Wednesday, 2015-08-12

*** jasonsb has quit IRC		00:00
*** ankita_w_ has joined #openstack-keystone		00:02
*** david-lyle has quit IRC		00:03
*** ankita___ has joined #openstack-keystone		00:03
*** ankita_wagh has quit IRC		00:05
-openstackstatus- NOTICE: Zuul was restarted due to an error; events (such as approvals or new patchsets) since 23:01 UTC have been lost and affected changes will need to be rechecked		00:05
*** roxanaghe has quit IRC		00:06
*** ankita_w_ has quit IRC		00:06
jamielennox	dstanek: lhcheng: do you mind a review of https://review.openstack.org/#/c/188329/	00:08
jamielennox	the reliant patch has 2 +2s and i need to do some work with it	00:08
dstanek	sure	00:08
lhcheng	jamielennox: sure	00:10
*** ankita_wagh has joined #openstack-keystone		00:11
jamielennox	thanks both, it's kerberos related but really it's just refactoring the tests so we can remove the optional flag. The optional flag is only used in error reporting but it made certain tests easier to mock	00:11
jamielennox	damn, zuul restart, i was waiting on a few things	00:12
dstanek	jamielennox: that's a little strange in that it seems to have moved a test into a fixture. is the fixture reusable?	00:14
*** ankita___ has quit IRC		00:14
jamielennox	dstanek: yep, the point is to make the mocking a fixture so that it can be reused in the follow up patch	00:15
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
*** piyanai has quit IRC		00:24
*** stevemar has joined #openstack-keystone		00:31
*** ChanServ sets mode: +v stevemar		00:31
*** stevemar has quit IRC		00:34
*** claudiub has quit IRC		00:34
*** stevemar has joined #openstack-keystone		00:40
*** ChanServ sets mode: +v stevemar		00:40
*** stevemar has quit IRC		00:41
*** browne1 has quit IRC		00:45
*** woodster_ has quit IRC		00:50
*** vivekd has joined #openstack-keystone		00:52
*** samueldmq has joined #openstack-keystone		00:52
*** david-lyle has joined #openstack-keystone		00:54
samueldmq	while True:	00:55
samueldmq	try:	00:55
samueldmq	ping morgan_404	00:55
samueldmq	except 404:	00:55
samueldmq	pass	00:55
samueldmq	good evening :)	00:56
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Disable optional authentication for plugin https://review.openstack.org/188329	00:59
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Federated Kerberos plugin https://review.openstack.org/173558	00:59
*** _cjones_ has quit IRC		01:00
samueldmq	ayoung, pm'd you	01:04
*** ankita_wagh has quit IRC		01:11
*** tqtran_ has quit IRC		01:24
*** davechen has joined #openstack-keystone		01:25
*** jasonsb has joined #openstack-keystone		01:34
*** ankita_wagh has joined #openstack-keystone		01:37
*** davechen1 has joined #openstack-keystone		01:38
*** tobe_ has joined #openstack-keystone		01:39
*** davechen has quit IRC		01:40
*** vivekd has quit IRC		01:45
*** davechen has joined #openstack-keystone		01:48
*** davechen1 has quit IRC		01:50
*** bknudson has quit IRC		01:51
*** piyanai has joined #openstack-keystone		01:51
*** alejandrito has quit IRC		01:55
*** marzif has quit IRC		02:06
*** stevemar has joined #openstack-keystone		02:09
*** ChanServ sets mode: +v stevemar		02:09
*** samueldmq has quit IRC		02:15
*** arif-ali has quit IRC		02:21
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	02:25
*** arif-ali has joined #openstack-keystone		02:26
*** gyee has quit IRC		02:27
*** mylu has joined #openstack-keystone		02:27
*** david-lyle has quit IRC		02:33
*** mylu has quit IRC		02:34
*** browne has joined #openstack-keystone		02:39
*** richm has quit IRC		02:43
*** jdandrea has quit IRC		02:43
openstackgerrit	Merged openstack/keystoneauth: Split plugin loading https://review.openstack.org/190594	02:43
openstackgerrit	Merged openstack/keystoneauth: Remove oslo_config from auth plugin loading https://review.openstack.org/209348	02:44
*** lhcheng has quit IRC		02:49
*** hakimo has joined #openstack-keystone		02:52
*** hakimo_ has quit IRC		02:54
*** ankita_wagh has quit IRC		02:56
*** mylu has joined #openstack-keystone		03:07
*** rm_work\|away is now known as rm_work		03:10
*** tobe_ has quit IRC		03:15
*** tobe_ has joined #openstack-keystone		03:16
*** mylu has quit IRC		03:20
*** mylu has joined #openstack-keystone		03:20
*** uvirtbot has quit IRC		03:25
*** dan has quit IRC		03:26
*** dan has joined #openstack-keystone		03:26
*** david-lyle has joined #openstack-keystone		03:30
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	03:33
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600	03:33
*** htruta has quit IRC		03:36
*** dikonoor has joined #openstack-keystone		03:36
*** htruta has joined #openstack-keystone		03:38
*** htruta has quit IRC		03:40
*** htruta has joined #openstack-keystone		03:40
*** lhcheng has joined #openstack-keystone		03:42
*** ChanServ sets mode: +v lhcheng		03:42
*** mylu has quit IRC		03:43
*** piyanai has quit IRC		03:44
*** stevemar has quit IRC		03:44
*** uvirtbot has joined #openstack-keystone		03:47
*** lhcheng has quit IRC		03:48
*** lhcheng has joined #openstack-keystone		03:55
*** ChanServ sets mode: +v lhcheng		03:55
*** lhcheng_ has joined #openstack-keystone		03:56
*** lhcheng has quit IRC		03:59
*** stevemar has joined #openstack-keystone		04:00
*** ChanServ sets mode: +v stevemar		04:00
openstackgerrit	Henrique Truta proposed openstack/keystone: Limit subtree and parents queries https://review.openstack.org/209132	04:02
openstackgerrit	Henrique Truta proposed openstack/keystone: Replicate domain info in projects table https://review.openstack.org/211170	04:05
openstackgerrit	Henrique Truta proposed openstack/keystone: Creating tests for projects acting as domains https://review.openstack.org/211219	04:05
*** vivekd has joined #openstack-keystone		04:11
*** rajesht has joined #openstack-keystone		04:12
*** hrou has joined #openstack-keystone		04:17
*** morgan_404 is now known as morgan_410		04:26
*** morgan_410 is now known as morgan_404		04:26
*** ankita_wagh has joined #openstack-keystone		04:36
*** ankita_wagh has quit IRC		04:36
*** ankita_wagh has joined #openstack-keystone		04:37
*** vivekd_ has joined #openstack-keystone		04:38
*** vivekd has quit IRC		04:40
*** vivekd_ is now known as vivekd		04:40
stevemar	dstanek: burning the midnight oil too?	04:40
dstanek	stevemar: nothing else to do after midnight	04:41
*** links has joined #openstack-keystone		04:42
htruta	stevemar, dstanek, guess that makes three of us	04:44
stevemar	htruta: we shall guard the keystone fort	04:45
htruta	stevemar: lol	04:47
*** tobe_ has quit IRC		04:53
morgan_404	But... It isnt midnight yet	04:53
morgan_404	>.>	04:53
jamielennox	since everyone's around: https://review.openstack.org/#/c/180818/18 - already has a +2 from dolph	04:54
htruta	morgan_404, it is 2am :/	04:57
*** tobe_ has joined #openstack-keystone		05:04
morgan_404	is not, it's 2204 :P	05:05
morgan_404	htruta: ^ :)	05:05
morgan_404	dstanek: http://thehullabaloo.com/technology-22/lenovo-unveils-thinkpad-p50-p70-mobile-workstations-at-siggraph-815.html openstack cloud in a laptop?	05:09
*** yottatsa has joined #openstack-keystone		05:14
stevemar	jamielennox: for a "move" patch, you're introducing a lot of new code	05:29
jamielennox	stevemar: ?	05:29
jamielennox	stevemar: oh, that review?	05:30
stevemar	https://review.openstack.org/#/c/180818/18	05:30
jamielennox	yea	05:30
jamielennox	all tests	05:30
stevemar	+214, -59	05:30
stevemar	ahhh]	05:30
