Monday, 2014-01-13

[13:50] <BobBall> yjiang5_1: Ping
[15:11] <fungi> i think python-keystoneclient==0.4.2 may have just broken horizon
[15:13] <fungi> looks like all python unit test runs for horizon are now failing on keystone-specific tests as of the last few minutes, and the only change in the pip freeze output for the tests is python-keystoneclient==0.4.2 instead of 0.4.1
[15:16] <jaypipes> sdague: oh, XML, why don't thou die.
[15:17] <clarkb> need a bigger fire
[15:18] <noorul> lol @ jaypipes
[15:18] <jaypipes> noorul: I am deliberately going to NOT respond to that ML post. :)
[15:20] <bknudson> fungi: "UnknownMethodCallError: Method called is not a member of the object: management_url" ?
[15:20] <fungi> bknudson: yup
[15:21] <fungi> horizon will presumably need patching to work around that
[15:22] <bknudson> Looks like the horizon test is trying to create a mock keystoneclient and creating the mock fails for some reason.
[15:25] <jpich> fungi: Thanks for the heads-up
[15:25] <fungi> jpich: you're welcome
[15:28] <sdague> jaypipes: well, I figured I would bring it up one last time before we have to keep it for the next 3 years until nova v4 is out
[15:28] <jaypipes> sdague: LOL. You know full well where I stand on the issue.
[15:28] <sdague> but we hadn't really thought about validation bandwidth before
[15:29] <jaypipes> while (is_alive(xml)) { kill(xml);}
[15:30] <ttx> but but but
[15:30] <ttx> what about the enterprise?
[15:30] <ttx> </trollbait>
[15:32] <jaypipes> ttx: oh, Thierry.
[15:32] * jaypipes emits long-winded sigh
[15:34] <sdague> jaypipes: you still planning to be in montreal later this week?
[15:35] <jaypipes> sdague: yup. be there around lunchtime on Wed.
[15:35] <sdague> cool, sounds great
[15:36] <jaypipes> jdob: there are way too many Jays on these mailing list threads :P
[15:36] <jaypipes> jdob: between you, me, and jay-lau-513, I am getting confused ;)
[15:36] <jdob> I know, I almost called you Other Jay joking around but it came off as condescending :)
[15:36] <jaypipes> loL!
[15:36] <jdob> funny part is, I'm actually Jason
[15:37] <jaypipes> and I'm actually James :)
[15:37] <jdob> I shortened to Jay on my last team when we hired two more Jasons
[15:37] <jdob> oh, I have way more claim to Jay than you do
[15:37] <jaypipes> heh, an old (really old) girlfriend called me Jay because her brother was named James, and it just stuck about 20 years ago...
[15:37] <jdob> ah yes, I've seen those situations, need to separate from family as much as possible
[15:37] <jaypipes> indeed :)
[15:38] <jdob> Jay P and Jay D work in text (sound too close in voice), though everyone normally devolves to calling me jdob after a while anyway
[15:38] <jdob> that sounds fine in voice too, so I ended up going by that
[15:38] <jaypipes> jdob: but anyway, thx for entertaining my questions about the Tuskar domain model... coming from ops-world over the last couple years, I've felt the pain of trying to deal with "enterprise" DC inventory management practices, and it's something that interests me.
[15:39] <jdob> it was a great explanation. i still believe that tuskar needs to store way more in itself than we are currently aiming for; not duplication, but some form of inventory model, so your example gives me new ammo
[15:40] <jaypipes> jdob: yeah. not a huge priority, but like I said, having it on the roadmap would be great.
[15:40] <jdob> given the time constraints for icehouse, I understand the evolution we're going down
[16:00] <dolphm> fungi: skimming back... anything i can do to help with the impact of keystoneclient 0.4.2?
[16:03] <fungi> dolphm: no idea... i assume the horizon devs have it in hand
[16:04] <jpich> fungi, dolphm: A patch is on the way, thanks! https://bugs.launchpad.net/horizon/+bug/1268631
[16:04] <uvirtbot> Launchpad bug 1268631 in horizon "Unit tests failing with raise UnknownMethodCallError('management_url')" [Critical,In progress]
[16:05] <dolphm> jpich: looking
[16:06] <dolphm> jamielennox: ping
[16:07] <bknudson> https://review.openstack.org/#/c/60435/
[16:08] <bknudson> ?
[16:14] <dolphm> bknudson: management_url is now a @property from keystoneclient.httpclient
[16:15] <dolphm> bknudson: it has a setter though, with an interesting comment from jamielennox https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/httpclient.py#L491-L500
[16:17] <bknudson> dolphm: I don't know if this is a backwards-incompatible change or if the horizon tests monkeypatching is causing things to not work for them
[16:17] <dolphm> bknudson: i'm leaning towards monkeypatching
[16:17] <dolphm> bknudson: although i haven't read through all the mocking code on horizon's side
[16:17] <dolphm> bknudson: i'm guessing we broke some expectation over there
[16:18] <bknudson> dolphm: they have a 1-line fix where they just mock management_url -- https://review.openstack.org/#/c/66361/1/openstack_dashboard/test/helpers.py
[16:21] <jpich> dolphm, bknudson: I think we've seen funky issues with mox and mocked properties before, I'd lean toward something similar happening here
[16:23] <david-lyle> dolphm, bknudson: this type of fix has been required several times with our mocked client implementation.
[16:25] <david-lyle> I think our underlying mock is just incomplete, and as the keystoneclient code base explicitly requires certain fields, we have to add them
[16:26] <david-lyle> ultimately there's probably a better way, but this will work for now
[16:30] <bknudson> jpich david-lyle dolphm: from the error message, I'm willing to believe that there's something funky with properties
[16:30] <bknudson> but it's not something I've seen before... not that I use mock much.
[16:58] <bknudson> another issue with the new version of keystoneclient -- if add new config options to auth_token middleware then nova pep8 check fails.
[17:04] <dolphm> bknudson: i don't follow?
[17:05] <bknudson> https://bugs.launchpad.net/nova/+bug/1268614
[17:05] <uvirtbot> Launchpad bug 1268614 in nova "pep8 gating fails due to tools/config/check_uptodate.sh" [Undecided,Confirmed]
[17:06] <bknudson> not keystoneclient's problem, but something to watch out for
[17:12] <dolphm> bknudson: ah cool. that's a nifty gate job
[17:17] <_cjones_> Morning keystone team. I have a question regarding authentication. I'm looking at creating a cloud admin user.
[17:17] <_cjones_> How do I satisfy the second part of this statement in my policy.json file? : "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
[17:19] <dolphm> _cjones_: you can't, exactly. the "admin_domain_id" is intended to be a placeholder for a "special" domain ID that you designate as "for admins"
[17:19] <_cjones_> So, replace the entry in the .json with the UID from my database?  Would that solve this?
[17:19] <morganfainberg> morning
[17:20] <_cjones_> dolphm, sorry, that last response was a question for you.
[17:21] <dolphm> _cjones_: yes, that's it
[17:22] <_cjones_> dolphm, I then get the following error: (keystone.auth.plugins.password): 2014-01-13 09:21:41,165 ERROR password _validate_and_normalize_auth_data Could not find user, admin.
[17:28] <_cjones_> dolphm, I'll do some more debugging here and get back to you guys. Thanks.
[17:43] <morganfainberg> dolphm, fyi i likely will be missing the meeting tomorrow
[17:44] <morganfainberg> being on a plane and all that
[17:44] <dolphm> morganfainberg: ack
[17:44] <dolphm> morganfainberg: i suspect you're not the only one
[17:44] <morganfainberg> hehe
[17:45] <morganfainberg> i am also rebasing and once jenkins +1s i'll do the reapprove dance on https://review.openstack.org/#/c/60742/ simple rebase issue (the log patch went in, and i had "fixed" the import in my patchset >.<
[17:46] <morganfainberg> that should resolve bug 1251123 for icehouse, provided you don't issue more than 1 token per ~10s for a given user (all day long)
[17:46] <uvirtbot> Launchpad bug 1251123 in keystone/havana "_update_user_list_with_cas causes significant overhead (when using memcached as token store backend)" [High,In progress] https://launchpad.net/bugs/1251123
[17:46] <morganfainberg> well, almost fix it... still 2 more changes, but very close.
[17:47] <morganfainberg> and it looks like the fix i proposed to stable/havana might need a quick additional test, but otherwise should be pretty solid.
[17:51] <stevemar> dolphm, ping
[17:51] <dolphm> stevemar: pong
[17:52] <stevemar> dolphm, did you chat with marekd?
[17:52] <dolphm> stevemar: briefly
[17:52] <stevemar> dolphm, i think he's wondering if he should proceed with his auth via apache modules?
[17:52] <dolphm> stevemar: has there been any progress on the alternative approach in code review? i haven't kept up
[17:53] <stevemar> dolphm, no, just the 1 patch set
[17:53] <dolphm> any reviews?
