Wednesday, 2016-01-20

*** shoutm has joined #openstack-keystone		00:01
openstackgerrit	henry-nash proposed openstack/keystone-specs: Add filter to control listing projects acting as domains https://review.openstack.org/269422	00:06
*** topol has quit IRC		00:07
*** doug-fish has joined #openstack-keystone		00:09
*** topol_ has joined #openstack-keystone		00:09
*** shoutm_ has joined #openstack-keystone		00:11
* jamielennox still thinks implied roles should just have been part of roles		00:13
*** doug-fish has quit IRC		00:14
*** markvoelker has quit IRC		00:14
*** shoutm has quit IRC		00:14
*** markvoelker has joined #openstack-keystone		00:17
*** shoutm_ has quit IRC		00:19
*** diazjf has joined #openstack-keystone		00:20
openstackgerrit	Jorge Munoz proposed openstack/keystone: Fix trust redelegation and associated test https://review.openstack.org/269824	00:20
*** spzala has quit IRC		00:21
*** spzala has joined #openstack-keystone		00:22
*** spzala_ has joined #openstack-keystone		00:24
*** spzala has quit IRC		00:26
*** shoutm has joined #openstack-keystone		00:26
openstackgerrit	henry-nash proposed openstack/keystone: Alloe project domain_id to be nullable at the manager level https://review.openstack.org/264533	00:28
*** spzala_ has quit IRC		00:28
openstackgerrit	Merged openstack/keystone: Implied roles driver and manager https://review.openstack.org/264260	00:58
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/269479	01:03
*** vivekd has joined #openstack-keystone		01:09
*** henrynash has quit IRC		01:11
*** EinstCrazy has joined #openstack-keystone		01:17
*** gonzalo2kx has quit IRC		01:19
*** su_zhang has quit IRC		01:24
*** harlowja has quit IRC		01:30
*** spzala has joined #openstack-keystone		01:30
*** harlowja has joined #openstack-keystone		01:30
*** david-lyle has quit IRC		01:31
*** spzala has quit IRC		01:34
*** browne has joined #openstack-keystone		01:36
*** jasonsb has joined #openstack-keystone		01:38
*** bill_az has quit IRC		01:41
*** EinstCrazy has quit IRC		01:41
*** EinstCrazy has joined #openstack-keystone		01:50
*** EinstCrazy has quit IRC		01:55
*** EinstCrazy has joined #openstack-keystone		01:55
*** davechen has joined #openstack-keystone		01:58
*** EinstCra_ has joined #openstack-keystone		02:00
*** EinstCrazy has quit IRC		02:03
openstackgerrit	Merged openstack/python-keystoneclient: Merge pep8 and bandit into linters https://review.openstack.org/269268	02:03
*** gonzalo2kx has joined #openstack-keystone		02:05
*** davechen1 has joined #openstack-keystone		02:06
*** davechen has quit IRC		02:09
stevemar	time to rebase all the things :(	02:16
*** _cjones_ has quit IRC		02:18
*** spzala has joined #openstack-keystone		02:19
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends https://review.openstack.org/231872	02:21
*** spandhe has quit IRC		02:28
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove LDAP Role Backend https://review.openstack.org/269385	02:28
openstackgerrit	Steve Martinelli proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends https://review.openstack.org/231872	02:28
openstackgerrit	Steve Martinelli proposed openstack/keystone: Removes KVS catalog backend https://review.openstack.org/158442	02:28
*** browne has quit IRC		02:30
openstackgerrit	Steve Martinelli proposed openstack/keystone: List assignments with names https://review.openstack.org/249958	02:31
stevemar	rebase all the things!	02:32
openstackgerrit	Steve Martinelli proposed openstack/keystone: Deprecate `hash_algorithm` config option https://review.openstack.org/256260	02:33
*** shaleh has quit IRC		02:36
*** edmondsw has quit IRC		02:37
openstackgerrit	Steve Martinelli proposed openstack/keystone: Mark memcache and memcache_pool token deprecated https://review.openstack.org/269229	02:39
openstackgerrit	Steve Martinelli proposed openstack/keystone: Deprecate `hash_algorithm` config option https://review.openstack.org/256260	02:39
openstackgerrit	Steve Martinelli proposed openstack/keystone: deprecate write support for identity LDAP https://review.openstack.org/256257	02:39
*** doug-fish has joined #openstack-keystone		02:39
ayoung	lhcheng, regarding the circular deps on implied roles	02:41
ayoung	I have a patch, but it breaks some of henry's tests, and I am trying to figure out if I am OK with that	02:42
stevemar	holy smokes there are a log of conflicts	02:42
*** dansmith has quit IRC		02:42
*** markvoelker has quit IRC		02:42
lhcheng	ayoung: cool, I'll defer that to you then :)	02:43
ayoung	lhcheng, question	02:43
lhcheng	ayoung: I am addressing other comments at the moment	02:43
ayoung	in an implied role we have the prior	02:43
ayoung	like this:	02:43
ayoung	{'project_id': u'e41b973c39664b3291918c375a9a9543', 'indirect': {'role_id': u'6826ebab18cb405097add293d34e0b12'}, 'user_id': u'5adba18e351b43fc91d6843d79bb1718', 'role_id': u'01a9b0009c094fb7acb872cff5fb3820'}	02:43
*** spzala has quit IRC		02:43
ayoung	lhcheng, what if a role is both explicitly assigned and a prior role.	02:43
ayoung	SHould we have both in ther,or just the explicit	02:43
ayoung	henry has both.	02:44
*** doug-fish has quit IRC		02:44
ayoung	and if a role is implied via multiple priors, all of them are in there	02:44
ayoung	I think...I don't want that	02:44
ayoung	I think that explicit masks implicit, and implicit might be only one of the priors states	02:44
ayoung	stated	02:44
*** spzala has joined #openstack-keystone		02:45
openstackgerrit	Steve Martinelli proposed openstack/keystone: Mark memcache and memcache_pool token deprecated https://review.openstack.org/269229	02:46
ayoung	lhcheng, what do you think?	02:46
lhcheng	ayoung: I think it should also be there..	02:46
lhcheng	ayoung more for consistency	02:46
ayoung	lhcheng, I'm also worried about size	02:46
lhcheng	ayoung: if you look at the logic in here: https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L628	02:47
ayoung	lhcheng, what about it?	02:47
openstackgerrit	Steve Martinelli proposed openstack/keystone: Deprecate `hash_algorithm` config option https://review.openstack.org/256260	02:47
*** PsionTheory has quit IRC		02:47
lhcheng	even if the implied roles are already appended before, we keep on adding it just because the prior role could be different	02:48
openstackgerrit	Steve Martinelli proposed openstack/keystone: deprecate write support for identity LDAP https://review.openstack.org/256257	02:48
*** dansmith has joined #openstack-keystone		02:48
*** dansmith is now known as Guest38462		02:48
lhcheng	ayoung: that makes me think that we should return both..	02:48
lhcheng	since we are returning all anyway	02:49
ayoung	lhcheng, that is just because that is what he is doing now	02:49
stevemar	so i think i queued up all the patches properly............	02:49
stevemar	sorry for the spam everyone!	02:49
lhcheng	but yeah, the size worries me	02:49
ayoung	but...it is going to expand the size of the tokens	02:49
ayoung	and checking for role in roles means that it could be multiple...	02:49
ayoung	it should be a single entry like	02:49
lhcheng	ayoung: horizon takes the first hit with bigger token size :/	02:50
ayoung	{'project_id': u'e41b973c39664b3291918c375a9a9543', 'indirect': {'role_ids': [u'6826ebab18cb405097add293d34e0b12','icantbebotherdtorunuuidgen']}, 'user_id': u'5adba18e351b43fc91d6843d79bb1718', 'role_id': u'01a9b0009c094fb7acb872cff5fb3820'}	02:50
jamielennox	ayoung: your putting the indirects in the token?	02:50
*** topol_ is now known as topol		02:51
*** ChanServ sets mode: +v topol		02:51
lhcheng	ayoung: do you expect the prior and implied to be used in the policy file?	02:51
ayoung	lhcheng, no	02:52
ayoung	lhcheng, that is the thing, I think maybe putting it in there at all is a mistake now	02:52
lhcheng	ayoung: maybe we should not include prior	02:52
lhcheng	easier to add things later...	02:52
lhcheng	once we have it out there, we can't remove it	02:52
ayoung	lhcheng, well, it is there now...patch merged	02:52
lhcheng	ayoung: it is merged on the backend code, but not exposed yet	02:53
lhcheng	ayoung: there's still time :)	02:53
* lhcheng trying to be optimistic		02:55
ayoung	lhcheng, I think I want to talk it over with Henry tomorrow	03:00
ayoung	UI'll write up my thoughts and send an email to openstack-dev, actually.	03:01
lhcheng	ayoung: sure, thanks for raising that concern.	03:01
lhcheng	ayoung: I am trying to write a test to raise a RoleNotFound error when an implied role is created. The creation keep on passing even if the pass a dummy role_id.	03:03
ayoung	lhcheng, really?	03:03
lhcheng	ayoung: this code seems working even if I pass dummy role_ids: https://github.com/openstack/keystone/blob/master/keystone/assignment/role_backends/sql.py#L83	03:03
ayoung	SQL not checking that the role exisits>?	03:03
lhcheng	the foreign_key is not kicking-in	03:03
ayoung	lhcheng, are you running against SQLITe?	03:04
ayoung	I don;t think that enforces the integrity constraints	03:04
ayoung	try against mysql	03:04
lhcheng	yeah, against SQLite	03:04
lhcheng	ayoung: our tests run on SQLite?	03:05
*** browne has joined #openstack-keystone		03:06
ayoung	lhcheng, yeah, I think that is the onlty option thus far	03:06
ayoung	lhcheng, unit tests, not functional.	03:06
ayoung	functional should ruin against MySQL. To run unit tests against them would be prohibitive, I think	03:07
lhcheng	ayoung: if SQLite can't support foreignKey, should I skip the test for checking role existence? or perhaps do a get_role(..), before creating	03:07
*** richm has quit IRC		03:10
*** avarner_ has quit IRC		03:12
*** davechen1 is now known as davechen		03:12
ayoung	lhcheng, not worth coding explicitly for a broken DB. We need functional tests against MySQl...write a	03:13
ayoung	Write that	03:13
*** su_zhang has joined #openstack-keystone		03:16
openstackgerrit	Dave Chen proposed openstack/keystone: Create V9 version of catalog driver interface https://review.openstack.org/269455	03:17
*** davechen has quit IRC		03:17
*** davechen1 has joined #openstack-keystone		03:19
lhcheng	ayoung: agreed	03:21
*** Ephur has quit IRC		03:28
openstackgerrit	Dave Chen proposed openstack/keystone: Create V9 version of catalog driver interface https://review.openstack.org/269455	03:39
*** _cjones_ has joined #openstack-keystone		03:40
*** vivekd has quit IRC		03:42
*** vivekd has joined #openstack-keystone		03:44
*** gyee has quit IRC		03:44
*** EinstCrazy has joined #openstack-keystone		03:44
*** spzala has quit IRC		03:45
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Address comments from Implied Role manager patch https://review.openstack.org/269990	03:45
*** spzala has joined #openstack-keystone		03:45
*** woodster_ has quit IRC		03:46
*** EinstCra_ has quit IRC		03:47
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Address comments from Implied Role manager patch https://review.openstack.org/269990	03:49
*** andreaf has quit IRC		03:50
*** spzala has quit IRC		03:50
*** andreaf has joined #openstack-keystone		03:52
*** dims has quit IRC		03:54
*** dims has joined #openstack-keystone		03:59
*** flwang1 has quit IRC		04:01
gonzalo2kx	exit	04:04
