Wednesday, 2016-02-24

gyeedstanek, correct, we only care about the HMAC for token part00:00
gyeelet the 3rd party middleware deal with the protocol-specific part00:00
dstanekgyee: so if you wanted to remove ec2 for legal reasons you have to delete a bunch of keystone stuff and also keystone client stuff. that means any machine that uses openstack and not just the handful of keystone servers00:01
gyeedstanek, today, yes00:01
gyeebut if we make them self-contained, they become truly optional for deployers00:02
*** su_zhang has quit IRC00:02
*** su_zhang has joined #openstack-keystone00:03
*** su_zhang has quit IRC00:03
dstanekgyee: if we want it optional it has to be in separate installable packages. it's not sustainable to support people deleting things out of the project00:04
*** su_zhang has joined #openstack-keystone00:04
*** sdake has quit IRC00:04
gyeedstanek, only HMAC for token belongs in Keystone00:04
gyeeeverything else is 3rd party package00:04
dstanekec2?00:05
gyee3rd party00:05
*** su_zhang has quit IRC00:05
*** darrenc_afk is now known as darrenc00:05
*** su_zhang has joined #openstack-keystone00:05
*** vilobhmm11 has joined #openstack-keystone00:06
dstanekgyee: so what is your argument for deleting auth plugin code?00:06
*** su_zhang has quit IRC00:06
gyeedstanek, one word, 'plugin'00:06
*** su_zhang has joined #openstack-keystone00:07
dstanekgyee: you are so confusing :-)00:07
gyeeplugin, by definition, is optional00:07
dstanekgyee: deleting the plugin doesn't delete the source of the algorithm.00:08
dstanekgyee: if you don't want a plugin enabled, then you don't enable it. what is the usecase for actually deleting it?00:08
gyeedstanek, what's the reason for deleting s3?00:09
dstanekyes00:09
*** rderose has quit IRC00:10
gyeenow you are confusing me :-)00:10
*** EinstCrazy has joined #openstack-keystone00:10
*** rk4n has joined #openstack-keystone00:11
dstanekgyee: you said you wanted all totp related code in the plugin module so that it can be deleted by a deployer. you've not said what the business case is for deleting anything.00:11
gyeefor some legal reasons, like S300:12
dstanekgyee: i think i see the plugin design differently. i see it as more of an adapter that allows the auth system to use the logic provided by something else.00:13
dstanekgyee: examples of that are our current oauth and mapped plugins00:13
*** EinstCrazy has quit IRC00:14
dstanekgyee: there is no totp code that you'd need to remove from keystone. if the algorithm we used is deemed patented (or whatever) then it would have to be deleted from cryptography - all our code does is call that00:14
gyeethey were meant to be self-contained, like PAM or mod_xyz00:14
*** markvoelker has quit IRC00:15
dstanekgyee: from a design perspective that doesn't make sense00:15
samueldmqdolphm: ping, re: github dotfiles repo00:15
samueldmqdolphm: if I do "git clone --recursive https://github.com/dolph/dotfiles.git ~/dotfiles", for vim the symlink should look like00:16
gyeedstanek, the keystoneauth1 plugins are designed that way too00:16
samueldmqdstanek: ln -s ~/.vim ~/dotfiles/vim00:16
dstaneksamueldmq: you should never take someone's dotfiles verbatim. you should read through and steal what works for you00:17
dstanekgyee: keystone auth plugins don't really do anything00:17
dstanekgyee: what is the design principle for them being self contained?00:18
samueldmqdstanek: makes sense00:18
samueldmqdstanek: my plan was to start with that, and adjust to my needs/preferences as I go00:18
samueldmq:)00:18
*** spandhe has quit IRC00:19
*** vilobhmm11 has quit IRC00:19
*** vilobhmm11 has joined #openstack-keystone00:20
gyeedstanek, optional, on-demand, keep the lawyers happy :-)00:20
dstanekgyee: in my mind this boils down to cohesion. oauth stuff belongs in keystone.oauth1, mapping stuff in keystone.federation, etc. the auth plugins could also live in those packages, but i don't see that as strictly necessary00:20
*** vilobhmm11 has quit IRC00:21
dstanekgyee: optional and on-demand doesn't translate to delete00:21
samueldmqdstanek: but looks like building my own dev env looks more fun00:21
*** vilobhmm11 has joined #openstack-keystone00:21
gyeedstanek, optional is the same as delete00:21
samueldmqdstanek: I want to use NERDTree + some python plugin00:21
dstaneksamueldmq: the problem with starting from someone else's is that you don't know what is actually happening00:22
*** vilobhmm11 has joined #openstack-keystone00:22
samueldmqdstanek: I agree, so hard to fix something when you need00:22
gyeesamueldmq like adventure :-)00:22
dstaneksamueldmq: "why is this mapped to that?"00:23
dstaneksamueldmq: i no longer use the tree stuff and just use unite00:23
dstanekgyee: optional means that you don't have to use it. or if you want you can delete the plugin, but deleting the library code is hard.00:24
dstanekgyee: i don't think we should design for people deleting our code00:24
gyeeoptional means I don't have to ship it and deal with the lawyers00:24
dstanekgyee: that means it should be in a separate package00:25
gyeedstanek, it could00:27
*** spandhe has joined #openstack-keystone00:28
*** rk4n has quit IRC00:41
*** rk4n has joined #openstack-keystone00:42
*** markvoelker has joined #openstack-keystone00:46
*** timcline_ has joined #openstack-keystone00:52
*** fpatwa_ has joined #openstack-keystone00:53
*** timcline_ has quit IRC00:56
openstackgerritClenimar Filemon proposed openstack/keystone: Fix incorrect assumption when deleting assignments  https://review.openstack.org/28269601:07
*** su_zhang has quit IRC01:07
*** su_zhang has joined #openstack-keystone01:07
*** su_zhang has quit IRC01:08
*** su_zhang has joined #openstack-keystone01:08
*** fpatwa_ has quit IRC01:08
*** mylu has quit IRC01:17
*** su_zhang has quit IRC01:28
*** su_zhang has joined #openstack-keystone01:29
*** spandhe has quit IRC01:31
*** su_zhang has quit IRC01:33
*** spandhe has joined #openstack-keystone01:33
*** lhcheng has quit IRC01:39
*** lhcheng has joined #openstack-keystone01:40
*** ChanServ sets mode: +v lhcheng01:40
*** gyee has quit IRC01:46
*** gyee has joined #openstack-keystone01:46
*** ChanServ sets mode: +v gyee01:46
*** fpatwa_ has joined #openstack-keystone01:47
*** fpatwa_ has quit IRC01:47
*** sdake has joined #openstack-keystone01:51
*** timcline_ has joined #openstack-keystone01:53
*** timcline has quit IRC01:53
openstackgerritFangzhou Xu proposed openstack/keystone: Make getting token revocation list 9x faster on Mysql  https://review.openstack.org/28390201:55
*** rk4n has quit IRC01:55
*** sdake_ has joined #openstack-keystone01:55
*** fangxu has joined #openstack-keystone01:55
*** sdake has quit IRC01:56
*** rk4n has joined #openstack-keystone01:56
*** timcline_ has quit IRC01:57
*** dims has quit IRC01:59
*** vilobhmm11 has quit IRC01:59
*** fpatwa_ has joined #openstack-keystone02:00
*** spandhe has quit IRC02:01
*** rk4n has quit IRC02:02
*** vilobhmm11 has joined #openstack-keystone02:03
*** vilobhmm11 has quit IRC02:03
*** vilobhmm11 has joined #openstack-keystone02:03
*** rk4n has joined #openstack-keystone02:05
*** pcaruana has quit IRC02:07
openstackgerritSam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authz  https://review.openstack.org/28390502:08
*** fpatwa_ has quit IRC02:08
*** sdake_ has quit IRC02:10
*** timcline has joined #openstack-keystone02:11
*** vilobhmm11 has quit IRC02:12
*** browne has quit IRC02:16
*** pcaruana has joined #openstack-keystone02:19
*** sdake has joined #openstack-keystone02:20
*** jasonsb has joined #openstack-keystone02:25
*** diazjf has joined #openstack-keystone02:30
*** diazjf1 has joined #openstack-keystone02:33
*** diazjf has quit IRC02:35
*** dan_nguyen has quit IRC02:36
*** sdake has quit IRC02:43
*** fangxu has quit IRC02:45
*** timcline_ has joined #openstack-keystone02:53
*** rk4n has quit IRC02:54
*** timcline_ has quit IRC02:58
*** vilobhmm11 has joined #openstack-keystone02:59
*** pcaruana has quit IRC03:01
*** browne has joined #openstack-keystone03:09
openstackgerritClenimar Filemon proposed openstack/keystone: Fix incorrect assumption when deleting assignments  https://review.openstack.org/28269603:11
*** lhcheng has quit IRC03:12
*** sdake has joined #openstack-keystone03:13
*** dims has joined #openstack-keystone03:13
*** pcaruana has joined #openstack-keystone03:16
*** sdake_ has joined #openstack-keystone03:16
*** sdake has quit IRC03:18
*** fpatwa_ has joined #openstack-keystone03:23
openstackgerritMerged openstack/keystone: Fixes a bug when setting a user's password to null  https://review.openstack.org/28374603:26
openstackgerritMerged openstack/keystone: Renamed TOTP passcode generation function  https://review.openstack.org/28352103:28
*** Nirupama has joined #openstack-keystone03:34
*** mylu has joined #openstack-keystone03:36
*** gyee has quit IRC03:37
openstackgerritMerged openstack/keystone: Fix project-related forbidden response messages  https://review.openstack.org/28332503:42
*** links has joined #openstack-keystone03:46
*** boris-42 has quit IRC03:54
*** timcline_ has joined #openstack-keystone03:54
*** timcline_ has quit IRC03:58
*** pcaruana has quit IRC04:01
*** sdake_ has quit IRC04:01
*** mylu has quit IRC04:02
*** fpatwa_ has quit IRC04:03
*** vilobhmm11 has quit IRC04:04
*** mylu has joined #openstack-keystone04:06
*** mylu has quit IRC04:12
*** lhcheng has joined #openstack-keystone04:15
*** ChanServ sets mode: +v lhcheng04:15
*** pcaruana has joined #openstack-keystone04:15
*** mylu has joined #openstack-keystone04:16
*** richm has quit IRC04:20
*** mylu has quit IRC04:25
*** fangxu has joined #openstack-keystone04:35
*** spzala has joined #openstack-keystone04:37
*** mylu has joined #openstack-keystone04:38
openstackgerritMerged openstack/keystone: Implied roles index with cascading delete  https://review.openstack.org/28192104:40
