Tuesday, 2016-02-09

notmorgan: and revoke tree was particularly bad [00:00]
jamielennox: what does json not handle in revoke tree? [00:00]
notmorgan: it thinks it is self-referential [00:00]
notmorgan: msgpack lets me yank apart the revoke tree on serialization [00:00]
notmorgan: json i would need to know it was a revoke tree ahead of time [00:00]
notmorgan: it's all written as 10% pure internal interfaces so we can change it as we see fit [00:01]
*** browne has joined #openstack-keystone [00:01]
notmorgan: 100%* [00:01]
*** doug-fish has joined #openstack-keystone [00:01]
*** jbell8 has quit IRC [00:02]
stevemar: notmorgan: jamielennox this should be easy peasy: https://review.openstack.org/#/c/277574/1 [00:09]
*** mylu has quit IRC [00:09]
jamielennox: stevemar: willing to +2 if you want to test it out live [00:11]
stevemar: jamielennox: yeah, that's what i was hoping to hear :) [00:12]
jamielennox: i thought it seems to be missing something to kick off the config file generation [00:12]
stevemar: jamielennox: if the link 404's i'll self approve a removal of the line [00:12]
stevemar: jamielennox: that's done by the change in conf.py [00:12]
jamielennox: is the config opts enough? [00:12]
stevemar: apparently [00:12]
jamielennox: alright, we can try it out [00:12]
stevemar: https://github.com/openstack/nova/commit/9a3ed7631a7654cf7656ece6875cb09ee301f991 [00:13]
stevemar: jamielennox: ^ [00:13]
stevemar: pretty much copy pasta [00:13]
*** daemontool has joined #openstack-keystone [00:17]
*** mylu has joined #openstack-keystone [00:18]
openstackgerrit: Steve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles  https://review.openstack.org/277319 [00:20]
*** doug-fish has quit IRC [00:22]
openstackgerrit: David Stanek proposed openstack/keystone: Replace exit() by sys.exit()  https://review.openstack.org/274519 [00:24]
*** doug-fish has joined #openstack-keystone [00:24]
openstackgerrit: David Stanek proposed openstack/keystone: Replace exit() with sys.exit()  https://review.openstack.org/274519 [00:25]
*** doug-fish has quit IRC [00:25]
*** doug-fish has joined #openstack-keystone [00:26]
*** doug-fish has quit IRC [00:27]
stevemar: dstanek: feel free to approve that one... ^ i won't tattle tale on you for changing 4 lines [00:27]
dstanek: stevemar: that's twice as many as the original commit :-) [00:29]
stevemar: hehe [00:29]
stevemar: dstanek: meh, minor [00:29]
dstanek: stevemar: i'll let the tests run and then go ahead and approve if there's no more work to do [00:29]
stevemar: dstanek: sounds good to me boss [00:29]
*** doug-fish has joined #openstack-keystone [00:30]
*** shoutm has joined #openstack-keystone [00:34]
*** bill_az has quit IRC [00:35]
*** jasonsb has joined #openstack-keystone [00:38]
*** doug-fish has quit IRC [00:40]
openstackgerrit: Eric Brown proposed openstack/keystone: Small typos on the ldap.url config option help  https://review.openstack.org/277639 [00:43]
*** doug-fish has joined #openstack-keystone [00:45]
*** itlinux has joined #openstack-keystone [00:52]
*** clenimar has quit IRC [00:53]
*** shoutm_ has joined #openstack-keystone [00:59]
*** shoutm has quit IRC [01:00]
*** browne has quit IRC [01:01]
*** browne has joined #openstack-keystone [01:03]
*** doug-fish has quit IRC [01:13]
openstackgerrit: Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Trying py27/34 with oslo-master  https://review.openstack.org/277648 [01:25]
*** su_zhang has quit IRC [01:25]
*** clenimar has joined #openstack-keystone [01:29]
*** gildub has quit IRC [01:35]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Avoid wrong deletion of domain assignments  https://review.openstack.org/275706 [01:38]
stevemar: dstanek: it passed [01:58]
dstanek: stevemar: approved [01:59]
stevemar: ty [01:59]
*** shoutm_ has quit IRC [02:02]
*** shoutm has joined #openstack-keystone [02:02]
*** gyee has quit IRC [02:06]
*** doug-fish has joined #openstack-keystone [02:14]
stevemar: dolphm: dstanek lbragstad notmorgan TOTP patch up, and it needs eyes on it: https://review.openstack.org/#/c/274901/3 [02:15]
openstackgerrit: Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Trying py27/34 with oslo-master  https://review.openstack.org/277648 [02:16]
*** doug-fish has quit IRC [02:19]
*** doug-fish has joined #openstack-keystone [02:25]
*** browne has quit IRC [02:27]
*** mylu has quit IRC [02:32]
notmorgan: stevemar: uhm... release notes makes no sense to me, it keeps erroring in less-than-useful ways [02:35]
stevemar: notmorgan: referring to something specific? [02:35]
notmorgan: /home/jenkins/workspace/gate-keystone-releasenotes/releasenotes/source/unreleased.rst:96: WARNING: Definition list ends without a blank line; unexpected unindent. [02:35]
*** mylu has joined #openstack-keystone [02:35]
notmorgan: can't figure out what is going on. the previous changeset works. this one doesn't. I've looked and the - > ... bit is the same as the one above it. [02:36]
notmorgan: last time this happened a random rebase solved it... but afaict it didn't change anything [02:37]
stevemar: notmorgan: commented no https://review.openstack.org/#/c/277615/1 [02:37]
stevemar: on* [02:37]
notmorgan: nope [02:38]
notmorgan: fixed that and it still fails locally [02:38]
stevemar: notmorgan: i'll pull it down [02:38]
notmorgan: new clean venv [02:38]
notmorgan: reno does not produce useful errors :( [02:39]
notmorgan: WTF. it worked this time [02:39]
notmorgan: zero changes [02:39]
notmorgan: the files have the same md5 hash [02:39]
notmorgan: i changed nothing and it works. [02:39]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Rollup URL_NORMALIZER middleware  https://review.openstack.org/277615 [02:39]
* notmorgan shrugs and gives up. [02:40]
stevemar: lol [02:40]
notmorgan: so anyway... [02:40]
notmorgan: you have lots of deprecation code to review :P [02:40]
notmorgan: and i have one more bug fix/cleanup patch to layer on top to make S3 actually have a v3 controller [02:41]
stevemar: notmorgan: wat.... i am getting the same error now [02:41]
*** edmondsw has quit IRC [02:41]
notmorgan: stevemar: right!? [02:41]
notmorgan: then it randomly worked. [02:41]
notmorgan: the last time was a "update:" was a unicode error [02:42]
stevemar: notmorgan: i had a comment in one of the patches, there's redundant code in middleware [02:42]
stevemar: notmorgan: https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L84 [02:43]
notmorgan: yeah i saw that [02:43]
notmorgan: not sure what it was meant to be for [02:43]
notmorgan: i was planning on taking a closer look but ... i mean... does it do anything? [02:43]
stevemar: notmorgan: if it used, rip it out [02:44]
stevemar: if its not* used... [02:44]
notmorgan: right it isn't in our pipeline [02:44]
*** clenimar has quit IRC [02:44]
notmorgan: so i just hadn't figured out why someone would be using it [02:44]
notmorgan: maybe it's the predecessor to JsonBody? [02:45]
stevemar: notmorgan: oh right, the release notes only take effect once committed [02:45]
*** doug-fish has quit IRC [02:45]
notmorgan: stevemar: /me facepalms [02:45]
stevemar: notmorgan: so changing it, and running tox -e releasenotes won't fix it :) [02:46]
stevemar: gotta commit! [02:46]
stevemar: hehe [02:46]
*** doug-fish has joined #openstack-keystone [02:46]
notmorgan: yeah i think PostParams is what JsonBody ended up doing + json decode [02:46]
*** fawadkhaliq has joined #openstack-keystone [02:47]
stevemar: notmorgan: poking again for https://review.openstack.org/#/c/277574/ [02:47]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Remove PostParams middleware  https://review.openstack.org/277664 [02:49]
notmorgan: stevemar: ^ [02:49]
*** doug-fish has quit IRC [02:50]
notmorgan: stevemar: sorry that is kind of deep on the stack but trying to avoid rebase for the sake of rebasing [02:50]
stevemar: notmorgan: np [02:51]
*** clenimar has joined #openstack-keystone [02:51]
notmorgan: stevemar: so that unwinds a ton of ick. next ick to unwind the @protected decorator, which now can be unwound more easily because the middleware has been unwound. [02:52]
stevemar: notmorgan: no desire to review the totp patch :) [02:53]
notmorgan: the S3 one? [02:53]
notmorgan: that one has resolved the legal stick-y-ness and also documented it so someone doesn't try and roll it back in [02:53]
stevemar: notmorgan: sorry, TOTP, https://review.openstack.org/#/c/274901/ [02:53]
notmorgan: and break it. [02:53]
notmorgan: oh TOTP [02:53]
notmorgan: hah [02:53]
notmorgan: i need food and beer first [02:53]
stevemar: wasn't a typo lol [02:53]
* notmorgan is not reading well. [02:54]
*** dan_nguyen has quit IRC [02:55]
notmorgan: lol i have code that looks *a lot* like that code [02:57]
notmorgan: for my CLI google-auth thing [02:57]
*** lhcheng has quit IRC [02:59]
*** EinstCrazy has joined #openstack-keystone [03:02]
notmorgan: stevemar: the javascript "find" on the page makes me sad [03:03]
stevemar: notmorgan: what find? [03:03]
notmorgan: in gerrit [03:04]
notmorgan: the javascript search [03:04]
notmorgan: vs. letting me use my browser's "search" function [03:04]
*** shoutm has quit IRC [03:05]
notmorgan: stevemar: reviewed totp [03:07]
*** EinstCrazy has quit IRC [03:07]
*** shoutm has joined #openstack-keystone [03:10]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Missing 'region' in service and 'name' in endpoint for EndpointFilterCatalog  https://review.openstack.org/265797 [03:13]
*** browne has joined #openstack-keystone [03:13]
*** mylu has quit IRC [03:14]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles  https://review.openstack.org/277436 [03:26]
*** dims has joined #openstack-keystone [03:27]
*** dims_ has quit IRC [03:28]
*** dims has quit IRC [03:30]
*** ccard_ has joined #openstack-keystone [03:31]
*** doug-fish has joined #openstack-keystone [03:32]
*** mylu has joined #openstack-keystone [03:33]
*** su_zhang has joined #openstack-keystone [03:34]
*** ccard__ has quit IRC [03:34]
*** spandhe has quit IRC [03:37]
*** links has joined #openstack-keystone [03:41]
*** dims has joined #openstack-keystone [03:43]
*** mylu has quit IRC [03:45]
*** mylu has joined #openstack-keystone [03:46]
*** dims has quit IRC [03:47]
*** gildub has joined #openstack-keystone [03:47]
*** mylu has quit IRC [03:49]
*** mylu has joined #openstack-keystone [03:49]
*** dikonoor has joined #openstack-keystone [03:51]
*** diazjf has joined #openstack-keystone [03:54]
*** diazjf1 has joined #openstack-keystone [03:55]
*** doug-fish has quit IRC [03:56]
*** doug-fish has joined #openstack-keystone [03:56]
*** doug-fish has quit IRC [03:57]
*** diazjf has quit IRC [03:58]
*** diazjf1 has quit IRC [03:58]
*** doug-fis_ has joined #openstack-keystone [04:00]
*** doug-fis_ has quit IRC [04:04]
*** doug-fish has joined #openstack-keystone [04:09]
*** ayoung has quit IRC [04:15]
*** shoutm_ has joined #openstack-keystone [04:19]
*** mylu has quit IRC [04:19]
*** shoutm has quit IRC [04:20]
*** mylu has joined #openstack-keystone [04:20]
*** shoutm_ has quit IRC [04:28]
openstackgerrit: Merged openstack/keystone: Small typos on the ldap.url config option help  https://review.openstack.org/277639 [04:30]
