Tuesday, 2016-02-02

ayoungamakarov, I had made more earlier but they got dropped somehow00:06
*** ninag has joined #openstack-keystone00:07
amakarovayoung, I've noticed too: this form isn't very user-friendly00:08
*** ninag has quit IRC00:08
*** dims has quit IRC00:10
*** fpatwa has joined #openstack-keystone00:14
*** su_zhang has quit IRC00:21
*** su_zhang has joined #openstack-keystone00:21
notmorganI ... just can't ...00:21
* notmorgan falls out of chair.00:21
*** samueldmq has joined #openstack-keystone00:22
notmorganstevemar: ^ You will thank me.00:23
notmorgantopol: ^ you too.00:24
notmorgan(need a mac, don't see the cellos voice in espeak]00:24
*** raildo-afk is now known as raildo00:25
*** pushkaru has quit IRC00:28
*** lolmaster has joined #openstack-keystone00:30
*** lolmaster has left #openstack-keystone00:31
*** gildub has quit IRC00:37
shalehsomeone post a recording for us non-osx users00:37
shalehI am trying to install and run gerrit-dash-creator. But all I get is whining from PBR about "Versioning for this project requires either an sdist"00:38
shalehException: Versioning for this project requires either an sdist tarball, or access to an upstream git repository. Are you sure that git is installed?"00:38
shalehwhat more do I need beyond running python setup.py sdist, pip install -r requirements.txt, pip install dist/*.tgz?00:38
notmorganshaleh: it's reading in a vocoder-style-voice in the cello range the diff to the tune of some Edvard Grieg00:38
notmorganshaleh: the composition you'd most likely know from Grieg.00:39
notmorganok maybe you'd know peer gynt but in the hall of the mountain king being the main one00:39
shalehyeah, I wikipedia'ed it00:40
shalehI am really bad with names00:40
*** clenimar has joined #openstack-keystone00:41
*** pushkaru has joined #openstack-keystone00:42
notmorganshaleh: sometimes I forget people didn't get burnt out playing some of that stuff in highschool and college.00:43
*** fpatwa has quit IRC00:44
notmorganshaleh: so having it seared into your memory [kindof like i'm so over romeo and juliet as a play.. 15 times analysing it]....00:44
shalehheh, I hear you on Romeo et Juliet00:44
shaleh400+ years over a weekend infatuation gone wrong00:44
notmorganthe worst was doing the dramaturgical analysis00:44
notmorganand having to write up notes for a "production" to execute it00:45
notmorganit's way more fun to design/build sets and/or lighting00:45
notmorganor directing if you're so lucky00:45
notmorganthough I learned a lot when doing script analysis, especially "waiting for gadot"00:46
notmorganbut.. still not my bag really.00:46
lbragstadnotmorgan i think we're finally getting to the good stuff - https://review.openstack.org/#/c/258650/1600:48
lbragstadnotmorgan some of these look like timing issues with tests - http://logs.openstack.org/50/258650/16/check/gate-keystone-python27/7f1a7f6/testr_results.html.gz00:48
notmorganlbragstad: aye00:48
notmorganvery much so00:48
notmorganand likely easily resolvable00:48
notmorganlike 1 fix will prob, clear a bunch00:48
notmorgandolphm: i'm sad it's called freezegun and not freezeray00:49
notmorganimport freezegun as freezeray00:49
lbragstadnotmorgan fixed*00:50
notmorganthen... https://www.youtube.com/watch?v=duI-VImSH6o00:50
notmorganlbragstad: yeah.00:50
dolphmnotmorgan: lol00:51
lbragstadoh man..00:51
notmorgandolphm: you know you want to do it now.00:51
dolphmnotmorgan: can i copy the lyrics into a docstr?00:52
* lbragstad can't get it out of his head00:52
notmorgandolphm: i was going to recommend doing:00:52
notmorgandolphm: import freezegun as freezeray  # <snippet of lyrics>00:52
notmorganon each import00:52
notmorganor on each use above the use00:52
lbragstadI'd -2 that00:52
notmorganlbragstad: but... butttt....00:53
*** jasonsb has joined #openstack-keystone00:53
lbragstadnotmorgan it would no doubt be keystone's most glorious easter egg00:53
lbragstadnext to assertCloseEnoughForGovernmentWork() method00:53
notmorganlbragstad: i know someone who used to put ascii art as comments in his perl00:53
lbragstadnotmorgan gross00:54
notmorganisn't assertCloseEnoughForGovt part of testtools?00:54
notmorganlbragstad: the worst part was it actually impacted running the perl...00:54
notmorganlbragstad: cause the way perl parses to bytecode :P00:54
lbragstadnotmorgan nope - that's in our testing framework00:55
lbragstadnotmorgan you can thank dolphm00:55
notmorgandolphm: Thank you. that makes me so happy00:55
notmorgandolphm: ^_^00:55
*** jamielennox|away is now known as jamielennox00:55
notmorganlbragstad: i wonder if i can manage to get a bunch of Dr. Horrible lyrics into the commit messages for keystone >.>00:55
dolphmlbragstad: if you go to the defcore sprint, would it be a one or two night stay for you?00:55
dolphmlbragstad: i'd probably make it a one night trip00:56
notmorgandolphm: oh there is a defcore sprint?00:56
lbragstaddolphm what days does it fall on?00:56
* notmorgan should keep better track of this stuff.00:56
dolphmnotmorgan: in the same room as the keystone sprint at ibm XD00:56
notmorgandolphm: ahaa nice00:56
dolphmnotmorgan: lbragstad: March 8-900:56
notmorgandolphm: hmm... let me see how i am post this trip to Seattle00:56
notmorganmaybe i'll swing down for more BBQ00:56
notmorgancause #reasons00:56
dolphmnotmorgan: you like planes way more than i can understand00:57
notmorgandolphm: i'm driving to seattle00:57
notmorganscrew getting on a plane for that00:57
notmorganalso.. i have been on 4 planes total this year00:57
lbragstaddolphm you'd only stay on Tuesday night, and return Wednesday afterwords?00:57
dolphmnotmorgan: it's barely february00:57
notmorgani expect that to stay in the low double digits at worse00:57
dolphmlbragstad: yes00:58
dolphmlbragstad: i'd leave by 6am, i hope00:58
lbragstadyeah - i'd probably shoot for the same?00:58
dolphmlbragstad: k00:58
notmorgandolphm: i don't know if i count a layover as a big deal ewhen counting planes you've been on00:58
notmorganit was 2 flights, pdx -> MSP -> aus, aus -> SLC -> pdx00:58
*** shoutm_ has joined #openstack-keystone00:59
notmorgandolphm: considering how much i flew in 2014 and 2015...00:59
notmorganthis is pretty low00:59
*** samueldmq has quit IRC00:59
notmorganand that i didnt fly anywhere in december either.00:59
*** shoutm has quit IRC01:00
notmorgandolphm: i think i am going to hold my talk for Barcelona vs. trying to talk about suburl, auth offload, cache acceleration, etc this summit01:00
notmorgandolphm: i *think*01:00
notmorgandolphm: i have a couple hours to still decide :P01:00
* notmorgan isn't sure how close to "really working" things will be by austin summit.01:01
* notmorgan glares... S3 extension... why do you hate me so.01:02
notmorganstupid s3 extension keeps getting called and claimes it doesn't have .add_routes01:02
notmorganbut it *does*01:02
notmorgani'm trying to finish this ext -> core thing01:02
notmorganso we get that 100% cleaned up all in O cycle01:03
*** alexvictorchan has quit IRC01:05
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235801:07
*** pushkaru has quit IRC01:08
*** doug-fish has quit IRC01:10
*** doug-fish has joined #openstack-keystone01:10
*** doug-fis_ has joined #openstack-keystone01:12
*** davechen has joined #openstack-keystone01:14
*** doug-fi__ has joined #openstack-keystone01:14
*** doug-fish has quit IRC01:14
*** markvoelker has joined #openstack-keystone01:15
*** doug-fi__ has quit IRC01:15
*** doug-fish has joined #openstack-keystone01:16
*** shaleh has quit IRC01:16
*** doug-fish has quit IRC01:16
*** doug-fis_ has quit IRC01:16
*** markvoelker has quit IRC01:20
*** _cjones_ has quit IRC01:22
*** amakarov has quit IRC01:23
*** jamielennox is now known as jamielennox|away01:23
*** bill_az has quit IRC01:23
*** jbell8 has joined #openstack-keystone01:25
davechenlooks like releasenote doesn't work anymore01:30
davechennotmorgan: this impact your patch as well, http://docs-draft.openstack.org/89/274489/1/check/gate-keystone-releasenotes/8681a37//releasenotes/build/html/unreleased.html01:30
openstackgerritMerged openstack/keystone: replace tenant with project in cli.py  https://review.openstack.org/27375701:30
davechenonly a few items can be rendered correctly.01:31
*** csoukup_ has joined #openstack-keystone01:38
*** esp has quit IRC01:38
*** marekd has quit IRC01:40
*** marekd has joined #openstack-keystone01:40
notmorganso we need to revert?01:41
notmorgandavechen: happy to push that through or a quick fix if you have that handy01:41
davechennotmorgan: no, but i will investigate this.01:41
notmorgandavechen: if you know what is causing it that is01:42
notmorgandavechen: ok01:42
notmorgandavechen: also check to make sure you don't have a stale venv01:42
notmorganbecause i'm not having a lot of issues atm. but i am not checking everything to be fair01:42
davechennotmorgan: if we revert this one, it will rendered correctly,b425b9189420e9592acfe3e7f579caac85bf7bc501:42
davechennotmorgan: but it's irrelevant.01:42
notmorganwait... how does that?01:43
notmorganthat makes no sense01:43
notmorganoh it's a merge commit01:43
davechennotmorgan: yep, it just fix some testcases.01:43
notmorganyeah that doesn't make sense01:43
davechennotmorgan: but only revert this one can make it work.01:43
davechennotmorgan: so i need more time to investigate.01:43
notmorganweiiird. ok01:44
notmorganlet me know if you want me to jump in01:44
notmorganif not i'm gonna finish the last extension -> core move01:44
davechennotmorgan: cool.01:44
davechennotmorgan: i found this when i review your code.01:44
notmorganand then revert a minor change from the ldap assignment removal.01:44
notmorganannnnd thennnnnn01:45
notmorganback to dogpile.01:45
davechennotmorgan: its weird indeed.01:45
notmorganyeah def. check for a stale venv01:45
notmorganthat would be my first place it just seems "odd"01:45
