Wednesday, 2013-09-18

*** atiwari has quit IRC		00:00
*** jasondotstar has joined #openstack-dev		00:01
*** bcrochet has quit IRC		00:03
*** elmarco has quit IRC		00:03
*** sarob has quit IRC		00:03
*** sarob_ has quit IRC		00:04
*** lbragstad has joined #openstack-dev		00:04
*** bcrochet has joined #openstack-dev		00:05
*** shakayumi has quit IRC		00:05
*** elmarco has joined #openstack-dev		00:05
*** xchu has joined #openstack-dev		00:06
*** senk has joined #openstack-dev		00:07
*** cmcnamara has joined #openstack-dev		00:07
*** stevemar has quit IRC		00:07
*** stevemar has joined #openstack-dev		00:08
*** jergerber has quit IRC		00:09
*** kpavel has quit IRC		00:13
*** senk has quit IRC		00:14
*** RajeshMohan has quit IRC		00:15
*** RajeshMohan has joined #openstack-dev		00:15
*** matiu has quit IRC		00:15
*** hemna has quit IRC		00:16
dtroyer	jamielennox: yo…assuming it's about the cert config commit yo posted above?	00:17
jamielennox	dtroyer, yea i think it's fairly obvious what i'm looking to achieve	00:17
jamielennox	but i haven't done much devstack and i just want to know if a big block like that in stack.sh is ok	00:17
jamielennox	the same thing could be copied and pasted into the top of each service instead and get rid of the variable indirection and such	00:18
*** nosnos has joined #openstack-dev		00:18
dtroyer	at first glance I'd like to see how much of the CA bits I wrote for the TLS proxy support we can re-use	00:18
dtroyer	also, why does each service need its own cert?	00:18
jamielennox	it doesn't necessarily, what i'm trying to do is allow a cert to be fed in	00:19
jamielennox	if they are the same for all that would be ok	00:19
*** SumitNaiksatam has quit IRC		00:19
jamielennox	so 2 things regarding comparsion to tls-proxy	00:19
dtroyer	ok, good	00:20
jamielennox	first i'm looking to have the SSL native to the app	00:20
jamielennox	second, TLS proxy has a failry large make_certs section, my thought would be that if you wanted to generate those certs then we could move the make_cert stuff above and then simply assign those certs into the appropriate KEYSTONE_SSL_CERT variables	00:21
*** stevemar has quit IRC		00:21
dtroyer	of course…the proxy config was to test client TLS support without having to sort it out on the api side.	00:21
*** giulivo has quit IRC		00:21
jamielennox	yep, my hope here is to make us sort it out on the api side	00:21
*** malini_afk is now known as malini		00:22
*** amotoki_ has quit IRC		00:22
dtroyer	ok, you're thinking what I was…generalize those functions a bit and manage a little internal CA. I also have a script around here somewher that wraps up the openssl x509 commands for testing	00:22
jamielennox	yea, so if you had that script export KEYSTONE_SSL_CERT/CERT/CA NOVA_SSL_CERT/KEY/CA	00:23
dtroyer	without looking at it too closely I'd leave the CA functions in lib/TLS, just make sure the proxy functions don't get in the way	00:23
jamielennox	my hope is to then allow other cas	00:23
jamielennox	yea i'm not looking to move the CA stuff, as i said purely for seeding certs at the moment	00:23
*** jwcroppe has quit IRC		00:24
*** vuil has quit IRC		00:25
dtroyer	ok, good… need to head out for a while… I think you're on a good track	00:25
jamielennox	so if i get it ready for review we can debate some of the finer points, it's mainly that somewhat ugly loop in stack.sh, should we be doing that kind of validation and should it be global like that or confined to the service?	00:25
*** SumitNaiksatam has joined #openstack-dev		00:26
dtroyer	that's good. I don't like the loop, I like to keep service-specific stuff together…but the body of the loop could be a function	00:26
*** amotoki has quit IRC		00:26
jamielennox	yea, that may work as well - thanks for the guidance	00:27
*** shakayumi has joined #openstack-dev		00:28
*** faramir1 has joined #openstack-dev		00:28
*** dstanek has quit IRC		00:31
*** Shaan7 has quit IRC		00:34
*** cmcnamara has quit IRC		00:35
*** alunduil has joined #openstack-dev		00:35
*** Ryan_Lane has quit IRC		00:38
*** dkehn has joined #openstack-dev		00:42
*** angdraug has quit IRC		00:44
*** dsirrine has quit IRC		00:45
*** RajeshMohan has quit IRC		00:46
*** RajeshMohan has joined #openstack-dev		00:46
*** jhesketh__ has quit IRC		00:48
*** jhesketh__ has joined #openstack-dev		00:48
*** bfschott has quit IRC		00:50
*** Mandell has quit IRC		00:50
*** dsirrine has joined #openstack-dev		00:51
*** dsirrine has quit IRC		00:53
*** amotoki has joined #openstack-dev		00:54
*** jasondotstar has quit IRC		00:57
*** cmcnamara has joined #openstack-dev		00:58
*** sungju has joined #openstack-dev		00:59
*** SumitNaiksatam has quit IRC		00:59
*** zzs has joined #openstack-dev		01:00
*** jayg is now known as jayg\|g0n3		01:03
*** zzs has left #openstack-dev		01:04
*** kbrierly has quit IRC		01:04
*** nati_ueno has quit IRC		01:09
*** cmcnamara has quit IRC		01:13
*** cmcnamara has joined #openstack-dev		01:14
*** yongli_away is now known as yongli		01:15
*** cmcnamara has quit IRC		01:16
*** ausjke has quit IRC		01:20
*** stevemar has joined #openstack-dev		01:21
jdennis	jamielennox, dtroyer: just saw the discussion, but I'm off to bed atm, I'll follow-up in the morning ...	01:22
jamielennox	jdennis, no worries - i'll give you a look at what i have tomorrow and we can discuss	01:22
*** SumitNaiksatam has joined #openstack-dev		01:26
*** spzala has quit IRC		01:27
*** lucasagomes has quit IRC		01:27
*** cmcnamara has joined #openstack-dev		01:30
stevemar	jamielennox: ping	01:30
jamielennox	stevemar, hey	01:30
*** markmc has quit IRC		01:30
stevemar	jamielennox - i'm a bit behind on the keystoneclient code, i've been trying to rebase some old changes	01:31
stevemar	jamielennox, looks like there have been changes to tests.. what happened to TEST_REQUEST_BASE in the utils?	01:31
jamielennox	ah, you got hit by the test change?	01:31
stevemar	eeeyep	01:31
*** yongli has quit IRC		01:31
jamielennox	hopefully it's gone	01:31
stevemar	hehe	01:31
stevemar	it is	01:31
*** neelashah has joined #openstack-dev		01:32
stevemar	do you know off-hand what is recommended to replace it? or the patch # handy?	01:32
jamielennox	so, the point behind all those TEST_REQUEST_BASE etc was to try to exactly predict the arguments passed to requests.request so that it could be mocked	01:32
jamielennox	all that is gone	01:32
*** ljjjustin has joined #openstack-dev		01:32
jamielennox	this is the review: https://review.openstack.org/#/c/44014/	01:33
stevemar	ahhh wonderful	01:33
jamielennox	so have a look at like test_http for the basics	01:33
jamielennox	the library homepage is: https://github.com/gabrielfalcao/HTTPretty and the readme is pretty explanitory	01:34
stevemar	jamielennox, ahhh man, i just finished it up; now i have no idea what httpretty does	01:34
stevemar	it's just a kick in the pants, i worked on it all day :P	01:34
jamielennox	i feel your pain, i've rebased so many of these test fixes	01:35
*** martyntaylor has quit IRC		01:35
*** dstanek has joined #openstack-dev		01:35
jamielennox	i'm pretty happy it's in though :)	01:35
*** slagle has quit IRC		01:36
*** jprovazn has quit IRC		01:38
*** rwsu has quit IRC		01:41
*** eharney has joined #openstack-dev		01:42
*** erkules has quit IRC		01:45
*** yongli has joined #openstack-dev		01:47
*** paragan has joined #openstack-dev		01:47
*** paragan has joined #openstack-dev		01:47
*** gyee has quit IRC		01:47
*** changbl has joined #openstack-dev		01:47
morganfainberg	stevemar, sorry for the tests getting ripped out from under you.	01:49
*** noslzzp has joined #openstack-dev		01:49
stevemar	morganfainberg np dude, my own fault for taking so long on getting oauth for keystoneclient done	01:49
morganfainberg	stevemar, and by all rights that change should likely have been in (httpretty) a while ago	01:50
morganfainberg	but, it was a lot of change and a daunting review to lookover	01:50
morganfainberg	I'm a little scared… i think i'm going to try running keystone tests under testr soon.	01:51
morganfainberg	jamielennox, how hard do you think smushing H304 hacking issues out would be in keystoneclient?	01:52
morganfainberg	(relative imports)	01:52
stevemar	theres a few instances of relative imports i've seen on client	01:52
morganfainberg	yeah.	01:52
jamielennox	relative imports shouldn't be too hard now that we are in the namespace	01:53
morganfainberg	right.	01:53
jamielennox	i imagine there are a number of them	01:53
jamielennox	probably nearly all :)	01:53
morganfainberg	maybe i'll go try and smush that hacking fix out here shortly	01:53
*** amcrn has quit IRC		01:53
jamielennox	but i doubt it's not hard	01:53
jamielennox	bah i doubt its hard	01:53
morganfainberg	yeah	01:54
morganfainberg	figured as much	01:54
*** dstanek has quit IRC		01:54
morganfainberg	actually. i need to bug ayoung about the domain lookup stuff again so i can get the other couple patches in (before H hopefully) so we have an expirimental per-domain backend vs partially-implemented	01:55
*** marun has quit IRC		01:56
*** rfolco has joined #openstack-dev		01:56
*** radix has quit IRC		01:56
*** radix has joined #openstack-dev		01:56
*** sarob has joined #openstack-dev		01:57
*** adalbas has quit IRC		01:59
ayoung	morganfainberg, which patches	02:00
morganfainberg	ayoung, not about a specific patch, i just seem to have forgotten how we were talking about handling the domain lookup w/o using DN as the user_id	02:01
morganfainberg	ayoung, the convo from last night. brain is being fuzzy about that aspect.	02:01
*** erkules has joined #openstack-dev		02:02
ayoung	morganfainberg, so...I need to try the DN thing again. Specifically, I need to see what happens when I set user_id_attribute to dn and query_scope to sub	02:03
morganfainberg	since DN seemed to be a bad idea (http spec? or too much delta) for H.	02:03
morganfainberg	ah.	02:03
morganfainberg	got it	02:03
morganfainberg	like i said, it felt a little fuzzy.	02:03
ayoung	morganfainberg, I'm not convinced that the = sign in the url is going to be a problem, but I'd like to check	02:03
morganfainberg	ah, should be urlencoded, and controller should decode.	02:04
ayoung	morganfainberg, if necessary...	02:04
morganfainberg	if it isn't needed, more better.	02:04
ayoung	OK..lets see where we were when last we left our heros	02:04
morganfainberg	hehe.	02:04
ayoung	http://fpaste.org/40327/13794699/	02:05
ayoung	morganfainberg, that was the last I got before dinner	02:05
*** zhikunliu has joined #openstack-dev		02:05
ayoung	trying to get the domain_id field thing to be None	02:05
morganfainberg	oh right.	02:05
ayoung	attributes are set somewhere else...	02:06
*** CaptTofu has quit IRC		02:06
ayoung	line 363	02:06
ayoung	self.get_attribute_mappings	02:07
morganfainberg	which is populated from https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L149 it looks like	02:07
ayoung	line 149	02:08
ayoung	yepo	02:08
ayoung	maybe it is v, not k that I need to check?	02:09
morganfainberg	ayoung, couldn't you just do if k in self.attribute_ignore ?	02:10
ayoung	I did	02:10
morganfainberg	and that still got you the TypeError?	02:10
ayoung	no...gets the None in the list	02:11
morganfainberg	odd.	02:11
morganfainberg	right.	02:11
ayoung	ah, yeah TypeError after that	02:11
morganfainberg	ayoung	02:12
*** ctracey has quit IRC		02:12
ayoung	maybe I have it backewards, though...gonna try v	02:12
morganfainberg	https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L176	02:12
morganfainberg	attribute ignore isn't populated at line 149	02:12
ayoung	bahahaha	02:13
*** cmcnamara has quit IRC		02:13
ayoung	morganfainberg, good eyes	02:14
*** cmcnamara has joined #openstack-dev		02:14
*** cmcnamara has quit IRC		02:14
ayoung	moved that before and retrying	02:14
morganfainberg	ayoung, hehe. sounds good.	02:14
ayoung	morganfainberg, something networkwonky on my end...my connection in to the vm comes and goes, assuming vpn issues	02:14
*** networkstatic has joined #openstack-dev		02:15
ayoung	but devstack is a runnin	02:15
*** rfolco has quit IRC		02:15
*** networkstatic has quit IRC		02:15
*** xjiujiu has joined #openstack-dev		02:15
*** dims has quit IRC		02:15
*** sarob has quit IRC		02:15
*** sarob has joined #openstack-dev		02:16
*** gongysh has joined #openstack-dev		02:16
ayoung	morganfainberg, nope	02:17
morganfainberg	ayoung, still unhappy?	02:17
*** amotoki_ has joined #openstack-dev		02:17
morganfainberg	boo.	02:17
ayoung	return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)	02:17
morganfainberg	ayoung, ugh.	02:18
ayoung	actually, that may not be the line with the real problem	02:18
*** ctracey\|away has joined #openstack-dev		02:18
*** ctracey\|away is now known as ctracey		02:18
ayoung	morganfainberg, ok, going to try your hack of removing None	02:19
morganfainberg	ayoung, for the record, that is not my goto, but it might be sufficient.	02:19
