Tuesday, 2016-03-29

morganprometheanfire: because i want to know if i should ask if you ever sleep ;)00:00
prometheanfireI'm CDT, UTC-500:00
morganah not too bad then00:00
* morgan is Pacific time00:00
prometheanfireya00:00
prometheanfirealso, agreed, this just seems like a broken check or something00:01
openstackgerritNguyen Hung Phuong proposed openstack/keystone: Fix typos in Keystone files  https://review.openstack.org/29847100:03
*** mylu has joined #openstack-keystone00:07
*** mylu has quit IRC00:08
*** mylu has joined #openstack-keystone00:09
openstackgerritSteve Martinelli proposed openstack/keystone: Fix typos in Keystone files  https://review.openstack.org/29847100:10
*** fawadkhaliq has quit IRC00:12
morganlbragstad: pinf00:12
morganping*00:13
morganlbragstad: https://review.openstack.org/#/c/272358/37/keystone/common/validation/parameter_types.py i think the change is wrong.00:13
patchbotmorgan: patch 272358 - keystone - The name can be just white character except projec...00:13
*** fawadkhaliq has joined #openstack-keystone00:13
morganlbragstad: is it really supposed to be [\S+] not [\S]+ ?00:13
*** harlowja has quit IRC00:16
*** diazjf has joined #openstack-keystone00:17
*** dflorea has quit IRC00:20
*** maxabidi has quit IRC00:26
*** gyee has quit IRC00:26
*** morgan changes topic to "Tag bugs as rc-potential - fix more bugs! | Master is accepting code for Newton!"00:29
*** sdake_ has joined #openstack-keystone00:35
*** roxanaghe has quit IRC00:37
*** sdake has quit IRC00:38
*** fawadkhaliq has quit IRC00:40
*** diazjf has quit IRC00:40
*** fawadkhaliq has joined #openstack-keystone00:40
*** richm has quit IRC00:41
*** roxanaghe has joined #openstack-keystone00:42
*** sdake_ has quit IRC00:47
*** sdake has joined #openstack-keystone00:47
*** harlowja has joined #openstack-keystone00:51
*** roxanaghe has quit IRC00:52
*** jorge_munoz has quit IRC00:54
*** fawadkhaliq has quit IRC01:02
*** fawadkhaliq has joined #openstack-keystone01:07
*** EinstCrazy has joined #openstack-keystone01:07
*** browne has quit IRC01:10
*** tqtran has quit IRC01:14
*** fawadkhaliq has quit IRC01:14
*** lhcheng has quit IRC01:17
*** agrebennikov has quit IRC01:19
*** dan_nguyen has quit IRC01:29
*** jamielennox|away is now known as jamielennox01:29
*** csoukup has joined #openstack-keystone01:44
*** roxanaghe has joined #openstack-keystone01:53
*** browne has joined #openstack-keystone01:53
*** edmondsw has quit IRC01:56
*** woodster_ has quit IRC01:57
*** lhcheng has joined #openstack-keystone01:57
*** ChanServ sets mode: +v lhcheng01:57
*** roxanaghe has quit IRC01:58
*** harlowja has quit IRC01:59
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235802:00
*** lhcheng has quit IRC02:03
*** tqtran has joined #openstack-keystone02:12
*** tqtran has quit IRC02:17
prometheanfirestevemar: I'm guessing you are stevebot? :P02:26
* prometheanfire should probably blog that openstack mitaka is in gentoo02:27
stevemarprometheanfire: o/02:27
stevemaryes ;002:27
stevemarprometheanfire: you should!02:27
prometheanfireI mainly wanted to beat the other distros, normally I'm within a few hours of release, but they are sometimes quicker02:28
*** lhcheng has joined #openstack-keystone02:32
*** ChanServ sets mode: +v lhcheng02:32
*** lhcheng has quit IRC02:32
*** lhcheng has joined #openstack-keystone02:33
*** ChanServ sets mode: +v lhcheng02:33
prometheanfireon todo for tomorrow then02:34
stevemarprometheanfire: i'm hoping morgan finishes up the two migration issues you found, we can then release mitaka-rc202:37
stevemarprometheanfire: pretty sure both issues are postgres specific02:38
prometheanfirethe second one is too?02:38
prometheanfirethat seems like accessing a datastructure that doesn't exist02:38
prometheanfirehttps://bugs.launchpad.net/keystone/+bug/156296502:39
openstackLaunchpad bug 1562965 in OpenStack Identity (keystone) " liberty -> mitaka db migrate fails on postgresql 091 migration" [Undecided,New]02:39
*** tellesnobrega is now known as tellesnobrega_af02:40
prometheanfireswitching it to 'if row.has_key('user_password'):' should work02:41
prometheanfireI don't know the intended behavior of that piece though, so...02:41
* prometheanfire shrugs02:41
*** tellesnobrega_af is now known as tellesnobrega02:41
prometheanfireI don't think it will ever return true though02:42
prometheanfireuser_password is not in the select statement02:42
stevemarprometheanfire: i suggest pg specific since it works with mysql with our CI tests02:42
prometheanfireah02:42
stevemaror maybe you found a weird edge case in your deployment02:43
prometheanfirepossibly02:43
*** lifeless has quit IRC02:43
*** lifeless has joined #openstack-keystone02:44
ayoungprometheanfire, in python  if row['user_password']:  would evaluate to False if the row was empty02:45
ayoungprometheanfire, we split migrations into two pieces02:46
prometheanfirewhat if the key 'user_password' wasn't in row02:46
ayoungthe first creates the new table02:46
ayoungthe second migrates the data02:46
ayoungprometheanfire, I don't think that makes sense02:46
ayoungit might be Null02:46
ayoungbut the column has to exist...let me look at the prior migration02:46
prometheanfirecolumn in which table?02:46
ayoungprometheanfire, https://github.com/openstack/keystone/blob/9.0.0.0rc1/keystone/common/sql/migrate_repo/versions/090_add_local_user_and_password_tables.py02:47
ayoungprometheanfire, we are creating a new table just for passwords02:47
prometheanfireright02:47
ayoungsplitting the user table so that one user can have multiple credentials02:47
prometheanfireI have that table, and it's populated02:47
*** harlowja has joined #openstack-keystone02:47
ayoungso that column does not seem to exist02:47
prometheanfirewhich table should have the password column02:48
ayoung sel.execute()  is on user_table, no?02:48
ayounghttps://github.com/openstack/keystone/blob/9.0.0.0rc1/keystone/common/sql/migrate_repo/versions/091_migrate_data_to_local_user_and_password_tables.py#L4302:48
prometheanfireya02:48
ayoungah a join02:48
ayoungso a join on user_table, local_user_table02:49
ayoungprometheanfire, maybe the mysql version is more forgiving and just skips that row?02:50
prometheanfiremaybe?02:51
ayoungprometheanfire, or maybe that row is from an older table and it has since been dropped in your databe02:51
ayoungdatabase02:51
ayoungwould help if I could ssh to my machine02:51
prometheanfirelol02:51
*** harlowja has quit IRC02:52
morganstevemar: on a plane. Will be looking at migrations tonight02:52
*** real56 has joined #openstack-keystone02:52
ayoungand why are all my VMs shutoff02:53
*** agrebennikov has joined #openstack-keystone02:53
prometheanfirethat select pulls these keys only02:53
ayoungand not starting02:53
prometheanfire             user_id              |           user_extra           | user_enabled |     user_default_project_id      | local_user_id |        local_user_user_id        | local_user_domain_id | local_user_name02:53
prometheanfiregenerated sql statement here02:53
prometheanfireSELECT "user".id AS user_id, "user".extra AS user_extra, "user".enabled AS user_enabled, "user".default_project_id AS user_default_project_id, local_user.id AS local_user_id, local_user.user_id AS local_user_user_id, local_user.domain_id AS local_user_domain_id, local_user.name AS local_user_name FROM "user" JOIN local_user ON "user".id = local_user.user_id;02:54
*** sheel has joined #openstack-keystone02:54
morganstevemar: also the first bug prometheanfire found (88) is not pg specific, just happens most deploys aren't long running enough to be impacted.02:54
prometheanfirebenefit of a rolling release distro? :P02:54
morganOr detriment ;)02:55
prometheanfireindeed02:55
prometheanfirethat might be the cause here too, dunno02:55
ayoungprometheanfire, looks like it is supposed to have user_password, which I bet it does before the drops.02:56
ayounglook at the last 3 lines of the function02:56
prometheanfireya, it probably did02:56
ayounguse_labels=True02:56
ayoungI bet that autogenerates the user_ and local_user_ values02:56
ayoungprometheanfire, are you running postgresql?02:57
prometheanfireyes, I have both ipython and psql open02:58
prometheanfirewhere do I put the use_labels=True ?02:58
*** EinstCrazy has quit IRC02:58
prometheanfireoh, it's already there02:58
*** EinstCra_ has joined #openstack-keystone02:58
ayoungprometheanfire, so you can run the migrations manually02:58
ayoungdo you care if you kill your data?02:58
prometheanfirenot particularly02:58
prometheanfireI think I already migrated though02:59
ayoungheh...we used to support downgrades...but not anymore02:59
prometheanfirepassword table is populated02:59
ayoungSo you could try dropping the DB, and running the migrations forward to just before this one02:59
prometheanfirein fact I think it's overpopulated02:59
ayoungkeystone-manage db-sync   something...let me see02:59
prometheanfireoh, I do care about that :P02:59
prometheanfireguaranteed loss vs hopefully not losing03:00
prometheanfireI just got this to mitaka03:00
ayoungprometheanfire, did you take a dump of the data prior to migrating?03:00
prometheanfireayoung: this seem right to you? http://paste.openstack.org/show/492182/03:01
prometheanfireayoung: no, I was stupid03:01
prometheanfireI meant to snap the VM prior to run, but it was late, etcetc03:01
ayoungprometheanfire, sure03:01
ayoungwhy not?03:01
prometheanfireI think I've repopulated that table 10x03:01
ayoungdo you do automated backups otherwise?03:01
ayoungOh yeah.  1-8...I see it now03:02
prometheanfiresometimes, not often enough, I need to move this storage backend to one of the datasets that are backed up03:02
ayoungprometheanfire, did you only have 8 users?03:02
prometheanfireI think I'm gonna drop id 8 - 8003:02
prometheanfireyes03:02
ayoungok  so my guess is you have duplicated data all through the password table now, too, right?03:03
ayoungplease don't show03:03
prometheanfireya03:03
prometheanfireI knew not to show, that's why I selected03:03
ayoungprometheanfire, dupes we can deal with03:03
prometheanfireya, it doesn't seem to be harming anything03:04
prometheanfireit repeats predictably03:04
prometheanfirewhich is why I could just delete 9-8003:04
ayoungprometheanfire, so I wouldn't expect that migration to run a second time.  The column it migrated was dropped.  But do you still have the password fields?03:04
* ayoung hopes they migrated before the drop03:04
prometheanfireI probably tried it a bunch03:05
prometheanfirere-running db_sync did it I think03:05