davechenno, it's not rendered correctly from the gate.01:45
notmorgansuper weird then01:46
notmorganoh oh01:46
notmorgani bet...01:46
notmorganjust touches tests01:47
notmorganhow does that impact reno?!01:47
davecheni thought you found something.01:47
notmorgani thought i might have for a second01:47
davechennot really.01:47
notmorganthis is the merge commit's "merge" https://review.openstack.org/#/c/253219/101:47
notmorganwhat it merged in01:47
notmorganso... i don't know how that affects it01:47
*** clenimar has quit IRC01:48
openstackgerritMerged openstack/python-keystoneclient: Bandit profile updates  https://review.openstack.org/26781001:48
davecheni will revert these releasenote one by one and see if what's happened then.01:49
*** jgriffith is now known as jgriffith_away01:50
*** jgriffith_away is now known as jgriffith01:53
*** lhcheng_ has joined #openstack-keystone01:55
*** lhcheng has quit IRC01:58
davechenstevemar: you know how to fix this? or what cause this issue?01:59
*** raildo is now known as raildo-afk01:59
*** jgriffith is now known as jgriffith_away02:04
*** jbell8 has quit IRC02:05
*** jbell8 has joined #openstack-keystone02:07
openstackgerritSteve Martinelli proposed openstack/keystone: Remove un-used test code  https://review.openstack.org/27492902:08
*** su_zhang has quit IRC02:11
*** dims has joined #openstack-keystone02:11
*** Nirupama has joined #openstack-keystone02:15
*** markvoelker has joined #openstack-keystone02:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947902:16
*** markvoelker has quit IRC02:20
openstackgerritMorgan Fainberg proposed openstack/keystone: Move s3 Extension to core  https://review.openstack.org/27497302:21
notmorganstevemar: ^ boom, ec2 is left02:21
stevemardavechen: hmmm? what happened?02:21
stevemardavechen: oh the reno notes?02:21
stevemardavechen: i opened a bug against reno for that, let me share the links02:21
stevemardavechen: patch: https://review.openstack.org/#/c/272672/ bug: https://bugs.launchpad.net/reno/+bug/153745102:22
openstackLaunchpad bug 1537451 in reno "notes missing/overridden in latest version" [High,In progress] - Assigned to Doug Hellmann (doug-hellmann)02:22
stevemari noticed it a week ago or so, i was definitely confused :)02:22
*** erlarese has joined #openstack-keystone02:23
stevemarnotmorgan: ^02:23
*** shoutm_ has quit IRC02:24
*** shoutm has joined #openstack-keystone02:25
davechenstevemar: cool!02:26
davechenthe bug of reno, it's not our fault.02:27
stevemardavechen: no sir!02:28
*** davechen1 has joined #openstack-keystone02:31
notmorganstevemar: i think trace thing is close02:31
notmorganstevemar: but ...it's spooky02:31
notmorganstevemar:  it needs another identifier saying it's the manager call trace02:31
*** davechen1 has quit IRC02:31
*** davechen1 has joined #openstack-keystone02:32
notmorganstevemar: ok bets... wine that was "left" by the last tenant in my place...02:32
notmorganstevemar: is it vinegar or "good"02:32
notmorganstevemar: :P02:32
*** davechen has quit IRC02:33
openstackgerritSteve Martinelli proposed openstack/keystone: Correct docstrings  https://review.openstack.org/27489502:35
bigjoolsif you want to see the kind of NIH Rally is doing, look no further: https://review.openstack.org/#/c/235360/902:36
notmorganbigjools: this is my shocked face </saaaaaaarcaaaassssmm>02:36
notmorgan"It is dark... you have fallen into a saaaaar-chasm"02:37
bigjoolsone of the review comments: "It looks like keystoneclient sucks and we need to import versioned clients directly."02:37
notmorganbigjools: they should use OCC and KSA02:38
notmorganoh wait... nih02:38
bigjoolswell I just submitted this, tell me if I did anything wrong and I'll fix it: https://review.openstack.org/#/c/274977/02:38
* notmorgan just told a google recruiter the magic words that means they aren't interested. [I am not really looking to go to google ftr]02:38
notmorgan"I live in Portland OR and am not looking to move unless you pay 7-figures, and somehow I don't think I bring that much to the table"02:39
notmorganshe was like "yup, we don't have offices to hire you into in Portland, OR"02:39
bigjoolsI think I did the same sort of thing02:39
bigjoolsI like working from home kthxbye02:40
notmorgani don't mind working from an office02:40
notmorgani mind leaving pacific northwest02:40
notmorganand i mind leaving portland (for now)02:40
bigjoolsI've only been up there the once and it was beautiful02:40
notmorganreally: from keystoneclient.contrib.ec2 import utils as ec2_utils02:40
notmorganthis makes me a sad panda02:40
notmorganlike... super sad panda02:41
notmorganstevemar: ^ nooooooooooooo02:41
stevemarnotmorgan: definitely vinegar02:42
notmorganstevemar: remarkably tasty Pinot Noir02:42
stevemarnotmorgan: was is the guy from google cloud?02:43
notmorganstevemar: the Rose is going to be vinegar02:43
notmorganstevemar: maybe.. was some generic recruiter02:43
stevemarrosé actually..02:43
notmorganwrong accent02:43
stevemarmy bad :)02:43
notmorgani can't easily type that on linux off the top of my head02:43
*** jamielennox|away is now known as jamielennox02:44
*** fpatwa has joined #openstack-keystone02:44
*** davechen1 is now known as davechen02:46
jamielennoxbigjools: awww, man. i kind of understand that they don't want to use the existing clients as they're inconsistent, however at least use the standard tools for like looking up service catalogs02:48
*** fpatwa has quit IRC02:48
bigjoolsjamielennox: I know right...02:48
jamielennoxmaybe we can get them to at least use keystoneauth and plugins for that bit and they can do their own manager layer02:48
notmorganjamielennox: also.. http://lists.openstack.org/pipermail/openstack-dev/2016-January/085392.html make sure you jump into the convo plx02:49
*** gildub has joined #openstack-keystone02:49
jamielennoxoh - they are creating keystoneclients, just wrapping stuff themselves02:49
notmorganjamielennox: at least rally could use tempestlib for that... :(02:49
jamielennoxnotmorgan: wait, that's my spec02:49
notmorganjamielennox: i know. i am a huge huge fan02:50
bigjoolsI never want to see or use tempest again02:50
notmorganjamielennox: and i want to make sure you're keeping up w/ the changes :)02:50
notmorganbigjools: tempestlib != tempest02:50
bigjoolsthe lib is part of tempest though?02:50
jamielennoxnotmorgan: i got pinged earlier by thingee, apparently they want to discuss it tomorrow at the cross-project02:50
jamielennoxnotmorgan: i don't think i'll be able to make it (though i'll try)02:51
jamielennoxnotmorgan: dolphm had done a revision i was going to try and enlist him to go and advocate for it02:51
openstackgerritMerged openstack/keystone: Fix nits in include names patch  https://review.openstack.org/27088402:51
dolphmjamielennox: i should be available to attend the cross-project meeting02:52
jamielennoxnotmorgan: but i don't think he's going to be around. Can you go to the cross project tomorrow or let him know02:52
jamielennoxor maybe dolphm is lurking....02:52
dolphmjamielennox: any points you wanted to make beyond what was in the spec?02:52
dolphmjamielennox: it's honestly not a spec i've thought much about between tokyo and last week02:52
jamielennoxdolphm: i put a comment on the last revision you did, i'm not sure we want to as complex as the manager/resource specific roles02:52
jamielennoxbut otherwise i'm happy just to see it discussed, i think the idea is fairly clear02:53
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947902:53
notmorgani plan to be there for catalog reasons.02:53
jamielennoxnotmorgan: catalog was approved - what do you want?02:53
notmorganjamielennox: keeping aprised of the x-project work02:54
dolphmjamielennox: why not go as far as the manager/resource specific roles?02:54
notmorganjamielennox: resource specific (aka "each api"?)02:54
notmorganjamielennox: that is something i plan on encoding in oslo.policy02:54
jamielennoxdolphm: so i guess there are two parts to a spec like this, what do we add to policy files and what do we recommend something like devstack/puppet set up on a default install02:54
notmorgana side effect of defining the entry in policy is a role can be defined to allow it02:54
jamielennoxnotmorgan: have a look at the last revision02:55
dolphmjamielennox: you mean, what roles actually exist in keystone?02:55
notmorganjamielennox: i was there when dolph pushed it02:55
jamielennoxdolphm: right - and we can't control that but we can specify a recommndation and i think would be almost universally adopted02:55
dolphmjamielennox: that's the part that doesn't matter at all, when you have a huge menu of roles defined in policy to choose from. just create and use whatever ones you need?02:55
dolphmjamielennox: agree02:56
dolphmjamielennox: so, i figured go as granular as anyone would logically go, with the exception of specialized roles that would not fit any convention02:56
ayoungdolphm, I really like your take on that spec.  Nice work.02:56
dolphmayoung: danke, sir!02:56
jamielennoxdolphm: yea, ok, as said it doesn't matter if roles that don't exist in keystone are mentioned in the spec02:57
ayoungdolphm, I suspec that we will have to enumerate the roles for the core services, but then the *aaS project will all jump in to be relevant.02:57
*** browne has quit IRC02:58
dolphmayoung: and notmorgan had an idea to help automate some of that repetitive policy definition using oslo.policy02:58
jamielennoxdolphm: ok, so i'm happy to leave them and get a discussion going about what a standard deployment is there02:59
jamielennoxyea, it would be good to have an easier way to write these files rather than have to write out each of those type_manager roles in the file02:59
ayoungdolphm, So, I wonder if we can do this in a second policy file.  I'd kindof like to leave the original policy files alone, especially the Nova one.02:59
