Wednesday, 2016-07-27

*** dan_nguyen has quit IRC		00:01
*** browne has quit IRC		00:01
*** nkinder has quit IRC		00:11
*** jamielennox is now known as jamielennox\|away		00:12
*** Krenair has joined #openstack-keystone		00:18
adriant	Anyone able to have a quick look at one of my patches to see why python3 might be failing? I'm at a loss to see why.	00:21
*** roxanaghe has quit IRC		00:23
*** Krenair has left #openstack-keystone		00:26
*** adrian_otto has quit IRC		00:28
*** davechen has joined #openstack-keystone		00:38
*** code-R has joined #openstack-keystone		00:42
*** code-R_ has joined #openstack-keystone		00:44
*** sdake_ has quit IRC		00:45
*** code-R has quit IRC		00:47
*** sdake has joined #openstack-keystone		00:47
*** tonytan4ever has joined #openstack-keystone		00:47
stevemar	adriant: which?	00:48
*** code-R_ has quit IRC		00:48
*** code-R has joined #openstack-keystone		00:49
*** ddieterly has joined #openstack-keystone		00:49
adriant	stevemar: https://review.openstack.org/#/c/343422	00:52
patchbot	adriant: patch 343422 - keystone - adding totp support to password auth plugin	00:52
adriant	the unit tests I added don't pass python3, although based very much so on passing tests :/	00:53
*** tonytan4ever has quit IRC		00:53
*** tqtran has quit IRC		00:56
*** jrist has quit IRC		00:59
*** sdake has quit IRC		01:04
*** jrist has joined #openstack-keystone		01:11
*** nk2527 has quit IRC		01:16
*** ddieterly is now known as ddieterly[away]		01:20
*** ddieterly[away] is now known as ddieterly		01:20
*** openstackgerrit has quit IRC		01:33
*** openstackgerrit has joined #openstack-keystone		01:33
*** woodster_ has quit IRC		01:39
*** tonytan4ever has joined #openstack-keystone		01:49
rderose	adriant: should this line be user_id=self.default_domain_user['id']?	01:49
*** davechen has quit IRC		01:50
*** davechen has joined #openstack-keystone		01:51
rderose	adriant: referring to test_v3_auth.py, ln 5159	01:52
*** tonytan4ever has quit IRC		01:53
*** ddieterly has quit IRC		01:57
rderose	adriant: sorry, I see you overwrote the _make_auth_data_by_id(...) method	02:00
adriant	rderose: yeah, I was originally going to just extend the TOTP class, but by doing so it duplicated the tests it ran, so I ended up making duplicates of the helper functions	02:04
rderose	adriant: I see	02:04
rderose	adriant: yeah, so far I'm not seeing the error	02:05
*** julim has joined #openstack-keystone		02:05
adriant	Yeah, I'm confused as all hell. Unless something weird is happening in the plugin itself.	02:05
adriant	but... the password part of it obviously still works since the other tests are passing!	02:06
rderose	adriant: right	02:06
rderose	adriant: lets do a recheck just for kicks :)	02:08
adriant	rderose: fair enough. :P	02:08
adriant	although I get the same problem running it locally	02:08
rderose	adriant: hmm...	02:09
*** spandhe has joined #openstack-keystone		02:10
*** sdake has joined #openstack-keystone		02:12
*** spandhe has quit IRC		02:13
*** ebalduf has joined #openstack-keystone		02:16
*** roxanaghe has joined #openstack-keystone		02:24
*** iurygregory_ has joined #openstack-keystone		02:29
*** tonytan4ever has joined #openstack-keystone		02:35
*** jamielennox\|away is now known as jamielennox		02:41
*** ebalduf has quit IRC		02:45
*** sdake has quit IRC		02:53
*** tqtran has joined #openstack-keystone		02:55
*** ddieterly has joined #openstack-keystone		02:56
*** tqtran has quit IRC		02:59
*** gyee has quit IRC		03:03
*** ddieterly has quit IRC		03:08
adriant	rderose: I've found the issue...	03:08
adriant	passcode isn't a str, it's byte... so password+passcode does stupid shit like: 'password': "d611d450a801454195daae19d565c0a8b'249283'"	03:09
*** sdake has joined #openstack-keystone		03:12
*** thumpba has joined #openstack-keystone		03:15
*** thumpba has quit IRC		03:18
*** lamt has quit IRC		03:21
rderose	adriant: ah, that's great	03:29
rderose	adriant: glad you found it :)	03:30
adriant	rderose: yes, but I can't solve it... yet	03:30
*** adrian_otto has joined #openstack-keystone		03:31
adriant	rderose: it's so stupid and weird	03:34
adriant	the actual str value of the passcode is a byte str... but python thinks it's a str	03:35
adriant	'passcode': "b'008785'"	03:35
adriant	I'm vaguely surprised the other TOTP stuff hasn't fallen over for this same issue	03:36
rderose	adriant: wow...	03:36
adriant	I may need to talk to the person who wrote the passcode generation code as that seems to be the issue	03:37
rderose	adriant: I think you need to decode the byte	03:37
adriant	or just rewrite it myself	03:37
rderose	>>> b"abcde".decode("utf-8")	03:38
rderose	'abcde'	03:38
rderose	adriant: found that online: http://stackoverflow.com/questions/606191/convert-bytes-to-a-python-string	03:38
adriant	it's type str though	03:38
rderose	adriant: oh crap	03:38
rderose	:)	03:38
adriant	yeah	03:38
adriant	this is so very broken	03:38
adriant	I could use regex to parse it... but that's not a solution, that's a hack	03:39
rderose	yeah, seems like it. just don't know how the unit tests passed	03:39
rderose	yeah, that would be a hack. think you have to bite the bullet and just fix it.	03:40
adriant	I'll get a hold of the writer of the original TOTP patch for their input, and yeah, rewrite the passcode function	03:40
rderose	was it werner?	03:41
adriant	yeah I think so	03:41
adriant	i'll add him as reviewer to the patch as well	03:41
rderose	cool	03:41
adriant	bloody python 3	03:42
rderose	:) dam though, that was a touch one to uncover	03:42
rderose	glad you were able to find the root cause	03:42
adriant	Lots of digging, and checking all the variable outputs :/	03:43
adriant	thanks btw for trying :) This was very weird	03:44
*** dikonoor has joined #openstack-keystone		03:46
adriant	rederose: ahaha, and if I try and encode it as a byte I get this: b"b'522346'"	03:46
adriant	oh wow that is glorious	03:46
*** sheel has joined #openstack-keystone		03:48
openstackgerrit	Tin Lam proposed openstack/keystone: Add schema validation to v2 create tenant https://review.openstack.org/346594	03:48
rderose	:)	03:48
adriant	rderose: OH! I know why python3 tests are passing for TOTP	03:50
adriant	because it generates the same screwed up byte+str on both sides	03:51
adriant	and I'm only seeing the problem because I'm trying to concatenate it with a password	03:51
adriant	so the tests are passing, but the functionality is broken for python3	03:51
*** adrian_otto has quit IRC		03:52
*** links has joined #openstack-keystone		03:54
rderose	adriant: oh my goodness	03:58
rderose	adriant: yeah, that totally makes sense	03:58
*** thumpba has joined #openstack-keystone		04:00
adriant	rderose: it gets worse... open a python3 interpreter and try this: str(b'something')	04:02
*** thumpba has quit IRC		04:06
*** links has quit IRC		04:09
*** links has joined #openstack-keystone		04:12
*** jaugustine has quit IRC		04:13
*** gagehugo_ has quit IRC		04:13
*** thumpba has joined #openstack-keystone		04:15
*** NishaYadav has joined #openstack-keystone		04:15
*** NishaYadav is now known as Guest7538		04:15
*** jaugustine has joined #openstack-keystone		04:16
openstackgerrit	Adrian Turjak proposed openstack/keystone: adding totp support to password auth plugin https://review.openstack.org/343422	04:19
*** thumpba has quit IRC		04:27
*** richm has quit IRC		04:27
*** aastha has quit IRC		04:29
*** jamielennox is now known as jamielennox\|away		04:30
*** Guest7538 has quit IRC		04:32
*** nishaYadav has joined #openstack-keystone		04:32
*** thumpba has joined #openstack-keystone		04:36
*** GB21 has joined #openstack-keystone		04:39
*** iurygregory_ has quit IRC		04:43
*** davechen has quit IRC		04:45
*** adu has joined #openstack-keystone		04:48
*** jamielennox\|away is now known as jamielennox		04:51
*** gagehugo has joined #openstack-keystone		04:58
*** GB21 has quit IRC		05:03
*** GB21 has joined #openstack-keystone		05:03
*** adriant has quit IRC		05:06
*** roxanaghe has quit IRC		05:11
*** roxanaghe has joined #openstack-keystone		05:12
*** browne has joined #openstack-keystone		05:14
*** roxanaghe has quit IRC		05:17
openstackgerrit	Eric Brown proposed openstack/keystone: Invalid tls_req_cert constant as default https://review.openstack.org/347523	05:20
