Wednesday, 2015-09-02

gyeemarekd, let me know if you want to talk https://review.openstack.org/#/c/156870/ 00:00
*** darrenc is now known as darrenc_afk00:12
*** ankita_wagh has joined #openstack-keystone00:13
*** ankita_wagh has quit IRC00:15
*** dims__ has quit IRC00:16
openstackgerritMerged openstack/keystoneauth: Update k2k plugin with related code comments  https://review.openstack.org/209671 00:18
*** shoutm has quit IRC00:19
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** shoutm has joined #openstack-keystone00:23
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add session and auth loading to loading.__init__  https://review.openstack.org/219463 00:27
openstackgerritJamie Lennox proposed openstack/keystoneauth: Return oslo.config opts from config loading  https://review.openstack.org/219467 00:27
openstackgerritJamie Lennox proposed openstack/keystoneauth: Use auth_type instead of auth_plugin by default  https://review.openstack.org/219520 00:27
openstackgerritJamie Lennox proposed openstack/keystoneauth: Provide combined register and loading functions  https://review.openstack.org/219521 00:27
*** darrenc_afk is now known as darrenc00:29
openstackgerritJamie Lennox proposed openstack/keystoneauth: Auth-url is required for identity plugins  https://review.openstack.org/219111 00:31
*** claudiub has quit IRC00:39
*** vivekd has quit IRC00:40
*** lhcheng has quit IRC00:49
*** wwwjfy has joined #openstack-keystone00:49
*** dims__ has joined #openstack-keystone00:51
*** henrynash has quit IRC00:52
*** spandhe has joined #openstack-keystone00:52
*** dims__ has quit IRC00:56
openstackgerritLin Hua Cheng proposed openstack/keystone: Deprecate LDAP Resource Backend  https://review.openstack.org/203748 01:02
*** r-daneel has quit IRC01:04
*** browne has quit IRC01:04
*** bknudson has quit IRC01:04
*** roxanaghe has joined #openstack-keystone01:07
*** roxanaghe has quit IRC01:08
openstackgerritMerged openstack/keystoneauth: Remove deprecated options from identity base plugin  https://review.openstack.org/219087 01:08
*** roxanaghe has joined #openstack-keystone01:11
*** stevemar has joined #openstack-keystone01:15
*** ChanServ sets mode: +v stevemar01:15
*** vivekd has joined #openstack-keystone01:16
*** btully has joined #openstack-keystone01:17
openstackgerritMerged openstack/keystoneauth: Move admin_token to base _plugins dir  https://review.openstack.org/218727 01:28
*** roxanaghe has quit IRC01:29
*** diazjf has quit IRC01:35
*** vivekd has quit IRC01:39
*** samleon has quit IRC01:41
*** roxanagh_ has joined #openstack-keystone01:42
morgangyee: or we could always just return port 5000 ? Make v3 standardize on that? Will take a second look at that review in a moment01:48
*** roxanagh_ has quit IRC01:49
*** vivekd has joined #openstack-keystone01:50
gyeemorgan, let me double check with Haneef, he mentioned always returning public won't work for him01:56
morganBecause long term we're killing the need for 5000 and 35357 01:57
morganSo you'll only need 5000 01:57
gyeewell, public URL has extra cost because it may have extra SSL hops, whereas internal services does not need to go through that01:58
gyeeat least we still want to retain that flexibility01:58
morganSo token validation but the rest could use public.01:59
morgan?01:59
*** spandhe has quit IRC02:00
morganWhich should be fine.02:00
gyeenot just that, Horizon could use the admin port as well02:00
morganNewer horizon is moving towards javascript02:00
gyeesince both are behind the firewall02:00
gyeeoh02:00
morganWhich would mean it will be the browser directly02:00
gyeeI see02:01
morganThis is why we're doing the CORS stuff02:01
gyeemake sense02:02
morganWhich reminds02:04
morganMe. I need to review krotscheck's patch02:04
morganBy the time we kill 35357 horizon prob. Will be significantly browser based (ish)02:06
gyeethe angular stuff right?02:07
morganYah02:07
gyeemorgan, so for fernet token to work currently, Horizon needs to enable session caching, either in DB or memcached02:08
gyeewould that change with browser based approach?02:08
morganWhy? The token sizes are small enough they *should* fit into cookies02:08
gyeeI don't know, they're basically hashing the token if it's greater than a certain length, 256 I think02:09
openstackgerritMerged openstack/keystoneauth: Provide has_scope_parameters function on plugins  https://review.openstack.org/219089 02:09
gyeeor was it 64? I'll need to double check the code02:09
gyeenevermind, that was old code02:11
*** davechen has joined #openstack-keystone02:11
morganI think it is 1k-ish02:12
morganOr so.02:12
*** hrou has joined #openstack-keystone02:17
openstackgerritHenrique Truta proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/161854 02:19
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references  https://review.openstack.org/165936 02:19
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain in token response  https://review.openstack.org/197331 02:20
*** davechen1 has joined #openstack-keystone02:23
stevemar+1 to killing 35357 02:25
*** davechen has quit IRC02:26
gyeestevemar, unless you don't want deployment flexibility :)02:28
ayoungjamielennox, would you expect the keystoneclient py34 tests to run?02:28
jamielennoxayoung: i would guess02:29
jamielennoxayoung: they seem to in gate02:29
dstanekmorgan: you hanging around?02:31
morgandstanek: im lurking ;)02:31
ayoungmorgan, always return relative urls02:31
*** cloud_zhanglei has joined #openstack-keystone02:31
*** cloud_zhanglei is now known as leizhang02:31
*** richm has quit IRC02:31
ayoungif the request comes in on 35357, 5000 whatever, it returns the right thing02:31
dstanekmorgan: Liberty is the 12th release, but will be released as keystone 9.0 right?02:32
morganYes02:32
morganErm02:32
morganNo02:32
morgan8.0 02:32
dstanekshould i change my versioned api patches to be v8 then?02:33
ayoungjamielennox, Ran 1124 tests in 4.945s02:33
ayoungFAILED (id=0, failures=36, skips=4)02:33
ayoungthat is a clean repo...could it be the deprecation warnings making things fail?02:33
jamielennoxayoung: i've no idea02:34
morganHmm02:34
morgandstanek: sure? I dont care what version we start with02:34
morganIf you want it tied to the keystone version, yes02:34
morganI support any version... Even version 1 :P02:35
dstanekmorgan: it's nice if it matches our release02:35
jamielennoxdstanek: versioned like the response in /02:36
jamielennox?02:36
morganI expect to not see a version every release. This one probably wouldn't have one for uhmm i'm sure one of the backends02:36
dstanekjamielennox: no, versioned drivers02:36
* morgan will support any of them02:36
jamielennoxok02:36
dstanekjamielennox: https://review.openstack.org/#/c/218481/6 02:36
morgandstanek: your choice, i 100% back it ;)02:37
ayoungdstanek, you running on fedora now?02:37
gyeedstanek, DriverV12.0.0, see morgan still back it :)02:38
morgangyee: you'd probably break python02:38
morganSo cant merge it02:38
gyeehah02:38
dstanekayoung: yes, on one laptop. once i get around to it and can afford the downtime i'm going to install it on my air02:38
ayoungdstanek, f22?  Can you tell me if a python-keystoneclient tox -epy34 runs clean for you?02:39
dstanekayoung: if you give me a few i can - i have to fire up a VM. i'm in Texas now and only have my air02:39
ayoungdstanek, no problem...just wondering...02:40
ayoungmine is failing, and I don't want to move ahead with broken tests02:40
dstanekayoung: do you have a paste of the output already?02:41
ayoungdstanek, I can post02:41
ayoungdstanek, http://paste.openstack.org/show/439523/ 02:43
ayoungthat is one of the failing tests...keeping the output to a minimum02:43
*** lhcheng has joined #openstack-keystone02:43
*** ChanServ sets mode: +v lhcheng02:43
dstanekmorgan: you don't want your stable driver interface spec for this release?02:45
morganHmm?02:45
dstanekdidn't see it on the launchpad list02:45
morganOh it was probably missed.02:46
morganLets add it. But honestly, we will need a FFE probably *or* finish in mitaka02:46
morganAfter the basic scaffolding02:47
morganFeature freeze is like 2 days out :(02:47
*** gyee has quit IRC02:47
dstanektests are so slooow without this: https://review.openstack.org/#/c/219323/ 02:48
morgandstanek: that is an easy +A02:49
ayoungdamn too slow02:49
morganHehe02:49
*** hakimo_ has joined #openstack-keystone02:52
*** spandhe has joined #openstack-keystone02:52
*** hakimo has quit IRC02:54
*** leizhang has quit IRC02:55
ayoungwhat does tox use to run the tests?  I thought it was testr?02:55
*** fangzhou has quit IRC02:57
*** spandhe has quit IRC02:59
lifelesswill someone fixup the bad mock import there?03:01
openstackgerritHenrique Truta proposed openstack/keystone: Change policy to comply with is_domain in token  https://review.openstack.org/206063 03:02
lifeless(it looks to be the same pattern that broke Ironic a couple weeks back)03:02
lifelessayoung: I'd presume so03:03
htrutatox is really fast on here: Ran: 5745 tests in 1490.0000 sec03:05
lifelesshrou: thats slow03:05
lifelessbah03:05
lifelesshtruta: ^03:05
htrutalifeless: that was sarcasm heh03:06
htrutaam I the only one who liked run_tests? :/03:06
dstanekhtruta: yes03:07
ayoungno he's not03:07
dstanekayoung: :-)03:08
ayoungWe've fucked up testing.  Lets not beat around the bush03:08
dstanekit just became a bad wrapper around tox03:08
ayoungif unit tests take too long to run, the whole development process is busted03:08
dstanekayoung: i've been saying that for a while. that's why i spent so much time cleaning them up03:08
*** dave-mccowan has quit IRC03:08
ayoungdstanek, ++03:08
htrutadstanek ++03:08
lifelessa few seconds is about right03:09
htrutais this patch of yours supposed to make them faster again?03:09
dstanekhtruta: yes03:09
dstanekit's only fair since i made them slower by using entry points03:09
ayoungwhen I had sqlite running on top of a memory based file it was not too bad.03:09
ayoungRan 456 tests in 27.262s03:10
ayounghttp://adam.younglogic.com/2012/06/sqlite-unit-tests/ 03:10
ayoungcrap was that really 3 years ago?03:10
htrutaayoung: long time ago03:10
ayoungwhat am I doing with my life03:10
htrutalol03:10
dstanekayoung: ++03:10
dstaneki can't believe it's been 2 years for me03:10
ayoungKC is Ran 1124 tests in 15.719s (+10.246s)03:10
ayounghow many tests in that run htruta ?03:11
htruta 5745 tests in 1490.0000 sec03:11
dstanekhtruta: my patch should cut your test runtime in half if not more03:11
htrutaon an i7, 8GB ram03:11
htrutadstanek: awesome03:11
ayoungit should be about one minute03:12
ayoungthe two things slowing it down are the web connections and the database accesses03:12
htrutasometimes i just run the test_backend stuff... it's taking about 5 minutes03:13
ayoungdstanek, jamielennox it is definitely the deprecation warning that is breaking my 3.4 run03:21
dstanekayoung: your traceback is pretty strange03:21
ayoungdstanek, I just rpdb set_trace03:21
dstanekayoung: is that in a new tox venv?03:22
ayoungdstanek, yep03:22
ayoungkeystoneclient/v3/client.py line 190 03:22
dstaneklifeless: i have patches to clean most of that py3 mocking garbage out of our tests03:25
lifelessdstanek: cool03:26
lifelessdstanek: if you need an eyeball on them lemme know03:26
dstaneklifeless: sure, thx. i have them on hold until we get through all of this release stuff. so tonight or tomorrow i'll probably push. most of it is really just deleting the code now that the libraries work in py303:27
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v3/client.py#n193 03:28
ayoung warnings.warn(  is acting like raise03:28
lifelessdstanek: dunno if you saw your grammatical error in https://review.openstack.org/#/c/219323/ 03:28
lifelessayoung: warnings.warn will do that if a raise handler is set03:28
dstaneklifeless: yeah, i'll push a follow up. needed to get this in so that our tests speed back up.03:29
ayounglifeless, and how would that have happened?03:29
dstanekayoung: yeah, we do that on purpose03:29
ayoungdstanek, then how does anything pass gate?03:29
lifelessayoung: ^^ as dstanek says, but also various test runners do it too03:29
ayoungcan we not do that?03:29
dstanekayoung: i think we do it in keystone.tests.unit.core...03:31
ayoungthis is KC03:31
lifelessayoung: why?03:31
dstanekayoung: oh, then i don't know03:31
ayounglifeless, because we have failing unit tests due to warnings03:32
ayoungthat is wrong03:32
ayoungand if it is intentional, we should stop03:32
lifelessayoung: deprecation warnings, or some others?03:32
