Tuesday, 2018-03-06

*** r-daneel has quit IRC		00:12
openstackgerrit	yangweiwei proposed openstack/keystone master: Fix user email in federated shadow users https://review.openstack.org/549723	01:10
*** germs has joined #openstack-keystone		01:11
*** germs has quit IRC		01:40
*** gongysh has joined #openstack-keystone		02:10
*** gongysh has quit IRC		02:35
openstackgerrit	yangweiwei proposed openstack/keystone master: Fix user email in federated shadow users https://review.openstack.org/549723	02:58
*** zhurong has joined #openstack-keystone		03:05
*** harlowja has quit IRC		03:18
*** masuberu has quit IRC		03:34
*** nicolasbock has quit IRC		03:34
*** germs has joined #openstack-keystone		03:40
*** germs has quit IRC		03:40
*** germs has joined #openstack-keystone		03:40
*** germs has quit IRC		03:45
*** oikiki has quit IRC		03:48
*** links has joined #openstack-keystone		03:51
*** gyee has quit IRC		04:03
*** idlemind has quit IRC		04:11
*** itlinux has joined #openstack-keystone		04:19
*** masber has joined #openstack-keystone		04:23
*** bhagyashris has joined #openstack-keystone		04:28
*** zhurong has quit IRC		04:48
*** harlowja has joined #openstack-keystone		05:12
*** markvoelker has quit IRC		05:27
*** threestrands has quit IRC		06:14
*** namnh has joined #openstack-keystone		06:21
*** markvoelker has joined #openstack-keystone		06:27
*** harlowja has quit IRC		06:29
*** itlinux has quit IRC		06:37
*** AlexeyAbashkin has joined #openstack-keystone		06:52
openstackgerrit	Kairat Kushaev proposed openstack/keystoneauth master: use defusedxml for XML parsing https://review.openstack.org/536761	06:54
*** martinus__ has joined #openstack-keystone		07:08
*** rcernin has quit IRC		07:14
*** Krenair has quit IRC		07:26
*** Krenair has joined #openstack-keystone		07:27
*** felipemonteiro has joined #openstack-keystone		07:29
*** Krenair has quit IRC		07:37
*** Krenair has joined #openstack-keystone		07:40
*** Krenair has joined #openstack-keystone		07:40
*** namnh has quit IRC		07:48
*** AlexeyAbashkin has quit IRC		07:50
*** Krenair has quit IRC		07:59
*** Krenair has joined #openstack-keystone		08:09
*** Krenair has quit IRC		08:25
*** tesseract has joined #openstack-keystone		08:32
*** felipemonteiro has quit IRC		08:39
*** Krenair has joined #openstack-keystone		08:41
*** pcaruana has joined #openstack-keystone		08:44
*** zhurong has joined #openstack-keystone		08:45
*** thomasduval has joined #openstack-keystone		08:47
*** thomasduval has left #openstack-keystone		08:48
*** thomasduval has joined #openstack-keystone		08:48
*** thomasduval has quit IRC		08:48
*** pcaruana has quit IRC		08:54
*** masber has quit IRC		09:09
*** kmARC has quit IRC		09:15
*** AlexeyAbashkin has joined #openstack-keystone		09:17
*** rcernin has joined #openstack-keystone		09:44
*** dims has quit IRC		09:45
*** dims has joined #openstack-keystone		09:49
*** d0ugal has quit IRC		09:50
*** sticker has joined #openstack-keystone		09:55
*** d0ugal has joined #openstack-keystone		10:07
*** masber has joined #openstack-keystone		10:28
*** AlexeyAbashkin has quit IRC		11:05
*** AlexeyAbashkin has joined #openstack-keystone		11:16
*** MeltedLux has quit IRC		11:56
*** MeltedLux has joined #openstack-keystone		11:56
*** nicolasbock has joined #openstack-keystone		12:25
*** mvk has quit IRC		12:33
*** zhurong_ has joined #openstack-keystone		12:54
*** aojea_ has joined #openstack-keystone		13:01
*** zhurong has quit IRC		13:02
*** panbalag has joined #openstack-keystone		13:12
*** panbalag has left #openstack-keystone		13:15
*** markvoelker has quit IRC		13:24
*** markvoelker has joined #openstack-keystone		13:24
*** edmondsw has joined #openstack-keystone		13:27
*** gongysh has joined #openstack-keystone		13:40
*** zhurong_ has quit IRC		13:42
*** szaher has quit IRC		13:42
*** mvk has joined #openstack-keystone		13:46
*** jaosorior has quit