Tuesday, 2016-05-10

*** pgbridge has quit IRC00:02
*** rbridgeman_ has joined #openstack-keystone00:07
*** rbridgeman__ has joined #openstack-keystone00:10
*** rbridgeman_ has quit IRC00:13
*** roxanagh_ has quit IRC00:31
*** browne has joined #openstack-keystone00:36
openstackgerritMerged openstack/keystone: replace logging with oslo.log  https://review.openstack.org/30986900:40
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/31435600:44
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/31435700:44
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/31435800:44
*** edtubill has joined #openstack-keystone00:45
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/31437200:49
*** dmellado has joined #openstack-keystone00:49
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/31433300:54
*** tqtran has quit IRC00:54
*** dan_nguyen has joined #openstack-keystone00:57
*** sdake has joined #openstack-keystone01:02
*** browne has quit IRC01:16
*** shalpin has joined #openstack-keystone01:25
*** EinstCrazy has joined #openstack-keystone01:31
shalpinHi! I'm trying to use the v3 Client, but it doesn't check the ca cert store. In V2.0 there was a cacert parameter, but not in v3. Is there some way to specify a cacert store to v3?01:31
*** dan_nguyen has quit IRC01:38
*** edtubill has quit IRC01:41
*** edtubill has joined #openstack-keystone01:42
*** roxanagh_ has joined #openstack-keystone01:48
*** BjoernT has joined #openstack-keystone01:49
*** tqtran has joined #openstack-keystone01:51
*** spzala has joined #openstack-keystone01:56
*** tqtran has quit IRC01:57
ayoungshalpin, um...is this CLI or python?01:57
ayoungjamielennox, its probably an error.  Safe to ignore, but more correct to warn.  Suspect that erroring so will break people since it is new behavior01:58
*** stingaci has quit IRC02:00
*** spzala has quit IRC02:02
*** EinstCrazy has quit IRC02:05
shalpinayoung this is via python02:05
ayoungshalpin, so there is still the ability to pass in that param.  I think it goes to the session object, though02:06
shalpinBTW I'm not very familiar with IRC, so please let me know of any ettiquette mistakes I make02:06
ayoungshalpin, NP.02:06
*** spandhe has joined #openstack-keystone02:06
ayoungNo problem02:06
*** EinstCrazy has joined #openstack-keystone02:08
ayoungshalpin, http://docs.openstack.org/developer/keystoneauth/using-sessions.html02:09
*** spandhe_ has joined #openstack-keystone02:16
shalpin+ayoung ah ... I see. I had overlooked that, looking for ca-cert02:16
shalpin+ayoung thank you02:16
*** jorge_munoz has quit IRC02:16
ayoungshalpin, you are welcome.  Spread the word to others02:16
*** ayoung has quit IRC02:17
shalpin+ayoung What that .... ayoung will solve all your problems? :) I just confirmed and it is working fine for me now02:17
*** spzala has joined #openstack-keystone02:17
*** spandhe has quit IRC02:18
*** spandhe_ is now known as spandhe02:18
*** woodster_ has quit IRC02:18
*** jorge_munoz has joined #openstack-keystone02:19
*** edtubill has quit IRC02:20
*** TxGVNN has joined #openstack-keystone02:20
*** spzala has quit IRC02:21
*** spzala has joined #openstack-keystone02:21
*** roxanagh_ has quit IRC02:21
*** spandhe_ has joined #openstack-keystone02:35
*** spandhe has quit IRC02:35
*** spandhe_ is now known as spandhe02:35
*** fangxu has quit IRC02:38
jamielennoxdamn missed ayoung - the problem is it's a user warning, there's not really anything useful about throwing up an error on the keystone side02:42
jamielennoxalso i'd be interested to see who's using it cause it's not easy02:42
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add oauth plugin to keystoneauth  https://review.openstack.org/31440102:50
jamielennoxamakarov: ^02:50
*** BjoernT has quit IRC02:53
*** sdake has quit IRC03:07
*** agrebennikov has quit IRC03:22
*** rbridgeman__ has quit IRC03:25
*** EinstCrazy has quit IRC03:28
*** EinstCrazy has joined #openstack-keystone03:28
*** links has joined #openstack-keystone03:29
*** dan_nguyen has joined #openstack-keystone03:34
*** shalpin has quit IRC03:38
*** roxanagh_ has joined #openstack-keystone03:39
openstackgerritayoung proposed openstack/keystone: WIP Remove unneeded revocation events  https://review.openstack.org/28513403:41
openstackgerritayoung proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165203:41
*** ayoung has joined #openstack-keystone03:42
*** ChanServ sets mode: +v ayoung03:42
*** EinstCra_ has joined #openstack-keystone03:46
*** EinstCrazy has quit IRC03:48
*** tqtran has joined #openstack-keystone03:53
*** tqtran has quit IRC03:57
*** edtubill has joined #openstack-keystone04:08
*** roxanagh_ has quit IRC04:12
*** sdake has joined #openstack-keystone04:13
openstackgerritJamie Lennox proposed openstack/keystoneauth: Expose is_admin_project in AccessInfo  https://review.openstack.org/31440904:13
jamielennoxayoung: can you have a look at this one for me: https://review.openstack.org/#/c/312323/ ?04:14
patchbotjamielennox: patch 312323 - keystone - Always add is_admin_project if admin project defined04:14
*** stingaci has joined #openstack-keystone04:20
*** stingaci has quit IRC04:20
stevemarjamielennox: nice patches for oauth and ksa04:21
*** stingaci has joined #openstack-keystone04:21
jamielennoxstevemar: thanks, took me longer than i expected, oauth is a bit of a PITA04:21
jamielennoxwell, the way we do it04:21
crinklestevemar: i started poking at 311827 and i think i worked out all the py3 issues, do you mind if i push up a patchset for it?04:31
stevemarcrinkle: by all means04:32
stevemarcrinkle: what was the kicker?04:32
crinklestevemar: all utf8/str stuff04:32
stevemari imagine something in the way the connection manager?04:32
openstackgerritColleen Murphy proposed openstack/keystone: WIP: review at own risk: switch to pyldap  https://review.openstack.org/31182704:32
stevemarhmmm, i was using oslo.encodeutils in my dev env, in the same spots you highlighted :O04:33
stevemari never got around to updating fakeldap :)04:34
*** stingaci has quit IRC04:34
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add oauth plugin to keystoneauth  https://review.openstack.org/31440104:34
stevemari was using https://github.com/openstack/oslo.utils/blob/master/oslo_utils/encodeutils.py#L107-L12104:35
stevemarcrinkle: i'll pull it down and use it against our internal ldap and see what blows up :)04:38
crinklestevemar: awesome04:38
*** sheel has joined #openstack-keystone04:44
stevemarcrinkle: py34 passes :) i may tinker with it a bit more to see if the osloutils stuff works, and to clean up the pep8 fail04:45
crinklestevemar: coolbeans04:47
*** sdake has quit IRC05:06
*** dan_nguyen has quit IRC05:07
*** roxanagh_ has joined #openstack-keystone05:08
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/31435805:09
*** spzala has quit IRC05:12
*** spzala has joined #openstack-keystone05:14
*** spzala has quit IRC05:19
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/31435705:20
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/31433305:27
*** roxanagh_ has quit IRC05:42
*** d0ugal has joined #openstack-keystone05:52
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/31435606:01
*** spandhe has quit IRC06:04
*** spzala has joined #openstack-keystone06:15
*** spzala has quit IRC06:21
*** rcernin has joined #openstack-keystone06:26
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/31437206:28
*** yolanda has joined #openstack-keystone06:35
*** edtubill has quit IRC06:48
*** roxanagh_ has joined #openstack-keystone07:00
*** jed56 has joined #openstack-keystone07:00
*** tesseract has joined #openstack-keystone07:03
*** jamielennox is now known as jamielennox|away07:08
*** yolanda has quit IRC07:22
*** d0ugal has quit IRC07:23
*** d0ugal has joined #openstack-keystone07:26
*** d0ugal has quit IRC07:26
*** d0ugal has joined #openstack-keystone07:26
*** yolanda has joined #openstack-keystone07:27
*** roxanagh_ has quit IRC07:33
*** josecastroleon has joined #openstack-keystone07:34
*** jamielennox|away is now known as jamielennox07:49
*** yolanda has quit IRC07:50
*** belmoreira has joined #openstack-keystone07:51
*** yolanda has joined #openstack-keystone07:58
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** jaosorior has joined #openstack-keystone08:01