ayoungdeprecation in this case03:32
lifelessayoung: because, 'that is wrong' is far too facile an answer.03:32
ayounglifeless, somehow, I am triggering it on this machine.  I suspect that we are not doing this intentionally03:33
lifelessayoung: upstream opinion on deprecation warnings is that they shouldn't be shown to users by default; they should trap errors at test time, and be shown in interactive shells03:33
ayounglifeless, "<dstanek> ayoung: yeah, we do that on purpose"  was what I meant was wrong03:33
lifelessayoung: I think dstanek meant 'we convert them to errors on purpose', not 'we trigger the warning on purpose'03:33
*** fangzhou has joined #openstack-keystone03:33
ayounglifeless, tox -epy 27 runs fine, but 34 does not... I don't think that is intentional, whatever we are planning on doing with deprecations03:34
ayounglifeless, are you suggesting that as soon as we deprecate something we should stop running a unit test on it?03:34
ayoungCuz...I know that you are not03:34
jamielennoxayoung: ok, did you figure it out?03:34
ayoungjamielennox, not really03:35
lifelessayoung: the pattern is that tests of deprecated things would reset the handler themselves03:35
dstaneklifeless: right, i think we turn warnings into errors. deprecation warnings for sure03:35
ayoungdstanek, only for py34?03:35
lifelessayoung: so yes, we should keep testing deprecated things. We should turn off warning->error for them alone03:35
dstanekayoung: no, should be for everything. running the tests right now in f2203:36
ayoungso..I should be running tox with some magic switch that turns off the "treat warnings as errors"?03:36
*** btully has quit IRC03:36
lifelessayoung: what thing that is deprecated is being triggered?03:38
*** woodster_ has quit IRC03:39
ayounglifeless,  http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v3/client.py#n193 03:39
dstanekayoung: in keystone server we only treat sqlalchemy warnings and deprecation warnings as errors; not sure about client yet03:39
lifelessok, so its not something in the stdlib03:39
dstanekayoung: getting crazy gcc errors running tox :-(03:40
ayoungdstanek, its only for py3 tests, too03:40
ayoungdstanek, you are missing rpms03:40
ayoungprobably ldap-devel and mysql-devel03:40
dstanekthis is so not helpful03:41
dstanekdnf install all-the-f*ing-rpms!03:42
dstaneknot sure what netifaces actually is03:42
ayoungdstanek, get the list from devstack03:42
ayounghttp://git.openstack.org/cgit/openstack-dev/devstack/tree/files/rpms/keystone 03:44
ayounghttp://git.openstack.org/cgit/openstack-dev/devstack/tree/files/rpms/devlibs 03:44
ayounghttp://git.openstack.org/cgit/openstack-dev/devstack/tree/files/rpms/general 03:44
dstanekayoung: i'm just stacking now so it does the dirty work03:44
dstanekinstalling 131 rpms!03:45
lifelessthere's a bindep repo you can use03:47
lifelesshttps://rbtcollins.wordpress.com/2015/07/12/bootstrapping-developer-environments-for-openstack/ 03:47
lifelesshttp://git.openstack.org/cgit/openstack-infra/project-config/plain/jenkins/data/bindep-fallback.txt 03:47
*** dikonoor has joined #openstack-keystone03:48
*** links has joined #openstack-keystone03:48
dstaneklifeless: that's interesting. i'll have to give that a try later.03:50
openstackgerritDavid Stanek proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/209524 03:51
openstackgerritDavid Stanek proposed openstack/keystone: Initial support for versioned driver classes  https://review.openstack.org/218481 03:51
dstanekachievement unlocked: committed, tested and pushed patchsets while eating french toast at cracker barrel!03:52
*** diazjf has joined #openstack-keystone03:53
*** dikonoor has quit IRC03:56
*** dikonoor has joined #openstack-keystone03:57
*** ankita_wagh has joined #openstack-keystone03:58
*** roxanaghe has joined #openstack-keystone04:03
*** dims__ has joined #openstack-keystone04:03
*** csoukup has joined #openstack-keystone04:04
*** csoukup has quit IRC04:05
*** fangzhou has quit IRC04:06
dstanekayoung: yeah, i don't know how these tests work - the fix that is breaking me was committed here: http://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=803eb235 04:13
ayoungdstanek, looks like it is passing in gate, though04:14
*** dims__ is now known as dims04:17
*** davechen has joined #openstack-keystone04:19
*** davechen1 has quit IRC04:22
*** spandhe has joined #openstack-keystone04:22
*** hrou has quit IRC04:22
dstanekyeah, i don't get it04:23
*** dims has quit IRC04:24
*** spandhe_ has joined #openstack-keystone04:25
*** stevemar has quit IRC04:25
*** spandhe has quit IRC04:26
*** fangzhou has joined #openstack-keystone04:27
*** spandhe_ has quit IRC04:29
dstaneklhcheng: you hanging out?04:31
lhchengdstanek:  hey04:31
lhchengdstanek: just finishing up some stuff04:32
lhchengdstanek: what's up?04:32
*** fangzhou has quit IRC04:32
*** fangzhou has joined #openstack-keystone04:33
dstaneklhcheng: were you able to test out https://review.openstack.org/#/c/214766 with DOA?04:33
*** btully has joined #openstack-keystone04:33
*** topol has joined #openstack-keystone04:34
*** ChanServ sets mode: +v topol04:34
*** mylu has joined #openstack-keystone04:35
lhchengdstanek: still having some problem with my keystone federation env, trying to update it from kilo to L.04:37
lhchengmostly tested it separately04:37
dstaneklhcheng: i'll call that a yes then :-) thx04:37
lhchengdstanek: do you know if I can update devstack env in such a way it would not wipe my keystone db?04:37
*** btully has quit IRC04:37
dstaneklhcheng: i usually unstack, update devstack (and repos) and stack; never noticed the DB being wiped04:38
dstaneklhcheng: you could always just take a backup, just in case04:39
lhchengdstanek: I've done some minimal testing, hence adding a fix in PS6.04:39
lhchengdstanek: good idea04:39
lhchengwould be easier than just trying to upgrade keystone manually.04:40
lhchengdstanek: that reminds me, I have to bug people to review the DOA change.04:42
dstanekevery time i see that i think dead on arrival04:43
*** Nirupama has joined #openstack-keystone04:44
lhchenglol yeah, it's not the best acronym04:44
*** mtreinish has quit IRC04:57
dstanekthese should be relatively simple https://review.openstack.org/#/c/218481/7 04:57
*** mtreinish has joined #openstack-keystone05:04
dstanekayoung: it also fails on my brand new ubuntu vm05:05
ayoungdstanek, I wonder how it passes gate?05:06
*** markvoelker has joined #openstack-keystone05:06
lhchengdstanek: where does the V8 come from? is that the keystone release #?05:08
*** ayoung is now known as ayoung_ZZzz05:08
lhchengdstanek: >> CatalogDriverV805:08
dstaneklhcheng: yes, that's the keystone release number05:08
*** markvoelker has quit IRC05:11
*** markvoelker has joined #openstack-keystone05:12
*** mylu has quit IRC05:13
*** diazjf has left #openstack-keystone05:21
*** btully has joined #openstack-keystone05:45
*** btully has quit IRC05:49
*** topol has quit IRC05:52
*** topol has joined #openstack-keystone05:54
*** ChanServ sets mode: +v topol05:54
morganWe should stop using acronyms05:55
morganKsc, ksa, ks, doa, etc all raises the barrier to entry for new contributors. /late night thoughts05:55
*** topol has quit IRC05:57
*** roxanaghe has quit IRC06:05
*** lhcheng has quit IRC06:08
*** ParsectiX has joined #openstack-keystone06:11
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces  https://review.openstack.org/209524 06:13
*** browne has joined #openstack-keystone06:23
*** markvoelker has quit IRC06:23
*** sdake has joined #openstack-keystone06:24
*** lhcheng has joined #openstack-keystone06:27
*** ChanServ sets mode: +v lhcheng06:27
*** lhcheng has quit IRC06:32
*** browne has quit IRC06:34
*** stevemar has joined #openstack-keystone06:38
*** ChanServ sets mode: +v stevemar06:38
*** roxanaghe has joined #openstack-keystone06:42
*** stevemar has quit IRC06:42
*** roxanaghe has quit IRC06:43
*** ankita_wagh has quit IRC06:44
*** roxanaghe has joined #openstack-keystone06:45
*** ankita_wagh has joined #openstack-keystone06:45
*** roxanaghe has quit IRC06:49
*** ankita_wagh has quit IRC06:49
*** exploreshaifali has joined #openstack-keystone06:50
*** dims has joined #openstack-keystone06:50
*** ParsectiX has quit IRC06:51
*** afazekas__ has joined #openstack-keystone06:52
*** dims has quit IRC06:54
*** ankita_wagh has joined #openstack-keystone07:05
*** ankita_wagh has quit IRC07:05
*** ankita_wagh has joined #openstack-keystone07:06
*** ParsectiX has joined #openstack-keystone07:13
openstackgerritDave Chen proposed openstack/keystonemiddleware: update middlewarearchitecture.rst  https://review.openstack.org/219162 07:23
*** vivekd has quit IRC07:28
*** fhubik has joined #openstack-keystone07:41
*** henrynash has joined #openstack-keystone07:44
*** ChanServ sets mode: +v henrynash07:44
*** dims has joined #openstack-keystone07:44
*** ankita_wagh has quit IRC07:46
*** roxanaghe has joined #openstack-keystone07:46
*** dims has quit IRC07:49
*** roxanaghe has quit IRC07:51
*** fhubik has quit IRC07:57
*** e0ne has joined #openstack-keystone08:01
*** pnavarro|afk has joined #openstack-keystone08:01
*** topol has joined #openstack-keystone08:09
*** ChanServ sets mode: +v topol08:09
*** jistr has joined #openstack-keystone08:11
*** e0ne has quit IRC08:13
*** topol has quit IRC08:14
*** lhcheng has joined #openstack-keystone08:16
*** ChanServ sets mode: +v lhcheng08:16
*** pnavarro|afk is now known as pnavarro08:19
*** pnavarro has quit IRC08:19
*** pnavarro has joined #openstack-keystone08:20
*** lhcheng has quit IRC08:21
*** vivekd has joined #openstack-keystone08:23
*** EinstCrazy has joined #openstack-keystone08:25
*** fhubik has joined #openstack-keystone08:27
*** shoutm has quit IRC08:36
*** ParsectiX has quit IRC08:37
*** dims has joined #openstack-keystone08:38
*** marzif has joined #openstack-keystone08:43
*** dims has quit IRC08:43
*** exploreshaifali has quit IRC08:48
*** davechen has left #openstack-keystone08:56
*** markvoelker has joined #openstack-keystone08:57
*** martinus__ has joined #openstack-keystone09:01
*** markvoelker has quit IRC09:02
martinus__Hi there, can someone take a look at my question at http://pastebin.com/njJ6DHDd ? (ask.openstack.org says it's spam...)09:03
martinus__dstanek, henrynash , jamielennox or marekd maybe ?09:04
*** shoutm has joined #openstack-keystone09:11
*** ParsectiX has joined #openstack-keystone09:15
*** kiran-r has joined #openstack-keystone09:20
*** ParsectiX has quit IRC09:20
*** marzif has quit IRC09:22
marekdmartinus__: DEBUG (shell:914) Unable to establish connection to http://localhost:5000/v2.0/tokens ?09:24
martinus__yes,09:24
marekdmake sure you can get through with some nmap, nc or whatever :-)09:24
martinus__marekd the host is not localhost as explained09:25
martinus__the API answers localhost09:25
marekdmartinus__: also, what version of openstack is that?09:25
marekdis it grizzly too ?09:25
marekdor it's just openrc09:25
martinus__my openrc client is ubuntu09:25
martinus__15.04 09:25
martinus__my openstack installation is grizzly09:25
marekdand on this 'old debian box' ?09:26
martinus__it is one of the servers of the grizzly cluster09:26
marekdgrizzly seems to be very old, so I'd suspect some troubles here.09:26
martinus__ok maybe I will never know what is the issue. I just can't use my python clients from my ubuntu 15.04 09:27
martinus__not cool :(09:27
marekdwhat's the debug from this 'old box' ?09:27
martinus__I'm going to pastebin it09:28
marekdyou know, we usually try to be backwards compatible, but we sometimes deprecate some options etc. Usually when something is deprecated it stays for at least 2 cycles. Grizzly is far beyond 2 cycles09:28
martinus__marekd, here it is http://pastebin.com/9ZhwkF20 09:31
*** e0ne has joined #openstack-keystone09:32
martinus__it is run from that debian wheezy box09:32
martinus__you see there is a POST curl09:32
*** dims has joined #openstack-keystone09:32
marekdmartinus__: try openstack commandline09:33
marekdopenstack server list for instance09:33
marekd$ openstack --debug server list09:33
marekdor maybe you can paste openrc?09:34
jamielennoxwow - grizzly, there are a whole bunch of things that will have changed since then09:35
marekdjamielennox: ++09:35
martinus__marekd, jamielennox : ahah, it works with openstack command !09:36
jamielennoxmy first guess though is that it's querying GET / from keystone09:36
marekdmartinus__: openstack cli is a new way to utilize openstack instead of glance,nova,cinder etc.09:36
