Friday, 2017-01-20

rderose	morgan: my environment is toast (rebuilding)	00:01
morgan	local tests work for me	00:01
morgan	so i'm just baffled	00:01
rderose	morgan: but I don't see any problem with your tests	00:01
rderose	what's the error?	00:01
rderose	morgan: or, is it that you are just not seeing the table in mysql?	00:01
morgan	http://logs.openstack.org/17/422817/1/check/gate-keystone-python35-db/1d68383/console.html#_2017-01-19_19_14_55_374434	00:01
rderose	morgan: okay, now I'm baffled as well	00:11
morgan	rderose: yeah.	00:12
morgan	it's... weird	00:12
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add SQL Upgrade Tests for MFA rules https://review.openstack.org/422817	00:13
morgan	anyway fixed the pep8 issue	00:13
openstackgerrit	David Stanek proposed openstack/keystone: Updates to project mapping documentation https://review.openstack.org/422852	00:14
rderose	morgan: I wonder...	00:15
dstanek	rderose: and oslo.db isn't changing that for us?	00:15
rderose	morgan: we did have an issue where the migration file would get cached	00:15
morgan	rderose: not sure?	00:15
rderose	dstanek: not sure	00:15
rderose	morgan: so 014_user_mfa_table_add.py is the same name for expand, migrate, contract	00:16
rderose	morgan: I wonder if the contract version is some how getting cached and being execute instead of expand	00:16
rderose	morgan: you could try changing the file names, so that each one is unique	00:17
rderose	e.g. 014_expand_user_mfa_table_add	00:17
rderose	morgan: try that and see if that fixes the issue	00:17
dstanek	rderose: it looks like it can be configured, but i don't know if anyone could or would ever do that	00:18
rderose	dstanek: I could explicitly set it (just in case)	00:18
morgan	rolls eyes that would be stupid	00:19
rderose	morgan: tell me about it :)	00:19
morgan	i also want to point out the expand/contract/migrate repos kindof suck to work with	00:20
*** chris_hultin is now known as chris_hultin\|AWA		00:20
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166	00:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955	00:21
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912	00:22
rderose	morgan: welcome to the zero downtime world we've created!	00:22
rderose	:)	00:22
morgan	rolls eyes	00:22
morgan	i know people clamour for zero downtime	00:22
morgan	but ... it's mostly an absurd request that upgrades and schema changes are done "live"	00:22
rderose	morgan: agree	00:24
dstanek	rderose: in memory it's probably a few hundred mb so probably not too much. something feels wrong about it	00:24
rderose	dstanek: I could try to paginate, but just concerned about folks deleting records in the middle and potentially missing records	00:24
morgan	rderose: welcome to why pagnination is terrible	00:26
morgan	s/why/one of the many reasons why/	00:26
morgan	anyone who says "pagination is a good ui" needs to seriously think about that statement and think about how many pages deep they are willing to go on google.	00:27
rderose	morgan: :)	00:27
morgan	filtering > pagination	00:27
knikolla	morgan: amen	00:28
*** thorst_ has joined #openstack-keystone		00:28
dstanek	morgan: :-) different reason, but i hear you	00:28
dstanek	rderose: what could be deleted to cause an issue	00:29
*** voelzmo has joined #openstack-keystone		00:30
rderose	dstanek: if you delete a row after I've selected it, the next batch will be off by one	00:32
rderose	dstanek and I'll miss updating a record	00:32
rderose	dstanek: deleting a user... hmm...	00:33
*** voelzmo has quit IRC		00:35
rderose	dstanek: have to think that through, the only way a local_user would be deleted is if a user is deleted, so that might actually be okay	00:36
rderose	dstanek: hmm... but adding users could be problematic... depends on how they are ordered I suppose...	00:37
rderose	dstanek: makes my head hurt. anyway, I'm off to the gym. I'll think on this later.	00:37
*** adrian_otto has joined #openstack-keystone		00:38
*** jose-phillips has quit IRC		00:38
dstanek	rderose: ah, no you'd have to use a filtered query where the total population is reduced each time	00:40
dstanek	rderose: for example 'select from local where the connected user doesn't have a domain'	00:41
dstanek	^ not valid SQL :-P	00:41
*** thorst_ has quit IRC		00:45
*** thorst_ has joined #openstack-keystone		00:45
*** thorst_ has quit IRC		00:50
*** hoangcx has joined #openstack-keystone		00:53
*** bradjones has quit IRC		00:55
morgan	rderose: looks like it was cache on the file name	01:07
morgan	rderose: rolls eyes	01:07
*** knikolla has quit IRC		01:07
*** knikolla has joined #openstack-keystone		01:08
*** knikolla has quit IRC		01:08
*** knikolla has joined #openstack-keystone		01:08
*** knikolla has quit IRC		01:08
*** knikolla has joined #openstack-keystone		01:09
*** knikolla has quit IRC		01:09
*** knikolla has joined #openstack-keystone		01:09
*** knikolla has left #openstack-keystone		01:10
*** liujiong has joined #openstack-keystone		01:19
*** thorst_ has joined #openstack-keystone		01:19
*** adrian_otto has quit IRC		01:20
*** gyee has quit IRC		01:23
*** agrebennikov_ has quit IRC		01:27
*** stingaci has joined #openstack-keystone		01:43
*** woodster_ has quit IRC		01:45
*** stingaci has quit IRC		01:48
openstackgerrit	Merged openstack/keystone: Add documentation for auto-provisioning https://review.openstack.org/421573	01:49
*** furface has quit IRC		02:01
*** thorst_ has joined #openstack-keystone		02:01
*** thorst_ has quit IRC		02:01
rderose	dstanek: looks like still have a caching problem with the migration files being cached, morgan 's problem above	02:12
*** browne has quit IRC		02:20
openstackgerrit	Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874	02:20
*** edmondsw_ has quit IRC		02:36
*** links has joined #openstack-keystone		02:53
*** edmondsw has joined #openstack-keystone		02:57
*** edtubill has joined #openstack-keystone		03:01
*** edmondsw has quit IRC		03:02
*** edtubill has quit IRC		03:02
*** furface has joined #openstack-keystone		03:17
*** tovin07 has joined #openstack-keystone		03:18
tovin07	breton, this one got 2 +2 https://review.openstack.org/#/c/294535/ can you review that? thanks! :D	03:21
stevemar	keystone at night going on?	03:27
