Monday, 2015-05-11

*** dimsum__ has joined #openstack-keystone		00:06
*** dimsum__ has quit IRC		00:14
*** dimsum__ has joined #openstack-keystone		00:39
*** trey has joined #openstack-keystone		00:43
*** fhubik_lunch has joined #openstack-keystone		01:01
*** lsmola_ has joined #openstack-keystone		01:01
openstackgerrit	Jamie Lennox proposed openstack/keystone: Make Pecan the root routing framework https://review.openstack.org/65428	01:03
*** fhubik_afk has quit IRC		01:04
*** lsmola has quit IRC		01:04
*** lsmola_ has quit IRC		01:11
*** fhubik_lunch has quit IRC		01:11
*** fhubik_lunch has joined #openstack-keystone		01:11
*** fhubik_lunch is now known as fhubik_afk		01:11
mordred	jamielennox: well, _they_ have an endpoint - but so far I've never been able to get keystone to work like the other services	01:12
*** ericksonsantos has quit IRC		01:12
mordred	jamielennox: let me try a fwe things and see if they help ...	01:12
jamielennox	mordred: my first suggestion is to print the service catalog and make sure what you're asking for lines up	01:13
mordred	jamielennox: I'm not asking for anything ... I'm trying two different ways ...	01:13
mordred	jamielennox: one is "openstack project list" with all the env vars set	01:13
mordred	jamielennox: the other is using http://git.openstack.org/cgit/openstack-infra/shade/tree/shade/__init__.py#n384 to get a client, which calls this: http://git.openstack.org/cgit/openstack-infra/shade/tree/shade/__init__.py#n706	01:14
mordred	to get the endpoint I pass to the ksc Client constructor - and then trying to run kscclient.projects.list()	01:15
mordred	both fail with the admin interface error, even though I do not pass in anything requesting the admin url in either case	01:15
*** ericksonsantos has joined #openstack-keystone		01:16
jamielennox	mordred: what does "openstack catalog list" show?	01:17
jamielennox	is there an endpoint there for identity at all?	01:17
mordred	jamielennox: yup. although it _Does_ have a different region	01:19
mordred	\| \| identity \| center \|	01:20
mordred	\| \| \| public: https://identity.api.ustack.com \|	01:20
jamielennox	it should only matter if you are asking for a region	01:21
mordred	well, I have a region configured in clouds.yaml	01:21
mordred	one sec - let me try with that region specified	01:21
jamielennox	if you say i want to be in region X it will only put it in that region, if you don't specify a region it will use whatever it can	01:21
mordred	nope	01:21
mordred	keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound: admin endpoint for identity service not found	01:21
mordred	even with center listed as region	01:21
jamielennox	is there an admin?	01:21
jamielennox	you should public in your excert	01:22
mordred	no idea. it's a public cloud	01:22
mordred	I do	01:22
mordred	everything in my code requests public	01:22
jamielennox	s/should/show	01:22
mordred	I think something in ksc is asking for admin even though I request public	01:22
mordred	but I think tht's because:	01:22
mordred	endpoint = self.keystone_session.get_endpoint(	01:22
mordred	interface=ksc_auth.AUTH_INTERFACE)	01:22
jamielennox	yea, it was one of those compatibility things that ksc always did with admin rather than public which we couldn't change	01:23
mordred	normally I'd do "get_endpoint('identity', interface='public')	01:23
mordred	gross	01:23
jamielennox	this is part of the reason for ksa, then a new ksc	01:23
jamielennox	so AUTH_INTERFACE isn't actually oging to the catalog, it's saying use the url you provided for auth - OS_AUTH_URL	01:23
jamielennox	because there are some things we need to ask when we only have an unscoped token	01:24
jamielennox	if you specify interface=public does it work?	01:24
mordred	it does not	01:24
mordred	(just tried)	01:25
*** lsmola_ has joined #openstack-keystone		01:25
mordred	jamielennox: http://paste.openstack.org/show/219395/	01:26
mordred	is what the catalog shows around identity when I just yaml the catalog	01:26
mordred	so, if I say "type='identity', interface='public'" - it returns https://identity.api.ustack.com as you'd expect -and then when I call ksc.projects.list() I still get: keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound: admin endpoint for identity service not found	01:27
jamielennox	mordred: so somewhere something is not getting the message for the public interface	01:28
jamielennox	my next step would be put a pdb statement in the get_endpoint function and see what's calling it with the wrong params	01:29
mordred	well, get_endpoint is returning the right thing	01:29
mordred	I dont thin kthat's actually making it into the guts ot ksc	01:29
mordred	of	01:29
jamielennox	it's saying though: admin endpoint for identity service not found	01:30
jamielennox	so something is still asking for admin	01:30
mordred	yah - but that's coming from inside of the traceback for projects.list() - when I do the "get_endpoint()" call myself before passing the return value into the ksc Client constructor, it's returning the expected value ... so for some reason ksc is ignoring the endpoint I'm passing to it and asking for one itself	01:31
jamielennox	mordred: http://git.openstack.org/cgit/openstack-infra/shade/tree/shade/__init__.py#n381	01:31
jamielennox	so there you probably want to specify interface=(whereever you get interface from)	01:31
mordred	ah- ok. lemme try	01:32
jamielennox	possibly region_name as well	01:32
mordred	woot!	01:32
mordred	keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action, identity:list_user_projects. (HTTP 403)	01:32
mordred	that's better	01:32
mordred	so - for the other Client objects, I pass endpoint_type to keystone_session.get_endpoint() - but it seems for identity I also need to pass it to the Client constructor	01:33
mordred	cool - I've learned something	01:33
*** markvoelker has quit IRC		01:35
*** markvoelker has joined #openstack-keystone		01:36
jamielennox	mordred: so you are calling get_endpoint manually for the other clients?	01:36
mordred	jamielennox: nope. just for keystone	01:37
*** markvoelker has quit IRC		01:37
mordred	shade.exc.OpenStackCloudException: Error constructing keystone client: Not enough information to determine URL. Provide either auth_url or endpoint	01:38
mordred	that's what happens if I don't call get endpoint	01:38
jamielennox	mordred: so the same rules should apply for all the clients, you should need to pass interface to them all	01:38
jamielennox	oh, yuk, yea, i know that issue	01:38
jamielennox	need to fix that	01:38
jamielennox	really i'd just use keystoneclient.v2_0.client or v3.client directly	01:39
mordred	hrm. I may be broken for non-public endpoint too	01:39
mordred	well, but I don't know which version	01:39
jamielennox	fair enough, yes, you shouldn't really need to pass auth_url to the basic client	01:40
mordred	especially if I have a session, yeah?	01:40
jamielennox	that was made pre-session stuff and it's because it needed to know where to go to do discovery	01:40
mordred	but ... should I be passing endpoint_type to the session constructor?	01:41
jamielennox	no, it won't accept it	01:41
mordred	awesome. then I should pass it along with the session object to individual client constructors?	01:41
jamielennox	yes - all of them should accept it	01:41
mordred	ok	01:41
mordred	cool	01:41
mordred	well, not that it matters here, but I am doing that wrong and will fix	01:42