jamielennoxbecause something is getting back a version list, and you probably want to set like admin_host and public_host in keystone.conf on the server to something real09:36
marekdmartinus__: i don't know why nova didn't work (and why GET instead of POST), but i'd bother that much - rather upgrade grizzly to something else :-)09:36
marekdi wouldn't bother *09:37
martinus__marekd, I'm sorry I was really not aware of that new way09:37
marekdmartinus__: no problem09:37
marekdnova should work i think09:37
*** dims has quit IRC09:37
martinus__nova python client doesn't, glance one neither09:37
marekddunno09:37
marekdmartinus__: just switch to openstack cli09:38
*** stevemar has joined #openstack-keystone09:38
*** ChanServ sets mode: +v stevemar09:38
* marekd pokes stevemar09:38
*** stevemar has quit IRC09:42
*** e0ne has quit IRC09:46
*** EinstCrazy has quit IRC09:46
martinus__marekd, thank you for your help09:49
martinus__jamielennox, the same for you ;)09:49
marekdmartinus__: you are welcome09:49
jamielennoxmartinus__: np09:49
*** e0ne has joined #openstack-keystone09:55
jamielennoxmarekd: so i want to understand the security issue of not having remote_id a bit better09:56
jamielennoxmarekd: to my mind when you set up an apache mod for a url you almost always limit what can be accepted there09:57
jamielennoxwith SAML you provide an idp metadata file, so only relevant assertions are allowed09:57
silehtHi folks, is a new liberty keystonemiddleware release planned?09:57
jamielennoxwith kerberos you provide a keytab09:58
jamielennoxsileht: not specifically that i know of09:58
jamielennoxsileht: but i think its been a while so you could probably get one if you're waiting for something09:58
jamielennoxmy understanding is that if you want it to be in liberty g-r it has to be out soon09:58
*** katkapilatova has joined #openstack-keystone09:59
silehtjamielennox, yes I'm waiting for a fix for aodh09:59
jamielennoxsileht: did that merge?09:59
silehtjamielennox, yes09:59
jamielennoxok09:59
marekdjamielennox: if you can configure mellon/whatever so only cola IdP is allowed for identity_providers/cola/protocols/saml2/auth and only pepsi idp is allowed for identity_providers/pepsi/protocols/saml2/auth then you are good. You will never end in a situation where cola guy says he wants to use identity_providers/pepsi/protocols/saml2/auth09:59
silehtwe currently use a workaround to pass our gate, but we want to release liberty without the workaround09:59
jamielennoxsileht: so morgan is the person to talk to about a new release - he's based in california10:00
silehtjamielennox, ok thanks10:00
*** fhubik is now known as fhubik_brb10:00
*** fhubik_brb is now known as fhubik10:00
*** fhubik is now known as fhubik_brb10:00
marekdjamielennox: if you, on the other hand, specify one protected url like identity_providers/*/protocols/saml2/auth then it will be used for both pepsi and cola. Now, shib will trust both of them and will pass the request forward, and keystone, without remote_id, doesn't know who was really the originating IdP.10:01
marekdso cola guy can say he is from pepsi and cola manager is  surely not a pepsi manager.10:01
jamielennoxmarekd: if there is a conflict like that then keystone will error out wont it?10:02
jamielennoxoh - no, i guess it wont10:02
marekdjamielennox: which conflict?10:02
marekdremote_id is a value stored in the assertion (so also accessible for keystone) that identifies issuing IdP.10:03
jamielennoxso i guess i've never  liked the * as part of apache, but i can see why people use it10:03
marekdjamielennox: you can leave without remote ids but you should make sure you make such protection in mellon config, so specify which idp will be accepted for which urls.10:03
marekdjamielennox: s/leave/live10:04
marekdsorry10:04
jamielennoxyea, i don't know how that works in mellon - if you wanted to do that you'd configure apache the full way10:05
*** lhcheng has joined #openstack-keystone10:05
*** ChanServ sets mode: +v lhcheng10:05
marekdjamielennox: so my point was we should make docs clear that somewhere it must be configured, otherwise admins are exposing themselves to some security risks.10:06
*** marzif has joined #openstack-keystone10:06
jamielennoxmarekd: yep, is there a way we can check that case for people?10:06
jamielennoxa remote_id_required conf or something10:06
jamielennoxproblem with that is if you understand the need for the conf option you know the problem you are trying to avoid10:07
marekdwhat do you mean by 'check the case' ?10:08
jamielennoxbut we could turn it on by default as i think they are currently required10:08
marekdyou can turn off remote_id validation10:08
jamielennoxwe have that flag?10:09
marekdhttps://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L217 10:09
*** lhcheng has quit IRC10:10
marekdCONF.federation.remote_id_attribute just set this to ''10:10
jamielennoxhmm10:10
jamielennoxnot sure if that's the default10:11
marekdhttps://github.com/openstack/keystone/blob/master/keystone/common/config.py#L514 10:11
marekdyeah, i think it's not10:11
marekdi cannot remember why10:11
marekdmaybe we concluded we should not expose this by default.10:11
jamielennoxok, so the default would trigger that10:11
marekdbut it should be mandatory10:11
*** ParsectiX has joined #openstack-keystone10:13
marekd^^ i mean that was the intention beforehand10:13
openstackgerritMerged openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/149178 10:14
jamielennoxmarekd: yea, that's not a good default given the way we tell people to configure federation at the moment10:16
marekddefault set to ''  ?10:16
jamielennoxyea10:16
*** kiran-r has quit IRC10:19
marekdjamielennox: i think at the beginning it was also due to backwards compatibility issues10:19
*** shoutm has quit IRC10:19
marekdjamielennox: or maybe not10:19
*** dims has joined #openstack-keystone10:26
*** lhcheng has joined #openstack-keystone10:28
*** ChanServ sets mode: +v lhcheng10:28
*** dims has quit IRC10:31
*** lhcheng has quit IRC10:33
*** chmouel has quit IRC10:40
*** chmouel has joined #openstack-keystone10:41
*** fhubik_brb is now known as fhubik10:46
*** daemontool_ has joined #openstack-keystone10:50
openstackgerritMerged openstack/python-keystoneclient: Deprecate create HTTPClient without session  https://review.openstack.org/205832 10:51
*** dave-mccowan has joined #openstack-keystone10:51
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for httpclient.USER_AGENT  https://review.openstack.org/205833 10:52
openstackgerritMerged openstack/python-keystoneclient: Update deprecation text for Session properties  https://review.openstack.org/191511 10:52
*** fhubik is now known as fhubik_brb10:56
*** fhubik_brb is now known as fhubik10:56
*** claudiub has joined #openstack-keystone10:57
*** pnavarro is now known as pnavarro|lunch11:06
*** ftco has joined #openstack-keystone11:06
ftcoHi everybody...11:15
ftcoI have two installations of openstack. Is it possible to merge them in one dashboard?11:19
*** fhubik has quit IRC11:20
*** fhubik has joined #openstack-keystone11:20
*** dims has joined #openstack-keystone11:21
*** kiran-r has joined #openstack-keystone11:21
*** henrynash has quit IRC11:22
*** martinus__ has quit IRC11:23
*** dims has quit IRC11:26
*** hrou has joined #openstack-keystone11:32
*** aix has quit IRC11:36
*** gordc has joined #openstack-keystone11:38
*** tjcocozz_ has quit IRC11:42
*** bapalm has quit IRC11:43
openstackgerritMarek Denis proposed openstack/keystone: IdP deletion triggers token revocation  https://review.openstack.org/21045611:45
odyssey4meftco see the answer in #openstack11:45
*** ankita_wagh has joined #openstack-keystone11:46
*** samueldmq has joined #openstack-keystone11:47
samueldmqmorning11:47
*** tjcocozz has joined #openstack-keystone11:48
*** bapalm has joined #openstack-keystone11:49
*** ankita_wagh has quit IRC11:51
openstackgerritMarek Denis proposed openstack/keystone: IdP deletion triggers token revocation  https://review.openstack.org/21045611:52
*** amakarov_away is now known as amakarov11:54
*** petertr7_away is now known as petertr712:03
*** stevemar has joined #openstack-keystone12:05
*** ChanServ sets mode: +v stevemar12:05
*** sigmavirus24_awa is now known as sigmavirus2412:08
*** aix has joined #openstack-keystone12:09
*** stevemar has quit IRC12:09
*** petertr7 is now known as petertr7_away12:17
*** pnavarro|lunch is now known as pnavarro12:19
*** ankita_wagh has joined #openstack-keystone12:22
*** petertr7_away is now known as petertr712:23
*** david-lyle has quit IRC12:27
*** mordred has quit IRC12:27
*** david-lyle has joined #openstack-keystone12:28
*** raildo-afk is now known as raildo12:29
*** ankita_wagh has quit IRC12:29
*** nicodemos has joined #openstack-keystone12:38
*** claudiub has quit IRC12:38
*** Nirupama has quit IRC12:38
*** _kiran_ has joined #openstack-keystone12:41
*** kiran-r has quit IRC12:42
*** jiaxi has joined #openstack-keystone12:43
*** _kiran_ is now known as kiran-r12:43
*** sigmavirus24 is now known as sigmavirus24_awa12:45
*** jiaxi has quit IRC12:47
*** NM has joined #openstack-keystone12:48
*** dims has joined #openstack-keystone12:48
*** e0ne has quit IRC12:53
marekdste13:01
*** kiran-r has quit IRC13:02
*** vivekd has quit IRC13:04
*** roxanaghe has joined #openstack-keystone13:06
*** vivekd has joined #openstack-keystone13:06
*** dsirrine has joined #openstack-keystone13:08
*** roxanaghe has quit IRC13:10
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update  https://review.openstack.org/20721813:13
*** wwwjfy has quit IRC13:16
*** wwwjfy has joined #openstack-keystone13:16
*** links has quit IRC13:17
*** dims_ has joined #openstack-keystone13:17
openstackgerritMerged openstack/keystone: Validate Mapped User object.  https://review.openstack.org/21704913:20
*** dims has quit IRC13:21
lbragstaddstanek: do you know if there was a DOA change for https://review.openstack.org/#/c/214766 ?13:22
*** A-Morgan has joined #openstack-keystone13:23
A-MorganHello there13:23
A-Morgancan anyone in advance help me for some issues with keystone over SSL13:23
*** vivekd_ has joined #openstack-keystone13:25
*** vivekd has quit IRC13:25
*** vivekd_ is now known as vivekd13:26
A-Morganis anyone there for help13:26
A-Morgan????13:26
*** henrynash has joined #openstack-keystone13:29
*** ChanServ sets mode: +v henrynash13:29
larsksA-Morgan: probably more folks around once more of the US is awake and @ work.  This channel is mostly for development discussion; try #openstack for help (but same comment there about people being around).13:30
*** A-Morgan has left #openstack-keystone13:31
htrutaping henrynash, a few minutes to talk about this bug https://review.openstack.org/#/c/213448/11/keystone/tests/unit/test_v3.py that is not a bug?13:33
*** henrynash has quit IRC13:33
*** mordred has joined #openstack-keystone13:34
*** richm has joined #openstack-keystone13:34
*** henrynash has joined #openstack-keystone13:35
*** ChanServ sets mode: +v henrynash13:35
henrynashhtuta: hi13:35
henrynashhtruta: hi13:36
htrutahey, I don't think this is a bug... before this patch (Manager support for projects acting as domains), we didn't allow domain_id passed as None in the schema13:36
htrutahenrynash: now we've made it nullable, so, we should change the None domain_id in this same patch13:36
henrynashhtruta: ah!13:37
henrynashhtruta: yep, think you are correct then….we have removed that check, so we should fix it - although I would think in theory we should fix it in the patch we made domain_id nullable13:38
htrutahenrynash: we made it nullable in the schema in this one... and nullable at sql backend at a follow up13:38
htrutahenrynash: I think this one is the right place for it13:39
henrynashhtruta: ok, yep, I agree13:39
*** fhubik has quit IRC13:39
htrutahenrynash: cool. I'll make that change and mark the bug as invalid13:40
*** fhubik has joined #openstack-keystone13:40
henrynashhtruta: ++13:40
*** henrynash has quit IRC13:40
*** edmondsw has joined #openstack-keystone13:41
*** markvoelker has joined #openstack-keystone14:01
*** petertr7 is now known as petertr7_away14:02
*** petertr7_away is now known as petertr714:05
*** marzif has quit IRC14:05
*** markvoelker has quit IRC14:06
*** marzif has joined #openstack-keystone14:06
*** kiran-r has joined #openstack-keystone14:09
*** vivekd_ has joined #openstack-keystone14:09
*** _kiran_ has joined #openstack-keystone14:09
*** _kiran_ has quit IRC14:10
*** _kiran_ has joined #openstack-keystone14:11
*** phalmos has joined #openstack-keystone14:11
*** ParsectiX has quit IRC14:11
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains  https://review.openstack.org/21344814:11
