Tuesday, 2016-09-27

« Monday, 2016-09-26 Index Wednesday, 2016-09-28 »
*** adrian_otto has joined #openstack-keystone00:02
*** adrian_otto has quit IRC00:07
*** adrian_otto has joined #openstack-keystone00:11
*** spzala has joined #openstack-keystone00:15
*** adrian_otto has quit IRC00:16
*** adrian_otto has joined #openstack-keystone00:18
*** browne has quit IRC00:28
*** markvoelker has quit IRC00:30
*** adrian_otto has quit IRC00:31
*** david-lyle_ has joined #openstack-keystone00:38
openstackgerritRodrigo Duarte proposed openstack/keystone: PCI-DSS functional tests  https://review.openstack.org/37701000:39
*** david-lyle has quit IRC00:41
*** Marcellin__ has quit IRC00:47
*** tqtran has quit IRC00:48
*** adu has quit IRC00:51
*** GB21 has joined #openstack-keystone00:52
*** adu has joined #openstack-keystone00:54
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: test revocation search to sql  https://review.openstack.org/37499901:15
*** EinstCrazy has joined #openstack-keystone01:15
*** davechen has joined #openstack-keystone01:24
*** alex_xu has quit IRC01:27
*** sdake has quit IRC01:28
*** alex_xu has joined #openstack-keystone01:31
*** markvoelker has joined #openstack-keystone01:31
*** harlowja has quit IRC01:35
*** markvoelker has quit IRC01:36
*** spzala has quit IRC01:55
*** haplo37_ has quit IRC02:00
*** haplo37_ has joined #openstack-keystone02:02
openstackgerritTony Xu proposed openstack/pycadf: Clean oslo.i18n  https://review.openstack.org/37452202:07
*** ebalduf has joined #openstack-keystone02:07
darrenchi, I'm testing the install guide and have an issue with installing keystone. Can anyone help?02:07
darrencI'm getting the same issue mentioned here: https://bugs.launchpad.net/openstack-manuals/+bug/161240902:09
openstackLaunchpad bug 1612409 in openstack-manuals "Populate the Identity service database" [Undecided,Invalid]02:09
*** ebalduf has quit IRC02:09
*** richm has quit IRC02:24
*** adrian_otto has joined #openstack-keystone02:27
*** nicolasbock has quit IRC02:29
*** henrynash has quit IRC02:30
*** henrynash has joined #openstack-keystone02:34
openstackgerritAnh Tran proposed openstack/python-keystoneclient: TrivialFix: Using assertTrue() instead of assertEqual(True)  https://review.openstack.org/37716502:34
*** adrian_otto has quit IRC02:35
*** GB21 has quit IRC02:37
*** iurygregory_ has quit IRC02:38
*** richm has joined #openstack-keystone02:41
*** david-lyle_ has quit IRC02:48
*** gagehugo has quit IRC02:49
*** david-lyle has joined #openstack-keystone02:49
openstackgerritAnh Tran proposed openstack/pycadf: TrivialFix: Using assertTrue() instead of assertEqual(True)  https://review.openstack.org/37717202:53
*** GB21 has joined #openstack-keystone02:54
*** sdake has joined #openstack-keystone02:55
openstackgerritAnh Tran proposed openstack/pycadf: TrivialFix: Using assertTrue/False instead of assertEqual()  https://review.openstack.org/37717202:56
*** david-lyle has quit IRC03:04
*** ravelar has quit IRC03:04
*** sdake has quit IRC03:15
*** adrian_otto has joined #openstack-keystone03:16
*** adu has quit IRC03:18
*** sdake has joined #openstack-keystone03:23
*** markvoelker has joined #openstack-keystone03:32
*** markvoelker has quit IRC03:38
*** yarkot has quit IRC03:39
*** sdake has quit IRC03:40
*** sdake has joined #openstack-keystone03:41
openstackgerritAnh Tran proposed openstack/python-keystoneclient: TrivialFix: Using assertIsNone() instead of assertEqual(None)  https://review.openstack.org/37719003:43
*** yarkot has joined #openstack-keystone03:45
*** aswadr_ has joined #openstack-keystone03:45
*** adrian_otto has quit IRC03:45
*** tqtran has joined #openstack-keystone03:47
*** sdake has quit IRC03:47
*** adrian_otto has joined #openstack-keystone03:48
openstackgerritDave Chen proposed openstack/keystone: Deprecate `endpoint_filter.sql` backend  https://review.openstack.org/37593103:51
*** tqtran has quit IRC03:52
*** GB21 has quit IRC03:53
openstackgerritAnh Tran proposed openstack/python-keystoneclient: Import module instead of object  https://review.openstack.org/37719803:55
*** adrian_otto has quit IRC03:57
*** dikonoor has joined #openstack-keystone04:08
*** sdake has joined #openstack-keystone04:15
*** links has joined #openstack-keystone04:19
*** sdake_ has joined #openstack-keystone04:22
*** sdake has quit IRC04:24
openstackgerritSteve Martinelli proposed openstack/keystone: create release notes for removed functionality  https://review.openstack.org/37591404:26
*** roxanaghe has quit IRC04:29
*** roxanaghe has joined #openstack-keystone04:29
*** tqtran has joined #openstack-keystone04:29
openstackgerritAnh Tran proposed openstack/keystone: Using assertIsNone() instead of assertIs(None)  https://review.openstack.org/37722004:33
*** roxanaghe has quit IRC04:34
*** GB21 has joined #openstack-keystone04:36
*** sdake_ has quit IRC04:40
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated items from contrib  https://review.openstack.org/37448904:40
openstackgerritMerged openstack/pycadf: Clean oslo.i18n  https://review.openstack.org/37452204:41
*** sdake has joined #openstack-keystone04:43
*** dikonoor has quit IRC04:46
*** sdake_ has joined #openstack-keystone04:46
*** sdake has quit IRC04:48
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated items from contrib  https://review.openstack.org/37448904:49
*** jrist has joined #openstack-keystone04:51
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450404:54
*** sdake_ has quit IRC04:58
*** jaosorior has joined #openstack-keystone05:07
*** jlopezgu has quit IRC05:08
*** hugokuo has quit IRC05:08
*** hugokuo has joined #openstack-keystone05:08
*** jlopezgu has joined #openstack-keystone05:10
*** dikonoor has joined #openstack-keystone05:11
*** jaosorior has quit IRC05:19
*** jaosorior has joined #openstack-keystone05:20
*** tonytan4ever has quit IRC05:20
*** lamt has quit IRC05:21
*** richm has quit IRC05:40
*** dikonoor has quit IRC05:40
*** code-R has joined #openstack-keystone05:45
*** code-R_ has joined #openstack-keystone05:47
*** code-R has quit IRC05:50
*** jrist has quit IRC05:53
bretonmorning, keystone05:55
*** dikonoor has joined #openstack-keystone05:59
*** woodster_ has quit IRC06:10
*** tqtran has quit IRC06:21
*** pcaruana has joined #openstack-keystone06:45
*** GB21 has quit IRC06:47
*** ravelar has joined #openstack-keystone06:53
*** ravelar has quit IRC06:58
*** rcernin has joined #openstack-keystone06:59
*** GB21 has joined #openstack-keystone07:09
*** GB21 has quit IRC07:13
*** GB21 has joined #openstack-keystone07:13
*** GB21 has quit IRC07:15
*** GB21 has joined #openstack-keystone07:15
*** tonytan4ever has joined #openstack-keystone07:21
*** xek has joined #openstack-keystone07:25
*** tonytan4ever has quit IRC07:26
*** hoonetorg has quit IRC07:42
*** code-R_ has quit IRC07:43
*** anteaya has quit IRC07:48
*** anteaya has joined #openstack-keystone07:49
*** hoonetorg has joined #openstack-keystone07:59
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** amoralej|off is now known as amoralej08:02
openstackgerritMerged openstack/keystone: Remove unused path in the v2 token controller  https://review.openstack.org/37560708:09
*** tonytan4ever has joined #openstack-keystone08:22
*** tonytan4ever has quit IRC08:27
*** ChanServ sets mode: +v henrynash08:28
*** pnavarro has joined #openstack-keystone08:38
*** hoonetorg has quit IRC08:51
openstackgerritBoris Bobrov proposed openstack/keystone: remove deprecated items from contrib  https://review.openstack.org/37448908:55
*** GB21 has quit IRC08:57
openstackgerritMerged openstack/keystone: Remove useless method override  https://review.openstack.org/37552409:00
*** code-R has joined #openstack-keystone09:02
*** hoonetorg has joined #openstack-keystone09:02
*** code-R_ has joined #openstack-keystone09:09
*** GB21 has joined #openstack-keystone09:10
*** namnh has joined #openstack-keystone09:11
*** code-R has quit IRC09:11
*** jaosorior is now known as jaosorior_lunch09:18
*** mvk has quit IRC09:27
*** GB21 has quit IRC09:28
*** namnh has quit IRC09:28
*** GB21 has joined #openstack-keystone09:41
*** haplo37_ has quit IRC09:56
*** jmccrory has quit IRC09:57
openstackgerritStephen Finucane proposed openstack/oslo.policy: Add sphinx extension to build sample policy  https://review.openstack.org/37654409:57
*** mvk has joined #openstack-keystone09:58
*** haplo37_ has joined #openstack-keystone09:59
*** jmccrory has joined #openstack-keystone10:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/37744810:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/37744910:00
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/37745010:00
*** zeus has quit IRC10:01
*** melwitt has quit IRC10:01
*** melwitt has joined #openstack-keystone10:01
*** melwitt is now known as Guest320310:02
*** zeus has joined #openstack-keystone10:02
*** zeus is now known as Guest7154610:02
*** EinstCrazy has quit IRC10:03
*** EinstCrazy has joined #openstack-keystone10:04
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/37753710:06
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements  https://review.openstack.org/37754610:06
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/37755510:07
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/37368610:07
*** EinstCrazy has quit IRC10:08
*** mah has joined #openstack-keystone10:13
*** richm has joined #openstack-keystone10:13
*** asettle has joined #openstack-keystone10:17
*** tonytan4ever has joined #openstack-keystone10:23
*** sdake has joined #openstack-keystone10:27
*** tonytan4ever has quit IRC10:28
*** jaosorior_lunch is now known as jaosorior10:34
openstackgerritStephen Finucane proposed openstack/oslo.policy: Add sphinx extension to build sample policy  https://review.openstack.org/37654410:46