jamielennox	mordred: so the pattern is that session and auth should be able to be reused between any number of clients that may do different things with regions and endpoints etc	01:42
jamielennox	in ksc we have adapter: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/adapter.py	01:43
jamielennox	clients construct an adapter around a session which is like the local client state	01:43
mordred	rght - but in my model I'm creating a session up front and passing it to one or more clients, yeah?	01:43
jamielennox	yep	01:44
mordred	the confusing part is which thing owns which piece of data	01:44
mordred	like, why I'd pass endpoint_type to Client rather than session - but I'm learning each one by rote :)	01:44
jamielennox	yep, essentially if you passed an interface or region to session or auth you would be imposing that region on every client that made use of the session/auth	01:44
mordred	gotcha	01:45
*** Jarot has joined #openstack-keystone		01:45
mordred	so - fwiw - ironicclient and glanceclient still seem to want me to get an endpoint and pass it in	01:46
jamielennox	so we have to put it on client, and i've at least been trying to standardize the options that each of those clients take	01:46
mordred	the others seem fine with me passing in a session and figuring out the endpoint themselves	01:46
jamielennox	i didn't know about ironicclient, but glanceclient i knew	01:46
jamielennox	glanceclient is different to the others	01:46
mordred	of course it is	01:46
jamielennox	i've had patches up for a while, but you know... slow	01:46
mordred	because bong	01:46
mordred	jamielennox: ironicclient doesn't support session at all	01:47
jamielennox	ergh,	01:47
jamielennox	i did some stuff server side on ironic but i've never had much to do with that one	01:47
jamielennox	server side was a mess	01:47
mordred	jamielennox: this is what I'm thinking based on this conversation: http://paste.openstack.org/show/219400	01:47
jamielennox	mordred: you're not going to like this answer but be careful of endpoint_type vs interface, i don't know where the difference comes from but some clients use endpoint_type and they were moving back to interface=	01:49
jamielennox	i know keystoneclient is interface=	01:49
mordred	oh good	01:49
mordred	that's so exciting	01:49
jamielennox	the one's i've done i made sure that i just handled it on the client side	01:49
jamielennox	but that's not all of them	01:49
jamielennox	and because keystoneclient ignores unknown kwargs - because compatibility	01:50
jamielennox	so you wouldn't know you got it wrong till it didn't work	01:50
openstackgerrit	Julian Edwards proposed openstack/keystone: Improve websso documentation. https://review.openstack.org/181782	01:52
mordred	jamielennox: so I need to go look at the source of each of the constructors to see who is interface and who is endpoint_type?	01:54
jamielennox	at this point i would expect that interface= worked for all of the clients that used session, but i haven't tried that	01:54
mordred	ok. awesome - and thank you. at this point I want to go shove my head into a meat blender - so I'm going to step away from the laptop	01:57
mordred	but I believe I understand more about the situation	01:57
jamielennox	unfortunately the more you know the more appealing that blender is	01:57
mordred	so - keystoneclient is one of the three clients that I have to pass an endpoint to and that cannot just use the session	01:58
mordred	which is ... amusing	01:58
jamielennox	yea - does not apply to using v2 or v3 directly	01:59
jamielennox	but needs to be fixed for the generic one	01:59
mordred	:)	01:59
mordred	well, I have a thing that works now	01:59
lifeless	mordred: and a order in for alcohol ?	01:59
mordred	lifeless: facestab	02:01
mordred	jamielennox: "interface" is the future, right?	02:01
jamielennox	mordred: yea	02:01
mordred	jamielennox: https://review.openstack.org/181783	02:01
lifeless	mordred: thats a tad excessive.	02:01
mordred	jamielennox: I'll follow up with checking each Client to see if they want interface or endpoint_type	02:02
mordred	but for now, I wanted to get that written down so I'd remember in the morning	02:03
*** lhcheng has joined #openstack-keystone		02:11
*** ChanServ sets mode: +v lhcheng		02:11
*** dimsum__ has quit IRC		02:12
*** ericksonsantos has quit IRC		02:19
*** yasu_ has joined #openstack-keystone		02:22
*** lhcheng has quit IRC		02:23
*** davechen has joined #openstack-keystone		02:36
*** richm has quit IRC		02:38
*** lhcheng has joined #openstack-keystone		02:55
*** ChanServ sets mode: +v lhcheng		02:55
*** boris-42 has quit IRC		02:58
*** lhcheng has quit IRC		03:00
*** iamjarvo has joined #openstack-keystone		03:13
*** alex_xu has quit IRC		03:20
*** alex_xu has joined #openstack-keystone		03:21
*** Jarot has left #openstack-keystone		03:27
*** rushiagr_away is now known as rushiagr		04:06
*** lhcheng has joined #openstack-keystone		04:24
*** ChanServ sets mode: +v lhcheng		04:24
*** iamjarvo has quit IRC		04:25
*** lhcheng has quit IRC		04:28
*** markvoelker has joined #openstack-keystone		04:37
*** stevemar has joined #openstack-keystone		04:42
*** ChanServ sets mode: +v stevemar		04:42
*** rushiagr is now known as rushiagr_away		04:46
*** afazekas has joined #openstack-keystone		04:55
*** rushiagr_away is now known as rushiagr		04:55
*** rushiagr is now known as rushiagr_away		05:08
*** chlong has quit IRC		05:09
*** emagana has joined #openstack-keystone		05:15
*** ericksonsantos has joined #openstack-keystone		05:15
*** stevemar has quit IRC		05:17
*** ericksonsantos has quit IRC		05:20
*** mabrams has joined #openstack-keystone		05:33
*** rushiagr_away is now known as rushiagr		05:36
*** rushiagr is now known as rushiagr_away		05:37
*** davechen has left #openstack-keystone		05:51
*** mflobo has joined #openstack-keystone		06:06
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/179331	06:06
*** lhcheng has joined #openstack-keystone		06:13
*** ChanServ sets mode: +v lhcheng		06:13
*** lhcheng has quit IRC		06:18
*** rushiagr_away is now known as rushiagr		06:26
*** mabrams has quit IRC		06:39
*** mabrams has joined #openstack-keystone		06:42
*** jaosorior has joined #openstack-keystone		06:53
*** yasu_ has quit IRC		06:56
*** yasu_ has joined #openstack-keystone		06:56
*** browne has quit IRC		07:37
*** davechen has joined #openstack-keystone		07:50
*** fifieldt has joined #openstack-keystone		07:57
*** fifieldt has quit IRC		07:58
*** jistr has joined #openstack-keystone		07:58
*** belmoreira has joined #openstack-keystone		08:11
*** mabrams has quit IRC		08:17
*** mabrams has joined #openstack-keystone		08:18
*** pnavarro has joined #openstack-keystone		08:24
*** fhubik has joined #openstack-keystone		08:28
*** davidckennedy has joined #openstack-keystone		08:51
*** henrynash has joined #openstack-keystone		09:14
*** ChanServ sets mode: +v henrynash		09:14
*** aix has joined #openstack-keystone		09:20
*** pnavarro has quit IRC		09:32
mflobo	How can I propose a Keystone client blueprint? In http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/ I can not see anything for this	09:45
mflobo	For keystone we have http://git.openstack.org/cgit/openstack/keystone-specs/ but I don't see anything for the client	09:45
mflobo	maybe here? http://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystoneclient	09:50
