Tuesday, 2016-04-05

agrebennikov	:D	00:00
ayoung	agrebennikov, I just know that value is needed for ECP. I'd have to look in the client code to see how it is used...	00:00
ayoung	I can poiont you are the right place...omne sec	00:00
ayoung	agrebennikov, I know at one time all the SAML stuff was mopving to a separate repo, but I don't think that happend.	00:02
ayoung	agrebennikov, Ah	00:02
ayoung	http://git.openstack.org/cgit/openstack/keystoneauth-saml2/	00:02
ayoung	agrebennikov, do you have that?	00:02
ayoung	Ok...I need to go back into family mode	00:03
agrebennikov	wow.... seems l'll sink there))	00:03
*** jasonsb has joined #openstack-keystone		00:03
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree https://review.openstack.org/301398	00:03
rodrigods	ayoung, stevemar, dstanek ^ boom!	00:04
rodrigods	added a topic to tomorrow's meeting about that	00:04
ayoung	+6794, -4	00:04
ayoung	rodrigods, that is huge	00:05
rodrigods	ayoung, more than huge i'd say	00:05
*** mylu has quit IRC		00:05
ayoung	rodrigods, reinforces that I want it in a separate repo. I wonder if we could do some git magic, like a subrepo	00:05
*** henrynash has quit IRC		00:06
rodrigods	ayoung, that might work? never saw something like that in openstack though	00:06
ayoung	rodrigods, can't think about it right now,...but good work.	00:06
rodrigods	ayoung, it is just a migration and some docs/pep8 fixes :P	00:07
rodrigods	let's see what ppl will think about it tomorrow	00:07
*** mylu has joined #openstack-keystone		00:09
*** markvoelker has quit IRC		00:12
*** mylu has quit IRC		00:14
*** markvoelker has joined #openstack-keystone		00:16
*** pushkaru has joined #openstack-keystone		00:19
*** mylu has joined #openstack-keystone		00:26
*** phalmos has quit IRC		00:38
*** jamielennox\|away is now known as jamielennox		00:41
dolphm	jamielennox: o/ wanted to catch up with you on https://review.openstack.org/#/c/245629/	00:47
patchbot	dolphm: patch 245629 - openstack-specs - A common policy scenario across all projects	00:47
*** lhcheng has quit IRC		00:48
*** mylu has quit IRC		00:48
jamielennox	dolphm: yea, i'm here	00:49
jamielennox	dolphm: and i thought you would have opinions on that :0	00:49
jamielennox	:)	00:49
dolphm	jamielennox: well, i posted a pretty substantial revision and you squashed it with patchset 7 :P	00:49
jamielennox	dolphm: basically i simplified the crap out of it to get it passed	00:49
jamielennox	dolphm: i did?	00:49
dolphm	jamielennox: but it looks like your rev was substantial too	00:50
dolphm	jamielennox: yes - we both uploaded simplified versions	00:50
agrebennikov	ayoung, so do I have to go bother steve with my issue? (sorry)	00:50
dolphm	jamielennox: i'm planning to combine both our efforts with another patchset, but didn't want to get started on that before you reviewed my changes as well	00:50
jamielennox	dolphm: it's been sitting there for weeks untouched - we timed it well	00:50
dolphm	jamielennox: ++	00:50
dolphm	jamielennox: i proposed a cross-project session on the topic	00:51
jamielennox	dolphm: yea, i was thinking of that as well	00:51
dolphm	jamielennox: nova has a similar cross-project spec up as well	00:51
jamielennox	oh?	00:51
dolphm	jamielennox: no worries, i put your name on the list of presenters or whatever :P	00:51
jamielennox	dolphm: do you know the nova spec url?	00:52
dolphm	jamielennox: i can find it	00:52
dolphm	jamielennox: one sec	00:52
dolphm	jamielennox: https://review.openstack.org/#/c/290155/	00:52
patchbot	dolphm: patch 290155 - nova-specs - Embed policy defaults in code	00:52
dolphm	jamielennox: different solution, overlapping problem description	00:53
jamielennox	dolphm: yea, not directly related but relevant. having read only the first paragraph or two it would seem to be an oslo.policy spec	00:54
dolphm	jamielennox: except, the intent is to have all services conform	00:55
dolphm	jamielennox: so it was discussed as a nova spec, and then proposed as a cross-project spec	00:55
jamielennox	dolphm: ayoung and i have had discussions about something along this line as well	00:55
jamielennox	partially at the tokyo	00:56
dolphm	jamielennox: moving to conf, specifically?	00:56
jamielennox	no, but seperating what is and is not configurable policy	00:56
jamielennox	like project scoping is not something you should be able to unconfigure	00:56
dolphm	jamielennox: ++	00:56
dolphm	jamielennox: overall, moving things to conf is something i'm interested in thought experimenting with at least	00:57
jamielennox	dolphm: yep, it seems to me a start of this would be to be able to generate the policy.json files in the same way we generate oslo.config files	00:57
dolphm	jamielennox: that was exactly johnthetubaguy's thought	00:58
jamielennox	and then specify like an overlay config	00:58
dolphm	jamielennox: makes total sense to me	00:58
dolphm	jamielennox: and that's the spec lol	00:58
jamielennox	oh, right	00:58
jamielennox	well then yes, that's a good cross-project thing to have i'd be interested in being a part of	00:58
jamielennox	but they should absolutely not be the same session	00:59
dolphm	jamielennox: so, the thought was to create a long-term, cross-project backlog spec for all our issues with policy, and then add these specific changes of direction as 'sub-tasks', so to speak	00:59
*** sdake has joined #openstack-keystone		00:59
*** mylu has joined #openstack-keystone		00:59
dolphm	jamielennox: it's a big topic, for sure, but i can't imagine we'll be able to accomplish more than a session's worth of policy in one cycle, so ... prioritize, have one session, and push hard on the resutl?	01:00
dolphm	result*	01:00
*** mylu has quit IRC		01:00
jamielennox	dolphm: at least my policy spec (i haven't read your update yet - mulitasking poorly) is i'm hoping a fairly simple change that doesn't actually require code change	01:01
jamielennox	it's a community thing or something	01:01
jamielennox	but then the only debate i'm aware of on the cross-project thing is you and me as to how far it should go	01:02
jamielennox	everyone else is on board other than wording	01:02
*** mylu has joined #openstack-keystone		01:02
dolphm	jamielennox: well, we both worked to reduce the number of proposed roles	01:02
dolphm	jamielennox: but ended up with a different result	01:02
jamielennox	so yea, i think the nova thing is the big push for next cycle	01:02
dolphm	jamielennox: i was hoping to sync up with you on that today as well	01:02
*** mylu has quit IRC		01:04
*** mylu has joined #openstack-keystone		01:04
*** mylu has quit IRC		01:08
jamielennox	dolphm: so just checking i haven't missed anything - the change in the patchset you uploaded is around using global_admin and global_observer and removing the capability roles	01:09
dolphm	jamielennox: pretty much	01:09
dolphm	jamielennox: i'm not 100% sold on renaming one of the two core roles we have, but i do like explicit	01:10
jamielennox	dolphm: so i popped up on irc and was talking to people - when we first proposed this the is_admin_project stuff wasn't merged	01:10
dolphm	jamielennox: yeah, that's complicating it	01:10
dolphm	jamielennox: also 'cloud_admin' makes it complicated to implement in the v3 policy file	01:10
jamielennox	if we assume that people configure is_admin_project (and that's difficult because i don't see how we do that in a backwards compatible way) it simplifies the project or global scoping of much fo this	01:11
*** mylu has joined #openstack-keystone		01:15
*** mylu has quit IRC		01:19
*** spandhe has quit IRC		01:20
*** EinstCrazy has joined #openstack-keystone		01:23
*** mylu has joined #openstack-keystone		01:24
*** dan_nguyen has quit IRC		01:26
*** pushkaru has quit IRC		01:26
*** mylu has quit IRC		01:35
*** jamielennox is now known as jamielennox\|away		01:41
*** jamielennox\|away is now known as jamielennox		01:44
*** wwriverrat has quit IRC		01:47
*** wwriverrat has joined #openstack-keystone		01:47
*** mylu has joined #openstack-keystone		01:53
*** mylu has quit IRC		01:55
*** pushkaru has joined #openstack-keystone		01:56
*** mylu has joined #openstack-keystone		01:57
*** mylu has quit IRC		01:59
openstackgerrit	Li Yingjun proposed openstack/keystone: Fix KeyError when rename to a name is already in use https://review.openstack.org/301418	02:11
*** alex_xu has quit IRC		02:13
*** alex_xu has joined #openstack-keystone		02:16
*** EinstCra_ has joined #openstack-keystone		02:17
*** raildo has quit IRC		02:19
*** EinstCrazy has quit IRC		02:20
*** pushkaru has quit IRC		02:24
*** mylu has joined #openstack-keystone		02:25
*** woodster_ has quit IRC		02:37
*** mylu has quit IRC		02:37
*** mylu has joined #openstack-keystone		02:43
*** mylu has quit IRC		02:44
*** nkinder has quit IRC		02:48
*** nkinder has joined #openstack-keystone		02:52
*** lhcheng has joined #openstack-keystone		02:52
*** ChanServ sets mode: +v lhcheng		02:52
*** spandhe has joined #openstack-keystone		02:53
*** ankur has joined #openstack-keystone		03:00
*** tqtran has quit IRC		03:01
*** sdake has quit IRC		03:02
*** kalaswan has joined #openstack-keystone		03:03
*** fawadkhaliq has joined #openstack-keystone		03:06
*** sekrit has joined #openstack-keystone		03:11
*** fawadkhaliq has quit IRC		03:12
*** EinstCra_ is now known as EinstCrazy		03:12
*** fawadkhaliq has joined #openstack-keystone		03:13
*** alex_xu has quit IRC		03:18
*** alex_xu has joined #openstack-keystone		03:20
*** woodster_ has joined #openstack-keystone		03:21
*** fawadkhaliq has quit IRC		03:21
*** fawadkhaliq has joined #openstack-keystone		03:22
*** fawadkhaliq has quit IRC		03:22
*** fawadkhaliq has joined #openstack-keystone		03:22
*** agrebennikov has quit IRC		03:24
ayoung	dolphm, jamielennox I like what you are both proposing. I think we are getting close.	03:27
*** diazjf has joined #openstack-keystone		03:28
jamielennox	ayoung: yea, i think it's just figuring out the names and stuff now and how much we rely on the is_admin_project	03:28
*** diazjf has quit IRC		03:28
ayoung	is_admin_project is going to be painful to merge in, acknowleged. I'm working right now with Tripleo to see what we can do with policy	03:28
*** mylu has joined #openstack-keystone		03:28
ayoung	and puppet managed files	03:28
ayoung	I think it is going to be one of those transition things:	03:29
ayoung	we get an alternative policy file, use that for an iteration or two, and then make it default, for each of the projects	03:29
ayoung	which is why your current effort is good; better to do this once	03:29
ayoung	so is_admin_project and implied roles are tools to make this easier.	03:29
ayoung	Use them if they make sense..	03:30
*** mylu has quit IRC		03:30
*** spandhe_ has joined #openstack-keystone		03:30
*** spandhe has quit IRC		03:31
*** spandhe_ is now known as spandhe		03:31
ayoung	jamielennox, python question. I'm trying to unify @controller.protected and @controller.filterprotected http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n110	03:34
ayoung	and I'm trying to figure out how to get the params to be sane	03:34
ayoung	filterprotected does:	03:34
ayoung	@controller.filterprotected('domain_id', 'enabled', 'name')	03:34
jamielennox	ayoung: yea, we are going to need some way per project to specify whether it should expect is_admin_project	03:34
jamielennox	because we can't know ahead of time whether they are using that or not	03:35
ayoung	and the issue with @controller.protected is the callback	03:35
ayoung	a named parameter always has to come before a *args param, right?	03:35
ayoung	so I can't do	03:35
ayoung	oh wait	03:36
jamielennox	ergh, i've attempted that cleanup before, it's not fun	03:36
ayoung	def filterprotected(filters, *callback):	03:36
ayoung	so in that case...what happnes if some calls	03:36
jamielennox	i don't **callback is weird there	03:37
ayoung	@controller.protected(callback=_check_user_and_group_protection)	03:37
ayoung	er	03:37
ayoung	@controller.filterprotected(callback=_check_user_and_group_protection)	03:37
ayoung	there would be nothing in *filters, right?	03:37
jamielennox	**callback doesn't mean callback=XXX	03:37
jamielennox	or i've never seen it used like that	03:37
ayoung	right it is like	03:37
ayoung	callback['callbak'] = _check_user_and_group_protection	03:38
jamielennox	yea	03:38
ayoung	can I do	03:38
ayoung	@controller.protected(callback=None, *filters) ?	03:39
*** links has joined #openstack-keystone		03:39
ayoung	nope	03:40
ayoung	how about	03:40
ayoung	def filterprotected(*filters, callback=None):	03:40
ayoung	that should be OK, no?	03:40
ayoung	invalid syntax	03:41
ayoung	the thing is, we don;t actually have any combination of filterprotected and callback. I'm guessing henry put that in for completeness	03:41
ayoung	I'm so damn close here...and I want to go to bed but finish this first	03:42
jamielennox	no, not in py2	03:43
jamielennox	you pretty much have to do args, *kwargs and then interpret in manually	03:43
