Tuesday, 2016-09-20

*** itsuugo has quit IRC		00:00
*** itsuugo has joined #openstack-keystone		00:01
*** itsuugo has quit IRC		00:06
*** itsuugo has joined #openstack-keystone		00:07
*** guoshan has joined #openstack-keystone		00:11
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for domain specific configs https://review.openstack.org/361435	00:14
*** jamielennox is now known as jamielennox\|away		00:14
*** itsuugo has quit IRC		00:14
*** itsuugo has joined #openstack-keystone		00:15
openstackgerrit	Merged openstack/keystone: add placeholder migrations for newton https://review.openstack.org/372639	00:22
*** markvoelker has joined #openstack-keystone		00:29
*** esp has quit IRC		00:30
*** roxanaghe has quit IRC		00:30
*** adrian_otto has quit IRC		00:33
*** bjolo__ has joined #openstack-keystone		00:41
*** bjolo has quit IRC		00:41
*** roxanaghe has joined #openstack-keystone		00:43
*** asettle has joined #openstack-keystone		00:47
*** browne has quit IRC		00:48
*** itsuugo has quit IRC		00:49
*** itsuugo has joined #openstack-keystone		00:50
*** asettle has quit IRC		00:52
*** guoshan has quit IRC		00:52
*** esp has joined #openstack-keystone		00:53
*** esp has quit IRC		00:56
*** spzala has quit IRC		01:02
*** itsuugo has quit IRC		01:02
*** itsuugo has joined #openstack-keystone		01:03
*** roxanaghe has quit IRC		01:04
*** adriant has joined #openstack-keystone		01:06
*** itsuugo has quit IRC		01:13
*** itsuugo has joined #openstack-keystone		01:14
*** Marcellin__ has quit IRC		01:17
*** itsuugo has quit IRC		01:19
*** itsuugo has joined #openstack-keystone		01:20
*** guoshan has joined #openstack-keystone		01:22
*** gagehugo has quit IRC		01:26
*** davechen has joined #openstack-keystone		01:31
*** itsuugo has quit IRC		01:33
*** EinstCrazy has joined #openstack-keystone		01:33
*** itsuugo has joined #openstack-keystone		01:34
*** EinstCrazy has quit IRC		01:37
*** itsuugo has quit IRC		01:42
*** itsuugo has joined #openstack-keystone		01:43
*** nkinder has joined #openstack-keystone		01:43
*** dikonoor has joined #openstack-keystone		01:47
*** itsuugo has quit IRC		01:48
*** roxanaghe has joined #openstack-keystone		01:48
*** itsuugo has joined #openstack-keystone		01:48
*** roxanaghe has quit IRC		01:52
*** itsuugo has quit IRC		01:54
*** itsuugo has joined #openstack-keystone		01:55
*** zhangjl has joined #openstack-keystone		01:55
*** markvoelker has quit IRC		02:02
*** markvoelker has joined #openstack-keystone		02:02
openstackgerrit	Ha Van Tu proposed openstack/keystone: Fix prameters names in Keystone API v2-ext https://review.openstack.org/368618	02:04
*** itsuugo has quit IRC		02:05
*** itsuugo has joined #openstack-keystone		02:06
*** sdake has quit IRC		02:06
*** sdake has joined #openstack-keystone		02:06
*** namnh has joined #openstack-keystone		02:12
*** itsuugo has quit IRC		02:12
*** itsuugo has joined #openstack-keystone		02:13
*** roxanaghe has joined #openstack-keystone		02:16
openstackgerrit	Dave Chen proposed openstack/keystone: Handle the exception from creating request token properly https://review.openstack.org/361087	02:18
*** itsuugo has quit IRC		02:18
*** sdake has quit IRC		02:18
*** itsuugo has joined #openstack-keystone		02:20
*** jamielennox\|away is now known as jamielennox		02:20
openstackgerrit	Ha Van Tu proposed openstack/keystone: Refactor Keystone admin-endpoint API https://review.openstack.org/369808	02:21
*** itsuugo has quit IRC		02:24
*** itsuugo has joined #openstack-keystone		02:25
*** iurygregory_ has quit IRC		02:25
openstackgerrit	Ha Van Tu proposed openstack/keystone: Refactor Keystone admin-tenant API v2 https://review.openstack.org/369849	02:29
openstackgerrit	Ha Van Tu proposed openstack/keystone: Refactor Keystone admin-endpoint API https://review.openstack.org/369808	02:29
*** nkinder has quit IRC		02:35
*** itsuugo has quit IRC		02:38
stevemar	crinkle: o/	02:39
stevemar	crinkle: apparently bluebox has a bunch of documentation for k2k http://ibm-blue-box-help.github.io/help-documentation/keystone/k2k-federation/?cm_mc_uid=15636869701514730367719&cm_mc_sid_50200000=1474336429	02:39
stevemar	i didn't know this	02:39
*** roxanaghe has quit IRC		02:40
*** itsuugo has joined #openstack-keystone		02:41
*** davechen1 has joined #openstack-keystone		02:48
*** nicolasbock has joined #openstack-keystone		02:49
*** davechen has quit IRC		02:51
*** itsuugo has quit IRC		02:52
*** itsuugo has joined #openstack-keystone		02:53
*** tqtran has quit IRC		02:56
zhangjl	hey stevemar	02:56
zhangjl	i have some problem with keystone federation, could you help me ?	02:56
*** woodster_ has quit IRC		03:00
*** markvoelker has quit IRC		03:02
*** markvoelker has joined #openstack-keystone		03:02
*** spzala has joined #openstack-keystone		03:02
*** david-lyle has quit IRC		03:03
*** davechen has joined #openstack-keystone		03:06
*** spzala has quit IRC		03:07
*** itsuugo has quit IRC		03:07
*** itsuugo has joined #openstack-keystone		03:09
openstackgerrit	Dave Chen proposed openstack/keystone: Fix for unindent warning in doc build https://review.openstack.org/372796	03:09
*** davechen1 has quit IRC		03:09
*** gagehugo has joined #openstack-keystone		03:12
stevemar	zhangjl: sure, i'm off to bed soon, but let's chat, maybe someone else can jump in when i'm off	03:21
zhangjl	thanks	03:24
zhangjl	i deployed keystone federation according to the http://docs.openstack.org/developer/keystone/federation/federated_identity.html and http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/	03:25
zhangjl	while, when i test my keystone federation , i got some errors like follows: File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 520, in post	03:26
zhangjl	return self.request(url, 'POST', **kwargs)	03:26
zhangjl	File "/usr/lib/python2.7/dist-packages/positional/__init__.py", line 94, in inner	03:26
zhangjl	return func(args, *kwargs)	03:26
zhangjl	File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 420, in request	03:26
zhangjl	raise exceptions.from_response(resp, method, url)	03:26
zhangjl	keystoneauth1.exceptions.http.InternalServerError: Internal Server Error (HTTP 500)	03:26
zhangjl	the detail is in the email with topic named [keystone]federation not working for me	03:27
zhangjl	could you give me some advice	03:28
stevemar	zhangjl: i think rodrigo's blog is out of date by now	03:31
zhangjl	thanks	03:33
zhangjl	while, according to http://docs.openstack.org/developer/keystone/federation/federated_identity.html , the keystone federation still cannot work well...	03:33
zhangjl	i have no idea about this question	03:34
stevemar	zhangjl: crinkle is trying to update some of the documentation for federation: https://review.openstack.org/#/c/371210/	03:35
stevemar	zhangjl: i think the very last change is helpful, around line 460	03:35
zhangjl	Great!! I will try it later. Thanks for your help	03:37
stevemar	zhangjl: if you run into problems, leave comments in the review, maybe crinkle can add more docs :P	03:38
zhangjl	yes, i will do it	03:38
zhangjl	thank you again	03:38
stevemar	np	03:41
*** tqtran has joined #openstack-keystone		03:45
*** nicolasbock has quit IRC		03:50
*** pnavarro has quit IRC		03:51
*** guoshan has quit IRC		03:55
*** itsuugo has quit IRC		04:09
*** itsuugo has joined #openstack-keystone		04:11
*** gagehugo has quit IRC		04:13
*** itsuugo has quit IRC		04:19
*** itsuugo has joined #openstack-keystone		04:20
*** itsuugo has quit IRC		04:25
*** itsuugo has joined #openstack-keystone		04:27
*** itsuugo has quit IRC		04:32
*** itsuugo has joined #openstack-keystone		04:33
*** itsuugo has quit IRC		04:38
*** itsuugo has joined #openstack-keystone		04:39
*** dikonoor has quit IRC		04:43
*** sdake has joined #openstack-keystone		04:46
*** markvoelker has quit IRC		04:46
*** dikonoor has joined #openstack-keystone		04:48
*** tqtran has quit IRC		04:49
*** tqtran has joined #openstack-keystone		04:54
*** jaosorior has joined #openstack-keystone		04:55
*** guoshan has joined #openstack-keystone		04:56
*** GB21 has joined #openstack-keystone		04:56
openstackgerrit	Merged openstack/keystone: Refactor Keystone admin-endpoint API https://review.openstack.org/369808	04:58
