Thursday, 2016-05-05

lbragstad: mfisch fernet tokens only use revocation events, i don't think they are used with revocation lists [00:36]
lbragstad: mfisch I don't think that piece was done yet [00:43]
openstackgerrit: ayoung proposed openstack/keystone: Replace revoke tree with linear search https://review.openstack.org/311652 [01:46]
openstackgerrit: Matt Fischer proposed openstack/keystonemiddleware: Update config options https://review.openstack.org/312809 [02:12]
openstackgerrit: ZhiQiang Fan proposed openstack/keystone: do not search file on real environment https://review.openstack.org/309882 [02:18]
openstackgerrit: Matt Fischer proposed openstack/keystonemiddleware: Update config options https://review.openstack.org/312809 [02:18]
openstackgerrit: ZhiQiang Fan proposed openstack/keystone: do not search file on real environment https://review.openstack.org/309882 [02:21]
openstackgerrit: werner mendizabal proposed openstack/keystone-specs: Credential Encryption https://review.openstack.org/284950 [04:27]
dikonoor: stevemar: hi Steve [04:47]
dikonoor: stevemar: I am trying to get some UT added for https://review.openstack.org/#/c/312126/ . This is LP bug https://bugs.launchpad.net/keystone/+bug/1577804 [04:48]
openstack: Launchpad bug 1577804 in OpenStack Identity (keystone) "/v3/users?name=<name> bypasses user_filter for LDAP" [Undecided,In progress] - Assigned to Matthew Edmonds (edmondsw) [04:48]
patchbot: dikonoor: patch 312126 - keystone - Honor ldap_filter on filtered user list [04:48]
dikonoor: stevemar: I can't get to figure out where the unit testcases should go into. I mean I can't locate any existing ones around user filters around LDAP. My guess is that the changes must go into test_base.py under tests/unit/identity/backends. Could you give me some clue? [04:49]
stevemar: dikonoor: hey divya! there are a few spots where ldap is tested [05:45]
stevemar: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/identity/backends/test_ldap.py invokes code here: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/identity/backends/test_base.py [05:45]
stevemar: which does basic backend testing for identity [05:45]
stevemar: this suite does more specific ldap tests: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py [05:46]
stevemar: and this one here tests things from more of a utility perspective: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/common/test_ldap.py [05:46]
stevemar: dikonoor: if you're looking for filter related stuff, https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py#L225 is a good start [05:47]
openstackgerrit: Merged openstack/keystone: Add conflict validation for idp update https://review.openstack.org/294201 [06:35]
openstackgerrit: Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/311548 [06:55]
openstackgerrit: Gyorgy Szombathelyi proposed openstack/keystone: Allow 'domain' property for local.group https://review.openstack.org/310147 [10:03]
openstackgerrit: Gyorgy Szombathelyi proposed openstack/keystone: Add mapping validation tests https://review.openstack.org/312881 [10:03]
samueldmq: morning keystone [10:57]
dstanek: morning [12:16]
ayoung: dstanek, morning! [13:59]
ayoung: Do we have any best practices written up about how to transport Fernet Keys for rotation? [13:59]
ayoung: lbragstad, your blog is down, and many other articles reference it for Fernet key rotation. [14:06]
samueldmq: ayoung: that reminds me to resurrect mine [14:07]
ayoung: samueldmq, yes please [14:07]
samueldmq: ayoung: will try to do today, because if I leave for tomorrow, I will never do it :) [14:08]
dstanek: hmmm....i'm a bit worried about our keystoneclient unit tests [14:19]
dstanek: for example, this doesn't appear to test anything http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/tests/unit/v3/test_projects.py#n301 [14:19]
lbragstad: ayoung thanks - i've been fighting it for a while.. I need to spend a weekend tuning it [14:19]
lbragstad: ayoung it's back up now though [14:20]
bknudson: dstanek: we could write the same test as a functional test. [14:20]
ayoung: http://nukees.com/d/20160504.html [14:20]
ayoung: Last Panel [14:21]
bknudson: dstanek: and then have the unit tests re-implement the functional test with mock so that we can run the tests without the server, too. [14:21]
dstanek: bknudson: that would be cool to see [14:23]
dstanek: it looks like there are at least a few tests that are just testing out mocking system. "yep, it looks like the mock data was returned. passed." [14:24]
bknudson: probably required for 100% coverage. [14:24]
bknudson: which would indicate a poor design of the code or tests. [14:25]
dstanek: bknudson: i found hints of the issue while reviewing https://review.openstack.org/#/c/296246/8 [14:27]
patchbot: dstanek: patch 296246 - python-keystoneclient - Allow send null value in extra properties [14:27]
bknudson: dstanek: that's a pretty bad bug, considering how long the behavior has been broken in the client. [14:28]
bknudson: I thought we had ways to verify the request was made correctly? [14:28]
bknudson: e.g., self.assertQueryStringIs('subtree_as_ids') [14:29]
dstanek: bknudson: i think we do [14:29]
dstanek: bknudson: it's also a bug that discourages the use of extras :-) [14:30]
bknudson: oh, it's just extras, not removing description (for example)? [14:30]
bknudson: if so then not that big of a deal. [14:31]
lbragstad: looks like the audit id fix didn't completely fix up the gate - http://status.openstack.org/elastic-recheck/index.html [14:31]
dstanek: bknudson: no, i think it's everything. [14:31]
dstanek: it looks like ksc makes the assumption that you can't null out anything [14:31]
bknudson: identity spec says if you set it to null it's removed, right, not set to null? [14:32]
rodrigods: dstanek, the mocked test in that case only shows that ksc passes correctly the value from the underlying layer [14:33]
rodrigods: actually i think that's the correct way of implementing unit tests [14:34]
rodrigods: each layer should mock the result from the layer below it [14:34]
bknudson: when you mock things you still have to verify that the application accessed the mock as expected. [14:34]
rodrigods: bknudson, yes, didn't mean the opposite [14:35]
bknudson: e.g., if functionA calls functionB, you mock functionB, and your test ensures functionA called functionB with the expected arguments [14:35]
rodrigods: bknudson, right [14:35]
rodrigods: that is missing indeed [14:36]
bknudson: I think that's what dstanek is noticing in the keystoneclient unit tests. [14:36]
rodrigods: ++ [14:36]
rodrigods: i can take a look in the tests to fix those kind of issues [14:36]
