Thursday, 2016-02-25

*** rk4n has quit IRC00:04
*** mylu has joined #openstack-keystone00:06
*** sdake has joined #openstack-keystone00:07
*** fangxu has quit IRC00:16
*** annasort has joined #openstack-keystone00:18
morgandstanek: so, not sure how to fix the DB fixture to not use the legacy engine facade00:23
morgandolphm: but that fix will apply to the other tests and we can be free of the legacy facade00:23
*** sdake has quit IRC00:23
morgandstanek: ^ cc ( dolphm ^ what i said to dstanek too)00:23
ayoungmorgan, this line is from revoking a token with no audit info.  Can you tell me why that is bad?00:23
dstanekmorgan: i'd have to take a look and see what we're doing in there00:23
ayounglbragstad, so the revoke tree looks like this {'trust_id=*': {'consumer_id=*': {'access_token_id=*': {'audit_id=*': {u'audit_chain_id=None': {'expires_at=*': {'domain_id=*': {'project_id=*': {'user_id=*': {'role_id=*': {'domain_scope_id=*': {'issued_before': datetime.datetime(2016, 2, 24, 23, 42, 57, 795165)}}}}}}}}}}}}00:23
*** henrynash has quit IRC00:24
morgandstanek: it's the reflection model->schema create bit00:24
ayoungI'll give you a hint:  * means match all00:24
morganayoung: that was compat00:24
ayoungmorgan, it just revoked ALL tokens00:24
morganayoung: drop support for it now. we have been >2cycles with audit_info00:24
morganoh. this is back to the tree being non-intuitive :(00:25
morganbut yeah00:25
morgandon't do that :P00:25
morganayoung: you know that looks like something we could encode into a SQL query about as easily now :P00:25
morganayoung: if we index the revoke table00:25
ayoungmorgan, 90% of the revoke stuff is bogus now00:26
morganayoung: yeah00:26
ayoungwe need revoke by audit id and ... I think that is about it?00:26
morganayoung: prob. revoke by user00:26
morganpassword change?00:26
ayoungah for password00:26
ayoungthat is the one00:26
morganand revoke by project/domain is useful but could be skipped for revoke by user if needed00:27
morganbut beyond that i think we're pretty much audit_id, user.00:27
morganbut we can def. drop role_id. and "expires_at"00:28
morganand trust_id *shrug* i don't think we *need*00:28
morganayoung: fwiw, audit_chain_id would be the same as expires_at, but more restrictive/accurate00:29
morganprobably can also be dropped?00:30
ayoungaudit chain stays00:30
ayoungthat is pretty much the only one, as that is token specific00:30
morganaudit and audit_chain need to stay00:31
morganaudit_chain would revoke the entire chain/every token rescoped or not00:32
morganaudit_id is just "this" token00:32
*** bjornar__ has quit IRC00:32
morganbut expires_at would net the same as audit_chain00:32
morganfor sure00:32
ayoungwe should use audit chain for a Horizon logout00:32
morganayoung: we tried that, it broke long-running tasks00:32
morganfor the same basic reason why token expiration does00:33
morganftr, i don't disagree with using audit_chain for horizon logout, but we have work to do before we can00:33
morgans/don't disagree/agree00:34
*** timcline_ has joined #openstack-keystone00:34
ayoungnext release00:34
morgan(i need to work on avoiding the idiomatic "double negative")00:34
ayoungfor now can I get rid of the "with no audit info tests"00:35
morganthat can go away00:35
ayoungis there some code change that goes with that00:35
morganthat was just for transition from audit_id -> no audit_id00:35
ayoungor just drop the test00:35
morganat this point if a token doesn't have an audit id... fail the token00:35
morganmight get to remove an extra if conditional in the token provider validate call :)00:36
morganand that test likely should just check that a 401 is issued.00:36
ayoungis it possible to make a token with no audit info somehow?00:36
morganbetween i think juno and kilo?00:36
ayoungah, OK...gonna just kill the test then00:37
morganand likely should kill the provider logic around it too00:37
morgani would say that is an internal server error w/o audit_ids now... bad internal data00:37
morganso should be fine to raise up and out unexpected exception when it happens00:38
morgan(default for like KeyError etc when decoding a token)00:38
*** timcline_ has quit IRC00:38
ayoung testtools.matchers._impl.MismatchError: '2016-02-25T01:37:40Z' != '2016-02-25T01:37:40.000000Z'00:38
morganyeah you might need to squash the resolution to non-subsecond00:39
*** mylu has quit IRC00:42
*** fangxu has joined #openstack-keystone00:48
*** mylu has joined #openstack-keystone00:54
*** gyee has quit IRC01:04
*** diazjf has joined #openstack-keystone01:04
*** diazjf1 has joined #openstack-keystone01:06
*** diazjf has quit IRC01:06
*** mylu has quit IRC01:13
*** davechen has joined #openstack-keystone01:14
*** EinstCrazy has joined #openstack-keystone01:20
*** spandhe has quit IRC01:26
*** jasonsb has joined #openstack-keystone01:33
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user
*** timcline_ has joined #openstack-keystone01:35
*** lhcheng has quit IRC01:35
*** ninag has quit IRC01:38
*** timcline_ has quit IRC01:39
*** slberger has left #openstack-keystone01:39
openstackgerritMerged openstack/keystone: Remove migration_helpers.get_default_domain
openstackgerritMerged openstack/keystone: Update default domain's description
*** richm has quit IRC01:44
*** zzzeek has quit IRC01:45
*** zzzeek has joined #openstack-keystone01:45
*** zzzeek has quit IRC01:47
*** zzzeek has joined #openstack-keystone01:50
*** dims has quit IRC01:52
*** zzzeek has quit IRC01:52
*** dan_nguyen has quit IRC01:53
*** zzzeek has joined #openstack-keystone01:54
ayoungso most of the failing tests are due to failure to find policy.json02:02
*** csoukup has joined #openstack-keystone02:12
morganayoung: don't run them in isolation02:15
morganayoung: there is a bug in our test suite that causes that to fail. if you run the whole thing again, it should work02:15
ayoungmorgan, hmmm02:16
ayoungok, let's see02:16
*** csoukup has quit IRC02:16
morganayoung: i think there is even a bug open on that02:16
morgannot sure why it fails when run in isolation tbh02:16
morgani haven't looked at the setUp()s02:16
ayoungit's the path it uses to search for the policy files02:17
ayoungit's probably set up in some test and that is run early02:17
davechenayoung, morgan: it has been fixed by this patch -
patchbotdavechen: patch 278528 - keystone - Moves policy setup into a fixture. (MERGED)02:17
ayoungso if you run the individual tests, the path is set wrong02:17
davechenayoung: you might need a rebase.02:17
ayoungso I should not be seeing that in this bug, but maybe I need a rebase02:18
*** fangxu has quit IRC02:21
*** vilobhmm11 has quit IRC02:24
*** vilobhmm11 has joined #openstack-keystone02:25
morgandavechen: nice.02:28
morgandavechen: thnx for the heads up02:28
