Friday, 2015-07-10

« Thursday, 2015-07-09 Index Saturday, 2015-07-11 »
*** Kennan2 is now known as Kennan00:11
morganfainberganteaya: if no one else has addressed the comments...i'l be looking at it here shortly00:18
*** _cjones_ has quit IRC00:27
*** dobson has quit IRC00:27
anteayathanks00:27
*** mylu has quit IRC00:30
*** mylu has joined #openstack-keystone00:31
*** darrenc is now known as darrenc_afk00:34
*** gyee has quit IRC00:36
*** dims has quit IRC00:40
*** jasonsb has quit IRC00:48
openstackgerritMerged openstack/keystone: Fixes docstring to make it more precise  https://review.openstack.org/19933800:49
*** h00327910_ has joined #openstack-keystone00:50
*** Kennan has quit IRC00:54
*** Kennan has joined #openstack-keystone00:58
*** btully has quit IRC00:59
*** darrenc_afk is now known as darrenc01:00
openstackgerritMerged openstack/keystone: Fix log message in one of the v3 create call methods.  https://review.openstack.org/19942001:01
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/19988601:01
bigjoolsdoes anyone know if the federation mapping gets consulted for every token that's generated, or is it done only once when getting the initial OK from the IdP?01:02
*** lhcheng has quit IRC01:03
*** ankita_wagh has quit IRC01:07
*** mylu has quit IRC01:13
*** piyanai has joined #openstack-keystone01:16
*** chlong has joined #openstack-keystone01:20
*** davechen has joined #openstack-keystone01:23
*** dims has joined #openstack-keystone01:24
*** stevemar has joined #openstack-keystone01:25
*** dims has quit IRC01:25
*** dims has joined #openstack-keystone01:26
*** stevemar has quit IRC01:27
*** stevemar has joined #openstack-keystone01:27
*** davechen1 has joined #openstack-keystone01:32
*** crc32 has quit IRC01:32
bigjoolsjamielennox: I don't suppose you know the answer? --^01:32
jamielennoxbigjools: off the top of my head i would expect only when getting the OK from the idp01:33
jamielennoxwith federation you always receive an unscoped token first01:33
bigjoolswe're a little concerned about performance and that was an outstanding question01:33
bigjoolsyeah, I thought the same01:34
jamielennoxgenerating the unscoped token is going to require going through mapping because you need to figure out where to put the user, but for validation etc all that information is stored to the db01:34
*** davechen has quit IRC01:34
bigjoolsright. Thanks!01:35
*** mylu has joined #openstack-keystone01:35
*** dims has quit IRC01:36
*** mylu has quit IRC01:37
*** dims has joined #openstack-keystone01:37
*** tobe has joined #openstack-keystone01:39
*** davechen has joined #openstack-keystone01:41
*** dims has quit IRC01:42
*** fangzhou has quit IRC01:43
*** davechen1 has quit IRC01:43
*** jdandrea has quit IRC01:43
*** btully has joined #openstack-keystone01:50
*** skylerberg has quit IRC01:51
*** richm has quit IRC01:54
*** btully has quit IRC01:55
*** spandhe has quit IRC02:07
*** chenhong has joined #openstack-keystone02:08
chenhongdstanek: ping02:13
*** arunkant__ has joined #openstack-keystone02:19
*** diabloneo has joined #openstack-keystone02:19
*** chenhong has quit IRC02:20
*** arunkant_ has quit IRC02:22
*** chenhong has joined #openstack-keystone02:24
*** diabloneo has quit IRC02:24
*** kiran-r has joined #openstack-keystone02:25
chenhongjamielennox:  hi, are you available to review my changes?02:25
*** dims has joined #openstack-keystone02:38
*** dims has quit IRC02:43
*** stevemar has quit IRC02:45
*** stevemar has joined #openstack-keystone02:45
*** mylu has joined #openstack-keystone02:46
dstanekchenhong: pong02:48
chenhongdstanek: hi, I want to ask you to review my two changes. Are you available now?02:49
dstanekchenhong: which ones? i can add them to my list02:50
chenhongdstanek: https://review.openstack.org/#/c/187899/  and  https://review.openstack.org/#/c/197184/02:50
chenhongdstanek: Thanks very much.02:50
dstanekchenhong: np02:51
*** mylu has quit IRC02:51
*** arunkant has joined #openstack-keystone03:01
*** arunkant__ has quit IRC03:05
*** Kennan has quit IRC03:07
*** Kennan has joined #openstack-keystone03:07
*** htruta_ has quit IRC03:11
*** rwsu has quit IRC03:11
*** lhcheng has joined #openstack-keystone03:15
*** ChanServ sets mode: +v lhcheng03:15
*** jkomg has joined #openstack-keystone03:21
*** stevemar has quit IRC03:22
*** stevemar has joined #openstack-keystone03:22
*** rushiagr_away has quit IRC03:28
*** dobson has joined #openstack-keystone03:40
*** ankita_wagh has joined #openstack-keystone03:54
*** crc32 has joined #openstack-keystone03:59
*** arunkant_ has joined #openstack-keystone04:03
*** arunkant has quit IRC04:06
*** arunkant__ has joined #openstack-keystone04:08
*** crc32 has quit IRC04:11
*** arunkant_ has quit IRC04:11
*** darrenc is now known as darrenc_afk04:15
*** piyanai has quit IRC04:24
*** darrenc_afk is now known as darrenc04:30
*** spandhe has joined #openstack-keystone04:30
*** spandhe_ has joined #openstack-keystone04:33
*** spandhe has quit IRC04:35
*** spandhe_ is now known as spandhe04:35
*** arunkant__ has quit IRC04:37
*** kiran-r has quit IRC04:37
*** tobe has quit IRC04:44
lhchenghi jamielennox04:48
jamielennoxhey lin04:48
lhchengfound your ksc patch to clean the duplicate code from keystoneauth04:49
lhchengis this okay to merge? https://review.openstack.org/#/c/196479/204:49
jamielennoxlhcheng: please do!04:50
jamielennoxthat's on a feature branch so it's not going to land in client straight away04:50
lhchengah! didn't notice that04:50
lhchengcool04:50
jamielennoxthere's no real risk there as it's all still experimental04:50
lhchenggreat04:50
lhchengquestion on osc, I know you hate the new 'os_endpoint_type' option added04:51
lhchengyou want to give your take on this: https://review.openstack.org/#/c/198506/04:51
jamielennoxlhcheng: excellent, i'm glad that's happening04:53
jamielennoxcommented, i think --os-interface is better04:53
lhchenghopefully we can rename it before the next osc release :)04:53
jamielennoxinterface-type doesn't really make sense04:53
lhchengagreed04:53
*** ajayaa has joined #openstack-keystone04:56
* stevemar releases osc right now just to piss off lhcheng and jamielennox 05:00
stevemar>>.>>05:00
stevemar<<.<<05:00
*** chenhong has quit IRC05:01
*** chenhong has joined #openstack-keystone05:01
lhchenghaha that's so mean05:03
*** dims has joined #openstack-keystone05:03
jamielennoxand largely hurting yourself05:03
*** dims_ has joined #openstack-keystone05:04
openstackgerritNing Sun proposed openstack/keystone: Corrected a typo in README  https://review.openstack.org/20037705:06
*** dims has quit IRC05:08
*** dims_ has quit IRC05:08
*** ajayaa has quit IRC05:10
openstackgerritMerged openstack/keystone: Add more Rally scenarios  https://review.openstack.org/18845705:27
*** spandhe has quit IRC05:32
*** markvoelker has quit IRC05:32
*** jbonjean has joined #openstack-keystone05:33
*** btully has joined #openstack-keystone05:33
*** spandhe has joined #openstack-keystone05:36
*** ajayaa has joined #openstack-keystone05:37
*** david-ly_ has joined #openstack-keystone05:37
*** david-lyle has quit IRC05:40
*** annasort has quit IRC05:46
*** ig0r__ has joined #openstack-keystone05:52
*** j_king has quit IRC05:53
*** j_king has joined #openstack-keystone05:54
*** ig0r_ has quit IRC05:55
*** amaretskiy has joined #openstack-keystone05:56
*** dims has joined #openstack-keystone06:01
*** Kennan has quit IRC06:02
*** Kennan has joined #openstack-keystone06:03
*** ankita_wagh has quit IRC06:04
*** Kennan2 has joined #openstack-keystone06:06
*** Kennan has quit IRC06:07
*** dims has quit IRC06:09
*** spandhe has quit IRC06:10
*** ankita_wagh has joined #openstack-keystone06:13
*** dims has joined #openstack-keystone06:13
*** dims_ has joined #openstack-keystone06:14
*** mylu has joined #openstack-keystone06:17
*** dims has quit IRC06:17
stevemarlhcheng: you found it was a mock change, now you have to fix it06:21
