Thursday, 2015-08-06

openstackgerritJamie Lennox proposed openstack/keystoneauth: Split plugin loading  https://review.openstack.org/19059400:10
openstackgerritJamie Lennox proposed openstack/keystoneauth: Move session loading into loading module  https://review.openstack.org/20934900:10
openstackgerritJamie Lennox proposed openstack/keystoneauth: Remove oslo_config from auth plugin loading  https://review.openstack.org/20934800:10
*** r-daneel has quit IRC00:16
*** boris-42 has quit IRC00:20
*** henrynash has quit IRC00:20
morganfainbergjamielennox: thats the thought, but we should be consistent00:22
morganfainbergjamielennox: /me looks at those ^ patches.00:22
jamielennoxmorganfainberg: i'm just moving stuff at will now, i think so long as i don't change the session or adapter interfaces then clients aren't going to notice anyway00:23
morganfainbergjamielennox: https://review.openstack.org/#/c/209302/ could use a quick +2/+A00:23
morganfainbergand then i'll approve the mirror for ksa00:23
morganfainbergerm integration branch00:23
jamielennoxmorganfainberg: simple +A https://review.openstack.org/#/c/168546/400:28
jamielennoxmorganfainberg: wait - shouldn't you be on a plane?00:28
morganfainbergtomorrow00:28
morganfainbergit's still thursday. anita was flying today00:28
morganfainbergs/was/is00:28
jamielennoxit is still thursday, my days are way off00:28
morganfainberghehe00:29
morganfainbergand I'm the one who crossed the international date line00:29
morganfainberg:P00:29
jamielennoxmorganfainberg: so i'm inclined to just scrap the keystoneauth_integration branch of keystoneclient, there was always the assumption there it was going to be a bridge between client and auth but if we're not doing that we can just remove stuff00:30
jamielennoxmake 2.0 a real split00:30
morganfainbergjamielennox: well uh. ok we could just fork that branch as is though00:30
morganfainbergi mean... we have put some work into it already00:31
jamielennoxok, sure i just mean most of what i have outstanding is like base service catalog on kestoneauth, where if that branch is to become v2 then it's just rm service_catalog00:31
morganfainbergwell i was thinking we'd just make master = 2.0 when we were done with that branch00:31
morganfainbergmerge that back to master and call it good(tm)00:32
openstackgerritDan Nguyen proposed openstack/keystone: Allow Domain Admin to get domain details  https://review.openstack.org/20808200:32
morganfainbergif you think we need to explicitly 2.0 branch instead - we can do that too00:32
jamielennoxmorganfainberg: i'm fine with the name being wrong, especially as we had to get all the requirements and test hacks in to make it work00:33
morganfainbergok so lets stick with it and when we're ready merge back to master00:33
jamielennoxi guess i should just abandon most of those patches and go chopper mode instead00:33
morganfainbergthen we can cut the 2.x branch once the merge is done.00:33
morganfainbergerm, tag00:33
morganfainbergand we'll be in the right place00:34
morganfainbergand then for L i'd like to g-r bump to >2.x00:34
morganfainbergso [sooner is better]00:34
jamielennoxL?00:34
morganfainbergliberty00:35
morganfainberg>=2.x00:35
jamielennoxi thought we said <2.0 for L and >2 for M00:35
morganfainbergwell if the interfaces work...00:35
morganfainbergwe can do it in L ;)00:35
morganfainbergif they don't we can do that for M00:35
morganfainbergeither way00:35
jamielennoxbecause they are going to be incompatible00:35
*** _cjones_ has quit IRC00:35
morganfainbergok sure00:35
morganfainbergwe can do that then00:35
morganfainberglet me g-r propose that.00:35
jamielennoxi'll be interested to see how we switch over with a big change00:36
morganfainberg99% of the change is keystoneclient -> keystoneauth100:36
morganfainbergafaict00:36
*** bapalm has joined #openstack-keystone00:37
jamielennoxmostly, we still need to transition anyone doing Client(username=)00:37
jamielennoxwhich i hope doesn't exist but you know it will00:37
morganfainbergyeah00:37
jamielennoxyea, i think we pin < 2 for liberty00:39
*** bapalm has quit IRC00:39
jamielennoxthe intent should be that the session from keystoneauth will be drop in replacable with keystoneclient.session in < 2 so we can even start moving people over to keystoneauth and just rip everything out of ksc first thing in M00:40
*** gyee has quit IRC00:41
morganfainbergyep00:41
*** btully has quit IRC00:41
morganfainbergjamielennox: https://review.openstack.org/209715   see how the -infra and -requirements folks respond to it00:43
*** zzzeek has joined #openstack-keystone00:44
morganfainbergwe might get told "wait" but I'd much prefer to *not* wait to get the 2.x.x stuff out the door00:44
jamielennoxmorganfainberg: commented, there is a comment you might want to fix up00:44
jamielennoxmorganfainberg: i expect we'll have to wait a bit for something so fundamental but it's better to start the converstaion now00:45
morganfainbergright00:45
*** mylu has joined #openstack-keystone00:45
*** mylu has quit IRC00:50
*** mylu has joined #openstack-keystone00:55
*** mylu has quit IRC00:56
*** narengan has joined #openstack-keystone00:58
*** jasonsb has joined #openstack-keystone01:01
*** mylu has joined #openstack-keystone01:03
*** browne has quit IRC01:03
*** jasonsb has quit IRC01:04
*** jasonsb_ has joined #openstack-keystone01:04
openstackgerritMerged openstack/keystone: Remove unnecessary ldap imports  https://review.openstack.org/20340201:11
*** zzzeek has quit IRC01:16
*** mylu has quit IRC01:18
*** dims_ has joined #openstack-keystone01:21
*** dims has quit IRC01:22
*** roxanaghe has quit IRC01:37
*** jdandrea has quit IRC01:39
*** narengan has quit IRC01:42
*** narengan has joined #openstack-keystone01:43
*** narengan has quit IRC01:47
*** narengan has joined #openstack-keystone01:48
openstackgerritMerged openstack/python-keystoneclient: oslo-incubator apiclient.exceptions to keystoneclient.exceptions  https://review.openstack.org/20930201:50
*** piyanai has joined #openstack-keystone01:51
openstackgerritMerged openstack/python-keystoneclient: Move apiclient.base.Resource into keystoneclient  https://review.openstack.org/20959201:53
openstackgerritMerged openstack/python-keystoneclient: Deprecate openstack.common.apiclient  https://review.openstack.org/20960901:53
morganfainberghmm01:56
*** dims has joined #openstack-keystone02:03
*** dims_ has quit IRC02:05
*** dims_ has joined #openstack-keystone02:06
*** dims has quit IRC02:09
*** btully has joined #openstack-keystone02:09
morganfainbergdolphm, lbragstad, dstanek: wooooo keystone-deploy pull request liking incoming for uwsgi :)02:09
* morganfainberg just got it all working and niceeeeely02:10
*** markvoelker has quit IRC02:11
*** markvoelker has joined #openstack-keystone02:12
*** darrenc is now known as darrenc_afk02:12
*** btully has quit IRC02:13
*** dims_ has quit IRC02:22
*** spandhe has quit IRC02:28
*** narengan has quit IRC02:43
*** narengan has joined #openstack-keystone02:43
*** lhcheng has quit IRC02:45
*** narengan has quit IRC02:48
*** stevemar has joined #openstack-keystone02:50
*** ChanServ sets mode: +v stevemar02:50
*** omkarjoshi has joined #openstack-keystone02:52
*** hakimo has joined #openstack-keystone02:52
*** hakimo_ has quit IRC02:55
openstackgerritMerged openstack/python-keystoneclient: Use UUID values in v3 test fixtures  https://review.openstack.org/16854602:55
morganfainbergdstanek, jamielennox: any thoughts on using a websocket instead of pure rest for token validation from middleware?02:56
* morganfainberg is toying with ideas.02:56
jamielennoxmorganfainberg: i would expect from a pure network performance it would be the same as now because we are doing connection pooling02:56
morganfainbergjamielennox: hmm...02:57
jamielennoxmorganfainberg: however depending on how you handled it on the server side you might see a boost02:57
jamielennoxyou could auth the channel once rather than per request02:57
morganfainbergjamielennox: that is the thought02:57
morganfainbergjamielennox: it would potentially lower overhead of middelware -> keystone since the channel is auth'd until it needs to reauth (fail/restart/etc)02:58
morganfainberginstead of needing to hold a token02:58
morganfainbergyou'd still need an initial auth - but that is assumed (and re-auth if socket closes, etc)02:58
morganfainbergit would mean we don't have to process authcontext each time [we do even with pooling]02:59
*** browne has joined #openstack-keystone03:01
jamielennoxmorganfainberg: if we switch to x509 auth for service users and do connection pooling i'd be interested what the difference is03:01
morganfainbergwe'd still need to process x509 cert03:01
morganfainbergthe difference would be the same as with a token03:01
morganfainbergiirc03:01
morganfainbergor well attrs from the x509 cert03:02
jamielennoxyou'd build the AuthContext - i don't know if you'd process it each time03:02
jamielennoxi don't know how mod_ssl handles connection pools03:02
morganfainbergeach request has to process the attrs.03:02
morganfainbergyeah i don't know either03:02
morganfainbergi wonder how it's would look if we x509 -> websocket .03:03
jamielennoxi'd be interested if it makes any difference in a setup with a useful cache03:03
*** markvoelker has quit IRC03:04
jamielennoxalso i don't know how you do websockets in mod_wsgi03:04
morganfainbergoh i'm looking at uwsgi03:04
morganfainbergwe couldn't remove the ability to do REST calls03:04
morganfainbergbut we could support [if server supports] websockets etc03:05
*** piyanai has quit IRC03:05
morganfainbergjamielennox: http://stackoverflow.com/questions/13137449/combining-websockets-and-wsgi-in-a-python-app03:05
*** omkarjoshi has quit IRC03:06
jamielennoxright - that's about what i expected, you can do it with twisted, there is some support via gevent03:06
jamielennoxbut it's an entirely different process to wsgi03:06
morganfainbergyep03:06
*** lhcheng has joined #openstack-keystone03:07
*** ChanServ sets mode: +v lhcheng03:07
morganfainberguwsgi can natively handle it as well03:07
morganfainbergit's an upgrade request03:07
morganfainbergso - by all rights doable03:07
jamielennoxi have no real idea how uwsgi works03:07
morganfainbergit's a separate process manager03:07
jamielennoxthe only time ive really looked is when i was trying to run barbican and found it to be really involved but no real look at what it's doing03:08
morganfainbergso [apache] <---[socket]--> [uwsgi [APP]]03:08
jamielennoxas opposed to mod_wsgi in daemon mode?03:08
*** stevemar has quit IRC03:09
morganfainbergyeah03:09
morganfainbergapache doesn't directly manage the workers03:09
*** stevemar has joined #openstack-keystone03:09
*** ChanServ sets mode: +v stevemar03:09
morganfainbergit means you have more control over them03:09
morganfainbergamong other things03:10
morganfainbergoh look its stevemar ! hi stevemar03:11
*** stevemar has quit IRC03:13
jamielennoxmorganfainberg: it seems like something i'd build as a seperate service03:13
jamielennoxnot seperate, but do the stable binary interfaces03:13
*** urulama has quit IRC03:13
*** urulama has joined #openstack-keystone03:14
jamielennoxand have it running either from apache or standalone in it's own service03:14
morganfainbergsure.03:14
jamielennoxi don't think relying on uwsgi will help there03:14
morganfainbergwell uwsgi can natively do the websocket part03:15
morganfainbergso you're just wiring the code up behind the protocol03:15
morganfainbergrather than needing to implement the protocol using websockets or similar lib as well as the processing code03:15
*** davechen has joined #openstack-keystone03:21
*** doug-fish has quit IRC03:26
*** doug-fish has joined #openstack-keystone03:26
*** csd has quit IRC03:27
*** boris-42 has joined #openstack-keystone03:27
*** csd has joined #openstack-keystone03:29
*** marzif__ has joined #openstack-keystone03:35
*** darrenc_afk is now known as darrenc03:36
*** ayoung has quit IRC03:56
*** jamiec has quit IRC03:57
*** jamiec has joined #openstack-keystone03:58
*** jasonsb_ has quit IRC04:01
*** jasonsb has joined #openstack-keystone04:03
*** markvoelker has joined #openstack-keystone04:04
*** jecarey has joined #openstack-keystone04:06
*** markvoelker has quit IRC04:09
*** spandhe has joined #openstack-keystone04:17
*** spandhe_ has joined #openstack-keystone04:20
*** spandhe has quit IRC04:22
*** spandhe_ is now known as spandhe04:22
*** stevemar has joined #openstack-keystone04:24
*** ChanServ sets mode: +v stevemar04:24
dstanekmorganfainberg, jamielennox: are you thinking of a websocket connection for each user?04:31
morganfainbergdstanek: was thinking for each middleware04:32
jamielennoxdstanek: not thinking of anything particular, i think morganfainberg is reading through wsgi04:32
jamielennoxuwsgi04:32
dstanekah04:32
morganfainbergdstanek: so 1-(N, one per process) if we started looking at it04:32
jamielennoxbut most likely per auth_token04:32
dstanekyou'd have to be very careful multiplexing over that connection04:33
morganfainbergdstanek: it would be per-auth_token instance not 1 per nova04:33
morganfainbergso nova might have 3 instances of ATM04:33
morganfainberg(three workers)04:33
dstanekbut won't you have multiple concurrent requests through each one?04:34
morganfainbergdepend on how eventlet trampolines04:34
dstanekotherwise you just limited the cluster to 3 concurrent requests04:34
morganfainbergperhaps, but it should still all be REQ id based.04:34
morganfainbergdoable04:34
morganfainbergjust was pondering approaches that would be interesting04:35
dstanekyeah, i just don't know how the multiplexing would work with eventlet04:35
morganfainberganyway /me is off to wander brisbane a bit04:36
morganfainbergtrying to get teh sleep schedule somehow worked out for this flight tomorrow.04:36
