Monday, 2017-03-06

*** agrebennikov has quit IRC00:13
*** ngupta has quit IRC00:24
*** markvoelker has joined #openstack-keystone00:56
*** ngupta has joined #openstack-keystone01:00
*** dave-mccowan has joined #openstack-keystone01:01
*** tovin07 has joined #openstack-keystone01:08
openstackgerritOpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements
*** zhurong has joined #openstack-keystone01:13
*** liujiong has joined #openstack-keystone01:13
*** erlon has quit IRC01:15
*** bigjools_ has joined #openstack-keystone01:27
*** ngupta has quit IRC01:29
*** bigjools has quit IRC01:29
*** ngupta has joined #openstack-keystone01:30
*** ngupta has quit IRC01:34
*** zsli has joined #openstack-keystone01:35
*** dave-mccowan has quit IRC01:40
*** chlong__ has joined #openstack-keystone01:55
*** prashkre has joined #openstack-keystone02:11
*** zhurong has quit IRC02:15
*** zhurong has joined #openstack-keystone02:19
*** catintheroof has quit IRC02:21
*** catintheroof has joined #openstack-keystone02:23
*** catintheroof has quit IRC02:27
*** dave-mccowan has joined #openstack-keystone02:29
*** namnh has joined #openstack-keystone02:51
*** guoshan has joined #openstack-keystone02:52
*** thorst has quit IRC03:08
*** prashkre has quit IRC03:27
*** ngupta has joined #openstack-keystone03:31
*** ngupta has quit IRC03:35
*** ngupta has joined #openstack-keystone04:00
*** dave-mccowan has quit IRC04:03
*** spotz_zzz is now known as spotz04:13
*** lamt has joined #openstack-keystone04:20
*** adriant has quit IRC04:20
*** markvoelker has quit IRC04:23
*** ngupta has quit IRC04:24
*** ngupta has joined #openstack-keystone04:25
*** thorst has joined #openstack-keystone04:28
*** ngupta has quit IRC04:30
*** prashkre has joined #openstack-keystone04:36
*** lamt has quit IRC04:37
*** prashkre has quit IRC04:48
*** zsli has quit IRC04:48
*** zsli has joined #openstack-keystone04:48
*** guoshan has quit IRC04:53
*** zsli has quit IRC04:54
*** sreenath has joined #openstack-keystone05:09
*** markvoelker has joined #openstack-keystone05:24
*** arturb has joined #openstack-keystone05:25
*** markvoelker has quit IRC05:29
*** thorst has joined #openstack-keystone05:29
*** thorst has quit IRC05:34
*** guoshan has joined #openstack-keystone05:54
*** Dinesh_Bhor has joined #openstack-keystone05:55
*** guoshan has quit IRC05:58
*** guoshan_ has joined #openstack-keystone05:58
*** rcernin has joined #openstack-keystone06:08
*** prashkre has joined #openstack-keystone06:11
openstackgerritzhengliuyang proposed openstack/python-keystoneclient master: Delete pyc and pyo file before test
*** agrebennikov_ has joined #openstack-keystone06:18
*** agrebennikov_ has quit IRC06:23
openstackgerritMerged openstack/keystone master: Remove unused variable
*** prashkre has quit IRC06:25
*** thorst has joined #openstack-keystone06:30
*** thorst has quit IRC06:34
*** richm has quit IRC06:43
*** markvoelker has joined #openstack-keystone06:44
openstackgerritMerged openstack/keystone master: Imported Translations from Zanata
openstackgerritMerged openstack/keystone master: Fix api-ref building with sphinx 1.5
*** h5t4_ has joined #openstack-keystone06:55
*** pcaruana has joined #openstack-keystone06:58
*** pcaruana has quit IRC07:05
*** pcaruana has joined #openstack-keystone07:06
*** tesseract has joined #openstack-keystone07:13
*** h5t4_ has quit IRC07:14
*** h5t4_ has joined #openstack-keystone07:14
*** ngupta has joined #openstack-keystone07:27
*** jaosorior has joined #openstack-keystone07:30
*** ngupta has quit IRC07:32
*** chlong__ has quit IRC07:36
openstackgerritzhengliuyang proposed openstack/keystone master: Delete .pyc and .pyo file before test
*** tovin07 has quit IRC08:12
*** tovin07 has joined #openstack-keystone08:12
*** ngupta has joined #openstack-keystone08:28
*** thorst has joined #openstack-keystone08:32
*** ngupta has quit IRC08:33
*** thorst has quit IRC08:36
*** markvoelker_ has joined #openstack-keystone08:51
*** markvoelker has quit IRC08:54
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:00
*** zsli has joined #openstack-keystone09:10
*** d0ugal has quit IRC09:14
Dinesh_Bhordolphm: Hi, do you have some time?09:18
*** zsli has quit IRC09:26
*** zsli has joined #openstack-keystone09:26
*** d0ugal has joined #openstack-keystone09:26
*** d0ugal has quit IRC09:26
*** d0ugal has joined #openstack-keystone09:26
*** zsli has quit IRC09:28
*** ngupta has joined #openstack-keystone09:29
*** thorst has joined #openstack-keystone09:33
*** ngupta has quit IRC09:33
*** thorst has quit IRC09:37
*** liujiong has quit IRC10:17
robcresswellDinesh_Bhor: Probably best to leave a question in the channel, at least then dolphm can respond async.10:22
