Friday, 2016-08-26

*** roxanaghe has quit IRC		00:02
*** esp has joined #openstack-keystone		00:09
*** tqtran_ has quit IRC		00:11
*** ddieterly has joined #openstack-keystone		00:18
*** david-lyle has quit IRC		00:21
*** tqtran has joined #openstack-keystone		00:24
*** jistr has quit IRC		00:27
*** tonytan4ever has quit IRC		00:28
*** gyee has quit IRC		00:28
*** jistr has joined #openstack-keystone		00:30
*** su_zhang has quit IRC		00:30
*** dikonoor has joined #openstack-keystone		00:31
dstanek	lbragstad: nice, i'll take a look in a bit	00:42
dstanek	bknudson: jamielennox:if y'all stop giving me a hard time about federation in Python then you won't need apache :-P	00:43
jamielennox	dstanek: heh - that's not really what i'm going for here	00:45
*** Ephur has joined #openstack-keystone		00:46
dstanek	jamielennox: you opened the door... i just walked through	00:46
jamielennox	dstanek: out of interest removing apache is not a goal of your saml stuff right?	00:48
jamielennox	ie something RAX wants to do?	00:48
*** tqtran has quit IRC		00:57
dstanek	jamielennox: it's really just about getting rid of shib or mellon	01:00
dstanek	the desire is to have a much more dynamic way to control the federation configuration	01:01
*** tqtran has joined #openstack-keystone		01:08
breton	dstanek: is shibd still required?	01:10
dstanek	breton: nope	01:11
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/359513	01:11
*** dikonoor has quit IRC		01:15
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/359514	01:16
*** chlong has joined #openstack-keystone		01:18
*** code-R has joined #openstack-keystone		01:19
*** zouyapeng has joined #openstack-keystone		01:22
*** Ephur has quit IRC		01:29
*** ddieterly has quit IRC		01:31
*** davechen has joined #openstack-keystone		01:31
*** wangqun has joined #openstack-keystone		01:33
*** cheran has quit IRC		01:35
*** tonytan4ever has joined #openstack-keystone		01:35
*** tqtran has quit IRC		01:39
*** tonytan4ever has quit IRC		01:40
*** roxanaghe has joined #openstack-keystone		01:46
*** ddieterly has joined #openstack-keystone		01:48
*** jamielennox is now known as jamielennox\|away		01:50
*** roxanaghe has quit IRC		01:50
*** code-R_ has joined #openstack-keystone		01:50
*** code-R has quit IRC		01:53
*** Gorian has quit IRC		01:54
*** EinstCrazy has joined #openstack-keystone		01:54
openstackgerrit	Nam Nguyen Hoai proposed openstack/keystone: Cleaning imports in code https://review.openstack.org/360228	01:59
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor audit tests to use create_middleware https://review.openstack.org/336971	02:00
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Use oslo_messaging conf fixture https://review.openstack.org/336970	02:00
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Extract oslo_messaging specific audit tests https://review.openstack.org/334296	02:00
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Return and use an app wherever possible https://review.openstack.org/336972	02:00
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Use the mocking fixture in notifier tests https://review.openstack.org/334295	02:00
*** jamielennox\|away is now known as jamielennox		02:00
*** EinstCra_ has joined #openstack-keystone		02:01
*** ddieterly has quit IRC		02:04
*** EinstCrazy has quit IRC		02:05
*** sdake_ has joined #openstack-keystone		02:08
stevemar	o/	02:08
*** guoshan has joined #openstack-keystone		02:11
*** xiaoyang has joined #openstack-keystone		02:11
*** sdake has quit IRC		02:12
*** sdake_ has quit IRC		02:17
*** ddieterly has joined #openstack-keystone		02:19
*** sdake has joined #openstack-keystone		02:19
openstackgerrit	Merged openstack/keystone: Reduce log level of Fernet key count message https://review.openstack.org/359941	02:22
*** sdake has quit IRC		02:23
*** guoshan has quit IRC		02:26
*** sdake has joined #openstack-keystone		02:29
*** lamt has joined #openstack-keystone		02:32
*** ddieterly has quit IRC		02:34
*** su_zhang has joined #openstack-keystone		02:34
*** EinstCrazy has joined #openstack-keystone		02:36
*** EinstCra_ has quit IRC		02:39
*** ddieterly has joined #openstack-keystone		02:46
*** roxanaghe has joined #openstack-keystone		02:46
*** bigdogstl has joined #openstack-keystone		02:46
*** ddieterly has quit IRC		02:46
*** mjb has quit IRC		02:47
*** rm_work has quit IRC		02:48
*** mjb has joined #openstack-keystone		02:49
*** roxanaghe has quit IRC		02:50
*** bigdogstl has quit IRC		02:51
*** rm_work has joined #openstack-keystone		02:52
*** ntpttr has quit IRC		02:53
*** rakhmerov has quit IRC		02:55
*** brad[] has quit IRC		02:55
*** briancline has quit IRC		02:55
*** bigdogstl has joined #openstack-keystone		02:56
*** jamielennox is now known as jamielennox\|away		02:56
*** briancline has joined #openstack-keystone		02:57
*** ntpttr has joined #openstack-keystone		03:00
*** bigdogstl has quit IRC		03:01
xiaoyang	The api access will be slow When a memcache server is down, if keystone use memcache_pool.	03:03
openstackgerrit	Merged openstack/keystone: Removes old, unused code https://review.openstack.org/360561	03:03
*** rakhmerov has joined #openstack-keystone		03:04
*** jamielennox\|away is now known as jamielennox		03:10
jamielennox	stevemar: so what's with library-freeze?	03:11
jamielennox	we can't push anything to libs?	03:11
stevemar	jamielennox: probably not for a little, yeah	03:11
stevemar	jamielennox: last thing we want to do it merge a big chunk of code, and then realize we have a bug we need to fix	03:12
jamielennox	how come? i don't remember this from previous cycles	03:12
jamielennox	i realize we're not going to get a new release this cycle	03:12
jamielennox	or small chunk that screws things up :)	03:12
*** sdake has quit IRC		03:12
stevemar	jamielennox: for the record ksa and ksm are freezing this week, and ksc is freezing next week	03:12
stevemar	jamielennox: i think we just need to wait until the stable/newton branches are created, shouldn't take long after freeze	03:13
*** sdake has joined #openstack-keystone		03:13
stevemar	then we can merge like caaarazy	03:13
*** brad[] has joined #openstack-keystone		03:13
jamielennox	stevemar: yea, its fine - i have things i want but nothing that is burning, i just remember us not releasing but i don't think we froze previously	03:13
*** code-R_ has quit IRC		03:14
*** adu has joined #openstack-keystone		03:14
stevemar	jamielennox: i don't recall, but i think we "froze" for a few days last dev cycle too	03:14
jamielennox	ok	03:14
stevemar	bah, forgot to release new pycadf	03:16
stevemar	just requirement bumps anyway	03:20
*** zhangyi has joined #openstack-keystone		03:28
*** adu has quit IRC		03:32
*** chlong has quit IRC		03:37
*** adu has joined #openstack-keystone		03:39
*** dikonoor has joined #openstack-keystone		03:46
*** roxanaghe has joined #openstack-keystone		03:47
*** su_zhang has quit IRC		03:49
*** su_zhang has joined #openstack-keystone		03:49
*** roxanaghe has quit IRC		03:51
*** su_zhang has quit IRC		03:54
*** sdake has quit IRC		03:56
*** links has joined #openstack-keystone		04:07
*** chlong has joined #openstack-keystone		04:10
*** su_zhang has joined #openstack-keystone		04:15
*** sheel has joined #openstack-keystone		04:20
dstanek	xiaoyang: ?	04:21