ayoung	jamielennox, I think this is a better approach: def filterprotected(filters=None, callback=None): and then conver the calls to filterprocted(filters=[one,two,tree])	03:43
jamielennox	although positional() might give you something there	03:43
ayoung	what do you think of ^^	03:43
jamielennox	i think it's fine	03:44
ayoung	OK..let me do that. That unifies the interface	03:44
*** prosun has joined #openstack-keystone		03:46
*** dan_nguyen has joined #openstack-keystone		03:47
*** alex_xu has quit IRC		03:58
*** tqtran has joined #openstack-keystone		03:59
*** alex_xu has joined #openstack-keystone		04:01
*** tqtran has quit IRC		04:03
prosun	How can I change my keystone configuration to use Indentity API version V2.0? I am using devstack. I updated IDENTITY_API_VERSION:-2.0 from 3 in my openrc file (i was using version 3). I then source the openrc file (using command source openrc admin admin). I was expecting that it changes my local environment variable OS_IDENTITY_API_VERSION to 2.0. and by default use V2.0. But it does not. Anything else I need to	04:05
*** dave-mccowan has quit IRC		04:07
openstackgerrit	ayoung proposed openstack/keystone: Extract enforcement logic to its own method https://review.openstack.org/279263	04:09
*** dan_nguyen has quit IRC		04:11
*** wwriverrat has quit IRC		04:15
*** Nirupama has joined #openstack-keystone		04:19
jamielennox	prosun: what variables does that end up setting?	04:31
jamielennox	like: env \| grep OS_	04:31
*** mylu has joined #openstack-keystone		04:37
*** spandhe has quit IRC		04:41
stevemar	prosun: if you are source'ing openrc at the end, you are likely over-riding the work you did setting your version to 2	04:42
* stevemar waves at jamielennox:		04:42
*** spandhe has joined #openstack-keystone		04:42
jamielennox	stevemar: howdy	04:43
jamielennox	stevemar: hey - you think anyone uses the ENV cache thing in auth_token?	04:43
jamielennox	something something swift right?	04:44
notmyname	what's the ENV cache thing? is that where we use the cache callback in the wsgi env?	04:45
notmyname	IIRC keystone middleware uses one if it's provided already	04:45
stevemar	notmyname: jamielennox: yeah, not entierly what you're referring to, link?	04:46
stevemar	this thing? https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_cache.py#L42-L51	04:47
*** GB21 has joined #openstack-keystone		04:49
*** spzala has quit IRC		04:49
*** GB21 has quit IRC		04:53
*** mylu has quit IRC		05:00
*** tqtran has joined #openstack-keystone		05:00
*** tqtran has quit IRC		05:04
*** dave-mccowan has joined #openstack-keystone		05:05
*** dave-mcc_ has joined #openstack-keystone		05:07
*** mylu has joined #openstack-keystone		05:07
*** dave-mccowan has quit IRC		05:10
*** GB21 has joined #openstack-keystone		05:12
*** rk4n has joined #openstack-keystone		05:22
*** rk4n has quit IRC		05:23
*** rk4n has joined #openstack-keystone		05:24
*** jamielennox is now known as jamielennox\|away		05:27
*** rk4n has quit IRC		05:29
*** markvoelker has quit IRC		05:30
*** mylu has quit IRC		05:31
*** dave-mcc_ has quit IRC		05:31
*** richm has quit IRC		05:35
*** EinstCra_ has joined #openstack-keystone		05:38
*** EinstCrazy has quit IRC		05:41
*** spzala has joined #openstack-keystone		05:50
*** rcernin has joined #openstack-keystone		05:51
*** spzala has quit IRC		05:56
*** furface has quit IRC		05:56
*** josecastroleon has joined #openstack-keystone		06:00
*** fawadkhaliq has quit IRC		06:02
*** vgridnev has joined #openstack-keystone		06:08
*** lhcheng has quit IRC		06:10
*** rdo has quit IRC		06:12
*** spandhe has quit IRC		06:12
morgan	stevemar: oh huh	06:15
morgan	whoa i see notmyname in this channel	06:15
*** henrynash has joined #openstack-keystone		06:18
*** ChanServ sets mode: +v henrynash		06:18
*** henrynash has quit IRC		06:29
*** henrynash has joined #openstack-keystone		06:30
*** ChanServ sets mode: +v henrynash		06:30
*** markvoelker has joined #openstack-keystone		06:31
*** furface has joined #openstack-keystone		06:40
*** naresht has joined #openstack-keystone		06:43
*** vgridnev has quit IRC		06:47
*** spzala has joined #openstack-keystone		06:52
*** GB21 has quit IRC		06:56
*** spzala has quit IRC		06:56
*** henrynash has quit IRC		07:02
*** markvoelker has quit IRC		07:06
*** jaosorior has joined #openstack-keystone		07:21
openstackgerrit	Li Yingjun proposed openstack/keystone: Fix KeyError when rename to a name is already in use https://review.openstack.org/301418	07:29
openstackgerrit	Li Yingjun proposed openstack/keystone: Fix KeyError when rename to a name is already in use https://review.openstack.org/301418	07:33
*** pcaruana has joined #openstack-keystone		07:37
*** sheel has joined #openstack-keystone		07:38
*** lhcheng has joined #openstack-keystone		07:43
*** ChanServ sets mode: +v lhcheng		07:43
*** jistr has joined #openstack-keystone		07:44
*** jaosorior has quit IRC		07:46
*** jaosorior has joined #openstack-keystone		07:47
*** spzala has joined #openstack-keystone		07:53
*** furface has quit IRC		07:54
*** lhcheng has quit IRC		07:54
*** furface has joined #openstack-keystone		07:56
*** spzala has quit IRC		07:57
*** tqtran has joined #openstack-keystone		08:01
*** jistr has quit IRC		08:01
*** jistr has joined #openstack-keystone		08:01
*** markvoelker has joined #openstack-keystone		08:02
*** GB21 has joined #openstack-keystone		08:05
*** tqtran has quit IRC		08:05
*** mvk_ has quit IRC		08:19
*** daemontool has joined #openstack-keystone		08:31
*** nisha_ has joined #openstack-keystone		08:34
*** markvoelker has quit IRC		08:35
*** chlong has quit IRC		08:35
*** nisha_ has quit IRC		08:36
*** e0ne has joined #openstack-keystone		08:37
breton	bug 1566188 looks to me as invalid	08:38
openstack	bug 1566188 in OpenStack Identity (keystone) "keystone client reports 500 error if database service is not running" [Undecided,New] https://launchpad.net/bugs/1566188 - Assigned to Mark (rocky-asdf)	08:38
*** rdo has joined #openstack-keystone		08:38
*** mvk_ has joined #openstack-keystone		08:45
*** spzala has joined #openstack-keystone		08:54
*** kalaswan has quit IRC		08:55
*** furface has quit IRC		08:56
*** woodster_ has quit IRC		08:57
*** spzala has quit IRC		09:00
*** rk4n has joined #openstack-keystone		09:03
*** rk4n has quit IRC		09:07
*** rk4n has joined #openstack-keystone		09:12
*** rk4n has quit IRC		09:13
*** GB21 has quit IRC		09:15
*** EinstCrazy has joined #openstack-keystone		09:23
*** EinstCra_ has quit IRC		09:26
*** GB21 has joined #openstack-keystone		09:32
*** markvoelker has joined #openstack-keystone		09:32
*** GB21 has quit IRC		09:56
*** spzala has joined #openstack-keystone		09:58
*** spzala has quit IRC		10:03
*** markvoelker has quit IRC		10:06
*** rk4n has joined #openstack-keystone		10:08
*** richm has joined #openstack-keystone		10:08
*** EinstCrazy has quit IRC		10:14
*** EinstCrazy has joined #openstack-keystone		10:14
*** EinstCrazy has quit IRC		10:18
*** rk4n has quit IRC		10:21
*** jsheeren has joined #openstack-keystone		10:23
breton	yay, https://review.openstack.org/#/c/292894/	10:29
patchbot	breton: patch 292894 - openstack-infra/project-config - Changing gate on devstack identity v3 only voting (MERGED)	10:29
*** spzala has joined #openstack-keystone		10:59
*** sdake has joined #openstack-keystone		11:00
*** furface has joined #openstack-keystone		11:03
*** markvoelker has joined #openstack-keystone		11:03
*** spzala has quit IRC		11:04
*** tellesnobrega is now known as tellesnobrega_af		11:16
*** jsheeren has quit IRC		11:17
*** rk4n has joined #openstack-keystone		11:25
*** rk4n has quit IRC		11:29
*** rodrigods has quit IRC		11:32
*** rodrigods has joined #openstack-keystone		11:32
*** rk4n has joined #openstack-keystone		11:35
*** trown\|outtypewww is now known as trown		11:35
*** markvoelker has quit IRC		11:35
*** mvk_ has quit IRC		11:35
*** rk4n has quit IRC		11:41
*** rk4n has joined #openstack-keystone		11:47
*** mvk_ has joined #openstack-keystone		11:48
*** raildo-afk is now known as raildo		11:54
*** sdake_ has joined #openstack-keystone		11:54
*** sdake has quit IRC		11:55
*** spzala has joined #openstack-keystone		12:00
*** spzala has quit IRC		12:06
*** rk4n has quit IRC		12:10
*** rk4n has joined #openstack-keystone		12:11
*** Nirupama has quit IRC		12:15
*** rk4n has quit IRC		12:16
morgan	Oh nice ^	12:16
*** EinstCrazy has joined #openstack-keystone		12:20
*** markvoelker has joined #openstack-keystone		12:26
*** rk4n has joined #openstack-keystone		12:32
*** edmondsw has joined #openstack-keystone		12:35
*** ankur has quit IRC		12:41
*** gordc has joined #openstack-keystone		12:46
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree https://review.openstack.org/301398	12:53
*** rk4n has quit IRC		12:55
samueldmq	dstanek: bknudson: rodrigods: I wonder if such tests ^ could be rewritten in an agnostic way	12:56
samueldmq	so that we could use them for both tempest nd our local functional tests	12:56
samueldmq	much easier now they will be under /keystone	12:56
*** rk4n has joined #openstack-keystone		12:56
edmondsw	is there any way to have policy.json check that a query param was NOT specified?	12:56
*** sdake_ has quit IRC		12:57
samueldmq	edmondsw: I think so, let me check	12:57
dstanek	samueldmq: maybe, but i'd almost rather see v3 tests move there any only run them through tempest and leave the unit tests to keystone	12:57
edmondsw	samueldmq thanks!	12:57
dstanek	too many ways to do the same thing is confusing	12:57
rodrigods	samueldmq, dstanek correct... the tests are only run via tempest	12:58
samueldmq	edmondsw: yes there is https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L68-L72	12:58
rodrigods	you can't run them using "only" keystone	12:58
edmondsw	samueldmq I don't think that'll do what I'm looking for	12:58
samueldmq	dstanek: I agree, but I thought we had an agreement at some point to make it possible ot run the tests locally too	12:59
samueldmq	rodrigods: ^	12:59
dstanek	samueldmq: why can't you run tempest test locally?	12:59
samueldmq	dstanek: is it possible to run those tests against keystone using tox ?	13:00
edmondsw	samueldmq I want to check that someone didn't specify a domain_id query param... and "not domain_id:%(domain_id)s" wouldn't do that... I assume I can't just say "not domain_id" but maybe I can?	13:00
rodrigods	samueldmq, dstanek they are all integration	13:00
rodrigods	need a running cloud/devstack to run them	13:00
dstanek	samueldmq: not sure, but to me that's not really all that useful. i just want the tests.	13:01
samueldmq	edmondsw: maybe, worth it to try	13:01
*** spzala has joined #openstack-keystone		13:01
dstanek	samueldmq: my opinion on how to do this has been shifting as the QA group has been adding tools to make it easier	13:01
samueldmq	edmondsw: just be careful, I don't remind exactly if the query param comes in the first domain_id or in %(domain_id)s	13:02
rodrigods	yes... they continue to be "tempest tests", but they are located in the interested components	13:02
rodrigods	the main idea is like: to not run keystone crud tests in nova	13:02
samueldmq	okay, looks like what's in my mind is some old idea	13:02
samueldmq	although it would be lovely if we could run them locally using tox :)	13:03
rodrigods	samueldmq, it may be possible though, but need some work to make it happen (like... setting up an env before the run)	13:04
rodrigods	but there is something that can improve a lot keystone testing, that is requiring the integration test as we currently require the unit ones	13:05
rodrigods	since it the tests are in our tree	13:05
edmondsw	samueldmq, hey, "not domain_id" actually did work... tx!	13:05
samueldmq	edmondsw: nice! glad to know, welcome	13:05
samueldmq	rodrigods: yes, lots of things will be improved now	13:06
samueldmq	as now we're the ones taking care of them	13:06
samueldmq	I mean, it is under our repository :	13:06
*** pauloewerton has joined #openstack-keystone		13:07
samueldmq	bknudson: dstanek: have you heard about bindep?	13:07
*** spzala has quit IRC		13:07
rodrigods	samueldmq, ++	13:08
samueldmq	#link https://github.com/openstack-infra/bindep	13:08
samueldmq	it takes care of installing system dependencies	13:08
samueldmq	the idea is that we have an other-requirements.txt file specifying such requirements	13:09
samueldmq	and then : `sudo [apt-get \| yum] install $(bindep -b)`	13:09
samueldmq	it's an openstack tool, which makes set up environments go smoothly	13:10
edmondsw	samueldmq, well, I take that back... I don't think it's working after all	13:10
samueldmq	edmondsw: :(	13:10
edmondsw	just always passes	13:10
samueldmq	edmondsw: what exactly do you want to do ?	13:11
