Tuesday, 2016-01-19

*** _cjones_ has quit IRC00:00
*** _cjones_ has joined #openstack-keystone00:03
*** drjones has quit IRC00:03
*** drjones has joined #openstack-keystone00:07
*** _cjones_ has quit IRC00:08
*** spzala has joined #openstack-keystone00:10
*** diazjf has quit IRC00:10
*** gildub has quit IRC00:11
*** drjones has quit IRC00:12
*** _cjones_ has joined #openstack-keystone00:13
*** phalmos has joined #openstack-keystone00:19
*** lhcheng has quit IRC00:22
*** shoutm_ has joined #openstack-keystone00:33
*** phalmos has quit IRC00:34
*** shoutm has quit IRC00:35
*** _cjones_ has quit IRC00:37
*** drjones has joined #openstack-keystone00:37
notmorganstevemar: OMG it's PASSING CHECK https://review.openstack.org/#/c/231872/00:37
stevemarnotmorgan: i left a comment on it00:40
stevemarjust now00:40
notmorganLDAP role?00:40
*** _cjones_ has joined #openstack-keystone00:41
stevemarnotmorgan: it's not like it'll work without LDAP assignment and LDAP resource, but ... we never did deprecate it when we split it out00:41
notmorganwho PUT THAT IN00:41
notmorganreally?! ldap as a role store?00:42
*** drjones has quit IRC00:42
stevemarit's back when EVERYTHING was in ldap00:42
stevemarit was an all or nothing remember00:43
notmorgani don't think that'll actually work00:43
stevemarwhat won't work?00:44
notmorganit's only sortof been tested for a looong time00:44
notmorgani am expecting it to be massively broken if it's really tried00:44
notmorganthats all00:44
*** lhcheng has joined #openstack-keystone00:44
*** ChanServ sets mode: +v lhcheng00:44
notmorganalso i still disagree with the split of roles like we have it now00:45
* notmorgan sees it as relatively pointless to put roles in a separate backend still.00:45
*** _cjones_ has quit IRC00:48
*** _cjones_ has joined #openstack-keystone00:48
notmorganstevemar: replied to your comment00:53
*** diazjf has joined #openstack-keystone00:54
*** fawadkhaliq has joined #openstack-keystone01:00
*** fawadkhaliq has quit IRC01:00
*** dims has quit IRC01:01
*** diazjf has quit IRC01:03
*** _cjones_ has quit IRC01:04
*** gildub has joined #openstack-keystone01:11
*** shoutm_ has quit IRC01:12
stevemarbreton: can you create a release note for: https://review.openstack.org/#/c/233070/01:12
*** markvoelker has quit IRC01:14
*** shoutm has joined #openstack-keystone01:14
*** davechen has joined #openstack-keystone01:14
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187201:21
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Role Backend  https://review.openstack.org/26938501:21
*** dims has joined #openstack-keystone01:23
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove LDAP Role Backend  https://review.openstack.org/26938501:24
*** jasonsb has quit IRC01:29
*** roxanaghe has quit IRC01:36
openstackgerritayoung proposed openstack/keystone: Implied roles driver and manager  https://review.openstack.org/26426001:39
ayoung"notmorgan> who PUT THAT IN"  git blame....You'll find that I did.01:41
notmorganayoung: nope01:41
notmorganayoung: was henrynash in this case01:41
notmorganwhen he split things out01:41
ayoungnotmorgan, he just split it01:41
ayoungI put it in there in the first place01:41
notmorganayoung: yeaj not just role assigments but the ldap role backend specifically01:41
notmorganyou didn't do that i blame henry for splitting it ;)01:42
ayoungthat waws me...needed it back then01:42
*** ccard_ has quit IRC01:42
ayoungthe whole thing is ready for the  long sleep01:42
notmorganyes notice i posted a followup to remove it01:42
ayoungnotmorgan, in a test like this https://review.openstack.org/#/c/258650/14/keystone/tests/unit/test_v3_assignment.py  what user would you expect to be used to do the GET01:44
ayoungline 15101:44
ayoungadmin or this.user?01:45
notmorganno idea01:45
notmorganprob admin if i was guessing01:45
notmorganbut... that is a guess at best01:45
*** ccard_ has joined #openstack-keystone01:46
ayoungneed to fix that test to get Fernet working...but I;m not sure what the original intent was01:46
notmorganmake it up01:47
lbragstadayoung what intent?01:47
ayounglbragstad, so here is why that test fails01:47
lbragstadayoung just catching up01:47
ayounglbragstad, so the user that is used earlier in the test is the user associated with the token used to do the GET01:48
ayoungin the above stuff I pasted, user_id = 1fd3dd98bf924fd786e6c8392dcca3d501:48
ayounglbragstad, if the user got a new token, or a token for a different domain, the call would pass01:49
ayoungit fails because the token is invalid, because the user no longer has a role on the domain: the delete right before got rid of that assignment01:49
ayounglbragstad, I'd be temped to debug on master and see what happens.01:49
ayoungEither the GET origianlly was called with the admin user or the user got a new token01:50
lbragstadayoung ahh...01:52
lbragstadayoung so most of those failures were a result of the testing setup?01:53
ayounglbragstad, I was looking at the rest of the review, maybe due to the change in the v3_test.py?01:53
ayounglbragstad, but it does not look like that would change things01:53
lbragstadthis - https://review.openstack.org/#/c/258650/14/keystone/tests/unit/test_v3.py ?01:54
ayounglbragstad, It shouldn't should it?01:59
ayounglbragstad, I'm going to see what happens on master02:00
lbragstadayoung I wouldn't think so - that's just making sure a key repository exists02:00
ayounglbragstad, that is all we *think* it is doing02:00
lbragstadayoung  yeah, exactly02:01
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/26845202:04
*** dslev has joined #openstack-keystone02:08
ayounglbragstad, so the master code def gets a new token02:09
lbragstadayoung I think I just rebased all those patches today?02:10
lbragstadayoung starting with the oauth + fernet ones02:10
lbragstadayoung https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:isadmin_protection02:10
ayounglbragstad, so the problem is before the call, I think.  I think it is the test getting a new token02:18
ayoungand the new token is requesting with the domain role...02:18
ayounglet me run it again to confirm, I kindof skipped that02:18
lbragstadso the token is domain-scoped?02:18
ayounglbragstad, nope, I was wrong02:21
ayoungrequesting that token succeeds. And it is a project scoped token02:22
lbragstadbut it doesn't succeed with a domain-scoped token?02:22
*** david-lyle has joined #openstack-keystone02:22
ayounglbragstad, it builds the toke request that you see here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3.py#n28702:28
lbragstadayoung ah - that looks project scoped02:28
ayounglbragstad, it passed02:28
ayoungthe delaty due to debugger, I think02:28
ayounglet me remove the rpdb line02:28
lbragstadayoung ok02:28
ayounglbragstad, ok that failed.  I'm going to put a sleep 1 in there02:29
lbragstadayoung do our tests get two different tokens based on time?02:29
davechenmarekd, henrynash: I will work out a patch to support v9 version of catalog driver interface to support the change for service provider filtering.02:30
davechenmarekd, henrynash: let me have a try.02:30
ayounglbragstad, yep, that passes02:30
ayounglbragstad, I think that the new token is getting marked as revoked02:30
lbragstadayoung sql datetime issues...02:31
lbragstadtruncation stuff02:31
ayounglbragstad, OK, new hypothesis02:31
*** dslev has quit IRC02:31
ayoungwhen we call: self.delete(member_url)02:31
ayoungit revokes all for the project02:32
ayoungfor that user02:32
ayoungit gets a token, and then uses it within a second02:32
ayoungand the old event is still showing it as revoked.02:32
ayoungIts the timestamp thing you were working on before02:32
lbragstadayoung yeah - but do our tests use sql or sqlite?02:33
lbragstadsqlite supports subsecond precision, right?02:33
ayounglbragstad, you know, I can't remember.  We've waffled on that so many times02:33
lbragstadayoung i completely agree that it smells very familiar02:33
ayounglbragstad, again I am shrugging02:34
lbragstadif a sleep(1) causes a different outcome that would seem to make sense02:34
ayounglbragstad, so...we order things like this:02:34
ayoung1.  make UUID use the same thing as Fernet02:34
lbragstadmaybe we focus on getting https://review.openstack.org/#/c/243742/ in?02:34
ayoung2.  Kill the unnecessary revoke events02:35
ayoung3.  Make ferent default02:35
lbragstadayoung I have patches up for all three of those02:35
lbragstadayoung  and so does jorge_munoz :)02:35
ayounglbragstad, looking02:36
lbragstad1 - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:consolidate-fernet-provider02:37
lbragstad2 - https://review.openstack.org/#/c/253273/02:38
lbragstad3 - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:isadmin_protection02:38
ayounglbragstad, do we need to focus on https://review.openstack.org/#/c/266052/1  frist then?02:38
lbragstadayoung  I think that was specific to the removal of the revocation events stuff02:38
ayounglbragstad, I think there are tests that have been +2ed but that can;'t go in until that one edes02:39
lbragstadayoung jorge_munoz has been digging into those a lot in the last few days - he knows more about trusts than I do at this point02:39
ayounghttps://review.openstack.org/#/c/253273/  is all he has up02:40
lbragstadthe removal of the domain id and project id from revocation events sparked the trust discussion - which led to all the refacots02:40
lbragstadayoung I think he has a couple patches locally?02:40
ayounglbragstad, those don't do us any good.02:40
lbragstadI know he was working on one today for the redelegation conversation we had friday02:41
lbragstadayoung he found another issue we redelegation, specifically with trust chaining?02:41
ayounglbragstad, OK...I'm going to put this aside for now.  lbragstad you can keep on with this patch by putting a delay in.02:42
ayoungOnce we fix the other isseus, you should be able to pull the delay02:42
lbragstadayoung I'll work with jorge_munoz tomorrow to get everything he has locally pushed up02:42
lbragstadayoung can we reconvene sometime tomorrow?02:42
ayounglbragstad, sounds good02:43
lbragstadayoung thanks for all your help02:43
ayounglbragstad, I have to make Tripleo use Keystone HTTPD....highest priority for us02:43
ayoungand I think we all agree that Eventlet needs to die, that is another anchor we can cut02:43
*** markvoelker has joined #openstack-keystone02:52
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187202:55
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Role Backend  https://review.openstack.org/26938502:55
*** markvoelker_ has joined #openstack-keystone02:56
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Role Backend  https://review.openstack.org/26938502:57
*** e0ne has quit IRC02:59
*** e0ne has joined #openstack-keystone03:00
*** markvoelker has quit IRC03:00
*** markvoelker_ has quit IRC03:01
*** e0ne has quit IRC03:01
stevemarlbragstad: dolphm heads up, i bumped shadow users to mitaka-303:04
*** markvoelker has joined #openstack-keystone03:06
*** avarner has quit IRC03:07
ayounglbragstad, can you please +2A the damn Implied roles patch so I can beat the rebase race with LDAP ?03:11
ayoungor at least +2 it and I'll get henrynash to +A03:11
*** dims has quit IRC03:20
stevemarlhcheng: ping, if you have a few minutes: https://review.openstack.org/#/c/257376/ you reviewed some of the previous patches from this bp, this should be the last one03:26
*** links has joined #openstack-keystone03:27
lhchengstevemar: sure will take a look03:30
*** jasonsb has joined #openstack-keystone03:31
*** ccard_ has quit IRC03:31
*** ccard_ has joined #openstack-keystone03:32
*** woodster_ has quit IRC03:36
lbragstadayoung responded in line03:45
ayounglbragstad, umm...c;mon03:47
ayoungits a nit...and that is where it is in every other SQL class03:47
ayounglbragstad, let's just put the damn thing to rest...03:47
openstackgerritLin Hua Cheng proposed openstack/keystone: Implied roles driver and manager  https://review.openstack.org/26426003:48
ayoungor we could see what Lin has for us03:48
lhchengI fixed the comment from lbragstad, and also the typo from my last comment.03:48
openstackgerrithenry-nash proposed openstack/keystone: Add support for strict url safe option on new projects and domains  https://review.openstack.org/25737603:49
ayounglhcheng, thanks.  diffed and +2ed already.  If you feel OK +2ing now...03:49
ayounglhcheng, coulda swore I made that change03:50
lhchengayoung: there were two instances from the two classes03:50
lhchengayoung: I did the comment were first on the first instance03:51
ayounglhcheng, +2 other than that?03:51
lhchengayoung: +A -ing mine and other folks comments are addressed in the latest patch03:53
ayounglhcheng, TYVM03:53
ayounglhcheng, thanks for inspiring me to refactor the tests on https://review.openstack.org/#/c/242614/53/keystone/tests/unit/test_v3_assignment.py03:56
ayoungI think they are much more readable now03:56
ayoungdid I post those for review?03:56
lhchengayoung: don't think it was me, I haven't reviewed that patch :)03:57
ayounglhcheng, it was Dave CHen...sorry...but please take a look when you can.  It is the follow on to the Driver one, and might be easier with the driver code fresh in mind03:57
lhchengayoung: I have to step out for a bit, starred the patch, will take a look first thing in the morning03:58
ayounglhcheng, thanks.03:58
openstackgerritMerged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/26933803:59
ayounglhcheng, we have all of henrynash 's that are based on it, so I'd like to get the process moving.  THanks for your help thus far03:59
lhchengayoung: any other patch that needs immediate attention?03:59
ayoungput the time in to the API one.04:00
ayounglhcheng, there is a remove LDAP one that  I'll be rebasing now that you've helped me get mine in04:00
lhchengayoung: gotcha, will focus on the API one04:00
ayoungnotmorgan was working on it, and it removes the LDAP assignemtn driver (yay)04:01
ayounglhcheng, after that, for this path it is DOmain specific roles, which I expect to be a topic of discussion at the midcycle04:01
notmorganayoung: warning there are two and one maaaaay be grumpy at the gate, i gave up and made food instead04:01
ayoungthat is henrynash 's work, and I think its on target, but needs people's full attention.  THose are based on the role inference rules from this patch, so its a direct chain04:01
lhchengayoung: are you aware of any issue using v3 and LDAP assignment?04:02
notmorganlhcheng: ldap assignment is dead04:02
notmorganlhcheng: seriously04:02
ayounglhcheng, yeah so v3 and LDAP assignm,ent would never work anyway04:02
ayoungno domains04:02
lhchengsomeone from wiki have that issue04:02
lhchengthey're still running an older release04:02
notmorganthey already had plans to move away04:02
notmorganit was wiki and cern as the only two running ldap assignment04:03
notmorganthey started making plans back when i sent the original email ~1yr ago04:03
notmorganso i am not worried about wiki04:03
