Tuesday, 2016-05-24

<openstackgerrit> Ron De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements https://review.openstack.org/314284 [00:20]
<openstackgerrit> Merged openstack/keystoneauth: Use betamax hooks to mask fixture results https://review.openstack.org/311133 [02:04]
<openstackgerrit> wangxiyuan proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/296246 [02:24]
<openstackgerrit> Ron De Rose proposed openstack/keystone: Config settings to support PCI-DSS https://review.openstack.org/314679 [03:20]
<openstackgerrit> Ron De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements https://review.openstack.org/314284 [03:20]
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements https://review.openstack.org/320156 [03:20]
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.4: User must change their password requirements https://review.openstack.org/320156 [03:27]
<notmorgan> ayoung: what time is rodrigods usually online? [03:32]
<notmorgan> ayoung: need to chat with him tomorrow. [03:32]
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Password strength and change password requirements https://review.openstack.org/320156 [03:34]
<openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Password strength and change password requirements https://review.openstack.org/320156 [03:40]
<notmorgan> rderose: you just going to stack up all the changes and then un wip them? [03:58]
<rderose> notmorgan: yeah, the latest I think will really be about change password requirements [03:59]
<rderose> notmorgan: I'm going to try to break it up into chunks; not do everything at once [04:00]
<notmorgan> rderose: wfm. [04:00]
<rderose> notmorgan: wfm?? [04:00]
<rderose> notmorgan: but yeah, each patch will be dependent on the next [04:01]
<jamielennox> works for me [04:26]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Added X-Forwarding-For support. https://review.openstack.org/309038 [06:07]
<openstackgerrit> Merged openstack/keystone-specs: Cleanup 'implied roles' section of Identity API V3 spec https://review.openstack.org/298925 [06:08]
<openstackgerrit> wangxiyuan proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/296246 [06:37]
<openstackgerrit> Merged openstack/keystoneauth: Add is_domain to keystoneauth token https://review.openstack.org/282377 [07:16]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435 [08:10]
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435 [08:10]
<openstackgerrit> Ryosuke Mizuno proposed openstack/keystone: Add name to the project deleted notification event https://review.openstack.org/320299 [08:52]
<openstackgerrit> Ryosuke Mizuno proposed openstack/keystone: Add name to the project deleted notification event https://review.openstack.org/320299 [09:30]
<openstackgerrit> wangxiyuan proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/296246 [10:05]
<openstackgerrit> yolanda.robla proposed openstack/keystoneauth: Update keystoneauth fixture to support v3 https://review.openstack.org/320340 [10:19]
<openstackgerrit> Dina Belova proposed openstack/keystone: Add DB operations tracing https://review.openstack.org/294535 [10:45]
<openstackgerrit> Dina Belova proposed openstack/keystone: == DO NOT MERGE == Add cache profiling https://review.openstack.org/302799 [10:45]
<openstackgerrit> wangxiyuan proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/296246 [11:19]
<openstackgerrit> wangxiyuan proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/296246 [12:38]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v3 docs from api-ref repo https://review.openstack.org/320145 [12:40]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Microversions https://review.openstack.org/315180 [12:41]
<dstanek> i'm going to start a mini series 'fun with shib' [12:44]
<samueldmq> dstanek: howdy, blog posts? [12:44]
<dstanek> videos! [12:45]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Microversions https://review.openstack.org/315180 [12:45]
<samueldmq> dstanek: ++ [12:45]
<dstanek> i finally took the time to make a screencast yesterday using software that i bought years ago [12:46]
<samueldmq> dstanek: going to upload it ? :) [12:46]
<dstanek> samueldmq: it's on youtube already....getting the link [12:47]
<dstanek> https://www.youtube.com/watch?v=BbDlUMaA-Zk [12:47]
<samueldmq> dstanek: cool! looking, thanks [12:47]
<dstanek> next step is to figure out what i was seeing in that video [12:47]
<samueldmq> dstanek: segfault ? lol [12:48]
<rodrigods> dstanek, lol [12:48]
<dstanek> yeppers [12:48]
<samueldmq> dstanek: that's scary [12:50]
<samueldmq> dstanek: and nice thing too, that's a very cool resource [12:51]
<samueldmq> because you explain the federation workflow, etc :) [12:52]
<rodrigods> dstanek, that's why we need to use mod_auth_mellon [12:52]
<rodrigods> samueldmq, ++ [12:52]
<lbragstad> dstanek do you have patches up for ^ [12:53]
<lbragstad> dstanek also - given the email about python 3 yesterday https://review.openstack.org/#/c/207526/1 [12:53]
<patchbot> lbragstad: patch 207526 - keystone - WIP Fernet on Python 3 [12:53]
<dstanek> rodrigods: i can give that a try and see what happens - i wasn't able to get it to reload idps without restarting apache [12:53]
<dstanek> lbragstad: reviews for what? [12:53]
<lbragstad> dstanek the shib stuff? [12:54]
<dstanek> lbragstad: no that was just testing k2k [12:54]
<rodrigods> dstanek, btw... do you have your ansible stuff in github? [12:54]
<lbragstad> ah gotcha [12:54]
<dstanek> lbragstad: i don't think that is needed anymore, but i can check [12:54]
<dstanek> lbragstad: not yet....i really want to publish some roles on galaxy...but time :-( [12:55]
<rodrigods> dstanek, damn... was about to ask you to review something for me :) [12:56]
