Thursday, 2015-06-25

*** tqtran is now known as tqttran_afk00:00
*** csoukup has quit IRC00:01
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements
*** geoffarnold has joined #openstack-keystone00:03
*** geoffarn_ has joined #openstack-keystone00:04
*** david-ly_ has joined #openstack-keystone00:06
*** geoffarnold has quit IRC00:07
*** david-lyle has quit IRC00:08
*** geoffarn_ has quit IRC00:09
*** nkinder has joined #openstack-keystone00:09
*** ankita_w_ has quit IRC00:09
*** roxanaghe has joined #openstack-keystone00:11
*** dims_ has joined #openstack-keystone00:14
*** edmondsw has joined #openstack-keystone00:16
*** dims has quit IRC00:16
*** edmondsw_ has joined #openstack-keystone00:16
*** edmondsw_ has quit IRC00:17
*** gyee_ has quit IRC00:17
*** shaleh has quit IRC00:28
*** rushiagr_away is now known as rushiagr00:32
*** rwsu has quit IRC00:38
*** geoffarnold has joined #openstack-keystone00:41
*** lhcheng has quit IRC00:42
*** boris-42 has quit IRC00:42
*** edmondsw has quit IRC00:47
*** r-daneel has quit IRC00:48
*** rushiagr is now known as rushiagr_away00:49
*** jimbaker has quit IRC00:53
*** nkinder has quit IRC00:53
*** tobe has joined #openstack-keystone00:56
*** sigmavirus24 is now known as sigmavirus24_awa00:58
*** geoffarnold has quit IRC01:00
*** ankita_wagh has joined #openstack-keystone01:04
*** Rockyg has joined #openstack-keystone01:05
*** charlesw has joined #openstack-keystone01:06
*** lhcheng has joined #openstack-keystone01:17
*** ChanServ sets mode: +v lhcheng01:17
*** Kennan has left #openstack-keystone01:18
samueldmqmorganfainberg: ayoung ping - policy cache strategy, cache control01:27
ayoungsamueldmq, fire away01:30
*** davechen_away is now known as davechen01:31
samueldmqayoung: still didn't get the exact solution, I mean, how it solves the issue01:31
ayoungsamueldmq, heh...there was a lot of talk, wasn't there01:32
samueldmqayoung: cache_control is the timeout in which processes will ask keystone for the policy01:32
ayoungsamueldmq, so...I'm less worried about this than morganfainberg is.  But, I'll try to answer01:33
ayoungthe general idea is that we want to state that a certain point in time is when the policy gets changed over, so that all machines are in sync, and answer the policy questions the same way01:33
ayoungso, we want to tell machines:  if your policy is older than x Go get a new one01:34
ayoungnow, that alone won't synchronize, as the machines will time out at different times01:34
samueldmqayoung: exactly01:35
samueldmqayoung: go ahead :)01:35
ayoungso, what we want to say is something like:  ok,  make the timeout on this policy shorter than normal, cuz the next fetch will be a new policy file...or something like that01:35
ayoungit means that policy can't go in to effect immediately01:35
*** david-ly_ is now known as david-lyle01:36
ayoungfrom the client side, it just knows how long to hold on to a file before rechecking01:36
ayoungI think all the delay will happen from  the server side.01:36
samueldmqayoung: something like: keystone knows the policy is updated, so emit cache_control = 0 to this endpoint_url, so they will all update policy01:38
samueldmqayoung: when the first token gets there01:38
ayoungsamueldmq, something like that.01:38
ayoungsamueldmq, I was thinking the freshness header01:38
ayoungso,  say the timeout is 5 minutes, now we enable a new policy, it will be delivered in 5 minutes01:38
*** tqttran_afk has quit IRC01:38
ayoungall of the other machines will fetch policy between now and then. But, in 5 minutes, they will be sure to get the new file01:39
samueldmqayoung: hmmm yes01:39
ayoungso we tell them all that the file expires at the same time01:39
samueldmqayoung: one can get very quick; other can take 5 minutes01:39
samueldmqayoung: wait ... what if ..01:40
ayoungsamueldmq, stampeding herd the way I described it? yeah01:40
samueldmqayoung: we will pass a very short cache_control once keystone knows there is a new policy to be synchronized01:41
samueldmqayoung: but what if a process gets a new token (so updated cache_control, which is very low)01:41
*** _cjones_ has quit IRC01:41
samueldmqayoung: but other get an older token; which hasn't an update cache_control?01:41
ayoungsamueldmq, so..I'm not 100% sure, but we could do something like return a code saying "  a new policy file has been distributed, but is not yet active: please fetch it, too"01:44
ayoungand then policy would hold on to both..and activate the new one when the old one expired01:44
ayoungsamueldmq, you get the general idea...we can keep working to get the details down.01:45
ayoungI need to work on a demo here, so, have to checkout for a bit01:45
*** dims_ has quit IRC01:45
samueldmqayoung: yes, and that's better than having basic fixed timeouts on the middleware01:45
samueldmqayoung: thanks01:46
*** davechen is now known as davechen_afk01:50
*** roxanaghe has quit IRC01:50
*** dims has joined #openstack-keystone01:50
samueldmqayoung: dumb question, I can say 13:00 UTC and all processes will understand it01:53
samueldmqayoung: instead of communicating with timeouts ?01:54
ayoungsamueldmq, I think so.01:54
samueldmqayoung: so tokens could communicate to processes the time for the last update of policy01:56
samueldmqayoung: then if now() > last_update: FETCH!01:56
*** dontalton has quit IRC01:56
samueldmqayoung: however that's similar to cache_control = 0, or something like that01:56
*** spandhe has quit IRC01:57
ayoungsamueldmq, I don't think it would be in the tokens.  All data would have to be passed in the policy fetch01:58
samueldmqayoung: cache_control is in the policy?01:59
ayoungsamueldmq, I need to work on something else right now.  Sorry02:00
samueldmqayoung: np, thanks02:00
samueldmqayoung: talk to you tomorrow02:00
*** dims has quit IRC02:04
*** stevemar has joined #openstack-keystone02:07
*** dims has joined #openstack-keystone02:10
*** fangzhou has quit IRC02:14
*** dramakri has quit IRC02:15
*** rm_work is now known as rm_work|away02:18
*** Rockyg has quit IRC02:22
*** nkinder has joined #openstack-keystone02:33
*** ankita_wagh has quit IRC02:35
*** mestery has joined #openstack-keystone02:44
*** mestery has quit IRC02:57
*** mestery has joined #openstack-keystone02:57
*** dims has quit IRC02:58
*** stevemar has joined #openstack-keystone03:03
*** ChanServ sets mode: +v stevemar03:03
*** amit213 has quit IRC03:12
*** amit213 has joined #openstack-keystone03:13
*** stevemar has quit IRC03:15
*** davechen has joined #openstack-keystone03:15
morganfainbergsamueldmq, ayoung: the cache_control would be dynamic so it always refreshes on the same interval. so say we had a cache_control of 5 min refresh, we would if asked right at the 5 min mark say 300s freshness03:18
morganfainbergsamueldmq, ayoung: if it was 2.5 minutes through the window, we'd cache_control freshness for 150s03:18
morganfainbergthe math is to slice into the windows for update, and then always ensure freshness expires at the same moment for a given policy file03:19
*** tobe has quit IRC03:26
*** mabrams has joined #openstack-keystone03:28
morganfainbergi think freshness is: (ttl_window - ((int(time.time() - upload_time) % ttl_window)))03:30
morganfainbergthat looks right03:30
morganfainbergassuming upload_time is unix_epoch03:31
morganfainbergthis could be done with date_time objects and deltas soo03:31
*** stevemar has joined #openstack-keystone03:31
morganfainbergsamueldmq, ayoung, ^ and that would ensure that all nodes for the given policy would refresh at the same time(well next request)03:32
*** stevemar has quit IRC03:32
morganfainbergthe last element to add is a fixed (seeded) RNG in to avoid thundering herd03:33
morganfainbergso only a given set of endpoints (URL) will refresh at that moment03:33
ayoungmorganfainberg, won't that have a stampeding herd, unless we say to also fetch the new file03:33
morganfainbergayoung: not if we box it to the url03:33
morganfainbergso RNG(seed=sha(URL)) and use that as the offset03:34
morganfainbergor something similar03:34
