Friday, 2016-02-19

notmorgan: stevemar: -1 sorry [00:00]
notmorgan: we went through this already. [00:00]
notmorgan: actually -2. [00:00]
stevemar: did it screw over too many people? [00:00]
notmorgan: deprecating it is a serious issue and yelling OMG DEPRECATED with our default shipped config is bad [00:00]
stevemar: hmm, okay [00:00]
notmorgan: heck, i convinced ayoung to move the other warning down to only when it's configured [00:00]
stevemar: notmorgan: i am trying to close this bug: https://bugs.launchpad.net/keystone/+bug/1545789 [00:01]
openstack: Launchpad bug 1545789 in OpenStack Identity (keystone) "keystone ADMIN_TOKEN set by default can lead to default insecure deployment" [Medium,In progress] - Assigned to Steve Martinelli (stevemar) [00:01]
notmorgan: that just needs the doc change [00:01]
stevemar: i guess there is nothing left to do [00:01]
stevemar: which docs? [00:01]
notmorgan: showing that if admin_token config option is not configured it won't work [00:01]
notmorgan: and that they should use bootstrap instead [00:01]
ayoung: notmorgan, I think cuz I originally submitted the commit with Partial_Bug its not updating [00:01]
stevemar: ayoung: if it's closed, then mark it as such [00:02]
notmorgan: ayoung: did you move your other one to closes-bug? [00:02]
notmorgan: oh yeah just close it and hit the doc change... or steve can hit the doc change w/ that patch ^^ [00:02]
notmorgan: instead of "deprecating" [00:02]
stevemar: notmorgan: we've got bootstrap docs here: http://docs.openstack.org/developer/keystone/configuringservices.html [00:03]
stevemar: our docs stink [00:03]
ayoung: notmorgan, nah, it still said partial [00:04]
ayoung: http://git.openstack.org/cgit/openstack/keystone/commit/?id=37e9d6bbf14531201dc228694552dc64ac03edd0 [00:04]
ayoung: use the same bug to get rid of the warning unless set to None? [00:04]
stevemar: ayoung: at this point open a new bug [00:05]
stevemar: i'm closing this one [00:05]
ayoung: stevemar, you do it. I'm sick of this issue! [00:05]
stevemar: yay! [00:05]
stevemar: me too :) [00:05]
ayoung: actually, I'm elbow deep in Puppet right now [00:05]
stevemar: notmorgan: https://review.openstack.org/#/c/279908/ should close out another bug [00:07]
patchbot: stevemar: patch 279908 - keystone - handle unicode names for federated users [00:07]
stevemar: we're so close to closing out all our bugs -_- [00:08]
stevemar: i'm still not clear if this is an issue: https://bugs.launchpad.net/keystone/+bug/1539766 [00:08]
openstack: Launchpad bug 1539766 in OpenStack Identity (keystone) "trust redelegation allows trustee to create a trust (with impersonation set to true) from a redelegated trust (with impersonation set to false)" [High,In progress] - Assigned to Jorge Munoz (jorge-munoz) [00:08]
openstackgerrit: Ron De Rose proposed openstack/keystone: Shadow users - Separate user identities https://review.openstack.org/278570 [00:08]
openstackgerrit: Ron De Rose proposed openstack/keystone: Shadow users - Separate user identities https://review.openstack.org/278570 [00:20]
openstackgerrit: Merged openstack/keystone: Adds user_description_attribute mapping support to the LDAP backend https://review.openstack.org/276873 [00:20]
openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/281605 [00:34]
notmorgan: stevemar: it is an issue because it opens doors for person X to delegate to Y and then person Y to delegate being person X to person Z [00:36]
notmorgan: stevemar: and indefinitely deep [00:36]
notmorgan: impersonation should stop with Y, redelegation can happen, just not with impersonation [00:36]
notmorgan: though ideally, impersonation should probably be banned from ever being redelegated at all, mutual exclusion [00:37]
openstackgerrit: Merged openstack/python-keystoneclient: Add back a bandit tox job https://review.openstack.org/281549 [00:37]
notmorgan: bknudson_: i am guessing we are un-merging bandit job from pep8? ^ [00:55]
notmorgan: stevemar: https://bugs.launchpad.net/keystone/+bug/1541656 i just responded [01:00]
openstack: Launchpad bug 1541656 in OpenStack Identity (keystone) "OAuth Identity token gives Forbidden" [Undecided,New] [01:00]
notmorgan: stevemar: i think this is a mis-use of the CLI. [01:00]
notmorgan: stevemar: not a bug in Oauth [01:00]
notmorgan: stevemar: they are explicitly asking for a rescope even if it's to the same project [01:01]
notmorgan: stevemar: and if oauth tokens are explicitly unscoped we need to fix the code, but iirc they are scoped [01:01]
openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/281601 [02:32]
stevemar: notmorgan: i do think the oauth bug is probably CLI related, but i left it open just to make sure [03:11]
notmorgan: right just pointing out what i saw at a glance [03:11]
notmorgan: didn't feel like testing it myself cause oauth code in keystone makes my brain hurt :( [03:12]
notmorgan: and i might be drinking a beer [03:12]
notmorgan: and beer > oauthcode [03:12]
stevemar: notmorgan: true that [03:12]
stevemar: notmorgan: i'm drinking rooibos tea [03:12]
notmorgan: i am prob gonna earl grey this up soon enough :) [03:13]
notmorgan: had a meeting earlier today and made coffee for the first time in 5 days [03:13]
notmorgan: was delicious. [03:13]
notmorgan: but i over ground the beans... so... tomorrow i must also make coffee [03:14]
stevemar: this is a nice fix by matty edmonds https://review.openstack.org/#/c/282080/1 [03:14]
patchbot: stevemar: patch 282080 - keystone - Allow user list without specifying domain [03:14]
stevemar: notmorgan: instant ftw [03:14]
stevemar: s/nice/clever [03:14]
stevemar: notmorgan: were you at the openstack meetup in pdx? [03:34]
openstackgerrit: Merged openstack/python-keystoneclient: Implied Roles https://review.openstack.org/280983 [03:34]
notmorgan: stevemar: nope [03:37]
notmorgan: stevemar: i forgot it was today [03:37]
notmorgan: =/ [03:37]
stevemar: lol [03:40]
stevemar: notmorgan: toronto one is next week [03:41]
openstackgerrit: Ron De Rose proposed openstack/keystone: Shadow users - Separate user identities https://review.openstack.org/278570 [03:47]
openstackgerrit: Raildo Mascena proposed openstack/keystone: API support for project cascade delete https://review.openstack.org/244248 [03:51]
bigjools: hey, if I have a Client that was passed endpoint as one of the kwargs and then call client.authenticate(), it blows up because auth_url is not defined. Is this expected or a bug? I can still use the client but I just want to see if the credentials work before doing anything with it. [05:00]
bigjools: Well filed it as https://bugs.launchpad.net/python-keystoneclient/+bug/1547331 [05:22]
openstack: Launchpad bug 1547331 in python-keystoneclient "AuthorizationFailure: Authorization failed: Cannot authenticate without an auth_url" [Undecided,New] [05:22]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Time-based One-time Password https://review.openstack.org/274901 [05:54]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Time-based One-time Password https://review.openstack.org/274901 [05:56]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Time-based One-time Password https://review.openstack.org/274901 [05:59]
openstackgerrit: Steve Martinelli proposed openstack/keystone: Allow user list without specifying domain https://review.openstack.org/282080 [06:18]
henrynash: morning [08:17]
breton: morning [08:18]
henrynash: anyone know much about debugging tests in our keystoneclient library? [08:36]
openstackgerrit: henry-nash proposed openstack/python-keystoneclient: Support creation of domain specific roles https://review.openstack.org/282017 [11:36]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade update https://review.openstack.org/243585 [11:38]
