Thursday, 2016-05-12

*** timcline has quit IRC		00:01
*** dan_nguyen has quit IRC		00:03
*** rbridgeman has quit IRC		00:05
openstackgerrit	Arun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf https://review.openstack.org/279828	00:15
*** jgriffith has quit IRC		00:19
*** jsavak has quit IRC		00:22
*** gyee has quit IRC		00:36
*** fangxu has quit IRC		00:42
*** lifeless has quit IRC		00:46
*** lifeless has joined #openstack-keystone		00:47
*** rcernin has quit IRC		00:54
*** fangxu has joined #openstack-keystone		00:54
*** timcline has joined #openstack-keystone		00:58
*** timcline has quit IRC		01:03
*** markvoelker_ has joined #openstack-keystone		01:05
openstackgerrit	Merged openstack/keystonemiddleware: Return default value for pkg_version if missing https://review.openstack.org/222042	01:06
*** ozialien10 has quit IRC		01:14
*** stingaci has quit IRC		01:18
*** raddaoui has quit IRC		01:27
*** TxGVNN has joined #openstack-keystone		01:27
*** EinstCrazy has joined #openstack-keystone		01:30
*** BjoernT has joined #openstack-keystone		01:31
stevemar	jamielennox: it has	01:37
stevemar	morgan: awesome on https://review.openstack.org/#/c/315267/	01:37
patchbot	stevemar: patch 315267 - openstack-infra/project-config - Import ldappool into gerrit and setup project	01:37
morgan	stevemar: yeah just needs some cleanup.	01:38
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements https://review.openstack.org/314284	01:47
*** tqtran has quit IRC		01:48
*** markvoelker_ has quit IRC		01:51
*** markvoelker has joined #openstack-keystone		01:59
*** timcline has joined #openstack-keystone		01:59
*** markvoelker_ has joined #openstack-keystone		01:59
*** timcline has quit IRC		02:03
*** markvoelker has quit IRC		02:03
openstackgerrit	Merged openstack/keystone: Switch to use `new_domain_ref` for testcases https://review.openstack.org/284510	02:09
*** BjoernT has quit IRC		02:13
*** zqfan has joined #openstack-keystone		02:14
*** tonytan4ever has joined #openstack-keystone		02:21
*** markvoelker_ has quit IRC		02:31
*** spzala has quit IRC		02:35
*** daemontool has quit IRC		02:38
*** markvoelker_ has joined #openstack-keystone		02:38
*** dan_nguyen has joined #openstack-keystone		02:42
*** fangxu has quit IRC		02:56
*** spzala has joined #openstack-keystone		03:01
*** spzala has quit IRC		03:05
*** lhcheng has quit IRC		03:07
*** tonytan4ever has quit IRC		03:08
*** markvoelker_ has quit IRC		03:13
*** dan_nguyen has quit IRC		03:13
*** stingaci has joined #openstack-keystone		03:28
*** links has joined #openstack-keystone		03:34
*** julim has joined #openstack-keystone		03:40
*** richm has quit IRC		03:45
*** furface has quit IRC		03:52
*** furface has joined #openstack-keystone		03:54
*** fangxu has joined #openstack-keystone		03:58
*** EinstCrazy has quit IRC		04:01
jamielennox	stevemar: any idea if these are legit failures? https://review.openstack.org/#/c/255686/	04:02
patchbot	jamielennox: patch 255686 - keystone - Make AuthContext depend on auth_token middleware	04:02
jamielennox	have you seen them elsewhere? it was definetly passing recently	04:03
*** EinstCrazy has joined #openstack-keystone		04:03
*** julim has quit IRC		04:07
*** dan_nguyen has joined #openstack-keystone		04:11
*** lhcheng has joined #openstack-keystone		04:17
*** ChanServ sets mode: +v lhcheng		04:17
*** lhcheng_ has joined #openstack-keystone		04:23
*** pcaruana has joined #openstack-keystone		04:25
*** lhcheng has quit IRC		04:26
*** pcaruana has quit IRC		04:32
*** fangxu has quit IRC		04:34
*** dan_nguyen has quit IRC		04:40
*** furface has quit IRC		04:53
stevemar	jamielennox: i think those are transient	04:56
*** sdake has quit IRC		04:57
jamielennox	stevemar: good - they look painful to debug	04:58
*** spzala has joined #openstack-keystone		05:01
stevemar	jamielennox: ugh... a lot of things failed recently	05:02
stevemar	dammit	05:02
stevemar	a lot with: "test_roles_negative.RolesNegativeTestJSON"	05:02
*** furface has joined #openstack-keystone		05:07
*** spzala has quit IRC		05:07
*** stingaci has quit IRC		05:14
*** woodster_ has quit IRC		05:18
*** lhcheng_ has quit IRC		05:30
jamielennox	stevemar: oh, o, i'm seeing tests like tempest.api.identity.admin.v2.test_tenant_negative.TenantsNegativeTestJSON.test_update_non_existent_tenant throwing errors on random glance patches	05:44
jamielennox	what have we done?	05:44
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: WIP: generate sample config automatically https://review.openstack.org/315359	05:46
*** fangxu has joined #openstack-keystone		05:46
lifeless	jamielennox: changed something	05:46
stevemar	jamielennox: lifeless yep, we're on the hot seat	05:47
stevemar	i'll look at it in a few minutes	05:47
jamielennox	has infra etc noticed? is the whole gate affected?	05:48
stevemar	probably anyone running tempest, so yes	05:48
stevemar	havent heard much from infra	05:48
stevemar	jamielennox: maybe https://github.com/openstack/keystone/commit/ed634e8cdcdf385b749bbb9e951104989a020277 ?	05:49
jamielennox	stevemar: i thought that - but nothing is actually looking for that field in the token yet	05:50
stevemar	jamielennox: merged around when the errors started, and it is policy related	05:50
jamielennox	unless adam's things merged?	05:50
stevemar	let me dig into it in a few	05:50
stevemar	which adam's thing?	05:50
stevemar	he hasn't merged anything in a few days	05:50
stevemar	biab	05:51
jamielennox	he had a policy change to start looking at is_admin_project - but i thought he was going to wait	05:51
jamielennox	the only reference to is_admin_project in keystone is the code that adds it to the token so i don't see that we could be enforcing anything on it	05:52
jamielennox	stevemar: oh - "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)", in cloudsample	05:53
*** furface has quit IRC		05:53
jamielennox	do we use that anywhere in gate?	05:53
*** rcernin has joined #openstack-keystone		05:54
*** furface has joined #openstack-keystone		06:01
*** spzala has joined #openstack-keystone		06:03
*** spzala has quit IRC		06:07
jamielennox	its not - maybe coicidence	06:08
*** naresht has joined #openstack-keystone		06:09
*** lhcheng has joined #openstack-keystone		06:11
*** ChanServ sets mode: +v lhcheng		06:11
*** pcaruana has joined #openstack-keystone		06:12
jamielennox	stevemar: so things are interesting as of about here: http://logs.openstack.org/89/314889/2/check/gate-tempest-dsvm-full-devstack-plugin-ceph/129bc0d/logs/apache/keystone.txt.gz#_2016-05-12_02_10_08_013	06:14
*** furface has quit IRC		06:16
stevemar	back	06:21
jamielennox	stevemar: it really might just be transient	06:23
jamielennox	and conincidence	06:23
stevemar	jamielennox: maybe more race conditions coming up by way of fernet tokens?	06:23
jamielennox	stevemar: so i was thinking that with the log i linked - but if you look at the PIDs i don't think there's a problem there	06:24
jamielennox	just coincidence that apache handed off some new workers there?	06:24
*** fangxu has quit IRC		06:25
stevemar	jamielennox: why do we list the options here: http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration-options	06:26
stevemar	if they are already in the section above?	06:27
jamielennox	stevemar: no idea - those options are old	06:27
stevemar	jamielennox: if you're interested: https://review.openstack.org/#/c/315359/1	06:28
patchbot	stevemar: patch 315359 - keystonemiddleware - WIP: generate sample config automatically	06:28
jamielennox	like http_handler	06:28
jamielennox	yea, nice	06:29
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: remove old options from documentation https://review.openstack.org/315362	06:29
stevemar	jamielennox: this is what it looks like: http://docs-draft.openstack.org/59/315359/1/check/gate-keystonemiddleware-docs/4491edf//doc/build/html/middlewarearchitecture.html#configuration	06:29
stevemar	compared to: http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration-options	06:29