*** nicolasbock has joined #openstack-keystone10:50
robcresswellHi hi. Been mucking around with Horizon locally and Devstack on a VM. Recently, this setup has suddenly started failing; horizon seems to be able to hit keystone, but always returns with "Unable to retrieve authorized projects"10:57
*** dikonoor has quit IRC10:59
robcresswellLogs show it retrieving the user it seems, but failing on the project list every time. I'm unsure why. I don't suppose this looks familiar to anyone?10:59
*** prashanth has joined #openstack-keystone11:01
*** dikonoor has joined #openstack-keystone11:06
*** sdake has quit IRC11:12
*** dikonoor has quit IRC11:15
openstackgerritKobi Samoray proposed openstack/keystone: Fix a docstring typo in test_v3_resource.py  https://review.openstack.org/37761811:25
*** amoralej is now known as amoralej|lunch11:26
*** dikonoor has joined #openstack-keystone11:29
openstackgerritKobi Samoray proposed openstack/keystone: Fix a docstring typo in test_v3_resource.py  https://review.openstack.org/37761811:30
openstackgerritKobi Samoray proposed openstack/keystone: Fix a docstring typo in test_v3_resource.py  https://review.openstack.org/37761811:31
*** dikonoo has joined #openstack-keystone11:36
*** dikonoor has quit IRC11:39
*** dikonoo has quit IRC11:49
*** dikonoo has joined #openstack-keystone11:59
*** jaosorior has quit IRC12:06
*** jaosorior has joined #openstack-keystone12:06
openstackgerritAnh Tran proposed openstack/keystone: Using assertIsNone(...) instead of assertIs(None, ...)  https://review.openstack.org/37722012:10
*** rodrigods has quit IRC12:12
*** rodrigods has joined #openstack-keystone12:12
*** davechen has left #openstack-keystone12:15
rodrigodsdstanek, there? have a question that you might be able to respond :)12:17
openstackgerritKobi Samoray proposed openstack/keystone: Fix a docstring typo in test_v3_resource.py  https://review.openstack.org/37761812:18
mahHi all, I have an OPNFV-Apex deployment,, which is based on TripleO and it stucks at the post install configuration of external neutron network.  I have done some tests .. such as source the overcloudrc from the undercloud then try any openstack command, then it fails12:24
*** amoralej|lunch is now known as amoralej12:25
mahI added --debug to see where it fails and I found here : Making authentication request to http://192.168.162.13:5000/v2.0/tokens12:25
rodrigodsmah, maybe #tripleo?12:25
mahthis ip the external ip  not the admine12:25
*** woodster_ has joined #openstack-keystone12:25
mahI asked there but they checked with me from the network configuration and all was fine then one guy recommend to ask here because it may be related to keystone12:26
*** sdake has joined #openstack-keystone12:28
rodrigodsmah, what is the result from that call? (calling /tokens)12:28
*** asettle_ has joined #openstack-keystone12:28
bretonmah: please post the full output12:29
*** markvoelker has joined #openstack-keystone12:29
mahok12:29
mahhttp://hastebin.com/abodoleted.sql12:30
bretonmah: and what happens after line 35?12:30
*** edmondsw has joined #openstack-keystone12:30
*** asettle has quit IRC12:31
rodrigodsmah, just hangs there?12:31
mahyes12:31
*** asettle has joined #openstack-keystone12:31
mahwhile when I do the same thing at the overcloud12:31
mahit works fine12:31
mahI can get the output there to see difference12:31
rodrigodsmah, so you can't access from the undercloud?12:32
rodrigodsa ping doesn't work12:32
mahping works12:32
mahand I can access12:32
mahhttp://hastebin.com/rujuvelezo.sql12:32
mahhere is from overcloud12:32
mahworks fine12:32
mahand you will see the difference is that tried to Post to tokens using external ip12:33
mahthen changed to use the admin ip12:33
mahand changed the port as well from 5000 to 3535712:33
rodrigodsmah, hmm12:34
rodrigodsayoung, ^ is this related to the versions endpoints issue?12:35
*** asettle_ has quit IRC12:35
rodrigodsmah, what happens if you make the same call from the undercloud?12:35
*** vaishali_ has joined #openstack-keystone12:35
mahif I make it with sourcing the overcloudrc , it stucks  http://hastebin.com/abodoleted.sql12:36
mahbut if I sourced stackrc it works fine12:36
*** vaishali_ has quit IRC12:36
rodrigodsmah, looks like a network communication problem between the overcloud and the undercloud12:36
*** vaishali_ has joined #openstack-keystone12:36
mahbut they can ping each others normally12:36
mahand the deployement of opnfv (tripleo) continues to the end except few steps (post install configurations)12:37
rodrigodsmah, can you get a token in the overcloud and try to use in another overcloud service from the undercloud?12:38
mahI did not tried it12:38
*** asettle_ has joined #openstack-keystone12:39
mahbut I tried to do something else, which is changing the ip of auth_url and port to use the admin network ip and port 35357 .. then it works from undercloud in some cases of openstack commands12:39
mahthese changes done in overcloudrc12:40
mahthen source it from undercloud12:40
mahat undercloud*12:40
*** asettle has quit IRC12:41
*** asettle_ is now known as asettle12:41
*** prashkre_ has joined #openstack-keystone12:52
*** prashanth has quit IRC12:54
*** tonytan4ever has joined #openstack-keystone12:54
*** david-lyle has joined #openstack-keystone12:56
*** GB21 has quit IRC12:57
*** tonytan4ever has quit IRC12:57
*** vaishali_ has quit IRC12:59
*** tonytan4ever has joined #openstack-keystone13:00
edmondswayoung, saw you told dikonoo yesterday that keystone signing dir is only used with PKI... that's not actually correct. It's also used with revocation for all token types13:04
ayoungedmondsw, I thought we killed that13:05
edmondswayoung, when?13:05
edmondswwould have to have been very recently, and maybe dikonoo doesn't have that change in her environment13:06
edmondswif indeed it was changed?13:06
*** prashkre_ has quit IRC13:06
stevemaro/13:16
bretonayoung: no13:16
bretonayoung: it's still alive13:17
bretonayoung: and we will discuss it today13:17
*** rob_d has joined #openstack-keystone13:18
*** jaosorior has quit IRC13:19
*** Guest71546 is now known as zeus13:20
*** jaosorior has joined #openstack-keystone13:20
*** zeus has quit IRC13:20
*** zeus has joined #openstack-keystone13:20
*** mnikolaenko has quit IRC13:37
*** woodburn has quit IRC13:43
*** mugsie__ is now known as mugsie13:45
*** raildo has joined #openstack-keystone13:47
*** woodburn has joined #openstack-keystone13:49
*** ngupta has joined #openstack-keystone13:54
*** guoshan has joined #openstack-keystone13:58
*** ravelar has joined #openstack-keystone14:11
openstackgerritLance Bragstad proposed openstack/keystone: Ensure all v2.0 tokens are validated the same way  https://review.openstack.org/37265514:12
stevemarlbragstad: you should totally land that patch that includes names for audit events :P14:13
lbragstadstevemar ?14:14
lbragstadstevemar which one?14:14
stevemarlbragstad: eh.. lemme find14:14
stevemarlbragstad: https://review.openstack.org/#/c/288643/14:14
lbragstadoh14:16
lbragstadstevemar we need to figure out what keystone's stance is on that kind of stuff14:16
lbragstadstevemar why do you want that patch landed?14:16
lbragstadbecause it closes a bug?14:16
bretonlbragstad: yep14:17
bretonlbragstad: was reported today14:17
*** pnavarro has quit IRC14:18
bretonlbragstad: so more and more people want it14:18
lbragstadbreton stevemar well - we have a couple different ways to solve that problem14:18
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450414:19
lbragstadi'm not necessarily convinced people want more stuff in the notification14:19
stevemarbreton: thanks for the catches14:20
lbragstadI wrote about other options here - http://lbragstad.com/improving-auditing-in-keystone/14:20
stevemarlbragstad: i think we can toss them in, with the domain name for groups/projects/users -- with the expectation that names are not unique14:20
stevemarlbragstad: theres no reason we can't do both soft deletes and names in notifications14:21
stevemarthe name approach is a pinch more work, soft deletes are non-trivial14:21
lbragstadstevemar if we do both we'll be maintaining two code paths that solve the same problem14:21
lbragstadimplementing soft deletes means that we'll have to rework all of the keystone api to return deleted entities14:22
lbragstadthat sounds like a lot of work14:22
stevemarlbragstad: right, which is why i doubt it'll land any time soon14:22
stevemarlbragstad: i think soft-deletes are a wishlist item14:22
lbragstadi think it depends on how critical notification callbacks are14:23
lbragstadif soft-deletes are really the way we want to go with this - and the recommended approach, then I'd consider soft deletes a higher priority14:24
*** sdake has quit IRC14:24
lbragstadputting the name in the notification feels like a band-aid14:24
lbragstadonly because we would be assuming that's all people want14:25
lbragstadand I would guess that it's only a matter of time before we get another request to put a different attribute in the notification14:25
lbragstadkinda like a slippery slope14:26
*** GB21 has joined #openstack-keystone14:26
lbragstadand what it we get to the point where we have attributes X, Y, and Z in the payload - but a certain deployer has security concerns with exposing attribute Y in the payload?14:27
lbragstads/it/if/14:27
