Thursday, 2016-01-28

« Wednesday, 2016-01-27 Index Friday, 2016-01-29 »
*** shoutm_ has joined #openstack-keystone00:07
*** pushkaru has joined #openstack-keystone00:08
*** jbell8 has quit IRC00:10
*** shoutm has quit IRC00:10
*** _cjones__ has quit IRC00:11
*** _cjones_ has joined #openstack-keystone00:11
*** _cjones__ has joined #openstack-keystone00:15
*** _cjones_ has quit IRC00:16
*** _cjones__ has quit IRC00:17
*** _cjones_ has joined #openstack-keystone00:18
openstackgerritMerged openstack/keystone: Simplify admin_required policy  https://review.openstack.org/27319300:20
openstackgerritMerged openstack/keystone: Test hyphens instead of underscores in request attributes  https://review.openstack.org/25860100:21
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947900:25
*** daemontool has quit IRC00:26
*** _cjones_ has quit IRC00:26
*** _cjones_ has joined #openstack-keystone00:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947900:27
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947900:28
*** ninag has quit IRC00:28
*** _cjones_ has quit IRC00:32
*** _cjones_ has joined #openstack-keystone00:32
*** mgarza_ has quit IRC00:33
*** _cjones__ has joined #openstack-keystone00:35
*** _cjones_ has quit IRC00:35
*** _cjones_ has joined #openstack-keystone00:37
*** _cjones__ has quit IRC00:37
*** RA_ has quit IRC00:42
*** _cjones_ has quit IRC00:42
*** _cjones_ has joined #openstack-keystone00:43
*** _cjones__ has joined #openstack-keystone00:47
*** _cjones_ has quit IRC00:48
ayoungjamielennox, you know how you were saying implied roles should not be a whole different API?  You were right00:48
ayoungI'm reworking it now, it will be00:48
jamielennoxayoung: :)00:48
ayoungpath='/role/{prior_role_id}/implies/{implied_role_id}',00:49
ayoungthere is no need for prior_  in there00:49
jamielennoxayoung: is this going to affect it getting in for mitaka?00:49
ayoungnah00:49
jamielennoxi still think you should cause we'll be stuck with the api00:49
ayoungI'll submit the spec change at the same time.  I think it will be fine00:50
ayoungits justa tune up00:50
jamielennoxayoung: as an aside i don't really like the PUT /role/X/imples/Y syntax but we use it all over keystone00:50
jamielennoxi think it should just be {'role': {'id': XYZ, 'implies': [ABC, DEF]}}00:50
ayoungCan you voice why you don't like it?  There might be something there00:50
ayoungAs a PATCH to the role object?00:51
jamielennoxayoung: it doesn't give any information back00:51
jamielennoxi'd love to be using PATCH, but none of our APIs do that00:51
jamielennoxi don't know, it's not a battle i'm worried about00:52
ayoungI guess I tend to think relationally about these.  The rule is a separate entity from the role itself00:52
jamielennoxas i said we use the PUT X/imples/Y with no data no resp body format in lots of places00:52
jamielennoxbut yea, i'd love it to just be a function of the standard role api00:53
ayoungjamielennox, also, notmorgan brought up the point of priv escalation.  I put in a rule that said admin could not be implied, only explicit00:54
jamielennoxyea, there's the admin RBAC problem here00:54
ayoungIf all roles were defined via inference, then just putting a "no cycles" would be enough to stop a priv escalation00:54
ayounglimiting the inference to cloud_admin should be sufficient,00:55
*** dims_ has quit IRC00:55
jamielennoxtesting admin is probably fine, i think adding role implications should be a really priviledged call00:55
jamielennoxright00:55
ayounggyee did not like the one-off rule.  Thinking about putting a config option for roles that can't be implied00:55
ayoungwith the default being admin00:55
jamielennoxhenry is going to want to change it all for domain specific roles - i have concerns about that anyway00:55
ayoungI do, too.   Specifically, I suspect that what we want to do for domains, we are going to want to do for projects eventually too00:56
ayoungdomains should not be special00:56
ayoungbut that is the whole namespacing problem all over again00:56
jamielennoxi just think we are twisting ourself too much to match what people already have00:57
jamielennoxpolicy is still very static, i'm not sure i want everyone defining there own, yes i understand that basic roles become capabilities etc00:57
jamielennoxbut i'm still not sure that the cloud admin should define things for their cloud in sufficient detail and people use what is provided00:58
jamielennoxi go back and forth between we should make it easy for people to customize to their liking, and damn it just provide something sensible and make everyone conform00:59
*** pushkaru has quit IRC01:00
ayoungjamielennox, I tend more toward that latter myself01:02
ayoungjust that what we provide now is not there...01:02
*** EinstCrazy has joined #openstack-keystone01:15
*** davechen has joined #openstack-keystone01:18
*** EinstCrazy has quit IRC01:24
*** pushkaru has joined #openstack-keystone01:24
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/27279001:27
*** EinstCrazy has joined #openstack-keystone01:28
*** su_zhang has joined #openstack-keystone01:29
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/27282501:31
*** jasonsb has joined #openstack-keystone01:31
*** EinstCrazy has quit IRC01:32
*** EinstCrazy has joined #openstack-keystone01:35
*** EinstCrazy has quit IRC01:35
*** davechen1 has joined #openstack-keystone01:36
*** davechen has quit IRC01:37
*** davechen2 has joined #openstack-keystone01:43
*** _cjones_ has joined #openstack-keystone01:44
*** _cjones__ has quit IRC01:44
*** davechen1 has quit IRC01:44
*** EinstCrazy has joined #openstack-keystone01:46
*** davechen has joined #openstack-keystone01:55
*** davechen2 has quit IRC01:57
*** EinstCrazy has quit IRC02:07
*** _cjones_ has quit IRC02:11
*** _cjones_ has joined #openstack-keystone02:14
*** _cjones_ has quit IRC02:16
*** browne has quit IRC02:16
*** RA_ has joined #openstack-keystone02:17
*** spandhe has quit IRC02:19
*** tobe has joined #openstack-keystone02:22
*** woodster_ has quit IRC02:26
*** pushkaru has quit IRC02:36
*** fawadkhaliq has joined #openstack-keystone02:37
*** e0ne has joined #openstack-keystone02:41
*** EinstCrazy has joined #openstack-keystone02:42
*** alexvictorchan has quit IRC02:46
*** alexvictorchan has joined #openstack-keystone02:47
*** e0ne has quit IRC02:48
*** e0ne has joined #openstack-keystone02:50
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261402:54
*** e0ne_ has joined #openstack-keystone02:54
*** e0ne has quit IRC02:55
htrutaayoung, hey02:55
htrutaayoung, looks like on HMT stuff we only use the visitor pattern when we talk about the way we traverse the tree, because there isn't actually a different treatment for visiting a node02:57
ayounghtruta, heh...got you thinking!02:57
ayounghtruta, now, looking to the future.  We want to do an operation on a set of nodes under a tree...02:57
htrutaayoung, in a long long future when we have reseller, for example, we might have some different treatment for regular projects and projects acting as domains02:59
ayoungor depending on whether the reseller can see inside them or not.02:59
*** richm has quit IRC02:59
openstackgerritayoung proposed openstack/keystone-specs: Update Implied Role API  https://review.openstack.org/27332303:01
htrutaayoung, true03:02
htrutaayoung, I was wondering if you intend to discuss this with the guys in the midcycle03:03
ayounghtruta, maybe...I have a bout threee majore efforts going on right now, only one is upstream keystone03:03
*** spandhe has joined #openstack-keystone03:04
htrutaayoung, ok. I'll try to fix that by this week... lots of things here too03:04
ayoungfocus on what the others are beating you up over...I can live with this as is if needs be.  Its not make or break, but it will be better my way.  But if it means a nother round of discussions, I can punt.03:05
htrutaayoung, actually, no one is beating. We've agreed that we will have the param ?cascade, instead of the new route03:07
ayoungOK...then all good03:07
htrutaayoung, the point we were not considering was the tree policy check03:07
ayoungOK03:07
ayoungthat is the important part03:07
*** RA_ has quit IRC03:09
*** browne has joined #openstack-keystone03:21
*** EinstCrazy has quit IRC03:31
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261403:33
