Tuesday, 2016-06-07

ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/auth/identity/v3/federated.py#n5400:00
ayoungwait not that00:00
jamielennoxyea, that's what i meant though - they should be provided you shouldn't need them in your own get_options00:01
ayoungkeystoneclient/contrib/auth/v3/saml2.py00:01
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/contrib/auth/v3/saml2.py#n6800:02
ayoungI could have hardcoded protocol to saml2....00:03
jamielennoxit'd be nice if the plugin could in some way default that00:03
jamielennoxanyway, the federated base will give you everything but idp-url, username and password00:04
*** ddieterly has joined #openstack-keystone00:04
ayoungjamielennox, yeah.  It seems strange to be building the URL out of components00:04
jamielennoxayoung: well that bit i don't have much choice over00:05
*** sdake_ has quit IRC00:05
ayoungjamielennox, right.  This was just out of trial and error. Was happy it was so easy00:05
ayoungLet me see what we have in auth right now...00:05
jamielennoxayoung: so don't pop protocol00:06
ayoungjamielennox, where are the entry points for KSA extras?00:06
ayoungyeah...vestige00:06
jamielennoxsame place in setup.cfg00:06
ayoungnot quite...something is strange00:06
jamielennoxoh, so most of them aren't there atm00:06
jamielennoxwe have a problem with listing all plugins where not all the dependencies are available which we still need to sort out00:07
ayounghttp://git.openstack.org/cgit/openstack/keystoneauth/tree/setup.cfg#n25  has something that almost looks like them00:07
ayoungcan we defer the imports until we create the objects?00:08
jamielennoxi thought the separation between loading and object would fix it - it will help00:08
ayoungso just enumerating them will not pull in the dependencies00:08
ayoungwhen you list the objects, you pull in the dependencies.  I was doing this:00:09
jamielennoxwe can either only load the module when the plugin is invoked00:09
jamielennoxso defer the import to the plugin creation point00:09
ayoungimport pkg_resources00:09
ayoung<ayoung> >>> named_objects = {}00:09
ayoung<ayoung> >>> for ep in pkg_resources.iter_entry_points(group='keystoneclient.auth.plugin'):00:09
ayoung<ayoung> ...       named_objects.update({ep.name: ep.load()})00:09
ayoung<ayoung> >>> print named_objects['v3unscopedsaml']00:09
jamielennoxbut that means if you list everything you still see plugins you can't use00:09
ayoungI think I'm OK with that00:09
jamielennoxor we can put like an @property available on the plugins00:09
jamielennoxdefault it to true00:09
jamielennoxkerberos would set available = False whenever it can't load the deps00:10
*** dan_nguyen has left #openstack-keystone00:10
jamielennoxand the iterator would only return plugins that have available=True00:10
ayoungcan you register an entrypoint after the fact?00:10
jamielennoxand anyone doing pkg_resources looping is on their own :)00:10
ayoungjamielennox, if we don't have entrypoints for samls and Kerberos, does that mean we broke federation in Mitaka?00:10
jamielennoxayoung: i don't think so - and it wouldn't work because you could only register it then when the module was loaded00:11
jamielennoxayoung: it means we don't have an upgrade path for them to keystoneauth00:11
ayounghttps://pythonhosted.org/setuptools/pkg_resources.html   Ironic00:11
jamielennoxhowever OSC still hasn't moved00:11
jamielennoxnor has horizon00:11
jamielennox404?00:12
jamielennoxhttps://setuptools.readthedocs.io/en/latest/pkg_resources.html00:12
ayoungwas looking at this section https://setuptools.readthedocs.io/en/latest/pkg_resources.html#id900:13
ayounghttps://setuptools.readthedocs.io/en/latest/pkg_resources.html#locating-plugins00:13
jamielennoxbut to do that you would have to import the module to register the entrypoint and the whole idea is to not have to do that00:13
jamielennoxoh, find_plugins is new i think00:13
jamielennoxbut either way we are wrapping it with stevedore00:14
ayoungadd_entry(entry)00:15
jamielennoxayoung: but where would i call that from?00:16
ayoungjamielennox, no idea..this is all new to me.  It might not be what it looks like00:16
jamielennoxayoung: it would have to be called from somewhere frequently imported like base __init__.py or even loading, but that would mean trying to import all these dependencies even if they're not used00:17
jamielennoxit wouldn't fail, but it would be slow and cause problems for anyone trying to host plugins out of tree00:17
ayoungjamielennox, if we are going to put the plugin into KSA, let's enumerate all of the plugins (even extras) and then fail on loading them if the deps don't match00:17
ayoungIf people yell and scream about that, we'll split them out into their own dependency specific packages00:18
*** markvoelker has joined #openstack-keystone00:20
jamielennoxayoung: that was the KSC approach, the intent with ksa was to bring them into tree and use the extras functionality00:20
jamielennoxlike pip install keystoneauth['kerberos,saml2']00:20
ayoungis extras a thing?00:23
jamielennoxyep00:23
ayounghttp://pythonhosted.org//setuptools/setuptools.html#declaring-extras-optional-features-with-their-own-dependencies  404  Jopy00:23
jamielennoxayoung: it's moved to the readthedocs00:24
ayoungyeah, but the links are different00:24
ayoungso, that doc did not move...its not anywhere now, is it?00:24
*** markvoelker has quit IRC00:25
jamielennoxhttps://setuptools.readthedocs.io/en/latest/setuptools.html#declaring-extras-optional-features-with-their-own-dependencies00:27
ayoungjamielennox, so the entrypoints go in a text file...I don't see how that can be optional00:28
ayoung/usr/lib/python2.7/site-packages/python_keystoneclient_kerberos-0.2.1-py2.7.egg-info/entry_points.txt  has00:28
ayoung[keystoneclient.auth.plugin]00:29
ayoungv3kerberos = keystoneclient_kerberos.v3:Kerberos00:29
ayoungv3fedkerb = keystoneclient_kerberos.v3:FederatedKerberos00:29
ayoungeither they are there or they are not.00:29
jamielennoxdifferent concepts00:29
jamielennoxhttps://github.com/openstack/keystoneauth/blob/master/setup.cfg#L25-L3500:29
jamielennoxwe are then relying on the fact the user installed the correct extras to display the correct plugins00:30
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add available flag to plugin loaders  https://review.openstack.org/32618900:36
jamielennoxayoung, stevemar, crinkle: that ^ would let a plugin opt out of being available if its dependencies were not met00:36
jamielennox(needs tests and a bug)00:37
ayoungjamielennox, so then do we put the entrypoints in setup.cfg, just like the others?00:37
jamielennoxayoung: yes, we have to00:38
ayoungOK00:38
jamielennoxayoung: we still need a list somewhere of the plugins we can iterate over00:38
ayoungOK..I'm with you on this00:38
*** sdake has joined #openstack-keystone00:38
*** r-daneel has quit IRC00:39
jamielennoxi'm not sure if it should be a class property, or just a regular attribute - it probably doesn't matter00:42
ayoungjamielennox, say I wanted to use that...how would I do so?00:42
jamielennoxso taking the kerberos plugin as an example00:42
jamielennoxtry:00:42
jamielennox    import requests_kerberos00:42
jamielennoxexcept ImportError:00:43
jamielennox    HAS_KERBEROS = False00:43
jamielennoxelse:00:43
jamielennox    HAS_KERBEROS = True00:43
jamielennoxthen from the loader00:43
jamielennox@property00:43
jamielennoxdef available(self):00:43
jamielennox    return kerberos.HAS_KERBEROS00:43
ayoungwhere is the loader?00:44
jamielennoxso this is ksa00:44
ayoungyep00:44
jamielennoxatm its https://review.openstack.org/#/c/321814/00:44
patchbotjamielennox: patch 321814 - keystoneauth - Make the kerberos plugin loadable00:44
jamielennoxit was supposed to land in the last release but we found this problem00:44
ayoungah...the one I am supposed to be reviewing instead of jabbering on...00:45
ayoungOK...let me do that00:45
jamielennoxi'm not sure why that's passing tests now00:45
ayoungrippowam puts the federation config in a weird place00:46
jamielennoxoh, they hacked around it https://review.openstack.org/#/c/321814/7/keystoneauth1/tests/unit/loading/test_entry_points.py00:46
patchbotjamielennox: patch 321814 - keystoneauth - Make the kerberos plugin loadable00:46
ayoung/etc/httpd/conf  instead of conf.d00:46
jamielennoxso in this case available might be six.PY2 and kerberos.HAS_KERBEROS00:47
jamielennoxi chased this a while ago, i thought requests_kerberos was py3 now00:48
jamielennoxi had a bug for replacing pykerberos with the gssapi one00:48
jamielennoxand pykerberos fixed itself00:48
ayoungjoy00:51
*** iurygregory_ has joined #openstack-keystone00:58
*** lhcheng has quit IRC01:07
openstackgerritTin Lam proposed openstack/keystoneauth: Fix ClientException message property not set properly  https://review.openstack.org/28575701:07
*** lhcheng has joined #openstack-keystone01:08
*** ChanServ sets mode: +v lhcheng01:08
*** harlowja has joined #openstack-keystone01:08
*** lhcheng has quit IRC01:08
*** lhcheng has joined #openstack-keystone01:09
*** ChanServ sets mode: +v lhcheng01:09
*** anteaya has quit IRC01:10
*** browne1 has quit IRC01:17
*** vint_bra has joined #openstack-keystone01:17
*** jasondotstar has quit IRC01:18
*** tqtran has quit IRC01:19
*** lhcheng has quit IRC01:24
*** ddieterly has quit IRC01:34
*** EinstCrazy has joined #openstack-keystone01:35
*** rmizuno has joined #openstack-keystone01:37
*** sdake has quit IRC01:50
jamielennoxi have no idea how to write a test for this01:54
