Tuesday, 2014-02-04

bknudson	we really should get away from eventlet and use something sane like twisted or asycio	00:01
dstanek	bknudson: i think that would be a pretty big rewrite	00:02
*** ijw has quit IRC		00:03
lifeless	bknudson: we used to use twisted.	00:03
*** boris-42_ has quit IRC		00:03
*** ijw has joined #openstack-dev		00:04
*** ekarlso- has joined #openstack-dev		00:04
*** kenperkins has quit IRC		00:06
*** Mandell has quit IRC		00:06
*** markwash has joined #openstack-dev		00:06
bknudson	lifeless: what caused the switch? something wrong with it?	00:06
bknudson	I haven't used either but have used async libraries for c++ and javascript... seemed to make more sense.	00:06
*** boris-4__ has quit IRC		00:07
*** jckasper has joined #openstack-dev		00:07
dstanek	bknudson: eventlet is one of our Python3 problems	00:07
lifeless	bknudson: too many developers with not enough experience, twisted is super powerful but beginners often find it intimidating	00:07
bknudson	I'm guessing we'd still have the problem with db queries blocking.	00:08
bknudson	dstanek: and WebOb!	00:08
*** ijw has quit IRC		00:08
*** gokrokve has joined #openstack-dev		00:09
*** yamahata has joined #openstack-dev		00:10
*** marun has joined #openstack-dev		00:10
*** sweston has quit IRC		00:10
dstanek	bknudson: are db queries blocking right now?	00:10
bknudson	dstanek: I assume so... since I assume they're calling c code?	00:11
dstanek	bknudson: that would be an interesting test	00:12
bknudson	dstanek: as far as I can tell keystone can only handle one request at a time.	00:12
*** matsuhashi has joined #openstack-dev		00:12
*** doug_shelley66 has quit IRC		00:12
*** zyluo has joined #openstack-dev		00:13
*** zyluo has quit IRC		00:13
*** zyluo has joined #openstack-dev		00:14
dstanek	bknudson: what was the setup you were testing? under apache?	00:14
*** marun has quit IRC		00:15
bknudson	dstanek: to see if keystone handles more than one request at a time?	00:15
*** zzelle has quit IRC		00:15
*** alexpilotti has quit IRC		00:15
dstanek	bknudson: yeah	00:15
*** pmathews has quit IRC		00:15
bknudson	dstanek: this was some time ago... we had a scaling/stability test that created millions of tokens	00:16
*** IanGovett has quit IRC		00:16
bknudson	then keystone ops started to fail due to timeouts	00:16
*** david-lyle has quit IRC		00:16
bknudson	because auth_token middleware was getting revoken token list (trying to every second but it took several seconds)	00:16
bknudson	and since all the requests were essentially signle-threaded it wound up taking several minutes for each service to get the list	00:17
dstanek	bknudson: was it because request were serial or that you just reached the per process limit?	00:17
*** clayb has quit IRC		00:17
bknudson	dstanek: I'll have to try to do some more tests. We solved the revoked list with an index.	00:18
*** thuc has quit IRC		00:18
bknudson	since there weren't actually any revoked tokens.	00:18
*** thuc has joined #openstack-dev		00:19
*** david-lyle has joined #openstack-dev		00:20
*** eharney has quit IRC		00:20
*** mriedem has joined #openstack-dev		00:20
*** JStoker has quit IRC		00:20
*** Mandell has joined #openstack-dev		00:20
*** cdub has joined #openstack-dev		00:22
*** zyluo has quit IRC		00:22
*** zyluo has joined #openstack-dev		00:23
*** byeager has quit IRC		00:23
*** thuc has quit IRC		00:23
*** JStoker has joined #openstack-dev		00:24
*** faramir1 has joined #openstack-dev		00:24
*** jaypipes has quit IRC		00:27
*** achampion has joined #openstack-dev		00:29
*** yamahata has quit IRC		00:29
*** mikal_ is now known as mikal		00:29
*** rowleyaj has quit IRC		00:30
*** carl_baldwin has quit IRC		00:31
*** jaypipes has joined #openstack-dev		00:32
*** nosnos has joined #openstack-dev		00:33
*** yamahata has joined #openstack-dev		00:33
*** tserong has joined #openstack-dev		00:33
*** sweston has joined #openstack-dev		00:35
*** tjones has joined #openstack-dev		00:38
*** terriyu has joined #openstack-dev		00:39
*** terriyu has quit IRC		00:39
*** thuc has joined #openstack-dev		00:39
*** armax has joined #openstack-dev		00:40
*** yamahata has quit IRC		00:43
*** nosnos_ has joined #openstack-dev		00:44
*** nosnos has quit IRC		00:47
*** alexpilotti has joined #openstack-dev		00:47
*** kgriffs is now known as kgriffs_afk		00:48
*** asalkeld has quit IRC		00:48
*** yamahata has joined #openstack-dev		00:48
*** ekarlso has quit IRC		00:50
*** alexpilotti has quit IRC		00:51
*** Tross has quit IRC		00:53
*** nosnos_ has quit IRC		00:54
*** nosnos has joined #openstack-dev		00:54
*** gordc has quit IRC		00:54
*** gokrokve has quit IRC		00:55
*** david_lyle_ has joined #openstack-dev		00:55
*** Tross has joined #openstack-dev		00:55
*** sjmc7 has quit IRC		00:56
*** CaptTofu has joined #openstack-dev		00:56
*** gyee has quit IRC		00:59
*** david-lyle has quit IRC		00:59
*** galstrom_zzz is now known as galstrom		01:00
*** mrodden has quit IRC		01:00
*** galstrom is now known as galstrom_zzz		01:00
*** JStoker has quit IRC		01:01
*** atiwari has quit IRC		01:03
*** JStoker has joined #openstack-dev		01:05
*** JStoker has quit IRC		01:07
*** asalkeld has joined #openstack-dev		01:08
*** JStoker has joined #openstack-dev		01:08
*** Steap has joined #openstack-dev		01:09
*** thuc has quit IRC		01:10
*** thuc has joined #openstack-dev		01:10
*** ijw has joined #openstack-dev		01:10
*** Mandell has quit IRC		01:11
*** otherwiseguy has joined #openstack-dev		01:12
*** Mandell has joined #openstack-dev		01:12
*** colinmcnamara has quit IRC		01:13
*** asalkeld has quit IRC		01:14
*** asalkeld has joined #openstack-dev		01:14
*** thuc has quit IRC		01:14
*** mrodden has joined #openstack-dev		01:15
*** tdruiva has joined #openstack-dev		01:17
*** tdruiva has joined #openstack-dev		01:17
*** ijw has quit IRC		01:18
*** comay has joined #openstack-dev		01:24
*** amcrn has quit IRC		01:24
*** mestery has joined #openstack-dev		01:25
*** colinmcnamara has joined #openstack-dev		01:25
*** mestery has quit IRC		01:26
*** sarob has quit IRC		01:26
*** mestery has joined #openstack-dev		01:26
*** devoid has quit IRC		01:27
*** jmching has joined #openstack-dev		01:28
*** marun has joined #openstack-dev		01:28
*** jmching has quit IRC		01:28
*** nrs_ has joined #openstack-dev		01:30
*** asalkeld has quit IRC		01:31
*** marun has quit IRC		01:33
*** godara has quit IRC		01:34
*** browne has quit IRC		01:35
*** tjones has left #openstack-dev		01:37
*** peoplemerge has quit IRC		01:37
*** marcoemorais1 has quit IRC		01:38
*** david-lyle has joined #openstack-dev		01:40
*** colinmcnamara has quit IRC		01:43
*** pixelb has quit IRC		01:43
*** david_lyle_ has quit IRC		01:44
*** asalkeld has joined #openstack-dev		01:45
*** mikeoutland has quit IRC		01:46
*** mestery has quit IRC		01:47
*** gokrokve has joined #openstack-dev		01:47
stevemar2	bknudson, if we had utility_v3, then restfultest case would have to extend that too?	01:48
stevemar2	bknudson, unless you want to import it as it's needed... which would be painful to change :P	01:48
bknudson	stevemar2: there's no need to extend anything, just call the function in utility_v3.	01:48
*** kenperkins has joined #openstack-dev		01:48
bknudson	stevemar2: yes, we've built up a lot of crufty technical debt.	01:49
stevemar2	bknudson, that's a lot of line change	01:49
bknudson	should just be a search/replace.	01:49
*** MaxV has joined #openstack-dev		01:49
*** doug_shelley66 has joined #openstack-dev		01:49
stevemar2	bknudson, grumble grumble	01:49
bknudson	would be nice if the review queue wasn't so long because the change will wind up conflicting all over the place.	01:49
stevemar2	yeah	01:49
*** sandywalsh_ has quit IRC		01:50
stevemar2	maybe i'll hold off on it?	01:50
stevemar2	til after feb 18?	01:50
*** jecarey has joined #openstack-dev		01:50
bknudson	stevemar2: ok... not sure why this was being done in the first place?	01:50
*** tjones has joined #openstack-dev		01:50
bknudson	stevemar2: a smaller change would be to create the new file and then essentially import them into restfultestcase (or whatever it is).	01:51
bknudson	then use the new file wherever you can.	01:51
stevemar2	bknudson, could do that	01:51
stevemar2	bknudson, i guess still keep the functions in restfultestcase, but have act as a wrapper and call the new file?	01:52
*** stevemar2 is now known as stevemar		01:52
*** ann has joined #openstack-dev		01:53
bknudson	stevemar: right, should be able to do new_user_ref = utility_v3.new_user_ref	01:53
*** MaxV has quit IRC		01:54
ayoung	bknudson, stevemar ...so YorikSar takes my code, and rewrites into a much cleaner, cooler, and more pythonic than I could ever do...I don't even feel competent enough to review it.	01:54
*** xarses has quit IRC		01:54
*** markmcclain1 has joined #openstack-dev		01:54
*** tsekiyama has quit IRC		01:54
ann	on ubuntu 12.04 lts apt-get install git - errors "package not found" and apt-get install git-core errors "'git-core' has no installation candidate"....	01:54
*** markmcclain has quit IRC		01:54
ann	any ideas?	01:55
ayoung	ann maybe your apt repos are not showing up	01:55
ayoung	apt-get update	01:55
bknudson	ayoung: make sure you're left on there as a co-authored-by to take some of the credit.	01:56
stevemar	ayoung, been there, done that	01:56
ayoung	WTF does this do	01:56
ayoung	bundle = filter(None, bundle)	01:56
jamielennox	ayoung: removes None/FAlse values	01:56
*** markmcclain1 has quit IRC		01:56
ayoung	have you seen this?	01:57
ayoung	https://review.openstack.org/#/c/69531/8/keystone/contrib/revoke/model.py	01:57
bknudson	http://docs.python.org/2/library/functions.html#filter	01:57
ayoung	comment at the bottom	01:57
ayoung	bknudson, I read it three times	01:57
bknudson	it says in the docs that None is a special case.	01:57
ayoung	"If function is None, the identity function is assumed, that is, all elements of iterable that are false are removed."	01:58
ayoung	and None is falsey	01:58
*** nati_uen_ has joined #openstack-dev		01:59
ayoung	I love that he used faggot in its original meaning: a bundle of sticks.	01:59
*** nati_uen_ has quit IRC		01:59
bknudson	ayoung: you might want to pick a different variable name.	01:59
ayoung	yeah	01:59
ayoung	I'm going Roman on that one	01:59
ayoung	Fascii	01:59
*** sweston has quit IRC		02:00
*** gokrokve has quit IRC		02:00
ann	started apt-get update.... but seems very slow... only3% in last few min	02:00
*** nati_uen_ has joined #openstack-dev		02:00
ann	on an average, how long does it take to do apt-get update?	02:00
ayoung	ann usually not long	02:00
ayoung	it is just downloading the package names and some data about them	02:00
bknudson	ann: you running in a vm?	02:01
ayoung	Metadata to use an overused term	02:01
ann	yes vm	02:01
bknudson	ann: on my system I have to set the mtu on the vm to get through the vpn.	02:01
*** markmcclain has joined #openstack-dev		02:01
*** baoli has joined #openstack-dev		02:01
*** CaptTofu has quit IRC		02:02
*** nati_ueno has quit IRC		02:02
ayoung	ah, ok. I butchered his code moving it into my repo...he is resetting the erm...bundle object and I was not	02:02
*** russellb has joined #openstack-dev		02:02
*** CaptTofu has joined #openstack-dev		02:03
*** gokrokve has joined #openstack-dev		02:03
ayoung	oh, no wait, I am...this is so flipping cool	02:03
bknudson	you can do else on a for?	02:03
ayoung	bknudson, yes you can	02:03
ayoung	I learned that on this review too	02:04
bknudson	ah, when there's no break.	02:04
*** kenperkins has quit IRC		02:04
ayoung	this is the most fun I've had coding in years	02:04
*** sarob has joined #openstack-dev		02:04
ayoung	he makes use of Map, too	02:04
ayoung	and setdefault	02:04
ayoung	its poetry	02:04
*** tjones has left #openstack-dev		02:04
*** sandywalsh_ has joined #openstack-dev		02:06
ayoung	I'm totally making him co-author on this	02:07
*** tdruiva has quit IRC		02:10
*** Mandell has quit IRC		02:10
*** bswartz has joined #openstack-dev		02:11
*** crank has quit IRC		02:14
*** crank has joined #openstack-dev		02:14
ayoung	jamielennox, so, what if a function takes two parameters, and I want to use filter to check a list against a single value? can I do that somehow?	02:15
*** sgordon has joined #openstack-dev		02:16
jamielennox	filter(lambda x,y: x is True, list)	02:16
bknudson	ayoung: functools.partial	02:16
jamielennox	or that	02:16
jamielennox	depends on whether the first is static	02:17
ayoung	I have a token data and a list of events I want to call matches(event, token_data) for one token_data and every element of events	02:17
ayoung	so	02:17
ayoung	I want map	02:17
*** epim has quit IRC		02:17
ayoung	since that returns the true values, and something like	02:18
jamielennox	ayoung: i don't think you should ever need map in python	02:18
*** byeager has joined #openstack-dev		02:18
ayoung	map(events, [token_data])	02:18
jamielennox	you should be able to use list comprehension for most everything map does	02:18
*** melwitt has quit IRC		02:18
ayoung	er	02:18
ayoung	I mean filter	02:18
ayoung	filter(_matches, events, [token_data])	02:18
*** kenperkins has joined #openstack-dev		02:19
jamielennox	ayoung i'm not sure what you're attempting	02:19
ayoung	f = [_matches(e, token_data) for e in events]	02:20
ayoung	probably what I want ^^	02:20
jamielennox	yea	02:20
ayoung	then I can check len(f) > 0	02:21
bknudson	ayoung: ahhh!	02:21
jamielennox	what does _matches return?	02:21
ayoung	bknudson, its my backup check	02:21
bknudson	ayoung: can just check if f -- no len reqd.	02:21
ayoung	jamielennox, True if the event matches the token_data	02:21
ayoung	otherwise False	02:21
ayoung	bknudson, ++	02:21
jamielennox	so [ e for e in events if _matches(e, token_data) ]	02:22
jamielennox	there is also a built-in called any() that sounds very much like this	02:22
ayoung	ah, yip	02:22
ayoung	any( e for e in events if _matches(e, token_data) ]	02:22
*** hartsocks has left #openstack-dev		02:22
jamielennox	the problem with all of these is that you have to evaluate every event before you can tell if any match	02:23
jamielennox	i think you're just better of with a for/else	02:23
ayoung	jamielennox, its ok, this is the second, slow, implementation, just to check the logic of the fast one	02:23
ayoung	the real deal is the algorithm that YorikSar rewrote	02:24
*** kenperkins_ has joined #openstack-dev		02:24
*** sarob has quit IRC		02:25
*** sarob has joined #openstack-dev		02:25
*** tdruiva has joined #openstack-dev		02:26
bknudson	what do you think about setting fatal_deprecations for the tests... require marking tests that use deprecated function with a decorator.	02:27
bknudson	maybe that will convince us to stop using deprecated function	02:27
jamielennox	bknudson: i think that should be something we do with the warnings module	02:27
jamielennox	you can have that trigger a deprecation fail	02:27
bknudson	jamielennox: for some reason oslo-incubator logging doesn't use the warnings module.	02:28
*** colinmcnamara has joined #openstack-dev		02:28
*** kenperkins has quit IRC		02:28
bknudson	jamielennox: there's a config setting: http://git.openstack.org/cgit/openstack/oslo-incubator/tree/openstack/common/log.py#n314	02:28
*** galstrom_zzz is now known as galstrom		02:28
jamielennox	i remember seeing that - i wonder if someone just didn't know it existed	02:28
jamielennox	besides we don't use that for deprecation logging do we?	02:29
bknudson	jamielennox: we do use that	02:29
*** david-lyle has quit IRC		02:29
jamielennox	ok	02:29
bknudson	the @deprecated decorator winds up calling LOG.deprecated.	02:30
*** sarob has quit IRC		02:30
*** kenperkins has joined #openstack-dev		02:30
jamielennox	then i guess it makes sense to put fatal_deprecated in the tests	02:30
bknudson	I think about half the tests fail.	02:30
jamielennox	bknudson: so blueprint time	02:31
bknudson	Ran 2374 (+1) tests in 500.339s (-221.704s)	02:31
bknudson	FAILED (id=1577, failures=995 (+995), skips=211)	02:31
ayoung	jamielennox, did you see that people are agreeing with me about the need for an Ugly hack to deal with versions....I didn't realize how bad the Nova folks made it for themselves	02:31
jamielennox	ayoung: i saw other people starting to take interest and no other good ideas	02:31
bknudson	we skip almost 10% of tests.	02:31
jamielennox	that's almost agreeing	02:31
ayoung	jamielennox, I would love it if we didn't have to do it.	02:31
ayoung	But we have to	02:32
jamielennox	ayoung: i prototyped it the other day about how i could make it work with auth_plugins	02:32
ayoung	we've painted ourselves into the corner. Lets walk across the paint, clean out shoes and be smarter next time	02:32
ayoung	jamielennox, with existing clients?	02:32
ayoung	that is the rub.	02:32
jamielennox	ayoung: with any client that uses the session object	02:32
ayoung	You can do all sorts of smarts with new clients	02:32
ayoung	great, lets do it	02:32
*** kenperkins_ has quit IRC		02:33
ayoung	meanwhile, the old client still need urls that end with /v2.0	02:33
bknudson	nova is different because not only do they have the version in the endpoint they also have the tenant	02:33
*** cdub has quit IRC		02:33
ayoung	bknudson, what does one of their URLs look like?	02:33
jamielennox	bknudson: yuk forgot about that	02:33
jamielennox	that's completely wrong	02:33
*** galstrom is now known as galstrom_zzz		02:34
bknudson	http://git.openstack.org/cgit/openstack-dev/devstack/tree/files/default_catalog.templates#n9	02:34
bknudson	http://%SERVICE_HOST%:8774/v2/$(tenant_id)s	02:34
jamielennox	bknudson: how did that ever work with multiple tenants?	02:34
bknudson	looks like heat went the same route http://%SERVICE_HOST%:8004/v1/$(tenant_id)s	02:34
*** erkules_ has joined #openstack-dev		02:35
bknudson	jamielennox: you get a token scoped to a tenant.	02:35
*** pablosan has quit IRC		02:35
ayoung	So..we need to chop both the /v1 and the /$(tenant_id)s portion to get to a generic, versionless url?	02:35
jamielennox	but you don't get an endpoint scoped to a tenant	02:35
bknudson	jamielennox: you get an endpoint with the tenant ID.	02:35
ayoung	nah, they just pass it as a n URL, and then their client fills it in, I bet	02:35
*** kenperkins_ has joined #openstack-dev		02:35
*** kenperkins_ has quit IRC		02:36
bknudson	now I have to try it.	02:36
jamielennox	bknudson: i mean that when you get a token scoped tenant it won't check the tenant_id - so you can easily get an endpoint for an incorrect tenant	02:36
jamielennox	bknudson: actually no, that's the string substitution happens late	02:37
jamielennox	nevermind me	02:37
*** pablosan has joined #openstack-dev		02:37
*** erkules has quit IRC		02:37
ayoung	"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." HP Lovecraft	02:37
*** kenperkins has quit IRC		02:38
*** xarses has joined #openstack-dev		02:38
jamielennox	ayoung: so start checking auth plugin patches because i want to have this as my reason to make clients use session objects	02:39
jamielennox	i can just start telling clients to adopt it and they won't have to worry	02:39
*** Gordonz has joined #openstack-dev		02:39
ayoung	jamielennox, you are in serious denial	02:40
ayoung	you can't fix this	02:40
ayoung	you could write the most elegant code in the world	02:40
ayoung	won	02:40
ayoung	't matter	02:40
ayoung	CUZ of the FLIPPING existing clients we need to support	02:41
jamielennox	ayoung: oh yea, i know but i'd prefer this hack to get implemented once	02:41
ayoung	jamielennox, ++	02:41
*** Gordonz has quit IRC		02:42
ayoung	I promise to review any and all session related client patches	02:42
bknudson	keystone ec2-credentials-create --user-id 722d573ad57b4a72a328dfcdc7f233fc --tenant-id 98538edbdadd4d149bc8cae93a80d718 --	02:42
bknudson	\| trust_id \| \|	02:42
jamielennox	ayoung: otherwise we end up with somebody else implementing service catalog parsing	02:42
bknudson	is it weird the v2 ec2-credentials-create returns trust_id?	02:42
ayoung	nope	02:42
ayoung	it is an optional field bknudson	02:42
bknudson	user-create doesn't return a domain ID?	02:42
ayoung	V2	02:43
ayoung	V3 should	02:43
*** Gordonz has joined #openstack-dev		02:44
bknudson	when you get your token the tenant is filled into the endpoints -- http://192.168.122.176:8774/v2/f173773d9b3c4dd6be95ffc318523700	02:45
jamielennox	jaypipes: ping	02:45
bknudson	jamielennox: other client libs have service catalog parsing.	02:46
jamielennox	bknudson: yea, there is a weird substitution thing that takes data from config and your current auth and build the service catalog late	02:46
bknudson	cinder does... http://git.openstack.org/cgit/openstack/python-cinderclient/tree/cinderclient/service_catalog.py	02:47
jamielennox	bknudson: yea, my point	02:47
jamielennox	need to prevent this replication	02:47
*** nati_ueno has joined #openstack-dev		02:48
*** buzztroll has quit IRC		02:48
*** nati_ueno has quit IRC		02:49
*** _cjones_ has quit IRC		02:49
*** nati_ueno has joined #openstack-dev		02:50
*** MaxV has joined #openstack-dev		02:50
ayoung	tis late here jamielennox even on the West Coast	02:51
*** nati_uen_ has quit IRC		02:51
jamielennox	yea didn't expect that	02:51
*** buzztroll has joined #openstack-dev		02:52
jamielennox	was worth a try though	02:52
*** colinmcnamara has quit IRC		02:52
jamielennox	he left some comments on https://review.openstack.org/#/c/70663 and i'm not sure of a different approach	02:53
*** fandi has joined #openstack-dev		02:53
*** MaxV has quit IRC		02:54
*** arnaud__ has quit IRC		02:56
*** markmcclain has quit IRC		02:56
*** arnaud has quit IRC		02:56
*** aveiga has quit IRC		02:56
*** byeager has quit IRC		02:56
*** zyluo has quit IRC		02:56
*** byeager has joined #openstack-dev		02:57
*** pradeep has joined #openstack-dev		02:57
*** novas0x2a\|laptop has quit IRC		02:58
*** markwash has quit IRC		02:59
*** baoli has quit IRC		03:01
*** mikeoutland has joined #openstack-dev		03:02
*** mikeoutland has quit IRC		03:03
*** dkehn_ has joined #openstack-dev		03:04
*** buzztroll has quit IRC		03:05
*** lbragstad has joined #openstack-dev		03:05
*** spzala has quit IRC		03:05
*** mikeoutland has joined #openstack-dev		03:05
*** armax has left #openstack-dev		03:07
*** otherwiseguy has quit IRC		03:07
*** matiu has joined #openstack-dev		03:07
*** matiu has quit IRC		03:07
*** matiu has joined #openstack-dev		03:07
*** alop has quit IRC		03:08
*** mikeoutland has quit IRC		03:10
*** nati_ueno has quit IRC		03:11
*** russellb has quit IRC		03:12
*** boris-42_ has joined #openstack-dev		03:12
*** nati_ueno has joined #openstack-dev		03:12
*** nati_ueno has quit IRC		03:13
*** nati_ueno has joined #openstack-dev		03:13
*** Tross has quit IRC		03:15
*** faramir1 has quit IRC		03:15
*** paragan has joined #openstack-dev		03:18
jog0	SpamapS: to unwedge heat https://review.openstack.org/70894	03:19
jog0	devananda: to unwedge ironic https://review.openstack.org/70896	03:20
*** rraja_ has joined #openstack-dev		03:20
*** krotscheck has quit IRC		03:21
*** gokrokve has quit IRC		03:26
*** sarob has joined #openstack-dev		03:26
*** gokrokve has joined #openstack-dev		03:26
*** baoli has joined #openstack-dev		03:28
*** gokrokve has quit IRC		03:30
*** gokrokve has joined #openstack-dev		03:32
*** carl_baldwin has joined #openstack-dev		03:32
*** sarob has quit IRC		03:32
*** doug_shelley66 has quit IRC		03:34
*** buzztroll has joined #openstack-dev		03:35
*** ann has quit IRC		03:36
*** buzztroll has quit IRC		03:37
*** buzztroll has joined #openstack-dev		03:37
*** emagana has quit IRC		03:39
*** gokrokve has quit IRC		03:40
*** jecarey has quit IRC		03:41
*** jckasper has quit IRC		03:43
*** jckasper has joined #openstack-dev		03:43
*** neelashah has joined #openstack-dev		03:47
*** jckasper has quit IRC		03:48
*** jckasper has joined #openstack-dev		03:49
*** jpomero has quit IRC		03:49
*** byeager_ has joined #openstack-dev		03:50
*** coasterz has quit IRC		03:50
*** MaxV has joined #openstack-dev		03:51
*** baoli has quit IRC		03:53
*** buzztroll has quit IRC		03:53
*** buzztrol_ has joined #openstack-dev		03:53
*** byeager has quit IRC		03:53
*** rraja_ has quit IRC		03:55
*** MaxV has quit IRC		03:55
*** buzztrol_ has quit IRC		03:56
*** david-lyle has joined #openstack-dev		03:57
*** buzztroll has joined #openstack-dev		03:57
*** carl_baldwin has quit IRC		03:58
*** otherwiseguy has joined #openstack-dev		03:59
*** byeager_ has quit IRC		03:59
*** Mandell has joined #openstack-dev		04:01
*** byeager has joined #openstack-dev		04:02
*** sandywalsh_ has quit IRC		04:02
*** troytoman is now known as troytoman-away		04:03
*** byeager has quit IRC		04:06
*** buzztroll has quit IRC		04:07
ayoung	jamielennox, https://review.openstack.org/#/c/61247/ a month later and it still looks good	04:09
jamielennox	ayoung: still awake	04:09
ayoung	About to crash	04:09
jamielennox	ayoung: yea, that was supposed to go in prior to 0.4.7 or whatever but missed it	04:09
ayoung	feh	04:09
ayoung	Deadlines shmeadlines	04:10
jamielennox	API compatibility schemadability?	04:10
ayoung	That too	04:10
*** carl_baldwin has joined #openstack-dev		04:10
ayoung	We need a settle in time....this "commit to master means GA" crap is crazy	04:11
*** gokrokve has joined #openstack-dev		04:11
ayoung	But I digest...	04:11
jamielennox	ayoung: dolph sent out an email this time before relasing client	04:11
jamielennox	that was useful	04:11
ayoung	are we OK with these changes still?	04:12
jamielennox	which ones?	04:12
ayoung	https://review.openstack.org/#/c/60751/10	04:12
ayoung	and the rest of the auth plugin stack	04:12
*** gokrokve_ has joined #openstack-dev		04:13
jamielennox	the authenticate() call was useful - but if this makes it easier for people then i don't think it matters	04:13
*** harlowja is now known as harlowja_away		04:13
ayoung	I'll ignore the fact that we change the order of parameters for the long kv param lists...anyone calling those by order deserves to have their code broken	04:14
