Friday, 2016-06-10

« Thursday, 2016-06-09 Index Saturday, 2016-06-11 »
*** spandhe has joined #openstack-keystone00:04
*** tqtran has quit IRC00:06
*** edtubill has quit IRC00:09
*** serverascode has quit IRC00:17
*** andrewbogott has quit IRC00:17
*** DuncanT has quit IRC00:17
*** andreykurilin__ has quit IRC00:17
*** jed56 has quit IRC00:17
*** briancurtin has quit IRC00:17
*** sigmavirus24 has quit IRC00:17
*** nikhil has quit IRC00:18
*** andrewbogott has joined #openstack-keystone00:19
*** serverascode has joined #openstack-keystone00:19
*** DuncanT has joined #openstack-keystone00:19
*** jed56 has joined #openstack-keystone00:20
*** briancurtin has joined #openstack-keystone00:20
*** andreykurilin__ has joined #openstack-keystone00:21
*** nikhil has joined #openstack-keystone00:21
*** sigmavirus24 has joined #openstack-keystone00:28
*** slberger has left #openstack-keystone00:32
*** zigo has quit IRC00:37
*** ddieterly has joined #openstack-keystone00:51
*** zigo has joined #openstack-keystone01:03
*** ayoung has joined #openstack-keystone01:07
*** ChanServ sets mode: +v ayoung01:07
*** tonytan4ever has joined #openstack-keystone01:10
*** chlong has joined #openstack-keystone01:16
*** ddieterly is now known as ddieterly[away]01:24
*** ddieterly[away] is now known as ddieterly01:24
*** sdake has joined #openstack-keystone01:25
*** rk4n has quit IRC01:26
*** jorge_munoz has quit IRC01:26
*** edtubill has joined #openstack-keystone01:30
openstackgerritRyosuke Mizuno proposed openstack/keystone: Add validation rules for create token using a JSON schema  https://review.openstack.org/32508601:35
*** ddieterly has quit IRC01:50
*** iurygregory_ has quit IRC01:50
*** ddieterly has joined #openstack-keystone02:01
*** jamielennox has left #openstack-keystone02:02
*** jamielennox has joined #openstack-keystone02:02
*** ChanServ sets mode: +v jamielennox02:02
*** TxGVNN has joined #openstack-keystone02:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Consolidate user agent calculation  https://review.openstack.org/31971702:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a Config object  https://review.openstack.org/31971502:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make audit middleware use common config object  https://review.openstack.org/32804602:02
jamielennoxgyee: for you ^02:03
*** lhcheng has quit IRC02:03
*** lhcheng has joined #openstack-keystone02:15
*** ChanServ sets mode: +v lhcheng02:15
*** ddieterly has quit IRC02:19
*** edtubill has quit IRC02:33
*** dave-mccowan has quit IRC02:34
*** sheel has joined #openstack-keystone02:46
*** richm has quit IRC02:52
*** TxGVNN has quit IRC02:53
*** tonytan4ever has quit IRC02:56
*** edtubill has joined #openstack-keystone02:58
*** neophy has joined #openstack-keystone03:13
*** markvoelker has quit IRC03:14
*** edtubill has quit IRC03:15
*** edtubill has joined #openstack-keystone03:15
*** lhcheng has quit IRC03:30
*** spandhe has quit IRC03:37
*** sdake has quit IRC03:41
*** pgbridge_ has joined #openstack-keystone03:48
*** jaosorior has joined #openstack-keystone03:48
*** pgbridge has quit IRC03:51
*** pgbridge has joined #openstack-keystone03:51
*** lhcheng has joined #openstack-keystone03:52
*** ChanServ sets mode: +v lhcheng03:52
*** pgbridge_ has quit IRC03:55
*** itisha has quit IRC04:00
*** links has joined #openstack-keystone04:00
stevemarlbragstad: dolphm nice "OSIC Performance Bot"04:20
stevemarsuccess: OSIC Performance Bot is up and running04:20
stevemar#success OSIC Performance Bot is up and running04:21
openstackstatusstevemar: Added success to Success page04:21
*** rmizuno has joined #openstack-keystone04:28
*** edtubill has quit IRC04:33
*** edtubill has joined #openstack-keystone04:35
dstanekyay, OSIC04:36
openstackgerritSteve Martinelli proposed openstack/keystone: Fix TOTP transient test failure  https://review.openstack.org/32792204:40
*** sdake has joined #openstack-keystone04:46
jamielennoxsigh, i broke my rule: don't look at audit middleware - lost pretty much the whole day04:56
gyeejamielennox, yeah, on it04:57
*** spandhe has joined #openstack-keystone04:58
jamielennoxgyee: i have a couple of nice little cleanups - and i just can't break all the test assumptions04:58
gyeejamielennox, I will abandon my other patch so I can base mine on yours04:59
jamielennoxgyee: yea, it becomes almost trivial at that point05:00
gyeeyeah05:00
stevemarjamielennox: gyee i did the same thing earlier today, i waned to make oslo.messaging required... went down that rabbit hole alright05:02
jamielennoxstevemar: oh, yea: i found that if you do that we'll change behaviour05:02
jamielennoxstevemar: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/audit.py#L42605:03
stevemaroh? i just noticed the tests were all mangled... what i miss?05:03
stevemaryep05:03
jamielennoxstevemar: so whether it emits a message or just logs it is dependant on if the library is installed05:03
stevemari figured we could check if the driver was configured... and not as 'log'05:03
stevemardriver = CONF.audit_middleware.driver05:04
stevemarif driver and driver != 'log'05:04
stevemarjust what i thought really quickly today05:04
stevemarmay not work *shrugs*05:05
jamielennoxit probably will05:05
gyeestevemar, problem is Swift wants everything to be *optional*05:05
stevemargyee: swift doesn't use keystonemiddleware05:05
jamielennoxi tried to refactor a bit and realize everything tests private methods05:06
gyeestevemar, our product have a requirement for auditing, so I am trying to make audit middleware work for Swift05:06