jamielennox	stevemar: we need to update some of the samples in that file as well	06:30
stevemar	yeah, s/keystone_authtoken/authtoken/	06:30
*** furface has joined #openstack-keystone		06:31
jamielennox	for things like Deprecated group/name - [DEFAULT]/memcache_servers we should figure out how to make that keystone_authtoken	06:31
jamielennox	cause i'm pretty sure they never came out of [DEFAULT]	06:32
jamielennox	# Deprecated group/name - [DEFAULT]/auth_plugin certainly never did	06:32
stevemar	jamielennox: these options don't appear in the generated version	06:35
stevemar	auth_admin_prefix=	06:35
stevemar	auth_url=http://127.0.0.1:35357	06:35
stevemar	auth_host=127.0.0.1	06:35
stevemar	auth_port=35357	06:35
stevemar	auth_protocol=https	06:35
stevemar	identity_uri=<None>	06:35
stevemar	admin_token=<None>	06:35
stevemar	admin_user=<None>	06:35
stevemar	admin_password=SuperSekretPassword	06:35
stevemar	admin_tenant_name=admin	06:35
stevemar	i'm assuming that's OK since thats the non-plugin way of doing things	06:35
jamielennox	yep - that's what i meant by out of date	06:36
stevemar	yay	06:36
stevemar	i should drop the WIP prefix then :)	06:36
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: generate sample config automatically https://review.openstack.org/315359	06:38
openstackgerrit	Steve Martinelli proposed openstack/keystonemiddleware: remove old options from documentation https://review.openstack.org/315362	06:38
stevemar	jamielennox: that failure is happening way too often to be transient	06:40
jamielennox	stevemar: got stats?	06:40
jamielennox	i just did a quick look through the projects i was seeing it in	06:40
stevemar	lemme hit up logstash	06:40
jamielennox	but i didn't look at like history	06:40
*** belmoreira has joined #openstack-keystone		06:44
stevemar	jamielennox: 64 failures in 6 hours	06:44
stevemar	give or take	06:45
*** furface has quit IRC		06:45
jamielennox	which failure	06:45
*** belmoreira has quit IRC		06:45
stevemar	actually, bad query...	06:45
*** knikolla has quit IRC		06:45
*** TxGVNN has quit IRC		06:46
jamielennox	but so http://logs.openstack.org/86/255686/8/check/gate-tempest-dsvm-full/fa80da2/console.html is most recent run fails 13 tests	06:47
jamielennox	http://logs.openstack.org/86/255686/8/check/gate-tempest-dsvm-full/6650d80/console.html is one before - fails 4	06:47
*** knikolla has joined #openstack-keystone		06:48
jamielennox	all in identity - but that sort of variance can't be my patch	06:48
openstackgerrit	Jamie Lennox proposed openstack/keystone: GATE TEST - DO NOT MERGE https://review.openstack.org/315374	06:50
*** belmoreira has joined #openstack-keystone		06:51
stevemar	jamielennox: i dunno man, we haven't had much merge in a while	06:52
stevemar	https://review.openstack.org/#/q/project:openstack/keystone	06:52
jamielennox	https://review.openstack.org/#/q/project:openstack/keystone+is:merged	06:53
*** jorge_munoz has quit IRC		06:53
*** knikolla has quit IRC		06:58
stevemar	logstash is taking quite a while to find the result of "query=project%3Aopenstack%2Fkeystone"	06:58
*** sudorandom has quit IRC		06:58
*** crinkle_ has joined #openstack-keystone		06:59
openstackgerrit	Ryosuke Mizuno proposed openstack/keystone: Disable user lists without a filter https://review.openstack.org/314829	06:59
*** nonameentername has quit IRC		06:59
*** kfox1111 has quit IRC		06:59
*** crinkle has quit IRC		07:00
*** kfox1111 has joined #openstack-keystone		07:00
*** crinkle_ is now known as crinkle		07:00
jamielennox	so i don't see anyway to see jenkins last votes on keystone	07:00
jamielennox	everything sorts by updated which doesn't always help	07:00
stevemar	yeah, frustrating	07:00
*** sudorandom has joined #openstack-keystone		07:00
stevemar	that includes comments	07:01
*** jorge_munoz has joined #openstack-keystone		07:01
jamielennox	but i think keystone gate is just broken, it doesn't look like anything has passed	07:01
stevemar	right	07:01
*** murali has joined #openstack-keystone		07:01
murali	Hello all	07:01
stevemar	i agree	07:01
*** knikolla has joined #openstack-keystone		07:01
stevemar	jamielennox: i hope we're not busting someone else	07:01
*** nonameentername has joined #openstack-keystone		07:02
stevemar	nova has had successful merges	07:02
jamielennox	So Switch to use `new_domain_ref` for testcases was the last thing to merge	07:02
*** murali has quit IRC		07:02
jamielennox	~5hours ago	07:03
stevemar	yep	07:03
stevemar	which was just a refactor for tests...	07:03
*** jaosorior has joined #openstack-keystone		07:03
*** itsmee has joined #openstack-keystone		07:03
stevemar	jamielennox: i'm going to propose a revert of your patch, just a gut feeling	07:03
openstackgerrit	Steve Martinelli proposed openstack/keystone: Revert "Always add is_admin_project if admin project defined" https://review.openstack.org/315379	07:04
*** spzala has joined #openstack-keystone		07:04
stevemar	jamielennox: if it fails, we'll know it's not the culprit	07:04
jamielennox	it's the only one i can see recently being an issue but i can't see why	07:04
* stevemar shrugs		07:04
stevemar	authz is weird	07:04
stevemar	jamielennox: if that patch unbreaks the gate, approve it ?	07:04
stevemar	i am off to bed	07:04
*** tesseract has joined #openstack-keystone		07:05
jamielennox	yep, night	07:05
itsmee	Hello	07:05
*** furface has joined #openstack-keystone		07:05
itsmee	Can anyone of you able to have a look at this query ? https://ask.openstack.org/en/question/92146/getting-a-extra-details-from-the-keystone-project-table-using-keystone-client/	07:05
stevemar	jamielennox: night, sorry again to you and jane :P	07:06
jamielennox	stevemar: she'll make you pay for it in barcelona	07:06
stevemar	ruh roh	07:06
jamielennox	itsmee: so i think your query is being denied by policy	07:08
jamielennox	so openstack is configured to say you need the admin role to perform the operation	07:08
itsmee	Yes obviously	07:08
*** spzala has quit IRC		07:09
itsmee	But I need to know the way to get the own tenant details	07:09
jamielennox	which is strange because the default policy is "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"	07:09
itsmee	Even though admin and non admin user	07:09
*** tesseract has quit IRC		07:09
jamielennox	which should allow you to fetch the project details of the current project	07:09
itsmee	Using liberty version of devstack	07:10
jamielennox	so i don't know what request.user.tenant_id is because a user can be a member of multiple tenants and you will have to use the token scoped to the tenant you want to access it	07:11
jamielennox	but i don't know enough horizon to help there	07:11
itsmee	"identity:get_project": "rule:admin_required",	07:11
itsmee	"identity:list_projects": "rule:admin_required",	07:11
itsmee	"identity:list_user_projects": "rule:admin_or_owner",	07:11
itsmee	"identity:get_project": "rule:admin_required",	07:11
itsmee	"identity:list_projects": "rule:admin_required",	07:11
itsmee	"identity:list_user_projects": "rule:admin_or_owner",	07:11
itsmee	"identity:get_project": "rule:admin_required",	07:11
itsmee	"identity:list_projects": "rule:admin_required",	07:11
itsmee	"identity:list_user_projects": "rule:admin_or_owner",	07:11
itsmee	Oh Ok :(	07:11
jamielennox	ah - that's it	07:12
itsmee	Ok I will try to get help from horizon :)	07:12
jamielennox	so if you change identity:get _project to the one i said it should work	07:13
itsmee	Oh ok will try that	07:13
jamielennox	then horizon has a way of parsing policy files to know whether it should attempt to make the call	07:13
itsmee	Yes you are correct	07:15
itsmee	I will try what you suggested	07:15
itsmee	Same error :(	07:16
*** jed56 has joined #openstack-keystone		07:19
*** daemontool has joined #openstack-keystone		07:19
*** elfosardo has joined #openstack-keystone		07:22
*** dmk0202 has joined #openstack-keystone		07:40
*** gsilvis has quit IRC		07:55
*** gsilvis has joined #openstack-keystone		07:56
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** mvk_ has joined #openstack-keystone		08:04