*** dims_ has quit IRC06:21
lhchengstevemar: testing it now on my local :)06:22
*** mylu has quit IRC06:22
*** dims has joined #openstack-keystone06:22
*** dims has quit IRC06:27
*** markvoelker has joined #openstack-keystone06:32
*** markvoelker has quit IRC06:37
*** lufix3 has joined #openstack-keystone06:40
*** afazekas has joined #openstack-keystone06:44
*** stevemar has quit IRC06:44
*** tobe has joined #openstack-keystone06:45
*** stevemar has joined #openstack-keystone06:45
*** stevemar has quit IRC06:50
*** ajayaa has quit IRC06:58
*** jkomg has quit IRC06:58
*** ajayaa has joined #openstack-keystone06:59
*** lhcheng has quit IRC07:02
*** lhcheng has joined #openstack-keystone07:02
*** ChanServ sets mode: +v lhcheng07:02
*** browne has quit IRC07:03
*** rharwood has quit IRC07:08
*** rharwood has joined #openstack-keystone07:11
*** jistr has joined #openstack-keystone07:16
*** jamielennox is now known as jamielennox|away07:17
*** hrou has quit IRC07:19
*** cloudnull has quit IRC07:26
*** sigmavirus24_awa has quit IRC07:27
*** fhubik has joined #openstack-keystone07:27
*** d34dh0r53 has quit IRC07:30
*** eglute has quit IRC07:30
*** dolphm has quit IRC07:30
*** odyssey4me has quit IRC07:45
*** stevemar has joined #openstack-keystone07:46
*** ankita_wagh has quit IRC07:48
*** stevemar has quit IRC07:50
*** henrynash has quit IRC07:52
*** rletrocquer has joined #openstack-keystone08:01
*** rletrocquer has quit IRC08:02
*** rletrocquer has joined #openstack-keystone08:02
*** odyssey4me has joined #openstack-keystone08:07
*** chlong has quit IRC08:10
*** chenhong has quit IRC08:18
*** chenhong has joined #openstack-keystone08:18
*** christx2 has joined #openstack-keystone08:18
*** ccard has joined #openstack-keystone08:19
*** WormMan has quit IRC08:21
*** WormMan has joined #openstack-keystone08:22
*** Pawel__ has joined #openstack-keystone08:22
*** henrynash has joined #openstack-keystone08:25
*** ChanServ sets mode: +v henrynash08:25
*** christx2 has quit IRC08:25
*** christx2 has joined #openstack-keystone08:26
*** markvoelker has joined #openstack-keystone08:34
*** josecastroleon has joined #openstack-keystone08:36
*** btully has quit IRC08:38
*** markvoelker has quit IRC08:38
*** dims has joined #openstack-keystone08:40
*** odyssey4me_ has joined #openstack-keystone08:42
*** dims has quit IRC08:45
*** odyssey4me_ has quit IRC08:47
*** stevemar has joined #openstack-keystone08:47
*** stevemar has quit IRC08:51
*** lhcheng has quit IRC08:52
*** chenhong has quit IRC08:59
*** chenhong has joined #openstack-keystone08:59
*** jistr has quit IRC09:00
*** jistr has joined #openstack-keystone09:16
openstackgerrithenry-nash proposed openstack/keystone-specs: Provide config option to direct inheritance rules  https://review.openstack.org/20043409:27
*** bdossant has joined #openstack-keystone09:35
*** lhcheng has joined #openstack-keystone09:39
*** ChanServ sets mode: +v lhcheng09:39
*** e0ne has joined #openstack-keystone09:51
*** davechen has left #openstack-keystone09:54
*** fhubik is now known as fhubik_afk09:58
*** gordc has joined #openstack-keystone10:26
*** dims has joined #openstack-keystone10:28
*** dhague_ has joined #openstack-keystone10:29
*** dims_ has joined #openstack-keystone10:29
*** lhcheng has quit IRC10:32
*** dims has quit IRC10:33
*** arunkant__ has joined #openstack-keystone10:34
*** dims_ has quit IRC10:34
*** markvoelker has joined #openstack-keystone10:35
*** stevemar has joined #openstack-keystone10:36
*** markvoelker has quit IRC10:39
*** stevemar has quit IRC10:40
*** arunkant__ has quit IRC10:41
*** dhague_ has quit IRC10:41
samueldmqmorning10:44
chenhongsamueldmq: evening, :-)10:46
samueldmqchenhong: hehe, good evening then :)10:47
*** e0ne is now known as e0ne_10:49
samueldmqhenrynash: hi, just looking at 'config option to direct inheritance rules' ...10:51
henrynashsamueldmq: hi10:52
samueldmqhenrynash: why not just put the default as being applying to parent + children ?10:52
samueldmqhenrynash: having config option would be still more complex to use (inherited role assignments are complex by themselves ... )10:52
henrynashsamuedmq:…becasue that would change existing beahviour10:52
samueldmqhenrynash: that would be compatible with the existing behavior .. I'd say it'd extend the existing behavior10:53
*** eglute has joined #openstack-keystone10:53
*** dolphm has joined #openstack-keystone10:53
*** ChanServ sets mode: +o dolphm10:53
samueldmqhenrynash: notice that the assignment would be expanded to the children anyway, but just considering the root entity instead of droping it10:54
henrynashsamueldmq: I don’t think we want to (on an update) suddenly include roles in tokens taht were not there before10:54
*** jamielennox|away is now known as jamielennox10:54
*** d34dh0r53 has joined #openstack-keystone10:54
samueldmqhenrynash: yes, that is an interesting point, we can't just disconsider that :(10:58
samueldmqhenrynash: are we trying to fix the fact that 'inherited' maps better to 'me and my children' ?10:58
henrynashyep10:58
henrynashbut I think we need to be cautous10:58
samueldmqhenrynash: wouldn't we have a better name for what we have today?10:59
samueldmqhenrynash: yes we need ++10:59
openstackgerritSamuel de Medeiros Queiroz proposed openstack/oslo.policy: Dynamic Policies Overlay  https://review.openstack.org/20025710:59
*** e0ne_ is now known as e0ne11:01
openstackgerrithenry-nash proposed openstack/keystone-specs: Provide config option to direct inheritance rules  https://review.openstack.org/20043411:12
*** tobe has quit IRC11:15
*** chenhong has quit IRC11:16
*** tobe has joined #openstack-keystone11:16
samueldmqhenrynash: in a near future .. will there be any distinction between domain and project assignments ?11:17
samueldmqhenrynash: how do you see this ?11:17
henrynashsamueldmq: no, I think there are just assignments11:18
henrynashsamueldmq: it will be upto the policy file to decide is an assignment on a project where is_domain=True means something different11:19
henrynashimho11:19
samueldmqhenrynash: so just project assignments, it doesn't matter if it is is_domain or not in the server side11:19
henrynashsamueldmq: I *think* that’s correct11:20
*** odyssey4me has quit IRC11:20
samueldmqhenrynash: k so one with a role in a domain would have that role in its project .. so domain 'admin' would become a project 'admin' as well (besides the admin of the is_domain project, which is the domain .. )11:22
henrynashsamuedmq: so maybe…it would depend on policy, a project admin rule *might* specifi that project admin only applied to projects with is_doman=False, in which case no, they wouldn’t also be a project admin11:24
samueldmqhenrynash: yes, but I am thinking in the bad policies we have today, where admin anywhere is admin everywhere11:25
samueldmqhenrynash: but I think this is a separate concern11:25
*** fhubik_afk is now known as fhubik11:26
henrynashtrue11:26
henrynashbe offline for a bit, back on later11:26
samueldmqsure11:27