rodrigods: not right now, but in the next couple of weeks [14:37]
bknudson: in a lot of cases for keystoneclient there isn't much to validate, just that the request hit the right URI. [14:37]
bknudson: but if there's a request body it should validate the body. [14:37]
dstanek: rodrigods: that test i referenced works fine without the parent_id line on 303. so i don't think it's testing anything [14:37]
rodrigods: dstanek, yeah, it is missing to verify the parameters called [14:38]
rodrigods: the body, as bknudson said ^ [14:39]
bknudson: dstanek has eyes like an eagle. [14:39]
rodrigods: ++ [14:41]
rodrigods: bknudson, our uwsgi job runs all tempest tests, right? [14:42]
bknudson: yes, it's the same as the regular gate tempest. [14:42]
rodrigods: cool [14:42]
bknudson: except it's uwsgi rather than apache mod_wsgi [14:43]
stevemar: for some reason i have 3 meetings in 17 minutes [14:43]
rodrigods: bknudson, we may want to add our plugin tests there, but when we have at least 1 [14:44]
rodrigods: stevemar, lol [14:44]
lbragstad: dolphm some more recent failures - http://status.openstack.org/elastic-recheck/index.html [14:45]
lbragstad: dolphm scroll down to Bug 1577558 - v2.0 fernet tokens audit ids are inconsistent [14:45]
openstack: bug 1577558 in OpenStack Security Advisory "v2.0 fernet tokens audit ids are inconsistent" [Undecided,Incomplete] https://launchpad.net/bugs/1577558 [14:45]
openstackgerrit: Merged openstack/python-keystoneclient: Add federation related tests https://review.openstack.org/293040 [14:48]
bknudson: I wonder if we could write a gate job that would remove non-test changes and verify that the tests fail? [14:48]
bknudson: that's something I wind up doing manually pretty often [14:49]
openstackgerrit: Merged openstack/python-keystoneclient: Replace tempest-lib with tempest.lib https://review.openstack.org/310911 [14:50]
dstanek: bknudson: i have a few helper scripts i use to do that. i can clean them up and maybe they'd be of value to others? [14:51]
bknudson: dstanek: I wouldn't mind seeing it. [14:51]
bknudson: maybe we could get a reviewer-tools repository [14:52]
dstanek: bknudson: i'll pull it together later today and let you know when it's there [14:53]
dstanek: i'll gist it or something [14:53]
stevemar: dstanek: can you review https://review.openstack.org/#/c/310147/ [15:03]
patchbot: stevemar: patch 310147 - keystone - Allow 'domain' property for local.group [15:03]
dstanek: stevemar: shore [15:04]
dstanek: stevemar: in the bug there is an assertion that a group either needs an id or (name and domain) - is that true? [15:17]
arunkant_: dstanek : Can you review https://review.openstack.org/#/c/279828/ as it has been pending for a while. [15:18]
patchbot: arunkant_: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv... [15:18]
rodrigods: bknudson, dstanek at least for bugs, if we split the bug exposing test and the fix, we could use git revisions [15:18]
rodrigods: but for gate... have no idea [15:19]
dstanek: arunkant_: i should be able to look at it today [15:19]
dstanek: rodrigods: i don't know that i'd want to enforce that. too much of a pain for contributors [15:20]
bknudson: rodrigods: y, I wish more contributors would do that since it would help with reviews and also we'd know what the old behavior was (maybe it was correct) [15:21]
bknudson: and it would also show that the code is testable. [15:21]
rodrigods: ++ [15:21]
rodrigods: dstanek, contributors like more commits :) [15:21]
dstanek: rodrigods: why? i would guess that is just the few that care about stats and not getting work done [15:22]
rodrigods: dstanek, just kidding [15:22]
rodrigods: dstanek, if we start to write patches like that, new contributors will tend to copy the behavior [15:24]
rodrigods: shouldn't be mandatory but preferable [15:25]
bknudson: do we have an onboarding doc? [15:26]
bknudson: if not we should [15:26]
rodrigods: bknudson, samueldmq had a patch for that [15:26]
rodrigods: https://review.openstack.org/#/c/302789/ [15:26]
patchbot: rodrigods: patch 302789 - keystone - Add API Change Tutorial [15:26]
rodrigods: it is only for new changes, though [15:27]
bknudson: that would be part of an onboarding doc. [15:27]
rodrigods: a great addition for it would be "fixing bugs" [15:27]
bknudson: Here: http://docs.openstack.org/developer/keystone/community.html [15:27]
bknudson: needs more info [15:27]
rodrigods: hmm [15:27]
rodrigods: ++ [15:27]
bknudson: although I'm not sure if that would be part of an onboarding doc or the onboarding doc itself. [15:28]
bknudson: the getting started section on http://docs.openstack.org/developer/keystone/ is probably where people would go to start. [15:28]
TemporalBeing1: I am trying to figure out how OS-KSCATALOG works so I can implement the functionality for Mimic. I see the information at http://developer.openstack.org/api-ref-identity-v2-ext.html but it's not nearly as complete as I need, at least per the End Point Templates (no real examples, especially with %tenant_id% substitution or what exactly is required). [15:29]
TemporalBeing1: Where can I find the code for the OS-KSCATALOG extension? I don't see anything related to "OS-KSCATALOG" in https://github.com/openstack/keystone [15:29]
rodrigods: bknudson, yes, i started from here: http://docs.openstack.org/developer/keystone/devref/development.environment.html [15:30]
bknudson: doesn't really tell you everything either. It would at least have to tell contributors how to get a launchpad ID, and where gerrit is and stuff. [15:31]
bknudson: assume they don't know anything. [15:32]
rodrigods: bknudson, http://docs.openstack.org/infra/manual/developers.html [15:33]
samueldmq: stevemar: about bug 1575057 [15:37]
openstack: bug 1575057 in OpenStack Identity (keystone) "'domain' is not honored in local.group mapping" [Medium,In progress] https://launchpad.net/bugs/1575057 - Assigned to György Szombathelyi (gyurco) [15:37]
dstanek: samueldmq: what about it? [15:38]
samueldmq: stevemar: how does it reflect to an end user perspective ? [15:38]
samueldmq: dstanek: ^ [15:38]
samueldmq: if a mapping contained a domain, we expected a domain in there, right ? [15:38]
stevemar: samueldmq: i think it was worse than that [15:38]
samueldmq: replace first "domain" by group [15:39]
dstanek: samueldmq: no, if a mapping contains a group with a name then it also needs a domain [15:39]
stevemar: samueldmq: what dstanek said [15:39]
dstanek: samueldmq: i think it will blow up every time the mapping is evaluated [15:39]
stevemar: yep... [15:39]
samueldmq: stevemar: dstanek: so mapping using a group ID was working fine, but with group name ... no [15:39]
stevemar: samueldmq: tests were passing because we were not calling the schema validator (where it was blowing up) [15:40]