[17:54] <stevemar> dolphm, a few from ayoung and arvind
[18:00] <Apsu> vishy: ping
[18:00] <mfer> folks, I've got a naming question for projects. for bindings/sdks we call them clients. Is there a reason for this?
[18:00] <mfer> I ask because I've taken on the golang client. But, a golang binding or sdk might be a more common name. I'm wondering where the client name came from
[18:09] <gyee_> stevemar, for federation, are we going with the apache approach or both? I am trying to prioritize code review
[18:09] <gyee_> for IceHouse I mean
[18:10] <Apsu> vishy: If you can checkout https://review.openstack.org/#/c/56381/ when you're around, that'd be swell.
[18:12] <stevemar> gyee, i'm not sure what was decided on tuesday (if anything was)
[18:13] <gyee_> stevemar, do we even have time for the other? :)
[18:25] <stevemar> gyee: i like the way you think ;)
[18:29] <yjiang5_1> BobBallAway: pong
[18:31] <morganfainberg> gyee_, I think we have time for the other implementation... but.....
[18:31] <morganfainberg> gyee_, it may be cutting it close
[18:32] <morganfainberg> and require a lot of effort above and beyond to squeeze it in
[18:32] <morganfainberg> i might be overly optimistic though
[18:37] <morganfainberg> ayoung, i was actually waiting for jenkins to not complain before re-approving that patchset :P
[18:38] <morganfainberg> not that i think it would have
[18:38] <ayoung> ah, yeah, you are right.  Figure you were just holding off to have a second opinion
[18:38] <morganfainberg> ayoung, i don't think this will be an issue though
[18:40] <morganfainberg> ayoung, the more i'm digging around in the token code, the more i look forward to revocation events
[18:40] <morganfainberg> ayoung, >.>
[18:40] <ayoung> morganfainberg, working on it now
[18:40] <ayoung> morganfainberg, I need a config switch in order to test them
[18:41] <morganfainberg> ayoung, cool! i'm going to bring the rest of the kvs stuff back from abandoned so we are all on dogpile for non-sql token stuffs
[18:41] <ayoung> I need to shut down the existing delete-upon-revoke code
[18:41] <morganfainberg> ayoung, ah yes.
[18:41] <ayoung> trying to figure out what to call it
[18:41] <morganfainberg> ayoung, i _think_ you can also circumvent the user-token-index stuff
[18:41] <morganfainberg> in kvs
[18:41] <ayoung> that is the idea
[18:41] <ayoung> a switch to shut all that down
[18:42] <morganfainberg> ayoung, possibly something like "legacy_revocation_list" ?
[18:42] <morganfainberg> or..
[18:42] <morganfainberg> "support_revocation_list"
[18:42] <morganfainberg> something like that
[18:42] <morganfainberg> since revocation events supplant that.
[18:43] <ayoung> nope
[18:43] <ayoung> revocation list is going on in parallel
[18:43] <ayoung> something more like v2_revocations
[18:43] <ayoung> or
[18:43] <ayoung> "enumerate_user_tokens"
[18:43] <morganfainberg> hm.
[18:44] <dolphm> morganfainberg: ayoung: persist_tokens = true ?
[18:44] <morganfainberg> i'd tie it to something that enables the revocation_list, since w/o the enumeration, you can't _really_ support the revocation list as is in non-sql backends
[18:44] <ayoung> I need them in parallel, since the A-T-Middleware change is going to happen second
[18:45] <ayoung> dolphm, does quite work for me
[18:45] <morganfainberg> ayoung, it's not a turn on events vs list
[18:45] <morganfainberg> it's a enable the revocation list / disable
[18:45] <morganfainberg> regardless of if events are "live"
[18:45] <ayoung> it's really more about the modification of the token backend in support of v2 token revocations
[18:45] <morganfainberg> old_style_revocations
[18:46] <morganfainberg> :P
[18:46] <ayoung> so the new revocation events will go in parallel
[18:46] <ayoung> I was thinking v2, but we have them in v3 right now as well
[18:46] <ayoung> revoke_ by_id?
[18:46] <morganfainberg> ayoung, hm. that seems like a good name
[18:46] <ayoung> I'll run with it for now
[18:47] <morganfainberg> dolphm, we're still persisting tokens, w/ events, we're just not enumerating them (if events is your revocation mechanism)
[18:47] <morganfainberg> dolphm, my guess is for Juno we should be able to work towards ephemeral tokens
[18:48] <dolphm> morganfainberg: ++ but the core behavior we can change is not persisting tokens, for which a side effect is the revocation list is empty/broken/not available
[18:48] <morganfainberg> dolphm, aye.
[18:49] <morganfainberg> dolphm, maybe we'll tie that to the revoke_by_id option.  i'm thinking that is more descriptive in either case.
[19:18] <markwash> russellb: looks like the "openreviews.txt" parts of reviewstats have stopped updating on your site, not sure what's up (reviewstats is still running fine on my laptop)
*** jtomasek has quit IRC19:18
*** kgriffs is now known as kgriffs_afk19:19
*** gokrokve has quit IRC19:20
*** sushils has quit IRC19:22
*** mnaser has joined #openstack-dev19:22
*** ruhe is now known as ruhe_19:23
*** willingc has quit IRC19:24
*** jnoller has joined #openstack-dev19:25
*** Mandell has quit IRC19:26
*** gokrokve has joined #openstack-dev19:26
*** tdruiva has quit IRC19:28
*** tdruiva has joined #openstack-dev19:29
*** boris-42 has joined #openstack-dev19:30
*** buzztroll has joined #openstack-dev19:31
gyee_ayoung, I still think we need to provide an option to sign the revocation event19:32
*** pmathews has quit IRC19:32
ayounggyee_, I think we need an option to sign anything19:32
gyee_at least have an optional field in there19:33
gyee_to hold the signature19:33
chrispetershey guys; I'm authenticating against a keystone service but when I try to GET all users I run into a 503; any ideas why? is this a role issue?19:33
gyee_503?19:34
chrispetersgyee, yes19:34
gyee_sounds like misconfiguration somewhere19:34
chrispetersgyee, hmm ok; let me ping my sysadmin19:34
*** giulivo has quit IRC19:34
chrispetersI get a 503 Service Unavailable19:34
*** ruhe_ is now known as ruhe19:36
*** ruhe has quit IRC19:36
*** kgriffs_afk is now known as kgriffs19:36
*** ecarlin has quit IRC19:37
*** spzala has quit IRC19:37
*** beagles has quit IRC19:38
*** CaptTofu has quit IRC19:39
*** CaptTofu has joined #openstack-dev19:40
_cjones_ayoung, or other keystone guys. Know why I would get this error?: (keystone.openstack.common.policy): 2014-01-13 11:34:22,067 ERROR policy _parse_check Failed to understand rule admin_on_project_filter19:40
ayoung_cjones_, did you edit that file by hand?19:40
dolphmchrispeters: dttocs just had and fixed the same issue in #openstack19:41
chrispetersdolphm, is there a url to the fix?19:41
*** Mandell has joined #openstack-dev19:42
dolphmchrispeters: i'm referring to the usage/support IRC channel19:42
_cjones_ayoung, only one field in policy.json:     "cloud_admin": "rule:admin_required and domain_id:31bdbda615a14da88ec8285ad476ce6e",19:42
dolphmchrispeters: and i mean 'just' as in 5 minutes ago... he's still online19:42
chrispetersdolphm, oh let me join that channel19:42
ayoung_cjones_, hmmm19:43
jaypipesdolphm: heyo... fresh checkout of keystone on a new VM (ubuntu 13.10), getting this when running ./run_tests.sh -V:19:43
jaypipesNo distributions at all found for netifaces>=0.5 (from -r /home/jaypipes/repos/openstack/keystone/test-requirements.txt (line 41))19:43
jaypipesknown issue?19:43
_cjones_ayoung, I'm trying now to use a newly created user in a newly created domain, to create a new user in that new domain.19:43
*** jgrimm has joined #openstack-dev19:43
ayoung_cjones_, was that based on the original policy.json or the cloud one?19:44
*** b3nt_pin has joined #openstack-dev19:44
*** CaptTofu has quit IRC19:44
_cjones_ayoung, Other than having this user an admin user.... Is there anything i need to do to make him a "domain_admin"?19:44
*** b3nt_pin is now known as beagles19:44
*** CaptTofu has joined #openstack-dev19:44
_cjones_ayoung, cloud one. Original has no concept of cloud_admin. ;)19:44
ayoungOK...one sec19:44
ayoung_cjones_, typo19:44
ayoungadmin_on_project_filter19:45
dolphmjaypipes: no, but i'm poking around... maybe --allow-external netifaces :-/19:45
ayoungshould that be "or"19:45
chrispetersdolphm, not getting a response :(19:45
_cjones_ayoung, sweet. Will change and test out. I have to take off for a bit, so I'll TTYL.19:45
ayoungnevermind19:45
ayoung_cjones_, nope19:45
ayoungthat is not it19:45
_cjones_ayoung, crap.19:45
_cjones_ayoung, k. Still have to take off. If you find something, can you PM me as I'll be AFK.19:46
ayoung _cjones_ I think your edit was wrong19:46
_cjones_ayoung, ok?19:46
russellbmarkwash: thanks, will take a look19:46
ayoungdomain_id:admin_domain_id ...19:46
