Wednesday, 2013-02-20

[00:00] gyee: I don't see any get_scoped_token call in test_v3_identity
[00:00] openstackgerrit: A change was merged to openstack/cinder: Add a safe_minidom_parse_string function. https://review.openstack.org/22310
[00:01] dolphm: gyee: class IdentityTestCase(test_v3.RestfulTestCase)
[00:01] *** reed has joined #openstack-dev
[00:02] *** kagan has joined #openstack-dev
[00:02] *** vipul is now known as vipul|away
[00:02] *** vipul|away is now known as vipul
[00:02] gyee: right, but it is essentially using user_foo's scoped token
[00:02] dolphm: gyee: test_create_domain calls self.post() which calls self.v3_request() which calls self.get_scoped_token()
[00:02] gyee: right
[00:02] gyee: but it is using user_foo's account
[00:03] *** hemna is now known as hemnafk
[00:03] *** vkmc has quit IRC
[00:03] *** epim has joined #openstack-dev
[00:05] dolphm: gyee: i take it you see the issue that needs to be fixed with test coverage then?
[00:05] *** topol has quit IRC
[00:06] *** pabelanger has quit IRC
[00:06] gyee: dolphm, I am not sure if we need to lump this all together with token API changes
[00:07] lifeless: sdague: https://bugs.launchpad.net/testtools/+bug/1130429
[00:07] uvirtbot: Launchpad bug 1130429 in testtools "ConcurrentTestSuite silently eats exceptions from run(result)" [Critical,Triaged]
[00:07] gyee: clearly, there's a bug in policy engine
[00:07] gyee: keystone.policy.backends.rules: DEBUG: enforce identity:update_user: {'tenant_id': u'bar', 'user_id': u'foo', u'roles': [u'admin', u'_member_']}
[00:07] gyee: keystone.common.wsgi: WARNING: You are not authorized to perform the requested action: identity:update_user
[00:07] gyee: user has admin role
[00:07] dolphm: gyee: if keystone isn't testing its own tokens against itself, then what's the point?
[00:08] gyee: dolphm, we are testing tokens in test_v3_token
[00:08] gyee: see the POST /auth/tokens there
[00:09] *** david-lyle has quit IRC
[00:09] dolphm: gyee: http://en.wikipedia.org/wiki/Eating_your_own_dog_food
[00:09] gyee: :)
[00:09] gyee: but we keep adding pork to this bill
[00:09] *** zykes- has quit IRC
[00:09] dolphm: gyee: all the v3 tests are designed to dogfood auth, which is supposed to be our core competency
[00:09] dolphm: gyee: bypassing that doesn't get us anywhere
[00:10] gyee: not bypassing
[00:10] *** donaldh has quit IRC
[00:10] gyee: see policy.json, almost all the APIs there need to be admin
[00:10] gyee: I don't think the bug's in token API
[00:11] *** alexxu has joined #openstack-dev
[00:11] heckj: gyee, dolphm, henrynash: not super critical, but merging in the installvenv fix from oslo upstream for keystone: https://review.openstack.org/22383
[00:11] lifeless: sdague: and https://bugs.launchpad.net/subunit/+bug/1130432
[00:11] uvirtbot: Launchpad bug 1130432 in subunit "broken details objects break reporting of errors - invalid stream generated" [Wishlist,Triaged]
[00:12] lifeless: clarkb: ^ both that and the other one I linked to sdague a few minutes back. FYI no action required.
[00:12] dolphm: heckj: +2'd
[00:12] gyee: dolphm, right now is_admin is dictated by the ADMIN token
[00:12] dolphm: gyee: which is absolutely not a token
[00:13] dolphm: gyee: policy is not exercised, @protected is completely bypassed, and we throw warnings in the logs
[00:13] gyee: https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L61
[00:13] gyee: what I am saying is policy is a separate change being worked on by henrynash
[00:13] dolphm: gyee: yes, that is middleware that should be completely removed in a production environment
[00:14] *** alunduil has joined #openstack-dev
[00:14] *** davidlenwell has quit IRC
[00:14] gyee: dolphm, what? that's where we are getting the X-Subject-Token
[00:15] *** jergerber has quit IRC
[00:15] dolphm: gyee: no, it's not -- that's a hack
[00:16] gyee: you got me confused
[00:16] dolphm: gyee: useful for perhaps bootstrapping a keystone deployment and then it should be discarded
[00:16] *** zykes- has joined #openstack-dev
[00:16] dolphm: keystone.conf admin_token is useful for creating a real admin user in keystone, and then you should remove the AdminTokenAuthMiddleware from your pipeline
[00:17] gyee: k
[00:17] dolphm: gyee: if your deployment is backed by ldap or any other external user store, you should never have it in your pipeline at all
[00:17] gyee: I am not fan of the ADMIN token either
[00:17] *** digitalsanctum has quit IRC
[00:18] *** digitalsanctum has joined #openstack-dev
[00:20] *** markmcclain has quit IRC
[00:22] Ryan_Lane: how do things work without the admin token?
[00:23] *** digitalsanctum has quit IRC
[00:23] Ryan_Lane: does the admin user need to be in an admin role of every project?
[00:23] Ryan_Lane: or a single project?
[00:23] *** sulrich has quit IRC
[00:24] Ryan_Lane: admin token is easy to deal with and is no less secure than a user
[00:25] Ryan_Lane: I'd argue that it's possibly more secure, as when you need to change the credentials, you push it out to every node and you're done. No need to worry about revoking tokens and such
[00:26] *** mrodden has quit IRC
[00:26] *** jkoelker has quit IRC
[00:26] *** rgoodwin has quit IRC
[00:27] *** jkoelker has joined #openstack-dev
[00:28] *** eharney has quit IRC
[00:28] *** vipul is now known as vipul|away
[00:28] dolphm: Ryan_Lane: without the static admin_token, a user with the role defined by your policy.json's "admin_required" rule will be applied across all v2 api calls, which tenant it was granted on doesn't matter, although you could restrict that with policy.json as well
[00:28] *** rgoodwin has joined #openstack-dev
[00:29] dolphm: Ryan_Lane: the v3 API is enumerated call by call in policy.json so that you can be more granular about that stuff
[00:29] *** vipul|away is now known as vipul
[00:30] Ryan_Lane: so a role in a single tenant is treated like a global role?
[00:31] *** pabelanger has joined #openstack-dev
[00:31] *** BLZbubba has quit IRC
[00:33] *** dontalton has quit IRC
[00:33] *** mjfork has quit IRC
[00:36] *** tomoe_ has quit IRC
[00:36] *** tomoe_ has joined #openstack-dev
[00:37] *** Tross has quit IRC
[00:37] openstackgerrit: A change was merged to openstack/oslo-incubator: Avoid using cfg in install_venv_common https://review.openstack.org/22368
[00:39] *** yidclare has quit IRC
[00:40] *** kmartin is now known as kmartin_zz
[00:41] *** kmansel has quit IRC
[00:41] *** jergerber has joined #openstack-dev
[00:41] *** yidclare has joined #openstack-dev
[00:43] *** nati_ueno has quit IRC
[00:43] *** tomoe_ has quit IRC
[00:43] *** tomoe_ has joined #openstack-dev
[00:43] *** nati_ueno has joined #openstack-dev
[00:44] *** digitalsanctum has joined #openstack-dev
[00:45] dolphm: Ryan_Lane: policy.json's default definition for admin_required doesn't specify a tenant
[00:45] Ryan_Lane: so an admin in any project is an admin everywhere?
[00:46] dolphm: Ryan_Lane: according to policy.json default definition of admin_required, yes
[00:46] Ryan_Lane: scary :)
[00:46] Ryan_Lane: is some concept of global roles ever coming back. that's basically what this is
[00:47] Ryan_Lane: except a scary version of it
[00:47] *** krtaylor has quit IRC
[00:47] Ryan_Lane: s/./?/
[00:47] dolphm: Ryan_Lane: trying to work towards domain-specific roles to solve that use case
[00:47] Ryan_Lane: great
[00:47] Ryan_Lane: I need that badly :)
[00:47] *** tomoe_ has quit IRC
[00:48] *** tomoe_ has joined #openstack-dev
[00:48] *** krtaylor has joined #openstack-dev
[00:48] *** gary_th has quit IRC
[00:48] henrynash: gyee: so unless I have this wrong, if you take out the 'ADMIN' it fails…it seems to because authenticate_for_token is itself protected….and tries to look up the token id…(which of course is indeed invalid)
[00:48] openstackgerrit: A change was merged to openstack/nova: Support running periodic tasks immediately at startup https://review.openstack.org/22232
[00:49] openstackgerrit: A change was merged to openstack/keystone: Ensure user and tenant enabled in EC2 https://review.openstack.org/22319
[00:49] gyee: henrynash, I am having trouble with the policy engine
[00:49] gyee: user has 'admin' role
[00:50] henrynash: gyee: the old one I assume?
[00:50] henrynash: gyee: (policy engine that is)
[00:50] gyee: henrynash, I rebased to the latest code
[00:51] gyee: keystone.policy.backends.rules: DEBUG: enforce identity:update_user: {'tenant_id': u'bar', 'user_id': u'foo', u'roles': [u'admin', u'_member_']}
[00:51] gyee: keystone.common.wsgi: WARNING: You are not authorized to perform the requested action: identity:update_user
[00:52] gyee: admin role is in the creds AFAICT
[00:53] openstackgerrit: A change was merged to openstack/nova: Ensure rpc result is primitive types. https://review.openstack.org/22275
[00:53] henrynash: gyee: hmm, odd….I didn't have to change any of the formats of any of the test policies when swapping to the new engine….
[00:53] henrynash: so (at least on the surface) the formats are OK
[00:53] *** tomoe_ has quit IRC
[00:54] *** tomoe_ has joined #openstack-dev
[00:54] gyee: henrynash, we were using the ADMIN token all along
[00:54] openstackgerrit: A change was merged to openstack/nova: Fix key check in instance actions formatter. https://review.openstack.org/22068
[00:54] henrynash: gyee: are u saying you have removed that now?
[00:54] gyee: after switched over to a real token with admin role, all the enforcement are failing
[00:54] gyee: henrynash, dolphm made me do it
[00:55] gyee: :)
[00:55] henrynash: gyee: right, so I am trying to make it work too.
[00:55] gyee: now I am stuck
[00:55] gyee: I feel like that's a separate issue from the token APIs
[00:56] gyee: clearly this is a separate issue
[00:57] henrynash: gyee: I changed my patch (which is based on yours) to take out the ADMIN token part…and I get a failure which appears to be that the token_authentication api call is itself protected…and is expecting a token id to be already there
[00:57] henrynash: gyee: surely anyone should be able to attempt to get a token…why is it protected?
[00:58] gyee: henrynash, I've removed the protected decorator for get token
[00:58] gyee: just use my latest patch
[00:58] henrynash: gyee: ahh…I'm only synced up to version 12
[00:59] *** winston-d_ has joined #openstack-dev
[00:59] henrynash: gyee: I can't see where we have really tested the protection and policy engine calling before
[01:00] gyee: damn that policy engine code is pretty hairy
[01:00] *** alobbs has quit IRC
[01:00] *** alobbs has joined #openstack-dev
[01:02] *** gongysh has joined #openstack-dev
[01:04] henrynash: gyee: is your latest patch 16?
[01:04] gyee: henrynash, yep
[01:07] *** topol has joined #openstack-dev
[01:08] henrynash: gyee: does that patch really stop using "ADMIN"?   won't is_admin always be true in v3_request() ?
[01:08] *** roampune has joined #openstack-dev
[01:09] gyee: henrynash, http://paste.openstack.org/raw/31993/
[01:09] gyee: apply dolphm's changes
[01:09] *** kmartin_zz is now known as kmartin
[01:10] *** pabelanger has quit IRC
[01:12] *** roampune has quit IRC
[01:14] *** yidclare has quit IRC
[01:15] *** pabelanger has joined #openstack-dev
[01:17] gyee: henrynash, definitely something's wrong in the policy engine
[01:17] gyee: none of the rules seem to be loaded
[01:17] bodepd: I found that to get the folsom version of the tempest smoketests to run I had to remove a directory
[01:18] bodepd: rm -Rvf ./tempest/openstack/
[01:18] bodepd: does anyone know why this is?
[01:19] *** diogogmt has joined #openstack-dev
[01:19] *** mlavalle has left #openstack-dev
[01:23] *** colinmcnamara has quit IRC
[01:24] *** bodepd has left #openstack-dev
[01:25] gyee: henrynash, I found the problem
[01:26] henrynash: gyee: great if you have...
[01:26] gyee: it was using tests/policy.json
[01:26] gyee: which has nothing in it
[01:27] *** ctracey has quit IRC
[01:27] henrynash: gyee: ahh…in tests I am starting to write, I write a temp policy file…see end of test_v3_identity in my patch: https://review.openstack.org/#/c/22223/
[01:27] gyee: henrynash, I still see some test failures
[01:28] gyee: I think our policy.json file is not currect
[01:28] gyee: correct
[01:28] gyee: anything that has {*_id} in the rules failed
[01:28] henrynash: gyee: may be true….but if not, we should determine what the differences are….
[01:29] gyee: henrynash, I basically copied etc/policy.json over to tests
[01:29] henrynash: gyee: but maybe that's because we are not loading the correct things into creds/target etc.?
[01:29] *** metral has quit IRC
[01:29] gyee: henrynash, yeah, no domain scoping
[01:30] *** ctracey has joined #openstack-dev
[01:30] gyee: so far all the group_id tests failed
[01:30] henrynash: gyee: so on that….what is it that is missing?  looking at your code, you seem to be issuing the domain token?
[01:31] henrynash: sure, I will update the protected decorator to pass in the domain_id if it's a domain token
[01:31] *** ctracey has quit IRC
[01:31] gyee: henrynash, I didn't implement domain-scope token yet
[01:31] *** ctracey has joined #openstack-dev
[01:31] openstackgerrit: A change was merged to openstack/oslo-incubator: Implement replay detection. https://review.openstack.org/21562
[01:31] openstackgerrit: A change was merged to openstack/oslo-incubator: Fast serialization of RPC envelopes for Kombu https://review.openstack.org/22345
[01:32] henrynash: gyee: but doesn't your formatting token code already do that?
[01:32] gyee: see http://paste.openstack.org/show/32011/
[01:33] gyee: group_id is not in the token
[01:34] *** Nachi has joined #openstack-dev
[01:35] *** Nachi has quit IRC
[01:35] *** Nachi has joined #openstack-dev
[01:36] henrynash: gyee: OK, I gotta hit the sack…its 2:30am here….I'll check in tomorrow see where we are and pick up where what needs doing….send me a note on things that you think need looking at
[01:36] gyee: henrynash, we're hitting code freeze
[01:36] gyee: :)
[01:37] *** nati_ueno has quit IRC
[01:37] henrynash: gyee: not till tomorrow night, we're not
[01:38] openstackgerrit: A change was merged to openstack/oslo-incubator: Fix "DirectConsumer needs mirrored queue support" https://review.openstack.org/21880
[01:38] *** njoy1__ has quit IRC
[01:38] *** njoy_ has joined #openstack-dev
[01:39] openstackgerrit: A change was merged to openstack/nova: Fibre channel block storage support (nova changes) https://review.openstack.org/19992
[01:40] *** njoy has joined #openstack-dev
[01:40] *** njoy_ has quit IRC
[01:40] *** dims has quit IRC
[01:41] openstackgerrit: A change was merged to openstack/nova: Fix XML config tests for disk/net/cpu tuning https://review.openstack.org/22349
[01:41] openstackgerrit: A change was merged to openstack/nova: Fix XMLMatcher error reporting https://review.openstack.org/22350
[01:41] *** stevebaker has quit IRC
[01:43] *** sacharya has joined #openstack-dev
[01:45] *** jkyle has quit IRC
[01:45] *** novas0x2a|lapto1 has joined #openstack-dev
[01:47] dolphm: gyee: i think your password authentication is broken
[01:47] gyee: really?
[01:48] *** novas0x2a|laptop has quit IRC
[01:49] dolphm: gyee: either i'm getting auth_info confused with user_info, which would be easy to do because i'm not clear on what auth_info is (i thought it was just the contents of {'authentication': {'password': { ... } } but that doesn't appear to be the case?
[01:50] dolphm: gyee: either that^ or i'm dumb. and in either case i'm probably dumb
[01:50] *** sthaha has joined #openstack-dev
[01:50] dolphm: gyee: it looks like you're trying to follow the code path that my password follows
[01:50] dolphm: gyee: and it seems to be discarded in the password driver
[01:50] *** anniec has joined #openstack-dev
[01:50] gyee: auth_info is AuthInfo object
[01:51] dolphm: gyee: err, i'm trying to follow the code path that my password follows*
[01:51] dolphm: gyee: yeah, what is that and why are plugins expected to understand an arbitrary object?
[01:51] gyee: it's not arbitrary object
[01:51] *** techlife has quit IRC
[01:51] gyee: its auth.controllers.AuthInfo
[01:52] dolphm: gyee: well it's not a dictionary copy of body['authentication'][auth_plugin]
[01:52] gyee: no
[01:52] dolphm: gyee: why are you passing scope and stuff into the auth driver?
[01:52] *** devoid has quit IRC
[01:52] gyee: take a look at auth.controllers.py
[01:53] *** nati_ueno_2 has quit IRC
[01:53] gyee: because auth driver needs complete information
[01:53] gyee: information should be available to them
[01:53] dolphm: gyee: define complete, and explain why their own namespace isn't sufficient?
[01:53] *** nati_ueno has joined #openstack-dev
[01:53] gyee: it is up to the driver to make use if it, or not
[01:53] *** dims has joined #openstack-dev
[01:54] *** AlanClark__ has quit IRC
[01:54] *** AlanClark__ has joined #openstack-dev
[01:54] *** nerd has quit IRC
[01:54] dolphm: gyee: you're absolutely demanding that the driver understand that object
[01:55] dolphm: gyee: and therefore tightly coupling a proprietary driver with our arbitrary object
[01:55] gyee: I am trying to make it easier for the drivers so they don't have to do other checks
[01:55] dolphm: gyee: you're passing the driver WAY too much information
[01:55] *** reed has quit IRC
[01:56] gyee: AuthInfo is used to encapsulate the auth body
[01:56] dolphm: gyee: it encapsulates the entire request, not just auth, and especially not just the authentication method's namespace, which is all it needs
[01:57] gyee: driver needs as much information to determine auth decision
[01:57] *** megha has joined #openstack-dev
[01:57] gyee: I don't see any problem with making that information available
[01:57] *** nati_ueno has quit IRC
[01:58] dolphm: gyee: because it's awful and completely out of scope and tightly coupled
[01:58] dolphm: gyee: i'm staring at all the source code and i have absolutely no clue how the password authentication driver works -- absolutely no clue.
[01:58] *** reed has joined #openstack-dev
[01:58] *** thingee is now known as thingee_zzz
[01:58] dolphm: gyee: that's how complicated it is
[01:59] dolphm: gyee: i can't even tell where to look for the password in the method signature
[02:00] dolphm: gyee: i really expected auth_info['password']
[02:00] dolphm: gyee: really really did
[02:01] *** techlife has joined #openstack-dev
[02:04] dolphm: gyee: sorry, auth_info['user']['password'] is what i tried first
[02:04] gyee: dolphm, I can change it to just pass the payload if it changes your world view :)
[02:05] gyee: but I am sure somewhere down the line we need to amend this to pass more information
[02:05] dolphm: gyee: will that work? because it looks like you're also putting the burden of authorization on the password authentication driver as well by passing it scope, and utilizing it there
[02:05] dolphm: gyee: certainly not scope
[02:05] *** bing_bu has joined #openstack-dev
[02:06] dolphm: gyee: or trusts or any other crap that doesn't have to do with authentication
[02:06] *** reed has quit IRC
[02:07] gyee: some driver may need the scope to make a more informed auth decision
[02:07] gyee: that's all I am saying
[02:07] *** heckj has quit IRC
[02:07] *** Nachi has quit IRC
[02:07] dolphm: gyee: scope is authz, i thought this was authn?
[02:10] gyee: dolphm, who knows, authz and authz line is not very clear sometime
[02:10] dolphm: gyee: which is indicative of completely awful design
[02:10] gyee: all I am saying is lets have as much information available to the plugins now so we don't have to do it later
[02:11] dolphm: gyee: as a plugin writer, i will write a plugin
[02:11] *** kmartin is now known as kmartin_zz
[02:11] dolphm: *never* write a plugin.
[02:11] dolphm: gyee: you will break my driver every time you change AuthInfo
[02:11] dolphm: gyee: you will break my driver every time you rev the API
[02:12] dolphm: gyee: i will not understand the interface i'm supposed to use from AuthInfo
[02:12] gyee: dolphm, would it be helpful if I pass the entire request body?
[02:12] gyee: instead of an object?
[02:12] dolphm: gyee: no, it's really not
[02:12] gyee: same argument right?
[02:13] dolphm: gyee: i have a tiny little slice of the auth request i care about, and that's the namespace of my driver
[02:13] dolphm: gyee: my job is to implement authenticate() in response to that namespace
[02:13] *** digitalsanctum has quit IRC
[02:13] gyee: dolphm, what if I need to know what methods users has authenticated so far?
[02:14] gyee: what if I have drivers which need to be coordinated?
[02:14] dolphm: gyee: what's the use case?
[02:15] dolphm: gyee: an rsa token driver would identify the user by ID and then provide an RSA token value... i don't need any other random contextual information
[02:15] *** digitalsanctum has joined #openstack-dev
[02:17] *** digitalsanctum has quit IRC
[02:17] *** buzztroll_ has joined #openstack-dev
[02:18] dolphm: gyee: i'm struggling really hard to come up with a scenario where i'd need the ID of the project I want authorization on in order to determine * who i am *
[02:19] *** nati_ueno has joined #openstack-dev
[02:20] gyee: dolphm, I can't think of one right now either
[02:20] gyee: but then by brain is already numb from debugging all day :)
[02:20] gyee: s/by/my
[02:24] *** salv-orlando has quit IRC
[02:24] *** pabelanger has quit IRC
[02:24] *** diogogmt has quit IRC
[02:24] *** kagan has quit IRC
[02:26] *** bearovercloud has joined #openstack-dev
[02:29] *** tomoe_ has quit IRC
[02:30] *** tomoe_ has joined #openstack-dev
[02:34] *** tomoe_ has quit IRC
[02:36] *** mrodden has joined #openstack-dev
[02:37] *** bearovercloud has left #openstack-dev
[02:37] *** dolphm has quit IRC
[02:37] *** stevebaker has joined #openstack-dev
[02:41] *** datsun180b has quit IRC
[02:45] *** winston-d_ has quit IRC
[02:47] *** radez is now known as radez_g0n3
[02:47] openstackgerrit: A change was merged to openstack/nova: libvirt: Fix LXC container creation https://review.openstack.org/22065
[02:48] *** dolphm has joined #openstack-dev
[02:48] openstackgerrit: A change was merged to openstack/nova: Allow fixed to float ping with external gateway. https://review.openstack.org/21689
[02:48] *** pabelanger has joined #openstack-dev
[02:50] *** digitalsanctum has joined #openstack-dev
[02:51] *** diogogmt has joined #openstack-dev
[02:52] *** kmartin has joined #openstack-dev
[02:54] *** buzztroll_ has quit IRC
[02:56] openstackgerrit: A change was merged to openstack/nova: Change all instances of the non-word "inteface" to "interface" https://review.openstack.org/22273
[02:57] openstackgerrit: A change was merged to openstack/nova: Added a service heartbeat driver using Memcached. https://review.openstack.org/21574
[02:57] openstackgerrit: A change was merged to openstack/glance: Use oslo-config-2013.1b3 https://review.openstack.org/22079
[02:57] *** megha is now known as bsd_freak
[02:57] openstackgerrit: A change was merged to openstack/nova: libvirt: Use uuid for instance directory name https://review.openstack.org/21287
[02:57] *** armaan has joined #openstack-dev
[02:57] openstackgerrit: A change was merged to openstack/keystone: merging in fix from oslo upstream https://review.openstack.org/22383
[02:57] *** armaan has left #openstack-dev
[02:58] openstackgerrit: A change was merged to openstack/nova: PowerVMDiskAdapter detach/cleanup refactoring https://review.openstack.org/22284
[02:58] *** bsd_freak is now known as BSD_freak
[02:59] openstackgerrit: A change was merged to openstack/ceilometer: Imported Translations from Transifex https://review.openstack.org/22259
[02:59] openstackgerrit: A change was merged to openstack-infra/devstack-gate: Recapture screen service logs; disable sysloging. https://review.openstack.org/21680
[02:59] *** yaguang has joined #openstack-dev
[02:59] *** rkukura has joined #openstack-dev
[03:00] *** winston-d_ has joined #openstack-dev
[03:01] *** slackguru has quit IRC
[03:01] *** anniec has quit IRC
[03:02] *** AlanClark__ has quit IRC
[03:02] *** AlanClark__ has joined #openstack-dev
[03:03] *** ayoung has joined #openstack-dev
[03:03] *** Mandell has quit IRC
[03:04] ayoung: dolphm, I'm back
[03:05] dolphm: ayoung: o/
[03:05] ayoung: dolphm, saw your comments on the Auth plugins.  Should I try to get Trusts in first?
