Tuesday, 2014-03-11

[00:03] *** leseb has quit IRC
[00:03] <bknudson> are we going to have blueprints go through gerrit?
[00:03] <morganfainberg> hmm?
[00:04] <bknudson> looks like nova is going that way
[00:04] <bknudson> https://review.openstack.org/#/c/79363/
[00:04] <morganfainberg> oh, interesting.
[00:05] <morganfainberg> bknudson, so, i'm not seeing how that is massively different than what we're doing with the identity-api stuff?
[00:06] <morganfainberg> bknudson, i guess i'll need to see it in action
[00:06] <bknudson> one difference is they don't have apparently random people with +2 in the repo
[00:06] <morganfainberg> bknudson, i don't see that as a large benefit, i think something like storyboard will really be the winner
[00:07] <bknudson> I'm surprised they're going this way with the storyboard work going on.
[00:07] <morganfainberg> yeah
[00:07] <morganfainberg> i'd say we shouldn't do that if storyboard is going to get traction
[00:07] <morganfainberg> in fact, i'm pretty against this kind of setup.
[00:07] <morganfainberg> git feels like the wrong tool for the job
[00:16] <bknudson> morganfainberg: for example https://review.openstack.org/#/c/73179/
[00:16] <bknudson> who are Andreas Jaeger and Lana Brindley?
[00:16] <morganfainberg> no idea
[00:16] <morganfainberg> doc folks
[00:16] <morganfainberg> it looks like
[00:17] <jamielennox> Lana is docs
[00:17] <jamielennox> not sure about andreas
[00:17] <bknudson> it just seems strange that they can approve changes to the identity API
[00:17] <jamielennox> why did they call it nova-specs compute-api seems better
[00:17] <morganfainberg> jamielennox, they already have compute-api
[00:17] <bknudson> jamielennox: I think it's for their blueprints.
[00:17] <morganfainberg> bknudson, they must have magic docs powers
[00:18] <morganfainberg> bknudson, because they must have inherited permissions
[00:18] <morganfainberg> oh i see it now
[00:18] <morganfainberg> everyone here https://review.openstack.org/#/admin/groups/30,members has +2 to identity-api
[00:18] <morganfainberg> since they are doc-core
[00:19] <bknudson> morganfainberg: now I know who to ask next time I want to make a change.
[00:19] <morganfainberg> lol
[00:20] *** Yash has joined #openstack-keystone
[00:21] <Yash> Can I make the user re-authenticate after some minutes by either making his token to expire or by making the user disabled?
[00:22] <Yash> I am using python-keystone client
[00:22] <bknudson> Yash: delete the token
[00:23] <Yash> bknudson: So, that will force him to be navigated to the login page?
[00:23] <bknudson> Yash: login page?
[00:23] <Yash> bknudson: login page of openstack
[00:24] <Yash> bknudson: what I am trying to do is...once the user is logged in..im starting a timer..and after some time..i want him to logout
[00:24] <bknudson> Yash: I don't know how that works... could ask the horizon folks.
[00:24] <Yash> okay..
[00:24] <Yash> what will be consequence of deleting the token?
[00:24] <bknudson> the token will be invalidated so it can't be used anymore.
[00:25] <bknudson> there's other ways to invalidate a token... disabling the user would do it too
[00:25] <Yash> ok......DO you know how to do it using python-keystoneclient?
[00:26] <bknudson> looks like we don't have a v3 api for it for some reason.
[00:26] <bknudson> Yash: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v2_0/tokens.py#n59
[00:26] <bknudson> looks like there's a token delete operation
[00:29] <Yash> yes
[00:29] <Yash> so..i use this command to authenticate the user
[00:29] <Yash> keystone = client.Client(username=username, password=password,tenant_name=tenant_name, auth_url=auth_url)
[00:29] <jamielennox> that's a client side solution, isn't there a token expiry length you can set in keystone?
[00:30] <jamielennox> [token] expiration = (in seconds)
[00:30] <jamielennox> though that will affect everyone
[00:30] <Yash> let me see
[00:30] <Yash> jamielennox: where do i find it?
[00:31] <jamielennox> that's in /etc/keystone.conf
[00:31] <Yash> jamielennox: i want the token to expire only for a specific user..not for everyone
[00:31] <jamielennox> as i said that's a global setting so you can say that everyone's token is valid for only an hour
[00:31] <jamielennox> yea, not sure how to do that one
[00:35] <Yash> what kind of object do I call delete on/
[00:35] <Yash> ?
[00:35] <Yash> bknudson:??
[00:37] <bknudson> Yash: it's not something I've ever tried... haven't used the keystoneclient API much
[00:37] <Yash> ok..no problem..thanks :)
[00:39] *** wchrisj has quit IRC
[00:41] *** wchrisj has joined #openstack-keystone
[00:43] *** wchrisj has quit IRC
[00:49] <jamielennox> morganfainberg: can you resurrect your kite in stackforge patches?
[00:49] <jamielennox> i think dolphm had one of them as well
[00:49] <jamielennox> i'm pretty sure we are going barbican-core for the owner though
[00:50] <jamielennox> or actually leave it as kite-core and then we can add barbican people
[00:52] *** marcoemorais has quit IRC
[00:55] *** wchrisj has joined #openstack-keystone
[00:55] *** devlaps has quit IRC
[01:00] *** browne has quit IRC
[01:09] <openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Update sample config https://review.openstack.org/78024
[01:13] *** stevemar has joined #openstack-keystone
[01:15] *** marekd is now known as marekd|away
[01:15] <morganfainberg> bknudson, i'm about to propose a fairly sizable refactor of tests
[01:15] <morganfainberg> bknudson, eliminating a bunch of files
[01:15] <morganfainberg> it might have overlap w/ yours
[01:16] <morganfainberg> bknudson, so lets 2x check :)
[01:17] <bknudson> morganfainberg: the only way you could get rid of backend_sql_disk.conf is if you're configuring the connection some other way
[01:17] <bknudson> in the code
[01:17] <morganfainberg> bknudson, yeah that one i'm leaving the connection string in
[01:18] <morganfainberg> bknudson, we'll circle back, maybe ENV var in the future?
[01:18] <morganfainberg> bknudson, but i'm removing a lot of the other ones.
[01:18] <bknudson> morganfainberg: good riddance.
[01:18] <morganfainberg> so far: http://paste.openstack.org/show/73091/
[01:19] <morganfainberg> also will be removing test_overrides.conf
[01:19] <morganfainberg> the LDAP ones are probably not going away
[01:19] <morganfainberg> yet
[01:19] <bknudson> morganfainberg: are the config settings in the test code now?
[01:20] <morganfainberg> yep
[01:20] <openstackgerrit> A change was merged to openstack/python-keystoneclient: Fix retry logic https://review.openstack.org/77907
[01:20] <morganfainberg> i probably can eliminate another 3 or 4 files before i'm done
[01:21] <morganfainberg> then i'll propose a change afterwards to move the remaining files to keystone/tests/config_files
[01:22] *** wchrisj has quit IRC
[01:22] <bknudson> morganfainberg: so I'm wondering why we have a config() function and a config_overrides()... why not do the config in config()?
[01:23] <morganfainberg> i'm fine with collapsing it down
[01:23] <morganfainberg> i just wanted to make sure it was clear where things are
[01:23] <morganfainberg> easier to review the changes imo
[01:23] <morganfainberg> maybe we do that as another 'cleanup' review?
[01:23] <bknudson> morganfainberg: it was clear as mud before!
[01:23] <morganfainberg> lol
[01:23] <morganfainberg> well trying to make mud a bit less murky
[01:24] <morganfainberg> and i'd rather not make it hard to read during the cleanup
[01:24] <bknudson> so for some reason we had multiple calls to config() and multiple implementations of config_files.
[01:24] <morganfainberg> yeah that is some of the overlap between my proposed change and yours
[01:24] <morganfainberg> because i need to do some of the same cleanup
[01:25] <bknudson> those were just some little things I noticed when doing the configurable temp dir.
[01:25] * morganfainberg nods
[01:25] *** browne has joined #openstack-keystone
[01:28] <morganfainberg> oh look at that
[01:28] <morganfainberg> i think i found a test gap
[01:28] * morganfainberg 2xchecks
[01:29] <morganfainberg> bknudson, so
[01:29] <morganfainberg> https://github.com/openstack/keystone/blob/master/keystone/tests/backend_sql.conf
[01:29] <morganfainberg> never sets assignment backend to use SQL
[01:29] <morganfainberg> we're not testing the assignment SQL driver.
[01:29] <morganfainberg> *facepalm*
[01:29] <morganfainberg> oh wait
[01:29] <bknudson> morganfainberg: the assignment backend defaults based on identity
[01:29] <morganfainberg> it's defaulted to the same as identity
[01:29] <morganfainberg> god i hate that code
[01:29] <morganfainberg> :P
[01:30] <bknudson> although that might be deprecated at some point
[01:30] <morganfainberg> i hope so
[01:30] <bknudson> so could make it explicit in the config
[01:30] <morganfainberg> :P
[01:30] <morganfainberg> going to make it explicit in the test cases
[01:30] <morganfainberg> oh actually.. not atm
[01:31] <morganfainberg> too much code shift for that in this change i think
[01:32] <dstanek> so are all non-feature/non -2ed reviews ok to approve? or do we need to be careful?
[01:32] <morganfainberg> dstanek, i'd still be careful
[01:32] <bknudson> dstanek: we need to be careful... might be added after dolphm had a chance to -2
[01:32] <morganfainberg> look for string changes that don't comply w/ string freeze
[01:33] <morganfainberg> and look for things that are still making changes that we wouldn't want in 11th hour
[01:33] <dstanek> there's lots of little things that *should* be fine like https://review.openstack.org/#/c/74263
[01:34] <dstanek> that one in particular won't have side effects, but there are other small changes that might
[01:34] *** richm has quit IRC
[01:34] <bknudson> dstanek: if in doubt, +2 and ask dolphm when he's around.
[01:35] *** nkinder has quit IRC
[01:35] <dstanek> bknudson: that's a good point
[01:38] <stevemar> bknudson, that's my motto, except change it to dolphm/bknudson
[01:47] <dstanek> stevemar: yo
[01:47] <dstanek> stevemar: looking at your comment here on https://review.openstack.org/#/c/79284
[01:48] <dstanek> are those group ids all valid?
