Tuesday, 2016-11-29

openstackgerritEric Brown proposed openstack/keystone: SAML federation docs refer to old WSGIScriptAlias  https://review.openstack.org/40394400:06
openstackgerritEric Brown proposed openstack/keystone: SAML federation docs refer to old WSGIScriptAlias  https://review.openstack.org/40394400:08
*** catintheroof has joined #openstack-keystone00:08
rodrigodsayoung, yep: gate-keystone-dsvm-functional-ubuntu-xenial and gate-keystone-dsvm-functional-v3-only-ubuntu-xenial-nv00:29
ayoungrodrigods, OK.  I am going to try and replicate00:29
ayoungrodrigods, and if it works, I'll try to add a devstack plugin for LDAP, and LDAP functional test00:29
rodrigodsayoung, if you use https://review.openstack.org/#/c/400747/ in a devstack env, you will be able to run https://review.openstack.org/#/c/324769/00:30
ayoungyep, got it00:30
rodrigodsof course you need to properly configure the tempest settings (see config.py)00:30
rodrigodsayoung, for LDAP, i was hoping to have it done by the outreachy student00:31
rodrigodsayoung, the first step is to check if the LDAP plugin in devstack is ok00:31
*** hoangcx has joined #openstack-keystone00:47
ayoungrodrigods, yep.  I can do that now.  I have devstack running00:50
*** gyee has joined #openstack-keystone00:54
*** gyee has quit IRC00:54
*** stevemar__ has quit IRC00:54
*** guoshan has joined #openstack-keystone00:56
*** dave-mccowan has quit IRC00:56
*** anush has joined #openstack-keystone00:59
*** guoshan has quit IRC01:01
*** spzala has joined #openstack-keystone01:05
*** guoshan has joined #openstack-keystone01:07
*** anush has quit IRC01:11
*** liujiong has joined #openstack-keystone01:14
ayoungrodrigods, looks like it failed01:14
ayoungnope, my typo01:14
ayoungrodrigods, looks like the interface to LDAP has changed. Doing01:18
ayoungsudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldap.23913.sk95dgWEpX/manager.ldif  failed01:18
ayounghttp://paste.openstack.org/show/590735/01:18
ayoungI'll have to learn the current state of OpenLDAP...01:19
openstackgerritEric Brown proposed openstack/keystone: SAML federation docs refer to old WSGIScriptAlias  https://review.openstack.org/40394401:26
*** guoshan has quit IRC01:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/40396801:43
*** browne has quit IRC01:55
*** anush has joined #openstack-keystone02:01
*** anush has quit IRC02:02
*** zhangjl has joined #openstack-keystone02:05
*** catintheroof has quit IRC02:16
openstackgerritAdrian Turjak proposed openstack/keystone-specs: User self management of TOTP credentials  https://review.openstack.org/34570502:16
*** catintheroof has joined #openstack-keystone02:16
*** catintheroof has quit IRC02:20
*** masber has joined #openstack-keystone02:26
*** masber has quit IRC02:26
rodrigodsayoung, hmm yep... same here, would need to understand the openldap inners02:30
openstackgerritRodrigo Duarte proposed openstack/keystone: Upload service provider metadata to testshib  https://review.openstack.org/40074702:44
openstackgerritSpencer Yu proposed openstack/keystonemiddleware: Keystonemiddleware already uses PBR:- setuptools.setup(  setup_requires=['pbr>=1.8'],  pbr=True)  https://review.openstack.org/40398702:52
*** stevemar__ has joined #openstack-keystone02:55
*** stevemar__ has quit IRC03:00
*** spzala has quit IRC03:01
*** spzala has joined #openstack-keystone03:01
*** tqtran has quit IRC03:02
*** spzala has quit IRC03:08
*** links has joined #openstack-keystone03:10
*** links has quit IRC03:10
*** catintheroof has joined #openstack-keystone03:25
*** udesale has joined #openstack-keystone03:32
openstackgerritSpencer Yu proposed openstack/keystonemiddleware: Drop MANIFEST.in - it's not needed by pbr  https://review.openstack.org/40398703:34
*** spzala has joined #openstack-keystone03:37
*** code-R has quit IRC03:51
*** code-R has joined #openstack-keystone03:51
*** code-R_ has joined #openstack-keystone03:53
*** stevemar__ has joined #openstack-keystone03:55
*** code-R has quit IRC03:56
*** nicolasbock has quit IRC04:02
stevemar__should be ready: https://review.openstack.org/#/c/403987/204:05
openstackgerritSteve Martinelli proposed openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/40351404:08
*** stevemar__ has quit IRC04:11
*** adriant has quit IRC04:19
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/40396804:20
*** catinthe_ has joined #openstack-keystone04:23
*** catintheroof has quit IRC04:26
*** catinthe_ has quit IRC04:26
*** catintheroof has joined #openstack-keystone04:27
*** catintheroof has quit IRC04:27
openstackgerritRichard Avelar proposed openstack/keystone: Don't invalidate all user tokens of roleless group  https://review.openstack.org/39972804:28
*** code-R has joined #openstack-keystone04:35
*** code-R_ has quit IRC04:36
openstackgerritGhanshyam Mann proposed openstack/keystone: Fix title for role-assignments api-ref  https://review.openstack.org/40402104:43
*** jrist has quit IRC05:03
openstackgerritGage Hugo proposed openstack/keystone: WIP - Allow user to change own expired password  https://review.openstack.org/40402205:04
*** spzala has quit IRC05:15
*** zhangjl has quit IRC05:35
*** code-R has quit IRC05:42
*** code-R has joined #openstack-keystone05:43
*** davechen_afk has quit IRC06:14
*** davechen_afk has joined #openstack-keystone06:14
*** jaosorior has joined #openstack-keystone06:22
*** richm has quit IRC06:41
*** FunTara has joined #openstack-keystone06:43
*** zhangjl has joined #openstack-keystone06:44
FunTaraHi, We are getting timeout messages occasionally when we try to log in to our openstack environment. Is there anyone who can help? Regards.06:45
openstackgerritMerged openstack/keystone: cache_on_issue default to true  https://review.openstack.org/38333306:52
*** josecastroleon has joined #openstack-keystone06:53
*** tqtran has joined #openstack-keystone07:01
*** masber has joined #openstack-keystone07:05
*** tqtran has quit IRC07:06
*** jaosorior has quit IRC07:07
*** jaosorior has joined #openstack-keystone07:08
*** spzala has joined #openstack-keystone07:16
*** spzala has quit IRC07:20
*** pcaruana has joined #openstack-keystone07:21
*** edtubill has joined #openstack-keystone07:58
*** edtubill has quit IRC08:03
*** jpich has joined #openstack-keystone08:16
*** amoralej|off is now known as amoralej08:33
*** woodster_ has quit IRC08:36
*** rcernin has joined #openstack-keystone08:56
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:00
*** spzala has joined #openstack-keystone09:10
*** stevemar__ has joined #openstack-keystone09:12
*** mvk has quit IRC09:13
*** spzala has quit IRC09:15
*** stevemar__ has quit IRC09:16
*** pnavarro has joined #openstack-keystone09:44
*** mvk has joined #openstack-keystone09:46
*** openstackgerrit has quit IRC09:48
*** openstackgerrit has joined #openstack-keystone09:48
*** code-R has quit IRC10:04
*** aloga_ has joined #openstack-keystone10:05
*** liujiong has quit IRC10:14
*** zhangjl has quit IRC10:15
*** hoangcx has quit IRC10:26
*** code-R has joined #openstack-keystone10:28
*** code-R_ has joined #openstack-keystone10:29
*** code-R has quit IRC10:32
*** udesale has quit IRC10:58
*** tqtran has joined #openstack-keystone11:03
*** tqtran has quit IRC11:07
*** mvk has quit IRC11:08
*** richm has joined #openstack-keystone11:12
*** mvk has joined #openstack-keystone11:20
*** nicolasbock has joined #openstack-keystone11:38
*** josecastroleon has quit IRC11:42
*** anush has joined #openstack-keystone12:13
*** anush has quit IRC12:24
*** josecastroleon has joined #openstack-keystone12:28
*** guoshan has joined #openstack-keystone12:28
*** guoshan has quit IRC12:29
*** guoshan has joined #openstack-keystone12:29
*** guoshan has quit IRC12:34
*** JoeStack has joined #openstack-keystone12:35
*** catinthe_ has joined #openstack-keystone12:37
openstackgerritBoris Bobrov proposed openstack/keystone: Print domain name in mapping_populate error message  https://review.openstack.org/40419712:39
*** stevemar__ has joined #openstack-keystone12:44
JoeStackHi, I need to raise one question regarding openstack-cli usage. I've installed "python-[openstackclient, heatclient]" on my local notebook and I've sourced my openrc file containing the credentials and the publicURLs of my OpenStack. Any OpenStack service is responsive except keystone! (i.e. "openstack service list" does not work, "openstack image list" and "glance image-list" do work!)12:49
JoeStackAny hint??12:49
dstanekJoeStack: what is the error?12:52
*** dimonv has joined #openstack-keystone12:53
openstackgerritSteve Martinelli proposed openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/40351412:54
