Tuesday, 2016-11-01

openstackgerritMerged openstack/keystone: Faster id mapping lookup  https://review.openstack.org/339294 00:08
*** sigmavirus has quit IRC00:20
*** dims_ has quit IRC00:20
*** jrist has quit IRC00:21
*** jrist has joined #openstack-keystone00:22
*** _sigmavirus24 has joined #openstack-keystone00:24
*** guoshan has joined #openstack-keystone00:27
openstackgerritMerged openstack/keystone: Doctor check for LDAP domain specific configs  https://review.openstack.org/361435 00:28
*** richm has joined #openstack-keystone00:30
*** dims has joined #openstack-keystone00:31
*** guoshan has quit IRC00:31
stevemarheads up keystoners, lets land this spec: https://review.openstack.org/#/c/345113/14 00:42
stevemaradriant: thanks for the reviews! :)00:49
adriantstevemar: np :)00:50
adriantjust actually responding to you and jamie about caching for TOTP and why it doesn't make sense00:50
stevemaradriant: oh?00:50
adriantpasscodes are only valid for 30sec00:50
stevemaradriant: jamielennox and i spoke about it at the summit, guess we were wrong :(00:50
adriantno point caching that00:50
adriantso cache the token instead00:51
stevemarfor a few minutes anyway, as long as the token is good for00:51
* stevemar waves at jamielennox00:51
adriantposting a comment and how I've been getting around that00:51
* jamielennox is doing the riveting mandatory cyber security training that is apparently overdue00:52
jamielennoxit has insightful comments about bearer tokens00:53
*** hoangcx has joined #openstack-keystone00:55
jamielennoxadriant: we're not caching the passcode, we're caching the token that is returned so that we don't have to fetch another one if we have an existing token00:59
jamielennoxjust to do that we need to cache based on the password component, but not the totp01:00
adriantthe password is password+totp though01:00
adriantso it's still just a password01:00
jamielennoxin submitting to keystone yes, from a client perspective it doesn't have to be01:00
adriantbut the keystone server then handles it as two values01:00
adriantoh, yeah01:01
adriantwe can easily ask for them separately01:01
jamielennoxright so --os-password --os-access-code and we only cache on password01:01
jamielennoxstevemar: had asked me about it and that was the only way i know to cache it properly01:02
adriantjamielennox: but would that mean we need to make the server expect it as two different auth plugins, or will the client still do the password+totp join?01:03
jamielennoxadriant: honestly, doesn't matter, it's purely about how you set up the ksa loader to handle things like openstackclient01:04
jamielennoxhow you actually push the data is up to you01:04
adriantjamielennox: have posted a comment on the review, although we've mostly covered it here, but the thing to look at is this: http://paste.openstack.org/show/587502/ 01:05
adriantthat openrc is how I've been doing totp auth01:05
adriantand last I played with it was working fine in a devstack01:06
jamielennoxadriant: yea, ok, so what we would do is --os-auth-type passwordtotp --os-password XXX --os-pass-code YYY01:06
jamielennoxand the equivalent env vars01:06
jamielennoxit's purely a loading thing that we can solve later01:06
adriantthat seems sensible01:06
adriantjust don't want to complicate the server side of it01:07
*** dave-mccowan has joined #openstack-keystone01:09
*** chlong has quit IRC01:09
adriantjamielennox, stevemar: one change I do think I'll try and spec out at some stage is to allow serverside layering of auth plugins. So rather than having to make a separate passwordtotp plugin, in the conf you can specify that the password auth method is comprised of "password,totp"01:10
adriantbut that would be a weird and complex change...01:11
jamielennoxadriant: it's always been the intent, and serverside will handle that pretty well01:11
jamielennoxadriant: the problem is specifying that multiple is required01:11
adriantyeah, that's what I was running into when trying to get totp working01:11
jamielennoxthe server validates all the auth methods that a user provides, but therefore if a user only provides TOTP keystone will validate that01:11
jamielennoxwhat we've lacked and talked about for a while is a way to specify requirements for which auths require other auths01:12
adriantexactly, so we need a way to combine them in some way in such a way that won't break too much.01:12
adriantI'd love to work on that at some stage and help :)01:12
jamielennoxadriant: cool! yea, mostly we just need a way to figure out how we would express those links01:13
adriantIt was something I was considering, but this seemed like the fastest solution without much pain01:13
jamielennoxand in a way that isn't a giant PITA for existing users01:13
adriantI think just a new way of mapping auth plugins to auth types. Currently we map one to one, but maybe we should map one to many.01:14
adriantso password = "password,totp" token = "token" etc01:14
adriantbut I'll leave it for now. It's a weird topic!01:15
adriantPlus would mean reworking all existing plugins to play nice together...01:16
adriantOr impose limits on which can be used together.01:16