[01:48] *** stevemar2 has joined #openstack-keystone
[01:49] *** stevemar has quit IRC
[01:52] *** browne has quit IRC
[01:53] *** wchrisj has joined #openstack-keystone
[02:00] *** lbragstad has joined #openstack-keystone
[02:08] *** mberlin1 has joined #openstack-keystone
[02:09] *** stevemar2 is now known as stevemar
[02:10] *** mberlin has quit IRC
[02:18] <morganfainberg> bknudson, ok this test run is looking good
[02:18] <morganfainberg> bknudson, just debugging the last bits here before posting
[02:18] <morganfainberg> :)
[02:26] *** stevemar has quit IRC
[02:27] *** stevemar has joined #openstack-keystone
[02:36] *** noorul has joined #openstack-keystone
[02:36] <noorul> hello
[02:36] <noorul> I hit this bug in havana https://bugs.launchpad.net/python-keystoneclient/+bug/1195924
[02:37] <noorul> Is there a way to use an updated version of client in havana?
[02:37] *** nkinder has joined #openstack-keystone
[02:47] *** stevemar has quit IRC
[02:51] *** zhiyan_ is now known as zhiyan
[02:54] *** harlowja is now known as harlowja_away
[03:06] *** harlowja_away is now known as harlowja
[03:15] <morganfainberg> wow... tests have gotten slow
[03:15] <openstackgerrit> Jamie Lennox proposed a change to openstack/keystone: Change the default version discovery URLs https://review.openstack.org/78068
[03:16] *** daneyon has joined #openstack-keystone
[03:22] *** stevemar has joined #openstack-keystone
[03:22] <stevemar> any night owls online?
[03:22] <morganfainberg> stevemar, no
[03:22] <morganfainberg> :P
[03:22] <stevemar> or west coast folks
[03:22] <stevemar> morganfainberg, how unusual!
[03:22] *** gokrokve has quit IRC
[03:24] *** daneyon has quit IRC
[03:24] <morganfainberg> our testing has gotten really slow: stevemar
[03:24] <morganfainberg> :(
[03:24] <morganfainberg> makes me sad
[03:25] *** daneyon has joined #openstack-keystone
[03:27] <stevemar> morganfainberg, my isp is terrible this evening, that makes me sad
[03:27] *** gokrokve has joined #openstack-keystone
[03:28] <morganfainberg> i have 3 test cleanup patches about to post
[03:28] <morganfainberg> just waiting for local unit tests to pass first
[03:31] <stevemar> morganfainberg, i've added you to client reviews, because i can
[03:31] <morganfainberg> lol
[03:31] <morganfainberg> i need to do some client reviews :(
[03:31] <morganfainberg> but they always make my head hurt these days
[03:36] <dstanek> stevemar: i'm always lurking
[03:36] <dstanek> stevemar: did you see my comments above?
[03:37] <stevemar> dstanek, unlikely, i was probably disconnected
[03:37] <dstanek> stevemar: looking at your comment here on https://review.openstack.org/#/c/79284
[03:37] <dstanek> are those group ids all valid?
[03:37] <dstanek> (instant replay)
[03:38] <stevemar> dstanek, they may not be
[03:38] <stevemar> dstanek, cause, mapping
[03:39] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Do not use keystone.conf.sample in tests https://review.openstack.org/79524
[03:39] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files https://review.openstack.org/79525
[03:39] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files https://review.openstack.org/79526
[03:39] <dstanek> so he would still need to query the db if he really does want to check
[03:39] <morganfainberg> dstanek, stevemar ^
[03:39] <noorul> I hit this bug in havana
[03:40] <noorul> https://bugs.launchpad.net/python-keystoneclient/+bug/1195924
[03:40] <noorul> Is there a way to use an updated version of client in havana?
[03:40] <stevemar> dstanek, absolutely, isn't that what i proposed in my comment?
[03:40] <stevemar> ahhh too many links
[03:40] <morganfainberg> noorul, that should be long since shipped
[03:41] <morganfainberg> noorul, where did you get your release of the client? distribution package install?
[03:41] <dstanek> stevemar: maybe, i'll reread i got the impression that you thought we could use that list
[03:41] <stevemar> noorul, keystoneclient is at 4.2.0 now
[03:41] <stevemar> dstanek, i said get_group i think
[03:41] <jamielennox> 4.2.0? whoa
[03:41] <stevemar> jamielennox, did i mix up the numbers? is it 4.0.2?
[03:41] <morganfainberg> stevemar, 0.6.0
[03:41] <morganfainberg> https://pypi.python.org/pypi/python-keystoneclient
[03:41] <jamielennox> i think we're about to do an 0.7
[03:42] <morganfainberg> jamielennox, ++
[03:42] <noorul> morganfainberg: havan
[03:42] <morganfainberg> jamielennox, also ^ lots of test config cleanup.
[03:42] <noorul> morganfainberg: havana release
[03:42] <morganfainberg> noorul, how did you install keystoneclient? apt-get? pip?
[03:42] <noorul> apt-get
[03:42] <jamielennox> morgan: i haven't been paying attention to the channel
[03:42] <stevemar> jamielennox, whoa, i was way off
[03:43] <morganfainberg> jamielennox, hehe no worries, just pointing you to them. i think they'll help with keeping tests easier to manage
[03:43] <jamielennox> are you doing the test changes now, or for start of J
[03:43] <morganfainberg> jamielennox, now would be good.
[03:43] <jamielennox> lol, why not just hold it - when does the J cycle open?
[03:43] <morganfainberg> jamielennox, when we cut RC
[03:43] <stevemar> few more weeks
[03:43] <morganfainberg> jamielennox, i'm trying to front load as much as I can to get to parallel testing early in J
[03:44] <jamielennox> weeks? huh, i didn't think it was that long
[03:44] <noorul> morganfainberg: Is there a way to update this using aptitude
[03:44] <morganfainberg> big test changes are hard to land when the cycle is moving
[03:44] <stevemar> jamielennox, https://wiki.openstack.org/wiki/Icehouse_Release_Schedule
[03:44] <jamielennox> morganfainberg: yea i know i've tried that before
[03:44] <stevemar> march 27 to april 10
[03:44] <morganfainberg> noorul, if there is a new update for ubuntu yes, but unfortunately I don't know for sure
[03:45] <jamielennox> hmm, can we just start a J feature branch and do reviews there or will that just mean no-one is doing bugs
[03:45] <morganfainberg> noorul, you could use pip to update keystoneclient, but that may be sub-optimal for a production environment
[03:45] <morganfainberg> jamielennox, negative it's not how this works.
[03:45] <morganfainberg> jamielennox, also resolving bugs would be nightmarish
[03:45] <jamielennox> i know
[03:46] <morganfainberg> jamielennox, i'm also trying to make sure as we get new features people do tests more correctly
[03:47] <morganfainberg> and as long as this all passes check/gate it has no real impact on the project besides cleanup
[03:47] <morganfainberg> noorul, let me see if i can dig something up
[03:49] <morganfainberg> noorul are you using cloud-archive:havana as the apt source?
[03:49] <morganfainberg> noorul, https://wiki.ubuntu.com/ServerTeam/CloudArchive
[03:50] <morganfainberg> noorul, if so, they are likely to be the "most up-to-date" first-party packagers
[03:50] <morganfainberg> jamielennox, stevemar, oh wow
[03:50] <jamielennox> hmm?
[03:50] <morganfainberg> jamielennox, stevemar, dstanek, https://wiki.ubuntu.com/ServerTeam/CloudArchive maintaining essex for 5yrs.
[03:50] <morganfainberg> same w/ icehouse
[03:50] *** amcrn has quit IRC
[03:51] <jamielennox> wow, that's a nightmare
[03:51] <morganfainberg> yeah right?
[03:51] <jamielennox> even RHEL isn't attempting that yet
[03:51] <morganfainberg> that support schedule is... just wow
[03:51] <stevemar> jeez
[03:51] <jamielennox> they just decided it moved too quickly for now i think
[03:52] <morganfainberg> that means i can use essex (lol why) until... uhm ... 17.04 release of ubuntu
[03:53] <stevemar> dstanek, why you no +A https://review.openstack.org/#/c/74263/
[03:54] <jamielennox> gyee: here?
[03:55] <jamielennox> stevemar, morganfainberg, dstanek: you guys have any opinions on how we should do auth plugin discovery
[03:56] <jamielennox> i've been thinking about a way of loading it via CONF objects
[03:56] <jamielennox> or at least do an optional bit from plugins
[03:57] <noorul> morganfainberg: yes, I am using cloud-archive:havana
[03:57] <stevemar> jamielennox, CONF would make things easier for discovery
[03:57] <stevemar> or at least over-riding
[03:57] <noorul> morganfainberg: is it safe to uninstall python-keystoneclient and use pip to pull in specific version?
[03:57] <jamielennox> stevemar depends what you consider discovery
[03:57] <morganfainberg> noorul, then you'll need to either wait for them to roll an updated package, create your own package, or use pip
[03:57] <jamielennox> my main use here is for people loading it from outside. eg auth_token
[03:58] <stevemar> noorul, you could do pip install --upgrade
[03:58] <jamielennox> i think we'll need a way of doing it programmatically as well
[03:58] <morganfainberg> noorul, it _should_ be safe to use pip, but you'll probably want to make sure it doesn't have any bad interactions in your environment
[03:58] <stevemar> noorul, i defer to morganfainberg
[03:58] <jamielennox> noorul: put it in a virtualenv if you can - no problems that way
[03:58] <morganfainberg> noorul, i can't say with 100% certainty it is safe, but it really ought to not cause issues.