[03:05] *** buzztroll_ has joined #openstack-dev
[03:08] *** novas0x2a|lapto1 has quit IRC
[03:10] ayoung: dolphm, BTW, you've been going a marathon. I have to admit I'm impressed.
[03:11] *** danwent has quit IRC
[03:15] *** buzztroll_ has quit IRC
[03:15] gyee: ayoung, dolphm, code free tonight or tomorrow?
[03:19] *** sacharya1 has joined #openstack-dev
[03:20] *** jergerber has quit IRC
[03:22] *** sacharya has quit IRC
[03:22] ayoung: gyee, I think we have time.  ttx is worried about slippage, but gave us the leeway to get your patch and my patch in.
[03:23] gyee: ayoung, still working to get rid of dolphm's nightmare so he can sleep better :)
[03:23] *** thingee_zzz is now known as thingee
[03:23] ayoung: gyee, need any help?
[03:24] gyee: ayoung, I am good now, was struggling with the policy engine earlier
[03:24] gyee: all the tests should be using the *real* token now
[03:25] *** jog0 has quit IRC
[03:26] ayoung: gyee, nice.  I did a similar thing with the test_v3_trust.py
[03:26] ayoung: but that was V2
[03:26] ayoung: I'll probably need to update that to what you have
[03:26] gyee: ayoung, I had to make some changes to policy.json
[03:26] gyee: the one in tests is bogus
[03:26] *** pixelbeat has quit IRC
[03:27] *** jkordish has quit IRC
[03:27] *** jkordish has joined #openstack-dev
[03:27] topol: gyee, Im around to +1 your authentication stuff but it looks like dolph is the blocker?
[03:27] ayoung: Yeah, I bypassed that awhile back
[03:28] gyee: topol, I am changing it to pass in the auth payload instead of the auth_info object
[03:28] gyee: topol, also updated the doc to incorporate your comments, thanks for reviewing it
[03:30] gyee: ayoung, if you have some cycle, I could use some help translating a v3 PKI token into a v2 PKI token and vice versa
[03:31] *** hattwick has quit IRC
[03:32] *** danwent has joined #openstack-dev
[03:34] *** pixelbeat has joined #openstack-dev
[03:37] topol: ayoung so I had everything working and now I just tried with the latest keystone and now get this beauty:
[03:37] topol: Unable to communicate with identity service: {"error": {"message": "An unexpected error prevented the server from fulfilling your request. {'info': 'domain_id: AttributeDescription contains inappropriate characters', 'desc': 'Undefined attribute type'}", "code": 500, "title": "Internal Server Error"}}. (HTTP 500)
[03:38] topol: when trying to add tenants
[03:38] *** tomoe_ has joined #openstack-dev
[03:39] *** Ryan_Lane has quit IRC
[03:40] *** hattwick has joined #openstack-dev
[03:43] *** martine has joined #openstack-dev
[03:43] *** JonnyNomad_ has joined #openstack-dev
[03:44] *** JonnyNomad has quit IRC
[03:45] openstackgerrit: A change was merged to openstack/quantum: Add Quantum support for NVP Layer-2 gateways https://review.openstack.org/21426
[03:47] *** buzztroll_ has joined #openstack-dev
[03:52] *** reed has joined #openstack-dev
[03:53] *** danwent has quit IRC
[03:54] topol: ayoung, any idea who put in self.attribute_mapping['domain_id'] = (
[03:54] topol: conf.ldap.tenant_domain_id_attribute)  into /opt/stack/keystone/keystone/identity/backends/ldap/core.py:510
[03:55] bknudson: topol: you can look this up with blame...
[03:55] *** adjohn has quit IRC
[03:55] bknudson: topol: https://github.com/openstack/keystone/blame/master/keystone/identity/backends/ldap/core.py#L510
[03:56] *** ctracey has quit IRC
[03:56] topol: bknudson: THANKS.  It was Henry
[03:57] topol: He went to bed 2:30am his time
[03:57] *** adjohn has joined #openstack-dev
[03:57] *** sandywalsh has quit IRC
[03:58] *** tommy_SSU has joined #openstack-dev
[03:58] *** digitalsanctum has quit IRC
[03:59] openstackgerrit: A change was merged to openstack/oslo-incubator: Setup exception handler after configuring logging. https://review.openstack.org/22388
[04:00] *** ctracey has joined #openstack-dev
[04:00] *** bknudson has quit IRC
[04:01] *** yaguang has quit IRC
[04:01] *** yaguang has joined #openstack-dev
[04:02] *** adjohn has quit IRC
[04:02] *** henrynash_ has joined #openstack-dev
[04:02] *** markmcclain has joined #openstack-dev
[04:03] openstackgerrit: A change was merged to openstack/oslo-incubator: Fix IPC direct topic routing. https://review.openstack.org/21733
[04:04] *** adjohn has joined #openstack-dev
[04:05] *** henrynash has quit IRC
[04:05] *** henrynash_ is now known as henrynash
[04:05] *** pabelanger has quit IRC
[04:06] *** koolhead17 has joined #openstack-dev
[04:06] *** adjohn has quit IRC
[04:07] *** echohead has quit IRC
[04:08] ayoung: topol, hmmm
[04:09] *** echohead has joined #openstack-dev
[04:09] ayoung: topol, this is when I run through the debugger.
[04:10] ayoung: gyee, sure
[04:10] ayoung: the V2 format is kind of ramshackle
[04:10] ayoung: evolved, as it were
[04:11] topol: ayoung, is that a nice way of saying we are broken?
[04:11] gyee: ayoung, yeah, this mix v2 and v3 env is dangerous
[04:11] gyee: I can understand rolling upgrade use case
[04:11] ayoung: gyee, I'm not sure that anything other than auth_token should try to deal with both
[04:12] ayoung: and it should have two code paths.  What are you trying to do?
[04:12] gyee: ayoung, I have two code paths
[04:12] gyee: for UUID token, we're covered
[04:14] ayoung: gyee, for keystone server,  just do the hash and look up in the db
[04:16] ayoung: gyee, what exactly are you trying to solve?  Is this policy enforcement?
[04:16] gyee: ayoung, with your patch, we should already do a token lookup instead of CMS
[04:16] gyee: so we should be fine I think
[04:17] gyee: has your security patch landed yet?
[04:20] ayoung: gyee, hasn't landed yet.
[04:21] ayoung: gyee, is that in your way?
[04:21] gyee: ayoung, sort of
[04:21] ayoung: gyee, code around it
[04:21] gyee: k
[04:22] ayoung: just code as if that patch were applied.
[04:22] *** danwent has joined #openstack-dev
[04:23] *** bknudson has joined #openstack-dev
[04:25] *** bdpayne has quit IRC
[04:25] ayoung: gyee, is that all?
[04:26] *** dims has quit IRC
[04:26] *** danwent has quit IRC
[04:30] *** sandywalsh has joined #openstack-dev
[04:30] *** dims has joined #openstack-dev
[04:31] *** boris-42 has joined #openstack-dev
[04:32] *** armaan1 has joined #openstack-dev
[04:34] *** rpedde_away is now known as rpedde
[04:39] *** morganfainberg has quit IRC
[04:39] topol: ayoung, I know you are swamped but one question to help me maintain my sanity and then I'll leave you alone.   We can't just do things like  the following in ProjectAPI:
[04:39] topol: self.attribute_mapping['domain_id'] = (
[04:39] topol: conf.ldap.tenant_domain_id_attribute)
[04:39] topol: without understanding that we either map domain_id to something valid in groupOfNames or we put it on the ignore list (which I think would be bad) or do some type of emulator trick like was done for enabled.  Otherwise Im confused as heck :-)
[04:40] ayoung: topol, hmmmm
[04:41] ayoung: yeah, it needs to be a valid attribute, and group of names is short on that.
[04:41] *** dims has quit IRC
[04:41] ayoung: It seems to me that each domain should be its own subtree
[04:41] ayoung: And the domain ID would be part of the DN topol ?
[04:43] topol: ayoung, dunno. we need to shove it somewhere.  or find something friendlier than groupOfNames
[04:43] ayoung: topol, agreed. Just had a moment of clarity.
[04:43] topol: ayoung, you think they will let us fix all this stuff after code freeze via opening bugs???
[04:44] ayoung: Domain are organizational units.  The grouping of projects , users, etc, is all subordinate to domains.  To me, this says that each domain should be a sub tree.  Then, the domain ID becomes the subtree.
[04:44] gyee: ayoung, we now have v2-v3 token backward compatibility for both uuid and pki tokens at the backend
[04:45] ayoung: and you add it to the CN/DN path
[04:45] gyee: can't do much for middleware though
[04:45] gyee: that'll need to be a separate patch
[04:45] ayoung: gyee, good enough for server side.  middleware goes on a different schedule anyway
[04:45] gyee: ayoung, pushing a patch soon
[04:45] gyee: that should take care of dolphm's nightmare
[04:46] ayoung: gyee, I'm going to turn in soon, and I'll take a look in the morning, I'm on Eastern time.
[04:46] gyee: ayoung, I am tired as hell too
[04:46] ayoung: I wonder why
[04:46] gyee: need to get food
[04:46] *** amotoki_ has joined #openstack-dev
[04:47] ayoung: topol, I don't know how hard it will be to fix domains for LDAP.
[04:47] *** dolphm has quit IRC
[04:47] gyee: ayoung, I seem to be on Hawaii time even though I am not
[04:48] ayoung: topol, can you send me a write up of the problem, and I'll use that as a launchboard for writing up the solution?
[04:48] *** amotoki has quit IRC
[04:48] topol: ayoung, sure
[04:48] topol: have a good night
[04:50] *** sulrich has joined #openstack-dev
[04:50] *** dolphm has joined #openstack-dev
[04:50] *** pabelanger has joined #openstack-dev
[04:50] topol: gyee, Im gonna +1 your dolphm nightmare patch no matter what.  youve definitely earned a "sympathy +1" :-)
[04:50] gyee: haha
[04:52] *** Ryan_Lane has joined #openstack-dev
[04:54] gyee: dolphm, patch #17 should take care of your nightmare
[04:56] *** danwent has joined #openstack-dev
[04:57] openstackgerrit: A change was merged to openstack-dev/devstack: Add Nova fibre channel support required packages https://review.openstack.org/20003
[04:57] openstackgerrit: A change was merged to openstack-dev/devstack: Baremetal should start using scheduler filters. https://review.openstack.org/21855
[04:57] openstackgerrit: A change was merged to openstack-dev/devstack: Correct syntax error in stack.sh https://review.openstack.org/22176
[04:57] clarkb: fungi: ^
[04:59] * fungi cheers
[05:00] *** gyee has quit IRC
*** martine has quit IRC05:01
*** pabelanger has quit IRC05:01
*** sulrich has quit IRC05:04
*** sulrich has joined #openstack-dev05:04
*** aeperezt has quit IRC05:05
*** nunosantos has quit IRC05:09
*** Tross has joined #openstack-dev05:10
*** nati_ueno has quit IRC05:12
*** boris-42 has quit IRC05:12
*** nati_ueno has joined #openstack-dev05:13
*** pixelbeat has quit IRC05:13
*** Mandell has joined #openstack-dev05:15
*** nati_ueno has quit IRC05:17
*** AlanClark__ has quit IRC05:18
*** AlanClark__ has joined #openstack-dev05:18
*** BSD_freak has quit IRC05:19
*** megha has joined #openstack-dev05:19
*** diogogmt has quit IRC05:20
*** ayoung has quit IRC05:26
*** markmcclain has quit IRC05:28
*** avishay has joined #openstack-dev05:35
*** jgriffith has quit IRC05:36
*** topol has quit IRC05:37
*** jgriffith has joined #openstack-dev05:37
*** navid_ has joined #openstack-dev05:38
*** obondarev has quit IRC05:39
*** koolhead17 has quit IRC05:39
*** obondarev has joined #openstack-dev05:40
*** nati_ueno has joined #openstack-dev05:45
*** soody has quit IRC05:48
*** vipul is now known as vipul|away05:54
enikanorovdanwent: hi. here?05:56
danwentenikanorov: hi05:56
*** armaan1 has quit IRC05:57
enikanorovdo you have few minutes to discuss the status of namespace haproxy agent?05:57
danwentenikanorov: sure06:00
enikanorovi'd like to go over key points of what we agreed on:06:00
enikanorov1) no device scheduling/management06:01
enikanorov2) generic service agent that loads drivers becomes dedicated haproxy agent06:01
enikanorov3) haproxy driver does stuff similar to dhcp regarding device creation:06:01
enikanorovit creates quantum port via quantum client, plugs the interface in the port06:02
enikanorovand starts haproxy within namespace that has that interface06:02
enikanorovthat's the code we're going to give to Mark06:03
danwentok06:03
danwentmy impression from mark is that the agent wasn't necessarily haproxy specific06:03
danwentbut would be load-balancing specific.  similar to how there is a dhcp-agent, that could have different drivers (dnsmasq, isc-dhcp) that run in the namespace06:04
danwentbut i doubt there's a significant difference in code there06:04
enikanorovyes.06:04
danwenti think you have all of the key points listed above06:04
enikanorovso one concern i have though06:04
danwentk06:04
enikanorovi saw mark's patch regarding VIP creation and port reservation06:05
danwentyes06:05
enikanorovthat kinda overlaps with what driver does06:05
enikanorovso currently the workflow is the next:06:05
danwentyeah.. i forget exactly how the dhcp stuff works now, whether the plugin creates the port that is used by the agent, or if the agent actually creates the port.  sounds like the latter based on your comments (I'm assuming you've read the code recently)06:06
enikanorovuser creates a pool, that causes the driver to prepare infrastructure: port creation, initial config, etc06:06
enikanorovdhcp call plugin to create a port06:06
danwentin this case, we may want to do something closer to what the l3-agent does06:06
*** adjohn has joined #openstack-dev06:06
danwentin which case I think the port is allocated in the plugin (since a specific IP is desired)06:07
danwentit seems valuable to create the port at the plugin, so we can give the user an API error if there is a conflict06:07
enikanorovthe problem in this case is that driver works with single objects06:07
enikanorovand pool goes first06:07
danwentrather than having the call succeed.06:07
enikanorovso once user creates a pool, it goes to the driver06:07
*** yaguang has quit IRC06:07
enikanorovdriver has to do something with it06:08
enikanorovnow it prepares a device (no VIP IP yet!)06:08
enikanorovwhich gets fixed ip06:08
danwentwhy does it need a device if it doesn't have a VIP yet?06:08
enikanorovseems like currently there's no way to pass it back to server / pool06:08
danwentsorry, don't follow06:09
danwentuntil we have a vip, there's really nothing the agent needs to do, is there?06:09
*** ek6 has quit IRC06:09
danwentI'd have to think through the workflow a bit more06:09
enikanorovI'm not sure about this, really06:10
enikanorovit looks like this, at first glance06:10
enikanorovbut anyway06:10
*** dolphm_ has joined #openstack-dev06:10
enikanorovlets consider we create device with a VIP, not pool06:10
enikanorovbut object model requires pool go first06:10
enikanorovso now we need to pass VIP+pool to the driver06:10
enikanorovat VIP creation06:10
*** amotoki_ is now known as amotoki06:11
danwentyes06:11
enikanorovi see this may complicate both plugin and driver06:11
danwenti actually don't think you HAVE to wait until VIP creation.06:12
enikanorovwhat do you mean?06:12
danwentin theory, you could create a namespace with no interfaces06:12
*** dolphm has quit IRC06:12
danwentwhen a pool is created.06:13
danwentis it correct to think of a pool and a namespace as one-to-one?06:13
danwentor can a namespace have multiple pools06:13
danwentas long as they are on the same subnet?06:13
enikanorovin fact, i'd say subnet defines a device06:13
enikanorovthere may be several pools06:13
enikanorovbut i see your point06:13
enikanorovit's a good point :)06:14
danwentseems possible either way06:14
enikanorovbut still I see we don't have to reserve port on the plugin side06:14
enikanorovhere's why:06:14
enikanorovdriver may check if port exists and create another VIP with the same IP, different tcp port06:15
enikanorovand with port creation in the plugin, each new tcp port will cause new device and new process06:15
openstackgerritA change was merged to openstack/nova: Add support for network adapter hotplug.  https://review.openstack.org/2181906:16
clarkbdansmith: ^ success06:16
openstackgerritA change was merged to openstack/cinder: Set rootwrap_config in cinder.conf sample.  https://review.openstack.org/2226506:16
enikanorovin fact, i think we just move port creation to the VIP creation in the driver. that would allow to achieve the same as marks patch06:16
danwentnot sure I follow.  I agree that the IP logic on vip creation needs to handle the fact that it is OK to have multiple VIPs using the same port + IP pair.06:16
danwent(i guess that implies a per-subnet namespace, since these vips could be on different pools)06:17
*** hattwick has quit IRC06:17
enikanorovnamespace is per subnet, correct06:17
danwenti think what mark wants to do is make sure that the IP isn't in use by something else (e.g., a nova VM)06:17
danwentperhaps now the patch does not properly handle the case that multiple VIPs may need to use the same port06:18
danwenti haven't had a chance to look at it…been too busy with other g-3 reviews :P06:18
enikanorovI see06:18
enikanorovmark was going to put it as limitation - single vip per device :)06:19
danwentwould be good if you could ping him to get his thoughts on whether plugin or agent should do port allocation.06:19
danwentok, sounds like maybe we can be smarter about it.  i'm sure he'd be open to that.06:19
danwentsingle vip per device?06:20
enikanorovwe discussed it a bit yesterday, but i'm not sure we had an agreement :)06:20
danwentwhere device = namespace?06:20
enikanorovdevice = port, i'd say06:20
enikanorov(and namespace, yes)06:20
danwenti'd be surprised if that is what mark was thinking… as even dhcp + l3-namespace support multiple IPs per port.06:21
danwentbut i think he was thinking that we might limit an IP address to a single VIP06:21
danwentbut it sounds like we can make the "is this IP allocated?" check a bit smarter to get around that.06:21
danwentbtw, do you guys have WIP code mark and I could take a look at?  it sounds like we're 90% on the same page, but it would be good to make sure.06:22
enikanorovwe're going to give it to you at the end of our day (since it's night for you anyway)06:23
enikanorovso you could continue the work or comment on it06:23
danwenthaha, fair enough.  i'm pretty tired of looking through code after reviewing all day anyway06:23
enikanorovi think the most convenient would be to put it on gerrit under corresponding blueprint06:23
enikanorovdraft review06:23
danwentyeah, having something where we could comment would be nice.06:24
danwentlike i said, i don't care who writes the code, as long as we're on the same page that it's a design we all support.06:24
enikanorovsure. ok, thanks06:24
danwentdid mark ping you at all today after your email this morning? i'm worried that we're already duplicating efforts a bit.06:24
*** bing_bu has quit IRC06:25
*** AlanClark__ has quit IRC06:26
*** aswadrangnekar has joined #openstack-dev06:26
*** bing_bu has joined #openstack-dev06:26
*** AlanClark__ has joined #openstack-dev06:26
henrynashdolphm, gyee: henry back on after 4 hours kip, how can I help with stuff (it's early morning here in Europe)06:26
*** olaph has quit IRC06:27
*** rpedde is now known as rpedde_away06:27
*** olaph has joined #openstack-dev06:28
*** reed has quit IRC06:30
*** vipul|away is now known as vipul06:32
*** johnpur has joined #openstack-dev06:33
*** johnpur has quit IRC06:33
enikanorovno he didn't yet06:35
*** esp has quit IRC06:38
*** kmartin has quit IRC06:38
*** melwitt has quit IRC06:39
*** Ryan_Lane has quit IRC06:39
*** dolphm_ has quit IRC06:40
*** k4n0 has joined #openstack-dev06:41
*** Ryan_Lane has joined #openstack-dev06:42
*** danwent has quit IRC06:43
*** henrynash has quit IRC06:46
*** vipul is now known as vipul|away06:48
*** nati_ueno has quit IRC06:55
*** nati_ueno has joined #openstack-dev06:55
*** romcheg has joined #openstack-dev06:57
*** Nachi has joined #openstack-dev06:59
*** nati_ueno has quit IRC06:59
*** almaisan-away is now known as al-maisan07:02
*** al-maisan is now known as almaisan-away07:02
openstackgerritA change was merged to openstack/cinder: Use oslo-config-2013.1b3  https://review.openstack.org/2211707:02
openstackgerritA change was merged to openstack/nova: Add support for instance disk IO control.  https://review.openstack.org/2210507:02
openstackgerritA change was merged to openstack/nova: Add support for instance CPU consumption control.  https://review.openstack.org/2210607:03
*** garyk has quit IRC07:07
k4n0For my  review https://review.openstack.org/#/c/21415/ , unit tests passed in one patchset, and now they are failing for a different patchset with no changes to the code07:07
k4n0any help?07:07
clarkbk4n0: looks like another database migration with the same number snuck in07:08
clarkbyou will need to increment your number up to the next free available number07:08
*** esp has joined #openstack-dev07:09
clarkbk4n0: I would rebase atop master to make sure you get the right number07:09
*** b1rkh0ff has quit IRC07:09
*** flaper87 has joined #openstack-dev07:10
*** avishay has quit IRC07:10
*** andrewbogott is now known as andrewbogott_afk07:11
k4n0I have rebased with latest master and fixed the migration number issue then resubmitted another patchset, i was watching the jenkins gate logs, it is failing because mysql is unable to create an index too long07:12
k4n0But the same tests passed yesterday on jenkins07:13
*** koolhead17 has joined #openstack-dev07:13
k4n0https://jenkins.openstack.org/view/Gate/job/gate-nova-python27/17147/console07:14
clarkbk4n0: so yesterday a change snuck in that broke some of the unittests (they were not run) it is possible that you were affected by that07:14
k4n0can you please link me to  that change?07:14
clarkbk4n0: I don't have it available currently and it has been fixed07:15
k4n0Anyways this issue is regarding mysql on the jenkins gate environment, (OperationalError: (OperationalError) (1071, 'Specified key was too long; max key length is 1000 bytes') 'CREATE INDEX key_pair_user_id_name_idx ON key_pairs_tmp (user_id, name)' ()07:15
k4n0)07:15
clarkbhttp://logs.openstack.org/21415/7/check/gate-nova-python27/16922/console.html.gz notice that only ~4500 tests were run then07:15
clarkband now you should be close to ~510007:15
k4n0this issue doesn't come up on my local testing environment07:15
clarkbk4n0: that test only runs if you have a mysql server running locally with a special account and DB present07:16
clarkbit will not run at all if you don't have that configured in your test environment07:16
k4n0Well this test "test_mysql_opportunistically" did run for my patch on jenkins07:16
k4n0my patch is adding a migration for key_pairs table.07:16
clarkbyes jenkins is configured to run this test07:17
clarkbhowever, your local test environment probably isn't07:17
clarkbwhich would explain why you don't have this failure testing in your local test env07:17
k4n0I have run this specific test on my local test env07:18
k4n0And how is it possible that these tests passed for the earlier patchset?07:18
clarkbk4n0: because the earlier patchset was affected by the change that broke testing07:18
clarkbthe migration test was never run in that case07:19
clarkbnow that that problem has been corrected you are seeing the failure07:19
k4n0ohh, i see07:19
*** esp has quit IRC07:19
clarkbk4n0: https://github.com/openstack/nova/blob/master/nova/tests/test_migrations.py#L260 may explain why it passes locally07:19
clarkbit should be counted as a skipped test07:20
k4n0I just ran the test again on my local test env, (nova.tests.test_migrations.TestMigrations.test_mysql_opportunistically ... ok07:20
