Monday, 2016-01-18

« Sunday, 2016-01-17 Index Tuesday, 2016-01-19 »
*** EinstCrazy has quit IRC00:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Return default value for pkg_version if missing  https://review.openstack.org/22204200:03
*** henrynash has joined #openstack-keystone00:32
*** ChanServ sets mode: +v henrynash00:32
henrynashstevemar: do you know how to debug gate-tempest-dsvm-keystone-eventlet-full (or even where to look at what the test actually does)?00:36
henrynashstevemar: I see my patch (which changes doc strings) continually fail on it….due to a timeout…looks at first glance to be a dubious check in the test for the length of time the test dhold run00:36
stevemarhenrynash: i normally start with console.log to see what failed00:36
henrynashstevemar; yep, did that00:37
stevemarhenrynash: the eventlet run has been super buggy lately00:37
henrynashstevemar: all tests pass, but then it seems to say the test had already timedout by the time t checks to see if it shodl have completed00:37
henrynashstevemar: example: http://logs.openstack.org/68/264068/6/check/gate-tempest-dsvm-keystone-eventlet-full/f575b16/console.html00:38
stevemarjamielennox: yeah, i think it just timed out... http://logs.openstack.org/68/264068/6/check/gate-tempest-dsvm-keystone-eventlet-full/947b46b/console.html#_2016-01-17_21_42_48_60000:38
stevemartime when it ended ... 21:42:48.60000:38
stevemarhenrynash: job started -> 19:46:40.96300:38
stevemari guess theres a 2h limit00:39
*** dims has joined #openstack-keystone00:39
henrynashstevemar: II;ve rechecked 6 or 7 times….so thinking we may need to fix the test!00:39
stevemarhenrynash: i don't think theres a specific single test that's causing it00:40
stevemarhenrynash: i think tempest has a timeout condition, let me check00:40
henrynashstevemar: oh, you mean it may be a tempest thing….no test shlat run more than 2hrs...00:40
stevemarhenrynash: https://github.com/openstack-infra/project-config/blob/a3dcb17a7cf70ca8478486c82ff819e74f1f148c/jenkins/jobs/devstack-gate.yaml#L1890-L189500:41
stevemartimeout 125 minutes00:41
henrynashstevemar: close…very close….00:42
henrynash.stevemar: …adn actually, shold really have failed, since test ran for 115 mins00:42
henrynashshouldn’t really have....00:43
stevemari think that includes the setup too00:43
stevemarcouldn't hurt to propose a change to bump it, i'll whip up a change 1 sec00:43
stevemarhenrynash: i think someone has been adding tempest tests00:43
*** shoutm has joined #openstack-keystone00:45
henrynashok00:45
stevemarhenrynash: oh there's also this: https://github.com/openstack-infra/project-config/blob/a3dcb17a7cf70ca8478486c82ff819e74f1f148c/jenkins/jobs/devstack-gate.yaml#L190700:46
henrynashstevemar: not sure which wins…00:48
stevemarhenrynash: https://review.openstack.org/#/c/268826/00:54
henrynashstevemar: grt, +100:54
*** dims has quit IRC01:01
*** EinstCrazy has joined #openstack-keystone01:19
*** shoutm_ has joined #openstack-keystone01:40
*** shoutm has quit IRC01:40
*** davechen has joined #openstack-keystone02:06
*** jamielennox is now known as jamielennox|away02:14
*** PsionTheory has quit IRC02:24
*** markvoelker_ has quit IRC02:26
*** shoutm_ has quit IRC02:36
*** gsilvis has quit IRC02:37
ayoungcan someone please +2A https://review.openstack.org/#/c/264260/22  ?  stevemar jamielennox|away marekd ?02:38
*** shoutm has joined #openstack-keystone02:39
*** dims has joined #openstack-keystone02:52
*** GB21 has joined #openstack-keystone03:21
*** EinstCrazy has quit IRC03:22
openstackgerritjaveme proposed openstack/python-keystoneclient: Encode the url parameters for base.CrudManager  https://review.openstack.org/25415403:23
*** EinstCrazy has joined #openstack-keystone03:23
*** EinstCrazy has quit IRC03:24
*** EinstCrazy has joined #openstack-keystone03:24
openstackgerritjaveme proposed openstack/python-keystoneclient: Encode the url parameters for base.CrudManager  https://review.openstack.org/25415403:26
*** links has joined #openstack-keystone03:26
*** GB21 has quit IRC03:27
*** EinstCra_ has joined #openstack-keystone03:29
*** EinstCrazy has quit IRC03:29
*** EinstCra_ has quit IRC03:30
*** EinstCrazy has joined #openstack-keystone03:30
*** EinstCrazy has quit IRC03:32
*** EinstCrazy has joined #openstack-keystone03:32
*** EinstCrazy has quit IRC03:34
*** EinstCrazy has joined #openstack-keystone03:35
*** EinstCrazy has quit IRC03:39
*** EinstCrazy has joined #openstack-keystone03:41
*** EinstCrazy has quit IRC03:43
*** EinstCrazy has joined #openstack-keystone03:43
*** EinstCrazy has quit IRC03:44
*** EinstCrazy has joined #openstack-keystone03:44
*** EinstCra_ has joined #openstack-keystone03:45
stevemarayoung: was gonna give that a nice long look first thing tomorrow03:46
ayoungstevemar, that will work03:46
*** EinstCrazy has quit IRC03:48
*** nkinder has joined #openstack-keystone03:51
*** nkinder has quit IRC03:58
*** shoutm has quit IRC04:19
*** shoutm has joined #openstack-keystone04:21
*** fawadkhaliq has joined #openstack-keystone04:23
*** EinstCra_ has quit IRC04:27
*** EinstCrazy has joined #openstack-keystone04:28
*** vivekd has joined #openstack-keystone04:29
*** oomichi has joined #openstack-keystone04:31
*** vivekd has quit IRC04:36
*** shoutm has quit IRC04:40
*** fawadkhaliq has quit IRC04:44
*** shoutm has joined #openstack-keystone04:45
*** oomichi has quit IRC04:50
*** lhcheng has joined #openstack-keystone04:50
*** ChanServ sets mode: +v lhcheng04:50
*** dims has quit IRC04:58
*** spandhe has joined #openstack-keystone05:07
*** lhcheng has quit IRC05:07
stevemarhenrynash: wanna give this a quite look over, it'll help mark a blueprint as completed :) https://review.openstack.org/#/c/259730/05:08
*** daemontool has quit IRC05:27
*** daemontool has joined #openstack-keystone05:27
*** henrynash has quit IRC05:30
*** lhcheng has joined #openstack-keystone05:30
*** ChanServ sets mode: +v lhcheng05:30
openstackgerritSteve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948605:31
*** daemontool has quit IRC05:33
*** fawadkhaliq has joined #openstack-keystone05:34
*** lhcheng has quit IRC05:35
*** jaosorior has joined #openstack-keystone05:41
*** henrynash has joined #openstack-keystone05:49
*** ChanServ sets mode: +v henrynash05:49
*** shoutm_ has joined #openstack-keystone05:50
openstackgerritMerged openstack/keystone: Correct docstrings for federation driver interface  https://review.openstack.org/26406805:50
*** jasonsb has joined #openstack-keystone05:50
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26434605:51
*** shoutm has quit IRC05:52
openstackgerritSteve Martinelli proposed openstack/keystone: document the bootstrapping process  https://review.openstack.org/25973005:59
openstackgerritSteve Martinelli proposed openstack/keystone: Make sure the assignment creation use the right arguments  https://review.openstack.org/26873806:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/26856706:05
*** spandhe has quit IRC06:14
*** Nirupama has joined #openstack-keystone06:32
openstackgerritDave Chen proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261406:37
davechenstevemar: thank you!06:38
* davechen the gating make me sick!06:38
*** lhcheng has joined #openstack-keystone06:39
*** ChanServ sets mode: +v lhcheng06:39
*** jasonsb has quit IRC06:45
*** EinstCra_ has joined #openstack-keystone06:49
*** shoutm_ has quit IRC06:50
*** shoutm has joined #openstack-keystone06:52
*** EinstCrazy has quit IRC06:53
stevemardavechen: yeah :(06:57
stevemardavechen: i'll work with the infra team tomorrow on what the issue is06:57
stevemarlooks like it started on the 15th06:57
*** chlong has quit IRC07:00
*** EinstCrazy has joined #openstack-keystone07:20
*** gildub has quit IRC07:20
davechenstevemar: cool!  hope infra team can release us from "recheck". :)07:21
*** EinstCra_ has quit IRC07:24
*** e0ne has joined #openstack-keystone07:25
*** Nirupama has quit IRC07:25
*** rcernin has joined #openstack-keystone07:41
*** EinstCrazy has quit IRC07:48
*** daemontool has joined #openstack-keystone07:48
*** shoutm_ has joined #openstack-keystone07:48
*** shoutm has quit IRC07:51
*** EinstCrazy has joined #openstack-keystone07:52
*** Nirupama has joined #openstack-keystone07:52
*** henrynash has quit IRC07:57
*** daemontool has quit IRC07:58
*** Nirupama has quit IRC08:10
*** belmoreira has joined #openstack-keystone08:11
*** fawadkhaliq has quit IRC08:12
*** fawadkhaliq has joined #openstack-keystone08:13
*** e0ne has quit IRC08:20
*** oomichi has joined #openstack-keystone08:23
*** Nirupama has joined #openstack-keystone08:29
*** jaosorior has quit IRC08:29
*** jaosorior has joined #openstack-keystone08:30
*** fhubik has joined #openstack-keystone08:35
*** gildub has joined #openstack-keystone08:36
*** jed56 has joined #openstack-keystone08:38
*** comstud has joined #openstack-keystone08:40
*** pnavarro has joined #openstack-keystone08:42
marekdayoung: i added it to my list.08:53
*** fawadkhaliq has quit IRC09:01
*** fawadkhaliq has joined #openstack-keystone09:01
*** daemontool has joined #openstack-keystone09:02
*** daemontool has quit IRC09:03
*** daemontool has joined #openstack-keystone09:03
*** daemontool_ has joined #openstack-keystone09:04
*** shoutm has joined #openstack-keystone09:05
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking cross-version migrations compatibility  https://review.openstack.org/24160309:06
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Online schema migration documentation  https://review.openstack.org/26525209:06