dstanekhave fun!04:36
bigjoolsbeen to South Bank?04:36
*** vivekd has joined #openstack-keystone04:39
*** btully has joined #openstack-keystone04:54
*** yottatsa has joined #openstack-keystone05:01
*** ankita_wagh has joined #openstack-keystone05:02
*** topol has quit IRC05:04
*** topol has joined #openstack-keystone05:07
*** ChanServ sets mode: +v topol05:07
*** hrou has quit IRC05:10
morganfainbergbigjools: a bunch. :P05:17
bigjoolsmorganfainberg: I'm guessing you didn't take a swim at the city beach? :)05:17
morganfainbergHaha. No05:17
morganfainbergI was at the beach the day before I came here. Santa Monica beach > Brisbane city beach :P05:18
bigjoolsyeah but you have to travel to the coast!05:19
morganfainbergIts not that far.05:19
morganfainbergAnd if i don't move away from socal, ill05:20
morganfainbergMove back to the coast.05:20
bigjoolsThe Sunshine Coast has awesome beaches05:20
* bigjools goes back to beating Tempest into shape05:22
*** Nirupama has joined #openstack-keystone05:29
openstackgerritMerged openstack/keystone: Fix typos of RoleAssignmentV3._format_entity doc  https://review.openstack.org/20886405:31
stevemarmorganfainberg: oh hai o/05:32
morganfainbergShhhhh05:32
morganfainberg;)05:32
morganfainberg^_^05:34
stevemarmorganfainberg: oh okay05:37
stevemartopol: oh hai o/05:37
morganfainbergWhats up?05:37
stevemarmorganfainberg: i guess i'll just chat with herr doctor05:38
morganfainbergBesides insomnia for you?05:38
*** jecarey has quit IRC05:38
* morganfainberg is having a beer w/05:38
morganfainbergFlavio05:38
stevemarmorganfainberg: oh i like him05:38
topolhi stevemar05:38
stevemartopol: pm'ing you!05:38
morganfainbergtopol: teh doctor is in?05:38
topolI am here. what time is it05:38
morganfainberg1539 by my clock05:39
morganfainbergSo early.05:39
morganfainbergOr late. Or is is tomorrow?05:40
*** lsmola has joined #openstack-keystone05:43
*** omkarjoshi has joined #openstack-keystone05:44
*** omkarjoshi has quit IRC05:44
*** urulama has quit IRC05:47
*** urulama has joined #openstack-keystone05:47
*** markvoelker has joined #openstack-keystone05:51
*** josecastroleon has joined #openstack-keystone05:55
*** markvoelker has quit IRC05:56
*** sileht has joined #openstack-keystone06:01
*** yottatsa has quit IRC06:01
*** dims has joined #openstack-keystone06:03
*** dims has quit IRC06:09
*** topol has quit IRC06:12
*** ParsectiX has joined #openstack-keystone06:18
openstackgerritEdgar Magana proposed openstack/keystone: Replace / by proper syntax that was not in the original fix  https://review.openstack.org/20976806:19
*** boris-42 has quit IRC06:20
*** e0ne has joined #openstack-keystone06:21
*** vivekd has quit IRC06:24
*** vivekd has joined #openstack-keystone06:24
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/20882306:28
openstackgerritMehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF  https://review.openstack.org/20896506:37
*** afazekas_ has joined #openstack-keystone06:37
openstackgerritMehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF  https://review.openstack.org/20896506:39
*** marzif__ has quit IRC06:39
openstackgerritMehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF  https://review.openstack.org/20896506:39
openstackgerritEdgar Magana proposed openstack/keystone: Replace / by proper syntax that was not in the original fix  https://review.openstack.org/20976806:40
*** stevemar has quit IRC06:42
openstackgerritMerged openstack/keystone: Fix unbound error in federation _sign_assertion  https://review.openstack.org/20816306:45
*** lhcheng has quit IRC06:49
*** belmoreira has joined #openstack-keystone06:52
*** e0ne has quit IRC07:00
*** blogan has quit IRC07:03
*** ankita_wagh has quit IRC07:04
*** blogan has joined #openstack-keystone07:04
*** e0ne has joined #openstack-keystone07:11
*** spandhe has quit IRC07:16
*** spandhe has joined #openstack-keystone07:17
*** e0ne has quit IRC07:26
*** browne has quit IRC07:27
*** btully has quit IRC07:30
*** spandhe has quit IRC07:31
*** henrynash has joined #openstack-keystone07:37
*** ChanServ sets mode: +v henrynash07:37
morganfainbergHey henrynash how goes?07:42
henrynashmorganfainberg: excellent…you?  Back in the USA?07:43
morganfainbergNah tomorrow07:43
morganfainbergStill in the wonderful land of Brisbane07:44
*** yottatsa has joined #openstack-keystone07:44
morganfainbergLong %^# flight ensues at 1030a tomorroe and i land at 0630a tomorrow. :P07:44
*** yottatsa has quit IRC07:48
*** markvoelker has joined #openstack-keystone07:52
*** markvoelker has quit IRC07:56
*** fhubik has joined #openstack-keystone07:57
*** spandhe has joined #openstack-keystone07:58
*** RA_ has quit IRC08:04
*** kiran-r has joined #openstack-keystone08:10
*** jistr has joined #openstack-keystone08:14
*** e0ne has joined #openstack-keystone08:22
openstackgerrithenry-nash proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720208:26
*** fhubik is now known as fhubik_afk08:30
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917808:33
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162308:35
morganfainbergjamielennox: holy crap Guilty Rogue nachos. It's not often the food wins for spicy as heck.08:36
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196208:36
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430208:37
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389708:37
*** lhcheng has joined #openstack-keystone08:38
*** ChanServ sets mode: +v lhcheng08:38
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448508:39
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899508:39
*** fhubik_afk is now known as fhubik08:40
*** e0ne has quit IRC08:41
*** lhcheng has quit IRC08:43
jamielennoxmorganfainberg: really? i don't think i've ever eaten there08:50
*** fhubik is now known as fhubik_afk08:50
morganfainbergYeah was super tasty too08:52
morganfainbergBut dear god. Spicy08:52
*** marzif__ has joined #openstack-keystone08:54
*** fhubik_afk is now known as fhubik08:55
*** fhubik is now known as fhubik_afk08:55
jamielennoxmorganfainberg: have you figured out the plan for staying awake all night?08:57
morganfainbergLots and lots and lots and lots and lots and lots and lots and lots and lots and lots and lots of coffee08:58
*** e0ne has joined #openstack-keystone08:58
morganfainbergOr well do what I do most nights and get lost reading into cool08:59
morganfainbergTechnology08:59
morganfainbergAs long as I'm08:59
morganfainbergTired enough to sleep from bne -> lax I'm happy08:59
jamielennoxit's a long flight, i'm pretty sure you will09:03
*** fhubik_afk is now known as fhubik09:08
*** yottatsa has joined #openstack-keystone09:14
*** btully has joined #openstack-keystone09:17
*** btully has quit IRC09:22
*** yottatsa has quit IRC09:25
*** bdossant has joined #openstack-keystone09:25
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/20882309:29
*** yottatsa has joined #openstack-keystone09:36
*** vince_ has joined #openstack-keystone09:39
*** vince_ has quit IRC09:40
*** vincep has joined #openstack-keystone09:40
*** yottatsa has quit IRC09:41
*** e0ne has quit IRC09:43
*** yottatsa has joined #openstack-keystone09:43
*** yottatsa has quit IRC09:48
*** dims has joined #openstack-keystone09:49
*** yottatsa has joined #openstack-keystone09:49
openstackgerrithenry-nash proposed openstack/keystone: Raises exception if domain_id not specified in create call  https://review.openstack.org/20984809:51
*** markvoelker has joined #openstack-keystone09:53
*** davechen has left #openstack-keystone09:53
*** markvoelker has quit IRC09:57
dimsjamielennox: hi09:58
jamielennoxdims: hello09:58
*** hakimo has quit IRC09:58
*** e0ne has joined #openstack-keystone09:59
*** hakimo has joined #openstack-keystone09:59
dimsjamielennox: in Nova's neutronv2/api.py we use the keystonemiddleware v2 auth plugin, so one cannot use keystone v3 url it seems10:00
dimsjamielennox: https://bugs.launchpad.net/nova/+bug/148187210:01
openstackLaunchpad bug 1481872 in OpenStack Compute (nova) "[neutron]admin_auth_url does not support keystone v3 API" [Undecided,New]10:01
dimsjamielennox: i tried to use generic.Password - https://review.openstack.org/#/c/209599/4/nova/network/neutronv2/api.py,cm10:01
dimsjamielennox: but when i specify v3 api in devstack (https://review.openstack.org/#/c/209566/) - it still fails10:02
dimsjamielennox: example - http://logs.openstack.org/66/209566/2/check/gate-tempest-dsvm-neutron-full/4213a0f/logs/screen-n-api.txt.gz?level=ERROR10:02
dimsany ideas?10:03
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767510:04
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Remove services with no endpoints from catalog  https://review.openstack.org/17638310:04
*** yottatsa has quit IRC10:04
jamielennoxdims: in and out cooking dinner, i'm guessing it was quicker to make the old options work than to do this properly accepting any plugin10:06
dimsjamielennox: ack, y, no one looked at it for a year :)10:07
dimsjamielennox: thanks, no hurries as such, if you get some time tomorrow you can take a look and let me know10:07
jamielennoxdims: so the real solution is not to use generic, but to look at loading any plugin from conf10:08
jamielennoxand deprecating all those old arguments10:08
dimsjamielennox: has any projedt done this right? so i can look at how they did it?10:10
openstackgerrithenry-nash proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720210:11
jamielennoxdims: almost eveyone hacks this is some way for backwards compat10:12
jamielennoxincluding auth_token which would otherwise be the one to show10:13
openstackgerrithenry-nash proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720210:13
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917810:13
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162310:14
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196210:14
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430210:14
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389710:14
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448510:14
jamielennoxdims: i would have to look and find something, in general we don't want services doing there own auth so there isn't that much10:14
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899510:14
dimsjamielennox: ack. fwiw, i am trying to find gaps where v2 is currently used and should be switched to v310:15
jamielennoxdims: that's awesome - i've been doing the same thing10:16
jamielennoxi'm currently trying to get glance_store passing so that we can have a real gate job for it10:16
dimsgot a bug jamielennox? so i can subscribe10:17
*** btully has joined #openstack-keystone10:18
*** spandhe has quit IRC10:19
bretondims: I've found this: https://review.openstack.org/#/c/113735/210:19
bretondims: it seems to be doint the same thing you are tryin to do10:19
jamielennoxdims: not a global bug, i've been pushing it via gate jobs10:22
jamielennoxso we have10:22
dims@breton - good find!10:22
dimsjamielennox: ack10:22
*** btully has quit IRC10:22
jamielennoxi haven't looked at this part for ages10:23
jamielennoxdims: so if you look at https://review.openstack.org/#/c/209351/ there is a gate job called gate-tempest-dsvm-neutron-identity-v3-only-full  in check-experimental10:23
jamielennoxdims: that actually turns off v2 authentication, but currently devstack doesn't complete10:24
jamielennoxdims: that patch i *think* is the last one that is required10:24
dimsjamielennox: ack looking10:24
jamielennoxonce we can get tempest running we should get a good idea of everything that is failing from v210:24
*** yottatsa has joined #openstack-keystone10:25
*** eandersson has joined #openstack-keystone10:26
dimsjamielennox: gotcha10:26
jamielennoxdims: that patch is what i'm playing with right now, just trying to find out what's failing in swiftclient because it works in my devstack10:27
dimsha! cool10:27
*** lhcheng has joined #openstack-keystone10:27
*** ChanServ sets mode: +v lhcheng10:27
*** fhubik is now known as fhubik_brb10:30
*** lhcheng has quit IRC10:32
silehtjamielennox, hi, what do you think of https://review.openstack.org/#/c/208965/ , aodh and gnocchi doesn't use oslo.config global object and relies on terrible hack to make keystonemiddleware working, I try to find a clean solution to fix the issue10:35
*** josecastroleon has quit IRC10:36
jamielennoxsileht: hmm, i had a long way around to getting to that point10:37
jamielennoxbut it was a really long way10:37
jamielennoxsileht: how would i use this, it doesn't seem obvious10:37
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Omit services with no endpoint from token response  https://review.openstack.org/17638310:38
silehtjamielennox, for example I don't want to merge this: https://review.openstack.org/#/c/208632/10:42
silehtjamielennox, instead I would like to do https://review.openstack.org/#/c/208989/ with this keystonemiddleware change: https://review.openstack.org/#/c/208965/10:42
jamielennoxsileht: so i don't want to merge that either10:43
dimsjamielennox: breton: i added info what we talked about https://etherpad.openstack.org/p/keystone-v3-adoption-barriers in case it helps track things10:44
silehtjamielennox, you means the ugly hack ?10:44
jamielennoxlet me look quickly what aodh is, and why it's different to every other service10:44
jamielennoxsileht: no, the aodh thing, i can see no reason why it has to do it's own variable registration10:44
silehtjamielennox, because it doesn't setup/use cfg.CONF10:44
jamielennoxat al?10:45
jamielennoxat all?10:45
silehtat all10:45
silehtjamielennox, keystonemiddleware just don't work wihtout cfg.CONF10:45
jamielennoxright - it's not really designed to10:45
jamielennoxso swift is the only other project i've heard of that doesn't use oslo.config10:45
jamielennoxand i argue that it just should, but whatever10:45