Anticimexauto-provisioning and R&E federation is great, considering implementing of Ocata-keystone now10:24
Anticimexbut there's one slight issue: "Projects will be created within the domain associated with the Identity Provider."10:24
Anticimexwe receive ~400 domains from 1 idp config10:24
Dinesh_Bhorrobcresswell: thanks,10:26
*** Haaibo has joined #openstack-keystone10:26
*** guoshan_ has quit IRC10:29
*** guoshan has joined #openstack-keystone10:29
*** ngupta has joined #openstack-keystone10:29
Dinesh_BhorHi all, about this: From this patch we have started using keystoneauth1 adapter but the related adapter code is still there in keystoneclient. is there any reason for that?10:30
*** openstackgerrit has quit IRC10:33
*** thorst has joined #openstack-keystone10:34
*** ngupta has quit IRC10:34
*** mvk has quit IRC10:35
*** guoshan has quit IRC10:38
*** thorst has quit IRC10:38
jamielennoxDinesh_Bhor: for various reasons it's really hard to deprecate code out of the client libraries, the keystoneclient adapter should just be considered deprecated10:44
jamielennoxit's just being left there for now and use the keystoneauth one instead10:44
robcresswellMore noob questions: since an unscoped token requires a domain/user/password, isn't it considered domain-scoped?10:46
robcresswellStill slowly trying to wrap my head around varying levels of scope10:47
Dinesh_Bhorjamielennox: Does that mean they might get used in future?10:47
jamielennoxDinesh_Bhor: no, it means if we remove them before we are really sure every other client doesn't use them we risk breaking things10:48
jamielennoxDinesh_Bhor: they were initially developed in keystoneclient and split out into their own repository so that other clients didn't have to inherit all of keystoneclient's dependencies10:48
jamielennoxlike lxml and other things10:48
jamielennoxthey're almost exactly the same, the one in keystoneclient is deprecated10:48
jamielennoxrobcresswell: a user belongs in a domain, so you're just identifying the user10:49
jamielennoxrobcresswell: think of it like email "user@domain", user isn't guaranteed to be unique unless you identify the domain as well10:49
*** gK-1wm-su has joined #openstack-keystone10:51
robcresswelljamielennox: Okay, think I've got that. I was looking into the value behind two step auth; i.e. retrieving an unscoped token, to see what you could then scope to, and then retrieving that token vs. Horizons current method of logging in and then switching (which I assume relies on a users role having a default project)10:51
Dinesh_Bhorjamielennox: thanks, clear.10:52
jamielennoxrobcresswell: that would be the preferred way to do it, at one point we were trying to push towards making it so you couldn't change scope from one scoped token to another, you could only exchange an unscoped token for a scoped token10:53
jamielennoxthere is a flag you can set on authentication (i'd have to look it up but it's probably ?unscoped=1) that means always get an unscoped token even if there is a default project set10:53
robcresswellAh, so thats why there is the whole explicit unscoped token vs unscoped token thing10:53
jamielennoxyea, really we're trapped into the default project thing because it was an obvious thing in the v2 API, less so in v3 but it would require such a change to actually implement it10:54
robcresswellI'm just building this out fro my own learning/research really, I've been relying on Dave to help with keystone for far too long now.10:54
jamielennoxwell, kinda on versions, but asking for explicit unscoped on first auth would be the ideal way to do it10:55
*** gK-1wm-su has quit IRC10:55
jamielennoxrobcresswell: so i made a bunch of DOA changes to make kerberos and federation work, there had always been the intent to make it properly ksa but we could never figure out how to serialize the auth info10:56
jamielennoxif you're interested in getting it sorted out this cycle we can probably figure it out10:57
robcresswelljamielennox: Er, I don't wanna get ahead of myself; we've already got a fair few keystone changes up for review that need to get done first10:58
jamielennoxno worries10:58
robcresswellWe'll see where I get to over the next couple weeks10:58
jamielennoxi've looked before and don't understand the DOA/django/horizon split well enough10:58
robcresswelljamielennox: I dont really understand the doa split either, tbh. Originally it was designed so that it was pluggable I guess, but in reality it doesnt seem to have been used that way10:59