*** henrynash has quit IRC11:28
*** e0ne is now known as e0ne_11:35
*** markvoelker has joined #openstack-keystone11:35
*** markvoelker has quit IRC11:40
*** piyanai has joined #openstack-keystone11:41
*** piyanai has quit IRC11:41
*** tobe has quit IRC11:45
*** ankita_wagh has joined #openstack-keystone11:48
*** ankita_wagh has quit IRC11:53
*** radez is now known as radez_g0n311:57
*** christx2 has quit IRC11:57
*** bknudson has joined #openstack-keystone12:07
*** ChanServ sets mode: +v bknudson12:07
*** markvoelker has joined #openstack-keystone12:07
openstackgerritDavid Stanek proposed openstack/keystone: Fixes some grammar in the httpd README  https://review.openstack.org/20049212:08
openstackgerritDavid Stanek proposed openstack/keystone: Fixes grammar in the httpd README  https://review.openstack.org/20049212:08
*** christx2 has joined #openstack-keystone12:09
*** dims has joined #openstack-keystone12:15
*** ig0r__ has quit IRC12:17
*** mylu has joined #openstack-keystone12:19
*** dims has quit IRC12:20
*** e0ne_ is now known as e0ne12:21
*** henrynash has joined #openstack-keystone12:22
*** ChanServ sets mode: +v henrynash12:22
*** ig0r_ has joined #openstack-keystone12:23
*** mylu has quit IRC12:24
*** stevemar has joined #openstack-keystone12:25
*** david-lyle has joined #openstack-keystone12:28
*** chlong has joined #openstack-keystone12:28
*** stevemar has quit IRC12:28
*** david-ly_ has quit IRC12:30
*** edmondsw has joined #openstack-keystone12:32
*** hockeynut has quit IRC12:38
*** dims has joined #openstack-keystone12:41
*** hockeynut has joined #openstack-keystone12:42
dstanekhenrynash: you around?12:43
dstanekhenrynash: is there a security risk to scoping to the wrong project?12:44
bretondstanek: you put +2a to https://review.openstack.org/#/c/187899/ , but -1 to a dependency :)12:44
dstanekbreton: yes, its code looked fine, but i dep needs to change12:45
*** e0ne is now known as e0ne_12:46
dstanekbreton: although how i now want it to change will impact that review so i should probably remove the +a12:46
*** chenhong has joined #openstack-keystone12:47
*** odyssey4me has joined #openstack-keystone12:47
*** e0ne_ is now known as e0ne12:47
henrynashdstanek: hi12:49
*** raildo_ has joined #openstack-keystone12:50
dstanekhenrynash: hi12:50
henrynashdstanek: well, it’s only a risk if you already have a role on it (i.e. if you have no role on the project acting as a domain, then you won’t be able to scope to it)12:50
*** raildo_ has quit IRC12:51
dstanekhenrynash: what happens if you have a token scoped to a project X valid for some long period of time; then X is turned into an is_domain project with X as a sub-project? will the user be getting access to the sub-project now?12:51
henrynashdstanek: in which case you would be able to get a domain scoped token for it12:51
henrynashdstanek: is_domain is immuatble12:52
chenhongdstanek: hi, thanks for you review.12:52
henrynashdstanek: i.e. one is set to either true or false, you can’t change it…there is no ability to “upgrade” a project toa domain12:52
dstanekhenrynash: what will that existing token be scope to?12:53
chenhongdstanek:  I think add one extra utils class for assignment related test is a good idea. What do you think about the class name AssignmentTestMixin?12:54
henrynashdtsanek: sorry, not sure  i follow….12:54
*** jsavak has joined #openstack-keystone12:54
dstanekchenhong: i'd take out the 'Test'' from the name12:55
henrynashdstanek: btw, I agree with you on teh V2 point…12:56
dstanekhenrynash: hmmm...misspoke. i was typing and thinking two different things at the same time12:56
henrynashdstanek: a dangerous thing to do….think and type12:57
dstanekhenrynash: i mean existing scripts/things would now be broken since they have to know they are looking for a domain12:57
openstackgerritjiaxi proposed openstack/keystone: Invalid URLs are not suppressed when create endpoint  https://review.openstack.org/20051212:57
dstanekthey'll successfully get a token scope to the wrong thing - how would they know?12:57
chenhongdstanek: I just follow the name AuthTestMixin. Is it clear to have a Test in the name? AssignmentMixin or AssignmentTestMixin, I prefer to the second one.12:58
dstanekhenrynash: since you must hear me i'll stop thinking12:58
henrynashdstanek: well. no, since if they are after teh domain the would have to be explictly asking for a domain scoped token…and this works exactly as it does now….if they are lookig for project they ONLY expect a regualr project12:58
dstanekhenrynash: right, but in my example the admin changed X to a domain and created another X project under it.12:59
*** amakarov_away is now known as amakarov12:59
henrynashdstanek: so, to do that, they wold have to first delete X and re-create13:00
henrynashdtsanek: in which case all the assignment will be deleted as well13:00
henrynashdstanek: since is_domain is immuatble13:00
*** raildo_ has joined #openstack-keystone13:01
*** hrou has joined #openstack-keystone13:01
*** jdandrea has joined #openstack-keystone13:02
dstanekhenrynash: hmm...ok. i didn't know that. in doing that they'd lose access to their cloud resources anyway.13:02
dstanekhenrynash: i'll un-object to that part. do you know if we document this behavior anywhere?13:04
henrynashdstanek: I think the API species is_domain is immuatble13:05
*** richm has joined #openstack-keystone13:06
*** Pawel__ has quit IRC13:08
*** jsavak has quit IRC13:08
*** cloudnull has joined #openstack-keystone13:09
*** jamielennox is now known as jamielennox|away13:09
dstanekhenrynash: is there any reason to allow project scoping to a domain at all?13:12
henrynashdstanek: so that we can get rid of doamin scoped tokens!!!13:12
*** arunkant has joined #openstack-keystone13:13
henrynashdstanek: See: https://review.openstack.org/#/c/193543/13:13
dstanekhenrynash: but you lose the ability to scope to it if you have a sub-project with the same name right?13:13
henrynashdtsanek: scoping by name, yes, you can setill scope by ID13:14
dstanekhenrynash: haha, ok. this is why everyone yells at me when i tell them i work on keystone.13:16
henrynashdstanek: and my goal is so that people yell at you less....13:16
*** jsavak has joined #openstack-keystone13:16
*** stevemar has joined #openstack-keystone13:16
dstanekhenrynash: i appreciate that!13:17
henrynashdstanek: :-)13:17
openstackgerritChenhong Liu proposed openstack/keystone: Centralizing build_role_assignment_* functions  https://review.openstack.org/19718413:17
chenhongdstanek: I just submit a new patchset. Can you take a look at it now?13:19
openstackgerritChenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains  https://review.openstack.org/18789913:19
*** fhubik has quit IRC13:20
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Standardize documentation at Service Managers  https://review.openstack.org/15809413:20
samueldmqbknudson: ^ addressed your comments in this centenary patch :)13:20
samueldmqhenrynash: cc ^13:20
*** radez_g0n3 is now known as radez13:21
*** TheIntern has joined #openstack-keystone13:22
samueldmqdstanek: do you know why all our tests are under a 'unit' directory if most of them aren't unit tests ?13:22
dstaneksamueldmq: they are not unit tests according to the classical definition, but they are what we consider to be unit tests13:23
*** fhubik has joined #openstack-keystone13:23
dstanekthe exception is the V3 style tests where we spin up a server - those will eventually turn into something else13:24
samueldmqdstanek: hmm, and what we consider to be unit tests ? is there any documentation about them ?13:24
dstaneksamueldmq: lets say small, semi-isolated tests13:24