*** vivekd has quit IRC14:12
*** vivekd_ is now known as vivekd14:12
*** rbak has joined #openstack-keystone14:13
*** kiran-r has quit IRC14:13
breton_jamielennox: hey! Do you remember what issues happened with non-thread-safety on https://github.com/openstack/nova/blob/stable/kilo/nova/network/neutronv2/api.py#L195 ?14:14
*** raildo is now known as raildo-afk14:16
*** raildo-afk is now known as raildo14:17
*** _kiran_ has quit IRC14:18
*** kiran-r has joined #openstack-keystone14:18
*** phalmos has quit IRC14:20
*** thiagop has joined #openstack-keystone14:22
*** sdake has quit IRC14:28
*** fhubik has quit IRC14:29
*** jsavak has joined #openstack-keystone14:30
*** fangzhou_ has joined #openstack-keystone14:30
*** kiran-r has quit IRC14:30
*** fangzhou has quit IRC14:31
*** fangzhou_ is now known as fangzhou14:31
*** afazekas__ has quit IRC14:31
*** sdake has joined #openstack-keystone14:32
*** jsavak has quit IRC14:34
*** roxanaghe has joined #openstack-keystone14:38
*** phalmos has joined #openstack-keystone14:39
*** e0ne has joined #openstack-keystone14:39
*** jsavak has joined #openstack-keystone14:42
*** markvoelker has joined #openstack-keystone14:42
*** markvoelker has quit IRC14:42
*** petertr7 is now known as petertr7_away14:42
*** markvoelker has joined #openstack-keystone14:43
*** browne has joined #openstack-keystone14:43
*** roxanaghe has quit IRC14:49
*** zzzeek has joined #openstack-keystone14:50
*** diazjf has joined #openstack-keystone14:53
*** djc_ has joined #openstack-keystone14:55
*** krotscheck is now known as kro_afk14:59
*** vivekd has quit IRC15:00
*** KarthikB has joined #openstack-keystone15:01
KarthikBGood morning all15:02
*** topol has joined #openstack-keystone15:03
*** ChanServ sets mode: +v topol15:03
*** dave-mccowan has quit IRC15:03
KarthikBI work for IBM and I'm currently working on using external identity(IBM) with Keystone15:04
*** kro_afk is now known as krotscheck15:04
KarthikBI've followed this http://docs.openstack.org/developer/keystone/external-auth.html post and created a middleware which sets REMOTE_USER to some user name and the same user name has been created in keystone as well15:05
KarthikBbut when I make a call I'm still getting the following error15:06
KarthikB2015-09-02 09:41:47.365 7783 DEBUG keystone.token.persistence.backends.kvs [-] <keystone.common.kvs.core.KeyValueStore object at 0x7f1cb2e6fed0> _get_key /usr/lib/python2.7/site-packages/keystone/token/persistence/backends/kvs.py:78 2015-09-02 09:41:47.367 7783 WARNING keystone.common.controller [-] RBAC: Invalid token 2015-09-02 09:41:47.367 7783 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authenti15:06
KarthikBPlease can someone help me to sort out the issue?15:07
*** dims_ has quit IRC15:12
*** jistr is now known as jistr|call15:12
*** phalmos has quit IRC15:12
*** richm has quit IRC15:14
*** phalmos has joined #openstack-keystone15:15
*** slberger has joined #openstack-keystone15:15
*** dave-mccowan has joined #openstack-keystone15:16
*** Ephur has joined #openstack-keystone15:22
KarthikBRe-posting my query15:23
KarthikBKarthikB  I work for IBM and I'm currently working on using external identity(IBM) with Keystone 10:04:46 AM  kro_afk is now known as krotscheck. I've followed this http://docs.openstack.org/developer/keystone/external-auth.html post and created a middleware which sets REMOTE_USER to some user name and the same user name has been created in keystone as well, but When I make a call I'm still getting  the following error 2015-09-02 09:41:47.365 715:25
KarthikBI work for IBM and I'm currently working on using external identity(IBM) with Keystone15:25
*** vmbrasseur has left #openstack-keystone15:26
*** samueldmq has quit IRC15:29
*** yottatsa has joined #openstack-keystone15:29
*** richm has joined #openstack-keystone15:30
*** yottatsa has quit IRC15:30
*** katkapilatova has left #openstack-keystone15:33
*** jsavak has quit IRC15:36
*** geoffarnold has joined #openstack-keystone15:36
*** ayoung_ZZzz is now known as ayoung15:36
*** tonytan4ever has joined #openstack-keystone15:37
*** geoffarnold has quit IRC15:38
*** jistr|call is now known as jistr15:38
*** geoffarnold has joined #openstack-keystone15:39
*** yottatsa has joined #openstack-keystone15:43
*** djc_ has quit IRC15:44
*** roxanaghe has joined #openstack-keystone15:44
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token()  https://review.openstack.org/19687715:48
ayoungKarthikB, you trying to do Kerberos?15:48
*** jsavak has joined #openstack-keystone15:48
openstackgerritLance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token()  https://review.openstack.org/19764715:48
KarthikBno @ayoung15:49
ayoungKarthikB, what are you trying to do?15:49
*** yottatsa has quit IRC15:51
KarthikBjust a mysql identity backend15:51
ayoungKarthikB, password and basic-auth?15:51
*** dims has joined #openstack-keystone15:51
ayoungKarthikB, what API call are you making that gives you  RBAC: Invalid token?15:52
KarthikBWe are currently working on making bluemix as our external identity and while trying to achieve that we are running into few issues.  Here are some of the assumptions made and work done.  1) Every request to Keystone identity will have bluemix token.  2) Developed a middle-ware to receive the token from the request, make a call to UAA to get the detailed user information and assign the user name to REMOTE_USER env variable.  3) Modified the Pip15:52
*** yottatsa has joined #openstack-keystone15:53
ayoungUAA? Pip?15:53
KarthikB@ayoung that is what I'm trying to do15:53
KarthikBUAA15:53
*** kiran-r has joined #openstack-keystone15:53
ayoungKarthikB, I know nothing about bluemix.  Define your terms, please.15:53
*** yottatsa has quit IRC15:53
ayoungKarthikB, and no need for an @ in IRC.  This predates twitter :)15:54
*** browne has quit IRC15:55
KarthikBcurl -k -v -H "X-Auth-Token: bearer TOKEN"  https://169.55.28.133:5000/v3/users/3bb02a91a3524ddf868ec7c445a4055015:55
KarthikBthis is the call I'm making15:55
KarthikBok :-)15:56
*** gyee has joined #openstack-keystone15:57
*** ChanServ sets mode: +v gyee15:57
ayoung bearer TOKEN was something issued by Keystone?15:58
KarthikBbluemix is where I have the user info, According to the openstack post that I've mentioned previously. I've created a custom middleware which could make a call to bluemix to get the user information and set the REMOTE_USER variable.15:59
ayoungKarthikB, so, unless you've done more magic, Keystone still needs a Keystone Issued token for most operations15:59
ayoungto bypass that, look at the Tokenless work gyee and company are working on15:59
KarthikBNo Young, that was issued by bluemix15:59
ayoungREMOTE_USER is only used when creating a keystone token16:00
*** jsavak has quit IRC16:00
*** jsavak has joined #openstack-keystone16:00
ayoungKarthikB, but see https://review.openstack.org/#/c/156870/  for how the other Tokenless work is being done16:00
KarthikBI'm assuming the user is already authenticated and having is user token which bluemix can understand, I don't want keystone to perform one more validation.16:02
*** dims has quit IRC16:02
*** kiran-r has quit IRC16:02
*** dims has joined #openstack-keystone16:03
*** markvoelker has quit IRC16:03
*** dims_ has joined #openstack-keystone16:04
*** petertr7_away is now known as petertr716:04
*** browne has joined #openstack-keystone16:05
gyeeayoung, KarthikB, sorry I didn't catch the whole conversation, speaking of that patch, I need to talk to marekd16:05
*** bknudson has joined #openstack-keystone16:06
*** ChanServ sets mode: +v bknudson16:06
gyeemarekd, you still awake?16:06
*** dims has quit IRC16:07
ayoungKarthikB, all of the workflow in OpenStack assume you are passing around Keystone tokens.  All that external does is let you use an external identity provider to get the token.  The token provides the openstack relevant access information.  So, while it is a little dumb that you need it to do work on Keystone, that is how things are designed16:07
ayoungso, try getting a scoped keystone token first, and I think the rest should work for you16:07
KarthikBthanks for your input ayoung16:08
KarthikBayoung: there is no other way to pass tokens that aren't provided by keystone?16:10
ayoungKarthikB, http://adam.younglogic.com/2015/08/tokenless-keystone/16:10
*** stevemar has joined #openstack-keystone16:11
*** ChanServ sets mode: +v stevemar16:11
morganayoung: we need to approve the last x509 patch today if possible. But it hasnt been updated from the -1s16:11
morgangyee: ^cc16:11
ayoungmorgan, it ain't gonna happen16:11
morganBecause otherwise it isnt landing in liberty16:11
ayoungneeds too much work16:11
morganThen im punting it to mitaka16:11
gyeemorgan, yes, I'll update the patch if Sam doesn't have time to get to it16:12
gyeewas hoping I can answer marekd's concern16:12
ayoungmorgan, I'll stay on it in terms of reviewing16:12
morgangyee: update in the next hour16:12
gyeek16:12
gyeeright away sir16:12
*** shoutm has joined #openstack-keystone16:12
KarthikBThanks for your time ayoung, let me go through that16:12
ayoungmorgan, you know me; the perfect is the enemy of the good.  I'm OK with a sub-perfect patch for an experimental feature16:12
ayoungso long as it can be turned off, I'd rather have people beating on it16:13
morgangyee: it has to be gating yesterday if we want it without a FFE and im going to say i am -1 on FFEs to begin with. Especially with the general unresponsiveness to questions on patches we have had this cycle16:13
gyeeayoung, you want perfect, and you want workable software?! :)16:13
morganBut at this point im ready to let everything slide to mitaka.16:14
gyeemorgan, that's fine if no one's going to review it16:15
morgangyee: the issue isnt just reviews. It has been even with reviews no responses16:15
morganSo everything has been yet again pushed to the last minute16:15
gyeemorgan, lemme update it16:15
morganOk.16:15
gyeeI was hoping to catch marekd so I can address his concerns here16:16
*** afazekas__ has joined #openstack-keystone16:16
morganThose concerns have been there for a week now?16:16
*** devlaps has joined #openstack-keystone16:16
gyeeyesterday16:16
gyeeSam's been active in updating it I think16:16
morganOk so why did it wait until the last week to get work done on it?16:16
*** pkholkin has joined #openstack-keystone16:17
gyeeI think he's been updating it, just the reviews come slowly16:17
morganI've seen these patches sit for a significant amount of time with -1s16:17
morganAnd no updates. Not just this one of others too16:17
morganI am rather irritated that we are a day before feature freeze and cramming this in.16:18
*** tdurakov has joined #openstack-keystone16:18
tdurakovjamielennox, hi, are you around?16:18
gyeemorgan, that patch's been reviewed thoroughly and tested by multiple folks16:19
gyeeI think we are at the bike shedding land right now16:19
gyeeanyway, let me update16:19
tdurakovjamielennox, got question about your note: https://github.com/openstack/nova/blob/master/nova/network/neutronv2/api.py#L20516:20
*** petertr7 is now known as petertr7_away16:21
*** jsavak has quit IRC16:23
*** jsavak has joined #openstack-keystone16:24
stevemarhmm no lhcheng16:25
stevemardang!16:25
KarthikBayoung quick question a section "Developing a WSGI middleware for authentication" in http://docs.openstack.org/developer/keystone/external-auth.html post will not work?16:26
ayoungKarthikB, that is just to get a keystone token16:26
*** afazekas__ has quit IRC16:35
*** pnavarro is now known as pnavarro|afk16:36
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create Discover without session  https://review.openstack.org/20582916:39
*** marzif has quit IRC16:43
*** marzif has joined #openstack-keystone16:43
*** samleon has joined #openstack-keystone16:44
*** jistr has quit IRC16:44
*** fangzhou has quit IRC16:45
openstackgerritguang-yee proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687016:45
*** afazekas__ has joined #openstack-keystone16:48
*** hrou has quit IRC16:49
*** henrynash has joined #openstack-keystone16:54
*** ChanServ sets mode: +v henrynash16:54
*** tonytan4ever has quit IRC16:57
KarthikBayoung Yes, I just want to get the keystone token since I already authenticated the user with third party provider. I'm passing the third party issued token just to get the user information in keystone middleware, and that user name is already created in keystone with appropriate access.16:57