jamielennox	i did?	04:14
*** carl_baldwin has quit IRC		04:15
ayoung	auth went in the front of the list	04:15
*** harlowja_away is now known as harlowja		04:15
jamielennox	oh i removed some and made them kwargs	04:15
jamielennox	.. no different review then	04:15
jamielennox	what are you looking at?	04:15
*** joearnold has quit IRC		04:16
*** amandap has quit IRC		04:16
*** hugokuo has quit IRC		04:16
*** koolhead17 has quit IRC		04:16
*** anderstj has quit IRC		04:16
ayoung	one sec, I clicked past it	04:16
ayoung	https://review.openstack.org/#/c/60751/10/keystoneclient/session.py	04:16
*** gokrokve has quit IRC		04:16
jamielennox	oh right	04:16
jamielennox	yea, i think it's important to have auth as the first param	04:17
jamielennox	damn	04:17
ayoung	think its a problem? Would someone really call it with session as the first param>	04:17
ayoung	I think you are afine	04:17
jamielennox	theres still a reauth=True in there	04:17
*** carl_baldwin has joined #openstack-dev		04:17
*** sandywalsh_ has joined #openstack-dev		04:17
jamielennox	that's not used anywhere or useful	04:17
ayoung	session.session...reuse an old session?	04:18
jamielennox	ayoung: requests have a session as well	04:19
ayoung	So...would it make sense to add things on to the requests session?	04:19
ayoung	I'm guessin that would be ugly	04:19
*** gokrokve_ has quit IRC		04:19
jamielennox	passing session= is for requests sessions	04:19
ayoung	yeah, Looked at this code before. I had all these questions answered back then	04:19
ayoung	that should be in the arg docstring though	04:20
ayoung	actually, you are missing a few args there	04:20
ayoung	params	04:20
jamielennox	just that one	04:20
jamielennox	as i said reauth shouldn't be there	04:21
*** sarob has joined #openstack-dev		04:21
ayoung	jamielennox, I'm referring to the docstring	04:22
jamielennox	yea - i htink it's just session= that is missing	04:22
ayoung	reauth shouldn't be thjere?	04:22
ayoung	or it should?	04:23
ayoung	you aren';t using it...	04:23
ayoung	so you mean you are kiling it from the param list?	04:23
jamielennox	just reuploaded	04:23
jamielennox	exactly the same but with no reauth= in the param list	04:24
jamielennox	that was a left over from an old review	04:24
*** Gordonz has quit IRC		04:24
*** hugokuo has joined #openstack-dev		04:24
*** jgriffith has quit IRC		04:24
*** mriedem has quit IRC		04:24
ayoung	still missing session	04:24
jamielennox	i'll add the session doc string as another review but i really don't want to put another patch in front of all these - i need to pass the thing	04:24
*** jgriffith has joined #openstack-dev		04:24
jamielennox	put it in this review?	04:24
*** joearnold has joined #openstack-dev		04:25
ayoung	you sureyou want auth at the front of the list?	04:25
ayoung	these are going to be kwargs anyway, lets not break order, even if its stupid	04:25
*** AlexF has joined #openstack-dev		04:26
*** kolesovdv has quit IRC		04:26
*** kolesovdv1 has joined #openstack-dev		04:26
*** jgriffith has quit IRC		04:26
jamielennox	you think?	04:26
ayoung	yeah	04:26
jamielennox	Session(AuthPlugin()) is fairly useful	04:26
*** mikeoutland has joined #openstack-dev		04:26
jamielennox	it's really the main one fo those i think someone would use	04:26
ayoung	your call	04:26
ayoung	I won't cry	04:27
jamielennox	no one will use the session parameter	04:27
ayoung	Session(auth=AuthPlugin())	04:27
*** alpha_ori has joined #openstack-dev		04:27
ayoung	or even default to	04:27
ayoung	Session()	04:27
ayoung	with auth=AuthPlugin?	04:27
ayoung	as the default param?	04:28
jamielennox	no doesn't work that way	04:28
ayoung	Anyway, bed. I'll look again in the morn	04:28
jamielennox	it'd be Session(keystoneclient.auth.identity.V2())	04:28
*** ayoung is now known as ayoung-zZzZzZ		04:28
*** jgriffith has joined #openstack-dev		04:29
*** amandap has joined #openstack-dev		04:30
*** anderstj has joined #openstack-dev		04:30
*** koolhead17 has joined #openstack-dev		04:31
*** CaptTofu has quit IRC		04:32
*** gokrokve has joined #openstack-dev		04:32
*** AlexF has quit IRC		04:37
*** achampion has quit IRC		04:38
*** mikeoutland has quit IRC		04:38
*** angdraug has quit IRC		04:39
*** sweston has joined #openstack-dev		04:39
*** asalkeld has quit IRC		04:41
*** nati_ueno has quit IRC		04:44
*** topol has joined #openstack-dev		04:44
*** stevemar has quit IRC		04:49
*** emagana has joined #openstack-dev		04:49
*** MaxV has joined #openstack-dev		04:51
*** kolesovdv1 has quit IRC		04:53
*** kolesovdv has joined #openstack-dev		04:53
*** sgordon has quit IRC		04:54
*** sumanthns has joined #openstack-dev		04:54
*** emagana has quit IRC		04:55
*** MaxV has quit IRC		04:56
*** rraja has joined #openstack-dev		04:56
*** cagrev has joined #openstack-dev		04:56
*** thuc has joined #openstack-dev		04:58
*** amcrn has joined #openstack-dev		05:02
*** rdas has joined #openstack-dev		05:03
*** sarob has quit IRC		05:04
*** DinaBelova_ is now known as DinaBelova		05:04
*** sarob has joined #openstack-dev		05:04
*** tjones has joined #openstack-dev		05:07
*** sarob_ has joined #openstack-dev		05:07
*** kolesovdv has quit IRC		05:07
*** rraja_ has joined #openstack-dev		05:09
*** sarob has quit IRC		05:09
*** doug_shelley66 has joined #openstack-dev		05:09
*** tjones has quit IRC		05:11
*** cagrev has quit IRC		05:11
*** dims has quit IRC		05:11
*** haomaiwang has quit IRC		05:12
*** kgriffs_afk has quit IRC		05:12
*** haomaiwang has joined #openstack-dev		05:12
*** sarob has joined #openstack-dev		05:13
*** dims has joined #openstack-dev		05:13
*** kgriffs_afk has joined #openstack-dev		05:13
*** kgriffs_afk is now known as kgriffs		05:14
*** sarob_ has quit IRC		05:16
*** buzztroll has joined #openstack-dev		05:18
*** erkules_ is now known as erkules		05:18
*** thuc has quit IRC		05:19
*** thuc has joined #openstack-dev		05:19
*** coolsvap has joined #openstack-dev		05:21
*** buzztroll has quit IRC		05:22
*** amotoki has joined #openstack-dev		05:22
*** nshaikh has joined #openstack-dev		05:23
*** thuc has quit IRC		05:23
*** gokrokve has quit IRC		05:24
*** Ryan_Lane has joined #openstack-dev		05:24
*** mkollaro has joined #openstack-dev		05:28
*** markmcclain has joined #openstack-dev		05:28
*** achampion has joined #openstack-dev		05:28
*** irenab has joined #openstack-dev		05:30
*** sarob has quit IRC		05:32
*** sarob has joined #openstack-dev		05:32
*** pradeep1 has joined #openstack-dev		05:33
*** gokrokve has joined #openstack-dev		05:33
*** pradeep has quit IRC		05:35
*** sarob has quit IRC		05:37
*** gokrokve has quit IRC		05:38
*** markwash has joined #openstack-dev		05:40
*** rwsu has quit IRC		05:41
*** AMike has joined #openstack-dev		05:42
*** AMike has quit IRC		05:42
*** AMike has joined #openstack-dev		05:42
*** carl_baldwin has quit IRC		05:42
*** asalkeld has joined #openstack-dev		05:42
*** carlp_ has quit IRC		05:45
*** achampion has quit IRC		05:46
*** Tross has joined #openstack-dev		05:46
*** killer_prince has joined #openstack-dev		05:51
*** mohits has joined #openstack-dev		05:52
*** rohitk has joined #openstack-dev		05:53
*** AlexF has joined #openstack-dev		05:54
*** AlexF has quit IRC		05:59
*** AlexF has joined #openstack-dev		05:59
*** rohitk has quit IRC		05:59
*** nosnos_ has joined #openstack-dev		06:00
*** neeti has joined #openstack-dev		06:00
*** markwash has quit IRC		06:02
*** nosnos has quit IRC		06:03
*** sarob has joined #openstack-dev		06:03
*** jcoufal has joined #openstack-dev		06:04
*** AlexF has quit IRC		06:04
*** otherwiseguy has quit IRC		06:05
*** buzztroll has joined #openstack-dev		06:06
*** AlexF has joined #openstack-dev		06:08
*** hdd has quit IRC		06:10
*** achampion has joined #openstack-dev		06:11
*** buzztroll has quit IRC		06:11
*** buzztroll has joined #openstack-dev		06:11
*** colinmcnamara has joined #openstack-dev		06:12
*** yeylon__ has joined #openstack-dev		06:13
*** marcoemorais has joined #openstack-dev		06:14
*** colinmcnamara has quit IRC		06:16
*** marcoemorais1 has joined #openstack-dev		06:16
*** bashok has joined #openstack-dev		06:19
*** marcoemorais has quit IRC		06:20
*** rohitk has joined #openstack-dev		06:21
*** buzztroll has quit IRC		06:22
*** e0ne has joined #openstack-dev		06:23
*** AlexF has quit IRC		06:24
*** buzztroll has joined #openstack-dev		06:25
*** jcooley_ has joined #openstack-dev		06:26
*** zaitcev has quit IRC		06:26
*** vartom1111111114 has joined #openstack-dev		06:26
*** e0ne has quit IRC		06:27
*** buzztroll has quit IRC		06:27
*** buzztroll has joined #openstack-dev		06:27
*** otherwiseguy has joined #openstack-dev		06:28
*** xazel has joined #openstack-dev		06:29
*** tdruiva_ has joined #openstack-dev		06:30
*** neelashah1 has joined #openstack-dev		06:30
*** topol_ has joined #openstack-dev		06:30
*** Mandell_ has joined #openstack-dev		06:30
*** Ryan_Lane1 has joined #openstack-dev		06:30
*** buzztrol_ has joined #openstack-dev		06:30
*** colinmcnamara has joined #openstack-dev		06:31
*** vartom1111111114 has quit IRC		06:31
*** sarob has quit IRC		06:31
*** hashfail has joined #openstack-dev		06:31
*** Tross1 has joined #openstack-dev		06:31
*** apmelton1 has joined #openstack-dev		06:32
*** rohitk has quit IRC		06:32
*** mohits_ has joined #openstack-dev		06:32
*** coolsvap_away has joined #openstack-dev		06:32
*** matsuhashi has quit IRC		06:33
*** rraja has quit IRC		06:33
*** gokrokve has joined #openstack-dev		06:33
*** matsuhashi has joined #openstack-dev		06:33
*** branen_ has joined #openstack-dev		06:33
*** vuntz has joined #openstack-dev		06:33
*** SpamapS_ has joined #openstack-dev		06:33
*** grapsus has joined #openstack-dev		06:33
*** Steap___ has joined #openstack-dev		06:34
*** soren has joined #openstack-dev		06:34
*** soren has quit IRC		06:34
*** soren has joined #openstack-dev		06:34
*** sweston_ has joined #openstack-dev		06:34
*** yeylon__ has quit IRC		06:34
*** shadower_ has joined #openstack-dev		06:34
*** flaper87l has joined #openstack-dev		06:35
*** alex_klimov has joined #openstack-dev		06:35
*** colinmcnamara has quit IRC		06:35
*** flaper87l is now known as flaper87		06:35
*** jd__` has joined #openstack-dev		06:37
*** gmurphy_ has joined #openstack-dev		06:37
*** s0nea_ has joined #openstack-dev		06:37
*** jayg\|g0n` has joined #openstack-dev		06:38
*** gokrokve has quit IRC		06:38
*** buzztroll has quit IRC		06:38
*** mohits has quit IRC		06:38
*** Tross has quit IRC		06:38
*** asalkeld has quit IRC		06:38
*** Ryan_Lane has quit IRC		06:38
*** nshaikh has quit IRC		06:38
*** coolsvap has quit IRC		06:38
*** dims has quit IRC		06:38
*** rraja_ has quit IRC		06:38
*** topol has quit IRC		06:38
*** sweston has quit IRC		06:38
*** alpha_ori has quit IRC		06:38
*** joearnold has quit IRC		06:38
*** Mandell has quit IRC		06:38
*** neelashah has quit IRC		06:38
*** paragan has quit IRC		06:38
*** fandi has quit IRC		06:38
*** tdruiva has quit IRC		06:38
*** tserong has quit IRC		06:38
*** gmurphy has quit IRC		06:38
*** zaneb has quit IRC		06:38
*** jhesketh__ has quit IRC		06:38
*** gimps has quit IRC		06:38
*** primeministerp has quit IRC		06:38
*** marios has quit IRC		06:38
*** s0nea has quit IRC		06:38
*** SpamapS has quit IRC		06:38
*** soren_ has quit IRC		06:38
*** grapsus__ has quit IRC		06:38
*** d0ugal has quit IRC		06:38
*** n0ano has quit IRC		06:38
*** branen has quit IRC		06:38
*** zul has quit IRC		06:38
*** apmelton has quit IRC		06:38
*** avishay has quit IRC		06:38
*** benonsoftware has quit IRC		06:38
*** med_ has quit IRC		06:38
*** flaper87\|afk has quit IRC		06:38
*** jd__ has quit IRC		06:38
*** jayg\|g0n3 has quit IRC		06:38
*** enykeev has quit IRC		06:38
*** shadower has quit IRC		06:38
*** krtaylor has quit IRC		06:38
*** Steap has quit IRC		06:38
*** vuntz_ has quit IRC		06:38
*** mordred has quit IRC		06:38
*** fc__ has quit IRC		06:38
*** matrohon has quit IRC		06:38
*** jd__` is now known as jd__		06:38
*** s0nea_ is now known as s0nea		06:39
*** alpha_ori has joined #openstack-dev		06:39
*** sweston_ is now known as sweston		06:40
*** primeministerp has joined #openstack-dev		06:40
*** sweston is now known as sweston_		06:40
*** joearnold has joined #openstack-dev		06:41
*** Tross1 has quit IRC		06:42
*** mrda is now known as mrda_away		06:43
*** Tross has joined #openstack-dev		06:43
*** benonsoftware has joined #openstack-dev		06:43
*** benonsoftware has quit IRC		06:44
*** benonsoftware has joined #openstack-dev		06:44
*** topol_ has quit IRC		06:44
*** harlowja is now known as harlowja_away		06:44
*** fandi has joined #openstack-dev		06:44
*** asalkeld has joined #openstack-dev		06:45
*** n0ano has joined #openstack-dev		06:45
*** d0ugal has joined #openstack-dev		06:45
*** d0ugal has joined #openstack-dev		06:45
*** tserong has joined #openstack-dev		06:45
*** denis_makogon_ has joined #openstack-dev		06:45
*** zaneb has joined #openstack-dev		06:45
*** paragan has joined #openstack-dev		06:45
*** paragan has quit IRC		06:45
*** paragan has joined #openstack-dev		06:45
*** zul has joined #openstack-dev		06:46
*** avishay has joined #openstack-dev		06:46
*** rraja_ has joined #openstack-dev		06:46
*** nshaikh has joined #openstack-dev		06:47
*** rraja has joined #openstack-dev		06:48
*** skraynev_ is now known as skraynev		06:50
*** bhuvan has joined #openstack-dev		06:51
*** mordred has joined #openstack-dev		06:54
*** jhesketh_ has joined #openstack-dev		06:55
*** mikeoutland has joined #openstack-dev		06:58
*** krtaylor has joined #openstack-dev		06:59
*** mikeoutland has quit IRC		06:59
*** marios has joined #openstack-dev		07:00
*** haomaiwa_ has joined #openstack-dev		07:02
*** bhuvan has quit IRC		07:02
*** haomaiwang has quit IRC		07:04
*** coolsvap_away has quit IRC		07:04
*** bhuvan has joined #openstack-dev		07:04
*** dims has joined #openstack-dev		07:08
*** zoresvit has joined #openstack-dev		07:08
*** odyssey4me has joined #openstack-dev		07:08
*** achampion has quit IRC		07:08
*** markmcclain has quit IRC		07:10
*** pradeep1 has quit IRC		07:10
*** jcooley_ has quit IRC		07:12
*** saju_m has joined #openstack-dev		07:12
*** vartom1111111114 has joined #openstack-dev		07:14
*** pradeep has joined #openstack-dev		07:15
*** bhuvan has quit IRC		07:15
*** asalkeld has quit IRC		07:16
*** Drankis has joined #openstack-dev		07:16
*** lcheng_ has joined #openstack-dev		07:16
*** buzztrol_ has quit IRC		07:21
*** flaper87 has quit IRC		07:21
*** flaper87 has joined #openstack-dev		07:21
*** yamahata has quit IRC		07:23
*** coolsvap has joined #openstack-dev		07:26
*** dstufft is now known as dstufft-gone		07:26
*** yolanda has joined #openstack-dev		07:28
*** bcrochet has joined #openstack-dev		07:29
*** zoresvit has quit IRC		07:30
*** nkinder has joined #openstack-dev		07:31
*** zoresvit has joined #openstack-dev		07:31
*** mrunge has joined #openstack-dev		07:31
*** otherwiseguy has quit IRC		07:32
*** zoresvit has quit IRC		07:32
*** AlexF has joined #openstack-dev		07:32
*** achampion has joined #openstack-dev		07:32
*** zoresvit has joined #openstack-dev		07:32
*** asalkeld has joined #openstack-dev		07:33
*** gokrokve has joined #openstack-dev		07:33
*** zoresvit has quit IRC		07:33
*** zoresvit has joined #openstack-dev		07:33
*** obondarev has joined #openstack-dev		07:34
*** fc__ has joined #openstack-dev		07:34
*** rmk has joined #openstack-dev		07:34
*** aditirav has joined #openstack-dev		07:37
*** gokrokve has quit IRC		07:38
*** MaxV has joined #openstack-dev		07:41
*** AlexF has quit IRC		07:41
*** rwsu has joined #openstack-dev		07:42
*** sarob has joined #openstack-dev		07:43
*** lcheng_ has quit IRC		07:47
*** amcrn has quit IRC		07:47
*** sarob has quit IRC		07:48
*** jcooley_ has joined #openstack-dev		07:48
*** MaxV has quit IRC		07:50
*** rwsu has quit IRC		07:51
*** buzztroll has joined #openstack-dev		07:52
*** tkammer has joined #openstack-dev		07:52
*** rwsu has joined #openstack-dev		07:53
*** omachace has joined #openstack-dev		07:54
*** jcooley_ has quit IRC		07:56
*** pschaef has joined #openstack-dev		07:57
*** vartom1111111115 has joined #openstack-dev		07:57
*** vartom1111111114 has quit IRC		07:58
*** e0ne has joined #openstack-dev		07:59
*** afazekas has joined #openstack-dev		08:01
*** bauzas has joined #openstack-dev		08:04
*** oro has joined #openstack-dev		08:04
*** bvandenh has joined #openstack-dev		08:04
*** buzztroll has quit IRC		08:07
*** afazekas has quit IRC		08:07
*** jprovazn has joined #openstack-dev		08:07
*** killer_prince is now known as lazy_prince		08:08
*** denis_makogon_ has quit IRC		08:09
*** xga has joined #openstack-dev		08:11
*** rraja has quit IRC		08:11
*** jistr has joined #openstack-dev		08:11
*** pasquier-s has joined #openstack-dev		08:12
*** rraja_ has quit IRC		08:12
*** wfoster has joined #openstack-dev		08:12
*** viktors_away is now known as viktors		08:12
*** sundjango has joined #openstack-dev		08:12
*** sundjango_ has joined #openstack-dev		08:13
*** sarob has joined #openstack-dev		08:13
*** sundjango_ has quit IRC		08:13
*** guardianx has joined #openstack-dev		08:14
*** buzztroll has joined #openstack-dev		08:17
*** sarob has quit IRC		08:18
*** buzztroll has quit IRC		08:19
sundjango	hey, I am an OpenStack newbie and trying to set it up on an Ubuntu Server. I was configuring the networking interface card but if I do it like here http://docs.openstack.org/trunk/install-guide/install/apt/content/basics-networking.html, then I lose my Internet connection. What is the idea behind this configuration? So, that I can apply without changing my	08:20
sundjango	primary interface card?	08:20
*** asalkeld has quit IRC		08:20
*** jtomasek has joined #openstack-dev		08:22
*** colinmcnamara has joined #openstack-dev		08:23
*** afazekas has joined #openstack-dev		08:23
*** mindpixel has joined #openstack-dev		08:23
*** nmagnezi has joined #openstack-dev		08:24
*** thouveng has joined #openstack-dev		08:26
*** cnesa has quit IRC		08:26
*** colinmcnamara has quit IRC		08:27
*** yeylon__ has joined #openstack-dev		08:28
*** comay has quit IRC		08:29
*** marcoemorais1 has quit IRC		08:29
*** rohitk has joined #openstack-dev		08:32
*** gokrokve has joined #openstack-dev		08:33
*** coolsvap has quit IRC		08:36
*** florentflament_ has joined #openstack-dev		08:37
*** avishayb has joined #openstack-dev		08:37
*** gokrokve has quit IRC		08:37
*** sushils has joined #openstack-dev		08:40
*** ifarkas has joined #openstack-dev		08:41
*** amuller has joined #openstack-dev		08:42
*** I159 has joined #openstack-dev		08:42
*** ogelbukh1 is now known as ogelbukh		08:42
*** yamahata has joined #openstack-dev		08:43
*** JordanP has joined #openstack-dev		08:44
*** romcheg has joined #openstack-dev		08:45
*** jgallard has joined #openstack-dev		08:46
*** cschwede has joined #openstack-dev		08:49
*** sahid has joined #openstack-dev		08:50
*** colinmcnamara has joined #openstack-dev		08:50
*** MaxV has joined #openstack-dev		08:52
*** pradeep1 has joined #openstack-dev		08:52
*** belmoreira has joined #openstack-dev		08:53
*** pradeep has quit IRC		08:54
*** colinmcnamara has quit IRC		08:55
*** ilyashakhat has joined #openstack-dev		08:55
*** ygbo has joined #openstack-dev		08:56
*** jpich has joined #openstack-dev		08:56
*** corXi has joined #openstack-dev		08:56
*** lsmola has joined #openstack-dev		08:57
*** xqueralt has joined #openstack-dev		08:57
*** gcha has joined #openstack-dev		08:57
*** athomas has joined #openstack-dev		09:00
*** safchain has joined #openstack-dev		09:01
*** ndipanov has joined #openstack-dev		09:02
*** jhesketh_ has quit IRC		09:02
*** jhesketh has quit IRC		09:02
*** bhuvan has joined #openstack-dev		09:03
*** pixelb has joined #openstack-dev		09:03
*** xga has quit IRC		09:07
*** colinmcnamara has joined #openstack-dev		09:08
*** colinmcnamara has quit IRC		09:12
*** markmc has joined #openstack-dev		09:13
*** sarob has joined #openstack-dev		09:13
*** safchain has quit IRC		09:14
*** tdruiva_ has quit IRC		09:14
*** jhesketh has joined #openstack-dev		09:14
*** jhesketh_ has joined #openstack-dev		09:15
*** dtantsur has joined #openstack-dev		09:16
*** aditirav has quit IRC		09:17
*** rraja_ has joined #openstack-dev		09:17
*** aditirav has joined #openstack-dev		09:17
*** rraja has joined #openstack-dev		09:18
*** sarob has quit IRC		09:18
*** dtantsur has left #openstack-dev		09:19
*** xga has joined #openstack-dev		09:20
*** coolsvap has joined #openstack-dev		09:23
*** johnthetubaguy has joined #openstack-dev		09:24
*** mmagr has joined #openstack-dev		09:24
*** marcoemorais has joined #openstack-dev		09:26
*** jamespage has joined #openstack-dev		09:27
*** pradeep has joined #openstack-dev		09:28
*** pradeep1 has quit IRC		09:29
*** eglynn has joined #openstack-dev		09:29
*** nshaikh has left #openstack-dev		09:29
*** nshaikh has quit IRC		09:29
*** buzztroll has joined #openstack-dev		09:30
*** MaxV has quit IRC		09:30
*** johnthetubaguy has quit IRC		09:31
*** MaxV has joined #openstack-dev		09:31
*** johnthetubaguy has joined #openstack-dev		09:32
*** gokrokve has joined #openstack-dev		09:33
*** avishayb has quit IRC		09:33
*** rdas has quit IRC		09:34
*** buzztroll has quit IRC		09:34
*** lucasagomes has joined #openstack-dev		09:34
*** colinmcnamara has joined #openstack-dev		09:35
*** marcoemorais has quit IRC		09:35
*** danpb has joined #openstack-dev		09:35
*** Ryan_Lane1 has quit IRC		09:36
*** gokrokve has quit IRC		09:38
*** kashyap is now known as kashyap_bbiab		09:38
*** colinmcnamara has quit IRC		09:39
*** safchain has joined #openstack-dev		09:41
*** dtantsur has joined #openstack-dev		09:43
*** giulivo has joined #openstack-dev		09:44
*** e0ne has quit IRC		09:46
*** e0ne has joined #openstack-dev		09:46
*** tdruiva has joined #openstack-dev		09:46
*** zoresvit has quit IRC		09:47
viktors	flaper87: hi	09:49
flaper87	viktors: hey	09:49
*** reed has joined #openstack-dev		09:50
*** e0ne_ has joined #openstack-dev		09:50
*** e0ne has quit IRC		09:50
viktors	flaper87: when you'll have a few minutes, could you please look at patch https://review.openstack.org/#/c/57689/ (Drop dependency on log from oslo db code).	09:50
viktors	flaper87: You -1'ed it some time ago )	09:50
*** matrohon has joined #openstack-dev		09:51
*** romcheg has left #openstack-dev		09:52
*** ala has quit IRC		09:52
*** corXi has quit IRC		09:52
*** BobBallAway is now known as BobBall		09:52
flaper87	viktors: LGTM! Thanks!	09:52
viktors	flaper87: Thank you!	09:53
*** corXi has joined #openstack-dev		09:54
*** sweston_ has quit IRC		09:54
*** tdruiva has quit IRC		09:54
*** JordanP has quit IRC		09:55
*** Alexei_987 has joined #openstack-dev		09:56
*** zoresvit has joined #openstack-dev		10:00
*** oro has quit IRC		10:01
*** e0ne_ has quit IRC		10:02
*** e0ne has joined #openstack-dev		10:02
*** kashyap_bbiab is now known as kashyap		10:02
*** colinmcnamara has joined #openstack-dev		10:02
*** sergmelikyan has joined #openstack-dev		10:04
*** colinmcnamara has quit IRC		10:06
*** e0ne has quit IRC		10:06
*** e0ne has joined #openstack-dev		10:07
*** xga has quit IRC		10:08
*** jamespage_ has joined #openstack-dev		10:09
*** e0ne has quit IRC		10:10
*** e0ne has joined #openstack-dev		10:10
*** sarob has joined #openstack-dev		10:13
*** oro has joined #openstack-dev		10:14
*** martyntaylor has joined #openstack-dev		10:14
*** jcooley_ has joined #openstack-dev		10:17
*** zzelle has joined #openstack-dev		10:17
*** sarob has quit IRC		10:18
*** xga has joined #openstack-dev		10:19
*** gszasz has joined #openstack-dev		10:20
*** Adri2000_ is now known as Adri2000		10:21
*** metabro has quit IRC		10:22
*** xga_ has joined #openstack-dev		10:23
*** jcooley_ has quit IRC		10:23
*** xga has quit IRC		10:24
*** sergmelikyan has quit IRC		10:24
*** bada has joined #openstack-dev		10:26
*** jistr has quit IRC		10:27
*** rohitk has quit IRC		10:28
*** d0ugal has quit IRC		10:29
*** colinmcnamara has joined #openstack-dev		10:29
*** paragan has quit IRC		10:30
*** coolsvap has quit IRC		10:30
*** marcoemorais has joined #openstack-dev		10:31
*** d0ugal has joined #openstack-dev		10:32
*** d0ugal has quit IRC		10:32
*** d0ugal has joined #openstack-dev		10:32
*** oro has quit IRC		10:32
*** gokrokve has joined #openstack-dev		10:33
*** colinmcnamara has quit IRC		10:34
*** marcoemorais has quit IRC		10:36
*** xgsa has joined #openstack-dev		10:36
*** jamespage_ has quit IRC		10:37
*** gokrokve has quit IRC		10:37
*** nimi has joined #openstack-dev		10:39
*** mkollaro has quit IRC		10:42
*** zoresvit has quit IRC		10:43
*** boris-42_ has quit IRC		10:43
*** zoresvit has joined #openstack-dev		10:43
*** lazy_prince has quit IRC		10:46
*** jistr has joined #openstack-dev		10:50
*** e0ne has quit IRC		10:50
*** e0ne has joined #openstack-dev		10:50
*** vartom1111111115 has quit IRC		10:50
*** nimi has quit IRC		10:53
*** colinmcnamara has joined #openstack-dev		10:56
jamielennox	lifeless: dont suppose youre still here?	10:58
*** mmagr has quit IRC		10:58
*** russellb has joined #openstack-dev		11:00
*** colinmcnamara has quit IRC		11:01
*** DinaBelova is now known as DinaBelova_		11:01
*** CaptTofu has joined #openstack-dev		11:02
*** DinaBelova_ is now known as DinaBelova		11:02
*** asalkeld has joined #openstack-dev		11:02
*** rohitk has joined #openstack-dev		11:04
*** CaptTofu has quit IRC		11:07
*** zoresvit has quit IRC		11:08
*** zoresvit1 has joined #openstack-dev		11:08
*** DinaBelova is now known as DinaBelova_		11:10
*** e0ne has quit IRC		11:10
*** MaxV has quit IRC		11:10
*** jcooley_ has joined #openstack-dev		11:13
*** pradeep has quit IRC		11:13
*** smcavoy has left #openstack-dev		11:13
*** sarob has joined #openstack-dev		11:13
*** pradeep has joined #openstack-dev		11:13
*** sushils has quit IRC		11:14
marekd\|away	jamielennox: hi.	11:14