jamielennox	because i now need to test the behaviour of the base class i'm moving it to independantly of the original class	05:30
*** ayoung has quit IRC		05:30
morgan_404	stevemar: don't complain about tests unless the tests suck.. then complain about tests loudly	05:41
morgan_404	:P	05:41
stevemar	morgan_404: i wasn't complaining :P	05:41
morgan_404	;)	05:41
stevemar	jamielennox: +A	05:47
*** henrynash has joined #openstack-keystone		05:48
*** ChanServ sets mode: +v henrynash		05:48
*** henrynash has quit IRC		05:50
jamielennox	stevemar: \o/ - i haven't had a middleware patch from that chain go through in ages	05:54
jamielennox	it moved fairly well for a couple of weeks then just stopped	05:54
stevemar	jamielennox: my reviewing was down for the last few weeks	05:54
jamielennox	stevemar: mine too, actually it seemed like everyone slowed down for a bit there	05:54
stevemar	1 to 2? busy with internal shtufff	05:54
stevemar	yeah	05:54
stevemar	agreed	05:55
openstackgerrit	Merged openstack/keystone: Validate domain ownership for v2 tokens https://review.openstack.org/208069	05:55
jamielennox	morgan_404 and stevemar: the following patch is fairly easy to understand but a bit of a change in thinking: https://review.openstack.org/#/c/190941/	05:56
*** hrou has quit IRC		05:59
*** josecastroleon has joined #openstack-keystone		06:00
*** browne has quit IRC		06:07
*** ankita_w_ has joined #openstack-keystone		06:08
*** ankita_wagh has quit IRC		06:10
morgan_404	jamielennox: i think that it makes sense to avoid caching in the case of pki and in-memory	06:13
morgan_404	but does it make sense if they explicitly configure memcache?	06:13
jamielennox	morgan_404: well at the moement it will cache to memory righ?	06:16
morgan_404	yes	06:16
morgan_404	this is a case where I think the cache-to-memory is dumb	06:16
morgan_404	(by default)	06:16
morgan_404	I'd rather force deployers to explicitly configure cache if they want it vs. "we do something sortof weird that will produce inconsistent results"	06:17
morgan_404	so - I'd favour changing the default to "no cache explicitly configured, no caching"	06:17
morgan_404	instead of just skipping for PKI	06:17
jamielennox	right, that in-memory cache is dumb	06:17
morgan_404	let them do the in-mem thing if they really want	06:18
jamielennox	morgan_404: i'd love to know if there's a difference	06:18
jamielennox	like do the crypto vs the memcache	06:18
morgan_404	sure. but make it explicit in all cases	06:18
jamielennox	kind of just guessing but i don't think i'd take the memory hit	06:18
morgan_404	vs. "we just do this for you unless you turn it off"	06:18
morgan_404	i would turn off in-memcache	06:18
morgan_404	but thats me	06:18
jamielennox	morgan_404: so is there a compat issue with me doing a patch that disables the in-memory caching altogether	06:20
jamielennox	wait - we discussed this, i had to wait for oslo.cache or something	06:20
morgan_404	yes. we can't remove it. we should be able to default it to off	06:20
morgan_404	unless you explicitly turn it on	06:20
morgan_404	i'm ok with that release note personally	06:20
jamielennox	hmm, ok, so that kind of puts a hault on that one	06:21
morgan_404	so change the patch to default caching off	06:21
morgan_404	for tokens	06:21
morgan_404	don't just exempt PKI	06:22
morgan_404	you just can't "remove" in-memory caching	06:22
morgan_404	if someone wants to do that with PKI tokens, let them	06:22
*** e0ne has joined #openstack-keystone		06:22
morgan_404	but we can say "this is a baaaaad idea... infact the whole in-memcache is a bad idea"	06:22
morgan_404	sorry in-mem-dict-cache	06:23
*** lhcheng has joined #openstack-keystone		06:25
*** ChanServ sets mode: +v lhcheng		06:25
jamielennox	morgan_404: that's a bit more than modifying that patch	06:26
jamielennox	it's modifying the base auth_token to not use a cache if not configured then leave the PKI situation alone	06:27
jamielennox	which is fine	06:27
jamielennox	i'm not sure how it will affect the keystone side yet	06:27
*** ParsectiX has joined #openstack-keystone		06:28
*** lhcheng_ has quit IRC		06:29
*** vivekd has quit IRC		06:31
*** stevemar has quit IRC		06:36
*** stevemar has joined #openstack-keystone		06:36
*** ChanServ sets mode: +v stevemar		06:36
*** e0ne has quit IRC		06:39
*** stevemar has quit IRC		06:40
*** e0ne has joined #openstack-keystone		06:40
*** Nirupama has joined #openstack-keystone		06:44
*** e0ne has quit IRC		06:45
*** rdo has quit IRC		06:49
*** e0ne has joined #openstack-keystone		06:49
*** rdo has joined #openstack-keystone		06:51
*** e0ne has quit IRC		06:54
openstackgerrit	Merged openstack/keystonemiddleware: Move common request processing to base class https://review.openstack.org/180818	06:56
*** lhcheng has quit IRC		06:56
*** yottatsa has quit IRC		06:57
openstackgerrit	Merged openstack/keystoneauth: Remove service_type requirement from catalog searching https://review.openstack.org/210268	06:58
openstackgerrit	Dave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core https://review.openstack.org/186988	07:04
openstackgerrit	Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core https://review.openstack.org/183377	07:04
*** henrynash has joined #openstack-keystone		07:07
*** ChanServ sets mode: +v henrynash		07:07
*** ankita_w_ has quit IRC		07:11
*** ig0r_ has joined #openstack-keystone		07:15
*** henrynash has quit IRC		07:16
*** ankita_wagh has joined #openstack-keystone		07:17
openstackgerrit	Dave Chen proposed openstack/keystone: Fix the misspelling and grammar issue https://review.openstack.org/211876	07:24
openstackgerrit	Merged openstack/keystoneauth: Replace endpoint_type with interface in catalog https://review.openstack.org/210269	07:25
*** afazekas has joined #openstack-keystone		07:31
*** ankita_wagh has quit IRC		07:35
*** stevemar has joined #openstack-keystone		07:37
*** ChanServ sets mode: +v stevemar		07:37
*** rdo has quit IRC		07:38
*** ig0r__ has joined #openstack-keystone		07:38
openstackgerrit	Rajesh Tailor proposed openstack/keystone: Fix typo in doc-string https://review.openstack.org/211881	07:38
*** stevemar has quit IRC		07:40
*** ig0r_ has quit IRC		07:41
*** tsubic has joined #openstack-keystone		07:43
*** tobe_ has quit IRC		07:44
*** rdo has joined #openstack-keystone		07:45
*** boris-42 has quit IRC		07:50
*** tobe_ has joined #openstack-keystone		07:50
*** fhubik has joined #openstack-keystone		07:53
*** tobe_ has quit IRC		08:00
*** fhubik has quit IRC		08:02
*** claudiub has joined #openstack-keystone		08:03
*** tobe_ has joined #openstack-keystone		08:05
*** dguerri` is now known as dguerri		08:09
*** ig0r__ has quit IRC		08:13
*** ig0r_ has joined #openstack-keystone		08:17
*** ig0r_ has quit IRC		08:19
*** jistr has joined #openstack-keystone		08:21
*** fhubik has joined #openstack-keystone		08:33
*** shunliz_ has joined #openstack-keystone		08:34
*** hafe has joined #openstack-keystone		08:35
openstackgerrit	Dave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core https://review.openstack.org/186988	08:45
openstackgerrit	Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core https://review.openstack.org/183377	08:45