jamielennoxi think you'd have to patch pkg_resources, but even stevedore tests don't attempt that01:55
*** sdake has joined #openstack-keystone02:11
*** rm_work has quit IRC02:16
*** browne has joined #openstack-keystone02:18
*** sdake_ has joined #openstack-keystone02:18
*** sdake has quit IRC02:20
*** markvoelker has joined #openstack-keystone02:21
*** markvoelker has quit IRC02:26
*** jamielennox is now known as jamielennox|away02:27
*** jamielennox|away is now known as jamielennox02:35
*** TxGVNN has joined #openstack-keystone02:40
ayoungjamielennox, can we just throw it over the wall?02:44
ayoungI mean....its packaging.  it should be a functional test, not unti02:44
ayoungunti02:44
ayoungunit02:44
jamielennoxayoung: i'm thinking maybe, i've got multiple levels of mocks going on and if stevedore changes they'll all break02:44
ayoungunionoinoioinoinoint02:44
ayoungnot worth it02:44
ayoungif this passes the tests, ship it02:45
ayoungmeaning integration tests02:45
ayoungwe have to accept that some aspect of this is going to be tested just by being deployed.02:45
jamielennoxayoung: yea, it's so close... but i don't think it's worth it02:48
*** rm_work has joined #openstack-keystone02:56
stevemarjamielennox: i probably missed some of the conversation here, but for https://review.openstack.org/#/c/326189/ -- its expected that the kerberos and saml plugins override the "available" function by checking if the import was successful?03:00
patchbotstevemar: patch 326189 - keystoneauth - Add available flag to plugin loaders03:00
jamielennoxstevemar: yes03:00
ayoungjamielennox, ok, how do I test that patch?03:00
ayounghttps://review.openstack.org/#/c/321814/03:01
patchbotayoung: patch 321814 - keystoneauth - Make the kerberos plugin loadable03:01
*** sheel has joined #openstack-keystone03:01
ayoungOK  I think I need a domain specific backend for keystone and back it to IPA?03:03
*** richm has quit IRC03:04
*** amrith is now known as _amrith_03:06
*** rm_work has quit IRC03:07
jamielennoxayoung: so for this one i think you need to add the auth_method kerberos to keystone03:07
jamielennoxumm, and then...03:07
jamielennoxi think that gets mapped to external03:07
jamielennoxthis is so long ago03:07
ayoungjamielennox, its ok...I remember this, and I have it in a blog post.  So we need a successful unscoped token request03:09
jamielennoxi'd never recommend anyone set this up this way03:09
jamielennoxi was kind of hoping this plugin could just die with the transition to ksa and we only provide the federated one03:10
jamielennoxbut whatever03:10
*** rm_work has joined #openstack-keystone03:11
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add available flag to plugin loaders  https://review.openstack.org/32618903:14
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make the kerberos plugin loadable  https://review.openstack.org/32181403:14
jamielennoxayoung: try that one03:14
openstackgerritMerged openstack/keystone: Keystone uwsgi performance tuning  https://review.openstack.org/32567703:15
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add available flag to plugin loaders  https://review.openstack.org/32618903:22
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make the kerberos plugin loadable  https://review.openstack.org/32181403:22
*** rmizuno has quit IRC03:23
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make the kerberos plugin loadable  https://review.openstack.org/32181403:29
openstackgerritJamie Lennox proposed openstack/keystoneauth: Add available flag to plugin loaders  https://review.openstack.org/32618903:32
openstackgerritJamie Lennox proposed openstack/keystoneauth: Make the kerberos plugin loadable  https://review.openstack.org/32181403:32
jamielennoxgah, ok that should be good now03:32
*** sdake_ has quit IRC03:38
*** jamielennox is now known as jamielennox|away03:44
*** links has joined #openstack-keystone03:56
*** stevemar changes topic to "Newton Deadlines: http://releases.openstack.org/newton/schedule.html | Midcycle wiki https://wiki.openstack.org/wiki/Sprints/KeystoneNewtonSprint | Meeting Etherpad https://etherpad.openstack.org/p/keystone-weekly-meeting"03:59
*** jamielennox|away is now known as jamielennox03:59
*** stevemar changes topic to "Newton Deadlines: http://releases.openstack.org/newton/schedule.html | Midcycle (July 20-22, San Jose, CA) wiki https://wiki.openstack.org/wiki/Sprints/KeystoneNewtonSprint | Meeting Etherpad https://etherpad.openstack.org/p/keystone-weekly-meeting"03:59
*** rmizuno has joined #openstack-keystone04:06
*** lhcheng has joined #openstack-keystone04:07
*** ChanServ sets mode: +v lhcheng04:07
*** TxGVNN has quit IRC04:07
*** TxGVNN has joined #openstack-keystone04:08
*** woodster_ has quit IRC04:08
*** pcaruana has joined #openstack-keystone04:11
*** markvoelker has joined #openstack-keystone04:22
*** iurygregory_ has quit IRC04:22
*** pcaruana has quit IRC04:24
*** markvoelker has quit IRC04:26
*** pcaruana has joined #openstack-keystone04:34
*** dave-mccowan has quit IRC04:35
*** pcaruana has quit IRC04:40
*** diazjf has joined #openstack-keystone04:42
*** diazjf has quit IRC04:46
*** GB21 has joined #openstack-keystone04:53
*** edtubill has joined #openstack-keystone04:58
*** TxGVNN has quit IRC04:59
*** jaosorior has joined #openstack-keystone05:05
*** GB21 has quit IRC05:12
*** henrynash_ has joined #openstack-keystone05:16
*** ChanServ sets mode: +v henrynash_05:16
ayoungjamielennox, so the kerberos plugin looks useless05:19
ayoungwe need FedKerb  like we have in KC-Kerberos,05:19
*** markvoelker has joined #openstack-keystone05:23
*** vint_bra has quit IRC05:27
*** markvoelker has quit IRC05:27
*** itisha has quit IRC05:30
*** GB21 has joined #openstack-keystone05:31
*** edtubill has quit IRC05:36
*** rcernin has joined #openstack-keystone05:36
openstackgerrithenry-nash proposed openstack/keystone: WIP - Cache fernet tokens the same way we do UUID  https://review.openstack.org/32623405:37
jamielennoxayoung: i would agree05:39
openstackgerrithenry-nash proposed openstack/keystone: WIP - Cache fernet tokens the same way we do UUID  https://review.openstack.org/32623405:39
jamielennoxayoung: i think the straight kerberos plugin like this was an experiment prior to federation working properly05:39
ayoungjamielennox, well, we also broke the ability to use Kerberos with an LDAP backend at some point05:40
ayoungI think it is ID mapping that did it, but I can't get the log file to show it yet05:40
jamielennoxayoung: sigh - how?05:41
ayoungjamielennox, not sure...I am close05:41
jamielennoxthe kerberos plugin is just the external plugin - so that means all external is broken05:41
*** edtubill has joined #openstack-keystone05:48
*** josecastroleon has joined #openstack-keystone05:49
ayoungjamielennox, not quite...I can get curl to work like this05:52
ayoungcurl   -H "Content-Type:application/json" --negotiate -u :  -d  '{ "auth": { "identity": { "methods": ["kerberos"], "kerberos":{}    }    }}' -X POST https://openstack.ayoungosp8.oslab.test/keystone/krb/v3/auth/tokens05:52
*** jaosorior has quit IRC05:52
ayoungand the same thing will work if I change the 'kerberos' method to 'external'05:52
ayoungI just can't get it to work if I call it using05:53
*** jaosorior has joined #openstack-keystone05:53
ayoungexport OS_AUTH_TYPE=v3kerberos05:53
ayoungexport OS_AUTH_URL=https://openstack.ayoungosp8.oslab.test/keystone/krb05:53
ayoungjamielennox, and it no longer dumps out the token request if I pass in --debug, which is really painful05:54
ayoungbut I do know it is not triggering my logging, so no 'kerberos' in the methods, I think05:55
*** roxanaghe has joined #openstack-keystone05:57
jamielennoxwhat are you loading that with?05:57
*** roxanaghe has quit IRC05:58
jamielennoxOSC won't load it, because it's still ksc05:58
ayoungthis is OSP806:00
ayoungso Liberty06:00
ayoungIt works for FedKerb (or it did before I broke the server)06:00
ayoungOK, I need to crash06:01
openstackgerritMerged openstack/oslo.policy: Add equality operator to policy.RuleDefault  https://review.openstack.org/32124206:01
*** lhcheng has quit IRC06:03
*** lhcheng has joined #openstack-keystone06:04
*** ChanServ sets mode: +v lhcheng06:04
*** lhcheng has quit IRC06:04
*** gyee has quit IRC06:05
*** jaosorior has quit IRC06:06
*** jaosorior has joined #openstack-keystone06:07
*** jaosorior has quit IRC06:11
*** jaosorior has joined #openstack-keystone06:12
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Consolidate user agent calculation  https://review.openstack.org/31971706:12
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Simply local_oslo_config handling  https://review.openstack.org/31971606:12
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a Config object  https://review.openstack.org/31971506:12
*** lhcheng has joined #openstack-keystone06:17
*** ChanServ sets mode: +v lhcheng06:17
*** edtubill has quit IRC06:20
*** jaosorior has quit IRC06:21
*** lhcheng has quit IRC06:22
*** jaosorior has joined #openstack-keystone06:24
openstackgerrithenry-nash proposed openstack/keystone: WIP - Add caching for get roles on groups  https://review.openstack.org/32624606:29