*** lhcheng has joined #openstack-keystone		09:51
*** ChanServ sets mode: +v lhcheng		09:51
jamielennox	mflobo: yes, there's a keystoneclient folder in keystone-specs	09:52
mflobo	jamielennox, so, for a keystoneclient library blueprint (not the CLI) I should put it there	09:53
mflobo	jamielennox, thanks	09:54
jamielennox	ues	09:54
*** davechen has left #openstack-keystone		09:54
*** lhcheng has quit IRC		09:55
*** dimsum__ has joined #openstack-keystone		10:02
*** pnavarro has joined #openstack-keystone		10:03
*** topol has joined #openstack-keystone		10:15
*** ChanServ sets mode: +v topol		10:15
*** topol has quit IRC		10:20
*** samueldmq has joined #openstack-keystone		10:33
samueldmq	morning	10:33
*** yogeshwars1 has joined #openstack-keystone		10:35
*** ajayaa has joined #openstack-keystone		10:35
*** belmoreira has quit IRC		10:48
*** nanz has joined #openstack-keystone		11:06
nanz	hey	11:06
nanz	bhai reply karo	11:08
nanz	keystone ?	11:08
*** nanz has left #openstack-keystone		11:08
samueldmq	nanz, hi, english only please :)	11:08
samueldmq	bye	11:09
openstackgerrit	Merged openstack/keystone: Use stevedore for backend drivers https://review.openstack.org/166543	11:17
openstackgerrit	Merged openstack/keystone: Use short names for drivers https://review.openstack.org/166622	11:18
openstackgerrit	Merged openstack/keystone: Remove unnecessary oauth_api check https://review.openstack.org/177603	11:18
*** fhubik has quit IRC		11:19
*** fhubik_afk has quit IRC		11:19
*** fhubik has joined #openstack-keystone		11:21
*** fhubik is now known as fhubik_afk		11:26
*** EmilienM\|afk is now known as EmilienM		11:28
*** henrynash has quit IRC		11:53
*** henrynash has joined #openstack-keystone		11:58
*** ChanServ sets mode: +v henrynash		11:58
*** fhubik_afk is now known as fhubik		11:58
*** gordc has joined #openstack-keystone		12:01
*** dimsum__ has quit IRC		12:03
*** boris-42 has joined #openstack-keystone		12:04
*** _dguerri is now known as dguerri		12:13
*** lmtaylor has joined #openstack-keystone		12:18
*** fhubik has quit IRC		12:18
*** fhubik has joined #openstack-keystone		12:18
*** raildo has joined #openstack-keystone		12:19
*** htruta has joined #openstack-keystone		12:19
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK https://review.openstack.org/142472	12:20
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK https://review.openstack.org/142472	12:23
samueldmq	bknudson, hi, thanks for your review on 'Adds inherited column to RoleAssignment PK'	12:29
samueldmq	bknudson, what about adding a DB2 job to our gate ?	12:29
bknudson	samueldmq: we're working on getting the DB2 job working again	12:44
*** dobson has quit IRC		12:56
samueldmq	bknudson, nice, let me know if you need a hand	12:56
samueldmq	bknudson, I am not an expert on gate jobs, but I am learning as I go (identity v3 only job for example)	12:56
*** dobson has joined #openstack-keystone		12:57
*** bknudson has quit IRC		13:01
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK https://review.openstack.org/142472	13:03
*** vhoward has joined #openstack-keystone		13:07
*** rushiagr is now known as rushiagr_away		13:07
*** sigmavirus24_awa is now known as sigmavirus24		13:11
*** lmtaylor has quit IRC		13:13
*** henrynash has quit IRC		13:15
*** fifieldt has joined #openstack-keystone		13:17
*** fifieldt has quit IRC		13:17
davidckennedy	dstanek lbragstad any chance of a re-review on https://review.openstack.org//#/c/167675 it's been becalmed a little of late :)	13:18
lbragstad	davidckennedy: sure thing, thanks for the reminder.	13:18
davidckennedy	(just hope you like it now I've asked...)	13:19
*** josecastroleon has joined #openstack-keystone		13:21
*** bknudson has joined #openstack-keystone		13:22
*** ChanServ sets mode: +v bknudson		13:22
*** chlong has joined #openstack-keystone		13:22
*** lhcheng has joined #openstack-keystone		13:28
*** ChanServ sets mode: +v lhcheng		13:28
*** davechen has joined #openstack-keystone		13:30
*** lhcheng has quit IRC		13:32
*** iurygregory has joined #openstack-keystone		13:34
*** dimsum__ has joined #openstack-keystone		13:39
*** iurygregory has quit IRC		13:40
*** _1_Julio has joined #openstack-keystone		13:41
*** emagana has quit IRC		13:43
*** blewis has joined #openstack-keystone		13:45
*** richm has joined #openstack-keystone		13:46
*** lmtaylor has joined #openstack-keystone		13:47
*** ajayaa has quit IRC		13:48
*** dimsum__ has quit IRC		13:53
*** mattfarina has joined #openstack-keystone		13:54
*** markvoelker has quit IRC		13:56
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/179904	13:58
*** stevemar has joined #openstack-keystone		14:01
*** ChanServ sets mode: +v stevemar		14:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-saml2: Updated from global requirements https://review.openstack.org/161588	14:04
*** openstackgerrit has quit IRC		14:06
*** openstackgerrit has joined #openstack-keystone		14:07
stevemar	marekd, what time works for you on wednesday?	14:08
marekd	stevemar: as early as possible, so i guess 18UTC would work for our tzs ?	14:12
stevemar	marekd, that should work for everyone	14:15
*** dims has joined #openstack-keystone		14:16
marekd	stevemar: hope so.	14:16
*** zzzeek has joined #openstack-keystone		14:18
*** openstack has joined #openstack-keystone		14:18
*** fhubik has quit IRC		14:19
*** yasu_ has quit IRC		14:20
*** blewis` has joined #openstack-keystone		14:25
*** blewis has quit IRC		14:26
*** blewis` has quit IRC		14:27
openstackgerrit	Brant Knudson proposed openstack/keystone: Move bandit requirement to test-requirements-bandit.txt https://review.openstack.org/171772	14:30
stevemar	marekd, rodrigods, morganfainberg fyi - i created an outline for our presentation, would appreciate some help in filling in the content :)	14:30
stevemar	let me know if you don't have the links	14:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Move bandit requirement to test-requirements-bandit.txt https://review.openstack.org/171772	14:30
rodrigods	stevemar, great! did you use the etherpad link? I think I lost it	14:31
stevemar	rodrigods, nope, i'll pM it to you	14:31
rodrigods	stevemar, thx	14:31
marekd	stevemar: google doc link?	14:34
*** jsavak has joined #openstack-keystone		14:38
*** mestery has quit IRC		14:38
stevemar	marekd, yeah, i sent it out	14:40
*** emagana has joined #openstack-keystone		14:42
*** anteaya has joined #openstack-keystone		14:46
*** davechen has left #openstack-keystone		14:47
dolphm	marekd: stevemar: according to the spec, each protocol has an 'id' attribute https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#list-all-protocol-and-attribute-mappings-of-an-identity-provider but the client tests aren't creating such an attribute https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/unit/v3/test_federation.py#L144-L148 and	14:55
dolphm	instead create a 'protocol_id' attribute ... which is correct? i'm hoping the client tests are wrong...	14:55
*** mabrams has quit IRC		15:00
dolphm	marekd: stevemar: the server seems to implement the spec correctly... https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L136-L137	15:00
stevemar	dolphm, the client tests seem wrong	15:01
morganfainberg	stevemar: cool. Will be looking at it soon.	15:02
dolphm	stevemar: thanks, i'll file a bug then	15:02
stevemar	dolphm, https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/unit/v3/test_federation.py#L147 should just be 'id'	15:02
dolphm	stevemar: ++ tjat	15:03