*** daemontool has quit IRC [04:32]
*** shoutm has joined #openstack-keystone [04:32]
*** daemontool has joined #openstack-keystone [04:32]
*** dikonoor has quit IRC [04:37]
*** mylu has quit IRC [04:38]
*** fawadkhaliq has quit IRC [04:42]
*** mylu has joined #openstack-keystone [04:42]
openstackgerrit: Merged openstack/keystone: Replace exit() with sys.exit()  https://review.openstack.org/274519 [04:45]
openstackgerrit: Merged openstack/keystone: include sample config file in docs  https://review.openstack.org/277574 [04:45]
*** shoutm has quit IRC [04:49]
*** shoutm has joined #openstack-keystone [04:53]
*** mylu has quit IRC [04:55]
*** dan_nguyen has joined #openstack-keystone [04:56]
*** dulek has joined #openstack-keystone [05:00]
*** shoutm_ has joined #openstack-keystone [05:00]
*** roxanaghe has joined #openstack-keystone [05:01]
*** shoutm has quit IRC [05:03]
*** mylu has joined #openstack-keystone [05:05]
*** jgriffith is now known as jgriffith_away [05:07]
*** jbell8 has joined #openstack-keystone [05:11]
*** mylu has quit IRC [05:13]
*** jbell8 has quit IRC [05:13]
*** fawadkhaliq has joined #openstack-keystone [05:14]
*** fawadkhaliq has quit IRC [05:14]
*** fawadkhaliq has joined #openstack-keystone [05:14]
*** jbell8 has joined #openstack-keystone [05:15]
*** GB21 has joined #openstack-keystone [05:19]
*** mylu has joined #openstack-keystone [05:20]
*** daemontool_ has joined #openstack-keystone [05:21]
*** daemontool has quit IRC [05:22]
*** GB21 has quit IRC [05:25]
*** jbell8 has quit IRC [05:34]
*** jbell8 has joined #openstack-keystone [05:34]
*** Nirupama has joined #openstack-keystone [05:36]
*** GB21 has joined #openstack-keystone [05:38]
*** dan_nguyen has quit IRC [05:40]
*** roxanaghe has quit IRC [05:42]
*** mylu has quit IRC [05:45]
*** roxanaghe has joined #openstack-keystone [05:46]
*** mylu has joined #openstack-keystone [05:46]
*** doug-fish has quit IRC [05:48]
*** mylu has quit IRC [05:49]
*** clenimar has quit IRC [05:49]
*** mylu has joined #openstack-keystone [05:53]
*** jbell8 has quit IRC [05:54]
*** jbell8 has joined #openstack-keystone [05:55]
*** mylu has quit IRC [05:55]
*** doug-fish has joined #openstack-keystone [05:55]
*** shoutm_ has quit IRC [05:57]
*** shoutm has joined #openstack-keystone [05:57]
*** roxanaghe has quit IRC [06:07]
*** doug-fish has quit IRC [06:08]
*** dikonoor has joined #openstack-keystone [06:09]
*** shoutm has quit IRC [06:20]
*** shoutm has joined #openstack-keystone [06:25]
*** shoutm_ has joined #openstack-keystone [06:36]
*** roxanaghe has joined #openstack-keystone [06:37]
*** shoutm has quit IRC [06:38]
*** roxanaghe has quit IRC [06:44]
openstackgerrit: Kalaswan Datta proposed openstack/keystone: Clear the project ID from user information  https://review.openstack.org/277707 [06:51]
*** shoutm has joined #openstack-keystone [06:56]
openstackgerrit: Kalaswan Datta proposed openstack/keystone: Clear the project ID from user information  https://review.openstack.org/277707 [06:56]
*** shoutm_ has quit IRC [06:58]
*** rudolfvriend has joined #openstack-keystone [07:27]
*** jbell8 has quit IRC [07:29]
*** jbell8 has joined #openstack-keystone [07:30]
openstackgerrit: Steve Martinelli proposed openstack/keystone: remove link that 404s in sample config  https://review.openstack.org/277716 [07:32]
*** richm has joined #openstack-keystone [07:34]
*** doug-fish has joined #openstack-keystone [07:38]
*** henrynash has joined #openstack-keystone [07:40]
*** ChanServ sets mode: +v henrynash [07:40]
*** belmoreira has joined #openstack-keystone [07:41]
*** doug-fis_ has joined #openstack-keystone [07:42]
*** doug-fish has quit IRC [07:43]
*** doug-fis_ has quit IRC [07:47]
*** nkinder has joined #openstack-keystone [07:48]
*** jbell8 has quit IRC [07:51]
*** jbell8 has joined #openstack-keystone [07:52]
*** su_zhang has quit IRC [07:54]
openstackgerrit: henry-nash proposed openstack/keystone: Change get_project permission  https://review.openstack.org/270057 [07:57]
*** mvk has joined #openstack-keystone [08:04]
*** GB21 has quit IRC [08:04]
*** nkinder has quit IRC [08:10]
*** browne has quit IRC [08:18]
*** pnavarro has joined #openstack-keystone [08:19]
*** sinese_ has joined #openstack-keystone [08:24]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/249486 [08:26]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Remove eventlet support  https://review.openstack.org/249486 [08:26]
*** oomichi has quit IRC [08:28]
*** shoutm has quit IRC [08:34]
*** shoutm has joined #openstack-keystone [08:35]
*** jaosorior has joined #openstack-keystone [08:37]
*** e0ne has joined #openstack-keystone [08:49]
*** mvk has quit IRC [08:49]
*** fhubik has joined #openstack-keystone [08:56]
*** shoutm_ has joined #openstack-keystone [08:56]
*** shoutm has quit IRC [08:58]
*** jaosorior has quit IRC [09:03]
*** fhubik is now known as fhubik_brb [09:04]
*** jaosorior has joined #openstack-keystone [09:08]
*** jaosorior has quit IRC [09:08]
*** jaosorior has joined #openstack-keystone [09:09]
*** fhubik_brb is now known as fhubik [09:15]
*** pnavarro has quit IRC [09:16]
*** mvk has joined #openstack-keystone [09:17]
*** dikonoor has quit IRC [09:17]
*** dikonoor has joined #openstack-keystone [09:18]
*** e0ne has quit IRC [09:19]
*** dikonoo has joined #openstack-keystone [09:19]
*** dikonoor has quit IRC [09:23]
*** mvk has quit IRC [09:29]
openstackgerrit: henry-nash proposed openstack/keystone: Change get_project permission  https://review.openstack.org/270057 [09:30]
*** mvk has joined #openstack-keystone [09:30]
*** GB21 has joined #openstack-keystone [09:32]
*** pnavarro has joined #openstack-keystone [09:33]
*** mhickey has joined #openstack-keystone [09:37]
*** jsheeren has joined #openstack-keystone [09:39]
*** daemontool has joined #openstack-keystone [09:39]
*** jbell8 has quit IRC [09:40]
*** daemontool_ has quit IRC [09:40]
*** jbell8 has joined #openstack-keystone [09:44]
*** richm has quit IRC [09:46]
*** fawadkhaliq has quit IRC [09:47]
*** fawadkhaliq has joined #openstack-keystone [09:47]
*** jbell8 has quit IRC [09:51]
*** fhubik is now known as fhubik_brb [09:52]
*** fhubik_brb is now known as fhubik [09:52]
*** fawadkhaliq has quit IRC [10:01]
*** jsheeren has quit IRC [10:03]
*** richm has joined #openstack-keystone [10:03]
*** jsheeren has joined #openstack-keystone [10:06]
*** GB21 has quit IRC [10:12]
*** GB21 has joined #openstack-keystone [10:12]
*** e0ne has joined #openstack-keystone [10:21]
*** GB21 has quit IRC [10:23]
*** GB21 has joined #openstack-keystone [10:24]
*** nkinder has joined #openstack-keystone [10:28]
*** jaosorior has quit IRC [10:29]
*** jaosorior has joined #openstack-keystone [10:29]
*** esp has joined #openstack-keystone [10:30]
*** brad[] has quit IRC [10:33]
*** samueldmq1 has joined #openstack-keystone [10:33]
*** brad[] has joined #openstack-keystone [10:33]
*** esp has quit IRC [10:37]
*** samueldmq1 has quit IRC [10:38]
*** dims has joined #openstack-keystone [10:45]
*** dims has quit IRC [10:49]
*** dims has joined #openstack-keystone [10:50]
*** fawadkhaliq has joined #openstack-keystone [10:50]
*** richm has quit IRC [11:06]
*** mvk has quit IRC [11:07]
*** mvk has joined #openstack-keystone [11:08]
*** fawadkhaliq has quit IRC [11:19]
*** fawadkhaliq has joined #openstack-keystone [11:19]
*** fawadkhaliq has quit IRC [11:19]
*** fawadkhaliq has joined #openstack-keystone [11:20]
*** fhubik has quit IRC [11:33]
*** dims_ has joined #openstack-keystone [11:40]
*** dims has quit IRC [11:40]
*** boris-42 has quit IRC [11:43]
*** richm has joined #openstack-keystone [11:48]
*** GB21 has quit IRC [11:51]
*** xek_ is now known as xek [11:51]
*** pnavarro has quit IRC [11:56]
*** nkinder has quit IRC [12:02]
*** richm has quit IRC [12:08]
*** dims_ has quit IRC [12:11]
*** richm has joined #openstack-keystone [12:13]
*** nkinder has joined #openstack-keystone [12:18]
*** dims_ has joined #openstack-keystone [12:19]
*** gildub has quit IRC [12:24]
*** nkinder has quit IRC [12:27]
*** gordc has joined #openstack-keystone [12:36]
Anticimex: hey [12:38]
*** openstackgerrit_ has joined #openstack-keystone [12:38]
Anticimex: trying to make a production deployment decision of kilo or liberty based on a *hard* keystone v3 requirement (federation). what's the correct choice from keystone v3 support point of view? [12:38]
*** fawadkhaliq has quit IRC [12:43]
henrynash: Anticimex: not quite sure what you mean by "correct choice from a keystone v3 support point of view"? [12:44]
*** doug-fish has joined #openstack-keystone [12:45]
Anticimex: hi henry [12:46]
Anticimex: i mean openstack components level of implementation of keystone v3 (domains) [12:46]
Anticimex: eg. heat's ec2api dependency on python-novaclient leads to: https://bugs.launchpad.net/keystone/+bug/1534655  , when testing autoscaling [12:47]
openstack: Launchpad bug 1534655 in heat (Ubuntu) "Autoscaling auth failure in OpenStack Kilo 2015.1.2" [Undecided,Confirmed] [12:47]
*** doug-fish has quit IRC [12:47]
*** doug-fish has joined #openstack-keystone [12:48]
Anticimex: i'm grepping in *-specs now and finding that glance is doing some keystone trust work for mitaka, otherwise many keystone v3 things seem to have been targeted for juno [12:48]
Anticimex: ceilometer had some keystone specs for kilo [12:48]
Anticimex: (rbac) [12:48]
dstanek: Anticimex: the newer the release the more features you will have [12:49]
dstanek: and likely more bug fixes. not everything is always backported [12:50]
Anticimex: right, i checked around launchpad and it seems to agree [13:00]
*** pnavarro has joined #openstack-keystone [13:02]
*** kalaswan has joined #openstack-keystone [13:06]
*** woodster_ has quit IRC [13:06]
*** links has quit IRC [13:17]
*** fawadkhaliq has joined #openstack-keystone [13:22]
*** bill_az has joined #openstack-keystone [13:25]
dims_: bknudson_ : stevemar : around? need input on this suggestion from sdague - https://review.openstack.org/#/c/277676/ [13:40]
*** ninag has joined #openstack-keystone [13:40]
dims_: bknudson_ : stevemar : so i am trying to run py27/py34 of keystone against oslo.* master as periodic jobs, there's one quirk in keystone's tox.ini's testenv:py34 which is additional deps for nose. i was trying to account for that in my project-config review above and ended up with a -1 from Sean [13:42]
*** daemontool has quit IRC [13:42]
*** henrynash has quit IRC [13:51]
openstackgerrit: Tom Cocozzello proposed openstack/keystone: Deprecate Saml2 auth plugin  https://review.openstack.org/275438 [13:51]
openstackgerrit: Tom Cocozzello proposed openstack/keystone: Deprecate Saml2 auth plugin  https://review.openstack.org/275438 [13:53]