openstackgerrit: henry-nash proposed openstack/python-keystoneclient: Support creation of domain specific roles https://review.openstack.org/282017 [11:48]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade update https://review.openstack.org/243585 [12:06]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade delete https://review.openstack.org/244248 [12:21]
bigjools: I have converted some old code to use sessions when instantiating a client, but it was depending on the service_catalog which is no longer on the client. If I use client.endpoints.list() instead, the service_type is not in the endpoints returned, but the old code needed that. Is there any way to get the service_type out of the endpoints? [12:29]
bigjools: or is there a way to access the old service_catalog with sessions? [12:30]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade delete https://review.openstack.org/244248 [12:38]
samueldmq: raildo: htruta: I gave a couple of updates on 243585 and 244248 [12:40]
samueldmq: raildo: htruta: please take a look at +1 if you're okay with the changes [12:40]
raildo: samueldmq: looking [12:40]
samueldmq: stevemar: cc ^ [12:41]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade delete https://review.openstack.org/244248 [12:43]
samueldmq: raildo: ^ one more edit on the commit message (Partially-implements should be Implements) [12:43]
htruta: samueldmq, stevemar: should we add the release note at the last patch of the chain? [12:44]
samueldmq: htruta: hmm, yes, that too [12:48]
samueldmq: htruta: remember to mention both update and delete operations in the release note [12:51]
htruta: samueldmq, stevemar: just to go with the flow: https://review.openstack.org/#/c/274836/ [12:53]
patchbot: htruta: patch 274836 - keystone-specs - Fix cascade operations documentation [12:53]
openstackgerrit: Raildo Mascena proposed openstack/keystone: API support for project cascade delete https://review.openstack.org/244248 [13:10]
raildo: samueldmq: htruta release note done ^ [13:10]
stevemar: raildo: samueldmq htruta will review the API changes today [14:00]
stevemar: just catching up on email ^_^ [14:01]
raildo: stevemar: np. thanks sir :) [14:03]
openstackgerrit: Matthew Edmonds proposed openstack/keystone: Update default domain's description https://review.openstack.org/281381 [14:05]
tjcocozz_: bknudson_, now that its slow around here. i like how you implemented https://review.openstack.org/#/c/202760/5 much better than mine. [14:19]
patchbot: tjcocozz_: patch 202760 - python-openstackclient - Same exception handling for gets() in find_resource (ABANDONED) [14:19]
bknudson_: tjcocozz_: y, but it didn't work since there's all sorts of weird exceptions raised [14:21]
tjcocozz_: bknudson_, probable the right exceptions though [14:22]
tjcocozz_: probably [14:22]
bknudson_: tjcocozz_: also, looks like I was trying to fix the same issue with get() params earlier: https://review.openstack.org/#/c/202748/ [14:23]
patchbot: bknudson_: patch 202748 - python-openstackclient - Query args for get-only (ABANDONED) [14:23]
bknudson_: back in juno [14:23]
bknudson_: july [14:23]
tjcocozz_: bknudson_, why are people not accepting this change? [14:24]
bknudson_: tjcocozz_: because https://review.openstack.org/#/c/202395/ merged instead [14:25]
patchbot: bknudson_: patch 202395 - python-openstackclient - Fix the way we call find_resource when only using ID (MERGED) [14:25]
stevemar: tjcocozz_: we are not accepting it because we don't like bknudson_ [14:25]
bknudson_: tjcocozz_: it was low priority for me so I didn't keep it up to date. [14:26]
tjcocozz_: bknudson_, lolz if bknudson_ patches merged everyone would be in a better place [14:27]
bknudson_: plus, openstackclient people don't like outsider non-establishment renegades like me. [14:27]
tjcocozz_: ha i need to learn how to type that was supposed to go to stevemar [14:27]
stevemar: tjcocozz_: it's true regardless [14:28]
stevemar: bknudson_: the osc team doesn't take kindly to renegade strangers [14:28]
bknudson_: I'm like the Sarah Palin of openstack [14:28]
stevemar: tjcocozz_: ask newly minted OSC core, and guy who probably sits 10 feet from you, rtheis [14:29]
bknudson_: rtheis is in sauk center! [14:29]
bknudson_: rtheis is new so maybe I can influence him before he learns the culture. [14:30]
tjcocozz_: stevemar, haha whats his full name? [14:30]
bknudson_: it's probably in the review guidelines. [14:30]
openstackgerrit: Dolph Mathews proposed openstack/keystone: Shadow users - Shadow federated users https://review.openstack.org/279162 [14:31]
bknudson_: tjcocozz_: do you want me to restore https://review.openstack.org/#/c/202748/ ? [14:33]
patchbot: bknudson_: patch 202748 - python-openstackclient - Query args for get-only (ABANDONED) [14:33]
stevemar: bknudson_: what's a sauk center? [14:33]
bknudson_: stevemar: it's the birthplace of sinclair lewis, author of the jungle [14:34]
bknudson_: read a book [14:34]
stevemar: bknudson_: i picked up neuromancer and dune from our condo library [14:34]
tjcocozz_: bknudson_, i added some functional tests to mine to make sure it doesn't digress. also there are a lot more try catches in there now idk if it will work [14:34]
stevemar: neuromancer has never been taken out, and the last times dune was taken out was 2009 and 1998 [14:35]
bknudson_: http://cdn.meme.am/instances/500x/53539458.jpg [14:35]
bknudson_: both of those are classics [14:35]
bknudson_: you'll be changing your nick to muad-dib soon enough [14:36]
amakarov: stevemar, ayoung hi! One question: is it OK that we rely on cascaded deletion performed by third-party rdbms in implied roles? [14:36]
ayoung: amakarov, I think so [14:37]
tjcocozz_: bknudson_, actually if yours makes more sense. i think you should re open it, and i will take it over if anyone has some push back. [14:37]
ayoung: that is what we use a database for: to enforce referential integrity [14:37]
ayoung: I don't want to have to reimplement all of that in the code layer, [14:37]
bknudson_: tjcocozz_: restored! [14:37]
ayoung: which is one reason you see the KVS backends being removed. [14:38]
bknudson_: amakarov: just document in the driver spec what the function needs to do. [14:38]
amakarov: bknudson_, there is a critical bug to fix: https://bugs.launchpad.net/keystone/+bug/1546562 [14:39]
openstack: Launchpad bug 1546562 in OpenStack Identity (keystone) "deleting role with implied role fails" [Critical,In progress] - Assigned to Alexander Makarov (amakarov) [14:39]
bknudson_: what makes this critical? it's breaking the gate? [14:39]
amakarov: stevemar, ^^ [14:39]
amakarov: bknudson_, it actually disables the feature - looks just "high" for me [14:40]
stevemar: bknudson_: critical cause i thought it was broken on all DBs [14:42]
tjcocozz_: bknudson_, i don't see how this bug fixes the problem it is still passing kwargs too get() [14:43]
tjcocozz_: bknudson_, i was looking at this bug https://review.openstack.org/#/c/202760/5 [14:43]
patchbot: tjcocozz_: patch 202760 - python-openstackclient - Same exception handling for gets() in find_resource (ABANDONED) [14:43]
stevemar: being unable to delete a role seems pretty critical to me :\ [14:43]
bknudson_: tjcocozz_: https://review.openstack.org/#/c/202760/5 doesn't fix the bug you were looking at. [14:44]
patchbot: bknudson_: patch 202760 - python-openstackclient - Same exception handling for gets() in find_resource (ABANDONED) [14:44]
stevemar: ayoung: please state why you disagree with henrynash: https://review.openstack.org/#/c/282080/ :O [14:45]
patchbot: stevemar: patch 282080 - keystone - Allow user list without specifying domain [14:45]
bknudson_: tjcocozz_: https://review.openstack.org/#/c/202748/ might be the one [14:45]
patchbot: bknudson_: patch 202748 - python-openstackclient - Query args for get-only [14:45]