IRC		13:49
*** szaher has joined #openstack-keystone		13:49
*** jaosorior has joined #openstack-keystone		13:49
*** jaosorior has quit IRC		13:49
*** jaosorior has joined #openstack-keystone		13:51
*** itlinux has joined #openstack-keystone		13:55
*** szaher has quit IRC		14:00
*** szaher has joined #openstack-keystone		14:07
*** germs has joined #openstack-keystone		14:11
*** germs has quit IRC		14:11
*** germs has joined #openstack-keystone		14:11
hamzy	lbragstad, I took a stab http://paste.openstack.org/show/693357/ but seem to be missing something. How do you get it to actually try and load a driver and throw an exception if not found?	14:13
*** r-daneel has joined #openstack-keystone		14:16
hamzy	and for anyone else really :)	14:17
*** germs has quit IRC		14:22
*** sapd__ has joined #openstack-keystone		14:27
*** jaosorior has quit IRC		14:29
*** sapd_ has quit IRC		14:31
*** r-daneel has quit IRC		14:33
*** aojea_ has quit IRC		14:39
*** idlemind has joined #openstack-keystone		14:43
knikolla	o/	14:46
*** gongysh has quit IRC		14:49
*** r-daneel has joined #openstack-keystone		14:56
*** sticker has quit IRC		15:03
*** jaosorior has joined #openstack-keystone		15:04
*** spilla has joined #openstack-keystone		15:04
*** itlinux has quit IRC		15:09
openstackgerrit	Sam Yaple proposed openstack/keystone master: [WIP] Extend bindep usage https://review.openstack.org/549223	15:18
*** links has quit IRC		15:24
*** masber has quit IRC		15:28
openstackgerrit	Johannes Grassler proposed openstack/keystone-specs master: Added trust-scope-extensions https://review.openstack.org/396331	15:35
*** rcernin has quit IRC		15:43
ayoung	>>> from keystone.server import wsgi	15:45
ayoung	>>> app = wsgi.initialize_admin_application()	15:45
ayoung	>>> print (app['/v3'].application.application.application.application.application.application)	15:45
ayoung	<keystone.middleware.auth.AuthContextMiddleware object at 0x7ff170993b70>	15:45
ayoung	>>> print (app['/v3'].application.application.application.application.application.application.application)	15:46
ayoung	...	15:46
ayoung	2018-03-06 10:45:51.913 17800 ERROR keystone AttributeError: 'AuthContextMiddleware' object has no attribute 'application'	15:46
ayoung	so down that whole chain it is application objects, until we get to AuthContextMiddleware	15:46
ayoung	then what	15:46
ayoung	that chain is set up from the paste:	15:47
ayoung	[pipeline:api_v3]	15:47
ayoung	pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3	15:47
ayoung	I want to walk it down to service_v3	15:47
ayoung	and eventually print out the map of URL to functions...	15:48
ayoung	to get the policy enforcement points	15:48
ayoung	@kmalloc, any idea?	15:49
ayoung	OK./..too early for him...lets go to the WSGI app and see if we can figure it out from there	15:52
*** aojea_ has joined #openstack-keystone		15:57
*** jaosorior has quit IRC		15:58
ayoung	ok, so keystone.common.wsig.MiddleWare, base class for this:	16:08
ayoung	response = request.get_response(self.application)	16:08
ayoung	but this class is not a Middleware, so...	16:09
ayoung	AuthContextMiddleware(provider_api.ProviderAPIMixin,	16:09
*** itlinux has joined #openstack-keystone		16:09
ayoung	doesn't do much, just provides a getattr impl	16:09
ayoung	auth_token.BaseAuthProtocol	16:10
ayoung	from keystonemiddleware import auth_token	16:10
ayoung	that is in __init__.py	16:11
ayoung	__call__(self, req): does this	16:11
ayoung	response = req.get_response(self._app)	16:11
ayoung	ok...so moving on...	16:12
*** sapd__ has quit IRC		16:17
*** sapd__ has joined #openstack-keystone		16:17
*** sapd__ has quit IRC		16:19
*** sapd__ has joined #openstack-keystone		16:20
*** aojea_ has quit IRC		16:23
ayoung	OK this worked....	16:27
ayoung	for route in composing._router.mapper.matchlist:	16:27
ayoung	print(route.routepath)	16:27
ayoung	composing was defined as	16:27