*** edmondsw has joined #openstack-keystone [13:56]
*** openstackgerrit_ has quit IRC [13:56]
*** jsavak has joined #openstack-keystone [13:58]
*** daemontool has joined #openstack-keystone [13:59]
*** vgridnev has joined #openstack-keystone [14:00]
*** dims_ has quit IRC [14:03]
*** bdossant has joined #openstack-keystone [14:05]
*** petertr7_away is now known as petertr7 [14:05]
*** dims has joined #openstack-keystone [14:10]
*** shoutm_ has quit IRC [14:11]
*** Nirupama has quit IRC [14:14]
*** mylu has joined #openstack-keystone [14:14]
*** daemontool_ has joined #openstack-keystone [14:16]
*** links has joined #openstack-keystone [14:16]
dstanek: dims: i can switch keystone from being a whitelist to a blacklist and get rid of nose [14:16]
openstackgerrit: Tom Cocozzello proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/244149 [14:17]
openstackgerrit: Tom Cocozzello proposed openstack/keystone: Test list project hierarchy is correct for a large tree  https://review.openstack.org/277512 [14:17]
openstackgerrit: Tom Cocozzello proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/245916 [14:17]
*** daemontool has quit IRC [14:17]
*** jgriffith_away is now known as jgriffith [14:21]
*** jsavak has quit IRC [14:21]
dims: dstanek : that would be awesome! [14:21]
*** esp has joined #openstack-keystone [14:21]
*** jsavak has joined #openstack-keystone [14:22]
*** esp has quit IRC [14:29]
dstanek: dims: i can get it done in a little bit [14:31]
dims: awesome! [14:32]
*** mylu has quit IRC [14:34]
*** dave-mccowan has joined #openstack-keystone [14:34]
*** dikonoo has quit IRC [14:35]
*** jgriffith is now known as jgriffith_away [14:35]
*** mylu has joined #openstack-keystone [14:35]
openstackgerrit: Tom Cocozzello proposed openstack/keystone: Deprecate Saml2 auth plugin  https://review.openstack.org/275438 [14:35]
*** jgriffith_away is now known as jgriffith [14:43]
*** dikonoor has joined #openstack-keystone [14:49]
*** pnavarro has quit IRC [14:50]
*** amit213 has quit IRC [14:51]
*** kalaswan has quit IRC [14:51]
*** fawadkhaliq has quit IRC [14:52]
*** links has quit IRC [14:54]
*** timcline has joined #openstack-keystone [14:56]
*** mylu has quit IRC [14:56]
*** mylu has joined #openstack-keystone [14:57]
*** timcline has quit IRC [15:01]
*** timcline has joined #openstack-keystone [15:01]
*** pnavarro has joined #openstack-keystone [15:03]
*** nkinder has joined #openstack-keystone [15:04]
*** su_zhang has joined #openstack-keystone [15:05]
*** sigmavirus24_awa is now known as sigmavirus24 [15:07]
*** pnavarro has quit IRC [15:09]
*** timcline_ has joined #openstack-keystone [15:12]
*** timcline has quit IRC [15:13]
*** timcline_ has quit IRC [15:15]
*** timcline has joined #openstack-keystone [15:15]
*** timcline_ has joined #openstack-keystone [15:17]
*** timcline has quit IRC [15:21]
*** pnavarro has joined #openstack-keystone [15:22]
*** rk4n has joined #openstack-keystone [15:23]
*** phalmos has joined #openstack-keystone [15:23]
*** clenimar has joined #openstack-keystone [15:27]
*** pushkaru has joined #openstack-keystone [15:27]
*** slberger has joined #openstack-keystone [15:35]
openstackgerrit: Jorge Munoz proposed openstack/keystone: Add tests for trust using impersonation  https://review.openstack.org/273279 [15:35]
*** petertr7 is now known as petertr7_away [15:38]
openstackgerrit: Jorge Munoz proposed openstack/keystone: Fix trust redelegation tests  https://review.openstack.org/273232 [15:40]
*** woodster_ has joined #openstack-keystone [15:45]
tjcocozz: so i am stacking devstack with liberty and i am running into this problem where it is trying to install eventlet from the upper-constraints.txt file.  (https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L121)  well it turns out this does not exist in pypi (https://pypi.python.org/pypi/eventlet/0.18.1)  How do changes get applied to upper-constraints.txt ? [15:51]
*** jsheeren has quit IRC [15:54]
stevemar: dims: o/ [15:54]
dstanek: tjcocozz: submit a review to the requirements project? [15:54]
dstanek: dims: so i tried to get rid of nose, but it looks like it will require some really ugly keystone changes to work [15:55]
dims: stevemar : dstanek volunteered to help fixup the py34 tox target [15:55]
tjcocozz: dstanek, doing it now, thanks. [15:55]
stevemar: dims: looks like the fix didn't work :\ [15:56]
dims: dstanek : ouch, can you please respond on that review so we can convince sdague to let things be for now? [15:56]
openstackgerrit: Tom Cocozzello proposed openstack/keystone-specs: Change token method  https://review.openstack.org/277908 [15:58]
dstanek: dims: sure [15:58]
dstanek: dims: i'm going to see if there is a way for me to limit the badness before i respond [16:03]
*** gokrokve has joined #openstack-keystone [16:04]
*** sinese_ has quit IRC [16:04]
dstanek: dims: the problem is that there is no way to blacklist files from the test listing step [16:04]
*** pnavarro has quit IRC [16:05]
*** mvk has quit IRC [16:07]
*** fawadkhaliq has joined #openstack-keystone [16:08]
dims: dstanek : yep, we had that problem in nova too [16:11]
*** boris-42 has joined #openstack-keystone [16:11]
bknudson_: dstanek: can we switch from nose to python -m unittest ? [16:11]
dstanek: dims: what did they do to get around it? i'm mocking modules now [16:12]
*** daemontool__ has joined #openstack-keystone [16:12]
dims: dstanek : had to slowly fix it - series of patches [16:12]
*** daemontool__ is now known as daemontool [16:13]
dims: dstanek : including fixing other libs like boto etc [16:13]
dstanek: dims: we're stuck until someone fixes ldap :-( [16:13]
dstanek: bknudson_: the review isn't as bad as i thought - almost have all of the tests running [16:13]
dstanek: bknudson_: i like the blacklist because that means new files are automatically tested and it's easier to see what isn't [16:14]
dims: dstanek : right, we use blacklist in nova as well [16:14]
*** hrou_ has left #openstack-keystone [16:14]
stevemar: dstanek: i would hope that by now our blacklist is shorter than our whitelist :) [16:14]
dstanek: stevemar: i'll let you know in a minute :-) [16:15]
* dstanek crosses fingers [16:15]
*** daemontool_ has quit IRC [16:15]
*** nkinder has quit IRC [16:16]
*** petertr7_away is now known as petertr7 [16:18]
dstanek: stevemar: without any blacklisting 2236 out of 5374 fail [16:20]
bknudson_: we need to clean up the duplication in the unit tests [16:21]
*** jbell8 has joined #openstack-keystone [16:21]
*** nkinder has joined #openstack-keystone [16:21]
*** belmoreira has quit IRC [16:21]
*** diazjf has joined #openstack-keystone [16:27]
*** vgridnev has quit IRC [16:27]
*** ninag_ has joined #openstack-keystone [16:29]
*** ninag has quit IRC [16:31]
lbragstad: stevemar want me to send the email for this or do you want to? https://bugs.launchpad.net/keystone/+bug/1543321 [16:31]
openstack: Launchpad bug 1543321 in OpenStack Identity (keystone) "Trusts on v2.0 are undocumented" [Undecided,New] [16:31]
lbragstad: stevemar hopping in a meeting now [16:32]
*** timcline_ has quit IRC [16:32]
*** browne has joined #openstack-keystone [16:32]
*** timcline has joined #openstack-keystone [16:33]
openstackgerrit: Steve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles  https://review.openstack.org/277319 [16:33]
openstackgerrit: Steve Martinelli proposed openstack/keystone: add a test that uses trusts and implies roles  https://review.openstack.org/277319 [16:34]
stevemar: lbragstad: go ahead and send it off, i trust ya :P [16:35]
*** petertr7 is now known as petertr7_away [16:35]
*** pnavarro has joined #openstack-keystone [16:38]
*** timcline_ has joined #openstack-keystone [16:38]
*** petertr7_away is now known as petertr7 [16:38]
dstanek: dims: do you know how to have ostestr only run specific tests? like 'tox -e py27 -- test_cli' [16:39]
*** timcline_ has quit IRC [16:39]
*** timcline_ has joined #openstack-keystone [16:40]
*** timcline has quit IRC [16:41]
notmorgan: dstanek: ostestr seems to be weird to me :( [16:47]
*** dikonoor has quit IRC [16:48]
dstanek: notmorgan: if by weird you mean dumb, then yes i agree [16:49]
notmorgan: hehe [16:49]
bknudson_: dstanek: --regex [16:51]
*** Raildo has joined #openstack-keystone16:55
*** Raildo is now known as raildo16:55
dstanekbknudson_: yeah, i found that, but i still can't find a way to pass testr args like '--failing'16:55
*** ninag_ has quit IRC16:56
*** ninag has joined #openstack-keystone16:56
*** jgriffith is now known as jgriffith_away16:58
*** raildo has quit IRC16:59
notmorgandstanek: ostestr seems to a be a lot less usable than testr itself17:00
*** bdossant has quit IRC17:00
dstaneknotmorgan: it is, but it adds a feature that i need for py3 (unless i want to just steal the regex logic17:00
dimsmtreinish : ^^ ostestr questions :)17:00
* notmorgan would like to see ostestr go away17:01
notmorgandstanek: stealthe logic17:01
notmorgandon't use ostestr17:01
notmorgani will be a lot less happy w/ ostestr17:01
dimsnotmorgan : OR we could fix ostestr :)17:02
*** peter-hamilton has joined #openstack-keystone17:02
dstanekdims: why not fix testr since ostestr is for fixing its bugs?17:02
dimsi've been able to get in some fixes quickly and released quickly as well17:02
notmorgandstanek: ++17:02
notmorgani would rather just fix testr17:02
dimsdstanek : ha, great question :)17:02
*** d0ugal has quit IRC17:02
notmorganseriously, i don't want keystone to use ostestr.17:02
bknudson_keystoneauth uses ostestr17:03
dstaneka lot of this feels like testr is just not designed to be a developer tool - nose is far better for my workflow17:03
notmorganbknudson_: and i want to stop it17:03
notmorganbknudson_: in fact i want that to go back to normal testr17:03
notmorganbknudson_: i just haven't gotten around to it17:03
*** raildo-afk is now known as raildo17:03
bknudson_I'm not sure why that's used... maybe it's part of the skeleton project?17:04
notmorganbknudson_: because i dont have to do as much with ksa tests [they are much simplier]17:04
*** jaosorior has quit IRC17:04
notmorganbknudson_: i think someone ported over to it17:04
notmorganbecause iirc i used testr when ksa started17:04
notmorgandstanek: i'd rather have testr/nose both be available17:04
bknudson_commit ec16789cf11717e3d04cf1beb0e27f22cc98f15617:04
bknudson_notmorgan: you can probably guess who +2d it.17:05
notmorganbknudson_: yep17:05
notmorganbknudson_: i didn't realize how much less-usable ostestr was at the time17:06
*** daemontool has quit IRC17:06
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Revert "Convert project to os-testr"  https://review.openstack.org/27796517:07
bknudson_apparently it makes error messages easier to read?17:07
*** spandhe has joined #openstack-keystone17:07
notmorganbknudson_: ^17:07
lbragstadstevemar sent17:07
dstanekbknudson_: don't make errors :-P17:07