*** lhcheng has joined #openstack-keystone		08:45
*** ChanServ sets mode: +v lhcheng		08:45
*** lhcheng has quit IRC		08:50
*** katkapilatova has joined #openstack-keystone		09:14
*** stevemar has joined #openstack-keystone		09:38
*** ChanServ sets mode: +v stevemar		09:38
*** stevemar has quit IRC		09:41
*** Kennan2 is now known as Kennan		09:42
*** dikonoo has joined #openstack-keystone		09:44
*** divya__ has joined #openstack-keystone		09:44
*** dikonoo has quit IRC		09:44
*** davechen has left #openstack-keystone		09:46
*** dikonoor has quit IRC		09:48
*** claudiub has quit IRC		10:03
*** marzif has joined #openstack-keystone		10:05
*** ig0r_ has joined #openstack-keystone		10:10
*** claudiub has joined #openstack-keystone		10:19
*** samueldmq has joined #openstack-keystone		10:22
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/192319	10:35
*** eandersson has joined #openstack-keystone		10:37
*** yottatsa has joined #openstack-keystone		10:44
*** ig0r_ has quit IRC		10:46
*** fhubik is now known as fhubik_brb		10:57
*** tobe_ has quit IRC		11:03
*** tobe_ has joined #openstack-keystone		11:04
*** tobe_ has quit IRC		11:09
*** therve has joined #openstack-keystone		11:25
therve	Heya	11:25
therve	I have a question about https://github.com/openstack/keystone/commit/4d2bbe0e7c4e08c372e229f5622b9cfc2c25c3c6 if someone knows about it	11:25
therve	dolphm maybe?	11:25
therve	samleon ?	11:28
*** ramishra has joined #openstack-keystone		11:29
breton	you should just ask	11:31
breton	in the channel	11:31
breton	maybe someone knows the answer	11:31
therve	Okay	11:32
therve	It seems it broke ec2tokens usage for Heat	11:32
*** fhubik_brb is now known as fhubik		11:32
therve	Authentication is just failing	11:32
*** tobe_ has joined #openstack-keystone		11:33
breton	file a bugreport please	11:36
therve	Okay	11:38
*** stevemar has joined #openstack-keystone		11:39
*** ChanServ sets mode: +v stevemar		11:39
*** tobe_ has quit IRC		11:39
*** stevemar has quit IRC		11:42
*** gordc has joined #openstack-keystone		11:49
*** hafe has quit IRC		12:01
*** hafe has joined #openstack-keystone		12:02
*** tellesnobrega_ has joined #openstack-keystone		12:08
*** fhubik is now known as fhubik_brb		12:10
*** fhubik_brb is now known as fhubik		12:10
*** fhubik is now known as fhubik_brb		12:11
*** shunliz_ has quit IRC		12:15
*** tellesnobrega_ has quit IRC		12:16
*** yottatsa has quit IRC		12:23
*** raildo-afk is now known as raildo		12:26
*** yottatsa has joined #openstack-keystone		12:27
*** bapalm has joined #openstack-keystone		12:31
*** yottatsa has quit IRC		12:32
*** henrynash has joined #openstack-keystone		12:38
*** ChanServ sets mode: +v henrynash		12:38
*** yottatsa has joined #openstack-keystone		12:40
*** edmondsw has joined #openstack-keystone		12:41
samueldmq	henrynash, morning	12:41
*** yottatsa has quit IRC		12:42
henrynash	samueldmq: hi	12:42
*** yottatsa has joined #openstack-keystone		12:42
samueldmq	henrynash, as you and dolphm requested, I am adding unit tests for the endpoint-policy sql driver	12:43
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: WIP: Unit tests for endpoint-policy SQL driver https://review.openstack.org/212006	12:43
henrynash	samueldmq: ok…	12:43
samueldmq	henrynash, this is a WIP, and shows the general structure I will be following, I'd like just a sanity check from you	12:43
samueldmq	henrynash, ^ see the patch I just submitted above	12:43
*** yottatsa has quit IRC		12:43
henrynash	samueldmq: I’lltake a look this afternoon…	12:44
samueldmq	henrynash, basically I created a DriverBypasser, who make direct calls to the tables without using the sal driver	12:44
samueldmq	henrynash, so I can validate the changes made by the driver itself	12:44
samueldmq	henrynash, sure	12:45
samueldmq	henrynash, thanks :)	12:46
*** jsavak has joined #openstack-keystone		12:46
*** yottatsa has joined #openstack-keystone		12:48
*** ParsectiX has quit IRC		12:49
*** henrynash has quit IRC		12:51
*** tjcocozz has joined #openstack-keystone		12:51
*** ParsectiX has joined #openstack-keystone		12:52
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	12:56
*** josecastroleon has quit IRC		12:59
therve	breton, Opened https://bugs.launchpad.net/keystone/+bug/1484086 FWIW, we're skipping those tests for now	13:00
openstack	Launchpad bug 1484086 in Keystone "ec2tokens authentication is failing during Heat tests" [Undecided,New]	13:00
breton	therve: thank you. Which tests in heat fail?	13:02
breton	because of this issue	13:02
therve	breton, Integration tests, where ceilometer talks to heat	13:02
therve	It uses the CFN API, which in turns uses ec2 authentication	13:02
openstackgerrit	Claudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager https://review.openstack.org/211686	13:02
*** josecastroleon has joined #openstack-keystone		13:04
*** elmiko has joined #openstack-keystone		13:06
*** jecarey has joined #openstack-keystone		13:07
*** Nirupama has quit IRC		13:09
*** richm has joined #openstack-keystone		13:17
*** petertr7_away is now known as petertr7		13:21
*** edmondsw has quit IRC		13:24
openstackgerrit	Corey Bryant proposed openstack/python-keystoneclient: Iterate over copy of session.adapters keys in Python2/3 https://review.openstack.org/211731	13:28
*** ayoung has joined #openstack-keystone		13:36
*** ChanServ sets mode: +v ayoung		13:36
*** zzzeek has joined #openstack-keystone		13:36
*** hafe has quit IRC		13:39
*** hrou has joined #openstack-keystone		13:39
*** stevemar has joined #openstack-keystone		13:39
*** ChanServ sets mode: +v stevemar		13:39
*** tellesnobrega has quit IRC		13:41
*** tellesnobrega has joined #openstack-keystone		13:42
*** stevemar has quit IRC		13:43
*** petertr7 is now known as petertr7_away		13:45
openstackgerrit	Olivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain https://review.openstack.org/210581	13:48
*** links has quit IRC		13:51
*** annasort has quit IRC		13:51
*** annasort has joined #openstack-keystone		13:51
*** edmondsw has joined #openstack-keystone		13:52
*** fhubik_brb is now known as fhubik		13:54
*** petertr7_away is now known as petertr7		13:54
*** jistr is now known as jistr\|mtg		13:57
breton	therve: I don't quite understand who makes the request and what paramaters are passed here: https://github.com/openstack/heat/blob/master/heat/api/aws/ec2token.py#L130	13:57
breton	therve: got a hint?	13:58
*** hafe has joined #openstack-keystone		13:59
*** tjcocozz has quit IRC		14:01
*** tjcocozz has joined #openstack-keystone		14:01
therve	breton, Maybe? This is a wsgi middleware, so it's intercepting requests made the the heat-cfn service	14:02
breton	yeah, and who makes the request to heat-cfn?	14:03
therve	It depends, but in this case ceilometer, using a webhook	14:03
therve	We build the request in heat ourselves	14:03
therve	Here: https://github.com/openstack/heat/blob/master/heat/engine/resources/signal_responder.py#L78	14:04
*** annasort has quit IRC		14:04
*** ParsectiX has quit IRC		14:07
*** narengan has joined #openstack-keystone		14:08
therve	breton, It's very possible that the user is specific domain indeed	14:12
*** narengan has quit IRC		14:12
*** narengan has joined #openstack-keystone		14:13
*** sigmavirus24_awa is now known as sigmavirus24		14:13
*** narengan_ has joined #openstack-keystone		14:15
*** narengan has quit IRC		14:17
*** narengan_ has quit IRC		14:22
*** narengan has joined #openstack-keystone		14:23
samueldmq	dstanek, hi, morning	14:26
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: WIP: Unit tests for endpoint-policy SQL driver https://review.openstack.org/212006	14:26
*** narengan has quit IRC		14:27
samueldmq	dstanek, I am creating some unit tests for a SQL driver (above ^)	14:27