ayoungmorganfainberg, we do freshness + an indicator to fetch the new policy file, too, and just stagger the machines03:34
morganfainbergayoung: we'd use IMS03:34
ayoungso it holds the new policy file in readiness, but does not deploy it until the old one expires03:34
morganfainbergso what IMS does is it says "has this been modified" - yes? send the whole file, else NOT_MODIFIED(cache_control update)03:34
morganfainbergayoung: we can do that as well03:35
morganfainbergayoung: and have a "not_released_until" field, but that can be strictly inside keystone. - i don't think that needs to live at the endpoint03:35
ayoungmorganfainberg, maybe we could do it as a multipart, with each policy file being a separate part03:35
morganfainbergayoung: there are many ways to skin it.03:36
morganfainbergayoung: i'm trying to avoid needing to store local metadata at the endpoint03:36
*** richm has quit IRC03:36
ayoungmorganfainberg, I can't help but feel I am overdesigning03:36
morganfainbergjust the policy file03:36
morganfainbergand if you don't have a TTL and fetch is enabled, you do a non-IMS fetch03:36
morganfainbergor an IMS fetch based on the m_time of the policy cache03:37
ayoungwe going to use dogpile for the cache?03:37
morganfainbergayoung: we could. we could also just use posix03:37
ayoungwould be nice to be able to identify that multiple requests are coming in, and they should all just block until one fetch of policy is done, not have each make their own03:38
morganfainbergayoung: i'm not picky how we store the cache at the endpoint. we can discuss best choices (dogpile has advantages and disadvantages)03:38
morganfainbergayoung: dogpile can do async runners to help03:38
morganfainbergit's a lot of code, we could start with simple POSIX and atomic renames03:38
ayoungyeah, I think that might be a better approach than having ATM be involved03:38
morganfainbergand then move to dogpile after. the cache_control and IMS checks [with an offset] should be enough and fairly simple logic03:38
*** tobe has joined #openstack-keystone03:39
morganfainbergand it does have the benefit of no extra metadata needs to be persisted to disk at the endpoint, just the policy cache03:40
morganfainbergs/disk/whatever cache store we use/03:40
morganfainbergayoung: but leveraging dogpile can be done, we can even use the async runner and uhmm.. they call it... uhhh basically a window, so you can say "even though this is expired, you keep using it for X seconds while i fetch the new thing"03:43
morganfainbergayoung: but it also would be easy to use the posix file-lock-method, all processes block while fetch occurs, fetch, rename, unblock IMS checks say NOT_MODIFIED03:44
morganfainbergor similar03:44
ayoungmorganfainberg, so...I would prefer it if the fetch happened async, and not in the thread making the request03:45
ayoungit would avoid a slowdown every time we expire policy03:46
morganfainbergayoung: we'd need to spin off a process03:46
morganfainbergayoung: because $GIL03:46
morganfainbergbut doable03:46
*** ayoung is now known as ayoung-ZZZzzz__03:46
lifelessmorganfainberg: wait what?03:47
lifelessmorganfainberg: GIL is not the same as no concurrency, it's just no concurrent bytecode03:47
morganfainberglifeless: if we are doing I/O in a blocking manner - we can't guarantee we'd yield back to the coroutines if eventlet03:48
morganfainberglifeless: if single-process / worker models, we'd block more/less03:48
lifelessmorganfainberg: I thought you ditched eventlet ?03:48
morganfainbergif the fetch occurred in-thread of the request processor03:48
morganfainberglifeless: this is something all endpoints would need to use03:48
morganfainberglifeless: not just keystone03:49
lifelesscan you summarise the blocking IO you're planning?03:49
morganfainberglifeless: it's a question of the best way to fetch a file from keystone w/o blocking everything03:49
morganfainberglifeless: TTL of the policy cache is expired, we need to do an If modified since check03:49
lifelessthat's network, it isn't blocking in eventlet03:49
morganfainbergand if modified, write the new file out to our cache and reload03:50
morganfainbergthe write-out+reload would be blocking iirc03:50
*** ankita_wagh has joined #openstack-keystone03:50
morganfainbergdepending on the cache used03:50
lifelessdisk IO reads and writes will release the GIL03:50
morganfainbergif we do posix, non-issue03:50
morganfainbergif we use other options it could be an issue if it's c-based bindings03:50
lifelessanything C needs to be eventlet trampoline aware03:51
lifelessanything in CPython is fine I suspect03:51
morganfainberglifeless: so i was just hedging the statement we might need to spin out a process for a true async03:51
morganfainbergbut i didn't want to get too deep into it until we started writing code03:51
morganfainbergand evaluating how we wanted to fetch03:51
lifelessso sure03:51
morganfainbergnot sure if dbm is trampoline aware03:52
lifelessis there a spec around this03:52
morganfainbergwhich is one of the options if we didn't do straight posix write to disk, but a dogpile-background03:52
lifelessbecause it's sounding a lot more complex than anything I'd have imagined03:52
morganfainberglifeless: there is, but they are being written up now based on our new liberty specific targets03:52
morganfainberglifeless: the three [4?] simple elevator pitch goals03:53
lifelesswhy an external cache at all03:53
morganfainbergin order03:53
lifelessand why synchronous expiry at all03:53
morganfainberg1: oslo.policy can merge base-line policy with overrides03:53
morganfainberglifeless: if we centralize policy and you have multiple nova-apis (think HA/master-master) on separate nodes, you need the overrides to land at the same time03:53
lifelessmorganfainberg: then you need a consensus protocol03:54
morganfainbergor you get the chance of requests being rejected / accepted inconsistently03:54
lifelessmorganfainberg: or 'same time' is not rigorously defined03:54
morganfainberglifeless: if we assume (and this is true) we'd fetch on "next request after TTL expires", we can use cache_control freshness to ensure we fetch at the same request interval03:54
morganfainberglifeless: and IMS checks to see if we have an update in a light-weight manner03:55
*** lhcheng has quit IRC03:55
morganfainbergmultiple processes on a single node currently read from the same posix file. we could just rely on that03:55
morganfainbergit's the multi-node scenario we run into issues with03:55
morganfainbergthis all stems from the fact that if we no longer use CMS to deploy a policy file (aka puppet), you don't have control over the windows (or as much) for when a file would be picked up03:56
morganfainbergin the case someone used the CRUD interface03:56
morganfainbergand it produces very very very very bad things potentially when balancing requests between nodes03:56
*** charlesw has quit IRC04:01
*** dramakri has joined #openstack-keystone04:04
*** vilobhmm has joined #openstack-keystone04:14
*** stevemar has joined #openstack-keystone04:14
*** mestery has quit IRC04:19
*** mestery_ has joined #openstack-keystone04:19
*** ncoghlan has joined #openstack-keystone04:29
*** arunkant_ has joined #openstack-keystone04:35
*** stevemar2 has joined #openstack-keystone04:37
*** ChanServ sets mode: +v stevemar204:37
*** arunkant__ has joined #openstack-keystone04:37
*** arunkant has quit IRC04:38
*** arunkant_ has quit IRC04:41
*** arunkant has joined #openstack-keystone04:42
*** arunkant__ has quit IRC04:44
*** csoukup has joined #openstack-keystone04:45
*** c_soukup has joined #openstack-keystone04:48
*** csoukup has quit IRC04:50
*** c_soukup has quit IRC04:59
*** csoukup has joined #openstack-keystone04:59
*** spandhe has joined #openstack-keystone05:04
*** dramakri has left #openstack-keystone05:05
*** stevemar has quit IRC05:06
*** stevemar has joined #openstack-keystone05:07
*** mestery_ has quit IRC05:09
*** smija has quit IRC05:12
*** rm_work|away is now known as rm_work05:13
*** henrynash has joined #openstack-keystone05:18
*** ChanServ sets mode: +v henrynash05:18
*** stevemar has quit IRC05:18
*** stevemar has joined #openstack-keystone05:19
*** lhcheng has joined #openstack-keystone05:26
*** ChanServ sets mode: +v lhcheng05:26
*** vilobhmm has quit IRC05:26
davechenstevemar: I am going to update DB scripts for the other entities, update the FK constraint to replace the 'RESTRICT' with 'CASCADE'.05:27
