Friday, 2016-12-16

*** tqtran has quit IRC00:01
*** harlowja has quit IRC00:06
*** ayoung has quit IRC00:08
*** stingaci has quit IRC00:25
*** harlowja has joined #openstack-keystone00:34
*** raildo_ has quit IRC00:35
openstackgerritayoung proposed openstack/keystone: API based RBAC Management Interface  https://review.openstack.org/40180800:43
*** ayoung has joined #openstack-keystone00:53
*** ChanServ sets mode: +v ayoung00:53
*** jamielennox is now known as jamielennox|away00:57
*** jamielennox|away is now known as jamielennox01:01
*** Zer0Byte__ has quit IRC01:05
*** asettle has joined #openstack-keystone01:08
*** asettle has quit IRC01:13
*** markvoelker has joined #openstack-keystone01:14
*** zhangqiankun has joined #openstack-keystone01:16
jamielennoxlbragstad: or whomever, https://review.openstack.org/#/c/406647/ needs to go into a release soon01:18
*** markvoelker has quit IRC01:19
*** liujiong has joined #openstack-keystone01:21
*** zhangjl has joined #openstack-keystone01:25
*** harlowja has quit IRC01:25
*** zhangqiankun has quit IRC01:33
stevemarjamielennox: do we not have any fixtures for tokens in keystone server side ?01:33
stevemarnvm, i think we're good01:35
openstackgerritMerged openstack/keystoneauth: Remove discover from test-requirements  https://review.openstack.org/41115301:37
*** guoshan has joined #openstack-keystone01:40
*** jamielennox is now known as jamielennox|away01:41
*** mvk has quit IRC01:46
*** jamielennox|away is now known as jamielennox01:47
openstackgerritSteve Martinelli proposed openstack/keystone: expose v3policy failure with is_admin_token  https://review.openstack.org/41156201:54
openstackgerritSteve Martinelli proposed openstack/keystone: modify cloud_admin rule so it loads properly  https://review.openstack.org/41156301:54
openstackgerritSteve Martinelli proposed openstack/keystone: expose v3policy failure with is_admin_token  https://review.openstack.org/41156201:55
openstackgerritSteve Martinelli proposed openstack/keystone: modify cloud_admin rule so it loads properly  https://review.openstack.org/41156301:56
stevemarjamielennox: if you want to have a chuckle ^01:56
jamielennoxstevemar: oh yea, at one point heat copied that from us and i had to fix it02:00
jamielennoxstevemar: so that actually works if the token is a v3 token02:00
jamielennoxbecause we dump the whole token into the credential dict02:01
jamielennoxwhich is dumb02:01
stevemarjamielennox: yeah i just want the damn samples we provide to work02:01
stevemarya know, load02:02
jamielennoxdid we add is_admin_project to our policy?02:02
jamielennoxi think i did02:02
jamielennoxbut i had a whole plan of standardizing around oslo.context which got held up by the views stuff02:02
stevemarjamielennox: we sure did02:05
stevemarjamielennox: to the "standard" one02:05
stevemaroh wait... we didn't02:05
stevemarsome other projects did02:05
stevemarjamielennox: http://codesearch.openstack.org/?q=is_admin_project&i=nope&files=.*json&repos=02:07
stevemarcinder, heat, searchlight02:07
stevemarbut for some reason *we* couldn't get it right02:07
jamielennoxlol02:07
jamielennoxi know ayoung went around and did a few02:07
*** asettle has joined #openstack-keystone02:09
stevemari'm quite grumbly about it02:13
*** asettle has quit IRC02:13
jamielennoxour policy/context stuff is worse than almost every project because we thought we were different02:14
stevemarjamielennox: i'd agree with that02:27
samueldmqfor https://review.openstack.org/#/c/406647/02:28
samueldmqgerrit ui says to me02:28
samueldmqUpdated in the future02:28
*** markvoelker has joined #openstack-keystone02:31
*** markvoelker has quit IRC02:36
stevemarjamielennox: can you review https://review.openstack.org/#/c/408908/02:41
jamielennoxstevemar: i never particularly cared about that, but ok02:43
stevemarsamueldmq: gerrit is a time traveler02:44
samueldmqstevemar: hehe yep. So we technically approved that patch before jamielennox posted to review ;)02:47
*** zhangqiankun has joined #openstack-keystone02:51
*** zhangqiankun has quit IRC02:53
*** zhangqiankun has joined #openstack-keystone02:53
*** lastops has joined #openstack-keystone02:54
openstackgerrityunfeng zhou proposed openstack/keystone: Replace logging with oslo_log.  https://review.openstack.org/41160002:57
openstackgerrityunfeng zhou proposed openstack/keystone: Replace logging with oslo_log.  https://review.openstack.org/41160002:58
*** zhiyan has quit IRC03:02
openstackgerritRon De Rose proposed openstack/keystone: expose v3policy failure with is_admin_token  https://review.openstack.org/41156203:04
openstackgerritRon De Rose proposed openstack/keystone: expose v3policy failure with is_admin_token  https://review.openstack.org/41156203:07