*** itisha has joined #openstack-keystone		03:30
*** edtubill has joined #openstack-keystone		03:30
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	03:36
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	03:37
*** edtubill has quit IRC		03:39
*** thorst_ has joined #openstack-keystone		03:39
*** thorst_ has quit IRC		03:40
tovin07	stevemar, now: morning at my location :D	03:41
*** nicolasbock has quit IRC		03:41
stevemar	tovin07: early morning keystone then :)	03:41
*** agrebennikov_ has joined #openstack-keystone		03:52
*** chris_hultin\|AWA is now known as chris_hultin		04:09
*** links has quit IRC		04:16
*** adrian_otto has joined #openstack-keystone		04:17
*** links has joined #openstack-keystone		04:18
*** agrebennikov_ has quit IRC		04:25
*** voelzmo has joined #openstack-keystone		04:32
*** voelzmo has quit IRC		04:37
*** lucas has joined #openstack-keystone		04:45
*** lucas has quit IRC		04:46
openstackgerrit	Steve Martinelli proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	04:47
stevemar	gagehugo: i fixed some of the tests for you ^	04:48
stevemar	but theres one that you added "test_changing_password_with_invalid_token_fails" which is now failing	04:48
*** catinthe_ has quit IRC		04:54
*** portdirect is now known as portdirect_away		04:55
*** chris_hultin is now known as chris_hultin\|AWA		04:59
*** agrebennikov_ has joined #openstack-keystone		04:59
*** voelzmo has joined #openstack-keystone		05:00
stevemar	gagehugo: commented on it	05:01
*** voelzmo has quit IRC		05:01
*** catintheroof has joined #openstack-keystone		05:02
*** dikonoor has joined #openstack-keystone		05:02
*** adrian_otto has quit IRC		05:02
*** sheel has joined #openstack-keystone		05:04
*** jerrygb has quit IRC		05:05
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	05:12
*** catintheroof has quit IRC		05:14
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	05:21
openstackgerrit	Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc https://review.openstack.org/422375	05:23
openstackgerrit	Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc https://review.openstack.org/422375	05:25
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	05:26
*** voelzmo has joined #openstack-keystone		05:37
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	05:38
*** jerrygb has joined #openstack-keystone		05:39
*** thorst_ has joined #openstack-keystone		05:40
*** edtubill has joined #openstack-keystone		05:41
*** voelzmo has quit IRC		05:41
*** stingaci has joined #openstack-keystone		05:45
*** Jack_V has joined #openstack-keystone		05:46
*** catintheroof has joined #openstack-keystone		05:46
*** thorst_ has quit IRC		05:48
gagehugo	stevemar: thanks!	05:49
gagehugo	stevemar: I think that test is redundant now since we removed @protected	05:49
*** stingaci has quit IRC		05:49
gagehugo	redundant/incorrect	05:50
*** agrebennikov_ has quit IRC		05:50
stevemar	gagehugo: maybe	05:51
stevemar	gagehugo: i would expect the tokens used from an old password to be invalid though	05:51
gagehugo	It's tested above I think	05:51
gagehugo	in test_changing_password	05:51
stevemar	gagehugo: i auth with passA, get a token -- tokenA, expire (somehow?), change passwd to passB, then tokenA should be invalidated	05:52
stevemar	oh is it	05:52
stevemar	my flying metal tube is taking off in 7 hours, i should get to bed :)	05:52
gagehugo	stevemar: yes	05:52
gagehugo	have fun in the metal tube	05:53
gagehugo	I'll fix this real quick before I head to bed	05:53
stevemar	gagehugo: okie, you can look into it :)	05:53
stevemar	i'll buy special metal tube wifi and take a look at it tmrw	05:53
gagehugo	That test I wrote doesn't really make sense if we aren't checking the token for change_password I think	05:54
* stevemar shrugs		05:55
stevemar	its weird	05:55
stevemar	if a user is expired, do their tokens get marked as invalid?	05:55
stevemar	i guess there is no way of knowing "when" a user expires, we don't poll	05:55
gagehugo	I don't think so?	05:55
stevemar	tovin07: yeah, i was waiting for breton to +A it, i don't know much about rally or osprofiler	05:57
stevemar	gagehugo: hmm	05:57
stevemar	gagehugo: point of note, we don't actually set the password_expires_days option btw	05:57
stevemar	in that test	05:57
gagehugo	yeah	05:58
gagehugo	I think I may have just been making redundant tests there	05:58
gagehugo	cause it's checked here: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_identity.py#L838	05:59
stevemar	yeah	06:00
stevemar	you could try something exotic like i mentioned above	06:00
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	06:00
stevemar	auth the user, get a token, mark him as expired, try to get him to change his password, see if the original token is valid or not	06:00
gagehugo	sure	06:01
stevemar	but any time a user changes their password, if expired or not, will invalidate their tokens	06:01
stevemar	like you said, its in the test case above	06:02
stevemar	ah, just remove it	06:02
stevemar	lets get this merged and you can play around with a fancy test case afterward	06:02
gagehugo	ok	06:02
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	06:03
*** adriant has quit IRC		06:03
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	06:04
stevemar	gagehugo: why remove "test_changing_expired_password_fails" ?	06:05
stevemar	that one was fine, i thought	06:05
gagehugo	Just commenting on that now heh	06:05
gagehugo	since the config option was removed, it's also redundant	06:05
gagehugo	there is another test for checking incorrect passwords	06:06
gagehugo	I can add it back if we want to check incorrect password + expired	06:06
*** furface has quit IRC		06:06
stevemar	gagehugo: yeah, thats the combo i was looking for, but again i guess redundant	06:07
stevemar	okay	06:07
gagehugo	I think I like the change more now, it seems much simpler	06:07
stevemar	\o/	06:07
stevemar	bed time for me	06:08
stevemar	see ya tmrw	06:08
gagehugo	bye! have a safe flying metal tube trip	06:08
*** edtubill has quit IRC		06:09
rderose	stevemar: wait! what about https://review.openstack.org/#/c/409874/?	06:09
rderose	stevemar: jk, go to sleep :)	06:09
breton	stevemar: tovin07: and i am waiting for DinaBelova to make a quick look at the patch	06:15