*** lhcheng has joined #openstack-keystone06:42
*** ChanServ sets mode: +v lhcheng06:42
*** roxanaghe has joined #openstack-keystone06:58
*** jaosorior has quit IRC07:00
*** jaosorior has joined #openstack-keystone07:00
*** jaosorior has quit IRC07:01
*** roxanaghe has quit IRC07:03
*** markvoelker has joined #openstack-keystone07:23
*** jaosorior has joined #openstack-keystone07:24
*** markvoelker has quit IRC07:28
*** zqfan has joined #openstack-keystone07:28
*** jed56 has joined #openstack-keystone07:34
*** yolanda has joined #openstack-keystone07:52
*** zzzeek has quit IRC08:00
*** roxanaghe has joined #openstack-keystone08:00
*** zzzeek has joined #openstack-keystone08:00
*** roxanaghe has quit IRC08:04
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
openstackgerrithenry-nash proposed openstack/keystone: WIP - Add caching for get roles on groups  https://review.openstack.org/32624608:12
*** lhcheng has quit IRC08:18
*** mvk has quit IRC08:22
*** jaosorior has quit IRC08:23
*** jaosorior has joined #openstack-keystone08:24
*** aurelien__ has joined #openstack-keystone08:28
*** nisha has joined #openstack-keystone08:30
nishahey all!08:31
*** achatterjee has left #openstack-keystone08:34
*** nisha has quit IRC08:42
*** nisha has joined #openstack-keystone08:43
*** wanghua has quit IRC08:45
nishaI am an intern and I am still learning. I would like to know more about - How keystone server provides its services (HTTP APIs) and how keystoneclient queries those APIs (by creating the URLs and doing requests to keystone server).08:46
nishaCan someone please suggest a direction for a newcomer to get more familiar with the keystoneclient and above?08:47
*** mvk has joined #openstack-keystone08:50
*** tesseract has joined #openstack-keystone08:50
*** nisha_ has joined #openstack-keystone08:56
*** nisha has quit IRC08:59
*** nisha_ is now known as nisha09:02
amakarovnisha, welcome, newcomer :) You can review this patch: https://review.openstack.org/#/c/317529/ - despite it's not perfect, it'll give you the understanding of the architecture: how API request is handled09:04
patchbotamakarov: patch 317529 - keystone - Added app for policy enforcement09:04
*** dmk0202 has joined #openstack-keystone09:05
*** TxGVNN has joined #openstack-keystone09:09
odyssey4melbragstad bknudson henrynash_ with regards to https://github.com/openstack/openstack-ansible-os_keystone/blob/master/templates/keystone.conf.j2#L101-L107 the issue we saw, resulting in that being patched in, was only seen on a multi-node keystone build... effectively the catalog cache wasn't flushed/expired from memcache on both nodes when a new catalog entry was written... it was only flushed on the same node09:13
odyssey4me that wrote the new catalog entry09:13
*** aurelien__ has quit IRC09:17
nishaamakarov, thank you, going through it :)09:19
*** markvoelker has joined #openstack-keystone09:24
*** markvoelker has quit IRC09:29
samueldmqmorning keystone09:44
*** mvk has quit IRC09:46
*** mvk has joined #openstack-keystone09:47
*** permalac has joined #openstack-keystone09:57
*** TxGVNN has quit IRC10:02
*** nisha_ has joined #openstack-keystone10:19
*** nisha has quit IRC10:20
*** TxGVNN has joined #openstack-keystone10:20
*** _amrith_ is now known as amrith10:24
*** jed56 has quit IRC10:25
openstackgerritMerged openstack/keystone: Let setup.py compile_catalog process all language files  https://review.openstack.org/31926010:35
*** dave-mccowan has joined #openstack-keystone10:35
*** julim has joined #openstack-keystone10:40
*** GB21 has quit IRC10:45
*** rk4n has joined #openstack-keystone10:46
*** rk4n_ has joined #openstack-keystone10:49
*** GB21 has joined #openstack-keystone10:52
*** rk4n has quit IRC10:53
*** nisha_ is now known as nisha11:12
openstackgerrithenry-nash proposed openstack/keystone: WIP - Add caching for get roles on groups  https://review.openstack.org/32624611:18
*** henrynash_ has quit IRC11:19
*** markvoelker has joined #openstack-keystone11:25
*** yolanda has quit IRC11:28
*** markvoelker has quit IRC11:29
*** nisha_ has joined #openstack-keystone11:30
*** nisha has quit IRC11:31
*** yolanda has joined #openstack-keystone11:31
crinklejamielennox: 321814 is still trying to do kerberos things on py3 :(11:34
crinkleayoung: jamielennox I was using https://review.openstack.org/#/c/276350/ to test the plugin loading11:34
patchbotcrinkle: patch 276350 - python-openstackclient - Moving authentication from keystoneclient to keyst...11:34
*** TxGVNN has quit IRC11:43
*** TxGVNN has joined #openstack-keystone11:44
*** markvoelker has joined #openstack-keystone12:06
*** rodrigods has quit IRC12:09
*** rodrigods has joined #openstack-keystone12:09
*** rk4n_ has quit IRC12:10
*** zqfan has quit IRC12:13
*** nisha_ has quit IRC12:19
*** nisha_ has joined #openstack-keystone12:19
*** rk4n has joined #openstack-keystone12:23
*** GB21 has quit IRC12:23
*** amrith is now known as _amrith_12:35
samueldmqcrinkle: hi12:36
*** gordc has joined #openstack-keystone12:36
samueldmqcrinkle: that's odd, you evaluate six.PY2 to define the value of 'available' property for the plugin12:37
samueldmqcrinkle: so it shouldn't be running on py312:37
*** EinstCrazy has quit IRC12:41
*** EinstCrazy has joined #openstack-keystone12:41
*** EinstCrazy has quit IRC12:46
*** links has quit IRC12:51
*** links has joined #openstack-keystone12:52
*** pauloewerton has joined #openstack-keystone12:55
*** edmondsw has joined #openstack-keystone13:01
samueldmqcrinkle: https://review.openstack.org/#/c/321814/11/keystoneauth1/extras/kerberos/__init__.py was raising ImportError at import time before13:04
patchbotsamueldmq: patch 321814 - keystoneauth - Make the kerberos plugin loadable13:04
samueldmqcrinkle: and isn't anymore13:04
samueldmqcrinkle: ImportError was caught here https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/tests/unit/extras/kerberos/test_v3.py13:04
samueldmqwhich was skipping the tests for py313:04
*** richm has joined #openstack-keystone13:07
*** edtubill has joined #openstack-keystone13:09
*** r-daneel has joined #openstack-keystone13:11
bknudsonodyssey4me: the cache is never flushed on multi-nodes. This is just how caching works.13:12
bknudsononly the node where the change happened sees the change until the cache timeout13:12
*** jaosorior has quit IRC13:15
*** jaosorior has joined #openstack-keystone13:16
*** r-daneel has quit IRC13:24
*** doug-fish has joined #openstack-keystone13:25
*** sdake has joined #openstack-keystone13:27
*** nisha has joined #openstack-keystone13:28
*** frontrunner has joined #openstack-keystone13:29
*** nisha_ has quit IRC13:30
*** richm has quit IRC13:30
*** henrynash_ has joined #openstack-keystone13:32
*** ChanServ sets mode: +v henrynash_13:32
henrynash_lbragstad: hi13:33
*** sdake_ has joined #openstack-keystone13:34
*** sdake has quit IRC13:36
*** r-daneel has joined #openstack-keystone13:36
*** edtubill has quit IRC13:39
*** nisha has quit IRC13:43
*** vint_bra has joined #openstack-keystone13:52
*** vint_bra has quit IRC13:53
*** ametts has joined #openstack-keystone13:53
odyssey4mebknudson yeah, so the trouble is that when you add a new catalog entry, no other nodes can see the new entry until the cache timeout13:53
*** rderose has joined #openstack-keystone13:59
*** _amrith_ is now known as amrith14:02
*** richm has joined #openstack-keystone14:02
shewlesshello. I'm trying to create an identity provider in keystone. I'm getting this error.. I'm using shibboleth as my sp to my enterprise ip. Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. Internal Server Error (HTTP 500)14:05
shewlesswould someone be able to help?14:06
*** edtubill has joined #openstack-keystone14:09
dstanekshewless: you'll have to look in the keystone log to find the error14:09
*** jed56 has joined #openstack-keystone14:11
shewless+dstanek: I'm looking at /var/log/*.log and I don't see anything logged when I get this error.14:12
shewlesssorry.. /var/log/keystone/keystone*.log14:13
*** edtubill has quit IRC14:13
shewless+dstanek ..maybe it's in the apache logs? Since I'm using mitaka and wsgi?14:14
dstanekshewless: yes, if you are using apache you likely have /var/log/apache/keystone.log14:15
dstanekerrr...apache2 that is14:16
henrynashsamueldmq: hi14:16
*** chlong has quit IRC14:16
shewless+dstanek: problem loading keystone-wsgi-admin... not sure what this means: http://paste.ubuntu.com/1708926814:17
*** tonytan4ever has joined #openstack-keystone14:17
dstanekshewless: what is /usr/bin/keystone-wsgi-admin on your system?14:18
dstanekoh, and the args already parsed thing. i don't remember what that was14:19
samueldmqhenrynash: hi14:20
shewless+dstanek: not sure what you mean.. the file exists and 'file' says: /usr/bin/keystone-wsgi-admin: Python script, ASCII text executable14:23
henrynash_samueldmq: your comment on https://review.openstack.org/#/c/326246/ - just checking what you were meaning regarding hierarchy changes?14:23
patchbothenrynash_: patch 326246 - keystone - WIP - Add caching for get roles on groups14:23
lbragstadhenrynash_ o/14:24
henrynash_lbragstad: hi14:24
samueldmqhenrynash_: if there is an inherited assignment for a group on a parent project14:25