stevemargyee: just dropping it in the pipeline?05:06
jamielennoxgyee: the dependency will be on keystonemiddleware, not swift05:06
gyeeproblem is Swift only support one logger05:06
gyeestevemar, its not that simple05:06
gyeeI do agree with having everything goes through oslo.messaging as it also support 'log' driver05:09
gyeeright now I am unable to make Swift use the log driver05:09
stevemargyee: so why does swift have to support oslo.messaging? you can install swift and keystonemiddleware, ksm pulls in whatever it needs, why do you care, as the deployer?05:13
*** markvoelker has joined #openstack-keystone05:15
gyeestevemar, right now oslo.messaging is optional for audit middleware, and we can't use the log driver even if its there05:15
gyeeso its a package they don't need05:15
gyeebut if we can make the log driver work then its a compelling argument05:17
*** edtubill has quit IRC05:17
*** edtubill has joined #openstack-keystone05:18
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add a fixture method to add your own token data  https://review.openstack.org/32807605:18
*** markvoelker has quit IRC05:20
*** GB21 has joined #openstack-keystone05:22
*** GB21 has quit IRC05:28
openstackgerritMerged openstack/python-keystoneclient: Add users functional tests  https://review.openstack.org/28930605:28
*** jamielennox is now known as jamielennox|away05:29
notmorgandstanek: from our earlier convo: https://twitter.com/MdrnStm/status/74113987615067340805:30
notmorganoh stevemar is around.05:31
gyeenotmorgan, first few months baby sleeps a lot so stevemar should have some free time :-)05:36
*** gyee has quit IRC05:45
*** GB21 has joined #openstack-keystone05:47
*** GB21 has quit IRC05:55
*** GB21 has joined #openstack-keystone05:55
*** GB21 has quit IRC05:55
*** GB21 has joined #openstack-keystone05:56
*** lhcheng_ has joined #openstack-keystone06:02
*** chlong has quit IRC06:03
*** GB21 has quit IRC06:03
*** lhcheng has quit IRC06:04
*** yolanda has joined #openstack-keystone06:06
*** belmoreira has joined #openstack-keystone06:12
*** GB21 has joined #openstack-keystone06:14
*** TxGVNN has joined #openstack-keystone06:16
*** lunarlamp has joined #openstack-keystone06:17
*** chlong has joined #openstack-keystone06:20
*** TxGVNN has quit IRC06:23
*** openstackgerrit has quit IRC06:32
*** openstackgerrit has joined #openstack-keystone06:32
*** edtubill has quit IRC06:33
*** chlong has quit IRC06:35
*** pcaruana has joined #openstack-keystone06:40
*** GB21 has quit IRC06:48
*** links has quit IRC06:55
*** lhcheng has joined #openstack-keystone07:05
*** ChanServ sets mode: +v lhcheng07:05
*** lhcheng_ has quit IRC07:08
*** links has joined #openstack-keystone07:10
*** spandhe has quit IRC07:10
*** permalac has joined #openstack-keystone07:15
*** markvoelker has joined #openstack-keystone07:16
*** rcernin has joined #openstack-keystone07:17
*** markvoelker has quit IRC07:21
*** GB21 has joined #openstack-keystone07:24
*** sheel has quit IRC07:26
*** sheel has joined #openstack-keystone07:27
*** tesseract has joined #openstack-keystone07:27
*** agireud has quit IRC07:32
*** openstackgerrit has quit IRC07:33
*** openstackgerrit has joined #openstack-keystone07:33
*** agireud has joined #openstack-keystone07:34
*** jamielennox|away is now known as jamielennox07:36
*** GB21 has quit IRC07:46
*** rk4n has joined #openstack-keystone07:46
*** dancn has quit IRC07:53
*** dancn has joined #openstack-keystone07:55
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Imported Translations from Zanata  https://review.openstack.org/32814207:55
*** dancn has quit IRC07:55
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** GB21 has joined #openstack-keystone08:07
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** markvoelker has joined #openstack-keystone08:17
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata  https://review.openstack.org/32816008:20
*** fhubik has joined #openstack-keystone08:21
*** markvoelker has quit IRC08:21
*** sdake has quit IRC08:21
*** pnavarro has joined #openstack-keystone08:23
*** lhcheng has quit IRC08:25
*** woodster_ has quit IRC08:28
*** nisha_ has joined #openstack-keystone08:29
*** jaosorior has quit IRC08:30
*** jaosorior has joined #openstack-keystone08:30
nisha_Good morning :)08:31
*** nisha__ has joined #openstack-keystone08:40
*** nisha_ has quit IRC08:45
*** nisha__ has quit IRC08:45
*** nisha_ has joined #openstack-keystone08:48
*** nisha__ has joined #openstack-keystone08:48
*** nisha_ has quit IRC08:50
*** nisha__ is now known as nisha_08:50
*** nisha__ has joined #openstack-keystone08:51
*** rk4n has quit IRC08:52
*** rk4n has joined #openstack-keystone08:53
*** nisha__ has quit IRC08:55
*** rk4n_ has joined #openstack-keystone08:56
*** rk4n_ has quit IRC08:57
*** rk4n has quit IRC08:57
*** daemontool has joined #openstack-keystone08:59
*** rk4n has joined #openstack-keystone09:03
*** henrynash_ has joined #openstack-keystone09:10
*** ChanServ sets mode: +v henrynash_09:10
*** mvk has joined #openstack-keystone09:22
*** GB21 has quit IRC09:35
*** fhubik has quit IRC09:39
*** GB21 has joined #openstack-keystone09:52
*** henrynash_ has quit IRC10:02
*** rk4n has quit IRC10:10
*** danpawlik has joined #openstack-keystone10:11
*** lhcheng has joined #openstack-keystone10:14
*** ChanServ sets mode: +v lhcheng10:14
*** daemontool has quit IRC10:17
*** markvoelker has joined #openstack-keystone10:18
*** lhcheng has quit IRC10:19
*** rmizuno has quit IRC10:19
*** markvoelker has quit IRC10:22
*** danpawlik has left #openstack-keystone10:23
*** neophy has quit IRC10:23
*** danpawlik has joined #openstack-keystone10:23
danpawlikhi, is somebody there?10:24