ayoungit should not have.  There is a table that says the current version03:05
prometheanfireor manual fiddling03:05
ayoungwhat do you get if you run: sudo keystone-manage db_version03:06
prometheanfire9503:06
ayoungso that comes from a table that is stored in the same database. Running the migrations again should be a no-op03:06
ayoungprometheanfire, so...I just jumped in without context.  Are you OK, or do you still need help?03:07
prometheanfireI manually edited the files to get it to pass, before that I tried running db_sync multiple times03:07
prometheanfireI'm good now03:08
prometheanfireI think I just need to clean up that table03:08
ayoungprometheanfire, and probably the password table.  maybe localuser as well03:08
prometheanfirelocal_user has these columns and only 8 entries03:09
prometheanfire id |             user_id              | domain_id |      name03:09
ayoungthat looks right03:09
prometheanfireezpz cleanup03:10
prometheanfiredelete from password where id > 8;03:10
prometheanfireI did test with select first03:10
ayoungheh03:10
ayoungI still don't like that it executed multiple times.  Did you somehow run the migration directly, or the sql from it, without using keystone-manage?03:11
prometheanfiresafer would be to delete non-unique ignoring the id03:11
prometheanfireyes03:11
prometheanfireI've been playing in ipython and probably did that03:11
*** tqtran has joined #openstack-keystone03:13
ayoungok...ON YOUR LIVE DATASET WITHOUT BACKUPS?03:13
ayoungDude.03:13
ayoungBad Cop.  No Donut.03:13
*** links has joined #openstack-keystone03:13
morganprometheanfire: noooo not ipython03:14
prometheanfirewat03:14
prometheanfireI said I didn't make an initial backup03:14
prometheanfireI've made one since then03:15
morganhehe03:15
morganannnnyway03:15
morganayoung: i just don't ask questions yanno03:15
*** harlowja_at_home has quit IRC03:15
morganayoung: especially ones i don't want to know the answer to03:15
ayoungmorgan, I was really hoping I was going to get him to rerun the migrations forward from 003:16
morganayoung: i had already asked03:16
ayoungcuz I don't have postgresql setup03:16
* ayoung misses postgres03:16
morgani expect i'll be pgsql-ing it up tomorrow03:16
morgani don't miss postgres03:16
morgani wish we could pick a RDBMS and tell folks "this is the one we support, others you are on your own for"03:16
prometheanfirenode03-zp00/custom-vms@mitaka-complete03:17
prometheanfiresee, snapshot :P03:17
ayoungmorgan, me too, and I want that one to be postgres03:17
morganayoung: db2!03:17
prometheanfireayoung: :D03:17
morganayoung: MS SQL!03:17
morganayoung: ORACLE!!!!03:17
prometheanfiremorgan: coming soon to linux03:17
ayoungmorgan, I've done DB2.  I'll take Postgresq03:17
ayoungdone all of them03:17
ayoungand Access03:17
ayoungXBase03:17
morgansybase was the most annoying (before it became MSSQL03:17
prometheanfireexcel03:17
*** tqtran has quit IRC03:17
morganesp. with raw partition support03:17
ayoungAccess rewrote my working sql into a format it could no longer execute03:18
morgani need... i need a working mysql db to figure out this stupid migration03:18
ayoungFoxpro was so much better.  But then MS bought it and buried it03:18
morganhttps://review.openstack.org/#/c/298402/ it is failing in weird ways03:18
patchbotmorgan: patch 298402 - keystone - Correct `role_name` constraint dropping03:18
prometheanfireso03:19
morganmostly i am not sure why i'm matching more than one constraint atm03:19
ayoungoh mein gott im himmel...03:19
prometheanfirewhat should remain in the user table (not the local_user table)03:19
* morgan glares at airport wifis03:19
morgan400ms-2800ms latency :(03:20
morganoooh i wonder if c.columns is an iter03:20
morganvs. a list/tuple/thing03:20
*** pushkaru has joined #openstack-keystone03:24
prometheanfireso, if someone could tell me what columns remain in the user table that'd be nice :P03:24
*** harlowja has joined #openstack-keystone03:29
morganprometheanfire: after 91?03:32
prometheanfireya03:32
morgandolphm: I wish I had a macbook retina ATM, so I could use it w/o needing to put it away for takeoff03:33
*** ayoung has quit IRC03:46
openstackgerritSteve Martinelli proposed openstack/keystone-specs: prep repo for newton release  https://review.openstack.org/29851403:57
*** roxanaghe has joined #openstack-keystone04:00
*** real56 has quit IRC04:03
*** harlowja has quit IRC04:06
*** harlowja has joined #openstack-keystone04:09
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118804:10
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add release notes for return-request-id-to-caller  https://review.openstack.org/27664404:15
*** fawadkhaliq has joined #openstack-keystone04:20
*** fawadk has joined #openstack-keystone04:21
*** fawadkhaliq has quit IRC04:25
*** csoukup has quit IRC04:37
*** dpippenger has joined #openstack-keystone04:40
*** mylu has quit IRC04:46
*** mylu has joined #openstack-keystone04:47
*** spandhe_ has joined #openstack-keystone04:48
*** spandhe has quit IRC04:49
*** spandhe_ is now known as spandhe04:49
*** fawadk has quit IRC05:00
*** roxanaghe has quit IRC05:02
*** mylu has quit IRC05:03
*** roxanaghe has joined #openstack-keystone05:05
*** pcaruana has quit IRC05:09
openstackgerritMerged openstack/keystone: Fix typos in Keystone files  https://review.openstack.org/29847105:15
*** lhcheng has quit IRC05:17
*** mylu has joined #openstack-keystone05:27
*** roxanaghe has quit IRC05:35
*** gangadhar has joined #openstack-keystone05:37
*** fawadkhaliq has joined #openstack-keystone05:38
*** GB21 has joined #openstack-keystone05:39
*** lhcheng has joined #openstack-keystone05:43
*** ChanServ sets mode: +v lhcheng05:43
*** Nirupama has joined #openstack-keystone05:47
*** furface has quit IRC05:50
*** sdake_ has joined #openstack-keystone05:51
*** sdake has quit IRC05:52
*** pushkaru has quit IRC05:54
*** spandhe has quit IRC06:06
*** agrebennikov has quit IRC06:07
*** jaosorior has joined #openstack-keystone06:08
*** mylu has quit IRC06:11
openstackgerritMerged openstack/keystone: Add `patch_cover` to keystone  https://review.openstack.org/29418906:13
openstackgerritMaho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3)  https://review.openstack.org/26745606:17
*** tesseract has joined #openstack-keystone06:19
*** harlowja has quit IRC06:19
*** tesseract is now known as Guest5878206:19
*** furface has joined #openstack-keystone06:20
*** markvoelker has joined #openstack-keystone06:22
*** markvoelker_ has joined #openstack-keystone06:23
*** lhcheng has quit IRC06:25
*** markvoelker has quit IRC06:27
*** harlowja has joined #openstack-keystone06:32
openstackgerritMorgan Fainberg proposed openstack/keystone: Correct `role_name` constraint dropping  https://review.openstack.org/29840206:33
*** roxanaghe has joined #openstack-keystone06:36
*** roxanaghe has quit IRC06:41
*** markvoelker_ has quit IRC06:43
*** markvoelker has joined #openstack-keystone06:44
*** henrynash has joined #openstack-keystone06:45
*** ChanServ sets mode: +v henrynash06:45
*** lmiccini has quit IRC06:46
*** fawadkhaliq has quit IRC06:49
*** lmiccini has joined #openstack-keystone06:50
*** GB21 has quit IRC07:05
*** bjornar has joined #openstack-keystone07:12
*** markvoelker has quit IRC07:12
*** tqtran has joined #openstack-keystone07:14
*** GB21 has joined #openstack-keystone07:17
*** tqtran has quit IRC07:18
*** pgreg has joined #openstack-keystone07:21
*** sdake_ has quit IRC07:22
*** pgreg has quit IRC07:23
*** bjornar has quit IRC07:24
*** sdake has joined #openstack-keystone07:25
naresht"$openstack domain list"  this command giving an ERROR: openstack Authentication cannot be scoped to multiple targets. Pick one of: project, domain or trust07:27
*** pgreg has joined #openstack-keystone07:27
nareshtCould anyone help me here ?07:27
nareshtprintenv | grep OS_ gives http://paste.openstack.org/show/492206/07:29
*** rcernin has joined #openstack-keystone07:36
*** martinus__ has joined #openstack-keystone07:40
*** browne has quit IRC07:45
*** pcaruana has joined #openstack-keystone07:48
*** daemontool has joined #openstack-keystone07:50
*** daemontool_ has joined #openstack-keystone07:58
*** daemontool has quit IRC08:02
*** markvoelker has joined #openstack-keystone08:13
*** markvoelker has quit IRC08:17
*** jistr has joined #openstack-keystone08:23
*** roxanaghe has joined #openstack-keystone08:24
*** dims has quit IRC08:26
*** roxanaghe has quit IRC08:29
*** dims has joined #openstack-keystone08:31
*** dpippenger has quit IRC08:32
marekdnaresht: try without OS_DOMAIN_NAME08:32
marekdnaresht: also, you can remote OS_TENANT_NAME as you have PROJECT already08:33
marekds/remote/remove/08:33
nareshtI tried with OS_DOMAIN_NAME, OS_TENANT_NAME  ..same error we are getting08:42
*** daemontool_ has quit IRC08:43
*** daemontool_ has joined #openstack-keystone08:43
naresht+marekd: What is this "s/remote/remove/"08:44
marekdregular expression08:44
marekdnaresht: i told you to REMOVE OS_DOMAIN_NAME08:44
*** rk4n has joined #openstack-keystone08:45
*** gangadhar has quit IRC08:45
*** mvk has joined #openstack-keystone08:46
nareshtsorry ..!!  I tried without OS_DOMAIN_NAME08:46
naresht+marekd:08:48
naresht+marekd: here is the openrc file http://paste.openstack.org/show/492215/08:53
*** GB21 has quit IRC08:54
marekdnaresht: looks good08:56
marekdwhich version are you using?08:56
marekdis it devstack?08:56
nareshtYes devstack kilo08:56
marekdnaresht: is it rc file generated by devstack ?08:57
nareshtYes08:58
naresht+marekd: domain list is not working after I configured keystone as SP. I followed this link http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/08:59
marekdnaresht: so you are going to use k2k and list domains or something like that?08:59
marekdwhich authentication plugin are you using right now?09:00
marekdfederation ?09:00
nareshtShibboleth09:01
marekdlol09:01
marekdnaresht: ok, try first with normal auth09:01
marekdusername and password.09:01
marekdand see if it works09:02
nareshtI want to create group, project and assign role to member with openstack command... but it is not working09:03
naresht+marekd: ok09:03
marekdnaresht: man09:03
marekdnaresht: you are trying to access openstack via federation and configure it....09:03
marekdthis is not how it should work.09:04
marekdgo to page 0 and make sure you can access it without federated access.09:04
marekdonce you have it, configure project and group09:04
marekdI will even advise you to actually make sure it works with an external IdP09:04
marekdand only then it's best to configure it with k2k09:05
marekdreally, use password first09:05