samueldmqhenrynash_: it will be expanded to its children14:25
henrynash_samueldmq: ah, right, sure….I thought you meant tree structural changes (which I don’t think we support yet?)14:25
samueldmqhenrynash_: if another project is added to its children, the response will change, and by consequence the cache needs to be invalidated14:25
samueldmqhenrynash_: like moving parts of the tree?14:25
samueldmqhenrynash_: no I didn't mean that :)14:26
henrynash_samueldmq: ok, fine…I’m with you then14:26
*** nisha_ has joined #openstack-keystone14:26
samueldmqhenrynash_: ++ thanks for asking14:27
henrynash_lbragstad: any chance you could try out those WIP patches I put up on fernet caching on your performance set up?14:27
lbragstadhenrynash_ yep - I could do that14:27
henrynash_lbragstad: https://review.openstack.org/#/c/326234/ and https://review.openstack.org/#/c/326246/ (which are alternative attempts to fix the same problem)14:28
patchbothenrynash_: patch 326234 - keystone - WIP - Cache fernet tokens the same way we do UUID14:28
patchbothenrynash_: patch 326246 - keystone - WIP - Add caching for get roles on groups14:28
lbragstadhenrynash_ sweet14:29
lbragstadhenrynash i'll give them a shot14:29
*** woodster_ has joined #openstack-keystone14:30
henrynash_lbragstad: great! They’d both need some more work in order to merge, but as they are should show us whether they are curing the issue14:30
lbragstadthat works14:30
dstanekshewless: someone else in here may remember what the args already processed error means and if not i can take a look after my meeting14:30
*** chlong has joined #openstack-keystone14:32
*** frontrunner has quit IRC14:33
*** tonytan4ever has quit IRC14:33
*** KevinE has joined #openstack-keystone14:34
*** sheel has quit IRC14:35
*** sdake_ has quit IRC14:36
*** raddaoui has joined #openstack-keystone14:39
*** mfisch has joined #openstack-keystone14:40
*** mfisch has quit IRC14:40
*** mfisch has joined #openstack-keystone14:40
shewlessanyone remember what this error means: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option?14:49
*** timcline has joined #openstack-keystone14:50
*** frontrunner has joined #openstack-keystone14:53
zigoWhen trying to do:14:55
zigo$ OS_TOKEN=$(openstack token issue -c id -f value) openstack endpoint create --region regionOne keystone public http://117.121.243.212:5000/v2.0 --os-url http://localhost:5000/v314:55
zigoI get: "Unable to establish connection to http://localhost:5000/v3/endpoints"14:55
zigoHas the way to bootstrap keystone changed in Newton b1?14:55
EmilienMnothing changed on this side afik, we didn't change anything in puppet module at least14:59
openstackgerritMerged openstack/keystone: Add caching config for federation  https://review.openstack.org/32551415:01
shewless+dstanek: looks like I might have to wait for you..15:03
*** vint_bra has joined #openstack-keystone15:06
shewlessit's quite possible I'm leaving out some information when attempting to create a provider.. this is what I'm doing:  openstack identity provider create testshib --enable15:07
shewlessdid I miss anything?15:07
dhellmannjamielennox, ayoung : I noticed mention of testing plugins in the scrollback. stevedore includes a class to be used to replace managers in tests, so you can inject the plugins you want. You shouldn't mock pkg_resources, that's too low level. Drop by #openstack-oslo if you have questions.15:08
*** rk4n_ has joined #openstack-keystone15:09
*** vnogin has joined #openstack-keystone15:10
*** rk4n has quit IRC15:12
rodrigodsrderose, are you ok with marking "concrete role assignments" patch as WIP while the fixes aren't ready?15:12
*** vnogin1 has quit IRC15:12
*** tonytan4ever has joined #openstack-keystone15:14
*** rcernin has quit IRC15:17
rderoserodrigods: still thinking about next steps15:17
*** sheel has joined #openstack-keystone15:17
rodrigodsrderose, seems it depends on some fixes?15:17
rderoserodrigods: may decide to move forward with this patch and address boris's issue in a subsequent patch15:18
rderoserodrigods: but will look at it today and decide15:18
rderoserodrigods: what are your thoughts on this?15:18
rderoserodrigods: OS-FEDERATION/projects should be deprecated soon I would think15:19
rodrigodsrderose, we can't merge something that will leave keystone breaking, even if it has a subsequent patch to fix it15:19
*** edtubill has joined #openstack-keystone15:19
rodrigodsrderose, need to check when it has been marked as deprecated15:20
rderoserodrigods: hmm... it wouldn't break keystone15:20
*** itisha has joined #openstack-keystone15:20
rodrigodsrderose, won't it? looks like it breaks websso15:20
rderoserodrigods: yeah, I don't know about Horizon.  But if you assign a federated user a role, the issue is that it's not reflected in OS-FEDERATION/projects15:21
rderoserodrigods: but it would be in auth/projects15:22
rodrigodsrderose, right, the problem is that it breaks the response of that API15:22
rodrigodseven if it is deprecated, we can't break it15:22
rodrigodsthe fix can be fix OS-FEDERATION/projects or remove it, but needs to land before your patch15:23
rderoserodrigods: does it break, or does it simply return a valid response saying the user doesn't have any projects?15:23
rodrigodsrderose, OS-FEDERATION/project should mirror auth/projects15:24
rodrigodsfor this use case, i mean15:24
rderoserodrigods: true.  and keep in mind that shadowing federated users has already been merged and technically, you could still assign a federated user a role.  it just won't work.15:24
rodrigodsrderose, it doesn't work already?15:25
rodrigodsugh15:25
rodrigodsah, ok15:25
rodrigodsgot it15:25
rodrigodslet's check if it can be removed15:25
rodrigodsrderose, yes, it can be removed15:26
rderoserodrigods: removed?15:26
rodrigodsrderose, https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#whats-new-in-version-1115:26
*** links has quit IRC15:26
rderoserodrigods: OS-FEDERATION/projects can be removed?15:27
rodrigodsrderose, yes15:27
rderoserodrigods: SWEET!!!15:27
rodrigodsrderose, let's just confirm in today's meeting and fix python-keystoneclient (and others) that are currently using it15:27
rodrigodsand then remove it15:27
rderoserodrigods: sounds good15:28
*** sdake has joined #openstack-keystone15:28
henrynash_rderose, rodrigods: so I do have a bit of worry about all this….I had imagined that shadow users would be optional….i.e. would only have to use them if I wanted direct user assignment via the keystone API. if we do enhance the mapper to create projects/roles….I wonder if we could do all this with the unique user_id assigned by the mapper, without needing shadow users…15:31
henrynash_rderose, rodrigods: my concern is that today we can use federation tokens and NOT have to have a big user table that would require replication in a multi-datacentre configuration…but now we are forcing people to do this15:32
*** jbell8 has joined #openstack-keystone15:36
*** lifeless has quit IRC15:37
*** GB21 has joined #openstack-keystone15:45
*** lifeless has joined #openstack-keystone15:49
*** BjoernT has joined #openstack-keystone15:51
samueldmqhenrynash: that's also a topic in the meeting today right ?15:52
henrynash_samueldmq: yep15:53
samueldmqhenrynash_: nice15:53
notmorganhenrynash_: FYI even though i am opposed to the bandaid cache fix because it doesn't go far enough, I'd like to just see us commit to a wider fix.15:56
notmorganhenrynash_: and would support the fix as is if we do.15:56
notmorgan(with invalidation code/test added)15:56
henrynash_notmorgan: yep, totally understand15:57
bknudsonnotmorgan: btw, this change made a huge difference in performance - https://review.openstack.org/#/c/272007/15:57
patchbotbknudson: patch 272007 - keystone - Use requst local in-process cache per request (MERGED)15:57
bknudsonit's like 3x better after that one.15:58
notmorganbknudson: not surprised at all15:58
notmorganbknudson: it's just insane we have to battle performance bugs in two code paths.15:58
notmorganbknudson: so we should cache, we should also fix it so we don't have to battle bugs across multiple paths.15:59
bknudsonit's insane to have 2 code paths to begin with15:59
notmorganbknudson: exactly.15:59
bknudsonnot sure if there's a better way to do development. seems like we just take whatever garbage is posted and then hope to fix it up later.16:00
notmorganbknudson: well part of the acceptance of fernet was that we align code for token issuance/validation16:00
bknudsonmaybe we need to take better code to begin with16:00
notmorganbknudson: and that hasn't happened.16:00
rderoserodrigods: you still there?16:01
bknudsony, requiring something to happen in future hasn't been working16:01
*** GB21 has quit IRC16:01
*** gokrokve has joined #openstack-keystone16:02
*** frontrunner has quit IRC16:09
*** frontrunner has joined #openstack-keystone16:12
*** tesseract has quit IRC16:13
*** nisha_ has quit IRC16:17
*** r-daneel has quit IRC16:17
*** nisha_ has joined #openstack-keystone16:18
*** jaosorior has quit IRC16:24
*** jaosorior has joined #openstack-keystone16:24
*** jaosorior has quit IRC16:26
*** r-daneel has joined #openstack-keystone16:26
*** dmk0202 has quit IRC16:30
bretonrderose: rodrigods: wow, let's at least add support to keystoneclient. And then remove in the next cycle. No one has been using /v3/auth/projects for federated tokens since the deprecation, because everybody uses keystoneclient and keystoneclient calls to OS-FEDERATION/projects16:37