*** ngupta has joined #openstack-keystone03:09
*** ngupta has quit IRC03:09
*** ngupta has joined #openstack-keystone03:09
*** asettle has joined #openstack-keystone03:10
stevemarlbragstad: o/03:10
openstackgerritSteve Martinelli proposed openstack/keystone: Replace logging with oslo_log.  https://review.openstack.org/41160003:10
stevemarrderose: you can just punt the change through, it was a minor change03:11
openstackgerritSteve Martinelli proposed openstack/keystone: modify cloud_admin rule so it loads properly  https://review.openstack.org/41156303:11
rderosestevemar: ah, okay03:12
stevemarrderose: i won't de-core you for that03:12
stevemar:P03:12
stevemarjust explain why in the message03:12
stevemarrderose: there is a follow-on change to fix the bug :)03:12
rderosestevemar: haha03:12
rderosestevemar: cool03:13
*** asettle has quit IRC03:14
openstackgerritMerged openstack/keystoneauth: Don't issue deprecation warning when nesting adapters  https://review.openstack.org/40664703:24
*** tqtran has joined #openstack-keystone03:33
*** tqtran has quit IRC03:40
stevemarjamielennox: propose a release?03:47
jamielennoxauth_token?03:47
stevemarjamielennox: no, keystoneauth, i thought you wanted one after ^ merges?03:54
stevemarrderose / samueldmq / lbragstad last call for https://review.openstack.org/#/c/411392/ before spec freeze ;)03:54
stevemarjamielennox: also, what's up with https://bugs.launchpad.net/neutron/+bug/1602081 ?03:57
openstackLaunchpad bug 1602081 in OpenStack Identity (keystone) "Use oslo.context's policy dict" [High,In progress] - Assigned to Jamie Lennox (jamielennox)03:57
stevemari think i asked you before? sorry i don't remember03:57
jamielennoxumm, it all got held up because of the crappy way we do context in keystone04:00
jamielennoxthe next step involved a lot of controller refactor and led to views04:00
jamielennoxthere's probably an easier way, though views is the right one04:00
stevemarjamielennox: you managed to fix it in all the other spots :P04:03
*** catintheroof has quit IRC04:06
*** catintheroof has joined #openstack-keystone04:06
*** catintheroof has quit IRC04:06
*** asettle has joined #openstack-keystone04:10
openstackgerritMerged openstack/keystoneauth: Replace six.iteritems() with .items()  https://review.openstack.org/40890804:11
*** guoshan has quit IRC04:12
*** asettle has quit IRC04:15
*** dave-mccowan has quit IRC04:26
*** mvk has joined #openstack-keystone04:34
*** ngupta has quit IRC04:34
*** nicolasbock has quit IRC04:34
*** edmondsw has joined #openstack-keystone04:37
*** edmondsw has quit IRC04:42
*** bjolo_ has joined #openstack-keystone04:42
*** GB21 has joined #openstack-keystone04:47
openstackgerritMerged openstack/keystone: Add doctor checks for ldap symptoms  https://review.openstack.org/40929204:47
stevemari just had a flashback of this time last year when someone a bunch of openstack channels with SW the force awakens spoilers04:49
stevemarhope it doesn't happen again :(04:49
*** udesale has joined #openstack-keystone04:51
*** g2 has quit IRC04:54
*** BrAsS_mOnKeY has joined #openstack-keystone04:54
openstackgerritMerged openstack/keystone-specs: Versioned federation mappings  https://review.openstack.org/41139204:55
stevemarjamielennox: if you see henry can you get him to review https://review.openstack.org/#/c/411563/304:58
*** GB21 has quit IRC04:59
*** BrAsS_mOnKeY is now known as g205:01
*** asettle has joined #openstack-keystone05:11
*** guoshan has joined #openstack-keystone05:13
*** asettle has quit IRC05:15
*** guoshan has quit IRC05:18
morganstevemar: oh hai05:21
*** links has joined #openstack-keystone05:21
openstackgerritMerged openstack/keystone: expose v3policy failure with is_admin_token  https://review.openstack.org/41156205:26
*** tqtran has joined #openstack-keystone05:37
*** GB21 has joined #openstack-keystone05:38
*** ngupta has joined #openstack-keystone05:42
*** tqtran has quit IRC05:42
*** jaosorior has joined #openstack-keystone06:02
*** sorrison has quit IRC06:04
*** dikonoor has joined #openstack-keystone06:12
*** rcernin has quit IRC06:13
*** guoshan has joined #openstack-keystone06:14
*** guoshan has quit IRC06:18
*** guoshan has joined #openstack-keystone06:19
*** ngupta has quit IRC06:27
*** ngupta has joined #openstack-keystone06:27
*** ngupta has quit IRC06:31
*** rcernin has joined #openstack-keystone06:37
*** richm has quit IRC06:41
*** rcernin has quit IRC06:43
*** rcernin has joined #openstack-keystone06:54
*** asettle has joined #openstack-keystone07:12
*** asettle has quit IRC07:17
*** adriant has quit IRC07:20
*** mvk has quit IRC07:22
*** mvk has joined #openstack-keystone07:31
*** tobberydberg has joined #openstack-keystone07:35
*** tqtran has joined #openstack-keystone07:39
*** tqtran has quit IRC07:43
openstackgerritpangliye proposed openstack/keystone: Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)  https://review.openstack.org/41167907:45