<catintheroof> guys, i need to know some conceptual thing, supposing that i have only identity with LDAP and assignment with sql, the idea behind using mysql to tell which user is on what project and LDAP for auth, is that keystone just finds the user on ldap and nothing related to projects & roles & etc ? [12:57]
<bknudson> how do you represent in LDAP that a user has a role on a project? [12:59]
<catintheroof> bknudson, i suppose that using LDAP with assignment, but will not be my case [12:59]
<catintheroof> bknudson, so ... what im assuming is right ? [13:00]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v3 docs from api-ref repo https://review.openstack.org/320145 [13:01]
<bknudson> catintheroof: I don't understand what you're assuming. If you think that only users and groups are in ldap, and roles, projects, and role-assignments are in sql then that's correct. [13:01]
<dstanek> rodrigods: i am setting aside a few hours for reviews today. which one were you going to ask about? [13:01]
<rodrigods> dstanek, the old tempest plugin one https://review.openstack.org/#/c/302299/ :) [13:02]
<patchbot> rodrigods: patch 302299 - keystone - Add identity providers integration tests [13:02]
<rodrigods> dstanek, the patch chain is just doing basic testing in the tempest clients -> so we can write scenarios using them! [13:02]
<catintheroof> bknudson, nice, that's what im assuming, thanks for confirming. and the last one would be, in that case, when you assign a user to a project, does keystone validate that the user exists on LDAP ? [13:02]
<dstanek> rodrigods: cool...added to the list :-) [13:03]
<rodrigods> thanks dstanek [13:03]
<bknudson> catintheroof: this seems like something that would be very easy for you to try out. [13:03]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Correct Identity spec for versions response https://review.openstack.org/320437 [13:07]
<dstanek> rodrigods: yw....going heads-down on capstone for a little while [13:12]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Correct Identity spec for versions response https://review.openstack.org/320437 [13:23]
<henrynash> rodrigods: thanks for the review on the microversions spec….your comment on the /v3 API call…not quite sure I understand what you are getting at there? [13:36]
<rodrigods> henrynash, the versions call is not only to /v3, but also to / [13:37]
<henrynash> rodrigods: ah, right - yep [13:37]
<henrynash> rodrigods: (which doesn’t seem to be documented anywhere :-) ) [13:37]
<rodrigods> henrynash, heh so we found a doc bug! [13:37]
<henrynash> :-) [13:38]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Microversions https://review.openstack.org/315180 [13:41]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Microversions https://review.openstack.org/315180 [14:06]
<henrynash> notmorgan, ayoung: ping [14:08]
<ayoung> henrynash, da comrade! [14:09]
<henrynash> ayoung: :-) so as you have seen I've been bashing on the microversions spec…I noticed you put morgan as primary assignee….is that because he wanted it..or just that you didn’t !?!?! [14:10]
<ayoung> henrynash, yes, he wanted it, and I wanted to make sure it was recorded [14:10]
<ayoung> you are welcome to take it [14:10]
<ayoung> I think it is more process for process sake myself [14:11]
<henrynash> ayoung: Ok, I’ll check with him to see how we divi this out…. [14:11]
<henrynash> ayoung: thx [14:12]
<notmorgan> I want to point out Henry needs an IRC bouncer. [14:29]
<notmorgan> He is almost never online with overlap with me so when he asks these questions it is by proxy. [14:30]
<rodrigods> ++ [14:31]
<SamYaple> did the reseller domains-are-projects stuff get implemented in time for mitaka? [14:48]
<rodrigods> SamYaple, yes sir [14:49]
<SamYaple> rodrigods: ok sweet. i have some experimenting to do then. thanks [14:50]
<rodrigods> SamYaple, it might help you: https://review.openstack.org/#/c/285541/ [14:50]
<patchbot> rodrigods: patch 285541 - tempest - Add parent_id to create_project [14:50]
<SamYaple> thanks rodrigods looking. might pop back with a question or two [14:52]
<rodrigods> SamYaple, yw :) [14:53]
<SamYaple> rodrigods: do you know how well this plays with ldap and multi-domains? [14:55]
<rodrigods> SamYaple, ldap for identity? [14:55]
<SamYaple> yea [14:55]
<rodrigods> should have no difference at all [14:56]
<SamYaple> cool [14:56]
<openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: Added app for policy enforcement https://review.openstack.org/317529 [15:01]
<yolanda> notmorgan, i prepared a new patch for keystoneauth: https://review.openstack.org/320340 [15:17]
<notmorgan> yolanda: cool. [15:18]
<notmorgan> yolanda: oh much better not using re.sub [15:19]
<yolanda> notmorgan, i prefer that way also [15:23]
<henrynash> notmorgan: I know I need an irc bouncer….just never manage to make it work [15:24]
<notmorgan> henrynash: ask stevemar, he helped topol set one up [15:25]
<bknudson> henrynash: I've got an irc bouncer on a softlayer. I tried to set one up on BlueMix but I always get errors. [15:25]
<topol> henrynash, stevemar I think wrote an opentech article on how to do this [15:26]
<henrynash> topol: nice! [15:26]
<samueldmq> I just have tmux + weechat on a server [15:26]
<topol> henrynash https://developer.ibm.com/opentech/2016/02/16/creating-a-new-virtual-machine-on-bluemix/ [15:26]
<lbragstad> henrynash https://github.com/dhellmann/ansible-znc-on-znc [15:27]
<topol> henrynash whoops! This one: https://developer.ibm.com/opentech/2016/01/21/openstack-development-tips-setting-up-a-znc-bouncer/ [15:27]
<henrynash> notmorgan: so (in non irc bouncer mode….aka…RT)….wanted to check in with you to see if you are looking to drive the microversions…or if you wanted someone else to…I’ve basically re-written the spec (i.e. translated the nova approach into a keystone one) [15:28]
* topol I'm a little too fast on the trigger today [15:28]
<henrynash> topol, lbragstad: thx [15:28]