*** daemontool has joined #openstack-keystone10:38
*** nisha__ has joined #openstack-keystone10:48
*** nisha_ has quit IRC10:51
*** rk4n has joined #openstack-keystone10:53
*** ddieterly has joined #openstack-keystone11:05
*** TxGVNN has joined #openstack-keystone11:07
*** GB21 has quit IRC11:07
*** dmk0202 has joined #openstack-keystone11:10
*** GB21 has joined #openstack-keystone11:22
*** dmk0202 has quit IRC11:23
*** daemontool has quit IRC11:28
*** daemontool has joined #openstack-keystone11:28
*** GB21 has quit IRC11:35
*** dmk0202 has joined #openstack-keystone11:36
*** vnogin has quit IRC11:43
*** rk4n has joined #openstack-keystone11:45
*** ddieterly has quit IRC11:47
*** pcaruana has quit IRC11:51
*** rk4n has quit IRC11:52
*** rk4n has joined #openstack-keystone11:54
*** rodrigods has quit IRC11:55
*** rodrigods has joined #openstack-keystone11:56
*** danpawlik has quit IRC11:56
*** danpawlik has joined #openstack-keystone11:56
*** pcaruana has joined #openstack-keystone12:07
*** pcaruana has quit IRC12:13
*** pcaruana has joined #openstack-keystone12:13
*** ayoung has quit IRC12:15
*** markvoelker has joined #openstack-keystone12:18
*** ddieterly has joined #openstack-keystone12:20
*** afred312 has quit IRC12:23
*** dmk0202 has quit IRC12:25
*** EinstCrazy has joined #openstack-keystone12:25
*** lhcheng has joined #openstack-keystone12:27
*** ChanServ sets mode: +v lhcheng12:27
*** ddieterly has quit IRC12:27
*** lhcheng has quit IRC12:32
*** gordc has joined #openstack-keystone12:37
*** ddieterly has joined #openstack-keystone12:37
*** dmk0202 has joined #openstack-keystone12:39
*** ddieterly is now known as ddieterly[away]12:41
*** nisha__ has quit IRC12:47
*** nisha__ has joined #openstack-keystone12:48
*** EinstCrazy has quit IRC12:54
*** links has quit IRC12:54
*** dmk0202 has quit IRC12:58
*** dmk0202 has joined #openstack-keystone12:59
*** BjoernT has joined #openstack-keystone13:00
*** pauloewerton has joined #openstack-keystone13:00
*** EinstCrazy has joined #openstack-keystone13:02
*** rodrigods has quit IRC13:05
*** rodrigods has joined #openstack-keystone13:05
*** EinstCrazy has quit IRC13:06
*** jaosorior has quit IRC13:07
*** edmondsw has joined #openstack-keystone13:08
*** richm has joined #openstack-keystone13:10
*** EinstCrazy has joined #openstack-keystone13:10
*** EinstCrazy has quit IRC13:16
*** EinstCrazy has joined #openstack-keystone13:16
*** ayoung has joined #openstack-keystone13:16
*** ChanServ sets mode: +v ayoung13:16
*** jistr is now known as jistr|mtg13:20
*** pcaruana has quit IRC13:20
*** henrynash_ has joined #openstack-keystone13:22
*** ChanServ sets mode: +v henrynash_13:22
*** EinstCrazy has quit IRC13:25
*** sheel has quit IRC13:25
*** dmk0202 has quit IRC13:29
knikollahi o/13:31
*** gagehugo has joined #openstack-keystone13:33
*** TxGVNN has quit IRC13:33
*** dave-mccowan has joined #openstack-keystone13:33
*** links has joined #openstack-keystone13:36
*** andrewbogott has quit IRC13:38
*** andrewbogott has joined #openstack-keystone13:38
*** pcaruana has joined #openstack-keystone13:39
*** henrynash_ has quit IRC13:41
*** rderose has joined #openstack-keystone13:44
*** afred312 has joined #openstack-keystone13:47
*** darosale has joined #openstack-keystone13:55
*** nisha__ has quit IRC14:00
*** ametts has joined #openstack-keystone14:00
*** amakarov_away is now known as amakarov14:01
*** links has quit IRC14:01
*** rderose_ has joined #openstack-keystone14:07
*** jistr|mtg is now known as jistr14:09
*** rderose has quit IRC14:10
*** fesp has joined #openstack-keystone14:24
*** tonytan4ever has joined #openstack-keystone14:27
*** fesp has quit IRC14:27
*** fesp has joined #openstack-keystone14:30
*** fesp has quit IRC14:32
*** fesp has joined #openstack-keystone14:32
*** jorge_munoz has joined #openstack-keystone14:33
openstackgerritMerged openstack/keystone: Fix TOTP transient test failure  https://review.openstack.org/32792214:39
*** amrith has quit IRC14:41
*** raddaoui has joined #openstack-keystone14:42
*** amrith has joined #openstack-keystone14:42
*** timcline has joined #openstack-keystone14:45
*** timcline has quit IRC14:45
dolphmstevemar: tested that TOTP patch 9000 times over night -- it definitely fixed the issue :)14:45
patchbotdolphm: https://review.openstack.org/#/c/9000/ - keystone - Do not crash when trying to remove a user role (wi... (MERGED)14:45
*** timcline has joined #openstack-keystone14:46
stevemardolphm: nice14:46
dolphmthanks, patchbot14:46
stevemarhaha, thats awesome14:46
dolphmpatch 114:46
patchbotdolphm: https://review.openstack.org/#/c/1/ - openstack-infra/system-config - Add puppet module for ssh that installs an sshd_co... (MERGED)14:46
dolphmpatch 214:46
patchbotdolphm: https://review.openstack.org/#/c/2/14:46
stevemarpatch 9000 was a keystone patch14:46
patchbotstevemar: https://review.openstack.org/#/c/9000/ - keystone - Do not crash when trying to remove a user role (wi... (MERGED)14:46
dolphmpatch 314:46
patchbotdolphm: https://review.openstack.org/#/c/3/14:46
dolphmso helpful14:46
dolphmpatch 414:46
patchbotdolphm: https://review.openstack.org/#/c/4/ - openstack-infra/system-config - Add gerrit dev/prod servers to jenkins slave known... (MERGED)14:46
notmynamethe https://review.openstack.org/#/c/9000/ pattern works too14:46