*** sarob has quit IRC		02:21
*** stevemar has quit IRC		02:23
*** gongysh has quit IRC		02:33
*** Dr_Who has joined #openstack-dev		02:34
*** dubsquared has joined #openstack-dev		02:39
*** yaguang has joined #openstack-dev		02:41
ayoung	morganfainberg, ok, so I think that works	02:42
ayoung	morganfainberg, http://paste.fedoraproject.org/40332/94721911/	02:43
morganfainberg	ayoung, you're just doing something like [x if x is not None for x in list] (or with filter())?	02:43
morganfainberg	ok, i can add that into this patchset and set the default_project_id to None	02:44
morganfainberg	if you think thats a better approach than using businessCategory (I would be inclined to agree)	02:44
morganfainberg	the config for the attribute for default....	02:45
ayoung	jamielennox, did you get the feedback you were looking for? Looks like you are on the right track	02:46
ayoung	morganfainberg, just updated the review request...	02:47
jamielennox	ayoung, yea, i did - i haven't done bash scripting for ages so i've got no idea what's considered bad form	02:47
morganfainberg	ayoung, thanks!	02:47
ayoung	jamielennox, tis a black art	02:47
jamielennox	(quietly) i think writing in bash = bad form	02:47
morganfainberg	jamielennox, use awk, it's turing complete last i heard >.>	02:48
morganfainberg	(use awk for all the things!)	02:48
ayoung	jamielennox, right now I am inclined to agree. What I was doing with FreeIPA integration is quickly growing beyond something I want to do from bash	02:48
ayoung	morganfainberg, awk is essential to using the openstack CLI	02:48
morganfainberg	ayoung, would it be bad form to use a python helper script in devstack?	02:48
ayoung	jamielennox, I might just have to learn the Nova CLI	02:48
jamielennox	awk is a sign to move to a higher level language - or get someone else to write it	02:48
morganfainberg	i mean, it seems like it would be a good choice.	02:48
jamielennox	ayoung, eek - i've avoided that	02:48
ayoung	morganfainberg, it's called packstack....hehehehe	02:49
morganfainberg	ayoung, hehe	02:49
ayoung	https://github.com/stackforge/packstack	02:49
morganfainberg	ayoung, i was tempted to try and use anvil for my dev environment	02:49
*** sdake_ has joined #openstack-dev		02:50
morganfainberg	but this looks a little more out-of-the-box friendly	02:50
ayoung	jamielennox, the thing is, If I can use the IPA client library without having to have the machine registered as an IPA client, it would be a win.	02:50
jamielennox	the problem is i've got keystone working with certs, now i have to figure out how to create SSL endpoints for the other services	02:50
*** jhesketh__ has quit IRC		02:50
jamielennox	ayoung, that seems like something you should be able to do - it should just verify the user based on ticket	02:50
ayoung	jamielennox, I know that it does if I use curl, but the CLI is doing something else	02:50
jamielennox	simple fix then	02:51
*** sridevi has joined #openstack-dev		02:51
ayoung	jamielennox, use curl everywhere?	02:51
jamielennox	ipa-client library?	02:51
jamielennox	are glance and glance registry both user facing?	02:52
ayoung	I'm quite comfortable talking to freeipa with curl. ... it was actually faster than using the cli for bulk operations. the webui used the json rpc instead of xml rpc...and JSON nests quite nicely	02:52
ayoung	I had a script that could upload something like 5000 names of sample data	02:52
*** Shaan7 has joined #openstack-dev		02:53
ayoung	glance-api is, not sure about the registry	02:53
ayoung	jamielennox, http://b6c82e5bf05bb57d5fd7-e4def687b494c6d4f892965970fc9f39.r37.cf2.rackcdn.com/openstack-arch-grizzly-logical-v2.jpg	02:53
ayoung	doesn't look like it	02:54
*** sridevi has quit IRC		02:54
ayoung	jamielennox, but that doesn't mean is shouldn't be secured...not sure how the api server talks to the registry server...need a glance dev to ask	02:54
jamielennox	it looks like there can be a client cert auth between the two	02:55
*** jhesketh__ has joined #openstack-dev		02:55
ayoung	that...sounds encouraging	02:55
ayoung	let me guess...they built it into the app...	02:55
jamielennox	of course, hmm glance doesn't do endpoint-create in devstack - i'm so confused	02:56
ayoung	jamielennox, don't look at me...my last devstack patch got rejected: https://review.openstack.org/#/c/40676/	02:57
*** bdpayne has quit IRC		02:59
*** bdpayne has joined #openstack-dev		03:00
*** matiu has joined #openstack-dev		03:00
*** matiu has quit IRC		03:00
*** matiu has joined #openstack-dev		03:00
*** bdpayne has quit IRC		03:02
*** ayoung is now known as ayoung-ZzZzZzZ		03:07
*** sridevi has joined #openstack-dev		03:08
*** mestery has joined #openstack-dev		03:10
*** mestery has quit IRC		03:10
*** mestery has joined #openstack-dev		03:10
*** enikanorov_ has joined #openstack-dev		03:11
*** dstanek has joined #openstack-dev		03:11
*** gimps has joined #openstack-dev		03:11
*** BStokes has joined #openstack-dev		03:12
*** sdake_ has quit IRC		03:12
*** huats_ has joined #openstack-dev		03:12
*** huats_ has joined #openstack-dev		03:12
*** statik_ has joined #openstack-dev		03:13
*** keekz_ has joined #openstack-dev		03:13
*** sld_ has joined #openstack-dev		03:13
*** redbo_ has joined #openstack-dev		03:13
*** clayg_ has joined #openstack-dev		03:13
*** anfrolov_ has joined #openstack-dev		03:13
*** mkoderer_ has joined #openstack-dev		03:13
*** _sirushti has joined #openstack-dev		03:13
*** sheeprine_ has joined #openstack-dev		03:13
*** jhesketh has quit IRC		03:13
*** mkerrin has quit IRC		03:13
*** gaelL has quit IRC		03:13
*** redbo has quit IRC		03:13
*** enikanorov has quit IRC		03:13
*** BStokes999 has quit IRC		03:13
*** jamielennox has quit IRC		03:13
*** sld has quit IRC		03:13
*** huats has quit IRC		03:13
*** hashfail has quit IRC		03:13
*** jgriffith has quit IRC		03:13
*** shadower has quit IRC		03:13
*** clayg has quit IRC		03:13
*** obondarev has quit IRC		03:13
*** Daviey has quit IRC		03:13
*** sheeprine has quit IRC		03:13
*** mkoderer has quit IRC		03:13
*** anfrolov has quit IRC		03:13
*** Reapster has quit IRC		03:13
*** keekz has quit IRC		03:13
*** statik has quit IRC		03:13
*** sirushti has quit IRC		03:13
*** anfrolov_ is now known as anfrolov		03:13
*** keekz_ is now known as keekz		03:13
*** _sirushti is now known as sirushti		03:13
*** obondarev has joined #openstack-dev		03:14
*** mkoderer_ is now known as mkoderer		03:14
*** jgriffith has joined #openstack-dev		03:14
*** Daviey has joined #openstack-dev		03:14
*** mkerrin has joined #openstack-dev		03:15
*** swaT30 has quit IRC		03:16
*** gaelL has joined #openstack-dev		03:18
*** jhesketh has joined #openstack-dev		03:18
*** portante has quit IRC		03:18
*** jamielennox_ has joined #openstack-dev		03:18
*** statik_ is now known as statik		03:18
*** jamielennox_ is now known as jamielennox		03:18
*** Reapster has joined #openstack-dev		03:18
*** shadower has joined #openstack-dev		03:18
*** clayg_ is now known as clayg		03:18
*** kushal has joined #openstack-dev		03:19
*** mestery has quit IRC		03:19
*** motoki has joined #openstack-dev		03:19
*** swaT30 has joined #openstack-dev		03:19
*** statik has quit IRC		03:19
*** statik has joined #openstack-dev		03:19
*** amotoki_ has quit IRC		03:19
*** networkstatic has joined #openstack-dev		03:20
*** portante has joined #openstack-dev		03:20
*** cmcnamara has joined #openstack-dev		03:24
*** sandeepr_ltp has quit IRC		03:25
*** sarob has joined #openstack-dev		03:26
*** cmcnamara has quit IRC		03:29
*** gongysh has joined #openstack-dev		03:30
*** shakayumi has quit IRC		03:31
*** sarob has quit IRC		03:32
*** redbo_ is now known as redbo		03:35
*** malini is now known as malini_afk		03:38
*** cmcnamara has joined #openstack-dev		03:38
*** neelashah has quit IRC		03:40
*** dstanek has quit IRC		03:46
*** Dr_Who has quit IRC		03:48
*** jbresnah has joined #openstack-dev		03:52
*** noslzzp has quit IRC		03:57
*** Dr_Who has joined #openstack-dev		03:58
*** vipul has quit IRC		03:59
*** vipul has joined #openstack-dev		04:00
*** kuuudos has joined #openstack-dev		04:01
*** cmcnamara has quit IRC		04:06
*** cmcnamara has joined #openstack-dev		04:07
*** matiu has quit IRC		04:08
*** cmcnamara has quit IRC		04:12
*** marun has joined #openstack-dev		04:12
*** jbresnah has quit IRC		04:14
*** claxton has joined #openstack-dev		04:18
*** xjiujiu has quit IRC		04:18
*** simonluo_ has joined #openstack-dev		04:19
*** matiu has joined #openstack-dev		04:20
*** jbresnah has joined #openstack-dev		04:21
*** edmund1 has quit IRC		04:23
*** jbresnah has quit IRC		04:24
*** jbresnah_ has joined #openstack-dev		04:24
*** slagle has joined #openstack-dev		04:24
*** xchu has quit IRC		04:25
*** kenperkins has quit IRC		04:26
*** SergeyLukjanov has joined #openstack-dev		04:32
*** Dr_Who has quit IRC		04:32
*** Dr_Who has joined #openstack-dev		04:34
*** Dr_Who has quit IRC		04:34
*** Dr_Who has joined #openstack-dev		04:34
*** simonluo_ has quit IRC		04:35
*** Ryan_Lane has joined #openstack-dev		04:35
*** shakayumi has joined #openstack-dev		04:37
*** kuuudos has left #openstack-dev		04:38
*** chandankumar has joined #openstack-dev		04:39
*** markwash has joined #openstack-dev		04:46
*** kushal has quit IRC		04:47
*** kushal has joined #openstack-dev		04:47
*** jprovazn has joined #openstack-dev		04:47
*** _anant has joined #openstack-dev		04:51
*** boris-42 has joined #openstack-dev		04:58
*** garyk has quit IRC		04:58
*** martine has joined #openstack-dev		05:01
*** martine is now known as Guest84908		05:01
*** aeperezt has quit IRC		05:02
*** terriyu has quit IRC		05:03
*** Kezar has joined #openstack-dev		05:04
*** jprovazn has quit IRC		05:04
*** Dr_Who has quit IRC		05:05
*** Nikolay10t has joined #openstack-dev		05:05
*** jpeeler has quit IRC		05:08
*** slagle has quit IRC		05:11
*** nil1511 has joined #openstack-dev		05:15
*** jpeeler has joined #openstack-dev		05:17
*** CaptTofu has joined #openstack-dev		05:18
*** prekarat has joined #openstack-dev		05:27
*** rushiagr has joined #openstack-dev		05:28
*** novas0x2a\|laptop has quit IRC		05:32
*** CaptTofu has quit IRC		05:34
*** nshaikh has joined #openstack-dev		05:37
*** matiu has quit IRC		05:37
*** vartom13 has joined #openstack-dev		05:38
*** Guest84908 has quit IRC		05:40
*** claxton has quit IRC		05:41
*** claxton has joined #openstack-dev		05:41
*** vartom13 has quit IRC		05:43
*** vartom13 has joined #openstack-dev		05:44
*** prometheanfire has left #openstack-dev		05:46
*** zaitcev has quit IRC		05:46
*** gongysh has quit IRC		05:48
*** garyk has joined #openstack-dev		05:56
*** ljjjustin has quit IRC		05:58
*** boris-42 has quit IRC		05:59
*** sungju has quit IRC		06:02
*** CaptTofu has joined #openstack-dev		06:03
*** ljjjustin has joined #openstack-dev		06:03
*** salv-orlando has joined #openstack-dev		06:03
*** nil1511 has quit IRC		06:04
*** sld_ has quit IRC		06:04
*** sld_ has joined #openstack-dev		06:04
*** shakayumi has quit IRC		06:09
*** yolanda has joined #openstack-dev		06:10
*** xqueralt-afk is now known as xqueralt		06:14
*** DinaBelova has joined #openstack-dev		06:17
*** dstanek has joined #openstack-dev		06:21
*** Max__ has joined #openstack-dev		06:22
*** grapsus_ has quit IRC		06:27
*** DinaBelova has quit IRC		06:28
*** salv-orlando has quit IRC		06:29
*** dubsquared has quit IRC		06:30
*** sandeepr_ltp has joined #openstack-dev		06:32
*** henrynash has joined #openstack-dev		06:35
*** henrynash has quit IRC		06:40
*** Max__ has quit IRC		06:41
*** dstanek has quit IRC		06:41
*** mrunge has joined #openstack-dev		06:44
*** sdake_ has joined #openstack-dev		06:44
*** sdake_ has quit IRC		06:44
*** sdake_ has joined #openstack-dev		06:44
*** kuuudos has joined #openstack-dev		06:45
*** Mandell has joined #openstack-dev		06:45
*** kuuudos has quit IRC		06:45
*** wfoster_away is now known as wfoster		06:49
*** rushiagr has quit IRC		06:51
*** DinaBelova has joined #openstack-dev		06:51
*** ljjjustin has quit IRC		06:52
*** senk has joined #openstack-dev		06:54
*** rushiagr has joined #openstack-dev		06:54
*** egallen has joined #openstack-dev		06:56
*** ljjjustin has joined #openstack-dev		06:58
*** dubsquared has joined #openstack-dev		07:00
*** ifarkas has joined #openstack-dev		07:02
*** fbo_away is now known as fbo		07:03
*** senk has quit IRC		07:03
*** sdake_ has quit IRC		07:04
*** tkammer has joined #openstack-dev		07:05
*** odyssey4me has joined #openstack-dev		07:05
*** networkstatic has quit IRC		07:08
*** dubsquared has quit IRC		07:09
*** networkstatic has joined #openstack-dev		07:09
*** networkstatic has joined #openstack-dev		07:09
*** reidrac has joined #openstack-dev		07:09
*** Ryan_Lane has quit IRC		07:10
*** danpb has joined #openstack-dev		07:12
*** o_petit has joined #openstack-dev		07:14
*** iartarisi has joined #openstack-dev		07:14
*** SergeyLukjanov has quit IRC		07:20
*** yuan has quit IRC		07:23
*** yuan has joined #openstack-dev		07:24
*** eglynn has quit IRC		07:27
*** jaimegil has joined #openstack-dev		07:27
*** salv-orlando has joined #openstack-dev		07:28
*** ygbo has joined #openstack-dev		