JoeStackhttps://bpaste.net/show/9f92246512db12:54
stevemar__lbragstad: dstanek we can punt this through now: https://review.openstack.org/#/c/403514/312:55
stevemar__passlib has been updated in keystone reqs12:55
stevemar__dstanek: this should be ready too: https://review.openstack.org/#/c/403987/12:56
*** dimonv has quit IRC12:58
bretonJoeStack: why do you think it doesn't work?13:02
bretonJoeStack: the things in the paste are not errors, everything should work fine.13:04
breton(or we don't see full logs)13:05
breton(and output)13:05
*** guoshan has joined #openstack-keystone13:06
JoeStackbreton: Please excuse my newbie state in case of asking stupid questions. I would expect the same output on my local notebook when I do an "openstack service list" as I got when I'm locally connected on the OpenStack control node.13:06
bretonJoeStack: no problem :)13:07
*** amoralej is now known as amoralej|lunch13:08
JoeStackbreton: in the paste you see no outcome from the requested command, no "service list".13:08
*** code-R_ has quit IRC13:10
*** code-R has joined #openstack-keystone13:10
*** edmondsw has joined #openstack-keystone13:11
*** dimonv has joined #openstack-keystone13:15
*** guoshan has quit IRC13:18
dstanekJoeStack: the output doesn't show any errors.  what user are you using for that command?13:19
*** stevemar__ has quit IRC13:19
*** pnavarro has quit IRC13:19
*** stevemar__ has joined #openstack-keystone13:20
*** FunTara has quit IRC13:20
dimonvhelp13:22
*** jrist has joined #openstack-keystone13:23
*** stevemar__ has quit IRC13:24
JoeStackdstanek: I'm using my local user on my local machine (not root)13:25
*** spzala has joined #openstack-keystone13:26
dstanekJoeStack: what openstack user?13:26
dstanekhi dimonv13:26
JoeStackdstanek: I've sourced the "admin" account13:27
JoeStackI've found a hint after the command runs into a timeout.13:29
*** ayoung has quit IRC13:29
*** spzala has quit IRC13:30
JoeStackThe command was trying to contact the privateURL and not the public URL, but I don't understand why. The openrc file contains only the publicURL API addresses.13:31
JoeStackmy openrc file: https://bpaste.net/show/a89820d520d713:34
JoeStackthe issued command after timeout: https://bpaste.net/show/63ffeb2923d413:36
*** dave-mccowan has joined #openstack-keystone13:43
dstanekJoeStack: if you don't have that URL in your env then it must be coming from the catalog13:44
JoeStackdstanek: bug or feature? :-)13:45
*** udesale has joined #openstack-keystone13:47
dstanekJoeStack: you'll have to find out where it's coming from and tell me. unlikely a bug since everyone would have the issue.13:50
dstanekJoeStack: what do your keystone endpoints look like?13:50
dstanekJoeStack: i don't use v2 anymore so i don't remember all of the port shenanigans13:54
JoeStackdstanek: my endpoint list: https://bpaste.net/show/8f827390b87313:55
*** code-R has quit IRC13:55
*** lamt has joined #openstack-keystone13:57
JoeStackdstanek: and a more verbose "endpoint list" from my local machine: https://bpaste.net/show/b6bc09c3812013:58
JoeStackAs you can see at the end of this paste, there is a curl request to the privateURL of keystone, but for whatever reason?!?!14:00
dstanekJoeStack: looking...14:02
dstanekJoeStack: i think since you are doing admin things over v2 that it is pulling the admin url from the catalog14:03
dstanekJoeStack: v2 tried to separate out admin from user APIs based on port. v3 doesn't do this anymore and instead relies on policy14:06
JoeStackdstanek: One conclusion might be to use a different tenant, other than "admin" to be able to issue that command.14:08
JoeStackdstanek: But I got the same behavior when I changed the tenant from "admin" to something else.14:09
openstackgerritMerged openstack/keystonemiddleware: Drop MANIFEST.in - it's not needed by pbr  https://review.openstack.org/40398714:10
JoeStackdstanek: maybe I'm the only one using Mirantis 8.0 (Liberty) remotely by using python-openstackcli on my local machine :-/14:11
*** jperry has joined #openstack-keystone14:14
dstanekJoeStack: it's not the admin tenant. it's that you're doing what is considered an admin operation.14:15
dstaneki don't know Mirantis' stack, but breton might be able to point you in the right direction14:16
*** stevemar__ has joined #openstack-keystone14:17
*** daemontool has joined #openstack-keystone14:19
lbragstaddimonv hello14:19
*** code-R has joined #openstack-keystone14:19
*** guoshan has joined #openstack-keystone14:22
openstackgerritSteve Martinelli proposed openstack/keystone: Print domain name in mapping_populate error message  https://review.openstack.org/40419714:23
*** amoralej|lunch is now known as amoralej14:23
*** agrebennikov has joined #openstack-keystone14:24
dstanekJoeStack: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/version/service.py#n85 {public,admin}_app_factory shows what 2.0 thinks is public and admin operation. v3_app_factory shows that everything runs under the same port.14:30
*** guoshan has quit IRC14:32
*** edmondsw_ has joined #openstack-keystone14:38
*** Marcellin__ has joined #openstack-keystone14:41
openstackgerritMerged openstack/keystone: SAML federation docs refer to old WSGIScriptAlias  https://review.openstack.org/40394414:47
*** edmondsw_ has quit IRC14:53
*** edmondsw_ has joined #openstack-keystone14:53
*** edmondsw has quit IRC14:55
*** edmondsw_ has quit IRC14:55
*** edmondsw has joined #openstack-keystone14:55
stevemar__lbragstad: i see you're also looking at the policy file bug14:59
stevemar__is ayoung around? noooope14:59
stevemar__lbragstad: is the rule just flat-out written incorrectly?14:59
stevemar__in https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json15:00
stevemar__should token.is_admin_project:True be target.token.is_admin_project:True ?15:00
lbragstadstevemar__ you're talking about https://bugs.launchpad.net/keystone/+bug/1645632 right?15:01
openstackLaunchpad bug 1547684 in oslo.policy "duplicate for #1645632 Attribute error on Token object when using domain scoped token" [Undecided,New]15:01
stevemar__yeah15:01
lbragstadstevemar__ i guess the rule could be written wrong, but i wouldn't expect the keystone CLI to work if that was the case.15:02
stevemar__this is on the list of the horizon -> keystone bugs15:02
stevemar__lbragstad: it's only the v3 sample15:02
lbragstadstevemar__ looks like it's on the schedule here - https://etherpad.openstack.org/p/ocata-keystone-horizon ?15:03
lbragstadat line 8315:04
*** spzala has joined #openstack-keystone15:04
stevemar__lbragstad: the schedule doesn't really change :)15:04
*** tqtran has joined #openstack-keystone15:05
*** spzala has quit IRC15:06
*** spzala has joined #openstack-keystone15:06
lbragstadstevemar__ true - i just wanted to give it visibility somewhere15:06
*** spzala has quit IRC15:06
*** spzala has joined #openstack-keystone15:06
*** spzala has quit IRC15:07
*** jaosorior has quit IRC15:07
*** spzala has joined #openstack-keystone15:07
*** spzala has quit IRC15:07
*** jaosorior has joined #openstack-keystone15:08
*** spzala has joined #openstack-keystone15:08
*** spzala has quit IRC15:08
*** spzala has joined #openstack-keystone15:09
*** spzala has quit IRC15:09
*** tqtran has quit IRC15:09
*** spzala has joined #openstack-keystone15:09
*** spzala has quit IRC15:10
*** spzala has joined #openstack-keystone15:10
*** spzala has quit IRC15:10
*** spzala has joined #openstack-keystone15:11
*** spzala has quit IRC15:11
mfischlbragstad: stevemar__ morning15:11
lbragstadmfisch yo15:11
mfischI'd love to know how my patch magically landed ;)15:11
lbragstadmfisch i was going to ask you the same question15:12
mfischwant to look this gift horse in the mouth, might be a trojan gift horse15:12
*** spzala has joined #openstack-keystone15:12
lbragstadwell - i did but davechen_afk beat me to the punch15:12
*** spzala has quit IRC15:12
mfischdid you guys already discuss it?15:12
*** spzala has joined #openstack-keystone15:12
*** spzala has quit IRC15:13
lbragstadmfisch nope15:13
*** spzala has joined #openstack-keystone15:13
*** spzala has quit IRC15:13
mfischlbragstad: well something certainly landed, had much changed?15:13
mfischbetween Nov 16 and Nov 2815:14
*** spzala has joined #openstack-keystone15:14
*** spzala has quit IRC15:14
*** spzala_ has joined #openstack-keystone15:14
*** jaugustine has joined #openstack-keystone15:14
*** spzala_ has quit IRC15:14
lbragstadmfisch i haven't looked specifically - just saw that it was passing... i need to dig up the error i was getting15:14
mfischit was a missing field in the token I think15:15
lbragstadit was something weird - like the token reference didn't have a specific attribute15:15
