Friday, 2012-08-24

*** jrd-redhat has quit IRC 00:03
*** anniec_ has joined #openstack-dev 00:08
*** anniec has quit IRC 00:12
*** anniec_ is now known as anniec 00:12
*** blamar has quit IRC 00:12
*** daddyjoseph97 has joined #openstack-dev 00:20
*** markmcclain has quit IRC 00:22
*** andrewsmedina has joined #openstack-dev 00:24
*** andrewbogott is now known as andrewbogott_afk 00:25
*** pixelbeat has quit IRC 00:28
*** cloudvirt has quit IRC 00:31
*** johnpur has quit IRC 00:33
*** spiffxp has quit IRC 00:34
*** Ryan_Lane has quit IRC 00:41
*** novas0x2a|laptop has quit IRC 00:41
*** novas0x2a|laptop has joined #openstack-dev 00:42
*** jakedahn is now known as jakedahn_zz 00:42
*** Gordonz has quit IRC 00:47
*** maoy has joined #openstack-dev 00:55
*** novas0x2a|laptop has quit IRC 00:55
*** roge has quit IRC 00:57
*** anniec has quit IRC 01:00
*** nati_ueno has quit IRC 01:07
*** nati_ueno has joined #openstack-dev 01:07
*** renier_ has joined #openstack-dev 01:26
*** renier has quit IRC 01:26
*** lifeless has quit IRC 01:26
*** nati_ueno has quit IRC 01:29
*** nati_ueno has joined #openstack-dev 01:30
*** lifeless has joined #openstack-dev 01:36
*** daddyjoseph97 has quit IRC 01:46
*** mestery has joined #openstack-dev 01:51
*** dolphm has quit IRC 01:53
*** dwalleck has joined #openstack-dev 01:57
*** sniperd has joined #openstack-dev 01:57
*** PotHix has quit IRC 01:58
<rmk> vishy: What about moving to libvirt for snapshots? 02:01
*** jtran has quit IRC 02:14
*** anniec has joined #openstack-dev 02:16
*** anniec_ has joined #openstack-dev 02:19
*** mjfork has quit IRC 02:22
*** thinrhino has joined #openstack-dev 02:22
*** anniec has quit IRC 02:23
*** anniec_ is now known as anniec 02:23
*** colinmcnamara has joined #openstack-dev 02:24
*** cloudvirt has joined #openstack-dev 02:25
*** jtran has joined #openstack-dev 02:27
*** dolphm has joined #openstack-dev 02:28
*** shang has joined #openstack-dev 02:29
*** roge has joined #openstack-dev 02:33
*** maoy has quit IRC 02:38
*** jtran has quit IRC 02:41
*** cloudvirt has quit IRC 02:44
*** rpedde_away is now known as rpedde 02:45
<colinmcnamara> does anyone know how to push files from sourcetree into gerrit for review? 02:48
*** adalbas has quit IRC 02:48
*** lifeless has quit IRC 02:49
<clarkb> colinmcnamara: use git review 02:51
<clarkb> colinmcnamara: see http://wiki.openstack.org/GerritWorkflow 02:51
<clarkb> you do need to sign the CLA first. see http://wiki.openstack.org/HowToContribute if you haven't done that 02:51
<colinmcnamara> already signed the CLA 02:52
<colinmcnamara> at a hackathon @ yahoo with sean roberts and crew 02:52
<colinmcnamara> we put a team together to implement some changes 02:52
<colinmcnamara> kinda struggling on using GIT 02:52
*** jtran has joined #openstack-dev 02:53
<clarkb> the GerritWorkflow wiki page is a good place to start. It should cover the basics and get code into gerrit 02:53
*** roge has quit IRC 02:54
<colinmcnamara> we have that page open, like all good engineering types, struggling through it 02:57
<colinmcnamara> hopefully disk_QOS should be submitted for review pretty soon 02:58
<clarkb> anything in particular you need more clarification on? 02:58
*** anniec has quit IRC 03:02
*** thinrhino has quit IRC 03:10
*** otter2 has joined #openstack-dev 03:11
<colinmcnamara> tool specifically, I was looking to see if anyone used sourcetree and how to use git-review with it 03:12
<colinmcnamara> though, we are doing it through git now following the gerrit workflow 03:12
*** Ruetobas has quit IRC 03:14
*** tgall_foo has joined #openstack-dev 03:15
*** tgall_foo has quit IRC 03:15
*** tgall_foo has joined #openstack-dev 03:15
*** rpedde is now known as rpedde_away 03:19
*** matwood has quit IRC 03:19
*** anniec has joined #openstack-dev 03:20
*** Ryan_Lane has joined #openstack-dev 03:23
*** dolphm has quit IRC 03:30
*** asalkeld has quit IRC 03:31
*** jtran has quit IRC 03:33
*** roge has joined #openstack-dev 03:36
*** asalkeld has joined #openstack-dev 03:41
*** andrewsmedina has quit IRC 03:42
*** jakedahn_zz is now known as jakedahn 03:43
*** anniec has quit IRC 03:44
*** jtran has joined #openstack-dev 03:45
*** sacharya has joined #openstack-dev 03:48
*** spiffxp has joined #openstack-dev 03:49
*** vodanh86 has joined #openstack-dev 03:50
<vodanh86> hello, i want to debug how nova works, i've already installed pydev, but i can't debug or run test nova project 03:50
<vodanh86> can anyone help me 03:51
*** jtran has quit IRC 03:59
*** asalkeld has quit IRC 04:06
*** lifeless has joined #openstack-dev 04:07
*** thinrhino has joined #openstack-dev 04:09
<colinmcnamara> I am getting an internal server error when putting my ssh keys into review.openstack.org 04:11
<colinmcnamara> I had changed my username on launchpad a couple days ago. I think that could be the root of my problem 04:11
<colinmcnamara> any ideas? 04:11
*** mdomsch has quit IRC 04:15
*** asalkeld has joined #openstack-dev 04:21
<colinmcnamara> ok, now for whatever reason when I submit git review it doesn't see my signed CLA 04:26
<colinmcnamara> fatal:  A Contributor Agreement must be completed before uploading: 04:27
<colinmcnamara> which I have contributed under the username colinmcnamara 04:27
<colinmcnamara> ideas? 04:27
*** ewindisch has quit IRC 04:28
*** roge has quit IRC 04:29
<zaitcev> I eventually gave up and signed up another CLA in this situation. Who cares, it's not like I'm going to sue anyone. 04:30
<colinmcnamara> Yeah, I did the same 04:30
<colinmcnamara> apparently it takes time to sync? 04:30
<zaitcev> Hmm. 04:30
<zaitcev> I forgot the details now, but I seem to recall that yes, there was some hold-up. 04:31
*** colinmcnamara has quit IRC 04:34
*** winston-d has joined #openstack-dev 04:46
*** almaisan-away is now known as al-maisan 04:46
*** vodanh86 has quit IRC 04:47
*** Gordonz has joined #openstack-dev 04:48
*** anniec has joined #openstack-dev 04:49
*** anniec_ has joined #openstack-dev 04:50
*** dwalleck has quit IRC 04:51
*** tgall_foo has quit IRC 04:52
*** Gordonz has quit IRC 04:52
*** jakedahn is now known as jakedahn_zz 04:54
*** anniec has quit IRC 04:54
*** anniec_ is now known as anniec 04:54
*** spiffxp has quit IRC 04:58
*** shang has quit IRC 05:02
*** jerdfelt has quit IRC 05:02
*** jimfehlig has joined #openstack-dev 05:02
*** markmcclain has joined #openstack-dev 05:02
*** asalkeld has quit IRC 05:02
*** al-maisan is now known as almaisan-away 05:05
*** zaitcev has quit IRC 05:06
*** sniperd has quit IRC 05:16
*** ncode has quit IRC 05:16
*** chmouel has quit IRC 05:27
*** chmouel has joined #openstack-dev 05:28
*** zhuadl has joined #openstack-dev 05:31
<vishy> rmk: you should look at the historical discussion on the mailing list 05:34
<vishy> libvirt does not support what we need for snapshots 05:34
<vishy> rmk: thread starts here 05:36
<vishy> rmk: https://lists.launchpad.net/openstack/msg08427.html 05:36
*** sacharya has quit IRC 05:36
*** almaisan-away is now known as al-maisan 05:44
*** Ryan_Lane has quit IRC 05:44
*** colinmcnamara has joined #openstack-dev 05:53
*** lifeless_ has joined #openstack-dev 05:55
<colinmcnamara> @zaitcev apparently someone needs to re-approve my contributors agreement 05:57
*** dayou has joined #openstack-dev 05:57
*** lifeless has quit IRC 05:57
*** lifeless_ is now known as lifeless 05:58
*** dwalleck has joined #openstack-dev 06:02
*** markmcclain has quit IRC 06:03
*** jimfehlig has quit IRC 06:05
*** dwalleck has quit IRC 06:06
*** uvg has joined #openstack-dev 06:07
<uvg> Please review: https://review.openstack.org/#/c/11016/ - HTTP POST Notifier for OpenStack projects. 06:09