*** spzala has joined #openstack-keystone		08:05
*** lhcheng_ has joined #openstack-keystone		08:07
*** pnavarro has quit IRC		08:07
*** mvk has quit IRC		08:08
*** spzala has quit IRC		08:10
*** jamielennox is now known as jamielennox\|away		08:10
*** lhcheng has quit IRC		08:10
*** lhcheng_ has quit IRC		08:18
*** mhickey has joined #openstack-keystone		08:20
Anticimex	would it be difficult to issue oauth tokens from keystone that have e.g. configurable lifetime?	08:35
*** jistr has joined #openstack-keystone		08:35
*** GB21 has joined #openstack-keystone		08:47
*** jamie_h has quit IRC		08:49
*** chaithu has joined #openstack-keystone		08:56
*** pcaruana is now known as pcaruana\|afk\|		09:01
openstackgerrit	Merged openstack/keystone: Add set_config_defaults() call to tests https://review.openstack.org/304674	09:04
*** openstackgerrit has quit IRC		09:04
*** openstackgerrit has joined #openstack-keystone		09:04
*** mvk_ has quit IRC		09:04
*** spzala has joined #openstack-keystone		09:06
*** spzala has quit IRC		09:11
*** GB21 has quit IRC		09:16
*** GB21 has joined #openstack-keystone		09:33
*** mvk_ has joined #openstack-keystone		09:35
*** mhickey has quit IRC		09:36
*** mhickey has joined #openstack-keystone		09:40
*** __zouyee has joined #openstack-keystone		09:55
*** __zouyee has quit IRC		10:00
*** TxGVNN has joined #openstack-keystone		10:02
*** GB21 has quit IRC		10:08
openstackgerrit	yolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results https://review.openstack.org/311133	10:20
*** GB21 has joined #openstack-keystone		10:25
*** EinstCrazy has quit IRC		10:30
*** EinstCrazy has joined #openstack-keystone		10:31
*** EinstCrazy has quit IRC		10:35
*** TxGVNN has quit IRC		10:37
*** chaithu has quit IRC		10:38
*** naresht has quit IRC		10:38
*** josecastroleon has quit IRC		10:47
*** josecastroleon has joined #openstack-keystone		10:55
*** GB21 has quit IRC		10:56
*** GB21 has joined #openstack-keystone		11:00
*** tellesnobrega is now known as tellesnobrega_af		11:06
*** spzala has joined #openstack-keystone		11:07
*** spzala has quit IRC		11:12
*** julim has joined #openstack-keystone		11:22
*** jaosorior has quit IRC		11:28
*** jaosorior has joined #openstack-keystone		11:29
*** gordc has joined #openstack-keystone		11:31
*** ninag has joined #openstack-keystone		11:59
openstackgerrit	yolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results https://review.openstack.org/311133	12:01
openstackgerrit	yolanda.robla proposed openstack/keystoneauth: Use betamax hooks to mask fixture results https://review.openstack.org/311133	12:04
*** ninag has quit IRC		12:05
*** spzala has joined #openstack-keystone		12:08
*** raildo-afk is now known as raildo		12:10
*** spzala has quit IRC		12:12
*** rodrigods has quit IRC		12:15
*** rodrigods has joined #openstack-keystone		12:16
*** pauloewerton has joined #openstack-keystone		12:16
*** julim has quit IRC		12:28
*** GB21 has quit IRC		12:31
*** ninag has joined #openstack-keystone		12:38
*** ninag has quit IRC		12:38
*** ninag has joined #openstack-keystone		12:38
*** julim has joined #openstack-keystone		12:57
*** pcaruana\|afk\| is now known as pcaruana		13:01
*** edmondsw has joined #openstack-keystone		13:04
openstackgerrit	henry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain https://review.openstack.org/315544	13:07
*** josecastroleon has quit IRC		13:07
*** spzala has joined #openstack-keystone		13:09
*** josecastroleon has joined #openstack-keystone		13:09
*** jsavak has joined #openstack-keystone		13:11
*** nalind has joined #openstack-keystone		13:11
*** rderose has joined #openstack-keystone		13:13
*** spzala has quit IRC		13:13
*** rderose has quit IRC		13:14
*** rderose_ has joined #openstack-keystone		13:14
*** links has quit IRC		13:14
*** jsavak has quit IRC		13:16
*** spzala has joined #openstack-keystone		13:16
*** jsavak has joined #openstack-keystone		13:16
openstackgerrit	henry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain https://review.openstack.org/315544	13:22
openstackgerrit	henry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain https://review.openstack.org/315544	13:23
rodrigods	henrynash, almost a conversation in the review :P ^	13:26
henrynash	rodigods: ha1	13:26
henrynash	ha1	13:26
henrynash	rodigods: still not right, still twealing it	13:27
rodrigods	henrynash, yeah, think it should be clear about the cases where the parent is a regular project or not	13:27
rodrigods	the parent_id vs domain_id cases	13:27
kfox1111	in v3 validate token, how do you know if the user is_admin?	13:28
*** sigmavirus24_awa is now known as sigmavirus24		13:28
rodrigods	kfox1111, from the user roles	13:28
henrynash	rodigods: ok, let me try again!	13:28
kfox1111	so admin shows up as a role on all projects, even though it may not be explicitly?	13:29
kfox1111	like is_admin was?	13:29
rodrigods	kfox1111, hmm i might not understood your question than	13:30
kfox1111	ok. let me try and ask a different way. :)	13:30
kfox1111	in v2 verify token, if the user is a cloud admin, there is an is_admin flag set. the poplicy can be written to allow any cloud admin to do things.	13:31
kfox1111	they don't have to be a role=admin on the teproject.	13:31
rodrigods	yes	13:31
rodrigods	exactly	13:31
kfox1111	is there a way to get that info from the v3 validate token api?	13:31
rodrigods	for v3, the cloud_admin must have the correct role in the is_admin_project	13:32
kfox1111	right. so what field, in the validate token do I use to determine if that was the case?	13:32
rodrigods	kfox1111, the role vs the scope of the token (project), then keystone verifies if the project is the is_admin_project	13:33
kfox1111	is it the same? I didn't see any is_admin code in that code except in v2.	13:33
rodrigods	that's my guess, didn't implement and review the code	13:33
rodrigods	henrynash may be able to give more details ^	13:33
kfox1111	hmm... k.	13:33
kfox1111	I'm working on hooking up kubernetes to keystone. its go code, so I'm having to do stuff myself.	13:34
kfox1111	and I was hoping to get is_admin working, so that admins can administer the k8s clusters launched by users.	13:35
*** ramishra has quit IRC		13:35
dstanek	meta2-5~meta2-5~/b 26	13:35
henrynash	kfox1111: so I think we are trying not to use is_admin in v3	13:35
dstanek	^ serry	13:35
kfox1111	hmm.. ok.	13:36
kfox1111	well, we already put our admins on all tenants we create with an admin role. I guess we can do an implied role admin -> member and I think it would work that way too.	13:37
rodrigods	dstanek, lol	13:37
kfox1111	thanks.	13:37
*** ramishra has joined #openstack-keystone		13:38
henrynash	kfox1111: yep, that shoudl work…	13:39
samueldmq	dstanek: configuring weechat ? :-)	13:39
openstackgerrit	henry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain https://review.openstack.org/315544	13:43
*** BjoernT has joined #openstack-keystone		13:43
*** wanghua has quit IRC		13:44
*** erhudy has joined #openstack-keystone		13:47
dstanek	samueldmq: no, some key combination on this dump mac keystone prints that mapping in weechat. not sure what i keep pressing yet	13:48
*** BjoernT has quit IRC		13:49
samueldmq	dstanek: hehe	13:55
openstackgerrit	henry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain https://review.openstack.org/315544	13:56
*** pushkaru has joined #openstack-keystone		13:59
*** belmoreira has quit IRC		13:59
*** mhickey has quit IRC		14:03
*** sdake has joined #openstack-keystone		14:05
openstackgerrit	henry-nash proposed openstack/keystone-specs: Improve example of project acting as a domain https://review.openstack.org/315544	14:07