*** guoshan has joined #openstack-keystone01:17
jamielennoxthe plugins will play nice together today01:17
jamielennoxthe problems we've had in the past is there is a huge rabbit hole here of things like extra roles for 2 factor vs 101:17
jamielennoxand how to specify which users require 2fa01:18
jamielennoxyea, it's hard, but it's more of a management issue than i think we'll have problems with the existing code01:18
adriantI was mainly meaning, the current TOTP plugin on master won't play nice with password if a user does not have a TOTP cred I don't think.01:19
adriantit requires a user to have the TOTP cred to auth, and if it fails, even a valid password would result in no token.01:19
adriantI think, i need to recheck the code.01:19
adriantbut if we allow it to auth when a user doesn't have a cred, then it is useless by itself.01:21
adriantso it has to be used with password, and then we fall into the hole of needing some way to tell the plugin it isn't being used by itself. :/01:21
morgan_lbragstad: o/01:27
*** guoshan has quit IRC01:31
*** guoshan has joined #openstack-keystone01:32
*** kiran-r has joined #openstack-keystone01:37
*** Zer0Byte__ has quit IRC01:42
*** davechen_afk is now known as davechen01:46
*** TonyXu has joined #openstack-keystone01:52
*** zhangjl has joined #openstack-keystone02:14
*** haplo37_ has quit IRC02:50
*** haplo37_ has joined #openstack-keystone02:52
*** dave-mccowan has quit IRC02:53
*** namnh has joined #openstack-keystone02:53
stevemarmorgan_: i don't think lbragstad is around :(02:56
ayoungstevemar, Did you get a chance to at least read     Token Verify Role Check https://review.openstack.org/#/c/391624/  yet?02:58
ayoungstevemar, cuz...I think I want to take it one step further, and extend the implied roles API to be the mechanism that actually implements this.03:00
ayoungBasically, instead of using the oslo-policy enforcement, we use the implied roles to link from a role to a pattern.  Or, more correctly, during enforcement time, we start with a pattern, match that to the current URL, and use the roles implication rules to confirm or deny access03:01
ayoungEach of the services could provide a basic JSON file with API patterns and Roles, and those would get uploaded to Keystone when they register with the service catalog03:02
ayoungSo the basic management of the RBAC policy would still fall on the individual projects.  Just they would register those RBAC policies with Keystone, and Keystone would store them in a Relational Database format03:03
*** richm has quit IRC03:07
*** jperry has joined #openstack-keystone03:23
stevemarayoung: i have not, i've been chipping away at reviews all day, haven't gotten to that one03:36
*** links has joined #openstack-keystone03:52
*** guoshan has quit IRC04:11
*** jperry has quit IRC04:17
morgan_stevemar: yeah.04:43
morgan_stevemar: figured04:43
*** kiran-r has quit IRC04:56
*** guoshan has joined #openstack-keystone05:12
*** guoshan has quit IRC05:17
*** sheel has joined #openstack-keystone05:28
*** kiran-r has joined #openstack-keystone05:44
*** adriant has quit IRC05:44
*** kiran-r has quit IRC06:20
*** guoshan has joined #openstack-keystone06:21
*** rcernin has joined #openstack-keystone06:29
*** kiran-r has joined #openstack-keystone06:31
openstackgerrithoward lee proposed openstack/oslo.policy: Fix typo in oslo.policy  https://review.openstack.org/392042 06:34
*** guoshan has quit IRC06:35
*** guoshan has joined #openstack-keystone06:36
*** kiran-r has quit IRC07:12
*** haplo37_ has quit IRC07:12
*** haplo37_ has joined #openstack-keystone07:14
*** AlexeyAbashkin has quit IRC07:20
*** tesseract has joined #openstack-keystone07:21
*** tesseract is now known as Guest1438107:21
*** belmoreira has joined #openstack-keystone07:26
openstackgerritMerged openstack/keystone: log.error use _ of i18n  https://review.openstack.org/389070 07:32
*** AlexeyAbashkin has joined #openstack-keystone07:33
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:01
*** Dinesh_Bhor has joined #openstack-keystone08:05
Dinesh_BhorHi all, I am getting following error: ContextualVersionConflict: (amqp 1.4.9......Requirement.parse('amqp<3.0,>=2.1.1'), set(['kombu']))08:06
Dinesh_Bhorbecause of this I am not able to run any other apis like nova list, cinder list etc08:07
Dinesh_Bhorlooks like it is similar to bug: https://bugs.launchpad.net/keystone/+bug/1587239 08:08
openstackLaunchpad bug 1587239 in OpenStack Identity (keystone) "cover job is failing too frequently" [High,Fix released] - Assigned to Steve Martinelli (stevemar)08:08
Dinesh_BhorIf someone has any suggestions on how to solve this please let me know08:09
*** LiYuenan has joined #openstack-keystone08:11
openstackgerritNITIN GUPTA proposed openstack/keystone: Added test cases for hints  https://review.openstack.org/388541 08:16
*** guoshan has quit IRC08:35
*** guoshan has joined #openstack-keystone08:42
*** guoshan has quit IRC09:07
*** guoshan has joined #openstack-keystone09:07
openstackgerritNITIN GUPTA proposed openstack/keystone: Added test cases for hints  https://review.openstack.org/388541 09:12