davechenmorgan: np. :)02:30
*** vilobhmm11 has quit IRC02:35
*** timcline_ has joined #openstack-keystone02:35
*** Ephur has quit IRC02:36
*** vilobhmm11 has joined #openstack-keystone02:36
*** vilobhmm11 has quit IRC02:37
*** timcline_ has quit IRC02:40
*** links has joined #openstack-keystone02:47
ayoung20 failed tests02:51
*** diazjf1 has quit IRC02:58
openstackgerritayoung proposed openstack/keystone: [WIP]Make fernet default token provider
*** boris-42 has quit IRC03:04
*** edmondsw has quit IRC03:07
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users
openstackgerritDave Chen proposed openstack/keystone: Switch to use `new_domain_ref` for testcases
morganstevemar, dstanek: i think i have most of the enginefacade warnings smashed.03:18
morganstevemar, dstanek: proposing the fix in a moment03:19
ayoungare trust tokens even working with Fernet?03:20
morganayoung: v2 or v3?03:20
morganayoung: cause v3 should be working, v2? i don't think so03:20
ayoungah...test_auth is all V2 isn't it03:20
morganaye03:20  that is...03:21
ayoung3 fails:03:21
morganthat's not too bad03:21
morgan@skip_if_fernet('we do not care about v2... or your v2 trust tokens l2v3authonly')03:22
ayoungmorgan, ugh...nah, it is a security hole03:24
ayoung def test_delete_trust_revokes_token(self):03:24
ayoung def test_token_from_trust_cant_get_another_token(self):03:24
ayoungWe need to proactively prevent V2 Tokens from trusts if we are going to do this03:24
morgancrap ... just smashed my face and scratched the hell out of my glasses :(03:27
*** timcline has quit IRC03:28
morganfunny the glasses with the heavier frames keep scratching, the ones with no frames have not been scratched... wtf.03:29
openstackgerritMorgan Fainberg proposed openstack/keystone: No more legacy engine facade in tests
morganstevemar, davechen, dstanek: ^03:31
morgandolphm: ^03:31
morgani should probably have run pep8 on that before pushing it03:31
openstackgerritMorgan Fainberg proposed openstack/keystone: No more legacy engine facade in tests
*** links has quit IRC03:34
*** timcline has joined #openstack-keystone03:36
openstackgerritDave Chen proposed openstack/keystone: Switch to use `new_domain_ref` for testcases
*** timcline has quit IRC03:40
openstackgerritMorgan Fainberg proposed openstack/keystone: No more legacy engine facade in tests
*** timcline has joined #openstack-keystone03:47
*** chlong_ has quit IRC03:47
*** davechen is now known as davechen_afk03:49
*** chlong_ has joined #openstack-keystone03:49
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove get_session and get_engine
morgandavechen_afk, dstanek, stevemar: ^ remove the .get_session and .get_engine so that people do not re-introduce the use of LegacyEngineFacade03:50
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove get_session and get_engine
openstackgerritMorgan Fainberg proposed openstack/keystone: Followup for LDAP removal
*** woodster_ has quit IRC03:56
*** lhcheng has joined #openstack-keystone04:13
*** ChanServ sets mode: +v lhcheng04:13
openstackgerritMorgan Fainberg proposed openstack/keystone: Default caching to on for request-local caching.
*** links has joined #openstack-keystone04:29
*** timcline_ has joined #openstack-keystone04:37
*** timcline_ has quit IRC04:42
*** davechen_afk is now known as davechen04:48
*** Nirupama has joined #openstack-keystone04:53
*** lhcheng has quit IRC04:53
morganstevemar: uhm... not sure why devstack failed the enginefacade things... actually ... hmm04:55
morganayoung: do you need/want me to take a crack at the caching issues with fernet?05:07
morganprobably is some silly assumption05:07
morganayoung: oh . i know what is up w/ the cache invalidation tests >.>05:09
morgan:P oi05:09
*** diazjf has joined #openstack-keystone05:12
*** belmoreira has joined #openstack-keystone05:12
*** sdake has joined #openstack-keystone05:17
davechenmorgan: the failed CI has nothing to do with your change, so push it through. :)05:20
*** sdake has quit IRC05:22
stevemarmorgan: everything is le failing05:31
*** fpatwa_ has joined #openstack-keystone05:31
morganstevemar: FIX IT OMG :P05:31
*** timcline_ has joined #openstack-keystone05:38
*** timcline_ has quit IRC05:42
jamielennoxso there's no default domain anymore unless you keystone-manage bootstrap?05:50
stevemarjamielennox: i think that's the idea that bknudson was thinking..05:51
jamielennoxstevemar: more i was surprised that it broke my automation and i'm probably not the only one05:51
stevemarjamielennox: did it break keystone-manage db_sync?05:51
jamielennoxstevemar: no, but i'm doing initial automation05:52
stevemarjamielennox: i was worried about that part...05:52
jamielennoxstevemar: so install, run db_sync05:52
*** dims has joined #openstack-keystone05:52
jamielennoxthen using the ADMIN_TOKEN the first thing you do is try to create users05:52
jamielennoxyou get05:52
jamielennox Could not find domain: default (HTTP 404) (Request-ID: req-18507ed5-a3ef-44af-a3c2-1cb48090154f)05:52
jamielennoxi can obviously get around it (though i'm going to check how idempotent the bootstrap is), but i think we'll get some pushback05:53
*** afred312 has quit IRC05:55
patchbotstevemar: patch 282042 - keystone - db_sync doesn't create default domain (MERGED)05:57
stevemarjamielennox: ^05:57
jamielennoxstevemar: i don't know if we have the option to not support v205:58
stevemarjamielennox: we're not supporting *new* v2s05:59
stevemarjamielennox: only folks installing keystone for the first time are going to hit this issue05:59
*** doug-fish has joined #openstack-keystone06:00
*** fpatwa_ has quit IRC06:00
stevemarjamielennox: hit that revert button06:00
jamielennoxstevemar: that includes any of the automation projects that rely on this06:00
jamielennoxstevemar: you should ensure that puppet etc are all ready06:00
stevemarjamielennox: i asked early on "won't we be forcing folks to a) must use the bootstrap command or b) if they go the ADMIN_TOKEN route, they must now create a domain before migrating?"06:00
jamielennoxespecially because we are telling people to run bootstrap anyway06:01
stevemarjamielennox: if bootstrap is run, things should be fine06:01
jamielennoxright, because all the ansible < 2 stuff uses API v206:01
jamielennoxso it was working now doesn't06:01
openstackgerritSteve Martinelli proposed openstack/keystone: Revert "db_sync doesn't create default domain"
jamielennoxit appears running bootstrap multiple times is fine06:02
jamielennoxjust something we should discuss06:02
*** v1k0d3n has quit IRC06:05
openstackgerritMorgan Fainberg proposed openstack/keystone: [WIP]Make fernet default token provider
morganayoung: ^ that should resolve all but the Trust and the weird error you're seeing06:18