ayoungSomething like here is the RBAC one and here is the Scope one.  Existing policy files will morph into "scope only"  if they are not already03:00
notmorganayoung: i told you we should continue the convo once it's posted :)03:00
notmorganayoung: ^_^03:00
dolphmayoung: i tried to leave ours backwards compatible, which should be possible (although i think i broke tests)03:00
notmorganayoung: i'm happy you like the direction03:00
ayoungdolphm, well, the default keystone poicy is hard to change without breaking things03:00
dolphmi have not looked at our test failures yet03:00
ayoungI couldn't even get is_admin_project in there cleanly03:00
notmorganayoung: that was kindof the idea of the changes, but it's something we can massage mostly03:00
dolphmayoung: that's hard compared to this :P03:00
ayoungI think we should start with v3clkoudsample and just cut over at some point03:00
dolphmayoung: i should only have been adding granularity, not changing existing role definitions or anything03:01
dolphmayoung: i need to update that file too03:01
jamielennoxayoung: so the admin role specified in the spec should be the same as what admin does now03:01
ayoungdolphm, when I was tackling this before, I was going for a pattern like this:03:01
notmorganquery ayoung03:01
ayoungrole_observer: role:observer or role:admin or role:member03:01
* notmorgan finds a / and succeeds03:02
ayoungthen you tag the API with the lowest level rule:role_observer03:02
dolphmayoung: sounds kind of like what i was doing in the last patch or two on keystone03:04
ayoungdolphm, so you can keep the rules really simple. I don't think there is any need to have "or_admin" in every rule...its implied03:04
dolphmayoung: i ended up with "identity:create_service_provider": "rule:identity_federation_manager_required or role:identity_create_service_provider"03:05
ayoungdolphm, so that was one reason why there is the kill switch in the implied roles API for expanding in the token.03:06
dolphmayoung: which i think is exactly that -- admin is rolled up into the rule:identity_federation_manager_required03:06
ayoungwe could, in theory, generate a fragment of the policy file from the implied rules03:06
stevemardolphm: i didn't get a chance to talk to you about that, isn't there a lot of push back from deployers to not not modify the policy files?03:06
dolphmor for a read-only capability: "identity:get_service_provider": "rule:identity_federation_manager_required or rule:observer_required or role:identity_get_service_provider",03:07
dolphmstevemar: bluebox expressed the same (and only) concern i've heard before - merging their policy changes into policy is a pain03:07
notmorgandolphm: and they did say it was thankfully minimal03:07
ayoungdolphm, I'd suggest dropping "required" and maybe say: all rules for actual apis will be the lowest level role name only03:07
notmorganand likely covered03:07
dolphmstevemar: give deployers a tool to stack custom policy on top of upstream defaults, or perhaps this is granular enough that this will be the "last" time they'll have to merge in their own policy03:08
notmorgandolphm: that was the other thing i wanted to add to oslo.policy the policy-merge code if it hadn't landed03:08
dolphmstevemar: i asked bluebox for an example of a custom role they used, and it was covered in this spec, so they'll just have to adapt to the new role name03:08
notmorgandolphm: so we can do policy.d type things03:08
dolphmnotmorgan: ++03:08
dolphmayoung: there seemed to be a convention of using _required to distinguish rule: from role:, so i kept that03:09
notmorgandolphm: ++03:09
dolphmrule:{role_name}_required or role:{role_name}03:09
ayoungdolphm, right...I was thinking just straight roles03:09
notmorganalso "rule" and "role" are hard to talk about fwiw03:10
ayoungI went for rule:role_{rolename}03:10
dolphmgranted there are multiple roles in each rule03:10
notmorganpeople seemed to confuse them in sound.03:10
dolphmnotmorgan: easily03:10
ayoungand thne the inference rules were all in one stanza at the top.03:10
ayoungI might have an example...03:10
ayoungI know I had one in the presentation I gave.03:11
stevemardolphm: why not create a 3rd policy file with all these bits in there?03:12
dolphmstevemar: because we should be able to add granularity without breaking backwards compatibility, and make this the new default immediately03:12
dolphm(optional) granularity03:12
*** links has joined #openstack-keystone03:15
*** davechen1 has joined #openstack-keystone03:16
ayoungdolphm, can you think of a way that we could add is_admin_project in...conditionally?03:17
*** davechen has quit IRC03:18
ayoungIf not (and I can't think how) how do we go about getting that set for people with the existing policy files as the default?03:18
notmorganstevemar: about to post the EC2 move to core03:21
notmorganstevemar: btw03:21
*** spandhe has quit IRC03:22
*** spandhe has joined #openstack-keystone03:25
*** jgriffith_away is now known as jgriffith03:26
*** ccard_ has joined #openstack-keystone03:31
dolphmayoung: what do you mean by "conditionally"?03:32
ayoungdolphm, well, people won't have that config value set today03:32
ayoungso there will be no admin project ever, and that will break things03:32
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: migrate from python-ldap to pyldap  https://review.openstack.org/27499203:33
ayoungin ordder for that value to be issued with a token, the conf file needs03:33
ayoungcfg.StrOpt('admin_project_domain_name',   and  cfg.StrOpt('admin_project_name',03:34
*** ccard__ has quit IRC03:34
ayoungdolphm, that change will have to be made across every policy file, and I've been holding off on tackling that until implied roles merged03:37
notmorganhuh.. ok this is a wierd bug03:37
stevemardolphm: i suppose deployers can choose if they want to use the new policy file after upgrade copmletes?03:37
*** spandhe has quit IRC03:37
dolphmstevemar: depends on the deploy tool03:38
dolphmstevemar: some packagers refuse to overwrite existing policy, some refuse to let you set your own, we have every extreme03:39
stevemardolphm: yeah, i recall for some apache plugins i was poking around in they just gave warnings03:39
dolphmstevemar: for the bigger deployers, they're going to have to do some work to adapt their custom policy changes into the new policy files. but word is, they've been doing that every release anyway03:39
dolphmstevemar: warning from apache about policy.json?03:39
stevemardolphm: no, about config files i had03:40
stevemardifferent topic, but same principle?03:40
notmorganw.t.f http://localhost/v2.0/users/7b190a15e87e423b9cc6e29b73d19cca/credentials/OS-EC2) = 404 when i make it a baseline extension (core)?!03:40
stevemarnotmorgan: missing port?03:41
dolphmayoung: so you need the role to exist in keystone automatically (ideally), and to assume the role definition to exist in policy?03:41
notmorganstevemar: uhmm...03:41
notmorganstevemar: this is how it falls out of our current test suite03:41
ayoungfor is_admin_project, it is not a role, it is the project that needs to be there03:41
*** esp has joined #openstack-keystone03:42
*** csoukup_ has quit IRC03:43
*** jrist has joined #openstack-keystone03:43
jamielennoxstevemar: so you know as much about the devstack v3 conversion as anyone, but do you need me doing anything there?03:44
jamielennoxstevemar: i'm a little annoyed about sean's -2, if we break that patch up there's a whole bunch of stuff in there that is safe03:45
notmorganjamielennox: i mean...03:47
notmorganannoyed i get it03:47
jamielennoxnotmorgan: i understand his frustrations03:47
notmorganbut he's right.03:47
stevemarnotmorgan: i didn't get your comment "this is how it falls out of our current test suite"03:49
stevemarjamielennox: i think we just need to start fixing the issues i outlined in the etherpad03:50
notmorganstevemar: this fails when i make it a baseline always included extension.. i don't know how though03:50
notmorganstevemar: since... why would it fail if it's included?!03:50
*** EinstCra_ has joined #openstack-keystone03:51
jamielennoxstevemar: so changing the environment variables is a big problem03:52
jamielennoxlike outputting openrc files with a changed /v2.0 -> /v3 string is going to cause problems03:52
*** dims has quit IRC03:53
stevemarjamielennox: we could probably re-propose the changes to the authtoken bits03:53
jamielennoxstevemar: auth_token bits?03:53
stevemarnotmorgan: oh.. make sure you're using the right base class03:54
notmorganstevemar: RoutersBase for this03:54
*** browne has joined #openstack-keystone03:54
notmorganwitha  minor hack03:54
notmorganbut yes03:54
notmorganalso... austin we shall revisit the "Keystone tradition of drinking Uisce beatha"03:54
notmorgancause... we skipped the last couple times03:54
notmorganand i'm disappointed03:55
*** EinstCrazy has quit IRC03:55
stevemarjamielennox: https://review.openstack.org/#/c/274703/ - i mean the changes to lib/glance lib/heat and lib/nova/ironic_plugins03:55
stevemarjamielennox: i think those are safe/fine03:55
*** erlarese has quit IRC03:56
jamielennoxstevemar: right that won't affect others03:58
jamielennoxstevemar: and to be honest i'm not sure why those still exist03:58
jamielennoxi thought we had that all fixed03:58
jamielennoxstevemar: so related i have: https://review.openstack.org/#/c/271051/03:58
jamielennoxand https://review.openstack.org/#/c/271127/03:59
jamielennoxparticularly the ec2token thing in heat - i think that will just fail04:00
*** shoutm_ has joined #openstack-keystone04:02
*** shoutm has quit IRC04:03
*** su_zhang has joined #openstack-keystone04:06
*** jamielennox is now known as jamielennox|away04:10
*** davechen has joined #openstack-keystone04:10
notmorgansteve you here?04:11
notmorganstevemar: ^ c04:11
stevemarnotmorgan: hmm?04:11