bknudson_I'm not sure what the difference is in the error reporting ... seems to work fine in keystone17:07
*** richm has quit IRC17:07
notmorganbknudson_: agreed17:07
*** timcline has joined #openstack-keystone17:07
*** ninag has quit IRC17:07
notmorgandstanek: if you can make testr and nose play nicely together [maybe an env var?]17:08
*** dan_nguyen has joined #openstack-keystone17:08
notmorgandstanek: i'd be very happy to see it used.17:08
bknudson_what's so great about nose?17:08
notmorganbknudson_: better for isolated test runs / debugging17:08
bknudson_over, e.g., python -m unittest17:08
notmorganbknudson_: not a ton. both are good runners17:09
notmorganbknudson_: slightly different workflows.17:09
dstanekbknudson_: i'm fond of using nose+plugins17:09
notmorganthe plugins are better w/ nose17:09
bknudson_noseplugs17:09
notmorganbut baseline use, they are about the same17:09
*** timcline has quit IRC17:09
notmorganmordred: https://review.openstack.org/27796517:09
*** ninag has joined #openstack-keystone17:10
*** mylu has quit IRC17:10
*** timcline has joined #openstack-keystone17:10
dstaneknotmorgan: i'll fix to not use os-testr before i submit. maybe i'll just use it to create the massive regex17:10
*** timcline_ has quit IRC17:10
notmorgandstanek: actually... hey can you use the .testr.conf and use a new pattern match?17:10
notmorganiirc there was a way to do that17:11
*** ninag has quit IRC17:11
*** timcline has quit IRC17:11
*** ninag has joined #openstack-keystone17:11
*** timcline has joined #openstack-keystone17:11
bknudson_is there a way to run doctest on tox -e py27 ?17:12
bknudson_that would be handy for keystoneauth / keystoneclient17:12
notmorganbknudson_: doctest?17:12
dstaneknotmorgan: my plan was to just pass it a regex. i don't want to change anything fundamental since this is only "temporary"17:12
*** gyee has joined #openstack-keystone17:12
*** ChanServ sets mode: +v gyee17:12
bknudson_notmorgan: https://docs.python.org/2/library/doctest.html17:13
notmorganoh neat17:13
notmorgandstanek: ++17:13
dstanekbknudson_: just append it to the commands list17:13
dstanekbknudson_: do we have doctests?17:13
dstanekbknudson_: normally those are considered to be bad to do17:13
bknudson_you mean do we have example code?17:13
bknudson_why is example code bad?17:14
*** nkinder has quit IRC17:14
dstanekbknudson_: a doctest is a test that is in the docstring - because you have to have the setup code in there too17:14
bknudson_y, I'm not sure how the setup code works. We'd have to do mocking somehow.17:15
dstanekbknudson_: normally that all goes in the docstring, which is why i don't like it17:15
bknudson_otherwise you'd have to set up devstack just to run the tests17:15
*** ninag has quit IRC17:16
bknudson_we need a new doctest2 that has a fixture section.17:16
*** ninag has joined #openstack-keystone17:16
bknudson_http://nose.readthedocs.org/en/latest/doc_tests/test_doctest_fixtures/doctest_fixtures.html17:16
bknudson_now I see why you love nose so much17:17
bknudson_https://bugs.python.org/issue4899 -- REJECTED17:17
bknudson_maybe we should reference the test and make sure the test is readable.17:20
bknudson_instead of embedded example code17:20
*** ninag has quit IRC17:20
*** su_zhang has quit IRC17:21
dstanekbknudson_: it's a tough balance, but that's probably not a bad idea17:21
dstanekthere are 200 people in this channel, but only ~20 actually participate :-(17:22
notmorgandstanek: wow el capitan (OS X) wont let me install git-review :(17:22
notmorgandstanek: without a reboot and disabling major security features17:22
dstaneknotmorgan: really? what features?17:22
notmorganSIP17:22
notmorganit restricts non-apple signed apps from writing to /System17:23
notmorganbasically17:23
notmorganand /usr/bin etc17:23
notmorganand git review tries to drop its CLI in one of them17:23
notmorganvs usr/local like pip does.17:23
notmorgandstanek: even with root you can't write there.17:23
-openstackstatus- NOTICE: Gerrit is restarting now, to alleviate current performance impact and WebUI errors.17:24
notmorgandstanek: and you can't disable SIP at runtime, has to be done from recovery-mode17:24
notmorganfor that matter, can't enable it at runtime either17:24
notmorganit's written to NVRAM17:24
dstaneknotmorgan: haha. mac sucks17:24
notmorgandstanek: i just grabbed the mac cause it was closer for checking in before meeting17:25
notmorganusually it's in another room17:25
notmorganand turned off17:25
*** timcline has quit IRC17:25
*** timcline has joined #openstack-keystone17:26
notmorganbknudson_: ok https://review.openstack.org/#/c/277965/ rebased17:27
*** mylu has joined #openstack-keystone17:27
*** timcline has quit IRC17:30
*** timcline has joined #openstack-keystone17:30
*** e0ne has quit IRC17:32
*** _cjones_ has joined #openstack-keystone17:34
*** mylu has quit IRC17:34
*** gokrokve_ has joined #openstack-keystone17:34
notmorgandolphm: just got the email to get scheduling for OSIC17:35
notmorgandolphm: i guess this means i need to figure out my test plan :P17:35
stevemarnotmorgan: lbragstad i put you both on the agenda for the keystone meeting: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Main_Agenda17:35
notmorganstevemar:  damn it.17:36
notmorganstevemar: :P17:36
*** mylu has joined #openstack-keystone17:36
*** maxabidi has quit IRC17:37
*** gokrokve has quit IRC17:37
*** jaosorior has joined #openstack-keystone17:39
*** samueldmq has joined #openstack-keystone17:44
notmorganjamielennox: what is the status of the oslo_context ksm changes?17:45
*** browne has quit IRC17:46
*** sinese_ has joined #openstack-keystone17:46
notmorganjamielennox: and more to the point any thing i can do to help, i'd like to have that baking in mitaka17:49
notmorganjamielennox: so it's usable out the gate in newton.17:50
*** vgridnev has joined #openstack-keystone17:53
*** jaosorior has quit IRC17:53
*** mylu has quit IRC17:56
*** mylu has joined #openstack-keystone17:57
*** mylu has quit IRC17:58
*** lhcheng_ has joined #openstack-keystone17:59
*** mylu has joined #openstack-keystone18:00
dimsdstanek : what's the consensus? so i can go bug sdague :) https://review.openstack.org/#/c/277676/18:00
dstanekdims: i'm fixing in keystone, but not using ostestr18:00
dimsdstanek : cool thanks18:01
*** tsymanczyk has joined #openstack-keystone18:01
dstanekdims: ostestr doesn't appear to completely work in Py3 anyway :-(18:02
openstackgerritJorge Munoz proposed openstack/keystone: Move redelegated_trust_id out of extras  https://review.openstack.org/27647418:03
*** mylu has quit IRC18:03
*** jasonsb has quit IRC18:04
*** roxanaghe has joined #openstack-keystone18:05
*** su_zhang has joined #openstack-keystone18:05
*** woodster_ has quit IRC18:06
*** mylu has joined #openstack-keystone18:08
openstackgerritDolph Mathews proposed openstack/keystone: Introduce an identity_admin role to policy.json  https://review.openstack.org/27414318:09
*** gokrokve_ has quit IRC18:11
*** mhickey has quit IRC18:11
*** rudolfvriend has quit IRC18:15
*** e0ne has joined #openstack-keystone18:17
*** petertr7 is now known as petertr7_away18:18
edmondswdoes openstackclient not support CRUD for role assignments? I'm not seeing it in --help18:19
*** ninag has joined #openstack-keystone18:20
lbragstadedmondsw it's owned under openstack role (add,remove,etc)18:20
edmondswoh, I see it now... role add... but it looks like it's only for projects and users... not domains, groups18:20
*** ninag_ has joined #openstack-keystone18:21
samueldmqedmondsw: yes, as lbragstad said.. /role_assignments is only a GET route in keystone18:21
*** jsavak has quit IRC18:21
edmondswright, I knew that... just overlooked it in the help... but why doesn't it support groups and domains?18:21
lbragstadnotmorgan could you use something like https://github.com/openstack/oslo.config/blob/master/oslo_config/cfg.py#L1164 instead of MultiStrOpt?18:22
*** ninag has quit IRC18:25
*** roxanaghe has quit IRC18:25
*** daemontool has joined #openstack-keystone18:25
*** rk4n has quit IRC18:25
*** browne has joined #openstack-keystone18:26
*** su_zhang has quit IRC18:29
*** su_zhang has joined #openstack-keystone18:29
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358518:32
*** aginwala has joined #openstack-keystone18:32
notmorganlbragstad: ugly18:33
notmorganand npo18:33
*** lhcheng_ has quit IRC18:33
notmorganno*18:33
notmorganwe don't really restrict role name character sets18:33
notmorgansoooooo18:33
*** jgriffith_away is now known as jgriffith18:34
notmorgandolphm: re: https://review.openstack.org/#/c/274973/ I 100% agree on separate repo, but i'm not volunteering to split/maintain it.18:36
notmorgandolphm: and no one else is.18:36
notmorgandolphm: aaaannnnd we will still need to carry it =/18:36
notmorgandolphm: so might as well at least finish the no-more-extension work18:36
lbragstadnotmorgan it causes a problem for people programmatically determining a config because MultiStrOpt and ListOpt are both read in as lists...18:39
lbragstadand you have no way of determining what it came from18:39
cloudnull^ truth18:40
notmorganlbragstad: this was the argument against multistropt waaay back and was said "sorry we use it for reasons such as <can't delineate boundaries>".18:40
dolphmnotmorgan: why not merge the "required" middleware into a single, common middleware again? wsgi is insanely elegant, i really don't want to lose that power18:40
notmorgandolphm: it already is that .18:40
notmorgandolphm: if you look you just need to not auto-wrap the apps18:41
cloudnullnotmorgan: you can set bounds in listops18:41
cloudnullhttps://github.com/openstack/oslo.config/blob/master/oslo_config/cfg.py#L1156-L117518:41
notmorgancloudnull: not when you have no reserved characters :P18:41
notmorgandolphm: i did exactly what you're describing just one step further to auto-wrap the app-factories18:41
notmorgandolphm: _RequestHandler is middleware because i was replicating "today" behavior before changing it18:42
cloudnullthis is true, you cant define the delimiter.18:42
dolphmnotmorgan: "auto wrapping" == hardcoding the pipeline outside of paste18:42
notmorgancloudnull: that is the issue with the root_role thing. we don't have reserved characters :(18:42
notmorgandolphm: my next step was to make it not-middleware but figured it was something to cleanup once the code was done18:43
cloudnullthe issue isnt really one related to the config within the project, the issue is a deployer one.18:43
notmorgandolphm: also, i *really* didn't want middleware that "reaches into the db"18:43
cloudnullwe cant rewrite config using python18:44
cloudnullwe have to require an override for all options within a given config and rerev that on every release.18:44
notmorgandolphm: but like i said, it's not a big change to do what you're proposing18:44
cloudnullwhich is a nightmare.18:44
notmorgancloudnull: and we're backed into a corner here18:44
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802718:44