*** gonzalo2kx has quit IRC		04:04
*** spzala has joined #openstack-keystone		04:05
*** links has joined #openstack-keystone		04:06
*** lhcheng has quit IRC		04:07
*** spzala has quit IRC		04:10
*** dims has quit IRC		04:13
*** markvoelker has joined #openstack-keystone		04:14
*** flwang has joined #openstack-keystone		04:14
*** lhcheng has joined #openstack-keystone		04:25
*** ChanServ sets mode: +v lhcheng		04:25
*** lhcheng has quit IRC		04:26
*** lhcheng has joined #openstack-keystone		04:26
*** ChanServ sets mode: +v lhcheng		04:26
*** henrynash has joined #openstack-keystone		04:34
*** ChanServ sets mode: +v henrynash		04:34
*** doug-fish has joined #openstack-keystone		04:42
*** su_zhang has quit IRC		04:43
*** david-lyle has joined #openstack-keystone		04:44
*** doug-fish has quit IRC		04:46
*** doug-fish has joined #openstack-keystone		04:49
*** doug-fish has quit IRC		04:53
*** Nirupama has joined #openstack-keystone		04:55
*** rderose has quit IRC		05:01
*** josecastroleon has quit IRC		05:03
*** oomichi_away has quit IRC		05:04
*** jaosorior has joined #openstack-keystone		05:06
*** spzala has joined #openstack-keystone		05:06
*** su_zhang has joined #openstack-keystone		05:07
*** oomichi has joined #openstack-keystone		05:10
*** spzala has quit IRC		05:11
*** Nirupama has quit IRC		05:16
openstackgerrit	henry-nash proposed openstack/keystone: Allow project domain_id to be nullable at the manager level https://review.openstack.org/264533	05:18
*** vivekd_ has joined #openstack-keystone		05:23
*** vivekd has quit IRC		05:23
*** vivekd_ is now known as vivekd		05:24
openstackgerrit	Dave Chen proposed openstack/keystone: Add schema for OAuth1 consumer API https://review.openstack.org/266791	05:26
stevemar	topol: around?	05:26
*** shoutm has quit IRC		05:30
*** Nirupama has joined #openstack-keystone		05:32
*** vivekd_ has joined #openstack-keystone		05:33
*** vivekd has quit IRC		05:35
*** vivekd_ is now known as vivekd		05:35
*** Nirupama has quit IRC		05:35
*** Nirupama has joined #openstack-keystone		05:36
*** shoutm has joined #openstack-keystone		05:38
*** vgridnev has joined #openstack-keystone		05:44
lhcheng	stevemar: quick question, v2 token works on v3 endpoint right? but not the other way around.	05:44
stevemar	lhcheng: yes and sometimes, if the v3 token has the default domain, then i think it'll work...	05:47
stevemar	jeez, this pip failure could not have come at a worse time -_-	05:48
lhcheng	stevemar: good pointer on reqt on having the default domain! :)	05:48
stevemar	lhcheng: this aint my first rodeo	05:48
lhcheng	stevemar: heh	05:48
lhcheng	stevemar: btw, I've responded on the comments for: https://review.openstack.org/#/c/269990/2/keystone/assignment/role_backends/sql.py	05:49
stevemar	lhcheng: yeah, i saw them	05:49
lhcheng	stevemar: tried to generate the FK error on the tests, but it doens't work :(	05:49
stevemar	lhcheng: in my email, i didn't like the answers :P	05:50
stevemar	lhcheng: hehe	05:50
stevemar	i figured something must have come up that made it hard, you're normally awesome about that	05:50
stevemar	i grumbled a bit	05:50
lhcheng	stevemar: l asked adam about that awhile ago, we'll cover those test in functional tests instead since the FK error doesn't trigger on SQLite.	05:53
lhcheng	or I could be lazy too.. since adam already came up with the response :P	05:53
stevemar	lhcheng: ah it's fine	05:54
lhcheng	stevemar: what does the magic word "recheck pep8 release" do?	05:55
stevemar	lhcheng: nothing	05:56
lhcheng	force job to use linter?	05:56
stevemar	lhcheng: starting anything with "recheck" just kicks off the job again	05:56
lhcheng	lol oh okay, job still fails	05:56
stevemar	recheck $reason	05:56
stevemar	you give a reason so that it's easily searchable in elastic recheck	05:57
stevemar	recheck wtihout a reason makes mriedem upset	05:57
lhcheng	I see. I thought its a "secret code" that stevemar uses to make test pass :)	05:58
lhcheng	gotcha	05:58
stevemar	lhcheng: nope, that's: up up, down down, left right, left right, a b a b select start	05:58
lhcheng	HAH	05:58
*** topol has quit IRC		05:58
stevemar	nooooo i got it wrong!	05:59
stevemar	https://en.wikipedia.org/wiki/Konami_Code	05:59
stevemar	it is: b, a; not a, b, a, b	05:59
stevemar	:(	05:59
lhcheng	oh the cheat also works for Gradius!	06:00
*** vgridnev has quit IRC		06:00
*** tobasco has quit IRC		06:00
lhcheng	oold games	06:00
*** topol_ has joined #openstack-keystone		06:00
stevemar	works on a a lot of konami games :O	06:01
*** roxanaghe has joined #openstack-keystone		06:01
*** tobasco has joined #openstack-keystone		06:02
*** fawadkhaliq has joined #openstack-keystone		06:02
*** spandhe has joined #openstack-keystone		06:03
*** spzala has joined #openstack-keystone		06:07
*** vgridnev has joined #openstack-keystone		06:09
*** vivekd has quit IRC		06:11
*** spzala has quit IRC		06:12
lhcheng	stevemar: I got guilty and spent more time on looking at the foreign key for sqlite.. :P	06:18
lhcheng	stevemar: looking at our code base, we don't expect the constraints to work: https://github.com/openstack/keystone/blob/af399474b2e67b023225a8abffe8933af40c1548/keystone/common/sql/migrate_repo/versions/062_drop_assignment_role_fk.py#L31	06:18
stevemar	lhcheng: lol	06:19
stevemar	well then, that settles it	06:19
lhcheng	stevemar: it can work, but it requires SQLite to be recompiled: http://docs.sqlalchemy.org/en/latest/dialects/sqlite.html#foreign-key-support	06:21
lhcheng	whew! I was worried I would find something that says "it should work"	06:22
lhcheng	lol	06:22
* lhcheng looking for sites to play contra online		06:24
*** spandhe has quit IRC		06:24
lhcheng	stevemar: I'm off, have a good night!	06:27
stevemar	lhcheng: good night sir	06:27
stevemar	lhcheng: have fun playing contra	06:27
lhcheng	:D	06:28
*** lhcheng has quit IRC		06:28
*** roxanaghe has quit IRC		06:32
stevemar	dolphm: notmorgan dstanek ayoung jamielennox marekd henrynash bknudson latest revision of the user survey, i think this is enough questions... https://etherpad.openstack.org/p/keystone-mitaka-user-survey	06:36
*** vgridnev has quit IRC		06:39
davechen1	stevemar: where is the survey sent to?	06:39
*** spandhe has joined #openstack-keystone		06:39
stevemar	davechen1: to 351 different operators!	06:39
*** davechen1 is now known as davechen		06:39
stevemar	davechen: https://www.openstack.org/assets/survey/Public-User-Survey-Report.pdf	06:40
davechen	stevemar: where is those operators come from? :)	06:40
*** jamielennox is now known as jamielennox\|away		06:40
stevemar	davechen: no idea, the openstack foundation sends out the survey	06:40
stevemar	davechen: the link i sent has some info on it, it's the most recent survey i think	06:41
davechen	stevemar: ha, they did this every release cycle.	06:41
stevemar	davechen: i think companies have representatives that they get to answer the questions	06:42
stevemar	omg the gate is finally not barfing :O	06:42
*** fawadk has joined #openstack-keystone		06:43
*** yangyapeng has joined #openstack-keystone		06:43
stevemar	while it was down i lined up all the patches to go in one at a time, so we don't have merge conflicts	06:43
stevemar	i think i'll cry if i wake up and a conflict happens	06:43
davechen	stevemar: good job!!!!	06:43
*** odyssey4me has quit IRC		06:44
*** bradjones has quit IRC		06:45
*** bradjones has joined #openstack-keystone		06:45
*** bradjones has quit IRC		06:45
*** bradjones has joined #openstack-keystone		06:45
*** fawadkhaliq has quit IRC		06:47
*** jasonsb has quit IRC		06:50
*** odyssey4me has joined #openstack-keystone		06:51
*** jasonsb has joined #openstack-keystone		06:52
*** henrynash has quit IRC		06:52
*** gildub has quit IRC		06:52
*** jaosorior has quit IRC		06:54
*** ajayaa has joined #openstack-keystone		06:55
*** jasonsb has quit IRC		06:57
ajayaa	Hi stevemar, Is the gate not behaving nicely?	06:58
stevemar	ajayaa: hasn't been behaving nicely for hours :(	06:58
ajayaa	It seems like a lot of patches are getting -1 from Jenkins.	06:58
ajayaa	okay.	06:58
ajayaa	cool	06:58
davechen	not nicely for couples of days!	06:59
ajayaa	I am looking for something to work on. Is there something I can help with now?	06:59
ajayaa	For Mitaka-2 maybe!	06:59
ajayaa	stevemar ^^	06:59
*** vivekd has joined #openstack-keystone		07:01
ajayaa	As of now just looking at patches in gerrit.	07:01
*** rcernin has joined #openstack-keystone		07:02
*** browne has quit IRC		07:02
*** spzala has joined #openstack-keystone		07:08
*** vgridnev has joined #openstack-keystone		07:09
*** markvoelker has quit IRC		07:11
*** markvoelker has joined #openstack-keystone		07:12
*** spzala has quit IRC		07:12
*** henrynash has joined #openstack-keystone		07:15
*** ChanServ sets mode: +v henrynash		07:15
stevemar	ajayaa: mitaka-2 is due tomorrow/today!	07:16
stevemar	ajayaa: so mitaka-3 :)	07:16
stevemar	ajayaa: any of the bugs here: https://launchpad.net/keystone/+milestone/mitaka-3 would be awesome	07:16
stevemar	ajayaa: or just reviewing the blueprints, good reviewing is always helpful	07:16
stevemar	jamielennox\|away: around... no you're not	07:17
*** markvoelker_ has joined #openstack-keystone		07:18
*** markvoelker has quit IRC		07:20
*** su_zhang has quit IRC		07:20
*** su_zhang has joined #openstack-keystone		07:24
*** shoutm_ has joined #openstack-keystone		07:29
*** shoutm has quit IRC		07:31
ajayaa	henrynash, I am working on https://bugs.launchpad.net/keystone/+bug/1535878. I think I should remove controller.protected decorator in the controller and in the backend fetch rows from assignment table to see if the user has a role on that project.	07:37
openstack	Launchpad bug 1535878 in OpenStack Identity (keystone) "A user with a role on a project should be able to issue a GET /project call" [Medium,Confirmed] - Assigned to Ajaya Agrawal (ajayaa)	07:37
ajayaa	Do you think I am taking a right approach?	07:37
henrynash	ajayaa: i doubt it!	07:37
ajayaa	I need to fetch user info from the context and pass it to the backend.	07:37
ajayaa	okay.	07:38
ajayaa	What would be a right way to tackle this in your opinion?	07:38
henrynash	ajayaa: why can’t we just change the policy file?	07:38
ajayaa	henrynash, That also sounds like a solution. All the access control done by policy file. That's the idea I suppose. Instead of putting it in code everywhere.	07:39
ajayaa	That's the right way to do it.	07:40
ajayaa	Thanks	07:40
henrynash	ajayaa: I was planning on fixing this tomorrow…just been busy today with the release	07:40
ajayaa	okay.	07:40
ajayaa	Can I do it today?	07:40
ajayaa	And you can jsut give a +2	07:40
*** belmoreira has joined #openstack-keystone		07:40
ajayaa	:)	07:40
ajayaa	s/jsut/just	07:41
henrynash	sure	07:41
ajayaa	Thanks!	07:41
*** su_zhang has quit IRC		07:42
*** markvoel_ has joined #openstack-keystone		07:42
*** markvoelker_ has quit IRC		07:43
openstackgerrit	henry-nash proposed openstack/keystone: Allow project domain_id to be nullable at the manager level https://review.openstack.org/264533	07:44
stevemar	henrynash: you're in charge of rechecking if the gate fails again	07:46
henrynash	stevemar: ok!	07:47
henrynash	stevemar: got it, boss	07:47
stevemar	henrynash: i rebased all the patches that were +2/+A'ed into a single chain, so as to reduce merge conflicts... https://review.openstack.org/#/c/256257/	07:47
stevemar	'deprecate write for ldap', all the way down to 'remove kvs backend'	07:48
henrynash	stevemar: ok…what was killing the gate?	07:48
stevemar	just give it a recheck once this latest run fails (they've already failed according to zuul)	07:48
stevemar	henrynash: pip v8.0.0.0 was released	07:48
stevemar	and it caused calamity	07:48
henrynash	stevemar: will do…..oh nice timing	07:48
*** spandhe has quit IRC		07:50
stevemar	henrynash: i'm forgetting, were you at the keystone meeting today?	07:56
stevemar	this day has been a blur	07:56
henrynash	stevemar: yep	07:56
stevemar	marekd: you were missing right?	07:56
marekd	i was, kind of unexpected stuff came out :(	07:57
stevemar	marekd: no big deal, just wanted to tell you that a lot of topics came up, and it might be worth reading the backlog	07:57