*** davechen1 has quit IRC04:12
*** shoutm_ has quit IRC04:15
*** ErwanJ has joined #openstack-keystone04:16
*** woodster_ has quit IRC04:16
*** markvoelker has joined #openstack-keystone04:17
*** markvoelker has quit IRC04:21
ErwanJHi all, I've been trying to allow users in my liberty deployment to create their own projects.  I started off by allowing all users in the /etc/keystone/policy.json and /etc/openstack-dashboard/keystone_policy.json files to create projects.  This exposed the 'create project' icon in horizon.  But then if I clicked it as a user it told me I was unauthorized. Enabled users access to all project related polclies and still04:22
ErwanJI enabeld debug on keystone and the logs all show Authorization granted, I don't see anything about unauthorized or denied etc.04:22
ErwanJWhere can i go to find out what policy is being checked against that may be failing when a user tries to create a project?04:23
*** shoutm has joined #openstack-keystone04:23
*** spandhe has joined #openstack-keystone04:34
notmorganErwanJ: this is a tough one. so part of the issue is default policy sucks [badly], and if you just allow creation it's going to make all sorts of headaches04:37
*** spandhe_ has joined #openstack-keystone04:37
notmorganErwanJ: the best bet is to resolve the issues in your deployment to use the cloudv3 policy and give a user a domian they can have any number of projects under04:38
notmorganErwanJ: then the domain is the entry point04:38
notmorganthis however, requires V3 auth support04:38
notmorganas an FYI04:38
ErwanJOK great thanks notmorgan, will look more into domains and v3 auth support04:38
notmorganthe v3policy.json is close to what you're looking for04:38
notmorganErwanJ: :)04:39
notmorganhappy to help04:39
notmorganErwanJ: for the record, it'll only get better as we drive towards mitaka and Newton releases.04:39
*** spandhe has quit IRC04:39
*** spandhe_ is now known as spandhe04:39
notmorganbecause we're trying to get everything V3 auth/keystone enabled ASAP04:39
notmorgan[we're close]04:39
*** jamielennox|away is now known as jamielennox04:39
notmorganand then this will be the default-ish mode04:40
*** shoutm_ has joined #openstack-keystone04:40
*** shoutm has quit IRC04:41
ErwanJOk good to hear!04:44
notmorganit's been a really slow march, but we're getting there04:44
*** fpatwa has joined #openstack-keystone04:45
*** roxanagh_ has joined #openstack-keystone04:49
*** fpatwa has quit IRC04:50
*** esp has quit IRC04:55
openstackgerritMerged openstack/keystone: Update mod_wsgi + cache config docs  https://review.openstack.org/27131104:58
openstackgerritMerged openstack/keystone: Remove un-used test code  https://review.openstack.org/27492904:59
openstackgerritMerged openstack/keystone: Correct docstrings  https://review.openstack.org/27489504:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947905:00
*** topol has quit IRC05:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947905:01
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947905:03
*** ErwanJ has quit IRC05:03
*** topol_ has joined #openstack-keystone05:05
*** jamielennox is now known as jamielennox|away05:13
*** Nirupama has quit IRC05:32
*** gyee has quit IRC05:32
*** sileht has quit IRC05:44
*** Nirupama has joined #openstack-keystone05:47
*** Guest51478 has quit IRC05:48
*** shoutm has joined #openstack-keystone05:50
*** shoutm_ has quit IRC05:51
*** vivekd has joined #openstack-keystone05:57
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: migrate from python-ldap to pyldap  https://review.openstack.org/27499205:59
*** oomichi has joined #openstack-keystone06:04
*** vgridnev has joined #openstack-keystone06:06
*** lhcheng_ has quit IRC06:07
*** fawadkhaliq has joined #openstack-keystone06:11
*** gildub has quit IRC06:11
*** fawadkhaliq has quit IRC06:11
*** markvoelker has joined #openstack-keystone06:18
openstackgerritDave Chen proposed openstack/keystone: Add schema for OAuth1 consumer API  https://review.openstack.org/26679106:21
*** rcernin has joined #openstack-keystone06:22
*** markvoelker has quit IRC06:22
*** roxanagh_ has quit IRC06:23
*** boris-42 has quit IRC06:23
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: migrate from python-ldap to pyldap  https://review.openstack.org/27499206:27
*** csoukup_ has joined #openstack-keystone06:39
*** vgridnev has quit IRC06:40
*** vgridnev has joined #openstack-keystone06:41
*** vgridnev has quit IRC06:41
*** csoukup_ has quit IRC06:43
*** fpatwa has joined #openstack-keystone06:46
*** rcernin has quit IRC06:46
*** fpatwa has quit IRC06:50
*** richm has joined #openstack-keystone06:52
*** jbell8 has quit IRC06:53
*** jbell8 has joined #openstack-keystone06:54
stevemardamn ldappool06:55
*** richm has quit IRC06:59
*** spandhe has quit IRC07:12
*** spandhe has joined #openstack-keystone07:13
*** jbell8 has quit IRC07:19
*** jbell8 has joined #openstack-keystone07:19
*** spandhe has quit IRC07:22
*** spandhe has joined #openstack-keystone07:23
*** sileht_ has joined #openstack-keystone07:29
*** spandhe_ has joined #openstack-keystone07:34
*** sileht_ is now known as sileht07:35
*** spandhe has quit IRC07:36
*** spandhe_ is now known as spandhe07:36
stevemarjamielennox|away: around? or LCA'ing?07:43
*** belmoreira has joined #openstack-keystone07:44
*** spandhe has quit IRC07:44
*** spandhe has joined #openstack-keystone07:45
*** fhubik has joined #openstack-keystone07:49
*** sileht has quit IRC07:50
*** sileht has joined #openstack-keystone07:51
*** su_zhang has quit IRC07:52
*** lhcheng has joined #openstack-keystone07:55
*** ChanServ sets mode: +v lhcheng07:55
openstackgerritSteve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/24948607:57
*** lhcheng has quit IRC08:01
*** fhubik has quit IRC08:05
*** spandhe_ has joined #openstack-keystone08:08
*** spandhe has quit IRC08:10
*** spandhe_ is now known as spandhe08:10
*** agireud has quit IRC08:10
*** jistr has joined #openstack-keystone08:11
*** topol_ has quit IRC08:12
*** agireud has joined #openstack-keystone08:12
*** oomichi has quit IRC08:12
*** oomichi has joined #openstack-keystone08:13
*** topol_ has joined #openstack-keystone08:13
*** jbell8 has quit IRC08:16
*** vivekd has quit IRC08:16
*** boris-42 has joined #openstack-keystone08:17
*** markvoelker has joined #openstack-keystone08:18
*** fhubik has joined #openstack-keystone08:20
*** vivekd has joined #openstack-keystone08:22
*** markvoelker has quit IRC08:22
stevemardavechen: an easy one: https://review.openstack.org/#/c/264937/508:23
*** spandhe has quit IRC08:23
*** Nirupama has quit IRC08:25
*** sinese has joined #openstack-keystone08:25
*** tobe has joined #openstack-keystone08:28
*** jbell8 has joined #openstack-keystone08:31
*** jbell8 has quit IRC08:33
*** jbell8 has joined #openstack-keystone08:35
*** fhubik_real has joined #openstack-keystone08:37
*** e0ne has joined #openstack-keystone08:38
*** fhubik has quit IRC08:40
*** Nirupama has joined #openstack-keystone08:41
*** fhubik_real has quit IRC08:42
*** vivekd has quit IRC08:43
*** shoutm has quit IRC08:46
*** browne has quit IRC08:47
*** fpatwa has joined #openstack-keystone08:47
*** vivekd has joined #openstack-keystone08:48
*** marekd has quit IRC08:50
*** fpatwa has quit IRC08:51
*** marekd has joined #openstack-keystone08:52
*** ChanServ sets mode: +v marekd08:54
*** shoutm has joined #openstack-keystone09:00
*** marekd has quit IRC09:01
*** richm has joined #openstack-keystone09:03
*** vgridnev has joined #openstack-keystone09:10
*** marekd has joined #openstack-keystone09:13
*** ChanServ sets mode: +v marekd09:13
*** marekd has quit IRC09:14
*** marekd has joined #openstack-keystone09:15
*** ChanServ sets mode: +v marekd09:15
openstackgerritMerged openstack/keystone: Enhance manager list_role_assignments to support group listing  https://review.openstack.org/26565009:16
*** tobe has quit IRC09:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947909:17
*** shoutm_ has joined #openstack-keystone09:18
*** shoutm has quit IRC09:20
*** mhickey_ has joined #openstack-keystone09:26
*** EinstCra_ has quit IRC09:28
*** EinstCrazy has joined #openstack-keystone09:28
*** vivekd has quit IRC09:33
*** vivekd_ has joined #openstack-keystone09:33
*** vivekd_ is now known as vivekd09:33
*** markd_ has joined #openstack-keystone09:40
*** mdavidson has quit IRC09:41
*** markd_ has quit IRC09:41
*** mdavidson has joined #openstack-keystone09:41
openstackgerritzhongshengping proposed openstack/keystone: Replace deprecated LOG.warn with warning  https://review.openstack.org/27509109:47
*** davechen has left #openstack-keystone09:54
*** vivekd has quit IRC10:03
*** mvk has joined #openstack-keystone10:05
*** openstackgerrit has quit IRC10:17
*** openstackgerrit has joined #openstack-keystone10:17
*** markvoelker has joined #openstack-keystone10:19
*** alexvictorchan has joined #openstack-keystone10:22
*** markvoelker has quit IRC10:23
*** vivekd has joined #openstack-keystone10:33
*** jbell8 has quit IRC10:35
*** EinstCrazy has quit IRC10:41
*** EinstCrazy has joined #openstack-keystone10:42
*** fpatwa has joined #openstack-keystone10:48
*** EinstCrazy has quit IRC10:50
*** fpatwa has quit IRC10:52
*** EinstCrazy has joined #openstack-keystone10:57
*** dims_ has joined #openstack-keystone11:02
*** samueldmq has joined #openstack-keystone11:16
*** jistr has quit IRC11:22
*** agireud has quit IRC11:27
*** amakarov has joined #openstack-keystone11:28
*** rodrigods has quit IRC11:29
*** agireud has joined #openstack-keystone11:29
*** rodrigods has joined #openstack-keystone11:29
*** thebloggu has joined #openstack-keystone11:35
theblogguI'm using python-keystoneclient to try and get my service catalog but when I call service_catalog.get_data() I only get one of the two endpoints I've set for one of my services. can someone help me?11:38