<notmorgan> henrynash: unfortunately i wont have time to write it [15:28]
<notmorgan> henrynash: i am working to ramp up on zuul and nodepool. [15:28]
<notmorgan> henrynash: as that is my "what i am being paid for" job [15:29]
<henrynash> notmorgan: Ok, I’m up for it (since I need the functionality for the changes I want)….so OK if I take it? [15:29]
<notmorgan> henrynash: please do [15:29]
<henrynash> notmorgan: Ok, will do [15:29]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Microversions https://review.openstack.org/315180 [15:33]
<ayoung> notmorgan, are you following up on the tempest failures on the Tree Killer patch? [16:12]
<notmorgan> ayoung: been looking at it. something weird. i think tempest is doing something fundamentally wrong [16:13]
<ayoung> notmorgan, but it passed without caching, right? [16:13]
<notmorgan> ayoung: since its not consistent, it's ~4-5 failures. [16:13]
<notmorgan> ayoung: not sure actually. [16:13]
<ayoung> notmorgan, patch set 9 had no cache, and it passed [16:13]
<ayoung> I think it is us [16:13]
<ayoung> what would cause the token to be improperly marked as revoked, but only if it is cached? [16:14]
<notmorgan> ayoung: only if the events are cached. [16:14]
<ayoung> so lets look at the types of revocations in the failing tests... [16:14]
<ayoung> are they all in teardown?  It means the token for the admin user running the test is invalid at the end [16:15]
<notmorgan> nope. [16:15]
<notmorgan> mostly in setup [16:15]
<notmorgan> afaict [16:15]
<ayoung> http://logs.openstack.org/52/311652/16/check/gate-tempest-dsvm-full/861709f/console.html [16:16]
<ayoung> its in tear down, one failure [16:16]
<notmorgan> looking at the others it was mostly setup [16:16]
<notmorgan> meh screw it [16:16]
<notmorgan> just kill the caching [16:16]
* notmorgan is done battling this. [16:16]
<ayoung> http://logs.openstack.org/52/311652/16/check/gate-tempest-dsvm-postgres-full/df5e8a1/console.html was a mix [16:17]
<ayoung> caching should be viable here. [16:18]
<notmorgan> and drive towards direct SQL queries. [16:18]
notmorganwe can deal with adding caching back in at that point16:18
ayoungnotmorgan, OK, I'll take this one back over16:19
notmorganjust reset to pre-caching fix16:19
notmorganand get it to pass.16:19
ayoungI think I can fixthe caching.  Give me a few minutes16:19
notmorgannot worth it really if we're moving towards direct sql16:20
ayoungI think it is bleed over between tests.  But how does caching  do that16:20
ayoungnotmorgan, we are not 100% in agreement there yet16:20
notmorganin tempest state is preserved16:20
ayoungI have my doubts still16:20
notmorgannot between tests but in the services16:20
ayoungright, and that should be acceptable.  Caching should not break things16:20
notmorganand a DB query is low cost if you are matching indexes.16:21
notmorganloading the events into ram and making python string match isn't going to be that effective.16:21
notmorganits simpler to just lean on sql.16:22
notmorganor well the driver16:22
notmorganthe logic shouldn't be in the manager16:22
notmorganlet the driver implement the matching, either in python *or* in sql query16:22
notmorganjust push that logic out of the manager: .is_revoked(token_data)16:23
ayoungnotmorgan, that's the Problem!  The query flushes expired events.  Caching holds on to them16:23
ayoungwe are matching events that should be expired....let me look at the logic16:24
notmorganwhich means... we aren't properly matching events16:24
*** dmk0202 has quit IRC16:24
*** ig0r_ has quit IRC16:24
ayoungnotmorgan, right16:25
*** knikolla has left #openstack-keystone16:25
*** knikolla has joined #openstack-keystone16:26
lbragstadso making the is_revoked() method a driver call16:27
notmorganayoung: i think you need to check the issued_before earlier16:27
lbragstadand smarter16:27
notmorganayoung: and this might be back to subsecond issues16:28
*** catintheroof has quit IRC16:28
notmorganayoung: or just do a if now > event.expires_at return false?16:29
notmorganlbragstad: that is my view.16:29
rodrigodsnotmorgan, ayoung, log the reason why the event is being revoked?16:29
rodrigodsalong the values16:29
notmorganlbragstad: so the driver can do something like .query()16:30
notmorganayoung: ... what is this line: event.role_id != role for role in roles16:31
notmorganis that just an optimisation to avoid another nested for?16:31
notmorganoh its in all()16:31
notmorgannvm16:31
notmorganayoung: are you sure all() is correct not any() in a bunch of these cases?16:32
notmorganayoung: e.g.16:33
notmorganif all(event.user_id != token_values[attribute_name]16:33
notmorgan               for attribute_name in ['user_id', 'trustor_id', 'trustee_id']):16:33
notmorgan            return False16:33
notmorganor is it because you're doing a !=?16:33
*** phalmos has quit IRC16:33
*** phalmos has joined #openstack-keystone16:34
*** TxGVNN has quit IRC16:35
*** alex_xu has quit IRC16:35
*** sdake_ has joined #openstack-keystone16:35
*** GB21 has quit IRC16:36
*** GB21 has joined #openstack-keystone16:37
*** cheran has joined #openstack-keystone16:38
*** sdake has quit IRC16:38
ayoungnotmorgan, damnit now you have me thinking in circles16:38
notmorganayoung: sorry, just kill the cache to start.16:38
notmorganayoung: lets just readd it later.16:38
ayoungnotmorgan, nah, its the list going in.  I can fix this.16:38
*** alex_xu has joined #openstack-keystone16:38
rodrigodsayoung, all attributes are set in token_values[]?16:40
rodrigodsit may result in a key error16:40
ayoungrodrigods, maybe, but I bet this is it16:41
ayounghmmmm16:41
ayoungnotmorgan, does tempest do any flushing of the database tables, like revoke events, or anything like that?  It doesn't, right?16:44
notmorganno16:44
notmorganit does not16:44
ayoungtoken expire is not going to be an issue.16:44