*** browne has quit IRC		05:20
*** maestropandy has joined #openstack-keystone		05:21
*** GB21 has quit IRC		05:25
*** GB21 has joined #openstack-keystone		05:27
*** adu has quit IRC		05:35
*** spandhe has joined #openstack-keystone		05:45
*** GB21 has quit IRC		05:49
*** GB21 has joined #openstack-keystone		05:51
*** EinstCrazy has joined #openstack-keystone		05:53
*** maestropandy has quit IRC		05:54
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add role functional tests https://review.openstack.org/335118	05:56
*** EinstCrazy has quit IRC		05:58
*** tqtran has joined #openstack-keystone		05:58
*** EinstCrazy has joined #openstack-keystone		06:02
*** tqtran has quit IRC		06:02
*** nishaYadav has quit IRC		06:06
*** nishaYadav has joined #openstack-keystone		06:07
*** nishaYadav is now known as Guest41247		06:07
*** EinstCra_ has joined #openstack-keystone		06:12
*** code-R has quit IRC		06:12
*** code-R has joined #openstack-keystone		06:13
*** roxanaghe has joined #openstack-keystone		06:13
*** GB21 has quit IRC		06:15
*** GB21 has joined #openstack-keystone		06:16
*** EinstCrazy has quit IRC		06:16
*** sdake has quit IRC		06:16
*** roxanaghe has quit IRC		06:18
*** GB21 has quit IRC		06:21
*** spandhe has quit IRC		06:26
*** davechen has joined #openstack-keystone		06:31
*** Guest41247 is now known as nishaYadav		06:33
*** amitkqed has joined #openstack-keystone		06:35
*** amitkqed has quit IRC		06:36
*** amitkqed has joined #openstack-keystone		06:37
*** GB21 has joined #openstack-keystone		06:40
*** tesseract- has joined #openstack-keystone		06:44
*** sdake has joined #openstack-keystone		06:45
*** rcernin has joined #openstack-keystone		06:47
*** maestropandy has joined #openstack-keystone		06:48
*** jraim has quit IRC		06:49
*** zhiyan has quit IRC		06:49
*** briancurtin has quit IRC		06:49
*** jraim has joined #openstack-keystone		06:52
*** briancurtin has joined #openstack-keystone		06:52
*** zhiyan has joined #openstack-keystone		06:52
*** thumpba has quit IRC		06:53
*** sdake has quit IRC		07:01
*** danpawlik has joined #openstack-keystone		07:15
*** thumpba has joined #openstack-keystone		07:15
*** thumpba has quit IRC		07:18
*** pnavarro has joined #openstack-keystone		07:21
*** amakarov_away is now known as amakarov		07:31
*** itisha has joined #openstack-keystone		07:33
*** mtreinish has quit IRC		07:36
*** mtreinish has joined #openstack-keystone		07:36
*** gagehugo has quit IRC		07:37
*** code-R has quit IRC		07:37
*** rdo has quit IRC		07:38
*** basilAB has quit IRC		07:38
*** code-R has joined #openstack-keystone		07:38
*** maestropandy has quit IRC		07:38
*** basilAB has joined #openstack-keystone		07:39
openstackgerrit	Swapnil Kulkarni (coolsvap) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	07:46
openstackgerrit	Kseniya Tychkova proposed openstack/oslo.policy: Refactoring of Enforcer class https://review.openstack.org/346002	07:52
*** nishaYadav has quit IRC		07:57
*** tonytan4ever has quit IRC		07:58
*** GB21 has quit IRC		07:58
*** tonytan4ever has joined #openstack-keystone		07:59
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** roxanaghe has joined #openstack-keystone		08:01
*** nishaYadav has joined #openstack-keystone		08:06
*** roxanaghe has quit IRC		08:06
*** nishaYadav is now known as Guest90465		08:06
*** pgbridge has quit IRC		08:09
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	08:10
*** pgbridge has joined #openstack-keystone		08:10
*** tonytan4ever has quit IRC		08:11
*** hoonetorg has quit IRC		08:13
*** hoonetorg has joined #openstack-keystone		08:17
*** code-R has quit IRC		08:21
*** marekd2 has joined #openstack-keystone		08:33
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add project functional tests https://review.openstack.org/332871	08:41
*** Guest90465 is now known as nishaYadav		08:42
*** rdo has joined #openstack-keystone		08:44
*** EinstCra_ has quit IRC		08:45
*** EinstCrazy has joined #openstack-keystone		08:46
*** EinstCrazy has quit IRC		08:47
*** EinstCrazy has joined #openstack-keystone		08:47
*** GB21 has joined #openstack-keystone		08:53
*** roxanaghe has joined #openstack-keystone		09:00
*** tonytan4ever has joined #openstack-keystone		09:01
*** tonytan4ever has quit IRC		09:05
*** roxanaghe has quit IRC		09:06
*** GB21 has quit IRC		09:07
*** nisha_ has joined #openstack-keystone		09:08
*** nishaYadav has quit IRC		09:09
*** GB21 has joined #openstack-keystone		09:11
*** EinstCrazy has quit IRC		09:17
*** maestropandy has joined #openstack-keystone		09:19
*** GB21 has quit IRC		09:20
*** EinstCra_ has joined #openstack-keystone		09:25
*** EinstCra_ has quit IRC		09:27
*** EinstCrazy has joined #openstack-keystone		09:28
*** davechen has quit IRC		09:41
*** EinstCra_ has joined #openstack-keystone		09:42
*** EinstCrazy has quit IRC		09:43
*** rdo has quit IRC		09:45
*** tangchen has quit IRC		09:50
*** maestropandy has quit IRC		09:57
*** LarsErikP has joined #openstack-keystone		09:57
*** LarsErikP has left #openstack-keystone		09:57
*** chlong_POffice has quit IRC		09:57
*** tangchen has joined #openstack-keystone		10:04
*** hwcomcn has joined #openstack-keystone		10:06
*** mvk has quit IRC		10:07
*** chlong_POffice has joined #openstack-keystone		10:10
*** EinstCra_ has quit IRC		10:13
*** EinstCrazy has joined #openstack-keystone		10:13
*** mnikolaenko_ has quit IRC		10:17
*** davechen has joined #openstack-keystone		10:21
*** maestropandy has joined #openstack-keystone		10:27
*** mvk has joined #openstack-keystone		10:38
*** nisha_ has quit IRC		10:46
*** maestropandy has quit IRC		10:51
*** rdo has joined #openstack-keystone		11:23
*** thiagolib has joined #openstack-keystone		11:26
*** gordc has joined #openstack-keystone		11:46
*** rodrigods has quit IRC		12:09
*** rodrigods has joined #openstack-keystone		12:09
*** maestropandy has joined #openstack-keystone		12:16
*** tonytan4ever has joined #openstack-keystone		12:17
*** ddieterly has joined #openstack-keystone		12:19
*** chlong_POffice has quit IRC		12:21
*** tonytan4ever has quit IRC		12:22
*** ddieterly has quit IRC		12:22
*** sdake has joined #openstack-keystone		12:23
*** hwcomcn has quit IRC		12:25
*** chlong has joined #openstack-keystone		12:29
*** ddieterly has joined #openstack-keystone		12:39
*** EinstCrazy has quit IRC		12:40
*** lamt_ has joined #openstack-keystone		12:41
stevemar	o/	12:42
stevemar	my bouncer is having a rough time	12:42
*** ddieterly has quit IRC		12:44
*** pauloewerton has joined #openstack-keystone		12:47
*** woodster_ has joined #openstack-keystone		12:49
dstanek	stevemar: what seems to be the problem?	12:50
stevemar	dstanek: no idea, lots of disconnects	12:50
dstanek	stevemar: from you to bouncer or boucer to irc?	12:50
stevemar	dstanek: bouncer to irc	12:50
stevemar	but it seems to have settled	12:51
dstanek	i had a few disconnects early this morning, but nothing significant	12:54
*** samueldmq has joined #openstack-keystone		12:55
*** ChanServ sets mode: +v samueldmq		12:55
*** sheel has quit IRC		12:56
*** links has quit IRC		13:08
*** jsavak has joined #openstack-keystone		13:12
*** edmondsw has joined #openstack-keystone		13:17
stevemar	that fuel-ccp discussion on the mailing list o_O	13:19
breton	stevemar: which one?	13:20
breton	oh, i see	13:22
stevemar	gerrit is le slow	13:24
stevemar	breton: there's only one :P	13:24
stevemar	at least, one in my mailing list folder	13:24
*** david-lyle_ has joined #openstack-keystone		13:31
*** david-lyle_ has quit IRC		13:31
*** roxanaghe has joined #openstack-keystone		13:32
*** ebalduf has joined #openstack-keystone		13:33
*** david-lyle has quit IRC		13:34
openstackgerrit	Dolph Mathews proposed openstack/keystone: Add feature support matrix to documentation https://review.openstack.org/316118	13:35