marekdand make sure everything is okay.09:05
marekdif not, and you are short on time you can remove and reinstall devstack :)09:05
*** sileht has quit IRC09:07
naresht+marekd: ok, Thanks09:08
marekdnaresht: don't attempt to do everything at once09:08
*** mhickey has joined #openstack-keystone09:08
marekdbecause it's easy to make a mistake and hard to debug where09:08
*** rm_work has quit IRC09:08
*** mgagne has quit IRC09:08
marekdstep by step.09:09
*** EinstCra_ is now known as EinstCrazy09:09
marekddid you have devstack ready and did you login there?09:09
*** pumaranikar has quit IRC09:09
*** dtroyer has quit IRC09:10
*** mjb has quit IRC09:11
*** comstud has quit IRC09:11
*** sileht has joined #openstack-keystone09:13
*** dtroyer has joined #openstack-keystone09:13
*** comstud has joined #openstack-keystone09:13
*** rm_work has joined #openstack-keystone09:13
*** mjb has joined #openstack-keystone09:14
*** mgagne has joined #openstack-keystone09:14
*** mgagne is now known as Guest6891009:14
*** pumaranikar has joined #openstack-keystone09:14
naresht+marekd: yes I'm ready with devstack09:15
marekdnaresht: cool!09:15
marekdcan you login with user and password?09:15
nareshtYes09:16
marekdnaresht: did you configure project, groups and role assignments?09:16
*** e0ne has joined #openstack-keystone09:18
naresht+marekd: No need to change api V2 to V309:18
naresht?09:18
marekdneed to change API to V309:18
nareshtOk09:18
naresht+marekd: yes created group and project and role assignments09:21
*** bjornar has joined #openstack-keystone09:23
naresht+ marekd: mapping need to do after configuring keystone as SP right ?09:25
marekdbefore09:27
nareshtok09:27
*** dpippenger has joined #openstack-keystone09:31
*** dpippenger has quit IRC09:32
*** lifeless has quit IRC09:39
*** lifeless has joined #openstack-keystone09:40
*** Nirupama has quit IRC09:49
*** daemontool_ has quit IRC09:55
*** daemontool_ has joined #openstack-keystone09:55
*** daemontool_ has quit IRC09:56
*** daemontool_ has joined #openstack-keystone09:56
*** henrynash has quit IRC09:57
*** pgreg has quit IRC10:04
*** Nirupama has joined #openstack-keystone10:05
*** sdake has quit IRC10:10
*** roxanaghe has joined #openstack-keystone10:12
*** markvoelker has joined #openstack-keystone10:14
*** tqtran has joined #openstack-keystone10:15
*** roxanaghe has quit IRC10:17
*** tqtran has quit IRC10:20
*** markvoelker has quit IRC10:20
*** shangxdy has joined #openstack-keystone10:33
*** flaper87 has quit IRC10:36
*** flaper87 has joined #openstack-keystone10:36
*** EinstCrazy has quit IRC10:52
*** tellesnobrega is now known as tellesnobrega_af11:05
*** shangxdy has quit IRC11:08
*** mvk_ has joined #openstack-keystone11:15
*** markvoelker has joined #openstack-keystone11:16
*** mvk has quit IRC11:19
*** markvoelker has quit IRC11:21
*** Nirupama has quit IRC11:26
*** gordc has joined #openstack-keystone11:30
*** dpippenger has joined #openstack-keystone11:32
*** dpippenger has quit IRC11:33
*** Nirupama has joined #openstack-keystone11:42
*** rodrigods has quit IRC11:42
*** rodrigods has joined #openstack-keystone11:42
*** henrynash has joined #openstack-keystone11:44
*** ChanServ sets mode: +v henrynash11:44
*** naresht has quit IRC11:56
*** roxanaghe has joined #openstack-keystone12:01
*** trown|PTO is now known as trown12:01
*** roxanaghe has quit IRC12:05
*** pauloewerton has joined #openstack-keystone12:06
*** henrynash has quit IRC12:11
*** markvoelker has joined #openstack-keystone12:17
*** raildo-afk is now known as raildo12:20
*** markvoelker has quit IRC12:22
*** EinstCrazy has joined #openstack-keystone12:27
*** jaosorior has quit IRC12:38
*** jaosorior has joined #openstack-keystone12:39
*** jaosorior has quit IRC12:42
*** jaosorior has joined #openstack-keystone12:43
*** EinstCrazy has quit IRC12:48
*** Nirupama has quit IRC12:51
*** links has quit IRC13:02
*** ninag has joined #openstack-keystone13:03
*** EinstCrazy has joined #openstack-keystone13:06
*** edmondsw has joined #openstack-keystone13:09
*** ayoung has joined #openstack-keystone13:09
*** ChanServ sets mode: +v ayoung13:09
*** pushkaru has joined #openstack-keystone13:18
*** markvoelker has joined #openstack-keystone13:18
*** ametts has joined #openstack-keystone13:22
*** markvoelker has quit IRC13:22
*** markvoelker has joined #openstack-keystone13:23
*** EinstCrazy has quit IRC13:24
*** markvoelker_ has joined #openstack-keystone13:28
*** jsavak has joined #openstack-keystone13:30
*** mylu has joined #openstack-keystone13:30
*** markvoelker has quit IRC13:32
*** woodster_ has joined #openstack-keystone13:32
*** mylu has quit IRC13:32
*** dpippenger has joined #openstack-keystone13:32
*** mylu has joined #openstack-keystone13:32
openstackgerritKalaswan Datta proposed openstack/keystone: Clear the project ID from user information  https://review.openstack.org/27770713:32
*** dpippenger has quit IRC13:35
openstackgerritLance Bragstad proposed openstack/keystone: Refactor to allow for service provider caching  https://review.openstack.org/29874813:35
*** naresht has joined #openstack-keystone13:41
*** henrynash has joined #openstack-keystone13:46
*** ChanServ sets mode: +v henrynash13:46
*** roxanaghe has joined #openstack-keystone13:49
*** mylu has quit IRC13:50
*** roxanaghe has quit IRC13:53
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add users functional tests  https://review.openstack.org/28930613:56
samueldmqbknudson: rodrigods: ^ all comments addressed, thanks for reviewing13:57
*** sigmavirus24_awa is now known as sigmavirus2413:57
*** mylu has joined #openstack-keystone13:58
*** mkoderer__ has quit IRC13:59
*** richm has joined #openstack-keystone14:02
*** mkoderer__ has joined #openstack-keystone14:02
*** daemontool_ is now known as daemontool14:06
*** markvoelker_ has quit IRC14:15
*** jmlowe has joined #openstack-keystone14:16
*** tqtran has joined #openstack-keystone14:17
*** slberger has joined #openstack-keystone14:18
jmloweAre ec2 credentials supposed to work against v3 keystone credentials with domains in Liberty?14:18
*** tellesnobrega_af is now known as tellesnobrega14:19
*** tqtran has quit IRC14:21
*** sdake has joined #openstack-keystone14:27
*** sdake_ has joined #openstack-keystone14:30
*** sdake has quit IRC14:32
*** dan_nguyen has joined #openstack-keystone14:34
*** sdake_ is now known as sdake14:37
*** doug-fish has joined #openstack-keystone14:38
henrynashayoung, stevemar: if you have a moment, perhaps one of you could take a peek at: https://review.openstack.org/#/c/290223/14:40
patchbothenrynash: patch 290223 - keystone - Make modifications to domain config atomic14:40
stevemarhenrynash: consider it added to the list14:40
henrynashstevemar: thx14:40
openstackgerritayoung proposed openstack/keystone-specs: Fetch Policy by URL  https://review.openstack.org/29878814:41
*** david_cu has joined #openstack-keystone14:41
ayounghenrynash, looking14:41
henrynashayoung: thx14:41
ayounghenrynash, your commit titles are too verbose.14:42
ayoungh nevermind14:42
ayoung I misparsed. it is fine14:42
henrynashayoung: :-)14:42
ayounghenrynash, coulda sworn I approved that one already14:42
henrynashayoung: np14:43
ayounghenrynash, as Keystone gets more mature, I expect us to rely more and more on the database for atomicity like this change does14:44
ayoungwish we had a real database....14:44
henrynashayoung: agreed….you mean our support for MyQuicheSQL ?14:44
ayoungHeh14:45
ayounghenrynash, +2A14:45
*** jorge_munoz has joined #openstack-keystone14:45
henrynashayoung: thx14:45
jmloweI can't seem to get ec2 credentials to work with anything other than the default domain, is that expected behavior?14:45
*** rderose has joined #openstack-keystone14:46
*** toddnni has quit IRC14:46
ayoungjmlowe, No idea...but it is probably time I learned this14:47
ayoungjmlowe, what are you doing?14:47
jmloweI've got more users than I would have guessed trying to use keystone generated ec2 credentials on Liberty, my read of the ec2token keystone middleware leads me to think it should work for all users but only the ones in the default domain work leading me to believe it's only able to issue v2 tokens14:48
*** henrynash has quit IRC14:49
ayoungjmlowe, could be.  let me dig a bit14:49
*** roxanaghe has joined #openstack-keystone14:49
*** GB21 has joined #openstack-keystone14:50
raildojmlowe: I think ec2 credentials only work with API v2.0, so my guess for this is yes. this should work only in the default domain14:51
jmloweec2token keystone middleware looks v3 ready, is the v2.0 happening somewhere else?14:53
*** bjornar has quit IRC14:53
morganbknudson: will fix the comments on the 88 migration shortly14:53
morganbknudson: the reason for 96 and 101 is because as prometheanfire said, some people may have manually "fixed" their migration (comment) and moved on. this is really being overly cautious14:54
*** roxanaghe has quit IRC14:54
ayoungjmlowe, where do you see that?14:54
bknudsonmorgan: ok, the comment should say that14:54
morganbknudson: i thought i put that in there14:54
* morgan 2x checks14:55
ayounghttp://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/ec2_token.py looks kinda v2 specific to me14:55
bknudsonmorgan: also, the code can probably be clearer... could just check if the index exists already14:55
morganbknudson: it's one of those cases where you have to do programmatic lookup of the index14:55
morganbknudson: because you have no idea what the index is named14:55
morganbknudson: it could be named at least 2 different things if not some automatic magic names too14:56
prometheanfiremorgan: ya, it was a pain to debug :|14:56
morganbknudson: basically dropping unique constraints should never rely on the "name" in our codebase (as crappy as that is)14:56
bknudsonoh, never mind, I thought 96 and 101 were recreating the other index, but it's just dropping the old one14:57
morganyeah14:57
prometheanfirethe column recreation should be behind a check14:58
prometheanfiremost things should be when dealing with migrations imo :P14:58
*** mylu has quit IRC14:58
*** mylu has joined #openstack-keystone14:59
*** mylu_ has joined #openstack-keystone15:00
ayoungjmlowe, but you are right that the keystone server seems to be V3 capable for ec215:00
ayoungso jmlowe maybe the URL is wrong15:01
openstackgerritMerged openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235815:01
*** mylu has quit IRC15:01
*** knikolla has joined #openstack-keystone15:01
morganoooh.15:02
morganuhm...15:02
morganbknudson: ok i have to do something ugly here...15:02
