Monday, 2016-08-22

« Sunday, 2016-08-21 Index Tuesday, 2016-08-23 »
*** rkrum has joined #openstack-keystone00:00
*** ddieterly has quit IRC00:02
*** code-R has joined #openstack-keystone00:14
*** code-R_ has joined #openstack-keystone00:15
*** code-R has quit IRC00:19
*** markvoelker has joined #openstack-keystone00:59
*** ddieterly has joined #openstack-keystone01:02
*** markvoelker has quit IRC01:04
*** code-R_ has quit IRC01:07
*** code-R has joined #openstack-keystone01:07
*** atod has quit IRC01:26
*** atod has joined #openstack-keystone01:27
atodHi. Is anyone playing with Identity V3 and domains in Keystone?01:30
*** EinstCrazy has joined #openstack-keystone01:34
*** EinstCrazy has quit IRC01:34
*** EinstCrazy has joined #openstack-keystone01:34
*** ddieterly has quit IRC01:35
*** davechen has joined #openstack-keystone01:35
*** atod has quit IRC01:35
*** ddieterly has joined #openstack-keystone01:36
*** atod has joined #openstack-keystone01:40
*** ddieterly is now known as ddieterly[away]02:01
*** ddieterly[away] is now known as ddieterly02:03
*** EinstCra_ has joined #openstack-keystone02:06
*** EinstCrazy has quit IRC02:09
*** EinstCrazy has joined #openstack-keystone02:13
*** ddieterly has quit IRC02:13
*** EinstCra_ has quit IRC02:17
*** nkinder has quit IRC02:23
*** su_zhang has joined #openstack-keystone02:25
*** atod has quit IRC02:27
*** GB21 has joined #openstack-keystone02:39
*** GB21 has quit IRC02:47
openstackgerritMerged openstack/keystone: Add create and update methods to credential Manager  https://review.openstack.org/35505603:00
*** tqtran has joined #openstack-keystone03:02
*** tqtran has quit IRC03:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35687203:08
stevemardolphm: i updated the meeting with stuff and things, let me know if you have any questions03:14
*** su_zhang has quit IRC03:14
*** su_zhang has joined #openstack-keystone03:15
*** su_zhang has quit IRC03:19
*** chrichip has quit IRC03:23
*** chrichip has joined #openstack-keystone03:23
*** julim has quit IRC03:27
stevemarhenrynash: ayoung can you look at https://review.openstack.org/#/c/351264/4 for a minute, since y'all know about domain specific vs implied roles03:29
ayoungstevemar, really?  Midnight on Sunday?  Oh, wait, newborn...nevermind03:29
stevemarayoung: haha, that was meant for you to read on monday morning!03:29
ayoungstevemar, is that really something we want to forbid?03:29
stevemari think a DSR from domain A should not imply a DSR from domain B03:30
openstackgerritDave Chen proposed openstack/keystone: Update `href` for keystone extensions  https://review.openstack.org/35838103:30
ayoungstevemar, I'm actually headed to Cape Cod for the week...I'll be working from there, but driving the family down in the morning.  Was just shutting down03:30
stevemarayoung: oh go go go03:31
stevemarayoung: have fun man03:31
ayoungstevemar, no problem, just finishing up03:31
ayoungI don;'t know if I think that is a real thing to avoid.03:31
ayoungI could see DSRs from one domain pointing at another being a useful thing, but confusing.03:31
ayoungWhy? Is this just being over cautious?03:32
stevemarayoung: i believe so, gyee filed the bug03:33
ayoungstevemar, meh03:33
stevemarit feels funny, but overcautious yes03:33
ayoungWhat did Henry say?03:33
stevemarhasn't seen it yet03:34
*** atod has joined #openstack-keystone03:36
ayoungstevemar, I did write up a spec you might find interesting03:40
*** atod has quit IRC03:40
ayounghttps://review.openstack.org/#/c/358131/03:41
*** ayoung has quit IRC03:43
*** mdurrant_ has joined #openstack-keystone03:44
*** chrisshattuck has joined #openstack-keystone03:45
*** mdurrant__ has quit IRC03:47
davechenstevemar: have replied to your comments, and a question for you, do you know why 'trust' and 'endpoint policy' haven't register the extension data?03:47
stevemardavechen: cause we stink at consistency :)03:48
stevemardavechen: +2'ed it03:48
davechenstevemar: I feel the api to show the info for the extension will miss them03:48
davechenstevemar: will dig into it, if this is true will try to fix it.03:49
davechenstevemar: thanks!03:49
stevemarawesome!03:49
*** chrisshattuck has quit IRC03:59
*** code-R has quit IRC04:00
*** chrisshattuck has joined #openstack-keystone04:00
*** chrisshattuck has quit IRC04:04
*** code-R has joined #openstack-keystone04:10
*** su_zhang has joined #openstack-keystone04:14
*** michauds has joined #openstack-keystone04:34
*** david-lyle has quit IRC04:37
*** pcaruana has quit IRC04:55
*** jamielennox is now known as jamielennox|away05:18
*** aswadr_ has joined #openstack-keystone05:22
*** jaosorior has joined #openstack-keystone05:23
*** links has joined #openstack-keystone05:38
*** links has quit IRC05:38
*** richm has quit IRC05:40
*** Gorian has quit IRC05:45
*** sigmavirus has quit IRC05:46
*** d34dh0r53 has quit IRC05:46
*** eglute has quit IRC05:46
*** eglute has joined #openstack-keystone05:47
*** d34dh0r53 has joined #openstack-keystone05:48
*** d34dh0r53 has quit IRC05:48
*** eglute has quit IRC05:48
*** eglute has joined #openstack-keystone05:49
*** eglute has quit IRC05:49
*** eglute has joined #openstack-keystone05:50
*** d34dh0r53 has joined #openstack-keystone05:51
*** eglute has quit IRC05:51
*** d34dh0r53 has quit IRC05:51
*** Gorian has joined #openstack-keystone05:53
*** eglute has joined #openstack-keystone05:54
*** eglute has quit IRC05:54
*** dikonoor has joined #openstack-keystone06:02
*** eglute has joined #openstack-keystone06:05
*** d34dh0r53 has joined #openstack-keystone06:06
*** michauds has quit IRC06:15
*** EinstCrazy has quit IRC06:23
*** EinstCrazy has joined #openstack-keystone06:24
*** rcernin has joined #openstack-keystone06:51
*** pcaruana has joined #openstack-keystone06:52
*** tesseract- has joined #openstack-keystone07:09
*** atod has joined #openstack-keystone07:15
*** atod has quit IRC07:16
*** atod has joined #openstack-keystone07:19
*** mkoderer__ has quit IRC07:19
*** rcernin has quit IRC07:25
*** su_zhang has quit IRC07:29
*** su_zhang has joined #openstack-keystone07:30
*** code-R has quit IRC07:31
*** code-R has joined #openstack-keystone07:32
*** rkrum has quit IRC07:34
*** su_zhang has quit IRC07:34
*** code-R has quit IRC07:37
*** su_zhang has joined #openstack-keystone07:40
*** itisha has joined #openstack-keystone07:43
*** su_zhang has quit IRC07:45
*** su_zhang has joined #openstack-keystone07:46
*** su_zhang has quit IRC07:50
*** atod has quit IRC07:54
*** atod has joined #openstack-keystone07:54
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:01
*** asettle has joined #openstack-keystone08:05
*** markvoelker has joined #openstack-keystone08:05
*** markvoelker has quit IRC08:10
*** atod has quit IRC08:24
*** atod has joined #openstack-keystone08:24
*** asettle has quit IRC08:27
*** atod has quit IRC08:29
*** jaosorior has quit IRC08:30
*** atod has joined #openstack-keystone08:31
*** jaosorior has joined #openstack-keystone08:31
*** atod has quit IRC08:35
*** asettle has joined #openstack-keystone08:35
*** atod has joined #openstack-keystone08:45
*** atod has quit IRC08:47
*** atod has joined #openstack-keystone08:48
*** code-R has joined #openstack-keystone09:00
*** markvoelker has joined #openstack-keystone09:06
*** tqtran has joined #openstack-keystone09:06
*** markvoelker has quit IRC09:11
*** tqtran has quit IRC09:11
*** sheel has joined #openstack-keystone09:22
*** atod has quit IRC09:24
bretonmorning09:29
openstackgerritKseniya Tychkova proposed openstack/oslo.policy: Apache Fortress support prototype  https://review.openstack.org/23752109:40
*** amakarov_away is now known as amakarov09:52
*** rkrum has joined #openstack-keystone09:58
*** rkrum has quit IRC10:02
*** markvoelker has joined #openstack-keystone10:07
*** richm has joined #openstack-keystone10:07
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843510:10
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843510:10
*** markvoelker has quit IRC10:12
*** david_cu has quit IRC10:13
samueldmqmorning keystone10:41
*** dikonoor has quit IRC10:52
*** EinstCrazy has quit IRC10:53
*** GB21 has joined #openstack-keystone11:02
*** openstackgerrit has quit IRC11:03
*** openstackgerrit has joined #openstack-keystone11:03
*** davechen has left #openstack-keystone11:05
*** markvoelker has joined #openstack-keystone11:08
*** tqtran has joined #openstack-keystone11:08
*** rodrigods has quit IRC11:11
*** rodrigods has joined #openstack-keystone11:11
*** markvoelker has quit IRC11:12
*** tqtran has quit IRC11:13
*** agireud has quit IRC11:16
*** gagehugo has quit IRC11:17
*** dhellmann has quit IRC11:17
*** dhellmann has joined #openstack-keystone11:17
*** nk2527 has joined #openstack-keystone11:18
*** agireud has joined #openstack-keystone11:20
*** maestropandy has joined #openstack-keystone11:28
*** nishaYadav has joined #openstack-keystone11:33
nishaYadavo/11:34
*** openstackstatus has quit IRC11:36
*** openstackstatus has joined #openstack-keystone11:38
*** ChanServ sets mode: +v openstackstatus11:38
*** woodster_ has joined #openstack-keystone11:42
*** asettle has quit IRC11:46
*** dikonoor has joined #openstack-keystone11:46
*** jaosorior has quit IRC11:50
*** jaosorior has joined #openstack-keystone11:50
*** jpena is now known as jpena|lunch11:51
*** _sigmavirus24 has joined #openstack-keystone11:52
*** maestropandy has left #openstack-keystone11:53
*** _sigmavirus24 is now known as sigmavirus11:54
*** sigmavirus has joined #openstack-keystone11:54
stevemarmorning samueldmq11:56