*** uvg has quit IRC 06:09
*** uvg has joined #openstack-dev 06:10
*** al-maisan is now known as almaisan-away 06:17
*** littleidea has quit IRC 06:19
*** lifeless has quit IRC 06:19
*** Exhar has joined #openstack-dev 06:25
*** Exhar has quit IRC 06:28
*** mindpixel has joined #openstack-dev 06:39
*** lifeless has joined #openstack-dev 06:46
*** salv-orlando has joined #openstack-dev 06:56
*** Exhar has joined #openstack-dev 06:58
*** EmilienM has joined #openstack-dev 06:59
*** Exhar has quit IRC 07:03
*** EmilienM has quit IRC 07:03
*** EmilienM has joined #openstack-dev 07:03
*** colinmcnamara has quit IRC 07:05
*** Ryan_Lane has joined #openstack-dev 07:07
*** creiht has quit IRC 07:11
*** jakedahn_zz is now known as jakedahn 07:11
*** shang has joined #openstack-dev 07:14
*** jerdfelt has joined #openstack-dev 07:14
*** Ryan_Lane has quit IRC 07:16
*** Exhar has joined #openstack-dev 07:20
*** thingee is now known as thingee_zz 07:26
*** zing has joined #openstack-dev 07:32
*** alex88 has joined #openstack-dev 07:47
*** alex88 has joined #openstack-dev 07:47
*** shang has quit IRC 07:48
*** zaneb has joined #openstack-dev 07:52
*** shang has joined #openstack-dev 07:54
*** salv-orlando has quit IRC 07:55
*** salv-orlando has joined #openstack-dev 07:58
*** lifeless has quit IRC 08:02
*** salv-orlando has quit IRC 08:02
*** winston-d has quit IRC 08:04
*** jakedahn is now known as jakedahn_zz 08:06
*** sniperd has joined #openstack-dev 08:12
*** EmilienM has quit IRC 08:14
*** EmilienM has joined #openstack-dev 08:14
*** seats has quit IRC 08:14
*** seats has joined #openstack-dev 08:16
*** derekh has joined #openstack-dev 08:17
*** samkottler|afk is now known as samkottler 08:19
*** EmilienM has quit IRC 08:20
*** lifeless has joined #openstack-dev 08:23
*** pixelbeat has joined #openstack-dev 08:24
*** EmilienM has joined #openstack-dev 08:29
*** almaisan-away is now known as al-maisan 08:34
*** winston-d has joined #openstack-dev 08:35
*** darraghb has joined #openstack-dev 08:39
*** lifeless has quit IRC 08:43
*** kyriakos has joined #openstack-dev 08:44
*** Gordonz has joined #openstack-dev 08:48
*** Gordonz has quit IRC 08:53
*** winston-d has quit IRC 09:02
*** thinrhin_ has joined #openstack-dev 09:03
*** derekh has quit IRC 09:04
*** k4n0 has joined #openstack-dev 09:05
*** thinrhino has quit IRC 09:06
*** mrunge has joined #openstack-dev 09:07
*** asalkeld has joined #openstack-dev 09:07
*** thinrhino has joined #openstack-dev 09:23
*** thinrhin_ has quit IRC 09:27
*** derekh has joined #openstack-dev 09:30
*** zhuadl has quit IRC 09:45
*** dayou has quit IRC 09:56
*** salv-orlando has joined #openstack-dev 10:04
*** waa has quit IRC 10:12
*** mjfork has joined #openstack-dev 10:13
*** apevec has joined #openstack-dev 10:17
*** apevec has joined #openstack-dev 10:17
*** mnewby has joined #openstack-dev 10:18
*** markmc has joined #openstack-dev 10:23
*** salv-orlando has quit IRC 10:23
*** JStoker has quit IRC 10:24
*** al-maisan has quit IRC 10:25
*** al-maisan has joined #openstack-dev 10:26
*** al-maisan is now known as almaisan-away 10:28
*** almaisan-away is now known as al-maisan 10:28
*** al-maisan has quit IRC 10:34
*** rohit404 has joined #openstack-dev 10:55
*** mnewby has quit IRC 10:59
*** al-maisan has joined #openstack-dev 11:02
*** cloudvirt has joined #openstack-dev 11:10
*** thinrhin_ has joined #openstack-dev 11:13
*** JStoker has joined #openstack-dev 11:14
*** thinrhino has quit IRC 11:17
*** al-maisan is now known as almaisan-away 11:19
*** ncode has joined #openstack-dev 11:22
*** salv-orlando has joined #openstack-dev 11:25
*** thinrhino has joined #openstack-dev 11:30
*** cloudvirt has quit IRC 11:30
*** thinrhi__ has joined #openstack-dev 11:32
*** thinrhin_ has quit IRC 11:33
*** thinrhino has quit IRC 11:35
*** wiliam has joined #openstack-dev 11:39
*** cloudvirt has joined #openstack-dev 11:44
*** wiliam has quit IRC 11:46
*** wiliam has joined #openstack-dev 11:50
*** mnewby has joined #openstack-dev 11:50
*** mnewby_ has joined #openstack-dev 11:58
*** mnewby has quit IRC 12:01
*** mnewby_ is now known as mnewby 12:01
*** jrd-redhat has joined #openstack-dev 12:10
*** mjfork has quit IRC 12:17
*** mjfork has joined #openstack-dev 12:18
*** apevec has quit IRC 12:19
*** lifeless has joined #openstack-dev 12:20
*** lts has joined #openstack-dev 12:20
*** roge has joined #openstack-dev 12:22
*** mjfork has quit IRC 12:22
*** mjfork has joined #openstack-dev 12:23
*** dolphm has joined #openstack-dev 12:24
*** mjfork has quit IRC 12:25
<davidkranz> dansmith: You there? 12:31
*** thinrhi__ has quit IRC 12:31
*** bla_ has joined #openstack-dev 12:32
*** cloudvirt1 has joined #openstack-dev 12:33
*** salv-orlando_ has joined #openstack-dev 12:34
*** kbringard has joined #openstack-dev 12:37
*** Xtrapni has joined #openstack-dev 12:37
*** BLZbubba_ has joined #openstack-dev 12:37
*** guitarza1 has joined #openstack-dev 12:37
*** roge_ has joined #openstack-dev 12:38
*** almaisan` has joined #openstack-dev 12:40
*** kbringard has quit IRC 12:40
*** roge has quit IRC 12:42
*** cloudvirt has quit IRC 12:42
*** salv-orlando has quit IRC 12:42
*** almaisan-away has quit IRC 12:42
*** dachary has quit IRC 12:42
*** trapni has quit IRC 12:42
*** openstackjenkins has quit IRC 12:42
*** BLZbubba has quit IRC 12:42
*** dabo has quit IRC 12:42
*** guitarzan has quit IRC 12:42
*** ogelbukh has quit IRC 12:42
*** eafonichev has quit IRC 12:42
*** ijw has quit IRC 12:42
*** salv-orlando_ is now known as salv-orlando 12:42
*** kbringard has joined #openstack-dev 12:42
*** ijw has joined #openstack-dev 12:44
*** eafonichev has joined #openstack-dev 12:48
*** openstackjenkins has joined #openstack-dev 12:48
*** dachary has joined #openstack-dev 12:49
*** dabo has joined #openstack-dev 12:49
*** Gordonz has joined #openstack-dev 12:49
*** ijw has quit IRC 12:50
*** ijw has joined #openstack-dev 12:52
*** ogelbukh has joined #openstack-dev 12:52
*** JStoker has quit IRC 12:52
*** btorch has quit IRC 12:52
*** btorch has joined #openstack-dev 12:53
*** Gordonz has quit IRC 12:54
*** macjack has joined #openstack-dev 12:55
*** littleidea has joined #openstack-dev 12:58
*** ijw has quit IRC 12:58
*** rpedde_away is now known as rpedde 13:00
*** ijw has joined #openstack-dev 13:00
*** almaisan` is now known as al-maisan 13:03
*** dprince has joined #openstack-dev 13:05
*** cloudvirt1 has quit IRC 13:07
<sdague> davidkranz: dansmith is on PST, so expect him online in another hour or so 13:08
<davidkranz> sdague: OK, thanks. 13:08
*** cloudvirt has joined #openstack-dev 13:08
*** zhuadl has joined #openstack-dev 13:12
*** k4n0 has left #openstack-dev 13:15
*** JStoker has joined #openstack-dev 13:16
*** apevec has joined #openstack-dev 13:24
*** apevec has joined #openstack-dev 13:24
*** guitarza1 is now known as guitarzan 13:25
<dansmith> davidkranz: and I'm in here too, your preference :) 13:27
<dansmith> sdague: another hour? you know me better than that, don't you? :) 13:27
<davidkranz> dansmith: Forgot to change channels. I sent an email to you and Daryl. I'm not sure what the current status is. 13:27
<davidkranz> Was there agreement about how to proceed? 13:28
<dansmith> davidkranz: I think daryl isn't quite happy that both sets of tests get run each time, but is willing to push them along to avoid blocking the effort 13:28
<dansmith> which I'm extremely thankful for :) 13:28
<dansmith> I understand his argument, but I think I agree with jaypipes that running them both makes the most sense 13:29
<davidkranz> dansmith: I can push them through now if that was the decision. 13:29
<dansmith> although understand if that needs to be trimmed for a faster gate or something 13:29
<davidkranz> dansmith: We have spent a lot of time reducing the runtime for tempest. 13:29
<dansmith> davidkranz: yeah, his comment to that effect was in the rest client patch, if you want to see it 13:29
<dansmith> davidkranz: you'd officially make my weekend if you did :) 13:30
<dansmith> (push them in, that is) 13:30
<davidkranz> dansmith: It is ultimately a hopeless task as openstack functionality grows and grows. 13:30
<dansmith> heh, yeah 13:30
<davidkranz> dansmith: We need a way to "run all" of the tests that is not gating. 13:30
<dansmith> yeah, I was thinking about that 13:30
<dansmith> also, wondering: 13:30
<dansmith> does openstack-ci run on top of openstack? it would be nice to be able to fan out jenkins worker instances based on demand... 13:31
<davidkranz> dansmith: It is possible for any organization to contribute to the jenkins pool by contributing hardware. 13:31
<dansmith> ah, okay, I guess I need to brush up on that :) 13:32
<davidkranz> dansmith: In the past I have used a nightly build with a rotating person on the hook to investigate any failures immediately. 13:32
<davidkranz> dansmith: But the infrastructure has to be rock solid for that. 13:32
<dansmith> davidkranz: yeah.. sdague had the idea of a nightly run that would also bisect failures and email the owner about the issue 13:33
<davidkranz> dansmith: But it gets painful when there are flakey failures. 13:33
*** sniperd has quit IRC 13:34
<davidkranz> dansmith: I will push these through now. Does this impact the tests marked 'smoke' at all? 13:35
<dansmith> davidkranz: several of the servers tests are 'smoke' ones, 13:40
<dansmith> so it runs a few extra tests in that case, 13:40
<dansmith> but I don't think it's a significant increase in time 13:40
<dansmith> oh, jeez, vincent rebased my patches on his branch in gerrit 13:44
<dansmith> I hope that doesn't cause a problem 13:44
<dansmith> sdague: I know that -R should help with that, but was there a fix coming to gerrit itself to prevent that by non-admins? 13:45