*** davechen has joined #openstack-keystone		13:36
*** davechen has left #openstack-keystone		13:36
*** roxanaghe has quit IRC		13:37
*** code-R has joined #openstack-keystone		13:37
*** richm has joined #openstack-keystone		13:37
*** ayoung has joined #openstack-keystone		13:41
*** ChanServ sets mode: +v ayoung		13:41
*** maestropandy has left #openstack-keystone		13:42
*** jsavak has quit IRC		13:46
*** jsavak has joined #openstack-keystone		13:47
*** code-R_ has joined #openstack-keystone		13:49
*** spandhe has joined #openstack-keystone		13:50
*** code-R has quit IRC		13:52
-openstackstatus- NOTICE: Gerrit is being restarted now to relieve performance degradation		13:52
lbragstad	^ that explains it	13:52
lbragstad	luckily I saved the novel of a comment I was about to leave!	13:53
openstackgerrit	Merged openstack/keystone-specs: move old APIs to the attic https://review.openstack.org/342399	13:53
*** dikonoor has quit IRC		13:58
lbragstad	here are a couple easy ones in case anyone is looking for a review - https://review.openstack.org/#/c/345686/	14:01
patchbot	lbragstad: patch 345686 - keystone - Make AuthWithTrust testable against uuid and fernet	14:01
lbragstad	and https://review.openstack.org/#/c/345687/	14:01
patchbot	lbragstad: patch 345687 - keystone - Allow V2TestCase to be tested against fernet and uuid	14:01
*** gagehugo has joined #openstack-keystone		14:02
*** code-R_ has quit IRC		14:05
*** code-R has joined #openstack-keystone		14:05
*** raildo has joined #openstack-keystone		14:06
*** code-R_ has joined #openstack-keystone		14:07
*** code-R has quit IRC		14:11
*** aswadr_ has joined #openstack-keystone		14:11
*** nishaYadav has joined #openstack-keystone		14:13
*** ravelar159 has joined #openstack-keystone		14:15
*** TxGVNN has joined #openstack-keystone		14:16
*** tonytan4ever has joined #openstack-keystone		14:17
openstackgerrit	Dolph Mathews proposed openstack/keystone: Add token feature support matrix to documentation https://review.openstack.org/316118	14:17
*** spandhe has quit IRC		14:18
*** jsavak has quit IRC		14:27
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add region functional tests https://review.openstack.org/339158	14:28
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 endpoints https://review.openstack.org/339468	14:30
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add endpoint functional tests https://review.openstack.org/340418	14:30
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 roles https://review.openstack.org/334546	14:31
openstackgerrit	Boris Bobrov proposed openstack/keystone: Eagerly load passwords for local users https://review.openstack.org/347552	14:31
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add role functional tests https://review.openstack.org/335118	14:32
openstackgerrit	Boris Bobrov proposed openstack/keystone: test https://review.openstack.org/347876	14:35
openstackgerrit	Dolph Mathews proposed openstack/keystone: Add token feature support matrix to documentation https://review.openstack.org/316118	14:40
*** ebalduf has quit IRC		14:42
*** jsavak has joined #openstack-keystone		14:42
*** michauds has joined #openstack-keystone		14:46
lbragstad	crinkle looks like i was able to recreate what you were seeing on rderose's patch - https://review.openstack.org/#/c/340074/29	14:49
patchbot	lbragstad: patch 340074 - keystone - PCI-DSS Lockout requirements	14:49
lbragstad	crinkle good catch	14:49
lbragstad	crinkle although - i have no idea how that error message gets logged (?!)	14:49
*** ebalduf has joined #openstack-keystone		14:50
*** code-R_ has quit IRC		14:52
*** code-R has joined #openstack-keystone		14:52
*** ddieterly has joined #openstack-keystone		14:54
*** jistr is now known as jistr\|call		15:00
*** nk2527_ has joined #openstack-keystone		15:01
*** nk2527_ has quit IRC		15:03
*** nk2527_ has joined #openstack-keystone		15:03
*** ravelar159 has quit IRC		15:04
*** nk2527_ is now known as nk2527		15:05
*** slberger has joined #openstack-keystone		15:07
*** KevinE has joined #openstack-keystone		15:07
*** KevinE has quit IRC		15:07
*** ravelar159 has joined #openstack-keystone		15:07
*** aastha has joined #openstack-keystone		15:10
*** nkinder has joined #openstack-keystone		15:15
*** pcaruana has quit IRC		15:17
*** danpawlik has quit IRC		15:18
*** akscram has quit IRC		15:20
*** roxanaghe has joined #openstack-keystone		15:20
*** jdennis has quit IRC		15:23
*** rcernin has quit IRC		15:24
*** roxanaghe has quit IRC		15:25
*** GB21 has joined #openstack-keystone		15:27
*** code-R has quit IRC		15:28
crinkle	lbragstad: yeah i could not figure that out	15:29
*** ravelar159 has quit IRC		15:29
lbragstad	crinkle you see the UserDisabled exception below it?	15:29
*** samueldmq has quit IRC		15:30
crinkle	lbragstad: yep, and that one doesn't have the same issue	15:30
lbragstad	crinkle that's what I thought, too	15:30
lbragstad	but it turns out when a user is disabled this is thrown instead - https://github.com/openstack/keystone/blob/9d54eb33c1d74ff39c947af6ff984ef2e0bf4be4/keystone/identity/core.py#L902	15:30
lbragstad	crinkle which is a totally different beast	15:30
lbragstad	when it comes to rendering the error message	15:31
crinkle	lbragstad: oh right i remember this, i think i commented that it's doing that validation in an entirely different place	15:32
lbragstad	crinkle it looks like user.enabled validation is done in the manager	15:32
lbragstad	and the account lockout stuff is done in the driver	15:33
*** ebalduf has quit IRC		15:34
*** nk2527_ has joined #openstack-keystone		15:35
*** jistr\|call is now known as jistr		15:35
crinkle	but since the lockout feature is specific to the sql backend i would expect the driver to be the right place for that validation	15:35
lbragstad	crinkle agree - but the exceptions threw me for a loop	15:36
lbragstad	since i expected the sql driver to throw the UserDisabled exception	15:36
*** nk2527 has quit IRC		15:37
crinkle	yep	15:37
*** pnavarro has quit IRC		15:37
*** tqtran has joined #openstack-keystone		15:38
*** samueldmq has joined #openstack-keystone		15:39
*** ChanServ sets mode: +v samueldmq		15:39
rderose	crinkle lbragstad: yeah, I think it's strange we're checking that the user is enabled at the plugin level (the method eventually gets called by mapped and password plugins)	15:43
*** david-lyle has joined #openstack-keystone		15:43
rderose	crinkle lbragstad: not sure I want to change it and didn't want to remove the check from the driver	15:44
*** code-R has joined #openstack-keystone		15:44
lbragstad	rderose is there ever a case where the UserDisabled exception from the driver is raised instead of the one in the identity Manager()?	15:44
*** ravelar159 has joined #openstack-keystone		15:45
rderose	lbragstad: I don't think so because it is based on sql backend and gets checked at password plugin	15:45
*** adrian_otto has joined #openstack-keystone		15:46
rderose	lbragstad: while i'm checking during auth in the driver, the validation really happens in the sql model	15:46
lbragstad	rderose interesting - I wonder if we should remove that line that raises a UserDIsabled exception	15:47
lbragstad	or push that validation from the identity manager into the driver()	15:47
*** ninag has joined #openstack-keystone		15:47
*** adrian_otto has quit IRC		15:49
dstanek	lbragstad: i'm not sure you want to push validation into the driver unless it truly is specific to that driver	15:49
rderose	lbragstad: like I said though, I'd don't believe the manager code is doing the validation, it's being called from the plugins	15:50
lbragstad	rderose sure - that makes sense	15:50
*** nul0op has joined #openstack-keystone		15:50
rderose	lbragstad dstanek: disable inactive users is specific to that driver	15:50
lbragstad	rderose dstanek the tricky part that crinkle and I started tripping over was where the exception was being raised.	15:51
rderose	lbragstad: yeah, I'll dig into that this morning; push out a new patch soon.	15:51
lbragstad	rderose dstanek this is what we found - https://review.openstack.org/#/c/340074/29/keystone/identity/backends/sql.py	15:51