*** adrian_otto has joined #openstack-keystone14:27
lbragstadI'm just trying to think down the road - once this has been in the wild for a bit14:28
lbragstadI think the trade-off is that we already have a notification system in place where we can put whatever we want in the payload - and implementing soft deletes would be starting back at square one14:29
lbragstadbut making a soft delete call and admin operation and making it so that consumers of the notification have to ask keystone for the specific information they need feels like it addresses future security concerns14:31
lbragstads/and/an/14:31
* lbragstad clearly can't type today 14:31
*** _d34dh0r53_ is now known as d34dh0r5314:34
*** gagehugo has joined #openstack-keystone14:35
*** adrian_otto has quit IRC14:36
*** sdake has joined #openstack-keystone14:37
*** adrian_otto has joined #openstack-keystone14:37
*** spedione|AWAY is now known as spedione14:39
*** guoshan has quit IRC14:44
*** dikonoo has quit IRC14:45
*** GB21 has quit IRC14:47
stevemarlbragstad: why would it be a security concern? it goes to an internal message14:49
stevemarbus14:49
lbragstadstevemar that was a concern dstanek had14:53
*** adrian_otto has quit IRC14:53
*** edtubill has joined #openstack-keystone14:55
openstackgerritSteve Martinelli proposed openstack/keystone: create release notes for removed functionality  https://review.openstack.org/37591414:58
*** roxanaghe has joined #openstack-keystone14:58
*** spzala has joined #openstack-keystone15:03
ktychkova_stevemar , lbragstad : Hi. I'm the person who want more information in keystone notifications :).Could you please tell me why it is a problem to add in notifications as much info as possible about deleted entities?15:05
*** pcaruana has quit IRC15:06
*** rcernin has quit IRC15:07
openstackgerritAlexander Makarov proposed openstack/keystone: Verbose 401/403 debug responses  https://review.openstack.org/37243315:09
*** woodburn1 has joined #openstack-keystone15:10
stevemarktychkova_: i'd like to see it happen ;)15:11
*** woodburn has quit IRC15:12
lbragstadktychkova_ one of the reservations I have about it is that it requires notifications to put whatever the consuming application needs in the notification15:13
lbragstadthe whole idea behind the notification callback structure originally was to make it so that the consuming application gets just enough information to make a call back to keystone to get the exact information it needs15:14
lbragstadwhich decouples the keystone notification implementation from whatever application consumes the notification15:15
ktychkova_lbragstad: what information I can get by id of deleted user? I guess nothing. How to understand what user was deleted?15:15
lbragstadktychkova_ that's why i was making the case for soft deletes :)15:15
lbragstadktychkova_ your application could subscribe to notifications and listen for deletion events for user resource types - then it would have to make a call back to keystone asking for deleted user of a particular ID15:16
*** haplo37__ has joined #openstack-keystone15:17
lbragstadwhich would return the entire user reference15:17
ktychkova_lbragstad: I understand your point, but this "call back" thing requeres me to store openstack credentials outside of openstack...15:18
*** openstackgerrit has quit IRC15:18
*** openstackgerrit has joined #openstack-keystone15:18
lbragstadktychkova_ you'd have to do the same pattern if you wanted to consume a PATCH user event15:19
lbragstadwhen a user is updated, the only thing you're told in the notification is that a user of a specific id has something changed...15:19
lbragstadyou don't know what changed15:19
lbragstadyou'd have to store credentials in order to get that information today15:20
*** adrian_otto has joined #openstack-keystone15:20
*** adrian_otto has quit IRC15:20
amakarovrodrigods, hi! I've split patch 372433 as you asked15:21
ktychkova_libragstad: I like soft delete feature. It's fine. I just thougt that it is not a big problem to add all user fields in the message. But if it is I can wait for "soft delete" feature15:22
lbragstadktychkova_ would you be able to share your consuming application flow?15:22
lbragstadktychkova_ how do you use the notification in your application?15:22
rodrigodsamakarov, hmm my suggestion only makes sense if it is possible to add tests to cover the #noqa parts15:24
ktychkova_lbragstad: I actually doing research of possible use cases. So I don't know for sure. But, for example, it is: Keystone -> Ceilometer -> Aodh -> Jenkins/Slack or any of app with REST api15:25
rodrigodsamakarov, and... it is funny because my score was +1, not -115:25
*** agrebennikov has joined #openstack-keystone15:26
lbragstadktychkova_ so you'd have ceilometer listen for certain keystone events then kick of a job, or update a slack room?15:26
amakarovrodrigods, I think the questionable parts with noqa are better be extracted and handled separately15:27
ktychkova_lbragstad: yes, right15:27
rodrigodsamakarov, ++15:27
amakarovrodrigods, so first patch still solves the issue, and the second one - reveals another problem15:27
*** guoshan has joined #openstack-keystone15:30
ktychkova_lbragstad: please take a look: http://xuctarine.blogspot.ru/2016/09/keystone-notifications-integration-with_26.html15:31
ktychkova_It is just first stage of research and defenetly not a production use case and I'm using openstack credentials from Jenkins15:31
ktychkova_but it will give you an idea in what direction I want to continue work15:31
lbragstadktychkova_ cool - i'll check it out15:31
lbragstadktychkova_ so far, only you and dmitri have expressed an interest in the notification payload15:32
lbragstadktychkova_ i spoke with a few people in Austin about it, but the discussion ended up getting tabled15:33
lbragstadktychkova_ if you're going to be in Barcelona - we should talk to stevemar to see if we can get it rolled into a session15:34
lbragstadktychkova_ are you planning on using CADF notifications or the basic ones?15:37
bretonhow do i switch between basic and cadf?15:38
lbragstadbreton it's a configuration option15:39
ktychkova_lbragstad: I won't go to the Summit, but if you want to have a session I will find somebody to participate. Jay Pipes from Nova for example.15:39
ktychkova_Since the main use case we a looking for is "owner transfership" - transfer instances from deleted user to somebody15:39
lbragstadlet me grab a link15:39
ktychkova_CADF15:39
ktychkova_breton: in config file :)15:39
*** guoshan has quit IRC15:40
ktychkova_breton: notification_format = cadf15:40
lbragstadktychkova_ yep - breton - https://github.com/openstack/keystone/blob/8143f9ca49032fbfe2f567bb1e0cd6c370aaa8a4/keystone/conf/default.py#L20615:40
lbragstadstevemar do you think we have any room in the schedule for a notification session?15:40
lbragstadktychkova_ it's exciting to hear that you're working on the transfer/cleanup problem15:41
lbragstadbreton are you working on that, too?15:41
*** spilla has joined #openstack-keystone15:43
bretonlbragstad: nope, just eavesdropping :p15:43
ktychkova_lbragstad: we just made a first research and thinking what step to do next.15:43
ktychkova_Probably it will be a "transfer ownership" in Nova15:43
lbragstadktychkova_ got it - so when you receive a notification the a user has been deleted are you checking the domain/project of the user or something like that?15:44
*** gagehugo has quit IRC15:46
*** adrian_otto has joined #openstack-keystone15:46
ktychkova_lbragstad: project is important, because you have to specify it in Aodh when creating an alarm15:46
ktychkova_What else will be needed for Nova I don't know so far15:46
stevemarlbragstad: we can try15:47
lbragstadktychkova_ ah - that makes sense15:47
lbragstadstevemar we could try doing it over a meeting, too15:47
ktychkova_breton: You are going to Barcelona, right?15:48
stevemarlbragstad: i added it, earlier too, can you fill in the content?15:48
lbragstadstevemar sure15:48
*** agrebennikov has quit IRC15:48
lbragstadktychkova_ will you be able to make it to the keystone meeting today in #openstack-meeting at 18:00 UTC15:48
lbragstadi assume breton will be there15:49
lbragstads/there/at the meeting/15:49
openstackgerritArthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" find() calls by globally unique IDs  https://review.openstack.org/37781115:49
*** spedione is now known as chris_hultin15:50
ktychkova_lbragstad: yes, I will15:51
bretonktychkova_: lbragstad: yes15:53
lbragstadktychkova_ cool - stevemar's got you on the agenda here https://etherpad.openstack.org/p/keystone-weekly-meeting15:57
rob_dhi all, heat project still uses python-keystoneclient, does this make it impossible for federated users to use heat? - keystoneclient throws 404 when heat tries to determine the federated users role15:58
*** GB21 has joined #openstack-keystone15:58
rob_dI have heat configured to use trusts but it keeps throwing a 404, federated user can use all other services and heat configured to use un-versioned  identity endpoint16:00
openstackgerritArthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" find() calls by globally unique IDs  https://review.openstack.org/37573016:00
*** amakarov has quit IRC16:02
*** amakarov has joined #openstack-keystone16:02
*** haplo37_ has quit IRC16:05
*** gyee has joined #openstack-keystone16:05
*** haplo37_ has joined #openstack-keystone16:07
*** code-R_ has quit IRC16:10
bretonmany things to discuss today16:14
lbragstadyeah - we have a packed schedule16:14
openstackgerritMerged openstack/pycadf: Updated from global requirements  https://review.openstack.org/37754616:14