silehtjamielennox, aodh use oslo.config but not cfg.CONF, it creates its own cfg.ConfigOpts() object10:46
jamielennoxumm,10:47
jamielennoxdoes it work to do AuthProtocol(app, dict(cfg['keystone_authtoken']))10:47
jamielennoxi think zaqar does something like that10:47
silehtjamielennox, yes but you can't do than if you use pastedeploy10:47
jamielennox...10:48
jamielennoxumm, so if you configure authtoken in the paste config in the authtoken section that will work10:49
jamielennoxthough we do consider that old behavoiur10:49
silehtyes, sure, but that deprecated so10:49
jamielennoxsileht: so i don't disagree with wanting to pass a config object if you are creating the AuthProtocol object directly10:50
jamielennoxi'm not sure i want to have an override section from config10:50
jamielennoxbecause you are still reading your options from config10:50
*** dims_ has joined #openstack-keystone10:51
bretonI thought there is already a patch that removes requirement to use CONF10:51
silehtI don't want to create the AuthProtocol object manually, we use paste-deploy to allows people to remove it10:51
*** lhcheng has joined #openstack-keystone10:51
*** ChanServ sets mode: +v lhcheng10:51
*** e0ne has quit IRC10:52
jamielennoxbreton: flavio had one wa while ago10:52
jamielennoxsileht: right10:52
jamielennoxumm, how do you construct the cfg.Conf object that isn't global from paste?10:52
silehtthe flavio one doesn't fix the same issue10:52
bretonhttps://review.openstack.org/#/c/143063/10:52
jamielennoxyea10:52
bretonoh, ok10:53
silehtjamielennox, that was https://review.openstack.org/#/c/208965/ do10:53
*** dims has quit IRC10:53
*** markvoelker has joined #openstack-keystone10:54
jamielennoxsileht: so i think it's something we should allow to pass your own oslo.config object, i don't want to support changing the keystone_authtoken section name10:54
silehtjamielennox, if pass the 'oslo_config_project' to a cfg.ConfigOpts() object that find and load the application configuration file magically10:54
jamielennoxi think10:54
*** e0ne has joined #openstack-keystone10:54
jamielennoxi don't see why we'd support changing that unless you want to run multiple auth_token middleware's in the same process - which i don't htink makes sense10:55
silehtjamielennox, we don't change the keystone_authtoken, we just want the middleware read the configuration itself10:55
*** lhcheng has quit IRC10:56
silehtjamielennox, fyi not just keystonemiddleware have this issue, but also many oslo.middleware middlewares10:56
jamielennoxsileht: right - for better or worse we generally assume that oslo.config is global10:57
silehtglobal are just worse10:57
jamielennoxi had this argument, maybe 18 months ago, gave up on that10:58
*** markvoelker has quit IRC10:58
jamielennoxsileht: so is there a reason you have to specify another whole file just to avoid the global issue?10:59
jamielennoxis there a reason why you would want to have multiple values for this10:59
silehtjamielennox, the file path is optional, it's just in case deployer doesn't use one of the discoverable location that oslo.config looks for11:01
silehtjamielennox, at this end, the application and the middleware will read the same file with my change11:01
jamielennoxsileht: so if we could figure out some way of letting you manage the Config objects and have it passed in that would be acceptable11:02
jamielennoxi would prefer to decrease our reliance on oslo.config rather than increase it11:02
silehtjamielennox, with paste-deploy 'passed in' a python object is just not possible11:02
silehtthat's why the middleware has to create it11:03
jamielennoxsileht: i'll have to think about it but i'm not a fan11:04
*** fhubik_brb is now known as fhubik11:04
jamielennoxthe advantage of oslo.config being global is that we can rely on it and don't have to worry about configuring things via paste options11:05
jamielennoxif we don't have global config then we don't have config at paste time and you have to supply options via paste11:05
jamielennoxthis is some weird hybrid where we would construct the conf, and then reconstruct it later11:06
silehtjamielennox, I really don't to see aodh the only application that doesn't use paste for config option11:06
silehtdon't/don't want11:06
silehtrephrase, I really don't want to see aodh the only application that use paste for config option11:07
jamielennoxmany things don't use conf, aodh is the first thing i've seen that wants to use paste - but not want to use paste for config11:07
jamielennoxit kind of defeats the purpose of middleware that is independent of the app11:07
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952411:07
*** josecastroleon has joined #openstack-keystone11:09
silehtjamielennox, you are currently strongly dependent on the setup BY the application of the global cfg.CONF11:09
silehtjamielennox, my change removes this deps by making keystone middleware reading its config from an oslo.config object (global or not) by its own11:10
silehtkeystonemiddleware config via paste config is the past, using the global cfg.CONF is the past too11:11
jamielennoxi'm inclined to think you should use paste's inbuilt config, or handle constructing the middleware yourself11:13
silehtI don't think deployer will like that ...11:14
silehtanyways, jamielennox thx for your time, I will try to write something on the ML about this, because many other middlewares have this issue11:15
jamielennoxsileht: yea, do the ML, and bring it up at the keystone meeting as well if you don't find enough info11:16
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin for hierarchical models  https://review.openstack.org/19841811:25
*** gordc has joined #openstack-keystone11:28
*** eandersson has quit IRC11:35
*** eandersson has joined #openstack-keystone11:36
*** fhubik is now known as fhubik_brb11:38
*** e0ne has quit IRC11:41
*** fhubik_brb is now known as fhubik11:42
samueldmqdstanek: hi, just saw your message from yesterday11:42
samueldmqbtw, morning :)11:42
samueldmqdstanek: so we control the cache on both sides, server defines the freshness, and middleware properly honor the cache values11:42
samueldmqdstanek: instead of implementing the cache control client side in ksmiddleware, we then decided to add such support with ksclient11:44
*** e0ne has joined #openstack-keystone11:44
samueldmqdstanek: your message was : "why do you need to do client side freshness at all?"11:44
*** vivekd has quit IRC12:08
*** henrynash has quit IRC12:12
*** henrynash has joined #openstack-keystone12:14
*** ChanServ sets mode: +v henrynash12:14
*** henrynash has quit IRC12:15
*** markvoelker has joined #openstack-keystone12:16
*** dims has joined #openstack-keystone12:24
*** dims_ has quit IRC12:27
*** jdandrea has joined #openstack-keystone12:30
*** jungler has quit IRC12:31
*** edmondsw has joined #openstack-keystone12:36
*** raildo has joined #openstack-keystone12:39
*** bapalm has joined #openstack-keystone12:44
*** afazekas_ has quit IRC12:50
*** marzif__ has quit IRC12:53
*** marzif__ has joined #openstack-keystone12:54
*** diazjf has joined #openstack-keystone12:56
*** Nirupama has quit IRC12:57
*** diazjf1 has joined #openstack-keystone13:03
*** diazjf has quit IRC13:05
*** kiran-r has quit IRC13:11
*** browne has joined #openstack-keystone13:15
*** yottatsa has quit IRC13:19
*** hrou has joined #openstack-keystone13:21
*** yottatsa has joined #openstack-keystone13:26
*** TheIntern has joined #openstack-keystone13:29
*** btully has joined #openstack-keystone13:29
*** vinsh has quit IRC13:29
*** petertr7_away is now known as petertr713:31
*** mestery has quit IRC13:32
*** davidckennedy has joined #openstack-keystone13:33
*** davidckennedy has quit IRC13:36
*** mestery has joined #openstack-keystone13:38
*** ayoung has joined #openstack-keystone13:39
*** ChanServ sets mode: +v ayoung13:40
*** davidckennedy has joined #openstack-keystone13:40
*** zzzeek has joined #openstack-keystone13:40
openstackgerritMerged openstack/pycadf: Updated from global requirements  https://review.openstack.org/20872613:44
*** bknudson has joined #openstack-keystone13:44
*** ChanServ sets mode: +v bknudson13:44
davidckennedyHello there, looking for reviews on bug fix reviews for #1410543 and the follow up #1436704 That's moving endpoint filtering to default driver and omitting services with no endpoints from the token response https://review.openstack.org/#/c/167675/25 and https://review.openstack.org/#/c/176383/ be nice to get them merged :)13:45
*** diazjf has joined #openstack-keystone13:45
*** edmondsw has quit IRC13:46
*** diazjf1 has quit IRC13:47
*** yottatsa has quit IRC13:49
*** vincep has quit IRC13:50
lbragstadmorganfainberg: around?13:52
lbragstadhttps://github.com/openstack/keystone/blob/4a5a12c19f9be7e09f544d7264d496268ca0a851/keystone/token/provider.py#L370-L377 I have a question on that stuff13:53
lbragstadwhere do the 'invalidate' parts get implemented?13:53
*** jecarey has joined #openstack-keystone13:54
*** sigmavirus24_awa is now known as sigmavirus2413:55
lbragstadmorganfainberg: because with https://review.openstack.org/#/c/196877/16 I'm not sure we really need to have https://github.com/openstack/keystone/blob/4a5a12c19f9be7e09f544d7264d496268ca0a851/keystone/token/provider.py#L264-L266 anymore?13:55
marekdlbragstad: i think he's on a plane now13:55
lbragstad^ or anyone who has input on the token provider stuff,13:55
openstackgerritayoung proposed openstack/keystone-specs: Whitelist IdPs  https://review.openstack.org/20994113:55
lbragstadmarekd: yeah, I figured he might be out (he was in AUS?)13:55
marekdyes13:56
*** diazjf1 has joined #openstack-keystone13:56
lbragstadthat would be a fun trip13:56
marekdin business class - maybe13:56
lbragstadmarekd: that's how morganfainberg rolls13:56
marekdlbragstad: really?13:56
*** diazjf has quit IRC13:56
marekdso now i am officially jealous13:56
* lbragstad has no idea 13:56
lbragstadbut props to morganfainberg if he is in business class13:57
marekdprops to HP :P13:57
lbragstadlol, good point13:57
*** vincep has joined #openstack-keystone13:57
*** yottatsa has joined #openstack-keystone13:59
*** diazjf has joined #openstack-keystone13:59
*** TheIntern is now known as TheIntern_awa14:00
*** diazjf1 has quit IRC14:00
*** r-daneel has joined #openstack-keystone14:01
ayounglbragstad, let me look,  I should be more up on that than I am....14:01
lbragstadayoung: thanks!14:01
ayounglbragstad, so, one hack you could do is run the coverage tests and see if anything calls that function....14:02
lbragstadayoung: I'm just trying to piece together this code path consolidation thing, and it seems like we have a bunch of validate_token(), validate_v3_token(), _validate_token(), etc...14:02
*** ParsectiX has quit IRC14:02
lbragstadayoung: running it now14:03
ayounglbragstad, yeah.  The issue is that we were, at some point, using the body of the PKI tokens to validate them14:03
ayoungand UUID token stored the whole body in the DB14:03
lbragstadah, right14:03
*** fhubik has quit IRC14:03
*** diazjf1 has joined #openstack-keystone14:03
ayounglbragstad, actually, a pretty good hack would be to change the UUID token to store the body of what you get from a  Fernet token14:03
ayoungthen treat everything else the same14:04
marekdayoung: what would be win for fernet?14:04
ayoungmarekd, none14:04
ayoungmarekd, the win would be for UUID14:04
lbragstadayoung: so then we only pass the id or the token around, versus the entire "token_ref"14:04
ayoungand getting rid of multiple code paths14:04
marekdayoung: thought you don't care about uuid14:04
*** diazjf has quit IRC14:05
ayoungmarekd, I don't care about anything14:05
*** TheIntern_awa has quit IRC14:05
marekdayoung: wise14:05
ayoungmarekd, nah, I was meaning that we could get rid of the duplicate paths.  UUID, Fernet, and PKI should all have the same core.14:05
lbragstad++14:06
ayoungPKI can't, obviously, today, but we could, in the future, replace the Sym crypto with asym.14:06
marekdayoung: preferably alons with refactoring token related code.14:06
lbragstadthat would be awesome because then we could start consolidating all the test code, too14:06
marekdit's really a pain to read it.14:06
ayoungalonsy!14:06
*** diazjf has joined #openstack-keystone14:06
marekdalong14:06
ayoungalongy!14:06
marekdalongy!14:06
dolphmayoung, that would be an interesting experiment... but still use UUID strings as the token IDs?14:07
lbragstadayoung: do you need a coffee?14:07
ayoungdolphm, yeah, still use UUID strings14:07
* lbragstad hands ayoung more coffee14:07
ayounglbragstad, I've had one cup.  Dunkins Donut.  Decent coffee, but served in styrofoam.14:07
ayoungMaybe time for a second.14:07
*** diazjf1 has quit IRC14:08
lbragstadayoung: it doesn't matter what you drink it out of as long as it isn't scotch out of a paper cup (#fail)14:08
ayounglbragstad, paper is still preferable to styrofoam to my palate14:08
*** diazjf1 has joined #openstack-keystone14:09
ayoungit's not the paper that is the problem, but the wax they put on it.14:09
ayoungI carved a couple wooden cups, which, while nicely accentuate the flavor of scotch, tend to get dried out and crack from the alcohol.  It's sad when it happens:  loud pop, followed by frantically trying to keep from losing the rest of the scotch.14:09
*** chris_19 has joined #openstack-keystone14:10
*** diazjf has quit IRC14:11
*** diazjf has joined #openstack-keystone14:11
ayoungdolphm, in order to do the uuid via  fernet  bodies, we should probably get the external token format indicator back on the fernet tokens.  That got dropped, I learned at the midcycle, in favor of putting the format inside the signed body.  I understand the rationale, but we really should make the format externally readable without decrypting14:11
lbragstaddid our coverage recently drop?14:12