*** jamielennox is now known as jamielennox|away04:54
*** timcline_ has joined #openstack-keystone04:55
*** fpatwa_ has joined #openstack-keystone04:57
*** timcline_ has quit IRC04:59
*** sdake has joined #openstack-keystone04:59
*** spzala has quit IRC05:09
*** sdake has quit IRC05:14
*** zqfan has joined #openstack-keystone05:20
*** fpatwa_ has quit IRC05:25
*** diazjf1 has quit IRC05:26
*** phalmos has joined #openstack-keystone05:30
*** mylu has quit IRC05:37
*** pcaruana has quit IRC05:38
*** mylu has joined #openstack-keystone05:39
*** phalmos has quit IRC05:43
*** mylu has quit IRC05:45
*** dims has quit IRC05:48
*** pcaruana has joined #openstack-keystone05:53
*** timcline_ has joined #openstack-keystone05:56
*** timcline_ has quit IRC06:00
*** vilobhmm11 has joined #openstack-keystone06:02
*** fawadkhaliq has joined #openstack-keystone06:15
*** openstack has joined #openstack-keystone13:20
*** openstackstatus has joined #openstack-keystone13:21
*** ChanServ sets mode: +v openstackstatus13:21
*** jsavak has joined #openstack-keystone13:22
*** subscope has quit IRC13:24
*** edmondsw has joined #openstack-keystone13:27
*** lhcheng has joined #openstack-keystone13:28
*** ChanServ sets mode: +v lhcheng13:28
*** admin0 has joined #openstack-keystone13:30
*** lhcheng has quit IRC13:32
*** ninag has joined #openstack-keystone13:34
*** ninag has quit IRC13:37
*** ninag has joined #openstack-keystone13:38
*** ninag has quit IRC13:39
*** dims has joined #openstack-keystone13:40
*** ninag has joined #openstack-keystone13:40
*** ninag has quit IRC13:44
*** ninag has joined #openstack-keystone13:44
*** EinstCrazy has joined #openstack-keystone13:47
*** porunov has joined #openstack-keystone13:47
*** timcline_ has joined #openstack-keystone13:49
porunovHello everyone, I am novice and I am trying to pass tutorial "http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html" but without success. I have always the error on this step: "openstack service create  --name keystone --description "OpenStack Identity" identity" "An unexpected error prevent the server from fulfilling your request. (HTTP 500) (Request-ID: req-12dc5717-71b4-4311-87e9-b0cfd4e90837)". Can somebody help me, please?13:51
*** timcline_ has quit IRC13:53
*** gordc has joined #openstack-keystone13:55
dstanekporunov: what's in your log file?13:56
porunovFirst lines INFO about "wsgi" and then a lot of lines ERROR about keystone.common.wsgi. Can I put all log file in chan?14:00
dstanekstevemar: backward compatibility may be hard https://review.openstack.org/#/c/231289/55/keystone/resource/core.py . am i missing something?14:00
patchbotdstanek: patch 231289 - keystone - Projects acting as domains14:00
amakarovdstanek, hi! What do you think about using rally for functional testing?14:00
porunov*chat*14:00
dstanekporunov: no, use paste.openstack.org14:01
dstanekamakarov: why would we do that?14:01
amakarovdstanek, right now it looks like the only gate job that runs in devstack env AND runs the code we can submit in the keystone project itself (as a plugin)14:02
porunovdstanek: there is my keystone.log "http://paste.openstack.org/show/488023/"14:04
dstanekamakarov: we can get a gate job as soon as we have functional tests to run14:04
*** ayoung has quit IRC14:04
dstanekamakarov: actually i want to bring it up at the QA meeting this week so maybe by friday14:05
dstanekporunov: your mysql credentials don't work14:05
dstanekporunov: did you create the user and give it access to the database?14:06
*** Nirupama has quit IRC14:06
amakarovdstanek, so will it be a gate job that runs tests.functional.* in devstack env?14:06
dstanekamakarov: yes14:07
*** petertr7_away is now known as petertr714:11
porunovdstanek: Yes I have created keystone user and gave him all privileges like in tutorial: "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';"14:12
dstanekporunov: try granting using the host from the error message14:13
*** sdake has joined #openstack-keystone14:15
*** jaosorior has quit IRC14:18
*** jaosorior has joined #openstack-keystone14:19
*** woodster_ has joined #openstack-keystone14:20
porunovdstanek: now it returns this: [root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity Missing parameter(s): Set a username with --os-username, OS_USERNAME, or auth.username Set an authentication URL, with --os-auth-url, OS_AUTH_URL or auth.auth_url Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-14:21
porunovdomain-name, OS_DOMAIN_NAME or auth.domain_name14:21
porunovLog file is the same14:22
dancnHello, I am still trying to debug the local tox -r -e py27 failure, due to pkg_resources.ContextualVersionConflict: (fixtures 1.2.0 [...].  This was also reproduced by dolphm in: http://cdn.pasteraw.com/lmvqwv78a8s96ur87a1lnvueurtj9qb The periodic-keystone-python27-kilo job does not seem to be affected by the problem, see: http://logs.openstack.org/periodic-stable/periodic-keystone-python27-kilo/a993507/console.html Since the output of14:26
dancn"py27 installed" is the same in the local and gate, maybe the difference is in some env variable or configuration?  Any suggestion on how to spot the differences or to run tox the same way that is run in the gate?  TIA14:26
dstanekdancn: are you trying to debug to fix or just run the tests to work on something else?14:28
dstanekporunov: do you have the environment vars setup or a clouds.yml?14:28
dancndstanek: both, well for the second I have the workaround, that is to place the testtools line into requirements.txt instead of test-requirements.txt, but I am also interested to find a proper fix14:29
dstanekdancn: i can't reproduce14:30
dstanekwhat OS are you running?14:30
dancndstanek: Ubuntu 14.04.4 LTS14:31
dstanekdancn: are you running on a devstack or just a keystone clone?14:31
dancndstanek: just a keystone clone14:32
dstanekdancn: ok, let me fire up a VM14:32
dolphmdstanek: dancn: i'm running it again after nuking .tox/ and .testrepository/14:33
dolphmaaand repro'd14:33
dstanekdolphm: did the venv get created?14:34
dstanekdancn: you said that 'tox -e py27 --notest' worked, but 'tox -e py27' didn't?14:34
dancndstanek: yes!14:34
marekddolphm: o/14:34
*** EinstCrazy has quit IRC14:35
porunovdstanek: yes, like in tutorial: "export OS_TOKEN=ADMIN_TOKEN" "export OS_URL=http://controller:35357/v3" "export OS_IDENTITY_API_VERSION=3"14:35
marekddolphm: I cannot see Ron online so I thought I'd ask you - so what value is going to be used as a user_id value in a token in patch: https://review.openstack.org/#/c/279162/44/keystone/identity/backends/sql.py14:35
patchbotmarekd: patch 279162 - keystone - Shadow users - Shadow federated users14:35
dancndstanek: thanks for the effort with the vm, my idea was to share a small script to reproduce the problem in a vm, instead of asking others to do manually all the steps... In fact on a bare vm you need to install the dependencies, if you need I have the list here14:35
dolphmmarekd: the top level ID in the plain "user" table14:37
dolphmmarekd: all the other IDs (federated unique ID, and the auto inc integers are internal only)14:38
dolphmdstanek: dancn: --notest doesn't actually install anything does it? it's a total dry run14:40
marekddolphm: so local_user will be local users, federateD_users well...federated users and table user will be used as a union of local and federated users?14:40
dstanekdolphm: it creates the venv and just doesn't run the test command14:40
dstanekdolphm: but it looks like the test command here is failing14:41
dolphmmarekd: not "local" as in local_user, but local as in the real "user" table, yes14:41
marekddolphm: yy, didn't get it. So whenever I will login with a federated access for the first time a new entry will be created in a federated_user table only?14:42
dstanekdancn: i have an ansible role that i just dusted off that should do everything i need14:43
*** rderose has joined #openstack-keystone14:43
dancndolphm: running tox -r -e py27 --notest installs a lot of packages, leaving out the -r seems a no-op, the list in "PlanMeeting" seems the same14:43
dolphmmarekd: you'll get a record in the "user" table (your real user ID that appears in the API), along with a federated_user record14:43
dolphmbut no local_user (with a local username) and no local user password14:44
*** richm has joined #openstack-keystone14:44
dancndstanek: nice, I hope that the ansible stuff does not do some magic :-)14:44
dancndolphm: /PlanMeeting/py27 installed/, sorry14:45
*** ayoung has joined #openstack-keystone14:46
*** ChanServ sets mode: +v ayoung14:46
marekddolphm: ok, so say keystone is validating token for user_id:'abc'. It queries 'user' table for user_id:'abc' and if some more info needed it will do some joins with either local_user or federated_user tables.14:48
*** timcline_ has joined #openstack-keystone14:49
*** roxanaghe has joined #openstack-keystone14:51
*** timcline_ has quit IRC14:54
*** sigmavirus24_awa is now known as sigmavirus2414:58
*** ayoung has quit IRC14:59
*** roxanaghe has quit IRC15:00
*** jsavak has quit IRC15:00
*** jsavak has joined #openstack-keystone15:02
dstanekdancn: what version of tox are you running?15:02
*** LZ has quit IRC15:02
dancndstanek: 2.3.115:02
samueldmqraildo: htruta: this solves the issues in current code for ?cascade15:03
samueldmqhttps://review.openstack.org/#/c/283145/315:03
