Thursday, 2016-10-20

*** asettle has joined #openstack-keystone		00:00
*** LiYuenan has joined #openstack-keystone		00:04
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Add testscenarios to test-requirements https://review.openstack.org/388943	00:04
*** asettle has quit IRC		00:04
jamielennox	stevemar: required: ^	00:04
jamielennox	oh, wait, hmm	00:12
*** spzala has joined #openstack-keystone		00:13
*** spzala has quit IRC		00:18
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Don't use private testtools.test module https://review.openstack.org/388945	00:24
jamielennox	stevemar, morgan: unbreak CI tests ^	00:25
*** spzala has joined #openstack-keystone		00:26
*** ravelar has joined #openstack-keystone		00:26
*** guoshan has joined #openstack-keystone		00:29
*** ravelar has quit IRC		00:30
*** agrebennikov has quit IRC		00:31
*** agrebennikov_ has joined #openstack-keystone		00:31
*** spzala has quit IRC		00:32
*** edmondsw has quit IRC		00:46
*** hoangcx has joined #openstack-keystone		00:49
*** gagehugo has quit IRC		00:49
*** Zer0Byte__ has joined #openstack-keystone		00:49
*** david-lyle_ has joined #openstack-keystone		00:51
*** david-lyle has quit IRC		00:54
*** guoshan has quit IRC		00:55
*** spzala has joined #openstack-keystone		00:59
*** kiran-r has joined #openstack-keystone		01:02
*** kiran-r has quit IRC		01:08
*** agrebennikov_ has quit IRC		01:15
*** gyee has quit IRC		01:18
openstackgerrit	Merged openstack/python-keystoneclient: [doc] remove auth plugin docs https://review.openstack.org/388882	01:20
*** spzala has quit IRC		01:26
*** wangqun has joined #openstack-keystone		01:35
*** scarlisle has quit IRC		01:35
*** davechen has joined #openstack-keystone		01:41
*** nk2527 has quit IRC		01:48
*** r-daneel has quit IRC		01:48
*** tqtran has quit IRC		02:06
stevemar	jamielennox: i go away for a few minutes and you do wat!	02:13
jamielennox	stevemar: pshh, that was hours ago	02:14
stevemar	jamielennox: we need another release of ksa?	02:14
jamielennox	i can do so much worse in hours	02:14
stevemar	just catching up, i was out looking for your cookies	02:14
jamielennox	stevemar: umm - maybe	02:14
openstackgerrit	Merged openstack/keystoneauth: Don't use private testtools.test module https://review.openstack.org/388945	02:14
*** scarlisle has joined #openstack-keystone		02:14
jamielennox	stevemar: lol, really? don't worry too much, i assumed they'd be everywhere	02:15
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: Show deprecation warning and limit features for KSC session https://review.openstack.org/387733	02:15
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: Allow setting client_name, client_version on adapter https://review.openstack.org/387734	02:15
jamielennox	i thought recheck might be enough there	02:15
jamielennox	stevemar: i'm not sure if ksa requires a release there, it might be a problem if you're running tests with the new oslotest	02:20
stevemar	jamielennox: maybe? i'm not sure, but a rebase definitely does the trick	02:20
jamielennox	stevemar: but if we get those in i'm happy to see a release anyway	02:20
stevemar	yarg	02:20
stevemar	i'll ask for one tomorrow	02:21
stevemar	the osc-lib patches will need a newer minimum version	02:21
stevemar	bbl	02:21
*** spzala has joined #openstack-keystone		02:27
*** LiYuenan has quit IRC		02:32
*** scarlisle has quit IRC		02:42
*** spzala has quit IRC		02:43
*** catintheroof has joined #openstack-keystone		02:52
catintheroof	hi guys, quick question, if for example I have an API in-house that holds the "users" of the cloud, and I want keystone to use that API to authenticate the users, conceptually, I need to code an auth plugin? and identity package? or enable federation and use ( in some way ) that API as idP ?	02:55
*** catintheroof has quit IRC		02:56
*** catintheroof has joined #openstack-keystone		02:57
*** Zer0Byte__ has quit IRC		02:57
catintheroof	hi guys, quick question , suppose I have an API that holds the users of the cloud, an API that I also use for authenticate, if I want to use keystone to call that API and learn how to read those users and authenticate them, do I need to either code an auth plugin? code an identity backend? or enable federation and code new idP that knows how to deal with this API?	03:02
dstanek	catintheroof: does your API use some standard federation protocols?	03:09
*** david-lyle_ has quit IRC		03:23
*** david-lyle has joined #openstack-keystone		03:23
*** dave-mccowan has quit IRC		03:27
*** phalmos has quit IRC		03:29
openstackgerrit	Merged openstack/keystoneauth: Allow setting client_name, client_version on adapter https://review.openstack.org/387734	03:52
openstackgerrit	Merged openstack/keystoneauth: Show deprecation warning and limit features for KSC session https://review.openstack.org/387733	04:01
*** richm1 has joined #openstack-keystone		04:04
*** richm has quit IRC		04:05
*** GB21 has joined #openstack-keystone		04:07
*** GB21 has quit IRC		04:12
*** links has joined #openstack-keystone		04:23
*** GB21 has joined #openstack-keystone		04:25
*** links has quit IRC		04:27
*** code-R has joined #openstack-keystone		04:31
*** jdennis has quit IRC		04:34
stevemar	jamielennox: easy https://review.openstack.org/#/c/388618/2	04:35
*** jdennis has joined #openstack-keystone		04:36
jamielennox	stevemar: done	04:37
jamielennox	stevemar: cookie success?	04:37
stevemar	nah, didn't actually venture to the shop, had family stuff to do	04:38
stevemar	jamielennox: i literally live across the street from a grocery store, it makes me lazy	04:39
jamielennox	stevemar: heh, my sister is like that, has 1 night of food in the house at a time	04:39