zigoWith apache2, I can make keystone work, but with uwsgi, it doesn't (ie: openstack endpoint list fails to connect, for a reason)16:38
zigoCould anyone give me a keystone's uwsgi .ini content to look at?16:38
rderosebreton: yeah, actually I don't think we'll be able to remove OS-FEDERATION/projects API16:39
zigoAlso, this doc: http://docs.openstack.org/developer/keystone/configuringservices.html doesn't provide any path after the hostname. Should we omit the /v3 at the end of URLs from now on?16:39
rderosebreton: however, I think we can simply fix this by including not only the group projects, but the assigned projects as well16:39
rderoserderose: and fixing it in keystone should automatically fix it in keystoneclient, don't you think?16:40
rderose*breton16:40
rderose:)16:40
*** _cjones_ has joined #openstack-keystone16:41
*** tonytan4ever has quit IRC16:41
*** _cjones_ has quit IRC16:41
zigonotmorgan: ^16:42
notmorganzigo: uhm. what error are you seeing, also might recommend doing mod_proxy in front of uwsgi.16:44
*** vint_bra1 has joined #openstack-keystone16:44
zigonotmorgan: The client complains that it cannot connect to /v3/endpoints16:44
notmorganzigo: but i did do a simple uwsgi without the need of a specific ini16:44
notmorganzigo: and it worked.16:44
*** vint_bra2 has joined #openstack-keystone16:44
zigoThough "openstack token issue" works.16:44
rodrigodsbreton, rderose i'm back16:45
zigonotmorgan: What was the command line that you used?16:45
rodrigodswhat's up16:45
notmorganzigo: do you have a keystone entry point in the catalog?16:45
notmorganzigo: s/entry/endpoint16:45
zigonotmorgan: Yup.16:45
notmorgantoken issue works... but the rest doesnt...16:45
notmorganODD.16:45
zigo$ openstack endpoint list16:46
zigoUnable to establish connection to http://127.0.0.1:5000/v3/auth/tokens16:46
zigoThat's what I'm getting, even though the endpoints are on the public IP.16:46
notmorgando you have a uwsgi running on port 5000?16:46
zigoYup.16:46
notmorganand on 35357?16:46
zigoI got 2 instances of UWSGI.16:46
notmorganah16:46
zigoOne for admin, one for public.16:46
notmorganugh.16:46
rderoserodrigods: I sent you a message16:47
* notmorgan wants that to die so hard16:47
notmorgan:P16:47
zigo:)16:47
notmorganbut that aside16:47
notmorganlet me find my uwsgi line16:47
rderoserodrigods: I think I have a fix for concrete role assignments, just need to create a new test case for OS-FEDERATION/projects API16:47
zigohttp://paste.openstack.org/show/508721/ <--- That's what I'm getting.16:47
rodrigodsrderose, great16:48
*** vint_bra has quit IRC16:48
notmorganzigo: netstat -plant | grep 35357 (as root)?16:48
zigouwsgi has 767 options !!! :)16:48
*** vint_bra1 has quit IRC16:48
zigonotmorgan: It's there, and port 5000 too.16:48
notmorganzigo: yes, uwsgi has a bazillion options.16:48
zigoOf course, I checked for that ...16:48
notmorganzigo: on that ip? or internal?16:48
notmorganand 2x check iptables?16:49
zigoOn 0.0.0.016:49
notmorganok16:49
zigoWhich is exactly what I wish to do.16:49
notmorgancool16:49
*** rk4n_ has quit IRC16:49
notmorganright, i figure you have it right, but doesn't hurt to 2x check :)16:49
zigoSure! :)16:49
zigoThanks for helping.16:49
notmorganand stupid question, no typos in the IP address in the endpoints in the db?16:49
zigoNop, as it works with apache.16:50
zigoSo, really, the issue should be my uwsgi params.16:50
notmorganok hm.16:50
*** rk4n has joined #openstack-keystone16:50
notmorganyeah sec. then16:50
notmorganand not using mod_proxy in front of uwsgi?16:50
notmorganjust plain uwsgi?16:50
zigoThe point here, is that I'm using plain uwsgi, so that the daemon starts and I can do stuff in the .postinst to setup endpoints and such.16:50
zigoBut later on, users can modify the .ini to do what they want, and push apache in front.16:51
notmorganso it sounds like the 35357 one is having an issue16:51
notmorganbecause 5000 is where you're getting the token from16:51
zigoI'm using a .ini as it's a CONFFILE, and its config will stay over upgrades, while params in the config file would have been stored in a script, which is less convenient.16:51
notmorganright16:51
notmorganthats fine.16:51
notmorganit shouldn't matter if you're using .ini or cli16:52
notmorgantbh16:52
zigoLooks like uwsgi supports both the same way, indeed.16:52
notmorganmy command line is: uwsgi --wsgi-file <keystone-wsgi-file> --http-socket <correct args for binding> -p <processes>16:53
notmorganit was very very simple16:53
zigoWhats -p for?16:53
notmorgannumber of processes/workers16:53
notmorgane.g. 2 or 4 or whatever16:53
zigoThis looks like a uwsgi 1.x command line, as you don't need a --plugin python option.16:53
zigoAh, right.16:53
zigoI got that too...16:53
notmorgan2.0.13.116:53
zigonotmorgan: Was this on top of Trusty?16:53
zigoAh... :/16:54
zigoThat's Xenial.16:54
notmorganno opensuse, tumbleweed16:54
zigoOh ok.16:54
zigoAnyway, that's 2.x like me.16:54
notmorganalso pip installed16:54
notmorganvs packaged.16:54
notmorganwhich i kind of like that uwsgi can just be pip installed :)16:54
zigoI got 2.0.1216:54
zigoSo, close enough.16:54
notmorgancool. close enough16:54
notmorganyeah16:54
zigo:/16:54
notmorganif you give me a few minutes i can setup a venv for this16:54
notmorganand actually try it.16:54
zigoThat's not helping ...16:55
zigo:(16:55
notmorgani've been working on zuul/nodepool.16:55
zigoWell, thanks, but I don't think that will help.16:55
zigoI'll investigate further alone, IMO.16:55
notmorganok. lmk if i can help, maybe replicate your ini/env?16:55
openstackgerritMerged openstack/oslo.policy: Add sample file generation script and helper methods  https://review.openstack.org/31424416:56
zigonotmorgan: That's what I have: http://paste.openstack.org/show/508723/16:59
*** r-daneel has quit IRC17:02
stevemarzigo: while you're around... mind commenting on https://review.openstack.org/#/c/326152/17:06
patchbotstevemar: patch 326152 - keystone - Revert "Install necessary files in etc/"17:06
zigostevemar: Would you think that's normal to package config files in /usr/etc ?17:06
zigostevemar: Monty wrote that adding stuff in /etc using PBR is a *bug*, we shouldn't do that.17:07
stevemarzigo: /usr/etc is clearly not right, but i don't disagree with jd about installing keystone in a virtualenv17:10
zigostevemar: Then fight for JD's https://review.openstack.org/#/c/274077/ to be approved first.17:10
patchbotzigo: patch 274077 - openstack-dev/pbr - Add --sysconfdir option to install command (ABANDONED)17:10
*** mvk has quit IRC17:11
zigostevemar: Until it's done, then https://review.openstack.org/#/c/320880/ broke absolutely all downstream distributions: RDO, SuSE, Ubuntu, Debian, Gentoo ...17:11
patchbotzigo: patch 320880 - keystone - Install necessary files in etc/ (MERGED)17:11
zigostevemar: IMO, the solution is to get 274077 merged, as it looks like it takes too long to get it done "upper in the stack"17:13
*** tonytan4ever has joined #openstack-keystone17:13
zigostevemar: Also, it's likely that Robert Collins won't -2 a patch anywhere again (or did he find another employer after HP?).17:14
*** r-daneel has joined #openstack-keystone17:15
*** jbell8 has quit IRC17:16
*** roxanaghe has joined #openstack-keystone17:18
stevemarzigo: not sure what lifeless' situation is; what do other projects do with these files and virtualenvs?17:24
*** jbell8 has joined #openstack-keystone17:37
*** tonytan4ever has quit IRC17:44
*** lhcheng has joined #openstack-keystone17:47
*** ChanServ sets mode: +v lhcheng17:47
*** lhcheng has quit IRC17:52
*** mvk has joined #openstack-keystone17:53
*** shaleh has joined #openstack-keystone17:56
*** lhcheng has joined #openstack-keystone17:56
*** ChanServ sets mode: +v lhcheng17:56
*** jbell8 has quit IRC17:58
samueldmqcourtesy ping to ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, jorge_munoz, knikolla, lbragstad, lhcheng, marekd, MaxPC, morgan, nkinder, notmorgan, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tjcocozz, tsymanczyk, topol, vivekd, wanghong, xek18:00
*** TxGVNN has quit IRC18:00
*** ebalduf_ has joined #openstack-keystone18:06
*** nisha_ has quit IRC18:06
*** jorge_munoz has joined #openstack-keystone18:09
*** gyee has joined #openstack-keystone18:11
*** ChanServ sets mode: +v gyee18:11
*** mvk_ has joined #openstack-keystone18:14
shewless+dstanek: there?18:15
*** doug-fis_ has joined #openstack-keystone18:15
*** mvk has quit IRC18:17
shewlessI still get this error in keystone.log: http://paste.ubuntu.com/17089268/ after running this command: openstack identity provider create testshib --enable.  I'm not sure if this is a bug or if I'm doing something wrong.  It's been mentioned that there is some bug or known issue with the error.18:18
shewlessThe error seems to be related to "ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option\"18:18
*** doug-fish has quit IRC18:18
*** lucas___ has joined #openstack-keystone18:20
*** lhcheng has quit IRC18:23
*** jbell8 has joined #openstack-keystone18:24
*** rk4n has quit IRC18:25
*** ametts has quit IRC18:27
*** lhcheng has joined #openstack-keystone18:27
*** ChanServ sets mode: +v lhcheng18:27
KevinEhow annoying is it to merge something just to see how jenkins/mirantis fails it and logs it? Is that a pretty standard thing?18:32