*** ativelkov has left #openstack-dev19:47
ayoung_cjones_, no idea19:47
ayoung_cjones_, except that it looks like it is barfing on that rule,19:47
*** tong_ has joined #openstack-dev19:47
brownejaypipes: i ran into the same netifaces when running tox.  but i'm new, so i figured it's somehow my environment19:48
ayoung_cjones_, check to see if another API that also inherits that rule gives you the same error19:48
*** tongli has quit IRC19:50
*** novas0x2a|laptop has joined #openstack-dev19:50
*** Longgeek has joined #openstack-dev19:55
*** BLZbubba has quit IRC19:59
*** ArxCruz has quit IRC19:59
*** dhellmann_ is now known as dhellmann20:00
*** evgenyf has joined #openstack-dev20:00
*** lcheng has quit IRC20:01
*** teran has quit IRC20:02
*** Longgeek has quit IRC20:02
*** sergmelikyan has quit IRC20:02
*** nati_uen_ has joined #openstack-dev20:03
*** nati_ueno has quit IRC20:04
*** pmathews has joined #openstack-dev20:04
*** boris-42 has quit IRC20:05
*** dstanek_afk has joined #openstack-dev20:06
*** markmcclain has quit IRC20:06
*** nati_uen_ has quit IRC20:07
*** dspano has joined #openstack-dev20:07
*** nati_ueno has joined #openstack-dev20:07
*** boris-42 has joined #openstack-dev20:08
ayoung_cjones_, argh!20:08
*** jmckind has joined #openstack-dev20:09
*** DennyZhang has quit IRC20:09
*** DennyZhang has joined #openstack-dev20:09
*** ecarlin has joined #openstack-dev20:11
*** denis_makogon has joined #openstack-dev20:11
*** ecarlin has quit IRC20:11
*** markmcclain has joined #openstack-dev20:12
*** ecarlin has joined #openstack-dev20:12
*** colinmcnamara has joined #openstack-dev20:13
*** colinmcn_ has joined #openstack-dev20:13
*** exed_ has joined #openstack-dev20:13
brownejaypipes: this resolved the netifaces issue for me:20:13
*** csd has joined #openstack-dev20:13
browneexport PIP_ALLOW_EXTERNAL=netiface20:13
jaypipesbrowne: cheers! ty!20:13
browneexport PIP_ALLOW_UNVERIFIED=netifaces20:13
browneoops, first should be: export PIP_ALLOW_EXTERNAL=netifaces20:14
*** galstrom is now known as galstrom_zzz20:14
bknudsonjaypipes: netifaces is a known issue -- https://review.openstack.org/#/c/65835/20:14
*** exed_ has quit IRC20:14
dstufftbrowne: in 1.5.1 (not released yet) you'll only need export PIP_ALLOW_UNVERIFIED=netifaces since we changed it so allow unverified implies allow external20:14
bknudsonjaypipes: and check the bug -- https://bugs.launchpad.net/openstack-ci/+bug/126651320:14
uvirtbotLaunchpad bug 1266513 in tripleo "Some Python requirements are not hosted on PyPI" [Critical,In progress]20:14
*** ifarkas has quit IRC20:15
jaypipesbknudson: ty sir :)20:15
bknudsonjaypipes: so I thought I removed the requirement on netifaces?20:16
ayoungchrispeters, yeah.lets discuss your 503 here20:17
chrispetersayoung, ack20:18
ayounghttp://fpaste.org/68063/ chrispeters that seems like a successful call20:18
*** colinmcn_ has quit IRC20:18
*** colinmcnamara has quit IRC20:18
ayoungchrispeters, 503 ... you sure that is from Keystone?20:18
bknudsonchrispeters: are you running keystone under apache httpd?20:18
ayoungchrispeters, AND not something trying to talk to keystone and failing?20:18
jaypipesbknudson: you may have... just rebased my regions patch to master and am rebuilding venv now... will let you know.20:19
chrispetersayoung, so I'm using a library that is returning the 50320:19
ayoungeventlet.wsgi.server  bknudson looks like eventlet.  If it is Apache, it's misconfigured20:19
*** neelashah1 has quit IRC20:19
*** neelashah has joined #openstack-dev20:20
ayoungchrispeters, my debugging usually follows these steps:20:20
ayoung1. try it from curl20:20
ayoung2.  try it using the CL20:20
ayoung3.  If both of those succeed, look at the client ap20:21
ayoungyou are getting back a 200, which means success, someone is lying to you and blaming Keystone.  Keystone doesn't mind being slandered, though, it has broad shoulders20:21
ayoungplus it gets to laugh at you later20:22
joesavakayoung - lol20:22
* ayoung anthropomorphizes his software20:22
chrispetersayoung, ok; let me see if I can turn debugging on in the client library20:23
dspanoayoung: Lol.20:23
chrispetersayoung, blame https://github.com/fog/fog20:23
ayoungThe role of Keystone  is being played by Andy Serkis20:24
*** neelashah has quit IRC20:24
*** dstanek_afk is now known as dstanek20:24
chrispetersanyone else have issues with ruby Fog library and keystone?20:25
bknudsondoes OSSA 2014-001 say it affects "Grizzly and later" only because Folsom isn't supported anymore?20:28
ayoungchrispeters, so my guess is that it isn't the get users call that is failing20:29
chrispetersayoung, oh yeah??20:29
ayoungmy guess Fog is trying  something  afterwards, based on the service catalog, and that is the call that is failing20:29
chrispetershmm20:30
chrispetersthat would be shitty20:30
*** doug_shelley66 has quit IRC20:30
chrispetersayoung, let me dive into this code and trace the call stack20:30
*** doug_shelley66 has joined #openstack-dev20:31
*** DennyZhang has quit IRC20:31
bknudsonok, looks like the code for OSSA 2014-001 isn't in folsom.20:31
terrylhoweI haven't had a problem with Fog and keystone20:31
chrispetersterrylhowe, oh yeah!?20:32
chrispetersterrylhowe, my test code fails as soon as I try to get all users20:32
terrylhoweyou using openstack as the provider I take it20:32
chrispetersterrylhowe, yeah20:33
chrispetersterrylhowe, http://fpaste.org/68074/45228138/20:33
chrispetersoh man; is it a jruby problem?20:34
terrylhoweSimple project I worked on was https://github.com/TerryHowe/kitchen-fog/blob/master/lib/kitchen/driver/fog.rb20:34
*** amotoki has joined #openstack-dev20:34
mutexbelliott: pingveno20:35
mutexbelliott: ping20:35
*** amotoki_ has quit IRC20:36
chrispetersayoung, btw I haven't filed that bug about tenantName vs tenantname; where do I submit?20:36
*** bvandenh has joined #openstack-dev20:36
ayoungchrispeters, no bug there20:37
chrispetersayoung, user error20:37
chrispetersheh20:37
ayoungchrispeters, I misunderstood what you were telling me20:37
chrispetersayoung, ah ok20:37
ayoungyou weren't passing in the tenantName at all , and thus got an unscoped token with not roles in it20:37
chrispetersright20:38
chrispetersok cool20:38
*** jnoller has quit IRC20:38
*** buzztroll has quit IRC20:39
chrispetersayoung, sent you pastebin20:39
chrispetersin pm because it might have sensitive data20:39
*** buzztroll has joined #openstack-dev20:39
ayoungchrispeters, yeah, and I'm going googlieyed reading it20:39
chrispetersayoung, welcome to the club :)20:39
*** buzztroll has quit IRC20:39
*** buzztroll has joined #openstack-dev20:40
*** radix_ has left #openstack-dev20:40
jaypipesbknudson: yup, after rebasing, no more issue with netifaces. cheers.20:41
* chrispeters ponders how to pretty print excon output20:41
terrylhowechrispeters everything looks on the up and up to me20:41
ayoungchrispeters, you are certain that comes from the get users call, and not something afterwards?20:41
*** kenperkins has quit IRC20:41
bknudsonjaypipes: great, thanks... nice to know the change worked as expected.20:41
chrispetersayoung, that I don't know; if I just inspect the connection I don't get an error20:41
chrispetersayoung, so it's highly likely there is a call happening after the get all users call20:41
chrispetersterrylhowe, ack20:42
chrispetersayoung, http://fpaste.org/68074/45228138/20:42
ayoungthat talks to 3535720:42
ayoungbut your squid is on some other port20:42
ayoung808020:43
ayoungcan it even forward over to 35357?20:43
*** pmathews1 has joined #openstack-dev20:43
*** jergerber has joined #openstack-dev20:44
*** pmathews has quit IRC20:44
*** jergerber has quit IRC20:44
*** yeylon_ has joined #openstack-dev20:45
chrispetersayoung, I don't know; I didn't even see that20:46
ayoungchrispeters, blame the proxy.  It is always the proxies faulyt20:46
ayoungfault20:46
ayoungunlike Keystone20:46
chrispetersayoung, :)20:47
*** buzztroll has quit IRC20:47
chrispetersayoung, ok I'm going to beg, borrow, and trade for Dan to look at the proxy20:48
ayoungchrispeters, try running it from inside the VPN or somehow remove the Proxy from the equation20:49
ayoungchrispeters, but this is yet another reason I don't want to run Keystone on a non-standard port20:49
ayoungIt's the web, it should be on 44320:49
chrispetersayoung, I agree; I'm just caught up in the middle20:50
ayoungJokers to the left, clowns to the right20:50
chrispetersoh noes; where am I?20:50
chrispetersboth sound bad20:50
chrispetersmiddle; I chose middle20:50