samueldmq: it's weird no one hit that before (it's been there since mitaka) [15:40]
samueldmq: :( [15:40]
samueldmq: dstanek: nice find on the docs example [15:41]
dstanek: samueldmq: fixing that now :-) [15:41]
rodrigods: i had, but forgot to open bug / fix it [15:41]
rodrigods: the docs are wrong too, as pointed by dstanek [15:42]
samueldmq: rodrigods: :( [15:42]
samueldmq: dstanek: nice man! looking forward to see it :) [15:42]
openstackgerrit: yolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results https://review.openstack.org/311133 [15:44]
openstackgerrit: Marcos Fermín Lobo proposed openstack/python-keystoneclient: Added endpoint group filter manager methods https://review.openstack.org/182658 [15:52]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystonemiddleware: Fix D401 PEP257 violation and enable H403 https://review.openstack.org/312767 [15:52]
openstackgerrit: David Stanek proposed openstack/keystone: Fixes example in the mapping combinations docs https://review.openstack.org/313034 [15:53]
samueldmq: dstanek: domain_id isn't always a UUID? [15:56]
dstanek: did anyone start adding federation stuff to the keystone client? [15:57]
dstanek: actually, i guess osc. adding idps and stuff... [15:57]
samueldmq: dstanek: nvm, those docs already reference to domain_id as something like "abc1234" [15:57]
rodrigods: dstanek, yes [15:57]
samueldmq: dstanek: hmm not sure about osc, looks like ksc already supports it ? [15:57]
dstanek: rodrigods: is that you? [15:58]
rodrigods: hm? [15:58]
samueldmq: rodrigods: who is implementing federation stuff in osc [15:59]
dstanek: rodrigods: yes, what samueldmq said :-) [15:59]
rodrigods: samueldmq, marek implemented a lot of it [15:59]
rodrigods: the CRUD operations and also authentication [15:59]
samueldmq: dstanek: ^ [15:59]
samueldmq: conversation in cycles [15:59]
samueldmq: hehe :D [16:00]
dstanek: rodrigods: i didn't see it in the osc help, maybe i'm just missing something [16:00]
rodrigods: dstanek, me neither [16:01]
rodrigods: that's odd, i was sure it was there [16:01]
rodrigods: let me check the code [16:01]
dstanek: i was going to add it last night when i was fixing my k2k ansible role, but thought i'd ask here before putting in the work [16:01]
rodrigods: dstanek, https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/identity_provider.py [16:01]
rodrigods: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/service_provider.py [16:01]
rodrigods: dstanek, do you use rippowam? :) [16:02]
dstanek: rodrigods: what is that? [16:02]
rodrigods: dstanek, https://github.com/admiyo/rippowam [16:02]
rodrigods: since when we suggest httpd over eventlet? i mean, the cycle [16:04]
rodrigods: kilo? [16:04]
dstanek: rodrigods: that's been the recommendation for quite a while. not it's now even possible to use eventlet. [16:07]
edtubill: dstanek, rderose, stevemar: Hey guys, here is the etherpad for the PCI password stuff: https://etherpad.openstack.org/p/keystone-newton-pci-dss . Please look/add stuff if needed. [16:08]
dstanek: edtubill: here is some work i did on password rotation http://bit.ly/1SRrhxn [16:11]
samueldmq: is auth_type a valid config option yet ? [16:11]
samueldmq: looks like it was removed in favor of auth_plugin [16:12]
samueldmq: can anyone confirm that ? [16:12]
edtubill: dstanek: cool, I'll add that to the etherpad. [16:12]
dstanek: edtubill: i'm not finding the password complexity enforcement stuff right now [16:15]
edtubill: dstanek: kk, just add it to the etherpad if you do happen to find it and thx! [16:19]
stevemar: dstanek: i don't think you ever committed that [16:23]
dstanek: stevemar: no, but i thought i submitted it [16:23]
dstanek: stevemar: all the password stuff was rejected :-( [16:24]
stevemar: dstanek: not anymore! [16:26]
dstanek: i feel vindicated! [16:27]
lbragstad: better late than never, right? [16:27]
openstackgerrit: Navid Pustchi proposed openstack/keystonemiddleware: Fix D400 PEP257 violation https://review.openstack.org/313052 [16:42]
dstanek: rodrigods: i wonder if i just have an old version of osc [16:47]
rodrigods: dstanek, i have a fresh devstack install here and the commands don't appear too [16:48]
rodrigods: maybe they weren't added to the correct files [16:48]
rodrigods: in osc [16:48]
dstanek: rodrigods: ok, well then i guess i'll have to dig in a bit :-( [16:48]
rodrigods: =( [16:48]
rodrigods: it is also annoying to figure out the commands [16:49]
dstanek: rodrigods: haha, i just took a look [17:03]
samueldmq: stevemar: ping [17:03]
dstanek: they only show up when you ask for the v3 api [17:03]
samueldmq: stevemar: ksclient config options are also listed at middleware config file, right ? [17:03]
samueldmq: dstanek: ^ [17:03]
dstanek: rodrigods: openstack --os-identity-api-version=3 [17:03]
dstanek: samueldmq: what options? [17:04]
samueldmq: dstanek: eg auth_plugin [17:04]
dstanek: samueldmq: i wouldn't have thought so, but maybe. why? [17:04]
samueldmq: dstanek: patch 312809 [17:05]
patchbot: samueldmq: https://review.openstack.org/#/c/312809/ - keystonemiddleware - Update config options [17:05]
samueldmq: dstanek: when reviewing, the only place I was able to find defining auth_section and auth_plugin was keystoneclient [17:06]
samueldmq: so my understanding is that it will appear in middleware config file (as the client is used by it) [17:07]
dstanek: samueldmq: isn't that configured by the services? [17:09]
dstanek: samueldmq: like http://docs.openstack.org/developer/nova/sample_config.html (the keystone_authtoken section, etc) [17:10]
samueldmq: dstanek: yes it is [17:13]
samueldmq: dstanek: my question is where auth_type option is defined, I couldn't find it anywhere [17:13]
samueldmq: dstanek: auth_section appears inside middleware config (in the nova example you showed above), and it's defined in keystone client [17:14]
samueldmq: however I can't find auth_type :( [17:15]
dstanek: auth_type is in there as well. looks like it is marked as deprecated [17:15]
samueldmq: dstanek: https://github.com/openstack/python-keystoneclient/search?utf8=%E2%9C%93&q=auth_type [17:16]
samueldmq: returns me nothing [17:16]
*** dan_nguyen has quit IRC17:17
*** jistr has quit IRC17:17
*** timcline has joined #openstack-keystone17:18
dstaneksamueldmq: i have no idea what, if anything, uses that17:18
samueldmqdstanek: ok, me neither, I will dig a bit more on it17:19
dstaneksamueldmq: where were you seeing it referenced?17:19
samueldmqsomething's smelling bad there17:19
dstanekthe only auth_type i remember is the environment var17:19
samueldmqdstanek: maybe it is always from an envvar, and has never been a config option17:20