stevemarKarthikB: same Karthik that sent me an email two days ago?16:57
KarthikBHi Stevev16:58
stevemari am just looking at it now :)16:58
KarthikBSteve* yes, same Karthik16:58
stevemarwe can chat here, is there any new info that you can add - did you get any further?16:58
stevemari was thinking... i16:58
stevemaryou may need to enable logging to get more info here, and make sure that the new middleware is being invoked16:59
stevemarcause i'm not seeing that in the log you pasted16:59
openstackgerritMerged openstack/keystoneauth: Auth-url is required for identity plugins  https://review.openstack.org/21911116:59
openstackgerritMerged openstack/keystoneauth: Return oslo.config opts from config loading  https://review.openstack.org/21946717:00
KarthikByes, my middleware is getting triggered and it is successfully able to make a call to UAA to get the user information and sets the REMOTE_USER variable as well17:00
KarthikBstevemar17:00
KarthikBCan I paste the log here stevemar?17:01
stevemaryou can PM if you want, doesn't much matter to me17:03
*** woodster_ has joined #openstack-keystone17:03
openstackgerrithenry-nash proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/15448517:04
*** lhcheng has joined #openstack-keystone17:05
*** ChanServ sets mode: +v lhcheng17:05
openstackgerrithenry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/14899517:07
*** mylu has joined #openstack-keystone17:10
*** mylu has quit IRC17:10
*** e0ne has quit IRC17:12
*** afazekas__ has quit IRC17:14
*** phalmos has quit IRC17:17
*** wwwjfy has quit IRC17:18
*** roxanaghe has quit IRC17:19
*** roxanaghe has joined #openstack-keystone17:19
*** marzif has quit IRC17:20
morgangyee: questions on x509.17:23
*** fangzhou has joined #openstack-keystone17:23
morganAnd one thing that needs a followup patch to fix. Log level in one case should not be warn17:24
gyeemorgan, sure17:25
gyeelet me check17:25
*** spandhe has joined #openstack-keystone17:31
*** dims_ has quit IRC17:33
mordredmorgan: is keystone still a special case in the catalog?17:34
morganmordred: i believe so (sorry)17:34
mordredmorgan: k. so I need to keep this still https://github.com/openstack-infra/shade/blob/master/shade/__init__.py#L758-L76817:35
lhchengjamielennox stevemar lbragstad: when you get the chance, this is the patch in django_openstack_auth for the IDP specific websso: https://review.openstack.org/#/c/219041/17:35
*** markvoelker has joined #openstack-keystone17:35
*** markvoelker has quit IRC17:35
*** dims has joined #openstack-keystone17:35
morganlbragstad: why are we changing responses here? https://review.openstack.org/#/c/196877/21/keystone/tests/unit/test_v3_auth.py 404 should be still returned for invalid tokens?17:36
*** markvoelker has joined #openstack-keystone17:36
morganWhy is github's mobile site so useless. The line number stuff doesnt work because they dont render line numbers /rage17:36
morganAnd you have to scroll to the bottom of the page to get the "desktop" site.17:37
morganStupid design is stupid...17:37
morganmordred: yes likely you need to keep that.17:38
openstackgerritvenkatamahesh proposed openstack/keystone: Fix the http link for JSON schema  https://review.openstack.org/21731917:38
mordredmorgan: okie!17:39
*** aix has quit IRC17:40
*** jsavak has quit IRC17:41
lbragstadmorgan: there was a comment on the patch set; specifically pointing to https://review.openstack.org/#/c/205554/17:42
lbragstadit was on PS 12 and it was made by Vladimir17:42
morganlbragstad: but you are changing 404 to 400?17:42
*** slberger has quit IRC17:43
* morgan needs to look more closely on non-mobile device i guess.17:43
lbragstadmorgan: I think that is because of https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L22817:43
morganWhich is wrong17:44
morganShould be a 40417:44
*** dikonoor has quit IRC17:44
lbragstadmorgan: the fernet.core:Provider.validate_v3_token method used to except that and return 404 https://review.openstack.org/#/c/196877/21/keystone/token/providers/fernet/core.py17:44
morganWe need to be consistent in what invalid tokens do.17:44
lbragstadmorgan: I can roll that into a new patch17:44
morganAh17:45
morganYeah ok.17:45
morganHard to see that from a mobile device17:45
morganNot sure of the benefit to always rerolling a 400 to a 40417:45
morganProb should clean that up in a follow up then.17:45
lbragstadmorgan: I left a comment, I can respin if you want, or address in the follow up..17:46
lbragstadmorgan: up to you17:46
morganDont respin17:46
lbragstadmorgan: alright, i'll address in a follow on patch17:46
morganAs long as 404 is always emitted (except if auth-token is invalid) to the user it doesnt matter much17:46
morganWe can bike shed about internals later.17:46
morganDont rush on the follow up either ;)17:47
morganIt can wait as long as users only see 404 or 401 as expected17:47
gyeemorgan, I told Sam to keep looking at the patch, he's not allowed to take any schnapps today :)17:48
mordredmorgan: cool - so, I think I'm not going to land the ksa change to shade until ksa releases 1.0 (so that I can go ahead and make the requirements line ">=1.0.0") - but the change is ready to fly17:48
morganmordred: ++17:48
morgangyee: good. Please rally some more reviewers. I want that to land if we can.17:48
morganI can hold the rel team a day to land it if it is gating17:49
gyeemorgan, yeah, lhcheng will review it once more17:49
gyeethanks17:49
morganBut if it isnt gating by this afternoon, ffe or mitaka17:49
gyeestevemar, pleeeease if you have cycle17:49
morganSo you have 3-4 hours to get 2x+2 on it17:49
gyeeayoung, free beer on me?17:49
morganAnd it looks good to me, as long as that warning is addressed in a followup17:50
ayounggyee, TANSTAAFB17:50
*** jsavak has joined #openstack-keystone17:50
morganSo you have 1x+2 if you post that followup17:50
ayounggyee, is it ready for review?17:50
morganayoung: it should be.17:50
*** spandhe has quit IRC17:50
gyeeayoung, yes17:50
gyeedstanek, if you review it, I'll fixup Manziel17:51
ayoungmorgan, yes  DNs can have spaces17:52
morganmordred: there are ~2 patches to ksa that could use another +2/+A and we need to check with jamielennox as he asked for another day17:52
ayoungis that a deal breaker?17:52
morganayoung: no. But we need to file it as a bug and fix it post L317:52
gyeeayoung, could be a bug in mod_ssl, seems like it is stripping the spaces17:52
morganKnown limitation is fine17:52
ayounghmm17:52
gyeewe can remove it once mod_ssl is fixed17:52
gyeeremove that comment from the doc I mean17:52
morgangyee: even in the middle of a dn element?17:53
ayoungwhy no spaces?17:53
gyeemorgan, that's what Sam's seeing17:53
morganStrip spaces or convert spaces?17:53
morganHmm so dn=morgan fainberg becomes dn=morganfainberg ?17:53
morganFor example?17:53
gyeestrips the spaces according to Sam17:53
gyeeright17:53
morgan(Fwiw this sounds broken)17:53
gyeejust the DN17:54
gyeeindividual attributes seem fine17:54
morganWeird17:55
morganBecause dn=thing one, ... Should be distinct from dn=thingone, ...17:55
morganWonder if nginx does the same thing17:56
gyeewe haven't tried nginx17:56
ayounggyee, https://review.openstack.org/#/c/156870/59/keystone/middleware/core.py,cm  how do I turn it off?17:57
gyeeany case, I'll ask Sam to file a bug for mod_ssl17:57
gyeeayoung, it is off by default if you don't specify a trusted_issuer in keystone.conf17:57
morganMaybe the rfc is that spaces are ignored17:57
* morgan looks.17:57
morganIf that is the case, it makes life easier, we can collapse spaces ourselves.17:58
ayoungmorgan, why only +1?17:59
gyeemorgan, yes, I'll push  a follow-on patch to make it easier to configure trusted issuer using 'keystone-manage' cli17:59
morganayoung: the inline questions and followup need for the warning downgrade17:59
morganayoung: +2 after those things.17:59
*** yottatsa has joined #openstack-keystone18:00
ayoungmorgan, OK...I'll +1 as well.  gyee we going to get an update with those in time?18:00
morgangyee: looking at cert dn rfc now. Trying to determine relevance of spaces18:00
gyeeayoung, no, I won't be able to do the keystone-manage stuff today18:01
*** yottatsa has quit IRC18:02
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687018:02
gyeeSam can address the minor comments if needed18:02
*** yottatsa has joined #openstack-keystone18:02
morgangyee: ayoung https://tools.ietf.org/html/rfc5280#section-4.1.2.4 looking at what the string types are18:03
*** spandhe has joined #openstack-keystone18:03
morganThis is a seriously dense rfc even compared to most18:03
gyeeright its printable string so space should be allowed18:04
*** yottatsa_ has joined #openstack-keystone18:04
*** yottatsa has quit IRC18:04
*** jsavak has quit IRC18:04
lhchenggyee: what happened to the "ephemeral_user" config for x509?18:05
*** jsavak has joined #openstack-keystone18:05
*** markvoelker has quit IRC18:05
gyeelhcheng, no need, it is supported by mapping now18:06
samleonlhcheng: we changed that in the mapping18:06
samleonin the mapping, it supports ephemeral user as marek pointed out18:06
samleonso no need in the config option anymore18:06
samleongyee, yeah a patch just up18:07
morganExcept apache is assuming issuer is dns compatible as common name is typically so via RFC281818:08
morganEuuw18:08
openstackgerritMerged openstack/keystone: Adds caching to paste deploy's egg lookup  https://review.openstack.org/21932318:08
morganApache might be extracting common name not pure dn18:09
*** marzif has joined #openstack-keystone18:09
morganWhich case it makes some assumptions. And they are kind of not rfc compliant18:09
morganIt looks like18:09
gyeesamleon, lets file a bug for mod_ssl to see what they think18:10
*** mylu has joined #openstack-keystone18:10
samleonyeah, will do that18:11
lhchenggyee, samleon: cool, got it.  will continue to look at the recent changes.18:11
morganAnyway lets add a minor line that indicate apache strips spaces from the middle of the value of the attribute18:12
morganAs why the no spaces are needed18:12
morganThis can be a followup patch18:12
gyeesamleon, ^^^18:12
samleonlhcheng, be aware that ephemeral user is the default one in the mapping for some reasons, so you will have to define 'local' if you want it a regular user18:12
samleonmorgan, yep18:13
morganThat should identify/squash any worries about "whhhyyyy is it like this"18:13
morganIt is crappy but no one can complain this way.18:13
morganWell they can but we dont need to justify it further18:14
*** sdake_ has joined #openstack-keystone18:14
*** csoukup has joined #openstack-keystone18:16
*** __dstanek__ has joined #openstack-keystone18:16
*** sdake has quit IRC18:17
*** sdake has joined #openstack-keystone18:21
*** marzif has quit IRC18:22
*** tonytan4ever has joined #openstack-keystone18:22
*** henrynash has quit IRC18:22
*** marzif has joined #openstack-keystone18:22
*** roxanaghe has quit IRC18:22
*** dsirrine has quit IRC18:25
*** sdake_ has quit IRC18:25
*** marzif has quit IRC18:28
openstackgerritMonty Taylor proposed openstack/keystoneauth: Add session and auth loading to loading.__init__  https://review.openstack.org/21946318:29
openstackgerritMonty Taylor proposed openstack/keystoneauth: Use auth_type instead of auth_plugin by default  https://review.openstack.org/21952018:29
mordredmorgan: ^^ I just fixed those two that jamielennox had outstanding (merge conflict and 2 duplicate lines)18:30
*** phalmos has joined #openstack-keystone18:30
*** jasonsb has quit IRC18:32
*** aix has joined #openstack-keystone18:34
*** petertr7_away is now known as petertr718:38
*** dsirrine has joined #openstack-keystone18:39
*** phalmos has quit IRC18:39
*** phalmos has joined #openstack-keystone18:41
*** sdake_ has joined #openstack-keystone18:41
*** jsavak has quit IRC18:42
*** e0ne has joined #openstack-keystone18:42
*** __dstanek__ has quit IRC18:42
*** jsavak has joined #openstack-keystone18:43
*** slberger has joined #openstack-keystone18:44
*** sdake has quit IRC18:45
*** amakarov is now known as amakarov_away18:46
*** jecarey has joined #openstack-keystone18:46
*** btully has joined #openstack-keystone18:52
*** yottatsa_ has quit IRC18:52
lhchengsamleon: added some comments on the x509 patch, it can be addressed as follow-up. Not worth re-submitting.18:53