stevemar	jamielennox: thats currently the situation here, especially since we're traveling in 36 hours	04:40
*** code-R_ has joined #openstack-keystone		04:41
*** code-R has quit IRC		04:41
*** spzala has joined #openstack-keystone		04:44
*** spzala has quit IRC		04:48
*** markvoelker_ has quit IRC		04:49
*** haplo37_ has quit IRC		04:51
*** haplo37_ has joined #openstack-keystone		04:53
*** sfilatov has joined #openstack-keystone		04:57
*** sfilatov has quit IRC		05:02
breton	stevemar: https://www.openstack.org/project-mascots	05:04
breton	morning, keystone	05:04
*** jaosorior has joined #openstack-keystone		05:09
stevemar	breton: ah	05:10
stevemar	breton: well damn	05:11
stevemar	ctrl+z ? :)	05:11
breton	stevemar: https://www.youtube.com/watch?v=JmMTCWyY8Y4&feature=youtu.be you seen this?	05:11
stevemar	breton: yeah, tried to find the keystone one, couldn't	05:11
stevemar	breton: i still don't have the draft image, maybe i'm not actually ptl o_O	05:11
stevemar	"I'm reaching out to the PTLs individually to share your team's draft logo"	05:12
breton	stevemar: it's not even in the list when the list gets scrolled	05:15
* breton likes how ">" in mplayer moves just one frame forward		05:16
stevemar	i also took many looks at that list	05:16
openstackgerrit	Merged openstack/python-keystoneclient: Updated coverage configuration file https://review.openstack.org/388618	05:17
*** sfilatov has joined #openstack-keystone		05:20
*** sfilatov has quit IRC		05:23
*** sfilatov has joined #openstack-keystone		05:24
openstackgerrit	Merged openstack/python-keystoneclient: TrivialFix: Using assertIsNone() instead of assertEqual(None) https://review.openstack.org/377190	05:24
*** sfilatov has quit IRC		05:27
*** sfilatov has joined #openstack-keystone		05:27
openstackgerrit	Merged openstack/python-keystoneclient: Enable release notes translation https://review.openstack.org/383374	05:27
*** markvoelker_ has joined #openstack-keystone		05:30
*** LiYuenan has joined #openstack-keystone		05:31
*** richm1 has quit IRC		05:39
*** markvoelker_ has quit IRC		05:46
*** Dave____ has joined #openstack-keystone		05:47
*** sfilatov has quit IRC		05:53
*** Dave has quit IRC		05:56
*** pcaruana has joined #openstack-keystone		06:18
*** tqtran has joined #openstack-keystone		06:19
*** voelzmo has joined #openstack-keystone		06:21
*** tqtran has quit IRC		06:23
*** voelzmo has quit IRC		06:41
*** code-R_ has quit IRC		06:53
stevemar	jamielennox: 2014! https://review.openstack.org/#/c/141614/	06:53
*** code-R has joined #openstack-keystone		06:53
stevemar	jamielennox: is everything in ^ necessary, seems like some refactoring was thrown in	06:56
stevemar	jamielennox: nvm, it's good	06:57
stevemar	just had to do a lot of back and forth	06:57
*** sfilatov has joined #openstack-keystone		06:59
*** voelzmo has joined #openstack-keystone		07:03
*** sfilatov has quit IRC		07:04
*** sfilatov has joined #openstack-keystone		07:04
*** voelzmo has quit IRC		07:09
*** belmoreira has joined #openstack-keystone		07:09
*** tqtran has joined #openstack-keystone		07:10
*** tesseract has joined #openstack-keystone		07:11
*** tesseract is now known as Guest14069		07:12
*** pnavarro has joined #openstack-keystone		07:15
*** amoralej\|off is now known as amoralej		07:21
*** code-R has quit IRC		07:28
*** spzala has joined #openstack-keystone		07:29
*** spzala has quit IRC		07:34
openstackgerrit	Merged openstack/keystonemiddleware: Add service token to user token plugin https://review.openstack.org/141614	07:40
jamielennox	stevemar: it's my oldest active patch	07:42
*** Zer0Byte__ has joined #openstack-keystone		07:43
openstackgerrit	melissaml proposed openstack/python-keystoneclient: TrivialFix: Remove default=None when set value in Config https://review.openstack.org/389046	07:49
LiYuenan	Hi guys	07:51
LiYuenan	I have a 401 error when I create project.	07:52
LiYuenan	root@host1:/# openstack project create --domain default --description "Test Project" Test	07:52
LiYuenan	The request you have made requires authentication. (HTTP 401) (Request-ID: req-752cff03-589a-4817-90cf-0860dcf05a2f)	07:52
LiYuenan	I use fernet keys and abandon admin_token	07:52
*** sfilatov_ has joined #openstack-keystone		07:53
*** sfilatov has quit IRC		07:56
*** voelzmo has joined #openstack-keystone		07:57
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** voelzmo has quit IRC		08:03
*** asettle has joined #openstack-keystone		08:04
*** david-lyle_ has joined #openstack-keystone		08:07
*** david-lyle has quit IRC		08:09
*** jrist has quit IRC		08:09
*** jrist has joined #openstack-keystone		08:11
*** voelzmo has joined #openstack-keystone		08:11
*** qwertyco has joined #openstack-keystone		08:11
morgan	LiYuenan: either you have not sourced your openrc file, have not provided the correct information in your clouds.yaml file, or need to add the proper auth flags to the command line	08:14
*** Dave____ is now known as Dave		08:14
*** Zer0Byte__ has quit IRC		08:15
LiYuenan	morgan: I fine that the OS_PASSWORD in my admin-openrc.sh is wrong. Thx :)	08:17
*** markvoelker has joined #openstack-keystone		08:19
*** tqtran has quit IRC		08:21
morgan	LiYuenan: np! happy to help	08:32
*** hoangcx has quit IRC		08:32
*** hoangcx has joined #openstack-keystone		08:32
*** sfilatov_ has quit IRC		08:34
*** haplo37_ has quit IRC		08:40
*** haplo37_ has joined #openstack-keystone		08:42
*** spzala has joined #openstack-keystone		08:43
*** davechen has left #openstack-keystone		08:43
*** spzala has quit IRC		08:47
*** code-R has joined #openstack-keystone		08:48
*** code-R_ has joined #openstack-keystone		08:49
openstackgerrit	Shan Guo proposed openstack/keystone: log.error use _LE of i18n https://review.openstack.org/389070	08:50