*** roxanaghe has joined #openstack-keystone		14:10
*** doug-fish has joined #openstack-keystone		14:11
*** roxanaghe has quit IRC		14:13
*** d0ugal has quit IRC		14:14
*** roxanaghe has joined #openstack-keystone		14:14
*** d0ugal has joined #openstack-keystone		14:16
*** mhickey has joined #openstack-keystone		14:17
*** roxanaghe has quit IRC		14:19
*** d0ugal has quit IRC		14:23
*** josecastroleon has quit IRC		14:23
*** flaper87 has quit IRC		14:24
*** josecastroleon has joined #openstack-keystone		14:24
*** ksavich has quit IRC		14:25
*** ksavich has joined #openstack-keystone		14:26
*** josecastroleon has quit IRC		14:26
*** flaper87 has joined #openstack-keystone		14:27
*** flaper87 has quit IRC		14:27
*** flaper87 has joined #openstack-keystone		14:27
*** mou1 has quit IRC		14:28
*** mou has joined #openstack-keystone		14:29
morgan	stevemar: about to finish cleanup on import for ldappool. hope to land that soon.	14:33
lbragstad	dolphm dstanek i got my patch in tempest to fail with added logging https://review.openstack.org/#/c/314330/3	14:35
patchbot	lbragstad: patch 314330 - tempest - Do not merge - add logging for bug 1578866	14:35
openstack	bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed] https://launchpad.net/bugs/1578866	14:35
*** sdake has quit IRC		14:35
*** links has joined #openstack-keystone		14:36
*** GB21 has joined #openstack-keystone		14:36
*** raddaoui has joined #openstack-keystone		14:41
*** GB21 has quit IRC		14:42
morgan	dstanek: going to bug you for a hacking change soon (review) to make sure we don't ever add oslo namespaced stuff to ldappool. will ping you when ready	14:46
*** timcline has joined #openstack-keystone		14:47
*** phalmos has joined #openstack-keystone		14:51
*** tonytan4ever has joined #openstack-keystone		14:51
bknudson	we're doing something wrong if we're developing libraries that other projects are prohibited to use.	14:56
morgan	bknudson: oslo is terrible to include in things outside of openstack	14:57
morgan	bknudson: i wouldn't include any oslo libs in a library we adopt	14:57
morgan	bknudson: oslo is ok for openstack specific things, but it adds a lot of things we shouldn't force on others.	14:57
*** marekd has joined #openstack-keystone		14:58
*** ChanServ sets mode: +v marekd		14:58
morgan	bknudson: and since we're adopting ldappool, i view it in that category.	14:58
morgan	converting to PBR is about as far as i want to go compared to other things	14:58
*** thiagolib has quit IRC		15:01
*** mhickey has quit IRC		15:01
*** josecastroleon has joined #openstack-keystone		15:03
bknudson	PBR TTR	15:04
bknudson	(to the rescue)	15:04
*** haplo37 has joined #openstack-keystone		15:04
*** jaugustine has joined #openstack-keystone		15:05
*** agrebennikov has joined #openstack-keystone		15:07
*** agrebennikov has quit IRC		15:11
dstanek	morgan: sounds good	15:13
dstanek	lbragstad: nice	15:13
*** edtubill has joined #openstack-keystone		15:14
*** mhickey has joined #openstack-keystone		15:15
lbragstad	dstanek yeah - trying to multi-task and putting the events in order	15:15
*** sdake has joined #openstack-keystone		15:17
*** d0ugal has joined #openstack-keystone		15:17
*** dan_nguyen has joined #openstack-keystone		15:19
*** catintheroof has joined #openstack-keystone		15:26
*** catintheroof has quit IRC		15:27
*** catintheroof has joined #openstack-keystone		15:29
*** links has quit IRC		15:32
*** spzala has quit IRC		15:34
*** dmk0202 has quit IRC		15:35
*** dmk0202 has joined #openstack-keystone		15:36
rodrigods	bknudson, dstanek, lbragstad: have some time to take another look at https://review.openstack.org/#/c/302299/ ?	15:41
patchbot	rodrigods: patch 302299 - keystone - Add identity providers integration tests	15:41
*** josecastroleon has quit IRC		15:48
*** GB21 has joined #openstack-keystone		15:49
*** josecastroleon has joined #openstack-keystone		15:54
*** ninag has quit IRC		15:59
*** spzala has joined #openstack-keystone		16:00
*** doug-fis_ has joined #openstack-keystone		16:01
*** doug-fi__ has joined #openstack-keystone		16:03
*** doug-fish has quit IRC		16:05
*** doug-fis_ has quit IRC		16:06
*** jaosorior has quit IRC		16:06
*** doug-fi__ has quit IRC		16:08
*** rbridgeman has joined #openstack-keystone		16:08
*** GB21 has quit IRC		16:09
openstackgerrit	Elvin Tubillara proposed openstack/keystone: Config changes to support PCI-DSS https://review.openstack.org/314679	16:12
*** sdake has quit IRC		16:13
*** mkoderer__ has quit IRC		16:14
*** dmk0202 has quit IRC		16:15
*** dan_nguyen has quit IRC		16:18
*** d0ugal has quit IRC		16:20
*** d0ugal has joined #openstack-keystone		16:21
*** josecastroleon has quit IRC		16:24
*** gb21 has joined #openstack-keystone		16:24
*** tellesnobrega_af is now known as tellesnobrega		16:27
*** d0ugal has quit IRC		16:27
morgan	stevemar: https://review.openstack.org/#/c/315267/ and https://github.com/morganfainberg/ldappool ready for initial import - we'll apply the outstanding PRs and the fixes from you and crinkle once it is in gerrit	16:27
patchbot	morgan: patch 315267 - openstack-infra/project-config - Import ldappool into gerrit and setup project	16:27
*** mkoderer__ has joined #openstack-keystone		16:28
morgan	stevemar, crinkle: let me know if i missed something insane when prepping that repo (if you have a few moments)	16:28
stevemar	morgan: it'll also need a requirements.txt, but yeah	16:29
morgan	stevemar: did you look at https://github.com/morganfainberg/ldappool ?	16:30
*** spzala has quit IRC		16:30
stevemar	morgan: only at the 1st of the PRs, give me 1 sec :)	16:31
morgan	stevemar: since i'm importing from my fork of he repo	16:32
stevemar	morgan: looks fantastic	16:32
stevemar	we can iterate on it from this point on	16:32
morgan	exactly	16:33
morgan	and it passes pep8/py27.	16:33
stevemar	morgan: anyway to give a non-voting py34 job?	16:34
morgan	stevemar: lets add that after import.	16:35
*** agrebennikov has joined #openstack-keystone		16:35
stevemar	morgan: okie dokie	16:35
stevemar	morgan: does the license in ldappool init have to change?	16:35
morgan	stevemar: nope. we're keeping MPL	16:35
stevemar	alrighty	16:35
morgan	stevemar: just easier	16:36
*** spzala has joined #openstack-keystone		16:36
morgan	we'll need to add a proper license file, and then we'll need to get RTFD working for it	16:36
morgan	all doable post import	16:36
stevemar	Package Index Owner: mdrnstm, tarek	16:36
stevemar	Package Index Maintainer: openstackci	16:36
stevemar	morgan want to take a quick peek at https://review.openstack.org/#/c/315359/	16:38
patchbot	stevemar: patch 315359 - keystonemiddleware - generate sample config automatically	16:38
*** lhcheng has joined #openstack-keystone		16:39
*** ChanServ sets mode: +v lhcheng		16:39
*** spzala has quit IRC		16:40
*** d0ugal has joined #openstack-keystone		16:42
stevemar	rderose_: o/	16:42
*** doug-fish has joined #openstack-keystone		16:43
*** TxGVNN has joined #openstack-keystone		16:44
*** fangxu has joined #openstack-keystone		16:44
*** josecastroleon has joined #openstack-keystone		16:45
*** arunkant_ has joined #openstack-keystone		16:45
rderose_	stevemar: o/	16:45
rderose_	stevemar: what's up?	16:46
stevemar	rderose_: still wondering about what the migration story will be for pci	16:47
*** gyee has joined #openstack-keystone		16:47
*** ChanServ sets mode: +v gyee		16:47
*** doug-fish has quit IRC		16:48
*** spzala has joined #openstack-keystone		16:48
rderose_	stevemar: okay, what are you thinking?	16:48
stevemar	rderose_: if i upgrade to N, these options will now have a default value of 90 days before lock out, and as a deployers, i didn't want this feature... in 90 days, i'll have locked out users :P	16:48
morgan	stevemar: will look.	16:49
morgan	stevemar: might be when i land in PDX though	16:49
*** sdake has joined #openstack-keystone		16:49
stevemar	morgan: stop traveling so much	16:49
*** alex_xu has quit IRC		16:49
morgan	stevemar: TRYING TO GET HOME!	16:49
rderose_	well, we can make default value to be none, so that you have to purposely opt in	16:50
rderose_	stevemar: ^	16:50
stevemar	rderose_: right, which is kinda wonky UX	16:50
rderose_	stevemar: hmm...	16:50
stevemar	the all or nothing switch isn't nice if someone doesn't want to rotate passwords, but just wants stronger password support	16:51
rderose_	stevemar: I guess I think we should have a reasonable default value; not necessarily PCI compliant	16:51