*** mvk has quit IRC16:45
ayoungwhat is the query we do to refetch...http://git.openstack.org/cgit/openstack/keystone/tree/keystone/revoke/backends/sql.py#n6616:46
ayoungso we might have deleted an old event16:46
openstackgerritRon De Rose proposed openstack/keystone: Config settings to support PCI-DSS  https://review.openstack.org/31467916:47
notmorganayoung: but that shouldn't matter. when we issue a new event we invalidate the cache16:47
notmorgan(after new event, and after _prune)16:47
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements  https://review.openstack.org/31428416:48
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS Password strength and change password requirements  https://review.openstack.org/32015616:48
notmorganayoung:     def revoke(self, event):16:48
notmorgan        self.driver.revoke(event)16:48
notmorgan        REVOKE_REGION.invalidate()16:48
*** daemontool_ has quit IRC16:49
notmorganayoung: so we revoke, which prunes, then invalidates16:49
notmorganunless you must rely on event_list being pre-filtered ? but that seems... incorrect?16:49
*** daemontool_ has joined #openstack-keystone16:49
ayoungnotmorgan, we still prune on fetch16:49
notmorganno. we don't16:49
notmorganif we do, then we have a regression16:49
ayoungOk16:49
ayoungum16:50
ayounghmmm16:50
notmorganunless we use last_fetch16:50
notmorganand afict we dont16:50
ayoungthe cache might be right, and the cacheless might be in error16:50
ayounglast_fetch...16:51
notmorganthat was the api thing16:51
ayoungthat was assuming there was a built list16:51
ayoungright16:51
notmorganlike i said, don't think we use it16:51
ayoungneed to ignore that16:51
*** harlowja has joined #openstack-keystone16:51
notmorganso, i don't know how the cache is wrong and the .... wait.16:51
ayoungwe might have been dropping events16:51
notmorganlet me try something.16:52
*** daemontool_ has quit IRC16:53
openstackgerritMorgan Fainberg proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165216:54
openstackgerritMorgan Fainberg proposed openstack/keystone: WIP TESTING  https://review.openstack.org/32057316:54
notmorganayoung: ^ i'm disabling the context cache there16:54
notmorganif that passes the issue is in serialize/deserialize of the event.16:54
notmorganayoung: also... free rebase.16:54
notmorganon your patch16:54
notmorganwe need to wait for zuul now.16:55
*** tonytan4ever has quit IRC16:55
ayoungnotmorgan, yep, I would believe it was serialize/deserialize16:55
notmorganayoung: which means if we don't use the .to_dict() bit instead properly serialize the datetime object it should be fine16:56
ayoungif that is the case, I should be able to write serialization tests that show it16:56
notmorgansince msgpack can properly handle a datetime object16:56
*** diazjf has quit IRC16:57
*** ddieterly is now known as ddieterly[away]16:58
*** roxanaghe_ has joined #openstack-keystone16:58
*** roxanaghe has quit IRC17:01
*** ddieterly[away] is now known as ddieterly17:02
ayoungnotmorgan, ok, I see how to_dict is to blam17:04
ayounge17:04
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548717:04
*** darosale has quit IRC17:05
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users  https://review.openstack.org/30548717:05
ayoungnotmorgan, and the solution has fewer lines of code17:06
notmorganayoung: anyway.17:07
ayoungnotmorgan, I need to get used to running tox -epy34 ...17:08
notmorganayoung: i had to compile py34 :(17:08
notmorganayoung: my laptop has 35 only, though afaik py34 -> 35 is compat17:08
notmorganbut 35 -> 34 isn't17:08
notmorgan(always)17:09
ayoungImportError: No module named 'ldap'17:09
ayoungso I need pyldap in my venv17:09
*** afred312 has joined #openstack-keystone17:09
notmorganpossibly17:09
openstackgerritayoung proposed openstack/keystone: Replace revoke tree with linear search  https://review.openstack.org/31165217:11
*** roxanaghe__ has joined #openstack-keystone17:11
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS Change password requirements  https://review.openstack.org/32015617:12
notmorganayoung: we'll see17:12
*** pnavarro has quit IRC17:12
*** roxanaghe_ has quit IRC17:15
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS Change password requirements  https://review.openstack.org/32015617:19
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS 8.2.3: Password strength requirements  https://review.openstack.org/32058617:21
*** ayoung has quit IRC17:22
*** ayoung has joined #openstack-keystone17:23
*** ChanServ sets mode: +v ayoung17:23
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.3: Password strength requirements  https://review.openstack.org/32058617:24
*** GB21 has quit IRC17:25
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS Password strength requirements  https://review.openstack.org/32058617:28
*** darosale has joined #openstack-keystone17:28
openstackgerritMerged openstack/keystone-specs: Correct Identity spec for versions response  https://review.openstack.org/32043717:29
*** lhcheng has joined #openstack-keystone17:30
*** ChanServ sets mode: +v lhcheng17:30
*** ayoung has quit IRC17:35
*** ayoung has joined #openstack-keystone17:36
*** ChanServ sets mode: +v ayoung17:36
*** ddieterly is now known as ddieterly[away]17:39
*** lamt has joined #openstack-keystone17:57
notmorganit's that time ...17:58
notmorganajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, jorge_munoz, knikolla, lbragstad, lhcheng, marekd, MaxPC, morgan, nkinder, notmorgan, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tjcocozz, tsymanczyk, topol, vivekd, wanghong, xek17:58
notmorganmeeting!17:58