*** code-R has quit IRC		08:52
*** woodster_ has quit IRC		08:55
breton	morgan: are you in Barcelona already?	09:00
morgan	breton: i wont be going to barcelona	09:14
morgan	i'm still on the west coast of the US and will be staying here instead of going to the summit	09:15
*** hoangcx has quit IRC		09:15
breton	morgan: :(	09:28
*** sfilatov has joined #openstack-keystone		09:30
*** ganeshk has joined #openstack-keystone		09:32
ganeshk	Hi breton	09:32
ganeshk	breton: 'nova-compute' on the controller is going down repeatedly in kilo	09:32
*** markvoelker has quit IRC		09:39
*** spzala has joined #openstack-keystone		09:41
*** jaosorior has quit IRC		09:44
*** jaosorior has joined #openstack-keystone		09:44
*** spzala has quit IRC		09:45
*** sfilatov has quit IRC		09:48
breton	ganeshk: hi. You should probably ask about nova in #openstack-nova, because i have experience only with keystone	09:49
*** sfilatov has joined #openstack-keystone		09:50
ganeshk	breton: Ok. Thank you	09:51
*** wangqun has quit IRC		09:52
*** sfilatov has quit IRC		10:07
*** jpich has joined #openstack-keystone		10:10
*** sfilatov has joined #openstack-keystone		10:13
*** sfilatov has quit IRC		10:21
*** sfilatov has joined #openstack-keystone		10:21
catintheroof	hi guys, quick question , suppose I have an API that holds the users of the cloud, an API that I also use for authenticate, if I want to use keystone to call that API and learn how to read those users and authenticate them, do I need to either code an auth plugin? code an identity backend? or enable federation and code new idP that knows how to deal with this API?	10:31
*** markvoelker has joined #openstack-keystone		10:37
*** code-R_ has quit IRC		10:54
*** asettle has quit IRC		10:54
*** asettle has joined #openstack-keystone		10:58
*** asettle has quit IRC		10:59
*** code-R has joined #openstack-keystone		11:01
*** markvoelker_ has joined #openstack-keystone		11:07
*** guoshan has joined #openstack-keystone		11:08
*** markvoelker has quit IRC		11:11
*** sfilatov has quit IRC		11:12
catintheroof	stevemar: morning! quick question , suppose I have an API that holds the users of the cloud, an API that I also use for authenticate, if I want to use keystone to call that API and learn how to read those users and authenticate them, do I need to either code an auth plugin? code an identity backend? or enable federation and code new idP that knows how to deal with this API?	11:14
breton	coding an idp sounds better to me	11:15
breton	with idp you won't have any problems with us changing our driver interfaces	11:17
*** qwertyco has quit IRC		11:42
*** nicolasbock has joined #openstack-keystone		11:49
catintheroof	breton: what does it mean to code an idp? can you please expand? i would love to understand the concepts	11:49
*** aloga_ has joined #openstack-keystone		11:55
*** catintheroof has quit IRC		12:01
*** catintheroof has joined #openstack-keystone		12:02
*** code-R has quit IRC		12:02
*** guoshan has quit IRC		12:04
*** sfilatov has joined #openstack-keystone		12:07
*** edmondsw has joined #openstack-keystone		12:08
*** amoralej is now known as amoralej\|lunch		12:08
*** guoshan has joined #openstack-keystone		12:12
*** markvoelker has joined #openstack-keystone		12:12
*** markvoelker_ has quit IRC		12:16
*** sfilatov has quit IRC		12:16
*** sfilatov has joined #openstack-keystone		12:17
*** lamt has joined #openstack-keystone		12:17
*** nk2527 has joined #openstack-keystone		12:17
*** aloga_ has quit IRC		12:17
*** aloga_ has joined #openstack-keystone		12:18
*** zhugaoxiao has quit IRC		12:18
*** zhugaoxiao has joined #openstack-keystone		12:19
*** maticue has joined #openstack-keystone		12:25
*** mvk has quit IRC		12:26
*** nk2527 has quit IRC		12:29
*** GB21 has quit IRC		12:36
*** richm has joined #openstack-keystone		12:41
*** rcernin has joined #openstack-keystone		12:53
*** sfilatov has quit IRC		12:54
*** sfilatov has joined #openstack-keystone		12:55
*** mvk has joined #openstack-keystone		12:57
*** lamt has quit IRC		12:58
*** jaosorior is now known as jaosorior_brb		13:01
*** gagehugo has joined #openstack-keystone		13:01
catintheroof	breton: what does it mean to code an idp? can you please expand? i would love to understand the concepts	13:02
*** sfilatov has quit IRC		13:07
*** sfilatov has joined #openstack-keystone		13:07
*** code-R has joined #openstack-keystone		13:07
*** jistr is now known as jistr\|biab		13:08
dstanek	catintheroof: if your system doesn't support federation protocols then at a minimun you'll need to write an identity backend	13:09
*** richm1 has joined #openstack-keystone		13:10
*** richm has quit IRC		13:10
*** jistr\|biab is now known as jistr		13:11
*** code-R_ has joined #openstack-keystone		13:13
*** adrian_otto has joined #openstack-keystone		13:14
dstanek	catintheroof: you'll only need an auth plugin if you have a completely different way to auth (not using passwork, totp, etc)	13:14