samueldmqnishaYadav: stevemar: o/11:57
*** asettle has joined #openstack-keystone11:57
*** maestropandy1 has joined #openstack-keystone12:03
*** maestropandy1 has left #openstack-keystone12:04
*** alex_xu has quit IRC12:08
rodrigodsrderose, can you check my replies at https://review.openstack.org/#/c/357950/5 ?12:08
*** markvoelker has joined #openstack-keystone12:09
*** alex_xu has joined #openstack-keystone12:09
*** markvoelker has quit IRC12:13
*** asettle has quit IRC12:19
*** markvoelker has joined #openstack-keystone12:20
*** nishaYadav has quit IRC12:21
*** nishaYadav has joined #openstack-keystone12:21
*** dstanek_ has quit IRC12:25
*** dstanek has joined #openstack-keystone12:26
*** ChanServ sets mode: +v dstanek12:26
*** jaosorior is now known as jaosorior_brb12:26
*** dstanek has quit IRC12:27
*** dstanek has joined #openstack-keystone12:27
*** ChanServ sets mode: +v dstanek12:27
*** asettle has joined #openstack-keystone12:29
dstanekgood morning all12:30
*** edmondsw has joined #openstack-keystone12:30
*** dstanek has quit IRC12:33
henrynashdstaneK; morning...quick pythony question for you....is there any way a function that you monkeypatch in to replace an existing function can know the name of the function it has replaced? (I doubt it, somehow)12:33
*** dstanek has joined #openstack-keystone12:33
*** ChanServ sets mode: +v dstanek12:33
*** GB21 has quit IRC12:43
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Disables TCP_KEEPCNT when using Windows Subsystem for Linux  https://review.openstack.org/35745212:46
stevemarjamielennox|away: if you're still around: https://review.openstack.org/#/c/357452/612:47
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Allow specifying client and service info to user_agent  https://review.openstack.org/35763312:49
*** Marcellin_ has joined #openstack-keystone12:56
*** raildo has joined #openstack-keystone12:57
*** clenimar has joined #openstack-keystone12:58
*** mgagne_ has quit IRC13:00
*** mgagne_ has joined #openstack-keystone13:00
*** jpena|lunch is now known as jpena13:06
*** edmondsw has quit IRC13:09
*** ddieterly has joined #openstack-keystone13:10
*** ddieterly has quit IRC13:14
*** julim has joined #openstack-keystone13:18
*** Guest37793 is now known as zeus13:24
*** zeus has joined #openstack-keystone13:24
openstackgerritLance Bragstad proposed openstack/keystone: Add key repository uniqueness check to doctor  https://review.openstack.org/35808313:29
dikonoordstanek:dolphm: Hi13:30
dikonoordstanek:dolphm: I am running into an error like this and I think this is a bug..but I am not sure..LEt me explain the usecase >> Conflict occurred attempting to store nonlocal_user - Duplicate Entry (HTTP 409)13:31
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystoneauth: Disables TCP_KEEPCNT when using Windows Subsystem for Linux  https://review.openstack.org/35745213:32
samueldmqstevemar: ^13:32
dikonoor dstanek:dolphm: This is in the context of shadow users. I tried with LDAP user..13:32
samueldmqstevemar: let me know if it's good enough13:32
dikonoor dstanek:dolphm:rderose: Use case is : I have two ldaps - LDAP1 and LDAP2. Both of them have a specific user with the same name ..Let's call the user ABC. I now configure keystone with LDAP1 and then when the user is authenticated, there's an entry created in the nonlocal_user table with primary_key combination as domain and username ABC13:34
*** melwitt_ is now known as melwitt13:34
dikonoordstanek:dolphm:rderose: I now reconfigure the same instance of keystone with LDAP2, which also has a user with the same name.. SO, now when I try to authenticate user ABC (from LDAP2), it gives me a conflicting user error because the nonlocal_user table already has en entry with the same domain+username combination13:35
dikonoordstanek: dolphm: rderose: So, even though my user ABC from LDAP2 is actually a valid user, the authentication fails13:36
dstanekdikonoor: this is likely caused by the bug that is accidentally creating local_users13:36
dstaneki'm guessing that once the fix gets in it will work13:36
dikonoordstanek: dolphm: rderose: But this conflict occurs in the nonlocal_user table13:37
dstanekdikonoor: ah, then another bug?13:37
dikonoordstanek:dolphm:rderose: and even if with the fix to not insert in local_user, this will happen13:37
dstanekdikonoor: are you trying to use the same domain for both ldaps?13:37
dikonoordstanek: yes..same domain13:37
dstaneki don't think that can work13:37
dikonoordstanek : which is a supported usecase..13:38
dstanekdikonoor: is it supported?13:38
dikonoordstanek: I don't see any reason it shouldn't be..If I were a customer and my LDAP1 crashed for some reason and I want to switch to my backup LDAP2, I would want to use the same domain13:38
dikonoordstanek: So, I think this would be a bug.. This can be reproduced in other ways as well even with the use of a single LDAP13:40
dstanekdikonoor: how can it be done with a single LDAP server?13:40
dstanekdikonoor: i don't think having 2 different LDAP servers under a single domain is possible because of name collision issues (which is what you are seeing)13:41
dikonoordstanek: for eg. Let's say I have just one LDAP and I configure keystone to user it such that the user-id-mapping is set to cn (for eg. cn=abc@abc.com)..now I authenticate..everything works fine13:41
dstaneki could be wrong, but i wouldn't actually expect it to work13:41
dikonoordstanek: now let me reconfigure keystone with the same LDAP such that user-id-mapping is set to uid (for eg. uid=3764836)..When keystone is restarted after this configuration, a new entry gets created in the id_mapping table and then when you try to authenticate , it will cause the same conflict user error at the nonlocal_user..13:43
dikonoordstanek: This is caused because in both the cases the user name attribute used for configuration is the same ..and after the first configuration when the user authenticates, an entry is made in the nonlocal_user table with domain+user_name combination13:44
dstanekdikonoor: i'm not sure if reconfiguring like that is a bug or not, but i suggest you file it and see what others think13:45
dikonoordstanek: ok..Let me file a bug..but the first scenario of two different LDAPs and same user/domain would be a valid usecase in my opinion.. I will file a bug..Wanted to know what rderose and dolphm thought as well13:46
dikonoordstanek: The other query I have would be around deletions in the keystone db for these users13:46
*** sdake has joined #openstack-keystone13:46
dstanekdikonoor: if your usecase for the first once is redundancy on the ldap server i think there are better ways to do that13:47
*** bigdogstl has joined #openstack-keystone13:48
lbragstadhenrynash quick question on the database migration repos. Did we ever determine a location for tests that span the entire upgrade?13:50
*** sdake_ has joined #openstack-keystone13:50
dikonoordstanek: well..there might be other ways..but I don't think it would be right to give a conflict user error in the usecases I explained..but let's see..I will open a bug..I am not sure if these db entries are ever cleaned up..so there could be other usecases where we could hit this error13:50
dikonoordstanek: The other query I have is around the "last_active_at" column in the user table13:51
*** briancurtin has quit IRC13:51
samueldmqstevemar: dstanek: do we really need to have kerberos as mandatory extra dps for our testing env ?13:51
samueldmqhttps://github.com/openstack/keystoneauth/blob/master/tox.ini#L1513:51
dstaneki don't think they are cleaned up at all - the idea (i believe) is that the information from LDAP should be unique enough to create a user13:51
*** tonytan4ever has joined #openstack-keystone13:51
samueldmqstevemar: I had to "sudo apt-get install libkrb5-dev" just to be able to tox -e venv -- reno new bug-161468813:52
samueldmq:/13:52
*** briancurtin has joined #openstack-keystone13:52
dikonoordstanek : but when we switch between LDAPs , wouldn't it make sense to clean it up ? OR perhaps clean it up if the "last_active_at" column shows that the user hasn't been active for ages ?13:52
dstaneksamueldmq: hmmm, we could probably make those tests skipped is kerberos isn't installed, but i'd rather not13:53
*** bigdogstl has quit IRC13:53
dikonoorbut "last_active_at" column, I see always has a value of NULL..Not sure if this is intentional ?13:53
dikonooror a bug13:53
*** sdake has quit IRC13:53
dstanekdikonoor: maybe? but that may lead to having to clean up lots of stuff. you may have things in the cloud pointing to users that don't exist13:54
dikonoordstanek: that's true..i mean what you say references of non-existent users ..would be a problem with the auditing support as well13:54
rderoserodrigods: so what's the purpose of the controller in your opinion?13:55
dstanekthere's rderose!13:55
samueldmqdstanek: well, I am not complaining about the tests ... jsut about needing to install that for running reno13:56