*** diazjf1 has quit IRC14:13
openstackgerritDoug Fish proposed openstack/keystoneauth: Update k2k plugin with related code comments  https://review.openstack.org/20967114:13
*** diazjf1 has joined #openstack-keystone14:13
lbragstadayoung: dolphm yeah https://github.com/openstack/keystone/blob/4a5a12c19f9be7e09f544d7264d496268ca0a851/keystone/token/provider.py#L264-L266 isn't actually tested14:13
ayounglbragstad, yank it!14:14
openstackgerritMarek Denis proposed openstack/keystone: Fernet payloads for federated scoped tokens.  https://review.openstack.org/20217614:15
*** diazjf has quit IRC14:15
ayoungmarekd, do we have trust tokens still with Fernet?14:16
*** diazjf has joined #openstack-keystone14:16
marekdayoung: i think so?14:16
marekdhttps://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L11114:17
ayoungmarekd, cool.  Thanks14:17
*** diazjf1 has quit IRC14:17
lbragstadyeah, i'm going to pull it and run tests...14:18
marekdlbragstad: you have some machines with federation configured somewhere?14:18
marekdmine must boot.14:18
marekdand i destroyed them yesterday14:18
lbragstadmarekd: yes sir, I can deploy federation for you *instantly*14:18
*** diazjf1 has joined #openstack-keystone14:18
* lbragstad is really proud of that14:18
marekdlbragstad: wow, must be that famous western technology! :-)14:19
lbragstadmarekd: lol14:19
*** piyanai has joined #openstack-keystone14:19
*** elmiko has joined #openstack-keystone14:20
elmikohey keystoners /me giggles14:20
*** diazjf has quit IRC14:20
elmikoi'm messing with Session based clients, i'm curious what the thoughts are on manually setting user_id and project_id in my client objects14:21
*** diazjf has joined #openstack-keystone14:21
elmikois this permitted, advisable, verboten, etc?14:21
marekdlbragstad: dolphm my thought experiment exposes some minor problem with fernet and federation token. A mapping rule can specify an id and the name of the ephemeral user. And this will be reflected in the JSON response of the *unscoped* token, whereas later, when the response of the *scoped* token is built based on fernet payload (where we keep only user_id), it will be basically user_id and old,14:21
marekdcustom user_name will not be preserved.14:21
*** topol has joined #openstack-keystone14:21
*** ChanServ sets mode: +v topol14:21
marekdHow about we disable setting custom user names?14:21
elmikoi can see that user_id and project_id will accept changes, tenant_id not so much, are there any plans to make user_id and project_id read-only?14:22
*** diazjf2 has joined #openstack-keystone14:22
*** diazjf1 has quit IRC14:23
*** urulama has quit IRC14:23
ayoungelmiko, make everything read only14:23
openstackgerritDoug Fish proposed openstack/python-keystoneclient: Add Keystone2Keystone auth plugin for K2K  https://review.openstack.org/20758514:23
*** urulama has joined #openstack-keystone14:23
elmikoayoung, is that a future plan for Client objects?14:23
ayoungelmiko, do it now14:23
ayoungLDAP is already assumed to be read only14:24
petertr7Hi! I'm using python-keystone client v2. I was wondering if anyone could help illuminate some issues I've encountered.14:24
ayoungwell,  I assume it is14:24
elmikoayoung, no no, i don't want to. i want to set user_id and project_id for Session/Auth based clients since they don't get set14:24
elmikoayoung, so, i make a client with Client(session=Session, auth=Auth), now user_id isn't set14:24
elmikoayoung, and apparently i can only determine it with the Auth object14:25
*** diazjf has quit IRC14:25
elmikoayoung, so, should i be passing Auth objects around instead of Client objects when i need to know a user_id?14:25
ayoungAuth object doesn't refetch token unless it needs to, and sets, internally the Auth context, which includes the user name14:25
*** dims has quit IRC14:25
ayoungelmiko, according to jamielennox you should be.  jamielennox is smart.  I'd listen to him14:26
elmikoayoung, ok, so pass Auth plugin objects around, and only get a Client when needed?14:26
*** dims has joined #openstack-keystone14:26
*** diazjf has joined #openstack-keystone14:26
elmikoayoung, +1 about jamielennox == smart14:26
ayoungelmiko, yep.  Even better, pass around sessions14:26
*** diazjf2 has quit IRC14:26
elmikoayoung, but i want to separate Sessions from Auths14:27
ayoungelmiko, let me restart:  if possible, pass around sessions14:27
elmikoayoung, fair14:27
ayoungelmiko, I'm closer to swarthy, but have not been out in the sun enough the summer to really justify the  term14:27
*** afazekas_ has joined #openstack-keystone14:27
elmikoayoung, arrr ?14:28
* elmiko makes pirate face14:28
*** edmondsw has joined #openstack-keystone14:28
ayoungelmiko, yeah, but I'm from New England.  Around here, pirates say aaaaaahhhh.14:28
elmikoayoung, lol, ahh that poor R14:28
elmikoayoung, need to go buccaneering to get it back ;)14:29
elmikoayoung, thanks for the advice14:29
*** diazjf1 has joined #openstack-keystone14:30
*** diazjf has quit IRC14:31
samueldmqare there any integration tests for osclient -> ksclient ?14:31
*** stevemar has joined #openstack-keystone14:31
*** ChanServ sets mode: +v stevemar14:31
*** yottatsa has quit IRC14:33
*** diazjf has joined #openstack-keystone14:33
*** diazjf1 has quit IRC14:34
stevemardstanek: dolphm morganfainberg lbragstad ayoung marekd: need a non-ibmer on this one: https://review.openstack.org/#/c/168521/14:35
marekdstevemar: let me check14:35
*** yottatsa has joined #openstack-keystone14:35
*** diazjf1 has joined #openstack-keystone14:36
dstanekstevemar: i love the test there14:38
*** diazjf has quit IRC14:38
*** jasondot_ is now known as jasondotstar14:38
stevemardstanek: i love it because only bknudson would add a test for docs <314:39
marekdstevemar: so why are _grant_resources used the way they are used? :-)14:39
*** diazjf has joined #openstack-keystone14:40
bretonhttps://review.openstack.org/#/c/102958/ -- why was audit middleware merged to stable/juno after release, but to stable/juno branch? Was ksm juno out of sync with other juno components?14:40
breton*was merged after release, but to stable/juno branch?14:41
*** diazjf1 has quit IRC14:41
*** phalmos has joined #openstack-keystone14:41
bretongordc:14:41
gordcbreton: i don't get it. your link points to master14:43
*** marzif__ has quit IRC14:43
*** diazjf1 has joined #openstack-keystone14:43
*** afazekas_ has quit IRC14:43
bretonit is to master. But audit.py is included in stable/juno.14:44
*** marzif__ has joined #openstack-keystone14:44
*** diazjf has quit IRC14:44
bretonby that commit14:45
*** kiran-r has joined #openstack-keystone14:45
*** diazjf has joined #openstack-keystone14:47
*** diazjf1 has quit IRC14:48
*** tqtran-afk has joined #openstack-keystone14:49
*** dsirrine has quit IRC14:49
bretonjuno was released in october. The merge happened in december to master, however the change is still in stable/juno. How could that happen?14:49
bknudsonstevemar: dstanek: you can write a test for anything14:50
dstanekdamn... marekd beat me to it :-(14:51
bretonyou can even write a test for a test.14:51
dstanekbreton: i actually just did something like that...actually a test for the test setUp14:51
*** diazjf1 has joined #openstack-keystone14:52
gordcbreton: i assume it's because the requirements for juno are capped beyond the keystonemiddleware release which includes audit14:52
*** e0ne has quit IRC14:52
*** TheIntern has joined #openstack-keystone14:53
*** diazjf has quit IRC14:54
bknudsonjamielennox: got a minute? https://review.openstack.org/#/c/168546/ for keystoneauth14:55
*** diazjf has joined #openstack-keystone14:55
*** diazjf1 has quit IRC14:56
*** e0ne has joined #openstack-keystone14:57
*** r-daneel has quit IRC14:58
*** tqtran-afk is now known as tqtran14:59
*** kiran-r has quit IRC14:59
*** bapalm_ has joined #openstack-keystone15:00
*** narengan has joined #openstack-keystone15:00
*** r-daneel has joined #openstack-keystone15:01
*** bapalm has quit IRC15:01
*** diazjf has quit IRC15:01
*** diazjf has joined #openstack-keystone15:01
*** phalmos has quit IRC15:01
*** mylu has joined #openstack-keystone15:04
*** narengan has quit IRC15:07
*** spandhe has joined #openstack-keystone15:07
*** narengan has joined #openstack-keystone15:07
*** diazjf1 has joined #openstack-keystone15:08
*** diazjf has quit IRC15:09
marekddstanek: btw, how are functional tests going? :-)15:09
marekddstanek: i must confess i haven't worked much recently on that15:09
marekdtomorrow maybe ?15:10
*** phalmos has joined #openstack-keystone15:10
*** spandhe_ has joined #openstack-keystone15:10
dstanekmarekd: i only have a tiny bit...been distracted with other things15:10
*** narengan has quit IRC15:12
*** spandhe has quit IRC15:12
*** spandhe_ is now known as spandhe15:12
*** diazjf has joined #openstack-keystone15:12
*** diazjf1 has quit IRC15:12
*** narengan has joined #openstack-keystone15:13
*** gyee has joined #openstack-keystone15:14
*** ChanServ sets mode: +v gyee15:14
*** narengan has quit IRC15:15
*** narengan has joined #openstack-keystone15:16
*** narengan_ has joined #openstack-keystone15:17
*** yottatsa has quit IRC15:18
*** diazjf1 has joined #openstack-keystone15:19
*** diazjf has quit IRC15:19
*** narengan has quit IRC15:21
*** diazjf has joined #openstack-keystone15:23
*** diazjf1 has quit IRC15:25
*** chris_19 has left #openstack-keystone15:26
*** diazjf1 has joined #openstack-keystone15:29
*** roxanaghe has joined #openstack-keystone15:29
*** diazjf has quit IRC15:29
*** diazjf has joined #openstack-keystone15:31
*** diazjf1 has quit IRC15:33
*** diazjf1 has joined #openstack-keystone15:34
*** diazjf has quit IRC15:35
stevemarmarekd: dstanek i have also been distracted15:40
*** kiran-r has joined #openstack-keystone15:40
stevemari'll help tomorrow if we're all doing something15:40
marekdstevemar: would be cool15:40
*** mylu has quit IRC15:42
*** diazjf has joined #openstack-keystone15:42
*** mylu has joined #openstack-keystone15:42
*** diazjf1 has quit IRC15:43
openstackgerritBrant Knudson proposed openstack/keystoneauth: Update .gitignore  https://review.openstack.org/20999615:45
stevemarbknudson: sorry about the twins15:46
*** diazjf1 has joined #openstack-keystone15:46
bknudsonstevemar: I don't think it's fair to bring in a bunch of ringers just before the series.15:47
stevemarbknudson: it's probably not, but i'm too selfish to care15:47
stevemarwe really need them for the yanks on thursday, the series against the twins was to warm them up15:48
*** diazjf has quit IRC15:48
*** diazjf has joined #openstack-keystone15:49
*** dguerri` is now known as dguerri15:50
*** btully has quit IRC15:50
openstackgerritEdgar Magana proposed openstack/keystone: Replace / by proper syntax that was not in the original fix  https://review.openstack.org/20976815:50
*** mylu has quit IRC15:51
*** diazjf1 has quit IRC15:51
*** TheIntern has quit IRC15:51
*** urulama has quit IRC15:52
*** mylu has joined #openstack-keystone15:52
*** petertr7 is now known as petertr7_away15:52
*** urulama has joined #openstack-keystone15:52
*** diazjf1 has joined #openstack-keystone15:52
*** phalmos has quit IRC15:53
*** diazjf has quit IRC15:53
openstackgerritAlexander Makarov proposed openstack/keystone: Make application initialization a critical section  https://review.openstack.org/21000115:54
*** _cjones_ has joined #openstack-keystone15:55
*** diazjf has joined #openstack-keystone15:55
*** diazjf1 has quit IRC15:57
bknudsonstevemar: looks like there's other changes missing from keystoneauth that were made to keystoneclient fixtures...15:58
*** diazjf1 has joined #openstack-keystone15:58
bknudsonstevemar: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/fixture/v3.py#n408 -- that stuff is in keystoneclient but not in keystoneauth15:59
bknudsonso when we switch to keystoneauth we're going to lose a bunch of fixes.15:59
*** TheIntern has joined #openstack-keystone15:59
*** diazjf has quit IRC16:00
*** diazjf has joined #openstack-keystone16:01
*** rm_work is now known as rm_work|away16:02
*** marzif__ has quit IRC16:03
stevemarbknudson: i think that was a while ago...16:03
*** diazjf1 has quit IRC16:03
*** belmoreira has quit IRC16:03
*** diazjf1 has joined #openstack-keystone16:04
*** phalmos has joined #openstack-keystone16:04
*** ParsectiX has joined #openstack-keystone16:05
*** vincep has quit IRC16:05
*** diazjf has quit IRC16:06
*** hogepodge has quit IRC16:06
*** hogepodge has joined #openstack-keystone16:07
openstackgerritEdgar Magana proposed openstack/keystone: Fix explicit line joining with backslash  https://review.openstack.org/20976816:09
*** geoffarnold has joined #openstack-keystone16:09
openstackgerritMerged openstack/keystone: Document policy target for operation  https://review.openstack.org/16852116:11
*** diazjf has joined #openstack-keystone16:11
*** jistr has quit IRC16:12
*** kiran-r has quit IRC16:12
*** ParsectiX has quit IRC16:12
*** diazjf1 has quit IRC16:13
*** TheIntern has quit IRC16:15
openstackgerritBrant Knudson proposed openstack/keystoneauth: Add role_ids, role_names to v3 fixture  https://review.openstack.org/21001016:16
*** diazjf1 has joined #openstack-keystone16:16
openstackgerritBrant Knudson proposed openstack/keystoneauth: Add role_ids, role_names to v3 fixture  https://review.openstack.org/21001016:17
*** diazjf has quit IRC16:18
*** diazjf has joined #openstack-keystone16:19
*** spandhe has quit IRC16:19
*** diazjf1 has quit IRC16:21
*** phalmos has quit IRC16:27
*** lhcheng has joined #openstack-keystone16:32
*** ChanServ sets mode: +v lhcheng16:32
*** vivekd has joined #openstack-keystone16:33
*** davidckennedy has quit IRC16:37
*** jdandrea has quit IRC16:38
*** jdandrea has joined #openstack-keystone16:39
*** dguerri is now known as dguerri`16:40
*** bdossant has quit IRC16:41
*** phalmos has joined #openstack-keystone16:43
*** iamjarvo has joined #openstack-keystone16:43
gyeeamakarov, left you some comments on the materialized path patch, see if they make sense16:44