[03:58] <morganfainberg> jamielennox, ++
[03:59] <morganfainberg> jamielennox, likely, the best bet is stevedore
[03:59] <morganfainberg> jamielennox, i know you don't want to hear that
[03:59] <jamielennox> morganfainberg: yea, i'm thinking stevedore
[03:59] <morganfainberg> and it does make debugging ugly
[03:59] <jamielennox> there are usages that make sense
[03:59] <morganfainberg> but it really is the best bet
[03:59] <morganfainberg> i want to move all the dogpile stuff to using it
[03:59] <jamielennox> i have no problems with stevedore you just need to use it right
[04:00] <morganfainberg> i've seen it cause very hard to debug failures if say a plugin loads badly
[04:00] <jamielennox> i don't like the magic, but if you specify by name it's ok
[04:00] <morganfainberg> no real information on the failure
[04:00] <morganfainberg> but that is really my biggest complaint
[04:00] <morganfainberg> importutils will at least say "OMG FAILED LIKE THIS"
[04:01] <jamielennox> https://etherpad.openstack.org/p/keystoneclient-stevedore
[04:02] <jamielennox> if you spell it out like that and make it explicit then you know if oauth isn't available
[04:02] <noorul> ok, I will try pip and see how it fares
[04:02] <noorul> thank you morganfainberg jamielennox
[04:02] <jamielennox> i'm not sure i like just having everything in a big section and then going through the plugins to figure out what can handle all those options
[04:02] <jamielennox> noorul: np
[04:05] <morganfainberg> stevemar, you know... if we work at this i think we can remove the CONF object from all test files
[04:06] *** noorul has left #openstack-keystone
[04:06] <morganfainberg> forcing people to not just say CONF.<section>.<opt> = blah and wondering why it doesn't work
[04:06] <jamielennox> morganfainberg: is part of that directed at me?
[04:07] <morganfainberg> jamielennox, well besides that i need reviews, nothing specific directed at anyone
[04:07] <morganfainberg> just that people seem to get confused when we ask them to use opt_in_group or now the config_fixture
[04:07] <morganfainberg> i don't think i've had to explain it to a core though.
[04:08] <jamielennox> morganfainberg: heh, we all need reviews, you should see my profile atm
[04:08] <morganfainberg> i know
[04:08] <morganfainberg> i've been slowly working through the ones in keystone
[04:08] *** david-lyle has joined #openstack-keystone
[04:09] <morganfainberg> though it's easier w/ the -2s for FF
[04:10] <stevemar> morganfainberg, i'm doing a PoC of something, and deliberately did not create or extend a new .conf
[04:10] <stevemar> morganfainberg, just went ahead and did CONF.<group>.<opt>
[04:10] <morganfainberg> stevemar :)
[04:10] <morganfainberg> stevemar, don't troll :P
[04:10] <stevemar> morganfainberg, i've played around with test automation for a while, and i hate prop files for tests
[04:10] <morganfainberg> absolutely
[04:11] <morganfainberg> i want all the files to go away.
[04:11] <stevemar> morganfainberg, even if you do string substitution, which is terrible, it's still hacky
[04:11] <morganfainberg> but some of the live test stuff makes it hard
[04:11] <stevemar> and not sustainable
[04:11] <stevemar> yeah
[04:11] <morganfainberg> i have it down to 15 files in the last review
[04:12] <morganfainberg> and a few of those files are required since we load things from disk
[04:16] <openstackgerrit> ldbragst proposed a change to openstack/keystone: Fixup region description uniqueness https://review.openstack.org/79159
[04:16] * lbragstad is fried
[04:17] <openstackgerrit> ldbragst proposed a change to openstack/keystone: Fixup region description uniqueness https://review.openstack.org/79159
[04:19] <stevemar> lbragstad, unfry yourself
[04:20] * lbragstad feels like he just tried cracking eggs with the hammer of Thor
[04:20] * stevemar just looked at lbragstad's review, understands why he is fried
[04:20] <stevemar> it's named mjolnir
[04:20] <lbragstad> stevemar: I'm impressed you know that
[04:21] <stevemar> lbragstad, comic book trivia is one of my many useless talents
[04:21] <lbragstad> ..hey, there are many who would argue it's not useless
[04:21] <lbragstad> :)
[04:24] *** wchrisj has quit IRC
[04:42] *** daneyon has quit IRC
[04:43] *** daneyon has joined #openstack-keystone
[04:54] *** wchrisj has joined #openstack-keystone
[05:03] *** daneyon has quit IRC
[05:04] *** wchrisj has quit IRC
[05:10] *** jruano has joined #openstack-keystone
[05:13] *** gokrokve has quit IRC
[05:22] *** jruano has quit IRC
[05:23] <openstackgerrit> ldbragst proposed a change to openstack/keystone: Allow 'description' in V3 Regions to be optional https://review.openstack.org/78658
[05:23] <openstackgerrit> ldbragst proposed a change to openstack/keystone: Enforce required parameters for V3 Regions https://review.openstack.org/76444
[05:23] <openstackgerrit> ldbragst proposed a change to openstack/keystone: Fixup region description uniqueness https://review.openstack.org/79159
[05:27] *** jruano has joined #openstack-keystone
[05:41] <stevemar> jamielennox, i know i sound like a broken record, but you're the client gate-keeper :) - 'if you have time today, oauth for client'
[05:42] <stevemar> gnite/gday
[05:42] <gyee> jamielennox, here now, sorry I was afk
[05:42] <jamielennox> stevemar: ok, shall have a look
[05:42] <gyee> oauth!
[05:42] <stevemar> gyee, comes out of nowhere
[05:42] <jamielennox> gyee: ah ok, i'm trying to figure out how to do auth plugin abstractions
[05:42] <jamielennox> like factory and load from config
[05:43] <jamielennox> a replacement for auth_token loading that can be used elsewhere as well
[05:43] *** jruano has quit IRC
[05:43] <gyee> jamielennox, I would look for prior art, like JAAS, GSSAPI, etc
[05:43] <gyee> get some inspiration there
[05:43] <jamielennox> gyee: i'm not sure that's what i'm going for
[05:44] <gyee> JAAS is using config file
[05:45] <jamielennox> i think i'm just looking for a stevedore based approach that lets people do things like oauth from auth_token without having to specify everything
[05:45] <jamielennox> (currently fighting oslo.config)
[05:47] <gyee> oauth from auth_token middleware?
[05:48] <jamielennox> for example
[05:48] *** stevemar has quit IRC
[05:48] <jamielennox> or kerberos or whatever might be non-standard
[05:51] <gyee> jamielennox, I was thinking the same thing when I commented on one of your auth plugin patches, which is to essentially abstract the AccessInfo
[05:51] <gyee> AccessInfo is essentially the auth context
[05:52] *** amcrn has joined #openstack-keystone
[05:52] <jamielennox> i don't want every plugin to have to implement the AccessInfo - it's too big
[05:52] <gyee> its auth context
[05:54] <jamielennox> the only thing we need to do is implement the plugin interface
[05:54] <gyee> are you thinking to automatically detecting auth plugins and make use of them?
[05:55] <jamielennox> i'm not sure, i don't think i want it to be too automatic
[05:55] <jamielennox> like: https://etherpad.openstack.org/p/keystoneclient-stevedore maybe
[05:55] <jamielennox> i'm trying to see if i can make oslo.config do that
[05:56] <gyee> where does the conf file live?
[05:56] <jamielennox> well it's an issue of how you want to use it i think
[05:56] <jamielennox> auth_token will use some
[05:56] <gyee> current dir, home, /etc/keystoneclient - in that order?
[05:57] <jamielennox> other projects will want something that loads from their config file
[05:57] <jamielennox> no, it's a library - i don't want it to have its own config file
[05:57] <gyee> auth_token uses whatever in *-paste.ini or <service>.conf
[05:57] <jamielennox> yes
[05:58] <jamielennox> so i'm just seeing if we can support a generic case
[05:58] <gyee> I see what you mean. So config would be one of the kwargs for client
[05:59] <jamielennox> gyee: https://review.openstack.org/#/c/79542/
[06:00] <gyee> actually, with a config file, possibilities abound :)
[06:00] <openstackgerrit> Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/78525
[06:00] <jamielennox> i think there will be a lot of potential with a config file
[06:01] <gyee> ++
[06:01] <jamielennox> as in we will need something that allows people to specify what sort of auth you want when using it as part of another application
[06:01] <jamielennox> we will need the equivalent for CLI options i think
[06:02] <jamielennox> and there is the general factory case
[06:02] <jamielennox> i'm trying to figure out how they all tie together
[06:04] <jamielennox> note that i don't want to rely on oslo.config just provide helpers and standardize it if people are using it already
[06:06] <gyee> CLI is a bit more interesting, but config file definitely help
[06:08] <jamielennox> i'm hoping i can leave CLI up to OSC
[06:08] <jamielennox> though i imagine i'll need to have some sort of helpers on the plugins
[06:08] *** harlowja is now known as harlowja_away
[06:09] <gyee> CLI needs to think abstract
[06:10] <gyee> like a command may compose of subcommands
[06:10] <gyee> for every command, what are the args and their respective data types
[06:10] <gyee> that information must be discoverable from the SDK
[06:11] <gyee> we can apply the same "discoverability" principle to OCLI
[06:12] <gyee> anyway, just some brain farts :)
[06:13] <gyee> hopefully, in Juno summit, we can get a bunch of ppl in a room to agree on the framework for discoverability
[06:15] <jamielennox> depends what you mean by discoverability
[06:15] <jamielennox> if you mean discovering the URLs we talk with i think that's solved or at least standardized
[06:15] <gyee> no
[06:15] <jamielennox> if you mean creating auth then i don't know what we need to do
[06:15] <jamielennox> i'm wondering if i just force people to specify a plugin by name
[06:15] <jamielennox> like a stevedore name
[06:15] <gyee> I mean OCLI being a generic shell and discover the commands and their args from SDK
[06:16] <jamielennox> so everything has plugin_name='oauth'
[06:16] <gyee> jamielennox, https://review.openstack.org/#/c/74908/4/keystoneclient/middleware/auth_token.py
[06:16] <jamielennox> which makes it a whole lot easier for me and i don't think makes that much of a difference to the user because they will need to have different information depending on the type of auth they are trying to set up
[06:17] <gyee> I think admin_token_expiry is still missing
[06:17] <jamielennox> gyee: do we still need it?
[06:17] <jamielennox> it's a refresh thing
[06:17] <jamielennox> when do i need to get a new admin token
[06:17] <gyee> jamielennox, yes, it determines when to refresh
[06:17] <jamielennox> :682
[06:18] <jamielennox> so if that is managed by an auth plugin why do i want it in the middleware?
[06:19] <gyee> unless token_expiry is configurable in password auth plugin as well
[06:20] <jamielennox> what?
[06:20] <jamielennox> where would expiry be configurable from?