tjcocozz_: bknudson_, i doesn't this one pass kwargs to get() as well? https://review.openstack.org/#/c/202748/2/openstackclient/common/utils.py [14:45]
patchbot: tjcocozz_: patch 202748 - python-openstackclient - Query args for get-only [14:45]
bknudson_: tjcocozz_: it passes get_kwargs which isn't kwargs. [14:46]
bknudson_: tjcocozz_: from https://review.openstack.org/#/c/202748/2/openstackclient/identity/v3/project.py , looks like keystone does have query params for /v3/project/<id> [14:47]
patchbot: bknudson_: patch 202748 - python-openstackclient - Query args for get-only [14:47]
bknudson_: tjcocozz_: rebase the change and fix the merge conflicts and see if it fixes the user show problem. [14:48]
tjcocozz_: bknudson_, okay i will [14:49]
stevemar: ayoung: i appreciate your gusto in closing the mitaka bugs [14:51]
tjcocozz_: bknudson_, i understand now. i don't this will work for get(users) since you can't pass any kwargs while in this case you are still passing an empty dictionary. [14:52]
bknudson_: tjcocozz_: like this? http://paste.openstack.org/show/487582/ [14:53]
tjcocozz_: bknudson_, oh that makes sense since it is an empty dictionary of positional arguments [14:54]
bknudson_: tjcocozz_: that should have been **{}, but it works either way [14:55]
tjcocozz_: bknudson_, i understand your point though. [14:55]
bknudson_: tjcocozz_: if you look at the docstring for find_resource it doesn't match how the function works. [14:56]
bknudson_: the docstring says :param kwargs: To be used in calling .find() [14:56]
bknudson_: but kwargs was also used in the call to get() [14:56]
tjcocozz_: bknudson_, haha good eyes, i didn't notice that. [14:57]
tjcocozz_: bknudson_, what if other people are relying on passing their values for the get() through **kwargs? [15:00]
bknudson_: tjcocozz_: then there are going to be a lot of bugs [15:00]
tjcocozz_: bknudson_, i think somewhere in here you need to call manager.get(int(name_or_id), **kwargs) [15:00]
tjcocozz_: bknudson_, i think somewhere in here you need to call manager.get(name_or_id, **kwargs) [15:00]
bknudson_: openstackclient makes a lot of assumptions about how the managers work [15:03]
tjcocozz_: bknudson_, agreed. its hard to follow sometimes [15:05]
stevemar: tjcocozz_: tell that rtheis guy to fix it [15:12]
tjcocozz_: stevemar, i may have too [15:13]
openstackgerrit: Clenimar Filemon proposed openstack/keystoneauth: Add is_domain to keystoneauth token https://review.openstack.org/282377 [15:16]
openstackgerrit: Marek Denis proposed openstack/keystoneauth: Fix docstring in identity.v3.oidc module https://review.openstack.org/282380 [15:21]
openstackgerrit: Brant Knudson proposed openstack/keystone: Remove setting class variable https://review.openstack.org/282383 [15:27]
openstackgerritBrant Knudson proposed openstack/keystone-specs: Cleanup formatting  https://review.openstack.org/28239315:40
*** jaosorior has quit IRC15:44
*** rk4n_ has quit IRC15:44
openstackgerritMerged openstack/keystone-specs: Cleanup formatting  https://review.openstack.org/28239315:46
*** annasort has quit IRC15:53
*** annasort has joined #openstack-keystone15:53
*** jsavak has quit IRC15:57
*** jsavak has joined #openstack-keystone15:59
openstackgerritClenimar Filemon proposed openstack/keystoneauth: Add is_domain to keystoneauth token  https://review.openstack.org/28237716:01
*** clenimar has quit IRC16:04
*** pushkaru has joined #openstack-keystone16:09
*** pcaruana has quit IRC16:10
*** jsavak has quit IRC16:11
*** jsavak has joined #openstack-keystone16:12
openstackgerritwerner mendizabal proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490116:13
*** vivekd has joined #openstack-keystone16:14
*** woodster_ has joined #openstack-keystone16:15
*** mhickey has quit IRC16:21
*** jasonsb has quit IRC16:23
*** mylu has joined #openstack-keystone16:25
*** jbell8 has quit IRC16:25
*** jbell8_ has joined #openstack-keystone16:25
*** diazjf has joined #openstack-keystone16:26
*** phalmos has quit IRC16:27
*** fhubik has quit IRC16:32
*** su_zhang has joined #openstack-keystone16:33
*** belmoreira has quit IRC16:35
*** rderose has quit IRC16:36
*** phalmos has joined #openstack-keystone16:38
*** diazjf has quit IRC16:39
*** josecastroleon has quit IRC16:40
*** josecastroleon has joined #openstack-keystone16:41
notmorganoh hai16:42
*** mylu has quit IRC16:48
*** gyee has joined #openstack-keystone16:48
*** ChanServ sets mode: +v gyee16:48
amakarovayoung, does keystone support sqlite as a backend?16:51
*** su_zhang_ has joined #openstack-keystone16:53
*** links has quit IRC16:53
*** don_nalezyty has joined #openstack-keystone16:54
*** diazjf has joined #openstack-keystone16:55
*** su_zhang has quit IRC16:56
*** jsavak has quit IRC16:56
*** jsavak has joined #openstack-keystone16:57
*** rcernin has quit IRC16:58
ayoungamakarov, not in production16:59
stevemaramakarov: only in tests17:00
*** rderose has joined #openstack-keystone17:02
*** e0ne has joined #openstack-keystone17:02
*** su_zhang_ has quit IRC17:02
notmorganit would be nice if we didnt even need to use it in tests17:03
stevemarnotmorgan: yep17:04
stevemaramakarov and ayoung did one of you want to toss up a new patch for https://review.openstack.org/#/c/281921/ ?17:05
patchbotstevemar: patch 281921 - keystone - Implied roles index with cascading update/delete17:05
amakarovstevemar, working on it17:06
notmorganstevemar: ok patchbot just saved me having to look at the thing to know what it was.17:06
notmorganwoo17:06
stevemaramakarov: cool - just wanted to know, i was about to pull it down :D17:06
stevemari'll review the API support for project cascade instead ^_^17:06
raildoyay17:07
*** mylu has joined #openstack-keystone17:08
*** lhcheng has joined #openstack-keystone17:08
*** ChanServ sets mode: +v lhcheng17:08
*** lhcheng_ has joined #openstack-keystone17:10
*** lhcheng has quit IRC17:10
notmorgan!!17:14
openstacknotmorgan: Error: "!" is not a valid command.17:14
notmorgan>.>17:14
*** josecastroleon has quit IRC17:15
*** josecastroleon has joined #openstack-keystone17:17
*** phalmos has quit IRC17:18
*** lhcheng_ has quit IRC17:23
*** lhcheng has joined #openstack-keystone17:23
*** ChanServ sets mode: +v lhcheng17:23
*** jsavak has quit IRC17:25
openstackgerritBrant Knudson proposed openstack/keystone: Don't mutate input parameter  https://review.openstack.org/28243917:28
openstackgerritBrant Knudson proposed openstack/keystone: Fix inconsistencies between Oauth1DriverV8 interface and driver  https://review.openstack.org/28244017:28
*** jsavak has joined #openstack-keystone17:28
*** rcernin has joined #openstack-keystone17:30
openstackgerritBrant Knudson proposed openstack/keystone: Fix inconsistencies between Oauth1DriverV8 interface and driver  https://review.openstack.org/28244017:30
*** doug-fish is now known as doug_fish17:31
notmorganbknudson_: commented on https://review.openstack.org/#/c/282439/117:31
patchbotnotmorgan: patch 282439 - keystone - Don't mutate input parameter17:31
*** doug_fish is now known as doug-fish17:31
bknudson_bikeshedding!!!17:32
notmorganbknudson_: yep. :) but figured i'd point out that the copy might be superfluous.17:32
stevemarbknudson_: openstack is all about the bikeshedding17:32
notmorgannot that i'd -1 over it.17:32
notmorgan:)17:33
* notmorgan knows bknudson_ likes clean code.17:33
openstackgerritMerged openstack/keystone: Allow user list without specifying domain  https://review.openstack.org/28208017:33
bknudson_I'll give it a shot.17:34
bknudson_notmorgan: for this one, it's probably the caller that should have set the consumer secret (the manager)17:34
notmorganbknudson_: likely17:34
bknudson_rather than having this done in the driver17:34