morganstevemar, jamielennox: default domain should be created on demand iirc. maybe we're missing that step.06:19
morganjamielennox: running bootstrap many times should be 100% ok. it's designed to be idempotent if the arguments are the same06:19
jamielennoxmorgan: yep, i can change my stuff to use bootstrap, but it's not creating the domain on demand06:19
morganjamielennox: we might need to make it do the "on demand" bit or move the "on demand" bit. it shouldn't be baked into the SQL migrations for sure06:20
morganif we can avoid that06:20
morganor whatever.06:21
*** miguelgrinberg has quit IRC06:25
*** miguelgrinberg has joined #openstack-keystone06:27
*** timcline_ has joined #openstack-keystone06:38
*** lhcheng has joined #openstack-keystone06:42
*** ChanServ sets mode: +v lhcheng06:42
*** timcline_ has quit IRC06:43
*** dims has quit IRC06:43
*** dave-mccowan has quit IRC06:45
*** lhcheng has quit IRC06:46
*** josecastroleon has joined #openstack-keystone06:49
*** fawadkhaliq has joined #openstack-keystone06:50
*** belmoreira has quit IRC06:53
*** fangxu has joined #openstack-keystone06:54
*** doug-fish has quit IRC06:54
*** zzzeek has quit IRC06:56
*** zzzeek has joined #openstack-keystone06:59
*** jasonsb has quit IRC07:02
*** zzzeek has quit IRC07:10
*** henrynash has joined #openstack-keystone07:11
*** ChanServ sets mode: +v henrynash07:11
*** henrynash has quit IRC07:12
*** diazjf has quit IRC07:12
*** tomoiaga has joined #openstack-keystone07:16
*** tomoiaga has quit IRC07:21
*** timcline_ has joined #openstack-keystone07:39
*** timcline_ has quit IRC07:44
*** belmoreira has joined #openstack-keystone07:51
*** fawadkhaliq has quit IRC07:51
*** belmoreira has quit IRC07:58
*** belmoreira has joined #openstack-keystone08:00
*** belmoreira has quit IRC08:06
*** rk4n has joined #openstack-keystone08:11
*** Oku_OS has quit IRC08:18
*** browne has quit IRC08:19
*** rk4n has quit IRC08:20
*** rk4n has joined #openstack-keystone08:22
*** vinm213 has joined #openstack-keystone08:29
vinm213Good morning all08:29
vinm213Have u ever faced issue with keystone while installing devstack on ubuntu 14.0408:38
*** timcline_ has joined #openstack-keystone08:40
vinm213particularly the error
*** timcline_ has quit IRC08:42
*** timclin__ has joined #openstack-keystone08:42
*** timclin__ has quit IRC08:46
*** rk4n has quit IRC08:47
*** boris-42 has joined #openstack-keystone08:52
*** tomoiaga has joined #openstack-keystone08:53
*** jistr has joined #openstack-keystone09:01
*** mvk has joined #openstack-keystone09:09
*** esp has joined #openstack-keystone09:10
*** Oku_OS has joined #openstack-keystone09:10
*** samueldmq1 has joined #openstack-keystone09:11
*** esp has quit IRC09:14
*** samueldmq1 has quit IRC09:15
*** fawadkhaliq has joined #openstack-keystone09:17
*** fawadkhaliq has quit IRC09:29
*** pnavarro has joined #openstack-keystone09:36
*** timcline_ has joined #openstack-keystone09:43
*** timcline_ has quit IRC09:47
*** davechen has left #openstack-keystone09:53
*** grassy is now known as davechen_afk09:53
*** mvk has quit IRC10:01
*** EinstCrazy has quit IRC10:07
*** daemontool has joined #openstack-keystone10:07
*** EinstCrazy has joined #openstack-keystone10:07
*** EinstCrazy has quit IRC10:12
*** rk4n has joined #openstack-keystone10:16
*** lhcheng has joined #openstack-keystone10:20
*** ChanServ sets mode: +v lhcheng10:20
*** daemontool has quit IRC10:21
*** daemontool has joined #openstack-keystone10:24
*** pcaruana has joined #openstack-keystone10:42
openstackLaunchpad bug 1549726 in OpenStack Identity (keystone) "Race condition in keystone domain config" [Undecided,New] - Assigned to Divya K Konoor (dikonoor)10:42
bretonvery nice find10:43
*** timcline_ has joined #openstack-keystone10:44
*** timcline_ has quit IRC10:48
*** belmoreira has joined #openstack-keystone10:49
samueldmqmorning all10:51
*** sdake has joined #openstack-keystone10:58
*** lhcheng has quit IRC11:16
*** fawadkhaliq has joined #openstack-keystone11:27
*** sdake_ has joined #openstack-keystone11:29
*** sdake has quit IRC11:30
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by keystone
*** sdake_ has quit IRC11:37
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by identity service
*** EinstCrazy has joined #openstack-keystone11:43
*** timcline_ has joined #openstack-keystone11:44
*** josecastroleon has quit IRC11:45
*** timcline_ has quit IRC11:48
*** fpatwa_ has joined #openstack-keystone11:49
*** fpatwa_ has quit IRC12:13
*** raildo-afk is now known as raildo12:37
*** fawadkhaliq has quit IRC12:42
*** daemontool_ has joined #openstack-keystone12:43
*** fawadkhaliq has joined #openstack-keystone12:43
*** timcline_ has joined #openstack-keystone12:45
*** daemontool has quit IRC12:46
*** fawadkhaliq has quit IRC12:47
*** daemontool_ has quit IRC12:47
*** timcline_ has quit IRC12:49
*** woodster_ has joined #openstack-keystone12:52
*** gordc has joined #openstack-keystone12:54
*** ninag has joined #openstack-keystone12:54
*** pcaruana has quit IRC12:55
*** dave-mccowan has joined #openstack-keystone12:56
*** daemontool has joined #openstack-keystone13:01
*** edmondsw has joined #openstack-keystone13:04
*** lhcheng has joined #openstack-keystone13:05
*** ChanServ sets mode: +v lhcheng13:05
*** pcaruana has joined #openstack-keystone13:09
*** lhcheng has quit IRC13:10
*** links has quit IRC13:26
*** josecastroleon has joined #openstack-keystone13:31
*** Nirupama has quit IRC13:44
dstanekmorgan: we have now made the simplest webapp i've ever worked on use database in the most complicated way i've ever seen :-(13:45
*** timcline_ has joined #openstack-keystone13:46
*** dims has joined #openstack-keystone13:47
*** henrynash has joined #openstack-keystone13:48
*** ChanServ sets mode: +v henrynash13:48
*** timcline_ has quit IRC13:50
*** fawadkhaliq has joined #openstack-keystone13:53
*** zzzeek has joined #openstack-keystone13:57
*** zzzeek has quit IRC13:57
*** zzzeek has joined #openstack-keystone13:58
*** daemontool_ has joined #openstack-keystone13:59
amakarovhenrynash, good day! what's the difference between resource.backends and resource.V8_backends?14:00
henrynashamakarov: the V8 one is a copy of our old V8 driver, used only for testing purposes to ensure we can support legacy drivers14:01
henrynashamakarov: resource.backends contain the latest (currently V9) version14:01
amakarovhenrynash, thank you! I'll make my changes there14:02
*** daemontool has quit IRC14:02
vinm213Hello all14:06
vinm213i just trying to install devstack14:06
vinm213and facing issues14:06
*** links has joined #openstack-keystone14:07
vinm213hope thiwith keystone14:07
*** petertr7_away is now known as petertr714:15
*** pauloewerton has joined #openstack-keystone14:17
*** fawadkhaliq has quit IRC14:20
lbragstadayoung reviewing your fernet patch today14:21