*** su_zhang has quit IRC03:36
*** EinstCrazy has joined #openstack-keystone03:37
*** shoutm_ has quit IRC03:40
*** roxanaghe has joined #openstack-keystone03:42
*** KarthikB has joined #openstack-keystone03:43
*** yarkot has joined #openstack-keystone03:45
*** shoutm has joined #openstack-keystone03:47
*** e0ne_ has quit IRC03:48
*** EinstCrazy has quit IRC03:48
*** fawadkhaliq has quit IRC03:49
*** EinstCrazy has joined #openstack-keystone03:49
*** roxanaghe has quit IRC03:51
*** roxanaghe has joined #openstack-keystone03:52
*** jdennis1 has joined #openstack-keystone03:53
*** jdennis has quit IRC03:53
*** spandhe has quit IRC03:54
*** shoutm_ has joined #openstack-keystone04:01
*** gyee has joined #openstack-keystone04:03
*** ChanServ sets mode: +v gyee04:03
*** gyee has quit IRC04:03
*** shoutm has quit IRC04:04
*** EinstCrazy has quit IRC04:05
*** e0ne has joined #openstack-keystone04:08
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235804:13
*** su_zhang has joined #openstack-keystone04:17
*** vivekd_ has joined #openstack-keystone04:29
*** vivekd has quit IRC04:31
*** vivekd_ is now known as vivekd04:31
*** vivekd has quit IRC04:38
*** e0ne has quit IRC04:44
*** jbell8 has joined #openstack-keystone04:44
*** shoutm has joined #openstack-keystone04:46
*** shoutm_ has quit IRC04:49
*** KarthikB has quit IRC04:49
*** henrynash has joined #openstack-keystone04:53
*** ChanServ sets mode: +v henrynash04:53
*** EinstCrazy has joined #openstack-keystone04:53
*** oomichi has joined #openstack-keystone04:54
*** spandhe has joined #openstack-keystone04:57
*** EinstCrazy has quit IRC05:03
*** spandhe_ has joined #openstack-keystone05:03
*** su_zhang has quit IRC05:04
*** spandhe has quit IRC05:04
*** spandhe_ is now known as spandhe05:04
*** jamielennox is now known as jamielennox|away05:05
*** daemontool has joined #openstack-keystone05:05
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Use the oslo.utils.reflection to extract the class name  https://review.openstack.org/24149405:06
*** roxanaghe has quit IRC05:06
*** RA_ has joined #openstack-keystone05:09
*** EinstCrazy has joined #openstack-keystone05:10
*** su_zhang has joined #openstack-keystone05:14
*** jaosorior has joined #openstack-keystone05:21
*** roxanaghe has joined #openstack-keystone05:24
*** reddy has joined #openstack-keystone05:30
*** fawadkhaliq has joined #openstack-keystone05:32
*** teju has joined #openstack-keystone05:44
*** fawadkhaliq has quit IRC05:45
*** shoutm has quit IRC05:47
*** shoutm has joined #openstack-keystone05:48
*** mc_nair has quit IRC06:00
*** topol has quit IRC06:00
*** spandhe has quit IRC06:03
*** topol_ has joined #openstack-keystone06:03
*** spandhe has joined #openstack-keystone06:08
tejuhi, how to create policies in openstack kilo using openstack/keystone CLI ?06:14
*** fawadkhaliq has joined #openstack-keystone06:19
*** henrynash has quit IRC06:26
*** jbell8 has quit IRC06:27
*** spandhe has quit IRC06:27
*** jbell8 has joined #openstack-keystone06:27
*** Nirupama has joined #openstack-keystone06:28
*** jbell8 has quit IRC06:30
*** jbell8 has joined #openstack-keystone06:31
*** EinstCra_ has joined #openstack-keystone06:36
*** EinstCrazy has quit IRC06:36
*** EinstCra_ has quit IRC06:37
openstackgerritDave Chen proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485406:39
*** RA_ has quit IRC06:48
*** jaosorior has quit IRC07:03
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235807:07
*** boris-42 has joined #openstack-keystone07:17
*** jaosorior has joined #openstack-keystone07:38
*** roxanaghe has quit IRC07:38
*** su_zhang has quit IRC07:41
*** roxanaghe has joined #openstack-keystone07:41
*** _cjones_ has joined #openstack-keystone07:43
openstackgerritDave Chen proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485407:43
*** lhcheng has joined #openstack-keystone07:55
*** ChanServ sets mode: +v lhcheng07:55
*** _cjones_ has quit IRC07:58
*** belmoreira has joined #openstack-keystone07:59
*** lhcheng has quit IRC08:00
*** david8hu has quit IRC08:19
*** permalac has joined #openstack-keystone08:19
*** david8hu has joined #openstack-keystone08:20
*** pnavarro has joined #openstack-keystone08:24
openstackgerritRoxana Gherle proposed openstack/keystone: Make WebSSO trusted_dashboard hostname case-insensitive  https://review.openstack.org/27339408:45
*** roxanaghe has quit IRC08:58
*** sinese has joined #openstack-keystone09:00
*** fhubik has joined #openstack-keystone09:01
*** roxanaghe has joined #openstack-keystone09:04
*** roxanaghe has quit IRC09:04
*** browne has quit IRC09:08
*** vgridnev has joined #openstack-keystone09:14
*** jistr has joined #openstack-keystone09:16
*** fhubik is now known as fhubik_brb09:17
*** fhubik_brb is now known as fhubik09:21
*** jaosorior has quit IRC09:21
*** jaosorior has joined #openstack-keystone09:22
marekdsamueldmq: so, did you already -2 something? :-)09:22
*** EinstCrazy has joined #openstack-keystone09:31
*** jaosorior has quit IRC09:34
*** mhickey has joined #openstack-keystone09:35
*** jaosorior has joined #openstack-keystone09:35
*** pnavarro has quit IRC09:35
openstackgerritDave Chen proposed openstack/keystone: Consolidate `test_contrib_ec2.py` into `test_credential.py`  https://review.openstack.org/27188609:37
davechenmarekd: all fixed up.09:37
davechenmarekd: i am not sure if we should split the patch into smaller ones.09:38
marekddavechen: i think it's fine09:39
marekdi am actually working already on another step09:39
marekdon top of that one.09:39
marekdanyway, thanks for the help!09:39
davechenmarekd: call the api?09:39
davechento filter the sp in the token response?09:40
marekddavechen: no, service providers groups!09:40
davechenmarekd: got you.09:40
*** jistr is now known as jistr|biab09:43
marekddavechen: will add you to the reviewers list.09:43
*** wanghua has quit IRC09:44
davechenmarekd: sure.09:44
davechenmarekd: i forgot to comment on that patch.09:44
davechenmarekd: we should make all of those experimental.09:44
davechenmarekd: currently, it's not09:44
davechenmarekd: will address it later since i am going to catch up the shuttle.09:45
marekduhu09:45
davecheni think those api should be experimental at first.09:45
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235809:50
openstackgerritDave Chen proposed openstack/keystone: Service Providers and Projects associations  https://review.openstack.org/26485409:54
davechenmarekd: done09:54
marekddone what09:54
davechenmarekd: the last mins :)09:54
davechenmarked all those api as experimental09:54
*** davechen has left #openstack-keystone09:55
*** fawadkhaliq has quit IRC09:57
marekdok cool :)09:57
*** fawadkhaliq has joined #openstack-keystone09:58
*** sinese has quit IRC10:05
*** rcernin has joined #openstack-keystone10:18
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343810:23
*** aix has joined #openstack-keystone10:42
*** fawadkhaliq has quit IRC10:42
*** fawadkhaliq has joined #openstack-keystone10:42
*** jistr|biab is now known as jistr10:57
*** permalac has quit IRC10:57
*** jbell8 has quit IRC11:02
*** fhubik is now known as fhubik_brb11:07
*** fhubik_brb is now known as fhubik11:07
*** dims has joined #openstack-keystone11:07
*** fhubik is now known as fhubik_brb11:09
*** apetrov has joined #openstack-keystone11:19
*** tobe has quit IRC11:41
*** sinese has joined #openstack-keystone11:46
*** aix has quit IRC11:46
*** fhubik_brb is now known as fhubik11:47
*** jdennis1 has quit IRC11:47
*** jdennis has joined #openstack-keystone11:47
*** sinese has quit IRC11:47
*** sinese has joined #openstack-keystone11:48
*** shoutm_ has joined #openstack-keystone11:48
*** shoutm has quit IRC11:48
*** teju has quit IRC11:49
*** doug-fish has joined #openstack-keystone11:49
*** sinese has quit IRC11:53
*** roxanaghe has joined #openstack-keystone12:04
*** e0ne has joined #openstack-keystone12:06
*** roxanaghe has quit IRC12:09
*** fhubik is now known as fhubik_brb12:17
*** aix has joined #openstack-keystone12:17
*** sinese has joined #openstack-keystone12:18
*** pauloewerton has joined #openstack-keystone12:21
*** raildo-afk is now known as raildo12:25
*** e0ne has quit IRC12:27
*** daemontool_ has joined #openstack-keystone12:27
*** e0ne has joined #openstack-keystone12:27
*** daemontool has quit IRC12:28
*** tobe has joined #openstack-keystone12:41
*** fhubik_brb is now known as fhubik12:43
*** amakarov has joined #openstack-keystone12:44
*** dims has quit IRC12:47
openstackgerritAndreas Jaeger proposed openstack/python-keystoneclient: Update translation setup  https://review.openstack.org/27351012:48