stevemar	rderose_: I guess None default for each, and we can recommend options	16:51
stevemar	let me see what other projects do	16:51
rderose_	stevemar: I'm okay with that	16:51
stevemar	rderose_: just keep that in mind :P	16:51
*** spzala has quit IRC		16:52
*** woodster_ has joined #openstack-keystone		16:52
*** alex_xu has joined #openstack-keystone		16:52
rderose_	stevemar: okay, will do. thx	16:52
stevemar	rderose_: if we stick with None defaults, theres going to be a lot of "if CONF.constraint.blah: "	16:53
lbragstad	dstanek dolphm here is a snippet of the log from https://review.openstack.org/#/c/314330/3	16:54
patchbot	lbragstad: patch 314330 - tempest - Do not merge - add logging for bug 1578866	16:54
openstack	bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,Confirmed] https://launchpad.net/bugs/1578866	16:54
rderose_	stevemar: sure, but we have to support none, whether it's default or not	16:54
lbragstad	http://cdn.pasteraw.com/hwx4nnbrj6eumttoypfadx52wr6oa8t	16:54
*** elfosardo has quit IRC		16:56
*** mkoderer__ has quit IRC		16:57
rderose_	heading to lunch...	16:58
*** rderose_ has quit IRC		16:58
*** spzala has joined #openstack-keystone		17:00
*** TxGVNN has quit IRC		17:00
*** mhickey has quit IRC		17:01
*** mvk_ has quit IRC		17:04
*** mkoderer__ has joined #openstack-keystone		17:04
*** spzala has quit IRC		17:04
dstanek	lbragstad: that's failing on the check that old tokens won't work, right?	17:07
lbragstad	dstanek it's failing the test because the test expects the token to be invalid (404), but instead keystone validates it successfully	17:08
lbragstad	which fails the assertion	17:08
dstanek	lbragstad: but it should be invalid because the password was updated...is this a revocation issue of some sort?	17:08
kfox1111	can token validation work with pki tokens too?	17:09
kfox1111	so you can always just use remote validation?	17:09
lbragstad	dstanek right - the token should be invalid but it's failing this assertion https://github.com/openstack/tempest/blob/master/tempest/api/identity/v3/test_users.py#L69-L72	17:09
lbragstad	dstanek i have a feeling it is related	17:09
lbragstad	dstanek but the weird part is that it's transient	17:09
lbragstad	and very "racey"	17:10
lbragstad	which is why i attempted to add timestamps to various client operations in tempest to see if the race was there (i.e. the token validation was faster than the token revocation from a client perspective)	17:10
dstanek	lbragstad: what is that time.sleep there? the token should be invalid because of the password reset and not the timestamp	17:11
lbragstad	dstanek that's because fernet is only precise to the second	17:11
dstanek	lbragstad: right, but why would that come into play with this test?	17:11
lbragstad	dstanek and revocation events are stored in sql, meaning that event.issued_before is also truncated to only be second precise	17:11
*** spzala has joined #openstack-keystone		17:11
dstanek	ah	17:12
lbragstad	so - in keystone, when we hit that case we bail saying it's an invalid token	17:12
lbragstad	so - if we get a token that has an issued_at time as the same second as the revocation events issued_before time, then we err on the side of security and say it's an invalid token	17:13
openstackgerrit	Arun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf https://review.openstack.org/279828	17:13
lbragstad	either though you may have changed your password at 10:52:15.02 and got a new token at 10:52:15.05	17:13
lbragstad	even*	17:13
*** stingaci has joined #openstack-keystone		17:13
dstanek	lbragstad: the logging doesn't seem to have the issued_before gate logged	17:14
*** josecastroleon has quit IRC		17:15
lbragstad	dstanek not that I can tell - my patch only logs the before and after when a client did a particular thing	17:15
lbragstad	like - the user is going to change their password (timestamp) -> request is sent -> user has changed their password (timestamp + x)	17:15
lbragstad	dstanek but this is interesting http://logs.openstack.org/30/314330/3/check/gate-tempest-dsvm-neutron-dvr/3d9272f/logs/apache/keystone_access.txt.gz	17:15
lbragstad	^ that is the keystone access log from the failed test	17:16
*** spzala has quit IRC		17:16
lbragstad	dstanek you should be able to search for '14aee731a93845d8ac34b9e8403e659b' - that is the user id of the user in the test that failed	17:16
*** roxanaghe has joined #openstack-keystone		17:18
*** fangxu has quit IRC		17:20
*** doug-fish has joined #openstack-keystone		17:22
*** doug-fish has quit IRC		17:23
*** spzala has joined #openstack-keystone		17:23
*** jaugustine has quit IRC		17:23
*** doug-fish has joined #openstack-keystone		17:24
*** jistr has quit IRC		17:24
dstanek	lbragstad: i think we need logging in keystone where we do that comparison. i can't find it in http://logs.openstack.org/30/314330/3/check/gate-tempest-dsvm-neutron-dvr/3d9272f/logs/apache/keystone.txt.gz	17:24
*** doug-fish has quit IRC		17:28
*** spzala has quit IRC		17:28
lbragstad	dstanek since keystone errors on the side of security when a token issued_at and a revocations issued_before are too close	17:28
lbragstad	the only thing I can think of is that the revocation is taking too long	17:29
lbragstad	and the validation is getting to keystone before the revocation is stored	17:29
dstanek	lbragstad: debug logging around that revocation would be very helpful if we don't already have it	17:29
lbragstad	dstanek I'll have to check - but i'm not seeing any sort of revocation logging through tempest	17:31
*** fangxu has joined #openstack-keystone		17:32
dstanek	lbragstad: it logs in debug mode because i'm seeing tons and tons of logging	17:32
dstanek	b 26	17:32
dstanek	i'm terrible at thiis	17:32
*** gb21 has quit IRC		17:33
*** d0ugal has quit IRC		17:34
*** julim has quit IRC		17:35
*** gyee has quit IRC		17:35
*** NellyK has joined #openstack-keystone		17:36
*** spzala has joined #openstack-keystone		17:37
*** alex_xu has quit IRC		17:38
*** rdo has quit IRC		17:38
*** rderose has joined #openstack-keystone		17:40
*** spzala has quit IRC		17:41
*** markvoelker has joined #openstack-keystone		17:41
*** ninag has joined #openstack-keystone		17:46
*** rdo has joined #openstack-keystone		17:46
*** ninag has quit IRC		17:46
*** doug-fis_ has joined #openstack-keystone		17:48
*** ninag has joined #openstack-keystone		17:48
*** spzala has joined #openstack-keystone		17:49
*** stingaci has quit IRC		17:50
samueldmq	ayoung: hey	17:50
samueldmq	ayoung: could you take a look at patch 302789 again ?	17:50
patchbot	samueldmq: https://review.openstack.org/#/c/302789/ - keystone - Add API Change Tutorial	17:50
samueldmq	cc stevemar morgan ^	17:50
*** ninag_ has joined #openstack-keystone		17:50
*** stingaci has joined #openstack-keystone		17:50
stevemar	API change tutorial...	17:51
samueldmq	stevemar: sounds a good idea ? :)	17:51
ayoung	samueldmq, will do	17:52
samueldmq	ayoung: thanks	17:52
*** d0ugal has joined #openstack-keystone		17:52
*** ninag has quit IRC		17:53
*** NellyK has quit IRC		17:53
*** spzala has quit IRC		17:53
*** spzala has joined #openstack-keystone		17:54
*** doug-fis_ has quit IRC		17:54
lbragstad	dolphm not sure if you see all the conversation up there ^	17:57
*** tqtran has joined #openstack-keystone		17:58
dolphm	lbragstad: actually, i don't -- i'm not using znc properly today	17:58
lbragstad	dolphm ah - ok	17:58
dolphm	should i go read eavesdrop?	17:58
*** pcaruana has quit IRC		17:58
lbragstad	dolphm naw - i'll walk through it again	17:59
lbragstad	(hopefully it helps?)	17:59
dolphm	if it hurts, try again	17:59
dolphm	-doctor topol	18:00
lbragstad	dolphm so in keystone, when we compare token data against revocation events, if a revocation event's issued_before time is greater than or equal too the token's issued_at time, we consider it revoked	18:00
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L223	18:00
topol	dolphm, yes Im here	18:00
lbragstad	topol sweet - you can help, too!	18:00
topol	lbragstad, anything for oyu	18:01