*** shoutm_ has quit IRC09:07
*** daemontool has quit IRC09:08
*** daemontool_ is now known as daemontool09:11
*** jistr has joined #openstack-keystone09:14
*** jaosorior has quit IRC09:17
*** jaosorior has joined #openstack-keystone09:18
*** aix has joined #openstack-keystone09:28
*** lhcheng has quit IRC09:38
*** fhubik is now known as fhubik_brb09:39
*** davechen has left #openstack-keystone09:54
*** fhubik_brb is now known as fhubik09:56
*** Nirupama has quit IRC10:07
*** e0ne has joined #openstack-keystone10:11
*** shoutm has quit IRC10:27
*** shoutm has joined #openstack-keystone10:31
*** bradjones has quit IRC10:38
*** bradjones has joined #openstack-keystone10:40
*** bradjones has quit IRC10:40
*** bradjones has joined #openstack-keystone10:40
*** gildub has quit IRC10:43
*** mhickey has joined #openstack-keystone10:45
*** dims has joined #openstack-keystone10:54
*** shoutm has quit IRC11:08
*** flaper87 has quit IRC11:11
*** flaper87 has joined #openstack-keystone11:11
*** Nirupama has joined #openstack-keystone11:24
*** lhcheng has joined #openstack-keystone11:26
*** ChanServ sets mode: +v lhcheng11:26
*** Nirupama has quit IRC11:27
*** Nirupama has joined #openstack-keystone11:27
*** lhcheng has quit IRC11:31
*** oomichi is now known as oomichi_away11:51
samueldmqmorning all11:56
*** daemontool has quit IRC11:58
*** daemontool has joined #openstack-keystone11:59
*** daemontool_ has joined #openstack-keystone12:04
*** daemontool has quit IRC12:07
*** dims has quit IRC12:10
*** Nirupama has quit IRC12:11
samueldmqI hit that issue with the eventlet job this weekend12:12
samueldmqstevemar: may tht mean our tests are slower ? or something else related to our code vs infra ?12:13
*** fawadkhaliq has quit IRC12:13
*** raildo-afk is now known as raildo12:15
*** josecastroleon has joined #openstack-keystone12:15
*** daemontool_ has quit IRC12:24
*** daemontool_ has joined #openstack-keystone12:25
*** daemontool_ has quit IRC12:25
*** fhubik is now known as fhubik_brb12:25
*** fhubik_brb is now known as fhubik12:25
*** daemontool_ has joined #openstack-keystone12:25
*** bradjones has quit IRC12:30
*** daemontool_ has quit IRC12:31
*** gordc has joined #openstack-keystone12:33
*** fhubik is now known as fhubik_brb12:34
*** chlong has joined #openstack-keystone12:36
*** fawadkhaliq has joined #openstack-keystone12:40
*** pauloewerton has joined #openstack-keystone13:03
*** doug-fish has joined #openstack-keystone13:04
*** dims has joined #openstack-keystone13:11
*** edmondsw has joined #openstack-keystone13:12
*** rcernin has quit IRC13:19
*** iurygregory has joined #openstack-keystone13:19
*** daemontool has joined #openstack-keystone13:21
*** aix has quit IRC13:21
*** fhubik_brb is now known as fhubik13:23
*** links has quit IRC13:33
*** fawadkhaliq has quit IRC13:34
*** lhcheng has joined #openstack-keystone13:40
*** ChanServ sets mode: +v lhcheng13:40
*** lhcheng has quit IRC13:44
*** aix has joined #openstack-keystone13:47
*** edmondsw has quit IRC14:02
*** tjcocozz has joined #openstack-keystone14:07
lbragstadtjcocozz o/14:08
lbragstadtjcocozz mornin'!14:08
tjcocozzgood morning lbragstad14:08
lbragstadtjcocozz sorry I didn't get to your ping last friday regarding https://review.openstack.org/#/c/267649/14:08
lbragstadtjcocozz I had every intention to, but got tied up with a bunch of things14:08
tjcocozzlbragstad, it was small so its not a big deal.14:09
lbragstadtjcocozz still want to walk through that change - I want to make sure I've addressed your comments, too14:09
tjcocozzlbragstad, that would be awesome!14:09
lbragstadtjcocozz cool!14:10
lbragstadtjcocozz so right now - I guess the current bug is that https://github.com/openstack/keystone/blob/1baa32afd0b43887125e35cfba4597556fc187df/keystone/common/authorization.py#L98-L99 are set on every request, regardless of the request using oauth or not14:11
lbragstadso, auth_context['consumer_id'] will be None on every request14:12
lbragstadnot sure how much you can do with that, but...14:12
tjcocozzlbragstad, but what about the method that it calls... it checks if it is scoped before it returns the consumer_id https://github.com/openstack/keystone/blob/d250e82462426f23e1833d6d77b70f998cbe1094/keystone/models/token_model.py#L27114:13
lbragstadtjcocozz yeah - so it should return None, right?14:14
lbragstadhttps://github.com/openstack/keystone/blob/d250e82462426f23e1833d6d77b70f998cbe1094/keystone/models/token_model.py#L27414:14
tjcocozzyes14:14
tjcocozzlbragstad, but it doesn't?14:14
lbragstadoh...14:15
lbragstadtjcocozz I think I know what you're saying14:15
tjcocozzlbragstad, sorry i'm not to good with my words :-)14:15
lbragstadtjcocozz technically - we don't need the else statement here - https://review.openstack.org/#/c/267649/4/keystone/common/authorization.py14:15
lbragstadtjcocozz right?14:16
tjcocozzlbragstad, thats what i am thinking exactly14:16
lbragstadtjcocozz ++ that makes sense14:16
tjcocozzlbragstad, but it is much more readable14:16
lbragstadtjcocozz because we would just be setting auth_context['consumer_id'] and auth_context['access_token_id'] to None, just like we do now14:17
tjcocozzlbragstad, yes sir.14:17
lbragstadtjcocozz so - we seem to do that with some of the other things in that method but I don't think it's 100% consistent14:18
lbragstadtjcocozz for example - we follow that pattern with the trust auth variables but not with the federated group ids.14:18
tjcocozzlbragstad, in token_model.py?14:18
lbragstadin authorization.py14:18
lbragstadthe pattern being - if we are dealing with trust scope we set the trust variables, else we explicitly set them to None.14:20
tjcocozzyeah, in this block of code none of the methods return none.  https://github.com/openstack/keystone/blob/68b7c6c098bcec7635d3c17b7908643aad0bb638/keystone/common/authorization.py#L82-L90 I think you should keep what your doing just so it is easier to understand the code.  Otherwise at mimimum a comment should be added.14:23
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865014:25
tjcocozzlbragstad, do you think the commit message should be updated?14:28
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865014:29
openstackgerritLance Bragstad proposed openstack/keystone: Fix indentation for oauth context  https://review.openstack.org/26764914:29
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778114:29
lbragstadtjcocozz does that work? ^14:29
tjcocozzlbragstad, works for me.14:29
lbragstadtjcocozz awesome - thanks!14:29
tjcocozzlbragstad, :-)14:31
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract token backend tests  https://review.openstack.org/26911114:32
*** daemontool has quit IRC14:35
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865014:36
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet work with oauth1 authentication  https://review.openstack.org/26778114:36
*** fawadkhaliq has joined #openstack-keystone14:38
*** daemontool has joined #openstack-keystone14:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract trust backend tests  https://review.openstack.org/26911514:41
*** petertr7_away is now known as petertr714:44
dstanekanyone know why we seem to be having a hard time getting things through the gate?14:50
dstanekbreton: are you still wanting to push forward on https://review.openstack.org/#/c/167594/ ?14:51
samueldmqdstanek: eventlet gate failing ?14:51
samueldmqdstanek: https://review.openstack.org/#/c/268826/14:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract trust backend tests  https://review.openstack.org/26911514:52
dstaneksamueldmq: i'd have to look and see which one it is14:52
*** superdan is now known as dansmith14:54
samueldmqdstanek: afaik most of the known failures are related to this, see stevemar's patch above14:54
dstaneksamueldmq: has anyone figured out why yet?14:54
dstanekthat and i'm still getting 503s periodically14:55
*** sigmavirus24_awa is now known as sigmavirus2414:55
samueldmqdstanek: well, stevemar's patch proposes to bump timeout for the gate14:55
dstanekso we probably need to figure out the root cause :-(14:56
samueldmqdstanek: but AJaeger left a comment there ...14:56
samueldmqdstanek: exactly, rather than just bumping and forgetting it for a bit14:56
samueldmqdstanek: I agree with you, and I am also getting 503s from times to times14:56
tjcocozzsamueldmq, dstanek the 503's are annoying and they seem random too.14:58
*** lhcheng has joined #openstack-keystone14:58
*** ChanServ sets mode: +v lhcheng14:58
*** fhubik is now known as fhubik_brb14:59
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract catalog backend tests  https://review.openstack.org/26912515:03
*** fhubik_brb is now known as fhubik15:12
samueldmqtjcocozz: dstanek: yeah I guess it's related to a server (behind proxy?) having issues (eg hitting 100% cpu)15:16
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract policy backend tests  https://review.openstack.org/26913315:16
*** timcline has joined #openstack-keystone15:18
tjcocozzsamueldmq, we need to throw more computers at it! lol15:20
dstaneksamueldmq: it looks like the slowness may be just a few tests that are super slow15:26
*** med_ has quit IRC15:28
samueldmqdstanek: yes I agree that may be the root cause, are investigating that ?15:28
samueldmqtjcocozz: haha yes, and remove the failing ones :)15:29
dstaneksamueldmq: yep, llooking for what is slow15:29
samueldmqdstanek: nice, let me know if you need a hand15:30
samueldmqdstanek: running the tests and listing their time should make it easy to identify who's takin a day to run :)15:30
samueldmqdstanek: but it can be tempest tests vs our own suite15:30
*** petertr7 is now known as petertr7_away15:31
*** chlong has quit IRC15:31
dstaneksamueldmq: none of these tests are ours. it's all tempest15:31
dstaneksamueldmq: running all of the tests would be too slow :-)15:32
samueldmqdstanek: harder to debug then15:32
samueldmqdstanek: yep15:32
*** gsilvis has joined #openstack-keystone15:32
samueldmqdstanek: btw I have something to sync with you regarding reorganizing test_backend.py15:33
*** petertr7_away is now known as petertr715:33
samueldmqdstanek: I've discussed with henrynash and I am uploading patches accordingly15:33
samueldmqdstanek: whenever you have some time15:33
dstaneksamueldmq: sure what's up?15:33
samueldmqdstanek: basically splitting test_backend.py, which is too big15:34
samueldmqdstanek: tests should go into their own backend, eg assignment tests will go to unit/backend/assignment/core.py15:34
samueldmqdstanek: and so on15:34
samueldmqdstanek: like https://review.openstack.org/#/c/268307/15:35
dstaneksamueldmq: i agree - i am in the process of doing that to catalog tests https://review.openstack.org/#/c/267297/15:35
dstanekadding real tests to get coverage over the backends15:35
lbragstaddstanek you didn't have a patch for this did you - https://review.openstack.org/#/c/215715/ ?15:36