stevemar	marekd: if you're interested: https://etherpad.openstack.org/p/keystone-mitaka-user-survey you can add questions there	07:57
marekd	always when I am not at the meeting big things come up :(	07:58
marekd	i've seen the survey.	07:58
marekd	i will read the backlog	07:58
stevemar	marekd: hehe, no big deal, honestly. Nothing really big came up, just lots of little things	07:58
ajayaa	henrynash, A simple addition to the policy file like "or project_id:%(target.project.id)s	08:01
ajayaa	does the job	08:01
ajayaa	That is the rule I should add, I think.	08:01
henrynash	ajayaa: it should do, yes….you should modify the tests in test_v3_protection to check it works too	08:02
ajayaa	got it. Already manually tested. It works.	08:02
ajayaa	We are doing this only in V3 apis, right?	08:02
*** _cjones_ has quit IRC		08:02
*** _cjones_ has joined #openstack-keystone		08:03
henrynash	ajayaa: yes….although Iguess there is no reason not to chnage the regualr polciy file as well, and those tests too	08:03
ajayaa	henrynash, agreed. So I have to change policy.json policy.v3cloudsample.json and unit tests now.	08:05
henrynash	ajayaa: you got it	08:05
ajayaa	Thanks a ton!	08:05
*** spzala has joined #openstack-keystone		08:08
*** _cjones_ has quit IRC		08:10
*** spzala has quit IRC		08:13
*** vivekd_ has joined #openstack-keystone		08:17
*** vivekd has quit IRC		08:19
*** vivekd_ is now known as vivekd		08:19
*** fawadk has quit IRC		08:29
*** shoutm_ has quit IRC		08:33
notmorgan	boo, the supermicro board i have is not compat w/ my case :(	08:39
*** pnavarro has joined #openstack-keystone		08:39
notmorgan	i guess that means no ECC memory for my.	08:39
notmorgan	me*	08:39
* notmorgan packs things up to return.		08:40
notmorgan	on the otherside, the consumer booard has an internet bios flash capability, nifty	08:40
openstackgerrit	Ajaya Agrawal proposed openstack/keystone: Change get_project permission https://review.openstack.org/270057	08:49
*** fawadkhaliq has joined #openstack-keystone		08:51
*** fawadkhaliq has quit IRC		08:56
ajayaa	stevemar, The pycadf validation is also one of the things which is scheduled for mitaka-3. https://bugs.launchpad.net/keystone/+bug/1521844	08:57
openstack	Launchpad bug 1521844 in OpenStack Identity (keystone) "pycadf ID validation fails for multi-domain IDs" [High,Confirmed]	08:57
ajayaa	You have already a patch in https://review.openstack.org/#/c/252182/2	08:57
ajayaa	I think it only needs a bit of polishing. Am I right?	08:58
ajayaa	By that I mean address the review comments.	08:58
ajayaa	Can I pick it up?	08:58
*** fhubik has joined #openstack-keystone		09:01
*** spzala has joined #openstack-keystone		09:11
*** ChanServ sets mode: +v topol_		09:11
*** topol_ is now known as topol		09:11
*** spzala has quit IRC		09:15
*** jistr has joined #openstack-keystone		09:16
*** mhickey has joined #openstack-keystone		09:21
*** fawadkhaliq has joined #openstack-keystone		09:26
*** vgridnev has quit IRC		09:34
*** vgridnev has joined #openstack-keystone		09:37
*** vivekd_ has joined #openstack-keystone		09:52
*** davechen has left #openstack-keystone		09:54
*** vivekd has quit IRC		09:54
*** vivekd_ is now known as vivekd		09:54
*** aix has joined #openstack-keystone		09:56
*** EinstCra_ has joined #openstack-keystone		10:01
*** jaosorior has joined #openstack-keystone		10:02
*** jaosorior has quit IRC		10:04
*** jaosorior has joined #openstack-keystone		10:04
*** EinstCrazy has quit IRC		10:04
*** EinstCra_ has quit IRC		10:06
*** jaosorior_ has joined #openstack-keystone		10:09
*** jaosorior has quit IRC		10:11
*** spzala has joined #openstack-keystone		10:11
*** spzala has quit IRC		10:16
*** e0ne has joined #openstack-keystone		10:25
*** fawadkhaliq has quit IRC		10:26
*** fawadkhaliq has joined #openstack-keystone		10:26
*** links has quit IRC		10:28
openstackgerrit	Grzegorz Grasza (xek) proposed openstack/keystone: POC Online Schema Migration: Add BinaryHex field https://review.openstack.org/269693	10:34
*** jaosorior_ is now known as jaosorior		10:39
amakarov	lbragstad, it looks timezone makes it difficult for us to meet at the same time :)	10:47
*** links has joined #openstack-keystone		10:51
*** jasonsb has joined #openstack-keystone		10:54
*** fhubik is now known as fhubik_brb		10:54
*** markd_ has joined #openstack-keystone		10:57
*** jasonsb has quit IRC		10:59
*** vgridnev has quit IRC		11:01
*** rcernin has quit IRC		11:05
*** links has quit IRC		11:05
*** rcernin has joined #openstack-keystone		11:07
*** yangyapeng has quit IRC		11:11
*** ktychkova has quit IRC		11:11
*** _cjones_ has joined #openstack-keystone		11:11
*** fhubik_brb is now known as fhubik		11:13
*** rcernin is now known as rcernin\|lunch		11:13
*** vgridnev has joined #openstack-keystone		11:15
*** _cjones_ has quit IRC		11:16
*** daemontool has joined #openstack-keystone		11:21
*** EinstCrazy has joined #openstack-keystone		11:31
*** links has joined #openstack-keystone		11:32
*** links has quit IRC		11:38
-openstackstatus- NOTICE: review.openstack.org is being restarted to apply patches		11:42
*** ChanServ changes topic to "review.openstack.org is being restarted to apply patches"		11:42
*** openstackgerrit has quit IRC		11:43
*** openstackgerrit has joined #openstack-keystone		11:44
*** fhubik is now known as fhubik_brb		11:50
*** fhubik_brb is now known as fhubik		11:52
*** ChanServ changes topic to "Mitaka-2 deadline Jan 19th!!! \| MidCycle: https://wiki.openstack.org/wiki/Sprints/KeystoneMitakaSprint \| Mitaka-2: https://launchpad.net/keystone/+milestone/mitaka-2"		11:53
-openstackstatus- NOTICE: Restart done, review.openstack.org is available		11:53
*** vgridnev has quit IRC		11:54
*** vgridnev has joined #openstack-keystone		11:55
*** aix has quit IRC		11:59
*** fawadkhaliq has quit IRC		12:02
*** vgridnev has quit IRC		12:08
*** vgridnev has joined #openstack-keystone		12:10
*** spzala has joined #openstack-keystone		12:13
*** boris-42 has quit IRC		12:13
*** Nirupama has quit IRC		12:16
*** spzala has quit IRC		12:18
samueldmq	dstanek: tjcocozz : lol (on everything as admin) :)	12:20
dstanek	samueldmq: :-)	12:20
htruta	henrynash: just saw what you did at the first patch. It was on my todo list. thanks	12:22
samueldmq	dstanek: henrynash: about the split of test_backend, when do you guys plan to take a look at ?	12:23
samueldmq	midcycle ?	12:23
samueldmq	I am asking because it conflicts with too many patches (on merge conflict right now)	12:24
*** gordc has joined #openstack-keystone		12:25
*** doug-fish has joined #openstack-keystone		12:25
amakarov	samueldmq, I think if you want something done, it's always better to come up with a proposal rather than just a request. Just make it happen and let others whine afterwards if they wish :)	12:27
samueldmq	amakarov: I have the proposal already, that's exactly what I am telling above	12:32
samueldmq	amakarov: what I want to avoid is to waste my time with rebasing it (which conflicts with too many patches) if it isn't a priority review at the moment	12:33
*** aix has joined #openstack-keystone		12:33
amakarov	samueldmq, oh, give a CR link please?	12:33
*** davechen has joined #openstack-keystone		12:33
samueldmq	amakarov: https://review.openstack.org/#/c/268307/	12:33
samueldmq	amakarov: 7 patches starting there	12:34
amakarov	samueldmq, I see. Doesn't look very popular among reviewers...	12:35
samueldmq	amakarov: yes, and I had discussed this before with david and henry, that's why pinging them	12:36
samueldmq	:)	12:36
amakarov	samueldmq, I hope my +1 will help :)	12:37
samueldmq	amakarov: thanks	12:38
*** fhubik is now known as fhubik_brb		12:41
*** vgridnev has quit IRC		12:46
*** dims has joined #openstack-keystone		12:49
*** vgridnev has joined #openstack-keystone		12:55
*** pauloewerton has joined #openstack-keystone		12:59
*** rcernin\|lunch is now known as rcernin		13:07
openstackgerrit	Dave Chen proposed openstack/keystone: Address comments from Implied Role manager patch https://review.openstack.org/269990	13:09
*** henrynash has quit IRC		13:10
*** vgridnev has quit IRC		13:11
*** ktychkova has joined #openstack-keystone		13:13
*** spzala has joined #openstack-keystone		13:14
*** doug-fish has quit IRC		13:14
*** spzala has quit IRC		13:15
*** spzala has joined #openstack-keystone		13:15
*** doug-fish has joined #openstack-keystone		13:16
*** daemontool has quit IRC		13:18
*** belmoreira has quit IRC		13:19
*** vgridnev has joined #openstack-keystone		13:20
*** pumaranikar has joined #openstack-keystone		13:23
*** davechen1 has joined #openstack-keystone		13:23
*** ayoung has quit IRC		13:24
*** davechen has quit IRC		13:25
*** vgridnev has quit IRC		13:31
*** dslev has joined #openstack-keystone		13:34
*** bill_az has joined #openstack-keystone		13:37
*** dslev has quit IRC		13:43
*** haneef_ has joined #openstack-keystone		13:48
*** toddnni_ has joined #openstack-keystone		13:49
*** crinkle_ has joined #openstack-keystone		13:49
*** sshen_ has joined #openstack-keystone		13:50
*** davechen1 has left #openstack-keystone		13:50
*** baffle__ has joined #openstack-keystone		13:51
*** lifeless_ has joined #openstack-keystone		13:51
*** trevorjay has joined #openstack-keystone		13:51
*** gerhardq1x has joined #openstack-keystone		13:51
*** pauloewerton has quit IRC		13:52
*** kfox1111_ has joined #openstack-keystone		13:52
*** vgridnev has joined #openstack-keystone		13:52
*** tellesno` has joined #openstack-keystone		13:54
*** rodrigod` has joined #openstack-keystone		13:54
*** raildo` has joined #openstack-keystone		13:54
*** mc_nair_ has joined #openstack-keystone		13:54
*** raginbaj- has joined #openstack-keystone		13:55
*** electrichead has joined #openstack-keystone		13:55
*** bknudson_ has joined #openstack-keystone		13:55
*** ChanServ sets mode: +v bknudson_		13:55
*** krotscheck_ has joined #openstack-keystone		13:55
*** htruta` has joined #openstack-keystone		13:55
*** bradjones_ has joined #openstack-keystone		13:55
*** hrou_ has joined #openstack-keystone		13:55
*** mnaser_ has joined #openstack-keystone		13:55
*** electrichead is now known as Guest10164		13:55
*** bradjones_ is now known as Guest7791		13:55
*** mkoderer_ has joined #openstack-keystone		13:55
*** notmorgan has quit IRC		13:56
*** sshen has quit IRC		13:56
*** bknudson has quit IRC		13:56
*** zzzeek has quit IRC		13:56
*** d0ugal has quit IRC		13:56
*** toddnni has quit IRC		13:56
*** haneef has quit IRC		13:56
*** mnaser has quit IRC		13:56
*** trevorj has quit IRC		13:56
*** akscram has quit IRC		13:56
*** raginbajin has quit IRC		13:56
*** redrobot has quit IRC		13:56
*** anteaya has quit IRC		13:56
*** x58 has quit IRC		13:56
*** rmstar has quit IRC		13:56
*** kfox1111 has quit IRC		13:56
*** gerhardqux has quit IRC		13:56
*** raildo has quit IRC		13:56
*** htruta has quit IRC		13:56
*** rodrigods has quit IRC		13:56
*** bradjones has quit IRC		13:56
*** mc_nair has quit IRC		13:56
*** mkoderer has quit IRC		13:56
*** dulek has quit IRC		13:56
*** crinkle has quit IRC		13:56
*** clayton has quit IRC		13:56
*** mancdaz has quit IRC		13:56
*** lifeless has quit IRC		13:56
*** hrou has quit IRC		13:56
*** krotscheck has quit IRC		13:56
*** baffle has quit IRC		13:56
*** lars2 has quit IRC		13:56
*** jidar has quit IRC		13:56
*** toddnni_ is now known as toddnni		13:56
*** mnaser_ is now known as mnaser		13:56
*** krotscheck_ is now known as krotscheck		13:56
*** rmstar has joined #openstack-keystone		13:56
*** zzzeek has joined #openstack-keystone		13:56
*** dulek has joined #openstack-keystone		13:56
*** raginbaj- is now known as raginbajin		13:56
*** clayton has joined #openstack-keystone		13:57
*** mc_nair_ is now known as mc_nair		13:57
*** LukeH has joined #openstack-keystone		13:58
*** ninag has joined #openstack-keystone		14:01
*** PsionTheory has joined #openstack-keystone		14:02
*** d0ugal has joined #openstack-keystone		14:02
*** akscram has joined #openstack-keystone		14:03
*** lars2 has joined #openstack-keystone		14:03
*** anteaya has joined #openstack-keystone		14:03
*** raildo` is now known as raildo		14:04
*** x58 has joined #openstack-keystone		14:04
*** jidar has joined #openstack-keystone		14:05
*** notmorgan has joined #openstack-keystone		14:06
*** ChanServ sets mode: +v notmorgan		14:06
openstackgerrit	Grzegorz Grasza (xek) proposed openstack/keystone: POC Online Schema Migration: Add BinaryHex field https://review.openstack.org/269693	14:09