*** spzala has joined #openstack-keystone15:15
mfischlbragstad: oh hey we had a weird error I wanted to let you know about, standing up a new lab. Testers kept telling me that tokens were still valid a few seconds after they should have expired.15:15
mfischthey blamed caching15:15
lbragstadmfisch hmmm...15:16
mfischI found out yesterday that the ntp ports are blocked outbound in that lab, so the issue is clocks15:16
lbragstadwhen in doubt, blame caching15:16
mfischits a good go-to15:16
lbragstadoh - the clocks were out of sync across the keystone cluster?15:16
mfischyeah15:16
mfischjust a bit15:16
mfischand our ntp monitoring in Icinga only sees that ntp is up and listening, not that it's actually working, oops15:17
mfischsomeone just casually said "oh yeah we're working with the firewall guys on ntp access, its blocked"15:17
lbragstadlol15:17
lbragstad"move along citizen, move along"15:18
mfisch#notdevstackproblems I guess15:19
mfischi am going through every interesting commit15:19
lbragstadcool15:20
mfischjamie has a patch to allow fetching expired tokens15:21
mfischin the same code area anyway15:21
lbragstadoh - good point15:21
mfischd9a6ead6f5f60de6821bc33603c44d04b7e4b8e5 changes a test15:21
mfischI wonder if that test change did it ^15:21
mfischlots of doc changes15:22
lbragstadmfisch https://github.com/openstack/keystone/commit/d9a6ead6f5f60de6821bc33603c44d04b7e4b8e5 ?15:23
mfischoh wait thats a notification test change15:23
mfischI thought it was in a different path15:24
mfischlbragstad: what about this15:24
mfischadb45134abc76c20d9ce1b8ea17bbbf94980534c15:24
mfischhttps://github.com/openstack/keystone/commit/adb45134abc76c20d9ce1b8ea17bbbf94980534c15:24
mfischthat looks familiar15:24
lbragstadah - possibly...15:25
mfischis there a way to see old jenkins results?15:25
lbragstadi pulled that out because it was specific to v215:25
lbragstadmfisch yeah - you can toggle patch CI through gerrit15:25
mfischsorry not sure what that means?15:25
*** ravelar has joined #openstack-keystone15:26
lbragstadmfisch if you scroll to the bottom of the page here - https://review.openstack.org/#/c/389365/15:26
lbragstadyou should see a 'Toggle CI' button15:26
lbragstadclick it15:26
mfischoh I had no idea what that button did15:26
mfischohh nice15:26
lbragstadthat should expand all the jenkins results for the history of that patch15:26
lbragstad#protip15:27
lbragstad;)15:27
mfischthe error was a KeyError exception on the token15:27
*** chlong has joined #openstack-keystone15:27
mfischon the user_Id field15:27
lbragstadstevemar__ do we have anyone around that is familiar with multi-domain ldap configurations?15:28
lbragstadmfisch yeah - that was it15:28
mfischlbragstad: well I suspect this is the change that did it15:29
*** code-R has quit IRC15:29
mfischi dont see anything concerning that landed15:29
*** code-R has joined #openstack-keystone15:29
*** chris_hultin|AWA is now known as chris_hultin15:31
lbragstadmfisch well - that's good :)15:33
*** knasim-wrs has joined #openstack-keystone15:37
lbragstadstevemar__ another question - do you know why we consider python-memcache an extra package if we enable caching by default?15:38
lbragstadhttps://bugs.launchpad.net/keystone/+bug/164526315:38
openstackLaunchpad bug 1645263 in devstack "Unable to run stack.sh on fresh new Ubuntu Xenial 16.04 LTS, script fails with "No module named 'memcache' "" [Undecided,Incomplete]15:38
dstaneklbragstad: that's a good question15:39
*** dimonv has quit IRC15:45
openstackgerritMerged openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/40351415:47
*** hrybacki is now known as hrybacki|mtg15:50
stevemar__lbragstad: dstanek we should probably just make it required at this point, but we could ask morgan_ to be sure15:52
*** pnavarro has joined #openstack-keystone15:53
stevemar__lbragstad: dstanek breton one of you guys want to look at https://review.openstack.org/#/c/390948/ ? it's ldap related, pretty close i think15:53
dstanekstevemar__: sure, just finishing up another one15:55
*** udesale has quit IRC15:55
*** Tahvok has joined #openstack-keystone15:55
*** adrian_otto has joined #openstack-keystone15:55
TahvokHey guys!15:55
TahvokI'm trying to configure keystone with AD15:56
TahvokCurrently I'm on Mitaka15:56
dstanekTahvok: are you having issues?15:56
dstanekstevemar__: actually meeting in 5 so i can take a peek after than15:56
dstanekerr. that15:56
TahvokFor some reason I can't get it to work. An example of an error I get from the log: User neutron has no access to project 765d0c55f5424ba384196d242a6fa810 _populate_roles /usr/lib/python2.7/dist-packages/keystone/token/providers/common.py:45415:56
TahvokThe project id is the 'service' project15:57
TahvokBut I did configure it as it should on AD15:57
TahvokI used this (a bit outdated) guide: http://behindtheracks.com/2015/03/openstack-juno-active-directory-integration/15:58
*** edtubill has joined #openstack-keystone15:58
TahvokThe official docs seem to be outdated as well.. So not sure what to follow15:58
*** madorn has quit IRC15:59
lbragstadstevemar__ cool - well I'll wait to hear what morgan_ has to say about it16:01
dstanekTahvok: can the user authenticate properly? and you are just having an issue with a project?16:03
*** rcernin has quit IRC16:03
Tahvokdstanek: with ad authentication + keystone in general16:03
TahvokNot just a project16:03
TahvokAnd the user can authenticate fine16:03
*** jaosorior has quit IRC16:05
openstackgerritJohannes Grassler proposed openstack/keystone-specs: Added spec on standalone trusts  https://review.openstack.org/39663416:05
dstanekTahvok: does that user have a role assignment on the project?16:06
Tahvokdstanek: via active directory. Yes16:06
*** chlong has quit IRC16:07
agrebennikovyet another upset user who needs remote assignments :D16:07
agrebennikovfolks, when are you restoring this functionality?16:08
dstanekagrebennikov: ?16:10
agrebennikov^^ "assignments via AD"16:11
dstanekagrebennikov: i doubt we'll officially support that any time soon. we've gone to read-only ldap only16:12
dstanekTahvok: what assignment driver are you using?16:13
Tahvokdstanek: ldap16:13
TahvokIs it not supported?16:13
dstanekwhich version of keystone?16:13
agrebennikovI know :) that was just a joke, sorry for being sarcastic16:13
dstanekno, not anymore16:13
agrebennikovTahvok, it's been deprecated/removed 2 releases ago16:14
agrebennikovor 316:14
Tahvokdstanek: 2:9.2.0-0ubuntu116:14
TahvokSo any guide on configuring read only ldap?16:15
stevemar__Tahvok: i wrote a blog on it.... 1 sec16:17
stevemar__Tahvok: https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/ it's from 2 releases ago, and i hate sharing unofficial docs, but each time i share i get good feedback:16:18
Tahvokstevemar__: thanks, I'll try it!16:19
*** chlong has joined #openstack-keystone16:20
agrebennikovTahvok, just keep in mind - No way to store roles/assignments/projects anywhere but local sql.16:21
*** knasim-wrs has quit IRC16:21
*** knasim-wrs has joined #openstack-keystone16:22
stevemar__bbiab16:22
Tahvokagrebennikov: so it's only for authorization?16:22
Tahvoksorry16:22
TahvokAuthentication16:22
TahvokYou still assign the roles for each user in sql?16:22
*** knasim-wrs has quit IRC16:24
*** chrisplo_ has quit IRC16:25
agrebennikovTahvok, yes, always16:27
agrebennikovTahvok, the alternative - use groups instead of individuals16:28
*** knasim-wrs has joined #openstack-keystone16:28
Tahvokagrebennikov: so at least I can use groups for assigning roles?16:28
agrebennikovTahvok, correct16:29
agrebennikovand that's in stevemar__'s article16:30
dstanekTahvok: in keystone we don't support the ldap driver anymore for assignments :-(16:34
*** pcaruana has quit IRC16:36
*** mvk has quit IRC16:36
*** sayalilunkad has quit IRC16:38
*** browne has joined #openstack-keystone16:42
openstackgerritDavid Stanek proposed openstack/keystone: Deprecate the AdminTokenAuthMiddleware  https://review.openstack.org/30528716:43
*** josecastroleon has quit IRC16:44
*** hrybacki|mtg is now known as hrybacki16:45
*** ravelar has quit IRC16:51
*** adrian_otto has quit IRC17:01
*** aloga_ has quit IRC17:07
*** asettle has quit IRC17:08
*** chlong has quit IRC17:10
*** adrian_otto has joined #openstack-keystone17:13
*** raildo has quit IRC17:15
openstackgerritMerged openstack/keystone: Don't invalidate all user tokens of roleless group  https://review.openstack.org/39972817:15
*** phalmos has joined #openstack-keystone17:17
Tahvokstevemar__: how do I know my group_objectclass according to your guide?17:19