07:30
*** claxton has quit IRC		07:32
*** JordanP has joined #openstack-dev		07:34
*** sahid has joined #openstack-dev		07:35
*** johnthetubaguy has joined #openstack-dev		07:38
*** o_petit has quit IRC		07:39
*** openstack has joined #openstack-dev		09:17
*** zhikunliu has quit IRC		09:20
*** SergeyLukjanov has joined #openstack-dev		09:20
*** prekarat has quit IRC		09:21
*** prekarat has joined #openstack-dev		09:22
*** DinaBelova has joined #openstack-dev		09:23
*** romcheg has joined #openstack-dev		09:24
*** bcwaldon has quit IRC		09:25
*** bcwaldon has joined #openstack-dev		09:25
*** iccha has quit IRC		09:25
*** iccha has joined #openstack-dev		09:25
*** sbadia has joined #openstack-dev		09:25
*** kpavel has joined #openstack-dev		09:26
*** nati_ueno has quit IRC		09:27
*** egallen has quit IRC		09:28
*** JordanP has quit IRC		09:30
*** o_petit has quit IRC		09:31
*** o_petit has joined #openstack-dev		09:31
*** michchap has quit IRC		09:32
*** prekarat has quit IRC		09:36
*** prekarat has joined #openstack-dev		09:37
*** JordanP has joined #openstack-dev		09:42
*** corXi has joined #openstack-dev		09:43
*** sandeepr_ltp has quit IRC		09:45
*** dmVI has joined #openstack-dev		09:58
*** dmVI has left #openstack-dev		09:59
*** o_petit has quit IRC		10:08
*** pcm_ has joined #openstack-dev		10:09
*** ljjjustin has quit IRC		10:09
*** pcm_ has quit IRC		10:10
*** pcm_ has joined #openstack-dev		10:11
*** MaxV_ has quit IRC		10:15
*** jcoufal has joined #openstack-dev		10:15
*** _anant has quit IRC		10:16
*** sthaha has quit IRC		10:16
*** branen__ has quit IRC		10:16
*** claxton has quit IRC		10:18
*** nosnos has quit IRC		10:18
*** iartarisi has quit IRC		10:20
*** mkollaro has quit IRC		10:21
*** sahid has quit IRC		10:26
*** gongysh has quit IRC		10:26
*** garyk has quit IRC		10:26
*** paragan has quit IRC		10:29
*** claxton has joined #openstack-dev		10:30
*** MaxV has joined #openstack-dev		10:43
ekarlso	enikanorov_: yo around ?	10:43
*** oubiwann has quit IRC		10:44
*** iartarisi has joined #openstack-dev		10:48
*** dukhlov_ has quit IRC		10:49
*** sumanthns has quit IRC		10:51
*** mjbright has quit IRC		10:52
*** oubiwann has joined #openstack-dev		10:54
*** sumanthns has joined #openstack-dev		10:55
*** dstanek has joined #openstack-dev		10:58
*** ema has joined #openstack-dev		10:58
*** michchap has joined #openstack-dev		10:59
*** alexxu has quit IRC		11:03
*** dubsquared has joined #openstack-dev		11:07
*** dubsquared has quit IRC		11:12
*** avishay has joined #openstack-dev		11:16
*** dstanek has quit IRC		11:17
*** avishay has quit IRC		11:19
*** adalbas has joined #openstack-dev		11:19
*** sthaha has joined #openstack-dev		11:21
*** sthaha has quit IRC		11:21
*** sthaha has joined #openstack-dev		11:21
*** sthaha has quit IRC		11:21
*** o_petit has joined #openstack-dev		11:23
*** sthaha has joined #openstack-dev		11:31
*** sthaha has quit IRC		11:31
*** sthaha has joined #openstack-dev		11:31
*** BobBallAway is now known as BobBall		11:32
*** cthulhup_ has joined #openstack-dev		11:33
*** sthaha has quit IRC		11:33
*** cthulhup_ has quit IRC		11:33
*** cthulhup has joined #openstack-dev		11:34
*** Dr_Who has joined #openstack-dev		11:34
*** sthaha has joined #openstack-dev		11:35
*** tkammer has quit IRC		11:36
*** larsks has quit IRC		11:37
*** o_petit has quit IRC		11:41
*** flaper87\|afk is now known as flaper87		11:44
*** o_petit has joined #openstack-dev		11:44
*** mkollaro has joined #openstack-dev		11:46
*** kushal has quit IRC		11:47
*** ifarkas has quit IRC		11:47
*** ifarkas has joined #openstack-dev		11:48
*** garyk has joined #openstack-dev		11:50
*** sandeepr_ltp has joined #openstack-dev		11:50
*** sahid has joined #openstack-dev		11:52
*** noslzzp has joined #openstack-dev		11:53
*** sgordon has joined #openstack-dev		11:55
*** kushal has joined #openstack-dev		12:00
*** morazi has joined #openstack-dev		12:00
*** claxton has quit IRC		12:00
*** sandywalsh has joined #openstack-dev		12:01
*** adalbas has quit IRC		12:02
*** terryh has joined #openstack-dev		12:05
*** mkollaro has quit IRC		12:06
*** mkollaro1 has joined #openstack-dev		12:06
*** mkollaro1 is now known as mkollaro		12:06
*** dubsquared has joined #openstack-dev		12:07
*** adalbas has joined #openstack-dev		12:10
*** lon_T2 is now known as lon		12:12
*** lon is now known as Guest78426		12:12
*** dubsquared has quit IRC		12:12
*** o_petit has quit IRC		12:13
*** eharney has quit IRC		12:14
*** o_petit has joined #openstack-dev		12:14
*** mjbright has joined #openstack-dev		12:16
*** Dr_Who has quit IRC		12:16
*** Dr_Who has joined #openstack-dev		12:17
*** Dr_Who has joined #openstack-dev		12:17
*** christophk has joined #openstack-dev		12:17
*** adalbas has quit IRC		12:19
*** mestery has joined #openstack-dev		12:19
*** mestery has quit IRC		12:19
*** martine_ has joined #openstack-dev		12:20
*** mestery has joined #openstack-dev		12:20
*** sgordon has quit IRC		12:21
*** boden has quit IRC		12:26
*** rfolco has joined #openstack-dev		12:26
*** mjbright has quit IRC		12:27
*** shang has quit IRC		12:28
*** grapsus has joined #openstack-dev		12:28
*** o_petit has quit IRC		12:28
*** o_petit has joined #openstack-dev		12:29
*** michchap has quit IRC		12:30
*** jhesketh__ has quit IRC		12:30
*** michchap has joined #openstack-dev		12:30
*** jaimegil has quit IRC		12:31
*** dsirrine has joined #openstack-dev		12:34
*** safchain_ has joined #openstack-dev		12:35
*** yassine_ has joined #openstack-dev		12:35
*** Dr_Who is now known as tgall_foo		12:35
*** nshaikh has left #openstack-dev		12:35
*** safchain_ has quit IRC		12:36
*** safchain_ has joined #openstack-dev		12:36
*** safchain has quit IRC		12:36
*** dmakogon has quit IRC		12:36
*** yassine has quit IRC		12:37
*** safchain_ has quit IRC		12:37
*** flaper87 is now known as flaper87\|afk		12:37
*** bashok has quit IRC		12:38
*** michchap has quit IRC		12:38
*** mestery has quit IRC		12:40
*** mestery has joined #openstack-dev		12:40
*** mestery has quit IRC		12:40
*** mestery has joined #openstack-dev		12:41
*** sgordon has joined #openstack-dev		12:43
*** martine_ has quit IRC		12:44
*** mjfs has joined #openstack-dev		12:44
*** topol has joined #openstack-dev		12:45
*** boden has joined #openstack-dev		12:46
*** mkollaro1 has joined #openstack-dev		12:46
*** mkollaro has quit IRC		12:46
*** motoki has quit IRC		12:47
*** mestery has quit IRC		12:56
*** garyk has quit IRC		12:57
*** mjfs has quit IRC		12:59
*** lbragstad has quit IRC		13:00
*** shinylasers has joined #openstack-dev		13:00
*** tonix has joined #openstack-dev		13:00
*** kushal has quit IRC		13:00
*** jayg\|g0n3 is now known as jayg		13:03
*** adalbas has joined #openstack-dev		13:03
*** rcrit has quit IRC		13:04
*** xga__ has quit IRC		13:05
*** kushal has joined #openstack-dev		13:06
*** tgall_foo has quit IRC		13:06
*** dvarga has joined #openstack-dev		13:06
*** xga__ has joined #openstack-dev		13:07
*** galstrom is now known as galstrom_zzz		13:07
*** kbringard has joined #openstack-dev		13:07
*** DinaBelova has quit IRC		13:08
*** prad has joined #openstack-dev		13:08
*** bknudson1 has quit IRC		13:09
*** rcrit has joined #openstack-dev		13:10
*** morazi_ has joined #openstack-dev		13:11
*** jprovazn has joined #openstack-dev		13:12
*** morazi has quit IRC		13:14
*** morazi_ is now known as morazi		13:14
*** vartom13 has quit IRC		13:14
*** stevemar has joined #openstack-dev		13:17
*** sushils has joined #openstack-dev		13:20
*** athomas has quit IRC		13:20
*** shinylasers has quit IRC		13:21
*** basha has joined #openstack-dev		13:21
basha	Can anyone pls look at https://review.openstack.org/#/c/44843/	13:22
basha	dolphm: ^^	13:22
*** eharney has joined #openstack-dev		13:22
*** bknudson has joined #openstack-dev		13:23
*** jecarey has joined #openstack-dev		13:23
*** slagle has joined #openstack-dev		13:24
*** jpeeler has quit IRC		13:25
*** jpeeler has joined #openstack-dev		13:26
*** jpeeler has quit IRC		13:26
*** jpeeler has joined #openstack-dev		13:26
*** rcrit has quit IRC		13:26
*** shinylasers has joined #openstack-dev		13:28
*** basha has quit IRC		13:29
*** neelashah has joined #openstack-dev		13:29
*** mrodden has quit IRC		13:31
*** athomas has joined #openstack-dev		13:31
*** mestery has joined #openstack-dev		13:34
*** martine_ has joined #openstack-dev		13:34
*** alunduil has quit IRC		13:35
*** jecarey has quit IRC		13:35
*** DinaBelova has joined #openstack-dev		13:36
*** dstanek has joined #openstack-dev		13:36
*** operrin has joined #openstack-dev		13:37
*** malini_afk is now known as malini		13:38
*** lbragstad has joined #openstack-dev		13:38
*** rcrit has joined #openstack-dev		13:39
*** ifarkas has quit IRC		13:41
*** ifarkas has joined #openstack-dev		13:42
*** miziel_r has joined #openstack-dev		13:42
*** jecarey has joined #openstack-dev		13:42
*** slagle has quit IRC		13:43
*** mrodden has joined #openstack-dev		13:44
*** basha has joined #openstack-dev		13:45
*** tstevenson has joined #openstack-dev		13:46
*** DinaBelova has quit IRC		13:47
*** larsks has joined #openstack-dev		13:48
*** cthulhup has quit IRC		13:49
*** dubsquared has joined #openstack-dev		13:51
*** cthulhup has joined #openstack-dev		13:51
*** basha has quit IRC		13:53
*** sridevi has quit IRC		13:54
*** sumanthns has quit IRC		13:54
*** prekarat has quit IRC		13:55
*** afazekas has joined #openstack-dev		13:56
*** thomasm has joined #openstack-dev		13:56
*** nil1511 has joined #openstack-dev		13:56
*** Guest78426 is now known as lon		13:58
*** yassine has joined #openstack-dev		14:03
*** amotoki has quit IRC		14:04
*** EmilienM has quit IRC		14:05
*** spzala has joined #openstack-dev		14:05
*** dims has joined #openstack-dev		14:05
*** yassine_ has quit IRC		14:06
*** openf\|y is now known as offenflieg		14:07
*** EmilienM has joined #openstack-dev		14:07
*** xga has joined #openstack-dev		14:07
*** terriyu has joined #openstack-dev		14:08
*** xga has quit IRC		14:09
*** xga__ has quit IRC		14:09
*** jmontemayor has joined #openstack-dev		14:09
*** xga has joined #openstack-dev		14:09
*** martine_ has quit IRC		14:10
*** bashok has joined #openstack-dev		14:11
*** markmcclain has joined #openstack-dev		14:14
*** jprovazn has quit IRC		14:15
*** morazi has quit IRC		14:15
*** dolphm has joined #openstack-dev		14:16
stevemar	dolphm: o/	14:17
dolphm	o/	14:17
*** alunduil has joined #openstack-dev		14:17
stevemar	dolphm: you caught me at a bad time yesterday, whats going on with oauth?	14:17
stevemar	dolphm: you mentioned moving it to middleware... is this related to the problem with the library?	14:18
dolphm	i was just looking for an alternative solution to the dependency injection hack that bkhudson and ayoung are working on	14:18
*** jimfehlig has joined #openstack-dev		14:18
dolphm	and yes, they're related	14:18
dolphm	if the entire implementation was in middleware, then there would be no dependency injection issue and you'd be able to handle xml requests	14:19
stevemar	dolphm: why don't you like dependency.optional bit?	14:19
stevemar	ah	14:19
dolphm	it's unnecessary :)	14:19
dolphm	it's also just a weird semantic	14:19
*** DinaBelova has joined #openstack-dev		14:19
stevemar	dolphm: what's the effort required to move it to middleware?	14:20
stevemar	dolphm: also, why would xml requests not be handled today?	14:20
*** sushils has quit IRC		14:20
*** prad has joined #openstack-dev		14:21
dolphm	probably too big for havana	14:21
dolphm	and xml is not handled because you don't have access to the original request body to produce a signature against	14:21
*** kenperkins has joined #openstack-dev		14:21
*** FunnyLookinHat has joined #openstack-dev		14:22
*** ayoung-ZzZzZzZ is now known as ayoung		14:22
stevemar	dolphm: sounds like we'll have to use the dependency change	14:23
*** flaper87\|afk is now known as flaper87		14:23
*** carl_baldwin has joined #openstack-dev		14:23
ayoung	dolphm, the question is not "Where is the dependency" but rather that oauth is disabled by default, and yet we are pulling in the dependency. If it moves to middleware, we get the dependency everywhere that middleware is consumed. Which leads me to think that oauth should probably be its own middleware in Icehouse time frame	14:23
ayoung	dolphm, but the "strange semantics" are due to the fact that our token architecture is pluggable on the wrong end. We can swap out the whole impl, but what we reallly need is to be able to plug in to the token construction pipeline.	14:25
*** topol has quit IRC		14:26
dolphm	ayoung: agree, and trusts should be the same way	14:27
*** morazi has joined #openstack-dev		14:27
*** Mandell has joined #openstack-dev		14:27
ayoung	dolphm, oh yes...in fact, stevemar and I were discussing this a week or so ago. trusts and oauth are APIs...what the token needs is a standard way to handle delegation, and then both oauth and trusts make use of that	14:28
ayoung	dolphm, that is what we are going to discuss in http://summit.openstack.org/cfp/details/52	14:28