patchbotsamueldmq: patch 283145 - keystone - Fix/refactor policy check for cascade operations15:03
dancndstanek: I start tox from a minimal virtualenv15:03
samueldmqat least for project scoped tokens, still need to look into other formats15:03
dstanekdancn: you run tox from within a venv?15:03
samueldmqI will send a new patchset for cascade projects updating them with this ^15:04
samueldmqraildo: htruta: okay?15:04
dancndstanek: yes, is this a problem?15:04
dstanekdancn: not sure. but maybe15:04
*** gema has joined #openstack-keystone15:05
dancndstanek, well, I will try a run with the system tox: python-tox (1.6.0-1ubuntu1)15:06
*** henrynash has joined #openstack-keystone15:06
*** ChanServ sets mode: +v henrynash15:06
dstanekdancn: with the system tox i have no issues. the tests are currently running15:09
dancndstanek: the system vs virtualenv tox makes no difference, the error is the same for me!15:10
dstanekdancn: can you reproduce this on a VM and i can jump on?15:10
dolphmmarekd: yes, that's basically it15:11
dancndstanek: it may be possible to allow remote access, but it may involve some bureaucracy on my side, if you can wait, no problem15:13
samueldmqhenrynash: hi!15:13
dolphmanyone know what's up with: /home/dolph/openstack/keystone/.tox/py34/lib/python3.4/site-packages/oslo_db/sqlalchemy/enginefacade15:13
dolphm.py:1056: OsloDBDeprecationWarning: EngineFacade is deprecated; please use oslo_db.sqlalchemy.enginefacade15:13
henrynashsamueldmq: hi15:13
dancndstanek: I have a half-done Vagrantfile that should build a vm with the issue, but I can work on a more generic script15:13
samueldmqhenrynash: I fixed the thing for cascade operations15:13
samueldmqhenrynash: see https://review.openstack.org/#/c/28314515:13
samueldmqhenrynash: new tests I added are now passing15:14
dstanekdancn: i'll take the vagrant file if you have it15:14
samueldmqhenrynash: however we still need to think about federated and trust tokens, I wanted you to think with me about that15:14
henrynashsamueldmq: is this patch what you will base the update/delete patch on?15:14
samueldmqhenrynash: (after you take a look at that patch)15:14
samueldmqhenrynash: I will merge this into them after I have a complete solution15:15
samueldmqhenrynash: so I just update them once :)15:15
dancndstanek: ok, will share the Vagrantfile in an hour or so, thanks for your effort15:15
henrynashsamueldmq: ok, got it…looking now15:15
dstanekdancn: np15:15
*** slberger has joined #openstack-keystone15:16
dstanekhenrynash: did you see my latest comment about the projects as domains review?15:25
henrynashdstanek: yes….15:25
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916215:25
henrynashdstanek: and this is something I had worried about15:25
henrynashdstanek: do you think we need to effectively “map manager calls for projects acting as domains back on to the legacy domain driver calls"?15:26
dstanekhenrynash: i think that patch has several backward incompatibilities for third-party drivers15:26
dstanekhenrynash: it depends on if we care about backward compat. i was just pointing out that there are issues there15:27
henrynashdstanek: so is_domain as attribute already existed in the previous release15:27
henrynashdstanek: but we didn’t use it for anything15:27
dstanekhenrynash: morgan is more passionate about it than i am :-)15:28
dstanekhenrynash: i'm not as worried about the data as i am that the calls are now incorrect15:28
morgandstanek: don't pull me into this:P15:28
henrynashdstanek: where what I have done breaks down is that it would work if they migrated their old data to their project table15:28
*** dims has quit IRC15:29
morganand at this point, i'm not willing to battle it, it's fine if other cores think it is fine15:29
henrynashdstanek: but if they don’t (and, say, their domain calls reference some totally different system to where they store projects)…it breaks15:29
henrynashmorgan, dstanek: it’s a valid concern15:29
*** dims has joined #openstack-keystone15:30
henrynashmorgan, dstanek: the solution (which I did think about) is to map the project calls for projects acting as a domain back into domain driver calls all inside the wrapper15:30
*** jsavak has quit IRC15:31
*** annasort has quit IRC15:31
dstanekhenrynash: thinking about this problem makes me wonder if most of this code should have been in the driver15:31
*** jsavak has joined #openstack-keystone15:32
dstanekhenrynash: i think at the minimum we need to document why we would expect driver writers to do.15:32
*** timcline has quit IRC15:32
dstanekhenrynash: does this code pass the legacy drivers tests?15:32
henrynashdstanek: yes15:32
dstanekhenrynash: hmmm...i would not have expected it to since create_domain isn't called15:33
henrynashdstanek: but the wrapper is still “storing the domain in a project entity”, so just reads it back from there15:34
*** ninag has quit IRC15:34
morgandolphm: yes, the legacyfacade the way we're using it is/was a poor choice: https://review.openstack.org/#/c/257458/ is the long-term fix but there is a shorter term how to get the legacyfacade in a non-deprecated way fix too15:34
patchbotmorgan: patch 257458 - keystone - Use the new enginefacade from oslo.db15:34
*** dims has quit IRC15:34
morgandolphm: that patch also allows [afaik] split reader/writer config ^15:35
dolphmmorgan: cool, thanks15:35
morgandolphm: and while that patch is beastly, it is *mostly* good. maybe some massaging and a rebase and it'll be landable.15:36
henrynashdstanek, morgan: I might have a crack at the making the legacy wrapper re-map the calls to the domain driver calls….which is, I think, the correct solution15:37
dolphmmorgan: possible to land this for m3?15:37
morgandolphm: maybe? might have to ask stevemar15:37
morgandolphm: i don't see a reason why it wouldn't be besides that it is a beastly patch ;)15:38
stevemarmorning!15:38
morganstevemar: morning to you as well15:40
stevemardolphm: i'd love to land it in m315:40
dstanekhenrynash: i'd definitely be interested in at least seeing it15:40
stevemardolphm: but as morgan said, it's a beast of a patch15:40
morgandolphm: looks like there are a couple cleanup comments, pass jenkins, and rebase - if that can be done, woot15:40
stevemari originally wanted to land it in m3, but no one was actively working on it + i checked with the oslo team and the deprecated bits won't be removed in M15:40
*** timcline has joined #openstack-keystone15:45
*** pushkaru has joined #openstack-keystone15:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358515:47
samueldmqraildo: henrynash ^ updated first patch15:47
admin0anyone here that can provide some guidance :)15:48
dancndstanek: running the "vagrant up | tee output" to ensure the reproducibility and save the log I was hit by another bug...  UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 36: ordinal not in range(128) during pip install!  What a fragile env... now trying without tee, hopefully the current try will end soon15:48
admin0i need to upgrade only keystone from icehouse -> liberty ..  is there just some .sql files i need to use for db-sync15:48
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade update  https://review.openstack.org/24358515:48
admin0without going through the whole install upgrade cycle of the whole packages15:48
*** petertr7 is now known as petertr7_away15:50
dolphmstevemar: keystone is throwing at least 3 deprecation warnings - we really shouldn't knowingly ship mitaka with deprecation warnings that deployers cannot address15:50
stevemardolphm: we were throwing that same facade deprecation warning since kilo15:51
morgandolphm: ++15:51
stevemardolphm: but yeah, i would love it if we didn't throw any!15:51
dolphmstevemar: and it's super annoying15:51
stevemardolphm: have a paste of the other 2 ?15:51
dolphmit must not use the versionutils deprecator15:52
dolphmstevemar: http://cdn.pasteraw.com/h1w7vl11hvvpueiw3fdv63ldghe7gs815:52
morgandolphm: i'm trying to rebase that patch now.15:52
dolphmstevemar: i'm generating another one with py2715:52
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: API support for project cascade delete  https://review.openstack.org/24424815:52
dolphmmorgan: does dogpile cache to disk somewhere?15:53
morgandolphm: it can15:53
dolphmmorgan: i'm getting an error running py27 after running py34 that dogpile can't find gdbm15:54
morgandolphm: if you use a DBM or custom file cache15:54
dolphmmorgan: in keystone, by default, outside tox15:54
dolphm*when run with tox*15:54
morgandolphm: uhm... maybe an issue with the python lib?15:54
dolphmmorgan: http://cdn.pasteraw.com/ikn22952390f21s4hmjwg4st98dbds915:54
morganwe're not failing gate on everything ... soo *shrug*15:55
morganbut yes, dogpile can cache to disk15:55
*** jaosorior has quit IRC15:55
morganoh15:55
morganTHAT bug15:55
morganthats testrepository15:55
dolphmlol?15:55
dolphmoh, so delete it?15:55
morganyep and tox -epy34 -r15:55
morgani think i needed to rebuild my venv too15:55
*** petertr7_away is now known as petertr715:57
*** daemontool has quit IRC15:57
samueldmqhenrynash: abandoned https://review.openstack.org/#/c/283145/ in favor of putting the logic in the patch implementing the functionality15:57
patchbotsamueldmq: patch 283145 - keystone - Fix/refactor policy check for cascade operations (ABANDONED)15:57
henrynashsamueldmq: ok…looking at the combined patch now15:58
samueldmqhenrynash: but I replied your comments there before abandoning, please take a look at my replies15:58
samueldmqhenrynash: ^15:58
dolphmstevemar: also, sampleconfig is failing with a bunch of sqlalchemy warnings15:58