*** zzzeek has quit IRC17:20
*** jpich has quit IRC17:21
*** chrisplo_ has joined #openstack-keystone17:22
*** chlong has joined #openstack-keystone17:24
*** zzzeek has joined #openstack-keystone17:24
*** knasim-wrs has quit IRC17:32
morgan_stevemar__: ?17:33
lbragstadit's a morgan_ !17:35
lbragstadmorgan_ i'd love to have your feedback on this - https://bugs.launchpad.net/keystone/+bug/164526317:35
openstackLaunchpad bug 1645263 in devstack "Unable to run stack.sh on fresh new Ubuntu Xenial 16.04 LTS, script fails with "No module named 'memcache' "" [Undecided,Incomplete]17:35
openstackgerritSergey Nikitin proposed openstack/oslo.policy: Improved performance of parse_file_contents() method  https://review.openstack.org/40435717:35
morgan_oh. lovely. something isn't installing it as expected17:36
morgan_it should have worked.17:36
morgan_iirc this means optional deps [memcach] aren't included.17:36
morgan_you can make it a hard dep if you want. I won't block that.17:37
lbragstadmorgan_ what was the whole backstory for not making it a hard dep in the first place?17:37
lbragstadi feel like i'm missing some tribal knowledge there17:37
morgan_operators complain Ed.17:38
lbragstadreally?17:38
morgan_complained*17:38
*** daemontool has quit IRC17:39
lbragstadmorgan_ were there packaging issues?17:39
morgan_don't think so.17:39
morgan_python-memcached just is a kind of sucky library17:40
lbragstadah17:40
morgan_and I tried to take it over, but the current maintainer and I haven't been able to sync up.17:40
morgan_I dropped the ball TBH.17:40
lbragstadmorgan_ you just wanted to take it over since we rely on it? or are there outstanding items that need to be addressed?17:41
lbragstadwith the library as a whole?17:41
*** browne has quit IRC17:41
morgan_outstanding bugs. and dependence on thread.local17:42
morgan_etc.17:42
morgan_I can reopen the convo.17:42
lbragstadthis is sounding like a mailing list post17:42
*** zzzeek has quit IRC17:45
*** ayoung has joined #openstack-keystone17:45
*** markvoelker has quit IRC17:45
morgan_we have done this multiple times.17:46
lbragstadmorgan_ mailing list posts?17:47
morgan_comes up the same most. "please don't do that"17:47
morgan_iirc, yes.17:47
lbragstadah17:47
*** adriant has joined #openstack-keystone17:47
morgan_people complain about python-memcached a lot in general.17:47
lbragstadhmm17:47
*** edtubill has quit IRC17:48
*** zzzeek has joined #openstack-keystone17:48
*** mvk has joined #openstack-keystone17:50
*** markvoelker has joined #openstack-keystone17:50
*** code-R_ has joined #openstack-keystone17:51
*** cbits has joined #openstack-keystone17:52
*** adrian_otto has quit IRC17:53
morgan_to be fair, it has gotten better.17:53
morgan_it still isn't "good"17:53
*** code-R has quit IRC17:53
lbragstadmorgan_ i threw it on the meeting agenda17:53
* stevemar__ has 6 minutes to eat lunch17:54
morgan_wfm17:54
* lbragstad hands stevemar__ a shovel17:55
*** browne has joined #openstack-keystone17:55
*** henrynash has joined #openstack-keystone17:58
*** ChanServ sets mode: +v henrynash17:58
*** jperry has quit IRC17:59
stevemar__didn't finish :(17:59
*** Zer0Byte__ has joined #openstack-keystone17:59
stevemar__meeting time!!17:59
*** jperry has joined #openstack-keystone17:59
stevemar__full agenda17:59
*** asettle has joined #openstack-keystone18:01
*** spilla has joined #openstack-keystone18:02
*** rodrigods is now known as rodrigods_18:02
*** chrisplo_ is now known as chrisplo18:02
*** morgan_ is now known as morganfainberg18:03
*** morganfainberg is now known as morgan18:04
*** rodrigods_ is now known as rodrigods18:06
*** rodrigods has quit IRC18:07
*** rodrigods has joined #openstack-keystone18:07
edmondswdoes anyone know what the max token length is for fernet tokens?18:09
stevemar__edmondsw: should be 25518:10
stevemar__edmondsw: meeting time btw18:10
lbragstadedmondsw 25518:10
edmondswtx18:10
lbragstadedmondsw if you're running uuid like ids that can be compressed18:10
lbragstadinto byte representations before being message packed18:11
*** code-R_ has quit IRC18:14
*** code-R has joined #openstack-keystone18:14
*** crinkle has quit IRC18:23
*** henrynash has quit IRC18:25
*** crinkle has joined #openstack-keystone18:28
*** code-R has quit IRC18:47
adriantmorgan: I'll be around after meeting, and I would love to help fix/rework the auth layer to allow multiple enforcement as I have been thinking about that a lot. :)18:49
morganadriant: absolutely :)18:49
morganadriant: i've wanted multiple plugin requirements enforced since grizzly18:49
adriantmorgan: my main problem, and why I've been waiting to write a spec, is enforcement isn't enough...18:49
morganso.. i've spent a long time thinking about how we do this18:50
adriantit needs to be a layered approach.18:50
adriantwith base types, and addons that require a base type18:50
adriantbut, after meeting :)18:50
morgannah. we have a canonical list of plugins we allow (it's in keystone.conf) we can store for a user (or idp/protocol) a list of required ones18:51
morganif the plugin is required AND enabled in keystone.conf18:51
morganwe require both for auth18:51
morganfor that user or idp/protocol18:51
morganit won't break what you'd be building too, aka passwordtotp if you needed it18:51
morganbecause you could just limit the keystone.conf to only use that one18:52
adriantWe run a public cloud, so we don't have easy control over what people are running18:52
*** nishaYadav has joined #openstack-keystone18:52
adriantso we need passwordtotp :(18:52
adriantas it just 'works'18:52
adriantpeople append their password to password and it works :(18:52
adriantI wanted to do multiple plugins, but keystone didn't support it, and it would break a lot for our customers18:53
morganis it strictly CLI and horizon that you're worried about then?18:53
adriantyeah18:53
morganthen we can fix that part as well with keystoneauth work.18:53
morgansince keystoneauth also has plugins that can make the magic happen18:54
*** tqtran has joined #openstack-keystone18:54
morganand django-keystoneauth as well.18:54
morgan(which btw, would still be needed to be fixed)18:54
adriantindeed, but this seemed like the least hassle in the short term and appending a passcode to password was a common enough approach it seems18:54
morgani'm not precluding passwordtotp, i am very much against supporting *another* plugin when the whole push for totp was predicated on the fix i've described18:55
adriantmy only problem with your idea is where/how do we say "this user needs TOTP and password"18:55
morganin user specific metadata18:55
morganit becomes part of the user object18:55
morgana list of required auth plugins18:55
adriantok, and where is the totp secret stored? :P18:56
adriantthere are multiple dependencies here18:56
morganthe totp secret is (unfortunately) stored in the creds table18:56
morganlike today18:56
adriantand that also needs to be managed somehow18:56
*** code-R has joined #openstack-keystone18:57
morganthis feels like something that should be built around the CLI and/or horizon not in keystone18:57
morganthe totp creation.18:57
morgani don't really want keystone to be "generating" the totp secrets18:57
adriantyeah, but it allows us to be consistent18:57
adriantotherwise we NEED to validate incoming secrets18:57
dstanekadriant: why do you want to generate them in keystone?18:57
morganyour user management portal can do that.18:58
adriant^18:58
morganusers cannot update their own objects unless they are a domain admin with magic powers granted18:58
adriantit's a question of breaking18:58
adriantthe totp secrets need to be base3218:58
* morgan flips back to meeting18:59
ayoungagrebennikov, so, you know that I proposed the projectID thing, too, right?19:00
agrebennikovsure I don't :)19:01
morganadriant: i also think it's a mistake we ever built an api to generate the EC2 credentials in keystone19:01
agrebennikovwhere?19:01
ayoungand it was killed then19:01
morganadriant: for what it's worth19:01
ayoungagrebennikov, in this same forum, about a year+ ago.19:01
dstanekmorgan: ++19:01
adriantmorgan: yeah, I can understand that.19:01
ayoungI wanted it for cleaning up resources left hanging when a project is deleted19:01
dstanekadriant: so you're worried that a user will add a credential that isn't correct base32?19:02
morganayoung: and as you remember i was on your side. i put a -2 on this because i want to make sure we discussed this before we allowed it in based on the previous convos19:02
morganagrebennikov: ^ cc19:02
ayoungagrebennikov, there were other people that wanted it for keeping projects in sync between two clouds19:02
morgannot because i disagree with the proposal19:02
agrebennikovayoung, ah, but it's different since it involves all OS projects19:02