notmorganand if they are broken, it really isn't a lot we can do to save them because LDAP assignment was pretty broken / unfixable back in juno, and has bitrotted at best since :(04:04
lhchengnotmorgan: sounds like they are sticking to it until we remove it..04:04
lhchengso they are upgrading right now to a newer version..04:04
notmorganlhcheng: well. in Mitaka ldap assigment is gone04:04
lhchengLiberty I think04:04
notmorganif my patch lands04:04
notmorganliberty it's there but they should ditch it.04:04
notmorganyou can't really do V3 with LDAP assignment04:04
lhchengI guess they should hold their move to V3 until they move out of LDAP assignment04:04
ayounglhcheng, they knew this, but then the one dev that had this all in his head left04:05
notmorganayoung: LDAP assignment is pinning for the fjords04:05
ayoungnotmorgan, its not pining its passed on04:05
ayoungbereft of life04:05
ayoungit rests in peace04:05
notmorganayoung: it's passed on, is no more, has ceaded to be, e's expired and gone to meet 'is maker04:05
ayoungjoined the bleeding choir invisibule04:06
notmorganayoung: bereft of life, rests in peiease... kicked the bucket, shuffed off the mortal coil04:06
ayoungwell...not yet.04:06
ayoungbut its been very ill04:06
notmorganthis is an EX Assignment driver04:06
* notmorgan sees himself out04:06
lhchengnotmorgan: cool, will let them know about V3 with LDAP assignment not possible. And maybe convince them to try to go away from LDAP assignment as early as now.04:06
notmorganlhcheng: ++04:06
notmorgani know i talked to ~3 different people there on this topic as ptl04:07
* notmorgan shrugs.04:07
lhchengnotmorgan: sometimes code just have to be removed to get people moving :P04:07
notmorganlhcheng: say that for https://review.openstack.org/#/c/269385/04:08
notmorganlhcheng: https://review.openstack.org/#/c/231872/17 this is the removal patch fwiw04:09
lhchengwhat is it still waiting for?04:09
ayoungnotmorgan, its not dead yet.  Its thinking of going for a walk..04:09
notmorganayoung: hah04:09
notmorganayoung: god no.04:09
notmorganayoung: i need whiskey if that is the case04:09
ayoungit feels happy!04:09
notmorganand sadly, i am bereft of whiskey04:09
ayoungnotmorgan, not I04:10
lhchengnotmorgan: ah waiting for the other patch, I have to get used to reading the dep chain in the new gerrit ui.04:10
notmorganok i feel good, i got to use bereft in a sentece today04:10
notmorganlhcheng: yeah04:10
notmorganayoung: i have plenty of wine04:10
notmorganbut i ran out of whiskey04:10
notmorganjust finished my bottle of Freya :(04:10
lhchengnotmorgan: I'll add to my review list04:10
notmorganthe balvennie i had was gone a few weeks ago04:10
notmorganayoung: and i haven't made it to a liquor store [gah oregon liquor laws suck... whyyyyyy does it have to be a state-run store]04:11
notmorganalso the really good stuff is hard to find.04:11
ayoungnotmorgan, works well in NJH04:11
notmorgani like the california model04:12
notmorganstores can sell alcohol and wine and such04:12
notmorganso go to a supermarket and you can get things like brandy or such for cooking04:12
jamielennoxnotmorgan: at some point can you have a look at https://review.openstack.org/26866404:12
notmorganjamielennox: maaaaybe04:12
notmorganwait wut, really?04:12
jamielennoxnotmorgan: afaik you're the only person who understands oslo.cache so i just want to know if that's sane04:13
notmorganoh oh oslo.cache04:13
notmorgandude i read that as oslo_config04:13
openstackgerrithenry-nash proposed openstack/keystone-specs: Add filter to control listing projects acting as domains  https://review.openstack.org/26942204:13
notmorganyour commit subject says oslo_config04:13
jamielennoxhuh, so it does, i mistyped that a lot04:13
notmorgansadly caching is freaking hard for people to understand04:14
notmorganand dogpile doesn't make a lot of steps to make that easier04:14
henrynashhtruta, samueldmq: what do you think of this: https://review.openstack.org/26942204:15
jamielennoxnotmorgan: right, and i learnt more reading the code than from the docs04:15
notmorganjamielennox: ok i'll look at that, it's going to take a bit of time04:15
notmorgancause ksm caching always makes my head hurt to begin with04:15
jamielennoxnotmorgan: well, docs are ok, but they assume you want to do MEMOIZE and i can't do that04:15
notmorganvery few people understand the kvs interface04:15
notmorganand they get the memoize cause we use it in keystone now.04:16
notmorganbut even that is pretty opaque to most folks :(04:16
jamielennoxnotmorgan: so what i know already is that i can't see any way to make it work with the paste interface04:16
notmorganyou mean as an in-line paste thing?04:16
notmorganthat really isn't doable, dogpile wasn't written for that04:17
jamielennoxswift requires it04:17
notmorganyou'd need to write something that is cache-control header aware and the like04:17
jamielennoxno, not like that04:17
notmorganwell... i could probably do horrible metaprogramming and get it04:17
notmorganoh the swift case?04:17
jamielennoxas in using the paste interface to pass options to auth_token04:17
notmorganyeah the swift case makes me sate04:17
notmorgandidn't we tell them that is going away04:18
notmorgancause it's terribad04:18
* notmorgan grumbles04:18
jamielennoxwe did, they complained, we added support back for them, they never changed04:18
notmorganso it is doable to use $random_thing_passed_from_paste$ and lazy config the region04:18
notmorganit's just expensive, complex, and painful code04:19
notmorganand will be damn near impossible to maintain04:19
notmorganbut... for swift, the special child of openstack that it is (that refuses to play like the other kids), we can do it04:19
notmorganand shove it in their tree04:19
notmorganso they have to maintain it04:19
jamielennoxthat's nice, but they wont maintain it and as we are still trying to force people off of v2 auth in 2 years we'll say wtf why is this still configured this way04:21
jamielennoxand have to change it all anyway04:21
notmorgani actually want to just tell them that if they don't maintain it, it wont continue to work04:22
notmorganif they are going to be the special "WE DONT DO IT ANY OTHER WAY" people it is on them imo04:22
notmorgannow that being said, i can wire something up. i just hate being the only one who can do this bit.04:23
notmorganor one of 2 or three at most04:23
notmorgancause... $reasons04:24
*** markvoelker has quit IRC04:39
*** markvoelker has joined #openstack-keystone04:40
jamielennoxnotmorgan: it's kind of unintuitive when oslo.cache has a memcache_servers variable to have to configure backend = as well04:50
notmorganjamielennox: yes.. and :(04:51
jamielennoxit caught me out, i assume it will for many others as well04:52
notmorganwelcome to my world04:52
notmorganalso.. my bottle of wine is far too empty to think too hard about caching04:52
jamielennoxwe can't set default backend to memcache if memcache_servers != None?04:52
notmorganwell.. that depends04:52
notmorganwhat do you want the default behavior to be04:53
notmorganlocalhost? no-op[cache nothing]? cache in memory?04:53
notmorgando something else?04:53
jamielennoxno-op would be default04:53
jamielennoxhas to be04:53
notmorganthen sure we can no-op it04:53
notmorganif you look @ keystone we pretty much no-op it in that case04:53
jamielennoxand it's noop onw04:53
notmorganpaste sucks.04:54
notmorganwhat swift really needs is a caching proxy04:55
notmorganpaste does not fill that role04:55
jamielennoxhmm, good for somethings, nice idea04:55
jamielennoxhad to rewrite the echo service to test this all, paste is a pain from scratch04:56
stevemarhenrynash: ayoung: left you guys some comments here: https://review.openstack.org/#/c/264260/26 nothing major04:56
*** lhcheng has quit IRC04:58
*** jasonsb has quit IRC05:04
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends  https://review.openstack.org/23187205:06
jamielennoxayoung: still here?05:08
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Role Backend  https://review.openstack.org/26938505:08
stevemarhenrynash: poke, i rebased the LDAP removal stuff, if you're so inclined05:09
stevemar(and fixed the test error)05:09
ayoungjamielennox, sort of05:10
jamielennoxayoung: was just going to write some test scripts for adding implied roles etc, thought you might have one or two handy05:10
jamielennoxayoung: no matter if not05:10
ayoungjamielennox, not yet, no05:11
ayoungwas doing everything in server thus far05:11
jamielennoxayoung: ok, i'll write some up and share them somewhere05:11
ayoungI jamielennox sounds good.05:11
ayoungjamielennox, You going to use curl against the API?05:12
jamielennoxayoung: at this point i'm probably faster at doing it against the python apis05:12
jamielennoxayoung: not going to add it to keystoneclient yet, just use session etc05:12
ayoungjamielennox, from client?  We don't have those yet05:12
ayoungah, OK05:12
ayounggot it05:12
notmorganstevemar: sorry on the test error05:14
openstackgerritSteve Martinelli proposed openstack/keystone: Enhance manager list_role_assignments to support group listing  https://review.openstack.org/26565005:15
notmorganstevemar: but food > code05:15
stevemarnotmorgan: it wasn't you, don't worry05:15
notmorganyeah but food > code05:15
stevemarits the damn relationship between assignment ldap and role functionality05:15
notmorganso i wasn't watching it05:15
notmorganstevemar: solution rebase and squash we had that all 100% working combined05:15
stevemarnotmorgan: it was this code: https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/ldap.py#L30405:16
stevemarnotmorgan: i just skipped the test in the initial patch05:16
notmorganlike i said, i had it ALL working :P05:16
stevemarand deleted them in the subsequent ones05:16
stevemarnotmorgan: yeah, taht's why i said MY FAULT!05:16
stevemarjeez no need to rub it in!05:16
notmorgani'll let you know what hotel and such im in for midcycle tomorrow05:17
notmorgando you have an address for where this is all happening?05:17
stevemarnotmorgan: it's in the email i sent out and the wiki05:19
stevemarIBM Austin - Building 904, Executive Briefing Centre 11501 Burnet Rd, Austin, TX 78758, USA05:19
notmorganyeah but ... E_WINE05:19
notmorganand i need to book travel so i was going to look @ hotels befor esleep05:20
stevemarnotmorgan: makes sense05:20
*** _cjones_ has joined #openstack-keystone05:29
*** _cjones_ has quit IRC05:29
*** _cjones_ has joined #openstack-keystone05:30
*** EinstCra_ has joined #openstack-keystone05:30
*** EinstCr__ has joined #openstack-keystone05:32
*** EinstCrazy has quit IRC05:32
*** _cjones_ has quit IRC05:33
*** EinstCra_ has quit IRC05:34
henrynashstevemar: looks good…will give it a quick look through, but initial galnce looks ncie05:35
*** jasonsb has joined #openstack-keystone05:38
*** henrynash has quit IRC05:39
*** jaosorior has joined #openstack-keystone05:45
*** EinstCr__ is now known as EinstCrazy05:47
*** vivekd has joined #openstack-keystone05:49
*** jamielennox is now known as jamielennox|away05:59
*** gildub has quit IRC06:13
*** vivekd has quit IRC06:15
*** vgridnev has joined #openstack-keystone06:22
*** tyagiprince has joined #openstack-keystone06:23
openstackgerritxu-haiwei proposed openstack/keystoneauth: HTTPError should contain 'retry_after' parameter  https://review.openstack.org/25512806:25
*** EinstCrazy has quit IRC06:37
*** EinstCrazy has joined #openstack-keystone06:37
*** vivekd has joined #openstack-keystone06:39
openstackgerritSteve Martinelli proposed openstack/keystone: deprecate write support for identity LDAP  https://review.openstack.org/25625706:42
*** vgridnev has quit IRC06:45
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate `hash_algorithm` config option  https://review.openstack.org/25626006:51
* stevemar continues to baby sit the gate06:51
*** GB21 has joined #openstack-keystone06:55
*** spzala has quit IRC06:59
*** spzala has joined #openstack-keystone07:00
openstackgerritDave Chen proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844207:03
openstackgerritDave Chen proposed openstack/keystone: Create V9 version of catalog driver interface  https://review.openstack.org/26945507:03
*** spzala has quit IRC07:04
openstackgerritMerged openstack/keystone: document the bootstrapping process  https://review.openstack.org/25973007:05
stevemardavechen: you kicked https://review.openstack.org/#/c/158442/14 out of the gate :(07:06
davechenlooks like i updated dstanek's patches. :(07:06
davecheni am sorry. :(07:06
davechenstevemar: something i did should rebase on that one, but i forgot i have rebased to the latest code.07:07
stevemardavechen: it happens, you did a rebase before merging your changes right?07:07
davechenstevemar: yep.07:07
davechenstevemar: i forgot did that before push the review. sigh.07:07
stevemardavechen: yeah, you can normally do that, but it was just about to merge :(07:07
stevemarit happens07:07
davechenstevemar: boss, could  you pls +A on that.07:08
stevemardavechen: done already07:08
davechenstevemar: okay, thanks!07:08
davechenhope dstanek haven't found this. :P07:08
*** GB21 has quit IRC07:09
davechenI think henrynash is not here.07:10
davechenso, I guess the co-author lost the power to +2 on a patch, but anyway there should be other experts kown what this patch want to address - https://review.openstack.org/#/c/269455/07:11
*** markvoelker_ has joined #openstack-keystone07:11
davechenmarekd: i will rebase your patch on this one as well. - https://review.openstack.org/#/c/269455/07:11
stevemardavechen: i would say henry can still +2 it07:12
davechenhenrynash, stevemar: i just followed the henry's example to add a new driver interface for catalog.07:13
davechenstevemar: cool.07:13
stevemardavechen: yeah, that's fine, he knows it best :P07:13
davechenstevemar: i will add you as a reviewer if you don't mind, just in the queue.07:14
stevemardavechen: sure07:14
stevemarman, the gate is SOOOO long07:14
stevemarits so backed up07:14
*** markvoelker has quit IRC07:15
davechentoo rush!07:15
davechenstevemar: looks like infra team is still working on that?07:15
stevemardavechen: nothing they can do07:15
davechennot stable so far.07:16
*** vgridnev has joined #openstack-keystone07:16
stevemardavechen: oh *that* issue07:16
davecheni saw they might have restart the server.07:16
davechenbut looks like it still doesn't work well.07:16
stevemardavechen: btw, this landed: https://review.openstack.org/#/c/268826/07:16
stevemarso those eventlet timeouts won't happen any more07:16
stevemarwell, they will still happen, but it won't stop us07:16
stevemardavechen: otherwise, it's just everyone trying to get patches in for mitaka-2 :(07:17
davechenstevemar: that's great, i think the issue will gone if the CI is gone.07:17
davechenstevemar: let's do the recheck. :)07:18
stevemardavechen: which patch?07:18
stevemardavechen: they should all be gating, the approved ones anway07:18