dolphmerr, genconfig whatever it's called15:58
*** admin0 has quit IRC15:59
samueldmqhenrynash: we still need tests for domain scoped tokens; and to think about trusts and federated authz16:00
*** daemontool has joined #openstack-keystone16:02
morgandolphm: ok almost done rebasing that enginefacade change.16:02
morgandolphm: will push an update as soon as it's done.16:02
morgandolphm: hopefully it can pass gate, if so we can make stevemar review it and +2 it ;)16:02
*** dims has joined #openstack-keystone16:03
henrynashsamueldmq: just added the comment about domain scoped tokens!16:03
stevemardolphm: it worked a week ago...16:03
morganstevemar: i hope it's just a rebase.16:03
*** tomoiaga has quit IRC16:03
morganstevemar: but... we'll see.16:03
morgan~10 merge conflicts16:04
dolphmmorgan: oh sweet16:04
*** phalmos has joined #openstack-keystone16:05
samueldmqhenrynash: replying my view in a bit16:05
stevemardolphm: i ran tox -e genconfig from a cloned master and no issue16:06
stevemardolphm: you trying to scare me?16:06
samueldmqhenrynash: replied, I agree with you16:07
samueldmqhenrynash: what about federated tokens and/or trust scoped tokens?16:07
*** phalmos has quit IRC16:08
*** browne has joined #openstack-keystone16:08
henrynashsamueldmq: hmm, that’s harder!16:08
samueldmqhenrynash: yes, but ..16:09
samueldmqhenrynash: I based that logic for building creds on https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L5916:10
stevemarsamueldmq: henrynash you guys talking about reseller or project delete?16:10
henrynashsamueldmq: wouldn’t a trust just be the same as a regular token?16:10
henrynashstevemar: project delete16:10
samueldmqhenrynash: for trusts should just copy https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L82-L8616:10
samueldmqstevemar: cascade16:10
samueldmqhenrynash: that's easy, it's basically to build the creds from the existing info, based on the method token_to_auth_context16:11
samueldmqhenrynash: I mean, should be easy16:11
samueldmqstevemar: https://review.openstack.org/#/c/243585/23/keystone/common/controller.py16:11
patchbotsamueldmq: patch 243585 - keystone - API support for project cascade update16:11
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916216:11
morgandolphm: need to run tox a second time through, but otherwise this looks good.16:12
samueldmqstevemar: it's now truly enforcing policy for each subproject in the tree16:12
stevemarhenrynash: samueldmq why would federation and trusts affect project cascade16:12
morgandolphm: and fixing 2-3 minor test failures16:12
samueldmqstevemar: we just need to make sure trust and federated tokens work too16:12
samueldmqstevemar: because in my current proposal, I only took care about regular proj scoped tokens16:12
samueldmqstevemar: and then I built creds similarly16:12
henrynashsamueldmq: hmm…maybe not, can’t a trust delegate just some of the roles a trustor has on a given project….we couldn’t then assume they can have ALL the roles on a subproject16:13
samueldmqhenrynash: hmm, you're correct, if you have a trust scoped token in project X16:13
samueldmqit doesn't mean you can have a trust scoped token in the children16:14
*** annasort has joined #openstack-keystone16:14
samueldmqhenrynash: so maybe we should just look for regular assignments (as we're doing today?)16:14
morgandolphm: related to testrepository, i am surprised it uses a shared .testrepository location across python versions =/ it probably should isolate16:14
*** annasort_ has joined #openstack-keystone16:15
henrynashsamueldmq: I *could* argue the case that, in the limit, what we are doing for regular projects is too much…e.g. what if I build an auth plugin that did MFA for different projects or levels of the hierarchy...16:15
samueldmqhenrynash: yeah, maybe we can't guess what kind of auth can be done in the children16:16
samueldmqhenrynash: maybe a new policy entry could be the simpler solution? we need to think a bit more carefully about this16:17
henrynashsamueldmq: i.e. the assumption that if I can get a scoped token to project X, that I could therefore get a token to a subproject of X (with all the existing role assignments) may not be sound16:17
samueldmqhenrynash: stevemar: sorry I need to go afk for a bit16:17
samueldmqcatch on you later16:17
henrynashsamueldmq: ok16:18
*** spandhe has joined #openstack-keystone16:18
stevemarsamueldmq: see ya16:18
*** annasort has quit IRC16:19
*** annasort_ is now known as annasort16:19
*** ayoung has joined #openstack-keystone16:20
*** ChanServ sets mode: +v ayoung16:20
openstackgerritMorgan Fainberg proposed openstack/keystone: Use the new enginefacade from oslo.db  https://review.openstack.org/25745816:20
morgandolphm, stevemar: ^16:20
morganrebase and removed the "unrelated" changes16:20
*** spandhe has quit IRC16:22
dolphmstevemar: output from my py27 run btw http://cdn.pasteraw.com/kszk6dye3zolws01npnrmisly6m147a16:27
dolphmmorgan: sweet16:27
*** dan_nguyen has joined #openstack-keystone16:28
*** belmoreira has quit IRC16:31
*** bjornar__ has joined #openstack-keystone16:32
*** jsavak has quit IRC16:34
*** jsavak has joined #openstack-keystone16:34
*** v1k0d3n has joined #openstack-keystone16:36
stevemardolphm: for another message: https://review.openstack.org/#/c/284242/16:37
patchbotstevemar: patch 284242 - oslo.log - use log.warning instead of log.warn16:37
*** petertr7 is now known as petertr7_away16:38
*** fawadkhaliq has joined #openstack-keystone16:38
stevemardolphm: don't know how to fix that oslo_middleware.ssl warning...16:38
openstackgerritBrant Knudson proposed openstack/keystone: Move admin_token_auth before build_auth_context in sample paste.ini  https://review.openstack.org/28137216:38
morganstevemar: is that the urllib one?16:39
*** jsavak has quit IRC16:39
*** afred312 has joined #openstack-keystone16:39
morganbasically you can monkeypatch16:39
morganthere is an infra lib to help with it...but,..16:39
*** jsavak has joined #openstack-keystone16:39
morganuh16:39
morganugh16:39
stevemarmorgan: nope16:40
stevemarmorgan: oslo_middleware/ssl.py:28: DeprecationWarning: The 'oslo_middleware.ssl' module usage is deprecated, please use oslo_middleware.http_proxy_to_wsgi16:40
morganoh16:40
morganjoy16:41
stevemarbut i don't see where we're using that...16:41
morganremove oslo.middleware things from keystone ;)16:41
morganrequest_id?16:41
stevemarpossibly16:41
morgansize_limit middleware?16:41
stevemarwe only have it in size limit and request id16:41
stevemardhellmann / dims ^ know where that comes from?16:41
*** 32NAAC6RR has quit IRC16:42
stevemari guess i could use codesearch :)16:42
morganstevemar: yep16:42
stevemarmaybe its coming from something else16:42
morgancodesearch ++16:42
*** gyee has joined #openstack-keystone16:43
*** ChanServ sets mode: +v gyee16:43
*** diazjf has joined #openstack-keystone16:44
*** lbragstad_ has joined #openstack-keystone16:45
*** jistr has quit IRC16:45
stevemarmorgan: i think it's coming from init.py?16:45
*** petertr7_away is now known as petertr716:45
*** vilobhmm11 has joined #openstack-keystone16:46
*** lbragstad_ has quit IRC16:47
*** timcline_ has joined #openstack-keystone16:51
*** timcline_ has quit IRC16:55
*** Guest51435 is now known as mgagne16:56
*** mgagne has quit IRC16:56
*** mgagne has joined #openstack-keystone16:56
*** lbragstad has quit IRC16:58
*** lbragstad_ has joined #openstack-keystone16:58
*** lbragstad_ has left #openstack-keystone16:59
*** lbragstad_ has joined #openstack-keystone16:59
*** dims has quit IRC17:00
*** lbragstad_ has quit IRC17:00
*** lbragstad has joined #openstack-keystone17:02
*** ninag has joined #openstack-keystone17:02
*** dims has joined #openstack-keystone17:03
*** petertr7 is now known as petertr7_away17:04
*** jsavak has quit IRC17:05
*** jsavak has joined #openstack-keystone17:06
*** belmoreira has joined #openstack-keystone17:06
arunkantdims: ping17:07
*** jorge_munoz has joined #openstack-keystone17:07
dimsarunkant : pong17:07
arunkantdims: Hi..can you please look into review: https://review.openstack.org/#/c/279828/ . I have made the changes as per earlier discussion and tested them.17:08
patchbotarunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...17:08
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916217:11
dimsarunkant : almost there, some minor tweaks17:16
arunkantdims: thanks. I will make those changes.17:17
*** mvk has quit IRC17:22
*** edmondsw has quit IRC17:23
arunkantdims: One clarification around topic. Do we need to have topics as there is only one notification driver..Notifier api only takes one topic http://git.openstack.org/cgit/openstack/oslo.messaging/tree/oslo_messaging/notify/notifier.py#n14617:23
*** gyee has quit IRC17:25
dimsarunkant : i believe it kicks in here - http://git.openstack.org/cgit/openstack/oslo.messaging/tree/oslo_messaging/notify/messaging.py#n4417:26
morganstevemar: i think the sql facade is going to pass.17:27
stevemarmorgan: probably, i don't think that was the complete fix to remove all the deprecation warnings though17:27
morganbut it paves the way to eliminate the sql ones17:28
morganat the very least very close comparatively17:28
*** admin0 has joined #openstack-keystone17:31
*** spandhe has joined #openstack-keystone17:34
*** josecastroleon1 has quit IRC17:34
*** jasonsb has quit IRC17:39
*** admin0 has quit IRC17:39
openstackgerritBrant Knudson proposed openstack/keystone: Reference config values at runtime  https://review.openstack.org/28384217:40
*** spzala has quit IRC17:42
*** spzala has joined #openstack-keystone17:42
*** spzala has quit IRC17:43
morganstevemar: want to hold on the +A on the enginefacade change when it passes or push it through?17:43