dolphmpatch 514:47
patchbotnotmyname: patch 9000 - keystone - Do not crash when trying to remove a user role (wi... (MERGED)14:47
patchbotdolphm: https://review.openstack.org/#/c/5/ - openstack-infra/system-config - Fix problem with jenkins known_hosts url. (MERGED)14:47
notmynamenotmorgan had asked for patchbot to lurk here14:47
notmynameit's my bot if you have questions/issues with it14:47
stevemarnotmyname: oh it's fine :)14:47
stevemarwacky friday fun14:47
notmynameFWIW https://github.com/notmyname/Patches14:48
dolphmnotmyname: i definitely find it useful - keeps me from clicking every code review link in irc14:48
notmynameyeah. that was the frustration that made me write it :-)14:49
*** flaper87 has quit IRC14:52
*** fesp is now known as flaper8714:52
*** flaper87 has quit IRC14:52
*** flaper87 has joined #openstack-keystone14:52
*** flaper87 has quit IRC14:55
*** flaper87 has joined #openstack-keystone14:55
*** daemontool has quit IRC14:57
notmorgannotmyname: ++15:00
notmorgannotmyname: i think i want to issue a PR for it so it has a delay in saying the same patch again15:01
notmorganpatch 115:01
patchbotnotmorgan: https://review.openstack.org/#/c/1/ - openstack-infra/system-config - Add puppet module for ssh that installs an sshd_co... (MERGED)15:01
notmorganpatch 115:01
patchbotnotmorgan: https://review.openstack.org/#/c/1/ - openstack-infra/system-config - Add puppet module for ssh that installs an sshd_co... (MERGED)15:01
notmorganpatch 115:01
patchbotnotmorgan: https://review.openstack.org/#/c/1/ - openstack-infra/system-config - Add puppet module for ssh that installs an sshd_co... (MERGED)15:01
notmorgannotmyname: like 10 or 30s15:01
notmynamesure. go for it. patches welcome :-)15:01
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password table changes  https://review.openstack.org/31428415:02
notmorgannotmyname: :)15:02
notmorgannotmyname: just realize it's going to consume a chunk more memory that way, so as long as you're ok with that15:02
notmorgannotmyname: since it needs something like an ordereddict of patches it's said in the last XXX window15:03
*** spandhe has joined #openstack-keystone15:04
bknudsonmake it so that we can update commit messages by posting commands to irc.15:05
notmorganbknudson: you should totally write that bot15:05
bknudsonand cherry-pick changes15:06
*** spandhe_ has joined #openstack-keystone15:07
*** spandhe has quit IRC15:09
*** spandhe_ is now known as spandhe15:09
*** tesseract has quit IRC15:09
*** pcaruana has quit IRC15:13
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833915:13
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833915:13
*** rcernin has quit IRC15:19
*** EinstCrazy has joined #openstack-keystone15:21
*** flaper87 has quit IRC15:27
dstanekwell i give up on lxd for today. back to real work15:27
*** pushkaru has joined #openstack-keystone15:30
openstackgerritMerged openstack/keystone: Change LocalUser sql model to eager loading  https://review.openstack.org/32781715:34
*** pnavarro has quit IRC15:34
bknudsondstanek: "The Legion of Extraordinary Dancers" ?15:34
dstanekbknudson: that would have been more productive i think15:35
*** belmoreira has quit IRC15:41
*** EinstCrazy has quit IRC15:44
*** EinstCrazy has joined #openstack-keystone15:44
*** KevinE_ has joined #openstack-keystone15:45
*** rk4n has quit IRC15:49
*** EinstCrazy has quit IRC15:51
*** EinstCrazy has joined #openstack-keystone15:52
*** ametts has quit IRC15:55
openstackgerritMatthew Edmonds proposed openstack/keystone: exception sensitive cache/audit changes  https://review.openstack.org/27321815:57
openstackgerritDolph Mathews proposed openstack/keystoneauth: Make the kerberos plugin loadable  https://review.openstack.org/32181415:59
*** roxanaghe has joined #openstack-keystone15:59
dstaneknotmorgan: where you still going to work on https://bugs.launchpad.net/keystone/+bug/1572341 ?16:02
openstackLaunchpad bug 1572341 in OpenStack Identity (keystone) "Failed migration 90 -> 91 Can't DROP 'ixu_user_name_domain_id'" [High,Triaged]16:02
*** ametts has joined #openstack-keystone16:08
*** EinstCrazy has quit IRC16:11
notmorgandstanek: i keep meaning to16:11
notmorgandstanek: its unfortunately a really unfun migration to fix :(16:12
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password table changes  https://review.openstack.org/31428416:17
*** afred312 has quit IRC16:18
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428416:19
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428416:23
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833916:25
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements  https://review.openstack.org/32058616:29
*** ayoung has quit IRC16:33
*** rderose_ has quit IRC16:37
*** spandhe has quit IRC16:44
openstackgerritThomas Goirand proposed openstack/keystone: Add missing testresources build-requirement  https://review.openstack.org/32838316:45
*** rderose has joined #openstack-keystone16:46
*** rk4n has joined #openstack-keystone16:49
*** sdake has joined #openstack-keystone16:50
bretonzigo: https://bugs.launchpad.net/keystone/+bug/1572202 this looks like a duplicate of your bug16:56
openstackLaunchpad bug 1572202 in OpenStack Identity (keystone) "testresources needs to be explicitly required for tests" [Medium,In progress] - Assigned to David Stanek (dstanek)16:56
zigoIndeed.16:56
zigoThat's in fact indirectly needed by oslo.db16:57
zigoI was tempted to add a runtime depends on testresources for oslo.db, but I'm not sure if that's really what I should do.16:57