k4n0) , i have created all the required databases and user and password, the test was not skipped07:20
clarkbmaybe it is a mysql config difference then?07:20
k4n0I am aware that it is skipped if you don't create the "openstack_citest" db and username.07:20
k4n0Do you know what mysql version does jenkins test on?07:21
*** b1rkh0ff has joined #openstack-dev07:21
clarkbk4n0: whatever is available in ubuntu precise07:21
*** aswadrangnekar has quit IRC07:21
clarkbpython 27 runs on precise and python 26 on oneiric so whatever version is available on those two distros07:21
*** aswadrangnekar has joined #openstack-dev07:21
k4n0i am running ubuntu precise, i have installed mysql from default packages07:23
*** yolanda has joined #openstack-dev07:23
clarkbk4n0: I think the jenkins DB is using utf8 as the charset07:25
clarkbif you are not using utf8 that may result in different lengths for the key depending on its types07:26
*** shang has quit IRC07:26
k4n0I will confirm about utf8 on my local env07:26
*** mindpixel has joined #openstack-dev07:26
*** shang has joined #openstack-dev07:27
*** rohitk has joined #openstack-dev07:27
k4n0Btw, this is mysql client version (mysql  Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (x86_64) using readline 6.2) , server (Server version: 5.5.24-0ubuntu0.12.04.1 (Ubuntu))07:27
*** garyk has joined #openstack-dev07:29
*** afazekas has joined #openstack-dev07:33
*** gray-- has joined #openstack-dev07:33
*** eglynn_ has joined #openstack-dev07:37
*** TerryH has quit IRC07:37
*** jprovazn has joined #openstack-dev07:42
*** esp has joined #openstack-dev07:45
*** stevebaker has quit IRC07:46
*** stevebaker has joined #openstack-dev07:47
*** eglynn_ has quit IRC07:48
*** nmagnezi has joined #openstack-dev07:51
k4n0@clarkb , i ran the test with utf8 as default charset for mysql client and server, created new db with utf8 as default charset. "nova.tests.test_migrations.TestMigrations.test_mysql_opportunistically" passed ok07:51
*** ajia has quit IRC07:52
clarkbI am all out of ideas then07:52
k4n0what storage engine does jenkins mysql use?07:53
*** esp has quit IRC07:54
clarkbinnodb07:54
openstackgerritA change was merged to openstack/nova: support preallocated VM images  https://review.openstack.org/2205407:54
openstackgerritA change was merged to openstack/quantum: Raising error if invalid attribute passed in.  https://review.openstack.org/2184907:55
openstackgerritA change was merged to openstack/quantum: Routing table configuration support on L3  https://review.openstack.org/1988207:55
openstackgerritA change was merged to openstack/quantum: plugin/nec: Make sure resources on OFC is globally unique.  https://review.openstack.org/2162707:55
openstackgerritA change was merged to openstack/quantum: Implement MidoNet Quantum Plugin  https://review.openstack.org/2185607:55
clarkbNachi: ^ there we go :)07:55
*** megha has quit IRC07:56
*** eglynn_ has joined #openstack-dev07:57
*** BalleS__ has quit IRC07:57
*** susanne-balle has joined #openstack-dev07:58
*** Nachi has quit IRC07:58
*** nati_ueno has joined #openstack-dev07:59
*** rafaduran has joined #openstack-dev08:01
openstackgerritA change was merged to openstack/oslo-config: Add deprecated_group Opt kwarg  https://review.openstack.org/2207608:03
*** davidha has quit IRC08:04
*** AnilV4 has joined #openstack-dev08:05
*** mrunge has joined #openstack-dev08:07
*** reidrac has joined #openstack-dev08:09
rohitkjaypipes: ping08:10
*** ajia has joined #openstack-dev08:10
*** thouveng has quit IRC08:10
*** unix has joined #openstack-dev08:11
*** xga_ has joined #openstack-dev08:13
*** xgauvrit has joined #openstack-dev08:13
*** xga__ has joined #openstack-dev08:17
*** armaan has joined #openstack-dev08:17
*** xga_ has quit IRC08:17
*** xgauvrit has quit IRC08:18
*** Ryan_Lane has quit IRC08:18
*** xgauvrit has joined #openstack-dev08:19
*** pmyers has quit IRC08:19
*** mmagr has joined #openstack-dev08:19
*** buzztroll_ has quit IRC08:20
*** Ryan_Lane has joined #openstack-dev08:20
*** gargya has joined #openstack-dev08:21
*** dachary has quit IRC08:21
*** esp1 has joined #openstack-dev08:22
*** ajia has quit IRC08:22
*** Ryan_Lane has quit IRC08:22
*** ajia has joined #openstack-dev08:22
*** jgallard has joined #openstack-dev08:22
*** dachary has joined #openstack-dev08:24
zykes-is ASI getting into Grizzly - @ quantum team08:24
*** burris has quit IRC08:25
*** reed has joined #openstack-dev08:27
*** psedlak has joined #openstack-dev08:32
*** esp1 has quit IRC08:34
*** tommy_SSU has quit IRC08:35
*** aloga has quit IRC08:36
*** Nachi has joined #openstack-dev08:37
*** aloga has joined #openstack-dev08:37
*** shardy_afk is now known as shardy08:37
*** nati_ueno has quit IRC08:39
openstackgerritA change was merged to openstack/nova: Add basic infrastructure for compute driver async events  https://review.openstack.org/2180008:41
openstackgerritA change was merged to openstack/nova: Add support for lifecycle events in the libvirt driver  https://review.openstack.org/2180108:42
*** AlanClark__ has quit IRC08:42
*** AlanClark__ has joined #openstack-dev08:42
*** avishay has joined #openstack-dev08:42
*** zing has joined #openstack-dev08:42
openstackgerritA change was merged to openstack/nova: Handle lifecycle events in the compute manager  https://review.openstack.org/2180208:43
openstackgerritA change was merged to openstack/nova: Multi-tenancy isolation with aggregates  https://review.openstack.org/2056508:43
*** ajia has quit IRC08:44
openstackgerritA change was merged to openstack-infra/devstack-gate: turn off color logs  https://review.openstack.org/2238908:45
*** tomoe_ has quit IRC08:47
*** davidha has joined #openstack-dev08:47
*** tomoe_ has joined #openstack-dev08:47
*** morganfainberg has joined #openstack-dev08:49
openstackgerritA change was merged to openstack/nova: Use oslo-config-2013.1b4  https://review.openstack.org/2207808:50
openstackgerritA change was merged to openstack/cinder: Handle maxclonepervolume/node limits in SF driver.  https://review.openstack.org/2239508:50
*** darjeeling has quit IRC08:50
*** asalkeld has quit IRC08:51
*** stevebaker has quit IRC08:51
*** asalkeld has joined #openstack-dev08:51
*** ndipanov has joined #openstack-dev08:52
*** tomoe_ has quit IRC08:52
*** bing_bu has quit IRC08:54
*** giulivo has joined #openstack-dev08:55
*** winston-d_ has quit IRC08:55
openstackgerritA change was merged to openstack/horizon: Add support for both soft and hard reboot options  https://review.openstack.org/2230008:56
*** ajia has joined #openstack-dev08:56
*** buzztroll_ has joined #openstack-dev08:57
openstackgerritA change was merged to openstack/cinder: Add a volume driver in Cinder for Scality SOFS  https://review.openstack.org/1967508:58
*** shang has quit IRC08:59
*** esp has joined #openstack-dev09:00
*** shang has joined #openstack-dev09:01
*** dosaboy has joined #openstack-dev09:02
*** FlorianOtel has joined #openstack-dev09:03
*** esp has quit IRC09:04
*** esp has joined #openstack-dev09:04
*** yaguang has joined #openstack-dev09:06
*** adjohn has quit IRC09:08
*** nmagnezi has quit IRC09:08
*** dachary has quit IRC09:09
*** iartarisi has joined #openstack-dev09:10
*** henrynash has joined #openstack-dev09:11
*** esp has quit IRC09:11
*** salv-orlando has joined #openstack-dev09:13
*** romcheg has left #openstack-dev09:13
*** dachary has joined #openstack-dev09:14
*** trapni has joined #openstack-dev09:19
*** trapni has joined #openstack-dev09:19
*** derekh has joined #openstack-dev09:20
*** yolanda has quit IRC09:20
*** derekh has quit IRC09:20
openstackgerritA change was merged to openstack/quantum: Add support Quantum Security Groups for Ryu plugin  https://review.openstack.org/2196309:21
*** derekh has joined #openstack-dev09:21
*** yolanda has joined #openstack-dev09:23
*** trapnii has joined #openstack-dev09:24
*** Mandell has quit IRC09:24
*** nati_ueno has joined #openstack-dev09:25
*** trapni has quit IRC09:26
*** Nachi has quit IRC09:28
*** dosaboy has quit IRC09:30
*** jruzicka has joined #openstack-dev09:33
*** dosaboy has joined #openstack-dev09:34
*** zoresvit has joined #openstack-dev09:35
*** jgallard has quit IRC09:35
*** nati_ueno has quit IRC09:37
*** nati_ueno has joined #openstack-dev09:37
*** esp has joined #openstack-dev09:38
*** adjohn has joined #openstack-dev09:38
*** amotoki has quit IRC09:39
*** sthaha has quit IRC09:41
*** nati_ueno has quit IRC09:42
*** CaptTofu_ has joined #openstack-dev09:44
*** zoresvit has quit IRC09:46
*** BobBall has joined #openstack-dev09:46
*** CaptTofu has quit IRC09:47
*** adjohn has quit IRC09:48
*** davidh_ has joined #openstack-dev09:48
*** davidha has quit IRC09:48
*** johnthetubaguy has joined #openstack-dev09:49
*** milez has quit IRC09:50
*** AlanClark__ has quit IRC09:50
*** AlanClark__ has joined #openstack-dev09:50
*** esp has quit IRC09:50
*** nati_ueno has joined #openstack-dev09:51
*** shang has quit IRC09:52
*** pixelbeat has joined #openstack-dev09:53
*** trapnii has quit IRC09:57
*** mohits has quit IRC09:58
*** armaan has quit IRC09:59
*** jgallard has joined #openstack-dev10:00
*** zoresvit has joined #openstack-dev10:00
*** markwash has quit IRC10:01
*** dachary has joined #openstack-dev10:03
*** davidha has joined #openstack-dev10:03
*** avishay has quit IRC10:04
*** danpb has joined #openstack-dev10:04
*** shang has joined #openstack-dev10:05
*** davidh_ has quit IRC10:06
*** nati_ueno has quit IRC10:06
*** nati_ueno has joined #openstack-dev10:06
openstackgerritA change was merged to openstack/quantum: Resolve branches in db migration scripts to G-3 release  https://review.openstack.org/2240510:10
*** nati_ueno has quit IRC10:11
*** ondergetekende has joined #openstack-dev10:14
*** adjohn has joined #openstack-dev10:15
*** thingee is now known as thingee_zzz10:15
*** mohits has joined #openstack-dev10:16
*** esp has joined #openstack-dev10:17
*** adjohn has quit IRC10:19
*** avishay has joined #openstack-dev10:21
*** markwash has joined #openstack-dev10:23
*** tommy_SSU has joined #openstack-dev10:24
*** tommy_SSU has quit IRC10:25
openstackgerritA change was merged to openstack/keystone: Disable XML entity parsing  https://review.openstack.org/2231510:26
*** mohits1 has joined #openstack-dev10:26
*** mohits has quit IRC10:27
openstackgerritA change was merged to openstack/keystone: make LDAP query scope configurable  https://review.openstack.org/2166410:28
*** esp has quit IRC10:29
rozhi all, nova unit tests are broken? I can see errors about cfg and precisely from oslo.config import cfg10:33
*** hattwick has joined #openstack-dev10:35
openstackgerritA change was merged to openstack/cinder: Update cinder-manage to use FLAGS.log_dir.  https://review.openstack.org/2233210:36
ttxroz: hmm, it's a side-effect of using the oslo-config library... don't know what's the workaround though10:38
ttxroz: markmc should be up any moment and be able to help you10:38
rozttx: thanks I am waiting for markmc10:39
*** darjeeli_ has joined #openstack-dev10:39
bennerit seems that Firefox 19 can't parse some horizon javascript and get error: SyntaxError: invalid increment operand (function(){this.id||(this.id="ui-id-"+++n)})},removeUniqueId:function()). Chrome 24 is OK10:40
*** darjeel__ has joined #openstack-dev10:40
*** mindpixel has quit IRC10:40
ttxbenner: could you file a bug about that ? https://bugs.launchpad.net/horizon/+filebug10:40
*** darjee___ has joined #openstack-dev10:40
*** romcheg has joined #openstack-dev10:41
*** romcheg has quit IRC10:42
*** romcheg has joined #openstack-dev10:43
*** darjeeli_ has quit IRC10:44
*** darjeel__ has quit IRC10:44
zingroz: there was some stuff on mailing list a few days ago about it10:51
zinghttp://lists.openstack.org/pipermail/openstack-dev/2013-February/005822.html10:51
zingand http://lists.openstack.org/pipermail/openstack-dev/2013-February/005777.html10:51
zingmight help10:51
*** esp has joined #openstack-dev10:55
rozzing: thanks for that10:56
mordredttx: are you talking about the install-venv-uses-cfg thing?10:57
mordredttx: I just started hacking on that code on the plane and noticed that it was doing that ... want to talk to markmc myself10:57
*** davidh_ has joined #openstack-dev10:57
ttxmordred: yeô10:58
mordredttx: and then I'd REALLY like to schedule a summit session to talk about the seventy-bazillion different ways we think about venvs around here and if perhaps all of them could do with scaling back10:58
ttxyes10:58
bennerttx: i did little more investigation. after JS compression "(this.id="ui-id-"+ ++n)})" becomes "(this.id="ui-id-"+++n)})". Maybe it's not really dashboard bug but django?10:58
*** johnthetubaguy has quit IRC10:59
ttxbenner: they should be able to sort out responsibility on the bug10:59
*** johnthetubaguy has joined #openstack-dev10:59
*** davidha has quit IRC11:00
*** darjeeling has joined #openstack-dev11:03
koolhead17GheRivero: hey there11:05
*** yamahata has joined #openstack-dev11:07
*** darjee___ has quit IRC11:07
*** esp has quit IRC11:07
bennerok, filed bug: https://bugs.launchpad.net/horizon/+bug/113061011:09
uvirtbotLaunchpad bug 1130610 in horizon ""SyntaxError: invalid increment operand" when parsing JavaScript using Firefox" [Undecided,New]11:09
*** tomoe_ has joined #openstack-dev11:10
*** darjeeling has quit IRC11:13
*** tommy_SSU has joined #openstack-dev11:19
*** armaan has joined #openstack-dev11:20
*** xgauvrit has quit IRC11:21
*** xga__ has quit IRC11:22
*** gargya has quit IRC11:22
alexxusalv-orlando, ping11:26
*** morganfainberg has quit IRC11:27
*** jprovazn has quit IRC11:28
*** darjeeling has joined #openstack-dev11:31
*** yamahata has quit IRC11:31
salv-orlandohi alexxu11:33
*** amerine has quit IRC11:33
alexxusalv-orlando, Hi! thanks for your review for pagination! There is pagination client side code waiting for review. Would you help review it if you have time?11:33
*** esp has joined #openstack-dev11:34
alexxusalv-orlando, but I asked gongyh, It needn't be merged before feature freeze, I also can file bug for it, and review it at RC11:34
*** vkmc has joined #openstack-dev11:35
*** arbrandes has joined #openstack-dev11:35
salv-orlandoalexxu: indeed. I am spending my time now on gongysh and zyluo patches11:36
salv-orlandoWe should be able to merge your client side (and XML support) patches soon11:36
*** mohits1 is now known as mohits11:37
*** mohits has quit IRC11:37
*** mohits has joined #openstack-dev11:37
alexxusalv-orlando, I think xml support and client side code isn't big, we can review it at RC. We can spend more time for help gongysh and zyluo.11:37
salv-orlandoyes - actually I wanted to ask you if you can kindly file a lp bug for the XML support patch, target to RC-1, and then change the commit message?11:38
alexxusalv-orlando, sure, I will file bug and change the log11:39
*** yaguang has left #openstack-dev11:41
*** yaguang has joined #openstack-dev11:41
*** armaan1 has joined #openstack-dev11:43
k4n0@sdague , please review https://review.openstack.org/#/c/21415/11:43
k4n0and any other core reviewers too11:43
*** zyluo has quit IRC11:44
*** armaan has quit IRC11:45
*** darjeeli_ has joined #openstack-dev11:46
*** esp has quit IRC11:47
*** darjeeling has quit IRC11:49
*** darjeeling has joined #openstack-dev11:49
*** darjeeli_ has quit IRC11:50
*** maurosr has joined #openstack-dev11:51
*** zeriouz has joined #openstack-dev11:52
*** gargya has joined #openstack-dev11:55
*** sulrich_ has joined #openstack-dev11:58
*** salv-orlando has quit IRC11:59
*** sulrich_ has quit IRC12:00
*** sulrich has quit IRC12:02
*** avishay has quit IRC12:05
*** AlanClark__ has quit IRC12:06
*** AlanClark__ has joined #openstack-dev12:06
*** adalbas has joined #openstack-dev12:10
*** salv-orlando has joined #openstack-dev12:11
*** boris-42 has joined #openstack-dev12:11
boris-42sdague: Hi12:11
*** pcm_ has joined #openstack-dev12:12
*** esp has joined #openstack-dev12:13
*** adjohn has joined #openstack-dev12:16
*** salv-orlando has quit IRC12:16
*** corrigac has quit IRC12:18
*** salv-orlando has joined #openstack-dev12:19
*** yamahata has joined #openstack-dev12:19
*** pmyers has joined #openstack-dev12:22
*** esp has quit IRC12:25
*** xgauvrit has joined #openstack-dev12:26
*** xga_ has joined #openstack-dev12:26
*** koolhead17 has quit IRC12:27
*** pmyers has quit IRC12:27
*** darraghb has joined #openstack-dev12:28
sdagueboris-42: hey12:28
*** pmyers has joined #openstack-dev12:29
*** pmyers has quit IRC12:31
*** mohits1 has joined #openstack-dev12:31
*** pmyers has joined #openstack-dev12:31
*** mohits has quit IRC12:33
*** johnthetubaguy has quit IRC12:35
boris-42sdague: probably we should use in 21415 patch set common code for dropping non unique rows?12:41
*** dims has joined #openstack-dev12:44
*** soody has joined #openstack-dev12:49
*** ayoung has joined #openstack-dev12:50
k4n0Hi @boris-42  we are renaming duplicate keypairs , not dropping them.12:50
k4n0this was suggested by @sdague12:50
*** tommy_SSU has quit IRC12:51
*** markvoelker has joined #openstack-dev12:52
*** esp has joined #openstack-dev12:52
sdagueboris-42: feel free to put that on the comments12:53
sdagueI'm ok either way12:53
boris-42k4no, sdague I am not sure that this is good approach, because DBA will have a lot of work after this migration.. to remove all keys...12:53
boris-42all rows*12:53
*** soody has quit IRC12:53
k4n0i think dropping key_pairs will cause more inconvenience to the user who is using them to access vm's, renaming them doesn't disrupt their access to vm's using those keypairs12:54
boris-42In both cases could wait a little bit, I want to take a look at migration script.. but currently I am busy..12:54
boris-42k4no: Ok12:55
sdagueboris-42: ok, so flag the review with a -1 for now saying you want to look12:55
sdaguethen remove the -1 later if you are ok with it12:55
boris-42I have already flagged it=) but there is bug typo=)12:55
*** markmc has joined #openstack-dev12:55
sdagueok12:55
k4n0pushing fixes for the typo12:55
boris-42k4no: Ok so I am also for this approach12:55
boris-42k4n0 just wait my review pls=)12:56
k4n0@boris-42 your review ?12:56
*** martine_ has joined #openstack-dev12:59
boris-42k4n0 yes13:00
*** fesp has joined #openstack-dev13:01
*** adjohn has quit IRC13:01
k4n0I pushed new patch with fixes for typo and added comments suggested by sean13:01
*** flaper87 has quit IRC13:01
*** henrynash has quit IRC13:02
*** henrynash has joined #openstack-dev13:03
*** esp has quit IRC13:05
*** xga_ has quit IRC13:06
*** henrynash has quit IRC13:06
*** xgauvrit has quit IRC13:06
*** zeriouz has quit IRC13:07
*** afazekas has quit IRC13:07
*** zeriouz has joined #openstack-dev13:07
*** Yada has joined #openstack-dev13:07
mordredmarkmc: ola!13:09
markmcmordred, yo13:09
mordredmarkmc: I'm in your timezone - so I can terrorize you more soundly13:11
*** corXi has joined #openstack-dev13:11
markmcmordred, that sounds like a terrible idea13:11
mordredmarkmc: such a good idea13:11
markmcmordred, what's up?13:12
mordredmarkmc: anywhoo... I started poking at the idea of taking the various python stuff we have in tools/ from nova and oslo-incubator and making an actual installable project with it13:12
mordredmarkmc: (needed plane hacking)13:12
mordredmarkmc: which caused me to actually look at install_venv.py13:13
mordredbefore I get too far down that road - I wanted to touch base with you on the idea at all13:13
*** anniec has joined #openstack-dev13:13
*** johnthetubaguy has joined #openstack-dev13:13
*** dhellmann is now known as dhellmann-afk13:13
markmcmordred, sounds good, with the usual caveat about compat13:13
*** anniec has quit IRC13:13
mordredtotally13:14
*** anniec has joined #openstack-dev13:14
markmcmordred, once it's an installable thing that projects depend on, you can't break things anymore :)13:14
markmcmordred, wrt install_venv.py ... why does it even exist anymore ?13:14
*** AlanClark__ has quit IRC13:14
mordredI have no idea13:14
markmcmordred, doesn't tox do the same thing?13:14
mordredit does13:14
*** AlanClark__ has joined #openstack-dev13:14
markmcok :)13:14
mordredI plan on doing a summit session on virtualenv management stuff13:14
sdaguemarkmc: so.... python update.py ../nova no longer works?13:14
sdagueImportError: No module named oslo.config13:15
markmcsdague, yeah, you need oslo-config installed13:15
*** mrunge has quit IRC13:15
*** johnthetubaguy1 has joined #openstack-dev13:15
markmcsdague, maybe re-instate update.sh and have it install oslo-config in a venv ?13:15
sdaguemarkmc: so I have to install to my global env?13:15
markmcsdague, right13:15
sdaguemarkmc: yeh, it would be nice if we could do it in a venv13:15
sdaguegiven that the rest of our tooling seems to do that13:16
markmcsdague, well, look at the update.sh I deleted13:16
markmcsdague, would be trivial to stick a 'pip install' of the oslo-config tarball in there13:17
markmcsdague, in place of the 'python setup.py install'13:17
sdaguemarkmc: right, and because oslo-config isn't on pypi, you can't just install it right now13:17
*** dprince has joined #openstack-dev13:17
markmcsdague, 'yum install python-oslo-config' works fine on Fedora :)13:17
sdaguemarkmc: yeh, well :P13:18
sdagueseems like we are in a lot of dark magic here13:18
*** johnthetubaguy has quit IRC13:18
sdagueok, let me look at restoring the .sh13:18
*** fesp is now known as flaper8713:18
markmcsdague, dark magic?13:18
mordredhave I mentioned that the bootstrap-working-environment task is actually really hard?13:18
sdaguejust that no one that doesn't deeply understand oslo can run the update script right now13:19
* mordred says this continually facing wanting a self-sufficient setup.py without copying stuff13:19
markmcsdague, it's hardly rocket science :)13:19
*** zeriouz has quit IRC13:19
*** susanne-balle has quit IRC13:19
sdaguemarkmc: not saying it's rocket science, just not documented :)13:19
*** baba has joined #openstack-dev13:19
mordredmarkmc: wait - isn't all of openstack technically rockscience because of the nasa background?13:19
*** unix has quit IRC13:19
markmcsdague, bah, who reads docs :)13:19
sdaguewell, usually not me.... but even when I fell back to the README it wasn't helpful :)13:20
markmcsdague, patches for update.sh, https://wiki.openstack.org/wiki/Oslo, the docstring in update.py ... all welcome :)13:22
sdaguemarkmc: yep, working on it13:22
markmcsdague, thanks for pointing it out, hadn't thought of the update.sh thing until you said it13:22
*** radez_g0n3 is now known as radez13:22
openstackgerritA change was merged to openstack/nova: Fix hacking test to handle namespace packages.  https://review.openstack.org/2238513:24
openstackgerritA change was merged to openstack/nova: Documentation cleanups for nova devref  https://review.openstack.org/2229913:24
*** eglynn_ has quit IRC13:24
openstackgerritA change was merged to openstack/nova: Fix network list and show with quantum.  https://review.openstack.org/2226413:24
*** eglynn_ has joined #openstack-dev13:25
*** afazekas has joined #openstack-dev13:26
dimssdague, one more victim of oslo-config - https://bugs.launchpad.net/cinder/+bug/113066913:26