patchbot	lbragstad: patch 340074 - keystone - PCI-DSS Lockout requirements	15:51
lbragstad	rderose i started hacking on it locally to see if I could post a diff	15:51
lbragstad	but I haven't gotten the AccountLocked exception to work yet (without displaying the programmer error message)	15:52
*** brancaleone has joined #openstack-keystone		15:54
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password expires validation https://review.openstack.org/333360	15:55
rderose	lbragstad: hmm... okay	15:56
lbragstad	rderose do those comments in https://review.openstack.org/#/c/340074/29/keystone/identity/backends/sql.py make sense?	15:56
patchbot	lbragstad: patch 340074 - keystone - PCI-DSS Lockout requirements	15:56
*** adrian_otto has joined #openstack-keystone		15:57
dstanek	lbragstad: do you have a stack trace for the missing kwargs error?	15:57
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password expires validation https://review.openstack.org/333360	15:58
lbragstad	dstanek yeah - in the comment https://review.openstack.org/#/c/340074/29/keystone/identity/backends/sql.py	15:58
patchbot	lbragstad: patch 340074 - keystone - PCI-DSS Lockout requirements	15:58
nul0op	hello guys. I was hit by https://bugs.launchpad.net/horizon/+bug/1297130 ... I did a mistake by removing the default project in an HP Helion openstack instance. project named 'service', I lost all communication since then and not able to connect to the Horizon portal.	15:59
openstack	Launchpad bug 1297130 in OpenStack Dashboard (Horizon) "prevent default tenant deletion" [Wishlist,Confirmed]	15:59
breton	sqlalchemy has events that are emitted on actions. Is there an event to listen to for selects that happen when Fk are accessed?	16:00
breton	or just an event to listen to all selects?	16:00
dstanek	lbragstad: i don't see a stacktrace anywhere	16:00
nul0op	the bug sched some light on a possible solution: fix the database by adding back missing rows. i tried to did it. fixed project table, assignment table for user admin and required roles. (taking time to use the correct id each time of course)	16:00
nul0op	but still without success in restoring the console. I think i have to do it not only for admin user, but also for 'neutron', 'heat','cinder', ... users	16:01
*** code-R has quit IRC		16:01
*** brancaleone has quit IRC		16:01
*** ninag has quit IRC		16:01
nul0op	anyone here knowledgeable about this N?	16:01
rderose	lbragstad: yeah, make sense. has to be something with how I'm logging the error	16:02
dstanek	lbragstad: rderose: i can't duplicate manually using the exception directly	16:02
rderose	hmm...	16:04
rderose	what the heck is happening then...	16:04
dstanek	how do i reproduce with keystone.... just fail login too many times?	16:04
*** jsavak has quit IRC		16:04
*** jsavak has joined #openstack-keystone		16:05
* lbragstad dstanek rderose looks like the programming error is thrown here - https://github.com/openstack/keystone/blob/9d54eb33c1d74ff39c947af6ff984ef2e0bf4be4/keystone/common/wsgi.py#L229-L232		16:05
dstanek	lbragstad: that code looks ok, the keys match the expected keys. what makes you think it is there?	16:07
dstanek	lbragstad: or are you saying the str(e) is what causes the error?	16:07
*** itlinux has quit IRC		16:13
lbragstad	dstanek i'm not sure - i dropped into a debugger and noticed that the programming error is logged at that line	16:13
lbragstad	because I couldn't figure out when it was happening	16:13
*** brancaleone has joined #openstack-keystone		16:14
*** code-R has joined #openstack-keystone		16:15
*** roxanaghe has joined #openstack-keystone		16:17
dstanek	lbragstad: my guess is that it's the str(e) - so whatever throws that exception isn't providing the correct kwargs	16:18
lbragstad	dstanek rderose the weird part is that when I debug it locally - I can see if rendered properly once, then the exception is thrown without any kwargs...	16:19
lbragstad	which is where the error is coming from I assume	16:19
dstanek	lbragstad: i'm trying to reproduce now too, but to better debug the source of the error set keystone.exception._FATAL_EXCEPTION_FORMAT_ERRORS = True	16:19
dstanek	that will cause the error as soon as it happens and not wait for it to be rendered later	16:20
lbragstad	dstanek are you using apache or eventlet?	16:20
lbragstad	er - keystone-wsgi-admin?	16:20
dstanek	apache...eventlet is gone	16:20
dstanek	lbragstad: i haven't gotten that far though... just created a test user and i'm in the process of locking it out	16:21
*** roxanaghe has quit IRC		16:21
dstanek	lbragstad: rderose: the only way this should be possible is if there is an untested code path	16:22
dstanek	unit test would have caught this otherwise	16:22
openstackgerrit	Gage Hugo proposed openstack/keystone: Add schema validation to create service in v2 https://review.openstack.org/346962	16:22
lbragstad	dstanek you mean the only way for the `missing exception kwargs (programmer error)` to happen/	16:23
*** KevinE has joined #openstack-keystone		16:24
rderose	dstanek: really? I thought it may have something to do with the SecurityError code here: https://github.com/openstack/keystone/blob/master/keystone/exception.py#L176	16:24
lbragstad	rderose specifically the _build_message() method?	16:25
dstanek	lbragstad: yes	16:25
dstanek	rderose: not sure i follow	16:25
rderose	yeah	16:25
rderose	dstanek: this error is logged when the exception is thrown and the exception is based off of the SecurityError class	16:27
lbragstad	the Error class also has a _build_message() method	16:27
*** dritux has joined #openstack-keystone		16:27
rderose	dstanek: and I'm not exactly sure what _build_message is doing, but wondering if that is causing this	16:27
dstanek	rderose: i don't think it is logged when it is thrown	16:27
lbragstad	the SecurityError._build_message() method just makes it more secure when logging	16:28
rderose	lbragstad: I see	16:28
*** david-lyle has quit IRC		16:28
*** dikonoor has joined #openstack-keystone		16:29
*** ddieterly is now known as ddieterly[away]		16:30
lbragstad	dstanek rderose fwiw - if i set _FATAL_EXCEPTION_FORMAT_ERRORS = True I can't recreate the issue	16:31
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/exception.py#L63	16:31
*** roxanaghe has joined #openstack-keystone		16:32
dstanek	lbragstad: i don't see that error message when logging into a locked account	16:32
lbragstad	dstanek do you have _FATAL_EXCEPTION_FORMAT_ERRORS = False?	16:33
*** slberger1 has joined #openstack-keystone		16:33
dstanek	oh wait lol....jas	16:33
*** code-R_ has joined #openstack-keystone		16:34
*** slberger has quit IRC		16:34
lbragstad	When I set _FATAL_EXCEPTION_FORMAT_ERRORS at False and lock a user out i hit https://github.com/openstack/keystone/blob/master/keystone/exception.py#L61	16:35
lbragstad	which explains when https://github.com/openstack/keystone/blob/master/keystone/exception.py#L66 is logged	16:35
lbragstad	but in that case my kwargs = {} (which is where the KeyError comes from)	16:36
lbragstad	and my message variable is = u'The account is locked for user: 73e00ad54377426e88b91c9eebd7bba5'	16:36
lbragstad	which it looks like the substitution has already taken place	16:37
lbragstad	http://cdn.pasteraw.com/km3kq2jn1xs51s9656yft8915a9r7nc	16:37
*** code-R has quit IRC		16:37
rderose	ah ha! is it because SecurityError already did the substitution?	16:39
*** dan_nguyen has joined #openstack-keystone		16:39
*** roxanaghe has quit IRC		16:39
lbragstad	rderose possibly	16:39
*** mvk has quit IRC		16:39
dstanek	i think i may have found a security problem in this patch	16:40
lbragstad	then we should technically see the same thing with https://github.com/openstack/keystone/blob/master/keystone/exception.py#L214-L216	16:40
dstanek	nope...close, but i don't think a user can see different behviour with a good password vs. a bad one	16:43
dstanek	rderose: do we check for lockout after we validate password?	16:43
rderose	lbragstad: it has to be coming from SecurityError._build_message(...)	16:43