dolphm	lbragstad: right	18:01
lbragstad	dolphm topol make sense?	18:01
lbragstad	so - in the keystone + fernet + devstack case	18:01
dolphm	revocation events apply to tokens issued in the past	18:01
lbragstad	keystone tokens are only going to have second precision when it comes to issued_at	18:02
lbragstad	so - if you get a token at 10:52:25.000004, your token response is going to say 10:52:25.000000	18:02
dolphm	and when we create a revocation event, is the limited-precision timestamp truncated, rounded up/down, or is it up to the db?	18:02
lbragstad	dolphm I think it is rounded down	18:03
dolphm	by python or by the db?	18:03
lbragstad	dolphm in some cases python - https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L87-L90	18:04
ayoung	samueldmq, responded. I like it. Tried to make some constructive additions	18:04
lbragstad	but that's the expires_at	18:05
*** doug-fish has joined #openstack-keystone		18:05
*** dave-mccowan has quit IRC		18:05
dolphm	lbragstad: hmm, why don't we do the same for other timestamps?	18:06
dolphm	lbragstad: what ends up in the db for those values?	18:06
lbragstad	dolphm i'm not entirely sure	18:06
dolphm	lbragstad: if we're comparing two timestamps with different levels of precision, then you have an opportunity for a race condition	18:07
lbragstad	yeah	18:07
dolphm	lbragstad: or even if the precision was manipulated in different ways (rounding vs truncating)	18:08
*** d0ugal has quit IRC		18:08
*** doug-fis_ has joined #openstack-keystone		18:08
*** rcernin has quit IRC		18:09
lbragstad	dolphm I think the is_revoked login in keystone was written to assume second precision	18:09
lbragstad	for example, if a token's issued_at time is equal to a revocation events issued_before time, we error on the side of security and say that the token is revoked	18:10
*** doug-fish has quit IRC		18:10
ayoung	lbragstad, it needs to be a second granularity either way. But I also think that we can reduce the number of revoke events	18:11
ayoung	lbragstad, I am working through this change	18:11
ayoung	https://review.openstack.org/#/c/285134/	18:11
patchbot	ayoung: patch 285134 - keystone - WIP Remove unneeded revocation events	18:11
ayoung	I have made a little progress, but getting hung up on the Federation tokens	18:12
ayoung	I have a Tripleo task I need to finish first, and some hotfix patches for RPMs I should be doing, and then get back to that	18:12
topol	lbragstad, dolphm is it possible to add a second to the revocation issued_before time to ensure rounding errors can't have an impact/	18:12
*** doug-fis_ has quit IRC		18:13
*** ninag_ has quit IRC		18:13
*** jistr has joined #openstack-keystone		18:15
*** lhcheng has quit IRC		18:15
*** jistr is now known as jistr\|afk		18:15
*** ninag has joined #openstack-keystone		18:15
*** stingaci has quit IRC		18:15
samueldmq	ayoung: nice, thanks for the comments, I will update it accordingly	18:16
dolphm	topol: i tried several variations of that a few months back - and i was only met with even more test failures	18:16
ayoung	samueldmq, thanks	18:16
*** julim has joined #openstack-keystone		18:17
topol	dolphm, ugggh	18:17
lbragstad	http://stackoverflow.com/questions/29711102/sqlalchemy-mysql-millisecond-or-microsecond-precision	18:17
dolphm	lbragstad: if you write microsecond precision to mysql 5.5, it'll silently truncate everything beyond seconds	18:17
lbragstad	dolphm yeah - that sounds familiar	18:18
*** openstackgerrit has quit IRC		18:18
dolphm	lbragstad: OH, that example shows it rounding UP!	18:18
lbragstad	yes it is...	18:18
*** openstackgerrit has joined #openstack-keystone		18:18
*** markvoelker_ has joined #openstack-keystone		18:19
dolphm	lbragstad: should we ask mike?	18:19
lbragstad	dolphm i'm trying to find out which version of mysql my patch ran against	18:20
lbragstad	dolphm and yes	18:20
dolphm	lbragstad: i'd bet he's got a general pattern that he recommends to avoid that behavior - or maybe there's something we can turn on in sqlalchemy to have it blow up if we give it too much precision	18:20
lbragstad	dolphm or we can patch keystone to always truncate - like fernet does	18:20
lbragstad	or round down	18:21
*** markvoelker has quit IRC		18:22
dolphm	zzzeek: we're experiencing a race condition, likely due to a loss of precision of timestamps somewhere between our app, sqlalchemy, the db, and when they're later compared to totally different timestamps. we're happy to just have second-level precision, but is there a way to have sqlalchemy throw a backtrace if we give it more precision that the db is expecting / capable of handling accurately?	18:22
zzzeek	dolphm: yes you'd want to intercept the data at the type level	18:23
zzzeek	dolphm: examples of that knid of thing: http://docs.sqlalchemy.org/en/rel_1_0/core/custom_types.html#coercing-encoded-strings-to-unicode	18:24
zzzeek	dolphm: also you can, when you look into doing the comparison, render a SQL expression like a CAST or similar that ensures both sides of the expression are of the same precision	18:25
clenimar	hi there	18:25
clenimar	is admin_url param deprecated?	18:25
dolphm	zzzeek: perfect, thanks! we'll have to play with that recipe	18:26
dolphm	clenimar: only in that it's only relevant to the v2 API, and the v2 API itself is basically deprecated. we still support other services have admin URLs in the service catalog, however	18:27
dolphm	lbragstad: we could use something like that recipe above to ensure all timestamps end up exactly the same before hitting the db	18:29
openstackgerrit	Andrew Laski proposed openstack/oslo.policy: Add __str__ to PolicyOpt https://review.openstack.org/315712	18:29
clenimar	thank you, dolphm	18:29
lbragstad	dolphm yeah - that makes sense	18:30
lbragstad	dolphm where would be a good place for that to live in keystone?	18:30
*** erhudy has quit IRC		18:31
*** BjoernT has joined #openstack-keystone		18:33
*** belmoreira has joined #openstack-keystone		18:34
*** ninag has quit IRC		18:35
*** ninag has joined #openstack-keystone		18:35
*** ninag has quit IRC		18:35
lbragstad	dolphm sweet - looks like we do this already with JsonBlobs	18:35
*** ninag has joined #openstack-keystone		18:36
*** spzala has quit IRC		18:38
*** rderose has quit IRC		18:38
*** ninag has quit IRC		18:39
*** rderose has joined #openstack-keystone		18:40
*** stingaci has joined #openstack-keystone		18:40
*** BjoernT has quit IRC		18:42
*** spzala has joined #openstack-keystone		18:44
*** sdake has quit IRC		18:44
dolphm	lbragstad: so, i assume that means we'll have to swap a bunch of model definitions with this new, wrapped class?	18:45
openstackgerrit	Ron De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements https://review.openstack.org/314284	18:46
*** ninag has joined #openstack-keystone		18:46
lbragstad	dolphm yep	18:46
*** dmk0202 has joined #openstack-keystone		18:47
*** spzala has quit IRC		18:48
dolphm	lbragstad: still can't reproduce outside of the gate, right?	18:50
lbragstad	dolphm right	18:50
lbragstad	dolphm so maybe i'm using a different version of mysql that truncates and the gate is using something else?	18:50
dolphm	lbragstad: that means that even if we implement a new column type just to see if it fixes the issue, we'll have to merge it just to see if it works :-/	18:50
dolphm	lbragstad: what version of mysql are you on?	18:51
*** ninag has quit IRC		18:51
lbragstad	dolphm I nuked the devstack box that I was using - I can setup again though	18:51
dolphm	lbragstad: 5.6.3 to 5.6.4 is the magic version barrier with support for subsecond precision changed radically	18:52
dolphm	mysql 5.6.3 vs 5.6.4	18:52
lbragstad	locally i have 5.6.25-0ubuntu0.15.04.1	18:59
*** rderose_ has joined #openstack-keystone		18:59
*** lhcheng has joined #openstack-keystone		19:01
*** ChanServ sets mode: +v lhcheng		19:01
*** lhcheng_ has joined #openstack-keystone		19:02
*** lhcheng has quit IRC		19:02
*** d0ugal has joined #openstack-keystone		19:02
*** rderose has quit IRC		19:03
*** slberger has joined #openstack-keystone		19:03
openstackgerrit	Merged openstack/keystone: Move the assignment abstract base class out of core https://review.openstack.org/299635	19:06