*** woodburn has quit IRC08:09
*** woodburn has joined #openstack-keystone08:13
*** mvk has quit IRC08:16
*** spzala has joined #openstack-keystone08:18
*** spzala has quit IRC08:22
*** daemontool__ is now known as daemontool08:30
*** jistr has joined #openstack-keystone08:37
*** mvk has joined #openstack-keystone08:45
*** roxanagh_ has joined #openstack-keystone08:51
*** vnogin has joined #openstack-keystone08:55
*** danielh has joined #openstack-keystone08:58
*** TxGVNN has quit IRC08:59
*** TxGVNN has joined #openstack-keystone08:59
*** sdake has joined #openstack-keystone09:01
*** woodburn has quit IRC09:13
*** woodburn has joined #openstack-keystone09:14
*** spzala has joined #openstack-keystone09:19
*** spzala has quit IRC09:24
*** roxanagh_ has quit IRC09:25
*** daemontool has quit IRC09:28
*** chlong has quit IRC09:30
*** zqfan has quit IRC09:33
*** mvk has quit IRC10:03
*** mvk has joined #openstack-keystone10:04
*** daemontool has joined #openstack-keystone10:08
*** jaosorior has quit IRC10:09
*** jaosorior has joined #openstack-keystone10:09
*** spzala has joined #openstack-keystone10:20
*** spzala has quit IRC10:24
*** EinstCra_ has quit IRC10:30
*** EinstCrazy has joined #openstack-keystone10:31
*** EinstCrazy has quit IRC10:35
*** sdake has quit IRC10:42
*** roxanagh_ has joined #openstack-keystone10:42
openstackgerritPallavi proposed openstack/keystone-specs: Added missed double quote  https://review.openstack.org/31449810:44
jamielennoxstevemar: nothing on the meeting agenda for tomorrow so i'm sleeping in10:48
*** rodrigods has quit IRC10:49
*** rodrigods has joined #openstack-keystone10:49
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor ldap_filter on filtered user list  https://review.openstack.org/31212610:50
*** sdake has joined #openstack-keystone11:07
openstackgerritMerged openstack/keystone-specs: Added missed double quote  https://review.openstack.org/31449811:10
*** roxanagh_ has quit IRC11:15
*** dims has quit IRC11:20
*** jaosorior has quit IRC11:20
*** jaosorior has joined #openstack-keystone11:20
*** spzala has joined #openstack-keystone11:20
*** tellesnobrega is now known as tellesnobrega_af11:24
*** dims has joined #openstack-keystone11:25
*** spzala has quit IRC11:25
*** gordc has joined #openstack-keystone11:26
*** TxGVNN has quit IRC11:36
*** jaosorior has quit IRC11:42
*** jaosorior has joined #openstack-keystone11:43
*** sdake has quit IRC11:56
*** sdake has joined #openstack-keystone12:02
*** ozialien10 has quit IRC12:08
*** sdake_ has joined #openstack-keystone12:08
*** ozialien10 has joined #openstack-keystone12:09
*** sdake has quit IRC12:11
*** yolanda has quit IRC12:18
*** spzala has joined #openstack-keystone12:21
*** yolanda has joined #openstack-keystone12:22
*** spzala has quit IRC12:26
*** roxanagh_ has joined #openstack-keystone12:33
*** pauloewerton has joined #openstack-keystone12:50
*** edmondsw has joined #openstack-keystone12:55
*** EinstCrazy has joined #openstack-keystone12:57
*** julim has joined #openstack-keystone12:58
*** richm has joined #openstack-keystone13:00
*** dave-mccowan has joined #openstack-keystone13:03
*** roxanagh_ has quit IRC13:06
*** spzala has joined #openstack-keystone13:08
openstackgerritAlexander Makarov proposed openstack/keystone: WIP/DNM Unified delegation assignment driver  https://review.openstack.org/29131813:11
*** edmondsw has quit IRC13:11
dstanekbknudson: i just responded to your concern about the shadow users changes13:19
*** daemontool_ has joined #openstack-keystone13:21
*** spzala has quit IRC13:23
*** links has quit IRC13:23
bknudsondstanek: see the comment in patch set 12: we will use it to shadow all backend identities13:24
*** daemontool has quit IRC13:24
bknudsonIt also breaks the keystone architecture to hav ethe shadow users SQL backend reuse the identity SQL models.13:25
bknudsonI guess I don't see the point of having the shadow users SQL driver use the identity SQL driver models. Somebody might use a their own driver for either identity backend or shadow users backend.13:26
dstanekbknudson: i think that's because shadow users is a superset of the identity user backend13:29
bknudsonto me this looks like it's just broken.13:30
dstaneki don't know what, if any, future plans exist to make the drivers more consistent13:30
bknudsonwhy is the shadow user table in identity and not in shadow_backends ?? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n11313:31
dstaneki don't think anything is broken, but it streteched the architecture a bit13:31
dstaneki guess it could be there but that would mean that the dependency goes both ways13:32
bknudsonthere can't be dependencies between drivers. that's the architecture.13:32
bknudsonbecause you can replace the driver with a different implementation13:32
bknudsonit would make more sense to have shadow users not even have a driver and always be sql.13:33
dstanekyou could replace either the identity backend or the shadow users backend as it exists today13:33
bknudsonand maybe it's ok to still do that since there's no way it would work otherwise13:33
dstanekif you don't use the identity sql driver the User tables are still used if you use the shadow users SQL driver13:34
*** jsavak has joined #openstack-keystone13:40
*** edmondsw has joined #openstack-keystone13:41
*** mhickey has joined #openstack-keystone13:41
*** edtubill has joined #openstack-keystone13:42
bknudsonI don't see how the identity sql model code can work if I change out the shadow_backends sql driver for a different one. It's referring to tables that aren't getting set up: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n3513:43
bknudsonFederatedUser is only used by shadow_backends/sql.py, so not sure why it was ever in identity/backends/sql.py13:44
*** rderose has joined #openstack-keystone13:45
bknudsonoh, there's a foreign key on it http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/sql.py#n3813:45
dstanekit's a little funky13:51
*** yolanda has quit IRC13:56
*** TxGVNN has joined #openstack-keystone13:56
*** ametts has joined #openstack-keystone13:58
*** tonytan4ever has joined #openstack-keystone13:59
*** afazekas has quit IRC14:01
*** afazekas has joined #openstack-keystone14:01
*** yolanda has joined #openstack-keystone14:01
*** jsavak has quit IRC14:02
*** jsavak has joined #openstack-keystone14:02
*** woodburn has quit IRC14:03
*** tonytan4ever has quit IRC14:03
*** sigmavirus24_awa is now known as sigmavirus2414:04
*** TxGVNN has quit IRC14:09
*** woodburn has joined #openstack-keystone14:11
*** julim has quit IRC14:11
*** julim has joined #openstack-keystone14:12
*** jsavak has quit IRC14:16
*** dan_nguyen has joined #openstack-keystone14:16
*** jsavak has joined #openstack-keystone14:17
andreafhi - I'm looking for help on a trusts test failure I hit - anyone around who can help me?14:17
*** dan_nguyen has quit IRC14:19
lbragstadit doesn't look like our documenting in keystone-wsgi-admin and keystone-wgsi-public is correct http://cdn.pasteraw.com/bi4iygib70jv3p2dqonrarpvjbdy1ic14:21
*** phalmos has joined #openstack-keystone14:22
lbragstaddoes anyone else get that issue? ^14:23
*** jaosorior has quit IRC14:24
*** dan_nguyen has joined #openstack-keystone14:26
*** jsavak has quit IRC14:30
*** jsavak has joined #openstack-keystone14:30
*** sigmavirus24 is now known as sigmavirus24_awa14:32
*** sigmavirus24_awa is now known as sigmavirus2414:33
*** sigmavirus24 is now known as sigmavirus24_awa14:35
*** navid__ has joined #openstack-keystone14:35
*** pushkaru has joined #openstack-keystone14:37
*** navid_ has joined #openstack-keystone14:37
*** sigmavirus24_awa is now known as sigmavirus2414:37
*** tellesnobrega_af is now known as tellesnobrega14:38
stevemarlbragstad: what are you pointing out?14:39
