Wednesday, 2016-07-06

*** ddieterly has joined #openstack-keystone00:02
*** adu has joined #openstack-keystone00:04
*** TxGVNN has joined #openstack-keystone00:07
*** harlowja has quit IRC00:10
openstackgerritSam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authentication  https://review.openstack.org/28390500:11
notmorganjamielennox: which is fine really00:20
notmorgandict and memorypool code are short lived, no?00:20
*** bjornar_ has quit IRC00:20
notmorganand repopulated00:20
*** spzala has quit IRC00:24
jamielennoxnotmorgan: we've gone to lengths before to not change the format in memcache and surprise deployments00:26
notmorgan*blink*00:26
notmorganwe.. have?00:26
jamielennoxit just means i thought i had figured out a nice way around the oslo.cache update - and i haven't :(00:26
notmorganuhmm.00:27
notmorgandogpile also calculates cache_keys totally differently00:27
notmorgansoooooo00:27
jamielennoxnotmorgan: i was replacing the keymangler00:27
notmorgani mean, assuming "memcache" is long-lived is *wrong*00:27
notmorganbe very careful on doing that00:27
notmorganlike i said, assuming a cache key is long-lived... is wrong00:28
notmorganthe only place we've been VERY careful on this front has been in the token data stored in the backend iirc00:28
notmorganotherwise, *shrug*.00:28
notmorganand by token data, i mean when we had the memcache token backend00:28
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove oslo-incubator  https://review.openstack.org/33792800:30
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: WIP: Use dogpile.cache for caching  https://review.openstack.org/33792900:30
jamielennoxit'll fail tests but ^ is how00:30
*** ddieterly has quit IRC00:30
*** rderose has joined #openstack-keystone00:33
openstackgerritJamie Lennox proposed openstack/keystone: Remove accept_header from context  https://review.openstack.org/33701500:39
openstackgerritJamie Lennox proposed openstack/keystone: Use request.environ through auth and federation  https://review.openstack.org/33701700:39
openstackgerritJamie Lennox proposed openstack/keystone: Remove headers from context  https://review.openstack.org/33701600:42
*** tonytan4ever has joined #openstack-keystone00:42
*** tonytan4ever has quit IRC00:47
*** rderose has quit IRC00:57
stevemarjamielennox: thanks for the rebase on master01:06
*** harlowja has joined #openstack-keystone01:09
stevemarjamielennox: reference https://bugs.launchpad.net/keystonemiddleware/+bug/1523375 if possible01:09
openstackLaunchpad bug 1523375 in keystonemiddleware "Keystonemiddleware should switch to oslo.cache" [Low,In progress] - Assigned to Jamie Lennox (jamielennox)01:09
jamielennoxstevemar: yea, i already have a review open that attempts to do this another way, i should probably have used that - however i don't know if this is the right way to go yet01:10
*** spzala has joined #openstack-keystone01:17
gyeestevemar, would you be mad at me if I A+ this one? https://review.openstack.org/#/c/283905/01:18
patchbotgyee: patch 283905 - keystoneauth - Auth plugin for X.509 tokenless authentication01:18
gyeeonce we get this in, next stop is devstack change to make use of it01:19
jamielennoxgyee: i've been reviewing it, i just haven't had a chance to do a setup and do a real test of it01:20
jamielennoxbut the code looks fine01:20
jamielennoxi'm not sure it should ever be default in devstack though01:20
gyeejamielennox, thanks brother!01:20
gyeejamielennox, I can work on a devstack patch showing how it can be utilized01:20
gyeejamielennox, you can use the same certs from keystone-manage gen_pki01:21
jamielennoxgyee: i put a +2 on for the code, if you're satisfied it actually works in production then you can +A it01:21
gyeeor I can send you a script to generate your own PKI01:21
jamielennoxgyee: do we still have that?01:21
openstackgerritJamie Lennox proposed openstack/keystoneauth: Allow prompting for password when CLI loading  https://review.openstack.org/24852401:22
*** tqtran has quit IRC01:22
jamielennoxnotmorgan: i want to talk to you about your -2 on ^01:23
gyeejamielennox, yes, keystone-manage pki_setup still around01:23
gyeethough it may get removed by Ocata01:23
jamielennoxgyee: so there is still no solution here for how you do X-Service-Token with this which glance, swift etc rely on - so i still consider this a bit of a niche usage01:25
gyeeit's a niche for now01:25
gyeeI am working on a POC on how to map certs directly to auth headers01:26
jamielennoxwhy not just do x509 federation?01:26
gyeeyes, that's the idea01:26
jamielennoxok, that's different to tokenless01:26
gyeeit can be both01:27
jamielennoxbut hey - you could actually make use of binding in that case!01:27
gyeex509 federation is already supported today :-)01:27
jamielennoxthere's no keystoneauth plugin for it afaik01:27
*** thiagolib has quit IRC01:28
gyeejamielennox, http://www.meetup.com/openstack/events/229450770/01:29
gyeetake a look at the slides01:29
gyeegotta run, have an appointment with the treadmill, be back in an hour01:32
*** wangqun has joined #openstack-keystone01:32
*** chlong has quit IRC01:40
*** spzala has quit IRC01:48
*** chlong has joined #openstack-keystone01:53
*** iurygregory_ has joined #openstack-keystone01:55
*** code-R has joined #openstack-keystone01:55
openstackgerritEric Brown proposed openstack/keystone: Add a py35 tox venv for Python 3.5 support  https://review.openstack.org/33795201:55
*** tonytan4ever has joined #openstack-keystone02:02
*** EinstCrazy has joined #openstack-keystone02:04
*** tonytan4ever has quit IRC02:07
*** code-R_ has joined #openstack-keystone02:18
*** code-R_ has quit IRC02:19
*** code-R__ has joined #openstack-keystone02:19
*** code-R has quit IRC02:20
*** EinstCrazy has quit IRC02:21
*** tqtran has joined #openstack-keystone02:21
*** tqtran has quit IRC02:26
*** EinstCrazy has joined #openstack-keystone02:27
*** tonytan4ever has joined #openstack-keystone02:31
*** amoralej|pto has quit IRC02:33
*** amoralej has joined #openstack-keystone02:33
*** roxanagh_ has joined #openstack-keystone02:43
*** roxanagh_ has quit IRC02:48
*** tonytan4ever has quit IRC02:48
*** tonytan4ever has joined #openstack-keystone02:49
*** gyee has quit IRC02:52
*** woodster_ has quit IRC02:59
*** maestropandy has joined #openstack-keystone03:03
*** roxanagh_ has joined #openstack-keystone03:06
*** tonytan_brb has joined #openstack-keystone03:06
*** gagehugo has joined #openstack-keystone03:09
*** tonytan4ever has quit IRC03:09
*** richm has quit IRC03:12
openstackgerritMerged openstack/keystone: Use request.environ through auth and federation  https://review.openstack.org/33701703:15
openstackgerritMerged openstack/keystone: Remove accept_header from context  https://review.openstack.org/33701503:19
*** julim has quit IRC03:21
*** maestropandy has quit IRC03:23
*** spzala_ has joined #openstack-keystone03:25
*** spzala_ has quit IRC03:26
*** roxanagh_ has quit IRC03:28
*** ayoung has quit IRC03:30
*** iurygregory_ has quit IRC03:43
*** code-R has joined #openstack-keystone03:48
*** code-R__ has quit IRC03:51
*** itisha has joined #openstack-keystone03:52
openstackgerritMerged openstack/keystoneauth: Auth plugin for X.509 tokenless authentication  https://review.openstack.org/28390503:53
*** GB21 has joined #openstack-keystone03:56
*** code-R has quit IRC04:01
*** roxanagh_ has joined #openstack-keystone04:01
*** code-R has joined #openstack-keystone04:01
*** chrisshattuck has joined #openstack-keystone04:02
*** gagehugo has quit IRC04:12
*** GB21 has quit IRC04:15
*** code-R_ has joined #openstack-keystone04:17
*** code-R has quit IRC04:20
*** tqtran has joined #openstack-keystone04:23
*** GB21 has joined #openstack-keystone04:28
*** tqtran has quit IRC04:28
*** kean has joined #openstack-keystone04:28
keanhi  anyone know this :openstack service create \04:29
kean  --name keystone --description "OpenStack Identity" identity04:29
kean-bash: openstack: command not found04:29
keanI Just follow this page as a guide: http://docs.openstack.org/mitaka/install-guide-rdo/keystone-services.html04:30
*** GB21 has quit IRC04:34
keanI got this :  need to install python-openstackclient04:36
keanAnyone know this :$ export OS_URL=http://controller:35357/v304:37
keanwhat should I type for controller ?04:37
keanmy server IP ?04:37
keanERROR message:# openstack service create   --name keystone --description │04:38
kean"OpenStack Identity" identity                                                  │04:38
keanUnable to establish connection to http://192.168.0.4:35357/v3/services04:38
*** janonymous has joined #openstack-keystone04:40
*** links has joined #openstack-keystone04:48
keanhi @all04:49
*** roxanagh_ has quit IRC04:53
*** GB21 has joined #openstack-keystone04:59
*** sheel has joined #openstack-keystone05:02
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add service functional tests  https://review.openstack.org/33735105:03
*** code-R has joined #openstack-keystone05:11
*** code-R_ has quit IRC05:11
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 policies  https://review.openstack.org/33782905:16
*** chrisshattuck has quit IRC05:16
openstackgerritMerged openstack/keystone: Remove headers from context  https://review.openstack.org/33701605:21
openstackgerritShan Guo proposed openstack/keystone: Make Fernet the default token provider Edit  https://review.openstack.org/33799705:25
keananyone know how to fix this ?05:59
*** itisha has quit IRC06:00
openstackgerritShan Guo proposed openstack/keystone: Make Fernet the default token provider Edit  https://review.openstack.org/33799706:02
*** pcaruana has joined #openstack-keystone06:05
*** rcernin has joined #openstack-keystone06:09
*** tonytan_brb has quit IRC06:14
*** adu has quit IRC06:14
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add policy functional tests  https://review.openstack.org/33783606:24
-openstackstatus- NOTICE: All python 3.5 jobs are failing today, we need to build new xenial images first.06:27
*** harlowja has quit IRC06:34
*** nisha has joined #openstack-keystone06:36
*** code-R has quit IRC07:13
*** jpena|off is now known as jpena07:13
*** tonytan4ever has joined #openstack-keystone07:14
*** tonytan4ever has quit IRC07:20
*** tesseract- has joined #openstack-keystone07:21
*** GB21 has quit IRC07:24
*** yolanda has joined #openstack-keystone07:30
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 regions  https://review.openstack.org/33806307:32
openstackgerritShan Guo proposed openstack/keystone: Make Fernet the default token provider Edit  https://review.openstack.org/33799707:34
*** yolanda has quit IRC07:38
*** yolanda has joined #openstack-keystone07:38
*** nisha_ has joined #openstack-keystone07:41
*** yolanda has quit IRC07:43
*** nisha has quit IRC07:44
alogajamielennox: are you around to discuss about patch 33046507:45
patchbotaloga: https://review.openstack.org/#/c/330465/ - keystoneauth - oidc: deprecate grant_type argument07:45
alogajamielennox: ouch, not that one, I mean patch 33000607:45
patchbotaloga: https://review.openstack.org/#/c/330006/ - keystoneauth - WIP - oidc: fix OpenID Connect authorization code ...07:45
keanhi  how to understand domain of keystone ?07:47
*** nisha_ has quit IRC07:48
*** yolanda has joined #openstack-keystone07:49
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000607:51
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class  https://review.openstack.org/33714007:51
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support  https://review.openstack.org/33046407:51
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument  https://review.openstack.org/33046507:51
openstackgerrityuyafei proposed openstack/python-keystoneclient: Add __ne__ built-in function  https://review.openstack.org/33743507:59
*** yolanda has quit IRC07:59
*** zzzeek has quit IRC08:00
*** GB21 has joined #openstack-keystone08:00
*** zzzeek has joined #openstack-keystone08:00
*** danpawlik has joined #openstack-keystone08:03
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** pnavarro has joined #openstack-keystone08:15
*** GB21 has quit IRC08:31
*** GB21 has joined #openstack-keystone08:47
*** code-R has joined #openstack-keystone09:13
*** tonytan4ever has joined #openstack-keystone09:16
*** code-R has quit IRC09:18
*** GB21 has quit IRC09:20
*** tonytan4ever has quit IRC09:21
*** SamYaple has quit IRC09:23
*** tqtran has joined #openstack-keystone09:25
*** tqtran has quit IRC09:29
*** kean has quit IRC09:35
*** GB21 has joined #openstack-keystone09:38
*** daemontool has joined #openstack-keystone09:49
*** GB21 has quit IRC09:51
*** tonytan4ever has joined #openstack-keystone09:52
*** daemontool has quit IRC09:58
*** daemontool has joined #openstack-keystone09:58
*** links has quit IRC10:00
jamielennoxaloga: i'm here10:07
*** GB21 has joined #openstack-keystone10:08
jamielennoxhenrynash: hey - you here re your comment on https://review.openstack.org/#/c/336980/10:11
patchbotjamielennox: patch 336980 - keystone - Pass request to build_driver_hints10:11
alogajamielennox: me too10:11
henrynashjamielennox: HI10:11
jamielennoxeveryone at once10:11
henrynashIt’s a DOS attack10:12
jamielennoxaloga: so i think for now take the oidc webbrowser patch out of line and we'll discuss it separately10:12
jamielennoxaloga: you going to the midcycle?10:12
jamielennoxhenrynash: so re https://review.openstack.org/#/c/336980/2/keystone/assignment/controllers.py i want to make sure i'm not changing the behaviour at all10:13
patchbotjamielennox: patch 336980 - keystone - Pass request to build_driver_hints10:13
alogajamielennox: no I'm not10:13
alogajamielennox: I'll try to split it out, but it is a painful work10:13
jamielennoxhenrynash: i don't think i am, but i didn't understand the domain_id flag initially (and still not sure i see why it matters)10:13
jamielennoxaloga: really? the others are dependent on that?10:14
henrynashjamielennox: let me go through it again to ensure we are not changing the functionality with your modifications10:14
alogajamielennox: nevermind, I'll try to update it10:15
jamielennoxhenrynash: so i confirmed that if i don't set domain_id=None then i do get different behaviour so i think that's right10:15
henrynashjamielennox: it’s a subtlety due to our desire to not surprise API callers who aren’t aware of domain specific roles10:15
alogajamielennox: however, there is no way of implementing this grant type without interacting with the browser10:15
jamielennoxaloga: actually i may have read it incorrectly and it's not in the patch chain - i really dislike this gerrit interface where you can't tell immediately what the parents are10:16
jamielennoxaloga: or maybe just the version you just uploaded and i'm looking at now doesn't have it10:17
jamielennoxhenrynash: yea, but it surprises me that you would need to force set = None, i would expect that to be the default10:17
jamielennoxlike based on the code i can't see any way that domain_id is not set (if missing its forced to =None) so why not just the backend expects that default?10:19
henrynashjamielenox: it’s in the query string, so no current API would set domain_id=None, since domain_id didn’t used to be an attribute of the role10:19
henrynashjamielennox: and we want to interpret the lack of setting domain_id in the query string as the same as domain_id=None, so that we can only return those roles with domain_id=None (i.e. global roles)10:20
jamielennoxhenrynash: right, so why does me just leaving domain_id unset not do that by default10:20
jamielennoxaloga: if it can't be done without the browser i'm annoyed that we carry it at all10:22
henrynashjamielennox: you mean why actually update the context_dict? I think I wanted to do that so that the url we return in the collection showed the default we had applied (maybe that was the wrong thing to do…)10:23
jamielennoxhenrynash: when i removed those lines it failed10:23
henrynashjamielennox: i’m trying to remember why I did it this way!10:24
jamielennoxlike if i don't do         if not request.params.get('domain_id'):            hints.add_filter('domain_id', None)    it fails10:24
henrynashjamielennox: ok, let me go try and refresh my memory on why I did it this way!10:25
*** wangqun has quit IRC10:26
openstackgerritMerged openstack/keystone: Use request instead of context in v2 auth  https://review.openstack.org/33699910:27
alogajamielennox: sorry, I was in a meeting and I had to pretend I was attending10:30
alogaO:-)10:30
jamielennoxaloga: ha - yep know that feeling10:30
alogajamielennox: so, the other patches depend on it, so taking it out of the chain would require a bit of work, but it's doable10:30
alogajamielennox: but, there is no way to do that without the browser, I am afraid10:31
henrynashjamielennox: ah, right!10:32
jamielennoxaloga: :(10:32
henrynashjamielennox: it’s to do with policy protection of the list_roles and list_domain_roles endpoints10:32
henrynashjamielennox: we want to be able to write policy rules that know if you are looking at global roles or not, and this is done by (effectively) looking in the query string to see if domain_id=None10:33
jamielennoxhenrynash: yep, so that's the split from the wrapper10:34
henrynashthe @controller.filterprotected() wrapper10:34
*** samueldmq has joined #openstack-keystone10:34
*** ChanServ sets mode: +v samueldmq10:34
jamielennoxhenrynash: so so long as they go through the right function the correct policy should be enforced10:34
henrynashwhich is around the endpoints themselves….10:34
samueldmqmorning keystone10:35
henrynashyep10:35
jamielennoxhenrynash: but i don't think that should require setting the value on the contextdict10:35
henrynashwell, I think, that’s what @controller.filterprotected() uses to set the attributes that get passed to oslo.policy10:35
henrynashjamielennox: so you can write policy rules based on the filters…AND…with our current policy engine you can’t test for the lack of an attribute10:36
alogajamielennox: the only option that I see is using "urn:ietf:wg:oauth:2.0:oob" as the redirect URL but this requires that 1) the user goes *manually* to an URL, 2) the user gets the code from a web page, 3) the user enters the code *interactively*10:36
alogajamielennox: your brain is going to die of context switching high rate :P10:37
henrynashjamielennox: so we need to be able to explicitly test for domain_id = None (or not) in our policy rule for listing roles10:38
jamielennoxhenrynash: i'm not sure, because when i did the rearrange to put it on the hints directly it still worked10:39
henrynashjamielennox: hmm, but something still doesn’t smell right10:39
jamielennoxi need to figure out which test was failing10:39
henrynashjamielennox: I’ll look into it as well10:40
*** jed56 has joined #openstack-keystone10:41
jamielennoxhenrynash: keystone.tests.unit.test_v3_assignment.DomainSpecificRoleTests.test_get_and_list_domain_specific_roles10:42
henrynashjamielennox: that failed when you did what…not change the context dict?10:43
jamielennoxhenrynash: on master10:43
jamielennoxdiff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py10:43
jamielennoxindex 32fa07a..f897c1c 10064410:43
jamielennox--- a/keystone/assignment/controllers.py10:43
jamielennox+++ b/keystone/assignment/controllers.py10:43
jamielennox@@ -335,11 +335,7 @@ class RoleV3(controller.V3Controller):10:43
jamielennox         # global roles, so we set the domain_id filter to None.10:43
jamielennox         # NOTE(jamielennox): this is still using context_dict because it's10:43
jamielennox         # writing to the query dict. Why is it writing to the query dict?10:43
jamielennox-        params = request.context_dict['query_string']10:43
jamielennox-        if 'domain_id' not in params:10:43
jamielennox-            request.context_dict['query_string']['domain_id'] = None10:43
jamielennox-10:43
jamielennox-        if request.context_dict['query_string']['domain_id'] is not None:10:43
jamielennox+        if request.context_dict['query_string'].get('domain_id'):10:43
jamielennox             return self.list_domain_roles(request)10:43
jamielennox         else:10:43
jamielennox             return self.list_roles(request)10:44
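Review bot: the new test request.context_dict['query_string'].get('domain_id') is a truthiness check, whereas the removed lines compared with "is not None", so a request carrying an empty domain_id= now goes to list_roles instead of list_domain_roles. The removed block was also the only place that defaulted a missing domain_id to None in the query string, which the retained comment ("so we set the domain_id filter to None") and the NOTE about writing to the query dict both still describe; with the default gone, list_roles is reached with no domain_id filter at all. Either keep an explicit None default somewhere before list_roles runs or update both comments, and cover the "no domain_id in the query string" case with a test.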
jamielennoxi probably shouldn't paste that but whatever10:44
jamielennoxtesttools.matchers._impl.MismatchError: 3 != 610:44
samueldmq:-)10:44
henrynashjamielennix: Ok, let me study that!10:44
samueldmqjamielennox: henrynash: are you talking about a bug ?10:44
samueldmqor just something to  be implemented ?10:45
jamielennoxsamueldmq: just an oddity i've found when rearranging some stuff10:45
samueldmqI am asking because I see you're talking about roles .... and test_implied_roles in keystoneclient FAIL when another test use a role fixture10:45
samueldmqwhich is very odd10:45
samueldmqjamielennox: kk10:46
samueldmqjamielennox: would you have any idea what's going on here ? patch 33287110:46
patchbotsamueldmq: https://review.openstack.org/#/c/332871/ - python-keystoneclient - Add project functional tests10:46
samueldmqjamielennox: I have looked at it for a bit and I don't have any clue10:46
henrynashjamielennox: are you saying it fails when you change that even with your additions to build_driver_hints?10:48
jamielennoxsamueldmq: so the error on that one in console.txt is to do with infra problems10:48
samueldmqjamielennox: the implied roles mismatch ?10:49
jamielennoxhenrynash: no i applied that direct to master, it should be the same outcome10:49
samueldmqjamielennox: gaah, let me get you the right logs, sorry10:49
samueldmqjamielennox: see the previous build http://logs.openstack.org/71/332871/8/check/gate-keystoneclient-dsvm-functional/b799e58/console.html.gz#_2016-06-30_10_55_54_81406310:50
henrynashjamielennox: so yes, I would expect that to fail if you just nuked those lines, since that causes our filtering to only return global roles if you have not specified a domain_id ID at all in the query…so that makes sense10:53
henrynashjamielenox: the question is whether not updating the context is safe from a policy check point of view…which I will now investigate10:53
*** TxGVNN has quit IRC10:54
jamielennoxhenrynash: yea i was just looking at that as well10:55
jamielennoxhenrynash: yes, that's my thing - why does not domain_id not default to None10:56
*** TxGVNN has joined #openstack-keystone10:57
henrynashjamielennox: your question on defaults…do you mean in the policy checking or the actual filtering in terms of returning the correct collection10:59
jamielennoxhenrynash: the filtering10:59
jamielennoxthe backends10:59
henrynashjamielennox: ah, but there is a difference between not specifying domain_id and domain_id=None…the first means get me ALL roles, the second means get me all global roles…so we can’t leave it to the manager layer…it’s a current API difference11:01
henrynash(since we are going to, in the end, plug these filters into an sql command)11:02
jamielennoxhenrynash: i don't think you can actually specify both those things11:04
*** TxGVNN has quit IRC11:05
jamielennoxif you were to not specify the domain_id then the code sets it to None anyway11:05
*** EinstCrazy has quit IRC11:05
jamielennoxhenrynash: ok, you're trying to manually trigger https://github.com/openstack/keystone/blob/master/keystone/assignment/role_backends/sql.py#L19-L2511:10
henrynashjamielennox: gotta drop off as off to dentist…but will look at this later11:13
*** henrynash has quit IRC11:13
*** code-R has joined #openstack-keystone11:14
*** TxGVNN has joined #openstack-keystone11:14
*** code-R has quit IRC11:19
*** links has joined #openstack-keystone11:24
openstackgerritJamie Lennox proposed openstack/keystone: Handle role filtering in the backend  https://review.openstack.org/33819211:30
jamielennoxhenrynash_: is ^ equivalent?11:31
*** rodrigods has quit IRC11:41
*** rodrigods has joined #openstack-keystone11:41
*** amoralej is now known as amoralej|lunch12:01
*** permalac has joined #openstack-keystone12:02
*** raildo-afk is now known as raildo12:14
*** jpena is now known as jpena|lunch12:23
openstackgerritMerged openstack/python-keystoneclient: Add service functional tests  https://review.openstack.org/33735112:25
*** pnavarro has quit IRC12:27
*** tonytan4ever has quit IRC12:27
*** henrynash has joined #openstack-keystone12:32
*** ChanServ sets mode: +v henrynash12:32
openstackgerritMerged openstack/python-keystoneclient: Improve docs for v3 policies  https://review.openstack.org/33782912:34
*** GB21 has quit IRC12:35
*** tonytan4ever has joined #openstack-keystone12:38
*** henrynash has quit IRC12:45
openstackgerritMerged openstack/python-keystoneclient: Add policy functional tests  https://review.openstack.org/33783612:45
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Add project functional tests  https://review.openstack.org/33287112:45
*** nisha has joined #openstack-keystone12:46
*** woodster_ has joined #openstack-keystone13:04
*** maestropandy has joined #openstack-keystone13:10
stevemaro/13:13
nishao/13:14
*** amoralej|lunch is now known as amoralej13:14
*** code-R has joined #openstack-keystone13:15
*** pauloewerton has joined #openstack-keystone13:16
rodrigodsnisha, samueldmq, hey... found the issue in test_project13:16
rodrigodsthe actual issue13:16
nisharodrigods, yeah, I was reading your comments13:17
nisharodrigods, thank you, can you explain a bit please13:17
rodrigodsi mean, what causes that test to interfere in test_implied_roles13:17
rodrigodsnisha, do you have a ready devstack setup where you can run the tests?13:17
nisharodrigods, yes, I have13:19
rodrigodsnisha, ok, so first remove your .testrepository folder inside "python-keystoneclient" (after checking out this patch: https://review.openstack.org/#/c/332871/)13:20
patchbotrodrigods: patch 332871 - python-keystoneclient - Add project functional tests13:20
*** code-R has quit IRC13:20
nisharodrigods, checking out patch, meaning downloading the patch(thus, moving into req. branch)?13:22
rodrigodsnisha, yes! :)13:23
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000613:23
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class  https://review.openstack.org/33714013:23
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support  https://review.openstack.org/33046413:23
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument  https://review.openstack.org/33046513:23
*** sigmavirus_away is now known as sigmavirus13:24
nisharodrigods, will do it in 5 min, I am in middle of follow up patch for policies13:25
*** pnavarro has joined #openstack-keystone13:25
*** tonytan4ever has quit IRC13:26
*** tqtran has joined #openstack-keystone13:26
rodrigodsnisha, https://review.openstack.org/#/c/332871/9 commented there with the details13:26
patchbotrodrigods: patch 332871 - python-keystoneclient - Add project functional tests13:26
rodrigodssamueldmq, ^13:26
*** tonytan4ever has joined #openstack-keystone13:27
bretonoh wow13:27
*** tonytan_brb has joined #openstack-keystone13:27
rodrigodsbreton, referring to that ^?13:27
bretonnisha: are you planning to code functional tests for assignments?13:27
bretonrodrigods: yep13:27
*** tonytan4ever has quit IRC13:28
nishabreton, yeah role_assignments too13:28
*** M00nr41n has quit IRC13:29
bretonnisha: any ETA? I was planning to do the same, but if you do it, i'll switch to catalog tests13:29
rodrigodsbreton, note that are ksc tests, not keystone13:30
bretonoh.13:30
bretonooh.13:30
bretonrodrigods: thanks13:30
bretonnisha: nevermind then13:30
*** tqtran has quit IRC13:30
bretonnisha: thanks for working on it though13:30
stevemarjamielennox: rebase the saml keystoneauth one?13:32
nishabreton, I am working as an Outreachy intern for May-Aug with Samuel as my mentor. We are working on writing client functional tests and improving docs for the same :)13:32
nishabreton, your suggestions are welcome :)13:32
*** ametts has joined #openstack-keystone13:33
*** jpena|lunch is now known as jpena13:35
*** ayoung has joined #openstack-keystone13:38
*** ChanServ sets mode: +v ayoung13:38
*** itisha has joined #openstack-keystone13:39
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000613:43
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class  https://review.openstack.org/33714013:43
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support  https://review.openstack.org/33046413:43
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument  https://review.openstack.org/33046513:43
*** richm has joined #openstack-keystone13:43
*** AJaeger has joined #openstack-keystone13:44
AJaegerkeystone stable cores, could you approve these backports of adding other-requirements, please? https://review.openstack.org/335814 and https://review.openstack.org/335813 . Those help us to keep the list of default package installs small. Thanks, stevemar for your +2 already.13:45
stevemarbknudson_: dolphm notmorgan ^13:46
stevemari think we need another stable core =\13:46
stevemarwith notmorgan and bknudson_ a bit side tracked these days13:46
openstackgerritMerged openstack/keystone: Make assert_admin work with a request  https://review.openstack.org/33702213:47
dstanekstevemar: what's up with bknudson_ these days?13:49
openstackgerritDavid Stanek proposed openstack/keystone: Deprecate the AdminTokenAuthMiddleware  https://review.openstack.org/30528713:51
jdennishas there been a decision in which release python-keystoneclient will no longer be shipped?13:52
AJaegerjdennis: we still need the library, don't we?13:52
samueldmqdstanek: see my comment https://review.openstack.org/#/c/305287/2/etc/keystone-paste.ini13:53
patchbotsamueldmq: patch 305287 - keystone - Deprecate the AdminTokenAuthMiddleware13:53
jdennisto be more specific, when will the keystone cli cease to exist?13:53
*** GB21 has joined #openstack-keystone13:54
dstanekjdennis: i don't think we plan to stop shipping that. we just don't support the CLI anymore13:54
dstaneksamueldmq: good find. i'll change that comment. we never actually deprecated anything13:55
dstaneksamueldmq: i'm in the process of updating that again anyway to add a release note13:57
samueldmqdstanek: nice13:57
*** links has quit IRC13:57
jdennisdstanek: fair enough, let me rephrase: if you were telling a customer they needed to stop using the keystone cli and they had to switch to the openstack cli in which Openstack release would say they *must* make the switch?14:01
*** code-R has joined #openstack-keystone14:01
dstanekjdennis: isn't it already gone?14:03
*** julim has joined #openstack-keystone14:03
dstanekjdennis: http://docs.openstack.org/developer/python-keystoneclient/history.html#id314:04
*** diazjf has joined #openstack-keystone14:06
lbragstadnotmorgan bknudson_ henrynash_ dolphm with https://review.openstack.org/#/c/336268/1 , when do options get registered?14:08
patchbotlbragstad: patch 336268 - keystone - Do not register options on import (MERGED)14:08
*** SamYaple has joined #openstack-keystone14:08
*** diazjf has quit IRC14:09
*** henrynash has joined #openstack-keystone14:11
*** roxanaghe has quit IRC14:11
*** ChanServ sets mode: +v henrynash14:11
*** roxanaghe has joined #openstack-keystone14:11
*** bjornar_ has joined #openstack-keystone14:12
openstackgerritDavid Stanek proposed openstack/keystone: Deprecate the AdminTokenAuthMiddleware  https://review.openstack.org/30528714:14
*** code-R_ has joined #openstack-keystone14:16
SamYapledstanek: about https://review.openstack.org/305287 , can we bootstrap ldap domains now without the admin token?14:17
openstackgerritDavid Stanek proposed openstack/keystone: Deprecate the AdminTokenAuthMiddleware  https://review.openstack.org/30528714:18
*** code-R has quit IRC14:18
dstanekSamYaple: you can use bootstrap to create an admin that can use the API to do whatever14:19
*** diazjf has joined #openstack-keystone14:19
SamYapleso it will still require at least one mysql backed domain14:20
lbragstaddstanek thoughts on my comment here? https://review.openstack.org/#/c/334673/1/keystone/common/validation/parameter_types.py14:21
patchbotlbragstad: patch 334673 - keystone - Allow id string validation to be configurable14:21
*** nisha is now known as Guest1961014:21
*** Guest19610 has quit IRC14:22
*** nisha_ has joined #openstack-keystone14:23
henrynash_jamielennix: you still around?14:24
dstaneklbragstad: commented on the review14:24
lbragstaddstanek sweet - thanks14:26
lbragstaddstanek you mean create a decorator for get_id_string() or just a factory?14:26
*** BjoernT has joined #openstack-keystone14:26
dstanekyou'll need to create a new validation decorator and a factory for schema14:27
dstaneklbragstad: or possibly allow the existing one to accept a callable, but i like separate better if we can14:27
lbragstaddstanek so the factory will live in keystone/common/parameter_types.py14:27
dstaneklbragstad: yeah, the challenge is that anything that uses it will need to be a factory. no more declarative, module level schemas14:28
*** phalmos has joined #openstack-keystone14:29
*** gordc has joined #openstack-keystone14:31
*** ravelar159 has joined #openstack-keystone14:31
lbragstaddstanek got it - the factory part makes sense14:32
*** jaugustine has joined #openstack-keystone14:32
lbragstaddstanek let me post what i have and mark it as wip14:32
*** sdake has joined #openstack-keystone14:33
dolphmlbragstad: options get registered when keystone.conf.configure() is explicitly called https://github.com/openstack/keystone/blob/master/keystone/conf/__init__.py#L134-L13514:33
lbragstaddolphm ah - so it looks like that is called from keystone/server/common.py14:35
dolphmlbragstad: 95% of it yes14:35
lbragstader - that's one of the three places it is called14:35
dolphmlbragstad: right, tests, keystone-manage, and the wsgi module all call .configure()14:36
lbragstadok - cool14:36
dolphmlbragstad: i'd like to look at doing it a bit more like nova, but hopefully without reintroducing a race condition14:36
lbragstaddolphm how does nova do it?14:36
stevemarjdennis: dstanek yes, it's already gone14:37
stevemari think we removed it in the mitaka dev cycle14:37
dolphmlbragstad: that's the thing - pretty much like i was doing it, so nova has the race condition too14:37
lbragstaddolphm ah - interesting14:37
lbragstaddolphm I was going to say, it looked like we were doing exactly what they were doing14:38
stevemarjdennis: we did a major version jump when we released the new keystoneclient14:38
dolphmlbragstad: notmorgan and bknudson_ said they avoid the race condition from being a problem with diligent code reviewing :(14:38
stevemarjdennis: http://releases.openstack.org/teams/keystone.html14:38
stevemarjdennis: so *very* beginning of newton we dropped it14:38
stevemarjdennis: we cut 3.0.0 of keystoneclient14:38
lbragstaddolphm so - they make sure they don't introduce a race condition by not merging anything that can cause one?14:39
dstanekstevemar: yep, 3.0.0 was where we dropped it14:39
dolphmlbragstad: correct14:39
lbragstaddolphm hm14:39
dolphmlbragstad: like, they would have caught your patch like brant did14:39
dolphmlbragstad: not exactly fool-proof14:39
*** woodburn has joined #openstack-keystone14:39
*** henrynash has quit IRC14:39
*** nisha_ has quit IRC14:39
lbragstadthat sounds like a big foot-gun/tribal knowledge14:39
*** nisha_ has joined #openstack-keystone14:40
dolphmlbragstad: yep14:40
*** pushkaru has joined #openstack-keystone14:42
stevemardolphm: have a quick minute for simple backports?14:42
stevemardolphm: https://review.openstack.org/#/c/335814/ and https://review.openstack.org/#/c/335813/ for AJaeger14:42
patchbotstevemar: patch 335814 - python-keystoneclient (stable/liberty) - List system dependencies for running common tests14:42
patchbotstevemar: patch 335813 - python-keystoneclient (stable/mitaka) - List system dependencies for running common tests14:42
AJaegerthanks, stevemar for pinging on my behalf14:43
dolphmstevemar: yes14:48
*** nisha__ has joined #openstack-keystone14:54
*** KevinE has joined #openstack-keystone14:55
*** nisha_ has quit IRC14:56
*** KevinE has quit IRC14:56
*** GB21 has quit IRC14:56
*** nisha__ is now known as nisha_14:56
*** KevinE has joined #openstack-keystone14:56
*** thumpba has joined #openstack-keystone15:01
*** diazjf has quit IRC15:01
*** diazjf has joined #openstack-keystone15:01
*** ddieterly has joined #openstack-keystone15:05
*** pcaruana has quit IRC15:06
*** harlowja has joined #openstack-keystone15:07
*** code-R_ has quit IRC15:07
*** code-R has joined #openstack-keystone15:08
*** timcline has joined #openstack-keystone15:08
*** chrisshattuck has joined #openstack-keystone15:09
*** rcernin has quit IRC15:10
*** maestropandy has quit IRC15:12
*** aastha has joined #openstack-keystone15:13
*** jaugustine has quit IRC15:14
*** gsilvis_ is now known as gsilvis15:14
*** KevinE has quit IRC15:15
*** jaugustine has joined #openstack-keystone15:16
openstackgerritLance Bragstad proposed openstack/keystone: Allow id string validation to be configurable  https://review.openstack.org/33467315:17
*** maestropandy has joined #openstack-keystone15:18
*** thiagolib has joined #openstack-keystone15:18
*** tonytan_brb is now known as tonytan4ever15:18
*** pushkaru has quit IRC15:24
dolphmstevemar: AJaeger: is there a bug / spec to track the platform dependencies work? i've seen it in a few other projects, but haven't read up on it15:25
lbragstaddstanek updated https://review.openstack.org/#/c/334673/2 and marked as wip15:26
patchbotlbragstad: patch 334673 - keystone - Allow id string validation to be configurable15:26
lbragstaddstanek I added the factory to parameter_types, but the other part would be adding another decorator here - https://github.com/openstack/keystone/blob/46b76a3d8e302f47daf04c739066f70b7438e0da/keystone/common/validation/__init__.py#L22 ?15:27
*** code-R has quit IRC15:29
*** KevinE has joined #openstack-keystone15:35
dstaneksamueldmq meet lbragstad; lbragstad meet samueldmq; you guys may be working toward resolving the same race condition bug15:37
samueldmqdstanek: yes we have been working on that together :-)15:38
samueldmqbut haven't been updating each other recently15:38
samueldmq(I looked at that again yesterday)15:38
samueldmqlbragstad: hi, nice to meet you15:38
lbragstadsamueldmq were you able to recreate any of those issues since ayoung's patch landed15:38
lbragstadsamueldmq o/15:38
samueldmqlbragstad: yes15:38
samueldmqlbragstad: at a given patchset of ayoung's patch (one without that cache!), the tests passed15:39
lbragstadsamueldmq so - we're still susceptible to it even though we have revocation events in a linear search?15:39
samueldmqlbragstad: with cache (it merged with cache), it's been failing15:39
samueldmqlbragstad: https://review.openstack.org/#/c/319497/15:39
patchbotsamueldmq: patch 319497 - keystone - DO NOT MERGE: Test fix for fernet race condition15:39
samueldmqlbragstad: yes, still the same situation15:39
ayoungsamueldmq, where is the patch that does the caching correctly?15:40
lbragstadugh - are you able to recreate any of the failures locally?15:40
lbragstadsamueldmq or is it only in the gate?15:40
samueldmqlbragstad: in the gate15:40
dstanekcan it be reproduced locally?15:40
samueldmqayoung: your patch for linear search, one of the versions you had removed cache15:40
samueldmqayoung: and my test passed15:41
lbragstaddstanek bknudson_ samueldmq and myself were unable to recreate it locally15:41
lbragstadvia a host of different methods15:41
ayoungsamueldmq, nah, there was a follow on, I thought you wrote, that did the caching better15:41
*** diazjf has quit IRC15:41
lbragstadit only seems to be an issue in the gate15:41
samueldmqayoung: see rechecks of patchset 1 in https://review.openstack.org/#/c/319497/15:41
patchbotsamueldmq: patch 319497 - keystone - DO NOT MERGE: Test fix for fernet race condition15:41
samueldmqayoung: ah yes, even with revoking the cache, it fails :(15:41
dstanekmaybe the fourth try is the charm15:41
lbragstaddstanek that's what we said the second and third time too ;)15:42
samueldmqayoung: lbragstad I thought https://review.openstack.org/#/c/316991/ would fix it15:42
samueldmqbut not15:42
patchbotsamueldmq: patch 316991 - keystone - Invalidate token cache after token delete15:42
*** KevinE has quit IRC15:42
samueldmqI rebased https://review.openstack.org/#/c/319497/  on this potential fix ^, but it still failed, no luck15:43
patchbotsamueldmq: patch 319497 - keystone - DO NOT MERGE: Test fix for fernet race condition15:43
ayoungsamueldmq, I think it needs to be invalidated at other times, too15:43
ayoungsamueldmq, lets look at the failing test...might be due to a different side effect15:43
ayounggate-keystone-python35-db-nv FAILURE in 2m 13s (non-voting)15:44
ayoungthat was all that failed, right?15:44
samueldmqno15:44
samueldmqI am talking about the patch that tests fernet15:44
samueldmqgate-tempest-dsvm-full failed there, for eg15:44
samueldmqsee this patch https://review.openstack.org/#/c/319497/15:44
patchbotsamueldmq: patch 319497 - keystone - DO NOT MERGE: Test fix for fernet race condition15:44
samueldmqayoung: http://logs.openstack.org/97/319497/2/check/gate-tempest-dsvm-full/9a25562/console.html#_2016-07-05_17_11_41_87923115:45
ayoungsamueldmq, ok...but  316991 should go in, right?15:45
samueldmqayoung: it goes, there is a Depends-On: I496531a30559f0cf021c4478404093a99f2fbe3d15:46
*** maestropandy has quit IRC15:46
samueldmqwhich is 31699115:46
*** rcernin has joined #openstack-keystone15:49
*** slberger has joined #openstack-keystone15:51
openstackgerritDavid Stanek proposed openstack/keystone: Limits config fixture usage to where it's needed  https://review.openstack.org/26639915:54
*** nisha_ has quit IRC15:55
samueldmqayoung: I could submit a patch removing the cache on validate_token15:55
samueldmqayoung: and make the test patch depends on it15:55
*** nisha_ has joined #openstack-keystone15:55
samueldmqayoung: if it passes, we're missing to invalidate that somewhere15:55
ayoungsamueldmq, ++15:56
*** roxanagh_ has joined #openstack-keystone15:56
*** code-R has joined #openstack-keystone15:57
*** code-R_ has joined #openstack-keystone15:59
*** ddieterly is now known as ddieterly[away]15:59
*** ayoung has quit IRC16:00
*** code-R has quit IRC16:02
*** ddieterly[away] is now known as ddieterly16:05
dstaneksamueldmq: do you still have a link to that tempest test that fails?16:07
*** jaugustine has quit IRC16:08
*** shaleh has joined #openstack-keystone16:11
*** ravelar159 has quit IRC16:12
*** ddieterly is now known as ddieterly[away]16:12
*** ravelar159 has joined #openstack-keystone16:12
*** jaugustine has joined #openstack-keystone16:12
*** alex_xu has quit IRC16:15
*** ayoung has joined #openstack-keystone16:15
*** ChanServ sets mode: +v ayoung16:15
*** jaugustine has quit IRC16:17
*** bjornar_ has quit IRC16:18
*** ravelar_159 has joined #openstack-keystone16:19
*** ravelar159 has quit IRC16:20
*** gyee has joined #openstack-keystone16:21
*** ChanServ sets mode: +v gyee16:21
lbragstadhenrynash_ around?16:23
lbragstadhenrynash_ is domain specific backends designed to work with multiple domains in each "backend"? https://bugs.launchpad.net/keystone/+bug/155562916:23
openstackLaunchpad bug 1555629 in OpenStack Identity (keystone) "v3/users reports all users in all domains excepts when domain_specific_drivers_enabled is set to true." [Undecided,New]16:23
*** KevinE has joined #openstack-keystone16:24
*** KevinE has quit IRC16:25
*** KevinE has joined #openstack-keystone16:26
dstaneklbragstad: i don't think so, if i understand what you are asking. i think you just make a config for a domain and specify a backend and configuration for it.16:29
dstanekyou may use the same backend code, but you'd get different instances of the driver for different domains16:29
lbragstaddstanek in that bug report - they are seeing an API behavior issue when they have multiple domains in a single backend and the domain_specific_drivers_enabled options is True16:30
*** david-lyle_ has joined #openstack-keystone16:30
dstaneklbragstad: looking16:30
lbragstadit makes me think we need to document that use of domain specific backends16:31
*** david-lyle_ is now known as david-lyle16:32
lbragstadIt would probably clear up some confusion if we answered the question "Is domain specific backends designed to work with multiple domains in each backend, or only a single domain in each backend?"16:32
*** clenimar has joined #openstack-keystone16:33
*** KevinE has quit IRC16:33
*** nisha_ has quit IRC16:34
*** KevinE has joined #openstack-keystone16:34
dstaneklbragstad: one of the comments pointed to the docs that describe this behavior16:35
dstanekhttps://bugs.launchpad.net/keystone/+bug/1555629/comments/416:35
openstackLaunchpad bug 1555629 in OpenStack Identity (keystone) "v3/users reports all users in all domains excepts when domain_specific_drivers_enabled is set to true." [Undecided,New]16:35
*** ddieterly[away] is now known as ddieterly16:35
lbragstaddstanek so we could close that bug?16:38
*** david-lyle has quit IRC16:39
lbragstaddstanek but jesse brings up a good point in comment #916:39
dstanekif domain specific backends is enabled i don't think we can list users or groups efficiently. you'd have to iterate over all configured drivers, for which a user has authz on, and pull the lists, squash them together, etc16:40
dstaneki don't think real users will ever list all users in all domains. i think that would be cloud operators and they should not be surprised that the feature is enabled16:41
lbragstadthat's a good point16:42
dstaneki'll add my viewpoint to the bug16:43
*** gyee has quit IRC16:45
dstanekcommented16:48
*** amoralej is now known as amoralej|off16:49
*** tesseract- has quit IRC16:49
dstanekstevemar: take a look at https://bugs.launchpad.net/keystone/+bug/1555629 again? i think we should mark it as WONTFIX16:52
openstackLaunchpad bug 1555629 in OpenStack Identity (keystone) "v3/users reports all users in all domains excepts when domain_specific_drivers_enabled is set to true." [Undecided,New]16:52
*** TxGVNN has quit IRC16:54
*** ravelar_159 has quit IRC16:55
*** ravelar159 has joined #openstack-keystone16:59
*** gyee has joined #openstack-keystone17:00
*** ChanServ sets mode: +v gyee17:00
*** dan_nguyen has joined #openstack-keystone17:02
*** ayoung has quit IRC17:06
*** browne has joined #openstack-keystone17:07
*** jpena is now known as jpena|off17:10
*** jlk has quit IRC17:11
*** jlk has joined #openstack-keystone17:12
*** jlk has joined #openstack-keystone17:12
*** ddieterly is now known as ddieterly[away]17:13
*** dan_nguyen has quit IRC17:14
harlowjawhere's adam :-P17:14
harlowjacome back adam17:14
harlowjalol17:14
AJaegerdolphm: I've added the links to the review. The nova change was done in reaction to a new keyring release that needed additional dependencies installed on all images. For the change that added this to infra there was no bug ;(17:16
dolphmAJaeger: thanks, i recognize it's probably necessary for stable/* but i'd like to follow up for my own sake17:17
*** ddieterly[away] is now known as ddieterly17:17
*** daemontool has quit IRC17:18
AJaegerdolphm: sure, what can I help there?17:18
*** ayoung has joined #openstack-keystone17:19
*** ChanServ sets mode: +v ayoung17:19
notmorganeeuuuwww more keyring issues :(17:23
*** jaugustine has joined #openstack-keystone17:24
*** tqtran has joined #openstack-keystone17:27
*** bjornar_ has joined #openstack-keystone17:48
*** ddieterly is now known as ddieterly[away]17:49
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716917:53
*** sdake has quit IRC17:55
openstackgerritRoxana Gherle proposed openstack/keystone: Fix the username value in federated tokens  https://review.openstack.org/33561717:55
*** sdake has joined #openstack-keystone17:56
*** jaugustine has quit IRC17:57
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716917:59
*** browne1 has joined #openstack-keystone18:00
*** browne has quit IRC18:00
*** sdake has quit IRC18:02
*** browne1 has quit IRC18:03
*** browne has joined #openstack-keystone18:05
*** diazjf has joined #openstack-keystone18:06
*** sdake has joined #openstack-keystone18:08
*** sdake has quit IRC18:08
*** sdake has joined #openstack-keystone18:08
*** permalac has quit IRC18:09
*** AJaeger has left #openstack-keystone18:17
stevemardstanek: looking18:19
samueldmqdstanek: have you found the link you were looking for?18:20
samueldmqdstanek: https://review.openstack.org/#/c/319497/18:20
patchbotsamueldmq: patch 319497 - keystone - DO NOT MERGE: Test fix for fernet race condition18:20
dstanekstevemar: both dolphm and lbragstad have mixed opinions on the subject18:21
stevemardstanek: why not just check if we have multiple backends before changing the behaviour18:21
dstanekstevemar: what do you mean?18:22
dstanekif you have multiple backends you get a different behavior18:22
stevemardstanek: right, even if you don't have any18:22
stevemardstanek: the behaviour changes if "domain_specific_drivers_enabled" is set to T/F18:23
stevemarregardless if you have any domain specific drivers18:23
dstanekstevemar: that doesn't address Jessie's concern which I think is more important to have an official stance on18:24
*** jed56 has quit IRC18:25
stevemardstanek: he wants to list all the users even though he has multiple domains18:25
lbragstadIf I'm reading Jesse's comment correctly, he wants it so that when a user lists all users from keystone, they get all users regardless of the domain they are in and regardless of multiple domain backends18:25
dstanekthat's how i read it as well18:26
lbragstadin order to do that, we would have to get all the domains the user making the request has access to, list all users for those domains, then compile all the sets and return that in the response18:26
openstackgerritSean Perry proposed openstack/keystoneauth: Show deprecation when a user_agent is not set  https://review.openstack.org/28964518:27
lbragstadright?18:27
stevemar#success http://developer.openstack.org/api-ref.html now shows keystone's in-tree APIs !18:27
openstackstatusstevemar: Added success to Success page18:27
stevemarsamueldmq: ^18:27
lbragstador... we just return all users for all domains18:27
lbragstadall the time...18:27
samueldmqsamueldmq: woot, that's great18:28
samueldmqoops18:28
samueldmqstevemar: ^ not myself18:28
dstaneklbragstad: you still have to check access so you don't give out user data to someone that is not allowed to see it18:28
dstaneknot coke's admin can see pepsi's users? or is this just for cloud ops?18:28
dstaneks/not/now/18:29
*** dan_nguyen has joined #openstack-keystone18:31
lbragstaddstanek yeah - that's a good point18:32
lbragstadreturning all users regardless doesn't seem like the right solution18:32
*** ddieterly[away] is now known as ddieterly18:34
*** ayoung has quit IRC18:35
*** diazjf has quit IRC18:36
*** jaugustine has joined #openstack-keystone18:38
openstackgerritSean Perry proposed openstack/keystoneauth: Show deprecation when a user_agent is not set  https://review.openstack.org/28964518:39
*** jaugustine has quit IRC18:42
*** diazjf has joined #openstack-keystone18:43
*** esumerfd has joined #openstack-keystone18:54
*** sheel has quit IRC18:55
*** ddieterly is now known as ddieterly[away]18:57
*** ddieterly[away] is now known as ddieterly19:02
openstackgerritAndrew Laski proposed openstack/oslo.policy: Fix mispelled method name in setup.cfg  https://review.openstack.org/33850319:10
*** esumerfd has left #openstack-keystone19:10
*** nk2527 has joined #openstack-keystone19:12
*** diazjf has quit IRC19:17
*** samueldmq has quit IRC19:23
openstackgerritSean Perry proposed openstack/keystone: Order revocation query to prevent deadlocks  https://review.openstack.org/33850719:26
lbragstadgyee mind if i mark https://bugs.launchpad.net/keystone/+bug/1553324 as a duplicate of https://bugs.launchpad.net/keystone/+bug/147166519:27
openstackLaunchpad bug 1553324 in OpenStack Security Notes "potential DOS with revoke by id or audit_id" [Undecided,New] - Assigned to Luke Hinds (lhinds)19:27
openstackLaunchpad bug 1471665 in OpenStack Identity (keystone) "Successive runs of identity tempest tests take more and more time to finish" [Low,Confirmed]19:27
*** adu has joined #openstack-keystone19:34
*** adu has quit IRC19:37
*** gagehugo has joined #openstack-keystone19:39
*** diazjf has joined #openstack-keystone19:41
*** ddieterly is now known as ddieterly[away]19:44
*** ayoung has joined #openstack-keystone19:56
*** ChanServ sets mode: +v ayoung19:56
*** ravelar159 has quit IRC19:56
*** alex_xu has joined #openstack-keystone19:58
*** diazjf has quit IRC20:01
*** julim has quit IRC20:01
*** diazjf has joined #openstack-keystone20:02
*** julim has joined #openstack-keystone20:05
*** rcernin_ has joined #openstack-keystone20:06
*** dan_nguyen has quit IRC20:06
*** pnavarro has quit IRC20:07
*** ddieterly[away] is now known as ddieterly20:08
*** rcernin_ has quit IRC20:10
openstackgerritShawn Berger proposed openstack/keystone: Added name to duplicate entry error message.  https://review.openstack.org/33789220:10
*** sdake has quit IRC20:12
*** rcernin_ has joined #openstack-keystone20:15
*** rcernin_ has quit IRC20:19
*** sdake has joined #openstack-keystone20:19
*** rcernin_ has joined #openstack-keystone20:19
*** rcernin_ has quit IRC20:20
*** ravelar159 has joined #openstack-keystone20:22
*** ravelar159 has quit IRC20:22
*** ravelar159 has joined #openstack-keystone20:23
*** pnavarro has joined #openstack-keystone20:23
*** rcernin has quit IRC20:24
*** rcernin has joined #openstack-keystone20:25
*** rcernin has quit IRC20:25
*** rcernin has joined #openstack-keystone20:25
dstanek2/b 2520:27
*** ddieterly is now known as ddieterly[away]20:33
*** samueldmq has joined #openstack-keystone20:36
*** ChanServ sets mode: +v samueldmq20:36
*** ddieterly[away] is now known as ddieterly20:36
*** rcernin has quit IRC20:38
*** rcernin has joined #openstack-keystone20:39
*** jaugustine has joined #openstack-keystone20:39
gyeelbragstad, yes, they are related, still require OSSN nevertheless20:42
*** samueldmq has quit IRC20:44
*** jaugustine has quit IRC20:45
*** thumpba has quit IRC20:46
*** raildo is now known as raildo-afk20:51
*** sdake has quit IRC20:53
*** timcline has quit IRC20:58
*** timcline has joined #openstack-keystone20:58
*** dan_nguyen has joined #openstack-keystone20:58
*** ravelar159 has quit IRC21:01
openstackgerritEric Brown proposed openstack/keystone: Add a py35 tox venv for Python 3.5 support  https://review.openstack.org/33795221:01
*** sdake has joined #openstack-keystone21:03
*** rcernin has quit IRC21:03
*** rcernin has joined #openstack-keystone21:04
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000621:05
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move the get_unscoped_auth_ref into the base class  https://review.openstack.org/33714021:05
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support  https://review.openstack.org/33046421:05
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: deprecate grant_type argument  https://review.openstack.org/33046521:05
*** julim has quit IRC21:07
*** diazjf has quit IRC21:07
*** rcernin has quit IRC21:07
*** rcernin has joined #openstack-keystone21:07
*** pauloewerton has quit IRC21:19
openstackgerritMerged openstack/oslo.policy: Fix mispelled method name in setup.cfg  https://review.openstack.org/33850321:28
jamielennoxbknudson_: can you have a look at https://review.openstack.org/#/c/301918/ when you have a sec21:31
patchbotjamielennox: patch 301918 - oslo.context - Add oslo.context name attributes matching ids21:31
jamielennoxbknudson_: shouldn't be that difficult i just want to get some movement on context21:31
*** rcernin has quit IRC21:37
*** pnavarro has quit IRC21:37
*** ddieterly is now known as ddieterly[away]21:40
*** dan_nguyen has quit IRC21:44
*** gordc has quit IRC21:44
openstackgerritLance Bragstad proposed openstack/keystone: Add test coverage for trust tokens and domains  https://review.openstack.org/26545521:44
*** rvba has quit IRC21:48
*** sigmavirus is now known as sigmavirus_away21:52
*** gyee has quit IRC21:54
*** timcline has quit IRC21:56
*** diazjf has joined #openstack-keystone21:56
*** diazjf has quit IRC22:00
*** spzala has joined #openstack-keystone22:00
*** ametts has quit IRC22:02
*** ddieterly[away] is now known as ddieterly22:03
*** gagehugo has quit IRC22:05
openstackgerritEric Brown proposed openstack/keystone: Add a py35 tox venv for Python 3.5 support  https://review.openstack.org/33795222:12
*** bjornar_ has quit IRC22:18
openstackgerritEric Brown proposed openstack/keystone: Add a py35 tox venv for Python 3.5 support  https://review.openstack.org/33795222:20
*** david-lyle_ has joined #openstack-keystone22:21
*** KevinE has quit IRC22:25
*** david-lyle__ has joined #openstack-keystone22:26
*** timcline has joined #openstack-keystone22:26
*** timcline_ has joined #openstack-keystone22:29
*** timcline has quit IRC22:31
*** timcline_ has quit IRC22:33
*** david-lyle_ is now known as david-lyle22:35
*** david-lyle__ has quit IRC22:36
*** thiagolib has quit IRC22:38
*** slberger has left #openstack-keystone22:38
*** spzala has quit IRC22:38
*** spzala has joined #openstack-keystone22:39
*** spzala has quit IRC22:45
*** jgos1 has joined #openstack-keystone22:49
*** ddieterly is now known as ddieterly[away]22:52
*** ddieterly[away] is now known as ddieterly22:52
*** ddieterly has quit IRC22:52
openstackgerritRoxana Gherle proposed openstack/keystone: Fix the username value in federated tokens  https://review.openstack.org/33561722:57
*** BjoernT has quit IRC22:58
*** phalmos has quit IRC23:00
openstackgerritRoxana Gherle proposed openstack/keystone: Fix the username value in federated tokens  https://review.openstack.org/33561723:03
*** pushkaru has joined #openstack-keystone23:05
*** spzala has joined #openstack-keystone23:06
*** spzala has quit IRC23:10
jamielennoxnotmorgan: here?23:14
*** code-R_ has quit IRC23:18
*** chrisshattuck has quit IRC23:20
*** timcline has joined #openstack-keystone23:23
*** timcline has quit IRC23:27
*** roxanagh_ has quit IRC23:27
*** pushkaru has quit IRC23:35
*** jgos1 has quit IRC23:36
*** ravelar159 has joined #openstack-keystone23:39
*** itisha has quit IRC23:40
*** ravelar159 has quit IRC23:40
*** sdake has quit IRC23:43
*** code-R has joined #openstack-keystone23:45
notmorganjamielennox: sort of23:50
jamielennoxnotmorgan: want to debate your -2 on https://review.openstack.org/#/c/248524/23:50
patchbotjamielennox: patch 248524 - keystoneauth - Allow prompting for password when CLI loading23:50
jamielennoxi left a comment with most of it23:50
jamielennoxbut i don't expect people to see those after a -223:50
notmorgani would argue occ and osc should do the prompting23:51
notmorgannot KSA23:51
jamielennoxnotmorgan: they will, os-c-c uses the opts to do its own loading23:51
jamielennoxthis would give the opts the prompt param so they know to prompt23:51
jamielennoxand then in the case where ksa is handling the cli loading (rare, it'll be done via os-c-c) will let it prompt23:52
notmorganit's the getpass.getpass i don't want ksa to provide prompting code23:52
notmorgani would _much_ rather let OSC/OCC do that part23:52
notmorganand set the values before passing to KSA23:52
jamielennoxi consider the ksa cli loading a reference implementation at this point23:52
jamielennoxnotmorgan: os-c-c doesn't hit that path23:52
jamielennoxthey would have to handle prompting as they see fit23:53
notmorganagain, i just don't think prompting code that actually interrupts runtime for user-input-from-stdin belongs in ksa23:53
notmorganthat's where i'm having an issue.23:53
notmorgani'm fine with documenting it, i don't want someone consuming this directly from ksa, if that makes sense.23:54
jamielennoxnotmorgan: so that code only gets triggered when ksa is told to load options from a parsed CLI argparse.namespace - which is not how os-c-c does it23:54
*** roxanagh_ has joined #openstack-keystone23:54
jamielennoxwe need the option on Opt either way23:54
jamielennoxbut it seems silly to me to have this functionality unused by the most basic implementation23:54
jamielennoxagain, anyone using OSC/os-c-c will not hit this path23:55
notmorganthen why do we need it?23:55
notmorganwhy do we need keystoneauth to specifically prompt a user for input23:55
jamielennoxbecause there are older scripts that do, and because most people look at that code when doing their own thing23:56
notmorgandocument it, provide examples on "how to". but i view KSA as not-providing-direct-user-interaction23:56
jamielennoxnotmorgan: you're basically arguing that keystoneauth1/loading/cli.py shouldn't exist - and that's ok we've had that before23:56
notmorganpretty much.23:56
jamielennoxnotmorgan: but it does exist and it seems dumb to hamstring it now23:56
*** jdennis1 has joined #openstack-keystone23:56
notmorganhere is the deal. get mordred and stevemar to agree with you [even "eh, sure"] and i'm willing to rescind the -223:57
notmorganmostly because mordred and I discussed this a bit and both agreed that ksa shouldn't be getting into the prompting business23:58
notmorganand stevemar being the ptl.23:58
notmorganmordred also is a big consumer of KSA and sees where it has/is being used.23:58
*** jdennis has quit IRC23:59
notmorganjamielennox: i'm willing to give in. i just think this is a bad(tm) idea to implement23:59
jamielennoxalright, then either way i need to split that patch23:59
jamielennoxbecause i thought we got the prompt= param on Opts ages ago23:59