*** gyee has joined #openstack-keystone17:21
*** ChanServ sets mode: +v gyee17:21
*** timcline has quit IRC17:22
samueldmqdstanek: so my question is why we document it in the configuration file, if it's an environment var17:22
*** timcline has joined #openstack-keystone17:22
*** tqtran has joined #openstack-keystone17:23
*** alee has left #openstack-keystone17:23
*** timcline has quit IRC17:23
openstackgerritMerged openstack/keystone: Allow 'domain' property for local.group  https://review.openstack.org/31014717:23
*** fedruantine has quit IRC17:24
*** fangxu has quit IRC17:25
*** timcline has joined #openstack-keystone17:25
dstaneksamueldmq: did you check keystoneauth? if anything uses it i would expect that to be it17:25
samueldmqdstanek: good catch17:26
samueldmqdstanek: I had forgotten about it, I need to put my love on keystoneauth too17:27
*** aginwala has joined #openstack-keystone17:28
samueldmqdstanek: thanks17:30
samueldmqdstanek: the way it reads from http://docs.openstack.org/developer/nova/sample_config.html17:30
samueldmq# Deprecated group/name - [DEFAULT]/auth_plugin17:30
samueldmq#auth_type = <None>17:30
samueldmqIt means auth_type is deprecated in favor of auth_plugin right?17:30
openstackgerritMerged openstack/keystone: do not search file on real environment  https://review.openstack.org/30988217:30
*** tonytan4ever has quit IRC17:31
*** lhcheng has quit IRC17:31
*** lhcheng has joined #openstack-keystone17:31
*** ChanServ sets mode: +v lhcheng17:31
*** jsavak has quit IRC17:31
*** nikhil has quit IRC17:31
*** csoukup has joined #openstack-keystone17:31
*** nikhil has joined #openstack-keystone17:32
*** ayoung has joined #openstack-keystone17:33
*** ChanServ sets mode: +v ayoung17:33
*** tonytan4ever has joined #openstack-keystone17:34
*** fangxu has joined #openstack-keystone17:38
hoonetorghi17:39
openstackgerrityolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results  https://review.openstack.org/31113317:39
hoonetorgdoes the admin user need the _member_ role or can it be removed?17:40
yolandamorgan,keystone-cores... that change should be ready to go finally17:40
hoonetorgthat is what the salt-formula-keystone actually does.17:40
*** jsavak has joined #openstack-keystone17:41
hoonetorgso is it enough, that the admin user has !only! the admin role?17:41
yolandathx sigmavirus24 for the betamax release, and your help with that17:41
*** rm_work has joined #openstack-keystone17:51
*** itlinux has joined #openstack-keystone17:52
openstackgerritMerged openstack/keystone: Fixes example in the mapping combinations docs  https://review.openstack.org/31303417:58
openstackgerritGyorgy Szombathelyi proposed openstack/keystone: Add mapping validation tests  https://review.openstack.org/31288118:02
*** lhcheng has quit IRC18:04
*** lhcheng has joined #openstack-keystone18:04
*** ChanServ sets mode: +v lhcheng18:04
openstackgerritMerged openstack/keystonemiddleware: Fix D401 PEP257 violation and enable H403  https://review.openstack.org/31276718:07
*** aginwala has quit IRC18:07
*** jasonsb has joined #openstack-keystone18:07
*** aginwala has joined #openstack-keystone18:07
*** navid_ has quit IRC18:09
*** pushkaru has quit IRC18:10
*** lhcheng has quit IRC18:11
openstackgerritGyorgy Szombathelyi proposed openstack/keystone: Add mapping validation tests  https://review.openstack.org/31288118:11
*** lhcheng has joined #openstack-keystone18:11
*** ChanServ sets mode: +v lhcheng18:11
*** aginwala has quit IRC18:11
*** yolanda has quit IRC18:15
*** Nakato has quit IRC18:19
*** Nakato has joined #openstack-keystone18:22
*** jsavak has quit IRC18:26
*** ninag has quit IRC18:30
*** ninag has joined #openstack-keystone18:30
*** doug-fis_ has joined #openstack-keystone18:31
openstackgerritMerged openstack/keystonemiddleware: Update config options  https://review.openstack.org/31280918:32
*** doug-fi__ has joined #openstack-keystone18:32
*** ninag_ has joined #openstack-keystone18:32
*** ninag_ has quit IRC18:32
*** ninag_ has joined #openstack-keystone18:33
*** doug-fish has quit IRC18:34
*** ninag has quit IRC18:35
*** doug-fis_ has quit IRC18:35
*** dan_nguyen has joined #openstack-keystone18:36
*** doug-fi__ has quit IRC18:37
*** ninag_ has quit IRC18:38
*** doug-fish has joined #openstack-keystone18:42
*** doug-fish has quit IRC18:42
*** doug-fish has joined #openstack-keystone18:43
stevemargerrit is sloowwww today18:43
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Fix D400 PEP257 violation  https://review.openstack.org/31305218:43
*** doug-fish has quit IRC18:43
sigmavirus24stevemar: seconded18:43
*** doug-fish has joined #openstack-keystone18:43
*** doug-fish has quit IRC18:44
*** tqtran has quit IRC18:44
*** doug-fish has joined #openstack-keystone18:44
*** jsavak has joined #openstack-keystone18:46
*** sdake has joined #openstack-keystone18:48
rodrigodsdstanek, ahh true, it hides based on the api version18:48
*** doug-fish has quit IRC18:49
bknudsongerrit gives proxy error for me.18:49
*** doug-fish has joined #openstack-keystone18:50
*** tqtran has joined #openstack-keystone18:50
*** ninag has joined #openstack-keystone18:53
*** mvk_ has quit IRC18:54
*** pushkaru has joined #openstack-keystone18:54
*** sdake_ has joined #openstack-keystone18:55
*** aginwala has joined #openstack-keystone18:55
*** diazjf has joined #openstack-keystone18:56
*** ninag has quit IRC18:56
*** sdake has quit IRC18:57
*** aginwala has quit IRC18:59
*** aginwala has joined #openstack-keystone19:02
stevemarbknudson: guess you can't work today :)19:02
*** haplo37 has joined #openstack-keystone19:04
dstanekbknudson: refresh. it's only transient for me19:04
*** doug-fish has quit IRC19:08
*** aginwala has quit IRC19:08
*** dikonoor has quit IRC19:09
*** pushkaru has quit IRC19:15
-openstackstatus- NOTICE: Gerrit is restarting to address performance issues related to a suspected memory leak19:21
*** fangxu has quit IRC19:22
bknudsonanybody use vagrant to do their openstack dev?19:23
openstackgerritDivya K Konoor proposed openstack/keystone: Honor ldap_filter on filtered user list  https://review.openstack.org/31212619:26
lbragstadbknudson I used to19:26
*** navid_ has joined #openstack-keystone19:28
openstackgerritDivya K Konoor proposed openstack/keystone: Honor ldap_filter on filtered user list  https://review.openstack.org/31212619:28
bknudsonpeople might find this interesting: https://review.openstack.org/#/c/291817/12/files/apache-keystone-uwsgi-proxy.template19:29
patchbotbknudson: patch 291817 - openstack-dev/devstack - Deploy keystone running in uwsgi proxy by apache19:29
bknudsonkeystone under uwsgi listens on a unix socket19:29