*** zhuadl has quit IRC 13:49
*** bla_ has left #openstack-dev 13:51
*** shang has quit IRC 13:56
*** JStoker has quit IRC 13:56
*** zaneb has quit IRC 13:57
*** sniperd has joined #openstack-dev 13:57
*** zaneb has joined #openstack-dev 13:57
<sdague> dansmith: the ci tests are running on openstack clouds, they get spun up in parallel 13:59
<sdague> that might have been why daryl wanted separate xml / json flags, so they could be run in parallel instead of in series 13:59
<dansmith> sdague: it just seems like when the queue is long, the time it takes to get an answer from jenkins is proportional 14:00
*** mtreinish has joined #openstack-dev 14:00
<dansmith> sdague: perhaps, but I don't think that's what jaypipes was expecting 14:00
<sdague> dansmith: at some point they run out of quota on their clouds 14:00
<dansmith> sdague: okay, it just didn't seem to be anything other than linear from my eyeball measurements, but fair enough 14:01
<sdague> mtaylor, jeblair, or LinuxJedi could share more about it, that's just what I've picked up from them 14:02
*** JStoker has joined #openstack-dev 14:04
*** tgall_foo has joined #openstack-dev 14:06
*** tgall_foo has quit IRC 14:06
*** tgall_foo has joined #openstack-dev 14:06
*** ewindisch has joined #openstack-dev 14:08
*** Ruetobas has joined #openstack-dev 14:08
*** EmilienM has quit IRC 14:08
*** EmilienM has joined #openstack-dev 14:09
*** jimfehlig has joined #openstack-dev 14:10
*** daddyjoseph97 has joined #openstack-dev 14:13
*** e1mer has quit IRC 14:14
*** samkottler is now known as samkottler|brb 14:16
*** ewindisch has quit IRC 14:18
*** e1mer has joined #openstack-dev 14:20
*** andrea__ has quit IRC 14:21
*** andrea__ has joined #openstack-dev 14:21
*** garyk has joined #openstack-dev 14:23
*** samkottler|brb is now known as samkottler 14:23
*** andrewbogott_afk is now known as andrewbogott 14:26
*** sacharya has joined #openstack-dev 14:27
<jeblair> dansmith: hi 14:27
<jeblair> dansmith: zuul tells jenkins to run tests in parallel 14:28
<jeblair> dansmith: don't limit the number of tests that tempest runs when gating on account of run-time; we'll spin up as many vms as we need. 14:30
*** creiht has joined #openstack-dev 14:30
*** ChanServ sets mode: +v creiht 14:30
*** dwalleck has joined #openstack-dev 14:33
*** salv-orlando has quit IRC 14:34
*** samkottler has quit IRC 14:35
*** samkottler has joined #openstack-dev 14:35
*** Exhar has quit IRC 14:49
*** rnirmal has joined #openstack-dev 14:49
*** jtran has joined #openstack-dev 14:51
*** sniperd has quit IRC 14:52
*** sniperd has joined #openstack-dev 14:52
*** cloudvirt has quit IRC 14:52
*** sniperd has joined #openstack-dev 14:53
*** datsun180b has joined #openstack-dev 14:53
*** andrewsmedina has joined #openstack-dev 14:56
*** andrewsmedina has quit IRC 14:58
*** al-maisan is now known as almaisan-away 14:58
*** andrewsmedina has joined #openstack-dev 14:58
*** cloudvirt has joined #openstack-dev 15:00
*** Gordonz has joined #openstack-dev 15:01
*** Gordonz has quit IRC 15:03
*** rods1 has joined #openstack-dev 15:03
*** Gordonz has joined #openstack-dev 15:03
*** JStoker has quit IRC 15:06
*** maoy has joined #openstack-dev 15:07
*** sniperd_ has joined #openstack-dev 15:08
*** JStoker has joined #openstack-dev 15:08
*** sniperd has quit IRC 15:08
*** Exhar has joined #openstack-dev 15:16
*** e1mer has quit IRC 15:16
*** cp16net is now known as cp16net|away 15:19
*** cloudvirt has quit IRC 15:20
*** cp16net|away is now known as cp16net 15:21
*** Exhar has quit IRC 15:21
*** markmc has quit IRC 15:21
*** littleidea has quit IRC 15:22
*** derekh has quit IRC 15:23
*** littleidea has joined #openstack-dev 15:24
*** mindpixel has quit IRC 15:24
*** nunosantos has joined #openstack-dev 15:25
*** dwalleck has quit IRC 15:25
*** AlanClark has joined #openstack-dev 15:26
*** dachary has quit IRC 15:28
*** dachary1 has joined #openstack-dev 15:28
*** molten has joined #openstack-dev 15:29
*** rods1 has quit IRC 15:30
<molten> mtaylor, jeblair: hey, I'm having issues with Gerrit, can't set my username so I can't push a change set 15:30
*** dachary1 is now known as dachary 15:32
<jeblair> molten: you don't need to set your username, there's a sync script that does it for you 15:32
*** dachary has quit IRC 15:32
*** dachary has joined #openstack-dev 15:32
<jeblair> molten: what is the account id on this page? 15:32
<jeblair> https://review.openstack.org/#/settings/ 15:32
<molten> jeblair: 5387 15:32
<jeblair> molten: and what's your launchpad username? 15:33
<molten> jeblair: andrew-melton 15:33
*** EmilienM has quit IRC 15:35
*** EmilienM has joined #openstack-dev 15:36
*** lloydde has joined #openstack-dev 15:36
*** johnpur has joined #openstack-dev 15:36
*** ChanServ sets mode: +v johnpur 15:36
*** daddyjoseph97 has quit IRC 15:37
<jeblair> molten: you should be all set now 15:40
<molten> jeblair: kk thanks! 15:41
*** dspano has joined #openstack-dev 15:41
*** daddyjoseph97 has joined #openstack-dev 15:42
*** Exhar has joined #openstack-dev 15:42
*** heckj has joined #openstack-dev 15:44
*** salgado is now known as salgado-lunch 15:46
*** daddyjoseph97 has quit IRC 15:47
*** macjack has quit IRC 15:48
*** maoy has quit IRC 15:49
*** markmcclain has joined #openstack-dev 15:53
*** maoy has joined #openstack-dev 15:56
<molten> jeblair: having more issues, i get this trying to run git review: "Exception: Could not connect to gerrit at ssh://andrew-melton@review.openstack.org:29418/openstack/glance.git" 15:57
*** datsun180b_ has joined #openstack-dev 16:01
*** Exhar has quit IRC 16:01
*** dwalleck has joined #openstack-dev 16:01
<jeblair> molten: ssh -p 29418 andrew-melton@review.openstack.org gerrit ls-projects 16:03
<jeblair> molten: what does that get you? 16:03
*** datsun180b_ has quit IRC 16:03
<jeblair> molten: make sure your public key is listed here: https://review.openstack.org/#/settings/ssh-keys 16:03
*** datsun180b has quit IRC 16:04
<molten> jeblair: yup, it's listed 16:04
*** daddyjoseph97 has joined #openstack-dev 16:04
<molten> that call still gets me "Permission denied (publickey)." 16:04
<jeblair> molten: Gerrit says "no-matching-key" in the error log. 16:06
<molten> let me redo the key 16:06
<molten> jeblair: there we go, must have been a copy-paste error 16:07
<jeblair> molten: cool 16:07
*** hemna has joined #openstack-dev 16:13
*** Exhar has joined #openstack-dev 16:17
*** darraghb has quit IRC 16:18
*** Exhar has quit IRC 16:21
*** dubsquared has joined #openstack-dev 16:26
*** ewindisch has joined #openstack-dev 16:28
*** ewindisch has quit IRC 16:31
*** samkottler is now known as samkottler|bbiab 16:32
*** matwood has joined #openstack-dev 16:37
*** timbock2 has quit IRC 16:37
*** dwalleck has quit IRC 16:40
*** wiliam has quit IRC 16:45
*** salgado-lunch is now known as salgado 16:49
*** Mandell has joined #openstack-dev 16:49
*** rods1 has joined #openstack-dev 16:54
<devananda> jgriffith: you may be interested in the comment i just posted on bug 1007038. 16:57
<uvirtbot> Launchpad bug 1007038 in nova "Nova is issuing unnecessary ROLLBACK statements to MySQL" [Low,Confirmed] https://launchpad.net/bugs/1007038 16:57
<jgriffith> devananda: Thanks... just saw the update notification but haven't had a chance to read it yet. 16:57
*** spiffxp has joined #openstack-dev 16:59
<jgriffith> devananda: Interesting... 16:59
<devananda> jgriffith: i fixed my fix to the other bug (SELECT 1 spam), but can't fix this one :( 17:00
*** dubsquared has quit IRC 17:01
<jgriffith> devananda: seems like the pragmatic way to go 17:01
*** cp16net is now known as cp16net|away 17:01
*** cp16net|away is now known as cp16net 17:04
*** zing has quit IRC 17:04
<ayoung> dolphm, heckj, do we have a plan in place to deal with "Token in URL is a security risk"  for Folsom? 17:05
<ayoung> Is there something we can do short of V3? 17:05
<heckj> ayoung: definitely -it's the V3 API updates to Token 17:05
<ayoung> heckj, yeah, but V3 is not going into folsom 17:05
<heckj> ayoung: sorry, I read grizzly when you said folsom 17:06
<ayoung> or can we grab just that piece? 17:06
*** thingee_zz is now known as thingee 17:06
<heckj> ayoung: at this point, no freakin' way. 17:06
<heckj> ayoung: any change there is going to have massive impact across all the components and clients 17:06
<heckj> ayoung: the change we need to do is changing the API - it's relatively simple, but the impact spreads across all the projects. 17:07
<ayoung> heckj, sure, but what if we added the ability to verify outside the URL and left it at that 17:07
<ayoung> so that people have the alternative API available if the issue impacts them 17:07
*** troytoman-away is now known as troytoman 17:08
<ayoung> ie,  just add in the V3 API for verification 17:08