*** diazjf has joined #openstack-keystone18:01
*** ngupta has quit IRC18:03
*** sdake_ is now known as sdake18:11
*** david-lyle_ has joined #openstack-keystone18:12
*** josecastroleon1 has joined #openstack-keystone18:14
*** jrist has quit IRC18:15
*** jrist has joined #openstack-keystone18:16
*** david-lyle has quit IRC18:16
*** josecastroleon has quit IRC18:16
*** ig0r_ has joined #openstack-keystone18:23
*** shaleh has joined #openstack-keystone18:24
*** ddieterly[away] is now known as ddieterly18:26
*** rcernin has quit IRC18:29
breton_knikolla: sorry, lets talk after the meeting. I need to run away for 30 minutes now.18:30
knikollabreton_: sure, i’ll be here.18:30
breton_knikolla: (we shall probably not have time at the meeting anyway, because i forgot to add it to agenda)18:30
knikollabreton_: no worries, too many topics already.18:31
*** clenimar has joined #openstack-keystone18:39
samueldmqrodrigods: congrats, well deserved18:40
rodrigodsthanks samueldmq :)18:43
*** pushkaru has quit IRC18:45
*** pushkaru has joined #openstack-keystone18:46
*** links has quit IRC18:48
*** ddieterly is now known as ddieterly[away]18:51
*** markvoelker_ has joined #openstack-keystone18:57
*** markvoelker has quit IRC18:59
*** markvoelker has joined #openstack-keystone19:00
ayounglbragstad, OK, so the FAQ misses the critical question:  how do you transport keys19:01
jamielennoxayoung: you think it's a reasonable request to have users specify ids?19:01
lbragstadayoung we can certainly add it19:01
shalehdstanek: I could see a workflow driven by Puppet / Ansible that adds a new project / role / whatever and triggers a DB push to remote regions19:01
ayoungjamielennox, and admin user?  yes19:01
gyee++19:01
jamielennoxshaleh: that's way too much like doing our own replication handling19:01
ayoungjamielennox, its an administrative workflow, and I could see making a separate microservice to do it19:01
agrebennikovayoung, jamielennox it worked in v219:01
*** tonytan4ever has joined #openstack-keystone19:01
jamielennoxagrebennikov: it did?19:01
agrebennikovyea19:02
ayoungjamielennox, yep19:02
shalehjamielennox: but Keystone would not be part of it19:02
shaleh100% external to it19:02
agrebennikovso one of our largest customers uses exactly this workflow19:02
ayoungjamielennox, tenantId was an optional param19:02
*** markvoelker_ has quit IRC19:02
agrebennikovright19:02
bknudsonDid you consider K2K federation for multi datacenter?19:02
bknudsonor even regular federation19:03
ayoungso, let's say we do it as a separate service.  Would anything call it besides keystone/CMS?19:03
agrebennikovbknudson, I don't need it in this particular case since I'm usually allowed to directly call to ldap19:03
ayoungbknudson, K2K needs this.  Otherwise, you end up with users but no projects in the remote keystone19:03
agrebennikovayoung, federation brings much more mess19:04
gyeewhat's stopping you from mapping projects?19:04
ayounggyee, to what?  There are none there until you create them19:04
ayoungand we have no autoprovisioning workflow19:04
gyeeayoung, you saying shadowing projects?19:04
agrebennikovfederation unfortunately is only about auth19:04
jamielennoxagrebennikov: so what's the harm with replicating databases to the datacenter?19:04
bknudsonI'm thinking essentially what gyee is. The projects don't have to have the same ID.19:05
*** ddieterly[away] is now known as ddieterly19:05
*** diazjf has quit IRC19:05
agrebennikovjamielennox, again as I said - we want to keep dbs as separate as possible. You may break one peer and it will replicate error to anothers19:06
shalehbut how often are you adding / removing projects? Once a day? an hour?19:06
agrebennikovdepends19:06
agrebennikovif there is a CI set up - quite often19:06
shalehagrebennikov: ok, so DB is separate but somehow in sync?19:06
bknudsonuse K2K then you can keep your dbs totally separate19:06
*** diazjf has joined #openstack-keystone19:06
gyeeexactly19:06
openstackgerritKristi Nikolla proposed openstack/keystone: WIP - Devstack plugin for Federation  https://review.openstack.org/32062319:06
gyeek2k gives you the flexibility in upgrade as well, upgrade each datacenter *separately*19:07
agrebennikovafaik they just create projects from some central point19:07
agrebennikovk2k what?19:07
amakarovagrebennikov, keystone to keystone federation19:08
shalehagrebennikov: right. Call that "home". Once home is tested you initiate a push to remote regions. Where is the issue?19:08
dstanekagrebennikov: how do you prevent propagating bad data even if you use a manual sync process?19:08
breton_knikolla: nice stuff ^19:08
agrebennikovdstanek, because I do not deal with the DB directly - I just make api calls19:08
knikollabreton_ thanks!19:09
agrebennikovand I cannot bring the entire thing down19:09
dstanekagrebennikov: what do you mean by 'bring it down'?19:09
knikollabreton_: i’ve been working from my local git repo till now.19:09
breton_knikolla: have you seen my stuff? https://github.com/bretonium/devstack-plugin-federation-test19:10
*** BigWillie has quit IRC19:10
breton_knikolla: i will join you starting monday19:11
agrebennikovbreak keystone db across all regions because something happened in one19:12
knikollabreton_: i’m checking it now.19:12
dstanekagrebennikov: 'break' meaning bad data?19:12
shalehagrebennikov: right. The process would be: add project to Keystone. Test it exists. Initiate DB sync using external process.19:12
shalehagrebennikov: this is wrapped in Puppet / Ansible / whatever to provide sanity and automation19:13
breton_knikolla: the config files there are bad and really just placeholders19:13
knikollabreton_: i see that that is quite a bit of overlap.19:14
agrebennikovdstanek, yeah. Our folks had a downtime across 80 regions because something went wrong in one of them and all global keystone db got broken19:14
knikollabreton_: there*19:14
knikollabreton_: i started from existing automation in ansible/python, so it wasn’t too hard.19:14
shalehagrebennikov: failure in testing19:14
*** tqtran has joined #openstack-keystone19:14
agrebennikovdstanek, this is why they decided to Not replicate keystone db ever anymore19:14
