
dstanek | will any of you guys be at pycon? | 19:41 |
morganfainberg | Not I. But I think stevemar will be | 19:42 |
dstanek | yeah, stevemar will be there | 19:43 |
morganfainberg | I couldn't justify being there (not giving a talk etc) | 19:43 |
stevemar | morganfainberg, just say you are PTL, that should be enough | 19:46 |
morganfainberg | stevemar, hah | 19:46 |
bknudson | why have a conference for a single programming language? seems weird. | 19:51 |
dstanek | it's more of a support group | 19:52 |
bknudson | "My name is David Stanek and I use python" | 19:52 |
bknudson | "Hi David" | 19:52 |
lbragstad | lol | 19:52 |
*** Guest48074 is now known as redrobot | 19:55 | |
morganfainberg | "Hi my name is morganfainberg, and I feel violated by the dependency resolution in pip and pypi" | 19:56 |
dstanek | you may need SVU and a therapist | 20:05 |
morganfainberg | dstanek, hehe | 20:07 |
morganfainberg | right?! | 20:07 |
morganfainberg | can we just re-write everything in Go and Rust? | 20:07 |
bknudson | is there a godev conference? | 20:11 |
openstackgerrit | ayoung proposed openstack/oslo.policy: CLI Policy Check tool https://review.openstack.org/170978 | 20:16 |
*** iamjarvo has quit IRC | 20:17 | |
ayoung | Go and Rust? | 20:18 |
morganfainberg | ayoung, going to -1 that cli, but only based on it should be code we can re-use and become an entry-point CLI script | 20:18 |
morganfainberg | ayoung, otherwise i like the ide. | 20:18 |
morganfainberg | idea* | 20:18 |
ayoung | morganfainberg, really I just wanted a publicly available link to it | 20:18 |
ayoung | and why not keep the conversation in Gerrit! | 20:19 |
morganfainberg | ayoung, i will, just letting you know right now :) | 20:19 |
ayoung | entrypoint CLI script is probably the right direction | 20:19 |
ayoung | morganfainberg, I've been running it against the Nova policy file. | 20:20 |
morganfainberg | ayoung, :) | 20:20 |
ayoung | there are so many things I want to change... | 20:21 |
ayoung | is_admin must die | 20:21 |
morganfainberg | ayoung, it's a good idea especially with how complex it is for people to understand policy | 20:21 |
ayoung | I think that, instead, we should provide a way to make an admin user get a token scoped to whatever it is they need to adminify | 20:21 |
morganfainberg | ayoung, and crafting their own. TBH i kind of want policy.json to die.... | 20:21 |
ayoung | the idea that certain tokens can change all things everywhere is evil | 20:21 |
morganfainberg | ayoung, service scoped tokens. | 20:22 |
ayoung | morganfainberg, what I would like to see out of policy.json is a reduction of what we put in there: | 20:22 |
ayoung | it really should be just the bottom role of the inherited-roles tree per api entrypoint | 20:22 |
*** raildo is now known as raildo|away | 20:23 | |
*** iamjarvo has joined #openstack-keystone | 20:24 | |
ayoung | morganfainberg, so I got a public demo of Kerberos / SSSD federation working last Friday. Today it seems to be somewhat degraded | 20:24 |
ayoung | I wrote up the steps here: http://adam.younglogic.com/2015/04/horizon-websso-sssd/ | 20:25 |
ayoung | Let me recheck the demo, but if any of y'all want to see it... | 20:26 |
zigo | morganfainberg: Are you around? | 20:26 |
zigo | How may I help to find out what the issue is? | 20:27 |
richm | stevemar: dtroyer: is there some reason that v2 endpoint create supports --description but not v3? | 20:27 |
*** krtaylor has quit IRC | 20:28 | |
stevemar | richm, it's not in the API http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#endpoints-v3-endpoints | 20:28 |
morganfainberg | zigo, i am not sure where to start here. i'm wondering if it's some lib debian version that is out of sync w/ ubuntu 14.04 | 20:28 |
stevemar | richm, that was created before i was ever a part of keystone :( | 20:28 |
dtroyer | richm: IIRC the v3 API doesn't have it. | 20:28 |
zigo | morganfainberg: Like which lib? | 20:28 |
morganfainberg | zigo, thats where i'm stuck. | 20:28 |
stevemar | dtroyer, ding ding ding | 20:28 |
morganfainberg | zigo, i need to circle back around to that bug today | 20:29 |
zigo | morganfainberg: Mostly, Debian is always leading the way, and Ubuntu lagging behind, so that'd be a new lib version of something. | 20:29 |
* dtroyer drops back into hiding | 20:29 | |
morganfainberg | zigo, i haven't stood up debian in a lonnnng time | 20:29 |
morganfainberg | zigo, so ... | 20:29 |
stevemar | dtroyer, pffft, good luck | 20:29 |
morganfainberg | dtroyer, you can't hide in this channel >.> | 20:30 |