lbragstadstevemar I can't specify a port to run on list the help says14:40
lbragstad--port 35357 doesn't work14:40
lbragstadeven though the help says it's possible14:40
*** belmoreira has quit IRC14:40
lbragstad(unless i'm computering wrong)14:40
stevemarohhh interesting14:40
*** navid__ has quit IRC14:41
lbragstadthe same story for keystone-wsgi-public (because it's the same script)14:41
*** spandhe has joined #openstack-keystone14:41
openstackgerritRon De Rose proposed openstack/keystone: Move identity.backends.sql model code to sql_model.py  https://review.openstack.org/29261114:42
*** jamie_h has joined #openstack-keystone14:42
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548714:45
bknudsonlbragstad: you need https://review.openstack.org/#/c/296061/14:46
patchbotbknudson: patch 296061 - openstack-dev/pbr - Fix wsgiref script use with oslo.config (MERGED)14:46
bknudsonlooks like it's not in a release yet -- http://git.openstack.org/cgit/openstack-dev/pbr/log/14:47
lbragstadbknudson ah - i just rebuilt keystone on master so we must have to bump our version once it's released14:47
rodrigodsfor a federated user authenticate, we still need the role assignment entry in the keystone side, right?14:48
*** ramishra_ has quit IRC14:49
rodrigodsdstanek, regarding https://review.openstack.org/#/c/311652/14:51
patchbotrodrigods: patch 311652 - keystone - Replace revoke tree with linear search14:51
rodrigodssee lbragstad previous comments14:51
*** pcaruana has joined #openstack-keystone14:53
*** slberger has joined #openstack-keystone14:53
*** jorge_munoz_ has joined #openstack-keystone14:53
*** jorge_munoz has quit IRC14:54
*** jorge_munoz_ is now known as jorge_munoz14:54
*** rderose has quit IRC14:58
*** jsavak has quit IRC14:58
*** jsavak has joined #openstack-keystone14:59
*** navid__ has joined #openstack-keystone15:01
*** navid_ has quit IRC15:05
*** navid_ has joined #openstack-keystone15:05
*** rderose has joined #openstack-keystone15:06
*** navid_ has quit IRC15:07
*** gagehugo has joined #openstack-keystone15:07
*** navid__ has quit IRC15:08
*** navidp has joined #openstack-keystone15:09
*** mou1 has joined #openstack-keystone15:11
*** mou has quit IRC15:13
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428415:15
*** mhickey has quit IRC15:15
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428415:17
openstackgerritwerner mendizabal proposed openstack/keystone: Update documentation to remove keystone-all  https://review.openstack.org/31462815:17
openstackgerritwerner mendizabal proposed openstack/keystone: Update documentation to remove keystone-all  https://review.openstack.org/31462815:20
*** timcline has joined #openstack-keystone15:22
edtubillrderose, stevemar: Hi, I haven't really worked on keystone too much and haven't really worked with multiple people on the same bp. Is there sometime of workflow you guys use? I'm not sure how co-authoring works.15:23
stevemaredtubill: review the code as if it were you own, and i can walk you through adding a follow on patch15:24
stevemaredtubill: try and stay in contact with rderose, see if you two can logically split the work, i can help you out with any git rebasing madness15:25
edtubillstevemar: ok thx15:25
rderoseedtubill: feel free to create new patch re: db design15:26
*** tellesnobrega is now known as tellesnobrega_af15:26
rderoseedtubill: but yeah, lets talk as well15:26
stevemarrderose: db design meaning the models and backend?15:26
rderosestevemar, edtubill: sorry, regarding db design for the PCI stuff15:27
edtubillrderose: yeah. I saw you already started on the migration scripts... I tested it on my local system.15:27
stevemarrderose: edtubill just make sure the two of you are on the same page about how the solution should look like...15:27
stevemarrderose: myself and edtubill had written out a straw man here: https://etherpad.openstack.org/p/keystone-newton-pci-dss15:27
rderosestevemar, edtubill: sounds good15:27
rderosestevemar: saw that; added a comment15:28
stevemarwe can have a hangout to talk about splitting the work :)15:28
stevemarif rderose isn't having connectivity issues this time around :)15:28
rderosestevemar: yep, I figured once we agree on the db changes, we could start splitting the work15:28
rderosestevemar: :)15:29
edtubillstevemar, rderose: hangout sounds like a good idea.15:29
rderosestevemar: have you seen this patch: https://review.openstack.org/#/c/314284/?15:29
patchbotrderose: patch 314284 - keystone - WIP - Database changes to support PCI-DSS15:29
stevemaredtubill: point is, this shouldn't impact or slow you down... toss up whatever code you got when it's ready. and *review review review review review*15:29
edtubillrderose: I just put comments/questions on the patch.15:30
rderoseedtubill: cool, I'll take a look15:30
edtubillstevemar, rderose: so I guess we should agree on the database and then split the work? I was going to look into where to put the config options.15:31
rderoseedtubill: agree15:32
*** navid_ has joined #openstack-keystone15:32
*** navidp has quit IRC15:35
*** pgbridge has joined #openstack-keystone15:35
stevemaredtubill: working on the config options sounds like a good start15:36
edtubillstevemar: okay.15:37
*** rderose has quit IRC15:38
arunkantstevemar: Can you look into this review. https://review.openstack.org/#/c/279828/ . Trying to get attention on this for a while.15:40
patchbotarunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...15:40
stevemararunkant: will do15:40
*** woodster_ has joined #openstack-keystone15:46
*** tellesnobrega_af is now known as tellesnobrega15:47
*** sdake_ has quit IRC15:47
*** yolanda has quit IRC15:48
*** ktychkova_ has joined #openstack-keystone15:48
*** agrebennikov has joined #openstack-keystone15:49
*** sdake has joined #openstack-keystone15:50
*** ktychkova has quit IRC15:51
*** tesseract has quit IRC15:52
*** sdake_ has joined #openstack-keystone15:54
*** sdake has quit IRC15:57
*** erhudy has joined #openstack-keystone15:58
*** jsavak has quit IRC16:04
*** jsavak has joined #openstack-keystone16:05
*** ericksonsantos has joined #openstack-keystone16:06
*** rderose has joined #openstack-keystone16:08
*** zqfan has joined #openstack-keystone16:09
*** ramishra has joined #openstack-keystone16:11
*** daemontool_ has quit IRC16:13
*** spzala has joined #openstack-keystone16:14
*** TxGVNN has joined #openstack-keystone16:16
*** Raildo_ has joined #openstack-keystone16:24
*** fangxu has joined #openstack-keystone16:26
*** tqtran has joined #openstack-keystone16:26
*** stingaci has joined #openstack-keystone16:31
*** ksavich has joined #openstack-keystone16:34
*** sdake_ is now known as sdake16:38
lbragstadstevemar looks like https://bugs.launchpad.net/keystone/+bug/1523664 affects stable/liberty, do we want to backport the fix?16:39
openstackLaunchpad bug 1523664 in OpenStack Identity (keystone) "Token operations fail when fernet key repository isn't writeable" [Undecided,Fix released] - Assigned to Ron De Rose (ronald-de-rose)16:39
stevemarlbragstad: sure, makes sense to do so16:40
lbragstadcc ksavich ^16:40
lbragstadstevemar updated https://bugs.launchpad.net/keystone/+bug/152366416:42
openstackLaunchpad bug 1523664 in OpenStack Identity (keystone) "Token operations fail when fernet key repository isn't writeable" [Undecided,Fix released] - Assigned to Ron De Rose (ronald-de-rose)16:42
*** mou1 has quit IRC16:42
lbragstadstevemar ksavich posted https://review.openstack.org/#/c/314672/16:42
patchbotlbragstad: patch 314672 - keystone (stable/liberty) - Changed the key repo validation to allow read only16:42
*** EinstCrazy has quit IRC16:42
lbragstadksavich good find16:42
ksavichwas ayoung and nkinder really16:43