*** melwitt has joined #openstack-dev20:51
*** fbo_away is now known as fbo20:53
*** mkollaro has quit IRC20:54
*** fbo is now known as fbo_away20:54
*** READ10 has quit IRC20:54
*** DinaBelova has quit IRC20:55
*** nati_uen_ has joined #openstack-dev20:55
*** amotoki is now known as amotoki_20:56
*** amotoki has joined #openstack-dev20:56
*** dkuffner has joined #openstack-dev20:56
*** jaypipes has quit IRC20:58
*** yamahata has quit IRC20:58
*** yamahata has joined #openstack-dev20:58
*** nati_ueno has quit IRC20:59
*** beagles is now known as b3nt_pin20:59
*** gongysh has joined #openstack-dev20:59
*** b3nt_pin is now known as beagles21:00
*** Longgeek has joined #openstack-dev21:00
*** mfink has joined #openstack-dev21:01
*** emagana has joined #openstack-dev21:01
*** csd has quit IRC21:02
dstanekprocess question...why would I +2 something and not approve if there is already a +2?21:03
*** fbo_away is now known as fbo21:04
*** rods has joined #openstack-dev21:05
*** Longgeek has quit IRC21:05
morganfainbergdstanek, i can think of a few reasons21:05
morganfainberg1) you want someone else opportunity to review/look at (but usually a +1 is better at that point21:05
morganfainberg2) waiting for jenkins "check" to complete21:05
*** ecarlin has quit IRC21:06
*** NikitaKonovalov has joined #openstack-dev21:06
*** yolanda has quit IRC21:06
morganfainberg3) Things like identity-api where we tend to let lots of people +2+1+whatever-something it before we merge21:06
morganfainbergdstanek, (#3 is really #1, just in disguise, and not really anything beside an observation vs. a hard-fast-rule)21:07
morganfainbergafaict21:07
*** jtomasek has joined #openstack-dev21:07
*** uaberme has joined #openstack-dev21:07
dstanekmorganfainberg: thx, that makes sense - #2 is what i was missing21:07
morganfainbergdstanek, yeah that happens a lot on things like rebases21:07
*** evgenyf has quit IRC21:08
morganfainbergdstanek, so, i am about to propose some test fixes (likely tonight) to support the parallel testing, notably i think we need to cleanup the load_backends calls (make it so it can only occur once in a test setup)21:09
morganfainbergdstanek, the only issue i'm running across is where a test does an explicit change to the config that needs a load_backends21:09
morganfainbergdstanek, those, likely, should be broken out into their own class, or am i missing some decorator magic etc that can be called prior to setUp in those cases?21:10
morganfainbergoooooor21:10
morganfainbergis this a "solve with testresources and fixtures... stop messing with it" answer?21:10
*** ecarlin has joined #openstack-dev21:11
dstanekmorganfainberg: so certain test methods modify the configs and call load_backends?21:11
morganfainbergdstanek, currently right now they do21:11
morganfainbergdstanek, i am thinking that is "broken" heck, i think that for the most part we rely too much on "configs" in the tests dir21:11
morganfainbergi'd like to see a reduction in configuration files21:11
dstanekmorganfainberg: my first thought is that those should be in a different class so that the setUp can deal with modifying the config before load_backends is called21:12
morganfainbergdstanek, ok that is my thought as well21:12
morganfainbergdstanek, cool, making sure i wasn't off in the weeds with that line of throught21:12
morganfainbergthought*21:12
morganfainbergdstanek, once i get these proposed i'm going to make load_backends raise an exception if it's called more than once.21:13
morganfainbergit shouldn't be.21:13
morganfainbergever.21:13
morganfainbergand we should always do a full tear down (addCleanup) to remove the properties, which i'll also add.21:13
morganfainberge.g. token_api, etc21:13
belliottmutex: not sure what you're missing21:14
belliottmutex: the logging config seems reasonable21:14
*** colinmcnamara has joined #openstack-dev21:15
*** colinmcn_ has joined #openstack-dev21:15
mutexbelliott: well at least you are validating that my methods are sane ;-)21:15
*** READ10 has joined #openstack-dev21:15
dstanekmorganfainberg: did you ever chase down the jenkins failure?21:15
*** galstrom_zzz is now known as galstrom21:15
*** bvandenh has quit IRC21:15
*** cagrev has quit IRC21:15
belliottmutex: basically as soon as the nova.compute.api module gets imported you should see 'found extension' messages from stevedore21:16
belliottmutex: perhaps the import doesn't occur until after you go to create an instance (i.e. not at nova-api startup)21:16
*** evgenyf has joined #openstack-dev21:16
belliottmutex: make sure you're using the same python and your hook code is on sys.path :)  (double check the obvious)21:18
mutexbelliott: heh, ok21:18
belliottmutex: you can always do the ghetto thing and put a 'raise' into _load_plugins in stevedore.extension to make sure it's being called21:19
*** tong_ has quit IRC21:19
*** colinmcn_ has quit IRC21:19
*** colinmcnamara has quit IRC21:19
mutexbelliott: and if it is not being called ?21:20
*** radez is now known as radez_g0n321:21
belliottmutex: that probably means you're not running the python you think you are, heh21:21
morganfainbergdstanek, i think it's because kvs backend is called sometimes21:21
morganfainbergdstanek, vs. sql.21:21
*** ecarlin has quit IRC21:21
morganfainbergdstanek, it means we are not properly ensuring the right backend is loaded21:21
morganfainbergdstanek, so, thats why i am thinking we should never ever call load_backends more than once in a test21:22
dstanekmorganfainberg: i absolutely agree. that's really a setup step so we should treat it like one.21:23
morganfainbergdstanek, so i'll be dropping like 3-5 patches to get that cleaned up21:23
morganfainbergone has to change how we do configuration options for the BaseLDAP object21:23
morganfainbergbut i think i see all the bits that need to be done21:24
*** Drankis has quit IRC21:24
morganfainbergand... one of them is limiting the number of configuration files (we should allow overrides via a conf, but if we expect the config options, we should set it, not load it externally)21:24
morganfainbergharder to see "what" is being done if you keep needing to reference outside configuration files.21:25
*** bauzas has joined #openstack-dev21:25
morganfainbergdstanek, i'm also not convinced loading the "sample" config is the right choice.21:25
morganfainbergdstanek, it seems... silly to load keystone.conf.sample21:25
morganfainbergany opinion (since i'm already mucking with config stuff in tests)21:25
morganfainberg?21:25
*** hartsocks has joined #openstack-dev21:26
*** sarob has joined #openstack-dev21:28
dstanekmorganfainberg: i'd rather now read configs and wire stuff up in the tests...not sure how easy that is for us to do right now21:29
morganfainbergdstanek, s/now/not?21:29
morganfainbergthe first now that is21:29
morganfainbergi am thinking we provide a couple of files we can supply overrides in (e.g. live tests)21:30
*** mrodden has quit IRC21:30
morganfainbergand a basic "load this file if you want to check things"21:30
morganfainbergw/o needing to wire up an option change21:30
*** RajeshMohan has quit IRC21:30
*** evgenyf has quit IRC21:30
morganfainbergso maybe 1-3 files that are empty to begin with, but are loaded in.21:30
*** RajeshMohan has joined #openstack-dev21:31
morganfainbergbut otherwise all options wired up in the tests21:31
mutexbelliott: well... so far as I can tell the paths are in sys.path, only difference between environments I can see is /usr/lib64 and /usr/lib seem to be done interchangeably in nova21:31
mutexbelliott: vs what I run in /usr/bin/python21:31
ayoungmorganfainberg, might have just hit a show stopper.  Check me on this.  We want to revoke all tokens for a group.  But we don't put user groups into a token.21:31
mutexplugins doesn't seem to trigger... so I am lost now21:32
ayoungcurrent logic is to revoke all tokens for  identity-lookup user is member of group.  But that seems wrong, too21:32
morganfainbergayoung, there is a way to get around that, can you inspect the user's groups?21:32
morganfainbergayoung, oh wait... auth_token_middleware21:32
morganfainbergno.21:32
morganfainbergayoung, uhm, this is a case where adding the groups makes sense?21:33
*** cagrev has joined #openstack-dev21:33
morganfainbergi know it's token bloat, but this is a valid reason to add data i think21:33
ayoungUm...but what does it mean to delete a group?21:33
dstanekmorganfainberg: right - rather not :-)21:33
ayoungWe shouldn't revoke all tokens for all users in that group, which is what we do now21:33
ayoungand is overkill21:33
morganfainbergayoung, well, groups can impart role membership21:34
* ayoung acks that you can never have too much overkill21:34