rderose	dstanek: no, before	16:44
rderose	dstanek: why?	16:45
*** roxanaghe has joined #openstack-keystone		16:45
dstanek	rderose: that message only seems to appear in the log when i login to a locked account with a good password and not when i use a bad one	16:47
rderose	dstanek: hmm... that's interesting	16:48
*** ddieterly[away] is now known as ddieterly		16:48
lbragstad	dstanek the programming error message only appears when you use a good password?	16:48
rderose	dstanek: http://paste.openstack.org/show/542663/	16:49
dstanek	lbragstad: pretty sure...i have so many auths happening that it's hard to say for sure :-(	16:49
rderose	dstanek: if account is locked, password check should never be reached	16:49
dstanek	fg	16:50
dstanek	lol	16:50
lbragstad	to recreate this i do:	16:50
lbragstad	- create new user	16:50
lbragstad	- create rc file with a bad password	16:50
lbragstad	and auth repeatedly	16:50
lbragstad	just doing an `openstack token issue`	16:50
dritux	hello openstackers. help me, please.	16:52
dritux	When the horizon is configured for multi region, It is necessary to authenticate when you select another region	16:52
dritux	Does anyone know a transparent solution. I don't need to re-authenticate in keystone.	16:52
rderose	lbragstad: I think the error is coming from here: https://github.com/openstack/keystone/blob/master/keystone/exception.py#L193	16:52
rderose	the keyerror	16:52
openstackgerrit	Steve Martinelli proposed openstack/keystone: [api] add blurb about experimental status https://review.openstack.org/347947	16:52
dstanek	rderose: it is, but the question is why	16:53
dstanek	rderose: it appears to me that the exception is getting rendered twice some how	16:55
*** roxanaghe has quit IRC		16:55
lbragstad	dstanek yes, that what I think too	16:56
rderose	lbragstad: if you are still looking at this, can you replace that line and just return _format_with_unicode_kwargs(message, kwargs)	16:57
rderose	the line above	16:57
rderose	https://github.com/openstack/keystone/blob/master/keystone/exception.py#L192	16:57
*** dan_nguyen has quit IRC		16:58
*** gyee has joined #openstack-keystone		17:03
*** ChanServ sets mode: +v gyee		17:03
*** jsavak has quit IRC		17:03
*** nul0op has quit IRC		17:04
*** jsavak has joined #openstack-keystone		17:04
lbragstad	rderose yeah - one sec	17:06
dstanek	rderose: that doesn't fix it does it?	17:07
rderose	dstanek: not sure, my devstack is hosed	17:08
dstanek	i would not expect that to	17:08
lbragstad	rderose this? http://cdn.pasteraw.com/kdhxhvq2rn51g502jxrlsvlnnauiiqw	17:09
dstanek	oh, shit.....	17:09
rderose	lbragstad: yeah, but just return message	17:10
lbragstad	rderose like this? http://cdn.pasteraw.com/904j6bxyyobd2cbrt7xz0ezb04mnekg	17:10
rderose	lbragstad: yeah	17:11
*** dan_nguyen has joined #openstack-keystone		17:11
lbragstad	rderose nope that didn't fix it	17:11
lbragstad	http://cdn.pasteraw.com/bwi1n1qu9fd2mh16ccfxnqsi6z6wmfl	17:11
rderose	hmm... yeah, if it's getting called twice, it wouldn't...	17:12
rderose	thx	17:12
lbragstad	np	17:12
*** ddieterly is now known as ddieterly[away]		17:13
*** tesseract- has quit IRC		17:13
*** ebalduf has joined #openstack-keystone		17:13
*** Gorian_ has joined #openstack-keystone		17:13
*** roxanaghe has joined #openstack-keystone		17:15
*** links has joined #openstack-keystone		17:15
*** sdake has quit IRC		17:15
dstanek	found one interesting (maybe related error) that i'm going to push a patch for....we are using super in our exception module and exceptions are not new-style classes	17:17
breton	stevemar: rderose: the bug with N queries for list users stopped to reproduce for me on master :(	17:18
breton	stevemar: rderose: i even starting to think that it never reproduced	17:18
rderose	breton stevermar: are you saying that you are unable to reproduce this in master	17:19
*** spandhe has joined #openstack-keystone		17:19
breton	stevemar: rderose: yep	17:19
rderose	breton stevemar: it's because of this patch: https://review.openstack.org/#/c/327817/	17:20
patchbot	rderose: patch 327817 - keystone - Change LocalUser sql model to eager loading (MERGED)	17:20
*** akscram has joined #openstack-keystone		17:20
breton	rderose: yep	17:20
rderose	breton stevemar: which wasn't in mitaka	17:20
*** david-lyle has joined #openstack-keystone		17:20
breton	rderose: so lets just backport it	17:20
stevemar	rderose: ahh	17:20
stevemar	rderose: breton i mentioned that in your review :P	17:20
rderose	breton: agree	17:20
rderose	stevemar: missed that	17:21
stevemar	click that backport button!	17:21
breton	i've actually wrote a test	17:21
breton	that counts number of queries	17:21
stevemar	breton: submit the test in a separate patch	17:21
lbragstad	dstanek rderose the interesting part is that the exception returned by the client is "The account is locked for user: 73e00ad54377426e88b91c9eebd7bba5 "	17:22
stevemar	rderose: breton, either of you want to backport this sucker? https://review.openstack.org/#/c/327817/ it doesnt backport automagically	17:22
patchbot	stevemar: patch 327817 - keystone - Change LocalUser sql model to eager loading (MERGED)	17:22
lbragstad	but the logs say "Authorization failed. The account is locked for user: %(user_id)s"	17:23
breton	stevemar: yep, i started to figure out why it doesn't work and... figured out that it works.	17:23
stevemar	breton: :)	17:23
rderose	stevemar breton: I can do this (backport)	17:23
*** TxGVNN has quit IRC		17:23
*** david-lyle has quit IRC		17:23
*** david-lyle_ has joined #openstack-keystone		17:23
stevemar	rderose: cool, just make sure to mention "Closes-Bug: 1606426" in the commit message	17:24
openstack	bug 1606426 in OpenStack Identity (keystone) mitaka "user list is much slower in mitaka and newton" [Critical,In progress] https://launchpad.net/bugs/1606426 - Assigned to Boris Bobrov (bbobrov)	17:24
lbragstad	so I wonder if the AccountLocked exception is being called once for raising the exception and once for logging it (or if that is even possible)?	17:24
stevemar	rderose: let me know if you need help backporting it	17:24
*** david-lyle_ is now known as david-lyle		17:24
stevemar	rderose: i wrote scrappy notes on how to do it here: https://gist.github.com/stevemart/06ace005f82691435d0b#backporting-a-patch	17:24
rderose	stevemar: cool, thx	17:25
*** david-lyle_ has joined #openstack-keystone		17:25
rderose	stevemar: what's this do? git review -x <patch #>	17:25
rderose	stevemar: I wouldn't have a patch number, just checkout stable mitaka, right?	17:26
lbragstad	rderose that cherry-picks a patch from gerrit to whatever branch you have locally	17:26
lbragstad	rderose you'd need to checkout stable/mitaka locally then cherry-pick the patch from gerrit (which merged to master i'm assuming)	17:26
stevemar	rderose: its the patch number you want to cherry pick	17:26
stevemar	lbragstad: correctamundo	17:27
*** ebalduf has quit IRC		17:27
rderose	stevemar lbragstad: sorry, don't I just need to checkout stable mitaka, make the change and commit?	17:27
* breton uses awesome `git ready` suggested by dolphm		17:27
lbragstad	rderose it's very similar to `git review -d <patch #>` but -d will actually perform a checkout - which drops you on the exact point in time that patch was proposed	17:28
stevemar	rderose whatever works for you, i guess for a small change it's easy enough	17:28
lbragstad	rderose or use `git-ready`	17:28
stevemar	rderose: but for something 100s of lines..	17:28
lbragstad	`git-ready stable/mitaka` I think?	17:28
lbragstad	breton is that ^ how you checkout stable branches?	17:28
*** david-lyle has quit IRC		17:29
openstackgerrit	Boris Bobrov proposed openstack/keystone: Test number of queries on list_users https://review.openstack.org/347967	17:29
breton	lbragstad: yep	17:29
breton	lbragstad: without the '-'	17:29
lbragstad	breton ah - nice.. I have a different bin name for it	17:30
lbragstad	dstanek rderose alright - i am going to break for lunch. Want to keep debugging this logging thing this afternoon?	17:31
rderose	sounds good	17:31