zigo | morganfainberg: Could this be related to Python itself? | 20:30 |
zigo | morganfainberg: Jessie got version 2.7.9. | 20:30 |
morganfainberg | zigo, maybe, or might be a new version of something else | 20:31 |
stevemar | ayoung, in your blog post: s/devdtackbdoes/devstack does | 20:31 |
ayoung | stevemar, thanks | 20:31 |
ayoung | :) | 20:31 |
zigo | morganfainberg: FYI, a full trace is available here: https://kilo-jessie.pkgs.mirantis.com/job/keystone/24/consoleFull | 20:31 |
morganfainberg | ah thanks | 20:31 |
ayoung | stevemar, got the public demo here http://keystone.younglogic.net/project/instances/ | 20:31 |
ayoung | stevemar, lemme know if you want to try it out. I had to rebuild the IPA server | 20:32 |
ayoung | So everyone needs new accounts | 20:32 |
morganfainberg | zigo, oh god | 20:32 |
zigo | !?! | 20:32 |
openstack | zigo: Error: "?!" is not a valid command. | 20:32 |
morganfainberg | zigo, i am scared... i see greenlet stuff | 20:33 |
zigo | Arg! :) | 20:33 |
morganfainberg | zigo, never makes me happy when i see greenlet stuff in tracebacks | 20:33 |
richm | stevemar: dtroyer: sorry, I meant "service create", and it looks like description was added some time after 1.0.1 | 20:33 |
*** krtaylor has joined #openstack-keystone | 20:33 | |
morganfainberg | zigo, there is a reason we're going to drop eventlet ;) that way we don't ever worry about weird interactions. | 20:33 |
ayoung | DIE DIE EVENTLET DIE | 20:33 |
morganfainberg | zigo, i don't think that is the case here. just always makes me uneasy when greenlet ends up in the traceback | 20:33 |
zigo | morganfainberg: I'm really annoyed by Eventlet breaking its own API every 2nd week btw. | 20:34 |
morganfainberg | oooor this might actually be eventlet. | 20:34 |
morganfainberg | ugh | 20:34 |
zigo | The global-requirements.txt regarding this is a huge pain for me. | 20:34 |
morganfainberg | zigo, is this correct: python-eventlet (0.16.1-1~bpo80+1 | 20:35 |
morganfainberg | the version there? | 20:35 |
zigo | morganfainberg: What did you expect? | 20:35 |
zigo | 0.16.1 is what is in the global reqs, no? | 20:35 |
stevemar | ayoung, hook me up with a uname/passwd | 20:35 |
morganfainberg | zigo, i'm making sure i have the correct version when i start poking at this | 20:35 |
ayoung | stevemar, under wat | 20:35 |
ayoung | way | 20:36 |
zigo | -1 <--- means first Debian release, and ~bpo80+1 means backport to Jessie. | 20:36 |
morganfainberg | zigo, just confirming that that was in-fact the version you're hitting (based on the trace you gave me) | 20:36 |
morganfainberg | zigo, ack. | 20:36 |
zigo | So, it's just 0.16.1 in fact. | 20:36 |
morganfainberg | zigo, ok | 20:36 |
morganfainberg | zigo, no extra silly patches etc? | 20:36 |
zigo | morganfainberg: There's only patches in the unit test suite. | 20:37 |
morganfainberg | crap, looks like this is 2.7.9 | 20:37 |
zigo | (I just checked) | 20:37 |
morganfainberg | zigo, thanks | 20:37 |
*** obedmr has joined #openstack-keystone | 20:38 | |
morganfainberg | zigo, can you confirm the version of OpenSSL in jessie? | 20:38 |
zigo | morganfainberg: Could this be related to the removal of SSLv3 in Debian as well? | 20:39 |
morganfainberg | zigo, might be. | 20:39 |
zigo | Jessie has 1.0.1k | 20:39 |
morganfainberg | zigo, though i thought we already addressed this in ubuntu a while back. | 20:39 |
zigo | Well, I believe I did. | 20:39 |
zigo | And each time I saw some SSLv3, it was rather explicit. | 20:40 |
zigo | However, the error here is in self._sslobj.do_handshake() | 20:40 |
morganfainberg | http://www.openwall.com/lists/oss-security/2015/03/14/4 | 20:40 |
obedmr | hi all, question, when setting keystone with HTTPD, what do you do for granting access over /etc/keystone/keystone.conf to the httpd user? adding it to keystone group? or adding keystone to httpd group? or? thank you | 20:40 |
openstackgerrit | Merged openstack/keystone: Don't add unformatted project-specific endpoints to catalog https://review.openstack.org/144860 | 20:41 |
*** pnavarro|off has quit IRC | 20:41 | |
morganfainberg | zigo, i'm thinking this is related to some hack around SNI for OpenSSL that is/isn't/changed in jessie | 20:42 |
morganfainberg | and python 2.7.9 triggers it | 20:43 |
zigo | morganfainberg: I don't even know what SNI is! :) | 20:45 |
morganfainberg | http://en.wikipedia.org/wiki/Server_Name_Indication | 20:45 |
zigo | Oh, that stuff to provide real vhosts over SSL? | 20:45 |
morganfainberg | yeah | 20:46 |
morganfainberg | annnnnd we're down into the icky internals of eventlet | 20:46 |
morganfainberg | *sigh* | 20:46 |