stevemardavechen: which others are you thinking05:28
davechenstevemar: Have replied to your comments.05:28
davechenstevemar: a lot of.05:28
davechenstevemar: endpoint/service, endpoint/service05:28
davechenyep, I am wondering whether there is a need to address them all.05:29
stevemari think the access tokens / consumers are cleaned up decently05:29
davechenstevemar: but as to your comments for that patch, I think it's covered since we use SQLITE by default.05:29
davechenstevemar: I will check them later.05:30
davechennot covered, sorry.05:30
davechenjust suppose one day, we will enable MYSQL, DB2 etc, then the testcase will be tested well.05:31
mfischdolphm: lbragstad fernet is in prod05:31
mfischautomation worked like a champ05:31
mfisch16s downtime all due to upgrading the packages05:31
davechenstevemar: If there is not big mistake, or silly mistake in that patch, let me propose other patches for other entities.05:32
stevemarmfisch: that's insanely good05:33
stevemardavechen: sure, it couldn't hurt, thanks for working on this stuff05:33
davechenstevemar: your MAC is back to work? :)05:33
stevemardavechen: almost :\ still getting the hang of it05:34
davechenstevemar: dont say that, I must thank you for instruct me such things to do.05:34
stevemarit's all good :)05:35
davechenstevemar: it must be a long day, for your valuable MAC book. :)05:35
stevemardavechen: trying to get our corporate mail all set up05:36
stevemarproving to be difficult...05:36
stevemardavechen: worse, notes hehe05:37
davechenstevemar: take care, man!05:37
*** markvoelker has quit IRC05:43
*** browne has quit IRC06:01
marekdmorganfainberg: hey, hopefully i will get to the point where i will start (finally!) implement functional tests for OS-FEDERATION.06:01
marekdmorganfainberg: (re co your valid comment on )06:01
*** raildo has quit IRC06:04
*** samueldmq has quit IRC06:04
*** iurygregory has quit IRC06:05
*** tellesnobrega has quit IRC06:05
*** ericksonsantos has quit IRC06:05
*** pnavarro|off has quit IRC06:08
*** stevemar has quit IRC06:09
*** tobe has quit IRC06:14
*** arunkant_ has joined #openstack-keystone06:17
*** arunkant__ has joined #openstack-keystone06:18
*** csoukup has quit IRC06:18
*** arunkant has quit IRC06:20
marekdstevemar2: good evening sir!06:21
marekdstevemar2: need your help on . I added bug reference so I hope i can count on a +2!06:21
*** arunkant_ has quit IRC06:22
*** tobe has joined #openstack-keystone06:33
openstackgerritDave Chen proposed openstack/keystone: Show friendly message when request body is empty
*** toddnni has quit IRC06:41
*** toddnni_ has joined #openstack-keystone06:41
*** jaosorior has joined #openstack-keystone06:41
*** toddnni_ is now known as toddnni06:41
*** ankita_wagh has quit IRC06:42
*** markvoelker has joined #openstack-keystone06:43
*** markvoelker has quit IRC06:49
*** stevemar has joined #openstack-keystone06:50
*** belmoreira has joined #openstack-keystone06:53
*** stevemar has quit IRC06:54
*** stevemar has joined #openstack-keystone06:54
*** stevemar has quit IRC06:56
*** aix has joined #openstack-keystone06:56
*** spandhe has quit IRC06:58
*** bradjones has quit IRC07:02
*** bradjones has joined #openstack-keystone07:04
*** bradjones has quit IRC07:04
*** bradjones has joined #openstack-keystone07:04
*** stevemar2 has quit IRC07:13
*** rlt_ has joined #openstack-keystone07:15
*** lsmola has joined #openstack-keystone07:28
*** ankita_wagh has joined #openstack-keystone07:36
*** tobe has quit IRC07:48
*** tobe has joined #openstack-keystone08:04
*** ankita_wagh has quit IRC08:09
*** dguerri` is now known as dguerri08:21
*** lhcheng has quit IRC08:24
openstackgerritDave Chen proposed openstack/keystone: Move resource(domain, project) testcase into their own module
*** e0ne has joined #openstack-keystone08:32
openstackgerritDave Chen proposed openstack/keystone: Move resource related testcase into their own module
*** markvoelker has joined #openstack-keystone08:32
*** e0ne has quit IRC08:37
*** markvoelker has quit IRC08:37
openstackgerritDave Chen proposed openstack/keystone: Move resource related testcase into their own module
openstackgerritDave Chen proposed openstack/keystone: Move resource related testcase into their own module
*** henrynash has quit IRC09:09
*** e0ne has joined #openstack-keystone09:10
*** fhubik has joined #openstack-keystone09:10
*** ncoghlan has quit IRC09:13
*** e0ne is now known as e0ne_09:16
*** e0ne_ has quit IRC09:22
*** henrynash has joined #openstack-keystone09:24
*** ChanServ sets mode: +v henrynash09:24
*** henrynash has quit IRC09:30
*** e0ne has joined #openstack-keystone09:33
*** lufix has joined #openstack-keystone09:37
*** henrynash has joined #openstack-keystone09:38
*** ChanServ sets mode: +v henrynash09:38
*** fhubik is now known as fhubik_afk09:43
*** stevemar has joined #openstack-keystone09:44
*** fhubik_afk is now known as fhubik09:45
*** stevemar has quit IRC09:45
*** davechen has left #openstack-keystone09:51
*** amakarov_away is now known as amakarov09:54
*** henrynash has quit IRC10:00
*** nkinder has quit IRC10:03
*** nkinder has joined #openstack-keystone10:04
*** edmondsw has joined #openstack-keystone10:06
*** edmondsw has quit IRC10:06
*** edmondsw has joined #openstack-keystone10:07
*** dims has joined #openstack-keystone10:14
*** husanu3 has joined #openstack-keystone10:19
*** markvoelker has joined #openstack-keystone10:21
*** fhubik is now known as fhubik_afk10:23
*** husanu3 has quit IRC10:25
*** markvoelker has quit IRC10:25
*** fhubik_afk is now known as fhubik10:25
*** husanu1 has joined #openstack-keystone10:26
*** nkinder has quit IRC10:28
*** husanu1 has quit IRC10:28
openstackgerritMarek Denis proposed openstack/keystone: OS-FEDERATION no longer extension in docs
*** husanu4 has joined #openstack-keystone10:30
*** husanu4 has quit IRC10:31
openstackgerritMarek Denis proposed openstack/keystone: Update federation driver name in documentation
*** e0ne is now known as e0ne_10:31
*** jasondot_ has joined #openstack-keystone10:32
*** e0ne_ has quit IRC10:36
*** jasondot_ is now known as jasondotstar10:37
*** nkinder has joined #openstack-keystone10:47
*** e0ne has joined #openstack-keystone10:55
*** fhubik is now known as fhubik_afk11:01
*** dims has quit IRC11:02
*** dims has joined #openstack-keystone11:05
*** evrardjp has quit IRC11:07
*** dims_ has joined #openstack-keystone11:10
*** dims has quit IRC11:11
*** tobe has quit IRC11:11
*** evrardjp has joined #openstack-keystone11:11
*** e0ne is now known as e0ne_11:15
*** dims_ has quit IRC11:16
*** david-lyle has quit IRC11:17
*** fhubik_afk is now known as fhubik11:19
*** fhubik is now known as fhubik_afk11:20
*** dims has joined #openstack-keystone11:21
*** david-lyle has joined #openstack-keystone11:21
*** e0ne_ has quit IRC11:26
*** e0ne has joined #openstack-keystone11:28
*** ericksonsantos has joined #openstack-keystone11:33
*** tellesnobrega has joined #openstack-keystone11:36
*** markvoelker has joined #openstack-keystone11:37
*** samueldmq has joined #openstack-keystone11:37
*** bradjones has quit IRC11:38
*** EmilienM|off is now known as EmilienM11:38
*** bradjones has joined #openstack-keystone11:41
*** bradjones has quit IRC11:41
*** bradjones has joined #openstack-keystone11:41
*** markvoelker has quit IRC11:41
marekdsamueldmq: hello11:49
marekdsamueldmq: i have a question - can you update me quickly on status of HMT and reseller in Keystone?11:50
marekdwhat's already landed and what will be landed in L ?11:50
*** jasondotstar has quit IRC11:50
samueldmqmarekd: I know the support for Hierarchical Projects was landed in K11:54
samueldmqmarekd: Reseller itself (hierarchical domains) and the way we get tokens in that hierarchy is being addressed in L11:55