stevemar	i should really be putting all this into the oauth design session, and renaming it to delegatin	14:29
*** edmund has joined #openstack-dev		14:30
*** mrunge has quit IRC		14:30
ayoung	stevemar, a good question to ask is "are there other delegation mechanisms of which we should be aware." I would maybe add S4U2Proxy onto that list, but it is Kerberos specific probably deal with it in a longer time frame	14:30
*** zaneb has joined #openstack-dev		14:30
*** datsun180b has joined #openstack-dev		14:30
*** alunduil has quit IRC		14:30
*** CaptTofu has quit IRC		14:31
ayoung	stevemar, I bed David Chadwick knows	14:31
*** gongysh has joined #openstack-dev		14:31
stevemar	ayoung: likely, i'm sure he'll chime in	14:31
radix	dolphm: so I think I was a bit confused yesterday when we were talking about trusts and oauth	14:35
*** kpavel has quit IRC		14:35
dolphm	radix: how so?	14:36
radix	dolphm: does either of them allow the workflow of "here is a normal user's token; give me a longer-term token based on it" without having authenticated as some other "service" user in the meantime?	14:36
dolphm	radix: p.s. ayoung and stevemar are the primary authors of both, respectively	14:36
radix	oh heh :)	14:36
radix	cool	14:36
dolphm	radix: both of them can issue delegation that has no time limit, but you still must generate fresh tokens periodically	14:37
*** radez_g0n3 is now known as radez		14:38
radix	dolphm: specifically the point I'm wondering about is without having the other user. so, say I'm implementing a service that takes tokens and passes them on to other openstack services... is it possible to never have to authenticate myself as my own user, but still extend the token that the user gives me?	14:39
*** sgordon has quit IRC		14:40
radix	I haven't thought the security implications of this through too much; maybe it's really important to require authentication as a "service" user before allowing extending other users' tokens	14:40
radix	but I would kind of imagine the user saying "here is a token that I have intentionally endowed with the rights for extension" and give that to my service	14:40
radix	I'm sure I could figure this out if I read the oauth spec enough times but it's tough to see if it supports this use case or not	14:40
*** terriyu has quit IRC		14:44
*** cmcnamara has joined #openstack-dev		14:44
*** jecarey has quit IRC		14:44
*** nil1511 has quit IRC		14:45
dolphm	radix: reading..	14:45
*** mestery has quit IRC		14:45
radix	sorry :)	14:45
*** sgordon has joined #openstack-dev		14:46
dolphm	radix: you mean extending the duration?	14:46
dolphm	valid duration	14:47
radix	dolphm: well. effectively. if it means having to create intermediate thingies, then fine...	14:47
*** aeperezt has joined #openstack-dev		14:47
*** schwicht has joined #openstack-dev		14:47
*** alunduil has joined #openstack-dev		14:47
dolphm	radix: today, you'd have to have your users delegate to you, and then you can generate as-fresh-as-possible tokens as needed	14:47
*** ruhe has joined #openstack-dev		14:47
radix	dolphm: what does "delegate to me" mean?	14:48
*** ruhe has quit IRC		14:48
dolphm	radix: so, (this applies to both oauth and trusts)... the users you're performing operations on behalf of must explicitly indicate that they trust you to perform a specific set of roles on a specific tenant	14:49
radix	dolphm: ok. which means I have to have a user for them to delegate to	14:49
radix	they can't just encode that delegation into their token and anyone who has the token has the right to extend it	14:49
radix	or create new ones, or whatever	14:49
dolphm	radix: hold up!	14:49
radix	hehe :)	14:49
dolphm	radix: with a trust, they must delegate to a specific user	14:49
dolphm	radix: with oauth, there may not be an identity of any kind that they're delegating to	14:50
*** jecarey has joined #openstack-dev		14:50
dolphm	radix: it's just an "oauth consumer" that they're delegating to	14:50
radix	ahhhh	14:50
radix	dolphm: ok, I remember reading about consumers	14:50
radix	dolphm: ok, that is pretty cool.	14:51
dolphm	radix: in the case of oauth, if there IS a "keystone user" being delegated to, oauth/keystone doesn't track the association	14:51
radix	basically I'm wondering if it's theoretically possible for us to get rid of the "heat" user	14:51
dolphm	radix: i would LOVE for that to be the case :D	14:51
radix	yaaaaaay	14:51
dolphm	radix: services users are awful	14:51
radix	afaict, trusts require us to still have it, does that sound accurate?	14:51
dolphm	radix: yes	14:51
radix	but maybe oauth would allow us to get rid of it	14:52
dolphm	radix: in the case of oauth, each service could "be" one or more oauth consumers	14:52
*** sgordon has quit IRC		14:53
*** sahid has quit IRC		14:53
*** cmcnamara has quit IRC		14:53
radix	sounds awesome. maybe we will work on that a little for the new autoscale stuff	14:53
dolphm	radix: an oauth consumer "is" basically just an oauth (consumer key + consumer secret) <-- stevemar, is that correct?	14:53
*** cmcnamara has joined #openstack-dev		14:53
*** jprovazn has joined #openstack-dev		14:53
radix	dolphm: is there any expectation that python-keystoneclient will grow oauth-in-keystone APIs? or will we be expected to just use something like oauthlib?	14:54
dolphm	radix: whatever entity holds the secret has the ability to act as that consumer	14:54
*** miziel_r has quit IRC		14:55
dolphm	radix: so, pretty much everyone is using python requests, which has this awesome feature- http://docs.python-requests.org/en/latest/user/advanced/#custom-authentication	14:55
*** testingtesting has joined #openstack-dev		14:55
*** fbo is now known as fbo_away		14:56
dolphm	radix: i'd like keystoneclient to implement an Auth object that can be passed to requests to handle everything from oauth to generating openstack tokens, or whatever is necessary	14:56
radix	yeah	14:56
dolphm	radix: including client-side token caching, etc	14:56
radix	I also came across requests_oauthlib	14:56
*** terriyu has joined #openstack-dev		14:56
*** kpavel has joined #openstack-dev		14:56
radix	https://github.com/requests/requests-oauthlib	14:57
*** cmcnamara has quit IRC		14:58
*** jmontemayor has quit IRC		14:59
*** herndon_ has joined #openstack-dev		14:59
*** gordc has joined #openstack-dev		14:59
*** reidrac has quit IRC		14:59
*** datsun180b_ has joined #openstack-dev		15:00
dolphm	radix: the one particularly useful oauth signed request we support today (where a lib would be very useful) would be POST /v3/auth/tokens (generate a keystone token using an oauth signed request)	15:01
radix	yeah, makes sense	15:02
dolphm	radix: i'm interested in replacing auth_token with something like oauth_token though, replacing keystone tokens with oauth access keys in the process	15:02
radix	ohh, boy :)	15:02
*** datsun180b has quit IRC		15:02
*** datsun180b_ is now known as datsun180b		15:02
*** sgordon has joined #openstack-dev		15:02
*** rdopieralski has quit IRC		15:02
*** jmontemayor has joined #openstack-dev		15:03
*** morazi has quit IRC		15:03
*** alop has joined #openstack-dev		15:04
*** topol has joined #openstack-dev		15:05
*** alop has quit IRC		15:09
*** newtest has joined #openstack-dev		15:09
dolphm	ayoung: did you specifically prevent trusts from being chained together?	15:11
*** cmcnamara has joined #openstack-dev		15:11
dolphm	ayoung: i.e. re-delegating delegated roles?	15:11
*** alop has joined #openstack-dev		15:11
*** newtest has left #openstack-dev		15:11
*** flaper87 is now known as flaper87\|afk		15:12
*** branen has joined #openstack-dev		15:12
*** nati_ueno has joined #openstack-dev		15:12
*** testingtesting has quit IRC		15:16
*** herndon_ has quit IRC		15:16
*** sgordon has quit IRC		15:16
*** morazi has joined #openstack-dev		15:18
*** senk has joined #openstack-dev		15:18
*** bnemec__ has joined #openstack-dev		15:19
*** para__ has joined #openstack-dev		15:19
*** bnemec has quit IRC		15:20
*** mmagr has quit IRC		15:21
*** garyk has joined #openstack-dev		15:21
*** pmathews has joined #openstack-dev		15:22
*** jtomasek has quit IRC		15:23
*** markmcclain has quit IRC		15:25
*** ifarkas has quit IRC		15:26
*** burt has quit IRC		15:27
*** para__ is now known as mmagr		15:27
*** bnemec has joined #openstack-dev		15:28
*** datsun180b has quit IRC		15:28
*** datsun180b has joined #openstack-dev		15:28
*** bnemec__ has quit IRC		15:28
*** newtest1 has joined #openstack-dev		15:28
*** bnemec_ has quit IRC		15:28
*** afazekas has quit IRC		15:29
*** litong has joined #openstack-dev		15:31
*** bashok has quit IRC		15:33
*** dolphm_ has joined #openstack-dev		15:34
*** cdub_ has quit IRC		15:36
*** garyk has quit IRC		15:36
*** jprovazn has quit IRC		15:36
*** marun has quit IRC		15:37
*** dolphm has quit IRC		15:37
jdennis	ayoung: where is the design overview for this bp? https://blueprints.launchpad.net/devstack/+spec/devstack-https	15:40
*** rcrit has quit IRC		15:40
*** Mandell has quit IRC		15:40
*** gongysh has quit IRC		15:41
*** ygbo has quit IRC		15:45
*** wfoster is now known as wfoster_away		15:45
*** sandeepr_ltp has quit IRC		15:45
danpb	jdennis: sigh, what a useless blueprint	15:45
*** sandeepr_ltp has joined #openstack-dev		15:46
dstanek	danpb: how so?	15:46
jdennis	dstanek: where is the overview of the basic implementation strategy? Is one supposed to derive this from the diff's?	15:47
*** cmcnamara has quit IRC		15:48
*** mlavalle has joined #openstack-dev		15:48
*** mlavalle has quit IRC		15:48
*** cmcnamara has joined #openstack-dev		15:48
*** cschwede has quit IRC		15:48
danpb	dstanek: 2 lines of text with zero info about what its design is	15:49
danpb	there's no basis on which a reviewer can decide if the proposed patch satisfies the blueprint	15:49
danpb	or whether there are design flaws	15:49
*** markmcclain has joined #openstack-dev		15:50
dstanek	danpb: ah, i see. i thought you were saying that adding https was useless	15:50
*** sergmelikyan has quit IRC		15:51
*** nati_ueno has quit IRC		15:51
*** herndon_ has joined #openstack-dev		15:52
*** cmcnamara has quit IRC		15:53
*** galstrom_zzz is now known as galstrom		15:55
*** rcrit has joined #openstack-dev		15:55
*** hemnafk is now known as hemna		15:56
*** CaptTofu has joined #openstack-dev		15:57
*** markmcclain has quit IRC		15:58
*** o_petit has quit IRC		15:59
*** morazi has quit IRC		16:00
*** sergmelikyan has joined #openstack-dev		16:00
*** Ruetobas has quit IRC		16:01
*** paragan has joined #openstack-dev		16:01
*** martyntaylor has joined #openstack-dev		16:02
*** kushal has quit IRC		16:02
*** dubsquar_ has joined #openstack-dev		16:03
*** MaxV has quit IRC		16:03
*** Ruetobas has joined #openstack-dev		16:04
*** dprince has joined #openstack-dev		16:05
*** MaxV has joined #openstack-dev		16:05
*** jprovazn has joined #openstack-dev		16:05
*** xga has quit IRC		16:05
*** slagle has joined #openstack-dev		16:05
*** dubsquared has quit IRC		16:06
ayoung	rcrit, what am I doing wrong in this ldap query: This one works: ldapsearch -x -D "dc=Manager,dc=OpenStack,dc=org" -H ldap://localhost -w test -b dc=openstack,dc=org "(&(cn=foo)(objectClass=inetOrgPerson))"	16:07
ayoung	this one doesn't	16:07
ayoung	ldapsearch -x -D "dc=Manager,dc=OpenStack,dc=org" -H ldap://localhost -w test -b dc=openstack,dc=org "(&(dn=cn=FOO,ou=Users,dc=openstack,dc=org)(objectClass=inetOrgPerson))"	16:07
ayoung	the first one returns a record with	16:08
*** markmc has joined #openstack-dev		16:08
ayoung	dn: cn=foo,ou=Users,dc=openstack,dc=org	16:08
ayoung	BTW, the second fails regardless of FOO or foo in the dn	16:08
ayoung	jdennis, looking	16:08
*** Ruetobas has quit IRC		16:09
*** dolphm_ has quit IRC		16:10
ayoung	jdennis, does not look like he wrote one up.	16:10
ayoung	danpb, it was a place holder, but I agree it should have a spec.	16:10
jdennis	yeah, I just added a review comment asking for the missing information	16:11
*** yassine has quit IRC		16:12
danpb	ayoung: well once a commit is submitted for review against it, is is not merely a place holder anymore	16:12
*** marun has joined #openstack-dev		16:13
*** bdpayne has joined #openstack-dev		16:13
*** jimfehlig has quit IRC		16:13
*** rwsu has joined #openstack-dev		16:13
*** morazi has joined #openstack-dev		16:13
*** mmagr has quit IRC		16:13
*** Ruetobas has joined #openstack-dev		16:14
ayoung	danpb, but one blueprint can serve for multiple reviews.. In this case, he was presenting a solution to Keystone ssl...a valid approach. But it will have to tie in with ssl for all of the services.	16:14
ayoung	danpb, learning devstack requires effort, and I don't think you can write a proper blueprint against it until you learn the code base.	16:14
*** dmakogon has joined #openstack-dev		16:16
bknudson	ayoung: dn is not an attribute	16:16
bknudson	it's the name of the entry	16:17
*** bknudson has quit IRC		16:17
*** johnthetubaguy1 has joined #openstack-dev		16:18
*** odyssey4me has quit IRC		16:18
*** dubsquar_ has quit IRC		16:18
ayoung	dagnabit bknudson get back here!	16:19