breton	morning, keystone	06:16
*** voelzmo has joined #openstack-keystone		06:30
tovin07	stevemar, breton oh, thanks, will wait for DinaBelova to confirm that :D	06:32
*** edmondsw has joined #openstack-keystone		06:34
*** voelzmo has quit IRC		06:34
*** edmondsw has quit IRC		06:38
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	06:39
openstackgerrit	wanghongtaozz proposed openstack/keystone: Modify the spelling mistakes https://review.openstack.org/423079	06:42
*** richm has quit IRC		06:42
openstackgerrit	wanghongtaozz proposed openstack/keystone: Modify the spelling mistakes https://review.openstack.org/423079	06:56
*** portdirect_away is now known as portdirect		06:59
*** voelzmo has joined #openstack-keystone		07:17
openstackgerrit	zhangyanxian proposed openstack/keystone-specs: Fix typo in role-check-from-middleware.rst https://review.openstack.org/423103	07:37
openstackgerrit	zhangyanxian proposed openstack/keystone-specs: Fix typo in role-check-from-middleware.rst https://review.openstack.org/423103	07:38
*** liujiong_66 has joined #openstack-keystone		07:42
*** pcaruana has joined #openstack-keystone		07:43
*** dolphm_ has joined #openstack-keystone		07:46
*** ChanServ sets mode: +o dolphm_		07:46
*** melwitt_ has joined #openstack-keystone		07:48
*** liujiong has quit IRC		07:51
*** dgonzalez has quit IRC		07:51
*** melwitt has quit IRC		07:51
*** dolphm has quit IRC		07:51
*** masterjcool has quit IRC		07:51
*** dgonzalez has joined #openstack-keystone		07:51
*** dolphm_ is now known as dolphm		07:51
*** masterjcool has joined #openstack-keystone		07:51
*** tesseract has joined #openstack-keystone		08:05
*** stingaci has joined #openstack-keystone		08:07
*** jlwhite has quit IRC		08:29
*** tovin07 has quit IRC		08:30
*** afazekas has quit IRC		08:30
*** tovin07 has joined #openstack-keystone		08:30
*** jlwhite has joined #openstack-keystone		08:31
*** liujiong_66 is now known as liujiong		08:35
*** afazekas has joined #openstack-keystone		08:35
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** openstackgerrit has quit IRC		09:02
*** namnh has joined #openstack-keystone		09:05
*** johnthetubaguy has quit IRC		09:16
*** johnthetubaguy has joined #openstack-keystone		09:19
*** dgonzalez_ has joined #openstack-keystone		09:23
*** dgonzalez has quit IRC		09:27
*** dgonzalez_ is now known as dgonzalez		09:27
*** timburke has quit IRC		09:32
*** jascott1 has joined #openstack-keystone		09:33
*** timburke has joined #openstack-keystone		09:35
*** jerrygb_ has joined #openstack-keystone		09:41
*** jerrygb has quit IRC		09:43
*** jerrygb has joined #openstack-keystone		09:46
*** thorst_ has joined #openstack-keystone		09:46
*** mvk has quit IRC		09:46
*** jerrygb_ has quit IRC		09:48
*** thorst_ has quit IRC		09:51
*** stingaci has quit IRC		09:56
*** stingaci has joined #openstack-keystone		09:59
*** stingaci has quit IRC		10:02
*** stingaci has joined #openstack-keystone		10:02
*** liujiong has quit IRC		10:04
*** edmondsw has joined #openstack-keystone		10:10
*** jerrygb has quit IRC		10:13
*** jerrygb has joined #openstack-keystone		10:14
*** edmondsw has quit IRC		10:15
*** mvk has joined #openstack-keystone		10:17
timss	Hi! Got a LDAP Keystone domain (AD) which is working fine, but when users are deleted in AD I'm unable to show/delete role of a given user, or list the users in a project with deleted users. Error message is "Could not found resource <user id>". Not quite sure what changes I need to do, any inputs? http://paste.openstack.org/show/EFif6iJPjp38GAqWk4R7/	10:22
*** hoangcx has quit IRC		10:25
*** namnh has quit IRC		10:29
*** pnavarro has joined #openstack-keystone		10:31
*** richm has joined #openstack-keystone		11:13
breton	timss: file a bugreport probably	11:20
timss	breton: Figured it might be a config issue, but if not I'll make a report	11:23
*** nicolasbock has joined #openstack-keystone		11:35
*** stingaci has quit IRC		11:39
*** stingaci has joined #openstack-keystone		11:41
*** stingaci has quit IRC		11:46
*** thorst_ has joined #openstack-keystone		11:47
*** thorst_ has quit IRC		11:52
*** pcaruana has quit IRC		11:59
*** pcaruana has joined #openstack-keystone		12:06
*** edmondsw has joined #openstack-keystone		12:13
*** catinthe_ has joined #openstack-keystone		12:32
*** catintheroof has quit IRC		12:33
*** openstackgerrit has joined #openstack-keystone		12:34
openstackgerrit	Merged openstack/keystone-specs: Fix typo in role-check-from-middleware.rst https://review.openstack.org/423103	12:34
*** stingaci has joined #openstack-keystone		12:42
*** jerrygb_ has joined #openstack-keystone		12:46
dstanek	morning all	12:47
*** thorst_ has joined #openstack-keystone		12:47
*** stingaci has quit IRC		12:47
*** voelzmo has quit IRC		12:48
*** jerrygb has quit IRC		12:49
stevemar	o/	12:49
stevemar	dstanek: lets see if this flight has wifi	12:50
*** voelzmo has joined #openstack-keystone		12:50
dstanek	stevemar: good luck	12:53
dstanek	stevemar: where are you off to?	12:53
*** links has quit IRC		12:55
asettle	Thank stevemar :)	13:09
asettle	Thanks*	13:09
*** stingaci has joined #openstack-keystone		13:09
dstanek	timss: did you end up creating a bug?	13:22
dstanek	stevemar: looks like your wifi question was answered :-P	13:22
*** clenimar has quit IRC		13:23
*** iurygregory has quit IRC		13:23
*** voelzmo has quit IRC		13:30
*** edtubill has joined #openstack-keystone		13:31
*** voelzmo has joined #openstack-keystone		13:33
timss	dstanek: no not yet, I'll give it a go now :)	13:36
*** bradjones has joined #openstack-keystone		13:38
*** bradjones has quit IRC		13:38
*** bradjones has joined #openstack-keystone		13:38
dstanek	timss: ok, make sure you include the version you are running	13:39
timss	dstanek: aye	13:39
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Test cross domain authentication via implied roles https://review.openstack.org/422819	13:41
*** voelzmo has quit IRC		13:42
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Test cross domain authentication via implied roles https://review.openstack.org/422819	13:43
rodrigods	lbragstad, ^ we can't authenticate using domain specific roles	13:49