samueldmqdstanek: :(13:56
henrynashlbragstad: good question, not sure we have a class for that...although the contract test class in test_sql_upgrade forces all the migrations phases before it runs....so that is one options13:56
rderosedstanek: good morning :)13:56
dikonoordstanek : but in a huge cloud deployment with LDAP servers carrying lakhs of users , where users are authenticating in and out, it would be an overkill not to delete any entries13:56
dikonoorrderose: Good Morning :D13:56
lbragstadhenrynash hmm13:57
lbragstadhenrynash is there any way to control which repos run in the test?13:57
rderosedikonoor: good morning :)13:57
dikonoorrderose: dstanek and I were discussing about a specific usecase around LDAP conflicting user problem in nonlocal_user table13:58
dstaneksamueldmq: stevemar: our dev docs no longer say what system packages need to be installed :-(13:58
rderosedikonoor: reading...13:58
henrynashlbragstad: so there is a test class for expand, migrate and contract (as well as the legacy), each one ensures any previous phases are run as part of its setup13:58
stevemardstanek: indeed!13:58
stevemardstanek: they say to use bindep13:58
samueldmqstevemar: ++13:58
stevemarand "other-requrements.txt"13:58
samueldmqexactly, we need to add that to other repos too13:58
samueldmqlooks like it's only in keystone server repo13:59
dstanekstevemar: where?13:59
samueldmqstevemar: now it's named 'bindep.txt'13:59
dstaneki'm looking st http://docs.openstack.org/developer/keystone/devref/development.environment.html13:59
samueldmqstevemar: dstanek : https://github.com/openstack/keystone/blob/master/bindep.txt13:59
lbragstadhenrynash interesting - i'm trying to test https://review.openstack.org/#/c/355618/9 and I want to make sure you can't issue some sort of credential write during the upgrade (so, testing the triggers that make credentials read-only).13:59
samueldmqdstanek: in the Development environment section, it tells you to go to http://docs.openstack.org/project-team-guide/project-setup/python.html14:00
*** spedione|AWAY is now known as spedione14:00
samueldmqthere it talks about bindep14:00
stevemardstanek: "For setting up the Python development environment and running tox testing environments, please refer to the Project Team Guide: Python Project Guide, the OpenStack guide on wide standard practices around the use of Python.""14:00
*** ddieterly has joined #openstack-keystone14:00
samueldmqwhich is a common thing to all projects, so we didn't need to c&p the docs :)14:00
stevemarpip install bindep; sudo [apt-get | yum] install $(bindep -b)14:01
dstanekleave it to openstack to keep making things more and more complicated :-)14:01
samueldmqwe had to maintain a different list of packages depending on distro, now it's just those commands ^14:02
dstanekstevemar: do we support using multiple LDAP servers attached to the same domain?14:02
dikonoorrderose: 3 things 1) conflicting user problem 2) last_active_at NULL in User table (I see default_project_id also as NULL) 3) Deletion of stale entries14:03
dstanekdikonoor: at this point i doubt we would try to delete stale entries14:04
stevemardstanek: i don't believe so14:04
*** ddieterly is now known as ddieterly[away]14:04
rderosedikonoor dstanek dolphm: 1) yeah, as dstanek was saying, I'm not sure we support multiple LDAP servers with the same domain. If we do, the obvious fix would be to remove the constraint.14:04
rderosedikonoor: what's your question regarding 2) last_active_at?14:05
dikonoorstevemar: do we support using multiple LDAP servers attached to the same domain such that only one LDAP is configured at a time ..if LDAP1 that was setup with domain1 was unavailable for some reason, using ldap2 with the same domain is not supported?14:06
rderosestevemar dstanek dikonoor: okay, then we probably can remove that constraint, as long as the user ID will be unique across the LDAP servers14:07
stevemardikonoor: do ldap1 and ldap2 have the same data?14:07
rderosestevemar dstanek dikonoor: I'll have to looks at the id mapping logic and see14:07
*** edmondsw has joined #openstack-keystone14:07
dikonoorstevemar : both ldaps could have users with the same name14:07
stevemardikonoor: if it's a failover ldap, sure... but if it's an entirely different set of users i dont think so14:08
dikonoorrderose: "last_active_at" - what exactly is it used for..14:08
*** ddieterly[away] is now known as ddieterly14:08
rderosedikonoor: it's for new security compliance feature for disabling inactive users14:09
*** lamt has quit IRC14:09
dikonoorrderose : ok..makes sense..currently the values are NULL for all LDAP entries I have..Is it a bug?14:10
rderosedikonoor: no, this setting is only supported with SQL identities14:10
dstanekdikonoor: ah yes, that's for PCI compliance support14:11
*** tqtran has joined #openstack-keystone14:11
*** haplo37__ has joined #openstack-keystone14:11
dikonoordstanek: ok..got it..Also the default_project_id column14:11
dikonoorrderose: what's that for..That's also seen as null14:12
dikonoorrderose: Is it also something specific to sql and PCI-DSS compliance14:12
rderosedikonoor: yes, but it's not for PCI, default_project_id has been there for a while for SQL identities14:14
dikonoorrderose: not sure if it's actually getting used.. (I didn't see any functional problems) but they are NULL14:14
rderosedikonoor: it wouldn't be used for LDAP identities14:15
*** tqtran has quit IRC14:15
dikonoordstanek : rderose: stevemar: On the original problem of conflicting user , we can hit that problem even if a case we switch between keystone identity drivers (from ldap to custom and vice versa), where both the backends have users with the same name and both drivers were used in the same domain; the other case is the failover scenario of the two ldaps with same set of users and we switch over to the second14:17
rderosedikonoor: regarding 3) deletion of stale entries, we've discussed this, but currently we do not have a mechanism for deleting stale users14:17
dstaneki thought default_project_id was just a v2 thing. i'd have to double check how it's used though14:17
*** sdake_ is now known as sdake14:18
dikonoorrderose: yeah..we don't have a mechanism and dstanek also mentioned the problem around the non-existent user.14:19
dstanekdikonoor: i don't think we can easily support switching drivers in a domain14:19
openstackgerritMerged openstack/keystoneauth: Allow identity plugins to discover relative version urls  https://review.openstack.org/35680814:19
*** su_zhang has joined #openstack-keystone14:19
dstanekdikonoor: i'm curious how the failover is failing since the public_ids and user name should be the same between the servers14:20
rderosedstanek dikonoor: yeah, if the user ID is the same across LDAP servers, than shouldn't fail14:22
rodrigodsrderose, see.. i get your point, but for that specific check i'm not sure we want to implement it in the manager layer - we may even change the behavior in the future to make the type filed immutable just using JSON schema14:22
dikonoordstanek: ok.but the userid is different but the user name is same , then it would14:23
dstanekdikonoor: in your example where both ldap servers exactly the same?14:23
rodrigodsrderose, sorry to jump into the discussion with a totally different topic :)14:23
dstanekdikonoor: yes, we can't support that14:23
dstanekdikonoor: that is two different sets of users14:23
rderoserodrigods: :)14:23
dikonoordstanek : ok..let's forget the multiple ldap problem for a minute.. This can be reproduced with a single ldap as well.. I ran into this problem when i configured my ldap incorrectly the first time and then configured it correctly and then couldn't authenticate14:24
dstanekdikonoor: i'm not sure how we can handle that case. i think you'd have to manually delete the user records.14:25
dstanekif you change how you uniquely identify users then all your previous data is incorrect14:25
*** sheel has quit IRC14:26
dstanekamakarov: are you around?14:26
*** ravelar has joined #openstack-keystone14:26
amakarovdstanek, hi!14:26
rderoserodrigods: okay, I'm not sure why we wouldn't want to put that in the manager layer.  And to be honest, I think the only reason why we are doing schema validation in the controller layer is to take advantage of JSON validation.  Otherwise, this would likely be in the manager layer as well.14:27
dikonoorrderose: dstanek : yes..all previous data is incorrect.. and then I would have to manually remove all the entries from the table14:27
dikonoorrderose: dstanek : Let's say I have just one LDAP and I configure keystone to user it such that the user-id-mapping is set to cn (for eg. cn=abc@abc.com)..now I authenticate..everything works fine14:27
dikonoor. now let me reconfigure keystone with the same LDAP such that user-id-mapping is set to uid (for eg. uid=3764836)..When keystone is restarted after this configuration, a new entry gets created in the id_mapping table and then when you try to authenticate , it will cause the same conflict user error at the nonlocal_user..14:27
dikonoorrderose : Above is what I tried when I ran into the problem14:27
rderosedikonoor: I see, hmm...14:28
