Monday, 2016-05-09

« Sunday, 2016-05-08 Index Tuesday, 2016-05-10 »
*** darrenc is now known as darren_afk00:09
*** fangxu has quit IRC00:12
*** timcline has joined #openstack-keystone00:15
*** timcline has quit IRC00:19
*** darren_afk is now known as darrenc00:23
*** markvoelker has quit IRC00:30
*** Guest460 is now known as mfisch00:32
*** mfisch is now known as Guest8170400:32
*** itlinux has joined #openstack-keystone00:48
*** catintheroof has joined #openstack-keystone00:55
*** itlinux has quit IRC00:57
*** lhcheng has joined #openstack-keystone01:01
*** ChanServ sets mode: +v lhcheng01:01
*** lhcheng has quit IRC01:06
*** EinstCra_ has joined #openstack-keystone01:09
*** timcline has joined #openstack-keystone01:16
*** timcline has quit IRC01:20
*** wxy has joined #openstack-keystone01:32
*** spzala has joined #openstack-keystone01:40
*** EinstCra_ is now known as EinstCrazy01:44
*** julim has quit IRC01:51
*** navidp has joined #openstack-keystone01:59
*** spzala has quit IRC02:03
*** spzala has joined #openstack-keystone02:04
*** spzala has quit IRC02:08
*** timcline has joined #openstack-keystone02:16
*** timcline has quit IRC02:21
*** itlinux has joined #openstack-keystone02:33
*** amit213 has quit IRC02:34
*** amit213 has joined #openstack-keystone02:34
openstackgerritMerged openstack/keystoneauth: Expose allow parameters for URL discovery  https://review.openstack.org/30965002:56
*** Guest81704 is now known as mfisch03:03
*** mfisch is now known as Guest3001803:04
*** GB21 has quit IRC03:12
*** sheel has joined #openstack-keystone03:14
*** timcline has joined #openstack-keystone03:17
*** timcline has quit IRC03:22
*** markvoelker has joined #openstack-keystone03:26
*** markvoel_ has joined #openstack-keystone03:29
*** markvoelker has quit IRC03:32
*** dan_nguyen has joined #openstack-keystone03:35
*** navidp has quit IRC03:37
*** links has joined #openstack-keystone03:44
*** dan_nguyen has quit IRC03:46
*** catintheroof has quit IRC03:56
*** dan_nguyen has joined #openstack-keystone04:01
*** spzala has joined #openstack-keystone04:04
*** spzala has quit IRC04:10
*** timcline has joined #openstack-keystone04:18
*** browne has joined #openstack-keystone04:21
*** timcline has quit IRC04:22
*** browne has quit IRC04:30
*** dan_nguyen has quit IRC04:52
*** TxGVNN has joined #openstack-keystone04:57
*** roxanaghe has joined #openstack-keystone05:19
*** timcline has joined #openstack-keystone05:19
*** markvoel_ has quit IRC05:20
*** roxanaghe has quit IRC05:20
*** timcline has quit IRC05:23
*** TxGVNN has quit IRC05:23
*** itlinux has quit IRC05:31
*** rcernin has joined #openstack-keystone05:40
openstackgerritRyosuke Mizuno proposed openstack/keystone: Add migration to make service type unique  https://review.openstack.org/30759305:48
*** yolanda has joined #openstack-keystone05:58
*** timcline has joined #openstack-keystone06:03
*** timcline has quit IRC06:08
*** afazekas_ is now known as afazekas06:10
*** markvoelker has joined #openstack-keystone06:14
*** markvoelker has quit IRC06:19
*** roxanaghe has joined #openstack-keystone06:21
*** roxanaghe has quit IRC06:26
*** xek__ is now known as xek06:43
*** openstackgerrit has quit IRC06:47
*** openstackgerrit has joined #openstack-keystone06:48
*** tesseract has joined #openstack-keystone07:01
*** timcline has joined #openstack-keystone07:04
*** spzala has joined #openstack-keystone07:04
*** timcline has quit IRC07:09
*** spzala has quit IRC07:09
*** yolanda has quit IRC07:17
*** yolanda has joined #openstack-keystone07:23
*** zqfan has joined #openstack-keystone07:31
*** TxGVNN has joined #openstack-keystone07:40
*** daemontool has joined #openstack-keystone07:45
*** markvoelker has joined #openstack-keystone08:03
*** timcline has joined #openstack-keystone08:05
*** markvoelker has quit IRC08:07
*** timcline has quit IRC08:09
*** roxanaghe has joined #openstack-keystone08:10
*** roxanaghe has quit IRC08:14
*** openstackgerrit has quit IRC08:17
*** openstackgerrit has joined #openstack-keystone08:17
*** jaosorior has joined #openstack-keystone08:19
*** daemontool has quit IRC08:21
*** jed56 has joined #openstack-keystone08:24
*** jistr has joined #openstack-keystone08:32
*** jamielennox is now known as jamielennox|away08:40
*** rudolfvriend has joined #openstack-keystone08:42
*** belmoreira has joined #openstack-keystone08:49
*** mkoderer__ has joined #openstack-keystone09:04
*** timcline has joined #openstack-keystone09:06
*** timcline has quit IRC09:10
*** mvk has joined #openstack-keystone09:23
*** baffle has quit IRC09:24
*** baffle has joined #openstack-keystone09:25
openstackgerrityolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results  https://review.openstack.org/31113309:28
*** daemontool has joined #openstack-keystone09:45
*** markvoelker has joined #openstack-keystone09:51
*** markvoelker has quit IRC09:56
*** timcline has joined #openstack-keystone10:06
*** timcline has quit IRC10:11
*** daemontool_ has joined #openstack-keystone10:11
*** pnavarro has joined #openstack-keystone10:11
*** daemontool has quit IRC10:14
*** EinstCrazy has quit IRC10:22
*** daemontool__ has joined #openstack-keystone10:31
*** daemontool_ has quit IRC10:34
*** ksavich has quit IRC10:35
*** daemontool has joined #openstack-keystone10:36
*** daemontool__ has quit IRC10:37
*** daemontool_ has joined #openstack-keystone10:41
*** daemontool__ has joined #openstack-keystone10:43
*** daemontool has quit IRC10:44
*** daemontool_ has quit IRC10:46
*** dmellado|off is now known as dmellado10:47
*** daemontool_ has joined #openstack-keystone10:51
*** daemontool__ has quit IRC10:55
samueldmqmorning keystone10:59
*** daemontool__ has joined #openstack-keystone10:59
*** daemontool_ has quit IRC11:03
*** daemontool has joined #openstack-keystone11:04
*** spzala has joined #openstack-keystone11:05
*** daemontool_ has joined #openstack-keystone11:06
*** timcline has joined #openstack-keystone11:07
*** rodrigods has quit IRC11:07
*** rodrigods has joined #openstack-keystone11:07
*** daemontool__ has quit IRC11:07
*** daemontool__ has joined #openstack-keystone11:08
*** spzala has quit IRC11:09
*** daemontool has quit IRC11:10
*** daemontool has joined #openstack-keystone11:11
*** timcline has quit IRC11:12
*** daemontool_ has quit IRC11:12
*** daemontool_ has joined #openstack-keystone11:14
*** daemontool__ has quit IRC11:15
*** jaosorior has quit IRC11:15
*** jaosorior has joined #openstack-keystone11:16
*** daemontool has quit IRC11:18
*** mjb has quit IRC11:24
*** mjb has joined #openstack-keystone11:27
*** gordc has joined #openstack-keystone11:28
*** jaosorior has quit IRC11:33
*** jaosorior has joined #openstack-keystone11:33
openstackgerritRodrigo Duarte proposed openstack/keystone: DO NOT MERGE: test ldap_filters in user list  https://review.openstack.org/31405511:35