shewlessmy "wsgi-keystone-public" configuration says: WSGIProcessGroup keystone-admin18:32
shewlessIs that the right group?18:32
*** gokrokve has quit IRC18:32
KevinEoops wrong channel but I guess someone'll still know18:32
edtubillstevemar: So for django_openstack_auth k2k I added tests for the patch https://review.openstack.org/#/c/159910/. Also, I thought of a different way of approaching k2k authentication in horizon: https://review.openstack.org/#/c/325901. I was wondering if I could get your thoughts on it.18:34
patchbotedtubill: patch 159910 - django_openstack_auth - K2K federation18:34
stevemaredtubill: it's on my list of things to look at18:35
edtubillstevemar: cool.18:36
*** rk4n has joined #openstack-keystone18:37
*** lucas___ has quit IRC18:38
*** lucas___ has joined #openstack-keystone18:39
*** ametts has joined #openstack-keystone18:40
*** lucas___ has quit IRC18:44
*** vint_bra2 has quit IRC18:44
jamielennoxayoung: i haven't got a full list of things but mellon is lacking a lot of functionality from shib18:45
jamielennoxayoung: to the point where i consider them for different use cases18:45
rodrigodsjamielennox, is shib still active?18:47
rodrigodsits development, i mean18:47
shewlessokay guys. If I change /etc/keystone.conf and comment out [auth] methods =  external,password,token,oauth1,mapped,openid then I can create domains, and run openstack commands18:47
jamielennoxrodrigods: afaik yes18:48
shewlessIf I add that "[auth] methods= external,password,token,oauth1,mapped,openid" then I can no longer create domains or really do much.. I keep getting the error "Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. Internal Server Error (HTTP 500)"18:48
shewlessany ideas why that would be? I am attempting to "federate" and I'm following the instructions here: http://docs.openstack.org/developer/keystone/federation/federated_identity.html18:48
dstanekshaleh: i'm planning on trying to push as much as i can upstream to pysaml - so we'll see what happens there18:49
shalehdstanek: yeah, upstreaming can be hard18:49
dstanekshewless: our keystone meeting is almost over - have you been able to get past you args issue?18:49
stevemarshaleh: the pysaml author is pretty good about accepting PRs18:50
ayoungjamielennox, you got a general summary of the differences?18:51
shalehstevemar: good to hear. Some upstreams are no fun to interact with18:51
shewless+dstanek: thanks for asking.  the args issue is directly related to what I posted above. that "[auth] methods = " line in keystone.conf appears to be indirectly causing the args issue18:51
*** shaleh has quit IRC18:51
ayoungby commenting out "[auth] methods" ye get the defaults18:52
shewless+ayoung: yup18:52
ayoungdstanek, apparently mod_auth_mellon can talk to Shib.  What if we had a better configuration tool to make that happen?18:52
shewless+dstanek and +ayoung: so doing this seems to have worked: methods = external,password,token,oauth1,saml2 saml2 = keystone.auth.plugins.mapped.Mapped18:52
ayoungshewless, that looks like a sane config to me18:53
*** shaleh has joined #openstack-keystone18:53
shewless+ayoung it's right from the docs..18:53
dstanekshewless: odd that having openid in there would cause an issue18:53
shewless+dstanek: it's not the openid (I tried with and without)18:53
shewless+dstanek: it's the fact that I tried to put "mapped" on the methods line instead of "saml2" and then call out that "saml2" uses the Mapped plugin18:54
jamielennoxayoung: mostly it's how dynamic they are, so shib will do things like call out to the IDP and fetch all the data you need and refresh all that18:54
jamielennoxayoung: mellon's data is all configured in apache config18:54
*** lucas___ has joined #openstack-keystone18:54
jamielennoxayoung: also shib spawns off a daemon to do all its actual work and there is a small amount of things you can do without restarting apache18:55
shewlessDid I find a bug? Or maybe it's just a "not yet supported feature"? this documentation is just wrong: http://docs.openstack.org/developer/keystone/federation/federated_identity.html18:55
shewlessyou cannot set methods = "mapped" without bad stuff happening18:55
jamielennoxayoung: so if you're running like 1 IDP that really doesn't change much for your org then mellon is great, if you're integrating with a number shib seems to be better18:55
ayoungjamielennox, right, but I think that you can tell apache to reread config for new connections without actually restarting it18:55
*** frontrunner has quit IRC18:58
knikollaayoung: quick question. when a user is removed from a project/role is the token revoked?18:59
dstanekshewless: no idea. i'll have to experiment with it a little18:59
dstanekshewless: but at least you can proceed now19:00
gyeenotmorgan, come to think of it, actually not a bad idea, get the foundation to do a drawing at the end of the cycle for a free trip19:00
gyeethe number of entries is based on the number of code reviews19:00
dstanekshewless: if it's a bug i'll create a bug on launchpad and fix it19:00
notmorgangyee: eh.19:00
notmorgangyee: nope i'm mostly against that.19:00
*** doug-fis_ has quit IRC19:00
dstanekshewless: or you can fix it if you are up for it :-)19:00
notmorgangyee: but you can ask tom fefeild (sp?)19:00
notmorgangyee: he could talk more about that.19:00
gyeeheck we get to draw starbuck gift card for filling out surveys :-)19:00
*** doug-fish has joined #openstack-keystone19:01
*** doug-fish has quit IRC19:01
gyeelittle carrots here and there19:01
*** henrynash_ has quit IRC19:01
*** shaleh has quit IRC19:01
*** doug-fish has joined #openstack-keystone19:01
rodrigodsknikolla, yes ^19:05
*** sheel has quit IRC19:05
*** amrith is now known as _amrith_19:06
knikollarodrigods: cool. thanks, some folks here are doing some security research on keystone and that's what i assumed happens, but wasn't entirely sure.19:06
rodrigodsknikolla, cool, let us know of the results :)19:07
knikollarodrigods: sure :)19:08
*** frontrunner has joined #openstack-keystone19:15
*** lucas___ has quit IRC19:16
*** raddaoui has quit IRC19:17
dstanekshewless: are you able to post your keystone.log file somewhere? or at least the portions with any tracebacks19:18
*** lucas___ has joined #openstack-keystone19:19
*** jayh has joined #openstack-keystone19:20
*** lucas____ has joined #openstack-keystone19:21
*** timcline has quit IRC19:22
*** timcline has joined #openstack-keystone19:23
*** lucas___ has quit IRC19:24
*** lucas____ has quit IRC19:25
*** timcline has quit IRC19:27
*** raddaoui has joined #openstack-keystone19:28
openstackgerritRoxana Gherle proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles  https://review.openstack.org/32228019:28
*** diazjf has joined #openstack-keystone19:29
jayhrodrigods,ayoung: do you know which function to look at to see when the revocation happens after removing a role?19:31
ayoungjayh, you can always look in the database19:31
ayoungthere is no external exposed API19:31
ayoungwell...depends on what version you mean19:32
ayoungactually do we still have the list revocation events api?  don't recall19:32
*** lucas___ has joined #openstack-keystone19:34
*** permalac has quit IRC19:36
*** diazjf has quit IRC19:39
*** diazjf has joined #openstack-keystone19:41
*** timcline has joined #openstack-keystone19:43
*** mkrcmari__ has joined #openstack-keystone19:44
*** rk4n has quit IRC19:44
*** timcline has quit IRC19:45
*** timcline has joined #openstack-keystone19:45
*** mvk_ has quit IRC19:47
*** dan_nguyen has joined #openstack-keystone19:51
*** tqtran has joined #openstack-keystone19:51
*** lucas___ has quit IRC19:52
*** lucas___ has joined #openstack-keystone19:55
*** lucas___ has quit IRC19:57
*** lucas___ has joined #openstack-keystone19:59
ayoungdstanek, your middleware approach is based on the pain you've had dealing with adding an additional IdP to a keystone deployment, right?20:01
*** mvk_ has joined #openstack-keystone20:01
dstanekayoung: basically yes20:02
*** clenimar has joined #openstack-keystone20:04
jayhayoung: I'm not sure I follow re: your DB comment. There is an explicit revocation API (http://developer.openstack.org/api-ref-identity-v3.html#revokeTokens), but I am trying to find where things like "DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}" call it. Any suggestions?20:04
*** mkrcmari__ has quit IRC20:05
*** edtubill has quit IRC20:06
*** lucas___ has quit IRC20:06
ayoungjayh, I'd have to look at the code to remember20:07
ayoungdstanek, so, let's split apart the issues20:07
ayoungYou want to be able to dynamically add a new Idp/protocol (not just saml remember) when it becomes available20:08
ayoungthis means setting up all the metadata, registering the sp with the Idp before you ever tell the webserver anything20:08
ayoungstep two is telling the webserver about the new Idp, which for apache means "copy files and restart"20:09
dstanekayoung: i'm not looking to tell the webserver anything20:09
ayoungif we can drop the "restart" step and instead do a "reread config" it would be better20:09
ayoungdstanek, yes you are20:09
