Tuesday, 2014-03-25

« Monday, 2014-03-24 Index Wednesday, 2014-03-26 »
dolphmi just +A'd marekd|away's patch too00:00
dolphmwhich means...00:00
morganfainbergminor nits on white space, didn't even bother to comment00:00
morganfainbergwe get to do the RC dance?00:00
jamielennoxdolphm: this got missed for a little while: https://review.openstack.org/#/c/78068/00:00
jamielennoxthe default version URLs - i take it that's way too late now00:00
* dolphm IS NOW OFFICIALLY SCARED OF EMAILS THAT START WITH "Public Bug Reported..."00:00
morganfainbergdolphm, let me move the dependency for https://review.openstack.org/#/c/82674/ we should get that in (sneak it in) if possible00:01
morganfainberghelp cut down the volume of logging00:01
dolphmmorganfainberg: sounds great00:01
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove extra cache layer debugging  https://review.openstack.org/8267400:01
morganfainbergdolphm, ^ jamielennox ^00:02
morganfainbergprovided it passes check and all00:02
dolphmmorganfainberg: +200:02
morganfainbergit should remove all the CACHE_GET CACHE_SET lines from our logs00:02
dolphmi actually thought the discovery urls thing already merged00:03
morganfainbergthis one might be worth getting in as well: https://review.openstack.org/#/c/79422/ so we see the slowest tests each run00:03
jamielennoxmorganfainberg: _200:03
morganfainbergbut that one can wait till post RC00:03
jamielennoxdolphm: it sat for a little while with a bknudson -1 that i hadn't seen00:03
morganfainbergooh00:04
morganfainbergjamielennox, let me take a look, i thought that one went in as well00:04
morganfainbergjamielennox, it's going to merge conflict00:04
jamielennoxdamnit, i just fixed one of those00:05
morganfainbergjamielennox, test_wsgi00:05
jamielennoxmorganfainberg: has that merged?00:05
morganfainbergthe babel one?00:05
morganfainbergjamielennox, i just tried to rebase it and it merge conflicted. so ..00:06
dolphm78068?00:06
morganfainbergdolphm, yeah that one conflicts on test_wsgi looks like import line only00:06
dolphmah yeah00:06
dolphmp.s. everyone should start using the latest version of hacking - from trunk00:07
dolphmthey're long overdue for a release and we have a TON of violations against their master00:07
dolphmall good ones too00:07
morganfainbergdolphm, as soon as we have RC i'm going to aim to land a quick remove "deprecated" stuff from internal api calls.00:09
morganfainberge.g. identity proxy, et al00:09
jamielennoxmorganfainberg: just running tests locally and then i'll update the review00:09
jamielennoxbut is it too late?00:09
dolphmmorganfainberg: that's the only deprecatedness that we can remove in juno, right?00:09
jamielennoxit's a sweeping change at this point00:09
morganfainbergdolphm, i think there are 2-3 others.00:09
morganfainbergjamielennox, hm...00:09
dolphmjamielennox: no, let's get it in -- it's well reviewed and will set us up da bomb00:09
jamielennoxthere is also strings in the config file that change00:10
morganfainbergjamielennox, i think we're sane to get it in00:10
morganfainbergare conf options string freeze violations?00:10
jamielennoxmorganfainberg: no idea00:10
morganfainbergjamielennox, are the new options change of behavior?00:10
morganfainberge.g. change of default behavior?00:10
dolphmthey're not translated, at least in keystone.common.config00:10
morganfainbergdolphm, lets not translate those :P00:10
jamielennoxmorganfainberg: ummm - kind of a change in default behaviour00:11
jamielennoxessentially it's a better default00:11
dolphmmorganfainberg: change of use of defaults?00:11
morganfainbergjamielennox, so if i don't change my config, something completely new happens?00:11
*** stevemar has quit IRC00:11
jamielennoxmorganfainberg: yes, but not in a way that's a problem00:11
morganfainbergjamielennox, that could break my use of keystone?00:11
dolphmmorganfainberg: if you've set those options, then you continue using them with no effect00:11
morganfainbergdolphm, thats what i was looking for00:11
morganfainbergdolphm, cool.00:11
dolphmmorganfainberg: if you haven't set them, then a more reasonable default is assumed by keystone00:12
morganfainbergdolphm, +_+00:12
morganfainbergerm ++00:12
dolphmjamielennox: fair statement?00:12
jamielennoxdolphm: yep00:12
dolphmmorganfainberg: i sort of prefer +_+00:12
morganfainberg-_-00:12
morganfainbergi mean ..00:12
openstackgerritJamie Lennox proposed a change to openstack/keystone: Change the default version discovery URLs  https://review.openstack.org/7806800:13
morganfainbergjamielennox, i don't have an issue with that change.00:14
morganfainbergjamielennox, let me do a last once over on it though00:14
jamielennoxhuh, locally that told me that it failed to upload the review - but it seems to have pushed fine00:14
morganfainberghah00:14
openstackgerritJamie Lennox proposed a change to openstack/keystone: Change the default version discovery URLs  https://review.openstack.org/7806800:15
dolphmjamielennox: wait, what was the difference in the last two? i just finished reviewing the first and then accidentally +2'd the second00:18
jamielennoxdolphm: bad import ordering: https://review.openstack.org/#/c/78068/9/keystone/tests/test_wsgi.py00:18
dolphmthere's more deletes in the older one00:19
morganfainbergjamielennox, heh00:19
*** openstack has joined #openstack-keystone00:19
morganfainbergopenstack, phew, we missed you!00:19
morganfainberglol00:19
dolphmjamielennox: ah, thanks00:20
dolphmi had the bot blocked for awhile lol00:20
dolphmtoo many notifications for "keystone"00:20
morganfainbergdolphm, lol00:20
morganfainbergdolphm, gerrit one or the eavesdrop one?00:21
dolphmgerrit00:21
morganfainbergopenstack = eavesdrop00:21
morganfainbergdolphm, we can remove the gerrit one again if you want :P00:21
morganfainbergit's easy to remov00:21
morganfainberge00:21
morganfainbergit's kinda nice ot see them as they occur...but meh00:21
dolphmno no, i think it's super useful, i just don't want growl notifications for every patch00:21
morganfainbergi don't remember who asked me to add it though.00:21
morganfainbergOh! haha00:21
jamielennoxmorganfainberg: i did - i think it's useful00:22
*** nkinder has quit IRC00:22
morganfainbergdolphm, jamielennox, +200:26
*** flaper87 is now known as flaper87|afk00:26
jamielennoxmorganfainberg: cool00:26
jamielennoxbring on pecan though i'm sick of our wsgi layer00:27
morganfainbergjamielennox, dolphm, meeting tomorrow - added the eventlet bit, basically eventlet is dead.00:28
jamielennoxmorganfainberg: for keystone or everyone?00:28
morganfainbergjamielennox, dolphm, based upon -infra convo00:28
morganfainbergjamielennox, py3300:28
dolphmfun!00:28
jamielennoxthat's good00:29
dolphmmorganfainberg: eventlet is not going to py33 or what?00:29
morganfainbergsince we don't really use eventlet for anything00:29
dolphmwhat's the verdict00:29
jamielennoxi imagine it will be harder for some projects but it will be good for us00:29
morganfainbergdolphm, the verdict is use trollius for it00:29
morganfainbergtulip is a py33 construct00:29
morganfainbergand afaict supplants eventlet00:29
dolphmwhoa i didn't know that was in py200:29
morganfainbergtrollius is py2.7 friendly00:29
jamielennoxmorganfainberg: there are some testing concerns with removing eventlet00:30
dolphmmorganfainberg: and 2.6?00:30
morganfainbergdolphm, it's in the global reqs00:30
jamielennoxthere are still a couple of tests (i think the client ones) that rely on eventlet so that they can boot a server and communicate with it in the same thread00:30
morganfainbergdolphm, i can only assume, haven't tried00:30
morganfainbergjamielennox, we should be looking at using wsgiref and/or trollius for coroutine magic00:30
dolphmjamielennox: yeah, what's the story with asyncio there?00:31
*** nkinder has joined #openstack-keystone00:31
dolphmmorganfainberg: +1 for wsgiref - eventlet is overkill for tests00:31
*** bknudson has joined #openstack-keystone00:31
jamielennoxmorganfainberg: sure that can be done, it just hasn't yet - webtest has a thing for handling it as well00:31
jamielennoxdolphm: asyncio?00:31
dolphmjamielennox: trollius / tullip / asyncio00:32
morganfainbergjamielennox, trollius is asyncio00:32
morganfainbergasyncio is cool00:32
jamielennoxthe way i had heard trollius etc described in the passed was as a very low level handler and that we should start to see frameworks being built on it now00:32
morganfainbergit's a little more explicit than eventlet00:32
morganfainbergbut it's def awesome00:32
bknudsondoes asyncio work with db apis?00:32
jamielennoxthey didn't seem to recommend most people using asyncio directly00:33
morganfainbergjamielennox, trollius is ~= tuliop00:33
morganfainbergasyncio is the underpinnings00:33
jamielennoxalso i heard somewhere that asyncio is not compatible with wsgi00:33
morganfainbergbknudson, good question.00:33
morganfainbergjamielennox, mod_wsgi?00:33
jamielennoxmorganfainberg: at this point i'm ussing the three terms interchangably but i'll stop00:33
morganfainbergjamielennox, because eventlet isn't exactly mod_wsgi safe00:33
jamielennoxmorganfainberg: not sure how far it stretches, but the wsgi protocol had issues with doing things asynchronously00:34
jamielennoxi'd have to go looking for the details00:34
morganfainbergasyncio is coroutine, should be the same as eventlet.00:35
morganfainbergwell roughly the same00:35
morganfainberg_should_ :P00:35
jamielennoxyea but eventlet does all that nasty stuff to avoid looking like a coroutine00:35
morganfainbergand eventlet also monkeypatches stuff all over00:35
morganfainbergin icky ways00:35
jamielennoxanyway i'm happy to have eventlet out - i don't think we need to be the first adopter of trollius/asyncio as it doesn't benefit us that much00:36
bknudsonI don't think eventlet benefits us much00:36
dolphmmorganfainberg: i've actually been asked "do you run on eventlet or python?" before00:36
morganfainbergdolphm, *blink*00:36
morganfainbergdolphm, i.. i guess thats a valid question... ish00:37
jamielennoxdolphm: makes sense :)00:37
morganfainbergi almost have in-memory sqlite patch ready.00:37
dolphmmorganfainberg: :D00:37
dolphmit's like christmas00:37
jamielennoxdolphm, morganfainberg, bknudson: whist i've got people here is https://review.openstack.org/#/c/81695/ something we should allow in auth_token?00:38
morganfainbergjamielennox, interesting00:38
jamielennoxcan review later but in principal00:38