openstackgerrit	Rakesh H S proposed openstack/pycadf: Enable cadf support for Heat https://review.openstack.org/270206	14:11
*** Ephur has joined #openstack-keystone		14:13
raildo	dstanek: ping, I need help with your python knowledge on this patch https://review.openstack.org/#/c/134095/15/keystone/tests/unit/test_sql_upgrade.py, do you have some minutes, sir?	14:19
*** Ephur has quit IRC		14:19
*** pauloewerton has joined #openstack-keystone		14:20
*** LukeH has quit IRC		14:27
*** edmondsw has joined #openstack-keystone		14:33
*** petertr7_away is now known as petertr7		14:40
*** richm has joined #openstack-keystone		14:50
*** su_zhang has joined #openstack-keystone		15:02
*** daemontool has joined #openstack-keystone		15:02
*** avarner_ has joined #openstack-keystone		15:02
*** rodrigod` is now known as rodrigods		15:02
*** josecastroleon has joined #openstack-keystone		15:04
*** jaosorior has quit IRC		15:06
*** petertr7 is now known as petertr7_away		15:06
*** tellesno` is now known as tellesnobrega		15:06
*** daemontool has quit IRC		15:07
*** daemontool has joined #openstack-keystone		15:07
*** jsavak has joined #openstack-keystone		15:08
*** mancdaz has joined #openstack-keystone		15:08
*** tellesnobrega has left #openstack-keystone		15:09
*** rderose has joined #openstack-keystone		15:10
ajayaa	dstanek, since this is one of the priorities for mitaka-3 https://review.openstack.org/#/c/252182/2, I am working on this. Since stevemar has given a -1 workflow on the patch, should I create a different review altogether for this?	15:11
ajayaa	or just slap a new patchset on top of the existing one?	15:12
*** phalmos has joined #openstack-keystone		15:12
*** daemontool has quit IRC		15:13
*** su_zhang has quit IRC		15:13
*** sigmavirus24_awa is now known as sigmavirus24		15:13
*** boris-42 has joined #openstack-keystone		15:16
*** hrou_ has quit IRC		15:19
*** rderose has quit IRC		15:20
*** hrou has joined #openstack-keystone		15:20
*** spandhe has joined #openstack-keystone		15:22
*** spandhe has quit IRC		15:23
*** EinstCrazy has quit IRC		15:24
*** markvoel_ has quit IRC		15:25
*** fhubik_brb is now known as fhubik		15:27
*** rderose has joined #openstack-keystone		15:29
*** tonytan4ever has joined #openstack-keystone		15:32
*** fhubik is now known as fhubik_brb		15:35
*** vgridnev has quit IRC		15:35
*** pushkaru has joined #openstack-keystone		15:40
*** spzala has quit IRC		15:41
*** fhubik_brb is now known as fhubik		15:41
*** spzala has joined #openstack-keystone		15:42
*** ninag has quit IRC		15:43
*** spzala has quit IRC		15:46
*** markvoelker_ has joined #openstack-keystone		15:46
*** avarner_ has quit IRC		15:48
*** jbell8 has joined #openstack-keystone		15:49
*** Guest10164 is now known as redrobot		15:49
*** ninag has joined #openstack-keystone		15:51
*** vivekd has quit IRC		15:53
*** spzala has joined #openstack-keystone		16:01
*** roxanaghe has joined #openstack-keystone		16:01
*** bigjools has quit IRC		16:05
*** bigjools has joined #openstack-keystone		16:07
*** jaosorior has joined #openstack-keystone		16:08
*** roxanaghe has quit IRC		16:09
*** jaosorior has quit IRC		16:11
breton	raildo: ask the question to the channel please. I'd like to try to answer that too.	16:15
raildo	breton: sure, on that file (line 882-886) we made an assert to verify that when the de raise a duplicateEntry, the log error message was called. this tests works on python 2.7 but it is failed on python 3.4, and I don't know why...	16:18
raildo	breton: https://review.openstack.org/#/c/134095/15/keystone/tests/unit/test_sql_upgrade.py	16:18
raildo	"AssertionError: False is not true" on the last assert	16:19
breton	> There was an error when trying to create the unique constraint at the endpoint table: "None". There might be duplicate endpoint entries. Please remove them before upgrading.	16:19
* breton is pulling the patch		16:20
stevemar	ajayaa: thanks for asking in advance, feel free to stomp all over my patch and put up a new one	16:21
stevemar	on top, or separate, doesn't bother me either way	16:22
*** slberger has joined #openstack-keystone		16:22
*** diazjf has joined #openstack-keystone		16:22
*** spandhe has joined #openstack-keystone		16:23
*** rcernin has quit IRC		16:25
breton	Detected a distutils installed project ('argparse') which we cannot uninstall. The metadata provided by distutils does not contain a list of files which have been installed, so pip does not know which files to uninstall.	16:27
* breton sighs		16:27
raildo	breton: it was on that patch?	16:28
breton	raildo: wel, yes, but it's unrelated	16:28
breton	py34 installdeps: -r/home/breton/src/openstack/keystone/test-requirements.txt, nose, .[memcache,mongodb]	16:29
breton	oh, no ldap for py34 yet	16:30
breton	:(	16:30
*** vgridnev has joined #openstack-keystone		16:30
*** slberger has quit IRC		16:31
*** slberger has joined #openstack-keystone		16:34
*** henrynash has joined #openstack-keystone		16:35
*** ChanServ sets mode: +v henrynash		16:35
breton	can't I run a single test with tox -e py34? :(	16:36
lbragstad	amakarov around?	16:37
amakarov	o/	16:38
lbragstad	amakarov have a few minutes for trust questions?	16:38
amakarov	lbragstad, sure, ask away	16:39
*** fawadkhaliq has joined #openstack-keystone		16:39
lbragstad	amakarov ok, what exactly does redelegation mean? Does redelegation mean that if you are the trustor and I am the trustee, you've created a trust with role1 on project1 and allow redelegation	16:40
lbragstad	can i take that trust.id and redelegate role1 on project1 to jorge_munoz ?	16:40
lbragstad	creating a new trust?	16:40
amakarov	that's right	16:40
lbragstad	ok, so creating a trust with a role(s) on a project and a redelgated trust id should never happen, right?	16:41
lbragstad	you should either create a trust with a role and a project, or a redelegated trust id	16:42
amakarov	let's put it this way: you are trusted with role1 and role2 on project1	16:42
*** su_zhang has joined #openstack-keystone		16:43
amakarov	you can redelegate role1 on project1 to jorge_munoz with the reference to initial trust you are redelegating	16:43
amakarov	so you can redelegate the scope not extending that you was delegated	16:44
raildo	breton: I have this problem too :P	16:44
lbragstad	amakarov ah, ok	16:45
amakarov	so a trust always has the scope	16:45
lbragstad	amakarov so, there is a possibility to pass a role.id, project.id, and redelegated_trust_id to create a new trust	16:45
breton	raildo: which one? Running a single test?	16:46
raildo	breton: yes	16:46
lbragstad	if you pass a redelegated_trust_id, and not a role.id or project.id, does the trust api just assume the role.id and project.id from the redelegated_trust?	16:46
amakarov	lbragstad, I'd say everything besides redelegated_trust_id is required	16:46
amakarov	redelegated_trust_id is required in case you are not admin	16:47
breton	raildo: .tox/py34/bin/nosetests keystone.tests.unit.test_sql_upgrade -m test_endpoint_unique_constraint_fails_if_duplicates	16:47
lbragstad	amakarov why is that?	16:47
breton	raildo: but the funny thing is	16:47
breton	raildo: that it won't fail this way	16:47
breton	raildo: the test fails only when run with other tests	16:48
*** fawadkhaliq has quit IRC		16:48
raildo	breton: that what i saw here :P	16:48
*** fawadkhaliq has joined #openstack-keystone		16:48
amakarov	lbragstad, sorry, I'm wrong: redelegated_trust_id is required if you redelegating scope trusted to you	16:49
amakarov	not assigned	16:49
lbragstad	amakarov ok, so an example would be	16:49
amakarov	lbragstad, you can create your own initial trust if you are assigned the scope you want to trust	16:49
lbragstad	you are an admin and you create a trust with role1 and role2 on project1 between the two of us	16:50
amakarov	and if you are trusted this scope, you must reference the trust you are using	16:50
amakarov	ok	16:50
*** fawadkhaliq has quit IRC		16:50
lbragstad	then, in order for me to create a trust between me and jorge_munoz - i have to pass in either role1 or role2, project1 and the redelegated trust id you gave me, right?	16:50
amakarov	right. of course you can trust both roles too	16:51
lbragstad	ok, makes sense	16:51
lbragstad	amakarov ok, so lets say that jorge_munoz wants to redelegate role1 to ayoung on project1	16:54
lbragstad	and - let's say that I don't have actual role assignments on project1 (the only role assignments I have are from the trust you gave me)	16:54
lbragstad	then, in order for jorge_munoz to be able to successfully create a redelegated trust for ayoung, the entire redelegation trust chain needs to be traversed until it gets to you, then it checks to make sure that you actually have role1 on project 1, right?	16:55
amakarov	lbragstad, then he creates trust with role1 to ayoung on project1 and gives a reference to the trust between you and himself	16:56
lbragstad	amakarov yep - is that a valid use case	16:56
lbragstad	?	16:56
lbragstad	where the api needs to traverse the entire trust chain in order to verify that you (the original trustor) has role1 on project1?	16:57
amakarov	traversal is needed to validate trust chain if needed	16:57
lbragstad	amakarov ok cool -	16:57
lbragstad	amakarov I think that is what jorge_munoz is doing here -	16:57
lbragstad	https://review.openstack.org/#/c/269824/4/keystone/trust/controllers.py	16:57
amakarov	lbragstad, that's a matter of consistency	16:57
amakarov	lbragstad, will you be on mid-cycle?	16:58
lbragstad	amakarov yes	16:58
amakarov	I want to sort out this assingment/trust mess	16:59
amakarov	https://review.openstack.org/#/c/189816/	16:59
*** belmoreira has joined #openstack-keystone		16:59
*** browne has joined #openstack-keystone		17:01
lbragstad	amakarov jorge_munoz is getting a bunch of context around trusts built up. Does that spec have to land in order for some of this stuff to get fixed?	17:02
lbragstad	amakarov I sat down with ayoung a couple nights ago and we determined that some of this trust works blocks making fernet the default token provider in keystone	17:03
*** jsavak has quit IRC		17:03
breton	raildo: at the moment when _LE() is called, it is not yet mocked	17:03
*** jsavak has joined #openstack-keystone		17:03
*** jistr has quit IRC		17:04
amakarov	lbragstad, I'm looking forward to discuss the situation	17:04
*** lhcheng has joined #openstack-keystone		17:04
*** ChanServ sets mode: +v lhcheng		17:04
raildo	breton: we tried follow this code https://github.com/openstack/keystone/blob/da3cd2dc4deed0093662e5ce098d8c022f654bc2/keystone/tests/unit/backend/domain_config/core.py#L493	17:04
*** avarner_ has joined #openstack-keystone		17:05
breton	if I move `from keystone.i18n import _LE` inside upgrade(), it works	17:05