*** jraim_ has joined #openstack-keystone		13:14
*** dutsmoc has joined #openstack-keystone		13:20
*** mgagne_ has joined #openstack-keystone		13:20
*** _d34dh0r53_ has joined #openstack-keystone		13:20
*** edmondsw has quit IRC		13:21
*** agireud has quit IRC		13:21
*** zzzeek has quit IRC		13:21
*** ayoung has quit IRC		13:21
*** topol has quit IRC		13:21
*** BlackDex has quit IRC		13:21
*** jraim has quit IRC		13:21
*** mgagne has quit IRC		13:21
*** ericksonsantos has quit IRC		13:21
*** darrenc has quit IRC		13:21
*** cloudnull has quit IRC		13:21
*** comstud has quit IRC		13:21
*** d34dh0r53 has quit IRC		13:21
*** dtroyer has quit IRC		13:21
*** eglute has quit IRC		13:21
*** tjcocozz has quit IRC		13:21
*** pleia2 has quit IRC		13:21
*** smurke has quit IRC		13:21
*** clayton has quit IRC		13:21
*** naresht has quit IRC		13:21
*** prosun has quit IRC		13:21
*** pauloewerton has quit IRC		13:21
*** daemontool has quit IRC		13:21
*** klindgren has quit IRC		13:21
*** nonameentername has quit IRC		13:21
*** amit213 has quit IRC		13:21
*** mtreinish has quit IRC		13:21
*** dstanek has quit IRC		13:21
*** lunarlamp has quit IRC		13:21
*** rcernin has quit IRC		13:21
*** harlowja has quit IRC		13:21
*** raginbajin has quit IRC		13:21
*** odyssey4me has quit IRC		13:21
*** lbragstad has quit IRC		13:21
*** timburke has quit IRC		13:21
*** trey has quit IRC		13:21
*** e0ne has quit IRC		13:21
*** josecastroleon has quit IRC		13:21
*** zqfan has quit IRC		13:21
*** mdavidson has quit IRC		13:21
*** BrAsS_mOnKeY has quit IRC		13:21
*** sileht has quit IRC		13:21
*** andrewbogott has quit IRC		13:21
*** haneef has quit IRC		13:21
*** afazekas has quit IRC		13:21
*** DuncanT has quit IRC		13:21
*** dancn has quit IRC		13:21
*** yarkot has quit IRC		13:21
*** bradjones has quit IRC		13:21
*** johnthetubaguy has quit IRC		13:21
*** trown has quit IRC		13:21
*** ianw has quit IRC		13:21
*** EmilienM has quit IRC		13:21
*** briancurtin has quit IRC		13:21
*** errr has quit IRC		13:21
*** navidp has quit IRC		13:21
*** hughsaunders has quit IRC		13:21
*** bapalm has quit IRC		13:21
*** jmlowe has quit IRC		13:21
*** krotscheck has quit IRC		13:21
*** adam_g has quit IRC		13:21
*** ryanpetrello has quit IRC		13:21
*** sigmavirus24_awa has quit IRC		13:21
*** Nakato has quit IRC		13:21
*** pumaranikar has quit IRC		13:21
*** flaper87 has quit IRC		13:21
*** ctracey has quit IRC		13:21
*** dobson has quit IRC		13:21
*** tristanC has quit IRC		13:21
*** zeus has quit IRC		13:21
*** _fortis has quit IRC		13:21
*** huats_ has quit IRC		13:21
*** gerhardqux has quit IRC		13:21
*** gordc has quit IRC		13:21
*** pcaruana has quit IRC		13:21
*** arunkant has quit IRC		13:21
*** Ephur has quit IRC		13:21
*** openstackgerrit has quit IRC		13:21
*** charz has quit IRC		13:21
*** hogepodge has quit IRC		13:21
*** rha has quit IRC		13:21
*** hockeynut has quit IRC		13:21
*** brad[] has quit IRC		13:21
*** BAKfr has quit IRC		13:21
*** lupine has quit IRC		13:21
*** rk4n has quit IRC		13:21
*** markvoelker has quit IRC		13:21
*** EinstCrazy has quit IRC		13:21
*** mvk_ has quit IRC		13:21
*** alex_xu has quit IRC		13:21
*** nkinder has quit IRC		13:21
*** Trident has quit IRC		13:21
*** baffle has quit IRC		13:21
*** dims has quit IRC		13:21
*** redrobot has quit IRC		13:21
*** hugokuo has quit IRC		13:21
*** mordred has quit IRC		13:21
*** dansmith has quit IRC		13:21
*** andreaf has quit IRC		13:21
*** wolsen has quit IRC		13:21
*** john5223 has quit IRC		13:21
*** jaosorior has quit IRC		13:21
*** patchbot has quit IRC		13:21
*** mkoderer__ has quit IRC		13:21
*** toddnni has quit IRC		13:21
*** martinus__ has quit IRC		13:21
*** amakarov has quit IRC		13:21
*** dolphm has quit IRC		13:21
*** rmstar has quit IRC		13:21
*** raildo has quit IRC		13:21
*** notmyname has quit IRC		13:21
*** DinaBelova has quit IRC		13:21
*** SpamapS has quit IRC		13:21
*** boltR has quit IRC		13:21
*** zigo has quit IRC		13:21
*** x58 has quit IRC		13:21
*** bknudson has quit IRC		13:21
*** sekrit has quit IRC		13:21
*** ChanServ has quit IRC		13:21
*** david-lyle has quit IRC		13:21
*** samueldmq has quit IRC		13:21
*** dgonzalez has quit IRC		13:22
*** mnaser has quit IRC		13:22
*** lifeless has quit IRC		13:22
*** mugsie has quit IRC		13:22
*** frickler has quit IRC		13:22
*** breton has quit IRC		13:22
*** stevemar has quit IRC		13:22
*** ktychkova has quit IRC		13:22
*** serverascode has quit IRC		13:22
*** rvba has quit IRC		13:22
*** wanghua has quit IRC		13:22
*** zhiyan has quit IRC		13:22
*** jasondotstar has quit IRC		13:22
*** mfisch has quit IRC		13:22
*** kfox1111 has quit IRC		13:22
*** boris-42 has quit IRC		13:22
*** andreykurilin__ has quit IRC		13:22
*** rodrigods has quit IRC		13:22
*** jistr has quit IRC		13:22
*** jdennis has quit IRC		13:22
*** Anticimex has quit IRC		13:22
*** Daviey_ has quit IRC		13:22
*** iurygregory has quit IRC		13:22
*** anteaya has quit IRC		13:22
*** Dave has quit IRC		13:22
*** kevinbenton has quit IRC		13:22
*** crinkle has quit IRC		13:22
*** skoude has quit IRC		13:22
*** opilotte- has quit IRC		13:22
*** tellesnobrega_af has quit IRC		13:22
*** morgan has quit IRC		13:22
*** freerunner has quit IRC		13:22
*** htruta has quit IRC		13:22
*** sshen has quit IRC		13:22
*** sheel has quit IRC		13:22
*** woodburn has quit IRC		13:22
*** bigjools has quit IRC		13:22
*** xek has quit IRC		13:22
*** wxy has quit IRC		13:22
*** mancdaz has quit IRC		13:22
*** fungi has quit IRC		13:22
*** gsilvis_ has quit IRC		13:22
*** med_ has quit IRC		13:22
*** furface has quit IRC		13:22
*** rdo has quit IRC		13:22
*** jasonsb has quit IRC		13:22
*** jrist has quit IRC		13:22
*** jlvillal has quit IRC		13:22
*** lmiccini has quit IRC		13:22
*** ekarlso- has quit IRC		13:22
*** kragniz has quit IRC		13:22
*** mc_nair has quit IRC		13:22
*** jidar has quit IRC		13:22
*** SamYaple has quit IRC		13:22
*** jraim_ is now known as jraim		13:22
*** eglute has joined #openstack-keystone		13:23
*** EinstCrazy has joined #openstack-keystone		13:24
*** spzala has joined #openstack-keystone		13:24
*** zzzeek_ has joined #openstack-keystone		13:24
*** topol_ has joined #openstack-keystone		13:24
*** dtroyer_zz has joined #openstack-keystone		13:24
*** BlackDex_ has joined #openstack-keystone		13:24
*** darrenc_ has joined #openstack-keystone		13:24
*** pauloewerton has joined #openstack-keystone		13:24
*** rk4n has joined #openstack-keystone		13:24
*** gordc has joined #openstack-keystone		13:24
*** markvoelker has joined #openstack-keystone		13:24
*** mvk_ has joined #openstack-keystone		13:24
*** rodrigods has joined #openstack-keystone		13:24
*** furface has joined #openstack-keystone		13:24
*** rdo has joined #openstack-keystone		13:24
*** e0ne has joined #openstack-keystone		13:24
*** daemontool has joined #openstack-keystone		13:24
*** jistr has joined #openstack-keystone		13:24
*** jaosorior has joined #openstack-keystone		13:24
*** sheel has joined #openstack-keystone		13:24
*** pcaruana has joined #openstack-keystone		13:24
*** naresht has joined #openstack-keystone		13:24
*** josecastroleon has joined #openstack-keystone		13:24
*** rcernin has joined #openstack-keystone		13:24
*** alex_xu has joined #openstack-keystone		13:24
*** prosun has joined #openstack-keystone		13:24
*** sekrit has joined #openstack-keystone		13:24
*** nkinder has joined #openstack-keystone		13:24
*** jasonsb has joined #openstack-keystone		13:24
*** david-lyle has joined #openstack-keystone		13:24
*** zqfan has joined #openstack-keystone		13:24
*** jdennis has joined #openstack-keystone		13:24
*** notmyname has joined #openstack-keystone		13:24
*** arunkant has joined #openstack-keystone		13:24
*** Ephur has joined #openstack-keystone		13:24
*** klindgren has joined #openstack-keystone		13:24
*** woodburn has joined #openstack-keystone		13:24
*** dgonzalez has joined #openstack-keystone		13:24
*** tjcocozz has joined #openstack-keystone		13:24
*** openstackgerrit has joined #openstack-keystone		13:24
*** mdavidson has joined #openstack-keystone		13:24
*** bigjools has joined #openstack-keystone		13:24
*** charz has joined #openstack-keystone		13:24
*** samueldmq has joined #openstack-keystone		13:24
*** xek has joined #openstack-keystone		13:24
*** wolfe.freenode.net sets mode: +v samueldmq		13:24
*** bapalm has joined #openstack-keystone		13:24
*** nonameentername has joined #openstack-keystone		13:24
*** Anticimex has joined #openstack-keystone		13:24
*** Trident has joined #openstack-keystone		13:24
*** amit213 has joined #openstack-keystone		13:24
*** stevemar has joined #openstack-keystone		13:24
*** jmlowe has joined #openstack-keystone		13:24
*** jrist has joined #openstack-keystone		13:24
*** BrAsS_mOnKeY has joined #openstack-keystone		13:24
*** baffle has joined #openstack-keystone		13:24
*** harlowja has joined #openstack-keystone		13:24
*** fungi has joined #openstack-keystone		13:24
*** dims has joined #openstack-keystone		13:24
*** ktychkova has joined #openstack-keystone		13:24
*** mtreinish has joined #openstack-keystone		13:24
*** sileht has joined #openstack-keystone		13:24
*** mugsie has joined #openstack-keystone		13:24
*** hogepodge has joined #openstack-keystone		13:24
*** patchbot has joined #openstack-keystone		13:24
*** dstanek has joined #openstack-keystone		13:24
*** redrobot has joined #openstack-keystone		13:24
*** jlvillal has joined #openstack-keystone		13:24
*** serverascode has joined #openstack-keystone		13:24
*** andrewbogott has joined #openstack-keystone		13:24
*** rvba has joined #openstack-keystone		13:24
*** wxy has joined #openstack-keystone		13:24
*** mancdaz has joined #openstack-keystone		13:24
*** krotscheck has joined #openstack-keystone		13:24
*** Daviey_ has joined #openstack-keystone		13:24
*** pleia2 has joined #openstack-keystone		13:24
*** hugokuo has joined #openstack-keystone		13:24
*** bknudson has joined #openstack-keystone		13:24
*** iurygregory has joined #openstack-keystone		13:24
*** mkoderer__ has joined #openstack-keystone		13:24
*** wanghua has joined #openstack-keystone		13:24
*** mnaser has joined #openstack-keystone		13:24
*** raginbajin has joined #openstack-keystone		13:24
*** haneef has joined #openstack-keystone		13:24
*** zhiyan has joined #openstack-keystone		13:24
*** toddnni has joined #openstack-keystone		13:24
*** rha has joined #openstack-keystone		13:24
*** sigmavirus24_awa has joined #openstack-keystone		13:24
*** jasondotstar has joined #openstack-keystone		13:24
*** mfisch has joined #openstack-keystone		13:24
*** adam_g has joined #openstack-keystone		13:24
*** wolfe.freenode.net sets mode: +ovv stevemar dstanek bknudson		13:24
*** kfox1111 has joined #openstack-keystone		13:24
*** ryanpetrello has joined #openstack-keystone		13:24
*** gsilvis_ has joined #openstack-keystone		13:24
*** hockeynut has joined #openstack-keystone		13:24
*** Nakato has joined #openstack-keystone		13:24
*** lifeless has joined #openstack-keystone		13:24
*** pumaranikar has joined #openstack-keystone		13:24
*** martinus__ has joined #openstack-keystone		13:24
*** lmiccini has joined #openstack-keystone		13:24
*** amakarov has joined #openstack-keystone		13:24
*** flaper87 has joined #openstack-keystone		13:24
*** afazekas has joined #openstack-keystone		13:24
*** ctracey has joined #openstack-keystone		13:24
*** DuncanT has joined #openstack-keystone		13:24
*** clayton has joined #openstack-keystone		13:24
*** smurke has joined #openstack-keystone		13:24
*** odyssey4me has joined #openstack-keystone		13:24
*** hughsaunders has joined #openstack-keystone		13:24
*** brad[] has joined #openstack-keystone		13:24
*** dobson has joined #openstack-keystone		13:24
*** tristanC has joined #openstack-keystone		13:24
*** zeus has joined #openstack-keystone		13:24
*** dancn has joined #openstack-keystone		13:24
*** dolphm has joined #openstack-keystone		13:24
*** mordred has joined #openstack-keystone		13:24
*** dansmith has joined #openstack-keystone		13:24
*** rmstar has joined #openstack-keystone		13:24
*** ekarlso- has joined #openstack-keystone		13:24
*** boris-42 has joined #openstack-keystone		13:24
*** yarkot has joined #openstack-keystone		13:24
*** BAKfr has joined #openstack-keystone		13:24
*** _fortis has joined #openstack-keystone		13:24
*** huats_ has joined #openstack-keystone		13:24
*** andreaf has joined #openstack-keystone		13:24
*** lbragstad has joined #openstack-keystone		13:24
*** raildo has joined #openstack-keystone		13:24
*** bradjones has joined #openstack-keystone		13:24
*** lupine has joined #openstack-keystone		13:24
*** anteaya has joined #openstack-keystone		13:24
*** ianw has joined #openstack-keystone		13:24
*** johnthetubaguy has joined #openstack-keystone		13:24
*** trown has joined #openstack-keystone		13:24
*** lunarlamp has joined #openstack-keystone		13:24
*** timburke has joined #openstack-keystone		13:24
*** EmilienM has joined #openstack-keystone		13:24
*** wolfe.freenode.net sets mode: +o dolphm		13:24
*** andreykurilin__ has joined #openstack-keystone		13:24
*** trey has joined #openstack-keystone		13:24
*** gerhardqux has joined #openstack-keystone		13:24
*** med_ has joined #openstack-keystone		13:24
*** kragniz has joined #openstack-keystone		13:24
*** DinaBelova has joined #openstack-keystone		13:24
*** wolsen has joined #openstack-keystone		13:24
*** frickler has joined #openstack-keystone		13:24
*** Dave has joined #openstack-keystone		13:24
*** breton has joined #openstack-keystone		13:24
*** john5223 has joined #openstack-keystone		13:24
*** briancurtin has joined #openstack-keystone		13:24
*** navidp has joined #openstack-keystone		13:24
*** errr has joined #openstack-keystone		13:24
*** SpamapS has joined #openstack-keystone		13:24
*** kevinbenton has joined #openstack-keystone		13:24
*** crinkle has joined #openstack-keystone		13:24
*** skoude has joined #openstack-keystone		13:24
*** boltR has joined #openstack-keystone		13:24
*** opilotte- has joined #openstack-keystone		13:24
*** zigo has joined #openstack-keystone		13:24
*** mc_nair has joined #openstack-keystone		13:24
*** x58 has joined #openstack-keystone		13:24
*** jidar has joined #openstack-keystone		13:24
*** tellesnobrega_af has joined #openstack-keystone		13:24
*** morgan has joined #openstack-keystone		13:24
*** SamYaple has joined #openstack-keystone		13:24
*** freerunner has joined #openstack-keystone		13:24
*** htruta has joined #openstack-keystone		13:24
*** sshen has joined #openstack-keystone		13:24
*** ChanServ has joined #openstack-keystone		13:24
*** wolfe.freenode.net sets mode: +oo morgan ChanServ		13:24
*** jraim has quit IRC		13:24
*** jraim has joined #openstack-keystone		13:24
* breton shrugs		13:24