*** mylu has quit IRC16:44
*** mylu has joined #openstack-keystone16:45
*** mylu has quit IRC16:47
amakarovgyee, hi! You've stated the very same concerns I have :) I16:47
amakarovI'll explain now in the comments16:47
*** diazjf1 has joined #openstack-keystone16:47
*** diazjf has quit IRC16:47
*** btully has joined #openstack-keystone16:48
*** diazjf1 has left #openstack-keystone16:48
*** ParsectiX has joined #openstack-keystone16:48
gyeeamakarov, and this patch https://review.openstack.org/#/c/210001/116:49
openstackgerritArun Kant proposed openstack/pycadf: Adding barbican specific base resources.  https://review.openstack.org/21002316:49
*** mylu has joined #openstack-keystone16:49
gyeedo you actually use multithreading instead of multiprocess when running in Apache?16:50
gyeeI am not sure what benefits we get out of multithreading16:50
*** urulama has quit IRC16:50
*** urulama has joined #openstack-keystone16:50
amakarovgyee, yes, and I don't like it too, but we still use persistent tokens, so we have to use token storage backend16:51
openstackgerritArun Kant proposed openstack/pycadf: Adding barbican specific base resources.  https://review.openstack.org/21002316:51
amakarovto reduce failover time memcache pool must be shared16:51
*** btully has quit IRC16:52
amakarovgyee, if we run keystone in several processes, every process keeps its own information of memcached servers availability16:53
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/20952416:53
*** spandhe has joined #openstack-keystone16:54
gyeeamakarov, memcached is shared right? only in-process cache is not16:54
amakarovgyee, so it's possible that process1 places a token in memcached1 while process2, which is asked to validate that token, looks for it on memcache316:54
*** ankita_wagh has joined #openstack-keystone16:55
amakarovgyee, the cache itself - yes16:55
amakarovthe information about which memcached servers are down - no16:55
amakarovgyee, HA suffers a lot16:56
*** iamjarvo has quit IRC16:56
*** josecastroleon has quit IRC16:56
gyeeamakarov, yeah, we don't use memcached for token persistence, we use mongo16:56
*** phalmos has quit IRC16:56
gyeewhich replicates16:56
gyeebut yeah, I can see how memcache suffers16:57
amakarovgyee, that's risky16:57
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Inhrerit roles project calls on keystoneclient v3  https://review.openstack.org/16761316:57
amakarovgyee, but not riskier than memcache though :)16:58
htruta_hey lhcheng, looks like we had some rebase problems and the patch could not be merged: https://review.openstack.org/16761316:58
htruta_could you workflow it again?16:58
lhchenghtruta_: sure16:58
htruta_lhcheng: cool. thanks16:59
lhchenghtruta_: np16:59
*** htruta has quit IRC17:00
*** htruta_ has quit IRC17:00
*** htruta has joined #openstack-keystone17:01
*** bapalm_ has quit IRC17:01
openstackgerritRoxana Gherle proposed openstack/keystone: Fernet 'expires' value loses 'ms' after validation  https://review.openstack.org/21003717:05
*** gyee has quit IRC17:05
*** piyanai has quit IRC17:05
*** petertr7_away is now known as petertr717:08
*** piyanai has joined #openstack-keystone17:09
*** vivekd has quit IRC17:10
*** ParsectiX has quit IRC17:10
*** ParsectiX has joined #openstack-keystone17:12
*** chlong has quit IRC17:14
*** iamjarvo has joined #openstack-keystone17:18
*** yottatsa has joined #openstack-keystone17:21
openstackgerritRoxana Gherle proposed openstack/keystone: Fernet 'expires' value loses 'ms' after validation  https://review.openstack.org/21003717:21
*** ParsectiX has quit IRC17:21
*** piyanai_ has joined #openstack-keystone17:25
openstackgerritDolph Mathews proposed openstack/keystone: Test the claimed expires_at & created_at timestamps for Fernet  https://review.openstack.org/20802117:27
*** piyanai has quit IRC17:28
*** piyanai_ is now known as piyanai17:28
*** iamjarvo has quit IRC17:28
openstackgerritDolph Mathews proposed openstack/keystone: Test the claimed expires_at & created_at timestamps for Fernet  https://review.openstack.org/21004917:28
*** samleon has quit IRC17:30
*** samleon has joined #openstack-keystone17:31
bretonsamleon: ping17:31
openstackgerritDolph Mathews proposed openstack/keystone: Validate domain ownership for v2 tokens  https://review.openstack.org/20806917:32
openstackgerritDolph Mathews proposed openstack/keystone: Fix the claimed expires_at & created_at timestamps for Fernet  https://review.openstack.org/20802117:32
samleonbreton: how's it going?17:33
bretonsamleon: cool! I'm testing the x.509 stuff now and ran into an issue17:34
bretondefault devstack + x.509 patch17:34
bretonhttp://paste.openstack.org/show/411219/ -- apache config17:34
*** petertr7 is now known as petertr7_away17:34
samleonbreton: looking17:35
*** petertr7_away is now known as petertr717:35
notmynamemay I have some review love on https://review.openstack.org/#/c/179777/. It's affecting some customers and I'd like to see it land soon17:35
*** henrynash has joined #openstack-keystone17:35
*** ChanServ sets mode: +v henrynash17:35
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687717:36
bretonwhen I create an idp I get http://paste.openstack.org/show/411221/17:36
bretonin keystone log there is this: http://paste.openstack.org/show/411222/17:37
samleonbreton: looks like you're using v2 api, only v3 supports it17:37
bretonsamleon: I put OS_IDENTITY_API_VERSION=3 there. And even if I set OS_AUTH_URL to /v3/, it still fails.17:38
samleonis it the same message?17:39
bretonWARNING: keystoneclient.auth.identity.base Failed to contact the endpoint at http://10.0.2.15:35357/v2.0 for discovery. Fallback to using that endpoint as the base url.17:40
bretonERROR: openstack Bad Request (HTTP 400)17:40
bretonyes, the same17:40
samleonwhat request did you make?17:40
bretonOS_AUTH_URL=https://localhost:35357/v3/ OS_IDENTITY_API_VERSION=3 openstack --insecure identity provider create --description "IdP for x.509 fixed" --enable ab4908e6bb4950dd99f1d715d1a7bc723e01d138920219e96027c73141f0698617:40
samleonok, so you are trying to create an idp17:41
bretonyes, and I did "source openrc admin admin" before it.17:42
bretonoooh!17:43
bretonsamleon: I know!17:43
*** markvoelker has quit IRC17:44
*** mylu has quit IRC17:44
* lhcheng waiting for the answer :)17:44
samleonbreton, that did not work, you can try just using curl, that's what i use17:44
bretonsamleon: https://review.openstack.org/#/c/156870/48/keystone/middleware/core.py17:44
lhchengbreton: what's the issue? :)17:44
bretonwhen I try to authenticate with my username/password, I don't have AUTH_TOKEN_HEADER yet17:45
*** roxanaghe has quit IRC17:46
lhchengbreton: not sure if that is related..17:46
lhchengbreton: did you set your public_endpoint in the keystone.conf to point to  https://../v3?17:47
*** eandersson has quit IRC17:47
bretonnope, I didn't. I'll do that now...17:47
samleonbreton, yeah, that's still not x509 related yet. but you will need to get your token with your username/password before you can validate a subject_auth token17:47
lhchengI think the issue you hit is something in the internal discovery code of ksc17:47
bretonlhcheng: #public_endpoint = <None>17:48
bretonshould I change it?17:48
*** urulama has quit IRC17:48
*** urulama has joined #openstack-keystone17:48
*** TheIntern has joined #openstack-keystone17:49
lhchengbreton: yeah, see if it helps17:49
lhchengbreton: I've also used straight up curl when I created the IdP17:49
bretonlhcheng: how did you auth to create an idp?17:49
bretonhttp://paste.openstack.org/show/411224/ -- this are the headers right before the check17:51
breton*these17:51
lhchengbreton: http://paste.openstack.org/show/411226/17:52
bretonlhcheng: yes. X-Auth-Token:$admin_token.17:52
bretonlhcheng: and I try to do it with admin account17:52
samleonbreton: i would suggest to just use curl, it will give you better cure if any issues17:52
openstackgerrithenry-nash proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720217:53
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/14917817:54
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/15162317:54
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/15196217:54
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/15430217:54
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/15389717:54
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448517:54
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899517:54
bretonfolks, it is impossible to get a token by credentials, because AUTH_TOKEN_HEADER is not in the env when user sends his username and password. Look, the token is not in headers: http://paste.openstack.org/show/411224/. And there is a check that says "if the token is there, build a context with it. If not, check that x.509 is enabled. If not, tell him to go away"17:55
*** mylu has joined #openstack-keystone17:56
*** mylu has quit IRC17:57
samleonbreton: i have some curl commands to create idp, protocol and mapping here, it may help http://paste.openstack.org/show/411227/17:57
openstackgerritLance Bragstad proposed openstack/keystone: Removed WIP tests for Fernet  https://review.openstack.org/21006817:57
bretonsamleon: try to authenticate a user by username/password with your patch.17:59
lbragstaddolphm: I can run that ^ locally and get past those two failures17:59
lbragstadlooks like the fernet provider is successfully passing those tests new17:59
lbragstadnow*17:59
*** narengan_ has quit IRC18:00
samleonbreton: you suppose don't need to use username/password to authenticate with my patch18:00
*** narengan has joined #openstack-keystone18:00
samleonbreton: the user case would be: 1. client user uses username/password to authenticate to get a token like the general case18:01
henrynashdstanek: thanks for your comments on https://review.openstack.org/#/c/137202/ , I answered or fixed them…see my note on testing…and whether you are happy with that plan…18:02
samleonbreton: 2. you try to verify this token with the provided client certificate18:03
*** bapalm has joined #openstack-keystone18:04
samleonbreton: let me send you the curl command i use for token validation18:04
*** narengan has quit IRC18:05
*** markvoelker has joined #openstack-keystone18:05
*** phalmos has joined #openstack-keystone18:06
bretonhm.18:06
bretonI think you are right.18:06
*** mylu has joined #openstack-keystone18:06
bretonsorry about the hassle.18:06
henrynashstevemar, lbragstad: gentle nudge if you have any time to look at: https://review.openstack.org/#/c/137202/ , trying to get this in to unblock other things….18:07
bretonI guess this is indeed something weird with osc discovery.18:08
samleonbreton: here are some examples to get the client token, validate the token with a general way and with a x509 way, http://paste.openstack.org/show/411228/18:08
samleonbreton: hope this helps18:08
bretonsamleon: thank you!18:09
samleonbreton: you are welcome!18:09
lbragstadhenrynash: sounds good, thanks!18:09
samleonlhcheng: are you still reviewing my patch ;-)?18:10
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin for hierarchical models  https://review.openstack.org/19841818:11
lhchengsamleon: I haven't got the chance to review it again, internal work getting in the way :-)18:12
samleonlhcheng: no problem. appreciate for your time when you have a chance again ;-)18:13
lhchengsamleon: I've looked at the core code  seems pretty close, just haven't gone through the tests.18:13
samleonlhcheng: or i will come over to your office to bug you, haha ;-)18:13
dstanekhenrynash: cool, looking now18:15
lhchengsamleon: lol18:15
henrynashdstanek: thx18:15
*** yottatsa_ has joined #openstack-keystone18:16
*** phalmos has quit IRC18:16
dstanekhenrynash: for that domain_id comment. should we raise an exception saying domain role assignments are now supported? otherwise you'd never know and think the empty list is correct18:17
*** phalmos has joined #openstack-keystone18:17
*** yottatsa has quit IRC18:19
henrynashdstanek: domain assignments are still not supported (with the LDAP backend)….and an empty list is what you would get today with the filtering in the controller…so we were trying to keep it the same18:19
dstanekhenrynash: ah, i see. fair enough18:19
*** amakarov is now known as amakarov_away18:22
*** josecastroleon has joined #openstack-keystone18:23
openstackgerritBrant Knudson proposed openstack/keystone: Documentation for other services  https://review.openstack.org/20480118:24
*** narengan has joined #openstack-keystone18:24
*** narengan has quit IRC18:24
*** narengan has joined #openstack-keystone18:25
dstanekhenrynash: there appears to be logic removed from the controller (lots of stuff with OS-INHERIT) - was that not needed anymore18:27
henrynashdstanek: that has all moved to the manager18:27
*** tqtran has quit IRC18:27
henrynashdstanek: the old logic was….get me all the assignments in the system, then post process them to filter what you want18:28
henrynashdstanek: the new logic (in the manager) is: only ask the DB for those assignments that could affect the output based on the filters specified…and then expand any of those18:28
*** narengan has quit IRC18:29
openstackgerrithenry-nash proposed openstack/keystone: Raises exception if domain_id not specified in create call  https://review.openstack.org/20984818:30
dstanekhenrynash: i don't see any os-inherit stuff in core at all.18:31
henrynashdstanek: so the OS-INHERIT extension is about to move to core…but not sure that is your question..do you mean in the new code you don't see where this is handled?18:32
*** ayoung has quit IRC18:34
henrynashdstanek: in the new patch, the controller still formats the response (for instance putting in links to the OS-INHERIT api), but the manager does the filtering logic18:34