*** ninag has joined #openstack-keystone19:29
bknudsonProxyPass /identity unix:/tmp/keystone-public-uwsgi.sock|http://identity/ retry=019:30
bknudsonI tried using uwsgi protocol but that didn't work for some reason, but http worked.19:30
bknudsonthis required ubuntu 16.0419:30
*** doug-fish has joined #openstack-keystone19:31
bknudsonlooks like OSA is set up for ports -- http://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/tree/templates/keystone-httpd.conf.j2 :(19:31
bknudsonand uses mod_wsgi :(19:32
dolphmbknudson: for now!19:32
*** mvk_ has joined #openstack-keystone19:32
stevemarbknudson: i think we know some folks over in OSA land that can fix that19:32
odyssey4melol19:32
odyssey4meI wonder who that would be.19:33
dolphmbknudson: stevemar: are we going to change our documented recommendation to be nginx + uwsgi this cycle?19:33
bknudsondolphm: I'm hoping that will happen this cycle. Didn't get any pushback in the cross-project session.19:34
odyssey4mehmm, that'll make operators hurl rocks at you19:34
stevemardolphm: probably not nginx since we don't have that gating yet, and it doesn't have fun federation plugins19:34
odyssey4mehow does that affect the federation implementations?19:34
stevemardolphm: but apache + uwsgi for sure19:34
stevemarodyssey4me: greatly!19:35
bknudsonnobody has given a good reason for switching to nginx.19:35
dstanekstevemar: shib supports nginx now19:35
bknudsonit's trendier...19:35
stevemardstanek: we haven't tested enough on nginx to claim it's 100% supported19:35
odyssey4mewell, for us we could aid the transition - most of our deployers implement keystone in containers so we can just ditch the container and rebuild it in the upgrade process... but that's not a fun proposition19:35
stevemarby enough, i mean at all19:35
*** ninag has quit IRC19:36
*** doug-fish has quit IRC19:36
odyssey4mewell, why use uwsgi instead of mod_wsgi ?19:36
dstanekstevemar: testing is something we just need some time for, but it's there19:37
bknudsonit keeps keystone out of the apache process.19:37
odyssey4mewe can implement options and carry them for a cycle or two to give time for transition19:37
bknudsonfor devs it should be nicer since it's easy to restart keystone process and use pdb.19:37
dstanekbknudson: ++ a much better model19:37
*** ninag has joined #openstack-keystone19:37
odyssey4meconsidering that we're carrying Ubuntu Trusty and Ubuntu Xenial combined support for two cycles, maybe this should go with it - when we kill trusty support we also kill an older model19:38
odyssey4meso basically when you change the OS version you also change the model19:38
bknudsonfrom what I've seen it's not going to be easy to support trusty and xenial together.19:39
stevemarodyssey4me: using uwsgi is nice since: 1) you can use pdb instead of rpdb and 2) you can restart uwsgi alone and not the web server (so you don't have to restart everything just for keystone)19:39
odyssey4meperhaps - we'll see, we're on that work now already and should have much of it done by Newton-219:40
bknudsonthe xenial mod_proxy at least supports unix sockets. So I was asked to wait for xenial for the uwsgi devstack19:40
bknudsonwhich I was told we'd have for the gate in a couple of weeks19:41
odyssey4mestevemar ok, so (1) nice for dev troubleshooting and (2) nice for co-located services (which we don't advocate)19:41
*** navid_ has quit IRC19:42
odyssey4mebut considering we have a growing developer use case I think we can add it as an option19:42
dstanekodyssey4me: it also allows you to scale the apache and application server processes independently19:42
*** harbor has quit IRC19:42
bknudsonif you're not colocating services then I'd suggest running uwsgi rather than bothering with apache.19:43
odyssey4mebknudson but then no federation, or any other hand-off auth options19:43
bknudsonthen have apache/haproxy on other machines.19:43
dstanekbknudson: that is the model i used for a high traffic webapp. machines running apaches were actually separate from the machines running the python processes19:44
*** doug-fish has joined #openstack-keystone19:44
odyssey4mealright, well we'd love to hear alternative deployment models and are happy to discuss and work together to implement something in OSA19:45
odyssey4meto be responsible we'd have to allow an opt-in model for a cycle, then change the default for a cycle, then drop the next cycle19:46
odyssey4methat gives plenty of time to test and transition19:46
odyssey4meand this cycle is a good time to introduce changes like that19:46
bknudsonthe other services (nova-api) aren't using mod_wsgi are they?19:47
odyssey4mewhatever is implemented needs to support federation because we have consumers of that already19:47
odyssey4meno, for now apache is only used for keystone and horizon19:47
bknudsonseparate apache should support federation just fine... it's apache that does the saml work and passes headers to the uwsgi19:48
odyssey4meI'd like to transition other projects to use a similar model as it scales better, and scale is important to us.19:48
odyssey4meyup, agreed19:48
*** doug-fish has quit IRC19:49
bknudsonyou'll probably get this working before I can get it in devstack.19:49
*** amrith has left #openstack-keystone19:49
odyssey4medolphm or lbragstad are you guys going to take a crack at a IP review to get it done?19:49
odyssey4me*WIP19:49
*** doug-fish has joined #openstack-keystone19:50
bknudsonso the model would be there's a set of apache roles that forward requests to the individual service APIs, e.g., /identity -> keystone , /compute -> nova-api, etc.19:50
bknudsonthe apache nodes can also do :5000, etc., too.19:50
lbragstadodyssey4me WIP review for deploying keystone differently?19:51
dolphmodyssey4me: in OSA?19:52
odyssey4meyup, in the keystone role19:52
odyssey4meie are you alright taking a go at it or do you need assistance making it happen?19:52
dolphmodyssey4me: i'd be interested for the sake of capstone, but i'm more interested in moving keystone to dstanek's federation implementation first, then switching to uwsgi as our reference deployment19:53
dolphmodyssey4me: in terms of timelines, we'd need assistance to make that happen anytime soon. putting v3 in public cloud production would certainly take precedence for the next month or two :)19:54
dolphmodyssey4me: after that, perhaps mid newton, and we might have bandwidth to pursue it19:55
bknudsonhopefully by mid-newton we'll have this deployment model in the gate.19:55
bknudsonat least for keystone19:56
dolphmbknudson: OSA basically follows the upstream recommendations wherever possible, so i'd think an upstream gate would be required before merging a similar change to OSA19:56