*** frontrunner has quit IRC11:37
*** markvoelker has joined #openstack-keystone11:39
*** markvoelker has quit IRC11:44
*** roxanaghe has joined #openstack-keystone11:45
*** roxanaghe has quit IRC11:50
*** yolanda has quit IRC11:57
*** yolanda has joined #openstack-keystone12:02
*** raildo-afk is now known as raildo12:04
*** pauloewerton has joined #openstack-keystone12:07
*** timcline has joined #openstack-keystone12:08
*** rudolfvriend has quit IRC12:08
*** timcline has quit IRC12:12
*** dobson has quit IRC12:14
*** iurygregory has joined #openstack-keystone12:28
*** edmondsw has joined #openstack-keystone12:30
*** markvoelker has joined #openstack-keystone12:33
*** markvoelker has quit IRC12:38
*** agireud has quit IRC12:38
*** agireud has joined #openstack-keystone12:40
*** daemontool__ has joined #openstack-keystone12:41
*** jordanP has joined #openstack-keystone12:42
*** EinstCrazy has joined #openstack-keystone12:42
jordanPhi guys. I am working on a a Tempest test failure. the failing test is https://github.com/openstack/tempest/blob/master/tempest/api/identity/admin/v2/test_users_negative.py#L22812:42
jordanPit started to fail on May, 5 according to the log stash query message:"self.assertRaises(lib_exc.Unauthorized, self.users_client.list_users)"12:43
jordanPexample of a test failure here: http://logs.openstack.org/88/306788/10/check/gate-tempest-dsvm-postgres-full/bb9875c/console.html#_2016-05-09_10_57_39_18912:43
jordanPI hate to say, but it feels like a Fernet token/implementation issue12:44
*** dobson has joined #openstack-keystone12:44
jordanPI am saying that because it seems like fernet token was made the default recently (according to https://review.openstack.org/#/c/195780/)12:44
patchbotjordanP: patch 195780 - openstack-dev/devstack - Switch fernet to be the default token provider (MERGED)12:44
jordanPand I've never seen that test failing before12:45
*** daemontool_ has quit IRC12:45
*** EinstCrazy has quit IRC12:46
*** EinstCrazy has joined #openstack-keystone12:47
samueldmqjordanP: hi, morning12:48
jordanPhi samueldmq12:48
samueldmqjordanP: so the request is not using a token, and should fail with 401 right?12:48
jordanPit's using a token but that token should have been deleted (revoked) ?12:49
samueldmqjordanP: is the token the same for both self.client and self.users_client ?12:50
samueldmqjordanP: token from self.client is deleted12:50
samueldmqjordanP: and self.users_client is used to make the request12:50
*** EinstCrazy has quit IRC12:50
jordanPsamueldmq, I am not sure. I assume so, otherwise the test would fail 100% of the time12:51
samueldmqjordanP: could you doublecheck?12:52
samueldmqjordanP: oh, and it's failing randomly?12:52
jordanPyes12:52
jordanPit failed only 30 times in the last 7 days12:52
samueldmq*only* 30? hehe12:53
samueldmqjordanP: okay; e need more info to be able to debug12:54
samueldmqjordanP: is there a keystone log available,12:54
jordanPsamueldmq, here: http://logs.openstack.org/88/306788/10/check/gate-tempest-dsvm-postgres-full/bb9875c/logs/apache/keystone.txt.gz#_2016-05-09_10_43_50_47412:54
jordanPso can see the DELETE token statement12:54
jordanPand 5 lines after the GET http://127.0.0.1:35357/v2.0/users statement12:55
jordanP^^this should have returned a 401, as far as I understand12:55
samueldmqjordanP: where are those statements ? can you pass me something so I can ctrl+f ?12:56
jordanPgAAAAABXMGnluQ1tzfT1XOAIs9jn6pwTdQu8dvE6xIsxtN8aW3k8Q is the token you are interested in12:57
jordanP(wait for your browser to completely load the page)12:57
*** zzzeek has joined #openstack-keystone12:58
samueldmqjordanP: so the list_users request is arriving prior to the delete token request on keystone server12:58
*** yolanda has quit IRC12:58
samueldmqjordanP: ?12:59
jordanPno,, the list user arrived at 2016-05-09 10:43:50.53512:59
*** Ephur has joined #openstack-keystone12:59
jordanPand the delete at 2016-05-09 10:43:50.47412:59
*** EinstCrazy has joined #openstack-keystone13:01
samueldmqjordanP: is this running the defaults for devstack/tempest ?13:02
*** links has quit IRC13:02
samueldmqjordanP: I will need to spin up a vm and try to reproduce it locally13:02
jordanPyes, it's from the gate-tempest-dsvm-postgres-full job so I guess it"s the default13:03
samueldmqjordanP: my first guess would be that the tokens are different between self.client and self.users_client13:03
samueldmqjordanP: otherwise that would be a bug on the server13:03
*** yolanda has joined #openstack-keystone13:04
jordanPIt's possibly a concurrency issue, not related to postgre, logstash says the mysql job also fails on this from time to time13:04
samueldmqjordanP: likely yes, my question is whether this is a tempest bug (when handling tokens) or a keystone issue13:05
*** EinstCrazy has quit IRC13:06
jordanPyes, that's the question indeed13:06
jordanPI am not sure about the answer13:06
samueldmqit'd be useful if the tokens were logged for devstack, in the logs it shows as 'X-Auth-Token': '<omitted>'"13:06
jordanPyep, I'll try to repro locally13:06
*** timcline has joined #openstack-keystone13:08
jordanPthe Tempest code has changed lately in this area13:10
jordanP*hasn't...13:10
jordanPlol13:10
*** timcline has quit IRC13:13
*** markvoelker has joined #openstack-keystone13:13
*** EinstCrazy has joined #openstack-keystone13:14
*** zzzeek has quit IRC13:16
*** zzzeek has joined #openstack-keystone13:18
*** edmondsw has quit IRC13:20
*** rudolfvriend has joined #openstack-keystone13:29
*** jsavak has joined #openstack-keystone13:30
*** belmoreira has quit IRC13:31
*** rderose has joined #openstack-keystone13:34
*** rudolfvriend has quit IRC13:36
*** yolanda has quit IRC13:36
*** tonytan4ever has joined #openstack-keystone13:37
jordanPI couldn't reproduce locally..13:41
*** yolanda has joined #openstack-keystone13:43
*** david-lyle_ has joined #openstack-keystone13:48
openstackgerritMerged openstack/keystone: Tests clean up global ldap settings  https://review.openstack.org/30433713:49
*** david-lyle has quit IRC13:50
*** gagehugo has joined #openstack-keystone13:50
*** ametts has joined #openstack-keystone13:53
*** richm has joined #openstack-keystone13:53
*** markvoelker has quit IRC13:55
samueldmqjordanP: how do I run that single test in tempest ?13:56
samueldmqjordanP: I have a fresh devstack env running13:57
*** edmondsw has joined #openstack-keystone13:57
jordanPtox -e all -- tempest.api.identity.admin.v2.test_users_negative13:57
jordanPfrom the tempest repo13:57
jordanPthis runs all the tests in the test_users_negative file13:57
* samueldmq nods13:57