*** marekd\|away is now known as marekd		11:14
jamielennox	marekd: hey	11:15
marekd	jamielennox: what happens when a keystoneclient receives an unscoped token as a auth response?	11:15
marekd	jamielennox: will it automatically query for a scoped token, by sending a project_id it's going to use?	11:16
jamielennox	marekd: essentially it's going to fail	11:16
*** sarob_ has joined #openstack-dev		11:16
marekd	jamielennox: oh dear...	11:16
marekd	jamielennox: so, what's the purpose for unscoped tokens :-)	11:16
jamielennox	i think it'll try to get a management_url from the service catalog, fail and crash	11:16
jamielennox	in theory they work	11:17
marekd	in theory...	11:17
jamielennox	the problem is we don't have a good way to rescope it	11:17
*** mmagr has joined #openstack-dev		11:17
marekd	jamielennox: here is the problem. i am starting with a list of keystone groups a federated user can access. I can than get a list of roles tied to those groups.	11:17
jamielennox	what you might be able to do is take the unscoped token and use auth_url=, token=, and project_id= to create a new client	11:17
*** sarob has quit IRC		11:18
jamielennox	list of groups?	11:18
marekd	jamielennox: but...i still know NOTHING about a project id that use will want to use.	11:18
marekd	jamielennox: yes, the mapping engine returns a list of local keystone groups...	11:18
jamielennox	a group is a collection of users - why is that available/	11:18
jamielennox	you're not really ever supposed to be able to resolve that i don't think	11:19
*** jcooley_ has quit IRC		11:19
marekd	resolve what?	11:19
marekd	it's easier to make rules for groups rather every single federated user.	11:20
jamielennox	hmm, so you are supposed to be able to list the projects a user is in right/	11:20
*** sarob_ has quit IRC		11:20
marekd	well, by looking in the code i see most of the logic depends on the user/project...i must depend on roles...	11:21
*** rraja has quit IRC		11:21
marekd	there will be no local user, no entity in the DB>	11:21
*** vartom1111111115 has joined #openstack-dev		11:22
*** rraja_ has quit IRC		11:22
marekd	it should be 'something', a set of roles that actually define what and how can be accessed.	11:22
jamielennox	i can't remember if it's possible to list the associated projects for a user - i guess it mustbe	11:22
*** akrivoka has joined #openstack-dev		11:22
marekd	eventually it's roles that grant/deny access to the projects, right?	11:22
jamielennox	a role is only defined on either a project or a domain	11:22
jamielennox	there is no such thing as an unsoped token with roles	11:23
*** gszasz is now known as gszasz_lunch		11:23
*** MaxV has joined #openstack-dev		11:23
jamielennox	(i don't know much about what federation is returning here)	11:23
marekd	ok, a role is only defined on a project/domain - so by having set of roles i am able to decide whether the project can be accessed.	11:24
*** nshaikh has joined #openstack-dev		11:24
*** ppetit has joined #openstack-dev		11:24
*** xga_ has quit IRC		11:24
marekd	args, super easy in theory, slightly more difficult in reality.	11:25
*** sergmelikyan has joined #openstack-dev		11:25
jamielennox	what are you working with? how do you know what roles you have if the token is unscoped?	11:26
*** jcoufal has quit IRC		11:26
marekd	i am starting with a list of keystone group ids. This will be provided by mapping rule engine.	11:27
marekd	it parses saml assertion and returns list of matching group ids.	11:27
marekd	I can assume a federated user is a member of those groups. By having that I can list all the roles that are attached to those groups.	11:27
marekd	so i now have a list of roles my user has.	11:27
marekd	the problem is: this is faked user, so no real entry in the DB 2) I cannot check what project he's going use, not after the first call..	11:28
jamielennox	what API version are you using - again roles shouldn't exist without being scoped somewhere	11:28
marekd	gonna be v3	11:28
jamielennox	yea, has to be	11:28
marekd	there are tables:	11:29
*** jgallard has quit IRC		11:29
*** david-lyle has quit IRC		11:29
marekd	https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L752	11:30
*** nosnos_ has quit IRC		11:30
marekd	i think you are asking about that...	11:30
marekd	https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L703	11:30
marekd	grom GroupDomainGrant and GroupProjectGrant I am able to get roles assigned to the groups.	11:31
marekd	s/grom/from/	11:31
*** marcoemorais has joined #openstack-dev		11:31
jamielennox	right	11:32
*** CaptTofu has joined #openstack-dev		11:32
*** denis_makogon has joined #openstack-dev		11:33
*** gokrokve has joined #openstack-dev		11:33
jamielennox	but you're trying to access that via the API - you should be starting from the project or domain	11:33
*** rohitk has quit IRC		11:33
*** rohitk has joined #openstack-dev		11:34
marekd	it will not be POST auth/token with {auth: {}} request body...	11:35
marekd	it will be more like GET /token/OS-FEDERATION/{idp}/protocol/{proto}	11:35
marekd	and I have nothing in the req body.	11:36
*** marcoemorais has quit IRC		11:36
jamielennox	marekd: hmm, this is really not my area - i haven't had all that much to do with federation	11:37
marekd	jamielennox: ok, no problem.	11:37
marekd	jamielennox: thanks, anyway.	11:37
jamielennox	from my thinking you should never have been able to find a group and roles without knowing the project	11:37
jamielennox	i guess that as a group only exists on a domain then the roles you are seeing are on the domain	11:37
*** gokrokve has quit IRC		11:38
marekd	yes	11:38
*** amotoki has quit IRC		11:38
jamielennox	but again this would tell me that the token is already scoped to the domain so i still don't know why you'd be seeing roles and have an unscoped token	11:38
*** amotoki has joined #openstack-dev		11:38
*** gcha has quit IRC		11:39
jamielennox	anyway - i'd suggest trying out stevemar in the US morning	11:40
jamielennox	or dolph or adam i guess	11:40
jamielennox	sorry about that	11:40
marekd	can a normal token be scoped to multiple projects/domains?	11:40
marekd	jamielennox: no problem.	11:40
jamielennox	marekd: no	11:40
jamielennox	very strictly one or the other	11:40
marekd	you got me wrong....	11:41
marekd	can a token be scoped to multiple projects?	11:41
jamielennox	marekd: no	11:41
marekd	(i am not mixing project w/ domains)	11:41
marekd	jamielennox: ok	11:41
*** jamespage_ has joined #openstack-dev		11:43
*** Nikolay_1t has quit IRC		11:44
marekd	jamielennox: is the horizon not working in a "unscoped/later scoped" token way?	11:45
jamielennox	marekd: it should be	11:45
jamielennox	get an unscoped token - list projects that user has access to	11:46
jamielennox	that's how it offers you a list of projects	11:46
jamielennox	there is also a defalut_project_id that can be used	11:46
marekd	well, so maybe that's the solution!	11:46
*** pcm has joined #openstack-dev		11:46
jamielennox	that's what i was going for earlier	11:46
jamielennox	but you seem to have the roles already - and you still need to have a user not a group	11:47
jamielennox	hmm, maybe you can get group projects - i'm not sure on that	11:47
marekd	ok i will investigate that.	11:47
*** pcm has quit IRC		11:48
*** csaba\|afk has joined #openstack-dev		11:48
*** rfolco has joined #openstack-dev		11:48
*** pcm has joined #openstack-dev		11:48
jamielennox	do you have the return dump from GET /token/OS-FEDERATION/{idp}/protocol/{proto} ?	11:49
marekd	dump?	11:49
jamielennox	like the json from the token	11:49
marekd	something like that.	11:50
*** asalkeld has quit IRC		11:50
jamielennox	can you paste it somewhere for me	11:50
marekd	the code or what?	11:50
jamielennox	the json	11:50
marekd	i didn't create any yet, but I assume this would be like a normal json sent upon auth request..	11:51
marekd	the effect the client should get is a token that can be later used in a classy way...	11:51
jamielennox	ok - well there are certain calls that can be made to the auth_url so that you don't have to use the service catalog	11:51
jamielennox	you can find them because they set management=False in the request call	11:52
*** colinmcnamara has joined #openstack-dev		11:52
jamielennox	that token should get you an unscoped token	11:52
jamielennox	then you can list projects and then get a token per project	11:52
jamielennox	that's the only way i can see this would work	11:52
marekd	i think so too.	11:53
jamielennox	marekd: anyway it's later here - i'm heading out	11:53
marekd	ok, thanks a lot.	11:53
marekd	cheers.	11:53
jamielennox	np	11:53
*** paragan has joined #openstack-dev		11:54
*** paragan has quit IRC		11:54
*** paragan has joined #openstack-dev		11:54
*** colinmcnamara has quit IRC		11:56
*** asalkeld has joined #openstack-dev		11:57
*** L33 has joined #openstack-dev		12:00
*** DuncanT- is now known as DuncanT		12:02
*** yamahata has quit IRC		12:04
*** sgordon has joined #openstack-dev		12:06
*** yamahata has joined #openstack-dev		12:09
*** drewlander has joined #openstack-dev		12:09
*** vkmc has joined #openstack-dev		12:10
*** rkukura has quit IRC		12:10
*** sarob has joined #openstack-dev		12:13
*** sergmelikyan has quit IRC		12:14
*** sergmelikyan has joined #openstack-dev		12:14
*** sandywalsh_ has quit IRC		12:15
*** neelashah1 has quit IRC		12:16
*** e0ne has joined #openstack-dev		12:17
*** sarob has quit IRC		12:18
*** yassine has joined #openstack-dev		12:20
*** FunnyLookinHat has joined #openstack-dev		12:21
*** bada_ has joined #openstack-dev		12:21
*** CaptTofu has quit IRC		12:22
*** eglynn is now known as eglynn-lunch		12:23
*** e0ne_ has joined #openstack-dev		12:24
*** e0ne has quit IRC		12:24
*** bada has quit IRC		12:25
*** xga has joined #openstack-dev		12:26
*** bhuvan has quit IRC		12:28
*** sandywalsh_ has joined #openstack-dev		12:28
*** e0ne has joined #openstack-dev		12:29
*** zoresvit1 has quit IRC		12:29
marekd	dolphm: ping.	12:30
*** e0ne__ has joined #openstack-dev		12:30
*** aditirav has quit IRC		12:30
*** e0ne___ has joined #openstack-dev		12:31
*** e0ne__ has quit IRC		12:31
*** asalkeld has quit IRC		12:31
*** boris-42_ has joined #openstack-dev		12:32
*** e0ne_ has quit IRC		12:32
*** e0ne___ has quit IRC		12:32
*** IanGovett has joined #openstack-dev		12:32
*** e0ne_ has joined #openstack-dev		12:32
*** gszasz_lunch is now known as gszasz		12:33
*** gokrokve has joined #openstack-dev		12:33
*** e0ne has quit IRC		12:34
*** rohitk has quit IRC		12:34
*** rohitk has joined #openstack-dev		12:34
*** vartom1111111115 has quit IRC		12:35
*** matsuhashi has quit IRC		12:36
*** matsuhashi has joined #openstack-dev		12:36
*** yamahata has quit IRC		12:37
*** gokrokve has quit IRC		12:37
*** DinaBelova_ is now known as DinaBelova		12:38
*** mohits_ has quit IRC		12:41
*** matsuhashi has quit IRC		12:41
*** sgordon has quit IRC		12:42
*** bhuvan has joined #openstack-dev		12:46
*** pschaef has quit IRC		12:47
*** sushils has joined #openstack-dev		12:50
*** gszasz has quit IRC		12:50
*** yamahata has joined #openstack-dev		12:51
*** byeager has joined #openstack-dev		12:51
*** DinaBelova is now known as DinaBelova_		12:52
*** gszasz has joined #openstack-dev		12:53
*** artom has joined #openstack-dev		12:53
*** DinaBelova_ is now known as DinaBelova		12:55
*** DinaBelova is now known as DinaBelova_		12:55
*** nmagnezi has quit IRC		12:55
*** baoli has joined #openstack-dev		12:56
*** tkammer has quit IRC		12:57
*** jgallard has joined #openstack-dev		12:58
*** markmcclain has joined #openstack-dev		12:59
*** gcha has joined #openstack-dev		13:00
*** neeti has quit IRC		13:00
*** DinaBelova_ is now known as DinaBelova		13:01
*** yamahata has quit IRC		13:03
*** gcha has quit IRC		13:03
*** nmagnezi has joined #openstack-dev		13:04
*** rohitk has quit IRC		13:04
*** e0ne has joined #openstack-dev		13:05
dolphm	marekd: pong	13:05
*** danielbruno has joined #openstack-dev		13:05
*** vartom1111111115 has joined #openstack-dev		13:06
*** russellb_ has joined #openstack-dev		13:06
*** gcha has joined #openstack-dev		13:06
*** russellb_ has quit IRC		13:07
*** yamahata has joined #openstack-dev		13:07
*** jhesketh_ has quit IRC		13:07
*** jhesketh has quit IRC		13:08
*** AlexF has joined #openstack-dev		13:08
*** e0ne_ has quit IRC		13:08
marekd	glad you are here.	13:09
marekd	i spoke with jammielennox earlier today.	13:09
*** sumanthns has quit IRC		13:10
marekd	cause i got to the point in a federated token generation where we should actually first return a non scoped token, that can be later used to request a scoped token..?	13:10
*** DinaBelova is now known as DinaBelova_		13:10
marekd	after the rule mapping i end up with set of groups, i can then get roles tied to the groups (domain and project grants) but...i still don't know WHAT project a user will want to access...	13:11
*** tkammer has joined #openstack-dev		13:11
*** neeti has joined #openstack-dev		13:12
*** e0ne_ has joined #openstack-dev		13:13
*** sarob has joined #openstack-dev		13:13
*** michchap has quit IRC		13:14
marekd	by default creating a service_catalog also depend on both user_id and project_id -> whoa, both are missing :-)	13:14
*** neeti has quit IRC		13:14
*** bhuvan has quit IRC		13:14
*** neeti has joined #openstack-dev		13:15
*** neeti has quit IRC		13:16
*** e0ne has quit IRC		13:16
*** sgordon has joined #openstack-dev		13:16
*** sarob has quit IRC		13:17
*** neeti has joined #openstack-dev		13:17
*** alexpilotti has joined #openstack-dev		13:18
*** jroll has joined #openstack-dev		13:18
*** tdruiva has joined #openstack-dev		13:18
*** bhuvan has joined #openstack-dev		13:18
*** byeager has quit IRC		13:19
dolphm	marekd: good questions...	13:19
dolphm	marekd: on user_id being required for the service catalog -- sounds like we need a refactor to remove that dependency	13:20
*** jprovazn has quit IRC		13:20
*** fandi has quit IRC		13:20
*** rohitk has joined #openstack-dev		13:20
marekd	dolphm: i think missing project_id is a bigger problem...	13:21
dolphm	marekd: +++	13:21
*** aveiga has joined #openstack-dev		13:21
*** jcoufal has joined #openstack-dev		13:21
marekd	dolphm: no chance to get a project_id.... and we can always fake user_id...	13:21
dolphm	marekd: thinking through it -- you'd have to put groups into the unscoped token, right?	13:21
dolphm	marekd: or persist something	13:21
*** CaptTofu has joined #openstack-dev		13:22
*** rohitk has quit IRC		13:22
marekd	dolphm: i'd leave groups - i can get roles which already define what and how i can access, right? So I would issue an unscoped token, just a PKI/UUID and make a client to request for a certain project. Now, depending on the roles behind that token I would either grant a valid scoped token for a project or reject the access...	13:23
marekd	dolphm: but i still think i need somehow generate a list of projects available to the user so a client can choose one..	13:23
dolphm	marekd: in the non-federated case, that's GET /users/{user_id}/projects or GET /users/{user_id}/domains -- do we need equivalent calls for ephemeral users?	13:24
dolphm	marekd: ... based on groups?	13:24
marekd	dolphm: quick hint how to list projects accessible from groups? that could actually help.	13:25
dolphm	marekd: from managers or what?	13:25
marekd	dolphm: ok, i will grep the basecode.	13:25
*** yamahata has quit IRC		13:26
marekd	but. what's the non-federated workflow when a user gets an unscoped token?	13:27
marekd	there is a token id and what else?	13:27
*** metral has joined #openstack-dev		13:27
*** rainya has joined #openstack-dev		13:27
*** annegentle has joined #openstack-dev		13:27
*** 64MAAAAAS has joined #openstack-dev		13:27
*** shanturoy has joined #openstack-dev		13:27
*** pvo has joined #openstack-dev		13:27
*** jbryce has joined #openstack-dev		13:27
dolphm	marekd: i don't think there's a driver method to expose that alone	13:27
*** dcmorton has joined #openstack-dev		13:27
dolphm	marekd: list_projects_for_user() is as close as we get	13:27
*** cagrev has joined #openstack-dev		13:28
dolphm	marekd: in the non-federated case, a user gets an unscoped token, calls GET /v3/users/{user_id}/projects, selects a project on the client side, and re-scopes with POST /v3/auth/tokens w/ unscoped token + project selection	13:28
*** jdob has joined #openstack-dev		13:30
marekd	and providing he knows the project_id apriori he will send the id in the first auth request and get a scoped token, right?	13:30
dolphm	marekd: yes, that's the second flow of three possibilities :)	13:31
marekd	what's the 3rd one?	13:31
*** jckasper has quit IRC		13:31
dolphm	marekd: the third is that the user has a default_project_id attribute set, and instead of being able to get an unscoped token at all, they automatically get back a scoped token to that project	13:31
*** achampion has quit IRC		13:31
marekd	dolphm: i doubt this can be reused in a federation use-case.	13:32
marekd	dolphm: possible the unscoped/scoped looks most promising.	13:32
*** yamahata has joined #openstack-dev		13:32
*** marcoemorais has joined #openstack-dev		13:32
*** rkukura has joined #openstack-dev		13:33
*** rkukura is now known as rkukura_		13:33
*** gokrokve has joined #openstack-dev		13:33
marekd	but we cannot extend the API with something like /v3/groups/{group}/projects ...	13:33
*** athomas has quit IRC		13:33
marekd	dolphm: rather /v3/OS-FEDERATION/token/{token_id}/projects	13:34
dolphm	marekd: but don't put the token in the URL!	13:34
marekd	dolphm: yes, you are right!	13:34
dolphm	marekd: the problem with /v3/groups/{group}/projects is that you'd be forcing the client to iterate over all their groups	13:35
marekd	dolphm: nope, the client doesn't know it's groups at all!	13:35
dolphm	marekd: that's why i was suggesting the groups should be added to the token :-/	13:35
marekd	dolphm: he starts with nothing, and the data that's flowing around is at most saml assertion.	13:35
dolphm	marekd: but saml assertions can be "reduced" to just a set of groups	13:36
marekd	dolphm: ok, now i see your point. i thought a roles can be used to list accessible projects.	13:36
*** marcoemorais has quit IRC		13:36
dolphm	marekd: but you don't "have" any roles until you've selected a project/domain to scope to	13:36
marekd	dolphm: yes, but internally, in the keystone, so the client cannot hit /v3/groups/{group_id}/projects ...unless he really gets a list of groups in a response.	13:36
dolphm	marekd: right	13:37
dolphm	marekd: if groups are in the token, the call could be as simple as GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains	13:38
*** gordc has joined #openstack-dev		13:38
*** vladikr has joined #openstack-dev		13:38
dolphm	marekd: on the service side, you'd only have to pull the list of groups out of the unscoped X-Auth-Token, and return a set of projects / domains those groups have access to	13:38
*** gokrokve has quit IRC		13:38
marekd	dolphm: and later 'scoping' the token follows the stardard way, right?	13:40
*** bswartz has quit IRC		13:40
*** athomas has joined #openstack-dev		13:41
*** saju_m has quit IRC		13:41
dolphm	marekd: i believe so	13:41
*** tdruiva has quit IRC		13:43
*** tdruiva has joined #openstack-dev		13:43
*** jprovazn has joined #openstack-dev		13:44
*** nacim has quit IRC		13:44
*** ekarlso- has quit IRC		13:45
marekd	so a response could be like this: https://gist.github.com/zaccone/8803808 ?	13:45
*** ekarlso has joined #openstack-dev		13:45
*** yamahata has quit IRC		13:46
dolphm	marekd: https://gist.github.com/dolph/5cfa70c02f5b141060c5#token-as-a-result-of-federation	13:46
marekd	because it has nothing in common with the token structure you showed me yesterday	13:46
marekd	dolphm: allright, i still have no idea how to fill the 'user' dictionary...	13:47
dolphm	marekd: i think steve was working on making that part of the mapping engine output	13:47
*** tdruiva has quit IRC		13:47
marekd	dolphm: he was, but i believe mapping to the specific user is just one of the use-case.	13:48
dolphm	marekd: the mapping engine could literally output an ephemeral user object that could be stuck straight into a token	13:48
marekd	dolphm: and the other one, and very likely more common is just a set of group_ids.	13:48
dolphm	marekd: and i'm suggesting that be the same thing (the group id's are part of the user)	13:48
dolphm	an attribute* of the user	13:48
*** mburned_out has joined #openstack-dev		13:49
*** mburned_out is now known as mburned		13:49
*** yamahata has joined #openstack-dev		13:50
*** nacim has joined #openstack-dev		13:50
*** ifarkas has quit IRC		13:51
*** pasquier-s_ has joined #openstack-dev		13:51
*** ifarkas has joined #openstack-dev		13:52
marekd	https://review.openstack.org/#/c/67645/10/keystone/contrib/federation/utils.py - i can get this: [{'group': {'id': '0cd5e9'}, 'user': {'email': 'bob@example.com'}}] or this: [{'group': {'id': '123'}}, {'group': {'id': 'xyz'}}]	13:52
marekd	in the latter there is no user...:(	13:53
marekd	that's what i was asking yesterday.	13:53
*** Steap___ is now known as Steap		13:53
marekd	dolphm: ^^^	13:54
dolphm	marekd: looking	13:54
dolphm	marekd: skimming the code -- but why one or the other?	13:54
marekd	dolphm: for 'simplicity'.	13:55
dolphm	marekd: ?	13:55
*** yamahata has quit IRC		13:55
*** prad_ has joined #openstack-dev		13:55
*** doug_shelley66 has quit IRC		13:56
marekd	dolphm: you can make rule: "if the guys department is IT put him in the keystone group IT' you can make a general rule, and don't need to bother making lots of direct mappings.	13:56
dolphm	marekd: oh this is only handling one assertion at a time...	13:56
*** rossella_s has joined #openstack-dev		13:56
*** thomasem has joined #openstack-dev		13:56
marekd	well yest, but it doesn't matter - you can make one generic rule and handle many users with that.	13:57
dolphm	marekd: the class construction seems backwards to me, fwiw -- it seems like you should __init__(mapping_ref), and then .process(assertion)	13:57
dolphm	or assertions	13:57
marekd	dolphm: THAT WAS MY COMMENT last friday!	13:57
dolphm	haha	13:57
*** arges has quit IRC		13:57
marekd	dstanek: liked that but eventually steve didn't decide to change it. its kinda illogical, but doesn't break anything so i gave up.	13:58
*** yamahata has joined #openstack-dev		13:59
marekd	anyway, i can't assume that mapping engine always produces a 'user' entity.	14:00
dolphm	marekd: well, it breaks intuitiveness lol	14:00
*** jckasper has joined #openstack-dev		14:00
dolphm	marekd: i think you should be able to safely make that assumption	14:00
marekd	dolphm: go ahead and support me by leaving some comments :-)	14:00
dolphm	marekd: i might even propose the refactor!	14:00
dstanek	dolphm, marekd: the class is a little wierd :)	14:01
*** hnarkaytis has joined #openstack-dev		14:01
*** glenng has joined #openstack-dev		14:01
marekd	dstanek: hey there.	14:02
marekd	dolphm: https://review.openstack.org/#/c/67645/10/keystone/tests/mapping_fixtures.py -> take a look at MAPPING_SMALL	14:02
marekd	produces list of groups.	14:02
marekd	i mean local entities are groups and this is what i am starting with.	14:02
*** dims has quit IRC		14:03
marekd	that's my point and i think during the summit sessions we were talking mostly about the list of groups.	14:03
*** xga has quit IRC		14:03
*** tkammer has quit IRC		14:04
marekd	dstanek: wanna save the world and join the discussion?:-)	14:04
*** sgordon has quit IRC		14:04
*** dkranz has quit IRC		14:05
*** sgordon has joined #openstack-dev		14:05
dolphm	marekd: dstanek: commented	14:05
*** xga has joined #openstack-dev		14:05
*** dprince has joined #openstack-dev		14:05
*** lsmola has quit IRC		14:05
*** beagles is now known as beagles_brb		14:06
*** glenng has quit IRC		14:07
*** tongli has joined #openstack-dev		14:07
dstanek	marekd: i put away my cape already	14:07
dolphm	dstanek: i recall having a discussion with morganfainberg_Z about putting groups into tokens to solve some problem ayoung-zZzZzZ was having with revocation events (consequences of deleting a group?) -- were you involved in that discussion?	14:07
*** ayoung-zZzZzZ has quit IRC		14:08
marekd	dolphm: hmmmm, and what about generating a uuid-like username if there is no direct mapping?	14:08
dolphm	i got the impression from morganfainberg_Z that i missed the party on that one	14:08
dstanek	dolphm: not that i can recall	14:08
dolphm	marekd: from what i've gathered from david chadwick, a username should be guaranteed / required	14:09
dstanek	dolphm: what problem is he having with revocation events?	14:09
dolphm	dstanek: i think it was just that the cost of generating revocation events from deleting a group -- there's no way for auth_token to handle a revocation event that looks like group_id=1234	14:09
marekd	dolphm: i am not 100% sure, but I might be wrong. so for now I will assume the username is presnet after the mapping is done.	14:10
dolphm	dstanek: because groups aren't in the token... so instead, he was having to generate revocation events for all the assignments to the group	14:10
dolphm	dstanek: marekd: point is, i think we have two solid use cases for adding group IDs to tokens	14:11
dstanek	dolphm: do you know which review that is in?	14:11
*** JordanP has joined #openstack-dev		14:12
dolphm	dstanek: i suppose https://review.openstack.org/#/c/55908/ -- but the conversation between ayoung and morganfainberg_Z may have been in irc	14:12
*** tdruiva has joined #openstack-dev		14:12
*** nmagnezi_ has joined #openstack-dev		14:13
*** sarob has joined #openstack-dev		14:13
*** mriedem has joined #openstack-dev		14:14
*** Jabadia has joined #openstack-dev		14:14
*** markmcclain has quit IRC		14:15
Jabadia	anyone know how can i extract the 'cpu_allocation_ratio' using API ?	14:15
Jabadia	( and not by reading nova.conf.. )	14:15