ayoungagrebennikov, everything that Keystone does involves all OS projects....nature of the Beast19:02
morganthis has been contentious in the past and can't be snuck in.19:02
ayoungagrebennikov, why do you want it?19:02
adriantmorgan: the thing though that I wanted to do with totp creation in keystone is to be able to create them, but not have them used until they've supplied a valid passcode generated from it.19:02
agrebennikovsame as before - I need my token to be valid across regions19:03
morganadriant: this is a lot of business logic19:03
adriantmorgan: I can do that outside of keystone, but it means storing the secret elsewhere19:03
adriantmorgan: until submitted and 'active' at least.19:03
morganadriant: this is also why i want the multiple plugin enforcement requirements19:03
morganadriant: so you could store it locally in keystone and when it's validated, you update the user to require the new (or multiple) plugins to auth19:04
adriantmorgan: yeah, a user specific list of "use these" would help19:04
agrebennikovayoung, in fact custom project IDs were always around based on the ldap groups19:04
morganadriant: exactly what i want to do :)19:04
ayoungagrebennikov, LDAP assignment is long dead19:04
agrebennikovthis is why I completely disagree with morgan's -219:04
morganayoung: ++19:04
agrebennikovand so?19:04
ayoungagrebennikov, question still stands.  why do you want it?19:04
agrebennikovI'm no longer asking you to bring it back:)19:04
morganagrebennikov: ldap assignment is dead, and we have said in no uncertain terms keystone itself owns and generates ids19:05
dstanekagrebennikov: you can still use it if you really, really want19:05
ayoungagrebennikov, is this for cross-cloud project assignment sync for the K2K case?19:05
cbitsI think there are use cases where you have more than one keystone (30) and you want to do show back, charge back and other tracking19:05
agrebennikovdstanek, this is offtopic for now.... ayoung yes19:05
dstanekadriant: i'm not clear on the usecase for generating the totp secrets19:05
morganthe only way i would accept custom ids is if it explicitly conformed to the standard id format... uuid4 -- but it opens a lot of doors to conflicting ids because ids are globally unique and domain admins can create projects19:05
cbitsit helps to have the same project ID in all of those keystones19:05
ayoungagrebennikov, no, it is very much on topic19:06
adriantmorgan: but there is a problem to fix with the current totp plugin, even if a user has totp in their "must use" list, they should still be able to login and actually create a totp cred, so the totp plugin needs to only deny auth if the user has a totp cred and the passcode was wrong.19:06
ayoungit is a serious concern and should be addressed.19:06
cbitsRE: https://review.openstack.org/#/c/403866/219:06
ayoungAnd, guess what, it is19:06
ayoungagrebennikov, there is an effort to extend Federation to autogenerate a project for certain cases.  I think it solves yours19:06
ayounglbragstad, that is going to make it in to Ocata, right?19:07
dstanekadriant: morgan: i don't think that enforcement belongs there19:07
morganadriant: i actually think we need a required list that looks like: (password, totp || password, backup_code)19:07
lbragstadayoung it's accepted for ocata - i'm still working on it though19:07
morgandstanek: i largely agree19:07
dstanekadriant: morgan: higher up something should know that certain plugins are required and deal with that19:07
adriantdstanek: saves it being done outside of keystone, allows admins to set a standard/min length, less hassle and problems outside of keystone, and lets the users manage things in keystone themselves rather than 'need' a separate user management service.19:07
ayounglbragstad, it will work for K2k right?19:07
dstanekadriant: morgan: i don't know how to do that though19:07
morgandstanek: i see it as user-metadata19:08
agrebennikovmorgan, so literally you want me to automatically convert my custom "id" in the same way you do it for domains and users?19:08
morgandstanek: and the auth system sees what are required.19:08
lbragstadayoung sure - it is extending the mapping engine to resolve attribute in the assertion to create specific things on first federated authentication19:08
lbragstadayoung so it should work for k2k -but it shouldn't be specific to it by any means19:08
ayoungagrebennikov, there ya go...that was the answer I was given last year, too19:08
morganagrebennikov: if more folks than adam and i agree to this... you would need to perform a validation to make sure it conforms (uuid) to the same format as other ids19:08
dstanekadriant: why wouldn't you do that with password generation then?19:09
cbits+119:09
adriantdstanek: but we now do have password requirements in keystone :)19:09
cbitsI think if we can validate its a UUID (same format) and check to ensure its not already in use the project_id could be passed in19:09
agrebennikovmorgan, but let me ask you this... WHAT is the purpose of this conversion if In Fact it is still the same?19:09
dstanekadriant: we don't have any generation19:09
cbitswe don't want to do anything unsafe.  but do want to support valid use cases.19:09
adriantdstanek: and passwords a user needs to actually know/remember, a totp cred needs to be random19:10
morganagrebennikov: because as it stands now you can have an id called "omgmycoolproject"19:10
agrebennikovmorgan, the only thing needs to be validated - whether it is unique or not19:10
agrebennikovin the db19:10
morganagrebennikov: that is not valid - we make assertions about project ids because they are used in URLs (much to my chagrin)19:10
adriantdstanek: no one remembers a totp cred, they add it to a passcode generation app and forget about it.19:10
morganoutside of keystone19:10
*** nishaYadav has quit IRC19:10
morganadriant: this is why you provide backup codes (one time use)19:11
morganadriant: ala google19:11
agrebennikovmorgan, gotcha, agree19:11
dstanekadriant: i don't remember passwords (or even generate them) either. last pass does that for me.19:11
morganagrebennikov: so my -2 really is about this is a repeated discussion. we need more than 2 cores here to confirm it is ok. and i'll require it to be a UUID in the db. (hex form)19:12
morganagrebennikov: i will be honest, i do not dislike this and was on adam's side before19:12
dstanekadriant: i don't expect google to tell me what my password is...ever. and if they do they are severely broken19:12
adriantdstanek: yes, but using password managers sadly isn't as common as we'd all like :(19:12
morganagrebennikov: this isn't a bad idea. it is an idea that needs quorum across the cores and the PTL19:12
adriantdstanek: I'm not sure what you mean here? when you setup MFA on google they give you a secret19:13
*** raildo has joined #openstack-keystone19:13
morgandstanek: keepass does it for me, but i want to go back to lastpass19:13
adriantdstanek: they generate one, and give that to you as a QRcode19:13
agrebennikovmorgan, ok, let me go talk to Adam :)19:13
adriantmorgan: keepass is awful... :(19:13
morganagrebennikov: that is ayoung btw19:13
agrebennikovI kon19:13
agrebennikov*know19:13
morganadriant: it is easier on multiple platforms and my data is not stored in a service that has been compromised over and over.19:14
morganadriant: (ok twice)19:14
adriantmorgan: oh I agree, I use it, I just don't like it :P19:14
morganadriant: keepass ui is awful19:14
morgananyway.. so back on topic19:14
morgangoogle, setup totp, requires a validation step and gives one-time-use codes19:15
morganas a backup19:15
adriantwe could do that in keystone, yes19:15
morganand all sorts of things we can't do (sms)19:15
agrebennikovmorgan, same with the roles then? (just so we make it more generic)19:15
bknudsonwhy not just do google federation?19:15
morganagrebennikov: roles are only ever referenced by name19:15
dstanekwe seem to be going further and further down the IdP rabbit hole19:16
agrebennikovmorgan, not in the token19:16
morganthe uuids are unique for DB purposes but could have been an autoinc19:16
morganagrebennikov: they should be referenced by name in the token. or they used to be19:16
agrebennikovhm19:16
agrebennikovlet me double check :/19:16
morganbecause policy doesn't know id->name19:16
*** code-R has quit IRC19:16
dstanekmorgan: yep, roles are by name19:17
morganpolicy engine can only enforce on name19:17
agrebennikovdstanek, currently in the token?19:17
morganagrebennikov: yes.19:17
*** code-R has joined #openstack-keystone19:17
morgani am certain19:17
morganotherwise we couldn't enforce roles for API calls19:17
agrebennikovmorgan, ok, well, then it's a bit easier19:17