*** ninag has joined #openstack-keystone15:36
lbragstaddstanek I meant to follow up with you on that one15:36
samueldmqdstanek: I have one just moving code around, yours is doing more than that right?15:36
samueldmqdstanek: you think yours could be rebased on https://review.openstack.org/#/c/269125/ ?15:37
samueldmqand I am glad you agree too :)15:37
dstaneksamueldmq: no, not yet - in my working copy i have almost fixed the tests to run against sql and templated catalogs15:37
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Remove keyring as a test-requiremnet  https://review.openstack.org/26914615:37
dstaneklbragstad: i never had the time to actually finish :-(15:37
lbragstaddstanek no worries! i just didn't want to lose track of it15:37
samueldmqdstanek: nice, after moving the backend tests into their own backend dires15:38
dstaneklbragstad: it's on my trello board. although it seems that there is so much stuff in progress that trello is almost irrelevant now15:38
dstaneklbragstad: also we are down to about 260 bugs on keystone server!15:38
lbragstaddstanek ++15:39
samueldmqdstanek: the idea is to remove test_backend_sql.py in favor of, let's say, backend/identity/test_sql.py and backend/assignment/test_sql.py and so on15:39
dstaneksamueldmq: checkout my patch. i don't think that is the right thing to do15:39
lbragstaddstanek that's surprising because jorge_munoz and I opened a bunch last week ;)15:39
*** nkinder has joined #openstack-keystone15:39
*** phalmos has joined #openstack-keystone15:40
dstaneklbragstad: we've been kicking a** on Friday's (and lots in between :)15:41
samueldmqdstanek: I see, the difference is that we propose to put your BaseTests in backend/catalog/core.py and each backend into their own files (test_sql, test_ldap)15:41
* notmorgan wishes templated catalogs could die15:41
samueldmqdstanek: vs everything inside a test_backends.py file together15:42
notmorgan=/15:42
samueldmqdstanek: is that really different ? :)15:42
notmorganwe should just deprecate templated catalog.15:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract identity backend tests  https://review.openstack.org/26914815:42
dstaneksamueldmq: no. i'd rather see just test_backends.py for each subsystem15:42
lbragstaddstanek hoping that it's been closing irrelevant/invalid bugs earlier too15:42
dstaneksamueldmq: as much as possible i want to make a class (or classes) that hold test cases. then have classes that subclass that and provide backend specific setup15:44
dstaneksamueldmq: of course, skipping tests that can't be implemented15:44
samueldmqdstanek: that's the same in the other proposal15:45
samueldmqdstanek: it's just a matter of where we put the common tests15:45
samueldmqdstanek: and where we put the subclasses (for sql, ldap, ..)15:45
dstaneksamueldmq: i'm saying i'd rather now explode the number of files if we don't need to15:45
dstaneks/now/not/15:46
samueldmqdstanek: makes sense too, and yours is closer to how we organize the code itself15:46
dstanekit's like going from one extreme (very few huge files) to the other (tons of tiny ones) - i'd rather take baby steps15:47
samueldmqdstanek: let's discuss that with henrynash when he's back, so that we will all be in the same page15:47
dstaneksamueldmq: my latest is a little different. i have spit the catalog tests into two classes in a core.py15:47
samueldmqdstanek: yes, but we all agree we should split them based on the module (assignments, identity, etc)15:47
openstackgerritayoung proposed openstack/keystone: Implied roles driver and manager  https://review.openstack.org/26426015:48
*** lhcheng has quit IRC15:48
dstaneksamueldmq: not necessarily module, but along subsystem boundries15:48
samueldmqdstanek: assignment, catalog, endpoint_policy, federation, oauth1, trust, auth, identity, resource, credential, policy, revoke, token15:49
samueldmqdstanek: if those are sybsystem boundries, we're talking the same :)15:49
dstaneksamueldmq: yep. i just want to make sure we are using more precise language to reduce ambiguity15:50
*** pgbridge has quit IRC15:50
samueldmqdstanek: good, what's your definiton of module/submodule ? something standalone ?15:51
dstaneksamueldmq: it's not my definition. in Python a .py file is a module15:52
samueldmqdstanek: so assignment or identity can't be a module, now I understand your point15:53
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Time-based One-time Password  https://review.openstack.org/13037615:53
* samueldmq 's hungry, brb after lunch15:53
dstaneksamueldmq: you could saying they are a package since a package in Python is basically a directory with an __init__.py15:53
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261415:53
dstaneksamueldmq: but i think subsystem is more architecturally accurate15:54
*** josecastroleon has quit IRC15:58
*** josecastroleon has joined #openstack-keystone15:59
*** links has joined #openstack-keystone16:00
*** diazjf has joined #openstack-keystone16:09
*** petertr7 is now known as petertr7_away16:10
*** vivekd has joined #openstack-keystone16:12
*** edmondsw has joined #openstack-keystone16:16
*** slberger has joined #openstack-keystone16:20
*** belmoreira has quit IRC16:22
*** links has quit IRC16:23
*** woodster_ has joined #openstack-keystone16:27
*** tonytan4ever has joined #openstack-keystone16:27
*** josecastroleon has quit IRC16:29
*** josecastroleon has joined #openstack-keystone16:30
*** jaosorior has quit IRC16:34
*** jaosorior has joined #openstack-keystone16:35
*** med_ has joined #openstack-keystone16:37
*** med_ is now known as Guest5121716:37
*** amakarov has joined #openstack-keystone16:39
*** henrynash has joined #openstack-keystone16:42
*** ChanServ sets mode: +v henrynash16:42
*** peter-hamilton has joined #openstack-keystone16:44
*** jaosorior has quit IRC16:46
*** jaosorior has joined #openstack-keystone16:47
bknudson_notmorgan: I thought you'd like templated catalog since it's static.16:47
notmorganbknudson_: difference between static on disk and changing based on auth context16:48
*** _cjones_ has joined #openstack-keystone16:48
notmorganbknudson_: the templated catalog wouldn't be bad except that it requires a lot of overhead to add/remove/change endpoints at an administration level. [i would prefer things be CMS in this regard, but that is a battle i can't win]16:48
-openstackstatus- NOTICE: Gerrit is restarting quickly as a workaround for performance degradation16:49
bknudson_let's change the backend to just store a json blob16:49
*** narengan has joined #openstack-keystone16:49
notmorganwell if that is the case we should also use pgsql, cause it has a json storage type that is better than our hacky one16:50
*** pgbridge has joined #openstack-keystone16:50
notmorganbknudson_: or we could use mongo db, i head document storage and nosql is all the rage16:50
notmorgans/head/hear16:50
bknudson_nice. webscale.16:50
bretondstanek: since we're going to have fernet by default, no.16:54
openstackgerritAlexander Makarov proposed openstack/keystone: SQLAlchemy column type for materialized path  https://review.openstack.org/25144516:54
bretonmemcache for tokens worked not so bad btw.16:55
notmorganbreton: memcache backend?16:57
notmorganugh16:57
notmorgannooooooo16:57
notmorgannever use that16:57
bretonmemcache_pool16:57
notmorgannever use that16:57
notmorgan:P16:57
bretonnope, it was good before fernet16:57
notmorgannever use memcache as a stable storage16:57
notmorganever16:57
notmorganit was a bad idea in grizzly16:57
notmorganit was a bad idea in folsom16:58
notmorganit continues to be a bad idea in mitaka16:58
notmorganit was never a good choice16:58
notmorganusing memcache for stable storage is a terrible idea. memcache_pool did not make it a less terrible idea16:58
bretonnothing else worked on 100 requests per second, and people wanted it.16:58
bretonwhy are tokens a stable storage?16:59
notmorganbecause they are needed to be referenced by keystone16:59
notmorganthey are not really ephemeral until fernet16:59
notmorganand i would say that anyone using memcache is asking for their openstack to fall over in weird ways17:00
*** josecastroleon has quit IRC17:00
notmorganit always caused a ton of issues, sue 100 requests per second... until you issued too many tokens, then you never could auth until tokens expired17:00
bretonwhat's too many tokens?17:01
notmorganmemcache is the worst token backend to use [that is even remotely production possible]. and people "wanting" it means they didn't understand the issues with it / ran at a small enough scale that it didn't matter17:01
notmorganbreton: about 1000 active tokens for a user.17:01
*** josecastroleon has joined #openstack-keystone17:01
notmorgandepending on token size17:01
notmorgancould be more if they used pki17:01
notmorganerm less17:01
notmorgana lot less17:01
bretonwhat's the problem with having 1000 active tokens for a user?17:02
bretonin memcache17:02
notmorganyou exceed the slab size17:02
notmorganfor a given key17:02
notmorganyou can't issue any more tokens until you prune the data in the slab/dump it17:02
notmorganmemcache is not meant to hold giant objects17:02
notmorganwe have to track all the tokens for a given user, so we need an active list of all tokens17:03
notmorganthis all comes down to token revocation hell.17:03
notmorganbecause if a user wants to change password we need to know all the tokens to revoke [even if we don't put them in the revocation list]17:04
notmorganwe have to lookup the list of tokens to delete from memcache, or you never remove a token unless it expires17:04
notmorganor worse.. LRUs out17:04
notmorganif it LRUs out before expiry, you now have actions that should succeed fail because the backend dumped data randomly17:05
notmorganmemcache is not stable storage, tokens need to be in stable storage unless fernet is used17:05
*** sweetJeebus has joined #openstack-keystone17:05
*** dims_ has joined #openstack-keystone17:05
*** vivekd has quit IRC17:08
*** dims has quit IRC17:08
*** hockeynut_afk has joined #openstack-keystone17:10
*** mhickey has quit IRC17:11
*** fhubik is now known as fhubik_brb17:13
*** fhubik_brb is now known as fhubik17:14
*** timcline has quit IRC17:14
*** fhubik has quit IRC17:14
*** timcline has joined #openstack-keystone17:15
sweetJeebusHi. @dolphm, do you have a couple of minutes for a quick chat?17:15