zigo | :/ | 20:46 |
morganfainberg | https://github.com/openstack/keystone/blob/master/keystone/common/environment/__init__.py#L67 | 20:46 |
morganfainberg | https://github.com/openstack/keystone/blob/master/keystone/common/environment/__init__.py#L88 | 20:46 |
zigo | .oO(reading this makes me feel sick indeed...) | 20:47 |
zigo | So, eventlet is embedding the httplib / ssl.py of Python?!? | 20:48 |
zigo | WTF !!! | 20:48 |
morganfainberg | well no. | 20:48 |
morganfainberg | it patches it for greenlet trampoline | 20:48 |
morganfainberg | so you can coroutine/yield | 20:48 |
zigo | Ah... | 20:48 |
zigo | I'm not sure I want to know about all of this! :) | 20:48 |
morganfainberg | fwiw, the docker folks said [similar issue] they recommend a rollback to 2.7.8 :P | 20:49 |
morganfainberg | not an option here | 20:49 |
morganfainberg | . | 20:49 |
bknudson | maybe the ssl tests as they're written aren't worth it | 20:49 |
morganfainberg | i'll bet that if i spin up a jessie node and test w/o eventlet it'll work. | 20:49 |
bknudson | really we just want to know if we set up ssl | 20:49 |
zigo | 20 days from the release of Jessie, indeed, that's not an option. | 20:49 |
bknudson | could do that just as well with mocks. | 20:49 |
zigo | Cause, if you didn't know, the release team announced that Jessie would be out on the 25th of this month. | 20:50 |
morganfainberg | bknudson, doesn't mean this won't break in spectacular ways in debian in production though | 20:50 |
morganfainberg | zigo, i wouldn't recommend rolling back python version | 20:50 |
*** topol has quit IRC | 20:50 | |
morganfainberg | zigo, just saying how docker folks handled it | 20:50 |
bknudson | morganfainberg: that would be a bug in debian. | 20:50 |
zigo | Sure. | 20:50 |
morganfainberg | bknudson, it might be a bug in py2.7.9 | 20:50 |
morganfainberg | bknudson, and 14.04, iirc uses something else | 20:51 |
morganfainberg | bknudson, meaning we'd miss it in gate. | 20:51 |
bknudson | gate should be running with ssl | 20:51 |
bknudson | tls | 20:51 |
morganfainberg | bknudson, this is why i want to chase this before saying "dump the tests out" | 20:52 |
morganfainberg | gyee, can i ask you do to me a huge favor today? | 20:52 |
morganfainberg | bknudson, it might also be an issue with how we generated the cert | 20:53 |
bknudson | morganfainberg: I'd rather mock than rely on how we generated the cert working on every os. | 20:53 |
morganfainberg | bknudson, sure, but if it's just a cert generation error i'm content with saying that mock is the right answer | 20:54 |
morganfainberg | if it is something more systemic ... | 20:54 |
morganfainberg | bknudson, basically i just want to be sure before we change how the tests work. | 20:54 |
morganfainberg | zigo, ok this is my lack of knowing debian... do i just install testing? | 20:57 |
morganfainberg | zigo, is that close enough / what jessie is? | 20:57 |
morganfainberg | zigo, or is there some other magic i need to do. | 20:57 |
zigo | morganfainberg: Jessie currently IS testing, but you will need some more stuff. | 20:58 |
zigo | morganfainberg: Jessie doesn't have Kilo. | 20:59 |
morganfainberg | zigo, not worried about that, going to pull down via git. | 20:59 |
morganfainberg | zigo, unless there are other associated libs that are an issue | 20:59 |
zigo | morganfainberg: http://openstack.alioth.debian.org/ | 20:59 |
zigo | You can use that, if you're ok with using sbuild. | 20:59 |
morganfainberg | zigo, not actually looking to build the package | 21:00 |
morganfainberg | looking to test with a few versions / changes in tree | 21:00 |
zigo | The first bit is for upstream... | 21:00 |
morganfainberg | so i'm going to just run tox | 21:00 |
morganfainberg | isolate to the problematic tests and confirm it's an issue with either the SSL certs or something deeper | 21:00 |
morganfainberg | e.g. version of eventlet | 21:00 |
morganfainberg | or openssl | 21:00 |
zigo | morganfainberg: You can use tox, but I would advise you to just use the packaged stuff if you want to keep the same env. | 21:01 |
morganfainberg | zigo, start with tox and then unwind. if it happens w/ the pip installed / mainline stuff | 21:01 |
morganfainberg | we have a bigger issue :) | 21:01 |
zigo | deb http://kilo-jessie.pkgs.mirantis.com/debian/ jessie-kilo-backports main | 21:01 |
zigo | deb http://kilo-jessie.pkgs.mirantis.com/debian/ jessie-kilo-backports-nochange main | 21:01 |
zigo | deb-src http://kilo-jessie.pkgs.mirantis.com/debian/ jessie-kilo-backports main | 21:01 |