*** ebalduf has joined #openstack-keystone		17:31
rderose	thx lbragstad and dstanek	17:31
*** david-lyle_ has quit IRC		17:34
*** david-lyle_ has joined #openstack-keystone		17:34
stevemar	breton: so how many calls should it have?	17:35
stevemar	referring to https://review.openstack.org/#/c/347967/1/keystone/tests/unit/test_backend_sql.py	17:35
patchbot	stevemar: patch 347967 - keystone - Test number of queries on list_users	17:35
*** tonytan_brb has joined #openstack-keystone		17:36
breton	stevemar: 9	17:37
*** browne has joined #openstack-keystone		17:37
breton	if 'joined' is used instead of 'subquery' it becomes 6 or 7 (don't remember exactly)	17:38
*** tonytan4ever has quit IRC		17:38
*** dritux has left #openstack-keystone		17:38
*** david-lyle_ has quit IRC		17:42
breton	oh wow	17:42
breton	i changed all `subquery` to `joined` and now there is only 1 query	17:42
breton	and user_list takes 0.352	17:43
samueldmq	breton: yep, question is whether 1 big join is going to be better than multiple direct queries	17:44
samueldmq	breton: maybe a single can be better, even if it does multiple joins, but we'd have to test it	17:44
*** slberger1 has quit IRC		17:44
samueldmq	breton: that's very interesting though...	17:44
*** dikonoor has quit IRC		17:48
openstackgerrit	Boris Bobrov proposed openstack/keystone: Make fetching all foreign keys in a join https://review.openstack.org/347972	17:48
*** slberger has joined #openstack-keystone		17:50
*** spandhe has quit IRC		17:53
*** spandhe has joined #openstack-keystone		17:53
*** spandhe has quit IRC		17:54
*** TxGVNN has joined #openstack-keystone		17:54
*** links has quit IRC		17:54
*** marekd2 has quit IRC		17:56
*** marekd2 has joined #openstack-keystone		17:56
*** mvk has joined #openstack-keystone		17:58
*** TxGVNN has quit IRC		17:59
rderose	stevemar breton: https://review.openstack.org/#/c/347975/	17:59
patchbot	rderose: patch 347975 - keystone (stable/mitaka) - Change LocalUser sql model to eager loading	17:59
*** marekd2 has quit IRC		18:01
stevemar	breton: propose the patch i suppose	18:04
stevemar	oh you did	18:04
stevemar	doh	18:04
stevemar	rderose: so one thing about backports	18:06
stevemar	rderose: it has to have the same change ID as the original	18:06
stevemar	i'll tweak it real quick	18:06
rderose	stevemar: ah, okay thanks	18:09
rderose	stevemar: the original change id for stable/mitaka?	18:10
*** jamielennox is now known as jamielennox\|away		18:10
stevemar	rderose: yeah, the backport should match the change id from master	18:10
stevemar	dolphm: take a look at https://review.openstack.org/#/c/347975/	18:10
patchbot	stevemar: patch 347975 - keystone (stable/mitaka) - Change LocalUser sql model to eager loading	18:10
*** adrian_otto has quit IRC		18:11
*** ddieterly[away] has quit IRC		18:13
*** nisha_ has joined #openstack-keystone		18:14
*** nishaYadav has quit IRC		18:16
*** ddieterly has joined #openstack-keystone		18:22
*** ayoung has quit IRC		18:25
dolphm	stevemar: +A cc- rderose	18:25
dolphm	rderose: next time you have a bug fix that should apply to a stable branch as well, be sure to propose a backport!	18:26
lbragstad	dstanek rderose i traced the `missing exception kwargs (programmer error)` here - https://hg.python.org/cpython/file/2.7/Lib/logging/__init__.py#l1456	18:29
lbragstad	looks like that is where it is actually logged	18:29
rderose	dolphm: are you referring to the original bug fix?	18:30
dolphm	rderose: yes	18:30
lbragstad	dstanek rderose http://cdn.pasteraw.com/dtrndze6enkkh30umoffk7kzq3n5s9x	18:30
dolphm	lbragstad: that sounds like an error from keystone.exception.Exception	18:30
lbragstad	dstanek rderose dstanek a bit more context - http://cdn.pasteraw.com/s941506uzfwbyo058a9rra8bz67nzse	18:31
dolphm	lbragstad: the keystone exception class you're using has required keyword arguments that you're not passing	18:31
lbragstad	dolphm but we seem to passing them in here - https://review.openstack.org/#/c/340074/29/keystone/identity/backends/sql.py	18:32
patchbot	lbragstad: patch 340074 - keystone - PCI-DSS Lockout requirements	18:32
rderose	dolphm: ah, to propose backport, I would add Mitaka potential to the commit message?	18:32
lbragstad	see line 62	18:32
dolphm	rderose: not quite, mitaka-backport-potential would be a valid tag on the launchpad bug	18:32
rderose	dolphm: okay, cool	18:32
dolphm	rderose: but after the patch to master merges, cherry pick it to a stable branch with $ git checkout stable/mitaka && git review -X <review number from master>	18:33
dolphm	rderose: and then git-review that, after any conflict resolution	18:33
dstanek	dolphm: so i created a fix the removes use of super in keystone.exception, but i'm still seeing the error :-(	18:33
rderose	dolphm: I see	18:33
dstanek	just got back from lunch so i'm going to start looking again	18:34
*** jsavak has quit IRC		18:34
dolphm	dstanek: this is the error you're seeing https://github.com/openstack/keystone/blob/master/keystone/exception.py#L66	18:34
dstanek	dolphm: yes	18:35
*** jsavak has joined #openstack-keystone		18:35
dolphm	oh, lance linked it	18:35
dstanek	dolphm: it looks like the object is created twice...just have to figure out why	18:35
*** spandhe has joined #openstack-keystone		18:36
lbragstad	dstanek I was digging in the i18n stuff and oslo_log but I don't think those have anything to do with it	18:36
dolphm	dstanek: lbragstad: maybe remove that try/except -- you could be seeing a different KeyError	18:36
dolphm	dstanek: lbragstad: the code in the try block is much more complicated than it was when that try / except was written	18:37
lbragstad	dolphm you mean this? https://github.com/openstack/keystone/blob/master/keystone/exception.py#L59-L67	18:38
dolphm	lbragstad: yes	18:38
dolphm	lbragstad: maybe it's an unexpected keyerror in your case	18:38
*** nisha_ has quit IRC		18:39
dstanek	dolphm: it's not. what seems to be happening is AccountLocked(user_id=...) is called and then shortly later it appears to be called again, but with the rendered string from the original	18:39
*** nisha_ has joined #openstack-keystone		18:39
dstanek	almost list AccountLocked(str(AccountLocked(user_id=...)))	18:40
dstanek	s/list/like/	18:40
lbragstad	when the programmer error message is logged - the message variable is the rendered string and the kwargs are empty	18:40
dolphm	lbragstad: what's the actual message you're seeing in the logs after that?	18:41
lbragstad	dstanek exactly - so the inner AccountLocked() is actually working properly	18:41
lbragstad	dolphm grabbing a trace	18:41
dstanek	lbragstad: yes	18:41
dolphm	"Authorization failed. The account is locked for user: %(user_id)s from 127.0.0.1"	18:42
dstanek	also exceptions in exceptions seem to get swallowed somewhere	18:42
lbragstad	dolphm yes	18:42
lbragstad	http://cdn.pasteraw.com/oaglrgcvkeu8h628qz4r8txhx15ibf5	18:42
lbragstad	fwiw - if I drop a break point here http://cdn.pasteraw.com/4tjasujkku80pw2wpxlyqdu67rtb9aw I hit the AccountLocked() thing twice	18:43
lbragstad	almost exactly like what dstanek described	18:43
*** ericksonsantos has quit IRC		18:44
dolphm	lbragstad: the "Authorization failed. " part of the error message makes it look like one exception is wrapping another, if that's what you mean	18:44
*** tonytan_brb has quit IRC		18:44
lbragstad	here are the variable states in each occurrence - http://cdn.pasteraw.com/pq6umrz0l0phjp2l9rkeg6wealmm0u1	18:46
*** slberger has quit IRC		18:47
*** slberger has joined #openstack-keystone		18:48
dstanek	dolphm: the 'authorizaiton failed' is actually coming from keystone.common.wsgi	18:49
dstanek	it's just part of the log message	18:49
dolphm	dstanek: ah, that makes more sense	18:50
*** jdennis has joined #openstack-keystone		18:53
*** timcline has joined #openstack-keystone		18:55
lbragstad	dstanek we do raise the exception again in the notification module	18:56
*** timcline_ has joined #openstack-keystone		18:57
*** david-lyle_ has joined #openstack-keystone		18:57
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/notifications.py#L489-L494	18:57