*** mattt has joined #openstack-keystone12:49
*** bill_az has joined #openstack-keystone12:52
odyssey4medolphm dstanek lbragstad notmorgan hughsaunders mattt Coming back to the discussion from https://review.openstack.org/271357 - it would appear that catalogue caching was actually implemented in Kilo and Liberty too... and we seem to be picking up similar behaviour in Kilo. This is not entirely certain yet as we're not seeing it nearly as often, but we are seeing some failures of the same sort.12:52
*** daemontool_ has quit IRC12:53
dstanekodyssey4me: you are frequently editing the catalog?12:55
odyssey4medstanek the issue arises when we're standing up a new environment - the issue shows because after setting up the services we're immediately running tests against it12:59
odyssey4methe environment is setup with multiple service hosts (ie two keystone, two glance api, etc)12:59
odyssey4mehughsaunders is digging into it13:00
*** shoutm_ has quit IRC13:03
samueldmqmorning all13:06
samueldmqmarekd: hey, not yet :)13:06
*** tobe has quit IRC13:09
*** ninag has joined #openstack-keystone13:10
marekdsamueldmq: but you are not at the midcycle, are you?13:10
samueldmqmarekd: yes I am, davechen isn't :(13:12
marekdsamueldmq: i was wondering where did this photo from Brad's tweet was coming from13:12
marekdsamueldmq: ah, cool!13:12
marekdsamueldmq: so we switched, as i am missing too this time :-)13:13
samueldmqmarekd: hehe yes he took the photo there at the midcycle13:15
*** peter-hamilton has joined #openstack-keystone13:16
samueldmqmarekd: you should go to next, which is probably going to happen in Brazil :-)13:16
marekdsamueldmq: yeah, makes sense13:16
marekdsamueldmq: wat?13:16
marekdwho said that?13:16
samueldmqmarekd: yep, that13:17
samueldmqmarekd: next midcycle in Brazil13:17
*** fawadkhaliq has quit IRC13:17
*** jsavak has joined #openstack-keystone13:17
*** jsavak has quit IRC13:17
*** fawadkhaliq has joined #openstack-keystone13:17
*** jsavak has joined #openstack-keystone13:17
marekdbut who decided that?13:17
samueldmqmarekd: well, that's the idea, see https://etherpad.openstack.org/p/keystone-mitaka-midcycle13:17
samueldmqmarekd: first topic of discussion13:18
marekdsamueldmq: what time is there now?13:20
samueldmqmarekd: 7:20 am here13:21
marekdah yes13:21
marekd7 hours diff13:21
marekdsamueldmq: i will try to dial in for the hangouts13:25
marekdstevemar: I am reading backlog from midcycle etherpad. Just a heads up that I got a feedback from some operators that they would like to see some 'user expiration' and I see shadow users are trying to somehow address that.13:26
samueldmqmarekd: cool, ayoung did this yesterday, so he could participate13:28
marekdsamueldmq: did he call in for a whole day?13:28
samueldmqmarekd: most part of it13:28
openstackgerritAndreas Jaeger proposed openstack/python-keystoneclient: Update translation setup  https://review.openstack.org/27351013:28
*** e0ne has quit IRC13:29
*** fhubik is now known as fhubik_brb13:30
marekdok, i will call in for the beginning of the day13:30
*** RA_ has joined #openstack-keystone13:31
*** Nirupama has quit IRC13:38
*** fhubik_brb is now known as fhubik13:41
*** henrynash has joined #openstack-keystone13:41
*** ChanServ sets mode: +v henrynash13:41
*** avarner has joined #openstack-keystone13:50
htrutahenrynash: hi. regarding bug 1440107. If I understand correctly, the problem is only that we should have an option to delete only group or only user assignments13:51
openstackbug 1440107 in OpenStack Identity (keystone) "Clearing up project assignments makes assumptions that domain_id != project_id" [Low,Triaged] https://launchpad.net/bugs/144010713:51
htrutaright?13:51
*** avarner has quit IRC13:52
*** RA_ has quit IRC13:52
*** amakarov has quit IRC13:52
ayoungmarekd, I called in for the whole group portion.  Once they broke down into small teams I signed off.13:57
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split assignment backend tests  https://review.openstack.org/26830713:57
*** richm has joined #openstack-keystone13:58
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split resource backend tests  https://review.openstack.org/26870213:58
*** jed56 has joined #openstack-keystone13:58
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split token backend tests  https://review.openstack.org/26911113:59
*** jsavak has quit IRC13:59
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split trust backend tests  https://review.openstack.org/26911513:59
*** jsavak has joined #openstack-keystone14:00
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split catalog backend tests  https://review.openstack.org/26912514:00
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split policy backend tests  https://review.openstack.org/26913314:01
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split identity backend tests  https://review.openstack.org/26914814:02
samueldmqtjcocozz: ^14:04
marekdayoung: cool114:04
marekdi will try calling in today14:04
*** jsavak has quit IRC14:06
*** jsavak has joined #openstack-keystone14:06
*** ericksonsantos has joined #openstack-keystone14:09
openstackgerritAndreas Jaeger proposed openstack/python-keystoneclient: Update translation setup  https://review.openstack.org/27351014:12
*** henrynash has quit IRC14:16
*** e0ne has joined #openstack-keystone14:19
*** phalmos has quit IRC14:23
ayoungbknudson, we need a better way to debug failures like this http://logs.openstack.org/14/242614/63/check/gate-keystone-python27/5f5d65c/testr_results.html.gz  comparing JSON home outputs is painful14:26
*** reddy has quit IRC14:27
*** permalac has joined #openstack-keystone14:29
*** paul-carlton2 has joined #openstack-keystone14:41
*** jsavak has quit IRC14:42
*** thiagolib has joined #openstack-keystone14:42
*** jsavak has joined #openstack-keystone14:43
*** fawadkhaliq has quit IRC14:51
*** tonytan4ever has joined #openstack-keystone14:52
*** pushkaru has joined #openstack-keystone14:52
*** amakarov has joined #openstack-keystone15:01
*** topol_ is now known as topol15:03
*** ChanServ sets mode: +v topol15:03
*** slberger has joined #openstack-keystone15:05
openstackgerrithenry-nash proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261415:07
*** sigmavirus24_awa is now known as sigmavirus2415:08
*** dims has joined #openstack-keystone15:08
tjcocozzsamueldmq, i'm on it!15:09
openstackgerrithenry-nash proposed openstack/keystone: Add tests for role management with v3policy file  https://review.openstack.org/26184615:09
bknudsonayoung: yes, the output could be better. I think I had to copy-paste the jsons into a couple text files to compare15:11
bknudsonmaybe testtools has a better way to show diffs in strings.15:11
openstackgerrithenry-nash proposed openstack/keystone: Add CRUD support for domain specific roles  https://review.openstack.org/26187015:12
bknudsonthis also happened recently when I was trying to switch the saml files from lxml to built-in xml15:12
ayoungbknudson, it happened when I converted the URLs for implied roles in the latest revision15:12
ayounghttps://review.openstack.org/#/c/242614/61..64/keystone/assignment/routers.py  bknudson15:13
*** edmondsw has joined #openstack-keystone15:14
ayoungoh probably just drop the implied from the test...15:14
bknudsonthe way we're doing JSON home validation is probably overkill now.15:14
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specifc roles  https://review.openstack.org/26207815:14
openstackgerrithenry-nash proposed openstack/keystone: Modify implied roles to honor domain specific roles  https://review.openstack.org/26306415:15
openstackgerrithenry-nash proposed openstack/keystone: Modify rules for domain specific role assignments  https://review.openstack.org/26354915:15
ayoungbknudson, you guys started there, yet?15:17
bknudsonayoung: not yet15:17
bknudsonrackspace people aren't here yet15:17
edmondswayoung, henry says implied roles tests are still failing, fyi15:17