sweetJeebusOr perhaps anyone else who knows a lot about the future direction of keystone?17:16
stevemarsweetJeebus: i'm sure any number of us could answer, whats up17:18
sweetJeebusThanks!17:18
*** e0ne has quit IRC17:19
sweetJeebusWe're looking at the project we've been taking on in which I'm trying to get v3 Identity API running alongside a mixed environment of icehouse and kilo17:19
sweetJeebusand liberty17:19
sweetJeebusand we're wondering if its even worth it.17:19
openstackgerritAlexander Makarov proposed openstack/keystone: SQLAlchemy column type for materialized path  https://review.openstack.org/25144517:19
*** timcline has quit IRC17:19
sweetJeebusWe're talking about getting everything updated to kilo and beyond first, then coming back to this17:20
sweetJeebusbut after a long winded conversation, I need to know one thing in particular17:20
stevemardolphm: dstanek ayoung henrynash marekd jamielennox|away breton look for that nasty eventlet job to be made non-voting, change is being merged now17:20
sweetJeebushow long is v2 expected to be supported? Is there a plan to deprecate it anytime?17:20
notmorganstevemar: dolphm dstanek breton bknudson_ henrynash marekd jamielennox|away i still vote remove eventlet job17:20
notmorgansweetJeebus: as soon as we can.17:21
raildosweetJeebus: https://review.openstack.org/#/c/251530/17:21
notmorgansweetJeebus: ideally mitaka17:21
stevemarsweetJeebus: the plan is still deprecate v2.0 APIs in M17:21
notmorgansweetJeebus: we are very close to having everything happily running v3 all the time17:21
bknudson_notmorgan: do you think we should have a uwsgi job?17:21
sweetJeebusha. That was precise.17:21
sweetJeebusThanks :)17:21
stevemarsweetJeebus: the CRUD APIs will be around for another 4 releases, things like user create, project delete, those things17:21
notmorganbknudson_: i think we can probably do a uwsgi/suburl job for everything17:21
bknudson_notmorgan: I'm working on devstack change and gave for a uwsgi job.17:21
bknudson_gave -> gate17:22
notmorganbknudson_: not just keystone.17:22
stevemarsweetJeebus: the auth APIs, like POST /tokens, we will keep around for a loooong time17:22
notmorganbknudson_: but we should do a uwsgi job imo.17:22
sweetJeebus@stevemar: thanks. I'm going to go suggest we get everything upgraded and then flip to v317:22
stevemarsweetJeebus: ++17:22
sweetJeebusI was already thinking to do that17:22
bknudson_notmorgan: I'd like to see that too but baby steps17:22
stevemarsweetJeebus: glad we could give you a precise answer17:23
notmorganbknudson_: yeah so, lets plan a uwsgi job for keystone/horizon[maybe swift since it is also apache/mod_wsgi supported]17:23
sweetJeebus@stevemar: me too. Thanks17:23
notmorganbknudson_: lets ask the swift folks on that. and then we can look at spinning sub-url on top of that work17:23
notmorganbut def. keystone/horizon in uwsgi17:23
*** vivekd has joined #openstack-keystone17:27
*** itlinux has joined #openstack-keystone17:27
*** daemontool has quit IRC17:30
*** josecastroleon has quit IRC17:31
*** daemontool has joined #openstack-keystone17:31
*** josecastroleon has joined #openstack-keystone17:32
*** petertr7_away is now known as petertr717:33
*** itlinux has quit IRC17:35
*** BrAsS_mOnKeY is now known as g2`17:36
*** daemontool has quit IRC17:38
*** daemontool has joined #openstack-keystone17:39
*** tonytan4ever has quit IRC17:40
*** avarner__ has joined #openstack-keystone17:47
*** avarner__ is now known as avarner17:47
avarnerDoes anyone know how to find a project's parent id, from the command line?17:48
notmorganavarner: if it is anywhere it's in openstack client17:50
notmorgankeystoneclient cli does not work with v317:50
notmorganbut not sure where in openstackclient that is17:50
raildoavarner: if you are using openstack client if v3 enabled, you just need do a 'openstack project get'17:50
*** sweetJeebus has quit IRC17:51
avarnerraildo, thanks, that must mean I don't have v3 enabled17:51
avarnerDo you know how to enable it?17:51
avarnerI just ran the devstack last week, so it should have recent versions of software.17:51
dstanekbreton: i still don't mind deprecating it and the pool in favor of anything else :-)17:51
notmorgandstanek: fernet!17:51
notmorgan:)17:52
dstaneknotmorgan: ++17:52
raildoavarner: you must need set the auth url for v3, for example: 'export OS_AUTH_URL=http://keystone:5000/v3' and the identity api version 'export OS_IDENTITY_API_VERSION=3'17:53
raildoavarner: there is other ways to do that... there is a great post blog for ayoung explaining it: http://adam.younglogic.com/2013/09/keystone-v3-api-examples/17:54
ayoungraildo, that works, but the common CLI should work17:55
ayoungand is easier17:55
raildoayoung: sure17:56
openstackgerrithenry-nash proposed openstack/keystone: Enhance manager list_role_assignments to support group listing  https://review.openstack.org/26565017:57
*** petertr7 is now known as petertr7_away17:58
samueldmqhenrynash: hi17:58
henrynashsamueldmq: hi17:58
*** jaosorior has quit IRC17:59
dstanekayoung: oldy-but-goody https://bugs.launchpad.net/keystone/+bug/1268751 :-)17:59
openstackLaunchpad bug 1268751 in OpenStack Identity (keystone) "Potential token revocation abuse via group membership" [High,Triaged] - Assigned to Lance Bragstad (lbragstad)17:59
avarnerraildo, I set the environmental variables, and `openstack project list` works (but doesn't give parent id's)17:59
avarnerBut when I do 'openstack project get`, it says: openstack: 'project' is not an openstack command. See 'openstack --help'.17:59
ayoungdstanek, if we change over to revocation events, I think that one is closed implicitly18:00
ayoungdstanek, so...depends on Fernet being default, and the work to have uuid and fernet use the same code base and all that....let's target it for this release, and see if we can make it happen18:00
ayoungdstanek, bascially what I said in https://bugs.launchpad.net/keystone/+bug/1268751/comments/2818:01
openstackLaunchpad bug 1268751 in OpenStack Identity (keystone) "Potential token revocation abuse via group membership" [High,Triaged] - Assigned to Lance Bragstad (lbragstad)18:01
samueldmqhenrynash: so, I was talking to dstanek earlier today about spliting test_backend.py18:02
*** josecastroleon has quit IRC18:02
henrynashsamueldmqL ok....18:02
samueldmqhenrynash: he has a different proposal, le me get a link18:02
*** itlinux has joined #openstack-keystone18:02
henrynashsamueldmq: had a feeling he might!18:02
*** josecastroleon has joined #openstack-keystone18:03
samueldmqhenrynash:  hehe https://review.openstack.org/#/c/267297/18:03
samueldmqhenrynash: basically we create a {subsystem} dir inside unit, and then create a test_backends.py to hold the test code18:03
raildoavarner: ops, sorry. try 'openstack project show <project_id>'18:04
samueldmqhenrynash: vs backend/{subsystem}/[core.py, test_sql, ..]18:04
samueldmqhenrynash: which makes sense to me too18:04
avarnerraildo, thanks! working now18:04
raildoavarner: nice :)18:05
dstanekhenrynash: not much different. just want to limit the explosion of files until we need it18:05
avarnercreate works also, i can make child projects18:05
henrynashsamueldmq: so I’m ok with that approach too…..although do we need a test_backend_sql as well?18:05
henrynashsamueldmq: always thouse “test_backend” was a duplicative use of the word test….since we don’t actualluy run teh tests directly in it and it’s already in a test hierarchy!18:06
samueldmqhenrynash: we'd put Base(), SQLTests(Base) and LDAPTests(Base) inside the same test_backend file18:06
*** fawadkhaliq has quit IRC18:06
openstackgerritMorgan Fainberg proposed openstack/keystone: Mark memcache and memcache_pool token deprecated  https://review.openstack.org/26922918:06
samueldmqhenrynash: I meant test_backends.py; them all together18:07
samueldmqhenrynash: since test_backend_sql and test_backend_ldap would be too small files18:07
henrynashsamueldmq: ok, I guess that workds…thinking…..18:07
samueldmqhenrynash: just inheriting from Base and overriding the dirver18:07
notmorgandstanek: ^18:08
*** tyagiprince has joined #openstack-keystone18:08
henrynashsameuldmq: actually, need to drop off for a while…but bascially I trust dstanek’s ideas for tests probably more than my own ;-)18:08
samueldmqdstanek: yes, I agree with you in avoiding the explosion of files18:08
samueldmqhenrynash: nice sir, I also like his proposal, thanks18:09
*** fawadkhaliq has joined #openstack-keystone18:10
dstaneknotmorgan: no plans on removing?18:10
dstanekhenrynash: samueldmq: let's get this done!18:10
tyagiprinceHii.. can someone tell me which python module is there in keystone code for routing purpose? Is it webob?18:10
*** fawadkhaliq has quit IRC18:11
notmorgandstanek: i can't say we can remove it until we have plans to remove uuid tokens too18:11
*** lhcheng has joined #openstack-keystone18:11
*** ChanServ sets mode: +v lhcheng18:11
notmorgandstanek: people, sadly, want to use it and we shouldn't take their toys away as much as i don't want anyone using it18:11
dstanektyagiprince: there are many routers.py files that hold our routes. webob is just for request/response objects18:11
samueldmqdstanek: nice, my plans are to do this as a 2-step process18:12
samueldmqdstanek: 1) split test_backend.py into {subsystem}/test_backends.py, putting only the base test classes for now18:12
samueldmqdstanek: 2) move test_backend_[sql|ldap|...].py into {subsystem}/test_backends.py18:13
dstaneksamueldmq: be careful to only put backend tests in test_backends.py; so nothing that does web requests18:14
dstaneki want that stuff split out into test_v3_api.py and test_v2_api.py18:14
samueldmqdstanek: yes, only backend tests18:14
samueldmqdstanek: I guess all webrequests-based tests are in test_v3*18:15
samueldmqdstanek: and yes, need to be looked separately; btw most of them may be used as functional tests, right ?18:15
*** timcline has joined #openstack-keystone18:15
dstaneksamueldmq: maybe used as functional tests - not entirely sure18:17