morganyeah roles are a lot easier on that front19:17
dstanekagrebennikov: what morgan said19:17
morgandomain ids, project ids, and user ids19:18
cbitsLove them!19:18
morganand trust_ids (but that can be cloud specific)19:18
morganare ids, roles are names.19:18
openstackgerritGage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675219:18
openstackgerritGage Hugo proposed openstack/keystone: Add reason to CADF notifications in docs  https://review.openstack.org/40088219:18
morganbknudson: i mean... isn't google oidc?19:18
morganwe could.19:19
morganadriant: the way i see it is we need to be able to specify a list of AND and ORs for required auth plugins per user19:19
morganso we can do (password AND totp) OR (passwordtotp) OR (password AND onetime_code) etc19:19
morganas an example19:20
dolphmmfisch: i just came across http://www.mattfischer.com/blog/?p=790 -- A) awesome work, B) what are you using for benchmarking nowadays? those graphs are shiny.19:20
adriantmorgan: yeah, I could work with that19:20
morganand when you generate/validate the code, you then change the required plugins for the user19:20
morganand store the totp code in the db19:20
dolphmmfisch: i imagine you either tediously collected a LOT of data with something simple like ab or used something smarter19:21
morganit also means you could disable the need for totp without removing the cred if you so desired.19:21
*** amoralej is now known as amoralej|off19:21
dolphmmfisch: specifically for the data behind the excel-looking graphs19:21
morganor you could store the token and wait until it is validated to enable the requirement for the user19:21
morgandolphm: mfisch has shiiiiiiney graphs19:21
morgandolphm: i wish i had graphs that pretty19:21
morganadriant: i know it is more work19:22
morganadriant: i'll do what i can to help get this through.19:22
adriantmorgan: a lot of work, but I'd be happy to help19:22
morganadriant: so we can solve the problem more correctly and finish up the badly ignored totp stuff ... i knew i should have demanded the auth plugin work first :P19:23
adriantmorgan: we'd need to update keystone auth to dynamically load/require the plugins based on the user thought, which could get ugly.19:23
morganadriant: nah we still load based on keystone.conf19:23
adriantthough*19:23
bknudsondolphm: looks like grafana19:23
morganand we just enforce based upon user metadata19:23
morganif the plugin is disabled in keystone.conf, it is a no-op19:23
adriantkeystone auth those allows a user to say which plugins they want to use19:23
morganand ignored.19:23
morganthe auth-plugins in keystone itself (server) are configured explicitly19:24
adriantso we need to change and make sure the whole chain works19:24
adriantand that error messages are good19:24
morgankeystoneauth library is user-end and doesn't matter.19:24
morganwe will need better error messages19:24
morganfor sure19:24
adriantyes, else a user will not be able to login and have no clue why19:24
morganbrb19:25
morgani think if someone passes a bad totp token you can say standard "bad username/password" --- if someone auths with user and password but requires totp "insufficient auth data" [will have to think of better wording] is correct19:27
adrianta lot of the problem will be a user logging in after someone (and admin maybe) has setup some requirements, and not knowing why they can't log in.19:28
adriantan* admin19:28
adriantbut that's another problem really :/19:28
morganthat is, i think, a communication issue19:28
morgani am not sure we can really solve that easily with tech.19:29
adriantyeah, and we have no way of saying: your auth requirements have changed19:29
morganwithout possibly leaking data that shouldn't be leaked.19:29
adriantthat needs to happen outside of keystone19:29
morganyah.19:29
morgani don't want keystone to need to learn to talk smtp to send emails :P19:30
adriantin my case I have a service exactly for crap like that19:30
morgan^+^19:30
morganerm ^_^19:30
adriantAlright, morgan, lets organise working together on this as a spec, probably... next cycle?19:31
adriantAs I do want to allow multiple auth plugins, and I have ideas for new ones I want to add on top of password19:32
morganadriant: lets ping stevemar__ ^19:32
morgannext cycle spec or try and get this in now?19:33
adriantNot enough time I don't think this cycle :(19:33
morganthis is why i ask stevemar__ still.19:33
adriantpassword_totp is still probably worth keeping though ;)19:33
morganit's not a ton of work, but it is a db migration and some added validation19:34
morgani know where all the bits go19:34
morganmaybe 300-600 LOC with tests.19:34
morganthe only question i have is should it be a many-to-many mapping (in a db) setup... or just a column on the user19:35
* morgan leans towards many-to-many19:35
adriantmany to many? So you can link multiple users to the same rule?19:36
adriantI guess that makes sense, but also kind of ugly19:36
*** code-R has quit IRC19:36
adriantsafer to give users each their own rules, although more data19:36
morganah yeah19:36
adriantYou mean more just, a new metadata like table?19:37
adriantkind of like: https://review.openstack.org/#/c/388886/ ?19:37
adriantIn this case, we can probably just do it as a top level user object field as it is important enough to justify it.19:38
morganyeah.19:38
morganmy only concern is the size limit19:38
adriantjust do user.auth_rules or something and to be safe make it a text field as char is too limiting19:38
morganvarchar255 is kindof the limit we have in the db19:39
morganwe could use a blob... but that is highly unstructured.19:39
agrebennikovhey morgan, one more question regarding my topic - if the user will try to create the new project with the same id, I hope the DB will not allow to store it, correct?19:39
agrebennikovsame as name19:39
morganagrebennikov: it should not allow it.19:39
morganit is a unique constraint19:40
morgannames are unique within a domain19:40
morganso new domain_id and the same name works19:40
morgansame domain_id and same_name is a conflict19:40
agrebennikovok, tnx19:40
adriantmorgan: is there ever a case we'd need to index on rules themselves? Wouldn't we just fetch the whole blob anyway?19:40
morganids are globally (within a keystone) unique19:40
morganadriant: you know... i don't think we need to index it19:40
agrebennikovso no additional checks are required19:40
morganagrebennikov: correct, we already validate that19:41
adriantmorgan: blob works then, as we always just fetch the whole thing, parse it, build the rules tree, and go from there19:41
adriantand chances are we can do that at the last stage of auth. Once all the auth plugins are done, check their status against the rules.19:41
morganadriant: yeah.19:44
morganthat is the idea.19:44
morgani kindof want to be careful about creating a new DSL just for this though..19:44
adrianthttp://paste.openstack.org/show/590881/19:45
adriantdo a rules check is a tree traversal19:45
morgani'm thinking a simple JSON form19:45
*** josecastroleon has joined #openstack-keystone19:45
morganvs "natural language" style you proposed19:45
adrianta json tree of rules works too :)19:45
adriantsince it is that structure pretty much19:46
adrianteasier to read, parse and maintain19:46
morgan"required_plugins": [["password", "totp"], ["passwordtotp"], ["password", "ontime"]]19:46
morganexactly19:46
morganand i think we start with user-specific19:47
morganand we can add idp/protocol enforcement after with the same pattern19:47
*** josecastroleon has quit IRC19:50
*** adriant has quit IRC19:51
morganlbragstad: so .. should i re-open the convo with python-memcached maintainer?19:55
lbragstadmorgan well - i was going to wait and see what the rest of the group wanted to do about the issue19:56
morganlbragstad: i just asked the maintainer again19:57
morganworst case we can simply make it better -- regardless of what we do with stack.sh19:58
lbragstadmorgan who is the maintainer?19:58
morganSean Reifschneider19:58
morganlinsomniac on github19:58
morgani need him to grant me the pypi and launchpad projects19:59
morganand i can do the import / get it into gerrit19:59
*** code-R has joined #openstack-keystone20:00
*** code-R has quit IRC20:01
*** code-R has joined #openstack-keystone20:02
mfischdolphm: the first set of graphs is from grafana, the 2nd is google docs20:04
lbragstadmorgan cool - i'll keep the topic on the agenda for next week's meeting20:05
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Import TaskManager from shade/nodepool  https://review.openstack.org/36247320:11
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Use TaskManager for all request interactions  https://review.openstack.org/36247420:11