*** GB21 has quit IRC07:51
*** pcaruana has joined #openstack-keystone07:56
*** tesseract has joined #openstack-keystone07:57
*** tesseract is now known as Guest3130407:58
*** bjolo_ has quit IRC08:01
*** jamielennox is now known as jamielennox|away08:07
*** zhugaoxiao has quit IRC08:09
*** zhugaoxiao has joined #openstack-keystone08:10
openstackgerrityunfeng zhou proposed openstack/keystone: replace assertTrue with assertIs  https://review.openstack.org/41168908:11
*** jamielennox|away is now known as jamielennox08:14
openstackgerrityunfeng zhou proposed openstack/keystone: replace assertTrue with assertIs.  https://review.openstack.org/41168908:15
*** GB21 has joined #openstack-keystone08:19
*** amoralej|off is now known as amoralej08:31
*** jaosorior has quit IRC08:32
*** jaosorior has joined #openstack-keystone08:33
*** asettle has joined #openstack-keystone08:34
*** guoshan has quit IRC08:34
*** guoshan has joined #openstack-keystone08:35
*** asettle has quit IRC08:39
*** hogepodge has quit IRC08:42
*** udesale has quit IRC08:44
*** hogepodge has joined #openstack-keystone08:44
*** dikonoor has quit IRC08:46
*** med_ has quit IRC08:53
*** jaosorior has quit IRC08:55
*** med_ has joined #openstack-keystone08:57
*** med_ is now known as Guest6771708:57
*** zzzeek has quit IRC09:00
*** udesale has joined #openstack-keystone09:00
*** pooja_j has joined #openstack-keystone09:00
*** zzzeek has joined #openstack-keystone09:02
*** itisha has joined #openstack-keystone09:17
*** GB21 has quit IRC09:24
*** ngupta has joined #openstack-keystone09:30
*** aloga has quit IRC09:31
*** aloga has joined #openstack-keystone09:32
*** trananhkma has quit IRC09:32
*** asettle has joined #openstack-keystone09:33
*** ngupta has quit IRC09:34
*** GB21 has joined #openstack-keystone09:35
*** tqtran has joined #openstack-keystone09:41
*** tqtran has quit IRC09:45
*** jamielennox is now known as jamielennox|away09:48
*** jamielennox|away is now known as jamielennox09:55
*** mvk has quit IRC09:56
*** edmondsw has joined #openstack-keystone10:01
*** edmondsw has quit IRC10:06
*** mvk has joined #openstack-keystone10:09
*** openstackgerrit has quit IRC10:18
*** tobberydberg has quit IRC10:27
*** ngupta has joined #openstack-keystone10:31
*** liujiong has quit IRC10:33
*** guoshan has quit IRC10:33
*** zhangjl has left #openstack-keystone10:34
*** ngupta has quit IRC10:35
*** GB21 has quit IRC10:52
*** GB21 has joined #openstack-keystone10:54
*** guoshan has joined #openstack-keystone11:01
*** richm has joined #openstack-keystone11:09
*** guoshan has quit IRC11:11
*** dgonzalez has quit IRC11:22
*** guoshan has joined #openstack-keystone11:23
*** dgonzalez has joined #openstack-keystone11:24
*** jaosorior has joined #openstack-keystone11:38
*** tobberydberg has joined #openstack-keystone11:44
*** guoshan has quit IRC11:46
*** nicolasbock has joined #openstack-keystone11:46
*** GB21 has quit IRC11:50
*** guoshan has joined #openstack-keystone11:59
*** edmondsw has joined #openstack-keystone12:09
*** openstackgerrit has joined #openstack-keystone12:10
openstackgerritSteve Martinelli proposed openstack/keystone: Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)  https://review.openstack.org/41167912:10
stevemarmorgan: heyo12:22
morganstevemar: zzzzzzzzzzzz12:23
stevemarmorgan: you better be sleepin!12:23
stevemarmorning to the east coasters o/12:24
stevemarafternoon to the euros o/12:24
morganstevemar: been packing12:24
stevemarevening to the apac folks o/12:24
morganmoving today12:24
stevemarmorgan: good luck12:24
stevemarmorgan: driving up a uhaul?12:24
morgannope12:25
morganhired movers12:25
morganthey're showing up in ~4hrs12:25
morgantrying to sleep a little.12:25
morganbut... a little stressed :PO12:25
stevemarmorgan: sleeping is definitely encouraged :)12:25
*** edmondsw has quit IRC12:30
*** edmondsw has joined #openstack-keystone12:30
*** ngupta has joined #openstack-keystone12:32
*** dave-mccowan has joined #openstack-keystone12:33
*** catintheroof has joined #openstack-keystone12:34
*** dikonoor has joined #openstack-keystone12:34
*** edmondsw has quit IRC12:35
*** ngupta has quit IRC12:36
*** links has quit IRC12:42
*** edmondsw has joined #openstack-keystone12:43
*** markvoelker has joined #openstack-keystone12:45
*** dikonoor has quit IRC12:45
*** edmondsw has quit IRC13:30
*** edmondsw has joined #openstack-keystone13:31
*** edmondsw has quit IRC13:35
*** edmondsw has joined #openstack-keystone13:38
*** amoralej is now known as amoralej|lunch13:47
*** ngupta has joined #openstack-keystone13:55
*** edmondsw has quit IRC13:59
*** edmondsw has joined #openstack-keystone13:59
*** chlong has quit IRC14:00
*** guoshan has quit IRC14:01
*** edmondsw has quit IRC14:04
*** edmondsw has joined #openstack-keystone14:06
*** dave-mccowan has quit IRC14:14
*** edmondsw has quit IRC14:15
*** edmondsw has joined #openstack-keystone14:15
*** GB21 has joined #openstack-keystone14:16
*** edmondsw has quit IRC14:19
*** mrsoul has quit IRC14:22
*** Dinesh_Bhor has quit IRC14:32
rderoserodrigods: around?14:35