dolphm	stevemar: that's* what i figured	15:03
morganfainberg	samueldmq: ping - was looking at your devstack change and I think it needs to be split into 2 things. - 1: always use v3 to setup devstack, never use v2 apis. 2: the bit about honoring the v3 only flag.	15:03
dolphm	stevemar: i wrote a new test that applied to every API, and they all passed except for everything on /protocols	15:03
*** markvoelker has joined #openstack-keystone		15:03
marekd	dolphm: stevemar: protocol's create call is:	15:04
marekd	https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/contrib/federation/protocols.py#L60	15:04
marekd	which expect arg protocol_id	15:04
*** pnavarro has quit IRC		15:09
stevemar	gah	15:09
dolphm	marekd: but that's not an object reference. protocol_id is perfect for routing purposes in URLS	15:10
dolphm	marekd: but that protocol_id gets persisted as just an id https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/backends/sql.py#L226	15:10
dolphm	marekd: which all looks correct to me (in the server)	15:10
dolphm	marekd: stevemar: filed a bug btw https://bugs.launchpad.net/python-keystoneclient/+bug/1453847	15:11
openstack	Launchpad bug 1453847 in python-keystoneclient "Federation /protocols tests mistakenly use 'protocol_id' instead of 'id'" [Medium,Confirmed] - Assigned to Dolph Mathews (dolph)	15:11
*** dims has quit IRC		15:12
*** aix has quit IRC		15:12
*** henrynash has joined #openstack-keystone		15:15
*** ChanServ sets mode: +v henrynash		15:15
marekd	dolphm: allrighty then.	15:19
*** fifieldt has joined #openstack-keystone		15:22
*** fifieldt has quit IRC		15:23
marekd	dolphm: need to clarify something - do you expect 'id' (protocol id) to be sent in the request body?	15:25
*** Zanatoz has joined #openstack-keystone		15:26
dolphm	marekd: in what request body?	15:26
marekd	for instance creating a protocol	15:27
*** blewis has joined #openstack-keystone		15:27
marekd	PUT /v3/OS-FEDERATION/identity_providers/idp/protocols/saml2	15:28
dolphm	marekd: you create a protocol using a PUT request which is routed with a 'protocol_id' for clarity, which is then persisted as the protocol reference's "id" attribute and returned as the "id" in the response https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#add-a-protocol-and-attribute-mapping-to-an-identity-provider	15:28
marekd	yep	15:29
dolphm	there is no protocol id of any kind in the request body there (nor should there be, because it's in the URL)	15:29
*** rushiagr_away is now known as rushiagr		15:29
marekd	yep.	15:29
dolphm	marekd: the spec also asserts that you reference a mapping with a 'mapping_id' (see that same link)... and the tests are using something called a 'mapping' =(	15:30
marekd	allrighty, thought you were expect id in the request body there.	15:30
dolphm	none of these unit tests would work if they were functional tests - because the server is implementing something totally different	15:32
dolphm	which makes all the unit tests completely pointless... because the client does the right thing anyway, right?	15:32
openstackgerrit	David Charles Kennedy proposed openstack/keystone: Add subjectAltName to generated ssl cert https://review.openstack.org/154074	15:33
marekd	dolphm: let me see.	15:35
bknudson	devstack change to use stevedore entrypoints: https://review.openstack.org/#/c/181937/	15:35
marekd	dolphm: i recall there was some 'parameter names splitting' or glueing	15:35
dolphm	so, it looks like all three attributes in ProtocolsTests.new_ref()'s implementation doesn't follow the HTTP API as it does in other test modules, so the entire test pattern used in other modules had to be re-invented to accomidate it.	15:38
*** gyee has joined #openstack-keystone		15:41
*** ChanServ sets mode: +v gyee		15:41
*** atiwari2 has quit IRC		15:42
openstackgerrit	Dolph Mathews proposed openstack/python-keystoneclient: Use 'id' instead of 'protocol_id' in federation protocol tests https://review.openstack.org/181945	15:45
*** markvoelker has quit IRC		15:45
*** topol has joined #openstack-keystone		15:47
*** ChanServ sets mode: +v topol		15:48
*** rwsu has joined #openstack-keystone		15:48
rodrigods	stevemar, marekd ping... did you see this error before? http://paste.openstack.org/raw/219966/	15:50
*** lhcheng has joined #openstack-keystone		15:52
*** ChanServ sets mode: +v lhcheng		15:52
marekd	rodrigods: very likely, but this paste doesn't gve much information to point us to the right direction :/	15:53
rodrigods	marekd, it is after being redirected by the SP	15:53
rodrigods	and trying to get the unscoped token	15:53
marekd	what's has changed from the last version you had?	15:53
stevemar	rodrigods, unsupported method... did you enable saml2 auth in config	15:54
rodrigods	marekd, the code that I have here works for a Juno SP	15:54
rodrigods	stevemar, hmm true!	15:54
rodrigods	stevemar, forgot about it	15:54
marekd	rodrigods: didn't you have similar thing few weeks ago?	15:54
rodrigods	marekd, it was similar, but in the other way around	15:55
marekd	rodrigods: nah that was 'token' auth method.	15:55
rodrigods	yeah	15:55
*** esp has joined #openstack-keystone		15:55
*** e0ne has joined #openstack-keystone		15:57
*** e0ne is now known as e0ne_		15:58
rodrigods	marekd, stevemar my keystone.conf was missing the saml2 entry	15:58
*** e0ne_ is now known as e0ne		15:58
rodrigods	thx!	15:58
stevemar	rodrigods, we got your back ;)	15:59
rodrigods	++	15:59
*** _cjones_ has joined #openstack-keystone		16:04
*** _cjones_ has quit IRC		16:05
*** _cjones_ has joined #openstack-keystone		16:07
*** rdo has quit IRC		16:08
*** rdo has joined #openstack-keystone		16:10
*** browne has joined #openstack-keystone		16:13
openstackgerrit	Dolph Mathews proposed openstack/python-keystoneclient: Use 'mapping_id' instead of 'mapping' in federation protocol tests https://review.openstack.org/181963	16:15
*** jistr has quit IRC		16:17
*** alexsyip has joined #openstack-keystone		16:18
*** _1_Julio has quit IRC		16:19
*** rdo has quit IRC		16:19
*** rdo has joined #openstack-keystone		16:21
*** henrynash has quit IRC		16:25
*** gothicmindfood has quit IRC		16:29
*** davidckennedy has quit IRC		16:30
*** gothicmindfood has joined #openstack-keystone		16:31
*** ajayaa has joined #openstack-keystone		16:36
*** browne has quit IRC		16:39
samueldmq	morganfainberg, hi, I am back now	16:49
morganfainberg	samueldmq: I can take a crack at splitting up your devstack change if you want.	16:49
morganfainberg	Just getting food right now.	16:50
samueldmq	morganfainberg, ++ feel free to split it	16:50
samueldmq	morganfainberg, but I am not sure I understood how you want to split, ping me once you're back	16:51
*** pnavarro has joined #openstack-keystone		16:51
*** haneef has quit IRC		16:53
*** rushiagr is now known as rushiagr_away		16:53
samueldmq	mfisch, why ? https://review.openstack.org/#/c/169747/ :(	16:54
*** afazekas has quit IRC		16:55
mfisch	lol	16:57
mfisch	mainly because it's buggy. I've been using it and still have not won the lottery, so I think the code might have a subtle bug	16:58
*** jsavak has quit IRC		16:59
samueldmq	mfisch, fair enough :)	16:59
*** jsavak has joined #openstack-keystone		17:00
morganfainberg	mfisch: if you do win the lottery ... Share it with us :P	17:02
mfisch	I'm going to hire steve as my personal keystone dev	17:11
dstanek	mfisch: your session sounds very interesting - about the push->pray alternative	17:11