*** catintheroof has quit IRC		13:16
*** code-R has quit IRC		13:16
*** guoshan has quit IRC		13:19
*** nicolasbock has quit IRC		13:23
*** nicolasbock has joined #openstack-keystone		13:27
*** gagehugo has quit IRC		13:30
*** billiebobthorty has joined #openstack-keystone		13:33
*** sfilatov has quit IRC		13:35
*** code-R_ has quit IRC		13:35
*** nicolasbock has quit IRC		13:39
*** amoralej\|lunch is now known as amoralej		13:43
*** asettle has joined #openstack-keystone		13:43
*** gagehugo has joined #openstack-keystone		13:47
*** asettle has quit IRC		13:47
*** sfilatov has joined #openstack-keystone		13:50
*** guoshan has joined #openstack-keystone		13:52
*** gagehugo_ has joined #openstack-keystone		13:53
*** gagehugo has quit IRC		13:53
*** asettle has joined #openstack-keystone		13:55
*** guoshan has quit IRC		13:56
*** lamt has joined #openstack-keystone		14:01
*** spzala has joined #openstack-keystone		14:01
*** nicolasbock has joined #openstack-keystone		14:01
*** belmorei_ has joined #openstack-keystone		14:02
*** adrian_otto has quit IRC		14:02
*** scarlisle has joined #openstack-keystone		14:03
*** belmoreira has quit IRC		14:04
*** jaosorior_brb is now known as jaosorior		14:05
*** gagehugo has joined #openstack-keystone		14:06
*** gagehugo_ has quit IRC		14:07
*** lamt has quit IRC		14:07
*** code-R has joined #openstack-keystone		14:08
*** lamt has joined #openstack-keystone		14:09
*** gagehugo has quit IRC		14:11
*** gagehugo has joined #openstack-keystone		14:12
*** code-R_ has joined #openstack-keystone		14:12
*** code-R has quit IRC		14:15
*** agrebennikov_ has joined #openstack-keystone		14:17
*** lamt has quit IRC		14:17
*** gagehugo has quit IRC		14:18
*** thebloggu has joined #openstack-keystone		14:18
*** gagehugo has joined #openstack-keystone		14:19
*** spilla has joined #openstack-keystone		14:31
*** code-R_ has quit IRC		14:37
*** code-R has joined #openstack-keystone		14:37
*** ravelar has joined #openstack-keystone		14:39
*** chris_hultin\|AWA is now known as chris_hultin		14:39
spilla	stevemar: quick question, for https://review.openstack.org/#/c/385028/6, was the cert from ca.pem supposed to go under "Show Signing Certificate"? Or should it be the cert from signing_cert.pem?	14:40
*** jaugustine has joined #openstack-keystone		14:42
stevemar	spilla: lemme see	14:43
stevemar	spilla: hmm	14:44
stevemar	spilla: i guess flip them around? use the content of ca.pem for "Show CA" and use signing_cert for the "Show Signing Cert"	14:45
*** sfilatov has quit IRC		14:46
spilla	stevemar: ok will do. I was using http://docs.openstack.org/admin-guide/identity-certificates-for-pki.html as a reference and wanted to make sure I understood. Thanks! :)	14:46
*** belmorei_ has quit IRC		14:53
*** spzala has quit IRC		14:53
*** sfilatov has joined #openstack-keystone		14:54
*** prashkre has joined #openstack-keystone		14:55
*** phalmos has joined #openstack-keystone		14:55
*** sfilatov has quit IRC		14:56
*** sfilatov has joined #openstack-keystone		14:56
*** nicolasbock has quit IRC		14:56
*** sfilatov has joined #openstack-keystone		14:57
*** nicolasbock has joined #openstack-keystone		14:58
*** sfilatov has quit IRC		14:59
*** belmoreira has joined #openstack-keystone		14:59
*** belmoreira has quit IRC		14:59
*** sfilatov has joined #openstack-keystone		14:59
*** voelzmo has quit IRC		15:02
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove new_id() in test_revoke https://review.openstack.org/389241	15:04
*** r-daneel has joined #openstack-keystone		15:04
*** aswadr_ has joined #openstack-keystone		15:06
*** prashkre has quit IRC		15:06
*** sfilatov has quit IRC		15:10
*** nicolasbock has quit IRC		15:11
ravelar	stevemar I have a question about a couple of the comments on https://review.openstack.org/#/c/387548/4/keystone/tests/unit/test_revoke.py	15:20
stevemar	ravelar: yo	15:20
*** spzala has joined #openstack-keystone		15:20
ravelar	having events=None come before token_data yeilds a syntax error non-default argument follows default. I just wanted to clarify what you meant on line 116?	15:21
stevemar	ravelar: ah right, you can probably set events=None and token_data=None though?	15:21
stevemar	or refactor it first, then apply the follow on	15:22
ravelar	but wouldn't token_data always need to be present in order to use list_events for check_token?	15:22
ravelar	or is it fine either way?	15:22
*** nicolasbock has joined #openstack-keystone		15:24
ravelar	stevemar, the reason that events is even a parameter in the assert method is because some of the methods use event = [] which essentially just makes the revoked events into a list instead of using the actual revoke_api methods to put them in the database	15:25
stevemar	ravelar: why not propose a patch where you flip the args around first? just a straight refactoring	15:26
ravelar	stevemar, so I could just refactor it to actually test the db revocation events rather then add them to a created list and therefore, remove the needs of an event parameter altogether?	15:26
*** aloga_ has quit IRC		15:26
ravelar	stevemar cause the tests didn't need to create an empty list posing as events when it would get the events from the actual database with list_events. But I definitely see what you are saying. If I leave it as is then I could pass in an empty list instead.	15:27
ravelar	but the only reason they were flipped is because I didn't have a need for an event list and having it as a placeholder forces it to come after a default like token_data	15:28
ravelar	stevemar what do you suggest?	15:29
stevemar	ravelar: yep, i get why they are flipped, i just ask that you do the flipping in a separate patch (since it's unrelated to the bug -- sort of)	15:29
stevemar	or if can be handled separately	15:29
ravelar	I could have them as both placeholders and keep them in the same order like you suggested	15:30
*** code-R has quit IRC		15:33
*** spzala has quit IRC		15:37
*** billiebobthorty has quit IRC		15:38
*** nicolasbock has quit IRC		15:39
*** jaosorior has quit IRC		15:44
*** spzala has joined #openstack-keystone		15:46
*** spzala has quit IRC		15:50
*** aloga_ has joined #openstack-keystone		15:52
*** rcernin has quit IRC		15:52
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	15:55
knikolla	o/	15:56
*** ganeshk has quit IRC		15:56
*** Guest14069 has quit IRC		15:59
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	15:59