dstanekhenrynash: in the old code it's looking for OS-INHERIT:inherited_to in the scope and then expands the project_ids. is that in the new code hidden somewhere?18:36
*** btully has joined #openstack-keystone18:36
*** e0ne has quit IRC18:37
*** mtreinish has quit IRC18:37
dolphmis Roxana Gherle in IRC?18:39
henrynashdstanek: so in terms of the filter specified, we still process that (see line 617 on controller)18:39
lbragstaddolphm: I thought they were in here earlier, but I can't seem to find the nick18:39
*** mtreinish has joined #openstack-keystone18:39
*** jasonsb has quit IRC18:40
*** btully has quit IRC18:40
*** gyee has joined #openstack-keystone18:40
*** ChanServ sets mode: +v gyee18:40
*** jasonsb has joined #openstack-keystone18:40
henrynashdstanek: and the formatting part in the old controller code was “self generated”…i.e. format_entity first processed the list from the manager, and then expand_indirect_assignments() used that formatting18:43
henrynashdstanek: nipping off line, be back on later18:43
dstanekhenrynash: ok, coverage running now18:43
henrynashdstanek: and take a look at all the data driven test patches that follow to beef up the manager level testing18:44
*** jasonsb has quit IRC18:45
*** iamjarvo has joined #openstack-keystone18:46
*** navid__ has joined #openstack-keystone18:47
dstanekhenrynash: will do18:49
*** narengan has joined #openstack-keystone18:52
lbragstaddolphm: curious what your thoughts are on the last comment I left here. https://review.openstack.org/#/c/210049/18:52
*** josecastroleon has quit IRC18:53
*** phalmos has quit IRC18:53
*** harlowja has quit IRC18:56
*** narengan_ has joined #openstack-keystone18:59
dstaneklbragstad: s/comment/dissertation/19:00
dolphmlbragstad, "When we validate, we are using the creation timestamp that is created by cryptography, which might be ever so slightly different." why could it be different?19:00
dolphmlbragstad, the creation timestamp persisted into the token by cryptography should be exactly what we're using everywhere19:01
*** narengan has quit IRC19:01
*** phalmos has joined #openstack-keystone19:02
lbragstaddolphm: cryptography runs https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L49 at a different time than we do,19:03
lbragstadthey also cast it to an integer19:03
lbragstadwhich is where we lose the microsecond precision19:03
lbragstadwe do this: https://github.com/openstack/keystone/blob/74575a66f1113ac0452da9982b345dec18ec0f32/keystone/token/providers/common.py#L41519:03
dolphmlbragstad, ah, i see what you mean. we should pull that timestamp out and use that19:03
dolphmlbragstad, otherwise, we have a transient error19:03
bknudsongood catch, lbragstad!19:04
dolphmlbragstad, I COULD NOT FIND THAT LINE OF CODE the other day UGH. i saw the behavior occurring but could not find it.19:04
*** roxanaghe has joined #openstack-keystone19:04
*** iamjarvo has quit IRC19:04
lbragstadso, I think we have to go with least common denominator;19:04
dolphmlbragstad, that line is an infuriating bug lol19:04
lbragstaddolphm: :)19:05
lbragstadbknudson: thanks!19:05
*** narengan_ has quit IRC19:05
lbragstadso because we rely on validating (and re-inflating) the creation time from the fernet token, we have to be fine with microsecond precision loss19:05
*** narengan has joined #openstack-keystone19:05
dolphmlbragstad, agree, but Roxana made a comment that i want to investigate.. she said that although the fernet creation timestamp is an integer, we're putting a float expiration in the token. so creation must be .00000Z but expiration could be a non-zero microsecond19:07
stevemarlhcheng: osc meeting if you want :)19:07
lhchengstevemar: thanks for the reminder!19:08
lbragstaddolphm: yeah, for expiration that would work, we could maintain microsecond precision because we have control over it19:09
lbragstadbut for issued at, we don't19:09
*** piyanai has quit IRC19:09
dolphmlbragstad, but is that statement true? we store a float in the payload for expiration19:09
*** piyanai has joined #openstack-keystone19:09
dolphmlbragstad, that would explain why her fix works, i believe19:10
samueldmqnext-review; echo $?19:10
samueldmq19519:10
samueldmqomb19:10
samueldmqomg*19:10
dstanekhmmm... somehow keystone.db is back19:11
dstanekand these ldap tests *always* fail for me!19:11
openstackgerritDavid Stanek proposed openstack/keystone: Fixes an issue with data ordering in the tests  https://review.openstack.org/21008619:12
openstackgerritDavid Stanek proposed openstack/keystone: Adds backend check to setup of LDAP tests  https://review.openstack.org/21008719:12
openstackgerritDavid Stanek proposed openstack/keystone: Creates a fixture representing as LDAP database  https://review.openstack.org/21008819:12
dstanekforgot to push those up yesterday...19:12
*** piyanai has quit IRC19:12
dolphmsamueldmq, :)19:13
dolphmdstanek, really?19:13
samueldmqstevemar, henrynash, lhcheng : I'd appreciate your eyes on 2 osclient patches related to inherited roles (https://review.openstack.org/#/c/209980/ and https://review.openstack.org/#/c/122179/)19:13
dstanekyep19:13
* bknudson wonders what else dstanek has hiding in his local repos.19:14
lbragstaddolphm: after roxana's patch we will store a float in the fernet payload19:14
dstanekdolphm: that data ordering patch shows what i'm experiencing19:14
lbragstadbknudson: you should look at his git stash repo sometime...19:14
samueldmqdolphm: yeah, there's a ton of reviews to be done, I need to dust my reviewer hat and start reviewing again19:14
samueldmq:)19:14
*** iamjarvo has joined #openstack-keystone19:15
lbragstaddolphm: I think one of the issues is that we calculate the issued at time in keystone, but then we rely on fernet for the issued_at time when we validate the token.19:15
dstaneklbragstad: it's not that bad19:16
lbragstadI think it's what causes the inconsistency between microsecond precision when validating a token19:17
* lhcheng samueldmq adding to my review list19:17
samueldmqlhcheng: appreciate, thanks19:17
*** ankita_w_ has joined #openstack-keystone19:17
dstaneklbragstad: i have probably 50 things stashed on this VM, not sure about my other two19:17
bknudson50 patches and keystone is back to being perfect.19:19
dolphmmorganfainberg, i know you're in a crazy timezone, but if you get this... i saw you comment the other day that you wished auth was not tied to the API versioning... i have some questions about that, when you have time. primarily: do you consider token validation to be part of "auth" that you wished was version-less?19:19
dolphmbknudson, link? ;)19:19
bknudsondolphm: they're stashed in dstanek's git repo19:19
dolphmoh dstanek's stuff lol19:19
bknudsonmaybe you can wring them out of him19:19
morganfainbergZzz so the way I see it validation would also ask for the form19:20
dolphmsamueldmq, how do you find next-review? i actually stopped using it because i find myself more closely focused on a subset of reviews, for better or worse19:20
samueldmqdolphm: on that conversation, I think we can infer the token version based on its format, so we can validate it19:20
*** ankita_w_ has quit IRC19:20
dstanekbknudson: i wish it was only 50 patches away from being perfect19:20
*** ankita_wagh has quit IRC19:20
morganfainbergEg: I want this token validated as v2 or v3. If not specified whatever the default is19:20
*** ankita_wagh has joined #openstack-keystone19:20
morganfainbergWe should never remove a form of auth validation (except v2, cause... $reasons)19:21
samueldmqdolphm: actually, I get to a change and then look at the related in the chain, when a chain is done, next-review again, if that makes sense19:21
morganfainbergdolphm: will be in non crazy timezone in about 19hrs19:21
*** piyanai has joined #openstack-keystone19:21
*** mylu has quit IRC19:21
dolphmsamueldmq: so you go up the chain and review from there?19:22
samueldmqdolphm: although if time's short, we can just prioritize ourselves and get the subset of reviews that is more convenient at the time19:22
*** jasonsb has joined #openstack-keystone19:22
dolphmmorganfainberg: then if you're busy (or dead tired) now, consider it food for thought later19:22
samueldmqdolphm: yeah, so if next-review supported that would be nice, i.e always start at the beginning of the chain, and next will give the next one in the chain, if not reviewed yet19:22
dolphmsamueldmq: do you star reviews that you're interested in? or consider priority19:23
*** yottatsa_ has quit IRC19:23
morganfainbergdolphm: read up in the backscroll. I think I answered your question. But yes validation is part of auth19:23
samueldmqdolphm: no I don't star reviews .. but look to be a good thing19:24
*** e0ne has joined #openstack-keystone19:24
* samueldmq is sharing his thoughts, he hasn't been being a great reviewer in the last couple of weeks ...19:24
*** lhcheng is now known as lhcheng_away19:24
*** mylu has joined #openstack-keystone19:25
dolphmmorganfainberg: the major difference between v2 and v3 token validation is whether the token is included in the URL (and thus logged everywhere) or is included as a header, so the calls are inherently different before ever making the request... without versioning, would you just be proposing to introduce a second parallel API?19:26
samueldmqI wonder if gerrit allowed us to create 'packages' of reviews, i.e we approve the whole chain and they get merged together, maybe that's possible with topic + depends-on19:27
samueldmqso we don't get partial-things being merged19:27
morganfainbergThis would all be under the new /auth api (not versioned)19:27
samueldmqI heard horizon was suffering of this the last times ... cc lhcheng_away19:27
morganfainbergVs /v3/auth or /v2/token/<id>19:27
dolphmmorganfainberg: so, introduce a third API to avoid versioning?19:27
morganfainbergsince the spec says all auth would be broken out from the crud interfaces, validation is part of that19:28
dolphmmorganfainberg: wait, there's a spec written for this? /me goes to gerrit19:28
morganfainbergOn the backlog19:28
morganfainbergAt specs.openstack.org19:29
lbragstadhttps://github.com/openstack/keystone-specs/blob/master/specs/backlog/decouple-auth-from-api-version.rst19:29
lbragstaddolphm: ^19:29
morganfainberghttp://specs.openstack.org/openstack/keystone-specs/specs/backlog/decouple-auth-from-api-version.html19:29
lbragstadmorganfainberg: so, token validation would include an attribute in the post body that would specify what version the token is?19:35
lbragstadso if I have a v2.0 token, I have to tell keystone to validate it as a v2.0 token?19:35
dolphmi... don't see any benefit here. i'm also not sure how seriously to take the spec when the second sentence has a glaring mistake, and then follows by asserting that the newly introduced API is versioned in a unique manner and thus doubles the existing API complexity, in addition to adding an unversioned "default" response, making everything a surprise to the client.19:37
*** boris-42 has joined #openstack-keystone19:39
*** fifieldt_ has joined #openstack-keystone19:39
lbragstaddolphm: " This means that we use /v3/auth and /v2.0/tokens as the respective locations for authentication." ?19:39
lbragstadthat's true isn't it?19:40
*** narengan has quit IRC19:40
dolphm /v3/auth isn't a resource19:40
*** narengan has joined #openstack-keystone19:40
lbragstadoh, v3/tokens19:40
dolphmor if it is, it's not documented in the API spec19:40
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/auth/routers.py#L2519:41
dolphmright, /v3/auth/tokens is the API I assume it's intending to compare against /v2.0/tokens19:42
morganfainbergIn all honesty i wrote the spec expecting more commentary before it was approved19:42
*** fifieldt has quit IRC19:42
lbragstadi have a feeling a whole lotta "filgtm" went on there19:43
dolphmthere's not a proposed API doc impact anyway, so there's not much to comment on19:43
morganfainbergThe api doc was explicitly left off with a note since I did not want to lock in. This is a backlog spec19:43
morganfainbergMeaning, it needs to be fleshed out before work is done19:44
openstackgerritEdgar Magana proposed openstack/keystone: Fix explicit line joining with backslash  https://review.openstack.org/20976819:44
lbragstaddolphm: are you thinking we should amend the spec and implement it?19:44
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Stop using .keys() on dicts where not needed  https://review.openstack.org/19489419:44
*** iamjarvo has quit IRC19:44
morganfainbergIt is strictly an idea that can be picked up19:44
dstaneki gave that a +2 because in concept we need to do something and it seemed reasonable enough to backlog19:44
morganfainbergBut it isn't "final". It is a concept only19:44
morganfainbergAs are all backlog specs19:44
dstanekthe bar to backlog is much lower than if it was proposed against a release19:45
lbragstaddstanek: ++19:45
dolphmmorganfainberg: so what's the difference between backlog/ and WIP?19:45
morganfainbergBacklog isn't in gerrit waiting for someone to approve.  It is something the core team likes the idea of19:45
morganfainbergSo a contributor knows it is worth time spending on.19:45
morganfainbergIt still needs work usually, but it is not going to end (in most cases) with "that's not even worth talking about"19:46
morganfainbergThen again, I greatly dislike the whole spec process in OpenStack at this point personally and would kill it in keystone for everything tracked in bugs if we had a single extra "approved" status in LP19:47
dstanekif we were doing kanban putting something in backlog is like putting a card on the wall - a wip is like asking if it's good enough to get on the wall19:47
morganfainbergdstanek: ++19:47
dolphmmorganfainberg: how did storyboard die?19:47
morganfainbergNo contributors among other things19:48