*** johnthetubaguy has quit IRC		16:19
*** READ10 has quit IRC		16:19
*** ema has quit IRC		16:20
*** iartarisi has quit IRC		16:23
ayoung	radix, a trust token is explicitly prevented from getting another token	16:23
ayoung	radix, with trusts, you always need to authenticate as a user in order to get a trust token.	16:23
*** READ10 has joined #openstack-dev		16:23
*** litong has quit IRC		16:23
radix	ayoung: are you responding to my messages on #heat? :)	16:24
*** dmakogon has left #openstack-dev		16:24
radix	or just my earlier conversation with dolph	16:24
radix	oh I guess you're not in there, just a timing coincidence	16:24
*** jistr has quit IRC		16:24
*** litong has joined #openstack-dev		16:24
radix	ayoung: so yeah, I think I understand that now, thanks	16:25
ayoung	radix, we enforced the same rule for oauth.	16:25
*** lucasagomes has joined #openstack-dev		16:25
radix	hm	16:25
ayoung	radix, I had the same concern as you expressed	16:25
radix	so you still need a system user, basically?	16:25
ayoung	radix, not for oauth	16:25
ayoung	but in oauth, you can't use a token generated from oauth to get another token	16:26
*** litong has joined #openstack-dev		16:26
radix	actually I have a slightly more pressing question. is the behavior about disallowing trust-derived tokens from creating more tokens a relatively new change?	16:26
*** jruzicka has quit IRC		16:26
ayoung	radix, let me caveat that by saying I am using "token" to mean "keystone tokens"	16:26
ayoung	radix, no.	16:26
radix	ayoung: okay, I was wondering about that :)	16:26
ayoung	radix, that code has been in there since January	16:26
radix	ok cool	16:26
radix	trying to debug the the trust-using code in heat	16:27
ayoung	radix, look through the trust unit tests...they are pretty self documenting in describing the features they test	16:27
*** angdraug has joined #openstack-dev		16:27
ayoung	radix, what are you seeing?	16:27
radix	ayoung: so, this heat code 1. authenticates with v3 using heat username + password + trust_id to get the trust-derived user token; 2. converting that token to v2 with md5(token); 3. passing that token to a v2 Client, which incidentally tries to authenticate, which fails because of the aforementioned restriction on trust-token-chaining	16:28
radix	honestly I'm not sure how this code ever worked (that's why I asked if the change was recent)	16:28
radix	I'm wondering why the Client tries to authenticate when we're giving it a token anyway	16:29
*** litong has joined #openstack-dev		16:29
*** MaxV has quit IRC		16:29
ayoung	radix, I assure the trust code was in place long before the HEAT team tried to consume it	16:29
ayoung	radix, should be able to get a V2 token using a trust, though. No need to convert	16:30
radix	yeah, I believe you :)	16:30
radix	ayoung: well. we want the v3 token anyway	16:30
radix	so afaict we just need to avoid the v2 authenticate	16:30
radix	but that's impossible because the v2 client __init__ always authenticates	16:30
*** litong has quit IRC		16:30
ayoung	client has no way to verify a token. I suspect that was an attempt to verify it.	16:31
radix	isn't there a way to verify without authenticating?	16:31
*** MaxV has joined #openstack-dev		16:31
ayoung	that does sound like a problem	16:31
*** therve has joined #openstack-dev		16:31
*** JordanP has quit IRC		16:31
ayoung	client should authenticate as heat, then request the trust token, then use the trust token to perform some action.	16:32
ayoung	is the problem that the client doesn't support v3 tokens?	16:32
*** litong has joined #openstack-dev		16:32
radix	honestly I don't think we even need to verify it in this case. we just got it from the v3 api, I think we can trust that md5(tok_v3) is valid for v2	16:32
*** litong has quit IRC		16:32
radix	ayoung: well, heat needs both the v3 and v2 tokens and clients accessible because various resources use different versions of the API, I guess	16:33
*** litong has joined #openstack-dev		16:33
*** kushal has joined #openstack-dev		16:33
ayoung	radix, you can always get the appropriate form of the token from keystone using the same trust.	16:33
radix	ayoung: when you say "the client" do you mean python-keystoneclient?	16:33
ayoung	DOn't try to convert, just request the format you need	16:33
*** litong has quit IRC		16:33
ayoung	radix, yes...is that what you mean by the client?	16:33
*** vuil has joined #openstack-dev		16:34
*** litong has joined #openstack-dev		16:34
*** SumitNaiksatam has quit IRC		16:34
radix	yep	16:34
*** newtest1 has left #openstack-dev		16:34
radix	I don't really see why we should need to make another roundtrip to keystone to request a v2 token	16:35
radix	but I think I understand what you mean	16:35
*** DinaBelova has quit IRC		16:35
*** anniec has joined #openstack-dev		16:35
radix	we should get a v2 token fresh from the trust?	16:35
*** MaxV has quit IRC		16:36
*** jpich has quit IRC		16:38
*** SergeyLukjanov has quit IRC		16:39
ayoung	jdennis, ask in here. Other people are as frustrated with blueprints asI am, I am sure	16:42
ayoung	radix, only if you absoposiluteltutetly need both a v2 and a v3.	16:42
radix	heh :) maybe we don't.	16:43
*** dolphm has joined #openstack-dev		16:43
ayoung	the "conversion" is, I think, bogus	16:43
*** comay has quit IRC		16:44
radix	so yeah it looks like keystoneclient v2 client does not support trusts. I guess we will look at avoiding v2	16:45
*** markmcclain has joined #openstack-dev		16:45
radix	so it looks like v2 keystoneclient doesn't support trusts.	16:48
radix	oops	16:48
*** changbl has quit IRC		16:48
radix	I said that already. I was scrolled up :P	16:48
*** epim has joined #openstack-dev		16:48
radix	I don't think we can avoid v2, unfortunately.	16:49
*** troytoman-away is now known as troytoman		16:49
*** kushal has quit IRC		16:51
*** sthaha has quit IRC		16:52
*** kbrierly has joined #openstack-dev		16:52
dolphm	radix: in a single domain deployment, v3 tokens are backwards compatible with v2 and vice versa	16:55
dolphm	radix: so you can do trusts on v3, generate delegated v3 token, and it'll validate against v2	16:55
*** Ryan_Lane1 has joined #openstack-dev		16:56
*** BobBall is now known as BobBallAway		16:57
*** zaitcev has joined #openstack-dev		16:57
*** comay has joined #openstack-dev		16:59
*** xga has joined #openstack-dev		16:59
*** SumitNaiksatam has joined #openstack-dev		16:59
*** cdub_ has joined #openstack-dev		17:00
*** uvirtbot has quit IRC		17:00
*** paragan_ has joined #openstack-dev		17:02
*** lcheng has joined #openstack-dev		17:02
*** paragan has quit IRC		17:02
*** corXi has quit IRC		17:03
*** paragan_ is now known as paragan		17:04
*** uvirtbot has joined #openstack-dev		17:04
*** jmontemayor has quit IRC		17:04
ayoung	dolphm, so, with minor hacking, it looks like we can use the DN as the identifier for users. And, in doing this, I optimized away at least one unnecssary LDAP call.	17:06
*** dolphm has quit IRC		17:06
ayoung	morganfainberg, I'm still working through unit tests, but I think I have DN as ID working for LDAP backend	17:06
*** tstevenson_ has joined #openstack-dev		17:07
*** markwash has quit IRC		17:07
*** jasondotstar has joined #openstack-dev		17:08
rcrit	ayoung, I don't think you can search on dn in a filter like this	17:09
*** jasondotstar has quit IRC		17:10
*** anniec has quit IRC		17:10
ayoung	rcrit, yeah, found that out....but that actually makes it easier. If the ID is the DN, I can do an optimized search for exactly that dn	17:10
rcrit	yup, use it as the base, that was going to be my suggestion	17:10
ayoung	rcrit, I think that, for LDAP, we might move to using the DN as the user-id. We just need to make sure that it is web-safe	17:10
*** tstevenson has quit IRC		17:10
*** jasondotstar has joined #openstack-dev		17:11
simo	ayoung: using DNs is really unconvenient, why would you do that ?	17:11
*** mrunge has joined #openstack-dev		17:11
*** offenflieg has quit IRC		17:11
rcrit	yeah, that sounds like trouble with a capital T	17:12
ayoung	simo, IDs are expected to be globally unique. If we use any shorter field, we will have conflicts between two different LDAP backends	17:12
simo	ayoung: all you need for an optimized search is an index on the search attribute	17:12
*** kpavel has quit IRC		17:12
ayoung	simo, that is not my goal	17:12
simo	ayoung: you need to select the LDAP backend apropri anyway	17:12
ayoung	my goal is to be able to keep the userids unique across keystone with multiple LDAP servers	17:12
simo	*a priori	17:12
ayoung	simo, and we will most likely do that by parsing the DN	17:12
simo	bad idea	17:13
simo	DNs are not guarnteed to be globally unique	17:13
ayoung	simo, understood, but we are putting some limitations on it	17:13
ayoung	the subtree has to be registered	17:13
simo	why? you do not need to	17:13
simo	you just need a backend name	17:13
simo	and qualify users as username@backend-name	17:13
*** paragan_ has joined #openstack-dev		17:13
simo	and you are done	17:14
*** ausxxh has joined #openstack-dev		17:14
*** troytoman is now known as troytoman-away		17:15
jdennis	you don't want to expose the backend in the fully qualified username though, what if you change backends, don't you need a mapping from fully qualified username to backend?	17:15
simo	jdennis: yes, but using a DN is worse	17:15
jdennis	I'm not in favor of a DN either	17:16
ayoung	well "backend" really means "domain" in keystone...so even if you switch the backend impl, the domain would stay the same.	17:16
*** paragan has quit IRC		17:16
simo	ayoung: then user@domain is all you need	17:16
*** paragan_ is now known as paragan		17:16
*** danpb has quit IRC		17:17
simo	ayoung: if you use DNs you cause serious problems if someone needs to migrate the LDAP server	17:17
ayoung	simo, we can do that. In some ways, it is a bigger change, in that we need to munge the IDs	17:17
*** otherwiseguy has quit IRC		17:17
simo	ayoung: as long as you do not use DNs I am fine :)	17:18
*** fbo_away is now known as fbo		17:18
jdennis	ayoung: why would you need to munge user@domain?	17:18
*** networkstatic has joined #openstack-dev		17:18
ayoung	jdennis, right now, we assume the attribute is the attribute...we'd need to know to parse off the domain name in some cases,	17:19
ayoung	yes, we can do this	17:19
*** MaxV has joined #openstack-dev		17:19
*** xga_ has joined #openstack-dev		17:19
ayoung	but not for havana	17:19
*** comay has quit IRC		17:20
ayoung	DN is a value already in LDAP....userid@domain semantics have been discussed before...it means that making userids work for LDAP will likely cause changes to how userids are done for SQL.	17:20
*** xga has quit IRC		17:21
jdennis	why wouldn't you always split the username from the domain and if the domain is absent supply a default domain, then use the domain to perform the lookup?	17:21
ayoung	in sql, userids are a uuid, and there is no domain name. We can get away with that there, because the user records looked up by uuid has a domain-id on it	17:21
ayoung	so userid@domain id would be <hash>@<hash>	17:22
*** Mandell has joined #openstack-dev		17:23
*** litong has joined #openstack-dev		17:23
ayoung	well, that is the domain name...but mixing names and ids would also be messy	17:23
*** kenperkins has quit IRC		17:24
ayoung	henrynash, what do you think? Should we make the ldap and other federated backends do userid@domainid for Keystone?	17:25
jdennis	I'd see how the fact one or both component might be a hash is relevant, it's still just a mapping issue, one that might cause an extra lookup, is that what you're trying to avoid?	17:25
*** xga_ has quit IRC		17:25
*** cmcnamara has joined #openstack-dev		17:26
*** vartom13 has joined #openstack-dev		17:27
*** networkstatic has quit IRC		17:27
*** cdub_ has quit IRC		17:27
*** networkstatic has joined #openstack-dev		17:29
*** nati_ueno has joined #openstack-dev		17:29
ayoung	jdennis, no. Right now, there is not explicit mapping. We were looking at an approach to keep userids global based on a value actually stored in the backend. Adding in the domain id has come up from time to time, but it is a duplication of passing in the domain id. I'm not fundamentally opposed to the idea, just that it changes the semantics of the userids, and that pattern will likely extend to all of the per-domain enti	17:30
ayoung	ties...	17:30
*** rcrit has quit IRC		17:30
*** rcrit has joined #openstack-dev		17:31
*** markmcclain has quit IRC		17:32
*** RajeshMohan has quit IRC		17:36
*** RajeshMohan has joined #openstack-dev		17:37
*** amcrn has joined #openstack-dev		17:38
*** dubsquared has joined #openstack-dev		17:39
*** alop_ has joined #openstack-dev		17:42
*** devoid has joined #openstack-dev		17:43
*** devoid has quit IRC		17:43
*** alop has quit IRC		17:43
*** alop_ is now known as alop		17:43
*** markwash has joined #openstack-dev		17:43
*** litong has left #openstack-dev		17:45
*** feleouet has quit IRC		17:46
*** EmilienM has quit IRC		17:46
*** EmilienM has joined #openstack-dev		17:49
*** vartom13 has quit IRC		17:51
*** martyntaylor has quit IRC		17:53
*** martine has joined #openstack-dev		17:53
*** martine is now known as Guest38562		17:53
*** cschwede has joined #openstack-dev		17:54
morganfainberg	ayoung, cool	17:55