zigo | deb-src http://kilo-jessie.pkgs.mirantis.com/debian/ jessie-kilo-backports-nochange main | 21:01 |
zigo | then apt-get build-dep keystone | 21:01 |
morganfainberg | thanks | 21:02 |
zigo | FYI, schroot is very nice stuff for having throwable envs. | 21:02 |
morganfainberg | and now i get annoyed with installers not letting me skip the "create a non-root account" bit | 21:04 |
zigo | morganfainberg: If we need eventlet 0.17.1 or 0.17.2, I can switch to it. | 21:04 |
* morganfainberg grumbles. "for a stupid one-off VM... just let me skip the extra crap" | 21:04 | |
morganfainberg | really... you can't select regions not your own with netinstall for clock. | 21:05 |
morganfainberg | wow. | 21:05 |
zigo | I guess the gate is currently using 0.17.2, since we have eventlet>=0.16.1,!=0.17.0 in the global reqs. | 21:05 |
* morganfainberg is suddenly saddened by this install. | 21:05 | |
zigo | morganfainberg: Of course you can, but maybe only in the expert mode. | 21:06 |
zigo | I *always* use the expert mode. | 21:06 |
morganfainberg | zigo, even with expert it looks like the netinstall is a little hamstrung | 21:06 |
morganfainberg | zigo, anyways..... no big deal doesn't matter | 21:07 |
zigo | The debian-installer team is really understaffed, be my guest and fix stuff if you have time! :) | 21:07 |
zigo | Nearly nobody cares about contributing to it. | 21:07 |
morganfainberg | zigo, which is sad, because the install is the first experience lots of people have with a distro | 21:07 |
morganfainberg | zigo, but i get it | 21:07 |
morganfainberg | zigo, lets hope this is just "keystone has a bad cert generated" | 21:10 |
morganfainberg | zigo, that is the easiest fix | 21:10 |
zigo | Oh, btw, I managed to get this done for Jessie: http://cdimage.debian.org/cdimage/openstack/testing/ | 21:10 |
morganfainberg | nice! | 21:11 |
zigo | The OpenStack image is now generated at the same time as the ISO images! :) | 21:11 |
zigo | I'm just pointing at it if you want to use that instead of setting-up a distro by hand ... | 21:12 |
morganfainberg | zigo, right now i'm using VMWare | 21:12 |
morganfainberg | so it's a conversion in either case | 21:12 |
morganfainberg | about as much work w/o all the tools to convert raw/qcow over | 21:13 |
morganfainberg | as installing | 21:13 |
zigo | Ah, right, and you'd be annoyed by cloud-init and friends. | 21:13 |
morganfainberg | eh. cloud-init is annoying | 21:13 |
morganfainberg | but it'd be ok | 21:13 |
*** Bsony has joined #openstack-keystone | 21:14 | |
morganfainberg | i've done it before i just would rather just do it the install way so i can multi-task | 21:14 |
openstackgerrit | ayoung proposed openstack/oslo.policy: CLI Policy Check tool https://review.openstack.org/170978 | 21:17 |
ayoung | morganfainberg, there ya go! | 21:18 |
morganfainberg | ayoung, nice | 21:19 |
*** iamjarvo has quit IRC | 21:19 | |
ayoung | morganfainberg, you can test it like this | 21:20 |
ayoung | .tox/py27/bin/policytool --policy /opt/stack/nova/etc/nova/policy.json --access sample_data/auth_v3_token_admin.json --is_admin=true | 21:20 |
*** edmondsw has quit IRC | 21:20 | |
ayoung | morganfainberg, pretty sure the name policytool is going to conflict with something else in the distribution | 21:27 |
morganfainberg | yeah | 21:27 |
*** iamjarvo has joined #openstack-keystone | 21:27 | |
morganfainberg | probably going to need to name it something else | 21:27 |
*** Bsony has quit IRC | 21:28 | |
ayoung | morganfainberg, think its ok to just call it oslo_policy ? | 21:29 |
ayoung | or oslo_policy_tool? | 21:29 |
stevemar | i predict mfisch will ask a question about logging... very very soon | 21:32 |
mfisch | lol | 21:32 |
mfisch | I'm about to commute though, so probably tomorrow morning | 21:32 |
morganfainberg | ayoung, i'd call it oslo-policytool probably | 21:33 |
morganfainberg | ... | 21:34 |
morganfainberg | /usr/bin/ld: cannot find -lz | 21:34 |
morganfainberg | really | 21:34 |
morganfainberg | REALLY?! | 21:34 |
morganfainberg | so bloody useful | 21:34 |
ayoung | morganfainberg, so, hyphens are problematic, and I'ma call it oslopolicy | 21:35 |
morganfainberg | ayoung, hyphens are problematic in python, not in bash :P | 21:35 |
morganfainberg | ;) | 21:35 |
ayoung | morganfainberg, and setup.cfg is python and hates me | 21:35 |
morganfainberg | zigo: http://paste.openstack.org/show/198827/ | 21:36 |
zigo | morganfainberg: When building what? | 21:36 |
morganfainberg | lxml | 21:36 |
zigo | morganfainberg: How come you're rebuilding lxml? | 21:37 |
morganfainberg | tox | 21:37 |
zigo | !!! | 21:37 |