bretonyou've seen https://review.openstack.org/#/c/307878/, right?16:57
patchbotbreton: patch 307878 - keystone - Explicitly require testresources for tests (ABANDONED)16:57
dstanekbreton: zigo: i should probably mark that bug as closed16:59
zigoRight.16:59
rodrigodsdstanek, ping... do you have a Mitaka (or more recent) federation setup ready?16:59
dstanekrodrigods: define ready?17:00
rodrigodsdstanek, somehow working heh17:00
*** rderose_ has joined #openstack-keystone17:01
bretonrodrigods: i have. Need anything to test?17:02
rodrigodsbreton, yeah, think I've found a bug here, but shadow users should have fixed it (i'm using liberty)17:02
dstanekrodrigods: i have a node that works against testshib17:03
rodrigodsdstanek, breton in a meeting, back in a hour or so to explain the issue :)17:04
dstanekzigo: breton: what's the other bug?17:04
*** rderose has quit IRC17:05
bretondstanek: https://bugs.launchpad.net/bugs/159128117:06
openstackLaunchpad bug 1591281 in OpenStack Identity (keystone) "Missing test-requirement: testresources" [Undecided,In progress] - Assigned to Thomas Goirand (thomas-goirand)17:06
*** ebalduf_ has joined #openstack-keystone17:06
*** rderose_ has quit IRC17:08
dstanekbreton: does updating tox fix the issue?17:09
*** ayoung has joined #openstack-keystone17:14
*** ChanServ sets mode: +v ayoung17:14
bretondstanek: i don't know. Please ask zigo. I just saw that it's a duplicate.17:16
*** Guest5 has joined #openstack-keystone17:17
*** dan_nguyen has joined #openstack-keystone17:19
dstanekzigo: ^?17:19
zigo#159128117:21
zigoThat's my bug.17:21
zigo#1572202 the other one17:22
*** ebalduf_ has quit IRC17:22
*** sdake has quit IRC17:22
dstanekzigo: does having an updated tox fix the issue?17:23
zigoNot in downstream distros.17:23
*** afred312 has joined #openstack-keystone17:25
*** spandhe has joined #openstack-keystone17:34
*** rderose has joined #openstack-keystone17:38
*** gyee has joined #openstack-keystone17:44
*** ChanServ sets mode: +v gyee17:44
*** amakarov is now known as amakarov_away17:45
*** pushkaru has quit IRC17:49
rodrigodsdstanek, breton, so... I have a mapping that looks like that: https://paste.fedoraproject.org/377179/14655787/ - it maps to a user by its id. And it results in a unscoped token like that: https://paste.fedoraproject.org/377182/55789851/ . The local user with that ID has access to project 6da4ec769c904fd7b89378328b704792, but when I try to scope the token, I receive: User 4629ae2d7298417ea38d005361c75b20 has no access to project 6da4ec769c917:50
rodrigods04fd7b89378328b70479217:50
rodrigodsdstanek, breton looks like this error: https://bugs.launchpad.net/keystone/+bug/159042617:52
openstackLaunchpad bug 1590426 in OpenStack Identity (keystone) "Keystone Federated Identity assertion name not included in token" [Undecided,New] - Assigned to Adam Young (ayoung)17:52
*** permalac has quit IRC17:54
*** catintheroof has joined #openstack-keystone17:59
dstanekrodrigods: does that user or group have roles on the project?17:59
rodrigodsdstanek, the user has, the group... let me check17:59
dstanekrodrigods: how to you know the federated user's id ahead of time18:00
rodrigodsdstanek, the group doesn't18:00
rodrigodsdstanek, just wanted to map to a local user18:00
*** gyee has quit IRC18:00
rodrigodsdstanek, let me add a role to the group18:01
dstanekrodrigods: is this k2k and you have the same user ids on both sides?18:01
rodrigodsdstanek, no... regular federation, I was hoping that providing a user_id, it would map to an existing user18:02
rodrigodsnot create an ephemeral one... but you right18:02
rodrigodsmissing group assignment should be the cause18:02
dstanekrodrigods: i'd be interested to know if that use could be a scoped token when logging in  directly to keystone18:03
rodrigodsdstanek, anyway... the issue is that... If I list projects via /auth/projects using that token (without the group assignment), the project is returned18:03
*** rk4n has quit IRC18:03
rodrigodsdstanek, keystone messes up the ephemeral user and the local user because the ID18:04
*** lhcheng has joined #openstack-keystone18:13
*** ChanServ sets mode: +v lhcheng18:13
*** lhcheng has quit IRC18:13
*** lhcheng has joined #openstack-keystone18:13
*** barjavel.freenode.net sets mode: +v lhcheng18:13
*** lhcheng_ has joined #openstack-keystone18:17
*** lhcheng has quit IRC18:17
*** browne has joined #openstack-keystone18:21
*** roxanaghe has quit IRC18:21
openstackgerritMatthew Edmonds proposed openstack/keystone: fix ldap delete_user group member cleanup  https://review.openstack.org/32735818:21
openstackgerritDolph Mathews proposed openstack/keystonemiddleware: Create a Config object  https://review.openstack.org/31971518:22
edmondswdolphm, addressed your _LW comment18:22
edmondswgood catch, tx18:22
openstackgerritDolph Mathews proposed openstack/keystonemiddleware: Consolidate user agent calculation  https://review.openstack.org/31971718:22
openstackgerritDolph Mathews proposed openstack/keystonemiddleware: Make audit middleware use common config object  https://review.openstack.org/32804618:23
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844718:25
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/32844718:26