mfisch	its a pretty broad talk but might still be interesting	17:12
dstanek	mfisch: i've actually been using OSAD more and more to develop Keystone without using devstack	17:13
*** e0ne has quit IRC		17:13
mfisch	we use vagrant based virtual environments to bring up whatever we need	17:13
mfisch	keystone or a full cluster + lbs and control nodes	17:13
mfisch	etc	17:13
*** jsavak has quit IRC		17:14
*** jsavak has joined #openstack-keystone		17:14
dstanek	a full all-in-one - similar to devstack, but much easier with change deployment options	17:14
mfisch	ours are standalones that mimic our environment	17:14
*** browne has joined #openstack-keystone		17:14
mfisch	starting from the puppet master	17:14
*** turul has joined #openstack-keystone		17:15
dstanek	it's basically the same idea - OSAD is what Rax private cloud uses to deploy	17:15
*** turul is now known as afazekas		17:15
*** samleon has joined #openstack-keystone		17:16
*** blewis has quit IRC		17:16
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	17:18
*** rushiagr_away is now known as rushiagr		17:21
*** ankita_wagh has joined #openstack-keystone		17:23
*** emagana has quit IRC		17:24
dstanek	two x-project policy sessions at the same time!	17:25
gyee	dstanek, how's le weekend? I had le big mac to celebrate le win!	17:25
*** emagana has joined #openstack-keystone		17:26
morganfainberg	dstanek: crap! :P	17:26
dstanek	gyee: i don't really follow the Cavs. i lost interest in basketball when Jordan left (the first time) and never got it back	17:27
topol	what's the policy for choosing between the two x-project policy sessions? :-)	17:29
stevemar	topol, depends on who has the admin role :P	17:29
*** larsks has joined #openstack-keystone		17:29
gyee	let congress decide	17:29
topol	stevemar, choose between milli or vanilli?	17:30
*** esp has quit IRC		17:30
topol	doh	17:30
stevemar	i wont be letting you forget that one	17:30
topol	between the silence on that and spzala letting me know how great it was not having standups for two weeks :-) Heck of a morning	17:32
*** rushiagr is now known as rushiagr_away		17:36
-openstackstatus- NOTICE: We have discovered post-upgrade issues with Gerrit affecting nova (and potentially other projects). Some changes will not appear and some actions, such as queries, may return an error. We are continuing to investigate.		17:38
*** ChanServ changes topic to "We have discovered post-upgrade issues with Gerrit affecting nova (and potentially other projects). Some changes will not appear and some actions, such as queries, may return an error. We are continuing to investigate."		17:38
*** mestery has joined #openstack-keystone		17:41
samleon	stevemar, how's going? just like to see if you will have a chance to do another review for the x.509 patch since you've been one of the nice folks have a closed look at this patch ;-) https://review.openstack.org//#/c/156870/	17:43
samleon	stevemar, so far got a +2 from ayoung, that made me a day! ;-) so hopefully this can be merged soon	17:43
*** mestery has quit IRC		17:44
stevemar	samleon, i'll try and squeeze in a review this week	17:45
stevemar	super busy in preparation for the summit :(	17:45
samleon	stevemar, that's great! sure, I kow that, thx	17:45
*** mestery has joined #openstack-keystone		17:46
morganfainberg	samleon: if we don't get the review in here before summit, it's def. on the list for @ the summit	17:53
*** mestery has quit IRC		17:56
*** rushiagr_away is now known as rushiagr		18:02
samleon	morganfainberg, that's great! can't wait to see all you guys over there ;-)	18:08
*** emagana has quit IRC		18:15
*** emagana has joined #openstack-keystone		18:17
morganfainberg	ayoung: ping	18:19
morganfainberg	ayoung: we might have an issue with token v2 <-> v3 interop	18:19
ayoung	caught yourself there....	18:19
dolphm	if you squint, i'm pretty sure this is morganfainberg https://twitter.com/arthurberezin	18:19
morganfainberg	ayoung: notably we are probably issuing inconsistent expires_at for the tokens due to a failure to properly format the string	18:19
morganfainberg	dolphm: hah no	18:20
ayoung	dolphm, , not if you sawthem side by sid or heard them speak	18:20
dolphm	morganfainberg: my first thought was "morganfainberg looks different somehow"	18:20
morganfainberg	ayoung: so ... this is highlighted by https://review.openstack.org/#/c/180355/ - i was about to say "no we are not changing that validation string" but in looking it looks like we have a bug where it is possible to get v2 tokens with microsecond expires_at	18:21
ayoung	looking	18:21
ayoung	morganfainberg, is there a bug for " issuing inconsistent expires_at for the tokens due to a failure to properly format the string"	18:22
*** ankita_w_ has joined #openstack-keystone		18:22
ayoung	dolphm, so Arthur has thick Israeli accent, and body mass is about 2 morganfainbergs	18:23
*** ankita_wagh has quit IRC		18:23
*** ankita_wagh has joined #openstack-keystone		18:24
*** pnavarro has quit IRC		18:25
*** lsmola_ has quit IRC		18:25
*** Guest64787 has quit IRC		18:25
*** smallbig has quit IRC		18:25
*** morganfainberg has quit IRC		18:25
*** tsufiev has quit IRC		18:25
*** samueldmq_ has joined #openstack-keystone		18:26
*** larsks\|alt has joined #openstack-keystone		18:26
*** topol_ has joined #openstack-keystone		18:26
*** emagana has quit IRC		18:26
*** jimbaker has quit IRC		18:26
*** larsks has quit IRC		18:26
*** topol has quit IRC		18:26
*** samueldmq has quit IRC		18:26
*** x58 has quit IRC		18:26
*** htruta has quit IRC		18:26
*** svasheka has quit IRC		18:26
*** miguelgrinberg has quit IRC		18:26
*** topol_ is now known as topol		18:26
*** ChanServ sets mode: +v topol		18:26
*** ankita_wagh has quit IRC		18:26
*** samueldmq_ is now known as samueldmq		18:26
*** x58 has joined #openstack-keystone		18:26
*** jimbaker has joined #openstack-keystone		18:27
*** jimbaker has quit IRC		18:27
*** jimbaker has joined #openstack-keystone		18:27
*** miguelgrinberg_ has joined #openstack-keystone		18:27
*** ankita_w_ has quit IRC		18:27
*** ankita_wagh has joined #openstack-keystone		18:27
*** pnavarro has joined #openstack-keystone		18:27
*** lsmola_ has joined #openstack-keystone		18:27
*** smallbig has joined #openstack-keystone		18:27
*** morganfainberg has joined #openstack-keystone		18:27
*** tsufiev has joined #openstack-keystone		18:27
*** sendak.freenode.net sets mode: +v morganfainberg		18:27
*** htruta has joined #openstack-keystone		18:27
hogepodge	morganfainberg: it's a problem for them	18:27
*** svasheka has joined #openstack-keystone		18:27
hogepodge	morganfainberg: from what I understand, they're not running keystone proper, though.	18:27
*** emagana has joined #openstack-keystone		18:28
*** larsks\|alt is now known as larsks		18:28
*** dan\| has joined #openstack-keystone		18:29
morganfainberg	dolphm: how awful is it going to be for RAX if we say v2 tokens cannot have microsecond resolution for expires_at? (sorry was netsplit)	18:29
morganfainberg	cc dstanek, lbragstad ^	18:29
morganfainberg	hogepodge: right and i'm asking the RAX folks about it ;)	18:29
morganfainberg	dolphm: because https://review.openstack.org/#/c/180355/ is waaaay too broad a change	18:29
morganfainberg	but we are potentially inconsistent.	18:29
morganfainberg	as is	18:29