jmlowemy keystone_ec2_url in nova.conf is https://<controller>:5000/v2.0/ec2tokens, I don't think it worked if I switched to /v3/ec2tokens15:02
morganbknudson: i cant just try/except around the domain_id column being created...15:02
morganbknudson: because the exception is different based upon the driver (pymysql, mysqldb, psgql, etc)15:03
morganugh15:03
bknudsonthey don't have a common base class?15:03
morganchecking but it looks like it isn't.15:03
morganDBError: (pymysql.err.InternalError)15:04
morganthat is being raised by pymysql.err15:04
morganin the migration15:04
jmloweayoung: should it do the right thing or do I need to try to get a url with v3 to work?15:04
morgannot by sql-a15:04
bknudsonInternalError doesn't seem accurate15:04
morgan=/15:04
morganDBError: (pymysql.err.InternalError) (1060, u"Duplicate column name 'domain_id'") [SQL: u"\nALTER TABLE role ADD domain_id VARCHAR(64) NOT NULL DEFAULT '<<null>>'"]15:04
morganthat is the full line from db_sync15:04
ayoungjmlowe, I don't know. I'm making this up as I go along.15:04
jmloweayoung: aren't we all?15:05
ayoungjmlowe, what is the URL you have right now?15:05
morganok, let me query the table directly and figure out if it has the column *ugh*15:05
jmloweayoung: https://<controller>:5000/v2.0/ec2tokens15:05
bknudsonmorgan: doing introspection of the table isn't the worst thing15:05
morganbknudson: no just... annoying :(15:05
ayoungjmlowe, OK, so that is v2 specific.  I would expect us to use a non v2 url for v2/v3. But then again, some of the other auth does allow v3 in v2, but only default domain,  which sounds like what you are seeing.15:06
ayoungLet me see if it will honor a v3 based URL...15:06
*** openstackgerrit has quit IRC15:06
morganah role_Table.columns15:06
jmloweayoung: I sat next to you in the HPC bof in Vancouver, it may interest you to know that this is the project I'm working on http://jetstream-cloud.org15:06
morgansometimes the ORM is ice.15:06
morgannice*15:06
*** openstackgerrit has joined #openstack-keystone15:06
ayoung"LATency...its the Nemesis of HPC...that is why your job runs endlessly....your process gates on latency...."15:08
*** diazjf has joined #openstack-keystone15:09
openstackgerritMorgan Fainberg proposed openstack/keystone: Correct `role_name` constraint dropping  https://review.openstack.org/29840215:09
morganbknudson: ^ comments addressed.15:10
morganand duplicate of patch pushed for stable/mitaka as well15:10
jmloweayoung: at this point we'd be happy if the bioinformaticists would stop writing O(n!) code in perl15:10
bknudsonmorgan: still no tests15:10
*** jaugustine has joined #openstack-keystone15:11
ayoungjmlowe, http://adam.younglogic.com/2012/07/latency/15:11
*** tellesnobrega is now known as tellesnobrega_af15:12
morganbknudson: unfortunately i can't do tests today =/ I have a ton of things to take care of :( notably finding a new job related :( so- i can generate tests tomorrow if stevemar doesn't mind holding up RC.15:12
jmloweayoung: I love it15:12
openstackgerritTom Cocozzello proposed openstack/keystone: Run federation tests under Python 3  https://review.openstack.org/29479715:12
morganbknudson: or i'm happy to have someone else do the tests. but just reality of being unemployed :(15:12
bknudsonwhen you're unemployed there's no vacation15:12
morganbknudson: when you're unemployed and have interviews/calls/etc, you can't code at the same time :P15:13
*** toddnni has joined #openstack-keystone15:14
morganbknudson: anyway. happy to write tests but i need to run and deal with stuff for the majority of the day. (also these tests are def. gonna be ugly cause they have to do the same work as the migration just to do the migration)15:14
jmloweayoung: is there something special I have to do to get that to show up under v3, I get 404 when I try to curl15:18
jmloweayoung: some paste config?15:18
ayoungjmlowe, so, something recycled my current test cluster...let me see if I can bring it back up and try myself.15:18
ayoungjmlowe, I have actually never dealt with the EC2 API thus far15:19
jmloweayoung: I didn't think anybody would use it, clearly I was wrong15:21
*** gordc has quit IRC15:23
*** rcernin has quit IRC15:27
*** Ephur has joined #openstack-keystone15:27
openstackgerritRon De Rose proposed openstack/keystone: Cleaning up identity.core  https://review.openstack.org/29614015:30
*** links has joined #openstack-keystone15:32
*** arunkant has joined #openstack-keystone15:32
bknudsonmorgan: good luck on the interviews by the way15:34
morganbknudson: thnx :)15:34
*** roxanaghe has joined #openstack-keystone15:34
*** dpippenger has joined #openstack-keystone15:34
*** dpippenger has quit IRC15:36
*** gyee has joined #openstack-keystone15:41
*** ChanServ sets mode: +v gyee15:41
*** harlowja has quit IRC15:41
*** gordc has joined #openstack-keystone15:46
*** henrynash has joined #openstack-keystone15:49
*** ChanServ sets mode: +v henrynash15:49
*** roxanagh_ has joined #openstack-keystone15:50
*** roxanagh_ has quit IRC15:55
*** agrebennikov has joined #openstack-keystone15:55
jmloweayoung: totally missed the fact that only POST method would work for that url, now 400 bad request, so I guess I need to actually figure out how to use the api15:56
ayoungjmlowe, curl should work15:58
ayoungdoes it work with a V2 request first?15:58
*** gokrokve has joined #openstack-keystone15:59
*** ametts has quit IRC15:59
ayoungsamueldmq, so I wrote up "fetchpolicy by Endpoint URL" as a spec, but I don't know what that API would look like.  You can't really embed a URL into a GET request16:01
*** Guest58782 has quit IRC16:03
*** links has quit IRC16:04
lbragstadrderose quick follow up question here - https://review.openstack.org/#/c/292611/216:04
patchbotlbragstad: patch 292611 - keystone - Move identity.backends.sql model code to sql_model.py16:04
rderoselbragstad: sure16:04
lbragstadrderose I left a comment to your response https://review.openstack.org/#/c/292611/2/keystone/identity/backends/model.py16:05
patchbotlbragstad: patch 292611 - keystone - Move identity.backends.sql model code to sql_model.py16:05
*** agrebennikov has quit IRC16:05
jmloweayoung: I get the same 400 bad request error with both, so at least it's being routed properly16:05
rderoselbragstad: You are correct in your comment. When an ldap user authenticates, we'll store a ldap_user record in SQL.16:06
lbragstadrderose ok - cool16:06
ayoungrderose, what is going to happen with the id_mapping stuff?16:07
ayoungIs the meeting in 53 minutes or 113 minutes?16:08
rderoseayoung: we'll refactor the mapping engine to remove tech debt once we've shadowed ldap users16:09
ayoungrderose, that is not tech debt16:09
ayoungrderose, it is a very hard fought over compromise16:10
ayoungand it should have been the heart of the shadow user approach16:10
ayoungrderose, the issue is, if a user has never authenticated  to Keystone, how can we find out her userid to assign her a role?16:10
rderoseayoung: okay, point taken. to be honest, I'm still getting familiar with this code base. lets chat once I start shadowing ldap users16:11
ayoungheh16:11
ayoungrderose, cool.  Lot to be done here. Are you going to Austin?16:11
lbragstadrderose I left a couple more comments on the latest patch set - it's lookin' good though!16:12
rderoseayoung: yeah, I'll be there :)  would be great for us to get together to work on this.16:12
rderoselbragstad: cool16:12
*** browne has joined #openstack-keystone16:12
*** mylu_ has quit IRC16:13
*** mylu has joined #openstack-keystone16:13
knikollaaccording to my calendar the meeting is in ~107 minutes16:13
*** jistr has quit IRC16:14
*** lhcheng has joined #openstack-keystone16:14
*** ChanServ sets mode: +v lhcheng16:14
ayoungknikolla, yeah, but that whole Daylight savings thing16:15
ayoungjmlowe, OK,  I have a new deployment up16:15
ayoungI need to learn EC2....16:15
*** naresht has quit IRC16:16
knikollaayoung, i'm subscribed to http://eavesdrop.openstack.org/irc-meetings.ical16:16
*** tellesnobrega_af is now known as tellesnobrega16:16
knikollaso i figure it autohandles that16:16
*** agrebennikov has joined #openstack-keystone16:23
*** jsavak has quit IRC16:26
*** dpippenger has joined #openstack-keystone16:27
*** agrebennikov has quit IRC16:28
*** harlowja has joined #openstack-keystone16:29
*** dpippenger has quit IRC16:29
*** jsavak has joined #openstack-keystone16:29
*** tqtran has joined #openstack-keystone16:30
*** e0ne has quit IRC16:31
*** mylu has quit IRC16:34
*** mylu has joined #openstack-keystone16:34
*** mylu has quit IRC16:34
*** mylu has joined #openstack-keystone16:34
*** mylu has quit IRC16:35
*** Guest68910 is now known as mgagne16:38
*** mgagne has quit IRC16:38
*** mgagne has joined #openstack-keystone16:38
*** timcline has joined #openstack-keystone16:40
*** agrebennikov has joined #openstack-keystone16:41
*** nisha_ has joined #openstack-keystone16:44
*** pcaruana has quit IRC16:48
*** david_cu has quit IRC16:50
*** diazjf has quit IRC16:50
*** mvk_ has quit IRC16:56
*** ametts has joined #openstack-keystone16:57
*** harlowja_ has joined #openstack-keystone16:58
*** nisha__ has joined #openstack-keystone16:59
*** harlowja has quit IRC17:00
*** mgagne_ has joined #openstack-keystone17:06
*** dtroyer has quit IRC17:07
*** zhiyan has quit IRC17:07
*** ryanpetrello has quit IRC17:07
*** patchbot has quit IRC17:07
*** rha has quit IRC17:07
*** sudorandom has quit IRC17:07
*** blogan has quit IRC17:07
*** gsilvis has quit IRC17:07
*** BrAsS_mOnKeY has quit IRC17:07
*** tpeoples has quit IRC17:07
*** adam_g has quit IRC17:07
*** jasondotstar has quit IRC17:07
*** baffle has quit IRC17:07
*** ametts has quit IRC17:07
*** roxanaghe has quit IRC17:07
*** mjb has quit IRC17:07
*** mgagne has quit IRC17:07
*** comstud has quit IRC17:07
*** hockeynut has quit IRC17:07
*** dhellmann has quit IRC17:07
*** kfox1111 has quit IRC17:07
*** zzzeek has quit IRC17:07
*** samueldmq has quit IRC17:07
*** darrenc has quit IRC17:07
*** sigmavirus24 has quit IRC17:07
*** eglute has quit IRC17:07
*** gus has quit IRC17:07
*** Nakato has quit IRC17:07
*** cloudnull has quit IRC17:07
*** mhu has quit IRC17:07
*** jamielennox has quit IRC17:07
*** Anticimex has quit IRC17:07
*** mfisch has quit IRC17:07
*** d34dh0r53 has quit IRC17:07
*** eglute has joined #openstack-keystone17:07
*** dtroyer has joined #openstack-keystone17:07
*** comstud has joined #openstack-keystone17:07
*** d34dh0r53 has joined #openstack-keystone17:07
*** sdake_ has joined #openstack-keystone17:07
ayoungsamueldmq, is your Policy fetch policy Proof of concept posted anywhere?17:07