jordanPor tox -e all -- test_get_users_request_without_token13:58
jordanPif you want only that single test13:58
*** woodburn has joined #openstack-keystone13:58
*** thiagolib has joined #openstack-keystone14:00
*** catintheroof has joined #openstack-keystone14:03
samueldmqjordanP: I can't reproduce it locally either14:04
openstackgerritMerged openstack/keystone: Clean up test_receive_identityId  https://review.openstack.org/30984214:05
*** spzala has joined #openstack-keystone14:05
*** TemporalBeing1 has left #openstack-keystone14:05
samueldmqjordanP: if tempest allowed us to see the token used ... that would be helpful14:05
samueldmqhttps://github.com/openstack/tempest-lib/blob/master/tempest_lib/common/rest_client.py#L397-L41414:05
jordanPok, will submit a patch for this14:06
jordanPgive me 10 min :)14:06
jordanPand then 50min to let to tests pass obviously14:06
samueldmqjordanP: nice14:06
*** sigmavirus24_awa is now known as sigmavirus2414:06
jordanPI am 95% sure it's not a bug in Tempest :)14:07
jordanPhehe, we will see14:07
*** d0ugal has quit IRC14:07
samueldmqjordanP: let's see ... we will be sure if the tests fail, otherwise we can't say anything14:08
samueldmqlet's see14:08
*** jaugustine has joined #openstack-keystone14:08
*** ramishra has quit IRC14:08
*** links has joined #openstack-keystone14:08
jordanPit's super unlikely that the test will fail. But we can see if the same token is used14:08
jordanPand it should be used14:08
samueldmqjordanP: notice that other tests also failed when that one failed14:08
jordanPyeah that's because the cleanup is not properly done14:09
jordanPthis is a tempest bug14:09
jordanPfor sure14:09
*** timcline has joined #openstack-keystone14:09
*** ramishra has joined #openstack-keystone14:09
*** spzala has quit IRC14:09
samueldmqjordanP: kk, brb14:10
*** spzala has joined #openstack-keystone14:10
samueldmqjordanP: let me know once you have a patch up14:10
jordanPyes14:10
*** csoukup has joined #openstack-keystone14:11
*** links has quit IRC14:11
bknudson#success The keystone CLI is finally gone. Long live openstack CLI.14:11
openstackstatusbknudson: Added success to Success page14:11
bknudsonI hope this sticks.14:12
*** navidp has joined #openstack-keystone14:13
*** timcline has quit IRC14:14
*** jorge_munoz has joined #openstack-keystone14:15
*** navidp has quit IRC14:17
*** rderose has quit IRC14:19
*** jorge_munoz_ has joined #openstack-keystone14:19
*** jorge_munoz has quit IRC14:21
*** jorge_munoz_ is now known as jorge_munoz14:21
*** andrewbogott has quit IRC14:22
*** andrewbogott has joined #openstack-keystone14:22
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261114:27
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548714:27
*** slberger has joined #openstack-keystone14:28
morganayoung, lbragstad: https://review.openstack.org/#/c/311652/6 don't use for/else14:30
patchbotmorgan: patch 311652 - keystone - Replace revoke tree with linear search14:30
*** navidp has joined #openstack-keystone14:31
lbragstadmorgan ah ha - nice14:32
ayoungmorgan, can I do that in a follow on.  This is an attempt to move the test code on over to master as-is14:33
ayoungthe test code has been run in parallel since the trust code started using the tree14:33
ayoungand, while I don't love it, I want to do all changes in a step by step way.  So..I can submite a follow on patch with that change14:34
morganayoung: i'll be a -1 on for/else unless you have a followup posted14:35
morgani draw a hard line on for/else while/else useage14:35
morganif we're fixing things, that gets fixed too.14:35
bknudsonwe need to be consistent on how we do our reviews, so if for/else / while/else is not allowed that needs to be documented14:35
ayoungmorgan, I can work with that.   Two patches, one as is,. one with the for/else cleanup, and any other cleanups we want to be linked with it14:35
morganayoung: ++14:36
morganbknudson: i think we had a hacking change by dstanek specifically to deal with that14:36
*** sdake has joined #openstack-keystone14:36
morganbknudson: and i want to revisit it.14:36
morganbknudson: it is unreasonable to ask everyone to review / know "for/else" is banned in keystone14:36
morganbknudson: i think it needed a fix in our tests, but i'll check with dstanek today and get that re-worked.14:36
bknudsonprobably because the test that ayoung is copying does it.14:37
morganbknudson: yep.14:37
*** navidp has quit IRC14:37
morganit wont be hard to remove all traces of for/else and while/else from keystone and then make the hacking change a thing.14:38
ayoungbknudson, I think he is right that the logic of if/else is confusing.  I remember learning it when the original patch was posted, as I had not seen it before.14:38
stevemaro/14:38
ayoungI mean for/else14:38
morganstevemar: oh hai.14:38
bknudsonayoung: I hope if/else isn't too confusing! he he14:38
*** pgbridge has joined #openstack-keystone14:38
bknudsonif / return or raise / else is kind of confusing.14:39
morganbknudson: dude, if you can't do it with while/break on everything14:39
morganbknudson: you're not trying14:39
morganno if/else14:39
morgan:P14:39
bknudsonbreak? I goto.14:39
morganbknudson: ++14:39
dstanekbknudson: long live the cli!14:39
ayoungDoes python support goto?14:39
morganbknudson: i just write C and make python dynamically call out to GCC to compile the shared object before loading it in14:40
dstanekmorgan: i did make that, but at one of the mid-cycles it was decided that we didn't need/want it14:40
morgandstanek: well i think i want to bring it back up.14:40
morgandstanek: because regardless i'm going to keep -1ing every instance of for/else i find.14:40
stevemarwho is ready for when folks bring out their pitch forks? https://pypi.python.org/pypi/python-keystoneclient/3.0.0 ?!14:42
morgandstanek: i really do think it is the wrong construct to use and the only place (outside of testing) we really used it was the revoke tree14:42
morganstevemar: oh uh... sure? i have my fire resistant suit today14:42
ayoungstevemar, its OK.  I have the heavy machine guns already set up in a support by fire position.  Let them bring their farming implements14:42
openstackgerritRon De Rose proposed openstack/keystone: Move the federation abstract base class out of core  https://review.openstack.org/31413714:43
dstanekmorgan: i find it useful for avoiding extra nesting or and extra 'if', but since it confuses everyone I'm ok with not using it14:44
morgandstanek: if it wasn't such a weird construct that has to be explained over and over, i'd agree with you14:44
morgandstanek: but i would rather the code not need extra explinations / comments every time for some convenience.14:44
dstanekmorgan: unfortunate :-(, but i agree14:45