openstack | zigo: Error: "!!" is not a valid command. | 21:37 |
*** iamjarvo has quit IRC | 21:37 | |
morganfainberg | it is building python-lxml | 21:37 |
morganfainberg | it's how this all works | 21:37 |
zigo | morganfainberg: You're missing libgzip dev or something. | 21:37 |
morganfainberg | yeah | 21:38 |
zigo | -lz ... | 21:38 |
morganfainberg | thats what i'm trying to figure out which one i'm missing | 21:38 |
* morganfainberg facepalms | 21:38 | |
morganfainberg | there is a reason i don't do packaging ;) | 21:38 |
zigo | apt-get install zlib1g-dev | 21:38 |
zigo | That's one of the very few libs which has a name that doesn't start with lib. | 21:39 |
morganfainberg | zigo, yeah | 21:39 |
zigo | I believe we have that one and the libc6, and that's it. :) | 21:39 |
morganfainberg | zigo, was trying to find it. keep forgetting how it ends up getting named. | 21:39 |
* morganfainberg hides in the "I'm not a system-engineer/devops/sysadmin" corner | 21:40 | |
* morganfainberg tries to forget said past life. | 21:40 | |
zigo | I still think it's nonsense to rebuild lxml from source. | 21:41 |
morganfainberg | zigo, that is how tox/pip works | 21:41 |
morganfainberg | zigo, by default | 21:41 |
zigo | tox is slowly becoming FreeBSD /usr/ports... | 21:41 |
morganfainberg | zigo, slowly? | 21:41 |
zigo | :) | 21:42 |
zigo | make world ... | 21:42 |
morganfainberg | emerge world | 21:42 |
* morganfainberg hides the gentoo-ism under the rug | 21:42 | |
zigo | Well, Gentoo has maintained packages, I can't say the same thing for FreeBSD. :0 | 21:42 |
morganfainberg | zigo, sooooortof maintained | 21:43 |
zigo | BTW, has anyone ever tried OpenStack on Gentoo? | 21:43 |
zigo | :) | 21:43 |
morganfainberg | don't tempt fate man | 21:43 |
morganfainberg | seriously | 21:43 |
morganfainberg | "bug: this doesn't work on gentoo" = "mark bug as closed 'not only I won't fix, but I'm laughing the whole way'" | 21:44 |
zigo | :) | 21:47 |
bknudson | hard to believe we can't get rid of the lxml requirement. | 21:49 |
dstanek | is it optional now that only federation needs it? | 21:49 |
bknudson | it's in test-requirements.txt for federation tests. | 21:50 |
stevemar | yeah, it's only for the tests | 21:51 |
*** dims has quit IRC | 21:52 | |
sigmavirus24 | morganfainberg: zigo actually there is someone who maintains packages for Gentoo | 21:53 |
* sigmavirus24 knows all of the people who make really bad life decisions | 21:53 | |
morganfainberg | sigmavirus24, hahah | 21:53 |
zigo | sigmavirus24: I know, and I'm a bit curious about it. | 21:53 |
sigmavirus24 | zigo: they swear the packages work | 21:54 |
*** dims has joined #openstack-keystone | 21:54 | |
*** dims has quit IRC | 21:54 | |
*** dims has joined #openstack-keystone | 21:55 | |
*** carlosmarin has quit IRC | 21:55 | |
dstanek | sigmavirus24: everyone thinks their crap works | 22:00 |
sigmavirus24 | dstanek: bingo | 22:00 |
dstanek | do i get a prize? | 22:01 |
sigmavirus24 | nope | 22:01 |
stevemar | fwiw, doesn't look like pysaml2 requires lxml either, https://github.com/rohe/pysaml2/blob/master/setup.py#L25-L34 | 22:03 |
morganfainberg | zigo, oh FFS. | 22:04 |
morganfainberg | zigo, eventlet explicitly sets context to SSLv23_METHOD | 22:04 |
morganfainberg | with no way to override. | 22:04 |
zigo | !!! | 22:04 |
openstack | zigo: Error: "!!" is not a valid command. | 22:04 |
zigo | There we go ... | 22:04 |
morganfainberg | ugh | 22:04 |
zigo | Good catch. | 22:04 |
dstanek | stevemar: it looks like it needs either that or elementtree https://github.com/rohe/pysaml2/blob/master/src/saml2/__init__.py | 22:04 |
zigo | morganfainberg: I may patch eventlet if needed. | 22:05 |
zigo | morganfainberg: Where does it do that? | 22:05 |
morganfainberg | hmmm | 22:05 |
morganfainberg | wait a sec. | 22:05 |
morganfainberg | try/except/else ... brain not working | 22:05 |
morganfainberg | that means try and if we don't get an exception do the else? | 22:05 |
morganfainberg | zigo, it's deeeeeep in eventlet | 22:06 |
morganfainberg | http://paste.openstack.org/show/198839/ | 22:06 |
zigo | morganfainberg: Where's that code? | 22:06 |
morganfainberg | eventlet.convenience | 22:06 |
morganfainberg | but basically we can pass anything we damn well please to the wrap_ssl | 22:06 |
morganfainberg | and it doesn't care | 22:06 |
morganfainberg | wow this is naive code | 22:07 |
morganfainberg | let me make sure i have the newest eventlet | 22:07 |
morganfainberg | 0.17.1 | 22:08 |
morganfainberg | should be new enough | 22:08 |
morganfainberg | nothing changed | 22:08 |