edtubillstevemar: I made some config changes to keystone for compliance and I want to push it up. I tried setting the branch to /bp/pci-dss (same as rderose's) but I'm getting: "failed to push some refs" because it's missing the change-id. Am I missing something? Am I supposed to pull down the previous code and put a commit on top of that?16:43
ayoungfernet repo should not be writable16:43
*** rbridgeman has joined #openstack-keystone16:43
lbragstadayoung yeah - looks like we fixed that in mitaka but never backported the fix16:43
dstanekedtubill: a missing change id sounds like git-review isn't setup16:44
lbragstadayoung backport here https://review.openstack.org/#/c/314672/16:44
patchbotlbragstad: patch 314672 - keystone (stable/liberty) - Changed the key repo validation to allow read only16:44
rderoseedtubill: were you trying to put a patch on top of my patch or a new patch?16:44
edtubilldstanek: I've been able to to do it before, maybe I'll check the settings again.16:44
edtubillrderose: I was trying to push up a new patch.16:45
ayoungksavich, nice work.16:45
ksavichayoung - np, thanks for your help16:45
*** flaper87 has quit IRC16:46
*** flaper87 has joined #openstack-keystone16:46
morganstevemar: going through and doing lots of keystone reviews today FYI, expect to see a bunch of things hit (i'm hoping to review every open patch for our projects today)16:46
edtubilldstanek: it seems `git review -s` doesn't throw an error16:46
dstanekedtubill: it's very odd that it didn't add the change id for you16:47
*** navidp has joined #openstack-keystone16:49
edtubilldstanek: I'm thinking that I need to cherry pick my commit on top of rderose's branch. not sure what the workflow is.16:49
dstanekedtubill: i don't think that error means that16:50
dstanekedtubill: there may be a fancy way to do this, but you can just 'git review -d ####' and then chrrry-pick your commit16:51
dstanekedtubill: try making a simple change to master and see if you get the change id16:51
*** navid_ has quit IRC16:52
edtubilldstanek: It's a new patch on a new branch.16:52
dstanekalso your .git/hooks/commit-msg should have code to add the change id16:52
dstanekedtubill: if you made the commit msg before you setup git-review then you can just edit the commit message to force it to add a chnage id16:53
*** navid_ has joined #openstack-keystone16:53
*** rbridgeman has quit IRC16:54
*** navidp has quit IRC16:56
*** mvk has quit IRC16:57
openstackgerritElvin Tubillara proposed openstack/keystone: WIP - Config changes to support PCI-DSS  https://review.openstack.org/31467916:58
edtubilldstanek: thanks! I guess I forgot to do git review -s for keystone :p16:58
dstanekedtubill: ah. :-)16:59
*** jaugustine has joined #openstack-keystone17:00
*** daemontool_ has joined #openstack-keystone17:00
samueldmqlbragstad: howdy, you available ?17:05
samueldmqlbragstad: quick question on patch 30808817:05
patchbotsamueldmq: https://review.openstack.org/#/c/308088/ - keystone - Separate protocol schema17:05
samueldmqlbragstad: other than that, it looks good to go :)17:05
*** jsavak has quit IRC17:08
*** gagehugo has quit IRC17:18
*** gagehugo has joined #openstack-keystone17:19
*** BAKfr has quit IRC17:20
*** BAKfr has joined #openstack-keystone17:20
*** jistr has quit IRC17:21
*** stingaci has quit IRC17:23
*** daemontool_ has quit IRC17:25
*** navid_ has quit IRC17:26
stevemarmorgan: more power to you17:27
morganstevemar: hehe.17:28
stevemarseems like no one wants to have meetings anymore!!?17:28
morgannothing on the agenda again?17:28
samueldmqdoes tha mean keystone is done?17:29
samueldmqthat* :B17:30
dstanekstick a fork in it17:31
openstackgerrithenry-nash proposed openstack/keystone-specs: Relax the project name uniqueness constraints  https://review.openstack.org/31004817:32
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add sample file generation script  https://review.openstack.org/31424417:32
openstackgerrithenry-nash proposed openstack/keystone-specs: Relax the project name uniqueness constraints  https://review.openstack.org/31004817:34
stevemarmorgan: samueldmq dstanek i added a few topics :)17:34
samueldmqstevemar: phew! thanks :)17:35
*** eandersson has joined #openstack-keystone17:35
stevemarmorgan: if you're going through: https://review.openstack.org/#/c/314672/17:36
patchbotstevemar: patch 314672 - keystone (stable/liberty) - Changed the key repo validation to allow read only17:36
morganstevemar: sure17:36
morgani'm actually hitting every backlogged patchset as well17:37
morganeven if it is just a comment of "do we still need this?"17:37
morganbecause the next round if no one answers some of those is abandon.17:37
morgan155 open reviews and no movement on a number of them is too much17:37
morgan(keystone server)17:37
stevemarmorgan: i appreciate you doing that17:37
*** spandhe has quit IRC17:38
morganstevemar: gotta keep up holding a high review spot in keystone ;)17:38
stevemarmorgan: i wouldn't know what that's like17:38
morganstevemar: nope...17:39
morganstevemar: never you... ever... EVAR17:39
*** rderose has quit IRC17:40
*** rderose_ has joined #openstack-keystone17:40
stevemarmorgan: bknudson has the most keystone reviews of all time17:40
stevemarwith dolphm not far behind17:40
eanderssonSorry back with question on upgrading from Kilo to Liberty again!17:41
eanderssonThe fernet token changes that happened, are those only related to the cached one (e.g. in memcached), or do they also affect the ones stored on disk?17:41
eanderssonThe padding changes in Liberty I believe.17:42
dstanekmorgan: i have a bunch that i need to revisit17:42
morganeandersson: fernet tokens are not stored to disk.17:43
eanderssonsorry, the fernet keys17:43
morganeandersson: the fernet keys themselves did not change17:43
morganjust the tokens have no padding17:43
eanderssonand the fernet tokens are stored in memcached right?17:43
eanderssonor are they stored in mysql as well?17:43
lbragstadeandersson nope17:44
lbragstadthey are not persisted in sql17:44
stevemarhow can i tell if i'm running devstack under py3? i added "USE_PYTHON3=true" to my local.conf17:44
*** neophy has joined #openstack-keystone17:46
dolphmeandersson: fernet tokens are not stored at all. fernet keys, used to create and validate fernet tokens, are stored on disk.17:46
*** shaleh has joined #openstack-keystone17:49
shalehdstanek: have you experiment with mypy any?17:50
dstanekshaleh: just a tiny bit before i started typist17:51
shalehdstanek: I had not realized that python3 accepted type annotations but ignores them.17:52
shalehdef foo(a: int) -> int: return a + 117:52
shalehthat is totally valid Python3 today17:52
dstanekshaleh: they are not specifically for types - you can do other things too17:53
dstaneki wrote a blog post back in the day with a decorator that did the same thing for py2x17:53
openstackgerrithenry-nash proposed openstack/keystone-specs: Relax the project name uniqueness constraints  https://review.openstack.org/31004817:53
morganstevemar: punted the liberty fix through17:57
*** rderose_ has quit IRC17:57
eanderssondolphm: What I am trying to figure out is the least disruptive fix for the following error after a liberty upgrade http://paste.openstack.org/show/EjCP7wwSdDO6MzFWYvBx/17:57
eanderssonwhich sounds like simply restarting memcached?17:58
*** henrynash has joined #openstack-keystone18:00
*** ChanServ sets mode: +v henrynash18:00
dolphmeandersson: i don't think restarting memcached will help you there. that looks like a bug we solved back in stable/kilo? are you using the version of keystone in whatever stable/* branch you're on?18:00
eanderssonThat is after upgrading to liberty18:00
*** jaugustine_ has joined #openstack-keystone18:01
dolphmeandersson: but where are you starting from - an old version of kilo?18:01
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: review at own risk: switch to pyldap  https://review.openstack.org/31182718:01