openstackgerritA change was merged to openstack/nova: Fix inaccuracies in the development environment doc.  https://review.openstack.org/2157113:26
uvirtbotLaunchpad bug 1130669 in cinder "./run_tests.sh returns immediately without error" [Undecided,New]13:26
sdaguehmmm... now I'm confused13:26
sdaguemarkmc: so oslo has no equiv with_venv.sh script?13:27
*** alunduil has quit IRC13:27
*** adjohn has joined #openstack-dev13:27
openstackgerritA change was merged to openstack/nova: Make  ComputeTestCase.test_state_revert faster  https://review.openstack.org/2238413:28
pcm_[devstack] Dumb question… if I create a user and give them member role for a project, shouldn't I then be able to log in as said user?13:31
markmcsdague, what's with_venv.sh? I use tox13:31
sdaguemarkmc: it's just an activate wrapper13:32
*** Tross has quit IRC13:32
markmcsdague, yeah, but what's the issue?13:32
sdaguehttps://review.openstack.org/#/c/22423/ - that doesn't work, but I'm out of my depth on venv13:32
*** esp has joined #openstack-dev13:32
sdaguemarkmc: the venv still isn't found13:32
*** adjohn has quit IRC13:32
markmcsdague, you want to use the tools/pip-requires venv for running update.py ?13:32
sdaguemarkmc: that seems like the thing to do, no?13:32
*** mtreinish has joined #openstack-dev13:33
markmcsdague, commented in the review13:34
mordredmarkmc, sdague: the tl;dr on my summit "let's talk about venv stuff" session is - we've built up wrappers for standard python things, and I think some of the wrappers are themselves getting too complex13:34
markmcsdague, the update.sh idea is that update.py would have its own tiny venv with just oslo-config installed13:34
mordred(have been, but let's be generous)13:34
*** xgauvrit has joined #openstack-dev13:35
*** xga_ has joined #openstack-dev13:35
*** afazekas has quit IRC13:36
*** romcheg1 has joined #openstack-dev13:36
*** romcheg has quit IRC13:37
openstackgerritA change was merged to openstack/nova: Fix leak of loop/nbd devices in injection using localfs  https://review.openstack.org/2229113:38
*** bknudson has quit IRC13:38
*** dolphm has joined #openstack-dev13:41
sdaguemarkmc: there, that should work13:41
*** johnthetubaguy1 has left #openstack-dev13:42
*** johnthetubaguy has joined #openstack-dev13:43
sdaguemarkmc: oh, there is a spelling error in a comment on that, let me fix13:44
*** esp has quit IRC13:45
*** mohits1 has quit IRC13:46
*** topol has joined #openstack-dev13:46
*** mohits has joined #openstack-dev13:47
k4n0@sdague, @boris-42, Nova-core , please review https://review.openstack.org/#/c/21415/13:49
*** bknudson has joined #openstack-dev13:53
ttxdolphm: good morning. https://review.openstack.org/#/c/21487/ awaits your review pleasure.13:53
mordredmarkmc: https://github.com/emonty/oslo-hacking13:57
mordredmarkmc: there's a first stab13:57
markmcmordred, cool, looks good13:57
mordredmarkmc: I'm going to go back and do a git history split so it doesn't look like I wrote everything13:58
markmcmordred, yeah, I used git filter-branch to do that13:58
*** adjohn has joined #openstack-dev13:58
*** henrynash has joined #openstack-dev13:58
markmcmordred, each of the cmd modules should probably only publicly expose the main() function13:58
markmcmordred, everything else private13:58
*** bknudson has quit IRC13:59
*** anteaya has joined #openstack-dev13:59
mordredalso - there were a bunch of nova-isms that were still lurking in install_venv that I removed - I'll send those in as a patch to oslo-incubator so that we can get review on that13:59
mordredmarkmc: you mean via __all__ - or just via _ prefixes?13:59
markmccool13:59
markmcmordred, either is fine by me13:59
mordredkk13:59
mordredgood call13:59
*** Tross has joined #openstack-dev14:01
* ttx would like a few more patches in before relaxing the review rules, but we are on a good slope14:02
*** adjohn has quit IRC14:03
*** surya has joined #openstack-dev14:03
*** surya is now known as Guest3366214:03
*** afazekas has joined #openstack-dev14:04
*** Dr_Who has joined #openstack-dev14:04
*** Dr_Who is now known as tgall14:05
*** dhellmann-afk is now known as dhellmann14:07
*** dosaboy has quit IRC14:08
*** darjeeli_ has joined #openstack-dev14:08
*** dosaboy has joined #openstack-dev14:08
*** esp has joined #openstack-dev14:10
*** darjeeling has quit IRC14:11
*** eharney has joined #openstack-dev14:11
*** eharney has quit IRC14:11
*** eharney has joined #openstack-dev14:11
*** bknudson has joined #openstack-dev14:12
*** darjeeli_ has quit IRC14:13
*** k4n0 has left #openstack-dev14:14
*** almaisan-away is now known as al-maisan14:15
*** digitalsanctum has joined #openstack-dev14:15
*** Guest33662 has quit IRC14:16
*** kbringard has joined #openstack-dev14:20
icchajk0: around? if you got time can you look at https://review.openstack.org/#/c/21606/14:20
*** mohits1 has joined #openstack-dev14:22
*** esp has quit IRC14:23
*** mohits has quit IRC14:24
*** giulivo has quit IRC14:24
ayoungdolphm, looking at your comments on the password plugin "i still find conditionally modifying the user context to be incredibly confusing. don't pass in user_context and instead expect the plugin to return a user_id as a string"14:24
mordredmarkmc: is there a way to use filter-branch to graft the history of a file into oslo-incubator?14:24
mordredmarkmc: I know how to use it to split a repo14:24
*** woodspa has joined #openstack-dev14:25
ayounghow would you expect this to work?  It looks like the plugins need to make additional context available.14:25
*** mohits1 is now known as mohits14:25
*** mohits has joined #openstack-dev14:25
ayoungbut it cannot be definitive14:25
ayoungdolphm, so I think it has to be conditional.  What would you prefer14:26
dolphmayoung: all an authentication plugin needs to do is identify the user? i don't understand the condition at all -- either the plugin identifies the user, or it fails for some reason, and raises an exception explaining why14:26
*** kashyap has joined #openstack-dev14:27
ayoungdolphm, maybe.  I'm not sure about the exception part.  I see it as a chain-of-responsibility pattern:14:28
ayoungimplementation14:28
ayoungso each plugin gets a swipe, and either says "yes" or "punt"14:28
ayoungbut what does it mean to say "yes"?14:28
dolphmayoung: well, either identify the user or not -- i prefer raising exceptions because it provides better feedback to the user14:28
*** surya has joined #openstack-dev14:29
*** adjohn has joined #openstack-dev14:29
kashyapayoung, continuing the conversation: changing the port to 5000 doesn't bring me any new info:14:29
ayoungdolphm, so, think of it like an old SCSI cable.  You need a terminator cap.  In this case, it would be a plugin that says "nothing found, exception"14:29
*** surya is now known as Guest5683514:29
ayoungkashyap, does keystone_admin have access to that tenant?14:29
kashyapayoung, I still get the same info, when I run keystone tenant-list14:30
kashyapayoung, how do I figure that ?14:30
ayoungkashyap, run with --debug to make sure you are going to 500014:30
dolphmayoung: there's not a "yes" so much as a "the user in the request is X"14:30
ayoungdolphm, right.  By"yes" I meant that the plugin found the user and provides an authoritative answer14:31
icchaeglynn_: https://review.openstack.org/#/c/21606/ can you take quick look at this if you have got time, thanks14:31
ayoungdolphm, let's say there are two plugins, an ldap one and a database one, in that order.14:31
*** dhellmann is now known as dhellmann-afk14:31
ayoungSo a request comes in, and the LDAP one looks for the user, but doesn't find it14:31
ayoungso it passes the request on to the database one,14:32
ayoungsay, for a service user14:32
dolphmayoung: and that answer should simply be the identity of the user? i don't understand what you're advocating14:32
kashyapayoung, there we go: the request/response with --debug : http://www.fpaste.org/OLej/14:32
dolphmayoung: sure, i'd love to support this example so far14:32
*** yidclare has joined #openstack-dev14:32
ayoungdolphm, well, we need to determine if it is just user, or user and roles, but let's say just user for now14:32
dolphmayoung: it's not an authentication plugin's responsibility to determine authorization14:33
ayoungdolphm, so, the question is whether the password plugin as written should look to see if the ID is in the context already.  I suspect the answer is no14:33
*** adjohn has quit IRC14:34
ayoungdolphm, understood.  Just a question of efficiency, making one remote request instead of two, to get the subjects along with the principal14:34
ayoungbut it probably needs to be two requests anyway, so the question is moot14:34
ayoungso I would argue that the plugin should lookup the user and return it or return None.  Then we iterate through the plugins to find one that doesn't return None. If we come to the end of the list, Unauthorized.14:36
*** giulivo has joined #openstack-dev14:36
*** Guest56835 has quit IRC14:37
*** arbrandes has quit IRC14:37
*** Thor^^ has joined #openstack-dev14:37
*** aabes has joined #openstack-dev14:38
danpbttx: any idea who is in charge of Swift Team blog postings ?14:38
danpbsomeone published a posting dated December 201314:38
danpbwhich is going to get stuck on top of planet.openstack.org for a whole year unless someone fixes the date14:39
*** maoy has joined #openstack-dev14:39
danpbhttp://planet.openstack.org/14:39
*** tommy_SSU has joined #openstack-dev14:39
dolphmayoung: "should lookup the user and return it" the user will *always* have to be looked up, so i'd rather not put that burden on the driver (remember, we have to filter the user ref and all that)... yes, it's easy when the auth driver is already talking to SQL, but if the auth driver wants to talk to a completely different system, it shouldn't *also* have to go look up a user ref in SQL if it doesn't need to14:39
* ttx looks14:39
*** Thor^^ is now known as Thor14:39
ttxdanpb: "SwiftStack Team". That would be notmyname14:39
ttxdanjared: He always thinks forward.14:39
danpbnotmyname: ping ^^14:39
dolphmayoung: totally agree with the rest, and i was toying with implementing that last night before feature freeze -- i'd like to see multiple auth drivers providing a single authentication method just like you described14:40
dolphmayoung: and that's how i ran into all these issues with yesterday's design14:40
joearnolddanpb: hey, sorry about that.14:40
joearnolddanpb: we use octopress, so it's easy to mess up. fixing.14:40
eglynn_iccha: looking ...14:41
dolphmayoung: it was really difficult to write a trivial auth plugin that just said "yes, here's the user" no matter what the request was. that sucks.14:41
eglynn_iccha: looking ...14:41
danpbjoearnold: no problem - someone pointed me at it and asked if i could tell the right people14:41
*** zeriouz has joined #openstack-dev14:42
dolphmayoung: all i wanted to do was check for a specific hardcoded password and return whatever user ID was in the request... i expected that to be like 2 lines... if req['user']['password'] == 'secret': return req['user']['id']14:43
*** dims has quit IRC14:44
*** rohitk has quit IRC14:45
*** eglynn__ has joined #openstack-dev14:46
*** markmcclain has joined #openstack-dev14:46
*** eglynn_ has quit IRC14:47
joearnolddanpb: oh right, he mentioned this to me.... He thought he fixed it with an alias as his initial post had the wrong date. Removing. Apologies.14:47
*** dims has joined #openstack-dev14:47
kashyapayoung, this listed it: nova list --all-tenants14:48
*** esp1 has joined #openstack-dev14:49
kashyapayoung, so, it looks like: as tuser1 & admin are on different tenants. I must use --all-tenants to list images from both the tenants14:49
icchaeglynn__: thanks14:49
ayoungkashyap, sounds right.14:49
*** dontalton has joined #openstack-dev14:49
kashyapayoung, thanks for the info14:50
*** tgall has quit IRC14:50
ayoungkashyap, now pass it on14:50
*** ndipanov has quit IRC14:51
kashyapyep14:51
*** zeriouz has quit IRC14:52
*** zeriouz has joined #openstack-dev14:52
*** tommy_SSU has quit IRC14:53
*** ndipanov has joined #openstack-dev14:53
*** zaneb has joined #openstack-dev14:53
*** arbrandes has joined #openstack-dev14:54
*** dt has joined #openstack-dev14:54
*** dontalton has quit IRC14:54
*** dt is now known as dwt14:54
*** dwt is now known as dont14:54
*** dont is now known as dontalton14:55
*** sacharya has joined #openstack-dev14:56
*** sacharya1 has quit IRC14:57
*** adjohn has joined #openstack-dev15:00
*** esp1 has quit IRC15:00
*** zul has quit IRC15:00
*** jimfehlig has joined #openstack-dev15:01
*** zeriouz has quit IRC15:01
*** zul has joined #openstack-dev15:02
*** zeriouz has joined #openstack-dev15:02
*** xgauvrit has quit IRC15:02
*** adjohn has quit IRC15:04
*** xga_ has quit IRC15:04
*** navid_ has quit IRC15:04
*** mmagr has quit IRC15:06
*** ondergetekende has quit IRC15:07
*** gongysh has quit IRC15:08
*** darjeeling has joined #openstack-dev15:08
*** cloudchimp has joined #openstack-dev15:08
openstackgerritA change was merged to openstack/nova: Enhance IPAdresses migration tests  https://review.openstack.org/2130015:09
*** aeperezt has joined #openstack-dev15:09
openstackgerritA change was merged to openstack/nova: Log lifecycle events to log INFO (not ERROR)  https://review.openstack.org/2242915:10
*** tommy_SSU has joined #openstack-dev15:10
*** zeriouz has quit IRC15:11
*** renner has quit IRC15:12
*** romcheg1 has left #openstack-dev15:12
*** renner has joined #openstack-dev15:12
*** fc__ has quit IRC15:13
*** ondergetekende has joined #openstack-dev15:15
openstackgerritA change was merged to openstack/nova: Fix broken logging imports.  https://review.openstack.org/2238615:15
garykarosen: ping15:15
*** fc__ has joined #openstack-dev15:16
*** boris-42 has quit IRC15:17
*** danwent has joined #openstack-dev15:18
*** romcheg has joined #openstack-dev15:21
openstackgerritA change was merged to openstack/nova: Sync latest install_venv_common.py  https://review.openstack.org/2242215:22
*** al-maisan is now known as almaisan-away15:22
*** TerryH has joined #openstack-dev15:22
*** TerryH has quit IRC15:23
*** terryh has joined #openstack-dev15:23
*** rnirmal has joined #openstack-dev15:24
*** annegentle has joined #openstack-dev15:25
*** surya_ has joined #openstack-dev15:25
*** nir has joined #openstack-dev15:25
ayounghenrynash, topol, can you please take a swipe at the trust patches:15:26
ayounghttps://review.openstack.org/#/c/22063/15:26
*** Dr_Who has joined #openstack-dev15:26
henrynashayoung: yep15:26
ayoungand15:26
ayounghttps://review.openstack.org/#/c/20289/15:26
dolphmtopol: henrynash: ayoung: if you happen to see gyee get on, have him ping me15:27
*** sandywalsh has quit IRC15:27
*** esp1 has joined #openstack-dev15:27
*** nir has left #openstack-dev15:27
ayoungdolphm, he was active yesterday, but stayed off IRC.  I'll see if I can find him some other way15:27
dolphmayoung: no worries, i'll just email him then15:28
dolphmayoung: thanks for the heads up15:28
openstackgerritA change was merged to openstack/python-novaclient: Add support for os-attach-interfaces  https://review.openstack.org/2222515:28
*** surya_ has quit IRC15:28
ayoungdolphm, on Trusts, I can rebase it off of the current HEAD on master and resubmit.  I assumed that V3 would be going in first, but there is no reason for that.15:29
*** dontalton has quit IRC15:29
dolphmayoung: don't you need v3 auth to implement trusts?15:30
ayoungdolphm, I realize you've been battling the auth API, and so I assume you haven't had time to look at the actual trust patch15:30
ayoungdolphm, no15:30
*** AlanClark__ has quit IRC15:30
ayoungdolphm, trusts is doing v2 tokens15:30
ayoungI'll do v3 tokens and trusts afterwards15:30
*** AlanClark__ has joined #openstack-dev15:30
ayoungI didn't have enough to work with before15:30
*** adjohn has joined #openstack-dev15:30
dolphmayoung: so, your working on a deprecated API?15:30
ayoungI'm OK with a partial implementation15:30
ayoungdolphm, only for authenticate.15:31
ayoungdolphm, I wrote it in December.15:31
*** Dr_Who has quit IRC15:31
ayoungdolphm, but the services are not going to be ready to consumer V3 tokens until we update the client code anyway\15:31
dolphmayoung: and i assume you haven't documented your api changes there either?15:31
ayoungconsume15:31
dolphmayoung: v3 client code is up as WIP15:32
ayoungdolphm, the documentation currently only lives in V3, that is correct, but it is the same in V215:32
*** annegentle has quit IRC15:32
ayoungnamely, the location of the trustId in the request, and the location of the trust data in the token15:32
*** sacharya has quit IRC15:32
dolphmayoung: v2 is a different API, it's not "the same" at all15:33
dolphmayoung: it's currently documented with openstack/identity-api right next to v315:33
ayoungdolphm, creating and managing the trusts is a V3 api.  authenticate in v2 and v3 differ in the format of the token and the name of the url15:33
*** gargya has quit IRC15:33
dolphmayoung: yes, you're impacting the v2 public and admin API's in a significant way that must be documented15:34
*** adjohn has quit IRC15:35
ayoungdolphm, that is fine.  Take a look at the patch regardless15:36
dolphmayoung: i'd suggest going v3 only, personally as i don't see it being worth the effort15:36
ayoungdolphm, no, the need is for V215:36
ayoungdolphm, until we get v3 support across the board, people will be consuming v215:37
ayoungdolphm, you can change a service to know about trusts and create tokens based on them, and then all of the things that consume v2 tokens work as previously documented.  That was the plan from the get-go15:38
*** Tross has quit IRC15:38
*** martine_ has quit IRC15:39
dolphmayoung: yes, you're impacting the v2 public and admin API's in a significant way that must be documented15:39
*** esp1 has quit IRC15:39
ayoungdolphm, well, I did write the spec back in October, according to what was the work flow at the time.15:40
zykes-how goes v3 stuffs dolphm ?15:40
ayoungso, yes, it is not in the repo, but it has been on the wiki for months15:40
dolphmayoung: really? because i've never seen it up for review15:40
*** sandywalsh has joined #openstack-dev15:40
ayoungdolphm, been on the blueprint15:40
ayounghttps://blueprints.launchpad.net/keystone/+spec/trusts15:40
dolphmayoung: great you should put it up for review on the actual documentation15:41
*** sulrich has joined #openstack-dev15:41
ayoungdolphm, and I will, but it is code freeze yesterday/today, not doc freeze.  Please look at the patch.15:41
*** aabes has left #openstack-dev15:41
dolphmayoung: no, i REALLY doubt you ever will -- i asked you to document your api changes 6 months ago related to PKI and just found out yesterday you never did that either15:42
*** devoid has joined #openstack-dev15:43
*** gary_th has joined #openstack-dev15:43
*** hemna_ has quit IRC15:43
ayoungthe token revocation list?  Yeah, it has been on my todo list prior to Grizzly going out the door, just hadn't made it top priority15:44
ayoungI really, really was hoping to get rid of it with trusts and short term tokens, but that is a different story15:44
dolphmayoung: token revocation list, 'expired_at', who knows what else15:44
ayoungexpired_at?15:44
dolphmayoung: you added an undocumented field to the token15:45
*** alexxu has quit IRC15:45
ayoungah, you mean the issued_at?15:45
dolphmayoung: yes15:45
*** edmund has joined #openstack-dev15:45
*** ondergetekende has quit IRC15:46
ayoungdolphm, It was my understanding on that one that we didn't want people counting on it, as it was basically a technical tool to make sure that each token was unique.15:46
*** markwash has quit IRC15:46
ayoungSo, unless the docs said "don't count on this being there" ...but point taken15:47
dolphmayoung: you changed the api, i asked you to document it under exactly these conditions, and trusted you to do so, and you didn't15:47
*** davidha has joined #openstack-dev15:47
ayoungdolphm, OK,  I'm willing to eat crow on that.15:48
ayoungI'll go and resubmit the trust API with the changes to the V3 tokens in it, and I'll post a WIP for the other API changes today15:48
*** rnirmal has quit IRC15:48
*** rnirmal has joined #openstack-dev15:49
ayoungbut...I'm more concerned with what you will find on the trust review, and so far it hasn't had any in depth review.15:50
*** davidh_ has quit IRC15:50
*** ctracey has quit IRC15:51
*** gray-- has quit IRC15:52
*** ctracey has joined #openstack-dev15:53
*** gyee has joined #openstack-dev15:53
garyksalv-orlando: ping15:53
*** boden has joined #openstack-dev15:53
*** arbrandes has quit IRC15:54
*** nati_ueno has joined #openstack-dev15:54
*** arbrandes has joined #openstack-dev15:54
*** martine_ has joined #openstack-dev15:54
*** nunosantos has joined #openstack-dev15:55
dolphmayoung: how close is the implementation to the current identity-api review for trusts?15:55
*** nati_ueno_2 has joined #openstack-dev15:55
dolphmayoung: it's generally difficult to review an api implementation without first reviewing and understanding the api15:56
ayoungdolphm, if there are deviations it is unintentional.15:56
*** ondergetekende has joined #openstack-dev15:56
*** ondergetekende has quit IRC15:57
ayoungdolphm, the one detail that someone pointed out to me out of band and that I included on the last review (and I will update on the API review now) is that the expiry of the token should not be longer than the expiry on the trust.15:57
*** aswadrangnekar has quit IRC15:57
dolphmayoung: cool15:58
*** anniec has quit IRC15:58
*** winston-d_ has joined #openstack-dev15:58
*** datsun180b has joined #openstack-dev15:58
*** annegentle has joined #openstack-dev15:59
gyeedolphm, ayoung, are you guys working on the token APIs patch?15:59
gyeedo I need to wait on anything?15:59
jgriffithmarkmc: ping15:59
*** rnirmal has quit IRC15:59
*** cmagina has quit IRC16:00
*** rnirmal has joined #openstack-dev16:00
ayounggyee, V3 auth has been reviewed16:00
*** thingee_zzz is now known as thingee16:00
*** cmagina has joined #openstack-dev16:00
ayounggyee, question for yo16:00
ayoungu16:00
ayoungwhy were you checking if the userId was already in the context?16:01
ayoungshouldn't the password plugin be authoritative on putting it in there?16:01
*** Tross has joined #openstack-dev16:01
*** adjohn has joined #openstack-dev16:01
gyeeayoung, because user_id has to come from the plugins16:01
gyeeI need to check if other plugin has already set it16:01
ayounggyee, yeah, but if it did, why would you ever call the password plugin in then?16:02
ayounggyee, for example, if REMOTE_USER set it, wouldn't that be enough?16:02
gyeein case there's a chain of plugins specify in the methods16:02
gyeeREMOTE_USER doesn't involve plugins16:02
ayounggyee, so you always execute all plugins in the chain?16:02
gyeeif REMOTE_USER is set, no plugin will be involed16:03
gyeeinvoked16:03
*** kmartin_zz is now known as kmartin16:03
ayounggyee, I would think we would want a REMOTE_USER  plugin16:03
gyeeayoung, yes, all plugins are invoked in the order specified in methods16:03