*** pnavarro has quit IRC		13:49
rodrigods	lbragstad, think this check is missing in the shadow mapping, right?	13:49
dstanek	rodrigods: what check would be missing?	13:52
rodrigods	dstanek, if the mapping uses a domain specific role, the user can't authenticate at all (not just if the role domain_id is different from the idp domain_id)	13:53
dstanek	rodrigods: doesn't shadow mapping just create project/assignments? i don't know why it would be doing that check	13:55
rodrigods	dstanek, the assignment can't be used to authenticate the user	13:56
dstanek	rodrigods: wouldn't that check only be applicable when getting a scoped token?	13:56
rodrigods	dstanek, right	13:56
rodrigods	to get a scoped token	13:56
dstanek	rodrigods: at that point you would already be authenticated.	13:56
rodrigods	dstanek, so we let the mapping create an assignment, but we won't let the user get an scoped token?	13:57
rodrigods	what do we gain than?	13:57
rodrigods	hmm, the project auto provisioning...	13:58
rodrigods	i have the feeling this should be documented, at least	13:58
dstanek	rodrigods: also you very well be able to scope to something else right?	13:58
rodrigods	dstanek, with further actions, yes	13:59
*** nicodemus_ has joined #openstack-keystone		13:59
dstanek	rodrigods: what type of token do you get with a federated auth? scoped or unscoped?	13:59
rodrigods	dstanek, the first one is unscoped	14:00
rodrigods	the one returned after the SP redirect	14:00
rodrigods	but... our saml2 plugin in keystoneauth only returns a scoped token, iirc	14:00
rodrigods	so it would fail	14:01
dstanek	rodrigods: ok, that's what i thought. so the authentication succeeds and you are authenticated. it's when you try to scope to something you can't scope to that it should fail	14:01
rodrigods	dstanek, exactly	14:01
dstanek	isn't that working as intended then?	14:01
rodrigods	dstanek, yeah, already figured that out at "rodrigods> i have the feeling this should be documented, at least"	14:02
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	14:02
dstanek	i still don't fully understand implied roles :-(	14:02
*** knikolla has joined #openstack-keystone		14:02
*** knikolla has quit IRC		14:02
dstanek	lol	14:02
*** knikolla has joined #openstack-keystone		14:03
rodrigods	dstanek, implied roles is simpler, the mixture with domain specific that is confusing to me	14:03
*** spilla has joined #openstack-keystone		14:03
knikolla	o/ morning	14:03
dstanek	rodrigods: yeah, i think we went overboard with features	14:04
*** Dinesh_Bhor has quit IRC		14:04
rodrigods	dstanek, we need to document that behavior (the fact we can only get a unscoped token)	14:05
rodrigods	dstanek, because our saml2 plugin from keystoneauth only returns a scoped token - so it won't properly work for this specific case	14:05
*** dgonzalez has quit IRC		14:06
*** dave-mccowan has joined #openstack-keystone		14:07
dstanek	rodrigods: it would already have the problem without the shadow mapping	14:09
dstanek	a user could currently be mapped to groups that only have those kinds of role assignments	14:10
rodrigods	dstanek, right!	14:10
rodrigods	that's true	14:10
dstanek	we're all about the hidden failures here	14:10
rodrigods	heh exactly	14:10
rodrigods	the interaction between the features is absurd in this case	14:11
rodrigods	dstanek, imagine the next time we talk about this, will take a while to figure out the complete stack of details	14:11
*** dgonzalez has joined #openstack-keystone		14:11
*** voelzmo has joined #openstack-keystone		14:13
*** woodster_ has joined #openstack-keystone		14:27
*** edtubill has quit IRC		14:31
*** catintheroof has joined #openstack-keystone		14:33
*** catinthe_ has quit IRC		14:36
*** Jack_V has quit IRC		14:41
*** smruf has joined #openstack-keystone		14:43
*** sheel has quit IRC		14:47
*** lamt has joined #openstack-keystone		14:51
*** clenimar has joined #openstack-keystone		14:51
*** iurygregory has joined #openstack-keystone		14:51
timss	dstanek: While digging up useful info for the bug report (LDAP deleted users) it hit me that the upstream AD might not actually delete the users. Checked with the ones responsible, and the users are actually moved (different OU/DN). Not sure what this implicates, could it mean that the identity mapping is off, is it based on the DN?	14:55
*** melwitt_ is now known as melwitt		14:55
*** dikonoor has quit IRC		14:58
*** pnavarro has joined #openstack-keystone		14:59
rderose	stevemar fyi: https://bugs.launchpad.net/keystone/+bug/1658116	15:09
openstack	Launchpad bug 1658116 in OpenStack Identity (keystone) "Wrong migration step run when file names are the same" [Undecided,New]	15:09
*** jaugustine has joined #openstack-keystone		15:13
*** david-lyle has joined #openstack-keystone		15:13
dstanek	lbragstad: i can't reproduce that issue	15:16
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	15:18
rderose	morgan fyi: https://bugs.launchpad.net/keystone/+bug/1658116	15:20
openstack	Launchpad bug 1658116 in OpenStack Identity (keystone) "Wrong migration step run when file names are the same" [Undecided,New] - Assigned to Ron De Rose (ronald-de-rose)	15:20
dstanek	rderose: i think i remember someone having that problem in the past	15:23
rderose	dstanek: :)	15:24
*** david-lyle has quit IRC		15:25
rderose	dstanek: me and alexander	15:25
*** david-lyle has joined #openstack-keystone		15:25
*** smruf has left #openstack-keystone		15:26
rderose	whatever happened to amakarov	15:26
knikolla	rderose: his linkedin page says he left mirantis	15:29
*** ravelar has joined #openstack-keystone		15:30
rderose	knikolla: ah, I see	15:30
rderose	knikolla: he should have at least said goodbye :)	15:31
rderose	to us	15:31
lbragstad	going to refill coffee quick	15:33
*** edtubill has joined #openstack-keystone		15:37
*** jaosorior has joined #openstack-keystone		15:39
*** david-lyle has quit IRC		15:42
openstackgerrit	Samuel Pilla proposed openstack/python-keystoneclient: Allow Multiple Filters of the Same Key https://review.openstack.org/423339	15:44