chenhongsameuldmq: I'm curious, too. It's hard to write purely unit test case, now. hah13:25
samueldmqchenhong: :-)13:25
dstanekchenhong: it's not hard because of our existing tests though, it's hard because of our existing code13:25
samueldmqdstanek: some time ago I was looking more at our tests .. I think they could be re-organized13:26
dstanekit's not really designed in a modular way, but we've been moving that way slowly13:26
samueldmqdstanek: like some files are too big, etc13:26
samueldmqdstanek: yeah, we're a big project, getting better every day :)13:26
*** gordc has quit IRC13:28
openstackgerritjiaxi proposed openstack/keystone: Invalid URLs are not suppressed when create endpoint  https://review.openstack.org/20051213:28
chenhongdsstanek: yes, it's hard to isolate code logic. I know we have a spec about functional test.13:28
*** raildo has quit IRC13:28
*** aix has quit IRC13:29
*** fhubik has quit IRC13:30
*** raildo_ has quit IRC13:30
*** raildo has joined #openstack-keystone13:30
*** lufix3 has quit IRC13:32
openstackgerritChenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains  https://review.openstack.org/18789913:33
*** woodster_ has joined #openstack-keystone13:36
*** arunkant has quit IRC13:36
samueldmqayoung: would you be OK if I created another BP to dinamic-policies-delivery ?13:38
samueldmqayoung: this would only contain the subset of things we're addressing in L (the dynamic delivery, ofc) :-)13:39
ayoungsamueldmq, go for it13:39
samueldmqayoung: thanks ... I think people people will be less scared than looking and seeing just dynamic-policy, which is much more general13:40
samueldmqayoung: btw, did you see my patch to oslo.policy ? that was simples than I thought13:40
ayoungsamueldmq, not yet....we have a bit of a fire going on here13:40
*** arunkant has joined #openstack-keystone13:40
samueldmqayoung: sure, get your fire extinguisher and good luck sir ! o/13:41
*** mylu has joined #openstack-keystone13:42
*** kiran-r has joined #openstack-keystone13:44
*** henrynash has quit IRC13:45
openstackgerritChenhong Liu proposed openstack/keystone: Centralizing build_role_assignment_* functions  https://review.openstack.org/19718413:46
*** henrynash has joined #openstack-keystone13:46
*** ChanServ sets mode: +v henrynash13:46
openstackgerritChenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains  https://review.openstack.org/18789913:47
dstanekwell, today is a vacation day for me so i should start acting like i'm on vacation13:48
chenhongdstanek: I update the changes. https://review.openstack.org/197184 and https://review.openstack.org/#/c/187899/ . Please add them to your review list.13:49
chenhongdstanek: Enjoy your vacation.13:49
*** afazekas has quit IRC13:53
*** gordc has joined #openstack-keystone13:56
*** aix has joined #openstack-keystone13:59
*** jsavak has quit IRC14:02
*** sigmavirus24_awa has joined #openstack-keystone14:04
*** sigmavirus24_awa is now known as sigmavirus2414:04
*** sigmavirus24 is now known as sigmavirus24_awa14:05
*** annasort has joined #openstack-keystone14:05
dolphmdstanek: vacation harderer14:05
*** sigmavirus24_awa is now known as sigmavirus2414:05
sigmavirus24I second dolphm's suggestion dstanek14:06
dstanekdolphm: i keep seeing reviews i want to comment on!14:06
dolphmdstanek: yeah, you're doing the vacation thing completely wrong14:06
*** mestery has quit IRC14:07
dstanekdolphm: no surprise there. my 13yo says i do everything wrong14:07
sigmavirus24dstanek: "sudo echo "::1 review.openstack.org" >> /etc/hosts"14:07
sigmavirus24dstanek: 13 year olds are usually correct14:07
dstaneksigmavirus24: IME it doesn't even matter :-)14:09
*** fangzhou has joined #openstack-keystone14:09
sigmavirus24dstanek: how do you mean?14:09
sigmavirus24dolphm: here's an idea: Temporarily remove dstanek from the keystone-core gerrit group14:09
sigmavirus24That way all he can do is +/- 114:10
dolphmvacation mode!14:10
*** chenhong has left #openstack-keystone14:10
*** chenhong has joined #openstack-keystone14:10
dstanek...or...you can help me figure out how to make a google docs template so i can get away from my computer!14:10
*** kiran-r has quit IRC14:10
dstaneki can't find the 'submit to template gallery' in the new interface14:11
dolphmgoogle docs supports templates?14:11
*** chenhong has quit IRC14:11
*** chenhong has joined #openstack-keystone14:11
dstanekit did in 2013 before the redesign. event their docs say the old way to do things14:11
bknudsondid they finally add the ribbon interface?14:11
*** mylu has quit IRC14:11
dstanekwhat's the ribbon interface?14:14
*** mylu has joined #openstack-keystone14:14
bknudsondstanek: https://www.google.com/search?q=microsoft+word+ribbon&tbm=isch&imgil=i7kBfUYW3UYQlM%253A%253BFlGt2zwKqvMscM%253Bhttps%25253A%25252F%25252Fmsdn.microsoft.com%25252Fen-us%25252Flibrary%25252Fwindows%25252Fdesktop%25252Fdn742393%28v%2525253Dvs.85%29.aspx&source=iu&pf=m&fir=i7kBfUYW3UYQlM%253A%252CFlGt2zwKqvMscM%252C_&biw=1784&bih=897&usg=__XBrnz268oVveXpJfmQkMJ24v9ow%3D&ved=0CCgQyjc&ei=fdOfVcPtMpb6oQTE5rqoBg#imgrc14:15
*** jsavak has joined #openstack-keystone14:15
bknudsonhttps://msdn.microsoft.com/en-us/library/windows/desktop/dn742393%28v=vs.85%29.aspx14:16
dstanekgdocs isn't nearly as complicated or crowded14:17
*** diabloneo has joined #openstack-keystone14:17
diabloneodstanek: https://drive.google.com/templates?view=author14:17
diabloneodstanek: you can find a link 'Submit a template', I hope this can help you.14:17
bknudsonnot yet.14:17
*** chenhong has quit IRC14:17
dstanekdiabloneo: no button for me :-(14:18
dstanekdiabloneo: the old way was to select the file in the fist and the more menu had a 'submit a template' option14:19
*** diabloneo has quit IRC14:19
*** gordc has quit IRC14:19
*** chenhong has joined #openstack-keystone14:20
chenhongdstanek: https://drive.google.com/templates?view=author14:20
chenhongdstanek: you can find a link 'Submit a template', I hope this can help you.14:20
bknudsondstanek: The page says "You haven't submitted any templates to the gallery yet. Submit a template"14:21
bknudsonand there's also "Submit a template" in the upper-right14:21
*** jistr is now known as jistr|mtg14:22
dstanekmaybe my domain has some bit turned off because there's no way to submit14:22
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Project tree deletion  https://review.openstack.org/14873014:23
bknudsondstanek: what does the page say? just "You haven't submitted any templates to the gallery yet." ?14:23
dstanekbknudson: yes14:23
*** afazekas has joined #openstack-keystone14:25
*** btully has joined #openstack-keystone14:25
*** gordc has joined #openstack-keystone14:25
dstanekbknudson: more specifically https://www.dropbox.com/s/fzf107xppbqm479/Screenshot%202015-07-10%2010.25.20.png?dl=014:25
*** kiran-r has joined #openstack-keystone14:25
bknudsonMine has different tabs. I've got "My Templates"14:26
chenhongdstanek: I have three tabs, Public Templates Templates I've used, My Templates14:27
chenhongbknudson: Mine is like yours.14:27
*** chenhong has quit IRC14:29
*** mylu has quit IRC14:30
*** fangzhou has quit IRC14:38
dstanekthanks for the help everyone. seems like my domain is messed up. but the domain for my wife's non-profit is fine, which is why i was doing this anyway14:39