*** paragan has quit IRC		17:55
ayoung	morganfainberg, heh...did you see all the follow on conversation?	17:55
*** dolphm has joined #openstack-dev		17:57
*** RajeshMohan has quit IRC		17:57
*** RajeshMohan has joined #openstack-dev		17:58
*** Ryan_Lane1 has quit IRC		17:58
*** otherwiseguy has joined #openstack-dev		17:58
*** Ryan_Lane has joined #openstack-dev		17:58
morganfainberg	ayoung, still catching up	17:59
*** epim has quit IRC		18:00
*** jmontemayor has joined #openstack-dev		18:02
*** MaxV has quit IRC		18:02
*** terriyu has quit IRC		18:02
morganfainberg	ayoung, ah i see it now.	18:03
morganfainberg	ayoung, yeah, i think this is the circle we keep going into basically	18:04
*** zodiak has joined #openstack-dev		18:05
*** MaxV has joined #openstack-dev		18:06
morganfainberg	ayoung, the more we converse on this, the more i think we need to just shelve the per-domain backends until I… or go with the implementation that allows for non-unique user_ids and continue to say:	18:06
morganfainberg	ayoung, "don't use this in production, it's expirimental and has issues such as <blah>, and you need to enforce unique seperately from keystone, we don't enforce it yet"	18:06
morganfainberg	in this configuratione*	18:06
*** zodiak has quit IRC		18:07
dolphm	morganfainberg: did the 'this is experimental' patch merge?	18:07
dolphm	i haven't seen it in a while	18:07
morganfainberg	dolphm, i think so	18:07
morganfainberg	dolphm, i should check.	18:07
dolphm	morganfainberg: http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers	18:07
*** zodiak has joined #openstack-dev		18:07
morganfainberg	dolphm, i think is did merge >>	18:08
morganfainberg	it*	18:08
*** Mandell has quit IRC		18:09
*** comay has joined #openstack-dev		18:12
*** sarob has joined #openstack-dev		18:13
*** jecarey has quit IRC		18:15
*** comay has quit IRC		18:17
*** SumitNaiksatam has quit IRC		18:17
*** bknudson has joined #openstack-dev		18:18
*** SumitNaiksatam has joined #openstack-dev		18:19
*** johnthetubaguy1 has quit IRC		18:19
*** jasondotstar has quit IRC		18:19
*** anniec has joined #openstack-dev		18:19
morganfainberg	dolphm, i'm personally find with either option. shelve or just move it towards more usability with "expirimental" tag.	18:20
morganfainberg	gosh i can't type today. s/find/fine	18:21
*** cthulhup has quit IRC		18:21
*** changbl has joined #openstack-dev		18:22
*** garyk has joined #openstack-dev		18:22
*** Mandell has joined #openstack-dev		18:25
*** eglynn has quit IRC		18:26
henrynash	ayoung: what's the argument against userid@domain	18:26
*** melwitt has joined #openstack-dev		18:27
henrynash	ayoung: (other than can guarantee to fit that all in the same size field as userid along when we are generating it in some automatic fashion)	18:27
stevemar	morganfainberg got some time to review: https://review.openstack.org/#/c/30043/	18:28
*** EmilienM has quit IRC		18:29
morganfainberg	stevemar, it's just over 50% of the patchsets of your keystone oauth changes… i might need you to upload another 30 before i can review :P	18:29
stevemar	morganfainberg, oy, don't remind me :P	18:30
stevemar	morganfainberg - with httpretty, i'm not sure how to test that the headers are correct, that was the only thing	18:31
*** henrynash has quit IRC		18:31
*** EmilienM has joined #openstack-dev		18:32
morganfainberg	stevemar, i'd probably need to look at it in depth and/or bug jamielennox about that	18:32
morganfainberg	stevemar, to be honest	18:32
morganfainberg	stevemar. o	18:32
morganfainberg	i'll review when i have a few minutes.	18:33
stevemar	morganfainberg, ah, i was going to do the same with jamie	18:33
morganfainberg	have some obligations to take care of before i can do more reviews.	18:33
*** athomas has quit IRC		18:34
*** MaxV has quit IRC		18:34
*** henrynash has joined #openstack-dev		18:34
*** MaxV has joined #openstack-dev		18:34
stevemar	morganfainberg, thats cool dude	18:34
*** jasondotstar has joined #openstack-dev		18:35
*** markwash has quit IRC		18:35
*** Shaan7 has quit IRC		18:37
*** terriyu has joined #openstack-dev		18:41
*** Guest38562 has quit IRC		18:42
*** dosaboy has quit IRC		18:43
*** dosaboy has joined #openstack-dev		18:43
*** dosaboy has quit IRC		18:44
*** dosaboy has joined #openstack-dev		18:46
*** mestery has joined #openstack-dev		18:50
*** senk has quit IRC		18:52
*** markmcclain has joined #openstack-dev		18:52
*** comay has joined #openstack-dev		18:54
*** annegentle has quit IRC		18:56
*** Birk_ has joined #openstack-dev		18:56
*** bknudson has quit IRC		18:58
*** novas0x2a\|laptop has joined #openstack-dev		18:58
*** MaxV has quit IRC		18:58
*** cschwede has quit IRC		19:00
Birk_	Hey guys. I opened the bug https://bugs.launchpad.net/keystone/+bug/1226132. Apparently we just need to add 3 annotations in keystone/assignement/core.py before the domain create, update and delete. The unit tests for notifications already exists in keystone. I can commit this changes. Do you think it will be approved?	19:01
uvirtbot	Launchpad bug 1226132 in keystone "Keystone doesn't emit event notifications for domains" [Wishlist,Triaged]	19:01
*** schwicht has quit IRC		19:02
*** malini is now known as malini_afk		19:03
*** mestery has quit IRC		19:03
*** amohn9 has joined #openstack-dev		19:04
*** Ryan_Lane has quit IRC		19:06
*** Ryan_Lane has joined #openstack-dev		19:06
*** dubsquared has quit IRC		19:07
*** jecarey has joined #openstack-dev		19:08
*** cschwede has joined #openstack-dev		19:10
*** anniec has quit IRC		19:11
*** anniec has joined #openstack-dev		19:11
*** eglynn has joined #openstack-dev		19:17
*** Ruetobas has quit IRC		19:17
*** jecarey has quit IRC		19:18
*** MaxV has joined #openstack-dev		19:18
*** jecarey has joined #openstack-dev		19:18
*** salv-orlando has quit IRC		19:18
*** dstanek has quit IRC		19:18
*** Ruetobas has joined #openstack-dev		19:19
*** bknudson has joined #openstack-dev		19:19
*** bknudson has left #openstack-dev		19:19
*** sdake_ has joined #openstack-dev		19:20
*** Shaan7 has joined #openstack-dev		19:20
*** dstanek has joined #openstack-dev		19:21
*** bknudson has joined #openstack-dev		19:23
*** senk has joined #openstack-dev		19:23
*** Ruetobas has quit IRC		19:23
*** alunduil has quit IRC		19:24
*** Dr_Who has joined #openstack-dev		19:24
*** eglynn has quit IRC		19:25
*** Birk_ has quit IRC		19:25
*** Ryan_Lane has quit IRC		19:26
*** litong has joined #openstack-dev		19:27
*** litong has quit IRC		19:27
*** litong has joined #openstack-dev		19:27
*** mrodden1 has joined #openstack-dev		19:27
*** litong has quit IRC		19:27
*** litong has joined #openstack-dev		19:28
*** mrodden has quit IRC		19:28
*** senk has quit IRC		19:28
*** litong has joined #openstack-dev		19:28
*** shinylasers has quit IRC		19:28
*** litong has quit IRC		19:30
*** sandywalsh has quit IRC		19:30
*** Mandell_ has joined #openstack-dev		19:30
*** Ruetobas has joined #openstack-dev		19:30
*** novas0x2a\|laptop has quit IRC		19:31
*** mestery_ has joined #openstack-dev		19:31
*** jasondotstar has quit IRC		19:31
*** litong has joined #openstack-dev		19:31
*** Mandell has quit IRC		19:31
*** novas0x2a\|laptop has joined #openstack-dev		19:32
*** vipul is now known as vipul-away		19:32
*** vipul-away is now known as vipul		19:32
*** litong has quit IRC		19:33
*** mrunge has quit IRC		19:33
*** litong has joined #openstack-dev		19:35
*** shinylasers has joined #openstack-dev		19:36
*** litong has quit IRC		19:37
*** litong has joined #openstack-dev		19:37
*** mestery_ has quit IRC		19:37
*** dolphm has quit IRC		19:39
*** gordc has quit IRC		19:39
*** offenflieg has joined #openstack-dev		19:40
*** shinylasers has quit IRC		19:40
*** dolphm has joined #openstack-dev		19:41
*** litong has quit IRC		19:41
*** sdake_ has quit IRC		19:41
*** jcoufal has quit IRC		19:42
*** amohn9 has quit IRC		19:43
*** litong has joined #openstack-dev		19:43
*** Ryan_Lane has joined #openstack-dev		19:43
*** litong has quit IRC		19:44
*** shinylasers has joined #openstack-dev		19:44
*** martyntaylor has joined #openstack-dev		19:44
*** shinylasers has quit IRC		19:44
*** jasondotstar has joined #openstack-dev		19:44
*** zzs has joined #openstack-dev		19:45
*** litong has joined #openstack-dev		19:45
*** shinylasers has joined #openstack-dev		19:47
*** vipul is now known as vipul-away		19:47
*** litong has quit IRC		19:47
*** malini_afk is now known as malini		19:47
*** sandywalsh has joined #openstack-dev		19:47
*** vipul-away is now known as vipul		19:47
*** sdake_ has joined #openstack-dev		19:48
*** litong has joined #openstack-dev		19:48
ayoung	henrynash, OK, so we are ok with doing userid@domainid for Icehouse? I think that needs a blueprint	19:52
henrynash	ayoung: yes, can't do it for H	19:53
*** litong has quit IRC		19:53
ayoung	henrynash, I'll get it started	19:54
henrynash	ayoung: there are a few things to discuss around it (e.g. to we auto generate that for any backend that is not domain-aware)?	19:54
*** carl_baldwin has quit IRC		19:54
*** litong has joined #openstack-dev		19:54
henrynash	ayoung: or for every domain etc, etc.	19:54
ayoung	henrynash, my thought was that we look at the id, and if there is an @ sign in it, it is domain specific, otherwise it is in the "default" backend	19:55
henrynash	ayoung: and what about group_id?	19:55
*** mestery has joined #openstack-dev		19:55
ayoung	henrynash, has to be treated the same way	19:55
henrynash	ayoung: agreed	19:55
ayoung	groupid@domain	19:55
*** markmcclain has quit IRC		19:55
*** terryh has quit IRC		19:56
*** mestery has quit IRC		19:56
*** litong has quit IRC		19:57
*** adalbas has quit IRC		19:57
*** cschwede has quit IRC		19:57
*** mestery has joined #openstack-dev		19:57
*** sandywalsh has quit IRC		19:57
*** litong has joined #openstack-dev		19:57
*** mestery has quit IRC		19:58
*** networkstatic has quit IRC		19:58
ayoung	henrynash, https://blueprints.launchpad.net/keystone/+spec/domain-specific-ids	19:58
henrynash	ayoung: great	19:58
*** litong has quit IRC		19:59
morganfainberg	ayoung / henrynash, ++	19:59
*** markmcclain has joined #openstack-dev		19:59
*** litong has joined #openstack-dev		19:59
henrynash	ayoung, morganfainberg: as an aside, I have started a couple to "purify the assignment backend", namely:	20:01
radix	is it possible to request the catalog from keystone without authenticating? (i.e., assuming I already have a token)	20:01
*** herndon_ has quit IRC		20:01
henrynash	https://blueprints.launchpad.net/keystone/+spec/grant-table-rationalization	20:01
henrynash	and	20:01
henrynash	https://blueprints.launchpad.net/keystone/+spec/role-assignment-crud	20:01
morganfainberg	henrynash, i am really looking forward to not having 3 grant tables if i read that right	20:01
morganfainberg	or is it 4?	20:01
henrynash	morganfainberg: 4, my friend, 4	20:01
*** otherwiseguy has quit IRC		20:01
ayoung	henrynash, morganfainberg, while poking around at the LDAP backend this morning, i noticed that we tend to look up objects multiple times. I think we want to add the "dn" on to the any ldap entities, and use them for any additional lookups	20:02
morganfainberg	henrynash, yeah +++++++++++ <more> on cleaning that up :)	20:02
ayoung	I'll kaibosh that idea.	20:02
*** amohn9 has joined #openstack-dev		20:02
ayoung	1 table, and it is an assignment, not a grant...	20:02
morganfainberg	ayoung, ah	20:02
*** gordc has joined #openstack-dev		20:02
*** herndon_ has joined #openstack-dev		20:02
ayoung	henrynash, yeah...you got it right!	20:02
henrynash	ayoungL absolutely agree	20:02
ayoung	I read that as "I look forward to having 4 grant tables:" and I had a small heart attack....whew	20:03
*** litong has quit IRC		20:03
henrynash	morganfainberg: actually there could have been 5, but luckily ayoung get rid of the "UserTenantMembershiip" table	20:03
*** networkstatic has joined #openstack-dev		20:03
*** litong has joined #openstack-dev		20:04
morganfainberg	ayoung, no no getting it down to something sane.	20:04
ayoung	morganfainberg, I really like working with you guys...	20:04
* ayoung has new rule...if a suggestion looks like it is going backwards, assume I read it backwards		20:05
morganfainberg	ayoung, better idea, lets make it 15 tables… with FK constraints on the policy and catalog tables.	20:05
*** kenperkins has joined #openstack-dev		20:05
morganfainberg	>.>	20:05
morganfainberg	;)	20:06
ayoung	morganfainberg, I was contemplating having each of the modules register with the wsgi just like the extensions do. Then, we can enumerate identity, assignments, policy, catalog, and tokens from the /v2.0 and v3 pages...what do you think?	20:06