*** david-lyle_ is now known as david-lyle		16:01
*** AlexeyAbashkin has quit IRC		16:01
*** jpich has quit IRC		16:04
*** GB21 has joined #openstack-keystone		16:04
*** tqtran has joined #openstack-keystone		16:06
*** voelzmo has joined #openstack-keystone		16:07
*** pjm6 has quit IRC		16:07
*** nicolasbock has joined #openstack-keystone		16:09
*** pjm6 has joined #openstack-keystone		16:11
*** voelzmo has quit IRC		16:12
*** voelzmo has joined #openstack-keystone		16:12
*** voelzmo has quit IRC		16:17
*** GB21 has quit IRC		16:18
*** openstackgerrit has quit IRC		16:18
*** openstackgerrit has joined #openstack-keystone		16:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: Use issue_v3_token instead of issue_v2_token https://review.openstack.org/386665	16:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: refactor the token controller https://review.openstack.org/386726	16:20
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v2_token https://review.openstack.org/386762	16:20
*** simondodsley has joined #openstack-keystone		16:22
*** phalmos has quit IRC		16:24
*** aloga_ has quit IRC		16:25
*** aloga_ has joined #openstack-keystone		16:25
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	16:25
*** lamt has joined #openstack-keystone		16:26
*** jaugustine has quit IRC		16:27
*** gagehugo_ has joined #openstack-keystone		16:28
openstackgerrit	Samuel Pilla proposed openstack/keystone: Document OS-SIMPLE-CERT Routes https://review.openstack.org/385028	16:28
*** asettle has quit IRC		16:29
*** gagehugo has quit IRC		16:31
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	16:40
*** prashkre has joined #openstack-keystone		16:41
*** mvk has quit IRC		16:45
*** AlexeyAbashkin has joined #openstack-keystone		16:49
*** AlexeyAbashkin has quit IRC		16:49
*** aloga_ has quit IRC		16:51
*** sfilatov has joined #openstack-keystone		16:52
*** AlexeyAbashkin has joined #openstack-keystone		16:54
*** browne has joined #openstack-keystone		16:58
*** aloga_ has joined #openstack-keystone		17:03
*** Zer0Byte__ has joined #openstack-keystone		17:07
*** sfilatov has quit IRC		17:17
*** jaugustine has joined #openstack-keystone		17:17
*** phalmos has joined #openstack-keystone		17:18
*** sfilatov has joined #openstack-keystone		17:20
*** voelzmo has joined #openstack-keystone		17:20
*** sfilatov_ has joined #openstack-keystone		17:21
*** aloga_ has quit IRC		17:21
*** aloga_ has joined #openstack-keystone		17:22
*** sfilatov has quit IRC		17:24
*** voelzmo has quit IRC		17:36
*** aloga_ has quit IRC		17:38
*** pnavarro has quit IRC		17:44
openstackgerrit	Tin Lam proposed openstack/keystone-specs: PCI-DSS Expired Password Users https://review.openstack.org/383832	17:44
*** sfilatov_ has quit IRC		17:47
openstackgerrit	NITIN GUPTA proposed openstack/keystone: added test cases for verifying the fix regarding bug #1614154 Test cases are added to verify the code with "None" Value of hints. https://review.openstack.org/388541	17:53
openstack	bug 1614154 in OpenStack Identity (keystone) "Hints with values of None seem to be broken" [Medium,Confirmed] https://launchpad.net/bugs/1614154 - Assigned to NITIN GUPTA (nitin-29-gupta)	17:53
*** mvk has joined #openstack-keystone		17:54
*** markvoelker has quit IRC		17:56
*** aswadr_ has quit IRC		17:59
*** amoralej is now known as amoralej\|off		18:00
*** spilla has quit IRC		18:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v3_token in favor of issue_token https://review.openstack.org/386837	18:02
*** tqtran has quit IRC		18:06
-openstackstatus- NOTICE: The Gerrit service on review.openstack.org is being restarted now in an attempt to resolve some mismatched merge states on a few changes, but should return momentarily.		18:08
*** browne has quit IRC		18:10
*** phalmos has quit IRC		18:11
*** phalmos has joined #openstack-keystone		18:16
*** dave-mccowan has joined #openstack-keystone		18:18
*** phalmos has quit IRC		18:18
*** phalmos has joined #openstack-keystone		18:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v2_token https://review.openstack.org/386762	18:21
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v3_token in favor of issue_token https://review.openstack.org/386837	18:21
*** Administrator_ has joined #openstack-keystone		18:22
*** phalmos_ has joined #openstack-keystone		18:24
*** zhugaoxiao has quit IRC		18:25
*** phalmos has quit IRC		18:27
*** markvoelker has joined #openstack-keystone		18:46
knikolla	stevemar, why is there a 1 hour difference between the wiki and the summit agenda? :/	18:46
*** markvoelker has quit IRC		18:47
*** markvoelker has joined #openstack-keystone		18:47
openstackgerrit	ayoung proposed openstack/keystone: WIP Support AD Nested groups https://review.openstack.org/389316	18:51
*** tobias_ has joined #openstack-keystone		18:52
*** tobias_ has quit IRC		18:59
*** woodster_ has joined #openstack-keystone		19:00
stevemar	knikolla: i mentioned this at the meeting, not sure why i wrote them down wrong	19:05
stevemar	knikolla: either i can't 24hr or they changed	19:05
stevemar	knikolla: i'll update the wiki	19:05
*** asettle has joined #openstack-keystone		19:05
knikolla	stevemar, oh right. didn't quite understand it at the meeting as i hadn't looked at the schedule yet. :P	19:07
stevemar	knikolla: done!	19:07
openstackgerrit	Steve Martinelli proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	19:12
ayoung	stevemar, so, we found an issue when going with straight V3. Something expects there to be a _member_ role, but if you never create a user with V2, there is no _member_ role. If you try to create the role manuially, the id is autogenerated, and does not match what the configfile default says	19:12
ayoung	I'd like to create this role in the bootstrap if possible. Is it allowed?	19:12
stevemar	ayoung: depends on what expected it to be there?	19:13