*** spzala has joined #openstack-keystone		19:10
*** spzala has quit IRC		19:11
*** spzala has joined #openstack-keystone		19:11
samueldmq	ayoung: about your comment in https://review.openstack.org/#/c/302789/4/doc/source/api_change_tutorial.rst	19:14
patchbot	samueldmq: patch 302789 - keystone - Add API Change Tutorial	19:14
samueldmq	ayoung: what is ""	19:14
ayoung	samueldmq, yes?	19:14
samueldmq	also edit the API doc in (path..) to show the effect of the new change, and make sure you bump the version number etc.	19:14
samueldmq	oops ^	19:15
samueldmq	in yours first comment	19:15
samueldmq	your* (arrgh)	19:15
stevemar	morgan: looks like we need a .gitreview file in ldappool :)	19:17
morgan	Yep.	19:18
morgan	Propose it stevemar:) I'll get the core group setup as soon as I am home.	19:18
openstackgerrit	Matthew Edmonds proposed openstack/keystone: admin gets is_admin_project by default https://review.openstack.org/311203	19:19
stevemar	morgan: but... i can't push new patches until a .gitreview file exists :O	19:19
morgan	stevemar: propose a patch with gitreview.	19:19
morgan	Then it works!	19:19
stevemar	ah	19:19
stevemar	didn't know that	19:19
samueldmq	propose a pull request ?	19:19
stevemar	neato	19:19
morgan	With the .gitreview file.	19:20
morgan	Since it just looks locally for it.	19:20
samueldmq	nice	19:20
morgan	I expect this next version should be 2.0 fwiw stevemar	19:20
openstackgerrit	Steve Martinelli proposed openstack/ldappool: make ldappool py3 compatible https://review.openstack.org/315728	19:20
stevemar	morgan: oh for sure	19:21
morgan	Since we are adding py3	19:21
stevemar	we'll be switching the main requirement	19:21
morgan	Make it work with both	19:21
morgan	If possible.	19:21
morgan	I mean, it should be possible.	19:21
openstackgerrit	Steve Martinelli proposed openstack/ldappool: additional files to ignore in .gitignore https://review.openstack.org/315729	19:25
openstackgerrit	Steve Martinelli proposed openstack/ldappool: add .gitreview https://review.openstack.org/315731	19:26
openstackgerrit	Steve Martinelli proposed openstack/ldappool: additional files to ignore in .gitignore https://review.openstack.org/315729	19:27
openstackgerrit	Steve Martinelli proposed openstack/ldappool: make ldappool py3 compatible https://review.openstack.org/315728	19:28
*** rderose has joined #openstack-keystone		19:28
*** r-daneel has joined #openstack-keystone		19:28
openstackgerrit	Lance Bragstad proposed openstack/keystone: Avoid datetime rounding issues https://review.openstack.org/315735	19:29
*** rderose_ has quit IRC		19:31
stevemar	morgan: want to push https://review.openstack.org/#/c/315731/1 through? it just adds the necessary .gitreview file	19:32
patchbot	stevemar: patch 315731 - ldappool - add .gitreview	19:32
stevemar	morgan: i'm not sure it can work with both python-ldap and pyldap, they are installed in the same namespace	19:32
morgan	Ahh ok	19:32
morgan	That's fine. We might want a separate test job for python-ldap	19:33
*** rderose has quit IRC		19:33
*** rderose has joined #openstack-keystone		19:34
*** fangxu has quit IRC		19:34
openstackgerrit	Monty Taylor proposed openstack/ldappool: Add gitreview file https://review.openstack.org/315738	19:35
openstackgerrit	Monty Taylor proposed openstack/ldappool: Fix license in setup.py https://review.openstack.org/315739	19:35
openstackgerrit	henry-nash proposed openstack/keystone: Create V9 driver for identity backend https://review.openstack.org/305315	19:36
morgan	mordred: stevemar beat you to the .gitreview file ;)	19:37
*** ninag has joined #openstack-keystone		19:38
stevemar	morgan: you added HP boilerplate to setup.py?	19:38
stevemar	mordred: ^	19:38
morgan	stevemar: i did not.	19:38
stevemar	"Copyright (c) 2013 Hewlett-Packard Development Company, L.P."	19:38
*** ninag has quit IRC		19:41
morgan	stevemar: it's i think in the cookiecutter repo like that	19:42
*** ninag has joined #openstack-keystone		19:42
morgan	stevemar: ok who should be on the hook for ldappool?	19:42
morgan	stevemar: you, me? all of keystone-core?	19:42
stevemar	morgan: obviously just crinkle :P	19:43
morgan	lol	19:43
crinkle	:O	19:43
stevemar	morgan: i dunno, any volunteers?	19:43
morgan	done, though i'm totally letting her blame you.	19:43
crinkle	-_-	19:43
stevemar	anyone who has touched it at all?	19:43
morgan	ok anyway you and crinkle added to core on ldappool now	19:43
stevemar	yee haw	19:44
* crinkle swims in ldap pools		19:44
stevemar	lol	19:44
morgan	crinkle: be careful, i hear they're poluted.	19:44
*** ninag has quit IRC		19:45
morgan	you both are also in the -release group. we'll get the release things worked out later (once 2.0.0 with the changes rolls out)	19:46
morgan	but we can make keystone py3...ish now! :)	19:46
morgan	(don't look at the memcache thing)	19:46
morgan	hm.. where is gyee.	19:49
morgan	stevemar: i'll send out a "are you going to keystone midcycle" thing tomorrow	19:50
morgan	stevemar: so we can get real numbers	19:50
stevemar	++	19:50
morgan	stevemar: google form good? or ... wiki?	19:50
stevemar	morgan: docs job failed :(	19:50
* morgan leans towards form		19:51
stevemar	google form	19:51
morgan	stevemar: which docs job?	19:51
stevemar	morgan: ldappool	19:51
morgan	uhm... there... shouldn't be a docs job in gate?	19:51
morgan	or you mean you ran tox -edocs	19:52
morgan	?	19:52
*** jistr\|afk has quit IRC		19:52
morgan	oh crud. forgot docs was part of the template	19:52
morgan	uhm. going to make it no-op for the moment.	19:52
*** belmoreira has quit IRC		19:54
stevemar	morgan: i can cook up a working docs change as part of git review	19:54
*** rbridgeman has quit IRC		19:54
morgan	stevemar: if you want to.	19:55
morgan	stevemar: i have RTFD integration on my short list for it too	19:55
*** pauloewerton has quit IRC		19:55
morgan	stevemar: either way wfm	19:57
stevemar	morgan: let me run all the jobs now and make sure it works	19:57
stevemar	may be a new patch	19:57
morgan	k	19:58
*** josecastroleon has joined #openstack-keystone		20:02
openstackgerrit	Steve Martinelli proposed openstack/ldappool: add .gitreview and fix ldappool gate https://review.openstack.org/315747	20:02
stevemar	morgan: OK, now it should be good	20:03
*** rbridgeman has joined #openstack-keystone		20:04
morgan	stevemar: okie	20:07
openstackgerrit	Morgan Fainberg proposed openstack/ldappool: Fix license in setup.py https://review.openstack.org/315739	20:09
lbragstad	dolphm dstanek started working on the mysql datetime fix - https://review.openstack.org/#/c/315735/	20:14
patchbot	lbragstad: patch 315735 - keystone - Avoid datetime rounding issues	20:14
lbragstad	but I think i'm going to have to fix the bigger timestamp problem	20:15
*** martinus__ has quit IRC		20:15
dolphm	lbragstad: bigger?	20:15
morgan	stevemar: oh.. should probably spin up the bug pages and such for ldappool	20:16
* morgan does this		20:16
*** belmoreira has joined #openstack-keystone		20:16
*** spzala_ has joined #openstack-keystone		20:16
*** martinus__ has joined #openstack-keystone		20:18
*** spzala has quit IRC		20:18
lbragstad	dolphm i think some of the token formats return different precision than others	20:19
lbragstad	and that might vary from v2 to v3	20:20
*** ayoung has quit IRC		20:20
dolphm	lbragstad: the v2 vs v3 thing is definitely true. we added microsecond precision in v3, but it'd be API compatible to store second-level precision as long as we return .00000Z	20:20
dolphm	.000000Z	20:20
lbragstad	yeah	20:21
lbragstad	I think that's what we're going to have to do	20:21
morgan	stevemar: https://launchpad.net/ldappool created.	20:23
*** rbridgeman_ has joined #openstack-keystone		20:23
mordred	morgan: oh. piddle. let me abaondon/rebase away from my gitreview patch	20:24
*** rcernin has joined #openstack-keystone		20:24
openstackgerrit	Monty Taylor proposed openstack/ldappool: Fix license in setup.py https://review.openstack.org/315739	20:25