*** jistr has quit IRC18:17
* stevemar is finish with lunch and ready for more keystone!18:17
*** timcline has quit IRC18:18
*** timcline_ has joined #openstack-keystone18:18
stevemarnotmorgan: remove memcache pool in 0?18:18
dstaneknotmorgan: in this case their toys are fundamentally broken18:18
notmorgandstanek: i'm happy to do a remove in +218:19
notmorganjust figured i'd start conservative18:19
notmorganstevemar: ^ see my comment to dstanek as to why18:19
stevemarnotmorgan: hmm, okay18:19
openstackgerritSteve Martinelli proposed openstack/keystone: Mark memcache and memcache_pool token deprecated  https://review.openstack.org/26922918:22
stevemardstanek: i changed up https://review.openstack.org/#/c/269229/2 you can rubber stamp it now18:22
dstanekstevemar: notmorgan: stamped18:23
*** david-lyle has quit IRC18:23
stevemarnotmorgan: dstanek oh actually... are there any config options that are specific to memcache and memcache_pool for tokens?18:23
tyagiprincedstanek: I see many files in common directory. and there is router.py file which is being imported to other routers.py files.18:24
tyagiprincedstanek: Is there any documentation which shows me a path to understanding the keystone code?18:26
*** timcline_ has quit IRC18:27
dstanektyagiprince: not really. wsgi.py is basically the starting point for the web requests. the routers.py file have the actually URL -> code mapping18:28
*** timcline has joined #openstack-keystone18:30
stevemarlbragstad: dolphm got a minute to talk about shadow users?18:31
openstackgerritSteve Martinelli proposed openstack/keystone: Make sure the assignment creation use the right arguments  https://review.openstack.org/26873818:32
*** henrynash has quit IRC18:32
stevemarnotmorgan: dstanek wanna help finish the bootstrapping spec? https://review.openstack.org/#/c/268738/3 and https://review.openstack.org/#/c/259730/ should be gating and i can mark it done18:32
*** josecastroleon has quit IRC18:32
dstanekstevemar: sure. popping some lunch in the over, but i'll get on it after18:33
stevemardstanek: cool18:33
*** josecastroleon has joined #openstack-keystone18:33
notmorgandstanek, stevemar we can adjust that down the road once fernet is the default18:35
lbragstadstevemar I can try - but rderose is probably the guy you need18:35
stevemarlbragstad: but he ain't online :O18:35
lbragstadstevemar yeah I just noticed that18:35
stevemarlbragstad: even if https://review.openstack.org/#/c/262045 lands, there's still more work right?18:36
stevemarlbragstad: like making sure the controller create entries in the identity table, and so forth18:36
notmorganhm18:37
lbragstadstevemar yes, I believe so18:37
notmorganstevemar: i am ok with that fix to bootstrap, though we probably should invert the logic for user/project get and do a .get_by_name first and then try and create after? /shrug18:37
*** lhcheng has quit IRC18:39
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split assignment backend tests  https://review.openstack.org/26830718:39
stevemarnotmorgan: you're the one that did it that way :P18:39
*** david-lyle has joined #openstack-keystone18:39
stevemarnotmorgan: potatoe, potato18:39
notmorganstevemar: i know, like i said we maaaaaaaaay want to invert that18:39
notmorganbut for now.18:40
notmorganit's fine18:40
stevemarnotmorgan: just trying to mark BPs complete in launchpad :)18:40
stevemarnotmorgan: and last one: https://review.openstack.org/#/c/259730/18:40
notmorganstevemar: we should say "admin_token" method is not recommended18:41
notmorganbut that can be a followup18:41
*** aix has quit IRC18:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split assignment backend tests  https://review.openstack.org/26830718:42
samueldmqdstanek: this one ^ should be in the format we discussed18:42
notmorganstevemar: https://review.openstack.org/#/c/231872/ needs love :(18:43
*** doug-fish has quit IRC18:43
stevemarnotmorgan: ugh, i know!18:43
stevemari can't untangle it!18:43
*** hockeynut_afk is now known as hockeynut18:43
stevemarnotmorgan: tbh, that was gonna be my goal for the hackathon :P18:43
notmorganoh god.18:43
notmorganthe merge conflicts THE MERGE CONFLICTS18:44
* notmorgan shuffles off back into the cathedral18:44
notmorganstevemar: hope you got the hunchback of notre dame reference there. :P18:46
*** david-lyle has quit IRC18:46
stevemarnotmorgan: i didn't :(18:46
notmorganstevemar: not the disney movie thing either :P18:47
stevemarnotmorgan: when i hear cathedral, i think act 1 in diablo 218:47
notmorganhe says "The Bells... THE BELLS"18:47
notmorganannnnyway18:47
*** jdennis1 has joined #openstack-keystone18:47
*** jdennis has quit IRC18:47
stevemarnotmorgan: oh, did you get approval? i don't need to know, just making talk18:48
notmorganstevemar: oh yeah i need to book flight/hotel though18:48
stevemarwow that came out poorly18:48
stevemaryay!18:48
notmorganwhich is super painful since... <14days18:48
notmorganand i need to book manchester uk trip too.18:48
*** petertr7_away is now known as petertr718:50
notmorganstevemar: i am going to rework the revocation events code a bunch here shortly18:51
stevemarnotmorgan: that's a bold move18:51
dstanekraildo: htruta: any thoughts on https://review.openstack.org/#/c/134095 - seems like it should be easy to fix it up and close another bug18:51
notmorganstevemar: it's speculative but we're doing a lot of work in python we probably don't need to do.18:52
notmorganstevemar: our tests are slooooooowwwwwwwwwwwww18:52
raildodstanek: sure, I'll fix it today :)18:53
stevemarnotmorgan: they are frightfully slow18:53
notmorganstevemar: not as abad as nova's18:53
notmorganbut getting there18:53
stevemardolphm: ping when you're back please18:53
notmorganif we stopped spinning up/down a whole keystone server for things [maybe spin up one per thread and just keep it around and make the tests isolated via another mechanism]18:53
notmorganit would be better18:54
notmorganbut i am betting a ton of the time is evenlet spinup/down18:54
dstaneknotmorgan: i have some patches i am working on to do just that18:54
notmorgandstanek: yay18:54
dstaneki've also been moving things into fixtures18:55
notmorgani mean.. we have SOME things that need their own server, like when we swap out backends.18:55
dstanekand reducing when they are used18:55
* notmorgan nods.18:55
*** tyagiprince has quit IRC18:55
notmorganif i can unwind this ldap thing, i'm gonna push to get it landed today18:55
notmorgansorry if it makes your stuff harder.18:55
notmorganstevemar: omg18:56
notmorganstevemar: this thing moved up to 542 failed tests :(18:56
notmorganoh i see why18:56
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split resource backend tests  https://review.openstack.org/26870218:58
stevemarnotmorgan: i would be SOOOO HAPPY if you could unwind the ldap crap18:58
*** peter-hamilton has quit IRC19:00
dstaneknotmorgan: stevemar: thoughts on a fixture here? https://review.openstack.org/#/c/266396/219:01
dstaneklbragstad: i'll fix up https://review.openstack.org/#/c/266397/2 to make it more obvious. initially that code was doing more work, but i cut it down19:03
*** josecastroleon has quit IRC19:04
lbragstaddstanek ++ works for me; i'm happy with the change. my comment was more of a question than anything else19:04
*** josecastroleon has joined #openstack-keystone19:05
*** avarner has quit IRC19:06
stevemardstanek: rubber stamped19:06
notmorgandstanek: doesn't look bad to me19:07
samueldmqstevemar: https://review.openstack.org/#/c/265650 closes another bp (assignment-maanger-cleanup)19:07
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187219:07
notmorganstevemar: ^ that is just a rebase, and down to 11 failures19:07
notmorganstill wip/unwinding it19:08
*** itlinux has quit IRC19:08
stevemarnotmorgan: cool, bknudson_ had concerns about removing a public function we didn't deprecate19:08
stevemarnotmorgan: if you're seeing the comments in the history19:08
notmorgannope19:08
notmorganwhich function?19:08
notmorgannope19:09
stevemarnotmorgan: https://review.openstack.org/#/c/231872/9/keystone/assignment/backends/sql.py19:09
notmorgani disagree since we just don't ever call it19:09
*** tyagiprince has joined #openstack-keystone19:09
notmorganbut we could just make it return nothing useful.19:09
notmorganor conf.19:09
notmorganas well19:09
lbragstadsamueldmq question for you on a test19:09
stevemaryeah, i think that's what he is saying19:09
stevemarnotmorgan:19:09
stevemar^19:09
*** pnavarro has quit IRC19:10
dstanekbackward compat is overrated19:10
lbragstaddstanek ++19:10
notmorganlet me deal with the other failures before dealing with the relative nitpicking on removal of things19:10
notmorganthat we don't call anymore19:10
*** david-lyle has joined #openstack-keystone19:10
dstanekstevemar: topol: read the o'reilly book yesterday - well written19:11
topoldstanek, Thanks!  That means a lot coming from you!!!19:11
lbragstadsamueldmq  (or anyone up for a test behavior question) this shouldn't return a 200 should it? https://github.com/openstack/keystone/blob/1baa32afd0b43887125e35cfba4597556fc187df/keystone/tests/unit/test_v3_assignment.py#L15119:12
*** lhcheng has joined #openstack-keystone19:12
*** ChanServ sets mode: +v lhcheng19:12
stevemardstanek: hopefully it was nothing new for you :)19:12
*** tonytan4ever has joined #openstack-keystone19:12
stevemardstanek: but thanks!19:12
*** AJaeger has joined #openstack-keystone19:12
dstanekstevemar: nice refresher :-)  it was a quick read which was nice19:13
AJaegerHi keystone cores, I'd like to merge bandit and pep8 targets and have two alternative proposals: https://review.openstack.org/261993 and https://review.openstack.org/265148 . Merging these into one "linter" target (one names it pep8, the other linters) allows us to reduce our CI load. Could you tell me which way you prefer and merge, please? I'll take care of related projects and project-config19:15
AJaegerchange...19:15
notmorganwhat is... _set_default_is_domain_project !?19:15
bknudson_AJaeger: whichever one you prefer works for me.19:16
notmorganit seems to only ever be used in test_backend_ldap19:16
notmorganAJaeger: i'll trust your preference.19:16