*** amoralej|lunch is now known as amoralej14:36
*** ngupta has quit IRC14:38
*** edmondsw has joined #openstack-keystone14:39
*** ngupta has joined #openstack-keystone14:39
*** edmondsw has quit IRC14:42
*** edmondsw has joined #openstack-keystone14:43
stevemarquiet day today :O14:45
rderosetell me about it :)14:48
*** dave-mccowan has joined #openstack-keystone14:52
rodrigodsrderose, yep14:57
rodrigodsi mean, i am now :)14:57
rderose:)14:57
rderosecool14:57
rderoserodrigods: can you point me to what you want me to do on this one: https://review.openstack.org/#/c/399157/14:57
rderoserodrigods: also, can you push this one through: https://review.openstack.org/#/c/409946/14:58
rderoserodrigods: only made a change to the commit msg on that one14:58
rodrigodsrderose, the docs one is the thing about documenting the return code when trying to update the domain_id14:59
rderoserodrigods: ah, okay14:59
rderoserodrigods: thanks!15:00
rodrigodsnp :)15:01
*** itisha has quit IRC15:02
openstackgerritColleen Murphy proposed openstack/keystone: Add anonymous bind to get_connection method  https://review.openstack.org/40756115:02
rodrigodsstevemar, around? how far did you get when playing with devstack's ldap plugin?15:03
*** GB21 has quit IRC15:05
*** Dave has quit IRC15:09
*** Dave has joined #openstack-keystone15:12
*** jaosorior has quit IRC15:15
stevemarrodrigods: 0 progress!15:15
*** edmondsw has quit IRC15:15
*** edmondsw has joined #openstack-keystone15:16
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915715:16
stevemarcrinkle: o/15:18
stevemarcrinkle: is your patch to fix the issue you pointed out in the one by kam?15:18
crinklestevemar: yes15:20
*** edmondsw has quit IRC15:21
openstackgerritRon De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/39968415:21
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915715:21
*** chlong has joined #openstack-keystone15:21
stevemarcrinkle: cool, i'll get eyes on it then15:21
crinklethanks stevemar15:22
stevemarrderose: what happened to https://review.openstack.org/#/c/399684/ ? patch 28 had a bunch of stuff, patch 29 only has migrations?15:22
rderosestevemar: what the @!#$!@#$%!#@!15:22
rderosestevemar: I just rebased the doc patch and not sure what I did15:23
stevemarrderose: want me to fix?15:23
rderosestevemar: sure!15:23
openstackgerritSteve Martinelli proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/39968415:26
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - Set the domain for federated users  https://review.openstack.org/40833215:26
openstackgerritSteve Martinelli proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915715:26
rderosestevemar: whew, thanks15:26
stevemarrderose: np, happens15:26
rderose:)15:26
*** dave-mccowan has quit IRC15:27
*** tobberyd_ has joined #openstack-keystone15:27
*** tobberydberg has quit IRC15:31
*** tobberyd_ has quit IRC15:32
lbragstadstevemar o/15:33
stevemarlbragstad: howdy15:33
lbragstadstevemar you rang earlier?15:34
stevemarrderose: delete your old branches and download the new ones with `git review -d <patch no>`15:34
stevemarlbragstad: i did?15:34
stevemarpffft15:34
stevemarno idea why15:34
lbragstadstevemar hm - ok cool15:34
lbragstadstevemar that was easy15:34
*** GB21 has joined #openstack-keystone15:34
lbragstadstevemar i'm trying to PTO today - but i didn't make it very far15:34
stevemarlbragstad: just close the laptop and walk away15:35
rderosestevemar: okay15:35
stevemarocata-2 is closed up and released! https://launchpad.net/keystone/+milestone/ocata-2 and https://releases.openstack.org/ocata/#ocata-keystone15:35
*** edmondsw has joined #openstack-keystone15:37
*** dave-mccowan has joined #openstack-keystone15:40
rderosestevemar: ++15:44
openstackgerritMerged openstack/keystone: Use assertGreater(len(x), y) instead of assertTrue(len(x) > y)  https://review.openstack.org/41167915:44
*** tqtran has joined #openstack-keystone15:45
stevemarrderose: reviewing your patch now15:46
stevemarcrinkle: you're up next15:46
rderosestevemar: sweet!!15:46
stevemarthen spilla's and gagehugo's15:46
stevemarrderose: shouldn't the stuff in the contract happen in migrate?15:48
rderosestevemar: yes, if we want to do triggers15:48
rderosestevemar: otherwise, it has to go in contract because that is when all of the new code has been deployed15:48
rderosestevemar: because you are not likely to have a lot of idps, I think it is okay to do in contract as it's not going to cause any kind of locking issues15:49
*** tqtran has quit IRC15:50
stevemarrderose: we could do it in data_migration without triggers, but in case someone creates an idp while some nodes are upgraded ... then it'll fail cause no domain id?15:52