davechenstevemar: i meant if your patch is not landing, we will keep the recheck.07:18
stevemardavechen: as punishment for removing the kvs backend patch, you must review this one: https://review.openstack.org/#/c/265650/ :)07:19
stevemarremoving the kvs backend patch from the gate... *07:20
davechenstevemar: :) sure07:20
davechenhenry works too hard in those days.07:21
stevemardavechen: btw, there's the meeting tomorrow, i have most of the agenda up already: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting is there anything you wanted to talk about07:21
stevemardavechen: i feel bad since it's hard for you to attend, so you can ping me now for any questions07:22
davechenstevemar: you are so nice.07:22
davechenstevemar: it's pain for me if i want to talk someting in the meeting.07:22
davechenstevemar: unless take one leave and got my boss's approval if i want to join in the meeting from my region.07:23
stevemardavechen: don't worry about that for now. if it's easy we can have a short one on one time now, i don't mind a few questions07:24
stevemarif you have questions about the topics or any thing you want to bring up, i can mention it tomorrow07:24
davechenstevemar: no question so far, but i think i will have question in the future, so if you don't mind pls expect my ping to you.07:24
stevemardavechen: i don't mind at all07:25
davechenwhat's liaison we have?07:25
*** GB21 has joined #openstack-keystone07:26
davechenoslo? nova? or ..07:26
*** sshen_ has quit IRC07:27
*** sshen has joined #openstack-keystone07:27
davechenstevemar: i will take a look at the liaison, and see if there is anything i can help.07:30
stevemardavechen: so there are a lot of "liaison" positions07:30
stevemardavechen: they're all here: https://wiki.openstack.org/wiki/CrossProjectLiaisons07:30
davechenstevemar: yep, too many07:30
stevemari think the most active ones are oslo, release, qa, stable, docs, vmt07:31
davechenand the api07:31
stevemardavechen: bknudson does oslo, i do release, stable is a mix of us07:31
davechenstevemar: got you, thanks for the info.07:32
stevemardavechen: the API group is not as busy, you can ask dolphm about it, i don't know how much work it is07:32
davechenstevemar: okay.07:32
stevemardavechen: and now there's a new one "cross-proejct", someone to review these specs: http://specs.openstack.org/openstack/openstack-specs/ i think...07:33
davechenthis is the spec for all the projects i think.07:33
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate `hash_algorithm` config option  https://review.openstack.org/25626007:36
*** GB21 has quit IRC07:37
*** EinstCrazy has quit IRC07:39
*** EinstCrazy has joined #openstack-keystone07:39
*** GB21 has joined #openstack-keystone07:40
*** tyagiprince has quit IRC07:41
*** tyagiprince has joined #openstack-keystone07:42
*** vgridnev has quit IRC07:49
*** ajayaa has joined #openstack-keystone07:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947907:52
*** roxanaghe has joined #openstack-keystone07:55
*** GB21 has quit IRC07:56
*** markvoelker_ has quit IRC07:57
*** EinstCrazy has quit IRC07:57
*** roxanaghe has quit IRC08:00
*** spzala has joined #openstack-keystone08:00
*** rcernin has joined #openstack-keystone08:01
*** EinstCrazy has joined #openstack-keystone08:02
*** EinstCrazy has quit IRC08:02
*** EinstCrazy has joined #openstack-keystone08:02
openstackgerritDave Chen proposed openstack/keystone: Create V9 version of catalog driver interface  https://review.openstack.org/26945508:02
*** spzala has quit IRC08:05
*** dancn has quit IRC08:06
*** Nirupama has joined #openstack-keystone08:14
*** tyagiprince has quit IRC08:14
*** vgridnev has joined #openstack-keystone08:19
*** wanghua has joined #openstack-keystone08:19
openstackgerritSteve Martinelli proposed openstack/keystone: Replace tenant for project in resource files  https://review.openstack.org/24829508:20
*** chlong has quit IRC08:27
*** pnavarro has joined #openstack-keystone08:27
*** Nirupama has quit IRC08:28
*** vivekd has quit IRC08:32
*** markvoelker has joined #openstack-keystone08:38
*** daemontool has joined #openstack-keystone08:41
*** vivekd has joined #openstack-keystone08:42
*** markvoelker has quit IRC08:43
*** markvoelker has joined #openstack-keystone08:46
*** tyagiprince has joined #openstack-keystone08:49
*** fhubik has joined #openstack-keystone08:54
*** fhubik is now known as fhubik_brb08:54
*** Nirupama has joined #openstack-keystone08:56
*** vivekd has quit IRC08:59
*** fhubik_brb is now known as fhubik09:01
*** dancn has joined #openstack-keystone09:01
*** spzala has joined #openstack-keystone09:02
*** markvoelker has quit IRC09:02
*** daemontool has quit IRC09:02
*** e0ne has joined #openstack-keystone09:03
*** daemontool has joined #openstack-keystone09:03
*** vivekd has joined #openstack-keystone09:04
*** fhubik is now known as fhubik_brb09:04
*** spzala has quit IRC09:08
*** markvoelker has joined #openstack-keystone09:19
*** jistr has joined #openstack-keystone09:20
*** fhubik_brb is now known as fhubik09:23
*** markvoelker has quit IRC09:24
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking cross-version migrations compatibility  https://review.openstack.org/24160309:24
*** mhickey has joined #openstack-keystone09:25
*** e0ne has quit IRC09:34
*** aix has joined #openstack-keystone09:39
*** daemontool has quit IRC09:39
*** daemontool has joined #openstack-keystone09:39
*** markvoelker has joined #openstack-keystone09:40
*** fhubik is now known as fhubik_brb09:40
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking cross-version migrations compatibility  https://review.openstack.org/24160309:40
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Online schema migration documentation  https://review.openstack.org/26525209:40
openstackgerritSteve Martinelli proposed openstack/keystone: Replace tenant for project in resource files  https://review.openstack.org/24829509:41
*** boris-42 has quit IRC09:43
*** aix_ has joined #openstack-keystone09:44
*** markvoelker has quit IRC09:45
*** fhubik_brb is now known as fhubik09:46
*** aix_ has quit IRC09:46
*** fhubik is now known as fhubik_brb09:47
*** e0ne has joined #openstack-keystone09:48
*** davechen has left #openstack-keystone09:55
*** e0ne has quit IRC09:57
*** spzala has joined #openstack-keystone10:04
*** vgridnev has quit IRC10:06
*** vgridnev has joined #openstack-keystone10:07
*** daemontool has quit IRC10:08
*** daemontool has joined #openstack-keystone10:08
*** mdavidson has joined #openstack-keystone10:08
*** spzala has quit IRC10:09
*** fhubik_brb is now known as fhubik10:10
*** daemontool has quit IRC10:11
*** daemontool has joined #openstack-keystone10:11
*** vgridnev has quit IRC10:13
*** markvoelker has joined #openstack-keystone10:16
*** daemontool has quit IRC10:17
*** daemontool has joined #openstack-keystone10:17
*** daemontool has quit IRC10:19
*** daemontool has joined #openstack-keystone10:19
*** markvoelker has quit IRC10:21
*** aix has quit IRC10:23
*** aix has joined #openstack-keystone10:26
*** vgridnev has joined #openstack-keystone10:26
*** daemontool has quit IRC10:38
*** daemontool has joined #openstack-keystone10:42
*** roxanaghe has joined #openstack-keystone10:44
*** markvoelker has joined #openstack-keystone10:44
*** aix has quit IRC10:46
*** dims has joined #openstack-keystone10:48
*** vgridnev has quit IRC10:49
*** roxanaghe has quit IRC10:49
*** tyagiprince has quit IRC10:49
*** markvoelker has quit IRC10:49
*** aix has joined #openstack-keystone10:56
openstackgerritMerged openstack/keystone: Merge pep8 and bandit test environments  https://review.openstack.org/26514810:59
*** tyagiprince has joined #openstack-keystone11:03
*** spzala has joined #openstack-keystone11:05
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947911:10
*** spzala has quit IRC11:10
*** markvoelker has joined #openstack-keystone11:14
*** vgridnev has joined #openstack-keystone11:15
tyagiprinceHey people.. I want to know which module does openstack uses for command line interaction with the services?11:18
tyagiprinceIs it using cliff?11:18
*** markvoelker has quit IRC11:20
*** jaosorior has quit IRC11:22
*** jaosorior has joined #openstack-keystone11:22
*** fhubik has quit IRC11:27
*** markvoelker has joined #openstack-keystone11:32
*** ericksonsantos has joined #openstack-keystone11:36
*** markvoelker has quit IRC11:36
amakarovlbragstad, hi! What questions do you have?11:38
*** e0ne has joined #openstack-keystone11:38
*** pauloewerton has joined #openstack-keystone12:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/26932112:03
*** daemontool has quit IRC12:05
*** daemontool has joined #openstack-keystone12:06
samueldmqtyagiprince: I don't know, but perhaps #openstack-sdks is a better place to ask12:06
*** aix has quit IRC12:06
*** spzala has joined #openstack-keystone12:06
*** EinstCrazy has quit IRC12:06
openstackgerritMerged openstack/keystone: Make sure the assignment creation use the right arguments  https://review.openstack.org/26873812:09
*** vivekd_ has joined #openstack-keystone12:11
*** spzala has quit IRC12:11
*** markvoelker has joined #openstack-keystone12:11
*** vivekd has quit IRC12:11
*** vivekd_ is now known as vivekd12:11
*** vivekd_ has joined #openstack-keystone12:12
*** vivekd has quit IRC12:16
*** vivekd_ is now known as vivekd12:16
*** markvoelker has quit IRC12:16
*** tyagiprince has quit IRC12:17
*** aix has joined #openstack-keystone12:18
*** tyagiprince has joined #openstack-keystone12:19
*** raildo-afk is now known as raildo12:27
samueldmqayoung: hi, about implied roles spec12:29
*** davechen has joined #openstack-keystone12:30
*** roxanaghe has joined #openstack-keystone12:32
*** Nirupama has quit IRC12:34
*** tyagiprince has quit IRC12:37
*** roxanaghe has quit IRC12:37
rodrigodsdstanek ping, regarding functional tests... let me know when you are available to talk about it :)12:40
dstanekrodrigods: i'm here now12:42
rodrigodsdstanek so, has been a while that I don't follow the functional tests efforts12:43
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Fixes implied roles example  https://review.openstack.org/26960412:43
dstanekrodrigods: there has not been much movement on it12:43
samueldmqayoung: this ^, just a nit on the spec12:43
rodrigodsdstanek what are the current blockers?12:44
dstanekrodrigods: i wanted to have all the work rebase and fixed up before the mid-cycle - just trying to knock out some reviews first12:44
*** shoutm_ has joined #openstack-keystone12:44
rodrigodsdstanek can you point me to them?12:44
*** shoutm has quit IRC12:45
*** links has quit IRC12:46
samueldmqayoung: revisited the spec, now at12:46
samueldmqImplied roles driver and manager12:46
dstanekrodrigods: the most recently published ones are https://review.openstack.org/#/c/151310/8 . i still have to push up some local changes12:46
dstanekrodrigods: if you are interested in this i can do that today12:47
rodrigodsdstanek I am :) I will take a look in the reviews to be aware about the big picture to help you out with it12:48
*** markvoelker has joined #openstack-keystone12:49
*** markvoelker has quit IRC12:54
openstackgerritDave Chen proposed openstack/keystone: Create V9 version of catalog driver interface  https://review.openstack.org/26945512:57
*** spzala has joined #openstack-keystone13:07
*** markvoelker has joined #openstack-keystone13:10
*** daemontool_ has joined #openstack-keystone13:10
*** daemontool has quit IRC13:11
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947913:11
*** gordc has joined #openstack-keystone13:11
*** spzala has quit IRC13:12
*** vgridnev has quit IRC13:12
*** alejandrito has joined #openstack-keystone13:14
*** vgridnev has joined #openstack-keystone13:14
*** markvoelker has quit IRC13:15
samueldmqayoung: what about limiting the height of a implied roles hierarchy ?13:17
samueldmqayoung: I saw in the spec there were some concerns about perfomance13:17
samueldmqayoung: and this is basically what we did for hierarchical projects13:18
*** ekarlso has quit IRC13:18
*** ekarlso has joined #openstack-keystone13:18
*** ninag has joined #openstack-keystone13:21
raildodstanek: regarding about your comment on v2.0 deprecation patch, are you saying that it will be returned this message on that case, right? https://github.com/openstack/oslo.log/blob/master/oslo_log/versionutils.py#L13513:23
dstanekraildo: yes13:23
raildodstanek: right, so I'll remove that part of the message, thanks :)13:24
dstanekraildo: np13:24
*** dslev has joined #openstack-keystone13:30
*** edmondsw has joined #openstack-keystone13:30
mnaserI've tried searching around but wasn't successful in finding answers, what happens to projects (or tenants in v2 terms) that are created under a domain using the v3 api when accesing them via the v2 api?13:32
mnaserare they simply just not visible at all via the v2 api?13:32
samueldmqayoung: stevemar: sorry for the -1 on https://review.openstack.org/#/c/264260/13:34
samueldmqayoung: stevemar: let me know if you agree with some of the comments and I can submit a followon patch if needed13:35
mnasermy bad, i just ran into this - https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-v2-comparison.rst13:35
openstackgerritMerged openstack/keystone: Test enabled emulation with special user_tree_dn  https://review.openstack.org/26546213:35
openstackgerritMerged openstack/keystone: Escape DN in enabled query  https://review.openstack.org/26233413:36
openstackgerritMerged openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/26856713:37
*** vivekd_ has joined #openstack-keystone13:42
*** vivekd has quit IRC13:45
*** vivekd_ is now known as vivekd13:45
*** EinstCrazy has joined #openstack-keystone13:46
*** spzala has joined #openstack-keystone13:46
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/26932113:48
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/26845313:48
*** jaosorior has quit IRC13:48
*** jaosorior has joined #openstack-keystone13:48
*** roxanaghe has joined #openstack-keystone13:49
*** daemontool__ has joined #openstack-keystone13:49
*** daemontool_ has quit IRC13:50
*** markvoelker has joined #openstack-keystone13:52
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/26964313:52
*** roxanaghe has quit IRC13:53
*** daemontool__ is now known as daemontool13:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947913:55
*** Ephur has joined #openstack-keystone13:56
openstackgerritRaildo Mascena proposed openstack/keystone: Deprecating API v2.0  https://review.openstack.org/25153013:56
*** markvoelker has quit IRC13:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947913:57
openstackgerritRaildo Mascena proposed openstack/keystone: Deprecating API v2.0  https://review.openstack.org/25153013:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947913:59
*** markvoelker has joined #openstack-keystone14:00
dstanekstevemar: doesn't look like there is a lot planned for the midcycle. is there other stuff on your radar?14:00