samueldmq	dstanek, and I'd like to check with you if what I am doing looks sane	14:28
samueldmq	dstanek, should be a quick look, there is just a bit of code in there for now (wip)	14:28
dstanek	samueldmq: what is the bypasser for?	14:30
*** stevemar has joined #openstack-keystone		14:30
*** ChanServ sets mode: +v stevemar		14:30
openstackgerrit	Olivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain https://review.openstack.org/210581	14:31
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	14:31
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Unit tests for is_domain field in project's table https://review.openstack.org/212045	14:31
rodrigods	dstanek, ^	14:32
rodrigods	put the tests first	14:32
dstanek	rodrigods: nice	14:32
openstackgerrit	Paweł Pamuła proposed openstack/keystone: IdP deletion triggers token revocation https://review.openstack.org/212047	14:34
rodrigods	dstanek, let's assume we used TDD heh	14:34
*** jistr\|mtg is now known as jistr		14:38
*** thedodd has joined #openstack-keystone		14:39
openstackgerrit	Paweł Pamuła proposed openstack/keystone: IdP deletion triggers token revocation https://review.openstack.org/210456	14:42
samueldmq	dstanek, it is a driver bypasser	14:43
breton	therve: where are users and creds are created for the test?	14:43
samueldmq	dstanek, it does CRUD against SQL, bypassing the driver	14:43
samueldmq	dstanek, if I do a create with the driver, I check it with a get using the bypasser	14:43
samueldmq	dstanek, adding some docs to that class	14:44
samueldmq	dstanek, let me know if you have a better name for it :)	14:44
*** afazekas has quit IRC		14:44
therve	breton, https://github.com/openstack/heat/blob/master/heat/engine/resources/stack_user.py#L36	14:44
dstanek	rodrigods: so is is_domain required for project operations now?	14:44
dstanek	samueldmq: why create a new fake driver?	14:44
samueldmq	dstanek, I am not creating a fake driver, I am creating a way to access the tables directly	14:45
rodrigods	dstanek, not really, we just add it so the assert() is valid later	14:45
samueldmq	dstanek, so I can check that the driver's handling on them was correct	14:45
samueldmq	dstanek, without using the driver itself	14:45
samueldmq	dstanek, if that makes sense .. so I am not using the driver's get to check if the driver's create is correct	14:46
samueldmq	dstanek, since both could be wrong and the test would think both are correct	14:47
dstanek	samueldmq: if the test is testing the driver then you can use a fake backend, but you need to test the driver. if you are testing the backends then i would probably do it through the driver so you can write to that interface and swtich backends to run the same set of tests against any number of them	14:47
dstanek	rodrigods: so why change all of the tenant fixture data?	14:48
*** doug-fish has joined #openstack-keystone		14:50
*** jsavak has quit IRC		14:51
samueldmq	dstanek, so I am testing the driver (in most of cases we have one driver for sql and another for ldap)	14:51
samueldmq	dstanek, in this case the SQL driver, which make actions on SQL tables	14:51
samueldmq	dstanek, I do calls in the driver, and check the results against the tables directly	14:51
*** jsavak has joined #openstack-keystone		14:51
dstanek	samueldmq: i don't think you should do any SQL stuff in test code. use the object you are testing to do things and check that they happened	14:53
dstanek	samueldmq: for example you could do a driver.create() and the a driver.list()	14:53
samueldmq	dstanek, and how do I know the sql driver is actually touching the tables it is supposed to ?	14:53
dstanek	samueldmq: this way you can use the tests against all backends and not have to write lots of logic for each one	14:53
*** jdandrea has joined #openstack-keystone		14:54
dstanek	samueldmq: if it's that important (which i don't think it is) you would mock sqlalchemy for a test and make sure it was called	14:55
dstanek	samueldmq: the database portion of the tests should get caught in functional or tempest tests	14:55
dstanek	in a unit test you are testing the logic and should not recreate the logic you are testing in the test itself	14:55
*** jsavak has quit IRC		14:56
samueldmq	dstanek, so I it looks like I am being too paranoid at this point, like not trusting in the tested code at all	14:56
*** jsavak has joined #openstack-keystone		14:56
dstanek	samueldmq: i think you are just testing too much. test the driver here and focus on it doing the right thing by using its interface	14:57
dstanek	in my idea world a unit test would not hit the disk, database, network, etc. ever	14:57
*** browne has joined #openstack-keystone		14:58
samueldmq	dstanek, always using mocks?	14:58
lbragstad	just having everything in memory	14:58
*** katkapilatova has left #openstack-keystone		14:58
dstanek	samueldmq: i'd rather use fakes	14:59
dstanek	lbragstad: exactly	14:59
samueldmq	dstanek, so what are fakes? as you see them	15:00
*** jdandrea has left #openstack-keystone		15:00
elmiko	hi folks, was there a change in keystone that makes `openstack endpoint list` return an empty list?	15:01
* samueldmq is pulling knowledge from dstanek and lbragstad's brains		15:01
*** piyanai has joined #openstack-keystone		15:01
dstanek	samueldmq: a mock is something you query to see if the calls were correct...mock.called or to check the call args	15:02
dstanek	samueldmq: a fake is closer is a real imple of something	15:02
dstanek	samueldmq: i'm nostly satisfied with in memory sqlite being a good enough fake	15:02
samueldmq	dstanek, if I tell the mock the return_value or side_effect, isn't it a fake ?	15:03
dstanek	samueldmq: good background reading: http://martinfowler.com/articles/mocksArentStubs.html	15:03
samueldmq	dstanek, gonna look ..	15:03
dstanek	samueldmq: not really and now your test code implements or has assumptions in it	15:03
samueldmq	dstanek, btw, in that case, what would I fake ?	15:03
dstanek	samueldmq: in your case using the in-memory sqlite fixture is enough	15:04
dstanek	samueldmq: no think of it this way	15:04
*** phalmos has joined #openstack-keystone		15:05
*** rm_work has quit IRC		15:05
*** flwang has quit IRC		15:06
*** serverascode has quit IRC		15:06
dstanek	samueldmq: when you use a mock object you are checking explicitly that the calls are being made and you have to know the implementation of the thing you are testing	15:06
*** gus has quit IRC		15:06
dstanek	samueldmq: when you use a fake you now the interface and expected behavior of the thing you are testing. makes refactoring easier.	15:06
samueldmq	dstanek, I think I got it, fakes are perfect for read/update/delete tests	15:07
samueldmq	dstanek, I know there are in the db, I just do the check	15:07
dstanek	samueldmq: on the other hand if you use fakes it may be necessary to add methods either to the object-under-test of the fake to do some state verification	15:07
samueldmq	dstanek, but how to test create ?	15:07
samueldmq	dstanek, you agree with me ?	15:07
dstanek	samueldmq: if you create and then do a get are you not testing the create?	15:08
*** gus has joined #openstack-keystone		15:08
samueldmq	dstanek, how do I know the driver didn't stored the object into a variable instead of in sql?	15:08
samueldmq	didn't store*	15:08
*** hafe has quit IRC		15:09
dstanek	samueldmq: i wouldn't worry about that for these kinds of test. that will show up late it that's indeed the case	15:09