*** alex88 has quit IRC 17:08
<heckj> ayoung: if we weren't in the lock down/no features time of this release, that would be fine - but the issue really isn't solved until the defaults for all the clients and such have been changed to NOT use the existing V2 API setup 17:08
<ayoung> yeah, I realize that...just hate leaving an issue like that unresolved through a major release. 17:10
<heckj> ayoung: I understand. I do too - there's just a bug deeply endemic to the API structure - it's one of those "A lot tougher to unwind" bugs 17:10
<ayoung> K 17:11
<heckj> ayoung: another reason to get rolling with the feature branch to push on that and make it available quickly for grizzly 17:11
<ayoung> heckj, so what is priority of effort now? 17:11
<ayoung> looks like all open reviews have been dealt with 17:12
<heckj> ayoung: first priority - any bugs/tracebacks in stabilizing Folsom release. Second, V3 API implementation and feature work there 17:12
<clayg> rpedde: wkelly: ping 17:12
<heckj> ayoung: actually, it would be worth having you take a look through the bugs that are open and seeing if you spot any that I categorized lower (or higher) than you think appropriate 17:13
<ayoung> heckj, doing so now 17:13
*** molten has quit IRC 17:13
<dolphm> heckj: let me know if there's any bugs you want me to tackle, otherwise i'm focusing on v3 17:13
<heckj> dolphm: I think you're already tackling this one: https://bugs.launchpad.net/keystone/+bug/1040626 - let me know if not 17:14
*** titankiller has joined #openstack-dev 17:14
<dolphm> heckj: that's actually merged 17:14
<ayoung> heckj, that is fixed in Folsom, needs to be backported.  Want me to take that? 17:14
<dolphm> heckj: i don't think jenkins had permission to update the bug or something? 17:14
<heckj> dolphm: should I change the status to FixCommitted? 17:14
<wkelly> clayg: sup!? 17:14
<dolphm> ayoung: stable/essex patch is a diff in the bug report 17:15
<dolphm> heckj: sure 17:15
<dolphm> ayoung: as requested by ttx 17:15
<heckj> dolphm: thanks, done 17:15
<dolphm> ayoung: apparently i shouldn't have gone straight for gerrit :-/ i know for next time 17:15
<ayoung> dolphm, shouldn't  it be submitted to Gerrit now, then? 17:15
<dolphm> ayoung: for stable/essex? 17:16
<ayoung> dolphm, yes 17:16
<clayg> wkelly: pm, thanks 17:16
*** clayg has left #openstack-dev 17:16
<dolphm> ayoung: ttx wanted a diff, that's all 17:16
*** clayg has joined #openstack-dev 17:16
*** nati_ueno has quit IRC 17:17
*** nati_ueno has joined #openstack-dev 17:17
<ayoung> dolphm, ah. Ok.  I'll leave that alone for now.  Looks like it is taken care of. 17:17
<dolphm> ayoung: so, i deleted that banana, btw. if we want it to land, i need help with the ldap driver 17:18
*** kyriakos has quit IRC 17:18
<dolphm> ayoung: https://review.openstack.org/#/c/11935/ 17:20
<ayoung> dolphm, looking 17:20
*** epim has joined #openstack-dev 17:20
<ayoung> dolphm, OK,  let me pull 17:20
*** colinmcnamara has joined #openstack-dev 17:20
<dolphm> ayoung: i started down this whole path because things get more complex with both user-domain and user-tenant relationships in v3 -- i figure simplify what we have to manage now, and then building v3 on top will be easier 17:20
<ayoung> dolphm, so that is V3/Grizzly stuff, right? 17:21
<heckj> dolphm: just tried to load that review, said I didn't have permissions? 17:21
*** daddyjoseph97 has quit IRC 17:21
<heckj> oh - I need to be logged in to see it 17:22
<dolphm> heckj: it's a draft, but i added you 17:22
<dolphm> ayoung: i'd like to rebase my v3 impl on top of this, yes 17:22
*** epim has quit IRC 17:22
*** epim_ has joined #openstack-dev 17:22
<ayoung> dolphm, OK.  Let me tackle the ldap failures 17:22
<ayoung> dolphm, so the first test fails because there is no longer a tenant_id in the response to authenticate? 17:23
<ayoung> AssertionError: {'id': 'foo', 'name': 'FOO'} != {'tenant_id': 'bar', 'id': 'foo', 'name': 'FOO'} 17:23
<ayoung> That is a general purpose test, run the same across all of the backends 17:24
<dolphm> ayoung: yeah, i'm not clear on why 17:25
<dolphm> ayoung: if you look in the diffs of the other drivers (kvs and sql, at least)... i made a couple specific changes 17:26
<dolphm> ayoung: removed the add_user_to_tenant() and remove_user_from_tenant() calls (and removed everything from the rest of keystone that called those) 17:26
<dolphm> ayoung: create_user() needs to store the tenant_id attribute passed in (in SQL, i just made it an indexed column on the User table) 17:26
<ayoung> dolphm, I think the Gorillas are starting to close in 17:26
<ayoung> we need to keep this API as is for V2.  How are we going to split it for V3? 17:26
<dolphm> ayoung: and then there's a couple calls for listing users in a specific tenant and listing tenants a user has access to -- how those lists are populated needs to be updated 17:27
<dolphm> ayoung: none of this is exposed via rest 17:27
<ayoung> ah 17:27
<dolphm> ayoung: the only place it's "exposed" is by legacy nova auth migrations, which i also updated in that patch 17:27
<ayoung> heckj, is anything done with user/tenant assignments OUTSIDE of the roles?  dolphm and I think not.  termie can you chime in as well? 17:28
<dolphm> bcwaldon: could use your feedback on that bit, as you wrote the migration code ^^ 17:28
<bcwaldon> dolphm: werr? 17:28
<dolphm> bcwaldon: in nova legacy auth, i think there were (are?) user-tenant relationships outside of role assignments -- is that correct? 17:28
<bcwaldon> dolphm: yes 17:29
<bcwaldon> dolphm: BUT legacy auth is gone 17:29
<bcwaldon> dolphm: so feel free to blow things away 17:29
<dolphm> bcwaldon: still need to support migrations from legacy auth to keystone past folsom? 17:29
<heckj> ayoung: I don't believe so, but I'd need to re-read through the code to be 100% 17:29
*** maurosr has joined #openstack-dev 17:30
<bcwaldon> dolphm: hmm 17:31
<bcwaldon> dolphm: what things are in keystone only for nover? 17:31
<bcwaldon> dolphm: and I have to walk out the door right now 17:31
<bcwaldon> dolphm: so can this wait until later today? 17:31
<dolphm> bcwaldon: essentially a table that stores arbitrary user-tenant relationships, without specific role assignments 17:31
<bcwaldon> dolphm: you can control everything below the API, so if that isn't useful for you feel free to ignore it 17:32
<dolphm> bcwaldon: well, the nova migration probably put user-tenant pairs into that table that aren't otherwise modeled in keystone, so i can't just blow the table away in a migration without moving that data into the user-tenant-role model 17:33
*** EmilienM has quit IRC 17:33
<bcwaldon> dolphm: sorry, gotta run 17:33
*** EmilienM has joined #openstack-dev 17:33
<dolphm> bcwaldon: no worries, ping me later 17:33
*** EmilienM has quit IRC 17:34
*** EmilienM has joined #openstack-dev 17:34
* dolphm runs off to grab lunch 17:34
*** dolphm has quit IRC 17:34
jtranwhat do i do to troubleshoot a ceilometer-gate problem , when the tests all pass locally ?  From the full console , i can see where it's failing but i cannot reproduce it locally to fix it17:37
*** zaneb has quit IRC17:39
*** zaneb has joined #openstack-dev17:40
colinmcnamaraDumb question, I screwed up my launchpad login (changed username) and had to re-submit a contributors agreement. How long does it take for the openstack-cla group to get approved? (I have code I need to submit for review)17:42
*** rbasak has quit IRC17:42
colinmcnamarausername is colinmcnamara17:42
kbringardany horizon devs gotta few moments?17:45
*** dwalleck has joined #openstack-dev17:46
*** EmilienM has quit IRC17:49
*** EmilienM has joined #openstack-dev17:50
*** dwalleck has quit IRC17:51
*** PotHix has joined #openstack-dev17:52
ayoungheckj, for dolphm's issue:  could we make a default role in the tenant  for migration  that indicates whatever Nova's membership meant?17:54
*** Ryan_Lane has joined #openstack-dev17:55
*** utlemming has quit IRC17:56
*** utlemming has joined #openstack-dev17:56
kbringardjakedahn_zz: if you happen to wake up in the next 4 or so hours, let me know17:56
colinmcnamarakbringard - I've been poking around horizon, whats up?17:56
heckjayoung: I think that's a good idea17:56
*** markmcclain has quit IRC17:56
kbringardcolinmcnamara: it looks like there's a bug in the ec2 credential generation/retrieval17:57
kbringardI think I've figured out what's wrong, but not really sure the best way to go about fixing it17:57
ayoungheckj, are you familiar with the old Nova code? What did membership in a tenant mean before?  And do we need to carry that over during a migration?17:57
*** adjohn has joined #openstack-dev17:58
*** almaisan-away is now known as al-maisan17:58
kbringardcolinmcnamara: this is in essex… if you look at line 67 in dashboard/settings/ec2/forms.py17:58