notmorganAJaeger: either works for me19:16
stevemarAJaeger: i like dolph's suggestion of just naming it pep819:16
stevemarsince, we're used to that19:16
bknudson_AJaeger: not sure why you proposed both?19:16
AJaegerdolphm: gave a -1 on 261993 (which was using name linters)19:16
AJaegerbknudson_: I proposed 261993 first and then offered the alternative ;)19:17
notmorganAJaeger: having been part of the original discussion, i don't really care which. i like "linter" vs "linters"19:17
notmorganAJaeger: but i'm also fine leaving itpep819:17
bknudson_delint19:17
bknudson_or just lint . I'm lazy19:17
dstanekAJaeger: i like linters better, but i'd be happy with whatever you do19:17
AJaegerwe had some lengthy discussion on #openstack-infra that everybody is used to pep8 but it's named wrongly, it's our target where all lin like jobs are added and somebody proposed linters and we went with that.19:17
bknudson_what happens if there's only one linter?19:17
dstanekbknudson_: ++ to lint19:17
notmorganbknudson_: the job is a linter job, doesn't matter how many19:18
AJaegerIf you want to stay with pep8, fine with me. If we rename, let's use linters ;)19:18
notmorganyou don't call it a "tests" job its a "test" job19:18
notmorgan;)19:18
* notmorgan stops arguing grammar in naming for CS things19:18
dstanekAJaeger: i'd go with linters then if others are moving in that direction anyway19:19
AJaegerdstanek: we're trying to mov slowly in the direction of linters. So, that's a preference but not a hard rule19:20
bknudson_we can modify pep8 and then add linters as an alias, I assume19:20
bknudson_and eventually remove pep819:20
notmorganbknudson_: ++19:21
AJaegerbknudson_: like 261993? Or do you have a better proposal?19:21
notmorganw...t...f19:21
bknudson_AJaeger: like https://review.openstack.org/#/c/265148/1/tox.ini19:21
bknudson_ok, my preference is for https://review.openstack.org/#/c/265148/ since it reuses pep8 which people are used to.19:22
AJaegerbknudson_: will not work - pep8 uses {posargs} and tox is broken, it will not expand19:22
bknudson_I have never passed an arg to tox -e pep819:23
AJaegerbknudson_: ARgh, that's my change - let me double check it ;)19:23
AJaegersure, that works - but if you use the same aliasing for commands as well to alias linters and pep8 it might fail19:24
AJaegerbknudson_: so, the aliasing of pep8 completly to linters - not sure how that works with tox ;(19:26
openstackgerritMerged openstack/keystoneauth: Remove keyring as a test-requiremnet  https://review.openstack.org/26914619:26
*** david-lyle_ has joined #openstack-keystone19:27
*** dslev has joined #openstack-keystone19:28
bknudson_AJaeger: can you do commands={[testenv:pep8]commands}  like you do with deps?19:28
bknudson_echo "Use tox -e linters instead" {[testenv:linters]commands}19:29
AJaegerbknudson_: YEs - unless commands uses {posargs}, then it breaks19:29
AJaegerAnd pep8 currently uses posargs. We can remove it from flake8 and be fine ;)19:29
AJaegershall I update 265148 in this direction (after testing ;) ?19:30
bknudson_AJaeger: I'm fine with 265148 as-is. The renaming can be done in a follow-on.19:30
*** david-lyle has quit IRC19:31
AJaegerthen let me provide a followup for that one...19:32
*** fawadkhaliq has joined #openstack-keystone19:35
*** josecastroleon has quit IRC19:35
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187219:35
notmorganstevemar: ^ down to three failures19:36
*** josecastroleon has joined #openstack-keystone19:36
stevemarnotmorgan: nice19:37
stevemardstanek: wow, i forgot we even had a non-sql backend for this: https://review.openstack.org/#/c/267777/19:37
*** david-lyle_ has quit IRC19:37
stevemardstanek: are there any more kvs backends?!19:37
dstanekstevemar: i don't think so19:37
openstackgerritAndreas Jaeger proposed openstack/keystone: Add linters environment, keep pep8 as alias  https://review.openstack.org/26924819:37
AJaegerHere's the suggested followup, works fine locally ^19:38
* AJaeger adds some comments to tox.ini19:38
dstanekstevemar: token persistence19:38
notmorganyeah that is a bit special19:38
notmorgananyway19:38
notmorgandstanek: lol19:38
notmorganyou know... if those two kvs backends die, we cna just drop the dogpile_kvs code19:38
notmorganstevemar: 2 more tests to unwind!19:38
*** david-lyle has joined #openstack-keystone19:39
openstackgerritAndreas Jaeger proposed openstack/keystone: Add linters environment, keep pep8 as alias  https://review.openstack.org/26924819:39
AJaegeranybody else wants to +2A 265148? I'll work on the infra change then...19:39
AJaegerWait, on infra change after 269248 is in...19:40
notmorganoh these tests are synthetic and not valid. ldap did magic and automatically just defaulted domain_id=default_domain19:41
notmorganstevemar: i might have this all unwound19:42
notmorganstevemar: running fiull tests to make sure19:42
openstackgerritAndreas Jaeger proposed openstack/keystone: Add linters environment, keep pep8 as alias  https://review.openstack.org/26924819:43
AJaegerbknudson_: updated as suggested ^19:43
lbragstadin the process of switching fernet to be the default - I'm seeing a lot of strange assignment issues.19:43
notmorganAJaeger: oh neat19:43
lbragstadamakarov o/ jorge_munoz and I have some trust redelegation questions for you19:44
bknudson_AJaeger: I get errors saying that echo isn't a valid command.19:44
AJaegerbknudson_: I added whitelist_externals19:45
AJaegernow it's fine for me19:45
bknudson_when I run tox -e pep8 it says "WARNING:test command found but not installed in testenv" cmd: /bin/bash19:46
*** itlinux has joined #openstack-keystone19:46
*** david-lyle has quit IRC19:46
bknudson_it's not echo it's bash19:46
AJaegerbknudson_: indeed, found in backcsroll, will fix19:47
bknudson_happens with tox -e pep8, too19:47
AJaegerbknudson_: I noticed echo first, fix it and now it's bash ;/19:48
bknudson_maybe it overrode other whitelist19:49
bknudson_{[testenv]whitelist}19:49
openstackgerritAndreas Jaeger proposed openstack/keystone: Add linters environment, keep pep8 as alias  https://review.openstack.org/26924819:52
AJaegerworks now for me... ^19:52
AJaegerinfra change: https://review.openstack.org/26199419:52
*** timcline has quit IRC19:54
*** timcline has joined #openstack-keystone19:54
AJaegeronce these changes are in and working for a few days, I update the other keystone projects in the same way.19:55
AJaegerIf anything breaks, please ping me and I'll fix19:55
*** fawadkhaliq has quit IRC19:56
bknudson_AJaeger: you're going to remove the bandit job?19:56
*** e0ne has joined #openstack-keystone19:56
AJaegeryes, bknudson_19:57
*** narengan12 has joined #openstack-keystone19:57
*** narengan has quit IRC19:57
*** timcline has quit IRC19:58
AJaegerbknudson_: it first needs the infra job to merge, so added a depends-on...20:00
openstackgerritAndreas Jaeger proposed openstack/keystone: Remove bandit tox environment  https://review.openstack.org/26925320:00
*** spandhe has joined #openstack-keystone20:06
*** josecastroleon has quit IRC20:06
*** josecastroleon has joined #openstack-keystone20:07
*** timcline has joined #openstack-keystone20:08
*** spzala has joined #openstack-keystone20:13
openstackgerritAndreas Jaeger proposed openstack/keystonemiddleware: Merge pep8 and bandit into linters  https://review.openstack.org/26925920:17
openstackgerritAndreas Jaeger proposed openstack/keystonemiddleware: Remove bandit tox environment  https://review.openstack.org/26926020:17
*** tonytan4ever has quit IRC20:19
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187220:20
notmorganstevemar: ^ that should be a complete unwind of all the issues20:21
samueldmqnotmorgan: passing jenkins ?20:21
notmorgansamueldmq: it should once i push the pep8 fix20:21
samueldmqnotmorgan: well, at least tox ens locally20:21
samueldmqnotmorgan: nice!20:22
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187220:22
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261420:22
notmorganyes locally it is passing20:22
openstackgerritayoung proposed openstack/keystone: Implied roles driver and manager  https://review.openstack.org/26426020:22
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261420:22
ayoungnotmorgan, Dangit20:23
samueldmq+60, -1295, beautiful numbers20:23
ayoungthat is going to conflict with my commit, as I had to no-op things in that backend20:23
notmorganayoung: yeah sorry :(20:23
ayoungnotmorgan, If you +2AS mine, I'll do the work to strip it out of yours20:24
notmorganayoung: uhhhhhh20:24
ayoung:)20:24
ayoungnotmorgan, just let mine go through...I'm happy to rebase yours manuyally once it does20:24
notmorganayoung: i'll offer the inverse actually.20:25
notmorganayoung: this one has been a nightmare of rebase hell over and over20:25
notmorganayoung: since a rebase for yours will likely be a git rm <file>20:25
ayoungnotmorgan, I'm, happy to rebase it for you20:25
*** tonytan4ever has joined #openstack-keystone20:25
notmorganayoung: if you were just no-oping things in a driver20:25
ayoungI was responsible for the LDAP code, I'd not mind being part of giving it the old Yeller treatment20:25
ayoungimplied roles backend is ready to go20:26
ayoungnotmorgan, I'll rebase yours now, if you don't mind20:26
notmorganayoung: actually can you let it just sit and pass jenkins20:26
*** petertr7 is now known as petertr7_away20:26
ayoungnotmorgan, happy to20:27
notmorganayoung: i'd really like to know if i caught everything20:27
notmorganayoung: i'll make a deal with you, whichever lands first the other of us rebases the other patchset20:27
notmorganor whichever starts gate first20:27
ayoungnotmorgan, I'd rather rebase mine on yours and you +220:27
notmorganthat is, we just do the rebase on top and call it a day20:27
ayounggetting the +2 on mine is hardest20:27
notmorganwell i'm also not in a real "review code" mind set atm20:27
*** doug-fish has joined #openstack-keystone20:28
notmorganwill be a few hours after chasing that horrible rebase down20:28
notmorganbrain is fried20:28
*** jasonsb has joined #openstack-keystone20:29
*** gildub has joined #openstack-keystone20:31
notmorganstevemar: https://review.openstack.org/#/c/265023/ - this needs your decision20:31