*** jaosorior has joined #openstack-keystone09:15
*** jpich has joined #openstack-keystone09:18
*** raildo has joined #openstack-keystone09:29
*** Dinesh_Bhor has quit IRC09:47
*** jaosorior has quit IRC09:48
*** jaosorior has joined #openstack-keystone09:48
*** raildo has quit IRC09:56
*** dootniz is now known as kragniz09:59
*** namnh has quit IRC10:05
*** hoangcx has quit IRC10:05
openstackgerritMerged openstack/keystone: Fix broken links in the docs  https://review.openstack.org/391851 10:05
*** guoshan has quit IRC10:22
*** zhangjl has quit IRC10:34
openstackgerritJamie Lennox proposed openstack/keystone: Allow fetching an expired token  https://review.openstack.org/382098 10:36
*** rodrigods has quit IRC10:37
*** rodrigods has joined #openstack-keystone10:37
*** nicolasbock has joined #openstack-keystone10:39
*** TonyXu has quit IRC10:47
samueldmqmorning keystone10:56
*** chlong has joined #openstack-keystone10:57
bretonksm gate is broken11:05
rodrigodsbreton, the tests pass locally?11:23
bretonrodrigods: nowhere11:25
bretonrodrigods: neither in the gates, nor locally11:25
bretondependency is missing11:25
*** haplo37_ has quit IRC11:28
*** haplo37_ has joined #openstack-keystone11:31
openstackgerritMerged openstack/oslo.policy: Fix typo in oslo.policy  https://review.openstack.org/392042 11:41
*** narasimha_SV has joined #openstack-keystone11:42
narasimha_SVto have keystone2keystone federation11:43
narasimha_SVin IDP it is said that I need to place SSL confs in vhost11:43
narasimha_SVwhere do I need to add these details in wsgi-keystone.conf file11:43
stevemarbreton: i noticed that it was failing around 25% of the time11:50
openstackgerritMerged openstack/keystone: Adds warning when no domain configs were uploaded  https://review.openstack.org/214287 11:50
bretonstevemar: with what error?11:50
bretonstevemar: now it fails always, and this seems to be an issue on oslo-messaging side11:51
stevemarunrelated then11:51
bretonstevemar: but what was your error?11:51
stevemarbreton: can't remember, i think it was asserting something had size 1 when it was 2/11:52
stevemarbreton: it was only 1 test that would fail, consistently11:52
stevemarlet me look up the requirements change, it had the failure11:52
*** richm has joined #openstack-keystone11:52
stevemarbreton: https://review.openstack.org/#/c/391130/ 11:52
stevemarbreton: http://logs.openstack.org/30/391130/1/check/gate-keystonemiddleware-python34/3ea5248/testr_results.html.gz 11:52
bretonstevemar: oooh, i am fighting this one now.11:53
bretonstevemar: (well, tried fighting it, before ran into oslo-messaging issue :( )11:53
stevemaryeah, seeing that now11:54
stevemarprobably need to block that version of kombu11:54
bretonstevemar: yes, make it '< 4.0'11:54
stevemari'd say just make it !=4.0.0 for now11:55
stevemarthe requirements team doesn't like <, but in this case... maybe its a better idea11:55
bretonupper-constraints in requirements has kombu===3.0.3711:57
bretonwhy is it failing then?11:58
stevemargood question11:58
stevemarlet me ask in -requirements11:59
*** guoshan has joined #openstack-keystone12:06
openstackgerritMerged openstack/keystone: Add bindep environment to tox  https://review.openstack.org/391613 12:11
*** _sigmavirus24 is now known as sigmavirus12:12
*** sigmavirus has joined #openstack-keystone12:12
openstackgerritMerged openstack/keystone: Document v2 Revoked Token Route  https://review.openstack.org/390913 12:12
stevemarbreton: oslo and requirements teams will work on the issue i think12:16
*** iurygregory has joined #openstack-keystone12:17
openstackgerritSteve Martinelli proposed openstack/keystone: Document OS-SIMPLE-CERT Routes  https://review.openstack.org/385028 12:26
*** edmondsw has joined #openstack-keystone12:38
*** jerrygb_ has quit IRC12:38
*** mvk has quit IRC12:45
*** dave-mccowan has joined #openstack-keystone12:46
*** jerrygb has joined #openstack-keystone12:52
*** ayoung has quit IRC12:58
*** narasimha_SV has quit IRC12:58
*** narasimha_SV has joined #openstack-keystone13:10
narasimha_SVhttp://paste.openstack.org/show/587537/ where do I need to keep these values in wsgi-keystone.conf file13:10
narasimha_SVto enable SSL over IDP keystone in federation13:10
*** links has quit IRC13:14
*** narasimha_SV has quit IRC13:15
*** mvk has joined #openstack-keystone13:23
bretonstevemar: i think i started always getting "AttributeError: None does not have the attribute 'info'"13:23
*** jperry has joined #openstack-keystone13:28
bretoni actually understand why it fails13:29
bretoni don't understand why it didn't.13:29
robcresswellstevemar: Does keystone allow setting arbitrary k/v data on a user? I was wondering if Horizon could manipulate that for storing settings instead of using the cookie.13:32
robcresswell(I imagine there is more to this than I'm thinking, but just investigating)13:33
stevemarrobcresswell: not really, we have an "extras" field where you can dump things into as k/v, but we don't support removing/changing the data there13:33
robcresswellstevemar: Ah, got it. Thats a shame. It's one of the places where Horizon's lack of db falls over a little.13:34
robcresswellstevemar: Thanks anyway!13:34
openstackgerritBoris Bobrov proposed openstack/keystonemiddleware: Mock log only after app creation  https://review.openstack.org/392167 13:39