*** radez has joined #openstack-keystone		18:30
dolphm	morganfainberg: i was investigating that the other day - depends on whether it's allowed / expected to be an integer or if a .000 floating point is acceptable	18:30
lbragstad	dolphm: you had a commit up to fix that, right?	18:30
morganfainberg	dolphm: today it is not acceptible for microsecond resolution, meaingin v3 -> v2 token validate fails	18:30
*** jsavak has quit IRC		18:32
morganfainberg	so i've tossed a -1 on that patch	18:32
morganfainberg	basically i'd be ok with seing a validate that allowed either microsecond resolution or non-microsecond resolution, but "any ISO8601 format" is not really what I'd like to have to support	18:33
dolphm	lbragstad: i had a commit somewhere -- not sure if it went to gerrit	18:33
gyee	we have a bunch of unit tests for v2, v3 interop	18:33
morganfainberg	because you can get crazy with iso8601	18:33
gyee	I would expect those tests to fail	18:33
dolphm	morganfainberg: why are they dropping utcnow() in that patch in favor of now()	18:33
*** jsavak has joined #openstack-keystone		18:33
morganfainberg	dolphm: because they want to allow lots of variations	18:34
morganfainberg	the author is going to come back and say "The spec says 8601 format, so we should support all of those"	18:34
dolphm	morganfainberg: i think they just wanted to allow for variation between 0 and 0.000 and 0.00000	18:34
*** e0ne has joined #openstack-keystone		18:35
dolphm	morganfainberg: i'm not convinced we really have a use case for any floating point seconds anymore	18:35
dolphm	but that's an aside	18:35
morganfainberg	they are also allowing all tz-variations	18:35
dolphm	that's sort of alarming and i'd like to know why	18:35
morganfainberg	dolphm: so if we move to pure 8601 format handling in keystone i'd be ok with switching this but today we use an 8601-like format	18:37
dolphm	morganfainberg: non-pure in v3?	18:37
morganfainberg	we do st = at.strftime(_ISO8601_TIME_FORMAT	18:38
morganfainberg	if not subsecond	18:38
morganfainberg	else _ISO8601_TIME_FORMAT_SUBSECOND)	18:38
morganfainberg	which is explicit: _ISO8601_TIME_FORMAT_SUBSECOND = '%Y-%m-%dT%H:%M:%S.%f'	18:38
morganfainberg	_ISO8601_TIME_FORMAT = '%Y-%m-%dT%H:%M:%S'	18:38
morganfainberg	this is not using 8601 module so we can't be sure we're going to capture lots of variations	18:38
morganfainberg	8601 can do W for weeks, etc.	18:39
morganfainberg	so we're doing iso8601-like formatting	18:39
dolphm	don't we include Z (zulu tz) everywhere?	18:39
dolphm	(they're not in your format examples)	18:40
morganfainberg	yeah we do	18:40
morganfainberg	in some cases	18:40
dolphm	"if it strictly validated for microsecond and/or non-microsecond resolution expires_at in tokens for v2" so, EXPIRY_DATE_FORMATS = ['%Y-%m-%dT%H:%M:%SZ', '%Y-%m-%dT%H:%M:%S.%fZ'] in v2 then?	18:40
morganfainberg	i think we explicitly append it	18:40
morganfainberg	dolphm: yah that would be fine i think.	18:40
dolphm	morganfainberg: that would cover your #2 thing, i think (v3 token validated by v2)	18:41
morganfainberg	yeah	18:41
morganfainberg	hm. maybe timeutils has gotten a bit smarter	18:42
morganfainberg	it does use .parse_iso8601	18:42
morganfainberg	from iso8601 now that I look at ti	18:42
morganfainberg	it*	18:42
morganfainberg	bleh. i still don't like allowing servers to issue any 8601-valid format	18:42
radez	stevemar: ping, it was suggested a little while ago to talk to you about integrating TryStack.orgkeystone with openstackid.org once we	18:43
radez	got kilo installed an happy	18:43
radez	I noticed oauth in keystone is v1 and openstackid.org is v2	18:44
radez	would we have to do some patching to get oauth2 support for openstackid.org?	18:44
*** ajayaa has quit IRC		18:45
morganfainberg	radez: openstackid supports openid connect though, right?	18:45
*** Zanatoz has quit IRC		18:45
radez	morganfainberg: not sure, I've just circled back to this today.	18:45
* radez looks for openid connect support		18:45
openstackgerrit	Merged openstack/python-keystoneclient: Use 'id' instead of 'protocol_id' in federation protocol tests https://review.openstack.org/181945	18:46
morganfainberg	radez: because keystone can consume OIDC	18:47
radez	morganfainberg: I see docs for that, I'll ask infra if there is oidc support for openstackid.org	18:48
morganfainberg	ayoung: what were we going to call that extra fishbowl (cc jamielennox )?	18:49
*** dan\| has quit IRC		18:49
*** Zanatoz has joined #openstack-keystone		18:50
ayoung	morganfainberg, the one where we talkg about access info, consuming the products of auth plugins etc	18:51
morganfainberg	yeah	18:51
radez	morganfainberg: there's not oauth2 support in keystone correct?	18:51
morganfainberg	what was the title we wanted to call that?	18:51
morganfainberg	radez: not afaik	18:51
ayoung	radez, oauth was 1.3a explicitly	18:52
radez	kk, thx	18:52
*** harlowja has quit IRC		18:52
ayoung	radez, out of curioustity why do you ask	18:52
*** harlowja has joined #openstack-keystone		18:52
radez	ayoung: trying to integrate TryStack with openstackid.org	18:53
ayoung	radez, ah...and openstackid only does oauth2?	18:54
*** jsavak has quit IRC		18:54
ayoung	radez, ok...so, that doesn't matter	18:54
radez	afaik yes	18:54
ayoung	why you are about is if Keystone for trystack consumes oauth2?	18:54
*** jsavak has joined #openstack-keystone		18:54
ayoung	radez, the short answer is: it is another federation integration	18:54
*** dan_ has joined #openstack-keystone		18:54
ayoung	I think we can make that happend	18:54
*** dan_ is now known as Guest25580		18:55
ayoung	morganfainberg, we need to clarify what we mean by ouath support....	18:55
*** esp has joined #openstack-keystone		18:55
radez	ayoung: meaning there's support that could make it happen now or that would be a feature req?	18:55
morganfainberg	ayoung: i usually say OIDC is the right approach vs strict oauth in this case.	18:55
ayoung	radez, let me see if there is an apache module we can use. We wanted to use mello for saml, but I thoguth we had an oauith2 approach, too	18:55
morganfainberg	if at all possible	18:55
morganfainberg	ayoung: http://libertydesignsummit.sched.org/event/5c44b68fe95ff66d85c3a805787fc9e7 is that about right?	18:56
ayoung	morganfainberg, so first hit was https://github.com/pingidentity/mod_auth_openidc	18:56
radez	ayoung: cool, thx!	18:56
ayoung	morganfainberg, looks about right	18:56
morganfainberg	ayoung: we can easily do OIDC stevemar made that all work	18:56
morganfainberg	ayoung: oauth2 is a bit different though	18:56
ayoung	morganfainberg, stevemar putting something in front of Apache, right?	18:57
morganfainberg	it's using an apache mod iirc	18:57
morganfainberg	but yes	18:57
ayoung	morganfainberg, it really depends on what openstackid.org supports	18:57
*** topol has quit IRC		18:57
morganfainberg	ayoung: i know it supports traditional OpenID, just not sure about OIDC	18:59
ayoung	morganfainberg, did he document it anywhere?	18:59
morganfainberg	stevemar: help us stevemar, you're our only hope	19:00
ayoung	http://docs.openstack.org/developer/keystone/extensions/openidc.html	19:00
ayoung	radez, http://docs.openstack.org/developer/keystone/extensions/openidc.html	19:00
radez	ayoung: yea I read that, but they don't support oidc	19:00
stevemar	ayoung, morganfainberg radez sorry, i was away. looks like ayoung pulled up the right doc links and apache module	19:00
ayoung	radez, openstackid does not?	19:01
radez	ayoung: nope	19:01