hoonetorghi bknudson: i asked about an exception when starting keystone with wsgi ^^^ and you answered i should create my own wsgi scripts19:57
odyssey4mealright, would it be possible to outline the general implementation and any known configurations in an etherpad then I'd be happy to work on getting it into the keystone role for OSA which is consumed by capstone19:57
hoonetorgit was on centos/el7 with mitaka from centos repos19:57
dolphmbknudson: and unfortunately that means we're going to be deploying mitaka in public cloud on mod_wsgi :(19:57
hoonetorgthe solution was simple chown keystone:keystone /var/log/keystone19:57
hoonetorg*the solution was simple chown keystone:keystone /var/log/keystone/keystone.log19:58
bknudsonhoonetorg: apache must have been configured to run as keystone or something.19:58
hoonetorgyep it is19:58
dolphmodyssey4me: http://docs.openstack.org/developer/keystone/apache-httpd.html#mod-proxy-uwsgi19:59
dolphmodyssey4me: https://github.com/openstack/keystone/blob/master/httpd/keystone-uwsgi-admin.ini19:59
dolphmodyssey4me: https://github.com/openstack/keystone/blob/master/httpd/uwsgi-keystone.conf19:59
dolphmodyssey4me: not nginx, but that's half the battle ^19:59
hoonetorgbknudson: WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}20:00
dolphmodyssey4me: i suspect federation support will be the only tricky bit in switching OSA to nginx20:00
odyssey4medolphm alright, let me take a look into it and see what I can do20:00
dolphmodyssey4me: any idea how many people are using the federation support in OSA?20:01
*** daemontool_ has quit IRC20:01
odyssey4methe easiest short term option will obviously be to keep apache and just switch the back-end - from there we can try adding nginx20:01
dolphmodyssey4me: ++20:02
odyssey4medolphm I know that Belnet (where evrardjp comes from) was using it, and Comcast has also been testing it for production needs.20:02
dolphmodyssey4me: that where the biggest win is right now, as well20:02
dolphmthat would be where*20:02
evrardjptrue20:02
*** dan_nguyen has quit IRC20:02
dolphmevrardjp: awesome; complaints?20:03
hoonetorgbknudson: on a fresh install there is no /var/log/keystone/keystone.log when i run then keystone-manage db_sync this log file is created as root:root20:03
evrardjpfederation? Lots of complaints20:03
evrardjpas usual20:03
evrardjp:D20:03
bknudsonhoonetorg: I think other people have run into that too.20:03
evrardjpparticularly to OSA, not that much20:03
dolphmevrardjp: how about on the spectrum from "it doesn't work" to "mapping is painful"?20:03
hoonetorgbknudson: i believe so too20:04
odyssey4meit's 9pm for me so I'm outta here for the day - will chat a bit more about this in the next week or two20:04
bknudsonhoonetorg: maybe the correct thing to do is run keystone-manage db_sync as keystone user, too?20:05
hoonetorgi will fix that in my fork of the salt-formula-keystone and write a small comment on this20:05
hoonetorgyes that's the idea: let keystone-manage db_sync run as keystone user20:05
bknudsonhoonetorg: does salt set up keystone to run under uwsgi?20:06
hoonetorgonly in my fork20:06
hoonetorgi implemented it lately20:06
hoonetorghttps://github.com/hoonetorg/salt-formula-keystone20:06
evrardjpmapping is painful is certainly something they said20:07
*** dan_nguyen has joined #openstack-keystone20:08
hoonetorgbknudson: https://github.com/hoonetorg/salt-formula-keystone/blob/develop/keystone/server.sls#L142-L17420:08
hoonetorg(without the fix)20:09
bknudsonhoonetorg: looks like that's running in mod_wsgi and not under uwsgi with mod_proxy20:10
*** ayoung has quit IRC20:10
hoonetorgah sorry20:10
hoonetorgonly read wsgi20:10
hoonetorgyes, no ahem: apache + mod_wsgi20:10
hoonetorgthe problem will probably be the same if uwsgi runs as keystone20:11
*** auggy has joined #openstack-keystone20:11
bknudsonyou'll want the uwsgi process to run as keystone user.20:11
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add policy registration  https://review.openstack.org/31314120:11
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add authorize method to Enforcer  https://review.openstack.org/31314220:12
bknudsonso you'd have the same problem if you do db_sync as root20:12
auggysigmavirus24: thanks!20:12
stevemarevrardjp: i'd love to hear about ideas to make mapping and federation less painful :) cc dolphm20:12
hoonetorgthought on doing the same with nginx+uwsgi, but found a performance comparison where apache+mod_wsgi was faster20:12
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add policy registration  https://review.openstack.org/31314120:13
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add authorize method to Enforcer  https://review.openstack.org/31314220:13
*** vgridnev has joined #openstack-keystone20:13
hoonetorgyep, remind: do run keystone-manage db_sync as keystone user when using *wsgi* or check that the permissions of the logfile are correct20:14
hoonetorgthe puppet and ansible guys have/had probably the same problem20:14
*** alex_xu has quit IRC20:18
*** aginwala has joined #openstack-keystone20:19
*** alex_xu has joined #openstack-keystone20:22
*** pushkaru has joined #openstack-keystone20:24
*** rha has quit IRC20:25
*** rha has joined #openstack-keystone20:28
*** rha has quit IRC20:28
*** rha has joined #openstack-keystone20:28
-openstackstatus- NOTICE: Gerrit is restarting to revert incorrect changes to test result displays20:29
*** dmk0202 has joined #openstack-keystone20:29
*** tonytan4ever has quit IRC20:31
*** tonytan4ever has joined #openstack-keystone20:32
*** daemontool_ has joined #openstack-keystone20:35
*** sdake has joined #openstack-keystone20:35
*** sdake_ has quit IRC20:36
*** aginwala has quit IRC20:48
*** fangxu has joined #openstack-keystone20:49
*** amit213 has joined #openstack-keystone20:50
*** aginwala has joined #openstack-keystone20:51
*** neophy has joined #openstack-keystone20:55
*** haplo37 has quit IRC20:57
*** aginwala has quit IRC21:03
*** fawadkhaliq has joined #openstack-keystone21:04
*** rcernin has joined #openstack-keystone21:05
*** raddaoui has joined #openstack-keystone21:09
*** raildo is now known as raildo-afk21:11
bknudsonlbragstad: why did you stop using vagrant?21:14
*** aginwala has joined #openstack-keystone21:14
*** aginwala has quit IRC21:16
*** roxanaghe__ has quit IRC21:17
*** roxanaghe has joined #openstack-keystone21:17
*** csoukup has quit IRC21:18
*** timcline has quit IRC21:20
lbragstadbknudson I was doing weird things mounting drives and had issues with it.21:22
lbragstadbknudson so i switched completely to vim and do everything on a vm21:22
bknudsonlbragstad: ok. I haven't tried vagrant yet. What you're doing sounds like how I work.21:23