openstackgerritMerged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/37744916:15
*** code-R has joined #openstack-keystone16:16
*** jaosorior has quit IRC16:16
*** mvk has quit IRC16:17
stevemarlbragstad: i punched some of my stuff out16:18
*** agrebennikov has joined #openstack-keystone16:21
*** code-R has quit IRC16:29
*** ekarlso_ has quit IRC16:31
*** ravelar1 has joined #openstack-keystone16:34
*** asettle_ has joined #openstack-keystone16:34
*** roxanagh_ has joined #openstack-keystone16:34
*** tonytan_brb has joined #openstack-keystone16:34
*** david-lyle_ has joined #openstack-keystone16:35
openstackgerritSteve Martinelli proposed openstack/keystone: remove deprecated config options  https://review.openstack.org/37450416:36
*** xek_ has joined #openstack-keystone16:36
knikollarodrigods: you there?16:36
*** haplo37__ has quit IRC16:36
*** jraim has quit IRC16:36
*** samueldmq has quit IRC16:36
*** rob_d___ has joined #openstack-keystone16:36
*** roxanaghe has quit IRC16:36
*** edtubill has quit IRC16:36
*** brad[] has quit IRC16:36
*** asettle has quit IRC16:36
*** aswadr_ has quit IRC16:37
*** chrome0_ has quit IRC16:37
*** nicolasbock has quit IRC16:37
*** akrzos has quit IRC16:37
*** Kimmo__ has joined #openstack-keystone16:37
*** hugokuo has quit IRC16:37
*** Kimmo_ has quit IRC16:37
*** richm has quit IRC16:37
*** david_cu has quit IRC16:37
*** david-lyle has quit IRC16:37
*** kragniz has quit IRC16:37
*** jlk` has joined #openstack-keystone16:37
*** woodburn1 has quit IRC16:37
*** serverascode has quit IRC16:37
*** morgan has quit IRC16:37
*** stevemar has quit IRC16:37
*** andrewbogott has quit IRC16:37
*** jlk has quit IRC16:37
*** mrhillsman has quit IRC16:37
*** mfisch has quit IRC16:37
*** nonameentername has quit IRC16:37
*** stevemar has joined #openstack-keystone16:37
*** med_ has quit IRC16:37
*** sigmavirus has quit IRC16:37
*** nicolasbock has joined #openstack-keystone16:37
*** ravelar has quit IRC16:37
*** iurygregory has quit IRC16:37
*** pleia2 has quit IRC16:37
*** code-R has joined #openstack-keystone16:37
*** hugokuo_ has joined #openstack-keystone16:37
*** redrobot has quit IRC16:37
*** hoonetorg has quit IRC16:37
*** tsufiev has quit IRC16:37
*** mnaser has quit IRC16:37
*** _sigmavirus24 has joined #openstack-keystone16:37
*** hugokuo_ is now known as hugokuo16:37
*** arunkant_ has joined #openstack-keystone16:37
*** dmellado has quit IRC16:37
*** jdennis1 has quit IRC16:37
*** woodburn has joined #openstack-keystone16:37
*** jlwhite_ has joined #openstack-keystone16:38
*** jlwhite_ has quit IRC16:38
*** jlwhite_ has joined #openstack-keystone16:38
*** jlwhite has quit IRC16:38
*** jlwhite_ is now known as jlwhite16:38
*** anteaya has quit IRC16:38
*** GB21 has quit IRC16:38
*** sileht has quit IRC16:38
*** clayton has quit IRC16:38
*** mnaser has joined #openstack-keystone16:38
*** rob_d has quit IRC16:38
*** jidar has quit IRC16:38
*** adrian_otto1 has joined #openstack-keystone16:38
*** anteaya has joined #openstack-keystone16:38
*** zzzeek has quit IRC16:38
*** tonytan4ever has quit IRC16:38
*** henrynash has quit IRC16:38
*** adrian_otto has quit IRC16:38
*** x58 has quit IRC16:38
*** akrzos_ has joined #openstack-keystone16:38
*** xek has quit IRC16:38
*** arunkant has quit IRC16:38
*** chrome0 has joined #openstack-keystone16:38
*** x58 has joined #openstack-keystone16:38
*** kragniz1 has joined #openstack-keystone16:38
*** jdennis has joined #openstack-keystone16:38
*** akrzos_ has quit IRC16:38
*** akrzos_ has joined #openstack-keystone16:38
*** hoonetorg has joined #openstack-keystone16:38
*** dmellado has joined #openstack-keystone16:38
*** nonameentername has joined #openstack-keystone16:38
*** links has quit IRC16:38
*** timss has quit IRC16:38
*** dgonzalez has quit IRC16:38
*** brad[]` has joined #openstack-keystone16:38
*** prashkre_ has joined #openstack-keystone16:38
*** henrynash has joined #openstack-keystone16:39
*** pleia2 has joined #openstack-keystone16:39
*** code-R_ has joined #openstack-keystone16:39
*** redrobot has joined #openstack-keystone16:39
*** redrobot is now known as Guest2778016:40
*** mrhillsman has joined #openstack-keystone16:40
*** _sigmavirus24 is now known as sigmavirus16:40
*** sigmavirus has joined #openstack-keystone16:40
*** haplo37 has joined #openstack-keystone16:40
*** jidar has joined #openstack-keystone16:41
*** DuncanT has quit IRC16:41
*** tsufiev has joined #openstack-keystone16:41
*** code-R has quit IRC16:42
*** mfisch has joined #openstack-keystone16:42
*** mfisch has quit IRC16:42
*** mfisch has joined #openstack-keystone16:42
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/37755516:43
openstackgerritRichard Avelar proposed openstack/keystone: Change python code revocation search to sql  https://review.openstack.org/35937116:44
*** prashkre__ has joined #openstack-keystone16:44
*** mdurrant_ has joined #openstack-keystone16:44
*** asettle_ is now known as asettle16:44
*** dgonzalez has joined #openstack-keystone16:45
*** slberger has joined #openstack-keystone16:45
*** clayton has joined #openstack-keystone16:46
*** Guest66676 has quit IRC16:46
*** alex_xu has quit IRC16:46
*** woodburn1 has joined #openstack-keystone16:46
*** amakarov has quit IRC16:46
*** cburgess_ has joined #openstack-keystone16:46
*** adrian_otto1 has quit IRC16:47
*** mnaser has quit IRC16:47
*** henrynash_ has joined #openstack-keystone16:47
*** cburgess has quit IRC16:47
*** pkoraca has quit IRC16:47
*** alexander__ has joined #openstack-keystone16:47
*** BlackDex has quit IRC16:47
*** mlovell has quit IRC16:47
*** zeus has quit IRC16:47
*** evrardjp has quit IRC16:47
*** mdurrant__ has quit IRC16:47
*** jlk` has quit IRC16:47
*** alexander__ is now known as amakarov16:47
*** mfisch` has joined #openstack-keystone16:47
*** jlwhite_ has joined #openstack-keystone16:47
*** sigmavirus has quit IRC16:47
*** dmellado_ has joined #openstack-keystone16:47
*** hugokuo has quit IRC16:48
*** jidar_ has joined #openstack-keystone16:48
*** briancurtin has quit IRC16:48
*** BlackDex_ has joined #openstack-keystone16:48
*** mrhillsman has quit IRC16:48
*** arunkant_ has quit IRC16:48
*** ayoung has quit IRC16:48
*** jamielennox has quit IRC16:48
*** vkmc has quit IRC16:48
*** ayoung has joined #openstack-keystone16:48
*** ChanServ sets mode: +v ayoung16:48
*** zzzeek has joined #openstack-keystone16:48
*** x58 has quit IRC16:48
*** akrzos_ has quit IRC16:48
*** alex_xu_ has joined #openstack-keystone16:48
*** mfisch has quit IRC16:48
*** prashkre_ has quit IRC16:48
*** brad[]` has quit IRC16:48
*** kragniz1 has quit IRC16:48
*** chrome0 has quit IRC16:48
*** x58 has joined #openstack-keystone16:48
*** alex_xu_ has quit IRC16:48
*** alex_xu_ has joined #openstack-keystone16:48
*** akrzos has joined #openstack-keystone16:48
*** vkmc- has joined #openstack-keystone16:48
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/37744816:48
*** henrynash has quit IRC16:48
*** dmellado has quit IRC16:48
*** woodburn has quit IRC16:48
*** anteaya has quit IRC16:48
*** jlwhite has quit IRC16:48
*** chrome0_ has joined #openstack-keystone16:48
*** jidar has quit IRC16:48
*** jlwhite_ is now known as jlwhite16:48
*** med_ has joined #openstack-keystone16:48
*** kragniz1 has joined #openstack-keystone16:48
*** vkmc- is now known as vkmc16:48
*** vkmc has quit IRC16:48
*** vkmc has joined #openstack-keystone16:48
*** med_ is now known as Guest4406416:48
*** jamielennox has joined #openstack-keystone16:48
*** ChanServ sets mode: +v jamielennox16:48
*** jlk has joined #openstack-keystone16:49
*** hugokuo has joined #openstack-keystone16:49
*** jlk has quit IRC16:49
*** jlk has joined #openstack-keystone16:49
*** _sigmavirus24 has joined #openstack-keystone16:49
*** jidar_ is now known as jidar16:49
*** Guest3203 is now known as melwitt16:49
*** _sigmavirus24 is now known as sigmavirus16:49
*** mnaser has joined #openstack-keystone16:49
*** mnaser has joined #openstack-keystone16:49
*** brad[] has joined #openstack-keystone16:49
*** arunkant_ has joined #openstack-keystone16:49
*** adrian_otto has joined #openstack-keystone16:50
*** sigmavirus is now known as Guest4509616:50
openstackgerritSamuel Pilla proposed openstack/keystone: Domain included for role in list_role_assignment  https://review.openstack.org/37351616:50
*** GB21 has joined #openstack-keystone16:50
*** anteaya has joined #openstack-keystone16:50
*** Guest45096 is now known as sigmavirus16:51
*** sigmavirus has joined #openstack-keystone16:51
*** jraim has joined #openstack-keystone16:51
*** links has joined #openstack-keystone16:51
*** sileht has joined #openstack-keystone16:52
*** AndyWojo has quit IRC16:52
*** timss has joined #openstack-keystone16:52
*** iurygregory has joined #openstack-keystone16:53
*** zeus has joined #openstack-keystone16:53
*** jefrite has quit IRC16:53
*** evrardjp has joined #openstack-keystone16:53
*** zeus is now known as Guest6643016:53
*** richm has joined #openstack-keystone16:54
*** samueldmq has joined #openstack-keystone16:54
*** ChanServ sets mode: +v samueldmq16:54
openstackgerritRon De Rose proposed openstack/keystone: Move revocation logic to SQL: Indexes  https://review.openstack.org/37652316:54
openstackgerritRichard Avelar proposed openstack/keystone: Move revocation logic to SQL  https://review.openstack.org/35937116:54
openstackgerritLance Bragstad proposed openstack/keystone: Add release note for fernet tokens  https://review.openstack.org/37652616:56