*** timcline has joined #openstack-keystone		17:05
amakarov	lbragstad, right now I'm preparing a chain of patches that can at least be a demo for unified delegation. Can you give me a link to the problem you a talking about?	17:05
lbragstad	amakarov I want to get fernet to be the default this cycle	17:05
*** gyee has joined #openstack-keystone		17:06
*** ChanServ sets mode: +v gyee		17:06
raildo	breton: hum... interesting	17:06
lbragstad	amakarov and that is dependent on merging the uuid/fernet code paths, consolidating testing, and some other refactors that include trusts	17:06
amakarov	lbragstad, an that impersonation issue is all that blocks fernet?	17:06
lbragstad	amakarov it's one of them	17:06
breton	wait	17:08
breton	lbragstad: I thought I fixed that	17:08
lbragstad	breton fixed what exactly?	17:08
breton	an issue with impersonation in fernet	17:08
* breton is not sure if it's the bug you're talking about		17:08
amakarov	lbragstad, btw, can we add delegation_id to the token in the future? It will boost the validation speed	17:08
breton	lbragstad: is there a bugreport?	17:09
lbragstad	breton jorge_munoz and i were working on consolidating a bunch of the auth behavior tests - https://review.openstack.org/#/q/topic:265931	17:10
lbragstad	so that we can ensure we have consistent behavior when we switch from uuid to fernet	17:10
lbragstad	and it exposed a trust + fernet bug	17:10
lbragstad	https://review.openstack.org/#/c/265455/	17:10
lbragstad	and in the process, we've been trying to consolidate the behaviors of the trust stuff so that we can have all the auth behaviors running successfully with fernet	17:11
lbragstad	which is something that we've also touched on with https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:consolidate-fernet-provider because it makes both uuid and fernet use similar code paths	17:12
breton	I fixed a problem related to trusts already in https://review.openstack.org/#/c/257478/	17:13
*** e0ne has quit IRC		17:13
breton	(maybe I broke something with it, haven't looked at your patch good enough yet)	17:14
lbragstad	breton they might be unrelated	17:16
*** dims has quit IRC		17:16
lbragstad	regardless - jorge_munoz was the one doing a bunch of the testing refactor - which uncovered a bunch of questions around trust redelgation behavior - which has led us to his patch here https://review.openstack.org/#/c/269824	17:17
*** _cjones_ has joined #openstack-keystone		17:17
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities https://review.openstack.org/262045	17:18
nkinder	stevemar: why isn't 8.0.1 mentioned in the timeline or available for source download here? https://launchpad.net/keystone/liberty/	17:18
stevemar	nkinder: we do things a bit differently now	17:19
stevemar	nkinder: you want the tarballs?	17:19
stevemar	http://docs.openstack.org/releases/	17:19
stevemar	http://docs.openstack.org/releases/releases/mitaka.html#mitaka-keystone	17:19
stevemar	http://docs.openstack.org/releases/releases/liberty.html#liberty-keystone	17:20
nkinder	stevemar: ok, thanks. Looks like I have some tooling to update that expected the old locations.	17:20
stevemar	nkinder: you could bug dhellmann about it in #openstack-release	17:21
stevemar	but this release has definitely changed things up	17:22
openstackgerrit	Ron De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities https://review.openstack.org/262045	17:24
*** vgridnev has quit IRC		17:25
*** tonytan4ever has quit IRC		17:25
*** chris_19 has joined #openstack-keystone		17:26
*** dims has joined #openstack-keystone		17:26
chris_19	In the keystone log, what's the number that comes between the time and the log level?	17:27
stevemar	chris_19: example?	17:27
chris_19	2016-01-20 00:38:13.743 22289 INFO	17:27
amakarov	stevemar, hi! One colleague just asked me about adding an API call for self-testing. What do you think about the idea?	17:27
amakarov	stevemar, is it worthy to add it to etherpad for midcycle discussion?	17:28
stevemar	amakarov: self-testing? can you explain a bit more what that means?	17:29
amakarov	stevemar, curl /v3/self_test	17:30
amakarov	a call that checks health of runnig instance	17:30
amakarov	for ex. if database is available as given in config	17:30
amakarov	or memcaches are up	17:31
amakarov	rabbit is available	17:31
amakarov	stevemar, may be it's more a question to the oslo team...	17:32
stevemar	amakarov: my argument to that is, any API call will by default check if the database and rabbit is up :P	17:32
stevemar	amakarov: potentially, yes, or cross-project	17:32
stevemar	it's a good idea	17:32
stevemar	like diagnosing the health of a system	17:32
gyee	stevemar, https://bugs.launchpad.net/python-openstackclient/+bug/1536278	17:33
openstack	Launchpad bug 1536278 in python-openstackclient "domain scoped token is broken in openstackclient " [Undecided,New]	17:33
gyee	what is os_client_config part of?	17:33
amakarov	stevemar, right - it may ease a life of dev-ops a bit	17:33
gyee	mordred, https://bugs.launchpad.net/python-openstackclient/+bug/1536278	17:33
stevemar	gyee: it's just a separate library, not a part of any project	17:33
*** daemontool has joined #openstack-keystone		17:34
stevemar	i think it's under the osc umbrella	17:34
gyee	stevemar, do we need to move that bug?	17:34
stevemar	gyee: haven't looked at it yet, busy with mitaka-2	17:34
gyee	domain scoped token is broken right now	17:34
mordred	what's the probelm?	17:34
mordred	I pushed up a patch for it	17:35
gyee	mordred, it broken domain-scoped token	17:35
mordred	oh.	17:35
mordred	zomg	17:35
mordred	so - there is aNOTHER bug for this	17:35
mordred	we removed this from the osc bug list yesterday	17:35
mordred	https://review.openstack.org/#/c/269704/	17:35
mordred	this fixes it	17:35
stevemar	https://review.openstack.org/#/c/269704/	17:35
stevemar	heyooo	17:35
gyee	nice!	17:36
stevemar	gyee: can you test that out and see if it resolves your issue?	17:36
gyee	stevemar, most def'ly	17:36
stevemar	mordred: so that's the bit that does the scoping?	17:37
stevemar	mordred: we need one more scope case, where the scope can be a trust ID	17:37
mordred	stevemar: I do not believe there is any support in occ for anything related to trusts at all	17:38
stevemar	mordred: the one hitch in trusts is that the "scope" is a trust ID, not a project or domain	17:38
stevemar	mordred: if you point me to the right lines to change, i'll happily put up a patch	17:38
*** su_zhang has quit IRC		17:38
gyee	stevemar, so we can mark the bug as dup then?	17:39
mordred	stevemar: I'm not sure I know the right lines to change - as I'm not sure I understand the workflow with trusts	17:40
mordred	stevemar: do you provide neither a domain-id nor a project-id as part of your auth rcredentials to ksa?	17:40
*** belmoreira has quit IRC		17:43
chris_19	So in the following log entry, is "22286" like a PID or something that can be tracked along other entries?	17:44
chris_19	2016-01-20 00:38:10.405 22286 WARNING keystone.middleware.custom [req-0fb390f2-59de-451e-a4bc-1907d9e82e90 - - - - -] Bypassing the request to keystone	17:44
*** daemontool has quit IRC		17:44
stevemar	mordred: correct, you provide neither or those, instead you provide a third, a trust_id	17:44
stevemar	mordred: looks like: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-trust-ext.html#consuming-a-trust	17:45
mordred	stevemar: SO - as long as the ksa password plugin groks trust id params, it should just work	17:45
gyee	mordred, stevemar, that patch works!	17:45
mordred	stevemar: the problem with occ in this case is that we were doing incomplete magic with inferring project_domain_name from domain_name	17:46
gyee	mordred, what's the release for os_client_config like?	17:46
mordred	which conflicts with how domain-scoped trusts in osc	17:46
mordred	gyee: we just need to land that patch, then we can cut a release easy peasy	17:46
gyee	mordred, cool, thanks!	17:46
stevemar	gyee: yay	17:46
*** ayoung has joined #openstack-keystone		17:47
*** ChanServ sets mode: +v ayoung		17:47
stevemar	gyee: you can turn the fire alarms off now	17:47
gyee	stevemar, hah	17:47
*** spzala has quit IRC		17:48
*** rderose has quit IRC		17:48
*** spzala has joined #openstack-keystone		17:49
*** spzala has quit IRC		17:53
*** vgridnev has joined #openstack-keystone		17:54
*** avarner_ has quit IRC		17:55
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Address comments from Implied Role manager patch https://review.openstack.org/269990	17:55
*** jsavak has quit IRC		18:00
*** jsavak has joined #openstack-keystone		18:01
*** tonytan4ever has joined #openstack-keystone		18:01
*** crinkle_ is now known as crinkle		18:04
*** browne has quit IRC		18:05
dstanek	i forgot to startup textual this morning :-) i was wondering why it was so quiet	18:08
dstanek	do we have an etherpad/gis/etc with the most important things to review?	18:08
gyee	dstanek, M3 you mean, M2 was yesterday	18:11
*** lifeless_ is now known as lifeless		18:12
*** markd_ has quit IRC		18:12
dstanek	gyee: yep, i currently have dozens of reviews on my list and no real way to prioritize them	18:12
*** avarner_ has joined #openstack-keystone		18:13
ayoung	henrynash, so...I get what you were doing, and why your version of the expand implied roles was so different from mine. I think you were thinking ahead to DSR, too. The questION: If a role is both direct and indirect, do we really need this info in the token?	18:13
*** jsavak has quit IRC		18:13
ayoung	And, if a role is indirect from multiple priors, do we really need them all? My suspicion is that we should err on the side of terseness in the token: keep them small	18:14
*** jsavak has joined #openstack-keystone		18:14
*** diazjf has quit IRC		18:14
*** xek_ has joined #openstack-keystone		18:14
openstackgerrit	Andreas Jaeger proposed openstack/keystoneauth: Remove argparse from requirements https://review.openstack.org/270370	18:16
gyee	ayoung, what do you mean "indirect", isn't that implied roles about?	18:17
*** kfox1111 has joined #openstack-keystone		18:17
*** henrynash_ has joined #openstack-keystone		18:17
*** ChanServ sets mode: +v henrynash_		18:17
*** kragniz_ has joined #openstack-keystone		18:17
*** e0ne has joined #openstack-keystone		18:18
*** wasmum- has joined #openstack-keystone		18:19
ayoung	gyee, yeah. The question is how much info to provide inthe token	18:19
*** chris_19 has left #openstack-keystone		18:19
ayoung	if a role is implied, and implied from multiple priors, do we really need to tlee that to the end application?	18:19
ayoung	I think the rule of thumb to go by here is only provider information that we want people to act upon	18:20
*** su_zhang has joined #openstack-keystone		18:20
openstackgerrit	Andreas Jaeger proposed openstack/python-keystoneclient: Remove argparse from requirements https://review.openstack.org/270386	18:20
ayoung	so, while a user should be able to say "how did I get this role" it does not need to be in the token	18:20
*** a2hill has joined #openstack-keystone		18:21
gyee	ayoung, we need to entire chain in the token	18:21
gyee	otherwise, implied role itself is useless	18:21
*** diazjf has joined #openstack-keystone		18:21
*** clayton_ has joined #openstack-keystone		18:21
*** errr_ has joined #openstack-keystone		18:21
ayoung	gyee, it is not useless, but youobviosuly have a need for the other info...what is it?	18:21
*** henrynash has quit IRC		18:22
*** clayton has quit IRC		18:22
*** kfox1111_ has quit IRC		18:22
*** med_ has quit IRC		18:22
*** amakarov has quit IRC		18:22
*** arif-ali has quit IRC		18:22
*** xek has quit IRC		18:22
*** wasmum has quit IRC		18:22
*** sudorandom has quit IRC		18:22
*** ptoohill has quit IRC		18:22
*** kragniz has quit IRC		18:22
*** errr has quit IRC		18:22
*** henrynash_ is now known as henrynash		18:22
gyee	everyone still there? connections just drop like flies	18:22