robcresswellPlus having doa in-tree would make it less complex at release time.10:59
robcresswelljamielennox: I guess since the domain has to be known for unscoped, there isn't much of a use case for getting an unscoped token and then a domain-scoped token? Unless the client (UI in this case) provides a default or something, that the user happens to be part of.11:01
jamielennoxyea, i really don't think there's another django project out there making use of DOA11:01
robcresswellYeah, exactly11:01
jamielennoxrobcresswell: so domain's owning users is not the best paradigm, but we needed them to be owned by something so that someone had the capabilities to create/modify users11:02
jamielennoxthat's part of the domain admin's responsibility11:02
jamielennoxbut that's not to say that the user only has projects in that same domain11:02
jamielennoxyou could for example just set up an IDP to point user's into a domain so that someone can manage them and then give them roles into projects on other domains11:03
jamielennoxsimilarly they could have roles on other domains11:03
jamielennoxhowever in practice you can probably assume that most of a user's projects will be in the same domain as the user is11:04
robcresswellBut in terms of requesting a token, you'd still need to always know the domain name ahead of time, so the unscoped -> scoped workflow main use case if for projects? Unless you had a setup where all your users are in a management domain that is widely known, and after requesting an unscoped token they can then see which domains they are also a part of.11:05
*** nicolasbock has joined #openstack-keystone11:05
robcresswellmain use case is for*11:05
robcresswellTrying to wrap my head around doing this in a pleasant UI-way11:06
*** mvk has joined #openstack-keystone11:07
jamielennoxyea, for horizon you probably want to know the user domain name ahead of time, listing domains for the user to pick from can be really unsafe because you expose to a user other companies/domains that might be using the same cloud11:10
jamielennoxi think last time we approached this in horizon you could define a static list of domains available to that login page11:11
jamielennoxbut then allow there to be multiple login pages so you could log in from different urls11:11
jamielennoxso if you have pepsi and coke in your cloud you could configure DOA at different URLs and give each to the different company so they don't know each other exists11:12
jamielennoxi guess that's all apache magic anyway11:13
cmurphythat would be cool11:13
*** richm has joined #openstack-keystone11:14
robcresswelljamielennox: re: exposing domains from other companies, wouldn't the unscoped token control what you could see anyway? My thought was, get unscoped token, get available domain and project scopes for that token, let user select domain or project scope.11:14
robcresswellIdeally avoiding any hardcoding. I'd probably keep the default domain setting though, because thats always going to be useful for a single domain world.11:15
robcresswellNo rush to respond btw, I just happen to be dedicating my morning to keystone work :)11:16
jamielennoxrobcresswell: yea, when you ask what you can do with an unscoped token it is safe to assume the user knows what they can do so that's fine11:17
jamielennoxwhat i  mean is from a login page you typically don't want the user to have to know they're in the PEPSI.COM domain, they just want to type their username and password11:17
jamielennoxin some situations you might decide that that login page could access PEPSI.COM, PEPSI-DEV.COM and some other things11:17
jamielennoxbut you can't just ask keystone for all the domains because that would reveal other cloud customers11:18
robcresswellYep, understood11:18
robcresswellyeah iirc someone proposed a URL -> Domain mapping patch to Horizon11:18
jamielennoxayoung and i argued about this a few cycles ago, there was some specs proposed about domain visibility but i don't know what happened to them11:18
ayoungjamielennox, !11:19
jamielennoxayoung: oh, hey, didn't expect you to be up yet11:19
ayoungjamielennox, new project has me working European-friendly times11:19
ayoungroughly 6-3 My time11:20
ayoungSo, yeah, what do them mean by URL -> reads up11:20
jamielennoxayoung: i work with west-coasters now so i'm almost on a regular working day11:20
robcresswellDoesn't seem like it went anywhere :(11:21
jamielennoxrobcresswell: yea, that's part of this - but IMO if you want to go down that path just handle a list from environ and make people do the work in apache11:22