openstackgerritRaildo Mascena proposed openstack/keystone: Deprecating API v2.0  https://review.openstack.org/25153014:00
*** markvoelker_ has joined #openstack-keystone14:01
*** EinstCrazy has quit IRC14:02
*** EinstCrazy has joined #openstack-keystone14:02
*** markvoelker has quit IRC14:05
*** daemontool has quit IRC14:06
*** daemontool has joined #openstack-keystone14:07
*** doug-fish has joined #openstack-keystone14:10
*** EinstCrazy has quit IRC14:10
*** EinstCrazy has joined #openstack-keystone14:10
*** vivekd has quit IRC14:16
*** vivekd has joined #openstack-keystone14:16
*** EinstCrazy has quit IRC14:17
*** EinstCrazy has joined #openstack-keystone14:18
*** EinstCrazy has quit IRC14:18
*** EinstCrazy has joined #openstack-keystone14:18
*** petertr7_away is now known as petertr714:19
*** jsavak has joined #openstack-keystone14:23
notmorganmnaser: yeah you found it :)14:24
notmorganmnaser: but yes, projects/tenants not in the default domain are not really visible in v2 [by design]14:24
mnasernotmorgan: evaluating switching from single user + single project assigned to it to a domain based system14:24
mnaserand mostly worried about things breaking for customers that depend on it, it doesn't look feasible at the moment14:25
notmorganmnaser: so, the best bet is to offer a domain in conjunction with the default domain project. new users could be v3 only [v2/v3 exist side-by-side, it's not mtually exclusive]14:26
notmorganmnaser: projects can't be moved to new domains (for security reasons), so it lets customers migrate on their own.14:27
notmorganmnaser: you could also [for v3 only users] not offer quota in the default domain.14:27
mnaseryeah, we have a bit more flexibility because we're moving to horizon now14:27
notmorganmnaser: if you offered a domain setup, i'd totally jump on board using it fwiw :)14:27
mnasermy only other concern in this big switch up is SSO14:27
notmorganmnaser: right.14:28
mnaserSSO works nice for web auth like openid connect, but right now we're creating a "group" per user and then the mapping rules map said user to that group14:28
mnaserwhich has access to the tenant/project14:28
mnaserthis works for our existing setup.. but, i'm not sure how API access would work in this case14:29
mnaserthis is where domains would be nice because customers could just come in and create their own users..14:29
*** daemontool_ has joined #openstack-keystone14:30
mnaserso this is where we're a bit stuck in terms of decision making or how to do this in the best way possible14:30
*** daemontool has quit IRC14:31
notmorganthis is a bit harder for me to provide a recommendation on =/ i'd have to spend some time talking over your deployment to offer much help.14:31
mnaseryeah.. it's a tad bit hard14:32
mnaserand finally one last thing is how keystone falls over with mappings, it just prints out a json error to the screen, be nice if there was a bit more control (or even an html page template)14:32
mnaserbut that's all just noise.. still quite a bit far from getting properly up and running14:33
*** davechen has left #openstack-keystone14:34
*** daemontool_ has quit IRC14:34
*** daemontool_ has joined #openstack-keystone14:34
ayoungsamueldmq, -1 won't stop the merge.  Submit what you want as a follow on patch, please14:34
*** gordc has quit IRC14:36
*** daemontool_ has quit IRC14:37
*** daemontool_ has joined #openstack-keystone14:37
*** shoutm_ has quit IRC14:38
*** vivekd_ has joined #openstack-keystone14:39
*** fhubik has joined #openstack-keystone14:41
*** vivekd has quit IRC14:42
*** vivekd_ is now known as vivekd14:42
*** gordc has joined #openstack-keystone14:48
*** notmorgan has quit IRC14:51
*** richm has joined #openstack-keystone14:53
*** notmorgan has joined #openstack-keystone15:00
*** notmorgan has joined #openstack-keystone15:00
*** ChanServ sets mode: +v notmorgan15:00
*** notmorgan has quit IRC15:01
*** notmorgan has joined #openstack-keystone15:01
*** notmorgan has quit IRC15:01
*** notmorgan has joined #openstack-keystone15:01
*** ChanServ sets mode: +v notmorgan15:01
openstackgerritGrzegorz Grasza (xek) proposed openstack/keystone: Add binary UUID field  https://review.openstack.org/26969315:03
*** pumaranikar has joined #openstack-keystone15:03
*** dslev has quit IRC15:11
*** daemontool_ has quit IRC15:12
*** vivekd has quit IRC15:13
*** tonytan4ever has joined #openstack-keystone15:14
*** rderose has joined #openstack-keystone15:19
stevemardstanek: i haven't given it much thought since i posted the schedule15:23
stevemardstanek: we normally have to go through specs, but it's so late that we have no specs to go through15:24
*** daemontool_ has joined #openstack-keystone15:24
bknudsonwe can get started on specs for N15:26
*** timcline has joined #openstack-keystone15:27
*** EinstCrazy has quit IRC15:27
*** EinstCrazy has joined #openstack-keystone15:28
*** woodster_ has joined #openstack-keystone15:29
bknudsonat the security summit we followed unconference where we proposed topics then voted on topics then the topics with the most votes got slots15:29
*** EinstCrazy has quit IRC15:30
dstanekbknudson: i like that idea in principle, but it doesn't give me time to prepare15:30
lbragstadrderose o/15:30
lbragstadrderose stevemar had a few questions yesterday around shadow users.15:31
bknudsonit would be nice to have the topics voted on in advance so people can prepare if they want15:31
*** sigmavirus24_awa is now known as sigmavirus2415:31
lbragstaddstanek you've had some good ideas around refactoring keystone to not have so many db calls - maybe we can work on that?15:32
dstaneklbragstad: i'd love to pair with someone on that15:32
dstanekbknudson: ++15:32
lbragstaddstanek I'd like to do that15:32
bknudsonI've got my list of things that are my priority items... maybe everyone else has a list too and we can see how they match up.15:33
*** henrynash has joined #openstack-keystone15:33
stevemarbknudson: specs for N, oh you are ambitious15:33
*** ChanServ sets mode: +v henrynash15:33
stevemarbknudson: i thought we all agreed that there will be no specs for N :P15:33
notmorganstevemar: i just -2'd a move to use Binary uuid field in SQL, this could cause a lot of strange behaviors / breakages.15:33
notmorganstevemar: just an fyi https://review.openstack.org/#/c/269693/15:33
bknudsonlet's take a release off.15:33
bknudsonsee if anyone complains15:34
stevemarbknudson: hehe15:34
stevemarbknudson: maybe we should just fix our bugs15:34
stevemarand you know, include functionality in our clients15:34
stevemarsince we have a ton of crap in server that no one can use15:34
rderoselbragstad okay15:34
dstanekstevemar: we are getting much better on the bug front15:35
lbragstadstevemar not sure if you still have questions on the shadow user stuff, or if i addressed them yesterday15:35
stevemarrderose lbragstad the only question i had was if there is more work to be done in the blueprint after that initial patch?15:35
stevemarrderose: lbragstad i assume there has to be some re-wiring of the create calls to actually call and save stuff in the newly made database tables?15:35
rderosestevemar yes, the initial patch is to just break up the user table into identity and password tables. more work still needs to be done on federated identity15:36
rderosestevemar the current patch will write to the new identity and password tables, but again, still have work to do on the new federated table15:37
stevemarlbragstad: rderose: alright, that's what i thought, based on that I've bumped this to mitaka-315:39
lbragstadjorge_munoz not sure if you saw the scroll back yet - but ayoung and I had a long discussion last night around the restructuring of all the patches we have up15:39
dstaneklbragstad: i was actually going to ask dolphm about shadow users; the progress and if help was needed15:39
lbragstadjorge_munoz the conversation started here - http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-01-18.log.html#t2016-01-18T21:45:0415:40
lbragstaddstanek i've just been trying to stay up on the reviews for it - i think the code is looking pretty good.15:40
lbragstaddstanek i think rderose probably has a better idea of what is left15:40
dstaneklbragstad: where's the starting point?15:40
lbragstaddstanek let me grab you a link15:40
openstackgerritMerged openstack/keystone-specs: Fixes implied roles example  https://review.openstack.org/26960415:41
*** narengan12 has joined #openstack-keystone15:41
lbragstaddstanek here is the first/only patch - https://review.openstack.org/#/c/262045/15:41
dstaneklbragstad: cool, added to the top of the pile :-)15:41
openstackstatuslbragstad: Added success to Success page15:42
*** jbell8 has joined #openstack-keystone15:42
bknudson#success browns got rid of johnny football15:43
openstackstatusbknudson: Added success to Success page15:43
rderoselbragstad dstanek Mostly what's left is to modify the underlying code to utitlize the new shadow table for mapping LDAP and federated users to local identities.15:45
lbragstadrderose so, that would be the rewiring that stevemar was talking about15:45
bknudsonis there another mapping backend?15:45
stevemarmy reaction when i see that bknudson is pulled into the same meeting as me: https://s-media-cache-ak0.pinimg.com/originals/c8/43/ca/c843ca5082f66324508f63c7ef045b26.gif15:46
ayounglbragstad, let me know if jorge_munoz shows up.15:46
bknudsonthe inmates are running the asylum15:46
lbragstadjorge_munoz more context - http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-01-19.log.html#t2016-01-19T01:46:5715:46
ayoungjorge_munoz, lbragstad had updated the "Make fernet default" review15:47
ayoungbut its failing due to, it looks like15:47
ayoungsubsecond revoke issues15:47
ayoungsame kind of things we saw15:47
ayoungjorge_munoz, and that gets at the fact that we are revoking on way too many different events15:48
ayoungbut before we can revoke on fewer events, we need uuid to use the same rules as Fernet in validation15:48
rderoselbragstad I don't know if rewiring is correct, but essentially we now need to "shadow" federated and ldap users in the new federated table15:48
ayoungjorge_munoz, so there is an ordering that we can infer15:49
jorge_munozah yes, but for revocation events, we were only working on enabled object. We still need revocation events for tokens.15:49
jorge_munozenabled check*15:49
notmorganstevemar: i am thining https://bugs.launchpad.net/keystone/+bug/1524124 needs to be a wont fix15:49
openstackLaunchpad bug 1524124 in OpenStack Identity (keystone) "unscalable database schema design" [Undecided,New] - Assigned to Grzegorz Grasza (xek)15:50
ayoungjorge_munoz, lbragstad and that starts with the commit to redo UUID tokens to store only the same subset of data that a Fernet token contains, and to reconstitute the whole access_info structure upon validation15:50
notmorganstevemar: the problem statement / proposed fix would be highly backwards incompat15:50
ayoungjorge_munoz, while it would be strange, we have to assume somone is using revocation events with UUID15:50
notmorganayoung: i thought we decided to just stop doing subsecond on tokens.15:51
ayoungeven PKI could work this way;  ignore the body of the token, and reconstitute the data upon validation15:51
ayoungnotmorgan, and then unit tests fail15:51
notmorganayoung: because fernet doesn't and it is no longer neeed15:51
ayoungnotmorgan,  we 've alwasy done subsecond due to unit tests15:51
notmorganno we didn't we added it when we added pki15:51
*** markvoelker_ has quit IRC15:51
notmorganbecause we needed unique "data"15:51
ayoungissue, revoke, issue, validate fails15:51
ayoungnotmorgan, revoke events recreates that need.  We revoke based on time15:52
notmorgani am sure i had unwound this at somepoint15:52
notmorganin the unit tests15:52
notmorganit might have been a heavy dose of mock15:52
notmorganto adjust time15:52
lbragstadjorge_munoz how many patches do you have locally for the trust issues?15:52
notmorganwhen issuing a test rev event15:52
ayoungnotmorgan, well it is possible you broke something, but this is kindof a law of nature15:52
bknudsonwe've got a mock to control the clock. tests shouldn't depend on the external environment15:52
stevemarbknudson: yay we're inmates!15:52
lbragstadjorge_munoz s/trust/redelegation/15:52
notmorganbknudson: +++++++15:53
lbragstadbknudson dolphm had a patch for using freezegun to do that15:53
ayoungI balk as using mock to control the clock.15:53
bknudsonfreezegun looks like a neat library15:53
jorge_munozlbragstad: I was just finishing up fixing redelegation, I still need to work fixing the policy file. Also, we need to handle trust when someone tries to using redelegation with impersonation.15:53
notmorganayoung: relying on the external environment when you want tests to run fast and have clock based things is a bit insane15:53
stevemardstanek: oh btw, in here: https://review.openstack.org/#/c/231872/ we don't remove default_assignment_driver cause we never deprecated that function15:54
lbragstadjorge_munoz and that stuff is required to consolidate the trust tests, right?15:54
notmorganayoung: also we are locked into not using subsecond for fernet, so lets fix the issue that make us need subsecond15:54
notmorgansince fernet is the way forward15:54
ayoungnotmorgan, this will break things in the real world15:54
stevemardstanek: let me try running the tests with sql as the default for assignment15:54
ayoungif you revoke, issue and validate too fast, things will break.  AUtomated operations tend to do things like that15:54
jorge_munozlbragstad: Yes, I don’t think trust is being tested correctly.15:55
openstackgerritBrant Knudson proposed openstack/keystone: More validation of unscoped token attributes  https://review.openstack.org/26972515:55
stevemardstanek: notmorgan can tell you that https://review.openstack.org/#/c/231872/ has been a real toughie to unwind15:55
dstanekstevemar: should it be deprecated then? if we don't use if we've effectively removed it anyway15:55
notmorganayoung: we already have to solve this.15:55
notmorganayoung: with non-subsecond tokens.15:55
lbragstadayoung notmorgan i thought we asked operators if they cared about this in tokyo?15:56
bknudsonlbragstad: what do you think about merging https://review.openstack.org/#/c/269725/ into the parent?15:56
*** Ephur has quit IRC15:56
notmorganlbragstad: care about waht? subsecond?15:56
ayoungnotmorgan  well...regardless, the ordering is still what I suggest:15:56
lbragstadbknudson yes - i would be totally fine with that15:56
ayoungmake UUID use the Fernet mechanism, remove revocation events for disabled/deleted objects, make fernet the default15:56
ayoungthe time thing...I really don't care about, if we have abetter way to solve15:57
bknudsonlbragstad: alright, I'll just squash it.15:57
lbragstadnotmorgan yes - i thought we asked operators if they are ok with not being able to do those operations within a second (i.e. just try again if you get a 401).15:57