*** aginwala has quit IRC18:45
cloudnullfair enough18:45
*** mylu has quit IRC18:45
*** pnavarro has quit IRC18:45
cloudnulli mean it's a problem we're going to have to learn to deal with18:45
notmorgancloudnull: :P this is a history and compatibility vs pain for conf. management software :(18:45
cloudnullbut if it can be avoided, i'd advocate for that18:45
notmorgancloudnull: there is no good answer18:45
notmorgancloudnull: long term it'll all wash out18:45
* notmorgan wonders...18:46
notmorgani wonder if we could make multistropt read into a set() instead?18:46
notmorganoh no.18:46
notmorgannon-ordered18:46
* notmorgan grumbles.18:46
cloudnulleverything is terrible. we just need the least terrible option. :)18:46
notmorgancloudnull: so in this case, i really want listopt18:47
*** timcline has quit IRC18:47
notmorganbut i don't think we can use it18:47
cloudnullyea if the domain can have a "," in it then it's a no go18:47
notmorgandolphm: https://review.openstack.org/#/c/277570/1/keystone/version/service.py look at line 103, "new" side.18:48
notmorgandolphm: break that out and you have _RequestHandler as a middleware [prob. make it non-private]18:48
notmorgancloudnull: it's "role name" in this case18:48
notmorgancloudnull: but same thing18:48
cloudnullcan a role name be straight unicode ?18:49
notmorgandolphm: for each factory that is.18:49
notmorgancloudnull: i think it's pretty much unrestricted18:49
notmorgancloudnull: i mean... non-printing characters would be hard... and ASCII bell would be evil18:49
*** aginwala has joined #openstack-keystone18:49
cloudnullhow many deployments do we think are in the wild with "," in the role name?18:51
cloudnullis this more or less fencing around the possibility or is it something that is known to exist  ?18:52
notmorgancloudnull: unknown18:53
notmorgancloudnull: impossible to know18:53
cloudnullthats fair18:53
notmorgancloudnull: and how many would use root_roles18:54
notmorganeven more impossible to know18:54
notmorgansince it's a new feature ;)18:54
* cloudnull walks off cursing MultiStrOps18:54
*** lhcheng has joined #openstack-keystone18:54
*** ChanServ sets mode: +v lhcheng18:54
notmorgancloudnull: hehe18:54
notmorgancloudnull: sorry :(18:54
cloudnullit's really your only option which sucks18:54
cloudnullbut i understand it18:55
cloudnullill figure something out eventually18:55
cloudnullit's just a matter of time and coffee18:55
*** tmckay has joined #openstack-keystone18:56
mtreinishdims, dstanek, notmorgan: are you looking for: https://review.openstack.org/#/c/267824/18:56
tmckayHi folks. I just submitted https://review.openstack.org/#/c/278027, it was breaking me in Sahara :) I figured I would take a shot18:56
notmorganmtreinish: that would be nice. i basically don't want to use os-testr because some of that.18:57
tmckayplease be harsh, I wanted to get the ball rolling again after the issue was abandoned a few months ago18:57
notmorganmtreinish: but i also don't see the real benefit to os-testr over fixing issues in testr18:57
lbragstadso we want to document the behavior that we want, right?18:57
notmorganmtreinish: that fix will make it so i am less likely to say "no os-testr" after my experience with it in ksa18:57
lbragstaddo we want to do that in jorge_munoz's code review?18:58
mtreinishnotmorgan: I agree, a lot of the stuff in os-testr has upstream bugs filed18:58
*** timcline has joined #openstack-keystone18:58
notmorganmtreinish: depending on how fast you land that will depend on how fast i remove os-testr from ksa/not remove it18:58
notmorganmtreinish: ;)18:58
*** timcline has quit IRC18:58
notmorganmtreinish: land and get it out the door. (as in i can wait if it's going to happen soon-ish)18:59
*** timcline has joined #openstack-keystone18:59
notmorganmtreinish: but if it's going to be a looooooooonnnnnnggggg delay, i'll unrevert the revert when we get it :)18:59
dimsmtreinish : +2'ed18:59
*** timcline has quit IRC19:00
*** ninag_ has quit IRC19:00
mtreinishdims: heh, might as well +A it, we're the only 2 active cores on os-testr :)19:00
dimsmtreinish : done :)19:00
*** timcline has joined #openstack-keystone19:01
dstanekmtreinish: that's getting better (i don't fully understand how that works though)19:01
jorge_munozamakarov: If i want to redelegate the initial trust i should be able to find it thru the redelegated_trust_id. The trustor is the trustee_user is the test.19:01
dstanekmtreinish: someone should fix testr's biggest design flaw - the need to parse all files all the time19:01
*** jsavak has joined #openstack-keystone19:01
jorge_munozamakarov: Setting it to self.user would just help bypass the policy file.19:01
notmorgandolphm: so, due to deadlines and all that for other things, if you want to rebase/unwind those couple things to make it a sane single filter i'm 100% in support of it19:02
*** raildo is now known as raildo-afk19:02
*** ninag has joined #openstack-keystone19:02
notmorgandolphm:  i just don't expect to get back to this anytime within mitaka or newton personally :(. this was a diversion while i mulled over some other fixes.19:03
amakarovjorge_munoz, entire trust chain should have the same trustor19:03
amakarovjorge_munoz, this is the workflow19:03
lbragstadamakarov why?19:03
lbragstadthat's not a chain19:03
lbragstadit's a web19:03
mtreinishdstanek: that's how unittest test discovery works19:03
mtreinishnose does basically the same thing19:04
*** fawadkhaliq has quit IRC19:06
amakarovlbragstad, that's how it works: to redelegate my trust from admin to user I need to specify that the new trust is between admin and user AND it was created using my trust19:06
notmorgandolphm: that are higher on my prio list19:06
mtreinishdstanek: you can get around it by defining a static list of tests (either in code or outside) and using that instead19:06
amakarovlbragstad, If I create a trust from me to user, it's just a trust from me to that user19:06
dstanekmtreinish: you mean using the --blacklist option?19:06
lbragstadamakarov but when you do that with impersonation and redelegation it creates a new trust between the original trustor and the newest trustee... which isn't a chain19:07
dstanekmtreinish: that doesn't work because if doesn't happen before the "list tests" step19:07
mtreinishdstanek: no that still does discovery. You can use --subunit/--no-discover to skip discovery for a single test19:07
amakarovlbragstad, chain is maintained via redelegated_trust_id19:07
mtreinishor use --load-list19:07
*** jsavak has quit IRC19:08
mtreinish(which will only work after the passthrough patch lands)19:08
*** jsavak has joined #openstack-keystone19:08
amakarovlbragstad, btw "chain" isn't the term I used in the spec :)19:08
dstanekmtreinish: last time i tried load-list it still imported stuff that broke me. maybe it's better now. i've changed keystone to use the blacklist model though19:09
amakarovlbragstad, well, I used it, but not as a feature name19:09
*** daemontool_ has joined #openstack-keystone19:10
jorge_munozamakarov: So you can’t redelegate without impersonation?19:10
mtreinishdstanek: the blacklist model is much easier to use. --load-list needs a full python path for each test object (module, class, or method) like you use for directly calling a runner without discover19:10
mtreinishit doesn't do discovery because of that19:10
lbragstadamakarov ok - lets define the API. jorge_munoz has a lot of questions on the intended behavior and at this point, knows more about trusts than I do. So, can we define the use cases that are actually *need* (not the ones that are possible)?19:11
lbragstad*needed*?19:11
amakarovjorge_munoz, why? Let me just double check the code, but I don't remember such restriction19:11
*** daemontool__ has joined #openstack-keystone19:11
*** mylu has joined #openstack-keystone19:12
*** ninag_ has joined #openstack-keystone19:12
*** daemontool has quit IRC19:12
amakarovjorge_munoz, from what I see create_trust manager method doesn't care about impersonation19:13
*** daemontool_ has quit IRC19:14
jorge_munozamakarov: Sorry, what i meant to say is, if you have a chain of redelegated trust then a user can’t impersonate. And to redelegate a chain of trust with impersonation set to true is done then all trust in the chain have to match the original trustor.19:14
*** ninag has quit IRC19:15
amakarovjorge_munoz, and it would be great to check if trust works with impersonation=False as create_trust controller method calls _require_user_is_trustor, which doesn't look good...19:15
*** alex_xu has quit IRC19:15
*** mylu has quit IRC19:17
mfischlbragstad: ಠ_ಠ http://i.imgur.com/p0S7TKY.jpg19:17
*** dims_ has joined #openstack-keystone19:17
amakarovjorge_munoz, I see, what you are trying to do: you want to create a trust from user1 to user2, then from user2 to user3 and call it a chain - this will NOT work :)19:17
*** dims has quit IRC19:17
*** alex_xu has joined #openstack-keystone19:18
jorge_munozamakarov: Is that not redelegation?19:19
amakarovjorge_munoz, the logic is following: create a trust from user1 to user2, authN/authZ as user2 using created trust, and then create a trust from user1 to user3 specifying that you are redelegating that initial trust19:19
mtreinishdstanek: actually I think you might be right, load-lists might still do discovery, although I don't think that's the intent19:19
mtreinishI need to dig some more, it might be a bug19:20
*** mylu has joined #openstack-keystone19:20
amakarovIt's like user1 created a trust to user3 himself19:20
lbragstadmfisch ah -19:20
lbragstaddigging for you link19:20
lbragstadmfisch sorry19:20
jorge_munozamakarov: That is what the test does19:20
dstanekmtreinish: testr is just too complicated. all i want to do is hack keystone :-(19:20
mfischlbragstad: lol19:21
amakarovjorge_munoz, looking...19:21
lbragstaddolphm amakarov jorge_munoz what if we start defining the use cases and API here - https://etherpad.openstack.org/p/keystone-trust-behavior19:21
mtreinishdstanek: ++, well s/keystone/the projects I work on/19:21
lbragstadmfisch where is the speaker bio pulled from?19:23
mfischI think its your openstack.org bio19:24
*** mylu has quit IRC19:24
mfischlbragstad: https://www.openstack.org/profile/speaker19:24
mfischI'd just upload a picture and say "quinoa, guns, openstack"19:25
lbragstadmfisch ++ what else do you need?19:25
*** dims_ has quit IRC19:27
mfischlol19:27
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802719:28
amakarovjorge_munoz, double-checked your test: I'm still pretty sure my comment is valid.19:29
*** su_zhang has quit IRC19:29
*** dims has joined #openstack-keystone19:30
*** su_zhang has joined #openstack-keystone19:32
jorge_munozamakarov: Ok, so a user should not be allowed to create a trust with impersonation from a redelegated trust that did not have impersonation set to true?19:35
stevemarmfisch: rookie move lbragstad19:36