*** gyee has quit IRC17:07
*** nisha_ has quit IRC17:07
*** patchbot` has joined #openstack-keystone17:07
*** sdake has quit IRC17:07
*** trown is now known as trown|lunch17:07
*** roxanaghe_ has joined #openstack-keystone17:07
*** patchbot` is now known as patchbot17:07
*** bjornar has joined #openstack-keystone17:07
*** Nakato_ has joined #openstack-keystone17:07
*** baffle_ has joined #openstack-keystone17:07
*** dflorea has joined #openstack-keystone17:07
*** hockeynut_afk has joined #openstack-keystone17:07
*** gsilvis_ has joined #openstack-keystone17:07
*** ryanpetrello_ has joined #openstack-keystone17:07
*** kfox1111_ has joined #openstack-keystone17:07
*** Anticime1 has joined #openstack-keystone17:07
*** sudorandom_ has joined #openstack-keystone17:07
*** samueldm1 has joined #openstack-keystone17:07
*** ametts_ has joined #openstack-keystone17:07
*** sudorandom_ is now known as sudorandom17:07
*** ryanpetrello_ is now known as ryanpetrello17:07
*** BrAsS_mO- has joined #openstack-keystone17:07
*** adam_g` has joined #openstack-keystone17:07
*** dhellmann has joined #openstack-keystone17:07
*** mjb has joined #openstack-keystone17:07
*** mfisch has joined #openstack-keystone17:07
*** hockeynut_afk is now known as hockeynut17:07
*** mgagne_ has quit IRC17:07
*** mgagne_ has joined #openstack-keystone17:07
*** mfisch is now known as Guest2804917:08
*** blogan has joined #openstack-keystone17:08
*** jasondotstar has joined #openstack-keystone17:08
*** cloudnull has joined #openstack-keystone17:08
*** darrenc has joined #openstack-keystone17:08
*** adam_g` is now known as adam_g17:08
*** adam_g has quit IRC17:08
*** adam_g has joined #openstack-keystone17:08
*** zzzeek has joined #openstack-keystone17:08
*** gus has joined #openstack-keystone17:09
*** rderose has quit IRC17:09
*** _sigmavirus24 has joined #openstack-keystone17:10
*** dflorea has quit IRC17:11
*** rha has joined #openstack-keystone17:11
*** dflorea has joined #openstack-keystone17:12
stevemarayoung: its in 47 minutes now :)17:12
*** jamielennox has joined #openstack-keystone17:12
*** ChanServ sets mode: +v jamielennox17:12
jmloweayoung: awesome17:12
ayoungjmlowe, so the old keystone CLI does not seem to be happy...maybe a V2 vs v3 thing...I'll convert to a V2 URL...17:13
*** toddnni_ has joined #openstack-keystone17:13
*** toddnni has quit IRC17:13
*** toddnni_ is now known as toddnni17:14
*** daemontool has quit IRC17:14
*** _sigmavirus24 is now known as sigmavirus2417:14
*** sigmavirus24 has joined #openstack-keystone17:14
*** mgagne_ is now known as mgagne17:15
*** zhiyan has joined #openstack-keystone17:17
ayoungjmlowe, hmmm17:18
ayoungjmlowe, so, as an authed user, I should be able to just run:  keystone     --insecure ec2-credentials-create17:19
ayoungno args, and get a credential for that project for the current user, no?17:19
*** tpeoples has joined #openstack-keystone17:19
ayoungand that seems to be unhappy on my system...17:20
*** shaleh has joined #openstack-keystone17:20
*** harlowja has joined #openstack-keystone17:20
ayoungjmlowe, its not reporting an error, but there is nothing created, nothing stored in the DB.17:21
shalehayoung: what is holding up the OSC changes for implied roles?17:21
ayoungshaleh, incompetence on my part?17:21
samueldm1ayoung: you can sha(url)17:21
ayoungshaleh, want to make it happen?17:21
ayoungsamueldm1, ?17:21
samueldm1ayoung: and also query the list filtering by the url17:21
shalehayoung: I started on it yesterday afternoon :-)17:22
ayoungsamueldm1, yeah, I was thinking sha(url)17:22
ayoungbut that is kinda nasty17:22
ayoungshaleh, take it17:22
samueldm1ayoung: wait it's not my original myself17:22
shalehayoung: I submitted a bug because the spec does not match keystone output17:22
samueldm1wait17:22
*** samueldm1 has quit IRC17:22
*** samueldmq has joined #openstack-keystone17:22
*** harlowja_ has quit IRC17:22
stevemaranyone feel like adding unit tests to https://review.openstack.org/#/c/298402 ?17:22
*** ChanServ sets mode: +v samueldmq17:22
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Add users functional tests  https://review.openstack.org/28930617:23
samueldmqayoung: yeah but we don't have lots of options besides that17:23
ayoungsamueldmq, is the endpoint ID approach really so  bad?17:23
ayoungI guess it means a restart17:23
ayoung and with the URL we could avoid that17:23
ayoungif we made the endpoint ID the sha(url)....17:23
samueldmqayoung: the only fact of the ID is that you don't know it ahead of time17:23
ayoungman, I like hashing17:24
jmloweayoung: that's what I thought, I used the "openstack" client "openstack ec2 create <uid> <pid>"17:24
ayoungjmlowe, pid?17:24
ayoungah17:24
jmloweproject17:24
ayoungjmlowe, let me try that17:24
shalehstevemar: that does not sound like fun coding :-)17:25
jmlowedebugging with ha is the bane of my existence, I'm going to capture the http going back and forth as soon as I can isolate it to one keystone17:26
shalehjmlowe: no joke17:26
shalehjmlowe: add in some ssl for even less fun17:26
stevemarknikolla: here's your very own blueprint! https://blueprints.launchpad.net/keystone/+spec/ldap317:26
*** spandhe has joined #openstack-keystone17:27
jmlowesysdig keeps my sanity17:27
ayoungjmlowe, and that API only exists if I use a V2.0 AUTH URL and ID API version 2.0...17:27
knikollastevemar, yay!17:27
jmloweayoung: does it matter as long as you get the id's straight?17:28
*** dpippenger has joined #openstack-keystone17:28
stevemarshaleh: it's gotta get done!17:28
shalehjmlowe: sysdig looks interesting. is it container specific?17:28
*** dflorea has quit IRC17:29
stevemarbknudson: did you want to create the unit tests? i can work on them for a bit17:29
*** Daviey has joined #openstack-keystone17:29
bknudsonstevemar: I don't think I'd be able to get to it until tomorrow17:29
stevemarokay17:29
stevemari can work on them today17:29
jmloweshaleh: nope, I don't do containers really, but if you are working with them it's the only tool I know of that can really dissect them, it's more that its so powerful that you can use it when working with containers17:31
openstackgerritMerged openstack/keystone-specs: prep repo for newton release  https://review.openstack.org/29851417:31
*** spandhe has quit IRC17:31
*** dflorea has joined #openstack-keystone17:32
*** sdake has joined #openstack-keystone17:33
ayoungjmlowe, so, nothing seems to be working right.  I might need to go into debug mode to figure out what is wrong, but I assume it is not what your problem is.17:33
*** sdake_ has quit IRC17:34
jmloweayoung: atm I only get 400 errors out of the v3/ec2token endpoint when using nova-api ec217:36
*** roxanaghe has joined #openstack-keystone17:38
*** gokrokve has quit IRC17:39
*** ebalduf_ has joined #openstack-keystone17:40
ayoungjmlowe, if you use the --debug option from the CLI, it gives you the JSON.  You can do stuff like: http://adam.younglogic.com/2013/09/keystone-v3-api-examples/  and http://adam.younglogic.com/2013/11/policy-enforcement-openstack/17:41
*** spandhe has joined #openstack-keystone17:41
ayoungfind out what does and does not work17:41
jmloweayoung: looks like keystone gives back a valid token, so this is looking more like the ec2 part of nova-api can't handle v3 tokens17:41
ayoungjmlowe, that might be keystonemiddleware, though17:41
ayoungcheck to see if it is an open bug17:42
*** roxanaghe has quit IRC17:43
jmlowehttp://paste.openstack.org/show/492334/17:45
*** e0ne has joined #openstack-keystone17:47
*** haneef has joined #openstack-keystone17:48
*** jmlowe has quit IRC17:49
*** jmlowe has joined #openstack-keystone17:55
*** rderose has joined #openstack-keystone17:55
*** sdake has quit IRC17:57
*** e0ne has quit IRC17:58
*** real56 has joined #openstack-keystone17:58
*** mhickey has quit IRC17:59
jmlowethat last paste was the response to http://paste.openstack.org/show/492336/17:59
*** gagehugo has joined #openstack-keystone18:00
*** pcaruana has joined #openstack-keystone18:02
*** sdake has joined #openstack-keystone18:02
*** dflorea has quit IRC18:03
jmloweayoung: based on those captures would you concur that the ec2 part of nova-api is choking on v3 tokens18:03
ayoungjmlowe, nope18:05
ayoungjmlowe, I think it is keystonemiddleware, not ec218:05
ayoungbut to you...it would look the same18:05
ayoungjmlowe, there are unit tests in middleware that look like they are V2 only.  I don't think middleware can handle the v3 token format18:06
jmlowe<- doesn't really understand keystone middleware18:06
*** gmmaha has left #openstack-keystone18:06
*** rk4n has quit IRC18:06
*** rk4n has joined #openstack-keystone18:06
*** dflorea has joined #openstack-keystone18:07
*** diazjf has joined #openstack-keystone18:07
*** sdake has quit IRC18:08
*** sdake_ has joined #openstack-keystone18:08
*** dflorea has quit IRC18:12
*** trown|lunch is now known as trown18:12
openstackgerritMerged openstack/keystone: Make modifications to domain config atomic  https://review.openstack.org/29022318:13
*** e0ne has joined #openstack-keystone18:13
jmloweayoung: maybe I have a gross conceptual error, how can it be keystone if a v3 token is returned to the requesting service, that should successfully complete the transaction no?18:15
ayoungjmlowe, keystonemiddleware runs in the nova server18:15
jmlowegross conceptual error it is then18:16
ayoungjmlowe, do you have access to the nova server?  Can you look at the paste pipeline,  and see what middleware filters are run?18:17
jmloweI do, nova paste filters?18:17
*** jaosorior has quit IRC18:18
ayoungyep18:18
ayounglook in /etc/nova18:18
ayoungI think18:18
jmlowefor reference centos 7, rdo bits18:18
ayoung/etc/nova/api-paste.ini18:19
morgansamueldmq: to write the tests you need a test that migrates to 87, then changes the constraint name, then runs 88 (success); failure is migrate to 87, injects another constraint then fails to migration to 88 (fail), 96 and 101 need to migrate to N-1, inject the constraint and then migrate to N18:20
morgansamueldmq: they're going to be relatively ugly tests to write.18:20
morgansamueldmq: but def. feel free to jump on them and write them :)18:20
jmlowejust the ec2 parts?18:20
jmlowehttp://paste.openstack.org/show/492341/18:21
samueldmqmorgan: cool, thanks for sharing the test plan18:21
samueldmqmorgan: I am making sure I understand the issue completely, then will jump on the tests18:22
*** e0ne has quit IRC18:25
*** iurygregory has quit IRC18:29
*** david_cu has joined #openstack-keystone18:30
openstackgerritSean Perry proposed openstack/keystone-specs: Cleanup 'implied roles' section of Identity API V3 spec  https://review.openstack.org/29892518:31