dolphmmfisch: how did you collect the data?20:11
morganlbragstad: ^ those could use eyes20:11
mfischdolphm: the 2nd set of data is from a forked copy of that apache bench tool thing you wrote20:11
lbragstadmorgan cool - i have one other meeting after the tc meeting i'm lingering in, but i have them opened ;020:12
mfischthe first set we have a custom python test suite that makes api calls every 60 seconds and posts to monasca20:12
morganlbragstad: thnx20:12
openstackgerritSergey Nikitin proposed openstack/oslo.policy: Improved performance of parse_file_contents() method  https://review.openstack.org/40435720:17
*** adriant has joined #openstack-keystone20:25
openstackgerritDavid Stanek proposed openstack/keystone: Removes unused default_assignment_driver method  https://review.openstack.org/40441120:28
openstackgerritDavid Stanek proposed openstack/keystone: Removes unused method from assignment core  https://review.openstack.org/40441220:28
*** richm has left #openstack-keystone20:28
adriantmorgan: hey sorry internet cut out and then I realised what time it was so ran off to work. :(20:29
*** richm has joined #openstack-keystone20:29
* adriant at work now20:29
adriantmorgan: so can talk, but I think I'll just follow up with an email :)20:29
morganadriant: wfm20:32
morgani need to lunch and followup on a couple other things20:33
morganonce the TC meeting is done we'll get stevemar__ to make a call on "try and land in ocata" or not20:33
*** edtubill has joined #openstack-keystone20:34
*** edtubill has quit IRC20:34
*** catinthe_ has quit IRC20:35
stevemar__o/20:37
openstackgerritDavid Stanek proposed openstack/keystone: Removes unused exceptions  https://review.openstack.org/40441620:39
bknudsonby the time dstanek is done we'll find out that keystone is only a few lines of bash.20:40
morganstevemar__: the totp changed20:40
lbragstadbknudson lol20:40
morganstevemar__: try for this cycle or aim for next20:40
stevemar__bknudson: nice20:40
stevemar__morgan: i'm still game for this cycle20:41
morganbknudson: i bash? phsaw... who needs bash. it'd be 2 lines in a text document20:41
morganbknudson: and still work20:41
morganadriant: ^ looks like this cycle is on the table20:41
morganstevemar__: https://review.openstack.org/#/c/362473/ and the dependent change need eyes.20:42
morganstevemar__: if you don't mind. it would make adding application specific logic to ksa sessions much easier (and simplify shade/nodepool)20:42
stevemar__morgan: added to the list20:44
morganstevemar__: since you could add client/application specific logic to every request (such as rate limiting, or caching, or krb5) without needing ksa to be changed.20:44
morganstevemar__: thnx20:44
*** code-R has quit IRC20:51
lbragstadmorgan bknudson do it in lambdamoo!20:51
dstanekbknudson: :-)20:52
adriantmorgan: I'm game for this cycle too :) Can dedicate dev time towards it. Just have to get the spec together and merged before the 12th!20:58
*** raildo has quit IRC20:58
morganadriant: shouldn't be too hard to do20:59
morgani can start on it later today... or you can publish the first pass on the spec and i can contribute21:00
morganeither works for me21:00
*** adrian_otto has joined #openstack-keystone21:00
dstanekadriant: plenty of time21:01
*** adrian_otto1 has joined #openstack-keystone21:06
*** dave-mccowan has quit IRC21:06
*** adrian_otto has quit IRC21:07
*** edtubill has joined #openstack-keystone21:07
*** edtubill has quit IRC21:07
*** edtubill has joined #openstack-keystone21:08
openstackgerritDavid Stanek proposed openstack/keystone: Drop support for IBM DB2  https://review.openstack.org/35376721:10
*** code-R has joined #openstack-keystone21:16
mfischjust rolled newton into staging, very smooth21:20
lbragstadmfisch nice!21:20
mfischoutage was < 2 seconds this time21:20
lbragstadmfisch no rolling upgrade?! ;)21:21
mfischI have it all automated21:21
mfischmaybe I should post those ansible scripts21:21
lbragstadmfisch i thought you TWC folks lived dangerously :)21:21
stevemar__adriant: listen to morgan, he's the smart guy in the room :P21:22
lbragstadmfisch is that all ansible?21:22
mfischyeah ansible driving puppet21:23
lbragstadhuh - interesting21:23
mfischhandles the quiescing, db backups, db cluster mgmt21:23
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Pass allow_expired to token validate  https://review.openstack.org/38209921:23
mfischif I get to go to ATL I'll draw it out for you guys so you can see how the real world deals with your devstack experiments ;)21:23
lbragstadmfisch i recently saw a couple patches being proposed to openstack-ansible for rolling upgrade support (cc: odyssey4me )21:23
lbragstadmfisch oo that sounds exciting!21:23
stevemar__dstanek: doubt https://review.openstack.org/#/c/353767/ will pass, it wasn't passing before the rebase was necessary21:24
mfischnow we'll wait 1 week and then do prod21:24
lbragstadawesome21:24
*** spilla has quit IRC21:29
bknudsonyou don't rust us?21:30
bknudsontrust21:30
*** adrian_otto1 has quit IRC21:32
adriantstevemar__, morgan: Well I've official approval from my PM to dedicate time towards an auth plugin rework (as it fits under what I want to do with MFA). :)21:32
morgannice!21:33
*** adrian_otto has joined #openstack-keystone21:33
*** cbits has quit IRC21:33
morganbknudson I don't trust us21:33
adriantmorgan: may put together a rough outline of the spec based on our talk and if you submit first I can simply contribute as needed :)21:33
adriantmorgan: but keystone is a trusts worth service!21:33
adriantworthy*21:33
morganadriant: sounds good.21:33
dstanekstevemar__: i have my finger crossed :-) and if it doesn't i'll get it fixed21:34
dstanekstevemar__: i21:34
dstanek'21:34
*** catintheroof has joined #openstack-keystone21:34
dstanekgrrr...21:34
dstanekstevemar__: i'm taking over https://review.openstack.org/#/c/276474/5 - any disagreement with my comments? that's in my queue of stuff21:35
*** spzala has quit IRC21:35
stevemar__dstanek: no disagreements from me21:35
dstanekcoolio21:35
*** spzala has joined #openstack-keystone21:36
*** spzala has quit IRC21:36
*** spzala has joined #openstack-keystone21:36
*** spzala has quit IRC21:37
*** spzala has joined #openstack-keystone21:37
*** spzala has quit IRC21:37
*** spzala has joined #openstack-keystone21:38
*** spzala has quit IRC21:38
*** spzala has joined #openstack-keystone21:38
*** spzala has quit IRC21:38
*** catintheroof has quit IRC21:38
*** spzala has joined #openstack-keystone21:39
*** spzala has quit IRC21:39
*** spzala has joined #openstack-keystone21:40
*** spzala has quit IRC21:40
*** spzala has joined #openstack-keystone21:40
*** spzala has quit IRC21:40
*** spzala has joined #openstack-keystone21:41
*** spzala has quit IRC21:41
*** code-R has quit IRC21:42
*** spzala has joined #openstack-keystone21:42
*** spzala has quit IRC21:42
*** spzala has joined #openstack-keystone21:42
*** spzala has quit IRC21:43
*** spzala has joined #openstack-keystone21:43
*** spzala has quit IRC21:43
*** spzala has joined #openstack-keystone21:44
*** spzala has quit IRC21:44
*** spzala has joined #openstack-keystone21:45
*** spzala has quit IRC21:45
*** spzala has joined #openstack-keystone21:45
*** spzala has quit IRC21:46
*** spzala has joined #openstack-keystone21:46
*** spzala has quit IRC21:46
*** spzala has joined #openstack-keystone21:47
*** catintheroof has joined #openstack-keystone21:47
*** spzala has quit IRC21:47
*** spzala has joined #openstack-keystone21:48
*** spzala has quit IRC21:48
*** spzala has joined #openstack-keystone21:48
*** spzala has quit IRC21:48
*** spzala has joined #openstack-keystone21:49
*** spzala has quit IRC21:49
*** spzala has joined #openstack-keystone21:50
*** spzala has quit IRC21:50
*** pnavarro has quit IRC21:50
*** spzala has joined #openstack-keystone21:51
*** spzala has quit IRC21:51
*** spzala has joined #openstack-keystone21:51
*** spzala has quit IRC21:51
*** spzala has joined #openstack-keystone21:52
*** spzala has quit IRC21:52
*** spzala has joined #openstack-keystone21:53
*** spzala has quit IRC21:53
*** spzala has joined #openstack-keystone21:54
*** spzala has quit IRC21:54
*** spzala has joined #openstack-keystone21:54
*** spzala has quit IRC21:55
*** spzala has joined #openstack-keystone21:55
*** spzala has quit IRC21:55
*** rodrigods is now known as rodrigods_21:56
*** spzala has joined #openstack-keystone21:56
*** spzala has quit IRC21:56
*** spzala has joined #openstack-keystone21:57
*** spzala has quit IRC21:57
*** spzala has joined #openstack-keystone21:57
*** spzala has quit IRC21:57
*** spzala has joined #openstack-keystone21:58
*** spzala has quit IRC21:58
*** spzala has joined #openstack-keystone21:59
*** spzala has quit IRC21:59
*** spzala has joined #openstack-keystone21:59
*** masuberu has joined #openstack-keystone22:00
*** spzala has quit IRC22:00
openstackgerritMerged openstack/oslo.policy: Improved performance of parse_file_contents() method  https://review.openstack.org/40435722:00