*** sdake has joined #openstack-keystone		04:22
*** esp has quit IRC		04:33
*** jaosorior has joined #openstack-keystone		04:46
*** tonytan4ever has joined #openstack-keystone		04:52
*** code-R has joined #openstack-keystone		04:56
*** tonytan4ever has quit IRC		04:57
*** su_zhang has quit IRC		04:58
*** su_zhang has joined #openstack-keystone		04:59
*** gb21 has quit IRC		05:01
*** code-R has quit IRC		05:01
*** code-R has joined #openstack-keystone		05:02
*** su_zhang has quit IRC		05:03
*** Gorian has joined #openstack-keystone		05:06
*** code-R has quit IRC		05:06
*** code-R has joined #openstack-keystone		05:11
*** roxanaghe has joined #openstack-keystone		05:18
*** chlong has quit IRC		05:21
*** roxanaghe has quit IRC		05:22
*** richm has quit IRC		05:39
*** code-R has quit IRC		05:40
*** code-R has joined #openstack-keystone		05:41
*** gb21 has joined #openstack-keystone		05:42
*** code-R has quit IRC		05:46
*** gb21 has quit IRC		05:47
*** code-R has joined #openstack-keystone		05:47
*** adu has quit IRC		05:57
*** EinstCra_ has joined #openstack-keystone		05:59
*** EinstCrazy has quit IRC		06:03
*** code-R has quit IRC		06:16
openstackgerrit	Anh Tran proposed openstack/keystone: TrivialFix: Remove logging import unused https://review.openstack.org/360915	06:21
*** rcernin has joined #openstack-keystone		06:25
*** bjolo has quit IRC		06:30
*** bjolo has joined #openstack-keystone		06:31
*** EinstCra_ has quit IRC		06:36
*** EinstCrazy has joined #openstack-keystone		06:37
*** tesseract- has joined #openstack-keystone		06:44
*** adriant has quit IRC		06:53
*** roxanaghe has joined #openstack-keystone		07:06
*** roxanaghe has quit IRC		07:10
*** jaosorior is now known as jaosorior_brb		07:22
*** asettle has joined #openstack-keystone		07:23
*** asettle has quit IRC		07:28
*** anteaya has quit IRC		07:38
*** zzzeek has quit IRC		08:00
openstackgerrit	Dave Chen proposed openstack/keystone: Handle the exception from creating access token properly https://review.openstack.org/359795	08:00
*** zzzeek has joined #openstack-keystone		08:00
*** sdake has quit IRC		08:05
*** sdake has joined #openstack-keystone		08:05
*** zhangyi has quit IRC		08:06
*** zhangyi has joined #openstack-keystone		08:07
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	08:10
*** openstackgerrit has quit IRC		08:18
*** openstackgerrit has joined #openstack-keystone		08:18
*** amakarov_away is now known as amakarov		08:21
*** asettle has joined #openstack-keystone		08:38
*** asettle has quit IRC		08:38
*** asettle has joined #openstack-keystone		08:39
*** tqtran has joined #openstack-keystone		08:39
*** tqtran has quit IRC		08:43
*** sdake has quit IRC		08:48
*** jpena_ has joined #openstack-keystone		08:48
*** roxanaghe has joined #openstack-keystone		08:54
*** tonytan4ever has joined #openstack-keystone		08:54
*** marekd2 has joined #openstack-keystone		08:54
*** tonytan4ever has quit IRC		08:58
*** roxanaghe has quit IRC		08:59
*** jaosorior_brb is now known as jaosorior		08:59
*** jhesketh has quit IRC		09:06
*** gus has quit IRC		09:06
*** darrenc has quit IRC		09:06
openstackgerrit	venkatamahesh proposed openstack/keystone: Fix the Attribute ERROR https://review.openstack.org/361005	09:06
*** darrenc has joined #openstack-keystone		09:06
*** gus has joined #openstack-keystone		09:08
*** jhesketh has joined #openstack-keystone		09:09
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/361017	09:11
*** gb21 has joined #openstack-keystone		09:13
*** gb21 has quit IRC		09:26
*** ddeja has joined #openstack-keystone		09:33
ddeja	Hi, I'm creating a keystoneclient based on trust id. Then from this client I'm getting the auth_token. Then I'm trying to re-create the keystone client based on this auth_token, but I get 403 from keystone service. What I am doing wrong?	09:35
*** gb21 has joined #openstack-keystone		09:38
amakarov	ddeja, Hi. New client tries to auth using the token you pass, i.e. exchange the token for a new one. Since it's trust scoped token it can't be exchanged for regular one for security reasons.	09:40
ddeja	amakarov: thanks. I'm passing the auth_token through the RPC. I should pass the trust_id instead?	09:43
ddeja	and create the client one I really need to use it? (get endpoints in my case)	09:43
amakarov	ddeja, if it's possible, use the client created using trust	09:45
*** xek has joined #openstack-keystone		09:47
*** xek has quit IRC		09:47
*** xek has joined #openstack-keystone		09:48
ddeja	amakarov: I see. OK, thank you very much. I was wondering since yesterday why I cannot create new keystone client, but now I understand	09:48
amakarov	ddeja, yw	09:49
openstackgerrit	Alexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager https://review.openstack.org/360735	09:53
*** code-R has joined #openstack-keystone		09:53
openstackgerrit	Merged openstack/keystone: Cleaning imports in code https://review.openstack.org/360228	09:54
openstackgerrit	henry-nash proposed openstack/keystone: Update developer docs for new rolling upgrade repos https://review.openstack.org/359383	09:55
*** gb21 has quit IRC		09:55
*** code-R_ has joined #openstack-keystone		09:59
*** NishaYadav has joined #openstack-keystone		10:01
*** code-R has quit IRC		10:02
*** davechen has left #openstack-keystone		10:09
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	10:10
*** richm has joined #openstack-keystone		10:11
*** code-R has joined #openstack-keystone		10:15
*** code-R_ has quit IRC		10:15
*** xiaoyang has quit IRC		10:20
*** EinstCrazy has quit IRC		10:22
*** EinstCrazy has joined #openstack-keystone		10:22
*** EinstCrazy has quit IRC		10:27
*** roxanaghe has joined #openstack-keystone		10:42
*** gb21 has joined #openstack-keystone		10:45
*** roxanaghe has quit IRC		10:47
*** gb21 has quit IRC		10:53
*** wangqun has quit IRC		10:53
*** code-R_ has joined #openstack-keystone		11:00
*** maestropandy has joined #openstack-keystone		11:01
*** code-R has quit IRC		11:02
*** NishaYadav has quit IRC		11:10
openstackgerrit	Dave Chen proposed openstack/keystone: WIP - Handle the exception from creating request token properly https://review.openstack.org/361087	11:10
openstackgerrit	Pierre-André MOREY proposed openstack/keystone: Fix some typos in comments https://review.openstack.org/361091	11:16
*** kickinz1 has joined #openstack-keystone		11:22
*** kickinz1 is now known as pmorey		11:29
*** pmorey is now known as kickinz1		11:30
*** asettle has quit IRC		11:32
*** gb21 has joined #openstack-keystone		11:47
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: [WIP] Move fernet utils to backend https://review.openstack.org/356499	11:53
*** ddeja has left #openstack-keystone		11:53
*** jaosorior has quit IRC		11:53
*** jaosorior has joined #openstack-keystone		11:54
*** tonytan4ever has joined #openstack-keystone		11:55
*** tonytan4ever has quit IRC		12:00
*** jpena_ is now known as jpena\|lunch		12:01
*** gb21_ has joined #openstack-keystone		12:05
*** gb21_ has quit IRC		12:06
*** gb21 has quit IRC		12:06
*** tonytan4ever has joined #openstack-keystone		12:09
*** asettle has joined #openstack-keystone		12:10
samueldmq	morning keystone	12:13