ayoung	composing = app['/v3'].application.application.application.application.application.application._app.application.application.application.application	16:28
ayoung	Blog post incipient	16:28
*** germs has joined #openstack-keystone		16:39
*** germs has quit IRC		16:39
*** germs has joined #openstack-keystone		16:39
*** kevinbenton has quit IRC		16:41
knikolla	ayoung: your blog posts are always a nice resource	16:43
*** germs has quit IRC		16:43
*** kevinbenton has joined #openstack-keystone		16:43
*** mvk has quit IRC		16:54
*** AlexeyAbashkin has quit IRC		16:57
*** panbalag has joined #openstack-keystone		17:01
openstackgerrit	Johannes Grassler proposed openstack/keystone-specs master: Added trust-scope-extensions https://review.openstack.org/396331	17:17
cmurphy	lbragstad: I won't make the meeting tonight, and I will probably be late for office hours, but I tried to go through the roadmap etherpad and firm up my commitment to things	17:19
lbragstad	cmurphy: ack - thanks for the heads up	17:19
lbragstad	i don't expect us to go through a whole lot today - i would imagine people are fighting jet lag	17:20
lbragstad	and just getting caught up	17:20
*** gyee has joined #openstack-keystone		17:33
*** aojea_ has joined #openstack-keystone		17:51
*** oikiki has joined #openstack-keystone		18:07
*** AlexeyAbashkin has joined #openstack-keystone		18:26
*** tesseract has quit IRC		18:27
*** AlexeyAbashkin has quit IRC		18:30
*** rarora has quit IRC		18:37
*** jmlowe has joined #openstack-keystone		18:39
*** harlowja has joined #openstack-keystone		18:39
*** germs has joined #openstack-keystone		18:39
*** germs has quit IRC		18:39
*** germs has joined #openstack-keystone		18:39
*** germs has quit IRC		18:44
*** aojea_ has quit IRC		19:00
*** oikiki has quit IRC		19:03
lbragstad	#startmeeting keystone-office-hours	19:05
openstack	Meeting started Tue Mar 6 19:05:36 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	19:05
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	19:05
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		19:05
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"		19:05
openstack	The meeting name has been set to 'keystone_office_hours'	19:05
kmalloc	sorry for being a bit late for office hours/missing meeting	19:07
hamzy	I took a stab http://paste.openstack.org/show/693357/ but seem to be missing something. How do you get it to actually try and load a driver and throw an exception if not found?	19:07
*** oikiki has joined #openstack-keystone		19:08
lbragstad	kmalloc: no worries	19:09
lbragstad	hamzy: i can take a look today	19:09
hamzy	sure, I know you are busy... I was also trying to get other input as well	19:10
hamzy	I know pretend running things in mock is challenging	19:12
*** germs has joined #openstack-keystone		19:13
*** germs has quit IRC		19:13
*** germs has joined #openstack-keystone		19:13
kmalloc	lbragstad: i was cleaning up tempered glass :( it's been hours of finding yet again more glass on the floor	19:16
lbragstad	that doesn't sound fun	19:16
kmalloc	nope, it has not been fun	19:18
*** portdirect has quit IRC		19:41
*** portdirect has joined #openstack-keystone		19:42
*** germs has quit IRC		19:45
*** mvk has joined #openstack-keystone		19:58
*** david-lyle has joined #openstack-keystone		20:08
cmurphy	o/	20:09
cmurphy	we're not going over roadmap stuff in this office hours?	20:10
*** david-lyle has quit IRC		20:15
ayoung	cmurphy, https://review.openstack.org/#/c/396331/7/specs/keystone/rocky/trust-scope-extensions.rst is almost exactly my RBAC in middleware spec	20:27
knikolla	ayoung: yep, more or less.	20:28
knikolla	but only for application credentials.	20:28
cmurphy	ayoung: it has a lot of the same elements	20:28
ayoung	I was trying to avoid "get a whitelist during token validation" but beyond that...it just adds the ability to lock it down to a specific instance of a templatized URL, which I totally dig	20:28