openstackgerritRon De Rose proposed openstack/keystone: Move the federation abstract base class out of core  https://review.openstack.org/31413714:46
*** jsavak has quit IRC14:46
*** ChanServ changes topic to "Midcycle Planning Thread: http://lists.openstack.org/pipermail/openstack-dev/2016-April/092298.html"14:48
openstackgerritRon De Rose proposed openstack/keystone: Move the federation abstract base class out of core  https://review.openstack.org/31413714:49
*** woodster_ has joined #openstack-keystone14:49
*** dancn has joined #openstack-keystone14:52
*** TxGVNN has quit IRC14:53
*** raddaoui has joined #openstack-keystone14:53
*** d0ugal has joined #openstack-keystone14:55
*** phalmos has joined #openstack-keystone14:55
lbragstaddolphm bknudson talking with jordanP in #openstack-qa about https://bugs.launchpad.net/keystone/+bug/1578866 if you're interested14:57
openstackLaunchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed]14:57
zzzeekheya morgan my CI is getting a bunch of these http://paste.openstack.org/show/496467/ all the sudden14:57
morganzzzeek: looking14:57
zzzeekmorgan: there's a lot of dogpile in the logs too, not sure if that's related, let me put a bigger segment14:58
morganzzzeek: nah that looks like a pyldap issue14:58
morganzzzeek: python-ldap*14:58
morganand set_option being bad.14:58
zzzeekmorgan: http://paste.openstack.org/show/496468/14:58
*** jsavak has joined #openstack-keystone14:58
zzzeekOK so my CI env is not totally standard maybe if i wipe and rebuild ?14:59
morganzzzeek: have to jump into a meeting. maybe, but unlikely i'll look in an hour or so :)14:59
*** Guest30018 is now known as mfisch14:59
zzzeekmorgan: np14:59
*** mfisch is now known as Guest5645914:59
openstackgerritRon De Rose proposed openstack/keystone: Move the federation abstract base class out of core  https://review.openstack.org/31413715:03
*** tonytan4ever has quit IRC15:03
*** haplo37 has joined #openstack-keystone15:04
*** clenimar has joined #openstack-keystone15:04
*** spzala has quit IRC15:06
*** spzala has joined #openstack-keystone15:07
*** jsavak has quit IRC15:08
*** d0ugal has quit IRC15:08
*** edtubill has joined #openstack-keystone15:09
*** yolanda has quit IRC15:09
*** timcline has joined #openstack-keystone15:10
*** timcline_ has joined #openstack-keystone15:13
*** spzala has quit IRC15:13
*** timcline has quit IRC15:13
*** timcline_ has quit IRC15:14
*** timcline has joined #openstack-keystone15:14
*** EinstCrazy has quit IRC15:18
*** yolanda has joined #openstack-keystone15:19
*** roxanaghe has joined #openstack-keystone15:22
ayoungdstanek, looking more closely at the for/elses in https://review.openstack.org/#/c/311652/6/keystone/models/revoke_model.py  sepcifically the one at line 180...can that ever be hit?15:22
patchbotayoung: patch 311652 - keystone - Replace revoke tree with linear search15:22
ayoungfor attribute_name in ['identity_domain_id', 'assignment_domain_id']:  would never trigger an else, right?15:22
*** pnavarro has quit IRC15:24
*** d0ugal has joined #openstack-keystone15:25
*** diazjf has joined #openstack-keystone15:26
ayoungOK...I'm forgetting what else means in a for loop.  that def needs to die15:26
*** roxanaghe has quit IRC15:26
dstanekayoung: the 'else' will be executed if the 'break' is not executed15:27
ayoungdstanek, right...which makes this logic the perfect candidate for using it.15:28
ayoungExcpet for that fact that only a python guru would understand that15:28
dstanekayoung: :-)15:28
ayoungI am not a python guru, so I clearly cannot chose the goblet in front of me15:28
dstanekayoung: it's one of those language constructs that's really useful, but so infrequently used that it's hard to remember what it does15:30
ayoungdstanek, and also more obscure by the attempt to not require addtional language keywords15:30
*** tonytan4ever has joined #openstack-keystone15:32
*** jistr has quit IRC15:33
dstanekayoung: yeah, i've started to replace it with 'if all(somefilter...)' when i can in some of the other projects i hack on15:34
*** jed56 has quit IRC15:34
ayoungooh15:34
ayoungI think I can do that here15:34
*** navidp has joined #openstack-keystone15:34
ayoungdstanek, for example15:36
ayoung        if all(event.user_id == token_values[attribute_name]15:36
ayoung               for attribute_name in ['user_id', 'trustor_id', 'trustee_id']):15:36
ayoung            return False15:36
rodrigods^ really odd15:37
rodrigodsi can't read what's going on15:37
dstanekayoung: yeah, something like that should work. if your expression gets too long you can just make it a function and give it a name15:38
dstanekayoung: actually i think you want any() instead of all()15:38
morgandstanek: ++15:39
ayoungdstanek, nope15:39
dstanekrodrigods: it's easier to ready that the for-else because that just confuses people15:39
ayoungif they all pass, it means that the event can't match, and thus short circuit15:39
ayoungif any one of them match, the event can still potentially match the token, and keep on checking15:40
dstanekayoung: in that original code if any of them match then the loop is aborted and the 'else' is not executed15:40
*** daemontool__ has quit IRC15:41
ayoungdstanek, right.  and in the original code, it is the else that does the return15:41
rodrigodsactually, i can't read either way... have to stop and think a bit for both15:41
rodrigodsi usually do that with an external bool15:42
ayoungrodrigods, False means "token is not revoked by this event" and passes through a series of checks.  It is only revoked it if passes through all of the checks, so we want a quick return for the normal case15:44
rodrigodsayoung, right... what don't split in several methods that return True if matches?15:45
rodrigodsif any of the methods return False, short circuit15:45
ayoungrodrigods, I'm not certain it makes it any clearer.15:45
ayoungI'll have the updated code posted for review shortly15:46
rodrigodsayoung, yeah... not sure either15:46
rodrigodsjust brainstorming15:46
openstackgerritMorgan Fainberg proposed openstack/keystone: Change to use json instead of msgpack in request_local cache  https://review.openstack.org/31418815:46
morganayoung: ^ move to json from msgpack in request local15:47
morganayoung: lets see how it goes.15:47
ayoungdstanek, OK you are right...I had it backwards.  any is the right test15:47
ayoungdstanek, but I need to swap ==  to !=15:47
ayoungno...wait...15:48
rodrigodsayoung no...15:48
ayoungI don't need to swap here15:48
rodrigodskeep the ==15:48
rodrigodsyeah15:48
ayoungum15:49
ayoungI think it is15:49
ayoungif all (  != )15:49
rodrigodsisn't any( == )?15:49
ayoungrodrigods, if any( == ) then continue15:49
rodrigodsyes15:49