*** clayton_ is now known as clayton		18:22
*** gyee has quit IRC		18:22
*** clayton has quit IRC		18:22
*** gyee has joined #openstack-keystone		18:23
*** ChanServ sets mode: +v gyee		18:23
*** med_ has joined #openstack-keystone		18:23
*** med_ is now known as Guest65103		18:23
ayoung	gyee, still here	18:23
*** clayton has joined #openstack-keystone		18:23
gyee	ayoung, say, A implies B	18:23
*** arif-ali has joined #openstack-keystone		18:23
gyee	and my policy teeing off on B	18:23
*** mhickey has quit IRC		18:23
ayoung	gyee, why do we need the entier chain in the token? Why not enforce RBAC on the roles, regardless of implied or not?	18:23
gyee	ayoung, say A implies B	18:24
gyee	I have a policy that permits B	18:24
gyee	that policy doesn't know anything about A yet	18:24
ayoung	right	18:24
*** sudorandom has joined #openstack-keystone		18:24
gyee	if B is not in the token, I don't have access	18:24
ayoung	correct	18:25
gyee	so both A and B needs to be in the token	18:25
ayoung	gyee, why Does A need to be in there?	18:25
ayoung	And, why does the token need to say "A implies B"	18:25
ayoung	if the roels weree just ['A','B'] RBAC would proceed as it does now	18:26
gyee	token just need to contain all the aggregates	18:26
gyee	a list of roles the user have	18:26
ayoung	gyee, token needs only those roles that are appropriate for the requested operation. In the future I want someone that has both A nand B to create a a token with just B to limit exposure	18:26
gyee	ayoung, that's your limited scoped BP?	18:28
ayoung	gyee, does that make sense? I think what you were saying is "don't drop A if I am going to do something that needs A'	18:28
ayoung	gyee, yes it is that BP	18:28
*** amakarov has joined #openstack-keystone		18:28
ayoung	https://review.openstack.org/#/c/186979/ gyee that one	18:28
ayoung	gyee, I wonder if even having the prior role indicated in the token is giving away too much information.	18:29
ayoung	gyee, and...I don't see it in the specs yet, either.	18:29
gyee	ayoung, if I understand you correctly, say we have A -> B, you want to ability to include A but excludes B?	18:29
ayoung	gyee, not really. I was saying the other way around	18:30
ayoung	If a-> b I want to have a token with just B and not A...that is the more common	18:30
gyee	yes, that's how it works today right?	18:31
gyee	we only walk down the chain	18:31
ayoung	gyee, todoay you get everything, everytime	18:31
ayoung	you ask for a token with all the roles you are assigned on the project	18:31
gyee	say a->b->c, if you are assigned b, you'll only get b and c	18:31
ayoung	right, that is what works today	18:32
ayoung	as of last night, I assume...did it merge?	18:32
ayoung	https://review.openstack.org/#/c/264260/	18:32
ayoung	merged . w00t!	18:32
gyee	right, lhcheng's followon patch to address the nits	18:33
lhcheng	added some more tests too	18:34
lhcheng	ayoung: when you get the chance: https://review.openstack.org/#/c/269990/	18:34
gyee	lhcheng, can you please change that debug log to error?	18:34
*** sudorandom has quit IRC		18:35
lhcheng	gyee: thought I included that, sure I'll add it.	18:35
gyee	lhcheng, thanks!	18:36
ayoung	lhcheng, I just wrote this https://bugs.launchpad.net/keystone/+bug/1536321	18:36
openstack	Launchpad bug 1536321 in OpenStack Identity (keystone) "cyclic dependencies in implied roles" [Undecided,New]	18:36
ayoung	that is the most important thing to fix. But We kindof need henrynash here to figure out how to fix it	18:36
*** ayoung has quit IRC		18:37
openstackgerrit	Jorge Munoz proposed openstack/keystone: Fix trust redelegation and associated test https://review.openstack.org/269824	18:37
*** ayoung has joined #openstack-keystone		18:37
*** sudorandom has joined #openstack-keystone		18:37
*** ChanServ sets mode: +v ayoung		18:37
henrynash	ayoung: will look at it shortly	18:38
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Address comments from Implied Role manager patch https://review.openstack.org/269990	18:40
ayoung	henrynash, short version. Can we drop "indirect" : {"role_id":"ABCD"} from the role entry in the token?	18:40
ayoung	henrynash, I'm mostly concerned about keeping the token small.	18:41
henrynash	ayoung: that doesn’t go in the tokwn anyway	18:41
henrynash	ayoung: that’s just for the result of list_role_assignments API	18:41
henrynash	ayoung: internally when we call teh manager list_role_assignments() method for token creation, we just extract the role_id’s form the list	18:42
lhcheng	henrynash: let me know if you want help on tacking the cyclic issue on implied roles	18:42
lhcheng	tacking/tackling	18:43
henrynash	ayoung: see: get_roles_for_user_and_project() in assignment/core.py, which is actually what our token building calls	18:43
henrynash	lhcheng: thx!	18:44
*** jasonsb has joined #openstack-keystone		18:46
henrynash	ayoung: and do you think we should prevent circular implied roles when they are created, or evaluated, or both?	18:47
*** fhubik has quit IRC		18:48
*** sudorandom has quit IRC		18:48
*** sudorandom has joined #openstack-keystone		18:48
bknudson_	stevemar: you didn't get your bonus for landing that feature?	18:49
*** pnavarro has quit IRC		18:49
ayoung	henrynash, AH.	18:49
ayoung	henrynash, ok...so, I think we need to tweak tyhat API slightly	18:49
*** doug-fish has quit IRC		18:49
ayoung	what if...	18:50
ayoung	we collect up all of the indirect roles into a single role	18:50
ayoung	and add a qway to indicate , outside of that, that a role is direct , too	18:50
ayoung	so we have	18:50
*** jasonsb has quit IRC		18:51
ayoung	henrynash, I'll code it up and paste it, one sec	18:52
henrynash	ayoung: (as an aside, I’m not sure the rights or wrongs of that API help us solve the circular dependency issue….but I’ll hold fire!)	18:52
ayoung	henrynash, this will help...that is what I am trying toslve, but I don't want to break this part while I solve it	18:53
henrynash	ayoung: remember we use the indrirect{} construct for group membership and inheritence already for how we shold where you got your effective roles from	18:53
*** browne has joined #openstack-keystone		18:53
ayoung	henrynash, right...but what if something is both direct and indirect?	18:53
henrynash	(for how we show where….)	18:53
*** doug-fish has joined #openstack-keystone		18:53
ayoung	we should not have a separate entry in the role list for both, just a way of showing it	18:54
ayoung	like	18:54
* ayoung types in paste...		18:54
*** flaper87 has quit IRC		18:54
*** flaper87 has joined #openstack-keystone		18:54
henrynash	ayoung: then you see two entries in the response to list_role_assignments() - at least I think you do….	18:54
ayoung	henrynash, that is what we have prior to the last commit... http://git.openstack.org/cgit/openstack/keystone-specs/tree/api/v3/identity-api-v3.rst#n6383	18:54
ayoung	henrynash, OK...so if we have multiple in the list, then when we make the token, we just have to deduplicate...	18:54
ayoung	I think I am IOK with that...OK...I got this	18:55
ayoung	I was going to do	18:55
henrynash	ayoung: and we do that already…see: get_roles_for_user_and_project()	18:55
openstackgerrit	Tom Cocozzello proposed openstack/python-keystoneclient: set up incude names for list role assignments https://review.openstack.org/255392	18:55
ayoung	role: indirect{[r1, r2]} but if it is just in the list, then yeah, lets leave them separate	18:55
ayoung	then the token only gets the single value.	18:56
*** mc_nair has quit IRC		18:57
*** mc_nair has joined #openstack-keystone		18:57
*** edmondsw has quit IRC		18:57
*** edmondsw has joined #openstack-keystone		18:57
*** boris-42 has quit IRC		18:57
*** boris-42 has joined #openstack-keystone		18:57
*** hrou has quit IRC		18:57
*** hrou has joined #openstack-keystone		18:57
*** ninag has quit IRC		18:57
*** ninag has joined #openstack-keystone		18:57
*** spandhe has quit IRC		18:58
*** spandhe has joined #openstack-keystone		18:58
*** doug-fish has quit IRC		18:58
ayoung	henrynash, gyee we're good. I'll post a fix to the cycles later on today or early tomorrow, as well as an updated implied roles patch.	18:58
*** avarner_ has quit IRC		18:58
*** avarner_ has joined #openstack-keystone		18:58
*** sudorandom has quit IRC		18:59
*** wasmum- has quit IRC		18:59
*** wasmum- has joined #openstack-keystone		18:59
*** ayoung has quit IRC		18:59
*** ayoung has joined #openstack-keystone		18:59
*** weber.freenode.net sets mode: +v ayoung		18:59
*** ninag has quit IRC		19:00
*** browne has quit IRC		19:01
*** ninag has joined #openstack-keystone		19:02
*** browne has joined #openstack-keystone		19:02
*** ninag_ has joined #openstack-keystone		19:03
*** woodster_ has joined #openstack-keystone		19:03
*** ninag has quit IRC		19:07
*** spzala has joined #openstack-keystone		19:07
*** ninag_ has quit IRC		19:08
*** RichardRaseley has joined #openstack-keystone		19:08
*** ninag has joined #openstack-keystone		19:08
*** ninag has quit IRC		19:08
RichardRaseley	What is the best way to gracefully close a `keystoneclient.v3.Client` object?	19:09
*** doug-fish has joined #openstack-keystone		19:09
*** doug-fis_ has joined #openstack-keystone		19:10
RichardRaseley	I was looking for something like keystone.v3.Client.disconnect, or somesuch.	19:10
*** doug-fish has quit IRC		19:14
gyee	ayoung, ack	19:16
*** aix has quit IRC		19:16
openstackgerrit	henry-nash proposed openstack/keystone: Change project unique constraint https://review.openstack.org/158372	19:20
openstackgerrit	henry-nash proposed openstack/keystone: Change project unique constraint https://review.openstack.org/158372	19:24
*** tonytan4ever has quit IRC		19:30
*** diazjf has quit IRC		19:35
stevemar	bknudson_: bone-us? i'm not familiar with that term	19:36
notmorgan	stevemar: will be looking at the followup stuff, but feeling icky atm, just finished @ the dentist	19:42
lbragstad	xek_ I think this is looking pretty good, I only gave a +1 because I had a couple outstanding questions - https://review.openstack.org/#/c/265252/3	19:42
notmorgan	stevemar: so might be slow to get the stuff rollex up	19:42
lbragstad	xek_ I'd be have to upgrade that to a +2 though	19:42
stevemar	notmorgan: that's fine	19:45
stevemar	bknudson_: thoughts on that ksm bug?	19:45
stevemar	http://lists.openstack.org/pipermail/openstack-dev/2016-January/084496.html	19:46
*** diazjf has joined #openstack-keystone		19:47
*** timothy_symanczy has joined #openstack-keystone		19:49
notmorgan	xek_: I want to apologize for being hard on the binary uuid column	19:49
notmorgan	xek_: but there are other places that could use love before we muck with datatypes for speculative/small wins	19:50
*** timothy_symanczy is now known as tsymanczyk		19:50
notmorgan	stevemar: which ksm bug?	19:50
stevemar	notmorgan: the one in ML 3 lines up	19:50
stevemar	no bug yet, sorry, just reported regression	19:51
notmorgan	...	19:51
notmorgan	ahh	19:51
notmorgan	ok	19:51
ajayaa	stevemar, looks like we need to return hex value of a UUID object, not the UUID object.	19:51
notmorgan	because i was triaging bugs	19:51
notmorgan	and was surprised a new bug showed up in the last few hours	19:51
ajayaa	btw, I am referring to https://review.openstack.org/#/c/252182/	19:52
stevemar	ajayaa: i think you're right	19:52
stevemar	notmorgan: i think https://github.com/openstack/keystonemiddleware/commit/f27d7f776e8556d976f75d07c99373455106de52 may be the issue?	19:52
notmorgan	yep.	19:52