notmorganbknudson_: in fact, i'd support moving that up to the manager more than having the driver set it17:35
bknudson_ok, let me try that instead.17:35
*** Ephur has quit IRC17:35
notmorganthat seems like business logic not "prepare data to store it" logic17:35
*** dims has joined #openstack-keystone17:35
bknudson_somebody might say that's not backwards-compatible17:35
*** jsavak has quit IRC17:37
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160517:37
notmorganbknudson_: actually, i think it would be17:37
*** GB21 has joined #openstack-keystone17:38
notmorganbknudson_: if they overrode the logic in the driver, it's still overridden17:38
notmorganif they don't the value is still set17:38
*** su_zhang has joined #openstack-keystone17:38
*** jsavak has joined #openstack-keystone17:38
bknudson_you're right.17:38
*** su_zhang has quit IRC17:40
*** su_zhang has joined #openstack-keystone17:41
*** jbell8_ has quit IRC17:41
*** jsavak has quit IRC17:41
*** jsavak has joined #openstack-keystone17:42
*** josecastroleon has quit IRC17:46
openstackgerritMerged openstack/keystone: handle unicode names for federated users  https://review.openstack.org/27990817:47
*** josecastroleon has joined #openstack-keystone17:47
stevemarnotmorgan: bknudson_ can you guys take a peek at https://review.openstack.org/#/c/277436/ ?17:48
patchbotstevemar: patch 277436 - keystone - Return 404 instead of 401 for tokens w/o roles17:48
stevemarlooks like it needs love17:49
stevemarlbragstad is out for a few days17:49
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160517:49
notmorganstevemar: -2, taking the ball and going home :P oh i mean.. yeah i'll look at it17:49
openstackgerritAlexander Makarov proposed openstack/keystone: Implied roles index with cascading update/delete  https://review.openstack.org/28192117:50
notmorganhuh17:50
notmorganwhy did he add ._get_token_id ?17:50
notmorganoh.. oh... ick17:51
notmorganstevemar: this is.. euuwww.17:51
bknudson_ick pretty much covers all the token generation code17:51
*** phalmos has joined #openstack-keystone17:51
notmorganbknudson_: it's better than what we had in havana17:52
notmorganbknudson_: but ... thats not saying much17:52
stevemarnotmorgan: i asked you since you did all that token refactoring business :\17:52
notmorgan'damnation through faint praise'17:52
amakarovayoung, I have a stupid question: what's the proper way to run keystone functional tests?17:53
stevemarheeh17:53
lbragstad_what's up? sounds like questions on the token provider stuff?17:53
stevemarayoung: amakarov: we dont have functional tests for keystone set up yet :(17:53
notmorganlbragstad_: oh hi. yes. also if youre driving, get off irc :)17:53
notmorganstevemar: you put the FUN in functional :P17:54
lbragstad_notmorgan lol not currently17:55
notmorganlbragstad_: ok. then you can stay ;)17:55
lbragstad_notmorgan what can I help with?17:55
ayoungdstanek, ^^  amakarov has a question for you17:55
*** petertr7 is now known as petertr7_away17:55
amakarovstevemar, well, I assume, I have to convince others that this works by betting my word on that? :)17:55
notmorganlbragstad_: https://review.openstack.org/#/c/277436/3 test failing!17:55
patchbotnotmorgan: patch 277436 - keystone - Return 404 instead of 401 for tokens w/o roles17:55
notmorganlbragstad_: it's all 'splody17:55
openstackgerritBrant Knudson proposed openstack/keystone: Fix inconsistencies between Oauth1DriverV8 interface and driver  https://review.openstack.org/28244017:56
openstackgerritBrant Knudson proposed openstack/keystone: Oauth1 manager sets consumer secret  https://review.openstack.org/28243917:56
*** annasort has quit IRC17:56
amakarovdstanek, can you please help me with functional testing here: https://review.openstack.org/#/c/281921/ ?17:56
patchbotamakarov: patch 281921 - keystone - Implied roles index with cascading update/delete17:56
*** annasort has joined #openstack-keystone17:56
stevemaramakarov: yeah, not sure what to do about that18:01
stevemarnotmorgan: advice?18:01
notmorganstevemar: i have none18:01
stevemardamn18:01
*** jsavak has quit IRC18:01
stevemari could pull it down and test it, but... that doesn't scale well :)18:01
notmorganoh wait i do. don't use sqlite18:02
notmorgan:P18:02
*** jsavak has joined #openstack-keystone18:03
amakarovnotmorgan, you saved my day! ))18:03
stevemari'm kinda excited about all the networking commands we added to osc this release :)18:04
stevemarit's pretty slick18:04
stevemarhttps://github.com/openstack/python-openstackclient/blob/master/setup.cfg#L326-L34518:04
amakarovstevemar, maybe try creating rally scenario? We have non-voting job...18:04
stevemaramakarov: true18:05
notmorganstevemar: experimental18:05
stevemaryep18:05
notmorganamakarov: ^18:05
stevemari knows18:05
stevemaroh, i wonder how our uwsgi job is doing?!18:05
stevemarbknudson_: that merged18:05
stevemarbknudson_: gate-tempest-dsvm-keystone-uwsgi-full-nvNOT_REGISTERED (non-voting)18:06
stevemarwomp womp18:06
notmorganhttp://logs.openstack.org/83/282383/1/check/gate-tempest-dsvm-keystone-uwsgi-full-nv/446fb00/18:06
*** jbell8 has joined #openstack-keystone18:07
lbragstad_notmorgan raildo gyee responded - https://review.openstack.org/#/c/277436/318:07
patchbotlbragstad_: patch 277436 - keystone - Return 404 instead of 401 for tokens w/o roles18:07
lbragstad_that's new18:07
notmorganlbragstad_: yep18:07
raildolbragstad_: thanks lbragstad_ :)18:08
raildoso many repetitions... sorry18:08
lbragstad_raildo no problem - I didn't get around to refactoring the tests, but that shouldn't be too bad. I would assume most of that work is just changing the exception to match NotFound instead of Unauthorized.18:09
stevemarnotmorgan: i also +2'ed TOTP, so that happened18:09
notmorganwuuuuuut!?18:10
notmorgan:P18:10
gyeelbragstad, I think moving that check higher up would be able to catch all18:12
gyeenotmorgan, stevemar, so I want to test the totp patch along with my keystoneauth1 plugin18:12
gyeeproblem is openstack client still loading the plugins from keystoneclient namespace18:13
stevemargyee: i am OK with you +2/+W the TOTP patch18:13
stevemarif you think it's ready18:13
gyeewhen are we expecting to switch over to keystoneauth1 namespace?18:13
stevemargyee: when someone does the work?18:13
gyeestevemar, hah18:13
notmorgangyee: when osc moves to ksa?18:13
gyeestevarmar, yeah, the totp patch looks good now18:13
gyeenotmorgan, right18:14
gyeeright now it's still loading the plugins from keystoneclient namespace18:14
stevemargyee: you bet it does!18:14
lbragstad_gyee works for me - I'll try and get another version uploaded... I've moved it to WIP until then18:14
gyeelbragstad_, thank you sir18:14
stevemargyee:  i wanted to look into that this week, but things came up18:14
gyeestevemar, notmorgan, is it OK to park the totp auth plugin in keystoneauth for now18:15
gyee?18:15
stevemargyee: of course18:15
notmorganyep18:15
gyeeallllrighty then18:15
stevemargyee: i didn't want the totp in keystoneauth merged, just a strategy for it18:16
*** arunkant has quit IRC18:16
*** vivekd has quit IRC18:16
*** arunkant has joined #openstack-keystone18:16
raildolbragstad_: that was what i thought, if you want some help, I can work on it18:17
*** josecastroleon has quit IRC18:17
*** chlong_ has quit IRC18:18
stevemarraildo: lbragstad_ is away for a few days, if you want to post a new version, please do18:18
*** josecastroleon has joined #openstack-keystone18:18
raildostevemar: so, I will, thanks18:19
stevemargyee: oops, the TOTP fail is a legit fail18:19
*** aginwala has joined #openstack-keystone18:20
*** mylu has quit IRC18:20
gyeestevemar, ah shucks, let me see18:20
stevemargyee: commented18:21
stevemarman i got really hungry all of a sudden18:21
*** dims_ has joined #openstack-keystone18:22
gyeefoood18:22