[06:21] <jamielennox> that's something that you get given an expiry when you get a token
[06:21] <gyee> line 694
[06:22] <gyee> though I am not sure how useful is admin_token_expiry
[06:22] <gyee> its basically a delta to determine how soon you need to refresh
[06:24] <jamielennox> gyee: it's set on line 699
[06:25] <gyee> oh
[06:25] <gyee> we're good then
[06:26] <jamielennox> yea, i didn't think it was something configurable
[06:27] <jamielennox> good catch on the token auth method
[06:27] <jamielennox> no idea how i missed that (or why the tests missed that)
[06:28] <gyee> +2ed
[06:28] <gyee> jamielennox, time for another keystoneclient release
[06:29] <jamielennox> heh, i want to get a few more things in first
[06:29] <gyee> the session and auth plugins are very much needed
[06:29] <jamielennox> feel free to go crazy on client reviews
[06:29] <jamielennox> i need to chat with dolphm, his review said to use 'interface' rather than 'endpoint_type'
[06:29] <jamielennox> endpoint_type is used a lot across the client already
[06:30] <jamielennox> gyee: easy one; https://review.openstack.org/#/c/78409/
[06:30] <gyee> jamielennox, I am fine with either name, I am not picky on names :)
[06:31] <gyee> I care what's under the hood :)
[06:31] <jamielennox> i'll talk to him after tomorrows meeting cause that one i want to push through before i get to other clients
[06:32] <gyee> jamielennox, something I've learned over time, if by changing a name earn you a +2, don't even bother to argue :)
[06:32] <jamielennox> yea
[06:32] <jamielennox> i don't care that much either
[06:34] <gyee> the key to happiness in OpenStack is to know the point of diminishing return
[06:38] <jamielennox> gyee: so you're defining happiness there as anything where you keep your sanity
[06:38] <jamielennox> (not disagreeing)
[06:38] <gyee> pretty much :D
[06:43] *** gyee has quit IRC
[06:47] *** henrynash has joined #openstack-keystone
[07:01] *** henrynash has quit IRC
[07:11] *** jaosorior has joined #openstack-keystone
[07:24] *** YorikSar has quit IRC
[07:43] *** bvandenh has joined #openstack-keystone
[07:44] *** jamielennox is now known as jamielennox|away
[08:04] *** YorikSar has joined #openstack-keystone
[08:05] *** marekd|away is now known as marekd
[08:20] *** marcoemorais has joined #openstack-keystone
[08:20] <openstackgerrit> A change was merged to openstack/identity-api: Rename Openstack to OpenStack https://review.openstack.org/73179
[08:24] *** marcoemorais has quit IRC
[08:27] *** morganfainberg is now known as morganfainberg_Z
[08:28] *** florentflament has joined #openstack-keystone
[08:35] *** leseb has joined #openstack-keystone
[08:45] *** henrynash has joined #openstack-keystone
[08:48] *** andreaf has joined #openstack-keystone
[08:50] *** petertoft has joined #openstack-keystone
[08:51] <openstackgerrit> A change was merged to openstack/python-keystoneclient: Fix state modifying catalog tests https://review.openstack.org/78409
[09:18] *** henrynash has quit IRC
[09:20] *** zoresvit has joined #openstack-keystone
[09:21] *** marcoemorais has joined #openstack-keystone
[09:25] *** marcoemorais has quit IRC
[09:36] <openstackgerrit> Marek Denis proposed a change to openstack/keystone: Validate groups presence for federated authn https://review.openstack.org/79284
[09:59] *** bvandenh has quit IRC
[10:05] *** saju_m has joined #openstack-keystone
[10:18] *** saju_m has quit IRC
[10:20] *** leseb has quit IRC
[10:20] *** marcoemorais has joined #openstack-keystone
[10:20] *** leseb has joined #openstack-keystone
[10:24] *** leseb has quit IRC
[10:24] *** marcoemorais has quit IRC
[10:31] *** saju_m has joined #openstack-keystone
[10:35] *** andreaf has quit IRC
[10:39] <zoresvit> While working with Identity API v3 (OpenStack Havana) I've found that policy.v3cloudsample.json causes tempest to fail all Identity API v3 tests. Anyone know how to fix that?
[10:51] *** leseb has joined #openstack-keystone
[10:54] *** saju_m has quit IRC
[11:20] <openstackgerrit> Ilya Pekelny proposed a change to openstack/keystone: Uses explicit imports for _ https://review.openstack.org/58766
[11:21] *** marcoemorais has joined #openstack-keystone
[11:25] *** marcoemorais has quit IRC
[11:35] *** andreaf has joined #openstack-keystone
[11:49] *** leseb has quit IRC
[11:50] *** leseb has joined #openstack-keystone
[11:51] <openstackgerrit> A change was merged to openstack/keystone: Call an existing method in sync cache for revoke events https://review.openstack.org/79174
[11:51] <openstackgerrit> A change was merged to openstack/keystone: Remove unnecessary calls to self.config() https://review.openstack.org/79226
[11:53] *** leseb has quit IRC
[11:59] <openstackgerrit> A change was merged to openstack/keystone: Import order is fixed https://review.openstack.org/77106
[12:01] *** henrynash has joined #openstack-keystone
[12:09] *** bvandenh has joined #openstack-keystone
[12:09] *** bvandenh has quit IRC
[12:09] *** bvandenh has joined #openstack-keystone
[12:12] *** dims_ has quit IRC
[12:14] *** dims_ has joined #openstack-keystone
[12:21] *** ayoung has quit IRC
[12:21] *** david-lyle has quit IRC
[12:22] *** marcoemorais has joined #openstack-keystone
[12:26] *** marcoemorais has quit IRC
[12:29] *** wchrisj has joined #openstack-keystone
[12:29] *** wchrisj has quit IRC
[12:40] *** henrynash has quit IRC
[12:40] *** raildo has joined #openstack-keystone
[12:41] *** henrynash has joined #openstack-keystone
[12:42] *** browne has joined #openstack-keystone
[12:44] <dstanek> zoresvit: using that instead of what tempest normally uses causes the test to fail?
[12:50] *** leseb has joined #openstack-keystone
[12:52] *** leseb has quit IRC
[12:53] *** leseb has joined #openstack-keystone
[12:54] *** leseb has quit IRC
[12:54] *** leseb has joined #openstack-keystone
[12:58] *** leseb has quit IRC
[13:00] *** leseb has joined #openstack-keystone
[13:04] *** stevemar has joined #openstack-keystone
[13:06] *** bvandenh has quit IRC
[13:18] *** lbragstad has quit IRC
[13:22] *** marcoemorais has joined #openstack-keystone
[13:27] *** marcoemorais has quit IRC
[13:28] *** wchrisj has joined #openstack-keystone
[13:39] *** marekd has quit IRC
[13:40] *** henrynash has quit IRC
[13:44] *** henrynash has joined #openstack-keystone
[13:44] *** marekd has joined #openstack-keystone
[13:44] *** lbragstad has joined #openstack-keystone
[13:45] <raildo> stevemar: I was interested in contributing to the federation and would like to know how I can do this, is there any functionality that can help, or test, or extend to the client
raildostevemar: Could you help me or you know who should I contact?13:46
stevemarraildo, that sounds awesome!13:46
stevemarraildo, myself, marekd or dolphm are good points of contact13:46
marekdraildo: hi raildo.13:47
marekdstevemar: o/13:47
raildomarekd: \o13:47
stevemarraildo, we need folks who can actually test out the federation code in a live environment13:47
stevemarraildo, and we have 0 client support right now13:47
marekdstevemar: mhu is also interested in federation.13:47
marekdstevemar: talked to him yesterday13:47
stevemarnice13:48
raildoI wanted to find a way to start, so I understand how the federation works13:48
marekdraildo: federation in general or Keystone federation?13:48
raildokeystone federation13:48
*** nkinder has quit IRC13:48
marekdraildo: anything particular you don't understand or you know literally nothing?13:50
raildostevemar: marekd I became interested in SAML13:50
marekdraildo: ok, so i assume how it works in a 'normal' world.13:51
marekdraildo: it will be working in a Keystone in a pretty much similar way, but in our case this 'protected' resource will be just an OpenStack token...13:52
marekdraildo: are you familiar with terms like Service Provider (SP) and Identity Provider (IdP) ?13:53
marekdraildo: I guess you are.13:53
raildomarekd: yes13:53
marekdraildo: great!13:53
raildomarekd: I can understand how the overall operation of the Federation in Keystone13:54
raildomarekd: but do not know details or how it was implemented.13:55
raildomarekd: and this is what I want to learn more, who knows first test something, then help implement.13:55
marekdraildo: i see.13:56
marekdraildo: i can gather everything and squeeze it into a doc/e-mail if you want.13:57
marekdstevemar would be cc'd so he can correct me or add something new and important.13:57
marekdi think this could be easier rather than on IRC.13:57
marekdbut it's up to you.13:57
raildomarekd: sounds good to me13:58
marekdpm me your e-mail, please?13:58
raildomarekd: https://launchpad.net/~raildo13:58
marekdraildo: thanks.13:59
marekdi am about to start writing now.14:00
raildomarekd: thanks for the help.14:00
marekdraildo: no problem!14:00
*** richm has joined #openstack-keystone14:00
marekdstevemar: BTW, did you have any chance to take a look at my comments for https://review.openstack.org/#/c/79284/14:01
raildomarekd: You will be in Summit? if you have any discussion of federation there, wanted to participate, I'll be there.14:01
marekdraildo: yes, i am planning to be at the Summit.14:01
raildomarekd: great!14:02
*** tellesnobrega has joined #openstack-keystone14:03
dstanekmarekd, stevemar: whatever you guys come up with to explain the federation design should end up in doc14:04
marekddstanek: ++14:04
stevemardstanek, yep, it's mostly a brief one-liner, then copy/paste the request in v3 api :P14:05
stevemardstanek, except, i outline the order14:05
marekddstanek: have never done this - any guideline for that or you are talking about 'some doc', loose format?14:05
dstanekstevemar: ah, i was hoping for more of a design/implementation doc14:06
dstanekmarekd: i think anything now would be fine14:06
dstanekmarekd: just outlining all the pieces like mapping, etc. and pointing to where they are implemented14:06
marekddstanek: ok, i am starting producing something now, as I got two requests for arch/impl description since yesterday.14:07
dstanekalso how it plays (if at all) with password auth, oauth and other services14:07
dstanekmarekd: let me know as you start working on it and i can help with structure and add newb comments14:07
marekddstanek: this is what i was asking for - shall i produce .rst file or Google Doc (good to share, teamwork) is fine at the moment?14:08
