Wednesday, 2015-08-12

*** jasonsb has quit IRC [00:00]
*** ankita_w_ has joined #openstack-keystone [00:02]
*** david-lyle has quit IRC [00:03]
*** ankita___ has joined #openstack-keystone [00:03]
*** ankita_wagh has quit IRC [00:05]
-openstackstatus- NOTICE: Zuul was restarted due to an error; events (such as approvals or new patchsets) since 23:01 UTC have been lost and affected changes will need to be rechecked [00:05]
*** roxanaghe has quit IRC [00:06]
*** ankita_w_ has quit IRC [00:06]
<jamielennox> dstanek: lhcheng: do you mind a review of https://review.openstack.org/#/c/188329/ [00:08]
<jamielennox> the reliant patch has 2 +2s and i need to do some work with it [00:08]
<dstanek> sure [00:08]
<lhcheng> jamielennox: sure [00:10]
*** ankita_wagh has joined #openstack-keystone [00:11]
<jamielennox> thanks both, it's kerberos related but really it's just refactoring the tests so we can remove the optional flag. The optional flag is only used in error reporting but it made certain tests easier to mock [00:11]
<jamielennox> damn, zuul restart, i was waiting on a few things [00:12]
<dstanek> jamielennox: that's a little strange in that it seems to have moved a test into a fixture. is the fixture reusable? [00:14]
*** ankita___ has quit IRC [00:14]
<jamielennox> dstanek: yep, the point is to make the mocking a fixture so that it can be reused in the follow up patch [00:15]
*** shadower has quit IRC [00:23]
*** shadower has joined #openstack-keystone [00:23]
*** piyanai has quit IRC [00:24]
*** stevemar has joined #openstack-keystone [00:31]
*** ChanServ sets mode: +v stevemar [00:31]
*** stevemar has quit IRC [00:34]
*** claudiub has quit IRC [00:34]
*** stevemar has joined #openstack-keystone [00:40]
*** ChanServ sets mode: +v stevemar [00:40]
*** stevemar has quit IRC [00:41]
*** browne1 has quit IRC [00:45]
*** woodster_ has quit IRC [00:50]
*** vivekd has joined #openstack-keystone [00:52]
*** samueldmq has joined #openstack-keystone [00:52]
*** david-lyle has joined #openstack-keystone [00:54]
<samueldmq> while True: [00:55]
<samueldmq>     try: [00:55]
<samueldmq>         ping morgan_404 [00:55]
<samueldmq>     except 404: [00:55]
<samueldmq>         pass [00:55]
<samueldmq> good evening :) [00:56]
<openstackgerrit> Merged openstack/python-keystoneclient-kerberos: Disable optional authentication for plugin https://review.openstack.org/188329 [00:59]
<openstackgerrit> Merged openstack/python-keystoneclient-kerberos: Federated Kerberos plugin https://review.openstack.org/173558 [00:59]
*** _cjones_ has quit IRC [01:00]
<samueldmq> ayoung, pm'd you [01:04]
*** ankita_wagh has quit IRC [01:11]
*** tqtran_ has quit IRC [01:24]
*** davechen has joined #openstack-keystone [01:25]
*** jasonsb has joined #openstack-keystone [01:34]
*** ankita_wagh has joined #openstack-keystone [01:37]
*** davechen1 has joined #openstack-keystone [01:38]
*** tobe_ has joined #openstack-keystone [01:39]
*** davechen has quit IRC [01:40]
*** vivekd has quit IRC [01:45]
*** davechen has joined #openstack-keystone [01:48]
*** davechen1 has quit IRC [01:50]
*** bknudson has quit IRC [01:51]
*** piyanai has joined #openstack-keystone [01:51]
*** alejandrito has quit IRC [01:55]
*** marzif has quit IRC [02:06]
*** stevemar has joined #openstack-keystone [02:09]
*** ChanServ sets mode: +v stevemar [02:09]
*** samueldmq has quit IRC [02:15]
*** arif-ali has quit IRC [02:21]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427 [02:25]
*** arif-ali has joined #openstack-keystone [02:26]
*** gyee has quit IRC [02:27]
*** mylu has joined #openstack-keystone [02:27]
*** david-lyle has quit IRC [02:33]
*** mylu has quit IRC [02:34]
*** browne has joined #openstack-keystone [02:39]
*** richm has quit IRC [02:43]
*** jdandrea has quit IRC [02:43]
<openstackgerrit> Merged openstack/keystoneauth: Split plugin loading https://review.openstack.org/190594 [02:43]
<openstackgerrit> Merged openstack/keystoneauth: Remove oslo_config from auth plugin loading https://review.openstack.org/209348 [02:44]
*** lhcheng has quit IRC [02:49]
*** hakimo has joined #openstack-keystone [02:52]
*** hakimo_ has quit IRC [02:54]
*** ankita_wagh has quit IRC [02:56]
*** mylu has joined #openstack-keystone [03:07]
*** rm_work|away is now known as rm_work [03:10]
*** tobe_ has quit IRC [03:15]
*** tobe_ has joined #openstack-keystone [03:16]
*** mylu has quit IRC [03:20]
*** mylu has joined #openstack-keystone [03:20]
*** uvirtbot has quit IRC [03:25]
*** dan has quit IRC [03:26]
*** dan has joined #openstack-keystone [03:26]
*** david-lyle has joined #openstack-keystone [03:30]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372 [03:33]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600 [03:33]
*** htruta has quit IRC [03:36]
*** dikonoor has joined #openstack-keystone [03:36]
*** htruta has joined #openstack-keystone [03:38]
*** htruta has quit IRC [03:40]
*** htruta has joined #openstack-keystone [03:40]
*** lhcheng has joined #openstack-keystone [03:42]
*** ChanServ sets mode: +v lhcheng [03:42]
*** mylu has quit IRC [03:43]
*** piyanai has quit IRC [03:44]
*** stevemar has quit IRC [03:44]
*** uvirtbot has joined #openstack-keystone [03:47]
*** lhcheng has quit IRC [03:48]
*** lhcheng has joined #openstack-keystone [03:55]
*** ChanServ sets mode: +v lhcheng [03:55]
*** lhcheng_ has joined #openstack-keystone [03:56]
*** lhcheng has quit IRC [03:59]
*** stevemar has joined #openstack-keystone [04:00]
*** ChanServ sets mode: +v stevemar [04:00]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Limit subtree and parents queries https://review.openstack.org/209132 [04:02]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Replicate domain info in projects table https://review.openstack.org/211170 [04:05]
<openstackgerrit> Henrique Truta proposed openstack/keystone: Creating tests for projects acting as domains https://review.openstack.org/211219 [04:05]
*** vivekd has joined #openstack-keystone [04:11]
*** rajesht has joined #openstack-keystone [04:12]
*** hrou has joined #openstack-keystone [04:17]
*** morgan_404 is now known as morgan_410 [04:26]
*** morgan_410 is now known as morgan_404 [04:26]
*** ankita_wagh has joined #openstack-keystone [04:36]
*** ankita_wagh has quit IRC [04:36]
*** ankita_wagh has joined #openstack-keystone [04:37]
*** vivekd_ has joined #openstack-keystone [04:38]
*** vivekd has quit IRC [04:40]
*** vivekd_ is now known as vivekd [04:40]
<stevemar> dstanek: burning the midnight oil too? [04:40]
<dstanek> stevemar: nothing else to do after midnight [04:41]
*** links has joined #openstack-keystone [04:42]
<htruta> stevemar, dstanek, guess that makes three of us [04:44]
<stevemar> htruta: we shall guard the keystone fort [04:45]
<htruta> stevemar: lol [04:47]
*** tobe_ has quit IRC [04:53]
<morgan_404> But... It isn't midnight yet [04:53]
<morgan_404> >.> [04:53]
<jamielennox> since everyone's around: https://review.openstack.org/#/c/180818/18 - already has a +2 from dolph [04:54]
<htruta> morgan_404, it is 2am :/ [04:57]
*** tobe_ has joined #openstack-keystone [05:04]
<morgan_404> is not, it's 2204 :P [05:05]
<morgan_404> htruta: ^ :) [05:05]
<morgan_404> dstanek: http://thehullabaloo.com/technology-22/lenovo-unveils-thinkpad-p50-p70-mobile-workstations-at-siggraph-815.html openstack cloud in a laptop? [05:09]
*** yottatsa has joined #openstack-keystone [05:14]
<stevemar> jamielennox: for a "move" patch, you're introducing a lot of new code [05:29]