breton^ will fail for now because the gate is broken, however after that it should fix the problem that we ran into in https://review.openstack.org/#/c/391130/ 13:40
knikollamorning! o/13:52
*** ashyoung has joined #openstack-keystone13:57
*** guoshan has quit IRC13:57
*** jerrygb_ has joined #openstack-keystone14:00
stevemarbreton: nice14:00
lbragstadstevemar caching question for you14:01
lbragstadstevemar are we suppose to deprecate https://github.com/openstack/keystone/blob/fab399e26cdbe7cffba895f99d7247896ec6cb82/keystone/common/kvs/backends/memcached.py#L96-L99 14:01
lbragstadthis option specifically - https://github.com/openstack/keystone/blob/9c2a48829d49eb1f59bada735c15280138470b96/keystone/conf/memcache.py#L18-L30 ?14:02
*** narasimha_SV has joined #openstack-keystone14:02
*** dave-mccowan has quit IRC14:02
narasimha_SVafter configuring SSL confs in wsgi-keystone.conf14:02
lbragstadbecause we also have https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L468-L470 14:02
*** jerrygb has quit IRC14:02
narasimha_SVgetting this issue when i execute any openstack command14:02
narasimha_SV# openstack endpoint list Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)14:03
narasimha_SVin log file i see this line : RSA certificate configured for does NOT include an ID which matches the server name14:04
knikollanarasimha_SV, are you able to curl the keystone endpoint?14:04
openstackgerritDavid Stanek proposed openstack/keystone: Additional logging when authenticating  https://review.openstack.org/333490 14:04
bknudsonnarasimha_SV: https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=rsa%20certificate%20configured%20for%20does%20not%20include 14:05
stevemarlbragstad: yo14:06
lbragstadevrardjp and I have a question for you in -ansible :)14:07
stevemarlbragstad: reading14:07
stevemarlbragstad: yeah, saw that, was in the middle of a discussion with cinder team, thats over now, catching up14:07
*** narasimha_SV has quit IRC14:08
stevemarlbragstad: i want to say probably...14:10
stevemarlbragstad: all of the [memcache] options seem to have a [cache] equivalent14:12
lbragstadstevemar right - i was digging through the code but it doesn't look like we should be using [memcache]?14:13
lbragstadaccording to the comments14:13
*** ashyoung has quit IRC14:13
stevemarlbragstad: and theres only one instance of it: https://github.com/openstack/keystone/blob/fab399e26cdbe7cffba895f99d7247896ec6cb82/keystone/common/kvs/backends/memcached.py#L100 14:13
lbragstadin code - there is nothing officially documenting or deprecating it though14:13
stevemarlbragstad: easy enough to deprecate something, just need to make sure we should be doing it14:13
*** kiran-r has joined #openstack-keystone14:14
stevemarlbragstad: i think its safe to deprecate that entire [memcache] section14:14
*** anushkrishnamurt has joined #openstack-keystone14:15
evrardjpI have the feeling I tried to help, and opened a pandora box14:15
lbragstadstevemar ok - i'll see if I can get something in the works to officially deprecate that14:15
*** ashyoung has joined #openstack-keystone14:15
stevemarlbragstad: fair enough, bug morgan_ if you can14:15
stevemarevrardjp: boxes need to be opened!14:16
evrardjpstevemar: at least I have hope :p14:16
lbragstadevrardjp i'd stick to using https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L468-L470 for now14:17
evrardjplbragstad: so as a list14:18
evrardjpmakes sense14:18
lbragstadevrardjp yep14:20
*** ayoung has joined #openstack-keystone14:23
*** ChanServ sets mode: +v ayoung14:23
*** edtubill has joined #openstack-keystone14:24
*** GB21 has joined #openstack-keystone14:26
*** ravelar has joined #openstack-keystone14:29
knikollastevemar, what's some areas of keystone that have the most knowledge debt?14:30
*** jerrygb has joined #openstack-keystone14:31
*** chirag has joined #openstack-keystone14:32
stevemarknikolla: not sure i get the question14:32
knikollastevemar, areas of the codebase which few people understand anymore14:33
stevemarknikolla: caching :P14:33
*** kiran-r has quit IRC14:33
chiragHello, Can someone help me with "DiscoveryFailure: Cannot use v2 authentication with domain scope" my keystone is working fine but I am facing mentioned error while requesting from ceilometer.14:33
*** jerrygb_ has quit IRC14:33
bretonunit tests.14:34
bretonthe thing i know worst in keystone is the structure of our unit tests.14:35
lbragstadbreton ++14:35
lbragstadwe have a few interesting patterns in our unit tests14:35
stevemari'd also say how keystonemiddleware's auth_token actually works14:36
stevemari think only jamielennox and bknudson know that :P14:36
knikollathat's plenty to look into for now.14:36
bretonauth_token is not that bad actually.14:37
*** tobberydberg has joined #openstack-keystone14:37
bretoni've never felt bad about debugging there14:38
*** chris_hultin|AWA is now known as chris_hultin14:38
dstaneksamueldmq: what are you thinking for self._validateCredentialList(credentials, self.user_credentials)14:39
bretonbut with unit tests it's always 5-6 open vim windows.14:39
dstaneksamueldmq: wrong cut-n-paste14:39