morganfainbergayoung, if you delete a group, that role membership is no longer valid21:34
ayoungright, so we should revoke all tokens that would have been created based on that group21:34
morganfainbergayoung, s/membership/mapping21:34
morganfainbergayoung, i'm fine if we can be more surgical about it21:34
ayoungwhich might be impossible to calculate21:34
*** irenab_ has joined #openstack-dev21:34
morganfainbergayoung, exactly21:34
*** csd has joined #openstack-dev21:35
morganfainbergayoung, i don't think we have really tried.21:35
ayoungso...huh21:35
morganfainbergayoung, but it is theoretically possible, just may be very inefficient21:35
ayoungI add you to a group, then I remove you from a group...and all your tokens go away21:35
morganfainberg(i mean, it has to be possible... just how hard is it)21:35
ayoungjust so as to mess with you21:35
*** dprince has quit IRC21:35
morganfainbergi think... think you can do role memberships for group...21:36
ayoungno, I think it is not theoretically possible unless we annotate in the token that the group somehow played a part in the decision21:36
morganfainbergand that should give you domain / project info21:36
*** henrynash has joined #openstack-dev21:36
morganfainbergthen do a for user in group revoke <domain> <user> and <project> <user> tokens21:36
ayoungthe group connection is used to create the role assignment, but then is dropped21:36
morganfainbergbut since we can do a forward resolution to make the role assignment, we could re-do that21:36
ayoungmorganfainberg, we can't do "for user in group"21:37
morganfainbergoh right, external IdP21:37
morganfainbergthanks.21:37
*** SergeyLukjanov has quit IRC21:37
morganfainbergbrain is in "tests and kvs" mode21:37
ayoungthat and also Auth Token Middleware would end up spamming the Keystone server21:37
morganfainbergoh no i was thinking it was a mechanism in keystone21:37
*** neelashah has joined #openstack-dev21:37
morganfainbergthat would generate extra revocations21:37
morganfainbergmiddleware would still consume it21:37
ayoungit would be more correct to look at all role assignments created from that group and to revoke tokens with those role assignments21:38
*** herndon_ has quit IRC21:38
morganfainbergwait, so if we delete a group, do role assignments get removed now?21:39
*** corXi has joined #openstack-dev21:39
ayoungmorganfainberg, well, I don't think we do the cleanup21:39
morganfainbergayoung, hm.21:39
ayoungand I'm not certain we need to, but effectively that is what we want to enforce21:39
morganfainbergif we use groups to impart roles21:39
morganfainbergwe should enforce that21:40
ayoungwe need to record it21:40
morganfainbergyeah21:40
ayoungthe token needs to know that the role assignment came via the token21:40
morganfainbergand make sure another group doesn't impart the same assignment21:40
morganfainberghmmm.21:40
ayoungmorganfainberg, well, that should be an edge case21:41
ayoungstrictly speaking you are correct21:41
*** vartom1111111117 has joined #openstack-dev21:41
morganfainbergayoung, i think it's not as much of an edge case as you think21:41
*** RajeshMohan has quit IRC21:41
morganfainberggroup A has read-write to <project>, group B has stats/read to <project>21:41
morganfainbergyou remove the group B21:41
morganfainbergall tokens are invalid for users in the overlap?21:41
*** cagrev has quit IRC21:41
morganfainbergor if someone is in a read-write and read-only group overlap21:42
morganfainbergor... readonly domain, read-write project, etc21:42
ayoungthe current nasty logic is if I remove group B all tokens for users that were members of group B are revoked21:42
ayoungwhich is broken in its own right21:43
morganfainbergayoung, it's admittedly a hammer21:43
morganfainbergsledgehammer that is21:43
dstanekbknudson: does https://review.openstack.org/#/c/60983/ need to be reapproved?21:44
bknudsondstanek: it's not going to merge if it's not approved.21:44
morganfainbergok, so maybe logic looks like this:  we know what roles a group _can_ impart.  look at users with those roles.  look at the groups for the user, calculate if another group matches that role assignment, and revoke if not?21:45
morganfainbergayoung, ^ might be overkill still / sloooowww21:45
morganfainbergunless we had a quick-lookup of group -> role assignment21:45
*** BLZbubba has joined #openstack-dev21:45
*** colinmcnamara has joined #openstack-dev21:45
*** colinmcn_ has joined #openstack-dev21:46
*** colinmc__ has joined #openstack-dev21:46
*** herndon_ has joined #openstack-dev21:46
*** RajeshMohan has joined #openstack-dev21:46
*** vartom1111111118 has joined #openstack-dev21:47
*** joesavak has quit IRC21:47
dstanekbknudson: i put in my 2 cents then21:47
mutex /window 621:47
ayoung morganfainberg I'll think on this, but I think the right solution is to add group info to the token, and then to revoke all tokens where that group was used in token creation.  Period21:48
ayoungdolphm, read up on my conversation with morganfainberg , if you would, and tell me if you agree with my assessment21:49
morganfainbergayoung, that is the slightly smaller hammer method, not as surgical as i could argue it should be, but i'm not opposed to it21:49
*** vartom1111111119 has joined #openstack-dev21:49
morganfainbergayoung, at the very least, it's a good starting spot21:49
*** vartom1111111117 has quit IRC21:50
*** vartom1111111118 has quit IRC21:52
*** irenab_ has quit IRC21:53
dolphmayoung: morganfainberg: reading back..21:53
*** buzztroll has joined #openstack-dev21:53
*** irenab_ has joined #openstack-dev21:53
dolphmayoung: regarding revoke all tokens for a group?21:53
ayoungdolphm, for the revocation events, I think we will want to add the group info into the token21:55
ayoungdolphm, then the logic would be group_delete->revoke all tokens that contain groups[group_id]21:57
*** colinmcnamara has quit IRC21:59
*** chrispeters has quit IRC21:59
*** colinmcnamara has joined #openstack-dev21:59
*** Mandell has quit IRC22:00
dolphmayoung: morganfainberg: so, i think there's a middleground between overkill and surgical that's maybe been overlooked...22:00
*** evgenyf has joined #openstack-dev22:00
* ayoung is hoping for *easy*22:00
*** yeylon_ has quit IRC22:01
*** tqtran1 has joined #openstack-dev22:01
dolphmayoung: morganfainberg: groups effectively map users->projects or users->domains; given a set of group assignments + group membership, you can compute a fairly fine-grained list of user+project pairs or user+domain pairs to issue revocation events for22:01
*** xmltok_ has quit IRC22:01
dolphmayoung: morganfainberg: there would be zero unaffected projects/domains or users22:01
dolphmand you don't have to include group data in the token22:02
*** tqtran has quit IRC22:02
ayoungdolphm, so upon group delete revoke all tokens for affected projects?22:02
dolphmayoung: user+project pairs, but yes22:02
*** jdob has quit IRC22:02
*** colinmc__ has quit IRC22:02
*** colinmcn_ has quit IRC22:02
ayoungdolphm, not certain we have user+project pairs available22:03
ayoungwe don't know the user list22:03
ayoungthinking Federated22:03
dolphmayoung: this has to be implemented somewhere https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-users-who-are-members-of-a-group-get-groupsgroup_idusers22:03
*** Longgeek has joined #openstack-dev22:04
*** pcm_ has quit IRC22:04
*** Mandell has joined #openstack-dev22:04
ayoungdolphm, we can only keep that if we do ephemeral usersid, and then it will only be for users that have logged in to keystone.  It would solve the group issue, but at a very high cost22:04
ayoungephemeral user records are really akin to ephemeral token records22:05
ayoungsomething I'd like to avoid if possible22:05
dolphmayoung: ++++++22:05
dolphmayoung: didn't consider that22:05
dolphmayoung: then i vote for adding groups to tokens :-/22:05
dolphmi think.22:05
*** jasondotstar has quit IRC22:05
dolphmit's messy in that no one else would care, but they are technically user attributes that express authorization... so it's intuitive22:06
ayoungyeah, I think it makes sense.  We can let that one bake on the slow cooker for a few days before we choose to consume it22:06
ayoungdolphm, OTOH, maybe we just say "you can't delete a group"22:06
dolphmayoung: a group with members?22:06
ayoungall you can do is remove the role assignments so they can't be used in the future22:06
ayoungI mean you don't revoke tokens based on group delete22:07
morganfainbergayoung, we could add a notification callback for that mechanism for the internal IdP22:07
*** ekhugen has quit IRC22:07
morganfainbergif the "Extensions" notification stuff works22:07