*** phalmos has joined #openstack-keystone15:17
ayoungedmondsw, yeah, the version tests.  JSON Home stuff15:18
edmondswyep15:18
ayoungworkingon that now...and tripleo at the same time15:18
ayoungedmondsw, just got it to work.  New version in a moment15:18
edmondswcool15:18
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261415:19
ayoungedmondsw, so, I didn't change the data that came back from the rest calls, just the URLs themselves.15:19
ayoungIt was not until this morning that I realized that might not have been what you meant15:19
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235815:20
edmondswI was thinking that whenever you get a role, you'd see in it's json what it implies and what is implied by it15:20
edmondswas well as changing the paths15:21
edmondswbut I haven't looked at your new changes yet15:21
*** tonytan_brb has joined #openstack-keystone15:23
*** fhubik has quit IRC15:23
*** tonytan_brb has quit IRC15:23
*** tonytan_brb has joined #openstack-keystone15:24
*** timcline has joined #openstack-keystone15:25
*** fhubik has joined #openstack-keystone15:25
notmorganodyssey4me: def. let me know what you find15:25
notmorganstevemar: https://review.openstack.org/#/c/272007/15:26
*** tonytan4ever has quit IRC15:26
*** fhubik has quit IRC15:27
*** diazjf has joined #openstack-keystone15:27
notmorganstevemar: do you have the Zetta.io folks email addrs?15:31
notmorganstevemar: or can you get me a test account so i can verify the OCC stuff?15:31
notmorgan[I can't get the SMS verify to work because... probably SMS is weird]15:31
*** raildo is now known as raildo-afk15:33
marekdstevemar: notmorgan looks like you guys are not connected to the Google hangout room15:33
*** spzala has joined #openstack-keystone15:33
*** su_zhang has joined #openstack-keystone15:33
stevemarmarekd: brad will connect15:33
marekdstevemar: OKAY15:34
marekdwhenever you want.15:34
marekdtopol: i called in Call-in: 1-888-426-6840 (21899776)15:36
marekdyet "the host has not yet arrived" ?15:36
marekdus number is fine i can use google voide15:36
marekdvoice15:37
ayoungcalling in now15:37
samueldmqtjcocozz: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/project-tree-deletion15:37
*** AJaeger has quit IRC15:37
marekdayoung: 1-888-426-6840 ?15:37
ayoungmarekd, yeah15:38
marekdtopol: ayoung ok i am in15:39
*** jsavak has quit IRC15:39
*** jsavak has joined #openstack-keystone15:40
topolmared, ayoung, Ok good15:40
*** KarthikB has joined #openstack-keystone15:41
*** mgarza_ has joined #openstack-keystone15:45
*** alexvictorchan has quit IRC15:46
openstackgerritLance Bragstad proposed openstack/keystone: Reuse project scoped token check for trusts  https://review.openstack.org/25367215:46
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for domain scoped data creep  https://review.openstack.org/25367115:46
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for project scoped data creep to tests  https://review.openstack.org/25367015:46
*** narengan has joined #openstack-keystone16:01
*** vgridnev has quit IRC16:07
*** vgridnev has joined #openstack-keystone16:07
*** aix has quit IRC16:08
*** vgridnev has quit IRC16:12
*** browne has joined #openstack-keystone16:13
stevemarayoung: we're looking at: http://docs-draft.openstack.org/96/272396/2/check/gate-keystone-specs-docs/94c8fed//doc/build/html/specs/newton/pci-dss.html16:13
*** su_zhang has quit IRC16:25
*** shaleh has joined #openstack-keystone16:25
shalehdolphm: re: tracing metaclass for Manager instances. What are you looking for?16:26
*** clenimar has joined #openstack-keystone16:26
dolphmshaleh: i want to know when we actually hit manager methods, and what the arguments are16:27
*** KarthikB has quit IRC16:27
dolphmshaleh: in contrast to cache hits, where dogpile is crazy verbose16:27
shalehdolphm: any method of a Manager or just a certain set of them?16:27
dolphmshaleh: all of them16:27
dolphmshaleh: i just want good logging at that layer16:27
shalehdolphm: have you seen autologging? https://github.com/mzipay/Autologging you decorate the class with '@traced' and logging happens. We could probably hack that to use oslo_logging instead.16:28
*** su_zhang has joined #openstack-keystone16:28
shalehdolphm: so the question is how much more than that do we need?16:29
stevemarayoung: did i hang up?16:29
shalehdolphm: I can take this on. I just want to be sure I have captured your use cases.16:30
*** belmoreira has quit IRC16:31
*** jbell8 has joined #openstack-keystone16:32
ayoungstevemar, it is all muffled at this point16:32
marekdi am stalled as well16:32
marekdi am back now16:33
marekdstevemar:16:33
*** jbell8 has quit IRC16:35
*** fawadkhaliq has joined #openstack-keystone16:35
*** jbell8 has joined #openstack-keystone16:35
*** paul-carlton2 has quit IRC16:36
*** raildo-afk is now known as raildo16:37
*** KarthikB has joined #openstack-keystone16:38
*** clenimar has left #openstack-keystone16:42
*** clenimar_ has joined #openstack-keystone16:42
*** clenimar has joined #openstack-keystone16:45
dolphmhttp://www.isaca.org/Groups/Professional-English/pci-compliance/GroupDocuments/Meet%20PCI%20DSS%20Requirements%20with%20FOSS.pdf16:46
*** cdcasey has joined #openstack-keystone16:48
stevemarmarekd: ayoung we took a break16:50
*** amakarov_ has joined #openstack-keystone16:51
*** amakarov has quit IRC16:51
*** _cjones_ has joined #openstack-keystone16:52
*** _cjones_ has quit IRC16:54
*** _cjones_ has joined #openstack-keystone16:55
marekdstevemar: i can hear that.16:55
marekdanyways, i need to run16:55
marekdso i logged out16:55
*** spzala has quit IRC16:55
*** alexvictorchan has joined #openstack-keystone16:56
notmorganbknudson: https://review.openstack.org/25379316:57
stevemarmarekd: alrighty16:57
stevemarmarekd: thx for joining16:57
*** jed56 has quit IRC17:03
*** arunkant_ has joined #openstack-keystone17:04
*** diazjf1 has joined #openstack-keystone17:05
*** tonytan_brb has quit IRC17:07
*** csoukup has joined #openstack-keystone17:08
*** diazjf has quit IRC17:09
dstanekstevemar: http://docs.openstack.org/developer/nova/upgrade.html#process17:09
*** KarthikB has quit IRC17:10
*** tonytan4ever has joined #openstack-keystone17:11
*** su_zhang has quit IRC17:11
*** su_zhang has joined #openstack-keystone17:12
*** e0ne has quit IRC17:15
*** sigmavirus24 is now known as sigmavirus24_awa17:16
bknudsonhttps://etherpad.openstack.org/p/mitaka-crossproject-upgrades17:17
*** woodster_ has joined #openstack-keystone17:19
*** jaosorior has quit IRC17:21
*** jaosorior has joined #openstack-keystone17:22
*** KarthikB has joined #openstack-keystone17:24
*** permalac has quit IRC17:25
*** tristanC has joined #openstack-keystone17:26
tristanCbknudson: greeting sir, I've a question about bug 1490804. To fix that issue, one need both keystone and keystone middleware patch right ?17:27
openstackbug 1490804 in OpenStack Security Advisory "PKI Token Revocation Bypass (CVE-2015-7546)" [Undecided,Confirmed] https://launchpad.net/bugs/149080417:27
bknudsontristanC: yes, you need to update keystone and keystonemiddleware17:27
*** su_zhang has quit IRC17:29
tristanCbknudson: alright thanks. One more thing... I've started the ossa wrap-up, can you confirm me that so far, only the stable/kilo patch of keystone has been tagged, is this correct ?17:31
bknudsonchecking.17:31
*** raildo is now known as raildo-afk17:31
tristanCe.g.: https://review.openstack.org/#/c/273679/1/ossa/OSSA-2016-005.yaml17:31
tristanCbknudson: thank you! that's very appreciated, I often get confused by the release model of middlewares17:33
bknudsontristanC: my notes say that all the work is complete... let me check quick17:33
bknudsonoh, it might be merged but not released yet.17:33
tristanCusing git tag --contains with all merged sha1 only showed 2015.1.317:34
*** su_zhang has joined #openstack-keystone17:37
*** jistr has quit IRC17:38
bknudsontristanC: the keystonemiddleware change hasn't been released on stable/liberty or stable/kilo17:43
bknudsonstable/liberty would be 2.3.3 and stable/kilo would be 1.5.4.17:43
bknudsonthe changes are merged but not released.17:43
*** mhickey has quit IRC17:45
*** mhickey has joined #openstack-keystone17:45
tristanCnice, so OSSA version numbers are correct. thank!17:45