*** jasonsb has quit IRC20:31
*** jasonsb has joined #openstack-keystone20:31
notmorganstevemar: either we need to decide to break environments that use this and revert the revert in master, or we need to land the backports20:32
notmorganstevemar: i do not disagree that it re-introduces the issue, but it is a behavior we have people in the wild relying on.20:32
notmorganstevemar: and it is expected to re-introduce the behavior [it's the whole point of the revert]20:32
*** tyagiprince has quit IRC20:33
*** petertr7_away is now known as petertr720:34
*** vgridnev has joined #openstack-keystone20:36
stevemarnotmorgan: grumble grumble20:36
stevemareither way, someone is gonna be broken20:36
notmorganstevemar: with the revert, very low impact20:36
stevemarnotmorgan: waiting for dolphm to resurface20:36
notmorganswift and swift has already said don't use V2 specific api20:36
notmorganerm middleware w/ name-based20:37
notmorganacls20:37
*** sigmavirus24 is now known as sigmavirus24_awa20:37
notmorganback in like 201420:37
*** josecastroleon has quit IRC20:37
notmorganor so.20:37
*** sigmavirus24_awa is now known as sigmavirus2420:37
notmorgankeystone definitely does not rely on username for anything from the token, and most everyone else uses it at most for "display" [horizon?] type purposes20:38
*** josecastroleon has joined #openstack-keystone20:38
notmorganbased on that, i'll take breaking people relying on username [since that is changable anyway]20:38
*** markvoelker has joined #openstack-keystone20:38
AJaegerbknudson_: is there anything I should do for 269253?20:38
notmorganheck if you use username ACLs and someone's username changes and another person gets it, you're screwed anyway20:38
* notmorgan sticks with the general view that username ACLs with keystoneauth is dumb20:39
bknudson_AJaeger: I think it's going to fail until the bandit job is removed (for example, remove gate-keystone-tox-bandit from https://review.openstack.org/#/c/261994/ )20:40
AJaegerbknudson_: exactly20:40
AJaegerthere's nothing we can do now for that - I commented already20:40
AJaegerjust wanted to know whether I can do anything, e.g. update commit message?20:40
AJaegerOr should I mark as WIP for now?20:41
bknudson_AJaeger: https://review.openstack.org/#/c/261994/4/zuul/layout.yaml doesn't remove gate-keystone-tox-bandit gate20:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split assignment backend tests  https://review.openstack.org/26830720:41
AJaegerbknudson_: it does - it runs it only on liberty20:41
bknudson_AJaeger: oh, that makes sense.20:42
AJaegerif we backport my changes, we can remove it completely20:42
stevemarnotmorgan: btw, ldap patch is failing 2 tests: https://jenkins03.openstack.org/job/gate-keystone-python27/1375/console20:42
* AJaeger prefers small steps here20:42
bknudson_I don't know if it's worth it to backport or not.20:42
notmorganthat was passing locally20:43
AJaegerbknudson_: makes infra setup easier ;) but we do not need to backport20:43
notmorganstevemar:20:43
notmorganstevemar:  our tests suck.20:44
notmorganstevemar: this was passing locally :(20:44
AJaegerbknudson_: let's fix master first and then see whether backporting is worth it20:44
*** _cjones_ has quit IRC20:45
*** _cjones_ has joined #openstack-keystone20:45
*** drjones has joined #openstack-keystone20:47
*** _cjones_ has quit IRC20:47
*** mhickey has joined #openstack-keystone20:47
*** henrynash has joined #openstack-keystone20:49
*** ChanServ sets mode: +v henrynash20:49
*** thiagolib has quit IRC20:49
*** vivekd has quit IRC20:50
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split resource backend tests  https://review.openstack.org/26870220:54
*** phalmos has quit IRC20:55
*** phalmos has joined #openstack-keystone20:57
*** stack_ has joined #openstack-keystone20:57
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187220:58
*** vgridnev has quit IRC20:58
notmorganstevemar: ^ that should fix those two tests now20:58
openstackgerritAndreas Jaeger proposed openstack/python-keystoneclient: Merge pep8 and bandit into linters  https://review.openstack.org/26926820:59
openstackgerritAndreas Jaeger proposed openstack/python-keystoneclient: Remove bandit tox environment  https://review.openstack.org/26926920:59
*** AJaeger has left #openstack-keystone21:01
*** narengan12 has quit IRC21:01
*** Guest31270 is now known as tsymanczyk21:01
*** raildo is now known as raildo-afk21:01
*** stack_ is now known as narengan21:02
*** pauloewerton has quit IRC21:04
*** josecastroleon has quit IRC21:08
*** daemontool has quit IRC21:08
openstackgerritSteve Martinelli proposed openstack/keystone: Mark memcache and memcache_pool token deprecated  https://review.openstack.org/26922921:08
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995821:09
stevemarnotmorgan: fixed up https://review.openstack.org/#/c/269229/3 for you, it was failing pep8, i re-approved21:09
*** josecastroleon has joined #openstack-keystone21:09
notmorganok21:10
notmorgancool thnx21:10
stevemarnotmorgan: np, just trying to clear our patch backlog :)21:10
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split token backend tests  https://review.openstack.org/26911121:14
notmorganoh hah21:17
notmorganit's supposed to be a holiday today21:18
* notmorgan facepalms.21:18
notmorgani was supposed to not work :P or something21:18
*** phalmos has quit IRC21:20
*** tonytan4ever has quit IRC21:20
*** avarner has joined #openstack-keystone21:24
*** lhcheng has quit IRC21:24
*** vgridnev has joined #openstack-keystone21:25
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split trust backend tests  https://review.openstack.org/26911521:27
*** petertr7 is now known as petertr7_away21:37
*** tonytan4ever has joined #openstack-keystone21:38
*** josecastroleon has quit IRC21:39
*** josecastroleon has joined #openstack-keystone21:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split catalog backend tests  https://review.openstack.org/26912521:42
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet default token provider  https://review.openstack.org/25865021:45
lbragstadayoung ^ that's not going to pass but I'm hitting strange assignment issues - mind giving it a once over?21:45
ayounglbragstad, sure21:45
lbragstadayoung thanks21:46
ayounglbragstad, what are you seeing?21:46
lbragstadayoung https://review.openstack.org/#/c/258650/14/keystone/tests/unit/test_v3_assignment.py21:46
lbragstadayoung  for example - i'm not sure how test_crud_user_domain_role_grants passed before21:47
ayounglbragstad, well, the failure might be due to a change on the admin user21:47
lbragstadayoung yeah, that's a possibility21:48
lbragstadbut why would that work with UUID and not with Fernet21:48
ayoungthe UNAUTHORIZED response is that the user making the request is unauthorized...is that supposed to be theadmin user here?21:48
lbragstadwhatever self.user is21:48
ayounglbragstad, kneejerk reaction:  revocation evetns21:48
lbragstadI think that is the user making the self.post, self.get, self.delete, self.patch requests21:48
ayoungthe admin user token got revoked?21:48
lbragstadayoung I don't think it got revoked,21:49
ayounglbragstad, in deleting the role assignment...21:49
lbragstadayoung I was wondering if it was something related to building the role assignments21:49
lbragstadon every auth/validate call21:49
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995821:50
*** ericksonsantos has quit IRC21:51
lbragstadayoung if you run that locally - there are about 20-some patches that fail21:52
lbragstads/patches/tests/21:53
ayoungI'll give it a run21:53
lbragstadayoung and most of them are in keystone/tests/unit/test_auth.py21:53
lbragstadspecifically around trusts and v221:53
*** vgridnev has quit IRC21:53
lbragstadwell, trusts + v2 + fernet21:53
ayounglbragstad, can you +2A this damn one and put it to bed https://review.openstack.org/#/c/26426021:53
dstaneklbragstad: what is self.token_properties here: https://review.openstack.org/#/c/253670/3/keystone/tests/unit/test_v3.py ?21:53
lbragstadayoung yes, i'll review21:54
lbragstaddstanek self.token_properties are the properties the make up unscoped, domain-scoped, project-scoped, and trust-scoped tokens21:55
dstaneklbragstad: why is that being modified in an assertion method?21:56
lbragstaddstanek it could be modified elsewhere, I made self.token_properties as general as a could and then in cases where we need to check for specific scoped, i modified it to include the properties required for that scope.21:57
dstaneklbragstad: i'll have to dig a little deeper. it's being modified there, but not being used so it's not clear why that change is being made21:58
lbragstaddstanek self.token_properties isn't being used?21:59
ayounglbragstad, the ones I am seeing fail are all trusts21:59
lbragstaddstanek line 677 uses self.token_properties22:00
lbragstadayoung yeah - trusts with v2, right?22:00
*** mhickey has quit IRC22:00
dstaneklbragstad: ah i see, you are dynamically creating that schema22:01
lbragstaddstanek yep22:01
ayounglbragstad, looks like it22:01
ayounglbragstad, test_auth is V222:01
lbragstaddstanek since we assert different token properties depending on the scope22:01
lbragstadayoung yeah - that's what I was thinking22:01
ayoungtest_v3_auth is v3.  THere is a little bleed over22:01
ayounglbragstad, let me look at the one you commendted out though22:02
lbragstadayoung i'm not real sure what the correct behavior is in some of those cases.22:02
*** bknudson_ has quit IRC22:02
*** edmondsw has quit IRC22:02
*** diazjf has quit IRC22:03
*** mhickey has joined #openstack-keystone22:04
*** jamielennox|away is now known as jamielennox22:09
*** josecastroleon has quit IRC22:10
*** gildub has quit IRC22:10
*** josecastroleon has joined #openstack-keystone22:11
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995822:12
*** chlong has joined #openstack-keystone22:12
ayounglbragstad, sooooostrange thing.Ran it in the debugger and it succeeded.  I wonder if there is arace condition somewhere in the validation path.22:13
lbragstadayoung ?!22:13
lbragstadreally?22:13
ayounglbragstad, I wouldn't put too much credence in it yet22:14
ayoungits possible that the debugger did something else wonky22:14