*** rm_work has joined #openstack-keystone		15:10
*** rm_work has quit IRC		15:10
*** rm_work has joined #openstack-keystone		15:10
rodrigods	dstanek, for this reason, so in the assert() it won't fail (because the is_domain field is default to False in the backend and returned)	15:10
*** serverascode has joined #openstack-keystone		15:11
samueldmq	dstanek, k looks fair	15:12
samueldmq	dstanek, and fakes are already pre-loaded in the db when the test starts, right?	15:12
*** nkinder has joined #openstack-keystone		15:12
dstanek	samueldmq: you get a DB fake when you use the Database fixture	15:12
*** flwang has joined #openstack-keystone		15:13
samueldmq	dstanek, yeah the fake db like sqlite	15:14
samueldmq	dstanek, and is the fake data pre-loaded into the fake db?	15:14
dstanek	samueldmq: you can load the default fixture if you want	15:14
samueldmq	dstanek, like .. fake data == db fixtures?	15:14
dstanek	rodrigods: so you changed the new_project_ref to always include the is_domain. are there tests to show that it still works when not specified?	15:15
mfisch	can someone point me to where policy is checked on API calls?	15:16
*** annasort has joined #openstack-keystone		15:16
rodrigods	dstanek, yes, tehre is	15:17
rodrigods	dstanek, https://review.openstack.org/#/c/212045/1/keystone/tests/unit/test_backend.py line 2282	15:17
*** petertr7 is now known as petertr7_away		15:17
*** woodster_ has joined #openstack-keystone		15:18
*** petertr7_away is now known as petertr7		15:18
dstanek	rodrigods: awesome, thx	15:20
*** dguerri is now known as dguerri`		15:23
stevemar	elmiko: can you paste the output of `openstack endpoint list --debug` ?	15:28
elmiko	stevemar, sure thing, 1 sec	15:28
elmiko	stevemar, http://paste.openstack.org/show/412719/	15:30
*** HT_sergio has joined #openstack-keystone		15:31
samueldmq	dstanek, reading that article (still reading), but I think I am getting the point you were telling me about	15:33
*** narengan has joined #openstack-keystone		15:34
samueldmq	dstanek, when testing the driver, I am not testing the db was touched or whatever, I am testing that it really does the operations it should do (ex CRUD user)	15:34
samueldmq	dstanek, i.e, the user I created can be retrieved and so on	15:34
dstanek	samueldmq: exactly	15:35
samueldmq	dstanek, I just need to care about its behavior, how it implements the behavior (db, ldap, whatelse) does not matter at all	15:35
samueldmq	dstanek, I just want it to do the right tasks	15:35
samueldmq	dstanek, and that's why you told me to write in a generic way, so I can switch the backends, and re-use the tests	15:35
*** tqtran has joined #openstack-keystone		15:37
dstanek	samueldmq: yes, that's already a sorta pattern we use in our tests	15:37
openstackgerrit	Claudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager https://review.openstack.org/211686	15:38
samueldmq	dstanek, if I want to assert what is called in the underlying layer, I can then use mocks, in that case mocking sqlalchemy	15:38
dstanek	samueldmq: yep, but most likely you don't want to do tht	15:38
samueldmq	yeah I saw, we have test_backend and test_backend_sql, for example	15:38
samueldmq	dstanek, yes, looks like so paranoid	15:38
mfisch	lbragstad: you around?	15:39
*** petertr7 is now known as petertr7_away		15:39
samueldmq	dstanek, thanks	15:39
lbragstad	mfisch: yep	15:39
mfisch	lbragstad: looking back at this thread: http://lists.openstack.org/pipermail/openstack-operators/2015-January/006057.html	15:40
mfisch	lbragstad: is it correct that policy.json can make API calls more restrictive? I'd like, for example, to require a special role AND admin to delete a project	15:40
*** petertr7_away is now known as petertr7		15:41
mfisch	the docs state there you cannot make them less restrictive since the code has some assert_admins in it	15:41
lbragstad	mfisch: ah, yep that would make sense	15:42
*** jsavak has quit IRC		15:42
lbragstad	like here - https://github.com/openstack/keystone/blob/b3e969c065f991b8de180330f8f69d94012c6915/keystone/catalog/controllers.py#L36-L39	15:42
mfisch	yep	15:42
mfisch	so using this snippet	15:43
mfisch	"delete_allowed": "role:deleter",	15:43
mfisch	"identity:delete_project": "rule:delete_allowed",	15:43
*** marzif has quit IRC		15:43
mfisch	the only role I have is admin	15:43
mfisch	and I can still delete projects	15:43
*** jsavak has joined #openstack-keystone		15:43
mfisch	so that contradicts that I can make things more restrictive	15:43
*** haneef_ has joined #openstack-keystone		15:43
*** marzif has joined #openstack-keystone		15:44
lbragstad	but can you delete projects when you only have the deleter role?	15:44
*** geoffarnold has joined #openstack-keystone		15:44
mfisch	I'd like for that to be true	15:45
mfisch	but right now I can delete projects without that role	15:45
mfisch	keystone user-role-list ... "admin"	15:46
mfisch	keystone tenant-delete matt	15:46
mfisch	(works0	15:46
*** josecastroleon has quit IRC		15:46
*** rajesht has quit IRC		15:46
elmiko	stevemar, any thoughts?	15:46
*** josecastroleon has joined #openstack-keystone		15:47
lbragstad	mfisch: right, but that's because you have the admin role assigned to your user	15:47
mfisch	lbragstad: so thats my question, it seems that admin trumps everything in policy.json	15:47
*** nkinder has quit IRC		15:47
lbragstad	mfisch: I think that is also because there are assertions built into the cod e	15:47
lbragstad	around asserting admin to do some operations	15:47
mfisch	I thought based on that convo that the code would 1st check policy then do the admin check	15:48
mfisch	which would allow me to restrict it more	15:48
mfisch	but perhaps if you have the admin role it skips the policy ...	15:48
mfisch	oh	15:48
mfisch	duh	15:48
lbragstad	yep	15:48
mfisch	the logs are full of skipping RBAC lines	15:48
mfisch	b/c admin	15:48
lbragstad	which is kinda highlighted in the last sentence of my response	15:49
*** bapalm has quit IRC		15:49
samueldmq	dstanek, creating the bypasser, I was putting great deal of effort for buying too little	15:49
*** bapalm has joined #openstack-keystone		15:49
mfisch	lbragstad: that second review you referenced (which admittedly never merged) says: "It should be noted that certain API calls may have additional hard-coded	15:50
mfisch	authorization restrictions that are enforced after the RBAC policy is checked.	15:50
mfisch	The policy rules in the JSON policy file are not able to override these	15:50
mfisch	hard-coded authorization restrictions, though the policy rules can make these	15:50
mfisch	API calls more restricted."	15:50
mfisch	(sorry for the flood)	15:50
mfisch	WARNING keystone.common.controller [-] RBAC: Bypassing authorization...	15:51
mfisch	and found the code now too	15:52
mfisch	thanks lbragstad	15:52
lbragstad	mfisch: it might be possible to make them more restrictive by adding another condition to having the admin role	15:52
*** tjcocozz_ has joined #openstack-keystone		15:52
*** tjcocozz has quit IRC		15:52
mfisch	lbragstad: the code does this	15:52
mfisch	if 'is_admin' in context and context['is_admin']:	15:52
*** piyanai has quit IRC		15:53
mfisch	where does that come from?	15:53
lbragstad	mfisch: you mean where does 'is_admin' get set?	15:53
mfisch	yeah	15:53
lbragstad	let me see if I can dig it out	15:53
lbragstad	for some reason I thought gyee would know	15:53