lbragstadbknudson thanks!15:57
ayoungbknudson, that is 100% backwards IIUC15:57
notmorganlbragstad: fairly certain everyone was ok with it... but.15:57
ayoungbknudson, is that checking the data, or just the format?15:58
notmorganayoung: uuid use the fernet mechanism?15:58
ayoungnotmorgan, yeah;15:58
notmorganayoung: as in.. change what is stored in the DB?15:58
ayoungnotmorgan, instead of copying the token to the database15:58
*** phalmos has joined #openstack-keystone15:58
notmorganand reconstruct like fernet?15:58
ayoungonly store the subset required by fernet15:58
bknudsonayoung: what is 100% backwards?15:58
ayoungyes 100%15:58
ayoungbknudson, nevermind15:58
*** bradjones has joined #openstack-keystone15:58
*** bradjones has quit IRC15:58
*** bradjones has joined #openstack-keystone15:58
notmorganthat is in line with what i wanted to do anywa15:58
ayoungI realize you are just talking format...I thouht you meant data in that patch15:59
notmorgandoesn't change that we need to solve the subsecond thing.15:59
lbragstadnotmorgan make it so that uuid tokens rebuild context15:59
notmorganlbragstad: yeah thats 100% in line with what i'd like to see.15:59
lbragstadnotmorgan note that we will see a performance hit15:59
ayoungnotmorgan, yeah...and it might mean that the ordering is less essential.  It might give lbragstad a path forward with the fernet-as-default now15:59
notmorgani'm fine with it.15:59
notmorganit means we can focus on improving that performance across the board16:00
ayounglbragstad, we'll not likely see a performance hit.  All that data should be held in cache16:00
lbragstadnotmorgan it won't be as bad once https://review.openstack.org/#/c/215715/ merges16:00
lbragstadayoung ^ that needs to merge16:00
ayounga recently issued token will be based on data fetched from the DB16:00
notmorgani also want to point out it doesn't matter much.16:00
*** diazjf has joined #openstack-keystone16:01
lbragstadayoung I was waiting on something from dstanek though16:02
ayounglbragstad, he's right about the assignment dependency16:02
notmorganayoung: are pki tokens slated for removal or just deprecated with no plans for removal?16:02
notmorgancc stevemar ^16:02
ayoungnotmorgan, if we don't have a fixed time to kill them, we should16:02
*** jbell8 has quit IRC16:02
dstaneklbragstad: maybe we can add it in there and just take it out later?16:03
lbragstaddstanek add what in where?16:03
bknudsonfor PKI tokens there's an alternative... not sure we even have to deprecate.16:03
dstaneklbragstad: the dependency16:03
*** jbell8 has joined #openstack-keystone16:03
*** boris-42 has joined #openstack-keystone16:03
lbragstaddstanek ah - right16:03
lbragstaddstanek that's up to you16:03
ayoungbknudson, you talking about the fix revoke by audit id?16:03
*** jsavak has quit IRC16:03
bknudsonI mean, not deprecate, just remove PKI tokens and have the server use whatever.16:04
notmorganbknudson: we did deprecate already16:04
lbragstaddstanek i just want to make sure your concerns are addressed.16:04
bknudsoncould use UUID or fernet16:04
notmorganbknudson: i agree... but that breaks the deprecation contract16:04
bknudsonPKI tokens aren't an API16:05
notmorgandstanek: responded to your comments onthe LDAP thing-a-ma-bob16:05
bknudsonthere's no migration required to switch from PKI to UUID16:05
notmorganbknudson: it isn't. but just like we have to be careful about not breaking deployments on upgrade16:05
*** aix has quit IRC16:05
notmorganbknudson: this is similar. there are deployments that use PKI tokens for keystone offload16:05
bknudsondeprecating is nice, so might as well follow it.16:05
notmorganand would be unhappy if it just disappeared16:06
notmorganat least this way we are communicating "fernet, no really fernet...use fernet"16:06
*** ninag has quit IRC16:06
*** rderose has quit IRC16:07
notmorganayoung: so https://review.openstack.org/#/c/265023/ - sadly we have broken people and made it so their deployments no longer work.16:08
dstaneknotmorgan: can the resource backend be different from assignment?16:08
notmorgandstanek: yes it can. in practice it never is16:08
bknudsonif the resource backend can't be different from assignment then why split them up.16:09
dstaneknotmorgan: that's why i thought the default could be changed. instead of hard coding the default in code it would be in the config16:09
notmorganayoung: i am not happy about the "regression" but breaking people in production for a not-really-security issue [username is mutable, don't use it] and the only place you see duplicate names is in the token body, you can't auth with a username that isn't in the defualt domain via v216:10
bknudsondstanek: didn't we deprecate the hard-coded default?16:10
notmorgandstanek: i guess we could do the same treatment.16:10
notmorgandstanek: i can roll that as a followup16:10
ayoungnotmorgan, no16:11
notmorgani really don't want to add more into that patch due to the hell that is there.16:11
dstanekbknudson: not for resource. that patch does that for identity16:11
notmorgandstanek: in the unrolling16:11
ayoungnotmorgan, how did it ever work?16:11
dstaneknotmorgan: i'm happy with that16:11
ayoungV2 should do nothing domain wise16:11
notmorganayoung: you can validate a v3 token with a project or user not in the default domain via v216:11
notmorganthat is all that the hole was. we didn't check16:11
notmorganso people wrote code to rely on that behavior16:11
notmorganand use it.16:12
ayoungnotmorgan, but the result is garbage16:12
ayoungdoes it have the domain data in there?16:12
notmorganbut the scope is still by id16:12
notmorganso security outside of keystone is fine.16:12
notmorganand user_id is globally unique16:12
notmorganhas to be16:12
bknudsonare any other projects using domain ID in the policy.json?16:13
dstanekbknudson: did you want a final word before i +A? https://review.openstack.org/#/c/231872/1816:13
notmorganbknudson: heat?16:13
notmorganbut they use v316:13
ayoungbknudson, nope16:13
ayoungbknudson, none user username either16:13
notmorganand keystone uses ids for any authz16:13
bknudsondstanek: I can take a look at https://review.openstack.org/#/c/231872/ in a couple minutes.16:13
notmorganayoung: so i 100% agree this is a sucky situation, i don't think we can break behavior =/16:13
lbragstadajayaa do you have any outstanding issues with https://review.openstack.org/#/c/215715/ ?16:13
notmorganayoung: so the revert makes sense and we keep driving at v2 needs to die16:14
openstackgerritBrant Knudson proposed openstack/keystone: Add checks for token data creep using jsonschema  https://review.openstack.org/25425816:14
notmorganayoung: so we can walk away from the v2<->v3 intermix issues16:14
notmorgan[at least v2 auth is slated for death, crud interfaces... who knows]16:14
ayoungnotmorgan, tell you what...get dolphm here to discuss.  You convince him, I'll go along16:14
ayoungnotmorgan, and if he abstains...I'll think long and hard about it16:14
notmorganayoung: i've just pointed steve to make a call here.16:14
openstackgerritBrant Knudson proposed openstack/keystone: Add checks for token data creep using jsonschema  https://review.openstack.org/25425816:14
notmorganayoung: because we have people on opposite sides of the fense16:15
notmorganthis is more of a PTL call at this point16:15
*** fhubik is now known as fhubik_brb16:15
*** fhubik_brb is now known as fhubik16:15
notmorganeither push the reverts to stable or revert the revert in master and tell people that we are sorry they are broken16:15
ayoungnotmorgan, OK...let's talk this through.16:15
ayoungA user gets a V3 token, somehow16:15
ayoungpasses it to a servciie that only knows V216:15
notmorganfor a user not in default domain.16:15
ayoungand the token is valid...so far so good16:16
ayoungthe only things that are wonky is that now she is going to see names without domain scoping on them...but all resources should be accessed by ID.16:16
*** jsavak has joined #openstack-keystone16:16
ayoungTHe question is "are all those assumptions valid across the board"16:16
*** slberger has joined #openstack-keystone16:16
notmorganthey are.16:16
notmorganwith one exception16:17
notmorganswift supports username ACLs.16:17
ayoungfuck swift16:17
ayoungthat is bad16:17
notmorganbut that was an issue and the answer was "don't use v2 only middleware with username acls"16:17
notmorganso that is addressed16:17
notmorganand that was swift's official answer when you look at the bug16:17
ayoungnotmorgan, is there a deprecation date on the V2 validation API?16:18
*** avarner has joined #openstack-keystone16:18
notmorganayoung: there is a patch up to deprecate v2 auth this cycle16:18
notmorgan4 cycle run to removal16:18
ayoungnotmorgan, OK...I can back this16:18
notmorganayoung: yeah i did circles with a number of folks on the security implications16:18
notmorganand it really was "eh, it's weird but nothing stands out"16:18
ayoungnotmorgan, I'm not core on stable16:19
notmorganayoung: i know, there aren't many of us16:19
ayoungnotmorgan, who else can +2 it?16:19
notmorgansadly steve and I are the most common stavle reviewers iirc16:19
notmorganayoung: dolphm or the stable-core [global]16:19
notmorgani think there is one other stable core, bknudson maybe16:19
dstaneknot it!16:20
notmorganayoung: unrelated to all this. going to push a change to make it so keystone can use read slaves later this week16:21
notmorganand fix some use of deprecated things in oslo_db16:21
notmorganwhile i wait for your rev. event unwinds before changing the sql stuff16:21
dstanekthere aren't that many high priority bugs left on the server16:22
notmorganbknudson: and you are working on the devstack uwsgi thing? [don't want to duplicate effort if you are]16:22
*** petertr7 is now known as petertr7_away16:23
bknudsonnotmorgan: here's the proposal for uwsgi deploy -- https://review.openstack.org/#/c/257571/16:23
notmorganlooking at it shorty16:23
bknudsonit's got a -1 and so I'm going to do some refactoring.16:23
*** jbell8 has quit IRC16:24
bknudson(when I get to it... I need to spend more time doing reviews)16:24
notmorganah not a terrible set of comments16:24
notmorganlooks pretty straightforward. also nice!16:24
*** fawadkhaliq has joined #openstack-keystone16:24
stevemarbknudson: apparently dstanek wants you to have a last look at: https://review.openstack.org/#/c/231872/ :)16:24
dstanekstevemar: yeah, i already poked him here :-)16:25
bknudsonalso, it takes a lot of time to respond to pings on irc.16:25
stevemarbknudson: ping ping ping16:25
stevemarbknudson: maybe you like sametime pings instead ?16:26
lbragstadmmmm sametime16:26
stevemardstanek: i approved it, if bknudson has issues with it, i'll pull it out of the queue16:26
dstanekstevemar: sounds good to me16:26
stevemardstanek: at this rate, it's taking nearly 20hrs to get things in16:26
dstanekstevemar: what exactly is happening?16:27
stevemardstanek: big last minute push by all projects to get things in16:27
bknudsonand this change can't wait 21 hours!16:27
stevemarbknudson: damn straight it can't (i know you're being sarcastic)16:27
dstanekstevemar: let's see if we can get enough stuff int he queue today to beak it all!16:28
dstaneki think today is when all of the quality happens16:28
stevemardstanek: hahaha16:28
bknudsonregarding https://review.openstack.org/#/c/231872/18/keystone/assignment/core.py -- I don't see why we can get rid of getting the assignment driver from the identity driver?16:31
bknudsonwe never deprecated that.16:32
bknudsonand deployments might be relying on it16:32
*** usr2 has joined #openstack-keystone16:33
notmorganbknudson: i am unsure if that is really the case.16:33
bknudsonif we don't know then we should go the conservative route and deprecate it before removing it.16:34
notmorganbknudson: i can add that back in as a followup, already have another followup to do.16:34
bknudsonnotmorgan: ok.16:34
notmorgani'm just trying to avoid another round of review/check/check/review/check/fail/recheck/fail/recheck on that patch ;)16:34
notmorganalso easier to see that things are added back in in a smaller re-add patch. [make sure to comment this and i'll tack it back in]16:35
notmorganayoung: could use eyes on this https://bugs.launchpad.net/keystoneauth/+bug/1469847 (cc jamielennox|away )16:35
openstackLaunchpad bug 1469847 in keystoneauth "authenticating with kerberos (via openstack token issue) reports Error with "Success" followed by non-ascii chracters" [Undecided,New]16:35
*** markvoelker has joined #openstack-keystone16:36
ayoungnotmorgan, oh god. not those...16:40
notmorganayoung: feel free to squash the bug as "we don't care..." but......16:40
notmorganfigured you were the best person to ask about that16:41
*** alejandrito has quit IRC16:41
ayoungnotmorgan, there are many ways GSSAPI can fail, and reporting the errors through to Keystone could be maddening16:41
ayoungI'm not sure16:41
ayoungI have a Kerberos person I can pass it on to, but he's heads down working a platform  release atm..16:42
notmorganthats fine16:42
notmorganjust doing the triage for ksa and ksm16:42
notmorganayoung: oh neat https://review.openstack.org/#/c/251530/ v2auth deprecation is gating16:44
bknudsonstevemar: I posted my comments on https://review.openstack.org/#/c/231872/18 . You can decide if it should be corrected before merged or not.16:44
stevemarayoung: henrynash quite a few comments on https://review.openstack.org/#/c/264260/26 please don't forget to submit a follow on16:45
notmorganbknudson: stevemar +A'd it, i'll roll a followup few patches for things today16:45
*** henrynash has quit IRC16:46
stevemarbknudson: btw, your comment here: https://review.openstack.org/#/c/231872/18/keystone/tests/unit/backend/role/test_ldap.py16:46
stevemarbknudson: we can't get rid of the file unless we get rid of the ldap role backend as well16:46
stevemarso it's removed in a follow up16:47
notmorganbknudson: see followup patch ;)16:47
bknudsonwell then the comment is wrong.16:47
bknudsonsince it's not testing in an all-LDAP configuration16:47
notmorganbknudson: it was split because the official in-code deprecation was missed when the original email was sent16:47
bknudsonThe docstring says it's testing in an all-LDAP configuration, which apparently it's not since there is no all-LDAP configuration16:48
notmorganthat is historical from the split henry did16:48
notmorganthat should have been updated back then.16:48
notmorganwe can either fix it or remove it as i've proposed16:49
*** stack_ has joined #openstack-keystone16:49
stevemarnotmorgan: it's probably from here: https://github.com/openstack/keystone/tree/diablo-eol/keystone/backends/ldap/api16:51
notmorgankindof ancient16:51
stevemarthen it got combined into all in one: https://github.com/openstack/keystone/blob/essex-eol/keystone/identity/backends/ldap/core.py :(16:51
*** avarner has quit IRC16:52
stevemarand now we've come full circle by splitting them back out16:52