*** gyee has joined #openstack-keystone18:27
*** ChanServ sets mode: +v gyee18:27
*** julim has quit IRC18:46
*** roxanagh_ has joined #openstack-keystone18:47
*** yolanda has quit IRC18:53
*** pushkaru has joined #openstack-keystone18:54
*** edmondsw has quit IRC18:56
*** darosale has quit IRC18:58
*** spandhe has quit IRC18:59
*** yolanda has joined #openstack-keystone19:03
*** amrith is now known as _amrith_19:06
samueldmqayoung: henrynash: could anyone of you look at patch 327358 ? I have a question there about expected behavior of LDAP query19:12
patchbotsamueldmq: https://review.openstack.org/#/c/327358/ - keystone - fix ldap delete_user group member cleanup19:12
*** mvk_ has joined #openstack-keystone19:12
ayoungsamueldmq, um...hate that19:14
ayoungDon't use Keystone to manage LDAP19:14
samueldmqayoung: we already do, that just fixes what we're supposed to provide :)19:15
ayoungsamueldmq, you are right, that section he removed is needs to be put back19:15
*** mvk has quit IRC19:16
dolphmnonameentername: can you review this? https://review.openstack.org/#/c/281086/19:16
patchbotdolphm: patch 281086 - keystoneauth - Support TOTP auth plugin19:16
nonameenternamedolphm: yeah, I'll take a look at it19:17
samueldmqayoung: thanks, group_filter needs to always be honored, that's what I thought19:18
samueldmqayoung: left a review I checked this with you, thanks19:18
ayoungsamueldmq, I really want to do away with LDAP and move to using SSSD.  It makes LDAP just another form of Federation.19:19
*** pnavarro has joined #openstack-keystone19:23
*** ddieterly has joined #openstack-keystone19:25
notmorganayoung: SSSD, unfortunately, still (haven't tried 16.04) did not work well on non-redhat systems.19:27
ayoungnotmorgan, so I heard, but I've not tried to run it myself19:27
notmorganayoung: it seems to have a nice suite of packages for suse, but suse is a lot closer to rhel than debian/ubuntu19:28
ayoungnotmorgan, I just mean that for the deploys that my team does, and our customers19:28
notmorganayoung: right. which, unless we get sssd working well, likely means carrying your own plugins.19:28
ayoungI think mod_lookup_identity can actually do straight LDAP, too, but have not tried19:28
notmorganayoung: i would rather have it work well and be testable fwiw19:28
ayoungnotmorgan, nope.  No need to .  Generic Federation works fine19:29
ayoungKerberos + SSSD uses the FedKerb plugin19:29
notmorganayoung: *shrug*. also writable ldap... when do we get to delete that?19:29
ayoungnotmorgan, not soon enough19:29
* notmorgan asks because of that ^ patch.19:29
notmorganugh, after newton :(19:30
notmorganboo.19:30
* notmorgan was looking forward to rm-rfing more ldap things.19:30
ayoungnotmorgan, I think that patch is probably a mistake...19:31
notmorgani was about to -2 it but... it is a legitimate bug that likely should have a fix backported to liberty where this was supported19:31
notmorgan"supported"19:32
* notmorgan adds air quotes.19:32
notmorganayoung: if it was strictly a fix for newton i'd just say "not worth it"19:32
ayoungnotmorgan, why is it a legitimate bug?19:32
notmorganayoung: but if we're dealing with a backportable fix to where this is "supported" we might need to handle this case.19:33
ayoungthe only way I can see anyone getting in that situation is by either dpoing direct LDAP manipulation or messing up thei ldap config19:33
ayoungso...meh19:33
ayoungwon't hold it up, won't +219:33
notmorganpretty much i am willing to say for liberty backport i'll suport it if it is really an issue19:34
notmorganbut if otherwise not a winner of a path to go down.19:34
notmorganayoung: i just commented on the patch19:39
notmorganayoung: i think the unfiltered group get is a broken thing.19:40
notmorganayoung: *think*19:40
ayoungnotmorgan, yeah, that part is spurious19:40
notmorganthe filter remove is bad and justified for a -1 in the list19:41
*** browne has quit IRC19:42
*** rk4n has joined #openstack-keystone19:44
dolphmdstanek: your follow up is requested on https://review.openstack.org/#/c/261188/19:47
patchbotdolphm: patch 261188 - python-keystoneclient - Add wrapper classes for return-request-id-to-caller19:47
*** sdake has joined #openstack-keystone19:52
*** mvk has joined #openstack-keystone19:55
*** mvk_ has quit IRC19:58
*** lhcheng has joined #openstack-keystone19:59
*** ChanServ sets mode: +v lhcheng19:59
*** lhcheng_ has quit IRC19:59
*** ametts has quit IRC20:00
dstanekdolphm: shore20:01
dstanekdolphm: i still think that's a terrible idea20:02
dolphmdstanek: the approach or the idea?20:02
dstanekdolphm: the idea of adding an attribute to a builtin type20:03
dstaneki think it was bknudson that had the idea to have different return values based on a flag to the client. then deprecate the old way20:03
*** pnavarro has quit IRC20:03
dstaneknot only is it terrible OOP, but imo it would be too easy to keep creating bugs like list(list_with_id)20:04
*** julim has joined #openstack-keystone20:07
dolphmdstanek: different return values?20:08
*** roxanagh_ has quit IRC20:08
dstaneka list or boolean for backward compat, but a response object of some sort if you ask for it20:09
dstanekthat way we can properly relay metadata like: was this a cached response, etc20:10
notmorganthe adding of attributes to base objects in python just makes me cry a little20:10
shewlessdstanek: hey I didn't forget about you. I just haven't had much luck. I hacked the metadata to say port 5000 for everything and I get a slightly different error but mostly just banging into brick walls20:12
*** ametts has joined #openstack-keystone20:15
*** lhcheng has quit IRC20:17
*** lhcheng has joined #openstack-keystone20:19
*** ChanServ sets mode: +v lhcheng20:19
dstanekshewless: why not try to get a public instance working against testshib as a starting point?20:21