*** tjcocozz_ has quit IRC		15:54
*** tjcocozz has joined #openstack-keystone		15:54
*** piyanai has joined #openstack-keystone		15:54
*** morganfainberg_ has quit IRC		15:55
stevemar	elmiko: sry, was caught up in a discussion, looking now	15:55
elmiko	stevemar, ack, thanks. i appreciate the help =)	15:56
stevemar	elmiko: i think the cause is the mixing of auth version and api version	15:57
stevemar	try adding: --os-identity-api-version 3	15:57
elmiko	stevemar, ok, i'll give that a try. i'm not sure i understand though, are you saying it defaults to v2 but i added /v3/ to my endpoint?	15:58
stevemar	sort of	15:58
*** fhubik is now known as fhubik_brb		15:58
stevemar	the endpoint used for authentication and the endpoint used for the apis are different	15:59
elmiko	ahh, ok	15:59
elmiko	that did work, btw	15:59
*** gyee has joined #openstack-keystone		16:00
*** ChanServ sets mode: +v gyee		16:00
elmiko	stevemar, so, another question. when i switch back to the /v2.0/ endpoint for auth-url, i again get nothing. is this a similar issue?	16:01
*** jsavak has quit IRC		16:03
*** piyanai has quit IRC		16:03
*** jsavak has joined #openstack-keystone		16:04
*** piyanai has joined #openstack-keystone		16:08
*** tjcocozz has quit IRC		16:09
*** tjcocozz has joined #openstack-keystone		16:09
stevemar	elmiko: yeah, mixing the identity-version and the version at the end of auth_url, is #NoBueno	16:12
elmiko	hehe	16:12
elmiko	stevemar, what i'm confused about though is that the default identity-version is 2, and when i craft my openstack command to allow that i still get nothing from the endpoint list	16:13
*** jistr has quit IRC		16:13
elmiko	for example,	16:13
elmiko	$ openstack --os-username=admin --os-password=openstack --os-project-name=admin --os-auth-url=http://192.168.122.2:5000/v2.0/ --os-identity-api-version=2 endpoint list	16:13
elmiko	returns nothing for me	16:13
*** fhubik_brb is now known as fhubik		16:15
*** diazjf has joined #openstack-keystone		16:15
stevemar	elmiko that one should work :\	16:18
*** sigmavirus24 is now known as sigmavirus24_awa		16:18
elmiko	stevemar, i share your :\	16:18
*** petertr7 is now known as petertr7_away		16:18
elmiko	this started happening for me a day or 2 ago, and i can't figure out why the v2 stuff doesn't work	16:19
therve	elmiko, FWIW I've seen that behavior too, so it's not just you	16:19
*** petertr7_away is now known as petertr7		16:19
elmiko	therve, cool, thanks for the confirmation. perhaps i'll dig a little more.	16:19
therve	It was a couple of weeks back though	16:19
elmiko	maybe my devstack is just in a weird state	16:19
*** tjcocozz has quit IRC		16:21
*** tjcocozz has joined #openstack-keystone		16:21
*** josecastroleon has quit IRC		16:23
elmiko	stevemar, thanks again for the advice!	16:24
*** sigmavirus24_awa is now known as sigmavirus24		16:25
*** _cjones_ has joined #openstack-keystone		16:26
*** tjcocozz has quit IRC		16:26
*** josecastroleon has joined #openstack-keystone		16:26
*** lhcheng has joined #openstack-keystone		16:29
*** ChanServ sets mode: +v lhcheng		16:29
*** phalmos has quit IRC		16:29
*** henrynash has joined #openstack-keystone		16:34
*** ChanServ sets mode: +v henrynash		16:34
*** jsavak has quit IRC		16:37
*** jsavak has joined #openstack-keystone		16:37
*** piyanai has quit IRC		16:39
rodrigods	henrynash, we split the first patch from reseller chain into tests and implementation	16:41
*** petertr7 is now known as petertr7_away		16:48
*** roxanaghe has joined #openstack-keystone		16:52
morgan_404	is anyone else besides gyee, david8hu, roxanaghe, samleon, and the other folks i clearly can't remember IRC names from our office (pre coffee) going to the ops midcycle?	16:52
*** bapalm has quit IRC		16:52
*** piyanai has joined #openstack-keystone		16:54
david8hu	morgan_404, haneef might be going	16:55
morgan_404	david8hu: that would be another person who i couldn't remember IRC name from the HP office	16:55
morgan_404	looking for non-HP or non-bay area HP	16:55
* morgan_404 is gauging benefit of rebooking a bunch of travel to go to ops mid cycle then seattle day		16:56
*** henrynash has quit IRC		16:57
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: WIP: Unit tests for endpoint-policy SQL driver https://review.openstack.org/212006	16:58
samueldmq	dstanek, could you take another look ? ^	16:58
samueldmq	dstanek, the only point now is wheter I need to be "exhaustive" by using _list_target_combinations(..) in there	16:58
*** tsymanczyk has joined #openstack-keystone		16:59
*** tsymanczyk is now known as Guest84576		16:59
*** henrynash has joined #openstack-keystone		17:00
*** ChanServ sets mode: +v henrynash		17:00
haneef_	elmko: Did u register endpoints using v3 api? If so it will list only if you use v3 endpoint list	17:02
samueldmq	haneef_, ++	17:02
gyee	morgan_404, you coming to the ops midcycle?	17:02
*** josecastroleon has quit IRC		17:03
morgan_404	gyee: depends on what our representation looks like	17:03
morgan_404	gyee: it's a headache to rebook flights	17:03
gyee	yeah, forget Seattle man, just come party with us :)	17:03
*** piyanai has quit IRC		17:05
*** josecastroleon has joined #openstack-keystone		17:05
gyee	haneef_, now I am curious, v2 and v3 endpoints should be interchangeable, lemme take a look at the code	17:06
*** piyanai has joined #openstack-keystone		17:06
samueldmq	gyee, in v2 different interfaces (internalurl, publicurl, adminurl) had the same endpoint id	17:07
haneef_	gyee: It is api compatibility. We only support backward compatability not forward. If you did something with v2 you can see it via v3 and not vice versa	17:07
samueldmq	gyee, in v3 they have their own id, so 3 interfaces = 3 ids, so no way to map them back to the same entity	17:08
gyee	ah, right	17:08
gyee	I forgot they have different IDs	17:08
*** eandersson has quit IRC		17:08
gyee	but from v2 to v3, all three endpoints have the same ID?	17:08
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token() https://review.openstack.org/197647	17:09
openstackgerrit	Lance Bragstad proposed openstack/keystone: Refactor _supports_bind method https://review.openstack.org/197699	17:09
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877	17:09
samueldmq	gyee, I don't know, maybe, and would sound weird	17:10
*** fhubik has quit IRC		17:11
*** marzif has quit IRC		17:14
*** _cjones_ has quit IRC		17:16
*** drjones has joined #openstack-keystone		17:16
*** piyanai has quit IRC		17:16
*** belmoreira has joined #openstack-keystone		17:19
*** narengan has quit IRC		17:19
*** narengan has joined #openstack-keystone		17:19
*** belmoreira has quit IRC		17:21
*** ankita_wagh has joined #openstack-keystone		17:21
*** narengan has quit IRC		17:24
*** annasort has quit IRC		17:24
*** narengan has joined #openstack-keystone		17:28
gyee	samueldmq, haneef_, let this 'legacy_endpoint_id' trick we are using :)	17:29
samueldmq	gyee, lol really ? so we add that to v2 endpoints listed with v3?	17:29
gyee	endpoints created using v3 have no legacy_endpoint_id, and therefore won't show up in v2	17:30
samueldmq	gyee, ++	17:30
gyee	https://github.com/openstack/keystone/blob/master/keystone/catalog/controllers.py#L72	17:30
gyee	endpoints created using v2 have both endpoint_id and legacy_endpoint_id	17:31
*** piyanai has joined #openstack-keystone		17:31
*** nkinder has joined #openstack-keystone		17:32
*** narengan has quit IRC		17:33
gyee	samueldmq, but that's an interesting problem though, say you fetch policy by endpoint ID	17:33