zigo | morganfainberg: There's a 0.17.2 in PyPi. | 22:08 |
morganfainberg | not materially different | 22:08 |
morganfainberg | let me poke at the HTTPSConnection to make sure we're ok | 22:08 |
morganfainberg | but basically, the server is set to use v2/v3 hard coded so the client is just doing the sane thing | 22:09 |
morganfainberg | and using v3 | 22:09 |
morganfainberg | well httplib.HTTPSConnection | 22:09 |
morganfainberg | afaict | 22:09 |
morganfainberg | this is a rabbit hole | 22:09 |
morganfainberg | annnnd httpsconnection can't force ssl versions | 22:10 |
morganfainberg | w.t.f.f. | 22:10 |
morganfainberg | let me change that value in eventlet and see if it solves the issue | 22:11 |
bknudson | SSLv23 typically means it allows all SSL protocols | 22:11 |
morganfainberg | bknudson, and debian explicitly disallows v3 | 22:12 |
stevemar | dstanek, that's the standard lib, xml | 22:12 |
stevemar | not lxml | 22:12 |
morganfainberg | and then httpconnection goes "oh you claim to support this" and bails out | 22:12 |
bknudson | python really doesn't have a way to say all protocols but v3. | 22:13 |
morganfainberg | because debian has no support for v3 built into the OpenSSL bin | 22:13 |
bknudson | requires some newer python | 22:13 |
morganfainberg | i'm looking at forcing TLS v1_2 | 22:13 |
zigo | morganfainberg: As far as I know, SSLv23 is ok with Debian. | 22:13 |
morganfainberg | since that is the recommendation, or at least v1.1 | 22:13 |
zigo | It shouldn't just break ... | 22:13 |
morganfainberg | zigo, it's an issue with the eventlet allowing v3 and advertising it on the server side and the client being unable to use it | 22:14 |
morganfainberg | or not | 22:14 |
morganfainberg | hm. | 22:14 |
morganfainberg | maybe it's httplib side | 22:14 |
morganfainberg | anyway | 22:14 |
morganfainberg | this is debian ripped out support for something and things don't play nice without that support | 22:15 |
zigo | In Debian, we *explicitly* patched OpenSSL to *remove* SSLv3 support, for damned good security reasons. | 22:15 |
morganfainberg | and they successfully broke things | 22:15 |
zigo | Right. | 22:15 |
zigo | But for good. | 22:15 |
bknudson | what does SSLv23 give you when SSLv3 is disabled? | 22:15 |
bknudson | and, I assume SSLv2 | 22:16 |
bknudson | There's a table here: https://docs.python.org/2/library/ssl.html#ssl.wrap_socket | 22:16 |
morganfainberg | zigo, removing support in incompatible ways for "damn good reasons" is still an awful way of doing things | 22:16 |
morganfainberg | zigo, especially when it horribly breaks stuff | 22:16 |
zigo | morganfainberg: What's broken, IMO, is to still support known bad protocols. | 22:16 |
zigo | That is what is horrible. | 22:17 |
morganfainberg | zigo, the answer is using python3 | 22:17 |
morganfainberg | zigo, i'm looking at what we can do to fix this... but it's going to bite us again | 22:17 |
morganfainberg | somewhere | 22:17 |
zigo | You'll see, there's going to be soon some new exploit due to SSLv3, and Debian won't have the issue ... :) | 22:17 |
bknudson | does keystone start and TLS works on debian? | 22:17 |
morganfainberg | bknudson, not with eventlet afaict | 22:17 |
morganfainberg | bknudson, eventlet is just broken. | 22:18 |
bknudson | or is it just the tests that fail? | 22:18 |
zigo | bknudson: TLS is what everyone should be using, yes, not the stupid SSLv3 which is completely backward old. | 22:18 |
bknudson | morganfainberg: you can't run any eventlet server on debian? | 22:18 |
morganfainberg | bknudson, i think eventlet is unable to specify what versions it uses | 22:18 |
morganfainberg | bknudson, so if the client is stupid and uses v3 and your one debian you're effed | 22:18 |
morganfainberg | s/one/on | 22:18 |
bknudson | what client is using sslv3 only? | 22:19 |
morganfainberg | bknudson, reason #121022314441 not to terminate SSL in eventlet | 22:19 |
zigo | Oh, so does this means that, by default, on non-debian systems, the client will end up using sslv3 ??? | 22:19 |
morganfainberg | bknudson, eventlet patched httplib | 22:19 |
zigo | That's a HUGE security concern then! | 22:19 |
morganfainberg | zigo, if it is allowed. | 22:19 |
morganfainberg | zigo, if you don't advertise it (e.g. disable in your ssl terminator) it should be fine | 22:19 |
bknudson | it's python, we can monkeypatch it. | 22:19 |
zigo | morganfainberg: But what you're saying is that it's going to be the default? | 22:20 |
morganfainberg | zigo, it's a dumb default that is impacted by a monkeypatched httplib from eventlet | 22:20 |