dstanek	morning samueldmq	12:13
samueldmq	dstanek: o/	12:13
*** pece has joined #openstack-keystone		12:16
*** gb21 has joined #openstack-keystone		12:20
*** maestropandy has quit IRC		12:22
*** code-R_ has quit IRC		12:23
*** code-R has joined #openstack-keystone		12:25
*** pauloewerton has joined #openstack-keystone		12:26
*** code-R has quit IRC		12:27
*** code-R has joined #openstack-keystone		12:28
*** roxanaghe has joined #openstack-keystone		12:30
*** kickinz1 has quit IRC		12:32
*** zhangyi has quit IRC		12:34
*** woodster_ has joined #openstack-keystone		12:34
*** roxanaghe has quit IRC		12:35
*** nkinder has joined #openstack-keystone		12:37
*** gb21 has quit IRC		12:38
*** jed56 has joined #openstack-keystone		12:40
*** tqtran has joined #openstack-keystone		12:41
*** kickinz1 has joined #openstack-keystone		12:44
*** kickinz1 has quit IRC		12:44
*** kickinz1 has joined #openstack-keystone		12:44
*** tqtran has quit IRC		12:45
samueldmq	dstanek: ping - got some questions on keystone & memcached	12:50
samueldmq	or breton ^	12:51
*** EinstCrazy has joined #openstack-keystone		12:51
breton	samueldmq: shoot	12:51
samueldmq	breton: so, let's say we have a single keystone server, running 2 processes	12:52
samueldmq	and a memcache server running in a separate host	12:52
dstanek	samueldmq: what's up?	12:52
samueldmq	dstanek: ^	12:52
samueldmq	when one of the processes delete something and invalidates the cache	12:53
samueldmq	when we say "invalidates the cache": does the process invalidate its internal cache (process cache), or something in memcache?	12:53
dstanek	samueldmq: with my patch, memcached	12:53
samueldmq	I can't see how that would be an issue to the other process, if the value in the memcache, changed	12:53
dstanek	dogpile itself does only process specific invalidation (this is completely unexpected IME)	12:54
samueldmq	dstanek: ok, but even with the same key always, doesn't the other process always go to the memcache server?	12:54
dstanek	samueldmq: yes	12:54
samueldmq	dstanek: thus it would be getting the new value set by the other process	12:54
samueldmq	(I am talking about the old way)	12:54
breton	samueldmq: "invalidate the cache in region" does not change things in memcached	12:55
dstanek	samueldmq: region invalidation in dogpile doesn't update the memcached server IIRC	12:55
dstanek	it's also technically not even process based. it's based on the instance of the CacheRegion class. so you can have two instance with the same name where the invalidation of one doesn't effect the other	12:56
dstanek	samueldmq: your questions reflect the WTF moment I had while debugging this. the behavior doesn't make any sense.	12:56
samueldmq	dstanek: hehe	12:56
samueldmq	dstanek: so, we have a keystone process, and that process has a local process cache, that reflects (or not) what's in the memcache server	12:57
samueldmq	is this right?	12:57
dstanek	samueldmq: not exactly	12:57
samueldmq	I am wondering where the incosistence occurs	12:57
breton	samueldmq: invalidation in dogpile.cache is this: https://bitbucket.org/zzzeek/dogpile.cache/src/669582c2e5bf12b1303f50c4b7ba3dad308eb1cc/dogpile/cache/region.py?at=master&fileviewer=file-view-default#region.py-169	12:57
samueldmq	can you give me an example?	12:57
dstanek	the cache region in dogpile asks for a value. that value actually has the expiration and the real value.	12:57
samueldmq	like in a real scenario	12:57
samueldmq	dstanek: yes...	12:58
dstanek	dogpile evaluates that for us. it doesn't actually store things in a local cache	12:58
breton	samueldmq: so invalidation is just setting 2 varibles, that's it.	12:58
dstanek	you would assume that invalidating a region would create that region, but as you can see it doesn't. so other processes can still get the value from the cache	12:58
breton	samueldmq: which are then checked like "value = memcached.get(key); if value.date < invalidated_date: return NO_VALUE"	12:59
samueldmq	ok, but the other process called invalidate	13:00
samueldmq	then invalidated_date is something	13:00
samueldmq	when the other process calls the get, the invalidated_date is set, then NO_VALUE is returned	13:01
dstanek	to make matters worse it seems like people don't understand memcache and deploy a separate instance on each node.	13:01
*** ruoyu has joined #openstack-keystone		13:01
dstanek	samueldmq: the date is only set on the instance	13:01
breton	samueldmq: but in the other process invalidated_date is still None	13:01
samueldmq	dstanek: and each process has an instance of the region?	13:01
breton	samueldmq: yep	13:02
samueldmq	and that region is valid	13:02
dstanek	at least one	13:02
samueldmq	because the name still matches with the memcache server	13:02
samueldmq	so you change the name to make that region invalid, because you can't set invalidate for it	13:02
dstanek	so r0 = Region('test'); r1 = Region('test'); r0.invalidate(); r1's entries won't know about an invalidation	13:03
dstanek	samueldmq: yes, hacking the key value is my solution	13:03
samueldmq	dstanek: so you effectively "delete" the region "test" in the server	13:03
samueldmq	so r1 won't be valid anymore	13:03
dstanek	all instances of the region will get the same extra data for the key and if you change that extra data from any process the region's won't look for that key anymore	13:04
samueldmq	you actually renames it, and the region will be "recreated" for whom is using r1	13:04
dstanek	^ that's my patch	13:04
dstanek	samueldmq: exactly	13:04
samueldmq	WTF	13:04
dstanek	?	13:04
samueldmq	about the default behavior	13:05
samueldmq	so broken	13:05
dstanek	yes, very	13:05
dstanek	where i used to work we took this to the extreme (we didn't use dogpile, just python-memcached)	13:05
samueldmq	dstanek: last thing: so when using a region it checks the region actually exists in the memcache server	13:05
samueldmq	that's why your solution works	13:05
dstanek	a customer may have a list of orders, preferences and other stuff that are cached	13:05
*** jpena\|lunch is now known as jpena_		13:05
dstanek	we would use a customer key to old random data to "invalidate" all customer related things for instance	13:06
dstanek	so by setting the 'customer-1234' key to a new value the data would be refreshed	13:06
dstanek	samueldmq: yep, we always go back the the memcached server for the region info	13:07
samueldmq	dstanek: perfect	13:07
samueldmq	workaround is very smart tbh	13:07
dstanek	samueldmq: there is an alternative proposal by amakarov that uses the same soft/hard invalidation, but uses memcached to store the information instead of the local instance	13:07
dstanek	i like the idea, but it's got a fatal flaw in that the invalidation is stored as a key and could be lost making invalidations useless	13:08
dstanek	in my solution a missing key means the data isn't cached and you have to go back to the source to get it	13:08
samueldmq	kk, so yours is more complete	13:08
samueldmq	I like it (and now fully understand it)	13:08
samueldmq	I just have a few comments there and I am a +2	13:09
samueldmq	dstanek: I can give it an update if you want	13:09
dstanek	samueldmq: great, thanks. i'll take a look	13:09