*** spzala has joined #openstack-keystone14:22
raildolbragstad: I'm working on it too :) right now we only have 8 failed tests14:27
*** vinm213 has quit IRC14:28
*** rk4n has quit IRC14:36
*** rk4n has joined #openstack-keystone14:36
*** rk4n has quit IRC14:38
openstackgerrithenry-nash proposed openstack/keystone: Projects acting as domains
*** petertr7 is now known as petertr7_away14:45
henrynashdstanek: if you are above, take a look at the new patch I posted for - it has the code in to map projects acting as a domain back onto the underlying legacy driver domain methods14:50
*** woodster_ has quit IRC14:56
lbragstadraildo that's awesome!14:58
lbragstadraildo ayoung trying to wrap a couple things up but I want to get around to reviewing that today14:59
*** petertr7_away is now known as petertr715:01
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users
*** pushkaru has joined #openstack-keystone15:02
*** PsionTheory has joined #openstack-keystone15:04
*** daemontool__ has joined #openstack-keystone15:10
*** roxanaghe has joined #openstack-keystone15:12
*** links has quit IRC15:12
*** e0ne has joined #openstack-keystone15:14
*** daemontool_ has quit IRC15:14
*** sigmavirus24_awa is now known as sigmavirus2415:15
*** knikolla has joined #openstack-keystone15:16
*** roxanaghe has quit IRC15:16
*** roxanaghe has joined #openstack-keystone15:18
dstanekhenrynash: awesome! i'll take another look15:18
*** rk4n has joined #openstack-keystone15:19
*** rk4n has quit IRC15:20
*** rk4n has joined #openstack-keystone15:20
*** su_zhang has joined #openstack-keystone15:22
*** roxanaghe has quit IRC15:23
henrynashdstanek: thx15:25
*** woodster_ has joined #openstack-keystone15:25
*** henrynash has quit IRC15:25
*** PsionTheory has quit IRC15:26
*** timcline_ has joined #openstack-keystone15:26
*** csoukup has joined #openstack-keystone15:27
*** jsavak has joined #openstack-keystone15:29
*** sdake has joined #openstack-keystone15:37
*** petertr7 is now known as petertr7_away15:39
*** e0ne has quit IRC15:40
*** e0ne_ has joined #openstack-keystone15:41
morgandstanek: heh15:41
*** sdake_ has joined #openstack-keystone15:41
*** jsavak has quit IRC15:42
*** sdake has quit IRC15:42
morganayoung: hopefully my additions to the fernet patch help get you closer15:42
*** jsavak has joined #openstack-keystone15:43
*** dan_nguyen has joined #openstack-keystone15:43
*** knikolla has quit IRC15:43
*** tomoiaga has quit IRC15:46
ayoungmorgan, that is what I hoped would happen here:  people that know each of these things tackling them.  Thanks so much15:49
ayounglbragstad, I might be able to focus a few things for you to look at;15:50
morganNP. I probably could have resolved the other tests but it was late :(15:50
ayoungin b/keystone/token/providers/fernet/core.py15:50
ayoungaround line 150: -            audit_ids = provider.audit_info(parent_audit_id)15:50
ayoung             if parent_audit_id:15:50
ayoung+                audit_ids = provider.audit_info(parent_audit_id)15:50
ayoungI had that as a stand alone change, but it was not testable without rewriting the tests:15:51
ayoungthat gets the entire audit chain into the Fernet token15:51
dolphmayoung: "entire"? there should only be two IDs, max, right?15:51
*** e0ne_ has quit IRC15:52
dolphmayoung: the original parent and the current ID15:52
morganayoung: the chain id is shared with all tokens15:52
ayoungdolphm, right15:52
ayoung"both" would be more correct15:52
* dolphm wipes sweat from brow.15:52
morgandolphm: ++15:52
ayoungit was actually getting garbage in there due to a None Value15:52
ayoungI think the logic I modified could actually be cleaned up even more.15:53
morganAn original non rescoped token only had its id15:53
morganAnd a rescoped token would then have a chain ID. That was the original design15:53
ayounglbragstad, dolphm the other change had to do with the exception returned during token validation.  Since we are depending on code that was used in other paths, we need to convert some exceptions15:53
ayoungfor example15:54
ayoungkeystone/token/ line 24415:54
samueldmqdstanek: hi, I'd like to see your view on something15:54
ayoungwrapped it in a try block, raise  exception.TokenNotFound(_('Failed to validate token'))15:54
samueldmqdstanek: cascade operations on a project hierarchy, specifically how authz would work15:54
ayoungI think those were the only changes I made in the production code15:54
morganSo the chain id needs to be the audit ID of the original non-rescoped token15:55
openstackgerritBrant Knudson proposed openstack/keystone: V2 operations create default domain on demand
bknudsonmorgan: is work in progress but what do you think?15:55
patchbotbknudson: patch 284778 - keystone - V2 operations create default domain on demand15:55
ayoungmorgan, right and we had the data, we were just over writing it with garbage.15:55
bknudsonstill needs to handle create project, etc.15:55
morganbknudson: +1 on the idea15:56
ayoungbknudson, Oooh....I like that idea!15:56
morganBetter than the revert and relying on the SQL migration15:56
* ayoung thinks bknudson is wicked smaht15:56
morganI put a +1 on it already ;)15:56
bknudsonayoung: great!15:56
*** jorge_munoz has joined #openstack-keystone15:57
*** sdake has joined #openstack-keystone15:57
*** sdake_ has quit IRC15:58
*** knikolla has joined #openstack-keystone15:59
*** jasonsb has joined #openstack-keystone15:59
bknudsonayoung: morgan: I'll keep working on it, thanks!15:59
*** dims has quit IRC16:06
*** mylu has joined #openstack-keystone16:08
ayounglbragstad, so the most concerning test failures are the Trust ones.  We have two choices16:11
*** sdake_ has joined #openstack-keystone16:11
*** sdake has quit IRC16:11
*** sdake_ has joined #openstack-keystone16:12
ayoungeither explicitly prevent all trust tokens on V2 or make sure trust tokens work for V2.  Since we are headed toward the first alternative, I am going to give that a quick try.  It means that the V2 trust tests will be replaced with a test that ensures they are always rejected16:12
ayoungI'm still worried that this is going to break people16:12
raildolbragstad: great, let me know if there is anything I can help you16:14
lbragstadayoung right16:14
*** pnavarro has quit IRC16:15
lbragstadayoung i have a patch
patchbotlbragstad: patch 278802 - keystone - Remove support for trust scoped tokens in v2.016:15
ayounglbragstad, it seems to me that a V2.0 Fernet based trust token would not be hard.  Why are we making such an effort to get rid of them?16:15
ayounglbragstad, is the problem that we don't want to record the token version in the payload?16:16