*** openstackstatus has quit IRC		13:24
*** mgagne_ has quit IRC		13:24
*** mgagne_ has joined #openstack-keystone		13:24
breton	maybe this is the wrong place to add my tests	13:24
breton	(and a bunch of not my tests should be moved out of there too)	13:25
breton	looks like it.	13:26
*** openstackstatus has joined #openstack-keystone		13:26
*** ChanServ sets mode: +v openstackstatus		13:26
*** agireud has joined #openstack-keystone		13:27
*** ericksonsantos has joined #openstack-keystone		13:28
dstanek	breton: which ones?	13:28
*** ayoung has joined #openstack-keystone		13:29
*** ChanServ sets mode: +v ayoung		13:29
*** cloudnull has joined #openstack-keystone		13:29
breton	dstanek: test_shadow_federated_user. I will propose a patch to move it.	13:29
*** edmondsw has joined #openstack-keystone		13:29
dstanek	breton: why should it be moved?	13:30
*** jsavak has joined #openstack-keystone		13:31
breton	dstanek: because all tests there are REST tests	13:31
breton	dstanek: and test_shadow_federated_user tests the manager	13:31
dstanek	breton: yep, those should definitely be moved :-) feel free to add me to the review so i can star it	13:32
*** mylu has joined #openstack-keystone		13:33
rodrigods	dstanek, btw... are you in favor of this patch: https://review.openstack.org/#/c/301398/	13:33
patchbot	rodrigods: patch 301398 - keystone - Migrate tempest tests into keystone tree	13:33
*** tqtran has joined #openstack-keystone		13:33
rodrigods	this seems to be common direction among the projects	13:34
dstanek	rodrigods: is that what was discussed in the QA meeting 2 weeks ago?	13:34
rodrigods	dstanek, yes	13:35
*** links has quit IRC		13:35
rodrigods	next step is to have this merged: https://review.openstack.org/#/c/298696/	13:35
patchbot	rodrigods: patch 298696 - openstack-infra/project-config - Enable non-voting keystone tempest plugin tests	13:35
rodrigods	observe its stability, make it voting and remove keystone API tests from tempest tree	13:36
*** rk4n has quit IRC		13:36
dstanek	rodrigods: then yes i'm for it, i haven't looked at your specific patch just yet	13:37
rodrigods	dstanek, np, thanks	13:37
rodrigods	i added a topic for today's meeting to check other opinions as well	13:37
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/300626	13:37
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/300764	13:37
*** tqtran has quit IRC		13:38
*** rk4n has joined #openstack-keystone		13:38
*** jsavak has quit IRC		13:41
*** sheel has quit IRC		13:41
*** jsavak has joined #openstack-keystone		13:42
*** ametts has joined #openstack-keystone		13:42
*** spzala has quit IRC		13:43
*** anush_ has joined #openstack-keystone		13:45
*** rderose has joined #openstack-keystone		13:46
*** gordc has quit IRC		13:50
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree https://review.openstack.org/301398	13:53
*** sigmavirus24_awa is now known as sigmavirus24		13:56
*** gordc has joined #openstack-keystone		13:57
*** rk4n has quit IRC		13:57
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree https://review.openstack.org/301398	13:58
*** spzala has joined #openstack-keystone		13:58
*** rk4n has joined #openstack-keystone		14:01
*** pushkaru has joined #openstack-keystone		14:02
*** BlackDex_ is now known as BlackDex		14:02
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree https://review.openstack.org/301398	14:03
*** knikolla has joined #openstack-keystone		14:03
*** pushkaru has quit IRC		14:04
*** pushkaru has joined #openstack-keystone		14:04
*** jsavak has quit IRC		14:08
*** slberger has joined #openstack-keystone		14:08
*** jsavak has joined #openstack-keystone		14:09
samueldmq	do we have tests for the abstract drivers ? (not the ones using the apis, just the drivers instead)	14:12
samueldmq	I wrote some of those tests in patch 212957 and patch 212006	14:12
patchbot	samueldmq: https://review.openstack.org/#/c/212957/ - keystone - Create unit tests for the policy drivers	14:12
patchbot	samueldmq: https://review.openstack.org/#/c/212006/ - keystone - Create unit tests for endpoint policy drivers	14:12
samueldmq	I wonder where I should place them	14:13
*** rderose has quit IRC		14:13
*** mylu has quit IRC		14:13
*** mylu has joined #openstack-keystone		14:14
*** sdake has joined #openstack-keystone		14:15
*** mylu has quit IRC		14:18
morgan	dstanek: in tests caching is on by default. If the test is failing with caching on, the code is not cache compatible (failing to invalidate, etc)	14:21
morgan	breton: ^cv	14:21
morgan	Cc*	14:21
morgan	Or the test is making a bad assumption	14:21
morgan	But we only cach @memioze decorated functions	14:22
dstanek	morgan: that's super odd for unit tests	14:22
morgan	It was needed at the time/still is or people write cache incompatible code	14:23
morgan	We would need to run tests twice, with/without cache	14:23
morgan	It was safer to run with cache, as that is the harder case, without cache it is noop, basically invalidates don't matter	14:24
morgan	But this is also because our unit tests aren't really unit test s	14:24
*** mylu has joined #openstack-keystone		14:25
morgan	They are more "functional"	14:25
dstanek	unit tests shouldn't be testing caching. that's very strange because changing fixture won't change the returned data?	14:25
rodrigods	what are the keystone* ppl that have experience in creating gate jobs?	14:25
morgan	rodrigods: Brant, myself, Steve, Dolph, and jamielennox\|away . not sure who else for sure. But I am sure there are more.	14:26
dstanek	morgan: maybe in our v3 tests i can see caching being on, but not for unit tests	14:26
rodrigods	morgan, thanks, will add you to https://review.openstack.org/#/c/298696/	14:26
patchbot	rodrigods: patch 298696 - openstack-infra/project-config - Enable non-voting keystone tempest plugin tests	14:26
breton	morgan: we have "get-or-create" functions. Is it ok that they are cached?	14:26
*** tellesnobrega_af is now known as tellesnobrega		14:27
knikolla	dstanek, are you still working on this? https://review.openstack.org/#/c/151310/	14:27
patchbot	knikolla: patch 151310 - keystone - adds a devstack plugin for running a pysaml2 IdP	14:27
morgan	dstanek: iirc we have caching defaulted to on in our tests. At least we did.	14:27
morgan	breton: it should be OK. Doest mean it is correct to be cached.	14:28
morgan	As dstanek is highlighting.	14:28
dstanek	knikolla: sorta, before my vacation i was experimenting with another way to do it	14:28
dstanek	knikolla: did you have an interest in that?	14:29
*** naresht has quit IRC		14:29
*** rk4n has quit IRC		14:29
rodrigods	dstanek, another possibility for these tests is to add the infra and run them using our tempest plugins	14:31
dstanek	rodrigods: what tests?	14:31
rodrigods	dstanek, federation related	14:32
knikolla	dstanek, yeah. we want to setup a federation gate.	14:32
rodrigods	http://lists.openstack.org/pipermail/openstack-dev/2016-March/091055.html	14:32
rodrigods	knikolla, ^ talking about that?	14:32
knikolla	rodrigods, yeah	14:32
dstanek	rodrigods: those reviews are to setup the infra	14:33
dstanek	knikolla: i don't think the pysaml idp was working all that well	14:33
dstanek	definitely not a good long term thing	14:33
dstanek	but it was cheap and easy	14:33
rodrigods	dstanek, i know... but the federation gate idea is to have something definitive using the recommended tools	14:34
rodrigods	like shib and mellon	14:34
rodrigods	and for gate jobs, it is to run the tests using the tempest code	14:34
dstanek	rodrigods: i'm fine with that	14:35
rodrigods	dstanek, knikolla cool, we just need to sync the efforts :)	14:35
knikolla	dstanek, rodrigods: wanna start an etherpad?	14:36
rodrigods	knikolla, ++	14:36
rodrigods	knikolla, going to Austin? this is something we can discuss there too	14:36
rodrigods	dstanek, you are going, right?	14:37
knikolla	rodrigods, yeah, i'll be there.	14:37
dstanek	yes, i'll be there	14:37
rodrigods	cool	14:37
*** _d34dh0r53_ is now known as d34dh0r53		14:39
knikolla	rodrigods, dstanek: https://etherpad.openstack.org/p/Keystone-Federation-Testing	14:40
knikolla	i'm all new to this etherpad thing	14:40
rodrigods	we can add this link to keystone's etherpad too	14:41
rodrigods	the summit etherpad i mean, let try to find it	14:41
*** Don_Nalezyty has joined #openstack-keystone		14:42
knikolla	rodrigods, https://etherpad.openstack.org/p/keystone-newton-summit-brainstorm	14:42
rodrigods	knikolla, thanks	14:43
*** spandhe has joined #openstack-keystone		14:45
knikolla	mylu, ping	14:46
mylu	knikolla: ?	14:46
*** sheel has joined #openstack-keystone		14:49
*** rderose has joined #openstack-keystone		14:53
*** sdake_ has joined #openstack-keystone		14:54
*** josecastroleon has quit IRC		14:54
*** mylu has quit IRC		14:57
*** sdake has quit IRC		14:57
*** ametts has quit IRC		15:00
*** mkoderer__ has quit IRC		15:02
*** mylu has joined #openstack-keystone		15:03
*** pcaruana has quit IRC		15:06
*** tellesnobrega is now known as tellesnobrega_af		15:06
*** markvoelker has quit IRC		15:12
*** markvoelker has joined #openstack-keystone		15:13
*** ametts has joined #openstack-keystone		15:14
*** phalmos has joined #openstack-keystone		15:14
*** links has joined #openstack-keystone		15:14
*** mkoderer__ has joined #openstack-keystone		15:15
prosun	jamielennox\|away: I am checking for the OS_IDENTITY_API_VERSION and OS_AUTH_URL variables (using env command)	15:17
*** diazjf has joined #openstack-keystone		15:18
*** rderose has quit IRC		15:19
*** david_cu has joined #openstack-keystone		15:22
stevemar	breton: still online?	15:23
stevemar	this bug looks nasty: https://bugs.launchpad.net/keystone/+bug/1566282	15:23
openstack	Launchpad bug 1566282 in OpenStack Identity (keystone) "Returning federated user fails to authenticate with HTTP 500" [Undecided,New] - Assigned to Boris Bobrov (bbobrov)	15:23
*** links has quit IRC		15:25
prosun	stevemar: what would be the right order of using Identity API 2.0? I tried editing the openrc file (updating export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}) then restarting the keystone service (by restarting apache server)	15:26
*** dave-mccowan has joined #openstack-keystone		15:27
*** sdake_ has quit IRC		15:27
*** sdake has joined #openstack-keystone		15:27
stevemar	prosun: no need to restart apache, just edit your RC file and source it	15:27
prosun	stevemar: okay.	15:29
*** anush_ has quit IRC		15:30
*** mvk_ has quit IRC		15:37
*** rk4n has joined #openstack-keystone		15:39
*** tellesnobrega_af is now known as tellesnobrega		15:41
breton	stevemar: yes	15:42
breton	stevemar: i am working on that bug now	15:42
morgan	stevemar: looks like https://review.openstack.org/#/c/103368/48 is mostly ready to go	15:42
patchbot	morgan: patch 103368 - keystone - Integrate OSprofiler in Keystone	15:42
morgan	stevemar: FYI.	15:42
morgan	havent finished the full review, but it's at the point where they've solved all the issues and we just need to decide to land/not land (before net merge conflict)	15:43
morgan	so if we want osprofiler... we should land it	15:43
morgan	(soonish)	15:43
*** sigmavirus24 is now known as sigmavirus24_awa		15:43
*** sigmavirus24_awa is now known as sigmavirus24		15:43
*** rk4n has quit IRC		15:44
*** daemontool has quit IRC		15:45
*** jaosorior has quit IRC		15:46
*** rk4n has joined #openstack-keystone		15:47
*** jaosorior has joined #openstack-keystone		15:47
*** csoukup has joined #openstack-keystone		15:49
*** spandhe has quit IRC		15:52
bknudson	the keystone.tests.unit.test_v3_auth.TestAuthTOTP.test_with_multiple_users test fails randomly	15:54
stevemar	bknudson: yay	15:57