*** code-R has quit IRC		13:11
*** sdake has joined #openstack-keystone		13:14
*** sdake_ has joined #openstack-keystone		13:15
*** ruoyu has quit IRC		13:15
*** sdake has quit IRC		13:19
samueldmq	dstanek: get_or_create always go to the memcache server, right?	13:21
dstanek	samueldmq: yes, it's just a short cut for the 'v = get(); if not v: v = create(); set(v)' pattern - with protection with a lock	13:22
samueldmq	dstanek: ++	13:22
*** aswadr_ has joined #openstack-keystone		13:28
samueldmq	dstanek: this is probably what was breaking the revocations and making those tempest tests fail with fernet	13:28
samueldmq	at least related to that	13:28
*** anteaya has joined #openstack-keystone		13:29
dstanek	samueldmq: definitely could be. anything that depended on invalidation what essentially broken	13:30
samueldmq	dstanek: yes, and that is a cache issue (disabling cache was "fixing" the issue)	13:30
samueldmq	dstanek: I will rebase 345688 in your change	13:31
*** roxanaghe has joined #openstack-keystone		13:31
samueldmq	and see what happens	13:31
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Switch fernet to be the default token provider. https://review.openstack.org/345688	13:33
samueldmq	lbragstad: ^	13:34
*** roxanaghe has quit IRC		13:36
*** sdake_ has quit IRC		13:37
*** dikonoor has quit IRC		13:38
*** code-R has joined #openstack-keystone		13:38
*** BjoernT has joined #openstack-keystone		13:39
*** BjoernT is now known as Bjoern_zZzZzZzZ		13:39
*** sdake has joined #openstack-keystone		13:40
openstackgerrit	Boris Bobrov proposed openstack/keystone: Faster id mapping lookup https://review.openstack.org/339294	13:40
*** links has quit IRC		13:45
*** Bjoern_zZzZzZzZ is now known as BjoernT		13:46
openstackgerrit	David Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions https://review.openstack.org/349704	13:52
dstanek	samueldmq: ^	13:52
*** ddieterly has joined #openstack-keystone		13:52
*** ddieterly has quit IRC		13:54
*** ddieterly has joined #openstack-keystone		13:55
*** pece has quit IRC		13:56
*** code-R_ has joined #openstack-keystone		14:06
*** thiagolib has quit IRC		14:08
*** code-R has quit IRC		14:08
mfisch	dolphm: lbragstad dstanek good luck guys	14:14
mfisch	http://ir.rackspace.com/phoenix.zhtml?c=221673&p=irol-newsArticle&ID=2197686	14:14
dolphm	mfisch: how do you know about these things before i do?!	14:15
mfisch	I follow Cloud Opinion on Twitter	14:15
mfisch	and I dont mean good luck in a bad way	14:15
dolphm	mfisch: lol thank you	14:16
*** su_zhang has joined #openstack-keystone		14:18
*** michauds has joined #openstack-keystone		14:18
*** kickinz1 has quit IRC		14:19
bknudson	notmorgan: I changed uwsgi to listen on http, then changed my test to go directly to the uwsgi server. No change, still seeing the error.	14:21
bknudson	at least the setup is getting simpler... no threads even.	14:22
bknudson	I'll try to recreate with a single client... that would be even simpler.	14:22
*** slberger has joined #openstack-keystone		14:25
*** auggy has quit IRC		14:26
*** ddieterly has quit IRC		14:26
*** auggy has joined #openstack-keystone		14:26
*** su_zhang has quit IRC		14:28
*** su_zhang has joined #openstack-keystone		14:29
*** jpena_ has quit IRC		14:30
*** roxanaghe has joined #openstack-keystone		14:32
stevemar	o/	14:32
* stevemar can't find his glasses		14:32
*** chlong has joined #openstack-keystone		14:32
openstackgerrit	Marek Denis proposed openstack/keystone: Update mapping schema in the docs. https://review.openstack.org/361252	14:33
*** jpena_ has joined #openstack-keystone		14:33
*** su_zhang has quit IRC		14:33
*** roxanaghe has quit IRC		14:36
bknudson	not seeing any errors with single client.	14:37
*** ravelar has joined #openstack-keystone		14:37
*** ddieterly has joined #openstack-keystone		14:39
*** spedione\|AWAY is now known as spedione		14:43
openstackgerrit	Marek Denis proposed openstack/keystone: Update mapping schema in the docs. https://review.openstack.org/361252	14:43
*** jpena_ has quit IRC		14:49
*** ddieterly is now known as ddieterly[away]		14:51
*** barclaac_ has quit IRC		14:52
*** IgorYozhikov has left #openstack-keystone		14:54
*** barclaac has joined #openstack-keystone		14:55
*** dobson has quit IRC		14:55
openstackgerrit	Mikhail Nikolaenko proposed openstack/python-keystoneclient: Fix missing service_catalog parameter in Client object https://review.openstack.org/339150	14:56
*** HenryG has quit IRC		14:56
*** code-R_ has quit IRC		14:56
*** code-R has joined #openstack-keystone		14:57
*** code-R_ has joined #openstack-keystone		14:58
stevemar	dolphm: lbragstad dstanek also good luck! i love you rackers and hope all changes are for the best	15:00
*** ddieterly[away] is now known as ddieterly		15:00
*** tonytan4ever has quit IRC		15:01
*** jistr is now known as jistr\|call		15:01
*** tonytan4ever has joined #openstack-keystone		15:01
*** HenryG has joined #openstack-keystone		15:01
*** nk2527 has quit IRC		15:02
*** jaugustine has quit IRC		15:02
*** xenogear has quit IRC		15:02
*** gagehugo_ has quit IRC		15:02
*** code-R has quit IRC		15:02
*** hockeynut has joined #openstack-keystone		15:03
*** Gorian\|work has joined #openstack-keystone		15:04
*** rcernin has quit IRC		15:04
*** dobson has joined #openstack-keystone		15:05
*** ddieterly has quit IRC		15:05
*** Gorian\|work has quit IRC		15:07
*** Gorian\|work has joined #openstack-keystone		15:07
*** Gorian\|work has quit IRC		15:08
*** Gorian\|work has joined #openstack-keystone		15:09
*** Gorian\|work has quit IRC		15:09
*** Gorian\|work has joined #openstack-keystone		15:10
*** Gorian\|work has quit IRC		15:10
*** Gorian\|work has joined #openstack-keystone		15:10
*** code-R_ has quit IRC		15:11
*** sdake_ has joined #openstack-keystone		15:11
*** code-R has joined #openstack-keystone		15:11
*** nk2527 has joined #openstack-keystone		15:12
*** gagehugo has joined #openstack-keystone		15:12
*** jistr\|call is now known as jistr		15:12
*** Gorian\|work has quit IRC		15:13
*** Gorian\|work has joined #openstack-keystone		15:14
*** Gorian\|work has quit IRC		15:14
*** Gorian\|work has joined #openstack-keystone		15:14
*** sdake has quit IRC		15:15
*** Gorian\|work has quit IRC		15:15
*** Gorian\|work has joined #openstack-keystone		15:15
*** code-R has quit IRC		15:16
*** xenogear has joined #openstack-keystone		15:16
*** Gorian\|work has quit IRC		15:17
*** Gorian\|work has joined #openstack-keystone		15:17
*** Gorian\|work has quit IRC		15:19
*** Gorian\|work has joined #openstack-keystone		15:19
*** browne has joined #openstack-keystone		15:20
*** Gorian\|work has quit IRC		15:20
*** Gorian\|work has joined #openstack-keystone		15:20
dstanek	mfisch: stevemar: thanks	15:22
lbragstad	dstanek mfisch stevemar ++	15:22
*** Gorian\|work has quit IRC		15:23
*** Gorian\|work has joined #openstack-keystone		15:23
*** Gorian\|work has quit IRC		15:24
*** Gorian\|work has joined #openstack-keystone		15:24
*** gagehugo has quit IRC		15:25
*** Gorian\|work has quit IRC		15:26
*** Gorian\|work has joined #openstack-keystone		15:26
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	15:27