*** spzala has joined #openstack-keystone17:43
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982817:43
*** petertr7_away is now known as petertr717:45
*** nllrte has joined #openstack-keystone17:46
stevemarmorgan: lemme see17:46
morganstevemar: it's a big change but it touches enough that rebase is not going to be friendly17:47
*** edmondsw has joined #openstack-keystone17:47
nllrtehi, does keystone store LDAP names somewhere in its database when using LDAP as the auth backend??17:47
morganand it should remove the enginefacade deprecation warnings.17:47
stevemarnllrte: nope, gets it from backend17:48
*** admin0 has joined #openstack-keystone17:48
stevemarmorgan: let me look over it once again17:48
nllrtestevemar: so each time I do openstack user show and it return the name field, it's banging on LDAP for that info?17:48
morgannllrte: yep, unless you have caching enabled, which it'll use cached values.17:49
morgannllrte: enabled+configured that is17:49
stevemarnllrte: i believe so, its recommended to use caching and ldappool for better performance17:49
*** admin0 has quit IRC17:50
nllrtehmm...that would explain why our LDAP cluster is constantly overwhelmed with requests coming from keystone17:51
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982817:51
nllrtethanks stevemar and morgan17:51
*** timcline_ has joined #openstack-keystone17:52
*** knikolla has joined #openstack-keystone17:52
stevemarmorgan: so we just rebased that change, we didn't make any of the changes that zzzeek suggested, right?17:52
stevemarmorgan: i assume you are of the opinion that those can be fixed up later?17:52
morganstevemar: correct17:52
stevemarand getting rid of deprecation warnings is more important at this point17:53
stevemarokay17:53
stevemari can dig it17:53
arunkantdims: Notifier expects single topic as per http://git.openstack.org/cgit/openstack/oslo.messaging/tree/oslo_messaging/notify/notifier.py#n178 . So does not look like I can use list opt for topic.17:53
*** lhcheng has joined #openstack-keystone17:55
*** ChanServ sets mode: +v lhcheng17:55
*** petertr7 is now known as petertr7_away17:55
dancndstanek: well now I have a completely different error... I am almost lost... Anyway in the virtualenv the tests run correctly.   Here is my Vagrantfile: http://paste.openstack.org/show/488065/ the head of the output at http://paste.openstack.org/show/488068/ (see the new error at 18:46:49) I will go home in a few mins, if you have some early question please ask, if not see you tomorrow and thanks again17:55
*** timcline_ has quit IRC17:56
*** gyee has joined #openstack-keystone17:58
*** ChanServ sets mode: +v gyee17:58
*** admin0 has joined #openstack-keystone17:59
*** henrynash has quit IRC17:59
dimsarunkant : looks like we have to fix oslo_messaging18:01
*** sigmavirus24 is now known as sigmavirus24_awa18:01
*** admin0 has quit IRC18:02
arunkantdims: yes. I have made changes as per review comments. Please check.18:02
dstanekdancn: that timestamp isn't in the paste18:03
morganstevemar: you should poke devstack folks to land https://review.openstack.org/#/c/283231/1 so we can drop eventlet18:03
patchbotmorgan: patch 283231 - openstack-dev/devstack - Fix uwsgi keystone18:03
morganstevemar: since that looks to be the fix for our uwsgi job18:03
dancndstanek: let me check if all the output is there18:04
*** diazjf has quit IRC18:04
dancndstanek: it was cut... not sure why, let me upload the next part18:05
*** fangxu has quit IRC18:05
stevemarmorgan: i think i'll drop eventlet in N, too late at this point18:06
stevemar:(18:06
morganstevemar: well you could drop the non-vote job at least cause... it's the slowest part of keystone's check queue ;)18:06
morganif uwsgi is running18:06
morganthat is18:06
*** porunov has quit IRC18:07
morganstevemar, dolphm, dstanek: db enginefacade is gating18:10
dstanekmorgan: nice18:11
morganrderose: sorry for the rebase ick coming your way :(18:11
morganrderose: ^ cc18:11
dancndstanek: after few paste of partial output (without any warning from the site) the interesting part is at: http://paste.openstack.org/show/488072/ error is at "18:46:49 O: ==> default: ERROR:   py27: could not install deps" and few lines the tox in the venv starts correctly18:12
dancndstanek: also now also finished correctly18:14
dstanekdancn: the docutils thing is sort of interesting, but it looks like no conflict18:15
dimsarunkant : will this work for you? https://review.openstack.org/#/c/284330/1/oslo_messaging/notify/notifier.py18:16
patchbotdims: patch 284330 - oslo.messaging - Allow Notifier to have multiple topics18:16
dancndstanek: sure, that is the reason of my surprise, no more conflict but another problem... tomorrow I will try to diff again the 'py installed' output, best18:17
dstanekdancn: looks like it actually created the venv and ran the test though18:18
daemontool stevemar or anyone can I have some help with http://paste.openstack.org/show/488073/18:19
daemontoolgetting issues with saml2 federation, mellon and mappings18:19
dancndstanek: yes, the system tox fails with the docutils problem (where I was expecting the conflict), the tox in the venv run correctly (where I was expecting the same conflict)18:19
daemontoolstevemar,  this is the json mapping http://paste.openstack.org/show/488074/18:20
dstanekdancn: it may be that the system tox is just too old. so when you run with a modern tox all is good?18:20
dancndstanek: in this newborn vm seems so18:21
daemontoolstevemar,  saml xml response with attributes only> http://paste.openstack.org/show/488075/18:22
dstanekdancn: i suspected it was just an issue with your other vm. so now you can just go ahead and develop :-)18:22
dancndstanek: I can not think of some reasonable cause for the different error in the older vm, since the setup was made in the same way... anyway yes, let's move on!  Thanks again18:23
*** belmoreira has quit IRC18:23
*** jsavak has quit IRC18:23
*** fhubik has joined #openstack-keystone18:23
*** jsavak has joined #openstack-keystone18:24
stevemardaemontool: looks like you need a group to dump all your federated users into18:24
stevemardstanek: we were just holding off to see what jenkins said about the enginefacade patch18:25
*** fhubik has quit IRC18:25
stevemarmorgan: dstanek dolphm we sure that fixed the deprecation warnings? http://logs.openstack.org/58/257458/5/check/gate-keystone-python34/a339e4d/console.html seeing a lot of them here18:26
daemontoolstevemar, ok18:26
daemontoolty18:26
stevemardaemontool: we have a few examples here: http://docs.openstack.org/developer/keystone/mapping_combinations.html#mappings-examples18:27
*** diazjf has joined #openstack-keystone18:27
morganstevemar: we may need to make something lazy, but it's 100 hits in that file fwiw18:27
stevemargenerally speaking, you need a group to dump all your federated users into18:27
morganstevemar: so, it is likely isolated and test specific18:27
stevemarmorgan: 100? i saw 600+18:28
morganah misread the search18:28
stevemar"EngineFacade is deprecated; please use oslo_db.sqlalchemy"18:28
morganyeah18:28
dimsLOL18:28
morganthis was required anyway.18:28
morganstevemar: couldn't fix that error w/o this change anyway18:28
stevemaryep18:28
stevemari get that18:29
stevemarmorgan: do you know where this new one is coming from? i can post a quick patch18:29
morganlooking18:29
morganstevemar: that might be from oslo.db itself18:30
stevemarwut18:30
morganaha18:32
morganwtf..18:32
morganfound it18:32
stevemarhehe18:32
stevemardont leave me in suspense18:32
morganstevemar:  look for keystone.common.sql.[core.].get_engine and .get_session18:33
morganthose are the legacy facades18:33
morganit's used in _sync_common_repo, _sync_extension_repo, get_db_version18:33
morganand in the database fixture18:33
morganand uh 2 tests in test_sql_upgrade18:33
morganthe database fixture is the bulk of the issue18:34
stevemarbknudson: i'll never be this funny ever again on twitter18:34
bknudsonstevemar: the expectations are now very high18:34
stevemarbknudson: gorram reavers18:34
stevemarbknudson: i've peaked18:34
stevemari can't top it18:35
morganstevemar: so fix test_sql_upgrade and the DB fixture and the warnings go away18:36
morganstevemar: this only affects our unit tests18:36
morganstevemar: so we solved the "run in production" warnings18:36
stevemar\o/18:36
stevemarlet me poke around then18:37
morganin ~25 mins it should land btw18:37
*** jsavak has quit IRC18:37
*** jsavak has joined #openstack-keystone18:38
*** josecastroleon has joined #openstack-keystone18:39
stevemaryep18:39
daemontoolstevemar,  I've added the groups, but I'm getting the same error http://paste.openstack.org/show/488077/18:41
daemontoolquite stuck on this :(18:41
daemontoolstevemar,  solved :)18:42
stevemardaemontool: woo hoo18:42
stevemardaemontool: i was just opening all your links18:42
stevemardaemontool: a slight mapping change?18:43
daemontoolstevemar,  http://paste.openstack.org/show/488078/ remote type changed to MELLON_id18:44
daemontoolthat var is taken from mellon, it's an env var18:44
*** mylu has joined #openstack-keystone18:44
daemontoolI've been 2 days on this....18:45
daemontoolty anyway :)18:45
stevemardaemontool: it's pretty common for the apache plugins to prefix things :|18:45
daemontoolmellon add MELLON_ prefix to all the fields that came from the assertion data18:45
daemontoolwell good to know :)18:46
daemontoolthat needs to be added to the mappings18:46
daemontoolon remote18:46