stevemaroh noes!18:01
dolphmeandersson: you're missing lots of fernet bug fixes in 2015.1.1 and up. i imagine you wouldn't be seeing that at all if you had started from updated code :(18:02
eanderssonYea, so the plan is to go from 2015.1.0 to 2015.1.4 and then finally to Liberty18:02
*** rderose has joined #openstack-keystone18:04
*** jaugustine has quit IRC18:04
*** stingaci has joined #openstack-keystone18:06
*** lhcheng has joined #openstack-keystone18:06
*** ChanServ sets mode: +v lhcheng18:06
*** tonytan4ever has joined #openstack-keystone18:07
*** jorge_munoz has quit IRC18:13
*** rcernin has quit IRC18:13
*** jorge_munoz has joined #openstack-keystone18:16
*** mvk has joined #openstack-keystone18:17
*** pushkaru has quit IRC18:18
*** navid_ has joined #openstack-keystone18:21
openstackgerritwerner mendizabal proposed openstack/keystone: Update documentation to remove keystone-all  https://review.openstack.org/31462818:22
*** spzala has quit IRC18:23
*** spzala has joined #openstack-keystone18:23
*** spzala has quit IRC18:25
*** spzala has joined #openstack-keystone18:25
*** haplo37 has joined #openstack-keystone18:26
*** navid__ has joined #openstack-keystone18:31
*** gyee has joined #openstack-keystone18:34
*** ChanServ sets mode: +v gyee18:34
*** navid_ has quit IRC18:34
*** navid__ has quit IRC18:37
*** arunkant has quit IRC18:39
*** haplo37 has quit IRC18:40
*** gagehugo has quit IRC18:41
*** gagehugo has joined #openstack-keystone18:41
*** lhcheng has quit IRC18:42
*** lhcheng has joined #openstack-keystone18:42
*** verne.freenode.net sets mode: +v lhcheng18:42
*** rcernin has joined #openstack-keystone18:43
*** TxGVNN has quit IRC18:51
*** sdake has quit IRC18:52
*** pushkaru has joined #openstack-keystone18:53
stevemarlbragstad: liberty gate is busted i think?18:53
*** jaugustine_ has quit IRC18:56
morganstevemar: oh noes!18:59
*** navidp has joined #openstack-keystone19:00
lbragstadstevemar possibly? I didn't really investigate it19:00
*** jaugustine has joined #openstack-keystone19:00
stevemarlbragstad: the failure was with oslo policy raising an exception instead of true/false19:00
stevemarso think so19:00
ayoungdtroyer, why is the API version number returned not sufficient?19:01
stevemarbknudson: lbragstad: morgan i think we need to backport https://review.openstack.org/#/c/311804/ to mitaka and liberty19:01
patchbotstevemar: patch 311804 - keystone - Remove test_invalid_policy_raises_error (MERGED)19:01
lbragstadstevemar ah - does that mean stable/liberty is missing a dependency version or something?19:01
morganstevemar: oh possibly19:01
dtroyerayoung: it is… I thought I saw something about adding something without changing the version19:01
stevemari proposed them, we'll see how it goes19:02
bknudsonstevemar: are there failures? I didn't see anything posted to the stable status list?19:02
bknudson(probably because we're using upper-constraints?)19:02
lbragstadbknudson just this https://review.openstack.org/#/c/314672/19:02
patchbotlbragstad: patch 314672 - keystone (stable/liberty) - Changed the key repo validation to allow read only19:02
stevemarbknudson: https://review.openstack.org/#/c/314672/19:02
patchbotstevemar: patch 314672 - keystone (stable/liberty) - Changed the key repo validation to allow read only19:02
bknudsonthe damn coverage job!19:02
bknudsondo we need that job on stable? seems like a waste.19:02
ayoungmorgan, so, to be clear, lets say that henrynash 's change  goes into  3.8.  Is saying we hold the API version to 3.7 until it merges sufficient?19:03
*** spandhe has joined #openstack-keystone19:03
morganayoung: uhm.. each change i think is monotonic increase of api version19:06
morganayoung: we should conferr with dtroyer and sdague to be sure on the right way (consistent) of doing this in openstack19:07
bknudsonI haven't looked at nova -- do they use flask or something better than the mess that we have in keystone?19:08
ayoungmorgan, so, I guess I don't see why this is really any more of a change than adding a new API.  We probably need to have ameans to approve a change to the API without giving it an explicit version until it is implemented, then bump the version assigned to the feature19:08
bknudsonkeystone doesn't currently support a way for the client to say "give me the 3.5 version of the API"19:08
*** navidp has quit IRC19:09
dtroyerthe biggest change with microversions is mental.  No more semver, and bumps happen more frequently for smaller reasons rather than batching them up19:09
bknudsonwe've hardly been able to handle supporting v2 and v3 together.19:10
dtroyerbut you've handled 3.1, 3.2, 3.3, etc…19:11
*** pcaruana has quit IRC19:12
bknudsondtroyer: we don't handle them together. Once we go to 3.3 that's what the server supports for v319:12
bknudsonSee http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n31219:12
bknudsonwe've got validate_v2_token and validate_v3_token19:13
bknudsonnow we'll have validate_v3_1_token , validate_v3_2_token19:13
bknudsonissue_v3_1_token, issue_v3_2_token19:13
*** jorge_munoz has quit IRC19:13
morganbknudson: i think we need to make "auth" paths special.19:14
dtroyerwhy?  does that change every microversion?  there is a difference between v2 and v3 almost _everywhere_.19:14
morganeven with microversions... as in explicitly excluded19:14
bknudsonI'd be happy to see the auth paths versioned separately19:14
bknudsonrather than have validate_v*_token there should be a single validate_token and the translation happens in the controller19:15
dtroyermorgan: I think you need to keep everything under the endpoint versioned, maybe this is what the 5000/35357 split _should_ have been?19:15
*** jorge_munoz has joined #openstack-keystone19:16
ayoungdtroyer, sortofbutnah?19:16
ayoung5000/35357 was just immature19:16
morgandtroyer: eh, maybe?19:16
ayoungit really needed to be two different interfaces: one internal one external. At least that was the intention way back when19:16
morgandtroyer: well i mean, we *neveR* change the auth path19:16
morganregardless of the microversion19:16
morganan accepted convention because... *auth*19:16
dtroyerayoung: from a versioning standpoint…  if you want /tokens versioned separately, it should be a separate endpoint19:17
morgandtroyer: i have a spec to move auth to /auth/19:17
morgandtroyer: instead of /v3/auth19:17
morgandtroyer: and this is one of the many reasons for that19:17
ayoungdtroyer, auth versus managment of the identity Service? Yep19:17
dtroyermorgan: +++++19:17
morgandtroyer: and i was just going to wire /v3/auth up to the /auth routes internally. but it's a lot of code shuffle.19:18
ayoungmorgan, yes!19:18
ayoungand since it is not under /v3, that, too will be an API break.19:18
morgandtroyer: it's on my "in my spare time" initiatives (might hack it out one monday night or something)19:18
morganayoung: we would keep the old routes19:18
ayoungToo late for coffee, to early for Beer19:18
morganayoung: just wire them up to the new code path(s) in a compat way19:19
ayoung"Just" is my trigger word19:19
dtroyerlike 'smop'19:19
dtroyer'small matter of programming'19:19
morganayoung: if you look at the spec, it really already lined that up19:20
*** jsavak has joined #openstack-keystone19:20
*** fangxu has quit IRC19:20
morganayoung, dtroyer: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/decouple-auth-from-api-version.html19:21
dtroyermorgan: that hit the things I would worry about (so far), looks good!19:23
morgandtroyer: i spent a lot of tim thinking about that.19:24
*** neophy has quit IRC19:24
dtroyermordred: so would you expect $AUTH_URL to include '/auth' at the end?19:25
*** julim has quit IRC19:26
mordreddtroyer: never19:26
mordredor, rather19:26
mordredI have never seen it include that19:26
*** jaugustine_ has joined #openstack-keystone19:26
mordredthe BEST clouds give me auth_urls that don't have versions either19:26