marekdsamueldmq: but this only allows us to build hierarchy of the projects.11:55
samueldmqmarekd: I can't tell you more details, the other guys here can tell you more11:55
*** raildo has joined #openstack-keystone11:56
samueldmqmarekd: they've been working on this subject as their primary priority11:56
samueldmqmarekd: raildo! ^11:56
marekdaha, i thought you were too11:56
marekdrodrigods: raildo ^^11:56
raildoi need read the log... 1 min11:56
samueldmqraildo: marek wants a quick update on status of HMT and reseller in Keystone?11:56
samueldmqraildo: what's already landed and what will be landed in L ?11:56
samueldmqraildo: that's all :-)11:57
raildook :) thanks11:57
samueldmqmarekd: I am focused on the dynamic policies things, I know what is going on with reseller and stuff, but not in very details11:57
raildowe have the implementation ready, if you want to review:,n,z11:58
*** markvoelker has joined #openstack-keystone11:58
raildoand now, we are just waiting the henrynash's spec about add is_domain to tokens for projects acting as a domain be approved, to implement with this other patches.11:58
raildomarekd, ^11:59
marekdraildo: Thanks. OK, so HMT basically gives us only a project hierarchy, right?12:01
marekdand all this project-domain thing is a Reseller stuff12:01
raildoHMT project hierarchy + inherited roles assignment for this hierarchy12:02
marekdis HMT somehow usable without Reseller ?12:02
raildomarekd, we see some use cases, like if you want to organize a departmental division for a company and distribute the resources in subprojects12:03
marekdlet's say i have a big department in my company and i want to offload the governance of their resources (squeezed in one domain) to them. HMT without reseller will let me do that?12:04
raildoor if you want to provide inherited role assignments for a group of projects, so you can assign a role in just in a part of the hierarchy12:04
*** fhubik_afk is now known as fhubik12:04
*** henrynash has joined #openstack-keystone12:05
*** ChanServ sets mode: +v henrynash12:05
raildohum... with only the HMT implementation, you need to create a different domain for this department12:05
marekdraildo: yeah, sure12:06
marekdsay i have 4 big independent  experiments  at CERN12:06
marekdand i don't want to have to assign quotas/add/rm users12:07
marekdi want to let them do this by themselves.12:07
raildook... only with HMT, you have to create a domain for each department and create a domain_admin . the problem is to control this domain, (if you want in a future, delete this resources) you must need to be domain_admin too.12:09
raildoor a cloud_admin12:09
raildowith reseller will be easier to control this, since you can create like a subdomain...12:09
marekdraildo: ok, takeaway message is projects will be domains12:10
raildomarekd, with reseller you will be able to create: domain  -> subdomain -> subdomain -> project - subproject ...12:12
raildomarekd, when I say subdomain is project.is_domain=True :P12:12
*** htruta has joined #openstack-keystone12:12
raildoso, you can isolate the users in each subdomain ( you can manage subdomains or not, but by default you can't manage)12:13
marekd -> already got 2x+2 from IBM. Can I get +A on this?12:14
marekdraildo: it's too complicated to mee :P12:15
* raildo need to find a way to explain this in a easy way12:16
samueldmqmorganfainberg: I'll be writing that policy fetch + cache approach in the spec today12:17
samueldmqmorganfainberg: so I have things to discuss/confirm with you :-)12:17
*** bknudson has joined #openstack-keystone12:19
*** ChanServ sets mode: +v bknudson12:19
samueldmqmorganfainberg: basically we have a TTL for a policy (aka freshness), and when this TTL expires, we do an IMS request to keystone12:20
samueldmqmorganfainberg: however, this doesn't guarantee that TTL will be expiring at the same time in different processes12:21
*** fhubik is now known as fhubik_afk12:22
samueldmqmorganfainberg: because they'll time out at different times12:23
*** fhubik_afk is now known as fhubik12:26
*** btully has quit IRC12:28
*** btully has joined #openstack-keystone12:28
samueldmqmorganfainberg: unless, as Keystone, I know the policy was updated as 12:00 UTC, and I know TTL is 300 seconds, so I tell that policy cannot be used before 12:05 UTC12:31
*** dims has quit IRC12:31
*** dims has joined #openstack-keystone12:31
*** david-ly_ has joined #openstack-keystone12:35
*** david-lyle has quit IRC12:39
*** jasondotstar has joined #openstack-keystone12:46
*** iurygregory has joined #openstack-keystone12:47
*** bradjones has quit IRC12:47
*** bradjones has joined #openstack-keystone12:50
*** bradjones has quit IRC12:50
*** bradjones has joined #openstack-keystone12:50
*** ajayaa has joined #openstack-keystone12:50
*** husanu1 has joined #openstack-keystone12:50
*** husanu1 has quit IRC12:52
*** tellesnobrega_ has joined #openstack-keystone12:55
*** Ctina has joined #openstack-keystone12:56
*** husanu5 has joined #openstack-keystone12:56
ajayaaHi guys. Can I use domain scoped tokens with Keystoneclient? I am passing username, user_domain_name and password argument to Client object.12:59
ajayaaWhen I try to list users, I get EndpointNotFound exception.12:59
ajayaaAm I doing something wrong?13:00
*** husanu5 has quit IRC13:00
lbragstad mfisch congrats!13:03
lbragstadmfisch: any issues?13:03
*** e0ne is now known as e0ne_13:04
*** e0ne_ is now known as e0ne13:04
*** belmoreira has quit IRC13:05
*** afazekas has joined #openstack-keystone13:08
*** radez is now known as radez_g0n313:08
*** pnavarro has joined #openstack-keystone13:09
*** husanux1 has joined #openstack-keystone13:13
*** husanux1 has quit IRC13:13
*** husanux3 has joined #openstack-keystone13:14
*** husanux3 has quit IRC13:18
*** husanux6 has joined #openstack-keystone13:20
ajayaalbragstad, any idea on the above question?13:20
*** e0ne is now known as e0ne_13:20
lbragstadajayaa: what if you pass a project to scope to in the client instead?13:21
*** husanux6 has quit IRC13:21
*** stevemar has joined #openstack-keystone13:21
ajayaaI concluded that project scoped token does not contain domain information.13:21
lbragstadajayaa: can you confirm that the user has access to the project?13:21
ajayaaI can see that in mysql.13:21
*** e0ne_ is now known as e0ne13:22
lbragstadajayaa: so you tried passing the id of the project you have an assignment on here?.
ajayaaI passed project_name13:23
lbragstadajayaa: I could be wrong, but if you pass project name you might have to pass in the domain id/name of that project too13:23
lbragstadajayaa: try using the project id,13:24
ajayaalbragstad, You are right.13:24
lbragstadsince that is globally unique13:24
lbragstad(in a deployment)13:24
*** stevemar has quit IRC13:24
*** husanux0 has joined #openstack-keystone13:25
ajayaaYou do have to pass that.13:25
lbragstadajayaa: is everything created under your 'default' domain?13:25
*** husanux0 has quit IRC13:29
ajayaalbragstad, No.13:29
ajayaaThere is an admin domain.13:29
lbragstadok, and that is separate from the CONF.identity.default_domain_id that you have specified?13:30
lbragstadand you have a project created under that domain?13:30
ajayaaWhen I pass a domain scoped token using curl, I can do a list user. I want to be able to do the same thing using python-keystoneclient. Instead I get Endpointnotfound exception. (Just to clarify my question.)13:31
openstackgerritSean Dague proposed openstack/keystone: WIP: Expose functions for wsgi_scripts support
ajayaalbragstad, Yes, I do have a project created under that domain.13:31
lbragstadajayaa: hmmm interesting... let me see if I can recreate that locally.13:32
ajayaalbragstad, Thanks. That will be helpful.13:32
ajayaalbragstad, What I am trying to do is write some functional tests using keystoneclient since tempest tests are practically useless if you change the policies.13:33
ajayaatempest identity tests*13:33
*** liusheng has quit IRC13:35
lbragstadajayaa: are you using the v3 or the v2 client?13:38