*** michauds has quit IRC		15:27
lbragstad	dolphm ok - that ^ one should pass all tests (i forgot to add the KeyRepository fixture to a few of the tests - which explains why it failed in gerrit)	15:28
*** gagehugo has joined #openstack-keystone		15:29
*** Gorian\|work has quit IRC		15:30
*** Gorian\|work has joined #openstack-keystone		15:30
*** roxanaghe has joined #openstack-keystone		15:33
*** asettle has quit IRC		15:33
*** pcaruana has quit IRC		15:33
*** jaugustine has joined #openstack-keystone		15:37
*** roxanaghe has quit IRC		15:37
*** tesseract- has quit IRC		15:38
*** gyee has joined #openstack-keystone		15:41
*** sheel has quit IRC		15:46
*** ruoyu has joined #openstack-keystone		15:47
*** code-R has joined #openstack-keystone		15:52
*** code-R_ has joined #openstack-keystone		15:53
*** code-R_ has quit IRC		15:55
*** code-R_ has joined #openstack-keystone		15:56
*** code-R has quit IRC		15:56
*** chrisshattuck has joined #openstack-keystone		15:57
*** NishaYadav has joined #openstack-keystone		15:57
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	15:57
NishaYadav	o/	15:57
marekd	stevemar: i have a super easy rev for ya: https://review.openstack.org/#/c/361252/ :-)	15:58
*** michauds has joined #openstack-keystone		15:58
*** jaosorior has quit IRC		15:58
*** tqtran has joined #openstack-keystone		16:07
*** chlong has quit IRC		16:07
*** edtubill has joined #openstack-keystone		16:08
stevemar	marekd: it's on my list ;)	16:10
*** tqtran has quit IRC		16:11
*** Gorian\|work has quit IRC		16:12
*** Gorian\|work has joined #openstack-keystone		16:12
*** mnikolaenko_ has joined #openstack-keystone		16:14
*** chrisshattuck has quit IRC		16:14
*** nkinder has quit IRC		16:15
*** EinstCrazy has quit IRC		16:17
*** itisha has joined #openstack-keystone		16:18
*** chlong has joined #openstack-keystone		16:19
*** hockeynut has quit IRC		16:28
*** ruoyu has quit IRC		16:29
*** roxanaghe has joined #openstack-keystone		16:30
*** chrisshattuck has joined #openstack-keystone		16:34
*** david-lyle has joined #openstack-keystone		16:36
*** rcernin has joined #openstack-keystone		16:44
*** links has joined #openstack-keystone		16:45
*** nkinder has joined #openstack-keystone		16:46
rderose	marekd: I've got a review for you: https://review.openstack.org/#/c/358111/ :)	16:46
*** esp has joined #openstack-keystone		16:52
*** chrisshattuck has quit IRC		16:54
*** marekd2 has quit IRC		16:58
*** marekd2 has joined #openstack-keystone		16:58
*** dikonoor has joined #openstack-keystone		16:58
*** jpena is now known as jpena\|off		16:59
openstackgerrit	Ha Van Tu proposed openstack/keystone: Repair link in Keystone documentation https://review.openstack.org/361033	17:01
*** raildo has quit IRC		17:01
openstackgerrit	Mikhail Nikolaenko proposed openstack/python-keystoneclient: Fix missing service_catalog parameter in Client object https://review.openstack.org/339150	17:01
*** chlong has quit IRC		17:02
*** su_zhang has joined #openstack-keystone		17:03
*** marekd2 has quit IRC		17:03
*** nkinder has quit IRC		17:04
*** slberger has left #openstack-keystone		17:05
stevemar	zzzeek: can you re-ask here so dolphm is looped in ?	17:05
stevemar	i just realized he wasn't in -oslo	17:05
zzzeek	sure	17:05
zzzeek	stevemar: how does https://review.openstack.org/#/c/355618/26 do zero downtime ? it looks like the migration 1. adds new columns 2. migrates existing data from the old to the new columns 3. adds triggers to raise an error if the old columns are written towards. What happens when an old keystone API server is running while this happens ?	17:05
dstanek	zzzeek: it will keep on putting data in the old locations and the triggers/migration will make sure it's in sync	17:06
dstanek	once the data is in sync new code can be run	17:06
dstanek	and then you can start shutting down old code	17:07
zzzeek	dstanek: where is the trigger that makes sure data is in sync?	17:07
dstanek	zzzeek: the expand repo should be adding the trigger and the contract repo should be removing them	17:08
dstanek	zzzeek: https://review.openstack.org/#/c/355618/26/keystone/common/sql/expand_repo/versions/002_add_key_hash_and_encrypted_blob_to_credential.py	17:08
zzzeek	dstanek: I see a lot of triggers that look like they are all intended to raise an error and nothing else	17:08
dstanek	zzzeek: oh right. for that particular one we are doing readonly for the credentials since we can't do encryption via triggers	17:09
dstanek	the same model would be used for other things that can be massaged in triggers	17:10
zzzeek	dstanek: right. So old keystone API is running, trigger gets put in, what happens ?	17:10
dstanek	insert/update for credentials would have an error. i don't remember which one exactly. i was in favor of doing this in policy, but i think the just fail won out	17:11
zzzeek	dstanek: OK so this particular migration is also benefitting from the fact that the old API shouldn't be doing "the thing" anyway, I guess	17:11
dstanek	zzzeek: yes	17:12
zzzeek	stevemar: so yeah this is an even easier trigger :)	17:13
*** ruoyu has joined #openstack-keystone		17:13
zzzeek	hit trigger-> boom.	17:13
stevemar	:)	17:14
*** gagehugo_ has joined #openstack-keystone		17:14
*** ruoyu has quit IRC		17:15
stevemar	zzzeek: the 'created_at' for password one a pinch trickier :P	17:15
zzzeek	stevemar: yeah also that one might not even need a trigger	17:16
stevemar	oh?	17:16
zzzeek	yeah you can just set an insert default here	17:17
stevemar	zzzeek: so, that's what we did in migration 105, but i think there was concern about a race condition	17:17
*** gagehugo_ has quit IRC		17:17
stevemar	(at least i think thats what we did)	17:17
zzzeek	stevemar: a server side default is more atomic than the trigger	17:18
*** gagehugo_ has joined #openstack-keystone		17:18
*** gagehugo has quit IRC		17:18
stevemar	zzzeek: https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/105_add_password_date_columns.py	17:18
*** gagehugo_ has quit IRC		17:18
*** gagehugo has joined #openstack-keystone		17:18
zzzeek	stevemar: yeah those are lacking a server default	17:19
stevemar	doh	17:19
stevemar	so... migration 110 and make sure we add a server_default to created_at? ... i think	17:20
zzzeek	stevemar: thnking mysql might put up a fight here if this col is not already TIMESTAMP let me just add the comment	17:21
stevemar	zzzeek: cool	17:21
*** rcernin has quit IRC		17:22
zzzeek	stevemar: works fine	17:23
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/361017	17:23
*** code-R has joined #openstack-keystone		17:25
stevemar	henrynash: so maybe some good news for you ^	17:28
dstanek	zzzeek: awesome, thx	17:29
*** code-R_ has quit IRC		17:29
*** Gorian\|work has quit IRC		17:29
*** spedione is now known as spedione\|AWAY		17:31
*** aswadr_ has quit IRC		17:31
stevemar	dolphm: i'm be a bit harder to reach in the afternoon, but i like the feedback we got on the ML and from zzzeek in the patches, so hopefully we don't have to retarget that work for O	17:37
*** slberger has joined #openstack-keystone		17:38
stevemar	dstanek: you good on the cache front?	17:38
zzzeek	stevemar: a DB level default is non-controversial :)	17:38
*** code-R has quit IRC		17:39
stevemar	zzzeek: yep!	17:39