lhchenggyee: ^18:53
openstackgerritTerry Howe proposed openstack/keystoneauth: Change auth plugin help text to auth type  https://review.openstack.org/21983818:54
*** harlowja has quit IRC18:54
gyeelhcheng, thanks!18:54
*** harlowja has joined #openstack-keystone18:58
*** markvoelker has joined #openstack-keystone19:00
*** yottatsa has joined #openstack-keystone19:00
*** Ephur has quit IRC19:00
gsilvisstevemar: hey, I'm here now, if you want to talk19:01
*** phalmos has quit IRC19:01
*** mylu has quit IRC19:02
*** mylu has joined #openstack-keystone19:02
stevemargsilvis: i punted over stuff in an email instead19:05
stevemargsilvis: its something for the two dude in the email to bug you about, i was just playing liaison to get them in the right direction :)19:06
gsilvisstevemar: yeah, I noticed that just after I said that19:06
gsilvisstevemar: okay, I'll be ready with possible answers :)19:06
morgandstanek: followup patch for stable interfaces +2/+A19:07
morgandstanek: is that bp "implemented" as far as liberty is concerned?19:08
morgannow19:08
gyeeyay!19:08
stevemargsilvis: haha, cool. thanks dude! it sounds very very familiar to what y'all were doing with cinder/nova, just place that with swift/barbican19:08
gsilvisstevemar: yup, and there's a lot of the same subtleties too, I bet19:08
slbergerHas anyone run into trouble making concurrent requests when using fernet_tokens?  like any more than 10 and you get unauthorized statuses intermittently19:09
*** yottatsa has quit IRC19:10
lbragstadslberger: hmmm, what's your client look like?19:10
*** yottatsa has joined #openstack-keystone19:10
slbergerlbragstad, I don't understand the question19:10
*** yottatsa has quit IRC19:10
lbragstadslberger: FYI, dolphm and I have used this for bench marking before - https://gist.github.com/dolph/02c6d37f49596b3f4298#file-benchmark-sh19:10
lbragstadslberger: you're simulating 10 or more users hitting the keystone server, creating and validating tokens right?19:11
*** yottatsa has joined #openstack-keystone19:12
*** phalmos has joined #openstack-keystone19:12
*** e0ne has quit IRC19:12
*** hrou has joined #openstack-keystone19:13
slbergerlbragstad, yea, this has shown in a few tests our performance team has been running that just tries to boot nova instances19:17
openstackgerritLance Bragstad proposed openstack/keystone: Allow Fernet to return TokenNotFound  https://review.openstack.org/21984819:17
lbragstadmorgan: ^19:17
lbragstadslberger: are you able to pin it down to a specific error message?19:18
slbergerUnauthorized: The request you have made requires authentication. (HTTP 401)19:20
slbergerit happens very sporadically19:20
lbragstadyour performance team isn't attempting a key rotation during the tests are they?19:21
*** yottatsa has quit IRC19:22
lbragstaddolphm: you don't remember anything around that do you? I thought we hit something similar but not towards the end of our testing ^^19:22
slbergerlbragstad, I mean they are testing in an environment with rotation in place19:22
lbragstadslberger: so rotation is being done automatically?19:23
slbergeryea19:23
slbergerevery 15 minutes19:23
lbragstadbut the 401s happen intermittently around that?19:23
slbergerim not sure19:24
slbergerlbragstad, they say the tests only last 5 minutes19:24
lbragstadok, I'd probably check and see if there is a correlation there at all19:24
lbragstadoh...19:24
*** yottatsa has joined #openstack-keystone19:24
lbragstadso it shouldn't even hit the first rotation19:24
slbergerlbragstad, ok I can ask them to check19:24
lbragstadslberger: are they able to run the tests with one user?19:25
lbragstadslberger: these are the validate token results we got with 100 concurrent users - https://gist.github.com/dolph/02c6d37f49596b3f4298#file-validate_token_concurrent-L1519:26
slbergerlbragstad, not sure I think they might be using just one user, they are running tests through rally19:26
jdennisI could use some help, I'm debugging an incorrect URL used for ECP in Saml2UnscopedToken._send_idp_saml2_authn_request()19:27
lbragstadslberger: hmm, if they are running the test with only one user, it wouldn't be concurrent, would it?19:27
jdennisit's sending it to self.identity_provider_url which is set in the Saml2UnscopedToken.__init__(), but for the life of me I can't find where this object is created19:28
jdennisand hence who is providing the identity_provider_url19:29
*** yottatsa has quit IRC19:29
slbergerlbragstad, yea I guess you are right.19:29
*** hideme has quit IRC19:30
lbragstadslberger: is there a load balancer in the equation at all?19:30
lbragstador a cluster of keystone nodes?19:30
*** Guest16076 has joined #openstack-keystone19:30
slbergeryes there is a load balancer19:30
slbergerlbragstad, ^19:31
lbragstadslberger: can they verify that all the keys on the hosts are consistent?19:32
*** chris_19 has joined #openstack-keystone19:32
slbergerlbragstad, from my testing the keys are being synced across all of the keystone instances, but I'm not sure what kind of latency there is between the rotation and sync19:33
lbragstadslberger: ok, that's good19:34
*** roxanaghe has joined #openstack-keystone19:34
mordredmorgan: oh! I may have found a new break19:35
morgan?19:35
mordredin ksa19:35
mordredinterface break - that might break people in the wild using ansible - one sec - lemme see if I can work around it19:36
lbragstadlatency shouldn't be a real problem as long as the staged key is there19:36
mordred(in moving to ksa that is)19:36
lbragstadmfisch: you haven't hit anything like what slberger has, have you?19:37
mfischwe dont rotate much but no issues so fr19:37
mfischfar19:37
mfischwe do the rotation with puppet and ansible19:38
mfischand can have up to 6 hours where keys are mixed19:38
lbragstadmfisch: have you hit issues with concurrent (or non-concurrent) users getting 401s?19:38
mfischI dont think so19:38
mfischI dont hammer the crap out of keystone during rotations19:39
mfischa rotated key may slow perf?19:40
mfischbecause the initial decode will fail19:40
mfischright?19:40
*** jasonsb_ has joined #openstack-keystone19:41
lbragstadwhy would the initial one fail?19:42
*** gyee has quit IRC19:44
*** mylu has quit IRC19:45
mordredmorgan: how do I get the service catalog with ksa?19:45
morganmordred: sec.19:45
mordredin ksc, I did this:19:45
mordred        return self.keystone_session.auth.get_access(19:45
mordred            self.keystone_session).service_catalog.get_data()19:45
*** mylu has joined #openstack-keystone19:45
morganmordred:  right and with KSA i think you need to convert to the access info thing: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/access/access.py#L6219:47
morganlet me 2x check that though.19:47
* morgan is context switching from a phone call with family :P19:47
mordredmorgan: actually - .service_catalog gets it from the AccessInfo - but there doesn't seem to be a way to get the raw catalog19:49
morganah.19:49
mordredfrom the ServiceCatalog object19:49
morganlooking because i know https://github.com/openstack/keystoneauth/blob/master/doc/source/using-sessions.rst#service-discovery also exists.. but you want the complete catalog19:49
*** mylu has quit IRC19:50
mordredyea - mainly because the task I want to do right now is "print out the catalog"19:51
mordred(this is also a feature we have exposed in the os_auth module for ansible19:51
morganok we don't have that in KSA19:52
morganafaict19:52
morganwe can list all endpoints for a service19:52
morganall urls19:52
mordredk. mind if I add an accessor method to ServiceCatalog ?19:52
morgan[seems we can't enumerate services]19:52
morganwould it make sense to enumerate services and then allow enumeration of the endpoints/urls for the services?19:53
morganor you need <raw_catalog>?19:53
mordredyeah - kinda want raw_catalog19:53
morganok. i'm not opposed to that19:53
mordredI mean, that's what we're returning in the catalog field in os_auth19:53
morganjust seeing if we can abstract it19:53
mordrednow - having methods to do the things on it is what I want for real things19:54
morganyeah we can add an accessor method19:54
morganlets just be clear in the docs for that method that it should be avoided where possible. - raw data access opens doors for people to abuse the underlying structure19:55
morganand we are trying to fix that abuse by abstracting the access out to these other methods19:56
morganjamielennox: ^ cc19:56
slbergerlbragstad, wouldn't the initial one fail after a rotation because it would be using an old token19:57
*** erhudy has joined #openstack-keystone20:00
morgansamleon: https://review.openstack.org/#/c/156870/ pep8 failure20:01
morgansamleon: otherwise looks pretty good.20:02
mordredmorgan: yea - just me accessing _catalog in shade gets me what I was looking for there20:02
openstackgerritguang-yee proposed openstack/keystone: Return correct endpoint URL in /v3 response  https://review.openstack.org/20816820:02
morganmordred: ok lets add the method you need.20:02
*** geoffarnold is now known as geoffarnoldX20:03
morgandstanek: does it make sense to roll all of keystone's routers into a single entry in paste-ini and then just deprecate/stub the current ones prior to flask? it means we can shuffle things around a bit more easily?20:05
openstackgerritMonty Taylor proposed openstack/keystoneauth: Add accessor method for raw catalog content  https://review.openstack.org/21986220:05
mordredmorgan: ^^20:05
mordredthere you go20:05
morganmordred: +2 added terry and jamielennox for review though20:06
morganmordred: in case there is a better way that I missed.. you know :)20:06
*** gyee has joined #openstack-keystone20:06
*** ChanServ sets mode: +v gyee20:06
*** roxanaghe has quit IRC20:08
*** roxanaghe has joined #openstack-keystone20:08
jdenniswhois marekd20:10
morganjdennis: marek dennis - from cern20:11
morgan;)20:11
morganjdennis: sorry couldn't resist. i am sure you meant /whois20:11
*** petertr7 is now known as petertr7_away20:12
jdennismorgan: thanks, I forgot the / in front of whois, btw there seems to be a conceptual error in the saml2 code, marek doesn't seem to be around, anyone else I should ping?20:13
morganjdennis: stevemar is a great resource20:13
lbragstadslberger: as long as the key that the token was encrypted with hasn't been pruned from the key repository, it should be able to decrypt it20:13
* morgan tosses stevemar under the bus. :P20:13
stevemaro/20:13
jdennisstevemar: ok you're on the hot seat now :-) it looks to me in keystoneclient/contrib/auth/v3/saml2.py there is only one url for the identity provider20:15
*** sdake_ is now known as sdake20:15
jdennisi.e. the config option identity-provider-url20:16
jdennisbut in SAML an IdP may have many URLs for endpoints which can only be known by fetching the IdP metadata20:16
*** roxanaghe has quit IRC20:17
jdennisI don't see code to fetch the metadata and find the appropriate endpoint URL, is it there?20:17
*** roxanaghe has joined #openstack-keystone20:17
*** roxanaghe has quit IRC20:18
*** roxanaghe has joined #openstack-keystone20:18
*** geoffarnoldX is now known as geoffarnold20:19
stevemarlooking... 1 sec20:19
*** roxanaghe has quit IRC20:20
*** roxanaghe has joined #openstack-keystone20:20
samleonmorgan: got it, fixing it now20:21
morgansamleon: cool20:21
*** markvoelker has quit IRC20:21
lhchengsamleon: maybe you can also incorporate my comments to use _LI() for log.info msg since the pep8 failure is in that area too. :)20:23
stevemarjdennis: so its been a while since i've looked at this20:25
stevemarwhat line are you looking at in https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py20:25
rodrigodsjdennis, stevemar we setup the identity_provider_url upfront20:26
*** Ephur has joined #openstack-keystone20:26
rodrigodswe don't exchange the IdP metadata20:26
jdennisstevemar: now to the nitty gritty details, I'm debugging ECP failures and Saml2UnscopedToken tries to post to self.identity_provider_url20:27
samleonlhcheng, that's what i'm working on now ;-)20:28
jdennisbut that concept doesn't exist in saml, there isn't a single URL, there are many URLs, potentially one per <service,binding> pair on the IdP, you have to know the service and binding to know the URL20:28
*** jsavak has quit IRC20:29
jdennisone looks up the <service,binding> pair in the IdP metadata20:29
openstackgerritTerry Howe proposed openstack/keystoneauth: Raise exception for v2 with domain scope  https://review.openstack.org/21688320:29