*** chris_hultin\|AWA is now known as chris_hultin		15:48
*** mvk has quit IRC		15:48
*** adrian_otto has joined #openstack-keystone		15:51
knikolla	in the first paragraph of http://docs.openstack.org/developer/keystone/external-auth.html it says that "this makes possible to use an SQL identity backend together with, X.509 authentication or Kerberos", what is meant by 'together', does that refer to the mapped plugin?	15:56
dstanek	knikolla: no i think it means that you can allow password login (identity backend) and external (kerberos, etc) at the same time. method=password,external	15:58
knikolla	dstanek: got it. i'll have a patch that rephrases that.	15:58
*** pcaruana has quit IRC		16:03
*** voelzmo has quit IRC		16:05
dstanek	knikolla: great. add me to the review	16:06
*** tovin07 has quit IRC		16:08
dstanek	rderose: why was this commit necessary? https://github.com/openstack/keystone/commit/7ba53701989490667d220a3faecae2b484a007c5#diff-123d55255e45e44f9baa492e882762b5R386	16:08
*** tovin07 has joined #openstack-keystone		16:14
*** diazjf has joined #openstack-keystone		16:15
rderose	dstanek: let me ping you in a few, be right back	16:20
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Improvements to external auth documentation page https://review.openstack.org/423356	16:26
knikolla	dstanek ^^	16:26
*** diazjf has quit IRC		16:27
*** dave-mccowan has quit IRC		16:29
dstanek	rderose: k, i know why you did it.... just trying to track something down	16:30
dstanek	knikolla: nice	16:31
dstanek	going to do lunch for a bit	16:35
*** arunkant has quit IRC		16:35
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Improvements to external auth documentation page https://review.openstack.org/423356	16:39
*** jaosorior has quit IRC		16:48
*** stingaci has quit IRC		16:49
*** jaosorior has joined #openstack-keystone		16:49
*** jaosorior has quit IRC		16:51
*** itisha has quit IRC		16:52
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	16:54
*** diazjf has joined #openstack-keystone		16:56
*** jose-phillips has joined #openstack-keystone		17:00
*** lamt has quit IRC		17:10
*** jose-phillips has quit IRC		17:12
*** lamt has joined #openstack-keystone		17:14
*** diazjf has quit IRC		17:16
openstackgerrit	Samuel Pilla proposed openstack/keystone: Update endpoint api for optional region_id https://review.openstack.org/420085	17:16
*** agrebennikov_ has joined #openstack-keystone		17:17
*** nicolasbock has quit IRC		17:18
*** nicolasbock has joined #openstack-keystone		17:18
*** stingaci has joined #openstack-keystone		17:19
*** jaugustine has quit IRC		17:21
*** jaugustine has joined #openstack-keystone		17:24
stevemar	dstanek: yep, no wifi, just got to hotel	17:28
stevemar	rderose: whaaaa	17:29
*** stingaci has quit IRC		17:29
*** mvk has joined #openstack-keystone		17:29
stevemar	rderose: for reals: 1658116 ?	17:29
*** diazjf has joined #openstack-keystone		17:30
rderose	stevemar: yep	17:30
stevemar	rderose: i thought it was designed that way, bah	17:32
rderose	stevemar: yeah, it's a feature :)	17:32
*** jaosorior has joined #openstack-keystone		17:32
rderose	stevemar: I think the fix will be to just make the files unique	17:33
rderose	stevemar: working on a test, to test that the file names are the same, but have the prefix expand, migrate, contract	17:33
rderose	stevemar: so that at least it is consistent	17:33
openstackgerrit	Sean Dague proposed openstack/keystone: Don't treat api-ref warnings as errors due to missing params https://review.openstack.org/423387	17:35
rderose	am I the only one that keeps failing this gate: gate-grenade-dsvm-neutron-ubuntu-xenial	17:36
rderose	can't figure out what's wrong: https://review.openstack.org/#/c/408332/	17:36
dstanek	stevemar: rderose: when dolphm, lbragstad and i were talking about this in a coffee shop i think we concluded the names needed to be different	17:36
dstanek	we should have done something to enforce that	17:37
knikolla	rderose: TRACE keystone AttributeError: Could not locate column in row for column 'idp_id'	17:37
knikolla	http://logs.openstack.org/32/408332/26/check/gate-grenade-dsvm-neutron-ubuntu-xenial/a56ee36/logs/grenade.sh.txt.gz#_2017-01-20_15_56_11_564	17:38
rderose	knikolla: thanks!! that was quick :)	17:38
knikolla	rderose: :)	17:39
openstackgerrit	Sean Dague proposed openstack/keystone: Fix warnings generated by os-api-ref 1.2.0 https://review.openstack.org/423387	17:39
stevemar	dstanek: i don't get why it has to be different, but i assume its a sqlalchemy thing	17:45
openstackgerrit	Sean Dague proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	17:45
*** ravelar has quit IRC		17:50
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	17:55
*** tovin07 has quit IRC		17:56
dstanek	rderose: stevemar: it was...but i fixed it in the tests -> https://review.openstack.org/#/c/371075/	17:58
*** ravelar has joined #openstack-keystone		17:59
*** diazjf has quit IRC		17:59
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	18:03
rderose	dstanek: regarding: "why was this commit necessary? https://github.com/openstack/keystone/commit/7ba53701989490667d220a3faecae2b484a007c5#diff-123d55255e45e44f9baa492e882762b5R386"	18:03
rderose	dstanek: this was to remove the requirement that a mappings had to result in group memberships	18:04
rderose	dstanek: with concrete role assignments for federated users, we no longer needed this requirement	18:04
rderose	oh dam, here comes a merge conflict: https://review.openstack.org/#/c/404022/!	18:05
rderose	quick stevemar, push mine through first: https://review.openstack.org/#/c/403916/	18:06
stevemar	heheh	18:06
stevemar	its already gating :P	18:06
rderose	:)	18:06
stevemar	rderose: you could be douchey and push a new change for 404022 :P	18:07
stevemar	bump	18:07
rderose	haha, that would be great!	18:07
rderose	but yeah, douchey	18:07
*** stingaci has joined #openstack-keystone		18:09
*** adrian_otto has quit IRC		18:10
*** tovin07 has joined #openstack-keystone		18:12
stevemar	rderose: with 404022 merging i feel much more comfortable with your patch now :)	18:12
rderose	stevemar: that's good	18:12
rderose	stevemar: and me too!	18:12
*** stingaci has quit IRC		18:13
knikolla	stevemar: i had to write a microwebapp that does the same thing as both reviews, so I'm happy having to discontinue it	18:15