*** dikonoo has joined #openstack-keystone		05:02
*** itsuugo has quit IRC		05:03
*** dikonoor has quit IRC		05:05
*** itsuugo has joined #openstack-keystone		05:05
*** jaosorior has quit IRC		05:09
*** jaosorior has joined #openstack-keystone		05:09
crinkle	stevemar: awesome	05:13
*** itsuugo has quit IRC		05:14
*** itsuugo has joined #openstack-keystone		05:15
*** dikonoor has joined #openstack-keystone		05:16
*** dikonoo has quit IRC		05:19
*** itsuugo has quit IRC		05:20
*** itsuugo has joined #openstack-keystone		05:22
*** aswadr_ has joined #openstack-keystone		05:29
*** namnh has quit IRC		05:38
*** namnh has joined #openstack-keystone		05:38
*** richm has quit IRC		05:39
*** markvoelker has joined #openstack-keystone		05:47
*** itsuugo has quit IRC		05:48
*** itsuugo has joined #openstack-keystone		05:49
openstackgerrit	Qiming Teng proposed openstack/keystone: Tweak api-ref doc for v3 users https://review.openstack.org/367767	05:51
*** markvoelker has quit IRC		05:52
*** itsuugo has quit IRC		05:54
*** itsuugo has joined #openstack-keystone		05:55
*** dikonoor has quit IRC		05:55
*** itsuugo has quit IRC		06:02
openstackgerrit	Qiming Teng proposed openstack/keystone: Tweak api-ref for v3 groups https://review.openstack.org/367793	06:02
*** itsuugo has joined #openstack-keystone		06:03
*** itsuugo has quit IRC		06:11
*** dikonoor has joined #openstack-keystone		06:12
*** itsuugo has joined #openstack-keystone		06:12
*** itsuugo has quit IRC		06:17
*** EinstCrazy has joined #openstack-keystone		06:18
*** itsuugo has joined #openstack-keystone		06:19
davechen	zhangjl: Here is how I setup K-K with the latest version, some issues I hit and how it fixed hope it helps! - http://blog.csdn.net/chenwei8280/article/details/49560963	06:22
zhangjl	thanks	06:26
*** adriant has quit IRC		06:27
zhangjl	i will try it later	06:27
*** itsuugo has quit IRC		06:31
*** itsuugo has joined #openstack-keystone		06:32
*** itsuugo has quit IRC		06:44
*** itsuugo has joined #openstack-keystone		06:45
*** markvoelker has joined #openstack-keystone		06:48
*** itsuugo has quit IRC		06:50
*** itsuugo has joined #openstack-keystone		06:50
*** pcaruana has joined #openstack-keystone		06:50
*** markvoelker has quit IRC		06:52
*** bjolo__ is now known as bjolo		06:53
*** itsuugo has quit IRC		06:59
*** tqtran has quit IRC		07:00
*** itsuugo has joined #openstack-keystone		07:00
*** itsuugo has quit IRC		07:11
*** itsuugo has joined #openstack-keystone		07:12
*** chlong has quit IRC		07:14
*** namnh has quit IRC		07:16
*** rcernin has joined #openstack-keystone		07:19
*** itsuugo has quit IRC		07:24
*** itsuugo has joined #openstack-keystone		07:25
*** itsuugo has quit IRC		07:30
*** itsuugo has joined #openstack-keystone		07:31
*** jpena\|off is now known as jpena		07:36
*** amoralej\|off is now known as amoralej		07:38
openstackgerrit	Merged openstack/keystone: Refactor Keystone admin-tenant API v2 https://review.openstack.org/369849	07:40
*** jgrassler has joined #openstack-keystone		07:43
openstackgerrit	Ha Van Tu proposed openstack/keystone: Refactor Keystone admin-tokens and admin-users v2 https://review.openstack.org/369883	07:45
jgrassler	Good morning.	07:48
*** markvoelker has joined #openstack-keystone		07:49
jgrassler	What's the best way to list roles in a domain (or even better, retrieve a role in that domain by name if there's a mechanism for that)?	07:49
jgrassler	keystoneclient.v3.roles.RoleManager.list() does not appear to do the trick: it takes a `domain` argument	07:49
jgrassler	but only returns roles with domain=None.	07:49
jgrassler	https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/role.py#L241 appears to indicate it is deprecated, but is not really clear about what the correct way to go about it is.	07:52
*** EinstCrazy has quit IRC		07:53
*** markvoelker has quit IRC		07:53
*** guoshan has quit IRC		07:54
*** itsuugo has quit IRC		07:54
*** guoshan has joined #openstack-keystone		07:54
*** itsuugo has joined #openstack-keystone		07:55
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** acoles_ is now known as acoles		08:01
*** itsuugo has quit IRC		08:02
*** itsuugo has joined #openstack-keystone		08:03
*** zhangjl1 has joined #openstack-keystone		08:10
*** jlwhite has quit IRC		08:11
openstackgerrit	Ha Van Tu proposed openstack/keystone: Fix prameters names in Keystone API v2-ext https://review.openstack.org/368618	08:12
*** zhangjl has quit IRC		08:13
*** jlwhite has joined #openstack-keystone		08:14
*** mvk has quit IRC		08:25
*** bradjones has quit IRC		08:33
*** asettle has joined #openstack-keystone		08:35
*** bradjones has joined #openstack-keystone		08:36
*** bradjones has quit IRC		08:36
*** bradjones has joined #openstack-keystone		08:36
*** itsuugo has quit IRC		08:36
*** itsuugo has joined #openstack-keystone		08:39
*** zhangjl1 has quit IRC		08:45
*** zhangjl has joined #openstack-keystone		08:45
*** markvoelker has joined #openstack-keystone		08:50
*** markvoelker has quit IRC		08:54
*** __vaishali__ has joined #openstack-keystone		08:58
*** mvk has joined #openstack-keystone		09:02
*** nk2527_ has joined #openstack-keystone		09:04
*** nk2527 has quit IRC		09:04
*** xenogear has quit IRC		09:04
*** xenogear has joined #openstack-keystone		09:04
*** itsuugo has quit IRC		09:10
*** itsuugo has joined #openstack-keystone		09:11
*** xenogear has quit IRC		09:12
*** nk2527_ has quit IRC		09:12
*** code-R has joined #openstack-keystone		09:15
*** pjm6 has joined #openstack-keystone		09:22
*** code-R_ has joined #openstack-keystone		09:23
*** itsuugo has quit IRC		09:24
*** itsuugo has joined #openstack-keystone		09:26
*** code-R has quit IRC		09:26
*** xenogear has joined #openstack-keystone		09:29
openstackgerrit	Ha Van Tu proposed openstack/keystone: Fix prameters names in Keystone API v2-ext https://review.openstack.org/368618	09:30
*** nk2527 has joined #openstack-keystone		09:30
*** zhangjl has quit IRC		09:40
*** itsuugo has quit IRC		09:41
*** itsuugo has joined #openstack-keystone		09:42
*** namnh has joined #openstack-keystone		09:43
openstackgerrit	Merged openstack/keystone: Fix for unindent warning in doc build https://review.openstack.org/372796	09:45
*** freerunner has quit IRC		09:52
*** freerunner has joined #openstack-keystone		09:52
*** itsuugo has quit IRC		10:00
*** itsuugo has joined #openstack-keystone		10:01
*** guoshan has quit IRC		10:05
*** richm1 has joined #openstack-keystone		10:11
*** zhangjl has joined #openstack-keystone		10:11
*** zhangjl has left #openstack-keystone		10:12
*** davechen has left #openstack-keystone		10:17
*** ntpttr has quit IRC		10:31
*** nicolasbock has joined #openstack-keystone		10:33
*** mvk has quit IRC		10:33
*** mvk has joined #openstack-keystone		10:35
*** jaosorior is now known as jaosorior_lunch		10:37
*** __vaishali__ has quit IRC		10:38
*** ntpttr has joined #openstack-keystone		10:39
*** dikonoor has quit IRC		10:39
*** rodrigods has quit IRC		10:41
*** rodrigods has joined #openstack-keystone		10:41
*** __vaishali__ has joined #openstack-keystone		10:42
*** itsuugo has quit IRC		10:47
*** itsuugo has joined #openstack-keystone		10:48
*** dikonoor has joined #openstack-keystone		10:53
*** itsuugo has quit IRC		10:58
*** itsuugo has joined #openstack-keystone		11:01
*** jaosorior_lunch is now known as jaosorior		11:03
*** guoshan has joined #openstack-keystone		11:06
*** code-R_ has quit IRC		11:06
*** EinstCrazy has joined #openstack-keystone		11:09
*** __vaishali__ has quit IRC		11:10
*** code-R has joined #openstack-keystone		11:11
*** __vaishali__ has joined #openstack-keystone		11:13
*** itsuugo has quit IRC		11:18
*** itsuugo has joined #openstack-keystone		11:19
*** dikonoo has joined #openstack-keystone		11:21
*** dikonoor has quit IRC		11:22
*** dikonoo has quit IRC		11:26
*** zhangjl has joined #openstack-keystone		11:27
*** zhangjl has left #openstack-keystone		11:29
*** code-R has quit IRC		11:31
*** dikonoo has joined #openstack-keystone		11:33
*** spzala has joined #openstack-keystone		11:34
*** itsuugo has quit IRC		11:37
*** itsuugo has joined #openstack-keystone		11:38
*** raildo has joined #openstack-keystone		11:38
*** code-R has joined #openstack-keystone		11:40
*** jpena is now known as jpena\|lunch		11:44
*** guoshan has quit IRC		11:44
*** guoshan has joined #openstack-keystone		11:45
*** __vaishali__ has quit IRC		11:47
jamielennox	stevemar: i think i'm going to try and sleep through tomorrows meeting, but if you don't have any volunteers remind me tomorrow and i'll look into the ksc gate	11:52