ayoungits is unlikely that, in the Federated case, we would ever get a group delete event22:07
dolphmmorganfainberg: did that merge?22:07
morganfainbergand assume non-SQL specific identity backends can't do that resolution22:07
morganfainbergdolphm, it was in process22:07
morganfainbergdolphm, let me check22:07
ayoungbut the same problem is there, I think for role assignments based on group membership22:07
*** mfer has quit IRC22:07
*** amotoki has quit IRC22:07
ayoungand that is the one we will see.22:07
morganfainberglooks like it's up for review again22:07
morganfainberghttps://review.openstack.org/#/c/57811/22:07
ayoungNotifications are not the solution22:08
*** sushils has joined #openstack-dev22:08
*** Longgeek has quit IRC22:08
morganfainbergayoung, i think to start we go w/ apply groups into the tokens22:08
ayoungmorganfainberg, MorganStanley is not going to send out a "group deleted" event when their internal LDAP changes22:08
ayoungyeah22:08
morganfainbergayoung, dolphm, we can refine it more once we play with it.22:09
*** buzztroll has quit IRC22:09
morganfainbergthat kind of refinement can come post I-2 if we aren't changing API affecting stuff22:09
dolphmayoung: i'm always led back to short-lived tokens as the solution to these issues..22:09
ayoungmorganfainberg, but... we only need that for non-ephemeral tokens22:09
ayoungdolphm, heh22:09
ayoungJinks!22:09
*** buzztroll has joined #openstack-dev22:10
morganfainbergayoung, aye, which ... hopefully we get there?22:10
morganfainberg;)22:10
*** rods has quit IRC22:10
morganfainbergoh, right reminds me i want to propose a patch that reduces default TTL from 86400 (or resurrect that one from havana) to something a bit more sane22:10
ayoungOK...I'll take this as a todo...time to go into Dad mode.22:10
*** jobewan has quit IRC22:10
ayoungmorganfainberg, that will break things...we can discuss at the hackfest22:10
morganfainbergayoung, that was the plan22:11
*** lcheng has joined #openstack-dev22:11
*** ayoung is now known as ayoung_dadmode22:11
dolphmmorganfainberg: i proposed an hour a while back22:11
morganfainbergdolphm, that was the one i was referencing22:12
*** bswartz has quit IRC22:12
*** hartsocks has quit IRC22:12
dolphmmorganfainberg: i think bknudson blocked it?22:12
dolphmmaybe we should cut it in half every release :P22:12
morganfainbergdolphm, iirc it was too late to change it22:12
bknudsonwhat did I block?22:12
morganfainbergthis time we're pre-I2 so worth considering22:13
morganfainbergmight have been ayoung who blocked it22:13
dolphmbknudson: reducing default token lifespan from 24 hours to 122:13
dolphmbknudson: i think you had a concern with devstack specifically?22:13
bknudsonI don't think I would have a problem with that now.22:13
bknudsonif I did before.22:13
*** yamahata has quit IRC22:13
*** peristeri has quit IRC22:13
*** corXi has quit IRC22:14
*** buzztroll has quit IRC22:14
*** jtomasek has quit IRC22:15
morganfainbergdolphm, do you think that 10k tokens active for a given user is a sane amount to set the upper limit at?22:15
*** cagrev has joined #openstack-dev22:15
morganfainbergdolphm, the logic i proposed for havana's memcache backend sets the upper limit around 10k based on bad-back-of-the-napkin math22:15
morganfainbergbknudson, ^22:15
bknudsonI think 2 tokens should be enough.22:16
morganfainbergwith default expiry, that's 1 token issued every 10 seconds all day long being the upper limit22:16
bknudsonmorganfainberg: where do you get 10k from?22:16
*** vijendar has quit IRC22:16
morganfainbergbknudson, 1MB memcache page size, 32 byte token uuid hex, 27 byte iso-timestamp string, overhead for tuple, overhead for list22:16
morganfainberg~100bytes per token in the index.22:17
bknudsonmorganfainberg: you can't go over 1 page?22:17
morganfainbergthere is also some implicit pickle overhead.22:17
morganfainbergbknudson, no, there is no logic to bridge pages atm22:17
bknudsonhow about if you add a link from one page to the next page when it gets too big?22:17
dstanekbknudson: not for a single key you can't22:17
morganfainbergbknudson, i was thinking about that, doing an index page of pages22:17
_cjones_ayoung, Okay... mysteriously my previous issue went away. (I didn't change anything. I just attempted again)22:18
dstanekmorganfainberg: do we have a problem with eviction?22:18
morganfainbergdstanek, no, just if all tokens are active we don't pull them out of the index22:18
morganfainberge.g. non-expired, non-revoked22:18
dstanekmorganfainberg: but memcache can evict data for you22:18
morganfainbergdstanek, that is a separate issue22:18
morganfainbergdstanek, memcache is a poor choice for stable storage of data22:19
bknudsonmorganfainberg: you'd probably have to ask an operator if there's any problems with limiting # of active tokens to 10k.22:19
morganfainbergbut doesn't mean people don't use it for tokens22:19
bknudsonor whatever the limit is.22:19
dstanekmorganfainberg: that's putting it lightly22:19
*** uaberme has quit IRC22:19
morganfainbergbknudson, i have one operator that doesn't see it as an issue22:19
morganfainberghttps://review.openstack.org/#/c/66149/22:19
morganfainbergit's the same logic as we have coming for icehouse (just not through dogpile)22:19
bknudsonmorganfainberg: how did they find out? a database query?22:19
dstanekmorganfainberg: interesting because even with a ton of memory there will be a limited number of 1M slabs22:20
morganfainbergbknudson, if you can issue tokens, you haven't hit the page limit22:20
morganfainbergbknudson, it's ... an issue i ran across in essex22:20
dolphmbknudson: ... in that case https://review.openstack.org/#/c/66449/ (cc- ayoung_dadmode morganfainberg)22:20
morganfainbergwith a customer that had 60k tokens22:20
*** loquacities has joined #openstack-dev22:20
dolphmmorganfainberg: 10k seems really high22:20
*** mrodden has joined #openstack-dev22:21
morganfainbergdolphm, it only would affect things like memcache w/ a fixed page size22:21
morganfainbergsql suffers from other issues but not that one22:21
morganfainberganyways.  bbib22:21
morganfainbergmeeting time22:21
*** csaba|afk is now known as csaba22:21
dolphmbknudson: 2 is closer in magnitude to my intuition lol22:21
*** mikeoutland has joined #openstack-dev22:21
morganfainbergdolphm, i could see a case of one token per domain, and one per project, and one unscoped22:21
morganfainbergbeing the absolute upper limit22:22
*** loquacities has quit IRC22:22
morganfainbergassuming domain scoped tokens are kept22:22
*** Loquacity has joined #openstack-dev22:22
*** yamahata has joined #openstack-dev22:22
morganfainbergabsolute upper limit = generally "required" tokens22:22
*** gongysh has quit IRC22:23
*** doug_shelley66 has quit IRC22:23
bknudsonmorganfainberg: I guess I was assuming per auth domain or whatever you would call it... you'd want 2 in the case where 1 was about to expire.22:23
*** hartsocks has joined #openstack-dev22:23
*** salv-orlando has joined #openstack-dev22:23
*** buzztroll has joined #openstack-dev22:23
dolphmmorganfainberg: yeah-- so what does that look like as a static number in the default case?22:23
dolphmmorganfainberg: ... and what happens when you exceed it?22:24
dolphm403 on auth?22:24
dolphm:-/22:24
bknudsonwhat if you have 5000 domains? then you'd need more than 10k tokens.22:24
dolphmbknudson: i'd say you need to manually raise the limit, if we had one22:24
dolphmand you had a legit use case to need tokens for all of them at once22:24
bknudsonthe limit is imposed by memcache22:24
bknudsonmorganfainberg: right?22:24
*** glenng has quit IRC22:25
_cjones_ayoung, It seems to fail for this reason on first attempt of create_user: ERROR policy _parse_check Failed to understand rule admin_on_project_filter22:25
mutexbelliott: also, i am running these hooks on the compute node side... are these designed to be run on the controller ?22:25
_cjones_ayoung, On second attempt, I get this failure: WARNING wsgi __call__ You are not authorized to perform the requested action, identity:create_user.22:26
dolphmbknudson: yes22:28
dolphmbknudson: the final upper limit22:28
dolphm_cjones_: are you specifying a tenant/project id/name on the CLI?22:29
*** Loquacity has quit IRC22:29
dolphm_cjones_: or for whatever token you're generating?22:29
*** Loquacity has joined #openstack-dev22:29
*** Loquacity has quit IRC22:30
_cjones_ayoung, I'm using json/curl. And no project for token. Just domain.22:30
*** Loquacity has joined #openstack-dev22:30
_cjones_ayoung, correction. Project & Domain specified in token req.22:30