*** jsavak has quit IRC18:31
rodrigodsbknudson, ping... regarding https://review.openstack.org/#/c/294201/3/keystone/tests/unit/backend/legacy_drivers/federation/V8/api_v3.py (can we change the v8 backend method to handle the conflict?)18:31
patchbotrodrigods: patch 294201 - keystone - Add conflict validation for idp update18:31
*** jsavak has joined #openstack-keystone18:32
*** GB21 has quit IRC18:35
*** iurygregory has joined #openstack-keystone18:37
*** e0ne has joined #openstack-keystone18:37
*** rk4n has quit IRC18:39
openstackgerritMerged openstack/keystone: Cleanup LDAP models  https://review.openstack.org/28530118:43
*** david-lyle has quit IRC18:45
*** david-lyle has joined #openstack-keystone18:46
*** rderose has quit IRC18:55
*** e0ne has quit IRC18:59
ayoungmorgan, so, I think that is the general idea19:00
ayoungat least, in a deployment19:01
morgani mean upstream19:01
jamielennoxmorgan: right, i don't know if you'd maintain it upstream though19:01
morganwe publish the base policy files and it can be packaged19:01
ayoungyou would seed the repo with the policy files from the various projects, then customize19:01
*** Guest28049 is now known as mfisch19:01
ayoungand, part of that would be making the policy files consistent19:01
*** sdake_ is now known as sdake19:01
ayoungwe would find that there are common stanzas19:01
*** mfisch is now known as Guest8245419:01
ayoungand then people are going to want a tool (or build a tool) to generate policy files from fragments19:01
morganayoung: and it can be just installed as part of devstack or as an rpm19:02
morganetc19:02
morganand we just handle overrides via the CMS?19:02
ayoungmorgan, do you remember me getting harangued about unified policy about a year ago?19:02
morganayoung: yeah.19:02
morganayoung: lets try and push on auto-gen policy [as nova asked]19:02
morganwith puppet19:02
*** Guest82454 has quit IRC19:02
*** Guest82454 has joined #openstack-keystone19:02
morganas the deploy mechanism19:02
ayoungmorgan, so, I'm going for "Art of the possible" here19:02
morganfor things.19:03
*** Guest82454 is now known as mfisch19:03
jamielennoxyou could even gate on that making some sort of sense19:03
morganand then see about improving things for "central publish"19:03
morganjamielennox: yes.19:03
jamielennoxthat policy was consistent across at least the main projects19:03
morganjamielennox: that is the idea.19:03
ayoungmorgan, I'd be interested in seeing what nova comes up with19:03
jamielennoxi don't know if publishing makes sense19:03
morganjamielennox: probably would need to be published [at least as a doc]19:03
*** e0ne has joined #openstack-keystone19:03
*** e0ne has quit IRC19:03
jamielennoxmorgan: right, but i don't see it being a repo or anything19:03
ayoungmorgan, but,  at my level, it is still an input to the config process19:04
*** e0ne has joined #openstack-keystone19:04
morganjamielennox: depends on if you want it to be something easily consumed by <<UI/UX>>19:04
morganayoung: right.19:04
morganayoung: i think we're mostly on the same page19:04
ayoungmorgan, so, I know that in Tripleo, I have a blank page19:04
morganayoung: i also think we made a big mistake trying to wedge things into the current keystone policy API :(19:04
ayoungTripleo uses the puppet-keystone etc19:05
*** jmlowe has quit IRC19:05
ayoungand Kolla uses ansible19:05
morganayoung: so, lets start with improving CMS deploy things.19:05
ayoungbut in both cases, they don't have a repo of policy to pull from19:05
morganayoung: and go from there.19:05
ayoungmorgan, I would be OK with this:19:05
ayoungpolicy is held in files in /etc/keystone/policy19:05
ayoungand indexed by the sha19:05
ayoungand then Puppet syncs from there19:06
bknudsonrodrigods: we can change the v8 backend to raise a useful exception if the original exception was unexpected error.19:06
morganin [backend], (file would be the first one)19:06
morganayoung: ++19:06
morganayoung: i could see that19:06
ayoungmorgan, then query is a passthrough19:06
morganbknudson: ++ yeah useful exception > unexpected19:06
ayoungand the database stuff for assignment19:06
ayoungpolicy to endpoint19:06
morganayoung: which could strictly be used for UI.19:07
ayoungis in SQL, and, if it gets out of date...puppet could kick it19:07
ayoungright19:07
rodrigodsbknudson, got it... will do that19:07
rodrigodsthx19:07
morganhmmmm...19:07
ayoungmorgan, that works for all but initial install19:07
*** e0ne has quit IRC19:07
ayoungon an initial install, we would need to get the policy file prior to the keystone server being up....19:07
ayounghmm19:07
*** krotscheck is now known as krotscheck_dcm19:07
morganlets talk more on the index by sha.19:07
morganand how that works.19:07
morganand how we get inita.. yes initial policy19:08
ayoungmorgan, we could do the hash thing now...and we should19:08
*** dflorea has joined #openstack-keystone19:08
ayoungI have  spec for that/19:08
morganok, lets see...19:08
morganoslo.policy can crunch all these things for us.19:08
ayounghttps://review.openstack.org/#/c/297897/19:08
patchbotayoung: patch 297897 - keystone-specs - Identify Policy by Hash19:08
*** jmlowe has joined #openstack-keystone19:09
morganso lets start with: endpoint -> policy file crunching in oslo.policy (identified by hash or not)19:09
morganwhich could be placed anywhere [not asking for code just talking it through]19:10
ayoungmorgan, I had the idea back when people were asking about project specific policy (about 3 years ago?) and we could even put the hash in the token validation response if we really wanted.19:10
openstackgerritRaildo Mascena proposed openstack/keystone: [WIP]Make fernet default token provider  https://review.openstack.org/25865019:10
jamielennoxwhen done with this i'd like some advice on the cross project policy spec19:10
ayoungmorgan, ok...lets start with that19:10
ayoungjamielennox, yes, please...19:10
morganthen we end up with a tool that can look at a token and policy files and know what the person can do19:10
morgancool19:10
jmloweayoung: my connection has been flapping, was that paste sufficient or did you want to see more?19:10
*** doug-fis_ has joined #openstack-keystone19:10
ayoungmorgan, we have a tool that can do it given the JSON now19:10
morganright19:11
ayoungjmlowe, I'm on other issues ATM19:11
morganbut it's cli iirc not method things19:11
raildoayoung: lbragstad ^ only 6 failed tests :)19:11
morganbut anyway19:11
ayoungmorgan, hosting that CLI somewhere is easyish19:11
morganthats fine.19:11
ayoungmorgan, the issue is getting that pesky mountain to mohammad19:11
ayoungOr, in this case, collecting the policy files19:11
morganwe're back to the hard part of policy files collected19:11
*** nisha__ has quit IRC19:12
jmloweayoung: ack, didn't want to miss something, my connection is comcastic!19:12
*** raildo is now known as raildo-afk19:12
*** pauloewerton has quit IRC19:12
*** real56 has quit IRC19:12
ayoungmorgan, so, we can, I think, have puppet do the heavy lifting19:12
*** dflorea has quit IRC19:12
*** doug-fish has quit IRC19:12
morganok i think we're being silly actually19:13
ayoungin an initial install, puppet could pull the files from the RPM locations and stick them in Keystone around when it creates the initial service entry19:13
morganinitial install we don't care about19:13
morganexcept for keystone.19:13
ayoungmorgan, I do19:13
morganno, you don't. ;)19:13
ayoungmorgan, I have to make this work with Tripleo19:13
morganhold on19:13
ayoungmorgan, I do in my day job19:13
morganhold up! :)19:13
*** akscram has quit IRC19:14
morganinitial install is no different EXCEPT in the keystone phase19:14
morganfor bootstrapping19:14
ayoungOK.19:14
morgantreat it all 100% the same.19:14
morganadding a nova node is adding a nova node is adding a nova node19:14
ayoungyou mean Keystone bootstrap has to do something19:14
ayoungbecause we need a policy file before we can do anything with keystone?19:14
morganright19:14
morgankeystone can't do things past keystone-bootstrap without a policy file19:15
morganonce we have that bit done, it's all 100% the same no matter what we're doing19:15
jamielennoxwhy is that different to any other service?19:15
morganadd another nova api, add a cinder api, add a glance api19:15
*** akscram has joined #openstack-keystone19:15
ayoungjamielennox, only if Keystone is the system of record19:15
morganwe process it the same way in initial setup as if you were expanding.19:15
ayoungjamielennox, if Nova needs a policy file from Keystone,no problem19:15
morganso your CMS would do the lifting19:15
ayoungif Keystone needs a policy file from keystone and keystone is not running...bootstrap19:16
morganit's not even forcing keystone to be the system of record19:16
ayoungmorgan, so, what if a deployer wants to customize policy for one endpoint?19:16
ayoungI would think it would be:19:16
ayoungupload to keystone,19:16
ayoungset the endpoint-policy mapping19:16
jamielennoxi missed the bit where we went back to keystone maintaining these19:16
ayoungand then tell puppet resync19:17
morganjamielennox: i'm trying to avoid that19:17
jamielennoxright - so why is keystone different19:17
ayoungjamielennox, so, if it is not Keystone, it is going to be a repo that does what Keystone does19:17
morganayoung: or - update policy for endpoint, puppet does sync (to keystone and to endpoint)19:17
morganjamielennox: only because keystone has a naive bootstrap step19:17
morganjamielennox: you can't have a rich policy file with bootstrap today (in most cases)19:17
jamielennoxthat gets you around policy19:18
morganjamielennox: so you need bootstrap - + minor things / config, then rich policy19:18
ayoungmorgan, right.  So, in tripleo terms, we would stage the policy to a directory on the undercloud19:18
ayoungmorgan, and, actually, I have a services guy who built something like that with SSH for the sync19:19
morganjamielennox: long term, bootstrap will become smart enough to not need the slightly more wiggle room19:19
samueldmqmorgan: re: patch 29840219:19
patchbotsamueldmq: https://review.openstack.org/#/c/298402/ - keystone - Correct `role_name` constraint dropping19:19
morganayoung: now you're getting it.19:19
jamielennoxmorgan: what's in your wriggle room?19:19
samueldmqmorgan: why do we need both 96 and 101 ?19:19
ayoungmorgan, nah, I knew that was an option19:19
samueldmqmorgan: you may end this convo first :)19:19
morganjamielennox: mostly setup of any extra domains/etc19:19
morganjamielennox: that are needed for your "rich" policy19:19