ayoungif all ( != ) then return False15:50
rodrigodsif all ( != ) return False15:50
rodrigodsexactly15:50
ayoungso the short circuit logic is15:50
ayoungif any ( == ): NOOP else return False15:50
ayoungI know this is premature optimization, but this is the fast path15:51
dstanekthis looks like code by committee :-)15:51
*** d0ugal has quit IRC15:51
ayoungmaybe not pre-mature15:51
ayoungdstanek, nah, it looks like hand tuned performance code15:51
bknudsonpair-programming15:53
bknudsonvery agile15:53
morganbknudson: s/pair/3+ people/15:53
ayoungrodrigods, dstanek   here is my current thinking (untested as of yet) https://paste.fedoraproject.org/364305/14628092/15:54
bknudsonwe need a shared display where we can all type15:54
bknudsonetherpad, I guess15:54
*** jistr has joined #openstack-keystone15:54
ayoungI guess I can reverse that...the pass is not going to be any more performant15:55
dstanekbknudson: etherpad needs vim bindings15:55
morganbknudson: programming via google docs?15:55
ayoungso this https://paste.fedoraproject.org/364306/14628093/15:56
dstanekmorgan: when i interviewed with Google that's what they did15:56
rodrigodsayoung the second one by far15:56
rodrigodsdstanek morgan yes15:56
rodrigodsthey do that15:56
bknudsonVaaS (vim as a service)15:56
ayoungrodrigods, yeah.  I think they have exactly the same execution path.15:57
*** rderose has joined #openstack-keystone16:01
*** tesseract has quit IRC16:01
*** ramishra_ has joined #openstack-keystone16:04
*** jsavak has joined #openstack-keystone16:05
*** rcernin has quit IRC16:06
*** d0ugal has joined #openstack-keystone16:06
*** ramishra has quit IRC16:07
*** roxanaghe has joined #openstack-keystone16:07
*** spzala has joined #openstack-keystone16:08
*** dan_nguyen has joined #openstack-keystone16:12
*** agrebennikov has joined #openstack-keystone16:13
*** spzala has quit IRC16:15
*** dan_nguyen has quit IRC16:16
*** gyee has joined #openstack-keystone16:22
*** ChanServ sets mode: +v gyee16:22
*** tonytan4ever has quit IRC16:22
*** diazjf has quit IRC16:24
*** tonytan4ever has joined #openstack-keystone16:24
yolandahi morgan, sigmavirus24 , can you take a look at my new keystoneauth + betamax patch ?https://review.openstack.org/#/c/311133/16:26
patchbotyolanda: patch 311133 - keystoneauth - Use betamax hooks to mask fixture results16:26
morganyolanda: will do. on my list for today :)16:26
yolandamorgan, there was some concern from sigmavirus24 related to the way we use betamax for unit testing16:27
* sigmavirus24 nods16:27
sigmavirus24I was looking for shade's issue tracker but the storyboard for it looks dead and outdated16:27
*** rbridgeman has joined #openstack-keystone16:29
morgansigmavirus24: welllll16:32
morgansigmavirus24: it's supposed to be in storyboard...16:32
morgansigmavirus24: what is the concern?16:32
*** fangxu has joined #openstack-keystone16:33
sigmavirus24morgan: so the way I understood it, y'all are going to record cassettes and then use those with mocks?16:33
morganbasically we plan to record real cloud interactions, then use the replay as part of the testing16:33
morgansigmavirus24: the reason is to ensure we don't regress/break the ... large number of variations from what clouds.yaml provides.16:33
morgansigmavirus24: with changes to shade/ksa/etc16:34
morgansigmavirus24: if a cloud changes their responses, we need to update the cassette16:34
sigmavirus24Right16:34
morganbut that seems to be less common than us changing code in shade16:34
sigmavirus24It just sounded like y'all were going to just update your current unit testing/mocking with cassette data16:34
morganafaik it's adding a ton more testing16:34
sigmavirus24Cool16:34
morgannot replacing tests16:34
*** jsavak has quit IRC16:35
morganyolanda: ^ correct me if i'm wrong.16:35
morgansigmavirus24: we might replace *some* very synthetic mocks with cassettes16:35
*** rbridgeman_ has joined #openstack-keystone16:35
sigmavirus24col16:35
yolandayep, not replacing tests, but make the unit tests use the recorded data to mock server16:35
sigmavirus24*cool16:35
sigmavirus24Ignore me then :)16:35
morgansigmavirus24: but i don't want to ignore you :P16:35
*** jsavak has joined #openstack-keystone16:35
sigmavirus24either way, I'm no longer concerned16:36
morganokiue16:36
morganokie816:36
morganugh... i can't type16:36
*** rcernin has joined #openstack-keystone16:37
*** tonytan4ever has quit IRC16:37
*** rbridgeman has quit IRC16:38
yolandamorgan, so what i did following sigmavirus24 advice, is to replace with placeholders16:39
yolandathen on shade, we can replace these placeholders with real cloud data16:39
yolandai'm thinking in adding a placeholder as well for the url, because for example, my devstack endpoints change on each run, so that's going to cause to record different fixtures per environment, that should not happen16:40
morganyolanda: ++16:40
sigmavirus24Oh, can I suggest different test classes for different providers (including devstack)16:41
sigmavirus24They can share common tests, but they should preferably be different test case classes to be safe :)16:41
openstackgerritZhiQiang Fan proposed openstack/keystone: replace logging with oslo.log  https://review.openstack.org/30986916:42
morgansigmavirus24: sure. or something that programtically creates the test classes based upon the registered cassettes...oer whatever16:42
sigmavirus24right16:43
yolandayep, at the moment only using devstack, but the idea is to have fixtures per proviers16:44
yolandaproviders16:44
*** david-lyle_ is now known as david-lyle16:45
*** fangxu has quit IRC16:45
arunkantdstanek: Can you review: https://review.openstack.org/#/c/279828/16:49
patchbotarunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...16:49
*** jordanP has quit IRC16:51
*** pnavarro has joined #openstack-keystone16:51
*** jsavak has quit IRC16:51
*** roxanagh_ has joined #openstack-keystone16:53
*** jaosorior has quit IRC16:58
*** sdake has quit IRC17:00
*** jsavak has joined #openstack-keystone17:00
*** sdake has joined #openstack-keystone17:01
*** fangxu has joined #openstack-keystone17:02
*** diazjf has joined #openstack-keystone17:02
*** jistr has quit IRC17:02
*** TxGVNN has joined #openstack-keystone17:03
*** fangxu has quit IRC17:03
*** yolanda has quit IRC17:06
*** daemontool__ has joined #openstack-keystone17:09
*** pgbridge has quit IRC17:10
*** spzala has joined #openstack-keystone17:11
*** yolanda has joined #openstack-keystone17:12
*** fangxu has joined #openstack-keystone17:14
*** spzala has quit IRC17:16
*** sdake_ has joined #openstack-keystone17:18
*** rderose has quit IRC17:20
*** sdake has quit IRC17:21
*** sdake_ has quit IRC17:25
*** roxanagh_ has quit IRC17:26
*** sdake has joined #openstack-keystone17:27
*** jaugustine has quit IRC17:30
*** gagehugo has quit IRC17:30
*** rderose has joined #openstack-keystone17:31
*** stingaci has joined #openstack-keystone17:36
*** pgbridge has joined #openstack-keystone17:36
*** diazjf has quit IRC17:38
*** diazjf has joined #openstack-keystone17:38
*** spzala has joined #openstack-keystone17:39
*** jsavak has quit IRC17:42
*** jsavak has joined #openstack-keystone17:43
*** navidp has quit IRC17:46
*** harlowja has joined #openstack-keystone17:48
*** TxGVNN has quit IRC17:58
*** sdake_ has joined #openstack-keystone17:58
*** sdake has quit IRC18:01
*** julim has joined #openstack-keystone18:01
*** csoukup has quit IRC18:02
*** jsavak has quit IRC18:05
*** jsavak has joined #openstack-keystone18:05
*** navidp has joined #openstack-keystone18:06
openstackgerritayoung proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165218:11