dtroyerand duh, I meant morgan… but yeah, you'll have an opinion here too mordred ;)19:26
bknudsonwould it be on /identity/auth or on /auth?19:26
morganbknudson: it would be <prefix>/auth19:27
dtroyerI would want to use $AUTH_URL/auth to get the auth versions supported19:27
dtroyerand go from there19:27
morganinstead of /v3/auth19:27
morganand i would make it support (if we do versioned auth) /auth/version/19:28
dtroyerand it sounds like $AUTH_URL == $KEYSTONE_ENDPOINT still?19:28
rodrigodshttps://review.openstack.org/#/c/303471/ anyone willing to +A it?19:28
patchbotrodrigods: patch 303471 - keystone-specs - Add note about service provider fields19:28
dtroyerie, '/' to the keystone server19:28
*** jaugustine has quit IRC19:28
morgandtroyer: i also would make it discoverable on the JSON_home or / or whatever19:29
bknudsonit would be easy enough to create another entrypoint for pbr for it and then make that available as /auth on apache19:29
*** neophy has joined #openstack-keystone19:30
*** slberger1 has joined #openstack-keystone19:36
*** slberger has quit IRC19:36
morganbknudson: yeah that is one thought19:36
morganbknudson: i'll propose moving that spec over to active by next week.19:36
*** rcernin has quit IRC19:51
*** daemontool_ has joined #openstack-keystone19:51
stevemarayoung: did you just fork ldappool? https://github.com/admiyo/ldappool19:52
ayoungstevemar, I sure did!19:52
stevemarayoung: i've been tweaking a fork in my github :)19:52
ayoungstevemar, setting up a venv to try and run the existing tests19:52
ayoungstevemar, looking19:52
stevemarmine should be py3 friendly in about 2 seconds19:53
stevemarayoung: and now master has py3 support (in my fork)19:53
ayounghow'd you test it?19:54
*** rcernin has joined #openstack-keystone19:59
stevemarayoung: just ran nosetests so far20:00
ayoungstevemar, venv?20:00
ayoungOK...got it20:01
stevemarayoung: haven't updated the ldappool unit tests, that's next on the list20:01
ayoungstevemar, so runmning tests against master using python 3.4 worked. I'm guessing the tests are useless?20:03
ayoungnot against your master, the fork from the original20:03
stevemarayoung: maybe not useless... but there certainly are not a lot of tests,20:04
stevemarwhats that weird requirements syntax for using a repo instead of the latest version of something?20:05
stevemarmaybe lbragstad knows, he did it for fernet tokens?20:06
*** daemontool_ has quit IRC20:06
bknudsonstevemar: you can just pip install -U to your venv20:06
*** haplo37 has joined #openstack-keystone20:12
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: use forked ldappool + pyldap for ldap  https://review.openstack.org/31475520:24
*** rderose has quit IRC20:25
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428420:30
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428420:31
*** slberger has joined #openstack-keystone20:33
*** slberger1 has quit IRC20:33
openstackgerritRon De Rose proposed openstack/keystone: WIP - Database changes to support PCI-DSS  https://review.openstack.org/31428420:35
stevemarbknudson: looks like it's not allowed in setup.cfg: https://review.openstack.org/#/c/314755/1/setup.cfg :\20:35
patchbotstevemar: patch 314755 - keystone - WIP: use forked ldappool + pyldap for ldap20:35
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add policy registration  https://review.openstack.org/31314120:35
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add authorize method to Enforcer  https://review.openstack.org/31314220:35
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add sample file generation script  https://review.openstack.org/31424420:36
bknudsonstevemar: you are a nut!20:36
stevemarbknudson: never!20:37
bknudsonwhat's it say?20:37
bknudsonwhat's the error?20:37
rcerninwhile checking catalog list in Mitaka/Liberty, was there a change in openstack cli that handles --os-token << http://paste.openstack.org/show/496623/ >> unexpected keyword argument 'token'20:37
stevemarbknudson: "Invalid marker: '(//github.com/stevemart/ldappool.git)', parse error at '//github'"20:37
stevemarbknudson: and if i move it to test-reqs: "Could not satisfy constraints for 'ldappool': installation from path or url cannot be constrained to a version"20:38
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add sample file generation script  https://review.openstack.org/31424420:38
bknudsonprobably because it uses : for splitting out the version stuff: ldappool>=1.0:python_version=='2.7'20:39
bknudsonso can't have a url with : in it.20:39
bknudsonmaybe there's a workaround20:39
bknudsonquotes or something20:39
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: use forked ldappool + pyldap for ldap  https://review.openstack.org/31475520:41
openstackgerritRon De Rose proposed openstack/keystone: Database changes to meet PCI-DSS change password requirements  https://review.openstack.org/31428420:42
openstackgerritRon De Rose proposed openstack/keystone: New password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428420:43
stevemarbknudson: still failed with quotes20:44
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428420:44
stevemarmorgan: looks like we got a reply :)20:45
morganstevemar: cool20:45
morganstevemar: just replied again20:49
*** spzala has quit IRC20:50
stevemarmorgan: good news all around20:51
stevemarno need to fork or bring in tree :O20:51
morganand we'll just import it into gerrit20:52
morgani'll handle that as soon as he replies again. woot.20:52
morganstevemar: this is all around great news for ldapool and us.. meakes it way easier.20:54
*** spzala has joined #openstack-keystone20:54
morgancool. we should have that all up and in place maybe tomorrow20:54
morganor at least proposed so infra can let it all in/happen :)20:55
morganstevemar: do you want keystone-core to own it or a separate group?20:55
* tellesnobrega is away: I'm busy20:55
stevemarmorgan: keystone-core sounds fair to me20:57
morganstevemar: wfm20:57
stevemarwe just gotta remember to not pull in oslo stuff20:58
morganoh that's easy...20:58
morganwe'll make an in-tree hacking hceck to prevent that20:58
stevemarwe can start looking at the old PRs that are open against it too20:58
morganlike i said, i'll handle all of that as soon as we get the pypi bits transferred over20:59
morganhopefully tomorrow20:59
* morgan likes when people ar ehappy to see their projects live on20:59
*** arunkant has joined #openstack-keystone20:59
*** vgridnev has joined #openstack-keystone20:59
*** spzala has quit IRC21:00
dstanekstevemar: morgan: that's really good news21:02
dstanekis the license staying as-is then?21:02
morganhe offered to re-release as ASLv221:03
morgani said that would be ideal, but happy to take it as is21:03
ayounggyee, https://adam.younglogic.com/2016/05/logging-certmonger/21:03
bknudsonjust saw this in a book I'm reading -- "A skipped test that remains skipped     for too long is a bad smell."21:03
stevemarbknudson: probably smells like fish21:04
stevemarmorgan: dstanek ASL would be aweomeo21:04
*** rderose has joined #openstack-keystone21:06
*** jsavak has quit IRC21:08
*** spzala has joined #openstack-keystone21:09
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add helper methods for generating policy info  https://review.openstack.org/31477421:09
dstanekbknudson: which book is that?21:11
stevemarlbragstad: i rebased https://review.openstack.org/#/c/314672/2 on the oslo.policy fix for the gate21:11
patchbotstevemar: patch 314672 - keystone (stable/liberty) - Changed the key repo validation to allow read only21:11
lbragstadstevemar danke21:11
bknudsondstanek: Jenkins: The Definitive Guide21:12
bknudsonlast week it was learning ansible and vagrant, this week it's jenkins21:12
bknudsonI couldn't figure out how to get vagrant to use libvirt... I guess there's a plugin but it didn't install easy on 14.0421:13
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428421:13