*** fhubik is now known as fhubik_afk13:38
ajayaalbragstad, v3.13:39
*** zzzeek has joined #openstack-keystone13:39
ajayaav2 only works with default domain, I suppose.13:39
ajayaaI am planning to move our stuff to v3 completely.13:39
*** henrynash has quit IRC13:40
*** charlesw has joined #openstack-keystone13:47
*** samueldmq has quit IRC13:51
*** iurygregory has quit IRC13:51
*** tellesnobrega has quit IRC13:51
*** tellesnobrega_ has quit IRC13:51
*** ericksonsantos has quit IRC13:51
*** raildo has quit IRC13:51
*** htruta has quit IRC13:51
ajayaalbragstad, you there?13:58
*** iamjarvo has joined #openstack-keystone13:59
*** tellesnobrega has joined #openstack-keystone14:01
*** stevemar has joined #openstack-keystone14:06
*** ChanServ sets mode: +v stevemar14:06
*** stevemar_ has joined #openstack-keystone14:06
*** r-daneel has joined #openstack-keystone14:09
lbragstadajayaa: yep, still trying to recreate14:10
*** ajayaa has quit IRC14:10
*** tellesnobrega has quit IRC14:11
*** e0ne is now known as e0ne_14:13
*** tellesnobrega has joined #openstack-keystone14:14
*** tellesnobrega_ has joined #openstack-keystone14:21
*** e0ne_ has quit IRC14:23
*** tellesnobrega has quit IRC14:24
*** richm has joined #openstack-keystone14:24
*** raildo has joined #openstack-keystone14:28
*** fhubik_afk is now known as fhubik14:30
*** fhubik is now known as fhubik_afk14:32
*** htruta has joined #openstack-keystone14:33
*** vilobhmm has joined #openstack-keystone14:33
*** samueldmq has joined #openstack-keystone14:33
samueldmqmorganfainberg: I think I finally got it14:34
samueldmqmorganfainberg: keystone knows cache_timeout for endpoints on url nova_url is 5 minutes14:35
morganfainbergsamueldmq: spend less time on how we refresh cache. There are many ways to do it14:35
morganfainbergJust that we need to do it.14:35
samueldmqmorganfainberg: yes, I just got it, just want to confirm :(14:35
samueldmqmorganfainberg: I am going to update the spec with the solution14:35
morganfainbergSort of. Let's just focus on the other stuff and at mid cycle hash this caching stuff out.14:36
*** e0ne has joined #openstack-keystone14:36
morganfainbergIt'll be easier to draw out.14:36
samueldmqmorganfainberg: I will write it in the spec, so we can have a formal and clear definition of the solution (or at least one possibility)14:37
samueldmqmorganfainberg: and if we kind of agree on that, I can implement in my 'fetch and cache policy from middleware' patch14:38
samueldmqmorganfainberg: midcycle is ~1 month, I will ping you once I have something14:38
morganfainbergsamueldmq: sure. But like I said the other bits are really important.14:38
morganfainbergFetch and cache does nothing without the changes to Oslo.policy14:39
samueldmqmorganfainberg: like associating the policy with an URL?14:39
samueldmqmorganfainberg: oslo.policy doing the overlay14:39
morganfainbergAssociating with a url likewise isn't useful without the overlay capability14:39
morganfainbergSee what my priority is ? :)14:39
samueldmqmorganfainberg: yes, what I just said above ^ :-)14:39
samueldmqmorganfainberg: sure, we need to have clear specs for all them though14:40
samueldmqmorganfainberg: and the priority for implementation is the oslo.policy change, for sure14:40
samueldmqmorganfainberg: I got what you say, thanks14:40
*** woodster_ has joined #openstack-keystone14:42
samueldmqmorganfainberg: when are you planning to talk to other folks with this scope we defined for L ? (sdague and nova guys, specifically)?14:43
*** csoukup has joined #openstack-keystone14:43
samueldmqmorganfainberg: I mean, once we have a consistent minimum of specs defined (well defined), that's easier to get it to them14:43
samueldmqI am going to start with the needed work on the specs today, then implementation of overlay in oslo.policy14:44
samueldmqayoung-ZZZzzz__: cc ^14:44
*** iurygregory has joined #openstack-keystone14:46
morganfainbergsamueldmq: cool.14:51
morganfainbergsamueldmq: just expect that some of this fetch stuff etc is all going to be hashed out at mid cycle.14:52
morganfainbergsamueldmq: because we need to look at the design.14:52
morganfainbergAnd make sure we're not over/under designing it14:52
*** stevemar has quit IRC14:55
bknudsonmorganfainberg: -infra asked that I also give somebody auth to merge the feature branch back to master --
*** fhubik_afk is now known as fhubik14:55
*** mestery has joined #openstack-keystone14:56
morganfainbergbknudson: will +1 that shortly14:57
*** browne has joined #openstack-keystone14:59
*** mabrams has quit IRC15:00
*** fifieldt has joined #openstack-keystone15:00
*** david-ly_ is now known as david-lyle15:01
*** fifieldt has quit IRC15:01
*** thedodd has joined #openstack-keystone15:01
*** fifieldt has joined #openstack-keystone15:01
*** ajayaa has joined #openstack-keystone15:02
*** charlesw_ has joined #openstack-keystone15:03
*** ayoung-ZZZzzz__ is now known as ayoung15:04
*** charlesw has quit IRC15:05
*** charlesw_ is now known as charlesw15:05
*** iamjarvo has quit IRC15:10
*** jasondotstar has quit IRC15:10
*** diazjf has joined #openstack-keystone15:12
*** iamjarvo has joined #openstack-keystone15:15
*** edmondsw has quit IRC15:16
*** ayoung is now known as ayoung-afk15:18
*** ajayaa has quit IRC15:23
morganfainbergbknudson: +115:25
*** edmondsw has joined #openstack-keystone15:25
*** charlesw has quit IRC15:28
*** henrynash has joined #openstack-keystone15:30
*** ChanServ sets mode: +v henrynash15:30
*** e0ne is now known as e0ne_15:35
*** e0ne_ is now known as e0ne15:37
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Expand endpoint filters to service providers
*** jasondotstar has joined #openstack-keystone15:45
*** ajayaa has joined #openstack-keystone15:46
rodrigodshenrynash, should be approved today, right?15:48
*** pballand has joined #openstack-keystone15:49
diazjfmarekd, rodrigods, fixed up the mapping documentation. Can you take a look when you have a chance.
diazjfthanks :)15:50
*** vilobhmm has quit IRC15:51
rodrigodsdiazjf, of course, thx15:51
*** crc32 has joined #openstack-keystone15:52
lbragstadajayaa: I ended up getting forbidden issues after I created a new domain that contained a new project15:53
lbragstadajayaa: I assigned a new user a role on that domain and I was able to get a domain scoped token,15:53
lbragstadajayaa: but when I passed it to the Client() as token, it returned forbidden when I did any sort of operation15:53
ajayaaDid you try a curl with the domain scoped token?15:55
ajayaalbragstad ^^15:55
lbragstadajayaa: curl as in validate via curl or get users via curl?15:56
lbragstadno i didn't15:56
*** e0ne is now known as e0ne_15:56
lbragstadI just tried passing it to the Client()15:56
ajayaacurl http://localhost:5000/v3/users -H "X-Auth-Token: $TOKEN"15:57
ajayaaI didn't pass it to client. Tried with curl and it worked.15:57
lbragstadok, i feel like that'd be a question for jamielennox|away15:57
henrynashrodigods: don’t see why not!15:59
*** lufix has quit IRC15:59
*** arunkant_ has joined #openstack-keystone15:59
ajayaalbragstad, I passed token to the client now and tried 'users.list()'. It gave EndpointNotFound exception again.16:00
ajayaaI will ask him jamielennox when he comes online.16:01
*** arunkant__ has quit IRC16:03
*** e0ne_ has quit IRC16:06
openstackgerritDolph Mathews proposed openstack/keystone-specs: User groups in token bodies
*** e0ne has joined #openstack-keystone16:11
*** samueldmq has quit IRC16:12
*** iurygregory has quit IRC16:12
*** htruta has quit IRC16:12
*** tellesnobrega_ has quit IRC16:12
*** raildo has quit IRC16:12
crc32Something in devstack is cloning keystone into /opt/stack/keystone but then inserts a bunch of changes into requirements.txt and test-requirements.txt. The changes break the install of devstack. When I went to the git logs the changes appear to be made by me at the time I attempted to so I'm guessing devstack just decided to stick a bunch of version changes into keystone. How do I prevent this since the16:13
crc32 is_projects_in_txts function seems broken.16:13