*** guoshan has quit IRC		11:54
*** itsuugo has quit IRC		11:54
*** guoshan has joined #openstack-keystone		11:55
*** GB21 has quit IRC		11:55
*** itsuugo has joined #openstack-keystone		11:56
*** xiaoyang has joined #openstack-keystone		11:58
xiaoyang	how to use redis?	11:58
*** namnh has quit IRC		11:59
*** mvk has quit IRC		12:00
*** mvk has joined #openstack-keystone		12:04
*** itsuugo has quit IRC		12:06
*** itsuugo has joined #openstack-keystone		12:07
*** namnh has joined #openstack-keystone		12:08
*** vaishali has joined #openstack-keystone		12:08
*** marekd2 has joined #openstack-keystone		12:08
*** nkinder has joined #openstack-keystone		12:09
dstanek	xiaoyang: what do you mean?	12:10
raildo	jamielennox, ping, are you around?	12:10
raildo	jamielennox, about the v3-gate issue on neutron	12:11
jamielennox	raildo: briefly, was just unlocking some stuff before bed	12:11
*** edmondsw has joined #openstack-keystone		12:12
raildo	jamielennox, so have good night, we can talk when you wake up :) it's not urgent	12:12
jamielennox	that's ok - hit me	12:12
* dstanek ducks as raildo winds up		12:13
raildo	dstanek, haha	12:13
raildo	jamielennox, so, I kind of find the issue: https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/swift/connection_manager.py#L147-L159	12:13
raildo	the problem is an error when glance try to find the swift endpoint using keystone v3	12:13
jamielennox	raildo: ew, yea, i've seen the glance/swift connection before - that's worse than i remember	12:13
jamielennox	so i mean the parameters to that are right	12:15
jamielennox	it's just not many things need to extract the url like that	12:15
raildo	jamielennox, yes... I'm investigating know if we needed swift in the previous job, and why this only breaks now, since this job is running for almost a year	12:15
jamielennox	raildo: i'm guessing it's probably a config change	12:16
jamielennox	raildo: something that the glance/swift people put into devstack without actually thinking about keystone v3	12:16
raildo	jamiec, in march, we had this change on this code: https://github.com/openstack/glance_store/commit/fb77cb73c5daa9f78dbf13d9c943c91f92ba0298	12:16
raildo	jamielennox, ^	12:17
jamielennox	raildo: that doesn't make much sense	12:18
jamielennox	that function should work regardless of version	12:18
raildo	jamielennox, ++	12:18
raildo	jamielennox, we should be using session here?	12:18
jamielennox	raildo: well, always - but for some of these projects it's like banging your head against a wall	12:19
jamielennox	i found particularly with the glance_store library to fix it properly would mean changing their plugin api	12:19
raildo	jamielennox, yes, I have this patch to make glance use session: https://review.openstack.org/#/c/324100/	12:20
raildo	jamielennox, but it's almost impossible to make this right :(	12:20
*** asettle has quit IRC		12:21
raildo	jamielennox, ok, I'll take a look deeper and see what we can do. thanks for your time, sir	12:21
raildo	have a good night :)	12:21
*** asettle has joined #openstack-keystone		12:21
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation model https://review.openstack.org/208488	12:22
*** markvoelker has joined #openstack-keystone		12:24
jamielennox	raildo: yea, i have looked at glance before and it would require an almost complete rewrite of that internal client layer they have	12:26
jamielennox	raildo: which they might even accept - i just don't want to do that	12:26
*** asettle has quit IRC		12:26
raildo	jamielennox, agreed, they talk about keystone v1 on that...	12:26
jamielennox	raildo: i am not spending as much time upstream at the moment but i will help out on this stuff hoewver i can	12:27
jamielennox	raildo: yea, swift talks about v1 as well, they made a plugin	12:27
raildo	jamielennox, I appreciate that	12:27
jamielennox	https://review.openstack.org/#/c/300697/	12:27
jamielennox	like ok - why?	12:27
*** spzala has quit IRC		12:28
raildo	jamielennox, we need just remove it, not add more complexity on this code	12:29
jamielennox	yea, but people are really unhappy when you try and replace their http layer	12:29
jamielennox	it's crap - but it's been consistently crap for the last 3 years	12:29
*** ayoung has quit IRC		12:30
*** amoralej is now known as amoralej\|lunch		12:30
raildo	jamielennox, better definition ever!	12:31
jamielennox	anyway, i support just patching glance to do v3password for now, it'd be better to do the whole plugin loading thing but we just need to keep v3 working and default	12:32
jamielennox	if you see a way to transition it properly over to keystoneauth i'll definetly chip in and help	12:32
jamielennox	and i don't see anything that saves us from swiftclient	12:32
jamielennox	i've tried a few times	12:33
*** guoshan has quit IRC		12:34
*** mvk has quit IRC		12:45
*** mvk has joined #openstack-keystone		12:46
*** jpena\|lunch is now known as jpena		12:46
*** guoshan has joined #openstack-keystone		12:49
*** asettle has joined #openstack-keystone		12:55
*** david-lyle has joined #openstack-keystone		12:56
*** wasmum has quit IRC		12:58
*** markd__ has joined #openstack-keystone		13:07
*** markd__ has quit IRC		13:08
*** jaosorior has quit IRC		13:09
*** jaosorior has joined #openstack-keystone		13:10
*** spzala has joined #openstack-keystone		13:11
*** spzala has quit IRC		13:11
*** spzala has joined #openstack-keystone		13:11
*** breton has quit IRC		13:12
*** sdake has quit IRC		13:17
*** namnh has quit IRC		13:17
*** breton has joined #openstack-keystone		13:20
*** amoralej\|lunch is now known as amoralej		13:29
*** avozza has joined #openstack-keystone		13:31
*** acoles has quit IRC		13:32
*** openstackstatus has joined #openstack-keystone		13:36
*** ChanServ sets mode: +v openstackstatus		13:36
*** vaishali has quit IRC		13:37
*** r-daneel has joined #openstack-keystone		13:38
*** guoshan has quit IRC		13:41
*** guoshan has joined #openstack-keystone		13:43
-openstackstatus- NOTICE: OpenStack Infra now has a Twitter bot, follow it at https://twitter.com/openstackinfra		13:43
edmondsw	stevemar any idea why the last keystonemiddleware release on openstack-announce was 4.0.0 when github shows we're up to 4.9.0?	13:47
stevemar	edmondsw: link?	13:47
stevemar	edmondsw: that makes no sense	13:47
edmondsw	http://lists.openstack.org/pipermail/openstack-announce/2015-December/000837.html	13:47
edmondsw	try to find a newer one	13:47
edmondsw	that's the latest I can find	13:47
edmondsw	stevemar looking at the content of that announce, it says "Changes in keystonemiddleware 3.0.0..4.0.0"	13:48
edmondsw	makes me think we're only announcing major versions?	13:48
*** sdake has joined #openstack-keystone		13:49
stevemar	oh thats from december of last year	13:49
edmondsw	yep	13:49
edmondsw	I was trying to find when 4.9.0 was released, and... well, I'm not sure where to look since it wasn't announced	13:50
*** guoshan has quit IRC		13:53
stevemar	edmondsw: lemme see	13:53
edmondsw	ty sir	13:53
stevemar	edmondsw: https://github.com/openstack/releases/blob/master/deliverables/newton/keystonemiddleware.yaml#L4	13:54
stevemar	theres your issue	13:54
edmondsw	:(	13:54
stevemar	edmondsw: http://lists.openstack.org/pipermail/openstack-dev/2016-August/thread.html	13:54
edmondsw	yep... that's wrong, though, isn't it? Shouldn't these go on openstack-announce?	13:55
*** spilla has joined #openstack-keystone		13:55
stevemar	edmondsw: ksc is going to announce, but ksm and ksa are going to -dev	13:56
*** gagehugo has joined #openstack-keystone		13:56
stevemar	dhellmann: whats the correct behaviour here? ^	13:57
*** guoshan has joined #openstack-keystone		13:57
dhellmann	stevemar : projects consumed by deployers or end users should send to -announce, others to -dev	13:57
dhellmann	stevemar : http://git.openstack.org/cgit/openstack/releases/tree/README.rst#n195	13:58
knikolla	morning o/	13:59
*** pauloewerton has joined #openstack-keystone		13:59
*** markvoelker has quit IRC		14:02
*** bjolo is now known as bjolo_afk		14:02
lbragstad	o/	14:03
lbragstad	dstanek ping	14:03
dstanek	lbragstad: pong	14:03