*** esp has joined #openstack-keystone11:46
*** gus_ is now known as gus11:47
*** esp has quit IRC11:53
*** raildo-afk is now known as raildo12:12
*** markvoelker has joined #openstack-keystone12:20
*** amakarov has quit IRC12:21
htrutaayoung: have you seen this: https://review.openstack.org/#/c/243585/8 ?12:22
*** markvoelker has quit IRC12:24
*** pauloewerton has joined #openstack-keystone12:26
*** gordc has joined #openstack-keystone12:35
*** josecastroleon has joined #openstack-keystone12:36
*** DuncanT has quit IRC12:36
*** josecastroleon1 has quit IRC12:36
*** alexvictorchan has quit IRC12:36
*** ccard_ has quit IRC12:36
*** links has quit IRC12:36
*** ptoohill has quit IRC12:36
*** DuncanT has joined #openstack-keystone12:37
*** ptoohill has joined #openstack-keystone12:38
*** ccard_ has joined #openstack-keystone12:38
*** links has joined #openstack-keystone12:39
*** shoutm_ has quit IRC12:43
*** boris-42 has quit IRC12:43
*** shoutm has joined #openstack-keystone12:45
*** fpatwa has joined #openstack-keystone12:49
*** esp has joined #openstack-keystone12:50
*** fpatwa has quit IRC12:53
*** shoutm has quit IRC12:53
*** esp has quit IRC12:57
*** anteaya has joined #openstack-keystone12:59
*** shoutm has joined #openstack-keystone13:04
*** oomichi has quit IRC13:05
*** ayoung has quit IRC13:05
*** anteaya has quit IRC13:06
*** EinstCrazy has quit IRC13:07
*** doug-fish has joined #openstack-keystone13:07
*** shoutm has quit IRC13:08
*** EinstCrazy has joined #openstack-keystone13:11
*** markvoelker has joined #openstack-keystone13:21
*** markvoelker has quit IRC13:26
*** markvoelker_ has joined #openstack-keystone13:26
*** vivekd has quit IRC13:31
*** erlarese has joined #openstack-keystone13:31
*** ChanServ sets mode: +v topol_13:33
*** topol_ is now known as topol13:33
*** vivekd has joined #openstack-keystone13:33
*** samueldmq has quit IRC13:33
*** samueldmq has joined #openstack-keystone13:36
*** edmondsw has joined #openstack-keystone13:37
*** bill_az has joined #openstack-keystone13:41
*** su_zhang has joined #openstack-keystone13:41
*** cdent has joined #openstack-keystone13:49
cdentbknudson: can you help me decide if my solution to this bug is correct/okay: https://bugs.launchpad.net/keystonemiddleware/+bug/154002213:49
openstackLaunchpad bug 1540022 in keystonemiddleware "The oslo_config_config conf option cannot be used because it gets clobbered" [Undecided,In progress] - Assigned to Chris Dent (cdent)13:49
cdent(or anyone else)13:53
*** Nirupama has quit IRC13:53
openstackgerritMarek Denis proposed openstack/keystone: Service Providers Group CRUD operations.  https://review.openstack.org/27343813:54
*** jgriffith is now known as jgriffith_away13:58
bknudsoncdent: if you can write a test for it that can show that it's not working right then that would help13:59
cdentbknudson: yeah, that was kind of my plan, but interpreting the existing tests made my head swim at the time (it was about 2 in the morning) I thought I'd come crawling for some advice.14:00
cdentNow that I'm a bit more awake, might be able to make some headway on that.14:01
*** woodster_ has joined #openstack-keystone14:01
bknudsontake a look at it. You don't need to use the existing tests.14:01
cdentI'll locate some coffee and give it go14:01
bknudsonthere are a lot of issues with the tests... they've turned into mostly integration tests where component tests would be easier to work with14:02
* cdent nods14:02
cdentthanks, bknudson, I'll push something up later today14:03
*** cdent has quit IRC14:04
*** amakarov has joined #openstack-keystone14:07
*** petertr7_away is now known as petertr714:17
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358514:19
*** jsavak has joined #openstack-keystone14:23
*** apetrov has joined #openstack-keystone14:25
*** EinstCrazy has quit IRC14:29
*** apetrov has quit IRC14:29
*** jistr has joined #openstack-keystone14:31
*** jsavak has quit IRC14:33
*** apetrov has joined #openstack-keystone14:34
erlaresenotmorgan jamielennox - this method: keystoneclient.service_catalog.ServiceCatalog.factory(dict) used to convert a catalog dictionary to object14:34
erlaresedo you know what the equivalent method in keystoneauth1 is now?14:34
erlarese(or anyone else?)14:34
*** ninag has joined #openstack-keystone14:40
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358514:48
*** fpatwa has joined #openstack-keystone14:49
*** jsavak has joined #openstack-keystone14:51
*** fpatwa has quit IRC14:54
*** mvk has quit IRC14:56
*** mdavidson has quit IRC14:59
*** jimbaker has quit IRC15:00
*** pushkaru has joined #openstack-keystone15:06
*** sigmavirus24_awa is now known as sigmavirus2415:10
*** links has quit IRC15:11
*** jbell8 has joined #openstack-keystone15:13
*** jed56 has joined #openstack-keystone15:14
*** slberger has joined #openstack-keystone15:20
*** ayoung has joined #openstack-keystone15:20
*** ChanServ sets mode: +v ayoung15:20
*** jaosorior has joined #openstack-keystone15:23
*** timcline has joined #openstack-keystone15:26
*** csoukup_ has joined #openstack-keystone15:28
*** EinstCrazy has joined #openstack-keystone15:29
*** EinstCrazy has quit IRC15:35
*** petertr7 is now known as petertr7_away15:39
openstackgerritMorgan Fainberg proposed openstack/keystone: Move EC2 extension to core  https://review.openstack.org/27528015:39
openstackgerritMorgan Fainberg proposed openstack/keystone: Move EC2 extension to core  https://review.openstack.org/27528015:43
*** esp has joined #openstack-keystone15:46
*** bill_az has quit IRC15:47
*** esp has quit IRC15:50
*** petertr7_away is now known as petertr715:51
*** bill_az has joined #openstack-keystone15:52
*** jbell8 has quit IRC15:53
*** dims has joined #openstack-keystone15:54
*** dims_ has quit IRC15:54
*** mgarza has joined #openstack-keystone15:57
*** clenimar has joined #openstack-keystone16:00
*** david-lyle has joined #openstack-keystone16:02
*** jsavak has quit IRC16:02
*** jsavak has joined #openstack-keystone16:03
*** su_zhang has quit IRC16:08
*** jbell8 has joined #openstack-keystone16:08
*** su_zhang has joined #openstack-keystone16:13
*** gokrokve has joined #openstack-keystone16:13
*** sinese has quit IRC16:13
*** vgridnev has quit IRC16:14
*** diazjf has joined #openstack-keystone16:16
*** diazjf has quit IRC16:16
*** diazjf has joined #openstack-keystone16:17
openstackgerritMorgan Fainberg proposed openstack/keystone: Add in TRACE logging for the manager  https://review.openstack.org/27408516:20
openstackgerritMorgan Fainberg proposed openstack/keystone: Add in TRACE logging for the manager  https://review.openstack.org/27408516:21
*** browne has joined #openstack-keystone16:23
*** belmoreira has quit IRC16:25
*** woodster_ has quit IRC16:26
*** fesp has joined #openstack-keystone16:29
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358516:29
*** agireud has quit IRC16:36
*** cdcasey has joined #openstack-keystone16:37
*** agireud has joined #openstack-keystone16:37
bretonwe have a problem in keystoneclient repo16:38
bretonour latest tag is 2.1.1, right?16:38
bretonbreton@bbobrov-pc ~/src/openstack/python-keystoneclient (master*) $ git describe --abbrev=016:38
bretontag 2.1.1 points to d20b300, while it should probably point to f5fb64316:40
samueldmqayoung: hi16:40
samueldmqayoung: what about removing the scope checks from the policy file and put them in the code16:40
ayoungsamueldmq, Good morning16:40
samueldmqayoung: morning16:40
samueldmqayoung: and only leave the role check in the policy16:40
bretonstevemar: jamielennox|away: ^16:40
ayoungsamueldmq, yeah, I think that should be a possbility, but not the keystone team's responsibility, except for Keystone16:41
samueldmqayoung: we could start for project operations16:41
ayoungor is that what you were suggesting?16:41
samueldmqayoung: sure sir, I am suggesting for keystone16:41
samueldmqayoung: I believe nova already does that16:41
ayoungsamueldmq, yep, I think that would work.  But it still doesn't give us a way to communicate this to the other services16:41
samueldmqayoung: so easy, I may start with APIs that need a project scoped check16:41
samueldmqayoung: and if global admin is needed, we now have the admin_project anyways16:42
ayoungbut, I guess the other services could do it with a config flag, too16:42
ayoungsamueldmq, OK,  I think you are on track16:42
samueldmqayoung: perfect16:42
ayoungwe can discuss in the meeting16:42
ayoungnot sure if we can do that in Mitaka, but we can shoot for Newton with it16:42
*** fesp has quit IRC16:42
samueldmqayoung: nice, I am adding a topic there16:42
samueldmqwith our names16:43
samueldmqoh, you have a topic there that perhaps may include it ?16:43
samueldmqayoung: ^16:43
ayoungsamueldmq, yeah,. and feel free to add you name16:43
bretonbtw, how do we set tags to the repo? Via gerrit or somehow manually?16:43
samueldmqayoung: "Can existing policy files should be limited to scope checks"16:44
samueldmqayoung: I think you meant the opposite in that sentence right ?16:44
samueldmqayoung: i.e "Should existing policy files be limited to ROLE checks"16:44
dstanekbreton: does it matter?16:46
dstanekbreton: git claims that dims was the tagger16:46
openstackgerritMorgan Fainberg proposed openstack/keystone: Add in TRACE logging for the manager  https://review.openstack.org/27408516:47
bretondstanek: it does, our packagers suffer. I don't have the details though, I asked them to submit a bugreport.16:47
*** dims_ has joined #openstack-keystone16:47
samueldmqnotmorgan: about this TRACE change ^16:48
notmorgansamueldmq: yeah?16:48
samueldmqnotmorgan: when logging is disabled, does the manager calls still enter the wrapper ? or does it bypass and goes to the manager code directly?16:48
notmorganstill enters the wrapper but it doesn't to the expensive work16:48
*** jaosorior has quit IRC16:49
notmorganthat is part of the "if do_trace"16:49
*** dims has quit IRC16:49
samueldmqnotmorgan: so shouldn't add signficant overhead to manager calls16:50