stevemar	zzzeek: and the other trigger is more defensive i suppose	17:39
*** ericksonsantos has quit IRC		17:43
*** mnikolaenko_ has quit IRC		17:47
*** gyee has quit IRC		17:50
*** jed56 has quit IRC		17:55
*** adu has joined #openstack-keystone		17:57
*** sdake_ has quit IRC		18:02
*** tqtran has joined #openstack-keystone		18:04
openstackgerrit	Steve Martinelli proposed openstack/keystone-specs: redirect old api pages to new ones https://review.openstack.org/361401	18:07
openstackgerrit	Alexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager https://review.openstack.org/360735	18:10
*** amakarov is now known as amakarov_away		18:11
openstackgerrit	Sean Perry proposed openstack/keystone: Impose a min and a max on time values in CONF.token https://review.openstack.org/361406	18:19
openstackgerrit	Sean Perry proposed openstack/keystone: Impose a min and a max on time values in CONF.token https://review.openstack.org/361406	18:20
*** ruoyu has joined #openstack-keystone		18:24
dstanek	stevemar: i think so	18:24
dstanek	some crazy jenkins problem though...	18:26
*** ntpttr has quit IRC		18:27
*** ntpttr has joined #openstack-keystone		18:28
*** ntpttr has quit IRC		18:28
*** ntpttr- has joined #openstack-keystone		18:28
*** mordred has quit IRC		18:31
*** NishaYadav has quit IRC		18:34
lbragstad	dstanek just noticed this in the credential encryption stuff - http://logs.openstack.org/18/355618/26/check/gate-keystone-python34-db/24c9a56/console.html#_2016-08-26_16_30_26_993108	18:35
lbragstad	py3 related?	18:35
*** asettle has joined #openstack-keystone		18:36
ruoyu	Hello! Our team want to get realtime user information from keystone logs. Logging_context_format_string should print user id in the logs but it doesn’t work. For an example, when I log in with a wrong password, in keystone I only got log message like “2016-08-22 17:00:15.396 2707 WARNING keystone.common.wsgi [req-c9ab9248-4f94-4ed0-9005-10fe3c5e5486 - - - - -] Authorization failed. The request you have made require	18:39
ruoyu	s authentication. from 10.14.37.215”. We think the user id should be next to the request id but we only got ‘-‘. Any instruction is greatly appreciated. Thank you very much!	18:39
dstanek	ruoyu: i don't think we put that in the logging context anywhere	18:39
dstanek	lbragstad: hmm....	18:39
* dolphm is reading back		18:40
*** su_zhang has quit IRC		18:40
*** Gorian\|work has joined #openstack-keystone		18:40
dstanek	stevemar: it seems that i'm not getting all the the CONF.cache settings, so i have to put something together for that	18:41
*** mordred has joined #openstack-keystone		18:41
ruoyu	Hi dstanek, thanks for the response! this is the logging context part in keystone.conf file: logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s	18:42
dolphm	zzzeek: thank you for all your feedback!	18:42
dstanek	ruoyu: something has to put a value for user_identity in the logging context and i don't think we do that	18:43
*** Gorian\|work has quit IRC		18:43
dstanek	oslo.log and olso.context both have a lot of references to that and nothing in keystone. not sure where it's supposed to come from	18:44
dstanek	ruoyu: ^	18:44
*** asettle has quit IRC		18:45
*** Gorian\|work has joined #openstack-keystone		18:45
*** slberger has quit IRC		18:45
ruoyu	Is that means keystone log message has a field called '(user_identity)s' but actually it doesn't write any content to this field?	18:46
dstanek	ruoyu: that format should be getting data from a logging context. i don't know what is supposed to add that value to the context.	18:46
*** slberger has joined #openstack-keystone		18:47
dstanek	a quick grep of the keystone code shows that nothing uses the string 'user_identity', but it does appear in olso.log and olso.context	18:48
dstanek	samueldmq: i have a fix coming for that caching review - tests are running now	18:53
samueldmq	dstanek: nice, let's work to get that in	18:53
samueldmq	dstanek: I am looking forward to test fernet with that	18:53
ruoyu	@dstanek Is it a bug? Keystone should have user information in it because keystone do authentication job, can we grab user info in keystone and write it to logs?	18:53
dstanek	ruoyu: i have no idea how it's supposed to work	18:55
*** dikonoor has quit IRC		18:56
*** tqtran has quit IRC		18:56
gsilvis	When you're using keystone federation, just before you scope, you get a list of things you can scope to. Does keystoneauth1.identity expose this list in any way?	18:56
ruoyu	dstanek: Okay, thanks!	18:57
*** markvoelker has quit IRC		18:57
*** tqtran has joined #openstack-keystone		18:57
openstackgerrit	Merged openstack/keystone: TrivialFix: Remove logging import unused https://review.openstack.org/360915	18:58
*** markvoelker has joined #openstack-keystone		19:00
henrynash	stevemar, zzzeek: the reason a server side default was not put in at migration 105 is that rderose found he couldn't get sqla to work right across all three supported DBs (rderose could you expand on that?)	19:02
henrynash	stevemar, zzzeek: and sure, if we can find a way of doing that, then this fix become nice and simple!	19:02
rderose	henrynash stevemar zzzeek: sure	19:03
openstackgerrit	Merged openstack/keystone: Fix some typos in comments https://review.openstack.org/361091	19:03
rderose	henrynash stevemar zzzeek: essentially, I tried adding a default datetime value to the new column; tried the following:	19:03
rderose	* default=datetime.datetime.utcnow	19:04
rderose	* default=sql.func.now()	19:04
rderose	* server_default=sql.func.now()	19:04
rderose	* # there was also a timestamp option I think	19:04
rderose	but essentially, I'd get it working with mysql, but it wouldn't work with sqlite	19:04
rderose	And I believe server_default only works for table creates; not for table alters.	19:05
henrynash	rderose: never quite understood the last bit, not sure what would be true	19:06
henrynash	(...why that would be true)	19:06
*** Ephur has joined #openstack-keystone		19:07
rderose	henrynash: when adding a new table, you can set a server_default for the columns. however, if you are adding a column to an existing table (alter table), you can't set the server_default value	19:07
rderose	henrynash: not sure, something I read when researching this	19:07
henrynash	rderose: you mean it just gives an error if you add server_default to the new column definition?	19:08
rderose	henrynash: it wouldn't give an error, just wouldn't set the default value	19:08
henrynash	rderose: ah, right!	19:09
*** browne has quit IRC		19:09
*** su_zhang has joined #openstack-keystone		19:11
openstackgerrit	David Stanek proposed openstack/keystone: Distributed cache namespace to invalidate regions https://review.openstack.org/349704	19:12
dstanek	ruoyu: if you find out please report back. i'm interested to know	19:12
rderose	henrynash stevemar zzzeek: I tried many different options and couldn't get this to work; couldn't find an example in openstack code base as well.	19:13
*** su_zhang has quit IRC		19:16
ruoyu	dstanek: Sure, no problem!	19:16