jamielennoxas i see it you deploy with rich policy immediately, your rich policy should support what is being bootstrapped19:20
jamielennoxbootstrap itself is not affected by policy19:20
morganjamielennox: except bootstrap is super super naive19:20
morganjamielennox: we need to improve bootstrap some more for that. that is all19:20
morganjamielennox: i expect initially we will have a slightly different method for keystone and it'll become more streamlined as we improve this policy story19:20
morganso we support the cases we need to support to be flexible enough for rich policy options19:21
morganit's a chicken-egg scenario, and i'd rather err on the side of "good user story" vs "wedging the user story into what we implemented" on the policy distribution19:21
morgansamueldmq: 96 is in case someone "fixed" the db or the migration [we have at least one person who has done it]19:22
morgansamueldmq: and 101 is if they have used the "placeholder" migration already in their deployment19:22
*** timcline has quit IRC19:22
morgansamueldmq: so if they are already past 96 because they're running newton things, we need to still apply the "fix" logic to make sure only one constraint (domain_id, name) is in place19:23
*** timcline has joined #openstack-keystone19:23
*** ericksonsantos has quit IRC19:23
morgananyway i need to drop off for a bit19:23
ayoungmorgan, jamielennox so the short is that I need to build something for Tripleo19:24
ayoungeither something specific to it, or something within the domain of Keystone19:24
*** iurygregory has quit IRC19:24
*** nisha has joined #openstack-keystone19:24
samueldmqmorgan: how are they supposed to use the placeholder migration?19:24
samueldmqmorgan: I thought that was only reserved for backports ?19:25
morgansamueldmq: this is a backport19:25
morganwe already cut the branch19:25
morganthe only weird part here is 88 is also being "fixed"19:25
jamielennoxayoung: and tripleo is doing pre-baked images of the controller nodes right?19:25
ayoungjamielennox, no19:26
samueldmqmorgan: yes, do we really need to fix it too?19:26
morgansamueldmq: so look at it like 101 is the "fix", 96 is the backport, and 88 is a "make sure we don't break people going forward"19:26
ayoungjamielennox, it's still building them at some point19:26
morgansamueldmq: yes we do.19:26
morganif we hadn't cut the branch yet, this would have been easier19:26
ayoungjamielennox, and...if policy is done in Puppet, we need to change each and every puppet module19:26
samueldmqmorgan: I got it19:26
morgansamueldmq: a deployment can fail migration 88, so we fix it19:26
jamielennoxayoung: ah, yea, sorry i misspoke19:26
*** roxanaghe has joined #openstack-keystone19:26
ayounghowever, if we did it dynamically, we still need to tweak something19:26
morgansamueldmq: a deployment may have "fixed" the migration in the wrong way, so we supply 96 [mitaka]19:27
samueldmqmorgan: 101 and 96 is fix who is broken19:27
jamielennoxayoung: and puppet is building the images19:27
morgansamueldmq:  and 101 is fixing people on master19:27
ayoungI was hoping to have it down to "drop this URL into the auth_token section"19:27
samueldmqmorgan: 88 is don't let other get broken19:27
morgansamueldmq: yep19:27
samueldmqmorgan: people on master don't get the placeholders right?19:27
morgansamueldmq: they have already run them19:27
samueldmqmorgan: it's like they've already run the 9619:27
morganright19:27
samueldmqmorgan: kk got it19:28
morganthey have run the no-op 9619:28
*** timcline has quit IRC19:28
morganand therefore can't run it again19:28
morgan(ok ok shouldn't run it again)19:28
openstackgerritRodrigo Duarte proposed openstack/keystone: Add conflict validation for idp update  https://review.openstack.org/29420119:28
ayoungjamielennox, I think that an image can be updated after deploy anyway, as it is just a VM, and running openstack overcloud deploy would reapply any cahnges19:28
ayoungchanges19:28
jamielennoxyea, it just means you can't override the puppet, from an ansible perspective i think you can create a new template at a higher level and it would be taken in preference19:29
*** rk4n has joined #openstack-keystone19:30
ayoungjamielennox, I asked the Kolla folks.  You need to restart the container for them.19:30
ayoungjamielennox, ah, ansible, I think we could pull from a user defined repo19:30
jamielennoxayoung: i'd expect you need to rebuild the container from them19:30
ayoungI would probably have Ansible populate the repo19:30
*** nisha has quit IRC19:30
ayoungjamielennox, it's not a complete rebuild...they seemed to think it was pretty light19:30
ayoungjamielennox, anyway, that is another argument in favor of let the CMS handle it19:31
ayoungnot sure what would happen in a container based deploy with a file change19:31
*** roxanaghe has quit IRC19:31
*** jmlowe has quit IRC19:31
*** jsavak has quit IRC19:32
*** mylu has joined #openstack-keystone19:32
*** jmlowe has joined #openstack-keystone19:32
*** mylu has quit IRC19:33
ayoungjamielennox, so, in ansible, I can totally see how to drive the policy from the Keystone database.  I'm less clear in the Puppet case, but I am sure I can make it happen.19:37
*** daemontool has joined #openstack-keystone19:38
ayoungjamielennox, want to talk about your crossproject spec now?19:38
ayoungor do you need to go back to sleep?19:38
jamielennoxayoung: heh, both19:39
jamielennoxjust noticed some project-config stuff merged so was looking at conflicts there19:39
jamielennoxhttps://review.openstack.org/#/c/245629/19:39
patchbotjamielennox: patch 245629 - openstack-specs - A common policy scenario across all projects19:39
jamielennoxayoung, morgan, stevemar, bknudson et al19:40
jamielennoxi'm basically coming down to do i want to strip out the project- parts of this and let the admin_project check do that work19:40
jamielennoxit didn't exist at the time of first writing but i've come around to it19:41
jamielennoxif we assume deploys are using the admin_project flag in policy then i don't need to worry about distinguishing between the admin-observer and the project-observer19:42
jamielennoxwe just define an observer role and use the is_admin_project to handle the rest19:42
ayoungjamielennox, you mean is_admin_project?19:42
ayoungyep19:42
jamielennoxwhich turns it into a really short spec involving like 3 roles19:42
ayoungjamielennox, so as an aside, need to get that enforceable...I thought oslo-context was sufficient19:42
ayoungbut bknudson had a comment that each of the projects reimplements19:43
ayoungjamielennox, I like that19:43
jamielennoxas i think we are ditching '{service_type}_{api_capability}' roles19:43
ayoungjamielennox, so, one aspect I've seen that people want to be able to tune is neutron19:43
ayoungsome places want member to be able to make changes there, some don't19:43
jamielennoxayoung: yea, i was working on a new version and it just seemed redundant having both and the is_admin_project19:43
morganbknudson: shouldn't the opportunistic testing use pymysql?19:44
jamielennoxthe problem is i'm not sure how far people have made it enforceable19:44
morganbknudson: +2/+A on your patch anyway.. but we can revisit mysql vs pymysql as needed19:44
ayoungjamielennox, I think that we make this spec depend on that being enforceable19:44
jamielennoxayoung: it would simplify it a lot19:44
ayounginstead of trying to duplicate effort19:44
*** mylu has joined #openstack-keystone19:44
jamielennoxi need to have a look at who else is using the is_admin_project flag19:45
bknudsonmorgan: there's other fixes that have to merge first19:45
*** raildo-afk is now known as raildo19:45
*** dflorea has joined #openstack-keystone19:45
morganbknudson: ah19:45
ayoungok  so the general divide is "can a Member do this, or should they be a project-admin"  on any given api19:45
morganbknudson: yeah doing the chain now.19:45
bknudsonmorgan: oslo.db does PyMySQL -- http://git.openstack.org/cgit/openstack/oslo.db/tree/setup.cfg#n2119:45
ayoungand then for the more sensitive APIs, reserve it for is_admin_project but the distinction still applies19:46
morganright but your test requirements were mysql?19:46
jamielennoxayoung: more or less, there's some observer stuff and {service_type}_admin but that's pretty easy19:46
jamielennoxright19:46
jamielennoxthe problem is only then on services that don't use is_admin_project because we've made 3 more global roles19:46
bknudsonmorgan: oslo.db[mysql] will bring in PyMySQL>=0.6.219:46
ayoungok...so  basic roles are admin, member, observer.  Assuming is_admin_project is enforced19:46
morganbknudson: aahhh19:46
morganok19:47
ayoungand service_admin for the one offs?19:47
morgananyway the chain should be all +2/+A now19:47
bknudsonI didn't look at mysql-c ... if that's even a db that infra installs.19:47
jamielennoxayoung: service_observer as well, but they are both really easy because you put them in a rule up top of a policy file19:47
bknudsonwell, I guess the db would be there, but I didn't see that oslo.db has a fixture for it.19:47
jamielennoxlike admin = role:admin or role:identity_admin -- in the correct syntax19:47
morganyeah19:48
ayoungjamielennox, or implied roles19:48
morganok anyway19:48
morganbouncing out for a bit to deal with things.19:48
ayounglet's try to keep the policy files as simple as possible19:48
jamielennoxayoung: maybe, not sure how that would interact with a default policy19:48
jamielennoxbut it won't hurt19:48
jamielennoxyou'll just end up with both roles19:49
ayoungjamielennox, so, admin implies member, member implies observer19:49
ayoungthat is the basic one19:49
ayoungservice_admin is its own thing, I think19:49
ayoungwe could do admin implies service admin, but then that muddies things for the projects19:50
jamielennoxayoung: i think for the policy files i would still need to write it out19:50
ayoungjamielennox, why?19:50
ayoungthis is exactly what implied roles are for19:50
ayoungyou specify the lowest role needed to perform the operation19:50
ayounglet implied roles fill in the links from the user's actual role assignment19:51
jamielennoxwouldn't it cut out anyone with an existing setup19:51
ayoungjamielennox, getting default implied roles would be part of your spec19:51
jamielennoxayoung: whoa, i can barely get this passed and i want to create a role that everyone is asking for19:51
ayoungjamielennox, we are looking to define the basic set of roles19:52
ayoungimplied roles is already merged19:52
ayounggetting the basic set of roles defined should include the inference rules19:52