dolphmjamielennox: yes, i think so00:38
dolphmjamielennox: the hard part is how to configure the whitelist, i suppose00:38
morganfainbergjamielennox, i like it00:38
jamielennoxdolphm: yea, i think it would have to go in a paste file00:38
bknudsonjamielennox: who's going to use it?00:39
dolphmbknudson: everyone?00:39
bknudsonoh, the discover urls00:39
morganfainbergbknudson, ++00:39
jamielennoxbknudson: well i saw for example that barbican had to split up there whole paste pipeline so that they could have / unprotected00:39
dolphmjamielennox: why are you using ignore case?00:39
morganfainbergjamielennox, that isn't exactly a bad idea though.00:39
jamielennoxdolphm: it's a URL path00:39
morganfainbergjamielennox, it isolates secure vs insecure00:40
*** marcoemorais has quit IRC00:40
bknudsonsplitting up the paste pipeline doesn't sound that bad to me either00:40
jamielennox /v1 ~= /V100:40
morganfainbergjamielennox, URLs are case sensitive (well... depending on the web server, IIS is dumb)00:40
bknudsonon windows /v1 = /V100:40
dolphmbknudson: the internet runs on !windows00:40
morganfainbergbknudson, yay case insensitive filesystems!00:40
jamielennoxbknudson: it only make sense to split the pipeline when you want things to have different middleware on different versions00:40
* morganfainberg hides in the corner w/ hpfs+00:41
morganfainbergand no i don't reimage my computer w/ case sensitive00:41
bknudsonseems like you would want your insecure resources would have a simpler middleware00:41
morganfainbergbknudson, ++00:41
morganfainbergi mean, i am not opposed to having an exclude function00:41
jamielennoxbknudson: not always, largely middleware are things like json encode etc that all still apply00:42
morganfainbergbut... it seems like the paste pipeline should be split.00:42
morganfainbergespecially for things like URL discovery.00:42
jamielennoxalso we do recommend that /v1 should be publicly accessible00:42
bknudsonshould we split up keystone paste pipeline?00:42
openstackgerritRichard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values  https://review.openstack.org/7600200:42
morganfainbergbknudson, i wouldn't be opposed to it00:42
jamielennoxnot /v1/{resource} but /v1 for version discovery00:43
morganfainbergmight be easier to document than "oh and now write a regex"00:43
jamielennoxbknudson: keystone doesn't use auth_token so it doesn't apply here00:43
dolphmjamielennox: does PATH_INFO include fragments or query strings?00:44
dolphmi feel like one of those env vars is surprising in that way..00:44
jamielennoxdolphm: i would assume so00:44
jamielennoxi didn't test it on that00:44
jamielennoxbut i can't see that would matter?00:45
*** wchrisj has quit IRC00:45
jamielennoxunless you're thinking about really complex regex's where you exclude on the query string00:45
bknudsondoes it work if I do /%76%42 instead of /v2 ?00:46
bknudsonoops %72%3200:46
jamielennoxah...00:47
morganfainbergbknudson, LOL00:47
jamielennoxi'm guessing no but let me check00:47
ayoungjamielennox, wasn't through jenkins yet.  +A now00:47
jamielennoxit would depend on when PATH_INFO is resolved00:47
ayoungdstanek, default outform should be PEM00:47
jamielennoxbknudson: does our whole current routes system work if you do /%72%32 ?00:48
bknudsonjamielennox: that is a good question.00:48
*** derek_c has joined #openstack-keystone00:48
jamielennox72 = r00:49
bknudsonI've totally forgotten my ascii codes00:49
morganfainberg'Some people, when confronted with a problem, think “I know, I'll use regular expressions.”   Now they have two problems.' -- Jamie Zawinski00:49
bknudsonstill know ebcdic.00:49
jamielennoxyep it works00:49
jamielennoxwell it works for keystone00:50
jamielennoxhaven't tested the exclude yet00:50
jamielennoxmorganfainberg: yep, i know that one - that's why you make it a user problem00:50
jamielennox:)00:50
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Add a method for changing a user's password in V3  https://review.openstack.org/5991400:50
morganfainbergjamielennox, i think a regex here is going to open the door for security woes the more i think about it00:51
morganfainbergjamielennox, but it is.. a config issue then00:51
jamielennoxmorganfainberg: this is why i ask00:52
jamielennoxin reality it shouldn't be touched by an administrator00:52
jamielennoxit should be set by the project and left alone but you can never guarantee that00:52
morganfainbergjamielennox, but it will be00:52
morganfainbergjamielennox, i just get the strong sense that splitting the pipeline introduces less security risk00:53
jamielennoxthe main case i would see is "^/(v1|v2)?/?$"00:53
jamielennoxmorganfainberg: but that doesn't let us do /v1/ as a seperate app to /v1/{resource}00:53
morganfainbergjamielennox, maybe a non-regex explicit whitelist00:54
jamielennoxactually i guess it could but that would be an unusual deployment00:54
morganfainbergjamielennox, anything else would be paste splitting.00:54
jamielennoxmorganfainberg: i was thinking about that - but at somepoint the regex is actually easier00:54
morganfainbergjamielennox, sure, but how many items are you white listing?00:55
jamielennoxi would expect it to be just the version disccovery URLs00:55
morganfainbergthen why make it a regex00:55
morganfainberg1 or 2 items are a bad usecase for the regex00:56
jamielennoxbecause otherwise you need a configurable way to say things like do you include a trailing /00:56
*** wchrisj has joined #openstack-keystone00:56
jamielennoxi also don't see that we have to limit the other services to that00:56
morganfainbergmake a design choice on that.00:56
morganfainbergjamielennox, it's just that using a regex to govern security is making my skin crawl00:57
morganfainbergjamielennox, i'm going to abstain from reviewing this. if other more security minded folks want to jump in, i'll not block it.00:57
jamielennoxmorganfainberg: oh - i completely understand00:57
morganfainbergbut i don't feel comfortable with this approach.00:57
morganfainbergand keystone can't use auth_token middleware right now.00:58
morganfainbergin fact, likely it'll use some other subset of auth_token for the forseeable future because auth_token needs to talk to keystone in some cases00:58
morganfainbergso our usecase is a little bit more specialized00:59
jamielennoxmorganfainberg: right - i'm not doing this for keystone00:59
ayoungA=65, the rest can be calculated from that01:00
morganfainbergjamielennox, then i'm even more on board with just saying "split the paste pipeline" anyway.01:00
morganfainbergbut again, i'll just abstain at this point unless there is a need to step in and toss in my $0.0201:00
jamielennoxmorganfainberg: why make for example ceilometer have seperate paste pipelines so that it can do version discovery on / and /v1?01:00
morganfainbergjamielennox, separation of concerns. insecure vs secure01:01
morganfainbergjamielennox, easier to audit, easier to validate, easier to ensure things aren't leaking between them (if you don't want the api insecure, it doesn't go in the insecure pipeline)01:01
bknudsonkeystone could have separate paste pipelines for discovery, and /auth/tokens (just the POST??)01:01
bknudsonand then for the rest01:02
jamielennoxbknudson: i think we will end up with something like that to do token pipelines01:02
openstackgerritA change was merged to openstack/keystone: Add dedicated URL for issuing unscoped federation tokens.  https://review.openstack.org/8237501:02
openstackgerritA change was merged to openstack/keystone: Always include 'enabled' field in service response  https://review.openstack.org/8220501:02
jamielennoxmorganfainberg: ok - so ditch it?01:02
jamielennoxbecause a service can always use delay_auth_decision and then enforce that at the policy level01:02
morganfainbergjamielennox, if there is enough momentum behind this approach, i can't say it's the "wrong" one. but i don't feel like it's the right approach01:03
bknudsondoes any service use delay_auth_decition?01:03
jamielennoxbknudson: i've seen it but i can't remember whree01:03
bknudsonprobably swift!01:03
jamielennoxglance has it as default01:03
jamielennoxi guess it depends on the authentication style - it makes sense if you hvae good policy enforcement that auth_token just decode the actual token data01:06
morganfainbergdolphm, +Aing the log review01:08
morganfainbergcache log01:08
morganfainbergthat is01:08
morganfainbergsince 2+2 plus jenkins01:09
*** stevemar has joined #openstack-keystone01:09
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Rename keystone.tests.fixtures  https://review.openstack.org/8172101:10
dolphmcrap i just realized i didn't do the second half of bug 127386701:14
uvirtbotLaunchpad bug 1273867 in keystone "Keystone API v3 lists disabled endpoints and services in catalog" [High,In progress] https://launchpad.net/bugs/127386701:14
morganfainbergdolphm, oopse!01:14
bknudsonthe service catalog?01:14
dolphmyeah01:15
dolphmthe patch merged, and i was wondering why it wasn't Fix Committed on LP...01:15
lbragstadstevemar: hey! quick question on this guy here... https://review.openstack.org/#/c/80193/01:17
lbragstadwill it still work if the IP addresses for AUTH_URL and MANAGEMENT_URL are hardcoded?01:17
*** richm has quit IRC01:24
*** rwsu has quit IRC01:26
dstanekbknudson: thx for getting that pep8 issue01:28
bknudsondstanek: this is something I'm good at.01:28
*** wchrisj has quit IRC01:31
*** zhiyan_ is now known as zhiyan01:32
stevemarlbragstad, you are correct re: the comment / docstring, must have happened when i rebased01:36
stevemarlbragstad, or i just plain ol started it one way, and did it as another *shrugs*01:37
lbragstadstevemar: that happens :) thanks for the update01:37
stevemarlbragstad, got any suggestions for the ip address configuration01:37
lbragstadstevemar: hmmm01:37
lbragstadthat's tough, since it's  script01:38
lbragstadwhat is auth_url and management_url intended to point to?01:38
lbragstads/is/are/01:38
*** wchrisj has joined #openstack-keystone01:39
stevemarlbragstad, i was copying what ayoung was doing here: https://review.openstack.org/#/c/79096/5/examples/scripts/exercise_v3_regions.py01:41
stevemarlooks like he changed it to just endpoint/token, i can do that01:41
ayoungOh sure blame it on me01:41
stevemarand he tries to get env. variable01:41
openstackgerritDolph Mathews proposed a change to openstack/keystone: refactor AuthCatalog tests  https://review.openstack.org/8268601:41