*** pauloewerton has quit IRC21:15
*** jaugustine_ has quit IRC21:15
dstanekbknudson: cool, nice to stay edu-macated21:16
bknudsonit's all stuff I should know21:16
*** ametts has quit IRC21:17
*** phalmos has quit IRC21:21
*** jsavak has joined #openstack-keystone21:24
*** rderose has quit IRC21:29
*** rderose has joined #openstack-keystone21:30
stevemarbknudson: i already assume you know everything21:32
bknudsonnot even close21:33
stevemarbknudson: i kinda thought you were a really advanced version of watson21:34
*** daemontool_ has joined #openstack-keystone21:35
bknudsonI know some things watson doesn't21:35
andreafhi - sorry if I jump in the middle of a conversation, I'm looking for some help on trusts and token scope for this tempest patch - https://review.openstack.org/#/c/221020/32 - is anyone around who can help me?21:37
patchbotandreaf: patch 221020 - tempest - Use scope in v3 identity client21:37
* stevemar tags in ayoung ^21:38
ayoungandreaf, I'll take a look21:38
ayoungoooh. um21:39
stevemarbknudson: so the answer to that jeaopardy question is chicago right21:39
ayoungandreaf, hold on a bit, though, I am helping someone else at the moment21:39
ayoungping me in about 20 minutes if I don't context switch andreaf21:39
stevemar"Its largest airport is named for a World War II hero; its second largest, for a World War II battle"21:39
andreafayoung: ok, thanks21:39
stevemartoronto's 2 airports are named after ww2 folks21:40
stevemareasy to see why it was confused :P21:40
bknudsonstevemar: midway is a battle.21:40
bknudsonnot sure who a'hare is21:40
bknudsono'hare is21:40
bknudsonayoung would know21:41
*** rderose has quit IRC21:41
stevemarbknudson: wiki says a ww2 ace!21:41
*** henrynash has quit IRC21:42
stevemarthey dont go giving away "ace" designations to anyone21:42
stevemarprobably comes with a cool jacket21:42
lbragstadkinda like that funny green jacket they hand out when people play golf21:42
bknudsonI think it only takes 5 kills to be an ace21:43
lbragstadi'd be lucky if i could figure out how to get in a fighter jet21:44
ayoung the first naval recipient of the Medal of Honor in World War II.21:44
*** gagehugo has quit IRC21:45
*** neophy has quit IRC21:45
bknudsonstevemar: wikipedia says pearson was a ww121:46
*** edmondsw has quit IRC21:49
*** Ephur has quit IRC21:52
*** daemontool_ has quit IRC21:55
*** edtubill has quit IRC21:58
*** slberger has left #openstack-keystone22:01
andreafayoung: is it now a better time?22:05
ayoungandreaf, sure. My coworker just gave up in disgust.22:05
andreafI'm trying to teach Tempest how to use domain scoped tokens (or unscoped ones)22:06
andreafas of now it only deals with project scoped ones, which is a limitation I'd like to remove22:06
openstackgerritwerner mendizabal proposed openstack/keystone: Update documentation to remove keystone-all  https://review.openstack.org/31462822:06
andreafin doing that I came across two issues here https://review.openstack.org/#/c/221020/3222:07
patchbotandreaf: patch 221020 - tempest - Use scope in v3 identity client22:07
ayoungandreaf, ok so22:07
ayoungandreaf, yeah...I wish domain scoped tokens would die in a fire22:08
andreafok, good to know - I guess that's because of domain now being a special type of project?22:08
ayoungThis is a scary statement "Modify the v3 client managers used to obtain v3 admin idenity clients to always request the domain scope."22:08
ayoungandreaf, yes22:08
*** shaleh has quit IRC22:08
ayoungandreaf, but...lets assume they are here to stay.22:09
andreafayoung: well the way I'm implementing it is to have a default behaviour and then tests can always override the token scope22:09
ayoungso, you are saying that all of the APIs you are aclling require domains scoped tokens...22:10
*** markvoelker_ has joined #openstack-keystone22:10
andreaflike in https://review.openstack.org/#/c/221020/32/tempest/api/identity/admin/v3/test_trusts.py L27122:10
patchbotandreaf: patch 221020 - tempest - Use scope in v3 identity client22:10
ayoungthat might be true...22:10
andreafayoung: well it depends on the keystone policy really22:10
*** sigmavirus24 is now known as sigmavirus24_awa22:10
ayoungBut I don't think so22:10
andreafayoung: in devstack it works fine with project scope22:10
ayoungso...users, and groups sure22:10
ayoungyeah but devstack uses base policy22:10
andreafstill even with the default policy domain scoped tokens seems to work fine22:12
andreafso it seems to me that using them would broaden the number of clouds that can be tested with tempest22:12
ayoungandreaf, it really depends on the policy file.  If domain scoped work, it might be by accident22:13
morganstevemar: i'm going to start punting a few things through the gate22:14
morganstevemar: FYI22:14
*** sheel has quit IRC22:15
andreafayoung: well for instance listing trusts seems not to be working unless I set a project scope, but I get back 401, if it's a policy issue I would expect 40322:15
andreafwhich is why I need https://review.openstack.org/#/c/221020/32/tempest/api/identity/admin/v3/test_trusts.py L271, and I wanted to check with you if this makes sense22:16
patchbotandreaf: patch 221020 - tempest - Use scope in v3 identity client22:16
andreafand the other issue I get is that on liberty all v3 admin tests fail when using domain scoped tokens, telling me that the user has no access to domain 'default' which is strange because I give them an admin role on the domain (which works in mitaka and newton)  http://logs.openstack.org/20/221020/32/check/gate-tempest-dsvm-full-liberty/3ba83e2/logs/testr_results.html.gz22:18
andreafayoung: ^^^22:20
*** sdake has joined #openstack-keystone22:22
morganzzzeek: ping - re dogpile things22:23
morganzzzeek: would like to get your read on the kwargs keygen and the merge dogpile.core in PRs22:23
*** haplo37 has quit IRC22:24
*** pgbridge has quit IRC22:25
zzzeekmorgan: it's a little late for me here and i have to run some errands....but also i havent gotten the openstack CI going due to taht keystone error22:30
morganzzzeek: ah nod. i promised i'd look at that too22:30
*** markvoelker_ has quit IRC22:32
gyeeayoung, so on my ubuntu trusty boyx, 'getcert add-ca' says not supported22:33
gyeedoesn't appear 'add-ca' is a supported option for getcert22:33
gyeeI am testing out my helper script, its much easier than I thought22:34
*** gordc has quit IRC22:34
ayounggyee, getcert-add-ca22:37
ayoungall one command22:37
ayounger for the man page22:37
ayoungand maybe that is not installed on your box?22:38
*** raildo is now known as raildo-afk22:38
*** pgbridge has joined #openstack-keystone22:38
gyeeok, the doc is outdated then22:39
ayounggyee, maybe getcert -s add-ca  for doing it as session22:39
ayoungit has to be there...its old code22:39
gyeegetcert add-ca -c CAName /path/to/helper/script22:40
gyeethat's according to the doc22:40
ayoung getcert add-ca -c remoter -e /home/ayoung/bin/remote_certmonger.sh22:40
ayoungInsufficient access.  Please retry operation as root.22:40
gyeewhich version of certmonger are you using?22:41
gyeesudo getcert add-ca -c Test -p /home/gyee/anchor.py22:42
gyeeadd-ca: unrecognized command22:42
ayounggyee, what version are you running?22:42
ayounggyee, it might be that in older versions you were expected to edit the files by hand22:43
gyeeI got certmonger from apt-get22:43
*** edtubill has joined #openstack-keystone22:44
ayounggyee, git blame shows that went in22:44
ayoung75153e03 (Nalin Dahyabhai 2015-04-23 17:18:18 -0400 4336)               help(argv0, "add-ca");22:44
ayoungso it is possible .74 predates it22:45
gyeemaybe apt-get repo is way out of date?22:45
ayoungbut it looks like that was popt22:45
ayounggyee, you can probably edit the files by hand, and then restart certmonger and see the changes22:46
ayoungjust clone one of the other ones22:46
gyeeyeah, I can try that next22:46
gyeejust need to go through it once, then automate the steps in devstack22:46