knikollabreton_: and devstack had some pretty amazing functions.19:14
dstanekagrebennikov: so if you insert bad data and then replicate bad data over *APIs* how are you safe?19:15
*** sheel has quit IRC19:15
breton_knikolla: we have existing automation in ansible in the gates?19:15
*** shaleh is now known as shaleh|away19:15
agrebennikovdstanek, no, if you have the db issue in one place it doesn't affect others - we only use api calls to keystone since that time19:16
*** mfisch has joined #openstack-keystone19:16
*** mfisch is now known as Guest9293719:16
knikollabreton_: https://github.com/knikolla/ansible-k2k nope, my scripts19:16
dstanekagrebennikov: what kind of DB issue did you have?19:16
dstanekknikolla: oh, interesting. i have something similar19:16
*** rderose_ has joined #openstack-keystone19:16
bknudsonhttps://review.openstack.org/#/c/193894/24/lib/keystone is gating on devstack, so the catalog will have keystone on /identity rather than :500019:16
patchbotbknudson: patch 193894 - openstack-dev/devstack - Use path-mounted keystone when running in httpd19:16
agrebennikovdstanek, you need technical details? :)19:16
dstanekagrebennikov: yes, otherwise i can't help19:17
bknudsonagrebennikov: are you talking about a distributed galera?19:17
*** rk4n has quit IRC19:17
agrebennikovdstanek, that is not my personal area of responsibility.... bknudson yeah19:17
breton_knikolla: have you been at the summit?19:17
knikollabreton_: yes19:18
bknudsonwe have had issues here with distributed galera too.19:18
*** rk4n has joined #openstack-keystone19:18
*** Guest92937 is now known as mfisch19:18
agrebennikovdstanek, but it ended up with keystone to stop responding across all sites19:18
*** mfisch has quit IRC19:18
*** mfisch has joined #openstack-keystone19:18
agrebennikovdstanek, this is not the current point though19:18
amakarovbknudson, galera was made for zero lag envs19:18
dstanekbknudson: what is IBM doing now in their public cloud?19:19
breton_knikolla: i wasn't :) so i was wondering what you decided there19:19
*** rderose has quit IRC19:19
bknudsondstanek: my understanding is we still have distributed galera but there's a master datacenter and the rest are read-only. I haven't totally figured out the architecture yet.19:19
bknudsonin the previous incarnation we tried to have multiple masters and wound up split-brain when australia links went away19:20
*** sdake has quit IRC19:21
agrebennikovbknudson, in general case everybody is allowed to write and the write will be replicated to all members. bknudson this is a second challenge^^19:21
agrebennikovusually in one dc you have 3 members of galera19:21
knikollabreton_: https://etherpad.openstack.org/p/newton-keystone-testing the notes are here. it wasn’t entirely clear, as is usual with design sessions. but basically we decided to build the plugins for devstack. and for some reason k2k and federation were treated as separate things regarding the plugins.19:21
agrebennikovnow if you have 2 dcs you have 6 members19:21
*** sdake has joined #openstack-keystone19:21
agrebennikovbknudson, if you lose connectivity between the dcs for some reason - boom19:22
bknudsonagrebennikov: right, this is exactly what the charts showed for us... maybe it was a reference architecture.19:22
agrebennikovbknudson, this is why you have to introduce arbitrators etc19:22
knikollabreton_: then, there would be a single gate which tested everything. (i’m not entirely convinced by this)19:23
agrebennikovand then you have only one main dc when all others get frozen if they are disconnected19:23
bknudsonso if there's a break in the 2 dcs you have 2 groups of 3 and no quorum19:23
agrebennikovbknudson, exactly19:23
bknudsonI believe we've chosen the one main dc architecture since split-brain was too painful19:23
gyeewe had to use arbitrators for mongo as well19:24
agrebennikovbknudson, this is why it was decided to demolish global galera and replicate stuff through api (create and delete)19:24
*** rk4n has quit IRC19:24
bknudsonansible should make it pretty easy to replicate across dcs19:24
agrebennikovthis is how you can guarantee that dcs are independent19:25
bknudsonif you use k2k then ansible can set up the mapping, etc.19:25
knikollalong live ansible!19:25
bknudsonI haven't tried any of this so am speculating.19:25
breton_knikolla: that's what we decided at the previous meeting19:26
agrebennikovbknudson, we don't want to introduce federation at this point. It is very unclear for the customer, while direct connection to ldap is much more straightforward19:26
breton_knikolla: before the summit19:26
bknudsonit's not federation of IDs it's federation of keystone tokens19:26
breton_knikolla: ok then! i'll be back in a week and will review/code some things regarding it19:26
bknudsonyou take a token in DC1 and translate it into a token in DC219:27
*** mvk has joined #openstack-keystone19:27
breton_knikolla: nice to see that i am not the only one working on it!19:27
agrebennikovbknudson, so this is trusts then19:27
agrebennikovno?19:27
knikollabreton_: thanks! that would be really helpful!19:27
knikollabreton_: enjoy your time ff19:27
bknudsonagrebennikov: you have to set up a trust relationship between the two DCs.19:27
knikollaoff*19:27
bknudsonand a mapping between stuff in DC1 to stuff in DC2.19:28
gyeebknudson, we need to make one more enhancement to federation, right now you cannot directly get a project-scoped token19:28
gyeeit has to start with an unscoped token first19:28
agrebennikovbknudson, don't you think keeping same project ids across dcs is much easier? ;)19:28
knikollagyee: true, but keystoneauth abstracts that.19:29
gyeeknikolla, not really, user cannot directly specify a project-scoped in one shot19:29
bknudsonagrebennikov: Having the same project IDs would make things easier...19:29