*** spzala has quit IRC18:46
*** spzala has joined #openstack-keystone18:46
*** fangxu has joined #openstack-keystone18:48
daemontooland now I'm going home, bye :P18:50
*** timcline_ has joined #openstack-keystone18:52
stevemardaemontool: see ya18:54
*** sdake has quit IRC18:55
*** daemontool has quit IRC18:55
*** timcline_ has quit IRC18:56
*** jsavak has quit IRC18:58
*** ninag has quit IRC18:59
openstackgerritSteve Martinelli proposed openstack/keystone: Update default domain's description  https://review.openstack.org/28138118:59
*** ninag has joined #openstack-keystone19:00
dimssileht : dhellmann : this look ok? https://review.openstack.org/#/c/284330/ i can add tests if its worth it. it was noticed by arunkant in https://review.openstack.org/#/c/279828/ over in keystone channel19:00
patchbotdims: patch 284330 - oslo.messaging - Allow Notifier to have multiple topics19:00
patchbotdims: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...19:00
openstackgerritSteve Martinelli proposed openstack/keystone: Update default domain's description  https://review.openstack.org/28138119:01
*** josecastroleon has quit IRC19:09
*** sdake has joined #openstack-keystone19:09
dolphmrderose: dstanek: do we have a test suite somewhere where we could show that you can assign roles and group memberships to shadowed federated users?19:11
*** browne has quit IRC19:11
*** sigmavirus24_awa is now known as sigmavirus2419:11
*** petertr7_away is now known as petertr719:12
openstackgerritMerged openstack/keystone: Use the new enginefacade from oslo.db  https://review.openstack.org/25745819:14
rderosedolphm: no, currently not and that's something I wanted to talk to you about19:15
*** rodrigods has quit IRC19:16
lbragstadmorgan you had a string of patches around for the request local caching stuff, right?19:16
*** rodrigods has joined #openstack-keystone19:16
lbragstadmorgan or did that merge?19:16
morganlbragstad: they need to be rebased19:16
morganlbragstad: https://review.openstack.org/#/c/272007/ and https://review.openstack.org/#/c/277198/ but that second one needs to work like19:17
patchbotmorgan: patch 272007 - keystone - Use requst local in-process cache per request19:17
patchbotmorgan: patch 277198 - keystone - Default caching to on for request-local caching.19:17
morganlbragstad: the new oslo_config thing19:17
ayoungDoes anyone actually understand our logging setup?19:17
rderosedolphm: allowing concrete role assignments for federated users, I have planned in a separate patch.  But again, wanted to discuss with you first.19:18
lbragstadmorgan ok - is that something we want to land before m-3?19:18
morganlbragstad: sec19:18
dolphmrderose: i haven't totally reviewed this patch yet - is that not supported yet?19:18
rderosedolphm: would you have time to meet on shadow users tomorrow?19:18
dolphmrderose: let's talk now19:18
rderosedolphm: okay19:18
ayoungJust got a downstream bug reported, and it seems to be something people are hitting upstream, but no one has reported it.  Not sure if it is Keystone or oslo.config:19:18
ayoung/bin/sh -c "keystone-manage db_sync" keystone19:19
ayoungWe get error19:19
ayoungNo handlers could be found for logger "oslo_config.cfg"19:19
ayoungthen workaround seems to be setting verbose = False in the config file19:19
rderosedolphm: in this patch, I'm only shadowing federated users.  I haven't refactored the code to support concrete role assignments.19:19
*** ninag has quit IRC19:19
rderosedolphm: was thinking that could  be a separate patch19:20
*** belmoreira has joined #openstack-keystone19:20
rderosedolphm: and I'm thinking that this might be a good stopping point for mitaka319:21
ayoungdolphm, rderose, who decides if it is OK to link two credentials to the same user? And what happens if a user gets deactivated?19:21
dolphmrderose: what is left to do to support role assignments?19:22
dolphmrderose: also agree on scope for mitaka19:22
*** jsavak has joined #openstack-keystone19:22
ayoungfor example, lets say I have an account from saml.redhat.com on RAX.  Then, I log in from home using Google credentials.  I assume that the two accounts are going to be kept separate.19:23
stevemarreview request for https://review.openstack.org/#/c/281381/419:23
patchbotstevemar: patch 281381 - keystone - Update default domain's description19:23
stevemardolphm: rderose i agree, that is a good stopping point for mitaka19:24
rderosedolphm: regarding what's left, let me research this some more and get back to you.  as I recall there were several places where ephemeral was being checked and likely need some refactoring in each case.19:25
dolphmrderose: ah, hrm. can you start with a functional test?19:26
openstackgerritBrant Knudson proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/23128919:26
rderoseayoung: if a user gets deactivated, then they shouldn't be able to access via federation19:27
rderosedolphm: hrm??19:27
dolphmrderose: lol, "hrm" as in a surprised "hmm"19:28
dolphmhttp://www.urbandictionary.com/define.php?term=hrm19:28
rderosedolphm: :)  sure I can start with a test (and you mean a unit test, right?)19:28
dolphmrderose: i'd just prefer as close to the HTTP API as possible as this is the basic use case we're chasing19:29
rderosedolphm: ah, so changing the API?19:30
dolphmrderose: no no, just exercising it with a new use case19:30
lbragstadbknudson I know you just opened https://bugs.launchpad.net/keystone/+bug/1549371 and it says "In Progress".19:32
openstackLaunchpad bug 1549371 in OpenStack Identity (keystone) "Deprecation message when using default keystone-paste.ini" [Medium,In progress] - Assigned to Brant Knudson (blk-u)19:32
rderosedolphm: sorry, you mean to create a functional test as close to the HTTP API as possible19:32
*** jsavak has quit IRC19:33
lbragstadbknudson it's also targeted to m-3, you don't have a patch up for review yet do you (if so, I was going to review it)?19:33
bknudsonlbragstad: I do have a patch up.19:33
bknudsonI thought there was a bot that updated the bug?19:33
lbragstadbknudson ah - strange. it wasn't linked in the bug report19:33
bknudsonlbragstad: https://review.openstack.org/#/c/281372/19:34
patchbotbknudson: patch 281372 - keystone - Move admin_token_auth before build_auth_context in...19:34
dolphmrderose: yes19:34
rderosedolphm: got it19:35
dolphmrderose: i don't know what our tests look like around federation though - we certainly don't stand up mod_shib and pass it saml docs in our own test suite, but that'd be the ultimate test (assigning roles to the resulting identity).19:35
*** browne has joined #openstack-keystone19:37
dolphmrderose: authenticate via saml -> get back a user ID -> have an admin user directly assign that user a role in a project -> have the federated user get a token for the project -> show that it's a regular, non-federated token that contains the assigned tenant + role pair19:37
lbragstadbknudson admin_token_auth is deprecated regardless of it being before or after build_auth_context, right?19:37
bknudsonlbragstad: admin_token_auth is deprecated?19:38
dolphmi think it was just undeprecated19:38
bknudsonI don't get a message saying admin_token_auth is deprecated when I start keystone using devstack19:38
lbragstadbknudson ah - nevermind.. I read that wrong19:38
bknudsonI get a message saying it's unsafe to use admin_token_auth19:39
lbragstadI missed this part "Update keystone-paste.ini so that admin_token_auth is before build_auth_context in the paste pipelines."19:39
lbragstadthe entire deprecation message is kind of misleading. Only because it seems to suggest two different things.19:39
rderosedolphm: sounds good.  and just so we are on the same page, this would be in the next patch for create concrete role assignments, correct?19:39
rderose*creating19:40
bknudsonlbragstad: hrm, maybe it can be cleaned up19:40
lbragstadbknudson as an operator should I remove admin_token_auth or should I just move it in the pipeline?19:40
bknudsonI guess we say hrm now.19:40
dolphmrderose: you can work it in a separate patch, but i'm also not clear on how much extra work is involved to make the test pass. if it's not much, we can decide to merge it into one patch later19:40
*** fawadkhaliq has quit IRC19:40
rderosedolphm: sounds good19:40
bknudsonlbragstad: you might not be able to remove admin_token_auth because your apps use it19:40
lbragstadbknudson hm - so then this would scare me " Deprecated: Auth context checking for the admin token is deprecated as of the Mitaka release and will be removed in the O release."19:41
dolphmrderose: i'd also be hesitant to merge the current patch without such a test passing in at least a subsequent commit19:41
dolphmrderose: happy to see the current patch stabilize though - less churn is better there at this point :P19:41
bknudsonlbragstad: y, probably, since you're probably not aware what auth context is and how it's different from admin_token_auth...19:42
lbragstadbknudson right19:42
rderosedolphm: thanks, me too.  let me investigate how much work is needed and get back to you.19:42
rderoseayoung: I haven't thought through all of the account linking scenarios, but if a user is deactivated (enabled == false), then authentication should fail19:42
lbragstadbknudson unless the term "admin token" is referring to something other than "admin_token_auth"?19:43
bknudsonlbragstad: but the instructions for how to fix it are clear?19:43
rderoseayoung: the current implementation would support this19:43
ayoungrderose, who can decide to link two accounts?19:43
bknudsonlbragstad: yes, admin token is different from admin_token_auth19:43
dolphmayoung: question for newton :P19:43