lbragstad	dstanek have a minute to visit about https://review.openstack.org/#/c/372655/1	14:03
*** guoshan has quit IRC		14:03
stevemar	edmondsw: sounds like middleware, auth and client should all go to announce :\	14:05
dstanek	lbragstad: sure	14:06
*** shaynek has joined #openstack-keystone		14:06
*** lamt has joined #openstack-keystone		14:07
lbragstad	dstanek so I think I got most of the sql errors I was seeing squared away	14:07
lbragstad	dstanek the failures that looked like this - http://cdn.pasteraw.com/6ewowxka9jp92sok44x2kfqlagqqecl	14:08
lbragstad	so now there are only a couple failures left - 4 are kvs related and one it trust related that I can probably fix	14:08
shaynek	Hi all, could anyone please help me to answer the question in this bug: https://bugs.launchpad.net/python-keystoneclient/+bug/1508374	14:09
openstack	Launchpad bug 1508374 in python-keystoneclient "using session construct client will miss service_catalog property" [Medium,In progress] - Assigned to Mikhail Nikolaenko (mnikolaenko)	14:09
*** markvoelker has joined #openstack-keystone		14:09
*** sdake_ has joined #openstack-keystone		14:09
lbragstad	the kvs ones are failing because we actually trying to create things in the backend prior to the test	14:09
lbragstad	dstanek which is here - https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/token/test_backends.py#L463-L473	14:09
lbragstad	dstanek you can see that the _create_test_data method is only creating dummy values but never actually creating entities in the backend	14:10
lbragstad	which is why my patch was failing because it tries to rebuild the token from scratch	14:11
*** sdake has quit IRC		14:11
lbragstad	so - I guess my question is does the TokenCacheInvalidation test class make sense anymore since it's pretty similar to test_auth.py	14:12
*** woodster_ has joined #openstack-keystone		14:12
dstanek	lbragstad: i'd be happy just create the real data in the test methods and getting rid of that	14:14
dstanek	lbragstad: unless there is a lot of test methods to be changed. then there should be a new test class with common setup	14:14
lbragstad	dstanek right now that only consists of a few tests	14:14
lbragstad	but it's run against a bunch of backends	14:14
dstanek	lbragstad: that class definitely needs to be fixed or replaced now that we need the real data in the backends	14:14
*** ayoung has joined #openstack-keystone		14:15
*** ChanServ sets mode: +v ayoung		14:15
*** rob_d has joined #openstack-keystone		14:15
lbragstad	dstanek right - we were able to write it like that before because the uuid provider never validated any of that information	14:15
lbragstad	dstanek but we apparently run these tests against kvs, too	14:16
lbragstad	and those fail because we can't really write to them	14:16
dstanek	lbragstad: why not?	14:16
dstanek	what kvs is left?	14:16
lbragstad	dstanek http://cdn.pasteraw.com/onfbtt5dfccdv4t08dezf06kiqxyznz	14:16
lbragstad	actually - here is the entire list but you can ignore the sql failures since I already fixed those http://logs.openstack.org/55/372655/1/check/gate-keystone-python27-db-ubuntu-xenial/15d3627/testr_results.html.gz	14:17
dstanek	lbragstad: so can't find default domain is weird. is that not created by the common setup?	14:18
lbragstad	dstanek from somewhere in this chain it should be https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/test_backend_sql.py#L51	14:20
rob_d	...a sys admin is trying WebSSO on Mitaka (works great), having problems with retrieving role assignments in services like murano+sahara.. ok to patch keystone with https://review.openstack.org/#/c/284943/63 ? thanks all	14:20
rodrigods	stevemar, did the last recheck today as last attempt of something be wonky in the infra	14:20
rodrigods	stevemar, will try to run them locally to check what's going on	14:21
stevemar	rodrigods: cool, it was an announcement for everyone on the team, but you and i have been rechecking ;)	14:21
edmondsw	stevemar, so followup question... any idea when the next release of keystonemiddleware will be?	14:22
rodrigods	stevemar, sure :)	14:22
stevemar	edmondsw: i'm tempted to say the release announcements are correct as-is :(	14:22
stevemar	edmondsw: i didn't think anything merged that was significant enough to release?	14:22
dstanek	lbragstad: have you been able to figure out why the domain isn't being created?	14:22
stevemar	edmondsw: i think maybe 2 or 3 things merged?	14:22
lbragstad	dstanek I haven't	14:23
edmondsw	stevemar I'm specifically waiting on the translation enablement, though I doubt things have actually been translated anyway	14:23
lbragstad	dstanek but the error surprised me because it was at first buried in sql errors before I fixed them and I didn't think we supported kvs anymore	14:23
edmondsw	stevemar, but you think announcing ksm and ksa to dev is correct now?	14:23
stevemar	edmondsw: https://github.com/openstack/keystonemiddleware/compare/4.9.0...master yeah, divyas change is the only one	14:24
*** spedione\|AWAY is now known as spedione		14:24
edmondsw	maybe ksm, but ksa is consumed by end users, surely	14:24
stevemar	edmondsw: i mean, i could release it, but do you mind waiting til we have more in the release?	14:25
edmondsw	no, I don't mind waiting, just wondered what the plan was	14:25
*** Guest14517 is now known as med_		14:26
*** med_ has quit IRC		14:26
*** med_ has joined #openstack-keystone		14:26
*** adrian_otto has joined #openstack-keystone		14:26
*** chrisshattuck has joined #openstack-keystone		14:30
stevemar	edmondsw: i think jamielennox has a few more patches he wants to land, so i'll wait for those to merge, if anything i'll release if it's more than 4-6 weeks has gone by	14:31
edmondsw	sounds good, tx	14:31
*** BjoernT has joined #openstack-keystone		14:33
*** spedione is now known as spedione\|AWAY		14:34
stevemar	edmondsw: back to the -dev or -announce thing	14:35
stevemar	edmondsw: i can see an argument for both...	14:35
*** ravelar has joined #openstack-keystone		14:36
edmondsw	ksm is probably just openstack-dev... I think that makes sense	14:36
stevemar	edmondsw: you were looking for ksm in -announce :)	14:36
edmondsw	yeah... I didn't realize we split some things into openstack-dev until dhellman's explanation above... which makes sense, I guess	14:37
edmondsw	so I won't argue that	14:37
edmondsw	but you said ksa is also going to openstack-dev, and that seems wrong	14:37
*** afred312 has quit IRC		14:37
edmondsw	an enduser would need ksa to script to our APIs	14:37
*** jaugustine has joined #openstack-keystone		14:38
*** acoles has joined #openstack-keystone		14:40
stevemar	edmondsw: i would think ksm should go to announce to then	14:40
stevemar	the upgrade changes that ksm and ksa have are impactful for the end users, than dev i would think	14:41
edmondsw	your call	14:41
*** adrian_otto has quit IRC		14:48
*** chrisshattuck has quit IRC		14:49
*** shaynek has quit IRC		14:52
*** slberger has joined #openstack-keystone		14:55
*** adrian_otto has joined #openstack-keystone		14:56
*** adrian_otto has quit IRC		14:57
*** edtubill has joined #openstack-keystone		14:57
*** spedione\|AWAY is now known as spedione		14:58
*** dikonoo has quit IRC		14:59
*** chrisshattuck has joined #openstack-keystone		14:59
stevemar	edmondsw: i don't think it's my call :P	15:01
edmondsw	well, it's probably not mine :P	15:02
*** slberger has quit IRC		15:02
mfisch	stevemar: dstanek so far so good in my virtual environment over night, deploying to lab environment in about an hour	15:02
mfisch	will let you kno	15:02
*** slberger has joined #openstack-keystone		15:03
*** nk2527 has quit IRC		15:05
edmondsw	stevemar, ask mfisch what he thinks... there's a deployer / end-user for you :)	15:05
mfisch	so whats the question?	15:06
edmondsw	whether keystonemiddleware and keystoneauth should be announced on openstack-dev or openstack-announce	15:06
edmondsw	openstack-dev is where internal things are announced, whereas things that deployers / end-users care about should be announced on openstack-announce	15:07
dstanek	mfisch: great, thanks	15:07
*** avozza has quit IRC		15:09
mfisch	edmondsw: personally its fine to get them but I also dont care	15:09
mfisch	unless there's some major bug I need to be fixed	15:10
edmondsw	:)	15:10