*** lhcheng has quit IRC20:24
shewlessdstanek: I suppose that may be a good idea. any recommendations of a free cloud service to use? :)20:24
*** ametts has quit IRC20:30
dstanekshewless: i don't know of any free ones. i work at rackspace so i use theirs.20:33
dstanekshewless: you should be able to experiment for just a few bucks though20:33
shewlessdstanek: cool. I might just create a shib IDP at my work so I can own both sides.. we'll see. thanks for all of your help so far20:40
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428420:41
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/31428420:42
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements  https://review.openstack.org/32833920:42
*** iurygregory has quit IRC20:43
*** ayoung has quit IRC20:49
*** pauloewerton has quit IRC20:49
*** adrian_otto has joined #openstack-keystone20:52
*** tonytan_brb has joined #openstack-keystone20:53
*** tonytan4ever has quit IRC20:54
*** tonytan_brb is now known as tonytan4ever20:54
*** roxanaghe has joined #openstack-keystone20:55
*** lhcheng has joined #openstack-keystone21:00
*** ChanServ sets mode: +v lhcheng21:00
*** edmondsw has joined #openstack-keystone21:00
edmondswayoung notmorgan samueldmq I think everyone's misunderstanding https://review.openstack.org/#/c/32735821:01
edmondswplease see my response21:01
notmorganedmondsw: if list_user_groups is ever called outside of delete, you can't remove the filter21:02
notmorganedmondsw: you can provide a swtich to not filter where you need it21:02
notmorganedmondsw: but iirc that is not something we can just dump filter on.21:02
edmondswnotmorgan, a) it's not and b) that would depend on how this theoretical caller worked21:02
*** roxanaghe has quit IRC21:02
notmorganedmondsw: also i do want to ask, is this a bug in liberty as well?21:03
edmondswyes21:03
*** roxanaghe has joined #openstack-keystone21:03
notmorganblah21:03
*** KevinE_ has quit IRC21:03
notmorganif it was only newton/mitaka i'd probably say "meh"21:03
*** lhcheng has quit IRC21:05
edmondswnotmorgan looks like it's even in kilo21:05
notmorganyeah but kilo is EOLing21:06
notmorganso, i don't think we'll land the patch before kilo is dead.21:07
edmondswlist_user_groups_filtered is the method you should call (and that other places do call) when you want filtering...21:07
notmorganso see my comment. i reversed my -121:07
edmondswyou don't have to pass hints to call that... if you don't want hints, say None21:07
notmorganbasically i think this is a clear mixed use backend/manually edited/managed so keystone isn't really being authoritative to it's data store21:08
notmorgani can see how you land here but ugh.21:08
edmondswyeah, I agree with that21:08
edmondsweasiest way to land here would be to run one way for a while, then at some point change the group_filter conf setting21:08
notmorganedmondsw: yeah as i said in my comment21:09
notmorganwhich... is very likely to just totally hork everything anyway21:09
notmorganedmondsw: are you really hitting this?21:10
notmorganedmondsw: i mean, you've seen this in the wild?21:10
edmondswno, I saw it while I was fixing something different that I was hitting, and thought I was trying to be a good citizen21:10
notmorganedmondsw: phew21:10
notmorgan:)21:10
notmorganok21:10
notmorgani was worried that we had a bigger issue21:10
edmondswI'm not stupid enough to use keystone for read/write LDAP... ;)21:11
notmorganso i'm inclined to accept this for the logging / not bail out stuff.21:11
notmorganbut if someone hits this in the wild i'm going to ask how broken their systems are / have been21:11
notmorgan;)21:11
edmondswsure :)21:11
stevemaredmondsw: i was wondering why you brought up that bug :)21:11
notmorganedmondsw: i was also going to prod you on how you got wedged into that scenario if you were really troubleshooting it from a "broken prod system"21:12
edmondswNext time I should probably start the bug with NOTE: I'M NOT STUPID ENOUGH TO ACTUALLY GET MYSELF INTO THIS SITUATION BUT I NOTICED...21:12
stevemar:)21:12
stevemarits all we ask!21:12
notmorganedmondsw: so, i would easily +2 just the logging fixes not bail out- and i'm "ok" with accepting the fix as is.21:12
notmorganbut fwiw it's very edge-case-y21:13
edmondswsure21:13
*** itlinux has quit IRC21:13
notmorganand i would say "lets not even bother backporting" unless you feel very strongly about it. which means... do we need to fix it?21:13
notmorganand if you're feeling strong enough about it to warrant a real fix + backports. i'll say "sure"21:13
notmorgan(and you're going to backport it)21:14
* notmorgan lets edmondsw decide :)21:14
notmorganstevemar: (see what i did there? :P)21:14
edmondswI just wanted to throw up the fix, as I said, to be a good citizen.21:15
stevemarlet's just accept it :)21:15
edmondswpersonally I would merge it into master, so we have it and don't have someone else seeing this either in review or in the field21:15
notmorganstevemar: wfm, though someone else has to backport21:15
edmondswbut not backport... it can get backported if someone actually hits it and needs it backported21:16
notmorgani'll thats my contingency for accepting it.21:16
*** gagehugo has quit IRC21:16
notmorganbecause lets be fair, write ldap dies next cycle ;)21:16
edmondswfinally!21:16
notmorgannow... if steve +2s you don't need my approval21:16
notmorganand no backport needed, since dolph +2'd21:16
edmondswcome on stevemar!21:17
* notmorgan tosses stevemar under that bus.21:17