notmorganunless you enable "TRACE" logging... which case it'll slow things down massively16:50
*** rderose has joined #openstack-keystone16:50
*** fpatwa has joined #openstack-keystone16:50
samueldmqnotmorgan: got it16:50
samueldmqnotmorgan: starred, will "review -d" and test it later, thanks16:51
*** su_zhang has quit IRC16:52
*** jistr has quit IRC16:53
*** mvk has joined #openstack-keystone16:54
*** fpatwa has quit IRC16:54
*** clenimar has quit IRC16:55
*** e0ne has quit IRC16:55
bknudsonbreton: the tags are described in the releases repo: http://git.openstack.org/cgit/openstack/releases/tree/deliverables/mitaka/python-keystoneclient.yaml16:59
*** vivekd has quit IRC17:00
*** stevemar sets mode: +o samueldmq17:01
*** ChanServ sets mode: -o samueldmq17:01
bretonbknudson: thanks. So, to move the tag I need to propose a change for openstack/releases?17:02
*** vivekd has joined #openstack-keystone17:02
bknudsonI don't think tags can be changed. We'd have to do another release.17:02
bknudsonanyone can propose changes to the repo to request a new release17:03
*** cdent has joined #openstack-keystone17:03
*** jsavak has quit IRC17:04
*** jsavak has joined #openstack-keystone17:04
*** clenimar has joined #openstack-keystone17:04
*** timcline has quit IRC17:05
*** stevemar sets mode: +v samueldmq17:05
*** clenimar has quit IRC17:09
*** esp has joined #openstack-keystone17:10
*** fesp has joined #openstack-keystone17:11
*** fesp has quit IRC17:12
dolphmmarekd: i know you abandoned https://review.openstack.org/#/c/244694/ but IIRC from tokyo, we agreed it made sense to pursue a PoC first, then go back to the spec. any traction on that?17:16
samueldmqbknudson: does stevemar proposal make sense to you here https://review.openstack.org/#/c/208215 ?17:17
*** sinese has joined #openstack-keystone17:17
samueldmqstevemar: are you going to propose a follow-on patch for this ? I may do it if you want17:20
stevemarsamueldmq: go ahead and post a follow on patch, then maybe bknudson will +2 the original :)17:20
samueldmqstevemar: ++17:20
openstackgerritChris Dent proposed openstack/keystonemiddleware: Remove clobbering of passed oslo_config_config  https://review.openstack.org/27439617:21
cdentbknudson: ^17:21
cdent(and anyone else)17:21
openstackgerritMorgan Fainberg proposed openstack/keystone: Add RENO update for simple_cert_extension deprecation  https://review.openstack.org/27533317:22
notmorganstevemar: full chain of extensions-to-core complete17:23
notmorganstevemar: that will wind down all extensions. next step merging in the middlewares so someone can't "break" keystone17:23
stevemarnotmorgan: yeah, whats your plan there for ec2 in ksm?17:24
notmorganstevemar: ec2? support it17:24
notmorganlike we do today17:24
notmorganadd more testing around it *shrug*17:25
notmorganthe "middleware" i mean the keystone versions17:25
notmorgannot the KSM stuff17:25
notmorganin the keystone paste-ini17:25
stevemarnotmorgan: i find it funny that we have ec2 related stuff in keystone, ksm, ksc17:26
notmorganwell KSM makese sense17:26
notmorganksm needs to know how to auth the token things on the endpoints17:27
notmorganin theory17:27
notmorganin keystone it's the APIs to set it all up17:27
notmorganin ksc... uhg common place some of the functions live17:27
notmorganbut at the very least "pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body service_v3" is looking better17:27
raildostevemar: ++ I discovered that we had ec2 stuffs on keystone in the v2.0 deprecation17:28
notmorganstevemar: i also formalized the the S3 and EC2 things in keystone were "aws" compat17:28
notmorganin tree structure17:28
notmorgandidn't really know where else to stick them.17:28
notmorgankeystone.ec2 and keystone.s3 felt "wrong"17:29
stevemarnotmorgan: good call17:29
stevemari'll pull them down today and play17:29
stevemarnotmorgan: bknudson also has a patch for changing the pipeline around: https://review.openstack.org/#/c/198931/17:29
*** mgarza has quit IRC17:30
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Do not assign admin to service users  https://review.openstack.org/27533517:30
samueldmqstevemar: ayoung: dstanek ^17:31
*** jasonsb has quit IRC17:32
*** openstackgerrit has quit IRC17:32
*** openstackgerrit has joined #openstack-keystone17:32
*** cdcasey has quit IRC17:32
*** mgarza_ has joined #openstack-keystone17:33
*** EinstCrazy has joined #openstack-keystone17:33
notmorganstevemar: i am working on a patch to deprecate/remove auth_token_admin17:36
notmorganerm.. you know the order of that17:36
notmorgansince bootstrap is a thing17:36
*** EinstCrazy has quit IRC17:38
stevemarwow, 20 minutes til meeting, where did the time go17:39
samueldmqstevemar: :-)17:41
samueldmqstevemar: please tell me once you find it out hehe17:41
*** sinese has quit IRC17:44
*** sinese has joined #openstack-keystone17:44
*** browne has quit IRC17:46
*** _cjones_ has joined #openstack-keystone17:50
*** rderose has quit IRC17:50
*** _cjones_ has quit IRC17:51
*** _cjones_ has joined #openstack-keystone17:51
marekddolphm: i abandoned as I found another way of overcoming some problems that keystone-saml2 was going to solve. I also saw lots of "no"s from jamie or adam etc. I didnt focus on poc recently.17:53
*** tsymanczyk has joined #openstack-keystone17:53
*** rderose has joined #openstack-keystone17:53
stevemarmarekd: what did you abandon?17:54
marekdstevemar: https://review.openstack.org/#/c/244694/17:54
marekdstevemar: nothing you wouldn't know :-)17:54
stevemardidn't get the notice in email yet, just got it now17:54
stevemari see whats going on17:55
marekdstevemar: not that i abandoned it (like formally abandon the spec), dolphm meant that there is no consensus and progress on it.17:55
*** lhcheng has joined #openstack-keystone17:56
*** ChanServ sets mode: +v lhcheng17:56
ayoungsamueldmq, I don't know if we can avoid that yet17:57
ayoungthere are other services that still need it, it is one of the things to clean up17:57
samueldmqayoung: other services that need admin powers ?17:57
*** drjones has joined #openstack-keystone17:57
samueldmqayoung: could you give an example ?17:57
*** _cjones_ has quit IRC17:57
ayoungsamueldmq, yes17:57
ayoungsamueldmq, it has to do with long lived callbacks17:57
ayoungwhen we did the proof of concept, you can ask jamielennox|away if he remembers the details , buit one was Neutron calling back to Nova17:58
ayoungI think a volume attach also fell into that category17:58
*** richm has quit IRC17:59
stevemarcourtesy ping ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rodrigods, roxanaghe, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub, rderose, samleon, xek, MaxPC, tjcocozz17:59
stevemardolphm: that's right, i do it in both channels!18:00
*** mhickey_ has quit IRC18:00
dolphmstevemar: but you don't even tell anyone what you're pinging about in this channel18:00
stevemardolphm: good, keep everyone surprised18:01
*** henrynash has joined #openstack-keystone18:03
*** ChanServ sets mode: +v henrynash18:03
*** sigmavirus24 is now known as sigmavirus24_awa18:03
*** simondodsley has joined #openstack-keystone18:03
*** petertr7 is now known as petertr7_away18:04
*** timcline has joined #openstack-keystone18:06
*** jsavak has quit IRC18:09
*** jsavak has joined #openstack-keystone18:10
*** timcline has quit IRC18:11
*** anteaya has joined #openstack-keystone18:14
*** c_soukup has joined #openstack-keystone18:14
*** csoukup_ has quit IRC18:18
*** su_zhang has joined #openstack-keystone18:20
*** su_zhang has quit IRC18:22
*** su_zhang has joined #openstack-keystone18:22
*** clenimar has joined #openstack-keystone18:24
*** jsavak has quit IRC18:25
*** timcline has joined #openstack-keystone18:26
*** vivekd has quit IRC18:29
*** gokrokve has quit IRC18:29
*** browne has joined #openstack-keystone18:29
*** timcline has quit IRC18:32
*** gyee has joined #openstack-keystone18:37
*** ChanServ sets mode: +v gyee18:37
*** jsavak has joined #openstack-keystone18:41
*** jbell8 has quit IRC18:43
*** fpatwa has joined #openstack-keystone18:51
*** samueldmq has quit IRC18:51
andrewbogottHow does /v2.0/tenants/​{tenantId}​/users relate to roles?  Is a ‘user’ anyone that has /any/ role in the specified tenant?18:53
*** petertr7_away is now known as petertr718:55
*** fpatwa has quit IRC18:56
bknudsonandrewbogott: yes, any role and you're a user..19:00
andrewbogottok, makes sense, thanks19:00
*** jsavak has quit IRC19:02
*** jsavak has joined #openstack-keystone19:03
*** ThomasHsiao has joined #openstack-keystone19:04
*** henrynash_ has joined #openstack-keystone19:04
*** ChanServ sets mode: +v henrynash_19:04
*** crinkle_ has joined #openstack-keystone19:05
*** ThomasHsiao has quit IRC19:05
* stevemar pokes dolphm and notmorgan 19:06
notmorganstevemar: ohai19:06
*** crinkle has quit IRC19:06
*** timcline has joined #openstack-keystone19:07
*** crinkle_ is now known as crinkle19:07
*** jbell8 has joined #openstack-keystone19:08
rodrigodshtruta, ping19:09
rodrigodsayoung, ^19:09
ayoungrodrigods, c'mon, give him some context19:10
*** petertr7_away has joined #openstack-keystone19:10
rodrigodsayoung, he knows :P19:10