*** kiran-r has quit IRC14:39
*** mylu has joined #openstack-keystone14:39
*** dims has quit IRC14:40
*** mylu has quit IRC14:40
*** mylu has joined #openstack-keystone14:44
*** gordc has quit IRC14:45
*** markvoelker has quit IRC14:48
*** fifieldt has quit IRC14:49
*** gordc has joined #openstack-keystone14:50
*** jecarey has joined #openstack-keystone14:50
*** chlong is now known as chlong-weekend14:54
*** fangzhou has joined #openstack-keystone14:56
*** jkomg has joined #openstack-keystone14:57
*** jsavak has quit IRC15:02
*** mflobo has quit IRC15:03
*** jsavak has joined #openstack-keystone15:04
*** geoffarnold has joined #openstack-keystone15:05
*** dims has joined #openstack-keystone15:07
*** dims_ has joined #openstack-keystone15:07
*** alex_xu has quit IRC15:08
*** geoffarnold has quit IRC15:08
*** alex_xu has joined #openstack-keystone15:10
*** csoukup has joined #openstack-keystone15:10
*** jsavak has quit IRC15:11
*** csoukup has quit IRC15:11
*** geoffarnold has joined #openstack-keystone15:11
*** dims has quit IRC15:11
*** mestery has joined #openstack-keystone15:14
*** r-daneel has joined #openstack-keystone15:16
morganfainbergWait dstanek is on vacation?!15:18
* morganfainberg glares him off IRC.15:18
*** browne has joined #openstack-keystone15:19
*** ig0r__ has joined #openstack-keystone15:19
*** ig0r_ has quit IRC15:22
*** anhhuynx has joined #openstack-keystone15:23
*** jsavak has joined #openstack-keystone15:23
*** fangzhou has quit IRC15:25
*** chlong-weekend has quit IRC15:26
*** e0ne is now known as e0ne_15:28
*** e0ne_ is now known as e0ne15:29
*** jistr|mtg is now known as jistr15:30
*** hrou has quit IRC15:38
*** sp4wnr0ot_ has quit IRC15:38
*** diazjf has joined #openstack-keystone15:40
*** ajayaa has quit IRC15:42
anhhuynxdstanek: Can the API accept more than one query currently?15:51
anhhuynxdstanek: Whenever I tried to pass more than two queries to the API it just omits the second one15:52
*** rwsu has joined #openstack-keystone15:52
*** jistr has quit IRC15:55
*** jkomg has quit IRC15:55
morganfainberganhhuynx: what do you mean more than one query? And dstanek is on vacation today. Someone else here will probably be able to answer for you :)15:57
anhhuynxoh ok :)15:57
*** bdossant has quit IRC15:57
anhhuynxmorganfainberg: so when I do /v3/user?name="blah"&enabled="true" it will not take the second query enabled15:58
anhhuynxit will always omit it15:58
anhhuynxthis is GET btw15:58
morganfainbergOh. Hmm that might be a bug in the filtering code then.15:58
morganfainbergIf you switch the request is name omitted?15:58
*** chenhong has joined #openstack-keystone15:58
anhhuynxthen enabled will be accepted but not name15:58
morganfainbergJust confirming15:58
morganfainbergMaking sure enabled wasnt acting special.15:59
anhhuynxi've tried this with credentials also15:59
anhhuynxwith different params15:59
anhhuynxbut no luck15:59
anhhuynxcan you try it too? just to make sure it's not my end15:59
samueldmqdoes enabled accept "true" with quotes ?15:59
morganfainbergIts likely our query param code has a bug then.15:59
anhhuynxyes, enabled takes a string15:59
morganfainberganhhuynx: ill need to standup a test environment. What version are you using?16:00
samueldmqmorganfainberg: I remember to have fixed a bug exactly like this ... let me find the patch16:00
morganfainbergOf keystone that is.16:00
*** mylu has quit IRC16:00
morganfainbergIf it is icehouse or earlier, we cant fix it :(. Since those are EOL.16:00
anhhuynxI'm using Liberty16:00
anhhuynxand devstack16:00
morganfainbergOk cool.16:01
morganfainberganhhuynx: feel free to open a bug on this and link it here. We can do some testing and confirm. Adding your results will help too.16:01
anhhuynxok16:01
morganfainberganhhuynx: samueldmq might already have a fix or somethkng close too. Would make it easy ;)16:02
*** mylu has joined #openstack-keystone16:02
*** stevemar has quit IRC16:02
anhhuynxhopefully :)16:02
samueldmqmorganfainberg: anhhuynx found it ..16:03
samueldmqhttps://review.openstack.org/#/c/161702/16:03
morganfainbergPaste the link to the bug here in channel once you open it.16:03
morganfainbergOrrrr16:03
samueldmqfixing but https://bugs.launchpad.net/keystone/+bug/142474516:03
openstackLaunchpad bug 1424745 in Keystone "SQL/LDAP are not able to honor multiple filters in driver_hints.Hints()" [Medium,Fix released] - Assigned to Samuel de Medeiros Queiroz (samueldmq)16:03
*** lhcheng has joined #openstack-keystone16:03
morganfainbergHmm16:03
*** ChanServ sets mode: +v lhcheng16:03
morganfainbergThat shpuld be in liberty16:03
morganfainbergOk we might need to revisit16:03
morganfainberganhhuynx: lets get a new bug, reference the old one and paste your duplication / results.16:04
morganfainbergWe can dig into it.16:04
anhhuynxalright16:04
morganfainbergYou can just say "this looks like a repeat of bug xxxx"16:05
samueldmq++16:05
morganfainbergIt might be something different.16:05
*** browne has quit IRC16:05
anhhuynxhttps://bugs.launchpad.net/keystone/+bug/147348916:06
openstackLaunchpad bug 1473489 in Keystone "Identity API v3 does not accept more than one query" [Undecided,New]16:07
samueldmqanhhuynx: thanks16:07
anhhuynxman, my original low hanging fruit bug sure has blown out of proportion ;)16:07
morganfainbergLol. Its always a rabbithole you end up going down.16:08
morganfainbergAnd then you look around and wonder how you got there.16:08
anhhuynxhaha16:08
anhhuynxhow should I go about investigating this?16:09
*** mgarza has joined #openstack-keystone16:09
*** amaretskiy has left #openstack-keystone16:10
*** e0ne has quit IRC16:11
samueldmqanhhuynx: get the code, run the tests .. see tests in test_v3_filters16:11
samueldmqanhhuynx: you could create a test that exposes this bug16:11
*** mylu has quit IRC16:15
chenhonghi, I got a jenkins check failed whose name is check-tempest-dsvm-full. Any one know why?16:15
*** hrou has joined #openstack-keystone16:23
samueldmqdstanek: what do I need to run functional tests tox env ?16:24
samueldmqdstanek: does it need something pre-installed ? (a devstack in the current machine ?)16:24
*** chenhong_ has joined #openstack-keystone16:24
samueldmqdstanek: or simply 'tox -efunctional'16:24
*** ankita_wagh has joined #openstack-keystone16:25
anhhuynxisn't dstanek on vacation today?16:26
*** chenhong has quit IRC16:26
samueldmqanhhuynx: dunno, I should not disturb him if that is true :)16:27
anhhuynxmorganfainberg said he is16:28
*** chenhong_ has quit IRC16:28
samueldmqdstanek: enjoy your vacation! o/16:29
*** markvoelker has joined #openstack-keystone16:31
*** fangzhou has joined #openstack-keystone16:31
*** mylu has joined #openstack-keystone16:32
*** chenhong has joined #openstack-keystone16:32
anhhuynxwhat is a functional test vs a unit test?16:32
bknudsonanhhuynx: functional tests run against a running keystone (for example, running under devstack)16:33
bknudsonyou should also be able to run the functional tests against a production deployment.16:33
*** mestery has quit IRC16:34
anhhuynxthank you16:34
anhhuynxsamueldmq: there is a test_multiple_filters in here16:36
samueldmqanhhuynx: yes but in the setup it's running, possibly it isn't testing things correctly16:37
samueldmqanhhuynx: I mean ... it filters by name + enabled16:38
anhhuynxi see that it does /domain?enabled&name="xxx"16:38
samueldmqanhhuynx: but if there is only that user with such name, and it's enabled, we aren't testing anything :(16:38
anhhuynxbut16:38
anhhuynxbut the thing is16:39
anhhuynxif you try doing /v3/domain?enabled="true"&name="blah" it won't work i think16:39
anhhuynxi'll try that now actually16:39
*** mylu has quit IRC16:40
*** mylu has joined #openstack-keystone16:41
chenhongmorganfainberg: do you know about check-tempest-dsvm-full job in jenkins?16:45