*** ayoung has joined #openstack-keystone19:37
*** ChanServ sets mode: +v ayoung19:37
jorge_munozamakarov: Also, for a chain of trust(impersonation=True) should the redelegated_trust_id be required?19:37
openstackgerritDavid Stanek proposed openstack/keystone: Uses open context manager for templated catalogs  https://review.openstack.org/27805319:37
openstackgerritDavid Stanek proposed openstack/keystone: Stop using nose as a Python3 test runner  https://review.openstack.org/27805419:37
openstackgerritDavid Stanek proposed openstack/keystone: Enables token_data_helper tests for Python3  https://review.openstack.org/27805519:37
amakarovjorge_munoz, redelegated trust is the trust from the token - it's extracted automatically19:39
openstackgerritClenimar Filemon Sousa proposed openstack/keystone: Avoid wrong deletion of domain assignments  https://review.openstack.org/27570619:39
amakarovjorge_munoz, redelegated_trust_id should not be passed in the create trust request19:40
*** can8dnSix has joined #openstack-keystone19:41
amakarovjorge_munoz, please read this carefully: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-trust-ext.html19:41
*** dims has quit IRC19:41
*** dims has joined #openstack-keystone19:42
jorge_munozamakarov: ok, I think i understand the workflow of trust now. It's read-only, but i was able to pass it through the request on trust creation.19:42
amakarovjorge_munoz, I think existing redelegation tests may halp you understand what's going on there19:45
amakarovs/halp/help/19:45
*** dims_ has joined #openstack-keystone19:46
*** mylu has joined #openstack-keystone19:46
*** timcline has quit IRC19:47
*** timcline has joined #openstack-keystone19:48
*** su_zhang has quit IRC19:48
*** su_zhang has joined #openstack-keystone19:48
*** dims has quit IRC19:49
*** e0ne has quit IRC19:49
*** su_zhang has quit IRC19:49
*** aginwala has quit IRC19:49
jorge_munozamakarov: Thanks, one last quick question. All tests in redelegation use impersonation. Should a user be allowed to redelegate without impersonation?19:50
*** su_zhang has joined #openstack-keystone19:50
*** ninag_ has quit IRC19:50
*** ninag has joined #openstack-keystone19:50
*** ninag has quit IRC19:51
*** ninag has joined #openstack-keystone19:51
*** su_zhang has quit IRC19:51
amakarovjorge_munoz, in ideal case - yes. I don't remember if we agreed about this restriction or this just eluded our attention, but currently I can't recall the goal of it.19:51
*** su_zhang has joined #openstack-keystone19:52
*** mylu has quit IRC19:53
amakarovjorge_munoz, I assume impersonated trust should be allowed to create non-impersonated and impersonated both, while non-impersonated should allow creation of non-impersonated only19:53
amakarovjorge_munoz, I believe this is a minor bug to fix19:54
*** aginwala has joined #openstack-keystone19:55
jorge_munozamakarov: Perfect, thanks. I’ll start looking at that.19:55
amakarovjorge_munoz, yw19:55
*** amakarov is now known as amakarov_away19:55
*** su_zhang has quit IRC19:57
stevemaronly ayoung could somehow get his bio in another font than *every other presentation* https://www.openstack.org/summit/austin-2016/vote-for-speakers/presentation/687319:57
*** dims_ has quit IRC19:57
stevemar:]19:57
ayoungstevemar, they filtered out my blink tag, though19:58
stevemarlol19:58
ayoungI seriously have no clue how that happened.  I cut and pasted it from the Vancouver summit site19:58
*** ninag has quit IRC19:59
*** can8dnSix has quit IRC19:59
*** ninag has joined #openstack-keystone20:00
ayounghttps://www.openstack.org/summit/austin-2016/vote-for-speakers/presentation/8652  "Alternative implementation of Keystone in Haskell"  Yehaw!20:00
cloudnullrated 0.. if there was -1 i'd rate it that.20:02
*** ninag has quit IRC20:04
*** jgriffith has quit IRC20:05
tmckayping tjcocozz20:06
tjcocozzhi20:06
gyeelbragstad, whenever you have a chance https://review.openstack.org/#/c/226464/20:06
bknudson_haskell must be pretty great... don't even need to test anymore.20:06
*** jgriffith has joined #openstack-keystone20:06
tmckayHey there! I was bitten by this during Sahara testing, so I decided to try to fix it :)20:06
*** jgriffith is now known as Guest5542120:06
*** petertr7_away is now known as petertr720:07
tmckaytjcocozz, I copied the test code from an abandoned review, I'll go ahead and tweak it.  Thanks!20:07
tjcocozztmckay, thanks for fixing it!20:07
tmckayplease be harsh, I am a guest in keystone ;-) All respect to the keymasters20:07
*** rcernin has joined #openstack-keystone20:08
tmckayonce in a while I lack to dabble in other projects, :)20:08
tjcocozztmckay, lolz then you're going to want someone else to review it... queue bknudson_ ^^20:08
tmckayack. I'll have another review up in a few with tweaks (minor change though it is)20:08
*** jsavak has quit IRC20:09
tjcocozztmckay, thanks!20:10
*** jsavak has joined #openstack-keystone20:12
openstackgerritClenimar Filemon Sousa proposed openstack/keystone: Avoid wrong deletion of domain assignments  https://review.openstack.org/27570620:13
*** ninag has joined #openstack-keystone20:17
*** ninag_ has joined #openstack-keystone20:19
*** ninag has quit IRC20:21
ayounghttps://www.openstack.org/summit/austin-2016/vote-for-speakers/presentation/7903  Vote for that one so henry and I can sit in the back and snipe!20:22
ayoung"Security concerns? We’ve got your back and RBAC"20:22
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802720:23
*** Guest55421 is now known as jgriffith20:24
*** su_zhang has joined #openstack-keystone20:28
*** ninag_ has quit IRC20:28
*** mylu has joined #openstack-keystone20:29
*** raildo-afk is now known as raildo20:29
openstackgerritTrevor McKay proposed openstack/python-keystoneclient: Handle exception on UnicodeDecodError in logging of request  https://review.openstack.org/27802720:30
*** su_zhang has quit IRC20:32
*** esp has joined #openstack-keystone20:35
raildoayoung, awesome title!20:36
ayoungraildo, Meh20:37
ayoungtoo cutesy20:37
*** esp has quit IRC20:39
*** mylu has quit IRC20:40
*** mylu has joined #openstack-keystone20:40
*** aginwala has quit IRC20:40
*** aginwala has joined #openstack-keystone20:43
*** su_zhang has joined #openstack-keystone20:44
notmorganheh20:44
notmorgan(Keep in mind that the first 100 characters are what will wind up in the YouTube description.20:44
notmorgansomeone missed deleting that.20:45
*** esp has joined #openstack-keystone20:47
krotscheckHey, any cores out there able to look at https://review.openstack.org/#/c/241317/ for me? Keystone's the only remaining core openstack service that doesn't support it.20:47
*** mylu has quit IRC20:48
notmorganayoung: for newton, i would like to get implied roles to require you [the person setting the implied role] to have the role (admin role being magic)20:48
notmorganayoung: not needed this cycle clearly.20:48
ayoung++++20:48
notmorganayoung: i think having that would have eliminated the security hole you had to change policy for20:49
notmorganayoung: but this has to be iterative :)20:49
*** esp has quit IRC20:51
ayoungnope20:51
notmorganayoung: i'm thinking implied roles are going to only ever really be an admin thing actually.20:53
notmorganayoung: the more i think about it20:53
notmorgansince implied role is not scope specific20:53
notmorganand shouldn't be20:53
*** jsavak has quit IRC20:53
notmorganthis is ignoring domain-roles. i mean just the core of implied roles20:54
*** jsavak has joined #openstack-keystone20:54
*** henrynash has joined #openstack-keystone20:55
*** ChanServ sets mode: +v henrynash20:55
dolphmjamielennox: henrynash: available for today's cross project meeting?20:56
jamielennoxdolphm: yep20:56
dolphmayoung: ^ if you're interested20:56
henrynashdolphm: I can’t do it today, sorry20:56
ayoungdolphm, yes20:56
henrynashdolphm: although I may lurk for a while....20:57
openstackgerritMichael Krotscheck proposed openstack/keystone: Added CORS support to Keystone  https://review.openstack.org/24131720:57
*** su_zhang has quit IRC20:57
*** aginwala has quit IRC20:57
henrynashdolphm: in the regular meeting irc channel?20:58
jamielennoxhenrynash: #openstack-meeting-cp20:58
dolphmhenrynash: #openstack-meeting-cp20:58
dolphmin 2 minutes20:58
jamielennoxjinx20:58
samueldmqhenrynash: #openstack-meeting-cp20:58
krotscheckstevemar: Where's keystone's config generation script?20:58
henrynashok, thx20:58
krotscheckstevemar: I don't see a bash script or a genconfig hook anywhere.20:59
ayoungnotmorgan, notmorgan meaning "only admins will set up role inference rules" absolutely yes21:00
samueldmqkrotscheck: tox -e genconfig21:00
notmorganayoung: only cloud-admin type folks. or explicitly delegated :can make these roles:21:01
notmorganayoung: erm implied roles not "make these roles"21:01
notmorgan(aka explicit role for the apis)21:01
ayoungnotmorgan, yeah.  DSRs will be more free to use21:01
ayoungdomain specific roles I should say21:01
*** daemontool has joined #openstack-keystone21:02
ayoungas we've some acronym class there I've been told21:02
krotschecksamueldmq: Ah, yes. I am blind.21:02
*** daemontool__ has quit IRC21:02
samueldmqkrotscheck: :)21:03
samueldmqkrotscheck: nah that happens21:03
krotschecksamueldmq: Answered stevemar's question :D21:03
krotscheckTurns out oslo.middleware's already in the config generator.21:03
*** dims has joined #openstack-keystone21:03
krotscheckaaanyway21:03
*** krotscheck is now known as krotscheck_dcm21:03
*** e0ne has joined #openstack-keystone21:03
openstackgerritBrant Knudson proposed openstack/keystone: AuthContextMiddleware admin token handling  https://review.openstack.org/19893121:06
notmorganbknudson_: can we merge the work from https://review.openstack.org/#/c/275443/ into that ^ or extract it and rebase on yours?21:13
notmorganbknudson_: i would prefer to evict admin_token_auth from the pipeline vs just moving it21:13
notmorganas default21:13
bknudson_notmorgan: I'll put https://review.openstack.org/#/c/198931/ on https://review.openstack.org/#/c/275443/21:14
notmorganmine needs to be yanked out of the chain21:15
notmorganwould be better to just extract the deprecation bits and add to yours or rebase on top of yours?21:15
notmorganbknudson_: mine was deep in the pipeline cleanup chain, and that chain is broken up now cause ec2/s3 changes are squashed/not happening21:16
bknudson_deprecating admin_token_auth shouldn't depend on ec2/s3 changes.21:17
notmorganbknudson_: code structure wise was hard to do them independently21:17
notmorgansince the ec2/s3 thing isn't happening, it needs to be pulled out21:17
notmorgani picked the ec2/s3 first order since i was cleaning up .contrib first21:17
notmorganso i'm guessing i am asking should i just rebase on top of yours? or ??21:18
stevemarsamueldmq: thanks for answering krotscheck_dcm's question :)21:18
bknudson_notmorgan: no, I'd rather the admin_token deprecation happened first21:19
notmorganok21:19