*** opilotte| has joined #openstack-keystone19:10
*** hrou_ has joined #openstack-keystone19:10
*** lbragstad_ has joined #openstack-keystone19:11
*** bknudson_ has joined #openstack-keystone19:11
*** ChanServ sets mode: +v bknudson_19:11
*** htruta` has joined #openstack-keystone19:11
*** miguelgrinberg_ has joined #openstack-keystone19:11
*** _nonameentername has joined #openstack-keystone19:11
*** charz has joined #openstack-keystone19:11
*** henrynash has quit IRC19:12
*** Ephur has quit IRC19:12
*** hogepodge has quit IRC19:12
*** arunkant has quit IRC19:12
*** mordred has quit IRC19:12
*** bknudson has quit IRC19:12
*** hrou has quit IRC19:12
*** htruta has quit IRC19:12
*** martinus__ has quit IRC19:12
*** nonameentername has quit IRC19:12
*** pkarikh has quit IRC19:12
*** petertr7 has quit IRC19:12
*** charz_ has quit IRC19:12
*** lbragstad has quit IRC19:12
*** opilotte- has quit IRC19:12
*** miguelgrinberg has quit IRC19:12
*** lbragstad_ is now known as lbragstad19:12
*** miguelgrinberg_ is now known as miguelgrinberg19:12
*** petertr7_away is now known as petertr719:12
*** henrynash_ is now known as henrynash19:12
*** martinus__ has joined #openstack-keystone19:12
*** pkarikh has joined #openstack-keystone19:13
*** htruta` is now known as htruta19:14
*** mordred has joined #openstack-keystone19:15
ayoungrodrigods, ah well. what did you want to discuss anyway?19:16
*** spzala has joined #openstack-keystone19:16
*** arunkant has joined #openstack-keystone19:16
htrutaayoung, rodrigods: hi19:16
rodrigodsayoung, htruta, do not use query parameter, but stay with /cascade in the URLs19:16
htrutalooks like we have another plot twist in /cascade x ?cascade19:16
ayounghtruta, yeah... rodrigods had a point19:17
htrutaayoung: fyi, raildo implemented it with ?cascade=true and it is in gerrit19:17
ayoungI think I can work with it either way19:18
htrutabut I've mentioned rodrigods point that filters only make sense in GET/HEAD19:18
ayoungmy thinking was that cascade would be a reusable filter, for any hierarchy19:18
* raildo want to use jokenpo to decide19:18
ayoungI think it makes sense for DELETE too, right?19:19
*** boris-42 has joined #openstack-keystone19:19
stevemarnotmorgan: we chatting?19:19
ayoungDELETE https://host/resource?cascade=True19:19
raildoayoung: yes19:19
ayoungwhy not?19:19
rodrigodssince DELETE https://host/resource?cascade=false is the same of no query param19:19
htrutaayoung: I don't see as a filter, I see as another operation19:19
edmondswnotmorgan, did you see the question from erlarese earlier?19:19
ayounghtruta, it means for any operation that can be performed on a resource, we need a whole nother resource to specify that.  The API increase will  be, potentially, factorial i for each fileter like this19:20
stevemaredmondsw: you may have to repeat the question19:21
edmondswthis method: keystoneclient.service_catalog.ServiceCatalog.factory(dict) used to convert a catalog dictionary to object. do you know what the equivalent method in keystoneauth1 is now?19:21
stevemaredmondsw: ah19:21
edmondswnova's got some code that is hardcoding to use ServiceCatalogV2... ugh19:22
rodrigodsayoung, yeah... but this is not the current situation19:22
htrutaayoung: partially agreed.19:22
raildoayoung: do you see any similarity between cascade operation and inherited roles?19:22
rodrigodsayoung, if we ever reach that point, we would need to change the API19:22
edmondswtrying to fix that to not be version specific, and the factory seems to have been removed19:22
htrutathe problem is that we have the CRUD and another type of update AND another type of delete19:23
ayoungedmondsw, do you have a suggested API replacement for implied roles?19:23
raildoayoung: like... why we didn't made inherited roles like a query string?19:23
*** rderose has quit IRC19:23
edmondswayoung, I had suggested a replacement in my initial commens. I haven't had a chance to throw up a proposed change on the spec as you were asking for19:23
*** hogepodge has joined #openstack-keystone19:24
ayoungraildo, so...if I were to liken it to file system operations,  we have rm -rf or rmdir19:24
ayoungrmdir is directory specific19:24
ayoung rm -rf is "kill it all die die die"19:24
ayoungrm was supposed to be file only19:24
ayoungbut we use it for cascade operations19:24
ayoungif you don't have access to a subdir...you end up with it 1/2 completed19:24
ayoungall the directories before the failure are gone19:25
ayoungdamn I love POSIX19:25
ayoungno I don't19:25
htrutaayoung: rm is awesome. but aren't rest apis a little bit different?19:27
ayounghtruta, so, as I said, i can work with it either way19:27
ayoungI think the filter is more correct19:27
*** esp_ has joined #openstack-keystone19:27
htrutaayoung: I mean... this is a filter, not an argument19:28
htrutaI'm ok with both too19:28
rodrigodsayoung, htruta use /cascade19:28
htrutaayoung: and I know that you'll be happy if we have the policy enforcement in each node (which we did)19:28
rodrigodslet's not enter in a infinite discussion :)19:28
ayoungrodrigods, so, for a post,  you don't usually have an instance19:28
ayoungfor PUT, you do19:28
rodrigodsayoung, instance?19:28
ayoungand, if that PUT is the parent resource, /cascade does not make sense19:28
notmorganoh i have an idea. lets make a FUSE driver that mounts the keystone backends as a POSIX filesystem then we can just do system operations19:29
ayoungrodrigods, users/  versus usreser/123FEEDBABECAF19:29
notmorganinstead of needing APIs19:29
ayoungrodrigods, users/  versus users/123FEEDBABECAF19:29
stevemarnotmorgan: i like it, screw these apis19:29
rodrigodsayoung, why doesn't make sense?19:29
rodrigodsthe /cascade19:29
notmorganstevemar: EXACTLY19:29
stevemarnotmorgan: i think dolphm got wrapped up in a meeting19:29
stevemarhe isn't replying on any medium19:30
notmorganhe always is in a meeting19:30
rodrigodsis just the semantics of what is going to happen19:30
ayoungrodrigods, you are using the URL to specify an operation19:30
ayoungwell...not even19:30
ayoungits just weird19:30
rodrigodsayoung, yes... I agree19:30
rodrigodswe don't have a meaningful HTTP method for this case...19:31
rodrigodsbut query params are filters19:31
*** mgarza_ has quit IRC19:31
ayoungso..is there any compelling reason to use /cascade?  I mean, from a poilcy perspective, we should be using the policy on the individual objects19:31
rodrigodsayoung, first... it is not against REST19:31
*** su_zhang has quit IRC19:32
rodrigodssecond, we would end with two URLs that means the same19:32
*** su_zhang has joined #openstack-keystone19:32
rodrigodsfor example PUT /abc/123?cascade=false is equal to just PUT /abc/12319:32
*** su_zhang has quit IRC19:34
htrutarodrigods: but we already have that in GET /projects?subtree, for example19:34
*** esp_ has quit IRC19:34
*** su_zhang has joined #openstack-keystone19:34
rodrigodshtruta, GET is a GET19:34
htrutarodrigods: agreed19:35
*** vgridnev has joined #openstack-keystone19:36
htrutarodrigods, ayoung: anyway, I think using /cascade is the safer option, once it is approved in the spec, making the policy enforcement in each node19:38
rodrigodshtruta, can't it behave like hierarchical quotas?19:38
rodrigodspolicy enforcement happening only in the target node? with a different policy rule?19:38
rodrigodsit is a branch operation19:39
htrutarodrigods: ayoung would be a great -2 on that. He believes we need to enforce it in all tree nodes, otherwise, no operation is made19:40
rodrigodswhere is the ownership behavior than? :(19:40
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490119:42
*** su_zhang has quit IRC19:43
*** EinstCrazy has joined #openstack-keystone19:43
*** su_zhang has joined #openstack-keystone19:43
*** timcline_ has joined #openstack-keystone19:45
*** su_zhang has quit IRC19:46
*** su_zhang has joined #openstack-keystone19:47
*** EinstCrazy has quit IRC19:48
*** mvk_ has joined #openstack-keystone19:48
*** ccard__ has joined #openstack-keystone19:48
*** simondodsley_ has joined #openstack-keystone19:50
ayounghtruta, rodrigods I don't really care *that* much19:50
ayoungjust wanted to make sure Iunderstood, an provided my feedback19:50
*** timcline has quit IRC19:51
*** simondodsley has quit IRC19:51
*** mvk has quit IRC19:51
*** apetrov has quit IRC19:51
*** ccard_ has quit IRC19:51
*** simondodsley_ is now known as simondodsley19:51
htrutaanother plot twist here.19:53
*** su_zhang has quit IRC19:53
htrutaayoung: does that mean you'd still be happy with a new policy rule?19:53
*** su_zhang has joined #openstack-keystone19:53
htrutaayoung: if so, I suggest we just follow what was approved in the spec (which is /cascade + new rule)19:55
*** gyee has quit IRC19:57
ayounghtruta, I have other fish to fry19:59
*** thebloggu has quit IRC20:05
*** su_zhang has quit IRC20:06
*** jsavak has quit IRC20:08
*** jsavak has joined #openstack-keystone20:09
*** mhickey_ has joined #openstack-keystone20:20
*** jgriffith_away is now known as jgriffith20:21
*** jbell8_ has joined #openstack-keystone20:22
*** jbell8 has quit IRC20:22
*** petertr7 is now known as petertr7_away20:22
stevemardstanek: can you comment/change status on https://blueprints.launchpad.net/keystone/+spec/more-code-style-automation20:22
stevemarit seems done20:22
*** jbell8_ has quit IRC20:23
dstanekstevemar: sure20:23
stevemardstanek: umm, also this one: https://blueprints.launchpad.net/keystone/+spec/restructuring-tests20:23
*** jbell8 has joined #openstack-keystone20:23
dstanekstevemar: there are probably a few more too20:23
stevemardstanek: if they are finished mark them as superseded, if they are no longer valid, then obsolete. this option is under 'definition'20:24
stevemardolphm: not around?20:27
dolphmstevemar: in a meeting for another 1.5 hours :(20:27
ryanpetrellokeeps track of them with self.workers20:37
ryanpetrellobah, wrong chatroom :o20:38
*** simondodsley has quit IRC20:38
*** spzala has quit IRC20:44
*** spzala has joined #openstack-keystone20:45
*** spzala_ has joined #openstack-keystone20:47
*** timcline_ has quit IRC20:49
*** spzala has quit IRC20:49
*** fpatwa has joined #openstack-keystone20:52
*** spzala_ has quit IRC20:52
*** raildo is now known as raildo-afk20:54
*** csoukup_ has joined #openstack-keystone20:55
ayoungstevemar, so...I'm working on killing Keystone Eventlet in Tripleo....where else are we stuck with it still?20:55
stevemarayoung: no where else AFAIK20:55
ayoungstevemar, I had it working for non-HA...and I think I solved the next two problems with HA just now...we'll see what CI says20:56