<jamielennox> stevemar: ? [05:29]
<jamielennox> stevemar: oh, that review? [05:30]
<stevemar> https://review.openstack.org/#/c/180818/18 [05:30]
<jamielennox> yea [05:30]
<jamielennox> all tests [05:30]
<stevemar> +214, -59 [05:30]
<stevemar> ahhh [05:30]
<jamielennox> because i now need to test the behaviour of the base class i'm moving it to independently of the original class [05:30]
*** ayoung has quit IRC [05:30]
<morgan_404> stevemar: don't complain about tests unless the tests suck.. then complain about tests loudly [05:41]
<morgan_404> :P [05:41]
<stevemar> morgan_404: i wasn't complaining :P [05:41]
<morgan_404> ;) [05:41]
<stevemar> jamielennox: +A [05:47]
*** henrynash has joined #openstack-keystone [05:48]
*** ChanServ sets mode: +v henrynash [05:48]
*** henrynash has quit IRC [05:50]
<jamielennox> stevemar: \o/ - i haven't had a middleware patch from that chain go through in ages [05:54]
<jamielennox> it moved fairly well for a couple of weeks then just stopped [05:54]
<stevemar> jamielennox: my reviewing was down for the last few weeks [05:54]
<jamielennox> stevemar: mine too, actually it seemed like everyone slowed down for a bit there [05:54]
<stevemar> 1 to 2? busy with internal shtufff [05:54]
<stevemar> yeah [05:54]
<stevemar> agreed [05:55]
<openstackgerrit> Merged openstack/keystone: Validate domain ownership for v2 tokens https://review.openstack.org/208069 [05:55]
<jamielennox> morgan_404 and stevemar: the following patch is fairly easy to understand but a bit of a change in thinking: https://review.openstack.org/#/c/190941/ [05:56]
*** hrou has quit IRC [05:59]
*** josecastroleon has joined #openstack-keystone [06:00]
*** browne has quit IRC [06:07]
*** ankita_w_ has joined #openstack-keystone [06:08]
*** ankita_wagh has quit IRC [06:10]
<morgan_404> jamielennox: i think that it makes sense to avoid caching in the case of pki and in-memory [06:13]
<morgan_404> but does it make sense if they explicitly configure memcache? [06:13]
<jamielennox> morgan_404: well at the moment it will cache to memory right? [06:16]
<morgan_404> yes [06:16]
<morgan_404> this is a case where I think the cache-to-memory is dumb [06:16]
<morgan_404> (by default) [06:16]
<morgan_404> I'd rather force deployers to explicitly configure cache if they want it vs. "we do something sortof weird that will produce inconsistent results" [06:17]
<morgan_404> so - I'd favour changing the default to "no cache explicitly configured, no caching" [06:17]
<morgan_404> instead of just skipping for PKI [06:17]
<jamielennox> right, that in-memory cache is dumb [06:17]
<morgan_404> let them do the in-mem thing if they *really* want [06:18]
<jamielennox> morgan_404: i'd love to know if there's a difference [06:18]
<jamielennox> like do the crypto vs the memcache [06:18]
<morgan_404> sure. but make it explicit in all cases [06:18]
<jamielennox> kind of just guessing but i don't think i'd take the memory hit [06:18]
<morgan_404> vs. "we just do this for you unless you turn it off" [06:18]
<morgan_404> i would turn off in-memcache [06:18]
<morgan_404> but that's me [06:18]
<jamielennox> morgan_404: so is there a compat issue with me doing a patch that disables the in-memory caching altogether [06:20]
<jamielennox> wait - we discussed this, i had to wait for oslo.cache or something [06:20]
<morgan_404> yes. we can't remove it. we should be able to default it to off [06:20]
<morgan_404> unless you explicitly turn it on [06:20]
<morgan_404> i'm ok with that release note personally [06:20]
<jamielennox> hmm, ok, so that kind of puts a halt on that one [06:21]
<morgan_404> so change the patch to default caching off [06:21]
<morgan_404> for tokens [06:21]
<morgan_404> don't just exempt PKI [06:22]
<morgan_404> you just can't "remove" in-memory caching [06:22]
<morgan_404> if someone wants to do that with PKI tokens, let them [06:22]
*** e0ne has joined #openstack-keystone [06:22]
<morgan_404> but we can say "this is a baaaaad idea... in fact the whole in-memcache is a bad idea" [06:22]
<morgan_404> sorry in-mem-dict-cache [06:23]
*** lhcheng has joined #openstack-keystone [06:25]
*** ChanServ sets mode: +v lhcheng [06:25]
<jamielennox> morgan_404: that's a bit more than modifying that patch [06:26]
<jamielennox> it's modifying the base auth_token to not use a cache if not configured then leave the PKI situation alone [06:27]
<jamielennox> which is fine [06:27]
<jamielennox> i'm not sure how it will affect the keystone side yet [06:27]
*** ParsectiX has joined #openstack-keystone [06:28]
*** lhcheng_ has quit IRC [06:29]
*** vivekd has quit IRC [06:31]
*** stevemar has quit IRC [06:36]
*** stevemar has joined #openstack-keystone [06:36]
*** ChanServ sets mode: +v stevemar [06:36]
*** e0ne has quit IRC [06:39]
*** stevemar has quit IRC [06:40]
*** e0ne has joined #openstack-keystone [06:40]
*** Nirupama has joined #openstack-keystone [06:44]
*** e0ne has quit IRC [06:45]
*** rdo has quit IRC [06:49]
*** e0ne has joined #openstack-keystone [06:49]
*** rdo has joined #openstack-keystone [06:51]
*** e0ne has quit IRC [06:54]
<openstackgerrit> Merged openstack/keystonemiddleware: Move common request processing to base class https://review.openstack.org/180818 [06:56]
*** lhcheng has quit IRC [06:56]
*** yottatsa has quit IRC [06:57]
<openstackgerrit> Merged openstack/keystoneauth: Remove service_type requirement from catalog searching https://review.openstack.org/210268 [06:58]
<openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core https://review.openstack.org/186988 [07:04]
<openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core https://review.openstack.org/183377 [07:04]
*** henrynash has joined #openstack-keystone [07:07]
*** ChanServ sets mode: +v henrynash [07:07]
*** ankita_w_ has quit IRC [07:11]
*** ig0r_ has joined #openstack-keystone [07:15]
*** henrynash has quit IRC [07:16]
*** ankita_wagh has joined #openstack-keystone [07:17]
<openstackgerrit> Dave Chen proposed openstack/keystone: Fix the misspelling and grammar issue https://review.openstack.org/211876 [07:24]
<openstackgerrit> Merged openstack/keystoneauth: Replace endpoint_type with interface in catalog https://review.openstack.org/210269 [07:25]
*** afazekas has joined #openstack-keystone [07:31]
*** ankita_wagh has quit IRC [07:35]
*** stevemar has joined #openstack-keystone [07:37]
*** ChanServ sets mode: +v stevemar [07:37]
*** rdo has quit IRC [07:38]
*** ig0r__ has joined #openstack-keystone [07:38]
<openstackgerrit> Rajesh Tailor proposed openstack/keystone: Fix typo in doc-string https://review.openstack.org/211881 [07:38]
*** stevemar has quit IRC [07:40]
*** ig0r_ has quit IRC [07:41]
*** tsubic has joined #openstack-keystone [07:43]
*** tobe_ has quit IRC [07:44]
*** rdo has joined #openstack-keystone [07:45]
*** boris-42 has quit IRC [07:50]
*** tobe_ has joined #openstack-keystone [07:50]
*** fhubik has joined #openstack-keystone [07:53]
*** tobe_ has quit IRC [08:00]
*** fhubik has quit IRC [08:02]
*** claudiub has joined #openstack-keystone [08:03]
*** tobe_ has joined #openstack-keystone [08:05]
*** dguerri` is now known as dguerri [08:09]
*** ig0r__ has quit IRC [08:13]
*** ig0r_ has joined #openstack-keystone [08:17]
*** ig0r_ has quit IRC [08:19]
*** jistr has joined #openstack-keystone [08:21]
*** fhubik has joined #openstack-keystone [08:33]
*** shunliz_ has joined #openstack-keystone [08:34]
*** hafe has joined #openstack-keystone [08:35]
<openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core https://review.openstack.org/186988 [08:45]