*** michauds has quit IRC		19:18
*** michauds has joined #openstack-keystone		19:18
*** rodrigods has quit IRC		19:21
*** rodrigods has joined #openstack-keystone		19:21
*** lamt has quit IRC		19:22
*** michauds has quit IRC		19:22
*** michauds has joined #openstack-keystone		19:23
zzzeek	Henrynash: server_default=func.now() should work on all three . SQLite has no date type but the string format should be compatible	19:23
zzzeek	Henrynash: never seen anyone use a trigger for this use case , and that would have the same issue in SQLite anyway if NOW() were string incompatible	19:24
henrynash	zzzeeK: i kind of agree with you...worst case, we should have beeen able to set the server default in SQL directly. But we didn't. I'll invetsigate further and re-test the assumption we had from 105	19:27
*** browne has joined #openstack-keystone		19:31
lbragstad	dstanek is there any reason why self.crypto.decrypt(bytes(credential)).decode('utf-8') would not work on py3?	19:31
lbragstad	line 86 here - https://review.openstack.org/#/c/355618/26/keystone/credential/providers/fernet/core.py	19:32
openstackgerrit	Gage Hugo proposed openstack/keystone: [WIP] doctor check for domain specific configs https://review.openstack.org/361435	19:33
*** links has quit IRC		19:33
marekd	rderose: ok, let me chec :-)	19:34
dstanek	lbragstad: we should be logging the actual error. that message is completely useless to anyone debugging	19:34
lbragstad	dstanek it looks like this - http://stackoverflow.com/questions/31161243/python-string-argument-without-an-encoding ?	19:34
lbragstad	dstanek it's in the trace - http://cdn.pasteraw.com/80tg264lq18635pikv8i43phfppzhva	19:35
lbragstad	'TypeError: string argument without an encoding'	19:36
lbragstad	do we use bytearray() or is there a six utility for that?	19:36
dstanek	lbragstad: yes, you can't pass a string to bytes unless you tell it what it is	19:36
dstanek	lbragstad: you can contintue to use bytes	19:37
dstanek	bytes('abc') should fail	19:37
dstanek	whereas bytes('abc', 'ascii') should not	19:37
lbragstad	dstanek do we need ascii here?	19:37
lbragstad	we end up decoding it to utf-8	19:37
dstanek	lbragstad: utf-8 is probably better because you are already encoding to it	19:38
lbragstad	dstanek cool - rerunning my tests	19:38
*** tqtran has quit IRC		19:42
*** tqtran has joined #openstack-keystone		19:42
*** gyee has joined #openstack-keystone		19:44
lbragstad	dstanek sweet	19:46
lbragstad	dstanek only one py34 test failed and it seems to be related - http://cdn.pasteraw.com/2knpd6eoji8egdx5o8ycmaxfokft9uu	19:46
*** raildo has joined #openstack-keystone		19:49
*** gagehugo has quit IRC		19:53
dstanek	lbragstad: so the conversion to bytes failed?	19:53
lbragstad	dstanek looks like it	19:54
samueldmq	dstanek: MemcachedKeyCharacterError: Control/space characters not allowed (key='<<<region>>>:shared default')	19:54
dstanek	samueldmq: that's strange. i would have expected that to be handled by the existing mangler	19:56
samueldmq	dstanek: let's just replace spaces with _ ?	19:56
samueldmq	dstanek: or is it also referring to < and > as control chars	19:57
samueldmq	never know	19:57
lbragstad	dstanek there are the types of blob and encrypted_blob	19:57
lbragstad	http://cdn.pasteraw.com/9pypfzymuryvfdg5dkqumqf1ynvr7us	19:57
dstanek	samueldmq: yeah, but i want to know why	19:57
dstanek	lbragstad: is it already bytes?	19:57
lbragstad	dstanek it fails in decrypt() with the encrypted_blob	19:57
samueldmq	dstanek: maybe it's just a rule in memcache rule ?	19:57
samueldmq	not related to manglers ?	19:57
lbragstad	dstanek yeah - it looks like it	19:57
* lbragstad b'gAAAAABXwJ71HOw5vF7xqZvPj5ac5a2o8rKJwyGk_GQlmTZ6HhBizYKS6G-tnFrOQGqktINwl-uA6Sbdj0j_py1NJMsx-9goo8x0CNPasQtgHEdIxwaYFNefHomTRPjCCwmRjdb2oIfV'		19:57
* lbragstad <class 'bytes'>		19:57
bknudson	gAAAAA	19:58
*** asettle has joined #openstack-keystone		19:59
dstanek	samueldmq: it's definitely the space http://paste.openstack.org/show/564055/	20:00
dstanek	raw memcache commands agree	20:00
dstanek	i'll look at why it's not getting mangled. we should be getting the default mangler and wrapping it	20:01
* samueldmq nods		20:01
dstanek	samueldmq: it's odd because i think it gets setup in oslo.cache. not sure why it isn't being passed through	20:02
*** jraim has quit IRC		20:02
samueldmq	dstanek: are we using oslo.cache to create the regions ?	20:02
*** zhiyan has quit IRC		20:03
lbragstad	dstanek this apparently fixes it - http://cdn.pasteraw.com/21can262fonp5t19xzyhrxgkp95eja5	20:03
lbragstad	rerunning all the py34 tests now	20:03
*** su_zhang has joined #openstack-keystone		20:03
*** ctracey has quit IRC		20:04
*** lamt has joined #openstack-keystone		20:04
*** serverascode has quit IRC		20:04
lbragstad	dstanek not sure if that's the best fix	20:05
*** slberger has quit IRC		20:06
*** su_zhang has quit IRC		20:08
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	20:10
*** tonytan_brb has joined #openstack-keystone		20:13
*** roxanaghe has quit IRC		20:15
*** tonytan4ever has quit IRC		20:16
*** su_zhang has joined #openstack-keystone		20:17
*** roxanaghe has joined #openstack-keystone		20:23
*** su_zhang has quit IRC		20:27
*** dkehn_ has quit IRC		20:34
*** jraim has joined #openstack-keystone		20:35
*** esp has quit IRC		20:38
*** ctracey has joined #openstack-keystone		20:40
*** serverascode has joined #openstack-keystone		20:43
notmorgan	rderose: lets just drop sqlite completely ;)	20:43
notmorgan	lbragstad: i love bytes... =/ (not really)	20:43
rderose	notmorgan: yeah!!!	20:44
notmorgan	lbragstad: http://paste.openstack.org/show/564061/ #TheMoreYouKnow	20:44
*** zhiyan has joined #openstack-keystone		20:45
*** roxanaghe has quit IRC		20:46
*** edtubill has quit IRC		20:50
*** adu has quit IRC		20:53
lbragstad	notmorgan nice	20:53
*** slberger has joined #openstack-keystone		20:56
*** marekd2 has joined #openstack-keystone		20:59
*** ayoung has joined #openstack-keystone		20:59
*** ChanServ sets mode: +v ayoung		20:59
*** clenimar has quit IRC		21:01
*** sdake has joined #openstack-keystone		21:02
*** marekd2 has quit IRC		21:04
*** raildo has quit IRC		21:06
*** iurygregory has quit IRC		21:07
*** pauloewerton has quit IRC		21:10
*** marekd2 has joined #openstack-keystone		21:12
*** tqtran has quit IRC		21:14
*** su_zhang has joined #openstack-keystone		21:17
*** marekd2 has quit IRC		21:17
lbragstad	dolphm thanks for the review - I can address those comments	21:18
lbragstad	dolphm i responded here - https://review.openstack.org/#/c/355618/26/keystone/common/sql/data_migration_repo/versions/002_migrate_unencrypted_credentials.py	21:18
dolphm	lbragstad: i just realized i was reviewing the old patchset, i'm continuing with the new one now	21:19
dolphm	lbragstad: think "while select(10): for row in select: encrypt(row)"	21:19
*** ruoyu has quit IRC		21:20
*** su_zhang has quit IRC		21:22
*** tqtran has joined #openstack-keystone		21:26
*** roxanaghe has joined #openstack-keystone		21:26
*** Ephur has quit IRC		21:26
lbragstad	dolphm that's not user initiated, is it?	21:27
*** su_zhang has joined #openstack-keystone		21:27
*** roxanaghe has quit IRC		21:27
*** roxanaghe has joined #openstack-keystone		21:29
lbragstad	ugh - for some reason py2 and py3 can't agree on strings with the decrypt method	21:29