dstaneksamueldmq: https://review.openstack.org/#/c/345688/27/doc/source/configuration.rst 14:39
samueldmqdstanek: I was thinking of updating it to: "Keystone provides UUID, PKI, PKIz and Fernet token providers."14:40
samueldmqdstanek: so we just don't say we support "both UUID and PKI"14:42
*** jaugustine has joined #openstack-keystone14:42
stevemargagehugo: i saw your email about ldap, but i am super jammed this week, can i get back to you next week?14:42
*** chirag has quit IRC14:43
stevemardstanek: if you have time today, can you look at https://review.openstack.org/#/c/374482/ ?14:43
gagehugostevemar: yeah that's fine, I still need to look over what tests we don't need anymore14:44
knikollabreton, what aspect of the unit tests structure?14:47
lbragstadknikolla i know one thing about our unit tests that gets me (and dstanek) is how much stuff is set up for each test14:48
lbragstadthe whole setup chain, as it exists today is rather confusing14:48
samueldmqdstanek: does that make sense ?14:48
*** dave-mccowan has joined #openstack-keystone14:48
lbragstadand when something like that is confusing, it tends to make it easier for developers to just copy-paste it around until something works...14:48
lbragstad(which only adds to the confusion later on)14:49
knikollalbragstad, i see.14:49
knikollai'll do a deep dive and see if i can better document what's happening.14:50
lbragstadknikolla cool - dstanek has also done a bunch of work with the unit tests to make setups more clear14:50
knikollalbragstad, cool. i'll look into that.14:51
openstackgerritRichard Avelar proposed openstack/keystone: Remove unused statements in matches  https://review.openstack.org/387548 14:52
*** chris_hultin is now known as chris_hultin|AWA15:00
*** dave-mccowan has quit IRC15:00
*** jerrygb_ has joined #openstack-keystone15:00
*** jerrygb has quit IRC15:03
*** chris_hultin|AWA is now known as chris_hultin15:03
*** jperry has quit IRC15:05
*** jperry has joined #openstack-keystone15:06
*** ashyoung has quit IRC15:06
dstaneksamueldmq: yeah, i think so15:08
dstanekstevemar: sure15:08
dstanekbreton: knikolla: i wish we have test_blah.py for each blah.py as the basic structure15:09
dstaneklbragstad: did samueldmq's comment make sense to you?15:11
knikolladstanek, yeah, that makes a lot of sense. not sure if folks would agree to such a large refactor though.15:11
lbragstaddstanek yeah - i can respin15:11
*** dave-mccowan has joined #openstack-keystone15:12
openstackgerritSteve Martinelli proposed openstack/keystoneauth: mark a few oidc parameters as required  https://review.openstack.org/392198 15:14
*** kiran-r has joined #openstack-keystone15:35
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Support domain-specific configuration management  https://review.openstack.org/358770 15:35
*** sheel has quit IRC15:40
*** agrebennikov has joined #openstack-keystone15:43
*** pcaruana has joined #openstack-keystone15:44
*** adrian_otto has joined #openstack-keystone15:45
*** Guest14381 has quit IRC15:51
dstanekstevemar: i took a look...it doesn't look completed15:58
openstackgerritLance Bragstad proposed openstack/keystone: Switch fernet to be the default token provider.  https://review.openstack.org/345688 15:58
*** jaugustine has quit IRC15:59
lbragstadsamueldmq done ^15:59
samueldmqlbragstad: thanks16:00
*** rcernin has quit IRC16:06
*** pcaruana has quit IRC16:07
*** tobberydberg has quit IRC16:10
stevemari did it guys16:11
stevemari reviewed everything i had opened in my tabs16:11
stevemarnow to do the slide deck for the presentation on thursday -_-16:13
stevemari need foods!16:15
dstanekstevemar: nice16:15
*** jaugustine has joined #openstack-keystone16:15
bretoni have checked the performance issue with cache fix i mentioned16:15
stevemargood news i hope :)16:16
*** LamT__ has joined #openstack-keystone16:16
stevemari'll be slow to respond for the remainder of the afternoon16:16
bretonit currently exists in mitaka, and is bad there. In newton and master but is mitigated by https://review.openstack.org/#/c/309146/, but only for token validation.16:17
*** jaosorior has quit IRC16:17
*** martinus__ has quit IRC16:20
openstackgerritMerged openstack/keystone: Add release note for fernet tokens  https://review.openstack.org/376526 16:21
openstackgerritayoung proposed openstack/keystone-specs: Token Verify Role Check  https://review.openstack.org/391624 16:22
ayounglbragstad, et alles:  ^^ is very different from my previous versions.  I think it solves the majority of the issues we've had with policy thus far16:23
lbragstadstevemar dstanek was saying that we use CONF.memcache.server for the kvs token backend but we use oslo.cache for everything else16:25
*** ashyoung has joined #openstack-keystone16:26
*** ashyoung has quit IRC16:26
lbragstaddstanek just to confirm - we use oslo.cache for storing the token region, right?16:26
openstackgerritGage Hugo proposed openstack/keystone: Doctor ldap check fix for config files  https://review.openstack.org/392229 16:27
lbragstadthe only thing we use CONF.memcache.server for should be the kvs backend?16:28