ayoungstevemar, OK, lets get first things first01:41
stevemarayoung, of course01:41
lbragstadlol01:41
ayoungI need to split out the "set things up from scratch" script...01:41
stevemarayoung, yes, i think that should be it's own :\01:42
lbragstadis there a way we can add some verification?01:42
stevemarayoung, cause i want to do the same thing01:42
ayounghttps://review.openstack.org/#/c/81166/3/examples/scripts/initialize_keystone.py01:42
ayoungand the tear down01:42
ayoungI can do that right now...01:42
stevemarayoung, instead I just added a comment saying "assume the env. is set up in a v3 friendly way"01:42
*** rwsu has joined #openstack-keystone01:42
stevemarayoung, that needs more comments, but otherwise i think it's okay-ish01:43
morganfainbergoooh i found a bug in our models01:43
morganfainbergsql models.01:44
morganfainbergi think.01:44
*** wchrisj has quit IRC01:44
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Initialization scripts  https://review.openstack.org/8268701:45
ayoungstevemar, ^^ look better?01:45
ayoungstevemar, you can rebase on that...01:46
lbragstaddstanek: qq on https://review.openstack.org/#/c/78117/7/keystone/tests/test_wsgi.py01:46
ayoungmeaniwhile I'll clean that one up for commit01:46
morganfainbergrole name is meant to be unique, right? role table column name01:48
ayoungmorganfainberg, nope01:48
stevemarayoung, i'll poke around and comment, technically still on vacation until tomorrow :P01:48
*** wchrisj has joined #openstack-keystone01:49
morganfainbergayoung, where did we drop the unique constraint?01:49
ayoungmorganfainberg, atiwari's approach will certainly require multiple entries with the same role name01:49
morganfainbergayoung, in migration001 we set the constraint to unique, but i'm not seeing it dropped.01:49
morganfainbergayoung, i am looking at current setup.01:50
* morganfainberg runs migrate on a clean db01:51
*** wchrisj_ has joined #openstack-keystone01:53
*** wchrisj has quit IRC01:53
ayoungmorganfainberg, nah, its probably unique now.  If we reduce that, it will become a multi column constraint01:59
ayoungmorganfainberg, you should know by now that my answers are about how its supposed to work, not how it actually works.01:59
morganfainbergayoung, i'm trying to make it so we use in-memory sql for testing01:59
ayoungah.01:59
ayoungthat would be very nice01:59
*** wchrisj_ has quit IRC02:00
morganfainbergayoung, and i'm getting some odd errors with reflection because of constraints not matching the models02:00
morganfainbergayoung, yeah i expect to land that as soon as RC cuts02:00
dstaneki need an rss feed from gerrit instead of email02:01
dstanekthis should be a relatively easy review: https://review.openstack.org/#/c/5991402:03
openstackgerritayoung proposed a change to openstack/python-keystoneclient: revoke events  https://review.openstack.org/8116602:04
dstaneklbragstad: shoot. just saw your message02:06
lbragstaddstanek: hey, so I was just wondering about https://review.openstack.org/#/c/78117/7/keystone/tests/test_wsgi.py02:07
lbragstadlines 242 and 251, if we should pass all_locales=['it'] as is since all_locales is no longer optional?02:08
bknudsonanother attempt at getting a keystone.conf file that tempest can use -- https://review.openstack.org/#/c/82358/02:09
dstaneklbragstad: you are correct. i could have to the default to None and then use the same (all_locals or []) trick i probably used elsewhere in that patch.02:10
dstaneklbragstad: i decided not to since there were only a few places calling that method and the parameter was always being passed in02:10
lbragstaddstanek: ok, cool02:11
dstaneklbragstad: i wanted to remove the other param because is isn't being used, but i did that in a different patch02:12
lbragstaddstanek:  ok, I was just curious if that should be refactored since the method signature was changing slightly.02:13
*** bknudson has quit IRC02:16
*** nkinder has quit IRC02:16
openstackgerritA change was merged to openstack/python-keystoneclient: Enforce scope mutual exclusion for trusts  https://review.openstack.org/7848902:19
openstackgerritA change was merged to openstack/keystone: Remove extra cache layer debugging  https://review.openstack.org/8267402:19
*** amcrn has quit IRC02:26
jamielennoxlbragstad: you still here?02:33
openstackgerritDolph Mathews proposed a change to openstack/keystone: exclude disabled services from the catalog  https://review.openstack.org/8269802:45
dolphmmorganfainberg: bkhudson: final fix is fairly straightforward, but it depends on a bit of a refactor https://review.openstack.org/#/c/82698/02:46
jamielennoxlbragstad: https://bugs.launchpad.net/keystone/+bug/129705902:48
uvirtbotLaunchpad bug 1297059 in keystone "Migrate 43 fails on old sqlalchemy" [Undecided,New]02:48
*** mberlin1 has joined #openstack-keystone02:50
jamielennoxdolphm: you never use the disabled endpoint?02:52
dolphmjamielennox: i'm ensuring it's not returned02:52
dolphmjamielennox: same for a disabled service02:52
dolphmjamielennox: oh you mean from the dict return?02:52
jamielennoxyea02:52
jamielennoxlooking at the refactor02:52
*** mberlin has quit IRC02:53
jamielennoxthe original is the same02:53
dolphmjamielennox: refresh02:53
openstackgerritDolph Mathews proposed a change to openstack/keystone: refactor AuthCatalog tests  https://review.openstack.org/8268602:53
jamielennox dummy_disabled_endpoint_ref  appears unused02:53
jamielennoxoh, ok - i am running tests so haven't checked it out yet - i just hadn't seen what the other was being used for02:54
dolphmjamielennox: i think they were used to illustrate the bug, and then not removed02:55
openstackgerritDavid Stanek proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation  https://review.openstack.org/7118102:57
jamielennoxdolphm: shoud you be checking the length of the catalog there?02:57
jamielennoxi know the original doesn't02:57
openstackgerritDolph Mathews proposed a change to openstack/keystone: exclude disabled services from the catalog  https://review.openstack.org/8269802:57
jamielennoxbut it appears you just take the first service from the catalog and check it against the enabled02:57
jamielennoxthat doesn't mean the disabled isn't there as the second entry02:58
dolphmjamielennox: like this? https://review.openstack.org/#/c/82698/2/keystone/tests/test_auth.py02:58
jamielennoxdolphm: lol, right - hadn't looked at the follow up yet02:58
dolphmjamielennox: i tried to keep the first patch as just a refactor :)02:58
dolphmalright, i'm off to bed. i'll cross my fingers for some a couple +A's while i'm asleep :P and an empty rc1 blocklist :D03:01
*** wchrisj has joined #openstack-keystone03:02
dolphmjamielennox: i have no idea how to filter by service.enabled in the v2 catalog query... i tried using subqueryload with an additional filter(), but sqlalchemy didn't like whatever i was doing :-/03:03
dolphm(here https://review.openstack.org/#/c/82698/2/keystone/catalog/backends/sql.py )03:03
jamielennoxfilter_by=Endpoint.service.enabled==True or filter_by=Service.enabled==True doesn't work?03:05
jamielennox(what you've got isn't a terrible solution given it's v2)03:06
*** wchrisj has quit IRC03:06
openstackgerritJamie Lennox proposed a change to openstack/keystone: Isolate backend loading  https://review.openstack.org/7429303:07
openstackgerritJamie Lennox proposed a change to openstack/keystone: Make Pecan the root routing framework  https://review.openstack.org/6542803:07
*** wchrisj has joined #openstack-keystone03:07
*** zhiyan is now known as zhiyan_03:10
*** zhiyan_ is now known as zhiyan03:11
*** wchrisj has quit IRC03:14
*** wchrisj has joined #openstack-keystone03:15
jamielennoxdolphm: yea - it appears you just need to add .filter(Service.enabled == True) to the query03:17
*** david-lyle has joined #openstack-keystone03:17
morganfainbergdolphm, hmm.03:18
morganfainbergjamielennox, oooh!03:18
morganfainbergbackend loading isolation!03:18
jamielennoxmorganfainberg: it's not as exciting as it sounds03:19
jamielennoxit just gets it out of the bin/keystone-all path03:19
*** devlaps has quit IRC03:19
*** wchrisj_ has joined #openstack-keystone03:19
morganfainbergjamielennox, still good!03:20
jamielennoxdolphm: so obviously i'm wrong regarding the filter...03:20
morganfainbergi'm lookin at dolph's reviews.03:20
*** wchrisj has quit IRC03:20
*** wchrisj has joined #openstack-keystone03:24
*** wchrisj_ has quit IRC03:25
morganfainbergdolphm, still here?03:26
morganfainbergjamielennox, dolphm, not sure about https://review.openstack.org/#/c/82698/2/keystone/catalog/backends/sql.py line 260, shouldn't the query on 253 be updated to cover this service being disabled?03:27
*** gokrokve has joined #openstack-keystone03:27
jamielennoxmorganfainberg: that's what i'm trying to figure out03:28
*** wchrisj_ has joined #openstack-keystone03:28
jamielennoxi can't seem to construct the query thoguh03:29
*** wchrisj has quit IRC03:29
morganfainbergjamielennox, ah03:30
morganfainbergjamielennox, look at the part below in green http://docs.sqlalchemy.org/en/rel_0_9/orm/tutorial.html#joined-load03:31
morganfainbergit would require an eagerload + explicit join03:31
morganfainbergjamielennox, doable with a standard join03:31
*** wchrisj has joined #openstack-keystone03:32
morganfainbergjamielennox, http://docs.sqlalchemy.org/en/rel_0_9/orm/tutorial.html#explicit-join-eagerload not sure i want to see that kind of refactor this late in the game03:32
*** wchrisj_ has quit IRC03:32
jamielennoxi do like sqlalchemy but it can be harder to make it do what you want than just writing the sql03:32
morganfainbergjamielennox, or in the case of most people in OpenStack, they try really hard to NOT use SQLAlchemy03:32
*** chandankumar_ has joined #openstack-keystone03:33
morganfainbergthat reminds me, i need to do some research on supporting partition tables.03:33
morganfainbergi could see some benefits03:33
jamielennoxmorganfainberg: looking at that joined+eager query i'm just as happy to let the current review pass03:34
morganfainbergjamielennox, yerah03:34
jamielennoxnon-enabled services aren't common enough to figure that out right now03:34
morganfainbergjamielennox, i don't want to see that level of change atm03:34
jamielennoxmorganfainberg: removing cache logging from tests makes the world a better place03:34
morganfainbergjamielennox, :)03:35
morganfainbergjamielennox, it was good to have when we initially launched caching03:35