*** browne has quit IRC17:46
*** timcline has quit IRC17:49
openstackgerritLance Bragstad proposed openstack/keystone-specs: Time-based One-time Password  https://review.openstack.org/13037617:50
openstackgerritLance Bragstad proposed openstack/keystone-specs: Add spec for multifactor authentication  https://review.openstack.org/27228717:50
*** diazjf1 has quit IRC17:50
*** mhickey has quit IRC17:53
*** diazjf has joined #openstack-keystone17:56
*** narengan has quit IRC17:56
*** diazjf has quit IRC17:57
*** diazjf has joined #openstack-keystone18:02
*** rodrigods has quit IRC18:03
*** rodrigods has joined #openstack-keystone18:03
clenimarsamueldmq, hey there!18:07
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261418:07
clenimarsamueldmq, have you seen last comment on bug #1294735?18:08
openstackbug 1294735 in OpenStack Identity (keystone) "Disable domain doesn't disable users in the domain" [Medium,Triaged] https://launchpad.net/bugs/129473518:08
*** SpamapS has joined #openstack-keystone18:09
SpamapSnotmorgan: here I mean. :)18:09
notmorganyessss18:09
notmorganSpamapS: so ftr you're seeing mod_wsgi only occupy 5 HTTPD workers no matter how many backend processes are running?18:09
notmorganand how are the mod_wsgi workers looking (load wise)?18:10
SpamapSnotmorgan: all of them are using about 110 - 120 % CPU18:10
SpamapSso the threads are a little busy18:10
notmorganand 3rd bit of info, this is neutron+nova hammering keystone with effectively unlimited resources18:10
notmorgan(insane cpu/ram controller node)18:10
SpamapS128G ram, 48 cores18:10
notmorganok and running memcache?18:11
SpamapSneutron-server is set to have 8 worker processes18:11
SpamapSyeah memcache is primarily what they're doing18:11
SpamapSI mean, from an I/O standpoint18:11
notmorganright18:11
notmorganexpected.18:11
notmorganhmm. how does the memcache process health/connection count look?18:11
notmorgannot hitting like nofile limit there or anything?18:12
SpamapSno, I did check that18:12
SpamapSit's humming along18:12
notmorgancool. i figured but worth asking18:12
SpamapSNot that many connections really, couple hundred18:12
notmorganok. thats quite reasonable18:13
*** edmondsw has quit IRC18:13
notmorganso the question is how come we're pegging a small number of HTTPd processes when there are a bunch more running [load isn't being shared around much]?18:13
*** boris-42 has quit IRC18:13
notmorganbut the mod_wsgi workers are all receiving reaosnable load [sorry for re-iterating, trying to shift brain context from code -> ops]18:14
SpamapSYeah I'd expect there to be like, 8 or nine, all under 100%18:14
notmorganand you said ~70 HTTPD workers or so active on the system18:14
SpamapSlet me fire up the test again so I can see the load18:14
notmorganok18:14
notmorgancool18:14
*** timothy_3ymanczy has joined #openstack-keystone18:14
SpamapSas far as "what is the cloud doing"... 30 threads spinning up and deleting 3000 vms18:15
SpamapSin 300 projects18:15
notmorganright18:15
notmorganthat is not unreasonable by any stretch of the imagination18:15
SpamapSwith 1000 fake hypervisors18:15
notmorganright18:15
SpamapSOh there's a midcycle going on18:16
notmorganyesh18:16
SpamapSso you can discuss w/ peers! ;-)18:16
notmorganexactly!18:16
SpamapShappy to give anyone qualified root on these boxes to poke around18:17
notmorgani'm sitting here at the IBM offices in austin chatting over lunch now18:17
notmorganooh i'll take that access! ;)18:17
SpamapSwhich mid cycle is htat?18:17
notmorganKeystone's18:17
notmorgani mean... it's totally the right one18:17
SpamapSawesome18:17
SpamapSso18:17
SpamapSfunny storry18:17
SpamapSstory18:18
SpamapSit's not happening anymore18:18
notmorganAHA18:18
SpamapSall the httpd's are being used18:18
notmorganhehe18:18
notmorganwell if it starts happening again i def. want to know!18:18
notmorganmaybe something lingering was hanging on to the old processes/config?18:18
SpamapSI kind of wonder if just aggressively restarting httpd didn't solve it while things were busy18:18
SpamapSYeah thats what I wonder18:19
SpamapSwe're back to being limited by the number of nova-scheduler's18:19
notmorganohhhh yeah https aggressive restarts are... wonky under load18:19
SpamapSwell I tried gracefu18:19
SpamapSgraceful18:19
notmorganyeah that isn't going to help for a LOOONG run18:19
notmorganyou need to be much more aggressive with mod_wsgi underload18:19
SpamapSI'd think it would, since it closes even kept alive connections18:19
notmorganit will hang onto things for a looooooong time18:19
notmorganmod_wsgi is weird18:20
SpamapSoh does mod_wsgi change the graceful handling?18:20
notmorgansortof18:20
notmorganapache does a bad job of owning subordinate non-httpd processes18:20
notmorganthis is the reason why in gate we have a apache-stop, sleep, apache-start vs an apache-restart18:20
SpamapSmakes perfect sense18:21
notmorganand some folks here were having the exact same issue18:21
SpamapSnotmorgan: I kind of wonder sometimes if bad signal handling is the reason containers are so popular. ;)18:22
notmorganmod_wsgi is a great "production capable" reference wsgi impl18:22
notmorganit just has edge cases that have been around since apache 1.218:22
notmorganand it's not easy to solve18:22
notmorganbut you also don't really hit them until load+scale18:22
notmorganmost dpeloyments of apache don't do this model or are small enough to see it infrequently18:22
SpamapSI didn't realize it didn't just run inside an httpd space like mod_php does18:23
SpamapSI've got no ops experience with mod_wsgi. mod_php I know how to make fly (well.. I did.. until fastcgi got so good there's no reason to use mod_php ;)18:23
notmorganit is a separate process18:23
notmorgansince we use daemon mod18:23
notmorganmode*18:23
notmorganwe can do it like mod_php but there are lots and lots of issues18:23
notmorganmod_python is aslo terribad compared to mod_php18:24
SpamapSPython's a very different animal. :)18:24
notmorganexactly18:24
SpamapSanyway18:24
SpamapSthis felt very corner case too18:24
SpamapSin our production deploy, we actually just spin up lots of keystone vms to handle this stuff18:24
SpamapSeach one with processes=5 and threads=518:24
SpamapSand 8 vcpu, 16G of RAM18:25
SpamapSso that's likely why we haven't seen it in our usual scale testing18:25
notmorganyar18:25
*** timcline has joined #openstack-keystone18:25
notmorganalso, new change to keystone landing soon(ish) should make keystone improve token throughput more18:26
*** fawadkhaliq has quit IRC18:26
notmorganwell two changes18:26
notmorganso we'll mve even further down the stack of "bottlenecks"18:26
*** timothy_3ymanczy is now known as tsymanczyk18:27
samueldmqayoung: could you check my comment on https://review.openstack.org/#/c/27332318:29
ayoungsamueldmq, in this case it does not read right as roles18:30
ayoungthe role (prior role id) implies the role (implied role id)18:30
ayoungsamueldmq, especially for this API it is a singular18:31
*** ajmiller has quit IRC18:31
ayoungsamueldmq, but for all these APIs, the singular makes sense since it is more closely associated with the first id, and they are all one to one or one to many relations18:31
*** csoukup has quit IRC18:33
*** browne has joined #openstack-keystone18:33
*** e0ne has joined #openstack-keystone18:34
*** jaosorior has quit IRC18:35
*** timcline has quit IRC18:35
*** jaosorior has joined #openstack-keystone18:35
*** spandhe has joined #openstack-keystone18:35
samueldmqayoung: for me, /roles is a set of roles18:37
*** jsavak has quit IRC18:37
samueldmqayoung: /roles/{id} is a singular thing18:37
ayoungsamueldmq, in this case, it is an association between one and the other18:37
samueldmqayoung: so /roles/{id}/implies... does make sense18:37
ayoungroles implies a collection18:37
ayoungit doesn't read right18:37
ayoungEngineers Sam talks to Adam...?18:38
openstackgerrithenry-nash proposed openstack/keystone: Add tests for role management with v3policy file  https://review.openstack.org/26184618:38
ayoungtaking one lefts18:38
ayoungit would make sense if it were /roles/a+b+c/imply/d18:39
samueldmqayoung: but we already have: give me ROLES X18:39
*** jsavak has joined #openstack-keystone18:39
ayoungno, give me all roles implied by role x18:40
samueldmqayoung: give me ENGINEERS a18:40