ayoung	stevemar, the values need to come from conf	19:13
ayoung	I'll link the keys	19:13
ayoung	stevemar, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/default.py#n97	19:14
ayoung	and http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/default.py#n109	19:14
ayoung	default='9fe2ff9ee4384b1894a90878d3e92bab', for id	19:14
ayoung	stevemar, are we allowed to create database entries upon bootstrap>	19:15
ayoung	?	19:15
stevemar	ayoung: you are	19:15
stevemar	ayoung: so _member_ is only assigned when you give a user a default project (but have yet to assign her the role) IIRC	19:16
ayoung	stevemar, if you use the V2 API add_user_to_project they get that role	19:16
stevemar	why not, if you're going straight v3, just assign the user the role on the proejct	19:16
ayoung	stevemar, Horizon something or other...	19:16
stevemar	i believe that is correct	19:16
ayoung	let me find the bug	19:16
stevemar	its very much a v2-ism	19:17
ayoung	https://bugzilla.redhat.com/show_bug.cgi?id=1387313#c0	19:17
openstack	bugzilla.redhat.com bug 1387313 in openstack-tripleo "After newton deployment _member_ role is missing in keystone" [High,New] - Assigned to jslagle	19:17
stevemar	and actually assigning the role to the user should resolve the issue	19:17
ayoung	stevemar, and until V2.0 is dead, buried, decomposed, exhumed, and put in a museum, we need it	19:17
ayoung	https://bugzilla.redhat.com/show_bug.cgi?id=1387313#c0	19:17
ayoung	which does not really state the problem	19:17
*** asettle has quit IRC		19:18
ayoung	https://bugs.launchpad.net/tripleo/+bug/1635306 is the launchpad	19:18
openstack	Launchpad bug 1635306 in tripleo "After newton deployment _member_ role is missing in keystone" [High,Triaged]	19:18
stevemar	I can confirm I see the same problem on my overcloud. This is causing issues e.g. when using Horizon and trying to manage projects, as every command fails with "Error: Could not find default role "_member_" in Keystone."	19:18
stevemar	eww	19:18
stevemar	horizon, y u do dis	19:18
stevemar	ayoung: comment 6 here https://bugs.launchpad.net/tripleo/+bug/1635306	19:20
openstack	Launchpad bug 1635306 in tripleo "After newton deployment _member_ role is missing in keystone" [High,Triaged]	19:20
stevemar	ahhh its used when assigning a user to a project	19:21
ayoung	stevemar, so horizon has a config option that could be set. I don't know why they feel the need to Know what Role the users would have, but i assume it is to customize the UI and distinguish between admin and member users	19:22
*** thebloggu has quit IRC		19:22
ayoung	yep	19:22
ayoung	that makes even more sense	19:22
lbragstad	stevemar do we open bugs for untested bits of code?	19:22
lbragstad	stevemar and by bits I mean controllers	19:22
ayoung	Hey Keystoners, here's my line in the sand...er whiteboard, for the Keystone Mascot. https://twitter.com/admiyoung/status/789179752531668992	19:23
ayoung	lbragstad, yes, great first bug for a newbie	19:23
stevemar	ayoung: http://imgur.com/a/m9e3P	19:23
*** asettle has joined #openstack-keystone		19:24
ayoung	Yep	19:24
stevemar	so there's no concept of what "role" a user has in a project	19:24
stevemar	:(	19:24
stevemar	just "add me to it"	19:24
ayoung	stevemar, blame ziad	19:24
stevemar	and give me that OPENSTACK_KEYSTONE_DEFAULT_ROLE role	19:24
ayoung	Or probable joe	19:24
openstackgerrit	Merged openstack/keystone: Remove new_id() in test_revoke https://review.openstack.org/389241	19:25
stevemar	id say that if horizon wants to support v3 proper, then they need to be able to express the role someone is given when added to the project	19:25
stevemar	r1chardj0n3s: ^	19:25
*** voelzmo has joined #openstack-keystone		19:26
stevemar	lbragstad: sounds bug worthy to me	19:26
ayoung	stevemar, just so you know, that if you stick to that I am in a position where I have a bug we created that I cannot fix	19:27
*** sheel has joined #openstack-keystone		19:28
ayoung	we pushed people to move to V3. THis magically worked under V2	19:28
lbragstad	stevemar done, thanks	19:28
ayoung	so, unless we want people to keep using V2 we need a transition	19:28
ayoung	stevemar, my origianal question still stands. Is it OK to add a record to the role table during bootstrap?	19:31
stevemar	ayoung: blah, i'd prefer not, it'll promote bad behaviour :)	19:32
ayoung	stevemar, so that is a yes, then?	19:32
ayoung	stevemar, we found this in Tripleo based on Newton after newton was released. We need a fix in order to keep Newton working.	19:33
ayoung	Adding new code to Horizon is not an option.	19:33
ayoung	stevemar, ?	19:35
*** voelzmo_ has joined #openstack-keystone		19:36
stevemar	ayoung: mulling it over	19:36
*** phalmos_ has quit IRC		19:36
ayoung	stevemar, we don't allow creating the role with a specific ID. So we can't tell the installers to do a role_create	19:36
kfox1111	so, seeing a really weird thing with a gate job I have set up.	19:36
ayoung	unless they then grab the ID, stick it in the config file, and then restart Keystone. At which point, they lynch us	19:36
kfox1111	keystone misses some endpoints...	19:36
stevemar	ayoung: i was thinking that...	19:37
kfox1111	http://logs.openstack.org/99/389299/1/experimental/gate-kolla-kubernetes-deploy-ubuntu-binary-ceph-nv/8efde8c/logs/openstack-catalog-after-bootstrap.json	19:37
kfox1111	it is missing the internal cinderv2 endpoint in that case.	19:37
kfox1111	but, right before that file is generated, I capture:	19:37
kfox1111	curl -H "X-Auth-Token:$OS_TOKEN" $OS_AUTH_URL/endpoints -o /tmp/$$	19:38
kfox1111	which looks like this: http://logs.openstack.org/99/389299/1/experimental/gate-kolla-kubernetes-deploy-ubuntu-binary-ceph-nv/8efde8c/logs/endpoints.txt	19:38