*** litong has quit IRC		20:07
*** jmontemayor has quit IRC		20:07
*** eglynn has joined #openstack-dev		20:07
*** litong has joined #openstack-dev		20:07
*** litong has quit IRC		20:08
dolphm	ayoung: regarding looking up things multiple times -- 18 queries to LDAP during authentication, 6 of which are unique queries :)	20:08
ayoung	dolphm, yeah...If we grab the DN off the object, and look things up with that, we probably drop half of them	20:08
*** litong has joined #openstack-dev		20:08
ayoung	dolphm, let me see if I can split that out into its own patch.	20:09
dolphm	radix: we're talking about adding a GET /catalog to do just that, but the only solution we have right now is to validate your own token	20:09
dolphm	radix: GET /v3/auth/tokens or GET :35357/v2.0/tokens/{token_id}	20:09
morganfainberg	ayoung, that seems like a good approach (enumerating).	20:09
radix	dolphm: oh, that's cool	20:09
radix	dolphm: as long as I can do that :) I was worried that I would have to authenticate	20:09
dolphm	radix: that's an option as well, but please try to avoid that :P	20:10
*** litong has quit IRC		20:10
morganfainberg	ayoung, i'm trying to visualize it, but it's a little hazy. but that might be because i'm shuffling git repositories atm :P	20:10
*** gordc has quit IRC		20:11
*** litong has joined #openstack-dev		20:11
radix	dolphm: the reason I ask is because I saw that "keystone --debug catalog" is actually just authenticating to get the catalog	20:11
radix	and heat is still authenticating even when it has a token just to get the catalog, I think	20:11
*** boden has quit IRC		20:12
*** martyntaylor has quit IRC		20:12
radix	actually maybe keystone catalog does avoid authenticating if it has the token stored in a keyring, I haven't tested that	20:12
*** chandankumar has quit IRC		20:12
radix	I'll look to see if python-keystoneclient even has a method for validating the token	20:12
morganfainberg	radix, heat isn't the only project that did/does that for getting a catalog	20:13
*** sandywalsh has joined #openstack-dev		20:13
*** litong has quit IRC		20:13
*** jmontemayor has joined #openstack-dev		20:13
*** jcoufal has joined #openstack-dev		20:13
*** mestery has joined #openstack-dev		20:13
*** litong has joined #openstack-dev		20:14
*** yolanda has quit IRC		20:15
*** litong has quit IRC		20:18
dolphm	radix: i actually don't think it does! at least there's no client.tokens.validate()	20:18
*** gordc has joined #openstack-dev		20:18
radix	well, that might be one reason why so many projects reauth ;-)	20:18
dolphm	that's probably true :(	20:18
*** litong has joined #openstack-dev		20:19
*** vuil has quit IRC		20:19
morganfainberg	isn't client.tokens.get_token validate?	20:19
morganfainberg	or does that only scrape the x-subject-token out?	20:19
*** networkstatic has quit IRC		20:20
*** martyntaylor has joined #openstack-dev		20:21
*** litong has quit IRC		20:22
*** litong has joined #openstack-dev		20:22
*** gordc has quit IRC		20:22
*** sdake_ has quit IRC		20:22
*** martyntaylor has quit IRC		20:22
*** gordc has joined #openstack-dev		20:22
*** martyntaylor has joined #openstack-dev		20:23
*** martyntaylor has quit IRC		20:24
*** senk has joined #openstack-dev		20:24
*** martyntaylor has joined #openstack-dev		20:25
*** stevemar has quit IRC		20:26
*** litong has quit IRC		20:27
*** rackerjoe has left #openstack-dev		20:27
*** alunduil has joined #openstack-dev		20:28
*** litong has joined #openstack-dev		20:28
*** litong has quit IRC		20:28
*** senk has quit IRC		20:29
*** litong has joined #openstack-dev		20:29
*** annegentle has joined #openstack-dev		20:29
*** litong has quit IRC		20:29
*** litong has joined #openstack-dev		20:30
*** markmcclain has quit IRC		20:30
*** mkollaro1 has quit IRC		20:30
*** dvarga has quit IRC		20:31
*** otherwiseguy has joined #openstack-dev		20:31
*** SergeyLukjanov has joined #openstack-dev		20:31
*** gordc has quit IRC		20:31
*** litong has quit IRC		20:32
*** alop has quit IRC		20:32
*** gordc has joined #openstack-dev		20:32
*** litong has joined #openstack-dev		20:33
*** larsks has quit IRC		20:34
*** SumitNaiksatam has quit IRC		20:35
*** litong has quit IRC		20:35
*** SumitNaiksatam has joined #openstack-dev		20:35
*** anniec has quit IRC		20:35
*** cmcnamara has quit IRC		20:35
ayoung	morganfainberg, in the function _ldap_res_to_model we have access to the dn. If we stick it in the model, we are good...until we need to strip it out to pass all of the unit tests that don't think it should be there. Tempted to overload _ldap_res_to_modle for user and grop, and append it.	20:37
*** litong has joined #openstack-dev		20:37
*** litong has joined #openstack-dev		20:37
morganfainberg	ayoung, that would be where i would add that, at first pass	20:38
*** litong has quit IRC		20:38
morganfainberg	ayoung, in the long run would you update unit tests to accept it being there?	20:38
*** mkollaro has joined #openstack-dev		20:39
*** litong has joined #openstack-dev		20:40
*** alop has joined #openstack-dev		20:40
ayoung	morganfainberg, maybe. I think that the problem is really the LDAP assignment backedn, which I want to deprecate anyway, and then we can just leave the DN in there. We have the filter call that strips out unwanted Attributes, but LDAP assignments needs to have direct access to the hidden methods of the ldap identity backend.	20:42
*** eglynn has quit IRC		20:42
morganfainberg	ayoung. ++ on deprecating that backend. and that makes perfect sense if it is deprecated, unit tests don't need it.	20:42
*** jpeeler has quit IRC		20:43
*** litong has quit IRC		20:44
*** litong has joined #openstack-dev		20:45
radix	morganfainberg: I'm looking at all the methods named "get_token" and I'm not seeing one that calls the API like that	20:47
radix	looks like they just wrap an already-fetched service catalog	20:47
morganfainberg	radix, sec i'll find what i was thinking about, i might be wrong.	20:47
*** cdub_ has joined #openstack-dev		20:49
*** litong has joined #openstack-dev		20:49
ayoung	radix, get_service_catalog in the client actully gets the token	20:49
radix	I don't see that method	20:49
radix	grepping the entire python-keystoneclient codebase	20:50
*** boris-42 has quit IRC		20:51
radix	(^ayoung)	20:51
*** branen has quit IRC		20:51
*** branen has joined #openstack-dev		20:52
ayoung	radix, I migt have the name wrong...I'm looking at other code right now	20:52
*** welldannit has joined #openstack-dev		20:52
*** tong\|2 has joined #openstack-dev		20:52
ayoung	get_catalog? summat like that	20:52
*** Dr_Who has quit IRC		20:52
*** grizzled has joined #openstack-dev		20:53
radix	there's a service_catalog method that returns the pre-cached catalog	20:53
radix	no get_catalog that I can see either	20:53
*** mestery has quit IRC		20:54
*** zaneb has quit IRC		20:54
*** Dr_Who has joined #openstack-dev		20:55
*** Dr_Who has joined #openstack-dev		20:55
ayoung	radix, what if it is not cached?	20:56
*** radez is now known as radez_g0n3		20:56
radix	actually it's a property. it just does "return self.auth_ref.service_catalog"	20:56
*** tonix has quit IRC		20:57
*** eglynn has joined #openstack-dev		20:57
ayoung	radix, yep, and what sets auth_ref?	20:58
radix	hm, it looks like there's something in the middleware that verifies a token but it's not factored in a way that exposes it	20:58
radix	ayoung: only authentication, afaict.	20:58
ayoung	hold on....	20:59
*** dolphm has quit IRC		20:59
*** morazi has quit IRC		20:59
*** jpeeler has joined #openstack-dev		20:59
ayoung	radix, ./keystoneclient/httpclient.py:235: self.auth_ref = access.AccessInfo.factory(**auth_ref)	20:59
radix	ayoung: I don't understand how this helps me make an API call to get the service catalog.	21:00
*** noslzzp has quit IRC		21:00
*** herndon_ has quit IRC		21:00
*** tong\|2 has quit IRC		21:00
ayoung	nah..that is if you already have it..still looking	21:00
*** cdub_ has quit IRC		21:00
radix	check verify_uuid_token in middleware	21:01
ayoung	line 467	21:01
*** jasondotstar has quit IRC		21:01
ayoung	resp, body = self.get_raw_token_from_identity_service(**kwargs)	21:01
radix	auth_token.py	21:01
*** senk has joined #openstack-dev		21:01
*** mrodden1 has quit IRC		21:01
radix	ayoung: that authenticates	21:02
ayoung	radix, and then that is implemented in the subclasses	21:02
radix	yes. as authentication.	21:02
ayoung	radix, as I said, that is where we get the service catalog	21:02
*** salv-orlando has joined #openstack-dev		21:03
ayoung	radix, so why would you request it again?	21:03
radix	ayoung: I guess you missed some context. my whole line of questioning is about getting the service catalog without authenticating, when I already have a token	21:03
ayoung	radix, the service_catalog is embedded in the response	21:03
*** herndon_ has joined #openstack-dev		21:03
*** senk has quit IRC		21:03
ayoung	radix, if you have a token, you have the service_catalog, unless someone passed you a uuid token, which they should never do	21:04
radix	then dolphm pointed out that if you GET /v3/tokens/ you can do that, and I said I couldn't find a method in python-keystoneclient that exposes that functionality.	21:04
*** eglynn has quit IRC		21:04
*** kenperkins has quit IRC		21:04
*** DinaBelova has joined #openstack-dev		21:04
radix	er, /v3/auth/tokens/	21:04
ayoung	radix, that get is used to validate a token. The command line client doesn't do that....and I think that the call is a v2 call in auth_token middleware, not v3	21:05
ayoung	so GET /v2.0/token/<id>	21:05
*** stevemar has joined #openstack-dev		21:05
*** rfolco has quit IRC		21:07
*** kenperkins has joined #openstack-dev		21:08
radix	ayoung: are you saying that e.g. heatclient should pass the full token and service catalog to the heat server? i'm kind of lost	21:09
*** DinaBelova has quit IRC		21:09
radix	I don't understand what you mean by never having a uuid token without a service catalog.	21:09
*** jmontemayor has quit IRC		21:10
*** senk has joined #openstack-dev		21:11
*** mrodden has joined #openstack-dev		21:12
*** dsirrine has quit IRC		21:12
*** sdake_ has joined #openstack-dev		21:12
*** sdake_ has quit IRC		21:12
*** sdake_ has joined #openstack-dev		21:12
ayoung	radix, so heat is not validating the token via auth_token middleware?	21:13
ayoung	radix, when a user gets a token, they get the service catalog with it. When a service validates a token, it gets the service_catalog	21:14
ayoung	radix, if it is a PKI token, the service catalog is signed inside the token	21:14
*** grizzled has quit IRC		21:14
*** shardy is now known as shardy_afk		21:14
ayoung	if a uuid token is passed to keystone to validate, the validate call returns the service_catalog	21:14
*** jamielennox is now known as jamielennox\|away		21:15
radix	ayoung: hmm, yeah, I guess heat is using auth_token middleware. so I guess it must be somewhere...	21:16
*** donaldh has joined #openstack-dev		21:17
radix	AHHHH I think I just figuerd it out. we're implementing an unauthenticated webhook call... I need to go think about this for a bit :)	21:17
*** topol has quit IRC		21:18
ayoung	and with that..I have to go pickup the kids. Back in a few hours	21:18
*** henrynash has quit IRC		21:19
*** pcm_ has quit IRC		21:20
*** CaptTofu has quit IRC		21:20
*** sdake_ has quit IRC		21:20
*** sdake_ has joined #openstack-dev		21:20
*** sdake_ has quit IRC		21:20
*** sdake_ has joined #openstack-dev		21:20
*** CaptTofu has joined #openstack-dev		21:20
*** amohn9 has quit IRC		21:23
*** giulivo has quit IRC		21:24
*** davidhadas_ has joined #openstack-dev		21:24
*** vipul is now known as vipul-away		21:25
*** davidhadas has quit IRC		21:26
*** anniec has joined #openstack-dev		21:27
*** zaitcev has quit IRC		21:27
*** thomasm has quit IRC		21:28
*** sarob has quit IRC		21:28
*** vipul-away is now known as vipul		21:29
*** datsun180b has quit IRC		21:29
*** sarob has joined #openstack-dev		21:29
*** sarob has quit IRC		21:34
*** MaxV has quit IRC		21:35
*** alop has quit IRC		21:36
*** alop has joined #openstack-dev		21:37
lbragstad	hey russellb, quick question on a bug you put a fix in for (https://bugs.launchpad.net/glance/+bug/1100317) that might be similar to something I am seeing. I am using impl_qpid as the rpc_backend to send notifications in Keystone on resource changes.	21:38
uvirtbot	Launchpad bug 1100317 in glance/grizzly "Glance hangs in qpid notification when adding/removing an image" [High,Fix released]	21:38
*** mestery has joined #openstack-dev		21:38
*** amohn9 has joined #openstack-dev		21:39
morganfainberg	bknudson, hehe next time i'll wait before uploading another patchset ;)	21:40
*** mestery has quit IRC		21:40
bknudson	morganfainberg: I was pulled away to a meeting so submitted the couple of files that I had reviewed.	21:41
morganfainberg	bknudson, not a worry, i'm amused. :)	21:41
bknudson	It doesn't cause a problem for me reviewing... I just compare to the one I reviewed.	21:41
morganfainberg	bknudson, if you're ready i'll go through and get a foll,owup patchset done	21:42