*** adrian_otto has joined #openstack-keystone		18:30
*** mvk has quit IRC		18:30
*** jaosorior has quit IRC		18:35
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	18:36
*** jefrite has quit IRC		18:40
*** browne has joined #openstack-keystone		18:47
stevemar	knikolla: oh really?	18:47
* morgan spams dolphm on twitter and IRC.		18:49
*** jefrite has joined #openstack-keystone		18:50
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	18:51
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	18:57
samueldmq	Morning Keystone!	18:59
samueldmq	Not really... Good $(localtime)!	18:59
morgan	soooo	18:59
stevemar	samueldmq: howdy!	19:00
stevemar	morgan: soooo	19:00
morgan	Pike target: HTTP 2.0	19:00
samueldmq	stevemar: o/	19:00
morgan	support in KSA and keystone server	19:00
morgan	faster, guaranteed https (required), etc	19:00
morgan	stevemar: fixed the mfa migration tests	19:01
stevemar	nice	19:01
morgan	stevemar: also almost all the MFA work is done now except loading rules and validating them	19:01
morgan	no hard-core test changes needed, all 100% compat with current workflow	19:01
morgan	feedback on the code would be welcome at this point. i expect to have the rule loader, parser, and validation in the auth path proposed today as well	19:02
morgan	stevemar: so question, should we make the MFA rules something toggle-able per user (like disable all MFA rules)	19:03
morgan	?	19:03
morgan	the way this is structured, it would be easy to add that metadata into the MFA rules table	19:03
stevemar	morgan: great to hear that	19:03
stevemar	morgan: i think per user makes sense	19:04
morgan	well no it is per user now, it just would be a flag for ALL rules enable/disable	19:04
morgan	regardless if rules were set.	19:04
*** voelzmo has joined #openstack-keystone		19:05
morgan	or should we make it user->[MFA_rule, MFA_rule], with each rule being toggleable	19:05
morgan	(one user->many rules, a row per rule)	19:05
morgan	?	19:06
* morgan is inclined to say do it as a single blob		19:06
morgan	but it means if you need to snipe/add a rule with SQL (please don't do this) it is a lot harder	19:06
stevemar	morgan: oh i see	19:07
stevemar	morgan: handle it like fed mapping? just overwrite it	19:07
morgan	that is the current design	19:07
morgan	but since i don't have any loader/parser code yet	19:07
morgan	we could make it row-by-row and a one-to-many relationship	19:07
morgan	vs a one-to-one	19:07
morgan	and each rule could be enabled/disabled.	19:07
morgan	i think that is much more over-engineerd, but figured i'd bounce the options off you first	19:08
stevemar	morgan: we could always migrate to the latter IMO	19:09
stevemar	if we one day get a yubikey auth plugin or something :P	19:10
morgan	The only real downside to the all-in-one API	19:10
morgan	is that you have to set all the rules at once	19:10
morgan	you can't easily just "add a single rule" via the api	19:10
morgan	well i guess you could, but it'd be weird via REST	19:10
morgan	since it would be string add/delete with string match.	19:11
morgan	basically.	19:11
morgan	i really don't think we're going to see a ton of crazy rules	19:11
morgan	i think it will be something like: [[password,mfa],[token],[external]]	19:12
morgan	for most	19:12
morgan	if anything	19:12
stevemar	yeah, that's what i am assuming the bulk will be	19:13
morgan	or [mapped] in there	19:13
morgan	i'm fully expecting to see a lot of [[mapped]]	19:13
morgan	only	19:13
morgan	which requires the federated login	19:14
stevemar	rderose: i think https://bugs.launchpad.net/keystone/+bug/1658116/ only affects tests	19:14
openstack	Launchpad bug 1658116 in OpenStack Identity (keystone) "Wrong migration step run when file names are the same" [High,New] - Assigned to Ron De Rose (ronald-de-rose)	19:14
stevemar	dolphm: ^	19:14
morgan	stevemar: not sure if it affects more than tests. but it makes testing annoying	19:14
stevemar	99% sure it only affects tests	19:15
stevemar	https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L451-L467	19:15
openstackgerrit	OpenStack Release Bot proposed openstack/oslo.policy: Update reno for stable/ocata https://review.openstack.org/423454	19:15
morgan	stevemar: ok so, we're good with a single blob and just saying "yeah it's not amazing, but if you have insane rules, sorry, just propose the whole ruleset list"	19:15
stevemar	morgan: i think that's fine for now, we'll see what P and Q bring us	19:16
morgan	i'll add in an "enabled" column for the user's MFA rule blob	19:16
morgan	so we can totally disable the rules for a user if needed.	19:16
morgan	but otherwise i'll just roll with what we have proposed and get the parser/loader/validate bits into the auth path	19:16
*** pnavarro has quit IRC		19:17
*** david-lyle has joined #openstack-keystone		19:17
stevemar	++	19:18
stevemar	i need food	19:18
morgan	i need moar coffee	19:18
*** david-lyle has quit IRC		19:24
*** nkinder has joined #openstack-keystone		19:27
*** tesseract has quit IRC		19:32
*** sshen has quit IRC		19:34
rderose	stevemar: yeah, I think so	19:36
ayoung	morgan, https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe	19:42
*** diazjf has joined #openstack-keystone		19:43
morgan	ayoung: i have bigger issues, gnome3 in f25 just doesn't work well, renders all wonky (title bars, etc are horrible widths) and wayland has so many bugs the whole system freezes a bunch	19:44
morgan	ayoung: =/	19:44
ayoung	f25? Really	19:44
morgan	yep.	19:44
ayoung	No problem here	19:44
ayoung	morgan, is wayland the default?	19:45
morgan	yep	19:45
morgan	wayland is the default in f25	19:45
morgan	i also have a hidpi screen	19:45
ayoung	how do I confirm?	19:45
morgan	try and do the x-restart and it'll say "restart unable in wayland"	19:45
morgan	from the ui. not logout/login	19:45
ayoung	1920X1080 24" here	19:45
morgan	sec	19:45
morgan	yeah. i've got one of the wonky screen rezes high dpi	19:46
morgan	and it doesn't play nice at all	19:46
morgan	i think it's gnome3	19:47
morgan	not wayland itself	19:47
morgan	for example, the tabs on chrome render with a font and spacing ~4x bigger than the rest of the UI	19:47
morgan	ayoung: ubuntu's ui renders the right size(s) to be usable.	19:47
morgan	ayoung: shrug iu'll try again in F26	19:48