*** spzala has joined #openstack-keystone22:00
*** spzala has quit IRC22:00
*** spzala has joined #openstack-keystone22:01
*** spzala has quit IRC22:01
*** spzala has joined #openstack-keystone22:02
*** spzala has quit IRC22:02
*** code-R has joined #openstack-keystone22:02
*** spzala has joined #openstack-keystone22:03
*** spzala has quit IRC22:03
*** masber has quit IRC22:03
*** spzala has joined #openstack-keystone22:03
*** spzala has quit IRC22:03
*** spzala has joined #openstack-keystone22:04
*** spzala has quit IRC22:04
*** topol has joined #openstack-keystone22:04
*** ChanServ sets mode: +v topol22:04
*** spzala has joined #openstack-keystone22:05
*** spzala has quit IRC22:05
*** masuberu has quit IRC22:05
*** spzala has joined #openstack-keystone22:05
*** spzala has quit IRC22:06
*** chris_hultin is now known as chris_hultin|AWA22:06
*** spzala has joined #openstack-keystone22:06
*** spzala has quit IRC22:06
*** spzala has joined #openstack-keystone22:07
*** spzala has quit IRC22:07
*** spzala has joined #openstack-keystone22:08
*** spzala has quit IRC22:08
*** masuberu has joined #openstack-keystone22:08
*** jrist has quit IRC22:08
*** spzala has joined #openstack-keystone22:08
*** spzala has quit IRC22:09
*** spzala has joined #openstack-keystone22:09
*** spzala has quit IRC22:09
*** spzala has joined #openstack-keystone22:10
*** spzala has quit IRC22:10
*** JoeStack has quit IRC22:10
*** spzala has joined #openstack-keystone22:11
*** spzala has quit IRC22:11
*** code-R has quit IRC22:11
*** spzala has joined #openstack-keystone22:11
*** spzala has quit IRC22:12
*** chlong has quit IRC22:12
*** spzala has joined #openstack-keystone22:12
*** spzala has quit IRC22:12
*** spzala has joined #openstack-keystone22:13
*** spzala has quit IRC22:13
*** spzala has joined #openstack-keystone22:14
*** spzala has quit IRC22:14
stevemar__dstanek: oh22:14
*** spzala has joined #openstack-keystone22:14
stevemar__dstanek: lbragstad: someone: https://review.openstack.org/#/c/390948/22:15
openstackgerritMerged openstack/keystone: Removed unused EXTENSION_TO_ADD test declarations  https://review.openstack.org/40435022:22
lbragstadstevemar__ reviewing22:24
lbragstadmorgan mordred i reviewed the task manager stuff - code wise i think it's good to go... just had a couple outstanding questions22:25
morganOK looking22:25
lbragstadmorgan it's failing on a pep8 issue22:26
lbragstadstevemar__ are we expecting to backport https://review.openstack.org/#/c/390948/7 to mitaka?22:27
stevemar__lbragstad: no, i do not believe it is critical enough for n-1 release, let alone n-222:27
morganlbragstad: replied22:27
morgani can fix the pep822:28
morganlbragstad: the other comment is basically "yep there are two ways" and submit_task is more correct22:28
morganbut ... changing this interface even down the line is going to be undesirable unless we make shade/nodepool monkey patch this in each time22:28
morgandeprecation warning could exist... if needed22:29
morganlbragstad:  in short, if the difference is a +2 with a dep warning, i'll add it22:29
morganif +2 will occur in either case, i'd rather not22:29
lbragstadmorgan certainly not a hard stop - but something we can do in a follow on commit22:30
morganokie fixing pep8 now then22:31
morganwill see about deprecation warning in followup22:31
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Import TaskManager from shade/nodepool  https://review.openstack.org/36247322:31
lbragstadmorgan does TaskManager have developer docs?22:31
lbragstadmorgan because it can be used through the keystoneauth library, can't it?22:32
morganlbragstad: that is something i need to get mordred to help with22:32
mordredI didn't do it22:32
mordredwhat?22:32
* mordred hides22:32
morganno docs yet22:32
morgantaskmanager22:32
lbragstadmorgan your 'i didn't do it' reaction time is on point22:32
morganthat is definitely a followup as is the larger functional tests22:32
lbragstader ... mordred ^22:32
morganmor<tab> fail ;)22:32
lbragstadit's happened like 3 times today22:33
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Use TaskManager for all request interactions  https://review.openstack.org/36247422:33
mordredhehe22:33
lbragstadmorgan how about a wishlist bug to add docs for taskmanager?22:33
morgansure. i need to run and food22:33
lbragstadthat way we don't lose it22:33
morganmind opening it for me?22:34
lbragstadmorgan sure22:34
morganand go ahead and assign it to mor<tab> :P22:34
lbragstadlol - it will default to one of you so that'd be fine!22:34
morganthe plan is to get this in so we can clean up shade quickly22:35
morganlbragstad: but the code is documentation /s :P22:35
lbragstadpsh - mmmhm...22:36
lbragstadi've tried that before22:36
morganok i need to food and make some phone calls.22:36
morganbbiab22:37
openstackgerritAndrey Grebennikov proposed openstack/keystone: Allow to specify ID on project creation  https://review.openstack.org/40386622:41
openstackgerritAndrey Grebennikov proposed openstack/keystone: Allow to specify ID on project creation  https://review.openstack.org/40386622:45
openstackgerritMerged openstack/python-keystoneclient: Pass allow_expired to token validate  https://review.openstack.org/38209923:02
openstackgerritAndrey Grebennikov proposed openstack/keystone: Allow to specify ID on project creation  https://review.openstack.org/40386623:08
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use  https://review.openstack.org/40391623:31
jamielennoxmorgan: so why isn't task_manager basically a decorator/wrapper?23:44
jamielennoxmorgan: like ksa would give you the function it was going to call and you basically do a contextmanager around it23:45
jamielennoxmordred: ^23:46
lbragstadjamielennox that'd be interesting23:46
jamielennoxlbragstad: i want to support the use case, and shade is a huge user - but i'm not sure the pattern makes sense for general purpose23:47
jamielennoxlike i cannot get around the fact that you get a client object passed to you - why? why not wrap that as a partial beforehand and make the thing generic23:48
lbragstadjamielennox yeah - that kinda confused me a bit23:48
lbragstadseeing client passed as self23:48
lbragstadjamielennox so - what would be wrapped?23:49
jamielennoxi'm not sure yet, but i'm trying to use external rate limiting as a use case and go from there23:51
jamielennoxand keep shade's case in mind23:51
jamielennoxlike eg i don't think we should handle except keystoneauth1.exceptions.RetriableConnectionFailure: if every request goes through the task manager23:51
lbragstadshade's case is that they just want to string together events, right?23:51
jamielennoxanyone handling that outside would be really confused23:52
jamielennoxi think it wants to multi thread and wait for a couple of requests23:52
lbragstadjamielennox so - like an example?23:52
mordredwe want to serialize access from multiple threads and handle rate-limiting at the client side23:52
mordredso we have 1000 threads all trying to launch servers23:52
mordredbut we know the cloud falls over at more than 50 requests per second23:53
jamielennoxso it's kind of a cheap async()?23:53
mordredwell, it's an async that uses threads so it's possible to debug :)23:53
lbragstadso - TaskManager mitigates that by allowing you to specify the frequency of requests?23:53
mordredyah23:53
mordredit's how nodepool works, which means shade needs to support the construct - pushing support down into ksa is mostly a "other power users might want something similar"23:54
jamielennoxso the value coming back from session.get is a threading.event or something?23:54
mordrednah - we don't actually talk to a given cloud with more than one execution thread at a time23:55
jamielennoxmordred: why not just wrap requests.Session and pass that in?23:55
mordredthat's what we're currently doing23:55
mordredthis is not needed on our side23:55
mordredit's possible to do wrappers23:55
mordredbut it's one of those "we're higher volume api consumers than just about anyone else, trying to share the love" kind of things23:56
jamielennoxyea, i'm happy to incorporate it, it's just the framework doesn't feel right at this level23:57
jamielennoxlike why are we having to call generate_request_class23:57
jamielennoxthe basic non-shade case seems weird23:57