dolphmgyee: why not be done with a plugin identifies the user??16:03
dolphms/with/when/16:03
ayounggyee, OK, so I agree with dolph on this16:04
*** pabelanger has joined #openstack-dev16:04
ayoungit is chain of responsibility design pattern16:04
gyeedolphm, uh multi-factor?16:04
ayounggyee, multi facter won't say "yes"16:04
rozI am writing missed XML samples for documenting an existing API extensions. It's not clear to me if in the template for the requests I have to use attributes or elements? is there a way to understand which one is correct looking at the code?16:04
gyeebut it should also check to make sure the user_id is the same as everyone's had authenticated16:05
ayounggyee, I see your point, but MF should say "I've taken my swipe, but I can't say yes, pass it on"16:05
ayounggyee, that is a different rule16:05
dolphmgyee: oh, adam and i have been talking about multiple plugins supporting the same method (say, 2 password plugins) -- i was thinking about that scenario (you wouldn't ask the second plugin to auth if the first one already did)16:05
gyeeayoung, correct, but if the user_id is different than the one you are expecting, you should error out16:05
*** esp1 has joined #openstack-dev16:06
*** adjohn has quit IRC16:06
gyeedolphm, for MFA, all the plugins at to arrive at the same conclusion16:06
gyees/at/had/16:06
*** sacharya has joined #openstack-dev16:07
gyeeotherwise, there's no point of allowing more than one method at a time16:07
ayounggyee, ok,  I think MFA should be possible, but that logic should be encapsulated in the MFA plugins themselves.16:07
ayoungLet's do it straight CofR16:07
gyeeI think the current design is adequate16:07
ayoungeach plugin can either end the chain successfully (yes, ID is set) or pass it on to the next level of the chain, or end the chain (definitely no)16:08
*** trapni has joined #openstack-dev16:08
gyeeayoung, plugin should not end an authentication chain16:08
gyeefor Havana, we can enhance to allow user to configure the plugin as either "required" or "sufficient", just like PAM16:09
*** reidrac has quit IRC16:09
gyeebut we have to start somewhere :)16:09
*** alunduil has joined #openstack-dev16:10
alaskiroz: I've typically seen attributes over elements except when it requires it.  If the json has a dict that would translate to an element, otherwise key:value pairs are typically attributes.16:10
*** koolhead17 has joined #openstack-dev16:11
ayounggyee, ok  I see where you are going.16:12
alaskiroz: /win 1716:12
alaskiwoops16:12
rozalaski: thanks for your response, I am working on the change you reviewed. it's not clear to me if both versions work or if depends on how the API has been designed16:13
alaskiroz: that's a good question, and I've never tried two different ways.  I always go for attributes first, and from what I've seen that's how a lot of other samples do it.16:14
*** mkollaro has quit IRC16:15
*** mkollaro has joined #openstack-dev16:15
*** gargya has joined #openstack-dev16:15
ttxayoung/gyee/dolphm: would be great to nail https://review.openstack.org/21487 over the next couple of hours. This was supposed to go in yesterday :)16:16
rozalaski: ok I'll do the same and maybe I'll try to do some additional tests16:16
*** bdpayne has joined #openstack-dev16:16
ttxayoung/gyee/dolphm: any blocker ?16:16
gyeettx, no blocker, just nitpickings16:16
ayoungttx, read up16:16
gyee:)16:16
ayoungwe were just discussing, trying to get it clear16:16
ayoungttx, and even dolphm needs to sleep at least 45 minutes a night16:17
*** esp1 has quit IRC16:17
*** burris has joined #openstack-dev16:17
ttxnah. That's a bad habit16:17
*** john5223 has joined #openstack-dev16:18
*** lglenden has joined #openstack-dev16:18
*** yamahata has quit IRC16:19
*** sacharya has quit IRC16:19
gyeeayoung, pop a few cans of those red cows and we only need 45 mins of sleep :)16:19
dolphmgyee: i swear there's something wrong with the password plugin's password checking :(16:19
*** adjohn has joined #openstack-dev16:20
gyeedolphm, what are you finding this time?16:20
*** alunduil has quit IRC16:20
*** rpedde_away is now known as rpedde16:20
*** alunduil has joined #openstack-dev16:21
dolphmgyee: i'm trying to drop default_fixtures from the v3 tests, which means creating an admin user to use for the test16:21
dolphmgyee: essentially just changing the role that's created to be called 'admin'16:22
gyeek16:22
dolphmgyee: anyway, sql.authenticate fails when called by the password plugin16:22
gyeedolphm, did you clear the plugins in your tearDown?16:23
dolphmgyee: http://paste.openstack.org/raw/32086/16:23
dolphmgyee: i didn't change any tear downs, but the comment also doesn't explain why they need to be discarded?16:24
gyeedolphm, see the tearDown from test_v3_auth16:24
ayoungdolphm, agreed on the fixture cleanup.  I think we should do that across the board, V2 as well as V3 tests.16:24
*** BLZbubba has joined #openstack-dev16:24
*** david-lyle has joined #openstack-dev16:24
*** adjohn_ has joined #openstack-dev16:24
*** adjohn has quit IRC16:24
*** sacharya has joined #openstack-dev16:25
openstackgerritA change was merged to openstack/nova: Allow exit code 21 for 'iscsiadm -m session'.  https://review.openstack.org/2243116:26
*** mlavalle has joined #openstack-dev16:27
*** romcheg has quit IRC16:28
*** danwent has joined #openstack-dev16:28
dolphmgyee: why are auth plugins reset?16:33
gyeedolphm, python __import__ black magic I guess16:33
gyeetests are run in a single process16:33
davidkranzdolphm: Is v3 fully enabled in the current devstack gate configuration?16:33
gyeewhen we clear the db, the __import_ modules ended up with an identity_reference which has no data16:34
gyeeidentity_api reference16:34
davidkranzdolphm: We want to get some new v3 tests in Tempest online.16:34
dolphmdavidkranz: the api is available, but not utilized at all16:34
dolphmdavidkranz: except for v3 auth, which we're trying to merge right now16:34
dolphmdavidkranz: which is obviously important16:34
davidkranzdolphm: Well, some tempest tests want to utilize it :)16:35
*** colinmcnamara has joined #openstack-dev16:35
dolphmdavidkranz: i'm looking forward to that :)16:35
davidkranzdolphm: Can you ping me when auth is merged? I think that is part of our problem.16:35
dolphmgyee: the roles attribute in the auth response doesn't match spec16:35
dolphmdavidkranz: sure16:36
openstackgerritA change was merged to openstack/oslo-incubator: readd update.sh to address bootstrapping issue  https://review.openstack.org/2242316:36
gyeedolphm, what's missing?16:36
*** olaph has quit IRC16:37
dolphmgyee: it's not what's missing, it's that there's too many attributes16:37
dolphmgyee: actually links are missing, but that can be a bug16:37
dolphmgyee: http://paste.openstack.org/raw/32089/16:37
*** trapni has quit IRC16:37
*** AlanClark__ has quit IRC16:38
dolphmgyee: i would manually build the list of roles and only include the id and name attribute [{'id': r['id'], 'name': r['name']} for r in role_refs]16:38
*** AlanClark__ has joined #openstack-dev16:38
*** olaph has joined #openstack-dev16:38
gyeedolphm, ok16:38
*** maoy_ has joined #openstack-dev16:39
gyeedolphm, for the roles, I just grep the list from identity_api16:39
dolphmgyee: same goes for some other elements -- you don't need to provide enabled=true for anything, because it would have raised 401 if disabled16:39
gyeeI just get them straight out of identity_api16:40
gyeemaybe we need to add a filter?16:40
dolphmgyee: there's also an "extra": {} that's slipping into the response somehow16:40
*** markvoelker1 has joined #openstack-dev16:40
gyeeextra is there in the spec16:40
gyeedid you remove it?16:40
dolphmgyee: well, the filters blacklist certain attributes -- i'd prefer whitelisting ones16:40
*** lglenden has left #openstack-dev16:41
dolphmgyee: uhh, if i saw an "extra" i definitely assumed it was an accident16:41
*** markvoelker2 has joined #openstack-dev16:41
dolphmgyee: also "services" should be "catalog"16:41
*** markvoelker has quit IRC16:41
*** dhellmann-afk is now known as dhellmann16:41
dolphmgyee: "issued_at" doesn't match "expires", and including "issued_at" was downvoted by heckj in the follow up review16:42
*** lglenden has joined #openstack-dev16:42
dolphmgyee: all these random attributes will just cause additional bloat for pki tokens16:42
gyeeissued_at are not supposed to match expires16:43
*** cp16net is now known as cp16net|away16:43
*** cp16net|away is now known as cp16net16:43
*** Nachi has joined #openstack-dev16:43
gyeeI took the same code from tokens16:43
dolphmgyee: "issued_at" should either be renamed to "issued" or "expires" should be renamed to "expires_at"16:43
*** maoy has quit IRC16:43
gyeedolphm, did you change the spec?16:44
*** maoy has joined #openstack-dev16:44
*** nati_ueno has quit IRC16:44
dolphmgyee: "issued_at" is not in the spec16:44
dolphmgyee: and i did not change "expires"16:44
*** markvoelker1 has quit IRC16:44
*** esp1 has joined #openstack-dev16:45
*** davidha has quit IRC16:45
*** superman has joined #openstack-dev16:45
*** superman has quit IRC16:46
*** tommy_SSU has quit IRC16:46
*** maoy_ has quit IRC16:47
gyeedolphm, so what should I do, change issued_at to issue?16:47
*** tomoe_ has quit IRC16:48
*** dosaboy has quit IRC16:48
*** dosaboy has joined #openstack-dev16:48
dolphmgyee: that's a minor issue compared to the massive discrepancies between what you're returning and what the spec illustrates16:48
*** tomoe_ has joined #openstack-dev16:48
dolphmgyee: you're returning this: http://paste.openstack.org/raw/32092/16:50
dolphmgyee: the spec illustrates this: http://paste.openstack.org/raw/32093/16:50
*** avishay has joined #openstack-dev16:50
dolphmgyee: i used null where the attribute totally isn't included in the current response16:50
*** vipul|away is now known as vipul16:51
ayoungdavidkranz, as far as examples of how to consume the v3-auth API, see this review https://review.openstack.org/#/c/21487/17/tests/test_v3_auth.py16:52
arosenhi garyk pong16:52
*** vipul is now known as vipul|away16:52
*** jrodom has joined #openstack-dev16:52
ayoungfor identity and the others see the corresponding files in github....16:52
ayounghttps://github.com/openstack/keystone/blob/master/tests/test_v3_catalog.py16:52
ayounghttps://github.com/openstack/keystone/blob/master/tests/test_v3_identity.py16:53
ayoungdavidkranz, those are really getting onto the line between Keystone and Tempest responsibility.16:53
ayoungthe basic set up for the tests is in tests/text_v3.py16:53
*** voliveirajr has joined #openstack-dev16:54
davidkranzayoung: Yes, it is getting to be an issue as Tempest wants to be an acceptance test and projects have functional testing as part of their unit tests.16:54
davidkranzayoung: We don't want duplication of effort.16:54
ayoungdolphm, I went the path of only including role names.  I was worried that the role IDs and role assignment IDs might get confused16:54
davidkranzayoung: The issue at the moment though is that Tempest is not yet set up to test v2 and v3 in the same run, partly due to v3 auth not yet being available.16:55
*** Nachi has quit IRC16:56
ayoungdavidkranz, understood.  What I think we need as Keystone devs is a clearer path to run the tempest test specific to Keystone as part of ongoing development.  We can probably migrate the tests I listed above over to tempest once we get v3 auth merged, but we'll need to have a pow-wow about how Keystone devs and tempest devs split things up.16:56
dolphmdavidkranz: you can authenticate against v2 and use that token to work with v316:56
*** dprince has quit IRC16:56
openstackgerritA change was merged to openstack/nova: Sync rpc from oslo-incubator.  https://review.openstack.org/2230816:57
*** nati_ueno has joined #openstack-dev16:57
ayoungdavidkranz, for example, what would be fantastic is if, upon a bug report, someone had to submit a failing test to tempest16:57
openstackgerritA change was merged to openstack/cinder: Ensure volume exists before deleting.  https://review.openstack.org/2244316:57
ayoungit should not gate block keystone commits16:57
*** esp1 has quit IRC16:57
ayoungbut the keystone commit should assert : tes_x now passes16:57
dolphmayoung: tempest shouldn't gate keystone?16:57
ayoungdolphm, of course it should, that isn't what I was saying16:57
ayoungI was saying that tempest should have tests that are known to fail16:58
dolphmayoung: "it should not gate block keystone commits" it?16:58
ayoungand those tests shouldn't gate keystone16:58
dolphmayoung: we do that today with skiptest16:58
ayoungdolphm, sort of16:58
dolphmayoung: you can write a failing test, file a bug on it, and raise a skiptest citing the bug16:58
ayoungdolphm, so what I was saying is that we state "fixes Bug X" in the commit message16:59
ayoungif there is a test for Bug X in tempest16:59
ayoungit can say "no you didn't test still fails"16:59
dolphmayoung: going to grab lunch, brb16:59
*** dontalton has joined #openstack-dev17:01
*** nati_ueno has quit IRC17:01
ayounghenrynash, what role would a user have to have in order for RBAC to kick in for trusts?17:02
ayounghenrynash, any user can create a trust17:02
henrynashayoung: well, RBAC will kick in IF we protect the calls (which I assume we would).  Then it is up to the policy file creator17:03
*** morganfainberg has joined #openstack-dev17:03
*** rafaduran has left #openstack-dev17:03
ayounghenrynash, I guess it can't hurt.17:03
dolphmgyee: if it's too difficult to produce the nested objects user -> domain in the token response, i'm open to changing the spec on that, but attributes like enabled and description need to be cut17:03
*** maroh has quit IRC17:04
henrynashayoung: Like everyone else, default is set to admin, but one might imagine a liberal policy of allowing the truster to always create trusts (i.e. protected by user_id) ?17:04
gyeedolphm, ok, lets have domain_id in the user then17:04
gyeeI can filter the enabled attribute17:04
dolphmayoung: wrap the trust call with @protected and then have an empty rule in policy.json for it17:04
winston-d_markmc: ping17:04
dolphmgyee: create_token should actually be done the same way ^ in case someone wants to protect it for whatever reason17:04
*** romcheg has joined #openstack-dev17:04
ayoungdolphm, OK,17:04
gyeedolphm, create_token is an internal call17:05
winston-d_markmc: do you know how to deal with oslo-config issue with cinder unit tests?17:05
markmcwinston-d_, what issue?17:06
markmcjgriffith, yep?17:06
*** Tross has quit IRC17:06
*** dontalton has quit IRC17:07
winston-d_markmc: we are seeing ''ImportError: No module named oslo.config'17:07
markmcwinston-d_, is this with a newly installed venv?17:08
jgriffithmarkmc: can't get unit tests to run with your latest oslo lib change in cinder17:08
winston-d_markmc: yup17:08
markmcsorry, otp17:08
markmcdoes 'pip freeze' show it?17:08
*** hugokuo has left #openstack-dev17:09
*** amerine has joined #openstack-dev17:09
avishaymarkmc: yes it does (oslo-config==2013.1b3)17:09
markmcit should just work17:10
tiamarhi! where in tempest is specified the flavor that is created?17:10
markmctry 'pip install http://tarballs.openstack.org/oslo-config/oslo-config-2013.1b4.tar.gz'17:10
markmcsee if b4 is better17:10
winston-d_markmc: b4 works!17:12
*** radez is now known as radez_g0n317:13
jgriffithsweet.. thanks markmc17:13
jgriffithmarkmc: I'll push an update to pip requires unless that's not "ready" or you have another version you plan to submit?17:13
winston-d_jgriffith: avishay could you verify b4 on your env as well? it works for me.17:14
jgriffithwinston-d_: yeah, that's what I just did... works for me17:14
*** zaitcev has joined #openstack-dev17:14
markmcjgriffith, go ahead with b417:14
jgriffithmarkmc: k.. thanks for the help17:14
winston-d_markmc: thx!17:15
avishaymarkmc: thanks17:15
markmcthank jkoelker17:15
*** kagan has joined #openstack-dev17:15
ayoungdolphm, looking at the policy file, I realize each of the rules are like: identity:delete_roles.  I assume identity is the service, and is not really meaningful to us, but instead the :delete_roles call is going to match the function name.  Does that imply that all of the function names need to be unique within keystone if they are going to show up in policy?  Do I need to convert TrustController.create to TrustController.creat17:16
ayounge_trust?17:16
*** vipul|away is now known as vipul17:17
*** iartarisi has quit IRC17:18
*** koolhead17 has quit IRC17:19
*** dolphm has quit IRC17:19
*** esp1 has joined #openstack-dev17:23
*** yolanda has quit IRC17:24
*** jgallard has quit IRC17:25
*** derekh has quit IRC17:26
vishydanpb: don't think my last message made it. if you have some time could you take a look at https://review.openstack.org/#/c/21382/ ?17:27
henrynashgyee, dolphm: odd thing happening….I tried to submit a new patch for my: http://review.openstack.org/#/c/22223/.…and it didn't appear as part of that review…but a trivial rebase appeared on Guang's patch that I am dependent on (i.e. I think, HOPE, that's all that happened)17:28
ayounghenrynash, TypeError: wrapper() takes exactly 2 arguments (3 give17:29
henrynashayoung: for which?17:29
gyeehenrynash, I need to submit another patch17:29
gyeedolphm didn't like the 'enabled' attribute in token data17:29
ayounghenrynash, I added @protected on to create(now create_trust) and delete17:29
*** dolphm has joined #openstack-dev17:29
ayoungdef the wrapper17:30
dolphmayoung: yes, create -> create_trust17:30
ayoungIs it due to the KW args?17:30
ayounglet me see if doing kw fixes it17:30
henrynashgyee: that's fine…..but concerned my patch is somehow not set up right17:30
danpbvishy: yikes, i thought that had merged already17:30
danpbwill review it again now17:30
ayounghenrynash, yeah, needs kw args when called.  OK17:31
vishydanpb: just discussing it in -nova I don't think we are going to take it for G17:31
vishydanpb: so no rush :)17:31
*** markmc has quit IRC17:31
henrynashayoung: ok, I can review if you pint me at t17:31
henrynashpoint me, even17:31
*** jruzicka has quit IRC17:31
ayounghenrynash, still coding17:31
ayounghenrynash, I need to fix the tests now17:31
danpbvishy: oh, what is "-nova" - another mailing list I'm not on :-/17:32
*** corXi has quit IRC17:33
ayoungdolphm,  if not context['is_admin']  is failing on a key error in policy.  This might be the first non-admin api we've wrapped this way.  Are you ok with scope creeping this to handle fixing the policy stuff as well?17:33
dolphmayoung: ah, we haven17:34
ayoungdolphm, it is a minor change, I'll add it in17:34
dolphm't exposed v2 *anything* with real policy17:34
ayoung if 'is_admin' in context and not context['is_admin']:17:34
dolphmayoung: you're in uncharted waters17:34
ayoungdolphm, but I know the name of the wind17:34
*** esp1 has quit IRC17:34
* ayoung a little Earthsea a little Qvothe17:35
*** BobBall is now known as Bobba_away17:35
openstackgerritA change was merged to openstack/nova: Add API Sample tests for Hypervisors extension.  https://review.openstack.org/2202217:37
*** dachary has quit IRC17:37
*** nati_ueno_2 has quit IRC17:37
*** cp16net is now known as cp16net|away17:38
openstackgerritA change was merged to openstack/cinder: Add LIO configuration for iSCSI initiators  https://review.openstack.org/2126617:38
openstackgerritA change was merged to openstack/python-cinderclient: Fix typo breaking --debug option to cinder client  https://review.openstack.org/2243417:38
*** nati_ueno has joined #openstack-dev17:38
*** njoy_ has joined #openstack-dev17:38
henrynashgyee, dolphm, ayoung: just going to grab a bite to eat then be back on17:40
*** davidha has joined #openstack-dev17:41
*** adjohn_ has quit IRC17:42
*** njoy has quit IRC17:42
*** nati_ueno has quit IRC17:43
*** andrewbogott_afk is now known as andrewbogott17:43
ayoungdolphm, how do I shut up loggers during the unit test run?17:45
ayoungI'm getting so much debug output I can't see what failed17:45
*** romcheg has quit IRC17:45
dolphmayoung:  turn off debug in test overrides?17:46
*** dhellmann is now known as dhellmann-afk17:46
gyeedolphm, about to push another patch with the stuff filtered17:46
openstackgerritA change was merged to openstack/cinder: rbd: implement get_volume_stats()  https://review.openstack.org/2240017:50
*** Yada has quit IRC17:50
*** Mandell has joined #openstack-dev17:50
*** danpb has quit IRC17:53
gyeedolphm, ayoung, henrynash, #1917:53
dolphmgyee: thanks, looking17:53
ayounggyee, looking17:53
*** arbrandes has quit IRC17:54
dolphmhenrynash: the reason you updated gyee's patch is because git-review rebases your branch, including underlying patches17:54
*** radez_g0n3 is now known as radez17:55
dolphmhenrynash: so all you did was change the parent patch to something more recent17:55
*** jog0 has joined #openstack-dev17:55
*** roampune has joined #openstack-dev17:55
*** morganfainberg has quit IRC17:56
dolphmhenrynash: and incidentally make it so we can compare patchset 19 vs patchset 18 cleanly :)17:56
*** susanne-balle has joined #openstack-dev17:56
*** Tross has joined #openstack-dev17:56
*** avishay has quit IRC17:57
gyeedolphm, #20, sorry I just found a pep8 issue17:57
dolphmgyee: no worries17:57
*** adjohn has joined #openstack-dev17:57
dolphmgyee: so this matches current spec at first glance? i don't need to revise the api?17:58
*** dontalton has joined #openstack-dev17:58
gyeedolphm no need to17:58
gyeeI filtered it exactly17:58
*** roampune is now known as roampune_17:59
*** lloydde has joined #openstack-dev17:59
*** aswadrangnekar has joined #openstack-dev17:59
ayounggyee, looks pretty good to me at first blush.18:00
gyeeayoung, sounds good18:00
*** dprince has joined #openstack-dev18:00
ayoungthe password plugin shows how we need to clean up our logic there, but beyond the scope of this patch, I think18:01
dolphmgyee: oh cool, didn't realize you got the fixtures removed and working18:01
dolphmgyee: i was still poking at that18:01
gyeedolphm, I pretty incorporated everything from the last review18:01
gyeepretty much18:01
*** roampune_ has quit IRC18:01
*** gray-- has joined #openstack-dev18:02
dolphmgyee: awesome18:02
*** gray-- has quit IRC18:02
gyeehad to change a couple of tests because they are no longer valid18:02
dolphmgyee: i was doing so as well18:02
*** shardy is now known as shardy_afk18:02
*** roampune has joined #openstack-dev18:02
dolphmgyee: made a comment on #18 that i think needs to be fixed18:02
*** darraghb has quit IRC18:03
*** vipul is now known as vipul|away18:03
gyeedolphm, which comment?18:03
gyeethe 'user_id' thing?18:03
dolphmgyee: you're filtering roles properly and then discarding the filtered list18:03
*** otherwiseguy has quit IRC18:03
*** aswadrangnekar has quit IRC18:04
gyeedolphm, :)18:04
gyeepatch #2118:04
gyeegood catch!18:04
*** markwash has joined #openstack-dev18:05
topolayoung, dolphm, I am making an executive decision to map domain_id to businessCategory.  businessCategory exists in groupOfNames and inetOrgPerson  and seems to work18:06
dolphmtopol: cool18:06
gyeein LDAP, domain is usually domain controller object18:07