*** voelzmo has quit IRC		19:38
kfox1111	and the endpoint is listed there.	19:38
kfox1111	all are enabled too.	19:38
kfox1111	so either the extra entry is disapearing from keystone, or endpoints list isn't exactly what openstack catalog list is showing.	19:39
kfox1111	and nova's failing to find the cinderv2 endpoint, so whatever its doing to lookup too.	19:39
kfox1111	any ideas?	19:39
ayoung	kfox1111, neither have cinderv2 in them	19:40
*** voelzmo_ has quit IRC		19:41
kfox1111	well, the openstack catalog list does.	19:41
kfox1111	the other one only has uuid's in it, but there are 3 entries for 6 services.	19:42
kfox1111	so they seem like they are all there.	19:42
kfox1111	if I: jq -r '.endpoints[] \| .service_id' /tmp/$$ \| sort \| uniq -c #on the json endpoint dump, I see:	19:43
kfox1111	http://pastebin.com/rERHLPgT	19:44
kfox1111	so it seems like one of the endpoints is going away, or is being ignored somehow.	19:46
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	19:47
*** prashkre has quit IRC		19:49
ayoung	kfox1111, can you reporduce, or is it just in the gate job? Is there a specific qurery being called, and maybe there is a filter used for endpoints? Keystone does not drop data unless told to.	19:51
kfox1111	it has happened frequently enough I've had to start tracking down why, but maybe one in 5 runs or so.	19:52
kfox1111	only seen it in the gate so far.	19:53
kfox1111	but finally added enough logging in it to see that if Icall the curl I seem to see all the endpoints, but then an openstack catalog list after that doesn't.	19:53
kfox1111	so something is very weird there.	19:53
kfox1111	at first I thought it was just an endpoint creation race condition or something.	19:53
kfox1111	like it wasn't waiting until all the endpoints were created.	19:53
kfox1111	but the curl is showing them all existing. and then later the catalog shows fewer.	19:54
kfox1111	its very strange.	19:54
kfox1111	I can add more logging if you can think of anything.	19:55
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	20:00
jlk	dolphm: stevemar: So I've been playing with rally while upgrading today. While the restart happens, I wound up with 2 503s in the rally tests. This may be due to haproxy above keystone, not stopping things from going to a downed back end fast enough (even though I'm giving it a 5 second pause), but still, 2 failures out of 500 some odd attempts isn't bad. (5 attempts at a time, I'm going to bump that up a bunch and try the restarts again).	20:03
*** ravelar has quit IRC		20:04
jlk	mind you, this is just testing the restart bit, I need to reset some things to test while db migrations (live) happen.	20:04
kfox1111	ayoung: is the catalog ever cached?	20:05
kfox1111	could one that was cached before all the endpoints were created be being returned?	20:06
ayoung	kfox1111, yeah, but cache should be invalidated upon add. Everything is cached	20:06
ayoung	possible, but unlikely	20:06
ayoung	unless it is a total race condition, maybe in how kolla sets things Up? But that would be weieird	20:06
kfox1111	I thought it could be my workflow. but spent a long time debugging it, and haven't found an indication that its not running the endpoint creation jobs successfully any more.	20:08
kfox1111	https://review.openstack.org/#/c/386966/26/tests/bin/ceph_workflow.sh	20:08
*** voelzmo has joined #openstack-keystone		20:14
*** haplo37_ has quit IRC		20:16
*** haplo37_ has joined #openstack-keystone		20:18
r1chardj0n3s	stevemar: got that message. am gonna read the scrollback to see if I can understand the context of the comment :-)	20:24
*** phalmos has joined #openstack-keystone		20:25
*** dave-mccowan has quit IRC		20:28
kfox1111	ayoung: I added a fiew more entries for logging, and disabled memcached. I'll let you know if it disapears.	20:31
*** phalmos has quit IRC		20:36
openstackgerrit	Samuel Pilla proposed openstack/keystone: Document OS-SIMPLE-CERT Routes https://review.openstack.org/385028	20:39
*** ravelar has joined #openstack-keystone		20:43
*** voelzmo has quit IRC		20:43
*** gagehugo_ has quit IRC		20:45
*** gagehugo has joined #openstack-keystone		20:45
*** ravelar has quit IRC		20:48
*** esp has joined #openstack-keystone		20:49
*** esp has left #openstack-keystone		20:50
*** catintheroof has joined #openstack-keystone		20:51
openstackgerrit	ayoung proposed openstack/keystone: WIP Support AD Nested groups https://review.openstack.org/389316	20:52
*** dave-mccowan has joined #openstack-keystone		20:54
openstackgerrit	Gage Hugo proposed openstack/keystone-specs: Add keystone project metadata https://review.openstack.org/388886	20:54
*** esp has joined #openstack-keystone		20:59
*** ravelar has joined #openstack-keystone		21:00
*** edmondsw has quit IRC		21:02
*** raildo has quit IRC		21:03
*** dave-mcc_ has joined #openstack-keystone		21:05
*** dave-mccowan has quit IRC		21:08
*** catintheroof_ has joined #openstack-keystone		21:11
*** ravelar has quit IRC		21:12
*** ayoung has quit IRC		21:12
catintheroof_	hi guys, one quick question, if i have a rest API (in-house) that provides me of a user authentication method, and i want keystone to use that API, several people told me that i need to code a idP, so what i want to understand is, i need to code something like an LDAP identitiy provider, or a federation mechanism?? i want to start with this but i d	21:15
catintheroof_	ont seem to understand the concepts	21:15
*** gyee has joined #openstack-keystone		21:16
*** ChanServ sets mode: +v gyee		21:16
*** sheel has quit IRC		21:30
*** dave-mcc_ has quit IRC		21:33
*** gagehugo has quit IRC		21:38
dstanek	catintheroof: if your system doesn't support federation protocols then at a minimun you'll need to write an identity backend	21:40