morganfainbergBut the simple lack of people working on it mostly did it in.19:48
dolphmmorganfainberg: well that's a simple enough problem19:49
*** ayoung has joined #openstack-keystone19:49
*** ChanServ sets mode: +v ayoung19:49
dolphmmorganfainberg: what were the other things, if you're aware of them?19:49
morganfainbergI know there were other things. But that is the one I heard the most about19:50
morganfainbergIt was 2-3 people from19:50
morganfainbergHp working on it. Then 1 person. Then none19:50
*** topol has quit IRC19:50
*** ankita_wagh has quit IRC19:51
morganfainbergThe other bit is there are a lot of bug trackers out there.19:51
morganfainbergWhy reinvent the wheel19:51
dolphmbecause we're dependent on a broken, dying, unsupported bug tracker today19:52
*** urulama has quit IRC19:52
morganfainbergSo pick one that is supported. Implement it19:53
*** urulama has joined #openstack-keystone19:53
morganfainbergVs try to build one from scratch19:53
morganfainbergI wasn't saying we should stick with LP.19:53
dolphmi think we did option 1 and there were no alternatives19:53
morganfainbergThere were no "perfect" alternatives19:53
dolphmnothing integrates the way we want it to or has the feature set we need19:54
morganfainbergThey (infra/tc) I think are reevaluating now19:54
morganfainbergThe problem with volunteer work is things like storyboard sometimes don't get the volunteers19:54
dstanekis there a lost of integrations that are needed? maybe hacking on something like roundup is good enough19:54
morganfainbergAnd open source is volunteer work19:54
morganfainbergEven if OpenStack is not normal open source19:55
dolphmdstanek: what's roundup?19:55
morganfainbergdstanek: I think that is the kind of idea19:55
morganfainbergdolphm: a weed killer by Monsanto?19:55
morganfainberg:P19:56
dolphmhttp://roundup.sourceforge.net/19:56
morganfainbergdstanek: I don't know where the evaluation is at now. But iirc something like that is being looked at last I heard.19:57
dstanekroundup is what Python uses - http://bugs.python.org/19:57
*** ankita_wagh has joined #openstack-keystone19:58
*** TheIntern has quit IRC20:00
bknudsonI've heard talk of phabricator20:00
dolphmdstanek: ah, i hate that UI ;)20:05
dolphmdstanek: definitely UI-by-programmer20:06
dstanekyeah, but that's easier to fix than writing a bug tracker20:06
bknudsonhttp://phabricator.org/20:07
dolphmis the bug tracking portion of github open source?20:08
dolphmconsidering that's the only bug tracker i've ever seen where people are obsessively passionate about it, i'd start there20:08
*** _hrou_ has joined #openstack-keystone20:09
rodrigodsbknudson, gstreamer is migrating to phabricator20:09
dstaneki doubt it - that's a part of their enterprise offering; gitlab is opensource20:09
bknudsongitlab has issue tracking20:10
* lbragstad just deployed a gitlab server20:10
*** daemontool_ has joined #openstack-keystone20:10
bknudsonlbragstad: why didn't you use phabricator?20:11
*** raildo has quit IRC20:11
*** raildo has joined #openstack-keystone20:11
lbragstadbknudson: I didn't know about it20:11
*** hrou has quit IRC20:12
*** marzif has quit IRC20:12
*** piyanai has quit IRC20:13
*** spandhe has quit IRC20:14
*** mylu has quit IRC20:15
*** iamjarvo has joined #openstack-keystone20:16
lbragstaddolphm: any idea what you want to do about the versionless auth spec?20:16
lbragstaddolphm: or were you thinking about using that as a way to fix some of the fernet/token bugs in general?20:17
*** marzif has joined #openstack-keystone20:17
*** mylu has joined #openstack-keystone20:23
*** dguerri` is now known as dguerri20:23
*** dims_ has joined #openstack-keystone20:23
*** dims_ has quit IRC20:24
*** btully has joined #openstack-keystone20:24
*** e0ne has quit IRC20:24
*** dims_ has joined #openstack-keystone20:25
*** dims has quit IRC20:26
*** piyanai has joined #openstack-keystone20:26
*** mylu has quit IRC20:27
dolphmlbragstad: wasn't looking at it as a solution, but was hoping to solve a related problem soon20:28
*** maanak has joined #openstack-keystone20:28
*** btully has quit IRC20:28
*** rm_work|away is now known as rm_work20:28
dolphmroxanaghe: o/20:30
dolphmroxanaghe: just replied to you on LP https://bugs.launchpad.net/keystone/+bug/1459790/comments/1320:31
openstackLaunchpad bug 1459790 in Keystone "With fernet tokens, validate token loses the ms on 'expires' value " [Low,In progress] - Assigned to Dolph Mathews (dolph)20:31
*** maanak has quit IRC20:32
*** piyanai has quit IRC20:32
roxanaghedolphm, hi, thanks :) I am investigating the failures now20:33
dolphmroxanaghe: lbragstad replied in your review as well20:33
roxanaghecan I just remove the @wip directives for the Fernet tests in my patch?20:33
*** jecarey has quit IRC20:34
dolphmroxanaghe: on the tests that are overridden by the child class?20:34
roxanaghe@dolphm, yes, I saw that - I think we have another problem with issued_at microseconds20:34
dolphmroxanaghe: you can just delete them, actually. they're only overridden to be marked as WIP20:34
roxanaghedolphm, yes20:34
roxanagheoh I see, so they will be run with the Fernet setup as well if we remove them. got it20:35
dolphmroxanaghe: the only gotcha is that you might need to include my change from L265, which looks like a bad test to me https://review.openstack.org/#/c/210049/1/keystone/tests/unit/test_v3_auth.py,unified20:35
dolphmroxanaghe: correct20:35
*** maanakgupta has joined #openstack-keystone20:36
roxanaghe@dolphm, right let me try including that20:37
*** maanakgupta has quit IRC20:38
lbragstadroxanaghe: I'm working on a patch now that might help you with a couple of the failing assertions20:42
*** piyanai has joined #openstack-keystone20:43
*** mylu has joined #openstack-keystone20:44
*** atiwari has joined #openstack-keystone20:46
*** narengan has quit IRC20:47
dolphmlbragstad: the last patch you uploaded didn't pass py27 ;)20:47
*** narengan has joined #openstack-keystone20:48
dolphmlbragstad: be thorough before you upload new patchsets for other authors!20:48
*** bapalm has quit IRC20:50
openstackgerritLance Bragstad proposed openstack/keystone: Use token creation ts from Fernet  https://review.openstack.org/21006820:50
*** spandhe has joined #openstack-keystone20:50
roxanaghelbragstad: so if you put Depends-On tag it runs the tests on top of my patch?20:50
*** dguerri is now known as dguerri`20:51
*** narengan has quit IRC20:52
lbragstadroxanaghe: I'm not exactly sure how the depends-on tag works, but if I propose a patch set that is dependent on yours, the tests will run with your changes as well as mine.20:52
roxanaghelbragstad: uh, cool20:53
dolphmroxanaghe: Depends-On is primarily designed to test patches together *across projects*20:55
dolphmroxanaghe: so a change to a client could Depend-On a corresponding new API patch in the service20:56
dolphmlbragstad: roxanaghe: within a single project, you only need to rebase one patch onto another20:56
dolphm(to have the second tested with the first)20:57
*** raildo has quit IRC20:57
roxanaghedolphm, understood, thanks20:59
*** generic has joined #openstack-keystone21:00
*** generic is now known as opiotte21:00
openstackgerritLance Bragstad proposed openstack/keystone: Use token creation ts from Fernet  https://review.openstack.org/21006821:01
*** ankita_w_ has joined #openstack-keystone21:01
opiottequestion about Federation21:01
lbragstaddolphm: that failed on the issued_at assertion, which should be fixed in the latest patch that I just pushed, I can run all the test_v3_auth.py and fernet unit tests locally without them failing21:01
opiottei'm trying to map multiple groups to different domains21:01
opiottebasically, the IdP would return a list of groups on different domains21:02
opiotteis that possible?21:02
lbragstaddolphm: your failures here look to be ts related -- https://review.openstack.org/#/c/210049/21:03
*** ankita_wagh has quit IRC21:04
*** mylu has quit IRC21:06
*** lhcheng_away has quit IRC21:06
*** spandhe has quit IRC21:06
*** petertr7 is now known as petertr7_away21:06
dolphmlbragstad: as in, my tests are bad?21:07
*** rm_work is now known as rm_work|away21:07
*** e0ne has joined #openstack-keystone21:09
lbragstaddolphm: I don't think so, I think it's just because of the issued_at assertions21:11
*** ayoung has quit IRC21:11
lbragstadand the subsecond precision21:11
lbragstaddolphm: you only removed the wip decorators in your patch and the overridden tests. so, worst case, it's just showing that patches prior to your patch don't quite address everything21:12
lbragstadfrom a test coverage perspective21:12
dolphmlbragstad: i only saw one failure when i ran those tests against roxanaghe's patch... now there's several failures21:13
lbragstaddolphm: you ran locally, right?21:14
lbragstadlooks like Jenkins failed on about 14 of them21:14
lbragstaddolphm: did you run the keystone/tests/unit/token/test_fernet_provider.py unit tests?21:15
lbragstadbecause I think you're missing this: https://review.openstack.org/#/c/210068/3/keystone/tests/unit/token/test_fernet_provider.py21:15
*** e0ne has quit IRC21:16
*** ankita_wagh has joined #openstack-keystone21:16
*** iamjarvo has quit IRC21:18
*** piyanai has quit IRC21:19
*** ankita_w_ has quit IRC21:20
dolphmlbragstad: yes, locally. i definitely didn't run with that patch21:20
openstackgerritMerged openstack/python-keystoneclient: Inhrerit roles project calls on keystoneclient v3  https://review.openstack.org/16761321:20
lbragstaddolphm: you did run the unit tests in keystone/tests/unit/token/test_fernet_provider.py?21:21
lbragstador just the functional tests in test_v3_auth.py?21:21
dolphmlbragstad: for your change in https://review.openstack.org/#/c/210068/3/keystone/token/providers/common.py,unified -- i think the fernet provider should override the parent class' issue_v3_token() to manipulate token_data['token']['issued_at']21:22
dolphmlbragstad: basically, the common class should be oblivious to the behaviors of the individual implementations21:22
dolphmlbragstad: and yeah, i ran test_v3_auth, actually, because that's the only place i touched tests21:22
*** markvoelker has quit IRC21:22
lbragstaddolphm: so, pull the issue_v3_token method back out21:22
dolphmlbragstad: not the whole thing, just wrap it21:22
dolphmresult = super(); result[expires] = new expires; return result21:23
lbragstadok, I can do that21:23
lbragstaddolphm: btw, I just ran tox with the latest everything (including my patch) and everything passed21:23
* lbragstad shrug21:23
roxanaghelbragstad, so I guess I need this https://review.openstack.org/#/c/210068/3/keystone/tests/unit/token/test_fernet_provider.py for my patch as well? because I think a lot of the failures for my patch are exactly about that?21:23
lbragstadroxanaghe: yep, I think so21:24
dolphmroxanaghe: i think so21:24
dolphmlbragstad: roxanaghe: despite proposing subsequent commits to share code, i'd like to see roxanaghe's patch have the complete solution & test cases21:24
roxanaghelbragstad, dolphm: so what's the process? I am confused...21:25
lbragstaddolphm: I agree,21:25
dolphm(i'd rather abandon my patch)21:25
lbragstadsame here..21:25
*** btully has joined #openstack-keystone21:25
dolphmroxanaghe: i'm just sharing code using gerrit to discuss your patch - let's ensure your patch is sufficient to be marked as Closes-Bug! steal whatever you need from our commits21:26
*** dguerri` is now known as dguerri21:26
lbragstad++21:26
*** lhcheng_away has joined #openstack-keystone21:27
roxanaghedolphm, ok let me steal some code then :)21:27
*** lhcheng_away has quit IRC21:27
*** lhcheng_away has joined #openstack-keystone21:27
*** lhcheng_away is now known as lhcheng21:28
*** ChanServ sets mode: +v lhcheng21:28
*** dguerri is now known as dguerri`21:28
roxanaghelbragstad: hm, I will need the issued_at fix as well, do you want me to mark that wip and let your patch fix it?21:28
*** ankita_wagh has quit IRC21:28
*** ankita_w_ has joined #openstack-keystone21:28
dolphmroxanaghe: what timezone are you in, btw?21:29
dolphmroxanaghe: this bit? https://review.openstack.org/#/c/210068/3/keystone/token/providers/fernet/core.py21:29
*** btully has quit IRC21:29
roxanaghedolphm, Pacific TZ21:30
roxanaghelbragstad, yes.21:31
roxanaghedolphm, actually ^^ yes, that bit21:32
*** ankita_w_ has quit IRC21:32
*** ankita_wagh has joined #openstack-keystone21:32
dolphmroxanaghe: that solves it for v2, but you also need the v3 fix here https://review.openstack.org/#/c/210068/3/keystone/token/providers/common.py ... and i think the v3 fix needs to be moved into the fernet provider, rather than being an edge case in the common module21:34
*** phalmos has quit IRC21:34
*** harlowja has joined #openstack-keystone21:34
dolphmroxanaghe: so, if you scroll back 10 minutes ago or so, that was my suggestion to wrap issue_v3_token() in the fernet provider with something like "result = super(); result[expires] = new expires; return result"21:35
*** belmoreira has joined #openstack-keystone21:35
roxanaghedolphm, ok - I agree21:39
*** harlowja has quit IRC21:39
*** harlowja has joined #openstack-keystone21:39
*** mylu has joined #openstack-keystone21:40
lbragstadworking on that now21:41
*** opiotte has quit IRC21:41
dolphmlbragstad: work with roxanaghe :)21:43
lbragstadroxanaghe: here is a diff of what I've done if you'd like it: http://cdn.pasteraw.com/ju8q7jrx4ufvbmg1nnj8e3m8j1vm8ri21:44
openstackgerritLance Bragstad proposed openstack/keystone: Use token creation ts from Fernet  https://review.openstack.org/21006821:47
*** jecarey has joined #openstack-keystone21:48
*** mylu has quit IRC21:49
*** mylu has joined #openstack-keystone21:49
*** mylu has quit IRC21:49
dolphmlbragstad: the "If..." comment is no longer conditional lol https://review.openstack.org/#/c/210068/4/keystone/token/providers/fernet/core.py,unified21:50