<openstackgerrit> Dave Chen proposed openstack/keystone: Move endpoint filter into keystone core https://review.openstack.org/183377 [08:45]
*** lhcheng has joined #openstack-keystone [08:45]
*** ChanServ sets mode: +v lhcheng [08:45]
*** lhcheng has quit IRC [08:50]
*** katkapilatova has joined #openstack-keystone [09:14]
*** stevemar has joined #openstack-keystone [09:38]
*** ChanServ sets mode: +v stevemar [09:38]
*** stevemar has quit IRC [09:41]
*** Kennan2 is now known as Kennan [09:42]
*** dikonoo has joined #openstack-keystone [09:44]
*** divya__ has joined #openstack-keystone [09:44]
*** dikonoo has quit IRC [09:44]
*** davechen has left #openstack-keystone [09:46]
*** dikonoor has quit IRC [09:48]
*** claudiub has quit IRC [10:03]
*** marzif has joined #openstack-keystone [10:05]
*** ig0r_ has joined #openstack-keystone [10:10]
*** claudiub has joined #openstack-keystone [10:19]
*** samueldmq has joined #openstack-keystone [10:22]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/192319 [10:35]
*** eandersson has joined #openstack-keystone [10:37]
*** yottatsa has joined #openstack-keystone [10:44]
*** ig0r_ has quit IRC [10:46]
*** fhubik is now known as fhubik_brb [10:57]
*** tobe_ has quit IRC [11:03]
*** tobe_ has joined #openstack-keystone [11:04]
*** tobe_ has quit IRC [11:09]
*** therve has joined #openstack-keystone [11:25]
<therve> Heya [11:25]
<therve> I have a question about https://github.com/openstack/keystone/commit/4d2bbe0e7c4e08c372e229f5622b9cfc2c25c3c6 if someone knows about it [11:25]
<therve> dolphm maybe? [11:25]
<therve> samleon ? [11:28]
*** ramishra has joined #openstack-keystone [11:29]
<breton> you should just ask [11:31]
<breton> in the channel [11:31]
<breton> maybe someone knows the answer [11:31]
<therve> Okay [11:32]
<therve> It seems it broke ec2tokens usage for Heat [11:32]
*** fhubik_brb is now known as fhubik [11:32]
<therve> Authentication is just failing [11:32]
*** tobe_ has joined #openstack-keystone [11:33]
<breton> file a bugreport please [11:36]
<therve> Okay [11:38]
*** stevemar has joined #openstack-keystone [11:39]
*** ChanServ sets mode: +v stevemar [11:39]
*** tobe_ has quit IRC [11:39]
*** stevemar has quit IRC [11:42]
*** gordc has joined #openstack-keystone [11:49]
*** hafe has quit IRC [12:01]
*** hafe has joined #openstack-keystone [12:02]
*** tellesnobrega_ has joined #openstack-keystone [12:08]
*** fhubik is now known as fhubik_brb [12:10]
*** fhubik_brb is now known as fhubik [12:10]
*** fhubik is now known as fhubik_brb [12:11]
*** shunliz_ has quit IRC [12:15]
*** tellesnobrega_ has quit IRC [12:16]
*** yottatsa has quit IRC [12:23]
*** raildo-afk is now known as raildo [12:26]
*** yottatsa has joined #openstack-keystone [12:27]
*** bapalm has joined #openstack-keystone [12:31]
*** yottatsa has quit IRC [12:32]
*** henrynash has joined #openstack-keystone [12:38]
*** ChanServ sets mode: +v henrynash [12:38]
*** yottatsa has joined #openstack-keystone [12:40]
*** edmondsw has joined #openstack-keystone [12:41]
<samueldmq> henrynash, morning [12:41]
*** yottatsa has quit IRC [12:42]
<henrynash> samueldmq: hi [12:42]
*** yottatsa has joined #openstack-keystone [12:42]
<samueldmq> henrynash, as you and dolphm requested, I am adding unit tests for the endpoint-policy sql driver [12:43]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: WIP: Unit tests for endpoint-policy SQL driver https://review.openstack.org/212006 [12:43]
<henrynash> samueldmq: ok… [12:43]
<samueldmq> henrynash, this is a WIP, and shows the general structure I will be following, I'd like just a sanity check from you [12:43]
<samueldmq> henrynash, ^ see the patch I just submitted above [12:43]
*** yottatsa has quit IRC [12:43]
<henrynash> samueldmq: I’ll take a look this afternoon… [12:44]
<samueldmq> henrynash, basically I created a DriverBypasser, who makes direct calls to the tables without using the sql driver [12:44]
<samueldmq> henrynash, so I can validate the changes made by the driver itself [12:44]
<samueldmq> henrynash, sure [12:45]
<samueldmq> henrynash, thanks :) [12:46]
*** jsavak has joined #openstack-keystone [12:46]
*** yottatsa has joined #openstack-keystone [12:48]
*** ParsectiX has quit IRC [12:49]
*** henrynash has quit IRC [12:51]
*** tjcocozz has joined #openstack-keystone [12:51]
*** ParsectiX has joined #openstack-keystone [12:52]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427 [12:56]
*** josecastroleon has quit IRC [12:59]
<therve> breton, Opened https://bugs.launchpad.net/keystone/+bug/1484086 FWIW, we're skipping those tests for now [13:00]
<openstack> Launchpad bug 1484086 in Keystone "ec2tokens authentication is failing during Heat tests" [Undecided,New] [13:00]
<breton> therve: thank you. Which tests in heat fail? [13:02]
<breton> because of this issue [13:02]
<therve> breton, Integration tests, where ceilometer talks to heat [13:02]
<therve> It uses the CFN API, which in turn uses ec2 authentication [13:02]
<openstackgerrit> Claudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager https://review.openstack.org/211686 [13:02]
*** josecastroleon has joined #openstack-keystone [13:04]
*** elmiko has joined #openstack-keystone [13:06]
*** jecarey has joined #openstack-keystone [13:07]
*** Nirupama has quit IRC [13:09]
*** richm has joined #openstack-keystone [13:17]
*** petertr7_away is now known as petertr7 [13:21]
*** edmondsw has quit IRC [13:24]
<openstackgerrit> Corey Bryant proposed openstack/python-keystoneclient: Iterate over copy of session.adapters keys in Python2/3 https://review.openstack.org/211731 [13:28]
*** ayoung has joined #openstack-keystone [13:36]
*** ChanServ sets mode: +v ayoung [13:36]
*** zzzeek has joined #openstack-keystone [13:36]
*** hafe has quit IRC [13:39]
*** hrou has joined #openstack-keystone [13:39]
*** stevemar has joined #openstack-keystone [13:39]
*** ChanServ sets mode: +v stevemar [13:39]
*** tellesnobrega has quit IRC [13:41]
*** tellesnobrega has joined #openstack-keystone [13:42]
*** stevemar has quit IRC [13:43]
*** petertr7 is now known as petertr7_away [13:45]
<openstackgerrit> Olivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain https://review.openstack.org/210581 [13:48]
*** links has quit IRC [13:51]
*** annasort has quit IRC [13:51]
*** annasort has joined #openstack-keystone [13:51]
*** edmondsw has joined #openstack-keystone [13:52]
*** fhubik_brb is now known as fhubik [13:54]
*** petertr7_away is now known as petertr7 [13:54]
*** jistr is now known as jistr|mtg [13:57]
<breton> therve: I don't quite understand who makes the request and what parameters are passed here: https://github.com/openstack/heat/blob/master/heat/api/aws/ec2token.py#L130 [13:57]
<breton> therve: got a hint? [13:58]
*** hafe has joined #openstack-keystone [13:59]
*** tjcocozz has quit IRC [14:01]
*** tjcocozz has joined #openstack-keystone [14:01]
<therve> breton, Maybe? This is a wsgi middleware, so it's intercepting requests made to the heat-cfn service [14:02]
<breton> yeah, and who makes the request to heat-cfn? [14:03]
<therve> It depends, but in this case ceilometer, using a webhook [14:03]
<therve> We build the request in heat ourselves [14:03]
<therve> Here: https://github.com/openstack/heat/blob/master/heat/engine/resources/signal_responder.py#L78 [14:04]