rodrigodsrderose, hmm you are right... i would like to have the controller layer handling only JSON parsing (dict -> JSON) and query parameters14:29
dstanekamakarov: hey....just thinking about your comment about get_or_create for cache keys and i had a thought14:29
rodrigodsrderose, will put it in the manager - the tricky part are the tests though14:29
dstanekdikonoor: i understand the usecase, but i don't think there is anything we can do about it. you would just ahve to delete your users and start over.14:29
dikonoorrderose: there could be other permutations and combinations where we could run into this and the only way to get out of this is to manually delete the entries from the nonlocal_user table14:29
rodrigodsrderose, we don't have a test_core for credential, yet14:29
*** slberger has joined #openstack-keystone14:30
dstanekamakarov: https://review.openstack.org/#/c/349704/6/keystone/common/cache/core.py14:30
dstanekamakarov: it seems that get_or_create isn't actually locking between processes so i don't think it helps14:31
dikonoorrderose: dstanek: so I guess there's nothing much to do about it :(14:31
dstanekamakarov: but what is the initial value for the region key what just the region name?14:31
rderosedikonoor dstanek stevemar: what would be the problem is we removed the domain/name constraint for shadowing nonlocal users (ldap, custom)?14:31
rodrigodsrderose, i could create one, but would be better to wait the encrypt credentials work land first14:31
*** nishaYadav has quit IRC14:32
rderoserodrigods: agree14:32
dstanekrderose: if someone tries to login with username/domain what would happen?14:32
amakarovdstanek, get_or_create uses Lock. I'll double check14:32
rderosedstanek: as long as the user id is unique, it would create a new entry in the nonlocal_user table14:33
rderosein dikonoor case, you would have 2 entries for the same user14:33
*** bigdogstl has joined #openstack-keystone14:33
*** code-R has quit IRC14:34
dstanekamakarov: it uses a Lock object that is implemented using the threading module14:34
*** code-R has joined #openstack-keystone14:34
dstanekrderose: tbh...we made this so confusing that i have no idea what'll happen14:36
rderosedstanek: ha ha ha :)14:36
rderosedstanek: alright, let me think this through14:36
amakarovdstanek, it uses backend mutex14:37
dstanekrderose: in the case of nonlocaluser what is the name?14:37
amakarovdstanek, https://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/backends/memcached.py?at=master&fileviewer=file-view-default14:38
amakarovin case of memcache backend ^^14:39
rderosedstanek: nonlocal_user, just means non-SQL, so LDAP and custom driver14:39
*** roxanaghe has joined #openstack-keystone14:39
rderosedstanek: the name is the username14:39
breton[A[A14:40
dstanekamakarov: how does that get wired in when the code expicitly uses Lock?14:40
dstanekrderose: right, but where does it come from and how is it used?14:40
*** ayoung has joined #openstack-keystone14:41
*** ChanServ sets mode: +v ayoung14:41
rderosedstanek: it would come from LDAP (configurable) and it's only used to map the LDAP identity to a local identity14:41
bretonoh wow14:42
amakarovdstanek, https://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-47514:42
*** lamt has joined #openstack-keystone14:42
amakarovdstanek, and https://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-82114:42
dstanekhmmm...i wonder why that's not working for me14:42
*** bigdogstl has quit IRC14:43
dstanekamakarov: i'm still not sure i can use it without recreating it. let me publish some code so i can explain14:43
*** roxanaghe has quit IRC14:44
rderosedikonoor: so do we have a bug?14:44
rderosedikonoor: other than, we still need to solve removing stale users and possibly issues around multiple identity drivers14:44
zzzeekamakarov: just spin up zookeeper :)14:46
dstanekzzzeek: too many things!14:47
zzzeekdstanek: distributed locks in memcached have the kind of big problem that values in memcached can just vanish14:47
zzzeeki dont recall how this is ameliorated by the lock here if at all14:48
dstanekzzzeek: in our case it's not too big a deal. a race condition or vanishing lock would just mean that data isn't cached as long as it could be. not sure it even matters.14:48
zzzeekdstanek: i have a dim recollection of some more serious side effect but...well it's too dim for me to remember :)14:49
*** BjoernT has joined #openstack-keystone14:51
*** hockeynut has joined #openstack-keystone14:58
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Minor docstring fix in mappings.py  https://review.openstack.org/35869814:58
*** ayoung has quit IRC14:59
*** jaosorior_brb is now known as jaosorior15:00
*** code-R has quit IRC15:08
*** asettle has quit IRC15:08
dstanekstevemar: is it better to reopen https://bugs.launchpad.net/keystone/+bug/1537617 or create another bug?15:09
openstackLaunchpad bug 1537617 in OpenStack Identity (keystone) "caching of the catalog does not invalidate across processes" [High,Fix released] - Assigned to Morgan Fainberg (mdrnstm)15:09
*** woodburn has quit IRC15:11
openstackgerritDavid Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/34970415:11
dstanekzzzeek: if you have a sec take a quick peek at that. i'd love to get your opinion.15:12
dstanekamakarov: ^15:12
zzzeekdstanek: sure15:12
dstanekamakarov: so if i wanted to use get_or_create i would have to have a region subclass that deals with the key function for the decorator and a backend proxy that deals with the dynamic key names15:14
*** bigdogstl has joined #openstack-keystone15:14
dstanekamakarov: while it's possible it isn't as clean15:14
dstanekamakarov: the reason for the proxy is that get_or_create uses self.backend.* effectively bypassing the region key logic15:16
dstanekamakarov: after i add a few more test cases i can show what that code would look like15:16
*** woodburn has joined #openstack-keystone15:17
*** erhudy has joined #openstack-keystone15:19
amakarovdstanek, I understand task may seem complex, though I'd like to have this solution built to last even in next releases as I like it more than mine. We'll just have to move it to oslo.cache eventually.15:20
dstanekamakarov: or better yet, in dogpile directly15:20
amakarovdstanek, I agree. I'll take a closer look if it can be done as invalidation strategy15:21
dstanekamakarov: invalidation strategy?15:24
amakarovdstanek, yes: https://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-2815:24
amakarovit's new for dogpile.cache 0.6.215:24
dstanekamakarov: ah that. it doesn't allow you to intercept keys15:25
zzzeekdstanek: this review is not how I'd do it.15:26
zzzeekdstanek: subclassing region should never be needed.15:27
zzzeekdstanek: the thing that _add_region_key_qualfiier is doing should be with the key_mangler15:27
amakarovdstanek, yes, but keys can be changed by function passed to region15:28
*** code-R has joined #openstack-keystone15:28
amakarovfunction_key_generator15:28
dstanekzzzeek: i initially did that but ran into something....15:28
*** code-R has quit IRC15:29
dstanekzzzeek: oh, right. i was having issues with the region key, but i could probably solve that by special casing a key...if it starts with <<region>> then don't add the region id15:29
*** atod has joined #openstack-keystone15:30
*** code-R has joined #openstack-keystone15:30
zzzeekdstanek: there is also proxybackend15:30
dstanekamakarov: i may try zzzeek's suggestion again and try to use an invalidation strategy15:31
amakarovdstanek, invalidation strategy can't be used for stable/* releases15:31
amakarovas dogpile.cache capped there15:31
dstanekamakarov: oh right. we need to backport15:31
dstanekugg15:32
*** bigdogstl has quit IRC15:32
dstanekamakarov: i'll submit a second patch for that then15:32
bknudsondogpile.cache is not capped: http://git.openstack.org/cgit/openstack/keystone/tree/requirements.txt?h=stable/mitaka#n3615:32
*** bigdogstl has joined #openstack-keystone15:33
dstanekbknudson: we had a discussion last week about using some of the new fangled things and the conclusion was we couldn't15:33
amakarovbknudson, so if I install Liberty, it will use latest dogpile.cache?15:33
dstaneki don't remember why though15:33
bknudsonyou can install the latest dogpile.cache with liberty.15:33
bknudsonyou can use any version newer than 0.5.715:34
*** woodburn has quit IRC15:34
dstanekamakarov: zzzeek: respinning with some changes15:34
*** code-R has quit IRC15:35
amakarovdstanek, here is my patch using inv. strategy approach: https://review.openstack.org/#/c/354831/15:35
*** Administrator__ has quit IRC15:36
*** Administrator__ has joined #openstack-keystone15:37
bknudsonamakarov: oh, you were asking about liberty -- it dogpile.cache>=0.5.4 on liberty.15:37
amakarovbknudson, good to know: we can backport my approach then if dstanek will not succeed for some reason15:38
*** gyee has joined #openstack-keystone15:39
*** asettle has joined #openstack-keystone15:39
amakarovbknudson, dstanek can you please help with gate-oslo.cache-requirements? Looks like oslo.cache don't like dogpile.cache>=0.6.215:41
dstanekamakarov: why not?15:42
openstackgerrithenry-nash proposed openstack/keystone: Modify sql banned opreations for each of the new repos  https://review.openstack.org/35872315:42
dstanekfg15:43