*** daemontool__ has quit IRC16:16
ayoungbut...we already do, no?  Wouldn't it be the same payload as a v3 trust, but a different version number indicating it was originally a v2 token?16:16
lbragstadayoung I did it both ways - I have a patch for both
patchbotlbragstad: patch 278693 - keystone - Make fernet support trust auth against v2.016:18
ayounglbragstad, that is the lower risk option.  Any reason not to go with that?16:18
lbragstadayoung depends on what the rest of the team wants to do, I think I'm fine with either16:19
lbragstadayoung we just have to get either of those passing and merge16:19
lbragstadbut I wanted to get both up so that we could see what it looked like16:19
ayounglbragstad, ok.  I'm going to state quite strongly that we should still support v2 trust tokens.  Until v2 goes away, we don't know who we will break16:19
lbragstadI didn't mind the "remove trust support from v2.0" path because it was more explicit16:19
ayounglooking at that review...16:19
ayoungtest_delete_trust_revokes_token  is the same kind of failure we are seeing in the "default fernet" patch16:20
ayoungand the next one,...FernetAuthWithTrust.test_trust_get_token_fails_if_trustee_disabled16:20
*** jsavak has quit IRC16:21
ayoungthat one is an exception wrapping16:21
ayounglbragstad, when you see keystone.exception.Forbidden: You are not authorized to perform the requested action.16:21
ayoungthat means that the wrong exception was thrown, I think16:21
ayoungor...maybe it means that the timer was not fixed?16:22
ayoungLet me look at that smells like the other issues I was seeing last night.  There is something wonky with revoke-by-token in the tree/fernet case.  And I suspect an error in the tree..16:22
ayoungthat tree needs to die16:22
lbragstadayoung ++16:22
lbragstadayoung make it die16:22
ayounglbragstad, is uuid using the same path as fernet now?16:23
ayoungand..if  it is not, do we care?16:23
*** jsavak has joined #openstack-keystone16:23
bknudsonI like this comment --
lbragstadayoung I think we do because it might help us in killing uuid later?16:26
bknudson# NOTE(termie): i can't imagine that this really wants all the data about every single user in the system...16:26
lbragstadayoung I have a patch up for that too16:26
lbragstadayoung the last piece we have to complete is consolidating validate_v2_token() for the fernet and uuid paths16:27
ayounglbragstad, OK....I think I had a version of the patch for killing all of the tree but the simplest cases...might be invasive16:27
ayoungOne sec16:27
lbragstadayoung and that is dependent on figuring out what we need to do with trusts16:27
*** belmoreira has quit IRC16:27
*** jsavak has quit IRC16:28
*** mylu has quit IRC16:30
lbragstadayoung here is the *last* token provider consolidation patch -
patchbotlbragstad: patch 197706 - keystone - Consolidate the fernet provider validate_v2_token()16:31
lbragstadayoung and it's dependent on the decision we have to make with trusts16:31
*** mylu has joined #openstack-keystone16:31
lbragstadand v2.016:31
ayounglbragstad, OK. I'll look in a bit.  We have our work cut out for us. Might be tight, and we might be asking for an extension.16:31
ayoungneed to think how to prioritize this to minimize what we need for Mitaka16:31
*** jsavak has joined #openstack-keystone16:33
*** sdake_ is now known as sdake16:36
morganIf the v2 fernet trust patch works and doesn't impact other things, just merge it instead. Less question on breaking people16:36
morganThen charge forward on the other things.16:36
ayoungmorgan, for password changes, do we still need to revoke trust tokens?  On both trustor and trustee, or just trustee?16:38
morganI think so, unfortunately.16:38
morganBut, not 100% sure16:39
ayoungmorgan, but just trustee, right?16:39
morganWait... No we don't for trustor16:39
ayoungIf I create a trust to you, and then you execute it, then I change my password, the trust is still good, so don't revoke trust tokens16:39
bjornarWhat could be causing: _list_services() missing 1 required positional argument: 'hints'16:39
ayoungthere has been no violation16:39
morganayoung: right16:39
bjornarthis is v3 when doing openstack service list16:39
*** silos has joined #openstack-keystone16:39
morganIf the trustee changes password, only trustee tokens are invalid16:39
*** jsavak has quit IRC16:39
morganAnd same logic applies to trustor password change16:40
*** jsavak has joined #openstack-keystone16:40
morganOnly the user changing password's token is affected16:41
*** gyee has joined #openstack-keystone16:41
*** ChanServ sets mode: +v gyee16:41
dstaneksamueldmq: what's up?16:42
stevemargerrit is slooooowwww16:44
*** EinstCrazy has quit IRC16:46
morganstevemar: a watched gerrit never loads :p16:47
openstackgerritMerged openstack/keystone: Switch to configless bandit
*** josecastroleon has quit IRC16:49
*** diazjf has joined #openstack-keystone16:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file
*** mylu has quit IRC16:53
*** dims has joined #openstack-keystone16:54
*** mylu has joined #openstack-keystone16:54
*** browne has joined #openstack-keystone16:55
*** petertr7_away is now known as petertr717:01
*** richm has joined #openstack-keystone17:01
krotscheckmorgan: Hey, that oslo-config default override update that was mentioned on the list - do you happen to have a patch that uses that already put together?17:07
morganMine does it the wrong way because oslo.cache doesn't support it elegantly17:08
krotscheckI see.17:08
morganBut I can show you the basic mechanism17:08
krotscheckThat'd be super helpful :)17:08
patchbotmorgan: patch 277198 - keystone - Default caching to on for request-local caching.17:08
*** jistr has quit IRC17:08
krotscheckmorgan: ok, lemme dig through that and see if I can apply that to ironic.17:10
openstackgerritBoris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by identity service
krotscheckmorgan: Actually, let me do this on keystone first.17:12
*** mylu has quit IRC17:22
*** su_zhang has quit IRC17:26
*** su_zhang has joined #openstack-keystone17:26
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users
krotscheckmorgan: did you already update global requirements?17:30
krotscheckmorgan: The config generation thing17:30
morganUhm.. No17:30
morganNew config gen will do it, old config gen won't but you can still override the default17:30
*** su_zhang has quit IRC17:30
morganOverriding the default is independent of the generator consuming the entry point17:31
*** david-lyle has joined #openstack-keystone17:31
morganSo didn't bother updating g-r17:31
krotscheckGotcha. I need new configgen17:31
morganYah. Should just be an updated Oslo.config in your venv17:32
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Shadow federated users
*** sdake_ has joined #openstack-keystone17:34
krotscheckWell, first I have to figure out which version it's in.17:36