*** jperry has quit IRC16:30
lbragstaddstanek stevemar fwiw - we don't really document any of those differences anywhere - I would think we'd need to open a bug for it?16:33
*** belmoreira has quit IRC16:35
*** jerrygb has joined #openstack-keystone16:41
*** jaugustine has quit IRC16:41
*** jerrygb_ has quit IRC16:43
*** jperry has joined #openstack-keystone16:44
*** jerrygb_ has joined #openstack-keystone16:44
*** GB21 has quit IRC16:44
*** markvoelker has quit IRC16:44
*** jaugustine has joined #openstack-keystone16:45
*** jerrygb has quit IRC16:46
*** markvoelker has joined #openstack-keystone16:46
*** mvk has quit IRC16:48
*** jvarlamova has joined #openstack-keystone16:53
*** jpich has quit IRC17:01
*** GB21 has joined #openstack-keystone17:03
*** Zer0Byte__ has joined #openstack-keystone17:06
openstackgerritLance Bragstad proposed openstack/keystone: Doc the difference between memcache and cache  https://review.openstack.org/392242 17:11
lbragstadstevemar dstanek ^17:11
lbragstadevrardjp ^17:11
dstaneklbragstad: i don't think a bug is necessary17:11
*** harlowja has joined #openstack-keystone17:11
lbragstaddstanek cool - i didn't create one17:11
*** anushkrishnamurt has quit IRC17:18
openstackgerritLance Bragstad proposed openstack/keystone: Doc the difference between memcache and cache  https://review.openstack.org/392242 17:19
stevemarlbragstad: so no need to deprecate memcache options then?17:21
*** artmr has joined #openstack-keystone17:22
*** intr1nsic has joined #openstack-keystone17:24
*** edtubill has quit IRC17:24
*** jerrygb has joined #openstack-keystone17:25
*** ankur-gupta-f has joined #openstack-keystone17:25
*** ankur-gupta-f has left #openstack-keystone17:25
*** intr1nsic is now known as matt_welch17:27
*** jerrygb_ has quit IRC17:28
stevemarrodrigods: your functional test is failing :( https://review.openstack.org/#/c/358770/8 17:29
*** ravelar has quit IRC17:29
lbragstadstevemar i don't think so17:30
lbragstadit looks like the [memcache] section is dedicated to kvs backends17:31
lbragstadso unless we get rid of all kvs backends - I don't think we can deprecate it17:31
*** notbreton has joined #openstack-keystone17:50
stevemarlbragstad: there is a bug to remove all kvs backends17:51
stevemarlong standing one17:51
openstackgerritJeffrey Augustine proposed openstack/keystone-specs: Add keystone project properties  https://review.openstack.org/388886 17:52
*** mvk has joined #openstack-keystone17:54
*** ChanServ sets mode: +v henrynash17:55
*** browne has joined #openstack-keystone17:57
*** lamt has joined #openstack-keystone17:57
stevemarping ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gagehugo, gyee, henrynash, hogepodge, htruta, jamielennox, jaugustine, joesavak, jorge_munoz, knikolla, lbragstad, MaxPC, morgan, nishaYadav, nkinder, notmorgan, raildo, ravelar, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, xek, StefanPaetowJis17:59
*** anushkrishnamurt has joined #openstack-keystone18:04
*** edtubill has joined #openstack-keystone18:04
*** ravelar has joined #openstack-keystone18:05
*** spilla has joined #openstack-keystone18:08
mfischstevemar: digging into your upgrades stuff finally this is going to suck with puppet18:29
mfisch can you tell me is --expand --migrate idempotent?18:29
mfischalso is --expand --migrate --contract == db_sync with no args?18:34
*** GB21 has quit IRC18:34
openstackgerritRichard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly  https://review.openstack.org/388842 18:35
stevemarmfisch: hold up, keystone meeting, dont run away18:38
mfischim on a call now anyway18:39
*** notbreton has quit IRC18:39
*** adrian_otto has quit IRC18:58
gagehugo500 total wat19:00
lbragstadstevemar ayoung there are only 500 tickets for the PTG for *all* projects?19:00
stevemargagehugo: yep, just devs19:00
stevemarlbragstad: yes19:00
lbragstadstevemar do we get registration codes?19:01
knikollaand is it not free for atc?19:01
stevemarit is not free for ATC, no19:01
lbragstadi see the tickets are $10019:01
stevemaryes, $10019:01
stevemarlbragstad: not free for anyone19:01
knikollai'll query for an educational discount :/ maybe they have that19:01
stevemarlbragstad: if you attend a PTG you do get a discount code for the forum (nee summit)19:01
stevemarknikolla: ask for travel assistance19:02
lbragstadstevemar there was a session on this in barcelona, right?19:02
stevemarlbragstad: not really19:02
lbragstadis that where all this was discussed?19:02
knikollastevemar, i already got a verbal approval from my manager.19:02
stevemarlbragstad: its still very much in the foundation's hands, i have some early info19:02
stevemarmfisch: to answer your questions --19:03
stevemarmfisch: they are not idempotent AFAIK, we have a bunch of bugs that we need to fix surrounding the new upgrade flow: https://bugs.launchpad.net/keystone/+bugs?field.tag=upgrades 19:04
mfisch$100 is far less than the travel and time away from work isnt it19:04
stevemarmfisch: if you just do a db_sync with no args, i believe it runs --expand, --migrate, --contract under the covers19:05
knikollawe've been staying in airbnbs though for the past summits/midcycles :P19:05
stevemarmfisch: if you run it with no args, we assume you are doing an offline upgrade19:05