*** narengan has joined #openstack-keystone		17:33
gyee	if you get a V2 catalog, only the legacy endpoint ID is there	17:33
samueldmq	gyee, and the policy isn't associated with the legacy_id	17:34
gyee	k, that's good	17:34
samueldmq	gyee, oh, so use v3 endpoints!	17:34
samueldmq	forget about v2	17:34
samueldmq	:)	17:34
gyee	hell yeah	17:34
*** jsavak has quit IRC		17:35
samueldmq	gyee, also, that endpoint process may have multiple ids in keystone server right,	17:35
samueldmq	gyee, so we make deployers to specify one id, so it's up to them to choose what id (and then policy) to use	17:35
samueldmq	gyee, as opposed to letting them to specify the 3 ids (from the 3 interface types) and then having an issue if more than a policy could be fetched (multiple endpoint ids)	17:36
samueldmq	gyee, the issue would be: what policy to use..	17:36
*** jsavak has joined #openstack-keystone		17:39
gyee	samueldmq, can't we walk the hierarchy? endpoint -> service -> region	17:39
gyee	if they want all three, obvious they want service	17:39
gyee	obviously	17:39
*** narengan has quit IRC		17:40
*** fhubik has joined #openstack-keystone		17:40
*** narengan has joined #openstack-keystone		17:40
samueldmq	gyee, that makes sense, although I am for adding support for fetching by the endpoint_id	17:42
*** josecastroleon has quit IRC		17:42
samueldmq	gyee, for now	17:42
samueldmq	gyee, and lookin if we are going to fix the endpoint model or anything else, or add fetch by service/region directly next cycle	17:42
gyee	samueldmq, isn't that how our endpoint policy work today? you can park a policy anywhere in the hierarchy	17:43
*** rajesht has joined #openstack-keystone		17:43
*** josecastroleon has joined #openstack-keystone		17:43
samueldmq	gyee, actually, specifying the endpoint_id, we will fallback to service/region if there is no policy for that endpoint id directly	17:43
samueldmq	gyee, I think so, let me recheck	17:43
gyee	samueldmq, region is a bit scary, its hierarchical :)	17:44
samueldmq	gyee, yes we do https://github.com/openstack/keystone/blob/master/keystone/endpoint_policy/core.py#L204	17:44
gyee	region -> subregion -> subregion ...	17:44
samueldmq	gyee, so if we only do policy by region/service, it really doesn't matter what endpoint id (interface) one has specified	17:44
*** fhubik has quit IRC		17:44
samueldmq	gyee, you're so damn smart :p	17:44
gyee	if you park a policy at the service level, any endpoints for that service will get it	17:45
samueldmq	gyee, yes	17:45
samueldmq	:)	17:45
*** divya__ has quit IRC		17:45
*** Guest84576 is now known as tsymanczyk		17:46
*** rajesht has quit IRC		17:47
samueldmq	gyee, the only thing I was trying to realize was if allowing to specify a single endpoint_id wasn't going to interfere in the endpoint contrainst you are working on	17:51
*** nkinder has quit IRC		17:54
samueldmq	gyee, is it possible to specify multiple ids like: "token.catalog.endpoints.id:%(endpoint_ids)s"	17:55
samueldmq	gyee, where endpoint_ids would be a list of the endpoint ids (all interfaces)	17:55
samueldmq	gyee, ,	17:55
samueldmq	?	17:55
*** phalmos has joined #openstack-keystone		17:56
gyee	I don't think oslo.policy can match a list	17:58
*** piyanai has quit IRC		17:58
samueldmq	gyee, but we can't restrict endpoint matching to a single id, since we allow multiple	18:01
samueldmq	gyee, if that makes sense to you, operators have to choose, and maybe...	18:01
samueldmq	gyee, heey, nevermind, we can do that	18:01
samueldmq	gyee, "token.catalog.endpoints.id:%(public_id)s or token.catalog.endpoints.id:%(internal_id)s or token.catalog.endpoints.id:%(admin_id)s"	18:02
samueldmq	gyee, o/	18:02
lbragstad	morgan_404: want me to address these comments?	18:02
lbragstad	https://review.openstack.org/#/c/196475/	18:02
gyee	sure, in that case, why not just use service_id	18:02
morgan_404	lbragstad: sure	18:03
gyee	samueldmq, "token.catalog.endpoint.service_id:%(service_id)s"	18:03
samueldmq	gyee, service_id isn't enoguh, you may have access to the same service in another region/endpoints	18:03
samueldmq	gyee, service_id may not be enough	18:03
samueldmq	gyee, it all depends on the level of restriction the operators want to have	18:03
gyee	samueldmq, sure, then add region to the rule if you want to further restrict it	18:04
*** narengan has quit IRC		18:06
*** piyanai has joined #openstack-keystone		18:06
*** narengan has joined #openstack-keystone		18:07
*** narengan_ has joined #openstack-keystone		18:07
*** _hrou_ has joined #openstack-keystone		18:09
*** hrou has quit IRC		18:09
*** narengan has quit IRC		18:11
*** yottatsa has quit IRC		18:14
*** bapalm_ has joined #openstack-keystone		18:14
*** piyanai has quit IRC		18:15
samueldmq	gyee, yes, then looks good	18:15
openstackgerrit	Lance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens https://review.openstack.org/196475	18:16
*** piyanai has joined #openstack-keystone		18:16
openstackgerrit	Lance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens https://review.openstack.org/196475	18:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: Do not require the token_id for converting v3 to v2 tokens https://review.openstack.org/196476	18:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: When validating a V3 token as V2, use the v3_to_v2 conversion https://review.openstack.org/196483	18:19
*** josecastroleon has quit IRC		18:19
*** josecastroleon has joined #openstack-keystone		18:21
*** bapalm has joined #openstack-keystone		18:23
openstackgerrit	Lance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens https://review.openstack.org/196475	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone: Do not require the token_id for converting v3 to v2 tokens https://review.openstack.org/196476	18:24
*** bapalm has quit IRC		18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone: When validating a V3 token as V2, use the v3_to_v2 conversion https://review.openstack.org/196483	18:24
*** piyanai has quit IRC		18:27
*** ayoung has quit IRC		18:32
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token() https://review.openstack.org/197647	18:32
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877	18:32
*** annasort has joined #openstack-keystone		18:34
*** piyanai has joined #openstack-keystone		18:38
*** jsavak has quit IRC		18:49
*** jsavak has joined #openstack-keystone		18:50
*** boris-42 has joined #openstack-keystone		18:54
*** jsavak has quit IRC		18:57
*** jsavak has joined #openstack-keystone		18:58
*** petertr7_away is now known as petertr7		19:02
*** tqtran is now known as tqtran-afk		19:03
*** jsavak has quit IRC		19:05
*** jsavak has joined #openstack-keystone		19:06
*** hafe has joined #openstack-keystone		19:18
openstackgerrit	Claudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager https://review.openstack.org/211686	19:23
elmiko	are you guys still actively maintaining the API reference docs in the keystone-specs repo?	19:25
*** BAKfr has quit IRC		19:25
elmiko	i'm working on a spec for a new version of sahara's API and i like the way you have collected the keystone stuff, but i'm wondering if there are any opinions/suggestions about other projects following this lead?	19:26
*** BAKfr has joined #openstack-keystone		19:30
stevemar	elmiko: yes, we actively maintain it	19:33
*** jasonsb has quit IRC		19:33
stevemar	the reasoning is that when someone proposes a new spec, they can also propose the API changes too, to the same repo, in the same patch	19:33