mfisch	we don't upgrade middleware generally, its part of a holisitic service, like neutron or nova	15:10
stevemar	mfisch: you track both -announce and the [release] tag in -dev? i assume?	15:10
mfisch	I think only announce	15:10
mfisch	for dev I track keystone, trove, and puppet	15:11
mfisch	and maybe 1-2 others	15:11
*** roxanaghe has joined #openstack-keystone		15:22
*** slberger has quit IRC		15:32
ayoung	stevemar, checkout the new nova default policy file. It looks like this	15:34
ayoung	{}	15:34
stevemar	ayoung: they've had it like that for a while i thought?	15:34
stevemar	ayoung: ever since they landed the one that alaski worked on, to generate it from code	15:35
*** tung_doan has joined #openstack-keystone		15:35
*** slberger has joined #openstack-keystone		15:35
ayoung	stevemar, yeah, but I only just looked at it. And now everyone that customizes policy has to go and look for the tool to generate the default rules. SHould have at least put a comment in there how to do that.	15:35
stevemar	ayoung: yay for json and not allowing comments :)	15:36
stevemar	ayoung: https://github.com/openstack/nova/blob/master/tox.ini#L60-L61	15:36
stevemar	they treat it like they do the sample config file	15:36
stevemar	reasonable defaults, and if you want to customize, generate the file and tweak it	15:36
stevemar	i don't know if i agree with that, but it's what they've decided	15:37
bknudson	I was supposed to add support for yaml policy files but got reassigned so didn't work on it.	15:37
*** roxanaghe has quit IRC		15:37
ayoung	stevemar, "comment" : "to generate the rulesfile run the command oslopolicy-policy-generator --namespace nova --output-file policy.json" is valid json	15:38
stevemar	ayoung: true	15:39
stevemar	ayoung: propose it :)	15:39
ayoung	stevemar, I alrayd have afull page of rejected reviews. Not going to add to it until I do some house keeping	15:39
stevemar	do no nova peeps hang out in keystone?	15:40
stevemar	mr<tab> fail, sd<tab> fail	15:40
*** jaosorior has quit IRC		15:40
ayoung	stevemar, I already talked with the nova guys about it. They are the ones that gave me the policy gen commands.	15:43
ayoung	right now I am just trying to figure out a plan to manage policy dynamically so we can, eventually, get to a sane policy approach across the services	15:44
bknudson	keystone just works so other devs haven't felt the need to join	15:44
stevemar	bknudson: that's not the opinion of some folks :P	15:44
*** ezpz_ has joined #openstack-keystone		15:49
*** ezpz_ is now known as ezpz		15:49
*** EinstCrazy has quit IRC		15:50
lbragstad	should https://github.com/openstack/keystone/blob/3b24a6fca67ff595b5e37fb020eea37717ab7ce1/keystone/tests/unit/test_v3_trust.py#L243 be the inverse?	15:53
*** adrian_otto has joined #openstack-keystone		15:54
*** mvk has quit IRC		15:55
*** Marcellin__ has joined #openstack-keystone		15:58
*** gyee has joined #openstack-keystone		15:58
*** roxanaghe has joined #openstack-keystone		16:03
*** code-R has quit IRC		16:05
*** code-R has joined #openstack-keystone		16:06
*** code-R has quit IRC		16:07
*** roxanaghe has quit IRC		16:08
*** browne has joined #openstack-keystone		16:08
*** marekd2 has quit IRC		16:16
*** marekd2 has joined #openstack-keystone		16:16
*** marekd2_ has joined #openstack-keystone		16:19
*** marekd2 has quit IRC		16:19
*** marekd2_ has quit IRC		16:20
*** avozza has joined #openstack-keystone		16:23
openstackgerrit	Lance Bragstad proposed openstack/keystone: Ensure all v2.0 tokens are validated the same way https://review.openstack.org/372655	16:24
openstackgerrit	Lance Bragstad proposed openstack/keystone: Make sure all v3 tokens are validated the same way https://review.openstack.org/371083	16:24
lbragstad	dstanek dolphm y'all were right - just needed to populate the data for the kvs tests ^	16:24
rodrigods	anyone has a fresh devstack deployment handy?	16:24
dstanek	:)	16:24
rodrigods	i want to confirm something	16:24
rderose	rodrigods: how fresh?	16:25
rderose	rodrigods: mine's yesterday	16:25
rodrigods	rderose, hmm should be good enough	16:25
rodrigods	rderose, can you try https://adam.younglogic.com/2013/09/keystone-v3-api-examples/ ?	16:25
rodrigods	rderose, get a token like that, and then fetch the domains list	16:25
rderose	sure, give me a few	16:26
rderose	rodrigods: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}	16:32
rodrigods	rderose, same here	16:32
rodrigods	rderose, i guess we have a bug	16:32
rderose	hmm... yeah	16:32
rodrigods	stevemar, ^ the reason ksc tests are failing	16:32
dstanek	lbragstad: if you can limit the data created to only what you actually use in the tests	16:33
*** code-R has joined #openstack-keystone		16:35
lbragstad	dstanek ah - good point	16:36
lbragstad	i think there the only thing that matters is that a default domain exists	16:36
*** code-R_ has joined #openstack-keystone		16:36
*** code-R has quit IRC		16:40
lbragstad	dstanek actually - it looks like load_fixtures creates everything we need, so I should be able to reuse most of that instead	16:41
*** asettle has quit IRC		16:41
*** asettle has joined #openstack-keystone		16:42
rderose	rodrigods: sorry, put in the wrong password	16:43
rderose	rodrigods: this did work	16:43
rderose	rodrigods: actually...	16:44
rderose	hold on	16:44
rderose	rodrigods: nope, confirmed doesn't work: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}	16:45
rodrigods	rderose, here i've did ". openrc admin admin", then 'openstack token issue' and it worked	16:46
rderose	hmm...	16:47
*** asettle has quit IRC		16:47
rderose	http://paste.openstack.org/show/582286/	16:47
rderose	curl -si -H"X-Auth-Token:9880b87020fd4a14920779aea80c3ec3" -H "Content-type: application/json" http://localhost:35357/v3/domains	16:47
rderose	rodrigods: ^ okay, this worked	16:48
*** ravelar has quit IRC		16:48
rodrigods	rderose, so the error was in the syntax after all :)	16:48
rderose	yeah, looks like it :)	16:49
*** ravelar has joined #openstack-keystone		16:52
*** gyee_ has joined #openstack-keystone		16:53
*** roxanaghe has joined #openstack-keystone		16:53
*** mvk has joined #openstack-keystone		16:55
*** rcernin has quit IRC		16:55
*** ravelar has quit IRC		16:55
*** EinstCrazy has joined #openstack-keystone		16:56
*** adrian_otto has quit IRC		16:56
*** gyee has quit IRC		16:57
*** itsuugo has quit IRC		17:02
*** BjoernT has quit IRC		17:02
*** itsuugo has joined #openstack-keystone		17:03
*** tung_doan has quit IRC		17:04
*** jpena is now known as jpena\|off		17:06
*** pcaruana has quit IRC		17:14
*** amoralej is now known as amoralej\|off		17:17
openstackgerrit	Lance Bragstad proposed openstack/keystone: Ensure all v2.0 tokens are validated the same way https://review.openstack.org/372655	17:17
*** gagehugo has quit IRC		17:19
*** gagehugo has joined #openstack-keystone		17:20
lbragstad	dstanek cleaned up by using the existing data that's created by load_fixtures instead of creating new stuff ^	17:26
*** gyee_ has quit IRC		17:28
rodrigods	dstanek, hmm think something is odd in the cache	17:34
dstanek	rodrigods: ?	17:34
rodrigods	dstanek, to delete a domain we need to disable it first and sometimes the deletion fails because the domains was still enabled	17:34
rodrigods	but not really	17:35
rodrigods	it has been disabled first	17:35
dstanek	internal checks like that should not be using cached data. sounds like a bug	17:35
*** code-R_ has quit IRC		17:36
*** itsuugo has quit IRC		17:36
rodrigods	dstanek, pasting the logs here	17:37
rodrigods	dstanek, http://paste.openstack.org/raw/582290/	17:38
*** itsuugo has joined #openstack-keystone		17:38
openstackgerrit	Merged openstack/keystone: Fix prameters names in Keystone API v2-ext https://review.openstack.org/368618	17:40
rodrigods	dstanek, the error is also intermittent, sometimes the error is due authorization not being granted, i think it is related to cache too	17:40
dstanek	rodrigods: so the 'delete_domain' manager method gets the domain directly from the driver - so it is not getting cached data	17:41
*** acoles is now known as acoles_		17:42
*** shaleh has joined #openstack-keystone		17:43
rodrigods	dstanek, yeah, saw that... cache was the first guess when i saw the logs	17:44