*** ngupta has quit IRC16:56
*** mlovell has joined #openstack-keystone16:56
*** ngupta has joined #openstack-keystone16:57
*** jefrite has joined #openstack-keystone16:57
*** ktychkova has joined #openstack-keystone16:57
*** Guest66666 has joined #openstack-keystone16:57
*** ktychkova_ has quit IRC16:58
*** ktychkova has quit IRC16:58
*** ngupta has quit IRC16:59
*** ngupta has joined #openstack-keystone16:59
*** ktychkova_ has joined #openstack-keystone16:59
*** browne has joined #openstack-keystone16:59
*** henrynash_ is now known as henrynash17:01
*** Guest66430 is now known as zeus`17:02
*** zeus` is now known as zeus17:02
*** zeus has quit IRC17:02
*** zeus has joined #openstack-keystone17:02
*** amoralej is now known as amoralej|off17:02
*** andrewbogott has joined #openstack-keystone17:03
*** roxanagh_ has quit IRC17:05
*** frontrunner has joined #openstack-keystone17:06
*** roxanaghe has joined #openstack-keystone17:08
openstackgerritLance Bragstad proposed openstack/keystone: Switch fernet to be the default token provider.  https://review.openstack.org/34568817:09
*** chrome0 has joined #openstack-keystone17:09
*** lamt has joined #openstack-keystone17:09
*** jidar_ has joined #openstack-keystone17:10
*** woodburn1 has quit IRC17:10
*** code-R_ has quit IRC17:10
*** jidar has quit IRC17:10
*** GB21 has quit IRC17:10
*** Guest44064 has quit IRC17:10
*** zeus has quit IRC17:11
*** jidar_ is now known as jidar17:11
*** adrian_otto has quit IRC17:11
*** stevemar has quit IRC17:11
*** woodster_ has quit IRC17:11
*** stevemar has joined #openstack-keystone17:11
*** andrewbogott has quit IRC17:11
*** dmellado_ has quit IRC17:11
*** mnaser has quit IRC17:11
*** GB21 has joined #openstack-keystone17:11
*** frontrunner has quit IRC17:11
*** akrzos has quit IRC17:11
*** ayoung_ has joined #openstack-keystone17:11
*** jdennis has quit IRC17:11
*** x58 has quit IRC17:11
*** x58 has joined #openstack-keystone17:11
*** links has quit IRC17:11
*** jlk has quit IRC17:11
*** wolsen has quit IRC17:11
*** jhesketh has quit IRC17:12
*** jraim has quit IRC17:12
*** jamielennox has quit IRC17:12
*** ayoung has quit IRC17:12
*** pleia2 has quit IRC17:12
*** ktychkova_ has quit IRC17:12
*** Guest66666 has quit IRC17:12
*** jraju has joined #openstack-keystone17:12
rderoseSpamapS: have a question17:12
*** chrome0_ has quit IRC17:12
*** woodburn has joined #openstack-keystone17:12
*** code-R has joined #openstack-keystone17:12
*** ktychkova__ has joined #openstack-keystone17:12
*** akrzos has joined #openstack-keystone17:12
*** tonytan_brb has quit IRC17:12
*** adrian_otto has joined #openstack-keystone17:12
*** dmellado has joined #openstack-keystone17:12
*** jlk has joined #openstack-keystone17:12
*** jdennis has joined #openstack-keystone17:12
*** jlk has quit IRC17:12
*** jlk has joined #openstack-keystone17:12
SpamapSrderose: I'm here. Wassup?17:12
rderoseHere is what the query would look like: http://paste.openstack.org/show/583126/ (so far)17:13
*** jhesketh has joined #openstack-keystone17:13
rderoseWhich would make more sense a compound index that would include most columns or an index on each column?17:14
rderoseSpamapS ^17:14
*** frontrunner has joined #openstack-keystone17:14
*** jamielennox has joined #openstack-keystone17:14
*** ChanServ sets mode: +v jamielennox17:14
*** kragniz1 is now known as kragniz17:15
SpamapSwow17:15
SpamapSthat's one heck of an OR tree17:15
*** pleia2 has joined #openstack-keystone17:15
SpamapSso, OR's can only be turned into index range queries17:15
rderoseSpamapS: the reason why is you could match on user_id or user_id and domain_id...17:15
SpamapSexcept OR + Null17:16
SpamapSwhich can be a ref_or_null17:16
rderosehmm...17:16
*** roxanaghe has quit IRC17:17
*** zeus has joined #openstack-keystone17:17
*** Guest66666 has joined #openstack-keystone17:17
*** harlowja has joined #openstack-keystone17:17
openstackgerritArthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" find() calls by globally unique IDs  https://review.openstack.org/37573017:18
rderoseSpamapS: still investigating what would be the common values returned, but I think this is a good example of what would be in the token17:19
* SpamapS still reading17:20
rderoseSpamapS: and I think the query logic is sound in trying to match all different combinations; not sure if there would be a better alternative at this point17:20
*** ngupta has quit IRC17:20
*** woodburn1 has joined #openstack-keystone17:20
*** ngupta has joined #openstack-keystone17:21
*** asettle has quit IRC17:21
*** dmellado_ has joined #openstack-keystone17:21
*** haplo37_ has quit IRC17:21
*** spilla has quit IRC17:21
*** alex_xu has joined #openstack-keystone17:21
*** dmellado has quit IRC17:21
*** stevemar has quit IRC17:21
*** mlovell has quit IRC17:21
*** stevemar has joined #openstack-keystone17:21
*** artmr has joined #openstack-keystone17:21
*** zeus is now known as Guest4538517:21
*** rodrigod` has joined #openstack-keystone17:21
*** ayoung_ has quit IRC17:21
*** sileht has quit IRC17:21
*** harlowja_ has joined #openstack-keystone17:22
*** Guest66676 has joined #openstack-keystone17:22
*** alex_xu_ has quit IRC17:22
*** x58 has quit IRC17:22
*** BlackDex_ has quit IRC17:22
*** zzzeek has quit IRC17:22
*** x58 has joined #openstack-keystone17:22
*** harlowja has quit IRC17:22
*** Guest45385 has quit IRC17:22
*** pleia2 has quit IRC17:22
*** ktychkova_ has joined #openstack-keystone17:22
*** arunkant__ has joined #openstack-keystone17:22
*** woodburn has quit IRC17:22
*** ktychkova__ has quit IRC17:22
*** frontrunner has quit IRC17:22
*** Guest27780 has quit IRC17:22
*** Guest66666 has quit IRC17:22
*** frontrunner has joined #openstack-keystone17:22
*** pleia2 has joined #openstack-keystone17:23
*** electrichead has joined #openstack-keystone17:23
*** zeus- has joined #openstack-keystone17:23
*** iurygregory_ has joined #openstack-keystone17:23
*** haplo37_ has joined #openstack-keystone17:23
*** roxanaghe has joined #openstack-keystone17:23
*** pkoraca has joined #openstack-keystone17:23
*** serverascode has joined #openstack-keystone17:23
*** zeus- is now known as zeus`17:24
*** zzzeek has joined #openstack-keystone17:24
*** spilla has joined #openstack-keystone17:24
*** mlovell has joined #openstack-keystone17:24
*** david-lyle_ is now known as david-lyle17:24
*** sileht has joined #openstack-keystone17:25
openstackgerritAlexey Yelistratov proposed openstack/keystone: Add DB operations tracing  https://review.openstack.org/29453517:25
*** ayoung_ has joined #openstack-keystone17:25
*** haplo37| has joined #openstack-keystone17:25
*** ChanServ sets mode: +o stevemar17:27
*** GB21 has quit IRC17:27
*** gagehugo has joined #openstack-keystone17:27
*** iurygregory has quit IRC17:28
*** arunkant_ has quit IRC17:28
*** brad[] has quit IRC17:28
*** henrynash has quit IRC17:28
*** haplo37 has quit IRC17:28
*** raildo has quit IRC17:28
*** rodrigods has quit IRC17:28
*** iurygregory_ is now known as iurygregory17:28
*** frontrunner2 has joined #openstack-keystone17:32
*** x58 has quit IRC17:32
*** stevemar has quit IRC17:32
*** jdennis has quit IRC17:32
*** mtreinish has quit IRC17:33
*** SamYaple has quit IRC17:33
*** zeus` has quit IRC17:33
*** harlowja_ has quit IRC17:33
*** henrynash has joined #openstack-keystone17:33
*** frontrunner has quit IRC17:33
*** sileht has quit IRC17:34
*** ChanServ sets mode: +v henrynash17:34
*** spzala has quit IRC17:34
*** raildo has joined #openstack-keystone17:34
*** stevemar has joined #openstack-keystone17:34
*** harlowja has joined #openstack-keystone17:34
*** sileht has joined #openstack-keystone17:34
*** mnaser has joined #openstack-keystone17:35
*** x58 has joined #openstack-keystone17:35
*** BlackDex has joined #openstack-keystone17:36
*** spzala has joined #openstack-keystone17:36
*** jdennis has joined #openstack-keystone17:37
*** ravelar1 has quit IRC17:38
*** zeus- has joined #openstack-keystone17:38
*** SamYaple has joined #openstack-keystone17:38
*** zeus- is now known as zeus`17:39
*** aswadr_ has joined #openstack-keystone17:39
*** jraim has joined #openstack-keystone17:39
*** zeus` is now known as zeus17:39
*** zeus has quit IRC17:39
*** zeus has joined #openstack-keystone17:39
*** mtreinish has joined #openstack-keystone17:40
*** x58 has quit IRC17:41
*** harlowja has quit IRC17:42
*** rodrigod` is now known as rodrigods17:42
*** rodrigods has quit IRC17:42
*** rodrigods has joined #openstack-keystone17:42
*** med_ has joined #openstack-keystone17:44
*** andrewbogott has joined #openstack-keystone17:45
*** med_ is now known as Guest7927817:45
*** x58 has joined #openstack-keystone17:47
*** harlowja has joined #openstack-keystone17:47
*** DuncanT has joined #openstack-keystone17:47
*** x58 has left #openstack-keystone17:50
*** mvk has joined #openstack-keystone17:51
*** Marcellin__ has joined #openstack-keystone17:51
*** wolsen has joined #openstack-keystone17:52
*** tonytan4ever has joined #openstack-keystone17:53
*** woodster_ has joined #openstack-keystone17:53
*** tqtran has joined #openstack-keystone17:53
*** nk2527 has joined #openstack-keystone17:54
*** morgan_ has joined #openstack-keystone17:54
*** jraju has quit IRC17:54
*** AndyWojo has joined #openstack-keystone17:57
*** aswadr_ has quit IRC17:58
stevemarmeeting time!17:59
*** briancurtin has joined #openstack-keystone18:00
*** code-R has quit IRC18:02
openstackgerritAlexander Makarov proposed openstack/keystone: Verbose 401/403 debug responses  https://review.openstack.org/37243318:08