*** henrynash has joined #openstack-keystone17:36
*** ChanServ sets mode: +v henrynash17:36
*** sdake has quit IRC17:36
*** jasonsb has quit IRC17:41
*** arunkant_ has joined #openstack-keystone17:42
*** mylu has joined #openstack-keystone17:43
*** gordc has quit IRC17:44
*** sdake_ is now known as sdake17:46
*** petertr7 is now known as petertr7_away17:47
*** timcline_ has quit IRC17:47
*** browne has quit IRC17:54
openstackgerrithenry-nash proposed openstack/keystone: Projects acting as domains
*** henrynash has quit IRC18:01
*** sdake_ has joined #openstack-keystone18:01
*** mylu has quit IRC18:02
*** bjornar__ has joined #openstack-keystone18:02
*** sdake has quit IRC18:03
*** spzala has quit IRC18:05
*** spzala has joined #openstack-keystone18:06
morgankrotscheck: latest version18:09
krotscheckmorgan: 3.7.018:10
morganWas just released not too long ago ( week or so )18:10
krotscheckmorgan: Latest is 3.918:10
krotscheckThere have been things.18:10
krotscheck*hand wavey*18:10
morganOh did we have bug fixes?18:10
* morgan shrugs18:10
*** spzala has quit IRC18:11
patchbotkrotscheck: patch 284837 - requirements - Updated oslo.config to 3.7.018:11
*** gyee has quit IRC18:11
krotscheckHi there, patchbot!18:11
morganI like the patchbot18:11
*** jsavak has quit IRC18:12
*** spandhe has joined #openstack-keystone18:15
*** su_zhang has joined #openstack-keystone18:15
*** Ephur has joined #openstack-keystone18:16
*** silos has quit IRC18:16
*** annasort has quit IRC18:19
*** rk4n has quit IRC18:20
*** Ephur has quit IRC18:20
*** spzala has joined #openstack-keystone18:25
*** gyee has joined #openstack-keystone18:33
*** roxanaghe has joined #openstack-keystone18:33
*** ChanServ sets mode: +v gyee18:33
*** jsavak has joined #openstack-keystone18:34
*** gyee has quit IRC18:37
*** rodrigods has quit IRC18:40
*** rodrigods has joined #openstack-keystone18:40
*** gordc has joined #openstack-keystone18:47
*** nllrte has joined #openstack-keystone18:48
*** lhcheng has joined #openstack-keystone18:48
*** ChanServ sets mode: +v lhcheng18:48
stevemarmorgan: oslo.log was released too, one less deprecation warning for everyone with my latest patch18:51
dimsstevemar : yay thanks :)18:52
stevemardolphm: have a minute to look at:
openstackLaunchpad bug 1549705 in OpenStack Identity (keystone) "migrate DB failed due to password cannot be null" [Undecided,New] - Assigned to Dave Chen (wei-d-chen)18:52
stevemardims: np :)18:52
*** mvk has joined #openstack-keystone18:54
dstanekhtruta: you around?19:02
htrutadstanek: yep19:02
dstanekhtruta: i'm trying to wrap my head around something in the 'Projects as Domain' review19:03
dstanekhtruta: there is a new method `list_projects_acting_as_domain`, but why isn't `list_domains` doing that?19:03
htrutadstanek: I'd say that it returns project refs instead of domain refs19:04
htrutadstanek: but I'll take a look at the code to be sure19:05
*** D4RKS1D3 has joined #openstack-keystone19:05
D4RKS1D3Hi, can someone help me? How can I create tenants via API? Thanks19:05
dstanekhtruta: i would have expected `list_domains` to pull from project and return entities that look like domains19:05
*** josecastroleon has joined #openstack-keystone19:06
dstanekD4RKS1D3: v2 or v3?19:06
htrutadstanek: that's what it does. It pulls from project and convert it to the domain ref structure19:06
*** vilobhmm11 has joined #openstack-keystone19:06
*** jsavak has quit IRC19:06
htrutadstanek: and the list_projects_acting_as_domain returns at the project ref struct19:06
dstanekhtruta: where do you see that? i'm looking at line 235 here:
patchbotdstanek: patch 231289 - keystone - Projects acting as domains19:07
*** silos has joined #openstack-keystone19:08
htrutadstanek: sorry! my bad. we stopped using every domain call in this patch, and we're just using the project ones19:08
htrutadstanek: And in the next patch, we'll remove the domain methods from the backends, including the list_domains19:09
*** silos has left #openstack-keystone19:09
dstanekhtruta: ok, so the patch i'm looking at is very limited19:11
htrutadstanek: why do you think so?19:11
openstackgerritMerged openstack/keystone: No more legacy engine facade in tests
dstanekhtruta: so i really don't think we can delete all those methods19:12
dstanekhtruta: why are we not just reimplementing the driver to put the data into the project table?19:13
*** jsavak has joined #openstack-keystone19:13
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for trust scoped tokens in v2.0
lbragstadayoung ^19:13
htrutadstanek: that would be too much redundant. We already do this reimplementation in manager19:14
dstanekhtruta: that's what i don't like. it's not backward compatible19:14
htrutadstanek: and we're only removing it from the V9 driver19:14
D4RKS1D3dstanek, I will prefer V219:17
*** jsavak has quit IRC19:18
dstanekD4RKS1D3: have you seen ?19:18
*** phalmos has joined #openstack-keystone19:18
D4RKS1D3but only I can list tenants19:19
D4RKS1D3and show details19:19
dstanekD4RKS1D3: because of a policy?19:19
D4RKS1D3I need this, but not in python, via api19:20
*** fangxu has quit IRC19:21
*** fawadkhaliq has joined #openstack-keystone19:22
*** phalmos has quit IRC19:23
dstanekhtruta: i'm struggling to figure out what happens when a domain is created.19:24
dstanekhtruta: i don't see the wrapper in there anymore19:26
htrutadstanek: in manager?19:26
dstanekin keystone.resource.core19:26
ayounglbragstad, I'm in the midst of doing unspeakable things to revocations...I think you will like.  Net reduction of lines in the high numbers.19:27
htrutadstanek: a wrapper to the create_domain driver call, you mean?19:27
ayoungD4RKS1D3, I can help  but V3 which is better anyway19:28
lbragstadayoung nice19:28
*** timcline has quit IRC19:28
D4RKS1D3ayoung, v3 has this option?19:29
dstanekhtruta: ok, so if a user POSTs to /domains in the future that will make a project record with is_domain = true?19:29
htrutadstanek: yes19:29
htrutadstanek: see L97
patchbothtruta: patch 231289 - keystone - Projects acting as domains19:29
D4RKS1D3thanks ayoung19:29
ayoungD4RKS1D3, please say No to  V2.19:30
dstanekhtruta: ok, so /domain maps to controller.create_domain which calls manager.create_domain which calls driver._create_project?19:30
D4RKS1D3No to V2 :P jajajaja19:30
htrutadstanek: exactly19:30
ayoungIt is old and tired and just is waiting for acceptance to Valhalla19:30
dstanekhtruta: that's not backward compatible19:30
ayoungThe Valkyrie is on its way even as we speak19:30
dstanekhtruta: existing drivers expect their create_domain method to be called to create a domain - that's why i think the work really belongs in the driver19:31