ayoungthe Webserver or whatever processes saml needs config info20:09
ayoungmiddleware is still webserver20:10
dstanekayoung: i'm not sure i like the idea of having our APIs rewrite configs and then restart the service20:10
*** lucas___ has joined #openstack-keystone20:10
ayoungdstanek, are you sure this should be an API call?20:12
*** _amrith_ is now known as amrith20:12
dstanekayoung: i want to have APIs to add the IdP for real (metadata, etc) that way a domain admin can add an IdP and not have to be a cloud admin20:13
*** diazjf has quit IRC20:13
ayoungdstanek, so there is a whole set of applications that are doing just this.  ADFS for example20:14
ayoungI'd rather just remove Keystone all together if we  do that, and let a dedicated app talk direct to nova20:15
ayoungdstanek, that is what Keycloak and Ipsilon were both doing, too.  THis idea of protocol translation.20:17
*** diazjf has joined #openstack-keystone20:18
dstanekayoung: in that world what gets a token?20:20
*** lucas___ has quit IRC20:21
*** lucas___ has joined #openstack-keystone20:22
ayoungdstanek, tokens are really just another protocol, a crappy one at that.  I would drop them, and have a user go SAML direct to Nova, then nova just list mapping and roles for the Idp that came in in process.  Remove Keystone from the users view20:23
ayoungdstanek, the question here is how can we do less inside Keystone itself, and make more general purpose solutions20:23
bknudsonit would be interesting if someone else could recreate what I'm seeing -- when I turn on token caching it looks like the token is never found in the cache for the call to _validate_v3_token, but it is for _validate_token.20:23
ayoungKeystone is way too hard coded into the way people use Openstack, but that also prevents people from using the Keystone DATA in other applications20:24
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494320:24
shewless+dstanek: do you need more than this: http://paste.ubuntu.com/17089268/20:26
*** roxanaghe has quit IRC20:27
shewless+dstanek: once I've got my openstack a bit further on I plan on contributing where I can.  For now there is a lot to learn!20:27
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494320:28
*** diazjf has quit IRC20:28
shewlesson that note is there any "more complete" documentation on federation than this: http://docs.openstack.org/developer/keystone/federation/federated_identity.html20:30
shewlessI'm finding this documentation better in a lot of ways.. but it's still lacking: https://www.ibm.com/support/knowledgecenter/SST55W_4.3.0/liaca/liaca_creating_mappings_for_keystone_service_provider.html20:30
ayoungdstanek, I don't want to stop you hard here, but I think what you are shooting for is outside of what we should do in Keystone proper.  I feel pretty strongly about this, but want to solve the same problem that you do.  Just in a more general pattern.  I know you are a python guy, and thus are pursuing a Python based solution.  mod_mellon is C and Apache specific code.  And Mellon does not have a DB backend, which makes it20:31
ayoung trickier as well, and there would be no API...but this should not be an API problem, everywhere...but I agree it should be an API in Keystone.20:31
ayoungWhat we have does not scale.20:32
*** dan_nguyen has quit IRC20:32
ayoungdstanek, we also have to remember that we have this issue with openidc.   It would scope creep on us.20:33
ayoungwith any other protocols20:33
*** BjoernT has quit IRC20:33
dstanekayoung: it's possible that this could/should grow up to be a standalone replacement for shib/mellon, but first things first. we need something to talk about20:36
dstanekayoung: do you know if you need to use sticky sessions for shib/mellon?20:36
knikolladstanek: whatever direction this goes, i'd love to help.20:36
ayoungdstanek, I do not know.  jdennis ?20:37
dstanekayoung: my goal right now is to get this to work and then get as much out of keystone as possible. then we go from there20:37
ayoungdstanek, my goal is to get everything protocol specific out of Keystone20:38
ayoungwell, one of my goals20:38
dstanekayoung: i also want to solve world hunger and become a minecraft expert20:39
ayoungI can help you on the latter20:39
ayounghttp://shop.oreilly.com/product/0636920036562.do  is awesome20:39
jdennisdstanek: can you define what you mean by sticky session?20:39
*** lucas___ has quit IRC20:40
ayoungdstanek, I just got the call that I am on Kid duty...I will promise to think deeply about this and come up with a way to not roadblock you.20:40
*** lucas___ has joined #openstack-keystone20:40
*** lucas___ has quit IRC20:40
dstanekjdennis: where a load balancer always sends you to the same node20:41
*** rk4n has joined #openstack-keystone20:42
dstanekjdennis: i was wondering how shib prevents replay attacks without the service providers having to share any state20:44
bknudsondevstack configured keystone to connect to memcache on the IP address of the machine, but memcache was only listening on loopback... and there's nothing that tells you that memcache wasn't working at all.20:44
*** ayoung has quit IRC20:44
bknudsonso the performance testing I've been doing for the past few days has been useless.20:45
jdennisdstanek: at the moment mellon only supports sessions in one process, so yes it would have to go back to the same apache instance, but we've talked about adding interprocess session support via something like memcache20:45
dstanekbknudson: memcached is designed to work and not work at the same time. lots o'fail there20:45
bknudsonyes, makes sense but also hard to debug.20:46
dstanekjdennis: i wouldn't use memcache unless it's ok for sessions to be dropped20:46
dstanekbknudson: this is why you get paid the big bucks20:46
dstanekjdennis: ok, that's what i figured20:47
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494320:47
dstanekjdennis: what do you like about mellon over shib?20:48
jdennisdstanek: yeah, memcache has its problems but there are other solutions20:48
*** frontrunner has quit IRC20:49
*** pauloewerton has quit IRC20:50
jdennisdstanek: the decision to use mellon was made prior to my involvement20:53
shewlesshmm. I'm trying to get an unscoped token now and I'm seeing this error. Any ideas? {"error": {"message": "Attempted to authenticate with an unsupported method.", "code": 401, "identity": {"methods": ["external", "password", "token", "oauth1", "saml2"]}, "title": "Unauthorized"}}20:53
*** lucas___ has joined #openstack-keystone20:53
*** lucas____ has joined #openstack-keystone20:54
*** lucas____ has quit IRC20:55
jdennisdstanek: if I recall correctly (always a liability) the primary reason is we wanted to use the same code base for both SP and IdP20:55
*** lucas has joined #openstack-keystone20:56
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494320:56
jdennisdstanek: mellon is based on the Lasso library, so is Ipsilon (an IdP we developed)20:56
jdennisdstanek: there were concerns on the IdP side about supporting a massive Java deployment20:57
*** roxanaghe has joined #openstack-keystone20:58
*** lucas___ has quit IRC20:58
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/32659420:59
*** lhcheng has quit IRC21:00
*** lucas has quit IRC21:00
*** lucas has joined #openstack-keystone21:02
*** clenimar has quit IRC21:02
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32558921:03
*** doug-fish has quit IRC21:03
*** lhcheng has joined #openstack-keystone21:03
*** ChanServ sets mode: +v lhcheng21:03
*** doug-fish has joined #openstack-keystone21:04
*** ayoung has joined #openstack-keystone21:04
*** ChanServ sets mode: +v ayoung21:04
*** doug-fish has quit IRC21:05
*** doug-fish has joined #openstack-keystone21:05
*** lucas has quit IRC21:06
*** diazjf has joined #openstack-keystone21:06
*** edtubill has joined #openstack-keystone21:09
KevinEHow do you get a commit to link a blueprint correctly? Do you just put the link in and have gerrit fix formatting?21:09
*** r-daneel has quit IRC21:09
*** ebalduf_ has quit IRC21:10
*** spandhe has joined #openstack-keystone21:12
*** edtubill has quit IRC21:12
*** edtubill has joined #openstack-keystone21:13
notmorganKevinE: "bp: <bp-name>"21:15
notmorganKevinE: gerrit has magic formatters for that21:15
KevinEnotmorgan: awesome, and what's the format for multiple blueprints on one commit?21:15
notmorganKevinE: one per line21:16
notmorganbp: <bp1>21:16
notmorganbp: <bp2>21:16
KevinEOh I don't do implements: ?21:16
rderosebreton: check out the new patch, it should that issue with OS-FEDERATION/projects: https://review.openstack.org/#/c/284943/21:16
patchbotrderose: patch 284943 - keystone - Concrete role assignments for federated users21:16
*** rderose has quit IRC21:17
*** frontrunner has joined #openstack-keystone21:19
bknudsonlbragstad: I just tried comparing uuid with fernet with memcache configured correctly and now the perf is the same.21:19
bknudsonso I take back everything I said21:20
lbragstadbknudson hah!21:20
lbragstadbknudson just against master?21:20
lbragstador did you test a patch21:20
bknudsonlbragstad: haven't tried master yet. I've got liberty with some extra patches backported.21:20
lbragstadok21:21
lbragstadbknudson so validation is the same?21:21
bknudsonI'll get around to master but would be interesting to see if someone can get the same #s.21:21