gyeedc18:07
ayoungdolphm, what does an empty policy rule look like?18:07
*** vipul|away is now known as vipul18:07
dolphm[]18:08
dolphmayoung: or "" in the new policy engine?18:08
topolgyee, I don't see dc in inetOrgPerson or its parents. Let me try and see if it breaks18:09
gyeetopol, dc is usually part of the user DN and a higher level container than organization18:10
gyeeor organization unit18:11
gyeetopol, with the auth plugin, you should be able to translate apache mod_ldap into python :)18:12
*** esp1 has joined #openstack-dev18:12
topolgyee, dc is a no go18:12
topolgyee, let me try ou18:13
*** dachary has joined #openstack-dev18:13
gyeewe don't use dc?18:13
*** nati_ueno has joined #openstack-dev18:13
*** adjohn has quit IRC18:14
ayoungdolphm, our policy should be in keystone/etc/policy.json, and it is using the "new policy engine" right?18:14
gyeeayoung, I think henrynash did move the latest policy engine code to openstack/common18:14
dolphmayoung: etc/policy.json in the repo, and i think henry updated us to oslo's policy engine impl18:15
gyeeayoung, try debugging them in your debugger and see how it goes :)18:15
gyeethat code is pretty hairy18:15
topolgyee, ou blows chunks as well. I think we are stuck with businessCategory given our choice of default objectClasses18:15
*** winston-d_ has quit IRC18:16
gyeetopol, I thought objectClass is configurable, no?18:16
*** jaypipes has quit IRC18:17
topolgyee, yes, but out of the box current defaults are groupOfNames for ProjectApi and inetOrgPerson for UserApi.   I'm assuming we picked those as best practice choices. Yes we can change them. But again this is just to show people that it can work out of the box from devstack18:18
*** kagan has quit IRC18:20
*** bencherian has quit IRC18:20
topolgyee, given code freeze was today, I felt bad about opening up a discussion of the default ObjectClasses at such a late time.  I was in put lipstick on the piggy and shove it out the door.18:20
*** zing has quit IRC18:20
topolmode18:20
dolphmgyee: question inline18:20
*** Ryan_Lane has joined #openstack-dev18:22
*** shardy_afk is now known as shardy18:25
*** doude has joined #openstack-dev18:26
gyeedolphm, responded18:26
*** nati_ueno has quit IRC18:26
*** nati_ueno has joined #openstack-dev18:27
gyeetopol, we probably need to revisit our LDAP design in H18:27
topolgyee,  I agree 1000%18:28
gyeerarely an enterprise will let an application write to their LDAP directory18:28
ayoungrussellb, what would a policy rule that always passes look like?18:28
ayoung"rule:True"?18:28
gyeefrom my past experience, we practically have to murder somebody in IT in order to get them to open up LDAP :)18:28
topolgyee, +100018:29
dolphmgyee: still confused18:29
ayounggyee, I think that LDAP is going to benefit most from the auth chain, and there will be several flavors of LDAP plugins for auth18:29
*** shardy is now known as shardy_afk18:29
openstackgerritA change was merged to openstack/nova: Prevent the unexpected with nova-manage network modify.  https://review.openstack.org/2144718:30
gyeedolphm, what's the confusion?18:30
ayoungbut most common will be, look in LDAP for user info, if it exists and meets some criteria, make sure there is an entry in the local database.  Local database will be used for roles etc18:30
topolgyee, goal here is to get something basic  working so that we can add more automated testing, provide a real ldap development environment etc18:30
dolphmgyee: if an auth plugin succeeds, you append it, auth_response['methods'].append(method_name)18:31
dolphmgyee: and then you check if any auth methods succeeded, and raise an exception if so if len(auth_response["methods"]) > 0:18:31
topolayoung, I will be showing up in Portland with lots of use cases similar to what you mention18:31
dolphmgyee: at least that's how i read it, i suspect i'm wrong18:31
ayoungtopol, we can override in the config file, so if we need to publish a workaround  figure out what it is.  I doubt people will tend to use ldap with the defaults18:31
topolayoung, I agree. but for folks trying to do development it's nice to have18:32
*** stevebaker has joined #openstack-dev18:32
gyeedolphm, we need to give all the methods a chance for continuation18:32
dolphmgyee: i understand what the exception being raised is intended to convey to the end user18:33
gyeeif one raises a continuation exception, others down the chain have no chance18:33
topolso I am going to push a fix to devstack then check on sahdev who is trying to do the group ldap stuff18:33
gyeedolphm, the purpose is to aggregate all the responses and do it at once18:33
dolphmgyee: what i don't understand is how the conditional is possibly capable of detecting the proper condition under which to raise the exception18:33
dolphmgyee: so please explain WHY the condition is accurate, not WHAT the exception is for18:34
gyeeplugin should only raise an exception on failure18:34
gyeeit should return the payload for the next auth step if continuation is needed18:34
*** jaypipes has joined #openstack-dev18:35
gyeedolphm, I documented the expected behavior in both the interface and configuration.rst18:35
ayounghenrynash, I need a policy rule that will pass for all authed users.  What does that look like?18:36
*** Thor has quit IRC18:36
*** Tross has quit IRC18:36
*** Thor has joined #openstack-dev18:37
gyeealso, we did agree on having the "extras" attribute in the token and that comes from the plugins to carry any deployment-specific data18:37
*** gargya has quit IRC18:37
*** dolphm has quit IRC18:38
*** dolphm has joined #openstack-dev18:39
*** romcheg has joined #openstack-dev18:39
*** FlorianOtel has quit IRC18:40
*** kagan has joined #openstack-dev18:42
*** garyk has quit IRC18:42
*** digitalsanctum has quit IRC18:46
*** bdpayne has quit IRC18:47
*** bdpayne has joined #openstack-dev18:48
ayounggyee,18:49
ayoungI think there is some bleed over in policy18:49
gyeeayoung, yeah?18:50
*** locke105 has quit IRC18:50
ayounggyee, still investigating.   Not sure if it is your changes or mine, but the failure changed after rebase18:50
ayoungit's v2, so it shouldn't matter18:51
*** baba has quit IRC18:51
gyeeayoung, no, v2 doesn't use policy engine AFAIK18:51
*** lglenden has quit IRC18:51
ayounggyee, I'm getting an auth error when getting a scoped token18:51
*** mrodden has quit IRC18:51
*** zoresvit has quit IRC18:51
ayoungfrom an unscoped.  /tokens/controller....18:52
ayounggyee, did your last patch remove all the domains check etc?18:53
gyeeayoung, the only thing I changed in token/controler is the token validation logic18:54
gyeepretty much applied the same security patch you had18:54
ayounghehehehehehehe18:54
ayounggyee, nope18:54
*** AlanClark__ has quit IRC18:54
ayoungyou also remove a large block right before that18:54
*** AlanClark__ has joined #openstack-dev18:54
ayounghttps://review.openstack.org/#/c/21487/16..21/keystone/token/controllers.py18:54
ayoungline 89?18:54
ayounggyee, it might be innocuous....I'll tell you in a sec18:55
gyeeayoung, that was dolphm's change18:55
gyeeI happened to rebase to it18:55
dolphmayoung: gyee: it was mostly written by mathrock and committed by me18:55
gyeedolphm, patch uploaded18:55
dolphmayoung: gyee: we reviewed the patch in the bug, domains enable/disable is currently not validated and i have a bug filed and WIP to fix that18:56
*** FlorianOtel has joined #openstack-dev18:56
gyeedolphm, I am check for domain enabled/disabled in the auth logic18:56
gyeechecking18:56
dolphmgyee: this only affects v2 because for whatever reason you didn't extend the same code18:57
*** alszar has joined #openstack-dev18:57
ayoungdolphm, something broke when I rebased to patch 21....probably due to my code.  Too many moving parts,  but hold off on committing gyee's until I am sure it is my fault and not his18:57
gyeedolphm, that's the reason I didn't extend it :)18:57
gyeedon't want to get into rebase hell18:57
dolphmgyee: to create a more divergent codebase?18:57
*** garyk has joined #openstack-dev18:57
gyeev2 and v3 tokens are different18:58
dolphmgyee: superficially18:58
ayoungget_user_by_name now failing....18:58
gyeeayoung, you need the domain ID18:58
ayounggyee, Ha!~18:59
ayoungprobably that is it,  I had removed that in the past....due to it being borked18:59
ayounggyee, still...this was default domain and v2...shouldn't have broken....19:00
*** mjfork has joined #openstack-dev19:01
gyeeayoung, you are using identity.Manager or identity.Controller?19:01
gyeeI think identity controller fill in the default domain ID19:01
ayounggyee I see in the debugger that domain_id = default19:02
gyeeso what's failing?19:02
*** stevebaker has quit IRC19:03
*** digitalsanctum has joined #openstack-dev19:03
ayounggyee, it isn't finding the user I create in my setup19:03
ayoungof course, DB is not persisted, so I can't query what is in there for reas19:03
ayoungreals19:03
*** danwent has quit IRC19:03
*** torandu has quit IRC19:04
*** danwent has joined #openstack-dev19:04
*** jrodom has quit IRC19:05
ayounggyee, I suspect I am picking up a function from your unit test instead of mine...which is actually good.19:05
gyeeayoung, which test is this?19:05
ayoungI have a bunch of test functions that need to go away, but were there due to the V3 auth not being done yet19:05
ayounggyee, it is in my patch, test_v3_trust19:06
*** torandu has joined #openstack-dev19:06
gyeeayoung, if you extend from test_v3, you should be OK19:06
ayoungin setUp19:06
ayounggyee, yeah...except I rewrote a bunch of crap.19:06
ayoungwhich I can, I hope, get rid of now.19:06
gyeetest_v3 setUp did all the heavy lifting for you already19:06
*** mrodden has joined #openstack-dev19:06
*** stevebaker has joined #openstack-dev19:07
ayoungaha!19:07
ayoungOK,  so I am getting your domain ID, not the one I thought I was creating.  I can start removing my functions.19:07
gyee:)19:07
*** fc__ has quit IRC19:07
ayounggyee, v2 supports domain, right19:07
gyeeayoung, nope19:07
gyeev2 is not domain-aware19:07
ayounggyee, grumple19:08
*** jrodom has joined #openstack-dev19:08
*** Tross has joined #openstack-dev19:08
*** fc__ has joined #openstack-dev19:09
ayounggyee, you're OK19:10
*** danwent has joined #openstack-dev19:11
ayounggyee, I was testing for the presence of a domain attribute in the test self.  which you added n, and tripped up my use of default.  I'll need to stick with default for a short while19:11
*** JonnyNomad_ is now known as JonnyNomad19:12
openstackgerritA change was merged to openstack/cinder: Bump the oslo-config version to address issues.  https://review.openstack.org/2245019:13
*** dosaboy has quit IRC19:13
openstackgerritA change was merged to openstack/nova: Fix handling of source_groups with no-db-compute.  https://review.openstack.org/2167919:14
*** jrodom has quit IRC19:14
*** cp16net|away is now known as cp16net19:15
*** jrodom has joined #openstack-dev19:16
ayoungdolphm, being asked if the V2 API is going to stay as "beta"19:16
*** njoy_ has quit IRC19:16
dolphm"deprecated"19:16
dolphmideally19:16
*** njoy_ has joined #openstack-dev19:16
dolphmayoung: v2 was actually marked as "stable" sometime in essex, i'm not sure what happened19:17
ayoungdolphm, Ok.  So we think it should be tagged stable.  I'll note that.19:17
ayoungdolphm, and V3 in grizzly will be stable as well, right?19:17
dolphmayoung: if it has auth, i suppose19:18
ayoungdolphm, fair enough19:18
ayoungdolphm, I'm going to add     "default": [["rule:admin_required"]], to policy.json, so that any API that we add, if we don't put a rule in, will be is_admin only19:20
dolphmayoung: i think you also need to revise keystone.conf to have a default_policy_rule=default or something19:20
ayoungdolphm, hmmmm, OK  I'll look19:21
*** adjohn has joined #openstack-dev19:22
*** afazekas has quit IRC19:23
* ayoung starting to like this policy thing19:25
*** colinmcnamara has quit IRC19:29
*** datsun180b_ has joined #openstack-dev19:29
*** bencherian has joined #openstack-dev19:31
*** maurosr_ has joined #openstack-dev19:32
*** datsun180b has quit IRC19:32
*** datsun180b_ is now known as datsun180b19:32
ayounghenrynash, ok, you got me into this mess19:33
ayounghere's the deal19:33
*** cp16net is now known as cp16net|away19:33
ayoungI the policy rule is looking at the request coming in19:33
ayoungand it looks partially like this19:33
ayoungdict: {trust :{trustee_user_id:'blah'}19:33
ayoungI need to write a rule that will match that19:34
*** colinmcnamara has joined #openstack-dev19:34
dolphmayoung: that's generally done in the controllers, which understand the api19:34
ayoungdolphm, I know, I have that19:35
*** maurosr has quit IRC19:35
ayoungdolphm, but...I want to understand the policy stuff, and the rule that the token API uses doesn't work for me19:35
ayoungI figured I'd try to see if I can get that to work here, too.19:35
ayoungdolphm, something needs to match/19:36
ayoungdolphm, it looks for something in the creds....and matches it to something in the request body.19:37
*** jrodom has quit IRC19:37
ayoung# TODO(termie): do dict inspection via dot syntax19:37
*** jrodom has joined #openstack-dev19:37
*** johnthetubaguy has quit IRC19:37
*** novas0x2a|laptop has joined #openstack-dev19:39
*** esp1 has quit IRC19:40
ayoungdolphm, is it a mistake in the trust API to have a top level trust :{} in the create request?19:41
*** esp1 has joined #openstack-dev19:41
*** maurosr_ is now known as maurosr19:41
dolphmayoung: like POST /v3/trusts {"trust": { /* actual data? */ }}19:42
ayoungdolphm, yeah19:42
dolphmayoung: i think keystone.common.wsgi.Application expects you to do that19:42
*** adjohn has quit IRC19:42
dolphmayoung: because it'll unpack the request into create_trust(context, trust={ /* actual data */ })19:43
*** adjohn has joined #openstack-dev19:43
ayoungdolphm, yeah...policy doesn't seem to like it, though...still learning19:43
dimsdprince, got minute?19:45
dprincedims: hi.19:45
dprincedims: 1 minute... I have to run out for a bit.19:46
dimsdprince, if forbid_dtd is true, then EntityDeclHandler/UnparsedEntityDeclHandler is never called. if forbid_dtd is false, then ExternalEntityRefHandler *is* called and the tests hangs19:47
dimsdo we allow forbid_dtd to false ever? if not then we can even take out the code for  EntityDeclHandler/UnparsedEntityDeclHandler19:47
dprincedims: Okay. Well... as for our code in Nova we only use forbid_dtd=True.19:48
dimsright, so i am adding defensive code so that folks who may pick up will be safe19:48
dimsi'll make that clearer19:48
dimsok?19:48
dprincedims: I left that in there for some odd case... so if that is the case then I think you'll need to change your tests to actually use that flag then too.19:48
dimscool, will update code and tests19:49
*** afazekas has joined #openstack-dev19:49
*** cschwede has joined #openstack-dev19:49
dprincedims: making it clearer is good too though I think... but the important thing is the initial security patch works as-is. (as in it is already guarded against those attacks because we always set forbid_dtd=True)19:49
*** vipul is now known as vipul|away19:50
dimscorrect19:50
dimsagree19:50
dprincedims: cool. thanks for adding this. gotta run.19:50
*** dprince has quit IRC19:50
*** david2 has joined #openstack-dev19:51
ayounggyee, did you test ["user_id:%(user_id)s"]19:53
*** morganfainberg has joined #openstack-dev19:55
*** rnirmal has quit IRC19:58
*** doude has quit IRC19:58
*** bknudson has quit IRC19:59
icchahey is there a way to run tests by circumventing the oslo config for glance20:00
*** adjohn has quit IRC20:01
*** bknudson has joined #openstack-dev20:01
*** AlanClark__ has quit IRC20:02
*** danwent has quit IRC20:02
*** AlanClark__ has joined #openstack-dev20:02
dolphmgyee: here's another diff for you http://paste.openstack.org/raw/32112/20:03
openstackgerritA change was merged to openstack/glance: Adding new common image properties  https://review.openstack.org/2154720:03
openstackgerritA change was merged to openstack/nova: Add better status to baremetal deployments.  https://review.openstack.org/2148120:03
clarkbiccha: I don't think so. oslo config is used to manage glance's configuration20:03
clarkbiccha: what are you trying to accomplish?20:03
*** bknudson1 has joined #openstack-dev20:03
icchaclarkb: https://bugs.launchpad.net/glance/+bug/113085320:04
uvirtbotLaunchpad bug 1130853 in glance "Installing virtual environment depends on oslo.config" [High,In progress]20:04
*** romcheg has quit IRC20:05
*** bknudson has quit IRC20:05
icchaclarkb: i am not able to run tests because of this, was wondering if there is a work around20:05
clarkbiccha: does tox -epy27 do any better?20:06
clarkbthat is what jenkins would use to gate glance so presumably that worked20:06
clarkbtox doesn't use install_venv_common so should work20:06
icchaclarkb: nope ImportError: No module named oslo.config20:07
clarkbwith tox?20:07
*** romcheg has joined #openstack-dev20:07
icchaclarkb: yes20:07
clarkbiccha: are you building a new tox env?20:07
ayoungdolphm, am I correct in understanding that with string replacement in python, using a dictionary, you can only go one level deep?20:07
ayoungIE20:07
clarkbiccha: tox -repy2720:07
clarkb-r means recreate the venv20:08
ayoung t = {"a":{"b":"1"}}20:08
ayoungprint "%(a)s" % t is ok20:08
ayoungbut there is no way to get at t["a"]["b"]  by just passing in t20:08
icchathat helps clarkb , thanks20:08
*** cschwede has quit IRC20:09
*** diogogmt has joined #openstack-dev20:09
dolphmayoung: i'm not aware of a way to do that in py220:09
*** kagan has quit IRC20:09
ayoungdolphm, OK...somehow they manage it in Nova, and I'm trying to figure out what they are doing20:10
ayoungthey have a rule20:10
ayoung"admin_or_owner":  "is_admin:True or project_id:%(project_id)s",20:10
dolphmayoung: maybe flatten the dictionary?20:10
openstackgerritA change was merged to openstack/ceilometer: Disable notifier tests  https://review.openstack.org/2244920:10
ayoungdolphm, ah...20:10
ayoungyou mean trust.id = trust { id: ...}20:10
ayoungdolphm, is there a standard way to do that in python?20:11
dolphmayoung: i mean produce a new dictionary... {"a":{"b":"1"}} -> {"a_b": "1"}20:11
ayoungdolphm, yeah20:11
ayoungI was going with dot notation, but yeah20:12
*** crandquist has joined #openstack-dev20:12
ayoungso a.b instead of a_b,20:12
dolphm'%(a_b)s' % flatten({"a":{"b":"1"}})20:12
*** Tross has quit IRC20:12
dolphmyou could also override the __getitem__ method on the dict to do it dynamically20:13
dolphmor __getattr__ if you want to go with the dot notation20:13
gyeedolphm, for the tests, I simply remove the assertions for "description" and "enabled" field as they are applicable to all entities20:14
gyeerole does not have "enabled" field20:14
gyeeand user does not have "description"20:14
*** bdpayne has quit IRC20:15
gyeethey are not applicable to all entities20:15
dolphmgyee: users can have a description20:15
gyeebut those assertions are used on all entities20:15
dolphmgyee: but anyway, pass in ignore_attributes or something to explicitly ignore 'enabled' on a role, for example20:15
*** bdpayne has joined #openstack-dev20:16
dolphmgyee: instead of ignoring the convention, make exceptions to it20:16
gyeek20:16
dolphmgyee: did you see the diff i posted?20:16
gyeedolphm, I am about to apply those diffs, just came back from lunch20:17
*** jrodom has quit IRC20:17
gyeethanks for the diffs20:17
dolphmgyee: np, trying to help20:17
*** devoid has quit IRC20:18
*** devoid has joined #openstack-dev20:18
*** bknudson1 has quit IRC20:22
*** bknudson has joined #openstack-dev20:22
*** romcheg has left #openstack-dev20:25
*** bknudson has quit IRC20:26
*** FlorianOtel has quit IRC20:27
YorikSardolphm: Hi. Any chance for my 'enabled emulation' change to land today?20:30
*** otherwiseguy has joined #openstack-dev20:30
YorikSarCan anyone but ayoung approve it?20:31
ayoungYorikSar, link20:31
YorikSarhttps://review.openstack.org/2092820:31
YorikSarayoung: Never thought you'll have time for this.20:32
*** bearovercloud has joined #openstack-dev20:32
*** alexpilotti has joined #openstack-dev20:32
dolphmgyee: this will fix your issue with validating error responses on HEAD calls http://paste.openstack.org/raw/32113/20:32
ayoungtopol, can you give ^^ a look over as well?  Your LDAP kung fu is stronger than mine20:33
dolphmgyee: i imagine it'll conflict if applied on top of the last one because i deleted the override with 'pass'20:33
*** amerine has quit IRC20:33
*** jcmartin has joined #openstack-dev20:34
topolayoung, sure.  which one?  https://review.openstack.org/20928 ?20:34
ayoungtopol, yeah20:34
topolayoung, k20:34
gyeedolphm, I simply want to check for 401 instead of base class bail on me20:34
YorikSardolphm: Thanks... I hope it still cleanly merges with master.20:34
dolphmtopol: the reason we don't answer your questions about ldap is because you're the go-to guy for ldap now20:35
*** david2 has quit IRC20:35
*** doude has joined #openstack-dev20:35
dolphmgyee: expected_status=401 isn't working?20:35
ayoungYorikSar, I assume you've tested this against a live LDAP server?  I don't really trust FakeLDAP20:35
topoldolphm,  I have thrown many a person in to force them to swim.   Karma dictates that it should  happen to me sooner or later  :-)20:36
gyeedolphm, it was working with the override20:36
YorikSarI can help with LDAP stuff if someone can fill me in.20:36
*** amerine has joined #openstack-dev20:36
gyeeI got a 401 back as expected20:36
*** bearovercloud has left #openstack-dev20:36
dolphmgyee: but you also weren't validating the auth body on failures20:36
*** japage has joined #openstack-dev20:37
YorikSarayoung: Yes, we ran tempest with OpenLDAP behind Keystone.20:37
*** bearovercloud has joined #openstack-dev20:37
ayoungdolphm, so for policy is . notation OK?  I have the following rule working with a flatten:20:37
ayoung["user_id:%(trust.trustor_user_id)s"]20:37
dolphmayoung: where are you writing the implementation, in oslo?20:38
*** Gordonz has quit IRC20:38
ayoungdolphm, no in Keystone controller20:38
*** Gordonz has joined #openstack-dev20:38
*** danwent has joined #openstack-dev20:38
*** mkollaro has quit IRC20:38
ayoungkeystone common controller decorator20:38
*** datsun180b has quit IRC20:38
*** stevebaker has quit IRC20:38
*** datsun180b has joined #openstack-dev20:38
YorikSarayoung: So 'enabled' support was missing totally, other fixes are filed separately: https://review.openstack.org/22352 and https://review.openstack.org/22348. But they can be considered bugfixes since nothing new is introduced, only fixed.20:38
ayoungcode shamelessly stolen from Stackoverflow of course20:38
ayoungYorikSar, I remember vaguely acking https://review.openstack.org/#/c/22352/120:39
ayoungyou sure that that fix isn't already in elsewhere?20:39
ayoungYorikSar, I can ack the enabled one, though20:40
ayoungI'll let topol chime in first though20:40
YorikSarayoung: I don't know about description stuff, I'll check open change requests now.20:40
henrynashayoung: that policy is on create trust, i assume20:41