dolphm	lbragstad: L494? that's a blind raise	18:57
dolphm	lbragstad: it's just passing the object along, it shouldn't build a message	18:58
dstanek	lbragstad: actually i think that's it....that's where i am in rpdb right now	18:58
lbragstad	dstanek if you go a bit farther you'll end up in keysotne/common/wsgi.py:230	18:59
*** timcline has quit IRC		18:59
lbragstad	which is where we except exception.Unauthorized and attempt to log a warning about failed auth	18:59
lbragstad	e	19:00
*** ebalduf has quit IRC		19:00
lbragstad	in that case - e.message is u'The account is locked for user: 73e00ad54377426e88b91c9eebd7bba5'	19:00
dolphm	lbragstad: but it only logs	19:00
lbragstad	which is already substituted (?)	19:00
lbragstad	dolphm right - I think we only see this error in the logs	19:01
dolphm	lbragstad: that's just catching the AccountLocked instance and rendering it as a string	19:01
dolphm	lbragstad: that's the intent in keystone.exception	19:01
dolphm	although, as the author of the (programmer error) message, this really, really doesn't smell like the intended use case	19:01
dstanek	dolphm: lbragstad: ok, the issue is oslo_i18n	19:03
dstanek	it recreates the object	19:03
dstanek	see http://paste.openstack.org/show/542682/ _reconstruct	19:03
*** slberger has quit IRC		19:04
dolphm	dstanek: wat	19:05
lbragstad	dstanek what is `param` in copy.deepcopy(param) ?	19:05
dolphm	copy ... deepcopy ... an exception?!	19:05
dolphm	lbragstad: dstanek: copy.deepcopy https://github.com/openstack/oslo.i18n/blob/master/oslo_i18n/_message.py#L219-L225	19:06
*** david-lyle_ is now known as david-lyle		19:07
lbragstad	http://cdn.pasteraw.com/2yv2uk7fu1vc6290sk8qwdk70afiell	19:08
lbragstad	yeah - it's an exception	19:08
*** fifieldt has quit IRC		19:08
lbragstad	exception.Unauthorized specifically	19:08
*** haplo37__ has joined #openstack-keystone		19:09
dstanek	that's like super awesome fail	19:11
lbragstad	the params here end up being https://github.com/openstack/oslo.i18n/blob/master/oslo_i18n/_message.py#L216	19:11
dolphm	lbragstad: where did THAT exception get created?	19:11
lbragstad	{'exception': Unauthorized(u'The request you have made requires authentication.',), 'remote_addr': '127.0.0.1'}	19:12
lbragstad	dolphm I think that Unauthorized exception is the same one that is excepted here - https://github.com/openstack/keystone/blob/9d54eb33c1d74ff39c947af6ff984ef2e0bf4be4/keystone/common/wsgi.py#L228	19:13
lbragstad	but I can't be sure	19:13
lbragstad	well - i'm not sure yet	19:13
*** jsavak has quit IRC		19:14
*** samueldmq has quit IRC		19:15
*** slberger has joined #openstack-keystone		19:15
*** tonytan4ever has joined #openstack-keystone		19:17
*** brancaleone has quit IRC		19:17
*** fifieldt has joined #openstack-keystone		19:18
*** michauds has quit IRC		19:20
*** ddieterly is now known as ddieterly[away]		19:22
*** nisha_ has quit IRC		19:22
*** michauds has joined #openstack-keystone		19:22
*** sdake has joined #openstack-keystone		19:25
*** jsavak has joined #openstack-keystone		19:27
*** ebalduf has joined #openstack-keystone		19:29
openstackgerrit	Dolph Mathews proposed openstack/keystone: Add token feature support matrix to documentation https://review.openstack.org/316118	19:29
*** jsavak has quit IRC		19:32
*** roxanaghe has quit IRC		19:39
*** ebalduf has quit IRC		19:41
*** gordc has quit IRC		19:41
*** sdake has quit IRC		19:43
lbragstad	dolphm dstanek rderose crinkle this seems to fix the (programming error) for me locally - http://cdn.pasteraw.com/7d38iizi836gvfyk4ncuq6x6m7nkgah	19:46
dolphm	lbragstad: how about unicode(e) instead of e?	19:47
*** ddieterly[away] is now known as ddieterly		19:47
lbragstad	dolphm let me try that	19:47
lbragstad	dolphm yep - http://cdn.pasteraw.com/bxtpgziuj7cbq4gqickwu9el2ymiouw works too	19:48
lbragstad	here are the logs with that patch	19:48
crinkle	lbragstad: neat	19:48
dolphm	lbragstad: the .message will throw it's own deprecation warnings in ... some ... version of python	19:48
dolphm	lbragstad: but, the fix actually makes sense! good eye	19:49
lbragstad	http://cdn.pasteraw.com/a5dyaifypzq3x6ig4puly7kuri8hnfs	19:49
*** slberger has quit IRC		19:49
*** ebalduf has joined #openstack-keystone		19:50
*** ntpttr- has quit IRC		19:50
*** ntpttr- has joined #openstack-keystone		19:51
*** slberger has joined #openstack-keystone		19:53
*** sdake has joined #openstack-keystone		19:53
lbragstad	alright - i'm going to refill coffee	19:54
*** jsavak has joined #openstack-keystone		19:54
*** afred312 has joined #openstack-keystone		19:56
*** jsavak has quit IRC		19:59
*** jsavak has joined #openstack-keystone		19:59
dstanek	this feels like a bandaid	20:02
bknudson	keystone is a pile of bandaids.	20:03
dstanek	in the course of using an object how it's meant to be used we have a situation where a hard to debug error it raised	20:03
*** ebalduf has quit IRC		20:03
bknudson	at least it's not spaghetti code.	20:03
stevemar	bknudson: let me get the guaze	20:04
dstanek	bknudson: it's at least close	20:04
stevemar	dstanek: depends on the module :P	20:04
*** brancaleone has joined #openstack-keystone		20:09
*** roxanaghe has joined #openstack-keystone		20:09
lbragstad	dstanek it looks like this only happens when we have an exception and we try to log it	20:12
lbragstad	dstanek shouldn't we be passing the string that we want to log anyway?	20:12
dstanek	lbragstad: maybe? but this seems to be a common pattern based on how exceptions are supposed to work	20:15
dstanek	lbragstad: trying to see why olso_i18n is doing that copying	20:16
*** tangchen has quit IRC		20:17
dstanek	lbragstad: i have an alternative fix that i'm trying to evaluate	20:17
lbragstad	ok	20:18
*** michauds has quit IRC		20:18
*** tangchen has joined #openstack-keystone		20:19
*** ericksonsantos has joined #openstack-keystone		20:20
dstanek	do we have tests for internationalization right now?	20:21
lbragstad	dstanek that's a good question	20:21
*** michauds has joined #openstack-keystone		20:27
lbragstad	dstanek it doesn't look like it	20:27
*** aswadr_ has quit IRC		20:31
stevemar	dolphm: around-ish?	20:32
*** adrian_otto has joined #openstack-keystone		20:33
*** MadOtis has joined #openstack-keystone		20:33
lbragstad	dstanek let me know when/if you get a patch up for the exception logging thing - i'm curious to see your fix	20:36
MadOtis	Hello, all... I'm having a hard time with wht I believe may be a keystone problem. I'm trying to install swift on a new Centos 7 cluster and so far, all services are running fine. When I get to install swift, I am getting an error with the validation of the swift services.	20:37
dstanek	lbragstad: just trying to reproduce the error in a test	20:38
MadOtis	When executing the "swift stat" validation, I get an error 503 returned back. The swift logs show authentication errors, and I've tripple-checked the swift proxy configuration and shared it with the gang in the #os-swift channel.	20:39
MadOtis	They seem to think the issue may be coming from keystone.	20:39
MadOtis	The error I'm getting is: Account HEAD failed: http://controller:8080/v1/AUTH_bc82ecd267e34d91bc775867adb94bc7 503 Service Unavailable	20:40
notmyname	MadOtis: wait. you said you were getting a 401. I thought we fixed the 503	20:40
*** roxanaghe has quit IRC		20:41
MadOtis	notmyname: there were some service issues that were resolved according to the logs. But this problem still remains.	20:42
MadOtis	The services had some issues that I was able to work out in the #os-swift channel, so I'm trying to fix this remaining issue.	20:43
MadOtis	Here is a paste of what is in the logs, now: http://paste.openstack.org/show/542692/	20:43
dstanek	MadOtis: is the 503 coming from swift or keystone?	20:45
*** adrian_otto has quit IRC		20:45
MadOtis	dstanek: I believe it's coming from swift, but I was told in the swift channel that it could be keystone.	20:46
*** sdake has quit IRC		20:46
*** adrian_otto has joined #openstack-keystone		20:46
openstackgerrit	Gage Hugo proposed openstack/keystone: Add schema validation to create service in v2 https://review.openstack.org/346962	20:48