cmurphy	awesome	20:29
ayoung	cmurphy, so I think we can automate some of the "map from URL to policy" that was a sticking point	20:29
*** jmlowe has quit IRC		20:29
ayoung	https://adam.younglogic.com/2018/03/inspecting-keystone-routes/	20:29
ayoung	that means we can get a list of the URL routes:	20:29
ayoung	a little more probing and I think I can generate a list like this:	20:30
ayoung	GET /users/{user_id} keystone.identity.controllers.Controller#get_user	20:30
ayoung	to be able to figure out what function is called. Then...maybe I can use some of the same techniques as the callgraph package to figure out what policy gets called	20:31
knikolla	ayoung: would that work for services outside of keystone?	20:31
ayoung	I tried pycallgraph but it got too much in it	20:31
ayoung	knikolla, I think so?	20:31
ayoung	knikolla, it would have to be adapted to each, of course, but once we get the mechanism down, I don't think it would be too bad	20:32
cmurphy	ayoung: why is that mapping a requirement?	20:32
cmurphy	this spec proposes a layer before even hitting policy	20:33
ayoung	cmurphy, so was mine, and there was the argument that it was not sufficient	20:33
ayoung	sometimes the policy is deep in the code.	20:33
ayoung	for example, we might want to have different policy for someone creating a project under a domain/top level than nested under another project	20:33
knikolla	ayoung: the rbac-in-middleware proposed restricting an entire users access. this is just about whitelisting just an app cred to a specific operation. scope is broadly different.	20:34
ayoung	so, yeah, I wanted to enforce RBAC in middleware, just like he is proposing	20:34
ayoung	knikolla, heh...his is the degenerate case.	20:34
ayoung	knikolla, and I don't want to do it just for app creds	20:35
ayoung	get it down to 1 role per operation	20:35
ayoung	make a Fernet token format that can have exactly one role specified in it	20:35
ayoung	and make it possible to request tokens with a subset of a users roles	20:35
ayoung	so, yeah, we can build a whole new mechanism, or we can build on top of what we have	20:36
lbragstad	cmurphy: i think hrybacki was planning on doing that next week during office hours	20:36
ayoung	knikolla, you aslo need to know "what role do I need to perform this operation" in the first place	20:36
ayoung	otherwise, the app-cred thing is going to break if the roles are ever updated	20:37
cmurphy	ayoung: we don't want to deal with roles at all here	20:37
ayoung	we would have built a parallel strucutre and locked us in to the current role scheme	20:37
cmurphy	we don't want to solve the "what role do i need" question yet	20:37
cmurphy	it's just a simple front end layer in front of the current rbac implementation	20:37
ayoung	cmurphy, Heh	20:37
ayoung	just?	20:37
cmurphy	heh	20:38
ayoung	So, yeah, we are going to screw with RBAC no matter what, either implicitly or explicitly	20:38
ayoung	I'd rather have a single access control mechanism than two	20:39
cmurphy	I disagree in the short term	20:39
*** david-lyle has joined #openstack-keystone		20:39
ayoung	cmurphy, there is no short term in keystone	20:39
ayoung	I worked on this longer than my wife was in Grad school	20:39
ayoung	cmurphy, OK, here's an example where things will break	20:41
ayoung	say I want to delegate to another user the ability to create a server, but, unknown to me, nova makes a Cinder call to mount the volume. If I only delegate Nova /server/create it will fail, and I won't know when it fails.	20:42
ayoung	how do we determine: this is what you need to have in order to perform this operation	20:43
ayoung	people will not be able to build fine grained delegations like these without a catalog of that	20:43
ayoung	so, the thing that I am doing to pull out the policy? It should also be able to pull out calls to other services	20:43