stevemaredmondsw: i haven't looked at the code yet, just glanced at the bug and i assumed you fixed it21:18
stevemaredmondsw: give me a few, i21:18
edmondswnp21:18
stevemari'm setting up a new slack channel, again21:18
*** lhcheng has joined #openstack-keystone21:20
*** ChanServ sets mode: +v lhcheng21:20
mnaseris there any way of creating a token under a certain user/tenant without access to their credentials (as an admin of course)21:22
*** browne has joined #openstack-keystone21:24
*** roxanaghe has quit IRC21:25
stevemarmnaser: not really21:25
edmondswmnaser I sure hope not21:25
stevemarmnaser: like if i was an admin, i could create a token for you and hand it over?21:26
lbragstadlike "as an admin, i'm going to create a token for user john.smith and give it to them"?21:27
*** jorge_munoz has quit IRC21:28
dolphmmnaser: trusts with impersonation let you do that, but the resulting tokens are flagged as such21:29
mnasercorrect to what lbragstad said21:30
*** itlinux has joined #openstack-keystone21:30
mnaseri guess the use case is we want to pass on a token to our control panel for it to do what it has to do21:30
mnaserand the user is already authenticated by our billing system, and we know user A => tenant ABC21:30
*** Guest5 has quit IRC21:32
mnaseri guess unless we implement an auth driver to auth with our billing, but i prefer not to touch internals of keystone21:33
mnaseralso another use case is when we terminate tenants, we have a very (annoying and risky) system that gets all resources by using things like all_tenants and then filtering down, this could be ultra scary if something goes wrong21:35
*** ddieterly is now known as ddieterly[away]21:35
mnaserif we can scope in as a user, life would be much easier21:35
*** sdake has quit IRC21:36
*** sdake has joined #openstack-keystone21:41
edmondswnotmorgan, since you brought up backporting... here's the review for my backport of the much more significant issue that led me to the LDAP read/write one were were just discussing21:42
edmondswhttps://review.openstack.org/#/c/327703/21:42
patchbotedmondsw: patch 327703 - keystone (stable/mitaka) - Honor ldap_filter on filtered group list21:42
dstanekshewless: i think i can get my hands on an adfs server for testing. i'll let you know if i have trouble21:43
*** sdake_ has joined #openstack-keystone21:43
*** sdake has quit IRC21:45
*** sigmavirus24 is now known as sigmavirus24_awa21:49
*** itlinux has quit IRC21:50
*** spandhe has joined #openstack-keystone21:51
*** rderose has quit IRC21:53
*** edmondsw has quit IRC21:53
*** roxanaghe has joined #openstack-keystone21:58
*** gabriel-bezerra has joined #openstack-keystone21:59
gabriel-bezerrahi folks, I'm trying to run a devstack with kilo version for some backporting work but am facing an issue with pycadf version21:59
gabriel-bezerraThe 'pycadf<0.9.0,>=0.8.0' distribution was not found and is required by keystone22:00
*** ddieterly[away] is now known as ddieterly22:00
gabriel-bezerrapip search pycadf shows version 2.3.0 installed22:01
*** dave-mccowan has quit IRC22:02
bknudsonthat's way too new22:05
bknudsongabriel-bezerra: I think you might have to check out the right level of /opt/stack/requirements? I had this problem earlier this week but already forgot how I worked around it.22:05
*** catintheroof has quit IRC22:06
bknudsonI probably tried pip installing the right version... but then I feel like that didn't work...22:06
gabriel-bezerrabknudson: I could just find this conflict...22:07
gabriel-bezerra/opt/stack/keystone/requirements.txt:35:pycadf<0.9.0,>=0.8.022:07
gabriel-bezerra/opt/stack/requirements/global-requirements.txt:143:pycadf>=1.1.0,!=2.0.0  # Apache-2.022:07
gabriel-bezerrayes, pip installing didn't work :(22:07
gabriel-bezerraI'll check if my branch version for requirments is right22:08
*** pushkaru has quit IRC22:08
gabriel-bezerrathanks for the suggestion, bknudson22:08
*** pushkaru has joined #openstack-keystone22:08
bknudsony, look there.22:08
*** pushkaru has quit IRC22:14
stevemargabriel-bezerra: looks like your requirements aren't from the kilo version22:15
gabriel-bezerrastevemar: yes, right that. I've just found how to specify requirements branch in local.conf22:18
gabriel-bezerraI'll try that now22:18
gabriel-bezerrathanks22:18
*** adrian_otto has quit IRC22:22
*** lhcheng has quit IRC22:30
*** pushkaru has joined #openstack-keystone22:33
*** julim has quit IRC22:39
*** vgridnev_ has joined #openstack-keystone22:41
*** scarlisle has quit IRC22:44
*** BjoernT has quit IRC22:46
*** henrynash_ has joined #openstack-keystone22:49
*** ChanServ sets mode: +v henrynash_22:49
*** timcline has quit IRC22:50
*** timcline has joined #openstack-keystone22:51
*** timcline has quit IRC22:55
stevemarlbragstad: thank you for responding to the perf. comments on the mailing list22:57
*** pushkaru has quit IRC22:59
notmorganlbragstad: i added some stuff on top to flesh out a bit more in the responses.22:59
notmorganlbragstad: also thanks for doing the work!22:59
notmorganstevemar: ^ cc22:59
* stevemar nods at notmorgan23:00
*** ddieterly has quit IRC23:00
* notmorgan wants to go for a run...23:03
*** adrian_otto has joined #openstack-keystone23:16
*** gordc has quit IRC23:22
*** tonytan4ever has quit IRC23:27
*** spandhe has quit IRC23:35
*** spandhe has joined #openstack-keystone23:43
*** spandhe has quit IRC23:52
*** pgbridge has quit IRC23:55
« Thursday, 2016-06-09 Index Saturday, 2016-06-11 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!