samueldmqthat's what we have18:40
ayoungsamueldmq, I'd be more prone to change elsewhere...18:40
ayounglets see.18:40
*** diazjf has left #openstack-keystone18:40
*** diazjf has joined #openstack-keystone18:40
*** diazjf has quit IRC18:41
ayoungsamueldmq, we have GET /role/{prior_role_id}/implies18:41
ayoungsamueldmq, now, if it were: GET /roles/implied_by/{prior_role_id}  I'd agree with you18:42
ayoungor18:42
ayoungGET /roles?implied_by={prior_role_id}  I'd agree with you18:42
*** sigmavirus24_awa is now known as sigmavirus2418:42
*** diazjf has joined #openstack-keystone18:42
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591618:43
ayoungsamueldmq, ya dig?18:44
openstackgerritLance Bragstad proposed openstack/keystone-specs: Time-based One-time Password  https://review.openstack.org/13037618:44
openstackgerritLance Bragstad proposed openstack/keystone-specs: Add spec for multifactor authentication  https://review.openstack.org/27228718:44
samueldmqayoung: I agree with those too, but actually that still makes sense to me18:45
ayoungsamueldmq, I'd ask you to remove the -1 on that, but lets hold off on merging it until the Applied Role API change itself is approved, to ensure that I reflects what is implemented18:46
samueldmqayoung: because that's how we're doing for all entities18:46
samueldmqayoung: yes, and let's see other's opinions on that too18:46
ayoungsamueldmq, for most API, is is singular for a single entity and plural for lists18:46
samueldmqayoung: henry looks to be in agreement with me18:46
samueldmqayoung: roles/{id} users/{id} are both a single entity18:47
samueldmqayoung: and are in plural18:47
samueldmqbrb18:47
ayoungsamueldmq, you are right...I'll fix18:49
openstackgerritayoung proposed openstack/keystone-specs: Update Implied Role API  https://review.openstack.org/27332318:52
*** timcline has joined #openstack-keystone18:53
clenimarsamueldmq, have you seen last comment on bug #1294735? I've reproduced it here and although the enabled flag remains true, I'm not able to get a new token. Looks like an invalid bug to me, right?18:55
openstackbug 1294735 in OpenStack Identity (keystone) "Disable domain doesn't disable users in the domain" [Medium,Triaged] https://launchpad.net/bugs/129473518:55
openstackgerritMerged openstack/keystonemiddleware: Remove unnecessary _reject_request function  https://review.openstack.org/26854618:55
*** tsymanczyk has quit IRC18:56
*** su_zhang_ has joined #openstack-keystone18:57
samueldmqclenimar: hi, will take a look now18:59
samueldmqayoung: good, thanks sir18:59
ayoungsamueldmq, fixing the code now18:59
samueldmqayoung: perfect18:59
*** su_zhang has quit IRC19:01
openstackgerritBrant Knudson proposed openstack/keystone: More validation of roles for domain-scoped tokens  https://review.openstack.org/27371319:01
openstackgerritMerged openstack/keystone: Improves domain name case sensitivity tests  https://review.openstack.org/23610319:02
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261419:02
samueldmqclenimar: disabling a domain doesn't need to disable all the users, this is by design19:05
*** tsymancz1k has joined #openstack-keystone19:05
samueldmqclenimar: we block users (yes, enabled users) in that domain to get a token in token issuance time19:05
samueldmqclenimar: looks to be invalid, just let me recheck all the comments in there19:05
*** mgarza_ has quit IRC19:09
*** mgarza_ has joined #openstack-keystone19:10
*** rodrigods has quit IRC19:10
*** rodrigods has joined #openstack-keystone19:11
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261419:11
samueldmqayoung: nice, will get to this ^ later, the spec change looks gret19:13
ayoungsamueldmq, thanks19:13
ayoungsamueldmq, it needs a couple more revisions.  I'm going for the record here.19:14
ayoungstevemar, what is the record for most revisison for a review now?19:14
*** diazjf has quit IRC19:14
*** diazjf has joined #openstack-keystone19:14
*** cdcasey has quit IRC19:15
clenimarsamueldmq, okay. thank you :)19:15
htrutaany core to an easy WF on this: https://review.openstack.org/#/c/248295/  ?19:20
ayoungsamueldmq, what time are things restarting?19:26
ayounghtruta, that makes me happy19:29
ayoung+2A and lets see what breaks19:29
*** _cjones_ has quit IRC19:30
openstackgerritLance Bragstad proposed openstack/keystone: Reuse project scoped token check for trusts  https://review.openstack.org/25367219:30
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for domain scoped data creep  https://review.openstack.org/25367119:30
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for project scoped data creep to tests  https://review.openstack.org/25367019:30
*** sshen_ has quit IRC19:30
lbragstadbknudson I rolled your changes into ^19:30
lbragstadbknudson thanks!19:30
bknudsonnice.19:30
*** pushkaru has quit IRC19:30
htrutaayoung: awesome. I don't believe it'll break much things...19:31
*** pushkaru has joined #openstack-keystone19:31
*** sshen has joined #openstack-keystone19:31
htrutahtruta: keep smiling!19:31
*** _cjones_ has joined #openstack-keystone19:31
htrutaayoung: ^19:31
*** pushkaru has quit IRC19:31
ayounghtruta, yeah, it shouldn't.  THere reason it was all tenant was due to the V2 API, and we couldn't break things there, but I think we are insulated enough from it.  Unit tests should have broken if it changed things19:31
*** jsavak has quit IRC19:31
*** pushkaru has joined #openstack-keystone19:32
*** narengan has joined #openstack-keystone19:32
htrutaayoung: exactly. the one that removes it from the assignment directory in on progress. let's get rid of tenant19:32
htrutathe assignment one will be a little bit more complicated. but no reason to not be happy19:33
ayoungstevemar, samueldmq bknudson things starting there again?  I have to run an errand at 319:33
notmorganayoung: yes.19:33
bknudsonayoung: yes, delegated roles19:33
bknudsonunified delegation19:33
ayoungnotmorgan, I tried calling in19:33
ayounggot kicked out19:33
ayoungtopol, dial in please19:35
topolayoung dialing19:35
shalehsamueldmq: overall, good work on the unit tests! One question. In the final review you remove keystone/tests/unit/test_backend.py from tox.ini but you do not add back in the new name or any of the other new files you added.19:35
ayoungstevemar, samueldmq bknudson is he showing slides?19:37
bknudsonayoung: yes, we're seeing some slides19:37
bknudsonayoung: https://docs.google.com/presentation/d/1JFKGYp9r2rh2mF1OCMvrxxnzq_n7WhGCKm4owK6THJ4/edit#slide=id.p19:38
bknudsonslide 519:38
notmorganayoung: you typing?19:39
lbragstadtypey typey19:39
ayoungnotmorgan, muted19:39
notmorganayoung: cool thnx wasn't super loud wasn't sure if it was typing or just distortion :)19:39
ayoungwhat slide #?19:39
notmorgan5? 6?19:39
notmorganit's the "example workflow"19:40
samueldmqshaleh: good question, we doesn't need to because those are tests definitions, notice that the classes inherited from object19:42
samueldmqshaleh: however the subclasses inheriting from them (inside, for example: test_backend_sql) need to19:42
samueldmqshaleh: makes sense ?19:42
openstackgerritLance Bragstad proposed openstack/keystone: Reuse project scoped token check for trusts  https://review.openstack.org/25367219:43
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for domain scoped data creep  https://review.openstack.org/25367119:43
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for project scoped data creep to tests  https://review.openstack.org/25367019:43
shalehsamueldmq: not seeing the connection between what you said (which is valid) and what is in the list of tox.ini python files.19:43
lbragstadbknudson missed your last comment - updated ^19:44
samueldmqshaleh: perhaps even if no tests were run it would make sense o put them in the list ?19:44
samueldmqshaleh: just to make sure it's valid py34 syntax ?19:44
samueldmqshaleh: even if not running the tests themselves .... makes sense ?19:45
shalehsamueldmq: if the goal is clarity, having seeming random files in the tox.ini list is not helping is it?19:46
samueldmqshaleh: yes, need to check with someone else wht the goal of that list is19:47
samueldmqbknudson: what should be in the list of files of py34 tox env ?19:47
samueldmqbknudson: any file that passes py34 syntax check ?19:48