*** RichardRaseley has joined #openstack-keystone16:17
*** geoffarnold has joined #openstack-keystone16:19
*** fhubik is now known as fhubik_afk16:20
*** tellesnobrega has joined #openstack-keystone16:22
*** geoffarnold has quit IRC16:23
*** afazekas has quit IRC16:23
*** geoffarnold has joined #openstack-keystone16:24
*** raildo has joined #openstack-keystone16:27
*** diazjf has quit IRC16:30
*** diazjf has joined #openstack-keystone16:35
*** jaosorior has quit IRC16:35
*** lufix has joined #openstack-keystone16:37
*** radez_g0n3 is now known as radez16:38
*** fhubik_afk is now known as fhubik16:40
*** kiranr has joined #openstack-keystone16:42
*** htruta has joined #openstack-keystone16:43
*** kiranr has quit IRC16:43
*** lufix has quit IRC16:46
*** rwsu has joined #openstack-keystone16:52
*** jasondotstar has quit IRC16:55
*** _cjones_ has joined #openstack-keystone16:58
*** roxanaghe has joined #openstack-keystone17:00
*** stevemar_ has quit IRC17:00
*** stevemar has joined #openstack-keystone17:01
*** henrynash has quit IRC17:01
*** henrynash has joined #openstack-keystone17:03
*** ChanServ sets mode: +v henrynash17:03
*** lhcheng has joined #openstack-keystone17:03
*** ChanServ sets mode: +v lhcheng17:03
*** htruta has quit IRC17:04
*** raildo has quit IRC17:05
*** jasondotstar has joined #openstack-keystone17:08
*** e0ne has quit IRC17:08
*** lhcheng has quit IRC17:09
*** tellesnobrega has quit IRC17:10
*** _cjones_ has quit IRC17:17
*** _cjones_ has joined #openstack-keystone17:17
dstanekcrc32: you're seeing something change the keystone code after it is cloned? or did you change the code?17:19
crc32+dstanek no not the code. Something is mangling the requirements.txt and test-requirements.txt after cloning so that python egg_info breaks. I think it's devstack trying to "auto sync" requirements or something. case when I git diff the keystone directory it shows a bunch of uncommitted changes as if I had changed the files. This is in relation to
openstackLaunchpad bug 1468808 in devstack " downgrades pbr" [Undecided,Confirmed]17:22
dstanekcrc32: i've not seen that behavior, but i'll see if i can reproduce17:26
*** bradjones has quit IRC17:26
*** spandhe has joined #openstack-keystone17:28
*** ankita_wagh has joined #openstack-keystone17:28
*** bradjones has joined #openstack-keystone17:28
*** bradjones has quit IRC17:28
*** bradjones has joined #openstack-keystone17:28
*** Ctina_ has joined #openstack-keystone17:31
*** jasondotstar has quit IRC17:34
*** Ctina has quit IRC17:35
*** Ctina_ has quit IRC17:36
*** jasondotstar has joined #openstack-keystone17:39
*** fangzhou has joined #openstack-keystone17:41
*** samueldmq has joined #openstack-keystone17:41
*** dguerri is now known as dguerri`17:43
*** pnavarro has quit IRC17:43
*** dramakri has joined #openstack-keystone17:49
*** afazekas has joined #openstack-keystone17:49
*** fhubik has quit IRC17:50
samueldmqthe set of specs we need for our current scope are : i) policy overlay at oslo.policy; ii) fetch and cache of policy by ksmiddleware , iii) granular CRUD of policy on keystone server, allowing changes in a single rule, if needed17:51
samueldmqiv) allow association of policy per endpoint_url (already started by ayoung-afk)17:51
samueldmqmaybe iii) and iv) will be in a single spec17:51
samueldmqmorganfainberg: ayoung-afk cc ^17:51
*** ayoung-afk is now known as ayoung17:53
ayoungsamueldmq,  "granular CRUD of policy on keystone server, allowing changes in a single rule" won't be Liberty17:54
*** boris-42 has joined #openstack-keystone17:54
*** lhcheng has joined #openstack-keystone17:54
*** ChanServ sets mode: +v lhcheng17:54
samueldmqayoung: so we only allow handling a blob in Liberty ?17:54
ayoungsamueldmq, yes17:54
ayoungsamueldmq, long story there17:54
samueldmqayoung: we could allow POST (the whole blob), PUT (add a new rule there), DELETE and UPDATE (both the whole or a single API)17:55
*** afazekas has quit IRC17:55
*** diazjf has quit IRC17:55
*** rlt_ has quit IRC17:56
ayoungsamueldmq, yes17:56
*** tellesnobrega has joined #openstack-keystone17:56
ayoungsamueldmq, need to continually make progress here17:57
samueldmqayoung: what if I come with a spec for that ? to modify the current policy api to allow granular changes ?17:57
ayoungmake it possible to fetch policy from Keystone, then make it easier to manage on the Keystone side17:57
samueldmqayoung: do you think that's too much effort, and really can't be addressed in l?17:57
ayoungsamueldmq, you would be competing with specs that are there already.  See the work that Iorem is working on17:57
samueldmqayoung: sure, I agree, that spec is the last one in this roadmap of 4 specs17:57
ayoungOnce again, the breadth of what Dchadwick is proposing makes it a little hard to map to what we are doing in Keystone today, but their DB driven tool is probably the right way to go, just need to close the gaps17:58
samueldmqayoung: k so this point need to be discussed later17:59
samueldmqayoung: however I think their tooling would be like a backend, we needed to expose that granular CRUD on keystone anyway17:59
ayoungsamueldmq, so, I think what you and I can do is prepare something for the midcycle, stating the overall vision, the steps to take, and the timing for each of those steps. I think we have the absolute basics for Liberty sketched out18:00
ayoungtying in to the Kent work is part of that18:00
samueldmqayoung: k so the work on the granular policy api has to take into account their proposal, which something that brings some discussion18:01
samueldmqayoung: yes, so I agree the basic fetch/caching from keystone is the core18:02
samueldmqayoung: the UX can be improved later, as we go in the road18:02
*** husanu91 has joined #openstack-keystone18:02
samueldmqayoung: k got it, so ...18:02
*** dontalton has joined #openstack-keystone18:02
samueldmqayoung: i) policy overlay at oslo.policy; ii) fetch and cache of policy by ksmiddleware and iii) allow association of policy per endpoint_url18:02
samueldmqayoung: those three we need for the core support ^, you agree ?18:03
samueldmqayoung: ii and iii are already started, but need to be updated, i needs to be created18:03
ayoungsamueldmq, I is an oslo policy spec, not Keystone, btw18:04
*** jasondotstar has quit IRC18:05
samueldmqayoung: great, nice to know, I was planning to submit it against keystone-specs18:07
samueldmqayoung: thanks18:07
samueldmqayoung: yep, we have oslo-specs repo18:07
*** husanu91 has quit IRC18:14
*** lsmola has quit IRC18:19
*** jasondotstar has joined #openstack-keystone18:19
samueldmqayoung: can I grab/update those specs ?18:23
samueldmqayoung: or are you planning to be updating them yourself ?18:23
ayoungsamueldmq, take them18:23
samueldmqayoung: I am asking to tell my managers what I will be doing18:24
samueldmqayoung: great, thanks18:24
ayoungI'll let you know when I return to working on this stuff, and check to see what you have in flight samueldmq18:24
*** diazjf has joined #openstack-keystone18:24
david8husamueldmq,  Let me know if you need any help.  We can get something going quickly.18:25
*** ducttape_ has joined #openstack-keystone18:26
ducttape_mfisch ping18:26
morganfainbergsamueldmq: the oslo-spec should be really easy to land fwiw.18:26
morganfainbergit's not a crazy set of changes18:26
mfischducttape_: yo18:26
samueldmqmorganfainberg: nice18:26
* ducttape_ hopes mfisch shares a linky linky18:26
mfischyeah 1s18:26
*** med_ has joined #openstack-keystone18:27
samueldmqmorganfainberg: so starting by that one may be the best approach18:27
mfischFernet tokens: the real story:
samueldmqmorganfainberg: then update the others18:27
morganfainbergsamueldmq: yep18:27
samueldmqayoung: looks good!18:27
ayoungmfisch, you need to chase that down with some Keystone Light.18:28
samueldmqdavid8hu: sure! looking at and giving some feedback on how clear/ what we could add/remove from there would be very useful18:28
ducttape_when keystone light is the better drink available, it says some things about your decisions in life18:28