*** sweston has joined #openstack-dev		14:16
*** nmagnezi has quit IRC		14:16
*** tkammer has joined #openstack-dev		14:17
*** mindpixel has quit IRC		14:17
*** sarob has quit IRC		14:18
*** yamahata has quit IRC		14:18
*** mkollaro has joined #openstack-dev		14:18
*** rektide_ is now known as rektide		14:19
*** yamahata has joined #openstack-dev		14:19
*** thuc has joined #openstack-dev		14:20
*** jayg\|g0n` is now known as jayg		14:22
*** achampion has joined #openstack-dev		14:22
*** lsmola has joined #openstack-dev		14:22
*** changbl has quit IRC		14:23
*** lbragstad has quit IRC		14:23
*** prad_ has quit IRC		14:24
*** nmagnezi_ is now known as nmagnezi		14:24
*** btorch has joined #openstack-dev		14:25
*** lbragstad has joined #openstack-dev		14:25
*** browne has joined #openstack-dev		14:26
marekd	dolphm: one more thing. let's assume we have a list of mapped groups. We generate a token, store it in the database and return it. This is an unscoped token. So now, the client wants to get a list of projects / domains he can access and according to your suggestion does GET /v3/OS-FEDERATION/projects and/or GET /v3/OS-FEDERATION/domains . The Keystone reads X-Auth-Token and returns appropriate list. If so, is it really required to return a list of group	14:27
dolphm	marekd: do you have an alternative suggestion to compute the list of available projects?	14:28
*** andreaf has joined #openstack-dev		14:29
dolphm	marekd: the list of groups has to either be persisted or recomputed from assertions (so the assertions would have to be persisted somewhere)	14:29
*** lbragstad has quit IRC		14:31
dolphm	marekd: persisting groups in the token buys you the data you need, with the advantage that it's possible won't have to store them to a db at all (with ephemeral PKI tokens + revocation events)	14:31
*** ala has joined #openstack-dev		14:32
marekd	dolphm: i am not following....so you don't want to store the group_ids in a token backend at all and always recompute them when the user does GET /v3/OS-FEDERATION/projects ?	14:32
dolphm	marekd: sort of...	14:33
dolphm	marekd: store them in the token	14:33
*** gokrokve has joined #openstack-dev		14:33
dolphm	marekd: for the moment, we're writing those tokens to the database	14:33
marekd	dolphm: because from what you proposed the list of groups is returned, but client doesn't use it AT ALL. he asks for matching projects basing on the token_id he received.	14:33
*** dvarga has joined #openstack-dev		14:33
dolphm	marekd: but with ayoung's revocation events work, we won't have a reason to write PKI tokens to the db anymore	14:33
dolphm	marekd: right, the client has zero reason to care about their own groups	14:34
*** spzala has joined #openstack-dev		14:34
marekd	dolphm: ++ so my question is what's the reason for returning that group list in a unscoped token reponse - is it related to revocations/whatever? If so I will just do whatever you tell me. Otherwise I'd like to understand :-)	14:35
*** amotoki has quit IRC		14:35
dolphm	marekd: a couple reasons in my mind... but i completely share your hesitation!	14:35
marekd	dolphm: ok, if that's related to some future ideas and not only the federated token generation i am cool with that.	14:36
dolphm	marekd: A) ayoung wants to be able to issue revocation events when a group is deleted, and just emit the group id, rather than events for every role assignment on that group - it's just a performance improvement	14:36
*** vijendar has joined #openstack-dev		14:36
dolphm	marekd: B) the output of mapping is effectively groups, so it's useful to persist that output somehow	14:37
*** gordc has quit IRC		14:37
marekd	dolphm: i still elieve we must put it in the db. We cannot trust any client...	14:37
marekd	dolphm: I wouldn't...	14:38
*** IanGovett has quit IRC		14:38
marekd	dolphm: i mean, store a list of group_ids in a token backend.	14:38
*** gokrokve has quit IRC		14:38
dolphm	marekd: C) an ephemeral user could take advantage of a role assignment to a group without generating a new token (so, ephemeral user authenticates, receives an unscoped token with groups, admin assigns a role to one of those groups, ephemeral user can scope to new project without repeating a bunch of auth work)	14:38
*** joesavak has joined #openstack-dev		14:39
dolphm	marekd: for UUID tokens, they MUST be in the db	14:39
*** tdruiva_ has joined #openstack-dev		14:39
dolphm	marekd: for PKI tokens, the list of groups is effectively signed by keystone	14:39
dolphm	marekd: so the end user can't inject groups or anything	14:39
*** thuc has quit IRC		14:39
dolphm	(they could try, but the signature would then fail)	14:39
marekd	dolphm: ah, right!	14:40
*** btorch has quit IRC		14:40
*** thuc has joined #openstack-dev		14:40
*** tdruiva has quit IRC		14:40
*** medberry has joined #openstack-dev		14:40
*** medberry has quit IRC		14:40
*** medberry has joined #openstack-dev		14:40
*** lsmola has quit IRC		14:41
marekd	hmm, this might even work...	14:41
marekd	BRB	14:41
*** dbalog has joined #openstack-dev		14:42
*** coolsvap has joined #openstack-dev		14:42
*** doug_shelley66 has joined #openstack-dev		14:44
*** peristeri has joined #openstack-dev		14:44
*** thuc has quit IRC		14:44
*** tdruiva_ has quit IRC		14:45
*** irenab has quit IRC		14:47
*** jmckind has joined #openstack-dev		14:47
marekd	RE	14:47
*** wchrisj_ has quit IRC		14:48
*** hnarkaytis has quit IRC		14:48
*** bswartz has joined #openstack-dev		14:49
*** jdob_ has joined #openstack-dev		14:49
*** jdob has quit IRC		14:49
*** clayb has joined #openstack-dev		14:50
*** armax has joined #openstack-dev		14:50
*** neeti has quit IRC		14:50
*** adreznec has joined #openstack-dev		14:51
*** angdraug has joined #openstack-dev		14:51
*** jcooley_ has joined #openstack-dev		14:51
*** morazi has joined #openstack-dev		14:52
*** lbragstad has joined #openstack-dev		14:52
*** mflobo_ has quit IRC		14:52
*** jecarey has joined #openstack-dev		14:53
*** lsmola has joined #openstack-dev		14:53
*** DinaBelova_ is now known as DinaBelova		14:54
*** boris-42_ has quit IRC		14:54
*** Jabadia has quit IRC		14:57
*** jcooley_ has quit IRC		14:57
*** sgordon has quit IRC		14:58
*** radez_g0n3 is now known as radez		14:59
*** aveiga has quit IRC		14:59
marekd	dolphm: i am rereading our discussion one more time, and I might be getting into a vicious circle but...if the unscoped token returns a list of user grups, and doesn't store them in the backend a client cannot simply issue GET /v3/OS-FEDERATION/projects - assertion is already gone, a list of groups is not stored at the server side. So, rather POST with the list of groups rather than GET.	14:59
*** tmclaugh[work] has joined #openstack-dev		14:59
*** mfer has joined #openstack-dev		15:00
dolphm	marekd: if the list of groups is in the user's token, then GET /v3/OS-FEDERATION/projects has to be an authenticated call with X-Auth-Token: <unscoped token containing groups>	15:00
*** kevinconway has joined #openstack-dev		15:00
marekd	dolphm: ok, makes sense!	15:01
marekd	dolphm: thanks	15:01
*** devoid has joined #openstack-dev		15:01
*** READ10 has joined #openstack-dev		15:01
*** dvarga is now known as dvarga\|away		15:03
*** dvarga\|away is now known as dvarga		15:03
*** MaxV has quit IRC		15:03
*** devoid has quit IRC		15:03
*** nshaikh has left #openstack-dev		15:03
marekd	dolphm: but...no, wait. If we use uuid tokens then it's already stored in the db, so is a list of groups, and if it's the PKI token, the token from X-Auth-Token already has a list of groups, and these can be used. Am I right?	15:04
*** jasondotstar has joined #openstack-dev		15:04
*** sahid has quit IRC		15:04
*** matrohon has quit IRC		15:05
*** lsmola has quit IRC		15:05
*** jobewan has joined #openstack-dev		15:06
*** tdruiva has joined #openstack-dev		15:09
*** sweston has quit IRC		15:10
*** paragan has quit IRC		15:10
*** pmathews has joined #openstack-dev		15:10
*** sgordon has joined #openstack-dev		15:10
dolphm	marekd: correct	15:11
marekd	dolphm: uff	15:12
*** krotscheck has joined #openstack-dev		15:12
*** jobewan has quit IRC		15:12
dolphm	marekd: either way you could implement something like self.token_api.list_groups_for_token(token_id) -- which may or may not hit the database	15:12
*** jdob has joined #openstack-dev		15:13
dolphm	marekd: or have groups available in context, based on gyee's work	15:13
dolphm	marekd: context['groups']	15:13
marekd	dolphm: already available or somewhere on the review.openstack.org?	15:13
*** sarob has joined #openstack-dev		15:13
dolphm	marekd: it's in review	15:13
*** FunnyLookinHat has quit IRC		15:13
marekd	link?	15:14
dolphm	marekd: obviously it doesn't support groups yet, but...	15:14
dolphm	marekd: finding it	15:14
dolphm	marekd: actually, it looks to be merged https://review.openstack.org/#/c/56333/	15:15
*** MaxV has joined #openstack-dev		15:16
*** stevemar has joined #openstack-dev		15:16
*** stevemar has quit IRC		15:16
*** dkranz has joined #openstack-dev		15:16
*** stevemar has joined #openstack-dev		15:16
*** tjones has joined #openstack-dev		15:17
*** nelsnelson has quit IRC		15:17
dstanek	dolphm: migrations should still be sqlalchemy-migrate right?	15:17
*** AlexF has quit IRC		15:17
*** galstrom_zzz is now known as galstrom		15:17
*** nelsnelson has joined #openstack-dev		15:17
*** sarob has quit IRC		15:18
*** lsmola has joined #openstack-dev		15:18
*** IanGovett has joined #openstack-dev		15:18
*** jdob_ has quit IRC		15:19
*** gszasz_ has joined #openstack-dev		15:20
Alexei_987	sdague: Hi could you please take a look at https://review.openstack.org/#/c/65863/ ?	15:20
*** IanGovett1 has joined #openstack-dev		15:20
*** tjones has quit IRC		15:21
*** jnoller has joined #openstack-dev		15:22
*** MaxV has quit IRC		15:22
*** jistr has quit IRC		15:23
*** IanGovett has quit IRC		15:23
*** jistr has joined #openstack-dev		15:23
*** MaxV has joined #openstack-dev		15:23
*** eharney has joined #openstack-dev		15:23
*** gszasz has quit IRC		15:24
*** gordc has joined #openstack-dev		15:24
*** sushils has quit IRC		15:24
bugsdugg1n	Has anyone else had issues installing devstack (from the current HEAD of master)? Looks like a Keystone issue	15:25
*** carlp has joined #openstack-dev		15:27
dolphm	dstanek: unless you want to switch us over to alembic	15:27
*** jobewan has joined #openstack-dev		15:27
dolphm	bugsdugg1n: what is the issue(s)?	15:27
dstanek	dolphm: at this point i'll pass :-)	15:28
*** corXi has quit IRC		15:28
*** guardianx has quit IRC		15:28
*** ayoung-zZzZzZ has joined #openstack-dev		15:29
*** gokrokve has joined #openstack-dev		15:29
bugsdugg1n	dolphm: keystone can't find user glance-swift, which makes me think I've missed a configuration step	15:29
dolphm	bugsdugg1n: yeah, that doesn't sound like keystone's fault :P	15:30
*** bhuvan has quit IRC		15:30
*** gokrokve_ has joined #openstack-dev		15:30
bugsdugg1n	dolphm: agreed.	15:30
*** bugsdugg1n is now known as bugsduggan		15:30
YorikSar	dolphm: I wonder if there are any plans to switch to alembic	15:30
dolphm	YorikSar: ayoung was going to switch us over during havana, but got distracted	15:31
*** aditirav has joined #openstack-dev		15:31
*** bhuvan has joined #openstack-dev		15:31
bugsduggan	dolphm: fyi, looks like I hit this: https://bugs.launchpad.net/devstack/+bug/1276029	15:32
YorikSar	dolphm: Looks like we should do it in early Juno,	15:33
*** gokrokve has quit IRC		15:33
*** drewlander has quit IRC		15:33
*** doug-fish2 has joined #openstack-dev		15:33
*** doug-fish has quit IRC		15:33
dolphm	bugsduggan: bug description makes sense -- let me know if you find a link to the patch	15:33
bugsduggan	dolphm: will do	15:34
dstanek	dolphm, YorikSar: does a switch over mean a rewrite of existing migrations?	15:34
*** david-lyle has joined #openstack-dev		15:34
*** jruzicka has joined #openstack-dev		15:34
dolphm	dstanek: not the way ceilometer did it	15:35
YorikSar	dstanek: Having sqla-migrate migration stop at some point (release is a good point for this) and alembic migrations run after that should be good enough.	15:35
*** vartom1111111115 has quit IRC		15:35
*** terriyu has joined #openstack-dev		15:35
*** jgrimm_ has joined #openstack-dev		15:35
dolphm	dstanek: they just changed db_sync to first run sqlalchemy-migrate upgrade, then run alembic upgrade, for example	15:35
*** kenperkins has joined #openstack-dev		15:36
dolphm	dstanek: i don't know if/how they support downgrade or migrating to specific versions	15:36
dstanek	dolphm: now you have me interested	15:37
*** zzelle has quit IRC		15:40
*** zzelle has joined #openstack-dev		15:40
*** troytoman-away is now known as troytoman		15:41
*** troytoman is now known as troytoman-away		15:41
*** troytoman-away is now known as troytoman		15:42
*** troytoman is now known as troytoman-away		15:43
*** otherwiseguy has joined #openstack-dev		15:44
*** pradeep has quit IRC		15:45
*** jcooley_ has joined #openstack-dev		15:46
*** byeager has joined #openstack-dev		15:47
*** tsekiyama has joined #openstack-dev		15:47
*** amuller has quit IRC		15:47
*** tjones has joined #openstack-dev		15:49
*** gszasz_ has quit IRC		15:49
*** JordanP has quit IRC		15:49
shardy	dolphm: hi, quick question if you have a moment?	15:49
*** krotscheck has quit IRC		15:50
shardy	dolphm: Is it expected that the v2 tenant list contains projects from all domains, not just the default?	15:50
*** krotscheck has joined #openstack-dev		15:50
*** jprovazn is now known as jprovazn_afk		15:51
*** DinaBelova is now known as DinaBelova_		15:51
bknudson	request for keystone -- clear out keystone/tests/tmp/* and run tests	15:51
bknudson	does it work for you?	15:51
*** beagles_brb is now known as beagles		15:51
*** jcooley_ has quit IRC		15:51
dolphm	shardy: just hte default -- the entire v2 api is effectively "scoped" to a single domain, since it has no domain awareness	15:52
dolphm	shardy: that's the only purpose for the default domain, actually (it determines what's exposed by v2)	15:52
*** amotoki has joined #openstack-dev		15:53
*** DinaBelova_ is now known as DinaBelova		15:53
shardy	dolphm: Hmm, that's what I thought, but I'm creating projects in a "heat" domain and they show up with "keystone tenant-list"	15:53
*** alex_klimov has quit IRC		15:53
shardy	maybe something weird in my environment, but I've tried two openstack installs and they both do the same	15:53
dolphm	shardy: and default_domain_id != heat ?	15:54
shardy	dolphm: Yeah default_domain_id is not set in keystone.conf	15:54
dolphm	:(	15:54
shardy	maybe I'm doing something dumb, will keep digging	15:55
dolphm	shardy: it's probably a valid bug -- our v2 / v3 interop tests are basically non existent outside of auth, and i don't think i've even tested that behavior myself	15:55
stevemar	bknudson, are you done with the doc changes? When I ran tox -e docs, I noticed a few more related to .rst files, but don't want to start fixing it, if you were planning on it	15:56
bknudson	stevemar: I've submitted several separate changes to fix different doc generation problems.	15:57
*** CaptTofu has quit IRC		15:57
bknudson	stevemar: I believe I'm done with it... what warnings are you seeing?	15:57
*** jpomero has joined #openstack-dev		15:58
stevemar	bknudson, i noticed, 1 that i approved, and 1 related to kds, the ones i'm seeing are related to doc/source/extension_development.rst	15:58
*** mhagedorn_ has joined #openstack-dev		15:58
stevemar	bknudson, just wondering if i missed a patch that you uploaded	15:58
shardy	dolphm: In that case, it's unfortunate the keystone CLI isn't being migrated to v3, we'll end up hitting loads of weird bugs when users continue to use it :(	15:58
bknudson	stevemar: I don't think I have a fix for that one	15:59
mhagedorn_	Kind of a newbie question, Vanilla install of devstack, checked the identity service(Keystone) address. Noticed that in order to get it to work, I had to append "/tokens" to the end of the URL. Is this a mistake in the registration code in devstack for Keystone?	16:00
dolphm	shardy: we need to push harder for python-openstackclient	16:00
dolphm	mhagedorn_: change the address where?	16:01
stevemar	bknudson, http://paste.openstack.org/show/62449/	16:01
*** giroro_ has quit IRC		16:01
*** tanisdl has joined #openstack-dev		16:01
*** sweston has joined #openstack-dev		16:01
*** atiwari has joined #openstack-dev		16:01
stevemar	bknudson, i can fix em up	16:01
bknudson	stevemar: I saw the extension_development.rst failure once but then it went away somehow.	16:01
mhagedorn_	the registered address for the Keystone service, in my vanilla devstack install, comes up with an inappropriate address	16:01
dolphm	stevemar: if we can clean up 100% of those warnings, i'd love to gate against them	16:01
bknudson	or maybe I stopped noticing it.	16:01
stevemar	dolphm, +++++	16:01
dolphm	stevemar: i'm really tired of having to point crap like that out in code review	16:02
mhagedorn_	i.e. I had to append "/tokens" to the address to get it to work	16:02
*** xazel is now known as enykeev		16:02
bknudson	I don't know how to fix the prob with "WARNING: missing attribute mentioned in :members: or __all__"	16:02
stevemar	dolphm, there are some, unfortunately coming from oslo	16:02
*** changlp has quit IRC		16:02
*** changlp has joined #openstack-dev		16:02
bknudson	stevemar: I proposed fixes to oslo.	16:02
mhagedorn_	dolphm.. does that make sense?	16:02
stevemar	bknudson, yay!	16:02
*** iamben_tw is now known as chang1p		16:02
*** adreznec has quit IRC		16:02
bknudson	like these other changes they are slow to be accepted	16:02
mhagedorn_	its like horizon is displaying bad info	16:02
*** CaptTofu has joined #openstack-dev		16:02
*** Drankis has quit IRC		16:03
*** mrodden has quit IRC		16:03
dolphm	mhagedorn_: what's the specific change you're making? i'm not sure what you mean by "the address"	16:03
*** chang1p has quit IRC		16:03
*** Ruetobas has joined #openstack-dev		16:03
viktors	dhellmann: hello	16:03
dolphm	mhagedorn_: can you post a diff?	16:03
*** iamben_tw has joined #openstack-dev		16:03
dhellmann	viktors: hi	16:03
dolphm	mhagedorn_: http://paste.openstack.org	16:03
*** carl_baldwin has joined #openstack-dev		16:03
viktors	dhellmann: a few questions to you.	16:04
*** hk_peter has joined #openstack-dev		16:04
*** JordanP has joined #openstack-dev		16:04
hk_peter	Hey guy, do you want to join the project Titan team, to develop a mature management tool for openstack? http://peter.kingofcoders.com	16:04
*** drewlander has joined #openstack-dev		16:04
viktors	dhellmann: patch https://review.openstack.org/#/c/68684 (Don't store engine instances in oslo.db). How do you suppose use Model save() method?	16:05
mhagedorn_	dolphm please see http://paste.openstack.org/show/62450/	16:05
viktors	dhellmann: I think, we can fix it's usage in projects	16:05
dhellmann	viktors: I'm worried about projects delaying adoption of oslo.db as a library because of having to make significant code changes	16:06
dhellmann	viktors: I'm also worried it means syncing from the incubator into projects takes more time and effort	16:06
*** pablosan has quit IRC		16:06
*** kenperkins has quit IRC		16:06
*** kenperkins has joined #openstack-dev		16:07
*** krotscheck is now known as krotscheck_sick		16:07
*** pablosan has joined #openstack-dev		16:08
*** Ruetobas has quit IRC		16:08
viktors	dhellmann: anyway we will do the biggest change is - fix engine usage (because we remove global engine from Oslo).	16:08
*** bhuvan has quit IRC		16:09
*** jcooley_ has joined #openstack-dev		16:09
*** SumitNaiksatam has quit IRC		16:09
*** bhuvan has joined #openstack-dev		16:10
viktors	dhellmann: so, IMO, the minor change of save() method signature is not a big deal after it	16:10
*** angdraug has quit IRC		16:11
dhellmann	viktors: I just left a more detailed message on the changeset	16:11
viktors	dhellmann: ok, will look	16:11
*** emagana has joined #openstack-dev		16:13
*** mikeoutland has joined #openstack-dev		16:13
*** Ruetobas has joined #openstack-dev		16:13
*** Guest64422 is now known as mfisch		16:14
*** doude has joined #openstack-dev		16:14
*** doude has quit IRC		16:14
*** mfisch is now known as Guest19773		16:15
*** doude has joined #openstack-dev		16:16
*** aeperezt has joined #openstack-dev		16:16
*** mrodden has joined #openstack-dev		16:16
*** mdomsch has joined #openstack-dev		16:17
*** thouveng has quit IRC		16:17
*** bhuvan has quit IRC		16:17
*** bashok has quit IRC		16:18
*** tjones has quit IRC		16:18
*** adreznec has joined #openstack-dev		16:18
*** FunnyLookinHat has joined #openstack-dev		16:19
*** sweston has quit IRC		16:19
*** artom has quit IRC		16:20
*** dtantsur has quit IRC		16:20
*** terriyu has quit IRC		16:20
*** prad_ has joined #openstack-dev		16:20
*** xga has quit IRC		16:20
*** byeager has quit IRC		16:20
*** buzztroll has joined #openstack-dev		16:22
*** hemna has joined #openstack-dev		16:23
*** xarses has quit IRC		16:24
*** yeylon__ has quit IRC		16:24
*** rkukura_ has quit IRC		16:24
*** rkukura has joined #openstack-dev		16:25
*** xqueralt has quit IRC		16:25
*** jobewan has quit IRC		16:25
*** emagana has quit IRC		16:26
*** hk_peter has quit IRC		16:27
*** pablosan has quit IRC		16:27
*** mikeoutland has quit IRC		16:28
*** baoli has quit IRC		16:28
*** kbrierly has quit IRC		16:28
*** Shaan7 has joined #openstack-dev		16:29
*** Shaan7 has quit IRC		16:29
*** Shaan7 has joined #openstack-dev		16:29
*** emagana has joined #openstack-dev		16:31
*** ala has quit IRC		16:31
*** pablosan has joined #openstack-dev		16:31
dhellmann	viktors: I would feel more comfortable if I understood the upgrade path better	16:31
viktors	dhellmann: something like proof-of-concept to Nova?	16:32
*** max_lobur has quit IRC		16:33
*** topol has joined #openstack-dev		16:34
*** matrohon has joined #openstack-dev		16:34
dhellmann	viktors: that would help, sure	16:34
*** hemna has quit IRC		16:34
*** michchap has joined #openstack-dev		16:34
*** max_lobur has joined #openstack-dev		16:35
pcm	Can anyone help me with an issue I'm having trying to push some WIP code to Gerrit?	16:35
*** FunnyLookinHat has quit IRC		16:36
viktors	dhellmann: ok, will do it, but I'm not sure about today	16:36
*** drewlander has quit IRC		16:37
*** SumitNaiksatam has joined #openstack-dev		16:37
*** tkammer has quit IRC		16:37
dhellmann	viktors: no problem	16:37
*** kgriffs is now known as kgriffs_afk		16:37
viktors	dhellmann: one more question	16:38
viktors	patch https://review.openstack.org/#/c/68693 (Don't use cfg.CONF in oslo.db), patch-set 5, file options.py	16:38
viktors	dhellmann: you told, that we need a discovery function registered for bp improve-config-discovery-for-docs to work with the new lib	16:38
dhellmann	viktors: yes, that can come later	16:38
viktors	dhellmann: can you please provide more information about it? Or an example of such function	16:38
*** michchap has quit IRC		16:38
*** thuc has joined #openstack-dev		16:39
viktors	dhellmann: oh, later	16:39
*** lsmola has quit IRC		16:39
dhellmann	viktors: http://git.openstack.org/cgit/openstack/oslo.messaging/tree/oslo/messaging/opts.py#n56	16:39
*** zaitcev has joined #openstack-dev		16:39
viktors	dhellmann: thanks	16:39
dhellmann	viktors: registered like http://git.openstack.org/cgit/openstack/oslo.messaging/tree/setup.cfg#n53	16:39
*** belmoreira has quit IRC		16:39
*** thuc_ has joined #openstack-dev		16:40
viktors	dhellmann: will look at it	16:40
dhellmann	viktors: let me know if you run into issues	16:40
*** jcooley_ has quit IRC		16:40
viktors	dhellmann: will do	16:41
*** ayoung-zZzZzZ is now known as ayoung		16:41
*** baoli has joined #openstack-dev		16:41
*** aditirav has quit IRC		16:41
*** emagana has quit IRC		16:41
*** markwash has joined #openstack-dev		16:41
*** markmcclain has joined #openstack-dev		16:42
*** thuc has quit IRC		16:43
*** tjones has joined #openstack-dev		16:44
*** mlavalle has joined #openstack-dev		16:44
ayoung	bknudson, dstanek https://review.openstack.org/#/c/68548/ please when you get a chance. I want to start moving along the pre-reqs for revocation ahead of the I3 crush	16:45
*** drewlander has joined #openstack-dev		16:45
*** aditirav has joined #openstack-dev		16:45
*** devoid has joined #openstack-dev		16:45
*** dvarga is now known as dvarga\|away		16:45
*** dvarga\|away is now known as dvarga		16:45
*** tjones has quit IRC		16:46
*** SergeyLukjanov is now known as SergeyLukjanov_a		16:46
bknudson	ayoung: all that stuff is ready to go?	16:47
*** feleouet has joined #openstack-dev		16:47
ayoung	bknudson, that one is	16:47
bknudson	ok	16:47
*** ijw has joined #openstack-dev		16:47
ayoung	and if there are going to be more changes along the notifications front, I need to shave that Yak early	16:47
*** jistr has quit IRC		16:47
*** JordanP has quit IRC		16:48
marekd	dolphm: can we basically assume that the federated unscoped token, apart from the 'user' will have just 'expires_at', 'issued_at' and probably 'methods' in a response json? Just like in here: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-responses	16:48
*** pablosan has quit IRC		16:49
*** bhuvan has joined #openstack-dev		16:49
bknudson	ayoung: ok, so here's a concern... in _disable_project we delete_tokens_for users... then invalidate_projects...	16:49
bknudson	an exception occurs in invalidate_projects	16:49
bknudson	so the notification of disabled project doesn't get sent?	16:49
*** pablosan has joined #openstack-dev		16:49
ayoung	actually, it would	16:49
*** edmund has joined #openstack-dev		16:49
*** angdraug has joined #openstack-dev		16:50
ayoung	if it doesn't it is a failure of the notifications system	16:50
ayoung	would->should	16:50
bknudson	ayoung: well, normally if the operation fails (e.g., update user) the user wouldn't be updated so there's no notification	16:50
*** marun has joined #openstack-dev		16:50
ayoung	bknudson, well, the logic on that has not changed, just the notification that is sent	16:50