ayoung	radez, do you have a link to what they do support?	19:01
radez	mrmartin \| radez: just plane openid and oauth	19:01
stevemar	thats weird	19:01
radez	specifically oauth2	19:02
*** rushiagr is now known as rushiagr_away		19:02
stevemar	radez, i believe mod_auth_openidc works with plain old openid + oauth anyway	19:02
stevemar	so the docs should still be valid	19:02
*** Rockyg has joined #openstack-keystone		19:03
radez	stevemar: oh cool, ok I'll try and do the openid integration according to that doc	19:03
radez	thx guys	19:03
stevemar	radez, np. make sure you turn on debug logging on keystone, once you see the environment variables from mod_auth_openidc in the keystone logs, you know you're getting close	19:04
ayoung	radez, please ask questions. And please use Kilo code	19:04
radez	ayoung: stevemar: ack, thx guys I'l be in touch with progress	19:04
stevemar	radez, also, websso works for openidc, but not so much keystoneclient support - but i have someone actively working on getting that in	19:05
ayoung	There are often ricks to getting the mapping layer set up correctly	19:05
*** emagana has quit IRC		19:05
ayoung	stevemar, is an auth plugin?	19:05
*** emagana has joined #openstack-keystone		19:05
* ayoung hopes that was rhetorical		19:05
stevemar	ayoung, come again?	19:05
ayoung	stevemar, the client support you just mentioned	19:06
stevemar	ayoung, 'as in an auth plugin' -- yes	19:06
ayoung	stevemar, cool. Doesn't it feel like it is all coming together...	19:06
stevemar	certainly has the feel to it now, finally.	19:07
stevemar	that blog you pointed out was a nice ego boost	19:07
*** dguerri is now known as _dguerri		19:12
gyee	ayoung, morganfainberg, you guys cool with this? https://review.openstack.org/#/c/174799/	19:13
gyee	if you guys good with the spec, David and I can work on the code next	19:13
*** topol has joined #openstack-keystone		19:14
*** ChanServ sets mode: +v topol		19:14
*** miguelgrinberg_ is now known as miguelgrinberg		19:21
*** iamjarvo has joined #openstack-keystone		19:22
*** e0ne has quit IRC		19:22
morganfainberg	gyee: i'd rather see the endpoint binding filter always be installed and be something we can disable via config fwiw	19:24
morganfainberg	gyee: than asking people to update paste-ini to enable things	19:24
morganfainberg	gyee: trying to get out of the habit of "change the paste pipeline" reocmmendation to "turn things on"	19:24
morganfainberg	gyee: since it's not going to be part of auth_token itself.	19:24
morganfainberg	(btw: when did that change?)	19:25
dstanek	morganfainberg: looks like you got your answer on the timestamp thing	19:26
morganfainberg	dstanek: ?	19:27
dstanek	i finally went through the summit schedule. too much to do and not enough time	19:27
morganfainberg	dstanek: oh yeah	19:27
morganfainberg	dstanek: hehe	19:29
morganfainberg	dstanek: i really did try and keep our sessions light	19:30
openstackgerrit	Brant Knudson proposed openstack/keystone: Remove identity_api from AuthInfo dependencies https://review.openstack.org/182032	19:30
morganfainberg	because we should be interfacing with other teams more this summit	19:30
openstackgerrit	Roxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	19:32
*** nkinder has joined #openstack-keystone		19:32
*** pnavarro has quit IRC		19:34
dstanek	morganfainberg: i'm planning on hitting up some QA stuff	19:35
morganfainberg	cool	19:35
*** _dguerri is now known as dguerri		19:38
ayoung	gyee, morganfainberg nah, separate middleware	19:44
ayoung	gyee, lest sort this now...since I was part of the whipsaw	19:45
ayoung	morganfainberg, I wonder if we can avoid another config option	19:45
morganfainberg	ayoung: config option > edit paste pipeline	19:45
ayoung	what I would like is endpoint binding be the start of moving policy to a middleware	19:45
ayoung	and not just endpouintbinding	19:46
ayoung	but all policy enforcement	19:46
morganfainberg	ayoung: i don't think that is something that can land this cycle tbh	19:46
ayoung	and...that feels like it should be its own middleware	19:46
ayoung	no, not completely	19:46
morganfainberg	we're too far from having a view of policy	19:46
morganfainberg	clear view	19:46
ayoung	agreed not completetly	19:46
morganfainberg	we could merge it down once we have a clearer view	19:46
morganfainberg	but this likely needs to be separate until we're closer on the policy front	19:47
ayoung	morganfainberg, my design goal is that endpoint binding should be a policy decision. We should use the same mechanism for policy enforcement as we do for endpoint binding	19:47
morganfainberg	ayoung: we could also morph the new pipeline entry	19:57
morganfainberg	ayoung: if we are smart about it	19:58
ayoung	morganfainberg, yes, that was my thought	19:58
ayoung	morganfainberg, OTOH, maybe auth token should be both.	19:58
morganfainberg	ayoung: more summit convos.	19:58
ayoung	both "expand the token" and "check the policy"	19:58
ayoung	all in one would probably be less surprising. Therei s also the fact that expanding the token has to happen before the policy check, and I would not want to have an implied ordering dependcey there	19:59
openstackgerrit	Merged openstack/python-keystoneclient: Use 'mapping_id' instead of 'mapping' in federation protocol tests https://review.openstack.org/181963	19:59
*** lhcheng has quit IRC		20:02
*** dims has joined #openstack-keystone		20:03
openstackgerrit	Merged openstack/keystone: De-duplicate auth methods https://review.openstack.org/177604	20:05
openstackgerrit	Merged openstack/keystone: Use [] where a value is required https://review.openstack.org/171907	20:07
dstanek	this review is creating a log jam! https://review.openstack.org//#/c/177411/	20:10
gyee	morganfainberg, ayoung, sorry I had to step out, I am fine with it being a separate middleware, I think it will converage into one	20:17
gyee	with a general purpose enforcement middleware	20:17
gyee	scrolling back, if I read you guys correct, we now want it in auth_token?	20:20
*** ankita_w_ has joined #openstack-keystone		20:31
*** ankita_wagh has quit IRC		20:31
*** radez is now known as radez_g0n3		20:36
*** iamjarvo has quit IRC		20:37
*** lhcheng has joined #openstack-keystone		20:41
*** ChanServ sets mode: +v lhcheng		20:41
*** iamjarvo has joined #openstack-keystone		20:43
*** openstackgerrit_ has joined #openstack-keystone		20:44
*** topol has quit IRC		20:52
*** htruta has quit IRC		21:00
*** htruta has joined #openstack-keystone		21:01
ayoung	gyee, we have not come to a conclusion. Suggest we hash this out next week, as part of the policy discussion.	21:03
ayoung	I need to finish my presentation before I can have a clear brain on this	21:03
*** jsavak has quit IRC		21:06
*** iamjarvo has quit IRC		21:09
morganfainberg	gyee: ^^ what ayoung said	21:15
morganfainberg	gyee: I am not opposed to it either being in auth_token or a separate middleware	21:15
morganfainberg	gyee: or part of policy	21:16
ayoung	dstanek, +2A	21:18
ayoung	gyee, I think if you start as a separate middleware, it will be easier to merge it in to auth token . Domn;t think We should start with it in one middleware	21:18
ayoung	if you need somthing to drive on with to get started	21:19
gyee	ayoung, morganfainberg, sure	21:20
dstanek	ayoung: thx	21:21
*** vhoward has left #openstack-keystone		21:26
*** spandhe has joined #openstack-keystone		21:32
morganfainberg	stevemar dtroyer: so i think i found a flaw in openstackclient	21:33