*** annasort has quit IRC [14:04]
*** ParsectiX has quit IRC [14:07]
*** narengan has joined #openstack-keystone [14:08]
<therve> breton, It's very possible that the user is specific domain indeed [14:12]
*** narengan has quit IRC [14:12]
*** narengan has joined #openstack-keystone [14:13]
*** sigmavirus24_awa is now known as sigmavirus24 [14:13]
*** narengan_ has joined #openstack-keystone [14:15]
*** narengan has quit IRC [14:17]
*** narengan_ has quit IRC [14:22]
*** narengan has joined #openstack-keystone [14:23]
<samueldmq> dstanek, hi, morning [14:26]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: WIP: Unit tests for endpoint-policy SQL driver https://review.openstack.org/212006 [14:26]
*** narengan has quit IRC [14:27]
<samueldmq> dstanek, I am creating some unit tests for a SQL driver (above ^) [14:27]
<samueldmq> dstanek, and I'd like to check with you if what I am doing looks sane [14:28]
<samueldmq> dstanek, should be a quick look, there is just a bit of code in there for now (wip) [14:28]
<dstanek> samueldmq: what is the bypasser for? [14:30]
*** stevemar has joined #openstack-keystone [14:30]
*** ChanServ sets mode: +v stevemar [14:30]
<openstackgerrit> Olivier Pilotte proposed openstack/keystone: Accepts Group IDs from the IdP without domain https://review.openstack.org/210581 [14:31]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427 [14:31]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Unit tests for is_domain field in project's table https://review.openstack.org/212045 [14:31]
<rodrigods> dstanek, ^ [14:32]
<rodrigods> put the tests first [14:32]
<dstanek> rodrigods: nice [14:32]
<openstackgerrit> Paweł Pamuła proposed openstack/keystone: IdP deletion triggers token revocation https://review.openstack.org/212047 [14:34]
<rodrigods> dstanek, let's assume we used TDD heh [14:34]
*** jistr|mtg is now known as jistr [14:38]
*** thedodd has joined #openstack-keystone [14:39]
<openstackgerrit> Paweł Pamuła proposed openstack/keystone: IdP deletion triggers token revocation https://review.openstack.org/210456 [14:42]
<samueldmq> dstanek, it is a driver bypasser [14:43]
<breton> therve: where are users and creds created for the test? [14:43]
<samueldmq> dstanek, it does CRUD against SQL, bypassing the driver [14:43]
<samueldmq> dstanek, if I do a create with the driver, I check it with a get using the bypasser [14:43]
<samueldmq> dstanek, adding some docs to that class [14:44]
<samueldmq> dstanek, let me know if you have a better name for it :) [14:44]
*** afazekas has quit IRC [14:44]
<therve> breton, https://github.com/openstack/heat/blob/master/heat/engine/resources/stack_user.py#L36 [14:44]
<dstanek> rodrigods: so is is_domain required for project operations now? [14:44]
<dstanek> samueldmq: why create a new fake driver? [14:44]
<samueldmq> dstanek, I am not creating a fake driver, I am creating a way to access the tables directly [14:45]
<rodrigods> dstanek, not really, we just add it so the assert() is valid later [14:45]
<samueldmq> dstanek, so I can check that the driver's handling on them was correct [14:45]
<samueldmq> dstanek, without using the driver itself [14:45]
<samueldmq> dstanek, if that makes sense .. so I am not using the driver's get to check if the driver's create is correct [14:46]
<samueldmq> dstanek, since both could be wrong and the test would think both are correct [14:47]
<dstanek> samueldmq: if the test is testing the driver then you can use a fake backend, but you need to test the driver. if you are testing the backends then i would probably do it through the driver so you can write to that interface and switch backends to run the same set of tests against any number of them [14:47]
<dstanek> rodrigods: so why change all of the tenant fixture data? [14:48]
*** doug-fish has joined #openstack-keystone [14:50]
*** jsavak has quit IRC [14:51]
<samueldmq> dstanek, so I am testing the driver (in most of cases we have one driver for sql and another for ldap) [14:51]
<samueldmq> dstanek, in this case the SQL driver, which makes actions on SQL tables [14:51]
<samueldmq> dstanek, I do calls in the driver, and check the results against the tables directly [14:51]
*** jsavak has joined #openstack-keystone [14:51]
<dstanek> samueldmq: i don't think you should do any SQL stuff in test code. use the object you are testing to do things and check that they happened [14:53]
<dstanek> samueldmq: for example you could do a driver.create() and then a driver.list() [14:53]
<samueldmq> dstanek, and how do I know the sql driver is actually touching the tables it is supposed to ? [14:53]
<dstanek> samueldmq: this way you can use the tests against all backends and not have to write lots of logic for each one [14:53]
*** jdandrea has joined #openstack-keystone [14:54]
<dstanek> samueldmq: if it's that important (which i don't think it is) you would mock sqlalchemy for a test and make sure it was called [14:55]
<dstanek> samueldmq: the database portion of the tests should get caught in functional or tempest tests [14:55]
<dstanek> in a unit test you are testing the logic and should not recreate the logic you are testing in the test itself [14:55]
*** jsavak has quit IRC [14:56]
<samueldmq> dstanek, so it looks like I am being too paranoid at this point, like not trusting in the tested code at all [14:56]
*** jsavak has joined #openstack-keystone [14:56]
<dstanek> samueldmq: i think you are just testing too much. test the driver here and focus on it doing the right thing by using its interface [14:57]
<dstanek> in my ideal world a unit test would not hit the disk, database, network, etc. ever [14:57]
*** browne has joined #openstack-keystone [14:58]
<samueldmq> dstanek, always using mocks? [14:58]
<lbragstad> just having everything in memory [14:58]
*** katkapilatova has left #openstack-keystone [14:58]
<dstanek> samueldmq: i'd rather use fakes [14:59]
<dstanek> lbragstad: exactly [14:59]
<samueldmq> dstanek, so what are fakes? as you see them [15:00]
*** jdandrea has left #openstack-keystone [15:00]
<elmiko> hi folks, was there a change in keystone that makes `openstack endpoint list` return an empty list? [15:01]
* samueldmq is pulling knowledge from dstanek and lbragstad's brains [15:01]
*** piyanai has joined #openstack-keystone [15:01]
<dstanek> samueldmq: a mock is something you query to see if the calls were correct...mock.called or to check the call args [15:02]
<dstanek> samueldmq: a fake is closer to a real impl of something [15:02]
<dstanek> samueldmq: i'm mostly satisfied with in memory sqlite being a good enough fake [15:02]
<samueldmq> dstanek, if I tell the mock the return_value or side_effect, isn't it a fake ? [15:03]
<dstanek> samueldmq: good background reading: http://martinfowler.com/articles/mocksArentStubs.html [15:03]
<samueldmq> dstanek, gonna look .. [15:03]
<dstanek> samueldmq: not really and now your test code implements or has assumptions in it [15:03]
<samueldmq> dstanek, btw, in that case, what would I fake ? [15:03]
<dstanek> samueldmq: in your case using the in-memory sqlite fixture is enough [15:04]
<dstanek> samueldmq: no think of it this way [15:04]
*** phalmos has joined #openstack-keystone [15:05]
*** rm_work has quit IRC [15:05]
*** flwang has quit IRC [15:06]
*** serverascode has quit IRC [15:06]
<dstanek> samueldmq: when you use a mock object you are checking explicitly that the calls are being made and you have to know the implementation of the thing you are testing [15:06]