*** cher has joined #openstack-keystone		21:38
*** slberger has quit IRC		21:41
*** slberger has joined #openstack-keystone		21:44
*** Gorian\|work has quit IRC		21:50
*** Gorian\|work has joined #openstack-keystone		21:52
*** lamt has quit IRC		21:54
*** ravelar has quit IRC		21:58
*** sdake_ has joined #openstack-keystone		22:01
*** su_zhang has quit IRC		22:02
*** sdake has quit IRC		22:03
*** lamt has joined #openstack-keystone		22:05
*** su_zhang has joined #openstack-keystone		22:05
*** lamt has quit IRC		22:05
notmorgan	lbragstad: example?	22:08
notmorgan	lbragstad: because there is absolutely no reason py3 should break a py2 encrypted string	22:08
lbragstad	notmorgan latest failures here - https://review.openstack.org/#/c/355618/26	22:09
lbragstad	py2 is failing with the if statement i put in the decrypt method	22:09
lbragstad	seems strange	22:09
notmorgan	in which file? just so i can find it more quickly	22:09
notmorgan	you added the if statement	22:09
notmorgan	fernet/core?	22:09
lbragstad	notmorgan keystone/credential/providers/fernet/core.py	22:10
notmorgan	oh hah i was on an old patch	22:10
notmorgan	i was very confused	22:10
notmorgan	#HATEGERRITUI	22:10
notmorgan	so, you're sometimes getting bytes and sometimes not?	22:11
lbragstad	notmorgan apparently?	22:11
notmorgan	wait	22:12
notmorgan	which side of the if statement is failing?	22:12
notmorgan	that is not clear here. let me test locally.	22:13
*** chrisshattuck has joined #openstack-keystone		22:13
notmorgan	lbragstad: ok so it's failing in the bytes() converted one (first part of the if block)	22:16
lbragstad	notmorgan that same if statement passes on py34	22:17
*** adrian_otto has joined #openstack-keystone		22:17
notmorgan	lbragstad: i think i found it	22:18
notmorgan	sec	22:18
notmorgan	yep	22:18
*** Gorian\|work has quit IRC		22:19
notmorgan	bytes(<Value>, <encoding>) is not valid on py2	22:19
notmorgan	because str == bytes in py2	22:19
notmorgan	str() takes at most 1 argument (2 given)	22:19
lbragstad	hmm	22:19
notmorgan	you need to use something more like .encode('utf-8')	22:19
notmorgan	vs explicit cast to bytes()	22:19
notmorgan	assuming this is to mitigate a str vs bytes in py3	22:19
notmorgan	or just if six.PY3 gate the conversion to bytes	22:20
lbragstad	notmorgan so don't use bytes period?	22:20
notmorgan	str.encode() will return bytes() object	22:20
lbragstad	make self.crypto.decrypt(bytes(credential)).decode('utf-8') this self.crypto.decrypt(credential).decode('utf-8')	22:20
*** Gorian\|work has joined #openstack-keystone		22:20
notmorgan	>>> 'aaaa'.encode('utf-8')	22:21
notmorgan	b'aaaa'	22:21
notmorgan	(in py3)	22:21
notmorgan	for extreme safety.	22:21
notmorgan	self.crypt.decrypt(credential.encode('utf-8)).decode('utf-8')	22:22
notmorgan	if it's a STR and not bytes	22:22
*** Gorian\|work has quit IRC		22:22
notmorgan	if it's bytes you can't use "encode" in py3 (py2 it works still)	22:22
lbragstad	ah	22:23
lbragstad	weird	22:23
notmorgan	so: if six.PY3 and isinstance(credential, str): return self.crypto.decrypt(credential.encode('utf-8')).decode('utf-8') else return self.crypto.decrypt(credential).decode('utf-8')	22:23
notmorgan	or similar	22:24
notmorgan	this is a result of in py2, str == bytes	22:24
notmorgan	and in py3 bytes is it's own classification independant of str (which is now ~= u'')...	22:24
notmorgan	I greatly dislike python's handling of bytes vs strings.	22:24
*** Gorian\|work has joined #openstack-keystone		22:24
notmorgan	lbragstad: i would also split the statements for decrypt and decoding into multiple lines	22:25
*** michauds has quit IRC		22:25
notmorgan	just for clarity / ease of reading (but that is nitpicking)	22:25
*** Gorian\|work has quit IRC		22:26
lbragstad	notmorgan got it	22:26
lbragstad	running tests now	22:26
* dolphm is back, sort of		22:26
* notmorgan shooos dolphm off until he's "really" back ;)		22:27
dolphm	i got up at 3, but i have this delicious coffee to keep me awake	22:27
lbragstad	:1691	22:28
notmorgan	dolphm: what kind of coffee and method of brewing?	22:28
lbragstad	ugh	22:28
lbragstad	sorry	22:28
notmorgan	lbragstad: :1134	22:28
notmorgan	lbragstad: see i can do that too!	22:28
*** Gorian\|work has joined #openstack-keystone		22:29
notmorgan	dolphm: you should order some coffee from Coava ... it is ah-maaaaaze-ing http://coavacoffee.com/	22:29
* notmorgan needs to start cold brewing coffee.		22:29
lbragstad	my wife ordered some dark roast for peet's	22:30
lbragstad	we're digging that	22:30
dolphm	notmorgan: cold brew from a san antonio roaster (Merit) & coffee shop (Local)	22:30
notmorgan	lbragstad: get her to order from coava.	22:30
notmorgan	lbragstad: it's pricy but worth it	22:30
*** tqtran has quit IRC		22:30
dolphm	notmorgan: http://coavacoffee.com/pages/shop	22:30
dolphm	notmorgan: oh, i got a 404 a second ago	22:30
notmorgan	PNW small roasters is totally different than the peets/starbucks	22:31
notmorgan	dolphm: yeah it did that for me once i figured it was on my end	22:31
* notmorgan loves tryig the local roasters in every city		22:31
notmorgan	Coava is my fav. one of the places we went on Tokyo was also just amazing	22:32
*** chrisshattuck has quit IRC		22:32
dolphm	lbragstad: did you notice that local uses your metal (aluminum?) hario?	22:33
dolphm	notmorgan: i really like the vending machine across from the train station	22:33
*** slberger has left #openstack-keystone		22:33
*** Gorian\|work has quit IRC		22:34
*** tqtran has joined #openstack-keystone		22:34
notmorgan	:)	22:37
notmorgan	we found this tiny little coffee shop that was on a back-street/alley. the most hilarious part was it was advertising (flyers) for a Portland Festival in Tokyo	22:37
notmorgan	dolphm: ^	22:37
lbragstad	dolphm i did :)	22:38
dolphm	notmorgan: Portland Festival in tokyo must be the best	22:38
notmorgan	i ... yeah i admit I didn't go	22:39
dolphm	lbragstad: you should review the patches that yours depends on btw :P	22:39
notmorgan	Tokyo might have higher concentration of hipsters than PDX does.	22:39
*** BjoernT has quit IRC		22:39
*** itisha has quit IRC		22:40
lbragstad	dolphm will do	22:43
*** edmondsw has quit IRC		22:44
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	22:51
notmorgan	lbragstad: commented on your latest patch.. real nit-picky but...	22:53
notmorgan	just a thought on how to make it easier to read	22:53
lbragstad	notmorgan awesome - thanks	22:57
*** serverascode has quit IRC		23:01
*** ctracey has quit IRC		23:01
*** zhiyan has quit IRC		23:02
*** bapalm_ has quit IRC		23:06
*** jraim has quit IRC		23:09
*** bapalm has joined #openstack-keystone		23:11
*** ctracey has joined #openstack-keystone		23:15
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	23:15
lbragstad	notmorgan done ^	23:15
lbragstad	notmorgan thanks for the review :)	23:15
*** serverascode has joined #openstack-keystone		23:20
*** zhiyan has joined #openstack-keystone		23:28
*** ctracey has quit IRC		23:46
*** zhiyan has quit IRC		23:46
*** serverascode has quit IRC		23:46
*** su_zhang has quit IRC		23:51
*** su_zhang has joined #openstack-keystone		23:56
*** su_zhang has quit IRC		23:56
*** su_zhang has joined #openstack-keystone		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!