*** mpmsimo has joined #openstack-keystone20:29
*** jsavak has joined #openstack-keystone20:30
lhchengsamleon: great20:30
jdennisrodrigods: why isn't the metadata fetched from the IdP?20:30
*** hrou has quit IRC20:30
rodrigodsjdennis, actually... it is, we just don't look at the URLs there20:30
jdennisrodrigods: where is the metadata loaded (in the code) and why isn't it parsed?20:32
rodrigodsjdennis, we generate the IdP metadata using a keystone cli tool20:32
*** topol has quit IRC20:32
stevemarwhich is fetchable through a url20:33
rodrigodsstevemar, ++20:33
rodrigodswe then set this URL in the service provider20:33
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687020:34
*** jsavak has quit IRC20:35
*** jdandrea has joined #openstack-keystone20:35
*** e0ne has joined #openstack-keystone20:35
jdennisrodrigods: I'm still confused, what service provider? With ECP the SP does not determine the IdP, and in any event there isn't one URL with SAML so how can you set a single URL?20:36
*** jsavak has joined #openstack-keystone20:36
rodrigodsjdennis, we do some stuff over ECP20:36
rodrigodswe don't strictly follow it20:36
jdandreaWhen I have a Keystone V2 Client, what's the proper way to tell if the session is expired (e.g., token expired)? Do I use client_obj.session.verify or do I do date arithmetic on auth_ref['token']['expires']? (Trying to locate docs for this.)20:37
*** markvoelker has joined #openstack-keystone20:37
rodrigodsfor example, in k2k the conversation is started by the IdP by sending an ECP wrapped SAML assertion to the service provider20:37
stevemarjdennis: i think the metadata that we configure is only usable for keystone 2 keystone20:38
openstackgerritguang-yee proposed openstack/keystone: Return correct endpoint URL in /v3 response  https://review.openstack.org/20816820:39
*** roxanaghe has quit IRC20:41
*** roxanaghe has joined #openstack-keystone20:41
*** raildo is now known as raildo-afk20:43
*** raildo-afk is now known as raildo20:43
*** spandhe has quit IRC20:45
*** harlowja has quit IRC20:45
morganjdennis: in keystone2keystone it's IDP originated, so you skip the SP -> redirect to IDP -> redirect back to SP dance20:46
morganjdennis: you tell the IDP, "hey i am going to SP, give me an assertion" and then go to the SP20:46
*** roxanaghe has quit IRC20:47
morganjdennis: in theory you could go a step further, but we didn't support the full-featured IDP within keystone, we assumed if you wanted a real IDP you'd point at something like FreeIPA or ADFS. It felt odd to make keystone an IDP for something other than another keystone.20:48
*** markvoelker has quit IRC20:48
morganjdennis: we also didn't rule out moving to where keystone was a full featured IdP.20:48
jdennismorgan: that's all well and good, but how do you know which endpoint at the IdP to post the SOAP Samlp:AuthRequest to?20:49
morganjdennis: this was an intentional choice to start with.20:49
morganit's part of the service catalog20:49
*** roxanaghe has joined #openstack-keystone20:49
morganand you are exchanging your token for an assertion with the knowledge of the SPs url you post to20:49
morganyou don't have to post to the IdP in keystone2keystone in this case.20:50
morganpost SamlP:AuthRequest in the strict SAML sense20:50
morganit's a keystone token.20:50
morganif you are doing keystone as an SP this is very different.20:51
morganand is more like a normal SAML workflow, where based upon your valid IdP selection (There is an enumeration/apriori knowledge depending on sso/non-sso/public/non-public iirc) which does the normal redirect dance20:51
jdennismorgan: is ECP ever used to get an Assertion from an external IdP or is the ECP usage in Keystone strictly limited to k2k?20:55
morganI believe we need ECP in the standard federation as well.20:56
morgani *think*?20:56
morganstevemar: ^20:56
*** slberger has quit IRC20:57
*** slberger has joined #openstack-keystone20:59
*** stevemar has quit IRC21:00
*** petertr7_away is now known as petertr721:04
*** btully has quit IRC21:04
jdennismorgan: http://ur1.ca/nnd7f  here is what I was asked to debug, is this an example of k2k?21:06
morganjdennis: not sure at a glance21:06
morganof course... stevemar just disconnected21:07
*** raildo is now known as raildo-afk21:07
morganjamielennox, marekd: ^ jdennis' question21:07
jdennismorgan: yeah, he knew what was coming :-)21:07
jdennismorgan: ha, jamie asked me to debug this :-)21:07
morganlol21:08
morganstevemar and marekd are the resources I would need to direct you to21:08
morganbut jamielennox can tell you if it's k2k vs non-k2k21:08
jdennismorgan: ok, many thanks for your help21:08
*** stevemar has joined #openstack-keystone21:09
*** ChanServ sets mode: +v stevemar21:09
jdennisstevemar: oh good you're back :-) can you answer my question above with the pastebin, is this k2k or not?21:10
stevemarjdennis: oy vei, i am getting it from all sides :)21:11
stevemarjdennis: paste me brah!21:11
jdennisit's hell being the smartest guy in the room21:11
jdennisstevemar: http://ur1.ca/nnd7f21:12
stevemarjdennis: i tricked everyone21:12
*** dave-mccowan has quit IRC21:14
stevemarjdennis: what about `openstack list federation projects`21:14
jdennisstevemar: is that supposed to be an openstack cli command? If so my openstack cli doesn't know what that means21:17
stevemarjdennis: it should be21:17
marekdjdennis: hi, i am on a suuuuper slow and unstable internet wire, so if i don't respond or hang - sorry, not my fault :( Yes, we are using ECP in a standard federation as well as for k2k.21:18
*** chutwig has joined #openstack-keystone21:18
stevemarhttps://github.com/openstack/python-openstackclient/blob/master/setup.cfg#L26321:18
marekdhowever, i'd suggest investigating keystoneauth and keystoneauth-saml221:18
*** tonytan4ever has quit IRC21:18
*** diazjf has left #openstack-keystone21:18
marekdthere are the plugins with the proper shape.21:18
stevemarthe full command is: `openstack federation_project_list`21:19
*** petertr7 is now known as petertr7_away21:19
stevemarwithout the underscores21:19
*** dims has quit IRC21:19
stevemari'm not sure token issue will work21:19
stevemarit might...21:19
marekdstevemar: jdennis make sure you export OS_IDENTITY_API_VERSION=3 and check whether you have this option in $ openstack -h21:19
stevemareither way, that url looks awful funny21:19
*** dims has joined #openstack-keystone21:19
stevemarPOST /idp/saml2/SSO/21:20
*** petertr7_away is now known as petertr721:20
stevemari dont recall that being in our API http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html21:20
*** spandhe has joined #openstack-keystone21:20
*** harlowja has joined #openstack-keystone21:21
*** edmondsw has quit IRC21:21
*** chutwig is now known as erhudy121:22
*** fangzhou_ has joined #openstack-keystone21:22
*** fangzhou has quit IRC21:23
*** fangzhou_ is now known as fangzhou21:23
jdennismarekd: yes, I'm using the v3 API21:23
gyeelbragstad, lhcheng, is session caching required in Horizon in order for Fernet token to work? I would think not, but just want to 2x confirm21:23
*** dims has quit IRC21:24
jdennismarekd: http://ur1.ca/nnd7f  can you look at this paste please, is this k2k or an example of Keystone trying to use ECP to authn the user?21:25
*** henrynash has joined #openstack-keystone21:25
*** ChanServ sets mode: +v henrynash21:25
lhchenggyee: if you're running on V3. you definitely need a db/memcache session backend.21:26
marekdjdennis: given that this is using keystoneclient it cannot be k2k, because there is no k2k plugin in keystoneclient (there is one in keystoneauth).21:26
*** tonytan4ever has joined #openstack-keystone21:26
*** stevemar has quit IRC21:26
marekdjdennis: but as stevemar mentioned - it's kind of strange url.21:26
gyeelhcheng, that for /v3 in general, or specific to fernet tokens?21:27
marekdjdennis: ah, i think it's IdP's url so i cannot comment on that.21:27
jdennismarekd: the url is strange for two reasons, for some reason the scheme and host are omitted, and second is that jamie gave it to me :-)21:27
marekdjdennis: and now you are giving it to me...but dennis or denis..doesn't really matter :-)21:28
jdennismarekd: it's supposed to go to our IdP, but our IdP has many different endpoints as defined in our metadata, and this is not going to the SingleSignOn SOAP endpoint, it's going to the HTTP-POST endpoint21:28
lhchenggyee: v3 in general.. because horizon stores the catalog in session and the v3 catalog is bigger. I had a proposal to fix that, but folks suggested to just use db/memcache session to workaround the issue :(21:29
morgansamleon, gyee: https://review.openstack.org/#/c/156870/ needs to be marked experimental21:29
marekdjdennis: i think so too, but i cannot advise on your idp setup as I don't even know what you are even using.21:29
morgansamleon, gyee: sorry should have seen that earlier21:29
jdennismarekd: so what I don't understand at the moment is why Saml2UnscopedToken is initialized with just one URL instead of being passed the metadata?21:30
marekdgyee: you didn't respond to my question regarding x509 - what do i get in response when i present my certificate. Is it a token?21:30
gyeemorgan, sure21:30
morganmarekd: the idea is you can either get a token or directly interact with keystone21:30
gyeemarekd, you don't need a token when using certs21:31
morganmarekd: if you auth as you would expect you'd get a token. if you use the x509 cert you can interact with keystone w/o a token [or at least that was the initial design]21:31
marekdmorgan: ok, because i couldn't find that exact explanation in the spec or nowhere.21:31
lhchengmorgan: how do we mark services as experimental? Is that just a doc thing.21:32
*** HT_sergio has quit IRC21:32
*** e0ne has quit IRC21:32
morganlhcheng: mostly21:32
gyeelhcheng, gotcha21:32
morganif it's an extension that goes into JSON home there is more stuff that happens21:32
marekdmorgan: and this is why i was asking why doing all this kind of stuff (groups, roles, mapping) sooooo early in the pipeline21:32
morganit is added to the experimental block21:32
lhchenggyee: are you guys testing fernet with v2 or v3 setup?21:32
lhchengmorgan: cool, good to know.21:33
morgansince this is in the auth pipeline, it is just a doc thing.21:33
gyeelhcheng, both21:33
*** e0ne has joined #openstack-keystone21:33
morgandeployers are warned this is experimental and use / enable at their own risk21:33
gyeemorgan, samleon may be taking a shnap at the moment21:33
gyeelet me update21:33
morganwe try to not introduce bad code, but it hasn't had a lot of eyes/pounding on it21:33
marekdjdennis: whose metadata? idp's metadata?21:34
lhchengmorgan: ah so that's the "status=json_home.Status.EXPERIMENTAL" in the router.  nice.21:34
morganyep21:34
morgan:)21:34
jdennismarekd: yes, the IdP's metadata so it can find the URL matching the <SingleSignOn,SOAP> pair, or is it expected whoever configures identity_provider_url has already done that and knows apriori that URL will only ever be used for SingleSignOn,SOAP21:35
marekdidentity_provider_url should be that link and you should know that apriori.21:36
*** mpmsimo has quit IRC21:36
marekdjdennis: i don't say it's the best, but .... you want to store all the metadata files locally? or instead of the ECP endpoint store url with the metadata?21:37
gyeemarekd, you cool with the explanation? your satisfaction is guaranteed21:37
jdennismarekd: and identity_provider_url will never ever be used for any other SAML operations?21:37
marekdgyee: kind of.21:37
marekdjdennis: it's where you send SAML request (coming from the SP) to the IdP for the first time.21:38
marekdidentity_provider_url ^^21:38
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate LDAP Resource Backend  https://review.openstack.org/20374821:39
marekdidentity_provider_url is a kind of "ask your admin" parameter.21:39
jdennismarekd: what I'm not understanding is that many different SAML requests which could be sent, each may have their own endpoint URL21:39
marekddifferent == because i may want to use different idp ?21:40
*** jsavak has quit IRC21:40
jdennismarekd: no, because depending on the SAML profile you're using you have to find the endpoint at the IdP21:40
*** e0ne has quit IRC21:41
henrynashdstanek: hi…there are a couple more of those data driven assignment tests that you looked at before which are now ready to go in….if you have a moment, perhaps you could do the honors….starting at: https://review.openstack.org/#/c/151962/21:41
marekdjdennis: can we have different ECP profiles?21:42