*** browne has joined #openstack-keystone18:23
*** dims has quit IRC18:25
*** Dave has quit IRC18:25
*** david8hu has quit IRC18:25
*** mariusv has quit IRC18:25
*** haneef has quit IRC18:25
*** sshen has quit IRC18:25
*** krotscheck has quit IRC18:25
*** dobson has quit IRC18:25
*** marekd has quit IRC18:25
*** clayton has quit IRC18:25
*** mkoderer__ has quit IRC18:25
*** aginwala has quit IRC18:25
*** krotscheck has joined #openstack-keystone18:25
*** haneef has joined #openstack-keystone18:25
*** david8hu has joined #openstack-keystone18:25
*** Dave_____ has joined #openstack-keystone18:26
*** sshen has joined #openstack-keystone18:26
*** clayton has joined #openstack-keystone18:26
*** dobson has joined #openstack-keystone18:26
*** mkoderer__ has joined #openstack-keystone18:27
*** marekd has joined #openstack-keystone18:27
*** gordc has quit IRC18:27
*** miguelgrinberg has quit IRC18:27
*** bradjones has quit IRC18:27
*** raginbajin has quit IRC18:27
*** SamYaple has quit IRC18:27
*** blogan has quit IRC18:27
*** jdennis has quit IRC18:27
*** lifeless has quit IRC18:27
*** SamYaple has joined #openstack-keystone18:27
*** raginbaj- has joined #openstack-keystone18:27
*** blogan has joined #openstack-keystone18:27
*** lifeless has joined #openstack-keystone18:27
*** david-lyle has joined #openstack-keystone18:27
*** jdennis has joined #openstack-keystone18:28
*** bradjones has joined #openstack-keystone18:28
*** bradjones has quit IRC18:28
*** bradjones has joined #openstack-keystone18:28
*** clayton_ has joined #openstack-keystone18:28
*** miguelgrinberg has joined #openstack-keystone18:28
*** clayton has quit IRC18:28
*** raginbaj- is now known as raginbajin18:29
*** flaper87 has quit IRC18:29
*** flaper87 has joined #openstack-keystone18:29
*** gordc has joined #openstack-keystone18:29
*** clayton_ is now known as clayton18:29
openstackgerritMerged openstack/keystoneauth: Fix docstring in identity.v3.oidc module  https://review.openstack.org/28238018:30
*** wanghua has quit IRC18:30
*** jdennis has quit IRC18:33
*** lhcheng has quit IRC18:35
*** lhcheng has joined #openstack-keystone18:35
*** ChanServ sets mode: +v lhcheng18:35
*** wanghua has joined #openstack-keystone18:36
*** pushkaru has quit IRC18:36
dstanekamakarov: did you get your question answered?18:37
amakarovdstanek, no.18:37
* amakarov digging into rally18:38
dstanekgyee: are you working on https://review.openstack.org/#/c/274901 ? i have a few more changes to push18:38
dstanekamakarov: what's the question?18:38
amakarovhow to run functional tests18:38
dstanekamakarov: tox -e functional18:39
amakarovdstanek, do we have it in gerrit?18:40
dstanekamakarov: nothing in jenkins runs that yet. i think there are still outstanding reviews for stuff.18:40
amakarovdstanek, ok, understood18:40
gyeedstanek, yeah, just need to catch the TypeError in the plugin when base32 decode fails18:41
gyeedstanek, maybe you can just that line18:42
dstanekgyee: ok, i'll wait for you then18:42
dstanekgit st18:42
dstaneklol18:42
openstackgerritguang-yee proposed openstack/keystone: Time-based One-time Password  https://review.openstack.org/27490118:42
gyeedstanek, she's all yours18:42
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/28160118:43
dstanekgyee: thx18:44
dstanekgyee: did you add a test showing the typeerror?18:45
amakarovdstanek, what does it mean: "db type could not be determined" ?18:45
dstanekamakarov: you have to delete your .testrepository directory18:45
gyeedstanek, no, it's the same test for corrupted cred18:46
dstanektest tools in python 3 don't work when it is created with python218:46
dstanekgyee: that triggered a typeerror?18:46
gyeedstanek, yes, for py2718:46
gyeebut not py3418:46
*** petertr7_away is now known as petertr718:47
dstanekhmm...that's strange because the tests passed without it18:47
gyeedecode returns either TypeError or ValueError18:47
bknudson_stevemar: I just did what they told me to do!18:48
*** josecastroleon has quit IRC18:48
*** doug-fish has quit IRC18:48
gyeeI think TypeError is returned if it detects a non-base32 digit, ValueError for incorrect padding maybe18:48
gyeeI'll need to check the doc18:48
notmorgandstanek: *shrug*18:49
dstanekgyee: did you actually see a TypeError raised or is it caught somewhere?18:49
dstaneknotmorgan: ?18:49
*** josecastroleon has joined #openstack-keystone18:49
dstanekgyee: i was actually thinking of dropping the except keyerror, valueerror since nothing actually triggers it18:50
rodrigodsgyee, ping... about x509. Does it have support in keystonemiddleware already?18:50
*** doug-fish has joined #openstack-keystone18:50
*** sdake_ is now known as sdake18:50
dstanekgyee: actually coverage is showing me that it is, but the method never fails18:51
gyeerodrigods, not yet, Sam's working on it18:52
gyeedstanek, strange, I can reproduce the failure in my dev env18:52
rodrigodsgyee, so tokenless auth can't be used yet by service users, right? or is there a hack that we can do?18:52
rodrigodstokenless auth with x50918:53
*** browne has quit IRC18:53
dstanekgyee: can you give me the stacktrace?18:53
gyeedstanek, http://paste.openstack.org/show/487613/18:54
*** doug-fish has quit IRC18:55
*** EinstCrazy has quit IRC18:56
*** rcernin has quit IRC18:56
dstaneknonameentername: you around?18:56
dstanekgyee: yeah, i can see that block being hit now18:57
gyeedstanek, I don't think we need that padding code18:57
gyeeif base32 decode fails, we bail18:58
gyeeno need for artificial padding18:58
dstanekgyee: we do only because in the documentation we are telling users to strip out the padding18:58
gyeewhy?18:59
dstanekgyee: not sure18:59
*** spzala has quit IRC18:59
dstaneki would have to defer to nonameentername18:59
gyeetotp credential should be done via provisioning18:59
gyeeno need to manually manipulate it at all18:59
dstanekgyee: i don't follow. the user won't be able to manage credentials themselves?19:00
gyeerodrigods, right, Sam's working on an X.509 auth plugin right now, he'll post a WIP patch soon19:00
rodrigodsgyee, got it... thanks! please add me as reviewer :)19:00
gyeerodrigods, sure, I'll let him know19:01
gyeedstanek, they can, but that's usually done via a provisioning tool, like openstack CLI or UI19:01
gyeethey don't have to do the base32 dance themselves19:01
*** petertr7 is now known as petertr7_away19:02
*** jsavak has quit IRC19:02
*** jsavak has joined #openstack-keystone19:03
*** browne has joined #openstack-keystone19:03
gyeerodrigods, actually, https://review.openstack.org/#/c/246615/19:05
patchbotgyee: patch 246615 - python-keystoneclient - Auth plugin for X.509 tokenless authz (ABANDONED)19:05
gyeebut he'll have a better version up soon19:05
rodrigodsgyee, i saw that, was trying to find the keystoneauth one19:05
rodrigods:)19:05
gyeeyeah, he's working that one19:06
*** mylu has joined #openstack-keystone19:08
*** ktychkova has quit IRC19:09
openstackgerritSteve Martinelli proposed openstack/keystone: Implied roles index with cascading update/delete  https://review.openstack.org/28192119:11
openstackgerritBrant Knudson proposed openstack/keystone: Remove useless {} from __table_args__  https://review.openstack.org/28251019:11
stevemarayoung: not sure we can do a functional test for https://review.openstack.org/#/c/281921/19:12
patchbotstevemar: patch 281921 - keystone - Implied roles index with cascading update/delete19:12
stevemarbut we need the fix, i tested it manually and it works19:12
ayoungstevemar, good to know.  Lets put in a bug for the functional test and drive on with this19:13
ayoungstevemar, first functional test should be moving our migration tests to MySQL19:14
stevemarayoung: alright -- meh to the bug for this specific issue, i'd say it's part of the larger overall effort to not use sqlite19:14