dstaneklol15:43
bknudsonamakarov: you can't change requirements for any project. requirements changes have to be made to global requirements repo.15:43
*** su_zhang has quit IRC15:43
bknudsonamakarov: http://git.openstack.org/cgit/openstack/requirements/tree/global-requirements.txt15:43
*** su_zhang has joined #openstack-keystone15:43
*** su_zhang has quit IRC15:44
*** su_zhang has joined #openstack-keystone15:44
amakarovbknudson, thank you. I'll remove my requirement and see then15:45
*** thiagolib has joined #openstack-keystone15:45
*** bigdogstl has quit IRC15:48
*** su_zhang has quit IRC15:49
*** michauds has joined #openstack-keystone15:50
openstackgerrithenry-nash proposed openstack/keystone: Fix issue of password created_at being left as nullable  https://review.openstack.org/35778915:53
*** sdake has quit IRC15:54
*** sdake has joined #openstack-keystone15:55
henrynashstevemar: on https://review.openstack.org/#/c/357789/, not sure grok your questions...15:56
*** bigdogstl has joined #openstack-keystone15:56
*** Ephur has joined #openstack-keystone15:57
*** chrisshattuck has joined #openstack-keystone15:59
*** dgonzalez has quit IRC16:03
*** bradjones has quit IRC16:03
*** tonytan_brb has joined #openstack-keystone16:03
*** tlbr_ has quit IRC16:04
*** dgonzalez has joined #openstack-keystone16:05
*** tonytan4ever has quit IRC16:05
*** frickler has quit IRC16:06
*** bradjones has joined #openstack-keystone16:06
*** bradjones has quit IRC16:06
*** bradjones has joined #openstack-keystone16:06
*** atod has quit IRC16:07
*** amakarov has quit IRC16:07
*** frickler has joined #openstack-keystone16:07
*** amakarov has joined #openstack-keystone16:07
*** asettle has quit IRC16:11
*** bigdogstl has quit IRC16:12
openstackgerritDavid Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/34970416:12
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561816:12
*** tlbr has joined #openstack-keystone16:13
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449716:13
*** bigdogstl has joined #openstack-keystone16:14
openstackgerritDavid Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/34970416:14
lbragstadhenrynash dolphm dstanek I added some migration tests to https://review.openstack.org/#/c/355618/10 but I'm still unable to figure out why the SqlLite tests fail16:14
*** woodburn has joined #openstack-keystone16:14
lbragstadso far - the only thing that is making the implementation of credential encryption fail the gate is this test - http://cdn.pasteraw.com/6zaqyxiupmfikpeqbzn86wwicgqcni316:15
dstaneklbragstad: is the migration not happening?16:17
lbragstaddstanek I tested it locally and with the new tests I wrote and it seems to be working for the sql case16:17
lbragstaddstanek something seems to be messed up with sqlite though16:17
henrynashlbragstad: also see https://review.openstack.org/35778916:18
lbragstadit's failing to walk the versions in the expand repo because it doesn't think the credential table exists16:18
dstaneklbragstad: i looks like other tests fail16:18
dstaneklbragstad: look at henrynash's patch. you guys are using the same versions so your migrations probably are not applied?16:19
lbragstaddstanek neither of them have merged though?16:19
*** asettle has joined #openstack-keystone16:23
stevemaro/16:26
stevemarhenrynash: https://review.openstack.org/#/c/358723/ is looking crazy16:28
*** tesseract- has quit IRC16:28
*** asettle has quit IRC16:28
stevemarhenrynash: for the follow on patch... is it sqlalchemy magic that know to use the postgres trigger when using postgres?16:28
*** pcaruana has quit IRC16:29
lbragstadhenrynash how are the triggers applied?16:30
lbragstadhenrynash are they applied based on the naming + the sql implementation being used?16:30
openstackgerritAlexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/30914616:31
*** chrisshattuck has quit IRC16:32
*** slberger has quit IRC16:32
*** chrisshattuck has joined #openstack-keystone16:32
stevemarhenrynash: yeah, what lbragstad is asking16:32
*** slberger has joined #openstack-keystone16:34
*** chrisshattuck has quit IRC16:35
*** bigdogstl has quit IRC16:36
*** jmccrory_away is now known as jmccrory16:37
lbragstadstevemar FYI - this is what we were talking about in the meeting a couple weeks ago http://lists.openstack.org/pipermail/openstack-dev/2016-August/102059.html16:40
lbragstadlooks like the templates are proposed16:40
henrynashlbragstad: so sqlalchemy migrate will execute a file named '%03d_<name_of_db>_<upgrade or downgrade>.sql16:46
henrynashlbragstad: if that doesn't exist, it will, I think, execute the non dababase specific version16:47
henrynashstevemar: yes, just have to learn the magic of each DB language (yuk)16:48
henrynashstevemar: crazy in what way (on https://review.openstack.org/#/c/358723/)16:49
stevemarhenrynash: all the lambdas!16:49
stevemarhenrynash: cool, i didn't know <name_of_db> was magic16:49
stevemarTIL16:49
*** gagehugo has joined #openstack-keystone16:51
henrynashstevemar: yeah...exsiting version is actually broken....since it tries to pass in a parameter to the function being called in the lambda...which doesn't work since the variable isn't fixed at the time of setting up the lambda16:51
*** gagehugo has quit IRC16:51
*** gagehugo has joined #openstack-keystone16:52
henrynashstevemar: i.e. current version says lambda *a, **k: self._explode(resource, 'alter'))...but since resource variable gets changed after the monkeypatch, this is actually wrong16:53
henrynashstevemar: I couldn't think of a better way round the problem than the yucky duplication of lambdas16:53
stevemarhenrynash: oh i'm sure it works, i just don't like seeing it :P16:54
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Support domain-specific configuration management  https://review.openstack.org/35877016:54
*** dims has quit IRC16:54
* stevemar is a special sort of exhausted today16:54
rodrigodshenrynash, ^16:54
henrynashrodigods: cool...will look in a while, thanks for picking this up...16:55
rodrigodshenrynash, created a different change since i did some big modifications in the code and i'd like your feedback :)16:55
*** jaosorior has quit IRC16:55
stevemarrodrigods: i like your print statements $$$$$$$$$$$$$$$$$16:55
rodrigodsstevemar, lol16:55
rodrigodswill remove16:55
henrynashrodigods: gotta stand out, right16:56
*** dims has joined #openstack-keystone16:56
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Support domain-specific configuration management  https://review.openstack.org/35877016:56
*** woodburn has quit IRC16:58
henrynashstevemar: definitely open to suggestions on the lambdas....first one to admit I'm pretty much a lambda virgin (which I guess is marginally better than being a lama virgin...)16:58
stevemarlol16:59
*** su_zhang has joined #openstack-keystone17:01
*** su_zhang has quit IRC17:01
*** su_zhang has joined #openstack-keystone17:01
*** tonytan4ever has joined #openstack-keystone17:06
*** tonytan_brb has quit IRC17:08
*** bigdogstl has joined #openstack-keystone17:10
*** tqtran has joined #openstack-keystone17:13
openstackgerritDavid Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/34970417:16
*** bigdogstl has quit IRC17:16
*** tqtran has quit IRC17:17
*** code-R has joined #openstack-keystone17:19
*** atod has joined #openstack-keystone17:20
*** code-R_ has joined #openstack-keystone17:22
*** gagehugo has quit IRC17:23
*** gagehugo has joined #openstack-keystone17:23
*** edtubill has joined #openstack-keystone17:24
*** atod has quit IRC17:25
*** code-R has quit IRC17:25
*** asettle has joined #openstack-keystone17:25
*** ddieterly is now known as ddieterly[away]17:25
stevemardstanek: thanks again for working on the cache issues17:26
stevemarlet me know when you want me to formally transfer the title of cache-master from notmorgan to you :D17:27
dikonoorrderose: hi, was away. Will open a bug for the conflicting user problem17:27
dikonoorrderose: let me open ..17:28
*** lamt has quit IRC17:28
dstanekdikonoor: for the misconfiguration problem?17:29
dikonoordstanek : "rderose> dikonoor: so do we have a bug?" >> I thought this is for the conflict user problem17:31
*** asettle has quit IRC17:31
*** code-R_ has quit IRC17:31
dstanekdikonoor: i would vote for a won't fix on a bug where during the initial setup the configuration was messed up17:31
dstaneki don't think there is really anything we can do about that17:32
*** code-R has joined #openstack-keystone17:35
dikonoordstanek: ok.. rderose around? I get your point..17:35
*** tqtran has joined #openstack-keystone17:35
*** code-R has quit IRC17:40
notmorganso glad it's someone else's headache to deal with caching now.17:40
*** code-R has joined #openstack-keystone17:42
dstanekzzzeek: ah, i implemented in terms of a key_mangler and i found the problem again. it's that the key_mangler isn't used by the memoize decorator so i have to also provide a function_key_generator17:43
*** haplo37__ has quit IRC17:49
lbragstadhenrynash when this class is setup - does it run the legacy migrations first?17:49
lbragstadhttps://github.com/openstack/keystone/blob/0cd732b2b0d3e18cbdbceecf66a83cd378c27717/keystone/tests/unit/test_sql_banned_operations.py#L21117:49