morganfainbergnow... not as much03:35
jamielennoxit will make gate issues so much easier to find03:35
jamielennoxmorganfainberg: +A https://review.openstack.org/#/c/78068/ ?03:38
morganfainbergoh yeah03:38
jamielennoxthanks03:39
*** wchrisj_ has joined #openstack-keystone03:39
*** wchrisj has quit IRC03:40
*** chandankumar_ has quit IRC03:40
jamielennoxmorganfainberg: you like the @positional decorator as well didn't you: https://review.openstack.org/#/c/7702603:40
jamielennoxit's a 0.7 blocker and if i can get it cleaned up now it doesn't have to be at the meeting tomorrow03:41
morganfainbergyeah03:41
jamielennoxi've got bknudson's +2 so rolling through now03:41
*** wchrisj has joined #openstack-keystone03:43
*** wchrisj_ has quit IRC03:43
openstackgerritRichard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values  https://review.openstack.org/7600203:45
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Fix passing get_token kwargs to get_access  https://review.openstack.org/7673303:46
*** wchrisj has quit IRC03:47
dstanekmorganfainberg: looking at https://review.openstack.org/#/c/80368/7/keystone/assignment/core.py and i disagree with the renaming03:48
morganfainbergdstanek, i disagree with more than just the renaming03:48
dstanekmorganfainberg: i think that the event handler methods can be called handle_*, but the driver methods really have nothing to do with the event03:49
morganfainbergdstanek, ah sure03:49
morganfainbergdstanek, works for me03:49
*** harlowja_ is now known as harlowja_away03:49
jamielennoxdstanek: can you have a look at your -1 on https://review.openstack.org/#/c/77055/803:49
dstanekjamielennox: sure03:50
*** gokrokve has quit IRC03:50
jamielennoxmorganfainberg: ^ is also a release block for client and really easy to review03:50
morganfainbergjamielennox, lol going to have to wait on that one, winding down for a bit :)03:50
morganfainbergbut before i slepp i'll look at it03:50
jamielennoxmorganfainberg: no worries03:51
*** gokrokve has joined #openstack-keystone03:52
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Start using positional decorator  https://review.openstack.org/7705503:53
*** chandankumar_ has joined #openstack-keystone03:55
*** gokrokve has quit IRC03:57
dstanekjamielennox: looking at https://review.openstack.org/#/c/77055/9/keystoneclient/v3/policies.py - what criteria are you using to determine which methods should all be kwargs and which ones not?03:58
jamielennoxdstanek: basically personal taste - but are you referring to anything in particular?03:58
jamielennoxupdate() should always take as the first argument the resource so that i think should be an *arg03:59
jamielennoxbut for create and the others anything that is an attribute of a resource i think should be a kwargs even if it is a required attribute03:59
jamielennoxso possibly blob= should have been a kwarg04:00
jamielennoxthough in that case because you are most likely only passing one argument to the create it is probably ok to leave as an arg04:00
jamielennoxignore those last two lines, blob=None - so it is a kwargs anyway04:01
jamielennoxlol - damnit ignore the ignore - i was looking at resource.update04:01
dstanekjamielennox: GroupManager.update also looks me like it should also be all kwargs04:04
dstanekin general the pattern seems to be that all of the args should be kwargs except self, but there are exceptions in your patch04:05
jamielennoxdstanek: no because .update expects the resource to be passed first04:05
jamielennoxg = client.groups.get(42)04:06
jamielennoxclient.groups.update(g, name='new name')04:06
jamielennoxif you can g.update(name='new name') it will route internally to call client.groups.update(g, **kwargs) as well04:06
dstanekah, so this is a routes thing?04:07
jamielennoxdstanek: no routes is a server side term, but the managers control the logic and the resources are fairly dumb04:08
jamielennoxroutes as a library is a server side thing04:08
jamielennoxso functions called on a resource will get sent to the manager with the resource as the first argument04:08
dstanekso in general the .update methods allow the non-kwarg arg04:11
jamielennoxyea, update, and delete etc should take a single non-kwarg - update should then also take the kwargs you want to change04:12
dstanekjamielennox: credentials seems to have a different pattern04:15
jamielennoxso yea credentials.create allows blob as an arg - i'm not sure whether that's right or not04:15
dstanekjamielennox: CredentialManager.create has two required args that don't have to be kwargs. most the the other managers force everything to be specified as kwargs for create04:17
jamielennoxhuh, yep - that's wrong04:18
dstanekjamielennox: i would also expect PolicyManager.create to specify positional(1, ...)04:21
*** devlaps has joined #openstack-keystone04:21
jamielennoxyep04:23
*** chandankumar_ has quit IRC04:23
jamielennoxdstanek: let me know when you finish and i'll upload a fix with those 304:27
dstanekjamielennox: all done :-) once you upload i'll quickly skim and +2 it04:28
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Start using positional decorator  https://review.openstack.org/7705504:28
jamielennoxdstanek: ^04:28
openstackgerritA change was merged to openstack/keystone: Change the default version discovery URLs  https://review.openstack.org/7806804:31
openstackgerritJamie Lennox proposed a change to openstack/keystone: Make Pecan the root routing framework  https://review.openstack.org/6542804:31
dstanekjamielennox: thx04:35
jamielennoxlol, another URL discovery format for nova: http://docs.openstack.org/api/openstack-compute/2/content/Versions-d1e1193.html04:35
jamielennoxi love the open source thing but sometimes consistency is better than the perfect response04:36
jamielennoxdstanek: and thank you04:36
*** derek_c has quit IRC04:48
openstackgerritA change was merged to openstack/keystone: Rename keystone.tests.fixtures  https://review.openstack.org/8172104:49
*** stevemar has quit IRC05:05
*** derek_c has joined #openstack-keystone05:10
openstackgerritguang-yee proposed a change to openstack/python-keystoneclient: Implement endpoint filtering functionality on the client side.  https://review.openstack.org/8271305:18
*** gokrokve has joined #openstack-keystone05:21
*** gokrokve has quit IRC05:25
*** YorikSar has quit IRC05:37
*** chandan_kumar has quit IRC05:48
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/7852506:05
*** andreaf has joined #openstack-keystone06:14
*** dstanek has quit IRC06:15
*** dstanek has joined #openstack-keystone06:22
*** YorikSar has joined #openstack-keystone06:32
*** jaosorior has joined #openstack-keystone06:51
*** dstanek has quit IRC07:04
*** andreaf has quit IRC07:08
*** devlaps has quit IRC07:17
*** gokrokve has joined #openstack-keystone07:21
*** gokrokve has quit IRC07:26
*** saju_m has joined #openstack-keystone07:30
*** derek_c has quit IRC07:41
*** flaper87|afk is now known as flaper8707:51
*** Gippa has joined #openstack-keystone08:20
*** leseb has joined #openstack-keystone08:40
*** saju_m has quit IRC08:50
*** saju_m has joined #openstack-keystone08:52
*** andreaf has joined #openstack-keystone08:53
*** YorikSar has quit IRC08:55
*** YorikSar has joined #openstack-keystone08:56
*** gokrokve has joined #openstack-keystone09:05
*** gokrokve has quit IRC09:05
*** gokrokve has joined #openstack-keystone09:05
*** chandan_kumar has joined #openstack-keystone09:13
*** Gippa has quit IRC09:22
*** saju_m has quit IRC09:38
*** bvandenh has quit IRC09:47
*** henrynash has joined #openstack-keystone09:47
openstackgerritA change was merged to openstack/python-keystoneclient: Add a positional decorator  https://review.openstack.org/7702609:49
*** andreaf has quit IRC09:49
*** Gippa has joined #openstack-keystone09:56
*** saju_m has joined #openstack-keystone09:57
*** morganfainberg is now known as morganfainberg_Z10:05
*** Gippa has quit IRC10:10
*** bvandenh has joined #openstack-keystone10:10
*** andreaf has joined #openstack-keystone10:47
*** saju_m has quit IRC11:07
*** saju_m has joined #openstack-keystone11:08
lbragstadjamielennox: sorry, checking now.11:09
*** saju_m has quit IRC11:09
lbragstadjamielennox: adding morganfainberg_Z to the bug report since he helped with the migrations quite a bit.11:12
*** saju_m has joined #openstack-keystone11:15
*** leseb has quit IRC11:19
*** leseb has joined #openstack-keystone11:20
*** gokrokve has quit IRC11:23
*** leseb has quit IRC11:24
*** gokrokve has joined #openstack-keystone11:34
*** gokrokve_ has joined #openstack-keystone11:38
*** saju_m has quit IRC11:38
*** saju_m has joined #openstack-keystone11:38
*** gokrokve has quit IRC11:39
*** gokrokve_ has quit IRC11:42
dolphmjamielennox: that's not new afaict11:47
*** leseb has joined #openstack-keystone11:50
lbragstadI tried it in virtualenv and I can't seem to reproduce with 0.7.1011:55
*** leseb has quit IRC11:55
*** harlowja_away has quit IRC12:03
*** gokrokve has joined #openstack-keystone12:10
dolphmlbragstad: jamielennox: repro'd and i think this fixes it https://review.openstack.org/#/c/82793/12:15
lbragstaddolphm: how did you recreate? sqlalchemy version 0.7.10?12:17
dolphmlbragstad: yeah, i didn't have any trouble reproducing -- copy/pasted shell output into the bug https://bugs.launchpad.net/keystone/+bug/1297059/comments/412:17
uvirtbotLaunchpad bug 1297059 in keystone "Migrate 43 fails on old sqlalchemy" [Medium,In progress]12:17
*** gokrokve has quit IRC12:19
*** gokrokve has joined #openstack-keystone12:22
*** david-lyle has quit IRC12:23
*** gokrokve has quit IRC12:28
*** gokrokve has joined #openstack-keystone12:32
*** saju_m has quit IRC12:41
*** gokrokve has quit IRC12:43
*** gokrokve has joined #openstack-keystone12:43
*** leseb has joined #openstack-keystone12:43
*** gokrokve has quit IRC12:47
*** marekd|away is now known as marekd12:52
*** dims_ has quit IRC12:52
*** gokrokve has joined #openstack-keystone12:53
*** saju_m has joined #openstack-keystone12:55
*** YorikSar has quit IRC12:56
*** YorikSar has joined #openstack-keystone12:58
*** saju_m has quit IRC12:59
*** joesavak has joined #openstack-keystone13:00
*** saju_m has joined #openstack-keystone13:01
*** dims_ has joined #openstack-keystone13:02
*** saju_m has quit IRC13:04
*** saju_m has joined #openstack-keystone13:06
*** bknudson has joined #openstack-keystone13:09
*** saju_m has quit IRC13:09
*** saju_m has joined #openstack-keystone13:11
*** browne has joined #openstack-keystone13:17
*** dstanek has joined #openstack-keystone13:19
*** wchrisj has joined #openstack-keystone13:20
*** ChanServ changes topic to "the gerrit event stream is currently hung, blocking all testing. troubleshooting is in progress (next update at 14:00 utc)"13:21
dstanekayoung: https://review.openstack.org/#/c/71181/ is still having problems13:21