ayoung	update user would have been sent on a disable in the past	16:51
*** tjones has joined #openstack-dev		16:51
ayoung	now a more explicit notification is sent, but the rules for sending it have not changed	16:51
*** mestery has joined #openstack-dev		16:51
*** mestery has quit IRC		16:51
*** AlexF has joined #openstack-dev		16:51
*** lsmola has joined #openstack-dev		16:51
ayoung	is this a problem?	16:51
bknudson	ayoung: updating a user is a multi-part process... part of it is revoking the tokens... I thought we wanted to be notified when the tokens are revoked	16:52
*** FunnyLookinHat has joined #openstack-dev		16:52
bknudson	ayoung: I'm not sure if it's a problem or not... you'd have tokens that are revoked according to revocation list but not according to events.	16:52
*** dprince has quit IRC		16:52
*** rcleere has joined #openstack-dev		16:52
bknudson	although maybe the tokens shouldn't have been revoked.	16:52
*** mestery has joined #openstack-dev		16:53
ayoung	bknudson, so a catch block around the delete tokens call?	16:53
*** ijw has quit IRC		16:53
*** CaptTofu has quit IRC		16:53
*** xqueralt has joined #openstack-dev		16:53
*** ijw has joined #openstack-dev		16:54
bknudson	ayoung: I guess this isn't really related to disabling projects... more about how I thought it was going to be used for revocations.	16:54
*** ijw has quit IRC		16:54
*** thedodd has joined #openstack-dev		16:54
*** pcm has quit IRC		16:55
*** Ryan_Lane has joined #openstack-dev		16:55
*** afazekas has quit IRC		16:55
*** pcm_ has joined #openstack-dev		16:55
*** smurugesan has joined #openstack-dev		16:56
*** carlp has quit IRC		16:57
*** boris-42_ has joined #openstack-dev		16:57
*** xmltok has joined #openstack-dev		16:57
*** galstrom is now known as galstrom_zzz		16:59
*** e0ne_ has quit IRC		16:59
shardy	dolphm: I raised https://bugs.launchpad.net/keystone/+bug/1276244, but I'm not sure if it's a bug or just a property of v2 admin-ness I didn't expect	17:00
*** sweston has joined #openstack-dev		17:00
*** AlexF has quit IRC		17:00
*** boris-42_ is now known as boris-42		17:00
*** kbrierly has joined #openstack-dev		17:01
*** CaptTofu has joined #openstack-dev		17:01
*** jcoufal_ has joined #openstack-dev		17:02
*** jcoufal has quit IRC		17:02
*** pmathews has quit IRC		17:02
*** mestery has quit IRC		17:02
*** pmathews has joined #openstack-dev		17:03
*** I159 has quit IRC		17:03
*** FunnyLookinHat has quit IRC		17:03
*** mestery has joined #openstack-dev		17:03
*** boris-42 is now known as boris-42_		17:04
*** mestery has quit IRC		17:05
*** markmc has quit IRC		17:05
*** mestery has joined #openstack-dev		17:06
*** Mandell_ has quit IRC		17:06
*** bvandenh has quit IRC		17:06
*** tdruiva_ has joined #openstack-dev		17:07
*** terriyu has joined #openstack-dev		17:07
*** hcc is now known as hdd		17:07
*** _cjones_ has joined #openstack-dev		17:07
*** xarses has joined #openstack-dev		17:07
*** tdruiva has quit IRC		17:08
*** galstrom_zzz is now known as galstrom		17:09
mriedem	has anyone thought about hooking something into our tox runs where if -r is used, we automatically delete all pyc's?	17:09
*** tdruiva_ has quit IRC		17:09
*** ppetit has quit IRC		17:09
mriedem	a few people hit some duplicate opt errors from oslo.config with the oslo.messaging change in nova last week - deleting pyc's fixed it	17:10
mriedem	seems we could make that automatic with tox -r	17:10
*** gyee has joined #openstack-dev		17:10
*** mestery_ has joined #openstack-dev		17:10
*** kdbrierly has joined #openstack-dev		17:10
*** tdruiva has joined #openstack-dev		17:10
*** AlanClark has joined #openstack-dev		17:10
*** gyee has quit IRC		17:11
*** mestery_ has quit IRC		17:11
*** digambar has joined #openstack-dev		17:11
*** mestery has quit IRC		17:11
*** kbrierly has quit IRC		17:11
*** mestery has joined #openstack-dev		17:12
*** neelashah has joined #openstack-dev		17:12
*** JonnyNomad has joined #openstack-dev		17:12
*** ifarkas has quit IRC		17:12
*** marcoemorais has joined #openstack-dev		17:13
*** gyee has joined #openstack-dev		17:13
*** sarob has joined #openstack-dev		17:13
*** sweston has quit IRC		17:14
*** slagle has quit IRC		17:15
ekarlso	sandywalsh_: around ?	17:16
ekarlso	you tried to ping me on irc earlier.	17:16
*** peoplemerge has joined #openstack-dev		17:17
*** omachace has quit IRC		17:18
*** sarob has quit IRC		17:20
*** AlexF has joined #openstack-dev		17:21
*** mrunge has quit IRC		17:21
*** drewlander has quit IRC		17:22
*** salv-orlando has quit IRC		17:23
*** bauzas has quit IRC		17:24
*** sweston has joined #openstack-dev		17:24
*** tdruiva_ has joined #openstack-dev		17:24
tjones	mriedem: i'm hitting that error now - delete the pyc in /opt/stack/…??	17:25
*** jasondotstar has quit IRC		17:25
*** salv-orlando has joined #openstack-dev		17:26
*** nkinder has quit IRC		17:26
*** tdruiva has quit IRC		17:27
*** vartom1111111115 has joined #openstack-dev		17:27
marekd	stevemar: ping.	17:29
*** tdruiva_ has quit IRC		17:29
*** omachace has joined #openstack-dev		17:30
*** tdruiva has joined #openstack-dev		17:30
*** omachace has left #openstack-dev		17:31
*** AlexF has quit IRC		17:31
*** galstrom is now known as galstrom_zzz		17:31
tellesnobrega	anyone from oslo here?	17:32
dhellmann	tellesnobrega: hi	17:32
*** Gaston_Severina has joined #openstack-dev		17:33
*** godara has joined #openstack-dev		17:33
*** mestery_ has joined #openstack-dev		17:34
*** amotoki has quit IRC		17:34
*** jcooley_ has joined #openstack-dev		17:34
*** vartom1111111115 has quit IRC		17:35
*** marcoemorais has quit IRC		17:35
gordc	tjones: delete /opt/stack/nova/openstack/common/notifier folder. that worked for me (there's probably a few more folders with just .pyc files in it which you can also delete)	17:35
lifeless	jamielennox: I wasn't, I am.	17:36
*** AlexF has joined #openstack-dev		17:36
tjones	gordc: thanks	17:36
*** athomas has quit IRC		17:37
*** Sumeniac2 has quit IRC		17:37
*** mestery has quit IRC		17:38
*** Sumeniac has joined #openstack-dev		17:38
mriedem	tjones: in /opt/stack/nova	17:38
mriedem	yeah	17:38
*** moted has joined #openstack-dev		17:38
mriedem	tjones: gordc: point is, deleting pyc's is usually an afterthought, would be nice if we could automatically delete pyc's when rebuilding the venv	17:39
mriedem	wasn't sure if someone else has tried that before though	17:39
mriedem	russellb: ^?	17:39
tjones	mriedem: im having a whole bunch of env issues (been on vacation for 2 weeks). If you want me to try something im happy to do it	17:39
*** bdpayne has joined #openstack-dev		17:40
gordc	mriedem: agreed. especially for those not working on project and blindly pulling in patches like me. i have no idea what was dropped and needs to be cleaned up.	17:40
*** sarob has joined #openstack-dev		17:41
*** adreznec has quit IRC		17:42
*** sandywalsh_ has quit IRC		17:42
*** Sumeniac has quit IRC		17:42
*** hemna has joined #openstack-dev		17:43
*** sandywalsh has joined #openstack-dev		17:43
ayoung	morganfainberg_Z, let me know when you are awake	17:43
*** SpamapS_ is now known as SpamapS		17:43
*** jasondotstar has joined #openstack-dev		17:44
*** jcooley_ has quit IRC		17:44
*** AlexF has quit IRC		17:44
*** tshirtma1 has joined #openstack-dev		17:45
*** sgran has quit IRC		17:46
*** tshirtman has quit IRC		17:46
*** julienvey has quit IRC		17:46
*** ctlaugh_ has quit IRC		17:46
*** creiht has quit IRC		17:46
*** BStokes has quit IRC		17:46
*** stannie has quit IRC		17:46
*** ctlaugh has joined #openstack-dev		17:46
*** sarob has quit IRC		17:46
*** BStokes has joined #openstack-dev		17:46
*** creiht has joined #openstack-dev		17:47
*** apevec has joined #openstack-dev		17:47
*** MaxV has quit IRC		17:47
apevec	dolphm, ayoung - I'd appreciate few Keystone Core eye on this stable/havana only patch: https://review.openstack.org/66149	17:48
apevec	it's discussed as an exception for 2013.2.2 on stable-maint list	17:48
dolphm	bknudson, dstanek, jamielennox, stevemar, gyee, henrynash ^	17:48
*** Gordonz has joined #openstack-dev		17:48
*** stannie has joined #openstack-dev		17:48
*** sgran has joined #openstack-dev		17:48
*** burt1 has joined #openstack-dev		17:49
*** julienvey has joined #openstack-dev		17:49
*** otherwiseguy has quit IRC		17:49
*** aditirav has quit IRC		17:49
dolphm	morganfainberg_Z: needs a recheck ^ looks to be a transient against pip	17:49
bknudson	why not a cherry-pick?	17:49
*** sarob has joined #openstack-dev		17:49
tellesnobrega	dhellmann: hi, i was looking into some of the service, nova, cinder, neutron, they all have similar context code, do you know why they don't use oslo context?	17:49
apevec	bknudson, there's nothing cherry-pickable afaict	17:50
*** Sumeniac has joined #openstack-dev		17:50
apevec	fix in icehouse is the whole new feature, isn't it?	17:50
apevec	revocation events or something?	17:50
dhellmann	tellesnobrega: the context class in oslo probably came from one of those services, and the services haven't been updated to use the common version yet	17:50
*** sweston has quit IRC		17:50
*** eglynn-lunch has quit IRC		17:50
tellesnobrega	dhellmann: i see, do you have any ideas when (if) they are going to be updated?	17:51
*** sweston has joined #openstack-dev		17:51
bknudson	I believe this kind of thing is going to continue to be in keystone in icehouse.	17:51
ayoung	revocation events addresses this somewhat, but the old mechanism will be left in place dfor a while apevec	17:51
apevec	ayoung, bknudson, hmm, then we really need this on master first	17:51
*** AlexF has joined #openstack-dev		17:51
apevec	please add review comments!	17:51
dhellmann	tellesnobrega: someone just needs to do that work, I don't think there's any reason not to	17:51
dolphm	apevec: that last run failed with "pkg_resources.DistributionNotFound: SQLAlchemy>=0.7.3,<=0.7.9" -- that's not a known issue against stable requirements is it?	17:52
dolphm	source- http://logs.openstack.org/49/66149/2/check/check-grenade-dsvm/50595f9/logs/old/screen-c-vol.txt.gz	17:52
*** tsekiyama has quit IRC		17:53
tellesnobrega	dhellmann: i see. a coworker had a code rejected because no one is using the context yet, it may come in handy to put some services to use it, so oslo com improve	17:53
ayoung	it might be different in Icehouse due to the KVS Dogpile implementation	17:53
tellesnobrega	dhellmann: thanks for your help	17:53
*** drewlander has joined #openstack-dev		17:53
*** tsekiyama has joined #openstack-dev		17:53
ayoung	Someone in southern Cali go wake up morganfainberg_Z	17:53
*** Oneiroi has quit IRC		17:53
*** Gordonz has quit IRC		17:53
*** amcrn has joined #openstack-dev		17:53
*** xqueralt has quit IRC		17:53
apevec	dolphm, ugh, not that's "old" so Grizzly, lemme look what happened	17:54
*** adreznec has joined #openstack-dev		17:54
dhellmann	tellesnobrega: patch rejected where?	17:54
*** florentflament_ has quit IRC		17:54
*** salv-orlando_ has joined #openstack-dev		17:54
apevec	ah nice SQLAlchemy==0.7.10 in pip-freeze	17:54
tellesnobrega	dhellmann: yes, a while back. it included domain_id in context	17:54
*** dprince has joined #openstack-dev		17:54
*** jgallard has quit IRC		17:54
*** gokrokve_ has quit IRC		17:54
* apevec sighs		17:54
*** jkyle has joined #openstack-dev		17:55
*** nmagnezi has quit IRC		17:55
apevec	dolphm, so we need to fix Grizzly to pass havana	17:55
dhellmann	tellesnobrega: which project rejected it?	17:55
*** sweston has quit IRC		17:55
*** lucasagomes has quit IRC		17:55
*** gokrokve_ has joined #openstack-dev		17:55
*** alop has joined #openstack-dev		17:55
*** kgriffs_afk is now known as kgriffs		17:56
tellesnobrega	dhellmann: i will find the patch to link it to you	17:56
dhellmann	tellesnobrega: ok	17:56
*** salv-orlando_ has quit IRC		17:56
*** sgordon has quit IRC		17:57
jaypipes	jamielennox: https://review.openstack.org/#/c/71044/	17:57
*** dvarga is now known as dvarga\|away		17:57
*** dvarga\|away is now known as dvarga		17:57
*** salv-orlando_ has joined #openstack-dev		17:57
*** salv-orlando has quit IRC		17:57
*** salv-orlando_ is now known as salv-orlando		17:57
dolphm	bknudson: looking at the meeting agenda and your patch -- are you just trying to support role assignments on ephemeral users?	17:57
*** byeager has joined #openstack-dev		17:58
tellesnobrega	dhellmann: sorry, i made a mistake, it was in nova	17:58
tellesnobrega	oslo accepted it	17:58
dhellmann	tellesnobrega: ok, if nova is not using the oslo context yet that's something separate to work on	17:58
bknudson	dolphm: get_project_users returns the users for the project... but the user might not exist due to federation.	17:58
*** harlowja_away is now known as harlowja		17:59
tellesnobrega	dhellmann: i see	17:59
dolphm	bknudson: i don't think the initial conditions make sense	17:59
bknudson	dolphm: maybe federation doesn't go through this code?	17:59
*** comay has joined #openstack-dev		17:59
dolphm	bknudson: ++ this should be unsupported for ephemeral users	17:59
*** mmagr has quit IRC		17:59
topol	dolphm., ping (meeting time)	17:59
*** gordc1 has joined #openstack-dev		17:59
*** AlexF has quit IRC		17:59
*** alop_ has joined #openstack-dev		17:59
bknudson	dolphm: so just don't return the users? return 404 Not Found?	17:59
dolphm	topol: ping our room is occupied lol	18:00
dolphm	bknudson: i think there's a problem before you ever get to this code	18:00
*** KurtMartin is now known as kmartin		18:00
topol	ayoung kicked them out	18:00
bknudson	dolphm: well, it used to be that we couldn't add role refs for users that don't exist, and now we can.	18:00
*** alop has quit IRC		18:01
*** alop_ is now known as alop		18:01
*** amuller has joined #openstack-dev		18:01
*** morganfainberg_Z is now known as morganfainberg		18:01
*** gcha has quit IRC		18:01
morganfainberg	dolphm o/	18:02
*** gordc has quit IRC		18:02
*** marcoemorais has joined #openstack-dev		18:02
*** kushal has joined #openstack-dev		18:02
*** buzztroll has quit IRC		18:03
*** buzztroll has joined #openstack-dev		18:03
*** marcoemorais has quit IRC		18:04
*** nati_ueno has joined #openstack-dev		18:04
*** max_lobur is now known as max_lobur_afk		18:05
*** FunnyLookinHat has joined #openstack-dev		18:05
*** otherwiseguy has joined #openstack-dev		18:05
*** SergeyLukjanov_a is now known as SergeyLukjanov		18:05
*** galstrom_zzz is now known as galstrom		18:05
*** rraja_ has joined #openstack-dev		18:06
*** nacim has quit IRC		18:06
*** rraja has joined #openstack-dev		18:07
*** e0ne has joined #openstack-dev		18:08
*** byeager has quit IRC		18:12
*** FunnyLookinHat has quit IRC		18:13
*** marcoemorais has joined #openstack-dev		18:13
*** sarob has quit IRC		18:14
*** FunnyLookinHat has joined #openstack-dev		18:14
*** sarob has joined #openstack-dev		18:15
*** coolsvap is now known as coolsvap_away		18:16
*** neelashah has quit IRC		18:17
*** neelashah has joined #openstack-dev		18:18
*** pberis has joined #openstack-dev		18:18
dolphm	luisg: can you step into #openstack-meeting please?	18:19
jamielennox	luisg: step into my office	18:20
*** kenperkins_ has joined #openstack-dev		18:20
YorikSar	ayoung: Hello. Around?	18:22
ayoung	YorikSar, yeah...in the Keystone meeting ATM	18:22
*** neelashah has quit IRC		18:22
*** AlexF has joined #openstack-dev		18:22
ayoung	YorikSar, I'm going to guess your question is about expires_at?	18:22
YorikSar	ayoung: Yes, exactly :)	18:22
YorikSar	ayoung: It can wait till after the meeting	18:23
ayoung	YorikSar, OK, so only user tokens are ever going to use that	18:23
ayoung	if I use a token to get antoher token, they both have the same expires_at	18:23
*** kenperkins has quit IRC		18:23
ayoung	this way, if I want to revoke a token AND all of the tokens it created, I revoke userid=<me> and expires_at = <expiresat of first token>	18:23
*** michchap has joined #openstack-dev		18:24
jamielennox	jaypipes: ok, that patch is cool - it might be easiest if i just rebase the others on top of that as there isn't any real ordering requirement on the others	18:24
ayoung	we are a little brutal, in that if I revoke the last token of the list created via 25 tokens prior, all 26 tokens get revoked	18:24
*** jcooley_ has joined #openstack-dev		18:24
jamielennox	jaypipes: might be useful to tag it with the bp	18:24
ayoung	YorikSar, so only a small subset of revocation events will have "expires_at" set	18:24
ayoung	YorikSar, we are ordering the events on "revoked_at" not for lifespan, but to be able to continually query the server	18:25
jaypipes	jamielennox: sure, go for it.	18:25
ayoung	and get only events we haven't seen in the past, hence "last_fetched"	18:25
*** jcooley_ has quit IRC		18:26
*** hartsocks has joined #openstack-dev		18:26
YorikSar	ayoung: Oh, wait. Looks like I've mixed up expries_at and issued_at.	18:27
*** dkehn has quit IRC		18:27
*** danpb has quit IRC		18:27
*** martyntaylor has left #openstack-dev		18:28
ayoung	YorikSar, yeah, and issued_at is only used in a > comparison with idssued_before	18:28
*** thuc_ has quit IRC		18:28
*** michchap has quit IRC		18:28
*** thuc has joined #openstack-dev		18:29
*** safchain has quit IRC		18:30
YorikSar	ayoung: So... We have 3 timestaps there: revoke_at, expires_at and issued_at.	18:31
YorikSar	ayoung: I get that expires_at is like a birthmark on all tokens that are generated from one ancestor.	18:31
YorikSar	ayoung: (we can probably use some more explicit mark though)	18:32
ayoung	YorikSar, yeah. But only issued_at is guaranteed to be there, and revoke_at is not part of the public API, just used for internal ordering	18:32
ayoung	YorikSar, userid + expires at is good enough	18:32
*** ijw has joined #openstack-dev		18:32
ayoung	farily common solution to this problem, I've been informed.	18:33
*** ijw has quit IRC		18:33
*** e0ne_ has joined #openstack-dev		18:33
YorikSar	ayoung: Can't I generate a token from another token with different expiration time?	18:33
*** thuc has quit IRC		18:33
YorikSar	Like subtract a second	18:33
*** changbl has joined #openstack-dev		18:34
YorikSar	iirc I can provide extiration time in token request.	18:34
ayoung	nope	18:34
*** sgordon has joined #openstack-dev		18:35
ayoung	pretty certain we made that illegal. If not...well it is a bug	18:35
*** e0ne has quit IRC		18:35
*** gokrokve_ has quit IRC		18:35
*** gokrokve has joined #openstack-dev		18:36
*** thuc has joined #openstack-dev		18:36
*** ijw_ has joined #openstack-dev		18:37
YorikSar	ayoung: I'll check it. But from code it looks like we set expires to the default value only if it's not set already.	18:38
*** mestery_ has quit IRC		18:38
*** zzelle_ has joined #openstack-dev		18:38
*** dprince has quit IRC		18:39
*** yassine has quit IRC		18:39
ayoung	YorikSar, if it comes in the existing token, they cannot extend it. If they can, it is a bug	18:39
*** neelashah has joined #openstack-dev		18:40
*** ijw_ has quit IRC		18:40
*** jpich has quit IRC		18:40
*** cagrev_ has joined #openstack-dev		18:40
*** arnaud___ has joined #openstack-dev		18:40
*** arnaud__ has joined #openstack-dev		18:40
*** markmcclain has quit IRC		18:40
*** gokrokve has quit IRC		18:41
YorikSar	ayoung: Ok, I believe you and will check it tomorrow just to learn more about auth process.	18:41
ayoung	YorikSar, look here:	18:41
ayoung	https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py	18:41
*** sdake has quit IRC		18:42
YorikSar	ayoung: Yeah, I'm looking at it :)	18:42
*** jistr has joined #openstack-dev		18:42
*** ijw_ has joined #openstack-dev		18:43
*** sdake has joined #openstack-dev		18:43
*** sdake has quit IRC		18:43
*** sdake has joined #openstack-dev		18:43
*** byeager has joined #openstack-dev		18:43
ayoung	YorikSar, it is possible something sneaks in from either the auth controller, the token controller, or one of the auth plugins, but fairly certain we test against that. It would be a secureity hole if a user could etend their token lifespan. But it may be that we don't check to see if they can shorten it...pretty sure we don't let the user touch it, though.	18:44
*** dims has joined #openstack-dev		18:44
*** Gordonz has joined #openstack-dev		18:45
YorikSar	ayoung: Yeah... Let's get back to revokation. I don't get the meaning of revoke_at, actually.	18:47
*** slagle has joined #openstack-dev		18:47
ayoung	YorikSar, it means "when the revocation event was recorded"	18:48
*** Gordonz has quit IRC		18:49
*** jprovazn_afk is now known as jprovazn		18:50
YorikSar	ayoung: Yes, but why do we forget about revocations that happened before default token expiration time + 30m?	18:50
ayoung	YorikSar, to clean out the database. Otherwise it will keep growing and fill all available space. We have that problem with the token database today.	18:50
*** byeager has quit IRC		18:51
*** thedodd has quit IRC		18:51
devananda	mikal: iirc, you had some tools for reviewing reviewers? was there anything that aggregated someone's review feedback, like if i want to see all the comments left by user 1234	18:51
YorikSar	ayoung: But what if the user generated a token for a day and then got fired, waited for an hour and came back with this token? It won't be revoked anymore.	18:52
ayoung	revocation is one hour, and you can't make a token for longer than that	18:53
ayoung	YorikSar, we can make the window longer, but we need to make sure people can't issue tokens longer than the window	18:54
*** jcooley_ has joined #openstack-dev		18:55
*** gokrokve has joined #openstack-dev		18:55
YorikSar	ayoung: How do we limit token lifetime?	18:55
*** andreaf has quit IRC		18:55
*** sdake has quit IRC		18:55
ayoung	expires_at cannot be set by the user	18:55
*** aveiga has joined #openstack-dev		18:56
*** melwitt has joined #openstack-dev		18:56
YorikSar	ayoung: Oh, ok.	18:57
ayoung	YorikSar, the idea is that tokens really are not for authentication. They are short lived authorization documents, kindof like "visitors must check in at the window and get a guest pass"	18:58
YorikSar	ayoung: But still what if I want the user to never get a new token since midight for example? I add a revocation with user_id and issued_at=midnight.	18:58
ayoung	disable the user account	18:59
ayoung	revocations are not for that	18:59
ayoung	they are for already issued tokens	18:59
marekd	federation.	19:00
ayoung	bknudson, we need a default approach	19:00
dolphm	ayoung, bknudson, dstanek, jamielennox, morganfainberg, stevemar, gyee, henrynash, topol, marekd, lbragstad, joesavak, shardy, fabiog: picking up where we left off	19:00
*** gokrokve has quit IRC		19:00
* morganfainberg is listening here now		19:00
ayoung	but I don;t think we can rely on the IdP to provide the user id without something from Keystone mixed in.	19:00
*** fabiog has joined #openstack-dev		19:00
ayoung	Otherwise, they will be able to step on each other	19:00
dstanek	dolphm: that won't work with ephemeral tokens though - someone is always going to want to know that user X did these things to my cloud	19:00
YorikSar	ayoung: Ok, looks like I get it now...	19:00
*** Gordonz has joined #openstack-dev		19:00
*** markmcclain1 has joined #openstack-dev		19:00
ayoung	YorikSar, ++	19:00
bknudson	ayoung: I guess keystone could append/prefix the idp ID	19:00
* stevemar afk for 5 mins... then back to listening about federation		19:01
ayoung	YorikSar, BTW, I am going to update both the SQL and the KVS backends in other patches	19:01
YorikSar	ayoung: Thanks a lot for clarifications :)	19:01
*** Gordonz has quit IRC		19:01
ayoung	but include the comments you made in the Tree patch.	19:01
bknudson	ayoung: after it gets some user_id attribute from federation mapping.	19:01
stevemar	marekd, i'm ok with assuming there will always be a user entity	19:01
dolphm	with the exception of the "groups" attribute which I added this morning, this was the example federated token we produced at the hackathon https://gist.github.com/dolph/5cfa70c02f5b141060c5#token-as-a-result-of-federation	19:01
ayoung	bknudson, domain id, lets keep it separate from IdP id	19:01
ayoung	one IdP can have one or more Domains	19:01
*** Gordonz has joined #openstack-dev		19:01
*** markmcclain1 has quit IRC		19:01
*** byeager has joined #openstack-dev		19:02
ayoung	Then, an IdP registers its domain with Keystone	19:02
bknudson	ayoung: where do you define the IdP -> domain mapping?	19:02
*** bhuvan has quit IRC		19:02
*** bhuvan_ has joined #openstack-dev		19:02
*** rodrigods has joined #openstack-dev		19:02
*** hugokuo has quit IRC		19:02
dolphm	ayoung: what do idp's have to do with domains?	19:03
ayoung	"I provide 3 domains: Harvard School of Policy, Harvard Extension, and Harvard Medical School"	19:03
bknudson	https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md -- no mention of domains	19:03
*** jnoller has quit IRC		19:03
ayoung	dolphm, IdP is a service. Domain is a top level naming scope.	19:03
dolphm	that doesn't answer my question	19:03
*** amandap has quit IRC		19:03
*** mestery has joined #openstack-dev		19:04
ayoung	dolphm, Hosting company like Rackspace: you have employees and customers. Both come out of the same IdP. Each customer (company) gets its own domain.	19:04
ayoung	employees go into one domain	19:04
dolphm	ayoung: in the federated case, they're not users and don't have domains	19:05
bknudson	ayoung: so federation mapping generates a domain_id and user_id ?	19:05
dolphm	ayoung: they're ephemeral users from federated identity providers	19:05
ayoung	bknudson, "mapping" does not generate the domain id. It needs to be controlled by Keystone	19:05
*** jcoufal_ is now known as jcoufal		19:06
*** markmcclain has joined #openstack-dev		19:06
bknudson	ayoung: mappings are controlled by keystone -- https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md#create-a-mapping-put-os-federationmappingsmapping_id	19:06