ayoungthis was in the log, though22:14
ayoung    RBAC: Invalid token22:14
ayoung    The request you have made requires authentication.22:14
lbragstadayoung yeah I'm getting a few of those too22:14
*** jlk has left #openstack-keystone22:15
lbragstadayoung I think at this point it all edge-cases22:15
ayoungthat is from22:15
ayoungeystone/common/controller.py:84:        LOG.warning(_LW('RBAC: Invalid token'))22:15
ayoungBinary file keystone/common/controller.pyc matches22:15
ayoungkeystone/middleware/auth.py:58:            LOG.warning(_LW('RBAC: Invalid token'))22:15
ayoungone of those two places22:15
ayounglet me change one and see...22:15
slbergerDoes anyone know how I can disable TRACE in the keystone apache configuration?  TraceEnable off only works for apache and not wsgi22:15
ayoung    RBAC: Invalid token passed to middleware22:16
*** dims has joined #openstack-keystone22:17
ayoungslberger, did you make the change in keystone.conf?22:17
ayounglbragstad, so let me see what middleware is seeing...22:17
lbragstadayoung ok22:17
*** narengan has quit IRC22:17
slberger@ayoung, is there a configuration option for that?22:18
*** dims_ has quit IRC22:18
slbergerI did it in /etc/httpd/conf.d/keystone.conf22:18
*** narengan has joined #openstack-keystone22:18
ayoungslberger, yes, it isn /etc./keystone....22:18
ayoungis in22:18
slberger@ayoung, ok let me check. I was unaware that was an option.22:19
slberger@ayoung, you wouldn't happen to know what section it would be in would you?22:20
ayoungslberger, I'd have to look22:20
ayoungslberger, http://git.openstack.org/cgit/openstack/keystone/tree/doc/source/configuration.rst22:21
ayoungslberger, http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n10722:22
slbergerayoung, its in the oslo.log section? seems weird22:25
ayoungslberger, start with degug off22:25
slbergersorry read it wrong22:25
ayounglbragstad, this is failing             token_ref = token_model.KeystoneToken(22:25
ayoung                token_id=token_id,22:25
ayoung                token_data=self.token_provider_api.validate_token(token_id))22:25
*** timcline has quit IRC22:26
*** tsymanczyk has quit IRC22:27
lbragstadayoung why would that fail?22:27
lbragstadi assume it's the validate_token()22:27
ayounglbragstad, no idea, does not log beyond that...still digginh22:27
notmorganayoung: i'm going to be re-writing revoke to leverage SQL rather than python to validate if a token is ok [speculative change] and check performance. this is since we've removed the KVS backend and i know that the rev. backend is slow22:30
notmorganayoung: will ping ya when i get it cleaned up. but with only a SQL backend, the in-python validation seems less optimal.22:30
*** doug-fish has quit IRC22:31
ayoungnotmorgan, I need more context22:31
notmorganayoung: as you scale up, and have more rev. events22:31
notmorganit gets slower and slower22:31
ayoungtrue, and we are, right now, screen against too many22:31
*** doug-fish has joined #openstack-keystone22:31
ayoungwe only need to screen against the explicit ID22:32
notmorganso, instead, i'm going to roll a speculative change to validate that leverages SQL for these lookups.22:32
ayoungall of the invalid X,Y,Z ones are irrelevant now if we check the DB for active users etc22:32
ayoungnotmorgan, premature22:32
ayoungnotmorgan, I'm not saying no22:32
ayoungI'm saying lets do the other first22:32
notmorganthe tree stuff needs to die imo22:32
ayoungregardless22:32
notmorganand the kvs backend is being removed22:33
ayoungpremature optimization...we can;t do what you are saying until both token formate use the same path22:33
notmorganwe have too much logic22:33
ayoungwe need UUID to do the same thing as Fernet22:33
notmorgani'm pushing the logic down to the driver where it belonds22:33
notmorganbelongs*22:33
lbragstadayoung ++22:33
ayoungthat is fine22:33
notmorganso, by doing so i'll just drop a lot of the stuff on the floor.22:33
ayoungbut let's get lbragstad 's done, thne drop the other events, and then do that22:33
notmorganwait what other events are we dropping?22:33
ayoungyou don't need to carry revoke by domain etc22:34
ayoungmost of them22:34
*** doug-fis_ has joined #openstack-keystone22:34
notmorganwhat is the list?22:34
*** narengan12 has joined #openstack-keystone22:34
notmorganwe're keeping then?22:34
ayoungnotmorgan, let me do other things right now...just accept that we are doing this and we can then drop them22:34
ayoungI';m pushed about 3 deep in the stack right now22:34
ayoungtryihng to help lance, and need to work on a critical issue for in house.22:35
ayoungnotmorgan, we'll kill all but revoke by tokenid and a few others that are like it22:35
notmorganok that wont really change what i'm doing so. i'm still out to do the change, it can be rebased on top of whatever you're doing22:36
ayounglbragstad, self.token_provider_api.validate_token  .is that not in token/provider.py?22:36
*** doug-fish has quit IRC22:36
ayoungnotmorgan, that is fine, and I fgully support the effort22:36
*** doug-fish has joined #openstack-keystone22:36
*** spandhe_ has joined #openstack-keystone22:37
lbragstadayoung it might be in common.py22:37
*** narengan has quit IRC22:37
*** spandhe has quit IRC22:38
*** spandhe_ is now known as spandhe22:38
*** doug-fis_ has quit IRC22:38
lbragstadayoung nope it should be in keystone/token/provider.py:204:22:39
ayoungyeah, my logging was truipping me up22:40
*** spzala has quit IRC22:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split policy backend tests  https://review.openstack.org/26913322:40
lbragstadI gotta relocate quick, I'll be on tonight though22:40
*** roxanaghe has joined #openstack-keystone22:40
*** spzala has joined #openstack-keystone22:40
ayounglbragstad, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n210  this fails22:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/26932122:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/26845222:41
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/26845322:41
*** josecastroleon has quit IRC22:41
*** _cjones_ has joined #openstack-keystone22:41
*** josecastroleon has joined #openstack-keystone22:42
*** drjones has quit IRC22:42
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split policy backend tests  https://review.openstack.org/26913322:43
*** dims has quit IRC22:44
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/26933822:45
*** spzala has quit IRC22:45
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/26851322:45
*** spandhe has quit IRC22:46
*** dims has joined #openstack-keystone22:47
*** drjones has joined #openstack-keystone22:47
*** _cjones_ has quit IRC22:48
*** lhcheng has joined #openstack-keystone22:49
*** ChanServ sets mode: +v lhcheng22:49
*** narengan12 has quit IRC22:51
*** mhickey has quit IRC22:53
*** drjones has quit IRC22:55
*** _cjones_ has joined #openstack-keystone22:56
*** tonytan4ever has quit IRC22:56
*** gildub has joined #openstack-keystone22:59
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split identity backend tests  https://review.openstack.org/26914822:59
samueldmqhenrynash: dstanek: split of test_backend should be reviewable now22:59
samueldmqhenrynash: dstanek: starting at https://review.openstack.org/#/c/268307/22:59
ayoungnotmorgan, I think the thin that ias tripping up lbragstad 's test is exactly what we were just talking about23:00
* samueldmq is checking out for today23:00
*** jasonsb has quit IRC23:00
ayoungdeleting a role assignement invalidate all tokens that had that assignement (I think)23:01
*** jasonsb has joined #openstack-keystone23:01
ayoungthat can now go away, but it needs to go away for both UUID and Fernet at the same time23:01
*** bknudson has joined #openstack-keystone23:05
*** ChanServ sets mode: +v bknudson23:05
*** dims has quit IRC23:05
*** dims has joined #openstack-keystone23:07
*** _cjones_ has quit IRC23:08
ayounglbragstad, when you get back:  look at http://paste.openstack.org/show/484216/23:10
ayounglbragstad, the DELETE is for revoke_grant(user_id=1fd3dd98bf924fd786e6c8392dcca3d5, domain_id=9f7e2137b05544e0aa172068acff04b7, role_id=6c33300ec10147d48113870b2c509edb)23:11
ayoungthe token revoke debugging I posted shows that a match with the token that is being rejected:23:11
ayoungREVOKE:name=role_id: key = 6c33300ec10147d48113870b2c509edb23:11
ayoung    REVOKE:name=user_id: key = 1fd3dd98bf924fd786e6c8392dcca3d523:11
ayoungREVOKE:name=domain_id: key = 9f7e2137b05544e0aa172068acff04b723:12
*** josecastroleon has quit IRC23:12
ayoungthe * are wild cards that will match any token23:12
*** _cjones_ has joined #openstack-keystone23:13
*** josecastroleon has joined #openstack-keystone23:13
ayounglbragstad, so the wrong token is being used to make the call. I have not looked at the rest of the patch to see if you changed which token should be used by accident23:14
ayounglbragstad, but this is the change I made http://paste.fedoraproject.org/312164/14531589/23:15
*** sigmavirus24 is now known as sigmavirus24_awa23:15
*** diazjf has joined #openstack-keystone23:26
*** john5223 has quit IRC23:26
*** john5223 has joined #openstack-keystone23:28
*** doug-fish has quit IRC23:28
*** phalmos has joined #openstack-keystone23:30
*** ninag has quit IRC23:30
*** phalmos has quit IRC23:31
*** tsufiev has quit IRC23:32
*** gordc has quit IRC23:34
*** dims has quit IRC23:35
*** gildub has quit IRC23:35
*** _cjones_ has quit IRC23:37
*** _cjones_ has joined #openstack-keystone23:38
*** tsufiev has joined #openstack-keystone23:39
*** dims has joined #openstack-keystone23:39
*** dslev has quit IRC23:40
*** spzala has joined #openstack-keystone23:41
*** _cjones_ has quit IRC23:43
*** drjones has joined #openstack-keystone23:43
*** spzala has quit IRC23:46
*** drjones has quit IRC23:48
*** _cjones_ has joined #openstack-keystone23:48
*** shoutm has joined #openstack-keystone23:49
*** slberger has left #openstack-keystone23:51
*** _cjones_ has quit IRC23:54
*** _cjones_ has joined #openstack-keystone23:55
*** gildub has joined #openstack-keystone23:57
*** drjones has joined #openstack-keystone23:59
« Sunday, 2016-01-17 Index Tuesday, 2016-01-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!