*** tonytan_brb has joined #openstack-keystone18:08
*** Gorian has joined #openstack-keystone18:08
*** Gorian is now known as Gorian|work18:09
*** harlowja has quit IRC18:10
*** crinkle has quit IRC18:10
*** andrewbogott has quit IRC18:10
*** haplo37| has quit IRC18:10
*** pkoraca has quit IRC18:10
*** serverascode has quit IRC18:10
*** mtreinish_ has joined #openstack-keystone18:10
*** haplo37- has joined #openstack-keystone18:10
*** tonytan4ever has quit IRC18:10
*** mvk has quit IRC18:10
*** Guest79278 has quit IRC18:10
*** BlackDex has quit IRC18:10
*** ayoung_ has quit IRC18:10
*** redrobot has joined #openstack-keystone18:10
*** BlackDex has joined #openstack-keystone18:10
*** redrobot is now known as Guest4507918:11
*** mvk has joined #openstack-keystone18:11
*** morgan_ has quit IRC18:11
*** mtreinish has quit IRC18:11
*** mtreinish_ is now known as mtreinish18:11
*** electrichead has quit IRC18:11
*** sileht has quit IRC18:11
*** crinkle_ has joined #openstack-keystone18:11
*** crinkle_ is now known as crinkle18:12
*** morgan_ has joined #openstack-keystone18:12
*** serverascode has joined #openstack-keystone18:12
*** stevemar_ has joined #openstack-keystone18:12
*** ChanServ sets mode: +o stevemar_18:12
*** sileht has joined #openstack-keystone18:14
*** ayoung_ has joined #openstack-keystone18:15
*** ChanServ sets mode: +o stevemar18:15
*** stevemar_ is now known as stevemar__18:17
*** stevemar__ has quit IRC18:18
*** morgan__ has joined #openstack-keystone18:19
*** andrewbogott has joined #openstack-keystone18:20
*** stevemar____ has joined #openstack-keystone18:20
*** morgan__ is now known as morganfainberg18:20
*** morganfainberg has quit IRC18:20
*** morganfainberg has joined #openstack-keystone18:20
*** morganfainberg has joined #openstack-keystone18:20
*** morganfainberg is now known as morgan18:20
*** Guest45079 has quit IRC18:21
*** morgan_ has quit IRC18:21
*** _nonameentername has joined #openstack-keystone18:21
*** artmr has quit IRC18:21
*** electrichead has joined #openstack-keystone18:21
*** sileht has quit IRC18:21
*** nonameentername has quit IRC18:21
*** electrichead is now known as Guest7809118:22
morganwow, this is bad today18:22
*** ngupta has quit IRC18:23
*** ngupta has joined #openstack-keystone18:23
*** artmr has joined #openstack-keystone18:23
*** harlowja has joined #openstack-keystone18:24
*** sileht has joined #openstack-keystone18:25
*** pkoraca has joined #openstack-keystone18:26
*** code-R has joined #openstack-keystone18:28
*** artmr_ has joined #openstack-keystone18:30
*** artmr has quit IRC18:30
*** brad[] has joined #openstack-keystone18:33
*** asettle has joined #openstack-keystone18:35
*** sdake has quit IRC18:35
openstackgerritMerged openstack/python-keystoneclient: TrivialFix: Fixed typo in some files  https://review.openstack.org/37733818:41
*** asettle has quit IRC18:41
*** roxanaghe has quit IRC18:42
*** med_ has joined #openstack-keystone18:43
*** med_ is now known as Guest4087618:44
*** prashkre__ has quit IRC18:47
*** sdake has joined #openstack-keystone18:49
*** adrian_otto has quit IRC18:55
*** ezpz has joined #openstack-keystone18:56
*** brad[] has quit IRC18:57
*** DuncanT has quit IRC18:58
*** DuncanT has joined #openstack-keystone19:00
lbragstadif folks have an opinion on this or think we need to have a wider discussion we should do so in Barcelona19:01
*** gagehugo has quit IRC19:01
lbragstadregardless of what we do - i think it would be nice to have a plan in place sometime this release19:01
anteayastevemar: I'm not a guy19:02
anteayaand why don't you have a tail in this channel?19:02
*** stevemar____ has quit IRC19:02
stevemaranteaya: huh, i actually wrote "guys"19:03
stevemaranteaya: i thought i kicked that habit19:03
stevemarmy bad19:03
anteayait is in the archives yeah19:04
*** gagehugo has joined #openstack-keystone19:04
anteayaI had thought so too19:04
anteayain any case, thanks19:04
stevemaranteaya: i logged onto freenode directly, with the tail; but this is my bouncer19:04
anteayaah19:04
anteayasteve the bouncer19:04
stevemaranteaya: it's good when freenode isn't going wonky19:04
anteayait is good when freenode isn't wonky19:05
*** gyee has quit IRC19:08
rderoseSpamapS: so composite index?  since we know what columns will commonly be in the token?19:08
*** sdake has quit IRC19:10
rderoseSpamapS: or, what would you suggest?19:11
*** haplo37- has quit IRC19:11
*** haplo37- has joined #openstack-keystone19:12
*** zzzeek has quit IRC19:12
*** zzzeek has joined #openstack-keystone19:12
bknudsonrderose: all the fields are always in the token.19:18
rderosev2 and v3?19:18
rderosebknudson: it looks like v3 allows user_id to be None19:19
bknudsonthe code that calls into the revocation events normalizes v2 and v3 tokens and all their formats into a single dict that has all the possible fields19:19
rderoseah, nice19:20
rderosebknudson: then I think a composite index would make sense, but want to test that out19:20
bknudsona composite index will likely work well... try it out and see what the explain says.19:22
rderosebknudson: cool, will do19:24
SpamapSrderose: sorry, got distracted away. I'm still not sure I have a grasp on the writes:reads ratio.19:24
rderoseSpamapS: yeah, that's a hard one to answer.19:24
SpamapSIs it?19:24
bknudsonSpamapS: it's likely about 10:1 or 20:1... unfortunately we don't see a lot of token re-use.19:24
bknudsonbut, we also don't see a lot of revocations19:25
rderoseSpamapS: yeah, because it could vary based on the cloud apps19:25
SpamapSI'd think token invalidation from outside keystone itself is rare. Am I wrong in that?19:25
bknudsonwhere we see a problem is when automated testing happens that creates and destroys a lot of test users.19:25
*** ngupta_ has joined #openstack-keystone19:25
bknudsonwhere we see token invalidations is typically coming from horizon invalidating tokens when they log out.19:26
bknudsonand the automated testing as I mentioned.19:26
SpamapSbknudson: hm, if you don't see a lot of revocations, then the revocation_event table specifically should be more like 10000:1 reads:writes19:26
*** henrynash_ has joined #openstack-keystone19:26
*** crinkle_ has joined #openstack-keystone19:26
*** cnf has quit IRC19:26
*** Marcellin__ has quit IRC19:26
*** serverascode has quit IRC19:27
*** briancurtin has quit IRC19:27
*** stevemar has quit IRC19:27
*** mdurrant has joined #openstack-keystone19:27
*** sileht has quit IRC19:27
*** Marcellin__ has joined #openstack-keystone19:27
*** Guest40876 has quit IRC19:27
*** ayoung_ has quit IRC19:27
*** BlackDex has quit IRC19:27
*** SamYaple has quit IRC19:27
*** jefrite has quit IRC19:27
rderoseSpamapS: so assuming infrequent writes, does an composite index make sense for the reads?19:27
*** SamYaple has joined #openstack-keystone19:27
knikollarodrigods: you there?19:27
*** cnfer has joined #openstack-keystone19:27
rodrigodsknikolla, yep19:27
*** mdurrant_ has quit IRC19:27
*** cnfer is now known as cnf19:27
rderoseSpamapS: as bknudson said, all the fields are always in the token19:27
*** henrynash has quit IRC19:27
*** crinkle has quit IRC19:28
rodrigodssaw your topic in the meeting19:28
SpamapSrderose: infrequent writes means more indexes will be cheaper, and thus we can cover all the cases more effectively.19:28
rodrigodsi was going to say that testing the devstack plugin is in my todo list19:28
*** serverascode has joined #openstack-keystone19:28
knikollarodrigods: just ran into an issue a few hours ago, might need your help to iron out the last things19:28
knikollarodrigods: http://paste.openstack.org/show/583135/19:28
rodrigodsknikolla, sure, will need to leave in some minutes but we can continue via email19:28
SpamapSrderose: the composite of user_id+the date field will likely be the best index in every case, if every token submits all the fields into that OR tree19:29
rderoseSpamapS: great19:29
*** ngupta has quit IRC19:29
*** henrynash_ is now known as henrynash19:29
SpamapSsince user_id is the narrowest scope19:29
bknudsonthe query always has all the fields.19:29
bknudsonmost of them will be IS NULL19:29
rodrigodsknikolla, hmm looks like keystoneauth sent "saml2"as auth method19:29
SpamapSoh, so it has "the fields", but not values?19:29
rderoseSpamapS: table may not have the values, but token will19:30
SpamapSOk, so every token is always scoped to a user ID?19:30
rderoseyes19:30
*** wolsen has quit IRC19:30
bknudsoncorrect, if you look at the query http://paste.openstack.org/show/583126/19:30
SpamapSOk, so that's your winner19:30
bknudsonmost of the values will be NULL19:30
*** stevemar has joined #openstack-keystone19:30
*** jefrite has joined #openstack-keystone19:30
SpamapSand it will get slower and slower with any non-user-id revocation events.19:31
bknudsonI think user_id is going to always be set19:31
SpamapSRight, but you have that OR IS NULL19:31
SpamapSso you can match project scoped events, yes?19:31
SpamapSor domain scoped19:31
knikollarodrigods: the documentation is not too great. if you could give the plugin a few spins it would help greatly.19:31
SpamapSone thing that might make more sense is to not have those fields19:32
rodrigodsknikolla, so... saml2 was the name of the auth method in the keystone server19:32
*** mdurrant_ has joined #openstack-keystone19:32
SpamapSand just always write an event for every user ID that exists at the time of revocation19:32
knikollarodrigods: yeah, and the guide says to change keystone.conf for mapped, as mapped includes saml219:32
rodrigodsknikolla, if received a token with saml2 there, the correct provider would take care19:32
openstackgerritArthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs  https://review.openstack.org/37800119:32