stevemar	bknudson: whats the error when it fails?	15:57
bknudson	stevemar: webtest.app.AppError: Bad response: 401 Unauthorized (not 201)	16:00
bknudson	http://logs.openstack.org/37/300237/5/check/gate-keystone-python27-db/4b35c7a/console.html#_2016-04-04_19_46_00_307	16:00
openstackgerrit	Boris Bobrov proposed openstack/keystone: Update federated user display name with shadow_users_api https://review.openstack.org/301795	16:01
*** tellesnobrega is now known as tellesnobrega_af		16:02
bknudson	if I put a sleep() in the test it fails. So I assume it's a timing error.	16:03
bknudson	just bad luck getting a code right before it expires	16:03
*** lhcheng has joined #openstack-keystone		16:03
*** ChanServ sets mode: +v lhcheng		16:03
*** dan_nguyen has joined #openstack-keystone		16:05
*** rderose has joined #openstack-keystone		16:06
stevemar	time to evaluate if https://review.openstack.org/#/c/301795/ is an RC blocker \o/	16:11
patchbot	stevemar: patch 301795 - keystone - Update federated user display name with shadow_use...	16:11
ayoung	samueldmq, so close	16:11
openstackgerrit	ayoung proposed openstack/keystone: Extract enforcement logic to its own method https://review.openstack.org/279263	16:12
*** mvk_ has joined #openstack-keystone		16:14
ayoung	once more with feeling	16:14
openstackgerrit	ayoung proposed openstack/keystone: Extract enforcement logic to its own method https://review.openstack.org/279263	16:15
*** tellesnobrega_af is now known as tellesnobrega		16:17
*** mylu has quit IRC		16:18
ayoung	samueldmq, so ^^ still is not quite there. Need to unify the two decorators, and I could not quite get that	16:19
*** woodburn has quit IRC		16:20
*** fawadkhaliq has joined #openstack-keystone		16:21
*** fawadkhaliq has quit IRC		16:22
*** jasonsb has quit IRC		16:22
*** agrebennikov has joined #openstack-keystone		16:24
agrebennikov	stevemar, if you have time today - could you please guide me a little bit through groups usage in case of federation?	16:25
agrebennikov	yesterday we discussed it with ayoung and it seems there are very few people in the world who really use it	16:26
stevemar	agrebennikov: sure	16:26
stevemar	agrebennikov: yep, that's certainly the case	16:26
agrebennikov	stevemar, :) are you aware of Anybody actually>	16:26
agrebennikov	?	16:26
stevemar	agrebennikov: there are definitely a few places using it	16:27
agrebennikov	marekd in CERN?	16:27
stevemar	agrebennikov: more than just him :)	16:27
agrebennikov	do you personally have practical experience?	16:27
*** dflorea has joined #openstack-keystone		16:28
stevemar	i've set it up a few times	16:28
stevemar	haven't in a while :(	16:28
agrebennikov	as a POC as usually? ;)	16:28
*** woodburn has joined #openstack-keystone		16:28
agrebennikov	I mean like almost everybody is doing it	16:28
*** spandhe has joined #openstack-keystone		16:28
stevemar	yeah, my experience is as a PoC	16:29
*** jaugustine has joined #openstack-keystone		16:29
agrebennikov	"lets create a local group and assign it to the tenant. now map all federated users to this local group. done"	16:29
*** rderose has quit IRC		16:29
agrebennikov	stevemar, so my question now is - what is the proper way of manipulating with remote groups and assignments in general	16:29
agrebennikov	in case of federation	16:29
*** wxy has quit IRC		16:30
*** anush_ has joined #openstack-keystone		16:30
agrebennikov	because how it looks to me right now - all remote groups should be always replicated to the local system	16:30
*** dflorea_ has joined #openstack-keystone		16:30
*** rderose has joined #openstack-keystone		16:30
agrebennikov	in order to assign them to the projects	16:30
*** dflorea has quit IRC		16:30
agrebennikov	stevemar, right?	16:30
stevemar	agrebennikov: initially that was the thinking yes, but we're slowly decoupling that	16:31
agrebennikov	stevemar, things like shadow users?	16:32
stevemar	agrebennikov: i guess you want every federated user to have their own tenant/project?	16:32
agrebennikov	stevemar, groups actually	16:32
agrebennikov	users don't make any sense	16:32
agrebennikov	but usually in production we advise users to manipulate with groups	16:32
stevemar	agrebennikov: oh? i had a request to do that at the user level	16:32
stevemar	okay	16:33
agrebennikov	stevemar, how do you then share tenants?	16:33
agrebennikov	stevemar, there is almost 0 real customers who are willing to do the same job twice	16:33
agrebennikov	stevemar, everybody wants to add the user to the group (remotely) in order to allow the access	16:34
stevemar	agrebennikov: the use case i was being desscribed asked for each user to have their own project, i think they were trying to have a public cloud use case	16:34
agrebennikov	stevemar, that's why when you guys decided to remove ldap assignments......	16:34
agrebennikov	we were EXTREMELLYYYYYY disappointed	16:34
agrebennikov	stevemar, yes, for the public it makes kind of sense	16:35
stevemar	agrebennikov: it was deprecated for a year and we sent out multiple notices... we didn't hear anything :\	16:35
agrebennikov	but we are still in a private cloud, arent we? ;)	16:35
stevemar	anyway, different argument	16:35
agrebennikov	stevemar, this is why this time in Austin I'll definitely visit your gang and tell you a couple of words regarding real usecases)))	16:35
*** anush_ has quit IRC		16:35
stevemar	agrebennikov: would love it	16:36
agrebennikov	stevemar, wanted to do it last year..... didn't happen	16:36
agrebennikov	stevemar, so per groups	16:37
stevemar	agrebennikov: i guess your issue is you don't want to create the groups in keystone	16:37
agrebennikov	stevemar, for sure	16:37
agrebennikov	nobody wants it	16:37
stevemar	agrebennikov: cause, for the mapping, you don't need to specify the groups, there is a shortcut you can do if you give them the same name as the remote groups	16:38
agrebennikov	stevemar, but in this case it will say "no such group"	16:39
agrebennikov	no?	16:39
*** anush_ has joined #openstack-keystone		16:39
stevemar	agrebennikov: yes, unless you have the created on the keystone side	16:40
*** nisha has joined #openstack-keystone		16:40
stevemar	agrebennikov: this is basically one of the main issues we have in federated identity, we need to translate properties from one side to the other	16:41
agrebennikov	right	16:41
stevemar	agrebennikov: are you familiar with the shadow user work that was done in mitaka?	16:41
agrebennikov	stevemar, not very deep telling the truth	16:42
dolphm	is there not a sched.org page for the summit schedule?	16:42
*** mhickey has joined #openstack-keystone		16:42
dolphm	all i can find is https://www.openstack.org/summit/austin-2016/summit-schedule/	16:42
agrebennikov	how I understand it - they are just transferred to the mysql	16:43
agrebennikov	on the first auth attempt	16:43
*** trown is now known as trown\|lunch		16:43
agrebennikov	kind of	16:43
stevemar	agrebennikov: basically, yes	16:45
stevemar	agrebennikov: if a federated user comes in, we store a copy of the user in mysql with attributes like their identity provider and name	16:46
stevemar	agrebennikov: i am wondering if we need a similar mechanism for groups, where we store all the groups a federated user comes in with, this would reduce the need for creating the groups remotely	16:47
agrebennikov	stevemar, right, but this is what probably cannot be applied to the groups	16:47
raildo	dolphm: you can create your schedule on this link, but I think we don't have sched.org this time :(	16:47
stevemar	agrebennikov: why do you say that?	16:48
agrebennikov	stevemar, per groups - I'd prefer to store all them based on the filter	16:48
agrebennikov	since the admin may want to assign the group Before the user comes in))	16:48
breton	stevemar: this would mean that the user will get unauthorized first time he comes	16:49
*** diazjf has quit IRC		16:50
stevemar	hmm, nasty problem	16:51
breton	stevemar: i wonder where operators expect assignments to come from in the case where there are neither groups nor users	16:51
agrebennikov	stevemar, not even first. The workflow will be ugly: 1. user tries to authorize, fails (but the group comes in); 2. admin assigns the group; 3. user authorizes successfully	16:51
stevemar	breton: we had an operator say their user had no groups, that wasn't fun	16:52
stevemar	scratch that idea then :P	16:52
agrebennikov	stevemar, so yes, we need groups before	16:53
* breton things about fortress		16:53
breton	*thinks	16:53
stevemar	back in a bit	16:53
breton	still won't work for cases where all identity is in okta/3rd-party-idp	16:54
*** dflorea_ has quit IRC		16:57
nisha	hey all :)	16:58
*** tellesnobrega is now known as tellesnobrega_af		16:59
*** dflorea has joined #openstack-keystone		17:00
*** mhickey has quit IRC		17:02
samueldmq	ayoung: cool, looking	17:03
*** dflorea has quit IRC		17:04
samueldmq	yay nisha, congrats on getting a devstack machine working quickly :)	17:05
samueldmq	(for keystone client functional tests)	17:05
nisha	samueldmq, thanks :)	17:06
*** StefanPaetowJisc has joined #openstack-keystone		17:07
*** jsavak has quit IRC		17:08
*** sdake_ has joined #openstack-keystone		17:10
samueldmq	ayoung: do we really need to change that filters=[] thing at that commit ?	17:10
ayoung	samueldmq, see how that makes the signatures of the two decorators the same?	17:10
ayoung	samueldmq, the goal is to drop filterprotected and merge it into protected	17:10
*** sdake has quit IRC		17:10
ayoung	filterprotected doesn't do everything that filter does yet	17:11
*** nisha_ has joined #openstack-keystone		17:11
*** EinstCrazy has quit IRC		17:11
ayoung	samueldmq, so the next thing I did was replaced the body of filterprotected with the body of protected...and that is where things fell apart	17:12
*** zqfan has quit IRC		17:12
*** nisha has quit IRC		17:14
notmyname	morgan: yeah, I was working on some keystone/swift interactions with timburke, and we had questions. so instead of just join/part all the time, I never left :-)	17:18
morgan	notmyname: hehe	17:19
morgan	notmyname: welcome! :)	17:19
*** tellesnobrega_af is now known as tellesnobrega		17:20
notmyname	morgan: of course, this also means you need to stick with "morgan" ;-)	17:20
*** morgan is now known as notnotmyname		17:21
notnotmyname	notmyname: :P	17:21
*** notnotmyname is now known as morgan		17:21
*** pgreg has joined #openstack-keystone		17:21
morgan	notmyname: it's kindof 50/50 depends on netsplits. i end up switching between morgan/notmorgan :P	17:22
morgan	stevemar: i might/mightnot be at the meeting today.	17:23
morgan	stevemar: will be on an airplane around that time	17:23
*** browne has joined #openstack-keystone		17:24
*** jistr has quit IRC		17:24
stevemar	morgan: rgr	17:27
*** tellesnobrega is now known as tellesnobrega_af		17:33
*** tellesnobrega_af is now known as tellesnobrega		17:33
*** jsavak has joined #openstack-keystone		17:34
*** tellesnobrega is now known as tellesnobrega_af		17:34
*** nisha_ has quit IRC		17:34
*** tellesnobrega_af is now known as tellesnobrega		17:35
*** rderose has quit IRC		17:37
*** tqtran has joined #openstack-keystone		17:37
morgan	stevemar: anything on the agenda o	17:37
morgan	I should toss $0.02 on now?	17:38
*** rderose has joined #openstack-keystone		17:38
*** nisha has joined #openstack-keystone		17:38
*** dflorea has joined #openstack-keystone		17:40
samueldmq	bknudson: in tests/unit/identity	17:40
samueldmq	bknudson: what's the difference between test_backends and test_core ,	17:41
samueldmq	?	17:41
*** jsavak has quit IRC		17:41
bknudson	test_backends contains tests for classes in keystone/identity/backends.py, test_core contains tests for classes in keystone/identity/core.py	17:41
bknudson	that's how it should be anyways	17:41
*** jsavak has joined #openstack-keystone		17:42
*** dflorea has quit IRC		17:42
samueldmq	bknudson: test_backends still use the core.py code (resource_api, identity_api, etc)	17:44
*** dflorea has joined #openstack-keystone		17:44
samueldmq	bknudson: wouldn't it be beter to only use drivers (backends) code when testing them ?	17:44
bknudson	the keystone test structure is really crappy	17:45
samueldmq	let's fix it	17:45
bknudson	I'm trying.	17:45
stevemar	morgan: there is something on the agenda...	17:46
samueldmq	bknudson: for example, patch 212006	17:46
patchbot	samueldmq: https://review.openstack.org/#/c/212006/ - keystone - Create unit tests for endpoint policy drivers	17:46
dstanek	bknudson: i just want to be able to infer where tests are located by the filename	17:46
samueldmq	bknudson: it contains tests for the endpoint policy backends, and it only uses the drivers, not the APIs	17:46
stevemar	morgan: just tests, rodrigods made the change to the agenda	17:46
morgan	stevemar: oh the code of conduct thing too.	17:46
*** mylu has joined #openstack-keystone		17:46
bknudson	samueldmq: added it to my list	17:46
stevemar	morgan: ayoung and i can speak to that	17:47
ayoung	added it to the agenda already	17:47