*** adjohn has quit IRC17:59
kbringardhttp://paste.openstack.org/show/20470/17:59
colinmcnamaraok, let me check out the essex code17:59
heckjayoung: not super familiar - but it was a basic role that didn't confer any specific attributes - it was the "not an admin" relationship that had been previously defined17:59
*** adjohn has joined #openstack-dev17:59
kbringardif keys doesn't exist, it'll generate them17:59
kbringardif it does, it'll always return element 017:59
kbringardwhich doesn't work if the user is a member of more than one tenant17:59
*** bitblt has joined #openstack-dev18:00
kbringardso the end result is that in the dashboard, no matter what tenant you select to download your ec2 keys for, you'll always get the keys for the first tenant you genned keys for (or well, the first tenant keystone returns, but I assume it's doing it in order of creation)18:00
colinmcnamarathat makes sense18:01
*** jog0 has joined #openstack-dev18:01
*** markmcclain has joined #openstack-dev18:01
colinmcnamaravs getting keys for each individual tenant18:01
kbringardright, sure, but then that info is what gets passed to18:01
kbringardkeys = find_or_create_access_keys(request, data.get('tenant'))18:02
kbringard            context = {'ec2_access_key': keys.access,18:02
kbringardon line 8018:02
kbringardso when it creates the zip file18:02
kbringardit's always got the keys from the first tenant18:02
bitblthey, has anyone had their horizon logins just stop working? I started getting "'NoneType' is not iterable (HTTP 500)" errors. it looks like it can't get a list of tenants from keystone maybe?18:02
kbringardso the end result is you can't get keys for any other tenant in the dashboard18:02
colinmcnamaraand in the design docs, you are supposed to be able to gen access keys per tenant18:04
colinmcnamaraeven though having a user may belong to multiple tenants18:04
kbringardI only just started looking into it, but it seems like you'd just want to iterate over the array and return the position that matches the tenant the user requested18:04
*** jtran has quit IRC18:05
kbringardinstead of just indiscriminately returning position 018:05
*** nati_ueno_2 has joined #openstack-dev18:05
colinmcnamarathat sounds right18:06
colinmcnamaraso, this is for essex18:06
kbringardbut I don't know enough about the whole process to know why position 0 is always returned… if that was just an oversight or if that was done on purpose for some reason18:06
colinmcnamaraI think in folsom though we are going to be requesting that data from keystone right?18:06
colinmcnamaraI don't know the answer, but I am guessing oversight18:07
*** nati_ueno has quit IRC18:09
*** salgado is now known as salgado-afk18:11
*** tgall_foo has quit IRC18:16
*** datsun180b has joined #openstack-dev18:17
*** nati_ueno_2 has quit IRC18:21
*** nati_ueno has joined #openstack-dev18:22
*** nati_ueno has quit IRC18:22
*** ewindisch has joined #openstack-dev18:24
*** ewindisch_ has joined #openstack-dev18:26
*** jtran has joined #openstack-dev18:27
*** ewindisch has quit IRC18:29
*** ewindisch_ is now known as ewindisch18:29
*** negronjl has quit IRC18:30
*** negronjl has joined #openstack-dev18:31
*** andrewbogott is now known as andrewbogott_afk18:34
*** apevec has quit IRC18:36
*** bitblt has quit IRC18:37
*** heckj has quit IRC18:41
*** heckj has joined #openstack-dev18:44
*** heckj has quit IRC18:44
*** mrunge has quit IRC18:45
*** andrewbogott_afk is now known as andrewbogott18:45
*** ewindisch has quit IRC18:46
*** ewindisch has joined #openstack-dev18:49
*** ewindisch has quit IRC18:52
*** ewindisch_ has joined #openstack-dev18:52
*** EmilienM has quit IRC18:52
*** dolphm has joined #openstack-dev19:03
*** markmcclain has quit IRC19:04
*** lifeless has quit IRC19:09
*** lifeless has joined #openstack-dev19:10
*** adjohn has quit IRC19:15
dolphmcan jenkins run a draft review?19:18
*** jkoelker has quit IRC19:19
*** jkoelker has joined #openstack-dev19:22
*** dwalleck has joined #openstack-dev19:25
clarkbdolphm: I don't think so as draft events are hidden from zuul. What you can do is publish the draft, then change it to work in progress19:25
clarkbwork in progress is like a public draft19:25
*** rods1 has quit IRC19:25
ayoungdolphm, so for migrations now we should define a default "not an admin" role and use that to replace membership19:28
*** dwalleck_ has joined #openstack-dev19:28
dolphmayoung: if necessary, yeah19:28
dolphmayoung: i don't think we need it outside of migrations19:28
dolphmclarkb: thanks19:29
ayoungdolphm, so, why would we grant access to someone if they were not an admin?19:29
*** dwalleck has quit IRC19:29
*** colinmcnamara has quit IRC19:29
ayoungI mean, isn't openstack essentially an admin tool?19:29
dolphmayoung: to a tenant?19:29
ayoungyeah19:29
ayoungI mean, other than "cycle the power"  don't you need admin to do anything interesting?19:30
dolphmayoung: 'access' depends on the details of policy, no?19:30
ayoungdolphm, so, right now, with the membership stuff, doesn't that essentially deny the user the ability to do anything to the tenant?  They have to have a role, so migrating them into member is essentially disabling their tenant access19:31
dolphmayoung: hopefully 'member' is an exceptional case ... in that most records in the membership table represent "default tenancy"19:32
dolphmayoung: which i'm moving to the User.tenant_id attribute19:32
ayounghmmmm19:33
*** markmcclain has joined #openstack-dev19:33
ayoungdolphm, that seems like a stretch for an assumption.  Anything to back it up?19:33
dolphmayoung: i'm thinking the migration to remove the UserTenantMembership table will go like this...19:34
dolphmayoung: 1) if the user has a role on the tenant already, it's safe to delete the record of Membership19:34
*** dwalleck_ has quit IRC19:34
dolphmayoung: 2) if the user has no role on the tenant, make it their default tenant19:34
dolphmayoung: 3) if they already have a default tenant... grant the 'member' role (creating such a role only if necessary)19:35
dolphm4) nuke the membership table :)19:35
ayoungdolphm, that makes it a little order dependent, no?19:35
dolphmayoung: yeah -- not sure how else to handle it?19:36
dolphmayoung: go back and revoke default tenancy and grant 'member' role twice?19:36
ayoungdolphm, so there was no comparable concept to default tenant in Nova beforehand?19:36
dolphmayoung: or just panic and sqldump19:36
dolphmayoung: i think 'membership' is what the idea of 'default tenancy' grew out of -- however, we use it for a default authentication scope now19:37
*** maurosr has quit IRC19:37
dolphmayoung: and i don't think there was anything in nova legacy auth that prevented you from having multiple memberships19:38
dolphmayoung: so the concepts aren't 1:119:38
dolphm(1:1 as in analogous to each other)19:38
ayoungdolphm, OK, but should we have a parking lot for any user that does not have a default tenant_id then?19:39
dolphmayoung: what do you mean?19:39
ayoungdolphm, well, if we migrate someone, and they don't have any tenants in Nova, they end up in Limbo in Keystone, right?19:40
ayoungOr, is that acceptable?19:40
*** jkoelker_ has joined #openstack-dev19:45
*** thinrhino has joined #openstack-dev19:45
*** jkoelker_ has quit IRC19:47
*** dwalleck has joined #openstack-dev19:47
dolphmayoung: you mean they don't have any tenants, period?19:51
ayoungdolphm, yeah19:51
dolphmayoung: nothing would change for them, right?19:51
ayoungyeah19:51
ayoungso no problem19:52
dolphmayoung: they didn't have any membership records before, they don't get anything new19:52
ayoungthe only issue would be what if a user got the wrong default?  That should be OK,  but who could change it for them?19:52
dolphmayoung: what would make it wrong?19:52
dolphmayoung: we could also avoid setting User.tenant_id and just grant lots of 'member' roles, and market it as the new hotness19:53
ayoungdolphm, let me restate.  How would a user go about changing their default tenant_id?19:53
dolphmayoung: in v2, that'd be admin19:54
dolphmayoung: in v3, it could be doable with a policy.json allowing a user to update themselves19:54
*** Exhar has joined #openstack-dev19:54
ayoungdolphm, OK...I think your logic works19:54
dolphmPATCH /users/{my_user_id}: {'user': {'tenant_id': 'my-preferred-default'}}19:55
dolphmdashboard users of course expect to be able to set their own passwords ^^ a *major* reason i don't want to split the identity api into two halves ... the dividing line between halves is going to be blurry and fought over19:56
*** dwalleck has quit IRC19:57
dolphmayoung: what would you rather do, set default tenancy or *just* grant 'member'19:57