mfischstevemar: the trouble is getting puppet to do something intelligent here19:06
mfischwhich I will bring up at the next meeting for puppet19:06
mfischif you want to attend19:06
stevemarmfisch: when is it?19:06
mfisch9am mountain next tuesday19:06
stevemarmfisch: i'm away thursday and friday19:06
stevemarsend me a ping? i'm awake at that time anyway19:06
mfischIdeally we could do this idempotently: keystone-manage db_sync --expand --migrate19:07
mfischthen I'd just always run that19:07
stevemarno contract?19:07
mfischcontract I'd run offline after every node19:07
mfischdisable puppet on nodes 2/3 and run puppet on node1, upgrade node 1, puppet runs that db_sync command above ^19:08
mfischrepeat for nodes 2/319:08
mfischwhen done all 3 , run contract19:08
mfischjlk has an easier time since ansible is designed for this kind of thing19:08
mfischstevemar: given the bugs is it still useful for me to test it right now?19:09
*** artmr has quit IRC19:09
*** dave-mccowan has quit IRC19:11
stevemarmfisch: the bugs are RFEs, not actual "bugs"19:11
*** Administrator__ has joined #openstack-keystone19:11
mfischJLK's looks legit19:12
stevemarmfisch: ah right, where he hit it with rally 15 times19:13
*** zhugaoxiao has quit IRC19:15
stevemarmfisch: so part of the reason why i'm asking you to try it out is to see if you also get that error, we need more info here in general about our new upgrade flow19:15
*** lamt has quit IRC19:15
stevemarif you're not comfortable with that, that's cool19:15
*** jaugustine has quit IRC19:17
*** jaugustine has joined #openstack-keystone19:17
mfischstevemar: I can still try it19:26
mfischM to N?19:26
*** browne has quit IRC19:27
*** anushkrishnamurt has quit IRC19:28
*** browne has joined #openstack-keystone19:30
*** dave-mccowan has joined #openstack-keystone19:31
*** matt_welch has quit IRC19:37
*** kiran-r has quit IRC19:37
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: remove LDAP write support  https://review.openstack.org/37448219:38
*** mtreinish has quit IRC19:40
*** rcernin has joined #openstack-keystone19:41
*** mtreinish has joined #openstack-keystone19:43
*** clsacramento has joined #openstack-keystone19:44
*** woodburn has quit IRC19:47
stevemarmfisch: correct sir19:49
mfischI'll see what I can do19:49
openstackgerritRichard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly  https://review.openstack.org/38884219:55
mfischstevemar: expand failed19:56
mfischstevemar: http://paste.openstack.org/show/587582/19:57
mfischSince setting this up is a pain. I will hold here and see what else I can get info wise19:57
stevemarmfisch: same error jlk ran into the first time19:59
stevemaryou gotta change something in your db settings19:59
openstackgerritRichard Avelar proposed openstack/keystone: WIP validate consumer_id exists directly  https://review.openstack.org/38884219:59
stevemarjlk / dolphm remember what the setting was?19:59
mfischI guess you need to be SUPER to create triggers20:00
*** adrian_otto has joined #openstack-keystone20:00
stevemarmfisch: https://github.com/soundcloud/lhm/issues/76 ?20:00
stevemarset global log_bin_trust_function_creators=120:01
mfischwhatever that does20:01
mfischthe sudafed tells me to jfdi!20:01
stevemari gotta head out now, family stuff, but i'll be on tonight and tomorrow20:01
mfischmysql> select user,super_priv from mysql.user where user="keystone";20:01
mfisch| user     | super_priv |20:01
mfisch| keystone | N          |20:01
mfisch| keystone | N          |20:01
*** haplo37_ has quit IRC20:01
mfisch| keystone | N          |20:01
mfischI can just fix that ^ in puppet20:01
stevemareh sure20:02
mfischI did have 1 blip in there also20:03
mfischjlk:  you around?20:04
*** haplo37_ has joined #openstack-keystone20:04
*** kiran-r has joined #openstack-keystone20:07
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for PKI and PKIz tokens  https://review.openstack.org/37447920:10
samueldmqstevemar: I really like your patch to remove PKI/PKIz support20:14
samueldmqstevemar: it's a huge amount of code and docs we won't need to maintain anymore20:15
morgan_lbragstad: you were looking for me yesterday?20:27
lbragstadmorgan_ ah ha!20:29
lbragstadmorgan_ yes - i was20:29
lbragstadI was curious about some caching stuff20:29
*** spilla has quit IRC20:29
lbragstadmorgan_ i ended up creating a PR for it - https://review.openstack.org/#/c/392242/20:30
morgan_fwiw, we should drop token.kvs20:31
morgan_and deprecate [memcache] section20:31
lbragstadmorgan_ ++20:31
morgan_but +3 for that change20:31
morgan_for now20:31
morgan_because it's better than what we had20:31
lbragstadmorgan_ i'd be happy to remove that20:31
morgan_yeah. token.kvs should go away. iirc it was deprecated a long time ago20:32
morgan_and we don't support memcache backend for tokens20:32
morgan_iirc that was the last of the "kvs" things20:32
lbragstadmorgan_ we have a kvs entry point for the token backend20:32
morgan_if kvs is gone, [memcache] config can be deprecated (but not removed yet since it ties into [cache] in some cases still)20:33
morgan_lbragstad: right. but token.kvs should be clear to be deleted20:33
morgan_it isn't well supported20:33
