#openstack-keystone log

19:01:10 <lbragstad> #startmeeting keystone-office-hours
19:01:11 <openstack> Meeting started Tue Oct 24 19:01:10 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:01:15 <openstack> The meeting name has been set to 'keystone_office_hours'
19:01:18 <lbragstad> o/
19:03:30 <cmurphy> o/
19:04:38 <knikolla> o/
19:05:40 <lbragstad> alright - what are folks itching to work on?
19:05:54 <lbragstad> bug reviews are pretty low
19:06:09 <lbragstad> so we could dedicate time towards picking up fixes or proposing new ones.
19:06:17 <cmurphy> keystone is bug free
19:06:19 <cmurphy> good job team
19:06:29 <lbragstad> lol
19:06:48 * lbragstad slowly starts to cry because he knows it isn't true
19:07:12 <cmurphy> :'(
19:07:25 <lbragstad> we could also clean up/merge specs
19:08:10 <lbragstad> cmurphy: fyi - thanks for reviews on https://review.openstack.org/#/c/511822/4
19:08:33 <lbragstad> we also got some feedback on https://review.openstack.org/#/c/460344/
19:17:35 <cmurphy> I reported a bug this morning if anyone is interested in taking a look https://bugs.launchpad.net/keystone/+bug/1726736
19:17:35 <openstack> Launchpad bug 1726736 in OpenStack Identity (keystone) ""no auth token" debug logs are confusing" [Wishlist,New]
19:17:51 <cmurphy> people ask me about this all the time and i don't know what to tell them except "don't worry about it"
19:20:41 <lbragstad> cmurphy: oh - yes!
19:20:52 <lbragstad> cmurphy: that one is confusing
19:25:13 <lbragstad> seems like it existed when keystone/middleware/auth.py was created
19:25:15 <lbragstad> cf81d1ec356beca65d40a78a1dca915f4b5448fb
19:28:57 <cmurphy> hmm originally added here i think https://review.openstack.org/#/c/156870/
19:33:39 <lbragstad> cmurphy: yeah - that seems like the current version
19:34:00 <lbragstad> but it looks like there was a previous version of that same vague message @ line 199
19:34:03 <lbragstad> https://review.openstack.org/#/c/156870/62/keystone/middleware/core.py
19:34:22 <gagehugo> o/
19:34:39 <cmurphy> oh hmm
19:34:49 <cmurphy> the plot thickens
19:34:53 <lbragstad> yes...
19:35:10 <lbragstad> which appears to be around since 2015 versioning?!
19:35:12 <lbragstad> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/core.py?h=2015.1.0
19:36:31 <cmurphy> okay i guess the original version just meant X-Auth-Token wasn't in the request headers which just means it's a regular token request
19:36:32 <lbragstad> and 2014.2 http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/core.py?h=2014.2#n270
19:37:18 <lbragstad> cmurphy: that should just mean it's not a "validate this token" call, yeah?
19:37:42 <lbragstad> wait - nevermind
19:37:51 <cmurphy> lbragstad: you're thinking X-Subject-Token
19:37:54 <lbragstad> yeah
19:39:01 <lbragstad> so - there isn't a whole lot you can do if X-Auth-Token isn't in the headers (except APIs that are "unprotected" like authenticate)
19:44:55 <cmurphy> that's true, but I'm not sure there's that much value in logging that for every POST /auth/tokens
19:46:31 <lbragstad> yeah.. me either
19:46:38 <lbragstad> does it generate more value than confusion?
19:48:13 <lbragstad> also - that message never actually makes it back to the user who it hitting POST /auth/tokens unless they are an operator and tailing the logs at the same time
19:48:44 <cmurphy> right
19:48:57 <lbragstad> it also contains no information about the user making the request - so the usability from an operator perspective is slim
19:49:10 <cmurphy> but if you do try to hit /projects with no X-Auth-Token the logs have a warning with "Authorization failed. auth_context did not decode anything useful"
19:49:31 <cmurphy> so i'm not sure there's ever a case where x-auth-token is unset and that message is useful
19:50:16 <lbragstad> cmurphy: right - in those cases the API requires a token and if it doesn't get it, it should provide some useful info to the user
19:50:55 <cmurphy> well it just provides a 401 but that's about as useful as you're going to get without giving too much away
19:51:18 <lbragstad> unless we're going to start including entity information in the message, i'm in favor of removing it or replacing it with an inline comment
19:52:08 <lbragstad> s/message/log message/
19:57:39 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Remove "no auth token" debug log  https://review.openstack.org/514810
19:57:49 <cmurphy> lbragstad: done ^
19:57:57 <lbragstad> reviewing
19:59:49 <lbragstad> when authenticating with x509 and the certificate is invalid, you'd expect to get a 401 back just like you would for an invalid password, right?
20:01:31 <cmurphy> I think so, I've never played with it though
20:02:04 <lbragstad> either way, the usefulness is in the response and not vague logs
20:02:28 <knikolla> cmurphy: quick-approved :) nice to see that message go away
20:03:17 <cmurphy> \o/
20:11:08 <lbragstad> #link https://review.openstack.org/#/c/460344/ and https://review.openstack.org/#/c/462733/12 are ready to go
20:19:23 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Consolidate V2Controller functionality  https://review.openstack.org/514814
20:28:34 <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Specification for system roles  https://review.openstack.org/464763
20:30:51 <lbragstad> has anyone been able to recreate the functional v2.0 test failures in ksc
20:30:55 <lbragstad> ?
20:34:32 * cmurphy hadn't tried
20:34:46 <cmurphy> is it something more than just devstack not having v2 anymore?
20:38:10 <lbragstad> looking at a failed test run
20:38:19 <lbragstad> and the python-keystoneclient functional suite
20:38:27 <lbragstad> https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/functional/test_base.py#L24-L28 is the only thing that failed
20:44:15 <lbragstad> https://github.com/openstack/python-keystoneclient/tree/master/keystoneclient/tests/functional/v2_0 doesn't have much in it either
20:46:05 <openstackgerrit> Lance Bragstad proposed openstack/python-keystoneclient master: Remove v2.0 functional tests  https://review.openstack.org/514823
20:46:17 <lbragstad> we'll see if ^ passes
21:39:40 <lbragstad> whew - the assignment api is complex
22:00:12 <lbragstad> #endmeeting