dstanek	catintheroof: you'll only need an auth plugin if you have a completely different way to auth (not using passwork, totp, etc)	21:40
dstanek	catintheroof_: ^ (i just pressed up arrow to get to my responses this morning. didn't realized you changed nicks)	21:41
catintheroof_	dstanek: nice, so ... just an auth plugin? in that case, where i get the users from in that case ?	21:43
dstanek	catintheroof_: you have it reversed. you will need an identity backend unless you already support federation	21:43
*** simondodsley has quit IRC		21:44
catintheroof_	dstanek: in your experiencie, if i ALREADY have a backend api, would it be easier to add support to federation ?? that API uses user/pwd, but they want for keystone to use that REST endpoint of information to auth	21:50
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove format_token method https://review.openstack.org/389364	21:51
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove metadata from token provider https://review.openstack.org/389365	21:51
openstackgerrit	Lance Bragstad proposed openstack/keystone: Clarify the v2.0 validation path https://review.openstack.org/389366	21:51
*** chris_hultin is now known as chris_hultin\|AWA		21:52
*** jaugustine has quit IRC		21:55
dstanek	catintheroof_: implementing a SAML2 (or other) protocol yourself is not the easiest feat. if i didn't have that already i would just implement an identity backend.	21:59
dstanek	catintheroof_: since you system uses username/password you can use the existing password auth plugin	22:01
catintheroof_	dstanek: nice, im starting to get it, can you point me to some doc that says the broad idea of writing an identity backend ? kinda the same way the doc tells you how to write an auth plugin ?	22:03
dstanek	catintheroof_: i don't know if that exists. you could look at the code	22:04
openstackgerrit	Lance Bragstad proposed openstack/keystone: Simplify the validate_token method https://review.openstack.org/389371	22:05
*** asettle has quit IRC		22:05
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove the v2.0 validate path from validate_token https://review.openstack.org/389371	22:05
catintheroof_	dstanek: when we are talkin´ about that, are we talking about the same IB that as today only are sql & ldap ?	22:10
dstanek	catintheroof_: yes, you would create your own	22:15
*** r-daneel has quit IRC		22:17
catintheroof_	dstanek: looking at the base.py from the identity dir and their methods	22:19
catintheroof_	dstanek: i can see thats exactly what i need	22:20
*** ayoung has joined #openstack-keystone		22:24
*** ChanServ sets mode: +v ayoung		22:24
*** lamt has quit IRC		22:25
openstackgerrit	ayoung proposed openstack/keystone: WIP Support AD Nested groups https://review.openstack.org/389316	22:34
*** roxanaghe has joined #openstack-keystone		22:35
*** catintheroof_ has quit IRC		22:38
*** gagehugo has joined #openstack-keystone		22:42
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move V2TokenDataHelper to the v2.0 controller https://review.openstack.org/389383	22:45
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/388317	22:53
*** roxanaghe has quit IRC		23:01
*** ayoung has quit IRC		23:06
*** gyee has quit IRC		23:06
*** scarlisle has quit IRC		23:09
*** catintheroof has quit IRC		23:13
jlk	Well, bad news, I'm getting some keystone errors while in partially upgraded mode	23:19
jlk	error inserting a 'created_at' entry for a password	23:20
jlk	and then some deadlocks	23:20
*** dave-mccowan has joined #openstack-keystone		23:24
jlk	dolphm: stevemar: Seeing some errors like http://paste.openstack.org/show/586638/	23:24
*** r-daneel has joined #openstack-keystone		23:28
*** r-daneel has quit IRC		23:33
*** markvoelker has quit IRC		23:37
r1chardj0n3s	stevemar: I've gone back and read the scrollback regarding Horizon/Keystone v3/_member_/roles&projects and I'm not clear on what we're doing wrong, and what the correct approach should be. It's my understanding that to be in a project, a user must have a role in that project. That's _member_, as I understand it.	23:38
jlk	users aren't necessarily "in" projects, its just that users can have one or more roles within one or more project	23:42
jlk	the role is what maps the user to the project	23:42
r1chardj0n3s	jlk: great, I'm glad I understand that aspect correctly!	23:42
r1chardj0n3s	jlk: so now I just don't understand what we're doing wrong re: _member_	23:43
jlk	I'm missing context :)	23:44
jlk	_member_ is a defacto standard, but not necessarily one that's enforced	23:44
r1chardj0n3s	jlk: the conversation started here http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-10-20.log.html#t2016-10-20T19:12:30	23:44
jlk	oh okay	23:45
r1chardj0n3s	jlk: yep, that's why it's a setting in Horizon OPENSTACK_KEYSTONE_DEFAULT_ROLE='_member_'	23:45
*** agrebennikov_ has quit IRC		23:46
r1chardj0n3s	deployments can change it, but the impression I got from the scrollback was that users weren't getting a role at all in their projects	23:46
jlk	I think v2 automagically did that, but v3 doesn't.	23:46
r1chardj0n3s	yeah, that seems to be the case :-)	23:46
jlk	ew this is ugly	23:49
jlk	I bet we haven't hit this because our automation still ensures the _member_ role exists	23:50
jlk	as part of our install	23:50
r1chardj0n3s	yep, sounds like it	23:50
r1chardj0n3s	looks like some automation systems dropped _member_ in Newton	23:50
jlk	yeah I don't know why they were dependent on the role ID	23:52
jlk	our automation isn't	23:52
jlk	since role names are unique	23:53
* jlk vanishes		23:55
*** ayoung has joined #openstack-keystone		23:59
*** ChanServ sets mode: +v ayoung		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!