marekdbecause ksc is all constrained to ECP21:42
*** e0ne has joined #openstack-keystone21:43
jdennismarekd: ksc?21:43
marekdjdennis: keystoneclient21:44
*** marzif has joined #openstack-keystone21:44
*** chris_19 has quit IRC21:44
*** dave-mccowan has joined #openstack-keystone21:45
jdennismarekd: if it's only ever going to contact the IdP using ECP then there is only one URL, the name of the parameter (identity_provider_url) makes it sound like a generic URL to the IdP, not something specific to ECP exclusively21:46
*** petertr7 is now known as petertr7_away21:46
jdennismarekd: specifically it's <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXX"/>21:49
marekdjdennis: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L11321:49
marekdand above that it says it's a client using ecp21:49
jamielennoxjdennis: yea, we always provide the POST url upfront - i don't know why this was long before i had a way of testing this stuff and i was under the impression there was no way to get it otherwise21:50
marekdi am not saying i am completely clean with that...i am saying i am not completely wrong21:50
*** lhcheng_ has joined #openstack-keystone21:51
marekdjamielennox: what post? where?21:51
jdennismarekd: no problem, just trying to sort this out as somebody not familiar with keystone but very familiar with SAML21:51
jamielennoxidentity_provider_url21:51
*** lhcheng_ has quit IRC21:51
marekdit's post because you are already sending saml2 request from the SP21:51
marekdjdennis: sure21:51
*** lhcheng_ has joined #openstack-keystone21:51
jamielennoxmy understanding is that we get the ecp authnrequest from the protect route in keystone - but we don't look at it at all we always POST to a predefined location21:52
marekdjamielennox: yes we do21:52
*** e0ne has quit IRC21:52
jamielennoxi was under the impression that was because there wasn't a way to determine the IDP url otherwise - but it means we should never have ambiguous URLs because we provide the URL21:53
samleonmorgan, hey I'm not sure I understood what needs to be updated in routers.py21:53
*** lhcheng has quit IRC21:54
samleonmorgan, thats for experimental thing21:54
marekdjamielennox: there wasn't a way to determine the idp url21:55
marekdno service discover in ecp afaik -> no automatic idp url21:55
jdennismarekd: it's in the metadata once you know the IdP21:56
marekdi still need to know at least generic idp's url.21:56
marekdapriori21:56
marekdjdennis: we can put that url in the identity provider object in keystone21:56
marekdjdennis: ah, no we cannot.21:57
*** henrynash has quit IRC21:57
jdennisin saml there is only one generic url for an IdP, the one you can fetch the metadata from21:57
marekdhow do i know it?21:57
ayounggyee, you handling making the tokenless experimental?21:57
marekdi need to know it apriori, right?21:57
*** pnavarro|afk has quit IRC21:57
marekdlike i do have to know identity_provider_url apriori now.21:57
*** zzzeek has quit IRC21:58
marekdjdennis: see, the problem is also that one url identity_provider/edugain/protocols/saml2/auth can be 'responsible' for whole federations - so you create one identity provider object and tell all 500 folks within your federation "use that link"21:58
jdennisthat's a great question, I'm not sure this is correct but have you ever noticed the convention that the IdP entityid is the url to its metadata?21:59
marekdotherwise, you would have to create 500 objects and make nice names for their idp21:59
marekdjdennis: i haven't until now22:00
marekdbut that may be true.22:00
marekdnevertheless, i still need to know apriori what idp i am going to use.22:01
marekdjdennis: i connect to identity_providers/edugain/protocols/saml2/auth and i still need to know that my org is CERN22:01
marekdnot ETH or MIT22:01
jdennismarekd: but there isn't one link unless you restrict yourself to exactly one <service,binding> pair22:01
marekdjdennis: with keystoneclient i can only use ECP22:02
marekdare there many profiles of ECP? If so, which one shall I use?22:02
marekdand based on what  algo shall I choose the best one?22:02
marekdi see what you are trying to say: use Metadata, and choose the right endpoint22:02
marekdwe could probably work on that22:03
marekdbut what would be the real added value?22:03
jdennismarekd: that you haven't boxed yourself into a corner and prevented any other use of SAML22:03
jamielennoxmordred: i put a -1 on https://review.openstack.org/#/c/219862/ which would be an easy change if you agree22:04
marekdjdennis: can you specify other use of SAML with regard to  keystoneclient ?22:04
marekdi don't see we can use websso for instance22:04
*** spandhe has quit IRC22:04
marekdso HTTP/POST profiles are out, right?22:05
marekdjdennis: anyway, we could probably add such metadata parsing - i like it :-)22:05
*** jsavak has joined #openstack-keystone22:07
jdennismarekd: yes, you can't use any of the other profiles the way this is set up, maybe that's ok, but as soon as someone has a need for a different profile then identity_provider_url won't work, it's future proofing22:08
marekdjdennis: ok,i understand22:09
*** btully has joined #openstack-keystone22:09
marekdyou are probably right22:09
*** spandhe has joined #openstack-keystone22:09
*** NM has quit IRC22:09
*** HT_sergio has joined #openstack-keystone22:10
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687022:11
*** roxanaghe has quit IRC22:11
*** roxanaghe has joined #openstack-keystone22:12
*** roxanaghe has quit IRC22:12
*** jsavak has quit IRC22:13
*** roxanaghe has joined #openstack-keystone22:13
*** slberger has left #openstack-keystone22:13
*** jsavak has joined #openstack-keystone22:13
*** btully has quit IRC22:13
*** shoutm has quit IRC22:14
*** KarthikB has quit IRC22:14
*** roxanaghe has quit IRC22:15
*** roxanaghe has joined #openstack-keystone22:16
*** roxanaghe has quit IRC22:17
*** roxanaghe has joined #openstack-keystone22:18
*** marzif has quit IRC22:18
*** roxanaghe has quit IRC22:18
*** roxanaghe has joined #openstack-keystone22:19
*** roxanaghe has quit IRC22:19
dstanekhow goes it keystoners?22:19
*** roxanaghe has joined #openstack-keystone22:20
*** roxanaghe has quit IRC22:20
*** roxanaghe has joined #openstack-keystone22:21
*** roxanaghe has quit IRC22:21
*** roxanaghe has joined #openstack-keystone22:22
*** roxanaghe has quit IRC22:22
*** roxanaghe has joined #openstack-keystone22:23
*** sigmavirus24_awa is now known as sigmavirus2422:23
*** roxanaghe has quit IRC22:23
dstaneklbragstad: marekd: anyone working on https://bugs.launchpad.net/keystone/+bug/1482701 ?22:24
openstackLaunchpad bug 1482701 in Keystone "Federation: user's name in rules not respected" [Medium,In progress] - Assigned to Marek Denis (marek-denis)22:24
*** roxanaghe has joined #openstack-keystone22:24
*** roxanaghe has quit IRC22:24
*** tonytan4ever has quit IRC22:24
*** roxanaghe has joined #openstack-keystone22:25
*** jecarey has quit IRC22:25
*** roxanaghe has quit IRC22:25
*** jecarey has joined #openstack-keystone22:25
*** roxanaghe has joined #openstack-keystone22:26
*** roxanaghe has quit IRC22:26
*** roxanaghe has joined #openstack-keystone22:26
*** jsavak has quit IRC22:27
*** roxanaghe has quit IRC22:28
gyeeayoung, samleon just updated it22:28
*** roxanaghe has joined #openstack-keystone22:28
*** roxanaghe has quit IRC22:29
*** roxanaghe has joined #openstack-keystone22:29
marekddstanek: i think there were some nasty things with fernet22:30
*** btully has joined #openstack-keystone22:31
*** thiagop has quit IRC22:31
dstanekmarekd: is there already a code review for it?22:32
marekddstanek: there was a code review for this: https://review.openstack.org/#/c/211093/22:34
marekdbut it didn't fix fernet22:34
marekdscoped fernet*22:34
*** btully has quit IRC22:35
*** phalmos has quit IRC22:35
*** gordc has quit IRC22:36
dstanekmarekd: thx22:37
dstanekso there is still some work to be done for that bug?22:38
marekdi think i got on hold with that after some convos with dolph about dropping name entirely22:40
* marekd should start writing down his thoughts22:40
*** dsirrine has quit IRC22:42
*** spandhe has quit IRC22:43
*** spandhe has joined #openstack-keystone22:45
*** HT_sergio has quit IRC22:46
*** csoukup has quit IRC22:47
openstackgerritDavid Stanek proposed openstack/keystone: Deprecate LDAP Resource Backend  https://review.openstack.org/20374822:52
*** rbak has quit IRC22:53
*** ayoung has quit IRC22:53
*** roxanaghe has quit IRC22:53
*** roxanaghe has joined #openstack-keystone22:54
*** roxanaghe has quit IRC22:54
openstackgerritDavid Stanek proposed openstack/keystone: Fixes confusing deprecation message  https://review.openstack.org/21990622:55
morgandstanek: you're here now!22:56
morgandstanek: so... silly question22:56
dstanekmorgan: yeah, today was a team outing. i'm in SAT this week22:56
morgandstanek: does it make sense to roll up all the routers into a single entry in paste before flask?22:56
morgandstanek: and just stub all the ones we have22:56
dstanekmorgan: no, because that'll mess up what i'm already doing. is that something you needed to do?22:57
morganand deprecate them too22:57
morganno, just figuring out order of things22:57
morganwas pondering if that would make things easier to shuffle things around22:57
morganthat's all22:58
morgandstanek: random thoughts22:58
dstanekmorgan: ah, i see22:58
*** dsirrine has joined #openstack-keystone22:59
openstackgerritMerged openstack/keystone: Correct docstrings in resource/core.py  https://review.openstack.org/21740022:59
dstaneki'm trying to get some reviews done tonight before i start getting ready for tomorrow's bug day22:59
openstackgerritMerged openstack/keystone: Provide new_xyz_ref functions in tests.core  https://review.openstack.org/7052022:59
morganright22:59
morganwait what bug day?22:59
openstackgerritMerged openstack/keystone: Change JSON Home for OS-FEDERATION to use /auth/projects|domains  https://review.openstack.org/21905923:00
dstanekit's a rax initiative for our team23:00
*** annasort has quit IRC23:01
dstanekmorgan: how's the gate been?23:02
morgandstanek: sloooooooow23:02
morganbut haven't seen lots of failures23:02
dstanekcool, could be worse then23:02
morganyah23:03
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a typo in a comment  https://review.openstack.org/21990723:03
*** spandhe has quit IRC23:07
*** ayoung has joined #openstack-keystone23:09
*** ChanServ sets mode: +v ayoung23:09
dstanekayoung: did you ever ask bknudson about those client test failures in py34?23:12
*** sdake has quit IRC23:15
*** hrou has joined #openstack-keystone23:17
*** spandhe has joined #openstack-keystone23:19
*** erhudy has quit IRC23:19
bknudsondstanek: nobody asked me about client test failures in py34.23:20
*** bknudson has left #openstack-keystone23:20
*** bknudson has joined #openstack-keystone23:20
*** ChanServ sets mode: +v bknudson23:20
dstanekthat was sorta like a mic drop23:20
dstanekwe were getting failures because of some deprecation warnings23:21
bknudsonthere are a lot of things that were deprecated in ksc but didn't generate warnings... now they generate warnings23:23
*** roxanaghe has joined #openstack-keystone23:23
dstanekbknudson: here is some sample output http://paste.openstack.org/show/442763/23:27
dstanekbknudson: i haven't looked, just thought you might know23:27
*** sdake has joined #openstack-keystone23:28
bknudsondstanek: this fails when you run it on your system, but doesn't fail in the gate?23:28
bknudsonI don't run the py34 tests very often.23:28
bknudsondstanek: I get a lot of output but no warnings23:30
bknudsonsys:1: ResourceWarning: unclosed file <_io.FileIO name=1 mode='wb'>23:30
bknudsonthat looks bad.23:30
dstanekbknudson: very odd. yeah, works in the gate, but not on my machine23:30
dstanekmaybe i have a missing dep23:30
dstanekwas running it because ayoung said it was failing for him23:31
*** krotscheck is now known as kro_paternity23:34
*** harlowja has quit IRC23:42
*** harlowja has joined #openstack-keystone23:43
gyeemorgan, ayoung, dstanek, https://review.openstack.org/#/c/156870/23:44
gyeehelp a brother out please23:44
*** wwwjfy has joined #openstack-keystone23:45
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/21949323:45
*** markvoelker has joined #openstack-keystone23:46
*** shoutm has joined #openstack-keystone23:49
*** topol has joined #openstack-keystone23:55
*** ChanServ sets mode: +v topol23:55
*** markvoelker has quit IRC23:58
*** topol has quit IRC23:59