bknudsonlooks like vagrant mounts your local directories somehow.21:23
*** jdennis1 has joined #openstack-keystone21:23
lbragstadbknudson you mount drives to a virtual box and run tests and everything from there?21:23
lbragstadbknudson yeah - you can supply a mapping in your vagrant file21:24
bknudsonoh, no, I never figured out how to mount drives on the vm.21:24
lbragstadi was using it so that I could run my ide locally and the changes would be seen in the vm21:24
*** jdennis has quit IRC21:24
bknudsonI tried fuse with sshfs but that was a disaster.21:24
lbragstadi've never tried that21:24
bknudsondid you ever do any ansible on the vagrant?21:24
bknudsonlooks like vagrant can do ansible automatically21:25
lbragstadbknudson mm a couple times, mostly testing bootstrap operations21:25
lbragstadbut i haven't done much with the integration between vagrant and ansible21:25
*** pushkaru has quit IRC21:26
*** vgridnev has quit IRC21:29
*** fawadkhaliq has quit IRC21:33
bknudsonI'd probably do all my editing and even tox -e py27 on the main system and then for devstack use the vagrant21:34
*** ametts has quit IRC21:34
*** aginwala has joined #openstack-keystone21:37
rderoseedtubill: thanks, I'll review and update the etherpad21:37
*** pauloewerton has quit IRC21:42
*** aginwala has quit IRC21:44
*** aginwala has joined #openstack-keystone21:45
*** aginwala_ has joined #openstack-keystone21:47
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200621:49
*** sdake has quit IRC21:50
*** aginwala has quit IRC21:50
samueldmqbknudson: everything addressed ^ thanks for all valuable comments21:50
*** sdake has joined #openstack-keystone21:51
*** jasonsb has quit IRC21:55
*** sdake has quit IRC21:56
*** aginwala has joined #openstack-keystone21:56
*** ametts has joined #openstack-keystone21:56
*** jasonsb has joined #openstack-keystone21:58
*** aginwala_ has quit IRC21:59
*** nalind has quit IRC22:02
*** Ephur has joined #openstack-keystone22:02
*** ayoung has joined #openstack-keystone22:03
*** ChanServ sets mode: +v ayoung22:03
*** spzala has quit IRC22:04
*** spzala has joined #openstack-keystone22:04
*** ninag has quit IRC22:05
*** ninag has joined #openstack-keystone22:06
*** aginwala has quit IRC22:07
*** spzala has quit IRC22:09
*** ninag has quit IRC22:10
*** aginwala has joined #openstack-keystone22:13
*** furface has joined #openstack-keystone22:13
*** slberger has left #openstack-keystone22:14
*** sigmavirus24 is now known as sigmavirus24_awa22:14
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: PoC: share tests  https://review.openstack.org/31317522:15
bknudsondstanek: an example of what I was talking about earlier today ^22:16
bknudsonsharing tests between functional and unit.22:16
*** aginwala has quit IRC22:17
bknudsonof course the goal would be to get rid of duplicate unit tests.22:20
*** phalmos has quit IRC22:21
*** timcline has joined #openstack-keystone22:21
*** timcline has quit IRC22:25
*** jsavak has quit IRC22:26
*** rcernin has quit IRC22:29
*** edtubill has quit IRC22:30
rodrigodsbknudson, ^ nice!22:31
bknudsonrodrigods: thanks. Maybe we have few enough functional tests that we could do this to all of them.22:32
*** jsavak has joined #openstack-keystone22:32
rodrigodsbknudson, yes, totally doable22:32
bknudsonmaybe test_access wasn't the best choice... that one does import of tempest.lib whereas test_federation doesn't.22:33
bknudsonoh, the other ones use os_client_config22:33
*** diazjf has quit IRC22:34
bknudsonmaybe could mock out base.get_client or something22:34
rodrigodsbknudson, ++22:34
rodrigodswe could... but as we discussed earlier22:35
*** ninag has joined #openstack-keystone22:35
*** ametts has quit IRC22:35
rodrigodsthere are some kind of mocked tests that need specific checks22:35
rodrigodslike to check if the underlying layer was called with the correct parameters22:35
rodrigodsso the "body" of the tests would differ22:36
rodrigodsfrom unit to functional22:36
bknudsonwe'd probably wind up implementing a new implementation of base.ClientTestCase22:36
bknudsonI should add request body validation to https://review.openstack.org/#/c/313175/1/keystoneclient/tests/unit/test_access.py22:37
patchbotbknudson: patch 313175 - python-keystoneclient - PoC: share tests22:37
rodrigodsbknudson, how this would work with the functional one?22:38
bknudsonrodrigods: the functional test doesn't change: https://review.openstack.org/#/c/313175/1/keystoneclient/tests/functional/test_access.py22:38
patchbotbknudson: patch 313175 - python-keystoneclient - PoC: share tests22:38
bknudsonit's the same as before.22:38
*** aginwala has joined #openstack-keystone22:38
bknudsononly the unit test mocks out the server22:38
*** ninag has quit IRC22:39
*** aginwala has quit IRC22:40
rodrigodsbknudson, got it22:40
rodrigodsthink it looks good22:41
bknudsonthe advantage is 1) we can run the unit tests more easily than functional tests, 2) no duplication of functional and unit tests22:41
rodrigodsbknudson, sometimes we would have tests that only make sense in one of these layers22:42
*** aginwala has joined #openstack-keystone22:42
rodrigodsbut... most of them seem to fit in both cases22:42
bknudsonthe functional tests should cover the entire client path from start to end.22:43
bknudsoncomponent-type unit tests should just test the individual component22:44
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: PoC: share tests  https://review.openstack.org/31317522:47
bknudsonrodrigods: added request body validation to https://review.openstack.org/#/c/313175/2/keystoneclient/tests/unit/test_access.py22:47
patchbotbknudson: patch 313175 - python-keystoneclient - PoC: share tests22:47
*** jsavak has quit IRC22:49
*** neophy has quit IRC22:50
rodrigodsbknudson, couldn't we just pass the expected body prior the call?22:50
rodrigodsand it would fail there?22:50
bknudsondoes requests_mock support that?22:50
rodrigodsbknudson, have no idea :)22:50
*** david-lyle has quit IRC22:51
bknudsonrodrigods: I don't see in the docs you can match on the request body: http://requests-mock.readthedocs.io/en/latest/matching.html22:52
rodrigodsbknudson, me neither, was looking there too22:52
*** gordc has quit IRC22:52
bknudsonmight be a little easier if it was possible.22:52
rodrigodsyeah22:52
rodrigodsjust a register_body()22:53
bknudsonthen I could just match the response to the body22:53
*** david-lyle has joined #openstack-keystone22:53
rodrigodsbknudson, have just one concern though... i don't think that functional test is a good example22:57
*** aginwala has quit IRC22:57
rodrigodsideally, we would try to use that auth_ref to perform a call22:57
rodrigodsin the test22:57