bknudsonyou can always make that happen by sneaking into the db.19:30
agrebennikovbknudson, oh, please!19:30
gyeehahahah, sneaking into the db?!!19:30
agrebennikovI have a couple of thousands projects and CI systems on the top19:30
*** sdake has quit IRC19:30
bknudsonif you've got CI then you're in good shape.19:31
*** sdake has joined #openstack-keystone19:31
agrebennikovbknudson, I can agree when you do a PoC env (like I did to make sure same project IDs allow you to bring tokens to other DC)19:31
knikollagyee: through the api that is correct. i was talking about the keystoneauth python library. It makes multiple calls and gets the scoped token after getting the unscoped one. http://paste.openstack.org/show/486755/19:31
agrebennikovbknudson, but I would never allow you to touch the DB in prod19:31
agrebennikovso ayoung, would you like to revisit your review and make custom project IDs working please?19:32
bknudsonwould you call a function in keystone that adds projects?19:34
agrebennikovyes sir19:35
rderose_jamielennox: got a minute?19:36
bknudsonHere's the function: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/core.py#n18919:36
dstanekbknudson: so we're done?19:36
jamielennoxrderose_: yea19:36
rderose_jamielennox: I'm working on a PCI patch that would require a user to change their password if it was expired.  So authentication would fail, Unauthorized("Change password required..."). Something like that.19:36
rderose_jamielennox: But then the client would need to be able to change their password without a token (because authentication fails > expired password).19:36
ayoungagrebennikov, I'm not the one you need to convince.19:36
rderose_jamielennox: I can change the policy.json for the change_password api, but I think the client would still need a token, correct?19:37
ayoungagrebennikov, it was -2ed due to needing a spec etc19:37
jamielennoxrderose_: so the client would default to trying to get a token19:37
jamielennoxrderose_: just because that's what it expects to do19:37
agrebennikovayoung, spec for api feature you mean?19:38
ayoungagrebennikov, yep19:38
rderose_jamielennox: but of course, getting a token would fail because auth failed due to expired password19:38
amakarovrderose_, do you have a patch disabling users after 6 unsuccessful attempts?19:38
jamielennoxrderose_:  you can pass, authenticated=False and interface=AUTH_INTERFACE to get around that19:38
ayoungagrebennikov, pull up my review and look at dolphm 's comment.19:38
jamielennoxso authenticated=False is don't pass a token to the request19:38
agrebennikovayoung, I saw that19:38
rderose_amakarov: not yet19:39
gyeeknikolla, that's good, if we can reduce it to a single roundtrip that would be better19:39
jamielennoxand interface=AUTH_INTERFACE means use the auth_url for the plugin instead of the url from the service catalog19:39
agrebennikovayoung, and this is weird since it was always there until v319:39
rderose_jamielennox: ah, okay19:39
agrebennikovayoung, and now for some reason the wheel has to be reinvented19:39
*** diazjf has quit IRC19:39
*** ig0r_ has quit IRC19:39
ayoungagrebennikov, round and round19:39
amakarovrderose_, I have an urgent customer request for this function, so would you mind if I come up with a CR or some concept?19:40
jamielennoxrderose_: i don't think we've ever had anything in keystoneclient want to use authenticated=False so you might need to plumb that through the manager layer19:40
agrebennikovayoung, sometimes it seems to me you guys are slowing down yourselves just because "bureaucracy should already exist"19:41
rderose_jamielennox: okay19:41
rderose_jamielennox: let me dig into this approach then19:41
knikollagyee: does that need a spec?19:41
jamielennoxsounds good, i'm going to go back to bed for a bit, but ping me with a review if you get there19:42
rderose_jamielennox: cool, thx19:42
gyeeknikolla, yeah, I was going to write one, but time disagrees with me the last few weeks19:43
rderose_amakarov: I'm okay with you working on this, but I'd like you to stay within my design19:43
*** zqfan has quit IRC19:43
amakarovrderose_, ack. which spec should I follow?19:43
rderose_amakarov: #link https://review.openstack.org/#/c/320586/19:44
patchbotrderose_: patch 320586 - keystone - WIP - PCI-DSS Password strength requirements19:44
amakarovrderose_, thanks19:44
rderose_amakarov: so I imagine it should be part of the PasswordValidator class19:44
rderose_amakarov: but let me know if you have other ideas19:44
amakarovrderose_, the problem is that auth is not stateless anymore19:45
amakarovso we have to have a place to store auth states per user19:46
*** diazjf has joined #openstack-keystone19:46
amakarovand we can't extend user model as it's not necessare sql19:46
*** tonytan4ever has quit IRC19:46
amakarovs/necessare/necessary/19:46
*** prometheanfire has joined #openstack-keystone19:47
rderose_amakarov: hmm...  I thought this would be very sql specific19:47
prometheanfire9.0.1 should be on tarballs.openstack.org right?19:47
rderose_amakarov: especially since we won't be writing to ldap19:47
*** gyee has quit IRC19:47
amakarovrderose_, so there are no plans for LDAP?19:48
rderose_amakarov: no, not that I am aware of19:48
bknudsonprometheanfire: 9.0.1 is the latest release according to http://git.openstack.org/cgit/openstack/keystone/?h=stable%2Fmitaka19:48
bknudsonprometheanfire: I think this is a question for #openstack-release19:49
prometheanfirebknudson: the tarball is missing from tarballs.openstack.org19:49
amakarovrderose_, LDAP is widely used, so we can't declare PCI without it19:49
prometheanfirebknudson: ok, I did bring it up in -infra as well19:49
*** timcline has quit IRC19:49
rderose_amakarov: yeah, but again, we're stopping writing to ldap19:49
rderose_amakarov: ldap will be read-only19:49
rderose_so you can be PCI compliant via Federation or sql19:49