jamielennoxi think implied roles helps here but i'm not concerned if it requires doing conditionals in the policy files19:52
ayoungno conditionals required19:53
ayoungpolicy file just specifies the lowest rule on the chain.  Period19:53
ayoungso if it I need observer, and I have member, it will work19:53
jamielennoxok, it is simpler, i'll do it that way and see if i get push back19:54
ayoungbecause member implies observer, and that ends up in the token19:54
ayoungjamielennox, the question is whether there are more granular roles than those three that people need.19:55
*** sdake_ has joined #openstack-keystone19:55
jamielennoxany way, that was essentially what i was thinking i needed to remove the admin/project specific roles and use is_admin_project i just wanted to make sure it made sense19:55
jamielennoxayoung: i bet there are, but i want to pass something to at least get the services who do nothing up to scratch19:55
jamielennoxayoung: we can increment it from there19:56
ayoungjamielennox, ++  I'm with you19:56
*** sheel has quit IRC19:57
*** dflorea has quit IRC19:57
*** sdake has quit IRC19:58
samueldmqall keystone config options are in common/config.py right ?20:00
*** iurygregory has joined #openstack-keystone20:00
*** dflorea has joined #openstack-keystone20:01
*** dflorea has quit IRC20:01
*** gokrokve has joined #openstack-keystone20:02
*** sdake_ is now known as sdake20:02
*** rderose has joined #openstack-keystone20:07
*** gokrokve has quit IRC20:08
*** dflorea has joined #openstack-keystone20:08
*** slberger has quit IRC20:11
*** slberger has joined #openstack-keystone20:12
*** dflorea has quit IRC20:12
*** jsavak has joined #openstack-keystone20:13
ayoungsamueldmq, yes20:13
ayoungsamueldmq, at one point, we flirted with moving extension configs into the extensions/.  That never happened, and we rolled extensions into main anyhow20:14
*** ericksonsantos has joined #openstack-keystone20:19
samueldmqayoung: ++20:20
samueldmqmorgan: stevemar: we are officially in newton right? so patch 298402 is officially going on newton20:22
patchbotsamueldmq: https://review.openstack.org/#/c/298402/ - keystone - Correct `role_name` constraint dropping20:22
samueldmqonly the backports (to be submitted) will apply to mitaka20:22
morgansamueldmq: yes20:22
samueldmqmorgan: ++20:22
morgansamueldmq: there is a cherry pick of that proposed to stable/mitaka already20:22
samueldmqmorgan: nice20:23
*** timcline has joined #openstack-keystone20:23
samueldmqmorgan: I see it now20:23
*** timcline has quit IRC20:23
stevemarsamueldmq: what morgan said20:23
*** timcline has joined #openstack-keystone20:24
openstackgerritRon De Rose proposed openstack/keystone: Cleaning up identity.core  https://review.openstack.org/29614020:26
openstackgerritRon De Rose proposed openstack/keystone: Remove backend interface and common code out of identity.core  https://review.openstack.org/29614020:29
*** gokrokve has joined #openstack-keystone20:29
tjcocozzHas anyone had any problems when running tox -e debug and it gets stuck on installing deps?20:30
*** diazjf has quit IRC20:30
tjcocozzfor some reason it is only working when i install dependencies with sudo... It gets stuck trying to install oslo.service.20:30
*** diazjf has joined #openstack-keystone20:32
tjcocozzI will take the silence as, “I am the only one facing this problem” :P20:32
*** gyee has joined #openstack-keystone20:32
*** ChanServ sets mode: +v gyee20:32
openstackgerritTom Cocozzello proposed openstack/keystone: Random project should return positive numbers  https://review.openstack.org/29897020:34
*** gokrokve has quit IRC20:34
*** dflorea has joined #openstack-keystone20:35
*** slberger has quit IRC20:36
knikollatjcocozz, try removing the .tox folder and try again20:36
*** sigmavirus24 is now known as sigmavirus24_awa20:37
*** sigmavirus24_awa is now known as sigmavirus2420:37
tjcocozzknikolla, tried that, and tried deleting my venv too. Happens in py27 and debug20:37
*** dflorea has quit IRC20:39
*** dflorea has joined #openstack-keystone20:39
*** slberger has joined #openstack-keystone20:39
samueldmqmorgan: not sure how we can test 96 and 101, since to get there we need to run 88 anyways20:45
samueldmq:-)20:45
morganYou need to inject the constraint again after 8820:46
bknudsonsamueldmq: the unit test can make changes to the schema.20:46
*** raildo is now known as raildo-afk20:47
*** gokrokve has joined #openstack-keystone20:48
samueldmqmorgan: bknudson: got it20:49
*** ayoung has quit IRC20:54
*** dflorea has quit IRC20:54
*** agrebennikov has quit IRC20:55
*** ebalduf_ has quit IRC20:57
*** gagehugo has quit IRC21:00
*** dflorea has joined #openstack-keystone21:01
*** ebalduf has joined #openstack-keystone21:03
samueldmqfrom the cp-meeting21:06
samueldmqdhellmann | for newton, all official project teams will use the openstack/releases repo to request and document releases21:06
samueldmqcc stevemar ^21:06
*** ninag has quit IRC21:06
samueldmqjust in the case we're not doing it yet ^21:06
dhellmannsamueldmq : you can see if I had to make any changes to acls for keystone deliverables by looking at https://review.openstack.org/29886621:06
*** trown is now known as trown|outtypewww21:07
samueldmqdhellmann: ++ thanks21:08
*** rk4n has quit IRC21:08
samueldmqdhellmann: where may I check if we had more than one release liaison for keystone in Mitaka ?21:08
samueldmqdhellmann: to check if we need to fix it21:09
dhellmannsamueldmq : that wasn't a problem for keystone21:09
samueldmqdhellmann: perfect, just checking21:10
samueldmqdhellmann: thanks21:10
*** agrebennikov has joined #openstack-keystone21:10
*** edmondsw has quit IRC21:12
*** mhickey has joined #openstack-keystone21:15
openstackgerritRon De Rose proposed openstack/keystone: Remove backend interface and common code out of identity.core  https://review.openstack.org/29614021:20
*** rk4n has joined #openstack-keystone21:23
*** dflorea has quit IRC21:26
*** dflorea has joined #openstack-keystone21:27
*** diazjf has quit IRC21:29
*** jaugustine has quit IRC21:30
*** mhickey has quit IRC21:31
*** sdake_ has joined #openstack-keystone21:35
*** ebalduf has quit IRC21:36
*** sdake has quit IRC21:38
*** knikolla has quit IRC21:43
*** fawadkhaliq has joined #openstack-keystone21:44
*** dflorea has quit IRC21:46
*** sigmavirus24 is now known as sigmavirus24_awa21:47
*** ayoung has joined #openstack-keystone21:48
*** ChanServ sets mode: +v ayoung21:48
*** mylu has quit IRC21:49
*** mylu has joined #openstack-keystone21:50
*** dflorea has joined #openstack-keystone21:52
*** dflorea has quit IRC21:57
*** jsavak has quit IRC21:59
*** ninag has joined #openstack-keystone22:00
*** fawadkhaliq has quit IRC22:01
*** gokrokve has quit IRC22:01
*** fawadkhaliq has joined #openstack-keystone22:02
*** gokrokve has joined #openstack-keystone22:02
stevemarsamueldmq: thanks for looking at it, i think we're good for release stuff for now, all our projects should be set up22:04
*** dflorea has joined #openstack-keystone22:05
*** daemontool has quit IRC22:05
*** diazjf has joined #openstack-keystone22:06
samueldmqstevemar: sure, just making sure to share the info from cp-meeting :)22:06
stevemar;)22:06
*** gokrokve has quit IRC22:07
*** gokrokve has joined #openstack-keystone22:07
*** david_cu has quit IRC22:08
*** diazjf has quit IRC22:09
*** bjornar has quit IRC22:12
*** mylu has quit IRC22:12
*** dflorea has quit IRC22:12
*** markvoelker has joined #openstack-keystone22:13
*** ametts_ has quit IRC22:15
*** dflorea has joined #openstack-keystone22:15
*** roxanaghe has joined #openstack-keystone22:15
*** fawadkhaliq has quit IRC22:15
*** fawadkhaliq has joined #openstack-keystone22:16
*** diazjf has joined #openstack-keystone22:17
*** diazjf has quit IRC22:18
*** mylu has joined #openstack-keystone22:19
*** slberger has left #openstack-keystone22:19
*** roxanaghe has quit IRC22:19
*** mylu has quit IRC22:20
*** markvoelker has quit IRC22:20
*** markvoelker has joined #openstack-keystone22:21
*** diazjf has joined #openstack-keystone22:21
*** markvoelker_ has joined #openstack-keystone22:22
*** diazjf has quit IRC22:22
*** dflorea has quit IRC22:23
*** markvoelker has quit IRC22:26
*** sdake has joined #openstack-keystone22:26
*** sdake_ has quit IRC22:28
samueldmqmorgan: I am finding something weird while creating the test22:32
samueldmqhttp://paste.openstack.org/show/492372/22:32
samueldmqthis code works, that means that the name constraint hasn't been dropped after upgrading to 8822:32
morganI'll look in a few.22:33
*** mylu has joined #openstack-keystone22:33
samueldmqmorgan: also, not sure I am supposed to change the constraint name that way22:34
samueldmqmorgan: whenever you can :)22:34
*** mylu has quit IRC22:34
samueldmqah, and that test is in test_sql_upgrade22:36
*** ninag has quit IRC22:38
*** markvoelker_ has quit IRC22:39
*** ninag has joined #openstack-keystone22:41
*** ninag has quit IRC22:41
*** mylu has joined #openstack-keystone22:41
*** fawadkhaliq has quit IRC22:44
*** fawadkhaliq has joined #openstack-keystone22:44
*** fawadkhaliq has quit IRC22:46
*** gordc has quit IRC22:51
*** fawadkhaliq has joined #openstack-keystone22:52
*** rk4n has quit IRC22:54
*** dflorea has joined #openstack-keystone22:54
openstackgerritRon De Rose proposed openstack/keystone: WIP - Remove backend interface out of assignment.core  https://review.openstack.org/29901822:56
*** dflorea has quit IRC22:57
*** timcline has quit IRC22:59
*** timcline has joined #openstack-keystone22:59
*** rderose has quit IRC23:00
*** dflorea has joined #openstack-keystone23:00
*** timcline has quit IRC23:04
*** gokrokve has quit IRC23:07
*** timcline has joined #openstack-keystone23:10
*** jorge_munoz has quit IRC23:15
*** dpippenger has quit IRC23:18
*** fawadkhaliq has quit IRC23:18
*** fawadkhaliq has joined #openstack-keystone23:20
*** fawadkhaliq has quit IRC23:22
*** rdo has quit IRC23:25
*** mylu has quit IRC23:28
*** gokrokve has joined #openstack-keystone23:33
*** rdo has joined #openstack-keystone23:33
*** gokrokve has quit IRC23:37
*** fawadkhaliq has joined #openstack-keystone23:41
*** gokrokve has joined #openstack-keystone23:41
openstackgerritColleen Murphy proposed openstack/keystone: Improve error message for schema validation  https://review.openstack.org/29903623:43
*** timcline has quit IRC23:43
*** sdake has quit IRC23:43
*** sdake has joined #openstack-keystone23:44
*** sdake has quit IRC23:44
*** sdake has joined #openstack-keystone23:44
*** pushkaru has quit IRC23:50
*** gokrokve has quit IRC23:55
*** dflorea has quit IRC23:55
*** mylu has joined #openstack-keystone23:58