*** Squid56 has left #openstack-dev22:31
*** ArxCruz has joined #openstack-dev22:31
*** morazi has quit IRC22:32
_cjones_ayoung, As per your blog entry, I specify "scope": { "project": { "domain": { "name": "foo"}, "name": "demo"}}}22:32
_cjones_ayoung, and I have created a domain named "foo" and a project named "demo" bound to domain "foo".22:33
_cjones_ayoung, Must I specify additional  "methods" in the token request? Currently I only have "password"?22:34
belliottmutex: the create_instance only fires on the nova-api node :)22:36
*** buzztroll has quit IRC22:36
*** salv-orlando_ has joined #openstack-dev22:37
*** dkranz has quit IRC22:37
*** mkollaro has joined #openstack-dev22:37
*** chrispeters has joined #openstack-dev22:37
*** salv-orlando has quit IRC22:38
*** salv-orlando_ is now known as salv-orlando22:39
* mutex scratches his head22:39
mutexbelliott: alright man, I don't know what to tell you the stevedore code doesn't seem to run at all22:39
*** jmckind has quit IRC22:40
*** thomasem has quit IRC22:41
belliottmutex: you can't run the hooks on the compute node side22:41
belliottmutex: or let me rephrase, you can't use the create_instance hook22:41
*** sgordon has quit IRC22:41
*** vladikr has quit IRC22:42
*** cagrev has quit IRC22:43
_cjones_dolphm, I'll do some more detailed debugging on my end and see if I can't get a better reason for the failure.22:45
dolphm_cjones_: your scope is for a project, not a domain22:45
dolphm_cjones_: if you're trying to consume domain-level role authz, that won't do it22:45
*** tqtran has joined #openstack-dev22:46
mutexbelliott: well.... that sounds like my problem then!22:46
_cjones_dolphm, I thought that would be okay because I was part of both the domain and the project.22:46
*** yamahata has quit IRC22:46
mutexbelliott: do I need to use the extension framework to run something on the compute node ?22:46
dolphm_cjones_: the domain you're providing is only namespacing the project22:46
dolphm_cjones_: "scope": { "domain": { "name": "foo" }}}22:46
_cjones_dolphm, So the correct syntax should be... exactly.... thanks.22:46
belliottmutex: you can modify the code and add hooks there if you want.  otherwise you can only hook the create_instance on your api node(s)22:47
_cjones_dolphm, I'll give that a whirl. brb.22:47
belliottmutex: it's a 1 liner to add arbitrary hooks wherever you want22:47
*** _cjones_ has quit IRC22:47
*** _cjones_ has joined #openstack-dev22:48
mutexah, yeah I'll just create one in my hypervisor driver22:48
*** jayg is now known as jayg|g0n322:48
dolphm_cjones_: i'm reading the docs to point you to an example... but they fall short of providing an example for domain level scope :(22:48
*** vladikr has joined #openstack-dev22:48
*** tqtran1 has quit IRC22:49
*** eharney has quit IRC22:51
*** rwsu has quit IRC22:52
*** bauzas has quit IRC22:52
*** dkuffner has quit IRC22:52
*** safchain has quit IRC22:53
*** salv-orlando has quit IRC22:53
*** mattymo has quit IRC22:54
*** mattymo has joined #openstack-dev22:55
*** doug_shelley66 has joined #openstack-dev22:55
*** Ryan_Lane has quit IRC22:55
*** CaptTofu has quit IRC22:56
*** colinmcnamara has quit IRC22:56
*** jgrimm has quit IRC22:56
dhellmannmutex: you're having a problem with stevedore?22:56
*** mikeoutland has quit IRC22:57
_cjones_dolphm, I'd go off on how the docs fall short in many areas, but I need friends here. :P22:58
dolphm_cjones_: no, PLEASE file bugs with criticisms!22:59
*** vartom1111111111 has joined #openstack-dev22:59
_cjones_dolphm, Already filed one. When I'm done experimenting around, I'll review my notes and file where necessary. Okay? :)22:59
*** achampion has quit IRC23:00
*** vartom1111111112 has joined #openstack-dev23:00
_cjones_dolphm, Can you point me to the current URL that is lacking. I'll add to my notes and remember to file against.23:00
_cjones_?23:00
*** kevinconway has quit IRC23:00
*** vartom1111111119 has quit IRC23:01
*** vartom1111111113 has joined #openstack-dev23:02
dolphm_cjones_: i was looking at this https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md23:02
*** dims has quit IRC23:03
dolphm_cjones_: specifically the section on scope https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope23:03
*** vartom1111111111 has quit IRC23:04
bknudsonalmost all the identity-api-v3.md winds up being duplicated in http://api.openstack.org/api-ref-identity.html23:04
*** jecarey_ has quit IRC23:04
*** vartom1111111112 has quit IRC23:04
_cjones_dolphm, Thanks. I'll capture that. I see where domain only is missing. Unfortunately. That doesn't seem to solve my problem.23:05
*** lbragstad has quit IRC23:05
*** dspano has quit IRC23:05
*** burt has quit IRC23:05
*** irenab_ has quit IRC23:06
*** aeperezt has quit IRC23:06
*** radsy has joined #openstack-dev23:06
*** Longgeek has joined #openstack-dev23:07
*** asselin has quit IRC23:07
morganfainbergok, reading up now23:07
morganfainbergdolphm, bknudson, the error is a 401 if you can't issue more tokens iirc.23:08
*** rwsu has joined #openstack-dev23:08
*** kgriffs is now known as kgriffs_afk23:08
*** thuc has quit IRC23:08
bknudsonmight be better to pick an old one and revoke it.23:08
morganfainbergdolphm, bknudson, and this limit is an imposed limit by memcache because it can hold X data per key23:08
bknudson401 is not the correct return code for this situation23:08
*** thuc has joined #openstack-dev23:08
morganfainbergX is configurable but it's a slab23:08
morganfainbergand so. fixed allocation23:08
morganfainbergbknudson, if we are really concerned about it, i'll write code that does an index page as the user index and overflows as much or as little as needed.23:09
*** fbo is now known as fbo_away23:09
morganfainbergall other options are bad, randomly evicting a non-expired-non-revoked token is really non-deterministic23:10
morganfainbergand we don't track "when was this token last used" (we can't effectively)23:10
bknudsoncreating a bunch of tokens is also bad.23:10
bknudsonwe know which is going to expire next23:10
morganfainbergbknudson, it is23:10
morganfainbergbut neutron does consume a very high number23:11
morganfainbergbknudson, we do, that data is now in the list.23:11
*** thedodd has quit IRC23:11
morganfainbergbknudson, (with my proposed patch)23:11
morganfainbergbknudson, though what if the next token would expire in 5 hours23:11
morganfainbergand if the next 200 tokens after it expire within minutes of that one23:11
morganfainbergcould they still be in use? sure.23:11
bknudsonmorganfainberg: clients have to be able to handle tokens becoming invalid... it could happen for any number of reasons... change password, etc.23:12
morganfainbergthis is absolutely an edge case, but it is real for larger-scale deployments that don't reuse tokens (heck horizon generates a bunch of tokens per click)23:12
*** Longgeek has quit IRC23:12
morganfainbergbknudson, there is another concern... if someone with 10k tokens revokes all of them23:12
morganfainberg... the revocation list would explode23:12
*** thuc has quit IRC23:12
morganfainbergsince it has very similar limitations23:13
bknudsonmorganfainberg: I thought you were discussing this earlier...23:13
bknudsonuse notification rather than revocation list23:13
morganfainbergbknudson, revocation events will help with this23:13
*** denis_makogon has quit IRC23:13
morganfainbergbut we need to support the old-style list for X release time23:13
*** jmckind has joined #openstack-dev23:14
morganfainbergmake it configurable, if it isn't needed, don't track/enumerate it23:14
morganfainbergbut we can't make that functionality disappear until... k?23:14
*** jmckind has quit IRC23:14
*** jaypipes has joined #openstack-dev23:14
*** nkinder has quit IRC23:15
*** dbalog has left #openstack-dev23:16
*** pmathews1 has quit IRC23:17
*** pmathews has joined #openstack-dev23:17
*** colinmcnamara has joined #openstack-dev23:17
*** dims has joined #openstack-dev23:18
morganfainbergyeah K i think.23:18
*** FunnyLookinHat has quit IRC23:19
*** henrynash has quit IRC23:19
*** buzztroll has joined #openstack-dev23:19
*** prad_ has left #openstack-dev23:20
*** aeperezt has joined #openstack-dev23:22
*** aeperezt has quit IRC23:22
*** aeperezt has joined #openstack-dev23:22
*** Doug2 has quit IRC23:22
*** n0ano has joined #openstack-dev23:23
dolphm_cjones_: do you have a role assignment on the domain itself?23:23
*** flaper87 is now known as flaper87|afk23:25
*** pmathews1 has joined #openstack-dev23:25
*** evgenyf has quit IRC23:25
*** pmathews2 has joined #openstack-dev23:26
gyee_dolphm, why not default the token expiration to 10 mins? Why 1 hour?23:28