ayoungrobcresswell, Ok, so you need to separate how Keystone should work from how it does work....we've added at least one more abstraction than necessary11:23
ayoungDomains and IdPs really should be the same thing.11:23
ayoungIn both cases they are "where do I find my users"11:23
robcresswellRight, but you'd like to avoid average joe being domain aware at all11:24
ayoungKeystone really should not own the real users ,but it turns out is absolutely must be a place where we can create lighteweight things like service users etc11:24
ayoungrobcresswell, so, Federation is kindof the start of that11:25
ayoungits clunky, but the idea is that we need to reuse the corporate user ID system for most companies11:25
ayoungand, even in the case of Rackspace etc where the users are primarily there due to OpenStack, there is always a huge provisioning system11:26
* jamielennox poked the bear then goes to bed11:26
ayoungcuz, you know, payment11:26
ayounggnight Jamie11:26
jamielennoxrobcresswell: ping me if there's anything else i can help with later11:26
jamielennoxayoung: night11:26
ayoungrobcresswell, so, where I am headed is this:  set up Keystone, and then set up one horizon instance per IdP in  separate containers11:27
ayoungthen point your user at the appropriate Horizon instance11:27
ayoungand have that configured to only know about one IdP11:27
robcresswellnight jamielennox, thanks for the help!11:28
ayoungthat way, when you add a new IdP, or a new protocol for an existing IdP, you don't mess with the Apache config for all the other ones, and there is no service interruption. Also allows them to be configured for optimal user experience during login11:28
ayoungrobcresswell, I'm actually think in terms of a separate Keystone container per IdP as well.11:28
ayoungthe containers would not have routes set up for every IdP, just the one specific to it11:29
robcresswellayoung: Interesting setup, this is good to know11:29
ayoungrobcresswell, now the bad news11:29
ayoungrobcresswell, I'm no longer working on Keystone, or even OpenStack, full time.  I'm a heretic that has moved on.11:29
ayoungBut there is nothing preventing anyone from implementing what I just stated.  Its really a provisioning system problem to solve11:30
ayoungso Red Hat would have to make it work in Tripleo, and you in....whatever you do.11:30
ayoungrobcresswell, In Tripleo, they are just now moving over to containers, so it is necessary to get that up and working before we could push for that approach.  What are you using?11:31
*** namnh has quit IRC11:33
robcresswellayoung: I'm pretty detached from the deployers internally. Maintaining Horizon and learning about Ironic and Keystone is all I'm currently doing, while we figure out container work.11:34
ayoungrobcresswell, HA!11:35
robcresswellYeah, I'm "one of those"11:35
ayoungrobcresswell, so...I did this:
ayoungbut I have not yet done the Kubernetes equivalent, as I go stuck behind the Networking setup, and then had to get actual work donw11:36
robcresswellayoung: Most of our dev work right now is using kolla-k8s, and then I'm testing things with CORS for UI work. Drops all the boilerplate and working straight on to the API.11:40
ayoungrobcresswell, so, I think it could then work for you to go with the approach I just described11:40
robcresswellJust involves me hitting the server side guys with stick for a while until they add the CORS conf. Though oslo has made that trivial.11:40
robcresswellYeah, I think so, its an interesting design11:41
ayoungrobcresswell, cool,  now I'm back to figuring out how to use Kubernetes to migrate a running VM...11:43
robcresswellayoung: Ha, thanks for the input :)11:44
ayoungrobcresswell, you are welcome11:44
*** zhurong has quit IRC11:58
Anticimexayoung: neat, nice12:00
*** Jack_I has joined #openstack-keystone12:06
*** dave-mccowan has joined #openstack-keystone12:09
*** thorst has joined #openstack-keystone12:44
*** jamielennox is now known as jamielennox|away12:50
*** ngupta has joined #openstack-keystone12:50
*** edmondsw has joined #openstack-keystone13:04
*** lamt has joined #openstack-keystone13:10
*** ngupta has quit IRC13:10
*** ngupta has joined #openstack-keystone13:10
*** lamt has quit IRC13:14
*** ngupta has quit IRC13:15
*** venki has joined #openstack-keystone13:23
venkiI'm getting this error while building for devstack with ironic installation...13:25
venkiIssue is in keystone13:25
bretonvenki: we probably cannot tell anything from the part you showed13:27
venkiis there anything you need specifically ?13:29