*** itsuugo has quit IRC		17:45
*** itsuugo has joined #openstack-keystone		17:46
*** tqtran has joined #openstack-keystone		17:47
*** asettle has joined #openstack-keystone		17:49
shaleh	dstanek, rodrigods: have you hammered out an understanding regarding my review 339558?	17:50
rodrigods	shaleh, dstanek one sec	17:52
rodrigods	shaleh, dstanek changed the score, not approving since i still think that would be better doing something as suggested	17:53
shaleh	rodrigods: why? explicit versus implicit is a tenant of Python coding. Hiding the assert buries the test.	17:53
rodrigods	shaleh, "hiding" was a suggestion to not redo the setup in test_put()	17:54
shaleh	But why are you opposed to the explicit, specific set up of the implied role?	17:55
*** nk2527 has joined #openstack-keystone		17:55
rodrigods	shaleh, we do something similar in ksc functional tests, the difference is that we redo the setup in the test for the create action	17:55
shaleh	The truly common things like roles and users are being done in setUp()	17:55
shaleh	true. But as dstanek pointed out, the attempt at being overly DRY is leading to wasted code which slows down the test suite.	17:57
dstanek	rodrigods: hopefully you won't be dissapointed, but i have been and have plans to continue making our tests more like this	17:57
shaleh	When C derives from B derives from A and all of the setUp()s are creating things there is wasted effort	17:58
rodrigods	dstanek, i saw some of the changes in this direction	17:58
rodrigods	dstanek, i really like them, but it is exactly the same call in the setup for this test and i don't think we use inheritance there	17:59
rodrigods	so...	17:59
rodrigods	anyway	17:59
openstackgerrit	Andrew Laski proposed openstack/oslo.policy: Perform basic checks on policy definitions https://review.openstack.org/373491	17:59
*** adrian_otto has joined #openstack-keystone		18:04
*** adrian_otto has quit IRC		18:08
*** acoles_ is now known as acoles		18:12
*** code-R has joined #openstack-keystone		18:13
*** code-R has quit IRC		18:14
*** chrisshattuck has quit IRC		18:16
*** aswadr_ has quit IRC		18:22
*** NishaYadav has joined #openstack-keystone		18:22
*** NishaYadav is now known as Guest29436		18:22
*** Guest29436 has quit IRC		18:25
*** nisha_ has joined #openstack-keystone		18:25
*** asettle has quit IRC		18:25
*** ravelar has joined #openstack-keystone		18:28
*** adrian_otto has joined #openstack-keystone		18:35
*** acoles is now known as acoles_		18:40
*** itsuugo has quit IRC		18:49
*** sdake_ is now known as sdake		18:50
*** itsuugo has joined #openstack-keystone		18:51
*** chrisshattuck has joined #openstack-keystone		18:52
openstackgerrit	Alexander Makarov proposed openstack/keystone: Verbose 401/403 debug responses https://review.openstack.org/372433	18:59
*** markvoelker has quit IRC		19:03
dstanek	rodrigods: a wise man once said, "setting up something for failure works now, but eventually fails"	19:03
dstanek	rodrigods: besides i'd just have to clean it up in my next round of test fixes	19:03
shaleh	339558 now needs a final +A. Does someone have time to kick it?	19:05
rodrigods	dstanek, ++	19:05
*** markvoelker has joined #openstack-keystone		19:07
*** shaleh is now known as shaleh\|away		19:07
knikolla	so, what will be the new scope of the service providers change? what i got out from the meeting is that there is a desire to also remove the sp information from the catalog in the token.	19:07
knikolla	alongside all the client changes that that will require.	19:08
*** itsuugo has quit IRC		19:12
*** nisha_ has quit IRC		19:13
*** itsuugo has joined #openstack-keystone		19:14
*** gagehugo has quit IRC		19:17
*** gagehugo has joined #openstack-keystone		19:18
*** itsuugo has quit IRC		19:28
*** itsuugo has joined #openstack-keystone		19:29
*** mfisch has quit IRC		19:32
*** mfisch has joined #openstack-keystone		19:33
*** mfisch has quit IRC		19:33
*** mfisch has joined #openstack-keystone		19:33
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation model https://review.openstack.org/208488	19:33
*** itsuugo has quit IRC		19:36
*** shaleh\|away is now known as shaleh		19:37
*** itsuugo has joined #openstack-keystone		19:37
*** itsuugo has quit IRC		19:44
*** itsuugo has joined #openstack-keystone		19:45
*** avozza has quit IRC		19:50
*** slberger has quit IRC		19:54
*** slberger has joined #openstack-keystone		19:55
*** EinstCrazy has quit IRC		19:56
*** itsuugo has quit IRC		20:01
*** adrian_otto has quit IRC		20:02
*** itsuugo has joined #openstack-keystone		20:03
openstackgerrit	Richard Avelar proposed openstack/keystone: POC sql query revoked tokens https://review.openstack.org/359371	20:04
*** mdurrant has joined #openstack-keystone		20:04
*** nk2527 has quit IRC		20:05
openstackgerrit	Samuel Pilla proposed openstack/keystone: Domain included for role in list_role_assignment https://review.openstack.org/373516	20:08
*** ravelar has quit IRC		20:13
dstanek	knikolla: i would think that first we create a usable API to get the information and then fix clients to start using it from there instead of the catalog and then deprecated the entries in the catalog	20:15
dstanek	they probably have to stay in the catalog for quite some time unless we use a config option or something to remove them	20:16
knikolla	dstanek: sure.	20:16
knikolla	dstanek: would the api be of the form OS-EXT?	20:16
dstanek	i personally don't like that extension style of APIs. i'd rather it just be a first class API like anything else.	20:17
knikolla	++	20:18
nicolasbock	Hi! I am trying to understand domains in keystone. From the Security Guide for example I read that 'Domains are high-level containers for projects, users and groups'	20:18
nicolasbock	How should I interpret that statement?	20:18
nicolasbock	Are domains a superclass of projects?	20:18
nicolasbock	I mean, is there a hierarchy in which domains are at the top, and projects live underneath them?	20:19
dstanek	nicolasbock: more or less yes	20:19
knikolla	dstanek: what relation would it have to /v3/OS-FEDERATION/service_providers?	20:19
nicolasbock	dstanek, then does the 'Default' domain have any special meaning?	20:19
nicolasbock	or is it hierarchically speaking equivalent to other domains	20:20
dstanek	nicolasbock: it's used by v2 because that version is not API aware	20:20
dstanek	sometimes admin users/projects are put there (maybe because it's easy)	20:20
nicolasbock	dstanek, but in the database, the default domain doesn't have a standard id	20:21
dstanek	knikolla: that's a good question... without worrying too much about the URL i think you should document what APIs we need	20:21
dstanek	nicolasbock: it can be configured so that keystone knows what it is	20:22
bknudson	the default domain is used for v2 operations	20:22
dstanek	nicolasbock: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n934 'default' is the default	20:22
bknudson	if you're not using v2 then there's no need for a default domain.	20:22
knikolla	dstanek: yep, i'll do that	20:23
dstanek	bknudson: that's a good point. it has no special meaning in v3	20:23
nicolasbock	bknudson, dstanek, so in the case of v3, the domains are all hierarchically equal	20:23
nicolasbock	and I could put the service users in a domain other than Default	20:24
bknudson	you can put service users in a domain other than the default.	20:24
nicolasbock	v2 doesn't understand domains, right?	20:26
*** chrisshattuck has quit IRC		20:26
bknudson	right, domains is a v3 concept	20:26
nicolasbock	which means that if I want to support v2 and v3, I need to make the default domain the one in which my users live	20:26
bknudson	that's right.	20:27
stevemar	finally back	20:27
nicolasbock	ok, thanks, I think things are a little clearer now :)	20:27
stevemar	dstanek: thanks for covering	20:27
stevemar	dstanek: whats with the TA for the VMT thing?	20:28
dstanek	stevemar: ma pleasure	20:28
dstanek	TA?	20:28
nicolasbock	bknudson, one more question: Suppose I want to change the default domain: Is that just a matter of setting 'default_domain_id'?	20:28
bknudson	nicolasbock: as far as keystone is concerned, that's all you need to do.	20:29
dstanek	nicolasbock: if you have existing resouces in a domain that is currently the default things might now work as expected	20:29
nicolasbock	bknudson, you mean for v2 users?	20:29
bknudson	nicolasbock: if you change the default_domain_id then v2 ops are going to look there for users and stuff.	20:30