stevemarare not upgraded*15:52
stevemarso either we fail during migrate at the code level, or fail at contract due to race condition15:52
rderosestevemar: yes, during data migration, you have old code and new code, so it's possible for someone to create an idp without a domain (old code)15:53
stevemari think the odds of someone creating an IdP during an upgrade are super slim, since it's normally the same admin that upgrades and creates and idp15:53
stevemaran*15:53
rderosestevemar: I don't think it will fail in contract phase because only new code and race condition would be really, really slim15:54
stevemari'd prefer to have this in the data_migration since we're moving data around, and we have a bug that will try to restrict certain things from happening in each phase... see https://bugs.launchpad.net/keystone/+bug/161502415:54
openstackLaunchpad bug 1615024 in OpenStack Identity (keystone) "Forbid invalid operations in expand, migrate, and contract repositories" [Medium,In progress] - Assigned to Henry Nash (henry-nash)15:54
rderosestevemar: we'd only be updating a handful of records, so it would happen very quickly15:54
stevemarwe could of course make an exception for this migration, but i'd prefer not to :)15:55
stevemardolphm: ^15:55
dolphmi'm on vacation15:56
rderosestevemar: but we do allow exceptions: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_sql_banned_operations.py#L27115:56
dolphmrderose: data migrations absolutely cannot happen in any phase other than migrate, and you need triggers, period.15:57
dolphmany other way, the migration process is not safe.15:57
dolphmrderose: and no, we don't allow exceptions15:57
rderosestevemar: again, the problem with doing it in the data migration is without triggers, I can't guarantee that all of the data is migrated15:57
rderosestevemar dolphm: I'll have to think through the complexity of doing this with triggers. The likelihood that it will cause an issue is so small that it doesn't feel justified. Let me give it some thought though.15:59
dolphmas soon as we allow an exception, we've effectively dropped support for zero downtime migrations16:01
*** Guest31304 has quit IRC16:02
SamYapledolphm: make an exception! then you'll match the rest of openstack16:03
* SamYaple grumbles16:03
dolphmSamYaple: ha16:07
*** udesale has quit IRC16:16
*** ravelar has joined #openstack-keystone16:23
*** rcernin has quit IRC16:23
*** pcaruana has quit IRC16:25
mgagneI'm having an issue with token validation. I'm getting "ValueError: too many values to unpack" in Keystone. traceback and logs here: https://gist.github.com/mgagne/019df98f36d34b928215f1543d73859616:28
mgagnecan anyone help me debug the problem?16:28
*** chlong has quit IRC16:29
*** adrian_otto has joined #openstack-keystone16:32
stevemarmgagne: ah16:37
stevemarmgagne: running liberty?16:41
mgagneMitaka (for Keystone)16:41
stevemarmgagne: the latest mitaka?16:42
mgagneso I see that the service validating the token uses auth-version v2.0, the service (Ironic) could be still running liberty, I tried to update the keystonemiddleware, tried switching to 35357 and v316:42
stevemarwe backported a fix for that i thought16:42
mgagnestevemar: yes, latest from like Monday16:42
stevemarmgagne: ah https://github.com/openstack/keystone/commit/f1d9c54ef07c61cb80def5779802cc4daf45f4cb16:42
stevemarwell damn16:42
mgagnerunning 005a1a9a9c16b5d33dc756ef159b88424276361616:42
*** ravelar has quit IRC16:43
mgagneand I also tried disabling cache (in keystone) to make sure it isn't the source of the problem16:43
mgagnecould cache still be used even with enabled = False ?16:43
stevemarmgagne: ah one more thing...16:43
stevemarhttps://bugs.launchpad.net/keystone/+bug/160039416:43
openstackLaunchpad bug 1600394 in OpenStack Identity (keystone) "memcache raising "too many values to unpack"" [Medium,Fix released] - Assigned to Brant Knudson (blk-u)16:43
stevemarmgagne: Another way to fix this is to ensure that keystone is not forked after it's initialized. This can be done in uwsgi by setting lazy-apps=true (see https://review.openstack.org/#/c/357539/10/templates/keystone-uwsgi.ini.j2 )16:44
*** browne has joined #openstack-keystone16:44
mgagneI'm using mod_wsgi and afaik, cache has been disabled to remove this variable from the equation16:44
mgagnealso the unpack exception is not in the memcache lib but in the fernet formatter disassemble function16:45
mgagneI tried to dump the payload and found the unpacked value isn't a tuple/list as expected but a single string16:45
andrewbogottI wrote to openstack@ about this already but… can I get advice about security concerns with opening up the keystone admin API?  I want my users to be able to enumerate projects (which requires the admin endpoint) but I don't want to accidentally give them rights outside of those set up with roles and policy.json.16:47