*** narengan12 has quit IRC16:52
*** avarner has joined #openstack-keystone16:52
*** gyee has joined #openstack-keystone16:53
*** ChanServ sets mode: +v gyee16:53
*** rderose has joined #openstack-keystone16:53
*** rcernin has quit IRC16:53
openstackgerritFernando Diaz proposed openstack/keystone: Strengthen Mapping Validation in Federation Mappings  https://review.openstack.org/25016216:54
notmorganstevemar: got to get those LOC metrics up :P16:55
stevemarfor sure16:55
openstackgerritLance Bragstad proposed openstack/keystone: Reuse project scoped token check for trusts  https://review.openstack.org/25367216:55
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for domain scoped data creep  https://review.openstack.org/25367116:55
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for project scoped data creep to tests  https://review.openstack.org/25367016:55
lbragstadbknudson rebased all the other patches on the first one you just updated ^16:55
*** Ephur has joined #openstack-keystone16:55
lbragstaddolphm addressed your 'additionalProperties' comment and included it into all the patches ^16:56
bknudsonlbragstad: btw, I tried to set minItems for methods to 1 but somehow there are some tests that generated 0 methods. I thought that was weird.16:57
bknudsonI didn't look into it much. looked like it had to do with external.16:57
*** stack_ is now known as narengan1216:58
*** david-lyle has quit IRC16:58
*** jsavak has quit IRC17:00
*** jsavak has joined #openstack-keystone17:00
*** e0ne has quit IRC17:01
*** diazjf has quit IRC17:03
*** david-lyle has joined #openstack-keystone17:06
openstackgerritSteve Martinelli proposed openstack/keystone: deprecate write support for identity LDAP  https://review.openstack.org/25625717:08
stevemarnotmorgan: ayoung dstanek ^17:08
*** rcernin has joined #openstack-keystone17:09
samueldmqayoung: okay, I will add a cyclic reference check and address a few nits in a follow-on patch17:13
ayoungsamueldmq, thanks.  Long chain of patches depends on that one17:13
*** lhcheng has joined #openstack-keystone17:13
*** ChanServ sets mode: +v lhcheng17:13
samueldmqayoung: yes, I will get throught them today/tomorrow, reviewing them carefully takes time17:14
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split identity backend tests  https://review.openstack.org/26914817:14
*** diazjf has joined #openstack-keystone17:16
openstackgerritMerged openstack/keystone: Add linters environment, keep pep8 as alias  https://review.openstack.org/26924817:18
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947917:19
stevemardstanek: i improved https://etherpad.openstack.org/p/keystone-mitaka-midcycle a bit, with a list of possible things to do17:24
openstackgerritSteve Martinelli proposed openstack/keystone: deprecate write support for identity LDAP  https://review.openstack.org/25625717:29
*** petertr7_away is now known as petertr717:30
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate `hash_algorithm` config option  https://review.openstack.org/25626017:31
stevemarlhcheng: dstanek ayoung i fixed up https://review.openstack.org/#/c/256257/4 and https://review.openstack.org/#/c/256260/4 so the "deprecated_reason" matches17:31
* stevemar needs food before keystone meeting!17:32
lhchengstevemar: thanks!17:32
stevemarmarekd: rodrigods head up that i moved https://blueprints.launchpad.net/keystone/+spec/service-provider-filters to mitaka 317:35
*** ninag has joined #openstack-keystone17:35
stevemarthanks guys!17:41
*** henrynash has joined #openstack-keystone17:41
*** ChanServ sets mode: +v henrynash17:41
openstackgerritMerged openstack/keystone: Add release note for revert of c4723550aa95be403ff591dd132c9024549eff10  https://review.openstack.org/26502417:45
openstackgerritMerged openstack/keystone: Fix indentation for oauth context  https://review.openstack.org/26764917:45
openstackgerritMerged openstack/keystone: Enable `id`, `enabled` attributes filtering for list IdP API  https://review.openstack.org/21504117:45
lbragstaddstanek can i update https://review.openstack.org/#/c/215715/ with a FIXME comment saying that we will remove the dependency?17:47
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947917:47
dstaneklbragstad: yes, thx!17:48
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947917:48
*** jistr has quit IRC17:48
*** pnavarro has quit IRC17:49
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571517:50
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947917:50
lbragstaddstanek done ^17:50
dstaneklbragstad: +2ed. thx17:53
mnaseri know it's a bit of a deadline and devs might be busy, but I was wondering if anyone had ideas on the best way to hook into keystone's federated login process?  when using websso, we'd ideally like to provision a domain for the user if it does not exist, however, i can't seem to run into a clean way of doing this17:53
ayoungmnaser, there is none17:54
ayoungmnaser, I was trying to get people to discuss that last summit17:54
mnaseralright, i'll look at other alternatives in this case17:54
ayoungmnaser, it is not a keystone only problem17:54
lbragstaddstanek thank you17:54
dstanekmnaser: you want a different domain for each user?17:54
ayoungas there are other resources to provision that are not Keysrtone specific17:54
mnasermy domain ID is the users oidc_sub, but i dont have that info until the user signs in the first time.. so its a a bit of an iffy weird thing17:54
mnaserdstanek: ideally yes, each user has a domain where they can create their own projects, users, etc. (public cloud setup)17:55
ayounghe wants HMT17:55
notmorgannot really that17:55
notmorganjust a customer has a domain with SSO login17:55
notmorganthat is not HMT17:55
ayoungnotmorgan, coming from the same OIDC?17:56
mnaseryes, same oidc17:56
notmorganmnaser: for the customer's users?17:56
ayoungstill think we should do 1 to 1 IdP to domain for users17:56
mnaserthe customers (domain) users would just be keystone users that can access it directly without sso/oidc17:57
notmorganmnaser: thats what i thought17:57
mnaserreally, in our case, only the "domain admin" logs in using oidc17:57
*** _cjones_ has joined #openstack-keystone17:57
notmorganayoung: ^17:57
openstackgerritguang-yee proposed openstack/keystone: wsgi: fix base_url finding  https://review.openstack.org/22646417:58
ayoungmnaser, so the auto provisioning thing....17:58
notmorganyou might need to provision the domain directly vs on login.17:58
ayoungassuming you can listned for a keystone notification, you could get something that tells you when a user logs in.17:58
*** usr2 has quit IRC17:58
ayoungI don't think we have a part that says :this is a new user never in before17:58
mnaserayoung: the problem is the login fails in keystone with "failed to map user"17:59
*** shaleh has joined #openstack-keystone17:59
mnaserso the domain must exist before hand17:59
stevemarmeeting time soon :)17:59
mnasermy oidc provider sub value isn't accessible beforehand17:59
stevemarcourtesy ping for ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rodrigods, roxanaghe, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub, rderose, samleon, xek, MaxPC, tjcocozz17:59
notmorganmnaser: let me think on this for a moment. i might have a solution... might...18:00
notmorganmnaser: but meeting first, so back in like an hour18:00
mnasernotmorgan: sure :)18:00
samueldmqhenrynash: may we talk post-meeting about how to deal with circular references there ?18:00
samueldmqayoung: ^18:00
henrynashsamueldmq: sure18:00
ayoungsamueldmq, circular is dealt with alrady18:00
samueldmqhenrynash: ayoung: it's hard because we allow duplicates we expanding the lists, so we might want to avoid them at all (checking at creation time ?)18:01
*** fawadkhaliq has quit IRC18:08
*** e0ne has joined #openstack-keystone18:16
*** narengan12 has quit IRC18:23
*** mhickey has quit IRC18:23
*** spandhe has joined #openstack-keystone18:25
openstackgerritFernando Diaz proposed openstack/keystone: Strengthen Mapping Validation in Federation Mappings  https://review.openstack.org/25016218:28
*** fhubik has quit IRC18:30
*** zhiyan has quit IRC18:33
*** odyssey4me has quit IRC18:33
openstackgerritFernando Diaz proposed openstack/keystone: Strengthen Mapping Validation in Federation Mappings  https://review.openstack.org/25016218:34
*** tpeoples has quit IRC18:34
*** woodster_ has quit IRC18:34
*** jraim has quit IRC18:34
*** pumarani- has quit IRC18:35
*** hockeynut has quit IRC18:36
*** odyssey4me has joined #openstack-keystone18:36
*** tpeoples has joined #openstack-keystone18:36
*** zhiyan has joined #openstack-keystone18:36
*** hockeynut has joined #openstack-keystone18:36
*** jraim has joined #openstack-keystone18:37
*** woodster_ has joined #openstack-keystone18:37
*** jsavak has quit IRC18:44
*** jsavak has joined #openstack-keystone18:44
*** avarner_ has joined #openstack-keystone18:47
*** avarner has quit IRC18:50
*** narengan12 has joined #openstack-keystone18:53
*** boris-42 has quit IRC18:53
*** petertr7 is now known as petertr7_away18:56
gyeeif we allow service users to lookup project that should do it right?19:00
*** jgregor has joined #openstack-keystone19:00
ayounghenrynash, I will +1 https://review.openstack.org/#/c/242614/ for your changes.  Please +2 the overall review19:00
notmorgansamueldmq: you shouldn't ever allow a circular reference19:00
notmorgansamueldmq: just catching up on your ^ above convo19:00
ayoungnotmorgan, if he is talking about implied roles, then the issue is handled19:00
notmorganayoung: in whichever context ;)19:01
samueldmqnotmorgan: yes that's the point, so we should avoid the circular reference at creation time19:01
ayoungeven if there is a circular reference, building the implied roles set will not be a problem.19:01
gyeeayoung, how, that while loop will go forever19:01
lhchenggyee: yup, that's what cinder is looking for: either allow the project query or add the parent_id in the token.19:01
samueldmqnotmorgan: what I think we DON'T do for hierarchical projects19:01
ayounggyee, nope...only follow a new node, not onw you;ve seen before19:01
raildolhcheng: ++19:01
notmorganeh we could also just do an "entry ref" and break but19:01
samueldmqgyee: yes19:01
mc_nairayoung:didn't realize about the parent_id being immutable.  So the caching would help.  My understanding is that we could then make this work if we just let a non-admin of the current project do a get_project19:01
ayoungwe are building a set.  Add the explicit roles to the set,  then follow each.  If that one is not in the set, add it and follow19:02
ayoungmc_nair, implied roles!19:02
notmorgansamueldmq: hierarchical projects has anti circular code already19:02
ayoungmc_nair, we get implied roles implemented, we fix a lot of brokeness19:02
gyeeayoung, that while loop will keep appending roles for circular reference, that's what samueldmq's seeing19:02
notmorgansamueldmq: but that is cause it would be broken to have a circular ref there, conceptually19:02
ayoungor at least have the tool to fix it19:03
samueldmqnotmorgan: only to avoid staying in the loop, but they can be created I think19:03
ayounggyee, nope19:03
mc_nairayoung: I have zero Keystone experience, so other than sounding like total magic to me I don't understand how it solves grabbing the project for non-admin user19:03
gyeeayoung, I'll rest my case with a test case :)19:03
samueldmqnotmorgan: eg https://github.com/openstack/keystone/blob/master/keystone/resource/backends/sql.py#L114-L13219:03
notmorgansamueldmq: if they can be created, it was a bug in the logic. i remember creation was meant to prevent that. and parent_id is immutable19:03
*** jsavak has quit IRC19:03
raildoayoung: by default, a member role, will be a subset for admin, right?19:03
ayoungmc_nair, with iplied roles, we can easily make more fine grained roles, and make rules that say "if you are memeber, you also get projectreader"19:03
notmorgansamueldmq: we also added in creation code.19:03
ayoungraildo, that is the plan!19:04
gyeelcheung, ++, lets relax the policy19:04
*** alex_xu has quit IRC19:04
ayoungsamueldmq, let me walk youy through it19:04
samueldmqnotmorgan: did we ? https://github.com/openstack/keystone/blob/master/keystone/resource/backends/sql.py#L140-L14619:04
raildoayoung: right, but if on keystone the get_project operation is enforced just for admin, how the member user (using implied roles) will do the operation without change the policy?19:04
*** gonzalo2kx has joined #openstack-keystone19:04
samueldmqnotmorgan: and https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L179-L21219:05
ayounghttps://review.openstack.org/#/c/264260/24/keystone/assignment/core.py  samueldmq start here on line 62119:05
samueldmqnotmorgan: I don't think we did19:05
mc_nairayoung: ok, that helps some.   Couldn't we already do something like that with a role like this in policy.json - https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json#L319:05
gonzalo2kxHello everyone19:05
notmorgansamueldmq: then someone screwed up. because that was a requirement to be added for landing HMT19:05
ayoungmc_nair, so implied roles are going to be served out by keystone, you will see them in the token19:05
samueldmqnotmorgan: bug ?19:05
notmorgansamueldmq: it was one of the minimal things i required for accepting it19:05
henrynashmc_nair: I *think* we all agree that someone with a role on a project should be able to do a get_project on it19:05
rodrigodsit is impossible to create circular references in hierarchical projects, it needs a update19:05
notmorgansamueldmq: no idea if there is a bug. but this means yet again someone just skipped on writing code.19:05
ayoungmc_nair, I started off by trying to do them in the policy files, but it failed under the weight of organizational inertia19:05
rodrigodsand update of parent_id is not possible19:06
notmorganrodrigods: right.19:06
gonzalo2kxCould someone aid me on how I could change the endpoint IP for Keystone V3?19:06
notmorganrodrigods: i was almost sure that was impossible.19:06
samueldmqnotmorgan: yes so this need to be revisited and fixed accordingly19:06
notmorgansamueldmq: it is impossible19:06
notmorgansamueldmq: you can't ever update parent_id19:06
ayoungsamueldmq, OK,  so lets say that we have the loop R1->R2->R3->R119:06
gonzalo2kxI am able to change the v2 enpoins on mysql but no clue on how to change the v3s endpoints19:06
notmorgansamueldmq: you can't create a project with a child19:06
notmorgansamueldmq: you can't make a circular loop19:06
ayoungsamueldmq, and...say R3 is implicitly assigned19:06
samueldmqayoung: they will also be appended to the ending of the list, then revisited19:06
ayounghold on19:06
*** alex_xu has joined #openstack-keystone19:07
ayoungrefs_to_check  is the set of ones that we followe19:07
notmorganrodrigods: phew, i was gonna get upset. :P19:07
ayoungthat gets initialized at 62219:07
notmorganrodrigods: i was sure we made sure you can't make circular refs in hierarchical projects19:07