morganfainberg | zigo, so in *most* cases you'd never hit this | 22:20 |
morganfainberg | you know... unless you're running something in a server patched with eventlet | 22:20 |
bknudson | morganfainberg: where are you seeing this? | 22:20 |
morganfainberg | bknudson, this is digging through eventlet's code | 22:21 |
zigo | morganfainberg: So, basically, you're saying that we could have a man-in-the-middle downgrade attack? | 22:21 |
morganfainberg | the failure *looks* to be that eventlet wrap explicitly wraps v23 | 22:21 |
morganfainberg | and the httplib.HTTPConnection is also patched | 22:21 |
morganfainberg | when you monkey patch eventlet in | 22:21 |
bknudson | wraps v23 so that it only uses sslv3? | 22:21 |
morganfainberg | bknudson, nah | 22:22 |
morganfainberg | bknudson, this should impact only cases where you terminate SSL in eventlet | 22:22 |
*** sigmavirus24 is now known as sigmavirus24_awa | 22:22 | |
morganfainberg | *and* use patched eventlet httpsconnection | 22:22 |
morganfainberg | afaict | 22:22 |
* morganfainberg is still chasing a rabbit down a hole here | 22:22 | |
dstanek | stevemar: hmmm...i read that as lxml. looks like i need a break | 22:23 |
morganfainberg | bknudson, this comes down to httplib being dum,b | 22:23 |
morganfainberg | dumb* | 22:23 |
bknudson | morganfainberg: doesn't get much dumber than not supporting TLS | 22:23 |
stevemar | dstanek, you had me concerned there for a minute | 22:24 |
zigo | morganfainberg: SSLv23 means that TLSv1 can be used, right? | 22:24 |
dstanek | morganfainberg: bknudson: i was having problems on debian using our bundled test certs and the openssl command line tools | 22:24 |
morganfainberg | zigo, yeah it should | 22:24 |
bknudson | dstanek: did it work with other certs? | 22:24 |
morganfainberg | can a cert say "no sslv3"? | 22:25 |
morganfainberg | or TLSv1+ only? | 22:25 |
morganfainberg | afaict protocol is not in the purview of the cert itself | 22:25 |
morganfainberg | it's under the terminator (e.g. apache) | 22:25 |
zigo | Yeah, that's what I believe as well. | 22:26 |
zigo | Certs have other issues (like type of hash and so on...) | 22:26 |
morganfainberg | i mean: https://wiki.openstack.org/wiki/OSSN/OSSN-0039 | 22:26 |
morganfainberg | The OpenStack services and python clients do not currently have a configuration option for the SSL/TLS protocol version. Therefore, the best way to avoid SSLv3 with OpenStack code today is to ensure that the underlying SSL/TLS library (OpenSSL in this case) is compiled without SSLv3 support, as described above. | 22:27 |
morganfainberg | which debian does | 22:27 |
zigo | morganfainberg: Are you using keystone over WSGI? Or are you using the keystone daemon? | 22:27 |
morganfainberg | and things break. | 22:27 |
morganfainberg | zigo, this is in eventlet like our tests run | 22:27 |
morganfainberg | annnd: https://bugs.launchpad.net/keystone/+bug/1381365 | 22:28 |
openstack | Launchpad bug 1381365 in Keystone "SSL Version and cipher selection not possible" [Wishlist,Confirmed] | 22:28 |
morganfainberg | no options in eventlet | 22:28 |
zigo | I'm quite sure there are the same issues in other daemons. | 22:29 |
morganfainberg | so | 22:29 |
morganfainberg | i think the answer is we rip out these tests | 22:29 |
zigo | I haven't reported it, but I clearly remember I saw it not only in keystone. | 22:29 |
morganfainberg | and stand by "don't terminate SSL in eventlet" | 22:29 |
bknudson | if you want a secure configuration you're not going to be running keystone-all. | 22:29 |
morganfainberg | bknudson, exactly | 22:29 |
morganfainberg | ok | 22:29 |
zigo | Well, in that case, kill keystone-all ! | 22:29 |
morganfainberg | so i'm ok ripping out these tests... or at least marking them with @wip so we can move them to the functional suite | 22:30 |
morganfainberg | zigo, working on it | 22:30 |
zigo | Providing something which is broken is very dangerous. | 22:30 |
morganfainberg | zigo, M-cycle slated for release | 22:30 |
morganfainberg | zigo, can't remove it without deprecation | 22:30 |
morganfainberg | zigo, and it isn't "broken" | 22:30 |
*** _cjones_ has joined #openstack-keystone | 22:30 | |
zigo | Ok. | 22:30 |
zigo | Fair enough. | 22:30 |
bknudson | you can't run it on an untrusted network. | 22:30 |
morganfainberg | bknudson, and we say as much | 22:30 |
morganfainberg | ok so i'll patch out these tests with @wip | 22:30 |
morganfainberg | so we can keep them for functional (we should support them against apache when/if ssl is configured) | 22:31 |
morganfainberg | actually... i'm going to skip_test them | 22:31 |