dstanek	MadOtis: do you have access to the logs to check definitively?	20:49
dstanek	lbragstad: hmmm....i don't know how to reproduce this in a test	20:49
*** ebalduf has joined #openstack-keystone		20:49
lbragstad	dstanek you'd have to capture the logs wouldn't you?	20:50
MadOtis	+dstranek: Yes, here is a paste from the controller and the 2 object nodes grepped on one of the UID's passed in: http://paste.openstack.org/show/542693/	20:51
dstanek	mordred: those 503s are definitly coming from swift. do they think that keystone is cause swift to 503?	20:53
MadOtis	I'm talking to notmyname in swift, now. Thank you	20:55
*** ayoung has joined #openstack-keystone		20:55
*** ChanServ sets mode: +v ayoung		20:55
dstanek	MadOtis: np	20:55
dstanek	lbragstad: shouldn't have to because that boolean is set for the tests so an exception should be raised	20:56
*** roxanaghe has joined #openstack-keystone		21:00
openstackgerrit	Billy Olsen proposed openstack/keystone: Maintain ordered list for KVS token persistence https://review.openstack.org/348040	21:01
*** MadOtis has left #openstack-keystone		21:01
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password expires validation https://review.openstack.org/333360	21:04
mordred	dstanek: aroo?	21:04
* mordred reads		21:04
mordred	dstanek: no clue - notmyname is a much better human to talk to	21:06
dstanek	mordred: oops...it looks like i invoked you on accident	21:07
mordred	phew	21:07
*** clenimar has quit IRC		21:08
dstanek	mordred: i was helping MadOtis and i think i had a tab completion failure	21:09
*** raildo has quit IRC		21:09
*** gagehugo has quit IRC		21:09
mordred	dstanek: I was just worried that I was supposed to know something	21:10
*** pauloewerton has quit IRC		21:11
*** roxanaghe has quit IRC		21:12
*** ebalduf has quit IRC		21:13
*** roxanaghe has joined #openstack-keystone		21:15
*** jamielennox\|away is now known as jamielennox		21:17
bknudson	jamielennox is back.	21:17
* jamielennox is still in san jose		21:17
bknudson	still in meetings?	21:18
jamielennox	bknudson: meetings are mostly done, watching and helping with some training today, ansible stuff tomorrow then home on saturday	21:19
bknudson	jamielennox: are you at almaden research lab?	21:19
jamielennox	bknudson: i'm watching spencer try to convince people to run from master	21:19
jamielennox	bknudson: umm, i don't think so, the one at the very top of Nth 1st st	21:19
bknudson	jamielennox: that isn't an easy sell.	21:19
jamielennox	he's pretty good, though talks quite fast, at least most people have some openstack experience	21:20
bknudson	jamielennox: who are you presenting to now?	21:20
jamielennox	bknudson: i don't think there's one group, there's a few people working on octavia stuff, then some IBM stuff i've never heard of that is supposed to be in cloud :(	21:21
openstackgerrit	Lance Bragstad proposed openstack/keystone: Don't log exception objects https://review.openstack.org/348047	21:22
lbragstad	dstanek my hack-tastic fix ^	21:22
bknudson	jamielennox: when I saw you signing on at 4pm I thought that meant you were in oz.	21:22
jamielennox	bknudson: next week, trying to put off the flight for as long as i can	21:23
*** david-lyle has quit IRC		21:25
dstanek	lbragstad: i figured out my testing issue	21:43
openstackgerrit	henry-nash proposed openstack/keystone-specs: Add rolling upgrade steps to keystone-manage https://review.openstack.org/337680	21:43
lbragstad	dstanek yeah?	21:43
henrynash	dstanek, btopol: henry-nash proposed openstack/keystone-specs: Add rolling upgrade steps to keystone-manage https://review.openstack.org/337680	21:43
henrynash	topol: henry-nash proposed openstack/keystone-specs: Add rolling upgrade steps to keystone-manage https://review.openstack.org/337680	21:44
*** ravelar159 has quit IRC		21:46
*** spandhe has left #openstack-keystone		21:50
lbragstad	dstanek what was the issue?	21:50
*** tonytan4ever has quit IRC		21:51
dstanek	lbragstad: crazyness with the debug-mode/logging/ect	21:51
dstanek	working on docs for my patch now	21:51
*** haplo37__ has quit IRC		21:52
openstackgerrit	henry-nash proposed openstack/keystone-specs: Add rolling upgrade steps to keystone-manage https://review.openstack.org/337680	21:54
*** adriant has joined #openstack-keystone		21:55
*** ddieterly is now known as ddieterly[away]		22:01
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	22:01
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	22:01
*** adrian_otto1 has joined #openstack-keystone		22:06
*** KevinE has quit IRC		22:06
*** adrian_otto1 has quit IRC		22:07
*** adrian_otto has quit IRC		22:07
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	22:08
*** kswiatek_ has joined #openstack-keystone		22:11
openstackgerrit	Jamie Lennox proposed openstack/keystone: Implement Views and convert credentials https://review.openstack.org/335423	22:13
*** kswiatek has quit IRC		22:13
*** jsavak has quit IRC		22:20
*** david-lyle has joined #openstack-keystone		22:22
*** edmondsw has quit IRC		22:25
*** david-lyle has quit IRC		22:25
*** david-lyle has joined #openstack-keystone		22:25
*** ddieterly[away] is now known as ddieterly		22:25
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	22:26
*** michauds has quit IRC		22:30
*** ddieterly has quit IRC		22:34
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Lockout requirements https://review.openstack.org/340074	22:37
*** jamielennox is now known as jamielennox\|away		22:45
*** slberger has left #openstack-keystone		22:48
*** david-lyle has quit IRC		22:50
*** david-lyle_ has joined #openstack-keystone		22:50
*** timcline_ has quit IRC		22:55
*** Gorian_ has quit IRC		22:59
*** david-lyle_ has quit IRC		23:01
*** sdake has joined #openstack-keystone		23:17
*** sdake has quit IRC		23:25
*** ravelar159 has joined #openstack-keystone		23:26
openstackgerrit	Adrian Turjak proposed openstack/keystone: TOTP auth not functional in python3 https://review.openstack.org/348081	23:26
*** ravelar159 has quit IRC		23:30
*** bill_az has joined #openstack-keystone		23:38
*** chlong has quit IRC		23:38
*** ddieterly has joined #openstack-keystone		23:42
*** ddieterly has quit IRC		23:42
*** nkinder has quit IRC		23:43
*** ddieterly has joined #openstack-keystone		23:45
openstackgerrit	David Stanek proposed openstack/keystone: WIP: Adds test for SecurityError's translation behavior https://review.openstack.org/348085	23:46
openstackgerrit	David Stanek proposed openstack/keystone: WIP: Adds a custom deepcopy handler https://review.openstack.org/348086	23:46
dstanek	lbragstad: ^	23:46
openstackgerrit	Ron De Rose proposed openstack/keystone: Test number of queries on list_users https://review.openstack.org/347967	23:53
dstanek	adriant: just responded on your review. let me know if you have any questions. i may be heading to the gym soon, but i'll be around	23:54
adriant	Hey, main question is one about the unittests	23:55
adriant	currently, by setting the password_totp as default in the cfg file, ALL the tests run with it as the password auth	23:56
dstanek	adriant: besides your new unit tests what did you want to run?	23:56
adriant	which confirms that it works exactly as intended as a replacement	23:56
*** code-R_ has quit IRC		23:56
openstackgerrit	Ron De Rose proposed openstack/keystone: Make fetching all foreign keys in a join https://review.openstack.org/347972	23:56
adriant	if not, then we need to write a lot more tests to just confirm that, which would be silly.	23:56
dstanek	adriant: what tests are missing to confirm that?	23:57
adriant	when there are already a ton of tests which validate the password auth	23:57
dstanek	i think what you have is probably enough to cover the usecases. are there cases you don't think are covered?	23:57
*** adu has joined #openstack-keystone		23:57
adriant	Actually... let me test something. I have a feeling with the cfg unchanged my unit tests fail as they would instead run against the old plugin	23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!