bknudsonsamueldmq: all the files that pass with python 3.419:48
shalehbknudson: the goal is all of the unit tests eventually, right?19:48
bknudsonshaleh: yes, eventually that will be all the files and then we're done (and can switch to testr?)19:48
lbragstaddstanek https://review.openstack.org/#/c/253671/13 and https://review.openstack.org/#/c/253670/12 close a bug19:48
samueldmqshaleh: it may not execute the tests and still pass py34 syntax19:49
samueldmq?19:49
shalehsamueldmq: might be worth adding all of them, run the tests and remove the failures we cannot help19:49
shalehsamueldmq: seeing as it USED to work, because it was in the list19:49
samueldmqshaleh: yes, just to keep as it was before19:49
bknudsondon't remove anything from the list19:49
samueldmqshaleh: ++19:49
samueldmqshaleh: will do, as I need to do a rebase anyways :-(19:50
samueldmqbknudson: ++19:50
shalehbknudson: samueldmq is refactoring. A file no longer exists so he removed it19:50
samueldmqbknudson: but I will add the other new files that replace the old one19:50
shalehbknudson: I asked him because he pulled pieces of the file into other files along the way19:50
dstanekbknudson: yes, once the tests can run move to testr19:50
bknudsonoh, hopefully those files work with py34 otherwise we've lost some coverage.19:51
dstanekthe files not currently in the list are there because they don't work in Python 319:51
samueldmqbknudson: they will, I am only moving code around19:51
samueldmqdstanek: I split file A into B, C and D (then A no longer exists)19:52
samueldmqdstanek: I removed A from the list in tox but didn't add B C and D19:52
samueldmqthat's my fault and I am fixing it in the pacthes (still under review)19:52
openstackgerritMerged openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571519:53
*** fpatwa has joined #openstack-keystone19:53
dstaneksamueldmq: yeah, we definitely want to do that19:53
shalehsamueldmq: it MIGHT be worth doing all of the tox.ini editing in the last review19:53
shalehotherwise you have 6 reviews trying to add a line in the same place and that may confuse things19:53
shalehsamueldmq: I did not -1 along the way for this little concern. Especially since you have to rebase all of them anyways :-)19:54
samueldmqshaleh: but that way we would ensure coverage is kept in every review19:54
shalehbut now my name is on the review so I can follow along19:54
samueldmqshaleh: and I need to rebase that anyways :-(19:54
samueldmqshaleh: I am working on this19:55
shalehsamueldmq: try and do it per review. if it causes a hassle doing it in the last one19:55
samueldmqshaleh: ++19:55
samueldmqshaleh: gonna be much easier than the rebase itself :-)19:56
shalehjust make a comment somewhere that it is happening on the last one if needed19:56
shalehsamueldmq: you have my sympathy. I played this game for weeks with my unit test cleanup.19:56
*** ayoung has quit IRC19:56
samueldmqshaleh: eheh19:56
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947919:57
*** amakarov_ has quit IRC19:58
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947919:59
*** _cjones_ has quit IRC20:05
*** tsufiev has quit IRC20:07
*** lhcheng has joined #openstack-keystone20:07
*** ChanServ sets mode: +v lhcheng20:07
*** tsufiev has joined #openstack-keystone20:07
*** _cjones_ has joined #openstack-keystone20:08
*** tsymancz1k has quit IRC20:08
dstanekdolphm: http://paste.openstack.org/show/485312/20:09
*** lhcheng_ has joined #openstack-keystone20:09
*** jsavak has joined #openstack-keystone20:12
*** tsymanczyk has joined #openstack-keystone20:12
*** lhcheng has quit IRC20:12
*** tsymanczyk is now known as Guest7188420:12
jidarhow would one go about creating a role that grants non _admin_ users of a project access to create images?20:14
*** drjones has joined #openstack-keystone20:15
*** _cjones_ has quit IRC20:15
dolphmnotmorgan: http://paste.openstack.org/show/485311/ + http://cdn.pasteraw.com/53surl8k5hlt5jn3wpva2wy6rvm499b + http://cdn.pasteraw.com/r0plw03p360i9ll87trvqid4j0tj5qs20:17
*** amakarov has joined #openstack-keystone20:18
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade update  https://review.openstack.org/24358420:20
*** alexpro has joined #openstack-keystone20:20
*** ayoung has joined #openstack-keystone20:22
*** ChanServ sets mode: +v ayoung20:22
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade update  https://review.openstack.org/24358420:22
*** narengan has quit IRC20:22
ayoungamakarov_, suspect that we need to get beyond the materialized path review in order for you to make any progress20:22
*** fpatwa has quit IRC20:23
openstackgerritHenrique Truta proposed openstack/keystone: Replace tenant for project in resource files  https://review.openstack.org/24829520:26
*** diazjf has quit IRC20:26
*** lhcheng_ has quit IRC20:26
htrutaayoung: we got a merge problem. Can you +A it again? https://review.openstack.org/#/c/248295/20:26
ayounghtruta, looking20:26
ayounghtruta, why'd get_project_by_name move?20:28
ayoungit was in base an now is in v8?20:28
*** jsavak has quit IRC20:30
*** jsavak has joined #openstack-keystone20:30
ayoungbknudson, are we once again in small group mode?  I got kicked off the dial in, can't tell what is going on/20:31
*** diazjf has joined #openstack-keystone20:31
bknudsonayoung: yes, working in small groups for the afternoon20:31
ayoungbknudson, can you ask people to update etherpad with what they are workign on?20:31
*** jbell8 has quit IRC20:32
ayoungamakarov, can you summarize on etherpad any outcomes from the unified delegation discussion?20:32
htrutaayoung: because we changed the signature, and it could break some places that call it using kwarg20:32
ayounghtruta, Aha!20:32
ayoungthat is kindof what I was worried about20:32
ayoungwho caught that?20:32
htrutaayoung: I guess it was bknudson20:33
htrutawho else?20:33
ayounghtruta, I'd guess  jamielennox20:34
ayoungbut it is early for him.  Still, I don';t think we use kwargs when calling backend anywhere, not anywhere sane anyways.20:34
ayoungI'll let it pass the Zuul check before re +A though20:34
htrutaayoung: it was really bknudson. look in patch set 3 comments20:35
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/26204520:37
*** vgridnev has joined #openstack-keystone20:37
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/26204520:37
openstackgerritSteve Martinelli proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893120:39
*** su_zhang_ has quit IRC20:41
*** jaosorior has quit IRC20:41
*** timcline_ has joined #openstack-keystone20:48
*** Guest71884 has quit IRC20:48
*** timcline_ has quit IRC20:48
*** alexpro has quit IRC20:49
*** timcline has quit IRC20:51
samueldmqclenimar: what was your test related to that bug ?20:51
samueldmqclenimar: I saw that it wasn't possible to get a token to the scoped domain20:51
*** drjones has quit IRC20:51
samueldmqclenimar: but OLD tokens still worked20:51
samueldmqclenimar: that means they weren't invalidated20:51
samueldmq(or revoked)20:52
samueldmqrevoked would be a better word in this context20:52
htrutasamueldmq, in his tests, the old ones didn't work either20:52
htrutasamueldmq: and, even if they do, it seems like another bug. right?20:52
*** timcline has joined #openstack-keystone20:53
*** cdcasey has joined #openstack-keystone20:58
*** cdcasey has quit IRC20:58
openstackgerritSteve Martinelli proposed openstack/keystone: Add tests for role management with v3policy file  https://review.openstack.org/26184621:01
*** rcernin has quit IRC21:02
*** jsavak has quit IRC21:05
openstackgerritSteve Martinelli proposed openstack/keystone: replace tenant with project in cli.py  https://review.openstack.org/27375721:10
*** gildub has joined #openstack-keystone21:10
*** RichardRaseley has joined #openstack-keystone21:11
stevemarsamueldmq: notmorgan https://review.openstack.org/#/c/273757/21:11
stevemarbknudson: https://review.openstack.org/#/c/272134/21:13
samueldmqhtruta: yes it's different bug we could just adapt the description/title of that bug21:14
samueldmqstevemar: neat21:15
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split assignment backend tests  https://review.openstack.org/26830721:16
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split resource backend tests  https://review.openstack.org/26870221:16