bknudson	morganfainberg: I'm done reviewing that one for today.	21:42
bknudson	any more reviews and I'll go loopy.	21:42
morganfainberg	bknudson, cool. thanks for the comments. yeah i know how that goes somedays	21:42
*** anniec has quit IRC		21:44
*** cjellick has joined #openstack-dev		21:44
*** cmcnamara has joined #openstack-dev		21:47
*** sdake_ has quit IRC		21:48
*** insanidade has joined #openstack-dev		21:48
*** amohn9 has quit IRC		21:49
*** xqueralt is now known as xqueralt-afk		21:49
*** cmcnamara has quit IRC		21:51
*** donaldh has quit IRC		21:52
*** Ryan_Lane has quit IRC		21:52
*** cmcnamara has joined #openstack-dev		21:52
*** Ryan_Lane has joined #openstack-dev		21:52
*** jcoufal has quit IRC		21:52
*** martine_ has joined #openstack-dev		21:53
*** shinylasers has quit IRC		21:53
jgriffith	jog0: thanks for the reminder on the lvremove failure	21:54
jog0	jgriffith: thanks for looking into it	21:54
jog0	jgriffith: I am working on better tracking of transient failures, currently automatically classifying them using logstash so in the future we will have better stats on all this	21:54
*** cmcnamara has quit IRC		21:54
jgriffith	jog0: man.. that will be AWESOME!	21:55
jgriffith	jog0: and much more accurate	21:55
jgriffith	jog0: so I think the issue on that BTW is messed up target connections	21:56
*** CaptTofu has quit IRC		21:56
jgriffith	jog0: something goes very bad with and the dm-mapper entry never gets cleaned up correctly	21:56
*** CaptTofu has joined #openstack-dev		21:56
jgriffith	anyway, I'm going to see if I can come up with a better fix than the last one I proposed	21:56
*** martine_ has quit IRC		21:57
*** cmcnamar_ has joined #openstack-dev		21:57
*** xmltok_ has quit IRC		21:59
*** eglynn has joined #openstack-dev		22:00
*** lucasagomes has quit IRC		22:01
jog0	jgriffith: thanks	22:02
jog0	jgriffith: we have the the basic tool running in #openstack-qa	22:02
*** amohn9 has joined #openstack-dev		22:03
*** cmcnamar_ has quit IRC		22:03
*** kbringard has quit IRC		22:03
lbragstad	bnemec: around?	22:04
*** cmcnamara has joined #openstack-dev		22:04
*** senk has quit IRC		22:04
bnemec	lbragstad: Yep	22:04
lbragstad	got a minute for a qq?	22:04
lbragstad	I have a qpid question :)	22:04
*** jasondotstar has joined #openstack-dev		22:06
*** vuil has joined #openstack-dev		22:06
*** sarob has joined #openstack-dev		22:07
*** sarob has quit IRC		22:07
*** sbadia has left #openstack-dev		22:07
*** sarob has joined #openstack-dev		22:08
bnemec	lbragstad: Whoops, yeah.	22:08
*** sbadia_ has joined #openstack-dev		22:08
*** cmcnamara has quit IRC		22:08
*** tstevenson_ has quit IRC		22:08
lbragstad	In Keystone we are running oslo's notifier module and we get notifications on the queue when we use impl_kombu and also the log notifier, but when I try to use the impl_qpid backend, the notification will hang attempting to establish a connection (https://bugs.launchpad.net/oslo/+bug/1224565). I have following the trace into the qpid.messaging code and also tried pulling in the latest notifier changes from Oslo to Keystone so that keys	22:09
uvirtbot	Launchpad bug 1224565 in oslo "Can't establish qpid connection with impl_qpid.py" [Undecided,New]	22:09
lbragstad	bnemec: wondering if I am missing something with the qpid configuration or if you have any suggestions on how to approach this next?	22:09
*** dims has quit IRC		22:09
*** cmcnamara has joined #openstack-dev		22:10
lbragstad	I saw Glance was having a similiar issue in Grizzly, but that case is a little different given Glance doesn't use the notifier module from Oslo	22:10
lbragstad	bnemec: which is documented here -> https://bugs.launchpad.net/glance/+bug/1100317	22:10
uvirtbot	Launchpad bug 1100317 in glance/grizzly "Glance hangs in qpid notification when adding/removing an image" [High,Fix released]	22:11
bnemec	lbragstad: Yeah, that was my first thought.	22:11
bnemec	Unfortunately I don't know that they ever found the reason for those hangs either.	22:11
lbragstad	bnemec: ahh gotcha	22:11
bnemec	Kind of punted and opened a new connection for every notification.	22:11
bnemec	I don't know if they've switched to using Oslo notification yet in Glance.	22:12
*** eharney_ has joined #openstack-dev		22:12
lbragstad	I don't think so	22:12
lbragstad	https://github.com/openstack/glance/blob/master/glance/notifier/notify_qpid.py	22:12
bnemec	Do you know if this ever worked in Keystone?	22:12
*** Dr_Who has quit IRC		22:12
*** eharney has quit IRC		22:12
lbragstad	well, notifications work in Keystone using impl_kombu or the log notifier, but impl_qpid doesn't work	22:12
bnemec	There's been some churn lately in Qpid so it's possible something got broken.	22:13
lbragstad	that could be true	22:13
lbragstad	I would think if that were the case, or if something possibly wasn't handled in Oslo then it would be effecting other projects as well.	22:13
bnemec	You would think. :-)	22:13
*** zzs has left #openstack-dev		22:13
bnemec	Might be worth finding an old version of impl_qpid and syncing it into Keystone just to see though.	22:15
*** portante is now known as portante\|afk		22:15
bnemec	(FWIW, I've only glanced at the bug you opened. Been buried in onboarding tasks this week. :-)	22:16
*** eharney_ is now known as eharney		22:16
*** cmcnamara has quit IRC		22:16
*** zaitcev has joined #openstack-dev		22:17
lbragstad	bnemec: no worries, I appreciate you taking a look!	22:17
*** cmcnamara has joined #openstack-dev		22:17
*** Thor has quit IRC		22:19
*** stevemar has quit IRC		22:19
*** cmcnamar_ has joined #openstack-dev		22:20
*** Thor has joined #openstack-dev		22:21
*** jvrbanac has joined #openstack-dev		22:21
*** cmcnamara has quit IRC		22:21
*** bknudson has quit IRC		22:21
*** amohn9 has quit IRC		22:23
*** jasondotstar has quit IRC		22:23
*** cmcnamar_ has quit IRC		22:24
*** dims has joined #openstack-dev		22:24
*** amohn9 has joined #openstack-dev		22:24
*** CaptTofu has quit IRC		22:24
*** neelashah has quit IRC		22:25
*** CaptTofu has joined #openstack-dev		22:25
*** CaptTofu has quit IRC		22:25
*** CaptTofu has joined #openstack-dev		22:25
*** adjohn_ has joined #openstack-dev		22:26
*** CaptTofu has quit IRC		22:27
*** adjohn_ has quit IRC		22:27
*** CaptTofu has joined #openstack-dev		22:28
*** adjohn has joined #openstack-dev		22:28
*** cmcnamara has joined #openstack-dev		22:28
*** eharney has quit IRC		22:30
*** CaptTofu has quit IRC		22:30
*** CaptTofu has joined #openstack-dev		22:31
*** mrodden has quit IRC		22:32
*** FunnyLookinHat has quit IRC		22:32
*** lbragstad has quit IRC		22:32
*** changbl has quit IRC		22:35
*** sbadia_ is now known as sbadia		22:36
*** dolphm has joined #openstack-dev		22:36
*** jecarey has quit IRC		22:38
*** dstanek has quit IRC		22:41
*** adjohn has quit IRC		22:41
*** amohn9 has quit IRC		22:41
*** adjohn has joined #openstack-dev		22:42
*** galstrom is now known as galstrom_zzz		22:42
*** amohn9 has joined #openstack-dev		22:44
*** michchap has joined #openstack-dev		22:46
*** jhesketh_ has joined #openstack-dev		22:48
*** amohn9 has quit IRC		22:48
*** radsy has joined #openstack-dev		22:49
insanidade	exit	22:51
*** insanidade has quit IRC		22:51
*** prad has quit IRC		22:51
*** cthulhup has joined #openstack-dev		22:52
*** senk has joined #openstack-dev		22:52
*** pmathews has quit IRC		22:53
*** portante\|afk is now known as portante		22:54
*** lucasagomes has joined #openstack-dev		22:55
*** cthulhup has quit IRC		22:55
*** kbrierly has quit IRC		22:55
*** sbadia has quit IRC		22:56
*** sbadia has joined #openstack-dev		22:57
*** herndon_ has quit IRC		23:00
*** dolphm has quit IRC		23:02
*** dolphm has joined #openstack-dev		23:03
*** spzala has quit IRC		23:04
*** amohn9 has joined #openstack-dev		23:05
*** kbrierly has joined #openstack-dev		23:05
Guest58099	Anyone ever see _DEFAULT_TARGET_ENDPOINT_TYPE attribute missing in unit tests on oslo-incubator?	23:05
*** anniec has joined #openstack-dev		23:07
*** jasondotstar has joined #openstack-dev		23:08
*** Mandell_ has quit IRC		23:10
*** gongysh has joined #openstack-dev		23:10
*** amohn9 has quit IRC		23:10
*** jamielennox\|away is now known as jamielennox		23:13
*** kenperkins has quit IRC		23:15
*** larsks has joined #openstack-dev		23:18
*** garyk1 has joined #openstack-dev		23:18
*** dstufft has quit IRC		23:19
*** dstufft_ has joined #openstack-dev		23:19
*** luisg has quit IRC		23:19
*** garyk has quit IRC		23:20
morganfainberg	dolphm, ping.	23:23
*** jvrbanac has quit IRC		23:23
morganfainberg	dolphm, nvm	23:24
*** dolphm has quit IRC		23:25
*** michchap has quit IRC		23:26
*** dolphm has joined #openstack-dev		23:26
*** dolphm has quit IRC		23:27
*** michchap has joined #openstack-dev		23:29
*** rcrit has quit IRC		23:30
*** amohn9 has joined #openstack-dev		23:30
*** stevemar has joined #openstack-dev		23:30
*** sbadia has quit IRC		23:31
*** dolphm has joined #openstack-dev		23:31
*** vipul is now known as vipul-away		23:31
*** sbadia has joined #openstack-dev		23:32
dolphm	morganfainberg: pong/nvm	23:33
morganfainberg	dolphm, lol	23:34
morganfainberg	dolphm, actually since you're here	23:34
dolphm	o/	23:34
morganfainberg	can you see any issue with moving the "filter_user" calls from identity up to the manager from the drivers?	23:34
*** malini is now known as malini_afk		23:34
morganfainberg	it seems silly to implement it in each driver.	23:34
*** vipul-away is now known as vipul		23:34
morganfainberg	dolphm, https://review.openstack.org/#/c/46207/14/keystone/tests/test_backend.py as commented on by bknudson	23:35
morganfainberg	(line 147)	23:35
morganfainberg	dolphm, and i'm thinking this change should be part of the bug(s) but as a separate patchset. this patchset is already… hard enough to follow	23:35
dolphm	morganfainberg: i've thought about that... i'm very torn. passwords shouldn't escape the driver, but redundant code sucks	23:35
morganfainberg	dolphm, putting it on the manager should enforce it not escaping the driver. right? manager is the gate for that kind of stuff.	23:36
morganfainberg	this comment also highlights a couple tests are making bad assumptions.	23:37
*** salv-orlando has quit IRC		23:37
morganfainberg	(probably just weren't updated a while back)	23:37
dolphm	morganfainberg: yes; i'm just being paranoid about misbehaving extensions, etc :-/	23:38
dolphm	morganfainberg: the sane part of me says it should be in the manager	23:38
morganfainberg	dolphm, when i do the refactor in Icehouse for ABCMeta, i was also planning on making it a bit harder to extract the driver from the manager.	23:38
morganfainberg	e.g. a bit more enforcement so extensions would need to work to misbehave	23:39
dolphm	morganfainberg: ooh, i'd be interested in that	23:39
dolphm	morganfainberg: i really hate the identity_api.driver.should_not_be_doing_this_ever()	23:39
morganfainberg	yeah, i have been noodling over how to enforce that.	23:39
*** fbo is now known as fbo_away		23:40
*** larsks has quit IRC		23:40
dolphm	morganfainberg: __driver ?	23:40
*** larsks has joined #openstack-dev		23:40
dolphm	"enforce"	23:40
morganfainberg	dolphm, well that in part, but i was thinking of also making it more anonymous access, so it really only exists in the namespace of the manager	23:40
*** cmcnamara has quit IRC		23:40
morganfainberg	and not something that could be accessed on the object.	23:41
morganfainberg	but _driver is the first step ;)	23:41
*** cmcnamara has joined #openstack-dev		23:41
dolphm	morganfainberg: anonymous access?	23:41
morganfainberg	similar to a function def within a function def	23:41
*** hemna is now known as hemnafk		23:42
dolphm	morganfainberg: (i'm specifically referring to double underscore to invoke python's name mangling thingy)	23:42
morganfainberg	oh oh yeah that would work too	23:42
*** amohn9 has quit IRC		23:42
morganfainberg	dolphm, but i def. want to see driver less available than the manager methods.	23:44
*** jasondotstar has quit IRC		23:44
*** rcrit has joined #openstack-dev		23:45
*** cmcnamara has quit IRC		23:45
dolphm	morganfainberg: agree; anything to encourage better behavior would be a win	23:45
morganfainberg	dolphm, but back to the question. should i just update the tests to be "more correct" or is it better to move this logic to the manager for H?	23:46
morganfainberg	i think either will address brant's concerns.	23:47
*** kbrierly has quit IRC		23:48
*** lucasagomes has quit IRC		23:49
*** changbl has joined #openstack-dev		23:52
*** jhesketh__ has joined #openstack-dev		23:52
*** jcoufal has joined #openstack-dev		23:54
*** jasondotstar has joined #openstack-dev		23:55
*** jprovazn has quit IRC		23:55
morganfainberg	dolphm, the more i think about it, the more i'm leaning towards just the tests until the further cleanup for I. yeah thats what i'm going to do.	23:55
*** mkollaro has quit IRC		23:58
*** vuil has quit IRC		23:58
*** mkollaro has joined #openstack-dev		23:58
*** mkollaro has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!