stevemaryep19:14
ayoungstevemar, without a functional test this is untested, so bug for this one, I'd say19:15
stevemaralrighty19:16
stevemarayoung: my counter to that is all our FKs and cascades are untested :)19:16
*** mariusv has joined #openstack-keystone19:17
*** mariusv is now known as Guest6173619:17
*** e0ne has quit IRC19:18
ayoungstevemar, that would be a good name for the bug19:18
*** josecastroleon has quit IRC19:19
*** josecastroleon has joined #openstack-keystone19:20
dstanekgyee: do you think i should remove the padding then and just expect people to supply the padding if they use the credentials api?19:21
*** rcernin has joined #openstack-keystone19:23
*** e0ne has joined #openstack-keystone19:23
*** e0ne has quit IRC19:25
*** petertr7_away is now known as petertr719:26
*** timcline_ has joined #openstack-keystone19:26
stevemarayoung: dolphm getting a poke internally about this bug: https://bugs.launchpad.net/keystone/+bug/150331219:27
openstackLaunchpad bug 1503312 in OpenStack Identity (keystone) "Optimization: Don't rebuild revoke-tree in each validate-token call" [Medium,In progress] - Assigned to Sonali (sonali-pitre)19:27
stevemarlooks like memoize doesn't work on a multi-node keystone19:28
dolphmnotmorgan: ^19:29
notmorganstevemar: memoize works fine19:30
notmorganstevemar: you must share a common memcache backen19:30
notmorgand19:30
notmorganon the multi-node keystone19:30
stevemarnotmorgan: looks like they did that, according to the bug report?19:30
notmorgannope clearly not.19:30
notmorganthe tree is still rebuilt, just the DB query is not19:31
stevemarnotmorgan: https://bugs.launchpad.net/keystone/+bug/1503312/comments/1519:32
openstackLaunchpad bug 1503312 in OpenStack Identity (keystone) "Optimization: Don't rebuild revoke-tree in each validate-token call" [Medium,In progress] - Assigned to Sonali (sonali-pitre)19:32
notmorganor they have something else going on19:32
notmorganOR the revoke event is generally not cachable because the query is different19:32
notmorganbasically, the revoke tree is icky and hard to cache.19:32
stevemarnotmorgan: so it could still be a legit bug?19:33
ayoungstevemar, as I said, it is supposed to use Memoize. I don't know how you could avoid rebuilding the tree without that19:33
gyeedstanek, I think we should remove the padding19:33
notmorganunlikely19:34
ayoungand dropping a slew of the revocation events would also reduce it19:34
notmorganit is unlikely a real bug19:34
dstanekgyee: ok, i'll do that and update the docs19:34
gyeeI think it was there to help curl testing19:34
ayoungso...meh?19:34
dstanekgyee: why do you think that?19:34
gyeelike 'I hate to encode the '=' in curl!' :_19:34
gyee:)19:34
notmorganstevemar: also, remember depending on what version of keystone, there was the kvs backend that wasn't really using memoize correctly19:35
notmorganstevemar: i am guessing they are doing master-master-master keystone19:36
stevemarnotmorgan: ayoung, is there anything in the config that should be changed?19:36
notmorganand galera gets granky19:36
notmorgancranky*19:36
notmorganthe deadlocks are likely a sign of that19:36
gyeedstanek, we'll need to update the docs when the auth plugin and openstackclient patches land19:36
notmorganalso are we using select for update? /me should check19:36
notmorgancause that results in a deadlock that you need to rollback in galera19:36
*** mylu has quit IRC19:36
notmorgandeadlock is the error: rollback fixes19:37
ayoungstevemar, I don't know.  I have not really thought about that in a long time.  I could see the "stale tree" thing happening19:37
notmorganthen retry19:37
ayoungso, cache timeout needs to be relatively short.  But not rebuild every time19:37
stevemarayoung: according to the bug, its 120019:37
ayoungstevemar, I commented on the review and there was no follow up19:38
notmorganstevemar: the best thing they can do is put a null revoke driver in for uuid19:38
notmorganthat just does no revocation event storage and returns empty lists19:39
notmorganstevemar: that will eliminate their problem19:39
ayoungstevemar, note that I said "Is the MEMOIZE the problem? If So, remove the decorator code as well."19:39
notmorganayoung: memoize is not the problem.19:39
notmorganayoung: they're getting deadlocks in the db19:39
ayoungnotmorgan, and then the rest of my comment stands19:39
notmorganayoung: among other things19:39
ayoungok19:39
notmorgani'm almost certain they are doing master-master-master all writing to the local dbs in galera19:40
notmorganbased on the info19:40
notmorganwhich will net weird behaviors19:40
stevemarnotmorgan: can you comment in the bug? just a few lines19:40
openstackgerritAlexander Makarov proposed openstack/keystone: Implied roles index with cascading update/delete  https://review.openstack.org/28192119:40
notmorgangalera recommends write to one place.19:40
*** su_zhang has quit IRC19:41
amakarovstevemar, oops :) ^^19:41
stevemaramakarov: it's OK :)19:41
*** su_zhang has joined #openstack-keystone19:41
amakarovstevemar, if rally test fails we can fix it later19:41
stevemaramakarov: yep19:42
*** mylu has joined #openstack-keystone19:43
notmorganstevemar: commented19:45
*** rcernin has quit IRC19:45
notmorganstevemar: but basically, i moved it back to incomplete19:45
notmorganthere are 2-3 reports of things going on19:46
*** su_zhang has quit IRC19:46
notmorganthis is not a confined bug "we have an issue rebuilding the tree all the time", "we have db deadlocks", etc19:46
*** mylu has quit IRC19:48
*** josecastroleon has quit IRC19:50
*** jsavak has quit IRC19:50
*** josecastroleon has joined #openstack-keystone19:50
*** jsavak has joined #openstack-keystone19:51
notmorganstevemar: -2 on that patch19:51
notmorganstevemar: addressing @memoize issue if there are any will result in the -2 being lifted19:52
notmorganstevemar: but i am very very very against implementing an in-process cache like they are doing.19:52
openstackgerritBrant Knudson proposed openstack/keystoneauth: Cleanup docstrings in session module  https://review.openstack.org/28251819:52
notmorganit's the wrong approach.19:52
notmorgandolphm: ^ cc19:52
dolphmstevemar: what was the internal poke you got, anyway?19:53
dolphmstevemar: did someone reproduce the issue? that's what i was really waiting to hear on the bug report, because otherwise i agree with notmorgan and ayoung19:54
notmorgani am guessing they are causing invalidate churn19:54
stevemardolphm: just a poke about the status of the bug and the patch, i hadn't been following it too closely so i wasn't aware of the desire for feedback from y'all19:54
notmorgandolphm: basically deleting tokens.19:54
dolphmstevemar: but why did someone care about the bug?19:54
notmorganwhich will invalidate cache issue a new one.19:55
notmorgannew event*19:55
stevemardolphm: cause they filed it?19:55
dolphmstevemar: oh, i assumed you meant someone not in the bug discussion19:55
dolphmwhen you said "internal" poke19:55
stevemardolphm: no, they were actually waiting for more feedback19:55
stevemardolphm: they poked me!19:55
stevemardolphm: looks like it was a holding pattern :)19:56
notmorganso, my guess is: logout/delete of token explicitly19:57
notmorganand their "fix" wont "fix" the issue19:58
notmorganor, #2, their memcache server is wildly underspec on memory and is LRUing out the pages.19:58
*** jsavak has quit IRC19:59
*** jsavak has joined #openstack-keystone20:00
*** gordc has quit IRC20:02
*** diazjf has quit IRC20:11
*** Dave_____ is now known as Dave20:13
*** su_zhang has joined #openstack-keystone20:14
samueldmqhtruta: raildo: you guys updating 244248 ?20:17
raildosamueldmq: working on it20:17
*** nkinder has quit IRC20:17
samueldmqraildo: perfect!20:18