morganayoung, lbragstad: it would be easier to just support trust in v2 fernet and we wont break anyone that way19:31
morganayoung, lbragstad: and we could just merge it and move on19:31
ayoungmorgan, yep19:31
lbragstadmorgan working on rebasing that patch now19:32
ayoungmorgan, he has a patch for that, higher up19:32
morganlooks like the patch is an easy rebase.19:32
lbragstadayoung ^19:32
morganlbragstad: lets just squash the "remove trust from v2" and run with "add trust to v2 fernet"19:32
morganas much as i would prefer the inverse19:32
dstanekhtruta: this doesn't break the interface from a pure method standpoint, but it breaks the semantics on how the drivers work19:34
ayounggetting rid of all these revocation events is very therapeutic.19:34
*** petertr7_away is now known as petertr719:35
*** su_zhang has quit IRC19:35
*** jsavak has joined #openstack-keystone19:35
*** josecastroleon has quit IRC19:35
*** su_zhang has joined #openstack-keystone19:36
htrutadstanek: but if we'll get rid of the domain table, shouldn't the driver go away too?19:36
morganhtruta: still has projects in the resource backend.19:36
morganhtruta: and the .get_domain method will still do the same thing19:36
htrutamorgan: the domain driver, I mean19:36
morganhtruta: as it did before. the "domain table going away" is an implementation detail in the driver19:36
dstanekhtruta: my customer resource driver is now broken19:36
morgandoes not affect the manager interfaces19:37
dstanekhtruta: the domain table should be in our sql driver and not anywhere else19:37
dstanekhtruta: you're not getting rid of the concept of domains, you are just changing how they are stored in our database19:37
htrutadstanek, morgan: so, the domain driver should work as a wrapper, in the same way as the manager is wrapping domains to projects?19:38
morganhtruta: no the driver is the same19:38
morganhtruta: ok [manager] -.19:38
morgan[manage].get_domain -> [driver].get_domain19:38
morgandriver .get_domain does the lookup in wherever the domain is stored19:38
morganmanager.get_domain wont change even if the DB schema does19:39
morganbecause the manager doesn't care how the driver stores it19:39
morgananyone who wants to get a domain will still use .get_domain19:39
morgannot .get_project19:39
morganit's not a wrapper, it's an unchanged interface19:39
morganif the driver changes where things are stored, the manager doesn't care, it's still asking for the return of .get_domain19:40
*** su_zhang has quit IRC19:40
htrutamorgan: I see19:40
morgandomains could be stored in a text file on disk, as long as the value returned  from .get_domain is what is expected.19:40
morganso we've just changed some implementation details in the driver itself, but the public interfaces remain unchanged.19:40
htrutamorgan, dstanek: I get it. I'll put this in my todo list here. Please leave a comment in the patch19:41
*** timcline has joined #openstack-keystone19:41
dstanekhtruta: i'll put a note on the projects as domains patch19:42
*** su_zhang has joined #openstack-keystone19:42
morganlbragstad: +2 on when it's rebased.19:42
patchbotmorgan: patch 278693 - keystone - Make fernet support trust auth against v2.019:42
lbragstadmorgan cool - working on the last test failure now19:43
morganlbragstad: and i -2'd the remove v2 trust fyi19:44
lbragstadmorgan cool19:44
*** nllrte has quit IRC19:46
*** krotscheck is now known as krotscheck_dcm19:50
*** ayoung has quit IRC19:51
*** fangxu has joined #openstack-keystone20:01
*** rk4n has joined #openstack-keystone20:01
*** fangxu has quit IRC20:03
*** petertr7 is now known as petertr7_away20:04
*** fangxu has joined #openstack-keystone20:05
*** su_zhang has quit IRC20:12
*** su_zhang has joined #openstack-keystone20:13
*** fawadkhaliq has quit IRC20:13
*** fawadkhaliq has joined #openstack-keystone20:13
*** su_zhang has quit IRC20:15
*** su_zhang has joined #openstack-keystone20:15
*** annasort has joined #openstack-keystone20:15
lbragstadmorgan I think i figured out the issue with the fernet + v2.0 support patch20:19
lbragstadmorgan let me push what I have20:19
morgansounds good20:19
lbragstadI need some extra eyes20:19
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet support trust auth against v2.0
lbragstadmorgan ^20:24
lbragstadmorgan see my comment,unified on line 130020:25
patchbotlbragstad: patch 278693 - keystone - Make fernet support trust auth against v2.020:25
morganlooks about right actually20:25
morganrevoke the token cache? nah20:26
lbragstadmorgan so - do we have a way to reach in and invalidate the v2 token cache from the trust_api's delete_trust() method?20:26
morganjust insert a revocation event. isn't rev event handled outside of the cache?20:26
lbragstadmorgan yes - it should be20:27
morganiirc we don't cache below revocation events, so we don't need to pop the cache we need to either issue an appropriate event20:27
morganlet it ride.20:27
morgannew tokens can't be issued20:27
morgancurrent trust tokens remain outstanding20:27
* morgan is ok in either20:28
morganshort of invalidating all tokens for <trustee>20:28
morganso, eh20:28
morgani'd go with either.20:28
*** su_zhang has quit IRC20:30
openstackgerritBrant Knudson proposed openstack/keystone: V2 operations create default domain on demand
*** su_zhang has joined #openstack-keystone20:30
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet support trust auth against v2.0
lbragstadmorgan ok - that gets the test passing20:33
*** su_zhang has quit IRC20:35
*** petertr7_away is now known as petertr720:35
*** fpatwa_ has joined #openstack-keystone20:38
*** phalmos has joined #openstack-keystone20:44
*** phalmos has quit IRC20:45
*** phalmos has joined #openstack-keystone20:46
*** Ephur has joined #openstack-keystone20:47
*** porunov has joined #openstack-keystone20:48
*** browne has joined #openstack-keystone20:49
*** rk4n has quit IRC20:50
*** fpatwa_ has quit IRC20:51
*** mylu has joined #openstack-keystone20:57
*** fpatwa_ has joined #openstack-keystone20:57
*** fpatwa_ has quit IRC20:58
*** gyee has joined #openstack-keystone21:00
*** ChanServ sets mode: +v gyee21:00
*** raildo is now known as raildo-afk21:04
*** daemontool has joined #openstack-keystone21:05
*** pauloewerton has quit IRC21:09
*** fawadkhaliq has quit IRC21:20
*** su_zhang has joined #openstack-keystone21:23
*** annasort has quit IRC21:25
*** browne has quit IRC21:27
*** silos has joined #openstack-keystone21:27
*** phalmos has quit IRC21:27
*** su_zhang has quit IRC21:28
*** annasort has joined #openstack-keystone21:28
*** phalmos has joined #openstack-keystone21:30
*** rk4n has joined #openstack-keystone21:32
*** sdake_ is now known as sdake21:35
openstackgerritBrant Knudson proposed openstack/keystone: Move resource manager tests out of test_backend