ayoung	lets generate that graph, and work from that information	20:44
*** jmlowe has joined #openstack-keystone		20:44
ayoung	Please don't disregard all of the effort, time, and discussion that went in to the previous design because this one looks simpler at the surface. There are rocks under the waves.	20:45
ayoung	We are also leaving security holes open if we do not address the RBAC approach properly.	20:45
cmurphy	ayoung: what if we could build on the service token support to delegate those implicit calls like mount volume?	20:46
ayoung	cmurphy, that is still based on the original user having that permission	20:46
cmurphy	ayoung: they do have that permission because they have a role that allows it	20:46
ayoung	the ervice token just adds to it the constraint that it can only be done in conjunction with the service token	20:47
ayoung	so either it is "all users can do this" or "none"	20:47
ayoung	somestimes you have to create the volume explicitly first, and do that by downloading an image from Glance. Lots of use cases. We don't want to hard code the access for them	20:48
cmurphy	if the specific use case is an application that must create volumes and download glance images explicitly then the user would build that into their whitelist	20:48
knikolla	i think using service tokens takes us to dangerous territory. what if we don't want that app cred to create volumes, but they can do so by creating a server and then shutting it down?	20:49
cmurphy	if it's relying on nova implicitly doing things for them then i think we could finagle the service token to proxy the request for them when they already have a traditional role that allows them to do that	20:49
ayoung	So...if we are willing to entertain the extensions he's proposing, we should be wiling to entertain the RBAC in middleware. It is the more general solution, and can be extended to cover his use cases by providing "fill in the template with these values"	20:49
ayoung	and it allows a user with Admin to not provide full admin when making an interactive call to a third party service	20:50
ayoung	and supports trusts and oauth	20:50
*** spilla has quit IRC		20:51
ayoung	and allows an admin to set up the delegations, not just the end user	20:51
ayoung	win -win all around	20:51
*** david-lyle has quit IRC		20:52
cmurphy	what i like about this approach is 1) it's not an overhaul of how things already work, we can work on converging them incrementally 2) the policy mapping isn't stored in keystone, it's all contained in the application credential (or trust)	20:54
ayoung	the application credential is stored in keystone	20:55
ayoung	you still need that knowledge somehow	20:55
cmurphy	when you get a token with the application_credential method it could contain the whitelist	20:56
*** aojea_ has joined #openstack-keystone		21:01
cmurphy	ayoung: we also don't have a way right now for users to create their own roles, so we would need every possible role created out of the box in order for this to be self-service, and we don't even have a read-only role out of the box	21:02
ayoung	cmurphy, which is a far more pressing request	21:04
ayoung	we've had a request for a read only role for years	21:04
cmurphy	ayoung: it's on the roadmap for this cycle too https://etherpad.openstack.org/p/rocky-PTG-keystone-policy-roadmap	21:04
ayoung	essentially, you are saying that the existing stuff is so broken that you don't want to fix it, and instead bolt something on over the top. I don't fault you for that attitude, as it is a painful path to fix.	21:05
cmurphy	ayoung: i'm not saying i don't want to fix it, i'm saying we can take incremental realistic steps toward fixing it	21:05
cmurphy	we can't overhaul it	21:05
*** aojea_ has quit IRC		21:05
ayoung	cmurphy, and I am saying that if you pursue this approach without fixing the underlying RBAC you will paint yourself into a corner	21:06