rderose_amakarov: it's likely that folks that have LDAP will use federation19:50
rderose_amakarov: once we make federation more powerful that is19:50
amakarovrderose_, let's hope, but right now nobody uses federation in production besides CERN19:50
rderose_amakarov: understand19:51
rderose_amakarov: there will be some PCI options for ldap, auto disable inactive users for example19:52
rderose_amakarov: but not password history rules or change expired passwords because ldap is read-only19:52
amakarovrderose_, yeah, I'll look for a non-keystone solution too19:52
rderose_amakarov: hopefully, we solve much of our federation issues in Newton, so not too far off19:53
*** dmk0202 has joined #openstack-keystone19:54
knikollagyee: i could work on that19:54
amakarovrderose_, the big issue of federation is "overcomplicated" and it's not going to be solved in Newton :)19:55
rderose_amakarov: not totally, but we're hoping to make some big changes.  dstanek is working on this as well19:56
rderose_:)19:56
amakarovrderose_, that's good :)19:57
*** amakarov is now known as amakarov_away19:57
*** prometheanfire has left #openstack-keystone19:58
*** diazjf has quit IRC20:00
*** sdake_ has joined #openstack-keystone20:02
*** sdake has quit IRC20:05
*** jaugustine has quit IRC20:05
*** ddieterly is now known as ddieterly[away]20:06
*** rk4n has joined #openstack-keystone20:07
*** tonytan4ever has joined #openstack-keystone20:10
*** ayoung has quit IRC20:21
*** timcline has joined #openstack-keystone20:23
*** diazjf has joined #openstack-keystone20:25
*** ddieterly[away] is now known as ddieterly20:29
*** rderose_ has quit IRC20:31
*** julim has quit IRC20:35
*** rderose_ has joined #openstack-keystone20:38
*** pushkaru has quit IRC20:40
*** pushkaru has joined #openstack-keystone20:40
*** shaleh|away has quit IRC20:41
rderose_amakarov: I totally misread your message in IRC, I thought you were talking about password history rules, but you were referring to the locking the user after x amount failed attempts20:45
*** gyee has joined #openstack-keystone20:45
*** ChanServ sets mode: +v gyee20:45
rderose_amakarov: sorry, doing too many things at once20:45
rderose_amakarov: this would be included for LDAP and I haven't started it20:46
rderose_amakarov: so feel free to propose something20:46
rderose_amakarov: the only thing we've done for this is set the configuration:20:47
rderose_#link https://review.openstack.org/#/c/314679/20:47
patchbotrderose_: patch 314679 - keystone - Config settings to support PCI-DSS20:47
*** phalmos_ has joined #openstack-keystone20:49
*** diazjf has quit IRC20:50
*** phalmos has quit IRC20:53
*** mou has quit IRC20:55
openstackgerritSean Perry proposed openstack/keystoneauth: Apply a heuristic for product name if a user_agent is not provided  https://review.openstack.org/28817520:56
openstackgerritguang-yee proposed openstack/keystonemiddleware: Determine project name from oslo_config or local config  https://review.openstack.org/32012320:59
*** rcernin has joined #openstack-keystone21:03
*** _amrith_ is now known as amrith21:03
*** ayoung has joined #openstack-keystone21:05
*** ChanServ sets mode: +v ayoung21:05
*** phalmos_ has quit IRC21:06
*** pauloewerton has quit IRC21:06
*** phalmos has joined #openstack-keystone21:07
openstackgerritSean Perry proposed openstack/keystoneauth: Show deprecation when a user_agent is not set  https://review.openstack.org/28964521:08
*** ddieterly is now known as ddieterly[away]21:09
*** gordc has quit IRC21:13
*** haplo37_ has joined #openstack-keystone21:19
*** pushkaru has quit IRC21:19
*** pushkaru has joined #openstack-keystone21:20
*** ddieterly[away] is now known as ddieterly21:20
*** amrith is now known as _amrith_21:20
*** ddieterly has quit IRC21:21
bknudsonhttps://review.openstack.org/#/c/320670/ in stable/mitaka fixes a problem where the tarballs aren't getting uploaded.21:21
patchbotbknudson: patch 320670 - keystone (stable/mitaka) - Fix post jobs21:21
*** haplo37_ has quit IRC21:24
*** gagehugo has quit IRC21:25
*** dmk0202 has quit IRC21:32
*** sdake has joined #openstack-keystone21:34
*** edtubill has quit IRC21:34
*** ametts has quit IRC21:35
*** dmk0202 has joined #openstack-keystone21:37
*** sdake_ has quit IRC21:38
*** henrynash has quit IRC21:43
*** rcernin has quit IRC21:43
bknudsonhttps://review.openstack.org/#/c/320670/ is +A already so don't bother.21:55
patchbotbknudson: patch 320670 - keystone (stable/mitaka) - Fix post jobs21:55
*** flwang has joined #openstack-keystone21:58
*** timcline has quit IRC22:06
*** dmk0202 has quit IRC22:09
*** darrenc is now known as darrenc_afk22:09
*** sdake has quit IRC22:09
*** pushkaru has quit IRC22:09
*** pushkaru has joined #openstack-keystone22:13
*** darrenc_afk is now known as darrenc22:16
*** sdake has joined #openstack-keystone22:19
*** spzala has quit IRC22:22
*** spzala has joined #openstack-keystone22:22
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716922:24
*** darosale has quit IRC22:26
*** spzala has quit IRC22:27
stevemarayoung: poke: https://review.openstack.org/#/c/271135/ needs one last check22:34
patchbotstevemar: patch 271135 - keystone - remove deprecated revoke_by_expiration function22:34
*** rk4n has quit IRC22:42
*** spzala has joined #openstack-keystone22:43
*** edmondsw has quit IRC22:50
*** pushkaru has quit IRC22:53
*** openstackgerrit has quit IRC23:03
*** openstackgerrit has joined #openstack-keystone23:03
*** amakarov_away has quit IRC23:07
*** amakarov_away has joined #openstack-keystone23:07
*** markvoelker has quit IRC23:11
*** david-lyle_ is now known as david-lyle23:12
*** rbridgeman has joined #openstack-keystone23:19
*** roxanaghe__ has quit IRC23:25
*** rderose_ has quit IRC23:32
*** zqfan has joined #openstack-keystone23:38
*** rbridgeman has quit IRC23:48
*** sdake has quit IRC23:55