raildonotmorgan: yeap, we have tests for this case19:08
*** petertr7_away is now known as petertr719:08
rodrigodsnotmorgan, yep... we discussed this a lot19:08
notmorganraildo: ++ :)19:08
rodrigodsthe check in list was just to make sure that anyone has messed up the DB19:08
notmorganrodrigods: yeah that is why i was starting to be worried.19:08
*** jsavak has joined #openstack-keystone19:08
samueldmqcool, sorry for the confusion, I was looking at the create logic and not considering that update wasn't possible19:08
samueldmqnotmorgan: :-)19:08
notmorgansamueldmq: :)19:08
*** timcline has quit IRC19:08
lbragstaddolphm fyi - http://gatewatch.dolphm.com/ is down19:09
*** timcline has joined #openstack-keystone19:09
samueldmqayoung: sorry, available now19:09
dolphmlbragstad: i didn't know it was still running19:09
*** timcline has quit IRC19:10
*** timcline has joined #openstack-keystone19:10
lbragstaddolphm oh - were you planning on taking it down?19:10
ayoungsamueldmq, let me map this back to how I originally wrote it.  Something has changed, and you might be right19:10
samueldmqayoung: exactly19:10
raildoayoung: gyee, lhcheng so, what we will decide? I can create a poc to add parent_id on token, or we can discuss relax the policy, or any other option?19:10
dolphmlbragstad: gerrit dashboards have mostly superseded it for me19:10
samueldmqayoung: the algorithm you described above works ^ which add only new nods to the list in the loop19:10
gyeeraildo, I think relaxing the policy is a better option19:11
notmorgandolphm: ++19:11
bretonhas opensdk-meeting moved somewhere?19:11
lbragstaddolphm gotcha - i always use it to figure out what the gate wait time is19:11
samueldmqayoung: however I agree with notmorgan that we should not even allow creating loops, even if we don't see an issue at a glance19:11
lbragstaddolphm but I suppose I can get that from zuul19:11
bknudsonsuccess - it got up to 0 degrees F.19:12
notmorganit would be better if we don't allow loop creation, it avoids a whole slew of other things such as ending with weirdly orphaned roles19:12
dolphmlbragstad: oh, there was a bug in the calculation that made it uselessly inaccurate when the gate went past 24 hours19:12
mc_nairhenrynash: ok cool. So then would you be against me making a change to the policy.v3cloudsample.json to allow member of current project to grab it by adding role like this - "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",19:12
dolphmlbragstad: that was the useful bit, for sure though19:12
*** timcline_ has joined #openstack-keystone19:12
dolphmlbragstad: i should trim it down to just that19:12
dolphmlbragstad: and put that back up..19:12
ayoungsamueldmq, I used to have this line:19:12
ayoungif implied_id in checked_roles: continue19:12
lbragstaddolphm it certainly isn't a priority - just curious19:13
notmorganbut i think we can survive with circular refs in the implied roles19:13
henrynashmc_nair: there are a number of changes in lfight for this…I’ll integrate a proposal for this into the mix19:13
notmorganjust it opens a lot of extra complexity19:13
notmorganand edge cases to handle19:13
raildohenrynash: ++ thanks for that19:13
mc_nairhenrynash: sounds good.  Thank you19:14
lhchenghenrynash: thanks for taking care of that19:14
*** jsavak has quit IRC19:14
samueldmq#vote henrynash19:14
*** timcline has quit IRC19:15
lbragstadayoung is there any requirements on who is allowed to delete a trust?19:15
lbragstadayoung only the trustor, right?19:15
dolphmlbragstad: if you want the 72 hour gate load graph, it's basically this http://graphite.openstack.org/render/?from=-72hours&width=1920&height=1080&margin=0&hideLegend=true&hideAxes=true&hideGrid=true&target=color(stats.gauges.zuul.pipeline.gate.current_changes,%20%27000000%27)19:15
ayounglbragstad, that was the original logic.  Maybe an admin for an override, but better then to disable the user if there is some reason to think they will just recreate it19:16
ayounghenrynash, I think you broke it19:16
ayoungand I should have caught that19:16
henrynashhtruta, samueldmq: seperate subject, on projects as a domain, I have reworked the key patch for this (combining the one for tests and the one for implementing it)….and am going to rebase the whole chain on teh removal of resource ldap backend for simplicity….so expect a reposting of all the patches soon19:17
htrutahenrynash: great19:17
ayounghenrynash, I bet you thought I caught circular references on creation, but I was just paranoid that I would get it wrong, and wanted to catch them when expanding out in the token19:17
lbragstadjorge_munoz is what ayoung just described what you're seeing?19:17
htrutahenrynash: I wonder how big this patch got19:17
gonzalo2kxCould someone aid me on how I could change the endpoint IP for Keystone V3?19:18
lbragstaddolphm ah, thanks!19:18
dolphmlbragstad: or for the black on white look, http://graphite.openstack.org/render/?from=-72hours&width=720&height=240&margin=0&hideLegend=true&hideAxes=true&hideGrid=true&target=color(stats.gauges.zuul.pipeline.gate.current_changes,%20%27white%27)&bgcolor=black19:18
lbragstadjorge_munoz can you push what you have locally for right now - even if it's not passing all the tests?19:19
lbragstadjorge_munoz that way ayoung  and I can take a quick look19:19
henrynashhtruta: so it only went up by 100 lines, since I separated out the idea of using parent_id (with domain_id) to dictate where in the hierachy you should create, plus simplifcaition of some of the changes to teh tests….and then without LDAP and assuming we do https://review.openstack.org/#/c/269422 (ahead of time) we simplfiy the tests more….we’ll be down lower than just the implmentation patch was to start19:21
raildohenrynash: you're the guy! I owe you a pint :)19:24
henrynashmc_nair: sure19:24
ayounghenrynash, what am I missing?  As you pioint out, we have an explicit test...19:24
htrutahenrynash: awesome19:24
henrynashayoung: i’mnot sure what you are missing!19:24
*** jaosorior has quit IRC19:25
ayounghenrynash, there used to be logic that prevented endlessly following circular references in the role inference code19:25
ayounghenrynash, I'm not seeing it now19:25
lbragstadayoung dolphm think i could get a quick review on - https://review.openstack.org/#/c/215715/19:25
*** jaosorior has joined #openstack-keystone19:25
lbragstaddolphm fyi dstanek already +2 so we'll require ayoung's vote19:26
henrynashayoung: could it be that when I refactored it to work inside list_role_assignments, I removed it in error?19:26
ayounglbragstad, gah..hate the cross backend code there19:26
ayounghenrynash, I think so...19:26
ayoungbut do we then still have that test?19:26
lbragstadjorge_munoz here ya go - https://bugs.launchpad.net/keystone/+bug/153483419:27
openstackLaunchpad bug 1534834 in OpenStack Identity (keystone) "Policy check forces impersonation for redelgation of trust" [Undecided,Confirmed]19:27
ayounghenrynash, yeah, I think we lost a check19:27
ayounghenrynash, I'll add a test and see if it breaks19:28
ayounglbragstad, I really don't like that code19:28
ayounglbragstad, I don't want the id backend to notify the assignement backend, because we should not do anything that does not work for Federation first off19:28
lbragstadayoung alright - i can try and sit down with dstanek to figure out how he wanted to fix it19:29
ayounglbragstad is the goal to cache role assignments for a specific user by pre-cacluating the role assignments for a group?19:29
*** jgregor has quit IRC19:30
henrynashayoung: the test I wrote (and I commented about) was about showing we could have different parents and so would (and should) have “duplicates” in the resulting list from a list_role_assignmnets perspective19:30
lbragstadayoung the goal is to cache roles for a user + project and cache roles for a user + domain19:30
ayounghenrynash, ah,  no, not the same thing.  I just read through that test and realized19:30
henrynashayoung: agreed, I wasn’t trying to test circularity19:31
ayounghenrynash, I should have had a circularity test in there19:32
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust redelegation and associated test  https://review.openstack.org/26982419:33
ayounghenrynash, its hard to test, as you really need the "expand" code in there, but that really only gets tested from the assignment tests19:33
ayoungnot backend19:33
*** jsavak has joined #openstack-keystone19:35
henrynashhey, heads up…all our jenkins are failing on the new ”linters” tests - can’t build/find the environment19:35
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust redelegation and associated test  https://review.openstack.org/26982419:35
lhchenggonzalo2kx: have you tried using the openstackclient command "openstack endpoint set .. <endpoint_id>" ?19:35
lhchenggonzalo2kx: https://github.com/openstack/python-openstackclient/blob/master/doc/source/command-objects/endpoint.rst#endpoint-set19:35
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust redelegation and associated test  https://review.openstack.org/26982419:36
henrynashwho added the linters job?19:37
bknudsonhenrynash: ajaeger19:37
bknudson(it's in the git history)19:37
henrynashbknudson: thx19:38
lbragstadamakarov are you around?19:40
*** jsavak has quit IRC19:40
*** jsavak has joined #openstack-keystone19:42
*** jsavak has quit IRC19:43
*** dslev has joined #openstack-keystone19:47
*** gyee has quit IRC19:49
henrynashmc_nair: are you rdmcnair?19:49
*** petertr7 is now known as petertr7_away19:52
*** jsavak has joined #openstack-keystone19:54
*** petertr7_away is now known as petertr719:56
*** PsionTheory has joined #openstack-keystone19:56
*** jsavak has quit IRC20:00
*** jsavak has joined #openstack-keystone20:01
*** tonytan4ever has quit IRC20:02
*** diazjf1 has joined #openstack-keystone20:03
*** rderose has quit IRC20:04
*** e0ne has quit IRC20:04
*** diazjf has quit IRC20:05
samueldmqbknudson: so, about the cross-project liaison role, are you available now ?20:06
bknudsonsamueldmq: yes20:06
henrynashstevemar, ayoung: would be good to slip in https://review.openstack.org/#/c/265650/ into m2, means final part of a multi-patch blueprint, that we could then mark as complete20:07
bknudsonsamueldmq: btw, there might be a cross-project meeting in an hour20:07
samueldmqbknudson: so, first I looked at http://docs.openstack.org/project-team-guide/cross-project.html#cross-project-specification-liaisons20:07
samueldmqbknudson: yes, that was one question, I was looking at https://wiki.openstack.org/wiki/Meetings/CrossProjectMeeting20:07
samueldmqand it isn't updated20:07
*** jaosorior has quit IRC20:08
samueldmqbknudson: oh it is, "public weekly cross-project meeting"20:08
bknudsonthe cross-project meetings are often canceled due to no topics20:08
bknudsonsamueldmq: looks like it's skipped this week - http://lists.openstack.org/pipermail/openstack-dev/2016-January/084367.html20:09
samueldmqbknudson: from what I understand, I need to pay attention to all cross-proejct themes and20:10
samueldmqi) see how it applies to keystone20:10
samueldmqii) how we can help other projects/get help from20:10
*** rderose has joined #openstack-keystone20:10
stevemarhenrynash: yeah, that's on my list20:12
samueldmqhenrynash: ++ assignment ackend looks much clearner/performant and beutiful now :)20:15
henrynashsamueldmq: getting there!20:15
*** tonytan4ever has joined #openstack-keystone20:15
bknudsonsamueldmq: I think you're expected to review the proposed cross-project specs with an eye towards if this is going to cause problems for keystone20:16
stevemarhenrynash: ayoung implied roles should land any minute now!20:16
ayoungstevemar, yeah..I'm watching it20:16
henrynashstevemar: yep20:16
bknudsonsamueldmq: and also notify keystone via the meeting if there's a new spec that we might be interested in.20:16
samueldmqbknudson: perfect, got it, basically just adding another repo to review :)20:17
bknudsonsamueldmq: yes, and tell keystone devs if there's anything in that repo others might be interested in.20:18
notmorgan./me glares at jenkins errors.20:19
samueldmqbknudson: nice, thanks for sharing20:19
stevemarsamueldmq: i believe the meeting is in 40 minutes :)20:20
samueldmqstevemar: they skipped it http://lists.openstack.org/pipermail/openstack-dev/2016-January/084367.html20:21
*** e0ne has joined #openstack-keystone20:22
mc_nairhenrynash: correct.  mc_nair is rdmcnair.... need to update that somewhere :)20:22
henrynashmc_nair: ok. np…!20:22
*** e0ne has quit IRC20:22
*** narengan12 has quit IRC20:25
*** slberger has quit IRC20:28
*** slberger has joined #openstack-keystone20:29
samueldmqayoung: you working on this circular reference thing ?20:33
samueldmqhenrynash: perhaps you might look at https://review.openstack.org/#/c/253219/ ?20:34
samueldmqhenrynash: should be an easy approval20:34
stevemarsamueldmq: this is why you are the liaison and i'm not :P20:34
ayoungsamueldmq, yes20:34
samueldmqhenrynash: dstanek: regarding test_backend split, patches are up to review20:35
samueldmqhenrynash: dstanek: it would be nice if we could put some priority on them (if possible) because they will conflict a lot with others, for sure20:35
samueldmqat worst, perhaps at midcycle ? :)20:35
samueldmqayoung: nice20:35
samueldmqstevemar: hehe20:35
henrynashsamueldmq: yep, they’re achalleng to get in!20:36
samueldmqhenrynash: ++ and the challenge starts at https://review.openstack.org/#/c/26830720:37
*** gildub has joined #openstack-keystone20:39
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995820:41
*** boris-42 has joined #openstack-keystone20:42
ayoungstevemar, and back to 1 hr 27 min...for a patch that only failed due to a transient error at that20:46
openstackgerrithenry-nash proposed openstack/keystone: Add is_domain parameter to get_project_by_name  https://review.openstack.org/21060020:47
samueldmqhenrynash: thanks20:50
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995820:50
*** jasonsb has quit IRC20:54
samueldmqhenrynash: quick question about driver interface ...20:54
henrynashsamueldmq: yep20:54
*** dslev has quit IRC20:55
samueldmqhenrynash: does the implementer need to follow var names for the function params ?20:55
*** vgridnev has quit IRC20:56
stevemarayoung: https://review.openstack.org/#/c/242614/38 hasn't been +2'ed yet, and it looks like it's the other half of implied roles20:56
stevemarayoung: based on that, i'm gonna bump it to mitaka-3, but the sooner it lands the better, given that DSR depends on it20:57
*** mhickey has joined #openstack-keystone20:57
ayoungstevemar, fine by me20:57
ayoungstevemar, so long as it makes mitaka final20:57
henrynashsamueldmq: so you mean, if we change a parameter name, does that require a driver version change…I’d have said no, but bknduson pointed out that IF every wrote some poor code in the manager that used parameter naming (even though it was not a positional paramater), then it would not work with anolder driver20:57
stevemarayoung: should be fine, this is just procedural20:58