ayoung	yes, you can do it, but then you won;t be able to change roles, because this mechanism will assume the current role structure	21:06
ayoung	lets focus on fixing RBAC, and then do this on top of that,	21:06
*** r-daneel_ has joined #openstack-keystone		21:07
*** r-daneel has quit IRC		21:08
*** r-daneel_ is now known as r-daneel		21:08
cmurphy	"this mechanism will assume the current role structure" all of openstack assumes the current role structure, the only way we can change it is by doing it incrementally	21:11
ayoung	cmurphy, and that is what I have spent years laying out	21:13
ayoung	yeaahs as they say here in Boston	21:13
ayoung	lets fix policy.	21:13
ayoung	lets fix RBAC	21:13
ayoung	no new mechanisms that work around the brokenness	21:14
ayoung	GAh...callgraph needs full code...	21:14
-openstackstatus- NOTICE: The infrastructure team is aware of replication issues between review.openstack.org and github.com repositories. We're planning a maintenance to try and address the issue. We recommend using our official supported mirrors instead located at https://git.openstack.org.		21:18
ayoung	cmurphy, so I origianlly had RBAC in middleware fetching the URLs during token validation phase.	21:18
ayoung	either the data was too big	21:19
ayoung	you coulod easily do a hash value in to token that, if it does not exist, fetch the data you need from Keystone. It would be the equivalent to what he's doing there.	21:20
ayoung	and store the rbac rules by the hash	21:20
ayoung	in Memcache	21:20
ayoung	so, reconcile the two and you'll have my full support. Ignore me and work around me and I'll just be sad and grumpy	21:21
cmurphy	ayoung: i think the data won't be too big because we're not fetching the whole mapping for all the policies, we're just fetching a short whitelist and we could even limit the list size	21:23
ayoung	cmurphy and then your are limiting it to your use cases	21:23
*** david-lyle has joined #openstack-keystone		21:24
cmurphy	ayoung: i can't argue that, but i believe we can build something that solves the end-user case and works now and work in parallel on fixing rbac, i'm not convinced they're in conflict	21:28
*** germs has joined #openstack-keystone		21:31
*** germs has quit IRC		21:31
*** germs has joined #openstack-keystone		21:31
*** germs has quit IRC		21:35
*** afred312 has quit IRC		21:41
*** david-lyle has quit IRC		21:41
lbragstad	hamzy: i think you're missing a callable in http://paste.openstack.org/show/693357/	21:44
lbragstad	hamzy: http://paste.openstack.org/show/693465/ works for me but it could be generalized instead of being a token test	21:47
lbragstad	(since it doesn't really have anything to do with tokens anymore)	21:47
*** dave-mccowan has quit IRC		21:49
*** david-lyle has joined #openstack-keystone		21:51
*** threestrands has joined #openstack-keystone		21:54
lbragstad	#endmeeting	22:00
*** openstack changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"		22:00
openstack	Meeting ended Tue Mar 6 22:00:14 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	22:00
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-03-06-19.05.html	22:00
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-03-06-19.05.txt	22:00
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-03-06-19.05.log.html	22:00
*** aojea_ has joined #openstack-keystone		22:02
*** r-daneel_ has joined #openstack-keystone		22:03
*** r-daneel has quit IRC		22:04
*** r-daneel_ is now known as r-daneel		22:04
*** itlinux has quit IRC		22:04
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Repropose JWT specification for Rocky https://review.openstack.org/541903	22:06
*** aojea_ has quit IRC		22:07
*** aojea_ has joined #openstack-keystone		22:12
*** david-lyle has quit IRC		22:13
*** aojea_ has quit IRC		22:16
*** rcernin has joined #openstack-keystone		22:20
*** david-lyle has joined #openstack-keystone		22:30
hamzy	thanks lbragstad, I did verify the working and nonworking by changing the string. How about instead of test_import_error_for_uuid_provider I call it test_import_error_for_missing_provider since the uuid function just generates a random string?	22:30