*** dwalleck has joined #openstack-dev19:58
dolphmayoung: and i'm still curious about how all this is going to work in ldap? :)19:58
ayoungdolphm, in LDAP,  we drop the members attribute19:58
ayoungdefault tenant_id is stored in...19:58
*** dprince has quit IRC19:59
ayoungum, default tenant_id is not stored in LDAP20:00
ayoungis it even necessary?20:00
*** dwalleck has quit IRC20:01
*** rkukura has quit IRC20:01
*** EmilienM has joined #openstack-dev20:01
*** rkukura has joined #openstack-dev20:01
*** dwalleck has joined #openstack-dev20:02
dolphmayoung: lol i'd call it a convenience, personally20:02
dolphmayoung: i would drop it all together if i could, and just return a list of tokens on POST /tokens20:03
*** salgado-afk is now known as salgado20:04
ayoungdolphm, this is what I have to work with http://www.fpaste.org/NMmX/20:04
dolphmayoung: obviously it belongs in homePhone20:05
ayoungdolphm, which descends from http://www.fpaste.org/ptSh/20:05
*** dwalleck has quit IRC20:06
ayoungactually, I guess I could have gone with organizationalPerson...thought I had20:06
*** Exhar has quit IRC20:11
*** al-maisan is now known as almaisan-away20:12
*** novas0x2a|laptop has joined #openstack-dev20:16
dolphmayoung: ldap changes more or less complicated than corresponding sql changes?20:16
*** openstackgerrit has quit IRC20:18
*** openstackgerrit has joined #openstack-dev20:18
*** dwalleck has joined #openstack-dev20:20
ayoungdolphm, I think comparable...still looking. Not sure where the tenant_id change you made comes from20:21
ayoungOh, I might have been reading it backward20:22
ayoungok, so you are *adding* tenant_id to the user object, not removing it.  Um..can I veto that?20:23
ayounghow was default tenant recorded in sql before?20:24
*** sniperd_ has quit IRC20:27
ayoungdolphm, yeah, I don't see any reason to put tenant_id in the user table.  If anything, we want to move away from default tenant_id, I think20:28
ayoungAFAICT it is a poor man's "preferences" for the web UI.20:28
vishyannegentle: responded on: https://review.openstack.org/#/c/11263/20:30
*** roge_ has quit IRC20:31
*** japage has quit IRC20:31
*** roge has joined #openstack-dev20:34
dolphmayoung: accurate description, imo20:40
ayoungdolphm, so, let's leave it out of V3?20:41
dolphmayoung: well... you won't get disagreement from me...20:41
annegentlevishy: thx that's a small list so far :)20:43
dolphmayoung: it'd still be nice to have a way to auth in a single call though, without knowing a tenant id/name20:44
dolphmayoung: so, we'll get less resistance dropping that feature if we have another solution for that use case ^ (returning a list of tokens is my suggestion, i know i've heard of another?)20:45
ayoungdolphm, I am tending to disagree.  I've been thinking that auth should be specific to the tenant you want....there is a nice separation of concerns where you use userid-password to get unscoped token, and only  unscoped to get a scoped token20:45
dolphmayoung: as in, authn vs authz?20:47
ayoungthen we can add an additional type of token for cross domain requests20:47
*** Exhar has joined #openstack-dev20:47
ayoungdolphm, yes20:47
*** chrisfer has quit IRC20:47
ayoungBut maybe I've lived in the kerberos world for too long20:48
dolphmayoung: not disagreeing, but it's 3 calls :-/ ... POST /tokens, GET /users/{user_id}/tenants, POST /tokens20:49
*** thinrhino has quit IRC20:49
dolphmi wonder how many users don't actually know their tenant id/name from the beginning, and actually go through the entire flow?20:50
Ryan_Lanehaving to get tenant tokens is annoying20:50
Ryan_Laneit's especially annoying that they also embed the role info into them20:50
ayoungRyan_Lane, security is annoying20:50
dolphmGET /users/{user_id}/projects*20:50
Ryan_Laneif I modify a user's roles, their old tokens are now invalid20:51
ayoungpassing userid password around is not the best practice20:51
Ryan_Laneayoung: how's it more secure?20:51
Ryan_Laneit's less secure imo20:51
Ryan_Lanewhat happens when the user is disabled?20:51
Ryan_Laneare all of their tenant tokens still valid?20:51
ayoungnope20:51
ayoungthey are all invalidated20:51
Ryan_LaneI'm still not seeing how tenant tokens are more secure20:52
dolphmhow would username/password be different in the case of a user being disabled?20:52
Ryan_Laneembedded roles are my biggest complaint, though20:52
Ryan_Laneuser gets a token, their roles change, now they need a new token20:53
dolphmRyan_Lane: honestly, i see them both as credentials, except you can only exchange one for the other in a single direction (i can't trade a token for your password)20:53
*** jimfehlig has quit IRC20:53
ayoungRyan_Lane, OK...the short of it is that all web based authn is insecure.  The best option is to use PKI or Kerberos.20:53
Ryan_Lanebut they get a token based on the authentication, that token can get any other token20:53
Ryan_Laneit all goes back to the same insecure authentication20:54
ayoungRyan_Lane, it is worse than that20:54
ayoungas the token is a shared secret.  Once someone knows a token, they have your auth20:54
Ryan_Laneyes20:54
dolphmuntil the token expires or is revoked20:55
Ryan_Laneso, I don't see how tenant tokens make this situation any better20:55
ayoungdolphm, yep20:55
ayoungso, if an unscoped token can only get a scoped token,  and then only the scoped tokens are passed around, you limit the likely damage to just that tenant20:55
Ryan_Lanethe worry isn't in transit20:56
Ryan_Lanethat's what https is for20:56
Ryan_Laneyou have to assume you are fucked if you aren't using https20:56
dolphm+120:56
Ryan_Lanethe worry is hijacking the token before transit20:57
Ryan_Laneweb interfaces save all of the tokens. an sql injection or similar attack vector will be able to get all of the tokens20:57
Ryan_Lanesame with the cli20:57
Ryan_Lanehell, the cli currently only accepts passwords20:58
Ryan_LaneI guess that's pluggable now20:58
dolphmRyan_Lane: only accepts passwords?20:58
Ryan_Lanesorry. I'm thinking of the essex version20:58
Ryan_LaneI don't see an option for using a token20:58
Ryan_Laneit re-auths every single attempt in the essex version20:59
*** openstackgerrit has quit IRC20:59
*** matwood has quit IRC20:59
dolphmRyan_Lane: i feel like --token and --endpoint have been options since before essex20:59
*** openstackgerrit has joined #openstack-dev20:59
dolphmor some equivalent20:59
ayoungRyan_Lane, so the CLI does tokens under the covers. I was proposing using Keyring as a way to cache tokens20:59
Ryan_Lanedolphm: only keystone cli accepts tokens20:59
Ryan_Lanethe keyring is a good idea, but tenant tokens don't help there either20:59
ayoungBut seriously, it feels like we've reimplemented a good chunk of Kerberos as it is20:59
Ryan_Lanethe keyring is going to take the generic token21:00
Ryan_Lanewhich means if it's owned, then all your projects are owned21:00
kbringardwhat's the best way to perform a healthcheck against the EC2 api for something that considered 4XX errors to be a failure21:02
kbringard / gives a 404 and /services/Cloud gives a 400 if you didn't auth21:02
Ryan_Laneayoung: so, is there any reasonable solution to the issue of roles?21:03
Ryan_Laneright now I invalidate project tokens from my web interface's cache when a role changes, but that doesn't work if the roles are changed outside of the interface21:03
*** dwalleck has quit IRC21:04
Ryan_LaneI don't see why roles are embedded in a token21:04
vishyannegentle: yes there is a lot to be done :)21:04
annegentleheh it looks better now than it did when I first clicked :)21:04
openstackgerritA change was merged to openstack/quantum: fixes cisco nexus plugin delete network issue  https://review.openstack.org/1191721:04
dolphmRyan_Lane: i'm not sure end-users need to see their list of roles in the first place? seems like a management concern21:06
Ryan_Lanedolphm: that's not what I mean21:06
Ryan_Lanedolphm: the web interface will automatically fetch a project token for the user when they try to access a project21:07
Ryan_Lanethe token has the roles in it21:07
dolphmsure21:07
Ryan_Laneif I add the user to the sysadmin group, then their project token is now invalid21:07
Ryan_Lanebecause the roles are embedded in the token21:07
Ryan_Lanethe web interface has no clue of this. it sees the user has a valid project token21:08
dolphmRyan_Lane: the user gets an Unauthorized on their next request, they re-authenticate, and go on their merry way21:08
Ryan_Lanefrom its perspective, it shouldn't get a new one for another day (or in my case a week)21:08
Ryan_Laneno21:08
Ryan_Lanethey don't21:08
Ryan_Lanethe old token is still valid21:08
dolphmRyan_Lane: not if they can't use it21:08
Ryan_Lanehow does the web interface know?21:08