ayoungfor session they are in ~/.config/certmonger/cas/22:46
ayounggyee, maybe there is another .deb you need.  check in apt-cache22:46
ayoungalthough...that seems strnage..22:47
ayounggyee, ok yeah, 74 is kindof old22:47
ayounglast commit in 0.74.9422:48
gyeedo I need to point to a different repo?22:48
ayounggyee, is there an update for ubuntu?  Maybe. But lets work with what we get out of the box, and worry about upgrade later22:49
ayounggyee, commit 280f97ac70d769ff68b919e4ebd513af01df317922:50
ayoungAuthor: Nalin Dahyabhai <nalin@redhat.com>22:50
ayoungDate:   Tue Feb 24 16:41:06 2015 -050022:50
ayoung    Add getcert add-ca/add-scep-ca/modify-ca/remove-ca22:50
ayoungso, yeah, that stuff was added afterwards.  Its nice housecleaning stuff, but not essential22:50
gyeedoes getcert has to be executed with sudo? for devstack, it should be local user right?22:51
ayounggyee, I think is should be as a local user, which means session, but lets make sure that Ubuntu supports that22:55
ayoungit uses dbus...let me see...22:55
ayounggyee, http://adam.younglogic.com/2014/03/certmonger-session/22:55
ayoungexport DBUS_SESSION_BUS_ADDRESS=`dbus-daemon --session --fork --print-address`22:56
morganstevemar: did we kill the materialized path thing?22:56
ayoungthen getcert list-cas -s22:56
ayoungmorgan, yes22:56
ayoungmorgan, its not dead dead, just mostly dead22:56
*** edtubill has quit IRC22:56
ayoungso, not yet time to go through its pockets looking for spare change22:56
morganso 251455 is dead?22:57
morganerm patch 25145522:57
patchbotmorgan: https://review.openstack.org/#/c/251455/ - keystone - Materialized path convenience wrapper22:57
ayoungmorgan, yeah22:57
ayoungmorgan, we see it as a performance tune we can go to if desperately needed, but do not expect it to be so22:57
ayoungmorgan, I suspect it is something we could do better in the caching layer22:58
morganayoung: i am just administratively abandoning it for now.22:59
*** edtubill has joined #openstack-keystone22:59
gyee"administratively abandoning" sounds like good band name :-)23:00
ayounggyee, so you are working on a certmonger helper app for Anchor?23:02
gyeeayoung, yet, code is pretty trivial23:03
gyeejust a single http request, no polling23:03
ayounggyee, cool.23:03
ayounggyee, it automatically creates the cert, and does not store it localling in the anchor server, right?23:03
*** tonytan4ever has quit IRC23:03
gyeemy plan is to get it working locally, then figure out how to do it in devstack23:03
gyeehttp request return the cert in the payload23:04
gyeecertmonger generates the CSR23:04
gyeeall I have to do is POST the CSR to Anchor23:04
*** edtubill has quit IRC23:05
gyeewe also need to figure out bootstrapping as Anchor can authenticate using a local username/password, LDAP, or Keystone23:05
gyeeanyway, baby steps :-)23:05
*** edtubill has joined #openstack-keystone23:07
*** jamielennox is now known as jamielennox|away23:13
*** edtubill has quit IRC23:14
*** d0ugal has quit IRC23:21
*** jamielennox|away is now known as jamielennox23:21
jamielennoxayoung: left a response on https://review.openstack.org/#/c/312323/23:23
patchbotjamielennox: patch 312323 - keystone - Always add is_admin_project if admin project defined23:23
jamielennoxayoung: because we default to True if nothing is set then always setting True in the token doesn't actually buy us anything new23:23
jamielennox(and if they came across twice it's cause i got disconnected and weren't sure they got sent)23:23
stevemarbknudson: yep, my mistake, pearson and billy bishop were both ww123:23
*** timcline has quit IRC23:24
*** ChanServ sets mode: +o morgan23:26
*** jsavak has quit IRC23:28
*** morgan changes topic to "Keystone Midcycle Update: http://lists.openstack.org/pipermail/openstack-dev/2016-May/094574.html | Hosted By Cicso, July 20-22, 170 W Tasman Dr, San Jose, CA 95134"23:28
*** furface has joined #openstack-keystone23:28
*** rcernin has quit IRC23:28
*** morgan sets mode: -o morgan23:28
morganstevemar: ^23:29
*** sdake has quit IRC23:30
*** spandhe has quit IRC23:36
*** d0ugal has joined #openstack-keystone23:36
*** spandhe has joined #openstack-keystone23:38
*** sdake has joined #openstack-keystone23:38
*** dan_nguyen has quit IRC23:40
*** roxanaghe has quit IRC23:46
ayoungjamielennox, it does. It buys us the ability to turn off "is_admin_project"  once the policy files are rewritten23:49
morganstevemar: omg. 158 open reviews in openstack-keystone (reviewed down to 80ish)23:49
morganstevemar: ^_^23:49
jamielennoxayoung: i don't follow, when do we expect to turn that off?23:50
ayoungjamielennox, during an actual live deployment23:50
ayoungjamielennox, we can drop "always add" in about 2 cycles23:50
ayoungjamielennox, look at why this review failed23:51
patchbotayoung: patch 257636 - keystone - Add is_admin_project check to policy.json23:51
jamielennoxayoung: gah, that's because you are going direct to the token23:51
ayoungjamielennox, nope23:51
jamielennoxayoung: keystone is the only service that does that and it shouldn't23:52
ayoungjamielennox, its because everything expects that policy file to continue working23:52
ayoungjamielennox, right..and we can deal with that, too23:52
ayoungbut that is not the issue23:52
jamielennoxayoung: so the way services should deal with this is auth_token middleware sets an X_IS_ADMIN_PROJECT flag in headers23:52
*** edtubill has joined #openstack-keystone23:52
jamielennoxbecause we tell the services not to inspect the token directly23:52
ayoungjamielennox, sure, that is fine, and we can get that to work23:52
ayoungso we do that23:53
jamielennoxauth_token middleware relies on keystoneauth23:53
*** edtubill has quit IRC23:53
ayoungjamielennox, I'm with you 100% on the context stuff23:53
jamielennoxthis https://review.openstack.org/#/c/314409/1/keystoneauth1/access/access.py23:53
patchbotjamielennox: patch 314409 - keystoneauth - Expose is_admin_project in AccessInfo23:53
ayoungnone of that is the issue yet23:53
jamielennoxdefaults to True if not set23:53
jamielennoxso the problem is the way you're trying to implement it in policy, not that it's unset23:53
ayoungah...ok, so you were doing the same thing, just in a different layer23:54
ayoungthe next effect would have been the same23:54
jamielennoxayoung: there is a sequence to this stuff :)23:54
jamielennoxfor non-keystone projects anyway23:54
jamielennoxthough my use auth_token in keystone patch got +Aed so maybe we can make keystone behave nicely soon as well23:54
ayoungjamielennox, ok, we have the same target, just coming from different directions23:55
*** fangxu has joined #openstack-keystone23:55
jamielennoxayoung: yep, just that oslo.policy assumes a missing value to be False where you need it to be true23:55
*** crinkle has quit IRC23:55
ayoungjamielennox, I see where you are going.  I'll let you drive, but we need to fix cloudsample, too then23:55
ayoungOK...that will work23:55
jamielennoxayoung: well we need to pass is_admin_project as a specific value, rather than using oslo.policy to pull random fields out of a token23:56
*** chlong has joined #openstack-keystone23:56
ayoungjamielennox, I just +2Aed your patch23:57
jamielennoxayoung: thank you sir23:57
patchbotayoung: patch 312323 - keystone - Always add is_admin_project if admin project defined23:57
*** pumarani__ has joined #openstack-keystone23:57
ayoungjamielennox, I might need to make a T-Shirt for you.23:58
jamielennoxayoung: heh, it's proving difficult and we haven't got to the point of figuring out where horizon or anything breaks yet :)23:58
*** pushkaru has quit IRC23:59
ayoungLet's get a full solution implemented in Keystone.23:59
jamielennoxayoung: also i looked at rippowam again because i want to figure out what is happening with the saml and kerberos plugins and i'm not sure if i can still use it, there's a few overcloud/undercloud references that seem specific to new stuff23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!