notmorgan	which btw, that was not really doing anything useful	19:52
stevemar	jamielennox\|away: not around yet?	19:52
notmorgan	i can speak to that a lot	19:53
notmorgan	it basically produced broken behavior	19:53
stevemar	notmorgan: yeah, but now we have no caching :(	19:53
notmorgan	so lets turn on memcache for devstack	19:53
notmorgan	and do it right vs. wrong	19:53
notmorgan	in-memory cache would actually [and likey has] procduced transient failures in the gate	19:54
notmorgan	because each process has it's own unbounded cache	19:54
notmorgan	i'm happy to roll up a change to get ksm stashing tokens in memcache in devstack today	19:54
notmorgan	as the "correct" fix	19:54
notmorgan	but basically you can query <api> and get different validation responses because sometimes it's cached, sometimes not	19:54
stevemar	notmorgan: if you can do it in a day, go ahead	19:55
notmorgan	based on what process you hit	19:55
notmorgan	yeah i can probably have it rolled up in a couple hours	19:55
notmorgan	it's not a big change, we already have memcache enable possible, so we just need to add a new ksm directive for each service	19:55
notmorgan	in the config	19:55
notmorgan	and it likely will be a bigger speedup because all services will share the validation cache	19:55
notmorgan	let me respond to that thread.	19:56
notmorgan	and i'll spin up the devstack change	19:56
stevemar	++	19:56
*** pushkaru has quit IRC		19:58
notmorgan	just responded to the ML	20:00
stevemar	ajayaa: commented	20:02
*** spzala has quit IRC		20:04
*** su_zhang has quit IRC		20:04
*** spzala has joined #openstack-keystone		20:05
*** spzala_ has joined #openstack-keystone		20:06
*** ninag has joined #openstack-keystone		20:07
bknudson_	stevemar: I was wondering if the change to use audit_ids wouldn't also slow things down.	20:07
notmorgan	bknudson_: it will.	20:07
bknudson_	because now keystone has to fetch the extra fields	20:07
bknudson_	and this was an issue for a while	20:08
notmorgan	bknudson_: but that should be minima	20:08
notmorgan	l	20:08
notmorgan	bknudson_: comparitive to the no-caching on the service side	20:08
bknudson_	so a bit of follow-on work is to put the audit IDs into a field in the table so we don't need the whole blob	20:08
bknudson_	another bit of work is to get auth_token using oslo.cache...	20:09
bknudson_	I wouldn't have a problem with reverting the no-caching change and find another way to get that done	20:09
*** spzala has quit IRC		20:09
*** spzala has joined #openstack-keystone		20:10
*** spzala_ has quit IRC		20:11
bknudson_	were they ever able to show that reverting that change helped?	20:12
stevemar	ayoung: can you undo your +A on https://review.openstack.org/#/c/269990/ - just for a day	20:12
notmorgan	bknudson_: there is a patch to use oslo.cache, needs review	20:12
notmorgan	bknudson_: it's on my list for today/tomorrow	20:12
stevemar	ayoung: it conflicts with some of the stuff that is gating and i would like to get those in conflict free	20:13
notmorgan	bknudson_: the audit_ids moved to a proper column makes sense.	20:13
ayoung	stevemar, will do	20:13
ayoung	stevemar, is that sufficient?	20:14
bknudson_	notmorgan: do you think it should be a string column with audit1, audit2 ; or separate columns so that it's searchable? I haven't thought about it much yet.	20:14
*** spzala has quit IRC		20:14
notmorgan	bknudson_: i don't think we need to search on audit_id	20:14
notmorgan	bknudson_: tbh	20:14
notmorgan	bknudson_: but i'd be ok with it either way. the overhead of 2 columns vs 1 is minimal	20:15
notmorgan	future proofing says "might be nice to break it into two columns"	20:15
notmorgan	now, remember in fernet world... it doesn't matter	20:15
notmorgan	so we still need the logic to handle the array packed.	20:15
bknudson_	I'll try 2 columns. y, for future proofing.	20:15
stevemar	ayoung: i think so, i'll approve it when it's all in, or you can, whatever	20:16
notmorgan	and hopefully uuid tokens become a think of the past/compat-but-not-used-in-production	20:16
notmorgan	bknudson_: so, shrug	20:16
ayoung	stevemar, its all good. We have a bit of work to do on implied roles, but I think I know how to make it all happen now....try to at least get the updated patches in the next day or so	20:16
*** sudorandom has joined #openstack-keystone		20:18
*** sudorandom has quit IRC		20:28
*** jsavak has quit IRC		20:33
*** diazjf1 has joined #openstack-keystone		20:35
*** jsavak has joined #openstack-keystone		20:35
*** diazjf has quit IRC		20:37
*** sudorandom has joined #openstack-keystone		20:42
*** boris-42 has quit IRC		20:43
*** bknudson_ has quit IRC		20:46
*** bknudson has joined #openstack-keystone		20:47
*** ChanServ sets mode: +v bknudson		20:47
*** timcline has quit IRC		20:51
*** timcline has joined #openstack-keystone		20:52
*** sudorandom has quit IRC		20:53
*** timcline has quit IRC		20:56
*** tonytan4ever has joined #openstack-keystone		20:57
*** timcline has joined #openstack-keystone		20:58
*** spandhe has quit IRC		20:59
*** jsavak has quit IRC		21:01
*** spandhe has joined #openstack-keystone		21:03
*** jsavak has joined #openstack-keystone		21:05
*** ninag has quit IRC		21:06
lbragstad	dolphm since you and rderose are familiar with this - just curious if you've reviewed it yet https://review.openstack.org/#/c/251455/8/keystone/common/sql/core.py	21:07
*** raildo is now known as raildo-afk		21:14
*** pauloewerton has quit IRC		21:15
RichardRaseley	What is the best way to gracefully close a `keystoneclient.v3.Client` object?	21:17
RichardRaseley	I was looking for something like keystone.v3.Client.disconnect, or somesuch.	21:17
dolphm	lbragstad: i haven't reviewed anything related to hierarchical multitenancy in a long time :-/	21:17
dolphm	RichardRaseley: clients don't maintain connections - there's nothing to worry about closing :)	21:17
RichardRaseley	dolphm: OK, good to know. Just trying to be good and clean up my mess. =]	21:18
dolphm	RichardRaseley: at least, keystoneclient doesn't. i imagine glance or swift could?	21:18
dolphm	RichardRaseley: ++	21:18
bknudson	the session might keep the connection open if the server supports it	21:18
dolphm	lbragstad: there's also no spec for the associated blueprint	21:18
bknudson	RichardRaseley: you can close a requests session ; http://docs.python-requests.org/en/latest/api/#requests.Session.close	21:19
*** diazjf1 has quit IRC		21:19
RichardRaseley	bknudson: That is Python requests, right? I am not directly using that library...	21:20
lbragstad	dolphm yeah, I noticed that	21:20
dolphm	!	21:20
bknudson	RichardRaseley: keystoneauth / keystoneclient sessions are built on requests session, so if you were using that interface you could close it... not sure that you can close if you're not using a session	21:20
bknudson	btw - not using a session is deprecated.	21:21
RichardRaseley	bknudson: I am using Keystone sessions, but I didn't realize that was related to Python Requests. Thank you.	21:21
notmorgan	RichardRaseley: :)	21:21
*** diazjf has joined #openstack-keystone		21:22
notmorgan	RichardRaseley: the keystone session can almost [should actually be able to] be used interchangably with requests	21:22
bknudson	I've got to admit I've never heard of anyone closing the session.	21:22
notmorgan	RichardRaseley: with a little work.	21:22
notmorgan	bknudson: depends on how long runing things are.	21:22
bknudson	we did get a complaint that servers weren't shutting down because auth_token held the connections open.	21:22
notmorgan	bknudson: yeah that is a slightly different issue	21:23
notmorgan	but somewhat related...	21:23
bknudson	but that was a bug in the servers... they should shut down.	21:23
notmorgan	yep	21:23
dolphm	lbragstad: dstanek: p.s. tested rderose's patch on top of the live migration one and it passes	21:23
RichardRaseley	I also have a question around error handling. I have my keystone client wrapped in a try / except block (e.g. 'ks_client = keystone.v3.Client(session=s)`). Do I also have to wrap operations against that in their own try / except block? (e.g around ks_client.roles.list() )?	21:23
bknudson	exceptions can happen at any time.	21:23
dstanek	dolphm: does that mean the live migration patch is broken?	21:24
*** ayoung has quit IRC		21:24
*** Ephur has joined #openstack-keystone		21:24
dstanek	dolphm: oh wait, we never delete the old users table do we?	21:24
RichardRaseley	Sure, but I didn't know if those exceptions would be caught as part of the block around ks_client or if each operation would need its own try / except block	21:24
lbragstad	dolphm the live migration patch has a tests to check the db operations, right?	21:24
lbragstad	dolphm is that what you mean by test?	21:24
*** ninag has joined #openstack-keystone		21:25
dolphm	lbragstad: yes	21:26
dolphm	lbragstad: the new unit tests pass against ron's new migrations	21:27
*** roxanaghe has joined #openstack-keystone		21:27
*** vgridnev has quit IRC		21:28
openstackgerrit	henry-nash proposed openstack/keystone: Change project unique constraint https://review.openstack.org/158372	21:32
lbragstad	dolphm do you know if there is a way to query gerrit to not give you things you've already reviewed?	21:34
dolphm	lbragstad: yep!	21:34
dolphm	lbragstad: label:Code-Review<=+2,self	21:35
dolphm	lbragstad: rather, NOT label:Code-Review<=+2,self	21:35
lbragstad	dolphm glorious, thanks!	21:35
lbragstad	dolphm and NOT label:Code-Review<=+2,self is technically equivalent to -label:Code-Review<=+2,self right?	21:36
dolphm	lbragstad: yes	21:36
*** pnavarro has joined #openstack-keystone		21:37
*** htruta` is now known as htruta		21:38
*** henrynash has quit IRC		21:41
*** sudorandom has joined #openstack-keystone		21:47
*** su_zhang has joined #openstack-keystone		21:47
dstanek	dolphm: actually even if we dropped the table i don't know that it would be picked up	21:50
dolphm	dstanek: L49? https://review.openstack.org/#/c/241603/13/keystone/tests/unit/test_sql_banned_operations.py	21:57
dolphm	dstanek: and test_table L66	21:57
dstanek	dolphm: do you know if ron plans on dropping the user table then?	21:58
openstackgerrit	Jorge Munoz proposed openstack/keystone: Fix trust redelegation and associated test https://review.openstack.org/269824	21:59
dolphm	dstanek: under the online migrations guidelines, he can write the migration now, but we can't totally kill it until newton	21:59
dstanek	dolphm: oh wow. so we have to keep that table around that long?	22:00
dolphm	dstanek: yes, all tables and columns have have a N+1 cycle to be dropped	22:00
*** spandhe has quit IRC		22:00
dolphm	dstanek: basically we have to support N-1 and N service versions running against an N version database schema	22:02
dstanek	dolphm: do we need to keep the data? i'm worried that if may be confusing to operators that the data lives in two places	22:03
dstanek	dolphm: at the same time?	22:03
dolphm	dstanek: that's the deal	22:03
dstanek	dolphm: that would be really bad if someone actually did that	22:04
lbragstad	jorge_munoz - https://github.com/openstack/gerrit-dash-creator	22:05
dstanek	lbragstad: jorge_munoz: that's how i created bit.ly/dstanek-review	22:06
dolphm	dstanek: actually did what?	22:06
dstanek	dolphm: ran N-1 and N against the same database	22:07
bknudson	dstanek: how else are you going to do on-line upgrade?	22:08
dstanek	bknudson: i'm not sure you can in many cases; take the shadows users as an example	22:09
bknudson	you wouldn't be able to use the new feature until everything was at N	22:10
dstanek	bknudson: with shadow users we are moving data to a new table. so any data added by N will not be readable by N-1	22:10