amakarovdstanek, I think you function_key_generator is the thing - key_mangler is just sha1 encoder17:50
amakarovs/you//17:50
lbragstadhenrynash if we weren't running the legacy migrations that would explain why this fails in my patch - http://cdn.pasteraw.com/6zaqyxiupmfikpeqbzn86wwicgqcni317:50
dolphmhenrynash: still around?17:50
dstanekamakarov: zzzeek mentioned in terms of using the key_mangler earlier, which is what i originally wanted to do. unfortunately it isn't used by the decorator17:51
lbragstadsince the credential table is created by a migration in another repo?17:51
dstanekamakarov: function_key_generator is only used by the decorator. so both have to be provided17:51
zzzeekdstanek: key mangler is used by the decorator, because the decorator calls get_or_create()17:51
*** Gorian|work has joined #openstack-keystone17:52
amakarovdstanek, iiuc key_mangler is just to keep keys short17:52
zzzeekamakarov: key_mangler is for whatever you need the keys to look like17:52
dstanekzzzeek: the key mangler is used by Region.get and get_or_create uses self.backend.get17:52
notmorgandstanek: key_mangler is used by the decorator, not used by .get/.set17:52
dstanekamakarov: it's a good hook to change the key17:53
bknudsonI was worried that the sha1 key mangler was causing collisions but that doesn't seem to be the case.17:53
dstaneknotmorgan: https://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-62417:53
notmorgandstanek: without the keymangler the memoization can't work in keystone, we exceed the keysize allowed by memcache17:53
notmorgandstanek: because we concat func name, class, and arguments17:54
bknudsonwon't work with pki tokens for sure17:54
* zzzeek hoorays notmorgan is here :)17:54
dstaneknotmorgan: bknudson: maybe that is the cause of the bug then? i really don't see it being used in the decorator17:54
dstanekhttps://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-78017:54
bknudsondstanek: what bug?17:54
stevemaruh oh, did notmorgan punch a hole in the bug / patch? :\17:55
amakarovbtw, backend may have own key_mangler :)17:55
amakarovhttps://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-43217:55
dstanekbknudson: the one you were trying to solve by fixing the sha117:55
stevemarbknudson: this one: https://bugs.launchpad.net/bugs/1600393 and https://bugs.launchpad.net/bugs/160039417:55
openstackLaunchpad bug 1600393 in OpenStack Identity (keystone) "v2.0 catalog seen in v3 token" [Critical,Confirmed] - Assigned to David Stanek (dstanek)17:55
openstackLaunchpad bug 1600394 in OpenStack Identity (keystone) "memcache raising "too many values to unpack"" [Critical,Confirmed] - Assigned to David Stanek (dstanek)17:55
*** code-R has quit IRC17:55
notmorgandstanek: in get_or_create which is what the decorator uses17:55
notmorganhttps://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-77717:55
bknudsondstanek: right, I tried changing the mangler to sha256 but browne tried it and still hit the errors.17:55
notmorganbknudson: sha1 shouldn't be colliding17:56
bknudsonalso I tried to see if I could cause a collision with sha1 and couldn't.17:56
notmorganwhat is the error?17:56
bknudsoncomputer ran out of memory17:56
notmorganlol17:56
bknudsonnotmorgan: the error is that keystone gets a value from the cache that's obviously not what was put in there.17:56
notmorganuhm17:56
dstaneknotmorgan: it looks like the cache is returning random object. like a list instead of a user, etc.17:57
notmorganbknudson: in what context, where?17:57
bknudsonnotmorgan: here's where we saw it: https://bugs.launchpad.net/keystone/+bug/160956617:58
openstackLaunchpad bug 1609566 in OpenStack Identity (keystone) "500 error from revocation event deserialize" [Medium,Incomplete] - Assigned to Brant Knudson (blk-u)17:58
notmorganrevocation events serialize badly and always have17:58
bknudsonthen there's this one from someone else: https://bugs.launchpad.net/keystone/+bug/160039417:59
openstackLaunchpad bug 1600394 in OpenStack Identity (keystone) "memcache raising "too many values to unpack"" [Critical,Confirmed] - Assigned to David Stanek (dstanek)17:59
notmorganit's been a horrible series of hacks to get around that17:59
notmorganok give me a few minutes let me get to my other machine and i'll look at it17:59
bknudsonand this is another issue that looks similar: https://bugs.launchpad.net/keystone/+bug/160039317:59
openstackLaunchpad bug 1600393 in OpenStack Identity (keystone) "v2.0 catalog seen in v3 token" [Critical,Confirmed] - Assigned to David Stanek (dstanek)17:59
stevemarnotmorgan: yes, bknudson has listed the trifecta of similar looking caching bugs18:00
notmorgani expect this is due to the cache code reshuffle that occured.18:00
dstanekstevemar: i haven't even started looking at those yet. just finally got all the tests written for invalidation this morning18:01
* notmorgan rapidly feels like the answer is rm -rf keystone/common/cache18:01
*** roxanaghe has joined #openstack-keystone18:01
dstaneknotmorgan: lol18:01
dstanekwe made this so much harder than it needed to be18:01
notmorganthen just rip out the decorator and use .get/set directly18:01
notmorganseriously18:01
notmorganmake it simple if that will be easier to manage18:02
notmorgan:)18:02
notmorgani'll look at those bugs in a moment.18:02
dstaneknotmorgan: that may be simplier than the docorator. we have an osic task to look at that. i'm just working on invalidation now.18:03
notmorganthe __init__ thing is a fail in where someone changed the instantiation with msgpack18:03
notmorganbug 160956618:03
openstackbug 1609566 in OpenStack Identity (keystone) "500 error from revocation event deserialize" [Medium,Incomplete] https://launchpad.net/bugs/1609566 - Assigned to Brant Knudson (blk-u)18:03
notmorganthat one i've seen and can probably isolate in a few moments. it's simply a bad refactor when folks removed the revocation tree18:04
stevemarnotmorgan: by all means, that would be awesome...18:04
notmorganthe reinstantiation with **kwargs is a stupid pattern18:04
notmorganand i'm sorry i used it as a workaround18:05
lbragstadlunch - brb18:06
notmorganbug 1600394 is erroring in memcache library18:06
openstackbug 1600394 in OpenStack Identity (keystone) "memcache raising "too many values to unpack"" [Critical,Confirmed] https://launchpad.net/bugs/1600394 - Assigned to David Stanek (dstanek)18:06
notmorgan"/usr/lib/python2.7/dist-packages/memcache.py", line 1211, in _expectvalue18:06
notmorgansome how bad data is being passed into memcache itself.18:07
notmorganpython lib18:07
notmorganthis could be a memcache python bug, a bug in dogpile or a bug in our code18:07
notmorganunrelated18:07
notmorganto the previous one18:08
notmorganbug 1600393 just is an issue where we need to transform the catalog because of $STUPID_CATALOG_IS_PART_OF_THE_TOKEN_BODY_AND_Is_A_CONTRACT$ issues, and we cache the response whole-sale. likely unrelated to the other two bugs18:09
openstackbug 1600393 in OpenStack Identity (keystone) "v2.0 catalog seen in v3 token" [Critical,Confirmed] https://launchpad.net/bugs/1600393 - Assigned to David Stanek (dstanek)18:09
bknudson1600394 is the one that makes me wonder if this is a threading issue or something18:09
notmorganmaybe18:10
notmorganbut i'm going to guess it's just simply bad code.18:10
notmorganbefore i blame threading18:10
notmorganalso memcache explicitly uses thread.local18:11
notmorganso we had to hack around that, we might have introduced buggyness there18:11
*** Ephur has quit IRC18:12
*** Ephur has joined #openstack-keystone18:14
*** ddieterly[away] has quit IRC18:26
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix credential update to ec2 type  https://review.openstack.org/35795018:28
*** amakarov is now known as amakarov_away18:28
*** sdake has quit IRC18:29
*** ddieterly has joined #openstack-keystone18:31
*** markvoelker has quit IRC18:33
*** ddieterly is now known as ddieterly[away]18:34
rderosedikonoor: you still there?18:41
*** woodburn has joined #openstack-keystone18:41
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix credential update to ec2 type  https://review.openstack.org/35795018:45
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix credential update to ec2 type  https://review.openstack.org/35795018:46
openstackgerritDavid Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/35881218:47
*** dikonoor has quit IRC18:47
*** su_zhang has quit IRC18:49
*** ddieterly[away] is now known as ddieterly18:56
*** haplo37__ has joined #openstack-keystone18:57
openstackgerritMerged openstack/python-keystoneclient: Do not send user ids as payload  https://review.openstack.org/34888119:06
*** lamt has joined #openstack-keystone19:07
*** gagehugo has quit IRC19:13
dstanekamakarov_away: let me know when you are back. i'm wondering if we need to try to implement hard/soft invalidation or just complete descructive invalidation like i'm doing19:13
*** Ephur has quit IRC19:18
*** su_zhang has joined #openstack-keystone19:19
notmorgandstanek: fwiw, i think you can probably get away with just supplying a smarter key mangler19:21
dstaneknotmorgan: my last review does that, but still needed a custom invalidate method. i could do it via the new interface though19:24
dstaneknotmorgan: https://review.openstack.org/#/c/358812/1/keystone/common/cache/core.py19:24