*** gus has quit IRC [15:06]
<dstanek> samueldmq: when you use a fake you know the interface and expected behavior of the thing you are testing. makes refactoring easier. [15:06]
<samueldmq> dstanek, I think I got it, fakes are perfect for read/update/delete tests [15:07]
<samueldmq> dstanek, I know they are in the db, I just do the check [15:07]
<dstanek> samueldmq: on the other hand if you use fakes it may be necessary to add methods either to the object-under-test or the fake to do some state verification [15:07]
<samueldmq> dstanek, but how to test create ? [15:07]
<samueldmq> dstanek, you agree with me ? [15:07]
<dstanek> samueldmq: if you create and then do a get are you not testing the create? [15:08]
*** gus has joined #openstack-keystone [15:08]
<samueldmq> dstanek, how do I know the driver didn't stored the object into a variable instead of in sql? [15:08]
<samueldmq> didn't store* [15:08]
*** hafe has quit IRC [15:09]
<dstanek> samueldmq: i wouldn't worry about that for these kinds of test. that will show up later if that's indeed the case [15:09]
*** rm_work has joined #openstack-keystone [15:10]
*** rm_work has quit IRC [15:10]
*** rm_work has joined #openstack-keystone [15:10]
<rodrigods> dstanek, for this reason, so in the assert() it won't fail (because the is_domain field is default to False in the backend and returned) [15:10]
*** serverascode has joined #openstack-keystone [15:11]
<samueldmq> dstanek, k looks fair [15:12]
<samueldmq> dstanek, and fakes are already pre-loaded in the db when the test starts, right? [15:12]
*** nkinder has joined #openstack-keystone [15:12]
<dstanek> samueldmq: you get a DB fake when you use the Database fixture [15:12]
*** flwang has joined #openstack-keystone [15:13]
<samueldmq> dstanek, yeah the fake db like sqlite [15:14]
<samueldmq> dstanek, and is the fake data pre-loaded into the fake db? [15:14]
<dstanek> samueldmq: you can load the default fixture if you want [15:14]
<samueldmq> dstanek, like .. fake data == db fixtures? [15:14]
<dstanek> rodrigods: so you changed the new_project_ref to always include the is_domain. are there tests to show that it still works when not specified? [15:15]
<mfisch> can someone point me to where policy is checked on API calls? [15:16]
*** annasort has joined #openstack-keystone [15:16]
<rodrigods> dstanek, yes, there is [15:17]
<rodrigods> dstanek, https://review.openstack.org/#/c/212045/1/keystone/tests/unit/test_backend.py line 2282 [15:17]
*** petertr7 is now known as petertr7_away [15:17]
*** woodster_ has joined #openstack-keystone [15:18]
*** petertr7_away is now known as petertr7 [15:18]
<dstanek> rodrigods: awesome, thx [15:20]
*** dguerri is now known as dguerri` [15:23]
stevemarelmiko: can you paste the output of `openstack endpoint list --debug` ?15:28
elmikostevemar, sure thing, 1 sec15:28
elmikostevemar, http://paste.openstack.org/show/412719/15:30
*** HT_sergio has joined #openstack-keystone15:31
samueldmqdstanek, reading that article (still reading), but I think I am getting the point you were telling me about15:33
*** narengan has joined #openstack-keystone15:34
samueldmqdstanek, when testing the driver, I am not testing the db was touched or whatever, I am testing that it really does the operations it should do (ex CRUD user)15:34
samueldmqdstanek, i.e, the user I created can be retrieved and so on15:34
dstaneksamueldmq: exactly15:35
samueldmqdstanek, I just need to care about its behavior, how it implements the behavior (db, ldap, whatelse) does not matter at all15:35
samueldmqdstanek, I just want it to do the right tasks15:35
samueldmqdstanek, and that's why you told me to write in a generic way, so I can switch the backends, and re-use the tests15:35
*** tqtran has joined #openstack-keystone15:37
dstaneksamueldmq: yes, that's already a sorta pattern we use in our tests15:37
openstackgerritClaudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager  https://review.openstack.org/21168615:38
samueldmqdstanek, if  I want to assert what is called in the underlying layer, I can then use mocks, in that case mocking sqlalchemy15:38
dstaneksamueldmq: yep, but most likely you don't want to do that15:38
samueldmqyeah I saw, we have test_backend and test_backend_sql, for example15:38
samueldmqdstanek, yes, looks like so paranoid15:38
mfischlbragstad: you around?15:39
*** petertr7 is now known as petertr7_away15:39
samueldmqdstanek, thanks15:39
lbragstadmfisch: yep15:39
mfischlbragstad: looking back at this thread: http://lists.openstack.org/pipermail/openstack-operators/2015-January/006057.html15:40
mfischlbragstad: is it correct that policy.json can make API calls more restrictive? I'd like, for example, to require a special role AND admin to delete a project15:40
*** petertr7_away is now known as petertr715:41
mfischthe docs state there you cannot make them less restrictive since the code has some assert_admins in it15:41
lbragstadmfisch: ah, yep that would make sense15:42
*** jsavak has quit IRC15:42
lbragstadlike here - https://github.com/openstack/keystone/blob/b3e969c065f991b8de180330f8f69d94012c6915/keystone/catalog/controllers.py#L36-L3915:42
mfischyep15:42
mfischso using this snippet15:43
mfisch"delete_allowed": "role:deleter",15:43
mfisch"identity:delete_project": "rule:delete_allowed",15:43
*** marzif has quit IRC15:43
mfischthe only role I have is admin15:43
mfischand I can still delete projects15:43
*** jsavak has joined #openstack-keystone15:43
mfischso that contradicts that I can make things more restrictive15:43
*** haneef_ has joined #openstack-keystone15:43
*** marzif has joined #openstack-keystone15:44
lbragstadbut can you delete projects when you only have the deleter role?15:44
*** geoffarnold has joined #openstack-keystone15:44
mfischI'd like for that to be true15:45
mfischbut right now I can delete projects without that role15:45
mfischkeystone user-role-list ... "admin"15:46
mfischkeystone tenant-delete matt15:46
mfisch(works)15:46
*** josecastroleon has quit IRC15:46
*** rajesht has quit IRC15:46
elmikostevemar, any thoughts?15:46
*** josecastroleon has joined #openstack-keystone15:47
lbragstadmfisch: right, but that's because you have the admin role assigned to your user15:47
mfischlbragstad: so thats my question, it seems that admin trumps everything in policy.json15:47
*** nkinder has quit IRC15:47
lbragstadmfisch: I think that is also because there are assertions built into the code15:47
lbragstadaround asserting admin to do some operations15:47
mfischI thought based on that convo that the code would 1st check policy then do the admin check15:48
mfischwhich would allow me to restrict it more15:48
mfischbut perhaps if you have the admin role it skips the policy ...15:48
mfischoh15:48
mfischduh15:48
lbragstadyep15:48
mfischthe logs are full of skipping RBAC lines15:48
mfischb/c admin15:48
lbragstadwhich is kinda highlighted in the last sentence of my response15:49
*** bapalm has quit IRC15:49
samueldmqdstanek, creating the bypasser, I was putting great deal of effort for buying too little15:49
*** bapalm has joined #openstack-keystone15:49
mfischlbragstad: that second review you referenced (which admittedly never merged) says: "It should be noted that certain API calls may have additional hard-coded15:50
mfischauthorization restrictions that are enforced after the RBAC policy is checked.15:50
mfischThe policy rules in the JSON policy file are not able to override these15:50