ayoungmorgan, I decided I liked how the new code looked so much better than the original that I decided to merge it in to the main patch18:11
*** mvk has quit IRC18:12
ayoungyolanda, I love that patch number.  I read it as EIIIEE!18:12
morganayoung: ++18:13
ayoungyolanda, looks like the tests are comparing two lists, and the ordering is changing, even though the lists contain the same set of items.  You could probably sort them and then compare18:15
ayoung self.assertEqual(cassette.placeholders, expected_placeholders)18:15
*** sdake_ is now known as sdake18:15
bknudsonassertItemsEqual18:15
*** timcline has quit IRC18:15
ayoungbknudson, RIGHT...  actually I think DictEqual now that I look18:16
ayounghttp://logs.openstack.org/33/311133/7/check/gate-keystoneauth-python27/e078b70/console.html  at 2016-05-09 09:33:09.04918:16
bknudsonI think I wrote a thing to compare xml...18:17
bknudsonit's not perfect since there's no way for it to have all the info it needs18:18
*** roxanagh_ has joined #openstack-keystone18:23
ayoungbknudson, actually, looking at the test it is a list, and one that she constructs manually.  Could be handled just by reordering the elements, but it looks like it should be a dict test18:24
*** diazjf1 has joined #openstack-keystone18:26
*** diazjf has quit IRC18:26
*** sdake has quit IRC18:27
*** openstackgerrit has quit IRC18:33
*** openstackgerrit has joined #openstack-keystone18:33
*** timcline has joined #openstack-keystone18:34
*** timcline has quit IRC18:34
*** timcline has joined #openstack-keystone18:35
*** browne has joined #openstack-keystone18:38
*** browne has quit IRC18:41
*** ozialien10 has quit IRC18:43
*** ozialien10 has joined #openstack-keystone18:44
*** ozialien10 has quit IRC18:44
*** tqtran has joined #openstack-keystone18:45
*** ozialien10 has joined #openstack-keystone18:45
*** julim has quit IRC18:46
*** dmellado has quit IRC18:47
*** spzala has quit IRC18:49
*** sdake has joined #openstack-keystone18:49
*** neophy has joined #openstack-keystone18:49
*** yolanda has quit IRC18:51
*** cloudnul- has joined #openstack-keystone18:55
*** roxanagh_ has quit IRC18:57
*** cloudnul- has quit IRC18:57
*** dan_nguyen has joined #openstack-keystone19:00
*** sdake_ has joined #openstack-keystone19:06
*** sdake has quit IRC19:07
*** rderose has quit IRC19:08
*** spandhe has joined #openstack-keystone19:08
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add sample file generation script  https://review.openstack.org/31424419:18
*** dan_nguyen has quit IRC19:26
bknudsonamazingly no pitchforks about removal of keystone CLI yet.19:26
*** diazjf1 has left #openstack-keystone19:27
*** dan_nguyen has joined #openstack-keystone19:31
*** navid_ has joined #openstack-keystone19:33
*** navidp has quit IRC19:36
stevemarbknudson: no one noticed yet19:45
stevemaranyone want to punt https://review.openstack.org/#/c/309869/3 through?19:45
patchbotstevemar: patch 309869 - keystone - replace logging with oslo.log19:45
*** tonytan4ever has joined #openstack-keystone19:49
lbragstadmorgan quick token caching question19:49
lbragstadmorgan we cache both fernet and uuid tokens19:50
morganlbragstad: ack19:50
morganYes19:50
*** tonytan_brb has joined #openstack-keystone19:51
lbragstadbut do we only invalidate the token cache by using _invalidate_individual_token_cache() ?19:51
morganYes.19:51
lbragstadthat method is only used keystone/token/persistence/core.py19:51
morganThat invalidatws the specific ID.19:51
lbragstadso do we never invalidate the token cache when a fernet token is revoked?19:51
*** spzala has joined #openstack-keystone19:52
morganstevemar: done19:52
morganlbragstad: hmm.19:52
morganFernet was not initially doing revoke by id19:52
morganSo we need to expand its use (that invalidate function)19:53
morganThe Rev event should catch the token cache though19:53
morganIirx19:53
morganIirc*19:53
lbragstadmorgan i would think so because we have fernet tests in keystone that go through the password change scenario19:53
*** jsavak has quit IRC19:54
morganSo, we don't invalidate the cache, we rely on rev events.19:54
morganWith fernet.19:54
lbragstadmorgan yes - I would assume that to be true19:54
morganThat's fine.19:54
*** tonytan4ever has quit IRC19:54
morganThis is because uuid uses a column in the db to determine revocation (rev list)19:54
lbragstadmorgan so this is tested by fernet19:55
lbragstadhttps://github.com/openstack/keystone/blob/b155387cdd470a038387495cdcd082728cd645f9/keystone/tests/unit/test_v3_auth.py#L253-L26319:55
lbragstadwhich means that it would *have* to be handled by revocation events19:56
lbragstadmorgan we seem to still have an issue in the gate19:57
*** spzala has quit IRC19:57
lbragstadwhere a token is created, revoked and validated19:57
lbragstadand the validation succeeds19:57
morganHmm.19:58
morganWeird.19:58
lbragstadbut only everyone once in a while19:58
lbragstadso it's not consistent19:58
morganOh. Timing issue.19:58
morganBoi19:58
morganBoo*19:58
lbragstadso let's say we cross the threshold into a new second19:58
lbragstadand get a fernet token at 0.2 of that second19:59
morganIt's when you're in the same second.19:59
lbragstadthe issued_at of that token will be X.0 because of the int(time.time()) thing fernet does19:59
morganThat the issue occurs I think19:59
morganYes19:59
lbragstadbut when we issue the recovation event19:59
morganSame issue. Doh.19:59
lbragstadif that rev event is stored in sql within the same second20:00
lbragstadit's going to truncate the subsecond precision20:00
lbragstadwhich means the revocation_event['issued_before' will also be X.020:00
lbragstadwhich is the exact same as the token_data['issued_at']20:00
lbragstadbut we protect ourself against that here - https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L22320:01