notmorgandstanek: i would much much rather not see a subclass of region need to be implemented just for this19:25
dstaneknotmorgan: then i have to use the new interface19:25
notmorgani would much prefer that if we could19:25
*** su_zhang has quit IRC19:26
dstaneknotmorgan: halfway through testing that option19:26
notmorgani do get we might need what you've implemented here for backporting19:26
* notmorgan nods.19:26
*** haplo37__ has quit IRC19:26
notmorganfwiw, i wont block this implementation, just trying to limit the level of stuff we have to carry/override19:27
*** david-lyle has joined #openstack-keystone19:30
*** markvoelker has joined #openstack-keystone19:32
openstackgerritDavid Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions  https://review.openstack.org/35882619:33
*** markvoelker_ has joined #openstack-keystone19:34
dstaneknotmorgan: here is the other impl https://review.openstack.org/#/c/358826/1/keystone/common/cache/core.py19:34
dstanekthe worry there was backporting19:34
dstanekit would require older keystone installations to update their dogpile.cache19:35
*** markvoelker has quit IRC19:37
*** rcernin has joined #openstack-keystone19:41
*** david-lyle has quit IRC19:42
*** sdake has joined #openstack-keystone19:42
*** david-lyle has joined #openstack-keystone19:46
*** markvoelker has joined #openstack-keystone19:48
*** markvoelker_ has quit IRC19:51
*** asettle has joined #openstack-keystone19:59
*** asettle has quit IRC19:59
*** tonytan4ever has quit IRC19:59
*** tonytan4ever has joined #openstack-keystone20:00
*** ayoung has joined #openstack-keystone20:03
*** ChanServ sets mode: +v ayoung20:03
*** ddieterly is now known as ddieterly[away]20:05
*** su_zhang has joined #openstack-keystone20:08
*** tqtran has quit IRC20:09
*** ddieterly[away] is now known as ddieterly20:12
*** tqtran has joined #openstack-keystone20:13
*** markvoelker has quit IRC20:14
*** sdake has quit IRC20:21
dstanekzzzeek: thoughts on this nugget of goodness when you have a few https://review.openstack.org/#/c/358826/1/keystone/common/cache/core.py20:28
*** sdake has joined #openstack-keystone20:35
*** david-lyle has quit IRC20:38
*** david-lyle has joined #openstack-keystone20:39
*** ddieterly has quit IRC20:43
*** david-lyle has quit IRC20:44
*** david-lyle_ has joined #openstack-keystone20:44
*** david-lyle_ has quit IRC20:44
*** chrisshattuck has joined #openstack-keystone20:54
*** chrisshattuck has quit IRC20:55
*** chrisshattuck has joined #openstack-keystone20:56
*** chrisshattuck has quit IRC20:56
*** atod has joined #openstack-keystone20:57
*** chrisshattuck has joined #openstack-keystone20:57
*** raildo has quit IRC20:58
*** dgonzalez has quit IRC21:01
*** atod has quit IRC21:01
*** dgonzalez has joined #openstack-keystone21:03
notmorgandstanek: ... i think i already fixed 1609566   at one point21:03
notmorganthis feels super familiar21:03
notmorganlike... i already debugged it?21:03
*** julim has quit IRC21:05
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/35687221:08
openstackgerritMerged openstack/keystone: Create unit tests for the policy drivers  https://review.openstack.org/21295721:09
*** chrisshattuck has quit IRC21:10
notmorganoh.21:12
notmorganHah21:12
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561821:12
notmorgani am almost positive i know exactly what is the cause the the keywords must be strings21:12
notmorganrolling a fix now.21:12
lbragstaddolphm checkout the last test I added here - https://review.openstack.org/#/c/355618/11/keystone/tests/unit/test_sql_upgrade.py21:13
lbragstaddolphm per our discussion early21:13
lbragstadthat passes for me locally21:13
dolphmlbragstad: looking21:13
dolphmlbragstad: what's up with this patch btw? https://review.openstack.org/#/c/317169/21:16
dolphmlbragstad: same commit summary21:16
lbragstaddolphm ah - i ended up working the bits we were going to keep into a separate commit - i must have forgot to update the change-id of nonameentername's patch when i submitted21:17
*** gagehugo has joined #openstack-keystone21:19
*** david-lyle_ has joined #openstack-keystone21:19
notmorgandolphm, ayoung: ugh I can't ever seem to remember atm "continue" or "next" -- hazards of working with multiple languages :P21:21
ayoungnotmorgan, what tool?21:21
ayounggit rebase --continue?21:22
notmorganayoung: no in python21:23
notmorganayoung: in loops21:23
notmorgansome languages use "continue" some are "next" etc21:23
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Support domain-specific configuration management  https://review.openstack.org/35877021:25
notmorganayoung: somehow I got roped into looking at cache code again21:26
dolphmlbragstad: is the credential_migrate command still useful?21:27
lbragstaddolphm I think we will still need that for operators to make sure all credentials encrypted with the same key before rotating credential keys21:28
dolphmlbragstad: ooooh21:29
lbragstadin other words - make sure all credentials are migrated to the latest primary key before doing a rotation to make sure we don't get rid of a secondary key that is still needed to decrypt a credential21:29
dolphmlbragstad: gotcha21:31
lbragstaddolphm i have a section on that in the docs for credential encryption21:32
*** Ephur has joined #openstack-keystone21:33
*** david-lyle_ has quit IRC21:34
*** adriant has joined #openstack-keystone21:35
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561821:37
zzzeekdstanek: does it work ?21:38
*** edtubill has quit IRC21:40
openstackgerritMorgan Fainberg proposed openstack/keystone: Filter data when deserializing RevokeEvents  https://review.openstack.org/35887221:40
notmorganstevemar, dstanek: ^ cleanup bad serialization if it occurs21:41
dolphmlbragstad: i think you need more triggers and more complicated triggers :(21:46
lbragstaddolphm outside of the 3 in the 002 expand script?21:48
dolphmlbragstad: yeah...21:48
dolphmlbragstad: you need to block both INSERTs and UPDATEs, right?21:49
lbragstaddolphm oh - good point21:49
lbragstadi didn't think about that21:49
dolphmlbragstad: which means your data migration step will be rejected21:49
*** pauloewerton has quit IRC21:49
lbragstaddolphm ah21:50
dolphmlbragstad: which means you need more complicated triggers21:50
*** markvoelker has joined #openstack-keystone21:52
lbragstadhmmm21:54
*** lamt has quit IRC21:55
dolphmlbragstad: just posted a review with what i was thinking21:57
lbragstaddolphm sweet - thanks for the review22:05
*** jdennis has quit IRC22:09
*** edmondsw has quit IRC22:10
*** bigdogst_ has joined #openstack-keystone22:10
*** jdennis has joined #openstack-keystone22:10
*** bigdogst_ has quit IRC22:14
*** spedione is now known as spedione|AWAY22:15
*** jamielennox|away is now known as jamielennox22:15
*** itisha has quit IRC22:20
*** slberger has left #openstack-keystone22:32
jamielennoxstevemar: wow, wo https://review.openstack.org/#/c/357633/ has a +A already22:35
jamielennoxstevemar: i was going to check with you, dtroyer_zz, and mordred if you think it's sufficient to have just two additional components to the user_agent22:36
jamielennoxto me that's the basic, nova/X glanceclient/X keystoneauth...22:36
*** david-lyle_ has joined #openstack-keystone22:37
jamielennoxbut i'm wondering if there's ever a need for more there, do we want to report an os-c-c version, or an osc-lib version?22:37
jamielennoxor anything else22:37
*** markvoelker has quit IRC22:39
*** tqtran has quit IRC22:41
*** tqtran has joined #openstack-keystone22:44
*** IgorYozhikov has joined #openstack-keystone22:45
IgorYozhikovHi, I have a question about openstackclient v3.x.x22:45
IgorYozhikovhow could help me22:45
IgorYozhikovI faced issues with token auth22:46
IgorYozhikovwhen I'm trying to query keystone using python-openstackclient v 3.0.0 || 3.0.1 - I see this: openstack --os-token=ADMIN --os-url=http://127.0.0.1:35357/v3 user list22:47
IgorYozhikovMissing parameter(s):22:47
IgorYozhikovSet a username with --os-username, OS_USERNAME, or auth.username22:47
IgorYozhikovSet an authentication URL, with --os-auth-url, OS_AUTH_URL or auth.auth_url22:47
IgorYozhikovand when I'm switching back to v2.6.0 - everything works fine22:48
*** david-lyle has joined #openstack-keystone22:49
*** BjoernT has quit IRC22:52
*** david-lyle_ has quit IRC22:52
*** Ephur has quit IRC22:53
*** dkehn_ has quit IRC22:55
*** hockeynut has quit IRC23:00
*** asettle has joined #openstack-keystone23:02
*** david-lyle has quit IRC23:02
*** dkehn_ has joined #openstack-keystone23:08
*** asettle has quit IRC23:10
*** ravelar has quit IRC23:11
*** hockeynut has joined #openstack-keystone23:14
mordredjamielennox: I don't think we need to report an os-c-c version23:15
mordredjamielennox: ksa seems to be the most important thing, and/or novaclient and friends if they are driving ksa23:15
mordredjamielennox: I could see an argument for reportin osc-lib or shade if those are driving *client23:16
jamielennoxmordred: i thought it was being a little pedantic, it's just annoying if as soon as we start using these features someone tells me they want more stuff in it23:16
mordredjamielennox: although I'm obviously not passing you anything from shade at the moment to make that actually do anything23:16