stevemarmgagne: you have to file a new bug then16:48
stevemarmgagne: if it's not one of those two fixes then maybe we never fixed it correctly :(16:48
stevemarandrewbogott: i've been meaning to reply to that!16:49
andrewbogottstevemar: I can be patient :)16:49
stevemarandrewbogott: we can chat16:49
stevemarandrewbogott: sounds like you're using v2?16:49
andrewbogottno, v316:49
andrewbogottat least, as far as I know16:49
andrewbogottI have some older services that are still using v216:50
stevemarandrewbogott: yeah, if you modified the policy file, the only way that works is with v316:50
stevemarandrewbogott: but in v3 we don't have a concept of 'admin api' or 'public api', just send everything to :500016:51
andrewbogottoh?16:51
andrewbogottthen I wonder why the client is hitting the admin port at all?16:51
stevemarit was only in v2 that 'admin' requests should be sent to :35357, and 'public' requests go to :500016:51
stevemarif a v3 request comes in at 35357 it's treated the same as if it were on 5000, IIRC...16:52
andrewbogottThis must mean that the openstack cmdline client I'm testing with explicitly loads the v2 client, huh?16:52
andrewbogottAnyway, that implies that there's no real security difference between opening 5000 and 35357, correct?16:53
*** chlong has joined #openstack-keystone16:53
stevemarandrewbogott: for v3, nope16:53
stevemarandrewbogott: yeah, i was going to say it's probably the client either loading v2 or sending requests to the admin "endpoint" by default16:54
andrewbogottwell… you say 'for v3' but when it comes to security I can't exactly control which api version a potential attacker is going to choose :)16:54
stevemar:)16:56
stevemarandrewbogott: i don't think we need to open up 3535716:56
stevemarandrewbogott: check your client tooling to make sure it's using v3 and you should be OK16:56
andrewbogottMy client tooling is… whatever openstack client package comes standard with my distro16:57
andrewbogottbut maybe I can import a newer package, will check16:57
* andrewbogott digs in client code to figure out why it's redirecting17:03
*** ngupta has quit IRC17:03
*** rcernin has joined #openstack-keystone17:04
openstackgerritMerged openstack/keystone: replace assertTrue with assertIs.  https://review.openstack.org/41168917:04
openstackgerritMerged openstack/keystone: Make user to nonlocal_user a 1:1 relationship  https://review.openstack.org/40994617:05
*** adrian_otto has quit IRC17:08
stevemarandrewbogott: you can do a --debug with OSC17:12
stevemarrderose: samueldmq rodrigods please respond to https://review.openstack.org/#/c/409946/817:13
stevemari have no idea why we're creating things in the contract repo all of a sudden17:13
stevemarwe have http://docs.openstack.org/developer/keystone/devref/development_best_practices.html#database-migrations for a reason17:13
rderosestevemar: just posted a comment17:16
stevemarrderose: noted, but it would have been nice to confirm that before merging a migration17:17
stevemari appreciate the tempo and speed of reviews but i don't want to sacrifice quality17:17
rderosestevemar: confirming? I pursued merging because I thought it was a contraction17:17
rderosestevemar: I don't think quality was sacrificed, but... understand17:18
stevemarrderose: in the dev docs, indices are created in the expand17:18
*** ravelar has joined #openstack-keystone17:18
rderosestevemar: not an index, but a uniqueconstraint17:19
stevemaryes i'm aware they are different17:19
rderose:)17:19
stevemarrderose: propose a patch to update the dev docs then17:19
stevemarif something is missing17:20
rderosestevemar: will do17:20
stevemarrderose: i'm touchy about migrations17:20
stevemarthey're the one thing we can't revert17:20
*** tqtran has joined #openstack-keystone17:20
rderosestevemar: yeah, true17:20
rderosestevemar: understand17:20
stevemari'd rather we 2x, 3x check those <rant over>17:21
rderosestevemar: understand your concern, but that migration is 2 LOC and it wasn't rushed <ron's rant over>17:27
*** lamt has joined #openstack-keystone17:34
*** ayoung has quit IRC17:35
openstackgerritRon De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/39968417:36
andrewbogottstevemar: even the very latest git version of python-keystoneclient has default interface='admin' for HTTPClient17:37
andrewbogottso that makes me think that I'm going to be hitting this issue all over the place17:37
rodrigodsstevemar, rderose migrations are tricky, but i think they were done correctly17:37
rodrigodsstevemar, next time will wait for you to take a look before approving17:38
rodrigodsi mean... for changes like that17:38
*** adrian_otto has joined #openstack-keystone17:38
*** Zer0Byte__ has joined #openstack-keystone17:44
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915717:50