ayoungrderose, are we not supporting that in Mitaka?19:43
rderoseayoung: no19:43
dolphmayoung: correct, not at all in mitaka19:43
ayoungdolphm, rderose ok.  I think there might be some trickiness there, glad to have time to sort it19:44
*** mylu has quit IRC19:44
*** mylu has joined #openstack-keystone19:44
*** mylu has quit IRC19:46
lbragstadbknudson left a comment - https://review.openstack.org/#/c/281372/219:48
patchbotlbragstad: patch 281372 - keystone - Move admin_token_auth before build_auth_context in...19:48
*** ninag has joined #openstack-keystone19:48
*** mylu has joined #openstack-keystone19:48
ayoungmorgan, dolphm, starting to look at  Fernet-default again.  test_revoke_by_audit_chain_id_chained_token fails, but it looks like it was never exposed to the outside world. Am I correct in understanding that there is not enough info in the signed body of the token to support revoke by chained audit ids?  Is it ok to comment out that code for now?19:48
dolphmjorge_munoz: ^19:49
dolphmjorge_munoz: oh nvm, i saw "chained" and thought trusts19:49
dolphmayoung: both audit IDs should be included in Fernet19:50
*** petertr7 is now known as petertr7_away19:50
*** henrynash has joined #openstack-keystone19:50
*** ChanServ sets mode: +v henrynash19:50
ayoungdolphm, so we can fix that one?  OK...I'll look in to it19:50
*** ninag has quit IRC19:52
*** timcline_ has joined #openstack-keystone19:53
*** ninag has joined #openstack-keystone19:53
openstackgerritBrant Knudson proposed openstack/keystone: Move admin_token_auth before build_auth_context in sample paste.ini  https://review.openstack.org/28137219:55
bknudsonlbragstad: ^ how's that?19:55
*** petertr7_away is now known as petertr719:55
lbragstadbknudson works for me19:57
lbragstadbknudson thanks!19:57
bknudsonno problem19:57
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users  https://review.openstack.org/27916219:57
*** timcline_ has quit IRC19:57
dolphmrderose: did you look at that patch i said would conflict with shadow users earlier?19:58
rderosedolphm: I did and fixed the conflict19:58
dolphmrderose: i left a bunch of comments on the last patchset too19:58
rderosedolphm: didn't see those, looking now19:59
rderosedolphm: The current mapped auth plugin gets an "id" and "name" as input, which I am mapping to "unique_id" and "display_name" in the federated_user table.20:00
stevemarrderose: it's looking good20:01
dolphmmorgan: weren't you working on keystone-manage bootstrap somewhere?20:01
rderosestevemar: thanks :)20:01
stevemardolphm: whats the issue with it?20:01
morgandolphm: uhm, define working on it?20:01
morganDevstack uses it now ;)20:01
rderosedolphm: should we change the api to support unique_id and display_name?20:01
morganIt probably could use improvements but it def covers MVP atm20:02
dolphmmorgan: don't recall; i thought i looked at a patch regarding it a couple days ago20:02
dolphmrderose: which API?20:02
morganNot from me.20:02
stevemardolphm: you dreaming20:03
rderosedolphm: good question, I assume there is a user api out there for federation that allows id and name as input20:03
rderosedolphm: and since unique_id and display_name are new, we would need to update the api some where :)20:04
rderosedolphm: to let the client know these are now required.  Or, as I said, are we mapping id to unique_id and name to display_name?20:05
dolphmmorgan: attach request local caching patch to https://bugs.launchpad.net/keystone/+bug/1259827 ?20:05
openstackLaunchpad bug 1259827 in OpenStack Identity (keystone) "keystone execute SQL statements so many times?" [Medium,Triaged] - Assigned to David Stanek (dstanek)20:05
dolphmrderose: is that not the "setup_username()" method?20:06
dolphmrderose: the mapping is that "api" i suppose, we wouldn't / shouldn't be impacting how you write your mapping20:06
rderosesetup_username just maps a username to id and/or name depending on what the client passed in20:07
dolphmthe same output is required from mapping, we just do something new with the resulting data (lookup or create a shadow user)20:07
dolphmrderose: isn't that code called after the mapping engine is called?20:07
*** petertr7 is now known as petertr7_away20:08
rderosedolphm: sorry, by mapping I just mean that take an id or username passed in from the client and sets the user.id, user.name values20:09
dolphmrderose: how are they passed in?20:10
*** jsavak has joined #openstack-keystone20:10
rderosedolphm: through mapped authentication, from the context20:11
dolphmstevemar: any chance you have a link to that tempest + keystone bug about how repeated runtimes of tempest get slower and slower because the revocation table fills up?20:11
*** zqfan has quit IRC20:12
dolphmrderose: the client in that case is mod_shib / mod_mellon handling a SAML doc20:12
openstackgerritSam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authz  https://review.openstack.org/28390520:12
dolphmrderose: the results are passed through CGI / WSGI environment variables20:12
*** slberger has quit IRC20:13
rderosedolphm: ahhh20:13
rderosedolphm: okay, so should I assume the id passed in from mod_shib... is the unique_id and name is the display_name?20:15
dolphmrderose: that is my thinking, yes20:15
rderosedolphm: cool20:15
dolphmrderose: but the setup_username() code has some wonky edge cases where ID might not be passed in (i swear it was the one thing we mandated), etc, so it tries to handle all those cases20:16
* dolphm steps away for a bit20:16
samueldmqhenrynash: hi, still about ?cascade thing20:17
samueldmqhenrynash: have you thought more about it?20:18
*** gordc has quit IRC20:18
morgandolphm: sure on adding it to that bug20:19
*** mylu has quit IRC20:20
*** henrynash has quit IRC20:20
*** mylu has joined #openstack-keystone20:22
*** fangxu has quit IRC20:24
*** fangxu has joined #openstack-keystone20:26
*** rk4n has quit IRC20:26
*** petertr7_away is now known as petertr720:31
*** jsavak has quit IRC20:32
*** timcline_ has joined #openstack-keystone20:33
*** JBenson has joined #openstack-keystone20:36
*** jsavak has joined #openstack-keystone20:36
*** spzala has quit IRC20:40
*** rderose has quit IRC20:46
*** gordc has joined #openstack-keystone20:47
*** slberger has joined #openstack-keystone20:51
*** boris-42 has joined #openstack-keystone20:53
*** belmoreira has quit IRC20:53
stevemardolphm: sorry, was otp, did you find the bug?20:59
stevemardolphm: https://bugs.launchpad.net/keystone/+bug/1471665 ?21:04
openstackLaunchpad bug 1471665 in OpenStack Identity (keystone) "Successive runs of identity tempest tests take more and more time to finish" [Low,Confirmed]21:04
dolphmmorgan: does dogpile.cache work on generators?21:04
morgandolphm: uhmm...21:04
dolphmstevemar: yes, that's it! thank you21:04
morgandolphm: don't think you can memoize a generator21:04
stevemardolphm: yw :]21:04
morgandolphm: by definition a generator isn't memoizable - it results in a side-effect of running the function/method vs a static object21:05
stevemardolphm: the amount of bugs related to performance and revocation is TOO DAMN HIGH https://bugs.launchpad.net/keystone/+bugs?field.tag=performance21:05
morgandolphm: if you can serialize a generator (don't think this is really possible), then you can memoize it. i mean, barring the in-memory dict cache [bad idea]21:06
*** nllrte has quit IRC21:06
*** timcline_ has quit IRC21:06
morgandolphm: heck does copy.deepcopy really work well on generators?21:06
stevemarmorgan dolphm https://bugs.launchpad.net/keystone/+bug/1259827 I think we can close this one now? cause caching?21:06
openstackLaunchpad bug 1259827 in OpenStack Identity (keystone) "keystone execute SQL statements so many times?" [Medium,Triaged] - Assigned to David Stanek (dstanek)21:06
openstackgerritMerged openstack/keystone: db_sync doesn't create default domain  https://review.openstack.org/28204221:06
*** timcline_ has joined #openstack-keystone21:07
morganstevemar: nope, you can close that with the request local cache.21:07
morganstevemar: and only partially close really, it doesn't "stop" the queries, it just limits them21:07
stevemarmorgan: feel like rebasing that bad boy?21:07
morganstevemar: if you want it to land i can. it's not a hard rebase.21:07
dstanekmorgan: stevemar: with local cache we are just hacking around the problem, but i guess the bug would go away21:08
morganbasically it solves the bug but doesn't solve the root cause21:08
morganlong term we need a real fix.21:08
*** annasort has quit IRC21:08
morganalso the request local thing was blocking on the oslo_config change dhellmann pushed through for non-standard default opts21:09
*** mylu has quit IRC21:09
*** mylu has joined #openstack-keystone21:09
*** jsavak has quit IRC21:10
*** pcaruana has quit IRC21:10
*** timcline_ has quit IRC21:11
openstackgerritRaildo Mascena proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles  https://review.openstack.org/27743621:13
ayoungdolphm, stevemar did we drop  'expires_at' from the revocation events?21:19
morganstevemar, dolphm: almost done rebasing the local cache21:21
morganjust running unit tests, will add in the default cache config stuff after21:22
*** mylu has quit IRC21:24
*** pauloewerton has quit IRC21:27
*** ekarlso- has quit IRC21:34
*** ekarlso- has joined #openstack-keystone21:34
openstackgerritMorgan Fainberg proposed openstack/keystone: Use requst local in-process cache per request  https://review.openstack.org/27200721:34
morganstevemar, dstanek, dolphm: ^ rebased21:35
*** jsavak has joined #openstack-keystone21:42
dolphmayoung: i don't know21:46