*** gokrokve has joined #openstack-keystone14:09
dstanekmarekd: what ever is easier for you - i think eventually it should end up in the doc directory of the keystone tree14:09
marekddstanek: +14:12
marekdraildo: mhu: OK, let's change our plans :-) Instead of looping internal e-mail I am now starting to make a description of Federated Keystone. I will share it with you guys asap. Does it work for you? :-)14:14
*** henrynash has quit IRC14:15
stevemardstanek, sounds like you have something specific in mind?14:18
dstanekstevemar: no not really. i just like design docs because they help understand a system because they should not only tell you what, but a little about the why14:21
dstanekstevemar: and also higher level view of how the pieces are used and fit together14:21
raildomarekd: sounds good to me14:22
marekdraildo: great!14:22
mhumarekd, works for me too14:23
*** marcoemorais has joined #openstack-keystone14:23
*** ayoung has joined #openstack-keystone14:24
*** nkinder has joined #openstack-keystone14:26
*** david-lyle has joined #openstack-keystone14:26
*** marcoemorais has quit IRC14:28
*** huats_ is now known as huats14:30
*** henrynash has joined #openstack-keystone14:34
*** wchrisj has quit IRC14:38
*** florentflament has quit IRC14:40
*** bvandenh has joined #openstack-keystone14:43
*** devlaps has joined #openstack-keystone14:46
dolphmreviews plz! (thanks marekd!) https://review.openstack.org/#/c/79284/14:51
dstanekdolphm: what do you think about my comment on that review? i don't think we need a new identity function to list groups14:54
dolphmdstanek: looking...14:55
*** thedodd has joined #openstack-keystone14:56
*** ayoung has quit IRC15:01
dolphmdstanek: marekd: i agree with marekd's approach for doing the validation as early as possible, but i'm also hesitant to introduce anything new in the driver just for this... it seems like a manager method that does the heavy lifting utilizing get_group() would be the simplest solution?15:02
dstanekdolphm: why not expand on hints?15:02
dolphmdstanek: but calling list_groups once is much more attractive, and if hints works, then bonus points!15:02
*** wchrisj has joined #openstack-keystone15:02
dstanekdolphm: i don't see why it wouldn't, but then again i've obviously not implemented that yet15:03
dolphmonly downside i can think of is that list_groups() isn't cacheable at the moment15:03
dolphmdstanek: would you be opposed to using list_groups() without hints for icehouse?15:04
bknudsonis get_group cacheable?15:04
dolphmbknudson: cacheable, yes. cached? not sure...15:04
dolphmbknudson: does not appear to be cached15:05
bknudsoncould the check_groups_presence be simulated by calling get_group in a loop?15:06
dolphmbknudson: yes15:06
bknudsonfor each of the groups?15:06
bknudsonhere's get_group: def get_group(self, group_id, domain_scope=None)15:07
bknudsonseems like check_groups_presence would need the domain_scope (whatever that is)15:07
marekddolphm: iterative try: get_group(gid) except NotFound is probably the easiest, but wasn't it you who commented on a similar approach and made me switch into SELECT * FROM X WHERE x IN something ?15:10
dstanekdolphm: no, i wouldn't be opposed to it, but it may be wildly inefficient15:11
dstanekcaching on get_group should make it less inefficient15:12
*** ayoung has joined #openstack-keystone15:16
ayoungdolphm, I think that we are doing SAML backwards15:17
ayoungthere should be "no" identity backend for SAML15:17
marekdayoung: this is not something explicit for SAML....15:18
ayoungmarekd, that is not what the review says15:18
ayoung" federated authn"  with SAML being the only method15:18
ayoungmarekd, why would we want to have any identity store persisted in Keystone for a SAML authentication?15:19
ayoungmarekd, ignoring the fact that you don't need a driver change to implement a check for group presence15:19
marekdayoung because eventually saml2 transforms into groups and roles..?15:20
ayoungmarekd, no15:20
ayoungSAML2 transforms into groups via the mapping15:20
ayoungthe roles are presisted15:20
ayoungpersisted15:20
ayoungmarekd, we don't want "shadow" data in Keystone15:20
ayoungwe've been having this discussion about users and groups from the IdPs since inception15:20
ayoungits a nightmare.  You end up with data sync problems, and it is not the right approach15:21
ayoungit is the reason we have an LDAP provider instead of caching LDAP data in the sql backend15:21
ayoungand it is the reason we are still discussing the Unique identifiers for users to support multiple IdPs (including LDAP) from issuing them15:21
ayoungsorry, the grammar on that last line was convoluted15:22
marekdayoung: i am not trying to store any extra users in the backend...15:22
ayoungmarekd, yes, but Groups have the same issue15:22
ayoungmarekd, what you are saying implicitly is that each SAML provider is going to have a keystone persistence store15:23
ayoungthat is not true, and not how we should be thinking about SAML or federation15:23
ayounginstead, think of it as a query for the identity backend that is "pushed" to Keystone15:24
marekdayoung: i am.15:24
*** marcoemorais has joined #openstack-keystone15:24
marekdayoung: and i am aware that this 'cached query' will disappear shortly after....15:24
ayoungmarekd, then there should be no link between Federation and the SQL or LDAP identity backends15:24
ayoungOK,  so this is just a temporary fix?15:24
marekdayoung: as temporary as mapping->groups exist...15:25
ayoungmarekd, then no15:25
marekdayoung: ok, so what do you suggest?15:25
ayoungmapping->groups should not require a persistence of groups15:25
marekdleave as it is ?15:25
ayoungcreating the mapping implicitly creates the group15:25
ayoungabsolutely15:26
ayoungmarekd, if you really want to do something short term15:26
marekdayoung: i dont15:26
marekdbut go ahead.15:26
ayoungdon't change the backends, and iterate through the list of groups from the SAML controller15:26
ayoungwe don't want to optimize that path15:27
dolphmayoung: i don't disagree with the notion at all (i'd rather not involve keystone at all in a federated authentication), but we agreed this was the shortest path to federation while utilizing as much existing code as possible15:27
ayoungdolphm, so for a shortcut, just modify the SAML controller15:28
ayoungit will generate more SQL traffic, but so what15:28
*** marcoemorais has quit IRC15:28
dolphmayoung: maybe in a few releases we'll have keystoneclient.middleware.federated_auth and you'll be able to pass saml docs to all services and be done :)15:28
dolphmand do ABAC :)15:28
ayoungdolphm, nah, we'll still have to stick our fingers in to make it work.  We are the puppet masters....15:29
marekddolphm: what's ABAC?15:29
*** daneyon has joined #openstack-keystone15:29
dolphmmarekd: doing authorization directly based on the SAML assertions, rather than fussing with roles15:29
dolphmattribute based access control15:29
marekddolphm: ok15:29
dolphmvs RBAC (role-based)15:29
ayoungdolphm, I think it means that we use the mapping layer to generate the policy.json15:30
dolphmayoung: that implies that keystone is aware of all capabilities of all services, which i disagree with15:30
ayoungdolphm, actually, it means that Keystone is a compile time utility, and not run time.  So while you use Keystone to generate Policy.json, it is done offline and then uploaded15:31
*** Yash has quit IRC15:31
* ayoung snickers uncontrollable15:32
ayoungy15:32
*** gokrokve has quit IRC15:33
*** gokrokve has joined #openstack-keystone15:33
dolphmayoung: i don't think your -1 on marekd's review is reasonable for icehouse; longer term, sure15:34
ayoungdolphm, so...  multiple endpoints for the same service (say multiple glance servers) would they all have the same ABAC policy, or would each have its own?  Would it make sense, in your vision, to centralize the distribution of the ABAC policy rules (however they are done?)15:36
dolphmayoung: none of that matters to me15:36
dolphmayoung: it'd be up to them where they got their policy, just like it is today15:36
*** gokrokve has quit IRC15:37
ayoungdolphm, and when a new SAML provider gets registered, with a new set of attributes, how would we map that to the endpoints view of things?  We can't just punt on that15:37
*** harlowja_away is now known as harlowja15:38
dolphmayoung: i think that would have to be centralized, as much as token revocation events are (for example)15:38
dolphmayoung: unless you wanted different services to carry different degrees of trust or something, but maybe multiple keystone deploys would be the solution there?15:39
ayoungdolphm, and normalized.  Roles are the normalization of that today.  and the layering on of additional authorization data, local to openstack, but not specific to the endpoints15:39
ayounginteresting...15:39
dolphmayoung: with ABAC, you wouldn't normalize anything15:39
ayoungdolphm, true, you would deploy a new mapping file.  Essentially the same thing15:40
ayoungbut there is no means to layer on an additional amount of Openstack specific authorization15:41
ayoungwhich means that each service is going to roll its onw15:41
ayoungown15:41
*** harlowja has quit IRC15:43
dolphmayoung: the goal of ABAC is to not fuss with that additional layer15:43
ayoungdolphm, that additional layer is the most important part.15:46
marekddolphm: ayoung: sorry to interrupt you, but just for the icehouse...15:46
ayoungdolphm, what I have learned from this project is that you need to split authN from authZ, and that authZ needs to have a local set of rules and management.  EIther we centralize that for Openstack, or each endpoint is its own little silo.15:47
ayoungmarekd, for icehouse, modify your commit to only change the SAML controller15:47
marekdayoung: auth/plugins/saml2.py and i guess...utilize get_group() and catch NotFound exceptions, right?15:47
ayoungyep15:48
marekdok15:48
marekdchanging..15:48
*** harlowja has joined #openstack-keystone15:48
ayoungmarekd, and a notfound can short circuit your logic.15:48
dolphmayoung: oh, that's easy enough... totally not what i understood from your review15:48
ayoungany one missing group means raise a 40315:48
dolphmayoung: that's basically the same solution dstanek, bknudson and i agreed would work, we just didn't discuss where the implementation should live15:48
openstackgerritJenkins proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/7669115:49
ayoungdolphm, yeah, I was just concerned that this was something more than a short term workaround15:49