*** ngupta has joined #openstack-keystone17:53
*** lamt has quit IRC18:00
*** asettle has quit IRC18:01
*** asettle has joined #openstack-keystone18:01
*** zhugaoxiao has quit IRC18:02
*** zhugaoxiao has joined #openstack-keystone18:03
*** asettle has quit IRC18:06
*** ngupta has quit IRC18:11
*** ngupta has joined #openstack-keystone18:11
*** ngupta has quit IRC18:13
*** ngupta has joined #openstack-keystone18:13
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915718:14
stevemarandrewbogott: using OSC there is an option you can specify to use the public one18:14
stevemarandrewbogott: we changed the name, it's either interface or endpoint-type18:14
stevemarcheck the help18:14
andrewbogottstevemar: the httpclient initializer has args like this:  service_type='identity', endpoint_type='admin',18:16
stevemarandrewbogott: endpoint_type is the one you want18:16
andrewbogottum, sorry, mispasted, one second...18:16
andrewbogottok, digging more...18:17
stevemarandrewbogott: but if you manage to specify that at the client level, your problem should be solved18:17
stevemarmay involve some diggin'18:17
*** GB21 has quit IRC18:18
andrewbogottstevemar: but there's no scenario where that will work with the openstack commandline client, right?18:18
openstackgerritRon De Rose proposed openstack/keystone: WIP - Set the domain for federated users  https://review.openstack.org/40833218:19
andrewbogottstevemar: Is the subtext here that with v2 the admin endpoint is indeed dangerous to expose?18:19
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use  https://review.openstack.org/40391618:27
*** ravelar has quit IRC18:28
*** adrian_otto has quit IRC18:30
*** asettle has joined #openstack-keystone18:31
*** asettle has quit IRC18:32
*** ravelar has joined #openstack-keystone18:36
stevemarandrewbogott: with OSC you should be able to set it with ``--os-interface public``18:42
stevemarshould be able to just append that to the command18:42
stevemarsorry, i thought i said that more clearly earlier :)18:43
andrewbogottstevemar: unrecognized arguments: --os-interface public18:44
andrewbogottbut maybe I'm back to needing a newer version18:44
*** haplo37_ has quit IRC18:44
andrewbogottyeah, ok, here's a version that works18:45
andrewbogottso this is promising, thanks18:45
stevemarandrewbogott: np, if you end up figuring it out please let me know, i'll reply to the ML in case someone else has the same question18:45
andrewbogott'k18:45
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915718:48
*** itisha has joined #openstack-keystone18:52
*** ravelar has quit IRC18:53
*** haplo37_ has joined #openstack-keystone18:54
andrewbogottwell… now I'm trapped in dependency hell :(  upgrading that package is going to take all day19:05
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915719:06
stevemarandrewbogott: spin up a virtualenv19:07
andrewbogottwe're a .deb only shop.19:07
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915719:08
stevemarandrewbogott: figured a quick virtualenv to verify it's correct would do the trick :)19:09
andrewbogotttrue19:09
andrewbogottI guess I can verify that this works on trusty before diving in to getting it installed on a jessie box19:10
stevemarvirtualenv test_interface; source test_interface/bin/activate; pip install --upgrade python-openstackclient; openstack blahhh; deactivate; rm -rf test_interface19:10
stevemaryeah, i hate it when an operator has to upgrade client libs just to validate something19:10
stevemarit's silly19:10
*** phalmos has joined #openstack-keystone19:11
openstackgerritMerged openstack/keystone: Replace logging with oslo_log.  https://review.openstack.org/41160019:15
stevemargagehugo: o/19:17
andrewbogottstevemar: with 1.7.0 it works!  So once I get the dozen or so packages I need for jessie and add OS_INTERFACE=public  I'll be in business.19:21
andrewbogottWant me to follow up on the ml or do you have more to add there?19:21
stevemarandrewbogott: you can follow up, and i'll fill in any holes (if any)19:22
andrewbogottok.  Thanks!19:22
stevemarandrewbogott: glad to hear it worked!19:22
stevemarandrewbogott: btw, openstack CLI is now at 3.5.0 so there's A LOT of new stuff19:22
stevemarandrewbogott: all sorts of networking, volume and compute commands19:23
andrewbogottyeah, the packagers should maybe start including latest-release versions of the client as patches to the older version archives19:23
*** phalmos has quit IRC19:25
stevemarrderose: did you see SW yet? aren't you the big fan?19:25
stevemarandrewbogott: yeah, unfortunately we release a lot more often than the distros :(19:26
stevemarah well19:26
rderosestevemar: huge fan19:27