nicolasbock	bknudson, ok, that makes sense.	20:30
nicolasbock	bknudson, thanks so much for all your help!	20:30
bknudson	no problem	20:30
dstanek	nicolasbock: bknudson: right so users might not be able to login anymore through v2	20:30
nicolasbock	dstanek, thanks, so I just have to convince everyone to switch to v3 :)	20:30
dstanek	nicolasbock: ++	20:31
dstanek	breaking v2.0 will likely do that :-)	20:31
dstanek	(or get you fired)	20:31
nicolasbock	dstanek, very subtle :)	20:31
nicolasbock	I'll blame it on upstream :)	20:31
dstanek	happy to help :-)	20:32
*** spilla has quit IRC		20:33
*** roxanaghe has quit IRC		20:39
*** roxanaghe has joined #openstack-keystone		20:40
*** slberger has quit IRC		20:44
stevemar	dstanek: TA == threat analysis	20:45
breton	stevemar: flu got me since Thu, so i don't have patches to backport. Tomorrow maybe.	20:45
stevemar	breton: get better soon, let me know sooner rather than later, i want to cut a new version this week	20:46
breton	stevemar: will do	20:47
*** asettle has joined #openstack-keystone		20:49
*** roxanaghe has quit IRC		20:52
*** spedione is now known as spedione\|AWAY		20:52
*** slberger has joined #openstack-keystone		20:52
*** roxanaghe has joined #openstack-keystone		20:52
dstanek	stevemar: i have to read the docs a little and come up with a task list for getting all of our projects managed under the VMT	20:55
*** LamT_ has joined #openstack-keystone		20:55
*** roxanaghe has quit IRC		20:57
stevemar	dstanek: okay, is this a cross-project initiative, or mandated by someone / something ? :)	20:57
stevemar	dstanek: let me know if we're stretching you too thin, with reviews and vmt, and other bits	20:57
dstanek	stevemar: i just want to get the list of tasks together. then i'm hoping to get others to help out :-)	20:59
stevemar	dstanek: ಠ_ಠ	21:01
stevemar	lbragstad: don't worry about the bug from the meeting today, i already verified it doesn't happen in master	21:02
*** gagehugo has quit IRC		21:02
lbragstad	stevemar ah	21:02
stevemar	lbragstad: looks like a misconfiguration	21:02
lbragstad	stevemar sounds good - I was just starting a devstack build	21:02
lbragstad	stevemar so it will probably be closed then?	21:03
*** gagehugo has joined #openstack-keystone		21:03
*** jaugustine has quit IRC		21:03
lbragstad	or marked as invalid?	21:03
stevemar	lbragstad: probably, its open against nova atm	21:03
mfisch	stevemar: about 8 hours in and no issues	21:04
*** gyee has joined #openstack-keystone		21:04
*** ChanServ sets mode: +v gyee		21:04
*** lamt has quit IRC		21:05
stevemar	mfisch: i'm guessing it would have happened by now?	21:06
mfisch	it should have yeah, Im off tomorrow but will look again on thu	21:06
mfisch	by then for sure	21:06
stevemar	mfisch: if that patch also fixed the v2 catalog in v3 token bug, i'd be sooooo happy	21:07
mfisch	no KeyErrors in any logs in my lab in the last 3 days	21:07
mfisch	i know before we had thousands	21:07
stevemar	mfisch: stupid question, but you re-enabled caching right? :)	21:07
mfisch	yeah	21:08
stevemar	mfisch: just making sure :)	21:08
mfisch	memcache up to #3 memory user now	21:08
mfisch	STAT bytes 227594405	21:08
mfisch	STAT curr_items 16150	21:08
mfisch	STAT total_items 20479	21:08
bknudson	might as well use all the memory otherwise it's wasted	21:08
mfisch	I cap it at 10% because its a pig	21:09
*** ezpz has quit IRC		21:09
*** browne has quit IRC		21:09
*** pauloewerton has quit IRC		21:10
bknudson	What do you think about changing keystone so that user invalidations don't go in the events list, but instead we check if the user is still valid?	21:10
bknudson	Seems like it would be a pretty easy change (except for the issue of supporting old keystones)	21:11
*** roxanaghe has joined #openstack-keystone		21:11
bknudson	another idea - take advantage of "last_fetch" in revocation event listing somehow. The server would have to save the revocation events (maybe in memcache)	21:12
mfisch	me?	21:14
mfisch	disabling the user is the first thing we'd do if someone was hax0ring us	21:14
mfisch	token validation would be 2nd or 3rd	21:14
bknudson	unfortunately, might be hard since we have an api to get the revocation events...	21:15
*** browne has joined #openstack-keystone		21:22
*** browne has quit IRC		21:24
bknudson	mfisch: do you see a significant slowdown when there are some revocation events?	21:27
mfisch	yes, I have	21:28
bknudson	ever look into it?	21:29
mfisch	well there was ML discussion with adam about it	21:29
bknudson	I've been looking into it for a couple of days to see what's causing it.	21:29
lbragstad	bknudson the slow down when the revocation event table grows?	21:29
bknudson	lbragstad: yes.	21:30
lbragstad	bknudson after hearing some of the results from ravelar's work - it seems like the revocation check being in python isn't helping anything	21:31
bknudson	lbragstad: why is having the revocation check in python a problem?	21:32
bknudson	Here's an example timing: revoke.sql list_events: 0:00:00.211991 for 2050 - q:0:00:00.178369	21:33
bknudson	so list_events takes .212s , where the query takes .178 of that	21:33
lbragstad	bknudson ravelar was working on a POC to push the check in to sql	21:33
*** adriant has joined #openstack-keystone		21:34
bknudson	so token validation is going to take at least .212s , which is way too slow.	21:34
lbragstad	so instead of asking the backend for a list of revocation events and comparing them one by one in python - he was making it so that we would ask sql if there were any revocation records that matched these token values	21:34
bknudson	now, for some reason the call to list_events actually takes .324s	21:35
bknudson	lbragstad: that might be faster... would have to measure it.	21:35
lbragstad	bknudson i thought he did - but i'd have to ask him	21:35
bknudson	lbragstad: in the meantime, we could, stop putting user revocations into revocation event table.	21:35
lbragstad	either way - it sounds like you two were working on something very similar	21:36
lbragstad	bknudson stop putting user revcoations in the revocation table/	21:36
bknudson	lbragstad: btw - moving the event query into sql would make it impossible to cache.	21:36
lbragstad	like - stop storing use revocation events period?	21:36
lbragstad	for users?	21:37
bknudson	lbragstad: right, for user revocation events go to the identity manager to check if the user is disabled.	21:37
bknudson	I guess that wouldn't catch password changes?	21:37
lbragstad	bknudson yeah - that's the tricky one	21:37
bknudson	we'd have to still have revocation events for password changes.	21:37
bknudson	but for user disable / delete wouldn't need an event.	21:38
lbragstad	change password is one of the rare places were we need a revocation event	21:38
lbragstad	bknudson right - i have a couple patches up that might help with that, too	21:38
bknudson	another option is to take advantage of the last_fetch parameter.	21:38
bknudson	so in memcache would store the revocation event list + last_fetch	21:38
bknudson	and then the sql query would do last_fetch from there	21:39
lbragstad	ah	21:39
bknudson	and then update memcache with the new list + fetch time	21:39
bknudson	would have to prune the list.	21:39
bknudson	that should be pretty fast.	21:40
lbragstad	yeah - i'd be curious to see taht	21:40
dstanek	bknudson lbragstad: an SQL solution should be faster for large datasets	21:43
*** edtubill has quit IRC		21:43
*** spzala has quit IRC		21:43
bknudson	dstanek: serialization / deserialization seems to be taking a lot of the time, and that's only to going to grow with the # of events.	21:44
lbragstad	we should also trim some events	21:44
bknudson	even if memcache is used there's going to be a lot of serdes.	21:45
bknudson	so maybe losing memcache isn't a big deal.	21:45
dstanek	lbragstad: my worry with trimming events is that we have an api for them	21:45
*** edmondsw has quit IRC		21:46
bknudson	maybe we need a config option or something. :(	21:46
lbragstad	moar config options...	21:46
bknudson	which disables the API	21:46
lbragstad	i thought revocation events were internal only	21:46
bknudson	has it been deprecated long enough that we can drop it? We'd need a V4.	21:46
bknudson	no, there's an api for revocation events -- auth_token middleware was supposed to use it.	21:47