rodrigodsknikolla, but... saml2 was deprecated in favor of mapped19:32
SpamapSThat will be a more effective strategy than indexing.19:32
SpamapSbknudson: rderose ^19:32
rodrigodsknikolla, my guess is that keystoneauth hasn't been updated, so it is still sending saml219:32
SpamapSJust stop using project ID and domain ID and denormalize that table.19:32
*** ktychkova_ has quit IRC19:33
rderoseSpamapS: I think ravelar or lbragstad is working on a patch to remove project_id and domain_id19:33
SpamapSwell there you go19:34
SpamapSif you didn't have all those and's19:34
knikollarodrigods: is the url that needs to be changed or the payload?19:34
SpamapSand could drop the is null from the user_id filter19:34
SpamapSthat becomes a _super_ fast query.19:34
*** DinaBelova has quit IRC19:34
SpamapSin fact, you could make it an index-only query19:34
*** htruta has quit IRC19:34
bknudsonSpamapS: yes19:34
bknudsonright, the events typically don't have a user_id !19:34
bknudsonthe token always has a user_id19:34
bknudsonwhen I was testing this I was doing direct token revocations so the audit_id field and the timestamps were set.19:34
bknudsonsample data: http://paste.openstack.org/show/583161/19:34
SpamapSwhich means you never even touch the data rows19:34
bknudsonthis is what your table would look like if your users were using horizon so had lots of token revocations19:34
bknudsonthe table would look different if the revocations were because of project disabling or user password changes or whatever else.19:34
*** ianw has quit IRC19:35
*** freerunner has quit IRC19:35
*** mkoderer__ has quit IRC19:35
*** tonyb has quit IRC19:35
SpamapSaudit_id is what?19:35
*** akscram1 has quit IRC19:35
*** rdo_ has quit IRC19:35
*** pkoraca has quit IRC19:35
*** Marcellin__ has quit IRC19:35
bknudsonSpamapS: every token has an audit_id19:35
*** serverascode has quit IRC19:35
*** DuncanT has quit IRC19:35
*** pleia2 has quit IRC19:35
*** rha has quit IRC19:35
*** cnf has quit IRC19:35
bknudsonit's unique to the token (like the token_id)19:36
SpamapSbknudson: ah, so you can just revoke that one. Makes sense.19:36
*** mdurrant has quit IRC19:36
*** mtreinish has quit IRC19:36
*** AndyWojo has quit IRC19:36
*** arunkant__ has quit IRC19:36
*** vkmc has quit IRC19:36
*** amakarov has quit IRC19:36
*** bigjools has quit IRC19:36
*** akscram1 has joined #openstack-keystone19:36
*** stevemar has quit IRC19:36
*** zzzeek has quit IRC19:36
*** tonyb_ has joined #openstack-keystone19:36
bknudsonthe nice thing about audit_id is you can't use it to authenticate so you can identity a token without giving out auth info19:36
*** amakarov has joined #openstack-keystone19:36
*** mtreinish has joined #openstack-keystone19:36
*** pleia2 has joined #openstack-keystone19:36
*** stevemar has joined #openstack-keystone19:36
*** ianw has joined #openstack-keystone19:36
*** cnf has joined #openstack-keystone19:37
*** freerunner has joined #openstack-keystone19:37
*** vkmc has joined #openstack-keystone19:37
*** arunkant__ has joined #openstack-keystone19:37
SpamapSso, if you could only do user_id and audit_id, plus the issued_before field, then basically your queries are always going to be  WHERE (user_id='foo' OR audit_id='bar') AND issued_before >= '1971-01-01 00:00:00'19:37
bknudsonSpamapS: we don't have to store project_id or domain_id because we can check the db to see if the project is valid.19:37
*** sileht has joined #openstack-keystone19:37
bknudsonsame with role_id, trust_id, consumer_id, access_token_id19:38
bknudsonwe only need user_id because tokens are revoked on password change.19:38
rderoseravelar: ^19:38
*** wolsen has joined #openstack-keystone19:38
SpamapSbknudson: makes sense, and all of those checks are also all single PK reads, which makes them fast. :)19:38
*** htruta has joined #openstack-keystone19:38
bknudsonand memcached19:39
*** DinaBelova has joined #openstack-keystone19:39
rderoseso in this case, I would only need composite index (user_id + issued_before), (audit_id + issued_before)?19:39
rderoseSpamapS: ^19:39
SpamapSbknudson: actually yes, caching is fantastic in PK checks, because PK's are immutable.19:39
*** mkoderer__ has joined #openstack-keystone19:39
*** bigjools has joined #openstack-keystone19:39
*** bigjools has quit IRC19:39
*** bigjools has joined #openstack-keystone19:39
SpamapSso you don't have to worry about complicated invalidation ruining your day19:40
*** rha has joined #openstack-keystone19:40
rderosesweet!19:41
*** med_ has joined #openstack-keystone19:43
SpamapSIdeally there's a single spot to memoize checks from those fields.19:43
*** bknudson has quit IRC19:43
*** med_ is now known as Guest4578919:43
SpamapSrderose: so.. about the indexes19:43
rderose:)19:43
SpamapSrderose: OR's almost never index well together.19:43
SpamapSMySQL does try to do a merge based approach if you OR two fields with similar cardinality.19:43
*** rvba` has quit IRC19:44
*** kfox1111 has quit IRC19:44
SpamapSbut IIRC, it almost never works out well, and has been mostly factored out of the optimizer19:44
SpamapShttp://dev.mysql.com/doc/refman/5.7/en/index-merge-optimization.html19:44
*** wolsen has quit IRC19:44
*** stevemar has quit IRC19:44
*** DinaBelova has quit IRC19:44
*** rha has quit IRC19:44
*** haplo37- has quit IRC19:44
*** mdavidson has quit IRC19:45
*** cnf has quit IRC19:45
*** DinaBelova has joined #openstack-keystone19:45
*** bknudson_ has joined #openstack-keystone19:45
*** ChanServ sets mode: +v bknudson_19:45
*** tonytan_brb has quit IRC19:45
*** vkmc has quit IRC19:45
*** mkoderer__ has quit IRC19:45
*** mkoderer__ has joined #openstack-keystone19:45
*** rha has joined #openstack-keystone19:46
*** vkmc has joined #openstack-keystone19:46
*** ChanServ sets mode: +v henrynash19:46
*** rdo has joined #openstack-keystone19:47
rderoseSpamapS: I se19:47
*** haplo37- has joined #openstack-keystone19:47
rderosee19:47
*** rvba has joined #openstack-keystone19:47
*** rvba has quit IRC19:47
*** rvba has joined #openstack-keystone19:47
rderoseSpamapS bknudson: like the new plan ;)19:48
SpamapSrderose: Unfortunately, my experience has been almost 100% negative with index_merge.19:48
rderosereally19:48
rderoseokay19:49
SpamapSbut, I think the one place it is supposed to be good is on EXISTS queries19:49
SpamapSbecause you don't have to wait for the temp table to be built19:49
*** kfox1111 has joined #openstack-keystone19:49
rderoseI see19:49
*** BlackDex has joined #openstack-keystone19:49
*** cnf has joined #openstack-keystone19:50
SpamapSI think it's worth it though19:50
SpamapSif you can boil things down to just queries that do an OR on user_id and audit_id, plus an AND on issued_before... I think index_merge will happen, and will be fast.19:51
*** ravelar has joined #openstack-keystone19:51
SpamapSpretty easy to test too19:51
*** zzzeek has joined #openstack-keystone19:52
*** stevemar has joined #openstack-keystone19:52
*** artmr_ has quit IRC19:53
rderoseyeah19:53
*** DuncanT has joined #openstack-keystone19:53
SpamapSrderose: ultimately, the idea is to get to a point where you are a gnat buzzing around the tail of the mysql server.. instead of a cowboy trying to saddle and ride it. ;)19:54
*** adrian_otto has joined #openstack-keystone19:54
bknudson_do we want to do this work in a different order? For example, get project_id, etc, out of the revocation events table?19:56
*** wolsen has joined #openstack-keystone19:56
bknudson_** get project_id, etc, out of the revocation events table first?19:56
*** briancurtin has joined #openstack-keystone19:57
*** browne has quit IRC20:02
*** serverascode has joined #openstack-keystone20:03
*** pkoraca has joined #openstack-keystone20:06
*** AndyWojo has joined #openstack-keystone20:07
SpamapSbknudson_: well I think that would be ideal, because it would _massively_ simplify the query20:07
SpamapSyou don't have to do the explicit OR IS NULL's anymore for instance20:07
*** adrian_otto has quit IRC20:09
*** sdake has joined #openstack-keystone20:13
*** adrian_otto has joined #openstack-keystone20:13
*** julim has joined #openstack-keystone20:15
*** julim has quit IRC20:16
rderoseravelar: ^20:16
rderosebknudson: I think so20:17
ravelarthe dropped columns are still WIP, but that's the plan20:18
rderoseravelar: is there a patch already?20:18
ravelarhttps://review.openstack.org/#/c/371083/420:19
ravelarhttps://review.openstack.org/#/c/285134/ which has been picked up again20:19
ravelarrecent20:19
rderosebknudson SpamapS ^20:19
SpamapSbtw you don't have to drop the columns to stop using them. :)20:20
SpamapS(dropping columns breaks online upgrades, so I suggest not doing that)20:20
rderoseravelar: are you taking over 285134?20:20
rderosetrue20:20
ravelarlance method should do that without having to drop anything SpamapS20:20
*** tonytan4ever has joined #openstack-keystone20:21
*** code-R has quit IRC20:21
*** mrsoul has quit IRC20:21
*** code-R has joined #openstack-keystone20:21
*** topol has quit IRC20:22
*** rvba` has joined #openstack-keystone20:22
*** frickler has quit IRC20:22
*** bknudson has joined #openstack-keystone20:22
*** ChanServ sets mode: +v bknudson20:22
*** mkoderer___ has joined #openstack-keystone20:22
*** pkoraca has quit IRC20:22
*** wolsen has quit IRC20:22
*** DuncanT has quit IRC20:22
*** bknudson_ has quit IRC20:22
*** rvba has quit IRC20:23
*** DinaBelova has quit IRC20:23
*** lamt has quit IRC20:23
*** sdake_ has joined #openstack-keystone20:23
SpamapSravelar: lance method?20:23