morganfainbergducttape_: At least it isn't PBR18:28
samueldmqdavid8hu: we can also work together on the specs, making improvements to them18:28
morganfainbergducttape_: you don't have to worry about being judged on both your taste in beer and how much of a hipster you are18:29
samueldmqdavid8hu: I'll start with the spec on oslo.policy, after that we can synchronize better18:29
samueldmqdavid8hu: if that makes sense to you :-)18:29
david8husamueldmq, sounds good.  It is always good to have something written so we can discuss it.  You are already doing that.  Thanks!18:30
morganfainbergmfisch: you.. actually drank Fernet18:33
morganfainbergmfisch... wow, i wouldn't wish that on anyone (it is "ok" when mixed sometimes)18:33
mfischI considered mixing with coke but wanted to try the real thing, so that's off the list now18:34
morganfainbergmfisch: yeahhh *shudder*18:34
mfischIf it was Keystone Light I'd have special lined cans18:35
ducttape_it's really horrible.   the taste won't leave my mouth18:35
samueldmqmorganfainberg: mfisch I thought you were kidding .. but now, there is a real drink called Keystone Light :-)18:35
ducttape_the token switch was much less painful, compared to the drink18:35
mfischsamueldmq: a terrible cheap beer that I drank in college18:36
mfischducttape_: I went and rinsed my mouth out18:36
bknudson45 open reviews in keystone-specs18:36
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Project tree deletion
samueldmqmfisch: hehe :-)18:36
*** ericksonsantos has joined #openstack-keystone18:37
*** ericksonsantos has quit IRC18:37
samueldmqbknudson: that's a lot!18:37
bknudsony, people are signing up for a lot of work18:37
*** ericksonsantos has joined #openstack-keystone18:38
samueldmqbknudson: I suppose they need love (reviews)18:38
morganfainbergbknudson: a lot of those specs are targeted to backlog18:38
*** timsim has joined #openstack-keystone18:38
morganfainbergbknudson: at least last i saw18:38
*** samueldmq has quit IRC18:43
*** ericksonsantos has quit IRC18:43
*** ayoung has quit IRC18:43
*** dontalton has quit IRC18:44
*** jasondotstar has quit IRC18:47
*** ROT26 has joined #openstack-keystone18:52
*** lastops has joined #openstack-keystone18:54
*** r-daneel has quit IRC18:54
*** r-daneel has joined #openstack-keystone18:55
*** dguerri` is now known as dguerri18:55
morganfainberghmm. so close.18:55
*** ericksonsantos has joined #openstack-keystone18:56
bknudsonmorganfainberg: somebody out there loves using keystone CLI!18:57
bknudsonoh, it's our own functional tests18:57
morganfainbergbknudson: yep18:57
morganfainbergbknudson: this is good news imo18:57
morganfainbergproposing fixes for that now18:57
*** RichardRaseley has quit IRC18:58
bknudsonwe're going to be short on functional tests18:58
morganfainbergand the merge from master needs to happen for bandit18:59
bknudsonmorganfainberg: I'M WORKING ON IT18:59
morganfainbergbknudson: hehe I know. ^_^18:59
bknudsonfor some reason the -infra change failed19:00
bknudsonand it appears to still be failing19:00
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Expand endpoint filters to service providers
morganfainberglet me take a gander19:00
morganfainbergissues with the build taking too long19:01
morganfainbergnot anything wrong with your change19:01
morganfainbergbknudson: or the get_httpd. it looks external to your change19:02
morganfainbergesp. since the dependant change passed19:02
bknudsonit's taking an inordinate amount of time for that review to finish jenkins19:02
bknudsonI was waiting for it but maybe it's not going to finish19:03
*** ericksonsantos has quit IRC19:03
bknudsonI've got the merge commit in my command window waiting to push it. (like salt n pepa)19:04
*** Raildo has joined #openstack-keystone19:04
morganfainbergthen we'll have some rebase hell19:04
morganfainbergand should be in a good place19:04
bknudsonwe'll need to merge every once in a while.19:04
morganfainbergneed to finish the last couple ksa patches.19:05
bknudsonmaybe weekly19:05
morganfainbergbknudson: probably19:05
morganfainbergwe should be close to releasing KSA now.19:05
morganfainbergneed to poke jamielennox|away though19:05
*** ducttape_ has quit IRC19:05
bknudsonmorganfainberg: the merge conflict was with
bknudsonso exceptions was changed to use exceptions from keystoneauth19:06
bknudsonand also changed to add name parameter19:06
*** jasondotstar has joined #openstack-keystone19:07
dstanekso many specs and so little time19:07
bknudsonso after the merge merges somebody needs to take a look at that file19:07
bknudsonI resolved the conflict the way I thought it needs to be19:07
bknudsonand the tests passed for me.19:07
bknudsonso assuming we have test coverage I did it right19:07
morganfainbergbknudson: we'll get jamielennox|away to 2x check19:07
morganfainbergbut i think it should be fine if you're passing19:08
bknudsonnot my first time resolving merge conflicts19:08
*** tellesnobrega has quit IRC19:10
*** htruta has joined #openstack-keystone19:13
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Project tree deletion
*** ayoung has joined #openstack-keystone19:22
*** ChanServ sets mode: +v ayoung19:22
Raildohenrynash, do you think that we can approve this until tomorrow or I send SPF exception for it?19:23
Raildomorganfainberg, ^19:23
*** Raildo is now known as raildo19:23
morganfainberguhh wtf19:24
morganfainberghow did a keystoneclient directory end up in keystoneauth19:24
morganfainbergoh just local19:24
morganfainbergor.. not19:24
bknudsonthere's 1 file19:25
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Remove keystoneclient lingering files.
morganfainbergbknudson: ^19:25
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Remove catalog/translation targets from tox.ini
*** tellesnobrega has joined #openstack-keystone19:29
*** rushiagr_away is now known as rushiagr19:32
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Remove catalog/translation targets from tox.ini
*** tellesnobrega has quit IRC19:35
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Move to the keystoneauth1 namespace
morganfainbergjamielennox|away: ^19:36
morganfainbergmordred: ^ CC on ksa patches19:36
*** ajayaa has quit IRC19:38
*** Ephur has joined #openstack-keystone19:42
*** Ephur has quit IRC19:47
marekddiazjf: ok19:49
bknudsonThis is what's annoying about reviewing specs:
bknudsonI spend time reading it and it turns out it's not even complete.19:51
morganfainbergbknudson: yeah i usually scroll to the bottom first now and see if everything is filled out at a glance19:52
morganfainbergbknudson: marked that one as WIP so other people can skip, sorry about the time waste19:52
*** ayoung has quit IRC19:55
morganfainbergstevemar: o/20:02
*** lhcheng has quit IRC20:06
stevemarmorganfainberg: o/20:07
morganfainbergstevemar: i forgot what i was going to ask20:07
morganfainbergstevemar: darn it20:07
* stevemar shrugs20:07
*** gabriel-bezerra has quit IRC20:17
*** gabriel-bezerra has joined #openstack-keystone20:20
*** jasondotstar has quit IRC20:39
*** afazekas has joined #openstack-keystone20:41
*** slberger has joined #openstack-keystone20:45
*** RichardRaseley has joined #openstack-keystone20:55
*** ayoung has joined #openstack-keystone20:56
*** ChanServ sets mode: +v ayoung20:56
*** arunkant__ has joined #openstack-keystone20:57
*** arunkant_ has quit IRC21:01
*** rm_work is now known as rm_work|away21:02
*** ankita_wagh has quit IRC21:03
*** stevemar has quit IRC21:04
*** stevemar has joined #openstack-keystone21:04
*** RichardRaseley has quit IRC21:05
*** e0ne has joined #openstack-keystone21:05
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations
*** rm_work|away is now known as rm_work21:06
*** stevemar has quit IRC21:07
*** pballand has quit IRC21:12
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations
*** pballand has joined #openstack-keystone21:12
*** RichardRaseley has joined #openstack-keystone21:15
*** ankita_wagh has joined #openstack-keystone21:16
htrutahey morganfainberg, henrynash will we need an SPF for is_domain project tokens?