ayoungand I still am a little worried about that....15:49
openstackgerritMatthieu Huin proposed a change to openstack/keystone: Add missing documentation for enabling federation auth plugin  https://review.openstack.org/7948315:49
*** gyee has joined #openstack-keystone15:50
marekdayoung: any missing group should raise 403?15:50
marekddolphm: ^^?15:51
*** zhiyan is now known as zhiyan_15:51
ayoungmarekd, what were you going to do otherwise?15:51
marekdLOG a warning, and I think dolph suggested logging instead of 4xx.15:51
ayoungmarekd, hmmmm15:53
ayoungso you would get a reduced set of groups available, but all working mappings would then apply groups?15:53
ayoungmarekd, so, with my suggestion, we would have more failures:  anytime someone messed up a group, token requests would 4xx.  With the other, we'd have more "limited successes"15:55
ayoungIE  I requested a token, but didn't get the access I requested15:55
marekdayoung: yes.15:55
ayoungwhy bother confirming existence in the backend, then15:56
ayoungjust perform the operation and any non-real groups just get dropped15:56
ayoungthe whole thing sounds....suspect15:56
marekdif you silently ignore mistakes/misconfiguration and not even log anything I bet most people will conclude "this federation doesn't work", let's file a bug.15:57
marekdand the reason behind "doesn't work" is a rule with gruop_x as a local object, instead of group_x15:57
*** gokrokve has joined #openstack-keystone15:57
ayoungmarekd, if you don't validate the group IDS at this stage, what happens during assignment?15:59
ayoungI would assume that you would get lookups that just give you nothing15:59
marekdayoung: yes15:59
ayoungbut...that is exactly what is going to happen when there is no identity backend behind SAML.15:59
marekdayoung: RuleProcessor spits whatever it finds in the rules15:59
ayoungI think you should drop this patch15:59
marekdand it's stored in the token.15:59
marekdayoung: why?16:00
marekdayoung: but we now are somehow tied to the identity, to groups and so on....16:01
ayoungmarekd, OK...so groups should not be part of the SAML model.  They exist due to LDAP, really.  If we were writing this in a vacuum (no pre-existing Identity backend) then the mapping would be in the assignment layer, and the mapping would be from SAML attribute to role_assignment16:02
ayoungmaybe we should rewrite it that way in Juno16:02
ayoungDavid Chadwick would be thrilled16:02
ayoungIt is what he originally suggested back when groups were introduced16:03
marekdhe was suggesting something like rules per uesr.16:03
marekduser16:03
ayounghe was suggesting using the rules engine to implement groups16:03
ayoungusers and role assignments were in the same backend16:04
ayoungand when we split identity, groups went with users, but roles and assignments went into their own backend16:04
ayounggroups, though, groups can fall into two categories16:04
ayounggroups can be from the attributes from the IdP, but can also be something you want to layer on in  Keystone16:05
dolphmjamielennox|away: this is an exciting patch! https://review.openstack.org/#/c/74908/16:05
ayoungdolphm, I know!16:06
ayoungdolphm, Client is really starting to take shape16:06
marekddolphm: ayoung stevemar dstanek bknudson : ok, ayoung suggests dropping patch https://review.openstack.org/#/c/79284/. Since our federation is somehow tied to the identity I would land it and not silently pass some mistakes/misconfiguration. We could also treat it as shortterm solution, until the federation layer is rewritten (one day). drop/not drop/change and not extend identity?16:06
ayoungmarekd, if you are going to land it, have it error out completely16:07
ayounglets let people know ASAP that a mapping is bad16:07
bknudsonmarekd: I don't want to see the identity API changing at this point.16:07
stevemarmarekd, i don't think he said drop it16:07
stevemarjust don't change identity16:07
ayoungbknudson, I think he means land it with the changes confined to the SAML controller16:07
marekdstevemar: 15:59 < ayoung> I think you should drop this patch16:07
stevemar:O16:08
bknudsonayoung: marekd: confining the changes to the SAML controller makes sense.16:08
ayoungstevemar, read up16:08
stevemarcatching up16:08
ayoungbknudson, SAML really should not be talking to ANY identity backend, but if we have that limitation today, we should error out on any mapping mistake16:08
ayoungbut...I am not certain that we do16:08
bknudsonayoung: I prefer an error out to a warning message.16:09
ayoungbknudson, ++16:09
marekdbknudson: ayoung: error then!16:09
marekdbknudson: ayoung and just saml2 controller changes.16:09
ayoungmarekd, that might be one of the few times I would say a code generated 5xx error might make sense16:10
*** nkinder_ has joined #openstack-keystone16:10
bknudsonmarekd: if we feel the need to optimize because there's a lot of groups or something then let's consider that for a future patch.16:10
ayoungI should say "an explicit raise of a 5xx"16:10
marekdbknudson: possible optimization for a future patch?16:10
ayoungbknudson, so, I'd like instead to consider a future patch where mapping bypasses Identity completely and goes right to the role assignments16:11
bknudsonayoung: so if there's no roles assigned to the group it would fail?16:11
ayoungbknudson, there would be no "groups"16:11
ayoungyou get a set of attributes in the SAML document16:11
marekdayoung: from the user perspective he would be upload rules with role ids instead of group ids like today?16:12
ayoungthe mapping is processed in the assignment stage:  mapping attr1=x + attr2=y  to  user gets role=r on project=p16:12
ayoungmarekd, yeah16:12
*** bvandenh has quit IRC16:13
ayoungmarekd, I think that groups might be an abstraction we add to the mapping API.16:13
ayoungthink of it as an intermediate step16:13
*** nkinder has quit IRC16:13
dolphmayoung: i'm not opposed to a 401, but my thinking was that it was the deployers fault, so just log the condition and don't punish the user16:13
ayoungso attr->group  group->role and then we could have a step in the mapping which is groups =[g1, g2, g3]16:13
marekdlooks like almost-0 change in RuleProcessor and lots of groups->roles transformation.16:13
ayoungdolphm, let the users punish the deployer16:13
marekdayoung: ^^16:14
ayoungmarekd, I think it might make sense if we add the ability to explicitly enumerate the groups in the rules processor.16:14
bknudsondolphm: you must be a deployer16:14
ayoung:)16:15
dolphmbknudson: why? lol16:15
marekdayoung: enumerate groups?16:15
bknudsondolphm: you don't want users complaining to you16:15
ayoungmarekd, yeah....as part of the rules, have a single list which is the set of expected groups16:15
ayoungor...16:15
dolphmbknudson: with the PTL hat, deployers are my users :P16:15
ayounga tree, and make group membership be hierarchical16:16
ayoungthat is probably the right solution.  We can discuss at the summit16:16
zoresvitdstanek: yeah, tempest Identity API v3 tests fail with policy.v3cloudsample.json causing 403 Forbidden error...16:16
marekdayoung: but we already have a list of expected groups?16:16
ayoungmarekd, no we don't16:16
ayoungthere is no identity backend16:16
marekdayoung: or we are now talking about something different...16:16
ayoungmarekd, when I get a SAML doc, it will be from a remote IdP16:17
*** wchrisj has quit IRC16:17
*** henrynash has quit IRC16:17
*** wchrisj has joined #openstack-keystone16:17
bknudsonit would be great if we could deprecate the identity backend.16:17
ayoungbknudson, split it into its own service16:17
ayoungthe identity program should have two services:  Keystone-idp and keystone-rbac16:18
bknudsonayoung: that supports saml? or a middleware that generates attributes to map?16:18
ayoungor something16:18
*** henrynash has joined #openstack-keystone16:18
ayoungbknudson, sure.  SAML16:18
ayoungbknudson, we here at redhat are working on something comparable for LDAP.  The ability to set up a SAML gateway as a simple extension to an existing LDAP infrastructure16:19
ayoungso it would be SAML produced from Keystone16:21
*** leseb has quit IRC16:26
*** leseb has joined #openstack-keystone16:26
stevemarreminder that the keystone meeting is an hour later than usual today (for those in daylight savings locations)16:28
*** zigo has joined #openstack-keystone16:29
*** leseb has quit IRC16:30
*** vhoward has joined #openstack-keystone16:31
*** ayoung is now known as ayoung-lunch16:33
*** gordc has joined #openstack-keystone16:36
*** gordc has left #openstack-keystone16:36
marekdayoung-lunch: how about raising GroupNotFound (which is 404) in case the group we are testing is actually missing?16:41
marekdayoung-lunch: cause you suggested raising http 40316:41
marekdGroupNotFound would be 404 and still a reasonable error16:42
lbragstadstevemar: I was wondering why there wasn't any rally chatter in -meeting16:52
*** leseb has joined #openstack-keystone16:54
*** marcoemorais has joined #openstack-keystone16:58
*** henrynash has quit IRC17:00
*** ayoung-lunch is now known as ayoung17:00
*** jaosorior has quit IRC17:00
ayoungmarekd, is that IAW the Identity spec?17:00
marekdayoung: IAW?17:01
*** david-lyle has quit IRC17:01
ayoungmarekd, POST tokens doesn't return a 404 does it?17:01
ayoungmarekd, https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-failures17:02
marekdayoung: good point!17:02
ayoungmarekd, 401 NotAuthorized with additional data seems to be expected, but it really wouldn't work17:02
ayoungunless you could request a SAML document without the attribute triggering the group lookup17:03
marekdayoung: so http 403 Forbidden with data about missing group?17:03
ayoung50017:03
ayoungits a config error17:03
marekdhmmm, I have always thought of 500s as bugs in the server code...something went terribly wrong and it's devs' fault.17:04
*** leseb has quit IRC17:04
ayoungmarekd, a bad mapping might fall into that category.17:04
marekdayoung: ok17:05
marekdayoung: well, not ok,  but i will raise 50017:05
ayoungmarekd, Fail FasT!17:05
marekd:-)17:05
stevemarlbragstad, yep, more time for lunch now :)17:06
marekdstevemar: is the meeting hour shiften only today ?17:07
marekdshifted*17:07
lbragstadnope, until daylight savings time happens again17:08
lbragstad:) dst threw me off last time too17:08
stevemarmarekd, it's at 1800 UTC, but us/can do day light savings, so it's shifted for us17:08