lbragstad	revocation lists have an api	21:47
*** adu has joined #openstack-keystone		21:47
dstanek	bknudson: i wouldn't start out using memcached for revocation data. i'm curious to see what the speedup is to just filter data on the DB side	21:47
lbragstad	oh ...	21:47
bknudson	that's why there's a last_fetch time.	21:47
stevemar	bknudson: i believe lbragstad is correct, the only API for revocation stuff is listing events	21:54
bknudson	http://git.openstack.org/cgit/openstack/keystone/tree/api-ref/source/v3-ext/revoke.inc#n35	21:55
*** lamt has joined #openstack-keystone		21:56
lbragstad	https://github.com/openstack/keystone/blob/0ec3b88a317236ab9daa36e352d17427fd3d1148/keystone/revoke/routers.py#L27	21:57
bknudson	identity v4 here we come!	21:59
bknudson	Maybe avelar's change works well enough I can try it out.	22:00
*** roxanaghe has quit IRC		22:08
*** roxanaghe has joined #openstack-keystone		22:09
*** asettle has quit IRC		22:14
breton	the whole thing ^ sounds complex	22:15
breton	maybe we could just store password id in a token	22:15
*** iurygregory_ has joined #openstack-keystone		22:15
breton	it will take just sizeof(int) bytes in unencrypted token	22:17
*** itsuugo has quit IRC		22:20
*** itsuugo has joined #openstack-keystone		22:21
*** hoonetorg has quit IRC		22:24
*** slberger has left #openstack-keystone		22:24
*** roxanaghe has quit IRC		22:27
*** r-daneel has quit IRC		22:34
*** roxanaghe has joined #openstack-keystone		22:45
*** gyee has quit IRC		22:47
*** ravelar has joined #openstack-keystone		22:48
*** itsuugo has quit IRC		22:49
rodrigods	lbragstad, there? i think the round down change is the issue :(	22:49
rodrigods	undid it here and the tests are passing	22:50
*** itsuugo has joined #openstack-keystone		22:50
rodrigods	dstanek, stevemar ^	22:51
*** nkinder has quit IRC		22:52
*** ravelar has quit IRC		22:53
*** roxanaghe has quit IRC		22:55
*** hoonetorg has joined #openstack-keystone		22:56
stevemar	rodrigods: ruh roh	22:58
*** tonytan4ever has quit IRC		22:58
rodrigods	stevemar, Depends-On runs with the correct code of the other repo, right?	22:58
stevemar	rodrigods: yep	22:58
*** roxanaghe has joined #openstack-keystone		22:59
stevemar	rodrigods: propose a revert of Iaee0ec8c7acd512b9d93096ce8306a2952061c7a and add a Depends-On to the new commit id	22:59
rodrigods	stevemar, cool, so I'll revert them and send a test commit to ksc to prove the tests are working	22:59
stevemar	++	22:59
jamielennox	dstanek, stevemar: it would be good to have https://review.openstack.org/#/c/371856/ in the release	23:00
stevemar	jamielennox: in the newton release?	23:00
stevemar	jamielennox: why's that?	23:00
breton	that's funny how we cannot win these round down issues for... a year?	23:01
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Revert "Add unit tests for isotime()" https://review.openstack.org/373553	23:02
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Revert "Consistently round down timestamps" https://review.openstack.org/373554	23:02
*** hoonetorg has quit IRC		23:02
stevemar	breton: seems like it!	23:02
*** markvoelker has quit IRC		23:03
*** markvoelker has joined #openstack-keystone		23:03
jamielennox	stevemar: this is the is_admin_project one we talked about the other day	23:03
stevemar	jamielennox: y, i know, but why must it go into newton?	23:04
jamielennox	keystone being about the only project (and probably the most useful project) that doesn't do any form of is_admin_project in policy checking	23:04
jamielennox	well it would give us the functionality across (i think) all the core services	23:05
jamielennox	however i'm not particularly bound by release cycles any more so if it sliips it doesn't bother me too much	23:05
*** adu has quit IRC		23:05
openstackgerrit	Rodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: Check functional tests https://review.openstack.org/373555	23:05
rodrigods	stevemar, ^	23:05
jamielennox	based on talking other day it seemed you were ok with the late inclusion so i wanted to make sure to keep pushing it	23:05
*** tonytan4ever has joined #openstack-keystone		23:06
stevemar	jamielennox: i meant i was OK with the patch in general, including it in rc2 - ehhhh	23:06
stevemar	jamielennox: last thing i want it an issue like what rodrigods is working on now :(	23:07
stevemar	jamielennox: include keystone in the bug report? https://bugs.launchpad.net/neutron/+bug/1602081	23:08
openstack	Launchpad bug 1602081 in neutron "Use oslo.context's policy dict" [High,In progress] - Assigned to Jamie Lennox (jamielennox)	23:08
rodrigods	stevemar, let's start requiring functional tests for such changes	23:10
rodrigods	ideally at ksc, because we go through the whole stack	23:10
jamielennox	rodrigods: did you find the problem for ksc?	23:12
rodrigods	jamielennox, i hope so	23:12
rodrigods	jamielennox, at least, the tests are passing locally	23:13
jamielennox	what happened?	23:13
rodrigods	jamielennox, https://review.openstack.org/#/c/373554/	23:13
*** adrian_otto has joined #openstack-keystone		23:15
rodrigods	jamielennox, submitted https://review.openstack.org/#/c/373555/ to verify the fix upstream	23:16
rodrigods	stevemar, what about add the ksc functional tests job to keystone?	23:17
rodrigods	(and other repos)	23:17
*** itsuugo has quit IRC		23:18
jamielennox	rodrigods: that's weird, will_expire_soon is fairly lenient, the only thing i can see it being a problem for is maybe auth_token checks but if it's just rounding it shouldn't matter	23:18
*** itsuugo has joined #openstack-keystone		23:18
*** hoonetorg has joined #openstack-keystone		23:19
rodrigods	jamielennox, that was my guess, what i know is that it fails here https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L348-L351	23:20
rodrigods	because "Invalid user token" appears in the log	23:21
*** itsuugo has quit IRC		23:23
*** itsuugo has joined #openstack-keystone		23:24
stevemar	rodrigods: still failing	23:25
rodrigods	stevemar, yeah... but they pass locally	23:25
rodrigods	how can i be sure they have run considering the keystone change?	23:25
stevemar	rodrigods: it looks like it did here: http://status.openstack.org/zuul/	23:26
rodrigods	stevemar, right	23:27
rodrigods	:(	23:27
stevemar	rodrigods: http://logs.openstack.org/55/373555/1/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/c4617f3/logs/devstacklog.txt.gz#_2016-09-20_23_10_00_984	23:28
rodrigods	let me do more testing	23:28
stevemar	rodrigods: right next to keystone:install_keystone:556	23:28
stevemar	rodrigods: fwiw, it looks like less tests are failing now	23:28
stevemar	rodrigods: now it's only test_domains (it tries to delete before disabling)	23:29
*** hoonetorg has quit IRC		23:29
rodrigods	stevemar, this issue happens sometimes here	23:29
stevemar	rodrigods: and now update_role_domain and list_roles are both failing	23:29
rodrigods	stevemar, it is because the "disable" action is the one that has the "invalid" token	23:29
stevemar	ah	23:29
stevemar	rodrigods: yeah, depends on where it's run, some tests are failing more than others: http://logs.openstack.org/69/369469/1/gate/gate-keystoneclient-dsvm-functional-ubuntu-xenial/99ed136/testr_results.html.gz and http://logs.openstack.org/24/371324/1/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/4ad8dac/testr_results.html.gz	23:31
*** hoonetorg has joined #openstack-keystone		23:31
stevemar	rodrigods: also the tokens expire in 1 hr	23:35
stevemar	the rounding patch only affecting things in the microsecond range	23:35
stevemar	dinner time	23:36
*** BjoernT has joined #openstack-keystone		23:37
jamielennox	rodrigods: so if it's failing there i'd be more inclined to blame keystone's validate	23:37
jamielennox	rodrigods: but in which case it would be affecting more than just keystoneclient's tests	23:37
breton	the thing we are discussing now would be one my candidates for mitaka btw	23:39
*** ravelar has joined #openstack-keystone		23:45
*** ravelar has quit IRC		23:45
*** Alexey_Abashkin_ has joined #openstack-keystone		23:45
*** Alexey_Abashkin has quit IRC		23:46
*** tonytan4ever has quit IRC		23:47
*** itsuugo has quit IRC		23:58
rodrigods	stevemar, recreating my devstack, hopefully more logs can help	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!