*** jose-phillips has joined #openstack-keystone		19:48
ayoung	morgan, I'd ask the desktop team. Make use of the fact you work for RH, and it provides them feedback	19:48
morgan	i saw some of the same complaints on the memo-list btw	19:49
morgan	recently	19:49
*** voelzmo has quit IRC		19:49
ayoung	Ah	19:49
morgan	and there are actuve bugs open	19:49
morgan	it's not a big deal. i'm running linux directly, it works.	19:49
morgan	and i can do my work (not doing fedora/rhel specific things)	19:49
morgan	anyway, sudo pip thing	19:50
morgan	interesting	19:50
ayoung	morgan, anyway, look at the link I posted. IIUC it means we could run devstack on the desktop without polluting the system	19:50
*** voelzmo has joined #openstack-keystone		19:50
ayoung	at least for py3	19:50
morgan	yes	19:50
morgan	it's a good proposal, did it land?	19:50
*** catinthe_ has joined #openstack-keystone		19:50
morgan	ah f26 target	19:51
morgan	yes, it is a good change	19:51
morgan	but you could also just use VENVs today	19:51
morgan	and do it on the desktop	19:51
morgan	and not pollute anything	19:51
*** jaosorior has joined #openstack-keystone		19:52
*** catintheroof has quit IRC		19:53
*** voelzmo has quit IRC		19:55
*** agrebennikov_ has quit IRC		19:58
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	19:59
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	20:00
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166	20:01
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955	20:01
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912	20:01
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	20:06
*** jefrite has quit IRC		20:12
*** jefrite has joined #openstack-keystone		20:18
*** jefrite has quit IRC		20:25
*** adrian_otto has quit IRC		20:27
*** adrian_otto has joined #openstack-keystone		20:28
*** MasterOfBugs has joined #openstack-keystone		20:30
*** pramodrj07 has joined #openstack-keystone		20:32
*** jefrite has joined #openstack-keystone		20:33
*** adrian_otto has quit IRC		20:33
*** dave-mccowan has joined #openstack-keystone		20:34
dstanek	rderose: did you see my comment about the migration issue?	20:42
openstackgerrit	Merged openstack/keystone: Updates to project mapping documentation https://review.openstack.org/422852	20:42
*** voelzmo has joined #openstack-keystone		20:44
*** adrian_otto has joined #openstack-keystone		20:46
*** david-lyle has joined #openstack-keystone		20:47
*** adrian_otto has quit IRC		20:48
*** adrian_otto has joined #openstack-keystone		20:50
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	20:55
*** jaosorior has quit IRC		20:57
*** thiagolib has quit IRC		20:58
*** adrian_otto1 has joined #openstack-keystone		21:00
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	21:00
*** adrian_otto has quit IRC		21:00
*** nicodemus_ has quit IRC		21:02
*** catinthe_ has quit IRC		21:02
*** pnavarro has joined #openstack-keystone		21:03
*** catintheroof has joined #openstack-keystone		21:03
*** catintheroof has quit IRC		21:07
*** Jack_V has joined #openstack-keystone		21:14
*** voelzmo has quit IRC		21:17
browne	dstanek: lbragstad: I've added more details on bug 1654409. If you'd like me to try something else today let me know. I can reproduce very easily	21:17
openstack	bug 1654409 in OpenStack Identity (keystone) "Duplicate users (federated and sql) results in 401" [High,Incomplete] https://launchpad.net/bugs/1654409 - Assigned to Eric Brown (ericwb)	21:17
lbragstad	browne sounds good - wrapping a few things up here and I'll take a look	21:18
browne	sure thx	21:18
*** jamielennox is now known as jamielennox\|away		21:28
*** diazjf has quit IRC		21:28
dstanek	hi browne	21:29
dstanek	trying to get travel booked, but i can look again in a second	21:30
dstanek	browne: can you only reproduce with that particular IdP?	21:30
browne	its the only one i've used	21:30
browne	but i suspect is has less to do with the idp	21:31
browne	i think it has something to do with domains (Federated vs. Default vs local)	21:31
browne	is a Federated user always mapped to the Federated domain?	21:31
browne	i should mention everything works fine without having the same user defined in keystone	21:32
*** jerrygb_ has quit IRC		21:41
*** chris_hultin is now known as chris_hultin\|AWA		21:41
dstanek	browne: yes, it should be	21:42
dstanek	browne: i have the same user defined in keystone and i don't have an issue	21:43
dstanek	one thing that would be awesome is to log the traceback the the user_id is erroneously set on the context	21:43
dstanek	you get an error because something sets a user id and then tries to set it to something different	21:44
*** david-lyle has quit IRC		21:45
browne	i can add more debug if needed	21:45
browne	where would help?	21:46
morgan	hmm	21:47
browne	dstanek: here's a traceback at the point when the dup is found http://paste.openstack.org/show/595846/	21:55
*** jaugustine has quit IRC		21:58
*** thorst_ has quit IRC		22:02
*** adrian_otto1 has quit IRC		22:02
*** thorst_ has joined #openstack-keystone		22:03
*** chris_hultin\|AWA is now known as chris_hultin		22:07
*** thorst_ has quit IRC		22:07
*** Jack_V has quit IRC		22:07
browne	dstanek: lbragstad ah ha! the root cause is that i have "external" in the authentication methods.	22:13
browne	apparently that conflcits with saml	22:13
dstanek	say what?	22:13
browne	methods = external,password,token,saml2	22:14
browne	to:	22:14
browne	methods = password,token,saml2	22:14
*** edtubill has quit IRC		22:15
browne	I "think" this occurs because my mapping uses REMOTE_USER and if external is configured, it creates an AuthContext using the external method and then later attempts to set the user_id using the saml auth method, resulting in a dup.	22:17
dstanek	browne: oh, that is interesting	22:18
lbragstad	browne so did you remove external? or add it?	22:21
browne	lbragstad: i removed it	22:21
dstanek	browne: i'm still unclear on how it got the wrong user	22:23
dstanek	i have external in my methods and i'm not having the same issue	22:24
browne	does your mapping use REMOTE_USER	22:25
browne	does your idp send REMOTE_USER in the assertion?	22:25
browne	actually i guess apache2 does that	22:25
dstanek	browne: yeah that would be apache. i don't use remote user, but i don't know why that would change anything	22:26