dstanekayoung: i fixed a bug that i found in the error log, but not the error seems to be invalid credentials13:22
dstanekayoung: i wonder if this change somehow breaks existing encoded tokens13:22
*** wchrisj has quit IRC13:26
*** ChanServ changes topic to "[ Icehouse RC blockers https://launchpad.net/keystone/+milestone/icehouse-rc1 ][ Icehouse RC Target Date: March 27th, 2014 ][ No new strings during string freeze (dolphm was wrong!) - ping dolphm concerning exceptions ]"13:29
ayoungdstanek, it might be13:35
*** wchrisj has joined #openstack-keystone13:35
*** lbragstad has quit IRC13:35
ayoungdstanek, link?13:35
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts  https://review.openstack.org/8268713:39
dstanekayoung: https://review.openstack.org/#/c/71181/13:45
ayoungdstanek, yeah, but which failure? Or is it in the devstack setup?13:46
dstanekayoung: "Invalid OpenStack Identity credentials." in grenade13:46
ayoungdstanek, OK, so one thing we've needed to do ever since the "use the client libraray for signing" is figure out how to use a git checkout from /opt/stack/python-keystoneclient in a keystone run out of /opt/stack/keystone13:47
ayoungmanually, I'm guessing the process is something like:13:48
ayoungrun setup.py  -- something in python-kc13:48
ayoungget a package,13:48
ayoungactivate the venv in server13:48
ayoungand install the package13:48
ayoungthat sound right?13:48
dstanekayoung: if you are already activated you can just 'python setup.py install' in python-kc13:49
ayoungright...13:49
dstanekif you can't install you can adjus the path13:49
dstanekadjust13:49
*** wchrisj has quit IRC13:57
*** wchrisj_ has joined #openstack-keystone13:59
dolphmdstanek: ayoung: small, nice-to-have for RC1 https://review.openstack.org/#/c/82793/14:01
ayoungdolphm, seems like it is changing the meaning.14:02
ayoungcolumns.vales is different from columns.  You sure it means the same thing?14:03
dstanekayoung: the len should be the same if columns is a dictionary14:03
ayoungdstanek, I see that, but then why the error?14:03
dstanekayoung: error?14:04
ayoungutil/_collections.py", line 106, in __getattr__14:04
ayoung    raise AttributeError(key)14:04
ayoungAttributeError: values14:04
ayoungif there are no values in a collection, shouldn't you get back something of len() == 1?14:05
dstanekhow are you getting that exception?14:06
*** lbragstad has joined #openstack-keystone14:06
dstaneki would expect an empty collection to have a 0 length14:06
*** stevemar has joined #openstack-keystone14:06
ayoungdstanek, and it might be that idx.columns is not a dictionary in some version of SQLA14:07
dstanekayoung: that's what i'm looking to confirm now14:07
ayoungOK...I can get behind that one14:07
dolphmayoung: see the first comment on the review for an example14:12
ayoungdolphm, yep, that is why I +2ed14:12
dolphmayoung: ah, i'm behind -- thanks!14:13
* dolphm our 24 hour countdown to RC1 has started -- unless we can find new release blockers, we'll have an RC1 tomorrow morning14:13
dstanekdolphm: after this meeting i just want to take a quick peek at the sqlalchemy api before i +214:19
openstackgerritayoung proposed a change to openstack/keystone: Remember the DN  https://review.openstack.org/4744114:29
*** nkinder has joined #openstack-keystone14:30
*** david-lyle has joined #openstack-keystone14:31
*** zoresvit has joined #openstack-keystone14:32
*** leseb has quit IRC14:38
ayoungdolphm, I wouldn't consider it a blocker, but would like to get https://review.openstack.org/47441  in if possible.  Its a nice performance tune14:39
*** YorikSar has quit IRC14:43
dolphmdstanek: cool14:46
dstanekdolphm: all done, just need jenkins14:46
openstackgerritMatthieu Huin proposed a change to openstack/python-keystoneclient: Limited use trusts  https://review.openstack.org/5749214:51
*** thedodd has joined #openstack-keystone14:54
bknudsondolphm: do we need to have keystone requirements up to date for rc1 ? https://review.openstack.org/#/c/82372/  and https://review.openstack.org/#/c/82231/14:55
dolphmbknudson: i'd like to14:56
dolphmayoung: i'm looking at that patch again -- it's not the easiest review!14:56
ayoungdolphm, heh14:56
ayoungdolphm, the idea is that the lookup by DN is expensive, and if we already have done it once, we record the DN in the object to avoid a round trip to the LDAP servier14:57
ayoungthen we remove the DN from the object before reporting to the outside world14:57
dolphmayoung: i like the concept of the patch, it's the number of method that have the word "filter" in them that makes it a mind fuck14:58
ayounghttps://review.openstack.org/#/c/47441/11/keystone/common/ldap/core.py  is there so that it can be used by assignments eventually.14:58
ayoungnkinder treid to extend it to assignments, but it was too much for one patch, and since I am more concerned with Identity for LDAP, we figured we would scale it back14:58
ayoungbut I was glad to have someone with such in depth LDAP know how back me up on it14:59
*** zoresvit has quit IRC15:03
*** devlaps has joined #openstack-keystone15:04
*** leseb has joined #openstack-keystone15:05
*** jsavak has joined #openstack-keystone15:07
*** joesavak has quit IRC15:08
*** saju_m has quit IRC15:13
*** packet has joined #openstack-keystone15:14
*** wchrisj_ has quit IRC15:15
dolphmayoung: this looks risky- https://review.openstack.org/#/c/47441/15:22
*** YorikSar has joined #openstack-keystone15:23
ayoungdolphm, I think so, too.  I think that you are right:  there should not be two filter_functions.15:29
ayounglets hold off on that one for now15:29
dolphmayoung: happy to take the risk once we're open for juno15:29
ayoungdolphm, I'll redo it then to cover identity and assignment15:30
ayoungI think the code would actually be clearer15:30
nkinderayoung: I may have some old patches that cover part of assignment15:31
nkinderayoung: they likely don't apply cleanly anymore though...15:32
ayoungnkinder, I think that the split of the filter function broke some assumptions on that patch15:32
nkinderyeah15:32
ayoungnkinder, we'll have an LDAP huddle at the summit and figure out the most pressing topics to address, I think15:33
nkinderayoung: yeah, that would be good15:33
*** wchrisj has joined #openstack-keystone15:35
*** wchrisj has quit IRC15:35
*** wchrisj has joined #openstack-keystone15:36
*** ayoung has quit IRC15:37
stevemardstanek, OS_LOG_CAPTURE=0 -> discard data even if test fails, but 1 would discard data only if test fails?15:39
dstanek0 discards, but 1 will print it out for a failing test15:40
dstaneklet me check how i worded that15:41
dstanekstevemar: it looks like my comment in developing.rst is slightly incorrect, but the commit message is accurate - does it make sense?15:46
stevemardstanek, looking at commit message15:48
*** ayoung has joined #openstack-keystone15:48
dstanekstevemar: the difference is that as implemented all three stream are printed for failing tests15:49
dstaneki default all of those vars to 115:49
stevemardstanek, silly question, but in testr.conf, it shows as defaulted to -1? whats going on there?15:50
dstanekthat's bash there is a :- operator that says if you don't have a value use this one - sorta like Python's dict.setdefault15:51
dolphmjamielennox: the patch for this was only Partial-Bug ... is that still accurate? https://bugs.launchpad.net/python-keystoneclient/+bug/129588115:53
uvirtbotLaunchpad bug 1295881 in python-keystoneclient "*args vs **kwargs is unmanagable for future compatibility" [Medium,In progress]15:53
*** packet has quit IRC15:57
openstackgerritDavid Stanek proposed a change to openstack/keystone: Allows override of stdout/stderr/log capturing  https://review.openstack.org/7906915:58
*** packet has joined #openstack-keystone15:59
*** jaosorior has quit IRC16:00
openstackgerritA change was merged to openstack/keystone: Sync oslo-incubator db.sqlalchemy b9e2499  https://review.openstack.org/8259416:02
openstackgerritayoung proposed a change to openstack/keystone: Use CMS to generate sample tokens  https://review.openstack.org/7377216:09
*** marcoemorais has joined #openstack-keystone16:09
ayoungdstanek, ^^ might have been why devstack was failing, although I doubt it.16:09
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: sanity check memcached availability before running tests against it  https://review.openstack.org/8252716:13
dolphmjamielennox: ^16:14
openstackgerritA change was merged to openstack/keystone: Fix doc build errors with SQLAlchemy 0.9  https://review.openstack.org/8236716:14
openstackgerritA change was merged to openstack/keystone: Updated from global requirements  https://review.openstack.org/8237216:15
dstanekayoung: from the lack output i assumed tempest was trying set things up with keystone and that failed16:16
ayoungdstanek, yeah.  I need to get a devstack up and running, but having VM issues ATM...16:16
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations  https://review.openstack.org/8061816:18
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063016:18
*** joesavak has joined #openstack-keystone16:21
*** jsavak has quit IRC16:23
*** zoresvit has joined #openstack-keystone16:24
dstanekdolphm: so you're not worried about backward compatibility for the kc middleware?16:27
dolphmdstanek: i'm not sure what we'd be trying to maintain compatibility with? extended implementations?16:27
*** andreaf has quit IRC16:27
dstanekdolphm: anyone that subclassed and modified behavior16:28
dstanekdolphm: i'm ok if we don't have those guarantees, but right now i don't have a good handle on this in kc16:29
dolphmdstanek: A) i'm simply not aware of anyone doing so B) this will be in 0.7.0 rather than a minor version bump16:29
*** zoresvit has quit IRC16:34
dstanekdolphm: fair enough, is there a rule of thumb for what we consider the public part of the API and how to let people know a change is coming?16:34
dstanekdolphm: like we do on the server side with deprecated16:34
dolphmdstanek: i'd consider all of the public Client() interface (and all manager methods) to be public / stable of course16:39