*** hugokuo has joined #openstack-dev		19:06
*** gokrokve has joined #openstack-dev		19:06
*** dprince has joined #openstack-dev		19:06
*** kushal has quit IRC		19:07
*** amandap has joined #openstack-dev		19:07
ayoung	bknudson, yes, but assignment of domain ID needs to be a constrained list. It is OK for the IdP to assign it however they like, so long as it is one of the legal domain ids they are apportioned	19:07
*** tanisdl has quit IRC		19:07
*** eglynn-lunch has joined #openstack-dev		19:08
ayoung	domain is the top level "group" and it is the "we own the users" abstraction. Try and break that, and you are once again trying to change the language that people use to talk about Keystone. We did that with tenants and projects and we are going to be years sorting that one out.	19:08
*** e0ne_ has quit IRC		19:09
ayoung	Because we need to make Federation work along side the SQL identity backend, and the LDAP backend	19:09
*** AlexF has quit IRC		19:09
*** amuller has quit IRC		19:10
*** zzelle has quit IRC		19:10
*** gokrokve has quit IRC		19:11
*** Mandell has joined #openstack-dev		19:12
dolphm	ayoung: you're trying really hard to conflate local users with federated users, and i thought we decided at the summit to avoid that	19:12
*** rossella_s has quit IRC		19:13
bknudson	I really would like if federation didn't require local users/groups if we can avoid it.	19:13
* ayoung processing		19:13
jamielennox	gyee: are you here - you've been quiet	19:13
bknudson	let's just drop the identity backend.	19:13
dolphm	bknudson: if we jump straight to ABAC, then yes	19:13
bknudson	deprecate it	19:13
*** salv-orlando has quit IRC		19:13
marekd	bknudson: in 14 days...	19:13
dolphm	marekd: lol	19:13
*** gokrokve has joined #openstack-dev		19:14
*** salv-orlando has joined #openstack-dev		19:14
*** akrivoka has quit IRC		19:14
*** baoli has quit IRC		19:15
*** mikeoutland has joined #openstack-dev		19:15
ayoung	or we can do it my way and everything works	19:15
bknudson	I wonder if we could use the mapping feature with general external users (REMOTE_USER)	19:15
bknudson	maybe httpd doesn't provide enough info	19:15
dolphm	bknudson: it only provides a name, really	19:16
ayoung	bknudson, depends on what it is given, but yes we can and will	19:16
marekd	https://gist.github.com/zaccone/914822d37ac2eea420ce provides e.g this (ADFS_*)	19:16
ayoung	We could, in fact, extract out the LDAP backedn and do it all with mod_auth_somethingthatcantalkldap	19:16
dolphm	bknudson: you need some set of attributes as an input to mapping, and it outputs another set of attributes	19:16
bknudson	maybe could use some other middleware to get the user info ... from ldap or something	19:16
*** mikeoutland has quit IRC		19:16
dolphm	ayoung: do it	19:17
*** dvarga is now known as dvarga\|away		19:17
*** dvarga\|away is now known as dvarga		19:17
*** jcooley_ has quit IRC		19:17
ayoung	dolphm, need to write it first. mod_authn_ldap is as hard coded as the other apache authns....we'll probably do soemthing on top of SAML and mod_mellon	19:18
marekd	i don't understand the LDAP talk.....can anybody explain it more?	19:18
*** reed has quit IRC		19:18
*** shadower_ is now known as shadower		19:18
ayoung	marekd, I can, but it is a bit beyond the scope here	19:18
*** reed has joined #openstack-dev		19:19
marekd	ayoung: ok	19:19
ayoung	the short of it is that we have mechanisms for SQL, LDAP, and now federation, that all should be able to co-exist in one Keystone deployment	19:19
*** sdake has joined #openstack-dev		19:19
*** sdake has quit IRC		19:19
*** sdake has joined #openstack-dev		19:19
ayoung	it means that we need to have a unified way to work with them. Really, it means that we ened to be able to distinguish between users stored in one backend from another	19:19
*** mriedem has quit IRC		19:19
dolphm	marekd: even shorter version- as federation becomes the first class deployment approach, we'll likely see the rest of keystone simplified	19:19
*** sushils has joined #openstack-dev		19:20
ayoung	Federated users won't worl with the identity API calls, but SQL and LDAP need to	19:20
marekd	okay, so you are talking about long-term plans. I'd love to talk about short-term ones :-)	19:20
*** rtheis has joined #openstack-dev		19:21
dolphm	marekd: +++++	19:21
ayoung	short term: we make the userid be one part mapped attribute out of SAML (or LDAP) and one part domain id	19:22
ayoung	the domain table will state what backend a domain comes out of: sql, LDAP, federated IDP	19:22
marekd	i was really really convinced that we would be mapping saml assertion to the groups that already have roles assigned and exist, befoe any mapping is done. Can we easily change this assumption NOW? Federation setup is not something you do twice a day.	19:23
topol	marekd+++ crawl walk run...	19:23
ayoung	direct role assignments for Icehouse	19:23
dolphm	marekd: i don't think that has changed	19:23
*** xgsa has quit IRC		19:23
marekd	dolphm: +	19:23
dolphm	ayoung: wtf	19:23
ayoung	something to pull groups out of identity for Juno	19:23
* dolphm facepalm		19:24
ayoung	er...allow groups to be pulled out of identiyt...or something	19:24
dolphm	ayoung: that's called mapping	19:24
ayoung	dolphm, I'm being consistent.	19:24
ayoung	dolphm, groups, not mapping auser to a group, the grouping itself	19:24
ayoung	dolphm, we've discussed this before. And stop hitting yourself	19:24
dolphm	ayoung: yes we have, and we've decided to move towards something much less complicated than what you're suggesting now	19:25
*** eglynn-lunch has quit IRC		19:25
ayoung	dolphm, mapping can only handle the data that comes out of the assertion. We can allow them to make a different mapping from userid to group, but as marekd said "its not something you do twice a day"	19:25
ayoung	dolphm, that is fine, and I am OK with us not doing it if we can avoid it. If mapping deals with "groups outside of identity" great	19:26
ayoung	I'm just saying "Juno" but if it is "never" I'm ok with that	19:26
dolphm	ayoung: i don't think "groups outside of identity" has been conceived before today	19:26
*** mriedem has joined #openstack-dev		19:26
ayoung	dolphm, I've had multiple requests for it over time. I've been talking about it, but putting it off	19:27
*** jasondotstar has quit IRC		19:27
dolphm	ayoung: multiple requests for non-existent groups?	19:27
ayoung	mapping will, I hope, be sufficient.	19:27
ayoung	dolphm, multiple requests for a way to manage users inside of keystone when the Identity backend is read only	19:28
dolphm	ayoung: that doesn't make sense, tell those people to go away	19:28
ayoung	LDAP has that characteristic, as does Federation with limited attributes.	19:28
*** kenperkins has joined #openstack-dev		19:30
marekd	does it all mean we ALL should put off federation and wait for Juno/whatever and new super identities?	19:31
*** kenperkins_ has quit IRC		19:31
*** vijendar has quit IRC		19:31
*** ayoung is now known as ayoung-afk		19:32
*** diakunchikov has quit IRC		19:32
*** jamezpolley_ is now known as jamezpolley		19:32
*** diakunchikov has joined #openstack-dev		19:33
*** AlexF has joined #openstack-dev		19:33
*** jamezpolley is now known as tchaypo		19:34
marekd	dolphm: ayoung-afk ^^^^ ?	19:34
*** johnthetubaguy has quit IRC		19:34
*** jcooley_ has joined #openstack-dev		19:36
*** AlexF has quit IRC		19:36
zzelle_	clarkb, hi	19:37
clarkb	zzelle_: hello	19:38
*** kgriffs is now known as kgriffs_afk		19:38
dolphm	marekd: i don't see a use case for non-ephemeral federated identities, so i'd say no	19:38
dolphm	actually, when i put it that way it just reads like an oxymoron to me	19:38
zzelle_	as you said (iirc), it seems there are troubles with git-review tests	19:39
clarkb	zzelle_: yes, the gerrit masters do not start and stop reliably for each test	19:39
zzelle_	do i need to do something to trace it ?	19:39
*** novas0x2a\|laptop has joined #openstack-dev		19:39
clarkb	zzelle_: you shouldn't, if you run the tests enough you should find that occasionally gerrits do not start or stop	19:40
*** galstrom is now known as galstrom_zzz		19:40
zzelle_	clarkb, that was also my opinion	19:40
marekd	dolphm: okay, so....I am assuming that automagically rules engine will always issue a user, not only list of local groups. The user is ephmeral, but his id will be stored in the token token['user_id']. That's for auditibility. Now, can we assume that communication unscoped token with list of groups -> fetching list of available domains/projects based on group memberships -> scoping the token is still valid?	19:41
clarkb	zzelle_: I think the best way to handle it would be to start one gerrit before the unittests run and setup different projects per test for test isolation	19:41
*** tjones has quit IRC		19:41
clarkb	zzelle_: then we don't have a bunch of jvms fighting for cpu time	19:41
zzelle_	clarkb, i was thinking of this solution but perhaps complicated for a so "small" component	19:42
dolphm	marekd: as confusing as the meeting was, i didn't take away any reason to change any of that approach. all that sounds valid to me	19:42
*** sdake has quit IRC		19:42
marekd	dolphm: well, i got really confused :-)	19:43
marekd	dolphm: especially since we started discussing ephemeral groups etc.	19:43
*** sdake has joined #openstack-dev		19:43
*** sdake has quit IRC		19:44
*** sdake has joined #openstack-dev		19:44
*** sdake has quit IRC		19:44
dolphm	marekd: me too.	19:44
jamielennox	dhellmann: ping	19:44
*** sdake has joined #openstack-dev		19:44
*** sdake has quit IRC		19:44
*** sdake has joined #openstack-dev		19:44
*** jcooley_ has quit IRC		19:44
marekd	dolphm: taking advantage you are still here i will repeat my previous question: apart from what's listed in the https://gist.github.com/dolph/5cfa70c02f5b141060c5#file-notes-md other attributes that must be present are: issued_at, expires_at and methods. That's all for an unscoped token?	19:45
dolphm	marekd: the split between identity and assignment drivers shouldn't have any bearing federation, i don't think (bknudson: -2'd the last patch in that series accordingly)	19:45
*** galstrom_zzz is now known as galstrom		19:46
dolphm	marekd: that sounds right!	19:46
*** AlexF has joined #openstack-dev		19:46
marekd	dolphm: need a hint on 'methods' stuffing :-)	19:46
dolphm	marekd: ha-- good question, again	19:47
*** AlexF has quit IRC		19:47
marekd	i am good in asking good questions, i'd rather prefer to be good in answering them :(	19:47
dolphm	marekd: so the story behind "methods" is that it's really just intended to reflect multifactor authentication	19:47
dolphm	marekd: so if the protocol is SAML 2, you could definitely stick "saml2" or something into "methods"	19:48
dolphm	marekd: unless SAML is capable of exposing similar information (?), in which case, you could basically just pass it through	19:48
jamielennox	lifeless: ping	19:48
marekd	dolphm: i doubt it.	19:49
dolphm	marekd: "federation" would quite vague but acceptable as well	19:49
*** salv-orlando has quit IRC		19:49
marekd	dolphm: 'vague but interesting...' :D	19:49
*** jcooley_ has joined #openstack-dev		19:49
*** salv-orlando has joined #openstack-dev		19:49
dolphm	marekd: a more realistic (and useful) example would be a multifactor token reflected as "methods": ["password", "rsa-token"]	19:50
marekd	rsa-token reflects to federated authn, right?	19:50
dolphm	marekd: yes, you could say that	19:50
dolphm	i've never thought of it that way!	19:50
marekd	dolphm: uhm....OK i will put something there, just for now.	19:51
marekd	this is probably not the biggest issue for now.	19:51
dolphm	marekd: clients would really only care if the token is multifactor or not, so it should really be "factors": 2 in that case	19:51
marekd	2?	19:52
dolphm	but i gave up arguing against gyee on that topic long ago :)	19:52
dolphm	marekd: 2 factors in ["password", "rsa-token"]	19:52
lifeless	jamielennox: ongp	19:52
dolphm	something you know + something you have	19:52
marekd	dolphm: yees, but i don't see any relation with federated authn?	19:52
dolphm	marekd: whereas "methods": ["password", "mothers-maiden-name"] is factors: 1 (both are just something you know)	19:53
dolphm	marekd: i'm just trying to give some perspective to the attribute :)	19:53
marekd	dolphm: ok	19:53
dolphm	marekd: sticking the protocol ID in there sounds sufficient to me	19:53
*** sweston has joined #openstack-dev		19:53
dolphm	or even just "federation"	19:53
marekd	if i recall correctly somebody got a -2 from ayoung for using federation as a authn method :P	19:54
*** dvarga is now known as dvarga\|away		19:54
*** dvarga\|away is now known as dvarga		19:54
jamielennox	lifeless: i am having a weird issue where testr is cutting out early and the ./run_test.sh script returns with a _StringException error with no details	19:54
marekd	dolphm: so i'd be reluctant to use 'federation' as a method name :-)	19:54
jamielennox	(and i've completely killed my environment now trying to debug the thing)	19:55
lifeless	jamielennox: testr is dying? thats unusual. Can you point me at a failed job ?	19:55
jamielennox	lifeless it's on my local machine but it seems consistant	19:56
lifeless	jamielennox: are you sure its testr thats dying and not the test backend ?	19:56
lifeless	jamielennox: anyhow, I'm happy to help you debug; remote hands / shared session whatever	19:56
lifeless	jamielennox: tell me where you're up to, and we can go from there.	19:57
*** cagrev_ has quit IRC		19:57
jamielennox	lifeless: it's not printing an exception like there is a test failure just exiting	19:57
lifeless	jamielennox: warning - this morning is my 4 hours of meeting penance for being, well, me.	19:57
lifeless	jamielennox: so there will be periods of quiet :(	19:57
*** cagrev has quit IRC		19:57
dolphm	marekd: lol can you use the protocol ID?	19:57
jamielennox	lifeless: that's ok you're usually around in my TZ anyway	19:57
*** jpomero has quit IRC		19:57
marekd	dolphm: i will, no worries :-)	19:57
*** cagrev has joined #openstack-dev		19:57
*** julienvey_ has joined #openstack-dev		19:58
lifeless	jamielennox: anyhow first thing is - get me a pastebin of what you do see	19:58
dolphm	marekd: if so, you've taken away another one of my shakey use cases for having a "user" ref in tokens at all!	19:58
lifeless	jamielennox: and tell me what project so I can eyball run_tests therein	19:58
jamielennox	lifeless: bah, after all that i've killed my venv with all the debugging stuff i had - sorry give me a few minutes and i'll get some stuff up	19:58
*** bauzas has joined #openstack-dev		19:58
*** sweston has quit IRC		19:58
*** thuc has quit IRC		19:59
*** thuc has joined #openstack-dev		19:59
marekd	dolphm: please rephrase, cause i might misunderstanding something..i still must use user in a token...	19:59
*** jtomasek has quit IRC		20:00
marekd	dolphm: user_id	20:00
dolphm	marekd: continue to plan on having the user reference in the token	20:00
*** markmc has joined #openstack-dev		20:00
*** bhuvan_ has quit IRC		20:01
*** emagana has joined #openstack-dev		20:01
*** jckasper_ has joined #openstack-dev		20:01
*** adreznec has quit IRC		20:02
*** dot has joined #openstack-dev		20:02
dot	hello is it possible to disable csrf token on login page?	20:03
dot	j #django	20:03
*** cagrev_ has joined #openstack-dev		20:03
*** neelashah1 has joined #openstack-dev		20:03
*** jistr has quit IRC		20:03
*** jcooley_ has quit IRC		20:03
*** thuc has quit IRC		20:03
*** cagrev has quit IRC		20:03
*** neelashah1 has left #openstack-dev		20:04
dolphm	dot: probably just remove the csrf middleware from the horizon config? (i haven't done it before, i'm just guessing)	20:04
*** jckasper has quit IRC		20:04
*** sgordon has quit IRC		20:04
*** eglynn-lunch has joined #openstack-dev		20:04
*** neelashah has quit IRC		20:05
*** troytoman-away is now known as troytoman		20:05
*** sushils has quit IRC		20:05
dot	dolphm: i've tried that but did not work :S	20:06
*** CaptTofu has quit IRC		20:06
*** jcooley_ has joined #openstack-dev		20:07
jamielennox	lifeless: ok this is the branch: https://github.com/jamielennox/keystone/tree/pecan1 it's really ugly as i've been trying to isolate the error	20:07
jamielennox	run_tests output: http://paste.openstack.org/show/62470/	20:07
jamielennox	testtools.run discover output: http://paste.openstack.org/show/62471/	20:07
gyee	jamielennox, dolphm, sorry I got stuck in an internal meeting this morning	20:08
dolphm	gyee: no worries	20:08
jamielennox	lifeless: if i comment out this line (which essentially undoes the change) https://github.com/jamielennox/keystone/blob/pecan1/keystone/service.py#L130 then i get the expected test run	20:09
*** yeylon__ has joined #openstack-dev		20:09
*** brianr has joined #openstack-dev		20:09
jamielennox	gyee: was going to bug you about auth_plugins	20:09
*** jasondotstar has joined #openstack-dev		20:09
gyee	jamielennox, I was reading it last night, have been thinking about it	20:09
jamielennox	gyee: figure out what we can do to get it +2ed	20:09
gyee	I will comment on it later today	20:09
gyee	jamielennox, I am OK with it, there will be more changes later to get it right anyway. But no reason to hold it up.	20:10
*** ijw_ has quit IRC		20:10
jamielennox	gyee: cool - yea there are additions later but i just want to advance past the framework	20:10
jamielennox	the idea hasn't changed much since the last summit and i really want to get some progress	20:11
gyee	I was thinking how do it work with multifactor auths	20:11
gyee	but I don't have a good alternative in mind	20:11
jamielennox	gyee: so i'm not sure why MFA changes the plugins	20:11
*** rfolco has quit IRC		20:11
gyee	jamielennox, probably not, I just can't wrap my head around it yet	20:11
gyee	lets merge what you have and enhance it later if needed	20:11
*** tjones has joined #openstack-dev		20:12
dot	hello is it possible to disable csrf token on login page? anyone pls?	20:12
jamielennox	gyee: so i think where the disconnect is what an auth_plugin does	20:12
jamielennox	gyee: really it's a backing to an auth provider	20:12
jamielennox	so for keystone v3 we only have 1 auth plugin	20:13
jamielennox	not 1 for user/pass, 1 for user/token	20:13
gyee	jamielennox, I was coming from an angle of custom plugins :)	20:13
jamielennox	so MFA is a feature of a specific provider eg keystone v3	20:13
morganfainberg	jamielennox, external, and oauth	20:13
morganfainberg	>.>	20:13
morganfainberg	jamielennox, ok i'm going to lunch :P	20:13
morganfainberg	sorry	20:13
jamielennox	so if the auth_plugin handles MFA then thats fine	20:13
jamielennox	morganfainberg: external and oauth maybe	20:14
jamielennox	morganfainberg: they are still methods of keystone auth	20:14
*** thedodd has joined #openstack-dev		20:14
jamielennox	oauth i'm a little unsure of	20:14
jamielennox	because it's keystone but it's not	20:15
*** AlexF has joined #openstack-dev		20:15
*** troytoman is now known as troytoman-away		20:15
jamielennox	gyee: so custom plugins are the same concept though at some point they will get a get_token() call and they will have to determine how to do that	20:15
*** tanisdl has joined #openstack-dev		20:15
*** gcha has joined #openstack-dev		20:15
jamielennox	if they require MFA then they have to prompt for input or something	20:16
jamielennox	it's a pity we had to ditch authenticate as a seperate call - but there is no reason that your custom plugin can't have an authetnicate call on it	20:16
jamielennox	(maybe that's even better)	20:16
*** ameade has joined #openstack-dev		20:17
*** tdruiva_ has joined #openstack-dev		20:18
stevemar	jeez, i almost have to scroll down to see the second bug on http://status.openstack.org/rechecks/	20:18
gyee	jamielennox, I agree, we may be OK	20:18
*** adreznec has joined #openstack-dev		20:18
*** odyssey4me has quit IRC		20:18
*** tjones has quit IRC		20:18
gyee	jamielennox, it would be awesome if we can abstract the notion of token, but that can be done in a separate patch	20:19
*** fabiog has quit IRC		20:19
jamielennox	gyee: so as far as i'm concerned we have abstracted a token to a blob	20:20
jamielennox	because get_token() will return a string that goes into a header	20:20
jamielennox	(it turned out to be non-trivial to put the header setting on the auth plugin but we can fix that later)	20:20
*** tdruiva has quit IRC		20:20
*** emagana has quit IRC		20:20
jamielennox	there is nothing about session that requires any knowledge about a token other than to just get one from a plugin	20:21
jamielennox	if you need to find out information about the token then you should talk to the auth plugin because that is what knows how to interpret it	20:21
jamielennox	so if you are doing your own auth plugin then you are free to define the interaction with your token any way you please	20:22
gyee	that's correct, auth plugin return token data	20:22
*** troytoman-away is now known as troytoman		20:22
*** vijendar has joined #openstack-dev		20:22
*** shalini has quit IRC		20:22
*** vijendar has joined #openstack-dev		20:22
*** shalini has joined #openstack-dev		20:23
*** ayoung-afk is now known as ayoung		20:23
*** mestery has quit IRC		20:23
jamielennox	gyee: yes the string	20:24
*** kragniz has quit IRC		20:24
ayoung	marekd, to answer your Question....we push it as far as we can. I don't thik we will have a 100% Federation solution this release, but that doens' mean that we won't have something usable by someone	20:25
gyee	jamielennox, no, the auth context	20:25
jamielennox	the identity plugins return a auth_ref which is just a way of abstracting behaviour between the v2 and v3 ref	20:25
jamielennox	and other plugin that wants to use an auth_ref can also inherit BaseIdentityPlugin	20:25
jamielennox	and that means that get_token() etc are handled for it	20:25
jamielennox	but you don't have to	20:25
gyee	auth plugin maintains auth context	20:25
gyee	auth context tells you things like user_id, username, roles, project, etc	20:26
*** emagana has joined #openstack-dev		20:27
jamielennox	gyee: right but you can ask the auth plugin for that	20:28
*** jckasper_ has quit IRC		20:28
jamielennox	the session doesn't care	20:28
*** rkukura has quit IRC		20:28
marekd	ayoung: that's my impression too.	20:28
*** e0ne has joined #openstack-dev		20:28
gyee	jamielennox, how? the base auth plugin class only have get_token() which returns a string	20:29
*** cnesa has joined #openstack-dev		20:29
marekd	ayoung: given the fact that actually nothing has been done on a client side i thnk it will be usable at all.	20:29
*** kgriffs_afk is now known as kgriffs		20:29
marekd	or maybe it will, but around april/may.	20:29
jamielennox	gyee: that's the interface that session requires to talk to a plugin - if you want to talk to the plugin you can define whatever methods you like	20:29
*** n9111 has joined #openstack-dev		20:29
n9111	How are you n9111 ?	20:30
bknudson	dolphm: how do I close this? https://blueprints.launchpad.net/python-keystoneclient/+spec/s3-token-to-keystoneclient	20:31
*** n9111 has quit IRC		20:31
bknudson	dolphm: never mind, got it	20:32
*** shalini has quit IRC		20:32
*** shalini has joined #openstack-dev		20:33
jamielennox	gyee: take as an example the ADMIN_TOKEN method of authenticating, all that plugin is going to know is where to talk to and what token to use	20:33
jamielennox	there is no auth_ref that can be returned there	20:33
*** julienvey_ has quit IRC		20:34
*** troytoman is now known as troytoman-away		20:34
*** thuc has joined #openstack-dev		20:35
gyee	jamielennox, how does session interact with auth plugin to get the token data?	20:35
*** atiwari has quit IRC		20:35
jamielennox	essentially headers['X-Auth-Token'] = auth_plugin.get_token()	20:36
gyee	but get_token() returns a string	20:36
jamielennox	... right	20:36
*** FunnyLookinHat has quit IRC		20:36
ayoung	marekd, hell, it was 2 release before anyone could use trusts, and PKI tokens were not the default for two releases, I am guessing Federation will go into use in the K timeframe	20:36
gyee	how does it turned into roles, user_id, username, project, etc?	20:36
jamielennox	gyee: why does session need to do that/	20:37
dstanek	what are credentials currently used for in Keystone?	20:37
*** troytoman-away is now known as troytoman		20:37
ayoung	dstanek, storing ec2 keypairs	20:37
*** gokrokve has quit IRC		20:37
*** cnesa has quit IRC		20:38
*** FunnyLookinHat has joined #openstack-dev		20:38
*** gokrokve has joined #openstack-dev		20:38
*** markmcclain has quit IRC		20:38
ayoung	morganfainberg, when you get back, I would love some guidance on redoing the KVS backend for revocation events	20:38
dstanek	ayoung: i'm working on my rotating-passwords blueprint now. i'm reusing credentials to store passwords, but i'm not sure is that's correct	20:39
*** kgriffs is now known as kgriffs_afk		20:39
dolphm	ayoung: i'd use a new sql table, and keep it as a sql-dependent feature	20:39
ayoung	um...probably not, but, hell, the whole idea of passwords is broken anyway	20:40
dolphm	dstanek: ^ (ayoung- my bad)	20:40
ayoung	dolphm, yep	20:40
ayoung	agree	20:40
ayoung	LDAP has its own PW mechanism, no reason to support or implement there	20:41
gyee	jamielennox, who does validate token and get the token data? session?	20:41
*** denis_makogon_ has joined #openstack-dev		20:41
ayoung	gyee, on the client side?	20:41
gyee	ayoung, right	20:41
jamielennox	gyee: validate? who validates a token now? we send it to the server	20:41
ayoung	gyee, tokens were not validatable on the client side prior to revocation events.	20:41
jamielennox	gyee: we can refresh a token if it's about to expire	20:41
ayoung	It just got tokens from the keystone erver and used them	20:41
dstanek	dolphm: the reason i didn't so that initially is that i changed things like /auth/tokens to pull from credentials; since the extension is optional i didn't want to have core code depend on an extension table	20:41
jamielennox	that's the plugin's job if it wants to do that	20:42
gyee	what is auth_ref for then?	20:42