*** RichardRaseley has quit IRC21:23
*** iamjarvo has quit IRC21:25
*** dguerri is now known as dguerri`21:28
*** hogepodge has quit IRC21:38
*** e0ne is now known as e0ne_21:39
*** e0ne_ is now known as e0ne21:41
*** diazjf has left #openstack-keystone21:56
*** slberger has quit IRC21:58
*** rushiagr is now known as rushiagr_away22:03
*** Rockyg has joined #openstack-keystone22:04
*** zzzeek has quit IRC22:07
*** david8hu has quit IRC22:07
*** rm_work is now known as rm_work|away22:09
gyeeayoung, left you a comment,
gyeeayoung, I suppose there's no way to make mod_lookup_identity to convey the domain information?22:12
gyeenkinder, is mellon ready for prime time?22:14
bigjoolsdoes mellon have an IdP?22:15
gyeenot sure22:15
gyeeI am trying to make it work with the existing IdPs22:15
bigjoolsI am in the process of choosing an IdP, just wondered22:16
gyeeIdP's that talk SAML2?22:16
*** jdennis has quit IRC22:20
*** iamjarvo has joined #openstack-keystone22:22
openstackgerritMerged openstack/keystone-specs: Moved driver interface from backlog to liberty
dolphmfrom #openstack-horizon: <ducttape_>   - we've been drinking for some time.  Enjoy fernet tokens!!!22:24
*** e0ne has quit IRC22:26
*** edmondsw has quit IRC22:27
*** dims has quit IRC22:30
*** dontalton has joined #openstack-keystone22:32
*** jdennis has joined #openstack-keystone22:32
bknudsonlet's make fernet tokens the default for devstack22:34
*** rm_work|away is now known as rm_work22:36
openstackgerritBrant Knudson proposed openstack/keystone: Document httpd for accept on /identity, /identity_admin
*** dims_ has joined #openstack-keystone22:38
gyee++! fernet da default!22:40
bknudsonI'll take a look at it22:41
bknudsonat least just supporting it22:41
gyeebknudson, btw, do you know of anybody have a driver that talk SCIM?22:43
bknudsongyee: I've never seen SCIM in action22:45
gyeek, I was just curious22:45
bknudsongyee: ask topol or stevemar22:45
gyeebknudson, we need a better default Keystone IdP22:45
bknudsongyee: better than what?22:45
gyeeor don't have one at all22:45
bknudsonthere's a default Keystone IdP?22:45
gyeekeystone/identity sql driver22:45
*** dontalton has quit IRC22:45
bknudsonoh, sure22:46
bknudsonwe need to get rid of sql driver.22:46
gyeesure, we either going to have a decent one or we don't22:46
bknudsonLooks like all I need to do for fernet in devstack is fernet_setup.22:46
bknudsonoh, man, there must be something wrong since there are no tokens in my database.22:48
bknudsonit's always gAAAA22:49
bknudsonshould have called them gAAAA tokens22:50
*** rm_work is now known as rm_work|away22:52
*** iamjarvo has quit IRC22:55
*** hogepodge has joined #openstack-keystone22:58
bknudson -- try that if you want -- should set up your system with fernet23:00
*** roxanaghe has quit IRC23:06
bretonno, we should keep sql for service users23:07
gyeebknudson, where's the part you changed the default provider?23:07
*** mestery has quit IRC23:07
bknudsongyee: I don't think we should make it the default in devstack23:07
bknudsondevstack should use keystone's default23:07
bknudsonfor its default23:08
gyeeoh, so its a two part change23:08
gyeei c23:08
bknudsonthe other change is just there to see if it works23:08
bknudsonif fernet works let's get a gate job running it.23:08
bknudsonI think we've got one doing pki tokens?23:09
gyeenot sure23:09
*** csoukup has quit IRC23:10
gyeebreton, I am sure you have fun rotating passwords for the service users? :)23:10
bknudsony, service users should use X.50923:11
*** thedodd has quit IRC23:16
*** raildo has quit IRC23:20
*** markvoelker has quit IRC23:24
morganfainbergbknudson: i like the gAAAAAAAA tokens23:32
morganfainbergbknudson: and yes. fernet default in devstack23:33
bknudsonmorganfainberg: we should change the default in keystone then23:33
bknudsonthat would require another devstack change since it doesn't do fernet_setup23:34
morganfainbergbknudson: not sure about that one - my worry is that it can't work out of the box w/ just SQL then... but i guess that isn't the end of the world23:34
morganfainbergbknudson: yeah.23:34
bknudsonwe used to default to pki tokens23:34
bknudsonwhich required pki_setup23:34
bknudsonwe've got too many token formats23:35
morganfainbergwe could make the change to devstack all at once23:35
morganfainbergand then fix our default down the line23:35
bknudsonit doesn't hurt to run fernet_setup23:35
bknudsonwe might be running pki_setup all the time still, unless token format was explicitly set it runs pki_setup23:36
bknudsonthat's the current devstack behavior23:36
morganfainbergi think that is only run w/ PKI tokens set23:36
bknudsonso if KEYSTONE_TOKEN_FORMAT == "" it's going to run pki_setup23:37
* morganfainberg wonders if we can deprecate PKI tokens next cycle.23:37
morganfainbergprobably not23:37
bknudsonwe've got check-tempest-dsvm-full , check-tempest-dsvm-postgres-full , check-tempest-dsvm-neutron-full23:38
bknudsonso we could put one of those on fernet?23:38
morganfainbergnah lets just default over to fernet23:39
morganfainbergswitch one of those to UUID if we really want the coverage23:39
bknudsonwe still want a job on UUID?23:39
bknudsony, I think we need a job for UUID, PKIZ, and UUID23:39
bknudsonand fernet23:39
morganfainbergi am not convinced we need PKIZ23:39
* morganfainberg looks for more reasons to make it go away23:39
bknudsonas long as we support it I think we'll need it23:40
morganfainbergi think we can move these to functional testing tbh23:40
bknudsonespecially if we're making changes to auth_token for fernet23:40
bknudsony, they should really be functional tests23:40
morganfainbergand we should make devstack default to the best option, fernet23:40
bknudsonwe've got a lot of perf #s in the tempest jobs23:40
bknudsonwould be interesting if we set check-tempest-dsvm-neutron-full to fernet and it's a lot faster23:41
bknudsonsince that's the slowest now23:41
morganfainbergbknudson: so lets switch the devstack default23:41
morganfainbergbknudson: and then look at either functional testing uuid and pkiz *or* converting the other test over23:42
dstanekwill it be possible to eventually get rid of pki[z] completely?23:42
morganfainbergdstanek: i'd like to. not sure23:42
bknudsonI'm not sure if the jobs set KEYSTONE_TOKEN_FORMAT explicitly23:42
bknudsonhave to check the logs23:42
morganfainbergdstanek: my worry is PKI(Z) is used by people to offload the work to the endpoints instead of on keystone23:43
morganfainbergdstanek: and i don't know how wide spread that is / if fernet solves their use-cases23:43
morganfainbergit *should* but people are weird sometimes23:43
dstanekthat would be very unfortunate23:43
bknudsonthey can step up to support it then23:43
bknudsonput it in stackforge23:44
morganfainbergdstanek, bknudson: lets make fernet the default everywhere23:44
morganfainbergthen look at [once it's baked through liberty] removal of PKI (inc. user survey data, etc)23:45
morganfainbergif we can also ditch uuid, more better23:45
* morganfainberg would love a migration: DROP TABLE TOKEN23:45
bknudsonwe've got a deployment now that's reporting issues due to the token table23:46
bknudsondisabling a project takes forever23:46
bknudsonbecause it's going through the tokens trying to disable tokens23:46
morganfainbergbknudson: i've had ~10+ deployments across 2 employers complaining about it23:46
morganfainbergbknudson: it is a real issue23:47
bknudsonand there's no project_id column, so it has to go through all tokens23:47
morganfainbergbknudson: they on Kilo?23:47
bknudsonthis is icehouse still23:47
morganfainbergbknudson: ouch.23:47
morganfainbergbknudson: at least not grizzly23:47
bknudsonthey just upgraded23:47
morganfainbergbknudson: upgrade them to Kilo Keystone ;)23:48
bknudsonit was grizzly for a while23:48
*** lhcheng has joined #openstack-keystone23:48
*** ChanServ sets mode: +v lhcheng23:48
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Move to the keystoneauth1 namespace
bknudsonI still think clouds.yaml is the greatest thing since sliced bread --
morganfainbergbknudson: there was talk of moving clouds.yaml over into keystoneauth's purview23:51
morganfainbergand yes clouds.yaml is awesome23:51
dstanekbknudson: i totally agree - and ansible's new os_server uses it for auth info23:52
bknudsonI don't know if it belongs in keystoneauth or maybe in a hall of fame somewhere.23:52
bknudsonin the next presidential election I will write in clouds.yaml.23:53
dstaneki use it in all my scripts now too23:53
morganfainbergdstanek: i'd like you to take a look at something and tell me what you think23:54
*** stevemar has joined #openstack-keystone23:54
morganfainbergbknudson: you too - strictly from a "is this service a lot of overhead" perspective (put on your ops/would i want to work with this thing hat)23:54
morganfainbergdstanek, bknudson: https://consul.io23:54
bknudsonmorganfainberg: you're trying to put keystone out of business23:55
morganfainbergbknudson: is that a bad thing?23:55
bknudsonmorganfainberg: why doesn't keystone have a fancy web site?23:56
dstaneki've not looked at consul, but i've started a little prototype for using DNS to replace the catalog23:56
morganfainbergdstanek: thinking of using consul for that specific case23:56
morganfainbergdstanek: it also gives us a DNS interface (wheeeee) for free23:56
bknudsonwe should eventually be running everything in apache23:56
bknudsoncan we do that with consul?23:57
morganfainbergbknudson: mod_keystone23:57
morganfainbergbknudson: consul is like etcd or zookeeper23:57
morganfainbergso, no. it's standalone23:57
*** stevemar has quit IRC23:57
bknudsonI mean can consul give you endpoints under apache?23:57
bknudsonor is it just ip addrs?23:57
*** Rockyg has quit IRC23:57
morganfainbergbknudson: it also has a KVS - so you could map DNS info out to the key-value23:58
dstanekbknudson: if it's like what i'm doing it'll give you the endpoint23:58
dstanekthere is an rfc for this23:58
morganfainbergbknudson: i haven't looked to see if you can get a SRV record out of it23:58
morganfainbergbknudson: but that would be the logical enhancement i'd be looking to contribute to them long term if it was missing it23:58
morganfainbergbknudson: SRV or other TXT based record23:59
gyeegolang impl, fancy23:59
gyeeI mean consul is in golang23:59
morganfainberg"For standard services queries, both A and SRV records are supported. SRV records provide the port that a service is registered on, enabling clients to avoid relying on well-known ports. SRV records are only served if the client specifically requests them, like so:"23:59