openstackgerritJoshua Harlow proposed openstack/oslo.policy: Have the enforcer have its own file cache  https://review.openstack.org/20965621:50
roxanaghelbragstad, thanks! looking at it :)21:54
*** piyanai has joined #openstack-keystone21:56
*** piyanai has quit IRC21:57
*** piyanai has joined #openstack-keystone21:58
dstanekdo we have a way to add optional features to ksc? i don't believe the lib has its own config or anything like that22:02
*** marzif has quit IRC22:07
*** gordc has quit IRC22:08
bknudsondstanek: monkey-patch it22:09
dstanekbknudson: i added the feature, but i was trying to find a pattern in there for turning things on and off22:11
*** ankita_wagh has quit IRC22:11
dstaneki don't see anything relevant22:11
*** ankita_wagh has joined #openstack-keystone22:11
*** henrynash has quit IRC22:15
*** edmondsw has quit IRC22:20
jamielennoxbknudson: have you seen today's ML thread about middleware?22:23
*** bknudson has quit IRC22:23
dolphmdstanek: besides auth plugins? what's the integration point you're looking for22:24
*** jecarey has quit IRC22:25
dolphmjamielennox: sdague, annegentle and i were also discussing your nova->cinder and nova->neutron work in #openstack-dev an hour or two ago.22:25
dstanekdolphm: yeah, i've made some changes to enable http caching22:25
dolphmdstanek: why would that be optional?22:25
dolphmdstanek: cache all the things in all the places plzkthx22:25
dstanekdolphm: i would consider it experimental and some things should probably be configurable22:25
dstanekbig one being the file system directory22:26
jamielennoxdolphm: looking but anything in particular?22:26
dolphmdstanek: ~/.cache/keystoneclient/ or something?22:26
jamielennoxdolphm: i haven't looked at those for a while as i was stuck on a glance_store issue for v322:26
dolphmdstanek: or /tmp ?22:26
dolphmjamielennox: specifically discussing "volumev2" -> "volume", a path towards dropping versioned endpoints in keystone's catalog, and a path towards dropping endpoint_template overrides in nova.conf for cinder, neutron and glance in favor of something centralized into keystone's catalog in the short term22:27
jamielennoxdolphm: so lots of things22:28
dolphmjamielennox: do you have a patch you can put up as WIP for glance?22:28
jamielennox:)22:28
dolphmjamielennox: for nova->glance*22:28
openstackgerritMerged openstack/python-keystoneclient: Remove confusing deprecation comment from token_to_cms  https://review.openstack.org/19151022:28
jamielennoxdolphm: i had one WIP for nova->glance but i think that's where the glance_store patch was required22:28
jamielennoxi can't remember if i posted it or was just testing it22:29
dolphmjamielennox: if it's something you need, send me a link22:29
dolphmjamielennox: ** if it's in gerrit22:29
jamielennoxdolphm: it appears not, i'll see if i still have the VM around - but it wasn't a difficult patch22:29
jamielennoxdolphm: oh - that's right, it requires session in glanceclient which has merged now but has not been released22:31
dolphmjamielennox: when was the last glanceclient release?22:31
jamielennox2015-07-1622:32
dolphmjamielennox: link to your patch?22:32
jamielennoxdolphm: yea, it's not up22:32
dolphmjamielennox: i mean the patch that merged to glanceclient22:32
jamielennoxoh22:32
jamielennoxdolphm: https://review.openstack.org/#/c/141994/22:32
jamielennoxjun 1222:33
dstanekdolphm: i could just pick one, but i thought making it configurable would be nice22:33
jamielennox... maybe it is out22:33
*** stevemar has quit IRC22:33
dolphmjamielennox: wait, but that wasn't included in the 7/16 release?22:33
dolphmjamielennox: oh, okay22:33
openstackgerritRoxana Gherle proposed openstack/keystone: Fernet 'expires' value loses 'ms' after validation  https://review.openstack.org/21003722:35
dolphmlbragstad: ^22:35
jamielennoxpip install glanceclient tells me it downloaded 0.19, but session is not there22:36
roxanaghedolphm, lbragstad : all changes together ^^22:36
*** HT_sergio has quit IRC22:37
jamielennoxdolphm: ok, i don't know what happened but even though the session would have merged prior to release the tagged 0.19 doesn't contain the session patches22:37
jamielennoxhttps://github.com/openstack/python-glanceclient/tree/0.19.0/glanceclient22:37
jamielennoxpip says the latest version is 0.17.222:38
jamielennoxsomeone made a mess22:38
dolphmjamielennox: 0.19.0 was made on june 10, actually22:39
jamielennoxdolphm: yea, i pinched that from https://pypi.python.org/pypi/python-glanceclient22:40
dolphmjamielennox: so i'm really confused22:40
jamielennoxwhich doesn't show 0.19 at all22:40
*** _hrou_ has quit IRC22:41
jamielennoxthey must have backported to 0.17 on 16/722:41
jamielennoxdolphm: either way we need a release, which works out well because i'm currently pressuring flavio to release glance_store for me22:41
dstanek0.19 is still listed in PyPI22:42
*** marzif has joined #openstack-keystone22:42
dolphmsigmavirus24: o/22:42
dstanekhttps://pypi.python.org/simple/python-glanceclient/22:42
sigmavirus24hello22:42
sigmavirus24what's up?22:43
jamielennoxdstanek: why doesn't that show as the newest version on https://pypi.python.org/pypi/python-glanceclient22:43
dolphmsigmavirus24: any idea why pypi/python-glanceclient would show that 0.17.2 was released on july 16, when git shows that 0.19.0 was tagged on june 10?22:43
jamielennoxdstanek: or because 0.17.2 was released after 0.19 pypi decides that 0.17.2 is more important22:43
dstanekjamielennox: not sure. maybe they tried to delete it22:43
dolphmdstanek: 0.19 is in pypi?22:43
dstanekjamielennox: that could be22:43
dstanekdobson: yeah, see my link above22:44
dstanekerrr....not dobson i meant dolphm22:44
dolphmdstanek: i'm over here22:44
dstaneki no good at typey typey22:44
dolphmsigmavirus24: is pypi showing 0.17.2 as the latest by date, rather than by semver?22:45
*** ankita_wagh has quit IRC22:46
*** stevemar has joined #openstack-keystone22:47
*** ChanServ sets mode: +v stevemar22:47
lhchengsamueldmq: horizon uses ksc under the hood for authentication, if keystone move to version-less auth and keystoneauth exposes that, should be an easy transition for horizon.22:47
jamielennoxdolphm: anyway i'll find that patch or write it again, but we need the glanceclient release22:48
sigmavirus24dolphm: that's plausible22:48
jamielennoxi found yesterday that Depends-On doesn't work for clients22:48
dolphmjamielennox: wtf22:48
*** iamjarvo has joined #openstack-keystone22:48
lhchengsamueldmq: or were you asking about patch dependency? ping me again when you're back :)22:49
jamielennoxsomething, something dependencies etc22:49
dolphmjamielennox: you can't depend on a patch to a service?22:49
dolphmjamielennox: it should work across any two projects22:49
jamielennoxdolphm: i can depend on a patch to a service, there's no way i can gate a patch on a client library that isn't on pypi22:49
samueldmqlhcheng: hey I was talking about patch dependency22:49
samueldmqlhcheng: :)22:50
*** dims_ has quit IRC22:50
*** markvoelker has joined #openstack-keystone22:50
lhchengsamueldmq: ah okay, I'm not sure if there is really an issue for horizon. everyone has to go through rebase if they have patch dependency.  just people complaining more rather than following the process :)22:53
dolphmroxanaghe: LGTM!22:54
samueldmqlhcheng: yeah, but I think one guy from my team (pauloewerton) had mentioned that people there were complaining about partial-features being merged22:56
samueldmqlhcheng: when the rest would take long to merge22:56
samueldmqlhcheng: maybe I misunderstood :-)22:56
*** Ephur has quit IRC22:57
lhchengsamueldmq: yeah, something like that :-)22:58
roxanaghedolphm, thanks. agreed for the comment :D I'll upload a new patch22:59
dolphmroxanaghe: i'll keep an eye out!23:00
*** marzif has quit IRC23:01
*** dims_ has joined #openstack-keystone23:10
*** topol has joined #openstack-keystone23:12
*** ChanServ sets mode: +v topol23:12
*** btully has joined #openstack-keystone23:13
*** ankita_wagh has joined #openstack-keystone23:14
*** vmbrasseur has joined #openstack-keystone23:16
*** r-daneel has quit IRC23:17
*** topol has quit IRC23:17
*** btully has quit IRC23:17
lbragstadroxanaghe: great work combining the patches23:23
roxanaghedolphm, lbragstad: so with this new patch we will have the issued_at value missing microseconds for both creation and validation23:23
*** drjones has joined #openstack-keystone23:24
lbragstadroxanaghe: I think the microseconds will be there, but they will be .000000Z (give or take a 0)23:24
*** stevemar has quit IRC23:25
roxanagheso are we ok with that? it will be something like: 2015-08-07T00:16:38.000000Z23:25
*** Daviey has quit IRC23:25
*** _cjones_ has quit IRC23:25
roxanaghelbragstad, should we include microseconds at all then?23:25
roxanaghesince they will be always empty23:26
*** Daviey has joined #openstack-keystone23:26
lbragstadroxanaghe: I'd probably defer that to dolphm23:26
lbragstadroxanaghe: I think there are some requirements in defcore that *require* microseconds in the timestamp23:26
lbragstadif so, then we'll have to keep it23:27
lbragstadI know dolphm is more familiar with that than I am though, (cc: morganfainberg is, too!)23:27
roxanagheok, I see and so there is no way to get them from the Fernet token format? should I play with that more?23:28
lbragstadroxanaghe: unfortunately, not at the moment. here is the cryptography code23:28
* lbragstad digs23:28
*** drjones has quit IRC23:28
dolphmroxanaghe: to make it easier for clients to consistently have a single format to decipher: yes23:28
*** samleon has quit IRC23:28
dolphmroxanaghe: as soon as the format changes, i consider that an API change (hence tempest is failing against Fernet, because the kilo+fernet is an API change vs juno+uuid)23:29
dolphmlbragstad: morganfainberg is on a flight home, i believe23:29
lbragstaddolphm: i figured, i know he was doing some traveling23:30
dolphmroxanaghe: fernet only includes second-level precision, not microsecond-level23:30
morganfainbergSoon23:30
dolphmroxanaghe: for creation timestamps23:30
lbragstadroxanaghe: here is where we call into the cryptography package -- https://github.com/openstack/keystone/blob/74575a66f1113ac0452da9982b345dec18ec0f32/keystone/token/providers/fernet/token_formatters.py#L7023:30
dolphmmorganfainberg: shh, i'm trying to cover for you23:30
lbragstaddolphm: busted!23:31
lbragstadroxanaghe: here are the bits in cryptography that generated the timestamp - https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L4923:31
* morganfainberg isnt really here. Just a robot.23:31
*** morganfainberg is now known as morgan_50323:31
lbragstadroxanaghe: there doesn't seem to be a way to pass in a creation time to that methods.23:32
lbragstads/methods/method/23:32
dolphmlbragstad: but this is how we get the creation timestamp out of a fernet token (not the payload) https://github.com/openstack/keystone/blob/74575a66f1113ac0452da9982b345dec18ec0f32/keystone/token/providers/fernet/token_formatters.py#L82-L10523:32
dolphmroxanaghe: ^23:32
lbragstadoh...23:32
lbragstadsure23:32
dolphmlbragstad: oh, right. you can't pass it in. even the ttl is passed in on validation23:32
dolphmmorgan_503: ++23:32
lbragstaddolphm: hm, we could do surgery on the token after it's created23:33
lbragstadbut we would still hit this - https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L7723:33
lbragstadwhere the cryptography package puts it back into an int on decrypt23:33
dolphmlbragstad: please no :(23:33
roxanaghehttps://github.com/openstack/keystone/blob/74575a66f1113ac0452da9982b345dec18ec0f32/keystone/token/providers/fernet/token_formatters.py#L100  if we can get here the microseconds as well it would be cool23:34
lbragstadif we really want to have the subsecond accuracy, our best bet would be to put it in the payload23:34
dolphmroxanaghe: but we don't control the datasource there23:34
dolphmroxanaghe: the structure we're unpacking is owned by pypi/cryptography and/or github.com/fernet23:35
*** bknudson has joined #openstack-keystone23:35
*** ChanServ sets mode: +v bknudson23:35
roxanaghedolphm, ok, so it's just not stored in the Fernet format including microseconds? I just want to make sure that it's not when we read the data that we are converting it into int23:36
dolphmroxanaghe: correct. the creation timestamp is stored by fernet in fernet as an integer23:36
lbragstadroxanaghe: it looks like the creation time is converted to an int in cryptography23:36
roxanagheoh yes: current_time = int(time.time()) damn23:37
dolphmroxanaghe: conversely, we store the expiration timestamp in the payload (and i think you said that was a float, not an integer as i remembered)23:37
lbragstadroxanaghe: yep, ++23:37
lbragstadso, we can have microsecond precision in both the issued at and expires at times, but only the issued at will always be 000000Z (or something)23:38
roxanaghedolphm, yes that's correct: expiration is a float23:38
dolphmlbragstad: ++23:39
* dolphm heads to food23:39
*** btully has joined #openstack-keystone23:41
lbragstaddolphm: o/23:42
lbragstadroxanaghe: i'll keep an eye out for another revision, until then +2 on the one you have23:45
roxanaghelbragstad, dolphm - cool thanks for your help on this23:47
*** iamjarvo has quit IRC23:47
lbragstadroxanaghe: thanks for putting everything together!23:47
lbragstadroxanaghe: thanks for the tip on microseconds with floats, too.. i wasn't aware of that23:48
roxanaghelbragstad - sure, my pleasure: sometimes it's an advantage to not know the code cause then you test every possibility :)23:49
lbragstadroxanaghe: ++23:49
*** HT_sergio has joined #openstack-keystone23:52
jamielennoxthe federated login ML has completely broken zimbra's threading view, i've no idea what's happening any more or who said what23:58
*** jasonsb has quit IRC23:58