ayounghenrynash, yes20:41
ayounghenrynash, I'm trying to get this working20:41
ayoung["rule:admin_required"], ["user_id:%(trust.trustor_user_id)s"],["user_id:%(trust.trustee_user_id)s"]20:41
ayoungfor the lists etc.20:41
henrynashI think that should work, since the protector will put the trust_id and the trust object into the policy engine20:41
ayoungdelete will be same as create, but not sure I have the same context to work with.20:42
henrynashno, you won't since the object isn't passed to the api call20:42
ayounghenrynash, crud20:42
ayounghenrynash, how can I write a rule that just says "always pass"?20:43
henrynash[]20:43
henrynash(I think)20:43
*** FlorianOtel has joined #openstack-dev20:43
*** colinmcnamara has quit IRC20:44
henrynashayoung: pretty sure we'll be doing a pass of all the protection settings spit freeze20:44
dolphmhenrynash: did you upgrade keystone to use oslo's policy impl?20:44
henrynashdolphm: yes20:44
openstackgerritA change was merged to openstack/cinder: Better error handling around volume delete.  https://review.openstack.org/2246220:45
*** stevebaker has joined #openstack-dev20:45
dolphmayoung: i'm pretty sure what you're doing should go into oslo20:45
henrynashdolphm: well, to be exact, it is the openstack.common one20:45
*** pcm_ has quit IRC20:45
dolphmhenrynash: yeah, i guess it's not packaged under 'oslo' quite yet20:45
henrynashdolphm: so we don't get it from the oslo library20:45
dolphmgyee: ETA on next rev?20:46
gyeedolphm, in a few mins20:47
dolphmgyee: cool20:47
gyeeI have both patches applied20:47
*** imsplitbit has joined #openstack-dev20:47
gyeererunning the tests right now20:47
*** jsindy has joined #openstack-dev20:47
topolayoung, 22352 looks correct to me and does not appear in my code which I refreshed earlier today I  believe.  Im doing some testing and may be running into issues because I dont have 22352.  will keep verifying20:47
*** adjohn has joined #openstack-dev20:48
YorikSarayoung: btw, if you ever want to remove more unused lines from LDAP backend: https://review.openstack.org/2236220:48
openstackgerritA change was merged to openstack/nova: Add a volume driver in Nova for Scality SOFS  https://review.openstack.org/1967620:51
openstackgerritA change was merged to openstack/nova: cfg should be imported from oslo.config  https://review.openstack.org/2246620:51
*** boris-42 has joined #openstack-dev20:52
openstackgerritA change was merged to openstack/glance: Sync latest install_venv_common.py  https://review.openstack.org/2246320:52
gyeedolphm, patch uploaded20:52
*** doude has left #openstack-dev20:54
ayoungdolphm, yes, it should go into oslo, but I think that it can go here safely for now.  I can't run without it and do policy.  Should I just punt on policy?20:54
dolphmgyee: so, here's my opinion... it's complete but full of bugs that can be filed & fixed over the next couple weeks, all of them minor afaik20:54
*** pcm_ has joined #openstack-dev20:55
gyeebugs?20:55
dolphmgyee: spec inconsistencies, mostly20:55
gyeek20:55
gyeeworks for me20:55
dolphmgyee: i'd also refrain from telling anyone we support pluggable authentication, because i can't write a plugin myself20:56
gyeedolphm, what you have in mind, I can write one for ya :)20:56
*** jcmartin has quit IRC20:57
dolphmgyee: i'm just talking about the ability to understand the api i'm expected to fulfill as a plugin20:57
dolphmgyee: conditionally populating some dict that's handed to me is way out of bounds, imo20:57
gyeedoc not clear?20:57
YorikSarayoung: Looked through all open changes. Can't see anyone changing default mapping for description.20:57
dolphmgyee: it's not a doc issue, it's where the burden of responsibilities lies -- too many are placed on the plugin20:58
ayoungYorikSar, OK, I'll give those all a look over in a bit.  They mostly look fine.20:59
dolphmgyee: so, i'd like to make the plugin API a bit simpler (providing just a small part of the auth request to the plugin was a HUUUUGE step in that direction) and i'd also like to allow multiple plugins per authentication method... which i think is the use case most people have in mind (mixing sql and ldap auth, for example)20:59
gyeedolphm, not really, all we require is plugin resolve the user_id20:59
dolphmgyee: i agree, but that's not the reality20:59
dolphmYorikSar: the freeze doesn't apply to bug fixes, btw21:00
*** almaisan-away is now known as al-maisan21:00
*** EmilienM has quit IRC21:00
*** EmilienM has joined #openstack-dev21:01
gyeedolphm, I suspect we're going to have a session (or more) over this in the summit21:01
*** jsindy is now known as monst_21:01
*** afazekas has quit IRC21:01
YorikSardolphm: Yes, I understand. The one I want to make sure to land today is 'enabled emulation'.21:01
dolphmgyee: that's a good idea21:01
dolphmYorikSar: is that the one ayoung wants topol to review?21:02
*** Tross has joined #openstack-dev21:02
YorikSardolphm: Yes.21:02
ayoungdolphm, yeah21:03
*** rnirmal has joined #openstack-dev21:03
*** hub_cap has joined #openstack-dev21:03
henrynashdims, dolphm, gyee, ayoung: I need some hand holding to get my query filter patch (which is dependent on Guang's patch) in….I think I have a screwed up commit history, so trying to push the review is  not behaving21:03
hub_caphi all, im trying to code some changes to edit metadata (changes to our ovz driver w/ imsplitbit) and im wondering, since there is a metadata svc, is there some example that someone can point me to so i can start hacking?21:04
gyeehenrynash, yeah, I don't see your latest changes21:04
topoldolphm, I have on my list21:04
topolhttps://review.openstack.org/#/c/22352/121:04
topolhttps://review.openstack.org/2092821:04
dolphmhenrynash: can you push to github or something?21:05
dolphmhenrynash: the whole repo21:05
gyeetopol, you use openldap for your tests?21:07
henrynashdolphm: want to be careful here, what cmd would you suggest I use for that?21:07
topolgyee, yes I am21:08
*** ewindisch has quit IRC21:08
*** melwitt has joined #openstack-dev21:09
dolphmhenrynash: git checkout -b broken_branch21:09
*** ewindisch has joined #openstack-dev21:09
dolphmhenrynash: and then git push origin broken_branch to an empty github repo21:09
dolphmassuming origin is github21:09
*** mohits has quit IRC21:09
henrynashdolphm: so I have a branch that has correctly (in terms of the end result) merged up to a recent (but not the latest) version of Guang's patch21:10
dolphmhenrynash: git reflog may also be useful to show your previous states21:10
vishyboris-42: ping21:10
boris-42fishy hi21:11
dolphmhenrynash: are you using the Rebase button on gerrit or doing this offline?21:11
boris-42vishy hi*21:11
henrynashdolphm: but looking at the log, it shows I 3 or 4 merges with earlier versions of the Guang's patch….and the review says I need to squash them21:11
vishyboris-42: I notice you are sticking up some more unique keys patches today21:11
vishyany idea how many there are?21:11
*** mohits has joined #openstack-dev21:11
boris-42vishy there is a lot of… =(21:11
vishyboris-42: any that don't make it today will we need to discuss whether to FFE them / take them as fixes / or push them to havana21:12
*** cp16net|away is now known as cp16net21:12
dolphmhenrynash: have you made changes that aren't in your latest review, other than resolving merge conflicts?21:13
vishyboris-42: are you planning on working on them over the next few days or will it just be here and there when you have time?21:13
henrynashdolphm: yes, to fix up various problems21:13
dolphmand you've committed those?21:13
henrynashdolphm: yes21:14
henrynashdolphm: but git review fails21:14
dolphmhenrynash: git log -n 1 <-- shows your last commit id, worth making a note of21:14
clarkbhenrynash: can you paste the git review failure too?21:14
dolphmhenrynash: git reflog will show you previous commits you were on, in case you want to go back21:14
dolphmhenrynash: so don't worry too much about getting into a nasty state because you can always go back... what's the git review error say?21:15
*** colinmcnamara has joined #openstack-dev21:15
henrynashso here's what my git log says:21:16
boris-42vishy: I was going to sleep=), here is about 1am (UTC+3) =). I was planning to finish bp in 2-3 weeks..21:16
henrynash11060f02fb9e10a904b3921e70476e05fbb9a58b Pass query filter attributes to policy engine21:16
henrynash5aaa22100baf1e53680a062f2b841cfa323b4a10 blueprint pluggable-identity-authentication-handlers blueprint stop-ids-in-uris blueprint multi-factor-authn (just the plumbing) v3 authentication and token APIs21:16
henrynash69352fa99cf82ee78d980972bc4881ba9d7fe162 blueprint pluggable-identity-authentication-handlers blueprint stop-ids-in-uris blueprint multi-factor-authn (just the plumbing) v3 authentication and token APIs21:16
henrynashca2b0cd1d58d8d74e4e7920b8b8c6a7fa52490ec blueprint pluggable-identity-authentication-handlers blueprint stop-ids-in-uris blueprint multi-factor-authn (just the plumbing) v3 authentication and token APIs21:16
henrynash7e456cf2a9f85e4f45395c17d61d02043c69ab6b v3 token API21:16
henrynashd036db145d51f8b134ffa36165065a8986e4f8a1 Merge "make LDAP query scope configurable"21:16
openstackgerritA change was merged to openstack/oslo-incubator: Move DB thread pooling to DB API loader  https://review.openstack.org/2215821:17
*** donaldh has joined #openstack-dev21:17
boris-42There is a lot of work around, for example in security groups (There is no tests for db api at all) + there is also session in public parameters…21:17
vishyboris-42: ok so it will be for h then21:18
vishyI will bring it up in the nova meeting to see if we want to include any in the rc period21:18
dolphmhenrynash: do you have changes across multiple commits, or is everything in 11060?21:19
henrynashdolphm: and the actual review error is:21:19
henrynashremote: (W) ca2b0cd: commit subject >65 characters; use shorter first paragraph[K21:19
henrynashTo ssh://henry-nash@review.openstack.org:29418/openstack/keystone.git21:19
henrynash ! [remote rejected] HEAD -> refs/for/master/bug/1126048 (squash commits first)21:19
henrynasherror: failed to push some refs to 'ssh://henry-nash@review.openstack.org:29418/openstack/keystone.git'21:19
dolphmhenrynash: git fetch ssh://dolph@review.openstack.org:29418/openstack/keystone refs/changes/87/21487/21 && git checkout FETCH_HEAD && git cherry-pick 11060f02fb9e10a904b3921e70476e05fbb9a58b21:19
dolphmhenrynash: my normal workflow ^ checkout someone else's change, and cherry pick yours on top of it to create a dependency on their latest patch21:19
boris-42boris-42: ok thanks. I think that it is better to do slow and without bugs that could produce nasty things than fast=)21:20
henrynashalthough isn't it version 23 now?21:20
dolphmhenrynash: actually 24 lol21:20
*** al-maisan is now known as almaisan-away21:20
dolphmgyee: pep8 fix?21:20
henrynashdolphm: so I do that in my branch21:21
boris-42vish ok thanks. I think that it is better to do slow and without bugs that could produce nasty things than fast=)21:21
dolphmhenrynash: that will leave your branch behind21:21
vishyboris-42: great!21:21
henrynashdolphm: ok, sounds good!21:21
boris-42fishy Also I implemented BP pci passthrough...21:21
*** cschwede has joined #openstack-dev21:22
gyeedolphm, yeah, just did21:24
*** mohits has quit IRC21:25
henrynashdolphm: I get permission denied (publickey)21:25
*** hub_cap has left #openstack-dev21:25
clarkbyeah because the string dolphm gave you has dolphm as the username21:26
clarkbyou can use https anonymously21:26
*** kagan has joined #openstack-dev21:26
clarkbif you look at the change you want under the latest patchset will be text you can copy and paste21:26
dolphmhenrynash: oh sorry, either use your username, or copy the checkout command from gerrit, and then do a cherry-pick21:27
henrynashdolphm: duh, yes sorry me being dumb21:27
*** boris-42 has quit IRC21:29
*** b1rkh0ff has quit IRC21:30
*** dwilson has left #openstack-dev21:30
ewindischI'd still like to get the (oslo) advanced-matchmaker blueprint merged today, if I can get reviewers on it.  https://review.openstack.org/#/c/20434/21:31
dolphmhenrynash: i imagine you didn't mean to approve https://review.openstack.org/#/c/22063/21:32
henrynashdolphm: eeK!  how did that happen?21:33
ewindischrussellb: I didn't realize that 'oslo.message' was NOT supposed to have s/oslo/$BASE/ ? Update.py will continue to break this, won't it?21:33
dolphmhenrynash: i don't think it matters because there's no positive votes anyway21:33
dolphmhenrynash: you can undo21:33
*** dwilson has joined #openstack-dev21:33
russellbewindisch: need to fix update.py now, yes21:33
ayounghenrynash, so it looks like "@" is a TrueCheck21:34
ttxdolphm: hola! how is it going ?21:35
*** adjohn has quit IRC21:35
ayoungtopol, if  you are  OK with  https://review.openstack.org/#/c/20928/5 let me know21:36
*** esp1 has quit IRC21:36
dolphmttx: you said we had like 10 more minutes21:36
ttxdolphm: oh, sure, I'm just being a PITA :)21:37
dolphmttx: ;)21:37
*** vipul|away is now known as vipul21:37
ttxI'll give you 23 more minutes :)21:37
dolphmttx: haha21:37
dolphmhenrynash: can you take a minute to review https://review.openstack.org/#/c/21487/ as-is?21:38
openstackgerritA change was merged to openstack/nova: Refactor nwfilter parameters  https://review.openstack.org/2236921:38
henrynashdolphm: yep…just cleaning up my git...21:38
*** radez is now known as radez_g0n321:38
topolayoung, looks good. just +1 it21:39
YorikSartopol: Yay!21:39
dolphmhenrynash: i can't stomach the approve button, so i'll leave that up to you21:39
*** dprince has joined #openstack-dev21:39
*** esp1 has joined #openstack-dev21:39
henrynashdolphm :-)21:40
*** adjohn has joined #openstack-dev21:40
topolYorikSar, so I am tracking down another issue maybe you can help me with21:40
YorikSartopol: Sure, just tell me what it is.21:41
topolYorikSar, so the basic devstack setup commands all run fine21:41
topolYorikSar, I then tried to add a user to a particular tenantID21:42
*** pabelanger has quit IRC21:42
*** Ryan_Lane has quit IRC21:42
*** eharney has quit IRC21:42
*** voliveirajr has quit IRC21:42
YorikSartopol: iirc, we had no problems there.21:45
topolYorikSar,  and then ldap complained about not being able to store the tenantID  attribute.  Which looks similar to the tenant_id so I added it to the filter list:21:45
topoliniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenant_id,tenants,tenantId"21:45
YorikSareh....21:46
topolYorikSar that got me through the add user to tenant but then when it tries to update the role it cant find the role21:46
ttxdolphm: once 21487 merges... i can close "Implement authn Identity API v3", replace-tenant-user-membership, domain-name-spaces, domain-scoping ?21:47
*** Ryan_Lane has joined #openstack-dev21:47
ttxdolphm: and leave  pluggable-identity-authentication-handlers open ?21:47
YorikSarI don't get it how these tenant_id and tenantId coexist.21:47
gyeepluggable should be done21:47
dolphmttx: tenant-user-membership is merged21:47
dolphmgyee: that's debatable ;)21:47
gyeeand stop-ids-in-url21:48
dolphmttx: ^21:48
gyeeand mfa21:48
ttxdolphm: ok, marking tenant-user-membership completed21:48
gyeethough mfa is just the plumbing21:48
dolphmttx: not domain-scoping21:48
dolphmgyee: i think it's enough to satisfy the mfa bp, no?21:48
gyeedolphm, I think so21:49
dolphmgyee: mfa was mostly asking for a spec21:49
YorikSartopol: That's strange. Can you paste Keystone log of relevant request?21:49
gyeeunless you guys want me to hookup google authenticator :)21:49
*** imsplitbit has quit IRC21:49
ttxdolphm: mfa is not in the list, so i don't really care :)21:49
dolphmgyee: i think it'd be cool to example an example, in docs if not in contrib21:49
dolphmSOMEONE BROKE THE LIST21:49
ttxdolphm: what needs to be done to complete domain-scoping ? Looks like that will be deferred in H at this point21:49
ttxdolphm: blame heckj21:50
dolphmttx: we've written the API but haven't implemented due to lack of immediate use cases21:50
dolphmttx: definitely defer to H21:50
gyee+121:50
ttxdolphm: deferring domain-scoping to h121:51
ttxdolphm: should I add mfa back to the list ?21:52
gyeewe should as the plumbing is there to impl mfa21:52
ttxgyee: ok21:53
dolphmttx: only add it back if you want to mark it as completed?21:53
henrynashttx: hold on - domain scoping to h?21:53
ttxhenrynash: that's what dolphm said just a minute ago21:53
dolphmttx: domain scoping to H21:54
dolphmttx: https://blueprints.launchpad.net/keystone/+spec/multi-factor-authn is implemented with gyee's patch today21:54
*** rnirmal_ has joined #openstack-dev21:54
ttxthis is all very confusing :)21:54
dolphmttx: +1!21:54
henrynashguang: I still can't see what is missing for domain scoping21:54
gyeeha21:54
*** rnirmal_ has quit IRC21:54
gyeehenrynash, domain-scoped token current have no domain roles21:55
gyeecurrently21:55
ttxdolphm: when 21487 lands, I mark stop-ids-in-url, mfa, domain-name-spaces completed.21:55
dolphmhenrynash: the API is done, but gyee left a bunch of TODO's for actually creating domain scoped tokens21:55
zykes-sad to see a cool feature not going in :(21:55
topolYorikSar, http://fpaste.org/rcnt/21:55
dolphmhenrynash: didn't domain-name-spaces already merge too?21:55
henrynashgyee: I've been looking at the code…and maybe you guys need to point me at the right bit..but there can't be much to do…and I wrote a helper function for that already21:55
gyeeand (debatable) pluggable auth :)21:55
ttxdolphm: and i'll move pluggable-auth to rc1, granted an FFe21:56
topolYorikSar, let me know if you need more21:56
henrynashdolphm: yes (on name spaces)21:56
gyeettx ^21:56
dolphmttx: domain name spaces is merged21:56
ttxok21:56
*** digitalsanctum has quit IRC21:56
dolphmttx: and agree on everything else21:56
henrynashgyee, dolphm: let me finish up the domain scoping roles…we have done so much of it..I'll get that done asap tonight21:56
gyeehenrynash, take a look at auth/token_factory.py21:57
dolphmgyee: how much work is left there ^21:57
* ttx fixes mfa21:57
gyeeI have a TODO for you21:57
zykes-ttx: mfa?21:57
*** rnirmal_ has joined #openstack-dev21:57
dolphmzykes-: multi-factor authentication21:57
*** rnirmal has quit IRC21:57
*** rnirmal_ is now known as rnirmal21:57
zykes-ah21:57
*** Ryan_Lane has quit IRC21:57
dolphmzykes-: https://blueprints.launchpad.net/keystone/+spec/multi-factor-authn21:57
gyeedolphm, henrynash, should be just populate the domain roles21:58
gyeeand we're done21:58
dolphmgyee: oh.21:58
gyeeif henrynash have the helper func, should be a two-liner fix, plus tests of course21:58
dolphmgyee: even tests should be a copy/paste of your tests21:58
gyeeright21:59
dolphmgyee: s/project/domain21:59
henrynashgyee: so if that's all that needs doing, then we can get this in tonight21:59
gyeehenrynash, I have faith in you21:59
dolphmi'll volunteer to write tests21:59
henrynashgyee: :-)21:59
gyeecount me in too21:59
henrynashgyee, let me just get the query filter in21:59
dolphmis there a bp for domain scoping?21:59
ayoungdolphm, should I pull the trigger on V3 Auth?21:59
ttxdolphm: ok, so now just get me another +2 on 21487 and I'll be off your back ;)21:59
topolYorikSar, maybe the problem is that for that user I did explicitly give it a role. Do I have to?21:59
gyeeayoung, pleeeease22:00
dolphmayoung: you or henrynash should take another gander at it -- it's changed quite a bit in 24 hours22:00
henrynashdolphm: ok I have the query filter re-merged now, thanks22:00
topolYorikSar , errr I did not explicitly give it a role22:00
ayoungdolphm, I've been keeping up22:00
dolphmhenrynash: awesome, does your own review look good to you?22:00
YorikSartopol: What change do you work on now?22:00
dolphmayoung: well it's 4:01pm so we're past our deadline officially22:01
ttxayoung: go for it :)22:01
dolphmor bedtime ttx-time22:01
ayoungttx, one last look...22:01
gyeehold the horses :)22:01
topolYorikSar, Im not changing any keystone code.  Just running devstack with a new capability to install and configure LDAP and set keystone to use the LDAP identity driver22:01
*** lloydde has quit IRC22:01
ttxdolphm: you won't get rid of me that easily22:01
henrynashdolphm: for the commit, I assume it will be a new commit , so should I do a git commit -a …and paste in the old commit id so it gets hooked to the same git review (or will the cherry pick have carried that with it)22:01
YorikSartopol: My wild guess is about the recent switch towards role-based project membership has something to do with this.22:02
ayoungFIRE IN THE HOLE!22:02
dimsayoung, LOL22:02
ttxthe queue has been pretty aggressively stuffed anyway, so it won't land just now22:02
gyeew00t!22:02
dolphmhenrynash: cherry-pick will carry the Change-Id around, but that would work too22:02
ttxdolphm, gyee, ayoung, henrynash: congrats guys, you made it22:03
dolphmttx: i've been doing my part in not reviewing anything22:03
ttxdolphm: same here22:03
ayoungttx, not yet I haven't my change was queued up behind it22:03
*** martine_ has quit IRC22:03
YorikSartopol: Yes. Looks like the member_role has never been created in LDAP.22:03
* dolphm falls asleep22:03
ttxayoung: your change ?22:03
ayoungttx, Trusts22:03
*** Ryan_Lane has joined #openstack-dev22:03
ttxayoung: oh, that's been granted an exception, so can wait a few days22:04
ayoungttx, Trusts has gotten trampled by a herd of Yaks which are all now properly shaven22:04
ttxayoung: was mostly concerned about what was NOT granted an exception yet22:04
ayoungttx, yes, but that was my finish line22:04
topolYorikSar, I dont know where it got the role value anyway. I did not declare a role for that user that I know of. I just created a user and tried to add it to a tenant (project)22:04
ayoungtopol, that was me22:04
ayoungmembers are gone!22:04
*** shardy_afk is now known as shardy22:04
gyeettx, how come ayoung gets an exception?22:05
dolphmtopol: yay! ayoung's patch worked22:05
topolayoung, pottery barn rules:  you break it, you bought it!22:05
gyeewhat's the address to send money?22:05
*** Ryan_Lane has quit IRC22:05
ayounggyee, I have a bank account in the Caymans, I'll PM you in tbox number22:05
YorikSartopol: New logic is instead of adding user's DN to tenant's groupOfNames, user is granted with role in this project.22:05
dolphmgyee: heckj begged ttx on ayoung's behalf22:06
YorikSartopol: You should look at member_role_id config value in Keystone and probably create this role before running tests...22:06
dolphmYorikSar: a data migration will create it automatically? (ayoung- but only if it's needed?)22:07
YorikSarayoung: That's pretty strange, by the way. Before this change we never required user to create any objects in LDAP, only subtrees.22:07
dolphms/automatically?/automatically/22:07
topolYorikSar, so we can fix this without changing keystone code, correct?22:07
YorikSartopol: Yes, just add appropriate role.22:08
*** Ryan_Lane has joined #openstack-dev22:08
YorikSartopol: With id 9fe2ff9ee4384b1894a90878d3e92bab and name '_mamber_'22:08
YorikSartopol: *'_member_'22:09