Ryan_Lanefrom its perspective the token is valid. the user just isn't in the role21:09
*** openstackgerrit has quit IRC21:09
dolphmit gets Unauthorized responses pointing at keystone21:09
*** openstackgerrit has joined #openstack-dev21:09
Ryan_Lanea 401 is actually a perfectly valid response for the interface to get21:09
Ryan_Laneit shouldn't try to re-auth the user21:09
dolphmRyan_Lane: https://github.com/openstack/keystone/blob/master/keystone/middleware/auth_token.py#L33321:10
Ryan_Laneotherwise, the interface should just re-auth the user every single request21:10
Ryan_LaneI don't see how that function means anything to me21:10
dolphmRyan_Lane: auth rejection includes a WWW-Go-Authenticate-With-Keystone-And-Come-Back header21:10
*** daddyjoseph97 has joined #openstack-dev21:10
Ryan_Lanethis occurs when a token is known to be bad?21:11
Ryan_Lanebecause the roles change?21:11
*** jimfehlig has joined #openstack-dev21:11
dolphmRyan_Lane: authz rejection will occur from inside the service, and won't have that header21:11
dolphmRyan_Lane: yes21:11
Ryan_Laneor does it also do this if the token's roles are valid too21:11
dolphmRyan_Lane: if the token is valid this won't be hit21:11
Ryan_Laneso, this is a header I need to read?21:12
dolphmRyan_Lane: this is just for authn failure (including revoked tokens)21:12
*** dwalleck has joined #openstack-dev21:12
Ryan_Lanewhat response will be given if a token is just rejected because the user isn't in the role?21:13
dolphmRyan_Lane: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2 "The response MUST include a WWW-Authenticate header field" "the 401 response indicates that authorization has been refused for those credentials"21:13
Ryan_Laneisn't that the exact same response I'll get if the user simply isn't in the role?21:14
dolphmRyan_Lane: the answer to *that* depends on the policy engine in the underlying service that makes that decision21:14
Ryan_Laneo.O21:14
*** dwalleck has quit IRC21:15
Ryan_Laneis there a use case that makes having the roles in the token useful?21:15
dolphmRyan_Lane: not one you'll hear from me21:15
Ryan_Lane:D21:15
Ryan_Lane:(21:15
dolphmRyan_Lane: it's useful in the token validation response, of course, but i don't see how it's useful in the authentication response21:16
jgriffithAnybody else having issues trying to create instances in devstack today?21:16
Ryan_Laneif a user is removed from a role, and they authenticate using an old token that has the role in the token, what happens?21:16
*** lts has quit IRC21:16
*** ncode has quit IRC21:16
Ryan_Laneto another service, like nova, for instance21:17
dolphmold but not-expired?21:17
Ryan_Lanedoes nova check with keystone? or does it trust the token?21:17
*** zaneb has quit IRC21:17
Ryan_Laneyes21:17
dolphmnova is protected by auth_token21:17
dolphmauth_token validates the token with keystone21:17
Ryan_Lanethe token is still valid, though, isn't it?21:17
dolphminjects roles from the validation response into the wsgi env for nova to use21:18
Ryan_Laneheh21:18
Ryan_Laneso, for removed roles this works properly, but when roles are added, it fails21:18
dolphmat that point, yes, nova trusts the token and the context21:18
Ryan_Lanewait....21:18
Ryan_Lanemaybe I misread you21:18
Ryan_Laneif I pass a non-expired token to nova that says I'm a sysadmin, it trusts the token?21:19
*** openstackgerrit has quit IRC21:19
dolphmif roles change at all, validation with keystone *should* fail because the token *should* have been revoked as a result21:19
*** openstackgerrit has joined #openstack-dev21:19
Ryan_Laneeven if I've been removed?21:19
*** zaneb has joined #openstack-dev21:19
dolphmso auth_token turns the validation failure into an Unauthorized-go-talk-to-keystone-and-come-back-later-40121:19
Ryan_Laneok. that's sane21:19
Ryan_Laneso, the roles are checked anyway21:20
Ryan_Laneso the roles in the token don't help there21:20
dolphmRyan_Lane: if you remove auth_token from your middleware stack, you can trick nova into anything21:20
dolphmRyan_Lane: nope21:20
Ryan_Lanethe roles actively cause failures in the opposite situation, though21:20
dolphmRyan_Lane: what's the opposite situation?21:21
Ryan_Laneif I pass a token to nova that says I'm in sysadmin, and try to do an action that requires netadmin it'll fail. even if I'm in netadmin in keystone21:22
Ryan_Lanethe token just doesn't know21:22
Ryan_LaneI'll need to re-auth. the old token will still be valid for sysadmin actions, though21:22
dolphmRyan_Lane: different roles for the same tenant?21:22
Ryan_Laneyes21:22
Ryan_Laneservices both trust and don't trust the tokens21:23
*** daddyjoseph97 has quit IRC21:23
Ryan_Lane*the roles in the tokens21:23
Ryan_Lanethey are being used as authn and authz, but not in an actually trusted way for authz21:24
dolphmRyan_Lane: i'm pretty sure i'm not making this all up, but i actually don't see where role grants/revokes reach out and invalidate tokens in keystone... i wonder if that was missed in the rewrite?21:27
*** andrewbogott is now known as andrewbogott_afk21:27
Ryan_Lanethat's scary21:27
dolphmRyan_Lane: yes it is... i'm going to test it21:28
dolphmhopefully i'm just looking in the "wrong" place21:28
*** mtreinish has quit IRC21:28
*** openstackgerrit has quit IRC21:29
dolphmconsidering admins can't list tokens through the API, i'm not sure where you would remove that responsibility to?21:29
*** openstackgerrit has joined #openstack-dev21:29
Ryan_Laneyeah. that's not a good situation21:30
dolphmmove*21:30
*** cloudvirt has joined #openstack-dev21:30
Ryan_LaneI can invalidate tokens from my web cache21:30
Ryan_Lanebut i have no way to do it through keystone21:30
dolphmDELETE /tokens/{token_id}21:30
Ryan_Laneand really, in the case of an ldap backend, keystone doesn't even know that the roles have changed21:30
*** rnirmal has quit IRC21:31
Ryan_Lanereally roles should be checked every time a token is used21:31
dolphmbut you have to know the token ID, there's no GET /tokens or GET /users/{user_id}/tokens21:31
Ryan_Laneeven then, you need to know to do it by project too21:31
Ryan_Laneand what if you manage roles through ldap directly?21:31
Ryan_Lanekeystone really needs to handle this21:31
Ryan_Lanethe responsibility can't be moved to a manager21:32
*** Exhar has quit IRC21:32
*** openstackgerrit has quit IRC21:33
*** openstackgerrit has joined #openstack-dev21:33
*** openstackgerrit has quit IRC21:34
*** openstackgerrit has joined #openstack-dev21:34
ayoungRyan_Lane, so this is one artifact of PKI tokens.  The user will likely need a way to say "get me a new scoped token" to the web UI.21:34
ayoungWe don't cache21:35
ayounger21:35
dolphmRyan_Lane: alternatively, keystone could just build the list of roles on every validation call, and then you wouldn't have to revoke tokens in that scenario21:35
ayoungwe don't reissue tokens, so the new token will have the roles21:35
Ryan_Laneif the roles are checked every time, then the token can simply be used for authentication21:35
ayoungdolphm, nope21:35
dolphmayoung: why not?21:35
Ryan_Laneand the roles can be removed from the token21:35
ayoungthat means each call has to go back to Keystone, which is what PKI tries to avoid21:35
Ryan_Lanethere's no way to change the expiration time of project vs generic tokens21:36
ayoungdolphm, what you described is how the uuid tokens currently work21:36
openstackgerritA change was merged to openstack/nova: Adds integration testing for api samples  https://review.openstack.org/1126321:36
Ryan_Laneso, if I want my generic token to last a week, my project ones need to last a week too21:36
dolphmayoung: right-- i'm trying to figure out why deleting a role from a user doesn't revoke tokens in our impl (or if it does, where that happens?)21:36
*** openstackgerrit has quit IRC21:37
*** openstackgerrit has joined #openstack-dev21:37
Ryan_Lanethis means that I have no way of controlling how quickly my roles are valid/invalid21:37
openstackgerritA change was merged to openstack/nova: Returns hypervisor_hostname in xml of extension  https://review.openstack.org/1168121:37
Ryan_Laneerr21:37
Ryan_Lanehow quickly they are invalidated21:37
openstackgerritA change was merged to openstack/nova: Ensure hairpin_mode is set whenever vifs is added to bridge.  https://review.openstack.org/1192521:37
dolphmayoung: i don't see anything calling delete_token other than the router21:39
*** sacharya has quit IRC21:39
*** openstackgerrit has quit IRC21:39
*** openstackgerrit has joined #openstack-dev21:39
dolphmayoung: (one exception): disabling a user or changing a user's password revokes all tokens21:39
ayoungif a token gets revoked, the remote service will find out next time the revocation list gets published.  But if a user gets 401s or something due to them recently getting a role, they need to get a new token that has the new roles in it21:40