bknudson_then I don't have to mention any deprecation in mine, since it's already going away21:19
notmorganok21:19
openstackgerritJorge Munoz proposed openstack/keystone: Fix trust chain/redelegation tests  https://review.openstack.org/27323221:19
notmorgani'll either rebase mine later tonight or you can if you'd like. if i do it later i'll place yours on mine and drop the deprecation verbiage21:19
stevemarhenrynash: ping if you're still around21:20
samueldmqstevemar: np21:21
henrynashstevemar: I’m lurking in the xproject meeting21:22
stevemarhenrynash: oh, it can wait til that's over21:22
*** browne has quit IRC21:24
*** daemontool_ has joined #openstack-keystone21:24
*** ninag has joined #openstack-keystone21:25
*** daemontool has quit IRC21:27
*** jbell8 has quit IRC21:30
*** ninag has quit IRC21:30
*** jgriffith is now known as jgriffith_away21:31
*** browne has joined #openstack-keystone21:34
dimsdstanek : https://review.openstack.org/#/c/278054/ looks good.21:35
dimsstevemar : bknudson_ : can we please get that in? :)21:35
bknudson_dims: we'll see what jenkins has to say21:35
*** jsavak has quit IRC21:36
*** jsavak has joined #openstack-keystone21:37
*** vgridnev has quit IRC21:40
dstanekbknudson_: jenkins can eat it :-)21:40
*** jsavak has quit IRC21:41
dimshaha21:45
*** jsavak has joined #openstack-keystone21:46
bknudson_don't make jenkins angry21:47
bknudson_we'll probably have to sacrifice some animals now.21:47
*** ninag has joined #openstack-keystone21:47
stevemarbknudson_: i'm okay with sacrificing a core21:48
stevemari'm glad to see our blacklist is getting smaller21:49
*** raildo is now known as raildo-afk21:49
stevemarbknudson_: also part of that chain: https://review.openstack.org/#/c/278053/121:50
henrynashstevemar: hi, what’s up21:53
stevemardims: i don't see the os-testr library used?21:54
dstanekstevemar: i have a few more python3 reviews to crank out and then i'll start working through the m3 reviews!21:54
stevemardstanek: awesome21:54
dstanekstevemar: os-testr is the test running21:54
stevemarhenrynash: howdy, wanted to chat about dsr21:54
dstaneks/running/runner/21:54
henrynashstevemar: dsr….ok…21:54
henrynashstevemar: (dynamic super rodents)?21:55
*** petertr7 is now known as petertr7_away21:55
stevemarhenrynash: :)21:55
*** su_zhang has joined #openstack-keystone21:55
stevemarhenrynash: just wanted to know if you think the domain specific roles stuff is still worth looking at? i know you've had the code posted for a while21:55
dstanekdirty scoundrels rotten21:56
stevemarhenrynash: there's still some question marks about if this is the best approach for more fine grained policy21:56
henrynashstevemar: I just don’t buy that, no standard system can ever suit all parties and domain admins can’t modify policy files21:57
henrynashstevemar: in fact, dsr becomes MORE relevant, when you have fine grained roles (since that’s where it gets its power)21:57
stevemarhenrynash: alright, maybe i just need to refresh myself on the spec21:59
stevemarlooks like ayoung and gyee have reviewed it, that's good21:59
henrynashayoung: could you look at my fixes to the dsr patch….think I covered almost all the points you made22:00
ayounghenrynash, so to repeat:   the way I've started thinking of things is in 3 levels.  The top level is "here is the job you are assigned to do"  the middle level is "here are the set of workflows you need to perform for your job" and the bottom level is "here are the permissions  on the resources you need to perform the workflows"22:00
*** jsavak has quit IRC22:00
ayoungand henrynash your DSR is the top level22:00
ayoungso jamielennox 's proposal should probably be "workflows"  and dolph's "end permissions"22:01
henrynashayoung: certainly one way of looking at it22:01
ayoungI am a little worried that with really fine grained permissions and implied roles we will expand the auth data too much22:01
stevemarhenrynash: ayoung how does DSR play with https://review.openstack.org/#/c/245629/ ? can the two co-exist?22:01
ayoungI'd rather have that level expanded in the policy file itself22:02
ayoungstevemar, looking22:02
henrynashayoung: it’s true, you could get lots of roles22:02
ayoungstevemar, they co-exist22:02
stevemargotta run the shop real quick, brb, i'll read the scroll back22:02
stevemarhenrynash: i'll buckle down and actually review the code22:02
jamielennoxayoung: are you putting implied roles in the token?22:03
ayoungstevemar, for example, henrynash goes and create a DSR called "distinguished-engineer" which we assign to topol  to make him feel good.  It's really only given the "observer" role so he can't do any damage, though22:03
henrynashstevemar: thx22:03
ayoungwell, minimal damage22:03
jamielennoxsorry, the umbrella roles22:03
ayoungjamielennox, so, right now, yes. But we can shut that off with a config option22:03
ayoungI put that in there so we could convert to a dynamic policy approach in the future22:03
jamielennoxayoung: can we just start with it off22:04
ayoungjamielennox, nope22:04
ayoungjamielennox, I mean, we can do anything,22:04
jamielennoxi don't see why if you have a role that implies other roles - the end roles are the more specific ones you would enforce on22:04
ayoungjamielennox, I want "admin implies member" at a minimum22:04
jamielennoxeverything implies member22:05
ayoungno22:05
ayoungI want that, and then I want the follow on patch that says "get a token with a subset of roles"22:05
ayoungso if you are an admin you can get a member token22:05
ayoungso you don't swing your admin creds around everywhere22:05
jamielennoxyou are going to try and enforce from code what people put into the database22:06
jamielennoxhaving admin is kind of a mess, what if we got to the point there was no admin role22:06
jamielennoxsomeone got clever and renamed it global_admin22:06
jamielennoxhow do you expect to enforce a relationship22:06
ayoungheh, if they name it global_admin they will break every other service out there22:07
ayoungadmin is like, hardcoded I found out the hard way22:08
*** ninag has quit IRC22:08
ayoungjamielennox, "what if we got to the point there was no admin role"  I will be sooooo happpy22:08
*** mylu has joined #openstack-keystone22:08
ayoungjamielennox, so, why do you want it off?22:08
jamielennoxfor some services like glance the admin_role is specified in conf22:08
jamielennoxthe role is just a label, it's a hard concept to kill but you can probably relabel it22:09
*** mylu has quit IRC22:09
jamielennoxit's the same problem that keystone can't provide any roles by default. we don't control that, we can't22:09
jamielennoxwe can specify what we think you should do and influence devstack22:09
jamielennoxi'd like the role subset for a different reason, but i don't think you can just say admin implies something else22:10
ayoungjamielennox, OK, so the nice thing about implied roles is it gives us a way to move forward22:11
ayoungwe can now change a policy file and people can unbreak things with implied roles22:11
ayoungsay we add in the detailed roles you want, but they had not assigned them to anyone22:12
*** sinese_ has quit IRC22:12
ayoungyou can start by saying "admin implies all these smaller ones" and get them in the tokens22:12
ayoungthen, start removing admin and adding explicit assignments to people22:12
jamielennoxmaybe we should have left implied roles as their own concept as they are similar to domain specific roles except global22:13
*** clenimar has quit IRC22:13
ayoungthe rules are their own concept.  The roles are roles22:13
jamielennoxie - they are a grouping mechanism not something i think you should be able to write policy against22:13
ayoungso, I could see you using them to generate policy in the future22:13
ayoung"we have too many roles, tokens are too big"22:14
ayoungso we generate a fragment of a policy file that gets included into the other projects22:14
ayoungjamielennox, here's what I really want to do22:16
ayoung1.  Leave the existing policy files alone22:16
ayoung2. Write a bunch of rules that check policy against URLS, not policy  identity_blah keys22:17
ayoung3. Enforce these in middleware22:17
ayoung4. Fetch them from a database22:17
notmorganjamielennox: that is what i'd have preferred22:17
ayoungWe do all that, then, yes, we can turn off the role expansion in the tokens22:18
ayoungbut right now, it's all or nothing22:18
ayoungthere is no way to break a big role down into a little role22:18
ayoungand delegate a subset of what you have22:18
ayoungAnd that is a huge attack surface22:19
ayoungshow me some other way to mitigate that22:19
ayoungsomething we can, practically speaking, make progress on.22:19
*** mylu has joined #openstack-keystone22:19
*** henrynash has quit IRC22:19
jamielennoxso i'm fine with breaking down policy files22:20
jamielennoxthe more config management i do the less i want to have the services doing smart updating though22:20
ayoungjamielennox, I tried that22:20
ayoungit died in committee22:20
*** diazjf has quit IRC22:20
jamielennoxan ansible job that updates policy throughout an entire cloud is slightly risky but not that hard to do for something you'll update infrequently22:21
ayoungjamielennox, dead end22:22
ayoung"policy is a file that comes out of upstream openstack and we won't edit it"22:22
ayoungI started that way22:22
*** tmckay has left #openstack-keystone22:22
ayoungjamielennox, this was the smallest change I could make.22:23
jamielennoxi don't care if it comes from upstream openstack22:23
ayoungjamielennox, everyone else does22:23
jamielennoxthis was the point of that cp spec, i wanted to make it a minimum better not solve everything for everyone22:23
ayoungand we can't go from what people deploy now to that spec without implied roles22:24
ayoungno practical path forward22:24
ayoungI think that spec is awesome22:24
*** jbell8 has joined #openstack-keystone22:24
ayoungand if we can make it happen, fantastic22:24
ayoungbut we still need a way to transition people today to another policy file22:25
jamielennoxayoung: we can absolutely get to that spec now22:28
jamielennoxayoung: i essentially left admin as it was, added a bunch of new stuff22:28
jamielennoxand when people get accustomed to having more roles than admin we make them fix whatever is hardcoded22:28
ayoungand no one will have any of those roles22:28
jamielennoxso? they can add them22:29
jamielennoxand if they don't add them it will never match policy22:29
ayoungso you will have policy files with "role:specific-thing or role:member"22:29
jamielennoxadding roles that don't exist to policy files has no effect22:29
ayoung"adding roles that don't exist to policy files has no effect"22:29
ayoungexactly22:29
jamielennoxassuming you don't require them - but we're not going to do anything backwards incompatible22:29
jamielennoxyep, so you add them, then you get benefits22:30
ayoungjamielennox, lets get the roles laid out as you want them.  We can write up example policy files of how to use them22:31