mfischhard-coded authorization restrictions, though the policy rules can make these15:50
mfischAPI calls more restricted."15:50
mfisch(sorry for the flood)15:50
mfischWARNING keystone.common.controller [-] RBAC: Bypassing authorization...15:51
mfischand found the code now too15:52
mfischthanks lbragstad15:52
lbragstadmfisch: it might be possible to make them more restrictive by adding another condition to having the admin role15:52
*** tjcocozz_ has joined #openstack-keystone15:52
*** tjcocozz has quit IRC15:52
mfischlbragstad: the code does this15:52
mfischif 'is_admin' in context and context['is_admin']:15:52
*** piyanai has quit IRC15:53
mfischwhere does that come from?15:53
lbragstadmfisch: you mean where does 'is_admin' get set?15:53
mfischyeah15:53
lbragstadlet me see if I can dig it out15:53
lbragstadfor some reason I thought gyee would know15:53
*** tjcocozz_ has quit IRC15:54
*** tjcocozz has joined #openstack-keystone15:54
*** piyanai has joined #openstack-keystone15:54
*** morganfainberg_ has quit IRC15:55
stevemarelmiko: sry, was caught up in a discussion, looking now15:55
elmikostevemar, ack, thanks. i appreciate the help =)15:56
stevemarelmiko: i think the cause is the mixing of auth version and api version15:57
stevemartry adding: --os-identity-api-version 315:57
elmikostevemar, ok, i'll give that a try. i'm not sure i understand though, are you saying it defaults to v2 but i added /v3/ to my endpoint?15:58
stevemarsort of15:58
*** fhubik is now known as fhubik_brb15:58
stevemarthe endpoint used for authentication and the endpoint used for the apis are different15:59
elmikoahh, ok15:59
elmikothat did work, btw15:59
*** gyee has joined #openstack-keystone16:00
*** ChanServ sets mode: +v gyee16:00
elmikostevemar, so, another question. when i switch back to the /v2.0/ endpoint for auth-url, i again get nothing. is this a similar issue?16:01
*** jsavak has quit IRC16:03
*** piyanai has quit IRC16:03
*** jsavak has joined #openstack-keystone16:04
*** piyanai has joined #openstack-keystone16:08
*** tjcocozz has quit IRC16:09
*** tjcocozz has joined #openstack-keystone16:09
stevemarelmiko: yeah, mixing the identity-version and the version at the end of auth_url, is #NoBueno16:12
elmikohehe16:12
elmikostevemar, what i'm confused about though is that the default identity-version is 2, and when i craft my openstack command to allow that i still get nothing from the endpoint list16:13
*** jistr has quit IRC16:13
elmikofor example,16:13
elmiko$ openstack --os-username=admin --os-password=openstack --os-project-name=admin --os-auth-url=http://192.168.122.2:5000/v2.0/ --os-identity-api-version=2  endpoint list16:13
elmikoreturns nothing for me16:13
*** fhubik_brb is now known as fhubik16:15
*** diazjf has joined #openstack-keystone16:15
stevemarelmiko that one should work :\16:18
*** sigmavirus24 is now known as sigmavirus24_awa16:18
elmikostevemar, i share your :\16:18
*** petertr7 is now known as petertr7_away16:18
elmikothis started happening for me a day or 2 ago, and i can't figure out why the v2 stuff doesn't work16:19
therveelmiko, FWIW I've seen that behavior too, so it's not just you16:19
*** petertr7_away is now known as petertr716:19
elmikotherve, cool, thanks for the confirmation. perhaps i'll dig a little more.16:19
therveIt was a couple of weeks back though16:19
elmikomaybe my devstack is just in a weird state16:19
*** tjcocozz has quit IRC16:21
*** tjcocozz has joined #openstack-keystone16:21
*** josecastroleon has quit IRC16:23
elmikostevemar, thanks again for the advice!16:24
*** sigmavirus24_awa is now known as sigmavirus2416:25
*** _cjones_ has joined #openstack-keystone16:26
*** tjcocozz has quit IRC16:26
*** josecastroleon has joined #openstack-keystone16:26
*** lhcheng has joined #openstack-keystone16:29
*** ChanServ sets mode: +v lhcheng16:29
*** phalmos has quit IRC16:29
*** henrynash has joined #openstack-keystone16:34
*** ChanServ sets mode: +v henrynash16:34
*** jsavak has quit IRC16:37
*** jsavak has joined #openstack-keystone16:37
*** piyanai has quit IRC16:39
rodrigodshenrynash, we split the first patch from reseller chain into tests and implementation16:41
*** petertr7 is now known as petertr7_away16:48
*** roxanaghe has joined #openstack-keystone16:52
morgan_404is anyone else besides gyee, david8hu, roxanaghe, samleon, and the other folks i clearly can't remember IRC names from our office (pre coffee) going to the ops midcycle?16:52
*** bapalm has quit IRC16:52
*** piyanai has joined #openstack-keystone16:54
david8humorgan_404, haneef might be going16:55
morgan_404david8hu: that would be another person who i couldn't remember IRC name from the HP office16:55
morgan_404looking for non-HP or non-bay area HP16:55
* morgan_404 is gauging benefit of rebooking a bunch of travel to go to ops mid cycle *then* seattle day16:56
*** henrynash has quit IRC16:57
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: WIP: Unit tests for endpoint-policy SQL driver  https://review.openstack.org/21200616:58
samueldmqdstanek, could you take another look ? ^16:58
samueldmqdstanek, the only point now is whether I need to be "exhaustive" by using _list_target_combinations(..) in there16:58
*** tsymanczyk has joined #openstack-keystone16:59
*** tsymanczyk is now known as Guest8457616:59
*** henrynash has joined #openstack-keystone17:00
*** ChanServ sets mode: +v henrynash17:00
haneef_elmiko: Did u register endpoints using v3 api? If so it will list only if you use v3  endpoint list17:02
samueldmqhaneef_, ++17:02
gyeemorgan_404, you coming to the ops midcycle?17:02
*** josecastroleon has quit IRC17:03
morgan_404gyee: depends on what our representation looks like17:03
morgan_404gyee: it's a headache to rebook flights17:03
gyeeyeah, forget Seattle man, just come party with us :)17:03
*** piyanai has quit IRC17:05
*** josecastroleon has joined #openstack-keystone17:05
gyeehaneef_, now I am curious, v2 and v3 endpoints should be interchangeable, lemme take a look at the code17:06
*** piyanai has joined #openstack-keystone17:06
samueldmqgyee, in v2 different interfaces (internalurl, publicurl, adminurl) had the same endpoint id17:07
haneef_gyee: It is api compatibility. We only support backward compatibility not forward. If you did something with v2 you can see it via v3 and not vice versa17:07
samueldmqgyee, in v3 they have their own id, so 3 interfaces = 3 ids, so no way to map them back to the same entity17:08
gyeeah, right17:08
gyeeI forgot they have different IDs17:08
*** eandersson has quit IRC17:08
gyeebut from v2 to v3, all three endpoints have the same ID?17:08
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764717:09
openstackgerritLance Bragstad proposed openstack/keystone: Refactor _supports_bind method  https://review.openstack.org/19769917:09
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687717:09
samueldmqgyee, I don't know, maybe, and would sound weird17:10
*** fhubik has quit IRC17:11
*** marzif has quit IRC17:14
*** _cjones_ has quit IRC17:16
*** drjones has joined #openstack-keystone17:16
*** piyanai has quit IRC17:16
*** belmoreira has joined #openstack-keystone17:19
*** narengan has quit IRC17:19
*** narengan has joined #openstack-keystone17:19
*** belmoreira has quit IRC17:21
*** ankita_wagh has joined #openstack-keystone17:21
*** narengan has quit IRC17:24
*** annasort has quit IRC17:24
*** narengan has joined #openstack-keystone17:28
gyeesamueldmq, haneef_, let this 'legacy_endpoint_id' trick we are using :)17:29