*** su_zhang has quit IRC20:18
*** josecastroleon has quit IRC20:20
*** josecastroleon has joined #openstack-keystone20:22
samueldmqraildo: htruta: tjcocozz_: I actually liked the API examples we had in 27483620:23
* tjcocozz_ is looking20:23
htrutasamueldmq: but those were endpoints. Now we don't have endpoints20:24
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424820:24
samueldmqhtruta: why can't we just have modified it to PATCH /projects/{project_id}?cascade20:26
samueldmqhtruta: it's still an endpoint being executed with a query param, isn't it ?20:26
htrutasamueldmq: it is not the template of it. The sections are for specific calls20:26
samueldmqhtruta: I am not against it, but I think it's more useful and clearer if we have examples20:26
htrutasamueldmq: a query param does not create a new endpoint20:27
samueldmqhtruta: so add ?cascade to the examples of PATCH /projects/{id}20:28
samueldmqwhich is an endpoint and has examples ?20:28
htrutasamueldmq: that makes total sense!! good idea20:28
samueldmqhtruta: ++20:28
*** dims_ has quit IRC20:31
*** jsavak has quit IRC20:34
*** jsavak has joined #openstack-keystone20:35
openstackgerritBrant Knudson proposed openstack/keystoneauth: Cleanup docstrings in session module  https://review.openstack.org/28251820:37
notmorganstevemar: some dude in australia keeps trying to take over my IRC account :P20:37
notmorganstevemar: [misconfigured client i think]20:38
notmorganbut endless nickserv auth failures and SASL auth failures20:38
notmorganhehe20:38
openstackgerritBrant Knudson proposed openstack/keystoneauth: Cleanup docstrings  https://review.openstack.org/28251820:39
openstackgerritBrant Knudson proposed openstack/keystoneauth: Cleanup docstrings  https://review.openstack.org/28251820:42
*** diazjf has joined #openstack-keystone20:42
*** sdake has quit IRC20:44
*** diazjf has quit IRC20:48
*** josecastroleon has quit IRC20:51
*** ayoung has quit IRC20:52
*** josecastroleon has joined #openstack-keystone20:53
*** diazjf has joined #openstack-keystone20:54
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Separate user identities  https://review.openstack.org/27857020:56
*** jasonsb has joined #openstack-keystone20:58
*** timcline_ has quit IRC21:04
*** su_zhang has joined #openstack-keystone21:11
*** notmorgan is now known as morgan21:13
*** e0ne has joined #openstack-keystone21:16
*** e0ne has quit IRC21:21
*** jbell8 has quit IRC21:22
*** josecastroleon has quit IRC21:22
*** jbell8 has joined #openstack-keystone21:23
*** Ephur has joined #openstack-keystone21:23
*** josecastroleon has joined #openstack-keystone21:24
*** jasonsb has quit IRC21:24
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916221:25
*** lucas_ has joined #openstack-keystone21:25
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916221:26
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424821:30
raildorodrigods, ^ =D21:31
bretonnotmorgan should complain not to stevemar, but to jamielennox. he is Australia-core.21:34
morganhm?21:34
stevemarhaha21:34
rodrigodsraildo, great!21:34
morganoh21:34
morganhah21:34
stevemar:)21:34
stevemarwe can get jamielennox to find this fake morgan21:34
morganstevemar: cause clearly jamielennox knows everyone in australia21:34
raildorodrigods, now, let's get a beer and enjoy the weekend \o/21:35
stevemarraildo: rodrigods i'll be doing the same!21:35
stevemarmorgan: obviously21:35
raildostevemar, yay =D21:35
rodrigodsraildo, stevemar cheers21:35
bretontomorrow is a normal business day in russia21:36
kfox1111seeing a very weird problem with our neutron server. I'm contemplating trying switching from pki tokens to uuid ones. can this be done on the fly without restarting/reconfiguring all the openstack services?21:36
rodrigodsbreton, whaaat?21:36
bretonbut then monday and tuesday are holidays21:37
rodrigodshmm nice21:37
stevemarkfox1111: probably need to restart keystone21:37
kfox1111yeah. was assuming that one. but will the clients automatically switch over to uuid processing?21:38
kfox1111basically just stop keystone, switch backend to uuid, delete * from tokens, and restart keystone?21:39
stevemarkfox1111: they should... a bunch won't be validated21:39
stevemarkfox1111: what you said, yes21:39
stevemarkfox1111: the clients (keystonemiddleware) shouldn't need to change i think21:39
stevemarlet me take a quick look21:40
kfox1111(the problem at the moment seems to be neutron spawning off openssl processes faster than it can feed them, which is causing retransmits, and then more processes forked... neutron's basically broken... not sure if this is a cause or an effect, but an issue)21:41
morgankfox1111: you'll need to restart neutron unfortunately, keystone can't validate multiple types of tokens at once, so if there is any fall back to asking keystone action, you'll fail.21:41
kfox1111(kind of wonder if switching to uuid tokens will speed things back up enough to clear things)21:41
stevemarkfox1111: might have to unset a few config options in keystonemiddleware (like keyfile / certfile)21:42
morganmiddleware should just work even with certs still in config though if it gets a uuid token it should be sane. - the issue depends on what version a few versions of ksm did a bad job of handling a broken service token21:43
stevemarerr signing_dir actually21:43
morganswitching token formats really isn't an "on-the-fly" kind of thing afaik21:43
kfox1111yeah, signing_dir is set...21:43
kfox1111was afraid of that...21:43
*** edmondsw has quit IRC21:44
kfox1111the existing production services hosted out of the cloud are still working....21:44
*** dave-mccowan has quit IRC21:44
kfox1111really don't want to restart neutron-openvswitch-agent21:44
*** timcline has quit IRC21:46
kfox1111it would probably work on the fly if we were going from uuid->fernet... but the pki one.... :/21:46
*** e0ne has joined #openstack-keystone21:47
kfox1111so the middleware doesn't pick the processing path based on something in the token?21:47
kfox1111the config determines if its pki or uuid?21:47
*** e0ne has quit IRC21:48
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424821:48
morgankfox1111: it's from the token, but some versions of KSM don't handle as well when you invalidate their token out from under them21:49
morgankfox1111: it's a lot safer to restart services.21:49
morgankfox1111: even uuid -> fernet isn't really guaranteed21:49
*** josecastroleon has quit IRC21:53
*** josecastroleon has joined #openstack-keystone21:54
*** dave-mccowan has joined #openstack-keystone21:57
*** phalmos has quit IRC22:01
*** timcline has joined #openstack-keystone22:03
*** lucas_ has quit IRC22:04
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358522:04
samueldmqstevemar: ping22:06
kfox1111morgan: oh, really? ok. I was considering migrating to uuid so later I could switch seamlessly to fernet.22:07
kfox1111but I'll just skip the uuid step then.22:07
morgankfox1111: might be easier22:08
morgankfox1111: you'll likely run into much the same issues. if moving between pki -> uuid is painful, moving uuid->fernet will be different painful22:08
dolphmmorgan: reading back... but not seeing the uuid->fernet pain you're referring to?22:09
*** jsavak has quit IRC22:09
kfox1111so far, it seems like it was a neutron + file descriptor limit + nova-api retries and pki validation all working badly together.22:09
morgandolphm: just in general, moving between token formats is going to be painful22:09
kfox1111neutron server was spawning openssl processes, zombies started piling up, then enough openssl processes stacked up, they starved out even reading, then ran out of file descriptors. :/22:09
dolphmmorgan: afaik, ksm should just start calling back to keystone when it's not clearly a PKI token22:10
dolphmmorgan: this is a good question for mfisch22:10