ayoungdolphm, the Fernet patch is failing because one of the explicit revokes is looking at the events, and is trying to match on expires21:47
ayoungIn the past, I thought all events held expires_at so we could purge them21:47
ayoungI am not certain if this check is still necessary, but I am reluctant to just drop it21:48
dolphmayoung: i thought so too21:48
dolphmayoung: or maybe not expires at, but they have some date attached to them for sure21:49
ayoungissued_at?21:49
dolphmayoung: or is it just event date + token lifespan == when revoke events are no longer useful21:49
dolphmissued_at + token lifespan21:50
dolphmthat sounds right21:50
ayoungso not having expires_at in a revocation event should not be a deal breaker, so long as the rest works21:50
ayoungI think I'll just remove the check21:50
*** sdake has quit IRC21:51
*** sdake has joined #openstack-keystone21:52
*** mylu has joined #openstack-keystone21:53
stevemarayoung: we did not21:54
stevemarayoung: i had a patch but abandoned it21:54
openstackgerritMorgan Fainberg proposed openstack/keystone: Default caching to on for request-local caching.  https://review.openstack.org/27719821:55
ayoungstevemar, I'm guessing the change happened in the token provider chain somewhere.  I don't think it is an important check, but I am seeing a later failure that looks like our old race condition21:56
ayounglet me confirm...21:56
stevemarayoung: here was my patch to remove it (abandoned) https://review.openstack.org/#/c/271135/21:56
patchbotstevemar: patch 271135 - keystone - remove deprecated revoke_by_expiration function (ABANDONED)21:56
ayoungstevemar, bring it back to life21:57
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Trying latest oslo.* from master  https://review.openstack.org/28415521:57
ayoungIt can hang out until Newton opens up21:58
stevemarayoung: the tests were a pain in the you know where21:58
ayoungbut it is the right idea21:58
ayoungstevemar, I'll get them.21:58
stevemarayoung: IT'S ALIVE!21:58
ayoungcool21:58
*** jsavak has quit IRC22:01
*** ninag has quit IRC22:02
*** jsavak has joined #openstack-keystone22:02
*** david-lyle has joined #openstack-keystone22:03
* stevemar should head out and go to the local openstack meetup22:05
*** knikolla has quit IRC22:05
stevemardolphm ayoung morgan dstanek i have to allocate the fishbowl / work rooms for austin soon, want to just go with what we did last year22:07
*** timcline_ has joined #openstack-keystone22:07
stevemardolphm ayoung morgan dstanek for reference, last year we had 7 fishbowls, and 3 work rooms in tokyo22:07
dolphmstevemar: how about a session to workshop known security "weaknesses"?22:07
ayoungTokyo was a good balance, I think22:07
stevemardolphm: this is just allocating numbers for now22:08
dolphmoh22:08
dolphmstevemar: well then i want 1 fishbowl then22:08
stevemarshould i request one more of each? feel like we didn't have enough time?22:08
stevemarlol22:08
stevemarjust 1? why?22:08
ayoungone just for dolphm  to yell at people22:09
dolphmstevemar: because i can only think of 1 topic off hand22:09
dolphmstevemar: make it two, i forgot about my yelling session22:09
ayoungwhat were the defs of fishbowls vs workrooms, and are they going to be the same here?22:09
dolphmthanks ayoung22:09
dolphmayoung: the work rooms were the big conference table rooms on friday22:10
stevemarayoung: more or less the same as tokyo... the fishbowls have a projector and usually one or two people in the front guiding the session22:10
ayoungSo...cross project on roles should be Fishbowl?22:10
morganfishbowls can hold a lot more people22:10
stevemarayoung: the workroom is a big table and usually a flip chart22:10
dolphmayoung: yes22:11
stevemarfishbowls are more for discussion22:11
*** petertr7 is now known as petertr7_away22:11
*** daemontool has joined #openstack-keystone22:11
*** timcline_ has quit IRC22:11
dstanekdolphm: https://gist.github.com/anonymous/ee333c34e5943fd1b47a22:11
ayoungseems like most of the big things are cross-project22:12
morgandolphm: https://eero.com/ just ordered a set of these. yay real mesh networking @ home.22:12
morgandolphm: figured i'd share, because ugh been battling wifi hell lately22:12
*** sdake has quit IRC22:13
dolphmmorgan: ooh, let me know how it goes22:13
ayoung20 tests failing on Fernet...how long do I have to fix this?22:13
stevemarheading out to meetup22:13
dolphmlbragstad: ^22:13
lbragstadayoung is that on your switch to fernet default patch?22:13
morganwill do, i know mordred also got some, so ask him too in a couple weeks.22:13
morgandolphm: ^22:13
ayounglbragstad, yeah22:13
ayounglbragstad, I've fixed 2 issues22:14
lbragstadayoung I think most of those are going to be timing things22:14
ayounglbragstad, that is what I am starting to see22:14
morganmordred: telling people to ask you about eero btw, you didn't do anything :P22:14
*** dims has quit IRC22:14
lbragstadayoung morgan had an elegant way to fix that22:14
ayounglbragstad, what are we doing about those?  Introducing delays?22:14
morganlbragstad: i did what?22:14
ayoungchange the clock?22:14
lbragstadayoung no - we talked about using freezegun at the midcycle22:14
ayoungmorgan, timing bug in a test22:14
morganayoung: change the clock.22:14
morganayoung: don't add a delay unless it's in tempest22:15
ayounglbragstad, there examples of that in the review already?22:15
lbragstadayoung no22:15
lbragstadnot that I am aware of22:15
ayoungok...how do I do that, then?22:15
lbragstadayoung let me see if I can dig up a review22:15
morganwe have some examples of using mock, though i hear freezegun is way cooler22:15
ayoungmorgan, if it is a new dependency, is it kosher to pull in?22:16
morganayoung: it's already in g-r and should be fine to add22:16
morganas long as the patch lands pre m-322:16
morganto add it that is22:17
ayoungbknudson, you know about Freezegun?  I see you added it to reqs.22:17
bknudsonayoung: dolphm suggested it22:17
lbragstadayoung https://review.openstack.org/#/c/228603/22:17
patchbotlbragstad: patch 228603 - requirements - Add freezegun to global requirements (MERGED)22:17
ayoungyeah...now how do I use it...22:18
lbragstaddolphm do you still have that patch lingering around that uses freezegun to mock the clock for fernet22:18
bknudsonayoung: it looks like a "cool" idea. I don't think it's used yet.22:18
*** spzala has joined #openstack-keystone22:18
bknudsonayoung: there's some code in oslo for clock handling, too. But I think freezegun covers more apis22:18
bknudsonoslotest22:18
*** raildo is now known as raildo-afk22:19
dolphmayoung: i have a patch for freezegun somewhere22:19
ayoungdolphm, is it the right tool for dealing with the token/time issues?22:19
dolphmayoung: yes22:19
dolphmayoung: it lets you control the clock in any python library, basically22:19
ayoungdolphm, OK, i think I have a failure right here due to it...22:19
dolphmayoung: https://review.openstack.org/#/c/227995/22:20
patchbotdolphm: patch 227995 - keystone - Test revocation race conditions22:20
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_auth.py#n64322:20
*** spzala has quit IRC22:20
* dolphm is out for the day22:23
*** daemontool has quit IRC22:23
ayoungdolphm, GAH22:23
ayoungonly person that has used freezegun is you dolphm22:23
ayoungdon't leave me now!22:24
ayoungI think I can do it without Freezegun, actually22:25
ayoungwe advance the time elsewhere already...22:25
lbragstadayoung it has to work across python libraries I think too22:26
*** jorge_munoz has quit IRC22:26
lbragstadsince cryptography is the thing that creates the timestamp we go off of22:26
*** csoukup has joined #openstack-keystone22:27
ayounglbragstad, you are still in family mode for a while, right?22:29
lbragstadayoung just got back last night22:29
ayounglbragstad, OK.  Let me see if I can find why this last one is failing, and I'll post my changes22:30
*** mylu has quit IRC22:36
*** ninag has joined #openstack-keystone22:37
*** mylu has joined #openstack-keystone22:38
*** gordc has quit IRC22:38
openstackgerritMerged openstack/keystone: Reference config values at runtime  https://review.openstack.org/28384222:44
*** henrynash has joined #openstack-keystone22:45
*** ChanServ sets mode: +v henrynash22:45
*** sigmavirus24 is now known as sigmavirus24_awa22:54
*** fangxu has quit IRC22:55
*** fangxu has joined #openstack-keystone22:58
*** dims has joined #openstack-keystone23:08
*** timcline_ has joined #openstack-keystone23:08
*** timcline_ has quit IRC23:12
*** sdake has joined #openstack-keystone23:12
*** david-lyle has quit IRC23:13
*** csoukup has quit IRC23:15
*** diazjf has quit IRC23:16
*** jsavak has quit IRC23:17
*** dan_nguyen has left #openstack-keystone23:17
*** jsavak has joined #openstack-keystone23:17
*** pushkaru has quit IRC23:18
*** rk4n has joined #openstack-keystone23:18
*** jsavak has quit IRC23:22
*** sdake has quit IRC23:25
*** vilobhmm11 has quit IRC23:25
*** vilobhmm11 has joined #openstack-keystone23:25
*** timcline_ has joined #openstack-keystone23:33
*** dan_nguyen has joined #openstack-keystone23:36
*** timcline_ has quit IRC23:37
*** mylu has quit IRC23:44
*** pushkaru has joined #openstack-keystone23:45
*** mylu has joined #openstack-keystone23:48
*** mylu has quit IRC23:50
*** pushkaru has quit IRC23:52
ayounglbragstad, so the revoke tree looks like this {'trust_id=*': {'consumer_id=*': {'access_token_id=*': {'audit_id=*': {u'audit_chain_id=None': {'expires_at=*': {'domain_id=*': {'project_id=*': {'user_id=*': {'role_id=*': {'domain_scope_id=*': {'issued_before': datetime.datetime(2016, 2, 24, 23, 42, 57, 795165)}}}}}}}}}}}}23:54
ayoung {u'audit_chain_id=None'  ?23:55