marekdLOL :D so it's still 18:00 UTC17:09
marekdi thought we are all shifting, not because of dst but some other reasons...17:09
marekdso effectively the meeting would start at 19:00UTC.17:10
lbragstadmarekd:  you had something up for review didn't you?17:11
lbragstadhttps://review.openstack.org/#/c/79284/17:12
marekdlbragstad: https://review.openstack.org/#/c/79284/ but17:12
marekdyou can hold off, as we just had discussion and i will throw away few things..17:12
marekdso no need to waste your time now.17:12
lbragstadmarekd: alright, I add myself, so I'll catch the next patch set17:13
lbragstadadded*17:14
marekdlbragstad: thanks!17:14
lbragstadnp17:15
*** henrynash has joined #openstack-keystone17:19
*** henrynash has quit IRC17:25
openstackgerritJenkins proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/7669117:30
ayoung> drop table "group";17:32
ayoungERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"group"' at line 117:32
ayounghow do I do that by hand?17:32
ayoungah17:33
ayoungdrop table `group`;17:33
bknudsonI wish jenkins would slow down with the requirements update. it'll never get merged.17:33
openstackgerritJenkins proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/7969517:36
ayoungbknudson, now it is posting them just to spite you17:38
*** rupsky has joined #openstack-keystone17:38
dolphmlbragstad: you have two LP accounts... lbragstad (gmail) and ldbragst (ibm)... which do you use?17:39
dolphmlbragstad: and can you dump the other? :)17:39
dolphmlbragstad: you can associate multiple email addresses with one account17:39
lbragstaddolphm: I use both. Yeah, i can associate them17:40
dolphmlbragstad: why both?17:40
ayoungdolphm, because he uses the gmail one to undermine the things he is forced to  commit with the other17:40
lbragstad:)17:41
*** rupsky has quit IRC17:41
*** rupsky has joined #openstack-keystone17:41
lbragstaddolphm: merged them (ldbragst, lbragstad)17:45
*** petertoft has quit IRC17:46
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add missing documentation for enabling oauth1 auth plugin  https://review.openstack.org/7970817:47
bknudsonstevemar: on a related note -- did you see this? https://review.openstack.org/#/c/79213/17:48
stevemarbknudson, nope, just looking at it now17:48
bknudsonstevemar: check out the test failure.17:48
stevemarbknudson, i recall that we spoke about it last week17:48
*** rupsky has quit IRC17:49
stevemarbknudson, interesting, so in this case, it fails to upgrade from h->master right?17:52
dstanekstevemar: the review you just posted about oauth1 docs looks familiar. did you propose something similar already?17:52
stevemardstanek, mhu posted one for saml, i copied most of the same text17:52
bknudsonstevemar: http://logs.openstack.org/13/79213/1/check/check-grenade-dsvm/e5bef9e/logs/new/screen-key.txt.gz17:52
dstanekstevemar: ah, ok. that must be it17:52
bknudsonstevemar: so, yes, it was the master keystone that failed to start.17:53
bknudsonstevemar: auth.methods                   = ['external', 'password', 'token', 'oauth1']17:53
*** rupsky has joined #openstack-keystone17:53
*** henrynash has joined #openstack-keystone17:53
stevemarbknudson, because of: https://github.com/openstack/keystone/blob/stable/havana/etc/keystone.conf.sample#L42417:54
bknudsonstevemar: right... grenade must try to use the same config file?17:55
dstanekrunning the tests in isolation will really test your patience17:55
stevemarbknudson, likely, why wouldn't it17:55
bknudsonstevemar: oauth1 auth isn't going to work if oauth isn't in the pipeline, right?17:55
bknudsonstevemar: or is it supposed to work?17:56
stevemarbknudson, correct17:56
*** david-lyle has joined #openstack-keystone17:56
dolphmlbragstad: thanks!17:56
lbragstaddolphm: thank you for the heads up17:57
stevemarbknudson, i guess it could work, if you had it in the pipeline, then created an access token, then removed it from the pipeline, and only added it as an auth method17:57
openstackgerritRichard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values  https://review.openstack.org/7600217:58
bknudsonstevemar: if that's the case then the oauth auth plugin should be creating the manager.17:58
bknudsonnot the router.17:58
stevemarbknudson, the oauth plugin would still need to talk to the oauth api17:58
*** amcrn has quit IRC18:00
*** jamielennox|away is now known as jamielennox18:06
*** raildo has quit IRC18:06
*** raildo has joined #openstack-keystone18:07
*** zoresvit1 has joined #openstack-keystone18:10
*** andreaf has quit IRC18:17
*** vhoward has left #openstack-keystone18:29
openstackgerritMarek Denis proposed a change to openstack/keystone: Validate groups presence for federated authn  https://review.openstack.org/7928418:30
marekddolphm ayoung bknudson stevemar dstanek lbragstad: ^^18:32
stevemarcool18:32
lbragstadmarekd: thanks!18:32
ayoungmarekd, I'm seriously having second thoughts about that18:32
marekdayoung: you mean?18:32
ayoungI think it might break how people actually want to use DAML18:32
ayoungSAML18:32
*** arborism has joined #openstack-keystone18:33
marekd?18:33
ayoungif I have an external Identity provider, I don't want to have any data in the identity backend at all18:33
ayoungI know right now we force a user lookup18:33
marekdbut you already have....groups...18:33
ayoungbut that is dumb, and should be treated as a bug18:33
ayoungthere should be no Identity look up at all18:33
ayoungI think that is going to make SAML unusable18:33
marekdand it's not a 10 lines fix....18:33
ayoungdon't take my word on it18:33
ayoungI'll not hold it up, but I have misgivings18:34
marekdayoung: i completely understand your point!18:34
ayoungI think it is headed the wrong direction18:34
ayoungso...go gather some data18:34
*** arborism is now known as amcrn18:34
dstanekayoung: i thought the whole idea was to map SAML stuff into Keystone groups18:34
marekddstanek: it was18:35
ayoungmarekd, dstanek can we add this to the keystone meeting in progress?18:35
marekdayoung: sure.18:35
marekdayoung: so now you basically feel that the 'federation layer' should never touch any identity/assignments etc.?18:36
marekdayoung: well...at most map directly to the roles.18:36
ayoungmarekd, identity.  It should absolutely touch assignments18:36
marekdayoung: hmmmm, you can always think of it in a way that a typical user will be much more familiar and comfortable with a group rather than a role...18:38
marekdayoung: plus, you now have the ability to map into groups, that can be tied with many roles, am i right? so instead of making many rules, you can create one group, assign many roles, and upload one rule.18:39
marekdwhich is IMHO also a nice feature.18:40
ayoungmarekd, in #openstack-meeting, please18:40
marekdroger!18:40
*** lbragstad is now known as lbragstad__18:43
*** devlaps1 has joined #openstack-keystone18:48
*** devlaps has quit IRC18:48
openstackgerritDavid Stanek proposed a change to openstack/keystone: Cleanup backends after each test  https://review.openstack.org/7972618:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Cleanup of instance attrs in core tests  https://review.openstack.org/7972718:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Cleans up test data from limit tests  https://review.openstack.org/7972818:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Cleanup fixture data added to test instances  https://review.openstack.org/7972918:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Cleanup keystoneclient tests  https://review.openstack.org/7973018:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Start using to oslotest  https://review.openstack.org/7906818:51
openstackgerritDavid Stanek proposed a change to openstack/keystone: Allows override of stdout/stderr/log capturing  https://review.openstack.org/7906918:51
marekdayoung: dstanek dolphm bknudson stevemar lbragstad__: so please take a look at https://review.openstack.org/#/c/79284/ again :-)18:58
*** marekd is now known as marekd|away18:58
*** marekd|away has quit IRC19:00
*** gyee has quit IRC19:04
*** harlowja has quit IRC19:04
*** gyee has joined #openstack-keystone19:05
*** harlowja has joined #openstack-keystone19:08
*** petertoft has joined #openstack-keystone19:11
*** ugrans has joined #openstack-keystone19:16
*** gyee has quit IRC19:16
*** lbragstad__ has quit IRC19:18
dstaneki couldn't get any overall numbers because i haven't been able to run all the tests for a while due to memory issues19:20
dstanekbut locally the backend_tests would consume about 681mb - after applying my testing patches that becomes 128mb19:20
*** ugrans has quit IRC19:24
ayoungdstanek, any time improvements on that?19:24
dstanekprobably some small improvements, but i was just trying to be able to run the tests again19:25
dstaneknext goal is to get all the tests to run in 120 seconds or less!19:25
*** lbragstad has joined #openstack-keystone19:25
dstanek:-) but i don't think that's actually possible19:26
*** daneyon has quit IRC19:30
*** amcrn has quit IRC19:38
*** amcrn has joined #openstack-keystone19:40
ayoungdstanek, I think if tests setup their own sample data instead of expecting all of the fixture data, it will speed things up a lot19:41
ayoungwe've made some movement that way19:42
*** tohins has joined #openstack-keystone19:43
*** tohins has quit IRC19:46
*** morganfainberg_Z is now known as morganfainberg19:48
morganfainbergbleh missed the meeting today :(19:48
ayoungmorganfainberg, it was basically "if it's not a bug it's a feature, and delayed until Juno"19:49
* morganfainberg is still recovering from a 9pm-4:30am maintenance last week19:50
* morganfainberg doesn't seem able to do that kind of stuff w/o having a really horked sleep schedule for 1+weeks after19:50
*** petertoft has quit IRC19:54
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Use AccessInfo in auth_token middleware  https://review.openstack.org/7495619:56
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Add 'methods' to all v3 test tokens  https://review.openstack.org/7495519:56
*** leseb has joined #openstack-keystone19:56
*** petertoft has joined #openstack-keystone19:59
dstanekmorganfainberg: i pushed a bunch of testing stuff a little while ago20:02
morganfainbergdstanek, i saw.20:03
morganfainberglet's get this one in as well20:04
morganfainberghttps://review.openstack.org/#/c/79217/320:04