dolphmdstanek: second most important would be the headers passed down from auth_token to consuming services16:39
dolphmdstanek: beyond that, we haven't had a good story for introducing deprecations (or much reason to before now)16:40
dolphmdstanek: on that note, thoughts on the deprecation approach in https://review.openstack.org/#/c/77491/2/keystoneclient/middleware/auth_token.py ?16:43
dolphmdstanek: (see my comment on L224)16:43
dstanekdolphm: looking now16:45
dstaneki'm watching all about Google's cloud!16:46
dolphmdstanek: i thought google *was* "the cloud"16:48
dstanekwell i was anyway, but the Google is experiencing technical difficulties16:49
dolphmmust be bad weather16:49
dstaneks/the cloud/big brother/16:49
dstanekdolphm: good observation on line 22416:53
*** topol has joined #openstack-keystone16:56
*** jsavak has joined #openstack-keystone16:58
dolphmdstanek: thoughts on https://review.openstack.org/#/c/59914/ with a method signature change to http://pasteraw.com/9labq7tnhsfnp9rgono179d5vlqf7l8 ?16:58
dolphm-    def update_own_password(self, origpasswd, passwd):16:58
dolphm+    def update_password(self, old_password, new_password):16:58
dstanekdolphm: that would be fine with me17:00
*** joesavak has quit IRC17:01
*** harlowja has joined #openstack-keystone17:03
*** morganfainberg_Z is now known as morganfainberg17:04
topolare we meeting today?17:07
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: Add a method for changing a user's password in v3  https://review.openstack.org/8287017:07
morganfainbergtopol, hour later since DST.17:07
topolcrap!!17:07
morganfainbergdolphm, so old sqlalchemy is broken /w that migrate?17:07
morganfainberglbragstad, ^17:08
morganfainbergwhat is the window of support needed for SQLA?17:08
dolphmdstanek: proposed an alternative review with the diff included, along with slightly stronger validation and tests https://review.openstack.org/#/c/82870/17:08
dolphmmorganfainberg: the .values() thing?17:08
dolphmmorganfainberg: i think the argument was just that we should support what's in our requirements file17:09
dolphmmorganfainberg: and it wasn't unreasonable to fix support for the minimum required version17:09
morganfainbergdolphm, sqlalchemy-migrate>=0.8.2,!=0.8.417:09
dolphmmorganfainberg: it was sqlalchemy itself, not migrate17:09
morganfainbergoh wait sec17:09
morganfainbergyeah17:09
morganfainbergi thought we were past 0.7 as a minimum17:10
morganfainberg*facepalm*17:10
morganfainbergi can fix that.17:10
dolphmmorganfainberg: https://github.com/openstack/requirements/blob/master/global-requirements.txt#L11217:10
morganfainbergyeah i see it: SQLAlchemy>=0.7.8,<=0.9.9917:11
dolphmmorganfainberg: there's a comment there about < 0.817:11
morganfainbergyep i see it17:11
morganfainbergah there was a fix already?17:12
morganfainbergcool.17:12
morganfainbergthis is what happens being on the west coast :P17:12
morganfainbergi miss the morning stuff17:12
morganfainberg:P17:12
*** lbragstad has quit IRC17:12
dolphmmorganfainberg: oh, yeah lol17:13
dolphmmorganfainberg: if you'd like to push buttons though, i have reviews for you17:14
morganfainbergdolphm, lol sure.17:17
morganfainbergdolphm, just got in so sitting down to look at the state of things17:18
openstackgerritDolph Mathews proposed a change to openstack/identity-api: clarify user & project namespacing  https://review.openstack.org/8287617:20
morganfainbergdolphm, https://launchpad.net/keystone/+milestone/icehouse-rc1 i like the look of that page atm17:20
dolphmmorganfainberg: ++17:20
dolphmmorganfainberg: there's two client reviews that need some love https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting17:21
*** leseb has quit IRC17:21
dolphmmorganfainberg: hoping to cut keystoneclient 0.7.0 along with RC117:21
morganfainbergdolphm, cool17:21
dolphmmorganfainberg: (both targeting tomorrow morning)17:21
dolphmmorganfainberg: that was jamie's wishlist for client changes, plus the password self-service thing, which i think has been blocking a corresponding change in horizon :(17:22
morganfainbergdolphm, so the 76733 and 77748?17:22
morganfainbergdolphm, oooh password one17:23
dolphmmorganfainberg: and https://review.openstack.org/#/c/82870/17:23
morganfainbergdolphm, yeah ok.17:23
dolphm(or the original if you prefer the v2 client method signature)17:24
*** lbragstad has joined #openstack-keystone17:24
*** pcargnel has joined #openstack-keystone17:25
*** andreaf has joined #openstack-keystone17:25
dolphmi also added https://review.openstack.org/#/c/82527/ but it's really low priority17:27
*** gyee has joined #openstack-keystone17:32
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: Handle URLs via the session and auth_plugins  https://review.openstack.org/6075217:32
dolphmfixed the merge conflict here ^17:33
dolphmjamielennox: bknudson: gyee: ^17:33
gyeedolphm, k17:34
*** flaper87 is now known as flaper87|afk17:41
dolphmmorganfainberg: gyee: thanks!17:42
dolphmmorganfainberg: gyee: dstanek: the last one i'd like to see land is this one, as it was reported on the mailing list recently https://review.openstack.org/#/c/82527/17:43
gyeedolphm, sure, I am reviewing it17:44
gyeedolphm, are you thinking of a new keystoneclient release soon?17:45
dolphmgyee: aiming for tomorrow morning17:45
gyeedolphm, awesome!17:45
dolphmgyee: which means if it's not gating today, then it probably won't make it17:45
gyeeI am helping to get other clients to support V3 so I could use the new features17:45
dolphmgyee: that'll give us a bit of time to have a 0.7.1 before icehouse is properly released if need be17:45
dolphmgyee: AWESOME17:46
dolphmgyee: would you mind giving an update on the state that work in today's keystone meeting? it's not something everyone has enough visibility on17:46
dolphmgyee: especially given that the effort is so distributed -- it's not easy to track17:46
*** zuqiang has joined #openstack-keystone17:46
gyeedolphm, sure, I've started with barbicanclient17:46
gyeehttps://review.openstack.org/#/c/80124/17:47
gyeewould love to have the Session and auth plugins available so saved me a bunch of boilerplate code17:48
*** amcrn has joined #openstack-keystone17:49
*** dstanek has quit IRC17:49
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: Improve language in update_password() validation error  https://review.openstack.org/8288617:55
dolphmmorganfainberg: https://review.openstack.org/#/c/82886/1/keystoneclient/v3/users.py17:56
*** thedodd has quit IRC18:00
*** dstanek has joined #openstack-keystone18:01
dstanekdolphm: i think it's fine, but i wish we could have the function run only once18:02
dolphmdstanek: it sort of only runs once18:03
dolphmdstanek: but you mean at the setUp level?18:04
dstanekdolphm: yeah, not a big deal though18:04
*** packet has quit IRC18:07
openstackgerritA change was merged to openstack/python-keystoneclient: Start using positional decorator  https://review.openstack.org/7705518:10
*** packet has joined #openstack-keystone18:11
dstanekdolphm: with memcached disabled and without your patch i don't get test failures; and i just verified that the tests that should fail are running18:12
dolphmdstanek: i'm confused - are you saying you can't reproduce the problem *with* or *without* my patch?18:13
*** vhoward has left #openstack-keystone18:14
dstanekdolphm: i can't reproduce it without18:14
dolphmdstanek: are you sure memcached isn't running?18:14
dolphmdstanek: and that you have python-memcached installed?18:14
dstanekyes connection refused when telneting to localhost 1121118:15
dstanekah, it may be that i don't have the lib18:15
*** shakamunyi has joined #openstack-keystone18:25
*** shakamunyi has quit IRC18:25
*** shakamunyi has joined #openstack-keystone18:26
*** shakamunyi has quit IRC18:26
*** zoresvit has joined #openstack-keystone18:33
*** jaosorior has joined #openstack-keystone18:36
openstackgerritA change was merged to openstack/python-keystoneclient: Fix passing get_token kwargs to get_access  https://review.openstack.org/7673318:42
*** devlaps1 has joined #openstack-keystone18:44
*** devlaps has quit IRC18:46
*** pcargnel has quit IRC18:48
*** zhiyan is now known as zhiyan_18:58
*** thedodd has joined #openstack-keystone18:59
morganfainbergjamielennox, the hope is you don't call subprocess19:00
dstanekmorganfainberg: i'm pretty sure pycrypto is dead19:00
jamielennoxright - i dislike that to19:00
morganfainbergdstanek, ok sure other crypto lib19:01
jamielennoxwhat do we back to - openssl still?19:01
morganfainbergjamielennox, calling subprocess is well and fine until it isn't19:01
jamielennoxright but it depends how long we have to wait for other people to support the CMS19:01
morganfainbergjamielennox, probably. but it means we can't use pypy.19:01
dstanekhow often does it get called in a real deployment? it seems like you would peg your CPU pretty quickly19:01
jamielennoxmorganfainberg: cFFI gets around pypy19:02
morganfainbergjamielennox, ah true19:02
morganfainbergdstanek, hm..19:03
*** zhiyan_ is now known as zhiyan19:03
dolphmmorganfainberg: what's the issue with pypy?19:03
jamielennoxmorganfainberg: if we go down the cffi route can we keep that within keysotne?19:03
morganfainbergdolphm, C vs native python stuffs.19:03
jamielennoxdolphm: cpython bindings don't work in pypy19:03
morganfainbergjamielennox, perhaps.19:03
morganfainbergafaik at least one OpenStack project (non-client) is pypy friendly19:04
morganfainbergi don't remember where i saw it19:04
morganfainbergbut i saw it19:04
dstanekthis seems like something that should be in pyopenssl anyway19:04
morganfainbergdstanek, probably19:04
dstanekmorganfainberg: i know alex gaynor want to make everything pypy friendly19:04
jamielennoxpyopenssl now depends upon the cryptography library - so i don't think that they will be wanting to take new things there19:05
morganfainbergdstanek, yeah there is a long way to go to get there19:05
dstaneksince we are calling out to the openssl library for the functionality i assume they have C APIs for it too19:05
morganfainbergdstanek, i think this is a case where we can implement a lib (more quickly) to do s-mime and then work on finding the real home for it19:05
morganfainbergdstanek, wherever that is.19:06
jamielennoxlet's just keep it keystone for now - but how do you communicate that keystone has a dependency on the openssl c lib via ffi in requirements?19:06