_cjones_dolphm, yes. It seems that the authentication is not working with only just the domain in place.23:28
dolphmgyee_: just a first step IMO23:28
*** martyntaylor has quit IRC23:28
_cjones_dolphm, I'll double check. Maybe I don't have a role assgn. against the domain itself.23:28
gyee_dolphm, if we reduce it down to say 10 mins, we may not need revocation API at all23:28
dolphmgyee_: an hour seems long enough to not affect *any* long running processes, but short enough to avoid a lot of the problems we see with 24 hours23:29
*** julienvey_ has joined #openstack-dev23:29
gyee_we'll see, if nobody screams, we'll keep reducing it :D23:29
*** pmathews has quit IRC23:30
_cjones_dolphm, I assume this is what is to go into the "user_domain_metadata" table? (mine is empty)23:30
dolphm_cjones_: that sounds correct23:30
*** pmathews1 has quit IRC23:30
_cjones_dolphm, I'll add and retry. Thanks - standby.23:31
*** bknudson has quit IRC23:31
*** markmcclain has quit IRC23:31
*** e0ne has quit IRC23:31
*** e0ne_ has joined #openstack-dev23:31
*** vartom1111111113 has quit IRC23:31
*** novas0x2a|laptop has quit IRC23:31
*** neelashah has quit IRC23:31
*** novas0x2a|laptop has joined #openstack-dev23:32
dolphmgyee_: ++23:32
dolphmgyee_: i suggested cutting it in half every release earlier :P23:32
gyee_dolphm, only concern I have is Horizon23:33
gyee_ppl may see the session expired faster than bank websites23:33
dolphmgyee_: an hour seems reasonable for horizon, no?23:33
dolphmdavid-lyle: what's a reasonable session length for horizon?23:33
gyee_dolphm, probably, worth the experiment though23:33
*** Ryan_Lane has joined #openstack-dev23:33
dolphmgyee_: horizon throws away creds post-auth, right?23:33
gyee_dolphm, not sure, I need to read the code23:34
jamielennoxdolphm: did you figure out the management_url problem? I've no idea why horizon should all of a sudden need to mock it23:35
*** mfink has quit IRC23:35
_cjones_dolphm, That seemed to be the issue. No roles specified against the domain. (le sigh)23:35
dolphm_cjones_: PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}23:35
dolphmjamielennox: i'm not clear on the mocking problem, but david-lyle seemed confident it was a trivial issue with their mocking code23:36
_cjones_dolphm, Thanks. I manually did that via SQL.23:36
dolphmjamielennox: (i'm not sure why it suddenly needed to be mocked vs v0.4.1)23:36
jamielennoxdolphm: ok - it's weird that it should come up now but i don't see a problem with it23:36
jamielennoxvs 0.4.1? did we do a release?23:37
*** admiyo has joined #openstack-dev23:37
*** admiyo has quit IRC23:37
dolphmjamielennox: i did 0.4.2 this morning -- it was requested on list23:37
jamielennoxdolphm: shit23:37
dolphmjamielennox: https://launchpad.net/python-keystoneclient/+milestone/0.4.223:37
jamielennoxdolphm: i really wanted https://review.openstack.org/#/c/65015/23:37
dolphmjamielennox: 0.4.3 end of week? :)23:38
dolphm(reviewing)23:38
dolphmjamielennox: underlying patch needs a reverify23:38
jamielennoxdolphm: it's backward incompatible - it had to go in before a release23:38
dolphmjamielennox: ?23:38
*** grapsus__ has quit IRC23:39
dolphmjamielennox: so 0.4.2 is backwards incompatible with 0.4.1?23:39
*** rfolco has quit IRC23:39
jamielennoxdolphm: no23:39
dolphmoh i see what you mean .. looking at the patch23:39
jamielennoxdolphm: that patch privatized some stuff23:39
jamielennoxif it's out in 0.4.2 then we have to keep supporting it :(23:40
*** e0ne has joined #openstack-dev23:40
*** carl_baldwin has quit IRC23:40
*** e0ne_ has quit IRC23:40
jamielennoxhmm, can't use reverify no bug any more - i just thought they weren't getting picked up23:41
jamielennoxa jenkins comment that it's not supported any more would be useful there23:41
*** galstrom is now known as galstrom_zzz23:41
*** sweston has joined #openstack-dev23:42
*** rcj has quit IRC23:42
*** mfink has joined #openstack-dev23:42
*** buzztroll has quit IRC23:43
jamielennoxdolphm: so i had talked to ayoung a while ago regarding how to deal with multiple versions and having each service do its own discovery. That's annoying when we are trying to centralize stuff to a session. I was going to change discovery around so that it was no longer a keystone specific version discovery and try to support all the project discovery formats23:43
*** rnirmal has quit IRC23:43
*** buzztroll has joined #openstack-dev23:43
_cjones_dolphm: Okay. Now that I think I have all the auth/create working across domains. How do I specify a "list" on a specific domain. This isn't really documented either. I know this is a get, but I can't just do a get on /projects for example. What json structure do I need to pass to indicate my domain?23:43
dolphmjamielennox: that last bit sounds ambitious for keystone alone23:43
*** mrda has joined #openstack-dev23:44
*** rcleere has quit IRC23:44
*** bswartz has joined #openstack-dev23:44
*** CaptTofu has joined #openstack-dev23:44
jamielennoxI don't know exactly how that will change the public functions in discovery so as no one else will be using it anyway i just wanted to remove the public part until it got worked out23:44
dolphmjamielennox: i should have pinged you before making a release, but i wanted to get it out as early in the week as possible :-/23:44
jamielennoxdolphm: i don't think it would be that hard as there are a couple of basic formats and most of them are fairly distinguishable23:45
jamielennoxeg nova and keystone differ mainly by just having a 'values' root element23:45
jamielennoxand i think (and the little i've checked) that would cover most projects23:45
jamielennoxthe jsonhome stuff is then also sufficiently different that it's just a matter of looking for the right keys23:45
*** AlanClark has quit IRC23:46
jamielennoxdolphm: the eventual thought is that you would just have any client ask session if there is an available endpoint for it23:46
dolphmjamielennox: we support with and without values i believe23:46
dolphmjamielennox: i proposed a refactor around that yesterday i think23:47
jamielennoxso ask session.endpoint_available(service='identity', version='v3')23:47
*** buzztroll has quit IRC23:47
jamielennoxwhich because they will be using service and version for sending requests can easily be novaclient.v3.Client.supported(session)23:47
*** colinmcnamara has quit IRC23:47
jamielennoxit means that regardless of what we decided to do about migrating versions we can handle it all from the one place in a keystone authplugin and the session23:48
dolphmjamielennox: version=3 :P23:48
jamielennoxdolphm: i think (3, 0) is what i actually document23:49
dolphmjamielennox: regarding the privatized methods... revise that patch to support the "deprecated" methods as proxies for a bit?23:49
dolphmand get that out ASAP23:49
dolphmjamielennox: tuple sounds even better23:49
*** melwitt has quit IRC23:49
jamielennoxdolphm: most of it is not that much of a problem to support long term - it's just changing the usage around a bit23:50
*** rrader has joined #openstack-dev23:51
jamielennoxdolphm: i was hoping to discuss this change to service_catalog and discovery at summit if they'll send me this time23:51
*** herndon_ has quit IRC23:51
*** asselin has joined #openstack-dev23:51
*** jmontemayor has quit IRC23:51
jamielennoxayoung_dadmode: *cough*23:52
jamielennoxdolphm: because we need a proper solution to juggling multiple version APIs23:52
*** rrader has quit IRC23:53
*** rrader has joined #openstack-dev23:54
*** lexano has joined #openstack-dev23:54
*** mrodden has quit IRC23:56
*** rrader is now known as rrader_23:56
*** romcheg has quit IRC23:56
dolphmjamielennox: *they* better!23:57
*** harlowja has quit IRC23:57
*** Loquacity is now known as loquacity23:57
jamielennoxdolphm: crap - that change i just reverified had API changes as well23:58
*** loq_mac has joined #openstack-dev23:58
dolphmjamielennox: ?23:58
_cjones_dolphm, forgot that domain was a property of each user. I'm good to go. I think I know where documentation is lacking. Likely two bug reports which I will post missing pieces to as well as proposed changes based on my experience.23:58
jamielennoxdolphm: https://review.openstack.org/#/c/61247/523:58
jamielennoxthe dependant one23:58
dolphmjamielennox: if you -2 it won't merge23:58
*** loquacity has quit IRC23:58
*** rrader_ is now known as rrader23:58
dolphm_cjones_: the domain_id user attribute doesn't affect authorization though (?)23:59
jamielennoxwell i know what i'm doing today :)23:59
dolphm_cjones_: how does that impact your use case?23:59