mordredjamielennox: so ....23:16
jamielennoxactually yea, i could see shade being useful23:16
mordredjamielennox: I may not be tracking teh whole thing ... what's the feature?23:16
*** sdake has quit IRC23:16
jamielennoxwith like an ansible version or something23:17
mordredyah23:17
*** michauds has quit IRC23:17
jamielennoxmordred: so we've needed a better way to do user-agent generation for a while23:17
jamielennoxhttps://review.openstack.org/#/c/357633/  adds a service_name, service_version to the session23:17
mordredoh! I see the patch23:17
jamielennoxand a client_name, client_version in the adapter23:17
jamielennoxclients make the adapter internally so can fill that out23:17
jamielennoxand which ever service creates the session can fill that part out23:18
jamielennoxthen we get a useful user agent23:18
jamielennoxi'm not a fan of sean's thing that tries to figure out the current process name from a stack23:18
mordredI'm not sure I'd be a fan of that either23:19
openstackgerritMerged openstack/keystone: Add entrypoint for mapped auth method  https://review.openstack.org/35815923:19
mordredjamielennox: so - in your current patch, I assume I'd pass shade to service_name and shade.__version__ to service_version?23:20
mordredjamielennox: (of session)23:20
jamielennoxyea, but shade is interesting because you might want to pass what created shade23:20
jamielennoxmy scenarios were basically to end up with nova/X glanceclient/Y keystonauth/Z23:21
jamielennoxand openstackclient would be the same23:21
mordredyah - but we could end up with nodepool/X shade/Y novaclient/Z keystoneauth/bunny23:21
jamielennoxbut i want to figure out if i need to put an extensible list in there instead of just service_name, service_version23:21
mordredI could totally grok a desire for a stack23:21
mordredand also a desire for not a stack23:21
mordredi'm definitely interested in passing along info once there is a thing to pass it along to23:22
mordredI suppose you could end up with a similar thing for CLIs - osc/X osc_lib/Y novaclient/Z ksa/bunny ... and nova/X novaclient/X ksa/bunny23:22
jamielennoxso the other thing i could do is just add an additional_user_agent list to the session and shade or whatever could add to it manually23:22
mordred(which would give a sense as to whether or not someone is using the nova cli or the novaclient lib)23:23
jamielennoxright - that's my question - do we care about osc_lib version in a user-agent? or shade in the user-agent?23:23
mordreddunno23:23
jamielennoxneither :)23:23
mordred:)23:23
mordredso - shade does contain logic around things, as I think does osc_lib23:24
jamielennoxanything is better than now, just don't want to rewrite it again in a few months and have two ways to do it23:24
mordredso honestly information as to whether an issue is being caused by shade trying to be too smart23:24
mordredmight be useful23:24
mordred"zomg why does list_servers get called so much??? oh, shade"23:24
jamielennoxyea, but do we thing the user agent is the place for that? if you have the server version that called it and probably the originating IP would we expect ops to just go and figure this stuff out23:25
*** tonytan4ever has quit IRC23:25
mordredpossibly - BUT - there's all these appdev folks writing shade things now23:25
*** dkehn_ has quit IRC23:25
mordredshould their programs report "my_fun_script"? or "shade"23:25
mordredand then would we like to see "my_fun_script shade" and "my_other_fun_script openstacksdk"? ... like, do we learn anything?23:26
jamielennoxprobably my_fun_script23:26
mordred(totally just tlaking out loud)23:26
jamielennoxi expect we'd need to make shade and osc_lib take a server_name, server_version parameter that they pass to ksa23:26
jamielennoxbut yea, at that point shade is probably a useful thing to have in the user-agent23:27
mordredyah23:27
mordredso - if we wanted to be minimal ... I could take service_name|version in shade ... and then pass along if I get something, or pass shade if I don't23:28
mordredso most one-off scripts would just show "shade"23:28
mordredbut ansible and nodepool would show ansible and nodepool23:28
mordredsince those are big enough to bother23:28
jamielennoxso the original case for this was once we went to keystoneauth everyone just had the ksa user agent string, which meant when you had some service hammering for tokens you didn't know what it was23:28
jamielennoxpassing shade is better but still obstructs what's doing the calling23:29
mordredyah23:29
mordredI think you're selling me ona stack :)23:29
mordredI think there are overlapping things to learn23:29
jamielennoxyea, i think a list as well, just need to figure out a nice way to pass that23:30
mordredlike, shade makes a ton of calls to get extra_specs for flavors when it does a flavor list ... that's a shade excess ... not a user script nor a novaclient23:30
mordredso fi that was a problem for folks, seeing "my_fun_script" would not help figure out23:30
jamielennoxi don't think you'd want to change user_agent per request, but seeing shade in there is useful23:31
*** sdake has joined #openstack-keystone23:33
mordredwell, if novaclient made an adapter, and glanceclient made an adapter23:34
mordredand I pass shade to the session23:34
mordredthen we should get novaclient+shade and glanceclient+shade naturally, right?23:34
jamielennoxyea23:34
jamielennoxi meant there's no way you would want to drop the my_fun_script part for requests that are internal to shade23:35
mordredoh - yeah. totally agree23:35
mordredthat's still the originator, even if it doesn't know it23:35
mordredhere's a weird question for you ...23:35
mordred(trying to pull out the most curveball thing I can)23:36
mordredat some point in the not too distant future we'll start replacing python*client with either sdk or just ksa adapter23:36
mordredbut it'll be piecemeal23:36
mordredso I suppose that means we could have "my_fun_script shade(session) shade(adapter) ksa"23:37
*** su_zhang has quit IRC23:37
mordredand maybe that's fine?23:37
jamielennoxi haven't looked at sdk for a while23:37
jamielennoxboth the service_name and client_name stuff are added to the user-agent if they're available23:38
*** su_zhang has joined #openstack-keystone23:38
jamielennoxso you'd probably drop the adapter part if you weren't using a client23:38
*** dkehn_ has joined #openstack-keystone23:38
jamielennoxbut for SDK, sdk would always be the client/adapter23:38
jamielennoxif you go direct to an adapter then using shade as the adapter would make sense23:39
mordredand just drop service_name in that case23:39
jamielennoxclient=adapter from a ksa sense23:39
mordredwe should probably write a document that explains client, service, etc. :)23:39
jamielennoxwell service is probably my_fun_script which could therefore do with a better name23:39
* mordred imagines telling someone "go read the IRC log from that chat jamielennox and I had ...23:40
jamielennoxand then have them try to parse the above23:40
mordredas long as we don't have server AND service ...23:40
mordredjamielennox: you could just called them "adapter_agent" and "session_agent" and "$something_agent" :)23:42
jamielennoxwell session_agent is now a list of tuples23:43
jamielennoxthough maybe we do go back to the additional_agent list and leave service_agent and service_version alone23:44
*** Gorian|work has quit IRC23:44
jamielennoxi know, and will probably end up writing, the only things that would ever expect to use additional_agent23:44
mordred:)23:45
jamielennoxbut service_name and service_version should probably be app_name and app_version or somethign23:45
ayoungIgorYozhikov, sometimes the error reporting is spotty.  I wonder if something else is failing and it isjust reporting the first thing, which is the username23:48
IgorYozhikovayoung, I need to use token based auth and can't23:48
IgorYozhikovI found similar error message in a bug and add my comments there - https://bugs.launchpad.net/python-openstackclient/+bug/161511023:49
openstackLaunchpad bug 1615110 in python-openstackclient "Incorrect usage message" [Undecided,New]23:49
ayoungIgorYozhikov, did setting OS_CLOUD work for you?23:52
*** sdake has quit IRC23:55
IgorYozhikovayoung, it is require to setup clouds.yaml file with additional parameters including password. Also this will lead to changes in puppet code too. According to documentation using token auth method with set up OS_TOKEN and OS_URL takes precedence over authentication plugins.23:55
ayoungIgorYozhikov, did you find a successful way to auth?23:56
IgorYozhikovayoung, frankly - no23:56
IgorYozhikovI switched back to 2.6.023:57
IgorYozhikovand it works fine23:57
ayoungIgorYozhikov, even with V3 Keystone API?23:57
*** Marcellin_ has quit IRC23:57
IgorYozhikovyep23:57
openstackgerritJamie Lennox proposed openstack/keystoneauth: Allow specifying client and service info to user_agent  https://review.openstack.org/35763323:57
jamielennoxmordred, stevemar, dtroyer_zz: ^^23:57
IgorYozhikov openstack --os-token=ADMIN --os-url=http://127.0.0.1:35357/v3 user list -f value -c Name23:58
IgorYozhikovadmin23:58
« Sunday, 2016-08-21 Index Tuesday, 2016-08-23 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!