samueldmqgyee, lol really ? so we add that to v2 endpoints listed with v3?17:29
gyeeendpoints created using v3 have no legacy_endpoint_id, and therefore won't show up in v217:30
samueldmqgyee, ++17:30
gyeehttps://github.com/openstack/keystone/blob/master/keystone/catalog/controllers.py#L7217:30
gyeeendpoints created using v2 have both endpoint_id and legacy_endpoint_id17:31
*** piyanai has joined #openstack-keystone17:31
*** nkinder has joined #openstack-keystone17:32
*** narengan has quit IRC17:33
gyeesamueldmq, but that's an interesting problem though, say you fetch policy by endpoint ID17:33
*** narengan has joined #openstack-keystone17:33
gyeeif you get a V2 catalog, only the legacy endpoint ID is there17:33
samueldmqgyee, and the policy isn't associated with the legacy_id17:34
gyeek, that's good17:34
samueldmqgyee, oh, so use v3 endpoints!17:34
samueldmqforget about v217:34
samueldmq:)17:34
gyeehell yeah17:34
*** jsavak has quit IRC17:35
samueldmqgyee, also, that endpoint process may have multiple ids in keystone server right,17:35
samueldmqgyee, so we make deployers to specify one id, so it's up to them to choose what id (and then policy) to use17:35
samueldmqgyee, as opposed to letting them to specify the 3 ids (from the 3 interface types) and then having an issue if more than a policy could be fetched (multiple endpoint ids)17:36
samueldmqgyee, the issue would be: what policy to use..17:36
*** jsavak has joined #openstack-keystone17:39
gyeesamueldmq, can't we walk the hierarchy? endpoint -> service -> region17:39
gyeeif they want all three, obvious they want service17:39
gyeeobviously17:39
*** narengan has quit IRC17:40
*** fhubik has joined #openstack-keystone17:40
*** narengan has joined #openstack-keystone17:40
samueldmqgyee, that makes sense, although I am for adding support for fetching by the endpoint_id17:42
*** josecastroleon has quit IRC17:42
samueldmqgyee, for now17:42
samueldmqgyee, and lookin if we are going to fix the endpoint model or anything else, or add fetch by service/region directly next cycle17:42
gyeesamueldmq, isn't that how our endpoint policy work today? you can park a policy anywhere in the hierarchy17:43
*** rajesht has joined #openstack-keystone17:43
*** josecastroleon has joined #openstack-keystone17:43
samueldmqgyee, actually, specifying the endpoint_id, we will fallback to service/region if there is no policy for that endpoint id directly17:43
samueldmqgyee, I think so, let me recheck17:43
gyeesamueldmq, region is a bit scary, its hierarchical :)17:44
samueldmqgyee, yes we do https://github.com/openstack/keystone/blob/master/keystone/endpoint_policy/core.py#L20417:44
gyeeregion -> subregion -> subregion ...17:44
samueldmqgyee, so if we only do policy by region/service, it really doesn't matter what endpoint id (interface) one has specified17:44
*** fhubik has quit IRC17:44
samueldmqgyee, you're so damn smart :p17:44
gyeeif you park a policy at the service level, any endpoints for that service will get it17:45
samueldmqgyee, yes17:45
samueldmq:)17:45
*** divya__ has quit IRC17:45
*** Guest84576 is now known as tsymanczyk17:46
*** rajesht has quit IRC17:47
samueldmqgyee, the only thing I was trying to realize was if allowing to specify a single endpoint_id wasn't going to interfere in the endpoint constraints you are working on17:51
*** nkinder has quit IRC17:54
samueldmqgyee, is it possible to specify multiple ids like: "token.catalog.endpoints.id:%(endpoint_ids)s"17:55
samueldmqgyee, where endpoint_ids would be a list of the endpoint ids (all interfaces)17:55
samueldmqgyee, ,17:55
samueldmq?17:55
*** phalmos has joined #openstack-keystone17:56
gyeeI don't think oslo.policy can match a list17:58
*** piyanai has quit IRC17:58
samueldmqgyee, but we can't restrict endpoint matching to a single id, since we allow multiple18:01
samueldmqgyee, if that makes sense to you, operators have to choose, and maybe...18:01
samueldmqgyee, heey, nevermind, we can do that18:01
samueldmqgyee, "token.catalog.endpoints.id:%(public_id)s or token.catalog.endpoints.id:%(internal_id)s or token.catalog.endpoints.id:%(admin_id)s"18:02
samueldmqgyee, o/18:02
lbragstadmorgan_404: want me to address these comments?18:02
lbragstadhttps://review.openstack.org/#/c/196475/18:02
gyeesure, in that case, why not just use service_id18:02
morgan_404lbragstad: sure18:03
gyeesamueldmq, "token.catalog.endpoint.service_id:%(service_id)s"18:03
samueldmqgyee, service_id isn't enough, you may have access to the same service in another region/endpoints18:03
samueldmqgyee, service_id *may not* be enough18:03
samueldmqgyee, it all depends on the level of restriction the operators want to have18:03
gyeesamueldmq, sure, then add region to the rule if you want to further restrict it18:04
*** narengan has quit IRC18:06
*** piyanai has joined #openstack-keystone18:06
*** narengan has joined #openstack-keystone18:07
*** narengan_ has joined #openstack-keystone18:07
*** _hrou_ has joined #openstack-keystone18:09
*** hrou has quit IRC18:09
*** narengan has quit IRC18:11
*** yottatsa has quit IRC18:14
*** bapalm_ has joined #openstack-keystone18:14
*** piyanai has quit IRC18:15
samueldmqgyee, yes, then looks good18:15
openstackgerritLance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens  https://review.openstack.org/19647518:16
*** piyanai has joined #openstack-keystone18:16
openstackgerritLance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens  https://review.openstack.org/19647518:19
openstackgerritLance Bragstad proposed openstack/keystone: Do not require the token_id for converting v3 to v2 tokens  https://review.openstack.org/19647618:19
openstackgerritLance Bragstad proposed openstack/keystone: When validating a V3 token as V2, use the v3_to_v2 conversion  https://review.openstack.org/19648318:19
*** josecastroleon has quit IRC18:19
*** josecastroleon has joined #openstack-keystone18:21
*** bapalm has joined #openstack-keystone18:23
openstackgerritLance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens  https://review.openstack.org/19647518:24
openstackgerritLance Bragstad proposed openstack/keystone: Do not require the token_id for converting v3 to v2 tokens  https://review.openstack.org/19647618:24
*** bapalm has quit IRC18:24
openstackgerritLance Bragstad proposed openstack/keystone: When validating a V3 token as V2, use the v3_to_v2 conversion  https://review.openstack.org/19648318:24
*** piyanai has quit IRC18:27
*** ayoung has quit IRC18:32
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764718:32
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687718:32
*** annasort has joined #openstack-keystone18:34
*** piyanai has joined #openstack-keystone18:38
*** jsavak has quit IRC18:49
*** jsavak has joined #openstack-keystone18:50
*** boris-42 has joined #openstack-keystone18:54
*** jsavak has quit IRC18:57
*** jsavak has joined #openstack-keystone18:58
*** petertr7_away is now known as petertr719:02
*** tqtran is now known as tqtran-afk19:03
*** jsavak has quit IRC19:05
*** jsavak has joined #openstack-keystone19:06
*** hafe has joined #openstack-keystone19:18
openstackgerritClaudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager  https://review.openstack.org/21168619:23
elmikoare you guys still actively maintaining the API reference docs in the keystone-specs repo?19:25