*** dims_ has quit IRC16:46
*** tqtran has joined #openstack-keystone16:46
*** _cjones_ has joined #openstack-keystone16:46
morganfainbergUhm? What about it chenhong?16:46
*** dims has joined #openstack-keystone16:46
*** dims has quit IRC16:47
*** dims has joined #openstack-keystone16:47
chenhongmorganfainberg: One of my change can not pass jenkins test, failed in 'check-tempest-dsvm-full'16:47
chenhongmorganfainberg: I think it's not caused by my patch set. Do you know why? My change is https://review.openstack.org/#/c/197184/16:48
morganfainbergUnlikely to be your change because youre updating tests only.16:49
morganfainbergMight just be a transient error.16:49
*** ankita_wagh has quit IRC16:50
chenhongmorganfainberg: Can I  trigger jenkins checking by comment a 'recheck' to resolve this?16:50
morganfainbergchenhong: i already triggered a recheck for you16:50
morganfainbergbut yes16:51
*** stevemar has joined #openstack-keystone16:51
chenhongmorganfainberg: Thanks. You are so nice.16:51
morganfainbergchenhong: happy to help16:51
chenhongmorganfainberg: B.T.W, may I ask you to review this change?16:52
morganfainbergchenhong: i'll take a look at it a bit later today. i have some stuff i need to take care of before I get to code review today16:52
*** shaleh has joined #openstack-keystone16:52
chenhongmorganfainberg: Thank you very much.16:53
chenhongIt's midnight in China and I'm going to sleep. Have a good day, everyone. :-)16:54
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062416:54
*** chenhong has quit IRC16:54
anhhuynxsamueldmq: it seems like if you do /v3/domains?enabled&name="admin" it won't take name="admin" at all16:55
anhhuynxsamuelmq: can you reproduce this on your end?16:55
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062416:56
*** gyee has joined #openstack-keystone16:57
*** ChanServ sets mode: +v gyee16:57
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062416:59
*** spandhe has joined #openstack-keystone17:00
*** bitblt has joined #openstack-keystone17:01
*** janonymous has joined #openstack-keystone17:10
*** ankita_wagh has joined #openstack-keystone17:14
openstackgerritHenrique Truta proposed openstack/keystone: Changing excpetion type to ValidationError instead of Forbidden  https://review.openstack.org/20029517:14
*** browne has joined #openstack-keystone17:16
openstackgerritHenrique Truta proposed openstack/keystone: Changing exception type to ValidationError instead of Forbidden  https://review.openstack.org/20029517:16
openstackgerritMerged openstack/keystone: Fixes grammar in the httpd README  https://review.openstack.org/20049217:17
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742717:18
openstackgerritMerged openstack/keystonemiddleware: Fixes modules index generated by Sphinx  https://review.openstack.org/19972417:25
*** e0ne has joined #openstack-keystone17:28
*** arunkant has quit IRC17:29
*** radez is now known as radez_g0n317:30
*** diazjf has quit IRC17:31
*** arunkant has joined #openstack-keystone17:32
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062417:35
openstackgerrithenry-nash proposed openstack/keystone-specs: Clarify project hierachy and parent usage within the API  https://review.openstack.org/20062417:36
*** mestery has joined #openstack-keystone17:42
*** mylu has quit IRC17:51
*** mylu has joined #openstack-keystone17:52
*** e0ne has quit IRC17:52
*** raildo_ has joined #openstack-keystone17:52
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742717:53
*** e0ne has joined #openstack-keystone17:54
*** e0ne has quit IRC17:58
*** raildo has quit IRC17:59
*** raildo has joined #openstack-keystone17:59
*** tqtran is now known as tqtran-afk18:02
*** geoffarnold has quit IRC18:03
*** raildo_ has quit IRC18:09
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies with Custom IDs  https://review.openstack.org/19800018:09
*** mylu has quit IRC18:10
*** mylu has joined #openstack-keystone18:10
*** boris-42 has quit IRC18:12
*** geoffarnold has joined #openstack-keystone18:12
*** mylu has quit IRC18:17
*** jsavak has quit IRC18:19
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint  https://review.openstack.org/17766118:20
*** aix has quit IRC18:21
*** jsavak has joined #openstack-keystone18:21
*** vilobhmm has joined #openstack-keystone18:26
*** dims has quit IRC18:29
*** csoukup has joined #openstack-keystone18:29
*** mylu has joined #openstack-keystone18:29
lbragstadstevemar: ping18:31
stevemarlbragstad: ahoy matey18:31
lbragstadstevemar: happy friday!18:31
stevemarlbragstad: true that18:31
lbragstadstevemar: quick federation + keystone ssl + osc question for you if you have a minute18:31
lbragstadI have two separate keystone nodes up and running, one is the identity provider and the other is the service provider. Both are configured to use ssl. I can confirm the ssl connection is working by passing the cacert for the respective keystone node in curl.18:33
lbragstadlike curl --cacert /path/to/cert.pem https://<keystone-sp-ip>/18:34
lbragstadand I get the version information back, so that's all good18:34
lbragstadnow I'm trying to get osc to connect to that same keystone instance18:34
stevemarlbragstad: hmm, never tried federation with ssl and osc18:35
lbragstadstevemar: so, this is what I have exported http://cdn.pasteraw.com/9ar9f4yce5ojvy2fbktct9r9b3kbh4s18:35
*** arunkant_ has joined #openstack-keystone18:36
lbragstadstevemar: so far so good,18:36
lbragstadthen I go to use the openstack cli18:36
lbragstadand when I do a 'user list' I get a bunch of http://cdn.pasteraw.com/3anzwzz6hvfkad1p5pry71u3lt9efxd18:37
lbragstadstevemar: any ideas or should I just keep tinkering?18:38
stevemarlbragstad: try adding --debug to see whats going on18:38
*** arunkant has quit IRC18:39
*** mylu has quit IRC18:40
lbragstadstevemar: ahh, EndpointNotFound18:40
*** mylu has joined #openstack-keystone18:41
lbragstadstevemar: it does look like it's trying to use v2 over v3 though18:42
gyeelbragstad, you can try setting OS_IDENTITY_API_VERSION to 318:45
*** geoffarnold has quit IRC18:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Delivering Mechanism  https://review.openstack.org/19798018:46
lbragstadgyee: hey hey!18:46
lbragstadgyee: stevemar that worked!18:46
gyeelook like there will be rain in Boston next week18:46
gyeethat 0.6 mile walk in the rain is going to feel like a 2 mile walk instead :)18:46
*** harlowja_ has quit IRC18:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Delivering Mechanism  https://review.openstack.org/19798018:49
*** radez_g0n3 is now known as radez18:50
*** harlowja has joined #openstack-keystone18:50
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies with Custom IDs  https://review.openstack.org/19800018:53
*** mylu has quit IRC18:54
*** mylu has joined #openstack-keystone18:54
*** geoffarnold has joined #openstack-keystone18:54
*** mylu has quit IRC18:58
stevemarlbragstad: yay19:00
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Dynamic Policies Fetch and Cache  https://review.openstack.org/13465519:01
stevemargyee: goot cactch with the no OS_IDENTITY_API_VERSION set19:01
openstackgerritMerged openstack/keystone: Add test showing password logged  https://review.openstack.org/19370319:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/20067519:03
gyeestevemar, yay19:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/19725419:04
gyeelbragstad, did you have a patch to fix fernet token time sync issue?19:04