Dinesh_Bhorvenki: not sure but this might help:
openstackLaunchpad bug 1515352 in devstack "duplicate for #1569167 Stacking fails on fedora 22 "Could not determine a suitable URL for the plugin"" [Undecided,Fix committed]13:32
*** venki has quit IRC13:34
*** Guest36874 is now known as zeus13:38
*** zeus has quit IRC13:39
*** zeus has joined #openstack-keystone13:39
*** rderose has joined #openstack-keystone13:39
*** rderose has quit IRC13:39
*** rderose has joined #openstack-keystone13:39
*** openstackgerrit has joined #openstack-keystone13:43
openstackgerritMerged openstack/keystone-specs master: Remove microversions spec from backlog
openstackgerritMerged openstack/keystone-specs master: Remove centralized policy delivery spec from backlog
*** dikonoor has joined #openstack-keystone13:47
samueldmqmorning keystone13:52
*** spilla has joined #openstack-keystone13:54
*** catintheroof has joined #openstack-keystone14:04
cmurphyhey keystone, I noticed that [ldap]/group_members_are_ids isn't one of the "whitelisted_options" which makes keystone-manage domain_config_upload fail if it is set14:07
cmurphyI'm wondering if that's on purpose or if it just got missed?14:07
lbragstadcmurphy that's a good question, i would think henrynash would know the answer to that14:32
lbragstadcmurphy seems like something that would change on a per domain basis though14:33
lbragstadmy initial gut feeling tells me that it just got missed14:34
cmurphythat's what I was guessing14:35
*** dikonoor has quit IRC14:39
lbragstadcmurphy there isn't a bug open for this yet is there?14:42
*** pnavarro has joined #openstack-keystone14:42
cmurphylbragstad: I haven't filed one and I don't see one14:44
cmurphyI can open one14:44
lbragstadcmurphy cool - i'm in launchpad opening another bug now... I can open one for the domain config issue if you have a trace?14:47
*** ngupta has joined #openstack-keystone14:48
cmurphyI just nuked the machine I was running it on, i'll have it back in a few minutes14:50
lbragstadcmurphy oh - no worries, i'll create a basic bug report and we can update it with stacktraces later14:53
cmurphylbragstad: mmk14:53
openstackLaunchpad bug 1670382 in OpenStack Identity (keystone) "[ldap]/group_members_are_ids isn't a whitelisted option" [Undecided,New]14:57
*** chlong__ has joined #openstack-keystone14:57
knikollao/ morning15:06
*** ngupta has quit IRC15:07
*** ngupta has joined #openstack-keystone15:07
*** lamt has joined #openstack-keystone15:11
*** venki has joined #openstack-keystone15:15
*** lucasxu has joined #openstack-keystone15:16
openstackgerritAnthony Washington proposed openstack/oslo.policy master: Add additional param to policy.RuleDefault
*** ngupta has quit IRC15:17
*** ngupta has joined #openstack-keystone15:18
*** david-lyle has quit IRC15:20
Aurelgad1ohello guys, i've been trying to configure the oidc driver to be use by both horizon and the cli, I got horizon working but I'm stuck with the cli... I updated on a ticket someone else opened weeks ago here :
openstackLaunchpad bug 1648580 in python-openstackclient "v3oidcpassword federated login error (argument count)" [Undecided,New]15:20
Aurelgad1oany help would be apreciated15:20
Aurelgad1oi'm pretty weak in python but if there's some work to do to get that working I'm willing to help15:21
*** aloga has quit IRC15:25
*** aloga has joined #openstack-keystone15:25
*** erlon has joined #openstack-keystone15:26
cmurphyAurelgad1o: I think it's known to not quite work yet
Aurelgad1oOoh thank you ... may I ask you how I should have used launchpad/gerrit/documentation/google to get to find this ? I dwelled into the code and google lots and lots without seeing once this page :-(15:30
Aurelgad1oSo what's the status of this bp ? is it going to be discussed in boston ?15:31
*** ravelar has joined #openstack-keystone15:33
cmurphyAurelgad1o: when/if that spec gets approved it will end up on and then google will be able to find it, i only knew about it because it was mentioned in a meeting15:38
Aurelgad1oalright thx15:39
*** venki has quit IRC15:40
*** rderose has quit IRC15:44
Aurelgad1obut I'm puzzled : if the feature doesn't work / is not implemented, why is it mentionned in the --help ?15:45
*** venki has joined #openstack-keystone15:50
knikollalbragstad: it's been a while since we merged the updated global requirements from the bot.15:59
knikollaany reason to hold off?16:00
robcresswelllbragstad: Quite a few places in the auth/token mgmt docs are missing that domain is required. Not sure if its a bug, or me being a noob.16:01