zigo | morganfainberg: Just make sure you provide enough comments to explain why it's still @wip ... | 22:31 |
morganfainberg | since behavior will be different on different platforms | 22:31 |
morganfainberg | zigo, oh don't worry there will be a massive comment here. | 22:31 |
morganfainberg | bknudson, you good with this approach? | 22:31 |
zigo | BTW, I still like having HTTP daemons with services. | 22:32 |
zigo | I don't really care about encryption, but having the daemons is useful. | 22:32 |
bknudson | morganfainberg: I'm fine with skipping the tests as a fix... can always revisit. | 22:32 |
zigo | Everyone uses Apache/Nginx/HAProxy anyway. | 22:32 |
morganfainberg | bknudson, cool. | 22:32 |
*** Bsony has joined #openstack-keystone | 22:34 | |
zigo | morganfainberg: Please make sure to add me on the review, so that I get the link to it, so I can include that when reporting against other openstack projects. | 22:36 |
dstanek | bknudson: I didn't try any other certs. just the bundled and the ones created by our gen script | 22:39 |
bknudson | dstanek: did the certs generated by the gen script work? | 22:39 |
*** __afazekas has quit IRC | 22:39 | |
*** Bsony has quit IRC | 22:39 | |
dstanek | nope | 22:40 |
dstanek | there was a message about an error from the server output. no real details though | 22:41 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Skip SSL tests because some platforms do not enable SSLv3 https://review.openstack.org/171001 | 22:44 |
*** sigmavirus24_awa is now known as sigmavirus24 | 22:45 | |
morganfainberg | zigo, bknudson, ^ | 22:45 |
bknudson | morganfainberg: I thought it was only the 2-way tests that didn't work? | 22:46 |
morganfainberg | bknudson, 1-way tests also were failing | 22:46 |
bknudson | test_2way_ssl_fail probably passed. | 22:47 |
morganfainberg | not according to https://kilo-jessie.pkgs.mirantis.com/job/keystone/24/consoleFull | 22:47 |
zigo | morganfainberg: Cheers! Bookmarked, and I'll add it to Keystone beta 3 tomorrow first thing in the morning. | 22:47 |
morganfainberg | bknudson, oh 2way fail? | 22:47 |
morganfainberg | haha | 22:47 |
morganfainberg | yeah | 22:47 |
morganfainberg | maybe | 22:47 |
zigo | morganfainberg: Do you know when the next RC will be out? | 22:47 |
morganfainberg | zigo, RC is slated for this week | 22:48 |
morganfainberg | zigo, rc1 | 22:48 |
zigo | Cool. | 22:48 |
bknudson | there's 4 failures and 5 tests... was wondering what passed. | 22:48 |
zigo | I might as well be lazy and just wait then! :) | 22:48 |
morganfainberg | bknudson, probably the failure test | 22:48 |
morganfainberg | bknudson, :P | 22:48 |
morganfainberg | or test_2way_ssl_with_ipv6_ok | 22:48 |
bknudson | FAIL: keystone.tests.unit.test_ssl.SSLTestCase.test_2way_ssl_with_ipv6_ok according to https://bugs.launchpad.net/keystone/+bug/1435174 | 22:49 |
openstack | Launchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Medium,In progress] - Assigned to Morgan Fainberg (mdrnstm) | 22:49 |
morganfainberg | so probably the "failure" case succeeded | 22:49 |
morganfainberg | anyway | 22:49 |
morganfainberg | we're getting rid of eventlet | 22:50 |
zigo | Ok, will test tomorrow then. | 22:50 |
morganfainberg | zigo, ran on a jessie install locally | 22:50 |
zigo | If I still get some FAILED, I'll let you know in the bug report. | 22:50 |
morganfainberg | should be good | 22:50 |
zigo | Cool. | 22:50 |
bknudson | zigo: failed SSL tests? they're all skipped now. | 22:51 |
*** nkinder has quit IRC | 22:51 | |
zigo | Yeah. | 22:51 |
zigo | Got that point! :) | 22:51 |
morganfainberg | bknudson, yeah "if", don't think there will be more based on the build log | 22:51 |
*** markvoelker has quit IRC | 22:52 | |
*** devlaps has joined #openstack-keystone | 22:59 | |
*** topol has joined #openstack-keystone | 23:06 | |
*** ChanServ sets mode: +v topol | 23:06 | |
*** jamielennox|away is now known as jamielennox | 23:07 | |
*** bknudson has quit IRC | 23:10 | |
*** chlong has joined #openstack-keystone | 23:10 | |
*** henrynash has joined #openstack-keystone | 23:10 | |
*** ChanServ sets mode: +v henrynash | 23:10 | |
*** henrynash has quit IRC | 23:10 | |
*** _cjones_ has quit IRC | 23:13 | |
*** topol has quit IRC | 23:18 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 23:21 | |
*** _cjones_ has joined #openstack-keystone | 23:24 | |
*** markvoelker has joined #openstack-keystone | 23:27 | |
*** obedmr has left #openstack-keystone | 23:31 | |
*** markvoelker has quit IRC | 23:53 | |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!