stevemarjust for me to keep things organized20:58
samueldmqhenrynash: see https://review.openstack.org/#/c/248295/20:58
stevemarhttps://review.openstack.org/#/c/249958/ and https://review.openstack.org/#/c/265650/ are the only two that can make mitaka-2 and have a spec :O20:59
stevemartjcocozz: thats you buddy! ^20:59
*** daemontool_ has quit IRC20:59
samueldmqhenrynash: that was my point, if we do call driver functions with named parameters20:59
samueldmqhenrynash: it might not work sometimes, in the case we rename params as in this patch ^20:59
tjcocozzstevemar, i've got this!!20:59
stevemartjcocozz: looks like dstanek and i have reviewed it the most21:00
tjcocozzstevemar, yes!  1 more fix coming out right now.21:00
openstackgerritTom Cocozzello proposed openstack/keystone: List assignments with names  https://review.openstack.org/24995821:01
henrynashsamueldmq: so probably something we should get a combo of stevemar, dstanek and bknudson to chime in on….for me it seems a little overkill to require driver versioing…but given we already have nearly all the divers versioned, probably no harm to do the param swap in the wrapper21:01
dstanekstevemar: which review?21:01
stevemardstanek: https://review.openstack.org/#/c/249958/21:01
stevemardstanek: about your comment in the commit msg21:02
samueldmqhenrynash: yes, or simply don't call driver funcions with named params ?21:02
stevemardstanek: the API is here: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#list-effective-role-assignments21:02
stevemardstanek: look for "include_names"21:02
stevemartjcocozz: dstanek: we're *not* including the entire entity21:03
dstanekstevemar: the code is not or we do not want to?21:03
stevemartjcocozz: dstanek referring to the discussion here: https://review.openstack.org/#/c/249958/29..31//COMMIT_MSG21:03
tjcocozzstevemar, dstanek not entire entity21:03
stevemardstanek: the code isn't and the spec isn't21:03
stevemardstanek: the code just adds names21:03
stevemardstanek: the spec just has the names21:03
stevemarand extra properties like description/enabled/links are not included21:04
stevemarin spec or code21:04
tjcocozzstevemar, before i was adding the entity inside list_role_assignments()21:04
tjcocozznow it is added in _format_entity()21:04
stevemartjcocozz: hmm? i tried it out and it was just names for me21:04
stevemartjcocozz: ah okay, you modified it recently to just emit names?21:04
dstanekstevemar: the code looked like it took the entity and just directly used it; not pulling the name out of it21:05
stevemarcause i tried this late last night and it was working fine21:05
*** pauloewerton has quit IRC21:05
dstanekstevemar: tjcocozz: i guess the question i have is where do we pull id and name out of the entity?21:06
henrynashhtruta, rodigods, sameuldmq: first of the projects-as-a-domain rebased patches: https://review.openstack.org/#/c/210600/47 - I simplified this one by using a sub methods to do the caching, so we didnt have to change everywhere get_project_name() was called21:06
tjcocozzstevemar, dstanek i was formatting it to what the bp wanted https://review.openstack.org/#/c/240466/10/api/v3/identity-api-v3.rst21:06
stevemartjcocozz: lemme take another look at the whole thing21:06
stevemartjcocozz: ah you were doing it in _format_role_data21:07
*** vgridnev has joined #openstack-keystone21:08
stevemarwhereas now you're creating entities with fields like 'group_name', 'group_domain_name', etc...21:08
tjcocozzstevemar, thanks!  yes i was.  I thought it was getting to cluttered in _format_entity()21:08
henrynashstevemar, gyee: little tweak to filtering of GET /projects to ensure no api result impact to projects acting as a domain: https://review.openstack.org/#/c/269422/21:08
stevemarhenrynash: SPECS!21:09
dstanektjcocozz: ah, nm. you updated it since the last time i looked21:09
stevemarhenrynash: we're talking about practice21:09
dstanekstevemar: what i was talking about was the changes starting on 516 here https://review.openstack.org/#/c/249958/29..32/keystone/assignment/controllers.py21:09
tjcocozzdstanek, yes i did.  I think it what you are looking for21:10
dstanekstevemar: the last time i really looked it was just using the entire entity21:10
dstanektjcocozz: that's exactly it, just name and id21:10
dstanekotherwise include_names doesn't make sense21:10
tjcocozzdstanek, it was using the entire entity becasue it was formatted and put into the entity in list_role_assignemnts (or atleast it used to be)21:11
dstanektjcocozz: the probliem is that is list_role_assignments changes do to some requirement then you may get extra fields21:12
dstanektjcocozz: stevemar: also it may be important to note that this will be an extremely heavy call compared to the include_names=False version21:15
stevemardstanek: the hope is that the caching helps21:15
henrynashstevemar: teh reseller spec always include filtering of rpojects (teh code is already up), however, to me this seems liek a better filter21:15
*** gildub has quit IRC21:17
*** gyee has joined #openstack-keystone21:17
*** ChanServ sets mode: +v gyee21:17
*** vgridnev has quit IRC21:19
*** henrynash has quit IRC21:19
*** vgridnev has joined #openstack-keystone21:19
*** rderose has quit IRC21:20
*** vgridnev has quit IRC21:20
dstanektjcocozz: i'm a little confused still; can the domain information be in there multiple times now? once in project and one in user for example21:22
dstanektjcocozz: i was thinking that this would just add name to the dicts that only had ids21:22
*** e0ne has joined #openstack-keystone21:23
tjcocozzdstanek, you have the project domain and the users domain.  like it is here in the response https://review.openstack.org/#/c/240466/10/api/v3/identity-api-v3.rst21:23
dstanektjcocozz: very strange that the include_names=False response is so much different; oh well, it was probably thought through by the spec reviewers21:26
bknudsondstanek: specs aren't written in stone21:26
tjcocozzdstanek, i asked the same question.21:26
dstanektjcocozz: what was the answer?21:26
tjcocozzbknudson, we can't go back now ;)21:27
dstanekbknudson: true, but the question is if it's worth the energy to see if it's correct or not :-)21:27
tjcocozzdstanek, exactly what you said.  If people reviewed it... its what keystone needs21:27
dstanekstevemar: ^?21:28
tjcocozzdstanek, if you think it should be changed i am all for it21:28
bknudsonspec reviewers don't have the advantage of seeing the code21:28
dstanekbknudson: true, but just looking at the spec you see the wierdness of the response21:28
dstanekin the original response we didn't care about adding domain to everything, but adding include_names=True now adds the names and adds domain in many different places21:29
bknudsondstanek: just getting the user name is useless... you need the domain, too.21:30
bknudsonsame for project21:31
*** gordc has quit IRC21:31
dstanekbknudson: right i get that because they are not globally unique, but this now feels asymmetrical21:32
dstanekbknudson: that's why i said i'd trust the original reviews21:33
bknudsonif you've got a better solution then propose it.21:33
samueldmqayoung: new gerrit ui confuses me21:33
*** e0ne has quit IRC21:33
samueldmqayoung: I just spent time reviewing https://review.openstack.org/#/c/242614/3821:33
samueldmqayoung: note the /38 at the end21:33
ayoungsamueldmq, YEAH, That got me a time or two, too21:34
dstaneksamueldmq: i have the same issue21:34
samueldmqayoung: dstanek: :(21:35
samueldmqlooks like the version number is part of the url/cookie21:36
samueldmqdon't know, but something is weird and I am no used to it yet :(21:36
*** jasonsb has joined #openstack-keystone21:38
samueldmqayoung: omg, that changed a LOT from 38 to 5221:38
dstanektjcocozz: i'm not entirely convinced of the coverage, but this code really isn't all the testable right now (the original, not just your changes)21:41
ayoungsamueldmq, OK, I think I know how henry misunderstood my intenion in the origianal code.  Good eyes;  his cache was, I thought, the same thing as I was originally doing21:41
tjcocozzdstanek, I checked it a couple times.  What do you think isn't covered?21:41
ayoungthe mistake I made was in  not having a unit test for the cycles.  My rationale was; if it fails, it runs forever, but that is a bad rationale21:42
lbragstadjorge_munoz added a few comments to https://review.openstack.org/#/c/269824/3 but wouldn't be opposed to ayoung and amakarov giving it a once over, too21:42
dstanektjcocozz: the reason i say that is the number from coverage.py will tell you if the block if covered and even the cases in a single construct if you ask it, but i don't think if looks at all of the combinations of all of the if statements21:42
tjcocozzdstanek, oh i see what you are saying21:43
ayounglbragstad, does that hande the check for trustor==user?21:43
*** jasonsb has quit IRC21:43
jorge_munozlbragstad: Thanks, I’ll take a look.21:44
*** dslev has joined #openstack-keystone21:45
tjcocozzdstanek, i think my code has good coverage just from the fact that i am making sure the exact response that is formatted is returned.21:47
bknudsonpics from the security meetup - https://photos.google.com/share/AF1QipNeswyo7oYY4kN7mFpi2v4u5LMfgOSOisvg4wwTnIMAROHBOsSMuvXXxQ5o6Ohckw?key=THVhZ254Y1hLd0VDODlWLXFnQjNvMEloWFNUZVdR21:47
samueldmqayoung: yes, so we have a potential inifinite-loop right ,21:47
ayoungsamueldmq, right now, yes21:48
ayoungsamueldmq, I have a test, but I have not gotten the logic right to expand the roles yet21:48
*** jsavak has quit IRC21:48
*** jsavak has joined #openstack-keystone21:48
ayoungI'm off by one ATM21:48
samueldmqayoung: I am aware of that logic, I may help you if you want21:49
dstanektopol: see if my answer makes sense to you21:51
*** spzala has quit IRC21:52
ayoungsamueldmq, GAH...so the problem is that if you have a role both implicit and explicit...what should you see in the token?21:53
*** spzala has joined #openstack-keystone21:53
samueldmqayoung: does it matter ? do we add information of where that role came from ? or just we add 'roles': [...] in the token ?21:54
ayoungsamueldmq, yeah, if a role is implied we put in21:54
ayoung'indirect': {'role_id': u'0f5b38020fbf45959d36e4efe67aecd8'}21:54
ayoungto point to the parent21:55
ayoungand henry's tests look for both being in the token21:55
samueldmqayoung: so we either duplicate in the token (which is bad) or remove this info21:55
*** cburgess has quit IRC21:56
samueldmqayoung: also, what if it was implied by multiple prior role s?21:56
tjcocozzdstanek, stevemar here is what the output from the openstack client looks like if you were wondering: http://paste.openstack.org/show/484345/21:56
ayoungsamueldmq, and...if it was added by two different implied roles, I think both would be in the token the way he wrote the tests21:56
stevemaroh nice job tjcocozz21:57
*** cburgess has joined #openstack-keystone21:57
*** spzala has quit IRC21:57
samueldmqtjcocozz: too many admin assingments, be careful21:58
samueldmqayoung: I am tired, need some rest and will give a more detailed look at that patch tomorrow morning21:59
samueldmqayoung: I just left a review there, see my comments21:59
*** Guest51217 is now known as med_22:00
*** med_ has quit IRC22:00
*** med_ has joined #openstack-keystone22:00
*** lhcheng has quit IRC22:04
*** alejandrito has joined #openstack-keystone22:05
*** lhcheng has joined #openstack-keystone22:05
*** ChanServ sets mode: +v lhcheng22:05
*** jsavak has quit IRC22:06
*** su_zhang has joined #openstack-keystone22:11
*** mhickey has quit IRC22:15
*** gildub has joined #openstack-keystone22:17
dstanektjcocozz: that's pretty neat22:18
tjcocozzstevemar, dstanek thanks!22:18
tjcocozzsamueldmq, i like living on the edge ... jk22:19
dstaneksamueldmq: do everything as admin in openstack; like you to everything as root on unix22:20
*** rcernin has quit IRC22:21
*** diazjf1 has quit IRC22:25
*** spzala has joined #openstack-keystone22:27
*** spzala has quit IRC22:28
*** spzala has joined #openstack-keystone22:28
*** ninag has quit IRC22:28
*** petertr7 is now known as petertr7_away22:32
*** jamielennox|away is now known as jamielennox22:35
*** tonytan4ever has quit IRC22:38
jamielennoxstevemar: wow, the OSC spec merged :O22:41
jamielennoxayoung: oh, implied roles merged as well!22:45
jamielennoxoh, just backend22:47
openstackgerritBrant Knudson proposed openstack/keystone: Fix docstring  https://review.openstack.org/26989922:51
*** alejandrito has quit IRC22:51
*** rderose has joined #openstack-keystone22:52
*** rderose has quit IRC22:54
*** rderose has joined #openstack-keystone22:55
openstackgerritMerged openstack/keystone: Add support for strict url safe option on new projects and domains  https://review.openstack.org/25737622:58
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947923:01
*** dslev has quit IRC23:07
*** timcline_ has quit IRC23:10
*** phalmos has quit IRC23:15
*** ajayaa has quit IRC23:15
stevemartjcocozz: did you have to make any changes to keystoneclient to get the list with name in osc?23:21
*** lhcheng has quit IRC23:21
stevemartjcocozz: yeah, ya did :( https://review.openstack.org/#/c/255392/4/keystoneclient/v3/role_assignments.py23:21
stevemarstinks that we just don't have that as **kwargs there23:22
stevemarwe could just pass in "include_name=True" and append23:22
jamielennoxstevemar: people complained a lot about having kwargs for those23:22
stevemarbut that probably opens up a whole can of worms23:22
stevemarjamielennox: yeah23:22
stevemarjamielennox: o hai!23:22
jamielennoxoh o23:22
*** lhcheng has joined #openstack-keystone23:23
*** ChanServ sets mode: +v lhcheng23:23
*** lhcheng has quit IRC23:23
jamielennoxi don't know how it happens dolphm but using keystone-deploy leads to a keystone that doesn't list the v3 version on the admin interface, which causes many problems23:27
jamielennoxno idea if you still use that23:27
*** alex_xu has quit IRC23:30
*** alex_xu has joined #openstack-keystone23:31
*** lhcheng has joined #openstack-keystone23:32
*** ChanServ sets mode: +v lhcheng23:32
*** sigmavirus24 is now known as sigmavirus24_awa23:33
*** lhcheng_ has joined #openstack-keystone23:33
*** lhcheng has quit IRC23:36
*** bill_az has joined #openstack-keystone23:38
*** doug-fish has quit IRC23:39
*** lhcheng_ has quit IRC23:40
jamielennoxdolphm: something is wrong with the paste file you deploy23:40
*** lhcheng has joined #openstack-keystone23:41
*** ChanServ sets mode: +v lhcheng23:41
jamielennoxayoung: is https://review.openstack.org/#/c/242614/ the whole crud?23:48
*** slberger has left #openstack-keystone23:48
*** henrynash has joined #openstack-keystone23:49
*** ChanServ sets mode: +v henrynash23:49
*** doug-fish has joined #openstack-keystone23:49
*** pumaranikar has quit IRC23:51
*** pumaranikar has joined #openstack-keystone23:52
*** doug-fish has quit IRC23:54
*** pumaranikar has quit IRC23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!