morgan	mordred: i already rebased :P	20:25
morgan	mordred: but okie.	20:25
morgan	mordred: or i think i did? ... shrugs	20:26
mordred	(I had some things piled up in buffers from plane landing)	20:26
morgan	ah yesh	20:26
*** rbridgeman has quit IRC		20:26
morgan	stevemar: oooh got a test failure happening	20:27
morgan	stevemar: =/	20:27
stevemar	morgan: yeah :\	20:27
morgan	(this worked in devstack^wlocally)	20:27
stevemar	ran fine locally....	20:27
morgan	yeah	20:27
morgan	might be concurrency?	20:27
stevemar	morgan: its a racey test	20:27
stevemar	morgan: it does call threading	20:28
morgan	yar	20:28
morgan	we should fix that	20:28
stevemar	yeah its all kinds of racy	20:29
stevemar	morgan: https://github.com/openstack/ldappool/blob/master/ldappool/tests/test_ldappool.py#L152-L202	20:29
morgan	oh boy.	20:30
morgan	well, code needs cleanup. so do tests	20:30
*** josecastroleon has quit IRC		20:32
*** belmoreira has quit IRC		20:34
*** ericksonsantos has quit IRC		20:35
*** ninag has joined #openstack-keystone		20:36
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/315764	20:36
*** raildo is now known as raildo-afk		20:41
*** gyee has joined #openstack-keystone		20:44
*** ChanServ sets mode: +v gyee		20:44
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add service providers integration tests https://review.openstack.org/303502	20:49
openstackgerrit	Steve Martinelli proposed openstack/ldappool: add .gitreview and fix ldappool gate https://review.openstack.org/315747	20:50
openstackgerrit	Steve Martinelli proposed openstack/ldappool: Fix license in setup.py https://review.openstack.org/315739	20:51
openstackgerrit	Steve Martinelli proposed openstack/ldappool: additional files to ignore in .gitignore https://review.openstack.org/315729	20:52
openstackgerrit	Steve Martinelli proposed openstack/ldappool: make ldappool py3 compatible https://review.openstack.org/315728	20:52
*** fangxu has joined #openstack-keystone		21:00
*** pushkaru has quit IRC		21:00
*** sdake has joined #openstack-keystone		21:04
*** yolanda has quit IRC		21:04
arunkant_	rodrigods, Thanks for review on https://review.openstack.org/#/c/279828 . I have answered your last comment. In short, it was verified against devstack deployment. Please check	21:04
*** yolanda has joined #openstack-keystone		21:04
rodrigods	arunkant_, awesome, thanks for that	21:05
rodrigods	will check in a minute	21:05
*** spzala_ has quit IRC		21:06
rodrigods	arunkant, hmm great, somehow i've missed that	21:07
rodrigods	looks good :)	21:07
stevemar	morgan: gotta head out, but the ldappool gate should be fixed	21:07
morgan	ok watching the gate	21:07
lbragstad	dolphm if mysql rounded up in the storage of the revocation events - that would only help us, right?	21:11
*** xek has quit IRC		21:11
lbragstad	dolphm if a user gets a fernet token at 10:52:25.000002, fernet will store it as 10:52:25.000000	21:12
openstackgerrit	Merged openstack/ldappool: add .gitreview and fix ldappool gate https://review.openstack.org/315747	21:12
*** pushkaru has joined #openstack-keystone		21:12
openstackgerrit	Merged openstack/ldappool: Fix license in setup.py https://review.openstack.org/315739	21:12
*** xek has joined #openstack-keystone		21:12
lbragstad	if a user changes their password at 10:52:25.005000 and it's stored in sql as 10:52:26, would that still be caught in the revocation api?	21:13
lbragstad	because the token's issued_at time would be 10:52:25.000000 and the revocation event's issued_before time would be 10:52:26.000000	21:14
openstackgerrit	Merged openstack/ldappool: additional files to ignore in .gitignore https://review.openstack.org/315729	21:15
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add service providers integration tests https://review.openstack.org/303502	21:15
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Add API Change Tutorial https://review.openstack.org/302789	21:19
*** nalind has quit IRC		21:24
*** sdake_ has joined #openstack-keystone		21:24
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add users functional tests https://review.openstack.org/289306	21:25
*** haplo37 has quit IRC		21:28
*** sdake has quit IRC		21:28
*** sdake has joined #openstack-keystone		21:31
*** sdake_ has quit IRC		21:32
*** ametts has quit IRC		21:33
*** doug-fish has joined #openstack-keystone		21:43
openstackgerrit	Merged openstack/keystone: Add mapping validation tests https://review.openstack.org/312881	21:45
*** gordc has quit IRC		21:45
*** doug-fish has quit IRC		21:48
*** mou has quit IRC		21:50
*** ninag has quit IRC		21:50
*** mou has joined #openstack-keystone		21:50
*** pushkaru has quit IRC		21:52
*** sigmavirus24 is now known as sigmavirus24_awa		22:00
*** dmk0202 has quit IRC		22:00
*** jsavak has quit IRC		22:09
*** edtubill has quit IRC		22:09
morgan	stevemar, crinkle: do we want to make ldappool adhere to global requirements? it is not currently doing so.	22:10
crinkle	morgan: i would think so? it has to be installable with keystone	22:12
morgan	ok	22:12
morgan	will fix that	22:12
morgan	crinkle: i just bounced the py3 fix for ldappool out of the gate, will get pyldap in g-r and make it gate on g-r things before re-approving.	22:13
crinkle	ok	22:14
*** phalmos has quit IRC		22:15
*** timcline has quit IRC		22:15
*** stingaci has quit IRC		22:22
*** stingaci has joined #openstack-keystone		22:22
*** pushkaru has joined #openstack-keystone		22:22
*** jamielennox\|away is now known as jamielennox		22:24
*** ayoung has joined #openstack-keystone		22:25
*** ChanServ sets mode: +v ayoung		22:25
*** markvoelker_ has quit IRC		22:25
*** edtubill has joined #openstack-keystone		22:27
openstackgerrit	Morgan Fainberg proposed openstack/ldappool: make ldappool py3 compatible https://review.openstack.org/315728	22:28
morgan	crinkle: ^ ok needs a re +2 when you have a few moments to confirm it looks correct still. :) thnx	22:28
crinkle	morgan: done	22:30
*** dave-mccowan has joined #openstack-keystone		22:34
*** dave-mcc_ has joined #openstack-keystone		22:36
lbragstad	dolphm I have a devstack setup with the same exact mysql versions of everything - trying to recreate locally	22:39
*** dave-mccowan has quit IRC		22:40
*** dan_nguyen has joined #openstack-keystone		22:41
*** pushkaru has quit IRC		22:46
jamielennox	do we know what's happening with the gate, are the problems from yesterday still a thing?	22:48
lbragstad	jamielennox yes	22:48
jamielennox	is it a timing thing?	22:50
lbragstad	jamielennox it has to be..	22:50
lbragstad	jamielennox https://bugs.launchpad.net/keystone/+bug/1578866	22:50
openstack	Launchpad bug 1578866 in OpenStack Identity (keystone) "test_user_update_own_password failing intermittently" [High,In progress] - Assigned to Lance Bragstad (lbragstad)	22:50
jamielennox	yea, i saw that autorecheck had tagged it as that	22:51
lbragstad	jamielennox check my last comment	22:51
*** ninag has joined #openstack-keystone		22:52
*** spzala has joined #openstack-keystone		22:52
*** rbridgeman_ has quit IRC		22:53
jamielennox	yea, that makes sense - it's not the failure i was looking at	22:56
*** ninag has quit IRC		22:57
lbragstad	jamielennox oh - different failure?	22:57
jamielennox	yep it was in the tempest negative tenant tests, but i can't remember where it came from	22:57
jamielennox	which i thought was the same timing issue, but it looks like it was coming from test setup	22:58
*** spzala has quit IRC		23:02
*** ayoung has quit IRC		23:03
*** dave-mcc_ has quit IRC		23:06
*** slberger has left #openstack-keystone		23:07
*** tonytan4ever has quit IRC		23:09
lbragstad	jamielennox yeah - i'm not sure where this timing issue is coming from anymore	23:16
*** markvoelker has joined #openstack-keystone		23:26
*** r-daneel has quit IRC		23:27
*** markvoelker has quit IRC		23:31
*** chlong has quit IRC		23:35
*** stingaci has quit IRC		23:38
*** arunkant_ has quit IRC		23:48

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!