jamielennox	gyee: users really	20:42
jamielennox	gyee: we can't do anything about validating roles etc because we have no idea how a server is configured	20:42
gyee	jamielennox, that's what I was getting into	20:42
gyee	the data itself	20:42
ayoung	dstanek, password rotation should be a SQL identity specific feature. THe KVS ones can support it if you insist, but don't scope beyond that	20:43
*** gokrokve has quit IRC		20:43
gyee	so auth plugin would have to give you those data or you are doing another call to Keystone to validate the token	20:43
*** denis_makogon has quit IRC		20:44
*** denis_makogon_ is now known as denis_makogon		20:44
*** salv-orlando has quit IRC		20:44
jamielennox	gyee: but completely looking at the session - what do you need that data for? why are you trying to validate the token?	20:44
*** dmakogon_ has joined #openstack-dev		20:44
jamielennox	gyee: if the token is invalid it will be rejected just like now	20:44
*** salv-orlando has joined #openstack-dev		20:44
morganfainberg	ayoung, surte	20:45
morganfainberg	ayoung, back	20:45
*** markmcclain has joined #openstack-dev		20:45
ayoung	morganfainberg, OK, so can I list all keys?	20:46
jamielennox	gyee: so for people who want that data the auth_plugin is not a mystery - if you need it then you ask for it from the auth plugin but if you want to do that then you have to know what sort of auth plugin you've got	20:46
*** iccha has joined #openstack-dev		20:46
morganfainberg	ayoung, no	20:46
gyee	jamielennox, what is a token and how do you determine its about to expired?	20:46
ayoung	I need to get all events...I need a key for the events	20:46
dstanek	ayoung: yes, i agree; i modified the identity sql driver to use the credentials table	20:46
jamielennox	gyee: session doesn't, get_token() has that power	20:46
morganfainberg	ayoung, correct you'll need an index	20:46
ayoung	I really don't want to maintain an index table	20:46
ayoung	NOOOOOOOOOOOOOO	20:46
morganfainberg	ayoung, and updating that index is where you'd use the lock mechanism	20:47
ayoung	I might as well have one page with all revocation evetns	20:47
*** sgrasley has joined #openstack-dev		20:47
morganfainberg	ayoung, except that pages (in memcached) are limited in size	20:47
morganfainberg	ayoung, if you don't exceed that limit, it's great	20:47
ayoung	argle fargle garbel	20:47
ayoung	is there any query mechanism I can count on to get more than one key?	20:47
morganfainberg	ayoung, there is .get_multi	20:48
*** tdruiva_ is now known as tdruiva		20:48
morganfainberg	you pass it a list of keys, returns all of them at once	20:48
ayoung	but I need to know all of them...and what if one expired or summat	20:48
ayoung	and was no longer in the store	20:48
*** sdake has quit IRC		20:48
morganfainberg	ayoung, ... hm, let me check	20:48
dolphm	zaneb: cc- https://review.openstack.org/#/c/64738/ i was referring to linking on launchpad, not within the gerrit UI... is this patch still related in that regard?	20:49
morganfainberg	memcache would just omit the valie	20:49
morganfainberg	ayoung, ^ s/valie/value	20:49
morganfainberg	ayoung, i might have done something less friendly	20:49
*** slagle has quit IRC		20:49
gyee	jamielennox, so session does not do token management, the auth_plugin does	20:49
jamielennox	gyee: yes	20:49
morganfainberg	ayoung, blech, i raise an explicit exception	20:49
zaneb	dolphm: oh, then no. didn't realise there was an issue going in the other direction too	20:49
morganfainberg	doh	20:49
ayoung	morganfainberg, I probable could do something bad like record the lowest and highest event sequence numbers, then the keys would be event-1, event-2....	20:50
ayoung	but...bleh	20:50
*** sdake has joined #openstack-dev		20:50
*** sdake has quit IRC		20:50
*** sdake has joined #openstack-dev		20:50
dolphm	zaneb: might just be a keystone issue that i'm seeing; i'll ask in -infra	20:50
gyee	jamielennox, session will call auth_plugin everytime its about to make a call to the service and auth_plugin determine whether to renew or reuse	20:50
ayoung	morganfainberg, ok, lets dream for a bit	20:50
morganfainberg	ayoung, sure.	20:51
jamielennox	gyee: correct	20:51
ayoung	what if there were a preset number of buckets	20:51
ayoung	and one bucket was used for appending new events	20:51
gyee	jamielennox, alrighty then, we on the same page :)	20:51
ayoung	and the buckets were like a linked list	20:51
*** drewlander has quit IRC		20:51
morganfainberg	ayoung, sure.	20:51
jamielennox	gyee: excellent!	20:51
morganfainberg	ayoung, nothing unreasonable yet	20:51
*** mat-lowery has joined #openstack-dev		20:52
ayoung	so keystone only needs to know one bucket, and uses that for new revocations, and when that gets full...start a new bucket	20:52
ayoung	it can keep record of older buckets in memory	20:52
morganfainberg	ayoung, sure. that is doable.	20:52
ayoung	or rebuild them from the "good" bucket	20:52
morganfainberg	ayoung, or keep a single index record.	20:52
morganfainberg	ayoung, for "buckets"	20:52
ayoung	good bucket always has the same name	20:52
ayoung	what if we have multiple Keystone servers...can we make this approach scale to N-active buckets?	20:53
jamielennox	gyee: so what is there is fairly minimal, we will later need to mark a bunch of methods as deprecated and handle some interactions that are not supported between the old and new methods but i think that is ok for a new review as i wanted to keep this patch really obvious to what was happennig	20:53
*** thuc has quit IRC		20:53
ayoung	morganfainberg, do we havea way to query page size?	20:53
morganfainberg	ayoung, you wont know because each backend has different limitations	20:53
*** thuc has joined #openstack-dev		20:53
*** asalkeld has joined #openstack-dev		20:53
morganfainberg	ayoung, memcache could be configured for 1MB, or 1000MB. Redis is different, etc	20:53
ayoung	I know, but once I fire up a backend, can I ask it "how much fits in a bucket"	20:54
ayoung	Or do we make it a config param?	20:54
morganfainberg	ayoung, you could if the backend knows how to communicate that	20:54
morganfainberg	ayoung, i'd make it a config param	20:54
morganfainberg	ayoung, it's an operator choice, and i'd make the default 1MB	20:54
gyee	jamielennox, agreed	20:54
lifeless	jamielennox: so, pastebin of the symptoms ?	20:54
ayoung	OK, so one page is the "register a keystone server" page	20:54
morganfainberg	ayoung, yes.	20:54
ayoung	then each keystone server gets a bucket	20:55
morganfainberg	ayoung, sure.	20:55
ayoung	if the server fills the bucket, it clones it	20:55
jamielennox	gyee: cool, so i'd love it if you can take another look over those and +2 if you are happy - i want to get these actually moving through	20:55
*** aveiga has quit IRC		20:55
ayoung	not clones	20:55
ayoung	just renames it	20:55
morganfainberg	ayoung, reconstructs it?	20:55
ayoung	and makes a new, empty buck that just points to the last full bucket	20:55
morganfainberg	ayoung, yah.	20:55
jamielennox	lifeless: yep	20:55
*** tjones has joined #openstack-dev		20:55
ayoung	bucket being a page	20:55
morganfainberg	ayoung, just make sure the "index" is updated with the locking mechanism	20:55
dstanek	ayoung: clones the bucket?	20:56
jamielennox	lifeless: run_tests: http://paste.openstack.org/show/62470/	20:56
morganfainberg	.set(<key>, <value>, lock_from_lock_context)	20:56
jamielennox	lifeless: testtools.run discover: http://paste.openstack.org/show/62471/	20:56
gyee	jamielennox, ayoung already have a green check on it, I can just push the button, unless others disagree	20:56
ayoung	morganfainberg, so I am thinking we only lock on write	20:56
morganfainberg	ayoung, correct	20:56
*** ekhugen has joined #openstack-dev		20:56
jamielennox	gyee: there is one dep but it's a fairly easy one	20:56
ayoung	gyee, which review?	20:56
dstanek	ayoung, morganfainberg: if you fill up all of the 1m buckets then what do you do?	20:56
gyee	ayoung, https://review.openstack.org/#/c/60751/	20:56
jamielennox	gyee: there were +1s from dtroyer and others that were interested - i think anyone else who wanted to has seen it, it's been up long enough	20:57
morganfainberg	dstanek, 1MB of uuids? that would be ~64k buckets i think	20:57
*** AlexF has quit IRC		20:57
ayoung	gyee, that is what I thought. Good by me	20:57
lifeless	jamielennox: ok, testr is not aborting	20:57
morganfainberg	dstanek, i really really hope we never have that many	20:57
lifeless	jamielennox: its reporting a failure from your backend	20:57
ayoung	morganfainberg, more than UUIDs, but not by much	20:57
*** kgriffs_afk is now known as kgriffs		20:57
morganfainberg	ayoung, i meant the keys of the buckets	20:57
ayoung	each revocation event should be roughly ...3 UUIDs worth?	20:57
*** Ajaeger has joined #openstack-dev		20:57
lifeless	jamielennox: specifically from keystone.tests.test_associate_project_endpoint_extension.AssociateEndpointProjectFilterCRUDTestCase.test_check_endpoint_project_assoc	20:57
morganfainberg	ayoung, e.g. each bucket would be bucket_uuid	20:57
jamielennox	lifeless: oh, i assume that i have an error somewhere - but the fact that the discover run is exiting early with no error message is wrong	20:58
dstanek	morganfainberg: above you were talking about configurable page size	20:58
lifeless	jamielennox: the lack of exception means that the test that failed didn't show an exception	20:58
*** rraja has quit IRC		20:58
ayoung	morganfainberg, oh, yeah, that is not a problem. Revocation events are not going to live much longer than tokens	20:58
gyee	jamielennox, ayoung, +2ed	20:58
ayoung	I'm guessing the norm ill be one active bucket	20:58
morganfainberg	ayoung, ++ yes	20:58
*** thuc has quit IRC		20:58
*** rraja_ has quit IRC		20:58
gyee	auth plugin FTW!	20:58
morganfainberg	dstanek, youd say i want a max bucket size of X	20:58
ayoung	reading buckets will be lockless, writing to them will require a lock	20:58
*** atiwari has joined #openstack-dev		20:58
jamielennox	gyee: have a look at the dep as well https://review.openstack.org/#/c/61247/9	20:58
morganfainberg	dstanek, if keystone tried to store more than X data, it'd overflow to the new buckets	20:58
morganfainberg	ayoung, ++ correct	20:59
*** nati_ueno has quit IRC		20:59
morganfainberg	ayoung, there is the <region>.get_lock(<key>) context manager	20:59
morganfainberg	ayoung, you'll see i use that in the kvs token backend	20:59
*** asalkeld has quit IRC		20:59
ayoung	morganfainberg, the trick is to get the "add a bucket" logic such that it can safely be done with out a lock	20:59
ayoung	a read lock that is	20:59
ayoung	something like:	20:59
lbragstad	jamielennox: just wondering if we should document your change https://review.openstack.org/#/c/71098/ in the event_notifications.rst	20:59
gyee	jamielennox, sure, looking	20:59
dstanek	morganfainberg: i thought you were tring to store 1m of data in a single key and the overflow into other potentially 1m keys	21:00
ayoung	we have the same page in memory with two names. One is "active" and the other is the "date based" key.	21:00
morganfainberg	dstanek, no no, we make keystone manage the data being stored	21:00
*** nati_ueno has joined #openstack-dev		21:00
morganfainberg	dstanek, so if you were to exceed 1M, youd make a new bucket	21:01
ayoung	so long as active always points to the last full page, we are OK	21:01
jamielennox	lifeless: that doesn't explain the testtools.run issue though	21:01
*** yeylon__ has quit IRC		21:01
dstanek	morganfainberg: what is a bucket?	21:01
ayoung	I'll try to write it up more clearly.	21:01
morganfainberg	dstanek, memcache page in this case	21:01
morganfainberg	dstanek, conceptually	21:01
ayoung	dstanek, instead of a distributed hash table, we make it a distributed linked list implemented as a distributed hashtable	21:01
jamielennox	lifeless: also that ./run_tests.sh script should not fail after one test failure - it will normally run the whole suite and then print, it stops after 15	21:02
morganfainberg	dstanek, with an opaque kvs (not a dict i can inspect) you need to do it as a LL -> hash table	21:02
morganfainberg	basically	21:02
dstanek	morganfainberg, ayoung: i was just worried that you'd fill up the 1m keyspace too quickly	21:02
*** sdake has quit IRC		21:02
jamielennox	lifeless: i realize i have a mistake somewhere, my problems is i have no traceback or any information to figure out what went wrong and i can't pdb it because testtools.run doesn't run the whole suite	21:02
*** kragniz has joined #openstack-dev		21:02
gyee	jamielennox, I need to jump back into the meeting, will review it later today	21:03
jamielennox	gyee: np	21:03
morganfainberg	dstanek, nah, shouldn't be too much of an issue, and keystone will manage the data size (operator configured) rather than trying to ask memcache to store and fail and then try again	21:03
jamielennox	gyee: thanks	21:03
*** yeylon__ has joined #openstack-dev		21:03
ayoung	dstanek, assuming 1K per revoke event, a 1 M page would hold 100K Events	21:03
gyee	jamielennox, np, thanks for the auth plugin patch, good stuff!	21:03
mat-lowery	Sorry to interrupt. Keystone question: Are service catalog entries filtered at all or simply formatted (with tenant IDs)? In other words, is it possible that two different non-admin users see a different number of endpoints (provided they do no filtering)?	21:03
morganfainberg	dstanek, yeah events are smallish	21:03
ayoung	should only be one key per 100K events	21:03
morganfainberg	ayoung, by defaulty	21:03
jamielennox	mat-lowery: they are just formatted	21:03
*** nmagnezi has joined #openstack-dev		21:04
mat-lowery	jamielennox: Thank you!	21:04
*** cgoncalves has joined #openstack-dev		21:04
*** Gordonz has quit IRC		21:04
ayoung	morganfainberg, so...I can probable remove the logic that drops the old events from KVS (Prune) so long as I know that the oldest pages will get cleaned up eventually	21:04
morganfainberg	ayoung, sure, remember the KVS system raises NotFound if an item doesn't exist on get	21:05
morganfainberg	ayoung, you might need to override that behavior	21:05
ayoung	nope	21:05
morganfainberg	ayoung, ok.	21:06
*** MaxV has joined #openstack-dev		21:06
*** NearlyFunctional has quit IRC		21:06
morganfainberg	ayoung, this is very similar to how user-tokens are managed in kvs btw	21:06
ayoung	we catch it and say "oldest data is last successfully retrieved page"	21:06
morganfainberg	ayoung, except each user gets "one" bucket no overflow	21:06
jamielennox	lifeless: also if i do python -m testtools.run discover --list > all_tests; then delete the first 10 (up to the one thats failing) and then do; python -m testtools.run discover --load-list all_tests it will do a full run	21:06
ayoung	yeah...we could fix that if we weren't going ephemeral	21:06
jamielennox	lifeless: again i'm sure it's my fault, i'm just stumped on how to debug it	21:06
*** michchap has joined #openstack-dev		21:06
morganfainberg	ayoung, ++ I almost did write that logic	21:07
*** kgriffs is now known as kgriffs_afk		21:07
morganfainberg	ayoung, but we decided emphmeral instead	21:07
ayoung	morganfainberg, we still may need to	21:07
dstanek	ayoung: how many total would we need to store?	21:07
morganfainberg	ayoung, i actually have that code laying about somewhere.	21:07
ayoung	dstanek, revocation events? I have no clue as to how many we will see in reality	21:07
morganfainberg	ayoung, but eh. it's from like grizzly era.. was uuuugly	21:07
ayoung	much fewer than tokens	21:07
morganfainberg	dstanek, likely in the thousands would be an active cloud imo	21:08
*** gokrokve has joined #openstack-dev		21:08
ayoung	morganfainberg, if we dropped UUID tokens, we could just have the User pages	21:08
ayoung	put all of their tokens into their page.	21:08
ayoung	hell...lets not go there and just get to ephemeral	21:08
*** mrda_away is now known as mrda		21:09
ayoung	revoke events would come from password changes and deleting of role assignments. one per	21:09
morganfainberg	ayoung, yeah ephemeral instead plz. in J we can make events the default	21:09
ayoung	++	21:09
morganfainberg	and... in theory make uuid tokens go bye bye in ... L?	21:09
ayoung	OK, let me write this up. This revocation code has been the most fun I've had coding in a while	21:09
*** gokrokve_ has joined #openstack-dev		21:10
*** aveiga has joined #openstack-dev		21:10
morganfainberg	ayoung, ok i'm going to aim to start wokring on ephemeral token stuff in... a day or so.	21:10
jamielennox	lbragstad: sorry, just realized i didn't respond to your message - i'm happy to document that, i don't think it should be up to a config file to set the priority level anyway that seems like something that should depend on the type of message	21:10
lbragstad	jamielennox: no worries, you were in the middle of something : https://review.openstack.org/#/c/71098/1	21:10
morganfainberg	ayoung, and it'll be rooted on your revocation code (plus likely a devstack change to enable it, unless you already did that)	21:10
morganfainberg	s/enable/toggle	21:11
*** kgriffs_afk is now known as kgriffs		21:11
lifeless	jamielennox: sorry, multiplexing 4 discussions	21:11
jamielennox	lifeless: me too	21:11
*** radez is now known as radez_g0n3		21:11
*** michchap has quit IRC		21:11
lbragstad	jamielennox: just thinking if there are people who 'expecting' to set that in Keystone and can't	21:11
jamielennox	lbragstad: yea, that seems correct for now - i'm not sure what our long term plans for notification levels are	21:11
lifeless	jamielennox: python -m testtools.run discover isn't how discove ris used by .testr.conf	21:11
*** dvarga has quit IRC		21:11
lbragstad	jamielennox: me either	21:11
lifeless	jamielennox: you need python -m testtools.run discover -t ./ ./keystone/tests	21:12
*** asalkeld has joined #openstack-dev		21:12
dolphm	bknudson: luisg: tune into #openstack-meeting	21:12
dolphm	bknudson: luisg: concerning log translations	21:12
*** yeylon__ has quit IRC		21:13
lifeless	jamielennox: so do that (or just get the list via 'testr list-tests > list)	21:13
lifeless	jamielennox: next step - it sounds like you've isolated 10 or so tests that include the problem - just bisect down to it	21:13
*** gokrokve has quit IRC		21:13
jamielennox	so a diff of the two discover --list shows them the same	21:14
jamielennox	so list-tests is correct	21:14
jamielennox	lifeless: i can isolate it down to more or less a single line	21:14
*** gokrokve_ has quit IRC		21:14
jamielennox	(not true because that line kicks off new functionality)	21:15
*** bswartz has quit IRC		21:15
jamielennox	but if i remove it then it runs through like normal	21:15
lifeless	jamielennox: a line in the test list	21:15
lifeless	jamielennox: or a line of code	21:15
jamielennox	code	21:15
*** bswartz has joined #openstack-dev		21:15
lifeless	jamielennox: so no, we need a test list line	21:15
lifeless	jamielennox: you said if you delete the head of the list you can run through fully by hand ?	21:15
*** mhagedorn_ has quit IRC		21:15
*** termie has joined #openstack-dev		21:15
*** mat-lowery has left #openstack-dev		21:16
*** mdomsch has quit IRC		21:16
jamielennox	lifeless: so test list: http://paste.openstack.org/show/62481/	21:16
*** mdomsch has joined #openstack-dev		21:17
*** sdake has joined #openstack-dev		21:17
*** sdake has joined #openstack-dev		21:17
jamielennox	if i remove the first 14 entries keystone.tests.contrib.kds.* it seems to run through	21:17
lifeless	jamielennox: ok	21:17
ayoung	morganfainberg, I'm getting: RuntimeError: KVS region revoke-driver is already configured. Cannot reconfigure.	21:17
lifeless	jamielennox: so, bisect - keep those 14 entries, delete the rest.	21:17
ayoung	once I added in the KVS code	21:17
lifeless	jamielennox: then split the list in two, run each half separately	21:17
lifeless	jamielennox: if it runs all the tests in that half, the half is clean - discard; otherwise, split in half again and recurse.	21:18
*** glenng has joined #openstack-dev		21:18
morganfainberg	ayoung, you're doing a .get_key_value_stote('revoke-driver') ?	21:18
morganfainberg	ayoung, then .configure on that?	21:18
ayoung	morganfainberg, um	21:18
ayoung	self._store.configure(backing_store=self.kvs_backend, **kwargs)	21:18
ayoung	its in the test startup	21:19
*** sdake has quit IRC		21:19
ayoung	I just copied from the token code	21:19
morganfainberg	this in a review?	21:19
morganfainberg	oh oh	21:19
*** sushils has joined #openstack-dev		21:19
*** sdake has joined #openstack-dev		21:19
*** sdake has quit IRC		21:19
*** sdake has joined #openstack-dev		21:19
morganfainberg	you need an explicit cleanup	21:19
ayoung	http://paste.openstack.org/show/62482/	21:19
*** Ajaeger has left #openstack-dev		21:20
jamielennox	lifeless: sure but even then i'm not going to see an actual error, when i run the whole thing via testtools.run it just stops after 14 tests with an OK	21:20
*** emagana has quit IRC		21:20
ayoung	morganfainberg, where is that for the token code?	21:20
morganfainberg	ayoung, sec looking for that line	21:20
jamielennox	if i remove the first 14 entries keystone.tests.contrib.kds.* it seems to run through	21:20
*** NearlyFunctional has joined #openstack-dev		21:20
jamielennox	sry, up+enter	21:20
ayoung	morganfainberg, its getting called twice, I think. once by the test code, and the second time by the manager	21:21
morganfainberg	ayoung, ah	21:21
ayoung	actually, once by load backends	21:21
lifeless	jamielennox: so if you run those 14 they succeed	21:21
jamielennox	huh, it's the first one	21:21
morganfainberg	ayoung, load_backends should clear out all kvs backends	21:21
lifeless	jamielennox: but if you run those 14 and others, it exits?	21:21
ayoung	then my test calls	21:22
ayoung	self.revoke_api = revoke.Manager()	21:22
ayoung	right afterwards	21:22
morganfainberg	ayoung, https://github.com/openstack/keystone/blob/master/keystone/tests/core.py#L372	21:22
*** sarob has quit IRC		21:22
morganfainberg	ayoung, ah, i only handled the case of load-backends doing this	21:22
*** alexpilotti has quit IRC		21:22
*** CaptTofu has joined #openstack-dev		21:22
morganfainberg	ayoung, not instantiating multiples of the same name	21:22
*** baoli has joined #openstack-dev		21:22
ayoung	but calling maanger() should get me the already existing instance	21:22
jamielennox	lifeless: so if i remove the very first entry /keystone.tests.contrib.kds.api.test.SimpleTest.test_simple/ then i (seem to be so far) get a full run	21:23
morganfainberg	ayoung, your manager is trying to do configure	21:23
morganfainberg	ayoung, the manager should check to see if it's configured	21:23
*** baoli has quit IRC		21:23
lifeless	jamielennox: and it runs on it's own successfully?	21:23
*** hartsocks has quit IRC		21:23
*** ijw has joined #openstack-dev		21:23
*** galstrom is now known as galstrom_zzz		21:23
morganfainberg	ayoung, https://github.com/openstack/keystone/blob/master/keystone/common/kvs/core.py#L138 likely it should be an @property on kvs regions	21:23
*** baoli has joined #openstack-dev		21:23
morganfainberg	ayoung, .is_configured	21:23
jamielennox	lifeless: i don't think it will be successful, i've hacked it up too much for that but at least it's running more than 14 tests	21:24
morganfainberg	ayoung, you can do this exact logic to see if you need to configure: https://github.com/openstack/keystone/blob/master/keystone/common/kvs/core.py#L100	21:24
lifeless	jamielennox: now, do you know the test it dies on ?	21:24
lifeless	jamielennox: (do you see a test starting message and no finish)	21:24
morganfainberg	but like i said, likely an @property is the right way	21:24
*** mikeoutland has joined #openstack-dev		21:25
jamielennox	lifeless: i get swamped with output	21:25
jamielennox	but it's doing a full run if i comment out: /keystone.tests.contrib.kds.api.test.SimpleTest.test_simple/	21:25
*** thuc has joined #openstack-dev		21:25
lifeless	jamielennox: at the end of the run	21:25
jamielennox	lifeless: going to take a while longer	21:26
lifeless	oh	21:26
lifeless	so we should really be using subunit here	21:26
morganfainberg	ayoung, in Juno i'll bumpt the dogpile version in global reqs, which gives us a simple .is_configurred property on the actual dogpile region	21:26
jamielennox	i can switch it to testr	21:26
jamielennox	or at least ./run_test.sh	21:26
lifeless	jamielennox: no nneed for run_test	21:26
lifeless	you're running with -N	21:27
ayoung	morganfainberg, does the otken manager check if it has been configured already	21:27
lifeless	so just 'testr run --subunit > testlog'	21:27
ayoung	token	21:27
morganfainberg	ayoung, no.	21:27
morganfainberg	ayoung, it should	21:27
lifeless	jamielennox: ^ which will get us a binary log we can consult	21:27
jamielennox	yea i used -N but i can't use the list that way	21:27
ayoung	morganfainberg, then why doesn't it blow up	21:27
morganfainberg	ayoung, because it only gets loaded from load_backends	21:27
morganfainberg	ayoung, and applied to the test_case as .token_api	21:27
lifeless	jamielennox: you can - run_tests.sh -- --load-list foo.list (but we need to disable the colorizer because reasons)	21:28
lifeless	jamielennox: so - 'testr run --subunit > testlog'	21:28
morganfainberg	ayoung, https://github.com/openstack/keystone/blob/master/keystone/tests/core.py#L387	21:28
morganfainberg	ayoung, we don't set the manager on the test_case itself anywhere. we do similar to dependency injection in tests	21:28
*** emagana has joined #openstack-dev		21:28
ayoung	morganfainberg, OK, I can work around it for now	21:29
ayoung	if 'backend' not in self._store._region.__dict__:	21:29
ayoung	self._store.configure(backing_store=self.kvs_backend, **kwargs)	21:29
jamielennox	lifeless: but will this tell us why the test run would have been exiting early? if i've removed the offending test the expected output will be that everything passes	21:29
*** amcrn has quit IRC		21:30
ayoung	morganfainberg, soooooo how do we uniquely identify a keystone server from inside that keystone server?	21:30