andrewbogottstevemar: in theory canonical and mirantis maintain per-version release repos.  Those only include e.g. the liberty client with the liberty packages though, even though the n or o clients will work fine with the older services.19:27
rderosestevemar: tomorrow :)19:27
stevemarandrewbogott: i think the latest release of OSC will work with a juno (or maybe kilo) cloud :)19:28
stevemarrderose: it's getting great reviews, i have to avoid social media sites for the next few days19:29
rderosestevemar: yeah, I'm excited19:30
rderosestevemar: i turned off social media weeks ago :)19:30
*** asettle has joined #openstack-keystone19:33
*** asettle has quit IRC19:36
*** asettle has joined #openstack-keystone19:36
*** lamt has joined #openstack-keystone19:37
*** asettle has quit IRC19:39
*** mbeierl has joined #openstack-keystone19:41
openstackgerritSteve Martinelli proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675219:42
openstackgerritSteve Martinelli proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675219:43
mbeierlI am having a hard time getting a heat endpoint reliably across OpenStack distros.  Here is my latest code: http://pastebin.com/dvpeLkht, but I am getting "The service catalog is empty" when looking for the orchestration endpoint.  And, yes it does exist in keystone service-list | grep orchestration19:45
mbeierlAre there any guides on getting service endpoints that can handle both v2 and v3 auth?19:46
*** amoralej is now known as amoralej|off19:48
*** lamt has quit IRC19:48
*** lamt has joined #openstack-keystone19:50
*** navid_ has joined #openstack-keystone19:52
navid_hi, I have a question: is the project id unique throughout the keystone or domain19:53
*** ngupta has quit IRC19:54
*** ngupta has joined #openstack-keystone19:54
*** clenimar has quit IRC19:55
*** ravelar has joined #openstack-keystone19:56
*** ngupta has quit IRC19:59
openstackgerritSteve Martinelli proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675220:00
stevemarnavid_: throughout keystone20:01
navid_thanks @stevemar20:02
*** navid_ has quit IRC20:07
*** ravelar has quit IRC20:14
mgagneI found the issue with unpack value. I restarted the nova-compute service which was poking ironic-api which made token validation request.20:18
mgagneonly thing I found is %3D (=) appended to the token id in the previous request. now there is none.20:21
*** ayoung has joined #openstack-keystone20:29
*** ChanServ sets mode: +v ayoung20:29
*** ravelar has joined #openstack-keystone20:33
*** chlong has quit IRC20:48
*** ravelar has quit IRC20:50
openstackgerritSami Makki proposed openstack/oslo.policy: Closes-Bug #1650599  https://review.openstack.org/41198620:53
openstackbug 1650599 in oslo.policy "Dead code in oslo_policy/shell.py" [Undecided,New] https://launchpad.net/bugs/1650599 - Assigned to Sami Makki (smakki)20:53
*** asettle has joined #openstack-keystone20:59
*** asettle has quit IRC21:00
*** itisha has quit IRC21:02
*** catintheroof has quit IRC21:10
gagehugostevemar: I'm awake now, thanks for fixing the releasenotes21:10
*** catintheroof has joined #openstack-keystone21:11
*** catintheroof has quit IRC21:15
*** lamt has quit IRC21:16
*** lamt has joined #openstack-keystone21:20
*** ngupta has joined #openstack-keystone21:25
*** iurygregory has quit IRC21:27
openstackgerritColleen Murphy proposed openstack/keystone: Add anonymous bind to get_connection method  https://review.openstack.org/40756121:28
*** adrian_otto has joined #openstack-keystone21:42
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915721:43
openstackgerritRon De Rose proposed openstack/keystone: Update docs to require domain_id when registering Identity Providers  https://review.openstack.org/39915721:45
stevemargagehugo: awake eh21:45
stevemargagehugo: :)21:45
stevemargagehugo: gonna try out your notification stuff over the weekend21:46
gagehugostevemar: slowly recovering from being sick :(21:49
*** adrian_otto has quit IRC21:49
stevemargagehugo: oh noes, feel better21:49
gagehugostevemar: thanks21:50
gagehugostevemar: lemme know if you notice any issues with testing21:50
*** kiran-r has joined #openstack-keystone21:58
*** edmondsw has quit IRC22:07
*** kiran-r has quit IRC22:07
*** edmondsw has joined #openstack-keystone22:07
stevemargagehugo: wilco22:08
*** adrian_otto has joined #openstack-keystone22:12
*** edmondsw has quit IRC22:12
*** dave-mccowan has quit IRC22:25
*** adrian_otto has quit IRC22:31
*** dave-mccowan has joined #openstack-keystone22:51
*** dave-mccowan has quit IRC22:56
*** chris_hultin|AWA is now known as chris_hultin22:56
*** adrian_otto has joined #openstack-keystone23:12
*** ngupta has quit IRC23:27
*** ngupta has joined #openstack-keystone23:28
*** chris_hultin is now known as chris_hultin|AWA23:29
*** ngupta has quit IRC23:30
*** ngupta has joined #openstack-keystone23:30
*** lamt has quit IRC23:37
*** kiran-r has joined #openstack-keystone23:54