jamielennoxdolphm, ayoung: if there's an ops midcycle somewhere next week i'd really like someone to put it to them22:32
ayoungif, down the road, we want to get rid of the expanding of the roles in the token and do it in policy22:32
ayoungjamielennox, there is...we have someone attending22:32
ayounghttps://wiki.openstack.org/wiki/Sprints22:33
notmorganjamielennox: in manchester UK22:33
notmorganjamielennox: i was going to go, but have had other things come up22:33
ayoungManchester, UK22:33
notmorgannot sure who from keystone is going22:33
notmorganif anyone22:33
*** aginwala has joined #openstack-keystone22:33
ayounghenry just left22:34
ayoungI think it is a bit of a trip for him, though22:34
*** nkinder has joined #openstack-keystone22:35
jamielennoxengland is small - but not that small22:37
*** dims_ has joined #openstack-keystone22:39
*** henrynash has joined #openstack-keystone22:39
*** ChanServ sets mode: +v henrynash22:39
bknudson_3 hours from bristol to manchester22:40
*** dims has quit IRC22:40
bknudson_that's a short drive in my opinion22:41
bknudson_I wish I could get anywhere in 3 hours22:41
henrynashbknudson_: who’s driving from Bristol to Manchester?22:42
jamielennoxhenrynash: you hopefully22:44
jamielennoxhenrynash: are you going to the ops midcycle next week?22:44
henrynashjamielennox: :-) so I was planning to…expect it’s full and they won’t let me have a ticket!!!22:45
notmorganhenrynash: you should reach out to the organiser22:45
henrynashnotmorgan: done that, no joy22:45
jamielennoxhenrynash: ok, we want someone to present the policy scenarios spec to the ops and get some input22:45
notmorganlae22:45
notmorganlame*22:45
henrynashnotmorgan, jamielennox: agreed….I was stunned when they basically turned me down!22:46
bknudson_we should all go and protest in front of the meetup22:48
bknudson_dstanek: you played with fire -- https://review.openstack.org/#/c/278053/22:48
henrynashnotmorgan, jamielennox: if anyone knows Lauren Sell <lauren@openstack.org> then feel free to lobby her!22:51
openstackgerritBrant Knudson proposed openstack/keystone: Switch bandit to no-config  https://review.openstack.org/27813622:51
notmorgani know Lauren22:51
notmorganbut i don't think i am going to be much help22:51
henrynashnotmorgan: I think they just are out of space…they didn’t book a big enough venue22:52
notmorganif she was the one to turn you down [you made a case for it being about core representation] then they're really out of space22:52
henrynashnotmorgan: yep…I think they just underestimated the interest in the UK22:52
notmorganyeah22:52
notmorgani figured it was community organiser not foundation organiser22:53
henrynashok…well, gonna hit the sack...22:53
notmorgansee ya22:53
*** henrynash has quit IRC22:53
bknudson_dstanek: might be related to new eventlet!22:55
bknudson_dstanek: https://github.com/eventlet/eventlet/commit/5bf0a6f32b3e4459b38ad1895c9eb4b0b483dae1#commitcomment-1598761322:55
notmorganjamielennox: have a few moments?22:56
*** mylu has quit IRC22:56
jamielennoxnotmorgan: sure..22:56
notmorganjamielennox: just ran across this https://github.com/openstack/python-cinderclient/blob/master/cinderclient/tests/unit/fixture_data/keystone_client.py22:57
jamielennoxnotmorgan: oh - wow, ok22:57
*** tsymanczyk has quit IRC22:58
notmorganjamielennox: trying to figure out the best way to unwind that in the ksa way... because it's breaking discovery in the cinderclient tests in some... subtle way22:58
jamielennoxwell that's a fairly easy fix22:58
*** rcernin has quit IRC22:58
*** su_zhang has quit IRC22:58
*** su_zhang_ has joined #openstack-keystone22:58
notmorganjamielennox: yeah i figured i'd ask you and have the easy answer or muddle through a harder answer22:58
jamielennoxnotmorgan: it looks like everything in there can be replaced with a ksa fixture22:58
dstanekbknudson_: yeah, it looks like i got burned22:58
notmorganit's the last of the things i think i need to fix for cinderclient -> ksa22:58
bknudson_dstanek: fails the same way for me locally -- hangs22:59
jamielennoxnotmorgan: do you know what's wrong with their fixtures22:59
jamielennoxnotmorgan: i don't know if i want to know, just so long as we haven't made a compatibility mistake somewhere between ksa and ksc22:59
*** mylu has joined #openstack-keystone22:59
dstanekbknudson_: i wonder if i have a different version of eventlet locally22:59
dstaneki'm regenerating my venv now and trying it out22:59
bknudson_dstanek: .tox/py34/bin/pip install -U eventlet22:59
*** su_zhang_ has quit IRC22:59
*** su_zhang has joined #openstack-keystone23:00
*** su_zhang has quit IRC23:00
*** su_zhang has joined #openstack-keystone23:00
openstackgerritDina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone  https://review.openstack.org/10336823:01
notmorganjamielennox: it might be in their code23:01
notmorganactually23:01
jamielennoxnotmorgan: i'm guessing it is, i just want to know someone checked it23:02
jamielennoxsomeone in this case being...23:02
*** daemontool__ has joined #openstack-keystone23:03
*** tsymanczyk has joined #openstack-keystone23:03
notmorganjamielennox: here is the breakage https://github.com/openstack/python-cinderclient/blob/master/cinderclient/shell.py#L772-L80023:03
notmorganthe resulting path is '/' in *some* cases23:03
notmorgannot all23:03
notmorganaround line 79023:03
*** tsymanczyk is now known as Guest1284023:03
dstanekbknudson_: https://review.openstack.org/#/c/277912/1 screwed me i think23:03
notmorgani'm guessing this is also something we can eliminate a chunk of.23:04
jamielennoxnotmorgan: gah, yea if you are replacing that with ksa's discovery then just remove it23:04
dstanekit works fine with 17.0.423:04
notmorganjamielennox: replace the whole function?23:04
notmorganjamielennox: or just the extra bits.23:04
jamielennoxnotmorgan: you should be able to do it with a get_endpoint call23:04
notmorganhmm.23:04
jamielennoxor better yet just let the client do it23:04
*** daemontool_ has quit IRC23:04
jamielennoxthere's no reason for cinder to inspect that23:05
jamielennoxcinder CLI23:05
notmorgan        (v2_auth_url, v3_auth_url) = self._discover_auth_versions(23:06
notmorgan            session=ks_session,23:06
notmorgan            auth_url=self.options.os_auth_url)23:06
notmorganthat looks like where we can make this less icky23:06
notmorgani'm trying to do minimal changes to get them on KSA then do larger cleanups23:06
notmorgansince on ksa = much much better sooner23:07
notmorganand likely to land quicker23:07
*** timcline has quit IRC23:07
notmorganreally.. we do the same check like 3 times23:07
* notmorgan sighs.23:07
dims_dstanek : got a log? (eventlet break)23:08
dstanekdims_: http://logs.openstack.org/53/278053/1/check/gate-keystone-python34/cf3e9e3/console.html23:08
notmorganjamielennox: ok https://github.com/openstack/python-cinderclient/blob/master/cinderclient/shell.py#L802 this just needs to become loading thing23:08
dstaneklooking to see if i can just disable a test or two23:08
notmorganjamielennox: thanks.23:09
dims_dstanek : ah wsgi, here's a fix that nova folks made https://review.openstack.org/#/c/278089/23:10
dims_dstanek : they switched the tests to use requests23:10
*** peter-hamilton has quit IRC23:10
notmorganjamielennox: wow, cinder has its own authplugin framework.23:12
jamielennoxnotmorgan: :(23:12
notmorganjamielennox: oh for non-keystone auth23:12
notmorganphew23:12
jamielennoxnotmorgan: is it the one that novaclient tried23:12
notmorganPHEW23:12
notmorganyeah23:12
jamielennoxnotmorgan: so i was never successful in doing a bridge between that and the new plugins, can't remember why23:12
notmorgandon't worry23:13
jamielennoxthere was something weird they did23:13
notmorganthey only fall back on it when keystone != auth_system23:13
notmorganso we aren't used anyway23:13
*** aginwala has quit IRC23:14
dstanekdims_: this is an error on the server side it seems23:15
*** aginwala has joined #openstack-keystone23:16
*** phalmos has quit IRC23:16
*** gokrokve has joined #openstack-keystone23:19
dims_dstanek : +1 to skip these tests, we can ping haypo as he submitted some of these changes in eventlet tomorrow morning europe time23:19
dstanekdims_: i think i got it now; i suspect this is starting to fail all of our py3 tests, but luckily they are not voting23:20
*** daemontool_ has joined #openstack-keystone23:20
dims_dstanek : ok23:20
*** daemontool__ has quit IRC23:22
*** gokrokve has quit IRC23:23
*** daemontool_ has quit IRC23:28
*** daemontool has joined #openstack-keystone23:29
*** slberger has left #openstack-keystone23:32
bigjoolsis there any kind of test double/fake or actual test fixture that can be re-used outside of keystone tests in other projects?23:34
openstackgerritDavid Stanek proposed openstack/keystone: Disable the ipv6 tests  https://review.openstack.org/27814723:36
dstanekbknudson_: try that ^23:36
dstanekbigjools: what are you trying to do?23:38
bigjoolsdstanek: for my sins, I'm adding better v3 support in Rally but their tests are mocked like crazy and extremely brittle. I was wondering if I could use a real fixture instead.23:38
*** gordc has quit IRC23:39
dstanekbigjools: for keystone you may be able to use some of ours, but i doubt it. they are very specific to how we setup our unit tests23:39
dstanekbigjools: how are they brittle?23:39
bigjoolsyeah I figured as much23:39
bigjoolsbrittle because almost every aspect of creating a client is a mock and depends on implementation details, so you can't re-implement a function (to do the same thing) without breaking a test.23:40
*** pushkaru has quit IRC23:40
bigjoolsI'd love to see oslo.fakes or oslo.fixtures23:40
dstanekbigjools: yeah, that sounds like they are doing it wrong. do you have a link i can look at?23:40
bigjoolsI'll point you at some of their tests, one sec23:41
dstanekbigjools: there are generic fixtures23:41
*** pushkaru has joined #openstack-keystone23:41
bigjoolsdstanek: here's an example. The mocks are all set up in the test base class (another anti-pattern :( )  https://github.com/openstack/rally/blob/master/tests/unit/plugins/openstack/scenarios/keystone/test_utils.py23:43
dstanekbigjools: keystone specific: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/ksfixtures ; oslo.test fixtures can be mostly found here: http://git.openstack.org/cgit/openstack/oslotest/tree/oslotest23:43
bigjoolslooking, thanks23:44
dstanekbigjools: wow,mocking uuid?23:44
dstanekbigjools: you can start migrating that setup code into fixtures23:44
bigjoolsI'm saying nothing :)23:44
bigjoolsI just started hacking on rally a week ago23:45
*** pushkaru has quit IRC23:45
dstanekbigjools: good luck with that :-)23:46
bigjoolsdstanek: yeah thanks :)23:46
*** su_zhang has quit IRC23:47
*** sigmavirus24 is now known as sigmavirus24_awa23:51
*** shoutm has joined #openstack-keystone23:57
*** su_zhang has joined #openstack-keystone23:58