*** cdub has joined #openstack-dev		21:30
*** sarob has joined #openstack-dev		21:30
*** bswartz has quit IRC		21:30
morganfainberg	ayoung, hm?	21:30
morganfainberg	ayoung, oh, uhmmmmmmmmmm	21:30
*** tjones1 has joined #openstack-dev		21:30
ayoung	morganfainberg, so, say I am load balancing	21:30
morganfainberg	ayoung, uhhhh i don't think do	21:30
*** changbl has quit IRC		21:31
morganfainberg	ayoung, keystone is pretty stateless across the board	21:31
jamielennox	lifeless: ok i have a testlog binary which happened too quickly to have been a test run	21:31
ayoung	and I want each instance to have its own "active page"	21:31
*** jcooley_ has quit IRC		21:31
ayoung	hostname?	21:31
lifeless	jamielennox: so I wanted a baseline	21:31
morganfainberg	ayoung, hostname-pid	21:31
lifeless	jamielennox: subunit-ls < testlog	21:31
jamielennox	lifeless: oh, ok	21:31
dolphm	ayoung: keystone.conf [DEFAULT] public_endpoint	21:31
morganfainberg	ayoung, might run multiple keystones on a server	21:31
ayoung	but pid gets recycled	21:31
morganfainberg	ayoung, right, thats why you need 2 items e.g. host and pid	21:31
ayoung	morganfainberg, nope, pid is not the right abstraction	21:32
morganfainberg	ayoung, listen-addr-port-pid?	21:32
*** mikeoutland has quit IRC		21:32
*** tjones has quit IRC		21:32
ayoung	cuz if a server gets recycled you just lost the old ones...or keep them around as Zombies	21:32
*** DinaBelova is now known as DinaBelova_		21:32
morganfainberg	ayoung, uuid generated on startup	21:32
ayoung	public_endpoint is better	21:32
morganfainberg	ayoung, ah ok	21:32
morganfainberg	ayoung, how does that solve the load-balanced issue?	21:33
ayoung	public_endpoint = http://127.0.0.1:%(public_port)s/	21:33
morganfainberg	you could have 10 separate keystones behind a single lb?	21:33
ayoung	morganfainberg, so...I'd need to expand that out	21:33
morganfainberg	each trying to modify the same pages. or you'll do just page-locking for all updates?	21:33
ayoung	ruh	21:33
ayoung	what do we use that value for	21:34
morganfainberg	the endpoint?	21:34
morganfainberg	where clients talk to. it would be the LB if you're using like HA Proxy or a f5 or something	21:34
morganfainberg	i think?	21:34
*** emagana has quit IRC		21:34
jamielennox	lifeless: i ran the wrong list which is why it was short so: http://paste.openstack.org/show/62488/ is the case where it only runs the 14 tests, running the baseline now	21:34
lifeless	jamielennox: thats the output from subunit-ls ?	21:35
*** neelashah has joined #openstack-dev		21:36
*** neelashah has quit IRC		21:36
jamielennox	yes	21:36
morganfainberg	ayoung, if you're looking at a "I'm a specific keystone process" (e.g. WSGI has multiple keystones that could update the same page?) I'm not sure on the best choice. - depends on what you consider a single keystone instance	21:36
ayoung	morganfainberg, yep....	21:36
ayoung	and for Apache, it is going to be a separate process each time	21:37
*** mst89 has joined #openstack-dev		21:37
*** rkukura has joined #openstack-dev		21:39
*** mestery has joined #openstack-dev		21:39
*** mestery has quit IRC		21:40
*** mestery has joined #openstack-dev		21:40
*** galstrom_zzz is now known as galstrom		21:41
*** kenperkins_ has joined #openstack-dev		21:42
dolphm	morganfainberg: ayoung: checking back in; i had no idea what ya'll were talking about a minute ago and i still don't; why are you trying to identify an instance of keystone?	21:43
*** dot has quit IRC		21:43
ayoung	dolphm, multiple reader/writer thing with a KVS backend for Revocation events	21:44
morganfainberg	dolphm, fewer pages that need explicit locking = less serialization across the multi-reader/writer scenarios	21:44
*** armax has left #openstack-dev		21:45
*** Gaston_Severina has quit IRC		21:45
morganfainberg	dolphm, if each keystone only ever needs to do a index page lock in the case it stored a ton of data in it's bucket, (reads w/o write is lockless) less contention	21:45
*** dprince has quit IRC		21:45
*** sarob has quit IRC		21:45
*** kenperkins has quit IRC		21:46
*** READ10 has quit IRC		21:46
*** peristeri has quit IRC		21:48
*** troytoman is now known as troytoman-away		21:49
*** gyee has quit IRC		21:50
*** doug_shelley66 has quit IRC		21:51
*** tjones1 has quit IRC		21:51
*** xqueralt has joined #openstack-dev		21:51
*** IanGovett1 has quit IRC		21:51
*** tjones has joined #openstack-dev		21:53
*** jdob has quit IRC		21:53
*** jhesketh has joined #openstack-dev		21:54
*** tshirtma1 is now known as tshirtman		21:54
*** tmclaugh[work] has quit IRC		21:54
*** apevec has quit IRC		21:54
*** sdake has quit IRC		21:55
*** buzztroll has quit IRC		21:57
*** sushils has quit IRC		21:57
*** buzztroll has joined #openstack-dev		21:58
*** rtheis has quit IRC		21:58
ayoung	dstanek, dolphm, if I were to try and compress the token before signing it, do we have a preferred mechanism to use?	21:58
jamielennox	lifeless: baseline for when you get back: http://paste.openstack.org/show/62492/	21:58
*** buzztroll has quit IRC		21:59
dolphm	ayoung: zlib and api change?	21:59
*** jprovazn has quit IRC		21:59
lifeless	jamielennox: ok, so thats truncated vs the full test list right ?	22:00
ayoung	dolphm, shouldn't bne an API change	22:00
*** buzztroll has joined #openstack-dev		22:00
ayoung	dolphm, it would be an optional token provider and additional logic in ATmiddleware	22:00
morganfainberg	ayoung, LZMA! i mean.. zlib	22:00
dolphm	ayoung: ah, it only affects the X-Subject-Token value, correct?	22:00
morganfainberg	dolphm, correct, it should only affect that	22:01
*** tjones1 has joined #openstack-dev		22:01
morganfainberg	and... in theory we could use magic number information to detect if it's compressed,	22:01
morganfainberg	if we wanted to	22:01
dolphm	i feel like we should have a separate spec for PKI tokens themselves, but it's not an HTTP API	22:01
*** godara has quit IRC		22:01
*** markmc has quit IRC		22:01
ayoung	dolphm, yeah	22:02
morganfainberg	dolphm, a separate spec for all things token	22:02
morganfainberg	dolphm, not even just PKI	22:02
dolphm	anyway, i vote stdlib	22:02
morganfainberg	dolphm, cough Juno	22:02
ayoung	I'm going to 1. compresss, 2 prepend the compresssion algorithm, and then sign it	22:02
morganfainberg	ayoung, sounds reasonable	22:02
*** kenperkins_ has quit IRC		22:03
*** MaxV has quit IRC		22:03
*** neelashah has joined #openstack-dev		22:03
ayoung	zlib.compress(token_data,0) I think	22:03
*** MaxV has joined #openstack-dev		22:03
dolphm	ayoung: i wouldn't bother making it optional, just do it?	22:03
*** tjones has quit IRC		22:03
*** kenperkins has joined #openstack-dev		22:03
*** godara has joined #openstack-dev		22:03
dolphm	ayoung: why 0?	22:03
ayoung	dolphm, let me make sure it works, and we can decide	22:03
morganfainberg	dolphm, i could see a benefit for debugging to not compress	22:03
dolphm	ayoung: actually, you could make the compression level configurable	22:03
*** e0ne has quit IRC		22:04
ayoung	dolphm, yes I could	22:04
dolphm	ayoung: i'd go for like 6-8	22:04
dolphm	personally	22:04
morganfainberg	dolphm, i'd default it to "on" just make it togglable	22:04
jamielennox	lifeless: yes so second link is full list, first was truncated	22:04
*** david-lyle has quit IRC		22:04
ayoung	dolphm, I figure speed is far more important, but I'll see what the range is	22:04
morganfainberg	ayoung, 6 for zlib in my experience is a solid place to live for speed/cpu requirements	22:04
morganfainberg	ayoung, 7+ tends to be slower.	22:04
dolphm	ayoung: default it to 9, and let deployments tweak it for speed	22:04
ayoung	if 0 is much faster than 9, and the size is roughly the same, good enough	22:04
dolphm	ayoung: make users happier in the short term	22:04
morganfainberg	ayoung, likely 3-6 will be close to same size imo	22:04
lifeless	jamielennox: uhm no, not what I meant	22:05
lifeless	jamielennox: http://paste.openstack.org/show/62492/ <- does that stop early.	22:05
dolphm	ayoung: go try it and give us results of 0-9 :)	22:05
*** jasondotstar has quit IRC		22:05
jamielennox	lifeless: no that appears to be a full run	22:05
*** sushils has joined #openstack-dev		22:05
lifeless	jamielennox: so the problem of exiting early didn't occur ?	22:05
morganfainberg	dolphm, a few years back did a test of gizp, bzip, and lzma, came out to lzma 3 was roughy equiv in speed to i think gzip 8 (way faster than even bzip3) and better compression than bzip 6	22:05
morganfainberg	dolphm, but thats random useless information for this convo :P	22:06
jamielennox	lifeless: it occurred in paste.openstack.org/show/62488/	22:06
* morganfainberg stops pulling useless trivia out of the air		22:06
jamielennox	it 62492 i removed the first test	22:06
*** neelashah has quit IRC		22:07
ayoung	morganfainberg, so my one req here is that I am going to use a standard python library if it exists. I don't want to chase something through requirements	22:07
ayoung	http://docs.python.org/2/library/archiving.html	22:07
ayoung	zlib, gzip, and bzip2	22:07
morganfainberg	ayoung, zlib would be my choice	22:08
*** cagrev__ has joined #openstack-dev		22:08
ayoung	there is a lzma module, but I think it is 3rd party	22:08
ayoung	that is what I am planning. I'll put the algorithm in the front of the token	22:08
*** nmagnezi has quit IRC		22:08
morganfainberg	yeah don't use that	22:08
ayoung	so once you do the cms verifuy, you can looks to see if the token starts wirh "zlib" and decompress	22:08
*** michchap has joined #openstack-dev		22:09
ayoung	so if we want lzma in the future, that would go in there, too	22:09
dolphm	ayoung: you might also have to encode utf-8 with zlib; not sure about the others	22:09
*** jcooley_ has joined #openstack-dev		22:10
dolphm	ayoung: zlib.compress(json.dumps(token_ref).encode('utf-8'), 6)	22:10
ayoung	dolphm, thanks	22:11
ayoung	trying it now	22:11
*** bswartz has joined #openstack-dev		22:11
stevemar	dolphm, ping	22:11
dolphm	stevemar: pong	22:11
*** cagrev_ has quit IRC		22:11
dolphm	stevemar: it's not time for nachos?	22:12
stevemar	dolphm, so, about that rule mapping, how do you want it used... initialize it with a mapping_ref, call process with an assertion, but what does process return?	22:12
*** SumitNaiksatam_ has joined #openstack-dev		22:12
stevemar	dolphm, cause in your example, you were just picking user out as a property	22:12
stevemar	dolphm, no nachos :(	22:12
*** danielbruno has quit IRC		22:12
*** SumitNaiksatam has quit IRC		22:13
*** SumitNaiksatam_ is now known as SumitNaiksatam		22:13
dolphm	stevemar: so, i was talking to marekd about that this morning, and you weren't online so sadness	22:14
dolphm	stevemar: this is the notes from the hackathon https://gist.github.com/dolph/5cfa70c02f5b141060c5#token-as-a-result-of-federation	22:14
dolphm	stevemar: with the exception of "groups" -- i added that this morning	22:14
dolphm	stevemar: (ignore everything but the JSON example)	22:15
dolphm	stevemar: and ignore "id"	22:15
dolphm	stevemar: if mapping returns a dict of user attributes that can be dropped directly into a token, that'd be dandy	22:15
*** sdake has joined #openstack-dev		22:16
*** marekd is now known as marekd\|away		22:16
*** jcooley_ has quit IRC		22:16
*** jcooley_ has joined #openstack-dev		22:17
dolphm	stevemar: revised the gist with a specific example!	22:17
ttx	annegentle: I confirm jeblair's interpretation on the openstack telemetry usage. Sorry -- just read the log again for stuff I missed duringthe heated discussion	22:18
stevemar	dolphm, reading, got bombarded with pings	22:18
stevemar	dolphm, okay, so you want something like... attributes = assertion_processor.process(assertion)	22:19
annegentle	ttx: drafting an email now, and I guess what I have permission to use is "ceilometer module of OpenStack Compute"?	22:19
*** doug_shelley66 has joined #openstack-dev		22:19
annegentle	ttx: or probably just "ceilometer module"	22:19
annegentle	ttx: honestly I'm guessing ceilometer and heat aren't well-covered in the docs anyway	22:19
stevemar	dolphm, i'm really confused about how i'm supposed to determine the user and such, from the local objects, without making some assumptions	22:20
*** julienvey_ has joined #openstack-dev		22:21
*** neelashah has joined #openstack-dev		22:21
dstanek	ayoung: yay! compression	22:21
annegentle	ttx: also trove for icehouse release	22:21
annegentle	ttx: trove module?	22:21
dolphm	stevemar: ?	22:22
ayoung	dstanek, yeah, now if I can just figure out where to get zlib from...	22:22
ayoung	data = "zlib:"+ zlib.compress(json.dumps(token_data).encode('utf-8'), 6)	22:22
ayoung	AttributeError: 'module' object has no attribute 'compress'	22:22
dolphm	ayoung: oh also, zlib compression level 0 does not compress anything, it'll make the token bigger :)	22:22
ayoung	heh	22:22
stevemar	dolphm, right now i just keep track of the local objects, i don't actually look at whats in them	22:22
*** CaptTofu has quit IRC		22:23
*** mestery has quit IRC		22:24
dolphm	ayoung: dstanek: morganfainberg: compressed lengths for unsigned tokens http://pasteraw.com/4m2l5hsfr656k004sfwmfcujhw4ki9w	22:24
*** ijw_ has joined #openstack-dev		22:25
ayoung	6 it is	22:25
dolphm	ayoung: ++ reasonable default	22:25
*** amcrn has joined #openstack-dev		22:25
ayoung	dolphm, do I need to somehow add zlib to my venv?	22:26
*** markmcclain has quit IRC		22:26
ayoung	Its base python, and it should inherit the native libs from the base install right?	22:26
*** eglynn-lunch has quit IRC		22:26
ayoung	I can do it from a command line python prompt, but not from the code in the test	22:27
dolphm	ayoung: no, it's standard library http://docs.python.org/2/library/zlib.html	22:27
*** Alexei_987 has quit IRC		22:27
dolphm	ayoung: maybe something is overriding it's namespace?	22:27
ayoung	AttributeError: 'module' object has no attribute 'compress'	22:27
ayoung	probably	22:27
*** slagle has joined #openstack-dev		22:28
ttx	annegentle: "ceilometer component of openstack" is certainly ok. And according to section 4.1, it's also possible that "openstack X" would be fair use	22:28
ayoung	UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 6: invalid start byte	22:28
ayoung	OK, that is better	22:28
*** ijw has quit IRC		22:28
dolphm	ayoung: zlib.__file__ ?	22:28
ttx	annegentle: at least until proven otherwise	22:28
annegentle	ttx: if "openstack X" is fair use then I don't wanna make all the changes :)	22:28
ayoung	dolphm, yeah, I had created a zlib.py file in the same dir, as an alternitave provider, then abandonded, just needed to cleanup	22:28
*** pcm_ has quit IRC		22:28
dolphm	ayoung: lol	22:29
*** gmurphy_ is now known as gmurphy		22:30
dstanek	ayoung: that's why i like absolute_import	22:30
*** tjones1 has quit IRC		22:31
ayoung	dstanek, yeah.	22:31
*** IanGovett has joined #openstack-dev		22:31
dstanek	ayoung: have you tried to see what the speed difference is for each compression level?	22:32
*** michchap has quit IRC		22:32
ayoung	dstanek, nope. Don't care	22:32
ayoung	premature optimization is the root of all evil -- Knuth	22:32
*** tjones has joined #openstack-dev		22:32
trevorj	dstanek: From NEO?	22:32
dstanek	ayoung: :-) i think that's out of context	22:32
ayoung	dstanek, heh...right now I just need to make the tokens fit	22:33
dstanek	ayoung: i'm not saying you should change, i'm just curious	22:33
ttx	annegentle: ianal, but you could ask the foundation lawyer to check with the CURRENT rules	22:33
*** markmcclain has joined #openstack-dev		22:33
ttx	annegentle: rules that might just let us slap "openstack" labels to whatever we work on.	22:34
*** tjones has quit IRC		22:35
lifeless	jamielennox: please try 'testr run --analyse-isolation 2>&1 > isolation.log'	22:36
jamielennox	lifeless: on the short one or the full one?	22:37
dstanek	trevorj: why yes i am	22:37
*** tjones has joined #openstack-dev		22:38
lifeless	jamielennox: do a full run to seed it (unless you just did one) then run the isolation analyser	22:38
*** gcha has quit IRC		22:39
*** dims has quit IRC		22:39
*** cnesa has joined #openstack-dev		22:40
*** dkranz has quit IRC		22:41
*** mriedem has quit IRC		22:42
*** sgordon has joined #openstack-dev		22:43
jamielennox	lifeless: ok, just to show the issue though i pushed https://github.com/jamielennox/keystone/commit/c63505649814512501cf1d55a253320f1e33be1f	22:44
jamielennox	in there i comment out keystone/tests/contrib/kds/api/test.py test_simple and i pass	22:45
jamielennox	lifeless: if i uncomment it then i get a short run	22:46
*** mfer has quit IRC		22:46
*** cnesa has quit IRC		22:46
*** eharney has quit IRC		22:47
*** jhesketh__ has joined #openstack-dev		22:47
*** joesavak has quit IRC		22:48
*** michchap has joined #openstack-dev		22:49
*** gokrokve has joined #openstack-dev		22:49
*** cnesa has joined #openstack-dev		22:50
*** dot has joined #openstack-dev		22:51
*** sweston has joined #openstack-dev		22:52
ayoung	I need to create the sample data. I assume I am ok with taking sample_token.json and doing gzip on it?	22:53
*** xqueralt has quit IRC		22:53
ayoung	actually, let me see if I can shell out to python to ensure I am using the same zlib	22:54
*** dot has quit IRC		22:55
*** dims_ has joined #openstack-dev		22:55
*** thuc has quit IRC		22:55
*** thuc has joined #openstack-dev		22:56
jamielennox	lifeless: isolation: http://paste.openstack.org/show/62496/	22:56
*** mfer has joined #openstack-dev		22:57
*** sweston has quit IRC		22:57
*** mfer has quit IRC		22:57
*** mikeoutland has joined #openstack-dev		22:58
zaneb	dolphm: shardy pointed out that https://review.openstack.org/#/c/57481/ is only a docs change (even though it is marked as closing the bug)	22:58
*** mikeoutland has quit IRC		22:58
*** dbalog has left #openstack-dev		22:59
zaneb	dolphm: the actual impelmentation is waiting on https://review.openstack.org/#/c/56243/	22:59
*** godara has quit IRC		22:59
zaneb	so that blueprint should be in Needs Code Review, not Implemented	23:00
lifeless	jamielennox: right, so running just those two tests together will fail	23:00
*** thuc has quit IRC		23:00
*** godara has joined #openstack-dev		23:00
lifeless	jamielennox: put both the names in a list file, and run that with pdb with testtools.run	23:00
*** topol has quit IRC		23:01
*** harlowja is now known as harlowja_away		23:01
jamielennox	lifeless: Ran 2 tests in 0.193s - OK	23:03
lifeless	jamielennox: blink	23:03
lifeless	jamielennox: testr when it did that had the second fail	23:03
*** burt1 has quit IRC		23:04
*** jmckind has quit IRC		23:04
*** AlanClark has quit IRC		23:04
jamielennox	hmm, when i do it with testr run --load-list all_tests2 it fails	23:04
jamielennox	(with no info)	23:04
*** godara has quit IRC		23:04
jamielennox	but python -m testtools.run discover --load-list all_tests2 succeeds	23:05
*** stevemar has quit IRC		23:05
*** vkmc has quit IRC		23:05
*** godara has joined #openstack-dev		23:05
*** krotscheck_sick has quit IRC		23:06
*** branen_ has quit IRC		23:08
jamielennox	lifeless: also if i keep test_simple and start removing other tests further down the same thing happens - it will run one additional test and then fail	23:09
*** mikeoutland has joined #openstack-dev		23:09
*** mikeoutland has quit IRC		23:09
jamielennox	ie it will run all the keystone.tests.contrib.kds.* tests and then fail on whatever comes next	23:10
*** jgrimm_ has quit IRC		23:11
*** clayb has quit IRC		23:11
lifeless	jamielennox: so I think you have something exiting the process hard	23:11
*** prad_ has quit IRC		23:12
*** patelna has joined #openstack-dev		23:12
*** Gordonz has joined #openstack-dev		23:13
*** Gordonz has quit IRC		23:13
*** Gordonz has joined #openstack-dev		23:13
jamielennox	lifeless: ok, it's weird that that would come to the surface from what is a reasonably simple change, does pecan do an exit for any reason	23:13
*** mdomsch has quit IRC		23:13
*** harlowja_away is now known as harlowja		23:13
jamielennox	?	23:13
lifeless	jamielennox: if we can just get it down to a simple interaction you can debug	23:13
lifeless	jamielennox: so anyhow, if you have any test list that exits in a reasonable time	23:14
*** FunnyLookinHat has quit IRC		23:14
lifeless	jamielennox: run the whole thing under pdb	23:14
*** kolesovdv has joined #openstack-dev		23:14
lifeless	e.g. python -m pdb ...path-to-run.py and then run discover ...	23:14
*** dstanek has quit IRC		23:14
*** jecarey has quit IRC		23:14
jamielennox	lifeless: so testtools.run doesn't show an error and my understanding was that testr and pdb was a bad mix	23:15
jamielennox	obviously i'm debugging testr itself this time	23:15
lifeless	jamielennox: nope	23:16
*** zzelle_ has quit IRC		23:16
lifeless	jamielennox: I thought you said testtools.run could show the error ?	23:16
lifeless	jamielennox: that you triggered errors by running python -m testtools.run discover ?	23:16
jamielennox	lifeless: testtools.run will exit after only 14 tests - but it will show an OK at the end	23:17
*** mestery has joined #openstack-dev		23:17
*** mestery has quit IRC		23:17
jamielennox	though $? gives 1	23:17
jamielennox	Ran 14 tests in 0.995s - OK	23:17
*** mestery has joined #openstack-dev		23:17
*** jayg is now known as jayg\|g0n3		23:18
jamielennox	so something is making it quit but it prints a success message	23:18
*** sarob has joined #openstack-dev		23:18
lifeless	jamielennox: yeouch, fun :/	23:18
jamielennox	hmm, looking at that though 0.995s is way to fast - it should take about 30sec	23:19
*** mikeoutland has joined #openstack-dev		23:19
jamielennox	or that's what ./run_tests.sh shows	23:19
lifeless	jamielennox: I am thoroughly confused.	23:19
*** pcm_ has joined #openstack-dev		23:19
lifeless	jamielennox: lets start from basics. Stop using run-tests.sh, its muddying things up.	23:20
jamielennox	lifeless: imagine how i feel :) that's why i came to you	23:20
*** neelashah has quit IRC		23:20
*** mikeoutland has quit IRC		23:20
jamielennox	lifeless: can you reproduce it?	23:20
lifeless	jamielennox: python -m testtools.run discover -t ./ ./keystone/tests	23:20
lifeless	jamielennox: no, and I have two criticals on my plate today already	23:20
lifeless	sorry	23:20
jamielennox	ok	23:20
*** thuc_ has joined #openstack-dev		23:21
lifeless	jamielennox: one thing	23:21
lifeless	jamielennox: run_tests is running in parallel.	23:21
lifeless	jamielennox: that may be the distinguishing factor	23:21
*** ijw has joined #openstack-dev		23:21
*** kevinconway has quit IRC		23:21
lifeless	jamielennox: so another thing to try is testr run --parallel	23:21
lifeless	and see if that reproduces	23:22
*** buzztroll has quit IRC		23:22
jamielennox	lifeless: i don't think we have parallel tests but i'm not sure	23:22
*** lbragstad has quit IRC		23:22
*** buzztroll has joined #openstack-dev		23:22
*** MaxV has quit IRC		23:23
jamielennox	ok discover: http://paste.openstack.org/show/62497/	23:23
jamielennox	note that it runs way to fast to be running those tests	23:23
*** thomasem has quit IRC		23:24
*** ijw_ has quit IRC		23:24
*** markmcclain has quit IRC		23:25
*** rcleere has quit IRC		23:26
*** sushils has quit IRC		23:26
*** sarob_ has joined #openstack-dev		23:27
*** rfolco has joined #openstack-dev		23:27
jamielennox	lifeless: did you try to reproduce and it didn't work or didn't try? i started with a new venv so i didn't think it was my machine, if it's just me i can try something else	23:27
*** sarob has quit IRC		23:28
*** mikeoutland has joined #openstack-dev		23:28
*** sushils has joined #openstack-dev		23:28
*** mriedem has joined #openstack-dev		23:29
*** mriedem has quit IRC		23:29
*** ekhugen has quit IRC		23:29
*** devoid has quit IRC		23:29
*** sheeprine has quit IRC		23:29
lifeless	jamielennox: I have not tried	23:30
jamielennox	ok	23:30
*** Shaan7 has quit IRC		23:30
*** tongli has quit IRC		23:30
*** mriedem has joined #openstack-dev		23:30
*** flaper87 is now known as flaper87\|afk		23:31
*** sgordon has quit IRC		23:32
*** sgordon has joined #openstack-dev		23:34
*** atiwari has quit IRC		23:35
*** byeager has quit IRC		23:35
*** tjones1 has joined #openstack-dev		23:35
*** rfolco has quit IRC		23:36
*** byeager has joined #openstack-dev		23:36
*** tjones has quit IRC		23:38
*** yamahata has quit IRC		23:38
*** achampion has quit IRC		23:38
*** thuc_ has quit IRC		23:38
SpamapS	soren: i can haz uvirtbot plzzzzz	23:39
*** yamahata has joined #openstack-dev		23:40
*** tdruiva has quit IRC		23:40
*** andreaf has joined #openstack-dev		23:42
*** bauzas has quit IRC		23:42
*** baoli has quit IRC		23:42
*** andreaf has quit IRC		23:43
*** mikeoutland has quit IRC		23:44
*** godara has quit IRC		23:44
*** jruzicka has quit IRC		23:45
*** byeager has quit IRC		23:45
*** godara has joined #openstack-dev		23:45
*** thuc has joined #openstack-dev		23:46
*** sgordon has quit IRC		23:48
*** cnesa has quit IRC		23:48
*** atiwari has joined #openstack-dev		23:48
*** tdruiva has joined #openstack-dev		23:48
*** tdruiva has quit IRC		23:50
*** patelna has quit IRC		23:51
kdbrierly	Are there any known bugs with neutron not updating security rules when new instances are added?	23:52
*** datamatic has joined #openstack-dev		23:52
*** thuc_ has joined #openstack-dev		23:53
*** cnesa has joined #openstack-dev		23:53
*** sweston has joined #openstack-dev		23:53
*** MaxV has joined #openstack-dev		23:53
*** dubsquared has joined #openstack-dev		23:54
*** markmcclain has joined #openstack-dev		23:54
*** yamahata has quit IRC		23:54
*** patelna has joined #openstack-dev		23:54
*** thuc has quit IRC		23:56
*** kenperkins_ has joined #openstack-dev		23:57
*** branen has joined #openstack-dev		23:57
*** galstrom is now known as galstrom_zzz		23:57
*** sweston has quit IRC		23:57
*** sgordon has joined #openstack-dev		23:58
*** vladikr has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!