samueldmq	bknudson: thanks, that needs an update, probably should be in test_backends.py	17:47
morgan	I'll try and be there for that.	17:47
samueldmq	bknudson: I will do that, then you will get it updated when it reach the top of your queue :)	17:47
samueldmq	reaches	17:47
bknudson	samueldmq: here's my attempt at identity driver tests -- https://review.openstack.org/#/c/291950/	17:48
patchbot	bknudson: patch 291950 - keystone - Define identity interface - easy cases	17:48
bknudson	samueldmq: note that it can also test against live databases (mysql and postresql)	17:48
bknudson	postgresql	17:48
samueldmq	bknudson: cool, that's what I was talking about	17:49
samueldmq	bknudson: testing the driver's interface	17:50
*** dflorea has quit IRC		17:50
*** nisha_ has joined #openstack-keystone		17:51
*** dflorea has joined #openstack-keystone		17:52
*** nisha has quit IRC		17:55
*** dflorea has quit IRC		17:56
*** dflorea has joined #openstack-keystone		17:57
*** shaleh has joined #openstack-keystone		17:57
*** dflorea has quit IRC		17:58
*** jsavak has quit IRC		17:59
*** jsavak has joined #openstack-keystone		17:59
*** dflorea has joined #openstack-keystone		18:02
*** trown\|lunch is now known as trown		18:02
*** dflorea has quit IRC		18:03
*** dflorea has joined #openstack-keystone		18:03
*** timcline has joined #openstack-keystone		18:04
*** mylu has quit IRC		18:05
*** jsavak has quit IRC		18:06
*** jsavak has joined #openstack-keystone		18:06
*** e0ne has quit IRC		18:10
*** nisha_ is now known as nisha		18:12
*** diazjf has joined #openstack-keystone		18:12
nisha	samueldmq, I added the line in local.conf file and ran ./stack.sh again successfully	18:14
nisha	samueldmq, what can I do next? :)	18:14
samueldmq	nisha: great	18:14
samueldmq	nisha: go to your python-keystoneclient dir	18:15
samueldmq	nisha: and download https://review.openstack.org/#/c/289306/	18:15
patchbot	samueldmq: patch 289306 - python-keystoneclient - Add users functional tests	18:15
*** pushkaru has quit IRC		18:15
nisha	samueldmq, yeah sure! doing it	18:16
nisha	samueldmq, where is it located ? sorry it doesn't show up on doing ls -a in devstack dir	18:18
samueldmq	nisha: it's at the same level as devstack is	18:19
samueldmq	nisha: should be ~/python-keystoneclient	18:19
*** pgreg has quit IRC		18:22
nisha	samueldmq, I think I did something wrong earlier, have a look please http://paste.openstack.org/show/493047/	18:24
*** dflorea has quit IRC		18:26
*** pushkaru has joined #openstack-keystone		18:27
*** StefanPaetowJisc has quit IRC		18:29
samueldmq	nisha: did you create the user called stack ?	18:31
*** StefanPaetowJisc has joined #openstack-keystone		18:32
*** StefanPaetowJisc has left #openstack-keystone		18:33
*** dflorea has joined #openstack-keystone		18:33
*** jsavak has quit IRC		18:33
*** jsavak has joined #openstack-keystone		18:34
*** dflorea has quit IRC		18:38
nisha	samueldmq, yes i did	18:38
*** stingaci has joined #openstack-keystone		18:39
nisha	using $ groupadd stack and $ useradd -g stack -s /bin/bash -d /opt/stack -m stack	18:39
*** dflorea has joined #openstack-keystone		18:39
samueldmq	nisha: I normally log in with that user	18:39
samueldmq	nisha: and run ./stack.sh with it	18:39
samueldmq	nisha: python-keystoneclient should be in stack's home	18:40
nisha	how should I log in ? can you tell that part again please	18:40
*** rcernin has quit IRC		18:41
samueldmq	nisha: like you login as nisha	18:42
samueldmq	nisha: are you connecting via ssh ?	18:43
samueldmq	nisha: is it a virtual machine ?	18:43
*** dflorea has quit IRC		18:44
*** Don_Nalezyty has quit IRC		18:44
nisha	Yes, i am using an ubuntu vm	18:44
samueldmq	nisha: you connect to it with something like: 'ssh nisha@x.x.x.x' right ?	18:46
nisha	hmm, I did that long back, yup	18:48
nisha	samueldmq, when I ran ./stack.sh command it completed after saying The default users are: admin and demo and it gave me a password	18:50
nisha	samueldmq, should i be using that here to login	18:50
samueldmq	nisha: no, I am talking about log in in the vm, not log in in the cloud	18:52
samueldmq	nisha: when you created stack user, you created its home	18:52
samueldmq	nisha: look at /opt/stack	18:52
nisha	samueldmq, hmm okay	18:52
*** AJaeger has joined #openstack-keystone		18:52
samueldmq	nisha: and see if python-keystoneclient is in there	18:52
AJaeger	keystone team, I fear your mitaka branch is broken, have a look at https://review.openstack.org/300953 - the keystone-coverage-db job is failing there.	18:53
nisha	samueldmq, yup it is there	18:53
AJaeger	keystone team,should the job run on that branch at all?	18:53
stevemar	AJaeger: looking	18:54
*** phalmos has quit IRC		18:54
samueldmq	nisha: cool, you should go there and download that patch	18:54
nisha	samueldmq, alright! thanks	18:54
AJaeger	thanks, stevemar. Might be an unrelated issue as well, I couldn't figure it out ;(	18:54
samueldmq	nisha: do a 'ls -l' there and see if it belongs to nisha or stack user	18:54
samueldmq	nisha: if stack, you can switch to that user with 'su stack'	18:55
knikolla	roxanaghe, yes, but not until we have a way to mock ldap.	18:55
samueldmq	(if it still doesnt' have a password, create it with 'sudo passwd stack')	18:55
samueldmq	nisha: ^	18:55
*** e0ne has joined #openstack-keystone		18:55
roxanaghe	knikolla, I was looking at the existing fakeldap and I think it could be refactored a little bit to be suitable for ldap3 mocking as well	18:56
stevemar	AJaeger: this is weird: http://logs.openstack.org/53/300953/1/check/keystone-coverage-db/3c59c4a/console.html#_2016-04-04_12_07_05_460	18:56
stevemar	AJaeger: there was a 25 minute gap with no logging	18:56
AJaeger	stevemar: argh ;(	18:56
stevemar	AJaeger: timeout?	18:56
roxanaghe	bknudson, ayoung any opinion on refactoring fakeldap to suit ldap3 mocking as well?	18:57
AJaeger	stevemar: might be - let's recheck again?	18:57
stevemar	AJaeger: done	18:57
morgan	AJaeger: that is a weird one	18:57
AJaeger	thanks	18:57
morgan	roxanaghe: I wish it was easier to just mock at the socket level for LDAP data.	18:58
ayoung	roxanaghe, you really want me to take that on, don't you?	18:58
morgan	Since I am on a plane all tomorrow I might see if it is possible.	18:59
roxanaghe	ayoung, nop	18:59
ayoung	morgan, and some form of in-memory LDAP server written in Python that could respond	18:59
morgan	Then we could test any LDAP server	18:59
nisha	samueldmq, it belongs to nisha user not stack user	18:59
morgan	ayoung: yeah. I was thinking something like betamax that can record real transactions and then replay them.	18:59
ayoung	roxanaghe, have you made a stab at it yet? WHat kind of issues would there be?	18:59
samueldmq	nisha: ok so just keep using nisha :)	19:00
morgan	Or similar.	19:00
samueldmq	nisha: go in there and download the patch	19:00
*** AJaeger has left #openstack-keystone		19:00
stevemar	breton: for https://review.openstack.org/#/c/301795/1 does it happen regardless of user name change? cc dolphm	19:01
patchbot	stevemar: patch 301795 - keystone - Update federated user display name with shadow_use...	19:01
nisha	samueldmq, will do that !	19:01
knikolla	stevemar, rodrigods want to add this to the meeting next week? https://etherpad.openstack.org/p/Keystone-Federation-Testing	19:03
stevemar	knikolla: sure, you know how to update the agenda?	19:03
rodrigods	knikolla, sure, if we figure out the steps :)	19:03
roxanaghe	ayoung, no unmanageable issues yet, fakeldap uses a dictionary underneath so should work for another ldap lib in theory	19:03
knikolla	stevemar, i think i can figure that out	19:04
*** e0ne has quit IRC		19:05
ayoung	roxanaghe, IF you can port fake as is, I think it is the surest path forward. We can also plan on replacing fake in the future with a better mocking tool if we discover it, but lets assume that we are stuck with fake	19:05
stevemar	knikolla: i have the utmost belief that you can!	19:05
morgan	We are stuck with fakeldap for now.	19:05
morgan	ayoung: unless we write a tool.	19:05
knikolla	stevemar, if OpenID allowed me to login though, i just get a blank page	19:05
stevemar	knikolla: :)	19:05
stevemar	knikolla: as a heads up, there is a security question now when you save your changes, it's at the top of the page	19:06
ayoung	morgan, So I just got my tftp server working in Rust. Maybe I could adapt that?	19:06
ayoung	its read only	19:06
morgan	Nah. I'd look at a real socket mock for our unit tests instead of running another server -- if it is really a unit test	19:07
morgan	Vs functional.	19:07
samueldmq	nisha: after you do that, just run 'tox -e functional' inside python-keystoneclient	19:07
samueldmq	nisha: and funcitonal tests will run against the cloud devstack created :)	19:08
nisha	samueldmq, okay sir :)	19:08
openstackgerrit	Dolph Mathews proposed openstack/keystone: Update federated user display name with shadow_users_api https://review.openstack.org/301795	19:09
*** stingaci has quit IRC		19:10
dolphm	stevemar: rderose: ^	19:11
rderose	dolphm: just saw your latest patch	19:11
dolphm	stevemar: rderose: i added some assertions to the tests, and was surprised that they didn't pass	19:11
knikolla	ayoung, morgan, removing the fake part, could i theoretically run the unit tests as functional tests?	19:12
dolphm	stevemar: rderose: i would have just left a code review, but given this is potentially a last minute RC blocker	19:12
knikolla	for ldap	19:12
*** stingaci has joined #openstack-keystone		19:12
morgan	Maybe?	19:12
rderose	dolphm: let me see where it's failing	19:12
rodrigods	bknudson, dstanek, ayoung, stevemar, are you in -qa?	19:13
dstanek	rodrigods: yes	19:13
rodrigods	mtreinish has some thoughts about the keystone tempest plugin	19:13
breton	stevemar: yes, regardless	19:13
stevemar	breton: damn	19:13
stevemar	breton: new patch btw: https://review.openstack.org/#/c/301795/2/keystone/tests/unit/test_v3_identity.py	19:14
patchbot	stevemar: patch 301795 - keystone - Update federated user display name with shadow_use...	19:14
stevemar	rodrigods: i'm a bit occupied with the rc bug atm, i'll have to settle with reading the scrollback in -qa	19:14
breton	stevemar: this is the another bug dolphm is talking about	19:15
breton	stevemar: and it deserves a separate bugreport	19:15
*** rderose_ has joined #openstack-keystone		19:15
stevemar	yes	19:15
bknudson	rodrigods: I am in qa	19:16
rodrigods	stevemar, np, think we are covered with bknudson and dstanek :)	19:16
rodrigods	thanks	19:16
*** rderose has quit IRC		19:16
breton	Code Review - Error	19:16
breton	Server Unavailable	19:17
breton	:(	19:17
*** ametts has quit IRC		19:17
*** stingaci_ has joined #openstack-keystone		19:17
*** e0ne has joined #openstack-keystone		19:18
dolphm	breton: so, handle my comment in a separate bug report?	19:18
*** stingaci has quit IRC		19:18
stevemar	breton: dolphm: not updating the display name is a much lower priority bug and not an rc blocker	19:18
dolphm	stevemar: ++	19:19
breton	dolphm: agreed. Will file now	19:19
stevemar	breton: want to file... thanks! :)	19:19
stevemar	dolphm: update the patch with the new bug number and let's land this sucker	19:20
stevemar	rderose_: are you good with the patch? you are mr. shadow user	19:20
dolphm	i like that	19:20
rderose_	stevemar: yes	19:20
dolphm	rdeshadow	19:20
stevemar	we have a game plan	19:20
rderose_	dolphm: :)	19:21
openstackgerrit	werner mendizabal proposed openstack/keystone-specs: Credential Encryption https://review.openstack.org/284950	19:21
dolphm	breton: still fails on the third call as well, for me	19:21
rderose_	stevemar dolphm: just trying to figure out the separate issue dolph uncovered	19:21
breton	dolphm: oh.	19:21
dolphm	breton: i added a third call http://cdn.pasteraw.com/fvpvbj9pjjunfczjgetwcmihhzzs3s9	19:22
dolphm	breton: and the failure: http://cdn.pasteraw.com/n14dwccymednh6euzqdysfp4bcohjt4	19:22
stevemar	dolphm: the ID changes if the user logs in 3 times?	19:23
stevemar	oh thats the name, just a UUID, duh	19:24
dolphm	stevemar: right	19:25
stevemar	breton: file that bug :P	19:25
breton	dolphm: is it even correct after the first call?	19:25
dolphm	breton: let me double check that	19:25
stevemar	breton: we just need a number for now, to write in the patch	19:25
dolphm	breton: oh, i already had an assertion to test exactly that, so yes	19:26
*** phalmos has joined #openstack-keystone		19:26
stevemar	its going to take a few hours to make this merge in master and stable/mitaka	19:28
dolphm	breton: stevemar: i left a +2 and a comment - i have to run to a dentist appointment and i'll be back shortly	19:28
stevemar	then release	19:29
stevemar	dolphm: thanks	19:29
breton	stevemar: https://bugs.launchpad.net/keystone/+bug/1566494	19:29
openstack	Launchpad bug 1566494 in OpenStack Identity (keystone) "Federated user's name is not updated if changed in idp" [Undecided,New]	19:29