*** EinstCrazy has quit IRC21:16
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split token backend tests  https://review.openstack.org/26911121:17
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split trust backend tests  https://review.openstack.org/26911521:17
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split catalog backend tests  https://review.openstack.org/26912521:17
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split policy backend tests  https://review.openstack.org/26913321:17
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Split identity backend tests  https://review.openstack.org/26914821:17
*** _cjones_ has joined #openstack-keystone21:17
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414921:17
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591621:17
*** EinstCrazy has joined #openstack-keystone21:17
*** pauloewerton has quit IRC21:20
*** jasonsb has quit IRC21:21
*** ayoung has quit IRC21:24
*** timcline has quit IRC21:27
*** rcernin has joined #openstack-keystone21:28
*** ebalduf has joined #openstack-keystone21:29
*** timcline_ has joined #openstack-keystone21:30
*** jsavak has joined #openstack-keystone21:31
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/26204521:31
*** EinstCra_ has joined #openstack-keystone21:32
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/26204521:32
*** EinstCrazy has quit IRC21:32
openstackgerritSteve Martinelli proposed openstack/keystone: Relax the schema validation to accept empty request body  https://review.openstack.org/23744821:36
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261421:38
*** tsymancz1k has joined #openstack-keystone21:38
openstackgerritguang-yee proposed openstack/keystone: wsgi: fix base_url finding  https://review.openstack.org/22646421:38
openstackgerritRoxana Gherle proposed openstack/keystone: Make WebSSO trusted_dashboard hostname case-insensitive  https://review.openstack.org/27339421:39
*** topol has quit IRC21:40
*** topol_ has joined #openstack-keystone21:41
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/26204521:42
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/26204521:42
*** peter-hamilton has quit IRC21:44
*** ayoung has joined #openstack-keystone21:47
*** ChanServ sets mode: +v ayoung21:47
openstackgerritBrant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893121:47
openstackgerritSteve Martinelli proposed openstack/keystone: Relax the schema validation to accept empty request body  https://review.openstack.org/23744821:49
openstackgerritSteve Martinelli proposed openstack/keystone: Remove the duplicated testcase  https://review.openstack.org/27240121:49
*** _cjones_ has quit IRC21:50
*** _cjones_ has joined #openstack-keystone21:51
*** vgridnev has quit IRC21:55
openstackgerritMorgan Fainberg proposed openstack/keystone: Use requst local in-process cache per request  https://review.openstack.org/27200721:57
notmorganstevemar: ^21:57
openstackgerritSteve Martinelli proposed openstack/keystone: Relax the schema validation to accept empty request body  https://review.openstack.org/23744822:05
*** edmondsw has joined #openstack-keystone22:08
*** su_zhang has joined #openstack-keystone22:09
*** jsavak has quit IRC22:11
openstackgerritBrant Knudson proposed openstack/keystone: Fix schema validation to use JSONSchema for empty entity  https://review.openstack.org/23744822:14
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Unified delegation  https://review.openstack.org/18981622:15
*** KarthikB has quit IRC22:18
openstackgerritSteve Martinelli proposed openstack/keystone: replace tenant with project in cli.py  https://review.openstack.org/27375722:19
stevemardolphm: https://review.openstack.org/#/c/265504/22:20
*** ayoung has quit IRC22:21
*** e0ne has quit IRC22:22
* lbragstad sets https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/1224273 on the desk next to stevemar and walks away22:25
*** KarthikB has joined #openstack-keystone22:26
htrutasamueldmq, I'd rather have a separate discussion on that, to make it cleaner22:27
*** timcline_ has quit IRC22:28
*** ebalduf has quit IRC22:30
*** topol_ is now known as topol22:32
*** ChanServ sets mode: +v topol22:32
*** RA_ has joined #openstack-keystone22:32
tjcocozzhtruta, hey do you mind if is submit another patch for this: https://review.openstack.org/#/c/244149/ It looks like you have a broken rebase. And i also optimized your code22:33
htrutatjcocozz, absolutely not. go ahead :)22:34
tjcocozzhtruta, thanks!22:34
htrutatjcocozz, thank you22:35
openstackgerritTom Cocozzello proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414922:36
*** phalmos has quit IRC22:38
openstackgerrithenry-nash proposed openstack/keystone: Add tests for role management with v3policy file  https://review.openstack.org/26184622:44
openstackgerrithenry-nash proposed openstack/keystone: Add CRUD support for domain specific roles  https://review.openstack.org/26187022:44
openstackgerrithenry-nash proposed openstack/keystone: Modify rules in the v3 policy sample for domain specifc roles  https://review.openstack.org/26207822:45
openstackgerrithenry-nash proposed openstack/keystone: Modify implied roles to honor domain specific roles  https://review.openstack.org/26306422:45
openstackgerrithenry-nash proposed openstack/keystone: Modify rules for domain specific role assignments  https://review.openstack.org/26354922:46
*** tonytan4ever has quit IRC22:47
htrutatjcocozz, just saw your modification. I have a concern about the way you're creating the project_ids array22:48
tjcocozzhtruta, yeah? whats going on?22:48
tjcocozzhtruta, would it be easier to leave comments?22:48
htrutaI did it that way because I'm not sure that list_projects_in_subtree is ordered according to the project level22:49
tjcocozzhtruta, me and same looked through the code and it looks like it is to us.22:49
tjcocozzhttps://github.com/openstack/keystone/blob/b664fa91e3dd8b8902f6c6b8c87a648bfbfd1a9b/keystone/resource/V8_backends/sql.py#L9322:50
tjcocozzhtruta, i am making a test with a tree with 8 nodes. let me finish and we will see if i broke it ;-)22:50
htrutatjcocozz, hm... I see. that makes sense, then.22:52
*** e0ne has joined #openstack-keystone22:56
*** shaleh has quit IRC22:57
*** shaleh has joined #openstack-keystone22:58
*** diazjf1 has joined #openstack-keystone22:58
stevemarnotmorgan: poke22:58
notmorganhmm?22:58
stevemarnotmorgan: can you comment on https://bugs.launchpad.net/keystone/+bug/1519210 and mark it as invalid if you think it is such22:58
openstackLaunchpad bug 1519210 in OpenStack Identity (keystone) "opt-out of certain notifications" [Wishlist,In progress] - Assigned to Fernando Diaz (diazjf)22:58
notmorganstevemar: uhmm. sure......22:59
openstackgerritMatthew Edmonds proposed openstack/keystone: invalidate cache immediately  https://review.openstack.org/27321822:59
stevemarnotmorgan: doing bug triage/maint23:00
*** e0ne_ has joined #openstack-keystone23:00
*** diazjf has quit IRC23:01
*** e0ne has quit IRC23:02
*** RA__ has joined #openstack-keystone23:06
*** RA_ has quit IRC23:06
*** timcline has joined #openstack-keystone23:08
*** KarthikB has quit IRC23:09
*** RA__ has quit IRC23:13
bigjoolshey, what's the official line on catalog URLs, should they have the API version or not?23:14
*** Guest94234 is now known as jgriffith23:14
*** diazjf1 has quit IRC23:17
*** shaleh has quit IRC23:17
*** RA_ has joined #openstack-keystone23:20
*** su_zhang has quit IRC23:20
*** edmondsw has quit IRC23:23
*** amakarov has quit IRC23:25
*** sinese has quit IRC23:26
*** e0ne_ has quit IRC23:27
*** chlong has quit IRC23:32
*** ayoung has joined #openstack-keystone23:33
*** ChanServ sets mode: +v ayoung23:33
*** gordc has quit IRC23:38
*** su_zhang has joined #openstack-keystone23:44
openstackgerritayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/24261423:45
*** su_zhang has quit IRC23:46
*** su_zhang has joined #openstack-keystone23:47
*** slberger has left #openstack-keystone23:48
*** ayoung has quit IRC23:50
*** zqfan has joined #openstack-keystone23:52
*** pushkaru has quit IRC23:54
*** sigmavirus24 is now known as sigmavirus24_awa23:56
*** mgarza_ has quit IRC23:56
« Wednesday, 2016-01-27 Index Friday, 2016-01-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!