bknudson	unless N updates both the new data and the data read by N-1.	22:11
*** kragniz_ is now known as kragniz		22:12
dstanek	bknudson: currently it doesn't	22:12
*** jsavak has quit IRC		22:12
bknudson	sounds like it's broken	22:12
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Get revocation list with only audit ids https://review.openstack.org/260196	22:14
*** su_zhang has quit IRC		22:15
notmorgan	so the only way schema stuff works afaik is "N can work with n-1 database" not "n-1 works with N database"	22:15
*** su_zhang has joined #openstack-keystone		22:15
notmorgan	so you can upgrade everything to N, then roll the schema forward	22:15
notmorgan	but trying to do the otherway is insantiy	22:15
bknudson	the only way N can work with N-1 is if we've got 2 models	22:16
bknudson	that's an sqlalchemy limitation	22:16
bknudson	also, then N would have to some how figure out when the db was migrated	22:17
dolphm	notmorgan: oh yeah, i think i worded that poorly	22:19
dolphm	so, mitaka codebase must work with both the mitaka and liberty database schemas	22:19
notmorgan	yesh	22:19
notmorgan	that would make sense	22:20
notmorgan	:)	22:20
bknudson	how is mitaka supposed to work with L? it's got the models for M	22:20
*** ayoung has joined #openstack-keystone		22:20
*** ChanServ sets mode: +v ayoung		22:20
bknudson	this is why we need to switch to mongodb	22:20
dstanek	bknudson: right, that was one of the points i brought up last time we talked about online schema migrations	22:21
dolphm	lol, sqlalchemy has some tricks we're not using yet	22:21
dstanek	dolphm: really?	22:21
*** edmondsw has quit IRC		22:21
dolphm	dstanek: there's a cinder patch that demonstrates sqlalchemy handling two columns as one	22:22
notmorgan	bknudson: i heard we can be webscale that way	22:22
dolphm	which is 90% of what we need, i think	22:22
bknudson	he he	22:22
dstanek	dolphm: would that work with data moving between models?	22:22
dolphm	all i care about is reliable tests for this	22:22
dolphm	dstanek: one model object has to understand both new and old schema	22:23
dstanek	dolphm: are you talking about using a @property with the real name that can access either column?	22:23
*** boris-42 has joined #openstack-keystone		22:23
dolphm	dstanek: basically	22:24
dstanek	that's basically what the shadow users patch does	22:24
*** dims has quit IRC		22:24
*** pnavarro has quit IRC		22:24
dstanek	having keystone<n> understand both database<n> and database<n-1> makes more sense :-)	22:25
*** timcline has quit IRC		22:26
bknudson	so how does the upgrade go in that case?	22:26
dstanek	rolling upgrade of keystone instances - expand database migrations - migrate data - contract database migrations?	22:27
dstanek	i don't really get the migration and contract parts yet	22:27
*** spandhe has joined #openstack-keystone		22:27
bknudson	how does keystone know that the data is migrated?	22:28
bknudson	you could restart them again or send a signal or something?	22:28
dstanek	i'm guessing restart, but i'm trying to find some references	22:29
dstanek	i also don't know when you'd run the contractions because that would be downtime	22:29
bknudson	the alternative is -- keystone-manage db_sync to N+1, rolling upgrade	22:29
dstanek	also adding an index to a large table is downtime	22:29
bknudson	the contractions happen on N+2	22:29
*** dims has joined #openstack-keystone		22:30
dstanek	bknudson: but there would be downtime for each release (except the first since there are no contractions)	22:30
bknudson	what's the downtime?	22:30
*** csoukup has joined #openstack-keystone		22:31
bknudson	you mean you've got some running N and some running N+1 and some running N+2?	22:32
dstanek	the locking of tables will cause service disruption	22:32
bknudson	who's locking tables?	22:32
notmorgan	also table locking doesn't really work in real deployments	22:33
notmorgan	because $galera	22:33
dstanek	the database - mysql locks tables with doing certain (all) alters	22:33
notmorgan	unless you're only doing one write master	22:33
bknudson	this is why nobody uses mysql	22:33
notmorgan	or maybe it was only row locks that don't get replicated?	22:33
notmorgan	bknudson: right. clearly that is the issue	22:34
notmorgan	bknudson: you're sarcastic today man	22:34
dstanek	bknudson: i wish :-( i really wish	22:34
bknudson	what does mysql think is a large table?	22:34
bknudson	I think nova thinks they've solved this problem somehow, so maybe it would be best to ask them.	22:36
dstanek	it's not that mysql thinks the table is large it's that the larger table you have the longer the lock may be held - i don't really think it would be terribly long, but i have not measured	22:36
dstanek	bknudson: yeah, i'm reading their spec now	22:36
dstanek	if you're interested https://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/online-schema-changes.html	22:37
bknudson	dstanek: nova-manage db doesn't have a contract like the spec says according to the help output	22:40
bknudson	at least when you run keystone-manage it doesn't say `Option "verbose" from group "DEFAULT" is deprecated for removal. Its value may be silently ignored in the future.` every time.	22:41
*** phalmos has quit IRC		22:41
*** BAKfr has joined #openstack-keystone		22:43
*** tonytan4ever has quit IRC		22:45
*** doug-fis_ has quit IRC		22:46
*** jamielennox\|away is now known as jamielennox		22:47
openstackgerrit	Ajaya Agrawal proposed openstack/keystone: Ensure pycadf initiator IDs are UUID https://review.openstack.org/252182	22:47
*** BAKfr has quit IRC		22:47
jamielennox	stevemar: what's up?	22:48
*** avarner_ has quit IRC		22:49
openstackgerrit	Ajaya Agrawal proposed openstack/keystone: Change get_project permissions https://review.openstack.org/270513	22:54
*** sigmavirus24 is now known as sigmavirus24_awa		22:54
openstackgerrit	Ajaya Agrawal proposed openstack/keystone: Ensure pycadf initiator IDs are UUID https://review.openstack.org/252182	22:58
*** henrynash has joined #openstack-keystone		22:59
*** ChanServ sets mode: +v henrynash		22:59
*** ninag has quit IRC		23:02
*** slberger has left #openstack-keystone		23:02
*** doug-fish has joined #openstack-keystone		23:03
*** mordred has quit IRC		23:04
*** lhcheng_ has joined #openstack-keystone		23:05
*** mordred has joined #openstack-keystone		23:05
*** lhcheng__ has joined #openstack-keystone		23:06
*** zhiyan has quit IRC		23:06
*** e0ne has quit IRC		23:07
*** lhcheng has quit IRC		23:07
*** dims has quit IRC		23:07
*** doug-fish has quit IRC		23:08
*** zhiyan has joined #openstack-keystone		23:08
*** lhcheng_ has quit IRC		23:09
*** jbell8 has quit IRC		23:13
*** johnthetubaguy has quit IRC		23:13
*** johnthetubaguy has joined #openstack-keystone		23:16
*** su_zhang has quit IRC		23:16
hogepodge	Does anyone have pointers on how to integrate Keystone with OpenID Connect?	23:17
*** gordc has quit IRC		23:19
notmorgan	hogepodge: /me looks towards stevemar and marekd before answering or even trying to answer	23:20
openstackgerrit	Ajaya Agrawal proposed openstack/keystone: Change get_project permission https://review.openstack.org/270057	23:20
ajayaa	henrynash, fixed in the old changeID.	23:20
*** su_zhang has joined #openstack-keystone		23:21
*** diazjf has quit IRC		23:22
hogepodge	notmorgan: asking for a friend	23:23
hogepodge	that friend being TryStack	23:24
*** gildub has joined #openstack-keystone		23:30
*** dims has joined #openstack-keystone		23:32
openstackgerrit	Eric Brown proposed openstack/keystone: Remove unused ProjectLdapStructureMixin class https://review.openstack.org/270530	23:35
*** lhcheng__ has quit IRC		23:38
*** ajayaa has quit IRC		23:39
jamielennox	damn, i really didn't think anyone would get hit by the stop memory caching tokens thing	23:39
jamielennox	even in devstack i thought it was configured to use memcache	23:39
*** lhcheng has joined #openstack-keystone		23:41
*** ChanServ sets mode: +v lhcheng		23:41
dolphm	notmorgan: nit! https://review.openstack.org/#/c/270474/4/lib/keystone	23:41
notmorgan	it works either way	23:42
notmorgan	jamielennox: nope	23:42
notmorgan	jamielennox: but this is a real improvement fwiw	23:42
notmorgan	dolphm: i'm gonna just roll my eyes at that option name change	23:43
dolphm	notmorgan: that is understandable	23:44
*** gildub has quit IRC		23:44
notmorgan	dolphm: in-fact.. i kinda want to smack someones hands for that now	23:44
dolphm	notmorgan: but, i'm more concerned about the dependency issue	23:44
notmorgan	that devstack requires memcache?	23:44
notmorgan	meh	23:44
notmorgan	and this should reduce devstack memory footprint	23:44
notmorgan	ugh	23:45
notmorgan	https://github.com/openstack/keystonemiddleware/commit/a23793a64455f8fdff740e190496d3fecaa7b7b1 that patch... CHANGED OPTION NAMES	23:45
notmorgan	oh wait	23:45
notmorgan	no.	23:45
notmorgan	https://github.com/openstack/keystonemiddleware/commit/4810b626658e9f578c55ebd21895360b0167d54c that one	23:45
notmorgan	really?	23:45
notmorgan	why	23:46
*** sigmavirus24_awa is now known as sigmavirus24		23:46
notmorgan	to get ATC?	23:46
notmorgan	oh to fix for oslo.cache... that could have waited.	23:46
*** BAKfr has joined #openstack-keystone		23:47
notmorgan	still eyeroll	23:47
notmorgan	dolphm: anyway, this should be a netwin for devstack runs, since now instead of duplicating the cache all over many processes and being inconsistent on caching the validation, one validate caches for sunbsequent services down the line too	23:47
dolphm	notmorgan: will your patch work on a multi node devstack deploy? because it looks like it's installing memcache where keystone is installed, not where keystonemiddleware is used	23:49
notmorgan	dolphm: will need to check, it isn't causing failures/extended times with multinode	23:49
notmorgan	dolphm: are you splitting API services with multinode at the moment or just compute	23:50
notmorgan	i think it's the latter	23:50
dolphm	notmorgan: we can do it either way - we design for a 27+ node control plane :P	23:50
notmorgan	and we should add some variables in next to allow setting the memcache host.	23:50
*** csoukup has quit IRC		23:50
notmorgan	dolphm: in devstack?	23:50
dolphm	notmorgan: no, in the real world	23:50
notmorgan	dolphm: right and in realworld it works just fine to specify $memcache_host	23:51
notmorgan	or whatever your breakdown is	23:51
dolphm	++	23:51
notmorgan	:)	23:51
dolphm	to be clear, i think your fix should work, but it's working slightly based on coincidence, not design :P	23:51
notmorgan	it is working in the scope of "devstack"	23:52
notmorgan	which is all it's meant to do.	23:52
notmorgan	which, is by design.	23:52
dolphm	fair enough	23:52
dolphm	so, you want to roll with the deprecated name?	23:52
notmorgan	i'll fix it will a followup to make memcache more configurable	23:52
dolphm	i assume there's a new warning emitted somewhere	23:52
notmorgan	so you can get benefits of multinode in the future with devstack	23:53
*** shoutm has joined #openstack-keystone		23:53
notmorgan	i think we squash middleware warnings in devstack runs :P	23:53
dolphm	alright, +1	23:53
notmorgan	it passes devstack check, so clearly the warning is hiding	23:54
notmorgan	if being emitted at all	23:54
*** jbell8 has joined #openstack-keystone		23:56
openstackgerrit	Brant Knudson proposed openstack/keystone: Parameter to return audit ids only in revocation list https://review.openstack.org/260153	23:57
openstackgerrit	Eric Brown proposed openstack/keystone: Remove more ldap project references https://review.openstack.org/270530	23:59
*** sigmavirus24 is now known as sigmavirus24_awa		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!