knikollarobcresswell: can you link to them?16:04
*** chris_hultin|AWA is now known as chris_hultin16:04
robcresswellyikes that link16:04
robcresswellSo at least, my env threw an error until I included the domain under scope.project.domain16:05
*** h5t4_ has quit IRC16:05
robcresswellSimilarly in explicit unscoped auth, domain is still required there, but isnt listed in the API docs I believe.16:06
knikollarobcresswell: the request part of that doc is really confusing. but generally, if you use name (for either user or project), you need domain. if you use id, you don't.16:06
robcresswellahh, interesting16:06
knikollarobcresswell: yes, i see they fail to mention domain entirely.,16:06
knikollarobcresswell: names are not unique across domains, that's why.16:07
knikollarobcresswell: but ids are.16:07
robcresswellprobably want that listed as optional. As it happens the error is perfect; it literally told me I was missing domain in field X.16:07
robcresswellknikolla: Yep, makes sense16:07
knikollarobcresswell: i16:07
knikollai'll have a patch soon to add domain as optional.16:07
knikollathanks for pointing it out :)16:07
robcresswellknikolla: No problem. Thought I'd just flag it while I'm working through it all16:08
*** rcernin has quit IRC16:08
openstackgerritSean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios
lbragstadknikolla done16:14
venkiI'm installing devstack with ironic, while I encounters an issue16:15
venkiissue is in create_keystone_accounts16:16
venkianyone pls help16:16
knikollavenki: can you curl the OS_AUTH_URL there?16:17
*** david-lyle has joined #openstack-keystone16:17
knikollalbragstad: cool. :)16:17
*** pnavarro has quit IRC16:18
venkiKnikolla :  getting "500 Internal Server Error"16:19
lbragstadvenki can you check your keystone logs?16:20
knikollavenki: if you do "screen -r" you'll have access to the screens with the logs16:20
lbragstadvenki you should also be able to see them from /var/log/apache/keystone.log16:21
knikollalbragstad: right. i figure it's easier that than to explain the usage of screen. haha16:21
*** david-lyle has quit IRC16:22
venki@knikolla @lbragstad /var/log/apache/keystone.log16:28
dstanekvenki: that seems like devstack isn't installing the correct dependencies16:29
*** ngupta_ has joined #openstack-keystone16:30
lbragstadvenki are you using the latest devstack and is this a brand new installation?16:30
venkii cleaned and reinstalled the devstack many times...16:30
venkiI'm getting the same error....16:30
venkiI dono what to do..16:30
lbragstadvenki when that happens to me I usually just destroy the VM and start over16:31
lbragstadwith a fresh installation16:32
*** lucasxu has quit IRC16:32
lbragstadvenki in my experience, devstack isn't very re-useable16:32
*** ngupta has quit IRC16:34
*** ngupta_ has quit IRC16:35
venkioh okey okey.... I will do the same...16:37
venkithanks guys....16:37
*** h5t4_ has joined #openstack-keystone16:38
lbragstadvenki keep us posted if you run into anymore issues16:44
*** rderose has joined #openstack-keystone16:46
openstackgerritAnthony Washington proposed openstack/keystone master: API-ref return code fix
venkiyeah sure @lbragstad16:54
lbragstadrderose i have one comment on but other than that - i think that spec looks good16:55
lbragstadantwash aha - nice ^16:55
*** chris_hultin is now known as chris_hultin|AWA16:58
*** ngupta has joined #openstack-keystone16:58
*** browne has joined #openstack-keystone16:59
*** _cjones_ has joined #openstack-keystone16:59
*** aasthad has joined #openstack-keystone17:01
*** mgagne_ has quit IRC17:05
*** mgagne_ has joined #openstack-keystone17:05
*** ngupta has quit IRC17:06
*** lamt has quit IRC17:06
openstackgerritRichard Avelar proposed openstack/keystone master: Add group_members_are_ids to whitelisted options
*** tesseract has quit IRC17:10
*** lamt has joined #openstack-keystone17:17
*** david-lyle has joined #openstack-keystone17:18
*** david-lyle has quit IRC17:24
*** venki has quit IRC17:24
*** ngupta has joined #openstack-keystone17:27
*** rcernin has joined #openstack-keystone17:27
*** ravelar1 has joined #openstack-keystone17:29
*** ravelar has quit IRC17:29
*** lamt has quit IRC17:29
*** david-lyle has joined #openstack-keystone17:30
*** ravelar1 is now known as ravelar17:30
*** lamt has joined #openstack-keystone17:31
*** lucasxu has joined #openstack-keystone17:33
*** agrebennikov has joined #openstack-keystone17:38
rderoselbragstad: thanks, replied to your comment17:44
rderoselbragstad: as that is pretty minor change, wondering if we can push this through :)17:44