*** BAKfr has quit IRC19:25
elmikoi'm working on a spec for a new version of sahara's API and i like the way you have collected the keystone stuff, but i'm wondering if there are any opinions/suggestions about other projects following this lead?19:26
*** BAKfr has joined #openstack-keystone19:30
stevemarelmiko: yes, we actively maintain it19:33
*** jasonsb has quit IRC19:33
stevemarthe reasoning is that when someone proposes a new spec, they can also propose the API changes too, to the same repo, in the same patch19:33
*** hafe has quit IRC19:33
elmikonice, i like that19:33
stevemar:)19:34
elmikowhat about the api-ref site?19:34
elmikodo you then create WADL to go up there>19:34
elmiko?19:34
*** jasonsb has joined #openstack-keystone19:34
stevemarthats a constant battle19:34
elmikough... don't i know19:34
elmikoi'd like to recommend keystone's model for sahara19:34
stevemarelmiko: the api-ref site is very very out of date for keystone APIs19:35
elmikostevemar, ack, good to know19:35
*** piyanai has quit IRC19:35
stevemarwhen i link folks to the keystone APIs, it's always to spec.o.org19:35
*** piyanai has joined #openstack-keystone19:35
elmikomakes sense19:35
*** piyanai has quit IRC19:36
stevemarit'll be cool to actually update the api-ref site one day, maybe as a day long push19:36
elmikowell, imo, i think it would be cool for api-ref to move away from WADL to something like Swagger19:38
elmikobut that's a whole other can of worms19:38
*** jasonsb has quit IRC19:38
*** hafe has joined #openstack-keystone19:41
*** piyanai has joined #openstack-keystone19:43
*** ayoung has joined #openstack-keystone19:49
*** ChanServ sets mode: +v ayoung19:49
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy SQL driver  https://review.openstack.org/21200619:53
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes query.one() return usage in endpoint-policy  https://review.openstack.org/20860919:55
samueldmqhenrynash, dolphm added tests to the endpoint-policy backend, as you asked ^19:55
*** tqtran-afk has quit IRC19:56
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Enable Cache-Control HTTP values in responses  https://review.openstack.org/21127119:59
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create Cached Policy Table  https://review.openstack.org/21167919:59
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism  https://review.openstack.org/20969519:59
*** geoffarnold has quit IRC20:00
*** jsavak has quit IRC20:00
*** jsavak has joined #openstack-keystone20:01
*** geoffarnold has joined #openstack-keystone20:01
*** Ephur has joined #openstack-keystone20:03
*** piyanai has quit IRC20:06
*** piyanai has joined #openstack-keystone20:07
*** jsavak has quit IRC20:07
rodrigodshtruta is anxious to fix anything you may find in the first patches of Reseller, cc: henrynash, dstanek :)20:07
*** jsavak has joined #openstack-keystone20:08
*** tellesnobrega is now known as tellesnobrega_af20:13
*** piyanai has quit IRC20:14
*** piyanai has joined #openstack-keystone20:17
opilotteAccepts Group IDs from the IdP without domain reference: https://review.openstack.org/#/c/210581/20:18
hafequestion about keystoneclient behavior in a multi site prototype, see http://pastebin.com/Yq3GSzuG20:25
*** piyanai has quit IRC20:29
*** piyanai has joined #openstack-keystone20:29
*** piyanai has quit IRC20:32
stevemarhafe: i'm not following what the error is,20:35
*** jasonsb has joined #openstack-keystone20:36
hafestevemar: that keystoneclient suddenly decides to go to the "remote" keystone server20:36
hafefor token validation, why?20:36
*** roxanaghe has quit IRC20:39
*** gyee has quit IRC20:39
*** fangzhou has joined #openstack-keystone20:39
hafestevemar: it is not an error, the glance command functionally works.  It just produces "inter region" keystone traffic which is the goal of the prototype to get rid of20:41
*** diazjf has left #openstack-keystone20:49
*** haneef_ has quit IRC20:54
*** haneef_ has joined #openstack-keystone20:55
*** baker has joined #openstack-keystone20:55
*** stevemar has quit IRC20:57
*** baker has quit IRC21:03
*** petertr7 is now known as petertr7_away21:29
*** jsavak has quit IRC21:41
*** roxanaghe has joined #openstack-keystone21:49
*** narengan_ has quit IRC21:50
*** narengan has joined #openstack-keystone21:51
*** narengan has quit IRC21:55
*** HT_sergio has quit IRC21:58
*** henrynash has quit IRC21:58
*** ankita_wagh has quit IRC21:58
*** navid__ has joined #openstack-keystone21:59
*** ankita_wagh has joined #openstack-keystone21:59
*** asdasd has joined #openstack-keystone22:00
*** ankita_wagh has quit IRC22:00
*** ankita_wagh has joined #openstack-keystone22:00
*** asdasd has quit IRC22:04
*** edmondsw has quit IRC22:06
*** gyee has joined #openstack-keystone22:14
*** ChanServ sets mode: +v gyee22:14
*** jecarey has quit IRC22:18
*** gordc has quit IRC22:31
*** wasmum has quit IRC22:31
*** ankita_wagh has quit IRC22:32
*** ankita_wagh has joined #openstack-keystone22:32
*** navid__ has joined #openstack-keystone22:33
*** navid__ has quit IRC22:34
*** ankita_wagh has quit IRC22:34
*** ankita_wagh has joined #openstack-keystone22:34
*** marekd is now known as marekd_40422:36
*** dguerri` is now known as dguerri22:39
*** dguerri is now known as dguerri`22:43
*** devlaps has joined #openstack-keystone22:44
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:49
*** _hrou_ has quit IRC22:55
*** mylu has joined #openstack-keystone23:11
*** markvoelker has quit IRC23:14
lbragstadgyee: I rebased and addressed comments here, which cleared your +2 https://review.openstack.org/#/c/196475/23:14
*** claudiub has quit IRC23:16
*** wasmum has joined #openstack-keystone23:17
*** doug-fish has left #openstack-keystone23:21
*** chlong has quit IRC23:25
gyeelbragstad, merge it! before I change my mind :)23:26
lbragstadgyee: I can't! I pushed a few patch sets23:27
gyeemorgan_404, you want to A+ it?23:30
morgan_404gyee: sec23:30
morgan_404need to finish rebooking travel for ops midcycle23:30
lbragstadmorgan_404: oh, where is that?23:31
gyeeBay Area23:31
lbragstadnice23:31
morgan_404gyee: so I arrive bay area on monday, ops mid cycle tuesday, fly to SEA tuesday night, then in SEA until frida23:32
morgan_404y23:32
gyeewow23:32
gyeethat's some serious travel23:32
gyeemorgan_404, I am thinking Specialized Sirrus Elite Carbon Disc, that a good entry level bike?23:33
morgan_404hm.23:33
morgan_404link?23:33
gyeehttp://www.specialized.com/us/en/bikes/multi-use/sirrus/sirrus-elite-carbon-disc23:34
gyeelike a weekend afternoon ride23:34
lbragstadentry level bike?23:35
gyeeyeah23:35
gyeeroad bike23:35
gyeeyikes, its flat bar23:36
gyeeand disc brake23:36
*** phalmos has quit IRC23:37
lbragstadgyee: I don't know much about bikes, but it looks nice :)23:38
gyeeits on sale for $120023:38
lbragstadO.o - you said it was entry level?23:39
gyeehah23:40
gyeelike entry level BMW23:40
lhchenglol23:40
gyeefor comfort, damn it!23:40
* lhcheng wonders what gyee buys when he gets serious23:40
lbragstadlhcheng: lol23:41
*** geoffarnold has quit IRC23:41
gyeeI need some loose coins23:41
lbragstadgyee: when you get serious about road bikes it better have a motor ;)23:41
gyeelbragstad, lcheng, https://phunkeeduck.com/23:42
gyeethat's a nice ride in the office hallways23:43
lhchenggyee: http://boostedboards.com/ this have the juice to go up hill in SF23:44
* lbragstad wonders what all these new things are!23:45
*** geoffarnold has joined #openstack-keystone23:45
*** geoffarnold has quit IRC23:45
gyeenice!, looks like extra wide wheels on those boards23:46