ayoungdolphm, right21:40
dolphmayoung: yes, but tokens should also be revoked when roles are granted/revoked21:40
ayoungdolphm, I am not sure if it is possible to get all tokens for a user/tenant combination21:40
ayoungrevoked on revoke, certainly21:41
Ryan_Lanecan we make a private channel for this discussion?21:41
Ryan_Lanetemporarily?21:41
dolphmRyan_Lane: pm me one21:41
ayoungand me21:42
*** colinmcnamara has joined #openstack-dev21:42
*** cloudvirt has quit IRC21:43
openstackgerritA change was merged to openstack/nova: Clean up network create exception handling  https://review.openstack.org/1192721:43
openstackgerritA change was merged to openstack/nova: Simplify network create logic  https://review.openstack.org/1192821:45
*** lifeless has quit IRC21:45
*** belliott has quit IRC21:47
openstackgerritA change was merged to openstack/nova: Check volume status before detaching.  https://review.openstack.org/1192921:47
*** cloudvirt has joined #openstack-dev21:47
openstackgerritA change was merged to openstack/nova: Trap iscsiadm error  https://review.openstack.org/1193021:47
openstackgerritA change was merged to openstack/nova: Remove unused and old methods in hyperv and powervm driver.  https://review.openstack.org/1193221:48
*** daddyjoseph97 has joined #openstack-dev21:49
*** openstackgerrit has quit IRC21:49
*** openstackgerrit has joined #openstack-dev21:49
openstackgerritA change was merged to openstack/nova: Make pre block migration create correct disk files.  https://review.openstack.org/1193421:49
*** andrewbogott_afk is now known as andrewbogott21:51
*** ewindisch_ has quit IRC21:52
*** Gordonz has quit IRC21:53
*** markmcclain has quit IRC21:54
*** cloudvirt has quit IRC21:56
bcwaldonclarkb: is the 'rfc.sh' script necessary anymore?21:57
*** maoy has quit IRC21:57
jeblairbcwaldon: it is not21:57
clarkbbcwaldon: I don't think so. jeblair deleted swift's I think21:57
bcwaldonword21:57
bcwaldoncan I get one of you two to support this review? https://review.openstack.org/#/c/11958/21:58
*** openstackgerrit has quit IRC21:59
*** openstackgerrit has joined #openstack-dev21:59
*** ayoung is now known as ayoung-afk22:01
*** markmcclain has joined #openstack-dev22:02
bcwaldonjeblair: thanks :)22:05
*** openstackgerrit has quit IRC22:09
*** openstackgerrit has joined #openstack-dev22:09
*** dspano has quit IRC22:11
*** prao has joined #openstack-dev22:12
*** rpedde is now known as rpedde_away22:15
bcwaldondolphm: did you figure out your user-tenant issue?22:17
*** datsun180b has quit IRC22:18
*** lifeless has joined #openstack-dev22:19
*** daddyjoseph97 has quit IRC22:20
jgriffithSeems create instances fails on devstack due to scheduling filter: http://paste.openstack.org/show/20475/22:21
jgriffithAnybody know what changed?22:21
*** colinmcnamara has quit IRC22:25
*** colinmcnamara has joined #openstack-dev22:25
*** pixelbeat has quit IRC22:27
*** troytoman is now known as troytoman-away22:29
dolphmbcwaldon: dealing with another issue at the moment, but i think we have a direction for the time being, yes22:29
bcwaldondolphm: cool22:29
*** jkff has joined #openstack-dev22:29
*** kbringard has quit IRC22:35
*** rohit404 has quit IRC22:40
jkffHi. Can anyone remind me who can *approve* changes at review.openstack.org? It seems that a LGTM from a core reviewer is not the same thing.22:41
jeblairjkff: core reviewers for the project in question can approve changes22:42
jkffjeblair: thanks22:42
clarkbtypically you need two +2 code reviews before approval is given22:43
jkffYup, I see it now at http://wiki.openstack.org/GerritJenkinsGithub22:43
jkffPrecisely http://wiki.openstack.org/GerritJenkinsGithub#Reviewing_a_Change22:43
jkffWhat is the polite way to ask a core reviewer to review a change without seeming pushy?22:44
jkffAlso, is there a list of "core reviewer per project" somewhere? I can't find it on the project pages of review.openstack.org nor on the wiki22:47
jeblairjkff: check launchpad.net/~foo-core (where foo is the project)22:48
jgriffithhmm... seems memory requirements have changed22:53
openstackgerritA change was merged to openstack/glance: Add nosehtmloutput as a test dependency.  https://review.openstack.org/1175622:57
*** titankiller has quit IRC22:57
*** lifeless has quit IRC22:58
*** nunosantos has quit IRC22:59
jkffjeblair: thanks again :)22:59
*** lifeless has joined #openstack-dev22:59
openstackgerritA change was merged to openstack/glance: Correctly re-raise exception on bad v1 checksum  https://review.openstack.org/1162423:00
jkffIs it considered polite to add a core reviewer to a change, thus asking them to review it, or are they usually very busy people and one waits until they get to the change themselves in their "reviewable" queue?23:04
*** lifeless has quit IRC23:04
*** lifeless has joined #openstack-dev23:05
jgriffithjkff: I don't think that adding them to the reviewer list is impolite....23:05
jgriffithjkff: Folks are rather busy right now, so sometimes things slip23:05
clarkbI have also pinged people on IRC asking for reviews23:05
jgriffithjkff: suggestion by clarkb is probably your best bet23:06
jkffOk, thanks!23:06
*** rods1 has joined #openstack-dev23:07
*** jimfehlig has quit IRC23:07
jkffwell, then...23:08
jkffrussellb: I've added you to a change about RabbitMQ H/A https://review.openstack.org/#/c/10305/, so I'd be happy if you took a look at it, it's been hanging there for quite a while :)23:08
jkffAnd on the topic of H/A, there's also a change by Deva van der Veen about database H/A which I think is very important: https://review.openstack.org/#/c/10797/ - without it, currently, you can't even restart a database server without breaking openstack23:09
jkffOnce these two are in place, all that remains for solid H/A is probably retries on REST calls - which, I believe, are just keystone and glance API, right?23:10
*** belliott has joined #openstack-dev23:10
openstackgerritA change was merged to openstack/quantum: Move metaplugin test for common test directory  https://review.openstack.org/1144723:11
*** jkff_ has joined #openstack-dev23:14
*** jkff has quit IRC23:15
*** jkff_ has quit IRC23:15
*** jkff has joined #openstack-dev23:15
*** lloydde has quit IRC23:17
*** AlanClark has quit IRC23:18
*** jkff has quit IRC23:22
*** jkff has joined #openstack-dev23:23
*** e1mer has joined #openstack-dev23:24
*** e1mer has joined #openstack-dev23:24
jgriffithjeblair: ping23:24
clarkbjgriffith: if you have generic CI questions/problems and don't specifically need jeblair I will be happy to help (or attempt to help)23:26
jgriffithclarkb: cool!23:27
*** cloudvirt has joined #openstack-dev23:27
jgriffithclarkb: I was just wondering, if it was possible to do *detailed* searches in gerrit?23:27
*** samkottler|bbiab is now known as samkottler23:27
jgriffithclarkb: So more than just "status:open nova" etc23:27
clarkbyes, you can filter on quite a lot of things23:27
jgriffithclarkb: Yay!23:27
clarkbjgriffith: https://review.openstack.org/Documentation/user-search.html23:28
jgriffithclarkb: EXCELLENT!  Just what I was hoping for23:28
clarkbon that page there is a search operators list23:28
jgriffithclarkb: Thanks much!23:28
clarkbnp23:28
jkffCool! e.g. https://review.openstack.org/#/q/message:mysql,n,z23:29
jgriffithclarkb: Oh, this makes things soooo much easier!23:29
*** markmcclain has quit IRC23:36
*** hemna has quit IRC23:36
*** dachary has quit IRC23:36
*** ncode has joined #openstack-dev23:36
*** cloudvirt has quit IRC23:40
openstackgerritA change was merged to openstack/glance: PEP8 fix in conf.py  https://review.openstack.org/1185023:42
jkffWhoa, the rate of merges is pretty high23:43
*** zhuadl has joined #openstack-dev23:44
*** colinmcnamara has quit IRC23:44
*** markmcclain has joined #openstack-dev23:45
*** ncode has quit IRC23:45
*** asalkeld has quit IRC23:45
*** Ryan_Lane has quit IRC23:46
*** Ryan_Lane has joined #openstack-dev23:46
*** dolphm has quit IRC23:46
openstackgerritA change was merged to openstack/nova: Add missing context argument to start_transfer calls  https://review.openstack.org/1195123:48
*** mnewby has quit IRC23:50
jkffHeh, Mark McLoughlin's post answers some of my questions to an extent: http://blogs.gnome.org/markmc/2012/08/20/submitting-new-features-to-nova/23:50
jkff"Think about what it is like to be a nova-core reviewer looking at a list of 40 to 60 reviews and having maybe 2 hours today to do reviews"23:50
*** mnewby has joined #openstack-dev23:53
*** zhuadl has quit IRC23:55
*** mnewby has quit IRC23:56
*** tgall_foo has joined #openstack-dev23:59
*** tgall_foo has quit IRC23:59
*** tgall_foo has joined #openstack-dev23:59