morganfainbergdstanek, i think we can get tests much happier with your work20:05
dstanekmorganfainberg: i still have a bunch of local cleanup stuff that needs pushing20:05
dstanekran into some trouble because i want to make sure the tests run in isolation20:06
morganfainbergyeah20:06
morganfainbergwe've been less than stellar about isolation20:06
dstaneki'll probably have another 3 or 4 commits related to speeding things up and lowering the memory footprint by tomorrow20:07
morganfainbergcool20:07
morganfainbergi hate the test restructure patches, they are a lot of work to land :(20:08
morganfainbergsuper useful but hard to get in because things are moving so much20:08
morganfainbergrebase hell20:08
dstanekmorganfainberg: yeah, we just have to move faster ;)20:08
morganfainbergnot sure about your feelings on this, but i think this is useful to have https://review.openstack.org/#/c/79422/20:09
morganfainbergprobably should also add --slowest to run_tests20:09
morganfainbergi'm looking at your test ones now20:09
dstanekmorganfainberg: stevemar had a good comment on my limits patch; i need to investigate, but i can probably start deleting some code20:10
dstanekbbiab20:12
morganfainbergalso20:12
*** dstanek is now known as dstanek_afk20:12
dstanek_afkmorganfainberg: ?20:12
morganfainbergi noticed when i ran the tests ayoung's revoke tests were far and away the slowest.20:12
morganfainbergnot sure what is significantly different there20:12
morganfainbergdstanek_afk, catch up w/ test stuff when you get back20:12
dstanek_afki noticed the same thing earlier today20:13
jamielennoxmorganfainberg: can you bring back: v20:14
jamielennoxhttps://review.openstack.org/#/c/73074/20:14
morganfainbergjamielennox, oh we need to make it stackforge though, right?20:15
jamielennoxmorganfainberg: yea - i can make the change and propose it as new if you don't want it20:15
morganfainbergjamielennox, i don't really care one way or another. if you want me to bring that patchset back i can20:16
jamielennoxyea, please20:16
morganfainbergelse feel free to just steal it and make it stackforge20:16
morganfainbergrestored20:16
morganfainbergdo you want to make the needed changes to make it stackforge?20:17
jamielennoxsure20:17
morganfainbergi can look at doing that later today/tomorrow20:17
morganfainbergbut if you want it sooner, please go for it20:17
*** gyee has joined #openstack-keystone20:18
*** andreaf has joined #openstack-keystone20:20
*** andreaf has quit IRC20:21
*** rupsky has quit IRC20:27
*** mereda has joined #openstack-keystone20:30
*** rupsky has joined #openstack-keystone20:30
*** mereda has quit IRC20:42
*** inquizitor has joined #openstack-keystone20:43
*** inquizitor has quit IRC20:47
*** amcrn has quit IRC20:51
*** arborism has joined #openstack-keystone20:53
*** raildo has quit IRC20:58
*** marcoemorais has quit IRC21:01
*** marcoemorais has joined #openstack-keystone21:02
*** petertoft has quit IRC21:02
*** jimbaker` has joined #openstack-keystone21:15
*** zoresvit1 has quit IRC21:22
*** harlowja has quit IRC21:28
*** YorikSar has quit IRC21:28
*** mberlin1 has quit IRC21:28
*** jimbaker has quit IRC21:28
*** rwsu has quit IRC21:28
*** marcoemorais has quit IRC21:28
*** devlaps1 has quit IRC21:28
*** henrynash has quit IRC21:28
*** dims_ has quit IRC21:28
*** zhiyan_ has quit IRC21:28
*** gyee has quit IRC21:28
*** wchrisj has quit IRC21:28
*** zoresvit has quit IRC21:28
*** bknudson has quit IRC21:28
*** sudorandom has quit IRC21:28
*** haneef_ has quit IRC21:28
*** david-lyle has quit IRC21:28
*** stevemar has quit IRC21:28
*** chandan_kumar has quit IRC21:28
*** arborism has quit IRC21:28
*** nkinder_ has quit IRC21:28
*** browne has quit IRC21:28
*** pete5 has quit IRC21:28
*** jaypipes has quit IRC21:28
*** jamielennox has quit IRC21:28
*** koolhead17 has quit IRC21:28
*** lbragstad has quit IRC21:28
*** thedodd has quit IRC21:28
*** richm has quit IRC21:28
*** dstanek_afk has quit IRC21:28
*** openstackgerrit has quit IRC21:28
*** dtroyer has quit IRC21:28
*** Daviey has quit IRC21:28
*** dolphm has quit IRC21:28
*** mfisch has quit IRC21:29
*** chmouel has quit IRC21:29
*** mhu has quit IRC21:29
*** ChanServ has quit IRC21:29
*** morganfainberg has quit IRC21:29
*** anteaya has quit IRC21:29
*** luisbg has quit IRC21:29
*** zhiyan_ has joined #openstack-keystone21:38
*** chmouel has joined #openstack-keystone21:41
*** dims_ has joined #openstack-keystone21:41
*** henrynash has joined #openstack-keystone21:41
*** devlaps has joined #openstack-keystone21:41
*** marcoemorais has joined #openstack-keystone21:41
*** mfisch has joined #openstack-keystone21:41
*** mhu has joined #openstack-keystone21:41
*** dolphm has joined #openstack-keystone21:41
*** YorikSar_ has joined #openstack-keystone21:41
*** arborism has joined #openstack-keystone21:41
*** gyee has joined #openstack-keystone21:41
*** lbragstad has joined #openstack-keystone21:41
*** david-lyle has joined #openstack-keystone21:41
*** wchrisj has joined #openstack-keystone21:41
*** nkinder_ has joined #openstack-keystone21:41
*** thedodd has joined #openstack-keystone21:41
*** richm has joined #openstack-keystone21:41
*** stevemar has joined #openstack-keystone21:41
*** browne has joined #openstack-keystone21:41
*** zoresvit has joined #openstack-keystone21:41
*** bknudson has joined #openstack-keystone21:41
*** pete5 has joined #openstack-keystone21:41
*** jaypipes has joined #openstack-keystone21:41
*** chandan_kumar has joined #openstack-keystone21:41
*** dstanek_afk has joined #openstack-keystone21:41
*** openstackgerrit has joined #openstack-keystone21:41
*** haneef_ has joined #openstack-keystone21:41
*** sudorandom has joined #openstack-keystone21:41
*** jamielennox has joined #openstack-keystone21:41
*** koolhead17 has joined #openstack-keystone21:41
*** luisbg has joined #openstack-keystone21:41
*** anteaya has joined #openstack-keystone21:41
*** Daviey has joined #openstack-keystone21:41
*** dtroyer has joined #openstack-keystone21:41
*** morganfainberg has joined #openstack-keystone21:41
*** ChanServ has joined #openstack-keystone21:41
*** dickson.freenode.net sets mode: +oo dolphm ChanServ21:41
*** harlowja has joined #openstack-keystone21:45
*** petertoft has joined #openstack-keystone21:46
*** rwsu has joined #openstack-keystone21:46
*** lbragstad has quit IRC21:47
*** petertoft has quit IRC21:50
*** marekd has joined #openstack-keystone21:56
*** petertoft has joined #openstack-keystone21:59
*** jimbaker` is now known as jimbaker22:05
*** rupsky_ has joined #openstack-keystone22:13
*** leseb has quit IRC22:13
*** rupsky has quit IRC22:14
*** leseb has joined #openstack-keystone22:19
*** dims_ has quit IRC22:30
*** andreaf has joined #openstack-keystone22:31
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add slowest output to tox runs (testr)  https://review.openstack.org/7942222:37
*** openstackstatus has joined #openstack-keystone22:44
*** dims_ has joined #openstack-keystone22:45
*** wchrisj has quit IRC22:48
*** petertoft has quit IRC22:49
*** ayoung has quit IRC22:50
*** arborism is now known as amcrn22:55
morganfainbergjamielennox, it feels like people go out of their way to avoid using SQL-A22:55
jamielennoxmorganfainberg: yea, we found that before right22:56
morganfainbergjamielennox, yeah22:56
morganfainbergjamielennox, people love the "session.execute(<raw sql>)22:56
jamielennoxdolphm: you still here? re: https://review.openstack.org/#/c/60752/23:02
jamielennoxis that you saying that you want endpoint_type to be renamed to interface? the only problem with that is that i map things passed via kwargs directly to the service_catalog and the service_catalog (object) uses endpoint_type23:03
*** lbragstad has joined #openstack-keystone23:07
*** david-lyle has quit IRC23:08
jamielennoxmorganfainberg: updated: https://review.openstack.org/#/c/7307423:10
morganfainbergcool23:10
lbragstaddolphm: qq, here do you mean leave description nullable=False, like it currently is? And carry the optional description change in the catalog manager? https://bugs.launchpad.net/keystone/+bug/127245923:10
jamielennoxhave a look for me as i've no idea if i'm right or how to test it23:10
morganfainberglooking now23:10
morganfainberglooks sane to me23:11
jamielennoxthere is no barbican.conf file in the acls so i'm not sure if there is a barbican-milestone group23:11
jamielennoxor a barbican-ptl23:11
*** thedodd has quit IRC23:15
*** nkinder_ has quit IRC23:17
*** leseb has quit IRC23:21
*** andreaf has quit IRC23:21
morganfainbergyeah23:27
morganfainberginfra will poke at me/you if it's wrong23:27
morganfainbergthey're good23:27
morganfainbergyou could bug SergeyLukjanov specifically23:28
morganfainberghe knows a lot about that stuff and is super helpful23:28
morganfainbergjamielennox, also you need to set the topic to 'new-project'23:28
jamielennoxdamn, i was going to do that23:29
morganfainbergalso, projects are not alphabetical23:29
morganfainberg:P23:29
jamielennoxoh?23:29
jamielennoxeverything i saw was alphabetical23:29
jamielennoxor did i add something out of order?23:29
morganfainbergyeah look at the jenkins failures23:29
morganfainbergno idea23:29
morganfainbergjust looking at jenkins failures23:30
*** Fin1te has joined #openstack-keystone23:31
*** ayoung has joined #openstack-keystone23:34
*** rupsky_ has quit IRC23:41
morganfainberglbragstad, ping migrate stuff23:44
morganfainberglbragstad, i have an almost working version23:44
lbragstadfor rename?23:44
morganfainberglbragstad, if you want me to post a pass at it (or at least a diff to a paste)23:44
morganfainberglbragstad, and incorporating the other fixes we talked about23:44
lbragstadmorganfainberg: sure, go for it.23:44
lbragstadwhatever is easiest for you23:44
morganfainberglbragstad, e.g. not doing the migrate if the constraint doesn't exist, etc23:44
lbragstad++23:45
*** marekd is now known as marekd|away23:45
lbragstadmorganfainberg: thank you23:45
morganfainberglbragstad, i didn't want to take it over if you really wanted to dive into it23:45
lbragstadeither works just fine for me23:45
morganfainbergit's a little painful to interact with non-named (guaranteed named) constraints :P23:45
morganfainberglbragstad, k will post shortly-ish23:46
lbragstadmorganfainberg: cool, thanks!23:46
morganfainberglbragstad, just doing a couple checks on data introspection23:46
lbragstadgood deal23:46
*** Fin1te has quit IRC23:57