lbragstadgyee: I think morganfainberg had one for that?19:04
*** mylu has joined #openstack-keystone19:04
lbragstadI had a few that needed to be rebased on that once it merged19:04
gyeebasically, the sub seconds were left out on validation19:04
lbragstadgyee: I think according to morganfainberg and dolphm it's because the subseconds are included on auth19:05
*** d34dh0r53 is now known as th31nt3rn19:05
gyeelbragstad, I mean issued_at and expires_at19:06
*** mylu has quit IRC19:06
gyeeon validation, the sub seconds are rounded to zeros19:06
*** mylu has joined #openstack-keystone19:07
lbragstadgyee: yep19:07
lbragstadgyee: but on auth, they aren't19:07
gyeenot sure if I understand, that's token data returned from token validation API19:09
gyeeso there shouldn't be inconsistency on those two fields19:10
lbragstadgyee: I'm not 100% I know the right answer, but I thought it was suppose to be that the auth api should round it in the first place19:11
lbragstadI *think*?19:11
*** rm_work is now known as rm_work|away19:11
*** dims has joined #openstack-keystone19:12
gyeelbragstad, let me do some code diving. I would expect the time stamps are embedded in the fernet token ID19:12
gyeeand return as is on validation19:12
lbragstadgyee: yep they are19:13
lbragstadgyee: the token creation is actually done by the cryptography library19:13
lbragstadgyee:  the token expiration is packed in to the token schema19:13
gyeeso the time stampes should be exactly the same on both creation and validation19:13
lbragstadgyee: https://github.com/openstack/keystone/blob/8e7bb573fb2414a4d0253a2d50714ef8cdc6adf3/keystone/token/providers/fernet/token_formatters.py#L33919:14
lbragstadgyee: yes19:14
lbragstadgyee: but... that can't be because we take the expiration at tmp stamp and convert it to an integer19:14
lbragstadwhich is where we lose the subsecond calculation19:14
gyeeahhh19:14
gyeeI would expect that to be a bug, no?19:15
lbragstadgyee: which is how all of this kinda came into light :)19:15
lbragstadgyee: what part?19:15
gyeeloosing the subseconds19:15
lbragstadgyee: I'd probably consider it the other way around,19:15
gyeeCADF is matching the entire timestamp right?19:16
*** mylu has quit IRC19:16
lbragstadat least for the fernet provider19:16
*** dims has quit IRC19:17
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742719:17
*** dims has joined #openstack-keystone19:17
*** ig0r__ has quit IRC19:19
*** ig0r_ has joined #openstack-keystone19:19
*** ankita_wagh has quit IRC19:21
*** mylu has joined #openstack-keystone19:23
*** stevemar has quit IRC19:25
*** stevemar has joined #openstack-keystone19:25
*** raildo has quit IRC19:26
*** ankita_w_ has joined #openstack-keystone19:26
*** raildo has joined #openstack-keystone19:26
openstackgerritSolomon proposed openstack/keystone: Adds script that checks for etc/keystone.conf  https://review.openstack.org/19975819:26
*** topol has joined #openstack-keystone19:29
*** ChanServ sets mode: +v topol19:29
gyeelbragstad, you saying we should round the subseconds at token creation time? I am fine with that too so as long as they are consistent19:30
*** ankita_wagh has joined #openstack-keystone19:33
*** raildo has quit IRC19:33
bknudsonyour token will be valid before the current time19:34
bknudsonthat seems strange19:34
*** annasort has quit IRC19:35
lbragstadgyee: same here19:35
lbragstadgyee: maybe we can bring it up at the meetup?19:35
gyeeyeah19:36
*** raildo has joined #openstack-keystone19:36
gyeelets make them consistent19:36
*** ankita_w_ has quit IRC19:36
*** odyssey4me has quit IRC19:37
gyeebknudson, actually it won't be a problem if we always round them down19:38
pgbridgei have probably a very confused question, mind if i ask y'all here?19:38
bknudsonif you round the issued_at time down then the service could get a token that's issued_at before the current time.19:39
bknudsonif it takes < 1 second19:39
bknudsonoh, wait, that's normal19:39
gyeeright, should work19:40
bknudsonbtw - we also have to consider revocation events19:40
gyeerevocation events is also based on cut off time19:40
pgbridgeeh nm19:40
bknudsonsince revocation event might have issued_after19:40
gyeeright, issued_after should work fine if we round them down19:40
bknudsonif it's issued_after time 1:15.5 and the token has issued_at 1:1519:41
bknudsonthen it won't be revoked19:41
openstackgerritMerged openstack/keystone: Tests for correct key removed  https://review.openstack.org/19438819:41
*** jsavak has quit IRC19:41
openstackgerritMerged openstack/keystone: Simplify fernet rotation code  https://review.openstack.org/19433519:41
bknudsonit must be issued_before in revocation events19:41
bknudsonso that would be fine, too19:41
gyeeyeah19:41
bknudsonunless the revocation events are truncated too ?19:42
gyeeI hope not, they should be token format agnostic19:43
*** raildo_ has joined #openstack-keystone19:44
*** th31nt3rn is now known as d34dh0r5319:45
*** topol is now known as topol_oldme19:46
*** fangzhou has quit IRC19:47
*** topol has joined #openstack-keystone19:48
*** ChanServ sets mode: +v topol19:48
*** topol_oldme has quit IRC19:49
*** jsavak has joined #openstack-keystone19:54
*** topol has quit IRC19:54
*** topol has joined #openstack-keystone19:54
*** ChanServ sets mode: +v topol19:54
*** topol has quit IRC19:58
*** topol has joined #openstack-keystone19:58
*** ChanServ sets mode: +v topol19:58
*** rwsu has quit IRC19:58
*** Kupo24z has joined #openstack-keystone19:58
*** geoffarnold has quit IRC19:59
Kupo24zHey all, does keystone currently support redis cache backend? I've seen this https://blueprints.launchpad.net/keystone/+spec/redis-storage-backend but its not implemented19:59
*** geoffarnold has joined #openstack-keystone19:59
*** gordc has quit IRC20:00
openstackgerritMerged openstack/keystonemiddleware: Separate the fetch and validate parts of auth_token  https://review.openstack.org/19094020:02
*** jecarey has quit IRC20:04
*** jsavak has quit IRC20:04
*** jsavak has joined #openstack-keystone20:05
*** mylu has quit IRC20:07
*** topol has quit IRC20:08
*** topol has joined #openstack-keystone20:08
*** ChanServ sets mode: +v topol20:08
*** harlowja has quit IRC20:09
*** harlowja has joined #openstack-keystone20:09
*** topol has quit IRC20:09
*** topol_oldme has joined #openstack-keystone20:10
*** ChanServ sets mode: +v topol_oldme20:10
*** topol_oldme is now known as topol20:10
*** mylu has joined #openstack-keystone20:10
*** topol has quit IRC20:11
*** Kiall has quit IRC20:11
*** Kiall has joined #openstack-keystone20:12
*** topol has joined #openstack-keystone20:12
*** topol is now known as Guest1363720:12
*** bitblt has quit IRC20:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/20067520:20
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/19725420:21
*** Guest13637 has quit IRC20:21
*** amakarov has quit IRC20:21
*** harry51s has joined #openstack-keystone20:26
openstackgerritMerged openstack/keystone: Decouple notifications from DI  https://review.openstack.org/16276920:28
openstackgerritMerged openstack/keystone: Removed optional dependency support  https://review.openstack.org/16277020:29
openstackgerritBrant Knudson proposed openstack/keystone: Federation API provides method to evaluate rules  https://review.openstack.org/19630820:32
openstackgerritBrant Knudson proposed openstack/keystone: Move constants out of federation.core  https://review.openstack.org/20070620:32
openstackgerritBrant Knudson proposed openstack/keystone: Federation API provides method to evaluate rules  https://review.openstack.org/19630820:34