*** jsavak has quit IRC		19:29
*** jsavak has joined #openstack-keystone		19:29
*** clenimar has joined #openstack-keystone		19:31
*** ametts has joined #openstack-keystone		19:31
*** sdake_ has quit IRC		19:31
*** gordc has quit IRC		19:33
*** nisha has quit IRC		19:34
*** e0ne has quit IRC		19:35
stevemar	dolphm: rderose_ breton okay, merging...	19:36
breton	wait	19:36
breton	stevemar:	19:37
rderose_	stevemar: I'm okay, but working on the new issue...	19:37
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix totp test fails randomly https://review.openstack.org/301881	19:37
*** jsavak has quit IRC		19:37
*** stingaci_ has quit IRC		19:38
*** dflorea has joined #openstack-keystone		19:38
stevemar	breton: ?	19:39
breton	stevemar: we shall have to fix the tests before backporting	19:39
breton	if we are not going to backport that display_name issue	19:39
breton	otherwise ok	19:39
stevemar	breton: the tests are passing in jenkins, we can backport the display name issue in the next mitaka release	19:40
*** sdake has joined #openstack-keystone		19:40
stevemar	breton: the display_name fix will land in 9.0.0.1, does that make sense?	19:42
*** david_cu has quit IRC		19:42
*** dflorea has quit IRC		19:43
breton	yep	19:43
*** sdake has quit IRC		19:44
*** sdake has joined #openstack-keystone		19:46
*** jaosorior has quit IRC		19:54
bknudson	rodrigods: btw, thanks for actually proposing tempest tests for keystone function	19:54
*** gordc has joined #openstack-keystone		19:54
rodrigods	bknudson, np... i really want to close the feature/tests gap here	19:54
rodrigods	i still think that having them in our tree is valuable, but i'm fine with whatever conclusion you make :)	19:55
bknudson	rodrigods: I can sure see why you'd propose moving tests to keystone if you're abandoning useful tests in tempest.	19:57
rodrigods	yeah :(	19:58
*** sdake_ has joined #openstack-keystone		19:58
mtreinish	rodrigods: I never said all testing should exclusively happen in tempest. You should have in tree tests too, it's about making a testing pyramid	19:59
mtreinish	I just said doing it via a tempest plugin in-tree wasn't what I viewed as a good approach	19:59
rodrigods	mtreinish, sure, and will ping you a lot whenever such doubts happen :)	19:59
rodrigods	thanks!	19:59
rodrigods	have to leave here, will be back in a hour or so	19:59
*** diazjf has quit IRC		20:00
*** david_cu has joined #openstack-keystone		20:00
*** jsavak has joined #openstack-keystone		20:00
*** sdake has quit IRC		20:01
ayoung	mtreinish, Do you have a rule of thumb about what tests should be in tempest versus what should be in Keystone?	20:03
mtreinish	ayoung: mriedem quoted some of my thoughts on that on the ML (well talking about nova) here: http://lists.openstack.org/pipermail/openstack-dev/2015-October/078025.html	20:05
*** mylu has joined #openstack-keystone		20:05
ayoung	mtreinish, reading	20:05
mtreinish	it's a convenient link when that question gets asked :)	20:05
*** csoukup has quit IRC		20:06
mtreinish	that quote is more or less the biggest thought in my head when I'm debating whether something belongs in tempest	20:06
*** tqtran has quit IRC		20:06
*** pushkaru has quit IRC		20:06
ayoung	mtreinish, So, Keystone is kindof the highest point on the hill. It all rolls downhill from there.	20:07
*** pushkaru has joined #openstack-keystone		20:08
ayoung	SO, we have things that call into Keystone, Keystone does not call into anything else in OpenStack, with the exception of notifications	20:08
ayoung	We have a need for LDAP and real MySQL tests	20:08
ayoung	And Federation	20:08
dstanek	ayoung: except for k2k or federation tests	20:08
mtreinish	ayoung: right, which makes keystone a bit different for somethings with that nova example	20:09
ayoung	dstanek, K2K is stil Keystone. Doesn't need any other services. And Federation is outside of OpenStack, too; so, right.	20:09
mtreinish	and personally because of it's importance as the base req in openstack I'm more open to adding keystone tests to tempest	20:09
ayoung	mtreinish, we have a simple echo server that we can use to test things like middleware and we have the client and auth code that we should be testing against a live server	20:09
dstanek	ayoung: outside of openstack sure. i was thinking outside of the SUT	20:10
ayoung	So where do we draw the line?	20:10
ayoung	dstanek, right...I agree with you. I was making a different distinction. We change, we might break nova. But OpenLDAP does not care if they break us.	20:10
mtreinish	ayoung: I think the fundamental question is flawed. Duplication here isn't a bad thing, you should be asking what do we want in tempest (given the external testing and stuff I mentioned in that link)	20:11
ayoung	If Notifications changed, or oslo-* in generakl, it might break us	20:11
mtreinish	but you should strive to have in tree testing that covers everything	20:11
mtreinish	the whole testing pyramid I was mentioning before	20:11
mtreinish	you don't need devstack to spin up a working keystone, have lower level tests in tree that spin up a keystone with different backends and do requests	20:12
bknudson	the pyramid is the most powerful shape	20:12
mtreinish	(look at nova's api tests neutron's full stack, etc)	20:12
ayoung	mtreinish, yeah, but you have to watch out for those danged stargates	20:12
lbragstad	bknudson it's a super shape	20:12
*** sdake_ has quit IRC		20:12
mtreinish	ayoung: just call the asgard in that case :)	20:12
*** sdake has joined #openstack-keystone		20:13
ayoung	So it is still not clear to me what we consider contract. We have a pretty strict contract with the Keystone API (especially v3) that we assume must continue to be honored	20:14
ayoung	that is the taoke issue validation part, but much more, it is all the admin for Keystone	20:15
ayoung	create user, assign role, set policy	20:15
ayoung	If we change that, the only thing that will notice is Horizon.	20:15
*** spzala has quit IRC		20:15
ayoung	nova, glance just care about token issue and validation	20:15
ayoung	Now, personally, I've wanted to have better functional testing in Keystone for a while, so I am happy to take on the whole kit-and-kaboodle	20:16
ayoung	but now the question is "who should be able to approve test changes?"	20:16
*** david_cu has quit IRC		20:17
ayoung	are we treating Tempest as the "other accountant" for a double set of books?	20:17
ayoung	or do we trust the Keystone code review process to be stringent enough?	20:17
mtreinish	ayoung: double book accounting is a good analogy (I've used it before for describing this)	20:18
ayoung	One reason I would like the Keystone tests to be in a separate repo, even if it is managed by the Keystone team is that it makes changes to test a deliberate, and separate, step from changing code.	20:18
mtreinish	ayoung: right, that's one of the advantages of doing it in tempest	20:18
mtreinish	I know we've more than a few breaking api changes in keystone because of that	20:19
ayoung	mtreinish, well, I've also seen Tempest tests that lock us into decisions that are not what Keystone is committed to supporting.	20:22
ayoung	Like, just because we create a domain called "default" does not mean that there needs to be one.	20:22
ayoung	And from a "understand the system" perspective, we can do so much more in depth testing of keystone service than the Tempest team can, and it makes more sens for Keystone folks to review the test plans.	20:23
ayoung	Now, you might suggest that we come over to tempest land to review.	20:23
mtreinish	ayoung: a bit of both actually. I just was pushign for you to have intree tests that are more exhaustive and also have tests in tempest (which lock you hard)	20:24
mtreinish	and for tempest stuff I know I bug keystone core people if I'm unsure of something	20:25
*** dflorea has joined #openstack-keystone		20:25
*** stingaci has joined #openstack-keystone		20:26
mtreinish	fwiw, the domain support in tempest is kinda a mess. Just ask jamielennox\|away he was playing with it for a while :)	20:26
*** david_cu has joined #openstack-keystone		20:26
*** david-lyle_ has joined #openstack-keystone		20:28
*** david-lyle has quit IRC		20:29
*** david-lyle_ is now known as david-lyle		20:29
knikolla	stevemar, well, apparently they don't allow new accounts in the wiki so I can't edit it.	20:32
*** mylu has quit IRC		20:32
*** vgridnev_ has joined #openstack-keystone		20:32
mtreinish	knikolla: the wiki is being pretty heavily spammed right now, so they've locked it down and also added a really annoying captcha	20:33
*** david_cu has quit IRC		20:33
mtreinish	there's a longish thread on the -infra ML about it	20:33
knikolla	mtreinish, yeah, i asked on infra about that.	20:34
*** tqtran has joined #openstack-keystone		20:34
*** stingaci_ has joined #openstack-keystone		20:39
*** stingaci has quit IRC		20:39
*** vgridnev_ has quit IRC		20:42
*** mylu has joined #openstack-keystone		20:43
*** dflorea has quit IRC		20:44
*** sheel has quit IRC		20:47
*** diazjf has joined #openstack-keystone		20:47
*** jamielennox\|away is now known as jamielennox		20:49
*** dflorea has joined #openstack-keystone		20:51
*** stingaci_ has quit IRC		20:52
*** raildo is now known as raildo-afk		20:54
*** ChanServ sets mode: +v topol_		20:55
*** topol_ is now known as topol		20:55
lbragstad	breton have a couple free minutes to check the response to https://review.openstack.org/#/c/294305/ ?	20:59
patchbot	lbragstad: patch 294305 - keystone - Moved name formatting (clean) out of the driver	20:59
*** trown is now known as trown\|outtypewww		20:59
*** stingaci has joined #openstack-keystone		21:00
*** vgridnev_ has joined #openstack-keystone		21:01
*** pauloewerton has quit IRC		21:03
*** darrenc_ is now known as darrenc		21:05
breton	lbragstad: in 1h, sorry for long silence	21:05
lbragstad	breton no worries - just a friendly reminder :)	21:06
*** lhcheng has quit IRC		21:06
*** jaugustine has quit IRC		21:07
*** dflorea has quit IRC		21:09
*** dflorea has joined #openstack-keystone		21:09
*** lhcheng has joined #openstack-keystone		21:11
*** ChanServ sets mode: +v lhcheng		21:11
*** knikolla has quit IRC		21:20
*** david_cu has joined #openstack-keystone		21:20
*** dflorea has quit IRC		21:21
mfisch	stevemar: hey PTL, question for you. Why don't I see CVE or OSSN references in the git commit logs? That would be useful	21:21
mfisch	maybe a good reason...	21:22
*** dflorea has joined #openstack-keystone		21:22
*** dflorea has quit IRC		21:23
*** stingaci has quit IRC		21:24
*** rk4n has quit IRC		21:26
*** mylu has quit IRC		21:26
*** pushkaru has quit IRC		21:26
*** diazjf has quit IRC		21:27
*** rk4n has joined #openstack-keystone		21:30
*** sdake_ has joined #openstack-keystone		21:30
*** diazjf has joined #openstack-keystone		21:30
*** sdake has quit IRC		21:33
*** mylu has joined #openstack-keystone		21:36
*** sdake_ has quit IRC		21:37
*** sdake has joined #openstack-keystone		21:38
*** sdake has quit IRC		21:39
*** knikolla has joined #openstack-keystone		21:39
openstackgerrit	Merged openstack/keystone: Update federated user display name with shadow_users_api https://review.openstack.org/301795	21:41
*** dflorea has joined #openstack-keystone		21:46
*** rk4n has quit IRC		21:46
*** anush_ has quit IRC		21:46
*** clayton has quit IRC		21:47
*** clayton has joined #openstack-keystone		21:47
*** tjcocozz has quit IRC		21:48
*** jdandrea has joined #openstack-keystone		21:48
*** tjcocozz has joined #openstack-keystone		21:49
*** mylu_ has joined #openstack-keystone		21:49
*** mylu has quit IRC		21:50
dolphm	mfisch: the fixes are landed before the OSSN goes out	21:50
dolphm	mfisch: there should be a CVE reference available, but then there'd be a race between "hey, this commit references a CVE i can't read, and there's no OSSN published?!"	21:51
*** dave-mccowan has quit IRC		21:55
*** jsavak has quit IRC		21:55
*** david_cu has quit IRC		21:55
*** david_cu has joined #openstack-keystone		21:56
openstackgerrit	Arun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf https://review.openstack.org/279828	21:57
*** mylu_ has quit IRC		21:57
rodrigods	ayoung, dstanek, bknudson, are we going to move the keystone tempest plugin thing forward?	22:00
*** diazjf has quit IRC		22:00
*** dflorea has quit IRC		22:00
*** david_cu has quit IRC		22:01
ayoung	rodrigods, I thought we had agreed that we were. Is it still not clear? Is there some other point that I missed?	22:01
*** sigmavirus24 is now known as sigmavirus24_awa		22:01
rodrigods	ayoung, after the whole discussion today in -qa i wasn't sure anymore :)	22:02
bknudson	we can always undo whatever we do in this space so might as well go ahead. We shouldn't get blocked waiting on a summit discussion	22:02
ayoung	rodrigods, I don't think it fundamentally changed anything .	22:02
ayoung	rodrigods, what bknudson just said	22:02
*** dave-mccowan has joined #openstack-keystone		22:02
*** slberger has left #openstack-keystone		22:02
*** dflorea has joined #openstack-keystone		22:02
ayoung	rodrigods, so what you are areally asking is for me to approve your 7K line patch?	22:03