*** emagana has quit IRC		21:34
morganfainberg	stevemar dtroyer: I can't get any information on the commands w/o authenticating with an openstack keystone. there is no way to see the params needed for 'openstack service create'	21:34
morganfainberg	for example	21:34
morganfainberg	w/o actually trying to use it.	21:34
dtroyer	morganfainberg: which version do you have?	21:34
morganfainberg	1.2.0	21:34
dtroyer	this crept back in recently and was fixed again.	21:35
*** emagana has joined #openstack-keystone		21:35
dtroyer	so if you do an actual help command it'll do what you expect	21:35
dtroyer	openstack help service create	21:35
morganfainberg	dtroyerahhh	21:35
morganfainberg	ahh	21:35
dtroyer	I'll have to dig in to see why we want to auth before checking the comamnd args	21:35
morganfainberg	yeah that isn't intuitive at all	21:36
dtroyer	the auth should be absolute last minute	21:36
morganfainberg	but sure.	21:36
morganfainberg	thanks	21:36
dtroyer	this also might vary by command/api lib	21:36
dtroyer	because, you know, they're all different	21:36
morganfainberg	hah	21:36
morganfainberg	yeah trying to figure out how to make devstack rely on zero keystone v2 apis	21:37
openstackgerrit	Merged openstack/keystone: Update sample config file https://review.openstack.org/171860	21:38
stevemar	morganfainberg, yo, i'm not here for the meeting tmrw	21:38
morganfainberg	stevemar: slacker ;)	21:38
morganfainberg	stevemar: no worries	21:38
*** Rockyg has quit IRC		21:39
stevemar	morganfainberg, apparently i'm seeing a doctor that is impossible to get an appointment with	21:39
morganfainberg	stevemar: doctors are strange like that	21:39
bknudson	stevemar: #welcomeToObamacare!	21:40
dtroyer	bknudson: he wishes he had the awesome US healthcare system…	21:40
stevemar	bknudson, pfft we've had it since 1950s	21:41
*** mattfarina has quit IRC		21:42
dtroyer	yeah, but we have the proverbial last-mover advantage	21:42
dtroyer	you know, see how everyone else did it wrong and make even bigger mistakes	21:42
* dtroyer crawls back into cave		21:43
stevemar	hey 'last-mover advatage' does work sometimes	21:43
lbragstad	do we know if keystonemiddleware's gerrit repo is ok after the gerrit migration?	21:52
lbragstad	is that one of the repos that's having issues?	21:52
lbragstad	and being investigated?	21:52
*** lmtaylor has quit IRC		21:53
morganfainberg	lbragstad: is it?	21:53
morganfainberg	lbragstad: i hadn't heard which ones were off	21:53
morganfainberg	lbragstad: i recommend asking -infra	21:53
lbragstad	morganfainberg: well, I'm redeploying a cluster of keystone nodes and I can't seem to checkout source from keystonemiddleware	21:54
lbragstad	I can checkout source for keystone and python-keystoneclient	21:54
lbragstad	but not keystonemiddleware	21:54
lbragstad	I switched to using github and it works fine	21:55
lbragstad	previous, I get something like http://cdn.pasteraw.com/6berhj5m63x2ylpsqpp8lmy8g4l76l7	21:55
morganfainberg	lbragstad: i just cloned from https://git.openstack.org just fine	21:55
lbragstad	morganfainberg: from keystone middleware?	21:55
morganfainberg	yeah	21:56
lbragstad	what about stable kilo branch?	21:56
lbragstad	this is the steps that's failing	21:57
lbragstad	https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/keystone/tasks/main.yaml#L12-L20	21:57
lbragstad	git clone https://review.openstack.org/openstack/keystonemiddleware.git	21:57
lbragstad	when I do that, locally, it fails as well.	21:58
lbragstad	http://cdn.pasteraw.com/pc4j2ko7ir0n6qirc587497p0c5k1w1	21:58
*** stevemar has quit IRC		21:59
*** emagana has quit IRC		22:00
*** emagana has joined #openstack-keystone		22:05
openstackgerrit	Brant Knudson proposed openstack/keystone: Use stevedore for auth drivers https://review.openstack.org/182102	22:06
openstackgerrit	Brant Knudson proposed openstack/keystone: Use stevedore for auth drivers https://review.openstack.org/182102	22:08
*** ericksonsantos has joined #openstack-keystone		22:09
*** esp has quit IRC		22:14
openstackgerrit	Merged openstack/keystone: Handles Python3 builtin changes https://review.openstack.org/177411	22:16
*** esp has joined #openstack-keystone		22:19
mfisch	proposed avatar for bknudson: http://publicradio1.wpengine.netdna-cdn.com/statewide/files/2014/05/4056_FARGO_104-1.jpg	22:24
*** rwsu has quit IRC		22:25
bknudson	mfisch: surprisingly accurate... although the default avatar is accurate too.	22:25
mfisch	I saw UND and Minnaepolis, I knew you had a hat like that	22:26
openstackgerrit	Merged openstack/keystone: Handles modules that moved in Python3 https://review.openstack.org/177412	22:26
openstackgerrit	Merged openstack/keystone: Fixes a whitespace issue https://review.openstack.org/177413	22:26
*** erickson has joined #openstack-keystone		22:31
openstackgerrit	Merged openstack/keystone: Add mocking for ldappool for Python3 tests https://review.openstack.org/177414	22:33
*** ericksonsantos has quit IRC		22:34
*** rharwood has quit IRC		22:34
*** rharwood has joined #openstack-keystone		22:36
*** nkinder has quit IRC		22:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Default auth plugin https://review.openstack.org/182107	22:47
*** diegows has joined #openstack-keystone		22:50
*** trey has quit IRC		22:50
openstackgerrit	Brant Knudson proposed openstack/keystone: Short names for auth plugins https://review.openstack.org/182107	22:52
*** trey has joined #openstack-keystone		22:56
*** bknudson has quit IRC		22:56
*** gordc has quit IRC		23:01
*** emagana has quit IRC		23:03
jamielennox	oh, o - review.openstack.org gives 50	23:04
jamielennox	3	23:04
morganfainberg	jamielennox: infra is working on it	23:05
morganfainberg	jamielennox: it's not pretty - but they're trying to resolve things related to fallout from the gerrit upgrade	23:05
morganfainberg	jamielennox: keep an eye on -infra channel	23:05
morganfainberg	jamielennox: for updates.	23:05
jamielennox	morganfainberg: interesting, will look in	23:05
morganfainberg	jamielennox: also http://libertydesignsummit.sched.org/event/5c44b68fe95ff66d85c3a805787fc9e7	23:06
morganfainberg	jamielennox: let me know if anything needs to be changed	23:06
jamielennox	morganfainberg: looks good	23:07
*** jaosorior has quit IRC		23:12
*** blewis has joined #openstack-keystone		23:18
openstackgerrit	Roxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	23:25
*** arif-ali has quit IRC		23:28
*** arif-ali has joined #openstack-keystone		23:29
*** dims has quit IRC		23:34
*** dims has joined #openstack-keystone		23:39
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Handle sessions correctly in convenience client https://review.openstack.org/182118	23:42
*** dims has quit IRC		23:43
openstackgerrit	Jamie Lennox proposed openstack/keystone: Move endpoint_policy migrations into keystone core https://review.openstack.org/171916	23:45
openstackgerrit	Jamie Lennox proposed openstack/keystone: Move endpoint policy into keystone core https://review.openstack.org/171448	23:45
*** nkinder has joined #openstack-keystone		23:46
*** Raildo_ has joined #openstack-keystone		23:49
-openstackstatus- NOTICE: Gerrit is going offline while we perform an emergency downgrade to version 2.8.		23:54
*** ChanServ changes topic to "Gerrit is going offline while we perform an emergency downgrade to version 2.8."		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!