lbragstadwhich is why I'm starting to get super confused because we error on the side of invalidation in the event the revocation event and token issued_at time are in the same second20:01
lbragstadso - given that information.. how is it that we are still validating tokens if we err on the side of invalidation?20:03
*** d34dh0r53 is now known as th3r34ld0n4ld7ru20:05
*** th3r34ld0n4ld7ru is now known as therealmajorhayd20:05
*** spzala has joined #openstack-keystone20:06
*** therealmajorhayd is now known as d34dh0r5320:07
*** maxabidi has joined #openstack-keystone20:07
*** dan_nguyen has quit IRC20:08
*** spandhe has quit IRC20:11
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261120:13
*** rderose has joined #openstack-keystone20:13
*** roxanagh_ has joined #openstack-keystone20:14
*** rcernin has quit IRC20:15
*** tonytan4ever has joined #openstack-keystone20:21
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261120:22
*** tonytan_brb has quit IRC20:25
*** spzala has quit IRC20:38
openstackgerritMatthew Edmonds proposed openstack/keystone: (WIP) Honor ldap_filter on filtered user list  https://review.openstack.org/31212620:40
edmondswrodrigods, you were right that the tests weren't working properly. I fixed a couple issues, but I'm stumped on the last one20:41
edmondswrodrigods, the fix itself actually does work, I've verified it in manual testing, but I just can't get the UT right20:41
rodrigodsedmondsw, hmm how so?20:42
edmondswrodrigods, I pushed up my changes to the UT... if you have a minute, take a look and see if you can figure out what's going on20:42
edmondswhttps://review.openstack.org/#/c/312126/20:42
patchbotedmondsw: patch 312126 - keystone - (WIP) Honor ldap_filter on filtered user list20:42
rodrigodsedmondsw, sure20:42
edmondswtx20:43
rodrigodswill do today, ok?20:43
edmondswgreat20:43
edmondswat this point I've got the UT trying 2 things... that if can see the user when it matches user_filter in conf, and that it can't when it does not20:43
edmondswunfortunately the first of those isn't working (second is)20:44
*** sdake has joined #openstack-keystone20:44
*** jsavak has joined #openstack-keystone20:45
edmondswrodrigods, I've verified that the 2nd of those 2 things works with my change and fails without it, addressing your earlier comment20:45
edmondswbut I have no idea why the first isn't passing20:45
rodrigodsedmondsw, the second works without your change, at least for the unit tests20:46
*** ksavich has joined #openstack-keystone20:46
edmondswrodrigods?20:46
rodrigodsedmondsw, not exposing the user if the filter doesn't match, even using the name as hint20:46
*** sdake_ has quit IRC20:47
rodrigodsedmondsw, here https://review.openstack.org/#/c/314055/20:47
patchbotrodrigods: patch 314055 - keystone - DO NOT MERGE: test ldap_filters in user list20:47
morganstevemar: i should have the details for midcycle tomorrow. Hanging at the Cisco office in Pasadena and bugging them :)20:47
*** roxanagh_ has quit IRC20:48
dstanekmorgan: yay!20:48
edmondswrodrigods... huh... it was working... I must have messed it up trying to get the first test working20:48
morgandstanek: :)20:48
dstanekmorgan: do we all get routers as a door prize?20:48
edmondswrodrigods, or I'm losing my mind... ;)20:49
rodrigodsyou should all get a visa to visit Brazil20:49
rodrigodsedmondsw, it doesn't work in your env, right?20:49
edmondswrodrigods, yeah, it's messed up in mine as well20:49
rodrigodscan you confirm that listing all users (without the name query) it works fine?20:50
rodrigodsso the bug is *only* when you pass the name query20:50
edmondswwithout the code fix, the UT fails on line 268. With the fix it fails on 25520:50
*** BjoernT has joined #openstack-keystone20:50
rodrigodsedmondsw, the first one should pass if the filter works or not20:52
edmondswrodrigods, that actually makes more sense...20:52
*** neophy has quit IRC20:53
edmondswoh, wait... we want that second check to fail without my code fix... I am losing my mind20:54
edmondswrodrigods ^20:54
edmondswthe point of adding the UT is for it to fail when the code is broken, which it is without the fix in the ldap driver20:54
edmondswbeen a long day20:54
rodrigodsedmondsw, the second must fail without your fix, exactly20:54
rodrigodsand the first one should pass with or without it20:55
edmondswand it does, so that's good20:55
edmondswright20:55
rodrigodsbut... i wouldn't rely in the first one since you may be writing the filter wrong20:55
rodrigodslet me check something here20:55
*** mvk has joined #openstack-keystone20:57
rodrigodsayoung, ping... there? could use some ldap expertise here20:58
ayoungUh oh.  rodrigods I'll see if I can find some20:58
ayoungrodrigods, to anser the question, yes, edmondsw is losing his mind. Completely gone.20:58
rodrigodsso... we have this bug: https://bugs.launchpad.net/keystone/+bug/157780420:58
openstackLaunchpad bug 1577804 in OpenStack Identity (keystone) "/v3/users?name=<name> bypasses user_filter for LDAP" [Undecided,In progress] - Assigned to Matthew Edmonds (edmondsw)20:59
rodrigodslol20:59
edmondswtx ayoung :)20:59
edmondswnice to have confirmation20:59
rodrigodsayoung, and we have this fix/test: https://review.openstack.org/#/c/312126/820:59
patchbotrodrigods: patch 312126 - keystone - (WIP) Honor ldap_filter on filtered user list20:59
ayoungedmondsw, is that version the one you are asking about, or still in your repo?21:00
edmondswayoung, that's it21:01
edmondswayoung rodrigods line 250... is "uid" supposed to be something else?21:01
edmondswtried cn, didn't do any better21:01
edmondswnot sure what is being mocked in these tests for user id attribute21:02
ayoungedmondsw, no clue.  I dumped all that info long ago...let me see if I can remember21:03
rodrigodsdn=cn=40231843b1c547359f566d9102b5771e,ou=Users,cn=example,cn=com, attrs=[('objectClass', ['person', 'inetOrgPerson']), ('cn', ['40231843b1c547359f566d9102b5771e']), ('sn', ['REQ_ADMIN']), ('enabled', ['TRUE']), ('userPassword', ['password'])]21:04
bknudsonI assume the tests use the defaults21:04
ayoungedmondsw, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py#n63221:04
ayoung'user_id_attribute', default='cn',21:04
ayoungedmondsw, but....21:05
ayoungthat is not the same as the cn attribute for a user21:05
ayoungthe dn is built from that attribute and the tree21:05
edmondswyeah, it's using cn21:05
* ayoung slowly remembering all this21:06
edmondswI dumped driver.user.id_attr and it was 'cn'21:06
ayoungedmondsw, this is some of the ugliest code in existence21:06
ayoungsort of21:06
edmondswno kidding21:06
rodrigodsedmondsw, http://paste.openstack.org/show/496508/21:06
edmondswI've spent 5x the time to fix the problem trying to get a UT to work21:06