*** jgriffith is now known as jgriffith_away20:56
*** fpatwa has quit IRC20:57
*** timcline has joined #openstack-keystone20:58
*** c_soukup has quit IRC20:58
*** mhickey_ has quit IRC20:59
*** mhickey_ has joined #openstack-keystone21:00
*** petertr7_away is now known as petertr721:00
notmorganalmost under 200 open bugs for keystone just by cleaning up backlog of clearly invalid/wont fixes21:02
notmorgandstanek, dolphm ^21:02
cdentayoung, stevemar, notmorgan: If any of you have some comments on https://review.openstack.org/#/c/274396/ that would be awesome. The bug is going to block me sooner or later21:03
*** jsavak has quit IRC21:03
*** clenimar has quit IRC21:03
*** vgridnev has quit IRC21:04
*** jsavak has joined #openstack-keystone21:04
ayoungcdent, can you 'splain that to me using the ten hundred most common words?21:04
notmorganayoung: ++21:05
cdentayoung: you can't pass olso_config_config in conf to AuthProtocol and expect it to work21:05
notmorgancdent: what is the case that happens more to the point21:05
ayoungcdent, so what21:05
* ayoung breaindead right now21:05
notmorgancdent: i'm fine with a fix, but when do you pass that in?21:05
notmorgansince you can explain it fast rather than me digging21:06
ayoungcdent, yeah, where do you want to do this?  What use case does the current behavior break?21:06
notmorganbut totally cool with fixing it for a real case :)21:06
cdentnotmorgan: the goal is to be able to use the oslo conf I have already read, in a non-global fashion, in my service that is using the middleware and _not_  using paste21:06
cdentI don't want to pass the config file, I just want to pass the config21:07
cdentbecause why read it again? and because in some cases I don't really know where the file came from (if it was passed as an argument instead of coming from a default location)21:07
notmorganah also people souldn't be putting middleware opts in paste anyway21:08
notmorganayoung: ^ this sounds like a real use-case to me21:09
cdentthe code appears to want this use case to work, but it was broken21:09
ayoungcdent, I think I like what you are saying21:09
cdent(I think because whoever wrote it had some confusion about ConfigOpts objects work)(21:09
ayoungcdent, but I am also a little wary.  RIght now, we have a bug, reported by you, fixed by you, where you are the only responder, and I don't undertand the code.21:11
ayoungI want at least someone that knows this to chime in, and that means jamielennox|away21:12
cdentayoung: ulenderstandab21:12
ayoungI like that word21:12
cdenttrackpad fail21:12
ayoungulenderstandab is pro nounce ooo lender stan dab21:12
ayoungwhat does the call to self._local_oslo_config(  actually do?21:13
cdentthe first thing it does is clear() the existing ConfigOpts and reset it to something new, by reading from either the default files or a named file, for a particular project21:14
ayoungno, where is the code it calls21:15
cdentyes, that21:15
*** spzala has joined #openstack-keystone21:16
cdent(parsing what oslo_config gets up to is ... challenging)21:16
ayoungOK, so the first part of your change looks like it is just doing the same logic as before21:16
ayoungself._local_oslo_config = conf['oslo_config_config']  in the if,  and the else is the21:16
ayoung self._local_oslo_config = cfg.ConfigOpts()21:16
ayoungso now you are defaulting21:16
ayoungself._local_oslo_config.project = conf['oslo_config_project']  but only in the first case21:17
cdentthat gets set in the second case21:17
ayoungand skipping the rest of the __call__21:17
ayoungyeah, it gets set but inside the __call__21:17
cdentin the first case no _new_ ConfigOpts is created21:17
cdentin the second, one is, and it is set to values from the file passed in or the default file for that project21:17
ayoungso before if if conf.get('oslo_config_config') would return None, we do the _call_ but in this case we don't because your logic is that the _call_ clobbers what you are holding in memory?21:19
ayoungin cfg.ConfigOpts()21:19
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity - Shadow federated users  https://review.openstack.org/27476121:19
cdentthe __call__ clobbers what came in21:20
ayoungcdent, so you are saying that if conf['oslo_config_config'] is set, we don't want to do the initilization code?21:20
*** su_zhang has joined #openstack-keystone21:20
*** spzala has quit IRC21:20
*** pauloewerton has quit IRC21:21
*** spzala has joined #openstack-keystone21:21
cdent(because we've already got a config that is the one we want to use)21:21
*** gyee has joined #openstack-keystone21:22
*** ChanServ sets mode: +v gyee21:22
*** gyee has quit IRC21:22
*** ubuntu has joined #openstack-keystone21:23
*** ubuntu is now known as Guest4084821:23
*** jsavak has quit IRC21:23
ayoungcdent, yeah...sorry, I really need to defer to jamielennox|away on this one.   It just looks too much like “I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.”21:24
*** su_zhang has quit IRC21:25
cdentayoung: It may be that my fix is wrong, but is definitely the case that the code on master is wrong.21:25
cdentas there is currently no way for oslo_config_config to get used21:25
ayounganything named _config_config is suspect anyway21:26
cdentIt's a super useful feature, if we can get it to work21:26
*** jsavak has joined #openstack-keystone21:27
*** jsavak has quit IRC21:29
*** jsavak has joined #openstack-keystone21:30
*** su_zhang has joined #openstack-keystone21:32
bknudson_cdent: did you see https://review.openstack.org/#/c/255661/ ?21:36
bknudson_it looks related21:36
*** gyee has joined #openstack-keystone21:37
*** ChanServ sets mode: +v gyee21:37
cdentbknudson_: is news to me21:37
* cdent looks21:37
cdentthat does look related, especially to my comment in the test, but not directly related21:37
stevemarnotmorgan: morgan 'the-bug-smasher' fainberg21:39
notmorganstevemar: heh21:39
*** tsymanczyk has quit IRC21:42
*** jbell8 has quit IRC21:49
*** ayoung has quit IRC21:51
*** ThomasHsiao has joined #openstack-keystone21:53
notmorganbknudson_: i think we need to just do a new LDAP driver that is R/O and is ldap3 based21:59
notmorganbknudson_: far easier than retrofitting everything21:59
notmorganbknudson_: and it can be all isolated away from keystone.common21:59
*** jsavak has quit IRC22:04
*** edmondsw has quit IRC22:05
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490122:07
openstackgerritChris Dent proposed openstack/keystonemiddleware: Remove clobbering of passed oslo_config_config  https://review.openstack.org/27439622:08
cdentbknudson_: ^ that might be better22:09
*** jsavak has joined #openstack-keystone22:11
*** erlarese has quit IRC22:13
*** timcline has quit IRC22:21
*** itlinux has quit IRC22:22
*** petertr7 is now known as petertr7_away22:23
*** itlinux has joined #openstack-keystone22:24
*** mhickey_ has quit IRC22:30
*** mhickey_ has joined #openstack-keystone22:30
bknudson_502 proxy error22:30
*** e0ne has joined #openstack-keystone22:31
*** jsavak has quit IRC22:34
cdentgerrit be slow22:34
*** jamielennox|away is now known as jamielennox22:41
*** e0ne has quit IRC22:43
*** itlinux_ has joined #openstack-keystone22:44
*** itlinux has quit IRC22:47
*** EinstCrazy has joined #openstack-keystone22:48
*** drjones has quit IRC22:49
*** _cjones_ has joined #openstack-keystone22:51
*** EinstCrazy has quit IRC22:52
*** fpatwa has joined #openstack-keystone22:53
*** ayoung has joined #openstack-keystone22:53
*** ChanServ sets mode: +v ayoung22:53
*** itlinux_ has quit IRC22:54
*** itlinux has joined #openstack-keystone22:55
*** slberger has left #openstack-keystone22:56
*** fpatwa has quit IRC22:58
*** sinese has quit IRC23:00
*** jamielennox is now known as jamielennox|away23:05
*** cdent has quit IRC23:07
*** su_zhang has quit IRC23:11
*** su_zhang has joined #openstack-keystone23:12
*** mhickey_ has quit IRC23:13
*** mhickey_ has joined #openstack-keystone23:14
notmorganstevemar, bknudson_: about to push a patch to deprecate 'admin_token_auth'23:15
notmorganneed to fix one test.23:16
*** clenimar has joined #openstack-keystone23:16
tjcocozzdoes anyone know how long gerrit will be down?23:17
tjcocozzlooks like just long enough for me to write out that question :-)23:18
openstackgerritTom Cocozzello proposed openstack/keystone: WIP Depricate Saml2  https://review.openstack.org/27543823:18
*** e0ne has joined #openstack-keystone23:19
*** ThomasHsiao has quit IRC23:21
*** pushkaru has quit IRC23:27
*** e0ne has quit IRC23:28
*** pumarani__ has joined #openstack-keystone23:28
*** mhickey_ has quit IRC23:29
*** pumarani__ has quit IRC23:30
*** pushkaru has joined #openstack-keystone23:30
*** pumarani__ has joined #openstack-keystone23:32
*** gordc has quit IRC23:33
*** pushkaru has quit IRC23:33
*** clenimar has quit IRC23:43
openstackgerritMorgan Fainberg proposed openstack/keystone: Move EC2 extension to core  https://review.openstack.org/27528023:47
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate simple_cert extension  https://review.openstack.org/27447923:48
openstackgerritMorgan Fainberg proposed openstack/keystone: Move user and admin crud to core  https://review.openstack.org/27448923:48
openstackgerritMorgan Fainberg proposed openstack/keystone: Move s3 Extension to core  https://review.openstack.org/27497323:48
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate admin_token_auth  https://review.openstack.org/27544323:48
notmorganstevemar, bknudson_, dolphm, ^ move all the things to core, deprecate more things23:49
notmorganSpamapS: ^ like that [re "things that need to just get "done""]23:50
*** su_zhang has quit IRC23:51
*** su_zhang has joined #openstack-keystone23:51
*** boris-42 has quit IRC23:53
*** gildub has joined #openstack-keystone23:58
*** csoukup_ has quit IRC23:58
*** pumarani__ has quit IRC23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!