morgandolphm: should. but there were versions of ksm that were really broken22:10
*** annasort has quit IRC22:10
dolphmmorgan: oh22:10
dolphmwas not aware22:10
mfischwhats up?22:10
morgandolphm: i've never seen a clean change token format w/o restarting services play22:10
mfischwe bounced everything22:10
dolphmmfisch: in your experience, did you have to restart other services (i.e. keystonemiddleware.auth_token) when switching to fernet?22:10
morganit might work in some cases, but i don't think we've ever tested it...sooooooo22:10
mfischyes22:11
morganso "if it isn't tested it is broken"22:11
dolphmmfisch: what was the consequence if you didn't?22:11
mfischand the reason why is that I had an old middleware that couldnt handle invalid tokens22:11
morgangonna stand by this one22:11
mfischthat was supposed to be fixed22:11
dolphmah22:11
mfischIIRC my old middleware kept tokens for an hour22:11
morgandolphm: :) but we still don't test swapping token formats22:11
mfischbouncing API services is pretty meh for us22:11
morganso i make no warranties and will recommend bouncing things22:11
kfox1111:)22:11
mfischI thought recent middleware would say "hey this token isnt working, better get a new one!"22:11
mfischwhich would just "work"22:12
morganmfisch: it should22:12
kfox1111if neutron could bounce services without dropping things off the network, it would be just fine with us.22:12
mfischso I agree it should and I didnt try it22:12
mfischkfox1111: you can restart neutron-server all day long bro22:12
kfox1111I've rarely seen that happen though. :/22:12
dolphmoooh, the middleware *own* token... not tokens it was trying to validate.22:12
mfischkfox1111: dont bounce the ovs-plugin or l3 agent22:12
morganbut .. we don't test swapping the token format out :P so by that token... it's broken in openstack, or likely to be broken randomly22:12
mfischdolphm: yep22:12
morgandolphm: yeah it's the ksm's own token22:12
mfischthe service's own personal token22:12
mfischWe have a list of "safe" services to restart, for stuff like this or when rabbit dies22:13
dolphmi'd hope things based on keystoneauth are now solid22:13
kfox1111oh, thats right... openvswitch-agent probably doesn't use a keystone token...22:13
mfischyep22:13
kfox1111probably l3-agent too...22:13
mfischprobably only neutron-server22:13
kfox1111ok. cool. that should be safe then.22:13
*** petertr7 is now known as petertr7_away22:13
morganuntil we start testing swap token format out mid-flight i just am not comfortable recommending people swap formats w/o bouncing the services22:13
morganit likely isn't a bad test to write22:13
*** jsavak has joined #openstack-keystone22:13
mfischkfox1111: for neutron we ONLY did neutron-server22:13
kfox1111we're going to have to bounce things when we do liberty soon, so I'll just do it then.22:13
morganand yeah only neutron-server i think has ksm22:14
mfischwould be cool to see if it just worked if you have a newish keystone middleware22:14
kfox1111just didn't want to bounce things on a friday when things were kind of broken.22:14
kfox1111if the issue really was just invalid token handling bugs,22:14
kfox1111then you could just test for that case.22:14
mfischkfox1111: we dont touch neutron-dhcp-agent neutron-metadata-agent neutron-l3-agent or neutron-plugin-openvswitch-agent22:14
kfox1111cool. that helps. :)22:15
mfischonce on fernet the only real change to a service like neutron is that the token it has suddenly is broken22:15
mfischkfox1111: let me post my whole list, its probably over kill for a token format swap22:15
mfischkfox1111: https://gist.github.com/matthewfischer/6c564366b7538a422feb22:16
mfischagain thats overkill but safeish22:16
mfischalso good for when rabbit has a problem22:16
mfischkfox1111: if you decide not to restart stuff let me know what happens please22:16
openstackgerritRaildo Mascena proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424822:20
openstackgerritMerged openstack/keystone: Oauth1 manager sets consumer secret  https://review.openstack.org/28243922:20
kfox1111mfisch: awesome. thanks. :)22:20
mfischgood luck22:20
mfischits nowhere NEAR as bad as upgrading rabbit or openstack22:21
kfox1111mfisch: I think I got the error cleared for now. I'm going to push mgmt to let me get to liberty, then I'll enable fernet at the same time.22:21
kfox1111I'm running fernet tokens fine in prod with one of our liberty clouds. not sure I want to try it on kilo.22:21
mfischwe've only run it on kilo so far22:21
mfischwe're not on L yet22:21
mfischexcept for a few services22:22
kfox1111oh. run into any issues?22:22
mfischIIRC we needed something in horizon22:22
mfischbut we run horizon pretty close to master22:22
mfischno other issues22:22
mfischservices mostly dont care what the token is, could be a cat picture for all they care22:22
kfox1111yeah, I thought I remember a fernet token issue. which was why I was waiting for liberty.22:23
kfox1111but I could run liberty horizon too, with kilo everything else.22:23
mfischour horizon guy says "certain version of django openstack auth needed from approx > Feb 2015"22:23
kfox1111sounds about right.22:24
*** josecastroleon has quit IRC22:24
*** browne has quit IRC22:25
*** josecastroleon has joined #openstack-keystone22:25
*** browne has joined #openstack-keystone22:26
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/28160122:27
*** jbell8 has quit IRC22:27
*** annasort has joined #openstack-keystone22:28
*** henrynash has quit IRC22:31
*** mylu has joined #openstack-keystone22:31
*** annasort has quit IRC22:32
*** mylu has quit IRC22:32
*** mylu has joined #openstack-keystone22:32
*** sdake has joined #openstack-keystone22:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160522:34
*** dims has joined #openstack-keystone22:36
*** diazjf1 has joined #openstack-keystone22:36
*** diazjf has quit IRC22:38
*** ninag has quit IRC22:39
*** annasort has joined #openstack-keystone22:41
*** annasort has quit IRC22:45
openstackgerritMerged openstack/keystone: Fix inconsistencies between Oauth1DriverV8 interface and driver  https://review.openstack.org/28244022:49
*** su_zhang has quit IRC22:50
openstackgerritMerged openstack/keystoneauth: Cleanup docstrings  https://review.openstack.org/28251822:50
*** su_zhang has joined #openstack-keystone22:50
*** david-lyle has quit IRC22:50
*** david-lyle has joined #openstack-keystone22:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/28160522:51
*** su_zhang has quit IRC22:52
*** su_zhang has joined #openstack-keystone22:52
*** david-lyle has quit IRC22:54
*** david-lyle has joined #openstack-keystone22:54
*** josecastroleon has quit IRC22:55
*** josecastroleon has joined #openstack-keystone22:57
*** mylu has quit IRC23:05
*** mylu has joined #openstack-keystone23:08
*** annasort has joined #openstack-keystone23:13
*** slberger has left #openstack-keystone23:14
*** annasort has quit IRC23:18
*** roxanaghe has joined #openstack-keystone23:22
*** sigmavirus24 is now known as sigmavirus24_awa23:22
*** mylu has quit IRC23:24
*** jsavak has quit IRC23:26
*** josecastroleon has quit IRC23:26
*** roxanagh_ has joined #openstack-keystone23:27
*** pushkaru has joined #openstack-keystone23:27
*** josecastroleon has joined #openstack-keystone23:27
*** mylu has joined #openstack-keystone23:29
*** david-lyle_ has joined #openstack-keystone23:29
*** david-lyle has quit IRC23:30
*** roxanaghe has quit IRC23:30
*** mylu has quit IRC23:30
*** mylu has joined #openstack-keystone23:30
*** sdake has quit IRC23:35
*** annasort has joined #openstack-keystone23:35
*** mylu has quit IRC23:39
*** annasort has quit IRC23:39
*** don_nalezyty has quit IRC23:43
*** josecastroleon has quit IRC23:57
*** pushkaru has quit IRC23:58
*** josecastroleon has joined #openstack-keystone23:58