*** crc32 has joined #openstack-keystone20:40
*** fangzhou has joined #openstack-keystone20:44
openstackgerritBrant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893120:46
*** topol has joined #openstack-keystone20:46
*** ChanServ sets mode: +v topol20:46
*** crc32 has quit IRC20:49
*** crc32 has joined #openstack-keystone20:50
*** rm_work|away is now known as rm_work20:53
*** topol has quit IRC20:56
*** htruta has quit IRC20:57
*** topol has joined #openstack-keystone20:57
openstackgerritBrant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893120:57
*** topol is now known as Guest2224020:58
*** mylu has quit IRC20:58
*** mylu has joined #openstack-keystone20:58
*** Guest22240 has quit IRC21:00
*** blewis has joined #openstack-keystone21:00
-openstackstatus- NOTICE: Gerrit will be unavailable from 22:00 to 22:30 UTC for project renames21:02
*** gabriel-bezerra has quit IRC21:10
*** ig0r_ has quit IRC21:10
*** iurygregory has quit IRC21:12
*** samueldmq has quit IRC21:12
*** ericksonsantos has quit IRC21:12
*** raildo has quit IRC21:12
*** tellesnobrega has quit IRC21:12
*** raildo_ has quit IRC21:13
openstackgerritguang-yee proposed openstack/python-keystoneclient: Change default endpoint type for Keystone v3 to 'public'  https://review.openstack.org/18520021:17
browneFernet token question:  i ran tempest on a kilo keystone (installed from ubuntu packages) and several of the negative tests that verify unauthorized after a token is revoked fail.  any clues on this?21:17
*** mylu has quit IRC21:17
brownelike test_delete_role_request_without_token21:18
browneit behaves as if the token is not revoked.  gets a 204 instead of Unauthorized21:19
openstackgerritBrant Knudson proposed openstack/keystone: Clean up notifications type checking  https://review.openstack.org/20073321:19
*** solomondg has joined #openstack-keystone21:19
*** jsavak has quit IRC21:24
openstackgerritBrant Knudson proposed openstack/keystone: Clean up code to use .items()  https://review.openstack.org/20073421:27
*** tqtran-afk has quit IRC21:30
bknudsonbrowne: you can also see https://review.openstack.org/#/c/195780/21:35
bknudsonsame failures?21:36
brownelet me see21:36
*** stevemar has quit IRC21:36
*** hrou has quit IRC21:38
brownebknudson: yes, it does look like at least test_list_roles_request_without_token was the same error.  Is this a known issue?21:39
bknudsonbrowne: it is now!21:39
browneha21:39
brownebknudson: will you open a bug or should i?21:40
bknudsonbrowne: I haven't had a chance to open a bug.21:40
bknudsonbrowne: if you're planning to work on it go ahead and open the bug21:41
gyeecritical!21:42
bknudsonotherwise it's on my todo list21:42
bknudsonIMO fernet tokens are experimental at this point anyways21:42
brownebknudson: i'll open the bug and whoever fixes it first is welcome to it21:42
bknudsonso not critical21:42
*** rwsu has joined #openstack-keystone21:43
brownebknudson: do we label fernet as experimental anywhere.  just want to know whether i'm using something too bleeding edge21:43
gyeebknudson, revocation is broken is not critical?21:43
*** henrynash has quit IRC21:44
bknudsonbrowne: if it's not labeled as experimental then that's a critical bug.21:44
bknudsongyee: if revocation was broken then that would be critical since we support and test revocation21:44
gyeebut isn't that's the case here? role deletion does not constitute revocation21:45
bknudsongyee: revocation for fernet tokens isn't critical since fernet tokens are experimental21:46
*** gabriel-bezerra has joined #openstack-keystone21:51
brownegyee, bknudson: https://bugs.launchpad.net/keystone/+bug/147356721:53
openstackLaunchpad bug 1473567 in Keystone "Fernet tokens fail tempest runs" [Undecided,New]21:53
gyeebrowne, thanks21:53
*** edmondsw has quit IRC21:53
*** raildo has joined #openstack-keystone21:55
*** tellesnobrega has joined #openstack-keystone21:55
*** ericksonsantos has joined #openstack-keystone21:55
*** iurygregory has joined #openstack-keystone21:55
-openstackstatus- NOTICE: Gerrit is unavailable from approximately 22:00 to 22:30 UTC for project renames21:58
*** csoukup has quit IRC21:58
*** ChanServ changes topic to "Gerrit is unavailable from approximately 22:00 to 22:30 UTC for project renames"21:58
bknudsonwe should change keystone so that you have to shut it down every time you rename something21:59
morganfainbergbknudson: i like it21:59
morganfainbergbknudson: +2+2+A21:59
*** solomondg has quit IRC22:00
*** solomondg has joined #openstack-keystone22:02
*** christx2 has quit IRC22:06
gyeebknudson, FTW!22:07
*** harlowja_ has joined #openstack-keystone22:09
*** harlowja has quit IRC22:10
*** samueldmq has joined #openstack-keystone22:10
*** boris-42 has joined #openstack-keystone22:15
solomondgQuick question: When I copy (line by line) the code from keystone/keystone/cmd/manage.py into the Python2.7 Interactive Prompt, then print dev_conf, it appears to be using /usr/etc/keystone.conf and/or /etc/keystone.conf as the location to the keystone.conf file. Considering that there isn't a keystone.conf in either of those locations, did I confi22:16
solomondggure something wrong? The only keystone.conf scripts I know of are in etc/keystone/keystone.conf and /opt/stack/keystone/etc/keystone.conf22:16
*** anhhuynx has quit IRC22:18
*** radez is now known as radez_g0n322:22
*** mgarza has quit IRC22:23
morganfainbergsolomondg: thats a bit weird, but you should be able to specify the config file directory22:28
morganfainbergsolomondg: oh you're doing like a pip install?22:29
morganfainbergsolomondg: yeah you'll need to specify the location of the config files, but if it's a full devstack, it should put files in /etc/keystone22:29
*** ChanServ changes topic to "| Review Code, Specs, Etc | Keystone MidCycle 15, 16, 17 | US Independence Day is observed 7/3 (Friday)"22:30
*** dsirrine has quit IRC22:30
solomondgmorgamfainberg: Huh, okay. Thanks.22:31
*** topol has joined #openstack-keystone22:39
*** ChanServ sets mode: +v topol22:40
*** alex_xu has quit IRC22:43
*** alex_xu has joined #openstack-keystone22:43
*** ankita_w_ has joined #openstack-keystone22:47
*** ankita_wagh has quit IRC22:47
*** krykowski has quit IRC22:52
*** krykowski has joined #openstack-keystone22:53
*** dhellmann has quit IRC22:54
*** andreaf has quit IRC22:54
*** navid_ has quit IRC22:54
*** navid_ has joined #openstack-keystone22:55
*** dhellmann has joined #openstack-keystone22:56
*** andreaf has joined #openstack-keystone22:57
*** ntpttr has joined #openstack-keystone23:10
*** josecastroleon has quit IRC23:12
*** dims has quit IRC23:13
*** josecastroleon has joined #openstack-keystone23:13
*** ntpttr has quit IRC23:14
*** dims has joined #openstack-keystone23:17
*** rm_work is now known as rm_work|away23:20
*** gyee has quit IRC23:21
openstackgerritBrant Knudson proposed openstack/keystone: Use dict.items() rather than six.iteritems()  https://review.openstack.org/20076223:24
*** spandhe has quit IRC23:29
*** TheIntern has quit IRC23:36
*** hrou has joined #openstack-keystone23:37
*** solomondg has quit IRC23:38
*** openstackgerrit has quit IRC23:39
*** openstackgerrit has joined #openstack-keystone23:40
*** shaleh has quit IRC23:43
*** guest123 has joined #openstack-keystone23:48
*** blewis has quit IRC23:50
*** geoffarnold has quit IRC23:53
*** rwsu has quit IRC23:54
*** r-daneel has quit IRC23:55
« Thursday, 2015-07-09 Index Saturday, 2015-07-11 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!