dstanek	you could in theory hard code the username in the local section	22:26
browne	so i was browsing the code (no expert) trying to see where AuthContext is set	22:28
browne	https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L542	22:28
browne	i think if this block of code is executed, the auth_context sets a user_id mapping to the sql based local keystone user named "admin"	22:29
browne	but then later on, the user_id is attempted to be set to the user_id that maps to the federated user named "admin"	22:29
knikolla	not sure if it applies or anything, but there's a caution box in the docs about having both external and federation methods http://docs.openstack.org/developer/keystone/external-auth.html#configuration	22:29
browne	knikolla: ha, yep that seems to apply	22:30
dstanek	browne: so at that point the auth_context should have been created by the middleware using the user_id from the unscoped token	22:31
browne	we should probably have that comment right in keystone.conf instead of just the admin doc	22:31
*** stingaci has joined #openstack-keystone		22:32
dstanek	that warning is crazy. i can't see why it would actually be a problem unless we are doing something wrong	22:32
knikolla	dstanek: either i'm too tired, but I couldn't make much sense of it.	22:36
*** stingaci has quit IRC		22:36
dstanek	i just want to reproduce so i can understand :-(	22:38
dstanek	browne: when the authcontext is create what is used for the user_id?	22:38
browne	so i logged __setitem__ in AuthContext and it was only called once	22:39
browne	the time it resulted in a dup	22:39
*** spilla has quit IRC		22:39
*** jerrygb has joined #openstack-keystone		22:40
dstanek	browne: how does it ever get set then?	22:41
browne	i thought through an __init__ but don't see that in the code, so unsure	22:41
dstanek	browne: can you add an __init__ that just logs and passes the args through to the parent?	22:42
browne	sure	22:42
*** thorst_ has joined #openstack-keystone		22:43
*** dave-mccowan has quit IRC		22:46
*** thorst_ has quit IRC		22:47
browne	dstanek: looks like the __init__ doesn't set anything {'bind': {}, 'extras': {}, 'method_names': []} __init__	22:55
*** masber has quit IRC		22:59
*** masber has joined #openstack-keystone		23:00
lbragstad	dstanek you didn't have a repo for the office hours LP stuff did you?	23:01
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166	23:03
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955	23:03
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912	23:03
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules https://review.openstack.org/423548	23:03
morgan	pushed while running unit tests locally (since that takes a good bit now)	23:04
morgan	that should be most everyrhing except some tests prior to adding new APIs for setting MFA rules.	23:04
morgan	ugh missed some things =/	23:05
morgan	hmm. lazy load not working...	23:07
morgan	rderose: ping. since you did password things	23:08
morgan	rderose: i am thinking i am a bit confused on the lazy load functionality	23:08
morgan	it is claiming it is not bound to a session...	23:09
knikolla	browne: i had a quick look at the code	23:13
knikolla	and that caution box was right	23:14
*** thorst_ has joined #openstack-keystone		23:15
knikolla	https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L542-L547	23:15
*** adrian_otto has joined #openstack-keystone		23:16
browne	knikolla: yeah, that's the same spot i linked to earlier	23:16
knikolla	browne: yeah, just saw it	23:16
knikolla	browne: authcontext doesn't allow changing values, so both plugins point to different user_ids	23:16
knikolla	i guess it makes sense	23:17
knikolla	I'll rewrite that part of the documentation tomorrow	23:17
knikolla	to make it clearer	23:17
*** portdirect has quit IRC		23:18
*** thorst_ has quit IRC		23:20
browne	should i create a patch for this bug to update the conf help on auth.methods?	23:20
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	23:21
knikolla	browne: yeah, and make it related	23:22
knikolla	the bug would be invalid in this case?	23:23
morgan	hmm	23:24
morgan	i'm not understanding the lazy='subquery' correctly apparently	23:24
*** portdirect has joined #openstack-keystone		23:25
knikolla	morgan: what's the issue?	23:25
knikolla	i'm feeling in a debugging mood	23:25
morgan	i'm getting sqlalchemy.orm.exc.DetachedInstanceError: Parent instance <User at 0x7f350cc65ef0> is not bound to a Session; lazy load operation of attribute 'mfa' cannot proceed"	23:25
morgan	with my addition of the mfa stuff	23:25
morgan	in _create_user	23:25
morgan	user_ref.to_dict	23:26
morgan	it's failing	23:26
morgan	see code at https://review.openstack.org/#/c/423548/	23:26
knikolla	morgan: looking	23:27
morgan	ahh nvm	23:28
morgan	i found it.	23:28
morgan	i need to add the MFA object to the _create_user	23:28
morgan	i think?	23:29
*** v1k0d3n has joined #openstack-keystone		23:29
morgan	huh but nonlocal and local user works	23:29
morgan	blink	23:29
morgan	ooh but they aren't in attrs	23:29
morgan	oookay	23:29
morgan	yeah	23:29
morgan	i need to add the ref	23:29
morgan	object	23:29
morgan	yup	23:30
morgan	knikolla: ^	23:31
knikolla	morgan: cool	23:32
*** chris_hultin is now known as chris_hultin\|AWA		23:32
morgan	knikolla: looks like i need to add another couple things for our tests	23:33
morgan	but, overall looks pretty good.	23:33
morgan	close. now just need to the tests for the new code paths and then the API changes	23:34
knikolla	morgan: good work!	23:35
knikolla	this release is looking sweet	23:36
*** v1k0d3n has quit IRC		23:43
*** edmondsw has quit IRC		23:53
*** edmondsw has joined #openstack-keystone		23:54
morgan	stevemar: ping - Deprecated: update_user for the LDAP identity backend has been deprecated in the Mitaka release in favor of read-only identity LDAP access. It will be removed in the "O" release.' we good to nuke that?	23:57
*** edmondsw has quit IRC		23:58
*** lamt has quit IRC		23:58
knikolla	morgan: the review that nukes that has been stuck in tests limbo. all tests depend on creating the users in the fakeldap backend.	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!