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Allow concrete role assignments for federated users
*** annasort has quit IRC21:44
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Allow concrete role assignments for federated users
bknudsonthe eventlet gate is pretty unhappy now. the uwsgi one is working.21:45
bknudsonsql transaction errors... I wonder if it has to do with the recent oslo.db changes?21:46
openstackgerritRon De Rose proposed openstack/keystone: Shadow users - Concrete role assignments for federated users
bknudsonmaybe we're not monkeypatching correctly21:46
*** daemontool has quit IRC21:48
*** annasort has joined #openstack-keystone21:50
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Credential Encryption
*** spzala has quit IRC21:59
*** porunov has quit IRC22:01
*** browne has joined #openstack-keystone22:01
*** phalmos has quit IRC22:02
*** mylu has quit IRC22:10
*** jorge_munoz has quit IRC22:12
*** knikolla has quit IRC22:13
openstackgerritLance Bragstad proposed openstack/keystone: Make fernet support trust auth against v2.0
lbragstadmorgan done ^22:15
*** mylu has joined #openstack-keystone22:17
*** daemontool has joined #openstack-keystone22:17
*** fawadkhaliq has joined #openstack-keystone22:19
*** petertr7 is now known as petertr7_away22:22
*** su_zhang has joined #openstack-keystone22:23
lbragstadraildo-afk let a few comments on - do you want me to address them?22:24
patchbotlbragstad: patch 277436 - keystone - Return 404 instead of 401 for tokens w/o roles22:24
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Delay using threading.local()
*** silos has left #openstack-keystone22:28
*** jsavak has quit IRC22:32
*** mylu has quit IRC22:35
*** jsavak has joined #openstack-keystone22:37
*** mylu has joined #openstack-keystone22:42
*** annasort has quit IRC22:43
*** mylu has quit IRC22:44
*** mylu has joined #openstack-keystone22:44
*** jsavak has quit IRC22:46
morganlbragstad: commented22:47
morgandims, stevemar ^ commented on that patch22:48
morgandims, stevemar: I really would rather push on removing eventlet since uwsgi is passing [and make uwsgi voting] than carry more "eventlet-specific" code.22:50
*** fpatwa_ has joined #openstack-keystone22:59
*** vilobhmm11 has quit IRC23:01
*** jsavak has joined #openstack-keystone23:02
*** vilobhmm11 has joined #openstack-keystone23:02
*** vilobhmm11 has quit IRC23:03
*** fpatwa_ has quit IRC23:03
*** ayoung has joined #openstack-keystone23:03
*** ChanServ sets mode: +v ayoung23:03
*** vilobhmm11 has joined #openstack-keystone23:05
*** diazjf has quit IRC23:08
*** csoukup has quit IRC23:09
*** edmondsw has quit IRC23:11
*** xek_ has joined #openstack-keystone23:18
*** xek has quit IRC23:19
*** sigmavirus24 is now known as sigmavirus24_awa23:23
*** jsavak has quit IRC23:24
*** bjornar__ has quit IRC23:26
*** gordc has quit IRC23:29
stevemarmorgan: ugh23:29
*** timcline has quit IRC23:30
jamielennoxmorgan: so i think that keystone-manage bootstrap should be able to create a identity catalog entry23:30
morganjamielennox: i agree23:30
morganjamielennox: would be easy to add23:31
jamielennoxmorgan: i bootstrapped and changed all my other calls to use user/pass and they fail because they don't have a catalog entry point23:31
jamielennoxi think you can fix this ansible>=2, but not <223:31
morganjamielennox: you still need a token to start.23:31
morganso you do username/pass -> token, token -> endpoint create like the admin token23:31
morganso.. add an argument to create the endpoint entries for keystone :)23:32
jamielennoxright, but all calls for keystone like that still go via catalog23:32
morgani'm sure devstack and other folks will appreciate it23:32
morganopenstack token issue works w/o a catalog23:32
morganand you can use openstack with the endpoint override23:32
jamielennoxmorgan: ergh, thats kinda hard to work into ansible, not impossible but a pain23:32
morganjust like you do today with an admin token23:32
jamielennoxok, i can have a look at that23:33
morganso seriously, add the argument to bootstrap identity and the endpoint for identity :)23:33
morgani'll +223:33
morganit totally should do that23:33
morganthen you should make devstack do that as well. much cleaner23:33
* jamielennox misses when you could give ideas to morgan and he'd have them done before you could come up with a plan :p23:34
morganjamielennox: hey i already did a bunch of that! :P23:35
morgani can't write all the code in keystone :P23:35
jamielennoxmorgan: server side *shudder*23:35
morganbah, bootstrap is easy23:35
morgancompared to most server things23:35
jamielennoxmorgan: i'm on it23:35
jamielennoxwell sometime today23:35
morganit's more like writing ksc23:35
morganbut seriously, since bootstrap hasn't landed in a release it would be good to expand it now. and fix devstack to do it right too :)23:36
*** RichardRaseley has joined #openstack-keystone23:39
*** timcline has joined #openstack-keystone23:43
*** fawadkhaliq has quit IRC23:47
stevemarjamielennox: create just the identity service, we can't create the endpoints23:53
jamielennoxstevemar: why23:53
stevemardon't know what the urls will be?23:53
jamielennoxstevemar: take them from input23:53
jamielennoxi was going to do it optionally23:53
jamielennoxso if opts.public_url: etc23:54
stevemarjamielennox: bootstrap --admin-url, --public-url, --internal-url,...23:54
morganstevemar: ugh23:54
stevemarthat'll get long23:54
morganbut yeah23:54
*** shoutm has joined #openstack-keystone23:54
jamielennoxmorgan: what's the other choice?23:54
morganjamielennox: there isn't one23:54
jamielennoxstevemar: in my thing i'm doing it via env, but yea23:54
morganjust make sure they are optional and have ENV vars that can be used instead too23:54
stevemarzomg check queue is over 30023:55
morganstevemar: MILESTONE 3!23:55
stevemarget everything in NOW!!!23:56
morganstevemar: OMG LAST MINUTE!23:56
morganstevemar: so.. can we make uwsgi voting and just drop eventlet?23:56
morganstevemar: cause....23:56
morganotherwise we really do need to accept dims patch and carry more eventlet code23:57
*** su_zhang has quit IRC23:57
stevemarmorgan: i don't feel comfortable doing that23:57
stevemarwe can certainly make uwsgi voting23:57
morganwe should drop the eventlet job :P23:57
morganin either case23:57
*** su_zhang has joined #openstack-keystone23:57
stevemarmeh, doesn't buy us much, except a shorter job time23:57
morganbut if we aren't dropping eventlet support, we need dims patch23:57
stevemarmorgan: i promise that by the summit, in the master branch we'll have N removed :)23:58
stevemarerrr eventlet removed!!23:58
morganrm -rf /keystone23:58
stevemarwatching the news and RC = brain fart23:58
*** shoutm_ has joined #openstack-keystone23:59