*** germs has joined #openstack-keystone		22:36
*** germs has quit IRC		22:36
*** germs has joined #openstack-keystone		22:36
lbragstad	hamzy: yeah - that's probably fine but we might be able to pull it into a more general location	22:37
lbragstad	or - if you use the config_fixture like you were doing originally, it could live in the module you had it in	22:38
lbragstad	i think you'd just need to call load_backends?	22:38
hamzy	up one directory for choice 1?	22:39
*** martinus__ has quit IRC		22:39
lbragstad	but the crux of the issue you were hitting with the test was probably due to the a missing callable in the assertRaisesRegex()	22:39
hamzy	yes, I was not calling manager.load_driver	22:39
*** david-lyle has quit IRC		22:40
hamzy	so do you want 1) move your test somewhere else or 2) write a test using config_fixture in the current location	22:41
lbragstad	i'm not seeing a module for testing common manager functionality	22:41
lbragstad	so maybe 2 will be easier for the sake of a fix	22:42
*** felipemonteiro has joined #openstack-keystone		22:42
lbragstad	in that case, you should be able to hit this if you set the config_fixture (like you were doing) and then instantiating an instance keystone.token.provider.Manager	22:43
lbragstad	that should raise an ImportError exception	22:43
*** jrist has quit IRC		22:47
*** jrist has joined #openstack-keystone		22:48
*** AlexeyAbashkin has joined #openstack-keystone		22:48
*** masber has joined #openstack-keystone		22:50
hamzy	lbragstad, then https://paste.fedoraproject.org/paste/3hG90i8fPffez6SjfYpX-A ?	22:51
lbragstad	yeah - that invokes load_driver from the manager directly, which workds	22:52
lbragstad	works*	22:52
*** AlexeyAbashkin has quit IRC		22:52
lbragstad	but if you want to test it specifically for token provider instances, you can do something like	22:52
lbragstad	http://paste.openstack.org/show/693493/	22:53
lbragstad	load_drivers will get called in the init of the common Manager class, which is inherited in keystone.token.provider.Manager	22:55
*** masuberu has joined #openstack-keystone		22:55
lbragstad	that should make the test specific enough to keep in that module for now	22:56
*** masber has quit IRC		22:59
hamzy	lbragstad, this is what it looks like now http://paste.openstack.org/show/693496/	23:04
hamzy	I guess that you are still saying that test_import_error_for_missing_provider doesn't fit where it is now?	23:04
*** germs has quit IRC		23:05
lbragstad	hamzy: i think what you have in test_import_error_for_uuid_provider looks good	23:08
*** oikiki has quit IRC		23:08
lbragstad	the second test might be redundant	23:08
*** oikiki has joined #openstack-keystone		23:08
hamzy	yeah... but it does test manager.load_driver and with random names... minor niggles	23:09
lbragstad	right - it implies it will be called by the Manager init	23:09
hamzy	so ditch it?	23:09
lbragstad	it wouldn't stop me from approving the patch if you ditched test_import_error_for_missing_provider	23:10
lbragstad	because the coverage would be the same and we'd still know if it broke somehow	23:10
hamzy	it sounds like you would feel more comfortable without the second test	23:11
lbragstad	yeah - i'd be fine if you didn't include it in the next patch set	23:11
lbragstad	just because it's too general for that specific module imo	23:12
openstackgerrit	Mark Hamzy proposed openstack/keystone master: Fix formatting of ImportError https://review.openstack.org/549870	23:12
*** david-lyle has joined #openstack-keystone		23:26
*** felipemonteiro has quit IRC		23:27
*** r-daneel has quit IRC		23:40
*** david-lyle has quit IRC		23:42

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!