YorikSardolphm: Mb we should create this role automatically as well?22:09
topolYorikSar, ugh, so you are saying in the devstack keystone code we need to add this magic role?22:09
dolphmYorikSar: in ldap?22:09
ayounghenrynash, posted a new trusts patch with policy engaged.  I larned me summat today.22:10
YorikSartopol, dolphm: yes, yes22:10
topolYorikSar, in LDAP?22:10
henrynashayoung: ok22:10
YorikSar(packing/unpacking works in IRC as well as in Python, right?)22:10
*** alexpilotti has quit IRC22:10
topolYorikSar, just curiously how did we decide it would ALWAYS be 9fe2ff9ee4384b1894a90878d3e92bab22:10
YorikSartopol: Yes... Well, I guess, you can do it with API.22:11
YorikSartopol: Mb, it's the name of ayoung's cat ;)22:11
YorikSartopol: It's the default value for member_role_id config22:12
topolYorikSar, no wonder the cat never comes when he calls him22:12
YorikSartopol: What if it's encoded in some base42-ish encoding?22:12
zykes-is trusts landing for v3 ?22:12
dolphmzykes-: grizzly or v3?22:13
henrynashdolphm, gyee: sigh…so the query filter patch is re-posted….but while it is correct, it unfortunately appears to include all Guang's changes…so you can't tell which are my updates. Damn.22:13
topolYorikSar, so I can add this but what about folks who run in production who dont use devstack.  How are they expected to handle this?  Always add the special role???22:13
henrynashhttps://review.openstack.org/#/c/22223/22:13
zykes-dolphm: ehm, G22:13
YorikSartopol: I don't know, btw, how is it handled in SQL backend22:13
dolphmhenrynash: how'd you do that? lol22:13
YorikSartopol: I guess, we should do smth like that.22:14
gyeehenrynash, you have a diff somewhere?22:14
topolYorikSar, dunno about SQL.  Im the ldap guy22:14
*** mdomsch has joined #openstack-dev22:14
YorikSartopol: LDAP backend was created to mimic SQL backend behaviour at first, so we might continue do it and noone will notice :)22:15
dolphmhenrynash: how close is your patchset 5 to where you want to be?22:15
*** Tross has quit IRC22:15
YorikSartopol: Crap... SQL has a migration for this.22:16
henrynashdolphm: so, I could certainly re-apply my changes to a "clean" patch set 522:16
dolphmhenrynash: let me get you to that point then22:16
henrynashdolphm: ok22:16
dolphmhenrynash: i'm going to push a review *with* a merge conflict included, and let you resolve22:16
*** boden has quit IRC22:16
henrynashdolphm: and the v3 auth is on it's way to be merged anyway, yes?22:17
henrynashdolphm: fine by me22:17
YorikSartopol: We have smth around two or three options here:22:17
dolphmhenrynash: https://review.openstack.org/#/c/22223/22:17
ayoungYorikSar, I have not Cat.  I am a dog person, but  for now, I have two kids under 7 and that is enough work for me,22:17
dolphmhenrynash: copy/paste the checkout command provided by gerrit22:17
dolphmhenrynash: v3 auth is gating now22:17
ayoungtopol, uuid-gen22:18
*** openstackjenkins has quit IRC22:18
YorikSartopol: * let deployers add this role (they'll be sad)22:18
YorikSartopol: * let backends deal with this (just like SQL does)22:18
*** AlanClark__ has quit IRC22:18
YorikSartopol: * deal with this on the higher level22:18
*** openstackjenkins has joined #openstack-dev22:18
*** AlanClark__ has joined #openstack-dev22:18
*** Ryan_Lane has quit IRC22:18
gyeedolphm, henrynash, 22223 doesn't seem to have any overlap with the token API patch22:18
*** vuntz has quit IRC22:19
YorikSarayoung: So which one of them do you call 9fe2ff9ee4384b1894a90878d3e92bab? :)22:19
*** openstackjenkins has quit IRC22:19
dolphmgyee: conflict in keystone/common/controller.py -- may or may not be against your patch22:19
YorikSarayoung: j/k22:19
YorikSarayoung: Can you help us with our options?22:19
dolphmayoung: should just rename the ID to 'member' lol22:19
*** openstackjenkins has joined #openstack-dev22:20
gyeedolphm, common/controller.py conflicts don't appear to be coming from mine22:20
topolayoung, the backend ldap driver code is still shoving users in under tenants. Is that now a bug.  The new role patch I must admit I dont fully understand yet22:21
*** amerine has quit IRC22:22
henrynashdolphm: ok, got myself the patch 7 in detached head state (and just to make sure I do this right), i should git checkout -b mybranchname, and then make my changes, and then I can commit and git review of that branch?22:22
topolK, in 10 mins I drop my daughter off for a sleepover.  And with my wife and son on a trip in FL I get to spend all night with this crowd :-)22:23
dolphmgyee: crap, either i sent you a bad diff or you made a bad merge22:23
*** vuntz has joined #openstack-dev22:23
*** cschwede has quit IRC22:23
YorikSartopol: Have a nice one! :)22:24
dolphmgyee: https://review.openstack.org/#/c/22491/22:24
dolphmhenrynash: you don't *need* to make a branch if you don't want to (personally i wouldn't unless you need to stop and go do something else, or you're writing several patches in sequence)22:25
dolphmhenrynash: all you really need to do is make changes and then git commit --amend22:25
henrynashok, can do22:25
*** amerine has joined #openstack-dev22:25
*** ladquin1 has joined #openstack-dev22:26
*** epim has quit IRC22:26
topolYorikSar, so in devstack I will need to read member_role_id and member_role_name out of keystone.conf.sample and then use those values since they are configurable and then create the role22:26
henrynashdolphm: although actually I need to switch to other branches to copy and paste some code out, so might have to create a branch (since I can't checkout any other branch in this state)22:27
topolYorikSar, or I can just hard code them and update keystone.conf since I update values in it anyway22:27
YorikSartopol: I guess, you can use the default ones for now...22:28
*** hemnafk is now known as hemna22:28
BLZbubbais there a way to have the horizon instances page not DDOS my api server?22:29
*** epim has joined #openstack-dev22:29
*** ladquin has quit IRC22:29
BLZbubbai.e. if i have 150 nodes, it is updating their status with ajax way way too often22:29
*** ladquin1 is now known as ladquin22:30
gyeedolphm, nice catch22:30
BLZbubbai am improving the hardware and such too, but slowing down the update frequency would help quite a bit too22:30
topolYorikSar, I'll be back in 25 mins.  But I think I can proceed.  Thanks for helping me figure out the mystery role22:30
YorikSartopol: I'll create draft change request with my proposal for this.22:31
*** eharney has joined #openstack-dev22:31
*** eharney has quit IRC22:31
*** eharney has joined #openstack-dev22:31
topolYorikSar, you mean for how folks in production should address this?22:31
*** Ryan_Lane has joined #openstack-dev22:32
YorikSartopol: No, I suggest we handle this in core.22:32
topolYorikSar, you saying I wont have to add this to devstack?22:32
*** annegentle has quit IRC22:33
topolYorikSar, if its fixed in core then no changes to devstack22:33
topolYorikSar, basically where it throws the no role exception in core just have the code add the default role?22:34
YorikSartopol: https://review.openstack.org/2249322:34
dolphmgyee: i just got a domain scoped token back without having a role on the domain22:35
YorikSarayoung, dolphm: what do you think about this?22:35
gyeedolphm, that's the missing part22:35
dolphmgyee: i don't have a role grant on the domain22:35
gyeehenrynash will hook that up later today22:35
topolYorikSar, getting a page not found on that URL.  Ill be back soon22:36
henrynashgyee: sure thing22:36
dolphmgyee: i'm saying it's returning me a token that i should not be allowed to get22:36
gyeedolphm, correct, right now I don't check for domain roles22:36
dolphmgyee: okay, so this isn't just a bug it's a security vulnerability if we let it go22:37
dolphm(and were using domain scoped tokens for something)22:37
gyeenot a security vul if user have no roles22:37
YorikSartopol: Oh.. Looks like drafts are hidden.22:37
*** buzztroll_ has quit IRC22:37
YorikSarfixed that.22:37
dolphmgyee: this is the real police badge with no badge number example22:37
gyeedolphm, what can one do without any roles?22:38
dolphmgyee: why can i get a domain-scoped token without authz on the domain?22:38
dolphmgyee: it doesn't do this for projects does it?22:38
gyeedolphm, it doesn't, once henrynash hookup the domain roles, we should be good to go22:39
*** hugokuo has joined #openstack-dev22:39
gyeeour policy engine should act on roles or we have a real problem22:40
*** rj___ has joined #openstack-dev22:40
gyeehenrynash, is your helper func in master already22:41
*** nsatterl_ has joined #openstack-dev22:41
gyeeI might as well finish it up for you22:41
henrynashgyee: have to go look...22:41
vishydanwent: ping22:43
gyeehenrynash, I don't see get_roles_for_user_and_domain() in identity controller22:43
danwentvishy: hey22:44
dolphmgyee: wrote a test to request a token for a project i don't have any roles on ... raised a 401 as expected22:44
henrynashgyee: let me find what I wrote!22:44
vishydanwent: was wondering about how important https://bugs.launchpad.net/nova/+bug/1039665 is22:44
uvirtbotLaunchpad bug 1039665 in nova "Creating quantum L2 networks (without subnets) doesn't work as expected" [High,In progress]22:44
danwentvishy: looking22:45
gyeedolphm, I am going to hookup domain roles22:45
dolphmgyee: i've got tests 80% done, so i'll just attach those to your patch, unless you want to do tdd22:45
*** jaypipes has quit IRC22:45
gyeedolphm, we can add the changes to your review22:46
gyeeprobably easier22:46
gyeegimme a few minutes22:46
*** datsun180b has quit IRC22:46
danwentvishy: it's certainly not a core use case that I see.  I think it was that the libvirt xml generation code always assumed a vif had an IP.22:47
vishydanwent: so there is a patch in review that will probably fix it22:48
vishybut22:48
vishyit is kind of risky since it refactors a bunch22:48
*** pcm_ has quit IRC22:48
openstackgerritA change was merged to openstack/cinder: Add HUAWEI volume driver in Cinder  https://review.openstack.org/2110022:48
vishyso we are planning on punting it to H22:48
danwentvishy: i'm ok with that.22:48
vishydanwent: do you think that will cause problems?22:48
vishydanwent: I mean you can't do l2-only networks22:49
henrynashgyee: hmm, I can see  the low level support funcs, not the higher ones22:49
danwentvishy: i don't really know what the use case ian was going to as to why they were booting VMs that didn't get IPs.22:49
henrynashgyee: here's what we need to do:22:49
zykes-won't be L2 needed danwent ?22:49
danwentvishy: I think it is also only applies to using linux bridge, and I think the cisco folks have moved on to using OVS, though perhaps not all22:50
ayoungYorikSar, I originally had code that did just that.  I think I am ok with it.22:50
vishydanwent: ok cool, going to punt it to H then22:50
*** alexpilotti has joined #openstack-dev22:50
ayoungYorikSar, the thing is,  add_user_to_project should be deprecated any way22:50
danwentvishy: the mere fact that it went all the way from the end of folsom to now without being fixed is a pretty good indicator that it can't be that important22:50
henrynashgyee: 3 funcs in the backend; get_roles_for_user_and_project, _get_user_project_roles, _get_user_group_project_roles…we just create domain versions of them…the underlying funcs they call all can take domain_id in place of project_id22:51
ayoungYorikSar, 9fe2ff9ee4384b1894a90878d3e92bab is my older son.  The younger guy is 6b4a8c88-8510-4636-ba13-1c54b92342d722:51
gyeehenrynash, that's what I am about to do22:52
*** CaptTofu_ has quit IRC22:52
gyeea bit more work than I thought22:52
*** maoy has quit IRC22:52
henrynashgyee: i.e. the calls to get_metadata all take domain id in place of project id22:52
dolphmgyee: authenticating with user_domain_name instead of user_domain_id doesn't work22:53
YorikSarayoung: I guess, we can inline it where it's used then. And this check can be added to create_user only, update_user should not need it.22:54
ayoungYorikSar, sar, no I think it is Ok.  The thing is, SQL has the migration path, but LDAP does not22:54
YorikSarayoung: So the younger one already follows fashion trends and has dashes in his name.22:54
ayoungso with LDAP, we kindof need to lazy add it.22:55
YorikSarayoung: Well, we either have to add smth like this migration to all backends or remove this from SQL migration and let core deal with it.22:55
ayoungYorikSar, this is so a user can have membership in a default project?22:55
ayoungYorikSar, I'm almost thinking it should got into add_role_to_user22:56
*** alexpilotti has quit IRC22:56
ayoungadd_role_to_user_and_project(22:57
YorikSarayoung: I'm not sure if this 'default tenant' thing is still useful...22:57
ayoungYorikSar, vestige22:57
YorikSarayoung: It was used in diablo, I guess.22:58
*** davidkranz has quit IRC22:58
YorikSarayoung: Mb we should get rid of it then?22:58
*** alunduil has quit IRC22:59
ayoungYorikSar, yeah, but not 24 hours after code freeze.22:59
*** davidkranz has joined #openstack-dev22:59
YorikSarayoung: Right.22:59
ayoungYorikSar, We don't even have a way to automate setting up LDAP as part of core Keystone.  I am almost tempted to punt this one off to LDAP admins.22:59
ayoungYorikSar, cuz migration is going to be broken there, too23:00
*** jcmartin has joined #openstack-dev23:00
YorikSarayoung: And what about KVS backend? It doesn't have migrations too.23:00
ayoungwe are going to need a LDAP migrate tool that does the same thing as the SQL one23:00
ayoungKVS is for testing only23:00
ayoungIt doesn't survive a reboot, hardly enterprise ready23:00
YorikSarayoung: Oh, ok. I never actually looked into what it actually is.23:01
ayoungYorikSar, OK,  I think we need a migrate tool for LDAP.  It will have to take the members elements of each tenant and create a roleAssignment for them23:02
*** alexpilotti has joined #openstack-dev23:02
*** alexpilotti has quit IRC23:02
YorikSarayoung: The problem with LDAP is... It can be mostly read-only sometimes.23:02
ayoungCare to take a first hack at it?23:02
ayoungYorikSar, that is a different conversation23:02
ayoungthis is for the LDAP backend that we manage23:02
*** timello_ has quit IRC23:03
*** fc___ has joined #openstack-dev23:03
*** timello has joined #openstack-dev23:03
*** fc__ has quit IRC23:03
*** fc___ is now known as fc__23:03
YorikSarayoung: I mean, we deployed several projects with LDAP backend and almost all of them required r/o access to LDAP.23:03
ayoungYorikSar, so, lets hold off on https://review.openstack.org/#/c/22493/23:03
henrynashdolphm, young, gyee: OK, query filter patch finally back in shape and ready for review: https://review.openstack.org/#/c/22223/23:03
*** sandywalsh has quit IRC23:03
ayoungYorikSar, I know, I know.  Different bridge to burn23:04
YorikSarayoung: Yes, sure, that change is just a draft to show my proposal.23:04
ayounghenrynash, wow, I understand that so much better than I did before today23:04
*** bencherian has quit IRC23:05
ayoungYorikSar, can you code up the migration script? It needs to read the appropriate values out of the config file23:05
henrynashayoung: :-) life's a learning curve…just worry when it flattens out23:05
YorikSarayoung: Yes. I guess, it can run at db_sync.23:05
ayoungYorikSar, yep23:06
*** kbringard has quit IRC23:06
ayounghenrynash, is it possible to do that without a separate @ttribute?23:06
YorikSarayoung: But I'll do it some time in the morning. 3am here, bad time to start something new.23:06
henrynashayoung: you mean, only have one @protection wrapper that can optionally take a list of filter attributes?23:07
gyeehenrynash, no add_role_to_user_and_domain?23:07
ayoungHeh.  YorikSar that is fine.  We  can always do it as a standalone script if needs be23:07
*** bencherian has joined #openstack-dev23:07
ayoungget some rest.23:07
ayounghenrynash, yeah.  Look at this....23:07
henrynashgyee: they're all create_grant23:07
ayounghttps://review.openstack.org/#/c/20289/18/keystone/common/controller.py23:08
henrynashgyee: all the v3 roles should really be using create/delete/check grant23:08
ayounghenrynash, see how I flatten the dictionary?  Could we do something similar?23:08
*** openstackjenkins has quit IRC23:09
*** openstackjenkins has joined #openstack-dev23:09
*** armaan1 has quit IRC23:09
ayounghenrynash, I'd like to keep an eye toward pushing our policy changes to common, and the more consistent we are, the easier it is going to be to do that.23:10
*** flaper87 has quit IRC23:10
henrynashgyee: which in itself might be an issue in the policy file (dolphm and I discussed before) as to whether having a common policy file enter for creating both domain and project is desirable23:10
henrynashayoung: +1 to that23:10
*** tomoe_ has quit IRC23:13
*** tomoe_ has joined #openstack-dev23:13
*** jergerber has joined #openstack-dev23:15
*** cloudchimp has quit IRC23:15
*** rj___ has quit IRC23:18
henrynashayoung: so do you think it is safe to flatten every object…just wondering if we might get odd clashes, like if someone had user_id in their object and we also bout the user_id of the caller in the target already23:19
*** john5223 has quit IRC23:19
*** jog0 has quit IRC23:21
*** jog0 has joined #openstack-dev23:22
*** sacharya has quit IRC23:23
*** jergerber has quit IRC23:23
*** mjfork has quit IRC23:25
*** crandquist has quit IRC23:26
*** AlanClark__ has quit IRC23:26
*** AlanClark__ has joined #openstack-dev23:26
*** dachary has quit IRC23:27
*** asalkeld has quit IRC23:29
*** yamahata has joined #openstack-dev23:31
*** soody has joined #openstack-dev23:32
topolim back23:33
henrynashayoung: Ok, I think I take it back, I don't think they would clash…one set is in the creds, one in the target (unsurprisingly)23:34
*** sthaha has joined #openstack-dev23:35
*** dims has quit IRC23:36
*** monst_ has quit IRC23:36
topolYorikSar,  draft looks good. But if an LDAP is read-only  and was some how mapping to existing roles (not sure if this is a real use case)  we break, correct23:36
*** mtreinish has quit IRC23:37
topolBut in any case can we get your draft in still?23:37
YorikSartopol: I'll write a migration for LDAP backend tomorrow that'll create this role and move all members of all tenants to it.23:38
dolphmgyee: henrynash: is there a bug number or something for domain-scoped tokens?23:38
YorikSartopol: So keystone-migrate db_sync will solve this.23:38
gyeedolphm, no, I am almost done with my changes23:39
topolYorikSar, for the ldap backend as well?23:39
dolphmgyee: i have 6 failing tests for you :)23:39
henrynashthere was blueprint: bp/domain-scoping23:39
YorikSartopol: Yes.23:39
topolYorikSar, just curiously how does it help the ldap case.  keystone-migrate db_syn is not just for the sql backend?23:40
gyeebrb23:40
*** gyee has quit IRC23:40
*** pabelanger has joined #openstack-dev23:40
topolYorikSar, but I trust you.  you found the role named after ayoung's dog.  That was quite a find :-)23:41
dolphmhenrynash: gyee: https://review.openstack.org/#/c/22497/23:41
YorikSartopol: It calls db_sync if every backend for all Keystone parts if it supports it.23:41
topolYorikSar, wonderful.  do I need to +1 your draft or not necessary?23:42
*** dwalleck has joined #openstack-dev23:42
YorikSartopol: No, it was just to show what I meant here. I'll abandon it23:43
*** asalkeld has joined #openstack-dev23:43
*** rnirmal has quit IRC23:43
*** woodspa has quit IRC23:43
topolYorikSar, k thanks! I'm going to manually add the magic role and continue testing23:43
YorikSartopol: Have fun! I'll be going to bed, so will be able to help tomorrow.23:44
henrynashdolphm: nice23:44
*** mrodden has quit IRC23:45
topolYorikSar. good night. Thanks again for the help!23:45
henrynashdolphm: the query filter patch is (finally!) up: https://review.openstack.org/#/c/22223/23:45
henrynashdolphm: thx for your help on that. btw23:45
*** shardy is now known as shardy_afk23:46
henrynashayoung: what do we need to do to get the Trusts complete…..23:46
*** dontalton has quit IRC23:46
*** eharney has quit IRC23:47
henrynashas an aside, the zuul check queue looks in an odd (and static) state23:47
*** gyee has joined #openstack-dev23:48
*** crandquist has joined #openstack-dev23:48
*** jimfehlig has quit IRC23:48
ayounghenrynash, zuul is slow, but probably not static23:49
*** markvoelker has joined #openstack-dev23:49
*** pabelanger has quit IRC23:49
ayounghenrynash, I was planning on trusts being v2 only, but with v3 auth going in...it might be worth it to make it work for both. The API doc has been fairly combed over and, if there are content issues there, I'll have to re check the comments to find out exactly what they are.  I think we are good, but dolphm is much more thorough and exacting than I am on that front23:50
*** NobodyCam has joined #openstack-dev23:51
ayoungYorikSar, note also that the id and name for the member role are configurable, and, for LDAP, you might want to use an existing role.23:51
gyeedolphm, henrynash, http://paste.openstack.org/show/32136/23:52
ayounghenrynash, when I flattened, I chose to go with the dot notation, which should be clean.  the underscore approach would certainly clash.23:52
*** markvoelker2 has quit IRC23:52
*** dims has joined #openstack-dev23:52
henrynashayoung: ah, right, nice23:53
ayounghenrynash, the thing is, the Trusts patch hasn't gotten raked over the coals yet.  The focus has been on the API docs patch.  I think that is mature enough that it can be used to review the code, though23:53
henrynashayoung: are we trying got Grizzly on it, still?23:54
ayounghenrynash, I'm going to do a separate doc patch for the V2 changes,  unless dolphm comes back and says that trusts should absolutely be V2 only.23:54
henrynashayoung: (wasn't meant to suggest we weren't !)23:55
ayounghenrynash, for trusts?  Yes, I got permission for a slight late submission.23:55
henrynashayoung: excellent!23:55
ayoungbut obviously, energy has been focused on V3 auth API first,23:55
*** dolphm has quit IRC23:56
gyeeayoung, we'll help you to get the trust API in, we have real use cases out there23:56
ayounghenrynash, I'm going to have dinner etc, and then go back through the doc comments and see which still need to be addressed.  Aside from V2 API, which will be in  a different doc, I thought I had hit everything23:56
henrynashayoung: ok23:56
ayounggyee, ok, so I think that the unit tests need to be cleaned up.23:57
ayoungThat is not make or break on the patch, as they are just doing things custom that should be using the v3_test code instead23:57
topolayoung, before you go is it possible to use the keystone client to create a role and to be able to specify what the roleId should be23:57
gyeesure, we can line them up23:57
ayoungtopol, I don't think so23:58
ayoungtopol, let me look23:58
ayoungtopol, the very first thing it does is creates a unique id,23:58
topolayoung, so  how would one add the special role if it doesnt exist?23:58
ayoungtopol, look in keystone/identity/controllers.py23:59
ayoungtopol, it would have to be direct to LDAP23:59
topolayoung, Oh, OK23:59
ayoungtopol, also, if the migrate code were executed it could bypass the controller23:59