rodrigodsand that would not fit the "unit test" version22:57
*** david-lyle has quit IRC22:58
bknudsonthe unit test runs the same code as the functional test22:58
bknudsonit just runs test_access_audit_id()22:58
rodrigodsbknudson, i know22:58
rodrigodstalking about the meaning of unit vs functional tests in general22:59
bknudsonmaybe you're saying the functional test is mostly useless22:59
bknudsonthere's several kinds of unit tests22:59
bknudsonthere's component tests and there's cross-layer tests and there's functional-style unit tests22:59
*** aginwala has joined #openstack-keystone22:59
bknudsonthey're all valid and have their uses23:00
rodrigodsof course23:00
rodrigodswhat i mean for that specific test23:00
*** rbridgeman_ has quit IRC23:00
rodrigodsis, its functional version, would not only try to get the scoped_auth_ref23:00
rodrigodsbut also would try to use it23:00
bknudsonoh, sure, the test maybe isn't that useful23:00
bknudsonI would like to see our functional tests cover larger scenarios... maybe call them "scenario" tests.23:01
bknudsonthat essentially follow the steps that an application would.23:01
rodrigodsbknudson, ++23:01
bknudsone.g., for federation create an idp, create a mapping, etc., all the way through getting a federated token.23:02
rodrigodsbknudson, exactly!23:02
rodrigodsand we can go even further23:02
rodrigodslike using the federated token to create an instance in nova23:02
bknudsonyes, then you're getting into tempest23:02
rodrigodsyes23:03
rodrigodsbknudson, that test you just described is what i'm doing in the next couple of weeks23:03
rodrigodswithout the nova part, and will submit to the keystone tree23:04
bknudsonthat'll be interesting to see.23:04
rodrigodsbknudson, would need to wait for the federated gate, but still...23:05
rodrigodswe could run in custom deployments23:05
bknudsonrodrigods: that's going to be kind of tricky since it requires setting up stuff in apache, too.23:06
bknudsonI guess the test just assumes that stuff is set up already23:06
rodrigodsyes23:06
*** ayoung has quit IRC23:07
bknudsonwe're a little short on functional tests now: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/functional23:07
rodrigodsbknudson, aren't we going to place them in keystone_tempest_plugin?23:08
bknudsonoh, right, I forgot they're http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/functional23:08
bknudsonoops23:08
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone_tempest_plugin23:08
rodrigodsbknudson, but you are right, we are short on that23:08
bknudsonthere's already a scenario -- http://git.openstack.org/cgit/openstack/keystone/tree/keystone_tempest_plugin/tests/scenario23:08
rodrigodsyes23:08
bknudsonmight want to start with a simple scenario where we get a token and do something and validate it23:09
rodrigodsbknudson, that federation scenario is the reason why i started by testing the federation CRUD23:09
bknudsonin the keystoneclient?23:09
rodrigodsin keystone23:09
bknudsonthe scenario tests aren't going to use keystoneclient, though23:09
rodrigodshttps://review.openstack.org/#/c/302299/23:09
patchbotrodrigods: patch 302299 - keystone - Add identity providers integration tests23:09
rodrigodsand the follow up patches23:09
bknudsony, and I'm not sure which is the more valuable, the scenario test or tests for the individual apis.23:10
rodrigodsmy line of thinking was: test the APIs -> test a scenario that will use the APIs23:10
*** GB21 has joined #openstack-keystone23:10
bknudsonsince you're not going to have functional tests to cover the entire behavior of the api... we've got unit tests for that.23:11
rodrigodsbknudson, yes, added a couple too (found some bugs)23:11
bknudsonso I'd lean towards scenario tests being more useful23:11
bknudsonok, well, I guess our unit tests aren't that great either23:12
rodrigodsbknudson, another reason to add these "simple" API tests was to have some tests running in our gate job23:12
rodrigodsand have a "base" ready for ppl to start developing23:13
bknudsonscenario tests don't need to be super complicated23:13
bknudsonand having a more simple one would still be interesting23:13
rodrigodsyeah, agree23:13
rodrigodsbknudson, ahh... another reason23:15
rodrigodsactually, the main reason23:15
rodrigodswas to have the clients23:15
rodrigodsidp_client, sp_client, mapping_client23:15
rodrigodsin the plugin, so we could use them in the scenario :P23:15
*** fangxu has quit IRC23:15
bknudson sure. I'm not a big fan of the clients but that's the way tempest does it. 23:16
rodrigods and... would not make sense to add the clients, without testing them a bit 23:16
rodrigods bknudson, yeah, this makes me think of using only keystoneclient 23:16
bknudson what the tests are doing shouldn't be complicated enough to require more classes. 23:16
bknudson just doing request.get/post, etc., should be easy enough. 23:17
rodrigods but we need to verify the get/posts before advancing the test 23:18
rodrigods having them verified elsewhere makes sense to me 23:18
bknudson if I was writing an application, I'd either do requests directly or use keystoneclient. I wouldn't write a new client. 23:19
rodrigods bknudson, really? sometimes such wrappers can ease a lot some stuff 23:20
rodrigods like default headers, tokens :), and so on.. 23:20
bknudson rodrigods: I'm saying if I needed a wrapper I'd use keystoneclient. 23:20
rodrigods ah, of course 23:20
*** stingaci has quit IRC 23:20
bknudson it's easy to set default headers in requests (use a session) 23:20
rodrigods i'm not sure why tempest does not use the clients 23:21
rodrigods since the actual consumers of the servers APIs are the clients 23:21
rodrigods maybe to verify stuff while it is not in the client yet 23:21
*** timcline has joined #openstack-keystone 23:22
bknudson the servers also have to support clients other than the python API, for example I should be able to curl directly. 23:22
rodrigods bknudson, hmm 23:22
bknudson so I agree that tempest shouldn't rely on keystoneclient for all its testing. 23:22
rodrigods true 23:22
bknudson so what that boils down to is I think that the keystone functional tests should do requests directly. 23:26
*** timcline has quit IRC 23:26
*** GB21 has quit IRC 23:28
*** fangxu has joined #openstack-keystone 23:29
*** krotscheck has quit IRC 23:31
*** krotscheck has joined #openstack-keystone 23:31
*** GB21 has joined #openstack-keystone 23:32
*** lhcheng has quit IRC 23:41
*** tqtran has quit IRC 23:41
*** dmk0202 has quit IRC 23:42
*** EinstCrazy has quit IRC 23:48
*** roxanaghe has quit IRC 23:51
*** ayoung has joined #openstack-keystone 23:53
*** ChanServ sets mode: +v ayoung 23:53
*** arunkant_ has quit IRC 23:57