morganfainbergdstanek, but since there isn't a good home atm (or unclear) if no place is willing tot ake it now, we should get a python-smime lib written up19:06
morganfainbergjamielennox, no not internal to keystone please.19:07
morganfainbergjamielennox, i don't want keystone to have C in it, this should be separate to begin with19:07
jamielennoxmorganfainberg: ok - i was thinking about doing this for the cryptography library anyway so i'm interested in that19:08
dstanekmorganfainberg: i agree with that; may be worth reachin out to pyopenssl to see if they are interested - they seem very active https://github.com/pyca/pyopenssl/commits/master19:08
morganfainbergthe right answer is chat w/ the best places crypto lib? then if not there do our own and continue to work with them19:08
morganfainbergdstanek, ++ yeah lets reach out first, if not there to begin with we can make this happen on stackforge.19:08
morganfainbergdstanek, but if they want it and are willing, even better, they are already established19:09
dstanekdid i read that right in the meeting? openstack may be getting rid of py26 support?19:17
morganfainbergdstanek, eventually.19:17
morganfainbergdstanek, we support it because RHEL6 doesn't do software collections iirc19:17
dstanekmorganfainberg: i know that :-), but how soon?19:17
morganfainbergdstanek, once that ship has sailed, py26 can die.19:17
morganfainbergdstanek, my guess... k?19:18
*** openstackgerrit has quit IRC19:18
*** openstackgerrit has joined #openstack-keystone19:18
morganfainbergdstanek, that is a guess pulled out of thin air19:18
morganfainbergdstanek, so... dumb question.19:18
morganfainbergdstanek, maybe i;'m just not seeing it19:18
morganfainbergdstanek, in the RESTFul test cases, how does the default domain get populated?19:19
dolphmmorganfainberg: populated in the db?19:20
morganfainbergdolphm, yes19:20
dolphmmorganfainberg: there's a data migration19:20
morganfainbergdolphm, ok so we have pristine.db19:21
dstanekmorganfainberg: no idea19:21
dolphmmorganfainberg: 00819:21
dolphmkeystone/common/sql/migrate_repo/versions/008_create_default_domain.py19:21
morganfainbergoh gah.19:21
morganfainbergdolphm, *grumbles*19:21
morganfainbergok thanks19:21
morganfainbergdolphm, that was what i was missing19:22
dolphmmorganfainberg: git blame keystone/common/sql/migrate_repo/versions/008_create_default_domain.py19:22
dstanekdolphm: wow, i would have never looked there19:22
morganfainbergdolphm, I BLAME YOU!19:22
morganfainbergdstanek, ++ exactly19:22
morganfainbergdolphm, :) thanks19:22
dolphmmorganfainberg: $ git config --global alias.shame blame19:22
morganfainbergdolphm, I've been fighting tring to find that for an hour or so.19:22
dolphmmorganfainberg: $ git shame keystone/common/sql/migrate_repo/versions/008_create_default_domain.py19:22
dolphmthe new word of the day is "side-effectly"19:31
dstanekmorganfainberg: why are you worried about deployments if we make a change to not install eventlet on py3?19:34
*** zhiyan is now known as zhiyan_19:36
*** vhoward has joined #openstack-keystone19:37
dolphmdstanek: what would you risk breaking?19:38
morganfainbergdstanek, if you remove eventlet from the requirements, it may not be installed in py2X19:39
morganfainbergdstanek, was the point19:39
dstanekdolphm: nothing; you can't use keystone on py3 - i'm only making changes for py319:39
dstanekmorganfainberg: i'm not changing anything about the way we do py219:39
morganfainbergdstanek, so if it's in requirements.txt it gets built?19:40
morganfainbergdstanek, or are you talking about mucking with how we setup?19:40
dstanekmorganfainberg, dolphm: yesterday bknudson found this http://git.openstack.org/cgit/openstack/oslo-incubator/tree/tox.ini#n5819:40
morganfainbergdstanek, because if it's built, used or not - it would break19:40
dolphmdstanek: oh interesting19:40
morganfainbergdstanek, not a fan19:40
dstaneki've been working on a patch in between reviews to get as much stuff working in py3 as possible19:40
morganfainbergdstanek, does jenkins task understand that?19:41
morganfainbergdstanek, and jenkins checks.19:41
dolphmdstanek: is it intended to totally replace [test-]requirements.txt19:41
dolphmdstanek: or supplement, somehow19:41
dstanekmorganfainberg: i don't see an alternative other than waiting a few months (or years) for projects to implement py3 support19:41
dstanekmorganfainberg: yes, i believe they are using tox in the jenkins tests19:42
morganfainbergdstanek, no i mean the global requirements tasks19:42
dstanekdolphm: they are replacement files19:42
morganfainbergdstanek, and requirements checks19:42
morganfainbergdstanek, because that would be the #1 reason i am not a fan. i don't want to maintain a separate requirements file.19:42
morganfainbergif that makes sense19:42
dstanekmorganfainberg: there isn't really another way right now19:42
morganfainbergthe old style by hand was horrible19:43
dstaneki'll see what oslo has rigged up, but all-in-all this is better than waiting19:43
dstaneki had to take our a bunch of deps to get py3 to work; much more than just eventlet19:44
dstaneks/our/out/19:44
morganfainbergdstanek, can we possibly work with infra to get a py3 deps thing in place?19:45
openstackgerritA change was merged to openstack/python-keystoneclient: Add a method for changing a user's password in v3  https://review.openstack.org/8287019:45
morganfainbergdstanek, i really am concerned about manually maintaining a requirements file.19:45
morganfainbergit's super sucky :P19:45
morganfainbergbut if it's the only way...............19:46
dstaneki'll see what oslo is doing - their change is from quite a while ago19:46
morganfainbergk19:46
jamielennoxthis is a fairly easy client review for anyone in the mood: https://review.openstack.org/#/c/72878/19:48
jamielennoxi'll post a few more as well19:48
morganfainbergdolphm, about to post patch to move to SQLIte in-memory19:51
morganfainbergdolphm, for default testing.19:51
dolphmmorganfainberg: woot!19:51
morganfainbergdolphm, this wont cover the SQL migrate tests yet.19:52
dolphmmorganfainberg: damn :P19:52
morganfainbergdolphm, 2 patches :P19:52
morganfainbergtrying to keep this easy to review.19:52
*** shakayumi has joined #openstack-keystone19:54
morganfainbergdolphm, so if you want to use a disk-based sqlite for tests (why? no really why?) should i provide a {workdir} substitution that can occur?19:55
*** shakamunyi has joined #openstack-keystone19:56
dolphmmorganfainberg: any value in poking into a db that failed?19:56
morganfainbergdolphm, or just "sorry we don't support multi-worker-testr with a sqlite db on disk for tests"19:56
dolphmi've never, ever done it... but that's all i can think of19:56
morganfainbergdolphm, i've never ever ever done it19:56
morganfainbergdolphm, and we explicitly delete files on disk on atexit19:57
morganfainbergdolphm, so you'd need to change code anyway19:57
dolphmmorganfainberg: i wouldn't bother providing a workaround19:57
*** shakayumi has quit IRC19:58
*** leseb has joined #openstack-keystone19:58
*** dstanek is now known as dstanekafk19:58
morganfainbergdolphm, ok19:59
*** leseb has quit IRC20:03
*** shakamunyi has quit IRC20:03
openstackgerritA change was merged to openstack/python-keystoneclient: Handle URLs via the session and auth_plugins  https://review.openstack.org/6075220:03
dolphmanymore love for either https://review.openstack.org/#/c/82527/ or https://review.openstack.org/#/c/82886/ before i cut 0.7.0 without them?20:05
* lbragstad is reviewing https://review.openstack.org/#/c/82527/ but dolphm can cut 20:06
*** shakamunyi has joined #openstack-keystone20:06
jamielennoxcool, i've got both of those done - neither are really 'required' but they are simple20:07
jamielennoxanother easy client review (not for 0.7) https://review.openstack.org/#/c/74955/20:09
bknudson https://review.openstack.org/#/c/82527/ or https://review.openstack.org/#/c/82886/ look good to me.20:10
*** esmute has joined #openstack-keystone20:11
dolphmlbragstad: bknudson: thanks!20:13
dolphmjamielennox: you too!20:13
lbragstadnp, thanks for checking20:14
*** dstanekafk is now known as dstanek20:17
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager  https://review.openstack.org/8036820:17
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert auth_token to use session  https://review.openstack.org/7490820:19
jamielennoxdstanek, gyee: are you happy to remove the -1 on https://review.openstack.org/#/c/77748/ based on the meeting?20:20
jamielennoxor do you still want a request_uri property?20:21
dstanekjamielennox: just switched to a +220:24
jamielennoxdstanek: thanks - there is still the underlying patch to get through but i'm just cleaning up my list when i'm in vaguely the same hours as most people20:25
jamielennoxalso before the mad rush when juno opens20:26
*** esmute has left #openstack-keystone20:27
*** lbragstad has quit IRC20:34
morganfainbergdolphm, just running one last pass on tests for the test_sql_upgrade and test_sql_migrate_extensions and i'll have these reviews posted (in-mem sqlite ftw!)20:35
morganfainbergdolphm, much much faster.20:35
morganfainbergand no more need to specify the TMP dir to get reasonable performance20:36
gyeejamielennox, I am not happy, but I don't have a strong reason to block it20:37
jamielennoxgyee: oh?20:38
jamielennoxgyee: just because of the api compat difference20:38
gyeejamielennox, I'll have to make a small change at my local repo20:38
gyeebut that's fine, a small change anyway20:38
gyeejust a name change20:39
*** vhoward has left #openstack-keystone20:39
jamielennoxgyee: do you need it RO or RW?20:40
jamielennoxalso dont subclass auth token20:40
gyeejamielennox, I don't really want to if I don't have to20:41
gyeein a perfect world, I would love to not having to maintain any local code20:41
jamielennoxdo you have that subclass somewhere public?20:41
gyeejamielennox, no, in my local internal repo20:42
gyeeI basically override the get admin token part20:42
jamielennoxis it something i can see (even email me it) i just want to see what it doesn't support and how20:42
jamielennoxgyee: also ge_admin toen is going away: https://review.openstack.org/#/c/74908/20:44
jamielennoxthat was approved but failed on rebase20:44
gyeejamielennox, sweet!20:45
gyeeI didn't know that one20:45
jamielennoxgyee: didnt you approve it?20:45
jamielennoxno but you +2ed20:45
gyeewtf?20:46
gyeehangon20:46
gyeejamielennox, not really, that patch still not solving my problem20:50