lbragstadrderose sure - if we get a follow on patch up, we can fast follow it17:46
rderoselbragstad: sweet!17:47
*** mvk has quit IRC17:49
*** dikonoor has joined #openstack-keystone17:50
*** jaosorior has quit IRC17:58
*** chris_hultin|AWA is now known as chris_hultin17:59
*** dikonoor has quit IRC18:00
*** chlong__ has quit IRC18:08
openstackgerritMorgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes
*** sreenath has quit IRC18:18
*** jaugustine has joined #openstack-keystone18:27
*** mvk has joined #openstack-keystone18:31
openstackgerritColleen Murphy proposed openstack/keystone master: Whitelist ldap group configs
*** spotz is now known as spotz_zzz18:42
*** spotz_zzz is now known as spotz18:43
*** lamt has quit IRC18:49
*** lucasxu has quit IRC18:55
*** Kris__ has joined #openstack-keystone18:55
openstackgerritRichard Avelar proposed openstack/keystone master: Add group_members_are_ids to whitelisted options
*** pcaruana has quit IRC19:04
*** MasterOfBugs has joined #openstack-keystone19:09
*** pcaruana has joined #openstack-keystone19:15
*** Kris__ has quit IRC19:18
*** basilAB_ has joined #openstack-keystone19:26
* notmorgan looks around.19:29
*** chlong has joined #openstack-keystone19:31
* ravelar waves from across empty room at notmorgan19:45
*** markvoelker_ has quit IRC19:47
*** lamt has joined #openstack-keystone19:48
* stevemar tosses tomatoes at ravelar and notmorgan20:01
* stevemar runs away20:01
* notmorgan watches stevemar get caught in the trap at the edge of the room, "HAH! now you must review code for openstack again"20:02
*** h5t4_ has quit IRC20:15
rcerninayoung: notmorgan: may i ask you about recommendation with keystone caching for production?20:20
notmorganoh sure20:20
notmorganrcernin: happy to help20:21
rcerninawesome what is preferred for keystone caching in production environment? looked thru the docs and its not memcached but not sure whats best option. we talk about 1000 tokens/min in db and need to increase performance.20:21
*** Jack_I has quit IRC20:22
notmorganwell, honestly, memcache is the easiest to setup20:22
notmorganthe other option that works (and has some differing performance profiles) is Redis20:22
notmorganit really depends on what you're production engineering expertise is.20:22
notmorgani fall back to what the people maintaining the cloud are most comfortable with20:22
notmorganthe short answer is "caching is recommended"20:23
rcerninnotmorgan: sure it is, do you have any examples for the above two?20:23
notmorganboth in keystone and setup in the keystone-middleware config for the other services20:23
rcerninnotmorgan: we could try both, check performance and see which makes better results.20:23
notmorgani really only have spent time with memcache, and the improvement in devstack was significant, 20-40% (sometimes hirer)20:24
*** markvoelker has joined #openstack-keystone20:24
notmorgani know some folks use redis, and it is supported since dogpile supports it20:24
rcerninare they are complex to configure? or is there any upstream docs to help configuring it?20:24
notmorganmemcache is super super easy to configure. Mostly it is "install and turn on" and if you have large amounts of data, increase the memory allocation for the memcache sever. Keystone and keystone-middleware configurations are pretty straightforward for caching20:25
notmorganredis has a lot more tunables on the backend.20:25
notmorganand keystonemiddleware (afaik) doesn't do redis yet20:25
notmorganbut keystone caching alone is significant20:26
notmorgan is where I'd start for keystonemiddleware20:27
notmorgan is for keystone or
notmorganthe biggest key recommendation is ensure that the memcache servers used for the non-keystone endpoints are shared if at all possible20:28
* rcernin reading20:28
notmorganthis will accelerate the validation as the first service that validates a token will cache the value20:28
notmorganand in the case of (say booting a server) some actions, the service will utilize the user's token to talk to another service (e.g. Nova -> Glance to get the image)20:29
notmorgannova will have validated the token and glance then benefits from the cached validation20:29
notmorganbasically, caching is a very large win in OpenStack for token validation(s).20:30
*** bknudson_ has left #openstack-keystone20:34
rcerninnotmorgan: thanks man!20:41
notmorganrcernin: happy to help20:42
*** chlong has quit IRC20:48
openstackgerritSean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios
*** jamielennox|away is now known as jamielennox21:00
*** raildo has quit IRC21:01
*** lucasxu has joined #openstack-keystone21:06
*** pcaruana has quit IRC21:13
-openstackstatus- NOTICE: restarting gerrit to address performance problems21:16
eanderssonbtw talking about memcached - how does sharding work? e.g. if you have two memcached instances, and one dies, will the other one naturally take over?21:17
*** adriant has joined #openstack-keystone21:21
notmorganeandersson: that really depends on the dogpile backend and the library it is based upon21:35
*** adriant has quit IRC21:41
*** catintheroof has quit IRC21:44
*** catintheroof has joined #openstack-keystone21:45
*** catintheroof has quit IRC21:49
notmorganlbragstad: our functional tests are horked: 2017-03-06 20:20:21.028667 | sudo: .tox/all-plugin/bin/testr: command not found21:58
lbragstadi wonder what happened there21:59
openstackgerritSujitha proposed openstack/oslo.policy master: Allow multiline descriptions for RuleDefaults
notmorgan is where i saw it first.21:59
notmorganthis is the hash fix thing, looks like something isn't installing testr in the right place?21:59
notmorganor now it's looking in the wrong place for it?22:00
*** lamt has quit IRC22:00
*** jaugustine has quit IRC22:01
*** thorst has quit IRC22:04
*** thorst has joined #openstack-keystone22:05
*** spilla has quit IRC22:07
openstackgerritGage Hugo proposed openstack/python-keystoneclient master: Remove pbr warnerrors in favor of sphinx check
*** thorst has quit IRC22:09
*** edmondsw has quit IRC22:12
*** edmondsw has joined #openstack-keystone22:13
*** ravelar has quit IRC22:14
*** dave-mccowan has quit IRC22:17
*** edmondsw has quit IRC22:17
*** lamt has joined #openstack-keystone22:20
*** adriant has joined #openstack-keystone22:22
*** chris_hultin is now known as chris_hultin|AWA22:28
*** lucasxu has quit IRC22:28
*** lamt has quit IRC22:40
*** ravelar has joined #openstack-keystone22:45
*** lamt has joined #openstack-keystone22:49
*** ravelar has quit IRC22:50
oomichirodrigods: hi, can I ask a question about used keystone APIs on the other core-projects?22:54
openstackgerritSujitha proposed openstack/oslo.policy master: Allow multiline descriptions for RuleDefaults
*** ngupta has quit IRC23:06
*** ngupta has joined #openstack-keystone23:06
*** pramodrj07 has joined #openstack-keystone23:07
openstackgerritGage Hugo proposed openstack/keystone-specs master: Remove pbr warnerrors in favor of sphinx check
*** ngupta has quit IRC23:10
*** lamt has quit IRC23:11
rodrigodsoomichi, sure! go ahead :)23:11
oomichirodrigods: thanks :)   I'd like to know the used keystone API versions by the other core-projects for line 37-4123:12
oomichirodrigods: I don't know which API version is used on authentication of token on the other projects23:13
rodrigodsoomichi, that's a good question23:13
oomichirodrigods: is that v2 or v3 or configurable?23:13
rodrigodshas been a while that we are pushing the usage of v3 and the support status should be documented somewhere23:13
rodrigodslet me try to find23:13
notmorganeverythihing at this point should be able to use v3 (at least the "core" projects)23:14
rodrigodsoomichi, should be any of them, although there was known some projects that had issues with v323:14
notmorganas long as you configure v323:14
rodrigodsand the usage of v2.0 and v3 should be configurable23:14
notmorganin other words, don't configure them to use v2 if at all avoidable, and if it breaks it is a bug and needs to be filed asap23:14
rodrigodsoomichi, what notmorgan said ^ :)23:14
notmorganv2.0 is deprecated (a while now) and v2.0 auth is also deprecated with a pike+4 removal plan23:15
notmorganv2.0 crud earlier removal23:15
oomichirodrigods: notmorgan: Thanks, that is good plan :)  We will change auth_version to v3 on tempest side:
rodrigodsthanks oomichi23:17
oomichirodrigods: notmorgan: which config file we can config it on the other projects ?23:17
notmorgandepends on the project23:17
oomichiI guess it would be on some middleware23:17
notmorganmost of them need it to be set in the keystone_authtoken section and some projects need it elsewhere too23:18
notmorgan(i think nova and neutron specificlaly need it elsewhere in nova/neutron.conf)23:18
notmorganmost of the time it goes in the keystone_authtoken section, and afaik that has all been v3-ified in devstack23:18
*** rcernin has quit IRC23:19
oomichinotmorgan: Thanks for the info, I will dig it on the keystone_authtoken section :)23:22
*** gyee has joined #openstack-keystone23:46
openstackgerritMerged openstack/keystone master: Updated from global requirements

Generated by 2.14.0 by Marius Gedminas - find it at!