*** mrsoul has joined #openstack-keystone20:23
*** zzzeek has quit IRC20:23
*** vkmc has quit IRC20:23
ravelar SpamapS https://review.openstack.org/#/c/371083/20:23
*** mkoderer__ has quit IRC20:24
*** rdo has quit IRC20:24
*** sdake has quit IRC20:24
*** arunkant__ has quit IRC20:24
*** ravelar has quit IRC20:24
*** rdo has joined #openstack-keystone20:24
*** vkmc has joined #openstack-keystone20:24
*** gyee has joined #openstack-keystone20:24
*** ChanServ sets mode: +v gyee20:24
*** DinaBelova has joined #openstack-keystone20:25
*** ravelar has joined #openstack-keystone20:25
*** asettle has joined #openstack-keystone20:26
*** zzzeek has joined #openstack-keystone20:27
*** arunkant__ has joined #openstack-keystone20:27
*** topol_ has joined #openstack-keystone20:28
*** ravelar1 has joined #openstack-keystone20:30
*** ngupta_ has quit IRC20:31
stevemarSpamapS: lance method's are the best kind of methods20:32
*** AndyWojo has quit IRC20:32
*** serverascode has quit IRC20:32
*** briancurtin has quit IRC20:32
*** DinaBelova has quit IRC20:32
SpamapSstevemar: obviously20:32
*** ngupta has joined #openstack-keystone20:32
*** DinaBelova2 has joined #openstack-keystone20:33
*** topol_ has quit IRC20:33
*** ravelar has quit IRC20:33
*** vkmc has quit IRC20:33
*** rdo has quit IRC20:33
*** topol__ has joined #openstack-keystone20:33
*** rdo has joined #openstack-keystone20:33
*** rakhmerov has quit IRC20:33
*** DinaBelova2 is now known as DinaBelova20:33
*** vkmc has joined #openstack-keystone20:34
*** sc68cal_ is now known as sc68cal20:35
*** rakhmerov has joined #openstack-keystone20:36
*** ngupta has quit IRC20:37
*** frickler has joined #openstack-keystone20:37
*** browne has joined #openstack-keystone20:38
*** DuncanT has joined #openstack-keystone20:39
*** wolsen has joined #openstack-keystone20:39
*** code-R has quit IRC20:42
*** ezpz has quit IRC20:43
*** rakhmerov__ has joined #openstack-keystone20:43
*** rakhmerov has quit IRC20:43
*** serverascode has joined #openstack-keystone20:43
*** mdurrant__ has joined #openstack-keystone20:44
*** nkinder has quit IRC20:44
*** Anticimex has quit IRC20:44
*** DinaBelova has quit IRC20:45
*** DinaBelova2 has joined #openstack-keystone20:45
*** DinaBelova2 is now known as DinaBelova20:46
*** DuncanT has quit IRC20:46
*** wolsen has quit IRC20:46
*** sdake_ has quit IRC20:46
*** jamielennox has quit IRC20:46
*** vkmc has quit IRC20:46
*** rha has quit IRC20:46
*** Anticime1 has joined #openstack-keystone20:46
*** mdurrant_ has quit IRC20:47
*** sdake has joined #openstack-keystone20:47
*** briancurtin has joined #openstack-keystone20:47
*** rha has joined #openstack-keystone20:47
*** rha has quit IRC20:47
*** rha has joined #openstack-keystone20:47
*** nkinder has joined #openstack-keystone20:48
*** lamt has joined #openstack-keystone20:49
*** vkmc has joined #openstack-keystone20:50
*** brad[] has joined #openstack-keystone20:50
*** gagehugo has quit IRC20:51
*** jamielennox has joined #openstack-keystone20:51
*** ChanServ sets mode: +v jamielennox20:51
*** pkoraca has joined #openstack-keystone20:53
*** AndyWojo has joined #openstack-keystone20:53
*** raildo has quit IRC20:56
*** wolsen has joined #openstack-keystone20:56
*** DuncanT has joined #openstack-keystone20:57
*** adrian_otto has quit IRC21:00
*** adrian_otto has joined #openstack-keystone21:03
*** code-R has joined #openstack-keystone21:04
*** ddieterly has joined #openstack-keystone21:05
*** chris_hultin is now known as chris_hultin|AWA21:06
*** woodburn1 has quit IRC21:08
*** ngupta has joined #openstack-keystone21:09
*** ngupta has quit IRC21:11
*** ngupta has joined #openstack-keystone21:12
*** code-R has quit IRC21:17
*** ddieterly is now known as ddieterly[away]21:18
*** ddieterly[away] is now known as ddieterly21:21
*** sdake has quit IRC21:22
*** ngupta has quit IRC21:22
*** woodburn has joined #openstack-keystone21:23
*** ngupta has joined #openstack-keystone21:23
*** spilla has quit IRC21:31
openstackgerritBrant Knudson proposed openstack/keystone: WIP - Validate project exists and enabled directly  https://review.openstack.org/37804721:39
rderosebknudson: nice!21:41
*** gagehugo has joined #openstack-keystone21:42
*** ngupta has quit IRC21:42
bknudsonrderose: lots of work left.21:43
*** ngupta has joined #openstack-keystone21:43
rderosebknudson: yeah21:46
rderosebknudson: the only thing that gives me pause, is that we're now doing extra sql calls21:47
*** spzala has quit IRC21:47
rderosebknudson: to check for project, domain, role21:47
rderosebknudson: but I suppose with caching, it won't matter21:47
*** spzala has joined #openstack-keystone21:48
*** ngupta has quit IRC21:48
bknudsonrderose: that's the hope is that the project , domain, etc., data will be cached.21:48
rderoseyeah, cool21:49
rderosethis should work21:49
*** adrian_otto has quit IRC21:49
bknudsonnext steps are like:21:49
bknudson2) Change the revocation event code to stop checking project, etc.21:49
bknudson3) Create a new table for project_id, etc., revocation events21:50
rderosebknudson: are you planning to check if the user still has the role as well?21:50
bknudson4) When revocation event is for project_id, etc., put it to the new table rather than the old one.21:50
bknudson5) When done with old version of code, remove columns from old table.21:50
rderoseah, I see21:50
bknudson6) Change list revoke events to get from the other table, too21:50
rderosebknudson: why the new table?21:51
bknudsonrderose: the list events API needs to still return those events.21:52
bknudsonbut checking for revoked doesn't need to21:52
rderoseI see21:52
bknudsonso list events API can just UNION the 2 tables.21:52
*** spzala has quit IRC21:52
rderosethat makes sense21:53
rderosebreak the revocation_event table up21:53
rderosewill this patch include roles assignments as well?21:53
bknudsonrderose: I figured I'd put all the checks in this patch, unless it gets too hairy21:54
bknudsonAlthough I could also put those in follow-on patches so maybe that's better.21:54
rderosebknudson: sweet!21:55
*** slberger has left #openstack-keystone21:55
*** tonyb_ is now known as tonyb21:56
rderosebknudson: so the patch that ravelar is working on, he could just check for (user_id or audit_id) and issued_before?  What are your thoughts there?21:57
bknudsonrderose: it'll still have to check for revocations due to the user password changing and for direct token revocation21:58
rderosebknudson: perfect21:58
bknudsonso, right, user_id, audit_id, audit_chain_id.21:58
rderoseravelar: ^21:59
rderoseravelar: sound good?21:59
rderosewoops, ravelar1 ^21:59
ravelar1rderose bknudson, that works for me. I can update the code to support the proposed patch of reducing revocation event22:01
ravelar1bknudson, just looked at the review, this is going to be a good one22:01
rderoseravelar1: and you'll like have your patch depend on bknudson's patch22:02
rderose*likely22:02
rodrigodsjust saw bknudson patch22:03
bknudsonrderose: ravelar1: created an etherpad: https://etherpad.openstack.org/p/key_revocation_event_cleanup22:03
rodrigodscan we do the same for domains?22:03
rodrigodsdisabled domains22:04
bknudsonI don't know if I'm going to have time to finish all of this.22:04
bknudsonrodrigods: yes, we'll also need domains.22:04
*** iurygregory_ has joined #openstack-keystone22:04
rodrigods++22:04
bknudsonI just wanted to see if it would work and put up a Proof-of-concept22:04
bknudsonmaybe ravelar1 or rderose or someone can pick this up and add the rest?22:04
rderosebknudson: yeah, sounds good22:05
ravelar1bknudson ++22:05
*** asettle has quit IRC22:09
rderosebknudson ravelar: once 1 and 2 done, we should still see big performance improvements22:10
rderose3-6 really just improves the design22:11
*** haplo37- has quit IRC22:12
*** haplo37- has joined #openstack-keystone22:14
*** ravelar1 has quit IRC22:20
*** Guest45789 is now known as med_22:22
*** med_ has quit IRC22:23
*** med_ has joined #openstack-keystone22:23
*** spzala has joined #openstack-keystone22:33
*** ngupta has joined #openstack-keystone22:44
*** ngupta has quit IRC22:44
*** roxanaghe has joined #openstack-keystone22:44
*** ngupta has joined #openstack-keystone22:44
*** gagehugo has quit IRC22:44
*** ddieterly is now known as ddieterly[away]22:44
*** roxanaghe has quit IRC22:45
*** roxanaghe has joined #openstack-keystone22:46
*** frontrunner2 has quit IRC22:47
*** ngupta has quit IRC22:49
*** alex_xu has quit IRC22:50
*** ChanServ sets mode: +o stevemar22:52
*** alex_xu has joined #openstack-keystone22:52
*** gagehugo has joined #openstack-keystone22:54
*** sdake has joined #openstack-keystone22:56
*** sdake_ has joined #openstack-keystone22:58
*** ddieterly[away] is now known as ddieterly22:58
*** ddieterly is now known as ddieterly[away]22:59
*** ddieterly[away] has quit IRC22:59
*** nicolasbock has quit IRC23:01
*** sdake has quit IRC23:01
*** nicolasbock has joined #openstack-keystone23:02
*** lamt has quit IRC23:10
*** Gorian|work has quit IRC23:17
*** adrian_otto has joined #openstack-keystone23:18
*** markvoelker has quit IRC23:19
*** ddieterly has joined #openstack-keystone23:29
*** ddieterly is now known as ddieterly[away]23:31
*** EinstCrazy has joined #openstack-keystone23:47
*** EinstCrazy has quit IRC23:48
*** ddieterly[away] is now known as ddieterly23:49
*** guoshan has joined #openstack-keystone23:49
*** frontrunner has joined #openstack-keystone23:49
*** tonytan4ever has quit IRC23:55
*** spzala has quit IRC23:55
*** spzala_ has joined #openstack-keystone23:59
« Monday, 2016-09-26 Index Wednesday, 2016-09-28 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!