bknudsonthis is with fernet (1000 validations * 4 threads): P50/P90: 0.0102944374084/0.0142611265182 min/max: 0.00701904296875/0.503746986389 total: 45.90666008 wall: 11.582424879121:21
bknudsonthis is with uuid: P50/P90: 0.0117950439453/0.0166970491409 min/max: 0.00753307342529/0.0266060829163 total: 49.5508112907 wall: 12.475324869221:21
bknudsonso fernet is a little faster21:21
lbragstadsweet21:22
lbragstadbknudson how were we not getting that before?21:22
notmorganKevinE: meh you can do implements, "bp" is the needed part21:22
lbragstadbknudson what were we doing wrong with caching?21:22
bknudsonlbragstad: memcache was not working at all.21:22
lbragstadbknudson in keystone or configuring it?21:22
bknudsonlbragstad: the system had keystone configured to use hostname:11211 but memcached was only listening on localhost21:22
bknudsonand there's nothing in the logs.21:23
lbragstadhmm - and that is something we do by default?21:23
openstackgerritguang-yee proposed openstack/keystonemiddleware: Support local config options  https://review.openstack.org/32188221:23
bknudsonlbragstad: since this is liberty I had to muck with devstack. Haven't had a chance to see what master does.21:23
bknudsonif master devstack has this same issue21:24
lbragstadbknudson actually - i think dolphm has a bug opened against devstack for that?21:25
bknudsonlbragstad: I don't see any reviews posted in devstack... should be a 1 line change.21:26
*** dan_nguyen has joined #openstack-keystone21:27
*** r-daneel has joined #openstack-keystone21:30
*** dan_nguyen has quit IRC21:31
bknudsonlbragstad: Not sure if this is mentioned already, but I think henrynash change in https://review.openstack.org/#/c/326234/ actually fixes a regression21:31
patchbotbknudson: patch 326234 - keystone - WIP - Cache fernet tokens the same way we do UUID21:31
bknudsonbecause in stable/liberty fernet tokens would be cached just like uuid tokens21:31
*** mvk has joined #openstack-keystone21:33
*** diazjf has quit IRC21:33
*** jbell8 has quit IRC21:34
*** mkrcmari__ has joined #openstack-keystone21:34
*** doug-fish has quit IRC21:34
zigostevemar: It happens in other projects, and then it got reverted.21:34
zigoJust like I'm proposing.21:34
*** mkrcmari__ has quit IRC21:35
*** r-daneel has quit IRC21:35
*** mvk_ has quit IRC21:35
lbragstadbknudson why would that be a regression again?21:36
bknudsonlbragstad: because we used to cache fernet tokens just like uuid tokens; and then something changed to not do that.21:36
*** diazjf has joined #openstack-keystone21:36
lbragstadbknudson hmmm21:36
*** mvk has quit IRC21:37
lbragstaddolphm https://github.com/lbragstad/keystone-performance/issues/121:38
bknudsonlbragstad: in liberty, validate_v3_token just called self._validate_v3_token which has @MEMOIZE21:38
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py?h=stable/liberty#n23221:38
lbragstadoh...21:39
bknudsonat some point it changed to call self.validate_non_persistent_token which is not MEMOIZEd21:39
bknudsonso henrynash is adding that back https://review.openstack.org/#/c/326234/2/keystone/token/provider.py21:39
patchbotbknudson: patch 326234 - keystone - WIP - Cache fernet tokens the same way we do UUID21:39
*** doug-fish has joined #openstack-keystone21:40
lbragstadls21:40
bknudson. ..21:41
*** rk4n has quit IRC21:41
bknudsonlbragstad: this is why we need the performance tests so we can catch regressions like this21:43
lbragstadbknudson ++21:43
lbragstadbknudson dolphm and I just made some good progress on the bare metal nodes21:43
bknudsonthey're even more metal21:43
lbragstadexactly21:43
lbragstadmoar metal plz21:44
bknudsonturn it up to 11!21:44
*** doug-fis_ has joined #openstack-keystone21:46
*** jbell8 has joined #openstack-keystone21:48
*** r-daneel has joined #openstack-keystone21:48
*** rk4n has joined #openstack-keystone21:49
*** doug-fish has quit IRC21:50
*** doug-fis_ has quit IRC21:51
*** roxanaghe has quit IRC21:52
*** rk4n has quit IRC21:52
*** ayoung has quit IRC21:54
*** frontrunner has quit IRC21:54
*** edtubill has quit IRC21:55
*** gordc has quit IRC21:57
*** edtubill has joined #openstack-keystone21:57
*** jbell8 has quit IRC21:58
*** jbell8 has joined #openstack-keystone22:00
*** rderose has joined #openstack-keystone22:01
lbragstaddolphm https://github.com/openstack/openstack-ansible-os_keystone/blob/master/meta/main.yml#L41-L4422:01
bknudsonlbragstad: mitaka has the regression. just tried it and fernet performance is worse22:02
bknudson24.6582419872 vs 16.890053987522:02
*** edtubill has quit IRC22:03
*** sdake_ has joined #openstack-keystone22:03
*** doug-fish has joined #openstack-keystone22:04
lbragstadbknudson ok - that's consistent with what mfisch said too22:05
lbragstaddolphm http://docs.ansible.com/ansible/playbooks_conditionals.html#applying-when-to-roles-and-includes22:05
*** sdake has quit IRC22:06
*** diazjf has quit IRC22:06
*** henrynash_ has joined #openstack-keystone22:06
*** ChanServ sets mode: +v henrynash_22:06
*** sdake has joined #openstack-keystone22:06
*** rderose has quit IRC22:08
*** ayoung has joined #openstack-keystone22:08
*** ChanServ sets mode: +v ayoung22:08
dolphmlbragstad: https://review.openstack.org/#/c/326748/ ?22:09
patchbotdolphm: patch 326748 - openstack-ansible-os_keystone - Always use memcached22:09
*** doug-fish has quit IRC22:09
bknudson127.0.0.1 ... smart22:09
*** sdake_ has quit IRC22:10
*** rderose has joined #openstack-keystone22:10
*** edtubill has joined #openstack-keystone22:11
bknudsonlbragstad henrynash: backported  https://review.openstack.org/#/c/326234/2/keystone/token/provider.py to mitaka and it fixes performance regression22:14
patchbotbknudson: patch 326234 - keystone - WIP - Cache fernet tokens the same way we do UUID22:14
mfischis that going to land?22:17
mfischsecurity team want me to fix that token revoke issue but I'm still on L22:17
*** r-daneel has quit IRC22:17
bknudsonmfisch: I'll work on it if henrynash isn't.22:17
mfischk22:17
*** KevinE has quit IRC22:18
bknudsonwe'll need it to (also still on L)22:18
bknudsontoo22:18
mfischi could test that in M maybe tomorrow or later this week22:22
*** rderose has quit IRC22:24
*** lhcheng has quit IRC22:25
*** BjoernT has joined #openstack-keystone22:26
*** timcline has quit IRC22:27
*** timcline has joined #openstack-keystone22:28
*** fawadkhaliq has joined #openstack-keystone22:28
*** itisha has quit IRC22:30
*** ametts has quit IRC22:30
*** lhcheng has joined #openstack-keystone22:31
*** ChanServ sets mode: +v lhcheng22:31
*** timcline has quit IRC22:32
henrynash_bknudson, mfisch: great that it fixed the regression…..I’ll work on it for invalidations, asap22:39
bknudsonhenrynash_: thanks. I was just working on the devstack change.22:39
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494322:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: clean up test_resource_uuid  https://review.openstack.org/28154622:40
*** sdake has quit IRC22:43
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494322:43
bknudsondevstack change to enable keystone to use memcached:22:44
bknudsonhttps://review.openstack.org/#/c/326756/22:44
patchbotbknudson: patch 326756 - openstack-dev/devstack - Correct keystone memcached host setting22:44
*** henrynash_ has quit IRC22:45
*** edmondsw has quit IRC22:47
*** dan_nguyen has joined #openstack-keystone22:49
bknudsonhenrynash: I opened a bug: https://bugs.launchpad.net/keystone/+bug/159017922:49
openstackLaunchpad bug 1590179 in OpenStack Identity (keystone) "fernet memcache performance regression" [Undecided,New]22:49
*** frontrunner has joined #openstack-keystone22:55
*** iurygregory_ has joined #openstack-keystone22:59
bknudsonran my validation test using henrynash's patch and it improves the fernet validation perf.23:01
lbragstadbknudson sweet!23:01
lbragstadbknudson I would like to use henrynash 's patch to test the perf CI23:02
*** edtubill has quit IRC23:08
*** sdake has joined #openstack-keystone23:12
*** roxanaghe has joined #openstack-keystone23:13
*** markvoelker has quit IRC23:13
*** lhcheng has quit IRC23:16
*** BjoernT has quit IRC23:16
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058623:16
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058623:19
*** henrynash_ has joined #openstack-keystone23:21
*** ChanServ sets mode: +v henrynash_23:21
*** lucas has joined #openstack-keystone23:23
*** lucas has quit IRC23:23
*** lucas has joined #openstack-keystone23:24
*** lucas has quit IRC23:28
*** lucas has joined #openstack-keystone23:30
openstackgerritguang-yee proposed openstack/keystoneauth: Support TOTP auth plugin  https://review.openstack.org/28108623:32
*** lucas___ has joined #openstack-keystone23:32
*** furface has joined #openstack-keystone23:33
*** lucas has quit IRC23:35
*** mvk has joined #openstack-keystone23:36
*** lucas___ has quit IRC23:37
*** fawadkhaliq has quit IRC23:37
*** furface has quit IRC23:43
*** henrynash_ has quit IRC23:45
*** sdake has quit IRC23:46
*** clenimar has joined #openstack-keystone23:49
*** fawadkhaliq has joined #openstack-keystone23:52
openstackgerritEric Brown proposed openstack/keystone: Update the keystone-manage man page options  https://review.openstack.org/32676423:52
*** fawadkhaliq has quit IRC23:56