edmondswat least21:06
rodrigodsnow it fails on the last check21:06
rodrigodswhy? no clue21:07
* rodrigods going insane too21:07
ayoungrodrigods, edmondsw look at the code that builds a dn21:07
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n129721:08
ayounguse that, pass in the id, get back the DN, and use that for the LDAP query21:08
edmondswdo I care about dn? shouldn't the user filter just match the part of the dn that I specify?21:09
ayoungedmondsw, nope21:09
ayoungedmondsw, DN is kindof an attributer but not really21:09
ayoungthink of the DN as a string match that just happens to be built out of attributes21:09
ayoungthey look the same, but they are not the same21:09
rodrigodsso is there a change that we don't have a bug?21:09
ayoungrodrigods, its called "Replace LDAP identity backend with SSSD"21:10
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428421:10
rodrigodslol21:10
ayoungits not a bug, its a feature21:10
ayounghttp://barelybad.com/images/feature_bug01.jpg21:11
edmondswrodrigods, I think what you did there was an invalid filter, so who knows what will happen there21:11
ayoungNote that out unit tests go through the wonderful FakeLDAP code, too, which essentially returns back what it was given, so, I think it will only match the full DN...I think21:12
edmondswayoung, so should we just put the fix in without a UT?21:12
rderoseedtubill: started on the db changes for PCI-DSS:21:13
rderosehttps://review.openstack.org/#/c/314284/21:13
patchbotrderose: patch 314284 - keystone - WIP - Database changes to support PCI-DSS21:13
rodrigodsedmondsw, there is also https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L28621:13
rodrigodsseems that it isn't enforcing the ldap_filter too21:13
edmondswrodrigods, actually I think that's intentional there21:13
edmondswsee ayoung's earlier comment about this being the worst code ever21:14
edtubillrderose: cool, I'll look at it later.21:15
*** Guest56459 is now known as mfisch21:15
rderoseedtubill: sounds good21:15
*** sheel has quit IRC21:15
*** mfisch is now known as Guest8708521:15
rodrigodsedmondsw, lol21:16
*** pauloewerton has quit IRC21:17
*** spandhe has joined #openstack-keystone21:17
rodrigodsedmondsw, see https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L37721:17
rodrigodsedmondsw, seems like the "group" code is correct21:18
edmondswrodrigods what about L377?21:18
edmondswyes, the group code is fine21:19
rodrigodsedmondsw, the query format21:19
edmondswrodrigods yes, the query format there is correct (and matches what I'm doing)21:19
*** Guest87085 is now known as mfisch21:19
edmondswrodrigods you were missing parenthesis in what you tried21:19
*** mfisch has quit IRC21:20
*** mfisch has joined #openstack-keystone21:20
openstackgerritMatthew Edmonds proposed openstack/keystone: Honor ldap_filter on filtered user list  https://review.openstack.org/31212621:23
edmondswrodrigods, I just removed that part of the test... still better than it used to be21:23
edmondswayoung ^21:23
edmondswit now passes with my code fix, and this UT would fail without my code fix... done21:24
rodrigodsedmondsw, suggestion: add another patch with a test where we try to list everything but we use the filters21:24
rodrigodsthe only test we have for it tries an invalid filter, so we have no idea if it actually works21:25
edmondswrodrigods, I don't know how much we want to invest in this if this ldap driver is going to be replaced in newton21:25
edmondswrodrigods, and I've exhausted the time I have to spend on this21:25
edmondsw(and then some)21:26
rodrigodsedmondsw, but the tests will remain :)21:26
rodrigodsbut, fair enough21:26
*** d0ugal has quit IRC21:26
edmondswrodrigods tx for your time21:26
rodrigodsnp :) it was fun21:27
*** edmondsw has quit IRC21:29
*** gyee has quit IRC21:33
*** navid__ has joined #openstack-keystone21:37
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428421:37
*** navid_ has quit IRC21:38
*** browne has joined #openstack-keystone21:39
bknudsonthis ironic change is surprising for stable: https://review.openstack.org/#/c/287134/21:39
patchbotbknudson: patch 287134 - ironic (stable/liberty) - Use wsgi from oslo.service for Ironic API21:39
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428421:40
bknudsonoops, wrong channel21:40
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428421:43
*** slberger has left #openstack-keystone21:45
*** rderose has quit IRC21:47
*** spzala_ has joined #openstack-keystone21:56
*** jsavak has quit IRC21:57
*** catintheroof has quit IRC22:01
*** sdake has quit IRC22:02
*** roxanagh_ has joined #openstack-keystone22:05
*** tonytan4ever has quit IRC22:05
*** phalmos has quit IRC22:06
*** browne has quit IRC22:10
*** navid__ has quit IRC22:18
*** fangxu has quit IRC22:18
*** haplo37 has quit IRC22:22
*** dave-mccowan has quit IRC22:22
*** sigmavirus24 is now known as sigmavirus24_awa22:24
*** gordc has quit IRC22:25
*** edtubill has quit IRC22:29
*** ksavich has quit IRC22:30
*** rbridgeman_ has quit IRC22:33
*** jamielennox|away is now known as jamielennox22:35
*** julim has joined #openstack-keystone22:38
*** roxanagh_ has quit IRC22:39
*** BjoernT has quit IRC22:40
*** tonytan4ever has joined #openstack-keystone22:46
*** edtubill has joined #openstack-keystone22:47
*** tonytan4ever has quit IRC22:52
*** fangxu has joined #openstack-keystone22:55
*** edtubill has quit IRC22:58
*** fangxu has quit IRC22:58
*** ametts has quit IRC22:58
*** timcline has quit IRC23:04
*** julim has quit IRC23:08
*** spzala has joined #openstack-keystone23:08
*** spzala_ has quit IRC23:12
*** BjoernT has joined #openstack-keystone23:24
*** fangxu has joined #openstack-keystone23:26
*** BjoernT is now known as Bjoern_zZzZzZzZ23:30
*** chlong has joined #openstack-keystone23:33
*** Bjoern_zZzZzZzZ is now known as BjoernT23:33
*** BjoernT has quit IRC23:38
openstackgerritMerged openstack/keystone: Fixes incorrect deprecation warning for IdentityDriverV8  https://review.openstack.org/30530123:38
*** spandhe has quit IRC23:39
jamielennoxquestion for the group, if using oauth you pass a scoping project or domain it is ignored, however just based on the way v3 auth works it's legal23:45
*** spzala has quit IRC23:45
*** spzala has joined #openstack-keystone23:46
jamielennoxshould the auth plugin try to prevent people from passing project scope etc, or just be a regular plugin and the server ignores the additional data23:46
*** richm has quit IRC23:47
*** spzala has quit IRC23:51
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/31433323:56
*** roxanagh_ has joined #openstack-keystone23:57
« Sunday, 2016-05-08 Index Tuesday, 2016-05-10 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!