bknudson	one of the problems with summits is things get blocked for weeks in advance	22:03
rodrigods	bknudson, ayoung, good, i just need the cores blessing :P	22:03
*** mylu has joined #openstack-keystone		22:03
rodrigods	ayoung, nope, i want to write some new tests asap, and would be nice to know where to target them	22:04
bknudson	new tests should be targeted to tempest anyways	22:04
*** dflorea has quit IRC		22:04
bknudson	if they don't want it then we'll put it in keystone	22:04
ayoung	rodrigods, what tests. I am not certain I agreee with bknudson on Tempest first	22:05
rodrigods	bknudson, yeah... it is just matter of who is going to review them i suppose	22:05
ayoung	I think Keystone first	22:05
rodrigods	ayoung, federation CRUD: idps, mappings, sps, protocols	22:06
ayoung	We can always add tests.	22:06
ayoung	Yeah, start with Keystone, and, if Tempest wants them, they can grab them	22:06
bknudson	I can review changes in tempest.	22:06
*** stingaci has joined #openstack-keystone		22:06
*** dflorea has joined #openstack-keystone		22:06
ayoung	less overhead, and more subject matter expertise in Keystone. bknudson can review, but I won't see them there	22:06
rodrigods	ok	22:07
ayoung	I think we should treat Tempest as a "promotion" of a functional test/	22:07
ayoung	"we want this one to stand the test of time..."	22:07
rodrigods	ayoung, yeah! that was my thinking too	22:07
*** dflorea has quit IRC		22:07
ayoung	whereas In Keystone is it "we want to make sure this works now"	22:07
rodrigods	+++++	22:07
breton	lbragstad: /me shrugs	22:08
breton	lbragstad: now i would ask to de-deplicate the bugreport, because now there are 2 issues in 1 report	22:08
breton	one about the behavior, another about cleaning up the code	22:09
*** dflorea has joined #openstack-keystone		22:09
*** vgridnev_ has quit IRC		22:09
rodrigods	ayoung, bknudson, btw, regarding https://review.openstack.org/#/c/301398/, we don't import from tempest.services, we need to copy	22:09
patchbot	rodrigods: patch 301398 - keystone - Migrate tempest tests into keystone tree	22:09
ayoung	rodrigods, that is the Tempest Client?	22:10
rodrigods	yes	22:10
breton	lbragstad: +1d	22:11
knikolla	ayoung, can you give an example of what would be enough as a functional test, and what would need to be in tempest to stand the test of time?	22:11
ayoung	knikolla, No I can't. I've been trying to frame that in my head for a while now.	22:11
*** mylu has quit IRC		22:11
ayoung	knikolla, LDAP would not be "test of time"	22:11
ayoung	LDAP is backend, and that should be able to vary	22:11
breton	i guess the worst part is setup of functional tests	22:12
*** dflorea has quit IRC		22:12
knikolla	ayoung, in a generic way, not only for LDAP. I think we need to define a clear dividing line.	22:12
bknudson	being able to get a token and validate a token	22:12
ayoung	breton, right, which is part of the reason we don't have an LDAP functional test yet	22:12
breton	there was a [atch by dstanek	22:13
breton	*patch	22:13
ayoung	knikolla, so, we put tests into Keystone, and its up to Tempest to steal them from us.	22:13
breton	with devstack setup with help of plugins	22:13
*** mylu has joined #openstack-keystone		22:13
breton	i am actually planning to restore it	22:13
*** browne has quit IRC		22:14
*** dflorea has joined #openstack-keystone		22:14
knikolla	hmmmm...	22:14
bknudson	it should be pretty easy to have a tempest ldap job in keystone	22:15
bknudson	since devstack already supports it	22:15
bknudson	but then, I also thought it would be easy to have a tempest fernet job.	22:16
morgan	you now it's nice being home...	22:16
* morgan waves at folks.		22:16
breton	bknudson: are there examples how to add such jobs with special config? What to read about it?	22:16
rodrigods	breton, this is a really common doubt	22:17
rodrigods	i have it myself	22:17
*** timcline has quit IRC		22:17
bknudson	breton: https://review.openstack.org/#/c/264991/ might be a good example	22:18
patchbot	bknudson: patch 264991 - openstack-infra/project-config - Keystone-only uwsgi job (MERGED)	22:18
bknudson	it sets some devstack options	22:18
*** timcline has joined #openstack-keystone		22:18
bknudson	not sure how you would enable ldap service, but couldn't be too hard.	22:18
breton	ok, so i googled before	22:19
breton	but only now ran into https://wiki.openstack.org/wiki/Neutron/FunctionalGateSetup	22:19
*** gordc has quit IRC		22:19
rodrigods	bknudson, ^ that's the part i don't know	22:19
rodrigods	and adding new dsvms types might need extra resources?	22:19
rodrigods	not sure	22:19
bknudson	infra might complain that we've got too many jobs.	22:20
bknudson	we could probably combine some if we get too many.	22:20
bknudson	for example, make the uwsgi job that we're already running use ldap	22:20
rodrigods	hmm true	22:20
dstanek	bknudson: it should be as simple as setting a few more variables to setup ldap	22:21
*** dflorea has quit IRC		22:21
knikolla	would devstack in that case install and configure a real LDAP server?	22:22
breton	in neutron example above they do things by setting shell variables	22:22
dstanek	knikolla: yes, it can do that now	22:23
*** timcline has quit IRC		22:23
breton	knikolla: yes	22:23
ayoung	I tricked topol into doing LDAP in Devstack years ago.	22:23
ayoung	its like MySQL. You add it it to the list of services...lets seee it is	22:24
bknudson	he wanted to do it	22:24
ayoung	default are ENABLED_SERVICES=key,n-api,n-cpu,n-net,n-cond,n-sch,n-novnc,n-crt,n-cauth,g-api,g-reg,c-sch,c-api,c-vol,horizon,rabbit,tempest,mysql,dstat	22:24
ayoung	I think you can just add ldap to that list	22:25
knikolla	ayoung, yeah, i remember doing that, adding ldap to the list worked, my emphasis was on real ldap server.	22:25
bknudson	you'll need to add ldap to the list and also set the passwords	22:25
bknudson	openldap burn!!	22:25
ayoung	http://git.openstack.org/cgit/openstack-dev/devstack/tree/stack.sh#n667	22:26
ayoung	I would not set # set ``KEYSTONE_IDENTITY_BACKEND`` to ``ldap``	22:26
*** jamielennox is now known as jamielennox\|away		22:26
ayoung	instead, create a domain, and use a domain specific backend	22:26
bknudson	I don't think devstack supports that setup	22:27
bknudson	yet	22:27
ayoung	bknudson, you can do it after the fact	22:27
dstanek	knikolla: this is my template from ansible http://paste.openstack.org/show/493087/	22:27
ayoung	bknudson, need to do something like this: http://adam.younglogic.com/2016/03/v3fromv2/ and then use the V3 API	22:27
dstanek	ayoung: i always set KEYSTONE_IDENTITY_BACKEND to ldap	22:28
bknudson	keystone.rc -- is that like clouds.yaml?	22:28
dstanek	bknudson: keystone.rc?	22:28
bknudson	dstanek: regarding http://adam.younglogic.com/2016/03/v3fromv2/	22:29
knikolla	ayoung, https://github.com/knikolla/ansible-k2k/blob/master/roles/devstack/scripts/modify_rcfile.sh	22:29
*** dflorea has joined #openstack-keystone		22:29
dstanek	bknudson: that's the first i've seen of that :-)	22:30
bknudson	seems like every deployer creates a shell script to source.	22:30
bknudson	someday they'll switch to clouds.yaml.	22:31
knikolla	bknudson, i've never worked with a cloud.yaml file before, interestingly enough.	22:31
bknudson	knikolla: you're missing out. It's awesome.	22:32
bknudson	devstack updates clouds.yaml	22:32
dstanek	knikolla: you should convert. much better experience.	22:32
*** mylu has quit IRC		22:33
knikolla	bknudson, dstanek: probably will.	22:33
*** dflorea has quit IRC		22:34
*** woodster_ has joined #openstack-keystone		22:34
bknudson	dstanek: you use ansible to drive devstack?	22:35
dstanek	yessir	22:35
knikolla	ansible is awesome	22:36
dstanek	bknudson: i've been working on publishing my stuff, but there is still too many nsfw comments and passwords	22:36
dstanek	i use ansible to setup my macbook air and dell laptops	22:36
* breton thinks about moving to guix for these kind of things		22:38
*** mylu has joined #openstack-keystone		22:41
dstanek	breton: isn't guix an alternative package manager? iirc it's not a configuration management system	22:41
*** dflorea has joined #openstack-keystone		22:42
*** mylu has quit IRC		22:42
*** Ephur has quit IRC		22:44
openstackgerrit	Merged openstack/keystone: remove endpoint_policy from contrib https://review.openstack.org/294816	22:50
*** knikolla has quit IRC		22:52
*** mylu has joined #openstack-keystone		22:53
*** mylu has quit IRC		22:57
*** ametts has quit IRC		22:58
*** knikolla has joined #openstack-keystone		23:04
*** mylu has joined #openstack-keystone		23:04
ayoung	knikolla, you need domains too	23:08
knikolla	ayoung, btw, what is the correct way to integrate an existing software (not part of openstack) so that it can use keystone for authentication?	23:11
ayoung	knikolla, don't	23:11
ayoung	keystone is dumb	23:11
ayoung	integrate directly with the IdP instead	23:11
knikolla	ayoung, we have different services which need a common way to auth. Using keystone and having it use an LDAP backed would save us the need to write auth logic for each one.	23:13
ayoung	knikolla, use Kerberos off LDAP instead	23:13
ayoung	or use X509 CLient auth	23:13
ayoung	or Use SAML	23:14
ayoung	knikolla, with FreeIPA, I would recommend Kerberos, and mod_lookup_identity as the baseline	23:14
knikolla	ayoung, i'll investigate those.	23:16
ayoung	knikolla, I have blog posts that might help	23:16
ayoung	https://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/	23:16
knikolla	ayoung, hmmm. so in that case apache would talk with FreeIPA instead of the application?	23:19
ayoung	knikolla, yep. You can always fall back to direct LDAP,	23:19
ayoung	but then you end up dealing with LDAP configuration on all of the remote systems	23:20
ayoung	and mod_auth_ldap is pretty static	23:20
*** stingaci has quit IRC		23:21
knikolla	ayoung, i see, similar to how mod_shib understands saml.	23:21
ayoung	yep	23:21
ayoung	https://www.adelton.com/apache/mod_lookup_identity/	23:21
ayoung	knikolla, the idea is that SSSD is a daemon designed to register the system with FreeIPA and manage system identity, so you don't reimplement in each application	23:22
*** phalmos has quit IRC		23:22
ayoung	it lets you unify ssh, X509 and other access control type things all together. And DNS	23:22
*** sdake has joined #openstack-keystone		23:23
*** jamielennox\|away is now known as jamielennox		23:23
knikolla	ayoung, and in the simplest possible case that would reduce federation between the different applications to having the same FreeIPA.	23:24
ayoung	knikolla, so, Federation is a little different. For Federation, you need to figure out what protocols to support. IODeally, yeah, you would leave all the decisoin about that to FreeIPA, but I don't thin that is practical. For our stuff, we are using mod_mellon for SAML	23:26
ayoung	The way CERN wen is that they use ADFS. Then everythign is SAML	23:26
ayoung	and their ADFS server convers thirf party saml to CERN specific saml	23:26
ayoung	knikolla, if you go to http://openstack.cern.ch/ you get redirected to https://login.cern.ch/adfs and from ther you have the ability to login in many different service providers	23:27
ayoung	er, make that identity Providers	23:27
knikolla	ayoung, all the different ways you can do authentication are fascinating.	23:29
ayoung	knikolla, so, Ideally, yeah, I would like to see soemthing in Keystone or Horizon play that role, but we don't have it right now, and no real plans to make it happen. We could, potentially, do something like that with the K2K code we have, but Keystone thus far has done no UI	23:29
ayoung	knikolla, so, another team here at Red Hat is on the JBoss side, and they have a product that I am working on testing the Fedration with as well. Its called Keycloak. They did openID COnnect first, and now we are helping them close the gap on SAML	23:30
ayoung	http://keycloak.jboss.org/	23:30
ayoung	It has a lot of features, but I don't really know it that well yet	23:30
knikolla	ayoung, that looks interesting. will look into that.	23:32
knikolla	ayoung, alongside convincing people that integrating keystone into our service is not a good idea.	23:36
ayoung	knikolla, Keystone should never have been. The idea of a bearer token providing a proxy to both authentication and authorization is a bad pattern	23:37
knikolla	ayoung, There still is a place for keystone. At least as a service catalog, authorization service.	23:38
knikolla	ayoung, but seeing the mod_lookup_identity post i got the same insight.	23:38
knikolla	ayoung, do you have any books to recommend on the topic of identity patterns?	23:40
*** mylu has quit IRC		23:43
*** dflorea has quit IRC		23:44
*** mylu has joined #openstack-keystone		23:49
*** jamielennox is now known as jamielennox\|away		23:51
*** sdake_ has joined #openstack-keystone		23:53
*** stingaci has joined #openstack-keystone		23:54
*** sdake has quit IRC		23:56
*** dflorea has joined #openstack-keystone		23:58
*** jamielennox\|away is now known as jamielennox		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!