morgan_at best it's legacy code that hasn't been removed yet20:33
morgan_it was supposed to be deprecated a long time ago20:33
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for PKI and PKIz tokens  https://review.openstack.org/37447920:35
jlkmfisch: I am, what's up?20:40
jlkmfisch: oh you're looking at the migrations, and the rights needed for triggers20:42
mfischjlk: yeah20:42
mfischnot sure adding SUPER is a great plan20:42
jlkheh, there is a smaller target20:42
mfischdid you just set that variable?20:42
jlkat least on percona20:42
mfischwhat's that20:43
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:43
jlklog_bin_trust_function_creators = 120:43
mfischyeah that's "the variable" I vaguely mentioned20:43
jlkyup, setting that and restarting percona everywhere made things work for me20:44
mfischI think you can set that one live20:44
mfischbut I will find out20:44
jlkYou can20:44
jlkI chose not to, because I hate it when live config doesn't necessarily match config file configuration. Can lead to really ugly surprises down the road20:44
*** adriant has joined #openstack-keystone20:45
mfischjlk: sure, I'm just hacking for now to test it some more. puppet has other issues because of the implied ordering20:45
jlkoh, yeah, ordering, and puppet. You're going to have a good time.20:45
mfischwhich is why we drive upgrades with ansible20:45
mfischfor now I just hacked out the calls to db_sync that puppet made20:46
openstackgerritayoung proposed openstack/keystone: Disable list users  https://review.openstack.org/39230620:47
*** edtubill has quit IRC21:07
*** kiran-r has quit IRC21:09
openstackgerritMerged openstack/keystone: Additional logging when authenticating  https://review.openstack.org/33349021:12
lbragstadayoung addressed your comments here - https://review.openstack.org/#/c/374479/21:14
openstackgerritMerged openstack/keystone: Doc the difference between memcache and cache  https://review.openstack.org/39224221:17
*** richm has quit IRC21:22
*** chris_hultin is now known as chris_hultin|AWA21:30
*** ravelar has quit IRC21:32
*** adrian_otto has quit IRC21:36
ayounglbragstad, +2A based on morgan's comments21:39
mfischjlk: I assume you're reading openstack-dev at least the keystone tag? I'm going to send my results21:45
*** jerrygb has quit IRC21:46
*** PsionTheory has joined #openstack-keystone21:48
jlkI'm not subscribed there at the moment.21:48
mfischI'll just email you and steve21:49
mfischthe commands do seem to be idempotent21:49
mfischthat helps puppet a bit21:49
mfischjlk: your bug is odd, it's almost like you had some old workers running?21:50
jlkthat's what i found too, in that they exited 0 and shit didn't fall over after running them a second or many times.21:50
jlkmfisch: it is weird, but I wonder if it's just a timing of how the db actions are done21:50
mfischlike in-flight stuff21:50
mfischI saw 1 DB deadlock during expand under pretty much no load21:50
jlklike, the logic to read/write to a new location gets put down before the location exists or something like that.21:50
mfisch1 thread getting a token every 3 seconds21:50
mfischand this vvv21:51
openstackgerritMatt Fischer proposed openstack/keystone: cache_on_issue default to true  https://review.openstack.org/38333321:52
openstackgerritMatt Fischer proposed openstack/keystone: Allow running expand & migrate at the same time  https://review.openstack.org/39232021:52
mfischdang it, should have only been 1 review21:52
*** richm has joined #openstack-keystone21:53
mfischjlk: email is @ibm.com?21:53
mfischus. thanks21:53
*** Zer0Byte__ has quit IRC21:58
*** jperry has quit IRC21:59
*** Zer0Byte__ has joined #openstack-keystone22:00
*** ravelar has joined #openstack-keystone22:01
*** PsionTheory has quit IRC22:04
*** jerrygb has joined #openstack-keystone22:04
*** jerrygb has quit IRC22:06
openstackgerritLance Bragstad proposed openstack/keystone: Remove support for PKI and PKIz tokens  https://review.openstack.org/37447922:09
*** ravelar has quit IRC22:14
*** edmondsw has quit IRC22:24
*** haplo37_ has quit IRC22:25
knikollathe assumption that tests have write access to the identity backend is so deeply integrated into every abstraction layer of the unit tests. it's irritating.22:26
*** rcernin has quit IRC22:31
*** haplo37 has joined #openstack-keystone22:38
jamielennoxlol, in my first couple of months on keystone i proposed a giant unit test refactor22:46
jamielennoxi can't imagine they have gotten any better22:46
*** lamt has joined #openstack-keystone22:53
*** jaugustine has quit IRC23:00
gagehugoknikolla: ++23:20
*** lamt has quit IRC23:21
*** Zer0Byte__ has quit IRC23:23
*** Zer0Byte__ has joined #openstack-keystone23:25
*** kiran-r has joined #openstack-keystone23:34
*** ravelar has joined #openstack-keystone23:41
*** g2` is now known as g2[cubs-ATL]23:42
*** ravelar has quit IRC23:45
*** richm has quit IRC23:48
*** LiYuenan has quit IRC23:53
openstackgerritMerged openstack/keystone: Remove support for PKI and PKIz tokens  https://review.openstack.org/37447923:54
openstackgerritAdrian Turjak proposed openstack/keystone: adding combined password and totp auth plugin  https://review.openstack.org/34342223:59