*** hafe has quit IRC		19:33
elmiko	nice, i like that	19:33
stevemar	:)	19:34
elmiko	what about the api-ref site?	19:34
elmiko	do you then create WADL to go up there>	19:34
elmiko	?	19:34
*** jasonsb has joined #openstack-keystone		19:34
stevemar	thats a constant battle	19:34
elmiko	ugh... don't i know	19:34
elmiko	i'd like to recommend keystone's model for sahara	19:34
stevemar	elmiko: the api-ref site is very very out of date for keystone APIs	19:35
elmiko	stevemar, ack, good to know	19:35
*** piyanai has quit IRC		19:35
stevemar	when i link folks to the keystone APIs, it's always to spec.o.org	19:35
*** piyanai has joined #openstack-keystone		19:35
elmiko	makes sense	19:35
*** piyanai has quit IRC		19:36
stevemar	it'll be cool to actually update the api-ref site one day, maybe as a day long push	19:36
elmiko	well, imo, i think it would be cool for api-ref to move away from WADL to something like Swagger	19:38
elmiko	but that's a whole other can of worms	19:38
*** jasonsb has quit IRC		19:38
*** hafe has joined #openstack-keystone		19:41
*** piyanai has joined #openstack-keystone		19:43
*** ayoung has joined #openstack-keystone		19:49
*** ChanServ sets mode: +v ayoung		19:49
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy SQL driver https://review.openstack.org/212006	19:53
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Fixes query.one() return usage in endpoint-policy https://review.openstack.org/208609	19:55
samueldmq	henrynash, dolphm added tests to the endpoint-policy backend, as you asked ^	19:55
*** tqtran-afk has quit IRC		19:56
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Enable Cache-Control HTTP values in responses https://review.openstack.org/211271	19:59
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Create Cached Policy Table https://review.openstack.org/211679	19:59
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism https://review.openstack.org/209695	19:59
*** geoffarnold has quit IRC		20:00
*** jsavak has quit IRC		20:00
*** jsavak has joined #openstack-keystone		20:01
*** geoffarnold has joined #openstack-keystone		20:01
*** Ephur has joined #openstack-keystone		20:03
*** piyanai has quit IRC		20:06
*** piyanai has joined #openstack-keystone		20:07
*** jsavak has quit IRC		20:07
rodrigods	htruta is anxious to fix anything you may find in the first patches of Reseller, cc: henrynash, dstanek :)	20:07
*** jsavak has joined #openstack-keystone		20:08
*** tellesnobrega is now known as tellesnobrega_af		20:13
*** piyanai has quit IRC		20:14
*** piyanai has joined #openstack-keystone		20:17
opilotte	Accepts Group IDs from the IdP without domain reference: https://review.openstack.org/#/c/210581/	20:18
hafe	question about keystoneclient behavior in a multi site prototype, see http://pastebin.com/Yq3GSzuG	20:25
*** piyanai has quit IRC		20:29
*** piyanai has joined #openstack-keystone		20:29
*** piyanai has quit IRC		20:32
stevemar	hafe: i'm not following what the error is,	20:35
*** jasonsb has joined #openstack-keystone		20:36
hafe	stevemar: that keystoneclient suddenly decides to go to the "remote" keystone server	20:36
hafe	for token validation, why?	20:36
*** roxanaghe has quit IRC		20:39
*** gyee has quit IRC		20:39
*** fangzhou has joined #openstack-keystone		20:39
hafe	stevemar: it is not an error, the glance command functionally works. It just produces "inter region" keystone traffic which is the goal of the prototype to get rid of	20:41
*** diazjf has left #openstack-keystone		20:49
*** haneef_ has quit IRC		20:54
*** haneef_ has joined #openstack-keystone		20:55
*** baker has joined #openstack-keystone		20:55
*** stevemar has quit IRC		20:57
*** baker has quit IRC		21:03
*** petertr7 is now known as petertr7_away		21:29
*** jsavak has quit IRC		21:41
*** roxanaghe has joined #openstack-keystone		21:49
*** narengan_ has quit IRC		21:50
*** narengan has joined #openstack-keystone		21:51
*** narengan has quit IRC		21:55
*** HT_sergio has quit IRC		21:58
*** henrynash has quit IRC		21:58
*** ankita_wagh has quit IRC		21:58
*** navid__ has joined #openstack-keystone		21:59
*** ankita_wagh has joined #openstack-keystone		21:59
*** asdasd has joined #openstack-keystone		22:00
*** ankita_wagh has quit IRC		22:00
*** ankita_wagh has joined #openstack-keystone		22:00
*** asdasd has quit IRC		22:04
*** edmondsw has quit IRC		22:06
*** gyee has joined #openstack-keystone		22:14
*** ChanServ sets mode: +v gyee		22:14
*** jecarey has quit IRC		22:18
*** gordc has quit IRC		22:31
*** wasmum has quit IRC		22:31
*** ankita_wagh has quit IRC		22:32
*** ankita_wagh has joined #openstack-keystone		22:32
*** navid__ has joined #openstack-keystone		22:33
*** navid__ has quit IRC		22:34
*** ankita_wagh has quit IRC		22:34
*** ankita_wagh has joined #openstack-keystone		22:34
*** marekd is now known as marekd_404		22:36
*** dguerri` is now known as dguerri		22:39
*** dguerri is now known as dguerri`		22:43
*** devlaps has joined #openstack-keystone		22:44
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	22:49
*** _hrou_ has quit IRC		22:55
*** mylu has joined #openstack-keystone		23:11
*** markvoelker has quit IRC		23:14
lbragstad	gyee: I rebased and addressed comments here, which cleared your +2 https://review.openstack.org/#/c/196475/	23:14
*** claudiub has quit IRC		23:16
*** wasmum has joined #openstack-keystone		23:17
*** doug-fish has left #openstack-keystone		23:21
*** chlong has quit IRC		23:25
gyee	lbragstad, merge it! before I change my mind :)	23:26
lbragstad	gyee: I can't! I pushed a few patch sets	23:27
gyee	morgan_404, you want to A+ it?	23:30
morgan_404	gyee: sec	23:30
morgan_404	need to finish rebooking travel for ops midcycle	23:30
lbragstad	morgan_404: oh, where is that?	23:31
gyee	Bay Area	23:31
lbragstad	nice	23:31
morgan_404	gyee: so I arrive bay area on monday, ops mid cycle tuesday, fly to SEA tuesday night, then in SEA until frida	23:32
morgan_404	y	23:32
gyee	wow	23:32
gyee	that's some serious travel	23:32
gyee	morgan_404, I am thinking Specialized Sirrus Elite Carbon Disc, that a good entry level bike?	23:33
morgan_404	hm.	23:33
morgan_404	link?	23:33
gyee	http://www.specialized.com/us/en/bikes/multi-use/sirrus/sirrus-elite-carbon-disc	23:34
gyee	like a weekend afternoon ride	23:34
lbragstad	entry level bike?	23:35
gyee	yeah	23:35
gyee	road bike	23:35
gyee	yikes, its flat bar	23:36
gyee	and disc break	23:36
*** phalmos has quit IRC		23:37
lbragstad	gyee: I don't know much about bikes, but it looks nice :)	23:38
gyee	its on sale for $1200	23:38
lbragstad	O.o - you said it was entry level?	23:39
gyee	hah	23:40
gyee	like entry level BMW	23:40
lhcheng	lol	23:40
gyee	for comfort, damn it!	23:40
* lhcheng wonders what gyee buys when he gets serious		23:40
lbragstad	lhcheng: lol	23:41
*** geoffarnold has quit IRC		23:41
gyee	I need some loose coins	23:41
lbragstad	gyee: when you get serious about road bikes it better have a motor ;)	23:41
gyee	lbragstad, lcheng, https://phunkeeduck.com/	23:42
gyee	that's a nice ride in the office hallways	23:43
lhcheng	gyee: http://boostedboards.com/ this have the juice to go up hill in SF	23:44
* lbragstad wonders what all these new things are!		23:45
*** geoffarnold has joined #openstack-keystone		23:45
*** geoffarnold has quit IRC		23:45
gyee	nice!, looks like extra wide wheels on those boards	23:46

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!