gyeeit still require either a token or admin user/password/tenant_name20:50
gyeejamielennox, https://review.openstack.org/#/c/74908/6/keystoneclient/middleware/auth_token.py20:50
gyeeline 437-44420:51
jamielennoxgyee: yea, i'm aware20:51
gyeethat patch get us a step closer, but no cigar yet20:51
jamielennoxwhen the from_conf stuff comes in i can convert from that to from_conf20:51
gyeeright, when we truly utilizing the auth plugins20:52
jamielennoxthen you can use whatever plugin you like20:52
gyeethen we're in business20:52
gyeejamielennox, once all your patches landed, I'll buy you a beer next time I see you20:52
gyeeat least :-)20:52
gyeethat's for sure20:52
jamielennoxdeal20:52
jamielennoxthe one thing i know we're missing is having auth plugins set connection params20:53
jamielennoxso SSL client certs for authentication and kerberos needs the ability to set requests params from the plugin which is not currently doable20:53
gyeejamielennox, but that's more of a document thing than code thing right?20:54
jamielennoxgyee: no - but it just needs a new hook for the plugin20:54
jamielennoxi know it's missing and it can be added later20:55
gyeebut SSL client certs is itself a auth plugin20:55
gyeemaybe a no-op in terms of headers and request because we are using the underlaying connection mechanism for auth20:56
jamielennoxgyee: well SSL is funny20:56
gyeeright, a special case20:56
jamielennoxbecause it can be a session parameter or it can be an auth parameter20:56
jamielennoxjose's kerberos patch is my main target because that's just auth20:57
*** lbragstad has joined #openstack-keystone21:00
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Use in-memory SQLite for testing  https://review.openstack.org/8291721:01
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Use in-memory SQLite for sql migration tests  https://review.openstack.org/8291821:01
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove extraenous instantiations of managers  https://review.openstack.org/8172021:01
jamielennoxgyee or ayoung: if you have a minute can you look at and possibly +A https://review.openstack.org/#/c/7287821:02
ayoungjamielennox, looking21:02
dstanekjamielennox: do you have any more client stuff that you'd like me to take a look at? i have a little free time before i have to do kid stuff21:03
morganfainbergdstanek, dolphm, ^ in-mem sqlite21:03
ayoungjamielennox, +A21:03
morganfainbergdstanek, it can wait until post RC though.21:03
*** topol has quit IRC21:04
jamielennoxayoung: thanks21:04
dstanekmorganfainberg: cool,  i'll go through all three21:05
morganfainbergdstanek, the first one is the same manager one from before, just no more instantiation of credential_api in test_sql_upgrade21:05
*** leseb has joined #openstack-keystone21:08
*** shakayumi has joined #openstack-keystone21:08
*** shakayumi has quit IRC21:09
*** shakamunyi has quit IRC21:11
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions  https://review.openstack.org/8019321:20
*** gokrokve has quit IRC21:32
*** jsavak has quit IRC21:32
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager  https://review.openstack.org/8036821:42
*** marcoemorais1 has joined #openstack-keystone21:45
*** zigo has quit IRC21:47
*** mfisch has quit IRC21:47
*** marcoemorais has quit IRC21:47
*** dolphm has quit IRC21:47
*** mfisch has joined #openstack-keystone21:48
*** mfisch has joined #openstack-keystone21:48
*** zigo has joined #openstack-keystone21:49
*** dolphm has joined #openstack-keystone21:50
*** ChanServ sets mode: +o dolphm21:50
ayounghttps://pypi.python.org/pypi/pysmime21:56
*** topol has joined #openstack-keystone21:58
morganfainbergayoung, m2crypto ick21:59
*** stevemar has quit IRC22:00
ayoungmorganfainberg, doesnt have to stay that way22:00
morganfainbergayoung, i would hope it doesn't stay that way :)22:01
ayoungmorganfainberg, gyee what is the future of crypto in python?22:01
ayoungwhich library should we target?22:01
morganfainbergayoung, pyopenssl? i think that is the one dstanek identified22:01
morganfainbergayoung, but tbh, i don't know. it seems like we go through crypto libraries fast in the python world (since m2crypto died)22:02
*** leseb has quit IRC22:02
ayoungmorganfainberg, cuz even with the popen approach we could, in theory use the same library22:02
dstanekpyopenssl, i believe, is a wrapper around the openssl C APIs22:02
dstanekother crypto libs like m2crypto actually implement their own crypto in many cases22:03
*** bknudson has quit IRC22:03
ayounghttps://pythonhosted.org/pyOpenSSL/22:03
dstaneki though pyopenssl because i think we can just get a small wrapper around the CMS API calls if they exist22:03
ayoungneeds proper pkcs7 support22:03
ayoungI'm ok with contributing to an upstream project for crypto, just so as I know which one22:04
morganfainbergayoung, https://pythonhosted.org/pyOpenSSL/api/crypto.html#pkcs7-objects FIXME22:04
morganfainbergayoung, yeah =/22:04
openstackgerritA change was merged to openstack/python-keystoneclient: sanity check memcached availability before running tests against it  https://review.openstack.org/8252722:04
openstackgerritA change was merged to openstack/python-keystoneclient: Improve language in update_password() validation error  https://review.openstack.org/8288622:04
morganfainbergayoung, i think pyopenssl looks like the best bet since it's doing what we all kindof assume, call openssl c objects22:04
morganfainbergayoung, and that can be used by something a bit more specific (e.g. layering in anything else needed)22:05
morganfainbergand i like that it's not trying to be too clever.22:05
*** stevemar has joined #openstack-keystone22:06
jamielennoxayoung: the cryptography library which isrelated to barbican is the new one22:11
jamielennoxit has the advantage of having some of the pyopenssl guys working on it22:12
jamielennoxalso pyopenssl now depends on it22:12
*** derek_c has joined #openstack-keystone22:12
jamielennoxthough it will be a while as they dont have certs eve yet22:13
*** devlaps1 has quit IRC22:17
*** devlaps has joined #openstack-keystone22:17
*** dims_ has quit IRC22:18
*** dstanek has quit IRC22:22
*** dims_ has joined #openstack-keystone22:34
*** dstanek has joined #openstack-keystone22:37
*** nkinder has quit IRC22:43
gyeeayoung, pycrypto is stable, m2crypto not sure22:50
openstackgerritJamie Lennox proposed a change to openstack/keystone: Remove unnecessary test setUps  https://review.openstack.org/8293822:51
gyeestable support I mean22:51
morganfainbergjamielennox, yay! remove useless use of setUp!22:53
morganfainbergjamielennox, i think there are more of those around tbh22:53
jamielennoxmorganfainberg: i'm sure there are heaps22:53
jamielennoxbut that was the file i was looking at22:53
*** henrynash has quit IRC22:53
morganfainbergjamielennox, lol22:53
jamielennoxwhat is the policy on our testing controllers directly?22:54
jamielennoxi mean i know the policy should be: don't do it22:54
jamielennoxbut are there situations where it makes sense to test the driver?22:55
*** nkinder has joined #openstack-keystone22:55
jamielennoxi guess it doesn't matter - if you're testing the driver that's different22:56
morganfainbergjamielennox, eh, i mean there is a time and place to test the controller, that seems like the whole point of the restful tests22:58
jamielennoxmorganfainberg: no - if you want to test the controller you should be calling app.get() etc22:59
jamielennoxyou should never test token.controllers.Auth22:59
*** zoresvit has quit IRC23:00
morganfainberguh.23:00
morganfainberg*shrug*23:00
morganfainbergi mean, the restful test cases seem to do that kind of stuff.23:00
jamielennoxmorganfainberg: yes but it means that you hand create the context object23:01
jamielennoxmorganfainberg: they do - it's a real pain23:01
jamielennoxcrap, there's no way i can fix all those places23:04
*** david-lyle has quit IRC23:08
openstackgerritJohn Dennis proposed a change to openstack/keystone: Expand the use of non-ascii values in ldap test  https://review.openstack.org/8239923:12
openstackgerritJohn Dennis proposed a change to openstack/keystone: Properly handle unicode & utf-8 in LDAP  https://review.openstack.org/8239823:12
openstackgerritJohn Dennis proposed a change to openstack/keystone: Refactor LDAP API  https://review.openstack.org/8239723:12
openstackgerritJohn Dennis proposed a change to openstack/keystone: code hygiene; use six.text_type, escape regexp's, use key function  https://review.openstack.org/8239623:12
*** thedodd has quit IRC23:17
*** dstanek has quit IRC23:21
*** andreaf has quit IRC23:22
*** henrynash has joined #openstack-keystone23:24
*** jaosorior has quit IRC23:30
openstackgerritguang-yee proposed a change to openstack/python-keystoneclient: Implement endpoint filtering functionality on the client side.  https://review.openstack.org/8271323:38
*** dstanek has joined #openstack-keystone23:38
derek_chow do you customize the keystone.conf that gets installed?23:39
derek_cI mean, is there some code in keystone that's responsible for generating the default conf?23:39
morganfainbergderek_c, the sample config? or you mean like when you install a package in ubuntu?23:40
derek_cmorganfainberg: yeah, like when you install a package23:40
morganfainbergthat is often controlled by the packager23:41
derek_cI see. so keystone doesn't have a "default config"?23:41
morganfainbergderek_c, we have a default configuration in our repo that shows all of the default config options. But it doesn't change any values23:42
derek_cmorganfainberg: I see. is it keystone/common/config.py?23:43
derek_cI think it is. thanks!23:45
dstanekdolphm: so we have to un-deprecate v2?23:46
morganfainbergderek_c, that is the place options are registered23:49
morganfainbergdstanek, that is the general sentiment of the conversation.23:50
*** devlaps1 has joined #openstack-keystone23:50
dstanekmorganfainberg: that's unfortunate23:50
morganfainbergdstanek, well the point is don't notify the deployers/operators there is something to do if OpenStack doesn't fully support it. but, eh23:51
morganfainbergdstanek, differing opinions23:51
morganfainbergdstanek, i don't want to undeprecate it personally, but i understand the argument23:51
*** devlaps has quit IRC23:53
dstanekmorganfainberg: maybe we should just make it log in debug mode so deployers don't see it :-)23:56
« Monday, 2014-03-24 Index Wednesday, 2014-03-26 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!